cs6701 cryptography and network security
TRANSCRIPT
![Page 1: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/1.jpg)
CS6701 CRYPTOGRAPHY AND NETWORK SECURITY
UNIT – II
Dr.A.Kathirvel, Professor, Dept of CSE M.N.M Jain Engineering College, Chennai
![Page 2: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/2.jpg)
UNIT - II
BLOCK CIPHERS PUBLIC KEY CRYPTOGRAPHY
• Data Encryption Standard-Block cipher principles-block cipher modes of operation-Advanced Encryption Standard (AES)-Triple DES-Blowfish-RC5 algorithm. Public key cryptography: Principles of public key cryptosystems-The RSA algorithm-Key management – Diffie Hellman Key exchange-Elliptic curve arithmetic-Elliptic curve cryptography.
2
![Page 3: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/3.jpg)
DATA ENCRYPTION
• Encryption Definition:
–The action of disguising information so that it can be recovered easily by the persons who have the key, but is highly resistant to recovery by persons who do not have the key.
3
![Page 4: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/4.jpg)
DATA ENCRYPTION
• A message is cleartext (plaintext) is encrypted (disguised) through the use of an encryption key to create a Ciphertext.
4
![Page 5: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/5.jpg)
DATA ENCRYPTION
• The encryption key may be changed from time to time to make an intruder’s task more difficult.
• Restoration of a ciphertext to cleartext is achieved by the action of decryption using a decryption key.
• In symmetric (Single key) - The encryption and decryption keys are the same.
• In asymmetric (two keys) - The encryption and decryption keys are different.
5
![Page 6: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/6.jpg)
DATA ENCRYPTION
• Encryption Methods - Encryption is accomplished by scrambling the bits, characters, words, or phrases in the original message. Scrambling involves two activities:
• Transposition - In which the order of the bits patterns, characters, words or phrases is rearranged.
• Substitution - In which new bit patterns, characters, words, or phrases are substituted for the originals without changing their order.
6
![Page 7: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/7.jpg)
DATA ENCRYPTION
• Data Encryption Standard (DES):
– Most widely used algorithm
– Pioneered by IBM
– It is symmetric cryptosystem
– Developed to protect sensitive, unclassified, US government, Computer data.
– Used to provide authentication of electronic funds transfer messages.
7
![Page 8: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/8.jpg)
DATA ENCRYPTION
• DES Algorithm
• The algorithm accepts plaintext, P, and performs an initial permutation, IP, on P producing P0, The block is then broken into left and right halves, the Left (L0) being the first 32 bits of P0 and the right (R0) being the last 32 bits of P0.
• With L0 and R0, 16 rounds are performed until L16 and R16 are generated.
• The inverse permutation, IP-1, is applied to L16R16 to produce ciphertext C.
8
![Page 9: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/9.jpg)
DATA ENCRYPTION
• Public Key Cryptosystem
– It is an asymmetric cryptosystem.
– First announced in 1976.
– Offer a radically different approach to encryption.
– The idea depends on the use of a pair of keys that differ in a complementary way.
– Several algorithms are proposed
– RSA algorithm is considered to be highly secure.
• Public key encryption can achieved
– Privacy
– Authentication
9
![Page 10: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/10.jpg)
DIFFERENTIAL CRYPTANALYSIS
• one of the most significant recent (public) advances in cryptanalysis
• known in 70's with DES design
• Murphy, Biham & Shamir published 1990
• powerful method to analyse block ciphers
• used to analyse most current block ciphers with varying degrees of success
• DES reasonably resistant to it
10
![Page 11: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/11.jpg)
DIFFERENTIAL CRYPTANALYSIS
• a statistical attack against Feistel ciphers
• uses cipher structure not previously used
• design of S-P networks has output of function f influenced by both input & key
• hence cannot trace values back through cipher without knowing values of the key
• Differential Cryptanalysis compares two related pairs of encryptions
11
![Page 12: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/12.jpg)
DIFFERENTIAL CRYPTANALYSIS COMPARES PAIRS OF ENCRYPTIONS
• Differential cryptanalysis is complex
• with a known difference in the input
• searching for a known difference in output
12
![Page 13: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/13.jpg)
DIFFERENTIAL CRYPTANALYSIS
• have some input difference giving some output difference with probability p
• if find instances of some higher probability input / output difference pairs occurring
• can infer subkey that was used in round
• then must iterate process over many rounds
13
![Page 14: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/14.jpg)
DIFFERENTIAL CRYPTANALYSIS • perform attack by repeatedly encrypting plaintext
pairs with known input XOR until obtain desired output XOR
• when found
– if intermediate rounds match required XOR have a right pair
– if not then have a wrong pair
• can then deduce keys values for the rounds
– right pairs suggest same key bits
– wrong pairs give random values
• larger numbers of rounds makes it more difficult
• Attack on full DES requires an effort on the order of 247, requiring 247 chosen plaintexts to be encrypted 14
![Page 15: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/15.jpg)
LINEAR CRYPTANALYSIS
• another recent development
• also a statistical method
• based on finding linear approximations to model the transformation of DES
• can attack DES with 247 known plaintexts, still in practise infeasible
15
![Page 16: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/16.jpg)
• have considered:
–terminology
–classical cipher techniques
–substitution ciphers
•cryptanalysis using letter frequencies
–transposition ciphers
DATA ENCRYPTION STANDARD
16
![Page 17: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/17.jpg)
MODERN BLOCK CIPHERS
• will now look at modern block ciphers
• one of the most widely used types of cryptography algorithms
• provide strong secrecy and/or authentication services
• in particular will introduce DES (Data Encryption Standard)
17
![Page 18: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/18.jpg)
BLOCK VS STREAM CIPHERS
• block ciphers process messages into blocks, each of which is then en/decrypted
• like a substitution on very big characters
– 64-bits or more
• stream ciphers process messages a bit or byte at a time when en/decrypting
• many current ciphers are block ciphers
• hence are focus of course
18
![Page 19: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/19.jpg)
BLOCK CIPHER PRINCIPLES
• block ciphers look like an extremely large substitution
• would need table of 264 entries for a 64-bit block
• arbitrary reversible substitution cipher for a large block size is not practical
– 64-bit general substitution block cipher, key size 264!
