
UNIT - I

INTRODUCTION

Computer data often travels from one computer to another, leaving the safety of its protected physical surroundings. Once the data is out of hand, people with bad intentions could modify or forge your data, either for amusement or for their own benefit. Cryptography can reformat and transform our data, making it safer on its trip between computers. The technology is based on the essentials of secret codes, augmented by modern mathematics that protects our data in powerful ways.

- Computer Security - generic name for the collection of tools designed to protect data and to thwart hackers
- Network Security - measures to protect data during their transmission
- Internet Security - measures to protect data during their transmission over a collection of interconnected networks

THE OSI SECURITY ARCHITECTURE

To assess effectively the security needs of an organization and to evaluate and choose various security products and policies, the manager responsible for security needs some systematic way of defining the requirements for security and characterizing the approaches to satisfying those requirements. The OSI security architecture focuses on security attacks, mechanisms, and services. These can be defined briefly as follows:

Threats and Attacks (RFC 2828)

Threat: A potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm. That is, a threat is a possible danger that might exploit a vulnerability.

Attack: An assault on system security that derives from an intelligent threat; that is, an intelligent act that is a deliberate attempt (especially in the sense of a method or technique) to evade security services and violate the security policy of a system.

Security Attacks, Services and Mechanisms

To assess the security needs of an organization effectively, the manager responsible for security needs some systematic way of defining the requirements for security and characterizing the approaches to satisfying those requirements. One approach is to consider three aspects of information security:

Security attack: Any action that compromises the security of information owned by an organization.

Security mechanism: A mechanism that is designed to detect, prevent or recover from a security attack.

Security service: A service that enhances the security of the data processing systems and the information transfers of an organization. The services are intended to counter security attacks, and they make use of one or more security mechanisms to provide the service.

SECURITY SERVICES

The security services are classified as follows:

- Confidentiality: Ensures that the information in a computer system and transmitted information are accessible only for reading by authorized parties. This covers printing, displaying and other forms of disclosure.
- Authentication: Ensures that the origin of a message or electronic document is correctly identified, with an assurance that the identity is not false.
- Integrity: Ensures that only authorized parties are able to modify computer system assets and transmitted information. Modification includes writing, changing status, deleting, creating and delaying or replaying of transmitted messages.
- Non repudiation: Requires that neither the sender nor the receiver of a message be able to deny the transmission.
- Access control: Requires that access to information resources may be controlled by or for the target system.
- Availability: Requires that computer system assets be available to authorized parties when needed.

Security Services (X.800)

AUTHENTICATION: The assurance that the communicating entity is the one that it claims to be.
1. Peer Entity Authentication: Used in association with a logical connection to provide confidence in the identity of the entities connected.
2. Data Origin Authentication: In a connectionless transfer, provides assurance that the source of received data is as claimed.

ACCESS CONTROL: The prevention of unauthorized use of a resource (i.e., this service controls who can have access to a resource, under what conditions access can occur, and what those accessing the resource are allowed to do).

DATA CONFIDENTIALITY: The protection of data from unauthorized disclosure.
1. Connection Confidentiality: The protection of all user data on a connection.
2. Connectionless Confidentiality: The protection of all user data in a single data block.
3. Selective-Field Confidentiality: The confidentiality of selected fields within the user data on a connection or in a single data block.
4. Traffic Flow Confidentiality: The protection of the information that might be derived from observation of traffic flows.

DATA INTEGRITY
1. Connection Integrity with Recovery: Provides for the integrity of all user data on a connection and detects any modification, insertion, deletion, or replay of any data within an entire data sequence, with recovery attempted.
2. Connection Integrity without Recovery: As above, but provides only detection without recovery.
3. Selective-Field Connection Integrity: Provides for the integrity of selected fields within the user data of a data block transferred over a connection and takes the form of determination of whether the selected fields have been modified, inserted, deleted, or replayed.
4. Connectionless Integrity: Provides for the integrity of a single connectionless data block and may take the form of detection of data modification. Additionally, a limited form of replay detection may be provided.
5. Selective-Field Connectionless Integrity: Provides for the integrity of selected fields within a single connectionless data block; takes the form of determination of whether the selected fields have been modified.

NONREPUDIATION: Provides protection against denial by one of the entities involved in a communication of having participated in all or part of the communication.
1. Nonrepudiation, Origin: Proof that the message was sent by the specified party.
2. Nonrepudiation, Destination: Proof that the message was received by the specified party.

SECURITY MECHANISMS

One of the most specific security mechanisms in use is cryptographic techniques. Encryption or encryption-like transformations of information are the most common means of providing security. Some of the mechanisms are:
1. Encipherment
   - Reversible Encipherment Mechanism: an encryption algorithm that allows data to be encrypted and subsequently decrypted.
   - Irreversible Encipherment Mechanism: includes hash algorithms and message authentication codes, which are used in digital signatures and message authentication applications.
2. Digital Signature

SECURITY ATTACKS

Security attacks are classified in terms of passive attacks and active attacks.

Passive Attacks

Passive attacks are in the nature of eavesdropping on, or monitoring of, transmissions. The goal of the opponent is to obtain information that is being transmitted. Passive attacks are of two types:
1. Release of message contents: A telephone conversation, an e-mail message and a transferred file may contain sensitive or confidential information. We would like to prevent the opponent from learning the contents of these transmissions.
2. Traffic analysis: If we had encryption protection in place, an opponent might still be able to observe the pattern of the messages. The opponent could determine the location and identity of communicating hosts and could observe the frequency and length of messages being exchanged. This information might be useful in guessing the nature of the communication that was taking place.

Passive attacks are very difficult to detect because they do not involve any alteration of data. However, it is feasible to prevent the success of these attacks.

Active Attacks

These attacks involve some modification of the data stream or the creation of a false stream. These attacks can be classified into four categories:
1. Masquerade: One entity pretends to be a different entity.
2. Replay: Involves the passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect.
3. Modification of messages: Some portion of a message is altered, or messages are delayed or reordered, to produce an unauthorized effect.
4. Denial of service: Prevents or inhibits the normal use or management of communication facilities. Another form of service denial is the disruption of an entire network, either by disabling the network or by overloading it with messages so as to degrade performance.

It is quite difficult to prevent active attacks absolutely, because to do so would require physical protection of all communication facilities and paths at all times. Instead, the goal is to detect them and to recover from any disruption or delays caused by them.

CLASSICAL ENCRYPTION TECHNIQUES

Symmetric and public key algorithms

Encryption/decryption methods fall into two categories:
- Symmetric key
- Public key

In symmetric key algorithms, the encryption and decryption keys are known to both sender and receiver. The encryption key is shared and the decryption key is easily calculated from it. In many cases, the encryption and decryption keys are the same. In public key cryptography, the encryption key is made public, but it is computationally infeasible to find the decryption key without the information known to the receiver.

Some basic terminology used:
- plaintext - the original message
- ciphertext - the coded message
- cipher - algorithm for transforming plaintext to ciphertext
- key - info used in the cipher, known only to sender/receiver
- encipher (encrypt) - converting plaintext to ciphertext
- decipher (decrypt) - recovering plaintext from ciphertext
- cryptography - study of encryption principles/methods
- cryptanalysis (codebreaking) - the study of principles/methods of deciphering ciphertext without knowing the key
- cryptology - the field of both cryptography and cryptanalysis

SYMMETRIC CIPHER MODEL

The symmetric cipher model has 5 ingredients:
1. Plaintext: the original message, i.e., the data fed into the algorithm as input
2. Encryption Algorithm: performs substitutions/transformations on the plaintext
3. Secret Key: the exact substitutions/transformations performed by the algorithm depend on the key
4. Ciphertext: the scrambled message produced as output
5. Decryption Algorithm: the inverse of the encryption algorithm

Also referred to as conventional / private-key / single-key encryption:
- sender and recipient share a common key
- all classical encryption algorithms are private-key

Two requirements for secure use of symmetric encryption:
- a strong encryption algorithm
- a secret key known only to sender / receiver

Y = EK(X)
X = DK(Y)

Assume the encryption algorithm is known. This implies a secure channel to distribute the key.

(Diagram: Refer Page No. 26 in Cryptography & Network Security by William Stallings, 3rd Edition)

Plaintext X = [X1, X2, ..., XM], where M is the number of letters in the message. Key K = [K1, K2, ..., KJ]. Ciphertext Y = [Y1, Y2, ..., YN], with Y = EK(X). To invert the transformation: X = DK(Y).

Cryptography

Cryptographic systems are generally classified along 3 independent dimensions:
1. The type of operations used for transforming plaintext to ciphertext. All encryption algorithms are based on two general principles: substitution, in which each element in the plaintext is mapped into another element, and transposition, in which elements in the plaintext are rearranged.
2. The number of keys used. If the sender and receiver use the same key, it is said to be symmetric key (or) single key (or) conventional encryption. If the sender and receiver use different keys, it is said to be public key encryption.
3. The way in which the plaintext is processed. A block cipher processes the input one block of elements at a time, producing an output block for each input block. A stream cipher processes the input elements continuously, producing output one element at a time as it goes along.

Cryptanalysis

The process of attempting to discover X or K or both is known as cryptanalysis. The strategy used by the cryptanalyst depends on the nature of the encryption scheme and the information available to the cryptanalyst. There are various types of cryptanalytic attacks, based on the amount of information known to the cryptanalyst:
- Ciphertext only: A copy of the ciphertext alone is known to the cryptanalyst.
- Known plaintext: The cryptanalyst has a copy of the ciphertext and the corresponding plaintext.
- Chosen plaintext: The cryptanalyst gains temporary access to the encryption machine. They cannot open it to find the key; however, they can encrypt a large number of suitably chosen plaintexts and try to use the resulting ciphertexts to deduce
- Chosen ciphertext: The cryptanalyst obtains temporary access to the decryption machine, uses it to decrypt several strings of symbols, and tries to use the results to deduce the key.
- Brute-force attack: The attacker tries every possible key on a piece of ciphertext until an intelligible translation into plaintext is obtained.

SUBSTITUTION TECHNIQUES

A substitution technique is one in which the letters of plaintext are replaced by other letters or by numbers or symbols. If the plaintext is viewed as a sequence of bits, then substitution involves replacing plaintext bit patterns with ciphertext bit patterns.

(i) Caesar cipher (or) shift cipher

The earliest known use of a substitution cipher, and the simplest, was by Julius Caesar. The Caesar cipher involves replacing each letter of the alphabet with the letter standing 3 places further down the alphabet.

Ex:
Plaintext : pay more money
Ciphertext: SDB PRUH PRQHB

Note that the alphabet is wrapped around, so that the letter following z is a. For each plaintext letter p, substitute the ciphertext letter C such that

C = E(p) = (p + 3) mod 26

A shift may be any amount, so the general Caesar algorithm is

C = E(p) = (p + k) mod 26

where k takes on a value in the range 1 to 25. The decryption algorithm is simply

p = D(C) = (C - k) mod 26

(ii) Monoalphabetic Cipher

Shuffle the letters and map each plaintext letter to a different random ciphertext letter.

Plain letters:  abcdefghijklmnopqrstuvwxyz
Cipher letters: DKVQFIBJWPESCXHTMYAUOLRGZN

Plaintext:  ifwewishtoreplaceletters
Ciphertext: WIRFRWAJUHYFTSDVFSFUUFYA

Monoalphabetic Cipher Security

Now we have a total of 26! = 4 x 10^26 keys. With so many keys, it is secure against brute-force attacks, but it is not secure against some cryptanalytic attacks. The problem is language characteristics.

Language Statistics and Cryptanalysis

Human languages are not random. Letters are not equally frequently used. In English, E is by far the most common letter, followed by T, R, N, I, O, A, S. Other letters like Z, J, K, Q, X are fairly rare. There are tables of single, double and triple letter frequencies for various languages.

Statistics for double and triple letters, in decreasing order of frequency:
- Double letters: th he an in er re es on
- Triple letters: the and ent ion tio for nde

Use in Cryptanalysis

Key concept: monoalphabetic substitution does not change relative letter frequencies. To attack, we calculate the letter frequencies for the ciphertext and compare this distribution against the known one.

Example Cryptanalysis

Given ciphertext:

UZQSOVUOHXMOPVGPOZPEVSGZWSZOPFPESXUDBMETSXAIZ
VUEPHZHMDZSHZOWSFPAPPDTSVPQUZWYMXUZUHSX
EPYEPOPDZSZUFPOMBZWPFUPZHMDJUDTMOHMQ

Count the relative letter frequencies (see the table below). Guess {P, Z} = {e, t}. Of the double letters, ZW has the highest frequency, so guess ZW = th and hence ZWP = the. Proceeding with trial and error we finally get:

it was disclosed yesterday that several informal but direct contacts have been made with political representatives of the viet cong in moscow

Relative letter frequencies (%) in the ciphertext:

P 13.33   H 5.83   F 3.33   B 1.67   C 0.00
Z 11.67   D 5.00   W 3.33   G 1.67   K 0.00
S  8.33   E 5.00   Q 2.50   Y 1.67   L 0.00
U  8.33   V 4.17   T 2.50   I 0.83   N 0.00
O  7.50   X 4.17   A 1.67   J 0.83   R 0.00
M  6.67
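The Caesar and monoalphabetic ciphers above, together with the letter-frequency count that the worked cryptanalysis relies on, as an added example (this code is not part of the original notes). It uses the page's own example strings; the ciphertext and its solved plaintext are the ones quoted above, and `derive_substitution` additionally checks that the solution is consistent with a single monoalphabetic key, which the page states but does not verify:

```python
"""Substitution ciphers and letter-frequency cryptanalysis (added example)."""
from collections import Counter
from string import ascii_lowercase as LOWER, ascii_uppercase as UPPER

# The worked example from the notes: 120 letters of ciphertext and its solved plaintext.
CIPHERTEXT = (
    "UZQSOVUOHXMOPVGPOZPEVSGZWSZOPFPESXUDBMETSXAIZ"
    "VUEPHZHMDZSHZOWSFPAPPDTSVPQUZWYMXUZUHSX"
    "EPYEPOPDZSZUFPOMBZWPFUPZHMDJUDTMOHMQ"
)
SOLUTION = ("it was disclosed yesterday that several informal but direct contacts "
            "have been made with political representatives of the viet cong in moscow")


def caesar_encrypt(plaintext: str, k: int) -> str:
    """C = (p + k) mod 26 per letter; ciphertext in upper case, other characters unchanged."""
    return "".join(UPPER[(LOWER.index(c) + k) % 26] if c in LOWER else c
                   for c in plaintext.lower())


def caesar_decrypt(ciphertext: str, k: int) -> str:
    """p = (C - k) mod 26: the same shift in the other direction."""
    return caesar_encrypt(ciphertext, -k).lower()


def caesar_brute_force(ciphertext: str) -> dict:
    """Ciphertext-only brute force: the key space is only 25 shifts, so list every candidate."""
    return {k: caesar_decrypt(ciphertext, k) for k in range(1, 26)}


def mono_encrypt(plaintext: str, cipher_alphabet: str) -> str:
    """General monoalphabetic substitution: plaintext letter i -> cipher_alphabet[i]."""
    return plaintext.lower().translate(str.maketrans(LOWER, cipher_alphabet.upper()))


def mono_decrypt(ciphertext: str, cipher_alphabet: str) -> str:
    return ciphertext.upper().translate(str.maketrans(cipher_alphabet.upper(), LOWER))


def letter_frequencies(text: str) -> dict:
    """Relative frequency in percent (2 dp) of each letter A-Z; non-letters are ignored."""
    letters = [c for c in text.upper() if c in UPPER]
    counts = Counter(letters)
    return {c: round(100 * counts[c] / len(letters), 2) for c in UPPER}


def ranked_letters(text: str) -> str:
    """Letters ordered from most to least frequent, ties broken alphabetically."""
    freq = letter_frequencies(text)
    return "".join(sorted(UPPER, key=lambda c: (-freq[c], c)))


def partial_decrypt(ciphertext: str, guesses: dict) -> str:
    """Apply a partial key (cipher letter -> plain letter); unresolved letters print as '?'."""
    return "".join(guesses.get(c, "?") if c in UPPER else c for c in ciphertext.upper())


def derive_substitution(ciphertext: str, plaintext: str):
    """Recover the cipher->plain mapping from a known-plaintext pair, or None if the pair
    is not consistent with one monoalphabetic substitution."""
    ct = [c for c in ciphertext.upper() if c in UPPER]
    pt = [c for c in plaintext.lower() if c in LOWER]
    if len(ct) != len(pt):
        return None
    mapping = {}
    for c, p in zip(ct, pt):
        if mapping.setdefault(c, p) != p:        # one cipher letter -> two plain letters
            return None
    if len(set(mapping.values())) != len(mapping):   # two cipher letters -> one plain letter
        return None
    return mapping


if __name__ == "__main__":
    print(caesar_encrypt("pay more money", 3))
    print(ranked_letters(CIPHERTEXT)[:8])          # most frequent ciphertext letters first
    print(partial_decrypt(CIPHERTEXT, {"P": "e", "Z": "t", "W": "h"}))
```

`ranked_letters` reproduces the table's ordering (P, Z, then S and U tied), and `partial_decrypt` with the three guesses from the text shows every occurrence of "the" in the ciphertext before the rest of the key is known.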

(iii) Playfair cipher

The Playfair cipher is a multiple-letter encryption cipher. The Playfair algorithm is based on the use of a 5x5 matrix of letters constructed using a keyword. Let the keyword be monarchy. The matrix is constructed by filling in the letters of the keyword (minus duplicates) from left to right and from top to bottom, and then filling in the remainder of the matrix with the remaining letters in alphabetical order. The letters i and j count as one letter.

M O N A R
C H Y B D
E F G I/J K
L P Q S T
U V W X Z

Plaintext is encrypted two letters at a time according to the following rules:
1. Repeating plaintext letters that would fall in the same pair are separated with a filler letter such as x.
2. Plaintext letters that fall in the same row of the matrix are each replaced by the letter to the right, with the first element of the row following the last.
3. Plaintext letters that fall in the same column are each replaced by the letter beneath, with the top element of the column following the last.
4. Otherwise, each plaintext letter is replaced by the letter that lies in its own row and the column occupied by the other plaintext letter.

Plaintext = meet me at the school house
Splitting into two-letter units => me et me at th es ch ox ol ho us ex
Corresponding ciphertext => CL KL CL RS PD IL HY AV MP HF XL IU

Strength of the Playfair cipher

The Playfair cipher is a great advance over simple monoalphabetic ciphers.
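The Playfair rules above as runnable code (an added example, not part of the original notes). The matrix builder, digraph splitter and the four rules are implemented directly from the text; one thing running it reveals is that under rule 3 the pair "ho" (h above o in the H column) comes out as FH, whereas the listing above gives HF, so that pair in the printed ciphertext is worth re-checking against the rule:

```python
"""Playfair cipher: keyword matrix, digraph rules, encryption and decryption (added example)."""

ALPHABET = "abcdefghiklmnopqrstuvwxyz"   # 25 letters: i and j are merged


def build_matrix(keyword: str) -> list:
    """5x5 matrix: keyword letters (minus duplicates) first, then the rest in alphabetical order."""
    seen = []
    for ch in keyword.lower().replace("j", "i") + ALPHABET:
        if ch in ALPHABET and ch not in seen:
            seen.append(ch)
    return [seen[r * 5:(r + 1) * 5] for r in range(5)]


def make_digraphs(plaintext: str) -> list:
    """Rule 1: split into pairs, separating a repeated letter with 'x' and padding an odd tail with 'x'."""
    letters = [c for c in plaintext.lower().replace("j", "i") if c in ALPHABET]
    pairs, i = [], 0
    while i < len(letters):
        a = letters[i]
        b = letters[i + 1] if i + 1 < len(letters) else "x"
        if a == b:
            pairs.append(a + "x")
            i += 1
        else:
            pairs.append(a + b)
            i += 2
    return pairs


def _locate(matrix: list, ch: str) -> tuple:
    for r, row in enumerate(matrix):
        if ch in row:
            return r, row.index(ch)
    raise ValueError("letter not in matrix: %r" % ch)


def _map_pair(matrix: list, a: str, b: str, shift: int) -> str:
    """shift=+1 applies rules 2-4 for encryption; shift=-1 runs rules 2 and 3 backwards."""
    ra, ca = _locate(matrix, a)
    rb, cb = _locate(matrix, b)
    if ra == rb:                               # rule 2: same row, take the letter to the right
        return matrix[ra][(ca + shift) % 5] + matrix[rb][(cb + shift) % 5]
    if ca == cb:                               # rule 3: same column, take the letter beneath
        return matrix[(ra + shift) % 5][ca] + matrix[(rb + shift) % 5][cb]
    return matrix[ra][cb] + matrix[rb][ca]     # rule 4: own row, other letter's column


def playfair_encrypt(plaintext: str, keyword: str) -> str:
    m = build_matrix(keyword)
    return " ".join(_map_pair(m, p[0], p[1], +1).upper() for p in make_digraphs(plaintext))


def playfair_decrypt(ciphertext: str, keyword: str) -> str:
    m = build_matrix(keyword)
    letters = [c for c in ciphertext.lower() if c in ALPHABET]
    if len(letters) % 2:
        raise ValueError("Playfair ciphertext must have an even number of letters")
    return "".join(_map_pair(m, letters[i], letters[i + 1], -1) for i in range(0, len(letters), 2))


if __name__ == "__main__":
    for row in build_matrix("monarchy"):
        print(" ".join(row))
    print(playfair_encrypt("meet me at the school house", "monarchy"))
```

Decryption returns the letters with the filler x's still in place ("meetmeattheschoxolhousex"); removing them is a job for the reader of the message, since the cipher itself cannot tell a filler from a real x.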

Since there are 26 letters, 26 x 26 = 676 digrams are possible, so identification of an individual digram is more difficult. Frequency analysis is much more difficult.

(iv) Polyalphabetic ciphers

Another way to improve on the simple monoalphabetic technique is to use different monoalphabetic substitutions. The general name for this approach is polyalphabetic cipher. All the techniques have the following features in common:
1. A set of related monoalphabetic substitution rules is used.
2. A key determines which particular rule is chosen for a given transformation.

(v) Vigenere cipher

In this scheme, the set of related monoalphabetic substitution rules consists of the 26 Caesar ciphers with shifts of 0 through 25. Each cipher is denoted by a key letter, e.g., the Caesar cipher with a shift of 3 is denoted by the key value 'd' (since a = 0, b = 1, c = 2 and so on). To aid in understanding the scheme, a matrix known as the Vigenere tableau is constructed:

KEY       PLAINTEXT
LETTER    a b c d e f g ... x y z
  a       A B C D E F G ... X Y Z
  b       B C D E F G H ... Y Z A
  c       C D E F G H I ... Z A B
  d       D E F G H I J ... A B C
  e       E F G H I J K ... B C D
  f       F G H I J K L ... C D E
  g       G H I J K L M ... D E F
  h       H I J K L M N ... E F G
  i       I J K L M N O ... F G H
  j       J K L M N O P ... G H I
  k       K L M N O P Q ... H I J
  ...
  x       X Y Z A B C D ... U V W
  y       Y Z A B C D E ... V W X
  z       Z A B C D E F ... W X Y

Each of the 26 ciphers is laid out horizontally, with the key letter for each cipher to its left. A normal alphabet for the plaintext runs across the top. The process of encryption is simple: given a key letter x and a plaintext letter y, the ciphertext letter is at the intersection of the row labeled x and the column labeled y; in this case, the ciphertext is V. To encrypt a message, a key is needed that is as long as the message. Usually, the key is a repeating keyword, e.g.:

key        = d e c e p t i v e d e c e p t i v e d e c e p t i v e
plaintext  = w e a r e d i s c o v e r e d s a v e y o u r s e l f
ciphertext = Z I C V T W Q N G R Z G V T W A V Z H C Q Y G L M G J
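The tableau lookup is just modular addition, which is how the Vigenere cipher is normally implemented in code. The following is an added example (not from the original notes) that generates any tableau row, encrypts and decrypts with a repeating keyword, and shows, on the page's "deceptive" example, that one plaintext letter is spread over several ciphertext letters:

```python
"""Vigenere cipher as modular arithmetic (added example).

Row k of the tableau is the Caesar alphabet with shift k, so
C_i = (P_i + K_{i mod m}) mod 26 and decryption subtracts instead of adding.
"""
from string import ascii_lowercase as LOWER


def _letters(text: str) -> list:
    return [c for c in text.lower() if c in LOWER]


def tableau_row(key_letter: str) -> str:
    """One row of the Vigenere tableau: the alphabet shifted by the key letter's value."""
    k = LOWER.index(key_letter.lower())
    return "".join(LOWER[(i + k) % 26] for i in range(26)).upper()


def _shift(text: str, key: str, direction: int) -> str:
    p, k = _letters(text), _letters(key)
    if not k:
        raise ValueError("key must contain at least one letter")
    return "".join(LOWER[(LOWER.index(c) + direction * LOWER.index(k[i % len(k)])) % 26]
                   for i, c in enumerate(p))


def vigenere_encrypt(plaintext: str, key: str) -> str:
    """Key letter i of the repeated keyword selects the tableau row for plaintext letter i."""
    return _shift(plaintext, key, +1).upper()


def vigenere_decrypt(ciphertext: str, key: str) -> str:
    """Same row; find the ciphertext letter in it and read the plaintext letter at the top."""
    return _shift(ciphertext, key, -1)


def ciphertext_letters_for(plaintext: str, key: str, letter: str) -> set:
    """Which ciphertext letters one plaintext letter becomes. With a multi-letter key this is
    more than one letter, which is what obscures the single-letter frequency statistics."""
    p = _letters(plaintext)
    c = vigenere_encrypt(plaintext, key)
    return {c[i] for i, ch in enumerate(p) if ch == letter.lower()}


if __name__ == "__main__":
    print(tableau_row("x"))
    print(vigenere_encrypt("wearediscoveredsaveyourself", "deceptive"))
    print(sorted(ciphertext_letters_for("wearediscoveredsaveyourself", "deceptive", "e")))
```

With a one-letter key the scheme collapses to a Caesar cipher, which is the degenerate case the frequency-hiding argument does not cover.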

Decryption is equally simple: the key letter again identifies the row. The position of the ciphertext letter in that row determines the column, and the plaintext letter is at the top of that column.

Strength of the Vigenere cipher
- There are multiple ciphertext letters for each plaintext letter.
- Letter frequency information is obscured.

One Time Pad Cipher

It is an unbreakable cryptosystem. It represents the message as a sequence of 0s and 1s; this can be accomplished by writing all numbers in binary, for example, or by using ASCII. The key is a random sequence of 0s and 1s of the same length as the message. Once a key is used, it is discarded and never used again. The system can be expressed as follows:

Ci = Pi ⊕ Ki

Ci - ith binary digit of ciphertext
Pi - ith binary digit of plaintext
Ki - ith binary digit of key
⊕ - exclusive OR operation

Thus the ciphertext is generated by performing the bitwise XOR of the plaintext and the key. Decryption uses the same key. Because of the properties of XOR, decryption simply involves the same bitwise operation:

Pi = Ci ⊕ Ki

e.g.,
plaintext  = 0 0 1 0 1 0 0 1
key        = 1 0 1 0 1 1 0 0
------------------------------
ciphertext = 1 0 0 0 0 1 0 1

Advantage:
- The encryption method is completely unbreakable for a ciphertext-only attack.

Disadvantages:
- It requires a very long key which is expensive to produce and expensive to transmit.
- Once a key is used, it is dangerous to reuse it for a second message; any knowledge of the first message would give knowledge of the second.

TRANSPOSITION TECHNIQUES

All the techniques examined so far involve the substitution of a ciphertext symbol for a plaintext symbol. A very different kind of mapping is achieved by performing some sort of permutation on the plaintext letters. This technique is referred to as a transposition cipher. The rail fence is the simplest such cipher, in which the plaintext is written down as a sequence of diagonals and then read off as a sequence of rows.

Plaintext = meet at the school house

To encipher this message with a rail fence of depth 2, we write the message as follows:

m e a t e c o l o s
 e t t h s h o h u e

The encrypted message is MEATECOLOSETTHSHOHUE

Row Transposition Ciphers

A more complex scheme is to write the message in a rectangle, row by row, and read the message off column by column, but permute the order of the columns. The order of the columns then becomes the key of the algorithm.

e.g., plaintext = meet at the school house
Key = 4 3 1 2 5 6 7
PT  = m e e t a t t
      h e s c h o o
      l h o u s e
CT  = ESOTCUEEHMHLAHSTOETO

A pure transposition cipher is easily recognized because it has the same letter frequencies as the original plaintext. The transposition cipher can be made significantly more secure by performing more than one stage of transposition. The result is a more complex permutation that is not easily reconstructed.

Rotor Machine

1920s: mechanical devices used for automating encryption
- a set of independently rotating cylinders through which electrical pulses flow
- each cylinder has an input and output pin for each letter of the alphabet
- implements a version of the Vigenere cipher
- each rotor implements a substitution cipher
- the output of each rotor is fed into the next rotor
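One added example (not from the original notes) covering the two transposition schemes just described and the one-time pad from the section before them. The rail fence is written for any depth (the text's depth-2 case is the zigzag with two rows), the row transposition takes the column order as a list, `looks_like_transposition` is the letter-histogram check that gives a pure transposition away, and the one-time pad part shows why a pad must never be reused: the key cancels out of C1 ⊕ C2. The sample messages are the page's own; the OTP key comes from the OS random source.

```python
"""Transposition ciphers and the one-time pad (added example)."""
import secrets


def _letters(text: str) -> str:
    return "".join(c for c in text.lower() if c.isalpha())


def _rail_pattern(n: int, depth: int) -> list:
    """Rail index visited by each of n letters when they are written as zigzag diagonals."""
    pattern, row, step = [], 0, 1
    for _ in range(n):
        pattern.append(row)
        if depth > 1:
            if row == 0:
                step = 1
            elif row == depth - 1:
                step = -1
            row += step
    return pattern


def rail_fence_encrypt(plaintext: str, depth: int = 2) -> str:
    letters = _letters(plaintext)
    rails = [[] for _ in range(depth)]
    for ch, r in zip(letters, _rail_pattern(len(letters), depth)):
        rails[r].append(ch)
    return "".join("".join(r) for r in rails).upper()     # read off row by row


def rail_fence_decrypt(ciphertext: str, depth: int = 2) -> str:
    pattern = _rail_pattern(len(ciphertext), depth)
    rails, pos = [], 0
    for r in range(depth):                                  # cut the ciphertext back into rails
        size = pattern.count(r)
        rails.append(list(ciphertext.lower()[pos:pos + size]))
        pos += size
    return "".join(rails[r].pop(0) for r in pattern)        # walk the zigzag again


def row_transposition_encrypt(plaintext: str, key: list) -> str:
    """Write the message in rows under the key; read the columns in key order 1, 2, 3, ..."""
    letters, cols = _letters(plaintext), len(key)
    rows = [letters[i:i + cols] for i in range(0, len(letters), cols)]
    order = sorted(range(cols), key=lambda c: key[c])
    return "".join(row[c] for c in order for row in rows if c < len(row)).upper()


def row_transposition_decrypt(ciphertext: str, key: list) -> str:
    cols = len(key)
    full_rows, extra = divmod(len(ciphertext), cols)
    col_len = [full_rows + (1 if c < extra else 0) for c in range(cols)]   # last row may be short
    order = sorted(range(cols), key=lambda c: key[c])
    columns, pos = {}, 0
    for c in order:
        columns[c] = list(ciphertext.lower()[pos:pos + col_len[c]])
        pos += col_len[c]
    n_rows = col_len[0]
    return "".join(columns[c].pop(0) for r in range(n_rows) for c in range(cols) if r < col_len[c])


def looks_like_transposition(ciphertext: str, plaintext: str) -> bool:
    """A pure transposition keeps the letter multiset, so the two histograms match exactly."""
    return sorted(_letters(ciphertext)) == sorted(_letters(plaintext))


def otp_key(length: int) -> bytes:
    """Random key as long as the message, from the operating system's CSPRNG."""
    return secrets.token_bytes(length)


def otp_xor(message: bytes, key: bytes) -> bytes:
    """C_i = P_i xor K_i; the same call decrypts because (P xor K) xor K = P."""
    if len(key) != len(message):
        raise ValueError("one-time pad key must be exactly as long as the message")
    return bytes(m ^ k for m, k in zip(message, key))


def key_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """If one pad encrypts two messages, C1 xor C2 = P1 xor P2: the key cancels out, so
    knowledge of either plaintext gives the other. This is why a pad is used exactly once."""
    return bytes(a ^ b for a, b in zip(c1, c2))


if __name__ == "__main__":
    print(rail_fence_encrypt("meet at the school house"))
    print(row_transposition_encrypt("meet at the school house", [4, 3, 1, 2, 5, 6, 7]))
    print(otp_xor(bytes([0b00101001]), bytes([0b10101100]))[0] == 0b10000101)
```

Running `looks_like_transposition` on the row-transposition output returns true, and on the Caesar output from the substitution section returns false, which is the quick triage a cryptanalyst does before choosing an attack.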

Steganography

The methods of steganography conceal the existence of the message. It is time-consuming to construct. Other techniques:
- Character marking: Selected letters of printed or typewritten text are overwritten in pencil.
- Invisible ink: A number of substances can be used for writing but leave no visible trace until heat or some chemical is applied to the paper.
- Pin punctures: Small pin punctures on selected letters are ordinarily not visible unless the paper is held up in front of a light.
- Typewriter correction ribbon: Used between lines typed with a black ribbon, the results of typing with the correction tape are visible only under a strong light.

Block Cipher Principles

Stream Ciphers and Block Ciphers

A stream cipher, such as the Vigenere cipher, encrypts one letter at a time. A block cipher, such as the Hill cipher, treats an n-letter block of plaintext as a whole and produces a ciphertext block of equal length.

Motivation for the Feistel Cipher Structure

- most symmetric block ciphers are based on a Feistel cipher structure
- needed since one must be able to decrypt ciphertext to recover messages efficiently
- block ciphers look like an extremely large substitution
- would need a table of 2^64 entries for a 64-bit block
- instead create it from smaller building blocks using the idea of a product cipher

(General n-bit to n-bit Block Substitution)

Feistel Cipher

Feistel proposed the use of a cipher that alternates substitutions and permutations. This is a practical application of a proposal by Claude Shannon to develop a product cipher that alternates confusion and diffusion functions.

Confusion: In Shannon's original definitions, confusion makes the relation between the key and the ciphertext as complex as possible.

Diffusion: Diffusion refers to the property that the statistical structure of the plaintext is dissipated into long-range statistics of the ciphertext.

Feistel Cipher Structure

Horst Feistel devised the Feistel cipher based on the concept of an invertible product cipher:
- partitions the input block into two halves
- processes them through multiple rounds which perform a substitution on the left data half based on a round function of the right half and a subkey
- then has a permutation swapping the halves
- implements Shannon's S-P net concept

(Classical Feistel Network)

The Feistel network shown in Fig. 1 is a particular form of the substitution-permutation network. The input to a Feistel network is a plaintext block of n bits and a key K. The plaintext block is divided into two halves, L0 and R0.

The two halves of the data pass through r rounds of processing and then combine to produce the ciphertext block. Each round i has as input Li-1 and Ri-1, derived from the previous round, as well as a subkey Ki, derived from the overall key K. In general, the subkeys Ki are different from K and from each other. In this structure, a substitution is performed via the round function F, and a permutation is performed that interchanges the two halves of the data. The exact realization of a Feistel network depends on the choices of the following parameters and design features.

Parameters
- Block size: A larger block size means greater security, but reduces encryption/decryption speed.
- Key size: A larger key size means greater security but may decrease encryption/decryption speed.
- Number of rounds: Multiple rounds offer increasing security.
- Subkey generation algorithm: Greater complexity in subkey generation leads to greater security.
- Round function: Greater complexity in the round function means greater difficulty of cryptanalysis.

Design Features
- Fast software encryption/decryption
- Ease of analysis

Feistel Decryption Algorithm

(Feistel Encryption and Decryption)

The process of decryption with a Feistel network is essentially the same as the encryption process: use the ciphertext as input to the network, but use the subkeys Ki in reverse order, as shown in the above figure. The reason is explained as follows. Consider the last step in encryption, which gives

LE16 = RE15                                   (1)
RE16 = LE15 ⊕ F(RE15, K16)                    (2)

On the decryption side,

LD1 = RD0 = LE16 = RE15                       (3)
RD1 = LD0 ⊕ F(RD0, K16)                       (4)
    = RE16 ⊕ F(RE15, K16)                     (5)
    = [LE15 ⊕ F(RE15, K16)] ⊕ F(RE15, K16)    (6)
    = LE15                                    (7)

The process can be done iteratively. Finally, we see that the output of the decryption is the same as the input to the encryption (i.e., the original plaintext).
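The derivation above in code, as an added example that is not part of the original notes. The round function F and the key schedule are constructed placeholders built from SHA-256 (chosen because F is deliberately not invertible, which the Feistel structure never needs); the block size, 16 rounds and the final swap follow the text, so the output is RE16 || LE16 and decryption is literally the same function with the subkeys reversed:

```python
"""Feistel network: same network, subkeys in reverse order, recovers the plaintext (added example)."""
import hashlib

HALF = 4          # bytes per half: a 64-bit block, as in DES
ROUNDS = 16


def subkeys(master_key: bytes, rounds: int = ROUNDS) -> list:
    """Placeholder key schedule (constructed for this example): K_i = SHA-256(master || i)[:HALF]."""
    return [hashlib.sha256(master_key + bytes([i])).digest()[:HALF] for i in range(1, rounds + 1)]


def round_function(right: bytes, subkey: bytes) -> bytes:
    """F(R, K) as a placeholder: a truncated hash. Any function works, since F^-1 is never used."""
    return hashlib.sha256(subkey + right).digest()[:HALF]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def feistel(block: bytes, keys: list) -> bytes:
    """For each subkey: L_i = R_{i-1}, R_i = L_{i-1} xor F(R_{i-1}, K_i).
    The halves are swapped on output (R_r || L_r), which is exactly what lets the same
    network with K_r ... K_1 undo the transformation, as equations (1)-(7) show."""
    if len(block) != 2 * HALF:
        raise ValueError("block must be %d bytes" % (2 * HALF))
    left, right = block[:HALF], block[HALF:]
    for k in keys:
        left, right = right, _xor(left, round_function(right, k))
    return right + left


def encrypt(block: bytes, master_key: bytes) -> bytes:
    return feistel(block, subkeys(master_key))


def decrypt(block: bytes, master_key: bytes) -> bytes:
    return feistel(block, subkeys(master_key)[::-1])     # K_16, K_15, ..., K_1


def hamming_distance(a: bytes, b: bytes) -> int:
    """Number of differing bits; use it to measure the avalanche effect between two ciphertexts."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


if __name__ == "__main__":
    key, pt = b"secret-key", b"ABCDEFGH"
    ct = encrypt(pt, key)
    print(ct.hex(), decrypt(ct, key))
    print(hamming_distance(ct, encrypt(b"ABCDEFGI", key)), "ciphertext bits changed for a 1-bit plaintext change")
```

Because the inverse of F is never computed, the round function can be as non-linear as the designer likes; that freedom is the practical reason the structure was adopted.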

Data Encryption Standard (DES)

- the most widely used block cipher in the world
- adopted in 1977 by NBS (now NIST) as FIPS PUB 46
- encrypts 64-bit data using a 56-bit key
- has widespread use
- has been considerable controversy over its security

The following topics are covered:
1. DES Encryption
   a. Initial Permutation
   b. Details of a Single Round
   c. Key Generation
2. DES Decryption
3. The Avalanche Effect

DES Encryption

Initial Permutation (IP): The plaintext block undergoes an initial permutation. The 64 bits of the block are permuted.

A Complex Transformation: The 64-bit permuted block undergoes 16 rounds of complex transformation (using subkeys).

32-bit swap: The 32-bit left and right halves of the output of the 16th round are swapped.

Inverse Initial Permutation (IP-1): The 64-bit output undergoes a permutation that is the inverse of the initial permutation. The 64-bit output is the ciphertext.

The complex processing at each iteration/round:

Li = Ri-1
Ri = Li-1 ⊕ F(Ri-1, Ki)

Details of function F: It takes a 32-bit input and produces a 32-bit output.
- The 32-bit input is expanded into 48 bits. This is done by permuting and duplicating some bits of the 32 bits.
- An exclusive OR operation is performed between these 48 bits and the 48-bit subkey.
- The 48-bit output of the exclusive OR operation is grouped into 8 groups of 6 bits each.
- Each 6-bit group is fed into a 6-to-4 substitution box that transforms 6 bits to 4 bits.
- The 32-bit output of the 8 substitution boxes is fed into a permutation box.
- The 32-bit output of the permutation box is F(Ri-1, Ki).

Concerns about the key length (56 bits):
- A 56-bit key was adequate in the 70s.
- With faster processors, this encryption method is no longer safe.

DES Decryption

Decryption uses the same algorithm as encryption, except that the application of the subkeys is reversed.

The Avalanche Effect

A change in one bit of the plaintext or one bit of the key should produce a change in many bits of the ciphertext.

Block Cipher Design Principles

DES Design Criteria

Criteria for S-boxes
1. No output bit of any S-box should be too close to a linear function of the input bits.
2. Each row of an S-box should include all 16 possible output bit combinations.
3. If 2 inputs to an S-box differ in exactly 1 bit, the outputs differ in at least 2 bits.
4. If 2 inputs to an S-box differ in exactly the 2 middle bits, the outputs differ in at least 2 bits.
5. If 2 inputs to an S-box differ in their first 2 bits and are identical in their last 2 bits, the 2 outputs must not be the same.

Criteria for the P-box
1. Of the 4 output bits from each S-box at round i, 2 of them affect middle bits of round (i+1) and the other 2 affect end bits. The 2 middle bits of the input to an S-box are not shared with adjacent S-boxes. The end bits (2 left-hand bits and 2 right-hand bits) are shared with adjacent S-boxes.
2. The 4 output bits from each S-box affect 6 different S-boxes on the next round. No 2 affect the same S-box.
3. For 2 S-boxes j, k, if an output bit from Sj affects a middle bit of Sk on the next round, then an output bit from Sk cannot affect a middle bit of Sj. This implies that j = k.

Number of Rounds

The greater the number of rounds, the more difficult it is to perform cryptanalysis. Known cryptanalytic efforts should require more effort than a simple brute-force key search attack.

Design of Function F

Design criteria for F: The function F provides the confusion in a Feistel cipher. It should be difficult to unscramble the substitution performed by F, so F must be nonlinear.
- Strict Avalanche Criterion (SAC): Any output bit j of an S-box should change with probability when any single input bit i is inverted, for all i, j.
- Bit Independence Criterion (BIC): Output bits j and k should change independently when any single input bit i is inverted, for all i, j and k.

S-Box Design

Guaranteed Avalanche (GA): An S-box satisfies GA of order if, for a 1-bit input change, at least output bits change.

S-box design suggests the following approaches:
- Random: Use random digits to generate the entries in the S-box.
- Random with testing: Choose S-box entries randomly, then test the results against various criteria and throw out those that do not pass.
- Human-made: A manual approach with simple mathematics to support it.
- Math-made: Generate S-boxes according to mathematical principles.

Key Schedule Algorithm

The key schedule algorithm has received less attention than S-box design. It generates one subkey for each round.

Block Cipher Modes of Operation

- block ciphers encrypt fixed-size blocks, e.g. DES encrypts 64-bit blocks with a 56-bit key
- need a way to use them in practice, given that one usually has an arbitrary amount of information to encrypt
- four modes were defined for DES in the ANSI standard ANSI X3.106-1983 Modes of Use
- subsequently there are now 5 modes for DES and AES
- these include block and stream modes

The five modes are:
1. Electronic Codebook Mode (ECB)
2. Cipher Block Chaining Mode (CBC)
3. Cipher Feedback Mode (CFB)
4. Output Feedback Mode (OFB)
5. Counter Mode (CTR)

Electronic Codebook Mode(ECB) Plaintext is handled 64 bits at a time. Each block is encrypted using the same key

If a message is longer than 64 bit, the procedure is to break the message into 64bit blocks, padding the last block if necessary Decryption is performed one block at a time, using the same key. Advantage: Transmit a DES key securely. Disadvantage: The same 64bit block of plaintext appears more than once in the message always produce the same ciphertext. For lengthy message, the ECB mode may not secure.

Cipher Block Chaining Mode (CBC)
To overcome the security deficiencies of ECB, the same plaintext block, if repeated, should produce different ciphertext blocks. CBC mode is used to satisfy this requirement. The input to the encryption algorithm is the XOR of the current plaintext block and the preceding ciphertext block. The same key is used for each block. For decryption, each cipher block is passed through the decryption algorithm, and the result is XORed with the preceding ciphertext block to produce the plaintext block.

Cipher Feedback Mode (CFB)
The message is treated as a stream of bits. If a character stream is being transmitted, each character can be encrypted and transmitted immediately using a character-oriented stream cipher. The unit of transmission is s bits (s = 8 for characters). Errors propagate for several units after the error.

Encryption: a 64-bit shift register is initialized with the initialization vector IV. The leftmost s bits of the output of the encryption function are XORed with the first segment of plaintext P1 to produce the first unit of ciphertext C1. The contents of the shift register are then shifted left by s bits and C1 is placed in the rightmost s bits.
Decryption: the same scheme is used, except that the received ciphertext unit is XORed with the output of the encryption function to produce the plaintext unit.
C1 = P1 ⊕ S_s(E_K(IV))
P1 = C1 ⊕ S_s(E_K(IV))

Output Feedback Mode (OFB)
OFB is similar to CFB, except that in OFB it is the output of the encryption function that is fed back to the shift register.

Advantages:
o Bit errors in transmission do not propagate.
o Example: if a bit error occurs in C1, only the recovered value of P1 is affected; subsequent plaintext units are not corrupted.
Disadvantage: more vulnerable to a message stream modification attack than CFB.

Counter Mode (CTR)
A counter equal to the plaintext block size is used. The counter value must be different for each plaintext block that is encrypted. The counter is initialized to some value and then incremented by 1 for each subsequent block.
Advantages: hardware efficiency, software efficiency, preprocessing, random access, provable security, simplicity.
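The error-propagation difference between CFB and OFB described above, as an added example that is not part of the original notes: both modes are implemented with s = 8 over a 64-bit shift register, and a single corrupted ciphertext byte is traced into the recovered plaintext. The block cipher's forward function E_K is a stand-in keyed function built from SHA-256 (an assumption, not DES), which is enough because neither mode ever inverts it; the key, IV and message are constructed sample values.

```python
import hashlib

BLOCK = 8  # 64-bit shift register, matching the DES-based description above
KEY, IV = b"constructed-key", bytes(range(BLOCK))   # constructed sample values
PT = b"ATTACK AT DAWN. REPEAT: DAWN."                # constructed sample message

def ek(key: bytes, block: bytes) -> bytes:
    # Stand-in for the block cipher's forward function E_K (assumption, not DES):
    # a keyed pseudorandom function suffices because CFB and OFB never invert it.
    return hashlib.sha256(key + block).digest()[:BLOCK]

def cfb(key: bytes, iv: bytes, data: bytes, decrypt: bool = False) -> bytes:
    # CFB with s = 8: the leftmost s bits of E_K(register) are XORed with the unit,
    # and the ciphertext unit is shifted into the rightmost s bits of the register.
    reg, out = iv, bytearray()
    for unit in data:
        o = ek(key, reg)[0]
        c = unit ^ o                      # C_i = P_i XOR S_s(E_K(reg)), or the reverse
        out.append(c)
        reg = reg[1:] + bytes([unit if decrypt else c])   # ciphertext is always fed back
    return bytes(out)

def ofb(key: bytes, iv: bytes, data: bytes) -> bytes:
    # OFB with s = 8: the cipher output itself is fed back, so the keystream does not
    # depend on the data; a transmission error therefore touches only its own unit.
    reg, out = iv, bytearray()
    for unit in data:
        o = ek(key, reg)[0]
        out.append(unit ^ o)
        reg = reg[1:] + bytes([o])
    return bytes(out)                     # the same function encrypts and decrypts

def corrupted_positions(mode: str, flip_at: int) -> set:
    """Flip one bit in ciphertext unit flip_at; return the plaintext positions that differ."""
    if mode == "cfb":
        ct = bytearray(cfb(KEY, IV, PT))
        ct[flip_at] ^= 0x01
        rec = cfb(KEY, IV, bytes(ct), decrypt=True)
    else:
        ct = bytearray(ofb(KEY, IV, PT))
        ct[flip_at] ^= 0x01
        rec = ofb(KEY, IV, bytes(ct))
    return {i for i, (a, b) in enumerate(zip(PT, rec)) if a != b}

if __name__ == "__main__":
    # CFB: unit 3 plus the 8 units during which the bad byte sits in the register; OFB: unit 3 only
    print("CFB damaged units:", sorted(corrupted_positions("cfb", 3)))
    print("OFB damaged units:", sorted(corrupted_positions("ofb", 3)))
```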

Evaluation Criteria for AES


The Origins of AES
It was clear that a replacement for DES was needed: its key size is too small, and the variants are just patches. Triple-DES can be used, but it is slow and has small blocks. US NIST issued a call for ciphers in 1997; 15 candidates were accepted in June 1998, and 5 were shortlisted in August 1999.

AES Evaluation
Initial criteria:
security (effort for practical cryptanalysis)
cost in terms of computational efficiency
algorithm and implementation characteristics

Final criteria:
general security
ease of software and hardware implementation
implementation attacks
restricted-space environments
attacks on implementations
encryption versus decryption
key agility
flexibility
potential for instruction-level parallelism

AES Cipher: Rijndael
Rijndael was selected as the AES in October 2000 and issued as the FIPS PUB 197 standard in November 2001. It was designed by Joan Daemen and Vincent Rijmen in Belgium. It has 128/192/256-bit keys and 128-bit data. It is an iterative rather than a Feistel cipher: it processes data as a block of 4 columns of 4 bytes and operates on the entire data block in every round.

Characteristics:
resistant against known attacks
speed and code compactness on many CPUs
design simplicity

1. AES is not a Feistel structure. It processes the entire data block in parallel during each round using substitution and permutation.
2. The key that is provided as input is expanded into an array of 44 32-bit words.
3. Four different stages are used (one permutation and three substitutions):
   1. Substitution Bytes (SB): uses an S-box to perform a byte-by-byte substitution.
   2. Shift Rows (SR): a simple permutation.
   3. Mix Columns (MC): a substitution that makes use of arithmetic over GF(2^8).
   4. Add Round Key (ARK): a bitwise XOR of the current block with a portion of the expanded key.
4. The structure is simple. Both encryption and decryption begin with an Add Round Key stage, followed by 9 rounds of 4 stages each and a 10th round of 3 stages.
5. Add Round Key is the only stage that uses the key; it is a form of Vernam cipher.
6. The other stages (which do not use the key) provide confusion, diffusion and nonlinearity.
7. Each stage is reversible.
8. The decryption algorithm makes use of the expanded key in reverse order.
9. Since all 4 stages are reversible, it is easy to verify that decryption does recover the plaintext.
10. The final round of both encryption and decryption consists of only 3 stages.

Substitution Bytes (SB)
A simple substitution of each byte. It uses one S-box of 16x16 bytes containing a permutation of all 256 8-bit values. Each byte of state is replaced by the byte indexed by row (left 4 bits) and column (right 4 bits); e.g. byte {95} is replaced by the byte in row 9, column 5, which has value {2A}.
S-box construction:
Initialize the S-box with the byte values in ascending sequence row by row.
Map each byte in the S-box to its multiplicative inverse in the finite field GF(2^8).
Each byte in the S-box consists of 8 bits labeled (b7, b6, b5, ..., b1, b0).

Shift Row Transformation
A circular byte shift in each row:
1st row is unchanged
2nd row does a 1-byte circular shift to the left
3rd row does a 2-byte circular shift to the left
4th row does a 3-byte circular shift to the left

Mix Columns
Each column is processed separately. Each byte is replaced by a value dependent on all 4 bytes in the column. Effectively a matrix multiplication in GF(2^8) using the prime polynomial m(x) = x^8 + x^4 + x^3 + x + 1.

Add Round Key The 128 bits of state are bitwise XORed with the 128 bits of the round key. The operation is viewed as a columnwise operation between the 4 bytes of a State column and one word of the round key.
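The three key-independent stages just described, as an added worked example that is not part of the original notes: GF(2^8) multiplication modulo m(x) = x^8 + x^4 + x^3 + x + 1, the S-box built from the multiplicative inverse followed by the FIPS 197 affine map (the constant 0x63 and the rotation pattern are taken from the standard, not from these notes), ShiftRows, and MixColumns on one column. Running it confirms the {95} to {2A} substitution quoted above.

```python
# Added example (not the notes' code): the AES stages that do not use the key, built
# from GF(2^8) arithmetic with m(x) = x^8 + x^4 + x^3 + x + 1.
M_X = 0x11B   # m(x) as a bit pattern: 1 0001 1011

def gf_mul(a: int, b: int) -> int:
    """Multiply two bytes as polynomials over GF(2), reducing modulo m(x)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:          # degree reached 8: subtract (XOR) m(x)
            a ^= M_X
        b >>= 1
    return r

def gf_inv(a: int) -> int:
    """Multiplicative inverse in GF(2^8): a^254, because the 255 nonzero
    elements form a multiplicative group (0 is mapped to 0, as AES requires)."""
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r

def sbox(x: int) -> int:
    """SubBytes for one byte: multiplicative inverse, then the FIPS 197 affine map
    b'_i = b_i ^ b_(i+4) ^ b_(i+5) ^ b_(i+6) ^ b_(i+7) ^ c_i (indices mod 8, c = 0x63)."""
    b = gf_inv(x)
    y = b
    for s in (1, 2, 3, 4):                       # the four rotations of b, XORed in
        y ^= ((b << s) | (b >> (8 - s))) & 0xFF
    return y ^ 0x63

def shift_rows(state):
    """ShiftRows: row r of the 4x4 state (given as a list of 4 rows) rotates left by r."""
    return [row[r:] + row[:r] for r, row in enumerate(state)]

def mix_column(col):
    """MixColumns on one 4-byte column: multiply by the circulant matrix of 02 03 01 01."""
    a0, a1, a2, a3 = col
    return [gf_mul(a0, 2) ^ gf_mul(a1, 3) ^ a2 ^ a3,
            a0 ^ gf_mul(a1, 2) ^ gf_mul(a2, 3) ^ a3,
            a0 ^ a1 ^ gf_mul(a2, 2) ^ gf_mul(a3, 3),
            gf_mul(a0, 3) ^ a1 ^ a2 ^ gf_mul(a3, 2)]

if __name__ == "__main__":
    print(hex(sbox(0x95)))                        # the {95} -> {2A} example from the notes
    print([hex(v) for v in mix_column([0xDB, 0x13, 0x53, 0x45])])
```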

Triple DES

Double DES
In DES, it is possible to perform a brute-force attack. One alternative is to design a new algorithm; another is to use multiple encryptions with multiple keys. Consider 2-DES with two keys:

C = EK2(EK1(P))

Decryption:

P = DK1(DK2(C))

Key length: 56 x 2 = 112 bits

Meet-in-the-Middle Attack on 2-DES


2-DES: C = EK2(EK1(P))

So,

X = EK1(P) = DK2(C)

Given a known pair (P, C), attack as follows:


Encrypt P with all 2^56 possible keys for K1. Decrypt C with all 2^56 possible keys for K2. If EK1(P) = DK2(C), try the candidate keys on another (P, C) pair.

If that works too, the candidate pair is the real (K1, K2) with high probability.

Takes O(2^56) steps; not much more than attacking 1-DES.
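The attack just outlined, as an added example that is not part of the original notes: it is run against a deliberately tiny stand-in cipher (16-bit block, 12-bit key; an assumption, not DES) so that both key spaces can be searched exhaustively, which shows why double encryption costs an attacker about 2 x 2^k work rather than 2^(2k). The key values and plaintexts are constructed samples.

```python
# Added example (not the notes' code): meet-in-the-middle against double encryption
# with a toy cipher small enough to search. Real 2-DES has k = 56 in place of 12.
KEY_BITS = 12
MASK16 = 0xFFFF
MUL = 0x9E37                              # odd, hence invertible modulo 2^16
MUL_INV = pow(MUL, -1, 1 << 16)

def toy_enc(k: int, p: int) -> int:
    """Stand-in keyed permutation E_K (assumption, not DES): XOR key, multiply, rotate."""
    x = ((p ^ k) * MUL) & MASK16
    return ((x << 5) | (x >> 11)) & MASK16

def toy_dec(k: int, c: int) -> int:
    """Inverse of toy_enc: undo the rotation, the multiplication, then the key XOR."""
    x = ((c >> 5) | (c << 11)) & MASK16
    return ((x * MUL_INV) & MASK16) ^ k

def double_enc(k1: int, k2: int, p: int) -> int:
    return toy_enc(k2, toy_enc(k1, p))          # C = E_K2(E_K1(P))

def meet_in_the_middle(pairs):
    """Recover (K1, K2) from known (P, C) pairs with about 2 * 2^KEY_BITS cipher calls
    and a 2^KEY_BITS-entry table, instead of 2^(2 * KEY_BITS) for a naive search."""
    (p0, c0), rest = pairs[0], pairs[1:]
    table = {}                                  # X = E_K1(P0) -> every K1 that yields X
    for k1 in range(1 << KEY_BITS):
        table.setdefault(toy_enc(k1, p0), []).append(k1)
    found = []
    for k2 in range(1 << KEY_BITS):
        x = toy_dec(k2, c0)                     # X = D_K2(C0); a match gives a candidate pair
        for k1 in table.get(x, []):
            if all(double_enc(k1, k2, p) == c for p, c in rest):   # confirm on other pairs
                found.append((k1, k2))
    return found

if __name__ == "__main__":
    k1, k2 = 0x3A7, 0xC15                       # constructed secret keys
    pairs = [(p, double_enc(k1, k2, p)) for p in (0x1234, 0xBEEF, 0x0042)]
    print(meet_in_the_middle(pairs))            # contains (0x3a7, 0xc15)
```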

Triple DES with Two Keys
A straightforward implementation would be: C = EK1(EK2(EK1(P)))

In practice: C = EK1(DK2(EK1(P))), also referred to as EDE (encrypt-decrypt-encrypt). Reason: if K1 = K2, then 3DES reduces to single DES, so 3DES software can also be used as single DES.

Standardized in ANSI X9.17 & ISO8732

Triple DES with Three Keys

Encryption: C = EK3(DK2(EK1(P))). If K1 = K3, we have 3DES with 2 keys. If K1 = K2 = K3, we have regular DES. So 3DES with 3 keys is backward compatible with 3DES with 2 keys and with regular DES.

Placement of Encryption Function

Points of Vulnerability
An adversary can eavesdrop from a machine on the same LAN.
An adversary can eavesdrop by dialing into a communication server.
An adversary can eavesdrop by gaining physical control of part of the external links (twisted pair, coaxial cable or optical fiber; radio or satellite links).

Confidentiality using Symmetric Encryption
There are two major placement alternatives: link encryption and end-to-end encryption.

Link encryption: encryption occurs independently on every link, so all traffic over all communication links is secured. This implies that traffic must be decrypted between links, because the switch must read the address in the packet header. Each pair of nodes shares a unique key, with a different key used on each link, so many keys are needed. The message is vulnerable at each switch. If working with a public network, the user has no control over the security of the nodes.

End-to-end encryption: encryption occurs between the original source and the final destination. Devices with shared keys are needed at each end. It secures the transmission against attacks on the network links or switches.

End-to-end principle: what part of each packet will the host encrypt, the header or the user data? It provides a degree of authentication, since only the alleged sender shares the relevant key.

Placement of Encryption
The encryption function can be placed at various layers of the OSI Reference Model. Link encryption occurs at layers 1 or 2; end-to-end encryption can occur at layers 3, 4, 6 or 7.

If encryption moves toward a higher layer, less information is encrypted but it is more secure; application-layer encryption is more complex, with more entities involved and more keys needed.

Scope of Encryption

Monitoring of communication flows between parties is useful in both military and commercial spheres; it can also be used to create a covert channel.

Link encryption obscures header details, but overall traffic volumes in networks and at end-points are still visible.

Traffic padding can further obscure flows, but at the cost of continuous traffic.

When using end-to-end encryption, headers must be left in the clear so the network can correctly route information.

Hence, although contents are protected, traffic pattern flows are not; ideally we want both at once.

End-to-end encryption protects data contents over the entire path and provides authentication; link encryption protects traffic flows from monitoring.

Traffic Confidentiality
From a traffic analysis attack, the following types of information can be derived:
Identities of partners
How frequently the partners are communicating
Message pattern, message length or quantity of messages being exchanged
The events that correlate with special conversations between particular partners
Traffic patterns can also be used to create a covert channel. A covert channel is a means of communication in a fashion unintended by the designers of the communications facility.

Link Encryption Approach
Network-layer headers are encrypted, reducing the opportunity for traffic analysis. An attacker is still able to assess the amount of traffic on a network and to observe the amount of traffic entering and leaving each end system. Traffic padding produces ciphertext output continuously, even in the absence of plaintext: a continuous random data stream is generated; when plaintext is present, it is encrypted and transmitted; when plaintext is not present, random data is encrypted and transmitted.

End-to-End Encryption Approach
With end-to-end encryption, the measures available to the defender are more limited. If encryption is implemented at the application layer, then the opponent can determine which transport entities are engaged in dialogue. If encryption is at the transport layer, then network-layer addresses and traffic patterns remain accessible.
