An introduction to cryptography By-Aditya Raina

[email protected]

I have given history short-shrift in my attempt to get to modern cryptography as quickly as possible. Any mistakes in this document are mine. Please notify me of any that you find at the above e-mail address.

Table of contentsPart I: Introduction1 Vocabulary2 Concepts3 History4 Crash Course in Number Theory

Part II: Cryptography5. Simple Cryptosystems6. Symmetric key cryptography7. Cryptography Algorithms7.1 Symmetric key Algorithms 1. Block Ciphers1. A RIJNDAEL1. B CAMELLIA 2. Stream Ciphers2. A RABBIT8. Finite Fields9. Modern Stream Ciphers9.1 RC49.2 One-Time Pads10. Modern Block Ciphers10.1 Modes of Operation of a Block Cipher10.2 The Block Cipher DES10.3 The Block Cipher AES11. Public Key Cryptography11.1 Public Key Algorithms11.1.1. RSA11.2. Key Management 11.2 .1 Finite Field Discrete Logarithm Problem11.2.2. Diffie-Hellman Key Agreement11.3. Elliptic Curve Cryptography12. Hash functions and Message Authentication Codes12. a SHA-0, SHA-112. b The MD5 hash function12. c WHIRLPOOL12. d RIPEMD12. e SHACAL12.1 Security of Hash Functions12.2 MAC13 Signatures and Authentication

13.1 Public Key digital signatures

Part III: Applications of Cryptography14.1 E-mail Security14.2 IP-Security14.3 Web Security15 Time-stamping16 KERBEROS17 Key Management and Salting18 Quantum Cryptography

Part IV: Introduction to System Security19. Intruders19.1 Intrusion Detection20. Password Management20.1 Password Protection21. Firewalls21.1 Firewall Characteristics22. Cryptography Failures

Part V: Cryptanalysis23 Basic Concepts of Cryptanalysis23.1 Cryptanalytic Attacks

Introduction To “Cryptography: A Black Art”

Cryptography is a fundamental building block for building information systems, and as we enter the so-called "information age" of global networks, ubiquitous computing devices, and electronic commerce, we can expect that the cryptography will become more and more important with time. It is used to hide information. It is not only use by spies but for phone, fax and e-mail communication, bank transactions, bank account security, PINs, passwords and credit card transactions on the web. It is also used for a variety of other information security issues including electronic signatures, which are used to prove who sent a message. The main goal of cryptography is to adequately address the following four areas in both theory and practice:a) Confidentiality is a service used to keep the content of information from all but those authorized to have it. Secrecy is a term synonymous with confidentiality and privacy. There are numerous approaches to providing confidentiality, ranging from physical protection to mathematical algorithms which render data unintelligible.b) Data integrity is a service which addresses the unauthorized alteration of data. To assure data integrity, one must have the ability to detect data manipulation byunauthorized parties. Data manipulation includes such things as insertion, deletion, and substitution.3) Authentication is a service related to identification. This function applies to both entities and information itself. Two parties entering into a communication should identify each other. Information delivered over a channel should be authenticated as to origin, date of origin, data content, time sent, etc. For these reasons this aspect of cryptography is usually subdivided into two major classes: entity authentication and data origin authentication. Data origin authentication implicitly provides data integrity (for if a message is modified, the source has changed).4) Non-repudiation is a service which prevents an entity from denying previous commitments or actions. When disputes arise due to an entity denying that certain actions were taken, a means to resolve the situation is necessary. For example, one entity may authorize the purchase of property by another entity and later deny such authorization was granted. A procedure involving a trusted third party is needed to resolve the dispute.

1 VocabularyA plaintext message, or simply a plaintext, is a message to be communicated. A misguided version of a plaintext message is a ciphertext message or simply a ciphertext. The process of creating a ciphertext from a plaintext is called encryption. The process of turning a ciphertext back into a plaintext is called decryption. The verbs encipher and decipher are synonymous with the verbs encrypt and decrypt. In England, cryptology is the study of encryption and decryption and cryptography is the application of them. In the U.S., the terms are synonymous, and the latter term is used more commonly. In non-technical English, the term encode is often used as a synonym for encrypt. To encode a plaintext changes the plaintext into a series of bits(Usually) or numbers (traditionally). A bit is simply a 0 or a 1. There is nothing secret about encoding. A simple encoding of the alphabet would

be A! 0, Z! 25. Using this, we could encode the message HELLO as 7 4 11 11 14. The most common method of encoding a message nowadays is to replace it by its ASCII equivalent, which is an 8 bit representation for each symbol. Decoding turns bits or numbers back into plaintext.

Plaintext encryption cipher text decryption plaintext

Figure1-1. Encryption and decryption

A stream cipher operates on a message symbol-by-symbol, or nowadays bit-by-bit. A block cipher operates on blocks of symbols. A digraph is a pair of letters and a trigraph is a triple of letters. These are blocks that were used historically in cryptography. The Advanced Encryption Standard (AES) operates on 128 bit strings. So when AES is used to encrypt a text message, it encrypts blocks of 128/8 = 16 symbols. A transposition cipher rearranges the letters, symbols or bits in a plaintext. A substitution cipher replaces letters, symbols or bits in a plaintext with others without changing the order. A product cipher alternates transposition and substitution. The concept of stream versus block cipher really only applies to substitution and product ciphers, not transposition ciphers. An algorithm is a series of steps performed by a computer (nowadays) or a person (traditionally) to perform some task. 2. Cryptosystem:In this meaning, the term Cryptosystem is used as shorthand for "cryptographic system". A cryptographic system is any computer system that involves cryptography. Such systems include for instance, a system for secure electronic mail which might include methods for digital signatures, cryptographic hash functions, key management techniques, and so on. Cryptographic systems are made up of cryptographic primitives, and are usually rather complex. Because of this, breaking a cryptosystem is not restricted to breaking the underlying cryptographic algorithms - usually it is far easier to break the system as a whole, e.g., through the not uncommon misconceptions of users in respect to the cryptosystem. The systematic arrangement of cypher text can abide the security.

Meaning in the context of cryptography:In this meaning, a Cryptosystem refers to a suite of algorithms needed to implement a particular form of encryption and decryption. Typically, a cryptosystem consists of three algorithms:1. for key generation, 2. for encryption, and 3. for decryption. The term cipher (sometimes cypher) is often used to refer to a pair of algorithms, one for encryption and one for decryption. Therefore, the term "cryptosystem" is most often used when the key generation algorithm is important. For this reason, the term

"cryptosystem" is commonly used to refer to public key techniques; however both "cipher" and "cryptosystem" are used for symmetric key techniques.

CRYPTOSYSTEMS AND KEYS By definition, a cryptosystem is the combination of three elements: an encryption engine, keying information, and operational procedures for their secure use. In order to cryptographically secure high-value data on a hard disk (or on back-up media), it is necessary to employ a high-grade cryptosystem: one which even an attacker possessing both a copy of your encryption engine and knowledge of your operating procedures cannot break without your keying information.

Cryptanalysis is the process by which the enemy tries to turn Cipher text into Plaintext. It can also mean the study of this.Cryptosystems come in 3 kinds:1. Those that have been broken (most).2. Those that have not yet been analysed (because they are new and not yet widely used).3. Those that have been analysed but not broken. (RSA, Discrete log cryptosystems, Triple- DES, AES).# Three most common ways for the enemy to turn ciphertext into plaintext:1. Steal/purchase/bribe to get key2. Exploit sloppy implementation/protocol problems (hacking). Examples: someone used spouse’s name as key, someone sent key along with message3. Cryptanalysis Alice is the sender of an encrypted message. Bob is the recipient. Eve is the eavesdropper who tries to read the encrypted message.

3 History400 BC Spartan sky tale cipher (sounds like Italy). Example of transposition cipher. Letters were written on a long thin strip of leather wrapped around a cylinder. The diameter of the cylinder was the key._____________________________/T/H/I/S/I/S/_/ / \/ /H/O/W/I/T/ | |/ /W/O/U/L/D/ \ /------------------------------------------------Julius Caesar’s substitution cipher. Shift all letters three to the right. In our alphabetthat would send A! D, B! E, Z! C.

Cryptography has a long and fascinating history. The predominant practitioners of the art were those associated with the military, the diplomatic service and government in general. Cryptography was used as a tool to protect national secrets and strategies. The proliferation of computers &communications systems in the 1960s brought with it a demand from the private sector for means to protect information in digital form and to provide security services. Beginning with the work of Feistel at IBM in the early 1970s and culminating in 1977 with the adoption as a U.S. Federal Information Processing Standard for encrypting unclassified information, DES, the Data Encryption Standard, is the most well-known

cryptographic mechanism in history. It remains the standard means for securing electronic commerce for many financial institutions around the world. The most striking development in the history of cryptography came in 1976 when Diffie and Hellman published “New Directions in Cryptography”. This paper introduced the revolutionary concept of public-key cryptography and also provided a new and ingenious method for key exchange, the security of which is based on the intractability of the discrete logarithm problem. Although the authors had no practical realization of a public-key encryption scheme at the time, the idea was clear and it generated extensive interest and activity in the cryptographic community. In 1978 Rivest, Shamir, and Adleman discovered the first practical public-key encryption and signature scheme, now referred to as RSA. The RSA scheme is based on another hard mathematical problem, the intractability of factoring large integers. Thisapplication of a hard mathematical problem to cryptography revitalized efforts to find more efficient methods to factor.The 1980s saw major advances in this area but none which rendered the RSA system insecure. Another class of powerful and practical public-key schemes was found by ElGamal in 1985. These are also based on the discrete logarithm problem. One of the most significant contributions provided by public-key cryptography is thedigital signature. In 1991 the first international standard for digital signatures (ISO/IEC 9796) was adopted. It is based on the RSA public-key scheme. In 1994 the U.S. Government adopted the Digital Signature Standard, a mechanism based on the El Gamal public key scheme.The search for new public-key schemes, improvements to existing cryptographic mechanisms, and proofs of security continues at a rapid pace. Various standards and infrastructures involving cryptography are being put in place. Security products are being developed to address the security needs of an information intensive society.

4 Crash course in Number TheoryLet Z denote the integers . . . , −2, −1, 0, 1, 2, . ... The symbol 2 means is an element of. If a, b 2 Z we say a divides b if b = na for some n 2 Z and write a|b. a divides b is just another way of saying b is a multiple of a. So 3|12 since 12 = 4 · 3, 3|3 since 3 = 1 · 3, 5| − 5 since −5 = −1 · 5, 6|0 since 0 = 0 · 6. If x|1, what is x? (Answer ±1). Properties:If a, b, c 2 Z and a|b then a|bc. I.e., since 3|12 then 3|60.If a|b and b|c then a|c.If a|b and a|c then a|b ± c.If a|b and a 6 |c (not divide) then a 6 |b ± c.The primes are 2, 3, 5, 7, 11, 13 . ...The Fundamental Theorem of Arithmetic: Any n 2 Z, n > 1, can be written uniquely as a product of powers of distinct primes. For example 90 = 21 · 32 · 51.Given a, b € Z_0 (the non-negative integers), not both 0, the greatest common divisor of a and b is the largest integer d dividing both a and b. It is denoted gcd(a, b) or just (a, b). As examples: gcd (12, 18) = 6, gcd (12, 19) = 1.To get the fraction 12/18 into lowest terms, cancel the 6’s. The fraction 12/19 is already in lowest terms.