• most symmetric block ciphers are based on a Feistel Cipher Structure
• needed since must be able to decrypt ciphertext to recover messages efficiently
19
![Page 20: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/20.jpg)
C. SHANNON AND SUBSTITUTION-PERMUTATION CIPHERS
• in 1949 Shannon introduced idea of substitution-permutation (S-P) networks
– modern substitution-transposition product cipher
• these form the basis of modern block ciphers
• S-P networks are based on the two primitive cryptographic operations we have seen before:
– substitution (S-box)
– permutation (P-box) (transposition)
• provide confusion and diffusion of message
20
![Page 21: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/21.jpg)
DIFFUSION AND CONFUSION • Introduced by Claude Shannon to thwart cryptanalysis based on
statistical analysis
– Assume the attacker has some knowledge of the statistical characteristics of the plaintext
• cipher needs to completely obscure statistical properties of original message
• a one-time pad does this
• more practically Shannon suggested combining elements to obtain:
• diffusion – dissipates statistical structure of plaintext over bulk of ciphertext
• confusion – makes relationship between ciphertext and key as complex as possible
21
![Page 22: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/22.jpg)
FEISTEL CIPHER STRUCTURE • Horst Feistel devised the feistel cipher
– implements Shannon’s substitution-permutation network concept
• partitions input block into two halves
– process through multiple rounds which
– perform a substitution on left data half
– based on round function of right half & subkey
– then have permutation swapping halves
22
![Page 23: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/23.jpg)
FEISTEL CIPHER
• n sequential rounds
• A substitution on the left half Li
–1. Apply a round function F to the right half Ri and
–2. Take XOR of the output of (1) and Li
• The round function is parameterized by the subkey Ki
–Ki are derived from the overall key K
23
![Page 24: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/24.jpg)
FEISTEL CIPHER DESIGN PRINCIPLES
• block size - increasing size improves security, but slows cipher
• key size - increasing size improves security, makes exhaustive key searching harder, but may slow cipher
• number of rounds - increasing number improves security, but slows cipher
• subkey generation - greater complexity can make analysis harder, but slows cipher
• round function - greater complexity can make analysis harder, but slows cipher
• fast software en/decryption & ease of analysis - are more recent concerns for practical use and testing
24
![Page 25: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/25.jpg)
FEISTEL CIPHER DECRYPTION
25
![Page 26: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/26.jpg)
DATA ENCRYPTION STANDARD (DES)
• most widely used block cipher in world
• adopted in 1977 by NBS (now NIST) - as FIPS PUB 46
• encrypts 64-bit data using 56-bit key
• has widespread use
• IBM developed Lucifer cipher - by team lead by Feistel
– used 64-bit data blocks with 128-bit key
• then redeveloped as a commercial cipher with input from NSA and others
• in 1973 NBS issued request for proposals for a national cipher standard
• IBM submitted their revised Lucifer which was eventually accepted as the DES
26
![Page 27: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/27.jpg)
DES DESIGN CONTROVERSY
• although DES standard is public
• was considerable controversy over design -in choice of 56-bit key (vs Lucifer 128-bit)
•subsequent events and public analysis show in fact design was appropriate •DES has become widely used, especially in financial applications 27
![Page 28: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/28.jpg)
INITIAL PERMUTATION IP
• first step of the data computation
• IP reorders the input data bits
• quite regular in structure
• example: IP(675a6967 5e5a6b5a) =
(ffb2194d 004df6fb)
28
![Page 29: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/29.jpg)
DES ROUND STRUCTURE
• uses two 32-bit L & R halves
• as for any Feistel cipher can describe as:
Li = Ri–1
Ri = Li–1 xor F(Ri–1, Ki)
• takes 32-bit R half and 48-bit subkey and:
– expands R to 48-bits using Expansion Permutation E (Table 3.2 c.)
– adds to subkey
– passes through 8 S-boxes to get 32-bit result
– finally permutes this using 32-bit Permutation Function P (Table 3.2 d)
29
![Page 30: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/30.jpg)
THE ROUND FUNCTION F(R,K)
30
![Page 31: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/31.jpg)
SUBSTITUTION BOXES S
• 8 S-boxes (Table 3.3 )
• Each S-Box mapps 6 to 4 bits
– outer bits 1 & 6 (row bits) select the row
– inner bits 2-5 (col bits) select the column
– For example, in S1, for input 011001,
• the row is 01 (row 1)
• the column is 1100 (column 12).
• The value in row 1, column 12 is 9
• The output is 1001.
• result is 8 X 4 bits, or 32 bits
31
![Page 32: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/32.jpg)
DES Key Schedule
• forms subkeys used in each round
• 1. initial permutation of the key PC1 (Table 3.4b)
• 2. divide the 56-bits in two 28-bit halves
• 3. at each round
– 3.1. Left shift each half (28bits) separately either 1 or 2 places based on the left shift schedule (Table 3.4d)
• Shifted values will be input for next round
– 3.2. Combine two halfs to 56 bits, permuting them by PC2 (Table 3.4c) for use in function f
• PC2 takes 56-bit input, outputs 48 bits
32
![Page 33: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/33.jpg)
DES DECRYPTION
• decrypt must unwind steps of data computation
• with Feistel design, do encryption steps again
• using subkeys in reverse order (SK16 … SK1)
• note that IP undoes final FP step of encryption
• 1st round with SK16 undoes 16th encrypt round
• ….
• 16th round with SK1 undoes 1st encrypt round
• then final FP undoes initial encryption IP
• thus recovering original data value
33
![Page 34: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/34.jpg)
DES Decryption (Reverse encryption)
34
![Page 35: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/35.jpg)
AVALANCHE EFFECT
• key desirable property of encryption alg
• DES exhibits strong avalanche
• where a change of one input or key bit results in changing approx half output bits
35
![Page 36: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/36.jpg)
STRENGTH OF DES – KEY SIZE
• 56-bit keys have 256 = 7.2 x 1016 values
• brute force search looks hard
• recent advances have shown is possible
– in 1997 on Internet in a few months
– in 1998 on dedicated hardware (EFF) in a few days
– in 1999 above combined in 22hrs!
