hybrid cryptographic algorithm for robust network security
TRANSCRIPT
-
8/8/2019 Hybrid Cryptographic Algorithm for Robust Network Security
1/6
Hybrid Cryptographic Algorithm for Robust Network Security
Janakiraman V S, Ganesan R, Gobi MDepartment of Computer Science and Applications, PSG College of Arts and Science,
Avinashi Road, Coimbatore 641 [email protected], [email protected], [email protected]
AbstractIt is widely recognized and accepted that data security
will play a crucial and critical role in modern times forbusinesses will be transacted over the Internet through e-commerce and m-commerce channels. To address thesesecurity concerns, various security protocols that are ofsymmetric-key and asymmetric-key type have beendeveloped. In this paper, we present a softwareimplementation of a hybrid algorithm that combines boththe symmetric key algorithm of AES and the asymmetric-key algorithm of Elliptic Curve Cryptography (ECC).
This hybrid algorithm that has been implemented alsoconsiders takes care of the integrity of data using MD5algorithm. The paper also presents future trends ofresearch.
Keywords: Authenticity, Integrity, Non-Reputability, Advanced Encryption Standard (AES), Elliptic CurveCryptosystems (ECC), Message Digest version 5 ( MD5),Symmetric Key, Asymmetric Key
1. IntroductionE-commerce and m-commerce transactions are growingat an explosive rate. The success of these depends on
how transactions are carried out in the most securedmanner. The prime requirements for any e-commerce andm-commerce transactions are Privacy, Authentication,Integrity maintenance and Non-Repudiation.
Cryptography helps us in achieving these primerequirements. Today, various cryptographic algorithmshave been developed. These are broadly classified as
symmetric key (DES, TDES, Blowfish, CAST, IDEA,RC4, RC6, AES) and asymmetric key (RSA, ECC)algorithms. In this paper, we present an hybrid algorithmfor enhanced network security.
The organization of the paper is as follows. In section 2,
we present the basics of symmetric key encryptiontechniques and describe the AES algorithm in detail. Insection 3 we explain the essentials of asymmetric keyencryption techniques. Elliptic Curve Cryptography is
described in section 4. In section 5, the hybrid algorithmis presented. We conclude the paper with directions for
future research. Appendix A, B & C provides thealgorithms for an ECC, AES and MD5 respectively.
2. Symmetric-Key Encryption TechniquesIn any symmetric-key encryption technique, both
encryption and decryption process are carried out using asingle key. These algorithms are efficient, are secure,execute at high speeds, and consume less computerresources of memory and processor time.However, symmetric key cryptographic techniques sufferfrom the disadvantages of Key distribution problem, Key
management problem and inability to digitally sign amessage. (Schneier [13], Stallings [14]).Despite these drawbacks, numerous secure symmetrickey encryption algorithms such as DES, TDES, Blowfish,
CAST, IDEA, RC4, and RC6 have been developed. Inrecent times, National Institute of Standards (NIST)
selected Rijndael algorithm as the Advanced EncryptionStandard (AES). Details on various symmetric keyalgorithms including AES can be had from (Schneier [13],Stallings [14]).