If you have the factorization of a and b written out, then take the product of the primes to the minimum of the two exponents, for each prime, to get the gcd. 2520 = 23 · 32 · 51 · 71

and 2700 = 22 · 33 · 52 · 70 so gcd (2520, 2700) = 22 · 32 · 51 · 70 = 180. Note 2520/180 = 14, 2700/180 = 15 and gcd (14, 15) = 1. We say that two numbers with gcd equal to 1 are relatively prime.Factoring is slow with large numbers. The Euclidean algorithm for gcd’ing is very fastwith large numbers. Find gcd (329, 119). Recall long division. When dividing 119 into 329 you get 2 with remainder of 91. At each step, previous divisor and remainder become the new dividend and divisor.329 = 2 · 119 + 91119 = 1 · 91 + 2891 = 3 · 28 + 728 = 4 · 7 + 0The number above the 0 is the gcd. So gcd (329, 119) = 7.

Part II - Cryptography

In this section we shall introduce the major methods of encryption, hashing and signatures.

5 Simple CryptosystemsLet P be the set of possible plaintext messages. For example it might be the set { A, B,. . . ,Z } of size 26 or the set { AA, AB, . . . ,ZZ } of size 26^2. Let C be the set of possible ciphertext messages.An enciphering transformation f is a map from P to C. f shouldn’t send different plaintext messages to the same ciphertext message (so f should be one-to-one or injective).We’ll start with a cryptosystem based on single letters. You can replace letters by other letters. Having a weird permutation is slow, like A! F, B! Q, C! N,. ... There’s less storage if you have a mathematical rule to govern encryption and decryption.Shift transformation: P is plaintext letter/number A=0, B=1, Z=25. The Caesar cipher is an example: Encryption is given by C _ P + 3(mod26) and so decryption is given by P _ C − 3(mod26). This is the Caesar cipher. If you have an N letter alphabet, a shift enciphering transformation is C _ P + b (modN) where b is the encrypting key and –b is the decrypting key.

6. Symmetric key cryptographyIn symmetric key cryptosystem, Alice and Bob must agree on a secret, shared key ahead of time. We will consider stream ciphers and block ciphers.

7. CRYPTOGRAPHY ALGORITHMS

7.1 SYMMETRIC KEY ALGORITHMS

I. BLOCK CIPHERS

Symmetric (secret key) encryption schemes use the same key for encryption and decryption and usually have predefined key lengths. They provide a high security and a high performance, but suffer from the key exchange problem. A group of n entities needs to exchange n*(n−1)/2 different keys over secure channels. The current state of the art in symmetric encryption is surely given by the five finalists of the AES selection process. In the AES competition, the winner, Rijndael, got 86 votes at the last AES conference while Serpent got 59 votes, Twofish 31 votes, RC6 23 votes and MARS 13 votes Nechvatal et al.

A. RIJNDAELRijndael, is a block cipher adopted as an encryption standard by the US government. It is expected to be used worldwide and analysed extensively, as was the case withits predecessor, the Data Encryption Standard (DES). AES was adopted by National Institute of Standards and Technology (NIST) as US FIPS PUB 197 in November2001 after a 5-year standardization process. The cipher was developed by two Belgian cryptographers, Joan Daemen and Vincent Rijmen, and submitted to the AES selection process under the name "Rijndael", a combination of the names of the inventors. Strictly speaking, AES is not precisely Rijndael (although in practice they are used interchangeably) as Rijndaelsupports a larger range of block and key sizes; AES has a fixed block size of 128 bits and a key size of 128, 192 or 256 bits, whereas Rijndael can be specified with key and block sizes in any multiple of 32 bits, with a minimum of 128 bits and a maximum of 256 bits. The key is expanded using Rijndael's key schedule. Most of AES calculations are done in a special finite field. AES operates on a 4×4 array of bytes, termed the state -versions of Rijndael with a larger block size have additionalcolumns in the state. For encryption, each round of AES, except the last round consists of four stages:_ AddRoundKey — each byte of the state is combined with the round key; each round key is derived from the cipher key using a key schedule._ SubBytes — a non-linear substitution step where each byte is replaced with another according to a lookup table._ Shift Rows — a transposition step where each row of the state is shifted cyclically a certain number of steps._ Mix Columns — a mixing operation which operates on the columns of the state, combining the four bytes in each column using a linear transformation. The final round replaces the Mix Columns stage with another instance of AddRoundKey.

SECURITYAs of 2006, the only successful attacks against AES have been side channel attacks. The National Security Agency (NSA) reviewed all the AES finalists, including Rijndael, and stated that all of them were secure enough for US Government non-classified data. In June 2003, the US Government announced [9] that AES may be used for classified information:“The design and strength of all key lengths of the AES algorithm (i.e., 128, 192 and 256) are sufficient to protect classified information up to the SECRET level. TOPSECRET information will require use of either the 192 or 256 key lengths. The implementation of AES in products intended to protect national security systems and/or information must be reviewed and certified by NSA prior totheir acquisition and use."This marks the first time that the public has had access to a cipher approved by NSA for TOP SECRET information. It is interesting to note that many public products use

128-bit secret keys by default; it is possible that NSA suspects a fundamental weakness in keys this short, or they may simply prefer a safety margin for top secret documents (which may require security decades into the future). The most common way to attack block ciphers is to try various attacks on versions of the cipher with a reduced number of rounds. AES has 10 rounds for 128-bit keys, 12 rounds for 192-bit keys, and 14 rounds for 256-bit keys. As of 2006, the best known attacks are on 7 rounds for 128-bit keys, 8 rounds for 192-bit keys, and 9 rounds for 256-bit keys.

Some cryptographers worry about the security of AES. They feel that the margin between the number of rounds specified in the cipher and the best known attacks is too small for comfort. The risk is that some way to improve these attacks might be found and that, if so, the cipher could be broken. In this meaning, a cryptographic "break" is anything faster than an exhaustive search, so an attack against 128-bit key AES requiring 'only' 2120 operations would be considered a break even though it would be, now, quite unfeasible. In practical application, any break of AES which is only this 'good' would be irrelevant. For the moment, such concerns can be ignored. The largest publicly-known brute-force attack has been against a 64 bit RC5 key by distributed.net (finishing in 2002; Moore's Law implies that this is roughly equivalent to an attack on a 66- bit key today). Another concern is the mathematical structure of AES. Unlike most other block ciphers, AES has a very neat mathematical description. This has not yet led to any attacks, but some researchers are worried that future attacks may find a way to exploit this structure. In 2002, a theoretical attack, termed the "XSL attack", was announced by Nicolas Courtois and Josef Pieprzyk, showing a potential weakness in the AES algorithm. Several cryptography experts have found problems in the underlying mathematics of the proposed attack, suggesting that the authors may have made a mistake in their estimates. Whether this line of attack can be made to work against AES remains an open question. For the moment, the XSL attack against AES appears speculative; it is unlikely thatanyone could carry out the current attack in practice.

B. CAMELLIAThe cipher was developed jointly by Mitsubishi and NTT in 2000 , and has similar design elements to earlier block ciphers (E2 and MISTY1) from these companies.Camellia has a block size of 128 bits, and can use 128-bit, 192-bit or 256-bit keys — the same interface as the Advanced Encryption Standard. It is a Feistel cipher witheither 18 rounds (if the key is 128 bits) or 24 rounds (if the key is 192 or 256 bits). Every six rounds, a logical transformation layer is applied: the so-called "FL-function"or its inverse. The cipher also uses input and output key whitening.We will focus on the use of the Camellia block cipher algorithm in Cipher Block Chaining Mode, with an explicit Initialization Vector, as a confidentiality mechanism within the context of the IPsec Encapsulating Security Payload (ESP). Camellia was selected as a recommended cryptographic primitive by the EU NESSIE (New European Schemes for Signatures, Integrity and Encryption) project and was included in the list of cryptographic techniques for Japanese e-Government systems that was selected by the Japan CRYPTREC (Cryptography Research, Evaluation Committees). Camellia has been submitted to several other standardization bodies, such as ISO (ISO/IEC 18033) and the IETF S/MIME Mail Security Working Group. Camellia supports 128-bit block size and 128-, 192-, and 256-bit key lengths, i.e., the same interface specifications as the Advanced Encryption Standard (AES).Camellia is a symmetric cipher with a Feistel structure. Camillia was developed jointly by NTT and Mitsubishi Electric Corporation in 2000. It was designed to withstand all known cryptanalytic attacks, and it has been scrutinized by worldwide cryptographic

experts. Camellia is suitable for implementation in software and hardware, offering encryption speed in software and hardware implementations that is comparable to AES.Camellia supports three key sizes: 128 bits, 192 bits, and 256 bits. The default key size is 128 bits, and all implementations must support this key size. Implementations may also support key sizes of 192 bits and 256 bits. Camellia uses a different number of rounds for each of the defined key sizes. When a 128-bit key is used,implementations must use 18 rounds. When a 192-bit key is used, implementations must use 24 rounds. When a 256-bit key is used, implementations must use 24 rounds. At the time of writing this document, there are no known weak keys for Camellia.

SECURITYImplementations are encouraged to use the largest key sizes they can, taking into account performance considerations for their particular hardware and software configuration. Note that encryption necessarily affects both sides of a secure channel, so such consideration must take into account not only the client side, but also the server.However, a key size of 128 bits is considered secure for the foreseeable future. No security problem has been found on Camellia [CRYPTREC]. Although patented, Camellia is available under a royalty-free license.

II. STREAM CIPHERSA. RABBITRabbit is a high-speed stream cipher first presented in February 2003 at the 10th FSE workshop by Martin Boesgaard, Mette Vesterager, Thomas Christensen and Erik Zenner. In May 2005, it was submitted to the eSTREAM. Cryptico has patented the algorithm and requires a license fee for commercial use of the cipher. The license fee is waived for non-commercial uses.The internal state of the stream cipher consists of 513 bits. 512 bits are divided between eight 32-bit state variables xj,I and eight 32-bit counter variables cj,i, where xj,i is the state variable of subsystem j at iteration i, and cj,i denote the corresponding counter variables. There is one counter carry bit, Á7,i, which needs to be stored between iterations. This counter carry bit is initialized to zero. The eight statevariables and the eight counters are derived from the key at initialization.The algorithm is initialized by expanding the 128-bit key into both the eight state variables and the eight counters such that there is a one-to-one correspondence between the key and the initial state variables, xj,0, and the initial counters, cj,0.The key, K[127..0], is divided into eight subkeys: k0 = K[15..0], k1 = K[31..16], ..., k7 =K[127..112].

