[Figure: Alice, Bob and Trudy, with a channel carrying data and control messages]
Eavesdropping - Message Interception
(Attack on Confidentiality)
• Unauthorized access to information
• Packet sniffers and wiretappers
• Illicit copying of files and programs
[Figure: A, B and an Eavesdropper]
Integrity Attack - Tampering With Messages
• Stop the flow of the message
• Delay and optionally modify the message
• Release the message again
[Figure: A, B and a Perpetrator]
Authenticity Attack - Fabrication
• Unauthorized assumption of other’s identity
• Generate and distribute objects under this
identity
[Figure: A and B, with a Masquerader sending as "from A"]
Attack on Availability
• Destroy hardware (cutting fiber) or software
• Modify software in a subtle way (alias commands)
• Corrupt packets in transit
D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
a  b  c  d  e  f  g  h  i  j  k  l  m
0  1  2  3  4  5  6  7  8  9  10 11 12
n  o  p  q  r  s  t  u  v  w  x  y  z
13 14 15 16 17 18 19 20 21 22 23 24 25
Plain: abcdefghijklmnopqrstuvwxyz
Cipher: DKVQFIBJWPESCXHTMYAUOLRGZN
Plaintext: ifwewishtoreplaceletters
Ciphertext: WIRFRWAJUHYFTSDVFSFUUFYA
Monoalphabetic Cipher Security
• Now have a total of 26! = 4 x 10^26 keys
• Is that secure?
• Problem is language characteristics
– Human languages are redundant
– Letters are not equally commonly used
English Letter Frequencies
Note that all human languages have varying letter frequencies, though the
number of letters and their frequencies varies.
Example Cryptanalysis
• Given ciphertext:
UZQSOVUOHXMOPVGPOZPEVSGZWSZOPFPESXUDBMETSXAIZ
VUEPHZHMDZSHZOWSFPAPPDTSVPQUZWYMXUZUHSX
EPYEPOPDZSZUFPOMBZWPFUPZHMDJUDTMOHMQ
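An added example (not part of the original slides) that applies the Plain/Cipher key shown above and then counts letter frequencies, the first step of the cryptanalysis the slides describe. The function names are assumptions made for illustration; the key, plaintext and ciphertexts are copied from the slides.

```python
from collections import Counter
import string

PLAIN = string.ascii_lowercase
CIPHER = "DKVQFIBJWPESCXHTMYAUOLRGZN"          # key from the slide
ENC = str.maketrans(PLAIN, CIPHER)
DEC = str.maketrans(CIPHER, PLAIN)

# Ciphertext from the "Example Cryptanalysis" slide (its key is unknown here).
SLIDE_CT = (
    "UZQSOVUOHXMOPVGPOZPEVSGZWSZOPFPESXUDBMETSXAIZ"
    "VUEPHZHMDZSHZOWSFPAPPDTSVPQUZWYMXUZUHSX"
    "EPYEPOPDZSZUFPOMBZWPFUPZHMDJUDTMOHMQ"
)


def encrypt(plaintext):
    """Substitute each letter using the slide's key; other characters pass through."""
    return plaintext.lower().translate(ENC)


def decrypt(ciphertext):
    """Invert the substitution."""
    return ciphertext.upper().translate(DEC)


def letter_frequencies(text, top=5):
    """Return [(letter, count, percent)] for the most common letters."""
    letters = [c for c in text.upper() if c.isalpha()]
    counts = Counter(letters).most_common(top)
    return [(ch, n, round(100 * n / len(letters), 2)) for ch, n in counts]


if __name__ == "__main__":
    ct = encrypt("ifwewishtoreplaceletters")
    print(ct)                              # matches the slide's ciphertext
    # The substitution hides letters but not their frequencies:
    # the most common ciphertext letter decrypts to 'e'.
    top = letter_frequencies(ct, 1)[0][0]
    print(top, "->", decrypt(top))
    # Same count on the unknown-key ciphertext gives the first guesses.
    for row in letter_frequencies(SLIDE_CT):
        print(row)
```

The two most frequent letters of the unknown-key ciphertext are the natural first candidates for the most common English letters, which is why the 26! key space does not translate into security.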
• Giving ciphertext
MEMATRHTGPRYETEFETEOAAT
Product Ciphers
• Ciphers using substitutions or transpositions are
not secure because of language characteristics
• Hence consider using several ciphers in succession
to make harder, but:
– Two substitutions make another substitution
– Two transpositions make a more complex transposition
– But a substitution followed by a transposition makes a
new much harder cipher
• This is the bridge from classical to modern ciphers
Rotor Machines
• Before modern ciphers,
rotor machines were
most common complex
ciphers in use
• Widely used in WW2
– German Enigma, Allied
Hagelin, Japanese Purple
• Implemented a very
complex, varying
substitution cipher
Outline
• Overview of Cryptography
• Classical Symmetric Cipher
• Modern Symmetric Ciphers (DES/AES)
• Asymmetric Cipher
• One-way Hash Functions and Message Digest
Block vs Stream Ciphers
• Block ciphers process messages in blocks,
each of which is then en/decrypted
• Like a substitution on very big characters
– 64-bits or more
• Stream ciphers process messages a bit or byte
at a time when en/decrypting
• Many current ciphers are block ciphers, one of
the most widely used types of cryptographic
algorithms
Block Cipher Principles
• Most symmetric block ciphers are based on a
Feistel Cipher Structure
• Block ciphers look like an extremely large
substitution
• Would need table of 2^64 entries for a 64-bit
block
• Instead create from smaller building blocks
• Using idea of a product cipher
Ideal Block Cipher
Substitution-Permutation Ciphers
• Substitution-permutation (S-P) networks
[Shannon, 1949]
– modern substitution-transposition product cipher
• These form the basis of modern block ciphers
• S-P networks are based on the two primitive
cryptographic operations
– substitution (S-box)
– permutation (P-box)
• provide confusion and diffusion of message
Feistel Cipher Structure
• Feistel cipher implements Shannon’s S-P
network concept
– based on invertible product cipher
• Process through multiple rounds which
– partitions input block into two halves
– perform a substitution on left data half
– based on round function of right half & subkey
– then have permutation swapping halves
[Figure: Feistel Cipher Structure]
[Figure: Feistel Cipher Decryption]
DES (Data Encryption Standard)
• Published in 1977, standardized in 1979.
• Key: 64 bit quantity=8-bit parity+56-bit key
– Every 8th bit is a parity bit.
• 64 bit input, 64 bit output.
[Figure: DES Encryption takes a 64-bit M and a 56-bit key and produces a 64-bit C]
DES Top View
[Figure: a 64-bit Input passes through the Initial Permutation and Rounds 1 to 16 to give a 64-bit Output; "Generate keys" derives the 48-bit round keys K1, K2, ..., K16 from the 56-bit Key. A further box is labelled "Permutation".]
DES Summary
• Simple, easy to implement:
– Hardware/gigabits/second,
software/megabits/second
• 56-bit key DES may be acceptable for non-
critical applications but triple DES (DES3)
should be secure for most applications today
• Supports several operation modes (ECB, CBC,
OFB, CFB) for different applications
Avalanche Effect
• Key desirable property of an encryption algorithm
• Where a change of one input or key bit
results in changing more than half output bits
• DES exhibits strong avalanche
Strength of DES – Key Size
• 56-bit keys have 2^56 = 7.2 x 10^16 values
• Brute force search looks hard
• Recent advances have shown it is possible
– in 1997 on a huge cluster of computers over the
Internet in a few months
– in 1998 on dedicated hardware called “DES cracker”
by EFF in a few days ($220,000)
– in 1999 above combined in 22hrs!
• Still must be able to recognize plaintext
• No big flaw for DES algorithms
DES Replacement
• Triple-DES (3DES)
– 168-bit key, no brute force attacks
– Underlying encryption algorithm the same, no
effective analytic attacks
– Drawbacks
• Performance: no efficient software codes for DES/3DES
• Efficiency/security: bigger block size desirable
• decryption:
M = 11^23 mod 187 = 88
Is RSA Secure?
• Factoring 512-bit number is very hard!
• But if you can factor big number n then given public
key <e,n>, you can find d, hence the private key by:
– Knowing factors p, q, such that, n = p*q
– Then ø(n) =(p-1)(q-1)
– Then d such that e*d = 1 mod ø(n)
• Threat
– Moore’s law
– Refinement of factorizing algorithms
• For the near future, a key of 1024 or 2048 bits
needed
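An added example (not from the original slides) that follows the three steps listed above: factor n, compute ø(n), and solve e*d = 1 mod ø(n). It uses n = 187 and d = 23 from the decryption line on the slide; e = 7 is the matching public exponent (7 * 23 = 161 = 1 mod 160), and the function names are assumptions made for illustration. Trial division only works because n is tiny, which is the reason the slide calls for 1024 or 2048 bit keys.

```python
from math import isqrt


def factor_semiprime(n):
    """Find p, q with n = p*q by trial division (feasible only for tiny n)."""
    for p in range(2, isqrt(n) + 1):
        if n % p == 0:
            return p, n // p
    raise ValueError("no non-trivial factor found")


def private_exponent(e, n):
    """Recover d from the public key <e, n> once n has been factored."""
    p, q = factor_semiprime(n)
    phi = (p - 1) * (q - 1)          # phi(n) = (p-1)(q-1)
    return pow(e, -1, phi)           # d with e*d = 1 mod phi(n); Python 3.8+


def rsa_round_trip(message, e, n):
    """Encrypt with the public key, then decrypt with the recovered d."""
    d = private_exponent(e, n)
    ciphertext = pow(message, e, n)
    return d, ciphertext, pow(ciphertext, d, n)


if __name__ == "__main__":
    n, e = 187, 7                    # textbook-sized modulus from the slide
    print(factor_semiprime(n))       # the two prime factors
    print(rsa_round_trip(88, e, n))  # recovered d, ciphertext, decrypted message
```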
Symmetric (DES) vs. Public Key (RSA)
• Exponentiation of RSA is expensive !
• AES and DES are much faster
– 100 times faster in software
– 1,000 to 10,000 times faster in hardware
• RSA often used in combination with AES and DES
– Pass the session key with RSA
Outline
• History of Security and Definitions
• Overview of Cryptography
• Symmetric Cipher
– Classical Symmetric Cipher
– Modern Symmetric Ciphers (DES and AES)
• Asymmetric Cipher
• One-way Hash Functions and Message Digest
Confidentiality => Authenticity ?
• Symmetric cipher ?
– Shared key problem
– Plaintext has to be intelligible/understandable
• Asymmetric cipher?
– Too expensive
– Plaintext has to be intelligible/understandable
– Desirable to cipher on a much smaller size of data
which uniquely represents the long message
Hash Functions
• Condenses arbitrary message to fixed size
h = H(M)
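[Figure: processing of one message block mi on the chaining value A B C D]
ABCD = fF(ABCD, mi, T[1..16])
ABCD = fG(ABCD, mi, T[17..32])
ABCD = fH(ABCD, mi, T[33..48])
ABCD = fI(ABCD, mi, T[49..64])
[four additions (+), one per word A, B, C, D, give MD i+1]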
Secure Hash Algorithm
• Developed by NIST, specified in the Secure
Hash Standard (SHS, FIPS Pub 180), 1993
• SHA is specified as the hash algorithm in the
Digital Signature Standard (DSS), NIST
General Logic
• Input message must be < 2^64 bits
– not really a problem
• Message is processed in 512-bit blocks
sequentially
• Message digest is 160 bits
• SHA design is similar to MD5, a little slower,
but a lot stronger
SHA-1 versus MD5
• Brute force attack is harder (160 vs 128 bits for
MD5)
• A little slower than MD5 (80 vs 64 steps)
– Both work well on a 32-bit architecture
• Both designed as simple and compact for
implementation
• Cryptanalytic attacks
– MD4/5: vulnerability discovered since its design
– SHA-1: none until recent 2005 results raised concerns about
its use in future applications
Revised Secure Hash Standard
• NIST issued a revision, FIPS 180-2, in 2002
• Adds 3 additional hash algorithms
• SHA-256, SHA-384, SHA-512
– Collectively called SHA-2
• Designed for compatibility with increased
security provided by the AES cipher
• Structure & detail are similar to SHA-1
• Hence analysis should be similar, but security
levels are rather higher
Backup Slides
Cryptanalysis Scheme
• Ciphertext only:
– Exhaustive search until “recognizable plaintext”
– Need enough ciphertext
• Known plaintext:
– Secret may be revealed (by spy, time), thus <ciphertext,
plaintext> pair is obtained
– Great for monoalphabetic ciphers
• Chosen plaintext:
– Choose text, get encrypted
– Pick patterns to reveal the structure of the key
One-Time Pad
• If a truly random key as long as the message is
used, the cipher will be secure - One-Time pad
• E.g., a random sequence of 0’s and 1’s XORed to
plaintext, no repetition of keys
• Unbreakable since ciphertext bears no
statistical relationship to the plaintext
• For any plaintext, it needs a random key of the
same length
– Hard to generate large amount of keys
• Have problem of safe distribution of key
Confusion and Diffusion
• Cipher needs to completely obscure statistical
properties of original message
• A one-time pad does this
• More practically Shannon suggested S-P networks
to obtain:
• Diffusion – dissipates statistical structure of
plaintext over bulk of ciphertext
• Confusion – makes relationship between
ciphertext and key as complex as possible
Bit Permutation (1-to-1)
[Figure: permutation of a 32-bit input, one bit at a time]
Input (bits 1 2 3 4 ... 32):         0 0 1 0 ... 1
Output (labelled 22 6 13 32 ... 3):  1 0 1 1 ... 1
Per-Round Key Generation
Initial Permutation of DES key
One Round Encryption
Mangler Function
[Figure: mangler function. Labels: E (to 48 bits), 48-bit round key Ki, eight pairs of 6-bit groups each combined with +, S-Boxes, 32 bits, Permutation]
Bits Expansion (1-to-m)
Input (bits 1 2 3 4 5 ... 32):          0 0 1 0 1 ... 1
Output (bits 1 2 3 4 5 6 7 8 ... 48):   1 0 0 1 0 1 0 1 ... 1 0
S-Box (Substitute and Shrink)
• 48 bits ==> 32 bits. (8*6 ==> 8*4)
• 2 bits used to select amongst 4 substitutions
for the rest of the 4-bit quantity
[Figure: S-box Si, i = 1,...,8, with inputs I1 to I6 and outputs O1 to O4; 2 input bits select the row and 4 input bits select the column]
S-Box Examples
Each row and column contain different numbers.
      0   1   2   3   4   5   6   7   8   9 ... 15
0    14   4  13   1   2  15  11   8   3
1     0  15   7   4  14   2  13   1  10
2     4   1  14   8  13   6   2  11  15
3    15  12   8   2   4   9   1   7   5
– Output:
• ABCDE: new MD.