A brief introduction to cryptography, the various types of cryptography and the advantages and disadvantages associated with using the following types, with some part of the RSA algorithm.
1. UNIT-I
Security trends
OSI Security Architecture
Security Attacks
Security Services
Security mechanisms
A Model for Network Security
Symmetric Cipher Model
Substitution Techniques and Transposition Techniques
Block Cipher Principles
The Data Encryption Standard and The Strength of DES
Differential and linear cryptanalysis
Block cipher design principles
Evaluation criteria for AES and The AES Cipher.
3. Cryptography
Cryptography - the study of encryption principles and methods.
Cryptography deals with creating documents that can be shared secretly over public communication channels.
8. Internet security
Internet security is used to protect data during their transmission over a collection of interconnected networks.
9. Security trends
In 1994, the Internet Architecture Board (IAB) issued a report entitled "Security in the Internet Architecture".
The report stated the general agreement that the Internet needs more and better security, and it identified key areas for security mechanisms.
10. CERT Statistics
Security trend in Internet-related vulnerabilities reported to CERT over a 10-year period.
These include security weaknesses in the operating systems of attached computers as well as vulnerabilities in Internet routers and other network devices.
12. OSI Security Architecture
The OSI (open systems interconnection) security architecture provides a systematic framework for defining security attacks, mechanisms, and services.
14. Security service
A service that enhances the security of data processing systems and information transfers.
A security service makes use of one or more security mechanisms.
28. Notarization
The use of a trusted third party to assure certain properties of a data exchange.
29. Security Attack
Any action that compromises the security of information.
The terms threat and attack are often used to mean the same thing.
30. Passive attacks
Passive attacks attempt to learn or make use of information from the system but do not affect system resources.
They are difficult to detect because they do not involve any alteration of the data.
33. Active attacks
Active attacks attempt to alter system resources or affect their operation.
They are easy to detect because they involve alteration of the data.
40. Model for Network Security
The model calls for four tasks:
design a suitable algorithm for the security transformation
generate the secret keys used by the algorithm
develop methods to distribute the secret key
specify a protocol enabling the principals to use the transformation and secret information for a security service
42. Symmetric Encryption
Symmetric encryption is also referred to as conventional encryption or single-key encryption.
All traditional schemes are symmetric / single-key / private-key encryption algorithms, with a single key used for both encryption and decryption.
Since both sender and receiver are equivalent, either can encrypt or decrypt messages using that common key.
43. Some Basic Terminology
plaintext - original message
cipher text - coded message
key - shared by both sender and receiver
encipher (encrypt) - converting plaintext to cipher text
decipher (decrypt) - converting cipher text to plaintext
45. Cryptography
A cryptographic system is characterized by:
the type of encryption operations used: substitution / transposition / product
the number of keys used: single-key (private) / two-key (public)
the way in which plaintext is processed: block / stream
46. Cryptanalysis
There are two general approaches to attacking a conventional encryption scheme:
cryptanalytic attack
brute-force attack
51. Caesar Cipher
The Caesar cipher involves replacing each letter of the alphabet with the letter standing k places further down the alphabet, for k in the range 1 through 25.
52. Caesar Cipher
• mathematically, give each letter a number:
a b c d e f g h i j k l m n o p q r s t u v w x y z
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
• then the Caesar cipher is:
c = E(p) = (p + k) mod 26
p = D(c) = (c - k) mod 26
54. Brute-Force Cryptanalysis of Caesar Cipher
If it is known that a given cipher text is a Caesar cipher, then a brute-force cryptanalysis is easily performed.
Simply try all the 25 possible keys.
57. Monoalphabetic Ciphers
Shuffle the letters and map each plaintext letter to a different random ciphertext letter:
Plain letters:  abcdefghijklmnopqrstuvwxyz
Cipher letters: DKVQFIBJWPESCXHTMYAUOLRGZN
Plaintext:   ifwewishtoreplaceletters
Cipher text: WIRFRWAJUHYFTSDVFSFUUFYA
60. Monoalphabetic Cipher
The relative frequency of the letters can be determined and compared to a standard frequency distribution for English.
If the message were long enough, this technique alone might be sufficient.
61. Playfair Cipher
The Playfair algorithm is based on the use of a 5 x 5 matrix of letters constructed using a keyword.
Plaintext is encrypted two letters at a time using this matrix.
62. Playfair Cipher
• Rules:
– Take a pair of letters from the plaintext
– Separate repeating letters in a pair with an x
– Plaintext letters in the same row are replaced by the letters to the right (cyclically)
– Plaintext letters in the same column are replaced by the letters below (cyclically)
– Plaintext letters in a different row and column are each replaced by the letter in their own row and the column of the other letter
64. Hill Cipher
The encryption algorithm takes m successive plaintext letters and substitutes for them m cipher text letters.
The substitution is determined by m linear equations in which each character is assigned a numerical value (a = 0, b = 1 ... z = 25).
66. Hill Cipher
C = KP mod 26, where C and P are column vectors of length 3, representing the cipher text and plaintext respectively, and K is a 3 x 3 matrix representing the encryption key.
67. Hill Cipher
In general terms, the Hill cipher system can be expressed as follows:
C = E(K, P) = KP mod 26
P = D(K^-1, C) = K^-1 C mod 26 = K^-1 K P = P
69. For example, if the key is a 3 x 3 matrix
Plaintext: paymoremoney
m = 3
Key matrix K (the matrix whose cofactors are expanded below):
17 17  5
21 18 21
 2  2 19
(p a y) = (15 0 24)
So encryption of the first block is as follows:
(15 0 24) K = (303 303 531) mod 26 = (17 17 11) = RRL
Now the cipher text for pay is RRL.
70. For decryption you have to find K^-1
How to find the inverse of K, that is K^-1:
1. Find the cofactor of each element in the matrix,
2. Transpose the cofactor matrix to get the adjoint adj(K).
Cofactors of the first row:
C11 = (18*19 – 21*2) = 300
C12 = –(21*19 – 21*2) = –357
C13 = (21*2 – 18*2) = 6
Cofactor matrix:
 300 -357    6
-313  313    0
 267 -252  -51
adj(K) = transpose of the cofactor matrix:
 300 -313  267
-357  313 -252
   6    0  -51
Determinant of K = 17(18*19 – 21*2) – 17(21*19 – 21*2) + 5(21*2 – 18*2) = –939
71. Now K^-1 = (det K)^-1 * adj(K) mod 26
(det K)^-1 = (–939)^-1 mod 26 = (–939 mod 26)^-1 mod 26
(the easy way to find –939 mod 26 is to keep adding 26 to –939 until you get a positive value; you get 23)
= 23^-1 mod 26
23 * 17 = 391 = 15*26 + 1, so 391 mod 26 = 1 (find a number s such that 23 * s mod 26 = 1)
So (–939 mod 26)^-1 = 17
Now K^-1 = 17 * adj(K) mod 26
= 17 *
 300 -313  267
-357  313 -252
   6    0  -51
=
 5100 -5321  4539
-6069  5321 -4284
  102     0  -867
mod 26 =
  4  9 15
 15 17  6
 24  0 17
This is the inverse matrix.
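Slides 69 to 71 carried out in code (an added example, not code from the slides): the inverse is computed exactly as the slides do, as (det K)^-1 · adj(K) mod 26, and, like the worked example, the plaintext block multiplies K as a row vector on the left. Keys whose determinant shares a factor with 26 are rejected, a case the slides do not cover. The key matrix and the text "paymoremoney" are the slides' own values.

```python
# Hill cipher over a = 0 ... z = 25, with the key inverse found via the adjugate,
# as on slides 70-71. Convention of the worked example: C = P K mod 26 (row vectors).

def minor(m, i, j):
    """Matrix m with row i and column j removed."""
    return [row[:j] + row[j + 1:] for k, row in enumerate(m) if k != i]

def det(m):
    """Exact integer determinant by cofactor expansion along the first row."""
    if len(m) == 1:
        return m[0][0]
    return sum((-1) ** j * m[0][j] * det(minor(m, 0, j)) for j in range(len(m)))

def adjugate(m):
    """adj(K): transpose of the cofactor matrix (step 1 and 2 on slide 70)."""
    n = len(m)
    cof = [[(-1) ** (i + j) * det(minor(m, i, j)) for j in range(n)] for i in range(n)]
    return [[cof[j][i] for j in range(n)] for i in range(n)]

def inverse_mod26(m):
    """K^-1 = (det K)^-1 * adj(K) mod 26; ValueError if det K is not invertible mod 26."""
    d = det(m) % 26                  # -939 % 26 == 23 for the slides' key
    d_inv = pow(d, -1, 26)           # raises ValueError when gcd(d, 26) != 1 (d even or 13)
    return [[(d_inv * x) % 26 for x in row] for row in adjugate(m)]

def vec_mat(v, m):
    """Row vector times matrix, reduced mod 26."""
    return [sum(v[i] * m[i][j] for i in range(len(v))) % 26 for j in range(len(m[0]))]

def hill_encrypt(plaintext, key):
    m = len(key)
    nums = [ord(c) - 97 for c in plaintext.lower() if c.isalpha()]
    if len(nums) % m:
        nums += [23] * (m - len(nums) % m)   # pad a short last block with 'x'
    out = []
    for i in range(0, len(nums), m):
        out += vec_mat(nums[i:i + m], key)
    return "".join(chr(65 + x) for x in out)

def hill_decrypt(ciphertext, key):
    """Decrypt by encrypting with K^-1, since C K^-1 = P K K^-1 = P."""
    return hill_encrypt(ciphertext, inverse_mod26(key)).lower()

if __name__ == "__main__":
    K = [[17, 17, 5], [21, 18, 21], [2, 2, 19]]      # key from slide 70
    print(hill_encrypt("paymoremoney", K))            # starts with RRL, as on slide 69
    print(inverse_mod26(K))
```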
73. Vigenère Cipher
The Vigenère cipher is a method of encrypting alphabetic text by using a series of different Caesar ciphers based on the letters of a keyword.
It is a simple form of polyalphabetic substitution.
74. Vigenère Cipher
To encrypt a message, a key is needed that is as long as the message. Usually, the key is a repeating keyword.
key:        deceptivedeceptivedeceptive
plaintext:  wearediscoveredsaveyourself
ciphertext: ZICVTWQNGRZGVTWAVZHCQYGLMGJ
76. One-time pad
The one-time pad's security comes from its key: the key is EQUAL to the length of the plaintext and is COMPLETELY random.
77. One-time pad
Message:              H  E  L  L  O
                      7  4 11 11 14
Key:                  X  M  C  K  L
+                    23 12  2 10 11
= Message + key      30 16 13 21 25
= (mod 26)            4 16 13 21 25
ciphertext:           E  Q  N  V  Z
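Slides 51 to 54, 74 and 77 describe one rule, c = (p + k) mod 26, with three kinds of key: a single shift (Caesar), a repeating keyword (Vigenère) and a random key as long as the message (one-time pad). The added example below (not code from the slides) implements that family once, adds the 25-key brute force from slide 54, and ranks the candidates by letter frequency as slide 60 suggests; the frequency score and the "meet me after the toga party" test text are my own constructions.

```python
# Additive (shift) ciphers: Caesar, Vigenère and one-time pad share one encryption rule.
import secrets
import string

ALPHABET = string.ascii_lowercase

def to_nums(text):
    """Letters to 0..25, ignoring anything that is not a letter."""
    return [ALPHABET.index(c) for c in text.lower() if c in ALPHABET]

def shift_encrypt(plaintext, key_nums):
    """c_i = (p_i + k_(i mod len(key))) mod 26; cipher text is written in upper case."""
    p = to_nums(plaintext)
    return "".join(ALPHABET[(x + key_nums[i % len(key_nums)]) % 26] for i, x in enumerate(p)).upper()

def shift_decrypt(ciphertext, key_nums):
    c = to_nums(ciphertext)
    return "".join(ALPHABET[(x - key_nums[i % len(key_nums)]) % 26] for i, x in enumerate(c))

def caesar_encrypt(plaintext, k):
    return shift_encrypt(plaintext, [k])            # a one-letter key

def vigenere_encrypt(plaintext, keyword):
    return shift_encrypt(plaintext, to_nums(keyword))   # key repeats to the message length

def vigenere_decrypt(ciphertext, keyword):
    return shift_decrypt(ciphertext, to_nums(keyword))

def one_time_pad_key(length):
    """Uniformly random key with one symbol per plaintext letter; use each key once only."""
    return [secrets.randbelow(26) for _ in range(length)]

def caesar_brute_force(ciphertext):
    """Slide 54: only 25 keys exist, so every candidate plaintext can be listed."""
    return {k: shift_decrypt(ciphertext, [k]) for k in range(1, 26)}

COMMON = "etaoinshr"   # constructed scoring set: the most frequent English letters

def rank_candidates(ciphertext):
    """Slide 60 idea: order the 25 candidates by how many common English letters they contain."""
    cands = caesar_brute_force(ciphertext)
    return sorted(cands.items(), key=lambda kv: -sum(kv[1].count(c) for c in COMMON))

if __name__ == "__main__":
    print(vigenere_encrypt("wearediscoveredsaveyourself", "deceptive"))   # slide 74
    print(shift_encrypt("HELLO", to_nums("XMCKL")))                       # slide 77
    print(rank_candidates(caesar_encrypt("meet me after the toga party", 3))[0])
```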
79. Rail Fence cipher
The simplest such cipher is the rail fence technique, in which the plaintext is written down as a sequence of diagonals and then read off as a sequence of rows.
The example message is: meet me after the toga party
e.g. write the message out as:
m e m a t r h t g p r y
 e t e f e t e o a a t
giving ciphertext
MEMATRHTGPRYETEFETEOAAT
80. Row Transposition Ciphers
A more complex transposition cipher is to write the message in a rectangle, row by row, and read the message off column by column, but with the order of the columns permuted by the key.
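Both transposition ciphers from slides 79 and 80 as an added example (not code from the slides): the rail fence is generalised from two rails to any number, and the row transposition reads the columns in the order given by a numeric key. The key [4, 3, 1, 2, 5, 6, 7] and the text "attackpostponeduntiltwoamxyz" are constructed sample inputs.

```python
# Transposition ciphers: rail fence (zigzag over n rails) and keyed columnar transposition.

def _rail_pattern(n, rails):
    """Rail index for each of n positions, written as diagonals (zigzag)."""
    pattern, r, step = [], 0, 1
    for _ in range(n):
        pattern.append(r)
        if rails > 1:
            if r == 0:
                step = 1
            elif r == rails - 1:
                step = -1
            r += step
    return pattern

def rail_fence_encrypt(plaintext, rails=2):
    """Write the letters along the diagonals, then read the rails row by row."""
    letters = [c for c in plaintext.lower() if c.isalpha()]
    pattern = _rail_pattern(len(letters), rails)
    rows = ["".join(c for c, p in zip(letters, pattern) if p == rail) for rail in range(rails)]
    return "".join(rows).upper()

def rail_fence_decrypt(ciphertext, rails=2):
    """Recompute which rail each position belongs to, then refill in reading order."""
    n = len(ciphertext)
    pattern = _rail_pattern(n, rails)
    out, idx = [None] * n, 0
    for rail in range(rails):
        for i, p in enumerate(pattern):
            if p == rail:
                out[i] = ciphertext[idx].lower()
                idx += 1
    return "".join(out)

def columnar_encrypt(plaintext, key, pad="x"):
    """Write row by row under the key digits; read the columns in key order 1, 2, 3, ..."""
    letters = [c for c in plaintext.lower() if c.isalpha()]
    cols = len(key)
    while len(letters) % cols:
        letters.append(pad)               # fill the last row so every column is complete
    rows = [letters[i:i + cols] for i in range(0, len(letters), cols)]
    order = sorted(range(cols), key=lambda j: key[j])
    return "".join(row[j] for j in order for row in rows).upper()

def columnar_decrypt(ciphertext, key):
    cols = len(key)
    nrows = len(ciphertext) // cols
    order = sorted(range(cols), key=lambda j: key[j])
    grid = [[None] * cols for _ in range(nrows)]
    idx = 0
    for j in order:                       # refill the columns in the same key order
        for i in range(nrows):
            grid[i][j] = ciphertext[idx].lower()
            idx += 1
    return "".join("".join(row) for row in grid)

if __name__ == "__main__":
    print(rail_fence_encrypt("meet me after the toga party"))        # slide 79
    print(columnar_encrypt("attackpostponeduntiltwoamxyz", [4, 3, 1, 2, 5, 6, 7]))
```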
84. Steganography
Steganography is the art and science of writing hidden messages in such a way that no one knows of the message's existence, apart from the sender and receiver.
85. Character marking
Selected letters of printed or typewritten text are overwritten in pencil. The marks are ordinarily not visible unless the paper is held at an angle to bright light.
86. Invisible ink
A number of substances can be used for writing but leave no visible trace until heat or some chemical is applied to the paper.
87. Pin punctures
Small pin punctures on selected letters are ordinarily not visible unless the paper is held up in front of a light.
88. Block Cipher Principles
A block cipher is an encryption/decryption scheme in which a block of plaintext is treated as a whole and used to produce a cipher text block of equal length.
100. Feistel Cipher Structure
The inputs to the encryption algorithm are a plaintext block of length 2w bits and a key K.
The plaintext block is divided into two halves, L0 and R0.
The two halves of the data pass through n rounds of processing and then combine to produce the cipher text block.
Each round i has as inputs Li-1 and Ri-1, derived from the previous round, as well as a subkey Ki, derived from the overall K.
101. Feistel Cipher Structure
A substitution is performed on the left half of the data. This is done by applying a round function F to the right half of the data and then taking the exclusive-OR of the output of that function and the left half of the data.
104. Feistel Cipher Design Elements
block size - increasing the block size improves security, but decreases the encryption speed.
key size - increasing the key size improves security, but decreases the encryption speed.
number of rounds - increasing the number of rounds improves security, but decreases the encryption speed.
105. Feistel Cipher Design Elements
subkey generation algorithm - greater complexity can make analysis harder, but decreases the encryption speed.
round function - greater complexity can make analysis harder, but decreases the encryption speed.
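The Feistel structure of slides 100 and 101 as a runnable toy cipher (an added example, not the slides' code and not DES): a 32-bit block split into two 16-bit halves, n rounds of Li = Ri-1, Ri = Li-1 XOR F(Ri-1, Ki), and decryption that reuses the same network with the subkeys reversed. The round function, the key schedule, the width w = 16 and the round count are my own choices, made only to show the structure and to count the avalanche effect of slide 139; they carry no security claim.

```python
# Toy Feistel network: encryption and decryption are the same rounds in opposite key order.
W = 16                       # half-block width w, so the block is 2w = 32 bits (assumption)
MASK = (1 << W) - 1
ROUNDS = 16                  # assumption: same round count as DES

def round_function(r, k):
    """Toy F(R, K): add the subkey, rotate, square (nonlinear), rotate again."""
    x = (r + k) & MASK
    x ^= ((x << 5) | (x >> (W - 5))) & MASK
    x = (x * x + k) & MASK
    return x ^ (((x >> 7) | (x << (W - 7))) & MASK)

def subkeys(key, rounds=ROUNDS):
    """Toy key schedule: rotate the 32-bit key each round and take the low w bits."""
    ks = []
    key &= 0xFFFFFFFF
    for i in range(rounds):
        key = ((key << 3) | (key >> 29)) & 0xFFFFFFFF
        ks.append((key ^ (i * 0x9E37)) & MASK)
    return ks

def feistel(block, ks):
    """Run the rounds; the final swap makes the network its own inverse under reversed keys."""
    l, r = block >> W, block & MASK          # L0, R0
    for k in ks:
        l, r = r, l ^ round_function(r, k)   # Li = Ri-1, Ri = Li-1 XOR F(Ri-1, Ki)
    return (r << W) | l

def encrypt(block, key):
    return feistel(block, subkeys(key))

def decrypt(block, key):
    return feistel(block, subkeys(key)[::-1])   # same rounds, subkeys in reverse order

def avalanche(block, key, bit):
    """Number of cipher text bits that change when one plaintext bit is flipped (slide 139)."""
    c1 = encrypt(block, key)
    c2 = encrypt(block ^ (1 << bit), key)
    return bin(c1 ^ c2).count("1")

def avalanche_average(block, key):
    """Mean number of changed cipher text bits over all 32 single-bit plaintext flips."""
    return sum(avalanche(block, key, b) for b in range(2 * W)) / (2 * W)

if __name__ == "__main__":
    key, block = 0x0123ABCD, 0xDEADBEEF         # constructed sample values
    c = encrypt(block, key)
    print(hex(c), hex(decrypt(c, key)), avalanche_average(block, key))
```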
106. Simplified DES
Developed in 1996 as a teaching tool at Santa Clara University by Prof. Edward
Takes an 8-bit block of plaintext and a 10-bit key and produces an 8-bit block of cipher text.
Decryption takes the 8-bit block of cipher text and the same 10-bit key and produces the original 8-bit block of plaintext.
108. Five Functions to Encrypt
IP - an initial permutation
fk - a complex, 2-input function
SW - a simple permutation that swaps the two nibbles
fk - a complex, 2-input function, again
IP-1 - the inverse of the initial permutation
117. DES
The Data Encryption Standard (DES) is a block cipher that uses shared secret encryption.
Data are encrypted in 64-bit blocks using a 56-bit key. The algorithm transforms 64-bit input in a series of steps into a 64-bit output.
118. DES
• Adopted in 1976 as US Government standard encryption technique
• Utilizes a 56-bit symmetric key
• Cracked in 1998
• Replaced in 2002 by AES, which utilizes 128-bit keys.
120. DES
• First, the 64-bit plaintext passes through an initial permutation (IP) that rearranges the bits to produce the permuted input.
• This is followed by a phase consisting of 16 rounds of the same function, which involves both permutation and substitution functions.
121. DES
• The output of the last (sixteenth) round consists of 64 bits that are a function of the input plaintext and the key.
• The left and right halves of the output are swapped to produce the preoutput.
• Finally, the preoutput is passed through a permutation (IP-1) that is the inverse of the initial permutation function, to produce the 64-bit cipher text.
126. Details of Single Round
• uses two 32-bit L & R halves
• as for any Feistel cipher, a round can be described as:
Li = Ri-1
Ri = Li-1 ⊕ F(Ri-1, Ki)
• F takes the 32-bit R half and a 48-bit subkey:
– expands R to 48 bits using permutation E
– adds to the subkey using XOR
– passes through 8 S-boxes to get a 32-bit result
– finally permutes using the 32-bit permutation P
130. S-Boxes
• The substitution consists of a set of eight S-boxes, each of which accepts 6 bits as input and produces 4 bits as output.
• The first and last bits of the input to box Si form a 2-bit binary number that selects the row of the table for Si.
• The middle four bits select one of the sixteen columns.
131. Example
• For example, in S1 for input 011001, the row is 01 (row 1) and the column is 1100 (column 12).
• The value in row 1, column 12 is 9, so the output is 1001.
139. Avalanche Effect
A small change in the plaintext or in the key results in a significant change in the cipher text.
DES provides a strong avalanche effect: changing 1 bit in the plaintext affects 34 bits in the cipher text on average.
141. The Strength of DES
• The use of a 56-bit key
• The nature of the DES algorithm
• Timing attacks
142. The use of a 56-bit key
• With a key length of 56 bits, there are 2^56 possible keys.
• A single machine performing one DES encryption per microsecond would take more than a thousand years to break the cipher.
143. The Nature of the DES algorithm
Eight S-boxes are used in each iteration.
144. Timing Attacks
A timing attack is one in which information about the key or the plaintext is obtained by observing how long it takes a given implementation to perform decryptions on various cipher texts.
145. Differential Cryptanalysis
• Differential cryptanalysis is the first published attack that is capable of breaking DES in less than 2^55 encryptions.
• A powerful method to analyse block ciphers.
146. Differential Cryptanalysis
Differential cryptanalysis compares two related pairs of encryptions.
It is feasible to determine the subkey used in the function f.
The differential cryptanalysis attack is complex.
147. Differential Cryptanalysis
Compares pairs of encryptions
• with a known difference in the input
• searching for a known difference in the output
• when the same subkeys are used
148. Linear Cryptanalysis
• another recent development
• also a statistical method
• must be iterated over rounds, with decreasing probabilities
• developed by Matsui in the early 90's
• based on finding linear approximations
• can attack DES with 2^43 known plaintexts, easier but still in practice infeasible
149. Linear Cryptanalysis
For example, the following equation states that the XOR sum of the first and third plaintext bits (as in a block cipher's block) and the first cipher text bit is equal to the second bit of the key:
P1 ⊕ P3 ⊕ C1 = K2
150. Block Cipher Design
• basic principles still like Feistel's in the 1970's
• number of rounds
– more is better, so that exhaustive search is the best attack
• function f:
– provides "confusion", is nonlinear, gives avalanche
– raises the issue of how S-boxes are selected
• key schedule
– complex subkey creation, key avalanche
151. AES
• DES finally proved insecure in July 1998, when the Electronic Frontier Foundation (EFF) announced that it had broken a DES encryption using a special-purpose "DES cracker" machine that was built for less than $250,000.
• The Advanced Encryption Standard (AES) was published by NIST (National Institute of Standards and Technology) in 2001.
152. AES
AES is a block cipher intended to replace DES for commercial applications.
It uses a 128-bit block size.
AES does not use a Feistel structure.
157. Memory requirement
The memory required to implement a candidate algorithm, for both hardware and software implementations of the algorithm, will also be considered during the evaluation process.
159. Key Agility
Key agility refers to the ability to change keys quickly and with a minimum of resources.
160. The AES Cipher
• The input to the encryption and decryption algorithms is a single 128-bit block.
• This block is copied into the State array, which is modified at each stage of encryption or decryption.
• After the final stage, State is copied to an output matrix.
165. Substitute Bytes Transformation
• Replace each byte in the state array with
its corresponding value from the S-Box
State array shown on the slide (one byte per cell, rows top to bottom):
00 44 88 CC
11 55 99 DD
22 66 AA EE
33 77 BB FF
166. Shift row transformation
• The first row of State is not altered.
• For the second row, a 1-byte circular left
shift is performed.
• For the third row, a 2- byte circular left
shift is performed.
• For the fourth row, a 3-byte circular left
shift is performed.
173. Key Expansion Algorithm
• The AES key expansion algorithm takes
as input a 4-word (16-byte) key and
produces a linear array of 44 words (176
bytes).
• This is sufficient to provide a 4-word round
key for the initial AddRoundKey stage and
each of the 10 rounds of the cipher.
177. Example
Given the plaintext {00 01 02 03 04 05 06 07 08 09
0A 0B 0C 0D 0E 0F} and the key {01 01 01 01 01
01 01 01 01 01 01 01 01 01 01 01},
I. Show the original contents of State, displayed as a
4 x 4 matrix.
II.Show the value of State array after initial
AddRoundKey.
III.Show the value of State array after Sub Bytes.
IV.Show the value of State array after Shift Rows.
V.Show the value of State array after Mix Columns.
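The exercise above (plaintext 00..0F, key 01 01 ... 01) worked through in code, as an added example that is not part of the slides. The S-box is generated from its definition (multiplicative inverse in GF(2^8) followed by the affine map) instead of being typed in, State is filled column-wise as the slides describe, and the function returns State after each of steps I to V. The function names are this example's own.

```python
# Added example (not from the slides): steps I-V of the AES exercise.
# The S-box is derived from its definition rather than copied from a table.

def gmul(a: int, b: int) -> int:
    """Multiply two bytes in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p

def build_sbox() -> list:
    """S-box: multiplicative inverse (0 maps to 0) followed by the affine transform."""
    sbox = []
    for x in range(256):
        inv = 0
        if x:
            inv = 1
            for _ in range(254):          # x^254 == x^-1 in GF(2^8)
                inv = gmul(inv, x)
        s = inv
        for k in range(1, 5):             # s = inv ^ rotl(inv,1) ^ ... ^ rotl(inv,4)
            s ^= ((inv << k) | (inv >> (8 - k))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox

SBOX = build_sbox()

def to_state(block: bytes) -> list:
    """Map 16 input bytes column-wise into the 4x4 State: state[r][c] = block[r + 4c]."""
    return [[block[r + 4 * c] for c in range(4)] for r in range(4)]

def from_state(state: list) -> bytes:
    return bytes(state[r][c] for c in range(4) for r in range(4))

def add_round_key(state, round_key):
    return [[state[r][c] ^ round_key[r][c] for c in range(4)] for r in range(4)]

def sub_bytes(state):
    return [[SBOX[b] for b in row] for row in state]

def shift_rows(state):
    # row r is rotated left by r byte positions (row 0 unchanged)
    return [row[r:] + row[:r] for r, row in enumerate(state)]

def mix_columns(state):
    out = [[0] * 4 for _ in range(4)]
    for c in range(4):
        a = [state[r][c] for r in range(4)]
        out[0][c] = gmul(a[0], 2) ^ gmul(a[1], 3) ^ a[2] ^ a[3]
        out[1][c] = a[0] ^ gmul(a[1], 2) ^ gmul(a[2], 3) ^ a[3]
        out[2][c] = a[0] ^ a[1] ^ gmul(a[2], 2) ^ gmul(a[3], 3)
        out[3][c] = gmul(a[0], 3) ^ a[1] ^ a[2] ^ gmul(a[3], 2)
    return out

def first_round_trace(plaintext: bytes, key: bytes) -> dict:
    """Return State after each of steps I-V of the exercise, as 16-byte strings."""
    state = to_state(plaintext)
    trace = {"initial": from_state(state)}
    state = add_round_key(state, to_state(key))     # round key 0 is the cipher key itself
    trace["add_round_key"] = from_state(state)
    state = sub_bytes(state)
    trace["sub_bytes"] = from_state(state)
    state = shift_rows(state)
    trace["shift_rows"] = from_state(state)
    state = mix_columns(state)
    trace["mix_columns"] = from_state(state)
    return trace

if __name__ == "__main__":
    pt = bytes(range(16))            # plaintext from the exercise
    k = bytes([0x01] * 16)           # key from the exercise
    for step, value in first_round_trace(pt, k).items():
        print(f"{step:14s} {value.hex()}")
```

Because the key is all 01 bytes, AddRoundKey simply flips the low bit of every plaintext byte, so the SubBytes result can be read straight off the first row of the standard S-box table; the MixColumns output is the part that genuinely needs the GF(2^8) arithmetic.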
183. Example
Consider the given key K and the plaintext, namely:
• in hexadecimal notation: 0 1 2 3 4 5 6 7 8 9 A B C D E F
• in binary notation: 0000 0001 0010 0011 0100 0101 0110 0111 1000 1001 1010 1011 1100 1101 1110 1111
184. A. Derive K1, the first-round subkey.
B. Derive L0, R0.
C. Expand R0 to get E[R0], where E[·] is the
expansion function.
D. Calculate A = E[R0] ⊕ K1.
E. Group the 48-bit result of (D) into sets of 6 bits
and evaluate the corresponding S-box
substitutions.
F. Concatenate the results of (E) to get a 32-bit
result, B.
G. Apply the permutation to get P(B).
H. Calculate R1 = P(B) ⊕ L0.
I. Write down the cipher text.
185. UNIT-II
Multiple Encryption and Triple DES
Block Cipher Modes of Operation
Stream cipher and RC4
Placement of Encryption function
Traffic confidentiality
Key Distribution
Principle of Public Key Cryptosystems
The RSA Algorithm
Key management
Diffie Hellman Key Exchange
Elliptic curve cryptography.
187. Double DES
The simplest form of multiple encryption
has two encryption stages and two keys.
Given a plaintext P and two encryption keys
K1 and K2, cipher text C is generated as
C = E(K2, E(K1, P))
189. Double DES
• Decryption requires that the keys be
applied in reverse order:
P = D(K1, D(K2, C))
• This scheme apparently involves a key
length of 56 x 2 = 112 bits, resulting in a
dramatic increase in cryptographic
strength.
190. Meet-in-the-middle attack
• Given a known pair, (P, C), the attack
proceeds as follows.
• First, encrypt P for all 2^56 possible values of
K1. Store these results X = E(K1, P) in a table and then
sort the table by the values of X.
• Next, decrypt C using all 2^56 possible
values of K2. As each decryption is
produced, check the result against the
table for a match.
191. Meet-in-the-middle attack
• If a match occurs, then test the two
resulting keys against a new known
plaintext-cipher text pair.
• If the two keys produce the correct cipher
text, accept them as the correct keys.
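The meet-in-the-middle procedure of the two slides above, as an added example that is not part of the slides. Rather than DES it uses a constructed toy cipher with a 16-bit block and a 12-bit key (an ARX-style mixer invented for this example, not a real cipher), so that the two tables of 2^12 entries fit in memory and the run completes instantly. The point the slides make is the work factor: the attack costs on the order of 2 x 2^12 cipher operations, not the 2^24 that the doubled key length suggests, which is why double encryption adds almost nothing and 3DES is used instead.

```python
# Added example (not from the slides): meet-in-the-middle against double
# encryption with a constructed toy block cipher (12-bit key, 16-bit block).

MASK16 = 0xFFFF
KEY_BITS = 12

def _rotl16(x: int, r: int) -> int:
    return ((x << r) | (x >> (16 - r))) & MASK16

def toy_encrypt(key: int, block: int) -> int:
    """Constructed toy cipher: three rounds of XOR with the key, add a
    key-derived constant, rotate. Each step is a bijection, so it inverts."""
    x = block
    for r in range(3):
        x = (x ^ key) & MASK16
        x = (x + _rotl16(key, 5 * r + 3)) & MASK16
        x = _rotl16(x, 7)
    return x

def toy_decrypt(key: int, block: int) -> int:
    x = block
    for r in reversed(range(3)):
        x = _rotl16(x, 9)                          # undo rotate-left by 7
        x = (x - _rotl16(key, 5 * r + 3)) & MASK16
        x = (x ^ key) & MASK16
    return x

def double_encrypt(k1: int, k2: int, p: int) -> int:
    return toy_encrypt(k2, toy_encrypt(k1, p))     # C = E(K2, E(K1, P))

def meet_in_the_middle(pairs):
    """Recover (k1, k2) from known (P, C) pairs following the slides' steps.
    Returns (k1, k2, number_of_cipher_operations) or None."""
    p0, c0 = pairs[0]
    # Step 1: table of X = E(K1, P) for every K1, indexed by X (a dict replaces sorting).
    table = {}
    for k1 in range(1 << KEY_BITS):
        table.setdefault(toy_encrypt(k1, p0), []).append(k1)
    work = 1 << KEY_BITS
    # Step 2: decrypt C under every K2 and look the result up in the table.
    for k2 in range(1 << KEY_BITS):
        work += 1
        x = toy_decrypt(k2, c0)
        for k1 in table.get(x, ()):
            # Step 3: confirm the candidate pair on the remaining known pairs.
            if all(double_encrypt(k1, k2, p) == c for p, c in pairs[1:]):
                return k1, k2, work
    return None

if __name__ == "__main__":
    k1, k2 = 0xABC, 0x123                      # constructed secret keys
    known = [(p, double_encrypt(k1, k2, p)) for p in (0x0000, 0x1234, 0xBEEF)]
    print(meet_in_the_middle(known), "vs brute force of", 1 << (2 * KEY_BITS))
```

A single (P, C) pair leaves about 2^(2k - n) false matches for a k-bit key and n-bit block (here 2^8), which is why the slides insist on checking candidates against a second known pair before accepting them.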
192. Triple DES with Two Keys
• Triple DES makes use of three stages of
the DES algorithm, using a total of two or
three distinct keys.
• The function follows an encrypt-decrypt-encrypt (EDE) sequence:
C = E(K1, D(K2, E(K1, P)))
194. Triple DES with Three Keys
• Three-key 3DES has an effective key
length of 168 bits and is defined as
follows:
• C = E(K3, D(K2, E(K1, P)))
195. Block Cipher Modes of Operation
• To apply a block cipher in a variety of
applications, four "modes of operation"
have been defined by NIST.
• A mode of operation is a technique for
enhancing the effect of a cryptographic
algorithm for an application.
198. Limitation of ECB
• The most significant characteristic of ECB
is that the same b-bit block of plaintext, if it
appears more than once in the message,
always produces the same cipher text.
• For lengthy messages, the ECB mode
may not be secure.
200. Cipher Block Chaining (CBC)
• To overcome the security deficiencies of
ECB, we would like a technique in which
the same plaintext block, if repeated,
produces different cipher text blocks.
• A simple way to satisfy this requirement is
the cipher block chaining (CBC) mode.
• The input to the encryption algorithm is the
XOR of the next 64 bits of plaintext and
the preceding 64 bits of cipher text.
205. Cipher Feedback (CFB)
Input is processed j bits at a time.
Preceding cipher text is used as input to
the encryption algorithm to produce
pseudorandom output, which is XORed
with plaintext to produce next unit of
cipher text.
208. Limitation of CFB
A possible problem is that if it is used over
a "noisy" link, then any corrupted bit will
destroy values in the current and next
blocks.
210. Output Feedback (OFB)
The alternative to CFB is OFB. Here the
generation of the "random" bits is
independent of the message being
encrypted.
The advantage is that firstly, they can be
computed in advance, good for bursty
traffic, and secondly, any bit error only
affects a single bit. Thus this is good for
noisy links (eg satellite TV transmissions
etc).
215. Advantages and Limitations of CTR
• can do parallel encryptions in h/w or s/w
• good for bursty high speed links
• provable security (as good as other modes)
• but CTR must never reuse the same key
and counter value
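The three mode properties discussed on the ECB, CBC and CTR slides (repeated plaintext blocks leaking through ECB, CBC hiding them by chaining, and the consequence of reusing a key/counter pair in CTR), as an added example that is not part of the slides. There is no block cipher in the Python standard library, so the block cipher here is a constructed 64-bit, four-round Feistel network whose round function is HMAC-SHA256; it is a stand-in for DES or AES, not a cipher anyone should deploy. The mode functions themselves are the textbook constructions.

```python
# Added example (not from the slides): ECB, CBC and CTR over a constructed
# 64-bit Feistel cipher. Block size and nonce layout are this example's choices.
import hashlib
import hmac

BLOCK = 8   # 64-bit blocks, as on the CBC slide

def _round(key: bytes, rnd: int, half: bytes) -> bytes:
    """Keyed round function: 4 bytes of HMAC-SHA256 over (round number || half)."""
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:4]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def block_encrypt(key: bytes, block: bytes) -> bytes:
    L, R = block[:4], block[4:]
    for rnd in range(4):
        L, R = R, xor(L, _round(key, rnd, R))
    return L + R

def block_decrypt(key: bytes, block: bytes) -> bytes:
    L, R = block[:4], block[4:]
    for rnd in reversed(range(4)):
        L, R = xor(R, _round(key, rnd, L)), L
    return L + R

def _blocks(data: bytes):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key: bytes, pt: bytes) -> bytes:
    """ECB: every block independently; equal plaintext blocks give equal cipher text blocks."""
    return b"".join(block_encrypt(key, b) for b in _blocks(pt))

def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    """CBC: each block is XORed with the preceding cipher text block before encryption."""
    out, prev = [], iv
    for b in _blocks(pt):
        prev = block_encrypt(key, xor(b, prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for c in _blocks(ct):
        out.append(xor(block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)

def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR: keystream block n = E(K, nonce || n); the same call encrypts and decrypts.
    nonce is 4 bytes here so that nonce || 32-bit counter fills one 64-bit block."""
    out = []
    for n, chunk in enumerate(_blocks(data)):
        keystream = block_encrypt(key, nonce + n.to_bytes(4, "big"))
        out.append(xor(chunk, keystream))     # zip truncates keystream for a short last block
    return b"".join(out)

def repeated_blocks(ct: bytes) -> int:
    """How many cipher text blocks duplicate an earlier one: the ECB leak."""
    blocks = _blocks(ct)
    return len(blocks) - len(set(blocks))

def ctr_nonce_reuse_leak(key: bytes, nonce: bytes, p1: bytes, p2: bytes) -> bool:
    """With the same key and nonce, C1 xor C2 == P1 xor P2: the keystream cancels out."""
    return xor(ctr_crypt(key, nonce, p1), ctr_crypt(key, nonce, p2)) == xor(p1, p2)
```

Run `repeated_blocks` on the ECB output of a message with a repeating 16-byte pattern and the duplicate cipher text blocks are plain to see, whereas the CBC output of the same message has none; `ctr_nonce_reuse_leak` is the concrete form of the warning on the CTR slide.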
221. Design considerations
• long period with no repetitions of pseudo
random key.
• output of the pseudorandom number
generator is conditioned on the value of
the input key.
• To protect against brute-force attacks, the
key needs to be sufficiently long.
222. RC4 Basics
• A symmetric key encryption algorithm.
• Invented by Ron Rivest.
• Normally uses 64 bit and 128 bit key sizes.
• Cryptographically very strong yet very easy to
implement.
• Consists of 2 parts: Key Scheduling Algorithm
(KSA) & Pseudo-Random Generation Algorithm (PRGA)
224. RC4 …break up
• Initialize an array of 256 bytes.
• Run the KSA on them
• Run the PRGA on the KSA output to
generate keystream.
• XOR the data with the keystream.
225. Array Initialization
C Code:
unsigned char S[256];   /* the state array, one byte per entry */
int i;
for (i = 0; i < 256; i++)
    S[i] = i;           /* identity permutation */
After this the array would look like this:
S[] = { 0, 1, 2, 3, ..., 254, 255 }
226. The KSA
• The initialized array S[256] is now run through
the KSA. The KSA uses the secret key to
scramble the array.
• C Code for KSA (key is an array of key_len bytes):
int i, j = 0;
unsigned char tmp;
for (i = 0; i < 256; i++)
{
    j = (j + S[i] + key[i % key_len]) % 256;
    tmp = S[i]; S[i] = S[j]; S[j] = tmp;   /* swap(S[i], S[j]) */
}
227. The PRGA
• The KSA scrambled S[256] array is used to generate the
PRGA. This is the actual keystream.
• C Code (emits one keystream byte per loop iteration):
i = j = 0;
while (output_bytes--)
{
    i = (i + 1) % 256;
    j = (j + S[i]) % 256;
    tmp = S[i]; S[i] = S[j]; S[j] = tmp;   /* swap(S[i], S[j]) */
    output = S[(S[i] + S[j]) % 256];       /* next keystream byte */
}
228. Encryption using RC4
• Choose a secret key
• Run the KSA and PRGA using the key to
generate a keystream.
• XOR keystream with the data to generate the
encrypted stream.
• Transmit Encrypted stream.
229. Decryption using RC4
• Use the same secret key as during the encryption phase.
• Generate keystream by running the KSA and PRGA.
• XOR keystream with the encrypted text to generate the
plain text.
• Logic is simple :
(A xor B) xor B = A
A = Plain Text or Data
B = KeyStream
230. RC4 Example
• Simple 4-byte example
• S = {0, 1, 2, 3}
• K = {1, 7, 1, 7}
• Set i = j = 0
231. KSA
First Iteration (i = 0, j = 0, S = {0, 1, 2, 3}):
j = (j + S[ i ] + K[ i ]) = (0 + 0 + 1) = 1
Swap S[ i ] with S[ j ]: S = {1, 0, 2, 3}
Second Iteration (i = 1, j = 1, S = {1, 0, 2, 3}):
j = (j + S[ i ] + K[ i ]) = (1 + 0 + 7) = 0 (mod 4)
Swap S[ i ] with S[ j ]: S = {0, 1, 2, 3}
232. KSA
Third Iteration (i = 2, j = 0, S = {0, 1, 2, 3}):
j = (j + S[ i ] + K[ i ]) = (0 + 2 + 1) = 3
Swap S[ i ] with S[ j ]: S = {0, 1, 3, 2}
Fourth Iteration (i = 3, j = 3, S = {0, 1, 3, 2}):
j = (j + S[ i ] + K[ i ]) = (3 + 2 + 7) = 0 (mod 4)
Swap S[ i ] with S[ j ]: S = {2, 1, 3, 0}
233. PRGA
Reset i = j = 0, Recall S = {2, 1, 3, 0}
i = i + 1 = 1
j = j + S[ i ] = 0 + 1 = 1
Swap S[ i ] and S[ j ]: S = {2, 1, 3, 0}
Output z = S[ S[ i ] + S[ j ] ] = S[2] = 3
234. Analysis of RC4
• Advantages
– Faster than DES
– Enormous key space (average of 1700 bits)
• Disadvantages
– Large number of “weak” keys (1 in 256)
– “Weak” keys can be detected and exploited
with a high probability
235. Placement of Encryption function
If encryption is to be used to counter
attacks on confidentiality, we need to
decide what to encrypt and where the
encryption function should be located.
241. Placement of Encryption
With end-to-end encryption, user data are
secure, but the traffic pattern is not because
packet headers are transmitted in the clear.
To achieve greater security, both link and
end-to-end encryption are needed
242. Placement of Encryption
• can place encryption function at various
layers in OSI Reference Model
– link encryption occurs at layers 1 or 2
– end-to-end can occur at layers 3, 4, 6, 7
246. Information that can be derived from a traffic
analysis attack:
• Identities of partners
• How frequently the partners are
communicating
• Message pattern, message length, or
quantity of messages that suggest
important information is being exchanged
247. Link Encryption Approach
Network-layer headers are encrypted,
reducing the opportunity for traffic
analysis.
However, it is still possible to observe the
amount of traffic entering and leaving
each end system.
250. Traffic-Padding Encryption Device
• A continuous random data stream is
generated.
• When plaintext is available, it is encrypted
and transmitted.
• When input plaintext is not present,
random data are encrypted and
transmitted.
• This makes it impossible for an attacker to
distinguish between true data flow and
padding.
251. End-to-End Encryption Approach
• If encryption is implemented at the
application layer, then an opponent can
still determine which transport entities are
engaged in dialogue.
• In addition, null messages can be inserted
randomly into the stream. These tactics
deny an opponent knowledge about the
amount of data exchanged between end
users and make it difficult to understand the
underlying traffic pattern.
253. Key Distribution
given parties A and B have various key
distribution alternatives:
1. A can select key and physically deliver to B
2. third party can select & deliver key to A & B
3. if A & B have communicated previously can
use previous key to encrypt a new key
4. if A & B have secure communications with a
third party C, C can relay key between A & B
254. Session key
• Session keys can also be termed
temporary keys or one-time use keys.
Usually after a session, these keys are
discarded and not used again.
• Communication between end systems is
encrypted using session key.
255. Master key
• session keys are transmitted in encrypted
form, using a master key that is shared
by the key distribution center and an end
system or user.
258. Key Distribution Scenario
• A issues a request to the KDC for a
session key to protect a logical connection
to B.
• The KDC responds with a message
encrypted using Ka. Thus, A is the only
one who can successfully read the
message, and A knows that it originated at
the KDC.
259. Key Distribution Scenario
• A stores the session key for use in the upcoming
session and forwards to B the information that
originated at the KDC for B, namely, E(Kb, [Ks ||
IDA]). Because this information is encrypted with
Kb, it is protected from eavesdropping.
• B now knows the session key (Ks), knows that
the other party is A (from IDA), and knows that
the information originated at the KDC (because it
is encrypted using Kb).
260. Key Distribution Scenario
• Using the newly minted session key for
encryption, B sends a nonce, N2, to A.
• Also using Ks, A responds with f(N2),
where f is a function that performs some
transformation on N2 (e.g., adding one).
262. Hierarchical Key Control
• It is not necessary to limit the key
distribution function to a single KDC.
Indeed, for very large networks, it may not
be practical to do so. As an alternative, a
hierarchy of KDCs can be established.
• If two entities in different domains desire a
shared key, then the corresponding local
KDCs can communicate through a global
KDC.
264. Decentralized Key Control
1. A issues a request to B for a session key and
includes a nonce, N1
2. B responds with a message that is encrypted
using the shared master key. The response
includes the session key selected by B, an
identifier of B, the value f(N1), and another
nonce, N2.
3. Using the new session key, A returns f(N2) to B.
266. Private-Key Cryptography
• traditional private/secret/single key
cryptography uses one key
• shared by both sender and receiver
• if this key is disclosed communications are
compromised
• does not support authentication
267. Public-Key Cryptography
• Asymmetric encryption is a form of cryptosystem
in which encryption and decryption are performed
using different keys, one a public key and
one a private key. It is also known as public-key
encryption.
• Asymmetric encryption transforms plaintext into
cipher text using one of the two keys and an
encryption algorithm. Using the paired key and a
decryption algorithm, the plaintext is recovered
from the cipher text.
• Asymmetric encryption can be used for
confidentiality, authentication, or both.
268. Public-Key Cryptography
public-key/two-key/asymmetric cryptography
involves the use of two keys:
– a public-key, which may be known by
anybody, and can be used to encrypt
messages, and verify signatures
– a private-key, known only to the recipient,
used to decrypt messages, and sign
(create) signatures
269. Principles of Public-Key Cryptosystems
• The concept of public-key cryptography
evolved from an attempt to attack two of
the most difficult problems associated with
symmetric encryption:
• Key distribution
• Data authentication, which symmetric
encryption does not support
271. Encryption
• Each user generates a pair of keys to be
used for the encryption and decryption of
messages.
• Each user places one of the two keys in a
public register. This is the public key.
• The companion key is kept private.
272. Encryption
• If Bob wishes to send a confidential
message to Alice, Bob encrypts the
message using Alice's public key.
• When Alice receives the message, she
decrypts it using her private key.
• No other recipient can decrypt the
message because only Alice knows
Alice's private key.
274. Difference between Symmetric Encryption and Asymmetric Encryption
Symmetric encryption | Asymmetric encryption
Symmetric encryption is a form of cryptosystem in which encryption and decryption are performed using the same key. | Asymmetric encryption is a form of cryptosystem in which encryption and decryption are performed using different keys: one is a public key and the other is a private key.
It is also known as secret key encryption. | It is also known as public-key encryption.
Symmetric encryption can be used for confidentiality. | Asymmetric encryption can be used for confidentiality, authentication, or both.
The most widely used symmetric-key cryptosystem is transposition and substitution. | The most widely used public-key cryptosystem is RSA.
276. Public-Key Cryptosystem: Secrecy
• With the message X and the encryption
key PUb as input, A forms the cipher text
Y = [Y1, Y2, ..., YN]:
Y = E(PUb, X)
• The intended receiver, in possession of
the matching private key, is able to invert
the transformation:
X = D(PRb, Y)
280. Requirements for Public-Key Cryptography
1. It is computationally easy for a party B to
generate a pair (public key PUb, private key
PRb).
2. It is computationally easy for a sender A,
knowing the public key and the message to be
encrypted, M, to generate the corresponding
cipher text: C = E(PUb, M)
3. It is computationally easy for the receiver B to
decrypt the resulting cipher text using the private
key to recover the original message: M = D(PRb,
C) = D[PRb, E(PUb, M)]
281. Requirements for Public-Key Cryptography
4. It is computationally infeasible for an
opponent, knowing the public key, PUb, to
determine the private key, PRb.
5. It is computationally infeasible for an
opponent, knowing the public key, PUb,
and a cipher text, C, to recover the original
message, M.
284. The RSA Algorithm
The RSA algorithm was developed by Ron
Rivest, Adi Shamir, and Len Adleman at
MIT and first published in 1978.
The RSA scheme is a block cipher in
which the plaintext and cipher text are
integers between 0 and n.
285. RSA Public Key Cryptosystem
[Figure: Alice sends cipher text to Bob across the network. Bob's public key (e, n) is published in a public key directory (Yellow/White Pages); Bob alone holds the secret key d.]
Encryption (Alice, plain text to cipher text): c = m^e mod n
Decryption (Bob, cipher text to plain text): m = c^d mod n
286. The RSA Algorithm – Key Generation
1. Select p, q              p and q both prime
2. Calculate n = p × q
3. Calculate φ(n) = (p − 1)(q − 1)
4. Select integer e         gcd(φ(n), e) = 1; 1 < e < φ(n)
5. Calculate d              d ≡ e^(−1) (mod φ(n))
6. Public Key KU = {e, n}
7. Private key KR = {d, n}
287. The RSA Algorithm - Encryption
• Plaintext: M < n
• Ciphertext: C = M^e (mod n)
288. The RSA Algorithm - Decryption
• Ciphertext: C
• Plaintext: M = C^d (mod n)
289. Example
Select two prime numbers, p = 17 and q = 11.
Calculate n = pq = 17 x 11 = 187.
Calculate φ(n) = (p − 1)(q − 1) = 16 x 10 = 160.
Select e such that e is relatively prime to φ(n) =
160 and less than φ(n); we choose e = 7.
290. Example
Calculate the d value using the formula
d = (1 + X · φ(n)) / e
X = 0: d = (1 + 0 · 160) / 7 = 0.143
X = 1: d = (1 + 1 · 160) / 7 = 23
d = 23
291. Example
PU={e, n}
PR={d , n}
The resulting keys are
public key PU = {7,187}
private key PR = {23,187}.
304. The Security of RSA
Brute force: This involves trying all
possible private keys.
Mathematical attacks: There are several
approaches, all equivalent in effort to
factoring the product of two primes.
Timing attacks: These depend on the
running time of the decryption algorithm.
Chosen cipher text attacks: This type of
attack makes use of properties of the RSA
algorithm.
305. Key Management
One of the major roles of public-key
encryption has been to address the
problem of key distribution.
• The distribution of public keys
• Distribution of secret keys using public key
306. Distribution of Public Keys
• Public announcement
• Publicly available directory
• Public-key authority
• Public-key certificates
307. Public Announcement of Public Keys
• any participant can send his or her public
key to any other participant or broadcast
the key to the community at large.
309. Example
• For example, USENET is a public forum:
anybody can post a message and read
messages.
• It has a major weakness.
• Some user could pretend to be user A and
send a public key to another participant.
310. Publicly Available Directory
• can obtain greater security by registering keys
with a public directory
• The authority maintains a directory with a {name,
public key} entry for each participant.
• Each participant registers a public key with the
directory authority.
• A participant may replace the existing key with a
new one at any time.
• Participants could also access the directory
electronically.
312. Public-Key Authority
Stronger security for public-key distribution
can be achieved by providing tighter
control over the distribution of public keys
from the directory.
314. Public-Key Authority
1. A sends a time stamped message to the public-key authority containing a
request for the current public key of B.
2. The authority responds with a message that is encrypted using the
authority's private key, PRauth. Thus, A is able to decrypt the message using
the authority's public key.
The message includes the following:
● B's public key, PUb, which A can use to encrypt messages destined for B
● The original request, to enable A to match this response with the
corresponding earlier request and to verify that the original request was not
altered before reception by the authority
● The original timestamp, so A can determine that this is not an old
message from the authority.
315. Public-Key Authority
3. A stores B's public key and also uses it to encrypt a message to B containing
an identifier of A (IDA) and a nonce (N1), which is used to identify this
transaction uniquely.
4, 5. B retrieves A's public key from the authority in the same manner as A
retrieved B's public key.
At this point, public keys have been securely delivered to A and B, and they
may begin their protected exchange. However, two additional steps are
desirable:
6. B sends a message to A encrypted with PUa and containing A's nonce
(N1) as well as a new nonce generated by B (N2). Because only B could
have decrypted message (3), the presence of N1 in message (6) assures A
that the correspondent is B.
7. A returns N2, encrypted using B's public key, to assure B that its
correspondent is A.
317. Public-Key Certificates
• Any participant can read a certificate to
determine the name and public key of the
certificate's owner.
• Any participant can verify that the
certificate originated from the certificate
authority and is not counterfeit.
• Only the certificate authority can create
and update certificates.
318. Distribution of Secret Keys Using Public-Key Cryptography
• Simple Secret Key Distribution
• Secret Key Distribution with
Confidentiality and Authentication
320. Simple Secret Key Distribution
1. A generates a public/private key pair
{PUa, PRa} and transmits a message to B
consisting of PUa and an identifier of A,
IDA.
2. B generates a secret key, Ks, and
transmits it to A, encrypted with A's
public key.
321. Simple Secret Key Distribution
3. A computes D(PRa, E(PUa, Ks)) to
recover the secret key. Because only A
can decrypt the message, only A and B
will know the identity of Ks.
4. A discards PUa and PRa and B
discards PUa.
322. Man-in-the-middle attack
1. A generates a public/private key pair
{PUa, PRa} and transmits a message
intended for B consisting of PUa and an
identifier of A, IDA.
2. E captures the message, creates its own
public/private key pair {PUe, PRe} and
transmits PUe || IDA to B.
323. Man-in-the-middle attack
3. B generates a secret key, Ks, and
transmits E(PUe, Ks).
4. E captures the message, and learns Ks by
computing D(PRe, E(PUe, Ks)).
5. E transmits E(PUa, Ks) to A.
325. Secret Key Distribution with Confidentiality and Authentication
1. A uses B's public key to encrypt a
message to B containing an identifier of A
(IDA) and a nonce (N1), which is used to
identify this transaction uniquely.
2. B sends a message to A encrypted with
PUa and containing A's nonce (N1) as well
as a new nonce generated by B (N2).
Because only B could have decrypted
message (1), the presence of N1 in
message (2) assures A that the
correspondent is B.
326. 3. A returns N2, encrypted using B's public
key, to assure B that its correspondent is
A.
4. A selects a secret key Ks and sends M =
E(PUb, E(PRa, Ks)) to B. Encryption of
this message with B's public key ensures
that only B can read it; encryption with A's
private key ensures that only A could have
sent it.
5. B computes D(PUa, D(PRb, M)) to
recover the secret key.
327. Diffie-Hellman Key Exchange
The purpose of the algorithm is to enable
two users to securely exchange a key that
can then be used for subsequent
encryption of messages.
328. Primitive roots
p is a prime number.
a is a primitive root of p if it satisfies the following condition:
a mod p, a^2 mod p, ..., a^(p−1) mod p
are distinct and consist of the integers from
1 through p−1 in some permutation.
329. Primitive roots
3 is a primitive root of 5 (a = 3, p = 5):
i   a^i   a^i mod 5
1   3     3
2   9     4
3   27    2
4   81    1
330. Primitive roots
4 is not a primitive root of 5 (a = 4, p = 5):
i   a^i   a^i mod 5
1   4     4
2   16    1
3   64    4
4   256   1
337. Diffie-Hellman Example
Users A and B use the Diffie-Hellman key
exchange technique with a common prime
q = 71 and a primitive root a = 7.
i)If user A has private key XA = 5, what is A's
public key YA?
ii)If user B has private key XB = 12, what is
B's public key YB?
iii) What is the shared secret key?
340. Diffie-Hellman Example
Consider a Diffie-Hellman scheme with a
common prime q = 11 and a primitive root
a = 2.
I. Show that 2 is a primitive root of 11.
II. If user A has public key YA = 9, what is A's
private key XA?
III. If user B has public key YB = 3, what is the
shared secret key K, shared with A?
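The two Diffie-Hellman exercises above, together with the primitive-root test from slides 328 to 330, solved in code as an added example that is not part of the slides. The exhaustive discrete-log search is included only because the q = 11 exercise asks for a private key given a public key; with a prime of realistic size (2048 bits) that search is exactly the problem the scheme relies on being infeasible. The function names are this example's own.

```python
# Added example (not from the slides): Diffie-Hellman with the slides' parameters.

def is_primitive_root(a: int, p: int) -> bool:
    """a is a primitive root of prime p if a^1 .. a^(p-1) mod p are all distinct,
    i.e. they are the integers 1 .. p-1 in some permutation."""
    return sorted(pow(a, i, p) for i in range(1, p)) == list(range(1, p))

def dh_public(q: int, a: int, x: int) -> int:
    """Public key Y = a^X mod q."""
    return pow(a, x, q)

def dh_shared(q: int, y_other: int, x_own: int) -> int:
    """Shared secret K = Y_other^X_own mod q."""
    return pow(y_other, x_own, q)

def dh_exchange(q: int, a: int, xa: int, xb: int):
    """Both sides of the exchange; returns (YA, YB, K) after checking both sides agree."""
    ya, yb = dh_public(q, a, xa), dh_public(q, a, xb)
    ka, kb = dh_shared(q, yb, xa), dh_shared(q, ya, xb)
    if ka != kb:
        raise AssertionError("both parties must derive the same key")
    return ya, yb, ka

def discrete_log(q: int, a: int, y: int):
    """Smallest X with a^X = Y (mod q), by exhaustive search. Toy sizes only:
    this is the computation that must be infeasible for the scheme to be secure."""
    for x in range(1, q):
        if pow(a, x, q) == y:
            return x
    return None

if __name__ == "__main__":
    print("slide 337:", dh_exchange(71, 7, 5, 12))           # (YA, YB, K)
    print("2 primitive root of 11:", is_primitive_root(2, 11))
    xa, xb = discrete_log(11, 2, 9), discrete_log(11, 2, 3)
    print("slide 340: XA =", xa, "XB =", xb, "K =", dh_shared(11, 3, xa))
```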
341. Elliptic Curve Cryptography
Elliptical curve cryptography (ECC) is a
public key encryption technique based on
elliptic curve theory that can be used to
create faster, smaller, and more efficient
cryptographic keys.
342. Elliptic Curve Cryptography
ECC generates keys through the
properties of the elliptic curve equation
instead of the traditional method of
generation as the product of very large
prime numbers.
343. Elliptic Curve Cryptography
• ECC requires significantly smaller key
size with same level of security.
• Benefits of having smaller key sizes :
faster computations, need less storage
space.
• ECC ideal for constrained environments :
Pagers ; PDAs ; Cellular Phones ; Smart
Cards.
344. Elliptic curve
• Elliptic curves are not ellipses. They are
so named because they are described by
cubic equations, used for calculating the
circumference of an ellipse.
• An elliptic curve is a set of points (x, y), for
which it is true that
y^2 = x^3 + ax + b
given certain chosen numbers a and b.
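Point arithmetic on y^2 = x^3 + ax + b over a prime field, plus the key exchange built on it, as an added example that is not part of the slides. The curve (p = 17, a = 2, b = 2) and base point G = (5, 1) are a constructed toy instance chosen so that every value can be checked by hand; real curves use primes of roughly 256 bits, which is where the smaller-key advantage on slide 343 comes from. The function names are this example's own.

```python
# Added example (not from the slides): elliptic curve point addition, scalar
# multiplication and ECDH on a constructed small curve over F_17.

P, A, B = 17, 2, 2          # curve y^2 = x^3 + 2x + 2 over F_17 (constructed)
G = (5, 1)                  # base point on that curve
O = None                    # the point at infinity (group identity)

def on_curve(pt) -> bool:
    if pt is O:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P == 0

def point_add(p1, p2):
    """Chord-and-tangent addition; handles identity, inverses and doubling."""
    if p1 is O:
        return p2
    if p2 is O:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return O                                            # p1 + (-p1) = O
    if p1 == p2:
        s = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P      # tangent slope
    else:
        s = (y2 - y1) * pow(x2 - x1, -1, P) % P             # chord slope
    x3 = (s * s - x1 - x2) % P
    y3 = (s * (x1 - x3) - y1) % P
    return (x3, y3)

def scalar_mult(k: int, pt):
    """k * pt by double-and-add: the one-way operation ECC keys are built on."""
    result, addend = O, pt
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result

def point_order(pt) -> int:
    """Smallest n with n * pt = O (by repeated addition; toy sizes only)."""
    n, cur = 1, pt
    while cur is not O:
        cur = point_add(cur, pt)
        n += 1
    return n

def ecdh(xa: int, xb: int):
    """Each side multiplies the other's public point by its own private scalar."""
    ya, yb = scalar_mult(xa, G), scalar_mult(xb, G)         # public keys
    return scalar_mult(xa, yb), scalar_mult(xb, ya)         # both equal xa*xb*G

if __name__ == "__main__":
    print("2G =", point_add(G, G), " order of G =", point_order(G))
    print("shared secrets:", ecdh(3, 7))
```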
354. Authentication Functions
Message encryption: The cipher text of the
entire message serves as its authenticator.
Message authentication code (MAC):
A function of the message and a secret key that
produces a fixed-length value that serves as the
authenticator.
Hash function: A function that maps a
message of any length into a fixed-length hash
value, which serves as the authenticator.
366. Requirements for MACs
1. knowing a message and its MAC, it is infeasible
to find another message with the same MAC
2. MACs should be uniformly distributed
3. MAC should depend equally on all bits of the
message.
367. Data Authentication Algorithm
• Data Authentication Algorithm (DAA) is
a widely used MAC based on DES-CBC
– using IV=0 and zero-pad of final block
– encrypt message using DES in CBC mode
– and send just the final block as the MAC
• or the leftmost M bits (16≤M≤64) of final block
• but final MAC is now too small for security
369. Hash Function
A hash function accepts a variable-size
message M as input and produces a fixed-size
output, referred to as a hash code
H(M).
The hash code is also referred to as a
message digest or hash value.
A hash value h is generated by a function
H of the form h = H(M).
376. Requirements for Hash Functions
1. can be applied to any sized message M
2. produces fixed-length output h
3. is easy to compute h=H(M) for any message M
4. given h is infeasible to find x s.t. H(x)=h
• one-way property
377. Weak collision resistance
Given an input m1 it should be difficult to
find another input m2 — where m1!=m2
— such that H(m1)=H(m2)
379. Hash Functions & MAC Security
• like block ciphers have:
• brute-force attacks exploiting
– strong collision resistance: an m-bit hash has cost 2^(m/2)
• have proposal for h/w MD5 cracker
• 128-bit hash looks vulnerable, 160-bits better
– MACs with known message-MAC pairs
• can either attack keyspace (cf key search) or MAC
• at least 128-bit MAC is needed for security
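The 2^(m/2) figure on the slide above made concrete, as an added example that is not part of the slides. SHA-256 is truncated to m bits (here 32, a constructed toy size) and a birthday search over numbered messages finds two with the same truncated hash after on the order of 2^16 trials, whereas finding a second preimage for one fixed value would take on the order of 2^32. The same arithmetic is why the slide rates a 128-bit hash as vulnerable: 2^64 trials are within reach, 2^80 (for 160 bits) much less so.

```python
# Added example (not from the slides): birthday search on a truncated hash.
import hashlib

def truncated_hash(msg: bytes, m_bits: int) -> int:
    """The m most significant bits of SHA-256(msg), as an integer."""
    digest = hashlib.sha256(msg).digest()
    return int.from_bytes(digest, "big") >> (256 - m_bits)

def birthday_collision(m_bits: int, limit: int = 1 << 24):
    """Return (msg1, msg2, trials) with msg1 != msg2 and equal m-bit hashes,
    or None if `limit` messages are exhausted. Expected trials ~ 1.25 * 2^(m/2)."""
    seen = {}
    for i in range(limit):
        msg = b"constructed-message-%d" % i          # constructed, deterministic inputs
        h = truncated_hash(msg, m_bits)
        if h in seen:
            return seen[h], msg, i + 1
        seen[h] = msg
    return None

def second_preimage_trials(target: bytes, m_bits: int, limit: int) -> int:
    """Trials needed to hit one fixed m-bit value (the 2^m attack); returns
    the trial count or -1 if `limit` is reached first."""
    t = truncated_hash(target, m_bits)
    for i in range(limit):
        msg = b"constructed-other-%d" % i
        if msg != target and truncated_hash(msg, m_bits) == t:
            return i + 1
    return -1

if __name__ == "__main__":
    m1, m2, trials = birthday_collision(32)
    print(f"collision after {trials} trials (2^(m/2) = {2 ** 16}): {m1!r} {m2!r}")
    print("second preimage within 2^16 trials:", second_preimage_trials(m1, 32, 1 << 16))
```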
380. Hash Functions & MAC Security
• cryptanalytic attacks exploit structure
– like block ciphers want brute-force attacks to be the
best alternative
• have a number of analytic attacks on iterated
hash functions
– CV_i = f[CV_(i−1), M_i]; H(M) = CV_N
– typically focus on collisions in function f
– like block ciphers is often composed of rounds
– attacks exploit properties of round functions
381. Secure Hash Algorithms
The Secure Hash Algorithm (SHA) was
developed by the National Institute of
Standards and Technology (NIST) and
published as a federal information
processing standard in 1993.
384. SHA-512
• The algorithm takes as input a message
with a maximum length of less than 2^128 bits
and produces as output a 512-bit
message digest.
• The input is processed in 1024-bit blocks.
389. Processing of a Single 1024-Bit Block
• A 512-bit buffer is used to hold
intermediate and final results of the hash
function.
• The buffer can be represented as eight
64-bit registers (a, b, c, d, e, f, g, h).
• These registers are initialized to default
hexadecimal values.
390. a = 6A09E667F3BCC908
b = BB67AE8584CAA73B
c = 3C6EF372FE94F82B
d = A54FF53A5F1D36F1
e = 510E527FADE682D1
f = 9B05688C2B3E6C1F
g = 1F83D9ABFB41BD6B
h = 5BE0CD19137E2179
391. SHA-512 Processing of a Single 1024-Bit Block
• Each round takes as input the 512-bit
buffer value abcdefgh, and updates the
contents of the buffer.
393. Where
• IV = initial value of the abcdefgh buffer
• abcdefgh_i = the output of the last round of
processing of the i-th message block
• N = the number of blocks in the message
(including padding and length fields)
• SUM64 = addition modulo 2^64 performed
separately on each word of the pair of
inputs
• MD = final message digest value
400. Creation of 80-word Input Sequence for SHA-512 Processing of Single Block
[Figure only on slides 400 to 402: the message schedule deriving the 80 words W_t from the 16 words of the block.]
403. Whirlpool
• Whirlpool is based on the use of a block
cipher for the compression function.
• It takes a message of any length less than
2^256 bits and returns a 512-bit message
digest.
404. Features
• The hash code length is 512 bits
• The underlying block cipher is based on
AES.
407. Whirlpool Overview
Step 1: Append padding bits
Step 2: Append length
Step 3: Initialize hash matrix
Step 4: Process message in 512-bit (64-
byte) blocks, using as its core, the block
cipher W.
409. Comparison of Whirlpool Block Cipher W and AES
                     W                          AES
Block size (bits)    512                        128
Key size (bits)      512                        128, 192, or 256
Matrix orientation   Input is mapped row-wise   Input is mapped column-wise
Number of rounds     10                         10, 12, or 14
411. Whirlpool Block Cipher W
The encryption algorithm takes a 512-bit
block of plaintext and a 512-bit key as
input and produces a 512-bit block of
cipher text as output.
The encryption algorithm involves the use
of four different functions: add key (AK),
substitute bytes (SB), shift columns (SC),
and mix rows (MR).
412. Whirlpool Matrix Structure
• The plaintext input to W is a single 512-bit
block.
• This block is treated as an 8 x 8 square
matrix of bytes, labeled Cstate.
415. The Nonlinear Layer SB
The leftmost 4 bits of the byte are used as
a row value and the rightmost 4 bits are
used as a column value.
These row and column values serve as
indexes into the S-box to select a unique
8-bit output value.
For example, the hexadecimal value
{95} references row 9, column 5 of the S-box,
which contains the value {BA}.
Accordingly, the value {95} is mapped into
the value {BA}.
416. Mix Row
• Each byte of a row is mapped into a new
value that is a function of all eight bytes in
that row.
• The transformation can be defined by the
matrix multiplication: B = AC
• where A is the input matrix, B is the output
matrix, and C is the transformation matrix:
417. Whirlpool Performance & Security
• Whirlpool is a very new proposal, hence
there is little experience with use
• compared to SHA-512, Whirlpool requires
more hardware resources but performs
much better in terms of throughput.
420. HMAC
HMAC is a message authentication code generated
by a hash function.
HMAC is computationally very fast and
very compact.
Any cryptographic hash function, such as
MD5 or SHA-1, may be used in the
calculation of an HMAC.
421. HMAC Algorithm
H = embedded hash function
IV = initial value input to hash function
M = message input to HMAC
Yi = i-th block of M
L = number of blocks in M
b = number of bits in a block
n = length of hash code produced by embedded
hash function
K = secret key
422. HMAC Algorithm
K+ = K padded with zeros on the left
ipad = 00110110 (36 in hexadecimal)
opad = 01011100 (5C in hexadecimal)
424. HMAC Overview
1. Append zeros to the left end of K to create
a b-bit string K+.
2. XOR K+ with ipad to produce the b-bit
block Si.
3. Append M to Si.
4. Apply H to the stream generated in step 3.
5. XOR K+ with opad to produce the b-bit
block So.
425. HMAC Overview
6.Append the hash result from step 4 to So
7.Apply H to the stream generated in step 6
and output the result.
425
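The seven steps above carried out by hand in Python, as an added example that is not part of the original slides. RFC 2104, which standardises HMAC, places the zero padding after the key bytes and hashes a key longer than b bits first, which is what the code does; the result is cross-checked against the standard library's hmac module, and the key and message values are constructed.

```python
import hashlib
import hmac  # standard library implementation, used only to cross-check and compare tags

IPAD_BYTE = 0x36   # 00110110, repeated to fill one b-bit block
OPAD_BYTE = 0x5C   # 01011100, repeated to fill one b-bit block


def hmac_manual(key: bytes, message: bytes, hash_name: str = "sha1") -> bytes:
    """HMAC(K, M) = H((K+ XOR opad) || H((K+ XOR ipad) || M)), built step by step."""
    b = hashlib.new(hash_name).block_size        # block size in bytes (64 for SHA-1)
    if len(key) > b:                              # a long key is first hashed down to n bits
        key = hashlib.new(hash_name, key).digest()
    # Step 1: pad K with zero bytes to a b-bit string K+ (zeros after the key, per RFC 2104).
    k_plus = key + b"\x00" * (b - len(key))
    # Step 2: S_i = K+ XOR ipad
    s_i = bytes(kb ^ IPAD_BYTE for kb in k_plus)
    # Steps 3-4: inner hash H(S_i || M)
    inner = hashlib.new(hash_name, s_i + message).digest()
    # Step 5: S_o = K+ XOR opad
    s_o = bytes(kb ^ OPAD_BYTE for kb in k_plus)
    # Steps 6-7: outer hash H(S_o || inner); this is the HMAC tag
    return hashlib.new(hash_name, s_o + inner).digest()


def verify_tag(key: bytes, message: bytes, tag: bytes, hash_name: str = "sha1") -> bool:
    """Receiver side: recompute the tag and compare in constant time (a plain == leaks timing)."""
    return hmac.compare_digest(hmac_manual(key, message, hash_name), tag)


def matches_stdlib(key: bytes, message: bytes, hash_name: str = "sha1") -> bool:
    """True when the hand-built tag equals the one from the standard library."""
    return hmac_manual(key, message, hash_name) == hmac.new(key, message, hash_name).digest()


if __name__ == "__main__":
    key, msg = b"constructed-key", b"constructed message"   # sample values, not from a real system
    tag = hmac_manual(key, msg)
    print("tag:", tag.hex(), "stdlib agrees:", matches_stdlib(key, msg))
    print("tampered message accepted:", verify_tag(key, msg + b"!", tag))
```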
431. CMAC Overview
The message is divided into n blocks M1..Mn, padded if necessary.
The algorithm makes use of a k-bit encryption key K and an n-bit constant K1 or K2 (depending on whether the message was padded or not).
433. CMAC Overview
T = MSB_Tlen(Cn)
where
T = message authentication code, also referred to as the tag
Tlen = bit length of T
MSB_s(X) = the s leftmost bits of the bit string X
434. Digital signature
A digital signature is an authentication mechanism that enables the creator of a message to attach a code that acts as a signature.
The signature is formed by taking the hash of the message and encrypting that hash with the creator's private key.
The signature guarantees the source and integrity of the message.
435. Digital Signature Properties
The signature must be a bit pattern that depends on the message being signed.
The signature must use some information unique to the sender, to prevent both forgery and denial.
It must be relatively easy to produce the digital signature.
It must be relatively easy to recognize and verify the digital signature.
It must be computationally infeasible to forge a digital signature.
It must be practical to retain a copy of the digital signature in storage.
436. Direct Digital Signatures
Direct Digital Signatures involve only the communicating parties.
A digital signature may be formed by encrypting the entire message with the sender's private key.
Confidentiality can be provided by further encrypting the entire message plus signature using either public or private key schemes.
Security depends on the sender's private key.
437. Arbitrated Digital Signatures
• involves use of arbiter A
– validates any signed message
– then dated and sent to recipient
• requires suitable level of trust in arbiter
• can be implemented with either private or
public-key algorithms
• arbiter may or may not see message
439. Authentication Protocols
• Authentication Protocols are used to convince parties of each other's identity and to exchange session keys.
• may be one-way or mutual
445. Global Public-Key Components
p: prime number where 2^(L-1) < p < 2^L for 512 <= L <= 1024
q: prime divisor of (p - 1), where 2^159 < q < 2^160
g = h^((p-1)/q) mod p, where h is any integer with 1 < h < (p - 1) such that h^((p-1)/q) mod p > 1
453. Kerberos
Kerberos provides a centralized
authentication server whose function is to
authenticate users to servers and servers
to users.
454. Kerberos
Kerberos is an authentication service designed for use in a distributed environment.
Kerberos makes use of a trusted third-party authentication service that enables clients and servers to establish authenticated communication.
455. Requirements for KERBEROS
Secure: an opponent does not find it to be the weak link.
Scalable: the system supports a large number of clients and servers.
Reliable: for all services that rely on Kerberos for access control, lack of availability of the Kerberos service means lack of availability of the supported services.
Transparent: the user should not be aware that authentication is taking place.
456. A Simple Authentication Dialogue
C = client
AS = authentication server
V = server
IDc = identifier of user on C
IDv = identifier of V
Pc = password of user on C
ADc = network address of C
Kv = secret encryption key shared by AS and V
457. A Simple Authentication Dialogue
1. C -> AS: IDc || Pc || IDv
2. AS -> C: Ticket
3. C -> V: IDc || Ticket
Ticket = E(Kv, [IDc, ADc, IDv])
Kv = secret key between AS and V (server)
Pc = password of client
458. A More Secure Authentication Dialogue
Two problems remain with the simple dialogue: we want to minimize the number of times that a user has to enter a password, and tickets are not reusable.
To solve these problems, we introduce a new server, known as the ticket-granting server (TGS).
459. Once per user logon session:
(1) C -> AS: IDc || IDtgs
(2) AS -> C: E(Kc, Ticket_tgs)
460. Once per type of service:
(3) C -> TGS: IDc || IDv || Ticket_tgs
(4) TGS -> C: Ticket_v
463.
1. The client requests a ticket-granting ticket on behalf of the user by sending its user's ID and password to the AS, together with the TGS ID, indicating a request to use the TGS service.
2. The AS responds with a ticket that is encrypted with a key that is derived from the user's password. When this response arrives at the client, the client prompts the user for his or her password, generates the key, and attempts to decrypt the incoming message. If the correct password is supplied, the ticket is successfully recovered.
464. 3.The client requests a service-granting ticket on
behalf of the user.
4. The TGS decrypts the incoming ticket and
verifies the success of the decryption by the
presence of its ID. It checks to make sure that
the lifetime has not expired. Then it compares
the user ID and network address with the
incoming information to authenticate the user. If
the user is permitted access to the server V, the
TGS issues a ticket to grant access to the
requested service.
465. 5.The client requests access to a service on
behalf of the user. For this purpose, the
client transmits a message to the server
containing the user's ID and the service-
granting ticket. The server authenticates
by using the contents of the ticket.
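Messages (1)-(4) and the checks in steps 1-5, simulated end to end in one process, as an added example that is not code from the slides or from any Kerberos implementation. Following message (1), the password never leaves the client and is only used to derive Kc; the user IDs, addresses, lifetimes and the SHA-256 keystream plus HMAC-SHA256 toy cipher standing in for Kerberos' DES encryption are my assumptions.

```python
import hashlib
import hmac
import json
import os


# Toy stand-in for the symmetric cipher (constructed for this example, not Kerberos' DES):
# SHA-256 keystream XOR plaintext, then an HMAC-SHA256 tag, so a wrong key or an
# altered ticket is detected on decryption instead of yielding garbage.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks, i = [], 0
    while len(blocks) * 32 < length:
        blocks.append(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest())
        i += 1
    return b"".join(blocks)[:length]


def seal(key: bytes, fields: dict) -> bytes:
    """E(key, fields): returns nonce || ciphertext || tag."""
    pt = json.dumps(fields, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()


def unseal(key: bytes, blob: bytes) -> dict:
    """D(key, blob); raises ValueError when the key is wrong or the blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, "sha256").digest(), tag):
        raise ValueError("decryption failed: wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def key_from_password(password: str) -> bytes:
    """Kc is derived from the user's password; the AS stores only this derived key."""
    return hashlib.sha256(password.encode()).digest()


class KDC:
    """Authentication server (AS) and ticket-granting server (TGS) of one realm."""
    TGS_ID = "tgs"

    def __init__(self):
        self.users = {}                                    # IDc -> Kc
        self.servers = {self.TGS_ID: os.urandom(32)}       # IDv -> Kv (TGS key included)

    def register_user(self, idc: str, password: str) -> None:
        self.users[idc] = key_from_password(password)

    def register_server(self, idv: str) -> bytes:
        self.servers[idv] = os.urandom(32)
        return self.servers[idv]                           # Kv, handed to V out of band

    def as_exchange(self, idc: str, adc: str, now: int, lifetime: int = 3600) -> bytes:
        """(1) C -> AS: IDc || IDtgs   (2) AS -> C: E(Kc, Ticket_tgs)."""
        ticket_tgs = seal(self.servers[self.TGS_ID], {
            "IDc": idc, "ADc": adc, "IDv": self.TGS_ID, "TS": now, "lifetime": lifetime})
        return seal(self.users[idc], {"Ticket_tgs": ticket_tgs.hex()})

    def tgs_exchange(self, idc: str, idv: str, ticket_tgs: bytes, adc: str, now: int) -> bytes:
        """(3) C -> TGS: IDc || IDv || Ticket_tgs   (4) TGS -> C: Ticket_v (step 4 checks)."""
        t = unseal(self.servers[self.TGS_ID], ticket_tgs)  # only the AS could have sealed it
        if t["IDv"] != self.TGS_ID:                        # presence of the TGS's own ID
            raise ValueError("ticket was not issued for the TGS")
        if now > t["TS"] + t["lifetime"]:                  # lifetime check
            raise ValueError("ticket-granting ticket has expired")
        if (t["IDc"], t["ADc"]) != (idc, adc):             # user ID and network address
            raise ValueError("ticket holder does not match requester")
        if idv not in self.servers:
            raise ValueError("unknown server")
        return seal(self.servers[idv],
                    {"IDc": idc, "ADc": adc, "IDv": idv, "TS": now, "lifetime": 300})


def client_login_and_request(kdc: KDC, idc: str, password: str, adc: str, idv: str, now: int) -> bytes:
    """Client side of steps 1-4; the password is used only to derive Kc and decrypt (2)."""
    reply = kdc.as_exchange(idc, adc, now)
    ticket_tgs = bytes.fromhex(unseal(key_from_password(password), reply)["Ticket_tgs"])
    return kdc.tgs_exchange(idc, idv, ticket_tgs, adc, now)


def server_accepts(kv: bytes, idv: str, idc: str, adc: str, ticket_v: bytes, now: int) -> bool:
    """Step 5: V authenticates the client from the ticket contents alone."""
    try:
        t = unseal(kv, ticket_v)
    except ValueError:
        return False
    return t["IDv"] == idv and (t["IDc"], t["ADc"]) == (idc, adc) and now <= t["TS"] + t["lifetime"]


if __name__ == "__main__":
    kdc = KDC()
    kdc.register_user("alice", "correct horse")            # constructed sample principal
    kv = kdc.register_server("fileserver")
    ticket_v = client_login_and_request(kdc, "alice", "correct horse", "10.0.0.5", "fileserver", 1000)
    print("service granted:", server_accepts(kv, "fileserver", "alice", "10.0.0.5", ticket_v, 1100))
```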
469. Kerberos allows the global distribution of ASs and TGSs,
with each system called a realm. A user may get a ticket for
a local server or a remote server.
470. Kerberos realm
• 1.The Kerberos server must have the user ID
and hashed passwords of all participating users
in its database.
• 2.The Kerberos server must share a secret key
with each server. All servers are registered with
the Kerberos server.
• Such an environment is referred to as a
Kerberos realm.
471. 31/03/2005 Authentication Applications
Request for Service in another realm:
1. Request ticket for local TGS
2. Ticket for local TGS
3. Request ticket for remote TGS
4. Ticket for remote TGS
5. Request ticket for remote server
6. Ticket for remote server
7. Request for remote service
472. The minor differences between version 4 and version 5
1) Version 5 has a longer ticket lifetime.
2) Version 5 allows tickets to be renewed.
3) Version 5 can accept any symmetric-key algorithm.
4) Version 5 uses a different protocol for describing data
types.
5) Version 5 has more overhead than version 4.
473. X.509 Authentication Service
X.509 is an ITU-T standard for a public key
infrastructure (PKI) and Privilege Management
Infrastructure (PMI).
X.509 specifies standard formats for public key
certificates, certificate revocation lists, attribute
certificates, and a certification path validation
algorithm.
475. X.509 Certificates
• issued by a Certification Authority (CA), containing:
– version (1, 2, or 3)
– serial number (unique within CA) identifying certificate
– signature algorithm identifier
– issuer X.500 name (CA)
– period of validity (from - to dates)
– subject X.500 name (name of owner)
– subject public-key info (algorithm, parameters, key)
– issuer unique identifier (v2+)
– subject unique identifier (v2+)
– extension fields (v3)
– signature (of hash of all fields in certificate)
• notation CA<<A>> denotes certificate for A signed by CA
477. CRL
• certificates have a period of validity
• may need to revoke before expiry, eg:
1. user's private key is compromised
2. user is no longer certified by this CA
3. CA's certificate is compromised
• CRL is a file that contains a list of
revoked certificates, their serial numbers,
and their revocation dates.
478. Obtaining a Certificate
• any user with access to the CA can get any certificate from it
• only the CA can modify a certificate
• because they cannot be forged, certificates can be placed in a public directory
479. CA Hierarchy
• if both users share a common CA then they are assumed to know its public key
• otherwise CAs must form a hierarchy
• use certificates linking members of the hierarchy to validate other CAs
– each CA has certificates for clients (forward) and parent (backward)
• each client trusts its parents' certificates
• enables verification of any certificate from one CA by users of all other CAs in the hierarchy
481. Authentication Procedures:
• CA must authenticate/verify an applicant before issuing a certificate for it.
• Three alternative authentication procedures:
– One-Way Authentication
– Two-Way Authentication
– Three-Way Authentication
482. One-Way Authentication
• One way authentication involves a single
transfer of information from one user (A) to
another (B)
483. One-Way Authentication:
• 1 message (A->B) used to establish
– the identity of A and that the message is from A
– the message was intended for B
– integrity & originality of the message
1. A -> B: A{ta, ra, B, sgnData, KUb[Kab]}
ta = timestamp, ra = nonce, B = identity of B, sgnData = data signed with A's private key
484. Two-Way Authentication
• 2 messages (A->B, B->A) which also establishes, in addition:
– the identity of B and that the reply is from B
– that the reply is intended for A
– integrity & originality of the reply
1. A -> B: A{ta, ra, B, sgnData, KUb[Kab]}
2. B -> A: B{tb, rb, A, sgnData, KUa[Kab]}
485. Three-Way Authentication
• 3 messages (A->B, B->A, A->B) which enables the above authentication without synchronized clocks
1. A -> B: A{ta, ra, B, sgnData, KUb[Kab]}
2. B -> A: B{tb, rb, A, sgnData, KUa[Kab]}
3. A -> B: A{rb}
486. Public-Key Infrastructure
A public-key infrastructure (PKI) is the set of hardware, software, people, policies, and procedures needed to create, manage, store, distribute, and revoke digital certificates based on asymmetric cryptography.
487. Public-Key Infrastructure
End entity: A generic term used to denote end users or devices (e.g., servers, routers).
Certification authority (CA): The issuer of certificates and certificate revocation lists (CRLs).
Registration authority (RA): An optional component that can assume a number of administrative functions.
488. Public-Key Infrastructure
CRL issuer: An optional component that a
CA can delegate to publish CRLs.
Repository: A generic term used to
denote any method for storing certificates
and CRLs so that they can be retrieved by
End Entities.
490. Public-Key Infrastructure
Registration: This is the process whereby a user first makes itself known to a CA (directly, or through an RA), prior to that CA issuing a certificate or certificates for that user.
Initialization: Before a client system can operate securely, it is necessary to install key materials that have the appropriate relationship with keys stored elsewhere in the infrastructure.
491. Public-Key Infrastructure
Certification: This is the process in which
a CA issues a certificate for a user's public
key, and returns that certificate to the
user's client system and/or posts that
certificate in a repository.
Key pair update: All key pairs need to be
updated regularly (i.e., replaced with a
new key pair) and new certificates issued.
496. Pretty Good Privacy
PGP provides a confidentiality and
authentication service that can be used for
electronic mail and file storage
applications.
497. Pretty Good Privacy
PGP is an open-source, freely available software package for e-mail security.
It provides authentication through the use of digital signatures.
It provides confidentiality through the use of symmetric block encryption.
498. Pretty Good Privacy
It provides compression using the ZIP algorithm.
It provides e-mail compatibility using the radix-64 encoding scheme.
It provides segmentation and reassembly to accommodate long e-mails.
499. Pretty Good Privacy
Ks = session key used in symmetric encryption scheme
PRa = private key of user A, used in public-key encryption scheme
PUa = public key of user A, used in public-key encryption scheme
500. Pretty Good Privacy
EP = public-key encryption
DP = public-key decryption
EC = symmetric encryption
DC = symmetric decryption
H = hash function
|| = concatenation
Z = compression using ZIP algorithm
R64 = conversion to radix 64 ASCII format
502. Authentication
1. The sender creates a message.
2. SHA-1 is used to generate a 160-bit hash code of the message.
3. The hash code is encrypted with RSA using the sender's private key, and the result is prepended to the message.
4. The receiver uses RSA with the sender's public key to decrypt and recover the hash code.
503. Authentication
5. The receiver generates a new hash code for the message and compares it with the decrypted hash code. If the two match, the message is accepted as authentic.
504. Confidentiality
1. The sender generates a message and a random 128-bit number to be used as a session key for this message only.
2. The message is encrypted, using CAST-128 (or IDEA or 3DES) with the session key.
3. The session key is encrypted with RSA, using the recipient's public key, and is prepended to the message.
505. Confidentiality
4. The receiver uses RSA with its private key to decrypt and recover the session key.
5. The session key is used to decrypt the message.
508. PGP Message Format
The message component includes the
actual data to be stored or transmitted,
as well as a filename and a timestamp
that specifies the time of creation.
509. PGP Message Format
The signature component includes the
following:
Timestamp: The time at which the
signature was made.
Message digest: The 160-bit SHA-1
digest, encrypted with the sender's
private signature key.
510. PGP Message Format
• Leading two octets of message digest: To enable the recipient to determine if the correct public key was used to decrypt the message digest for authentication.
• Key ID of sender's public key: Identifies the public key that should be used to decrypt the message digest.
511. PGP Message Format
The session key component includes
the session key and the identifier of the
recipient's public key that was used by
the sender to encrypt the session key.
512. Signing the message
PGP retrieves the sender's private key from the private-key ring using your_userid as an index. If your_userid was not provided in the command, the first private key on the ring is retrieved.
PGP prompts the user for the passphrase to recover the unencrypted private key.
The signature component of the message is constructed.
513. Encrypting the message
PGP generates a session key and
encrypts the message.
PGP retrieves the recipient's public key
from the public-key ring using her_userid
as an index.
The session key component of the
message is constructed.
516. Decrypting the message
PGP retrieves the receiver's private key from the private-key ring, using the Key ID field in the session key component of the message as an index.
PGP prompts the user for the passphrase to recover the unencrypted private key.
PGP then recovers the session key and decrypts the message.
517. Authenticating the message
PGP retrieves the sender's public key from the
public-key ring, using the Key ID field in the
signature key component of the message as an
index.
PGP recovers the transmitted message digest.
PGP computes the message digest for the
received message and compares it to the
transmitted message digest to authenticate.
518. S/MIME
Another security service designed for electronic mail is Secure/Multipurpose Internet Mail Extension (S/MIME).
The protocol is an enhancement of the Multipurpose Internet Mail Extension (MIME) protocol.
519. RFC 822
RFC 822 defines a format for text
messages that are sent using electronic
mail. It has been the standard for Internet-
based text mail message and remains in
common use.
521. MIME
MIME is an extension to the RFC 822 framework that is intended to address some of the problems and limitations of the use of SMTP.
522. MIME
SMTP cannot transmit executable files or other binary objects.
SMTP cannot transmit text data that includes national language characters.
SMTP servers may reject mail messages over a certain size.
SMTP cannot handle non-textual data.
525. MIME-Version
This header defines the version of MIME used. The current version is 1.1.
Content-Type
The content type and the content subtype are separated by a slash. Depending on the subtype, the header may contain other parameters.
528. S/MIME Functions
enveloped data: encrypted content and associated keys
signed data: encoded message + signed digest
clear-signed data: clear text message + encoded signed digest
signed & enveloped data: nesting of signed & encrypted entities
529. Cryptographic Algorithms
Function: Create a message digest to be used in forming a digital signature.
Requirement: MUST support SHA-1. Receiver SHOULD support MD5 for backward compatibility.
Function: Encrypt message digest to form digital signature.
Requirement: Sending and receiving agents MUST support DSS. Sending agents SHOULD support RSA encryption. Receiving agents SHOULD support verification of RSA signatures with key sizes 512 bits to 1024 bits.
Function: Encrypt session key for transmission with message.
Requirement: Sending and receiving agents SHOULD support Diffie-Hellman. Sending and receiving agents MUST support RSA encryption with key sizes 512 bits to 1024 bits.
530. Cryptographic Algorithms
Function: Encrypt message for transmission with one-time session key.
Requirement: Sending and receiving agents MUST support encryption with triple DES. Sending agents SHOULD support encryption with AES. Sending agents SHOULD support encryption with RC2/40.
531. S/MIME Messages
Type / Subtype / smime parameter: Description
Multipart / signed / (none): A clear-signed message in two parts: one is the message and the other is the signature.
Application / pkcs7-mime / signedData: A signed S/MIME entity.
Application / pkcs7-mime / envelopedData: An encrypted S/MIME entity.
Application / pkcs7-mime / degenerate signedData: An entity containing only public-key certificates.
Application / pkcs7-mime / compressedData: A compressed S/MIME entity.
532. Enveloped data
This consists of encrypted content of any
type and encrypted-content encryption
keys for one or more recipients.
533. Enveloped data (structure)
EnvelopedData
  Version
  Originator Info
  Recipient Info
    Version
    Recipient ID (issuer and serial number)
    Key Encryption Algorithm
    Encrypted Key
  Encrypted Content Info
    Content type
    Content Encryption Algorithm
    Encrypted Content
Editor's Notes
Computer Emergency Response Team
See Table 1.4 for details of the 5 Security Service categories and the 14 specific services.
Have “passive attacks” which attempt to learn or make use of information from the system but does not affect system resources.
By eavesdropping on, or monitoring of, transmissions to:
+ obtain message contents (as shown above in Stallings Figure 1.3a), or
+ monitor traffic flows
Are difficult to detect because they do not involve any alteration of the data.
In considering the place of encryption, it's useful to use the following two models. The first models information flowing over an insecure communications channel, in the presence of possible opponents. Hence an appropriate security transform (encryption algorithm) can be used, with suitable keys, possibly negotiated using the presence of a trusted third party.
The second, illustrated in Figure 1.6, model is concerned with controlled access to information or resources on a computer system, in the presence of possible opponents. Here appropriate controls are needed on the access and within the system, to provide suitable security. Some cryptographic techniques are useful here also.
Briefly review some terminology used throughout the course.
Detail the five ingredients of the symmetric cipher model, shown in Stallings Figure 2.1:
plaintext - original message
encryption algorithm – performs substitutions/transformations on plaintext
secret key – control exact substitutions/transformations used in encryption algorithm
ciphertext - scrambled message
decryption algorithm – inverse of encryption algorithm
Cryptographic systems can be characterized along these three independent dimensions.
Typically the objective is to recover the key in use rather than simply to recover the plaintext of a single ciphertext.
There are two general approaches:
Cryptanalytic attacks rely on the nature of the algorithm plus perhaps some knowledge of the general characteristics of the plaintext or even some sample plaintext-ciphertext pairs.
Brute-force attacks try every possible key on a piece of ciphertext until an intelligible translation into plaintext is obtained. On average, half of all possible keys must be tried to achieve success.
Substitution ciphers form the first of the fundamental building blocks. The core idea is to replace one basic unit (letter/byte) with another. Whilst the early Greeks described several substitution ciphers, the first attested use in military affairs of one was by Julius Caesar, described by him in Gallic Wars (cf. Kahn pp83-84). Still call any cipher using a simple letter shift a caesar cipher, not just those with shift 3.
This mathematical description uses modulo (clock) arithmetic. Here, when you reach Z you go back to A and start again. Mod 26 implies that when you reach 26, you use 0 instead (ie the letter after Z, or 25 + 1 goes to A or 0).
Example: howdy (7,14,22,3,24) encrypted using key f (ie a shift of 5) is MTBID
Note that even given the very large number of keys, being 10 orders of magnitude greater than the key space for DES, the monoalphabetic substitution cipher is not secure, because it does not sufficiently obscure the underlying language characteristics.
The simplest such cipher is the rail fence technique, in which the plaintext is written down as a sequence of diagonals and then read off as a sequence of rows.
The example message is: "meet me after the toga party" with a rail fence of depth 2.
This sort of thing would be trivial to cryptanalyze.
Block ciphers work on a block / word at a time, which is some number of bits. All of these bits have to be available before the block can be processed. Stream ciphers work on a bit or byte of the message at a time, hence process it as a “stream”. Block ciphers are currently better analysed, and seem to have a broader range of applications, hence the focus on them.
Most symmetric block encryption algorithms in current use are based on a structure referred to as a Feistel block cipher. A block cipher operates on a plaintext block of n bits to produce a ciphertext block of n bits. An arbitrary reversible substitution cipher for a large block size is not practical, however, from an implementation and performance point of view. In general, for an n-bit general substitution block cipher, the size of the key is n x 2^n. For a 64-bit block, which is a desirable length to thwart statistical attacks, the key size is 64 x 2^64 = 2^70 ≈ 10^21 bits. In considering these difficulties, Feistel points out that what is needed is an approximation to the ideal block cipher system for large n, built up out of components that are easily realizable.
Biham & Shamir show Differential Cryptanalysis can be successfully used to cryptanalyse the DES with an effort on the order of 2^47 encryptions, requiring 2^47 chosen plaintexts. They also demonstrated this form of attack on a variety of encryption algorithms and hash functions.
Differential cryptanalysis was known to the IBM DES design team as early as 1974 (as a T attack), and influenced the design of the S-boxes and the permutation P to improve its resistance to it. Compare DES's security with the cryptanalysis of an eight-round LUCIFER algorithm, which requires only 256 chosen plaintexts, versus an attack on an eight-round version of DES, which requires 2^14 chosen plaintexts.
This attack is known as Differential Cryptanalysis because the analysis compares differences between two related encryptions, and looks for a known difference in leading to a known difference out with some (pretty small but still significant) probability. If a number of such differences are determined, it is feasible to determine the subkey used in the function f.
Shown here is the equation from Stallings section 3.4 which shows how this removes the influence of the key, hence enabling the analysis.
A more recent development is linear cryptanalysis. This attack is based on finding linear approximations to describe the transformations performed in DES. This method can find a DES key given 2^43 known plaintexts, as compared to 2^47 chosen plaintexts for differential cryptanalysis. Although this is a minor improvement, because it may be easier to acquire known plaintext rather than chosen plaintext, it still leaves linear cryptanalysis infeasible as an attack on DES. Again, this attack uses structure not seen before. So far, little work has been done by other groups to validate the linear cryptanalytic approach.
The objective of linear cryptanalysis is to find an effective linear equation relating some plaintext, ciphertext and key bits that holds with probability p ≠ 0.5 as shown. Once a proposed relation is determined, the procedure is to compute the results of the left-hand side of the equation for a large number of plaintext-ciphertext pairs, in order to determine whether the sum of the key bits is 0 or 1, thus giving 1 bit of info about them. This is repeated for other equations and many pairs to derive some of the key bit values. Because we are dealing with linear equations, the problem can be approached one round of the cipher at a time, with the results combined. See [MATS93] for details.
The cryptographic strength of a Feistel cipher derives from three aspects of the design: the number of rounds, the function F, and the key schedule algorithm. Briefly discuss these.
The greater the number of rounds, the more difficult it is to perform cryptanalysis, even for a relatively weak F. In general, the criterion should be that the number of rounds is chosen so that known cryptanalytic efforts require greater effort than a simple brute-force key search attack. This criterion is attractive because it makes it easy to judge the strength of an algorithm and to compare different algorithms.
The function F provides the element of confusion in a Feistel cipher, want it to be difficult to “unscramble” the substitution performed by F. One obvious criterion is that F be nonlinear. The more nonlinear F, the more difficult any type of cryptanalysis will be. We would like it to have good avalanche properties, or even the strict avalanche criterion (SAC). Another criterion is the bit independence criterion (BIC). One of the most intense areas of research in the field of symmetric block ciphers is that of S-box design. Would like any change to the input vector to an S-box to result in random-looking changes to the output. The relationship should be nonlinear and difficult to approximate with linear functions.
A final area of block cipher design, and one that has received less attention than S-box design, is the key schedule algorithm. With any Feistel block cipher, the key schedule is used to generate a subkey for each round. Would like to select subkeys to maximize the difficulty of deducing individual subkeys and the difficulty of working back to the main key. The key schedule should guarantee key/ciphertext Strict Avalanche Criterion and Bit Independence Criterion.
CTR mode has a number of advantages: parallel h/w & s/w efficiency, the output values can be preprocessed in advance of needing to encrypt, random access to encrypted data blocks is possible, and it is simple. But like OFB it has the issue that the same key+counter value must never be reused.
Stallings Figure 6.8 illustrates the general structure of a stream cipher, where a key is input to a pseudorandom bit generator that produces an apparently random keystream of bits, and which are XOR’d with message to encrypt it, and XOR’d again to decrypt it by the receiver.
If encryption is to be used to counter attacks on confidentiality, need to decide what to encrypt and where the encryption function should be located. Now examine potential locations of security attacks and then look at the two major approaches to encryption placement: link and end to end.
Have many locations where attacks can occur in a typical scenario (Stallings Figure 7.1), such as when have:
+ workstations on LANs access other workstations & servers on LAN
+ LANs interconnected using switches/routers
+ with external lines or radio/satellite links
Consider attacks and placement in this scenario:
+ snooping from another workstation
+ use dial-in to LAN or server to snoop
+ physically tap line in wiring closet
+ use external router link to enter & snoop
+ monitor and/or modify traffic on external links
Stallings Figure 7.2 contrasts the two encryption placement alternatives, for encryption over a Packet Net.
With end-to-end encryption, user data are secure, but the traffic pattern is not because packet headers are transmitted in the clear. However end-to-end encryption does provide a degree of authentication, since a recipient is assured that any message that it receives comes from the alleged sender, because only that sender shares the relevant key. Such authentication is not inherent in a link encryption scheme. To achieve greater security, both link and end-to-end encryption are needed, as is shown in Figure 7.2 on the previous slide.
Can place encryption at any of a number of layers in the OSI Reference Model.
Link encryption can occur at either the physical or link layers.
End-to-end encryption could be performed at the network layer (for all processes on a system, perhaps in a Front End Processor), at the Transport layer (now possibly per process), or at the Presentation/Application layer (especially if need security to cross application gateways, but at cost of many more entities to manage).
Can view alternatives noting that as you move up the communications hierarchy, less information is encrypted but it is more secure.
The strength of any cryptographic system thus depends on the key distribution technique. For two parties A and B, key distribution can be achieved in a number of ways:
Physical delivery (1 & 2) is simplest - but only applicable when there is personal contact between recipient and key issuer. This is fine for link encryption where devices & keys occur in pairs, but does not scale as number of parties who wish to communicate grows. 3 is mostly based on 1 or 2 occurring first.
A third party, whom all parties trust, can be used as a trusted intermediary to mediate the establishment of secure communications between them (4). Must trust intermediary not to abuse the knowledge of all session keys. As number of parties grow, some variant of 4 is only practical solution to the huge growth in number of keys potentially needed.
The key distribution concept can be deployed in a number of ways. A typical scenario is illustrated in Stallings Figure 7.9 above, which has a “Key Distribution Center” (KDC) which shares a unique key with each party (user). See text section 7.3 for details of the steps shown in this distribution process.
So far all the cryptosystems discussed, from earliest history to modern times, have been private/secret/single key (symmetric) systems.
All classical, and modern block and stream ciphers are of this form, and still rely on the fundamental building blocks of substitution and permutation (transposition).
Emphasize here the radical difference with Public-Key Cryptography is the use of two related keys but with very different roles and abilities. Anyone knowing the public key can encrypt messages or verify signatures, but cannot decrypt messages or create signatures, all thanks to some clever use of number theory.
In assessing the security of a MAC function, we need to consider the types of attacks that may be mounted against it. Hence it needs to satisfy the listed requirements.
The first requirement deals with message replacement attacks, in which an opponent is able to construct a new message to match a given MAC, even though the opponent does not know and does not learn the key.
The second requirement deals with the need to thwart a brute-force attack based on chosen plaintext.
The final requirement dictates that the authentication algorithm should not be weaker with respect to certain parts or bits of the message than others.
Can also use block cipher chaining modes to create a separate authenticator, by just sending the last block. This was done with the Data Authentication Algorithm (DAA), a widely used MAC based on DES-CBC (next slide). However this suffers from being too small for acceptable use today.
Stallings Figure 11.6 “Data Authentication Algorithm”, illustrates the FIPS PUB 113 / ANSI X9.17 MAC based on DES-CBC with IV 0 and 0-pad of the final block if needed. Resulting MAC can be 16-64 bits of the final block. But this is now too small for security.
The purpose of a hash function is to produce a “fingerprint”of a file, message, or other block of data.
These are the specifications for good hash functions. Essentially it must be extremely difficult to find 2 messages with the same hash, and the hash should not be related to the message in any obvious way (ie it should be a complex non-linear function of the message). There are quite a few similarities in the evolution of hash functions & block ciphers, and in the evolution of the design requirements on both.
Just as with symmetric and public-key encryption, we can group attacks on hash functions and MACs into two categories: brute-force attacks and cryptanalysis.
The strength of a hash function against brute-force attacks depends solely on the length m of the hash code produced by the algorithm: a preimage or second-preimage search costs O(2^m), while a collision (birthday) search costs only O(2^(m/2)). See proposal in text for a h/w MD5 cracker.
A brute-force attack on a MAC is a more difficult undertaking because it requires known message-MAC pairs. However analysis shows cost is related to min(2^k, 2^n), similar to symmetric encryption algorithms.
As with encryption algorithms, cryptanalytic attacks on hash functions and MAC algorithms seek to exploit some property of the algorithm to perform some attack other than an exhaustive search. The way to measure the resistance of a hash or MAC algorithm to cryptanalysis is to compare its strength to the effort required for a brute-force attack. That is, an ideal hash or MAC algorithm will require a cryptanalytic effort greater than or equal to the brute-force effort.
Cryptanalysis of hash functions focuses on the internal structure of the compression function f and is based on attempts to find efficient techniques for producing collisions for a single execution of f. Keep in mind that for any hash function there must exist collisions, but want it to be computationally infeasible to find these collisions.
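Added worked example (not from Stallings' text or these slides): the birthday cost against the preimage cost, run on SHA-256 truncated to a few bits so that both searches finish in seconds. The truncation, the counter-derived message format and the trial bounds are illustration choices, not part of any standard.

```python
import hashlib
import math


def truncated_hash(data: bytes, bits: int) -> int:
    """SHA-256 cut down to its top `bits` bits, purely so that the attacks finish quickly."""
    full = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return full >> (256 - bits)


def birthday_collision(bits: int, max_trials: int = 1 << 22):
    """Collision search: hash counter-derived messages and stop at the first repeated value.
    Returns (m1, m2, trials); expected trials ~ sqrt(pi/2 * 2**bits), i.e. O(2**(bits/2))."""
    seen = {}
    for i in range(max_trials):
        m = b"collide-%d" % i
        h = truncated_hash(m, bits)
        if h in seen:
            return seen[h], m, i + 1
        seen[h] = m
    return None


def preimage_search(target: int, bits: int, max_trials: int = 1 << 24):
    """Preimage search for one fixed output: expected ~ 2**bits trials, the full brute-force cost."""
    for i in range(max_trials):
        m = b"preimage-%d" % i
        if truncated_hash(m, bits) == target:
            return m, i + 1
    return None


def expected_trials(bits: int) -> tuple:
    """(expected collision trials, expected preimage trials) for a `bits`-bit hash."""
    return math.sqrt(math.pi / 2 * 2 ** bits), float(2 ** bits)


if __name__ == "__main__":
    m1, m2, n = birthday_collision(20)
    print("collision after", n, "hashes; expected about", expected_trials(20))
```

The collision finder stores every value seen, so its memory grows with the number of trials; memoryless variants (Floyd/Pollard-style cycle finding) reach the same 2^(m/2) work with constant memory, which is why a 128-bit digest gives only 64-bit collision security.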
Stallings Figure 12.7 shows the structure of Block Cipher W. The encryption algorithm takes a 512-bit block of plaintext as input and a 512-bit key and produces a 512-bit block of ciphertext as output. The encryption algorithm involves the use of four different functions, or transformations: add key (AK), substitute bytes (SB), shift columns (SC), and mix rows (MR). Note that the input is mapped by rows (unlike AES which is mapped by column). Hence the use of “Mix Rows” as the diffusion layer; and “Shift Columns” as the permutation (vs Mix Columns & Shift Rows in AES). Note also that the Key Schedule uses the same W round function, but with round constants RC[I] (being S-box outputs) taking the role of “subkeys” in the AddKey function.
Whirlpool is a very new proposal, hence there is little experience with use, though many AES findings should apply to it. As yet, there has been little implementation experience with Whirlpool. One study [KITS04] compared Whirlpool with a number of other secure hash functions. The authors developed multiple hardware implementations of each hash function and concluded that, compared to SHA-512, Whirlpool requires more hardware resources but performs much better in terms of throughput.
The idea of a keyed hash evolved into HMAC, designed to overcome some problems with the original proposals. It involves hashing a padded version of the key concatenated with the message, and then an outer hash of that result prepended by a second padded variant of the key. The hash function need only be run on 3 more blocks than when hashing just the original message (two for the padded keys, one for the inner hash output). HMAC can use any desired hash function, and its security has been proven to follow from that of the underlying hash function (the MAC is secure provided the compression function behaves as a pseudorandom function, a weaker requirement than collision resistance). Can choose the hash function to use based on speed/security concerns.
Stallings Figure 12.10 shows the structure of HMAC, which implements the function:
HMAC_K(M) = Hash[(K+ XOR opad) || Hash[(K+ XOR ipad) || M]]
where the elements are:
K+ is K padded with zeros (appended, per RFC 2104) so that the result is b bits in length, b being the block size of the hash function; a key longer than b bits is first hashed down to the hash output length
ipad is the byte 36 hex repeated b/8 times to fill a block
opad is the byte 5C hex repeated b/8 times to fill a block
M is the message input to HMAC (including the padding specified in the embedded hash function)
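Added worked example, not code from the original notes: the HMAC function above built directly from hashlib, checked against RFC 4231 test case 1 and against Python's own hmac module. The key and message in the test are the RFC's; the function names and the constant-time verify helper are this example's own.

```python
import hashlib
import hmac

IPAD, OPAD = 0x36, 0x5C   # the RFC 2104 inner and outer pad bytes


def hmac_from_scratch(key: bytes, message: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC_K(M) = H[(K+ XOR opad) || H[(K+ XOR ipad) || M]] from a plain hash function."""
    b = hashlib.new(hash_name).block_size          # 64 bytes for SHA-256, 128 for SHA-512
    if len(key) > b:                               # RFC 2104: an over-long key is hashed first
        key = hashlib.new(hash_name, key).digest()
    k_plus = key + b"\x00" * (b - len(key))        # K+: zeros appended to reach one block
    k_ipad = bytes(x ^ IPAD for x in k_plus)
    k_opad = bytes(x ^ OPAD for x in k_plus)
    inner = hashlib.new(hash_name, k_ipad + message).digest()
    return hashlib.new(hash_name, k_opad + inner).digest()


def verify_tag(key: bytes, message: bytes, tag: bytes, hash_name: str = "sha256") -> bool:
    """Constant-time comparison, so a verifier does not leak how many leading bytes matched."""
    return hmac.compare_digest(hmac_from_scratch(key, message, hash_name), tag)


def matches_stdlib(key: bytes, message: bytes, hash_name: str = "sha256") -> bool:
    """Cross-check against Python's own HMAC implementation."""
    return verify_tag(key, message, hmac.new(key, message, hash_name).digest(), hash_name)
```

The two padded key blocks depend only on K, so an implementation that MACs many messages under one key precomputes the inner and outer hash states once; that is the "3 more blocks" figure in the notes.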
Stallings Figure 12.12 shows the structure of CMAC.
It uses the block size b of the underlying cipher (ie 128 bits for AES or 64 bits for triple DES). The message is divided into n blocks M1..Mn, padded if necessary. The algorithm makes use of a k-bit encryption key K and a b-bit subkey K1 or K2 (K1 if the final block was already a full block, K2 if it had to be padded). For AES, the key size k is 128, 192, or 256 bits; for triple DES, the key size is 112 or 168 bits. The two subkeys K1 & K2 are derived from the original key K by encrypting the all-zero block and then doubling the result in GF(2^b), as detailed in the text.
Stallings Figure 14.1 diagrammatically summarizes the Kerberos v4 authentication dialogue, with 3 pairs of messages, for each phase listed previously.
X.509 is part of the X.500 series of recommendations that define a directory service, being a server or distributed set of servers that maintains a database of information about users.
X.509 defines a framework for the provision of authentication services by the X.500 directory to its users. The directory may serve as a repository of public-key certificates. In addition, X.509 defines alternative authentication protocols based on the use of public-key certificates. X.509 is based on the use of public-key cryptography and digital signatures. The standard does not dictate the use of a specific algorithm but recommends RSA.
The X.509 certificate format is widely used, in for example S/MIME, IP Security and SSL/TLS and SET.
The X.509 certificate is the heart of the standard. There are 3 versions, with successively more info in the certificate - must be v2 if either unique identifier field exists, must be v3 if any extensions are used. These user certificates are assumed to be created by some trusted certification authority (CA) and placed in the directory by the CA or by the user. The directory server itself is not responsible for the creation of public keys or for the certification function; it merely provides an easily accessible location for users to obtain certificates. The certificate includes the elements shown.
The standard uses the notation CA<<A>> for a certificate: the CA signs the certificate for user A with its private key.
Stallings Figure 14.4 shows the format of an X.509 certificate and CRL.
User certificates generated by a CA have the characteristics that any user with access to the public key of the CA can verify the user public key that was certified, and no party other than the certification authority can modify the certificate without this being detected. Because certificates are unforgeable, they can be placed in a directory without the need for the directory to make special efforts to protect them.
If both parties use the same CA, they know its public key and can verify each other's certificates. If not, then there has to be some means to form a chain of certificates between the CAs used by the two parties, built from the certificates CAs issue for one another (each CA's certificate of its parent and of its children). It is assumed that each client trusts its parent's certificates.
Stallings Figure 14.5 illustrates the use of an X.509 hierarchy to mutually verify clients certificates.
Track chains of certificates:
A gets B's certificate using the chain: X<<W>> W<<V>> V<<Y>> Y<<Z>> Z<<B>>
B obtains A's certificate using the chain: Z<<Y>> Y<<V>> V<<W>> W<<X>> X<<A>>
Stallings Figure 15.3 shows the format of a transmitted PGP message. A message consists of three components: the message component, a signature (optional), and a session key component (optional).
Stallings Figure 15.5 illustrates how these key rings are used in message transmission to implement the various PGP crypto services (ignoring compression and radix-64 conversion for simplicity).
Stallings Figure 15.6 then illustrates how these key rings are used in message reception to implement the various PGP crypto services (again ignoring compression and radix-64 conversion for simplicity).
In terms of general functionality, S/MIME is very similar to PGP. Both offer the ability to sign and/or encrypt messages. S/MIME provides the functions shown.
Stallings Figure 16.1 illustrates a typical IP Security scenario. An organization maintains LANs at dispersed locations. Nonsecure IP traffic is conducted on each LAN. For traffic offsite, through some sort of private or public WAN, IPSec protocols are used. These protocols operate in networking devices, such as a router or firewall, that connect each LAN to the outside world. The IPSec networking device will typically encrypt and compress all traffic going into the WAN, and decrypt and decompress traffic coming from the WAN; these operations are transparent to workstations and servers on the LAN. Secure transmission is also possible with individual users who dial into the WAN. Such user workstations must implement the IPSec protocols to provide security.
[MARK97] lists the benefits shown for IPSec. It also plays a vital role in the routing architecture required for internetworking.
The IPSec specification has become quite complex. The IPSec specification consists of numerous documents. The most important of these, issued in November of 1998, are
• RFC 2401: An overview of a security architecture
• RFC 2402: Description of a packet authentication extension to IPv4 and IPv6
• RFC 2406: Description of a packet encryption extension to IPv4 and IPv6
• RFC 2408: Specification of key management capabilities
In addition to these four RFCs, a number of additional drafts have been published by the IP Security Protocol Working Group set up by the IETF. The documents are divided into seven groups.
Support for these features is mandatory for IPv6 and optional for IPv4.
In both cases, the security features are implemented as extension headers that follow the main IP header. The extension header for authentication is known as the Authentication Header (AH); that for encryption is known as the Encapsulating Security Payload (ESP) header.
IPSec provides security services at the IP layer by enabling a system to select required security protocols, determine the algorithm(s) to use for the service(s), and put in place any cryptographic keys required to provide the requested services. The security services supported are as shown above. See Stallings Table 16.1 for the services provided by AH & ESP respectively. For ESP, there are two cases: with and without the authentication option. Both AH and ESP are vehicles for access control, based on the distribution of cryptographic keys and the management of traffic flows relative to these security protocols.
Stallings Figure 16.3 shows the Authentication Header fields:
• Next Header (8 bits): Identifies the type of header immediately following this header
• Payload Length (8 bits): Length of Authentication Header in 32-bit words, minus 2.
• Reserved (16 bits): For future use
• Security Parameters Index (32 bits): Identifies a security association
• Sequence Number (32 bits): A monotonically increasing counter value
• Authentication Data (variable): A variable-length field (must be an integral number of 32-bit words) that contains the Integrity Check Value (ICV), or MAC, for this packet
Stallings Figure 16.5 shows the difference between end-to-end (transport) mode and end-to-intermediate (tunnel) mode.
Transport mode provides protection primarily for upper-layer protocol payloads, by inserting the AH after the original IP header and before the IP payload. Typically, transport mode is used for end-to-end communication between two hosts.
Tunnel mode provides protection to the entire IP packet: after the AH or ESP fields are added to the IP packet, the entire packet plus security fields is treated as the payload of a new "outer" IP packet with a new outer IP header. Tunnel mode is used when one or both ends of an SA are a security gateway, such as a firewall or router that implements IPSec.
The Encapsulating Security Payload provides confidentiality services, including confidentiality of message contents and limited traffic flow confidentiality. As an optional feature, ESP can also provide an authentication service, with the same MACs as AH. ESP supports range of ciphers, modes, and padding, as shown.
Stallings Figure16.7 shows the format of an ESP packet. It contains the following fields:
• Security Parameters Index (32 bits): Identifies a security association
• Sequence Number (32 bits): A monotonically increasing counter value; this provides an anti-replay function, as discussed for AH
• Payload Data (variable): This is a transport-level segment (transport mode) or IP packet (tunnel mode) that is protected by encryption
• Padding (0–255 bytes): serves several purposes: brings the plaintext up to a multiple of the cipher's block size, aligns the Pad Length and Next Header fields on a 32-bit boundary, and can conceal the true payload length for partial traffic-flow confidentiality
• Pad Length (8 bits): Indicates the number of pad bytes immediately preceding this field
• Next Header (8 bits): Identifies the type of data contained in the payload data field by identifying the first header in that payload
• Authentication Data (variable): A variable-length field that contains the Integrity Check Value computed over the ESP packet minus the Authentication Data field
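Added worked example, not from the original text: a builder and parser for the AH field layout listed earlier, plus the sliding anti-replay window that both AH and ESP apply to the sequence number. Packet bytes are constructed for the demo; the 64-entry window width is the architecture document's default, while the function and class names are this example's own.

```python
import struct

AH_FIXED = struct.Struct("!BBHII")   # next header, payload length, reserved, SPI, sequence number


def build_ah(next_header: int, spi: int, seq: int, icv: bytes) -> bytes:
    """Build an AH; Payload Length is the header length in 32-bit words minus 2."""
    if len(icv) % 4:
        raise ValueError("ICV must be a whole number of 32-bit words")
    payload_len = (AH_FIXED.size + len(icv)) // 4 - 2
    return AH_FIXED.pack(next_header, payload_len, 0, spi, seq) + icv


def parse_ah(packet: bytes, offset: int = 0) -> dict:
    """Parse the AH at `offset`; next_offset points at the protected payload that follows."""
    next_header, payload_len, reserved, spi, seq = AH_FIXED.unpack_from(packet, offset)
    total = (payload_len + 2) * 4
    if reserved != 0 or offset + total > len(packet):
        raise ValueError("malformed AH")
    return {"next_header": next_header, "spi": spi, "seq": seq,
            "icv": packet[offset + AH_FIXED.size: offset + total],
            "next_offset": offset + total}


class ReplayWindow:
    """Sliding anti-replay window over the 32-bit sequence number (default width 64).
    Call check_and_update only after the ICV has verified, so a forger cannot move the window."""

    def __init__(self, width: int = 64):
        self.width = width
        self.right = 0        # highest sequence number accepted so far
        self.bitmap = 0       # bit i set  <=>  sequence number (right - i) already seen

    def check_and_update(self, seq: int) -> bool:
        if seq == 0:                         # the first packet on an SA carries seq 1
            return False
        if seq > self.right:                 # newer than anything seen: slide the window
            shift = seq - self.right
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.width) - 1)
            self.right = seq
            return True
        diff = self.right - seq
        if diff >= self.width:               # left of the window: too old, drop
            return False
        if (self.bitmap >> diff) & 1:        # inside the window but already seen: replay
            return False
        self.bitmap |= 1 << diff
        return True
```

A receiver keeps one window per SA; because the sequence number must never wrap on an SA, the sender rekeys (a new SA) before 2^32 packets.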
Transport mode ESP is used to encrypt and optionally authenticate the data carried by IP. Transport mode operation provides confidentiality for any application that uses it, thus avoiding the need to implement confidentiality in every individual application. This mode of operation is also reasonably efficient, adding little to the total length of the IP packet. One drawback to this mode is that it is possible to do traffic analysis on the transmitted packets.
Tunnel mode ESP is used to encrypt an entire IP packet. Tunnel mode is useful in a configuration that includes a firewall or other sort of security gateway that protects a trusted network from external networks.
An individual SA can implement either the AH or ESP protocol but not both. Sometimes a particular traffic flow will call for the services provided by both AH and ESP. Further, a particular traffic flow may require IPSec services between hosts and, for that same flow, separate services between security gateways, such as firewalls. In all of these cases, multiple SAs must be employed for the same traffic flow to achieve the desired IPSec services. The term security association bundle refers to a sequence of SAs through which traffic must be processed to provide a desired set of IPSec services. The SAs in a bundle may terminate at different endpoints or at the same endpoints.
Security associations may be combined into bundles in two ways:
• Transport adjacency: more than one security protocol on same IP packet, without invoking tunneling
• Iterated tunneling: application of multiple layers of security protocols effected through IP tunneling
One interesting issue is the order in which authentication and encryption may be applied between a given pair of endpoints.
The IPSec Architecture document lists four examples of combinations of SAs that must be supported by compliant IPSec hosts or security gateways. These are illustrated in Stallings Figure 16.10. Note the *’d devices implement IPSec. The cases are:
Case 1 security is provided between end systems that implement IPSec.
Case 2 security is provided only between gateways (routers, firewalls, etc.) and no hosts implement IPSec.
Case 3 builds on Case 2 by adding end-to-end security. The same combinations discussed for cases 1 and 2 are allowed here.
Case 4 provides support for a remote host that uses the Internet to reach an organization’s firewall and then to gain access to some server or workstation behind the firewall. Only tunnel mode is required between the remote host and the firewall.
The key management portion of IPSec involves the determination and distribution of secret keys. A typical requirement is four keys for communication between two applications: transmit and receive pairs for both AH and ESP. The IPSec Architecture document mandates support for two types of key management:
• Manual, where a system administrator manually configures each system with its own keys and with the keys of the other communicating systems; practical only for small, relatively static environments
• Automated where an automated system enables the on-demand creation of keys for SAs and facilitates the use of keys in a large distributed system with an evolving configuration
The default automated key management protocol for IPSec is referred to as ISAKMP/Oakley.
The Internet Security Association and Key Management Protocol (ISAKMP) provides a framework for Internet key management and provides the specific protocol support, defining procedures and packet formats to establish, negotiate, modify, and delete security associations. ISAKMP defines payloads for exchanging key generation and authentication data. These payload formats provide a consistent framework independent of the specific key exchange protocol, encryption algorithm, and authentication mechanism.
An ISAKMP message consists of an ISAKMP header followed by one or more payloads, carried in a transport protocol (UDP by default, on port 500).
Stallings Figure16.12a shows the header format for an ISAKMP message. All ISAKMP payloads begin with the same generic payload header shown in Figure 16.12b.
The World Wide Web is widely used by businesses, government agencies, and many individuals. But the Internet and the Web are extremely vulnerable to compromises of various sorts, with a range of threats as shown. These can be described as passive attacks including eavesdropping on network traffic between browser and server and gaining access to information on a Web site that is supposed to be restricted, and active attacks including impersonating another user, altering messages in transit between client and server, and altering information on a Web site. The web needs added security mechanisms to address these threats.
Stallings Figure 17.2 shows the SSL Protocol stack. The SSL Record Protocol provides basic security services to various higher-layer protocols. In particular, the Hypertext Transfer Protocol (HTTP), which provides the transfer service for Web client/server interaction, can operate on top of SSL. Three higher-layer protocols are also defined as part of SSL: the Handshake Protocol, Change Cipher Spec Protocol, and Alert Protocol. These SSL-specific protocols are used in the management of SSL exchanges.
Two important SSL concepts are the SSL connection and the SSL session:
• Connection: a transport (in the OSI layering sense) that provides a suitable type of service; connections are transient, peer-to-peer relationships, and every connection is associated with one session
• Session: An SSL session is an association between a client and a server, created by the Handshake Protocol. Sessions define a set of cryptographic security parameters, which can be shared among multiple connections. Sessions are used to avoid the expensive negotiation of new security parameters for each connection.
Stallings Figure17.3 shows the overall operation of the SSL Record Protocol. The Record Protocol takes an application message to be transmitted, fragments the data into manageable blocks, optionally compresses the data, applies a MAC, encrypts, adds a header, and transmits the resulting unit in a TCP segment. Received data are decrypted, verified, decompressed, and reassembled and then delivered to higher-layer applications.
The Change Cipher Spec Protocol is one of the three SSL-specific protocols that use the SSL Record Protocol, and it is the simplest, consisting of a single message. Its purpose is to cause the pending state to be copied into the current state, which updates the cipher suite to be used on this connection.
The Alert Protocol is used to convey SSL-related alerts to the peer entity. As with other applications that use SSL, alert messages are compressed and encrypted, as specified by the current state. Each message in this protocol consists of two bytes: the first takes the value warning(1) or fatal(2) to convey the severity of the message, and the second byte contains a code that indicates the specific alert. The first group shown are the fatal alerts, the others are warnings.
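Added worked example, not from the original notes: splitting a byte stream into SSL/TLS record-layer units and acting on alert records as just described. Only the framing is handled (the MAC and encryption of the current state are not applied, so this is the view before the record MAC/encrypt step or after decryption); the sample bytes and the subset of alert codes are constructed for the example.

```python
import struct

RECORD_HEADER = struct.Struct("!BBBH")   # content type, major version, minor version, length
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
# Subset of the alert codes; the full table is in the SSLv3 / TLS specifications.
ALERT_DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
                      40: "handshake_failure", 42: "bad_certificate", 48: "unknown_ca",
                      70: "protocol_version"}
MAX_RECORD = (1 << 14) + 2048   # 2^14 fragment plus the allowed compression/MAC/padding expansion


def parse_records(stream: bytes):
    """Cut a byte stream into records. Returns (records, unconsumed tail);
    an incomplete trailing record stays in the tail until more bytes arrive."""
    records, off = [], 0
    while off + RECORD_HEADER.size <= len(stream):
        ctype, major, minor, length = RECORD_HEADER.unpack_from(stream, off)
        if ctype not in CONTENT_TYPES or length > MAX_RECORD:
            raise ValueError(f"bad record header at offset {off}")
        end = off + RECORD_HEADER.size + length
        if end > len(stream):
            break
        records.append((CONTENT_TYPES[ctype], (major, minor), stream[off + RECORD_HEADER.size:end]))
        off = end
    return records, stream[off:]


def parse_alert(fragment: bytes):
    """Alert fragment = one level byte followed by one description byte."""
    if len(fragment) != 2:
        raise ValueError("alert must be exactly two bytes")
    level, desc = fragment
    return ALERT_LEVELS.get(level, f"level_{level}"), ALERT_DESCRIPTIONS.get(desc, f"alert_{desc}")


def handle_stream(stream: bytes):
    """Deliver application data until a fatal alert or close_notify ends the connection.
    Returns (delivered fragments, terminating alert or None)."""
    delivered = []
    for ctype, _version, fragment in parse_records(stream)[0]:
        if ctype == "alert":
            level, desc = parse_alert(fragment)
            if level == "fatal" or desc == "close_notify":
                return delivered, (level, desc)       # nothing after this record is processed
        elif ctype == "application_data":
            delivered.append(fragment)
    return delivered, None
```

The length bound matters: a peer that accepts arbitrarily large record lengths lets an attacker force large buffer allocations before any MAC check can run.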
The most complex part of SSL is the Handshake Protocol. This protocol allows the server and client to authenticate each other and to negotiate an encryption and MAC algorithm and cryptographic keys to be used to protect data sent in an SSL record. The Handshake Protocol is used before any application data is transmitted. The Handshake Protocol consists of a series of messages exchanged by client and server, which can be viewed in 4 phases:
Phase 1. Establish Security Capabilities - this phase is used by the client to initiate a logical connection and to establish the security capabilities that will be associated with it
Phase 2. Server Authentication and Key Exchange - the server begins this phase by sending its certificate if it needs to be authenticated.
Phase 3. Client Authentication and Key Exchange - the client should verify that the server provided a valid certificate if required and check that the server_hello parameters are acceptable
Phase 4. Finish - this phase completes the setting up of a secure connection. The client sends a change_cipher_spec message and copies the pending CipherSpec into the current CipherSpec
Stallings Figure17.6 shows the initial exchange needed to establish a logical connection between client and server. The exchange can be viewed as having the four phases discussed previously.
TLS is defined as a Proposed Internet Standard in RFC 2246. RFC 2246 is very similar to SSLv3, but with a number of minor differences in the areas shown, as discussed in the text.
Now briefly detail the sequence of events that are required for a transaction as shown, details in text.
The purpose of the SET dual signature is to link two messages that are intended for two different recipients, the order information (OI) for the merchant and the payment information (PI) for the bank. The merchant does not need to know the customer's credit card number, and the bank does not need to know the details of the customer's order, however the two items must be linked in a way that can be used to resolve disputes if necessary. The customer takes the hash (using SHA-1) of the PI and the hash of the OI, concatenates them, and hashes the result. Finally, the customer encrypts the final hash with his or her private signature key, creating the dual signature. This can be summarized as: DS = E(PRc, [H(H(PI) || H(OI))])
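Added worked example, not from the original notes: the dual signature computed by the customer and checked from the merchant's and the bank's points of view, each holding only its own half plus the other half's digest. It uses an unpadded textbook RSA pair on two Mersenne primes purely so the signing step runs without external libraries; the key pair, the PI/OI strings and the function names are illustrative assumptions and not a SET key or message format.

```python
import hashlib

# Textbook RSA (no padding) on two Mersenne primes, only so that signing runs stand-alone.
# Not a real SET key pair and not safe for real use.
P, Q = (1 << 127) - 1, (1 << 107) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))                  # plays the customer's private signature key PRc


def H(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()               # SET uses SHA-1


def sign(digest: bytes) -> int:
    return pow(int.from_bytes(digest, "big"), D, N)


def verify(digest: bytes, signature: int) -> bool:
    return pow(signature, E, N) == int.from_bytes(digest, "big")


def dual_signature(pi: bytes, oi: bytes):
    """Customer side: DS = E(PRc, H(H(PI) || H(OI))). Returns (DS, PIMD, OIMD)."""
    pimd, oimd = H(pi), H(oi)
    return sign(H(pimd + oimd)), pimd, oimd


def merchant_verifies(oi: bytes, pimd: bytes, ds: int) -> bool:
    """Merchant holds OI in the clear plus PIMD, never the card details inside PI."""
    return verify(H(pimd + H(oi)), ds)


def bank_verifies(pi: bytes, oimd: bytes, ds: int) -> bool:
    """Bank holds PI plus OIMD, never the order details inside OI."""
    return verify(H(H(pi) + oimd), ds)
```

Either party can later prove the two halves belonged together by producing its half, the other's digest and DS; changing one byte of OI or PI breaks the link.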
The purchase request exchange consists of four messages: Initiate Request, Initiate Response, Purchase Request, and Purchase Response. In order to send SET messages to the merchant, the cardholder must have a copy of the certificates of the merchant and the payment gateway. The customer requests the certificates in the Initiate Request message, sent to the merchant. The merchant generates a response and signs it with its private signature key. The cardholder verifies the merchant and gateway certificates by means of their respective CA signatures and then creates the OI and PI. Next, the cardholder prepares the Purchase Request message with Purchase-related information & Order-related information. The Purchase Response message includes a response block that acknowledges the order and references the corresponding transaction number.
Stallings Figure 17.10 shows the details of the contents of the Purchase Request message generated by the customer.
The message includes the following:
1. Purchase-related information, which will be forwarded to the payment gateway by the merchant and consists of: PI, dual signature, & OI message digest (OIMD).
2. Order-related information, needed by the merchant and consists of: OI, dual signature, PI message digest (PIMD).
3. Cardholder certificate. This contains the cardholder's public signature key.
When the merchant receives the Purchase Request message, the actions listed are performed.
Details of the request verification are shown on the next slide; and of the payment authorization on the following slide.
The Purchase Response message includes a response block that acknowledges the order and references the corresponding transaction number. This block is signed by the merchant using its private signature key.The block and its signature are sent to the customer, along with the merchant’s signature certificate.
Stallings Fig 17.11 illustrates the crypto processes used by the merchant to verify the customer’s purchase request order (step 2 on previous slide).
Stallings Figure 20.1 suggests, in very abstract terms, the nature of the task confronting the designer of an intrusion detection system. Although the typical behavior of an intruder differs from the typical behavior of an authorized user, there is an overlap in these behaviors. Thus, a loose interpretation of intruder behavior, which will catch more intruders, will also lead to a number of "false positives," or authorized users identified as intruders. On the other hand, an attempt to limit false positives by a tight interpretation of intruder behavior will lead to an increase in false negatives, or intruders not identified as intruders. Thus, there is an element of compromise and art in the practice of intrusion detection.
Stallings Figure18.2 shows the overall architecture, consisting of three main components, of the system independent distributed IDS developed at the University of California at Davis. The components are:
• Host agent module: audit collection module operating as a background process on a monitored system
• LAN monitor agent module: like a host agent module except it analyzes LAN traffic
• Central manager module: Receives reports from LAN monitor and host agents and processes and correlates these reports to detect intrusion
Stallings Figure 18.3 shows the general approach that is taken. The agent captures each native O/S audit record, & applies a filter that retains only records of security interest. These records are then reformatted into a standardized format (HAR). Then a template-driven logic module analyzes the records for suspicious activity. When suspicious activity is detected, an alert is sent to the central manager. The central manager includes an expert system that can draw inferences from received data. The manager may also query individual systems for copies of HARs to correlate with those from other agents.
Honeypots are decoy systems, designed to lure a potential attacker away from critical systems, and:
• divert an attacker from accessing critical systems
• collect information about the attacker’s activity
• encourage the attacker to stay on the system long enough for administrators to respond
These systems are filled with fabricated information designed to appear valuable but which any legitimate user of the system wouldn’t access, thus, any access is suspect.
They are instrumented with sensitive monitors and event loggers that detect these accesses and collect information about the attacker’s activities.
Have seen evolution from single host honeypots to honeynets of multiple dispersed systems.
The IETF Intrusion Detection Working Group is currently drafting standards to support interoperability of IDS info (both honeypot and normal IDS) over a wide range of systems & O/S’s.
The front line of defense against intruders is the password system, where a user provides a name/login identifier (ID) and a password. The password serves to authenticate the ID of the individual logging on to the system. Passwords are stored as one-way hashes rather than in the clear (which would expose every password if the file were stolen). Unix systems traditionally used crypt(3), an iterated, salted variant of DES, as the one-way function (see text). More recent O/S's use a cryptographic hash function (eg. an MD5-based crypt), and current practice is a deliberately slow, salted password hash. The file containing these password hashes (the shadow file on Unix) needs access control protections to make guessing attacks harder.
Studies have shown that users tend to choose poor passwords too often.
A study at Purdue University in 1992 observed password change choices on 54 machines, for 7000 users, and found almost 3% of the passwords were three characters or fewer in length, easily exhaustively searched!
Password length is only part of the problem, since many people pick a password that is guessable, such as their own name, their street name, a common dictionary word, and so forth. This makes the job of password cracking straightforward.
A study by Klein 1990 collected UNIX password files, containing nearly 14,000 encrypted passwords, and found nearly one-fourth of these passwords were guessable.
A strategy is needed to force users to select passwords that are difficult to guess.
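Added worked example, not from the original notes: salted, iterated password storage next to the unsalted fast hash the notes warn against, with a small constructed wordlist showing why the salted form turns one shared lookup into per-user work. PBKDF2-HMAC-SHA256 stands in here for whatever password hash the OS uses; the iteration counts, usernames, passwords and wordlist are all constructed for the demo.

```python
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000      # slow on purpose; tune so one check costs ~0.1-0.3 s on the login server


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS, salt: bytes = b"") -> str:
    """Salted, iterated hash in a self-describing record: algo$iterations$salt$digest."""
    salt = salt or os.urandom(16)                    # fresh random salt for every password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    algo, iterations, salt_hex, dk_hex = record.split("$")
    if algo != ALGORITHM:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))   # constant-time compare


def unsalted_fast_hash(password: str) -> str:
    """What the notes warn against: a single fast, unsalted hash per password."""
    return hashlib.sha256(password.encode()).hexdigest()


def table_attack(stored: dict, wordlist: list) -> dict:
    """Against unsalted hashes one precomputed table cracks every user at once."""
    table = {unsalted_fast_hash(w): w for w in wordlist}
    return {user: table[h] for user, h in stored.items() if h in table}


def dictionary_attack(stored: dict, wordlist: list) -> dict:
    """Against salted, iterated records each user costs |wordlist| full KDF runs; nothing is shared."""
    cracked = {}
    for user, record in stored.items():
        for guess in wordlist:
            if verify_password(guess, record):
                cracked[user] = guess
                break
    return cracked
```

The salt does not stop a dictionary attack on a guessable password (alice still falls), it only removes the shared precomputation; the iteration count is what makes each guess expensive, and the self-describing record lets the count be raised later without forcing a reset.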
Computer-generated passwords create a password for the user, but have problems. If the passwords are quite random in nature, users will not be able to remember them. Even if the password is pronounceable, the user may have difficulty remembering it and so be tempted to write it down. In general, computer-generated password schemes have a history of poor acceptance by users. FIPS PUB 181 defines one of the best-designed automated password generators. The standard includes not only a description of the approach but also a complete listing of the C source code of the algorithm, which generates words by forming a random set of pronounceable syllables and concatenating them to form a word.
A very general depiction of virus structure is shown in Figure 21.1. In this case, the virus code, V, is prepended to infected programs, and it is assumed that the entry point to the program, when invoked, is the first line of the program. An infected program begins with the virus code and works as follows. The first line of code is a jump to the main virus program. The second line is a special marker that is used by the virus to determine whether or not a potential victim program has already been infected with this virus. When the program is invoked, control is immediately transferred to the main virus program. The virus program first seeks out uninfected executable files and infects them. Next, the virus may perform some action, usually detrimental to the system. This action could be performed every time the program is invoked, or it could be a logic bomb that triggers only under certain conditions. Finally, the virus transfers control to the original program. If the infection phase of the program is reasonably rapid, a user is unlikely to notice any difference between the execution of an infected and uninfected program.
The ideal solution to the threat of viruses is prevention, but in general this is impossible to achieve. The next best approach is to be able to do the following:
• Detection: determine that infection has occurred and locate the virus
• Identification: determine which specific virus has infected the program
• Removal: remove all traces of the virus from the infected program and restore it to its original state; or discard the infected program and reload a clean backup copy
As the virus arms race has evolved, both viruses and, necessarily, antivirus software have grown more complex and sophisticated. Four generations of antivirus software can be distinguished:
• First generation: simple scanners use a virus signature to identify a virus, and so are limited to known viruses; or use the length of a program to detect changes to it
• Second generation: heuristic scanners use rules to search for probable virus infection, e.g. for characteristic code fragments; or use a cryptographic hash of each program to detect changes to it
• Third generation: activity traps, which identify a virus by its actions rather than its structure
• Fourth generation: full-featured protection using packages consisting of a variety of antivirus techniques used in conjunction, including scanning and activity trap components
The arms race continues. With fourth-generation packages, a more comprehensive defense strategy is employed, broadening the scope of defense to more general purpose computer security measures.
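The added example below (written for these notes; it is not Stallings' code and the "virus" is a harmless constructed byte string) ties the virus structure described above to the first two antivirus generations. `infect` prepends a body and honours an infection marker, as in Figure 21.1; `signature_scan` is a first-generation check against a table of known byte strings; `baseline` and `integrity_check` are the second-generation cryptographic-hash check. The demo shows why the hash check matters: a variant with one byte changed in the signature region slips past the signature scanner but not the integrity check. The sample "programs" are constructed bytes, not real binaries.

```python
import hashlib

# Constructed sample programs (stand-ins for executables; not real binaries).
CLEAN_FILES = {
    "ls": b"\x7fELF ls: list directory contents; original code",
    "cat": b"\x7fELF cat: concatenate files; original code",
}

# Hypothetical virus: a marker it uses to recognise already-infected files, and
# a body fragment that the scanner will treat as its signature. Not real malware.
MARKER = b"[VX-MARK]"
VIRUS_BODY = b"JMP main_virus;" + MARKER + b";seek_and_infect;payload;JMP host"


def infect(program: bytes) -> bytes:
    """Prepend the virus to a program unless the marker shows it is already infected."""
    if MARKER in program:
        return program
    return VIRUS_BODY + program


# First generation: a table of byte-string signatures for known viruses.
SIGNATURES = {"example-virus": b"seek_and_infect;payload"}


def signature_scan(files: dict) -> dict:
    """Return {filename: virus name} for files containing a known signature."""
    return {name: vname for name, data in files.items()
            for vname, sig in SIGNATURES.items() if sig in data}


# Second generation: a cryptographic hash of each clean program, taken before
# the system is exposed. It catches any change, including unknown viruses, but
# only if the baseline itself was taken from clean files.
def baseline(files: dict) -> dict:
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def integrity_check(files: dict, base: dict) -> list:
    """Names of programs whose hash no longer matches the baseline (or are unknown)."""
    return sorted(name for name, data in files.items()
                  if base.get(name) != hashlib.sha256(data).hexdigest())


def demo() -> dict:
    base = baseline(CLEAN_FILES)
    infected = {"ls": infect(CLEAN_FILES["ls"]), "cat": CLEAN_FILES["cat"]}
    # A variant with one byte changed inside the signature region evades the
    # signature scanner but not the integrity check.
    variant = {"ls": infect(CLEAN_FILES["ls"]).replace(b"payload", b"pay1oad"),
               "cat": CLEAN_FILES["cat"]}
    return {
        "sig_known": signature_scan(infected),
        "hash_known": integrity_check(infected, base),
        "sig_variant": signature_scan(variant),
        "hash_variant": integrity_check(variant, base),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The marker check also shows why a virus that avoids double infection leaves a detectable constant in every victim; early scanners used exactly such markers as signatures.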
Stallings Figure 19.4 illustrates the typical steps in digital immune system operation:
1. A monitoring program on each PC uses a variety of heuristics based on system behavior, suspicious changes to programs, or family signature to infer that a virus may be present, and forwards infected programs to an administrative machine
2. The administrative machine encrypts the sample and sends it to a central virus analysis machine
3. This machine creates an environment in which the infected program can be safely run for analysis, to produce a prescription for identifying and removing the virus
4. The resulting prescription is sent back to the administrative machine
5. The administrative machine forwards the prescription to the infected client
6. The prescription is also forwarded to other clients in the organization
7. Subscribers around the world receive regular antivirus updates that protect them from the new virus.
A DDoS attack attempts to consume the target’s resources so that it cannot provide service. One way to classify DDoS attacks is in terms of the type of resource that is consumed, either an internal host resource on the target system, or data transmission capacity in the target local network.
Stallings Figure 19.5a shows an example of an internal resource attack, the SYN flood:
1. The attacker takes control of multiple hosts over the Internet
2. The compromised hosts begin sending TCP SYN (synchronize/initialization) packets with spoofed source IP addresses to the target
3. For each such packet, the Web server responds with a SYN/ACK (synchronize/acknowledge) packet. The Web server maintains a data structure for each half-open connection while it waits for the final ACK, which never arrives because the source address was spoofed; as more traffic floods in, this table fills and the server becomes bogged down.
A common mitigation is SYN cookies, which encode the connection state in the server's initial sequence number so that no per-connection state is kept until the handshake completes.
Stallings Figure 19.5b illustrates an example of an attack that consumes data transmission resources, the reflector (smurf-style) attack:
1. The attacker takes control of multiple hosts over the Internet, instructing them to send ICMP echo request packets, with the source address spoofed to the target's IP address, to a group of hosts that act as reflectors
2. Nodes at the bounce site receive multiple spoofed requests and respond by sending echo reply packets to the target site
3. The target's router is flooded with packets from the bounce site, leaving no data transmission capacity for legitimate traffic
Because the reflectors are ordinary hosts answering what look like ordinary requests, the target sees traffic from many unrelated sources; filtering packets with spoofed source addresses at the edge of the networks the attacking hosts sit in (ingress filtering, BCP 38) is the defence that removes the attack at its source.
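As an added example for both attacks above (not from the original notes, and run over a constructed packet trace rather than captured traffic), the two detectors below use the asymmetry each attack leaves behind: a SYN flood shows up as peers that sent SYN but never the final ACK, and a reflector attack shows up as echo replies for which the victim never sent a request. The target address, peer addresses and thresholds are assumptions chosen for the example.

```python
from collections import defaultdict

TARGET = "10.0.0.5"   # hypothetical web server under attack


def handshake(client, server=TARGET):
    """Three packets of a completed TCP handshake (constructed, benign)."""
    return [(client, server, "tcp", "SYN"),
            (server, client, "tcp", "SYN/ACK"),
            (client, server, "tcp", "ACK")]


def syn_flood(server=TARGET, n=200):
    """SYNs from spoofed sources that never complete the handshake."""
    return [(f"198.51.100.{i}", server, "tcp", "SYN") for i in range(1, n + 1)]


def reflection(target=TARGET, n=100):
    """Echo replies from reflectors that received requests spoofed as the target."""
    return [(f"192.0.2.{i}", target, "icmp", "ECHO_REPLY") for i in range(1, n + 1)]


# Constructed trace: a little benign traffic (three real clients and one real
# ping from the target to 192.0.2.1) mixed with both attacks.
SAMPLE = (handshake("203.0.113.10") + handshake("203.0.113.11") + handshake("203.0.113.12")
          + [(TARGET, "192.0.2.1", "icmp", "ECHO"), ("192.0.2.1", TARGET, "icmp", "ECHO_REPLY")]
          + syn_flood() + reflection())


def detect_syn_flood(packets, threshold=50):
    """Half-open connections per destination: a peer sent SYN to it but never
    the final ACK. Spoofed sources never ACK, so they accumulate."""
    syn_peers, ack_peers = defaultdict(set), defaultdict(set)
    for src, dst, proto, kind in packets:
        if proto == "tcp" and kind == "SYN":
            syn_peers[dst].add(src)
        elif proto == "tcp" and kind == "ACK":
            ack_peers[dst].add(src)
    half_open = {dst: len(peers - ack_peers[dst]) for dst, peers in syn_peers.items()}
    return {dst: n for dst, n in half_open.items() if n >= threshold}


def detect_reflection(packets, threshold=20):
    """Echo replies delivered to a host that never sent the matching request,
    counted by distinct reflector. Replies to the host's own pings are excluded."""
    requested, unsolicited = set(), defaultdict(set)
    for src, dst, proto, kind in packets:
        if proto != "icmp":
            continue
        if kind == "ECHO":
            requested.add((src, dst))
        elif kind == "ECHO_REPLY" and (dst, src) not in requested:
            unsolicited[dst].add(src)
    return {dst: len(refl) for dst, refl in unsolicited.items() if len(refl) >= threshold}


if __name__ == "__main__":
    print("half-open SYN peers:", detect_syn_flood(SAMPLE))
    print("unsolicited echo-reply sources:", detect_reflection(SAMPLE))
```

Note the limits: a server using SYN cookies keeps no half-open table, so the first detector then measures attacker effort rather than server load, and a reflector attack looks to the victim like many legitimate hosts, which is why source-side ingress filtering rather than victim-side blocking is the real fix.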
One of the primary functions of a firewall is to provide a buffer between trusted and untrusted networks. The most common place for this, as demonstrated in the slide, is between the corporate network and the Internet. Other examples could include:
• protecting a group of R&D computers from the rest of the network
• separating sensitive HR or finance servers from the corporate network
Firewalls have their limitations, including that they:
1. cannot protect against attacks that bypass the firewall, e.g. PCs with dial-out capability to an ISP, or a dial-in modem pool
2. do not protect against internal threats, e.g. a disgruntled employee or one who cooperates with an attacker
3. cannot protect against the transfer of virus-infected programs or files, given the wide variety of operating systems and applications supported
There are three common types of firewalls: packet filters, application-level gateways, and circuit-level gateways.
A packet-filtering router applies a set of rules to each incoming and outgoing IP packet and then forwards or discards the packet. Filtering rules are based on information contained in the packet, such as source and destination IP addresses, source and destination ports, the transport protocol, and the interface the packet arrives on or leaves by. Rules are normally examined in order, and the first match decides. Some advantages are simplicity, transparency, and speed.
If there is no match to any rule, one of two default policies is applied:
• that which is not expressly permitted is prohibited (default action is to discard the packet): the conservative policy
• that which is not expressly prohibited is permitted (default action is to forward the packet): the permissive policy
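The added example below (written for these notes, not Stallings' code) is a small first-match packet filter with the two default policies side by side. The rule set, addresses and port numbers are assumptions chosen to make the contrast visible: an unlisted inbound SSH connection is dropped under the conservative default and let through under the permissive one. The first rule is the anti-spoofing check a practitioner would want on any border filter: a packet arriving from the Internet that claims an internal source address is discarded regardless of the default.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str        # "in" (from the Internet) or "out" (to the Internet)
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    dport: int = 0        # destination port (0 for icmp)


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    direction: str = "any"
    src: str = "0.0.0.0/0"        # CIDR or single address
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None   # None matches any port

    def matches(self, p: Packet) -> bool:
        return (self.direction in ("any", p.direction)
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and (self.dport is None or self.dport == p.dport))


def filter_packet(rules, packet: Packet, default: str = "deny") -> str:
    """The first matching rule decides; the default policy applies when none matches."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action
    return default


INTERNAL = "10.0.0.0/8"        # hypothetical internal address space
MAIL_GATEWAY = "10.0.0.10"     # hypothetical bastion that accepts inbound SMTP

# Constructed rule set for the border router.
RULES = [
    # Anti-spoofing: a packet arriving from the Internet must not claim an internal source.
    Rule("deny", direction="in", src=INTERNAL),
    # Inbound SMTP is allowed only to the mail gateway.
    Rule("permit", direction="in", dst=MAIL_GATEWAY, proto="tcp", dport=25),
    # Internal hosts may open TCP connections outward.
    Rule("permit", direction="out", src=INTERNAL, proto="tcp"),
]

# Constructed packets used to exercise the rules.
SMTP_IN = Packet("in", "203.0.113.5", MAIL_GATEWAY, "tcp", 25)
SSH_IN = Packet("in", "203.0.113.5", MAIL_GATEWAY, "tcp", 22)      # matches no rule
SPOOFED_IN = Packet("in", "10.0.0.7", MAIL_GATEWAY, "tcp", 25)      # internal source from outside
WEB_OUT = Packet("out", "10.0.0.42", "198.51.100.1", "tcp", 443)


def compare_policies(packet: Packet) -> dict:
    """Decision for one packet under the conservative and permissive defaults."""
    return {"default_deny": filter_packet(RULES, packet, "deny"),
            "default_permit": filter_packet(RULES, packet, "permit")}


if __name__ == "__main__":
    for name, pkt in [("SMTP_IN", SMTP_IN), ("SSH_IN", SSH_IN),
                      ("SPOOFED_IN", SPOOFED_IN), ("WEB_OUT", WEB_OUT)]:
        print(name, compare_policies(pkt))
```

Rule order matters: if the SMTP permit were placed above the anti-spoofing deny, a spoofed packet to port 25 of the mail gateway would be forwarded, which is the kind of mistake a default-deny policy does not save you from.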
Stallings Figure 20.1a illustrates the packet filter firewall placement in the border router, on the security perimeter, between the external less-trusted Internet, and the internal more trusted private network.
A circuit-level gateway relays two TCP connections, one between itself and an inside TCP user, and the other between itself and a TCP user on an outside host. Once the two connections are established, it relays TCP data from one connection to the other without examining its contents. The security function consists of determining which connections will be allowed. It is typically used when internal users are trusted to decide what external services to access.
One of the most common circuit-level gateways is SOCKS, version 5 of which is defined in RFC 1928. It consists of a SOCKS server on the firewall, and a SOCKS library and SOCKS-aware applications on internal clients. The client first negotiates an authentication method with the server, then sends a request naming the command (CONNECT, BIND or UDP ASSOCIATE) and the destination address and port; the server applies its policy to that request and either relays the connection or returns a failure code.
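The added example below (not from the notes and not a SOCKS implementation from any project) walks through the server side of the RFC 1928 exchange on constructed messages: the method-selection reply to the client greeting, parsing of the CONNECT request with each of the three address types, a hypothetical policy that only relays CONNECT to ports 80 and 443 and refuses to bounce connections back into private address space, and the reply message with the RFC 1928 reply codes. Whether the gateway ever looks at application data is irrelevant here; the only security decision is whether the connection is allowed, which is the circuit-level gateway's whole job. The policy is an assumption for the example; the byte layouts and reply codes are from RFC 1928.

```python
import ipaddress
import struct

SOCKS_VERSION = 0x05
CMD_NAMES = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}
METHOD_NO_AUTH, METHOD_NONE_ACCEPTABLE = 0x00, 0xFF
# Reply codes from RFC 1928 section 6.
REP_SUCCEEDED, REP_NOT_ALLOWED = 0x00, 0x02
REP_CMD_NOT_SUPPORTED, REP_ATYP_NOT_SUPPORTED = 0x07, 0x08


def select_method(greeting: bytes) -> bytes:
    """Server half of method negotiation: client sends VER NMETHODS METHODS...,
    server answers VER METHOD. This example gateway only offers 'no authentication'."""
    if len(greeting) < 2 or greeting[0] != SOCKS_VERSION or len(greeting) != 2 + greeting[1]:
        raise ValueError("malformed greeting")
    offered = greeting[2:]
    chosen = METHOD_NO_AUTH if METHOD_NO_AUTH in offered else METHOD_NONE_ACCEPTABLE
    return bytes([SOCKS_VERSION, chosen])


def parse_request(req: bytes):
    """Parse VER CMD RSV ATYP DST.ADDR DST.PORT into (command, host, port)."""
    if len(req) < 4 or req[0] != SOCKS_VERSION or req[2] != 0x00:
        raise ValueError("malformed request header")
    cmd, atyp = req[1], req[3]
    if atyp == 0x01:                         # IPv4: 4 octets
        addr_end = 8
    elif atyp == 0x03:                       # domain name: length octet + name
        if len(req) < 5:
            raise ValueError("truncated request")
        addr_end = 5 + req[4]
    elif atyp == 0x04:                       # IPv6: 16 octets
        addr_end = 20
    else:
        raise ValueError("unsupported address type")
    if len(req) != addr_end + 2:             # exactly DST.PORT must remain
        raise ValueError("truncated request or trailing bytes")
    addr = req[4:addr_end]
    if atyp == 0x01:
        host = str(ipaddress.IPv4Address(addr))
    elif atyp == 0x04:
        host = str(ipaddress.IPv6Address(addr))
    else:
        host = addr[1:].decode("ascii")
    (port,) = struct.unpack("!H", req[addr_end:addr_end + 2])
    return CMD_NAMES.get(cmd, "UNKNOWN"), host, port


def policy_allows(cmd: str, host: str, port: int) -> int:
    """Hypothetical policy: CONNECT only, to web ports, never back into private space."""
    if cmd != "CONNECT":
        return REP_CMD_NOT_SUPPORTED
    try:
        ip = ipaddress.ip_address(host)
        if ip.is_private or ip.is_loopback:
            return REP_NOT_ALLOWED
    except ValueError:
        # Domain name: a real gateway resolves it and re-checks the resulting
        # address before connecting (simplified away here, no network access).
        pass
    return REP_SUCCEEDED if port in (80, 443) else REP_NOT_ALLOWED


def build_reply(rep: int) -> bytes:
    """VER REP RSV ATYP BND.ADDR BND.PORT, with the bound address zeroed."""
    return bytes([SOCKS_VERSION, rep, 0x00, 0x01]) + bytes(6)


def handle_request(req: bytes) -> bytes:
    cmd, host, port = parse_request(req)
    return build_reply(policy_allows(cmd, host, port))


# Constructed client messages (not captured traffic).
GREETING = b"\x05\x02\x00\x02"                                     # offers no-auth and user/pass
REQ_WEB = b"\x05\x01\x00\x03\x0bexample.com\x01\xbb"               # CONNECT example.com:443
REQ_INTERNAL = b"\x05\x01\x00\x01\x0a\x00\x00\x05\x00\x17"         # CONNECT 10.0.0.5:23
REQ_BIND = b"\x05\x02\x00\x01\xc6\x33\x64\x01\x01\xbb"             # BIND 198.51.100.1:443

if __name__ == "__main__":
    print(select_method(GREETING).hex())
    for req in (REQ_WEB, REQ_INTERNAL, REQ_BIND):
        print(parse_request(req), "->", handle_request(req).hex())
```

The length checks in `parse_request` are not decoration: a relay that trusts the client's length octet without checking the buffer is the usual way a SOCKS parser becomes a crash or an over-read, and the trailing-bytes check stops a client from smuggling the start of its payload into the request.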
An application-level gateway (or proxy server) acts as a relay of application-level traffic. A user contacts the gateway to access some service and provides the details of the service, the remote host, and authentication details; the gateway then contacts the application on the remote host and relays all data between the two endpoints. If the gateway does not implement the proxy code for a specific application, then that application is not supported and cannot be used through it. Note that some services naturally support proxying, whilst others are more problematic. Application-level gateways tend to be more secure than packet filters, and can log and audit traffic at the application level.
Stallings Figure 20.1b illustrates an application-level gateway (or proxy server), emphasizing that it only supports a specific list of application services.
Stallings Figure 20.1c illustrates a circuit-level gateway, showing how it relays between two TCP connections. Note that it can be implemented in a stand-alone system or can be a specialized function in an application-level gateway for certain applications. Note also that relaying UDP packets is more problematic, because of the lack of connection context, and requires a parallel TCP connection to provide these details.
In addition to the use of a simple configuration consisting of a single system, more complex configurations are possible and indeed more common. Stallings Figure 20.2 illustrates three common firewall configurations.
Figure 20.2a shows the “screened host firewall, single-homed bastion configuration”, where the firewall consists of two systems:
a packet-filtering router - allows Internet packets to/from bastion only
a bastion host - performs authentication and proxy functions
This configuration has greater security, as it implements both packet-level and application-level filtering, forces an intruder to penetrate two separate systems to compromise internal security, and also affords flexibility in providing direct Internet access to specific internal servers (e.g. a web server) if desired.
Stallings Figure 20.2b illustrates the “screened host firewall, dual-homed bastion configuration” which physically separates the external and internal networks, ensuring two systems must be compromised to breach security. The advantages of dual layers of security are also present here. Again, an information server or other hosts can be allowed direct communication with the router if this is in accord with the security policy, but are now separated from the internal network.
Stallings Figure 20.2c shows the “screened subnet firewall configuration”, being the most secure shown. It has two packet-filtering routers, one between the bastion host and the Internet and the other between the bastion host and the internal network, creating an isolated subnetwork. This may consist of simply the bastion host but may also include one or more information servers and modems for dial-in capability. Typically, both the Internet and the internal network have access to hosts on the screened subnet, but traffic across the screened subnet is blocked.
This configuration offers several advantages:
• There are now three levels of defense to thwart intruders
• The outside router advertises only the existence of the screened subnet to the Internet; therefore the internal network is invisible to the Internet
• Similarly, the inside router advertises only the existence of the screened subnet to the internal network; hence systems on the inside network cannot construct direct routes to the Internet