The state and counter variables are initialized from the sub keys as follows:The system is iterated four times, according to the next state function defined below, to diminish correlations between bits in the key and bits in the internal state variables. Finally, the counter values are re-initialized according to:cj,4=cj,4 XOR x(j+4 mod 8),4 to prevent recovery of the key by inversion of the counter system. The core of the Rabbit algorithm is the iteration of the system defined by the following equations:x0,i+1 = g0,i + (g7,i<<< 16) + (g6,i<<< 16)x1,i+1 = g1,i + (g0,i<<< 8) + g7,ix2,i+1 = g2,i + (g1,i<<< 16) + (g0,i<<< 16)

x3,i+1 = g3,i + (g2,i<<< 8) + g1,ix4,i+1 = g4,i + (g3,i<<< 16) + (g2,i<<< 16)x5,i+1 = g5,i + (g4,i<<< 8) + g3,ix6,i+1 = g6,i + (g5,i<<< 16) + (g4,i<<< 16)x7,i+1 = g7,i + (g6,i<<< 8) + g5,igj,i = ((xj,i + cj,i)2 XOR ((xj,i + cj,i)2 >> 32) mod 232where all additions are modulo 232 .

SECURITYAs of March 2006, no cryptographic weaknesses are known.

PERFORMANCERabbit uses a 128-bit key and a 64-bit initialization vector. The cipher was designed with high performance in software in mind, where fully optimized implementations achieve an encryption speed of up to 3.7 cycles per byte on a Pentium 3, and of 9.7 cycles per byte on an ARM7. However, the cipher also turns out to be very fast and compact in hardware. The core component of the cipher is a bitstream generator which encrypts 128 message bits per iteration. The cipher's strength rests on strong mixing of its inner state between two consecutive iterations. The mixing function is entirely based on arithmetical operations that are available on a modern processor, i.e., no S-boxes or lookup tables are required to implement the cipher.

8 Finite fieldsIf p is a prime we rename Z/pZ = Fp, the field with p elements = {0, 1, . . . , p − 1} with+,−,×. Note all elements _ other than 0 have gcd(_, p) = 1 so we can find _−1(modp).So we can divide by any non-0 element. So it’s like other fields like the rationals, reals and complex numbers. F_ p is {1, . . . , p − 1} here we do ×,÷. Note F_ p has _(p − 1) generators g (also called primitive roots of p). The sets {g, g2, g3, . . . , gp−1} and {1, 2, . . . , p−1} are the same (though the elements will be in different orders).Example, F_ 5, g = 2: 21 = 2, 22 = 4, 23 = 3, 24 = 1. Also g = 3: 31 = 3, 32 = 4, 33 = 2,34 = 1. For F_ 7, 21 = 2, 22 = 4, 23 = 1, 24 = 2, 25 = 4, 26 = 1, so 2 is not a generator. g = 3: 31 = 3, 32 = 2, 33 = 6, 34 = 4, 35 = 5, 36 = 1.

9 Modern stream ciphersModern stream ciphers are symmetric key cryptosystems. So Alice and Bob must agree on a key beforehand. The plaintext is turned into ASCII. So the plaintext Go would be encoded as 0100011101101111. There’s a given (pseudo)random bit generator. Alice and Bob agree on a seed, which acts as the symmetric/shared /secret key. They both generate the same random bit stream like 0111110110001101, which we call the keystream. Alice gets the ciphertext by bit-by-bit XOR’ing, i.e. bit-by-bit addition mod 2. 0 XOR-ed 0 = 0, 0 XOR-ed 1 = 1, 1 XOR-ed 0 = 1, 1 XOR-ed 1 = 0.

We could sequentially use the letters of a key word as key letters for monoalphabetic substitution of sequential plaintext letters from separate

substitution alphabets, equal in number to the number of letters in the key. This polyalphabetic substitution cipher blurs the statistics of the letter frequencies to an almost flat probability distribution.

Its modern version is the byte-by-byte addition of a key-stream to the plaintext - a Vernam cipher. For all its apparent complexity, however, if you sample its cipher-text at letter intervals equal to the length of the key, the old statistics jump out at you. Friedman's brilliant index of coincidence statistic will betray that key length.

NOTE: An excellent source for understanding how many ways have been devised to break apparently clever ciphers is US Army Field Manual FM-34-40-2, Basic Cryptanalysis, the successor to TM 32-220. It will quickly show you why professional creation of ciphers is restricted to those with proven experience in breaking the codes and ciphers of others.

To counter this attack, we must have a secret key-stream as long as the message. If it is used twice on messages of the same length, adding the two cipher-text streams will cancel it out, leaving non-uniformly distributed letters for statistical cryptanalysis. To be unbreakable, the key-stream must come from a onetime pad of length equal to that of all the data bytes encrypted. All this keying material must be kept secret.

This horrendous keying materials management problem for the only proven unbreakable cipher has led to searches for keying material generators which can substitute. However, all such schemes are based on algorithms, and must therefore leave patterns in the key streams for statistical analyses that can break them.

Their cryptographic strength is therefore a matter of degree (the cryptanalyst's work factor), not an absolute. However, that strength can still be formidable.

One technique for achieving it is the use of Feistal networks, that generate blocks of key stream from blocks of the message itself, through multiple rounds of groups of permutations and substitutions, each dependent on transformations of a key. If they are specifically structured to thwart all the known statistical cryptanalysis methods, their cryptanalytic work factor can be made as large as that for exhaustive key search.

RC4 is the most widely used stream cipher. Invented by Ron Rivest (R of RSA) in 1987. The RC stands for Ron’s code. The pseudo random bit generator was kept secret. The source code was published anonymously on Cypherpunks mailing list in 1994.

One-time pads

If the key (not the key stream) for a stream cipher is random and as long as the plaintext then this is called a one-time-pad. The key must never be used again. Cryptanalysis is provably impossible. This was used by Russians during the cold war and by the phone linking the White House and the Kremlin. It is very impractical.

10 Modern Block CiphersMost encryption now is done using block ciphers. The two most important historically have been the Data Encryption Standard (DES) and the Advanced Encryption Standard (AES). DES has a 56 bit key and 64 bit plaintext and ciphertext blocks. AES has a 128 bit key, and 128 bit plaintext and ciphertext blocks.

10.1 Modes of Operation of a Block Cipher

NIST has defined five modes of operation:CBC (Cipher Block Chaining), ECB (Electronic Codebook), CFB (Cipher Feedback), OFB (Output Feedback), and CTR (Counter).The CBC mode is well defined and well understood for symmetric ciphers, and it is currently required for all other ESP ciphers.

ECB: The simplest of the encryption modes is the electronic codebook (ECB) mode, in which the message is split into blocks and each is encrypted separately. The disadvantage of this method is that identical plaintext blocks are encrypted to identical ciphertext blocks; thus, it does not hide data patterns well. In some senses it doesn't provide message confidentiality at all, and it is not recommended for cryptographic protocols.

CBC: In the cipher-block chaining (CBC) mode, each block of plaintext is XOR-ed with the previous ciphertext block before being encrypted. This way, each cipher text block is dependent on all plaintext blocks up to that point. Also, to make each message unique, an initialization vector is used in the first block.

CFB The cipher feedback (CFB) mode, a close relative of CBC, makes a block cipher into a self-synchronizing stream cipher. The operation is very similar; in particular, CFB decryption is almost identical to CBC decryption performedin reverse

OFB: The output feedback (OFB) mode makes a block cipher into a synchronous stream cipher: it generates keystream blocks, which are then XORed with the plaintext blocks to get the ciphertext. Just as with other stream ciphers, flipping a bit in the ciphertext produces a flipped bit in the plaintext at the same location. This property allows many error correcting codes to function normally even if applied before encryption. Because of the symmetry of the XOR operation, encryption and decryption are exactly the same.

CTR: Like OFB, counter mode turns a block cipher into a stream cipher. It generates the next keystream block by encrypting successive values of a "counter". The counter can be any simple function which produces a sequence which is guaranteed not to repeat for a long time, although an actual counter is the simplest and most popular. CTR mode has very similar characteristics to OFB, but also allows a random access property for decryption and is probably secure if the block cipher is strong. CTR mode is also known as Segmented Integer Counter (SIC) mode.

10.2 The Block Cipher DESThe DES cipher was reviewed for NIST (then the National Bureau of Standards) by the NSA, in its COMSEC role (as opposed to its code-breaking COMINT role). The values of the constants in the DES S-box substitution tables were specifically chosen to resist then-known-by-NSA cryptanalytic attacks, including the then-highly-classified concept of differential cryptanalysis. Its key size was chosen to be secure for at least a decade, while allowing implementations in 1970s integrated circuit technology. This 64-bit block cipher has successfully withstood public cryptanalysis for more than 20 years, a record matched by no other. In that time, however, the cost of special-purpose key-search machines capable of brute force attacks on its 56-bit key space has dropped below levels feasible for most governments (and some corporations).

NOTE: A thousand cooperating million-DES-encryptions-per-second machines, an array affordable by many governments and corporations, could perform the 2-to-the-55th-power trial encryptions required to search half the 56-bit key space of DES (the amount necessary, on average) in a year. Ten thousand of them could do such an exhaustive key search in little more than a month. With the speed-per-dollar of such machines doubling every year or so, DES can hardly be considered secure for long-term use. Over two decades of unsuccessful cryptanalysis have shown the DES cipher's cryptographic strength to be, in practical terms, equivalent to the size of its key. Thus, an obvious place to look for its replacement is a version with a larger key.

TRIPLE-DES CIPHER Unlike the available alternative block ciphers, the DES cipher has been proven mathematically to not be an algebraic Group. Consequently, unlike those alternatives, three-pass encryption with DES yields a product cipher with a key space dimension equivalent to the sum of the sizes of the independent keys used in those passes. (Two-pass use of any block cipher is vulnerable to meet-in-the-middle attacks.) Each additional key-bit doubles the size of the key space. This is a crude, but extremely effective approach to defeating exhaustive key-search attacks through many years of increased computing power evolution.