• still must be able to recognize plaintext
• now considering alternatives to DES
36
![Page 37: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/37.jpg)
STRENGTH OF DES – TIMING ATTACKS
• attacks actual implementation of cipher
• use knowledge of consequences of implementation to derive knowledge of some/all subkey bits
• specifically use fact that calculations can take varying times depending on the value of the inputs to it
37
![Page 38: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/38.jpg)
STRENGTH OF DES – ANALYTIC ATTACKS
• now have several analytic attacks on DES
• these utilise some deep structure of the cipher – by gathering information about encryptions
– can eventually recover some/all of the sub-key bits
– if necessary then exhaustively search for the rest
• generally these are statistical attacks
• include – differential cryptanalysis
– linear cryptanalysis
– related key attacks
38
![Page 39: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/39.jpg)
MODES OF OPERATION
• block ciphers encrypt fixed size blocks
• eg. DES encrypts 64-bit blocks, with 56-bit key
• need way to use in practise, given usually have arbitrary amount of information to encrypt
• four were defined for DES in ANSI standard ANSI X3.106-1983 Modes of Use
• subsequently now have 5 for DES and AES
• have block and stream modes
39
![Page 40: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/40.jpg)
ELECTRONIC CODEBOOK BOOK (ECB)
• message is broken into independent blocks which are encrypted
• each block is a value which is substituted, like a codebook, hence name
• each block is encoded independently of the other blocks
Ci = DESK1 (Pi)
• uses: secure transmission of single values
40
![Page 41: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/41.jpg)
ELECTRONIC CODEBOOK BOOK (ECB)
41
![Page 42: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/42.jpg)
ADVANTAGES AND LIMITATIONS OF ECB
• repetitions in message may show in ciphertext
– if aligned with message block
–particularly with data such graphics
–or with messages that change very little, which become a code-book analysis problem
• weakness due to encrypted message blocks being independent
• main use is sending a few blocks of data
42
![Page 43: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/43.jpg)
CIPHER BLOCK CHAINING (CBC)
• message is broken into blocks
• but these are linked together in the encryption operation
• each previous cipher blocks is chained with current plaintext block, hence name
• use Initial Vector (IV) to start process Ci = DESK1(Pi XOR Ci-1)
C-1 = IV
• uses: bulk data encryption, authentication
43
![Page 44: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/44.jpg)
CIPHER BLOCK CHAINING (CBC)
44
![Page 45: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/45.jpg)
ADVANTAGES AND LIMITATIONS OF CBC
• each ciphertext block depends on all message blocks
• thus a change in the message affects all ciphertext blocks after the change as well as the original block
• need Initial Value (IV) known to sender & receiver
– however if IV is sent in the clear, an attacker can change bits of the first block, and change IV to compensate
– hence either IV must be a fixed value (as in EFTPOS) or it must be sent encrypted in ECB mode before rest of message
• at end of message, handle possible last short block
– by padding either with known non-data value (eg nulls)
– or pad last block with count of pad size
• eg. [ b1 b2 b3 0 0 0 0 5] <- 3 data bytes, then 5 bytes pad+count
45
![Page 46: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/46.jpg)
CIPHER FEEDBACK (CFB)
• message is treated as a stream of bits
• added to the output of the block cipher
• result is feed back for next stage (hence name)
• standard allows any number of bit (1,8 or 64 or whatever) to be feed back – denoted CFB-1, CFB-8, CFB-64 etc
• is most efficient to use all 64 bits (CFB-64) Ci = Pi XOR DESK1(Ci-1)
C-1 = IV
• uses: stream data encryption, authentication
46
![Page 47: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/47.jpg)
CIPHER FEEDBACK (CFB)
47
![Page 48: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/48.jpg)
Advantages and Limitations of CFB
• appropriate when data arrives in bits/bytes
• most common stream mode
• limitation is need to stall while do block encryption after every n-bits
• note that the block cipher is used in encryption mode at both ends
• errors propagate for several blocks after the error
48
![Page 49: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/49.jpg)
OUTPUT FEEDBACK (OFB) • message is treated as a stream of bits
• output of cipher is added to message
• output is then feed back (hence name)
• feedback is independent of message
• can be computed in advance
Ci = Pi XOR Oi
Oi = DESK1(Oi-1)
O-1 = IV
• uses: stream encryption over noisy channels
• Note: the OFB mode description presented in Fig 3.14 on page 96 of Stallings’ text is incorrect. Refer to the NIST Spl Pubs 800-38A - Fig 4/page 14 49
![Page 50: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/50.jpg)
ADVANTAGES AND LIMITATIONS OF OFB
• used when error feedback a problem or where need to encryptions before message is available
• superficially similar to CFB
• but feedback is from the output of cipher and is independent of message
• a variation of a Vernam cipher
– hence must never reuse the same sequence (key+IV)
• sender and receiver must remain in sync, and some recovery method is needed to ensure this occurs
• originally specified with m-bit feedback in the standards
• subsequent research has shown that only OFB-64 should ever be used
50
![Page 51: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/51.jpg)
COUNTER (CTR)
• a “new” mode, though proposed early on
• similar to OFB but encrypts counter value rather than any feedback value
• must have a different key & counter value for every plaintext block (never reused)
Ci = Pi XOR Oi
Oi = DESK1(i)
• uses: high-speed network encryptions
51
![Page 52: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/52.jpg)
Counter (CTR)
52
![Page 53: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/53.jpg)
ADVANTAGES AND LIMITATIONS OF CTR
• efficiency
–can do parallel encryptions
– in advance of need
–good for bursty high speed links
• random access to encrypted data blocks
• provable security (good as other modes)
• but must ensure never reuse key/counter values, otherwise could break (cf OFB)
53
![Page 54: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/54.jpg)
ADVANCED ENCRYPTION STANDARD
• Replacement for DES was needed
– Theoretical attacks that can break it
– Demonstrated exhaustive key search attacks
• Can use Triple DES – but slow, small block size
• NIST issued a call for a new AES in 1997
• 15 candidates accepted in Jun 1998
• 5 candidates were short-listed in Aug 1999
• Rijndael was selected as the AES in Oct 2000
• Published as FIPS PUB 197 standard in Dec 2001
54
![Page 55: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/55.jpg)
AES REQUIREMENTS
• Symmetric block cipher
• 128-bit data, 128/192/256-bit keys
• Stronger & faster than triple DES
• Active life of 20-30 years (+ archival use)
• Provide full specification & design details
• Both C & Java implementations
• NIST have released all submissions & unclassified analyses
55
![Page 56: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/56.jpg)
AES EVALUATION CRITERIA
• Initial criteria:
– Security – effort for practical cryptanalysis
– Cost – in terms of computational efficiency (speed, memory)
– Algorithm & implementation characteristics
• flexibility, algorithm simplicity
• Final criteria
– General security
– Ease of software & hardware implementation
– Restricted-space environments
– Attacks on implementations
• timing attack, power analysis
– Flexibility (in en/decrypt, keying, other factors)
56
![Page 57: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/57.jpg)
AES SHORT-LIST
• After testing and evaluation, short-list in Aug 1999:
– MARS (IBM) - complex, fast, high security margin
– RC6 (USA) - very simple, very fast, low security margin
– Rijndael (Belgium) - clean, fast, good security margin
– Serpent (Euro) - clean, slow, very high security margin
– Twofish (USA) - complex, very fast, high security margin
• Then subject to further analysis & comment
• Saw contrast between algorithms with
– Few complex rounds vs. many simple rounds
– Refined existing ciphers vs. new proposals
57
![Page 58: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/58.jpg)
THE AES CIPHER - RIJNDAEL • Designed by Rijmen-Daemen in Belgium
• Block length: 128 bits
• Key length: 128/192/256 bits
