CSE 331: Introduction to Networks and Security Fall 2001 Instructor: Carl A. Gunter Slide Set 6.


Introduction to Security

- Goals: availability, integrity, confidentiality
- Targets: hardware, software, data
- Controls: physical security, limited interface, identification and authorization, encryption
- Analysis of costs and benefits

Progress and Risk

- Security-critical considerations: credit card purchases on the web, voting on the web, banking on the web, mobile agents and active networks
- Safety and security considerations: military systems (e.g. Star Wars), actuators on public networks

Security Requirements

- Banking
- Government
- Public telecommunications carriers
- Corporate / private networks
- Electronic commerce

Banking

- Electronic Funds Transfer (EFT)
- Prosecution of fraud problematic
- Financial system overall at risk
- Automated Teller Machines (ATMs)

Automatic Teller Machines

- Goals
  - Availability: provide automated teller operations 24x7 in convenient locations
  - Integrity: authorized users only, transactional guarantees
  - Confidentiality: private communication with branches or center
- Vulnerabilities and controls
- Risk analysis and liabilities

Government

- National security, of course, but also "unclassified but sensitive information" must not be disclosed. Example: Social Security web page.
- Electronic signatures approved for government contractors.

Public Telecom Carriers

- Operations, Administration, Maintenance, and Provisioning (OAM&P)
- Customer network management complexities
- Theft by hackers
- Unauthorized eavesdropping
- Availability is a key concern
- Significant insider risks

Corporate Private Networks

Completely private networks are becoming a thing of the past because of telecommuting.

Protection of proprietary information of course, but also concerns like privacy in the health care industry.

Foreign government threat?

Electronic Commerce

- Electronic Data Interchange (EDI)
- Electronic contracts need to be binding
- ABA Resolution: "recognize that information in electronic form, where appropriate, may be considered to satisfy legal requirements regarding a writing or signature to the same extent as information on paper or in other conventional forms, when appropriate security techniques, practices, and procedures have been adopted."

Three Scenarios

- Vera buys a lathe
- Inter-corporate trading
- Nola's electronic market

Vera Buys a Lathe

Vera, owner of Vera’s Manufacturing, shops for a lathe on the internet using WWW.

She finds the desired product from Danielle’s Machine Makers and makes the order using a web form provided by Danielle’s.

Danielle's confirms that the order really comes from Vera's Manufacturing.

Vera Pays for the Lathe

She sends her credit card number, suitably encrypted.

She sends an EDI payment order remittance advice transaction set instructing Vera’s bank to credit Danielle’s bank account.

She uses an online payment mechanism like a credit-card based payment protocol or electronic check.

The lathe is delivered through the usual distribution channels.

Inter-Corporate Trading

Danielle’s Machine Makers is a medium-sized company in Canada with long-established requirements for high-grade steel which it buys from Steelcorp.

Steelcorp aims to reduce costs of customer transactions by using secure messaging with its regular customers.

Origin and confidentiality of all correspondence must be ensured.

Nola’s Electronic Market

Nola is an entrepreneurial small businessperson who works from her home basement.

She buys items from suppliers willing to do business wholly electronically and sells them through a WWW storefront.

Effective marketing of the web page and very low overhead provide Nola’s competitive edge.

Legal Support

Mostly by analogy with other commerce rules, but there are challenges.

How to satisfy traditional legal requirements for reduction of agreements to signed writings.

How to apply rules of evidence.

Interpreting, adapting, and complying with existing legal standards for electronic transactions.

Goals of Security

(Figure: the three security goals applied to data: integrity, availability, confidentiality.)

Safety and Security

Many things in common and some major differences.

Some similarities aid understanding of both.

- System vs. environment
- Accident vs. security breach
- Hazard vs. vulnerability

System vs. Environment (Safety)

(Figure: nested boxes labelled Environment and System.)

System vs. Environment (Security)

(Figure: nested boxes labelled System and Environment.)

Accident and Security Breach

- Accident: loss of life, injury, damage to property
- Security breach: secret is revealed, service is disabled, data is altered, messages are fabricated

Accident Definition

An accident is an undesired and unplanned (but not necessarily unexpected) event that results in (at least) a specified level of harm.

Define breach similarly. A security threat is a possible form of breach.

Hazards and Vulnerabilities

- Hazard: no fire alarms, no fire extinguishers, rags close to furnace
- Vulnerability: password too short, secret sent in plaintext over a public network, files not write protected

Hazard Definition

A hazard is a state or set of conditions of a system that, together with other conditions in the environment of the system, will lead inevitably to an accident.

Define security vulnerability similarly.

Other Terms

- Asset: object of value.
- Exposure: threat to an asset.
- Attack: effort by an agent to exploit a vulnerability and create a breach.

Major Threats

- Interruption
- Interception
- Modification
- Fabrication

Major Assets

- Hardware
- Software
- Data

Threats to Hardware

- Interruption: crash, performance degradation
- Interception: theft
- Modification: tapping
- Fabrication: spoofed devices

Threats to Software Code

- Interruption: deletion, reset protection
- Interception: theft
- Modification: Trojan horse, logic bomb, virus, back door, information leak
- Fabrication: spoofing software distribution on the web

Threats to Software Processes

- Interruption: bad inputs
- Interception: attacks on agents
- Modification: of exploited data
- Fabrication: service spoofing (man-in-the-middle)

Threats to Data

Interruption: deletion, perceived integrity violation

Interception: eavesdropping, snooping memory

Modification: alteration of important information

Fabrication: spoofing web pages

Principles of Security

Easiest Penetration: An intruder must be expected to use any available means of penetration.

Adequate Protection: Computer items must be protected only until they lose their value. They must be protected to a degree consistent with their value.

Effectiveness: Controls must be used to be effective. They must be efficient, easy to use, and appropriate.

Controls

- Physical security
- Limited interface
- Identification and authorization
- Encryption

Breakdown of S/W Controls

- Program controls, as exercised by the programmer or as dictated by the programming language or programming environment
- Operating system controls
- Development process controls

Basic Encryption

- Monoalphabetic substitution ciphers
- Polyalphabetic substitution ciphers
- Transposition ciphers
- Other hiding techniques
- Stream versus block ciphers

Circumstances

(Figure: sender S sends a message over transmission medium T to receiver R; interceptor O sits on the medium.)

What Can O Do to a Message?

- Block it (availability)
- Intercept it (confidentiality)
- Modify it (integrity)
- Fabricate another (integrity)

Terminology

- Encryption / decryption
- Encode / decode
- Plaintext / ciphertext
- Cryptography: hidden writing.
- Cryptanalysis: uncovering what is hidden.

Monoalphabetic Substitution

Substitute one letter for another. This creates "confusion".

Keyless Encryption

C = E(P) and P = D(C), so P = D(E(P)). Transmit E(P); the receiver applies D.

Select D and E so that:
- without knowing D or E it is hard to discover P from E(P), and
- it is feasible to know and apply D and E.

Caesar Cipher (Original)

E(p) = p + 3 (mod 26)
D(c) = c - 3 (mod 26)

Easy to recall and calculate D and E. Create a table:

Plaintext:  T R E A T Y I M P O S S I B L E
Ciphertext: w u h d w b l p s r v v l e o h

Plain:  A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
Cipher: d e f g h i j k l m n o p q r s t u v w x y z a b c

Encryption Strategy: Confusion

The Caesar cipher confuses the letters of the alphabet, causing the result to look like gibberish.

As we applied it in the previous example, a space is interpreted as a space, providing no confusion.

Note: changing one letter of plaintext changes exactly one letter of ciphertext.

Algorithm vs. Key

Moreover: it is hard to keep D and E secret if they are much used, and cryptanalysis is possible.

To address the first of these problems assume: the algorithm is known, but the key is not known.

Encryption with a Key

Symmetric key: C = E(K, P), P = D(K, C), so P = D(K, E(K, P)).

Asymmetric key: C = E(Kpublic, P), P = D(Kprivate, C), so P = D(Kprivate, E(Kpublic, P)).

Permutation

Generalize Caesar cipher to allow other ways to permute the alphabet.

What is now called a Caesar cipher is any choice of an offset n: E(p) = (n + p) (mod 26). The number n is the key.

Generalize further: use any permutation as a key.

To encode, apply the key to each letter.

To decode, apply the inverse of the key to each letter.

Sample Permutations

Example: a passphrase like "this is a long key" can be a key: write its distinct letters in order, then the unused letters of the alphabet.

Example: take every third letter: E(p) = (3 * p) (mod 26). (The multiplier must be relatively prime to 26, or the map is not a permutation; 3 is.)

Plain:  A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
Cipher: t h i s a l o n g k e y b c d f j m p q r u v w x z

Plain:  A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
Cipher: a d g j m p s v y b e h k n q t w z c f i l o r u x

Cryptanalysis of Monoalphabetic Ciphers

There are 26! permutation keys, so it is not feasible to try all possible keys.

Mapping a space to itself is a big clue: try to guess short words.

Look for common English repeated letters like "ss" or "oo".

Exploit frequency information.

wklv phvvdjh lv qrw wrr kdug wr euhdn
T--- ------- -- -OT TOO ---- TO -----

Sample Ciphertext

hqfubswlrq lv d phdqv ri dwwdlqlqj vhfxuh frppxqlfdwlrq ryhu lqvhfxuh fkdqqhov eb xvlqj hqfubswlrq zh glvjxlvh wkh phvvdjh vr wkdw hyhq li wkh wudqvplvvlrq lv glyhuwhg wkh phvvdjh zloo qrw eh uhyhdohg

Note that the ciphertext letter h is as common here as e is in English: the cipher preserves letter frequencies, it only relabels them.

Caesar Cipher Example

Decrypting the sample ciphertext above with shift 3 gives:

ENCRYPTION IS A MEANS OF ATTAINING SECURE COMMUNICATION OVER INSECURE CHANNELS BY USING ENCRYPTION WE DISGUISE THE MESSAGE SO THAT EVEN IF THE TRANSMISSION IS DIVERTED THE MESSAGE WILL NOT BE REVEALED

Polyalphabetic Cipher

To beat frequency analysis we need to break the connection between frequently occurring ciphertext letters and frequently occurring plaintext letters.

This could be done by varying the translation of letters.

Consider using one translation for letters in even positions and a different one for letters in odd positions.

Two Table Cipher

First table
Plain:  A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
Cipher: a d g j m p s v y b e h k n q t w z c f i l o r u x

Second table
Plain:  A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
Cipher: n s x c h m r w b g l q v a f k p u z e j o t y d i

Example translation (first table for odd positions, second table for even positions)
Plaintext:  TREAT YIMPO SSIBL E
Ciphertext: fumnf dyvtv czysh h

Vigenère Tableau

The distribution can be further flattened by picking complementary permutations.

Another approach: use more tables. A Vigenère tableau is a collection of 26 permutations, one Caesar shift for each letter of the alphabet; the current key letter selects which shift encrypts the current plaintext letter.

Sample Encryption Using a Vigenere Tableau

Encrypt "but soft, what light through yonder window breaks?" using the keyword juliet:

Key:        julie tjuli etjul ietju lietj uliet julie tjuli e
Plaintext:  BUTSO FTWHA TLIGH TTHRO UGHYO NDERW INDOW BREAK S
Ciphertext: koeas ycqsi ...
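The substitution ciphers of the last several slides and the attacks on them (frequency analysis of a shift cipher, the index of coincidence for finding a Vigenère period), as an added Python example that is not part of the original slides. The English letter frequencies are approximate published values; the function names and the 0.06 index-of-coincidence threshold are choices made here, not notation from the slides.

```python
import math
import string
from collections import Counter

ALPHABET = string.ascii_uppercase

# Approximate letter frequencies (%) of English text, used to score candidate decryptions.
ENGLISH_FREQ = {
    'A': 8.17, 'B': 1.49, 'C': 2.78, 'D': 4.25, 'E': 12.70, 'F': 2.23, 'G': 2.02,
    'H': 6.09, 'I': 6.97, 'J': 0.15, 'K': 0.77, 'L': 4.03, 'M': 2.41, 'N': 6.75,
    'O': 7.51, 'P': 1.93, 'Q': 0.10, 'R': 5.99, 'S': 6.33, 'T': 9.06, 'U': 2.76,
    'V': 0.98, 'W': 2.36, 'X': 0.15, 'Y': 1.97, 'Z': 0.07,
}

def letters_only(text):
    """Upper-case A-Z only: spaces and punctuation would leak word boundaries."""
    return ''.join(ch for ch in text.upper() if ch in ALPHABET)

def shift_key(n):
    """The Caesar cipher with offset n as a 26-letter permutation: E(p) = (n + p) mod 26."""
    return ''.join(ALPHABET[(i + n) % 26] for i in range(26))

def multiplier_key(k):
    """E(p) = k * p mod 26; this is a permutation only when gcd(k, 26) = 1."""
    if math.gcd(k, 26) != 1:
        raise ValueError(f"multiplier {k} is not invertible mod 26")
    return ''.join(ALPHABET[(k * i) % 26] for i in range(26))

def passphrase_key(phrase):
    """Distinct letters of the passphrase in order, then the unused letters A-Z."""
    key = ''
    for ch in letters_only(phrase) + ALPHABET:
        if ch not in key:
            key += ch
    return key

def substitute(text, key, decrypt=False):
    """Monoalphabetic substitution: apply the permutation (or its inverse) letter by letter."""
    table = str.maketrans(key, ALPHABET) if decrypt else str.maketrans(ALPHABET, key)
    return letters_only(text).translate(table)

def chi_squared(text):
    """Distance between the text's letter histogram and English; lower is more English-like."""
    counts, n = Counter(text), len(text)
    return sum((counts[c] - ENGLISH_FREQ[c] * n / 100) ** 2 / (ENGLISH_FREQ[c] * n / 100)
               for c in ALPHABET)

def break_shift(ciphertext):
    """Frequency attack on a shift cipher: try all 26 keys, keep the most English-looking."""
    return min(range(26),
               key=lambda n: chi_squared(substitute(ciphertext, shift_key(n), decrypt=True)))

def vigenere(text, keyword, decrypt=False):
    """Polyalphabetic substitution: letter i is shifted by keyword[i mod len(keyword)]."""
    key = [ALPHABET.index(k) for k in letters_only(keyword)]
    out = []
    for i, ch in enumerate(letters_only(text)):
        k, p = key[i % len(key)], ALPHABET.index(ch)
        out.append(ALPHABET[(p - k) % 26 if decrypt else (p + k) % 26])
    return ''.join(out)

def index_of_coincidence(text):
    """Chance that two letters drawn from the text match: about 0.066 for English,
    1/26 = 0.038 for uniformly random letters. A shift cipher leaves it unchanged."""
    n, counts = len(text), Counter(text)
    return sum(c * (c - 1) for c in counts.values()) / (n * (n - 1))

def estimate_period(ciphertext, max_period=20, threshold=0.06):
    """Vigenère period guess: the smallest column spacing whose columns (each a
    single shift cipher) have an English-like index of coincidence."""
    for period in range(1, max_period + 1):
        columns = [ciphertext[i::period] for i in range(period)]
        if all(len(col) > 1 for col in columns):
            if sum(map(index_of_coincidence, columns)) / period > threshold:
                return period
    return None

def recover_keyword(ciphertext, period):
    """With the period known, each column is a Caesar cipher: break them one at a time."""
    return ''.join(ALPHABET[break_shift(ciphertext[i::period])] for i in range(period))
```

The shift-cipher attack needs only a few dozen letters of ciphertext; the Vigenère attack splits the text into `period` columns and attacks each column the same way, so it needs roughly `period` times as much ciphertext to be reliable.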

One-Time Pad

Using a Vigenère tableau with a key as long as the message, so that no key letter is ever reused, defeats the techniques we have discussed.

Indeed, if the key is truly random and used only once, this is an unbreakable cipher. Its disadvantage is the long keys required.

History of the One Time Pad

G. Vernam patented an idea for telegraph encryption in 1919. This was based on punched tape from a teletype. 32 alphabets were used in no regular pattern.

W. Kunze, R. Schauffler, and E. Langlotz developed an approach to German diplomatic correspondence circa 1921-1923 from which the name “one time pad” derives.

Pads of 50 numbered sheets were used, with 48 five-digit groups on each. No sheets were used twice; they were destroyed after use.

Binary Vernam Cipher

Long Random Sequences

- Middle digits from numbers in a phone book
- Book of prose? Danger: frequency analysis possible!
- Pseudo-random number generators
  - Linear congruential random number generator: seed r(0), constants a, b, n; r(i+1) = (a * r(i) + b) mod n
  - Probable word attack: a guessed stretch of plaintext exposes consecutive keystream values, and solving the resulting family of equations recovers the generator's constants
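The binary Vernam cipher keyed by a linear congruential generator, and the probable-word attack the slide alludes to, as an added Python example (not from the slides). The message, the seed and the constants are constructed here; the modulus n = 251 is assumed to be public (a prime, so that every non-zero difference of outputs has an inverse), while the seed r(0) and the constants a, b are the secret.

```python
N = 251  # public modulus: prime, so every non-zero difference of outputs has an inverse

def lcg(seed, a, b, n=N):
    """Yield r(1), r(2), ... from r(i+1) = (a * r(i) + b) mod n."""
    r = seed
    while True:
        r = (a * r + b) % n
        yield r

def vernam(data, keystream):
    """Binary Vernam cipher: XOR each byte with the next keystream value.
    The same call decrypts, since XOR is its own inverse."""
    return bytes(byte ^ next(keystream) for byte in data)

def recover_lcg(r1, r2, r3, n=N):
    """Three consecutive outputs give two equations in the unknowns a and b:
         r2 = a*r1 + b (mod n),   r3 = a*r2 + b (mod n)
    Subtracting eliminates b:  r3 - r2 = a*(r2 - r1), so a = (r3 - r2) * (r2 - r1)^-1."""
    diff = (r2 - r1) % n
    if diff == 0:
        raise ValueError("r1 == r2: need a later triple to solve for a")
    a = (r3 - r2) * pow(diff, -1, n) % n
    b = (r2 - a * r1) % n
    return a, b

def probable_word_attack(ciphertext, probable_prefix, n=N):
    """Guess the first few plaintext bytes, XOR them out to expose keystream values,
    solve for (a, b), then run the generator forward to decrypt the rest."""
    if len(probable_prefix) < 3:
        raise ValueError("need at least three keystream values")
    exposed = [c ^ p for c, p in zip(ciphertext, probable_prefix)]
    a, b = recover_lcg(*exposed[:3], n)
    # Every further exposed value must be predicted by (a, b), or the guess was wrong.
    for prev, cur in zip(exposed, exposed[1:]):
        if (a * prev + b) % n != cur:
            raise ValueError("probable word inconsistent with an LCG keystream")
    rest = vernam(ciphertext[len(exposed):], lcg(exposed[-1], a, b, n))
    return bytes(probable_prefix) + rest, (a, b)

if __name__ == "__main__":
    message = b"The quick brown fox jumps over the lazy dog"   # constructed sample
    ciphertext = vernam(message, lcg(seed=17, a=33, b=54))
    plaintext, constants = probable_word_attack(ciphertext, b"The ")
    print(constants, plaintext)
```

The point of the example is the contrast with a true one-time pad: a pad has no equations to solve, whereas the LCG's whole future is fixed by three outputs, so a few bytes of guessed plaintext unlock the entire message.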

Transpositions (Permutations)

The order of the letters can be altered.

Columnar transposition example

Memory issues.

S M A
L L E
X A M
P L E

Reading down the columns: slxpm lalae me (plaintext SMALL EXAMPLE)

Larger Example

THIS IS A MESSAGE TO SHOW HOW A COLUMNAR TRANSPOSITION WORKS

This is encoded using 5 columns and 10 rows.

T H I S I
S A M E S
S A G E T
O S H O W
H O W A C
O L U M N
A R T R A
N S P O S
I T I O N
W O R K S

Cryptanalysis using Digrams

How Many Columns?
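Columnar transposition and the two cryptanalysis questions posed by the last two slide titles, as an added Python example that is not part of the original slides. The digram weights are approximate English frequencies of the fifty commonest letter pairs, and the scoring rule (sum of weights over adjacent pairs, best score over the divisors of the length) is a simple heuristic chosen here.

```python
import math

# Approximate frequencies (%) of the 50 commonest English digrams; the sum of these over
# a candidate plaintext's adjacent pairs is its digram score.
COMMON_DIGRAMS = {
    'TH': 3.56, 'HE': 3.07, 'IN': 2.43, 'ER': 2.05, 'AN': 1.99, 'RE': 1.85, 'ON': 1.76,
    'AT': 1.49, 'EN': 1.45, 'ND': 1.35, 'TI': 1.34, 'ES': 1.34, 'OR': 1.28, 'TE': 1.20,
    'OF': 1.17, 'ED': 1.17, 'IS': 1.13, 'IT': 1.12, 'AL': 1.09, 'AR': 1.07, 'ST': 1.05,
    'TO': 1.04, 'NT': 1.04, 'NG': 0.95, 'SE': 0.93, 'HA': 0.93, 'AS': 0.87, 'OU': 0.87,
    'IO': 0.83, 'LE': 0.83, 'VE': 0.83, 'CO': 0.79, 'ME': 0.79, 'DE': 0.76, 'HI': 0.76,
    'RI': 0.73, 'RO': 0.73, 'IC': 0.70, 'NE': 0.69, 'EA': 0.69, 'RA': 0.69, 'CE': 0.65,
    'LI': 0.62, 'CH': 0.60, 'LL': 0.58, 'BE': 0.58, 'MA': 0.57, 'SI': 0.55, 'OM': 0.55,
    'UR': 0.54,
}

def letters_only(text):
    return ''.join(ch for ch in text.upper() if ch.isalpha())

def columnar_encrypt(text, columns, pad='X'):
    """Write the letters row by row into a grid with the given number of columns
    (padding the last row), then read the grid out column by column."""
    letters = letters_only(text)
    rows = math.ceil(len(letters) / columns)
    letters = letters.ljust(rows * columns, pad)
    return ''.join(letters[r * columns + c] for c in range(columns) for r in range(rows))

def columnar_decrypt(ciphertext, columns):
    """Inverse: refill the grid column by column and read it row by row."""
    if len(ciphertext) % columns:
        raise ValueError("ciphertext length is not a multiple of the column count")
    rows = len(ciphertext) // columns
    return ''.join(ciphertext[c * rows + r] for r in range(rows) for c in range(columns))

def digram_score(text):
    """Transposition keeps single-letter frequencies, so the cryptanalyst scores
    adjacent pairs instead: English has many TH/HE/IN, scrambled text has few."""
    return sum(COMMON_DIGRAMS.get(text[i:i + 2], 0.0) for i in range(len(text) - 1))

def guess_columns(ciphertext):
    """'How many columns?': every divisor of the length is a candidate grid; return the
    one whose row-wise reading has the best digram score."""
    candidates = [c for c in range(2, len(ciphertext)) if len(ciphertext) % c == 0]
    return max(candidates, key=lambda c: digram_score(columnar_decrypt(ciphertext, c)))

if __name__ == "__main__":
    ct = columnar_encrypt("THIS IS A MESSAGE TO SHOW HOW A COLUMNAR TRANSPOSITION WORKS", 5)
    width = guess_columns(ct)
    print(ct, width, columnar_decrypt(ct, width))
```

On a message as short as the slide's (50 letters) the margin between the right grid and the runners-up is small; longer ciphertexts make the digram statistics far more decisive, and a full table of all 676 digram log-probabilities would sharpen the scoring further.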

Other Encryption Ideas

- Open code
- Steganography
- Fractionated Morse code
- Foreign languages
  - 1918: eight Choctaws in Company D, 141st Infantry
  - WWII: about 50,000 Navaho speakers; only 18 non-Navahos could speak the language

Stream and Block Ciphers

Stream ciphers convert one symbol of plaintext immediately into a symbol of ciphertext. Examples: polyalphabetic substitution and Fractionated Morse; columnar transposition is not a stream cipher.

Advantages and Disadvantages

- Advantages: speed; low error propagation
- Disadvantages: low diffusion; susceptibility to attacks on integrity (insertions and modifications)

Block Ciphers

Block ciphers encrypt a group of plaintext symbols as one block. Columnar transposition is an example.

Advantages and Disadvantages

- Advantages: diffusion; immunity to insertions
- Disadvantages: slowness; error propagation

Confusion and Diffusion

Confusion: difficulty in determining how a change in the plaintext will affect the ciphertext.

Diffusion: spreading of the effect of a change in the plaintext to many parts of the ciphertext.

Attacks on Encryption

- Ciphertext only
- Known (or probable) plaintext
- Chosen plaintext: a chosen sample of encrypted plaintext
- Adaptive chosen plaintext: the ability to gain new chosen samples of encrypted plaintext based on existing samples
- Chosen or adaptive chosen ciphertext: temporary access to decryption

Encryption with a Key (Revision)

Symmetric key: C = E(K, P), P = D(K, C), so P = D(K, E(K, P)).

Asymmetric key: C = E(Kpublic, P), P = D(Kprivate, C), so P = D(Kprivate, E(Kpublic, P)).

Definitions

Trusted Third Party (TTP)
- Unconditionally trusted TTP: must be trusted completely.
- Functionally trusted TTP: must be trusted for availability and integrity.

Advantages of Symmetric

- Efficient encryption
- Relatively short keys
- Useful as primitives for various functions (pseudorandom number generators, hash functions, etc.)
- Good composition properties
- Extensive history

Disadvantages of Symmetric

- Key must remain secret at both ends.
- Many key pairs must be managed in a large network. May require an unconditionally trusted TTP.
- Keys must be changed frequently.
- Large keys or a TTP are required for the public verification function of digital signatures.

Advantages of Asymmetric

- Only the private key must be kept secret.
- Key management requires only a functionally trusted TTP.
- Long-lived keys.
- Efficient digital signatures, with relatively small keys for the public verification function.

Disadvantage of Asymmetric

- Lower throughput for encryption.
- Large key sizes.
- Security based on the presumed complexity of a small collection of number-theoretic problems.
- Limited history.

Roundup Comparison

Asymmetric (public) key cryptography facilitates efficient digital signatures and key management.

Symmetric (shared secret) key cryptography provides efficient encryption.

Complementary Use

Use public keys to help establish symmetric key for encrypted session.

Modern Cryptography

- Diffie-Hellman
- RSA
- Hash algorithms
- DES
- Clipper key escrow
- Modes of operation
- Digital signatures

Public Key Cryptography

- Some number theory
- Diffie-Hellman key exchange
- Some more number theory
- RSA public keys

Establishing a Shared Secret

Suppose Alice has an authenticated channel for communicating with Bob.

Alice and Bob wish to use this channel to establish a shared secret.

However, Eve is able to learn everything sent over the channel.

If Alice and Bob have no other channel to use, can they establish a shared secret that Eve does not know?

General Strategy

Alice and Bob exchange information, each keeping a secret to themselves.

The secrets that they keep allow them to compute a shared secret.

Since Eve lacks either of these secrets she is unable to compute the shared secret.

Some Number Theory

Non-negative numbers: 0, 1, 2, 3, … (Whole) numbers: 1, 2, 3, …

Division algorithm: for any numbers a, b with b > 0, there are unique numbers q, r such that 0 <= r < b and a = q*b + r.

Write a mod b for r. Write a ≡ b (mod c) if a mod c = b mod c.

Some More Number Theory

Write a|b if there is a number k such that a*k = b. This is the same as saying b ≡ 0 (mod a).

A number p is prime if it is neither 0 nor 1 and is divisible only by 1 and itself.

Notation for exponentiation: 2**5 = 32. Modular exponentiation: 3**3 ≡ 2 (mod 5).

Primitive Roots

A primitive root of a prime p is a number α such that {α**1 mod p, …, α**(p-1) mod p} = {1, …, p-1}.

Example: 2 is not a primitive root of 7, but 3 is a primitive root of 7.

Diffie-Hellman Key Exchange

Alice and Bob agree on a shared basis: a prime q and a primitive root α of q.

Alice selects a private key XA < q and calculates a public key YA from it using q and α.

Bob does the same to get XB and YB. Alice and Bob exchange their public keys (which are now known to Eve), but keep their private keys.

Diffie-Hellman, continued

Alice knows XA, YA, and YB. Bob knows XB, YB, and YA. Eve knows YA and YB.

Alice combines XA with YB to get S, the shared secret. Bob combines XB with YA to get S, the (same) shared secret.

Eve tries to get S from YA and YB, but gives up in disgust.

What Must Alice and Bob Do?

Select and share the public information: a prime number q and a primitive root α of this prime.

Compute the private and public keys: Alice chooses XA < q at random and takes YA to be α**XA mod q. Bob chooses XB < q at random and takes YB to be α**XB mod q.

They use their respective information to calculate the shared secret: YB**XA ≡ (α**XB)**XA = α**(XA*XB) = (α**XA)**XB ≡ YA**XB (mod q), so both obtain S = α**(XA*XB) mod q.

Realization of the Approach

What must not be possible: use the public information and public keys to compute the shared secret.

Strategy: calculations by Alice and Bob involve modular exponentiation. The obvious calculation by Eve involves discrete logarithms.

Example

Alice and Bob agree that q = 71 and α = 7.

Alice selects a private key XA = 5 and calculates a public key YA ≡ 7**5 ≡ 51 (mod 71). She sends this to Bob.

Bob selects a private key XB = 12 and calculates a public key YB ≡ 7**12 ≡ 4 (mod 71). He sends this to Alice.

Alice calculates the shared secret S ≡ YB**XA ≡ 4**5 ≡ 30 (mod 71).

Bob calculates the shared secret S ≡ YA**XB ≡ 51**12 ≡ 30 (mod 71).
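The exchange above carried through in code, with the slides' numbers (q = 71, α = 7, XA = 5, XB = 12), as an added Python example that is not part of the original slides. The primitive-root test through the prime factors of q-1, the rejection of degenerate public keys, and Eve's brute-force discrete logarithm are additions made here; the function names are this example's own.

```python
import secrets

def prime_factors(n):
    """Trial division, adequate for the toy q here (real q has hundreds of digits)."""
    factors, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            factors.add(d)
            n //= d
        d += 1
    if n > 1:
        factors.add(n)
    return factors

def is_primitive_root(alpha, q):
    """alpha generates {1, ..., q-1} iff alpha^((q-1)/p) != 1 (mod q) for every prime p
    dividing q-1; otherwise its powers cycle through a smaller subgroup."""
    return all(pow(alpha, (q - 1) // p, q) != 1 for p in prime_factors(q - 1))

def dh_keypair(q, alpha, x=None):
    """Private key 1 <= x < q-1 (random unless given), public key Y = alpha^x mod q."""
    if x is None:
        x = secrets.randbelow(q - 2) + 1
    return x, pow(alpha, x, q)

def dh_shared_secret(peer_public, x, q):
    """S = Y_peer^x mod q. Rejecting 0, 1 and q-1 stops a peer from forcing a trivial
    secret (a check added here, not on the slides)."""
    if not 1 < peer_public < q - 1:
        raise ValueError("degenerate public key")
    return pow(peer_public, x, q)

def discrete_log(alpha, y, q):
    """Eve's task: the x with alpha^x = y (mod q). Exhaustive search costs up to q-1
    multiplications, which is why q must be large."""
    acc = 1
    for x in range(1, q):
        acc = acc * alpha % q
        if acc == y:
            return x
    return None

def run_example():
    """The slides' numbers: returns (YA, YB, Alice's S, Bob's S, Eve's recovered XA)."""
    q, alpha = 71, 7
    xa, ya = dh_keypair(q, alpha, 5)
    xb, yb = dh_keypair(q, alpha, 12)
    s_alice = dh_shared_secret(yb, xa, q)
    s_bob = dh_shared_secret(ya, xb, q)
    return ya, yb, s_alice, s_bob, discrete_log(alpha, ya, q)

if __name__ == "__main__":
    print(is_primitive_root(7, 71), run_example())
```

Nothing here authenticates YA or YB: the slides assume an authenticated channel, and without one an active attacker can substitute her own public keys and share a secret with each side separately.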

Why Does it Work?

Security is provided by the difficulty of calculating discrete logarithms.

Feasibility is provided by:
- the ability to find large primes,
- the ability to find primitive roots for large primes,
- the ability to do efficient modular arithmetic.

Correctness is an immediate consequence of basic facts about modular arithmetic.

More Number Theory Again

Given non-negative numbers a, b, their greatest common divisor gcd(a, b) is the largest number d such that d|a and d|b.

If gcd(a, b) = 1 then a and b are said to be relatively prime.

Theorem: If gcd(a, b) = 1 then there is a number k such that a*k ≡ 1 (mod b).

Proposition: If p is prime and p|(a*b), then p|a or p|b.

RSA Public Keys

Named for Ron Rivest, Adi Shamir, and Len Adleman, published in 1978.

Most widely known and used public key system.

No shared secret is required.

Key Generation

Pick large random primes p, q. Let n = p*q and φ = (p-1)(q-1).

Choose a random number e such that 1 < e < φ and gcd(e, φ) = 1.

Calculate the unique number d such that 1 < d < φ and d*e ≡ 1 (mod φ).

The public key is {e, n} and the private key is {d, n}.

Encryption and Decryption

Encryption: Suppose we are given a message m represented as a number such that 1 <= m < n. The ciphertext is c where 0 <= c < n and c ≡ m**e (mod n).

Decryption: Given c and the private key {d, n}, calculate c**d ≡ (m**e)**d = m**(d*e) ≡ m (mod n).

Why Does it Work?

It is secure because it is difficult to find φ or d using only e and n. Finding d is equivalent in difficulty to factoring n as p*q.

It is feasible to encrypt and decrypt because: it is possible to find large primes; it is possible to find relatively prime numbers and their inverses; modular exponentiation is feasible.

Why Does it Work? continued

Theorem (Fermat): If p is a prime and gcd(m, p) = 1 then m**(p-1) ≡ 1 (mod p).

Lemma 1: If p, q are distinct primes and a ≡ b (mod p) and a ≡ b (mod q), then a ≡ b (mod p*q).

Lemma 2: For the RSA numbers e, d, p, q, we have m**(e*d) ≡ m (mod p) and m**(e*d) ≡ m (mod q). Proof: e*d = 1 + k*(p-1)*(q-1) for some k, so m**(e*d) = m * (m**(p-1))**(k*(q-1)) ≡ m (mod p) by Fermat's theorem when p does not divide m, and trivially (both sides are 0) when it does; the same argument works modulo q.

Corollary: m**(d*e) ≡ m (mod p*q). (That is, decrypting the ciphertext yields the plaintext modulo p*q.)

Large Primes

Not feasible to check for divisors. The Fermat test is effective: look for numbers p that satisfy Fermat's theorem for enough values a < p. (Caveat: Carmichael numbers such as 561 satisfy it for every a relatively prime to them, so the Fermat test alone can be fooled.)

Theorem: If p is prime, then 1 and -1 are the only values of x that solve the equation x**2 ≡ 1 (mod p).

The Miller-Rabin algorithm looks for other solutions to this equation; finding one proves p composite.

Euclid’s Algorithm

Finding relatively prime numbers cannot be done by enumerating all divisors.

Euclid's algorithm: If a, b are non-negative numbers and b > 0, then gcd(a, b) = gcd(b, a mod b).

Since a mod b is less than b, the second argument strictly decreases, so repeated application terminates. It also terminates quickly: the number of steps is proportional to the number of digits of b.

The extended Euclidean algorithm keeps some additional information so that if the result is 1, the additional information includes the inverse of a modulo b.

Modular Exponentiation

Calculating m**e is infeasible if m and e are large.

Fortunately we want m**e (mod n). Even if n is large, this is not difficult. Basic facts:

a*b (mod n) = [(a mod n) * (b mod n)] (mod n)

a**(b*c) = (a**b)**c

The trick of repeated squaring reduces the number of multiplications needed to about 2 * log2(e).
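RSA key generation, encryption and decryption built from the three tools the last slides describe (a primality test, the extended Euclidean algorithm, square-and-multiply exponentiation), as an added Python example that is not part of the original slides. The worked key p = 61, q = 53, e = 17 is a textbook toy, the random key sizes in the test are far too small for real use, and the Fermat-versus-Miller-Rabin comparison on the Carmichael number 561 is an addition made here.

```python
import math
import secrets

def modpow(base, exp, n):
    """Right-to-left square-and-multiply: about 2*log2(exp) multiplications mod n,
    never forming the huge integer base**exp."""
    result, base = 1, base % n
    while exp:
        if exp & 1:
            result = result * base % n
        base = base * base % n
        exp >>= 1
    return result

def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    x0, x1, y0, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0

def modinv(a, n):
    """The k with a*k = 1 (mod n); it exists iff gcd(a, n) = 1."""
    g, x, _ = egcd(a, n)
    if g != 1:
        raise ValueError("not invertible")
    return x % n

def fermat_test(n, bases):
    """Passes if a^(n-1) = 1 (mod n) for every base: true for primes, but also for
    Carmichael numbers such as 561 with every base coprime to them."""
    return all(modpow(a, n - 1, n) == 1 for a in bases)

def miller_rabin(n, rounds=20):
    """Write n-1 = 2^s * d. For a random base a, a^d must reach 1 only by passing through -1,
    because 1 and -1 are the only square roots of 1 modulo a prime."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = modpow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False  # reached 1 via a nontrivial square root, or never reached -1
    return True

def random_prime(bits):
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # right size, odd
        if miller_rabin(candidate):
            return candidate

def rsa_keygen(p, q, e=None):
    """Public key (e, n), private key (d, n): n = p*q, phi = (p-1)(q-1), d*e = 1 (mod phi)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if e is None:
        while True:
            e = secrets.randbelow(phi - 2) + 2
            if math.gcd(e, phi) == 1:
                break
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to phi")
    return (e, n), (modinv(e, phi), n)

def rsa_encrypt(m, public_key):
    e, n = public_key
    if not 0 <= m < n:
        raise ValueError("message must be a number below n")
    return modpow(m, e, n)

def rsa_decrypt(c, private_key):
    d, n = private_key
    return modpow(c, d, n)
```

This is "textbook" RSA exactly as the slides define it: encryption of a bare number is deterministic and malleable, so deployed systems always apply a randomised padding scheme (OAEP for encryption, PSS for signatures) before the exponentiation.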

Hash Algorithms

Reduce a message of variable size to a small digest of fixed size.

For an ideal n-bit hash, the probability that a randomly chosen message maps to a given digest value is 2**-n.

Example: The NIST Secure Hash Algorithm takes a message of less than 2**64 bits and produces a digest of 160 bits.

Uses for Hashing Algorithms

Hash functions without secret keys are used:
- to condense a message for a digital signature,
- to check the integrity of an input if the hash has been previously recorded.
Such functions are called Modification Detection Codes (MDCs).

Hash functions that use secret keys are called Message Authentication Codes (MACs). They are used for data origin authentication.

Properties of MDC’s

Hash functions h for cryptographic use as MDCs fall in one or both of the following classes.

Collision Resistant Hash Function (CRHF): it should be computationally infeasible to find two distinct inputs x, y that hash to a common value (i.e. h(x) = h(y)).

One Way Hash Function (OWHF): given a specific hash value y, it should be computationally infeasible to find an input x such that h(x) = y.

Secure Hash Algorithm

Pad the message so it can be divided into 512-bit blocks; the padding includes a 64-bit value giving the length of the original message.

Process each block as 16 32-bit words W(t), for t from 0 to 15.

Expand from these 16 words to 80 words by defining, for each t from 16 to 79: W(t) := W(t-3) ⊕ W(t-8) ⊕ W(t-14) ⊕ W(t-16). (SHA-1, the 1995 revision, additionally rotates this word left by one bit; the unrotated recurrence is the original 1993 SHA, now called SHA-0.)
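A from-scratch SHA-1 following the padding and message-schedule description above, cross-checked against `hashlib`, as an added Python example that is not part of the original slides. The round constants, initial chaining variables and round functions are those of the SHA-1 standard; the one-bit left rotation in the schedule is the SHA-1 (not SHA-0) variant.

```python
import hashlib
import struct

MASK32 = 0xFFFFFFFF
INITIAL_STATE = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)

def rotl32(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32

def pad_message(message):
    """Append a 1 bit (0x80), zeros up to 448 bits mod 512, then the original length in
    bits as a 64-bit big-endian number, giving a whole number of 512-bit blocks. The
    64-bit length field is why SHA-1 is defined for messages below 2^64 bits."""
    bit_length = len(message) * 8
    padded = message + b'\x80'
    padded += b'\x00' * ((56 - len(padded) % 64) % 64)
    return padded + struct.pack('>Q', bit_length)

def message_schedule(block):
    """16 big-endian words from the block, expanded to 80 by the recurrence above.
    The rotate-left-by-one is the change that turned the 1993 SHA into SHA-1."""
    w = list(struct.unpack('>16I', block))
    for t in range(16, 80):
        w.append(rotl32(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], 1))
    return w

def compress(state, block):
    """One block through the 80 rounds; the five chaining variables are updated by
    adding the round results to the incoming state."""
    a, b, c, d, e = state
    for t, w in enumerate(message_schedule(block)):
        if t < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif t < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif t < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        temp = (rotl32(a, 5) + (f & MASK32) + e + k + w) & MASK32
        a, b, c, d, e = temp, a, rotl32(b, 30), c, d
    return tuple((s + v) & MASK32 for s, v in zip(state, (a, b, c, d, e)))

def sha1(message):
    """160-bit digest as 40 hex characters."""
    state = INITIAL_STATE
    data = pad_message(message)
    for i in range(0, len(data), 64):
        state = compress(state, data[i:i + 64])
    return ''.join(f'{h:08x}' for h in state)

def reference_sha1(message):
    """The standard library's SHA-1, for cross-checking."""
    return hashlib.sha1(message).hexdigest()

if __name__ == "__main__":
    print(sha1(b"abc"), reference_sha1(b"abc"))
```

The chaining structure is worth noticing: the digest is just the final chaining state, so anyone who knows H(M) and the length of M can continue hashing from that state. That is why a keyed MAC needs the HMAC construction rather than a plain H(K || M).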

SHA

Chaining Variables

NBS Requirements for DES

- Provide a high level of security.
- Completely specified and easy to understand.
- Security must not depend on secrecy of the algorithm.
- Available to all users.
- Adaptable for diverse applications.
- Economical to implement in electronic devices.
- Efficient to use.
- Able to be validated.
- Exportable.

DES History

Based on the Lucifer algorithm of IBM. The algorithm developed by IBM for NBS became known as the Data Encryption Standard.

Assistance provided by NSA. Official name in the US: Data Encryption Algorithm (DEA). Official name internationally: Data Encryption Algorithm-1 (DEA-1).

DES Algorithm

Based on a product of substitution and permutation ciphers applied in rounds.

DES Characterized

- Substitution-Permutation (SP) network
- Iterated block cipher: sequential repetition of a round function
- Feistel cipher: iterated cipher on halved inputs, combined at each round in a specific way

(Figure: the DES Feistel structure: initial permutation IP, sixteen round functions f1, f2, …, f16, each combined with the other half by bitwise exclusive or and followed by a twist (swap of the halves), then the final permutation IP^-1.)

Types of Relations

Summary

- 64-bit keys with every 8th bit designated as a parity bit, thus 56 significant bits
- Rotations and choice permutations on the original key are used to create 16 subkeys K(i), each 48 bits
- f(i)(R(i-1)) = g(R(i-1), K(i)), where g(R(i-1), K(i)) = P(S(E(R(i-1)) ⊕ K(i))); E is an expansion permutation, S is a substitution, and P is a permutation

Subkeys

Start with the 56 significant bits of the key and divide them into two 28-bit halves.

Apply a left circular shift to each half, using a per-round table (not reproduced here) to indicate how much to shift.

Subkeys continued

After the shifts, concatenate the two 28-bit halves and use a second table (not reproduced here) to select 48 of these bits.

Expansion Permutation E

E is applied to 32 bit vector R(I-1) to obtain a 48 bit vector. It is defined by the following table

“S Box” Substitutions S

S is applied to the result of the exclusive-or combination of the expansion of R(i-1) and the subkey K(i). It is essentially a substitution cipher on 6-bit words, mapping them to 4-bit words, defined by a table (not reproduced here).

S Boxes Continued

Use the first and last bit of the 6-bit block to determine the row, and the middle 4 bits to determine the column.

Example: input 011011 to box S4. The outer bits 01 give row 1; the inner bits 1101 give column 13; the entry there is 10 (decimal), i.e. 1010 (binary).

End-of-Round Permutation P

After applying the S box substitutions a permutation is made using the following table

(Figure: data flow of the round function g(R(i-1), K(i)) = P(S(E(R(i-1)) ⊕ K(i))): the 32-bit R(i-1) is expanded by E to 48 bits and XORed with the 48-bit subkey K(i); the 48 bits are split into 8 groups of 6 bits; the S-boxes S1 … S8 map each 6-bit group to 4 bits, giving 32 bits, which the permutation P rearranges.)

Final Permutation IP Inverse

DES Properties

Each bit of the ciphertext depends on all bits of the key and all bits of the plaintext.

There is no statistical relationship evident between plaintext and ciphertext.

Altering any single plaintext or key bit alters each ciphertext bit with probability 1/2.

Altering a ciphertext bit results in an unpredictable change to the recovered plaintext.

Weak and Semi-Weak Keys

A weak key is a key K such that E(K, E(K, x)) = x for all x. That is, E(K, -) is an involution.

DES has 4 weak keys. A pair of DES keys K and L is semi-weak if E(K, E(L, x)) = x for all x. That is, encryption under K acts like decryption under L.

DES has 6 semi-weak key pairs. These arise when the subkeys K(1), …, K(16) correspond to L(16), …, L(1): since decryption is encryption with the subkeys in reverse order, the Feistel structure then makes E(K, -) the inverse of E(L, -). A weak key is the special case where the subkey sequence is its own reverse.
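A toy Feistel cipher with a DES-style key schedule, showing the two structural facts behind the Feistel slide and the weak/semi-weak key slide: decryption is encryption with the subkeys reversed, a palindromic subkey sequence makes E(K, E(K, x)) = x, and two keys with mutually reversed schedules form a semi-weak pair. This is an added Python example, not code from the slides: the round function, the key-half combination and the weak keys it exhibits are made up here and are NOT DES; only the 16 rounds, the 32-bit halves, the final swap and the DES per-round shift amounts are borrowed.

```python
MASK32 = 0xFFFFFFFF
# DES per-round left rotations of the key halves; they sum to 28, a full rotation.
SHIFTS = [1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1]

def rotl32(x, n):
    n %= 32
    return ((x << n) | (x >> (32 - n))) & MASK32

def round_function(right, subkey):
    """Toy f(R, K): any function will do, because a Feistel cipher never inverts it."""
    t = ((right ^ subkey) * 0x9E3779B1) & MASK32
    return rotl32(t, 13) ^ (t >> 7)

def subkeys(key):
    """DES-style schedule: split the 64-bit key into halves C and D, rotate each
    cumulatively by the DES amounts, and combine the halves into a 32-bit subkey."""
    c, d = key >> 32, key & MASK32
    out = []
    for s in SHIFTS:
        c, d = rotl32(c, s), rotl32(d, s)
        out.append(c ^ d)
    return out

def feistel(block, round_keys):
    """Sixteen rounds of (L, R) -> (R, L xor f(R, K_i)), then the final swap ("twist")
    that makes the same function with reversed keys the inverse."""
    left, right = block >> 32, block & MASK32
    for k in round_keys:
        left, right = right, left ^ round_function(right, k)
    return (right << 32) | left

def encrypt(key, block):
    return feistel(block, subkeys(key))

def decrypt(key, block):
    return feistel(block, subkeys(key)[::-1])

def is_weak(key):
    """Weak key: the subkey sequence is a palindrome, so E(K, E(K, x)) = x."""
    ks = subkeys(key)
    return ks == ks[::-1]

def is_semi_weak_pair(key1, key2):
    """Semi-weak pair: K's schedule is L's reversed, so E(K, E(L, x)) = x."""
    return subkeys(key1) == subkeys(key2)[::-1]

if __name__ == "__main__":
    x = 0x0123456789ABCDEF
    k1, k2 = 0x0000000055555555, 0x00000000AAAAAAAA   # alternating halves, as in DES
    print(is_semi_weak_pair(k1, k2), hex(encrypt(k1, encrypt(k2, x))))
```

The key 0x0000000055555555 and its partner mirror how the DES semi-weak keys arise: a half whose bits alternate 0101… is turned into 1010… by an odd rotation and back again by an even one, and the DES shift schedule is arranged so that the resulting sequence read backwards is the sequence for the complementary half. A key whose halves are all zeros (or all ones) is rotation-invariant, so every subkey is identical and the sequence is trivially a palindrome.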

Security and Law Enforcement

Wire taps by law enforcement agencies are allowed when approved by a court.

Can a wire tap succeed against a triple-DES encrypted conversation?

Aims of key escrow: provide strong symmetric key security, and provide for wire taps on encrypted communications.

Key Escrow

NSA Clipper Program

- Key split into two parts, held by two government agencies.
- Law enforcement officials with good cause can obtain a court order and get the two key halves.
- Encryption algorithm classified. NSA to provide only hardware embodiments of the algorithm.

Keys and Fields

Skipjack algorithm: 80-bit keys encrypting 64-bit blocks in 32 rounds.

D(K, E(K, M)) = M as usual.

Law Enforcement Access Field (LEAF): E(f, E(u, k) || n || a), where
- f is an 80-bit family key common to all Clipper chips,
- u is an 80-bit unit-specific key,
- k is an 80-bit session key,
- n is a 32-bit identifier for the unit,
- a is a 16-bit escrow authenticator (checksum).

Clipper Message Fields

Who Knows What

- Known to law enforcement agencies: the family key f.
- Split between two government agencies: the unit key u.
- Indexed by each agency: the identifier n.

“Wire Tapping” Protocol

- Intercept the communication
- Determine that the encoding uses Clipper
- Decrypt E(f, E(u, k) || n || a) with the family key f to get n
- Deliver n and the court order to the escrow agencies
- Get the two halves of u
- Use u to decrypt E(u, k) to get k
- Use k to decrypt the session

Capstone

Clipper chip: implements encryption and appending of LEAF.

Capstone cryptographic device: performs basic algorithm together with key exchange, hashing, and digital signature authentication.

Capstone also known as Tessera. Clipper program also known as Mosaic.

Panel Conclusions about Clipper

There is no significant risk that Skipjack will be broken by exhaustive search in the next 30 to 40 years.

There is no significant risk that Skipjack will be broken through a shortcut method of attack.

The strength of Skipjack encryption does not depend on the secrecy of the algorithm.

Revision on Cryptography

- Public (asymmetric) key systems: Diffie-Hellman, RSA
- Hash functions (collision resistant, one way): SHA-1
- Secret (symmetric) key systems: DES

Modes of Operation

- Electronic codebook (ECB) mode
- Cipher block chaining (CBC) mode
- Cipher feedback (CFB) mode
- Output feedback (OFB) mode

For details, see section 7.2.2 in: Handbook of Applied Cryptography, A. J. Menezes, P. C. van Oorschot, and S. A. Vanstone, 1996.

Electronic Codebook (ECB)

Encrypt each block individually.

Properties:
- Identical plaintext blocks yield identical ciphertext blocks.
- Order matters, but each successive block can be enciphered without regard to previous blocks.
- Bit errors affect only the block in which they occur.

ECB Figure

Block Replay

Cipher Block Chaining (CBC)

Take the exclusive or of each plaintext block with the previous ciphertext block before encrypting.

Properties:
- Depends on an initialization vector (IV).
- Each ciphertext block depends on all previous plaintext blocks.
- Bit errors in a ciphertext block propagate to two plaintext blocks: the corresponding block is garbled and the same bits of the next block are flipped. ("Self-synchronizing.")

CBC Figure

Cipher Feedback (CFB)

Encrypt the previous ciphertext (held in a shift register) to produce a key stream segment, which is XORed with a plaintext unit that can be shorter than a full block.

Properties:
- Depends on an initialization vector (IV).
- Ciphertext depends on all previous plaintext blocks.
- Self-synchronizing: bit errors in ciphertext propagate to a limited number of blocks.

CFB Figure

Output Feedback (OFB)

Like CFB, but the key stream is produced by re-encrypting the previous key stream block rather than the ciphertext.

Properties: like CFB, but the key stream is independent of the input plaintext and can therefore be pre-computed.

OFB Figure

Digital Signatures

Notation for symmetric keys: E(K, P) encrypts plaintext P using key K; D(K, C) decrypts ciphertext C using key K.

Notation for an asymmetric key pair A: EA(P) encrypts P (using the public part of A); DA(C) decrypts C (using the private part of A).

Digital signature: DA(P) signs P (using the private part of A); EA(DA(P)) = P verifies the signature on P (using the public part of A).

Formal Definition of Signature

Cryptography: Theory and Practice, Douglas R. Stinson,CRC Press, 1995.

(Illustration)

(Illustration)

Data Authentication Algorithm

To create a Message Authentication Code (MAC), use DES and CBC.

Let D1, D2, …, Dn be the 64-bit blocks of the message, padded with zeros. Use an IV of zeros.

O1 = E(K, D1)
O2 = E(K, D2 ⊕ O1)
…
On = E(K, Dn ⊕ O(n-1))

On is the Data Authentication Code (DAC).
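The four modes of operation and the Data Authentication Algorithm above, run over a toy 64-bit block cipher so that their error-propagation and block-replay properties can be observed directly, as an added Python example that is not part of the original slides. The block cipher is an invertible xor-multiply-rotate toy constructed here (NOT DES and not secure; it only needs to be a keyed bijection), CFB is shown in its full-block form, and the sample plaintext and key are constructed.

```python
MASK64 = (1 << 64) - 1
MULT = 0x9E3779B97F4A7C15            # odd, so x -> x*MULT mod 2^64 is invertible
MULT_INV = pow(MULT, -1, 1 << 64)
ROUNDS = 4

def rotl64(x, n):
    return ((x << n) | (x >> (64 - n))) & MASK64

def block_encrypt(key, block):
    """Toy 64-bit block cipher: xor a round key, multiply by an odd constant, rotate.
    Only its being a keyed bijection matters for the modes below."""
    for r in range(ROUNDS):
        block = rotl64(((block ^ (key + r)) & MASK64) * MULT & MASK64, 17)
    return block

def block_decrypt(key, block):
    for r in reversed(range(ROUNDS)):
        block = (rotl64(block, 64 - 17) * MULT_INV & MASK64) ^ ((key + r) & MASK64)
    return block

def to_blocks(data):
    if len(data) % 8:
        raise ValueError("data must be a whole number of 8-byte blocks")
    return [int.from_bytes(data[i:i + 8], 'big') for i in range(0, len(data), 8)]

def from_blocks(values):
    return b''.join(v.to_bytes(8, 'big') for v in values)

def ecb_encrypt(key, plaintext):
    """Each block on its own: equal plaintext blocks give equal ciphertext blocks."""
    return from_blocks(block_encrypt(key, p) for p in to_blocks(plaintext))

def ecb_decrypt(key, ciphertext):
    return from_blocks(block_decrypt(key, c) for c in to_blocks(ciphertext))

def cbc_encrypt(key, iv, plaintext):
    """C_i = E(P_i xor C_{i-1}), with C_0 = IV."""
    out, prev = [], iv
    for p in to_blocks(plaintext):
        prev = block_encrypt(key, p ^ prev)
        out.append(prev)
    return from_blocks(out)

def cbc_decrypt(key, iv, ciphertext):
    """P_i = D(C_i) xor C_{i-1}: a damaged C_i garbles P_i and flips the same bits of P_{i+1}."""
    out, prev = [], iv
    for c in to_blocks(ciphertext):
        out.append(block_decrypt(key, c) ^ prev)
        prev = c
    return from_blocks(out)

def cfb_crypt(key, iv, data, decrypt=False):
    """Full-block CFB: key stream block = E(previous ciphertext block). Only the
    encryption direction of the block cipher is ever used."""
    out, prev = [], iv
    for x in to_blocks(data):
        y = block_encrypt(key, prev) ^ x
        prev = x if decrypt else y
        out.append(y)
    return from_blocks(out)

def ofb_crypt(key, iv, data):
    """OFB: key stream block = E(previous key stream block), independent of the data, so
    it can be precomputed and a ciphertext bit error flips exactly one plaintext bit."""
    out, state = [], iv
    for x in to_blocks(data):
        state = block_encrypt(key, state)
        out.append(state ^ x)
    return from_blocks(out)

def daa_mac(key, message):
    """Data Authentication Algorithm: zero-pad to whole blocks, CBC with a zero IV,
    keep only the final ciphertext block."""
    padded = message + b'\x00' * (-len(message) % 8)
    return cbc_encrypt(key, 0, padded)[-8:]

def flip_bit(data, byte_index, bit):
    """Simulate a one-bit transmission error."""
    b = bytearray(data)
    b[byte_index] ^= 1 << bit
    return bytes(b)
```

Two things the test exercises are worth stating in words. In ECB the repeated plaintext block "ATTACK AT DAWN!!" produces a repeated ciphertext block, which is the block-replay weakness; CBC hides it because every block is first XORed with the previous ciphertext. And the DAA's zero padding makes "message" and "message\x00" authenticate to the same code, so a DAA tag only authenticates a message whose length is fixed or transmitted separately.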

Internet MAC

Modular use of a cryptographic hash function for a MAC:
- use existing kinds of hash functions,
- avoid significant degradation in the performance of hashing,
- well-understood cryptographic analysis.

HMAC

Cryptographic hash function H. Key K, expanded to K+ to match the block size of the hash. Pads: opad and ipad. Message M.

O = K+ ⊕ opad
I = K+ ⊕ ipad
HMAC(K, M) = H(O || H(I || M))
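The HMAC formula above implemented over `hashlib`'s SHA-1 and cross-checked against the standard library's `hmac` module, as an added Python example that is not part of the original slides. The pad bytes 0x36 and 0x5C and the key-normalisation rule (keys longer than the hash block are hashed first, shorter ones are zero-padded to K+) come from the HMAC specification (RFC 2104); the constant-time verification helper is an addition made here.

```python
import hashlib
import hmac

BLOCK_SIZE = 64          # bytes: the internal block size of SHA-1 (and MD5, SHA-256)
IPAD, OPAD = 0x36, 0x5C  # pad bytes, repeated to the block size

def hmac_sha1(key, message):
    """HMAC(K, M) = H((K+ xor opad) || H((K+ xor ipad) || M)), with K+ the key brought
    to the hash block size: longer keys are hashed first, shorter ones zero-padded."""
    if len(key) > BLOCK_SIZE:
        key = hashlib.sha1(key).digest()
    k_plus = key.ljust(BLOCK_SIZE, b'\x00')
    inner = bytes(b ^ IPAD for b in k_plus)   # I = K+ xor ipad
    outer = bytes(b ^ OPAD for b in k_plus)   # O = K+ xor opad
    return hashlib.sha1(outer + hashlib.sha1(inner + message).digest()).digest()

def reference_hmac_sha1(key, message):
    """The standard library's implementation, for cross-checking."""
    return hmac.new(key, message, hashlib.sha1).digest()

def verify(key, message, tag):
    """Constant-time comparison: an early-exit compare would leak how many tag bytes matched."""
    return hmac.compare_digest(hmac_sha1(key, message), tag)

if __name__ == "__main__":
    tag = hmac_sha1(b"\x0b" * 20, b"Hi There")   # RFC 2202 test case 1
    print(tag.hex(), verify(b"\x0b" * 20, b"Hi There", tag))
```

The two nested hashes are what distinguish HMAC from the naive keyed hash H(K || M): because the outer hash is applied to the inner digest under a different key variant, an attacker who learns a tag cannot extend the message the way the chaining structure of SHA-1 would otherwise allow.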