NOTE: This type of product cipher can be attacked by two different types of key-search methods:

(1) the obvious one of searching a 168-bit (3x56 bits) key-space, requiring an average of 2-to-the-167th-power triple-DES encryptions to crack the key used for a particular cipher-text (half the key space); or(2) pre-computing 2-to-the-56th-power DES decryptions and checking the stored table of results against an average of 2-to-the-111th-power double-DES encryptions. The former attack requires a thousand million-DES-encryptions-per-second machines to run for 10-to-the-31st-power millennia; the latter "only" requires them to run for 64 million-million millennia, if all one thousand machines can access the lookup table (which requires 500 million gigabytes of storage). Neither attack is taken very seriously by professionals, who would attack the key (and all your other keys at the same time) by exploiting cryptosystem implementation weaknesses or operator mistakes.

EXPORT CONTROLS The financial services and banking industry uses the DES cipher to secure trillions of dollars of transactions. It has been moving toward standardizing on 112-bit (2-key) triple-DES as its successor for the next century. (In 2-key triple-DES, the same key is used for the first and third encryptions, requiring less keying material generation.) However, the US Government has thus far refused to provide the required export approvals, instead suggesting the use of its Escrowed Encryption Standard (FIPS PUB 185). This mandates use of the now-declassified Skipjack cipher with an 80-bit key (16 million times the size of the 56-bit DES key space), and a Law Enforcement Access Field (LEAF) permitting key recovery without the user's cooperation. NOTE: The Skipjack cipher is used in the Fortezza and Fortezza Plus encryption engines for all SBU information in NSA's Multi-level Information System Security Initiative (MISSI) system. NSA apparently considers this 64-bit block, 32-round, Feistal network's 80-bit key size to be adequate for fulfilling its SBU INFOSEC mission for the next decade or two. Our software cryptosystems employ a full 168-bit (3-key) triple-DES algorithm in cipher block chaining (CBC) mode. They incorporate neither a LEAF mechanism nor covert channels for key recovery. (The Professional versions do, however, provide you with the ability to generate secure split key shares that enable you to offer emergency access to your encrypted data by multiple trusted parties acting in concert.)

10.3 The Block Cipher AESHowever, DES was not designed with Triple-DES in mind. Undoubtedly there would be a more efficient algorithm with the same level of safety as Triple-DES. So in 1997, the National Institute of Standards and Technology (NIST) solicited proposals for replacements of DES. In 2001, NIST chose 128-bit block Rijndael with a 128-bit key to become the Advanced Encryption Standard (AES). (If you don’t speak Dutch, Flemish or Afrikaans, then the closest approximation to the pronunciation is Rine-doll). Rijndael is a symmetric-key block cipher designed by Joan Daemen and Vincent Rijmen. The Rijndael proposal for AES defined a cipher in which the block length and the key length can be independently specified to be 128, 192, or 256

bits. The AES specification uses the same three key size alternatives but limits the block length to 128 bits. A number of AES parameters depend on the key length (Table 1.1). In the description of this section, we assume a key length of 128 bits, which is likely to be the one most commonly

implemented.

Table 1.1 AES Parameters

Key size (words/bytes/bits) 4/16/128 6/24/192 8/32/256

Plaintext block size (words/bytes/bits) 4/16/128 4/16/128 4/16/128

Number of rounds 10 12 14

Round key size (words/bytes/bits) 4/16/128 4/16/128 4/16/128

Expanded key size (words/bytes) 44/176 52/208 60/240

Rijndael was designed to have the following characteristics:

Resistance against all known attacks

Speed and code compactness on a wide range of platforms

Design simplicity

About AES Structure:

1. The key that is provided as input is expanded into an array of forty-four 32-bit words. Four distinct words (128 bits) serve as a round key for each round.

2. Four different stages are used, one of permutation and three of substitution:

o Substitute bytes: Uses an S-box to perform a byte-by-byte substitution of the block

o ShiftRows: A simple permutationo MixColumns: A substitution that makes use of arithmetic over GF(28)o AddRoundKey: A simple bitwise XOR of the current block with a portion of

the expanded key.

The Finite Field:

Both the key expansion and encryption algorithms of simplified AES depend on an S-box that itself depends on the finite field with 16 elements.Let F16 = F2[x]/(x4 + x + 1). The word nibble refers to a four-bit string, like 1011. Wewill frequently associate an element b0x3 + b1x2 + b2x + b3 of F16 with the nibble b0b1b2b3.The S-box: The S-box is a map from nibbles to nibbles. It can be inverted. (For those in the know, it is one-to-one and onto or bi-jective.)

The Simplified AES Algorithm:The simplified AES algorithm operates on 16-bit plaintexts and generates 16-bit ciphertexts, using the expanded key k0 . . . k47. The encryption algorithm consists of the composition of 8 functions applied to the plaintext. Each function operates on a state. A state consists of 4 nibbles.

The Function AKi : The abbreviation AK stands for add key. The function AKi

consistsof XORing Ki with the state so that the subscripts of the bits in the state and the key bits agree modulo 16. The Function NS: The abbreviation NS stands for nibble substitution. The function NS replaces each nibble Ni in a state by S-box(Ni) without changing the order of the nibbles. So it sends the state. The Function SR: The abbreviation SR stands for shift row. The function SR takes the state.The Function MC: The abbreviation MC stands for mix column. A column [Ni,Nj ]of the state is considered to be the element Niz + Nj of F16[z]/(z2 + 1).The function MC multiplies each column by the polynomial c(z) = x2z + 1.The simplest way to explain MC is to note that MC sends a column.The Rounds: The composition of functions AKi _MC _ SR _NS is considered to be thei-th round. So this simplified algorithm has two rounds. There is an extra AK before the first round and the last round does not have an MC.

SecurityAs an encryption standard, AES needs to be resistant to all known cryptanalytic attacks. Thus, AES was designed to be resistant against these attacks, especially differential and linear cryptanalysis. To ensure such security, block ciphers in general must have diffusion and non-linearity.

EfficiencyAES is expected to be used on many machines and devices of various sizes and processing powers. For this reason, it was designed to be versatile. Versatility means that the algorithm works efficiently on many platforms, ranging from desktop computers to embedded devices such as cable boxes.

11 Public Key Cryptography

In a symmetric key cryptosystem, if you know the encrypting key you can quickly determine the decrypting key (C _ aP +b(modN) or they are the same (modern stream cipher, AES). In public key cryptography, everyone has a public key and a private key. There is now known way of quickly determining the private key from the public key.

Main uses of public-key cryptography:1) Agree on a key for a symmetric cryptosystem.2) Digital signatures.Public-key cryptography is rarely used for message exchange since it is slower than symmetric key cryptosystems.

11.1 PUBLIC KEY ALGORITHMSA. RIVEST SHAMIR & ADELMAN (RSA)RSA involves two keys: public key and private key (a key is a constant number later used in the encryption formula.) The public key can be known to everyone and is used to encrypt messages. These messages can only be decrypted by use of the private key. In other words, anybody can encrypt a message, but only the holder of a private key can actually decrypt the message and read it. Intuitive example:Bob wants to send Alice a secret message that only she can read. To do this, Alice sends Bob a box with an open lock, for which only Alice has the key. Bob receives the box, he writes the message in plain English, puts it in the box and locks it with Alice's lock (now Bob can no longer read the message.) Bob sends the box to Alice and she opens it with her key. In this example, the box with the lock is Alice's public key, and the key to the lock is her private key.

Key generationSuppose Alice and Bob are communicating over an insecure (open) channel, and Alice wants Bob to send her a private (or secure) message. Using RSA, Alice will take the following steps to generate a public key and a private key:1. Choose two large prime numbers p and q such that p0q randomly and independently of each other.2. Compute n=p·q.3. Compute the totient function: "(n)=(p-1)(q-1).4. Choose an integer e such that 1<e<"(n) which is coprime to "(n).5. Compute d such that de21(mod("(n)).• The prime numbers can be probabilistically tested for primality.• A popular choice for the public exponents is e=216+1=65537. Some applications choose smaller values such as e = 3,5, or 35 instead. This is done in order to make implementations on small devices (e.g. smart cards) easier, i.e. encryption andsignature verification is faster. But choosing small public exponents may lead to greater security risks.• Steps 4 and 5 can be performed with the extended Euclidean algorithm; see modular arithmetic.• Step 3 changed in PKCS#1 v2.0 to $=LCM(p-1,q-1) instead of "=(p-1)(q-1).

The public key consists of• n, the modulus, and• e, the public exponent (sometimes encryption exponent).

The private key consists of

• n, the modulus, which is public and appears in the public key, and• d, the private exponent (sometimes decryption exponent), which must be kept secret.For reasons of efficiency sometimes a different form of the private key (including CRT parameters) is stored:• p and q, the primes from the key generation,• d mod (p-1) and d mod (q-1) (often known as dmp1 and dmq1)• (1/q) mod p (often known as iqmp)Though this form allows faster decryption and signing using the Chinese Remainder Theorem (CRT), it considerably lowers the security. In this form, all of the parts of the private key must be kept secret. Yet, it is a bad idea to use it, since it enables side channel attacks in particular if implemented on smart cards, which wouldmost benefit from the efficiency win. (Start with y = xemodn and let the card decrypt that. So it computes yd(mod p) or yd(mod q) whose results give some value z. Now, induce an error in one of the computations. Then gcd(z − x,n) will reveal p or q.)Alice transmits the public key to Bob, and keeps the private key secret. p and q are sensitive since they are the factors of n, and allow computation of d given e. If p and q are not stored in the CRT form of the private key, they are securely deleted along with the other intermediate values from the key generation.

1) Encrypting messagesSuppose Bob wishes to send a message M to Alice. He turns M into a number m < n, using some previously agreed-upon reversible protocol known as a paddingscheme. Bob now has m, and knows n and e, which Alice has announced. He then computes the ciphertext c corresponding to m: c=me mod nThis can be done quickly using the method of exponentiation by squaring. Bob then transmits c to Alice.

2) Decrypting messagesAlice receives c from Bob, and knows her private key d. She can recover m from c by the following procedure: m=cd mod nGiven m, she can recover the original message M. The decryption procedure works because cd 2 (me)d 2 med (mod n)

Now, since ed 2 1 (mod p-1) and ed 2 1 (mod q-1), Fermat's little theorem yields med 2 m (mod p) and med 2 m (mod q)Since p and q are distinct prime numbers, applying the Chinese remainder theorem to these two congruence yields med 2 m (mod pq). Thus, cd 2 m (mod n).

PERFORMANCERSA is much slower than DES and other symmetric cryptosystems. In practice, Bob typically encrypts a secret message with a symmetric algorithm, encrypts the (comparatively short) symmetric key with RSA, and transmits both the RSA-encrypted symmetric key and the symmetrically-encrypted message to Alice.This procedure raises additional security issues. For instance, it is of utmost importance to use a strong random number generator for the symmetric key, because otherwise Eve (an eavesdropper wanting to see what was sent) could

bypass RSA by guessing the symmetric key.