• Number of Rounds: 10/12/14 rounds
• An iterated cipher (rather than Feistel cipher)
– Processes data as block of 4 columns of 4 bytes
– Operates on entire data block in every round
• Designed to be:
– Resistance against all known attacks
– Speed and code compactness on a wide range of platforms
– Design simplicity
58
![Page 59: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/59.jpg)
OVERALL AES STRUCTURE
• Data block of 4 columns of 4 bytes is “state”
• Key is expanded to array of words
• Has 9/11/13 rounds in which state undergoes:
– Substitute bytes (1 S-box used on every byte)
– Shift rows (permute bytes between columns)
– Mix columns (substitute using matrix multiplication of columns)
– Add round key (XOR state with key material)
– View as alternating XOR key & scramble data bytes
• Initial XOR key material & incomplete last round
• With fast XOR & table lookup implementation 59
![Page 60: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/60.jpg)
AES Encryption & Decryption
60
![Page 61: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/61.jpg)
AES DATA STRUCTURES
Plaintext
Ciphertext
61
![Page 62: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/62.jpg)
AES ENCRYPTION ROUND
62
![Page 63: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/63.jpg)
SUBSTITUTE BYTES (SUBBYTES)
• Simple substitution on each byte of state independently
• Use an S-box of 16x16 bytes containing a permutation of all 256 8-bit values
• Each byte of state is replaced by a new byte indexed by row (left 4-bits) & column (right 4-bits)
– eg. byte {95} is replaced by {2A} in row 9 column 5
• S-box constructed using defined transformation of values in GF(28)
• Designed to be resistant to all known attacks
63
![Page 64: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/64.jpg)
SUBSTITUTE BYTES
64
![Page 65: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/65.jpg)
SUBSTITUTE BYTES • GF(28) = 2[x] / (x8+x4+x3+x+1)
SubBytes(a7a6a5a4a3a2a1a0)
1. z ← BinaryToField(a7a6a5a4a3a2a1a0)
2. if z ≠ 0
3. then z ← FieldInv(z)
4. (a7a6a5a4a3a2a1a0) ← FieldToBinary(z)
5. (c7c6c5c4c3c2c1c0) ← (01100011)
6. for i ← 0 to 7
7. do bi ←
(ai+ai+4+ai+5+ai+6+ai+7+ci) mod 2
8. return (b7b6b5b4b3b2b1b0)
65
![Page 66: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/66.jpg)
SUBSTITUTE BYTES • Example
– Input: a = 0x53 = 01010011 (x6+x4+x3+1)
– Multiplicative inverse a-1 = x7+x6+x3+x (mod x8+x4+x3+x+1)
– (a7a6a5a4a3a2a1a0) = (11001010)
– (c7c6c5c4c3c2c1c0) = (01100011)
– b0 = a0+a4+a5+a6+a7+c0 mod 2 = 0+0+0+1+1+1 mod 2 = 1
– b1 = a1+a5+a6+a7+a8+c1 mod 2 = 1+0+1+1+0+1 mod 2 = 0
– (b7b6b5b4b3b2b1b0) = (11101101) = 0xED
66
![Page 67: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/67.jpg)
INVERSE SUBBYTES InvSubBytes(b7b6b5b4b3b2b1b0)
1. (d7d6d5d4d3d2d1d0) ← (00000101)
2. for i ← 0 to 7 do
3. ai ← (bi+2+bi+5+bi+7+di) mod 2
4. z ←
BinaryToField(a7a6a5a4a3a2a1a0)
5. if z ≠ 0 then
6. z ← FieldInv(z)
7. (a7a6a5a4a3a2a1a0) ←
FieldToBinary(z)
8. return (a7a6a5a4a3a2a1a0)
67
![Page 68: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/68.jpg)
SHIFT ROWS • A circular byte shift in each
– 1st row is unchanged
– 2nd row does 1 byte circular shift to left
– 3rd row does 2 byte circular shift to left
– 4th row does 3 byte circular shift to left
• Decrypt inverts using shifts to right
• Since state is processed by columns, this step permutes bytes between the columns
68
![Page 69: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/69.jpg)
MIX COLUMNS • Each column is processed separately
• Each byte is replaced by a value dependent on all 4 bytes in the column
• Effectively a matrix multiplication in GF(28) using irreducible polynomial m(x) = x8 + x4 + x3 + x + 1
69
![Page 70: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/70.jpg)
GF(28)[x] / (x4+1) • GF(28) = 2[x] / (x8+x4+x3+x+1)
• Let
a(x) = a3x3+a2x2+a1x+a0, ai 2 GF(28)
b(x) = b3x3+b2x2+b1x+b0, bi 2 GF(28)
• Addition
a(x) + b(x) = (a3+b3)x3+(a2+b2)x2+(a1+b1)x+(a0+b0)
• Multiplication
c(x) = a(x) b(x) = c6x6 + c5x5 + c4x4 + c3x3 + c2x2 + c1x1 + c0
c0 = a0b0 c4 = (a3b1 + a2b2 + a1b3)
c1 = (a1b0 + a0b1) c5 = (a3b2 + a2b3)
c2 = (a2b0 + a1b1 + a0b2) c6 = a3b3
c3 = (a3b0 + a2b1 + a1b2 + a0b3)
70
![Page 71: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/71.jpg)
GF(28)[x] / (x4+1) d(x) = c(x) mod (x4+1)
= c6x6 + c5x5 + c4x4 + c3x3 + c2x2 + c1x1 + c0
= c3x3 + (c2+c6)x2 + (c1+c5)x + (c0+c4)
= d3x3 + d2x2 + d1x + d0
d0 = a0b0 + a3b1 + a2b2 + a1b3
d1 = a1b0 + a0b1 + a3b2 + a2b3
d2 = a2b0 + a1b1 + a0b2 + a3b3
d3 = a3b0 + a2b1 + a1b2 + a0b3
d0 a0 a3 a2 a1 b0 d0 02 03 01 01 b0
d1 a1 a0 a3 a2 b1 d1 01 02 03 01 b1
d2 a2 a1 a0 a3 b2 d2 01 01 02 03 b2
d3 a3 a2 a1 a0 b3 d3 03 01 01 02 b3
=
a(x) = {03}x3+{01}x2+{01}x+{02}
=
71
![Page 72: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/72.jpg)
INVERSE MIXCOLUMNS
b0 0E 0B 0D 09 d0
b1 09 0E 0B 0D d1
b2 0D 09 0E 0B d2
b3 0B 0D 09 0E d3
=
a(x) = {03}x3+{01}x2+{01}x+{02}
a(x)-1 mod (x4+1) = {0B}x3+{0D}x2+{09}x+{0E}
72
![Page 73: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/73.jpg)
ADD ROUND KEY
• XOR state with 128-bits of the round key
• Again processed by column (though effectively a series of byte operations)
• Inverse for decryption identical
– Since XOR own inverse, with reversed keys
• Designed to be as simple as possible
– A form of Vernam cipher on expanded key
– Complexity of other stages ensures security
73
![Page 74: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/74.jpg)
AES Key Expansion
• Takes 128-bit (16-byte; 4-word) key and expands into array of 44 32-bit words
• Start by copying key into first 4 words
• Then loop creating words that depend on values in previous & 4 places back
– In 3 of 4 cases just XOR these together
– 1st word in 4 has rotate + S-box + XOR round constant on previous, before XOR 4th back
74
![Page 75: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/75.jpg)
AES Key Expansion KeyExpasion(key)
1. RCon[1] ← 0x01000000
RCon*2+ ← 0x02000000
RCon[3] ← 0x04000000
RCon*4+ ← 0x08000000
RCon*5+ ← 0x10000000
RCon*6+ ← 0x20000000
RCon*7+ ← 0x40000000
RCon*8+ ← 0x80000000
RCon*9+ ← 0x01B00000
RCon*10+ ← 0x36000000
2. for i ← 0 to 3 do
3. w*i+ ← (key*4i+,key*4i+1+,key*4i+2+,key*4i+3+)
4. for i ← 4 to 43 do
5. temp ← w*i-1]
6. if i 0 mod 4 then
7. temp ← SubWord(RotWord(temp))© Rcon[i/4]
8. w*i+ ← w*i-4]© temp 75
![Page 76: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/76.jpg)
AES KEY EXPANSION
• RotWord(B0,B1,B2,B3) = (B1,B2,B3,B0)
• SubWord(B0,B1,B2,B3) = (B0’,B1’,B2’,B3’), where
Bi’ = SubBytes(Bi), i = 0,1,2,3
76
![Page 77: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/77.jpg)
KEY EXPANSION RATIONALE
• Designed to resist known attacks
• Design criteria included
– Knowing part key insufficient to find many more
– Invertible transformation
– Fast on wide range of CPU’s
– Use round constants to break symmetry
– Diffuse key bits into round keys
– Enough non-linearity to hinder analysis
– Simplicity of description
77
![Page 78: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/78.jpg)
AES DECRYPTION • AES decryption is not identical to
encryption since steps done in reverse
• But can define an equivalent inverse cipher with steps as for encryption
– But using inverses of each step
– With a different key schedule
• Works since result is unchanged when
– Swap byte substitution & shift rows
– Swap mix columns & add (tweaked) round key 78
![Page 79: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/79.jpg)
IMPLEMENTATION ASPECTS • Can efficiently implement on 8-bit CPU
– byte substitution works on bytes using a table of 256 entries
– shift rows is simple byte shift
– add round key works on byte XOR’s
– mix columns requires matrix multiply in GF(28) which works on byte values, can be simplified to use table lookups & byte XOR’s
• Can efficiently implement on 32-bit CPU
– redefine steps to use 32-bit words
– can precompute 4 tables of 256-words
– then each column in each round can be computed using 4 table lookups + 4 XORs
– at a cost of 4Kb to store tables
• Designers believe this very efficient implementation was a key factor in its selection as the AES cipher
79
![Page 80: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/80.jpg)
TRIPLE DES
• clearly a replacement for DES was needed
– theoretical attacks that can break it
– demonstrated exhaustive key search attacks
• AES is a new cipher alternative
• prior to this alternative was to use multiple encryption with DES implementations
• Triple-DES is the chosen form
80
![Page 81: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/81.jpg)
WHY TRIPLE-DES?