3. Asymmetric Key Encryption TechniquesThe problems associated with symmetric-key
cryptographic techniques were solved when asymmetricencryption mechanism was implemented. Here, insteadof a single key, every person has a pair of keys. One key,called the public key is known to everyone and the other
one, the private key is known only to the owner. There isa mathematical relationship between both these keys.Thus, if any message m is encrypted using any of the
key, it can be decrypted by the other portion. Variousasymmetric encryption algorithms (RSA, Elgamal) have been implemented. Details on the working ofasymmetric encryption techniques can be had fromSchneier [13], Stallings[14].Asymmetric encryption algorithms are broadly divided
into three families:1. Algorithms based on the integer factorization
problem (e.g. RSA)2. Algorithms based on the discrete logarithm problem
(e.g. DLP)3. Algorithms based on Elliptic Curves
ICGST- CNIR, Volume (7), Issue (I), July 2007
33
-
8/8/2019 Hybrid Cryptographic Algorithm for Robust Network Security
2/6
Despite these differences, one thing that is commonamong all these three families is that they all performextensive and complex operations on numbers, typicallymodular exponentiation
4. Elliptic Curve Cryptosystems (ECC)An elliptic curve E over a field F is defined by the
Weierstrass equation:
E/F:y2 + a1xy + a3y = x
3 + a2x2 + a4x + a6 with a1, a2, a3,
a4, a6 F.Mathematical operations involving elliptic curves includeaddition of two points, scalar multiplication, determiningthe inverse of a given point on the curve.The two most common choices for implementation ofECC are:
1. Galois Field GF(2m), also known as characteristictwo or even (containing 2
melements, where m is an
integer greater than one). In this case, equation (1)
becomes E/F: y2+xy=x
3+ax+b where a and b F,
b
0 together with a point at infinity2. Galois Field GF(p), also known as integers modulo p,
odd, or odd prime (containing p elements, where p is
an odd prime number). In this case, equation (1) can be simplified to the form E/F : y
2= x
3+ ax + b
where a and b F and 4a3 + 27b2 0 togetherwith a point at infinity()
An important characteristic of elliptic curves is that the points on the elliptic curves form a group. Details onECC can be had from Blake [1], Cohen [3], Enge [5],Hankerson [6], Koblitz [9], Menezes [10], Menezes [11],Rosing [12], Washington [16].Various researchers (Certicom[2], DeWin [4]) have
proved that ECC requires more time to break ascompared to RSA and DSA. Certicom[2] summarizes the
results of their study as: ECC provides greater efficiencythan either integer factorization systems or discretelogarithm systems, in terms of computational overheads,key sizes, and bandwidth. In implementations, thesesavings mean higher speeds, lower power consumption,and code size reductions. ECC has been accepted as a
standard by various bodies. Some of them are ANSI(American National Standards Institute), FIPS (FederalInformation Processing Standards), IEEE P1363(Institution of Electrical & Electronic Engineers), andWAP (Wireless Application Protocol).In this work, we have adopted GF(p) and have
implemented the system.
5. Hybrid Algorithm Combining AES &
ECCThe algorithm we present here combines the best features
of both symmetric and asymmetric encryption techniques.The data (plain text) that is to be transmitted is encryptedusing the AES algorithm. Details on AES can be hadfrom [7] and [15]. The AES key which is used to encryptthe data is encrypted using ECC. The cipher text of themessage and the cipher text of the key are then sent to the
receiver.
To ensure integrity of the data that is transmitted, the datais subjected to MD5 hash algorithm. The message digest
obtained by this process is also encrypted using ECCtechnique. Thus the sender sends a) Cipher text of themessage, b) Ciphertext of the AES key, and c) Ciphertext
of the message digest. The receiver upon receivinga) Cipher text of the message, b) Ciphertext of the AESkey, and c) Ciphertext of the message digest, firstdecrypts the Ciphertext of the AES key to obtain the AESkey. This is then used to decrypt the cipher text of themessage to obtain the plain text. The plaintext is again
subjected to MD5 hash algorithm. This process yields amessage digest. The ciphertext of the message digest isdecrypted using ECC technique to obtain the messagedigest sent by the sender. This value is compared with thecomputed message digest. If both of them are equal, themessage is accepted else rejected. Figure 1 shows the
sequence of operation. This hybrid algorithm is acombination of symmetric and asymmetric encryption
techniques.
6. Implementation Details
The entire implementation was carried out in Java 2,Standard Edition (J2SE) v 1.4.0.J2SE has the built-in classes for AES, and MD5. Theseclasses are available in the Java packages of java.security,
javax.crypto, javax.crypto.spec. Details on java securityarchitecture can be had from [8].The code uses these packages and the header files havethe following header.
import java.security.*;
import javax.crypto.*;
import javax.crypto.spec.*;
import java.io.*;
We developed methods in Java for elliptic curvegeneration, base point generation, keys (both public andprivate) generation and encryption and decryption usingElGamal method.
We also used the Java class of BigInteger to handle largeintegers and the method of IsProbablePrime to determinewhether the large integer is prime or not. The softwarewas running on Celeron machine @ 1.0 Ghz and 256 MBRAM.