SECURITYPublic key algorithms have complex mathematics and need very long keys. Due to this public key cryptography is very much slower than secret key cryptography and needs times which are some orders of magnitude over those of Rijndael.Due to this public key encryption is normally only used in hybrid encryption systems. Thereby the entities use the public key systems to exchange a secret key. Thisexchanged key is then used to encrypt the actual message with a symmetric encryption system. In opposite to symmetric systems the encryption performance ofasymmetric systems may significantly differ from its decryption performance. The first invented public key encryption system RSA is still the most used one. It isbased on the factorization problem. According to Lenstra RSA currently needs a modulus size somewhere between 2790bit and 3390bit to meet the security of a128bit Rijndael encryption. Rijndael–192 security is reached by a modulus size somewhere between 7160bit and 8200bit. Rijndael–256 security implies an RSA modulus between 14200bit and 15800bit. ECRYPT [16] estimates RSA keys with the length of 3072, 7680 and 15360 offer equivalent security to Rijndael 128, 192 and 256.The most prominent alternative to RSA is elliptic curve cryptography (ECC). It is based on the discrete logarithm problem and is faster than RSA because it manages with shorter keys. Due to the table form Lenstra and Verheul the security of 1024bit RSA is met by an ECC key between 138bit and 147bit. ECRYPT estimates a 160bit ECC key provides RSA–1024 security. All widely used public key cryptosystems are broken by efficient algorithms for sufficiently large quantum computers. There is some research on quantum–safe public key cryptosystems in order to meet this threat.

11.2 Key ManagementAs the entire operation is dependent upon the security of the keys, it is sometimes appropriate to devise a fairly complex mechanism to manage them.Where a single individual is involved, often direct input of a value or string will suffice. The 'memorised' value will then be re-input to retrieve the data, similar to password usage. Sometimes, many individuals are involved, with a requirement for unique keys to be sent to each for retrieval/decryption of transmitted data. In this case, the keys themselves may be encrypted. A number of comprehensive and proven key management systems are available for these situations.

CRYPTOGRAPHY KEY BASICSThe two components required to encrypt data are an algorithm and a key. The algorithm generally known and the key are kept secret. The key is a very large number that should be impossible to guess, and of a size that makes exhaustive search impractical.In a symmetric cryptosystem, the ‘same key is used for encryption and decryption’. In an asymmetric cryptosystem, the ‘key used for decryption is different from the key used for encryption’.

THE KEY PAIR:In an asymmetric system the encryption and decryption keys are different but related. The encryption key is known as the public key and the decryption key is known as the private key. The public and private keys are known as a key pair. Where a certification authority is used, remember that it is the public key that is certified and not the private key.

KEY COMPONENT:Keys should whenever possible be distributed by electronic means, enciphered under previously established higher-level keys. There comes a point, of course when no higher-level key exists and it is necessary to establish the key manually. A common way of doing this is to split the key into several parts (components) and entrust the parts to a number of key management personnel. The idea is that none of the key parts should contain enough information to reveal anything about the key itself. Usually; the key is combined by means of the exclusive-OR operation within a secure environment.In the case of DES keys, there should be an odd number of components, each component having odd parity. Odd parity is preserved when all the components are combined. Further, each component should be accompanied by a key check value to guard against keying errors when the component is entered into the system.A key check value for the combined components should also be available as a final check when the last component is entered. A problem that occurs with depressing regularity in the real world is when it is necessary to re-enter a key from its components. This is always an emergency situation, and it is usually found that one or more of the key component holders cannot be found. For this reason it is prudent to arrange matters so that the components are distributed among the key holders in such a way that not all of them need to be present.For example, if there are three components (C1, C2, and C3) and three key holders (H1, H2, H3) then H1 could have (C2, C3), H2 could have (C1, C3) and H3 could have (C1, C2). In this arrangement any two out of the three key holders would be sufficient.In more sophisticated systems the components may be held on smart cards.

11.2.1 Finite Field Discrete logarithm problemLet Fq be a finite field. Let g generate F_ q . Let b 2 F_ q . Then gi = b for some positive integer i _ q − 1. Determining i given Fq, g and b is the finite field discrete logarithm problem (FFDLP), which is (to our current knowledge) as hard as factoring.Example. 2 generates F_ 101. So we know 2i = 3 (i.e. 2i _ 3(mod 101)) has a solution. It is i = 69. Similarly, we know 2i = 5 has a solution; it is i = 24. How could you solve such problems faster than brute force? In Sections 30.1 and 30.3.3 we present solutions faster than brute force. But they are nonetheless not fast. End example.For cryptographic purposes we take 10300 < q < 10600 where q is a (large) prime or ofthe form 2d. Notation, if gi = b then we write logg(b) = i. Recall the logarithms you have already learned: log10(1000) = 3 since 103 = 1000 and ln(e2) = loge(e2) = 2. In the above example, for q = 101 we have log2(3) = 69 (since 269 _ 3(mod 101)).The best known algorithms for solving the FFLDP take as long as those for factoring,

and so are sub-exponential.

11.2.3 Diffie-Hellman key agreementDiffie-Hellman key agreement over a finite field (FFDH) is commonly used. For a bunch of users A, B, C, etc. we fix q and g (a generator of F_ q . The numbers q and g are used for the whole system. Each user has a private key a (aA, aB, aC, . . .) with 1 < a < q−1 and a public key, which is the reduction of ga in the field Fq. Each user publishes (the reductions of) gaA, gaB, . . . in a directory or on their websites.Note, often you create a new aA, gaA for each transaction. Alice would then need to send gaA to Bob at the beginning and vice versa.If Alice and Bob want to agree on a key for AES, they use the reduction of gaAaB. Alicecan compute this since she looks up gaB and raises it to aA. Bob can compute this since he looks up gaA and raises it to aB. Eve has q, g, gaA, gaB

but cannot seem to find gaAaB without solving the FFDLP. This often seems amazing. She can find gaAgaB = gaA + aB, but that’s useless. To get gaAaB, she needs to raise gaA, for example, to aB. To get aB she could try to use g and gaB. But determining aB from g and gaB is the FFDLP, for which there is no known fast solution.

11.2.4 Elliptic curve cryptography

Elliptic curvesAn elliptic curve is a curve described by an equation of the form y2 + a1xy + a3y = x3 +a2x2 + a4x + a6 and an extra 0-point.

12 Hash Functions and Message Authentication Codes

Hash Functions take a block of data as input, and produce a hash or message digest as output. The usual intent is that the hash can act as a signature for the original data, without revealing its contents. Therefore, it's important that the hash function be irreversible - not only should it be nearly impossible to retrieve the original data, it must also be unfeasible to construct a data block that matches some given hash value. Randomness, however, has no place in a hash function, which should be completely deterministic.Given the exact same input twice, the hash function should always produce the same output. Even a single bit changed in the input, though, should produce a different hash value. The hash value should be small enough to be manageable infurther manipulations, yet large enough to prevent an attacker from randomly finding a block of data that produces the same hash .In cryptography, a cryptographichash function is a hash function with certain additional security properties to make it suitable for use as a primitive in various information security applications, such as

authentication and message integrity. A hash function takes a long string (or message) of any length as input and produces a fixed length string as output, sometimes termed a message digest or a digital fingerprint.

A typical use of a cryptographic hash would be as follows: Alice poses to Bob a tough math problem and claims she has solved it. Bob would like to try it himself, but would yet like to be sure that Alice is not bluffing. Therefore, Alice writes down her solution, appends a random nonce, computes its hash and tells Bob the hash value (whilst keeping the solution secret). This way, when Bob comes up with the solution himself a few days later; Alice can verify his solution but still be able to prove that she had the solution earlier. In actual practice, Alice and Bob will often be computerprograms, and the secret would be something less easily spoofed than a claimed puzzle solution. The above application is called a commitment scheme. Anotherimportant application of secure hashes is verification of message integrity. Determination of whether or not any changes have been made to a message (or a file), for example, can be accomplished by comparing message digests calculatedbefore, and after, transmission (or any other event) (for example, see Tripwire , a system using this property as a defence against malware and malfeasance). A message digest can also serve as a means of reliably identifying a file. A related application is password verification. Passwords are usually not stored in clear text,for obvious reasons, but instead in digest form. To authenticate a user, the password presented by the user is hashed and compared with the stored hash. Hashes are also used to identify files on peer-to-peer file sharing networks. For example, in an ed2k link the hash is combined with the file size, providing sufficient information for locating file sources, downloading the file and verifying its contents. Magnet links are another example. Such file hashes are often the top hash of a hash list or a hash tree which allows for additional benefits. For both security and performance reasons, most digital signature algorithms specify that only the digest of the message be "signed", not the entire message. Hash functions can also be used in the generation of pseudorandom bits.The most widely used hash functions (and their modifications) are:_ MD5 of R. Rivest (RFC 1321)_ SHA-1 SHA-224, SHA-256, SHA-384, SHA-512 of NIST ( FIPS PUB 180-1)_ RIPEMD, RIPEMD-128, RIPEMD-160 H. Dobbertin, A. Bosselaers, B. Preneel_ WHIRLPOOL-0, WHIRLPOOL-T, WHIRLPOOL P. Barreto, V. Rijmen (NESSIE project ISO/IEC 10118-3:2004)

SHA-1, MD5, and RIPEMD-160 are among the most commonly-used message digest algorithms as of 2005. In August 2004, researchers found weaknesses in a number of hash functions, including MD5, SHA-0 and RIPEMD. This has called into question the long-term security of later algorithms which are derived from these hash functions. In particular, SHA-1 (a strengthened version of SHA-0), RIPEMD-128, and RIPEMD-160 (both strengthened versions of RIPEMD). Neither SHA-0 nor RIPEMD are widely used since they were replaced by their strengthened versions.

A. SHA-0,SHA-1SHA-0 and SHA-1 produce a 160-bit digest from a message with a maximum size of 264 bits, and is based on principles similar to those used by Professor Ronald L. Rivest of MIT in the design of the MD4 and MD5 message digest algorithms. The original specification of the algorithm was published in 1993 as the Secure Hash Standard, FIPS PUB 180, by US government standards agency NIST (National Institute of Standards and Technology). This version is now often referred to as

"SHA-0". It was withdrawn by the NSA shortly after publication and was superseded by the revised version, published in 1995 in FIPS PUB 180-1 and commonly referred to as "SHA-1". SHA-1 differs from SHA-0 only by a single bitwise rotation in the message schedule of its compression function. This was done, according to the NSA, to correct a flaw in the original algorithm which reduced its cryptographic security. This function takes as input a 160-bit state and a 512-bit data word and outputs a new 160-bit state. The hash function works by repeatedly calling this compression function with successive 512-bit data blocks and each time updating the state accordingly. This compression function is easily invertible if the data block is known,- given the data block on which it acted and the output of the compressionfunction, one can compute that state that went in. Weaknesses have subsequently been reported in both SHA-0 and SHA-1. SHA-1 appears to provide greater resistance to attacks, supporting the NSA's assertion that the change increased the security. In February 2005, an attack on SHA-1 was reported, finding collisions in about 269 hashing operations, rather than the 280 expected for a 160-bit hashfunction. In August 2005, another attack on SHA-1 was reported, finding collisions in 263 operations.