• why not Double-DES?
– NOT same as some other single-DES use, but have
• meet-in-the-middle attack
– works whenever use a cipher twice
– since X = EK1[P] = DK2[C]
– attack by encrypting P with all keys and store
– then decrypt C with keys and match X value
– can show takes O(256) steps
81
![Page 82: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/82.jpg)
TRIPLE-DES WITH TWO-KEYS
• hence must use 3 encryptions
– would seem to need 3 distinct keys
• but can use 2 keys with E-D-E sequence
– C = EK1[DK2[EK1[P]]]
– nb encrypt & decrypt equivalent in security
– if K1=K2 then can work with single DES
• standardized in ANSI X9.17 & ISO8732
• no current known practical attacks
82
![Page 83: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/83.jpg)
TRIPLE-DES WITH THREE-KEYS
• although are no practical attacks on two-key Triple-DES have some indications
• can use Triple-DES with Three-Keys to avoid even these
– C = EK3[DK2[EK1[P]]]
• has been adopted by some Internet applications, eg PGP, S/MIME
83
![Page 84: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/84.jpg)
Blowfish
• a symmetric block cipher designed by Bruce Schneier in 1993/94
• characteristics
– fast implementation on 32-bit CPUs
– compact in use of memory
– simple structure for analysis/implementation
– variable security by varying key size
• has been implemented in various products
84
![Page 85: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/85.jpg)
Blowfish Key Schedule
•uses a 32 to 448 bit key, 32-bit words stored in K-array Kj ,j from
1 to 14
• used to generate
– 18 32-bit subkeys stored in P array, P1 ….P18
– four 8x32 S-boxes stored in Si,j , each with 256 32-bit entries
• Subkeys and S-Boxes Generation:
1- initialize P-array and then 4 S-boxes in order using the fractional
part of pi P1 ( left most 32-bit), and so on,,, S4,255.
2- XOR P-array with key-Array (32-bit blocks) and reuse as needed:
assume we have up to k10 then P10 XOR K10,, P11 XOR K1 … P18 XOR K8
85
![Page 86: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/86.jpg)
Blowfish: SubKey and S-Boxes -cont.
• 3- Encrypt 64-bit block of zeros, and use the result to update P1 and P2.
• 4- encrypting output form previous step using current P & S and replace P3 and P4. Then encrypting current output and use it to update successive pairs of P.
• 5- After updating all P’s (last :P17 P18), start updating S values
• using the encrypted output from previous step.
• requires 521 encryptions, hence slow in re-keying
• Not suitable for limited-memory applications.
86
![Page 87: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/87.jpg)
Blowfish Encryption
• uses two main operations: addition modulo 232 , and XOR
• data is divided into two 32-bit halves L0 & R0
for i = 1 to 16 do
Ri = Li-1 XOR Pi;
Li = F[Ri] XOR Ri-1;
L17 = R16 XOR P18;
R17 = L16 XOR P17;
• where F[a,b,c,d] = ((S1,a + S2,b) XOR S3,c) + S4,d
87
![Page 88: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/88.jpg)
Blowfish Encryption/Decryption
88
![Page 89: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/89.jpg)
Blowfish S boxes and Function F
89
![Page 90: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/90.jpg)
characteristics
• key dependent S-boxes and subkeys, generated using cipher itself, makes analysis very difficult
• changing both halves in each round increases security
• provided key is large enough, brute-force key search is not practical, especially given the high key schedule cost
90
![Page 91: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/91.jpg)
RC4
• a proprietary cipher owned by RSA DSI
• another Ron Rivest design, simple but effective
• variable key size, byte-oriented stream cipher
• widely used (web SSL/TLS, wireless WEP)
• key forms random permutation of all 8-bit values
• uses that permutation to scramble input info processed a byte at a time
91
![Page 92: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/92.jpg)
RC4 SECURITY
• Claimed secure against known attacks
– Have some analyses, none practical
• Result is very non-linear
• Since RC4 is a stream cipher, must never reuse a key
• Have a concern with WEP, but due to key handling rather than RC4 itself
92
![Page 93: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/93.jpg)
RC5
• can vary key size / data size / variable rounds
• very clean and simple design
• easy implementation on various CPUs
• yet still regarded as secure
93
![Page 94: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/94.jpg)
RC5 Ciphers • RC5 is a family of ciphers RC5-w/r/b
– w = word size in bits (16/32/64). Encrypts 2w data blocks
– r = number of rounds (0..255)
– b = number of bytes in the key (0..255)
• nominal version is RC5-32/12/16
– ie 32-bit words so encrypts 64-bit data blocks
– using 12 rounds
– with 16 bytes (128-bit) secret key
94
![Page 95: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/95.jpg)
RC5 Key Expansion
• RC5 uses t=2r+2 subkey words (w-bits)
• subkeys are stored in array S[i], i=0..t-1
• then the key schedule consists of – initializing S to a fixed pseudorandom value,
based on constants e and phi
– the byte key is copied into a c-words array L
– a mixing operation then combines L and S to form the final S array
95
![Page 96: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/96.jpg)
RC5 Key Expansion
96
![Page 97: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/97.jpg)
RC5 Encryption • Three main operations: + mod 2w, XOR, circular left shift
<<<, and there inverses used.
