Page 1: UNIT_1_ANS

St. Vincent Pallotti College of Engg. & Tech., Nagpur
Department of CE & IT

Computer System Security
UNIT: I

Q.1) Write an algorithm for S-DES and analyze it.

The most widely used private-key block cipher is the Data Encryption Standard (DES). It was adopted in 1977 by the National Bureau of Standards as Federal Information Processing Standard 46 (FIPS PUB 46). DES encrypts data in 64-bit blocks using a 56-bit key. DES enjoys widespread use. It has also been the subject of much controversy over its security.

DES encryption:


The overall scheme for DES encryption is illustrated in Stallings Figure 3.4, which takes as input 64 bits of data and 64 bits of key. The left side shows the basic process for enciphering a 64-bit data block, which consists of:
- an initial permutation (IP) which shuffles the 64-bit input block
- 16 rounds of a complex key-dependent round function involving substitutions and permutations
- a final permutation, being the inverse of IP

The right side shows the handling of the 56-bit key and consists of:
- an initial permutation of the key (PC1) which selects 56 bits out of the 64-bit input, in two 28-bit halves
- 16 stages to generate the 48-bit subkeys using a left circular shift and a permutation of the two 28-bit halves.

The initial permutation and its inverse are defined by tables, as shown in Stallings Tables 3.2a and 3.2b, respectively. The tables are to be interpreted as follows. The input to a table consists of 64 bits numbered left to right from 1 to 64. The 64 entries in the permutation table contain a permutation of the numbers from 1 to 64. Each entry in the permutation table indicates the position of a numbered input bit in the output, which also consists of 64 bits. Note that the bit numbering for DES reflects IBM mainframe practice and is the opposite of what we now mostly use, so be careful! Bits are numbered from bit 1 (leftmost, most significant) to bit 32/48/64 etc. (rightmost, least significant). Note that examples are specified in hexadecimal. Here a 64-bit plaintext value of “675a6967 5e5a6b5a” (written in left and right halves) after permuting with IP becomes “ffb2194d 004df6fb”.

The internal structure of the DES round function F takes the R half and the subkey and processes them through E (expansion), subkey addition, S (the S-boxes) and P (permutation). This follows the classic structure of a Feistel cipher. Note that the S-boxes provide the “confusion” of data and key values, whilst the permutation P then spreads this as widely as possible, so that each S-box output affects as many S-box inputs in the next round as possible, giving “diffusion”.

DES Round Structure


The figure illustrates the internal structure of the DES round function F. The R input is first expanded to 48 bits using expansion table E, which defines a permutation plus an expansion that duplicates 16 of the R bits. The resulting 48 bits are XORed with Ki. This 48-bit result passes through a substitution function comprising 8 S-boxes, each of which maps 6 input bits to 4 output bits, producing a 32-bit output, which is then permuted by permutation P.

DES Decryption

As with any Feistel cipher, DES decryption uses the same algorithm as encryption except that the subkeys are used in reverse order, SK16 .. SK1. If you trace through the DES overview diagram you can see how each decryption step, moving from top to bottom with reversed subkeys, undoes the equivalent encryption step moving from bottom to top.

Strength of DES:
1. Key Size
2. Analytic Attacks
3. Timing Attacks
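The question asks for S-DES, the 8-bit-block, 10-bit-key teaching version of the cipher described above. The following Python program is an added example, not part of these notes: it implements S-DES with the standard P10/P8/IP/EP/P4 tables and S0/S1 boxes, encrypts one block with the same Feistel round structure as DES (expansion, subkey XOR, S-box substitution, permutation), decrypts by running the same network with the two subkeys reversed, and, as the "analyze it" part, searches the entire 1024-key space for the keys consistent with one known plaintext/ciphertext pair. The key and plaintext values are constructed for the demonstration.

```python
# Simplified DES (S-DES): 8-bit block, 10-bit key, two Feistel rounds.
# Added example, not part of these notes. The tables are the standard S-DES
# ones (P10, P8, IP, EP, P4, S0, S1); the key and plaintext below are constructed.

P10 = (3, 5, 2, 7, 4, 10, 1, 9, 8, 6)
P8 = (6, 3, 7, 4, 8, 5, 10, 9)
IP = (2, 6, 3, 1, 4, 8, 5, 7)
IP_INV = (4, 1, 3, 5, 7, 2, 8, 6)
EP = (4, 1, 2, 3, 2, 3, 4, 1)      # expansion/permutation: 4 bits -> 8 bits
P4 = (2, 4, 3, 1)
S0 = ((1, 0, 3, 2), (3, 2, 1, 0), (0, 2, 1, 3), (3, 1, 3, 2))
S1 = ((0, 1, 2, 3), (2, 0, 1, 3), (3, 0, 1, 0), (2, 1, 0, 3))


def permute(bits: str, table) -> str:
    """DES-style permutation: table entries are 1-indexed input positions, bit 1 leftmost."""
    return "".join(bits[i - 1] for i in table)


def xor(a: str, b: str) -> str:
    return "".join("1" if x != y else "0" for x, y in zip(a, b))


def rotl(bits: str, n: int) -> str:
    return bits[n:] + bits[:n]


def key_schedule(key: str):
    """Derive the two 8-bit subkeys K1, K2 from a 10-bit key (P10, LS-1, P8, LS-2, P8)."""
    k = permute(key, P10)
    left, right = rotl(k[:5], 1), rotl(k[5:], 1)
    k1 = permute(left + right, P8)
    left, right = rotl(left, 2), rotl(right, 2)
    k2 = permute(left + right, P8)
    return k1, k2


def sbox(bits: str, box) -> str:
    """4-bit S-box lookup: outer bits select the row, inner bits the column."""
    row = int(bits[0] + bits[3], 2)
    col = int(bits[1] + bits[2], 2)
    return format(box[row][col], "02b")


def round_function(right: str, subkey: str) -> str:
    """F(R, K): expand R, XOR the subkey, substitute through S0 and S1, permute with P4."""
    x = xor(permute(right, EP), subkey)
    return permute(sbox(x[:4], S0) + sbox(x[4:], S1), P4)


def feistel(block: str, subkeys) -> str:
    """Two Feistel rounds with a swap of the halves between them."""
    left, right = block[:4], block[4:]
    left = xor(left, round_function(right, subkeys[0]))
    left, right = right, left
    left = xor(left, round_function(right, subkeys[1]))
    return left + right


def sdes_encrypt(plaintext: str, key: str) -> str:
    k1, k2 = key_schedule(key)
    return permute(feistel(permute(plaintext, IP), (k1, k2)), IP_INV)


def sdes_decrypt(ciphertext: str, key: str) -> str:
    # Same network, subkeys in reverse order: the Feistel decryption property.
    k1, k2 = key_schedule(key)
    return permute(feistel(permute(ciphertext, IP), (k2, k1)), IP_INV)


def keys_consistent_with(plaintext: str, ciphertext: str):
    """Analysis: exhaustive search of the 2^10 keys for those mapping plaintext to ciphertext."""
    return [format(k, "010b") for k in range(1024)
            if sdes_encrypt(plaintext, format(k, "010b")) == ciphertext]


if __name__ == "__main__":
    key, pt = "1010000010", "11010111"       # constructed demo values
    ct = sdes_encrypt(pt, key)
    print(key_schedule(key), ct, sdes_decrypt(ct, key))
    print(len(keys_consistent_with(pt, ct)), "keys consistent with one known pair")
```

The exhaustive search is the analysis point: with only 2^10 keys, one known plaintext/ciphertext pair leaves a handful of candidates and a second pair almost always pins the key down, which is why S-DES is a classroom model and not a cipher.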

Q.2) Encrypt the plaintext “read between the lines” using the keyword “KNIGHT”.

Plaintext: read between the lines
Keyword: KNIGHT

Using the Playfair cipher encryption method, the plaintext READ BETWEEN THE LINES is split into digraphs (an X is inserted between the repeated E's):

RE AD BE TW EX EN TH EL IN ES


Thus the 5x5 matrix can be constructed as follows (I and J share one cell):

K N I G H
T A B C D
E F L M O
P Q R S U
V W X Y Z

Plaintext - Ciphertext
RE - PL
AD - BT
BE - TL
TW - AV
EX - LV
EN - FK
TH - DK
EL - FM
IN - GI
ES - MP

Thus, the required ciphertext is PLBTTLAVLVFKDKFMGIMP.
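The Playfair encryption worked by hand above, as an added Python example that is not part of these notes. It builds the key square from the keyword, splits the plaintext into digraphs, and applies the three Playfair rules (same row, same column, rectangle). The conventions it assumes are the ones the worked answer uses: I and J share a cell, X separates a doubled letter in a digraph and pads an odd-length message (Q is used if the letter itself is X).

```python
# Playfair cipher, reproducing the worked answer (keyword KNIGHT).
# Added example, not part of these notes. Conventions assumed: I/J share one
# cell; X is the filler between doubled letters and for an odd tail (Q if the
# letter itself is X).

import string


def build_square(keyword: str):
    """5x5 key square: keyword letters first (duplicates dropped), then the rest of the alphabet."""
    seen = []
    for ch in (keyword + string.ascii_uppercase).upper():
        ch = "I" if ch == "J" else ch
        if ch.isalpha() and ch not in seen:
            seen.append(ch)
    return [seen[r * 5:(r + 1) * 5] for r in range(5)]


def filler(ch: str) -> str:
    return "Q" if ch == "X" else "X"


def digraphs(plaintext: str):
    """Split letters into pairs, separating doubled letters and padding an odd tail."""
    letters = [("I" if c == "J" else c) for c in plaintext.upper() if c.isalpha()]
    pairs, i = [], 0
    while i < len(letters):
        a = letters[i]
        b = letters[i + 1] if i + 1 < len(letters) else filler(a)
        if a == b:
            pairs.append(a + filler(a))
            i += 1
        else:
            pairs.append(a + b)
            i += 2
    return pairs


def locate(square, ch: str):
    for r, row in enumerate(square):
        if ch in row:
            return r, row.index(ch)
    raise ValueError(f"{ch} not in square")


def transform_pair(square, pair: str, shift: int) -> str:
    """Apply the Playfair rules to one digraph; shift=+1 encrypts, shift=-1 decrypts."""
    (r1, c1), (r2, c2) = locate(square, pair[0]), locate(square, pair[1])
    if r1 == r2:                                    # same row: step along the row
        return square[r1][(c1 + shift) % 5] + square[r2][(c2 + shift) % 5]
    if c1 == c2:                                    # same column: step down/up the column
        return square[(r1 + shift) % 5][c1] + square[(r2 + shift) % 5][c2]
    return square[r1][c2] + square[r2][c1]          # rectangle: swap the columns


def playfair_encrypt(plaintext: str, keyword: str) -> str:
    square = build_square(keyword)
    return "".join(transform_pair(square, p, +1) for p in digraphs(plaintext))


def playfair_decrypt(ciphertext: str, keyword: str) -> str:
    square = build_square(keyword)
    pairs = [ciphertext[i:i + 2] for i in range(0, len(ciphertext), 2)]
    return "".join(transform_pair(square, p, -1) for p in pairs)


if __name__ == "__main__":
    for row in build_square("KNIGHT"):
        print(" ".join(row))
    print(digraphs("read between the lines"))
    print(playfair_encrypt("read between the lines", "KNIGHT"))
```

Decryption returns the padded digraph stream (READBETWEXENTHELINES), so the filler letters have to be removed by the reader; that ambiguity is one of the practical weaknesses of the scheme.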

Q.4) Explain different block cipher modes of operations and their limitations.

Symmetric-key encipherment can be done using modern block ciphers. Modes of operation have been devised to encipher text of any size employing either DES or AES. The modes are intended to cover virtually all the possible applications of encryption for which a block cipher could be used.

a. Electronic Codebook (ECB) Mode: The simplest mode of operation is called the electronic codebook (ECB) mode, in which plaintext is handled one block at a time and each block of plaintext is encrypted using the same key. ECB is used when only a single block of information needs to be sent (e.g. a session encryption key).



The Encryption & Decryption can be shown as-

Limitations:
- message repetitions may show in the ciphertext if aligned with the message block, particularly with data such as graphics, or with messages that change very little, which become a code-book analysis problem
- the weakness is due to the encrypted message blocks being independent
- main use is sending a few blocks of data

b. Cipher Block Chaining (CBC) Mode: To overcome the problems of repetitions and order independence in ECB, we want some way of making the ciphertext dependent on all blocks before it. This is what CBC gives us, by combining the previous ciphertext block with the current message block before encrypting. To start the process, an Initial Value (IV) is used, which is usually well known (often all 0's), or otherwise is sent, ECB encrypted, just before starting CBC use. CBC mode is applicable whenever large amounts of data need to be sent securely, provided that all data is available in advance (e.g. email, FTP, web etc.).

The Encryption & Decryption can be shown as-


Limitations:
- a ciphertext block depends on all blocks before it
- any change to a block affects all following ciphertext blocks
- needs an Initialization Vector (IV) which must be known to sender and receiver
- if the IV is sent in the clear, an attacker can change bits of the first block and change the IV to compensate; hence the IV must either be a fixed value (as in EFTPOS) or must be sent encrypted in ECB mode before the rest of the message

c. Cipher Feedback (CFB) Mode: If the data is only available a bit/byte at a time, then some other approach must be used to encrypt it, so as not to delay the information. The idea here is to use the block cipher essentially as a pseudo-random number generator and to combine these "random" bits with the message. XOR is an easily inverted operator (just XOR with the same thing again to undo). Again start with an IV to get things going, then use the ciphertext as the next input. As originally defined, the idea was to "consume" as much of the "random" output as needed for each message unit (bit/byte) before "bumping" bits out of the buffer and re-encrypting. This slows the encryption down as more encryptions are needed. An alternative way to think of it is to generate a block of "random" bits, consume them as message bits/bytes arrive, and when they're used up, only then feed a full block of ciphertext back. This is CFB-64 or CFB-128 mode (depending on the block size of the cipher used). CFB is the usual choice for quantities of stream-oriented data, and for authentication use.

The Encryption & Decryption can be shown as-

Limitations:
- appropriate when data arrives in bits/bytes
- most common stream mode
- limitation is the need to stall while doing a block encryption after every n bits
- note that the block cipher is used in encryption mode at both ends
- errors propagate for several blocks after the error

d. Output Feedback (OFB) Mode: The alternative to CFB is OFB. Here the generation of the "random" bits is independent of the message being encrypted. The advantages are that, firstly, they can be computed in advance, which is good for bursty traffic, and secondly, any bit error only affects a single bit. Thus this is good for noisy links (e.g. satellite TV transmissions etc.).

The Encryption & Decryption can be shown as-


Limitations:
- bit errors do not propagate
- more vulnerable to message stream modification
- a variation of a Vernam cipher, hence must never reuse the same sequence (key+IV)
- sender and receiver must remain in sync
- originally specified with m-bit feedback; subsequent research has shown that only full block feedback (i.e. CFB-64 or CFB-128) should ever be used

e. Counter (CTR) Mode: The Counter (CTR) mode is a variant of OFB, but one which encrypts a counter value (hence the name). Although it was proposed many years before, it has only recently been standardized for use with AES along with the other existing 4 modes. It is being used with applications in ATM (asynchronous transfer mode) network security and IPSec (IP security). A counter equal to the plaintext block size is used. The only requirement stated in SP 800-38A is that the counter value must be different for each plaintext block that is encrypted. Typically the counter is initialized to some value and then incremented by 1 for each subsequent block.

The Encryption & Decryption can be shown as-

Limitations:
- efficiency: can do parallel encryptions in h/w or s/w, can preprocess in advance of need, good for bursty high-speed links
- random access to encrypted data blocks
- provable security (as good as other modes)
- but must ensure never to reuse key/counter values, otherwise could break (as with OFB)
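The five modes described above, as an added Python example that is not from these notes. The 64-bit block cipher underneath is a constructed 4-round Feistel network whose round function is a SHA-256 truncation; it stands in for DES or AES only so that the example runs with the standard library, and the key and messages are constructed. Two helper checks demonstrate the limitations listed above: ECB repeating ciphertext blocks for repeated plaintext blocks, and CTR/OFB leaking the XOR of two messages when a key/counter pair is reused.

```python
# Block-cipher modes of operation (ECB, CBC, CFB, OFB, CTR) over a toy block cipher.
# Added example, not from the notes. The 64-bit "block cipher" is a constructed
# 4-round Feistel network whose round function is SHA-256(key || round || half);
# it only stands in for DES/AES so that the example runs with the standard library.

import hashlib

BLOCK = 8  # block size in bytes

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def f(key: bytes, rnd: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]

def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    """Feistel encryption: L_i = R_{i-1}, R_i = L_{i-1} XOR F(R_{i-1}, K_i)."""
    left, right = block[:4], block[4:]
    for rnd in range(4):
        left, right = right, xor_bytes(left, f(key, rnd, right))
    return right + left          # undo the final swap

def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    """Same network with the round keys in reverse order (Feistel property)."""
    left, right = block[:4], block[4:]
    for rnd in reversed(range(4)):
        left, right = right, xor_bytes(left, f(key, rnd, right))
    return right + left

def split_blocks(data: bytes):
    assert len(data) % BLOCK == 0, "example uses whole blocks; pad in practice"
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key: bytes, pt: bytes) -> bytes:
    return b"".join(toy_encrypt_block(key, b) for b in split_blocks(pt))

def ecb_decrypt(key: bytes, ct: bytes) -> bytes:
    return b"".join(toy_decrypt_block(key, b) for b in split_blocks(ct))

def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    out, prev = [], iv
    for b in split_blocks(pt):
        prev = toy_encrypt_block(key, xor_bytes(b, prev))   # chain previous ciphertext in
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for b in split_blocks(ct):
        out.append(xor_bytes(toy_decrypt_block(key, b), prev))
        prev = b
    return b"".join(out)

def cfb_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    out, prev = [], iv
    for b in split_blocks(pt):
        prev = xor_bytes(b, toy_encrypt_block(key, prev))   # ciphertext feeds back
        out.append(prev)
    return b"".join(out)

def cfb_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for b in split_blocks(ct):
        out.append(xor_bytes(b, toy_encrypt_block(key, prev)))  # encrypt at both ends
        prev = b
    return b"".join(out)

def ofb_crypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """OFB: the keystream is independent of the message, so encrypt == decrypt."""
    out, prev = [], iv
    for b in split_blocks(data):
        prev = toy_encrypt_block(key, prev)
        out.append(xor_bytes(b, prev))
    return b"".join(out)

def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR: encrypt nonce || counter, counter incremented by 1 for each block."""
    out = []
    for n, b in enumerate(split_blocks(data)):
        out.append(xor_bytes(b, toy_encrypt_block(key, nonce + n.to_bytes(4, "big"))))
    return b"".join(out)

def ecb_leaks_repeats(key: bytes, pt: bytes) -> bool:
    """ECB limitation: equal plaintext blocks produce equal ciphertext blocks."""
    cs = split_blocks(ecb_encrypt(key, pt))
    return len(set(cs)) < len(cs)

def reused_keystream_leaks_xor(key: bytes, nonce: bytes, p1: bytes, p2: bytes) -> bool:
    """CTR/OFB limitation: reusing key+counter leaks p1 XOR p2 as c1 XOR c2."""
    c1, c2 = ctr_crypt(key, nonce, p1), ctr_crypt(key, nonce, p2)
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)
```

Run with a two-block message whose blocks are identical: the ECB ciphertext shows the repeat, CBC and CFB do not, and OFB and CTR are their own inverses. The last function is the reason the notes say a key/counter pair must never be reused: the XOR of two ciphertexts encrypted under the same keystream equals the XOR of the plaintexts, independent of the key.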

Q.5) Write short notes on: (i) International Data Encryption Algorithm(IDEA) (ii) CAST

(i) International Data Encryption Algorithm(IDEA)

- Xuejia Lai and James Massey, ETH (Swiss Federal Institute of Technology), 1991
- Patented; the patent is held by Ascom-Tech
- Non-commercial use of IDEA is free. Commercial licenses can be obtained by contacting Ascom-Tech
- Used in PGP
- 128-bit key, 64-bit block
- Variant Feistel network (not Feistel)
- Eight rounds + final transformation
- Uses three operations. Each operation is performed on two 16-bit inputs to produce a single 16-bit output:
  - Bit-by-bit XOR (⊕)
  - (Unsigned 16-bit integers) addition modulo 2^16 (⊞)
  - (Unsigned 16-bit integers) multiplication modulo 2^16 + 1, except that a block of all zeros is treated as representing 2^16 (⊙)
- The three operations are incompatible in the sense that:
  - No pair of the three operations satisfies a distributive law; e.g., for any two of them, written ∘ and ∗: a ∘ (b ∗ c) ≠ (a ∘ b) ∗ (a ∘ c)
  - No pair of the three operations satisfies an associative law; e.g.: a ∘ (b ∗ c) ≠ (a ∘ b) ∗ c
- In IDEA, confusion is achieved by using these three separate operations in combination
- Provides a complex transformation of the input, making cryptanalysis much more difficult (than with DES, which uses just a single XOR)

(ii) CAST:

-Developed by Carlisle Adams and Stafford Tavares

-Used in IPSec

-64-bit block, 40- to 128-bit keys (in 8-bit increments)

-Classical Feistel network structure

-Sixteen rounds

-Two subkeys per round, one 32-bit (Kmi ), one 5-bit (Kri )

-Three different round functions

-Four operations: addition (+) and subtraction (-) modulo 2^32, XOR, and (variable) circular left rotate (<<<)

-5-bit subkey (Kri ) determines rotate amount

-Encryption:

L0||R0 = Plaintext
for i = 1 to 16 do
    Li = Ri-1
    Ri = Li-1 XOR Fi[Ri-1, Kmi, Kri]
Ciphertext = L16||R16

-Decryption: same as encryption with the keys applied in reverse order

-CAST-128 uses 8 S-boxes

-Four of these, S-box 1 thru S-box 4 are used in the encryption/decryption process

-S-box 5 thru S-box 8 are used in the subkey generation

-S-boxes contain fixed (predefined) values

-Each S-box contains 256 32-bit values

Q.6) Explain various aspects of information security.

Information security involves protecting information from diverse threats for the purpose of ensuring continuity of operation, minimizing damages and maximizing results. Information security can be seen as a means of protecting:

- Confidentiality, i.e. assurance that information is accessible only to authorised persons. Sensitive information must be protected from unauthorised publication, access or interception.
- Integrity, i.e. maintaining the accuracy and completeness of information and processes. Ensuring that information is correct and undamaged and that software functions correctly.
- Availability, i.e. ensuring that information and services are available to authorised users when needed.

Information security also involves the preservation of other characteristics, such as information traceability, reliability, irrefutability and responsibility.

Information is a valuable asset and therefore needs appropriate protection. Information comes in various formats, e.g. printed or written on paper, stored electronically, published on film or revealed in conversation. Information should always be protected in an appropriate manner, irrespective of the means by which such information is utilised or stored.


Q.7) Define the terms with reference to cryptanalysis: (i) Unconditionally secure (ii) Computationally secure

Unconditionally secure: An encryption scheme is unconditionally secure if the ciphertext generated by the scheme does not contain enough information to determine uniquely the corresponding plaintext, no matter how much ciphertext is available.

Computationally secure: An encryption scheme is said to be computationally secure if either of the foregoing two criteria are met. The rub is that it is very difficult to estimate the amount of effort required to cryptanalyze ciphertext successfully.

Q.8) What is steganography?

Steganography: Steganography conceals the existence of the message. A simple form of steganography is one in which an arrangement of words or letters within an apparently innocuous text spells out the real message. For example, the sequence of first letters of each word of the overall message spells out the hidden message. Some of the other techniques that have been used are:

Character marking: Selected letters of printed or typewritten text are overwritten in pencil. The marks are ordinarily not visible unless the paper is held at an angle to bright light.

Invisible ink: A number of substances can be used for writing but leave no visible trace until heat or some chemical is applied to the paper.

Pin punctures: Small pin punctures on selected letters are ordinarily not visible unless the paper is held up in front of a light.

Q.9) Explain in detail the actual DES algorithm using appropriate diagrams.

The most widely used private-key block cipher is the Data Encryption Standard (DES). It was adopted in 1977 by the National Bureau of Standards as Federal Information Processing Standard 46 (FIPS PUB 46). DES encrypts data in 64-bit blocks using a 56-bit key. DES enjoys widespread use. It has also been the subject of much controversy over its security.

DES encryption:


The overall scheme for DES encryption is illustrated in Stallings Figure 3.4, which takes as input 64 bits of data and 64 bits of key. The left side shows the basic process for enciphering a 64-bit data block, which consists of:
- an initial permutation (IP) which shuffles the 64-bit input block
- 16 rounds of a complex key-dependent round function involving substitutions and permutations
- a final permutation, being the inverse of IP

The right side shows the handling of the 56-bit key and consists of:
- an initial permutation of the key (PC1) which selects 56 bits out of the 64-bit input, in two 28-bit halves
- 16 stages to generate the 48-bit subkeys using a left circular shift and a permutation of the two 28-bit halves.

The initial permutation and its inverse are defined by tables, as shown in Stallings Tables 3.2a and 3.2b, respectively. The tables are to be interpreted as follows. The input to a table consists of 64 bits numbered left to right from 1 to 64. The 64 entries in the permutation table contain a permutation of the numbers from 1 to 64. Each entry in the permutation table indicates the position of a numbered input bit in the output, which also consists of 64 bits.

Note that the bit numbering for DES reflects IBM mainframe practice and is the opposite of what we now mostly use, so be careful! Bits are numbered from bit 1 (leftmost, most significant) to bit 32/48/64 etc. (rightmost, least significant). Note that examples are specified in hexadecimal. Here a 64-bit plaintext value of “675a6967 5e5a6b5a” (written in left and right halves) after permuting with IP becomes “ffb2194d 004df6fb”.

The internal structure of the DES round function F takes the R half and the subkey and processes them through E (expansion), subkey addition, S (the S-boxes) and P (permutation). This follows the classic structure of a Feistel cipher. Note that the S-boxes provide the “confusion” of data and key values, whilst the permutation P then spreads this as widely as possible, so that each S-box output affects as many S-box inputs in the next round as possible, giving “diffusion”.

DES Round Structure

The figure illustrates the internal structure of the DES round function F. The R input is first expanded to 48 bits using expansion table E, which defines a permutation plus an expansion that duplicates 16 of the R bits. The resulting 48 bits are XORed with Ki. This 48-bit result passes through a substitution function comprising 8 S-boxes, each of which maps 6 input bits to 4 output bits, producing a 32-bit output, which is then permuted by permutation P.

DES Decryption

As with any Feistel cipher, DES decryption uses the same algorithm as encryption except that the subkeys are used in reverse order, SK16 .. SK1. If you trace through the DES overview diagram you can see how each decryption step, moving from top to bottom with reversed subkeys, undoes the equivalent encryption step moving from bottom to top.


Q.10) Explain the subkey generation process in Blowfish.

The subkeys are calculated using the Blowfish algorithm:
1. Initialize first the P-array and then the four S-boxes, in order, with a fixed string. This string consists of the hexadecimal digits of pi (less the initial 3): P1 = 0x243f6a88, P2 = 0x85a308d3, P3 = 0x13198a2e, P4 = 0x03707344, etc.
2. XOR P1 with the first 32 bits of the key, XOR P2 with the second 32 bits of the key, and so on for all bits of the key (possibly up to P14). Repeatedly cycle through the key bits until the entire P-array has been XORed with key bits. (For every short key, there is at least one equivalent longer key; for example, if A is a 64-bit key, then AA, AAA, etc., are equivalent keys.)
3. Encrypt the all-zero string with the Blowfish algorithm, using the subkeys described in steps (1) and (2).
4. Replace P1 and P2 with the output of step (3).
5. Encrypt the output of step (3) using the Blowfish algorithm with the modified subkeys.
6. Replace P3 and P4 with the output of step (5).
7. Continue the process, replacing all entries of the P-array, and then all four S-boxes in order, with the output of the continuously changing Blowfish algorithm.

In total, 521 iterations are required to generate all required subkeys. Applications can store the subkeys rather than execute this derivation process multiple times.

11) Explain Blowfish encryption algorithm with reference to the characteristics and the encryption operations.

Ans: Blowfish
- manipulates data in large blocks; it has a 64-bit block size.
- has a scalable key, from 32 bits to at least 256 bits.
- uses simple operations that are efficient on microprocessors, e.g., exclusive-or, addition, table lookup, modular multiplication. It does not use variable-length shifts or bit-wise permutations, or conditional jumps.
- employs precomputable subkeys. On large-memory systems, these subkeys can be precomputed for faster operation. Not precomputing the subkeys will result in slower operation, but it should still be possible to encrypt data without any precomputations.
- consists of a variable number of iterations. For applications with a small key size, the trade-off between the complexity of a brute-force attack and a differential attack makes a large number of iterations superfluous. Hence, it should be possible to reduce the number of iterations with no loss of security (beyond that of the reduced key size).
- uses subkeys that are a one-way hash of the key. This allows the use of long passphrases for the key without compromising security.
- has no linear structures that reduce the complexity of exhaustive search.
- uses a design that is simple to understand. This facilitates analysis and increases the confidence in the algorithm. In practice, this means that the algorithm will be a Feistel iterated block cipher.

Blowfish has 16 rounds. The input is a 64-bit data element, x. Divide x into two 32-bit halves: xL, xR. Then, for i = 1 to 16:

xL = xL XOR Pi
xR = F(xL) XOR xR
Swap xL and xR

After the sixteenth round, swap xL and xR again to undo the last swap. Then, xR = xR XOR P17 and xL = xL XOR P18.

Finally, recombine xL and xR to get the ciphertext.

12) What makes cryptanalysis difficult and security of Blowfish unchallenged?

- Blowfish uses Key-dependent S-Boxes.

- Operations are performed on both halves of data.

- Blowfish uses a time-consuming subkey generation process, which makes it bad for rapid key switching but makes brute force expensive.

Perfect avalanche effect: a small change in the input plaintext gives an altogether different output. Thus cryptanalysis becomes very hard.

Q.13) Blowfish is not appropriate for applications with limited memory. Justify.

Blowfish is a variable-length key, 64-bit block cipher. The algorithm consists of two parts: a key-expansion part and a data-encryption part. Key expansion converts a key of at most 448 bits into several subkey arrays totaling 4168 bytes. Data encryption occurs via a 16-round Feistel network. Each round consists of a key-dependent permutation, and a key- and data-dependent substitution. All operations are XORs and additions on 32-bit words. The only additional operations are four indexed array data lookups per round. The difficult part is only the computation to construct the P- and S-arrays from the fractional part of pi. First, we need to know how to use the binary exponential algorithm to find the d-th hex digit of pi. A file called calpi.c was used to generate the hex digits one at a time.

Subkey and S-Box Generation

The key, ranging from 32 bits to 448 bits (1 to 14 32-bit words), is stored in a K-array: K1, K2, …, Kj, with 1 ≤ j ≤ 14.

The 18 32-bit subkeys are stored in the P-array: P1, P2, …, P18.

There are 4 S-boxes, each with 8x32 (= 256) 32-bit entries:
S1,0, S1,1, …, S1,255
S2,0, S2,1, …, S2,255
S3,0, S3,1, …, S3,255
S4,0, S4,1, …, S4,255

The P-array and then the 4 S-boxes are initialized with the fractional part of pi:
P1 = 243F6A88 (hex), P2 = 85A308D3 (hex), …, S4,254 = 578FDFE3 (hex), S4,255 = 3AC372E6 (hex)

Subkey and S-Box Initialization

The P-array is XORed with the K-array (reusing the K-array if necessary):
P1 = P1 XOR K1, P2 = P2 XOR K2, …, Pj = Pj XOR Kj, Pj+1 = Pj+1 XOR K1, Pj+2 = Pj+2 XOR K2, …

Then update the P-array and S-boxes as follows:
P1, P2 = EP,S[0]
P3, P4 = EP,S[P1 || P2]
…
P17, P18 = EP,S[P15 || P16]
S1,0, S1,1 = EP,S[P17 || P18]
…
S4,254, S4,255 = EP,S[S4,252 || S4,253]

where EP,S[Y] is the ciphertext produced by encrypting Y using Blowfish with the current P and S arrays.

521 executions in total are required to produce the final P and S arrays. Hence Blowfish is not appropriate for applications with limited memory.

Q.14) The Caesar cipher has no real importance where serious security is needed. Comment.

The Caesar cipher involves replacing each letter of the alphabet with the letter standing three places further down the alphabet. If it is known that a given ciphertext is a Caesar cipher, then a brute-force cryptanalysis is easily performed: Simply try all 25 possible keys.

Three important characteristics of this problem enabled us to use a brute-force cryptanalysis:
1. The encryption and decryption algorithms are known.
2. There are only 25 keys to try.
3. The language of the plaintext is known and easily recognizable.

Thus, the Caesar cipher has no real importance where serious security is needed.

Q15)Distinguish between mono-alphabetic and poly-alphabetic ciphers. Give examples for each.

Monoalphabetic cipher:
- rather than just shifting the alphabet, the letters could be shuffled (jumbled) arbitrarily
- each plaintext letter maps to a different random ciphertext letter
- hence the key is 26 letters long

e.g.
Plaintext:  abcdefghijklmnopqrstuvwxyz
Ciphertext: DKVQFIBJWPESCXHTMYAUOLRGZN

Polyalphabetic ciphers:
- improve security using multiple cipher alphabets
- make cryptanalysis harder with more alphabets to guess and a flatter frequency distribution
- use a key to select which alphabet is used for each letter of the message
- use each alphabet in turn
- repeat from the start after the end of the key is reached

e.g. Transposition technique (rail fence):

message: “meet me after the toga party”

m e m a t r h t g p r y
 e t e f e t e o a a t

ciphertext: MEMATRHTGPRYETEFETEOAAT

Q.16) Explain transposition ciphers. How is it different from substitution ciphers? If the cipher is keyed by a word “COMPUTER” and the plaintext is “Please transferonemilliondollarstomyswissbankaccountssixtwotwo”. Obtain the ciphertext by columnar transposition.

All the techniques examined so far involve the substitution of a ciphertext symbol for a plaintext symbol. A very different kind of mapping is achieved by performing some sort of permutation on the plaintext letters. This technique is referred to as a transposition cipher.

The simplest such cipher is the rail fence technique, in which the plaintext is written down as a sequence of diagonals and then read off as a sequence of rows. But this would be trivial to cryptanalyze. A more complex scheme is to write the message in a rectangle, row by row, and read the message off column by column, but permute the order of the columns. The order of the columns then becomes the key to the algorithm.

Key: COMPUTER
Plaintext: Please transferonemilliondollarstomyswissbankaccountssixtwotwo

Column: C O M P U T E R
Index:  0 1 2 3 4 5 6 7

P L E A S E T R
A N S F E R O N
E M I L L I O N
D O L L A R S T
O M Y S W I S S
B A N K A C C O
U N T S S I X T
W O T W O

Seq.: 4 3 1 2 5 6 7 0
Output: SELAWASO AFLLSKSW LNMOMANO ESILYNTT ERIRICI TOOSSCX RNNTSOT PAEDOBUW
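The columnar transposition worked above, as an added Python example that is not part of these notes. The read-off order is an explicit parameter: the page reads the columns in the sequence 4 3 1 2 5 6 7 0, so that sequence reproduces the page's output exactly, while the usual convention derives the order from the alphabetical rank of the keyword letters, which key_order() computes for comparison. Decryption recomputes the column heights from the ciphertext length, which is what makes the last, short row recoverable.

```python
# Columnar transposition with an explicit column read-off order.
# Added example, not from the notes. The page reads the COMPUTER columns in the
# sequence 4 3 1 2 5 6 7 0; key_order() gives the conventional alphabetical ranking.

from itertools import zip_longest


def key_order(keyword: str):
    """Column indices in the order a conventional alphabetical ranking of the keyword reads them."""
    return sorted(range(len(keyword)), key=lambda i: (keyword[i], i))


def columnar_encrypt(plaintext: str, order) -> str:
    """Write letters row by row into len(order) columns, then read the columns in `order`."""
    letters = [c for c in plaintext if c.isalpha()]
    width = len(order)
    rows = [letters[i:i + width] for i in range(0, len(letters), width)]
    columns = ["".join(row[c] for row in rows if c < len(row)) for c in range(width)]
    return "".join(columns[c] for c in order).upper()


def columnar_decrypt(ciphertext: str, order) -> str:
    """Invert: derive each column's height from the length, slice the ciphertext, read rows."""
    width, n = len(order), len(ciphertext)
    full, extra = divmod(n, width)
    heights = [full + (1 if c < extra else 0) for c in range(width)]   # first `extra` columns are longer
    columns, pos = [""] * width, 0
    for c in order:
        columns[c] = ciphertext[pos:pos + heights[c]]
        pos += heights[c]
    return "".join(ch for row in zip_longest(*columns, fillvalue="") for ch in row)


if __name__ == "__main__":
    pt = "Please transferonemilliondollarstomyswissbankaccountssixtwotwo"
    page_order = [4, 3, 1, 2, 5, 6, 7, 0]
    ct = columnar_encrypt(pt, page_order)
    print(ct)
    print(columnar_decrypt(ct, page_order))
    print("alphabetical order for COMPUTER:", key_order("COMPUTER"))
```

Because a transposition only permutes letters, the ciphertext keeps the plaintext's letter frequencies exactly; that is the property that distinguishes it from a substitution cipher and the first thing a frequency count reveals about it.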


Q.17) Explain the Model of Network Security with access Security Model.

A message is to be transferred from one party to another across some sort of internet. The two parties, who are the principals in the transaction, must cooperate for the exchange to take place. Security aspects come into play when it is necessary or desirable to protect the information transmission from an opponent who may present a threat to confidentiality, authenticity, and so on. All the techniques for providing security have two components:

1. A security-related transformation on the information to be sent. Examples include the encryption of the message, which scrambles the message so that it is unreadable by the opponent, and the addition of a code based on the contents of the message, which can be used to verify the identity of the sender.
2. Some secret information shared by the two principals and, it is hoped, unknown to the opponent. An example is an encryption key used in conjunction with the transformation to scramble the message before transmission and unscramble it on reception.

A trusted third party may be needed to achieve secure transmission. For example, a third party may be responsible for distributing the secret information to the two principals while keeping it from any opponent. Or a third party may be needed to arbitrate disputes between the two principals concerning the authenticity of a message transmission.

This general model shows that there are four basic tasks in designing a particular security service:
1. Design an algorithm for performing the security-related transformation. The algorithm should be such that an opponent cannot defeat its purpose.
2. Generate the secret information to be used with the algorithm.
3. Develop methods for the distribution and sharing of the secret information.
4. Specify a protocol to be used by the two principals that makes use of the security algorithm and the secret information to achieve a particular security service.


Q.18) Explain the Feistel Encryption and Decryption algorithm with a proper diagram of the Block Cipher Principle.

Feistel Encryption algorithm:


The figure above depicts the structure proposed by Feistel. The inputs to the encryption algorithm are a plaintext block of length 2w bits and a key K. The plaintext block is divided into two halves, L0 and R0. The two halves of the data pass through n rounds of processing and then combine to produce the ciphertext block. Each round i has as inputs Li-1 and Ri-1, derived from the previous round, as well as a subkey Ki derived from the overall key K. In general the subkeys Ki are different from K and from each other.

All rounds have the same structure. A substitution is performed on the left half of the data. This is done by applying a round function F to the right half of the data and then taking the exclusive-OR of the output of that function and the left half of the data. The round function has the same general structure for each round but is parameterized by the round subkey Ki. Following this substitution, a permutation is performed that consists of the interchange of the two halves of the data. This structure is a particular form of the substitution-permutation network (SPN) proposed by Shannon.

The exact realization of a Feistel network depends on the choice of the following parameters and design features:

• block size - increasing size improves security, but slows the cipher
• key size - increasing size improves security and makes exhaustive key searching harder, but may slow the cipher
• number of rounds - increasing the number improves security, but slows the cipher
• subkey generation algorithm - greater complexity can make analysis harder, but slows the cipher
• round function - greater complexity can make analysis harder, but slows the cipher
• fast software en/decryption - a more recent concern for practical use
• ease of analysis - for easier validation and testing of strength

Feistel Decryption Algorithm

The process of decryption with a Feistel cipher is essentially the same as the encryption process. The rule is as follows: Use the ciphertext as input to the algorithm, but use the subkeys Ki in reverse order. That is, use Kn in the first round, Kn-1 in the second round, and so on until K1 is used in the last round. This is a nice feature because it means we need not implement two different algorithms, one for encryption and one for decryption.

To see that the same algorithm with a reversed key order produces the correct result, consider the figure below, which shows the encryption process going down the left-hand side and the decryption process going up the right-hand side for a 16-round algorithm (the result would be the same for any number of rounds). The notation LEi and REi is used for data travelling through the encryption algorithm and LDi and RDi for data travelling through the decryption algorithm. The diagram indicates that, at every round, the intermediate value of the decryption process is equal to the corresponding value of the encryption process with the two halves of the value swapped. To put this another way, let the output of the ith encryption round be LEi||REi (LEi concatenated with REi). Then the corresponding input to the (16-i)th decryption round is REi||LEi or, equivalently, RD16-i||LD16-i.


Q.19) Explain RC5 algorithm with characteristics, parameters, primitives and Encryption, decryption functions.

The characteristics of the RC5 algorithm are as follows:

1. RC5 is a symmetric block cipher.
2. RC5 is suitable for hardware or software.
3. RC5 is fast.
4. RC5 is adaptable to processors of different word-lengths.
5. RC5 is iterative in structure, with a variable number of rounds.
6. RC5 has a variable-length cryptographic key.
7. RC5 is simple.
8. RC5 has a low memory requirement.
9. RC5 provides high security when suitable parameter values are chosen.

The parameters of the RC5 algorithm are:

w - The word size, in bits; each word contains u = w/8 8-bit bytes. The nominal value of w is 32 bits; allowable values of w are 16, 32 and 64. RC5 encrypts two-word blocks: plaintext and ciphertext blocks are each 2w bits long.

r - The number of rounds. The expanded key table S contains t = 2(r + 1) words. Allowable values of r are 0, 1, ..., 255.

In addition to w and r, RC5 has a variable-length secret cryptographic key, specified by the parameters b and K:

b - The number of bytes in the secret key K. Allowable values of b are 0, 1, ..., 255.

K - The b-byte secret key: K[0], K[1], ..., K[b - 1].

A particular choice of parameters is written RC5-w/r/b; the nominal choice is RC5-32/12/16 (32-bit words, 12 rounds, a 16-byte key).

RC5 uses only the following three primitive operations (and their inverses):

1. Two's complement addition of words, denoted "+". This is addition modulo 2^w. The inverse operation, subtraction, is denoted "-".
2. Bit-wise exclusive-OR of words, denoted "⊕".
3. A left-rotation (or "left-spin") of words: the cyclic rotation of word x left by y bits is denoted x <<< y. Here y is interpreted modulo w, so that when w is a power of two, only the lg(w) low-order bits of y are used to determine the rotation amount. The inverse operation, right-rotation, is denoted x >>> y. Because the rotation amount is taken from the other data register, these are data-dependent rotations, the distinguishing feature of RC5.

RC5 Encryption Function:
We assume that the input block is given in two w-bit registers A and B. We also assume that key expansion has already been performed, so that the array S[0 ... t-1] has been computed. Here is the encryption algorithm in pseudo-code:

A = A + S[0];
B = B + S[1];
for i = 1 to r do
    A = ((A ⊕ B) <<< B) + S[2*i];
    B = ((B ⊕ A) <<< A) + S[2*i + 1];

The output is in the registers A and B. We note the exceptional simplicity of this 5-line algorithm. We also note that each RC5 round updates both registers A and B, whereas a "round" in DES updates only half of its registers. An RC5 "half-round" (one of the assignment statements updating A or B in the body of the loop above) is thus perhaps more analogous to a DES round.

RC5 Decryption Function:
The decryption routine is easily derived from the encryption routine by undoing the steps in reverse order: the additions become subtractions and the left-rotations become right-rotations.

for i = r downto 1 do
    B = ((B - S[2*i + 1]) >>> A) ⊕ A;
    A = ((A - S[2*i]) >>> B) ⊕ B;
B = B - S[1];
A = A - S[0];

Page 27: UNIT_1_ANS

Q.20) State characteristics of advanced symmetric block cipher.

• Variable key length - e.g. Blowfish, RC5, CAST-128, RC2
• Expensive key schedule computation - e.g. Blowfish (also makes brute-force key search slower)
• Mixed operators - more than one arithmetic and/or Boolean operator is used in the round
• Data-dependent rotation - the rotation amount depends on the data being encrypted; provides excellent confusion and diffusion - e.g. RC5
• Key-dependent rotation - e.g. CAST-128
• Operation on both halves each round - e.g. IDEA, Blowfish, RC5
• Variable number of rounds - e.g. RC5
• Variable plaintext/ciphertext block length - e.g. RC5
• Key-dependent S-boxes - e.g. Blowfish
• Variable round function - e.g. CAST-128

Q.21) What is cryptanalysis? Explain the various types of cryptanalytic attacks based on the amount of information known to the cryptanalyst.

Cryptanalysis is the attempt to recover the plaintext or the key without being given the key. Cryptanalytic attacks rely on the nature of the algorithm plus perhaps some knowledge of the general characteristics of the plaintext or even some sample plaintext-ciphertext pairs.

The various types of cryptanalytic attack are classified by the amount of information known to the cryptanalyst, from least to most. The most difficult problem is presented when all that is available is the ciphertext only. In some cases not even the encryption algorithm is known, but in general we assume (Kerckhoffs's principle) that the opponent does know the algorithm used for encryption. With increasing information come the other attacks. Generally, an encryption algorithm is designed to withstand a known-plaintext attack.

Various types of cryptanalytic attack:

1. Ciphertext only - the attacker knows only the algorithm and the ciphertext; the attack is statistical, relying on knowing or being able to identify properties of the plaintext (for example the letter frequencies of its language).
2. Known plaintext - the attacker knows or suspects one or more plaintext-ciphertext pairs.
3. Chosen plaintext - the attacker selects plaintexts and obtains the corresponding ciphertexts.
4. Chosen ciphertext - the attacker selects ciphertexts and obtains the corresponding plaintexts.
5. Chosen text - the attacker selects plaintexts or ciphertexts to be encrypted or decrypted.

Brute-force attacks try every possible key on a piece of ciphertext until an intelligible translation into plaintext is obtained. On average, half of all possible keys must be tried to achieve success.

Q.22) Encrypt the following text as follows:- IAMINSEVENTHSEM
(i) using the Playfair cipher with key EIGHT;
(ii) using a transposition cipher (2-stage columnar technique) with key CLASS.

Plaintext: IAMINSEVENTHSEM, Keyword: EIGHT

(i) Playfair cipher encryption. The 5x5 matrix is filled with the keyword EIGHT (duplicate letters removed) followed by the remaining letters of the alphabet, with I and J treated as one letter:

E I G H T
A B C D F
K L M N O
P Q R S U
V W X Y Z

The plaintext is split into digraphs; the odd letter at the end is padded with X:

IA MI NS EV EN TH SE MX

Each digraph is encrypted with the Playfair rules (same row: take the letter to the right, wrapping round; same column: take the letter below, wrapping round; otherwise: take the letter in the same row as each letter but in the column of the other letter):

Plaintext - Ciphertext
IA - EB
MI - LG
NS - SY (same column)
EV - AE (same column)
EN - HK
TH - ET (same row; T wraps round to E)
SE - PH
MX - RG (same column)

Thus the required ciphertext is EBLGSYAEHKETPHRG.

(ii) Transposition cipher (2-stage columnar technique), key CLASS. As there are 5 characters in the key, there are 5 columns. The columns are read out in the alphabetical order of the key letters (the two S's in left-to-right order), i.e. C3-C1-C2-C4-C5.

Stage 1: write the plaintext into the grid row by row:

C1 C2 C3 C4 C5
i  a  m  i  n
s  e  v  e  n
t  h  s  e  m

Ciphertext after stage 1: mvs ist aeh iee nnm

Stage 2: write the stage-1 output back into the grid row by row and read it out with the same column order:

C1 C2 C3 C4 C5
m  v  s  i  s
t  a  e  h  i
e  e  n  n  m

Final ciphertext: sen mte vae ihn sim

Q.23) What are block cipher modes of operation of DES? Explain any one mode in detail.

The block cipher modes of operation of DES (standardised in FIPS PUB 81) are:

1. Electronic Codebook (ECB)
2. Cipher Block Chaining (CBC)
3. Output Feedback (OFB)
4. Cipher Feedback (CFB)

Electronic Codebook (ECB) mode. The Electronic Codebook (ECB) mode is defined as follows (Figure 1). In ECB encryption, a plaintext data block (D1, D2, ..., D64) is used directly as the DES input block (I1, I2, ..., I64). The input block is processed through a DES device in the encrypt state. The resultant output block (O1, O2, ..., O64) is used directly as ciphertext (C1, C2, ..., C64) or may be used in subsequent ADP (automatic data processing) applications.

In ECB decryption, a ciphertext block (C1, C2, ..., C64) is used directly as the DES input block (I1, I2, ..., I64). The input block is then processed through a DES device in the decrypt state. The resultant output block (O1, O2, ..., O64) is the plaintext (D1, D2, ..., D64) or may be used in subsequent ADP applications.

The ECB decryption process is the same as the ECB encryption process except that the decrypt state of the DES device is used rather than the encrypt state.

Because every block is encrypted independently under the same key, identical plaintext blocks always produce identical ciphertext blocks, so patterns in the plaintext show through in the ciphertext. ECB is therefore suitable only for short messages such as the transmission of a single key; for longer messages one of the chaining modes (CBC, CFB, OFB) should be used.
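The following Python program is an added example, not code from the notes. It drives a block cipher in ECB and in CBC mode over a message that repeats the same 8-byte block four times and counts how many ciphertext blocks repeat. The "DES device" is an assumption of the example: a keyed, invertible 64-bit affine map with no security at all, which is enough because the ECB property being shown holds for any deterministic block cipher. The padding scheme, the fixed zero IV and all names are this example's own.

```python
BLOCK = 8                        # DES block size in bytes
MASK64 = (1 << 64) - 1
ODD = 0x9E3779B97F4A7C15         # odd, so multiplication mod 2^64 is invertible
ODD_INV = pow(ODD, -1, 1 << 64)


def toy_encrypt(key: int, block: bytes) -> bytes:
    """Stand-in for the 'DES device in the encrypt state' (an assumption of this example,
    with no security): an invertible keyed affine map on 64-bit words."""
    x = int.from_bytes(block, "big")
    return (((x ^ key) * ODD) & MASK64).to_bytes(BLOCK, "big")


def toy_decrypt(key: int, block: bytes) -> bytes:
    """The same device in the decrypt state."""
    y = int.from_bytes(block, "big")
    return (((y * ODD_INV) & MASK64) ^ key).to_bytes(BLOCK, "big")


def pad(data: bytes) -> bytes:
    """PKCS#7-style padding so the message is a whole number of blocks."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ecb_encrypt(key: int, data: bytes) -> bytes:
    # Each plaintext block is fed directly to the device: no chaining, no IV.
    return b"".join(toy_encrypt(key, blk) for blk in blocks(pad(data)))


def ecb_decrypt(key: int, data: bytes) -> bytes:
    return unpad(b"".join(toy_decrypt(key, blk) for blk in blocks(data)))


def cbc_encrypt(key: int, iv: bytes, data: bytes) -> bytes:
    # Each plaintext block is XORed with the previous ciphertext block (the IV for the first).
    prev, out = iv, []
    for blk in blocks(pad(data)):
        prev = toy_encrypt(key, xor(blk, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: int, iv: bytes, data: bytes) -> bytes:
    prev, out = iv, []
    for blk in blocks(data):
        out.append(xor(toy_decrypt(key, blk), prev))
        prev = blk
    return unpad(b"".join(out))


def repeated_blocks(ciphertext: bytes) -> int:
    """How many ciphertext blocks duplicate an earlier one: the leak ECB cannot hide."""
    bs = blocks(ciphertext)
    return len(bs) - len(set(bs))


# Constructed sample: the same 8-byte record repeated four times.
SAMPLE = b"ATTACK!!" * 4
KEY = 0x0123456789ABCDEF
IV = bytes(BLOCK)   # fixed here for reproducibility; real CBC needs a fresh unpredictable IV per message

if __name__ == "__main__":
    print("ECB repeated blocks:", repeated_blocks(ecb_encrypt(KEY, SAMPLE)))      # 3
    print("CBC repeated blocks:", repeated_blocks(cbc_encrypt(KEY, IV, SAMPLE)))  # 0
```

The four identical plaintext blocks give four identical ECB ciphertext blocks, whereas under CBC each block's input is changed by the previous ciphertext block, so the repetition disappears; an attacker reading ECB output learns that the records were equal without decrypting anything.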

Q.24) State the different substitution encryption techniques, explain the Caesar cipher in detail and convert the given sentence from plaintext to ciphertext:

"Hardwork Makes Man perfect".

The different substitution encryption techniques are as follows:
- Caesar cipher
- Monoalphabetic cipher
- Playfair cipher
- Hill cipher
- Polyalphabetic substitution cipher (e.g. Vigenère)

Caesar cipher: the earliest known substitution cipher, used by Julius Caesar; its first attested use was in military affairs. The Caesar cipher involves replacing each letter of the alphabet with the letter standing three places further down the alphabet. Example:

meet me after the toga party
PHHW PH DIWHU WKH WRJD SDUWB

The transformation can be defined as:

a b c d e f g h i j k l m n o p q r s t u v w x y z
D E F G H I J K L M N O P Q R S T U V W X Y Z A B C

Mathematically, give each letter a number:

a b c d e f g h i j k l m n o p q r s t u v w x y z
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25

Then the Caesar cipher with shift k (k = 3 for Caesar himself) is:

c = E(p) = (p + k) mod 26
p = D(c) = (c - k) mod 26

Since there are only 25 possible shifts, the cipher is broken by simply trying each one (a brute-force attack).

Plaintext : Hardwork Makes Man perfect
Ciphertext: KDUGZRUN PDNHV PDQ SHUIHFW

(H -> K, a -> D, r -> U, d -> G, w -> Z, o -> R, r -> U, k -> N; M -> P, a -> D, k -> N, e -> H, s -> V; and so on.)
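The Caesar formulas above, together with the brute-force attack that the cipher's 25-key space invites, as an added Python example (not code from the notes). The English letter-frequency table and the chi-squared scoring used to pick the right shift automatically are assumptions of the example; the notes only describe trying the keys by hand.

```python
import string

ALPHABET = string.ascii_lowercase

# Approximate English single-letter frequencies (percent), a..z (an assumption of this example).
ENGLISH_FREQ = [8.2, 1.5, 2.8, 4.3, 12.7, 2.2, 2.0, 6.1, 7.0, 0.15, 0.77, 4.0, 2.4,
                6.7, 7.5, 1.9, 0.095, 6.0, 6.3, 9.1, 2.8, 0.98, 2.4, 0.15, 2.0, 0.074]


def caesar_encrypt(plaintext: str, k: int = 3) -> str:
    """c = (p + k) mod 26 for each letter; other characters pass through.
    The ciphertext is written in upper case, as in the notes."""
    out = []
    for ch in plaintext.lower():
        out.append(ALPHABET[(ALPHABET.index(ch) + k) % 26].upper() if ch in ALPHABET else ch)
    return "".join(out)


def caesar_decrypt(ciphertext: str, k: int = 3) -> str:
    """p = (c - k) mod 26; the plaintext is returned in lower case."""
    return caesar_encrypt(ciphertext, -k).lower()


def brute_force(ciphertext: str) -> dict:
    """The brute-force attack of Q.21: with only 25 keys, try them all."""
    return {k: caesar_decrypt(ciphertext, k) for k in range(1, 26)}


def chi_squared(text: str) -> float:
    """How far the letter frequencies of text are from English (lower = more English-like)."""
    letters = [c for c in text.lower() if c in ALPHABET]
    n = len(letters)
    score = 0.0
    for i, ch in enumerate(ALPHABET):
        expected = ENGLISH_FREQ[i] / 100 * n
        observed = letters.count(ch)
        score += (observed - expected) ** 2 / expected
    return score


def best_shift(ciphertext: str) -> int:
    """Pick the candidate plaintext whose letter frequencies look most like English."""
    return min(brute_force(ciphertext).items(), key=lambda kv: chi_squared(kv[1]))[0]


if __name__ == "__main__":
    ct = caesar_encrypt("Hardwork Makes Man perfect")
    print(ct, "->", caesar_decrypt(ct), "| recovered shift:", best_shift(ct))
    for k, candidate in brute_force(ct).items():
        print(k, candidate)
```

The statistical scorer is what turns "try all keys" into an automatic attack: for a message of a few dozen letters the correct shift is the only candidate whose letter counts resemble English, which is the ciphertext-only attack of Q.21 in its simplest form.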

Q.25) Blowfish is not appropriate for applications with limited memory. Justify.

Blowfish is a variable-length key, 64-bit block cipher. The algorithm consists of two parts: a key-expansion part and a data-encryption part. Key expansion converts a key of at most 448 bits into several subkey arrays totaling 4168 bytes. Data encryption occurs via a 16-round Feistel network. Each round consists of a key-dependent permutation, and a key- and data-dependent substitution. All operations are XORs and additions on 32-bit words; the only additional operations are four indexed array data lookups per round. The only difficult part is the computation that constructs the P-array and the S-boxes from the fractional part of pi: the hexadecimal digits of pi have to be generated (the notes refer to a program, calpi.c, that uses a digit-extraction formula evaluated with binary exponentiation to find the d-th hex digit of pi, producing the digits one at a time).

Subkey and S-box generation. The key, ranging from 32 bits to 448 bits (1 to 14 32-bit words), is stored in a K-array:

K1, K2, ..., Kj        (1 <= j <= 14)

The 18 32-bit subkeys are stored in the P-array:

P1, P2, ..., P18

There are 4 S-boxes, each an 8x32 S-box with 256 32-bit entries:

S1,0, S1,1, ..., S1,255
S2,0, S2,1, ..., S2,255
S3,0, S3,1, ..., S3,255
S4,0, S4,1, ..., S4,255

The P-array and then the 4 S-boxes are initialized with the fractional part of pi (in hexadecimal):

P1 = 243F6A88 (hex), P2 = 85A308D3 (hex), ..., S4,254 = 578FDFE3 (hex), S4,255 = 3AC372E6 (hex)

Subkey and S-box initialization. The P-array is XORed with the K-array (reusing the K-array cyclically if necessary):

P1 = P1 ⊕ K1, P2 = P2 ⊕ K2, ..., Pj = Pj ⊕ Kj, Pj+1 = Pj+1 ⊕ K1, Pj+2 = Pj+2 ⊕ K2, ...

Then the P-array and the S-boxes are updated as follows:

P1, P2         = E_P,S[0]
P3, P4         = E_P,S[P1 || P2]
...
P17, P18       = E_P,S[P15 || P16]
S1,0, S1,1     = E_P,S[P17 || P18]
...
S4,254, S4,255 = E_P,S[S4,252 || S4,253]

where E_P,S[Y] is the ciphertext produced by encrypting the 64-bit value Y using Blowfish with the current P and S arrays (each encryption uses the arrays as modified so far).

In total 521 executions of the Blowfish encryption algorithm are required to produce the final P and S arrays ((18 + 4 x 256) / 2 = 521), and the resulting subkeys, 18 + 4 x 256 = 1042 32-bit words = 4168 bytes, must all be held in memory while the cipher runs, in addition to the pi-derived constants if keys are ever changed. Hence Blowfish is not appropriate for applications with limited memory (for example smart cards), nor for applications that change keys frequently.
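The whole procedure above, as an added Python example that is not code from the notes: the 1042 pi-derived words are computed here exactly with Machin's formula in big-integer arithmetic (rather than with the digit-extraction program the notes mention), the key setup XORs the key into P and then performs the chain of E_P,S encryptions while counting them, and the round function and 16-round Feistel network are implemented so the result can be checked against Blowfish's published all-zero-key test vector. Class and function names are this example's own.

```python
M32 = 0xFFFFFFFF
N_WORDS = 18 + 4 * 256            # P-array + four S-boxes = 1042 32-bit words
SUBKEY_BYTES = 4 * N_WORDS        # 4168 bytes of subkeys per key


def pi_fraction_hex(n_digits: int) -> str:
    """First n_digits hex digits of the fractional part of pi, computed exactly with
    Machin's formula pi = 16*arctan(1/5) - 4*arctan(1/239) in big-integer fixed point."""
    guard = 10                                   # extra hex digits absorb truncation error
    scale = 1 << (4 * (n_digits + guard))

    def arctan_inv(x):                           # arctan(1/x) * scale, Taylor series
        total, term, k, sign = 0, scale // x, 1, 1
        while term:
            total += sign * (term // (2 * k - 1))
            term //= x * x
            k += 1
            sign = -sign
        return total

    frac = 16 * arctan_inv(5) - 4 * arctan_inv(239) - 3 * scale
    return format(frac >> (4 * guard), "x").zfill(n_digits)


_PI_HEX = pi_fraction_hex(8 * N_WORDS)
PI_WORDS = [int(_PI_HEX[i:i + 8], 16) for i in range(0, len(_PI_HEX), 8)]   # P1 = 0x243F6A88, ...


class Blowfish:
    def __init__(self, key: bytes):
        if not 4 <= len(key) <= 56:
            raise ValueError("key must be 32..448 bits")
        self.P = PI_WORDS[:18]                                        # P1..P18
        self.S = [PI_WORDS[18 + 256 * b: 18 + 256 * (b + 1)] for b in range(4)]
        self.encryptions = 0                                          # counts E_P,S calls
        # Step 1: XOR the key into the P-array, cycling through the key bytes.
        j = 0
        for i in range(18):
            word = 0
            for _ in range(4):
                word = (word << 8) | key[j]
                j = (j + 1) % len(key)
            self.P[i] ^= word
        # Step 2: replace P and S with successive encryptions of the running 64-bit value,
        # starting from the all-zero block and using the arrays as modified so far.
        L = R = 0
        for i in range(0, 18, 2):
            L, R = self.encrypt_block(L, R)
            self.P[i], self.P[i + 1] = L, R
        for box in self.S:
            for i in range(0, 256, 2):
                L, R = self.encrypt_block(L, R)
                box[i], box[i + 1] = L, R

    def _f(self, x: int) -> int:
        """Round function: four indexed S-box lookups combined with + and XOR."""
        S = self.S
        return ((((S[0][x >> 24] + S[1][(x >> 16) & 0xFF]) & M32)
                 ^ S[2][(x >> 8) & 0xFF]) + S[3][x & 0xFF]) & M32

    def encrypt_block(self, L: int, R: int):
        self.encryptions += 1
        for i in range(16):
            L ^= self.P[i]
            R ^= self._f(L)
            L, R = R, L
        L, R = R, L                      # undo the last swap
        return L ^ self.P[17], R ^ self.P[16]

    def decrypt_block(self, L: int, R: int):
        for i in range(17, 1, -1):       # same network with P18..P3, then P2 and P1
            L ^= self.P[i]
            R ^= self._f(L)
            L, R = R, L
        L, R = R, L
        return L ^ self.P[0], R ^ self.P[1]


if __name__ == "__main__":
    bf = Blowfish(bytes(8))
    print("encryptions in key setup:", bf.encryptions, "| subkey bytes:", SUBKEY_BYTES)
    print("%08X %08X" % bf.encrypt_block(0, 0))
```

Running the key setup once per key is the cost the question is about: 521 block encryptions (more than 8000 round-function evaluations) before the first byte of data can be processed, and 4168 bytes of per-key state afterwards, which is far beyond what a smart card of the period could hold.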

Q.26) Explain the conventional cryptosystem model.

A message is to be transferred from one party to another across some sort of internet. The two parties, who are the principals in the transaction, must cooperate for the exchange to take place. Security aspects come into play when it is necessary or desirable to protect the information transmission from an opponent who may present a threat to confidentiality, authenticity, and so on. All the techniques for providing security have two components:

1. A security-related transformation on the information to be sent. Examples include the encryption of the message, which scrambles the message so that it is unreadable by the opponent, and the addition of a code based on the contents of the message, which can be used to verify the identity of the sender.
2. Some secret information shared by the two principals and, it is hoped, unknown to the opponent. An example is an encryption key used in conjunction with the transformation to scramble the message before transmission and unscramble it on reception.

A trusted third party may be needed to achieve secure transmission. For example, a third party may be responsible for distributing the secret information to the two principals while keeping it from any opponent. Or a third party may be needed to arbitrate disputes between the two principals concerning the authenticity of a message transmission.

This general model shows that there are four basic tasks in designing a particular security service:

1. Design an algorithm for performing the security-related transformation. The algorithm should be such that an opponent cannot defeat its purpose.
2. Generate the secret information to be used with the algorithm.
3. Develop methods for the distribution and sharing of the secret information.
4. Specify a protocol to be used by the two principals that makes use of the security algorithm and the secret information to achieve a particular security service.

Q.27) What is linear and differential cryptanalysis?

Linear cryptanalysis: a more recent development (Matsui, 1993). This attack is based on finding linear approximations to describe the transformations performed in DES. This method can find a DES key given 2^43 known plaintexts, as compared to 2^47 chosen plaintexts for differential cryptanalysis. Although this is a minor improvement, because it may be easier to acquire known plaintext than chosen plaintext, it still leaves linear cryptanalysis infeasible as a practical attack on DES. Again, this attack uses structure not seen before; at the time it was published, little work had been done by other groups to validate the linear cryptanalytic approach. The objective of linear cryptanalysis is to find an effective linear equation relating some plaintext, ciphertext and key bits that holds with probability p ≠ 0.5:

P[i1, i2, ..., ia] ⊕ C[j1, j2, ..., jb] = K[k1, k2, ..., kc]

where P[i1, ..., ia] denotes the XOR of the plaintext bits at positions i1, ..., ia (and likewise for C and K), and the i, j and k values are bit locations in P, C and K.

Once a proposed relation is determined, the procedure is to compute the left-hand side of the equation for a large number of plaintext-ciphertext pairs, in order to determine whether the sum of the key bits is 0 or 1, thus giving 1 bit of information about them. This is repeated for other equations and many pairs to derive some of the key bit values. Because we are dealing with linear equations, the problem can be approached one round of the cipher at a time, with the results combined.

Differential cryptanalysis: Biham and Shamir showed that differential cryptanalysis can be used to cryptanalyse DES with an effort on the order of 2^47 encryptions, requiring 2^47 chosen plaintexts. They also demonstrated this form of attack on a variety of encryption algorithms and hash functions. Differential cryptanalysis was known to the IBM DES design team as early as 1974 (as the "T attack"), and influenced the design of the S-boxes and the permutation P to improve DES's resistance to it. Compare DES's security with the cryptanalysis of an eight-round LUCIFER algorithm, which requires only 256 chosen plaintexts, versus an attack on an eight-round version of DES, which requires 2^14 chosen plaintexts. The attack is known as differential cryptanalysis because the analysis compares differences between two related encryptions, and looks for a known difference in the input leading to a known difference in the output with some (pretty small but still significant) probability. If a number of such differences are determined, it is feasible to determine the subkey used in the function f. The reason differences remove the influence of the key is that a subkey XORed into both encryptions cancels in the XOR difference: (m ⊕ K) ⊕ (m' ⊕ K) = m ⊕ m'.
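Both attacks start from the same two tables for each S-box, and computing them is the first step of any differential or linear analysis. The following Python program is an added example (not code from the notes): it builds the difference distribution table (which input difference leads to which output difference, and how often) and the linear approximation table (which input/output bit masks satisfy a linear equation with probability other than 1/2) for a 4-bit S-box. The S-box used is the first row of DES's S1, read as a 16-entry table; the function names are this example's own.

```python
# 4-bit S-box: the first row of DES S-box S1 (14 4 13 1 2 15 11 8 3 10 6 12 5 9 0 7),
# read as a 16-entry table.
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8, 0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]


def parity(v: int) -> int:
    return bin(v).count("1") & 1


def difference_distribution_table(sbox):
    """DDT[dx][dy] = number of inputs x with S(x) XOR S(x XOR dx) == dy.
    XOR differences cancel a subkey that is XORed in ((m ^ K) ^ (m' ^ K) == m ^ m'),
    so the table describes how differences propagate whatever the subkey is."""
    n = len(sbox)
    table = [[0] * n for _ in range(n)]
    for x in range(n):
        for dx in range(n):
            table[dx][sbox[x] ^ sbox[x ^ dx]] += 1
    return table


def best_differential(sbox):
    """The most probable (dx -> dy) with dx != 0, as (dx, dy, probability)."""
    t, n = difference_distribution_table(sbox), len(sbox)
    dx, dy = max(((a, b) for a in range(1, n) for b in range(n)),
                 key=lambda ab: t[ab[0]][ab[1]])
    return dx, dy, t[dx][dy] / n


def linear_approximation_table(sbox):
    """LAT[a][b] = #{x : parity(a & x) == parity(b & S(x))} - n/2.
    A non-zero entry means the linear equation  a.x XOR b.S(x) = 0  holds with
    probability p = 1/2 + LAT[a][b]/n, i.e. p != 1/2 as required in the text."""
    n = len(sbox)
    return [[sum(parity(a & x) == parity(b & sbox[x]) for x in range(n)) - n // 2
             for b in range(n)] for a in range(n)]


def best_linear_approximation(sbox):
    """Input mask a, output mask b (both non-zero) with the largest bias: (a, b, probability)."""
    t, n = linear_approximation_table(sbox), len(sbox)
    a, b = max(((a, b) for a in range(1, n) for b in range(1, n)),
               key=lambda ab: abs(t[ab[0]][ab[1]]))
    return a, b, 0.5 + t[a][b] / n


def verify_linear(sbox, a: int, b: int) -> float:
    """Re-measure by brute force the probability that a.x == b.S(x)."""
    n = len(sbox)
    return sum(parity(a & x) == parity(b & sbox[x]) for x in range(n)) / n


def verify_differential(sbox, dx: int, dy: int) -> float:
    """Re-measure by brute force the probability that S(x) ^ S(x ^ dx) == dy."""
    n = len(sbox)
    return sum(sbox[x] ^ sbox[x ^ dx] == dy for x in range(n)) / n


if __name__ == "__main__":
    print("best differential (dx, dy, p):", best_differential(SBOX))
    print("best linear approximation (a, b, p):", best_linear_approximation(SBOX))
```

For this S-box the input difference B (hex) produces the output difference 2 for 8 of the 16 inputs, a probability of 1/2 that is large enough to chain through several rounds, while the linear equation with masks (6, B) holds for 12 of 16 inputs; the design goal of a good S-box is to keep the largest entries of both tables small, which is exactly what the DES designers adjusted after learning of the "T attack".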

Q.28) Encrypt the following plaintext using Playfair cipher:- Plaintext - WILLIAMSTALLING, Keyword - INFOTECH

Plaintext: WILLIAMSTALLING
Keyword: INFOTECH

By using the Playfair cipher encryption method, the 5x5 matrix is constructed from the keyword INFOTECH (which has no repeated letters) followed by the remaining letters of the alphabet, with I/J treated as one letter:

I N F O T
E C H A B
D G K L M
P Q R S U
V W X Y Z

Adjacent identical letters (the two occurrences of LL) are separated with the filler X, and the odd letter at the end is padded with X, giving the digraphs:

WI LX LI AM ST AL XL IN GX

Plaintext - Ciphertext
WI - VN
LX - KY
LI - DO
AM - BL
ST - UO
AL - LS (same column)
XL - YK
IN - NF (same row)
GX - KW

Thus, the required ciphertext is VNKYDOBLUOLSYKNFKW.
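The Playfair worked examples of Q.22(i) and Q.28, as an added Python example that is not code from the notes. It follows the conventions the notes use: J is merged into I, a filler X is inserted between adjacent identical letters and appended to an odd-length message, and the rules are same row / same column / rectangle; decryption is the same routine with the row and column shifts reversed. All function names are this example's own.

```python
ALPHABET_25 = "ABCDEFGHIKLMNOPQRSTUVWXYZ"     # J is merged into I


def playfair_matrix(keyword: str):
    """5x5 key square: keyword letters (duplicates dropped) then the rest of the alphabet."""
    cells, seen = [], set()
    for ch in keyword.upper() + ALPHABET_25:
        ch = "I" if ch == "J" else ch
        if ch.isalpha() and ch not in seen:
            seen.add(ch)
            cells.append(ch)
    return [cells[r * 5:(r + 1) * 5] for r in range(5)]


def prepare(plaintext: str, filler: str = "X") -> str:
    """Letters only, J -> I, a filler between adjacent identical letters (the convention
    of the notes, e.g. WILLIAMSTALLING -> WILXLIAMSTALXLING), padded to even length."""
    letters = ["I" if c == "J" else c for c in plaintext.upper() if c.isalpha()]
    out = []
    for c in letters:
        if out and out[-1] == c:
            out.append(filler)
        out.append(c)
    if len(out) % 2:
        out.append(filler)
    return "".join(out)


def _crypt(text: str, keyword: str, shift: int) -> str:
    m = playfair_matrix(keyword)
    pos = {m[r][c]: (r, c) for r in range(5) for c in range(5)}
    out = []
    for a, b in zip(text[::2], text[1::2]):
        (ra, ca), (rb, cb) = pos[a], pos[b]
        if ra == rb:                                   # same row: move right (left to decrypt)
            out += m[ra][(ca + shift) % 5], m[rb][(cb + shift) % 5]
        elif ca == cb:                                 # same column: move down (up to decrypt)
            out += m[(ra + shift) % 5][ca], m[(rb + shift) % 5][cb]
        else:                                          # rectangle: keep rows, swap columns
            out += m[ra][cb], m[rb][ca]
    return "".join(out)


def playfair_encrypt(plaintext: str, keyword: str) -> str:
    return _crypt(prepare(plaintext), keyword, +1)


def playfair_decrypt(ciphertext: str, keyword: str) -> str:
    """Returns the prepared plaintext, fillers included (the reader strips them)."""
    return _crypt(ciphertext.upper(), keyword, -1)


if __name__ == "__main__":
    for pt, kw in (("IAMINSEVENTHSEM", "EIGHT"), ("WILLIAMSTALLING", "INFOTECH")):
        print("\n".join(" ".join(row) for row in playfair_matrix(kw)))
        ct = playfair_encrypt(pt, kw)
        print(pt, "->", ct, "->", playfair_decrypt(ct, kw), "\n")
```

A Playfair ciphertext always has an even number of letters and never contains a digraph of two identical letters, and since the rectangle rule is symmetric, the digraph AB encrypts to the reverse of what BA encrypts to; these regularities are what a cryptanalyst uses against it.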

Q.29) Explain Triple-DES algorithm with the help of encryption and decryption.

The possibility of known-plaintext attacks on triple DES with two keys has enticed some applications to use triple DES with three keys. Triple DES with three keys is used by many applications such as PGP.

Encryption: C = E_K3(D_K2(E_K1(P)))
Decryption: P = D_K1(E_K2(D_K3(C)))

• There is no cryptographic significance to the middle decrypt operation; its purpose is that 3DES is backward compatible with existing single DES when K1 = K2 = K3 (the first two operations then cancel, leaving a single DES encryption).
• Two-key triple DES sets K1 = K3 (an effective 112-bit key); three-key triple DES uses three independent keys (168 bits).

Security of Triple DES:
• no known practical attacks
• brute-force search is infeasible (2^112 or 2^168 keys)
• meet-in-the-middle attacks need 2^56 plaintext-ciphertext pairs per key

Triple DES is a popular current alternative to single DES; its major disadvantage is speed (three DES operations per block, so it is 3x slower).


Q.30) Explain various types of Cryptanalytic attacks on security.

Cryptanalytic attacks rely on the nature of the algorithm plus perhaps some knowledge of the general characteristics of the plaintext or even some sample plaintext-ciphertext pairs. They are classified by the amount of information available to the cryptanalyst, from least to most (see also Q.21):

1. Ciphertext only - only the algorithm and the ciphertext are known; the attack is statistical and relies on knowing or being able to identify properties of the plaintext. This is the most difficult case for the attacker.
2. Known plaintext - one or more plaintext-ciphertext pairs are known or suspected. Encryption algorithms are generally designed to withstand this attack.
3. Chosen plaintext - the attacker selects plaintexts and obtains the corresponding ciphertexts.
4. Chosen ciphertext - the attacker selects ciphertexts and obtains the corresponding plaintexts.
5. Chosen text - the attacker selects plaintexts or ciphertexts to be encrypted or decrypted.

In some cases not even the encryption algorithm is known, but in general we assume that the opponent knows the algorithm used for encryption.

Brute-force attacks try every possible key on a piece of ciphertext until an intelligible translation into plaintext is obtained. On average, half of all possible keys must be tried to achieve success.

Q.31) "Poly-alphabetic ciphers are more secure than mono-alphabetic ciphers". Comment.

Monoalphabetic cipher: rather than just shifting the alphabet (as the Caesar cipher does), the letters can be shuffled arbitrarily; each plaintext letter maps to a different, fixed ciphertext letter, hence the key is a 26-letter permutation (26! possible keys, about 4 x 10^26).

Plaintext:  abcdefghijklmnopqrstuvwxyz
Ciphertext: DKVQFIBJWPESCXHTMYAUOLRGZN

The large key space does not make the cipher secure: because each plaintext letter always becomes the same ciphertext letter, the letter-frequency distribution of the language is preserved in the ciphertext (only relabelled), and the cipher is broken by frequency analysis of the ciphertext alone.

Polyalphabetic ciphers (e.g. Vigenère) improve security by using multiple cipher alphabets: a key selects which alphabet is used for each letter of the message, each alphabet is used in turn, and the sequence repeats from the start after the end of the key is reached. This makes cryptanalysis harder, since there are more alphabets to guess and the same plaintext letter is encrypted to different ciphertext letters, giving a flatter frequency distribution. (With a short repeating key the period can still be found, for example by the Kasiski method, after which each alphabet is attacked separately as a monoalphabetic cipher.)

Therefore polyalphabetic ciphers are more secure than monoalphabetic ciphers.
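The frequency argument above, made measurable, as an added Python example that is not code from the notes. It encrypts a constructed English paragraph with the monoalphabetic key given above and with a Vigenère key, and compares the index of coincidence (the probability that two letters drawn from a text are equal, about 0.066 for English and 1/26 for uniformly random letters) of plaintext and both ciphertexts. The sample text, the Vigenère key "CIPHERS" and the function names are this example's own.

```python
from collections import Counter
import string

MONO_KEY = "DKVQFIBJWPESCXHTMYAUOLRGZN"     # the substitution alphabet given in the notes
UPPER = string.ascii_uppercase


def letters_only(text: str) -> str:
    return "".join(c for c in text.upper() if c.isalpha())


def mono_encrypt(plaintext: str, key: str = MONO_KEY) -> str:
    """Monoalphabetic: one fixed 26-letter permutation for the whole message."""
    return letters_only(plaintext).translate(str.maketrans(UPPER, key))


def mono_decrypt(ciphertext: str, key: str = MONO_KEY) -> str:
    return ciphertext.translate(str.maketrans(key, UPPER))


def vigenere_encrypt(plaintext: str, key: str) -> str:
    """Polyalphabetic: letter i is shifted by key[i mod len(key)], so each key letter
    selects one of 26 Caesar alphabets and the alphabet changes from letter to letter."""
    pt, key = letters_only(plaintext), key.upper()
    return "".join(UPPER[(UPPER.index(c) + UPPER.index(key[i % len(key)])) % 26]
                   for i, c in enumerate(pt))


def vigenere_decrypt(ciphertext: str, key: str) -> str:
    key = key.upper()
    return "".join(UPPER[(UPPER.index(c) - UPPER.index(key[i % len(key)])) % 26]
                   for i, c in enumerate(ciphertext))


def index_of_coincidence(text: str) -> float:
    """Probability that two letters drawn at random from the text are the same:
    about 0.066 for English, 1/26 = 0.038 for uniformly random letters."""
    t = letters_only(text)
    n = len(t)
    return sum(c * (c - 1) for c in Counter(t).values()) / (n * (n - 1))


def top_letters(text: str, k: int = 3) -> list:
    return [c for c, _ in Counter(letters_only(text)).most_common(k)]


# Constructed sample text (not from the notes).
SAMPLE = ("Monoalphabetic substitution keeps the frequency distribution of the language "
          "intact because every plaintext letter is always replaced by the same ciphertext "
          "letter so the most common ciphertext letter almost certainly stands for E and the "
          "rest of the alphabet can be recovered by frequency analysis. A polyalphabetic "
          "cipher uses several substitution alphabets in turn so the same plaintext letter "
          "produces different ciphertext letters and the frequency distribution is flattened "
          "toward uniform although with a short repeating keyword the period can still be "
          "found by the Kasiski test and each alphabet attacked separately as a Caesar shift.")

if __name__ == "__main__":
    mono, poly = mono_encrypt(SAMPLE), vigenere_encrypt(SAMPLE, "CIPHERS")
    for name, text in (("plaintext", SAMPLE), ("monoalphabetic", mono), ("Vigenere", poly)):
        print(f"{name:15} IC = {index_of_coincidence(text):.4f}  top letters = {top_letters(text)}")
```

The monoalphabetic ciphertext has exactly the plaintext's index of coincidence, because a permutation of the alphabet only relabels the counts, and its most frequent letter is simply the image of the plaintext's most frequent letter; the Vigenère ciphertext's index drops toward the random value, which is the "flatter distribution" the answer refers to.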

Q.32) Sort out the difference between substitution technique and transposition technique with example.

Substitution technique: substitution ciphers form the first of the fundamental building blocks. The core idea is to replace one basic unit (letter/byte) with another, so the units change their values but keep their positions. Examples: Playfair cipher, Caesar cipher, Hill cipher.

Playfair cipher: one way to reduce the "spikiness" of natural-language letter frequencies is to encrypt more than one letter at once, since if one letter is always mapped to another, the frequency distribution is merely shuffled. The Playfair cipher is an example of doing this. The best-known multiple-letter encryption cipher is the Playfair, which treats digrams in the plaintext as single units and translates these units into ciphertext digrams. The Playfair algorithm is based on the use of a 5x5 matrix of letters constructed using a keyword. The rules for filling in this 5x5 matrix are: left to right, top to bottom, first with the keyword after duplicate letters have been removed, and then with the remaining letters of the alphabet, with I/J used as a single letter.

e.g. using the keyword EIGHT:

E I G H T
A B C D F
K L M N O
P Q R S U
V W X Y Z

Transposition technique: a very different kind of mapping is achieved by performing some sort of permutation on the plaintext letters. This technique is referred to as a transposition cipher, and forms the second basic building block of ciphers. The core idea is to rearrange the order of the basic units (letters/bytes/bits) without altering their actual values, so the ciphertext has exactly the same letter frequencies as the plaintext. The simplest such cipher is the rail fence technique, in which the plaintext is written down as a sequence of diagonals and then read off as a sequence of rows. The example message is "meet me after the toga party" with a rail fence of depth 2. This sort of thing would be trivial to cryptanalyze.

e.g. write the message out as:

m e m a t r h t g p r y
 e t e f e t e o a a t

giving ciphertext MEMATRHTGPRYETEFETEOAAT
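The transposition examples of this answer (rail fence of depth 2) and of Q.22(ii) (2-stage columnar transposition with key CLASS), as an added Python example that is not code from the notes. The rail fence is implemented for any depth, the columnar cipher handles an incomplete last row, and both have the decryption routines the notes omit; function names are this example's own.

```python
def letters(text: str) -> str:
    return "".join(c for c in text if c.isalpha())


def rail_pattern(n: int, depth: int) -> list:
    """Which rail each of n successive letters falls on (0, 1, ..., depth-1, ..., 1, 0, ...)."""
    pattern, rail, step = [], 0, 1
    for _ in range(n):
        pattern.append(rail)
        if depth > 1:
            if rail == 0:
                step = 1
            elif rail == depth - 1:
                step = -1
            rail += step
    return pattern


def rail_fence_encrypt(plaintext: str, depth: int = 2) -> str:
    """Write the letters along diagonals, read them off rail by rail."""
    text = letters(plaintext).upper()
    pattern = rail_pattern(len(text), depth)
    return "".join(text[i] for rail in range(depth) for i in range(len(text)) if pattern[i] == rail)


def rail_fence_decrypt(ciphertext: str, depth: int = 2) -> str:
    pattern = rail_pattern(len(ciphertext), depth)
    order = sorted(range(len(ciphertext)), key=lambda i: (pattern[i], i))   # read-out order
    out = [""] * len(ciphertext)
    for ct_index, position in enumerate(order):
        out[position] = ciphertext[ct_index]
    return "".join(out)


def column_order(key: str) -> list:
    """Columns in read-out order: alphabetical by key letter, equal letters left to right."""
    key = key.upper()
    return sorted(range(len(key)), key=lambda i: (key[i], i))


def columnar_encrypt(plaintext: str, key: str) -> str:
    text = letters(plaintext).lower()                    # the notes write these in lower case
    k = len(key)
    rows = [text[i:i + k] for i in range(0, len(text), k)]
    return "".join(row[c] for c in column_order(key) for row in rows if c < len(row))


def columnar_decrypt(ciphertext: str, key: str) -> str:
    k, n = len(key), len(ciphertext)
    full, extra = divmod(n, k)                           # column c has one extra letter if c < extra
    cols, i = {}, 0
    for c in column_order(key):
        length = full + (1 if c < extra else 0)
        cols[c], i = ciphertext[i:i + length], i + length
    return "".join(cols[c][r] for r in range(full + (1 if extra else 0))
                   for c in range(k) if r < len(cols[c]))


def multi_stage_columnar(plaintext: str, key: str, stages: int = 2) -> str:
    """Apply the columnar transposition repeatedly (2 stages in Q.22)."""
    text = plaintext
    for _ in range(stages):
        text = columnar_encrypt(text, key)
    return text


def multi_stage_columnar_decrypt(ciphertext: str, key: str, stages: int = 2) -> str:
    text = ciphertext
    for _ in range(stages):
        text = columnar_decrypt(text, key)
    return text


if __name__ == "__main__":
    print(rail_fence_encrypt("meet me after the toga party"))
    print(columnar_encrypt("IAMINSEVENTHSEM", "CLASS"))
    print(multi_stage_columnar("IAMINSEVENTHSEM", "CLASS"))
```

Because a transposition never changes a letter's value, sorting the letters of any of these ciphertexts gives the sorted plaintext; that is the quickest way to recognise a transposition cipher and the reason the notes call the rail fence trivial to cryptanalyze.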