B. MD5 (Message-Digest algorithm 5) is a widely-used cryptographic hash function with a 128-bit hash value. As an Internet standard (RFC 1321), MD5 has been employed in a wide variety of security applications, and is also commonly used to check the integrity of files.MD5 was designed by Ronald Rivest in 1991 to replace an earlier hash function, MD4. In 1996, a flaw was found with the design of MD5; while it was not a clearly fatal weakness, cryptographers began to recommend using other algorithms, such as SHA-1 (recent claims suggest thatSHA-1 has been broken, however). In 2004, more serious flaws were discovered making further use of the algorithm for security purposes questionable.MD5 processes a variable length message into a fixed length output of 128 bits. The input message is broken up into chunks of 512-bit blocks; the message is padded so that its length is divisible by 512. The padding works as follows: first a single bit, 1, is appended to the end of the message. This is followed by as many zeros as are required to bring the length of the message up to 64 bits less than a multiple of 512. The remaining bits are filled up with a 64-bit integer representing the length of the original message.The main MD5 algorithm operates on a 128-bit state, divided into four 32-bit words, denoted A, B, C and D.These are initialized to certain fixed constants. The main algorithm then operates on each 512-bit message block in turn, each block modifying the state. The processing of a message block consists of four similar stages, termed rounds; each round is composed of 16 similar operations based on a non-linear function F, modular addition, and left rotation. There are four possible functions F; a different oneis used in each round: denote the XOR, AND, OR and NOT operations respectively.

C. WHIRLPOOLWHIRLPOOL is a cryptographic hash function designed by Vincent Rijmen and Paulo S. L. M. Barreto. The hash has been recommended by the NESSIE project. It has also been adopted by the International Organization for Standardization (ISO) and the International Electro technical Commission (IEC) as part of the joint ISO/IEC 10118-3 international standard.

WHIRLPOOL is a hash designed after the Square block cipher. WHIRLPOOL is a Miyaguchi-Preneel construction based on a substantially modified Advanced Encryption Standard (AES). Given a message less than 2256 bits in length, it returns a 512-bit message digest. The authors have declared that "WHIRLPOOL is not (andwill never be) patented. It may be used free of charge for any purpose. The reference implementations are in the public domain."

D. RIPEMDRIPEMD-160 (RACE Integrity Primitives Evaluation Message Digest) is a 160-bit message digest algorithm (and cryptographic hash function) developed in Europe by Hans Dobbertin, Antoon Bosselaers and Bart Preneel, and first published in 1996. It is an improved version of RIPEMD, which in turn was based upon the design principles used in MD4, and is similar in performance to the more popularSHA-1. There also exist 128, 256 and 320-bit versions of this algorithm, called RIPEMD-128, RIPEMD-256, and RIPEMD-320, respectively. The 128-bit version was intended only as a drop-in replacement for the original RIPEMD, which was also 128-bit, and which had been found to have questionable security. The 256 and 320-bit versions diminish only the chance of accidental collision, and don't have higher levels of security as compared to, respectively, RIPEMD-128 and RIPEMD-160.RIPEMD-160 was designed in the open academic community, in contrast to the NSA-designed algorithm, SHA-1. On the other hand, RIPEMD-160 is a less popularand correspondingly less well-studied design. RIPEMD-160 is not constrained by any patents.

E. SHACALSHACAL-1 and SHACAL-2 are block ciphers based on cryptographic hash function from the SHA family. It was designed by Helena Handschuh and David Naccache, both cryptographers from the smart card manufacturer Gemplus. It is a 160-bit block cipher based on SHA-1, and supports keys from 128-bit to 512-bit. SHACAL-2 is a 256-bit block cipher based upon the larger hash function SHA-256. SHACAL turns the SHA-1 compression function into a block cipher by using the state input as the data block and using the data input as the key input. In other words SHACAL views the SHA-1 compression function as 160-bit block cipher with a 512-bit key. Keys shorter than 512 bits are supported by padding them with zero up to 512. SHACAL is not intended to be used with keys shorter than128 bit. In 2003, SHACAL-2 was selected by the NESSIE project as one of their 17 recommended algorithms.

SECURITY OF HASH FUNCTIONSIn order to attack a hash function, the intruder must replace the initial message in such a way, by putting his own message, so as to produce the same output of the hash function. This is called collision and it’s very difficult to happen.

13 Signatures and authenticationMaking oneself sure that a message came from the proper sender is called authentication. The solution is signatures and certificates. Signatures connect a message with a public key. Certificates connect a public key with an entity. You can use public-key cryptography for signatures.Authentication, nonrepudiation, and integrity checks can be supported with a digital signature. A digital signature is similar to a written signature, however, it is stronger.

For example, detection will result from any attempt to change the message content or to forge the signature. We note that a Message Authentication Code (MAC), as defined in ANSI X 9.9, provides integrity protection against alteration, but does not provide nonrepudiation because of the sharing of the conventional secret DES key. (Another term for a MAC is a manipulation detection code, or MDC.) A digital signature must be a function of the entire document. Changing even a single bit should produce a different signature. A signed message cannot be changed without detection Public key digital signatures: The use of public key digital signaturesand supporting hash functions can provide both authentication and verificationof message integrity. Hash functions, which have been briefly introduced,will be discussed further. They can also serve as cryptographic checksums used for validating the contents of a message. Public key schemes supporting authentication permit generation of digital signatures algorithmically from the same key repeatedly, although the actual signatures are different. Digital signatures are a function of the message and a long-term key. Therefore, key material can be reused many times before replacement. Hash functions also reduce the impact of the computationallyintensive nature of public key algorithms.

Public key digital signatures are generally preferred for electronic commerce because:1. Private keys can be used repeatedly for generating digital signatures algorithmically, and2. Nonrepudiation of the sender (Alice) is inherently a part of the system design.Therefore, public key implementation of digital signatures is effective and versatile.

Nonrepudiation: Nonrepudiation is the system capability that prevents a sender (Alice) from denying that she has sent a message. The integrity of nonrepudiation is a function of the degree of security maintained for the sender’s (Alice’s) private key (DA).For example, Alice could repudiate or deny sending a message if DA is compromised. Depending on the applicable legislation, Alice may still be held liable for messages signed before the compromise was reported to a central authority. Certain administrative approaches have been proposed for incorporation into protocols. Most of these involve use of some form of arbitrator. However, certain disputes may require litigation, because nonrepudiation is a critical business issue. One method of supporting nonrepudiation is to use a central authority. For example, the receiver of a message (Bob) sends a copy to the central authority. The central authority can verify sender’s (Alice’s) signature. This verification provides assurance that there is no report that Alice’s private key (DA) was compromised at the time of sending. In this case, Alice would have to rapidly report the compromise of her private key. We must also consider the impact of the increased workload of the central authority on the throughput of the network. An alternate approach is to use time stamps. Although a network of automated arbitrators may still be required, the system overhead is modest because the arbitrators only have time stamp messages. A receiver (Bob) may check the validity of the sender’s (Alice’s) private key by checking with a central authority. Bob has a degree of assurance of nonrepudiation if the received message is time stamped before the validity check. He still has to determine if a compromise is discovered and reported later. Legal requirements for nonrepudiation may include a requirement that the sender (Alice) is responsible for signing until a compromise of her private key is reported to the central authority. Implementation of this approach could require an on-line central authority and real-time validity checks and time stamps. In addition to peak load concentrations that

may occur at the central authority, certain requirements for a network-wide clock should be considered. A network-wide clock has other security vulnerabilities, such as vulnerability to forgery of time stamps. If users, such as Alice, are permitted to change their private keys, a central authority should archive past keys to assist in resolving disputes. Each industry should have a set of legal and administrative safeguards to maintain continuity of operations in the event of a compromise or change of keys. For example, credit card systems have effective legal and administrative provisions for cases of lost or stolen credit cards.

private key public key

Original text signing signed text verifying verified text

Figure . Simple digital signatures

Message Authentication Code (MAC): Standard ANSI X9.9-1982,1986. The Message Authentication Code (MAC) (ANSI X9.9), not to be confused with Mandatory Access Control (MAC), is a cryptographic checksum appended to a message. It seals the message against modification. All fields such as time, date, sources, and so on included in the checksum are rendered unalterable. Either the entire message or selected fields are processed through the algorithm using the

Cipher Block Chaining Mode (CBC). As mentioned, the last block is the only output of the process that is used in the MAC. MAC requires a key management protocol, such as ANSI Standard X9.17.

14. Applications of Cryptography in Network Security:

1.E-mail Security

2. IP Security

3.Web security

E-mail Security:

14.1. Pretty Good Privacy:

PGP is a remarkable phenomenon. PGP started as a free secure e-mail program. Largely the effort of a single person, Phil Zimmermann, PGP provides a confidentiality and authentication service that can be used for electronic mail and file storage applications. In essence, Zimmermann has done the following:

1. Selected the best available cryptographic algorithms as building blocks2. Integrated these algorithms into a general-purpose application that is independent of

operating system and processor and that is based on a small set of easy-to-use commands

3. Made the package and its documentation, including the source code, freely available via the Internet, bulletin boards, and commercial networks such as AOL (America On Line)

4. Entered into an agreement with a company (Via crypt, now Network Associates) to provide a fully compatible, low-cost commercial version of PGP

PGP has grown explosively and is now widely used. A number of reasons can be cited for this growth:

1. It is available free worldwide in versions that run on a variety of platforms, including Windows, UNIX, Macintosh, and many more. In addition, the commercial version satisfies users who want a product that comes with vendor support.

2. It is based on algorithms that have survived extensive public review and are considered extremely secure. Specifically, the package includes RSA, DSS, and Diffie-Hellman for public-key encryption; CAST-128, IDEA, and 3DES for symmetric encryption; and SHA-1 for hash coding.

3. It has a wide range of applicability, from corporations that wish to select and enforce a standardized scheme for encrypting files and messages to individuals who wish to communicate securely with others worldwide over the Internet and other networks.

4. It was not developed by, nor is it controlled by, any governmental or standards organization. For those with an instinctive distrust of "the establishment," this makes PGP attractive.

5. PGP is now on an Internet standards track (RFC 3156). Nevertheless, PGP still has an aura of an anti-establishment endeavour.

