1. CS6701 CRYPTOGRAPHY AND
NETWORK SECURITY
UNIT – II
Dr. A. Kathirvel, Professor, Dept. of CSE
M.N.M Jain Engineering College, Chennai
2. UNIT - II
BLOCK CIPHERS AND PUBLIC KEY CRYPTOGRAPHY
• Data Encryption Standard - Block cipher principles - Block
cipher modes of operation - Advanced Encryption
Standard (AES) - Triple DES - Blowfish - RC5 algorithm.
• Public key cryptography: Principles of public key
cryptosystems - The RSA algorithm - Key management -
Diffie Hellman Key exchange - Elliptic curve arithmetic -
Elliptic curve cryptography.
3. DATA ENCRYPTION
• Encryption Definition:
– The action of disguising information so that it can be
recovered easily by the persons who have the key, but is
highly resistant to recovery by persons who do not have
the key.
4. DATA ENCRYPTION
• A message in cleartext (plaintext) is encrypted
(disguised) under an encryption key to produce
the ciphertext.
5. DATA ENCRYPTION
• The encryption key may be changed from time to
time to make an intruder's task more difficult.
• Restoration of a ciphertext to cleartext is achieved
by decryption using a decryption key.
• Symmetric (single-key): the encryption and
decryption keys are the same.
• Asymmetric (two-key): the encryption and
decryption keys are different.
6. DATA ENCRYPTION
• Encryption Methods - Encryption is accomplished
by scrambling the bits, characters, words, or
phrases in the original message. Scrambling
involves two activities:
• Transposition - in which the order of the bit
patterns, characters, words or phrases is
rearranged.
• Substitution - in which new bit patterns,
characters, words, or phrases are substituted
for the originals without changing their order.
7. DATA ENCRYPTION
• Data Encryption Standard (DES):
– For decades the most widely used symmetric algorithm
– Developed by IBM
– A symmetric (single-key) cryptosystem
– Developed to protect sensitive, unclassified
US government computer data
– Also used to authenticate electronic funds transfer
messages (as a DES-based MAC)
8. DATA ENCRYPTION
• DES Algorithm
• The algorithm accepts a 64-bit plaintext block P and performs
an initial permutation IP on P, producing P0. The block is
then broken into left and right halves, the left (L0)
being the first 32 bits of P0 and the right (R0) being
the last 32 bits of P0.
• Starting from L0 and R0, 16 rounds are performed until L16 and
R16 are generated.
• The halves are swapped after the last round and the inverse
permutation IP^-1 is applied to R16R16's partner L16 (that is, to
R16L16) to produce the ciphertext C.
9. DATA ENCRYPTION
• Public Key Cryptosystem
– It is an asymmetric cryptosystem.
– First announced in 1976 (Diffie and Hellman).
– Offers a radically different approach to encryption.
– The idea depends on the use of a pair of keys that
differ in a complementary way: what one key encrypts,
only the other can decrypt.
– Several algorithms have been proposed.
– The RSA algorithm is considered secure when used with
adequate key sizes.
• Public key encryption can achieve
– Privacy (encrypt under the recipient's public key)
– Authentication (sign with the sender's private key)
10. DIFFERENTIAL CRYPTANALYSIS
• one of the most significant recent (public) advances
in cryptanalysis
• known to the designers of DES in the 1970s
• published by Murphy, and by Biham & Shamir, in 1990
• a powerful method for analysing block ciphers
• used to analyse most current block ciphers with
varying degrees of success
• DES is reasonably resistant to it (its S-boxes were
chosen with this attack in mind)
11. DIFFERENTIAL CRYPTANALYSIS
• a statistical attack against Feistel ciphers
• exploits the cipher structure in a way not used before
• in an S-P network the output of the round function f
depends on both the input and the key
• hence values cannot be traced back through the
cipher without knowing the key
• differential cryptanalysis instead compares pairs of
related encryptions and tracks their XOR difference,
which the XOR with the subkey does not change
12. DIFFERENTIAL CRYPTANALYSIS
COMPARES PAIRS OF ENCRYPTIONS
• differential cryptanalysis is complex
• start with a known difference in the input
• search for a known difference in the output
13. DIFFERENTIAL CRYPTANALYSIS
• some input difference gives some output
difference with probability p
• if instances of some higher-probability
input/output difference pair are found
• the subkey used in that round can be inferred
• the process must then be iterated over many
rounds, with the probabilities multiplying
14. DIFFERENTIAL CRYPTANALYSIS
• perform the attack by repeatedly encrypting plaintext
pairs with the known input XOR until the desired
output XOR is obtained
• when found
– if the intermediate rounds match the required XOR we
have a right pair
– if not, we have a wrong pair
• key values for the rounds can then be deduced
– right pairs suggest the same key bits
– wrong pairs give random values
• larger numbers of rounds make the attack more difficult
• an attack on full 16-round DES requires an effort on the
order of 2^47, with 2^47 chosen plaintexts to be encrypted
15. LINEAR CRYPTANALYSIS
• another recent development
• also a statistical method
• based on finding linear approximations
to model the transformation of DES
• can attack DES with 2^43 known plaintexts
(Matsui), which is still infeasible in practice
16. DATA ENCRYPTION STANDARD
• have considered so far:
– terminology
– classical cipher techniques
– substitution ciphers
• cryptanalysis using letter frequencies
– transposition ciphers
17. MODERN BLOCK CIPHERS
• will now look at modern block ciphers
• one of the most widely used types of
cryptographic algorithms
• provide strong secrecy and/or
authentication services
• in particular will introduce DES (Data
Encryption Standard)
18. BLOCK VS STREAM CIPHERS
• block ciphers process messages in blocks, each of
which is then encrypted/decrypted as a unit
• like a substitution on very big characters
– 64 bits or more
• stream ciphers process messages a bit or byte at a
time when encrypting/decrypting
• many current ciphers are block ciphers
• hence they are the focus of this course
19. BLOCK CIPHER PRINCIPLES
• block ciphers look like an extremely large
substitution
• would need a table of 2^64 entries for a 64-bit block
• an arbitrary reversible substitution cipher for a large
block size is not practical
– a general 64-bit substitution block cipher has a key
(the whole table) of 64 x 2^64 bits
• most symmetric block ciphers are instead based on a
Feistel cipher structure
• needed since it must be possible to decrypt ciphertext
to recover messages efficiently
20. C. SHANNON AND SUBSTITUTION-PERMUTATION CIPHERS
• in 1949 Shannon introduced the idea of
substitution-permutation (S-P) networks
– the modern substitution-transposition product cipher
• these form the basis of modern block ciphers
• S-P networks are based on the two primitive
cryptographic operations we have seen before:
– substitution (S-box)
– permutation (P-box) (transposition)
• provide confusion and diffusion of the message
21. DIFFUSION AND CONFUSION
• introduced by Claude Shannon to thwart cryptanalysis
based on statistical analysis
– assume the attacker has some knowledge of the
statistical characteristics of the plaintext
• the cipher needs to completely obscure the statistical
properties of the original message
• a one-time pad does this
• more practically Shannon suggested combining elements
to obtain:
• diffusion - dissipates the statistical structure of the
plaintext over the bulk of the ciphertext (each plaintext
bit affects many ciphertext bits)
• confusion - makes the relationship between the ciphertext
and the key as complex as possible (each ciphertext bit
depends on many key bits)
22. FEISTEL CIPHER STRUCTURE
• Horst Feistel devised the Feistel cipher
– implements Shannon's substitution-permutation
network concept
• partitions the input block into two halves
– processed through multiple rounds, each of which
– performs a substitution on the left data half
– based on a round function of the right half & subkey
– and then a permutation swapping the halves
23. FEISTEL CIPHER
• n sequential rounds
• each round substitutes the left half Li:
– 1. apply the round function F to the right half Ri
– 2. take the XOR of the output of (1) and Li
• the halves are then swapped, so the new left half is
the old Ri and the new right half is Li XOR F(Ri, Ki)
• the round function is parameterized by the subkey Ki
– the Ki are derived from the overall key K
• F need not be invertible: decryption runs the same
rounds with the subkeys in reverse order
24. FEISTEL CIPHER DESIGN PRINCIPLES
• block size - increasing size improves security, but slows
the cipher
• key size - increasing size improves security and makes
exhaustive key search harder, but may slow the cipher
• number of rounds - increasing the number improves
security, but slows the cipher
• subkey generation - greater complexity can make
analysis harder, but slows the cipher
• round function - greater complexity can make analysis
harder, but slows the cipher
• fast software en/decryption & ease of analysis - are
more recent concerns for practical use and testing
26. DATA ENCRYPTION STANDARD (DES)
• for decades the most widely used block cipher in the world
• adopted in 1977 by NBS (now NIST) as FIPS PUB 46
• encrypts 64-bit data blocks using a 56-bit key
• has widespread use
• IBM developed the Lucifer cipher - by a team led by Feistel
– used 64-bit data blocks with a 128-bit key
• then redeveloped as a commercial cipher with input from
NSA and others
• in 1973 NBS issued a request for proposals for a national
cipher standard
• IBM submitted their revised Lucifer, which was eventually
accepted as the DES
27. DES DESIGN CONTROVERSY
• although the DES standard is public
• there was considerable controversy over its design - in
the choice of a 56-bit key (vs Lucifer's 128-bit) and in
the unexplained S-box design criteria
• subsequent events and public analysis show that the
design was in fact appropriate
• DES has become widely used, especially in financial
applications
28. INITIAL PERMUTATION IP
• first step of the data computation
• IP reorders the input data bits
• quite regular in structure (each output byte collects
one bit position from every input byte)
• example (hex):
IP(675a6967 5e5a6b5a) = (ffb2194d 004df6fb)
• IP is key-independent and adds no cryptographic
strength; it is undone by IP^-1 at the end
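The permutation above, as an added worked example that is not part of the slides: a generic bit-permutation routine in Python with the published FIPS 46 IP table, the inverse table derived programmatically (which is exactly the IP^-1 table DES applies at the end), and a check against the slide's own test value. The table values are the standard's; the function names are this example's own.

```python
# Added example (not from the slides): DES initial permutation IP and its
# inverse, checked against the slide's test value.

# IP table from FIPS 46: output bit i (1-based, MSB first) is input bit IP[i-1].
IP = [
    58, 50, 42, 34, 26, 18, 10, 2,
    60, 52, 44, 36, 28, 20, 12, 4,
    62, 54, 46, 38, 30, 22, 14, 6,
    64, 56, 48, 40, 32, 24, 16, 8,
    57, 49, 41, 33, 25, 17, 9, 1,
    59, 51, 43, 35, 27, 19, 11, 3,
    61, 53, 45, 37, 29, 21, 13, 5,
    63, 55, 47, 39, 31, 23, 15, 7,
]


def permute(value, table, width):
    """Bit permutation in DES numbering: bit 1 is the MSB of a `width`-bit value."""
    out = 0
    for src in table:
        out = (out << 1) | ((value >> (width - src)) & 1)
    return out


def inverse_table(table):
    """Invert a permutation table so that permute(permute(x, t), inv) == x."""
    inv = [0] * len(table)
    for dst, src in enumerate(table, start=1):
        inv[src - 1] = dst
    return inv


IP_INV = inverse_table(IP)  # equals the FIPS 46 IP^-1 table (first row 40, 8, 48, ...)


def initial_permutation(block):
    return permute(block, IP, 64)


def final_permutation(block):
    return permute(block, IP_INV, 64)


def split_halves(block):
    """L0 = first 32 bits of IP(P), R0 = last 32 bits (slide 8)."""
    return block >> 32, block & 0xFFFFFFFF


if __name__ == "__main__":
    p = 0x675A69675E5A6B5A                  # the slide's example input
    p0 = initial_permutation(p)
    l0, r0 = split_halves(p0)
    print(f"IP(P)  = {p0:016x}")            # ffb2194d004df6fb, as on the slide
    print(f"L0, R0 = {l0:08x}, {r0:08x}")
    assert final_permutation(p0) == p       # IP^-1 undoes IP
```

Because IP is a fixed, key-independent bit reordering, an attacker can apply it and undo it at will; it contributes nothing to the cipher's strength and is present for hardware-loading convenience.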
29. DES ROUND STRUCTURE
• uses two 32-bit L & R halves
• as for any Feistel cipher can be described as:
Li = Ri-1
Ri = Li-1 XOR F(Ri-1, Ki)
• F takes the 32-bit R half and the 48-bit subkey and:
– expands R to 48 bits using the expansion permutation
E (Table 3.2c)
– XORs the result with the subkey
– passes it through 8 S-boxes to get a 32-bit result
– finally permutes this using the 32-bit permutation
function P (Table 3.2d)
31. SUBSTITUTION BOXES S
• 8 S-boxes (Table 3.3)
• Each S-Box maps 6 to 4 bits
– outer bits 1 & 6 (row bits) select the row
– inner bits 2-5 (col bits) select the column
– For example, in S1, for input 011001,
• the row is 01 (row 1)
• the column is 1100 (column 12).
• The value in row 1, column 12 is 9
• The output is 1001.
• result is 8 X 4 bits, or 32 bits
32. DES Key Schedule
• forms subkeys used in each round
• 1. initial permutation of the key PC1 (Table 3.4b)
• 2. divide the 56-bits in two 28-bit halves
• 3. at each round
– 3.1. Left shift each half (28 bits) separately either 1 or 2 places based on the left shift schedule (Table 3.4d)
• Shifted values will be input for next round
– 3.2. Combine two halves to 56 bits, permuting them by PC2 (Table 3.4c) for use in function f
• PC2 takes 56-bit input, outputs 48 bits
33. DES DECRYPTION
• decrypt must unwind steps of data computation
• with Feistel design, do encryption steps again
• using subkeys in reverse order (SK16 … SK1)
• note that IP undoes final FP step of encryption
• 1st round with SK16 undoes 16th encrypt round
• ...
• 16th round with SK1 undoes 1st encrypt round
• then final FP undoes initial encryption IP
• thus recovering original data value
35. AVALANCHE EFFECT
• key desirable property of encryption alg
• DES exhibits strong avalanche
• where a change of one input or key bit results in changing approx half output bits
36. STRENGTH OF DES – KEY SIZE
• 56-bit keys have 2^56 = 7.2 x 10^16 values
• brute force search looks hard
• recent advances have shown it is possible
– in 1997 on Internet in a few months
– in 1998 on dedicated hardware (EFF) in a few days
– in 1999 above combined in 22 hrs!
• still must be able to recognize plaintext
• now considering alternatives to DES
37. STRENGTH OF DES – TIMING ATTACKS
• attacks actual implementation of cipher
• use knowledge of consequences of implementation to derive knowledge of some/all subkey bits
• specifically use fact that calculations can take varying times depending on the value of the inputs to it
38. STRENGTH OF DES – ANALYTIC ATTACKS
• now have several analytic attacks on DES
• these utilise some deep structure of the cipher
– by gathering information about encryptions
– can eventually recover some/all of the sub-key bits
– if necessary then exhaustively search for the rest
• generally these are statistical attacks
• include
– differential cryptanalysis
– linear cryptanalysis
– related key attacks
39. MODES OF OPERATION
• block ciphers encrypt fixed size blocks
• eg. DES encrypts 64-bit blocks, with 56-bit key
• need a way to use in practice, given one usually has an arbitrary amount of information to encrypt
• four were defined for DES in ANSI standard ANSI X3.106-1983 Modes of Use
• subsequently now have 5 for DES and AES
• have block and stream modes
40. ELECTRONIC CODEBOOK (ECB)
• message is broken into independent blocks which are encrypted
• each block is a value which is substituted, like a codebook, hence name
• each block is encoded independently of the other blocks
Ci = DES_K1(Pi)
• uses: secure transmission of single values
42. ADVANTAGES AND LIMITATIONS OF ECB
• repetitions in message may show in ciphertext
– if aligned with message block
– particularly with data such as graphics
– or with messages that change very little, which become a code-book analysis problem
• weakness due to encrypted message blocks being independent
• main use is sending a few blocks of data
43. CIPHER BLOCK CHAINING (CBC)
• message is broken into blocks
• but these are linked together in the encryption operation
• each previous ciphertext block is chained with current plaintext block, hence name
• use Initial Vector (IV) to start process
Ci = DES_K1(Pi XOR Ci-1)
C-1 = IV
• uses: bulk data encryption, authentication
45. ADVANTAGES AND LIMITATIONS OF CBC
• each ciphertext block depends on all message blocks
• thus a change in the message affects all ciphertext blocks after the change as well as the original block
• need Initial Value (IV) known to sender & receiver
– however if IV is sent in the clear, an attacker can change bits of the first block, and change IV to compensate
– hence either IV must be a fixed value (as in EFTPOS) or it must be sent encrypted in ECB mode before rest of message
• at end of message, handle possible last short block
– by padding either with known non-data value (eg nulls)
– or pad last block with count of pad size
• eg. [ b1 b2 b3 0 0 0 0 5] <- 3 data bytes, then 5 bytes pad+count
46. CIPHER FEEDBACK (CFB)
• message is treated as a stream of bits
• added to the output of the block cipher
• result is fed back for next stage (hence name)
• standard allows any number of bits (1, 8 or 64 or whatever) to be fed back
– denoted CFB-1, CFB-8, CFB-64 etc
• is most efficient to use all 64 bits (CFB-64)
Ci = Pi XOR DES_K1(Ci-1)
C-1 = IV
• uses: stream data encryption, authentication
48. Advantages and Limitations of CFB
• appropriate when data arrives in bits/bytes
• most common stream mode
• limitation is need to stall while do block encryption after every n-bits
• note that the block cipher is used in encryption mode at both ends
• errors propagate for several blocks after the error
49. OUTPUT FEEDBACK (OFB)
• message is treated as a stream of bits
• output of cipher is added to message
• output is then fed back (hence name)
• feedback is independent of message
• can be computed in advance
Ci = Pi XOR Oi
Oi = DES_K1(Oi-1)
O-1 = IV
• uses: stream encryption over noisy channels
• Note: the OFB mode description presented in Fig 3.14 on page 96 of Stallings’ text is incorrect. Refer to the NIST Spl Pubs 800-38A - Fig 4/page 14
50. ADVANTAGES AND LIMITATIONS OF OFB
• used when error feedback is a problem or where encryption is needed before the message is available
• superficially similar to CFB
• but feedback is from the output of cipher and is independent of message
• a variation of a Vernam cipher
– hence must never reuse the same sequence (key+IV)
• sender and receiver must remain in sync, and some recovery method is needed to ensure this occurs
• originally specified with m-bit feedback in the standards
• subsequent research has shown that only OFB-64 should ever be used
51. COUNTER (CTR)
• a “new” mode, though proposed early on
• similar to OFB but encrypts counter value rather than any feedback value
• must have a different key & counter value for every plaintext block (never reused)
Ci = Pi XOR Oi
Oi = DES_K1(i)
• uses: high-speed network encryptions
53. ADVANTAGES AND LIMITATIONS OF CTR
• efficiency
– can do parallel encryptions
– in advance of need
– good for bursty high speed links
• random access to encrypted data blocks
• provable security (good as other modes)
• but must ensure never reuse key/counter values, otherwise could break (cf OFB)
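A worked example covering the Feistel structure (slides 23 and 33) and the ECB, CBC and CTR modes (slides 40 to 53); this is added code, not from the slides, and its round function is a SHA-256 stand-in for DES's E/S-box/P steps, so the cipher is a structural toy only.

```python
"""Toy Feistel cipher with ECB, CBC and CTR modes built on it.

Added example, not code from the slides: F is SHA-256(subkey || R) cut to
32 bits, a stand-in for DES's E/S-box/P steps, so this is NOT a secure cipher.
It shows decryption = same network with subkeys reversed (slide 33) and how
the modes chain blocks (slides 40-53).
"""
import hashlib

BLOCK = 8      # 64-bit blocks, as in DES
ROUNDS = 16

def subkeys(key: bytes) -> list:
    """Toy key schedule: K_i = SHA-256(key || i)[:6], i.e. 48-bit subkeys."""
    return [hashlib.sha256(key + bytes([i])).digest()[:6] for i in range(ROUNDS)]

def round_f(right: int, k: bytes) -> int:
    """F(R_{i-1}, K_i): a 32-bit value depending on subkey and right half."""
    digest = hashlib.sha256(k + right.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:4], "big")

def feistel(block: bytes, ks: list) -> bytes:
    """L_i = R_{i-1}; R_i = L_{i-1} XOR F(R_{i-1}, K_i), one round per subkey."""
    left = int.from_bytes(block[:4], "big")
    right = int.from_bytes(block[4:], "big")
    for k in ks:
        left, right = right, left ^ round_f(right, k)
    # Output (R_n, L_n): with this final swap the same network run with the
    # subkeys in reverse order undoes the encryption exactly.
    return right.to_bytes(4, "big") + left.to_bytes(4, "big")

def encrypt_block(block: bytes, key: bytes) -> bytes:
    return feistel(block, subkeys(key))

def decrypt_block(block: bytes, key: bytes) -> bytes:
    return feistel(block, subkeys(key)[::-1])     # SK16 ... SK1

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def pad(data: bytes) -> bytes:
    """Slide 45 padding: zero bytes, then one byte holding the pad count."""
    n = BLOCK - len(data) % BLOCK
    return data + b"\x00" * (n - 1) + bytes([n])

def unpad(data: bytes) -> bytes:
    return data[:-data[-1]]

def blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(pt: bytes, key: bytes) -> bytes:
    """C_i = E_K(P_i): equal plaintext blocks give equal ciphertext blocks."""
    return b"".join(encrypt_block(p, key) for p in blocks(pad(pt)))

def ecb_decrypt(ct: bytes, key: bytes) -> bytes:
    return unpad(b"".join(decrypt_block(c, key) for c in blocks(ct)))

def cbc_encrypt(pt: bytes, key: bytes, iv: bytes) -> bytes:
    """C_i = E_K(P_i XOR C_{i-1}), with C_{-1} = IV."""
    out, prev = [], iv
    for p in blocks(pad(pt)):
        prev = encrypt_block(xor(p, prev), key)
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(ct: bytes, key: bytes, iv: bytes) -> bytes:
    """P_i = D_K(C_i) XOR C_{i-1}: needs the block cipher's decrypt direction."""
    out, prev = [], iv
    for c in blocks(ct):
        out.append(xor(decrypt_block(c, key), prev))
        prev = c
    return unpad(b"".join(out))

def ctr_crypt(data: bytes, key: bytes, nonce: bytes) -> bytes:
    """O_i = E_K(nonce || i), C_i = P_i XOR O_i. The same call decrypts, only
    the encrypt direction is used, and no padding is needed; reusing
    (key, nonce) makes C1 XOR C2 = P1 XOR P2, which is why slide 53 forbids it."""
    out = []
    for i, chunk in enumerate(blocks(data)):
        keystream = encrypt_block(nonce[:4] + i.to_bytes(4, "big"), key)
        out.append(xor(chunk, keystream))
    return b"".join(out)
```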
54. ADVANCED ENCRYPTION STANDARD
• Replacement for DES was needed
– Theoretical attacks that can break it
– Demonstrated exhaustive key search attacks
• Can use Triple DES – but slow, small block size
• NIST issued a call for a new AES in 1997
• 15 candidates accepted in Jun 1998
• 5 candidates were short-listed in Aug 1999
• Rijndael was selected as the AES in Oct 2000
• Published as FIPS PUB 197 standard in Dec 2001
55. AES REQUIREMENTS
• Symmetric block cipher
• 128-bit data, 128/192/256-bit keys
• Stronger & faster than triple DES
• Active life of 20-30 years (+ archival use)
• Provide full specification & design details
• Both C & Java implementations
• NIST have released all submissions & unclassified analyses
56. AES EVALUATION CRITERIA
• Initial criteria:
– Security – effort for practical cryptanalysis
– Cost – in terms of computational efficiency (speed, memory)
– Algorithm & implementation characteristics
• flexibility, algorithm simplicity
• Final criteria
– General security
– Ease of software & hardware implementation
– Restricted-space environments
– Attacks on implementations
• timing attack, power analysis
– Flexibility (in en/decrypt, keying, other factors)
57. AES SHORT-LIST
• After testing and evaluation, short-list in Aug 1999:
– MARS (IBM) - complex, fast, high security margin
– RC6 (USA) - very simple, very fast, low security margin
– Rijndael (Belgium) - clean, fast, good security margin
– Serpent (Euro) - clean, slow, very high security margin
– Twofish (USA) - complex, very fast, high security margin
• Then subject to further analysis & comment
• Saw contrast between algorithms with
– Few complex rounds vs. many simple rounds
– Refined existing ciphers vs. new proposals
58. THE AES CIPHER - RIJNDAEL
• Designed by Rijmen-Daemen in Belgium
• Block length: 128 bits
• Key length: 128/192/256 bits
• Number of Rounds: 10/12/14 rounds
• An iterated cipher (rather than Feistel cipher)
– Processes data as block of 4 columns of 4 bytes
– Operates on entire data block in every round
• Designed to be:
– Resistance against all known attacks
– Speed and code compactness on a wide range of platforms
– Design simplicity
59. OVERALL AES STRUCTURE
• Data block of 4 columns of 4 bytes is “state”
• Key is expanded to array of words
• Has 9/11/13 rounds in which state undergoes:
– Substitute bytes (1 S-box used on every byte)
– Shift rows (permute bytes between columns)
– Mix columns (substitute using matrix multiplication of columns)
– Add round key (XOR state with key material)
– View as alternating XOR key & scramble data bytes
• Initial XOR key material & incomplete last round
• With fast XOR & table lookup implementation
63. SUBSTITUTE BYTES (SUBBYTES)
• Simple substitution on each byte of state independently
• Use an S-box of 16x16 bytes containing a permutation of all 256 8-bit values
• Each byte of state is replaced by a new byte indexed by row (left 4-bits) & column (right 4-bits)
– eg. byte {95} is replaced by {2A} in row 9 column 5
• S-box constructed using defined transformation of values in GF(2^8)
• Designed to be resistant to all known attacks
65. SUBSTITUTE BYTES
• GF(2^8) = GF(2)[x] / (x^8+x^4+x^3+x+1)
SubBytes(a7a6a5a4a3a2a1a0)
1. z ← BinaryToField(a7a6a5a4a3a2a1a0)
2. if z ≠ 0
3.   then z ← FieldInv(z)
4. (a7a6a5a4a3a2a1a0) ← FieldToBinary(z)
5. (c7c6c5c4c3c2c1c0) ← (01100011)
6. for i ← 0 to 7
7.   do bi ← (ai + a(i+4) + a(i+5) + a(i+6) + a(i+7) + ci) mod 2   (bit indices taken mod 8)
8. return (b7b6b5b4b3b2b1b0)
66. SUBSTITUTE BYTES
• Example
– Input: a = 0x53 = 01010011 (x^6+x^4+x^3+1)
– Multiplicative inverse a^-1 = x^7+x^6+x^3+x (mod x^8+x^4+x^3+x+1)
– (a7a6a5a4a3a2a1a0) = (11001010)
– (c7c6c5c4c3c2c1c0) = (01100011)
– b0 = a0+a4+a5+a6+a7+c0 mod 2 = 0+0+0+1+1+1 mod 2 = 1
– b1 = a1+a5+a6+a7+a8+c1 mod 2 = 1+0+1+1+0+1 mod 2 = 0 (a8 = a0, since indices wrap mod 8)
– (b7b6b5b4b3b2b1b0) = (11101101) = 0xED
67. INVERSE SUBBYTES
InvSubBytes(b7b6b5b4b3b2b1b0)
1. (d7d6d5d4d3d2d1d0) ← (00000101)
2. for i ← 0 to 7 do
3.   ai ← (b(i+2) + b(i+5) + b(i+7) + di) mod 2   (bit indices taken mod 8)
4. z ← BinaryToField(a7a6a5a4a3a2a1a0)
5. if z ≠ 0 then
6.   z ← FieldInv(z)
7. (a7a6a5a4a3a2a1a0) ← FieldToBinary(z)
8. return (a7a6a5a4a3a2a1a0)
68. SHIFT ROWS
• A circular byte shift in each row
– 1st row is unchanged
– 2nd row does 1 byte circular shift to left
– 3rd row does 2 byte circular shift to left
– 4th row does 3 byte circular shift to left
• Decrypt inverts using shifts to right
• Since state is processed by columns, this step permutes bytes between the columns
69. MIX COLUMNS
• Each column is processed separately
• Each byte is replaced by a value dependent on all 4 bytes in the column
• Effectively a matrix multiplication in GF(2^8) using irreducible polynomial m(x) = x^8 + x^4 + x^3 + x + 1
73. ADD ROUND KEY
• XOR state with 128-bits of the round key
• Again processed by column (though effectively a series of byte operations)
• Inverse for decryption identical
– Since XOR own inverse, with reversed keys
• Designed to be as simple as possible
– A form of Vernam cipher on expanded key
– Complexity of other stages ensures security
74. AES Key Expansion
• Takes 128-bit (16-byte; 4-word) key and expands into array of 44 32-bit words
• Start by copying key into first 4 words
• Then loop creating words that depend on values in previous & 4 places back
– In 3 of 4 cases just XOR these together
– 1st word in 4 has rotate + S-box + XOR round constant on previous, before XOR 4th back
76. AES KEY EXPANSION
• RotWord(B0,B1,B2,B3) = (B1,B2,B3,B0)
• SubWord(B0,B1,B2,B3) = (B0’,B1’,B2’,B3’), where Bi’ = SubBytes(Bi), i = 0,1,2,3
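The SubBytes construction of slides 63 to 67 and the key expansion of slides 74 to 76, worked in code; this is an added example, not code from the slides, and it computes the S-box from the field inverse and affine map rather than reading it from a table.

```python
"""AES SubBytes built from its definition, then the 128-bit key expansion.

Added example, not code from the slides: the S-box is computed exactly as in
the SubBytes pseudocode (inverse in GF(2^8), then the affine map with
c = 0x63), InvSubBytes with d = 0x05, and RotWord/SubWord drive key expansion.
"""
M_X = 0x11B   # x^8 + x^4 + x^3 + x + 1, the irreducible polynomial m(x)

def gf_mul(a: int, b: int) -> int:
    """Multiply two bytes as polynomials over GF(2), reducing modulo m(x)."""
    p = 0
    while b:
        if b & 1:
            p ^= a
        a <<= 1
        if a & 0x100:
            a ^= M_X
        b >>= 1
    return p & 0xFF

def field_inv(z: int) -> int:
    """FieldInv: z^-1 = z^254 (the group has order 255); 0 stays 0 as in the slide."""
    result, base, e = 1, z, 254
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        e >>= 1
    return result if z else 0

def affine(a: int) -> int:
    """b_i = a_i + a_{i+4} + a_{i+5} + a_{i+6} + a_{i+7} + c_i (mod 2), indices mod 8."""
    c, b = 0x63, 0
    for i in range(8):
        bit = (c >> i) & 1
        for k in (0, 4, 5, 6, 7):
            bit ^= (a >> ((i + k) % 8)) & 1
        b |= bit << i
    return b

def inv_affine(b: int) -> int:
    """a_i = b_{i+2} + b_{i+5} + b_{i+7} + d_i (mod 2), with d = 00000101."""
    d, a = 0x05, 0
    for i in range(8):
        bit = (d >> i) & 1
        for k in (2, 5, 7):
            bit ^= (b >> ((i + k) % 8)) & 1
        a |= bit << i
    return a

def sub_byte(a: int) -> int:
    return affine(field_inv(a))

def inv_sub_byte(b: int) -> int:
    return field_inv(inv_affine(b))

SBOX = [sub_byte(x) for x in range(256)]
INV_SBOX = [inv_sub_byte(x) for x in range(256)]

def rot_word(w: int) -> int:
    """RotWord(B0,B1,B2,B3) = (B1,B2,B3,B0) on a big-endian 32-bit word."""
    return ((w << 8) | (w >> 24)) & 0xFFFFFFFF

def sub_word(w: int) -> int:
    """SubWord applies the S-box to each of the four bytes."""
    return int.from_bytes(bytes(SBOX[x] for x in w.to_bytes(4, "big")), "big")

def key_expansion(key: bytes) -> list:
    """Expand a 16-byte key into 44 words; every 4th word gets RotWord, SubWord
    and the round constant before being XORed with the word 4 places back."""
    if len(key) != 16:
        raise ValueError("this example handles AES-128 keys only")
    w = [int.from_bytes(key[4 * i:4 * i + 4], "big") for i in range(4)]
    rcon = 0x01
    for i in range(4, 44):
        temp = w[i - 1]
        if i % 4 == 0:
            temp = sub_word(rot_word(temp)) ^ (rcon << 24)
            rcon = gf_mul(rcon, 0x02)     # next round constant: x * rcon in GF(2^8)
        w.append(w[i - 4] ^ temp)
    return w
```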
77. KEY EXPANSION RATIONALE
• Designed to resist known attacks
• Design criteria included
– Knowing part key insufficient to find many more
– Invertible transformation
– Fast on wide range of CPU’s
– Use round constants to break symmetry
– Diffuse key bits into round keys
– Enough non-linearity to hinder analysis
– Simplicity of description
78. AES DECRYPTION
• AES decryption is not identical to encryption since steps done in reverse
• But can define an equivalent inverse cipher with steps as for encryption
– But using inverses of each step
– With a different key schedule
• Works since result is unchanged when
– Swap byte substitution & shift rows
– Swap mix columns & add (tweaked) round key
79. IMPLEMENTATION ASPECTS
• Can efficiently implement on 8-bit CPU
– byte substitution works on bytes using a table of 256 entries
– shift rows is simple byte shift
– add round key works on byte XOR’s
– mix columns requires matrix multiply in GF(2^8) which works on byte values, can be simplified to use table lookups & byte XOR’s
• Can efficiently implement on 32-bit CPU
– redefine steps to use 32-bit words
– can precompute 4 tables of 256-words
– then each column in each round can be computed using 4 table lookups + 4 XORs
– at a cost of 4Kb to store tables
• Designers believe this very efficient implementation was a key factor in its selection as the AES cipher
80. TRIPLE DES
• clearly a replacement for DES was needed
– theoretical attacks that can break it
– demonstrated exhaustive key search attacks
• AES is a new cipher alternative
• prior to this alternative was to use multiple encryption with DES implementations
• Triple-DES is the chosen form
81. WHY TRIPLE-DES?
• why not Double-DES?
– NOT same as some other single-DES use, but have
• meet-in-the-middle attack
– works whenever use a cipher twice
– since X = E_K1[P] = D_K2[C]
– attack by encrypting P with all keys and store
– then decrypt C with keys and match X value
– can show takes O(2^56) steps
82. TRIPLE-DES WITH TWO-KEYS
• hence must use 3 encryptions
– would seem to need 3 distinct keys
• but can use 2 keys with E-D-E sequence
– C = E_K1[D_K2[E_K1[P]]]
– nb encrypt & decrypt equivalent in security
– if K1=K2 then can work with single DES
• standardized in ANSI X9.17 & ISO8732
• no current known practical attacks
83. TRIPLE-DES WITH THREE-KEYS
• although there are no practical attacks on two-key Triple-DES, there are some indications
• can use Triple-DES with Three-Keys to avoid even these
– C = E_K3[D_K2[E_K1[P]]]
• has been adopted by some Internet applications, eg PGP, S/MIME
84. Blowfish
• a symmetric block cipher designed by Bruce Schneier in 1993/94
• characteristics
– fast implementation on 32-bit CPUs
– compact in use of memory
– simple structure for analysis/implementation
– variable security by varying key size
• has been implemented in various products
85. Blowfish Key Schedule
• uses a 32 to 448 bit key, 32-bit words stored in K-array Kj, j from 1 to 14
• used to generate
– 18 32-bit subkeys stored in P array, P1 … P18
– four 8x32 S-boxes stored in Si,j, each with 256 32-bit entries
• Subkeys and S-Boxes Generation:
1. initialize P-array and then 4 S-boxes in order using the fractional part of pi: P1 (left most 32-bit), and so on, up to S4,255.
2. XOR P-array with key-array (32-bit blocks), reusing key words as needed: assuming the key has words up to K10, then P10 XOR K10, P11 XOR K1 … P18 XOR K8
86. Blowfish: SubKey and S-Boxes - cont.
• 3. Encrypt 64-bit block of zeros, and use the result to update P1 and P2.
• 4. Encrypt output from previous step using current P & S and replace P3 and P4. Then encrypt current output and use it to update successive pairs of P.
• 5. After updating all P’s (last: P17 P18), start updating S values using the encrypted output from previous step.
• requires 521 encryptions, hence slow in re-keying
• Not suitable for limited-memory applications.
87. Blowfish Encryption
• uses two main operations: addition modulo 2^32, and XOR
• data is divided into two 32-bit halves L0 & R0
for i = 1 to 16 do
  Ri = L(i-1) XOR Pi;
  Li = F[Ri] XOR R(i-1);
L17 = R16 XOR P18;
R17 = L16 XOR P17;
• where
F[a,b,c,d] = ((S1,a + S2,b) XOR S3,c) + S4,d
90. characteristics
• key dependent S-boxes and subkeys, generated using cipher itself, makes analysis very difficult
• changing both halves in each round increases security
• provided key is large enough, brute-force key search is not practical, especially given the high key schedule cost
91. RC4
• a proprietary cipher owned by RSA DSI
• another Ron Rivest design, simple but effective
• variable key size, byte-oriented stream cipher
• widely used (web SSL/TLS, wireless WEP)
• key forms random permutation of all 8-bit values
• uses that permutation to scramble input info processed a byte at a time
92. RC4 SECURITY
• Claimed secure against known attacks
– Have some analyses, none practical
• Result is very non-linear
• Since RC4 is a stream cipher, must never reuse a key
• Have a concern with WEP, but due to key handling rather than RC4 itself
93. RC5
• can vary key size / data size / variable rounds
• very clean and simple design
• easy implementation on various CPUs
• yet still regarded as secure
94. RC5 Ciphers
• RC5 is a family of ciphers RC5-w/r/b
– w = word size in bits (16/32/64). Encrypts 2w-bit data blocks
– r = number of rounds (0..255)
– b = number of bytes in the key (0..255)
• nominal version is RC5-32/12/16
– ie 32-bit words so encrypts 64-bit data blocks
– using 12 rounds
– with 16 bytes (128-bit) secret key
95. RC5 Key Expansion
• RC5 uses t=2r+2 subkey words (w-bits)
• subkeys are stored in array S[i], i=0..t-1
• then the key schedule consists of
– initializing S to a fixed pseudorandom value, based on constants e and phi
– the byte key is copied into a c-words array L
– a mixing operation then combines L and S to form the final S array
97. RC5 Encryption
• Three main operations: + mod 2^w, XOR, circular left shift <<<, and their inverses are used.
• split input into two halves A & B (w-bits each)
L0 = A + S[0];
R0 = B + S[1];
for i = 1 to r do
  Li = ((L(i-1) XOR R(i-1)) <<< R(i-1)) + S[2 × i];
  Ri = ((R(i-1) XOR Li) <<< Li) + S[2 × i + 1];
• each round is like 2 DES rounds
• note rotation is main source of non-linearity
• need reasonable number of rounds (eg 12-16)
99. RC5 Modes
• 4 modes used by RC5:
– RC5 Block Cipher, is ECB mode
– RC5-CBC, is CBC mode
– RC5-CBC-PAD, is CBC with padding by bytes with value being the number of padded bytes
– RC5-CTS, a variant of CBC which is the same size as the original message, uses ciphertext stealing to keep size same as original
101. PRIVATE-KEY CRYPTOGRAPHY
• traditional private/secret/single-key cryptography uses one key
• shared by both sender and receiver
• if this key is disclosed communications are compromised
• also is symmetric, parties are equal
• hence does not protect sender from receiver forging a message & claiming it’s sent by sender
• probably most significant advance in the 3000 year history of cryptography
• uses two keys – a public & a private key
• asymmetric since parties are not equal
102. PUBLIC-KEY CRYPTOGRAPHY
• uses clever application of number theoretic concepts to function
• complements rather than replaces private key crypto
• public-key/two-key/asymmetric cryptography involves the use of two keys:
– a public-key, which may be known by anybody, and can be used to encrypt messages, and verify signatures
– a private-key, known only to the recipient, used to decrypt messages, and sign (create) signatures
• is asymmetric because
– those who encrypt messages or verify signatures cannot decrypt messages or create signatures
104. WHY PUBLIC-KEY CRYPTOGRAPHY?
• developed to address two key issues:
– key distribution – how to have secure communications in general without having to trust a KDC with your key
– digital signatures – how to verify a message comes intact from the claimed sender
• public invention due to Whitfield Diffie & Martin Hellman at Stanford Uni in 1976
105. PUBLIC-KEY CHARACTERISTICS
• Public-Key algorithms rely on two keys with the characteristics that it is:
– computationally infeasible to find decryption key knowing only algorithm & encryption key
– computationally easy to en/decrypt messages when the relevant (en/decrypt) key is known
– either of the two related keys can be used for encryption, with the other used for decryption (in some schemes)
107. PUBLIC-KEY APPLICATIONS
• can classify uses into 3 categories:
– encryption/decryption (provide secrecy)
– digital signatures (provide authentication)
– key exchange (of session keys)
• some algorithms are suitable for all uses, others are specific to one
108. SECURITY OF PUBLIC KEY SCHEMES
• like private key schemes brute force exhaustive search attack is always theoretically possible
• but keys used are too large (>512 bits)
• security relies on a large enough difference in difficulty between easy (en/decrypt) and hard (cryptanalyse) problems
• more generally the hard problem is known, it’s just made too hard to do in practice
• requires the use of very large numbers
• hence is slow compared to private key schemes
109. RSA
• by Rivest, Shamir & Adleman of MIT in 1977
• best known & widely used public-key scheme
• based on exponentiation in a finite (Galois) field over integers modulo a prime
– nb. exponentiation takes O((log n)^3) operations (easy)
• uses large integers (eg. 1024 bits)
• security due to cost of factoring large numbers
– nb. factorization takes O(e^(log n log log n)) operations (hard)
110. RSA Key Setup
• each user generates a public/private key pair by:
• selecting two large primes at random - p, q
• computing their system modulus N=p.q
– note ø(N)=(p-1)(q-1)
• selecting at random the encryption key e
• where 1<e<ø(N), gcd(e,ø(N))=1
• solve following equation to find decryption key d
– e.d=1 mod ø(N) and 0≤d≤N
• publish their public encryption key: KU={e,N}
• keep secret private decryption key: KR={d,p,q}
111. RSA Use
• to encrypt a message M the sender:
– obtains public key of recipient KU={e,N}
– computes: C=M^e mod N, where 0≤M<N
• to decrypt the ciphertext C the owner:
– uses their private key KR={d,p,q}
– computes: M=C^d mod N
• note that the message M must be smaller than the modulus N (block if needed)
112. RSA Example
1. Select primes: p=17 & q=11
2. Compute n = pq = 17 × 11 = 187
3. Compute ø(n)=(p–1)(q-1) = 16 × 10 = 160
4. Select e : gcd(e,160)=1; choose e=7
5. Determine d: de=1 mod 160 and d < 160
Value is d=23 since 23 × 7 = 161 = 1 × 160 + 1
6. Publish public key KU={7,187}
7. Keep secret private key KR={23,17,11}
113. RSA EXAMPLE CONT
• sample RSA encryption/decryption is:
• given message M = 88 (nb. 88<187)
• encryption:
C = 88^7 mod 187 = 11
• decryption:
M = 11^23 mod 187 = 88
114. RSA KEY GENERATION
• users of RSA must:
– determine two primes at random - p, q
– select either e or d and compute the other
• primes p,q must not be easily derived from modulus N=p.q
– means must be sufficiently large
– typically guess and use probabilistic test
• exponents e, d are inverses, so use Inverse algorithm to compute the other
115. SECURITY OF RSA
• How to attack RSA?
– we have public key (n,e)
– compute ø(n) and get d
• Easier said than done!!
– If we have n and ø(n) then we can factor n
– If we have e and d then we can factor n
[photo: Adi Shamir]
116. Attacks on RSA
• Various attacks on RSA
– known digits attack
– low exponent attack
– short plaintext attack
– timing attack
– factoring
[photo: Len Adleman]
117. KNOWN DIGITS ATTACK
• Theorem
n = pq has m digits. If we know the first or the last m/4 digits of either p or q, then we can efficiently factor n
• Theorem
(n,e) – RSA public key, n has m digits, and we know the last m/4 digits of d. We can find d in time linear in e log e
Conclusion: Need care about the choice of p and q!
118. LOW EXPONENT ATTACK
• Theorem
– p,q – RSA primes, q < p < 2q
– 1 ≤ d, e < ø(n)
– de = 1 (mod ø(n))
– If d < (1/3) n^(1/4), then d can be calculated quickly
• Consequences
– cannot optimize decryption via small exponents
– how to choose good d’s?
119. SHORT PLAINTEXT ATTACK
• Scenario
– DES – symmetric cipher, used in the past
– Two banks exchange DES keys over RSA
– DES key m: 56 bits (m < 2^56 < 10^17)
– RSA encryption
• c = m^e (mod n)
• m small, but c will have many digits
• Defense:
– do not use short messages!
– pad with random bits
– Optimal Asymmetric Encryption Padding
120. SHORT PLAINTEXT ATTACK
• c = m^e (mod n), m < 2^56 < 10^17
• Eve prepares two lists:
– c · x^(-e) (mod n), 1 ≤ x ≤ 10^9
– y^e (mod n), 1 ≤ y ≤ 10^9
• if there is a match on the lists then
– c = (xy)^e (mod n)
– thus: m = xy (mod n)
• if m is a product of two numbers < 10^9 then this attack will succeed
121. OPTIMAL ASYMMETRIC ENCRYPTION PADDING
• n – k bits
• k0, k1 – two numbers s.t. k0 + k1 < k
• Message can have k - k0 - k1 bits
• r – random string of k0 bits
• G: {0,1}^k0 → {0,1}^(k-k0)
• H: {0,1}^(k-k0) → {0,1}^k0
• The method
x1 = (m || 0^k1) XOR G(r)
x2 = r XOR H(x1)
The message is x1 || x2
Bob decrypts and gets
m || 0^k1 = x1 XOR G(H(x1) XOR x2)
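The OAEP construction above with concrete parameters; this is an added example, not code from the slides, and it assumes k = 256, k0 = k1 = 64 bits and builds G and H from SHA-256 in counter mode (the slide only gives their domains and ranges).

```python
"""OAEP as on slide 121, with concrete parameters.

Added example, not code from the slides: k = 256, k0 = k1 = 64 bits are a
constructed choice, and G and H are built from SHA-256 in counter mode, an
assumption of this example (the slide only states their domains and ranges).
"""
import hashlib
import os

K, K0, K1 = 256, 64, 64              # message carries k - k0 - k1 = 128 bits

def _expand(tag: bytes, seed: bytes, nbits: int) -> bytes:
    """Hash-based mask generator shared by G and H (constructed here)."""
    out, counter = b"", 0
    while len(out) * 8 < nbits:
        out += hashlib.sha256(tag + seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[: nbits // 8]

def G(r: bytes) -> bytes:
    """G: {0,1}^k0 -> {0,1}^(k-k0)"""
    return _expand(b"G", r, K - K0)

def H(x1: bytes) -> bytes:
    """H: {0,1}^(k-k0) -> {0,1}^k0"""
    return _expand(b"H", x1, K0)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def oaep_encode(m: bytes, r: bytes) -> bytes:
    """x1 = (m || 0^k1) XOR G(r); x2 = r XOR H(x1); the RSA input is x1 || x2."""
    if len(m) * 8 != K - K0 - K1 or len(r) * 8 != K0:
        raise ValueError("m must be k-k0-k1 bits and r must be k0 bits")
    x1 = xor(m + bytes(K1 // 8), G(r))
    x2 = xor(r, H(x1))
    return x1 + x2

def oaep_encode_random(m: bytes) -> bytes:
    """Fresh random r each time, so the same short message never pads the same way."""
    return oaep_encode(m, os.urandom(K0 // 8))

def oaep_decode(padded: bytes) -> bytes:
    """Bob's side: r = H(x1) XOR x2, then m || 0^k1 = x1 XOR G(r). The k1 zero
    bits act as an integrity check; a modified block fails it with
    overwhelming probability."""
    if len(padded) * 8 != K:
        raise ValueError("padded block must be k bits")
    split = (K - K0) // 8
    x1, x2 = padded[:split], padded[split:]
    mz = xor(x1, G(xor(x2, H(x1))))
    m, zeros = mz[: (K - K0 - K1) // 8], mz[(K - K0 - K1) // 8:]
    if zeros != bytes(K1 // 8):
        raise ValueError("OAEP check failed: trailing zeros missing")
    return m
```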
122. TIMING ATTACK
• Within RSA computation we do perform exponentiation
– quick exponentiation procedure
– multiplications occur for each bit of the exponent that is 1
– these multiplications take “random” amounts of time (variation)
• Very hard in practice!
– Initiated a big discussion
123. EXPONENTIATION ALGORITHM
• Goal: y^d (mod n)
– d = b1 b2 ... bw (in binary, left-to-right)
• Algorithm
1. k = 1, s1 = 1
2. if bk = 1 then rk = sk · y (mod n) else rk = sk
3. s(k+1) = rk^2 (mod n)
4. if k = w, stop; else set k to k+1, goto 2
5. output rw
124. FACTORING AND PRIMALITY TESTING
• Factoring
– Input: n ∈ N
– Output: nontrivial factor of n
• Primality testing
– Input: n ∈ N
– Output:
• the number is composite
• the number is probably prime
• Is there a difference?
– Yes! – primality testing much easier!
– You do not need to factor the number to see it is composite
125. MILLER-RABIN TEST
• Generalization of the Fermat’s test
• Principle
– if p is a prime then x^2 = 1 (mod p) has only two solutions: x = 1 and x = -1
• Why does the principle hold?
• Gist of the MR test
– find a number b such that b^2 = 1 (mod p)
– If b ∉ {-1, 1} then composite
126. MILLER-RABIN TEST
MR( int n ):
let n-1 = 2^k m (m odd)
a random in {2, 3, ..., n-2}
b0 = a^m (mod n)
if b0 = 1 or b0 = -1 (mod n) then declare prime
for j = 1 to k-1 do
  bj = b(j-1)^2 (mod n)
  if bj = 1 (mod n) then declare composite
  if bj = -1 (mod n) then declare prime
declare composite
• What are we doing?
– b0 = a^m (mod n)
– b1 = a^(2m) (mod n)
– b2 = a^(4m) (mod n)
– ...
– bj = a^(2^j m) (mod n)
– ...
– b(k-1) = a^((n-1)/2) (mod n)
128. MILLER-RABIN TEST: EXAMPLES
• n = 401
n - 1 = 400 = 2^4 * 25
k = 4, m = 25
a = 3
b0 = 3^25 = 268 (mod 401)
b1 = 3^(25*2) = 45 (mod 401)
b2 = 3^(25*2^2) = 20 (mod 401)
b3 = 3^(25*2^3) = 400 (mod 401) = -1 (mod 401)
• n = 401
n - 1 = 400 = 2^4 * 25
k = 4, m = 25
a = 2
b0 = 2^25 = 356 (mod 401)
b1 = 2^(25*2) = 20 (mod 401)
b2 = 2^(25*2^2) = 400 (mod 401)
Evidence of primality!
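The RSA setup and example of slides 110 to 113, the exponentiation routine of slide 123 and the Miller-Rabin test of slides 126 to 128, run on the slides' own numbers; this is an added example, not code from the slides, and its Miller-Rabin also accepts b0 = -1 directly, which the pseudocode on slide 126 omits.

```python
"""RSA key setup and use (slides 110-113), the left-to-right exponentiation
of slide 123 and the Miller-Rabin test of slide 126, on the slides' numbers.

Added example, not code from the slides. d is found with the extended
Euclidean algorithm; the Miller-Rabin routine also accepts b0 = -1 at once,
a check slide 126's pseudocode leaves out.
"""
import random

def egcd(a: int, b: int):
    """Return (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y

def mod_inverse(e: int, phi: int) -> int:
    """d with e*d = 1 mod phi; fails unless gcd(e, phi) = 1 as slide 110 requires."""
    g, x, _ = egcd(e, phi)
    if g != 1:
        raise ValueError("e must be coprime to ø(N)")
    return x % phi

def rsa_keypair(p: int, q: int, e: int):
    """N = p.q, ø(N) = (p-1)(q-1), e.d = 1 mod ø(N); returns (KU, KR)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return {"e": e, "N": n}, {"d": mod_inverse(e, phi), "p": p, "q": q}

def modexp_left_to_right(y: int, d: int, n: int) -> int:
    """Slide 123: scan d's bits MSB first; multiply by y on a 1-bit, then square.
    The multiply only happens for 1-bits, the data dependence slide 122 discusses."""
    s, r = 1, 1
    for bit in bin(d)[2:]:
        r = (s * y) % n if bit == "1" else s
        s = (r * r) % n
    return r

def rsa_encrypt(m: int, pub: dict) -> int:
    if not 0 <= m < pub["N"]:
        raise ValueError("message must be smaller than the modulus (slide 111)")
    return modexp_left_to_right(m, pub["e"], pub["N"])

def rsa_decrypt(c: int, priv: dict) -> int:
    return modexp_left_to_right(c, priv["d"], priv["p"] * priv["q"])

def miller_rabin_sequence(n: int, a: int):
    """Slide 126 with a fixed base a. Returns (verdict, [b0, b1, ...]) so the
    401 examples of slide 128 can be reproduced step by step."""
    k, m = 0, n - 1
    while m % 2 == 0:                 # n - 1 = 2^k m with m odd
        k, m = k + 1, m // 2
    b = pow(a, m, n)
    seq = [b]
    if b in (1, n - 1):
        return "probably prime", seq
    for _ in range(1, k):
        b = (b * b) % n               # b_j = b_{j-1}^2 (mod n)
        seq.append(b)
        if b == 1:                    # b_{j-1} was a nontrivial square root of 1
            return "composite", seq
        if b == n - 1:
            return "probably prime", seq
    return "composite", seq

def is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Repeat with random bases; each round has error probability at most 1/4
    (slide 130), so 20 rounds leave at most 4^-20."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    return all(miller_rabin_sequence(n, random.randrange(2, n - 1))[0] == "probably prime"
               for _ in range(rounds))
```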
129. MILLER-RABIN TEST
• if b0 = 1 (mod n)
– all bi’s (i > 0) will be 1
– can’t find nontrivial roots of 1
• i ∈ {1, ..., k-1}
– if bi = 1 (mod n) then
• b(i-1) is neither 1 nor -1
• b(i-1)^2 = 1 (mod n)
• we found a nontrivial root
– if bi = -1 (mod n) then
• b(i+1) through bk are all 1 (mod n)
• can’t find nontrivial roots of 1
• Why this works?
– n-1 = 2^k m
– b0 = a^m (mod n)
– b1 = a^(2m) (mod n)
– b2 = a^(4m) (mod n)
– ...
– bj = a^(2^j m) (mod n)
– ...
– b(k-1) = a^((n-1)/2) (mod n)
130. MILLER-RABIN TEST: QUALITY
• MR test is probabilistic
• Answer
– composite – the number is certainly composite
– prime – the number is prime with high probability
• Errors
– MR(n) says prime but n is composite
– Pr[error] ≤ ¼
– Repeat the test to downgrade the prob. of error
131. OTHER PRIMALITY TESTS
• Solovay-Strassen Test
– similar in nature to MR
– uses so called Jacobi symbol
– fast in practice
– probabilistic
• Deterministic test
– Agrawal, Kayal, and Saxena 2002
– extremely slow
• Tests that prove primality
– MR tests compositeness!
– fairly slow
– needed in very few cases
132. FACTORING
• Huge amount of work on factoring!
– we look at some simple algorithms
• Some best algorithms
– quadratic sieve: O(e^((1+o(1)) sqrt(ln n ln ln n)))
– elliptic curve: O(e^((1+o(1)) sqrt(ln p ln ln p)))
– number field sieve: O(e^((1.92+o(1)) (ln n)^(1/3) (ln ln n)^(2/3)))
• Assumption
– Factor an odd integer
– produce one factor
– how to get all of them?
133. FACTORING
• Factoring
– Input: n ∈ N
– Output: nontrivial factor of n
• There are about n / ln n primes ≤ n
• Trivial methods
– divide by all numbers in {2, ..., n-1}
– or by all primes p, p ≤ sqrt(n)
– These are exponential!
134. Key Management
• public-key encryption helps address key distribution problems
• have two aspects of this:
– distribution of public keys
– use of public-key encryption to distribute secret keys
135. Distribution of Public Keys
• can be considered as using one of:
– Public announcement
– Publicly available directory
– Public-key authority
– Public-key certificates
136. Public Announcement
• users distribute public keys to recipients or broadcast to community at large
– eg. append PGP keys to email messages or post to news groups or email list
• major weakness is forgery
– anyone can create a key claiming to be someone else and broadcast it
– until forgery is discovered can masquerade as claimed user
137. Publicly Available Directory
• can obtain greater security by registering keys with a public directory
• directory must be trusted with properties:
– contains {name,public-key} entries
– participants register securely with directory
– participants can replace key at any time
– directory is periodically published
– directory can be accessed electronically
• still vulnerable to tampering or forgery
138. Public-Key Authority
• improve security by tightening control over distribution of keys from directory
• has properties of directory
• and requires users to know public key for the directory
• then users interact with directory to obtain any desired public key securely
– does require real-time access to directory when keys are needed
140. Public-Key Certificates
• certificates allow key exchange without real-time access to public-key authority
• a certificate binds identity to public key
– usually with other info such as period of validity, rights of use etc
• with all contents signed by a trusted Public-Key or Certificate Authority (CA)
• can be verified by anyone who knows the public-key authority’s public-key
142. Public-Key Distribution of Secret Keys
• use previous methods to obtain public-key
• can use for secrecy or authentication
• but public-key algorithms are slow
• so usually want to use private-key encryption to protect message contents
• hence need a session key
• have several alternatives for negotiating a suitable session key
143. Simple Secret Key Distribution
• proposed by Merkle in 1979
– A generates a new temporary public key pair
– A sends B the public key and their identity
– B generates a session key K sends it to A encrypted using the supplied public key
– A decrypts the session key and both use
• problem is that an opponent can intercept and impersonate both halves of protocol
145. Diffie-Hellman Key Exchange
• first public-key type scheme proposed
• by Diffie & Hellman in 1976 along with the
exposition of public key concepts
–note: now know that James Ellis (UK CESG)
secretly proposed the concept in 1970
• is a practical method for public exchange
of a secret key
• used in a number of commercial products
146. Diffie-Hellman Key Exchange
• a public-key distribution scheme
– cannot be used to exchange an arbitrary message
– rather it can establish a common key
– known only to the two participants
• value of key depends on the participants (and
their private and public key information)
• based on exponentiation in a finite (Galois) field
(modulo a prime or a polynomial) - easy
• security relies on the difficulty of computing
discrete logarithms (similar to factoring) – hard
147. Diffie-Hellman Setup
• all users agree on global parameters:
–large prime integer or polynomial q
–α a primitive root mod q
• each user (eg. A) generates their key
–chooses a secret key (number): xA < q
–compute their public key: yA = α^xA mod q
• each user makes public that key yA
148. Diffie-Hellman Key Exchange
• shared session key for users A & B is KAB:
KAB = α^(xA·xB) mod q
    = yA^xB mod q (which B can compute)
    = yB^xA mod q (which A can compute)
• KAB is used as session key in private-key
encryption scheme between Alice and Bob
• if Alice and Bob subsequently communicate,
they will have the same key as before, unless
they choose new public-keys
• attacker needs an x, must solve discrete log
149. Diffie-Hellman Example
• users Alice & Bob who wish to swap keys:
• agree on prime q=353 and α=3
• select random secret keys:
– A chooses xA=97, B chooses xB=233
• compute public keys:
– yA = 3^97 mod 353 = 40 (Alice)
– yB = 3^233 mod 353 = 248 (Bob)
• compute shared session key as:
KAB = yB^xA mod 353 = 248^97 mod 353 = 160 (Alice)
KAB = yA^xB mod 353 = 40^233 mod 353 = 160 (Bob)
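The Setup, Key Exchange and Example slides above, carried through in code. This is an added example, not part of the original slides: it uses the slides' parameters (q=353, α=3, xA=97, xB=233) and adds a primitive-root check and a brute-force discrete-log search to show concretely what "attacker needs an x, must solve discrete log" costs when q is this small.

```python
"""Diffie-Hellman over the integers mod a prime, worked with the slide's parameters.

Added example (not part of the original slides). Assumes the textbook values
q = 353, alpha = 3, xA = 97, xB = 233; everything else is ordinary Python.
"""


def is_primitive_root(alpha: int, q: int) -> bool:
    """alpha is a primitive root mod prime q iff alpha^1 .. alpha^(q-1) are all distinct."""
    seen, acc = set(), 1
    for _ in range(q - 1):
        acc = acc * alpha % q
        seen.add(acc)
    return len(seen) == q - 1


def dh_public_key(alpha: int, q: int, x: int) -> int:
    """y = alpha^x mod q (square-and-multiply via the built-in three-argument pow)."""
    return pow(alpha, x, q)


def dh_shared_key(y_other: int, x_own: int, q: int) -> int:
    """K = y_other^x_own mod q, which both sides can compute; equals alpha^(xA*xB) mod q."""
    return pow(y_other, x_own, q)


def dh_exchange(alpha: int, q: int, xA: int, xB: int):
    """Run both sides; return (yA, yB, K as A computes it, K as B computes it)."""
    yA = dh_public_key(alpha, q, xA)
    yB = dh_public_key(alpha, q, xB)
    return yA, yB, dh_shared_key(yB, xA, q), dh_shared_key(yA, xB, q)


def brute_force_dlog(alpha: int, y: int, q: int):
    """Smallest x with alpha^x = y mod q, by exhaustive search: the attacker's task.
    Costs O(q) multiplications: instant for q = 353, infeasible for a 2048-bit q."""
    acc = 1
    for x in range(q - 1):
        if acc == y:
            return x
        acc = acc * alpha % q
    return None


if __name__ == "__main__":
    q, alpha = 353, 3
    print("3 is a primitive root mod 353:", is_primitive_root(alpha, q))
    yA, yB, KA, KB = dh_exchange(alpha, q, 97, 233)
    print(f"yA={yA} yB={yB} K(Alice)={KA} K(Bob)={KB}")      # 40 248 160 160
    print("xA recovered from yA by brute force:", brute_force_dlog(alpha, yA, q))  # 97
```

The brute-force search recovers xA from the public value in 97 steps here, which is why real deployments use primes of 2048 bits or more (or the elliptic-curve groups covered later), and why the exchange must be authenticated: on its own it establishes a key, but says nothing about who holds the other end.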
150. Elliptic Curve Cryptography
• majority of public-key crypto (RSA, D-H) use
either integer or polynomial arithmetic with
very large numbers/polynomials
• imposes a significant load in storing and
processing keys and messages
• an alternative is to use elliptic curves
• offers same security with smaller bit sizes
151. Real Elliptic Curves
• an elliptic curve is defined by an equation in
two variables x & y, with coefficients
• consider a cubic elliptic curve of form
–y^2 = x^3 + ax + b
–where x,y,a,b are all real numbers
–also define zero point O
• have addition operation for elliptic curve
–geometrically, Q+R is the reflection (in the x-axis)
of the third point where the line through Q and R
meets the curve
153. Finite Elliptic Curves
• Elliptic curve cryptography uses curves whose
variables & coefficients are finite
• have two families commonly used:
–prime curves Ep(a,b) defined over Zp
• use integers modulo a prime
• best in software
–binary curves E2^m(a,b) defined over GF(2^m)
• use polynomials with binary coefficients
• best in hardware
154. Elliptic Curve Cryptography
• ECC addition is analog of modulo multiply
• ECC repeated addition is analog of modulo
exponentiation
• need “hard” problem equiv to discrete log
–Q=kP, where Q,P belong to a prime curve
–is “easy” to compute Q given k,P
–but “hard” to find k given Q,P
–known as the elliptic curve logarithm problem
• Certicom example: E23(9,17)
155. ECC Diffie-Hellman
• can do key exchange analogous to D-H
• users select a suitable curve Ep(a,b)
• select base point G=(x1,y1) with large order
n s.t. nG=O
• A & B select private keys nA<n, nB<n
• compute public keys: PA=nA G, PB=nB G
• compute shared key: K=nA PB, K=nB PA
–same since K=nA nB G
156. ECC Encryption/Decryption
• several alternatives, will consider simplest
• must first encode any message M as a point on
the elliptic curve Pm
• select suitable curve & point G as in D-H
• each user chooses private key nA<n
• and computes public key PA=nA G
• to encrypt Pm : Cm = {kG, Pm + k PB}, k random
• decrypt Cm compute:
Pm + k PB – nB(kG) = Pm + k(nB G) – nB(kG) = Pm
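One block serving the Finite Elliptic Curves, Elliptic Curve Cryptography, ECC Diffie-Hellman and ECC Encryption/Decryption slides above. This is an added example, not code from the original slides: it implements chord-and-tangent addition and double-and-add on a prime curve Ep(a,b), the brute-force search for k in Q=kP, ECDH, and the {kG, Pm+k PB} encryption with its decryption. The curve E23(9,17) is the Certicom example the slides cite; the base point P=(16,5), the target Q=(4,5) and the small private keys and message point used below are choices made here for illustration.

```python
"""Arithmetic on a prime elliptic curve E_p(a,b): y^2 = x^3 + ax + b (mod p),
with ECDH and the EC ElGamal-style encryption from the slides.

Added example (not from the original slides). E23(9,17) is the Certicom curve
the slides cite; P = (16, 5), Q = (4, 5), nA = 3, nB = 7, k = 5 and the
message point Pm = (7, 3) are choices made here.
"""

from typing import Optional, Tuple

Point = Optional[Tuple[int, int]]   # None stands for the zero point O


class PrimeCurve:
    def __init__(self, p: int, a: int, b: int):
        if (4 * a ** 3 + 27 * b ** 2) % p == 0:
            raise ValueError("singular curve: 4a^3 + 27b^2 = 0 mod p")
        self.p, self.a, self.b = p, a, b

    def contains(self, P: Point) -> bool:
        if P is None:
            return True
        x, y = P
        return (y * y - (x ** 3 + self.a * x + self.b)) % self.p == 0

    def neg(self, P: Point) -> Point:
        """-(x, y) = (x, -y): the reflection in the x-axis."""
        return None if P is None else (P[0], (-P[1]) % self.p)

    def add(self, P: Point, Q: Point) -> Point:
        """Chord-and-tangent addition: the analogue of modular multiplication."""
        if P is None:
            return Q
        if Q is None:
            return P
        p = self.p
        (x1, y1), (x2, y2) = P, Q
        if x1 == x2 and (y1 + y2) % p == 0:
            return None                      # P + (-P) = O; also doubling a point with y = 0
        if P == Q:                           # tangent slope
            lam = (3 * x1 * x1 + self.a) * pow(2 * y1, -1, p) % p
        else:                                # chord slope
            lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
        x3 = (lam * lam - x1 - x2) % p
        y3 = (lam * (x1 - x3) - y1) % p
        return (x3, y3)

    def mul(self, k: int, P: Point) -> Point:
        """kP by double-and-add: the analogue of modular exponentiation."""
        R, addend = None, P
        while k > 0:
            if k & 1:
                R = self.add(R, addend)
            addend = self.add(addend, addend)
            k >>= 1
        return R

    def brute_force_log(self, P: Point, Q: Point, limit: int) -> Optional[int]:
        """Smallest k with kP = Q, stepping through P, 2P, 3P, ... (the EC logarithm problem).
        Linear in the group order: fine on E23, infeasible on a 256-bit curve."""
        R = P
        for k in range(1, limit + 1):
            if R == Q:
                return k
            R = self.add(R, P)
        return None


def ecdh(curve: PrimeCurve, G: Point, nA: int, nB: int):
    """Return (PA, PB, K as A computes it, K as B computes it); both K equal nA*nB*G."""
    PA, PB = curve.mul(nA, G), curve.mul(nB, G)
    return PA, PB, curve.mul(nA, PB), curve.mul(nB, PA)


def ec_encrypt(curve: PrimeCurve, G: Point, PB: Point, Pm: Point, k: int):
    """Cm = {kG, Pm + k PB} for a message already encoded as the curve point Pm."""
    return curve.mul(k, G), curve.add(Pm, curve.mul(k, PB))


def ec_decrypt(curve: PrimeCurve, nB: int, Cm) -> Point:
    """Pm = (Pm + k PB) - nB(kG), because k PB = k nB G."""
    C1, C2 = Cm
    return curve.add(C2, curve.neg(curve.mul(nB, C1)))


if __name__ == "__main__":
    E = PrimeCurve(23, 9, 17)
    P, Q = (16, 5), (4, 5)
    print("Q = kP with k =", E.brute_force_log(P, Q, 100))        # 9
    PA, PB, KA, KB = ecdh(E, P, 3, 7)
    print("ECDH public keys", PA, PB, "shared keys agree:", KA == KB)
    Cm = ec_encrypt(E, P, PB, Pm=(7, 3), k=5)
    print("ciphertext", Cm, "decrypts to", ec_decrypt(E, 7, Cm))  # (7, 3)
```

The zero point O is represented as None so that the group law handles P + (-P) and kG wrapping to O without special cases in the callers. Only the group operations are shown here; production code also needs a secure random k per message, constant-time scalar multiplication, and a proper message-to-point encoding, none of which the slides cover.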
157. ECC Security
• relies on elliptic curve logarithm problem
• fastest method is “Pollard rho method”
• compared to factoring, can use much
smaller key sizes than with RSA etc
• for equivalent key lengths computations
are roughly equivalent
• hence for similar security ECC offers
significant computational advantages