Cryptography and Network Security

Published on June 2016

REJIN R
Asst. Prof.,
Department of Information Technology,
Govt. Engg. College Idukki

“The history of codes & ciphers is the story of the
centuries old battle between codemakers and
codebreakers, an intellectual arms race that has had
a dramatic impact on course of history. ”
- Simon Singh, The Code Book

Classical Cryptography

Ciphers
 Crypto (secret) + graphy (writing) = cryptography.
 The history of cryptography leads back to the age of the Roman Empire.
 Ciphers were introduced to communicate war commands securely with generals.
 A cipher is a method of shifting letters in order to disguise a message.
 Caesar used a shift of 3: the Caesar cipher.

Cipher Cryptography
 A message, the plaintext, is converted by some process, the cipher algorithm, into an enciphered form: the cipher text.
 The cipher algorithm is usually well known; what makes a cipher system secret is the key, some vital piece of information that is needed to perform the algorithm.
(Diagram) You write a message (plain text) and pass it through the cipher algorithm; the enciphered message (cipher text) travels over an open channel, where interception is possible, to your general, who applies the cipher algorithm in reverse to recover the message (plain text).

Cipher Cryptography
 Caesar cipher is a type of substitution cipher.
 Cipher algorithm: each letter in the plain alphabet is replaced with the letter n places further on in the alphabet.
 Key = n, the number of letters to shift.
HELLO EVERYONE
JGNNQ GXGUAQPG
 Here key = 2.

Cracking the Caesar Cipher
 The Caesar cipher was used for hundreds of years.
 Achilles heel: there are only 25 possible cipher alphabets.
 It wouldn’t take long to try them all.
 Crack it: an attacker can try all 25 shifts and keep the one that yields a valid message. This is the brute force method.

Substitution Cipher
 We need some better method which is less regular.
 We must still have a key from which the recipient can reproduce the alphabet.
 Why can’t we use some random alphabet?
 If we use a random alphabet, everyone has to carry a little book to see which letter is which.
 If that person gets captured, the alphabet falls into enemy hands = Game Over!!!..

Mono Alphabetic Substitution Cipher
 Take as your key a favorite quote.
 “Pure Mathematics is, in its way the poetry of logical ideas.”
- Albert Einstein
 The distinct letters of the quote, in order of first appearance, followed by the unused letters of the alphabet:
Plain : A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
Cipher: P U R E M A T H I C S N W Y O F L G D B J K Q V X Z

 Your agents have intercepted an
enciphered message from the enemy.

Cracking the Mono Alphabetic
Substitution Cipher
 In the 8th century AD, Islamic culture entered a golden age.
 Cryptography was routinely used for matters of state.
 This led to the development of cryptanalysis.
 Scholars used a combination of mathematics, statistics and linguistics to develop techniques for deciphering messages when the key is unknown.
 In studies of the Quran, scholars had noticed that some letters appear more frequently than others.

Cracking the Substitution Cipher
 In written English, e and t are more frequent than z and q.
 This fact can be used to decipher messages.
 The process is called frequency analysis.
 It relies on the average frequency of each letter in the language.

Cracking the Substitution Cipher
 Doubled letters in words are likely to be: “ss”, “ee”, “tt”, “ff”, “ll”, “mm”, “oo”.
 A one-letter word is either “a” or “i”.
 Two-letter words: “of”, “to”, “in”, “it”, “is”, “be”, “as”, “at”, “so”, “we”, “he”, “by”, “or”, “on”, “do”.
 Three-letter words: “the”, “and”.
 The letter h often goes before e (he, the, then) but rarely goes after e. No other pair of letters has such an asymmetric relationship.

Let’s crack it
NKRRU NKXK OY G ZKYZ SKYYGMK ZU KTIOVNKX LUX AYK GY GT KDGSVRK OT GT GXZOIRK LUX OYWAGXKO SGMGFOTK
Hello here is a text message to encipher for use as an example in an article for isquared magazine.

Frequency analysis: lots of guessed words and lots of dead ends.

Notice that every cipher letter sits the same distance from its plain letter in the alphabet.
So this is a Caesar cipher with key = 6.

Let’s crack it
 So by knowing the key you can decipher future messages from the enemy.
 But be careful what information you act on, so that the enemy doesn't get suspicious.
 If they do, they may change the algorithm itself. End of story!...
 Another technique for cryptanalysis is to use a crib: a phrase you can guess will be in the message.

How to resist Cryptanalysis???...
 Can a cipher be created that provides greater resistance to frequency analysis?
 During the Renaissance in Europe, politics became more complicated.
 This contributed to the development of cryptography and cryptanalysis.
 So methods for countering frequency analysis were introduced:
  Omitting spaces
  Uniform spacing
  Deliberate misspelling


How to resist Cryptanalysis???...
 All these methods helped, but ultimately cryptanalysis won
out and each method could be cracked.
 So some better cipher was needed.

Introduction to Poly Alphabetic
Cipher
 Poly-alphabetic substitution cipher: one plain alphabet is coded to more than one cipher alphabet.

Vigenère cipher
 Most famous poly-alphabetic substitution cipher.
 Emerged in the 16th century.
 Invented by Blaise De Vigenère
 Cipher alphabets must be chosen by some systematic
process.


Vigenère table

Vigenère cipher

Vigenère cipher
 Cipher algorithm: encode each letter using the next cipher alphabet in turn, cycling through the cipher alphabets.
 Through the use of multiple alphabets, the chart of letter frequencies is distorted, providing strong resistance to frequency analysis.
 Vigenère is more complicated to implement than single-alphabet substitution ciphers.
 This adds to the time taken to encipher and decipher messages.

Enhancing the Vigenère cipher - Autokey
 Is there any way to improve the security of the Vigenère cipher?
 Solution: Autokey, using the message as the key.
 Keyword: SECURITY
Message: T H I S I S A N I M P O R T A N T M E S S A G E
Key    : S E C U R I T Y T H I S I S A N I M P O R T A N T M E S S A G E
 The message itself is part of the encryption mechanism.
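Both the plain Vigenère cipher and the autokey variant above, as an added Python example (not code from the slides), using the slide's keyword SECURITY and message; it also shows that the two agree only for the first keyword-length block of letters.

```python
import string

ALPHABET = string.ascii_uppercase


def _letters(text: str) -> str:
    """Keep only A-Z; the slides drop spaces before enciphering."""
    return "".join(c for c in text.upper() if c in ALPHABET)


def _add(m: str, k: str) -> str:
    return ALPHABET[(ALPHABET.index(m) + ALPHABET.index(k)) % 26]


def _sub(c: str, k: str) -> str:
    return ALPHABET[(ALPHABET.index(c) - ALPHABET.index(k)) % 26]


def vigenere_encrypt(message: str, keyword: str) -> str:
    """Each letter uses the next cipher alphabet; the keyword repeats (period = len(keyword))."""
    msg, key = _letters(message), _letters(keyword)
    return "".join(_add(m, key[i % len(key)]) for i, m in enumerate(msg))


def vigenere_decrypt(ciphertext: str, keyword: str) -> str:
    key = _letters(keyword)
    return "".join(_sub(c, key[i % len(key)]) for i, c in enumerate(_letters(ciphertext)))


def autokey_stream(message: str, keyword: str) -> str:
    """Autokey: keyword first, then the message itself, cut to the message length."""
    msg = _letters(message)
    return (_letters(keyword) + msg)[:len(msg)]


def autokey_encrypt(message: str, keyword: str) -> str:
    msg = _letters(message)
    return "".join(_add(m, k) for m, k in zip(msg, autokey_stream(msg, keyword)))


def autokey_decrypt(ciphertext: str, keyword: str) -> str:
    """Decryption must be sequential: each recovered plaintext letter extends the key."""
    key = list(_letters(keyword))
    plain = []
    for i, c in enumerate(_letters(ciphertext)):
        p = _sub(c, key[i])
        plain.append(p)
        key.append(p)
    return "".join(plain)
```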


Stronger ciphers
 These examples prove to us that substitution ciphers are not enough.
 In substitution ciphers, characters are replaced.
 Experience will lead to breaking the code.
 The solution is shuffling (transposing) the characters.
 Eg: Bifid cipher

Stronger ciphers
 Message: I UNDERSTAND CRYPTOGRAPHY
 Horizontally: 2 5 4 3 2 2 4 5 1 4 3 3 2 1 1 5 4 3 2 1 1 3 1
 Vertically: 1 2 2 3 3 2 5 1 3 2 3 2 3 2 4 1 1 3 3 1 1 5 4
 Grouping: 25 43 22 45 14 33 21 ………… 12 23 32 51 32 32 32 ….
 Encrypted message: MORSYDI…….LECT…..
 Security is enhanced.
 But it is still breakable with some more effort.

One time Pad
 How to design a cipher which is resilient to frequency analysis?
 Solution: randomness.
 Suppose you rolled a 26-sided die to generate a long list of random shifts and shared it with your war generals.
 That random list of shifts is used to encrypt and decrypt.
 The list of shifts must be as long as the message, to avoid repetition.
 Now cracking it in between is impossible.

One time Pad
 Now cracking it in between is impossible, because:
1. the shifts never fall into a repetitive pattern;
2. the encrypted message has a uniform frequency distribution.
 Therefore nothing leaks.
 This is the strongest possible method of encryption.
 It emerged at the end of the 19th century.
 It is now known as the one-time pad.

One time Pad the most powerful
cipher
 Keyspace of Caesar cipher = 26
 Keyspace of One time pad = 26 x 26 x 26 x 26 x …..
 Combinatorial explosion.
 One time pad = Perfect secrecy.
 Enigma cipher used some preliminary versions of one time
pad

Modern
Cryptography

Security Goals
1. Confidentiality:
 The most common aspect of information security.
 Ensure data is secret.
 Users: military, industry, banking.
2. Integrity:
 Changes need to be done only by authorized entities and through authorized mechanisms.
3. Availability:
 The information created and stored by an organization needs to be available to authorized entities.

Cryptographic attacks
1. Cryptanalytic attacks:
 Use statistical, algebraic and linguistic techniques to break the code.
 Inspect the mathematical properties of the cryptographic algorithms and aim at finding deviations from the uniform distribution.
 Objective: to find properties of the cipher which do not exist in a random fashion.
2. Non-cryptanalytic attacks:
 Do not exploit the mathematical weakness of the cryptographic algorithm.
 Most threatening class of attack: affects confidentiality,

Cryptanalytic attacks

Non-Cryptanalytic attacks
1. Attacks threatening Confidentiality:
a) Snooping: Unauthorized access to or interception of data.
b) Traffic Analysis: Obtain some type of information by
monitoring the traffic

(Figures: Snooping; Traffic Analysis)

Non-Cryptanalytic attacks
2. Attacks threatening Integrity:
a) Modification: After intercepting attacker modifies the
information. Sometimes attacker deletes or delays the
message.
b) Masquerading / Spoofing: Attacker impersonates
somebody else.

(Figures: Modification; Masquerading/Spoofing)

Non-Cryptanalytic attacks
2. Attacks threatening Integrity (continued):
c) Replaying: The attacker obtains a copy of a message sent by a user and later tries to replay it.
d) Repudiation: Performed by one of the two parties in the communication. The sender or receiver later denies having sent or received the message.

Non-Cryptanalytic attacks
3. Attacks threatening Availability:
a) Denial of Service: Slow down or totally interrupt the
service of a system.
 One way to achieve this is to send bogus requests to a
server so that it crashes.
 Most critical type: DDoS(Distributed Denial of Service)

Passive Versus Active attacks
a) Passive Attacks: Attacker’s goal is just to obtain
information.
 Attack does not modify data or harm the system.
 It is difficult to detect this type of attack until the sender or
receiver finds out about leaking of confidential information.
b) Active Attacks: Attack may change the data or harm the
system.

Security Services and
Mechanisms
1. Security Services:
a) Data confidentiality: Designed to protect data from
disclosure attack.
b) Data integrity: Designed to protect data from
modification, insertion, deletion and replaying.
c) Authentication: Provides authentication of the party at
the other end of the line.
d) Non-repudiation: Service protects against repudiation
e) Access Control: Control access to system based on
credentials

Security Services and
Mechanisms
2. Security mechanisms:
a) Encipherment: Hiding or covering data.
b) Data integrity: Appends short check value that has
been created by a specific process from the data itself.
Receiver checks for check value.
c) Digital Signature: Sender can electronically sign the
data and the receiver can electronically verify the signature.
d) Authentication: Two entities exchange some message
to prove their identity to each other.
e) Traffic Padding: inserting some bogus data into the
data traffic to thwart the adversary’s attempt to use the

Security Services and
Mechanisms
2. Security mechanisms:
f) Routing Control: Selecting and continuously changing different available routes to prevent eavesdropping on a particular route.
g) Notarization: Selecting a trusted third party to control the communication between two entities.
h) Access control: Uses methods to prove that a user has the right to access the data or resources owned by the system.

Modern Cryptography
 Modern cryptographic systems are characterized along 3
independent dimensions.
1. Type of operation to transform plain text to cipher
text:
a) Substitution
b) Transposition
2. The number of keys used:
a) Symmetric Key
b) Asymmetric Key
3. The way in which plain text is processed:
a) Block cipher
b) Stream cipher

Modern Cryptography
 Previously, character-oriented ciphers were used.
 With the advent of computers, information is all binary: text, video, graphics, audio etc…
 So bit-oriented ciphers are used.
 Characters were replaced by 8 bits -> the number of symbols is 8 times larger.
 Increase in security.

Modern Cryptography

Symmetric Key
Cryptography

Symmetric Key Cryptography
 We need a strong cryptographic algorithm.
 We need security under the assumption that the attacker knows the algorithm and has access to one or more cipher texts.
 Still he should be unable to break the code.
 What if he has some plaintext and ciphertext combinations?
 For a stronger algorithm he should still be unable to break the code.
 To increase security: symmetric key / secret key.

Symmetric Key Cryptography
 One most important requirement: sender and receiver must have obtained copies of the key in advance, in a secret manner.
 We don’t need to keep the algorithm secret, only the key.
 This feature makes secret key cryptography suitable for widespread use.

Model of Symmetric Key
Cryptosystem

Stream Ciphers

Stream Cipher
 Encrypts bits individually.
 Achieved by combining a bit from the key stream with a plaintext bit.
 Classical stream ciphers: Caesar cipher, Vigenère cipher, etc…
 Most secure type of stream cipher: one-time pad.
 Modern stream cipher: RC4 (was used in Wi-Fi security: WPA).

Stream Cipher vs Block Cipher
 On the internet, block ciphers are used more often than stream ciphers.
 Because stream ciphers are small and fast, they are relevant for applications with little computational resources. Eg: Wi-Fi security, GSM mobile phones etc…
 Stream ciphers are efficient: software-optimized stream ciphers need fewer processor instructions to encrypt one bit of plaintext, and hardware-optimized stream ciphers need fewer gates.

XOR operation and Security
 The XOR operation plays a major role in modern cryptography.
 Modulo-2 addition = XOR.
 Why is the XOR operation particularly useful? Why not AND?
 Depending on the key bit, the cipher text bit is either 0 or 1.
 i.e., it is unpredictable: a 50% chance of having the value 0 or 1.
 XOR is perfectly balanced, i.e., by observing the output value there is exactly a 50% chance for any value of the input bits.

Properties of XOR
1. Closure: the result of XORing two n-bit words is another n-bit word.
2. Associativity: A ⊕ (B ⊕ C) = (A ⊕ B) ⊕ C
3. Commutativity: A ⊕ B = B ⊕ A
4. Existence of identity: A ⊕ (00…0) = A
5. Existence of inverse: A ⊕ A = (00…0)
6. Inverse: Y = X ⊕ k ⟹ X = k ⊕ Y
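The XOR properties above applied as a one-time pad, as an added Python example (not code from the slides): the pad comes from the OS random source, decryption is the same XOR (property 6), and `pad_that_explains` shows why a ciphertext on its own cannot single out the real message. The sample messages are constructed.

```python
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR of two n-byte words; the result is again an n-byte word (closure)."""
    if len(a) != len(b):
        raise ValueError("XOR is defined on words of equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def generate_pad(length: int) -> bytes:
    """Fresh random key stream, one byte per plaintext byte, never to be reused."""
    return secrets.token_bytes(length)


def otp_encrypt(plaintext: bytes, pad: bytes) -> bytes:
    """Y = X XOR k. The pad must be at least as long as the message."""
    if len(pad) < len(plaintext):
        raise ValueError("pad must be at least as long as the message")
    return xor_bytes(plaintext, pad[:len(plaintext)])


def otp_decrypt(ciphertext: bytes, pad: bytes) -> bytes:
    """X = k XOR Y: XOR is its own inverse, so decryption is the same operation."""
    return otp_encrypt(ciphertext, pad)


def pad_that_explains(ciphertext: bytes, candidate_plaintext: bytes) -> bytes:
    """For ANY candidate plaintext of the same length there is a pad that maps it to this
    ciphertext, so the ciphertext alone gives no way to prefer one candidate over another."""
    return xor_bytes(ciphertext, candidate_plaintext)


def output_bit_balance(plain_bit: int) -> tuple:
    """Balanced output: for a fixed plaintext bit, the two key bits give output 0 once and 1 once."""
    outputs = [plain_bit ^ key_bit for key_bit in (0, 1)]
    return outputs.count(0), outputs.count(1)
```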

Block Ciphers

Block Ciphers- Confusion & Diffusion
 According to Claude Shannon there are two primitive operations with which strong encryption algorithms can be made:
1. Confusion:
 An encryption operation where the relationship between key and cipher text is obscured.
 Today, a common element for achieving confusion is substitution.
2. Diffusion:
 An encryption operation where the influence of one plaintext symbol is spread over many cipher text symbols.

Product Ciphers
 Confusion or diffusion individually is not strong enough.
 By combining confusion and diffusion a stronger cipher can be built.
 Shannon also proposed the idea of concatenating several encryption operations, which is known as a product cipher.
 All of today’s block ciphers are product ciphers.
 They consist of rounds which are applied repeatedly (diagram: Round 1, Round 2, …, Round N).
 DES is a product cipher.

Data Encryption Standards
(DES)

Introduction to DES
 Most popular symmetric cipher.
 Was proposed in 1974 as a joint project by IBM and the NSA (National Security Agency), based on an earlier cipher called LUCIFER.
 Uses a Feistel structure.
 Block size = 64 bits
 Key size = 56 bits

Details of DES

Introduction to DES
 Iterative algorithm.
 16 rounds, with each round performing identical operations.
 In every round a different subkey is used, derived from the main key.
 Uses the Feistel structure, thereby making the encryption and decryption processes almost the same.
 Decryption requires only a reversed key schedule.
 Let’s go deep into one round of encryption.

Feistel Structure/Network
 Many of today’s ciphers use a Feistel network.
 The plain text is split into two halves L0 and R0.
 These two 32-bit blocks are input to the Feistel network, which consists of 16 rounds.
 The right half Ri is fed into the function f together with the key ki.
 The output of f is XORed with the left 32-bit half Li.
 Finally, the right and left halves are swapped.


Feistel Structure of DES
 Simple question: which of the two halves is encrypted? Left or right?
 Ans: it’s the left-hand side (L0). It is not the right-hand side (R0), because R0 is directly copied to L1.
 L0 is encrypted by first applying the function f to R0, and then XORing the result with L0.
 Why this swap between the left-hand and right-hand sides in the Feistel structure?
 This is what makes decryption work just by reversal!!!...


Feistel Structure of DES
 To decrypt (obtain L0 from L1, R1) we need to XOR R1 with the output of the function f.
 To compute the function f we need the key k1 (which the receiver already has) and R0.
 Question: does Bob know R0?
 Of course!!!: we have copied R0 to L1 in the Feistel structure.
 If R0 were not copied we would never be able to decrypt. That’s why we have to copy R0.


Initial Permutation and Final Permutation
of DES
 One round of encryption is repeatedly applied over 16 rounds.
 Initial Permutation (IP) & Final Permutation (IP^-1):
 Simple bit permutations.
 Very easy to implement in hardware, but slow in software.
 The two permutations are inverse operations.

IP and IP-1 of DES
 Both tables are read from left to right, top to bottom.
 The final permutation IP^-1 performs the inverse operation of IP.
 Do these permutations increase DES’s security?
 Not at all!!!!.... Since they are publicly known, an attacker can reverse them…

IP and IP-1 of DES
 L and R are swapped again at the end of the 16th round.

The ‘f’ function of DES

DES Decryption
 DES decryption is essentially the same as encryption.
 This is because DES is based on the Feistel structure.
 Compared to encryption, only the key schedule is reversed.
 In decryption, the subkey needed in round 1 is key 16, etc…
 How to generate the reversed key schedule?
 Why does decryption require a reversed key schedule?

DES Decryption – Reversed Key Schedule
 Given the initial DES key k, how can we generate k16?
 We know: C0 = C16, D0 = D16. This is because the halves are rotated left by a total of 28 positions over the 16 rounds.
 To compute K16:

 To compute K15 we need C15 and D15, which can be derived from C16, D16 by a cyclic right shift (RS).

DES Decryption – Why is Decryption the same as Encryption?
 Basic idea: the decryption function reverses DES encryption in a round-by-round manner.
 i.e., decryption round 1 reverses encryption round 16.
 And thus:

 The first decryption round reverses the last encryption round.
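An added Python example (not code from the slides, and not DES itself) of the Feistel structure and the reversed key schedule discussed above. The toy round function f and the `mix_halves` stand-in for PC-2 are assumptions; the rotation schedule, the copying of R into the next L, the final swap, and the "decrypt = encrypt with reversed subkeys" property are as described in the slides.

```python
MASK32 = 0xFFFFFFFF
MASK28 = (1 << 28) - 1
# DES's per-round left-rotation amounts for the C and D key halves; they sum to 28,
# which is why C16 == C0 and D16 == D0.
ROTATIONS = [1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1]


def rotl28(x: int, n: int) -> int:
    return ((x << n) | (x >> (28 - n))) & MASK28


def rotr28(x: int, n: int) -> int:
    return ((x >> n) | (x << (28 - n))) & MASK28


def split_key(key56: int) -> tuple:
    """(C0, D0): the two 28-bit halves of the 56-bit key."""
    return key56 >> 28, key56 & MASK28


def mix_halves(c: int, d: int) -> int:
    """Stand-in for DES's PC-2 compression (assumption: not the real table)."""
    return ((c * 0x2545F491) ^ (d * 0x9E3779B1)) & MASK32


def key_schedule(key56: int) -> tuple:
    """Forward schedule k1..k16; also returns (C16, D16) to show they equal (C0, D0)."""
    c, d = split_key(key56)
    subkeys = []
    for n in ROTATIONS:
        c, d = rotl28(c, n), rotl28(d, n)
        subkeys.append(mix_halves(c, d))
    return subkeys, (c, d)


def reversed_key_schedule(key56: int) -> list:
    """k16 first: start from (C16, D16) = (C0, D0) and walk back with right rotations."""
    c, d = split_key(key56)
    subkeys = []
    for n in reversed(ROTATIONS):
        subkeys.append(mix_halves(c, d))
        c, d = rotr28(c, n), rotr28(d, n)   # (C_i, D_i) -> (C_{i-1}, D_{i-1})
    return subkeys


def round_function(right: int, subkey: int) -> int:
    """Toy f (assumption). It need not be invertible: the Feistel structure never inverts it."""
    x = ((right ^ subkey) * 0x7FEB352D) & MASK32
    return (x ^ (x >> 15)) & MASK32


def one_round(left: int, right: int, subkey: int) -> tuple:
    """L_{i+1} = R_i (copied unchanged), R_{i+1} = L_i XOR f(R_i, k_i)."""
    return right, left ^ round_function(right, subkey)


def feistel(block64: int, subkeys: list) -> int:
    left, right = block64 >> 32, block64 & MASK32
    for k in subkeys:
        left, right = one_round(left, right, k)
    # the halves are swapped again after the last round
    return (right << 32) | left


def encrypt(block64: int, key56: int) -> int:
    return feistel(block64, key_schedule(key56)[0])


def decrypt(block64: int, key56: int) -> int:
    return feistel(block64, reversed_key_schedule(key56))
```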

Mathematical
Preliminaries for
Cryptography!!!

Modulo Arithmetic
 The most important operation in modern cryptography.
 The fundamental idea behind asymmetric key cryptography.
 Used in classical cryptosystems also. Eg: Caesar cipher (modular addition with a fixed value).
 Both symmetric and asymmetric crypto-algorithms are based on arithmetic over a finite number of elements.

Modulo Arithmetic

Modulo Arithmetic – How to compute the Remainder???

Modulo Arithmetic – Equivalence Classes
 Eg: Equivalence classes of 9:

 All members of a given class behave equivalently.
 Each equivalence class is infinite.
 All these equivalence classes together cover the whole range of integers.

Modulo Arithmetic – Equivalence Classes
 For a given modulus m, it does not matter which element from a class we choose for a given computation.
 This property of modular arithmetic has several practical implications.
 If we have computations with a fixed modulus (usually the case in cryptography) we are free to choose the class element that results in the easiest computation.
 This property helps to perform one of the core operations in public key cryptography => modular exponentiation.

Applications of Modular arithmetic -Modular
Exponentiation
 We want to compute 3^8 mod 7:
Method 1: straightforward computation:

Method 2: smarter method:

 Applications in public key algorithms: RSA, Diffie-Hellman, Elliptic Curve Cryptography, etc…

Prime Numbers

Prime numbers
 Number of days between full moons????....
 Ans: 29
 What if we try to divide 29 into equal pieces???
 It is impossible….. The only way to divide 29 into equal pieces is to break it back down into single units.
 ⇒ 29 is a prime number.
 If a number can be broken down into equal pieces greater than 1, then it is a composite number.

Prime numbers
 How many prime numbers are there??? How big they get???
 Let’s divide all numbers into two categories: prime numbers
and composite numbers

 Structure of this pattern is still unsolved today.

Fundamental Theorem of
Arithmetic

Fundamental Theorem of Arithmetic
 The ancient Greek philosopher Euclid (300 BC) understood that all numbers can be divided into two categories: prime and composite.
 He realized that any number can be divided over and over until it reaches a group of smallest equal numbers.
 These smallest numbers are always prime numbers.
 i.e., all numbers are built out of a set of primes.

Fundamental Theorem of Arithmetic
 In other words prime numbers are building blocks to
set of numbers.

Fundamental Theorem of Arithmetic
 Take any number and find all the prime numbers that divide it equally. This is known as factorization.
30 = 2+2+ …… 15 times
30 = 3+3+…….10 times
30 = 5+5+…….6 times
 This gives us the prime factors. Here they are 2, 3 and 5.
 Euclid realized that you could multiply these prime factors a specific number of times to build the original number.
In this case it is: 30 = 2^1 x 3^1 x 5^1
 There is no other way to build 30 using some other group of primes multiplied together.
 So every possible number has one and only prime

Fermat’s Theorem

Fermat’s Little Theorem

 Example:

Fermat’s Theorem - Application
 Useful for primality testing (given a number, test whether it is prime or not).
 This works as follows:
 If any random number p is given, take some number from 1 to p.
 Let’s assume the chosen number is a.
 Test this using Fermat’s theorem.
 If this test fails then p is a composite number.
 In case the test passes we can’t say it is a prime number. It is
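The Fermat primality test described above, as an added Python example (not code from the slides). It shows both outcomes the slide distinguishes: a failing base proves p composite, while passing bases prove nothing, as the Carmichael number 561 = 3 x 11 x 17 illustrates (it passes for every base coprime to it).

```python
def fermat_test(p: int, bases) -> bool:
    """False: some base a has a^(p-1) != 1 (mod p), so p is composite.
    True: every base passed, so p is 'probably prime' (it may still be composite)."""
    if p < 2:
        return False
    if p < 4:
        return True
    for a in bases:
        a %= p
        if a == 0:
            continue
        if pow(a, p - 1, p) != 1:
            return False
    return True


def fermat_witness(p: int, bases):
    """The first base that proves p composite, or None if none of them does."""
    for a in bases:
        if a % p != 0 and pow(a % p, p - 1, p) != 1:
            return a
    return None


def is_prime_trial(p: int) -> bool:
    """Slow but certain: trial division, to check what the Fermat test only hints at."""
    if p < 2:
        return False
    d = 2
    while d * d <= p:
        if p % d == 0:
            return False
        d += 1
    return True


def fermat_liars(p: int) -> list:
    """Bases 2..p-2 that pass the test even though p is composite."""
    if is_prime_trial(p):
        return []
    return [a for a in range(2, p - 1) if pow(a, p - 1, p) == 1]
```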

Euler’s Theorem

Euler’s Totient Function
 If n is a positive integer, then Euler’s totient function of n represents the number of positive integers less than n which are relatively prime to n.
 a is relatively prime to n if gcd(n, a) = 1.

Euler’s Totient Function & Euler’s
Theorem

 This property is utilized in RSA algorithm.

Euler’s Totient Function

Primitive Roots

Primitive Roots
 Consider the powers of 7 modulo 19

Primitive Roots

Primitive Roots

Primitive Roots – Discrete
Logarithms


A primitive root has one important property that makes it suitable for cryptography: when it is raised to different exponents, the results are distributed uniformly.
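An added Python example (not code from the slides) covering the totient function, Euler's theorem and the primitive-root property above: it rebuilds the powers-of-7-mod-19 table from the earlier slide, finds that 7 cycles after 3 steps and so is not a primitive root, and checks which residues mod 19 really are.

```python
from math import gcd


def totient(n: int) -> int:
    """phi(n): how many of 1..n-1 are relatively prime to n (straight from the definition)."""
    return sum(1 for a in range(1, n) if gcd(a, n) == 1)


def euler_theorem_holds(a: int, n: int) -> bool:
    """Euler: a^phi(n) = 1 (mod n) whenever gcd(a, n) = 1."""
    return gcd(a, n) == 1 and pow(a, totient(n), n) == 1


def powers_mod(a: int, p: int) -> list:
    """a^1, a^2, ..., a^(p-1) mod p: the table the slide builds for 7 mod 19."""
    return [pow(a, k, p) for k in range(1, p)]


def multiplicative_order(a: int, p: int) -> int:
    """Smallest k >= 1 with a^k = 1 (mod p)."""
    for k in range(1, p):
        if pow(a, k, p) == 1:
            return k
    raise ValueError(f"{a} has no multiplicative order mod {p}")


def is_primitive_root(a: int, p: int) -> bool:
    """A primitive root generates every non-zero residue, i.e. its order is p-1."""
    return gcd(a, p) == 1 and multiplicative_order(a, p) == p - 1


def primitive_roots(p: int) -> list:
    return [a for a in range(1, p) if is_primitive_root(a, p)]


def powers_are_uniform(a: int, p: int) -> bool:
    """The 'distributes uniformly' property: the powers hit each of 1..p-1 exactly once."""
    return sorted(powers_mod(a, p)) == list(range(1, p))
```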

Primitive Roots – Discrete
Logarithms

Fast Exponentiation

Fast Exponentiation
 Public-key algorithms are based on arithmetic with very long numbers.
 Unless we pay close attention to how to realize the necessary computations, we can easily end up with schemes that are too slow for practical use.
 In most public key algorithms we require modular exponentiation.
 In the public key algorithms straightforward multiplication would require 2^1024 or more multiplications.
 The number of atoms in the visible universe is estimated to be around 2^300.
Then a web browser doing 2^1024

Fast Exponentiation
 The central question is whether there is a faster method for
exponentiation available?
 Yes: square and multiply method.
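The square-and-multiply method, as an added Python example (not code from the slides). It carries the earlier slide's 3^8 mod 7 through step by step and counts how many operations the method needs compared with straightforward repeated multiplication.

```python
def square_and_multiply(base: int, exponent: int, modulus: int, steps=None) -> int:
    """Left-to-right binary exponentiation. Scan the exponent's bits from the most
    significant one: square for every bit, multiply by the base for every 1 bit.
    Intermediate results are reduced mod modulus, so numbers never grow past modulus^2."""
    if exponent == 0:
        return 1 % modulus
    result = base % modulus
    for bit in bin(exponent)[3:]:            # skip the leading 1: 'result' already holds base^1
        result = (result * result) % modulus
        if steps is not None:
            steps.append(("square", result))
        if bit == "1":
            result = (result * base) % modulus
            if steps is not None:
                steps.append(("multiply", result))
    return result


def operation_count(exponent: int) -> tuple:
    """(squarings, multiplications) the method needs: about 2*log2(e) in the worst case."""
    bits = bin(exponent)[2:]
    return len(bits) - 1, bits.count("1") - 1


def naive_multiplications(exponent: int) -> int:
    """Multiplications needed by the straightforward method: base * base * ... (e-1 times)."""
    return exponent - 1
```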

Fast Exponentiation

Fast Exponentiation

Euclidean Algorithm

Euclidean Algorithm
 Goal: Given two integers r0 and r1, we have to find gcd(r0, r1).
 gcd(r0, r1) = the largest positive number that divides both r0 and r1.
Eg: gcd(27, 21) = 3
 How to compute it faster???
 Solution: prime factorization.
 27 = 3^3
 21 = 3^1 x 7^1
 gcd = 3
 But it doesn’t work for large numbers… In cryptography we deal with very large numbers.

Euclidean Algorithm
 The Euclidean algorithm reduces operations on large numbers to operations on smaller numbers, over and over again, until we reach a very small number.
 Idea: gcd(r0, r1) = gcd(r0 mod r1, r1) = gcd(r1, r0 mod r1)
 Eg:

Extended Euclidean Algorithm (EEA)

Extended Euclidean Algorithm
 It turns out that finding the gcd is not the main application of
the Euclidean algorithm.
 An extension of the algorithm allows us to compute modular
inverses, which is of major importance in public-key
cryptography.
 In addition to computing the gcd, the extended Euclidean
algorithm (EEA) computes a linear combination of the form:

Chinese Remainder
Theorem


Chinese Remainder Theorem (CRT)
 In essence the CRT says that it is possible to reconstruct integers in a certain range from their residues modulo a set of pairwise relatively prime moduli.
 Let us say we have a set of numbers n1, n2, …, nk. These numbers are positive integers and pairwise relatively prime.
 Then we can take an integer X and represent it uniquely in the range of the product n1 x n2 x … x nk by:
X ≡ a1 mod n1
X ≡ a2 mod n2
…
X ≡ ak mod nk
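An added Python example (not code from the slides) of the Euclidean algorithm as traced on the gcd(27, 21) slide, the extended Euclidean algorithm's linear combination, the modular inverse it yields, and a CRT reconstruction built on that inverse. The residues used in the test are constructed values.

```python
from math import gcd


def euclid_steps(a: int, b: int) -> list:
    """Plain Euclidean algorithm, one (r0, r1, r0 mod r1) triple per step."""
    steps = []
    while b:
        steps.append((a, b, a % b))
        a, b = b, a % b
    return steps


def extended_gcd(a: int, b: int) -> tuple:
    """Return (g, s, t) with s*a + t*b = g = gcd(a, b)."""
    old_r, r = a, b
    old_s, s = 1, 0
    old_t, t = 0, 1
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
        old_t, t = t, old_t - q * t
    return old_r, old_s, old_t


def mod_inverse(a: int, m: int) -> int:
    """a^-1 mod m from the EEA: if s*a + t*m = 1 then s is the inverse."""
    g, s, _ = extended_gcd(a % m, m)
    if g != 1:
        raise ValueError(f"{a} has no inverse mod {m} (gcd = {g})")
    return s % m


def crt(residues: list, moduli: list) -> int:
    """Solve X = a_i (mod n_i) for pairwise coprime n_i; unique in [0, n_1 * ... * n_k)."""
    for i in range(len(moduli)):
        for j in range(i + 1, len(moduli)):
            if gcd(moduli[i], moduli[j]) != 1:
                raise ValueError("moduli must be pairwise relatively prime")
    total = 1
    for n in moduli:
        total *= n
    x = 0
    for a, n in zip(residues, moduli):
        partial = total // n                     # product of the other moduli
        x += a * partial * mod_inverse(partial, n)
    return x % total
```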

Public Key Cryptography

Public Key Cryptography
 In the early days of the internet, symmetric encryption algorithms were used to encrypt data over the network.
 As the internet grew in scale from universities to the financial sector, an old problem became more severe.
 How to share the secret key???
 How can two people who have never met agree on a shared secret key without letting Darth also obtain a copy??
 In 1976 Whitfield Diffie and Martin E. Hellman devised an amazing trick to do this.

Diffie-Hellman Key Exchange
 Analogy: agreeing on colors.
 Alice and Bob need to agree on a secret color without Eve finding it out.
 The trick is based on two things:
1. It is easy to mix 2 colors together to get a third color.
2. Given a mixed color it is hard to reverse it in order to find the exact original colors.
 This is the basis for the algorithm: easy in one direction, hard in the reverse direction. ⇒ One-way function

Discrete logarithmic problem
 To do this with numbers we need a numerical procedure which is easy in one direction and hard in the other.
 For this purpose the Diffie-Hellman key exchange protocol uses the concept of the discrete logarithm (the discrete logarithm problem).
 Key idea of the discrete logarithm problem:
 Choose a prime modulus (for example 17). Then find a primitive root of 17 (for example 3).
 This has the important property that, when raised to different exponents, the results are distributed uniformly.

Diffie-Hellman Key Exchange
 If we raise 3 to any exponent x, then the result is equally likely to be any integer between 0 and 17. (3^x mod 17 ≡ 12)
 But the reverse procedure is hard. (Given 12, 3 and 17, compute x.)
 The Diffie-Hellman key exchange protocol works on this idea.

Diffie-Hellman Key Exchange

Diffie-Hellman Key Exchange
 Now the shared key KAB can be used to establish a secure communication between Alice and Bob.
 Eg: by using KAB as the key for symmetric algorithms like 3-DES or AES.
 Application: Secure Shell (SSH), Transport Layer
RSA

RSA Algorithm
 After Whitfield Diffie and Martin Hellman introduced public
key cryptosystem, a new branch of cryptography suddenly
opened up.
 In 1977, Ronald Rivest, Adi Shamir and Leonard Adleman
proposed a scheme which became the most widely used
asymmetric cryptographic scheme, RSA.
 There are many applications for RSA, but in practice it is
most often used for:
 Encryption of small pieces of data, especially for key
transport.
 Digital signatures, used for digital certificates on
the Internet.

RSA Algorithm
 Suppose Alice wants to communicate with multiple people (Alice = Bank).
 To use the Diffie-Hellman key exchange she is going to have to exchange distinct keys with each person.
 Now she has to manage all these keys and needs to send thousands of messages to establish them.
 Is there a simpler way????
 The idea is based on splitting the key: an encryption key and a decryption key.
 To do this we need a one-way trapdoor function.

RSA Algorithm
 One-way Trapdoor function: Easy to compute in one
direction but difficult to reverse unless we have special
information called Trapdoor.
 This is the key idea of any public key cryptosystem.
 In RSA one-way trapdoor function is created based on the
idea of Prime factorization.
 RSA algorithm includes:
1. Key Generation
2. Encryption
3. Decryption

RSA Algorithm – Key Generation
 Unlike symmetric key algorithms Public Key algorithms
requires the computation of the pair (Kpub, Kpr).

RSA Algorithm – Encryption &
Decryption

RSA Algorithm – Example
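An added Python example (not the slides' worked example) of RSA key generation, encryption/decryption, and the RSA signature scheme the later slides describe, where the private key is used on the signing side. The primes 61 and 53 and e = 17 are constructed textbook-sized values; `pow(e, -1, phi)` computes the modular inverse that the extended Euclidean algorithm provides.

```python
from math import gcd


def rsa_keygen(p: int, q: int, e: int = 65537) -> tuple:
    """Return (public, private) = ((n, e), (n, d)).
    The trapdoor: d = e^-1 mod phi(n) needs phi(n) = (p-1)(q-1), i.e. the factors of n."""
    if p == q:
        raise ValueError("p and q must be distinct primes")
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to phi(n)")
    d = pow(e, -1, phi)
    return (n, e), (n, d)


def fits_modulus(x: int, public: tuple) -> bool:
    """RSA works on integers in [0, n): a message larger than the modulus cannot be used."""
    return 0 <= x < public[0]


def rsa_encrypt(m: int, public: tuple) -> int:
    n, e = public
    if not fits_modulus(m, public):
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)


def rsa_decrypt(c: int, private: tuple) -> int:
    n, d = private
    return pow(c, d, n)


def rsa_sign(x: int, private: tuple) -> int:
    """Signature generation uses the private key: s = x^d mod n."""
    n, d = private
    return pow(x, d, n)


def rsa_verify(x: int, s: int, public: tuple) -> bool:
    """Anyone with the public key checks s^e mod n == x."""
    n, e = public
    return pow(s, e, n) == x
```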

Applications of
Cryptography

Modern Cryptography

Digital Signature

Digital Signature
 Digital signatures are one of the most important cryptographic tools and are widely used today.
 Applications for digital signatures range from digital certificates for secure e-commerce to legal signing of contracts to secure software updates.
 Digital signatures are a signature-like function for the electronic world.
 In particular, they provide a method to assure that a message is authentic to one user.
 i.e., it in fact originates from the person who claims to have generated the message.

Digital Signature
 Can we do something similar to signing on paper by appending some random bits which we created???...
 Ans: This is not feasible since that portion can be copied….
 Can we utilize the cryptographic ideas we have studied???
 Are symmetric key algorithms a good option???
 What security services do we obtain by using a symmetric key algorithm?
 Ans: message authentication, message integrity.
 What we don’t get is non-repudiation.

Digital Signature
 Solution???
 Ans: Switch to asymmetric key algorithms.
 Using asymmetric key cryptosystems, where should the private key be used? On the signature generation side or the signature verifier side???
 Ans: The private key should be used on the signature generation side.

RSA Digital Signature Scheme
 The RSA signature scheme is based on RSA encryption.
 Since its first description in 1978 the RSA signature scheme
has emerged as the most widely used digital signatures
scheme in practice.
 Suppose Bob wants to send a signed message x to Alice.
He generates the same RSA keys that were used for RSA
encryption

RSA Digital Signature Scheme

Secure Hash Function
(SHA)

Hash Function
 A hash function is an auxiliary function which is an important cryptographic primitive and is widely used in protocols.
 It computes a digest of a message, which is a short, fixed-length bit string.
 For a particular message, the message digest, or hash value, can be seen as the fingerprint of the message, i.e., a unique representation of the message.
 Unlike all other crypto algorithms introduced so far, hash functions do not have a key.
 Hash functions are used for signatures, Message Authentication Codes (MAC), RNGs, etc…

Hash Function and Digital Signature
 Hash Functions are best known for important role they play
in practical use of Digital Signatures.
 In Digital signature scheme based on RSA, the main problem
is that the length of the plaintext is limited(message cannot
be greater than modulus).
 Thus far, we have ignored the fact that in practice the
plaintext x will often be (much) larger than those sizes.
 The question that arises at this point is simple: How are we
going to efficiently compute signatures of large messages?
 Can we split the entire message into blocks and sign each
block??? Is it secure???

Hash Function and Digital Signature

 Problem 1: Message overhead
 Problem 2: High computational Load
 Problem 3: Security Limitations
 Hence, for performance as well as for security reasons we
would like to have one short signature for a message of

Hash Function
 The solution to this problem is hash functions.
 If we had a hash function that somehow computes a
fingerprint of the message x, we could perform the signature
operation.
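Bob's signing and Alice's verification as an added Python example (not the slides' own code): first textbook RSA on an integer x < n, then hash-then-sign with SHA-1 so that messages of any length can be signed; it serves both the RSA signature slides and the hash-and-signature discussion above. The primes P and Q are constructed toy values (Mersenne primes, chosen so that n exceeds 2^160) and are not secure RSA parameters.

```python
import hashlib

# Constructed toy parameters for illustration only: Mersenne primes M89 and M107.
# Primes of such a special form are NOT a secure choice for real RSA keys.
P = 2**89 - 1
Q = 2**107 - 1


def rsa_keygen(p: int = P, q: int = Q, e: int = 65537):
    """Return (public key (n, e), private key (n, d)); the same keys RSA encryption uses."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse of e mod phi (Python 3.8+)
    return (n, e), (n, d)


def can_sign_raw(priv, x: int) -> bool:
    """Textbook RSA only handles message representatives 0 <= x < n."""
    return 0 <= x < priv[0]


def rsa_sign_raw(priv, x: int) -> int:
    """Bob's side: signature s = x^d mod n using the private key."""
    if not can_sign_raw(priv, x):
        raise ValueError("message representative must be smaller than the modulus n")
    n, d = priv
    return pow(x, d, n)


def rsa_verify_raw(pub, x: int, s: int) -> bool:
    """Alice's side: accept iff s^e mod n == x using the public key."""
    n, e = pub
    return 0 <= x < n and pow(s, e, n) == x


def sha1_int(message: bytes) -> int:
    """160-bit SHA-1 fingerprint of the message as an integer (always < n here)."""
    return int.from_bytes(hashlib.sha1(message).digest(), "big")


def sign_with_hash(priv, message: bytes) -> int:
    """Hash-then-sign: one short signature for a message of arbitrary length."""
    return rsa_sign_raw(priv, sha1_int(message))


def verify_with_hash(pub, message: bytes, s: int) -> bool:
    """Recompute the fingerprint and verify the signature on it."""
    return rsa_verify_raw(pub, sha1_int(message), s)
```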

Hash Function
 The hash value represents the message.
 The hash is sometimes referred to as the message digest or
the fingerprint of the message.

Hash Function - Requirements
 We want to be able to apply a hash function to
messages x of any size, and thus it is desirable that
the function h is computationally efficient.
 Even if we hash large messages, it should be relatively fast
to compute.

 Another desirable property is that the output of a hash
function is of fixed length and independent of the
input length.

 Finally, the computed fingerprint should be highly sensitive
to all input bits. That means even if we make minor
modifications to the input x, the fingerprint should
look very different.

Hash Function - Requirements

Hash Function – Security
Requirements
 Unlike all other crypto algorithms we have dealt with so far,
hash functions do not have keys.
 The question is now whether there are any special properties
needed for a hash function to be “secure”???
 It turns out that there are three central properties which
hash functions need to possess in order to be secure:

Hash Function – Security
Requirements

Hash Function – Security
Requirements
1. Preimage Resistance (One-wayness):
 Given a hash output z it must be computationally infeasible
to find an input message x such that z = h(x).
 In other words, given a fingerprint, we cannot derive a
matching message.
2. Second Preimage Resistance (Weak Collision Resistance):
 For digital signatures with hash it is essential that two
different messages do not hash to the same value.
 This means it should be computationally infeasible to
create two different messages x1 != x2 with equal
hash values h(x1) = h(x2).

Hash Function – Security
Requirements
 If Oscar is capable of finding a second message x2 such that
h(x1) = h(x2), he can run the following substitution
attack:

 The question now is how we can prevent Oscar from finding
x2???

Hash Function – Security
Requirements
 Since weak collisions exist in theory, the next best thing we
can do is to assure that they cannot be found in practice.
 A strong hash function should be designed such that
given x1 and h(x1) it is impossible to construct x2
such that h(x1) = h(x2).
 This means there is no analytical attack. However, Oscar
can always randomly pick x2 values, compute their hash
values and check whether they are equal to h(x1).
 This is similar to an exhaustive key search for a
symmetric cipher.

Hash Function – Strong Collision
Resistance
 We call a hash function collision resistant or strong
collision resistant if it is computationally infeasible to
find two different inputs x1 != x2 with h(x1) = h(x2).
 This property is harder to achieve than weak collision
resistance because the attacker has two degrees of freedom:
both messages can be altered to achieve equal hash values.
 How can the attacker turn this into a practical attack
scenario???

Hash Function – Strong Collision
Resistance

Hash Function – Strong Collision
Resistance
 Due to the pigeonhole principle, collisions always exist.
 The question is how difficult it is to find them.
 Our first guess is probably that this is as difficult as finding
second preimages, i.e., if the hash function has an output
length of 80 bits, we have to check about 2^80 messages.
 However, it turns out that an attacker needs only about
2^40 messages!
 This is a quite surprising result which is due to the birthday
attack. This attack is based on the birthday paradox.

Hash Function – Birthday Paradox
 It turns out that the following real-world question is closely
related to finding collisions for hash functions:
 How many people are needed at a party such that there
is a reasonable chance that at least two people have the
same birthday?


Hash Function – Birthday Paradox

 For 40 people the probability is about 90%.
 Due to the surprising outcome of this it is often referred to
as the birthday paradox.
 Collision search for a hash function h() is exactly the
same problem as finding birthday collisions among

Hash Function – Birthday Paradox
 The number of messages we need to hash to find a collision
is roughly equal to the square root of the number of possible
output values, i.e., about √(2^n) = 2^(n/2).
 Hence, for a security level of x bit, the hash function
needs to have an output length of 2x bit.
 Computing around 2^40 hashes and checking for collisions
can be done with current laptops!
 To thwart this, the output length of a hash function must be
about twice as long as an output length which protects
merely against a second preimage attack.
 For this reason, all hash functions have an output
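The birthday argument worked through as an added Python example (not from the slides): the party probability for 23 and 40 people, and a collision search on SHA-1 truncated to n bits, which takes on the order of 2^(n/2) hashes rather than 2^n. A 32-bit truncation is used so the search finishes in well under a second; the messages are constructed counters.

```python
import hashlib


def birthday_probability(people: int, days: int = 365) -> float:
    """P(at least two of `people` share a birthday) = 1 - prod_{i<people} (days - i)/days."""
    p_all_distinct = 1.0
    for i in range(people):
        p_all_distinct *= (days - i) / days
    return 1.0 - p_all_distinct


def truncated_sha1(message: bytes, n_bits: int) -> int:
    """Model an n-bit hash by keeping only the leading n bits of SHA-1 (toy, for illustration)."""
    digest = int.from_bytes(hashlib.sha1(message).digest(), "big")
    return digest >> (160 - n_bits)


def find_collision(n_bits: int):
    """Birthday-style search: hash distinct messages and remember every value seen.
    The first repeated value gives two different inputs with the same n-bit hash;
    by the birthday bound this needs about 2^(n/2) hashes, not 2^n.
    Returns (message1, message2, number_of_hashes_computed)."""
    seen = {}
    counter = 0
    while True:
        msg = b"msg-%d" % counter  # constructed, pairwise distinct messages
        h = truncated_sha1(msg, n_bits)
        if h in seen:
            return seen[h], msg, counter + 1
        seen[h] = msg
        counter += 1
```

For n = 32 the search returns after roughly 2^16 hashes, which is the behaviour that forces hash outputs to be twice the intended security level.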

Hash Function – Construction
 There are two general types of hash functions:
1. Dedicated hash functions: These are algorithms that
are specifically designed to serve as hash functions.
2. Block cipher-based hash functions: It is also possible
to use block ciphers such as AES to construct hash functions.
 Hash functions can process an arbitrary-length message and
produce a fixed-length output.
 In practice, this is achieved by segmenting the input into a
series of blocks of equal size.
 These blocks are processed sequentially by the hash
function, which has a compression function at its heart. This
iterated design is known as the Merkle–Damgård
construction.

Hash Function – Construction
 The hash value of the input message is then defined as the
output of the last iteration of the compression function.

SHA-1
 The Secure Hash Algorithm (SHA-1) is the most widely used
message digest function.
 SHA-1 is based on the Merkle–Damgård construction.
 An interesting interpretation of the SHA-1 algorithm is that
the compression function works like a block cipher, where
the input is the previous hash value Hi−1 and the key is
formed by the message block xi.
 As we will see below, the actual rounds of SHA-1 are in fact
quite similar to a Feistel block cipher.
 SHA-1 produces a 160-bit output of a message with a
maximum length of 2^64 bit.

SHA-1
 Before the hash computation, the algorithm has to
preprocess the message.
 During the actual computation, the compression function
processes the message in 512-bit chunks.
 The compression function consists of 80 rounds which are
divided into four stages of 20 rounds each.

SHA-1

SHA-1 - Preprocessing
 Before the actual hash computation, the message x has to
be padded to fit a size of a multiple of 512 bit.
 For the internal processing, the padded message must then
be divided into blocks.
 Also, the initial value H0 is set to a predefined constant.

SHA-1 – Hash Computation
 Each message block xi is processed in
four stages with 20 rounds each.
The algorithm uses:
1. A message schedule which computes a 32-bit word
W0, W1, ..., W79 for each of the 80 rounds.
2. Five registers of size 32 bits: A, B, C, D, E.
3. A hash value Hi consisting of five 32-bit words
Hi^(0), Hi^(1), Hi^(2), Hi^(3), Hi^(4).
SHA-1 – Hash Computation
 The four SHA-1 stages have a similar structure but use
different internal functions ft and constants Kt , where 1 ≤ t
≤ 4.
 Each stage is composed of 20 rounds, where parts of the
message block are processed by the function ft together with
some stage-dependent constant Kt.
 The output after 80 rounds is added to the input value Hi−1
modulo 2^32 in word-wise fashion.
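The preprocessing, message schedule, four 20-round stages with functions ft and constants Kt, and the final word-wise addition modulo 2^32 described above, as an added Python implementation (not from the slides). The initial value H0 and the stage constants are the standard SHA-1 ones; hashlib is imported only to cross-check the result.

```python
import hashlib  # used only to cross-check this implementation against the standard library
import struct

MASK32 = 0xFFFFFFFF
H0 = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)  # predefined initial value
K = (0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6)                # stage constants K_1..K_4


def rotl(x: int, n: int) -> int:
    """32-bit left rotation."""
    return ((x << n) | (x >> (32 - n))) & MASK32


def sha1_pad(message: bytes) -> bytes:
    """Preprocessing: append a 1 bit (0x80), zero bytes, then the 64-bit message length
    in bits, so that the padded length is a multiple of 512 bits (64 bytes)."""
    padded = message + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    return padded + struct.pack(">Q", len(message) * 8)


def round_fn(stage: int, b: int, c: int, d: int) -> int:
    """Stage-dependent function f_t (stage 0..3, 20 rounds each)."""
    if stage == 0:
        return (b & c) | (~b & d)            # Ch
    if stage == 2:
        return (b & c) | (b & d) | (c & d)   # Maj
    return b ^ c ^ d                         # stages 1 and 3: parity


def sha1_compress(h_prev, block: bytes):
    """Compression function: the block x_i acts like a key, H_{i-1} like the plaintext."""
    w = list(struct.unpack(">16I", block))   # message schedule: 16 words expanded to W_0..W_79
    for t in range(16, 80):
        w.append(rotl(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], 1))
    a, b, c, d, e = h_prev                   # the five 32-bit registers A..E
    for t in range(80):
        stage = t // 20
        temp = (rotl(a, 5) + round_fn(stage, b, c, d) + e + K[stage] + w[t]) & MASK32
        a, b, c, d, e = temp, a, rotl(b, 30), c, d
    # feed-forward: add the round output to H_{i-1} word-wise modulo 2^32
    return tuple((x + y) & MASK32 for x, y in zip(h_prev, (a, b, c, d, e)))


def sha1(message: bytes) -> str:
    """Iterate the compression function over all 512-bit blocks (Merkle–Damgård)."""
    h = H0
    padded = sha1_pad(message)
    for i in range(0, len(padded), 64):
        h = sha1_compress(h, padded[i:i + 64])
    return "".join(f"{word:08x}" for word in h)


def matches_hashlib(message: bytes) -> bool:
    """Cross-check against the standard library."""
    return sha1(message) == hashlib.sha1(message).hexdigest()
```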

Message Authentication Code (MAC)

Message Authentication Code
 A Message Authentication Code (MAC), also known as a
cryptographic checksum or a keyed hash function, is
widely used in practice.
 In terms of security functionality, MACs share some
properties with digital signatures, since they also
provide message integrity and message authentication.
 However, unlike digital signatures, MACs are symmetric-key
schemes and they do not provide nonrepudiation.
 One advantage of MACs is that they are much faster than
digital signatures since they are based on either block
ciphers or hash functions.

Message Authentication Code
 The motivation for using MACs is typically that Alice and Bob
want to be assured that any manipulations of a message x in
transit are detected.
 Similar to digital signatures, MACs append an authentication
tag to a message.

 The crucial difference between MACs and digital signatures
is that MACs use a symmetric key k for both generating the
authentication tag and verifying it.
 A MAC is a function of the symmetric key k and the message
x.

Message Authentication Code

Message Authentication Code

MACs From Hash Functions – HMAC
 An option for realizing MACs is to use cryptographic hash
functions such as SHA-1 as a building block.
 One possible construction, named HMAC, has become very
popular in practice over the last decade.
 For instance, it is used in both the Transport Layer Security
(TLS) protocol as well as in the IPsec protocol suite.
 The basic idea behind all hash-based message
authentication codes is that the key is hashed together with
the message.

MACs From Hash Functions – HMAC
 Two obvious constructions are possible: the secret prefix
MAC and the secret suffix MAC.
 Both are cryptographically weak.

MACs From Hash Functions – HMAC
1. Attacks Against Secret Prefix MACs:

MACs From Hash Functions – HMAC
2. Attacks Against Secret Suffix MACs:

 Solution : HMAC
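The HMAC construction as an added Python example (not from the slides), following RFC 2104 with SHA-1 as the building block: the key is padded to the hash's 512-bit block size and hashed twice with the distinct ipad and opad paddings, so neither a plain key-prefix nor a key-suffix hash is ever exposed. The stdlib hmac module is used only for a constant-time comparison on the verifier's side and for a cross-check; the key and message values are constructed.

```python
import hashlib
import hmac  # stdlib HMAC: constant-time comparison and cross-check only

BLOCK_SIZE = 64          # SHA-1 input block size in bytes (512 bits)
IPAD, OPAD = 0x36, 0x5C  # RFC 2104 inner and outer padding bytes


def hmac_sha1(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA1 = H((k ^ opad) || H((k ^ ipad) || m)).
    The inner hash never ends with the key and the outer hash never starts with
    the message, which is what removes the weaknesses of the two naive constructions."""
    if len(key) > BLOCK_SIZE:
        key = hashlib.sha1(key).digest()       # keys longer than one block are hashed first
    key = key.ljust(BLOCK_SIZE, b"\x00")       # then zero-padded to exactly one block
    k_ipad = bytes(b ^ IPAD for b in key)
    k_opad = bytes(b ^ OPAD for b in key)
    inner = hashlib.sha1(k_ipad + message).digest()
    return hashlib.sha1(k_opad + inner).digest()


def verify_tag(key: bytes, message: bytes, tag: bytes) -> bool:
    """Receiver side: recompute the tag with the shared key and compare in constant time,
    so that the comparison itself does not leak how many bytes of the tag were right."""
    return hmac.compare_digest(hmac_sha1(key, message), tag)


def matches_stdlib(key: bytes, message: bytes) -> bool:
    """Cross-check against the standard library's HMAC."""
    return hmac_sha1(key, message) == hmac.new(key, message, hashlib.sha1).digest()
```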

Symmetric Key Establishment

Symmetric Key Establishment
 All cryptographic mechanisms that we have discussed so far
assume that keys are properly distributed between the
parties involved.
 The task of key establishment is in practice one of the most
important and often also most difficult parts of a security
system.
 Key establishment deals with establishing a shared secret
between two or more parties. Methods for this can be
classified into key transport and key agreement methods.
 A key transport protocol is a technique where one party
securely transfers a secret value to others.
 In a key agreement protocol two (or more) parties derive the
Symmetric Key Establishment

Symmetric Key Establishment
 In many (but not all) security systems it is desirable to use
cryptographic keys which are only valid for a limited time,
e.g., for one Internet connection.
 Such keys are called session keys or ephemeral keys.

 Limiting the period in which a cryptographic key is used has
several advantages.
 A major one is that there is less damage if the key is
exposed.
 Also, an attacker has less ciphertext available that was
generated under one key, which can make cryptographic
attacks much more difficult.

Symmetric Key Establishment
 Real-world examples where session keys are frequently
generated include voice encryption in GSM cell phones and
video encryption in pay-TV satellite systems; in both cases
new keys are generated within a matter of minutes or
sometimes even seconds.
 The question now is, how can key updates be realized?
 The first approach is to simply execute the key
establishment protocol (e.g., Diffie-Hellman) over and over again.
 However, there are always certain costs associated with key
establishment, typically with respect to additional
communication connections and computations.
 The latter holds especially in the case of public-key

Symmetric Key Establishment
 The second approach to key update uses an already
established joint secret key to derive fresh session keys.
 The principal idea is to use a Key Derivation Function (KDF).
 Typically, a non-secret parameter r is processed together
with the joint secret kAB between the users Alice and Bob.

Symmetric Key Establishment
 An important characteristic of the key derivation function is
that it should be a one-way function.
 The one-way property prevents an attacker from deducing
kAB should any of the session keys become compromised,
which in turn would allow the attacker to compute all other
session keys.
 One possible way of realizing the key derivation function is
that one party sends a nonce, i.e., a numerical value that is
used only once, to the other party.
 Both users encrypt the nonce using the shared secret key
kAB by means of a symmetric cipher such as AES.

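Nonce-based session key derivation from the joint secret kAB, as an added Python example (not from the slides). HMAC-SHA1 stands in for the AES encryption of the nonce named above, since the standard library has no AES; both are keyed one-way functions, so a leaked session key gives no way back to kAB. The class, its nonce bookkeeping and the sample secret are constructed for this example.

```python
import hashlib
import hmac
import os


class SessionKeyDeriver:
    """One party's side of key derivation: k_ses = KDF(k_AB, r) for a non-secret nonce r."""

    def __init__(self, k_ab: bytes):
        self._k_ab = k_ab          # long-term joint secret; only derived keys ever leave
        self._used_nonces = set()  # freshness: a nonce must be accepted only once

    @staticmethod
    def new_nonce() -> bytes:
        """The nonce one party sends to the other; 128 random bits."""
        return os.urandom(16)

    def derive(self, nonce: bytes, key_len: int = 16) -> bytes:
        """Derive a session key of key_len bytes from k_AB and the nonce.
        HMAC-SHA1 is the one-way keyed function (stand-in for AES-encrypting the nonce);
        a counter expands the output when more than one digest is needed."""
        if nonce in self._used_nonces:
            raise ValueError("nonce reuse would repeat an earlier session key")
        self._used_nonces.add(nonce)
        out = b""
        counter = 0
        while len(out) < key_len:
            out += hmac.new(self._k_ab, nonce + counter.to_bytes(4, "big"), hashlib.sha1).digest()
            counter += 1
        return out[:key_len]
```

Both parties hold the same kAB, so the same nonce yields the same session key on both sides, while each fresh nonce yields an unrelated key.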
Symmetric Key Establishment

Symmetric Key Establishment

The n^2 Key Distribution Problem

The n^2 Key Distribution Problem
 Until now we mainly assumed that the necessary keys for
symmetric algorithms are distributed via a “secure channel”.
 Distributing keys this way is sometimes referred to as key
predistribution or out-of-band (e.g., the key is transmitted
via a phone line or in a letter).
 However, key predistribution quickly reaches its limits even
if the number of entities in a network is only moderately
large.
 This leads to the well-known n^2 key distribution
problem.
 We assume a network with n users, where every party is
capable of communicating with every other one in a secure

The n^2 Key Distribution Problem

The n^2 Key Distribution Problem
 The consequences of these observations are not very
favorable if the number of users increases.
 The first drawback is that the number of keys in the system
is roughly n^2. Even for moderately sized networks, this
number becomes quite large.

 All these keys must be generated securely at one location,
which is typically some type of trusted authority.
 The other drawback, which is often more serious in practice,
is that adding one new user to the system requires updating
the keys at all existing users. Since each update requires a
secure channel, this is very burdensome.

The n^2 Key Distribution Problem
 Obviously, this approach does not work for large networks.
 However, there are many cases in practice where the
number of users is:
(i) small and
(ii) does not change frequently.
 An example could be a company with a small number of
branches which all need to communicate with each other
securely.
 Adding a new branch does not happen too often, and if this
happens it can be tolerated that one new key is uploaded to
any of the existing branches.

Key Establishment Using Symmetric-Key Techniques

Key Establishment Using Symmetric-Key Techniques
 Symmetric ciphers can be used to establish secret (session)
keys.
 This is somewhat surprising because we assumed that
symmetric ciphers themselves need a secure channel for
establishing their keys.
 However, it turns out that it is in many cases sufficient to
have a secure channel only when a new user joins the
network.
 This is in practice often achievable for computer networks
because at setup time a (trusted) system administrator
might be needed in person anyway who can install a secret
key manually.

Key Establishment with a Key Distribution
Center
 The protocols developed in the following rely on a Key
Distribution Center (KDC). This is a server that is fully trusted
by all users and that shares a secret key with each user.
 This key, which is named the Key Encryption Key (KEK), is
used to securely transmit session keys to users.


Key Establishment Using KDC
 Advantage:
1. Key storage overhead is reduced from quadratic to linear.
2. Adding new users requires secure channel only at the time of
initialization.
 Disadvantage:
1. Single point of failure: the KDC.
2. No Perfect Forward Secrecy: compromise of even a single key
lets the attacker decrypt past messages.
 Security Threats:
1. Replay Attack
2. Key Confirmation Attack.

Key Establishment Using KDC – Security
issues
1. Replay Attack:
 This attack makes use of the fact that neither Alice nor Bob
know whether the encrypted session key they receive is
actually a new one.
 If an old one is reused, key freshness is violated.
 This can be a particularly serious issue if an old session key
has become compromised. This could happen if an old key is
leaked, e.g., through a hacker.
 If Oscar gets hold of a previous session key, he can
impersonate the KDC and resend old messages yA and yB to
Alice and Bob.

Key Establishment Using KDC – Security
issues
2. Key Confirmation Attack:
 The weakness utilized is: Alice is not assured that the key
material she receives from the KDC is actually for a session
between her and Bob.
 This attack assumes that Oscar is also a legitimate (but
malicious) user.
 By changing the session-request message Oscar can trick
the KDC and Alice to set up session between him and Alice
as opposed to between Alice and Bob.
 The underlying problem for this attack is that there is no key
confirmation.

Key Establishment Using KDC – Security
issues

Kerberos

Kerberos
 A more advanced protocol that protects against both replay
and key confirmation attacks is Kerberos.
 In Greek mythology, Kerberos is the name of a three-headed
dog guarding the entrance of Hades.
 It is, in fact, more than a mere key distribution protocol; its
main purpose is to provide user authentication in computer
networks.
 It provides a centralized authentication server to
authenticate users to servers and servers to users.
 It is also based on a KDC, which is named the
“authentication server” in Kerberos terminology.

Kerberos

Kerberos – Security against Replay attack
 Kerberos assures the timeliness of the protocol through two
measures:
o First, the KDC specifies a lifetime T for the session key. The
lifetime is encrypted with both session keys, i.e., it is
included in yA and yB.
Hence, both Alice and Bob are aware of the
period during which they can use the session key.
o Second, Alice uses a time stamp TS, through which Bob can
be assured that Alice’s messages are recent and are not the
result of a replay attack.
For this, Alice’s and Bob’s system clocks must be
synchronized, but not with a very high accuracy. Typical
values are in the range of a few minutes.

Kerberos – Security against Key
Confirmation attack
 Equally important is that Kerberos provides key confirmation
and user authentication.
 In the beginning, Alice sends a random nonce rA to
the KDC. This can be considered as a challenge
because she challenges the KDC to encrypt it with
their joint KEK kA.
 If the returned challenge rA matches the sent one,
Alice is assured that the message yA was actually
sent by the KDC.
 This method to authenticate users is known as a challenge-response protocol and is widely used, e.g., for authentication
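The two Kerberos checks above, as an added Python model (not the slides' own protocol code): Alice's key confirmation via the echoed nonce rA and the lifetime T, and Bob's replay protection via the timestamp TS with a tolerated clock skew of a few minutes. Messages are shown after decryption, so the KEK and session-key encryption of yA, yB and the authenticator is left out; the `peer` field (which party the key is issued for) and the field names are assumptions of this model.

```python
import hmac
from dataclasses import dataclass

MAX_CLOCK_SKEW = 300  # seconds; clocks only need to agree to within a few minutes


@dataclass
class KdcReply:
    """Contents of y_A after Alice has decrypted it with her KEK k_A (model, not a wire format)."""
    nonce: bytes       # r_A echoed back by the KDC
    peer: str          # party the session key is issued for (assumed field)
    session_key: bytes
    issued_at: int     # time the KDC issued the key, in seconds
    lifetime: int      # T, validity period in seconds


@dataclass
class Authenticator:
    """What Alice sends to Bob under the fresh session key."""
    client: str
    timestamp: int     # TS


def alice_check_reply(reply: KdcReply, sent_nonce: bytes, intended_peer: str, now: int):
    """Key confirmation: the echoed nonce shows the reply is fresh and came from the KDC,
    the named peer shows the key is for the session Alice actually requested,
    and the lifetime T bounds how long the key may be used."""
    if not hmac.compare_digest(reply.nonce, sent_nonce):
        return False, "nonce mismatch: reply is replayed or not from the KDC"
    if reply.peer != intended_peer:
        return False, "key material is not for the intended peer"
    if now > reply.issued_at + reply.lifetime:
        return False, "lifetime T already expired"
    return True, "ok"


def bob_check_authenticator(auth: Authenticator, key_issued_at: int, lifetime: int,
                            now: int, seen: set):
    """Replay protection on Bob's side: TS must be recent, must not have been seen
    before within the skew window, and the session key's lifetime T must not be over."""
    if abs(now - auth.timestamp) > MAX_CLOCK_SKEW:
        return False, "timestamp too old or too far ahead: possible replay"
    if (auth.client, auth.timestamp) in seen:
        return False, "authenticator already seen: replay"
    if now > key_issued_at + lifetime:
        return False, "lifetime T already expired"
    seen.add((auth.client, auth.timestamp))
    return True, "ok"
```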


Kerberos

Remaining problems with Symmetric-key
Distribution

Remaining problems with Symmetric-key Distribution
 Even though Kerberos provides strong assurance that the
correct keys are being used and that users are
authenticated, there are still drawbacks to the protocols.
 Main problems that exist for KDC based schemes are:
1. Communication overhead
2. Secure channel during initialization
3. Single point of failure
4. No Perfect Forward Secrecy

Remaining problems with Symmetric-key Distribution
1. Communication Overhead: KDC needs to be contacted if
a new secure session is to be initiated between any two
parties in the network.
 Even though this is a performance rather than a security
problem, it can be a serious hindrance in a system with very
many users.
 In Kerberos, one can alleviate this potential problem by
increasing the lifetime T of the key.
 In practice, Kerberos can run with tens of thousands of users.
However, it would be a problem to scale such an approach to

Remaining problems with Symmetric-key Distribution
2. Secure channel during initialization: All KDC-based
protocols require a secure channel at the time a new user
joins the network for transmitting that user’s key encryption
key.
3. Single point of failure: All KDC-based protocols, including
Kerberos, have the security drawback that they have a single
point of failure, namely the database that contains the key
encryption keys, the KEKs.
 If the KDC becomes compromised, all KEKs in the entire
system become invalid and have to be re-established using
secure channels between the KDC and each user.

Remaining problems with Symmetric-key Distribution
4. No perfect forward secrecy: If any of the KEKs becomes
compromised, e.g., through a hacker or Trojan software
running on a user’s computer, the consequences are serious.
 First, all future communication can be decrypted by the
attacker who eavesdrops. For instance, if Oscar got a hold of
Alice’s KEK kA, he can recover the session key from all
messages yA that the KDC sends out. Even more dramatic is
the fact that Oscar can also decrypt past communications if
he stored old messages yA and y.
 Even if Alice immediately realizes that her KEK has been
compromised and she stops using it right away, there is
nothing she can do to prevent Oscar from decrypting her past
communication.