How PGP works:PGP combines some of the best features of both conventional and public key cryptography. PGP is a hybrid cryptosystem. When a user encrypts plaintext with PGP, PGP first compresses the plaintext. Data compression saves modem transmission time and disk space and, more importantly, strengthens cryptographic security. Compression reduces these patterns in the plaintext, thereby greatly enhancing resistance to cryptanalysis. PGP then creates a session key, which is a one-time-only secret key. This key is a random number generated from the random movements of your mouse and the keystrokes you type. This session key works with a very secure, fast conventional encryption algorithm to encrypt the plaintext; the result is ciphertext. Once the data is encrypted, the session key is then encrypted to the Recipient’s public key. This public key-encrypted session key is transmitted along with the ciphertext to the recipient.

Session key is encrypted with public key.

Plaintext is encrypted with session key.

Cipher text + encrypted session key

Figure 1-1: How PGP encryption works

Decryption works in the reverse. The recipient’s copy of PGP uses his or her private key to recover the temporary session key, which PGP then uses to decrypt the conventionally-encrypted ciphertext.

Encrypted message Encrypted session key recipient’s private key usedTo decrypt session key

Cipher text session key used originalTo decrypt cipher text plaintext

Figure 1-2. How PGP decryption works

14.2. S/MIME:

S/MIME (Secure/Multipurpose Internet Mail Extension) is a security enhancement to the MIME Internet e-mail format standard, based on technology from RSA Data Security. Although both PGP and S/MIME are on an IETF standards track, it appears likely that S/MIME will emerge as the industry standard for commercial and organizational use, while PGP will remain the choice for personal e-mail security for many users. S/MIME is defined in a number of documents, most importantly RFCs 3369, 3370, 3850 and 3851.

IP Security:

Internet Protocol Security (IPsec) is a competitor of TLS. It works at a different level than TLS which gives it more flexibility. I do not understand different levels on a computer - it is a concept from computer engineering. IPsec is, however, less efficient than TLS. Its primary use is in Virtual Private Networks (VPN). A VPN is a private communications network. That means it is used within one company or among a small network of companies. TLS is used by everyone on the internet.

IPsec encompasses three functional areas: “authentication, confidentiality, and key management”.

Authentication makes use of the HMAC message authentication code. Authentication can be applied to the entire original IP packet (tunnel mode) or to the entire packet except for the IP header (transport mode).

Confidentiality is provided by an encryption format known as encapsulating security payload. Both tunnel and transport modes can be accommodated.

IPsec defines a number of techniques for key management.

Web Security:

14.1. Web Security Considerations

The World Wide Web is fundamentally a client/server application running over the Internet and TCP/IP intranets. But, the Web presents new challenges not generally appreciated in the context of computer and network security:

The Internet is two way. Unlike traditional publishing environments, even electronic publishing systems involving teletext, voice response, or fax-back, the Web is vulnerable to attacks on the Web servers over the Internet.

The Web is increasingly serving as a highly visible outlet for corporate and product information and as the platform for business transactions. Reputations can be damaged and money can be lost if the Web servers are subverted.

Although Web browsers are very easy to use, Web servers are relatively easy to configure and manage, and Web content is increasingly easy to develop, the underlying software is extraordinarily complex. This complex software may hide many potential security flaws. The short history of the Web is filled with examples of new and upgraded systems, properly installed, that are vulnerable to a variety of security attacks.

A Web server can be exploited as a launching pad into the corporation's or agency's entire computer complex. Once the Web server is subverted, an attacker may be able to gain access to data and systems not part of the Web itself but connected to the server at the local site.

Casual and untrained (in security matters) users are common clients for Web-based services. Such users are not necessarily aware of the security risks that exist and do not have the tools or knowledge to take effective countermeasures.

Web Security Threats

This table provides a summary of the types of security threats faced in using the Web. One way to group these threats is in terms of passive and active attacks. Passive attacks include eavesdropping on network traffic between browser and server and gaining access to information on a Web site that is supposed to be restricted. Active attacks include impersonating another user, altering messages in transit between client and server, and altering information on a Web site.

A Comparison of Threats on the Web

Threats Consequences Countermeasures

Integrity Modification of user data

Trojan horse browser

Modification of memory

Modification of message traffic in transit

Loss of information Compromise of

machine Vulnerability to all

other threats

Cryptographic checksums

Confidentiality Eavesdropping on Loss of information Encryption, web

A Comparison of Threats on the Web

Threats Consequences Countermeasures

the Net Theft of info from

server Theft of data from

client Info about network

configuration Info about which

client talks to server

Loss of privacy proxies

Denial of Service

Killing of user threads

Flooding machine with bogus requests

Filling up disk or memory

Isolating machine by DNS attacks

Disruptive Annoying Prevent user from

getting work done

Difficult to prevent

Authentication Impersonation of legitimate users

Data forgery

Misrepresentation of user

Belief that false information is valid

Cryptographic techniques

15 Time stamping

If you have a printed document and want to prove that it existed on a certain date, you can get it notarized. This is important for copyrighting a document to prove you originated it. This is more difficult with digital data. If there is a date on it, then the date can be easily replaced by another. The solution is a time stamping service.

Here is a second scenario. If Alice signs a message, and later decides that she does not want that message to be signed (this is a kind of cheating) then she can anonymously publish her private key and say that anyone could have done the signing. This is called repudiation. So if someone receives a signature from Alice, he or she can demand that Alice use a digital time stamping service. That lessens Alice’s ability to repudiate the signature.

16 KERBEROS

A protocol is a sequence of steps involving at least two parties that accomplishes a task. KERBEROS is a third-party authentication protocol for insecure, closed systems. Between systems people use fire walls. Note most problems come from people within a system. KERBEROS is used to prove someone’s identity (authentication) in a secure manner without using public key cryptography. At SCU, KERBEROS is probably used for access to e-campus, OSCAR, People-soft, Novell, etc. It was developed by MIT and can be obtained free. KERBEROS requires a trusted third party. It enables a person to use a password to gain access to some service. Let C be the client, KDC be the key distribution centre, S be the service that C wants access to and TGS be S’s ticket granting service.Summary:i) KDC authenticates C’s identity to TGS.ii) TGS gives permission to C to use S.

17. Key Management and SaltingA common hacker attack is exploiting sloppy key management. Often bribe or steal to get a key.Scenario 1. Web: You pick your own password, usually. Uses SSL/TLS so use RSAto agree on AES key which is used to encrypt password (first time and later visits). They store passwords in (hopefully hidden) file with userids. Your password is not hashed.Scenario 2. Non-web systems. The system has a file (may or may not be public) withpairs: userid, hash(password). The system administrator has access to this file. Maybe someday, the password cracker can get access to this file. He cannot use the hashed passwords to get access to your account because access requires entering a password and then having it hashed. In Scenario 2, from the hashes, Cracker may be able to determine the original password. Most people’s passwords are not random. As another example, it would take about 11 seconds on a single computer using brute force to determine someone’s key if you knew it consisted of 7 lowercase letters (that is 7 bytes). But if it consisted of 7 bytes from a pseudo-random number generator, then it would take 11 thousand years to brute force it. (This is basically like brute-forcing DES since DES has a 7 byte key and running a hash is like running DES. In fact, DES used to be used as a hash where the key was the 0 string and the password was used as the plaintext.). But most people have trouble remembering a password like 8 _ &u!M} and so don’t want to use it. They could write it down and put it in their wallet/purse, but that can get stolen. So instead, most passwords are easy to remember. So attacker can do a dictionary attack. Attacker can hash all entries of a dictionary. On-line we can find dictionaries containing all common English words, common proper names and then all of the above entries with i’s and l’s replaced by 1’s and o’s replaced by 0’s, etc. Attacker can even brute force all alpha-numeric strings up to a certain length. Then Attacker looks in the password file and finds many matches. This has been used to get tens of thousands of different passwords. The Password Recovery Toolkit can test 200000 passwords per second.

In 1998, there was an incident where 186000 account names collected and hashed passwords collected. It was discovered, 1/4 of them using dictionary attack.Salt is a string that is concatenated to a password. It should be different for each user-id. It is public for non-SSL/TLS applications like KERBEROS and UNIX. It might seem like the salt should be hidden. But then the user would need to know the salt and keep it secret. But then the salt may as well just be appended to the password. If the salt were stored on the user’s machine instead (so it’s secret and the user would not need to memorize it) then the user could not log in from a different machine.For KERBEROS and UNIX, the system administrator usually gives you your password off-line in a secure way. The system creates your salt.

Scenario 3. (Old UNIX) This is the same as Scenario 2, but the public password file has triples: username, user-id, expiration of password, location information, salt, hash (salt, password). The salt is a random string in plaintext, unique for this user-id. Now the dictionary attack won’t get lots of passwords. But we can attack a single user as in Scenario 2.

Scenario 4. UNIX. For reasons of backward-compatibility, new Unix-like operating systems need a non-encrypted password file. It has to be similar to the old password file or certain utilities don’t work. For example, several utilities need the username to userid map available and look in password file for it. In the password file, where there was once the salt and the hash of a salted password, there is now a *. Unix has a second hidden file called the shadow password file. It is encrypted using a password only known to the system administrator. The shadow file contains user-id, salt, hash (salt, password). The user doesn’t need to look up the salt. If the user connects to UNIX with SSH (Secure Shell), then the password goes, un-hashed, through SSH’s encryption. The server decrypts the password, appends the salt, hashes and checks against hash (salt, password) in shadow file. Scenario 5. KERBEROS uses a non-secret salt which is related to the user-id and domain names. If two people have the same password, they won’t have the same hash and if one person has two accounts with the same password, they won’t have the same hash. The authentication server (for KERBEROS this is called the key distribution centre) keeps the hash secret, protected by a password known only to the authentication server.A single key or password should not be used forever. The longer it is used, the moreDocuments there are encrypted with it and so the more damage is done if it is compromised. The longer it is used, the more tempting it is to break it and the more time an attacker has to break it. Good way to generate key, easy to remember, hard to crack.

