Cryptography (An Overview)

Cryptography (An Overview). Security Attacks: Normal Flow, Interruption, Modification, Fabrication, Interception.

Dec 28, 2015


Derick Clarke
Transcript
Page 1:

Cryptography (An Overview)

Page 2:

Security Attacks

[Figure panels: Normal Flow, Interruption, Modification, Fabrication, Interception]

Page 3:

Security Services

• Confidentiality

• Authentication

• Integrity

• Nonrepudiation

• Access control

• Availability

Cryptography may be used to implement some of these services.

Page 4:

Introduction to Cryptography

• Cryptographic systems are classified by
  – Type of operations used for transforming plaintext to ciphertext.
  – Number of keys used
    • No key
    • Symmetric, single-key, secret-key, or conventional encryption.
    • Asymmetric, two-key, or public-key encryption.
  – The way in which the plaintext is processed
    • Block cipher
    • Stream cipher.

Page 5:

• Encryption techniques not using any keys are very simple.
  – Transforming or scrambling the information being encrypted.
  – Not secure (apparently secure)
  – Easy to decipher the encrypted information, once you know the algorithm.

Plaintext:  This is an encrypted message
Ciphertext: Zmny ny fs jshxduzji rjyyflj

Page 6:

Private Key System

– Also known as single key, secret key, or symmetric key system.
– Only one key.
– The same key is used for encryption and decryption.

[Figure: Plaintext → Encryption Algorithm → Transmitted ciphertext → Decryption Algorithm → Plaintext. The secret key shared by sender and recipient is an input to both the encryption and the decryption algorithm.]

Page 7:

• Data Encryption Standard (DES)
  – Commonly used private key algorithm.
  – Developed by IBM
  – Became a U.S. government standard in 1976.
  – It has remained a secure algorithm over the past 20 years.
  – To this day, the most practical attack against DES is a brute-force attack.

Page 8:

  – Algorithm
    • The 64-bit plaintext passes through the initial permutation (IP).
    • A phase consisting of 16 iterations of the same function follows, as shown on the next slide.
    • The output of the last iteration is passed through a permutation ($IP^{-1}$) that is the inverse of the initial permutation function.

Page 9:

Source: http://www.cs.wm.edu/~hallyn/des/algorithm.html

Page 10:

[Figure: General Depiction of DES Encryption Algorithm. Data path: 64-bit plaintext → Initial permutation → Round 1 → Round 2 → … → Round 16 → 32-bit swap → Inverse initial permutation → 64-bit ciphertext. Key path: 56-bit key → Permuted choice 1 → Left circular shift → Permuted choice 2, with a left circular shift and a permuted choice 2 shown for each round.]

Page 11:

  – Concerns about the strength of DES
    • Cryptanalysis
      – There have been numerous attempts to find and exploit weaknesses in the algorithm.
      – No one has so far succeeded in discovering a fatal weakness.
    • Key length
      – Rising processor speed and falling hardware costs made it a simple matter to break DES quickly using a brute-force approach.
      – It was finally declared dead in July 1998, when the Electronic Frontier Foundation (EFF) announced that it had broken a new DES encryption using a special-purpose “DES cracker”.
      – 10 hours to break DES
      – $10^{18}$ years to break a 128-bit key

Page 12:

• Triple DEA (3DES)
  – Proposed by Tuchman (79)
  – First standardized for use in financial applications in ANSI in 1985.
  – TDEA uses three keys and three executions of the DES algorithm.
  – The function follows an encrypt-decrypt-encrypt (EDE) sequence.

    $C = E_{K_3}[D_{K_2}[E_{K_1}[P]]]$

  – Decryption is simply the same operation with the keys reversed.

Page 13:

  – With three distinct keys, 3DES has an effective key length of 168 bits.
  – With K1 = K3, the effective key length is 112.

• Other Symmetric Block Ciphers
  – Rather than totally reinventing the wheel, virtually all contemporary conventional block encryption algorithms use the basic Feistel block structure (the one similar to that of DES).
  – Some popular conventional encryption algorithms are summarized in the table on the next page.

Page 14:

| Algorithm | Key Size (bits) | Number of Rounds | Mathematical Operations | Applications |
|---|---|---|---|---|
| DES | 56 | 16 | XOR, fixed S-boxes | SET, Kerberos |
| Triple DES | 112 or 168 | 48 | XOR, fixed S-boxes | Financial key management, PGP, S/MIME |
| IDEA | 128 | 8 | XOR, addition, multiplication | PGP |
| Blowfish | Variable to 448 | 16 | XOR, variable S-boxes, addition | |
| RC5 | Variable to 2048 | Variable to 255 | Addition, subtraction, XOR, rotation | |
| CAST-128 | 40 to 128 | 16 | Addition, subtraction, XOR, rotation, fixed S-boxes | PGP |

Conventional Encryption Algorithms

Page 15:

Message Authentication

• Protection against falsification of data and transactions.
• Message authentication is a procedure that allows communicating parties to verify that received messages are authentic.
  – Contents of the message have not been altered.
  – Source is authentic.
  – Message’s timeliness
  – Sequence relative to other messages flowing between two parties.

Page 16:

• Using conventional encryption
  – Assume that only the sender and receiver share a key.
  – Only the genuine sender would be able to encrypt a message successfully.
  – Include error-detection code and sequence number.
    • Assured that no alterations have been made, and
    • Sequencing is proper.
  – Include timestamp
    • Assured that the message has not been delayed.

Page 17:

• Without message encryption
  – An authentication tag is generated and appended to each message.
  – The message itself is not encrypted and can be read at the destination independent of the authentication function.
  – Message confidentiality is not provided.
    • Broadcast
    • One side has a heavy load and cannot afford the time to decrypt all incoming messages.
    • Authentication of a computer program in plaintext is an attractive service (save execution time).

Page 18:

• Message authentication code
  – Involves the use of a secret key to generate a small block of data.
    • known as message authentication code.
  – Both parties share a common secret key $K_{AB}$
  – When A sends a message to B
    • It calculates the message authentication code
    • $MAC_M = F(K_{AB}, M)$
    • The recipient performs the same calculation on the received message.
    • The received code is compared to the calculated code.

Page 19:

[Figure: Message Authentication using a Message Authentication Code (MAC). The sender runs the MAC algorithm over the message with key K and transmits the message together with the MAC; the receiver runs the MAC algorithm over the received message with key K and compares the result with the received MAC.]
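An added example (not from the original slides) of the MAC check described on pages 16 to 19, with the sequence number and timestamp covered by the tag. HMAC-SHA-256 standing in for F, the packet layout, the key and the 30-second freshness window are all assumptions made for the illustration.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32   # HMAC-SHA-256 output size in bytes
HDR_LEN = 16   # 8-byte sequence number + 8-byte timestamp (assumed layout)


def mac(k_ab: bytes, seq: int, timestamp: int, message: bytes) -> bytes:
    """MAC_M = F(K_AB, M), with F assumed to be HMAC-SHA-256.

    The sequence number and timestamp are part of the MAC input, so they
    cannot be changed without invalidating the tag.
    """
    header = struct.pack(">QQ", seq, timestamp)
    return hmac.new(k_ab, header + message, hashlib.sha256).digest()


def build_packet(k_ab: bytes, seq: int, timestamp: int, message: bytes) -> bytes:
    """Sender A: plaintext header and message, followed by the tag."""
    header = struct.pack(">QQ", seq, timestamp)
    return header + message + mac(k_ab, seq, timestamp, message)


class Receiver:
    """Receiver B: recomputes the MAC, then checks sequence and timeliness."""

    def __init__(self, k_ab: bytes, max_age: int = 30):
        self.k_ab = k_ab
        self.max_age = max_age   # seconds a message may spend in transit
        self.next_seq = 0        # next sequence number B will accept

    def receive(self, packet: bytes, now: int):
        if len(packet) < HDR_LEN + TAG_LEN:
            return "malformed", None
        header = packet[:HDR_LEN]
        message = packet[HDR_LEN:-TAG_LEN]
        tag = packet[-TAG_LEN:]
        seq, timestamp = struct.unpack(">QQ", header)
        expected = mac(self.k_ab, seq, timestamp, message)
        # compare_digest runs in constant time, so the comparison does not
        # reveal how many leading bytes of a wrong tag happened to match.
        if not hmac.compare_digest(tag, expected):
            return "bad-mac", None
        if seq != self.next_seq:
            return "out-of-sequence", None
        if abs(now - timestamp) > self.max_age:
            return "stale", None
        self.next_seq += 1
        return "ok", message


def demo():
    """Run four constructed deliveries and return B's verdict for each."""
    k_ab = b"constructed-demo-key-shared-by-A-and-B"
    receiver = Receiver(k_ab)
    first = build_packet(k_ab, 0, 1000, b"transfer 10 to Carol")
    second = build_packet(k_ab, 1, 1002, b"transfer 20 to Dave")
    altered = bytearray(second)
    altered[HDR_LEN + 9] ^= 0x01   # flip one bit inside the message
    return [
        receiver.receive(first, now=1001),           # untouched, on time
        receiver.receive(bytes(altered), now=1003),  # contents altered
        receiver.receive(first, now=1004),           # old packet sent again
        receiver.receive(second, now=1100),          # genuine but delayed
    ]


if __name__ == "__main__":
    for status, message in demo():
        print(status, message)
```

The message travels in the clear throughout, which is the "without message encryption" case: the tag gives integrity, origin, ordering and timeliness, but no confidentiality.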

Page 20:

• One-way Hash Function
  – A hash function accepts a variable-size message M as input and produces a fixed-size message digest H(M) as output.
  – Unlike the MAC, a hash function does not also take a secret key as input.
  – To authenticate a message, the message digest is sent with the message in such a way that the message digest is authentic.

Page 21:

(a) Using conventional encryption

[Figure: the sender computes H over the message, encrypts the digest with E under key K, and transmits it with the message; the receiver decrypts the digest with D under key K and compares it with its own H of the received message.]

Page 22:

(b) Using public-key encryption

[Figure: the sender computes H over the message, encrypts the digest with E under K(private), and transmits it with the message; the receiver decrypts the digest with D under K(public) and compares it with its own H of the received message.]

Page 23:

(c) Using secret value

[Figure: the sender computes H over the message combined with the secret value and transmits the digest with the message; the receiver computes H over the received message combined with the secret value and compares.]

Page 24:

Secure Hash Functions

• One-way hash function
• Important for
  – Message authentication
  – Digital signatures
• Produce a “fingerprint” for a file, message or block of data.

Page 25:

• Requirements (for hash function H)
  1. H can be applied to a block of data of any size.
  2. H produces a fixed-length output.
  3. H(x) is relatively easy to compute for any given x, making both hardware and software implementations practical.
  4. For any given code h, it is computationally infeasible to find x such that H(x) = h.
  5. For any given block x, it is computationally infeasible to find y ≠ x with H(y) = H(x).
  6. It is computationally infeasible to find any pair (x, y) such that H(x) = H(y).

Page 26:

  – The first three properties are requirements for practical applications.
  – The 4th property is the “one-way” property.
    • For the authentication technique that involves the use of a secret value (method c)
  – The 5th property prevents forgery when an encrypted hash code is used.
    • For methods (a) and (b).
  – Without the 6th property, it is called a weak hash function; otherwise it is a strong hash function.
  – The 6th property is used to protect against the birthday attack.

Page 27:

• Birthday paradox
  – It gets its name from the surprising result that the probability that two or more people in a group of 23 share the same birthday is greater than 1/2.
  – If some function, when supplied with a random input, returns one of k equally-likely values, then by repeatedly evaluating the function for different inputs, we expect to obtain the same output after about $1.2k^{1/2}$ evaluations. For the above birthday paradox, replace k with 365.

Page 28:

• Details of the attack
  – The source A is prepared to sign a message by appending an m-bit signature.
  – The opponent
    • generates $2^{m/2}$ variations of the message, all conveying the same meaning.
    • prepares a fraudulent message, and $2^{m/2}$ variations of the fraudulent message.
    • matches the two sets to find a pair of messages with equal hash code.
    • by the birthday paradox, the probability of success is high.
    • offers A a valid message for signature.
    • attaches the fraudulent copy with the signature.
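An added example (not part of the original slides) that checks the birthday figures from page 27 and shows on a deliberately short hash code why an m-bit digest offers only about m/2 bits of collision resistance. The 20-bit truncation of SHA-256, the two sample messages, the spacing trick for making variations, and the use of $2^{m/2+2}$ variations per set (instead of $2^{m/2}$, so that a match is near certain rather than merely likely) are all choices made for the illustration.

```python
import hashlib
import math


def birthday_probability(n: int, k: int = 365) -> float:
    """Probability that n uniform draws from k values contain a repeat."""
    p_all_distinct = 1.0
    for i in range(n):
        p_all_distinct *= (k - i) / k
    return 1.0 - p_all_distinct


def expected_evaluations(k: int) -> float:
    """The slide's rule of thumb: about 1.2 * sqrt(k) evaluations."""
    return 1.2 * math.sqrt(k)


def toy_hash(data: bytes, m: int) -> int:
    """m-bit hash code: the first m bits of SHA-256 (deliberately short)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - m)


def variation(words, choice: int) -> bytes:
    """Same words, same meaning, different bytes.

    Bit j of `choice` selects one or two spaces after word j.
    """
    parts = []
    for j, word in enumerate(words[:-1]):
        parts.append(word + ("  " if (choice >> j) & 1 else " "))
    return ("".join(parts) + words[-1]).encode()


# Constructed sample messages: 15 words each, so 14 spacing choices.
VALID = ("I agree to pay the supplier one hundred dollars "
         "on delivery of the goods listed").split()
FRAUD = ("I agree to pay the supplier nine thousand dollars "
         "on delivery of the goods listed").split()


def matching_pair(m: int, choice_bits: int):
    """Compare 2**choice_bits variations of each message on their m-bit code.

    Returns (valid_variation, fraudulent_variation) with equal hash codes,
    or None if the two sets share no code.
    """
    seen = {}
    for choice in range(2 ** choice_bits):
        message = variation(VALID, choice)
        seen[toy_hash(message, m)] = message
    for choice in range(2 ** choice_bits):
        message = variation(FRAUD, choice)
        twin = seen.get(toy_hash(message, m))
        if twin is not None:
            return twin, message
    return None


if __name__ == "__main__":
    print("P(repeat among 23 birthdays) =", round(birthday_probability(23), 4))
    print("1.2 * sqrt(365) =", round(expected_evaluations(365), 1))
    m = 20
    pair = matching_pair(m, m // 2 + 2)
    if pair:
        valid, fraud = pair
        print(hex(toy_hash(valid, m)), valid)
        print(hex(toy_hash(fraud, m)), fraud)
```

About 8,000 hash evaluations are enough against a 20-bit code; the same search against a 160-bit digest would need on the order of $2^{80}$ evaluations, which is why the digest length has to be roughly twice the security level wanted.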

Page 29:

• SHA-1 secure hash function
  – The secure hash algorithm (SHA) was developed by the National Institute of Standards and Technology (NIST).
  – Published as a federal information processing standard (FIPS PUB 180) in 1993.
  – The revised version was issued in 1995 and is generally referred to as SHA-1.
  – Input message with max length of $2^{64}$ bits.
  – Output a 160-bit message digest.

Page 30:

• Steps
  1. Append padding bits
     – Length is congruent to 448 modulo 512.
     – 64 bits less than a multiple of 512.
  2. Append length
     – 64 bits
  3. Initialize MD buffer
     – A 160-bit buffer is used to hold intermediate and final results.
     – A = 67452301
     – B = EFCDAB89
     – C = 98BADCFE
     – D = 10325476
     – E = C3D2E1F0
  4. Process message in 512-bit (16 words) blocks
     – compression function.

Page 31:

Source: http://cwx.prenhall.com/bookbind/pubbooks/stallings8/chapter0/deluxe.html

Page 32:

• Other Secure Hash Functions
  – As was the case with symmetric block ciphers, designers of secure hash functions have been reluctant to depart from a proven structure.
  – DES: Feistel cipher
    • Virtually all subsequent block ciphers follow the Feistel design.
  – Similarly, most important modern hash functions follow the basic structure of SHA.
  – The structure can produce a secure hash function.
  – Concentrate on designing a collision-resistant compression function.

Page 33:

• MD5 Message Digest Algorithm
  – Latest version of MDs (MD2, MD4)
  – Developed by Ron Rivest.
  – Input: arbitrary length.
  – Output: 128-bit message digest.
  – The difficulty of coming up with two messages having the same message digest is on the order of $2^{64}$ operations.
  – Finding a message with a given digest is on the order of $2^{128}$ operations.
  – Recently, a number of cryptanalytic attacks have been developed.

Page 34:

Source: http://cwx.prenhall.com/bookbind/pubbooks/stallings8/chapter0/deluxe.html

Page 35:

Source: http://cwx.prenhall.com/bookbind/pubbooks/stallings8/chapter0/deluxe.html

Page 36:

| | MD5 | SHA-1 | RIPEMD-160 |
|---|---|---|---|
| Digest length | 128 bits | 160 bits | 160 bits |
| Basic unit of processing | 512 bits | 512 bits | 512 bits |
| Number of steps | 64 (4 rounds of 16) | 80 (4 rounds of 20) | 160 (5 paired rounds of 16) |
| Maximum message size | | $2^{64} - 1$ | |
| Primitive logical functions | 4 | 4 | 5 |
| Additive constants used | 64 | 4 | 9 |

Page 37:

• Public-Key Cryptography
  – First proposed by Diffie and Hellman in 1976.
  – Asymmetric Keys
    • Two separate keys for encryption and decryption.
  – Based on mathematical functions rather than on simple operations on bit patterns.
  – A public-key encryption scheme has six ingredients:
    • Plaintext
    • Encryption algorithm
    • Public and private key
    • Ciphertext
    • Decryption algorithm

Page 38:

Source: http://cwx.prenhall.com/bookbind/pubbooks/stallings8/chapter0/deluxe.html

Page 39:

– Essential steps for public-key cryptographic system:

1. Each user generates a pair of keys for encryption and decryption.

2. Places one of the two keys in a public register (or other accessible file). The companion key is kept private.

3. The sender encrypts the message with the receiver’s public key.

4. The receiver decrypts the message with his private key.

Page 40:

• Applications for public-key cryptosystems
  – Encryption/decryption
  – Digital signature
  – Key exchange

| Algorithm | Encryption/decryption | Digital Signature | Key Exchange |
|---|---|---|---|
| RSA | yes | yes | yes |
| Diffie-Hellman | no | no | yes |
| DSS | no | yes | no |
| Elliptic Curve | yes | yes | yes |

Page 41:

  – Requirements for public-key cryptography
    • Computationally easy to generate a pair of public key and private key.
    • Computationally easy for a sender to encrypt a message with a public key.
    • Computationally easy to decrypt the ciphertext with the private key.
    • Computationally infeasible for an opponent, knowing the public key, to determine the private key.
    • Computationally infeasible for an opponent, knowing the public key and a ciphertext, to recover the original message.
    • Either of the two related keys can be used for encryption, with the other used for decryption. (not necessary but useful)

Page 42:

• RSA
  – The public and private keys are generated based on the following rules:
    1. Choose two large prime numbers p and q and calculate their product n.
    2. Find a number e that is relatively prime to (p-1)*(q-1). The public key consists of {e,n}.
    3. Find a number d such that d*e = 1 mod ((p-1)(q-1))
    4. The private key is {d,n}.
  – The algorithm is based on the fact that, if P < n,

    $P^{de} \bmod n = P \bmod n$

Page 43:

  – Let P be a binary block of plaintext of length smaller than that of the key. RSA encrypts P as follows:

    $C = P^e \bmod n$

  – To decrypt the ciphertext C, the RSA algorithm raises C to the power d and reduces the result modulo n:

    $C^d \bmod n = (P^e)^d \bmod n = P^{de} \bmod n = P \bmod n = P$

  – Why is RSA secure?
  – Factoring large integers n is very computationally intensive using currently available techniques.

Page 44:

• Example
  – p = 5, q = 11.
  – Then n = 55 and (p-1)(q-1) = 40.
  – Next find a number e that is relatively prime to 40, say 7.
  – The multiplicative inverse of 7 modulo 40 yields d = 23.
  – Public key is {7,55}
  – Private key is {23,55}.
  – Suppose the plaintext is 18, 19, 1

Page 45:

$C_1 = 18^7 \bmod 55 = 17$
$C_2 = 19^7 \bmod 55 = 24$
$C_3 = 1^7 \bmod 55 = 1$

the decryption produces

$17^{23} \bmod 55 = 18$
$24^{23} \bmod 55 = 19$
$1^{23} \bmod 55 = 1$

Page 46:

  – How do we calculate modular arithmetic involving large numbers?
  – Use this property:

    $(a \cdot b) \bmod n = ((a \bmod n) \cdot (b \bmod n)) \bmod n$

  – For example

    $17^{23} \bmod 55 = 17^{16+4+2+1} \bmod 55 = (17^{16} \cdot 17^{4} \cdot 17^{2} \cdot 17) \bmod 55$

    $17^{2} \bmod 55 = (17 \bmod 55)(17 \bmod 55) \bmod 55,$
    $17^{4} \bmod 55 = (17^{2} \bmod 55)(17^{2} \bmod 55) \bmod 55,$
    $17^{8} \bmod 55 = (17^{4} \bmod 55)(17^{4} \bmod 55) \bmod 55,$
    $17^{16} \bmod 55 = (17^{8} \bmod 55)(17^{8} \bmod 55) \bmod 55$
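The key generation rules, the p = 5, q = 11 example and the repeated-squaring calculation from pages 42 to 46, carried through in code. This is an added example, not part of the original slides; the function names are hypothetical, and the scheme is textbook RSA without padding on a toy modulus, for illustration only.

```python
def mod_inverse(e: int, phi: int) -> int:
    """Extended Euclid: return d with (d * e) mod phi == 1."""
    old_r, r = e, phi
    old_s, s = 1, 0
    while r:
        quotient = old_r // r
        old_r, r = r, old_r - quotient * r
        old_s, s = s, old_s - quotient * s
    if old_r != 1:
        raise ValueError("e is not relatively prime to (p-1)(q-1)")
    return old_s % phi


def squares(base: int, n: int, top: int) -> dict:
    """base^1, base^2, base^4, ... up to base^top (mod n).

    Each entry is the previous one squared and reduced, exactly as in the
    17^2, 17^4, 17^8, 17^16 chain on page 46.
    """
    table, power, value = {}, 1, base % n
    while power <= top:
        table[power] = value
        value = (value * value) % n
        power *= 2
    return table


def mod_exp(base: int, exponent: int, n: int) -> int:
    """Square-and-multiply using (a*b) mod n = ((a mod n)*(b mod n)) mod n.

    The bits of the exponent select which squares are multiplied together,
    so no intermediate value ever exceeds n * n.
    """
    result, square = 1, base % n
    while exponent:
        if exponent & 1:
            result = (result * square) % n
        square = (square * square) % n
        exponent >>= 1
    return result


def make_keys(p: int, q: int, e: int):
    """Return ({e, n}, {d, n}) following rules 1 to 4 on page 42."""
    n = p * q
    phi = (p - 1) * (q - 1)
    return (e, n), (mod_inverse(e, phi), n)


def encrypt(block: int, public_key) -> int:
    e, n = public_key
    if not 0 <= block < n:
        raise ValueError("plaintext block must be smaller than n")
    return mod_exp(block, e, n)


def decrypt(cipher: int, private_key) -> int:
    d, n = private_key
    return mod_exp(cipher, d, n)


def recover_private_key(public_key):
    """Factor n by trial division and rebuild {d, n}.

    Instant for n = 55; the security of RSA rests on this search being
    infeasible when p and q are large primes.
    """
    e, n = public_key
    p = next(f for f in range(2, n) if n % f == 0)
    return make_keys(p, n // p, e)[1]


if __name__ == "__main__":
    public, private = make_keys(5, 11, 7)
    cipher = [encrypt(block, public) for block in (18, 19, 1)]
    print("public", public, "private", private)
    print("ciphertext", cipher)
    print("decrypted", [decrypt(c, private) for c in cipher])
    print("squares of 17 mod 55", squares(17, 55, 16))
```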

Page 47:

• Diffie-Hellman Key Exchange
  – Enables two users to agree on the same secret key.
  – Depends for its effectiveness on the difficulty of computing discrete logarithms.
  – Background
    • A primitive root of a prime number p is one whose powers generate all the integers from 1 to p-1.
    • i.e. if a is a primitive root of a prime p, then

      $a \bmod p,\ a^{2} \bmod p,\ \ldots,\ a^{p-1} \bmod p$

      are distinct and consist of the integers from 1 through p – 1 in some permutation.

Page 48:

    • For any integer b and a primitive root a of prime number p, one can find a unique exponent i such that

      $b = a^{i} \bmod p, \quad \text{where } 0 \le i \le (p-1)$

    • The exponent i is referred to as the discrete logarithm of b for the base a mod p.
  – Algorithm
    • There are two publicly known numbers
      – A prime number q
      – An integer a that is a primitive root of q.

Page 49:

    • User A key generation
      – Select private key $X_A < q$
      – Calculate $Y_A = a^{X_A} \bmod q$
    • User B key generation
      – Select private key $X_B < q$
      – Calculate $Y_B = a^{X_B} \bmod q$
    • Each side keeps the X value private and makes the Y value available publicly.
    • A computes the key $K = (Y_B)^{X_A} \bmod q$
    • B computes the key $K = (Y_A)^{X_B} \bmod q$
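The exchange from pages 47 to 49 with small numbers, as an added example that is not part of the original slides. The values q = 23, a = 5, X_A = 6 and X_B = 15 are constructed for the demo, and the function names are hypothetical; the exhaustive discrete-log search at the end works only because q is tiny.

```python
def is_primitive_root(a: int, q: int) -> bool:
    """True if a mod q, a^2 mod q, ..., a^(q-1) mod q are 1..q-1 in some order."""
    return sorted(pow(a, i, q) for i in range(1, q)) == list(range(1, q))


def public_value(a: int, q: int, x: int) -> int:
    """Y = a^X mod q for a private key X < q."""
    if not 0 < x < q:
        raise ValueError("private key must satisfy 0 < X < q")
    return pow(a, x, q)


def shared_key(y_other: int, x_own: int, q: int) -> int:
    """K = (Y_other)^(X_own) mod q, computed from the peer's public value."""
    return pow(y_other, x_own, q)


def discrete_log(b: int, a: int, q: int) -> int:
    """Smallest i >= 0 with a^i mod q == b, found by trying every exponent.

    The search takes up to q steps, which is what an observer holding only
    a, q and a public Y would face; it is feasible here only because q = 23.
    """
    value = 1
    for i in range(q):
        if value == b:
            return i
        value = (value * a) % q
    raise ValueError("b is not a power of a modulo q")


def exchange(a: int, q: int, x_a: int, x_b: int) -> dict:
    """Run both sides of the exchange and return what each one computes."""
    if not is_primitive_root(a, q):
        raise ValueError("a must be a primitive root of q")
    y_a = public_value(a, q, x_a)      # A publishes Y_A, keeps X_A private
    y_b = public_value(a, q, x_b)      # B publishes Y_B, keeps X_B private
    return {
        "Y_A": y_a,
        "Y_B": y_b,
        "K_A": shared_key(y_b, x_a, q),   # A: (Y_B)^(X_A) mod q
        "K_B": shared_key(y_a, x_b, q),   # B: (Y_A)^(X_B) mod q
    }


if __name__ == "__main__":
    q, a = 23, 5                       # constructed public parameters
    print("5 is a primitive root of 23:", is_primitive_root(a, q))
    print("2 is a primitive root of 23:", is_primitive_root(2, q))
    result = exchange(a, q, x_a=6, x_b=15)
    print(result)
    # With a 23-element group the private key falls to exhaustive search.
    print("log_5(Y_A) mod 23 =", discrete_log(result["Y_A"], a, q))
```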

Page 50:

X.509 Authentication Service

• X.509 defines a framework for the provision of authentication services by the X.500 directory to its users.
• The directory may serve as a repository of public-key certificates.
• The heart of the X.509 scheme is the public-key certificate associated with each user.
• The X.509 certificate format is used in S/MIME, IP Security, SSL/TLS, and SET.
• These user certificates are assumed to be created by some trusted certification authority (CA) and placed in the directory by the CA or by the user.

Page 51:

Source: http://cwx.prenhall.com/bookbind/pubbooks/stallings8/chapter0/deluxe.html

Page 52:

• Characteristics of certificates generated by a CA
  – Any user with access to the public key of the CA can recover the user public key that was certified.
  – No party other than the CA can modify the certificate without being detected.
• All users subscribed to the same CA have a common trust in that CA.
• All user certificates can be placed in the directory for access by all users.
• For a large community, it may be more practical to have more than one CA.
  – Each CA provides its public key to some fraction of the users.

Page 53:

• Problem
  – Suppose A obtains a certificate from CA X1
  – B obtains a certificate from CA X2.
  – If A does not know the public key of X2, then B’s certificate is useless to A.
• Solution
  – If the two CAs have securely exchanged their public keys, A can obtain B’s public key.
    • A obtains X2’s certificate signed by X1
    • Then A can obtain X2’s public key.
    • Hence A can obtain the certificate of B signed by X2.

Page 54:

    • The chain is X1<<X2>>X2<<B>>
    • Where Y<<X>> = the certificate of user X issued by CA Y.
    • Similarly, B can obtain A’s public key: X2<<X1>>X1<<A>>
  – In general, a chain with N elements can be expressed as X1<<X2>>X2<<X3>>…XN<<B>>
  – All these certificates of CAs by CAs need to appear in the directory, and the user needs to know how they are linked to follow a path.
  – X.509 suggests that CAs be arranged in a hierarchy so that navigation is straightforward.

Page 55:

Source: http://cwx.prenhall.com/bookbind/pubbooks/stallings8/chapter0/deluxe.html

Page 56:

• The directory of each CA X includes two types of certificates.
  – Forward certificates
    • Certificates of X generated by other CAs.
  – Reverse certificates
    • Certificates generated by X that are the certificates of other CAs.
  – Certification path from A to B: X<<W>>W<<V>>V<<Y>>Y<<Z>>Z<<B>> (assume X doesn't have X<<Z>>)
  – Certification path from B to A: Z<<Y>>Y<<V>>V<<W>>W<<X>>X<<A>> (assume Z doesn't have Z<<X>>)

Page 57:

• Revocation of certificate
  – Certificate may be revoked because
    • The user’s secret key is assumed to be compromised.
    • The user is no longer certified by this CA.
    • The CA’s certificate is assumed to be compromised.
  – Each CA must maintain a list consisting of all revoked but not expired certificates issued by that CA.
  – User could check the directory each time a certificate is received.
  – User may maintain a local cache of certificates and lists of revoked certificates.

Page 58:

• One-way authentication

  A → B: $A\{t_A, r_A, B, \text{sgnData}, E_{KU_b}[K_{ab}]\}$

Page 59:

• Two-way authentication

  A → B: $A\{t_A, r_A, B, \text{sgnData}, E_{KU_b}[K_{ab}]\}$
  B → A: $B\{t_B, r_B, A, r_A, \text{sgnData}, E_{KU_a}[K_{ba}]\}$

Page 60:

• Three-way authentication

  A → B: $A\{t_A, r_A, B, \text{sgnData}, E_{KU_b}[K_{ab}]\}$
  B → A: $B\{t_B, r_B, A, r_A, \text{sgnData}, E_{KU_a}[K_{ba}]\}$
  A → B: $A\{r_B\}$

Page 61:

Secure Socket Layer

• SSL was originated by Netscape.
• Version 3 of the protocol was designed with public review and input from industry.
• It is designed to make use of TCP to provide a reliable end-to-end secure service.
• It consists of two layers of protocols.
• The SSL Record Protocol provides basic security services to various higher layer protocols.
• HTTP can operate on SSL.
• SSL-specific protocols
  – Handshake Protocol
  – Change Cipher Spec Protocol
  – Alert Protocol

Page 62:

Source: http://cwx.prenhall.com/bookbind/pubbooks/stallings8/chapter0/deluxe.html

Page 63:

• Two important SSL concepts
  – Session
    • An association between a client and a server.
    • Created by the handshake protocol.
    • Defines a set of cryptographic security parameters, which can be shared by multiple connections.
  – Connection
    • A connection is a transport that provides a suitable type of service.
    • Peer-to-peer relation
    • Connections are transient.
    • Every connection is associated with one session.

Page 64:

• SSL record protocol
  – Provides two services
    • Confidentiality
      – The handshake protocol defines a shared secret key that is used for conventional encryption of SSL payload.
    • Message Integrity
      – The handshake protocol also defines a shared secret key that is used to form a message authentication code.
  – Takes an application message to be transmitted
    • Fragments the data
    • Optionally compresses the data
    • Applies a MAC
    • Encrypts
    • Adds a header
    • Transmits it in TCP

Page 65:

Source: http://cwx.prenhall.com/bookbind/pubbooks/stallings8/chapter0/deluxe.html

Page 66:

Source: http://cwx.prenhall.com/bookbind/pubbooks/stallings8/chapter0/deluxe.html

Page 67:

• Handshake protocol (see diagram on the previous page)
  – Allows the server and client to authenticate each other.
  – To negotiate an encryption and MAC algorithm and cryptographic keys.
  – Phase 1: Establish Security Capabilities
    • Initiate a logical connection and establish the security capabilities associated with it.
    • Initiated by the client with a client_hello message with
      – Version
        » Highest SSL version understood by client
      – Random
        » Random to prevent replay attack.

Page 68:

      – Session ID
        » Session identifier
      – CipherSuite
        » List of cryptographic algorithms supported by the client.
      – Compression Method
        » List of compression methods supported by the client.
  – Phase 2: Server Authentication and Key Exchange
    • Server begins by sending its certificate
      – The message contains one or a chain of X.509 certificates.
      – The certificate message may be required for any agreed-on key exchange.

Page 69:

    • Send server_key_exchange message if required.
    • Send certificate_request message
      – Certificate_type
        » Indicates the public-key algorithm and its use.
      – Certificate authorities
        » A list of the distinguished names of acceptable certificate authorities.
    • Send server_done message
  – Phase 3: Client Authentication and Key Exchange
    • The client will first validate the certificate and parameter in the server_hello message.
    • Send certificate if it is requested by server.

Page 70:

    • Send client_key_exchange message
      – The content depends on the type of the key exchange.
    • Send certificate_verify message
      – Only sent following any client certificate that has signing capability.
  – Phase 4: Finish
    • The client sends change_cipher_spec message
      – Uses SSL record protocol
      – Consists of a single byte with value 1.
      – Causes the pending state to be copied into the current state, which updates the cipher suite to be used on this connection.
    • Client sends finished message
      – Under new algorithms, key and secrets
      – Verifies that the key exchange and authentication processes were successful.
    • Server sends change_cipher_spec message
    • Server sends its finished message.