
Security of Information Systems

Mr. Rahul Kumar Yadav, Assistant Professor, IT Department, PDMCE (rahul_engg@pdm.ac.in)

PDM CSE

1/335

Syllabus

Encryption and Decryption. Terminology and background: cryptosystem, plaintext and ciphertext, encryption, cryptanalysis. Introduction to ciphers: monoalphabetic substitution, polyalphabetic substitution.

Secure encryption systems. Hard problems: complexity, NP-complete problems, characteristics of NP-complete problems, the meaning of completeness, NP-completeness and cryptography. Properties of arithmetic operations: inverses, primes, GCD. Modular arithmetic and its properties, computing the inverse, Fermat's theorem, algorithms for computing inverses, random number generation.

Public key encryption systems: concept and characteristics, introduction to Merkle-Hellman knapsacks, RSA, digital signatures, DSS. Hash algorithms: the hash concept, description of hash algorithms, MD4, MD5, SHA-1, SHA-2. Secure secret key systems: DES, AES.

Applied cryptography: protocols, practices, key management protocols. Operating system, database and program security. Network security.

Examination Schedule (Marks)

Class Work    Theory    Practical    Total
50            100                    150

Marks of Class Work

Sessional Marks                30
Assignment and Presentation    10
Attendance and Class Work      10
Total                          50

References

- Security in Computing (Second Edition), Charles P. Pfleeger, 1996, Prentice-Hall International, Inc.
- Applied Cryptography: Protocols, Algorithms and Source Code in C (Second Edition), Bruce Schneier, 1995, John Wiley.
- Security Technologies for the World Wide Web, Rolf Oppliger, Artech House, Inc.
- Digital Certificates: Applied Internet Security, Jalal Feghhi, Jalil Feghhi and Peter Williams, Addison Wesley Longman.
- The World Wide Web Security FAQ, Lincoln D. Stein, World Wide Web Consortium (online). Available at http://www.w3.org/Security/Faq/www-security-faq.html
- Cryptographic Message Syntax Standard (PKCS #7), Public-Key Cryptography Standards, RSA Laboratories (online). Available at http://www.rsasecurity.com/rsalabs/pkcs7/index.html

Encryption and Decryption

Terminology and Background; Introduction to Ciphers

Security

In general, security is the quality or state of being secure, that is, free from danger. It means being protected from adversaries: from those who would do harm, intentionally or otherwise.

The History of Information Security


- Computer security began immediately after the first mainframes were developed
- Groups developing code-breaking computations during World War II created the first modern computers
- Multiple levels of security were implemented
- Physical controls limited access to sensitive military locations to authorized personnel
- These were rudimentary in defending against physical theft, espionage, and sabotage

Figure: The Enigma (Source: Courtesy of National Security Agency)

The 1960s

- Advanced Research Project Agency (ARPA) began to examine the feasibility of redundant networked communications
- Larry Roberts developed ARPANET from its inception

Figure 1-2: ARPANET. Development of the ARPANET Program Plan (Source: Courtesy of Dr. Lawrence Roberts)

The 1970s and 80s


- ARPANET grew in popularity, as did its potential for misuse
- Fundamental problems with ARPANET security were identified:
  - No safety procedures for dial-up connections to ARPANET
  - Nonexistent user identification and authorization to the system
- Late 1970s: the microprocessor expanded computing capabilities, and security threats with them

The 1970s and 80s (contd.)


- Information security began with Rand Report R-609, the paper that started the study of computer security
- Scope of computer security grew from physical security to include:
  - Safety of data
  - Limiting unauthorized access to data
  - Involvement of personnel from multiple levels of an organization

MULTICS
- Early focus of computer security research was a system called Multiplexed Information and Computing Service (MULTICS)
- First operating system created with security as its primary goal
- Mainframe, time-sharing OS developed in the mid-1960s by General Electric (GE), Bell Labs, and Massachusetts Institute of Technology (MIT)
- Several MULTICS key players went on to create UNIX
- Primary purpose of UNIX was text processing

Key Dates for Seminal Works in Early Computer Security



The 1990s
- Networks of computers became more common; so too did the need to interconnect networks
- The Internet became the first manifestation of a global network of networks
- Initially based on de facto standards
- In early Internet deployments, security was treated as a low priority

2000 to Present
- The Internet brings millions of computer networks into communication with each other, many of them unsecured
- The ability to secure a computer's data is influenced by the security of every computer to which it is connected
- The growing threat of cyber attacks has increased the need for improved security

An organization should have the following multiple layers of security

- Physical security: to protect the physical items, objects, or areas of an organization from unauthorized access and misuse
- Personal security: to protect the individual or group of individuals who are authorized to access the organization and its operations
- Operations security: to protect the details of a particular operation or series of activities
- Communications security: to protect an organization's communications media, technology, and content
- Network security: to protect networking components, connections, and contents
- Information security: to protect information assets

Information Security

Information security, therefore, is the protection of information and its critical elements, including the systems and hardware that use, store, and transmit that information.


Critical Characteristics of Information


- Availability: enables users who need to access information to do so without interference or obstruction, and to retrieve that information in the required format.
- Accuracy: occurs when information is free from mistakes or errors and has the value that the end user expects. If information contains a value different from the user's expectations due to the intentional or unintentional modification of its content, it is no longer accurate.
- Authenticity: the quality or state of being genuine or original, rather than a reproduction or fabrication. Information is authentic when it is the information that was originally created, placed, stored, or transferred.
- Confidentiality: the quality or state of preventing disclosure or exposure to unauthorized individuals or systems.
- Integrity: the quality or state of being whole, complete, and uncorrupted. The integrity of information is threatened when the information is exposed to corruption, damage, destruction, or other disruption of its authentic state.
- Utility: the quality or state of having value for some purpose or end. Information has value when it serves a particular purpose. This means that if information is available, but not in a format meaningful to the end user, it is not useful.
- Possession: the quality or state of having ownership or control of some object or item. Information is said to be in one's possession if one obtains it, independent of format or other characteristics. While a breach of confidentiality always results in a breach of possession, a breach of possession does not always result in a breach of confidentiality.

Components of an Information System


An information system (IS) is much more than computer hardware; it is the entire set of software, hardware, data, people, procedures, and networks necessary to use information as a resource in the organization.

- Software: the operating systems, applications, and assorted utilities of an information system.
- Hardware: the physical assets that run the applications that manipulate the data of an information system. As hardware has become more portable, the threat posed by hardware loss has become a more prominent problem.
- Data: the lifeblood of an organization is the information needed to strategically execute on business opportunities, and the data processed by information systems are critical to today's business strategy.
- People: note that people are often the weakest link in an information system, since they give the orders, design the systems, develop the systems, and ultimately use and game the systems that run today's business world.
- Procedures: the written instructions for accomplishing a task, which may include the use of technology or information systems, but not necessarily. These are the rules that we are supposed to follow, and the foundation for the technical controls that security systems must be designed to implement.
- Networks: the modern information processing system is extremely complex and relies on many hundreds of connections, both internal and external. From the LAN to the MAN and ultimately the WAN or Internet, networks are the highway over which information systems pass data and users complete their tasks. Proper control over all traffic in every network in an organization is vital to properly managing the information flow and security of that organization.

Components of Information Security



Key Information Security Concepts


- Access
- Asset
- Attack
- Control, Safeguard, or Countermeasure
- Exploit
- Exposure
- Loss
- Protection Profile or Security Posture
- Risk
- Subjects and Objects
- Threat
- Threat Agent
- Vulnerability

Information Security Terms

Key Information Security Concepts (contd.)


- A computer can be the subject of an attack and/or the object of an attack
- When the subject of an attack, the computer is used as an active tool to conduct the attack
- When the object of an attack, the computer is the entity being attacked

Figure: Subject and Object of Attack (Computer as the Subject and Object of an Attack)

CNSS Security Model

The McCumber Cube



Information Security: Is it an Art or a Science?

Implementation of information security often described as combination of art and science.


Security as Art

No hard and fast rules nor many universally accepted complete solutions. No manual for implementing security through entire system.


Security as Science
- Dealing with technology designed to operate at high levels of performance
- Specific conditions cause virtually all actions that occur in computer systems
- Nearly every fault, security hole, and systems malfunction is a result of the interaction of specific hardware and software
- If developers had sufficient time, they could resolve and eliminate faults

Security as a Social Science

- Social science examines the behaviour of individuals interacting with systems
- Security begins and ends with the people that interact with the system
- Security administrators can greatly reduce the levels of risk caused by end users, and create more acceptable and supportable security profiles

Balancing Information Security & Access


- Impossible to obtain perfect security: it is a process, not an absolute
- Security should be considered a balance between protection and availability
- To achieve balance, the level of security must allow reasonable access, yet protect against threats

Figure: Balancing Security and Access (Balancing Information Security and Access)

Approaches to Information Security Implementation: Bottom-Up Approach


- Grassroots effort: systems administrators attempt to improve the security of their systems
- Key advantage: technical expertise of individual administrators
- Seldom works, as it lacks a number of critical features:
  - Participant support
  - Organizational staying power

Approaches to Information Security Implementation: Top-Down Approach


- Initiated by upper management
- Issue policy, procedures, and processes
- Dictate goals and expected outcomes of the project
- Determine accountability for each required action
- The most successful also involve a formal development strategy referred to as the systems development life cycle

Approaches to Information Security Implementation



The Systems Development Life Cycle


- Systems Development Life Cycle (SDLC): methodology for the design and implementation of an information system within an organization
- Methodology: formal approach to problem solving based on a structured sequence of procedures
- Using a methodology ensures a rigorous process and increases the probability of success
- Traditional SDLC consists of six general phases

SDLC Waterfall Methodology

Investigation
- What problem is the system being developed to solve?
- Objectives, constraints, and scope of the project are specified
- Preliminary cost-benefit analysis is developed
- At the end, a feasibility analysis is performed to assess the economic, technical, and behavioural feasibility of the process

Analysis
- Consists of assessments of: the organization, current systems, and the capability to support proposed systems
- Analysts determine what the new system is expected to do and how it will interact with existing systems
- Ends with documentation of findings and an update of the feasibility analysis

Logical Design
- Main factor is business need
- Applications capable of providing the needed services are selected
- Data support and structures capable of providing the needed inputs are identified
- Technologies to implement the physical solution are determined
- Feasibility analysis performed at the end

Physical Design
- Technologies to support the alternatives identified and evaluated in the logical design are selected
- Components evaluated on a make-or-buy decision
- Feasibility analysis performed
- Entire solution presented to end-user representatives for approval

Implementation

- Needed software created
- Components ordered, received, and tested
- Users trained and documentation created
- Feasibility analysis prepared
- Users presented with the system for performance review and acceptance test

Maintenance and Change


- Longest and most expensive phase
- Consists of the tasks necessary to support and modify the system for the remainder of its useful life
- Life cycle continues until the process begins again from the investigation phase
- When the current system can no longer support the organization's mission, a new project is implemented

The Security Systems Development Life Cycle


- The same phases used in the traditional SDLC may be adapted to support the specialized implementation of an IS project
- Identification of specific threats and creating controls to counter them
- Sec-SDLC is a coherent program rather than a series of random, seemingly unconnected actions

Investigation
- Identifies process, outcomes, goals, and constraints of the project
- Begins with the Enterprise Information Security Policy (EISP)
- Organizational feasibility analysis is performed

Analysis
- Documents from the investigation phase are studied
- Analysis of existing security policies or programs, along with documented current threats and associated controls
- Includes analysis of relevant legal issues that could impact the design of the security solution
- Risk management task begins

Logical Design
- Creates and develops blueprints for information security
- Incident response actions planned: continuity planning, incident response, disaster recovery
- Feasibility analysis to determine whether the project should be continued or outsourced

Physical Design

- Needed security technology is evaluated, alternatives are generated, and the final design is selected
- At the end of the phase, a feasibility study determines the readiness of the organization for the project

Implementation
- Security solutions are acquired, tested, implemented, and tested again
- Personnel issues evaluated; specific training and education programs conducted
- Entire tested package is presented to management for final approval

Maintenance and Change


- Perhaps the most important phase, given the ever-changing threat environment
- Often, repairing damage and restoring information is a constant duel with an unseen adversary
- The information security profile of an organization requires constant adaptation as new threats emerge and old threats evolve

Security Professionals and the Organization


- A wide range of professionals is required to support a diverse information security program
- Senior management is a key component
- Additional administrative support and technical expertise are required to implement the details of the IS program

Senior Management
- Chief Information Officer (CIO): senior technology officer; primarily responsible for advising senior executives on strategic planning
- Chief Information Security Officer (CISO): primarily responsible for the assessment, management, and implementation of information security in the organization; usually reports directly to the CIO

Information Security Project Team


A number of individuals who are experienced in one or more facets of the required technical and nontechnical areas:

- Team leader
- Security policy developers
- Risk assessment specialists
- Security professionals
- Systems administrators
- End users

Data Responsibilities
- Data owner: responsible for the security and use of a particular set of information
- Data custodian: responsible for the storage, maintenance, and protection of information
- Data users: end users who work with information to perform their daily jobs supporting the mission of the organization

Some Basic Terminology


- plaintext: original message
- ciphertext: coded message
- cipher: algorithm for transforming plaintext to ciphertext
- key: information used in the cipher, known only to sender/receiver
- encipher (encrypt): converting plaintext to ciphertext
- decipher (decrypt): recovering plaintext from ciphertext
- cryptography: study of encryption principles/methods
- cryptanalysis (codebreaking): study of principles/methods of deciphering ciphertext without knowing the key
- cryptology: the field covering both cryptography and cryptanalysis

Security Attack
- Security attack: any action that compromises the security of information owned by an organization
- Information security is about how to prevent attacks, or failing that, to detect attacks on information-based systems
- Often "threat" and "attack" are used to mean the same thing. According to RFC 2828:
  - Threat: a potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm
  - Attack: an assault on system security that derives from an intelligent threat; that is, an intelligent act that is a deliberate attempt (especially in the sense of a method or technique) to evade security services and violate the security policy of a system
- There is a wide range of attacks; we can focus on two generic types: passive and active

Passive Attacks


Active Attacks


Security Service
- A communication service that enhances the security of the data processing systems and information transfers of an organization
- Intended to counter security attacks, using one or more security mechanisms
- Often replicates functions normally associated with physical documents, which, for example, have signatures and dates; need protection from disclosure, tampering, or destruction; may be notarized or witnessed; may be recorded or licensed

Security Services
- X.800: a service provided by a protocol layer of communicating open systems, which ensures adequate security of the systems or of data transfers
- RFC 2828: a processing or communication service provided by a system to give a specific kind of protection to system resources

Security Services (X.800)


- Authentication: assurance that the communicating entity is the one claimed
- Access Control: prevention of the unauthorized use of a resource
- Data Confidentiality: protection of data from unauthorized disclosure
- Data Integrity: assurance that data received is as sent by an authorized entity
- Non-Repudiation: protection against denial by one of the parties in a communication

Security Mechanism
- A feature designed to detect, prevent, or recover from a security attack
- No single mechanism will support all services required
- However, one particular element underlies many of the security mechanisms in use: cryptographic techniques, hence our focus on this topic

Security Mechanisms (X.800)


- Specific security mechanisms: encipherment, digital signatures, access controls, data integrity, authentication exchange, traffic padding, routing control, notarization
- Pervasive security mechanisms: trusted functionality, security labels, event detection, security audit trails, security recovery

Model for Network Security


Model for Network Security


Using this model requires us to:

1. Design a suitable algorithm for the security transformation
2. Generate the secret information (keys) used by the algorithm
3. Develop methods to distribute and share the secret information
4. Specify a protocol enabling the principals to use the transformation and secret information for a security service

Model for Network Access Security


Symmetric Encryption
- Also called conventional / private-key / single-key encryption
- Sender and recipient share a common key
- All classical encryption algorithms are private-key, as this was the only type prior to the invention of public-key cryptography in the 1970s

Symmetric Cipher Model


Requirements
Two requirements for secure use of symmetric encryption:

- a strong encryption algorithm
- a secret key known only to sender / receiver

Mathematically we have:

Y = E_K(X)
X = D_K(Y)

We assume the encryption algorithm is known, which implies a secure channel is needed to distribute the key.

Cryptography
Characterize a cryptographic system by:

- Type of encryption operations used: substitution / transposition / product
- Number of keys used: single-key or private (symmetric) / two-key or public (asymmetric)
- Way in which plaintext is processed: block / stream

Cryptanalysis
- Objective is to recover the key, not just the message
- General approaches: cryptanalytic attack, brute-force attack

Cryptanalytic Attacks
- Ciphertext only: only the algorithm and ciphertext are known; the attack is statistical, and the attacker must know or be able to identify the plaintext
- Known plaintext: know/suspect some plaintext and its corresponding ciphertext
- Chosen plaintext: select plaintext and obtain its ciphertext
- Chosen ciphertext: select ciphertext and obtain its plaintext
- Chosen text: select plaintext or ciphertext to encrypt/decrypt

More Definitions
- Unconditional security: no matter how much computer power or time is available, the cipher cannot be broken, since the ciphertext provides insufficient information to uniquely determine the corresponding plaintext
- Computational security: given limited computing resources (e.g. the time needed for the calculations is greater than the age of the universe), the cipher cannot be broken

Brute Force Search


- Always possible to simply try every key
- Most basic attack; effort is proportional to key size
- Assume the attacker either knows or can recognise the plaintext

Key Size (bits)             | Number of Alternative Keys | Time required at 1 decryption/µs  | Time required at 10^6 decryptions/µs
32                          | 2^32 = 4.3 × 10^9          | 2^31 µs = 35.8 minutes            | 2.15 milliseconds
56                          | 2^56 = 7.2 × 10^16         | 2^55 µs = 1142 years              | 10.01 hours
128                         | 2^128 = 3.4 × 10^38        | 2^127 µs = 5.4 × 10^24 years      | 5.4 × 10^18 years
168                         | 2^168 = 3.7 × 10^50        | 2^167 µs = 5.9 × 10^36 years      | 5.9 × 10^30 years
26 characters (permutation) | 26! = 4 × 10^26            | 2 × 10^26 µs = 6.4 × 10^12 years  | 6.4 × 10^6 years

Classical Substitution Ciphers


Where letters of plaintext are replaced by other letters or by numbers or symbols If plaintext is viewed as a sequence of bits, then substitution involves replacing plaintext bit patterns with ciphertext bit patterns


Caesar Cipher
- Earliest known substitution cipher, given by Julius Caesar
- First attested use in military affairs
- Replaces each letter by the letter three places further on in the alphabet, e.g.:

meet me after the toga party
PHHW PH DIWHU WKH WRJD SDUWB

Caesar Cipher

Can define the transformation as:

abcdefghijklmnopqrstuvwxyz
DEFGHIJKLMNOPQRSTUVWXYZABC

Mathematically, give each letter a number:

a b c d e f g h i j k  l  m  n  o  p  q  r  s  t  u  v  w  x  y  z
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25

Then the Caesar cipher with shift k (Caesar's own shift is k = 3) is:

c = E(p) = (p + k) mod 26
p = D(c) = (c - k) mod 26

Monoalphabetic Cipher
- Rather than just shifting the alphabet, could shuffle (jumble) the letters arbitrarily
- Each plaintext letter maps to a different random ciphertext letter, hence the key is 26 letters long

Plain:      abcdefghijklmnopqrstuvwxyz
Cipher:     DKVQFIBJWPESCXHTMYAUOLRGZN
Plaintext:  ifwewishtoreplaceletters
Ciphertext: WIRFRWAJUHYFTSDVFSFUUFYA
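The Caesar and monoalphabetic substitutions above, together with the exhaustive key search from the Brute Force Search slide, as one added Python example (this is not code from the slides): substitute applies any 26-letter key alphabet, caesar_encrypt/caesar_decrypt implement c = (p + k) mod 26 and p = (c - k) mod 26 by building the shifted alphabet, and caesar_brute_force tries all 26 shifts and keeps the candidate containing the most common English words. The function names and the small word list used to recognise plaintext are assumptions of this example; the sample strings are the ones on the slides.

```python
"""Classical substitution ciphers: Caesar (shift) and general monoalphabetic.

Added example; the sample strings are the ones quoted on the slides.
"""
import string

ALPHABET = string.ascii_lowercase


def shift_alphabet(k: int) -> str:
    """Cipher alphabet for a Caesar shift of k (k=3 gives DEFG...ABC)."""
    k %= 26
    return (ALPHABET[k:] + ALPHABET[:k]).upper()


def substitute(text: str, cipher_alphabet: str) -> str:
    """Monoalphabetic encryption: plaintext letter i -> cipher_alphabet[i].

    Non-letters (spaces, punctuation) pass through unchanged; output is upper case.
    """
    table = {p: c for p, c in zip(ALPHABET, cipher_alphabet.upper())}
    return "".join(table.get(ch, ch) for ch in text.lower())


def unsubstitute(text: str, cipher_alphabet: str) -> str:
    """Inverse of substitute(): invert the 26-letter key and map back to lower case."""
    table = {c: p for p, c in zip(ALPHABET, cipher_alphabet.upper())}
    return "".join(table.get(ch, ch) for ch in text.upper())


def caesar_encrypt(plaintext: str, k: int) -> str:
    """c = (p + k) mod 26 for every letter."""
    return substitute(plaintext, shift_alphabet(k))


def caesar_decrypt(ciphertext: str, k: int) -> str:
    """p = (c - k) mod 26 for every letter."""
    return unsubstitute(ciphertext, shift_alphabet(k))


# A short list of very common English words, used only to recognise plaintext
# during the brute-force search. Constructed for this example.
COMMON_WORDS = {"the", "and", "me", "to", "of", "a", "in", "after", "is", "at"}


def score_english(text: str) -> int:
    """Count how many whitespace-separated tokens are common English words."""
    return sum(1 for w in text.split() if w in COMMON_WORDS)


def caesar_brute_force(ciphertext: str) -> tuple[int, str]:
    """Try all 26 shifts and return (key, plaintext) for the best-scoring candidate.

    A 26-key space is exhausted instantly, so a Caesar cipher offers no
    security once the algorithm is known.
    """
    candidates = [(k, caesar_decrypt(ciphertext, k)) for k in range(26)]
    return max(candidates, key=lambda kp: score_english(kp[1]))


if __name__ == "__main__":
    c = caesar_encrypt("meet me after the toga party", 3)
    print(c)                                   # PHHW PH DIWHU WKH WRJD SDUWB
    print(caesar_brute_force(c))               # (3, 'meet me after the toga party')
    key = "DKVQFIBJWPESCXHTMYAUOLRGZN"
    print(substitute("ifwewishtoreplaceletters", key))   # WIRFRWAJUHYFTSDVFSFUUFYA
```

The brute-force search scales to the 26 Caesar keys but not to the 26! keys of an arbitrary monoalphabetic key alphabet, which is exactly why the next slides turn to letter frequencies instead.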

Monoalphabetic Cipher Security


- Now have a total of 26! = 4 × 10^26 keys
- With so many keys, one might think it is secure, but that would be WRONG
- The problem is language characteristics

Language Redundancy and Cryptanalysis


- Human languages are redundant, e.g. "th lrd s m shphrd shll nt wnt"
- Letters are not equally commonly used: in English, E is by far the most common letter, followed by T, R, N, I, O, A, S
- Other letters like Z, J, K, Q, X are fairly rare
- Have tables of single, double and triple letter frequencies for various languages

English Letter Frequencies


Use in Cryptanalysis
- Key concept: monoalphabetic substitution ciphers do not change relative letter frequencies
- Discovered by Arabian scientists in the 9th century
- Calculate letter frequencies for the ciphertext
- Compare counts/plots against known values

Example Cryptanalysis
Given ciphertext:

UZQSOVUOHXMOPVGPOZPEVSGZWSZOPFPESXUDBMETSXAIZVUEPHZHMDZSHZOWSFPAPPDTSVPQUZWYMXUZUHSXEPYEPOPDZSZUFPOMBZWPFUPZHMDJUDTMOHMQ

- Count relative letter frequencies (see text)
- Guess P and Z are e and t
- Guess ZW is th, and hence ZWP is the
- Proceeding with trial and error, finally get:

it was disclosed yesterday that several informal but direct contacts have been made with political representatives of the viet cong in moscow
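The frequency analysis described on the Use in Cryptanalysis and Example Cryptanalysis slides, as an added Python example (not code from the slides): letter_frequencies ranks the ciphertext letters, ngram_counts finds repeated digrams and trigrams such as ZW and ZWP, initial_guess pairs the most frequent ciphertext letters with the most frequent English letters, apply_mapping shows the partially decrypted text, and mapping_from_pair checks that the slide's final plaintext really is a single consistent monoalphabetic substitution of the ciphertext. The function names and the English frequency ordering constant are assumptions of this example; the ciphertext and plaintext are the ones on the slide.

```python
"""Frequency analysis of a monoalphabetic substitution ciphertext.

Added example, not from the slides. The ciphertext is the one quoted on the
slide; ENGLISH_ORDER is the usual textbook most-to-least frequent ordering.
"""
from collections import Counter

CIPHERTEXT = (
    "UZQSOVUOHXMOPVGPOZPEVSGZWSZOPFPESXUDBMETSXAIZ"
    "VUEPHZHMDZSHZOWSFPAPPDTSVPQUZWYMXUZUHSX"
    "EPYEPOPDZSZUFPOMBZWPFUPZHMDJUDTMOHMQ"
)

# Most-to-least frequent letters in English text (standard textbook ordering).
ENGLISH_ORDER = "etaoinshrdlcumwfgypbvkjxqz"


def letter_frequencies(text: str) -> list[tuple[str, float]]:
    """Relative frequency (percent) of each letter, most common first."""
    letters = [ch for ch in text.upper() if ch.isalpha()]
    counts = Counter(letters)
    n = len(letters)
    return sorted(((ch, 100.0 * k / n) for ch, k in counts.items()),
                  key=lambda item: (-item[1], item[0]))


def ngram_counts(text: str, n: int) -> Counter:
    """Counts of overlapping n-letter sequences (digrams for n=2, trigrams for n=3)."""
    letters = "".join(ch for ch in text.upper() if ch.isalpha())
    return Counter(letters[i:i + n] for i in range(len(letters) - n + 1))


def apply_mapping(ciphertext: str, mapping: dict[str, str]) -> str:
    """Replace each ciphertext letter by its guessed plaintext letter; '_' if unknown."""
    return "".join(mapping.get(ch, "_") if ch.isalpha() else ch
                   for ch in ciphertext.upper())


def mapping_from_pair(ciphertext: str, plaintext: str) -> dict[str, str]:
    """Recover the substitution key from a ciphertext/plaintext pair.

    Raises ValueError if the pair is not consistent with a single monoalphabetic
    substitution (one cipher letter standing for two different plain letters).
    """
    c = "".join(ch for ch in ciphertext.upper() if ch.isalpha())
    p = "".join(ch for ch in plaintext.lower() if ch.isalpha())
    if len(c) != len(p):
        raise ValueError("lengths differ")
    mapping: dict[str, str] = {}
    for cc, pp in zip(c, p):
        if mapping.setdefault(cc, pp) != pp:
            raise ValueError(f"{cc} maps to both {mapping[cc]} and {pp}")
    return mapping


def initial_guess(ciphertext: str, top: int = 2) -> dict[str, str]:
    """First step from the slide: pair the most frequent ciphertext letters with
    the most frequent English letters (here P -> e, Z -> t)."""
    freq = letter_frequencies(ciphertext)
    return {ch: ENGLISH_ORDER[i] for i, (ch, _) in enumerate(freq[:top])}


if __name__ == "__main__":
    for ch, pct in letter_frequencies(CIPHERTEXT)[:6]:
        print(f"{ch} {pct:5.2f}%")           # P 13.33, Z 11.67, S 8.33, U 8.33, O 7.50, M 6.67
    print(ngram_counts(CIPHERTEXT, 2)["ZW"])  # 3: guess ZW = th, so ZWP = the
    guess = initial_guess(CIPHERTEXT)
    guess["W"] = "h"
    print(apply_mapping(CIPHERTEXT, guess))   # partial plaintext, unknown letters as '_'
```

Running the script reproduces the slide's observations: P and Z lead the frequency table, ZW occurs three times and ZWP once, which is what justifies reading them as th and the before the remaining letters are filled in by trial and error.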

Playfair Cipher
- Not even the large number of keys in a monoalphabetic cipher provides security
- One approach to improving security was to encrypt multiple letters at a time; the Playfair cipher is an example
- Invented by Charles Wheatstone in 1854, but named after his friend Baron Playfair

Playfair Key Matrix

- A 5x5 matrix of letters based on a keyword
- Fill in the letters of the keyword (minus duplicates)
- Fill the rest of the matrix with the other letters (I and J share one cell)
- e.g. using the keyword MONARCHY:

M O N A   R
C H Y B   D
E F G I/J K
L P Q S   T
U V W X   Z

Encrypting and Decrypting


Plaintext is encrypted two letters at a time:

1. If a pair is a repeated letter, insert a filler like 'X'
2. If both letters fall in the same row, replace each with the letter to its right (wrapping back to the start from the end)
3. If both letters fall in the same column, replace each with the letter below it (again wrapping to the top from the bottom)
4. Otherwise each letter is replaced by the letter in its own row and in the column of the other letter of the pair
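The Playfair key matrix and the four encryption rules above, as an added Python example (not the slides' own code): build_matrix constructs the 5x5 matrix from a keyword with I and J merged, make_digrams splits the plaintext into pairs and inserts the X filler for doubled letters, and playfair_encrypt/playfair_decrypt apply the row, column and rectangle rules in either direction. The function names, the use of Q as filler when the pair itself is XX, and the padding of an odd-length message with X are assumptions of this example; the keyword MONARCHY is the slide's.

```python
"""Playfair digram cipher, as described on the slides.

Added example, not the slides' own code. Uses the keyword MONARCHY from the
slide; I and J share one cell, and X is the filler letter (Q if the pair is XX).
"""
import string


def build_matrix(keyword: str) -> list[list[str]]:
    """5x5 key matrix: keyword letters (duplicates dropped) then the rest of the alphabet."""
    seen, order = set(), []
    for ch in (keyword + string.ascii_lowercase).upper().replace("J", "I"):
        if ch.isalpha() and ch not in seen:
            seen.add(ch)
            order.append(ch)
    return [order[r * 5:(r + 1) * 5] for r in range(5)]


def _positions(matrix):
    """Map each letter to its (row, column) in the matrix."""
    return {ch: (r, c) for r, row in enumerate(matrix) for c, ch in enumerate(row)}


def make_digrams(plaintext: str, filler: str = "X") -> list[str]:
    """Split into letter pairs; break doubled letters with the filler and pad an odd tail."""
    letters = "".join(ch for ch in plaintext.upper() if ch.isalpha()).replace("J", "I")
    pairs, i = [], 0
    while i < len(letters):
        a = letters[i]
        b = letters[i + 1] if i + 1 < len(letters) else filler
        if a == b:
            b = filler if a != filler else "Q"   # 'XX' would never split with filler X
            i += 1
        else:
            i += 2
        pairs.append(a + b)
    return pairs


def _transform(pair: str, matrix, pos, step: int) -> str:
    """Apply the row/column/rectangle rule; step=+1 encrypts, step=-1 decrypts."""
    (ra, ca), (rb, cb) = pos[pair[0]], pos[pair[1]]
    if ra == rb:                      # same row: shift right (left when decrypting)
        return matrix[ra][(ca + step) % 5] + matrix[rb][(cb + step) % 5]
    if ca == cb:                      # same column: shift down (up when decrypting)
        return matrix[(ra + step) % 5][ca] + matrix[(rb + step) % 5][cb]
    return matrix[ra][cb] + matrix[rb][ca]   # rectangle: swap the columns


def playfair_encrypt(plaintext: str, keyword: str) -> str:
    matrix = build_matrix(keyword)
    pos = _positions(matrix)
    return "".join(_transform(p, matrix, pos, +1) for p in make_digrams(plaintext))


def playfair_decrypt(ciphertext: str, keyword: str) -> str:
    """Inverse rules; filler letters inserted on encryption remain in the output."""
    matrix = build_matrix(keyword)
    pos = _positions(matrix)
    c = "".join(ch for ch in ciphertext.upper() if ch.isalpha())
    return "".join(_transform(c[i:i + 2], matrix, pos, -1) for i in range(0, len(c), 2))


if __name__ == "__main__":
    for row in build_matrix("MONARCHY"):
        print(" ".join(row))
    ct = playfair_encrypt("balloon", "MONARCHY")
    print(make_digrams("balloon"), ct)          # ['BA', 'LX', 'LO', 'ON'] IBSUPMNA
    print(playfair_decrypt(ct, "MONARCHY"))     # BALXLOON
```

Note that decryption cannot tell a filler X from a real X, so the receiver strips fillers by reading the message; this is the usual Playfair convention rather than a defect of the example.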

Security of Playfair Cipher


- Security much improved over monoalphabetic, since there are 26 × 26 = 676 digrams
- Would need a 676-entry frequency table to analyse (versus 26 for a monoalphabetic cipher), and correspondingly more ciphertext
- Was widely used for many years, e.g. by the US and British military in WW1
- It can be broken, given a few hundred letters, since it still retains much of the plaintext structure

Polyalphabetic Ciphers
- Polyalphabetic substitution ciphers improve security by using multiple cipher alphabets
- Make cryptanalysis harder, with more alphabets to guess and a flatter frequency distribution
- Use a key to select which alphabet is used for each letter of the message
- Use each alphabet in turn, and repeat from the start after the end of the key is reached

Vigenre Cipher
- Simplest polyalphabetic substitution cipher; effectively multiple Caesar ciphers
- Key is multiple letters long: K = k1 k2 ... kd
- The ith letter specifies the ith alphabet to use
- Use each alphabet in turn, and repeat from the start after d letters in the message
- Decryption simply works in reverse

Example of Vigenre Cipher


- Write the plaintext out
- Write the keyword repeated above it
- Use each key letter as a Caesar cipher key to encrypt the corresponding plaintext letter
- e.g. using keyword deceptive:

key:        deceptivedeceptivedeceptive
plaintext:  wearediscoveredsaveyourself
ciphertext: ZICVTWQNGRZGVTWAVZHCQYGLMGJ

Aids
- Simple aids can assist with encryption/decryption
- A Saint-Cyr Slide is a simple manual aid: a slide with a repeated alphabet; line up plaintext 'A' with the key letter, e.g. 'C', then read off any mapping for that key letter
- Can bend it round into a cipher disk, or expand it into a Vigenère Tableau

Security of Vigenre Ciphers


- Have multiple ciphertext letters for each plaintext letter, hence letter frequencies are obscured, but not totally lost
- Start with letter frequencies: see whether they look monoalphabetic or not
- If not, then need to determine the number of alphabets, since then each one can be attacked separately

Kasiski Method
- Method developed by Babbage / Kasiski
- Repetitions in the ciphertext give clues to the period
- So find the same plaintext an exact period apart, which results in the same ciphertext (of course, it could also be a random fluke)
- e.g. the repeated VTW in the previous example suggests a key size of 3 or 9
- Then attack each monoalphabetic cipher individually using the same techniques as before

Autokey Cipher
- Ideally want a key as long as the message
- Vigenère proposed the autokey cipher, in which the keyword is prefixed to the message to form the key
- Knowing the keyword, one can recover the first few letters, then use these in turn on the rest of the message
- But it still has frequency characteristics to attack
- e.g. given key deceptive:

key:        deceptivewearediscoveredsav
plaintext:  wearediscoveredsaveyourself
ciphertext: ZICVTWQNGKZEIIGASXSTSLVVWLA
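Vigenère, the Kasiski period test and the autokey variant from the Vigenère, Kasiski Method and Autokey Cipher slides, as one added Python example (not the slides' own code). vigenere_encrypt with autokey=False repeats the keyword as on the Example of Vigenère Cipher slide; with autokey=True it prefixes the keyword to the plaintext as on the Autokey Cipher slide; kasiski_distances lists the gaps between repeated trigrams and candidate_periods turns them into possible key lengths. The function names, and the choice to report every divisor of the gcd of the repeat distances as a candidate period, are assumptions of this example; the keyword and messages are the slides'.

```python
"""Vigenère and autokey ciphers plus the Kasiski period test from the slides.

Added example, not the slides' own code. Uses the slide's keyword 'deceptive'
and plaintext 'wearediscoveredsaveyourself'.
"""
from collections import defaultdict
from math import gcd


def _letters(text: str) -> str:
    return "".join(ch for ch in text.lower() if ch.isalpha())


def _keystream(key: str, plaintext: str, autokey: bool) -> str:
    """Repeating key (Vigenère) or key followed by the plaintext itself (autokey)."""
    p = _letters(plaintext)
    k = _letters(key)
    stream = k + p if autokey else k * (len(p) // len(k) + 1)
    return stream[:len(p)]


def vigenere_encrypt(plaintext: str, key: str, autokey: bool = False) -> str:
    """c_i = (p_i + k_i) mod 26: each key letter selects one Caesar alphabet."""
    p = _letters(plaintext)
    ks = _keystream(key, p, autokey)
    return "".join(chr((ord(a) - 97 + ord(b) - 97) % 26 + 65) for a, b in zip(p, ks))


def vigenere_decrypt(ciphertext: str, key: str, autokey: bool = False) -> str:
    """p_i = (c_i - k_i) mod 26. For autokey the key grows with each recovered letter."""
    c = _letters(ciphertext)
    k = _letters(key)
    out = []
    for i, ch in enumerate(c):
        kch = (k + "".join(out))[i] if autokey else k[i % len(k)]
        out.append(chr((ord(ch) - 97 - (ord(kch) - 97)) % 26 + 97))
    return "".join(out)


def kasiski_distances(ciphertext: str, n: int = 3) -> dict[str, list[int]]:
    """Distances between repeated n-grams; the key period should divide them."""
    c = ciphertext.upper()
    where = defaultdict(list)
    for i in range(len(c) - n + 1):
        where[c[i:i + n]].append(i)
    return {g: [b - a for a, b in zip(idx, idx[1:])]
            for g, idx in where.items() if len(idx) > 1}


def candidate_periods(ciphertext: str, n: int = 3) -> list[int]:
    """Divisors (>1) of the gcd of all repeat distances, smallest first."""
    dists = [d for ds in kasiski_distances(ciphertext, n).values() for d in ds]
    if not dists:
        return []
    g = 0
    for d in dists:
        g = gcd(g, d)
    return [d for d in range(2, g + 1) if g % d == 0]


if __name__ == "__main__":
    pt, key = "wearediscoveredsaveyourself", "deceptive"
    ct = vigenere_encrypt(pt, key)
    print(ct)                                          # ZICVTWQNGRZGVTWAVZHCQYGLMGJ
    print(kasiski_distances(ct))                       # {'VTW': [9]}  -> period 3 or 9
    print(candidate_periods(ct))                       # [3, 9]
    print(vigenere_encrypt(pt, key, autokey=True))     # ZICVTWQNGKZEIIGASXSTSLVVWLA
    print(vigenere_decrypt("ZICVTWQNGKZEIIGASXSTSLVVWLA", key, autokey=True))
```

With the 27-letter example the only repeat is VTW at distance 9, giving the candidate periods 3 and 9 the slide mentions; on a longer ciphertext several repeats would appear and their gcd narrows the period down before each column is attacked as a Caesar cipher.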

One-Time Pad
- If a truly random key as long as the message is used, the cipher will be secure; this is called a One-Time Pad
- It is unbreakable, since the ciphertext bears no statistical relationship to the plaintext: for any plaintext and any ciphertext there exists a key mapping one to the other
- Can only use the key once, though
- Problems in the generation and safe distribution of the key
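The one-time pad properties stated above, as an added Python example over bytes (not the slides' own code): otp_encrypt/otp_decrypt XOR the message with a key drawn from the operating system's random source, key_explaining shows that for any chosen plaintext there is a key that maps a given ciphertext to it (so the ciphertext alone reveals nothing), and two_time_pad_leak shows what is lost when the same pad is used twice. The function names and the sample messages are assumptions of this example.

```python
"""One-time pad over bytes: perfect secrecy, and what breaks when the key is reused.

Added example, not from the slides. Keys come from os.urandom; the sample
messages are constructed for the demonstration.
"""
import os


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("one-time pad key must be exactly as long as the message")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_keygen(n: int) -> bytes:
    """A random key as long as the message (os.urandom draws from the OS CSPRNG)."""
    return os.urandom(n)


def otp_encrypt(plaintext: bytes, key: bytes) -> bytes:
    return xor_bytes(plaintext, key)


def otp_decrypt(ciphertext: bytes, key: bytes) -> bytes:
    return xor_bytes(ciphertext, key)   # XOR is its own inverse


def key_explaining(ciphertext: bytes, claimed_plaintext: bytes) -> bytes:
    """For ANY plaintext of the right length there is a key mapping the ciphertext to it.

    This is why the ciphertext carries no information about the plaintext: an
    attacker cannot prefer one candidate message over another.
    """
    return xor_bytes(ciphertext, claimed_plaintext)


def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """If a pad is reused, c1 XOR c2 = p1 XOR p2: the key cancels and the relationship
    between the two messages is exposed. This is the 'use the key once' warning."""
    return xor_bytes(c1, c2)


if __name__ == "__main__":
    p1 = b"attack at dawn"
    k = otp_keygen(len(p1))
    c1 = otp_encrypt(p1, k)
    assert otp_decrypt(c1, k) == p1
    # A different key makes the same ciphertext decrypt to a completely different message.
    k2 = key_explaining(c1, b"retreat at six")
    print(otp_decrypt(c1, k2))            # b'retreat at six'
    # Reusing k for a second message leaks p1 XOR p2.
    p2 = b"attack at dusk"
    c2 = otp_encrypt(p2, k)
    print(two_time_pad_leak(c1, c2))      # equals xor_bytes(p1, p2): zero wherever p1 == p2
```

The leak output is zero in every position where the two messages agree and non-zero only where they differ, which already tells an attacker how long the common prefix is; with natural-language messages the XOR of the two plaintexts is usually enough to recover both.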

Transposition Ciphers
- Now consider classical transposition or permutation ciphers
- These hide the message by rearranging the letter order, without altering the actual letters used
- Can recognise these since they have the same frequency distribution as the original text

Rail Fence cipher


- Write the message letters out diagonally over a number of rows, then read off the cipher row by row
- e.g. write the message out as:

m e m a t r h t g p r y
 e t e f e t e o a a t

giving ciphertext

MEMATRHTGPRYETEFETEOAAT

Row Transposition Ciphers


- A more complex transposition
- Write the letters of the message out in rows over a specified number of columns
- Then read the columns off in the order given by the key (the column numbered 1 first, then 2, and so on)

Key:        4 3 1 2 5 6 7
Plaintext:  a t t a c k p
            o s t p o n e
            d u n t i l t
            w o a m x y z
Ciphertext: TTNAAPTMTSUOAODWCOIXKNLYPETZ
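The rail fence and row transposition ciphers from the two slides above, as an added Python example (not the slides' own code): rail_fence_encrypt/decrypt implement the zigzag for any number of rails, which generalises the two-row example on the slide, and row_transposition_encrypt/decrypt write the message in rows and read the columns in key order, padding the last row as the slide does. The function names and the pad string are assumptions of this example; the messages and the key 4312567 are the slides'.

```python
"""Rail fence and row (columnar) transposition ciphers from the slides.

Added example, not the slides' own code. Sample messages and the key 4312567
are the ones used on the slides. A transposition leaves the letter frequencies
of the plaintext untouched, which is how one recognises it.
"""


def _letters(text: str) -> str:
    return "".join(ch for ch in text.lower() if ch.isalpha())


def _zigzag(n: int, rails: int) -> list[int]:
    """Rail index visited by each of n successive letters (0,1,...,rails-1,...,1,0,...)."""
    pattern, r, step = [], 0, 1
    for _ in range(n):
        pattern.append(r)
        if rails > 1:
            if r == 0:
                step = 1
            elif r == rails - 1:
                step = -1
            r += step
    return pattern


def rail_fence_encrypt(plaintext: str, rails: int = 2) -> str:
    """Write the letters in a zigzag over `rails` rows, then read row by row."""
    p = _letters(plaintext)
    pattern = _zig(p, rails) if False else _zigzag(len(p), rails)
    return "".join(p[i] for rail in range(rails)
                   for i, r in enumerate(pattern) if r == rail).upper()


def rail_fence_decrypt(ciphertext: str, rails: int = 2) -> str:
    """Recompute the zigzag, fill the rails row by row, then read in writing order."""
    c = ciphertext.lower()
    pattern = _zigzag(len(c), rails)
    out, pos = [""] * len(c), 0
    for rail in range(rails):
        for i, r in enumerate(pattern):
            if r == rail:
                out[i] = c[pos]
                pos += 1
    return "".join(out)


def row_transposition_encrypt(plaintext: str, key: str, pad: str = "xyz") -> str:
    """Write in rows of len(key) columns, pad the last row, read columns in key order."""
    p = _letters(plaintext)
    cols = len(key)
    p += (pad * cols)[:(-len(p)) % cols]
    order = sorted(range(cols), key=lambda i: key[i])   # column labelled '1' first
    return "".join(p[c::cols] for c in order).upper()


def row_transposition_decrypt(ciphertext: str, key: str) -> str:
    """Refill the columns in key order, then read the grid row by row."""
    c = ciphertext.lower()
    cols = len(key)
    rows = len(c) // cols
    order = sorted(range(cols), key=lambda i: key[i])
    grid = [[""] * cols for _ in range(rows)]
    pos = 0
    for col in order:
        for r in range(rows):
            grid[r][col] = c[pos]
            pos += 1
    return "".join("".join(row) for row in grid)


if __name__ == "__main__":
    print(rail_fence_encrypt("meet me after the toga party"))     # MEMATRHTGPRYETEFETEOAAT
    ct = row_transposition_encrypt("attack postponed until two am", "4312567")
    print(ct)                                                      # TTNAAPTMTSUOAODWCOIXKNLYPETZ
    print(row_transposition_decrypt(ct, "4312567"))                # attackpostponeduntiltwoamxyz
```

Both decrypt functions assume the receiver knows the number of rails or the key; since the letters themselves are unchanged, an attacker who counts letter frequencies sees English statistics immediately and knows to try transposition keys rather than substitution ones.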

Product Ciphers
- Ciphers using only substitutions or only transpositions are not secure, because of language characteristics
- Hence consider using several ciphers in succession to make the result harder to break, but:
  - two substitutions make a more complex substitution
  - two transpositions make a more complex transposition
  - but a substitution followed by a transposition makes a new, much harder cipher
- This is the bridge from classical to modern ciphers

Rotor Machines
- before modern ciphers, rotor machines were the most common complex ciphers in use
- widely used in WW2
  - German Enigma, Allied Hagelin, Japanese Purple
- implemented a very complex, varying substitution cipher
- used a series of cylinders, each giving one substitution, which rotated and changed after each letter was encrypted
- with 3 cylinders have 26^3 = 17576 alphabets

Hagelin Rotor Machine
(figure not reproduced in this text)

Steganography
- An alternative to encryption
- Hides the existence of the message
  - using only a subset of letters/words in a longer message, marked in some way
  - using invisible ink
  - hiding in the LSB of a graphic image or sound file
- Has drawbacks
  - high overhead to hide relatively few information bits

Secure Encryption Systems

Computational Complexity
- Recall from our sorting examples at the start of class that we could prove that any sort would have to do at least some minimal amount of work (lower bound)
- We proved this using decision trees

// Sorts an array of 3 items using at most 3 comparisons
void sortthree(int s[]) {
    int a = s[0], b = s[1], c = s[2];      /* 0-based indexing in C */
    if (a < b) {
        if (b < c)      { s[0] = a; s[1] = b; s[2] = c; }   /* a,b,c */
        else if (a < c) { s[0] = a; s[1] = c; s[2] = b; }   /* a,c,b */
        else            { s[0] = c; s[1] = a; s[2] = b; }   /* c,a,b */
    } else if (b < c) {
        if (a < c)      { s[0] = b; s[1] = a; s[2] = c; }   /* b,a,c */
        else            { s[0] = b; s[1] = c; s[2] = a; }   /* b,c,a */
    } else              { s[0] = c; s[1] = b; s[2] = a; }   /* c,b,a */
}

(decision tree figure for sortthree: the internal nodes test a<b, b<c and a<c; the six leaves are the orderings a,b,c  a,c,b  c,a,b  b,a,c  b,c,a  c,b,a)

Decision Trees
- A decision tree can be created for every comparison-based sorting algorithm
- The following is a decision tree for a 3 element Exchange sort
- Note that c < b means that the Exchange sort compares the array item whose current value is c with the one whose current value is b, not that it compares s[3] to s[2].

(decision tree figure for the 3 element Exchange sort: the internal nodes test b<a, c<b, c<a and a<b; the six leaves are the orderings c,b,a  b,c,a  b,a,c  c,a,b  a,c,b  a,b,c)

Decision Trees
- So what does this tell us?
- Note that there are 6 leaves in each of the examples given (each N=3)
- In general there will be N! leaves in a decision tree, corresponding to the N! permutations of the array
- The number of comparisons (work) is equal to the depth of the tree (from root to leaf)
- Worst case behavior is the path from the root to the deepest leaf

Decision Trees
- Thus, to get a lower bound on the worst case behavior we need to find the shortest tree possible that can still hold N! leaves
  - No comparison-based sort could do better
- A tree of depth d can hold 2^d leaves
- So, what is the minimal d where 2^d >= N! ?
  - Solving for d we get d >= log2(N!)
  - The minimal depth must be at least log2(N!)

Decision Trees
- According to Lemma 7.4 (p. 291):
  log2(N!) >= n log2(n) - 1.45n
- Putting that together with the previous result
  - d must be at least as great as (n log2(n) - 1.45n)
- Applying Big-O
  - d must be at least O(n log2(n))
- No comparison-based sorting algorithm can have a running time better than O(n log2(n))

Decision Trees for other problems?
- Unfortunately, this is a lot of work and the technique only applies directly to comparison-based sorts
- What if the problem is Traveling Salesperson?
  - The book has only shown exponential time (or worse) algorithms for this problem
- What if your boss wants a faster implementation?
  - Do you try and find one? Do you try and prove one doesn't exist?

Polynomial-Time Algorithms
- A polynomial-time algorithm is one whose worst-case running time is bounded above by a polynomial function
- Poly-time examples: 2n, 3n, n^5, n log(n), n^100000
- Non-poly-time examples: 2^n, 2^(0.000001n), n!
- Poly-time is important because for large problem sizes, all non-poly-time algorithms will take forever to execute

Intractability
- In Computer Science, a problem is called intractable if it is impossible to solve it with a polynomial-time algorithm
- Let me stress that intractability is a property of the problem, not just of any one algorithm to solve the problem
  - There can be no poly-time algorithm that solves the problem if the problem is to be considered intractable
  - And just because one non-poly-time algorithm exists for the problem does not make it intractable

Three Categories of Problems
- We can group problems into 3 categories:
  - Problems for which poly-time algorithms have been found
  - Problems that have been proven to be intractable
    - Proven that no poly-time algorithms exist
  - Problems that have not been proven to be intractable, but for which poly-time algorithms have never been found
    - No one has found a poly-time algorithm, but no one has proven that one doesn't exist either
- The interesting thing is that tons of problems fall into the 3rd category and almost none into the second

Poly-time Category
- Any problem for which we have found a poly-time algorithm
  - Sorting, searching, matrix multiplication, chained matrix multiplication, shortest paths, minimal spanning tree, etc.

Intractable Category
- Two types of problems
  - Those that require a non-polynomial amount of output
    - Determining all Hamiltonian Circuits
    - (n-1)! circuits in the worst case
  - Those that produce a reasonable amount of output, but the processing time is just too long
    - These are called undecidable problems
    - Very few of these, but one classic is the Halting Problem
    - Takes as input any algorithm and any input and will tell you if the algorithm halts when run on the input

Unknown Category
- Many problems belong in this category
  - 0-1 Knapsack, Traveling Salesperson, m-coloring, Hamiltonian Circuits, etc.
  - In general, any problem that we had to solve using backtracking or bounded backtracking falls into this category

The Theory of NP
- In the following slides we will show a close and interesting relationship among many of the problems in the Unknown Category
- It will be more convenient to develop this theory restricting ourselves to decision problems
  - Problems that have a yes/no answer
  - We can always convert non-decision problems into decision problems
    - In 0/1 Knapsack, instead of just asking for the optimal profit, we can instead ask if the optimal profit exceeds some number
    - In graph coloring, instead of just asking for the minimal number of colors, we can instead ask if the minimal number is less than m

The Set P
- The set P is the set of all decision problems that can be solved by polynomial-time algorithms
- What problems are in P?
  - Obviously all the ones we have found poly-time solutions for (sorting, etc)
  - What about problems like Traveling Salesperson?

The Set NP
- The set NP is the set of all decision problems that can be solved by a polynomial-time non-deterministic algorithm
- A poly-time non-deterministic algorithm is an algorithm that is broken into 2 stages:
  - Guessing (non-deterministic) stage
  - Verification (deterministic) stage
- Where the verification stage can be accomplished in poly-time

Non-deterministic Algorithms
- For Traveling Salesperson:
  - The guessing stage simply guesses possible tours
  - The verification stage takes a tour from the guessing stage and decides yes/no
    - is it a tour that has a total weight of no greater than x?
  - Obviously, this verification stage can be written in poly-time
- Note, however, that the guessing stage may or may not be done in poly-time
- Note that the purpose of this type of algorithm is for theory and classification; there are usually much better ways to actually implement the algorithm

NP
- There are thousands of problems that have been proven to be in NP
- Further note that all problems in P are also in NP
  - The guessing stage can do anything it wants
  - The verification stage can just run the algorithm
- The only problems proven to not be in NP are the intractable ones
  - And there are only a few of these

P and NP
- Here is the way the picture of the sets is usually drawn (figure not reproduced in this text)
- That is, we know that P is a subset of NP
- However, we don't know if it is a proper subset

P and NP
- That is, no one has ever proven that there exists a problem in NP that is not in P
- So, NP - P could be an empty set
  - If it is then we say that P = NP
- The question of whether P = NP is one of the more intriguing and important questions in all of Computer Science

P = NP?
- To prove that P ≠ NP we would have to find a single problem in NP that is not in P
- To prove P = NP we would have to find a poly-time algorithm for each problem in NP
  - This route sounds much harder, but over the next few slides we will show a way to simplify this proof
- If you prove either you get an A in the class, not to mention famous
  - And if you prove P = NP then you also become rich!

NP-Complete Problems
- Over the next few slides we develop the background for a new set called NP-Complete
- This set will help us in attempting to prove that P = NP

Reducibility
- If there exists a poly-time transformation algorithm from decision problem A to decision problem B, then we say A is poly-time reducible to B (or A reduces to B)
  A ∝ B
- Further, if B is in set P and A ∝ B then A is also in set P

NP-Complete Problems
- A problem B is called NP-Complete if
  - It is in NP and
  - For every other problem A in NP, A ∝ B
- By the previous theorem, if we could show that any NP-complete problem is in P then we could conclude that P = NP
- So, Cook basically proved that CNF-Satisfiability is NP-complete
  - Cook did not reduce all other NP problems to CNF-Satisfiability; instead he did it by exploiting common properties of all NP problems

NP-Complete Problems
- Now we can use transitivity to get:
  - A problem C is NP-complete if:
    - It is in NP and
    - For some other NP-complete problem B, B ∝ C
- Researchers have spent the last 30 years creating transformations for these problems and we now have a list of hundreds of NP-complete problems
- If any of these NP-complete problems can be proven to be in P then P = NP
  - And, additionally, we also have a way to solve all the NP problems (poly-time transformations to the poly-time problem)

The State of P and NP
- All this sounds promising, but
  - Over the last 30 years no one has been able to prove that any problem from NP is not in P
  - Over the last 30 years no one has been able to prove that any problem from NP-complete is in P
- Proving either of these things would give us an answer to the open problem of P = NP?
- Most people seem to believe that P ≠ NP

NP-completeness and Cryptography
- The continuing improvement in computing hardware makes problems of larger size tractable.
- Parallel processing machines are being designed with a finite but larger number of processors running together.
  - In a GUESS program, two processors can follow the paths from a GUESS point concurrently. So with more processors it is possible to complete certain nondeterministic problems in deterministic mode in polynomial time.
- Even if an encryption algorithm uses a hard problem, the interceptor does not always have to solve it to crack the encryption.
  - There may always be a secret, easy solution. An interceptor may look for the easy solution instead of trying to solve the hard problem. This type of exposure can happen with the Merkle-Hellman Knapsack algorithm. (will talk about it later on)

NP-completeness and Cryptography
- Hard-to-solve problems are fundamental to cryptography, because the interceptor would need to work hard to break the encryption. But be aware of the fallacies:
  1. An NP-complete problem does not guarantee that there is no solution easier than exponential.
  2. Every NP-complete problem has a deterministic exponential time solution. That is, O(2^n).
  3. Continuing advances in hardware make problems of larger size tractable.
  4. The interceptor does not always have to solve the hard problem in order to crack the encryption.

Modular Arithmetic Operations
- is 'clock arithmetic'
- uses a finite number of values, and loops back from either end
- modular arithmetic is when we do addition & multiplication and then modulo-reduce the answer
- can do the reduction at any point, ie
  (a + b) mod n = [(a mod n) + (b mod n)] mod n

Modular Arithmetic
- can do modular arithmetic with any group of integers: Z_n = {0, 1, ..., n-1}
- form a commutative ring for addition with a multiplicative identity
- note some peculiarities
  - if (a+b) = (a+c) mod n then b = c mod n
  - but if (a.b) = (a.c) mod n then b = c mod n only if a is relatively prime to n

Modulo 8 Addition Example
  +  0 1 2 3 4 5 6 7
  0  0 1 2 3 4 5 6 7
  1  1 2 3 4 5 6 7 0
  2  2 3 4 5 6 7 0 1
  3  3 4 5 6 7 0 1 2
  4  4 5 6 7 0 1 2 3
  5  5 6 7 0 1 2 3 4
  6  6 7 0 1 2 3 4 5
  7  7 0 1 2 3 4 5 6

Greatest Common Divisor (GCD)
- a common problem in number theory
- GCD(a,b) of a and b is the largest number that divides evenly into both a and b
  - eg GCD(60,24) = 12
- often want no common factors (except 1) and hence numbers are relatively prime
  - eg GCD(8,15) = 1 hence 8 & 15 are relatively prime

Euclidean Algorithm
- an efficient way to find the GCD(a,b)
- uses the theorem that:
  GCD(a,b) = GCD(b, a mod b)
- Euclidean Algorithm to compute GCD(a,b) is:
  EUCLID(a,b)
  1. A = a; B = b
  2. if B = 0 return A = gcd(a, b)
  3. R = A mod B
  4. A = B
  5. B = R
  6. goto 2

Example GCD(1970,1066)
  1970 = 1 x 1066 + 904    gcd(1066, 904)
  1066 = 1 x 904 + 162     gcd(904, 162)
  904 = 5 x 162 + 94       gcd(162, 94)
  162 = 1 x 94 + 68        gcd(94, 68)
  94 = 1 x 68 + 26         gcd(68, 26)
  68 = 2 x 26 + 16         gcd(26, 16)
  26 = 1 x 16 + 10         gcd(16, 10)
  16 = 1 x 10 + 6          gcd(10, 6)
  10 = 1 x 6 + 4           gcd(6, 4)
  6 = 1 x 4 + 2            gcd(4, 2)
  4 = 2 x 2 + 0            gcd(2, 0)
  hence gcd(1970, 1066) = 2

Finding Inverses
  EXTENDED EUCLID(m, b)
  1. (A1, A2, A3) = (1, 0, m); (B1, B2, B3) = (0, 1, b)
  2. if B3 = 0 return A3 = gcd(m, b); no inverse
  3. if B3 = 1 return B3 = gcd(m, b); B2 = b^-1 mod m
  4. Q = A3 div B3
  5. (T1, T2, T3) = (A1 - Q B1, A2 - Q B2, A3 - Q B3)
  6. (A1, A2, A3) = (B1, B2, B3)
  7. (B1, B2, B3) = (T1, T2, T3)
  8. goto 2

Inverse of 550 in GF(1759)
   Q     A1     A2     A3     B1     B2     B3
   -      1      0   1759      0      1    550
   3      0      1    550      1     -3    109
   5      1     -3    109     -5     16      5
  21     -5     16      5    106   -339      4
   1    106   -339      4   -111    355      1
  B3 = 1, so 550^-1 mod 1759 = B2 = 355 (check: 550 x 355 = 111 x 1759 + 1)

Polynomial Arithmetic
- can compute using polynomials
  f(x) = a_n x^n + a_{n-1} x^{n-1} + ... + a_1 x + a_0 = sum_{i=0}^{n} a_i x^i
- nb. not interested in any specific value of x, which is known as the indeterminate
- several alternatives available
  - ordinary polynomial arithmetic
  - poly arithmetic with coefficients mod p
  - poly arithmetic with coefficients mod p and polynomials mod m(x)

Ordinary Polynomial Arithmetic
- add or subtract corresponding coefficients
- multiply all terms by each other
- eg
  let f(x) = x^3 + x^2 + 2 and g(x) = x^2 - x + 1
  f(x) + g(x) = x^3 + 2x^2 - x + 3
  f(x) - g(x) = x^3 + x + 1
  f(x) x g(x) = x^5 + 3x^2 - 2x + 2

Polynomial Arithmetic with Modulo Coefficients
- when computing the value of each coefficient do the calculation modulo some value
  - forms a polynomial ring
- could be modulo any prime, but we are most interested in mod 2
  - ie all coefficients are 0 or 1
  - eg. let f(x) = x^3 + x^2 and g(x) = x^2 + x + 1
    f(x) + g(x) = x^3 + x + 1
    f(x) x g(x) = x^5 + x^2

Polynomial Division
- can write any polynomial in the form:
  f(x) = q(x) g(x) + r(x)
  - can interpret r(x) as being a remainder
  - r(x) = f(x) mod g(x)
- if there is no remainder say g(x) divides f(x)
- if g(x) has no divisors other than itself & 1 say it is irreducible (or prime)
- polynomial arithmetic modulo an irreducible polynomial forms a field

Polynomial GCD
- can find the greatest common divisor for polys
  - c(x) = GCD(a(x), b(x)) if c(x) is the poly of greatest degree which divides both a(x), b(x)
- can adapt Euclid's Algorithm to find it:
  EUCLID[a(x), b(x)]
  1. A(x) = a(x); B(x) = b(x)
  2. if B(x) = 0 return A(x) = gcd[a(x), b(x)]
  3. R(x) = A(x) mod B(x)
  4. A(x) = B(x)
  5. B(x) = R(x)
  6. goto 2

Modular Polynomial Arithmetic
- can compute in the field GF(2^n)
  - polynomials with coefficients modulo 2
  - whose degree is less than n
  - hence must reduce modulo an irreducible poly of degree n (for multiplication only)
- form a finite field
- can always find an inverse
  - can extend Euclid's Inverse algorithm to find it
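An added example (not the slides' code) covering the polynomial slides above: polynomials over GF(2) held as Python integers, with the addition, multiplication, division, GCD, irreducibility check and extended-Euclid inverse the slides describe. The reduction polynomial used in the demonstration, x^8 + x^4 + x^3 + x + 1 (0x11B), is the GF(2^8) modulus AES uses; that choice is mine, not the slides'.

```python
# Added example: arithmetic in GF(2)[x] and GF(2^n) (not code from the original slides).
# A polynomial is an int: bit i is the coefficient of x^i, e.g. 0b1011 = x^3 + x + 1.


def poly_degree(a: int) -> int:
    return a.bit_length() - 1          # degree of the zero polynomial is -1


def poly_str(a: int) -> str:
    if a == 0:
        return "0"
    terms = []
    for i in range(poly_degree(a), -1, -1):
        if (a >> i) & 1:
            terms.append("1" if i == 0 else "x" if i == 1 else f"x^{i}")
    return " + ".join(terms)


def poly_add(a: int, b: int) -> int:
    """Coefficients add mod 2, which is XOR; subtraction is the same operation."""
    return a ^ b


def poly_mul(a: int, b: int) -> int:
    """Ordinary product in GF(2)[x] (no reduction)."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a <<= 1
        b >>= 1
    return result


def poly_divmod(a: int, b: int):
    """Long division a = q*b + r with deg r < deg b, as on the division slide."""
    if b == 0:
        raise ZeroDivisionError("division by the zero polynomial")
    q, r, db = 0, a, poly_degree(b)
    while r and poly_degree(r) >= db:
        shift = poly_degree(r) - db
        q ^= 1 << shift
        r ^= b << shift
    return q, r


def poly_mod(a: int, m: int) -> int:
    return poly_divmod(a, m)[1]


def poly_gcd(a: int, b: int) -> int:
    """Euclid's algorithm lifted to polynomials."""
    while b:
        a, b = b, poly_mod(a, b)
    return a


def is_irreducible(m: int) -> bool:
    """Brute force (fine for small degree): no divisor of degree 1 .. deg(m)/2."""
    n = poly_degree(m)
    for d in range(1, n // 2 + 1):
        for cand in range(1 << d, 1 << (d + 1)):   # every polynomial of degree d
            if poly_mod(m, cand) == 0:
                return False
    return n >= 1


def gf_mul(a: int, b: int, m: int) -> int:
    """Multiplication in GF(2^n): multiply, then reduce modulo the irreducible m(x)."""
    return poly_mod(poly_mul(a, b), m)


def gf_inverse(a: int, m: int) -> int:
    """Extended Euclid in GF(2)[x]: returns u with a*u = 1 (mod m).
    Invariant: A1*a = A3 and B1*a = B3 (mod m), mirroring the integer version."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse")
    A1, A3, B1, B3 = 0, m, 1, a
    while B3 != 1:
        if B3 == 0:
            raise ValueError("no inverse: is m(x) really irreducible?")
        q, _ = poly_divmod(A3, B3)
        A1, A3, B1, B3 = B1, B3, A1 ^ poly_mul(q, B1), A3 ^ poly_mul(q, B3)
    return poly_mod(B1, m)


AES_POLY = 0x11B   # x^8 + x^4 + x^3 + x + 1, the GF(2^8) modulus used by AES (my choice)

if __name__ == "__main__":
    print(poly_str(poly_add(0b1100, 0b111)))       # (x^3+x^2) + (x^2+x+1) = x^3 + x + 1
    print(poly_str(poly_mul(0b1100, 0b111)))       # x^5 + x^2
    print(hex(gf_inverse(0x53, AES_POLY)))          # 0xca
```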

Prime Numbers
- prime numbers only have divisors of 1 and self
  - they cannot be written as a product of other numbers
  - note: 1 is prime, but is generally not of interest
- eg. 2,3,5,7 are prime, 4,6,8,9,10 are not
- prime numbers are central to number theory
- list of prime numbers less than 200 is:
  2 3 5 7 11 13 17 19 23 29 31 37 41 43 47 53 59 61 67 71 73 79 83 89 97 101 103 107 109 113 127 131 137 139 149 151 157 163 167 173 179 181 191 193 197 199

Prime Factorisation
- to factor a number n is to write it as a product of other numbers: n = a x b x c
- note that factoring a number is relatively hard compared to multiplying the factors together to generate the number
- the prime factorisation of a number n is when it is written as a product of primes
  - eg. 91 = 7 x 13 ; 3600 = 2^4 x 3^2 x 5^2

Relatively Prime Numbers & GCD
- two numbers a, b are relatively prime if they have no common divisors apart from 1
  - eg. 8 & 15 are relatively prime since the factors of 8 are 1,2,4,8 and of 15 are 1,3,5,15 and 1 is the only common factor
- conversely can determine the greatest common divisor by comparing their prime factorizations and using the least powers
  - eg. 300 = 2^2 x 3^1 x 5^2, 18 = 2^1 x 3^2, hence GCD(18,300) = 2^1 x 3^1 x 5^0 = 6

Fermat's Theorem
- a^(p-1) = 1 (mod p)
  - where p is prime and gcd(a,p) = 1
- also known as Fermat's Little Theorem
- also a^p = a (mod p)
- useful in public key and primality testing

Primality Testing
- often need to find large prime numbers
- traditionally sieve using trial division
  - ie. divide by all numbers (primes) in turn less than the square root of the number
  - only works for small numbers
- alternatively can use statistical primality tests based on properties of primes
  - for which all prime numbers satisfy the property
  - but some composite numbers, called pseudo-primes, also satisfy the property
- can use a slower deterministic primality test

Miller Rabin Algorithm
- a test based on Fermat's Theorem
- algorithm is:
  TEST (n) is:
  1. Find integers k, q, k > 0, q odd, so that (n-1) = 2^k q
  2. Select a random integer a, 1 < a < n-1
  3. if a^q mod n = 1 then return ("maybe prime");
  4. for j = 0 to k-1 do
  5.    if (a^(2^j q) mod n = n-1) then return ("maybe prime")
  6. return ("composite")

Probabilistic Considerations
- if Miller-Rabin returns "composite" the number is definitely not prime
- otherwise it is a prime or a pseudo-prime
- chance it detects a pseudo-prime is < 1/4
- hence if we repeat the test with different random a then the chance n is prime after t tests is:
  Pr(n prime after t tests) = 1 - 4^(-t)
  eg. for t=10 this probability is > 0.99999
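An added example (my own code, not the slides') of TEST(n) above and of repeating it t times as the probabilistic slide describes; it also shows a Carmichael number (561) passing the plain Fermat check but failing Miller-Rabin, which is why the stronger test is used.

```python
# Added example: Miller-Rabin TEST(n) from the slides, repeated t times (my own code).
import secrets


def miller_rabin_test(n: int, a: int) -> str:
    """One round of TEST(n) with witness a (1 < a < n-1) for odd n > 3.
    Returns "maybe prime" or "composite", like the slide's pseudocode."""
    # step 1: n-1 = 2^k * q with q odd
    k, q = 0, n - 1
    while q % 2 == 0:
        k += 1
        q //= 2
    # step 3: a^q mod n = 1 ?
    x = pow(a, q, n)
    if x == 1:
        return "maybe prime"
    # steps 4-5: a^(2^j q) mod n = n-1 for some j in 0..k-1 ?  (x is squared each round)
    for _ in range(k):
        if x == n - 1:
            return "maybe prime"
        x = (x * x) % n
    return "composite"


def is_probably_prime(n: int, t: int = 10) -> bool:
    """Repeat with t independent random a; error probability < 4^-t per the slides."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    for _ in range(t):
        a = 2 + secrets.randbelow(n - 3)      # uniform in [2, n-2]
        if miller_rabin_test(n, a) == "composite":
            return False
    return True


def fermat_passes(n: int, a: int) -> bool:
    """Plain Fermat check a^(n-1) = 1 (mod n); Carmichael numbers fool this."""
    return pow(a, n - 1, n) == 1


def random_prime(bits: int) -> int:
    """Test odd candidates of exactly `bits` bits until one passes
    (about 0.5 ln n tries on average, per the prime distribution slide)."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probably_prime(cand):
            return cand


if __name__ == "__main__":
    print(is_probably_prime(1759), is_probably_prime(187))     # True False
    print(fermat_passes(561, 2), miller_rabin_test(561, 2))     # True composite
    print(random_prime(64))
```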

Prime Distribution
- the prime number theorem states that primes occur roughly every (ln n) integers
- but can immediately ignore evens
- so in practice need only test 0.5 ln(n) numbers of size n to locate a prime
  - note this is only the average
  - sometimes primes are close together, other times they are quite far apart

Random Numbers
- many uses of random numbers in cryptography
  - nonces in authentication protocols to prevent replay
  - session keys
  - public key generation
  - keystream for a one-time pad
- in all cases it is critical that these values be
  - statistically random, uniform distribution, independent
  - unpredictable: future values cannot be derived from previous values

Pseudorandom Number Generators (PRNGs)
- often use deterministic algorithmic techniques to create random numbers
  - although not truly random
  - can pass many tests of randomness
- known as pseudorandom numbers
- created by Pseudorandom Number Generators (PRNGs)

Linear Congruential Generator
- common iterative technique using:
  X_{n+1} = (a X_n + c) mod m
- given suitable values of the parameters can produce a long random-like sequence
- suitable criteria to have are:
  - function generates a full-period
  - generated sequence should appear random
  - efficient implementation with 32-bit arithmetic
- note that an attacker can reconstruct the sequence given a small number of values
- have possibilities for making this harder

Using Block Ciphers as PRNGs
- for cryptographic applications, can use a block cipher to generate random numbers
- often for creating session keys from a master key
- Counter Mode
  X_i = E_Km[i]
- Output Feedback Mode
  X_i = E_Km[X_{i-1}]

ANSI X9.17 PRG
(figure not reproduced in this text)

Blum Blum Shub Generator
- based on public key algorithms
- use the least significant bit from the iterative equation:
  x_i = (x_{i-1})^2 mod n
  where n = p.q, and primes p, q = 3 mod 4
- unpredictable, passes the next-bit test
- security rests on the difficulty of factoring N
- is unpredictable given any run of bits
- slow, since very large numbers must be used
- too slow for cipher use, good for key generation
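An added example (my own code, not the slides') for the LCG and Blum Blum Shub slides above: the LCG recurrence with a brute-force full-period check, and the BBS bit generator with the p, q = 3 (mod 4) condition enforced. The toy moduli in the demo are mine.

```python
# Added example (my own code, not the slides'): the LCG recurrence from the LCG slide
# and the Blum Blum Shub generator, with a brute-force full-period check.


def lcg(seed: int, a: int, c: int, m: int, count: int) -> list:
    """X_{n+1} = (a X_n + c) mod m, returning the next `count` outputs."""
    out, x = [], seed
    for _ in range(count):
        x = (a * x + c) % m
        out.append(x)
    return out


def lcg_has_full_period(a: int, c: int, m: int) -> bool:
    """Full period means every residue 0..m-1 appears before the sequence repeats."""
    return len(set(lcg(0, a, c, m, m))) == m


def lcg_continuation(last_output: int, a: int, c: int, m: int, count: int) -> list:
    """With the parameters public, one observed output fixes every later one:
    the predictability weakness the LCG slide warns about."""
    return lcg(last_output, a, c, m, count)


def bbs_bits(p: int, q: int, seed: int, count: int) -> list:
    """Blum Blum Shub: x_i = x_{i-1}^2 mod n, emit the least significant bit.
    p and q must be primes with p = q = 3 (mod 4) so that squaring permutes the
    quadratic residues mod n."""
    if p % 4 != 3 or q % 4 != 3:
        raise ValueError("p and q must be congruent to 3 mod 4")
    n = p * q
    if seed % p == 0 or seed % q == 0:
        raise ValueError("seed must be relatively prime to n")
    x = (seed * seed) % n                     # x_0 = s^2 mod n
    bits = []
    for _ in range(count):
        x = (x * x) % n
        bits.append(x & 1)
    return bits


if __name__ == "__main__":
    print(lcg_has_full_period(5, 3, 16), lcg_has_full_period(7, 3, 16))   # True False
    print(bbs_bits(7, 11, 3, 5))    # toy primes 7 and 11 (both 3 mod 4): [0, 0, 1, 1, 0]
```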

Natural Random Noise
- best source is natural randomness in the real world
- find a regular but random event and monitor it
- do generally need special h/w to do this
  - eg. radiation counters, radio noise, audio noise, thermal noise in diodes, leaky capacitors, mercury discharge tubes etc
- starting to see such h/w in new CPUs
- problems of bias or uneven distribution in the signal
  - have to compensate for this when sampled and used
  - best to only use a few noisiest bits from each sample

Public Key Encryption Systems

Private-Key Cryptography
- Traditional private/secret/single key cryptography uses one key
- Shared by both sender and receiver
- If this key is disclosed communications are compromised
- Also in symmetric, parties are equal
- Hence does not protect the sender from the receiver forging a message & claiming it was sent by the sender

Public-Key Cryptography
- Probably the most significant advance in the 3000 year history of cryptography
- Uses two keys: a public & a private key
- Asymmetric since parties are not equal
- Uses a clever application of number theoretic concepts to function
- Complements rather than replaces private key crypto

Why Public-Key Cryptography?
- Developed to address two key issues:
  - Key distribution: how to have secure communications in general without having to trust a KDC with your key
  - Digital signatures: how to verify a message comes intact from the claimed sender
- Public invention due to Whitfield Diffie & Martin Hellman at Stanford Uni in 1976
  - known earlier in the classified community

Public-Key Cryptography
- Public-key/Two-key/Asymmetric cryptography involves the use of two keys:
  - A public-key, which may be known by anybody, and can be used to encrypt messages, and verify signatures
  - A private-key, known only to the recipient, used to decrypt messages, and sign (create) signatures
- Is asymmetric because
  - those who encrypt messages or verify signatures cannot decrypt messages or create signatures

Public-Key Cryptography
(figure not reproduced in this text)

Public-Key Characteristics
- Public-Key algorithms rely on two keys where:
  - It is computationally infeasible to find the decryption key knowing only the algorithm & encryption key
  - It is computationally easy to en/decrypt messages when the relevant (en/decrypt) key is known
  - Either of the two related keys can be used for encryption, with the other used for decryption (for some algorithms)

Public-Key Cryptosystems
(figure not reproduced in this text)

Public-Key Applications
- Can classify uses into 3 categories:
  - Encryption/Decryption (provide secrecy)
  - Digital signatures (provide authentication)
  - Key exchange (of session keys)
- Some algorithms are suitable for all uses, others are specific to one

RSA ALGORITHM
Rivest, Shamir & Adleman Algorithm

RSA
- By Rivest, Shamir & Adleman of MIT in 1977
- Best known & widely used public-key scheme
- Based on exponentiation in a finite (Galois) field over integers modulo a prime
  - Exponentiation takes O((log n)^3) operations (easy)
- Uses large integers (eg. 1024 bits)
- Security due to the cost of factoring large numbers
  - Factorization takes O(e^(log n log log n)) operations (hard)

RSA Key Setup
- Each user generates a public/private key pair by:
- Selecting two large primes at random: p, q
- Computing their system modulus n = p.q
  - note φ(n) = (p-1)(q-1)
- Selecting at random the encryption key e
  - where 1 < e < φ(n), gcd(e, φ(n)) = 1
- Solve the following equation to find the decryption key d
  - e.d = 1 mod φ(n) and 0 ≤ d ≤ n
- Publish their public encryption key: PU = {e, n}
- Keep secret their private decryption key: PR = {d, n}

RSA Use
- To encrypt a message M the sender:
  - obtains the public key of the recipient PU = {e, n}
  - computes: C = M^e mod n, where 0 ≤ M < n
- To decrypt the ciphertext C the owner:
  - uses their private key PR = {d, n}
  - computes: M = C^d mod n
- Note that the message M must be smaller than the modulus n (block if needed)

How RSA Works
- Because of Euler's Theorem:
  a^φ(n) mod n = 1 where gcd(a, n) = 1
- In RSA have:
  - n = p.q
  - φ(n) = (p-1)(q-1)
  - carefully chose e & d to be inverses mod φ(n)
  - hence e.d = 1 + k.φ(n) for some k
- Hence:
  C^d = M^(e.d) = M^(1 + k.φ(n)) = M^1 . (M^φ(n))^k = M^1 . (1)^k = M^1 = M mod n

RSA Example - Key Setup
1. Select primes: p = 17 & q = 11
2. Compute n = pq = 17 x 11 = 187
3. Compute φ(n) = (p-1)(q-1) = 16 x 10 = 160
4. Select e: gcd(e, 160) = 1; choose e = 7
5. Determine d: d.e = 1 mod 160 and d < 160
   Value is d = 23 since 23 x 7 = 161 = 10 x 160 + 1
6. Publish public key PU = {7, 187}
7. Keep secret private key PR = {23, 187}

RSA Example En/Decryption
- sample RSA encryption/decryption is:
- given message M = 88 (nb. 88 < 187)
- encryption:
  C = 88^7 mod 187 = 11
- decryption:
  M = 11^23 mod 187 = 88

Exponentiation
- Can use the Square and Multiply Algorithm
- A fast, efficient algorithm for exponentiation
- Concept is based on repeatedly squaring the base
- And multiplying in the ones that are needed to compute the result
- Look at the binary representation of the exponent
- Only takes O(log2 n) multiplies for number n
  - eg. 7^5 = 7^4 . 7^1 = 3 . 7 = 10 mod 11
  - eg. 3^129 = 3^128 . 3^1 = 5 . 3 = 4 mod 11

Exponentiation
  // computes f = a^b mod n, where b has binary digits b_k ... b_0;
  // c accumulates the part of the exponent processed so far
  c = 0; f = 1
  for i = k downto 0 do
      c = 2 x c
      f = (f x f) mod n
      if b_i == 1 then
          c = c + 1
          f = (f x a) mod n
  return f

Efficient Encryption
- Encryption uses exponentiation to the power e
- Hence if e is small, this will be faster
  - often choose e = 65537 (2^16 + 1)
  - also see choices of e = 3 or e = 17
- But if e is too small (eg e = 3) can attack
  - using the Chinese remainder theorem & 3 messages with different moduli
- If e is fixed must ensure gcd(e, φ(n)) = 1
  - ie. reject any p or q not relatively prime to e

Efficient Decryption
- Decryption uses exponentiation to the power d
  - this is likely large, insecure if not
- Can use the Chinese Remainder Theorem (CRT) to compute mod p & q separately, then combine to get the desired answer
  - approx 4 times faster than doing it directly
- Only the owner of the private key, who knows the values of p & q, can use this technique
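An added example (my own code, not the slides') tying together the RSA key setup, the worked p=17, q=11, e=7 example, the square-and-multiply pseudocode and the CRT decryption slide above. The modular inverse uses Python's built-in pow(x, -1, m) (3.8+); the CRT recombination is Garner's form, my choice.

```python
# Added example (my own code, not the slides'): RSA with the slides' toy parameters,
# square-and-multiply exactly as in the Exponentiation pseudocode, and CRT decryption.
import math


def square_and_multiply(a: int, b: int, n: int) -> int:
    """a^b mod n, scanning the bits of b from the most significant downwards.
    c tracks the part of the exponent consumed so far (as in the slide's code)."""
    c, f = 0, 1
    for i in range(b.bit_length() - 1, -1, -1):
        c = 2 * c
        f = (f * f) % n
        if (b >> i) & 1:
            c = c + 1
            f = (f * a) % n
    assert c == b                   # the whole exponent has been consumed
    return f


def rsa_keygen(p: int, q: int, e: int):
    """Key setup from the slides; returns (PU, PR) = ((e, n), (d, n))."""
    n, phi = p * q, (p - 1) * (q - 1)
    if not (1 < e < phi) or math.gcd(e, phi) != 1:
        raise ValueError("e must satisfy 1 < e < phi(n) and gcd(e, phi(n)) = 1")
    d = pow(e, -1, phi)            # e.d = 1 mod phi(n)
    return (e, n), (d, n)


def rsa_encrypt(m: int, pub) -> int:
    e, n = pub
    if not 0 <= m < n:
        raise ValueError("message block must satisfy 0 <= M < n")
    return square_and_multiply(m, e, n)


def rsa_decrypt(c: int, priv) -> int:
    d, n = priv
    return square_and_multiply(c, d, n)


def rsa_decrypt_crt(c: int, d: int, p: int, q: int) -> int:
    """Efficient decryption: exponentiate mod p and mod q separately with
    exponents reduced by Fermat, then recombine with the CRT (Garner's form).
    Only the holder of p and q can do this."""
    dp, dq = d % (p - 1), d % (q - 1)
    mp = pow(c % p, dp, p)
    mq = pow(c % q, dq, q)
    q_inv = pow(q, -1, p)
    h = (q_inv * (mp - mq)) % p
    return mq + h * q


if __name__ == "__main__":
    pub, priv = rsa_keygen(17, 11, 7)          # PU={7,187}, PR={23,187}
    c = rsa_encrypt(88, pub)                    # 11
    print(pub, priv, c, rsa_decrypt(c, priv), rsa_decrypt_crt(c, priv[0], 17, 11))
```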

RSA Key Generation
- Users of RSA must:
  - determine two primes at random: p, q
  - select either e or d and compute the other
- Primes p, q must not be easily derived from the modulus n = p.q
  - means they must be sufficiently large
  - typically guess and use a probabilistic test
- Exponents e, d are inverses, so use the Inverse algorithm to compute the other

RSA Security
- Possible approaches to attacking RSA are:
  - Brute force key search (infeasible given the size of the numbers)
  - Mathematical attacks (based on the difficulty of computing φ(n), by factoring the modulus n)
  - Timing attacks (on the running of decryption)
  - Chosen ciphertext attacks (given properties of RSA)

Factoring Problem
- Mathematical approach takes 3 forms:
  - factor n = p.q, hence compute φ(n) and then d
  - determine φ(n) directly and compute d
  - find d directly
- Currently believe all are equivalent to factoring
  - have seen slow improvements over the years
    - as of May-05 best is 200 decimal digits (663 bit) with LS
  - biggest improvement comes from improved algorithms
    - cf QS to GNFS to LS
  - currently assume 1024-2048 bit RSA is secure
    - ensure p, q of similar size and matching other constraints

Timing Attacks
- Developed by Paul Kocher in the mid-1990s
- Exploit timing variations in operations
  - eg. multiplying by a small vs large number
  - or IFs varying which instructions are executed
- Infer operand size based on time taken
- RSA exploits time taken in exponentiation
- Countermeasures
  - use constant exponentiation time
  - add random delays
  - blind values used in calculations

Chosen Ciphertext Attacks
- RSA is vulnerable (weak or helpless) to a Chosen Ciphertext Attack (CCA)
  - the attacker chooses ciphertexts & gets the decrypted plaintext back
  - chooses ciphertext to exploit properties of RSA to provide info to help cryptanalysis
- can counter with a random pad of the plaintext
- or use Optimal Asymmetric Encryption Padding (OAEP)

Digital Signature Properties
- must depend on the message signed
- must use information unique to the sender
  - to prevent both forgery and denial
- must be relatively easy to produce
- must be relatively easy to recognize & verify
- be computationally infeasible to forge
  - with a new message for an existing digital signature
  - with a fraudulent digital signature for a given message
- be practical to save the digital signature in storage

Direct Digital Signatures
- involve only the sender & receiver
- assumed the receiver has the sender's public-key
- digital signature made by the sender signing the entire message or a hash with their private-key
- can encrypt using the receiver's public-key
- important to sign first, then encrypt the message & signature
- security depends on the sender's private-key

Arbitrated Digital Signatures
- involves the use of an arbiter A
  - validates any signed message
  - then dated and sent to the recipient
- requires a suitable level of trust in the arbiter
- can be implemented with either private or public-key algorithms
- arbiter may or may not see the message

Authentication Protocols
- used to convince parties of each other's identity and to exchange session keys
- may be one-way or mutual
- key issues are
  - confidentiality: to protect session keys
  - timeliness: to prevent replay attacks
- published protocols are often found to have flaws and need to be modified

Replay Attacks
- where a valid signed message is copied and later resent
  - simple replay
  - repetition that can be logged
  - repetition that cannot be detected
  - backward replay without modification
- countermeasures include
  - use of sequence numbers (generally impractical)
  - timestamps (needs synchronized clocks)
  - challenge/response (using a unique nonce)

Using Symmetric Encryption
- as discussed previously can use a two-level hierarchy of keys
- usually with a trusted Key Distribution Center (KDC)
  - each party shares its own master key with the KDC
  - KDC generates session keys used for connections between parties
  - master keys are used to distribute these to them

Needham-Schroeder Protocol
- original third-party key distribution protocol
- for a session between A and B mediated by the KDC
- protocol overview is:
  1. A -> KDC: ID_A || ID_B || N1
  2. KDC -> A: E_Ka[Ks || ID_B || N1 || E_Kb[Ks || ID_A]]
  3. A -> B: E_Kb[Ks || ID_A]
  4. B -> A: E_Ks[N2]
  5. A -> B: E_Ks[f(N2)]

Needham-Schroeder Protocol
- used to securely distribute a new session key for communications between A & B
- but is vulnerable to a replay attack if an old session key has been compromised
  - then message 3 can be resent, convincing B that it is communicating with A
- modifications to address this require:
  - timestamps (Denning 81)
  - using an extra nonce (Neuman 93)
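An added simulation of the five-message Needham-Schroeder exchange above, written for this page rather than taken from it: the KDC, A and B run in one process, and E_K[...] is a constructed toy authenticated encryption (SHA-256 keystream plus HMAC tag) standing in for a real cipher. Taking f(N2) to be a hash of N2 and the identifiers A and B are my assumptions.

```python
# Added example: Needham-Schroeder key distribution, both sides simulated (my own code).
import hashlib
import hmac
import json
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    for i in range((length + 31) // 32):
        out += hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
    return out[:length]


def E(key: bytes, data: bytes) -> bytes:
    """Constructed toy authenticated encryption standing in for E_K[...]."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(x ^ y for x, y in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def D(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad tag: wrong key or tampered message")
    return bytes(x ^ y for x, y in zip(ct, _keystream(key, nonce, len(ct))))


def cat(*fields: bytes) -> bytes:            # the "||" concatenation, kept parseable
    return json.dumps([f.hex() for f in fields]).encode()


def split(blob: bytes) -> list:
    return [bytes.fromhex(h) for h in json.loads(blob)]


def f(nonce: bytes) -> bytes:                # agreed transform of N2 (assumption: a hash)
    return hashlib.sha256(b"NS-f" + nonce).digest()


def run_needham_schroeder(Ka: bytes = None, Kb: bytes = None) -> bool:
    """Returns True when A and B end up sharing Ks and B has authenticated A."""
    IDA, IDB = b"A", b"B"
    Ka = Ka or secrets.token_bytes(32)
    Kb = Kb or secrets.token_bytes(32)
    master = {IDA: Ka, IDB: Kb}                       # the KDC's table of master keys

    # 1. A -> KDC: ID_A || ID_B || N1
    N1 = secrets.token_bytes(16)
    msg1 = cat(IDA, IDB, N1)

    # KDC.  2. KDC -> A: E_Ka[Ks || ID_B || N1 || E_Kb[Ks || ID_A]]
    ida, idb, n1 = split(msg1)
    Ks = secrets.token_bytes(32)
    ticket = E(master[idb], cat(Ks, ida))
    msg2 = E(master[ida], cat(Ks, idb, n1, ticket))

    # A: check N1 (freshness) and ID_B (right peer).  3. A -> B: E_Kb[Ks || ID_A]
    ks_a, idb_a, n1_a, msg3 = split(D(Ka, msg2))
    if n1_a != N1 or idb_a != IDB:
        raise ValueError("reply is stale or for the wrong peer")

    # B: learns Ks and ID_A from the ticket.  Nothing here proves freshness to B,
    # which is the replay weakness discussed on the slide.  4. B -> A: E_Ks[N2]
    ks_b, ida_b = split(D(Kb, msg3))
    N2 = secrets.token_bytes(16)
    msg4 = E(ks_b, N2)

    # A.  5. A -> B: E_Ks[f(N2)]
    msg5 = E(ks_a, f(D(ks_a, msg4)))

    # B: A has shown it holds Ks
    if D(ks_b, msg5) != f(N2):
        raise ValueError("handshake failed: A did not prove knowledge of Ks")
    return ks_a == ks_b and ida_b == IDA


def wrong_key_is_rejected() -> bool:
    """A ticket sealed under Ka cannot be opened with Kb: the tag check fails."""
    Ka, Kb = secrets.token_bytes(32), secrets.token_bytes(32)
    try:
        D(Kb, E(Ka, b"not for B"))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(run_needham_schroeder(), wrong_key_is_rejected())    # True True
```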

Using Public-Key Encryption
- have a range of approaches based on the use of public-key encryption
- need to ensure we have the correct public keys for other parties
  - using a central Authentication Server (AS)
- various protocols exist using timestamps or nonces

Denning AS Protocol
- Denning 81 presented the following:
  1. A -> AS: ID_A || ID_B
  2. AS -> A: E_PRas[ID_A || PU_a || T] || E_PRas[ID_B || PU_b || T]
  3. A -> B: E_PRas[ID_A || PU_a || T] || E_PRas[ID_B || PU_b || T] || E_PUb[E_PRas[Ks || T]]
- note the session key is chosen by A, hence AS need not be trusted to protect it
- timestamps prevent replay but require synchronized clocks

One-Way Authentication
- required when sender & receiver are not in communication at the same time (eg. email)
- have the header in clear so it can be delivered by the email system
- may want the contents of the body protected & the sender authenticated

Using Symmetric Encryption

can refine the use of the KDC, but cannot have the final exchange of nonces, viz:
1. A -> KDC: IDA || IDB || N1
2. KDC -> A: EKa[Ks || IDB || N1 || EKb[Ks || IDA]]
3. A -> B: EKb[Ks || IDA] || EKs[M]

- this does not protect against replays
- could rely on a timestamp in the message, though email delays make this problematic

Public-Key Approaches

have seen some public-key approaches; if confidentiality is the major concern, can use:
  A -> B: EPUb[Ks] || EKs[M]
with an encrypted session key and an encrypted message

if authentication is needed, use a digital signature with a digital certificate:
  A -> B: M || EPRa[H(M)] || EPRas[T || IDA || PUa]
with message, signature and certificate

Digital Signature Standard (DSS)

- US Govt approved signature scheme designed by NIST & NSA in the early 90s
- proposed in 1991 and published as FIPS 186, revised in 1993, 1996 & then 2000
- uses the SHA hash algorithm
- DSS is the standard, DSA is the algorithm
- FIPS 186-2 (2000) includes alternative RSA & elliptic curve signature variants
- later revisions (FIPS 186-3, 186-4) allow larger p and q with SHA-2 hashes; FIPS 186-5 (2023) no longer approves DSA for generating new signatures, so treat DSA as legacy and prefer ECDSA or EdDSA for new designs

Digital Signature Algorithm (DSA)

- creates a 320-bit signature (two 160-bit values r and s) using a 512-1024 bit modulus p
- smaller and faster than RSA
- a digital signature scheme only (cannot be used for encryption or key exchange)
- security depends on the difficulty of computing discrete logarithms
- a variant of the ElGamal & Schnorr schemes


DSA Key Generation

have shared global public key values (p, q, g):
- choose q, a 160-bit prime
- choose a large prime p with 2^(L-1) < p < 2^L, where L = 512 to 1024 bits and a multiple of 64, and q is a prime factor of (p-1)
- choose g = h^((p-1)/q) mod p, where 1 < h < p-1 and h^((p-1)/q) mod p > 1

users choose a private key and compute a public key:
- choose x < q
- compute y = g^x mod p

DSA Signature Creation

to sign a message M the sender:
- generates a random signature key k, 0 < k < q
  nb. k must be unpredictable, destroyed after use and never reused: two signatures made with the same k reveal the private key x, and even a few biased bits of k leak x over many signatures
- then computes the signature pair:
  r = (g^k mod p) mod q
  s = (k^-1 (H(M) + x.r)) mod q
- sends signature (r, s) with message M

DSA Signature Verification

having received M & signature (r, s), the recipient first checks 0 < r < q and 0 < s < q, then computes:
  w = s^-1 mod q
  u1 = (H(M).w) mod q
  u2 = (r.w) mod q
  v = (g^u1 . y^u2 mod p) mod q

if v = r then the signature is verified

why it works: from s = k^-1 (H(M) + x.r) mod q we get k = s^-1 (H(M) + x.r) = u1 + x.u2 mod q, so g^k = g^u1 . g^(x.u2) = g^u1 . y^u2 (mod p), and reducing mod q gives v = r

Hash Algorithms


Message Authentication

message authentication is concerned with:
- protecting the integrity of a message
- validating the identity of the originator
- non-repudiation of origin (dispute resolution)

will consider the security requirements, then three alternative functions used:
- message encryption
- message authentication code (MAC)
- hash function

Security Requirements

threats to be considered in the context of communications across a network:
- disclosure
- traffic analysis
- masquerade
- content modification
- sequence modification
- timing modification
- source repudiation
- destination repudiation

Message Encryption

message encryption by itself also provides a measure of authentication; if symmetric encryption is used then:
- the receiver knows the sender must have created it, since only sender and receiver know the key used
- knows the content cannot have been altered, provided the message has suitable structure, redundancy or a checksum to detect any changes (plain encryption alone does not detect modification: a CBC or CTR ciphertext can be altered so that it still decrypts)

Message Encryption

if public-key encryption is used:
- encryption provides no confidence of sender, since anyone potentially knows the public key
- however if the sender signs the message using their private key, then encrypts with the recipient's public key, have both secrecy and authentication
- again need to recognize corrupted messages
- but at the cost of two public-key operations on the message

Message Authentication Code (MAC)

- generated by an algorithm that creates a small fixed-sized block depending on both the message and some key
- like encryption, though need not be reversible
- appended to the message as a signature
- receiver performs the same computation on the message and checks it matches the MAC
- provides assurance that the message is unaltered and comes from the sender

Message Authentication Code


Message Authentication Codes

- as shown the MAC provides authentication
- can also use encryption for secrecy
  - generally use separate keys for each
  - can compute the MAC either before or after encryption; the older textbook view (as in these notes) is that MAC-then-encrypt is better, but current practice prefers encrypt-then-MAC (or an AEAD mode such as AES-GCM) because the receiver can reject a forged ciphertext before decrypting it, which closes padding-oracle style attacks

Why use a MAC?
- sometimes only authentication is needed
- sometimes need authentication to persist longer than the encryption (eg. archival use)

note that a MAC is not a digital signature: both parties hold the key, so a MAC cannot prove to a third party which of them created the message

MAC Properties

a MAC is a cryptographic checksum:
  MAC = CK(M)
condenses a variable-length message M using a secret key K to a fixed-sized authenticator

is a many-to-one function:
- potentially many messages have the same MAC
- but finding these needs to be very difficult

Requirements for MACs

taking into account the types of attacks, need the MAC to satisfy the following:
1. knowing a message and its MAC, it is infeasible to find another message with the same MAC
2. MACs should be uniformly distributed
3. the MAC should depend equally on all bits of the message

Hash Functions

- condenses an arbitrary message to a fixed size
  h = H(M)
- usually assume that the hash function is public and not keyed (cf. MAC which is keyed)
- hash used to detect changes to the message
- can use in various ways with the message
- most often to create a digital signature

Hash Functions & Digital Signatures


Requirements for Hash Functions

1. can be applied to any sized message M
2. produces fixed-length output h
3. is easy to compute h = H(M) for any message M
4. given h it is infeasible to find x s.t. H(x) = h (one-way / preimage resistance)
5. given x it is infeasible to find y != x s.t. H(y) = H(x) (weak collision resistance / second-preimage resistance)
6. it is infeasible to find any pair x, y with x != y s.t. H(y) = H(x) (strong collision resistance)

Simple Hash Functions

- there are several proposals for simple functions based on the XOR of message blocks
- not secure, since an attacker can manipulate any message and either leave the hash unchanged or change the hash to match
- need a stronger cryptographic function (next chapter)

Birthday Attacks

- might think a 64-bit hash is secure, but by the Birthday Paradox it is not
- the birthday attack works thus:
  - opponent generates 2^(m/2) variations of a valid message, all with essentially the same meaning
  - opponent also generates 2^(m/2) variations of a desired fraudulent message
  - the two sets of messages are compared to find a pair with the same hash (probability > 0.5 by the birthday paradox)
  - have the user sign the valid message, then substitute the forgery, which will have a valid signature
- conclusion is that need to use a larger MAC/hash
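The attack just described, run against a hash truncated to m = 32 bits so that it finishes in seconds, as an added example that is not part of the lecture notes. Two sample contract texts are constructed for the demo; SHA-256 truncated to its leftmost m bits stands in for a weak m-bit hash, and the equivalent-meaning variants are made with the classic trick of putting one or two spaces between words, which gives 2^(w-1) indistinguishable versions of a w-word message.

```python
import hashlib

def short_hash(msg: bytes, bits: int) -> int:
    """SHA-256 truncated to its leftmost `bits` bits: a stand-in for an m-bit hash."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") >> (256 - bits)

def variants(text: str, limit: int):
    """Yield up to `limit` versions of text that read identically: each gap between
    words is either one or two spaces, so a w-word message has 2^(w-1) variants."""
    words = text.split()
    for i in range(min(limit, 1 << (len(words) - 1))):
        out = words[0]
        for j, w in enumerate(words[1:]):
            out += ("  " if (i >> j) & 1 else " ") + w
        yield out

def birthday_collision(valid: str, fraud: str, bits: int):
    """Hash 2^(m/2) valid variants into a table, then try fraudulent variants until one
    hits the table.  Returns (valid_variant, fraud_variant, fraud_tries) or None.
    Expected work is about 2^(m/2) on each side, not 2^m."""
    pool = 1 << (bits // 2)
    table = {short_hash(v.encode(), bits): v for v in variants(valid, pool)}
    for tries, fv in enumerate(variants(fraud, 1 << 30), start=1):
        h = short_hash(fv.encode(), bits)
        if h in table:
            return table[h], fv, tries
    return None

# Constructed sample messages: the victim is happy to sign the first; the forger wants the second.
VALID = ("I, Alice, agree to sell my car to Bob for the sum of ten thousand dollars, "
         "payment due in full within thirty days of the date of this letter")
FRAUD = ("I, Alice, agree to give my house to Bob as a gift, free of any charge, "
         "with immediate effect and no further conditions of any kind whatsoever")
```

Run birthday_collision(VALID, FRAUD, 32): it needs about 2^16 table entries and about 2^16 further trials. Doubling m to 64 bits raises that to 2^32 on each side, which is why the slide calls a 64-bit hash insecure, and why a 256-bit hash (2^128 work) is the practical baseline.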

Block Ciphers as Hash Functions

- can use block ciphers as hash functions
  - using H0 = 0 and zero-padding of the final block, compute: Hi = EMi[Hi-1]
  - and use the final block as the hash value
  - similar to CBC but without a key (each message block acts as the key)
- the resulting hash is too small (64-bit) for 64-bit block ciphers, both due to the direct birthday attack and to a meet-in-the-middle attack
- other variants are also susceptible to attack

Hash Functions & MAC Security

- like block ciphers, have brute-force attacks exploiting:
  - strong collision resistance: a hash of m bits costs about 2^(m/2) work to break by the birthday attack
  - a hardware MD5 cracker was proposed; at the time of these notes a 128-bit hash looked vulnerable and 160 bits better
  - today MD5 and SHA-1 both have practical collision attacks, so a 256-bit hash (SHA-256 or better) is the baseline
- MACs with known message-MAC pairs:
  - can either attack the keyspace (cf. key search) or the MAC
  - at least a 128-bit MAC is needed for security

Hash Functions & MAC Security

- cryptanalytic attacks exploit structure
  - like block ciphers, want brute-force attacks to be the best alternative
- have a number of analytic attacks on iterated hash functions
  - CVi = f[CVi-1, Mi]; H(M) = CVN
  - typically focus on collisions in the function f
  - like block ciphers it is often composed of rounds
  - attacks exploit properties of the round functions

Hash and MAC Algorithms

Hash Functions
- condense an arbitrary-size message to a fixed size by processing the message in blocks through some compression function, either custom or block-cipher based

Message Authentication Code (MAC)
- a fixed-sized authenticator for some message, to provide authentication for the message, built using a block cipher mode or a hash function

Hash Algorithm Structure


Secure Hash Algorithm

- SHA originally designed by NIST & NSA in 1993, was revised in 1995 as SHA-1
- US standard for use with the DSA signature scheme
  - the standard is FIPS 180-1 (1995), also Internet RFC 3174
  - nb. the algorithm is SHA, the standard is SHS
- based on the design of MD4 with key differences
- produces 160-bit hash values
- the 2005 results of Wang, Yin and Yu on the security of SHA-1 raised concerns on its use in future applications; a practical collision was demonstrated in 2017 (SHAttered), so SHA-1 should no longer be used for signatures or certificates

Revised Secure Hash Standard

- NIST issued revision FIPS 180-2 in 2002
- adds 3 additional versions of SHA: SHA-256, SHA-384, SHA-512
- designed for compatibility with the increased security provided by the AES cipher
- structure & detail is similar to SHA-1, hence analysis should be similar, but security levels are rather higher

SHA-512 Overview


SHA-512 Compression Function

- the heart of the algorithm
- processes the message in 1024-bit blocks
- consists of 80 rounds
  - updating a 512-bit buffer
  - using a 64-bit value Wt derived from the current message block
  - and a round constant Kt taken from the fractional part of the cube root of the t-th of the first 80 prime numbers

SHA-512 Round Function


Whirlpool

- now examine the Whirlpool hash function
- endorsed by the European NESSIE project
- uses modified AES internals as its compression function, addressing the concerns on the use of block ciphers seen previously
- with performance comparable to dedicated algorithms like SHA

Whirlpool Overview


Whirlpool Block Cipher W

- designed specifically for hash function use
- with the security and efficiency of AES, but with a 512-bit block size and hence hash
- similar structure & functions as AES, but:
  - input is mapped row-wise
  - has 10 rounds
  - a different primitive polynomial for GF(2^8)
  - uses a different S-box design & values


Whirlpool Performance & Security

- Whirlpool was a very new proposal when these notes were written, hence little experience with its use
- but many AES findings should apply
- does seem to need more hardware than SHA, but with better resulting performance

Keyed Hash Functions as MACs

- want a MAC based on a hash function
  - because hash functions are generally faster
  - code for cryptographic hash functions is widely available
- the hash includes a key along with the message
- original proposal:
  KeyedHash = Hash(Key || Message)
- some weaknesses were found with this: for an iterated (Merkle-Damgard) hash such as MD5, SHA-1 or SHA-256, anyone who knows Hash(Key || M) and the length of Key can compute Hash(Key || M || pad || M') for any suffix M' without knowing the key (length extension), forging a valid MAC on an extended message
- eventually led to the development of HMAC

HMAC

- specified as Internet standard RFC 2104
- uses the hash function on the message:
  HMAC_K(M) = Hash[(K+ XOR opad) || Hash[(K+ XOR ipad) || M]]
- where K+ is the key padded out to the hash block size (a key longer than the block is first hashed), and opad (0x5C repeated) and ipad (0x36 repeated) are specified padding constants
- overhead is just three more compression-function calls than the message needs alone
- any hash function can be used, eg. MD5, SHA-1, RIPEMD-160, Whirlpool
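The HMAC formula above written out step by step and cross-checked against Python's hmac module, as an added example (not from the lecture notes). Assumptions: the underlying hash is a hashlib object with a block_size attribute, and tags are compared with a constant-time comparison, which the slide does not mention but any MAC verifier needs.

```python
import hashlib, hmac

def hmac_from_spec(key: bytes, msg: bytes, hashfn=hashlib.sha256) -> bytes:
    """HMAC_K(M) = Hash[(K+ XOR opad) || Hash[(K+ XOR ipad) || M]]  (RFC 2104)."""
    block = hashfn().block_size                 # 64 bytes for SHA-256, 128 for SHA-512
    if len(key) > block:                        # a key longer than a block is hashed first
        key = hashfn(key).digest()
    k_plus = key.ljust(block, b"\x00")          # K+: key zero-padded to the block size
    ipad = bytes(b ^ 0x36 for b in k_plus)
    opad = bytes(b ^ 0x5C for b in k_plus)
    inner = hashfn(ipad + msg).digest()         # Hash[(K+ XOR ipad) || M]
    return hashfn(opad + inner).digest()        # Hash[(K+ XOR opad) || inner]

def verify_tag(key: bytes, msg: bytes, tag: bytes, hashfn=hashlib.sha256) -> bool:
    """Compare in constant time: an early-exit == would leak how many tag bytes matched."""
    return hmac.compare_digest(hmac_from_spec(key, msg, hashfn), tag)

def matches_stdlib(key: bytes, msg: bytes, name: str = "sha256") -> bool:
    """Cross-check the hand-built HMAC against Python's hmac module for the named hash."""
    return hmac_from_spec(key, msg, getattr(hashlib, name)) == hmac.new(key, msg, name).digest()
```

Because the key is mixed in through two separate hash invocations, the outer hash hides the inner state, so the length-extension trick that breaks Hash(K || M) does not apply.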

HMAC Overview


HMAC Security

- proved security of HMAC relates to that of the underlying hash algorithm
- attacking HMAC requires either:
  - a brute-force attack on the key used
  - a birthday attack (but since it is keyed, the attacker would need to observe a very large number of messages: about 2^(n/2) for an n-bit hash)
- choose the hash function used based on speed versus security constraints (no practical forgery is known even for HMAC-MD5, since HMAC's security does not rest on collision resistance, but new designs should use SHA-256 or stronger)

CMAC

- previously saw the DAA (CBC-MAC)
- widely used in government & industry
- but has a message-size limitation: plain CBC-MAC is only secure for messages of one fixed length, since the MACs of two messages can be combined into a valid MAC of a related longer message
- can overcome using 2 keys & padding, thus forming the Cipher-based Message Authentication Code (CMAC)
- adopted by NIST in SP 800-38B

CMAC Overview

Secure secret key systems


Modern Block Ciphers

- modern block ciphers are widely used in symmetric cryptographic algorithms
- provide secrecy / authentication services
- we focus on DES (Data Encryption Standard) and AES (Advanced Encryption Standard)

Block vs Stream Ciphers

- block ciphers process messages in blocks, each of which is then en/decrypted
- like a substitution on very big characters (64 bits or more)
- stream ciphers process messages a bit or byte at a time when en/decrypting
- many current ciphers are block ciphers
- block ciphers have a broader range of applications

Block Cipher Principles

- many symmetric block ciphers (DES among them) are based on a Feistel cipher structure
- needed since must be able to decrypt ciphertext to recover messages efficiently
- block ciphers look like an extremely large substitution
- would need a table of 2^64 entries for a 64-bit block
- instead create from smaller building blocks, using the idea of a product cipher

Ideal Block Cipher


Claude Shannon and Substitution-Permutation Ciphers

- Claude Shannon introduced the idea of substitution-permutation (S-P) networks
- form the basis of modern block ciphers
- S-P nets are based on the two primitive cryptographic operations seen before:
  - substitution (S-box)
  - permutation (P-box)
- provide confusion & diffusion of message & key

Confusion and Diffusion

- a cipher needs to completely obscure the statistical properties of the original message
- a one-time pad does this
- more practically Shannon suggested combining S & P elements to obtain:
  - diffusion: dissipates the statistical structure of the plaintext over the bulk of the ciphertext
  - confusion: makes the relationship between ciphertext and key as complex as possible

Feistel Cipher Structure

- Horst Feistel devised the Feistel cipher, based on the concept of an invertible product cipher
- partitions the input block into two halves
  - processes through multiple rounds which perform a substitution on the left data half, based on a round function of the right half & subkey
  - then has a permutation swapping the halves
- implements Shannon's S-P net concept
- because each round only XORs the output of the round function into the other half, the round function itself need not be invertible; decryption runs the same rounds with the subkeys in reverse order


Feistel Cipher Design Elements

- block size
- key size
- number of rounds
- sub-key generation algorithm
- round function
- fast software en/decryption
- ease of analysis

Feistel Cipher Decryption


Data Encryption Standard (DES)

- most widely used block cipher in the world (at the time of these notes)
- adopted in 1977 by NBS (now NIST) as FIPS PUB 46
- encrypts 64-bit data using a 56-bit key
- has widespread use
- has been considerable controversy over its security

DES History

- IBM developed the Lucifer cipher
  - by a team led by Feistel in the late 60s
  - used 64-bit data blocks with a 128-bit key
- then redeveloped as a commercial cipher with input from NSA and others
- in 1973 NBS issued a request for proposals for a national cipher standard
- IBM submitted their revised Lucifer, which was eventually accepted as the DES

DES Design Controversy

- although the DES standard is public, was considerable controversy over the design
  - in the choice of the 56-bit key (vs Lucifer's 128-bit)
  - and because the design criteria were classified
- subsequent events and public analysis show that in fact the design was appropriate against differential cryptanalysis, while the 56-bit key is now far too short
- use of DES has flourished, especially in financial applications
- still standardised for legacy application use (NIST withdrew single DES in 2005; Triple DES is being retired in turn)

DES Encryption Overview


Initial Permutation IP

- first step of the data computation
- IP reorders the input data bits
- even bits to the LH half, odd bits to the RH half
- quite regular in structure (easy in hardware)
- contributes nothing to security: it is a fixed, public permutation that any attacker can undo

DES Round Structure

- uses two 32-bit L & R halves
- as for any Feistel cipher can describe as:
  Li = Ri-1
  Ri = Li-1 XOR F(Ri-1, Ki)
- F takes the 32-bit R half and a 48-bit subkey:
  - expands R to 48 bits using permutation E
  - adds to the sub-key using XOR
  - passes through 8 S-boxes to get a 32-bit result
  - finally permutes using the 32-bit permutation P


Substitution Boxes S

- have eight S-boxes which map 6 to 4 bits
- each S-box is actually 4 little 4-bit boxes
  - outer bits 1 & 6 (row bits) select one row of 4
  - inner bits 2-5 (col bits) are substituted
  - result is 8 lots of 4 bits, or 32 bits
- row selection depends on both data & key
  - feature known as autoclaving (autokeying)
- example:
  S(18 09 12 3d 11 17 38 39) = 5fd25e03

DES Key Schedule

- sub-keys are used in each round
- initial permutation of the key (PC1) which selects 56 bits in two 28-bit halves
- 16 stages consisting of:
  - rotating each half separately either 1 or 2 places depending on the key rotation schedule
  - selecting 24 bits from each half & permuting them by PC2 for use in round function F

DES Decryption

- decrypt must unwind the steps of the data computation
- with the Feistel design, do the encryption steps again using the sub-keys in reverse order (SK16 ... SK1)
  - IP undoes the final FP step of encryption
  - 1st round with SK16 undoes the 16th encrypt round
  - ...
  - 16th round with SK1 undoes the 1st encrypt round
  - then the final FP undoes the initial encryption IP
  - thus recovering the original data value

Avalanche Effect

- key desirable property of an encryption algorithm
- where a change of one input or key bit results in changing approximately half of the output bits
- makes attempts to home in on the key by guessing impractical, since near-miss keys give no hint
- DES exhibits strong avalanche
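A generic Feistel network written from the round equations on the DES round slide (Li = Ri-1, Ri = Li-1 XOR F(Ri-1, Ki)), showing that decryption is the same routine with the subkeys reversed even though F is not invertible, and measuring the avalanche effect just described. This is an added example, not DES and not code from the lecture notes: the 64-bit toy cipher assumes a round function made from HMAC-SHA256 and a subkey schedule made from SHA-256, both chosen only for illustration, and must not be used to protect real data.

```python
import hashlib, hmac, random

MASK32 = 0xFFFFFFFF

def F(right: int, subkey: bytes) -> int:
    """Round function: 32 bits of HMAC-SHA256(subkey, R).  Deliberately NOT invertible,
    to show that a Feistel network does not need F to be."""
    tag = hmac.new(subkey, right.to_bytes(4, "big"), "sha256").digest()
    return int.from_bytes(tag[:4], "big")

def key_schedule(key: bytes, rounds: int):
    """Toy schedule (assumption for the demo): subkey i = SHA-256(key || i)."""
    return [hashlib.sha256(key + bytes([i])).digest() for i in range(rounds)]

def feistel(block: int, subkeys) -> int:
    """L_i = R_{i-1}; R_i = L_{i-1} XOR F(R_{i-1}, K_i); halves swapped back at the end."""
    L, R = block >> 32, block & MASK32
    for k in subkeys:
        L, R = R, L ^ F(R, k)
    return (R << 32) | L                         # undo the last swap, as DES does

def encrypt(block: int, key: bytes, rounds: int = 16) -> int:
    return feistel(block, key_schedule(key, rounds))

def decrypt(block: int, key: bytes, rounds: int = 16) -> int:
    return feistel(block, key_schedule(key, rounds)[::-1])   # same code, subkeys reversed

def avalanche(key: bytes, rounds: int = 16, trials: int = 200, seed: int = 7) -> float:
    """Mean number of the 64 output bits that change when one random input bit flips."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        pt = rng.getrandbits(64)
        pt2 = pt ^ (1 << rng.randrange(64))
        total += bin(encrypt(pt, key, rounds) ^ encrypt(pt2, key, rounds)).count("1")
    return total / trials
```

With 16 rounds avalanche(key) comes out close to 32 bits; with a single round it is far below that, because a flipped bit in the left half only reaches the output through one XOR, which is the point of the "number of rounds" design element.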

Strength of DES Key Size

- 56-bit keys have 2^56 = 7.2 x 10^16 values
- brute-force search looks hard
- recent advances have shown it is possible
  - in 1997 on the Internet in a few months
  - in 1998 on dedicated hardware (EFF) in a few days
  - in 1999 the above combined in 22 hrs!
- still must be able to recognize the plaintext
- must now consider alternatives to DES

Strength of DES Analytic Attacks

- now have several analytic attacks on DES
- these utilise some deep structure of the cipher
  - by gathering information about encryptions
  - can eventually recover some/all of the sub-key bits
  - if necessary then exhaustively search for the rest
- generally these are statistical attacks
- include:
  - differential cryptanalysis
  - linear cryptanalysis
  - related-key attacks

Strength of DES Timing Attacks

- attacks the actual implementation of the cipher
- uses knowledge of the consequences of the implementation to derive information about some/all sub-key bits
- specifically uses the fact that calculations can take varying times depending on the value of the inputs to them
- particularly problematic on smartcards

Differential Cryptanalysis

- one of the most significant recent (public) advances in cryptanalysis
- known by NSA in the 70s, cf. the DES design
- Murphy, Biham & Shamir published in the 90s
- powerful method to analyse block ciphers
- used to analyse most current block ciphers with varying degrees of success
- DES reasonably resistant to it, cf. Lucifer

Differential Cryptanalysis

- a statistical attack against Feistel ciphers
- uses cipher structure not previously used
- the design of S-P networks has the output of function f influenced by both input & key
- hence cannot trace values back through the cipher without knowing the value of the key
- differential cryptanalysis compares two related pairs of encryptions

Differential Cryptanalysis Compares Pairs of Encryptions

- with a known difference in the input
- searching for a known difference in output
- when the same subkeys are used

Differential Cryptanalysis

- have some input difference giving some output difference with probability p
- if find instances of some higher-probability input/output difference pairs occurring
- can infer the sub-key that was used in the round
- then must iterate the process over many rounds (with decreasing probabilities)


Differential Cryptanalysis

- perform the attack by repeatedly encrypting plaintext pairs with a known input XOR until the desired output XOR is obtained
- when found:
  - if the intermediate rounds match the required XOR, have a right pair
  - if not then have a wrong pair; the relative ratio is the S/N for the attack
- can then deduce key values for the rounds
  - right pairs suggest the same key bits
  - wrong pairs give random values
- for large numbers of rounds, the probability is so low that more pairs are required than exist with 64-bit inputs
- Biham and Shamir have shown how a 13-round iterated characteristic can break the full 16-round DES, with about 2^47 chosen plaintexts

Linear Cryptanalysis

- another recent development
- also a statistical method
- must be iterated over rounds, with decreasing probabilities
- developed by Matsui et al in the early 90s
- based on finding linear approximations
- can attack DES with 2^43 known plaintexts, easier but still in practice infeasible

Linear Cryptanalysis

- find linear approximations with probability p != 1/2:
  P[i1,i2,...,ia] XOR C[j1,j2,...,jb] = K[k1,k2,...,kc]
  where ia, jb, kc are bit locations in P, C, K and each bracket denotes the XOR of the listed bits
- gives a linear equation for key bits
- get one key bit using a maximum-likelihood algorithm
- using a large number of trial encryptions
- effectiveness given by: |p - 1/2|

DES Design Criteria

- as reported by Coppersmith in [COPP94]
- 7 criteria for S-boxes provide for:
  - non-linearity
  - resistance to differential cryptanalysis
  - good confusion
- 3 criteria for permutation P provide for:
  - increased diffusion

Block Cipher Design

- basic principles still like Feistel's in the 1970s
- number of rounds
  - more is better, exhaustive search should be the best attack
- function f:
  - provides confusion, is nonlinear, avalanche
  - have issues of how S-boxes are selected
- key schedule
  - complex sub-key creation, key avalanche

Advanced Encryption Standard


Origins

- clear a replacement for DES was needed
  - have theoretical attacks that can break it
  - have demonstrated exhaustive key search attacks
- can use Triple-DES, but slow and has small blocks
- US NIST issued a call for ciphers in 1997
- 15 candidates accepted in Jun 98
- 5 were shortlisted in Aug 99
- Rijndael was selected as the AES in Oct 2000
- issued as FIPS PUB 197 standard in Nov 2001

AES Requirements

- private-key symmetric block cipher
- 128-bit data, 128/192/256-bit keys
- stronger & faster than Triple-DES
- active life of 20-30 years (+ archival use)
- provide full specification & design details
- both C & Java implementations
- NIST have released all submissions & unclassified analysis

AES Evaluation Criteria

- initial criteria:
  - security: effort for practical cryptanalysis
  - cost: in terms of computational efficiency
  - algorithm & implementation characteristics
- final criteria:
  - general security
  - ease of software & hardware implementation
  - implementation attacks
  - flexibility (in en/decrypt, keying, other factors)

AES Shortlist

after testing and evaluation, shortlist in Aug 99:
- MARS (IBM) - complex, fast, high security margin
- RC6 (USA) - v. simple, v. fast, low security margin
- Rijndael (Belgium) - clean, fast, good security margin
- Serpent (Euro) - slow, clean, v. high security margin
- Twofish (USA) - complex, v. fast, high security margin

then subject to further analysis & comment; saw a contrast between algorithms with:
- few complex rounds versus many simple rounds
- which refined existing ciphers versus new proposals

The AES Cipher Rijndael

- designed by Rijmen & Daemen in Belgium
- has 128/192/256-bit keys, 128-bit data
- an iterative rather than Feistel cipher
  - processes data as a block of 4 columns of 4 bytes
  - operates on the entire data block in every round
- designed to be:
  - resistant against known attacks
  - speed and code compactness on many CPUs
  - design simplicity

Rijndael

- data block of 4 columns of 4 bytes is the state
- key is expanded to an array of words
- has 10/12/14 rounds (for 128/192/256-bit keys), the last of which omits mix columns, in which the state undergoes:
  - byte substitution (1 S-box used on every byte)
  - shift rows (permute bytes between groups/columns)
  - mix columns (substitution using matrix multiply of groups)
  - add round key (XOR state with key material)
  - view as alternating XOR of key & scrambling of data bytes
- initial XOR of key material & incomplete last round
- with fast XOR & table lookup implementation


Byte Substitution

- a simple substitution of each byte
- uses one table of 16x16 bytes containing a permutation of all 256 8-bit values
- each byte of state is replaced by the byte indexed by row (left 4 bits) & column (right 4 bits)
  - eg. byte {95} is replaced by the byte in row 9 column 5, which has value {2A}
- S-box constructed using a defined transformation of values in GF(2^8): the multiplicative inverse (with 0 mapped to 0) followed by an affine transformation
- designed to be resistant to all known attacks


Shift Rows

- a circular byte shift in each row:
  - 1st row is unchanged
  - 2nd row does a 1-byte circular shift to the left
  - 3rd row does a 2-byte circular shift to the left
  - 4th row does a 3-byte circular shift to the left
- decrypt inverts using shifts to the right
- since the state is processed by columns, this step permutes bytes between the columns


Mix Columns

- each column is processed separately
- each byte is replaced by a value dependent on all 4 bytes in the column
- effectively a matrix multiplication in GF(2^8) using the prime polynomial m(x) = x^8 + x^4 + x^3 + x + 1


Mix Columns

- can express each column as 4 equations, to derive each new byte in the column
- decryption requires the use of the inverse matrix, with larger coefficients, hence a little harder
- have an alternate characterization: each column is a 4-term polynomial with coefficients in GF(2^8), and polynomials are multiplied modulo (x^4 + 1)

Add Round Key

- XOR state with 128 bits of the round key
- again processed by column (though effectively a series of byte operations)
- inverse for decryption identical, since XOR is its own inverse, with reversed keys
- designed to be as simple as possible
  - a form of Vernam cipher on the expanded key
  - requires the other stages for complexity / security


AES Round


AES Key Expansion

- takes the 128/192/256-bit key and expands it into an array of 44/52/60 32-bit words
- start by copying the key into the first 4/6/8 words
- then loop creating words that depend on the values in the previous word & the word 4/6/8 places back
  - in most cases just XOR these together
  - the 1st word in each group of 4/6/8 has rotate + S-box + XOR round constant applied to the previous word before the XOR with the word 4/6/8 back (AES-256 also applies the S-box to the word in the middle of each group of 8)


Key Expansion Rationale

- designed to resist known attacks
- design criteria included:
  - knowing part of the key is insufficient to find many more bits
  - invertible transformation
  - fast on a wide range of CPUs
  - use round constants to break symmetry
  - diffuse key bits into round keys
  - enough non-linearity to hinder analysis
  - simplicity of description

AES Decryption

- AES decryption is not identical to encryption, since the steps are done in reverse
- but can define an equivalent inverse cipher with steps as for encryption
  - but using the inverses of each step
  - with a different key schedule
- works since the result is unchanged when:
  - swapping byte substitution & shift rows
  - swapping mix columns & add (tweaked) round key


Implementation Aspects

can efficiently implement on an 8-bit CPU:
- byte substitution works on bytes using a table of 256 entries
- shift rows is a simple byte shift
- add round key works on byte XORs
- mix columns requires matrix multiply in GF(2^8), which works on byte values, and can be simplified to use table lookups & byte XORs

Implementation Aspects

can efficiently implement on a 32-bit CPU:
- redefine steps to use 32-bit words
- can precompute 4 tables of 256 words
- then each column in each round can be computed using 4 table lookups + 4 XORs
- at a cost of 4 KB to store the tables
- designers believe this very efficient implementation was a key factor in its selection as the AES cipher
- caveat: such T-table implementations leak key material through cache timing on shared hardware, which is why constant-time or AES-NI implementations are preferred today
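AES-128 encryption built layer by layer from the slides above (the S-box derived from the GF(2^8) inverse and affine map, SubBytes, ShiftRows, MixColumns modulo m(x), AddRoundKey and the 44-word key expansion), followed by AES-CMAC as described on the earlier CMAC slide, since CMAC only needs this one block encryption plus subkey doubling and padding. This is an added example and not code from the lecture notes or from FIPS-197; it is a readable reference implementation, not a constant-time one, and is checked against the FIPS-197 Appendix C.1 and RFC 4493 test vectors.

```python
def xtime(b: int) -> int:
    """Multiply by x in GF(2^8) modulo m(x) = x^8 + x^4 + x^3 + x + 1 (0x11B)."""
    b <<= 1
    return (b ^ 0x11B) & 0xFF if b & 0x100 else b

def gmul(a: int, b: int) -> int:
    """GF(2^8) multiplication by shift-and-add."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r

def build_sbox():
    """S[x] = affine(x^-1) with 0 -> 0, the way FIPS-197 defines the table."""
    sbox = [0] * 256
    for x in range(256):
        inv = next(y for y in range(1, 256) if gmul(x, y) == 1) if x else 0
        s, t = inv, inv
        for _ in range(4):                       # s ^= rotl(inv, 1..4), then ^ 0x63
            t = ((t << 1) | (t >> 7)) & 0xFF
            s ^= t
        sbox[x] = s ^ 0x63
    return sbox

SBOX = build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]

def sub_bytes(state):
    return [SBOX[b] for b in state]

def shift_rows(state):
    """State is 16 bytes column-major (index 4*col + row); row r rotates left by r."""
    return [state[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]

def mix_columns(state):
    out = []
    for c in range(4):
        a0, a1, a2, a3 = state[4 * c:4 * c + 4]
        out += [gmul(a0, 2) ^ gmul(a1, 3) ^ a2 ^ a3,
                a0 ^ gmul(a1, 2) ^ gmul(a2, 3) ^ a3,
                a0 ^ a1 ^ gmul(a2, 2) ^ gmul(a3, 3),
                gmul(a0, 3) ^ a1 ^ a2 ^ gmul(a3, 2)]
    return out

def add_round_key(state, rk):
    return [s ^ k for s, k in zip(state, rk)]

def key_expansion(key: bytes):
    """128-bit key -> 44 words; every 4th word gets RotWord, SubWord and an Rcon XOR."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    for i in range(4, 44):
        t = w[i - 1][:]
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= RCON[i // 4 - 1]
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]     # 11 round keys

def aes128_encrypt_block(pt: bytes, key: bytes) -> bytes:
    rks = key_expansion(key)
    state = add_round_key(list(pt), rks[0])
    for r in range(1, 10):
        state = add_round_key(mix_columns(shift_rows(sub_bytes(state))), rks[r])
    state = add_round_key(shift_rows(sub_bytes(state)), rks[10])  # final round: no MixColumns
    return bytes(state)

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def cmac_subkeys(key: bytes):
    """K1, K2 from L = E_K(0^128) by doubling in GF(2^128) (SP 800-38B / RFC 4493)."""
    def dbl(blk):
        v = int.from_bytes(blk, "big") << 1
        if v >> 128:
            v ^= 0x87
        return (v & ((1 << 128) - 1)).to_bytes(16, "big")
    k1 = dbl(aes128_encrypt_block(bytes(16), key))
    return k1, dbl(k1)

def aes_cmac(key: bytes, msg: bytes) -> bytes:
    """CBC-MAC whose last block is masked by K1 (complete) or padded and masked by K2."""
    k1, k2 = cmac_subkeys(key)
    n = max(1, -(-len(msg) // 16))
    last = msg[16 * (n - 1):]
    if msg and len(last) == 16:
        last = _xor(last, k1)
    else:
        last = _xor((last + b"\x80").ljust(16, b"\x00"), k2)
    x = bytes(16)
    for i in range(n - 1):
        x = aes128_encrypt_block(_xor(x, msg[16 * i:16 * i + 16]), key)
    return aes128_encrypt_block(_xor(x, last), key)
```

The K1/K2 masking is what removes the CBC-MAC length problem: the final block is processed differently from every internal block, so a MAC on a short message can no longer be extended into a MAC on a longer one.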

Key Management

- public-key encryption helps address key distribution problems
- have two aspects of this:
  - distribution of public keys
  - use of public-key encryption to distribute secret keys

Distribution of Public Keys

can be considered as using one of:
- public announcement
- publicly available directory
- public-key authority
- public-key certificates

Public Announcement

- users distribute public keys to recipients or broadcast to the community at large
  - eg. append PGP (pretty good privacy) keys to email messages or post to newsgroups or email lists
- major weakness is forgery
  - anyone can create a key claiming to be someone else and broadcast it
  - until the forgery is discovered, can masquerade as the claimed user

Publicly Available Directory

- can obtain greater security by registering keys with a public directory
- directory must be trusted, with properties:
  - contains {name, public-key} entries
  - participants register securely with the directory
  - participants can replace their key at any time
  - directory is periodically published
  - directory can be accessed electronically
- still vulnerable to tampering or forgery

Public-Key Authority

- improves security by tightening control over the distribution of keys from the directory
- has the properties of the directory
- requires users to know the public key of the authority
- then users interact with the authority to obtain any desired public key securely
- does require real-time access to the authority whenever keys are needed (though a user can cache keys already obtained)


Public-Key Certificates

- certificates allow key exchange without real-time access to the public-key authority
- a certificate binds an identity to a public key
  - usually with other info such as period of validity, rights of use etc.
- with all contents signed by a trusted Public-Key or Certificate Authority (CA)
- can be verified by anyone who knows the authority's public key


Public-Key Distribution of Secret Keys

- use the previous methods to obtain a public key
- can use for secrecy or authentication
- but public-key algorithms are slow
- so usually want to use private-key encryption to protect message contents
- hence need a session key
- have several alternatives for negotiating a suitable session key

Simple Secret Key Distribution

proposed by Merkle in 1979:
- A generates a new temporary public key pair
- A sends B the public key and their identity
- B generates a session key K and sends it to A encrypted using the supplied public key
- A decrypts the session key and both use it

problem is that an opponent can intercept and impersonate both halves of the protocol (man-in-the-middle), since nothing authenticates the public key

Public-Key Distribution of Secret Keys

if have securely exchanged public keys:

Hybrid Key Distribution

- retain use of a private-key KDC
- shares a secret master key with each user
- distributes session keys using the master key
- public key used to distribute the master keys
  - especially useful with widely distributed users
- rationale:
  - performance
  - backward compatibility

Diffie-Hellman Key Exchange

- first public-key type scheme proposed
- by Diffie & Hellman in 1976 along with the exposition of public-key concepts
  - note: now know that James Ellis (UK CESG) described the concept of non-secret encryption in 1970, and Malcolm Williamson found the equivalent of this key exchange in 1974
- it is a practical method for public exchange of a secret key
- used in a number of commercial products

Diffie-Hellman Key Exchange

- a public-key distribution scheme
  - cannot be used to exchange an arbitrary message
  - rather it can establish a common key known only to the two participants
- the value of the key depends on the participants (and their private and public key information)
- based on exponentiation in a finite (Galois) field (modulo a prime or a polynomial) - easy
- security relies on the difficulty of computing discrete logarithms (similar to factoring) - hard

Diffie-Hellman Setup

- all users agree on global parameters:
  - a large prime integer or polynomial q
  - a, being a primitive root mod q
- each user (eg. A) generates their key
  - chooses a secret key (number): xA < q
  - computes their public key: yA = a^xA mod q
- each user makes public that key yA

Diffie-Hellman Key Exchange

- shared session key for users A & B is KAB:
  KAB = a^(xA.xB) mod q
      = yA^xB mod q (which B can compute)
      = yB^xA mod q (which A can compute)
- KAB is used as the session key in a private-key encryption scheme between Alice and Bob
- if Alice and Bob subsequently communicate, they will have the same key as before, unless they choose new public keys
- an attacker needs an x, so must solve a discrete log

Diffie-Hellman Example

Users Alice & Bob wish to swap keys:
Agree on prime q=353 and a=3
Select random secret keys:
  A chooses xA=97, B chooses xB=233
Compute respective public keys:
  yA = 3^97 mod 353 = 40 (Alice)
  yB = 3^233 mod 353 = 248 (Bob)
Compute shared session key as:
  KAB = yB^xA mod 353 = 248^97 mod 353 = 160 (Alice)
  KAB = yA^xB mod 353 = 40^233 mod 353 = 160 (Bob)
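The exchange above, run end to end with the slides' parameters q=353, a=3, xA=97, xB=233, as an added example that is not part of the lecture material. The `discrete_log` helper is an illustration of the attacker's problem named on the previous slide and is only feasible because q is tiny.

```python
# Diffie-Hellman over Z_q with the slides' toy parameters q = 353, a = 3.
# Added example, not the lecture's code; the small q is only for illustration.
Q, A = 353, 3   # public: prime modulus q and primitive root a

def public_key(x):
    """y = a^x mod q, where x is the user's secret exponent, x < q."""
    return pow(A, x, Q)

def session_key(x_own, y_peer):
    """K_AB = y_peer^x_own mod q; equal on both sides since a^(xA*xB) = a^(xB*xA)."""
    return pow(y_peer, x_own, Q)

def dh_exchange(xA, xB):
    """Run the protocol: publish yA and yB, then each side derives K_AB."""
    yA, yB = public_key(xA), public_key(xB)
    return yA, yB, session_key(xA, yB), session_key(xB, yA)

def discrete_log(y):
    """Brute-force the x with a^x = y mod q: the problem an eavesdropper faces.
    Feasible only because q = 353 is tiny; real deployments use q of 2048+ bits."""
    for x in range(Q):
        if pow(A, x, Q) == y:
            return x
    return None
```
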

Key Exchange Protocols

Users could create random private/public D-H keys each time they communicate
Users could create a known private/public D-H key and publish it in a directory, which is then consulted and used to securely communicate with them
Both of these are vulnerable to a meet-in-the-middle attack
Authentication of the keys is needed

Elliptic Curve Cryptography

The majority of public-key crypto (RSA, D-H) uses either integer or polynomial arithmetic with very large numbers/polynomials
This imposes a significant load in storing and processing keys and messages
An alternative is to use elliptic curves
Offers the same security with smaller bit sizes
Newer, but not as well analysed

Real Elliptic Curves

An elliptic curve is defined by an equation in two variables x & y, with coefficients
Consider a cubic elliptic curve of the form
  y^2 = x^3 + ax + b
  where x, y, a, b are all real numbers
Also define a zero point O
Have an addition operation for the elliptic curve:
  geometrically, the sum Q+R is the reflection of the third point at which the line through Q and R intersects the curve

Real Elliptic Curve Example (figure not reproduced)

Finite Elliptic Curves

Elliptic curve cryptography uses curves whose variables & coefficients are finite
Two families are commonly used:
  prime curves Ep(a,b) defined over Zp
    use integers modulo a prime
    best in software
  binary curves E2m(a,b) defined over GF(2^n)
    use polynomials with binary coefficients
    best in hardware

Elliptic Curve Cryptography

ECC addition is the analog of modular multiplication
ECC repeated addition is the analog of modular exponentiation
Need a hard problem equivalent to the discrete log:
  Q = kP, where Q, P belong to a prime curve
  it is easy to compute Q given k, P
  but hard to find k given Q, P
  known as the elliptic curve logarithm problem
Certicom example: E23(9,17)

ECC Diffie-Hellman

Can do key exchange analogous to D-H
Users select a suitable curve Ep(a,b)
Select a base point G=(x1,y1) with large order n s.t. nG = O
A & B select private keys nA < n, nB < n
Compute public keys: PA = nA·G, PB = nB·G
Compute shared key: K = nA·PB, K = nB·PA
  same since K = nA·nB·G

ECC Encryption/Decryption

Several alternatives; will consider the simplest
Must first encode any message M as a point on the elliptic curve, Pm
Select a suitable curve & point G as in D-H
Each user chooses a private key nA < n and computes the public key PA = nA·G
To encrypt Pm: Cm = {kG, Pm + k·PB}, k random
To decrypt Cm compute:
  Pm + k·PB - nB(kG) = Pm + k(nB·G) - nB(kG) = Pm
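Point addition, repeated addition, ECC Diffie-Hellman and the encrypt/decrypt scheme from the last three slides, worked on the Certicom curve E23(9,17) as an added example (not the lecture's or Certicom's code). The base point G=(16,5), the private keys nA=7, nB=5, the random k=3 and the message point Pm=(10,7) are constructed choices for this illustration; Python 3.8+ is assumed for the modular inverse via pow(x, -1, p).

```python
# Prime-curve arithmetic for E23(9,17): y^2 = x^3 + 9x + 17 (mod 23), the Certicom
# curve named on the slides. Added example, not the lecture's or Certicom's own code.
P, A, B = 23, 9, 17   # E_p(a,b): prime modulus and curve coefficients
O = None              # the zero point O (point at infinity)
G = (16, 5)           # constructed base point; the textbook walk-through finds 9G = (4,5)

def add(p1, p2):
    """Point addition on E_p(a,b), the ECC analog of a modular multiply."""
    if p1 is O:
        return p2
    if p2 is O:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:   # p2 == -p1, so the sum is O
        return O
    if p1 == p2:                           # doubling: tangent slope
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:                                  # distinct points: chord slope
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def neg(pt):
    return O if pt is O else (pt[0], -pt[1] % P)

def mul(k, pt):
    """kP by double-and-add, the ECC analog of modular exponentiation."""
    result = O
    while k:
        if k & 1:
            result = add(result, pt)
        pt, k = add(pt, pt), k >> 1
    return result

def order(pt):  # smallest n with nP = O, by repeated addition (fine on a toy curve)
    n, q = 1, pt
    while q is not O:
        q, n = add(q, pt), n + 1
    return n

def ecdh(nA, nB):  # ECC Diffie-Hellman: both returned values equal nA*nB*G
    PA, PB = mul(nA, G), mul(nB, G)
    return mul(nA, PB), mul(nB, PA)

def encrypt(Pm, PB, k):  # Cm = {kG, Pm + k*PB}, with Pm a point encoding the message
    return mul(k, G), add(Pm, mul(k, PB))

def decrypt(Cm, nB):  # Pm = (Pm + k*PB) - nB*(kG), since k*PB = nB*(kG)
    C1, C2 = Cm
    return add(C2, neg(mul(nB, C1)))
```
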

ECC Security

Relies on the elliptic curve logarithm problem
Fastest method is the Pollard rho method
Compared to factoring, can use much smaller key sizes than with RSA etc.
For equivalent key lengths, computations are roughly equivalent
Hence for similar security ECC offers significant computational advantages

Comparable Key Sizes for Equivalent Security

Symmetric scheme     ECC-based scheme     RSA/DSA
(key size in bits)   (size of n in bits)  (modulus size in bits)
56                   112                  512
80                   160                  1024
112                  224                  2048
128                  256                  3072
192                  384                  7680
256                  512                  15360