7. ResultsWe tested this hybrid algorithm on a test data of various
sizes. Table 1 provides details on the time taken forencryption, decryption and calculation of MD5 messagedigest process. Table 2 provides information onEncryption & Decryption of 128 bit AES key and MD5message digest using ECC. Figure 2 & 3 gives the
graphical output of the results.
Table 1: Time in milliseconds for 128 bit AES encryptionand decryption and calculation of MD5 message digest
FileSize
128 bitAES
Encryption
128 bitAES
Decryption
MD5MessageDigest
50Kb 1902 1987 1364
100Kb 2275 2543 1505
150Kb 3572 3427 1632
ICGST- CNIR, Volume (7), Issue (I), July 2007
34
-
8/8/2019 Hybrid Cryptographic Algorithm for Robust Network Security
3/6
Message
AES KeEncr tion
Ciphertext ofthe message
ECCtechnique
Ciphertext of the AES keyCiphertext of the message
Ciphertext of Message Digest
SENDERS SIDE
RECEIVERS SIDE Ciphertext of the AES keyCiphertext of the message
Ciphertext of the Message Digest
ElGamalDecryption
Ciphertext ofthe AES key
AES KeyCiphertext ofthe message
DecryptionMessage
Transmitted to the receiver
MD5 Hashin
ElGamal Encryptionof Message Digest
ECCTechnique
ECCTechnique
Ciphertext of
MessageDigest
ElGamal Decryption
Message Digest
MD5HashingMessa e Di est
COMPAREAccept if same. Else reject.
ElGamalEncryption
Figure 1 : Sequence of operations
ICGST- CNIR, Volume (7), Issue (I), July 2007
35
-
8/8/2019 Hybrid Cryptographic Algorithm for Robust Network Security
4/6
26
28
30
32
34
36
Time (in
Milliseconds)
Encryption Decryption
Run Time Analysis of ECC
AES key (128 Bit)
MD5 Hashing
Runtime Analysis of ECC
Run Time Analysis of AES and MD5
0
500
1000
1500
2000
2500
3000
3500
4000
50Kb 100Kb 150Kb
File Size (in Kb)
Time(inMilliseconds)
Encryption (Time inMilliSec.)
Decryption (Time in
MilliSec.)
Message Digest
(MD5) Generated(Time in MilliSec.)
Runtime anal sis of AES and MD5
Table 2: Encryption & Decryption of 128 bit AES keyand MD5 message digest using ECC
Encryption Decryption
128 bit AES key 30 34
MD5 Messagedigest of theCiphertext
32 36
Figure 2: Runtime analysis of AES and MD5
Figure 3: Runtime analysis of ECC
8. AnalysisWith any cryptographic system dealing with 128 bit key,
the total number of combination is 2128
. The time
required to check all possible combinations at the rate of
rate 50 billion keys/second is approximately 5 x 1021
years.Stallings [14] states that the computational complexityfor breaking the elliptic-curve cryptosystem for an
elliptic curve key size of 150 bits is 3.8 x 1010
MIPS
(Million Instructions Per Second years). Moreover, therecommended key sizes as per National Institute ofStandards Technology are given in Table 3
Table 3: NIST Recommended Key Sizes
Symmetric Key
Size (bits)
RSA
Key Size (bits)Elliptic Curve
Key Size
(bits)
80 1024 160
112 2048 224128 3072 256
192 7680 384
256 15360 521
From table 3 it is clear that ECC fairs better than RSA interms of security.
9. ConclusionIn this paper, we have designed and implemented ahybrid algorithm in Java combining the best of bothsymmetric (AES) and asymmetric (ECC over GF(p))
methodologies. We have tested the algorithm for varioussizes of files. To ensure integrity of the data, we haveadopted the MD5 hash algorithm.In this framework, we have adopted a probabilistic
primality checking (isProbablePrime() in Java) todetermine whether the given number is prime or not. Todetermine whether the given number is prime or not, onehas to use AKS algorithm which is deterministic in
nature. The main limiting factor in AKS algorithm is theoverhead it puts on computation in terms of time and processor speed. To illustrate, for a 7 digit number,researches have indicated that AKS algorithm takes about20 hours whereas Rabin-Miller gives its verdict in less
than a second.