• split input into two halves A & B (w-bits each) L0 = A + S[0];
R0 = B + S[1];
for i = 1 to r do
Li = ((Li-1 XOR Ri-1) <<< Ri-1) + S[2 x i];
Ri = ((Ri-1 XOR Li) <<< Li) + S[2 x i + 1];
• each round is like 2 DES rounds
• note rotation is main source of non-linearity
• need reasonable number of rounds (eg 12-16)
97
![Page 98: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/98.jpg)
RC5 Encryption
98
![Page 99: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/99.jpg)
RC5 Modes
• 4 modes used by RC5:
– RC5 Block Cipher, is ECB mode
– RC5-CBC, is CBC mode
– RC5-CBC-PAD, is CBC with padding by bytes with value being the number of padded bytes
– RC5-CTS, a variant of CBC which is the same size as the original message, uses ciphertext stealing to keep size same as original
99
![Page 100: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/100.jpg)
RC5 Ciphertext Stealing (CTS) mode
100
![Page 101: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/101.jpg)
PRIVATE-KEY CRYPTOGRAPHY
• traditional private/secret/single-key cryptography uses one key
• shared by both sender and receiver
• if this key is disclosed communications are compromised
• also is symmetric, parties are equal
• hence does not protect sender from receiver forging a message & claiming it’s sent by sender
• probably most significant advance in the 3000 year history of cryptography
• uses two keys – a public & a private key
• asymmetric since parties are not equal
101
![Page 102: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/102.jpg)
PUBLIC-KEY CRYPTOGRAPHY
• uses clever application of number theoretic concepts to function
• complements rather than replaces private key crypto
• public-key/two-key/asymmetric cryptography involves the use of two keys:
– a public-key, which may be known by anybody, and can be used to encrypt messages, and verify signatures
– a private-key, known only to the recipient, used to decrypt messages, and sign (create) signatures
• is asymmetric because
– those who encrypt messages or verify signatures cannot decrypt messages or create signatures 102
![Page 103: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/103.jpg)
PUBLIC-KEY CRYPTOGRAPHY
103
![Page 104: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/104.jpg)
WHY PUBLIC-KEY CRYPTOGRAPHY?
• developed to address two key issues:
– key distribution – how to have secure communications in general without having to trust a KDC with your key
– digital signatures – how to verify a message comes intact from the claimed sender
• public invention due to Whitfield Diffie & Martin Hellman at Stanford Uni in 1976
104
![Page 105: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/105.jpg)
PUBLIC-KEY CHARACTERISTICS
• Public-Key algorithms rely on two keys with the characteristics that it is:
– computationally infeasible to find decryption key knowing only algorithm & encryption key
– computationally easy to en/decrypt messages when the relevant (en/decrypt) key is known
– either of the two related keys can be used for encryption, with the other used for decryption (in some schemes)
105
![Page 106: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/106.jpg)
PUBLIC-KEY CRYPTOSYSTEMS
106
![Page 107: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/107.jpg)
PUBLIC-KEY APPLICATIONS
• can classify uses into 3 categories:
–encryption/decryption (provide secrecy)
–digital signatures (provide authentication)
–key exchange (of session keys)
• some algorithms are suitable for all uses, others are specific to one
107
![Page 108: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/108.jpg)
SECURITY OF PUBLIC KEY SCHEMES
• like private key schemes brute force exhaustive search attack is always theoretically possible
• but keys used are too large (>512bits)
• security relies on a large enough difference in difficulty between easy (en/decrypt) and hard (cryptanalyse) problems
• more generally the hard problem is known, its just made too hard to do in practise
• requires the use of very large numbers
• hence is slow compared to private key schemes
108
![Page 109: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/109.jpg)
RSA
• by Rivest, Shamir & Adleman of MIT in 1977
• best known & widely used public-key scheme
• based on exponentiation in a finite (Galois) field over integers modulo a prime
– nb. exponentiation takes O((log n)3) operations (easy)
• uses large integers (eg. 1024 bits)
• security due to cost of factoring large numbers
– nb. factorization takes O(e log n log log n) operations (hard)
109
![Page 110: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/110.jpg)
RSA Key Setup
• each user generates a public/private key pair by:
• selecting two large primes at random - p, q
• computing their system modulus N=p.q – note ø(N)=(p-1)(q-1)
• selecting at random the encryption key e • where 1<e<ø(N), gcd(e,ø(N))=1
• solve following equation to find decryption key d – e.d=1 mod ø(N) and 0≤d≤N
• publish their public encryption key: KU={e,N}
• keep secret private decryption key: KR={d,p,q}
110
![Page 111: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/111.jpg)
RSA Use
• to encrypt a message M the sender:
– obtains public key of recipient KU={e,N}
– computes: C=Me mod N, where 0≤M<N
• to decrypt the ciphertext C the owner:
– uses their private key KR={d,p,q}
– computes: M=Cd mod N
• note that the message M must be smaller than the modulus N (block if needed)
111
![Page 112: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/112.jpg)
RSA Example
1. Select primes: p=17 & q=11
2. Compute n = pq =17 11=187
3. Compute ø(n)=(p–1)(q-1)=16 10=160
4. Select e : gcd(e,160)=1; choose e=7
5. Determine d: de=1 mod 160 and d < 160 Value is d=23 since 23 7=161= 10 160+1
6. Publish public key KU={7,187}
7. Keep secret private key KR={23,17,11}
112
![Page 113: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/113.jpg)
RSA EXAMPLE CONT
• sample RSA encryption/decryption is:
• given message M = 88 (nb. 88<187)
• encryption:
C = 887 mod 187 = 11
• decryption:
M = 1123 mod 187 = 88
113
![Page 114: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/114.jpg)
RSA KEY GENERATION
• users of RSA must:
– determine two primes at random - p, q
– select either e or d and compute the other
• primes p,q must not be easily derived from modulus N=p.q
– means must be sufficiently large
– typically guess and use probabilistic test
• exponents e, d are inverses, so use Inverse algorithm to compute the other
114
![Page 115: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/115.jpg)
SECURITY OF RSA
• How to attack RSA?
– we have public key (n,e)
– compute (n) and get d
• Easier said than done!!
– If we have n and n) then we can factor n
– If we have e and d then we can factor n
Adi Shamir
115
![Page 116: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/116.jpg)
Attacks on RSA
• Various attacks on RSA
–known digits attack
–low exponent attack
–short plaintext attack
–timing attack
–factoring Len Adleman
116
![Page 117: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/117.jpg)
KNOWN DIGITS ATTACK
• Theorem
n = pq – has m digits
If we know the first or the last m/4 digits of either p or q, then we can efficiently factor n
• Theorem
(n,e) – RSA public key
n has m digits, and we know the last m/4 digits of d
We can find d in time linear in e log e
Conclusion: Need care about the choice of p and q!
117
![Page 118: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/118.jpg)
LOW EXPONENT ATTACK
• Theorem
– p,q – RSA primes, q < p < 2q
– 1 ≤ d, e < (n)
– de = 1 (mod (n))
– If d < ⅓n1/4 , then d can be calculated quickly
• Consequences
– cannot optimize decryption via small exponents
– how to choose good d’s?
118
![Page 119: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/119.jpg)
SHORT PLAINTEXT ATTACK
• Scenario
– DES – symmetric cipher, used in the past
– Two banks exchange DES keys over RSA
– DES key m: 56 bits (m < 256 < 1017)
– RSA encryption
• c = me (mod n)
• m small, but c will have many digits
• Defense:
– do not use short messages!
