7/30/2019 CNS UNITS 1
UNIT - I INTRODUCTION
Computer data often travels from one computer to another, leaving the safety of its protected physical surroundings. Once the data is out of hand, people with bad intentions could modify or forge it, either for amusement or for their own benefit.
Cryptography can reformat and transform our data, making it safer on its trip between computers. The technology is based on the essentials of secret codes, augmented by modern mathematics that protects our data in powerful ways.
- Computer Security: generic name for the collection of tools designed to protect data and to thwart hackers
- Network Security: measures to protect data during their transmission
- Internet Security: measures to protect data during their transmission over a collection of interconnected networks
THE OSI SECURITY ARCHITECTURE
To assess effectively the security needs of an organization and to evaluate and choose various security products and policies, the manager responsible for security needs some systematic way of defining the requirements for security and characterizing the approaches to satisfying those requirements. The OSI security architecture focuses on security attacks, mechanisms, and services.
These can be defined briefly as follows:
Threats and Attacks (RFC 2828)
Threat
A potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm. That is, a threat is a possible danger that might exploit a vulnerability.
Attack
An assault on system security that derives from an intelligent threat; that is, an intelligent
act that is a deliberate attempt (especially in the sense of a method or technique) to evade
security services and violate the security policy of a system.
Security Attacks, Services and Mechanisms
To assess the security needs of an organization effectively, the manager responsible for security needs some systematic way of defining the requirements for security and characterizing the approaches to satisfying those requirements. One approach is to consider three aspects of information security:
Security attack: Any action that compromises the security of information owned by an organization.
Security mechanism: A mechanism that is designed to detect, prevent or recover from a security attack.
Security service: A service that enhances the security of the data processing systems and the information transfers of an organization. The services are intended to counter security attacks, and they make use of one or more security mechanisms to provide the service.
SECURITY SERVICES
The classification of security services is as follows:
Confidentiality: Ensures that the information in a computer system and transmitted information are accessible only for reading by authorized parties (e.g., printing, displaying and other forms of disclosure count as access).
Authentication: Ensures that the origin of a message or electronic document is correctly identified, with an assurance that the identity is not false.
Integrity: Ensures that only authorized parties are able to modify computer system assets and transmitted information. Modification includes writing, changing status, deleting, creating and delaying or replaying of transmitted messages.
Non-repudiation: Requires that neither the sender nor the receiver of a message be able to deny the transmission.
Access control: Requires that access to information resources may be controlled by or for the target system.
Availability: Requires that computer system assets be available to authorized parties when needed.
Security Services (X.800)
AUTHENTICATION
The assurance that the communicating entity is the one that it claims to be.
1. Peer Entity Authentication
Used in association with a logical connection to provide confidence in the identity of the entities connected.
2. Data Origin Authentication
In a connectionless transfer, provides assurance that the source of received data is as claimed.
ACCESS CONTROL
The prevention of unauthorized use of a resource (i.e., this service controls who can have
access to a resource, under what conditions access can occur, and what those accessing the
resource are allowed to do).
DATA CONFIDENTIALITY
The protection of data from unauthorized disclosure.
1. Connection Confidentiality
The protection of all user data on a connection.
2. Connectionless Confidentiality
The protection of all user data in a single data block.
3. Selective-Field Confidentiality
The confidentiality of selected fields within the user data on a connection or in a single data block.
4. Traffic Flow Confidentiality
The protection of the information that might be derived from observation of traffic flows.
DATA INTEGRITY
1. Connection Integrity with Recovery
Provides for the integrity of all user data on a connection and detects any modification, insertion, deletion, or replay of any data within an entire data sequence, with recovery attempted.
2. Connection Integrity without Recovery
As above, but provides only detection without recovery.
3. Selective-Field Connection Integrity
Provides for the integrity of selected fields within the user data of a data block transferred over a connection and takes the form of determination of whether the selected fields have been modified, inserted, deleted, or replayed.
4. Connectionless Integrity
Provides for the integrity of a single connectionless data block and may take the form of detection of data modification. Additionally, a limited form of replay detection may be provided.
5. Selective-Field Connectionless Integrity
Provides for the integrity of selected fields within a single connectionless data block; takes the form of determination of whether the selected fields have been modified.
NONREPUDIATION
Provides protection against denial by one of the entities involved in a communication of
having participated in all or part of the communication.
1. Nonrepudiation, Origin
Proof that the message was sent by the specified party.
2. Nonrepudiation, Destination
Proof that the message was received by the specified party.
SECURITY MECHANISMS
One of the most specific security mechanisms in use is cryptographic techniques. Encryption or encryption-like transformations of information are the most common means of providing security. Some of the mechanisms are:
1. Encipherment
Reversible Encipherment Mechanism
It is an encryption algorithm that allows data to be encrypted and
subsequently decrypted
Irreversible Encipherment Mechanism
Irreversible mechanisms include hash algorithms and message authentication codes, which are used in digital signatures and message authentication applications.
2. Digital Signature
SECURITY ATTACKS
Security attacks are classified in terms of:
- Passive attacks
- Active attacks
Passive Attacks
Passive attacks are in the nature of eavesdropping on, or monitoring of, transmissions.
The goal of the opponent is to obtain information that is being transmitted. Passive attacks are of
two types:
1. Release of message contents: A telephone conversation, an e-mail message and a transferred file may contain sensitive or confidential information. We would like to prevent the opponent from learning the contents of these transmissions.
2. Traffic analysis: If we had encryption protection in place, an opponent might still be able to observe the pattern of the messages. The opponent could determine the location and identity of the communicating hosts and could observe the frequency and length of messages being exchanged. This information might be useful in guessing the nature of the communication that was taking place.
Passive attacks are very difficult to detect because they do not involve any alteration of data.
However, it is feasible to prevent the success of these attacks.
Active Attacks
These attacks involve some modification of the data stream or the creation of a false stream. These attacks can be classified into four categories:
1. Masquerade: One entity pretends to be a different entity.
2. Replay: Involves the passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect.
3. Modification of messages: Some portion of a message is altered, or messages are delayed or reordered, to produce an unauthorized effect.
4. Denial of service: Prevents or inhibits the normal use or management of communication facilities. Another form of service denial is the disruption of an entire network, either by disabling the network or by overloading it with messages so as to degrade performance.
It is quite difficult to prevent active attacks absolutely, because to do so would require physical protection of all communication facilities and paths at all times. Instead, the goal is to detect them and to recover from any disruption or delays caused by them.
CLASSICAL ENCRYPTION TECHNIQUES
Symmetric and public key algorithms
Encryption/decryption methods fall into two categories:
- Symmetric key
- Public key
In symmetric key algorithms, the encryption and decryption keys are known to both sender and receiver. The encryption key is shared and the decryption key is easily calculated from it. In many cases, the encryption and decryption keys are the same.
In public key cryptography, the encryption key is made public, but it is computationally infeasible to find the decryption key without the information known to the receiver.
Some basic terminology used:
plaintext - the original message
ciphertext - the coded message
cipher - algorithm for transforming plaintext to ciphertext
key - information used in the cipher, known only to sender/receiver
encipher (encrypt) - converting plaintext to ciphertext
decipher (decrypt) - recovering plaintext from ciphertext
cryptography - study of encryption principles/methods
cryptanalysis (codebreaking) - the study of principles/methods of deciphering ciphertext without knowing the key
cryptology - the field of both cryptography and cryptanalysis
SYMMETRIC CIPHER MODEL
The symmetric cipher model has 5 ingredients:
1. Plaintext: the original message, fed into the algorithm as input
2. Encryption Algorithm: performs substitutions/transformations on the plaintext
3. Secret Key: the exact substitutions/transformations performed by the algorithm depend on the key
4. Ciphertext: the scrambled message produced as output
5. Decryption Algorithm: the inverse of the encryption algorithm
Also referred to as conventional / private-key / single-key encryption:
- sender and recipient share a common key
- all classical encryption algorithms are private-key
Two requirements for secure use of symmetric encryption:
- A strong encryption algorithm
- A secret key known only to sender / receiver
Y = EK(X)
X = DK(Y)
Assume the encryption algorithm is known.
This implies a secure channel is needed to distribute the key.
(Diagram: Refer Page No. 26 in Cryptography & Network Security by William Stallings, 3rd Edition)
Plaintext X = [X1, X2, ..., XM], where M is the number of letters in the message.
Key K = [K1, K2, ..., KJ]
Ciphertext Y = [Y1, Y2, ..., YN]
Y = EK(X)
To invert the transformation:
X = DK(Y)
Cryptography
Cryptographic systems are generally classified along 3 independent dimensions:
1. The type of operations used for transforming plaintext to ciphertext. All encryption algorithms are based on two general principles:
Substitution, in which each element in the plaintext is mapped into another element.
Transposition, in which elements in the plaintext are rearranged.
2. The number of keys used
If the sender and receiver use the same key, then it is said to be symmetric key (or single key, or conventional) encryption.
If the sender and receiver use different keys, then it is said to be public key encryption.
3. The way in which the plaintext is processed
A block cipher processes the input one block of elements at a time, producing an output block for each input block.
A stream cipher processes the input elements continuously, producing output elements one at a time, as it goes along.
Cryptanalysis
The process of attempting to discover X or K or both is known as cryptanalysis. The strategy used by the cryptanalyst depends on the nature of the encryption scheme and the information available to the cryptanalyst. There are various types of cryptanalytic attacks based on the amount of information known to the cryptanalyst:
- Ciphertext only: A copy of the ciphertext alone is known to the cryptanalyst.
- Known plaintext: The cryptanalyst has a copy of the ciphertext and the corresponding plaintext.
- Chosen plaintext: The cryptanalyst gains temporary access to the encryption machine. They cannot open it to find the key; however, they can encrypt a large number of suitably chosen plaintexts and try to use the resulting ciphertexts to deduce the key.
- Chosen ciphertext: The cryptanalyst obtains temporary access to the decryption machine, uses it to decrypt several strings of symbols, and tries to use the results to deduce the key.
- Brute-force attack: The attacker tries every possible key on a piece of ciphertext until an intelligible translation into plaintext is obtained.
SUBSTITUTION TECHNIQUES
A substitution technique is one in which the letters of plaintext are replaced by other letters or by numbers or symbols. If the plaintext is viewed as a sequence of bits, then substitution involves replacing plaintext bit patterns with ciphertext bit patterns.
(i) Caesar cipher (or) shift cipher
The earliest known use of a substitution cipher, and the simplest, was by Julius Caesar. The Caesar cipher involves replacing each letter of the alphabet with the letter standing 3 places further down the alphabet.
Ex: Plaintext: pay more money
Ciphertext: SDB PRUH PRQHB
Note that the alphabet is wrapped around, so that letter following z is a.
For each plaintext letter p, substitute the cipher text letter c such that
C = E(p) = (p + 3) mod 26
A shift may be any amount, so the general Caesar algorithm is
C = E(p) = (p + k) mod 26
where k takes on a value in the range 1 to 25. The decryption algorithm is simply
P = D(C) = (C - k) mod 26
(ii) Monoalphabetic Cipher
Shuffle the letters and map each plaintext letter to a different random ciphertext letter.
Plain letters: abcdefghijklmnopqrstuvwxyz
Cipher letters: DKVQFIBJWPESCXHTMYAUOLRGZN
Plaintext: ifwewishtoreplaceletters
Ciphertext: WIRFRWAJUHYFTSDVFSFUUFYA
Monoalphabetic Cipher Security
Now we have a total of 26! ≈ 4 x 10^26 keys. With so many keys, it is secure against brute-force attacks.
But not secure against some cryptanalytic attacks.
Problem is language characteristics.
Language Statistics and Cryptanalysis
Human languages are not random.
Letters are not equally frequently used.
In English, E is by far the most common letter, followed by T, R, N, I, O, A, S.
Other letters like Z, J, K, Q, X are fairly rare.
There are tables of single, double & triple letter frequencies for various languages
Relative frequency (%) of letters in a sample text (the text itself is not reproduced in these notes):
P 13.33   H 5.83   F 3.33   B 1.67   C 0.00
Z 11.67   D 5.00   W 3.33   G 1.67   K 0.00
S  8.33   E 5.00   Q 2.50   Y 1.67   L 0.00
U  8.33   V 4.17   T 2.50   I 0.83   N 0.00
O  7.50   X 4.17   A 1.67   J 0.83   R 0.00
M  6.67
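The Caesar and monoalphabetic ciphers above, together with the language-statistics weakness, as an added example (not code from the notes). It implements the general shift k, a keyed monoalphabetic substitution, a letter-frequency table, and the check that the most frequent ciphertext letter gives away a Caesar shift; the sample sentence is constructed.

```python
from collections import Counter
import string

ALPHABET = string.ascii_lowercase


def caesar_encrypt(plaintext: str, k: int) -> str:
    """General Caesar cipher: C = (p + k) mod 26 for each letter.
    Output is upper case as in the notes; non-letters pass through unchanged."""
    out = []
    for ch in plaintext.lower():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + k) % 26].upper())
        else:
            out.append(ch)
    return "".join(out)


def caesar_decrypt(ciphertext: str, k: int) -> str:
    """P = (C - k) mod 26, i.e. encryption with the negated shift."""
    return caesar_encrypt(ciphertext, -k).lower()


def mono_encrypt(plaintext: str, cipher_alphabet: str) -> str:
    """Monoalphabetic substitution: one fixed, shuffled cipher alphabet of 26 letters.
    Each plaintext letter always maps to the same ciphertext letter, so the
    ciphertext keeps the letter-frequency profile of the plaintext."""
    if sorted(cipher_alphabet.lower()) != list(ALPHABET):
        raise ValueError("cipher alphabet must be a permutation of a-z")
    table = str.maketrans(ALPHABET, cipher_alphabet.upper())
    return plaintext.lower().translate(table)


def letter_frequencies(text: str) -> dict:
    """Relative frequency (%) of each letter in the text, most common first."""
    letters = [c for c in text.upper() if c.isalpha()]
    counts = Counter(letters)
    return {c: round(100.0 * n / len(letters), 2) for c, n in counts.most_common()}


def guess_caesar_shift(ciphertext: str) -> int:
    """Language-statistics check: assume the most frequent ciphertext letter stands
    for E (the most common English letter) and solve for the shift k."""
    most_common = next(iter(letter_frequencies(ciphertext)))
    return (ALPHABET.index(most_common.lower()) - ALPHABET.index("e")) % 26


# Constructed sample sentence, long enough for E to dominate the statistics.
SAMPLE = "we are discovered save yourself flee at once before the enemy sees the message"
```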
(iii) Playfair cipher
The Playfair cipher is a multiple-letter encryption cipher.
The Playfair algorithm is based on the use of a 5x5 matrix of letters constructed using a keyword.
Let the keyword be monarchy. The matrix is constructed by filling in the letters of the keyword (minus duplicates) from left to right and from top to bottom, and then filling in the remainder of the matrix with the remaining letters in alphabetical order.
The letters i and j count as one letter.
Plaintext is encrypted two letters at a time according to the following rules:
1. Repeating plaintext letters that would fall in the same pair are separated with a filler letter such as x.
2. Plaintext letters that fall in the same row of the matrix are each replaced by the letter to the right, with the first element of the row following the last.
3. Plaintext letters that fall in the same column are each replaced by the letter beneath, with the top element of the column following the last.
4. Otherwise, each plaintext letter is replaced by the letter that lies in its own row and the column occupied by the other plaintext letter.
M O N A R
C H Y B D
E F G I/J K
L P Q S T
U V W X Z
Plaintext = meet me at the school house
Splitting two letters as a unit => me et me at th es ch ox ol ho us ex
Corresponding cipher text => CL KL CL RS PD IL HY AV MP HF XL IU
Strength of Playfair cipher
The Playfair cipher is a great advance over simple monoalphabetic ciphers.
Since there are 26 letters, 26 x 26 = 676 digrams are possible, so identification of individual digrams is more difficult.
Frequency analysis is much more difficult.
(iv) Polyalphabetic ciphers
Another way to improve on the simple monoalphabetic technique is to use different monoalphabetic substitutions. The general name for this approach is polyalphabetic cipher. All the techniques have the following features in common:
1. A set of related monoalphabetic substitution rules is used.
2. A key determines which particular rule is chosen for a given transformation.
(v) Vigenère cipher
In this scheme, the set of related monoalphabetic substitution rules consists of the 26 Caesar ciphers with shifts of 0 through 25. Each cipher is denoted by a key letter, e.g., the Caesar cipher with a shift of 3 is denoted by the key value 'd' (since a=0, b=1, c=2 and so on). To aid in understanding the scheme, a matrix known as the Vigenère tableau is constructed.
Vigenère tableau (rows: key letter; columns: plaintext letter; columns l to w omitted):
      a b c d e f g h i j k ... x y z
  a   A B C D E F G H I J K ... X Y Z
  b   B C D E F G H I J K L ... Y Z A
  c   C D E F G H I J K L M ... Z A B
  d   D E F G H I J K L M N ... A B C
  e   E F G H I J K L M N O ... B C D
  f   F G H I J K L M N O P ... C D E
  g   G H I J K L M N O P Q ... D E F
  :   : : : : : : : : : : :     : : :
  x   X Y Z A B C D E F G H ... U V W
  y   Y Z A B C D E F G H I ... V W X
  z   Z A B C D E F G H I J ... W X Y
Each of the 26 ciphers is laid out horizontally, with the key letter for each cipher to its left. A normal alphabet for the plaintext runs across the top.
The process of encryption is simple:
Given a key letter x and a plaintext letter y, the ciphertext letter is at the intersection of the row labeled x and the column labeled y; in this case, the ciphertext is V.
To encrypt a message, a key is needed that is as long as the message. Usually, the key is a repeating keyword.
e.g., key        = d e c e p t i v e d e c e p t i v e d e c e p t i v e
      plaintext  = w e a r e d i s c o v e r e d s a v e y o u r s e l f
      ciphertext = Z I C V T W Q N G R Z G V T W A V Z H C Q Y G L M G J
Decryption is equally simple:
The key letter again identifies the row. The position of the ciphertext letter in that row determines the column, and the plaintext letter is at the top of that column.
Strength of Vigenère cipher
1. There are multiple ciphertext letters for each plaintext letter.
2. Letter frequency information is obscured.
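The Vigenère tableau, the repeating-keyword encryption and the row/column decryption described above, as an added example (not code from the notes). The tableau entry is computed as (key + plaintext) mod 26 rather than stored; the last function shows the strength claim by listing which ciphertext letters stand for one plaintext letter in the deceptive example.

```python
import string

A = string.ascii_lowercase


def tableau_entry(key_letter: str, plain_letter: str) -> str:
    """Row = key letter, column = plaintext letter; the entry is the Caesar shift by the key letter."""
    return A[(A.index(key_letter.lower()) + A.index(plain_letter.lower())) % 26].upper()


def _letters(text: str) -> list:
    return [c for c in text.lower() if c.isalpha()]


def vigenere_encrypt(plaintext: str, keyword: str) -> str:
    """The keyword is repeated until it is as long as the message."""
    if not keyword.isalpha():
        raise ValueError("keyword must contain letters only")
    return "".join(tableau_entry(keyword[i % len(keyword)], p)
                   for i, p in enumerate(_letters(plaintext)))


def vigenere_decrypt(ciphertext: str, keyword: str) -> str:
    """The key letter selects the row; the ciphertext letter's position in that row
    is the column, i.e. plaintext = (ciphertext - key) mod 26."""
    out = []
    for i, c in enumerate(_letters(ciphertext)):
        k = A.index(keyword[i % len(keyword)].lower())
        out.append(A[(A.index(c) - k) % 26])
    return "".join(out)


def ciphertext_letters_for(plain_letter: str, plaintext: str, keyword: str) -> list:
    """All distinct ciphertext letters that one plaintext letter is encrypted to under this keyword;
    more than one letter means the single-letter frequency profile is flattened."""
    ct = vigenere_encrypt(plaintext, keyword)
    return sorted({ct[i] for i, p in enumerate(_letters(plaintext)) if p == plain_letter.lower()})
```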
One Time Pad Cipher
It is an unbreakable cryptosystem. It represents the message as a sequence of 0s and 1s; this can be accomplished by writing all numbers in binary, for example, or by using ASCII. The key is a random sequence of 0s and 1s of the same length as the message. Once a key is used, it is discarded and never used again.
The system can be expressed as follows:
Ci = Pi ⊕ Ki
Ci - ith binary digit of ciphertext
Pi - ith binary digit of plaintext
Ki - ith binary digit of key
⊕ - exclusive OR operation
Thus the ciphertext is generated by performing the bitwise XOR of the plaintext and the key. Decryption uses the same key. Because of the properties of XOR, decryption simply involves the same bitwise operation:
Pi = Ci ⊕ Ki
e.g., plaintext  = 0 0 1 0 1 0 0 1
      key        = 1 0 1 0 1 1 0 0
      -------------------------
      ciphertext = 1 0 0 0 0 1 0 1
Advantage:
- The encryption method is completely unbreakable for a ciphertext-only attack.
Disadvantages:
- It requires a very long key, which is expensive to produce and expensive to transmit.
- Once a key is used, it is dangerous to reuse it for a second message; any knowledge of the first message would give knowledge of the second.
TRANSPOSITION TECHNIQUES
All the techniques examined so far involve the substitution of a ciphertext symbol for a plaintext symbol. A very different kind of mapping is achieved by performing some sort of permutation on the plaintext letters. This technique is referred to as a transposition cipher.
The rail fence is the simplest of such ciphers, in which the plaintext is written down as a sequence of diagonals and then read off as a sequence of rows.
Plaintext = meet at the school house
To encipher this message with a rail fence of depth 2, we write the message as follows:
m e a t e c o l o s
 e t t h s h o h u e
The encrypted message is MEATECOLOSETTHSHOHUE
Row Transposition Ciphers
A more complex scheme is to write the message in a rectangle, row by row, and read the message off column by column, but permute the order of the columns. The order of the columns then becomes the key of the algorithm.
e.g., plaintext = meet at the school house
Key = 4 3 1 2 5 6 7
PT  = m e e t a t t
      h e s c h o o
      l h o u s e
CT  = ESOTCUEEHMHLAHSTOETO
A pure transposition cipher is easily recognized because it has the same letter frequencies as the original plaintext. The transposition cipher can be made significantly more secure by performing more than one stage of transposition. The result is a more complex permutation that is not easily reconstructed.
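The rail fence and row transposition ciphers above as an added example (not code from the notes). The rail fence goes beyond the depth-2 case in the text to any depth, using the zigzag write-down and row read-off, and both ciphers get a decryption routine; the last row of the row transposition may be short, which the decryption handles by computing the column lengths.

```python
def _letters(text: str) -> list:
    return [c for c in text.lower() if c.isalpha()]


def rail_pattern(n: int, depth: int) -> list:
    """Rail (row) index of each of n plaintext positions when written as diagonals."""
    rail, step, pattern = 0, 1, []
    for _ in range(n):
        pattern.append(rail)
        if depth > 1:
            if rail == 0:
                step = 1
            elif rail == depth - 1:
                step = -1
            rail += step
    return pattern


def rail_fence_encrypt(plaintext: str, depth: int) -> str:
    """Read the rails off row by row (depth 2 is the case worked in the notes)."""
    letters = _letters(plaintext)
    pattern = rail_pattern(len(letters), depth)
    return "".join(letters[i] for r in range(depth)
                   for i in range(len(letters)) if pattern[i] == r).upper()


def rail_fence_decrypt(ciphertext: str, depth: int) -> str:
    """Ciphertext position j holds the plaintext letter of the j-th position in (rail, index) order."""
    pattern = rail_pattern(len(ciphertext), depth)
    order = sorted(range(len(ciphertext)), key=lambda i: (pattern[i], i))
    out = [""] * len(ciphertext)
    for ct_index, pt_index in enumerate(order):
        out[pt_index] = ciphertext[ct_index].lower()
    return "".join(out)


def row_transposition_encrypt(plaintext: str, key: list) -> str:
    """Write the message in rows of len(key) columns; read columns in the order the key numbers them."""
    letters = _letters(plaintext)
    ncols = len(key)
    rows = [letters[i:i + ncols] for i in range(0, len(letters), ncols)]
    out = []
    for col in sorted(range(ncols), key=lambda c: key[c]):
        out.extend(row[col] for row in rows if col < len(row))
    return "".join(out).upper()


def row_transposition_decrypt(ciphertext: str, key: list) -> str:
    """Rebuild the columns: the first (n mod ncols) columns are one letter longer than the rest."""
    n, ncols = len(ciphertext), len(key)
    full, extra = divmod(n, ncols)
    col_len = [full + (1 if c < extra else 0) for c in range(ncols)]
    cols, i = {}, 0
    for col in sorted(range(ncols), key=lambda c: key[c]):
        cols[col] = ciphertext[i:i + col_len[col]].lower()
        i += col_len[col]
    return "".join(cols[c][r] for r in range(full + 1) for c in range(ncols) if r < col_len[c])
```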
Rotor Machine
- 1920s: mechanical devices used for automating encryption
- set of independently rotating cylinders through which electrical pulses flow
- each cylinder has an input & output pin for each letter of the alphabet
- implements a version of the Vigenère cipher
- each rotor implements a substitution cipher
- output of each rotor is fed into the next rotor
Steganography
The methods of steganography conceal the existence of the message.
It is time-consuming to construct.
Other techniques:
Character Marking
Selected letters of printed or typewritten text are overwritten in pencil.
Invisible Ink
A number of substances can be used for writing but leave no visible trace until heat or some
chemical is applied to the paper.
Pin Punctures
Small pin punctures on selected letters are ordinarily not visible unless the paper is held up in front of a light.
Typewriter correction ribbon
Used between lines typed with a black ribbon, the results of typing with the correction tape are visible only under a strong light.
Block Cipher Principles
Stream Ciphers and Block Ciphers
A stream cipher, such as the Vigenère cipher, encrypts one letter at a time.
A block cipher, such as the Hill cipher, treats an n-letter block of plaintext as a whole and produces a ciphertext block of equal length.
Motivation for the Feistel Cipher Structure
- most symmetric block ciphers are based on a Feistel cipher structure
- needed since we must be able to decrypt ciphertext to recover messages efficiently
- block ciphers look like an extremely large substitution
- would need a table of 2^64 entries for a 64-bit block
- instead create it from smaller building blocks
- using the idea of a product cipher
(Figure: General n-bit to n-bit Block Substitution)
Feistel Cipher
Feistel proposed the use of a cipher that alternates substitutions and permutations. This is a practical application of a proposal by Claude Shannon to develop a product cipher that alternates confusion and diffusion functions.
Confusion: In Shannon's original definitions, confusion makes the relation between the key and the ciphertext as complex as possible.
Diffusion: Diffusion refers to the property that the statistical structure of the plaintext is dissipated into long-range statistics of the ciphertext.
Feistel Cipher Structure
Horst Feistel devised the Feistel cipher
- based on the concept of an invertible product cipher
- partitions the input block into two halves
- processes them through multiple rounds which
  - perform a substitution on the left data half
  - based on a round function of the right half & subkey
  - then have a permutation swapping the halves
- implements Shannon's S-P net concept
(Classical Feistel Network)
The Feistel network shown in Fig. 1 is a particular form of the substitution-permutation
network.
The input to a Feistel network is a plaintext block of n bits, and a key K. The plaintext
block is divided into two halves, L0 and R0 .
The two halves of the data pass through r rounds of processing and then combine to
produce the ciphertext block.
Each round i has as input L(i-1) and R(i-1), derived from the previous round, as well as a subkey Ki, derived from the overall key K.
In general, the subkeys Ki are different from K and from each other.
In this structure, a substitution is performed via the round function F, and a permutation is performed that interchanges the two halves of the data.
The exact realization of a Feistel network depends on the choices of the following
parameters and design features.
Parameters
Block size: Larger block size means greater security, but reduces encryption/decryption
speed.
Key size: Larger key size means greater security but may decrease encryption/decryption
speed.
Number of rounds: Multiple rounds offer increasing security.
Subkey generation algorithm: Greater complexity in subkey generation leads to greater
security.
Round function: Greater complexity in round function means greater difficulty of
cryptanalysis.
Design Features
Fast Software encryption/decryption
Ease of analysis
Feistel Decryption Algorithm
(Feistel Encryption and Decryption)
The process of decryption with a Feistel network is essentially the same as the encryption process: use the ciphertext as input to the network, but apply the subkeys Ki in reverse order, as shown in the above figure. The reason is explained as follows. Let's consider the last step in encryption, which gives
LE16 = RE15                        (1)
RE16 = LE15 ⊕ F(RE15, K16)         (2)
On the decryption side,
LD1 = RD0 = LE16 = RE15
RD1 = LD0 ⊕ F(RD0, K16)
    = RE16 ⊕ F(RE15, K16)
    = [LE15 ⊕ F(RE15, K16)] ⊕ F(RE15, K16)
    = LE15
The process can be done iteratively. Finally, we will see that the output of the decryption
is the same as the input to the encryption (i.e., original plaintext).
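The Feistel structure and the decryption argument above (same network, subkeys reversed, final swap of the halves), as an added example that is not code from the notes. The round function, the key schedule and the sample block and key are toy values constructed for illustration; feistel_rounds exposes every (Li, Ri) pair so the identity LDi = RE(r-i), RDi = LE(r-i) from the derivation can be checked round by round, and hamming_distance checks the avalanche effect.

```python
HALF_BITS = 32                    # 64-bit block split into two 32-bit halves, as in DES
MASK = (1 << HALF_BITS) - 1


def round_function(right: int, subkey: int) -> int:
    """Toy F(R, K): a strong 32-bit mixer (the murmur3 finalizer) applied to R XOR K.
    It is nonlinear with good avalanche, but this is an illustration, not a real cipher."""
    x = (right ^ subkey) & MASK
    x ^= x >> 16
    x = (x * 0x85EBCA6B) & MASK
    x ^= x >> 13
    x = (x * 0xC2B2AE35) & MASK
    x ^= x >> 16
    return x


def key_schedule(key: int, rounds: int = 16) -> list:
    """Derive one 32-bit subkey K1..Kr from a 64-bit key (toy schedule, assumed)."""
    return [((key >> (i % 32)) ^ (key >> 32) ^ (i * 0x9E3779B9)) & MASK for i in range(rounds)]


def feistel_rounds(block: int, subkeys: list) -> list:
    """Run the network and return the halves (L_i, R_i) after every round, i = 0..r."""
    left, right = (block >> HALF_BITS) & MASK, block & MASK
    halves = [(left, right)]
    for k in subkeys:
        # L_i = R_{i-1};  R_i = L_{i-1} XOR F(R_{i-1}, K_i)
        left, right = right, left ^ round_function(right, k)
        halves.append((left, right))
    return halves


def feistel(block: int, subkeys: list) -> int:
    """Output is the final pair with the halves swapped: R_r || L_r."""
    left, right = feistel_rounds(block, subkeys)[-1]
    return (right << HALF_BITS) | left


def encrypt(block: int, key: int, rounds: int = 16) -> int:
    return feistel(block, key_schedule(key, rounds))


def decrypt(block: int, key: int, rounds: int = 16) -> int:
    """Identical network; only the subkey order is reversed."""
    return feistel(block, key_schedule(key, rounds)[::-1])


def hamming_distance(a: int, b: int) -> int:
    """Number of differing bits, used to observe the avalanche effect."""
    return bin(a ^ b).count("1")


# Constructed sample values (not from the notes).
PLAINTEXT = 0x0F1E2D3C4B5A6978
KEY = 0xA1B2C3D4E5F60718
```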
Data Encryption Standard (DES)
- most widely used block cipher in the world
- adopted in 1977 by NBS (now NIST) as FIPS PUB 46
- encrypts 64-bit data using a 56-bit key
- has widespread use
- there has been considerable controversy over its security
The following topics are covered
1. DES Encryption
a. Initial Permutation
b. Details of Single Round
c. Key Generation
2. DES Decryption
3. The Avalanche Effect
DES Encryption
Initial Permutation (IP):
- The plaintext block undergoes an initial permutation.
- The 64 bits of the block are permuted.
A Complex Transformation:
- The 64-bit permuted block undergoes 16 rounds of complex transformation (using subkeys).
32-bit swap:
- The 32-bit left and right halves of the output of the 16th round are swapped.
Inverse Initial Permutation (IP-1):
- The 64-bit output undergoes a permutation that is the inverse of the initial permutation.
- The 64-bit output is the ciphertext.
The complex processing at each iteration/round:
Li = Ri-1
Ri = Li-1 ⊕ F(Ri-1, Ki)
Details of function F:
It takes a 32-bit input and produces a 32-bit output.
- The 32-bit input is expanded into 48 bits. This is done by permuting and duplicating some bits of the 32 bits.
- An exclusive OR operation is performed between these 48 bits and the 48-bit subkey.
- The 48-bit output of the exclusive OR operation is grouped into 8 groups of 6 bits each.
- Each 6-bit group is fed into a 6-to-4 substitution box that transforms 6 bits to 4 bits.
- The 32-bit output of the 8 substitution boxes is fed into a permutation box.
- The 32-bit output of the permutation box is F(Ri-1, Ki).
Concerns about the key length (56 bits):
- A 56-bit key was adequate in the 70s.
- With faster processors, this encryption method is no longer safe.
DES Decryption
Decryption uses the same algorithm as encryption, except that the application of the subkeys is reversed.
The Avalanche Effect
A change in one bit of the plaintext or one bit of the key should produce a change in
many bits of the ciphertext.
Block Cipher Design Principles
DES Design Criteria
Criteria for S-box
1. No output bit of any S-box should be too close to a linear function of the input bits.
2. Each row of an S-box should include all 16 possible output bit combinations.
3. If 2 inputs to an S-box differ in exactly 1 bit, the outputs differ in at least 2 bits.
4. If 2 inputs to an S-box differ in exactly the 2 middle bits, the outputs differ in at least 2 bits.
5. If 2 inputs to an S-box differ in the first 2 bits and are identical in the last 2 bits, the 2 outputs must not be the same.
Criteria for P-box
1. Of the 4 output bits from each S-box at round i, 2 of them affect middle bits of round (i+1) and the other 2 affect end bits.
The 2 middle bits of the input to an S-box are not shared with adjacent S-boxes.
The end bits (2 left-hand bits and 2 right-hand bits) are shared with adjacent S-boxes.
2. The 4 output bits from each S-box affect 6 different S-boxes on the next round. No 2 affect the same S-box.
3. For 2 S-boxes j, k: if an output bit from Sj affects a middle bit of Sk on the next round, then an output bit from Sk cannot affect a middle bit of Sj. This implies that, for j = k, an output bit from Sj must not affect a middle bit of Sj.
Number of Rounds
The greater the number of rounds, the more difficult it is to perform cryptanalysis.
Known cryptanalytic efforts should require more effort than a simple brute-force key search attack.
Design of Function F
Design Criteria for F
The function F provides the confusion in a Feistel cipher.
It should be difficult to unscramble the substitution performed by F.
F must be nonlinear.
Strict Avalanche Criterion (SAC)
Any output bit j of an S-box should change with probability 1/2 when any single input bit i is inverted, for all i, j.
Bit Independence Criterion (BIC)
Output bits j and k should change independently when any single input bit i is inverted, for all i, j and k.
S-Box Design
Guaranteed Avalanche (GA)
An S-box satisfies GA of a given order if, for a 1-bit input change, at least that many output bits change.
S-box design suggests the following approaches:
Random: Use random digits to generate the entries in the S-box.
Random with testing: Choose S-box entries randomly, then test the results against various criteria and discard those that do not pass.
Human-made: A manual approach with simple mathematics to support it.
Math-made: Generate S-boxes according to mathematical principles.
Key Schedule Algorithm
The key schedule algorithm has received less attention than S-box design.
Its purpose is to generate one subkey for each round.
Block Cipher Modes of Operations
- block ciphers encrypt fixed-size blocks
- e.g. DES encrypts 64-bit blocks with a 56-bit key
- need a way to use them in practice, given that we usually have an arbitrary amount of information to encrypt
- four modes were defined for DES in the ANSI standard ANSI X3.106-1983 Modes of Use
- subsequently there are now 5 modes for DES and AES
- there are block and stream modes
The five modes are:
1. Electronic Codebook Mode (ECB)
2. Cipher Block Chaining Mode (CBC)
3. Cipher Feedback Mode (CFB)
4. Output Feedback Mode (OFB)
5. Counter Mode (CTR)
Electronic Codebook Mode(ECB)
- Plaintext is handled 64 bits at a time.
- Each block is encrypted using the same key.
- If a message is longer than 64 bits, the procedure is to break the message into 64-bit blocks, padding the last block if necessary.
- Decryption is performed one block at a time, using the same key.
Advantage:
- Suitable for transmitting a DES key securely.
Disadvantage:
- The same 64-bit block of plaintext, if it appears more than once in the message, always produces the same ciphertext.
- For lengthy messages, ECB mode may not be secure.
Cipher Block Chaining Mode(CBC)
To overcome the security deficiencies of ECB, the same plaintext block, if repeated, should produce different ciphertext blocks. CBC mode is used to satisfy this requirement.
The input to the encryption algorithm is the XOR of the current plaintext block and the
preceding ciphertext block.
The same key is used for each block.
For decryption, each cipher block is passed through the decryption algorithm.
The result is XORed with the preceding ciphertext block to produce the plaintext block.
Cipher Feedback Mode (CFB)
The message is treated as a stream of bits. If a character stream is being transmitted,
each character can be encrypted and transmitted immediately, so CFB turns the block
cipher into a character-oriented stream cipher.
The unit of transmission is s bits; commonly s = 8 (one character).
A transmission error in one ciphertext unit corrupts the corresponding plaintext unit and
the following 64/s units, i.e. for as long as the erroneous unit remains in the shift
register; after that the error clears and decryption resynchronizes.
Encryption:
A 64-bit shift register is initialized with the initialization vector IV.
The leftmost s bits of the output of the encryption function are XORed with the first
segment of plaintext P1 to produce the first unit of ciphertext C1.
The contents of the shift register are shifted left by s bits and C1 is placed in the
rightmost s bits.
Decryption:
The same scheme is used, except that the received ciphertext unit is XORed with the
output of the encryption function to produce the plaintext unit. Note that the encryption
function, not the decryption function, is used in both directions.
With Ss(X) denoting the leftmost s bits of X:
C1 = P1 ⊕ Ss(EK(IV))
P1 = C1 ⊕ Ss(EK(IV))
Output Feedback Mode (OFB)
OFB is similar in structure to CFB.
The difference is that in OFB the output of the encryption function itself is fed back
to the shift register, rather than the ciphertext unit, so the keystream does not depend
on the plaintext or the ciphertext.
Advantages:
o Bit errors in transmission do not propagate.
o Example: if a bit error occurs in C1, only the recovered value of P1 is affected;
subsequent plaintext units are not corrupted.
Disadvantage:
o OFB is more vulnerable to a message stream modification attack than CFB: flipping a
bit of the ciphertext flips the same bit of the recovered plaintext, and the change is
not detected.
Counter Mode (CTR)
A counter, equal in size to the plaintext block, is used.
The counter value must be different for each plaintext block that is encrypted (and must
never be reused with the same key). A counter is initialized to some value and then
incremented by 1 for each subsequent block; each counter value is encrypted and the
result is XORed with the plaintext block.
Advantages:
Hardware efficiency
Software efficiency
Preprocessing
Random access
Provable security
Simplicity
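As an added worked example (not part of these notes), the five modes above implemented in Python over a small 64-bit Feistel cipher built from SHA-256. The Feistel cipher, the PKCS#7-style padding, the sample key, IV, nonce and plaintext are all assumptions made for this example; the cipher is a stand-in for DES so the code runs without a crypto library, and CFB is written with s-byte rather than s-bit units. The helpers at the end let you reproduce the two properties the notes describe: ECB leaks repeated plaintext blocks while CBC does not, and a single ciphertext bit error corrupts two blocks in CBC, one byte in OFB and CTR, and one byte plus the next 8 in CFB.

```python
import hashlib

BLOCK = 8  # 64-bit blocks, the DES block size the notes use

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round_function(key, half, rnd):
    # Round function of the toy Feistel cipher: SHA-256(key || round || half) truncated to 32 bits.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]

def encrypt_block(key, block):
    # 8-round Feistel network: a demonstration cipher (assumption), NOT DES or AES. It exists
    # only so the modes below run offline without a crypto library.
    left, right = block[:4], block[4:]
    for rnd in range(8):
        left, right = right, xor(left, _round_function(key, right, rnd))
    return right + left

def decrypt_block(key, block):
    # Undo the Feistel rounds in reverse order (needed by ECB and CBC decryption only).
    right, left = block[:4], block[4:]
    for rnd in reversed(range(8)):
        left, right = xor(right, _round_function(key, left, rnd)), left
    return left + right

def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def pad(msg):
    # PKCS#7-style padding: always appends 1..BLOCK bytes, so the last block is unambiguous.
    n = BLOCK - len(msg) % BLOCK
    return msg + bytes([n]) * n

def unpad(msg):
    return msg[:-msg[-1]]

# ECB: every block is encrypted on its own, so equal plaintext blocks give equal ciphertext blocks.
def ecb_encrypt(key, pt):
    return b"".join(encrypt_block(key, b) for b in blocks(pad(pt)))

def ecb_decrypt(key, ct):
    return unpad(b"".join(decrypt_block(key, b) for b in blocks(ct)))

# CBC: each plaintext block is XORed with the previous ciphertext block (the IV for the first).
def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for b in blocks(pad(pt)):
        prev = encrypt_block(key, xor(b, prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for b in blocks(ct):
        out.append(xor(decrypt_block(key, b), prev))
        prev = b
    return unpad(b"".join(out))

# CFB with s-byte units: the shift register holds the most recent BLOCK bytes of ciphertext.
def cfb_crypt(key, iv, data, decrypt=False, s=1):
    out, reg = [], iv
    for i in range(0, len(data), s):
        unit = data[i:i + s]
        o = xor(unit, encrypt_block(key, reg)[:s])  # leftmost s bytes of E_K(register)
        out.append(o)
        reg = (reg + (unit if decrypt else o))[-BLOCK:]  # the ciphertext unit is what is fed back
    return b"".join(out)

# OFB: the cipher output itself is fed back, so the keystream is independent of the data.
def ofb_crypt(key, iv, data):
    out, reg = [], iv
    for i in range(0, len(data), BLOCK):
        reg = encrypt_block(key, reg)
        out.append(xor(data[i:i + BLOCK], reg))
    return b"".join(out)

# CTR: keystream block i is E_K(nonce || i); blocks are independent, which allows random access.
def ctr_crypt(key, nonce, data):
    out = []
    for i, off in enumerate(range(0, len(data), BLOCK)):
        out.append(xor(data[off:off + BLOCK], encrypt_block(key, nonce + i.to_bytes(4, "big"))))
    return b"".join(out)

def flip_bit(data, index):
    # Simulate a single transmission bit error in byte `index` of the ciphertext.
    out = bytearray(data)
    out[index] ^= 0x01
    return bytes(out)

def corrupted_bytes(original, recovered):
    # Indices at which the recovered plaintext differs from the original.
    return [i for i, (a, b) in enumerate(zip(original, recovered)) if a != b]

# Constructed sample inputs (not from the notes). Blocks 0 and 1 of PT are identical on purpose.
KEY = b"sixteen byte key"
IV = b"init vec"             # one 8-byte block
NONCE = b"\x00\x01\x02\x03"   # 4 bytes; the 4-byte block counter fills the rest of the block
PT = b"SAME BLKSAME BLKMORE TEXFOLLOWS!"
```

Compare `blocks(ecb_encrypt(KEY, PT))[0]` with `[1]` (equal) against the same two blocks under `cbc_encrypt` (different), then feed `flip_bit(ciphertext, 8)` through each mode's decryption and look at `corrupted_bytes(PT, recovered)`: CBC reports damage in blocks 1 and 2, OFB and CTR only byte 8, and CFB bytes 8 through 16 while the bad byte sits in the shift register.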
Evaluation Criteria for AES
The Origins of AES
It was clear that a replacement for DES was needed:
the key size (56 bits) is too small
the DES variants are just patches
Triple DES can be used, but it is slow and has small (64-bit) blocks
US NIST issued a call for ciphers in 1997
15 candidates were accepted in Jun 1998
5 were shortlisted in Aug 1999
AES Evaluation
Initial criteria:
security: the effort required for practical cryptanalysis
cost: computational efficiency
algorithm and implementation characteristics
Final criteria:
general security
ease of software and hardware implementation
attacks on implementations (e.g. timing and power analysis)
restricted-space environments
encryption versus decryption
key agility
flexibility
potential for instruction-level parallelism
AES Cipher: Rijndael
Rijndael was selected as the AES in Oct 2000
issued as FIPS PUB 197 standard in Nov 2001
designed by Joan Daemen and Vincent Rijmen in Belgium
has 128/192/256-bit keys, 128-bit data blocks
an iterative (substitution-permutation) rather than Feistel cipher
processes data as a block of 4 columns of 4 bytes (the state)
operates on the entire data block in every round
Characteristics:
resistant against known attacks
speed and code compactness on many CPUs
design simplicity
1. AES is not a Feistel structure. It processes the entire data block in parallel during
each round using substitution and permutation.
2. The key that is provided as input is expanded into an array of 44 32-bit words (for a
128-bit key); each round uses four of these words (128 bits) as its round key.
3. Four different stages are used (one permutation and three substitutions):
1. Substitute Bytes (SB): uses an S-box to perform a byte-by-byte substitution
2. Shift Rows (SR): a simple permutation
3. Mix Columns (MC): a substitution that makes use of arithmetic over GF(2^8)
4. Add Round Key (ARK): a bitwise XOR of the current block with a portion of
the expanded key
4. The structure is simple.
Both encryption and decryption begin with an Add Round Key stage.
This is followed by 9 rounds of 4 stages each (for a 128-bit key).
The 10th round has only 3 stages (Mix Columns is omitted).
5. Add Round Key is in effect a Vernam cipher: the state is XORed with key material.
6. The other stages do not use the key; they provide confusion, diffusion and nonlinearity.
7. Each stage is reversible.
8. The decryption algorithm makes use of the expanded key in reverse order.
9. Because all 4 stages are reversible, it is easy to verify that decryption does recover
the plaintext.
10. The final round of both encryption and decryption consists of only 3 stages.
Substitute Bytes (SB)
a simple substitution of each byte
uses one S-box of 16x16 bytes containing a permutation of all 256 8-bit values
each byte of the state is replaced by the byte indexed by row (left 4 bits) and column
(right 4 bits)
e.g. byte {95} is replaced by the byte in row 9, column 5,
which has value {2A}
S-box construction:
Initialize the S-box with the byte values in ascending sequence row by row.
Map each byte in the S-box to its multiplicative inverse in the finite field GF(2^8);
the value {00} is mapped to itself.
Each byte in the S-box consists of 8 bits labeled (b7, b6, b5, b4, b3, b2, b1, b0).
Apply the following affine transformation to each bit:
b'i = bi ⊕ b(i+4) mod 8 ⊕ b(i+5) mod 8 ⊕ b(i+6) mod 8 ⊕ b(i+7) mod 8 ⊕ ci
where ci is bit i of the constant c = {63} = 01100011.
Shift Rows Transformation
a circular byte shift in each row of the state:
1st row is unchanged
2nd row does a 1-byte circular shift to the left
3rd row does a 2-byte circular shift to the left
4th row does a 3-byte circular shift to the left
Since the state is filled column by column, this spreads the bytes of each column over
all four columns.
Mix Columns
each column is processed separately
each byte is replaced by a value dependent on all 4 bytes in the column
effectively a matrix multiplication in GF(2^8), with arithmetic modulo the irreducible
polynomial m(x) = x^8 + x^4 + x^3 + x + 1
Add Round Key
The 128 bits of the state are bitwise XORed with the 128 bits of the round key.
The operation is viewed as a column-wise operation between the 4 bytes of a state column
and one word of the round key.
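As an added worked example (not part of these notes, and not the FIPS 197 reference code), the four AES stages on a 16-byte state in Python, with the S-box built exactly as the construction above describes (inverse in GF(2^8), then the affine map) rather than copied from a table. It also applies the Guaranteed Avalanche criterion from the S-box design section to the S-box it builds. Assumptions: the state is stored column-major (state[row + 4*col], matching "4 columns of 4 bytes"), and `aes_round` is one full round (SubBytes, ShiftRows, MixColumns, AddRoundKey) with the round key supplied by the caller; key expansion is not implemented here.

```python
# The GF(2^8) field used by AES: polynomial arithmetic modulo m(x) = x^8 + x^4 + x^3 + x + 1 (0x11B),
# so reducing an overflowing x^8 term means XORing with 0x1B.
def gf_mul(a, b):
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p

def gf_inv(a):
    # Multiplicative inverse via a^254 = a^-1 in GF(2^8); {00} maps to {00} by convention.
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r if a else 0

def affine(b):
    # b'_i = b_i ^ b_(i+4) ^ b_(i+5) ^ b_(i+6) ^ b_(i+7) (indices mod 8) ^ c_i, with c = {63}.
    def rotl(x, n):
        return ((x << n) | (x >> (8 - n))) & 0xFF
    return b ^ rotl(b, 1) ^ rotl(b, 2) ^ rotl(b, 3) ^ rotl(b, 4) ^ 0x63

SBOX = [affine(gf_inv(x)) for x in range(256)]  # constructed, not copied from a table

def sub_bytes(state):
    return [SBOX[b] for b in state]

def shift_rows(state):
    # Row r is rotated left by r bytes: new[r][c] = old[r][(c + r) % 4], state is column-major.
    return [state[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]

def mix_column(col, coeff=(2, 3, 1, 1)):
    # Multiply one column by the circulant matrix whose first row is `coeff`, over GF(2^8).
    out = []
    for i in range(4):
        acc = 0
        for j in range(4):
            acc ^= gf_mul(col[j], coeff[(j - i) % 4])
        out.append(acc)
    return out

def mix_columns(state, coeff=(2, 3, 1, 1)):
    return [b for c in range(4) for b in mix_column(state[4 * c:4 * c + 4], coeff)]

def inv_mix_columns(state):
    # The inverse matrix has first row {0e} {0b} {0d} {09}; this is what makes the stage reversible.
    return mix_columns(state, (14, 11, 13, 9))

def add_round_key(state, round_key):
    return [s ^ k for s, k in zip(state, round_key)]

def aes_round(state, round_key):
    # One full AES round; the final round of the cipher omits mix_columns.
    return add_round_key(mix_columns(shift_rows(sub_bytes(state))), round_key)

def guaranteed_avalanche_order(sbox):
    # GA order of an S-box: the minimum number of output bits that change over all inputs and
    # all single input-bit flips (a bijective S-box always has order at least 1).
    return min(bin(sbox[x] ^ sbox[x ^ (1 << i)]).count("1")
               for x in range(256) for i in range(8))
```

`SBOX[0x95]` gives `0x2A`, the lookup the notes walk through, and `inv_mix_columns(mix_columns(s))` returns `s` for any state, which is the "each stage is reversible" claim made concrete. The round-key and state values in the test below are the round 1 intermediates from the FIPS 197 Appendix B example (128-bit key 2b7e1516..., plaintext 3243f6a8...).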
Triple DES
- In DES, it is possible to perform a brute-force attack, because the 56-bit key space
is too small.
- One alternative is to design a new algorithm.
- Another alternative is to use multiple encryptions with multiple keys.
Double DES
Consider 2-DES with two keys:
C = EK2(EK1(P))
Decryption: P = DK1(DK2(C))
Key length: 56 x 2 = 112 bits
Meet-in-the-Middle Attack on 2-DES
2-DES: C = EK2(EK1(P))
So, X = EK1(P) = DK2(C)
Given a known pair (P, C), attack as follows:
Encrypt P with all 2^56 possible keys K1 and store the results in a table indexed by X.
Decrypt C with all 2^56 possible keys K2 and look each result up in the table.
If EK1(P) = DK2(C), try the candidate pair on another known (P, C) pair.
If it also works, the candidate is the correct (K1, K2) with high probability.
Takes O(2^56) steps (about 2^57 cipher operations plus a table of 2^56 entries); not much
more than attacking 1-DES, so 2-DES does not deliver 112-bit security.
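The attack above, as an added example that is not part of these notes. It is written against a deliberately tiny cipher so that both key loops finish in under a second: a 16-bit ARX permutation with 12-bit keys (an assumption; it is not DES, and the 2^12 key space is chosen only to keep the search enumerable). The table-then-lookup structure, the verification on extra known pairs, and the cost comparison against brute force are the same as for 2-DES; the Feistel cipher used in the modes example above is not reused here because the attack needs a key space small enough to exhaust.

```python
MASK = 0xFFFF
MUL, ADD, ROT = 0x9E37, 0x1234, 5
MUL_INV = pow(MUL, -1, 1 << 16)  # MUL is odd, hence invertible modulo 2^16
KEY_BITS = 12                    # toy key space (assumption): 2^12 keys per cipher

def toy_encrypt(key, x):
    # 4-round ARX-style permutation on 16-bit blocks: a demonstration cipher, NOT DES.
    for rnd in range(4):
        x = ((x ^ (key + rnd)) * MUL + ADD) & MASK
        x = ((x << ROT) | (x >> (16 - ROT))) & MASK
    return x

def toy_decrypt(key, x):
    for rnd in reversed(range(4)):
        x = ((x >> ROT) | (x << (16 - ROT))) & MASK
        x = (((x - ADD) * MUL_INV) & MASK) ^ (key + rnd)
    return x

def double_encrypt(k1, k2, p):
    return toy_encrypt(k2, toy_encrypt(k1, p))

def double_decrypt(k1, k2, c):
    return toy_decrypt(k1, toy_decrypt(k2, c))

def meet_in_the_middle(pairs):
    """Recover candidate (k1, k2) pairs from known (plaintext, ciphertext) pairs.
    Cost: 2^KEY_BITS encryptions + 2^KEY_BITS decryptions + table lookups, instead of
    2^(2*KEY_BITS) double encryptions for a brute-force search over both keys."""
    p0, c0 = pairs[0]
    middle = {}
    for k1 in range(1 << KEY_BITS):          # forward half: X = E_K1(P), indexed by X
        middle.setdefault(toy_encrypt(k1, p0), []).append(k1)
    candidates = []
    for k2 in range(1 << KEY_BITS):          # backward half: X = D_K2(C), matched by lookup
        for k1 in middle.get(toy_decrypt(k2, c0), []):
            # A match on one pair is not proof; confirm on the remaining known pairs.
            if all(double_encrypt(k1, k2, p) == c for p, c in pairs[1:]):
                candidates.append((k1, k2))
    return candidates

def attack_cost(key_bits=KEY_BITS):
    # (cipher operations for meet-in-the-middle, for brute force over both keys)
    return 2 * (1 << key_bits), 1 << (2 * key_bits)
```

With three known pairs the verification step eliminates false matches, and `attack_cost(56)` returns (2^57, 2^112), the 2-DES numbers the notes quote: the work is only twice that of a single-DES search, the price being a table with 2^56 entries.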
Triple DES with Two Keys
A straightforward implementation would be:
C = EK1(EK2(EK1(P)))
In practice: C = EK1(DK2(EK1(P)))
Also referred to as EDE (encrypt-decrypt-encrypt) encryption.
Reason: if K1 = K2, then 3DES reduces to single DES. Thus 3DES software can
interoperate with single-DES implementations.
Standardized in ANSI X9.17 and ISO 8732.
Triple DES with Three Keys
Encryption: C = EK3(DK2(EK1(P))).
If K1 = K3, we have 3DES with 2 keys.
If K1 = K2 = K3, we have the regular DES.
So, 3DES with 3 keys is backward compatible with 3DES with 2 keys and with the regular
DES.
Placement of the Encryption Function
Points of Vulnerability
An adversary can eavesdrop from a machine on the same LAN.
An adversary can eavesdrop by dialing into a communication server.
An adversary can eavesdrop by gaining physical control of part of the external links:
- twisted pair, coaxial cable, or optical fiber
- radio or satellite links
Confidentiality using Symmetric Encryption
There are two major placement alternatives:
Link encryption
encryption occurs independently on every link
all traffic over all communication links is secured
implies traffic must be decrypted at each switch, because the switch must read the
address in the packet header
each pair of nodes that share a link needs a unique key, with a different key used on
each link, so many keys are required
the message is vulnerable at each switch
if working with a public network, the user has no control over the security of the
nodes
End-to-end encryption
encryption occurs between the original source and the final destination
needs devices at each end with shared keys
secures the transmission against attacks on the network links or switches
End-to-end principle
What part of each packet will the host encrypt, the header or the user data? Only the
user data can be encrypted: the headers must be left in the clear so that the network
can route the packet.
It also provides a degree of authentication, since only the alleged sender shares the
relevant key.
Placement of Encryption
The encryption function can be placed at various layers in the OSI Reference Model:
link encryption occurs at layers 1 or 2
end-to-end encryption can occur at layers 3, 4, 6 or 7
As encryption is moved toward a higher layer, less information in each packet is
encrypted, but what is encrypted is more secure (it stays protected over the whole path).
Application-layer encryption is more complex, with more entities and hence more keys.
Scope of Encryption
Traffic analysis is the monitoring of communication flows between parties:
useful in both the military and commercial spheres
traffic patterns can also be used to create a covert channel
Link encryption obscures header details,
but overall traffic volumes in the network and at the end-points are still visible;
traffic padding can further obscure flows,
but at the cost of continuous traffic.
When using end-to-end encryption the headers must be left in the clear
so that the network can correctly route the information;
hence, although the contents are protected, the traffic pattern flows are not.
Ideally both are wanted at once:
end-to-end encryption protects the data contents over the entire path and provides
authentication
link encryption protects the traffic flows from monitoring
Traffic Confidentiality
From a traffic analysis attack the following types of information can be derived:
- identities of the partners
- how frequently the partners are communicating
- the message pattern, message length, or quantity of messages being exchanged
- the events that correlate with special conversations between particular partners
Traffic patterns can also be used to create a covert channel. A covert channel is a means
of communication in a fashion unintended by the designers of the communications facility.
Link Encryption Approach
- Network-layer headers are encrypted, reducing the opportunity for traffic analysis.
- It is still possible for an attacker to assess the amount of traffic on a network and
to observe the amount of traffic entering and leaving each end system.
- Traffic padding counters this by producing ciphertext output continuously, even in the
absence of plaintext: a continuous random data stream is generated.
- When plaintext is present, it is encrypted and transmitted.
- When plaintext is not present, random data is encrypted and transmitted, so an
observer cannot distinguish real traffic from padding.
End-to-End Encryption Approach
- With end-to-end encryption, the measures available to the defender are more limited.
- If encryption is implemented at the application layer, then the opponent can determine
which transport entities are engaged in a dialogue.
- If encryption is at the transport layer, then network-layer addresses and traffic
patterns remain accessible.