10. References
[1] Blake I, G. Seroussi and N. Smart (eds).Advances in Elliptic Curve Cryptography ,Cambridge University Press, 2005
[2] Certicom whitepaper, Remarks on the Securityof the Elliptic Curve Cryptosystem.. September
1997.http://www.certicom.com/research/wecc3.html
[3] Cohen H , Gerhard Frey, Handbook of Ellipticand Hyper-elliptic curve Cryptography,
Chapman & Hall /CRC, NW, FL, 2006[4] DeWin E , S. Mister, B. Preneel, and M. Wiener.
On the Performance of Signature SchemesBased on Elliptic Curves. In J. P. Buhler, editor,
Algorithmic Number Theory: ThirdInternational Symposium (ANTS 3), volumeLNCS 1423, pages 252-266. Springer-Verlag,June 21-25 1998.
[5] Enge A , Elliptic Curves and Their Applicationsto Cryptography: An Introduction, Kluwer
Academic Publishers, Norwell, MA, USA,,1999.[6] Hankerson D, Alfred Menezes, and Scott
Vanstone, Guide to Elliptic Curve Cryptography,
Springer-Verlag Professional Computing Series,New York, 2004.
[7] http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
[8] http://java.sun.com/j2se/1.3/docs/guide/security/CryptoSpec.html
[9] Koblitz N , Algebraic aspects of cryptography,Springer-Verlag Professional Computing Series,New York, 1998
[10]Menezes A J, P. C. van Oorschot, and S. A.Vanstone. Handbook of Applied Cryptography.
CRC Press, Boca Raton, Florida, USA, 1997.[11]Menezes. A, Elliptic curve public key
cryptosystems, Kluwer Academic Publishers,Norwell, MA, USA, 1994.
ICGST- CNIR, Volume (7), Issue (I), July 2007
36
-
8/8/2019 Hybrid Cryptographic Algorithm for Robust Network Security
5/6
[12]Rosing M, Implementing Elliptic CurveCryptography, Manning Publications, 1998.
[13]Schneier B . Applied Cryptography. John Wiley& Sons Inc., New York, New York, USA, 2nd
edition, 1996.[14]Stallings W. Cryptography and Network
Security. Prentice Hall, Upper Saddle River,New Jersey, USA, second edition, 1999.
[15]U.S. Department of Commerce / NationalInstitute of Standard and Technology. FIPS
PUB 197, Specification for the AdvancedEncryption Standard (AES), November 2001.Available at http://csrc.nist.gov/encryption/aes.
[16]Washington L C , Elliptic Curves: NumberTheory and Cryptography Chapman &Hall/CRC, FL, USA. 2003.
Appendix A: Elliptic curves in Galois Field GF(p)
Elliptic curves can be defined in a finite or Galois field
GF(p) y
2
mod p = x
3
+ ax + b mod p where p is aprime number.
Steps in ECC over GF(p)
The following are the steps in performing ECC.Step A: Determine the Base Point.Step B : Determine the public key and the
private key for the sender and receiver.Step C : Perform Encryption
Step D : Perform Decryption
Step A : Steps in finding the Base Point
Step 1: Take the Elliptic curvey2 mod p= x3 + ax +b mod p where p is a prime number.
Step 2 : For values from 0 to p-1, compute LHS and RHSStep 3 : Locate points P where LHS = RHS
Step 4 : Count the number of points n. The total numberof points is always n + 1 (one point at infinity)Step 5 : Find the prime factors of (n+1) and choose thelargest among them.Step 6: Find the negative point for every point computedin step 3.
Step 7 : Now perform addition operation of the each ofthe points obtained in step 3. Addition refers to finding2P, 3P, 4P, 5P.... and tabulate themStep 8 : Repeat step 7 until one gets the point at infinity.Step 9 : Identify the largest prime factor from step 5.
From the table created in step 7,locate for what points of P, the value is O (point at
infinity)Step 10: From the list of points, one can choose any pointwhich will be the base point.
Step B : Steps in Key Generation
Step 1: Sender and receiver agree on the elliptic curve Eand the base point G with order n. The order of n must belarge. Hence E,G and n are known to everyone.Step 2: Sender chooses a random number ds which is 1