– pad with random bits
– Optimal Assymetric Encryption Padding
119
![Page 120: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/120.jpg)
SHORT PLAINTEXT ATTACK
• C = ME (MOD N) M < 256 < 1017
• EVE PREPARES TWO LISTS:
– CX-E (MOD N), 1 ≤ X ≤ 109
– YE (MOD N) 1 ≤ Y ≤ 109
• IF THERE IS A MATCH ON THE LISTS THEN
– C = (XY)E (MOD N)
– THUS: M = XY (MOD N)
• IF M IS A MULTIPLE OF TWO NUMBERS <109 THEN THIS ATTACK WILL SUCCEED
120
![Page 121: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/121.jpg)
OPTIMAL ASSYMETRIC ENCRYPTION PADDING
• n – k bits
• k0, k1 – two numbers s.t. k0 + k1 < k
• Message can have k - k0 - k1 bits
• r – random string of k0 bits
• G: k0 k-k
0
• H: k-k0 k
0
• The method
x1 = m0k1 G(r)
x2 = r H(x1)
The message is x1x2
Bob decrypts and gets
m0k1 = x1 G(H(x1) x2)
121
![Page 122: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/122.jpg)
TIMING ATTACK
• Within RSA computation we do perform exponentiaiton – quick exponentiation procedure
– multiplications occur for each bit of the exponent that is 1
– these multiplications take „random” amounts of time (variation)
• Very hard in practice! – Initiated a big discussion
122
![Page 123: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/123.jpg)
EXPONENTIATION ALGORITHM
• Goal: yd (mod n)
– d = b1b2...bw
(in binary left-to-right)
• Algorithm
1. k = 1, s1 = 1
2. if bk = 1 then rk = sky (mod n) else rk = sk
3. sk+1 = rk2 (mod n)
4. if k = w, stop else set k to k+1, goto 2
5. output rw
123
![Page 124: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/124.jpg)
FACTORING AND PRIMALITY TESTING
• Factoring
– Input: n N
– Output: nontrivial factor of n
• Primality testing
– Input n N
– Output:
• the number is composite
• the number is probably prime
• Is there a difference?
– Yes! – primality testing much easier!
– You do not need to factor the number to see it is composite
124
![Page 125: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/125.jpg)
MILLER-RABIN TEST • Generalization of the
Fermat’s test
• Principle
– if p is a prime then x2 = 1 (mod p) has only two solutions: x = 1 and x = -1
• Why does the principle hold?
• Gist of the MR test
– find a number b such that b2 = 1 (mod p)
– If b {-1,1} then composite
125
![Page 126: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/126.jpg)
MILLER-RABIN TEST
MR( int n ):
let n-1 = 2km
a random in {2, 3, ..., n-2 }
b0 = am (mod n)
if b0 = 1 (mod n) then declare prime
for j = 1 to k-1 do
bj = bj-12 (mod n)
if bj = 1 (mod n) then declare composite
if bj = -1 (mod n) then
declare prime
declare composite
• What are we doing?
– b0 = am (mod n)
– b1 = a2m (mod n)
– b2 = a4m (mod n)
– ...
– bj = a2jm (mod n)
– ...
– bk-1 = a(n-1)/2 (mod n)
126
![Page 127: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/127.jpg)
MILLER-RABIN TEST: EXAMPLES
• n = 5*7*11 = 385
n -1 = 384 = 27*3
k = 7, m = 3
a = 9
b0 = 93 = 344 (mod 385)
b1 = 93*2 = 141 (mod 385)
b2 = 93*22 = 246 (mod 385)
b3 = 93*23 = 71 (mod 385)
b4 = 93*24 = 36 (mod 385)
b5 = 93*25 = 141 (mod 385)
• n = 3*11*17 = 561
n -1 = 560 = 24*35
k = 4, m = 35
a = 2
b0 = 235 = 263 (mod 561)
b1 = 235*2 = 166 (mod 561)
b2 = 235*22 = 67 (mod 561)
b3 = 235*23 = 1 (mod 561)
Proof of compositeness! 127
![Page 128: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/128.jpg)
MILLER-RABIN TEST: EXAMPLES
• n = 401
n -1 = 400 = 24*25
k = 4, m = 25
a = 3
b0 = 325 = 268 (mod 401)
b1 = 325*2 = 45 (mod 401)
b2 = 325*22 = 20 (mod 401)
b3 = 325*23 = 400 (mod 401)
= -1 (mod 401)
• n = 401
n -1 = 400 = 24*25
k = 4, m = 25
a = 2
b0 = 225 = 356 (mod 401)
b1 = 225*2 = 20 (mod 401)
b2 = 225*22 = 400 (mod 401)
Evidence of primality!
128
![Page 129: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/129.jpg)
MILLER-RABIN TEST
• if b0 = 1 (mod n)
– all bi’s (i > 0) will be 1
– can’t find nontrivial roots of 1
• i {1, ..., k-1}
– if bi = 1 (mod n) then
• bi-1 is neither 1 nor -1
• bi-12 = 1 (mod n)
• we found a nontrivial root
– if bi = -1 (mod n) then
• bi+1 through bk are all 1 (mod n)
• can’t find nontrivial roots of 1
• Why this works?
– n-1 = 2km
– b0 = am (mod n)
– b1 = a2m (mod n)
– b2 = a4m (mod n)
– ...
– bj = a2jm (mod n)
– ...
– bk-1 = a(n-1)/2 (mod n)
129
![Page 130: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/130.jpg)
MILLER-RABIN TEST: QUALITY
• MR test is probabilistic
• Answer
– composite – the number is certainly composite
– prime – the number is prime with high probability
• Errors
– MR(n) says prime but n is composite
– Pr[error] ≤ ¼
– Repeat the test to downgrade the prob. of error
130
![Page 131: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/131.jpg)
OTHER PRIMALITY TESTS
• Solovay-Strassen Test
– similar in nature to MR
– uses so called Jacobi symbol
– fast in practice
– probabilistic
• Deterministic test
– Agrawal, Kayal, and Saxena 2002
– extremely slow
• Tests that prove primality
– MR tests compositeness!
– fairly slow
– needed in very few cases
131
![Page 132: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/132.jpg)
FACTORING
• Huge amount of work on factoring!
– we look at some simple algorithms
• Some best algorithms
– quadratic sieve
– elliptic curve
– number field sieve
• Assumption
– Factor an odd integer
– produce one factor
– how to get all of them?
O(e(1+o(1))sqrt(lnn lnln n))
O(e(1+o(1))sqrt(lnp lnln p))
O(e(1.92+o(1))(lnn)1/3(lnlnn)2/3)
132
![Page 133: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/133.jpg)
FACTORING
• Factoring
– Input: n N
– Output: nontrivial factor of n
• There are about (n) = n / ln n primes ≤ n
• Trivial methods
– divide by all numbers in {2, ... , n-1}
– or by all primes p p ≤ sqrt(n)
– These are exponential!