18.Quantum CryptographyThere are two ways of agreeing on a symmetric key that do not involve co-presence. The first is public key cryptography, which is based on

mathematics. The second is quantum cryptography. It currently (2008) works up to 100 miles and is on the market but is not widely used.A photon has a polarization. A polarization is like a direction. The polarization can bemeasured on any basis in two-space: rectilinear (horizontal and vertical), diagonal (slope 1 and slope -1), etc. If you measure a photon in the wrong basis then you get a random result and you disturb all future measurements.Here is how it works. Alice and Bob need to agree on a symmetric key. Alice sends Bob a stream of photons. Each photon is randomly assigned a polarization in one of the four directions: |, −, \, /. We will have | = 1, − = 0, \ = 1, / = 0. Let’s say that Alice sends: \ / | | / \ | − − \ − | /.Bob has a polarization detector. For each photon, he randomly chooses a basis: rectilinear or diagonal. Say his choices are × + + × × + + + × × × + + Each time he chooses the right basis, he measures the polarization correctly. If he measures it wrong, then he will get a random measurement. His detector might output \ − | \ / / | − / \ \ | |. Alice sends \ / | | / \ | − − \ − | /Bob sets × + + × × + + + × × × + +Correct ~ ~ ~ ~ ~ ~ ~Bob gets \ − | \ / − | − / \ \ | |Notice that when Bob correctly sets the basis, Alice and Bob have the same polarization, which can be turned into a 0 or 1. Looking at the second and last photons, we see an example of the randomness of Bob’s measurement if the basis is chosen incorrectly. Now Bob contacts Alice, in the clear, and tells her the basis settings he made. Alice tells him which were correct. The others are thrown out.Alice sends \ | / | − \ |Bob gets \ | / | − \ |Those are turned into 0’s and 1’sAlice sends 1 1 0 1 0 1 1Bob gets 1 1 0 1 0 1 1On average, if Alice sends Bob 2n bits, they will end up with n bits after throwing outthose from the wrong basis settings. So to agree on a 128 bit key, on average Alice must send 256 bits.What if Eve measures the photons along the way. We will focus on the photons for which Bob correctly guessed the basis. For half of those, Eve will guess the wrong basis. Whenever Eve measures in the wrong basis, she makes Bob’s measurement random, instead of accurate.Alice sends \ | / | − \ |Eve sets × × × × + + +Bob sets × + × + + × +Bob gets \ − / | − / |Alice sends 1 1 0 1 0 1 1Bob gets 1 0 0 1 0 0 1Note for the second and fourth photon, since Eve set the basis incorrectly, Bob gets a random (and half the time wrong) bit. So if Eve is eavesdropping then we expect her to get the wrong basis sometimes and some of those times Bob will get the wrong polarization.

To detect eavesdropping, Alice and Bob agree to check on some of the bits, which are randomly chosen by Alice. For example, in the above, they could both agree to tell, in the clear, what the first three bits are. Alice would say 110 and Bob would say 100 and they would know that they had been tampered with. They would then have to start the whole process again and try to prevent Eve from eavesdropping somehow. ((Ed, what if Eve gets in between and just reflects back the answer to each one? There are identity issues.)) If those check-bits agreed, then they would use the remaining four bits for their key. Of course there is a possibility that Alice and Bob would get the same three bits even though Eve was eavesdropping. So in real life, Alice and Bob would tell each other a lot more bits to detect eavesdropping. The probability that a lot of bits would all agree, given that Eve was eavesdropping, would then be very small. If they disagreed, then they would know there was eavesdropping. If those all agreed, then with very high probability, there was noeavesdropping. So they would throw the check-bits away and use as many bits as necessary for the key Notice that Alice needs to be sure that it is actually Bob with whom she is communicating. In 2007, they had gotten quantum cryptography working over 150 kilometers. Quantum cryptography is considered safer than public key cryptography and has a built-in eavesdropping detection. However, it is difficult to transmit a lot of information this way, which is why it would be used for agreeing on a symmetric key (like for AES). At the moment, there are physics implementation issues that have been discovered so that the current implementation of quantum cryptography is insecure.

19 Exposures To System Security :

19.1 Intruders: One of the two most publicized threats to security is the intruder (the other is viruses), generally referred to as a hacker or cracker. In an important early study of intrusion, Anderson identified three classes of intruders:

Masquerader: An individual who is not authorized to use the computer and who penetrates a system's access controls to exploit a legitimate user's account

Misfeasor: A legitimate user who accesses data, programs, or resources for which such access is not authorized, or who is authorized for such access but misuses his or her privileges

Clandestine user: An individual who seizes supervisory control of the system and uses this control to evade auditing and access controls or to suppress audit collection

The masquerader is likely to be an outsider; the misfeasor generally is an insider; and the clandestine user can be either an outsider or an insider.

19.2 Intrusion Detection

Inevitably, the best intrusion prevention system will fail. A system's second line of defence is intrusion detection. This interest is motivated by a number of considerations, including the following:

1. If an intrusion is detected quickly enough, the intruder can be identified and ejected from the system before any damage is done or any data are compromised. Even if the

detection is not sufficiently timely to pre-empt the intruder, the sooner that the intrusion is detected, the less the amount of damage and the more quickly that recovery can be achieved.

2. An effective intrusion detection system can serve as a deterrent, so acting to prevent intrusions.

3. Intrusion detection enables the collection of information about intrusion techniques that can be used to strengthen the intrusion prevention facility.

20. Password Management :

Password Protection:

The front line of defence against intruders is the password system. Virtually all multiuser systems require that a user provide not only a name or identifier (ID) but also a password. The password serves to authenticate the ID of the individual logging on to the system. In turn, the ID provides security in the following ways:

The ID determines whether the user is authorized to gain access to a system. In some systems, only those who already have an ID filed on the system are allowed to gain access.

The ID determines the privileges accorded to the user. A few users may have supervisory or "super user" status that enables them to read files and perform functions that are especially protected by the operating system. Some systems have guest or anonymous accounts, and users of these accounts have more limited privileges than others.

The ID is used in what is referred to as discretionary access control. For example, by listing the IDs of the other users, a user may grant permission to them to read files owned by that user.

The Vulnerability of Passwords:

To understand the nature of the threat to password-based systems, let us consider a scheme that is widely used on UNIX, in which passwords are never stored in the clear. Rather, the following procedure is employed .Each user selects a password of up to eight printable characters in length. This is converted into a 56-bit value (using 7-bit ASCII) that serves as the key input to an encryption routine. The encryption routine, known as crypt, is based on DES. The DES algorithm is modified using a 12-bit "salt" value. Typically, this value is related to the time at which the password is assigned to the user. The modified DES algorithm is exercised with a data input consisting of a 64-bit block of zeros. The output of the algorithm then serves as input for a second encryption. This process is repeated for a total of 25 encryptions. The resulting 64-bit output is then translated into an 11-character sequence. The hashed password is then stored, together with a plaintext copy of the salt, in the password file for the corresponding user ID. This method has been shown to be secure against a variety of cryptanalytic attacks.

21. Firewalls :

Firewall characteristics:

The following capabilities are within the scope of a firewall:

1. A firewall defines a single choke point that keeps unauthorized users out of the protected network, prohibits potentially vulnerable services from entering or leaving the network, and provides protection from various kinds of IP spoofing and routing attacks. The use of a single choke point simplifies security management because security capabilities are consolidated on a single system or set of systems.

2. A firewall provides a location for monitoring security-related events. Audits and alarms can be implemented on the firewall system.

3. A firewall is a convenient platform for several Internet functions that are not security related. These include a network address translator, which maps local addresses to Internet addresses, and a network management function that audits or logs Internet usage.

4. A firewall can serve as the platform for IPsec. Using the tunnel mode capability described in, the firewall can be used to implement virtual private networks.

Firewalls have their limitations, including the following:

1. The firewall cannot protect against attacks that bypass the firewall. Internal systems may have dial-out capability to connect to an ISP. An internal LAN may support a modem pool that provides dial-in capability for traveling employees and telecommuters.

2. The firewall does not protect against internal threats, such as a disgruntled employee or an employee who unwittingly cooperates with an external attacker.

3. The firewall cannot protect against the transfer of virus-infected programs or files. Because of the variety of operating systems and applications supported inside the perimeter, it would be impractical and perhaps impossible for the firewall to scan all incoming files, e-mail, and messages for viruses.

22. Cryptography Failures:

Designers of cryptographic systems have suffered from a lack of information about how their products fail in practice, as opposed to how they might fail in theory. This lack of feedback has led to a false threat model being accepted. Designers focussed on what could possibly go wrong, rather than on what was likely to; and many of their products are so complex and tricky to use that they are rarely used properly. As a result, most security failures are due to implementation and management errors. One special consequence has been a spate of ATM fraud, which has not just caused financial losses, but has also caused at least one miscarriage of justice and has eroded confidence in the UK banking system. There has also been a military cost; the details remain classified, but its existence has at last been admitted.

Part IV: Cryptanalysis

23 Basic Concepts of CryptanalysisCryptosystems come in 3 kinds:1. Those that have been broken (most).2. Those that have not yet been analysed (because they are new and not yet widely used).

3. Those that have been analysed but not broken. (RSA, Discrete log cryptosystems, AES).3 most common ways to turn cipher text into plaintext:1. Steal/purchase/bribe to get key2. Exploit sloppy implementation/protocol problems (hacking/cracking). Examples: someone used spouse’s name as key, someone sent key along with message3. Cryptanalysis

23.1. Cryptanalytic attacks are generally classified into six categories that distinguish the kind of information the cryptanalyst has available to mount an attack. The categories of attack are listed here roughly in increasing order of the quality of information available to the cryptanalyst, or, equivalently, in decreasing order of the level of difficulty to the cryptanalyst. The objective of the cryptanalyst in all cases is to be able to decrypt new pieces of cipher text without additional information. The ideal for a cryptanalyst is to extract the secret key.

Cipher-text only attack. The enemy has intercepted cipher text but has no matching plaintext.You typically assume that the enemy has access to the cipher text. Two situations:a) The enemy is aware of the nature of the cryptosystem, but does not have the key. True with most cryptosystems used in U.S. businesses.b) The enemy is not aware of the nature of the cryptosystem. The proper users should never assume that this situation will last very long. The Skipjack algorithm on the Clipper Chip is classified, for example. Often the nature of a military cryptosystem is kept secret as long as possible. RSA has tried to keep the nature of a few of its cryptosystems secret, but they were published on Cypher punks.

Known plaintext attack. The enemy has some matched cipher text/plaintext pairs. The enemy may well have more cipher text also.

Chosen plaintext attack. Here we assume that the enemy can choose the plaintext that he wants put through the cryptosystem. Though this is, in general, unrealistic, such attacks are of theoretic interest because if enough plaintext is known, then chosen plaintext attack techniques may be useable. However this is an issue with smart cards.

An adaptive-chosen-plaintext attack is a special case of chosen-plaintext attack in which the cryptanalyst is able to choose plaintext samples dynamically, and alter his or her choices based on the results of previous encryptions.

A chosen - cipher text attack is one in which cryptanalyst may choose a piece of cipher text and attempt to obtain the corresponding decrypted plaintext. This type of attack is generally most applicable to public-key cryptosystems.

An adaptive-chosen-cipher text is the adaptive version of the above attack. A cryptanalyst can mount an attack of this type in a scenario in

which he has free use of a piece of decryption hardware, but is unable to extract the decryption key from it.

Note that cryptanalytic attacks can be mounted not only against encryption algorithms, but also, analogously, against digital signature algorithms, MAC-ing algorithms, and pseudo-random number generators.

Thanks!!!.