133
![Page 134: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/134.jpg)
Key Management
• public-key encryption helps address key distribution problems
• have two aspects of this:
–distribution of public keys
–use of public-key encryption to distribute secret keys
134
![Page 135: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/135.jpg)
Distribution of Public Keys
• can be considered as using one of:
–Public announcement
–Publicly available directory
–Public-key authority
–Public-key certificates
135
![Page 136: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/136.jpg)
Public Announcement
• users distribute public keys to recipients or broadcast to community at large
– eg. append PGP keys to email messages or post to news groups or email list
• major weakness is forgery
– anyone can create a key claiming to be someone else and broadcast it
– until forgery is discovered can masquerade as claimed user
136
![Page 137: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/137.jpg)
Publicly Available Directory
• can obtain greater security by registering keys with a public directory
• directory must be trusted with properties: – contains {name,public-key} entries
– participants register securely with directory
– participants can replace key at any time
– directory is periodically published
– directory can be accessed electronically
• still vulnerable to tampering or forgery
137
![Page 138: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/138.jpg)
Public-Key Authority
• improve security by tightening control over distribution of keys from directory
• has properties of directory
• and requires users to know public key for the directory
• then users interact with directory to obtain any desired public key securely – does require real-time access to directory
when keys are needed
138
![Page 139: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/139.jpg)
Public-Key Authority
139
![Page 140: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/140.jpg)
Public-Key Certificates
• certificates allow key exchange without real-time access to public-key authority
• a certificate binds identity to public key – usually with other info such as period of
validity, rights of use etc
• with all contents signed by a trusted Public-Key or Certificate Authority (CA)
• can be verified by anyone who knows the public-key authorities public-key
140
![Page 141: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/141.jpg)
Public-Key Certificates
141
![Page 142: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/142.jpg)
Public-Key Distribution of Secret Keys
• use previous methods to obtain public-key
• can use for secrecy or authentication
• but public-key algorithms are slow
• so usually want to use private-key encryption to protect message contents
• hence need a session key
• have several alternatives for negotiating a suitable session
142
![Page 143: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/143.jpg)
Simple Secret Key Distribution
• proposed by Merkle in 1979
– A generates a new temporary public key pair
– A sends B the public key and their identity
– B generates a session key K sends it to A encrypted using the supplied public key
– A decrypts the session key and both use
• problem is that an opponent can intercept and impersonate both halves of protocol
143
![Page 144: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/144.jpg)
Public-Key Distribution of Secret Keys
• if have securely exchanged public-keys:
144
![Page 145: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/145.jpg)
Diffie-Hellman Key Exchange
• first public-key type scheme proposed
• by Diffie & Hellman in 1976 along with the exposition of public key concepts
– note: now know that James Ellis (UK CESG) secretly proposed the concept in 1970
• is a practical method for public exchange of a secret key
• used in a number of commercial products
145
![Page 146: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/146.jpg)
Diffie-Hellman Key Exchange
• a public-key distribution scheme – cannot be used to exchange an arbitrary message
– rather it can establish a common key
– known only to the two participants
• value of key depends on the participants (and their private and public key information)
• based on exponentiation in a finite (Galois) field (modulo a prime or a polynomial) - easy
• security relies on the difficulty of computing discrete logarithms (similar to factoring) – hard
146
![Page 147: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/147.jpg)
Diffie-Hellman Setup
• all users agree on global parameters:
– large prime integer or polynomial q
– α a primitive root mod q
• each user (eg. A) generates their key
– chooses a secret key (number): xA < q
– compute their public key: yA = αxA mod q
• each user makes public that key yA
147
![Page 148: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/148.jpg)
Diffie-Hellman Key Exchange
• shared session key for users A & B is KAB: KAB = α
xA.xB mod q
= yAxB mod q (which B can compute)
= yBxA mod q (which A can compute)
• KAB is used as session key in private-key encryption scheme between Alice and Bob
• if Alice and Bob subsequently communicate, they will have the same key as before, unless they choose new public-keys
• attacker needs an x, must solve discrete log
148
![Page 149: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/149.jpg)
Diffie-Hellman Example
• users Alice & Bob who wish to swap keys:
• agree on prime q=353 and α=3
• select random secret keys: – A chooses xA=97, B chooses xB=233
• compute public keys: – yA=3
97 mod 353 = 40 (Alice)
– yB=3233
mod 353 = 248 (Bob)
• compute shared session key as: KAB= yB
xA mod 353 = 24897 = 160 (Alice)
KAB= yAxB mod 353 = 40
233 = 160 (Bob)
149
![Page 150: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/150.jpg)
Elliptic Curve Cryptography
• majority of public-key crypto (RSA, D-H) use either integer or polynomial arithmetic with very large numbers/polynomials
• imposes a significant load in storing and processing keys and messages
• an alternative is to use elliptic curves
• offers same security with smaller bit sizes
150
![Page 151: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/151.jpg)
Real Elliptic Curves
• an elliptic curve is defined by an equation in two variables x & y, with coefficients
• consider a cubic elliptic curve of form – y2 = x3 + ax + b
– where x,y,a,b are all real numbers
– also define zero point O
• have addition operation for elliptic curve – geometrically sum of Q+R is reflection of
intersection R
151
![Page 152: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/152.jpg)
Real Elliptic Curve Example
152
![Page 153: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/153.jpg)
Finite Elliptic Curves
• Elliptic curve cryptography uses curves whose variables & coefficients are finite
• have two families commonly used:
– prime curves Ep(a,b) defined over Zp
• use integers modulo a prime
• best in software
– binary curves E2m(a,b) defined over GF(2n)
• use polynomials with binary coefficients
• best in hardware
153
![Page 154: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/154.jpg)
Elliptic Curve Cryptography
• ECC addition is analog of modulo multiply
• ECC repeated addition is analog of modulo exponentiation
• need “hard” problem equiv to discrete log –Q=kP, where Q,P belong to a prime curve
– is “easy” to compute Q given k,P
– but “hard” to find k given Q,P
– known as the elliptic curve logarithm problem
• Certicom example: E23(9,17)
154
![Page 155: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/155.jpg)
ECC Diffie-Hellman
• can do key exchange analogous to D-H
• users select a suitable curve Ep(a,b)
• select base point G=(x1,y1) with large order n s.t. nG=O
• A & B select private keys nA<n, nB<n
• compute public keys: PA=nA G, PB=nB G
• compute shared key: K=nA PB, K=nB PA
– same since K=nA nB G
155
![Page 156: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/156.jpg)
ECC Encryption/Decryption
• several alternatives, will consider simplest
• must first encode any message M as a point on the elliptic curve Pm
• select suitable curve & point G as in D-H
• each user chooses private key nA<n
• and computes public key PA=nA G
• to encrypt Pm : Cm={kG, Pm+k Pb}, k random
• decrypt Cm compute: Pm+kPb–nB(kG) = Pm+k(nBG)–nB(kG) = Pm
156
![Page 157: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/157.jpg)
ECC Security
• relies on elliptic curve logarithm problem
• fastest method is “Pollard rho method”
• compared to factoring, can use much smaller key sizes than with RSA etc
• for equivalent key lengths computations are roughly equivalent
• hence for similar security ECC offers significant computational advantages
157
![Page 158: CS6701 CRYPTOGRAPHY AND NETWORK SECURITY](https://reader033.vdocuments.mx/reader033/viewer/2022050803/5a649d257f8b9a27568b780b/html5/thumbnails/158.jpg)
Questions ?