453 Network Security

453 Network Security Section 2: Cryptography Dr. E.C. Kulasekere Sri Lanka Institute of Information Technology - 2006

Outline • Importance of Cryptography • Encryption algorithms and principles (DEA, BlowFish) • Ciphering • Public key cryptography principles and algorithms. • Digital signatures

What is Cryptography? June 20, 2006 Hi ! Happy to see you all in Sri Lanka. Many thanks for your invitation letter and for the spring examination packages. All new entry forms are ready for final dispatch to the syndicate by tonight. Things are improving here, though there's room for improvement still; just give us three or four more years and we can do great things! Please don't let these wretched 16+important proposals destroy your basic pattern. Certainly this sort of change, if implemented immediately, would bring chaos. Yours sincerely,

Obvious Solution For Information Security • Develop hardware and software to ensure the following • Conceal the context of message from all except the sender and recipient. • Verify the correctness of the message to the recipient via authentication. • Use hidden writing encryption such as digital signatures. And digital watermarks. • The above expectation is embodied in two forms • Conventional or symmetric encryption • Public key or asymmetric encryption.

Conventional Encryption Scheme Ingredients • Plaintext – the original message • Encryption algorithm – performs various substitutions and transformations to the plaintext • Secret key – used for above • Ciphertext – scrambled message depending on the key and plaintext. For the same text, two different keys will generate two ciphertexts. • Decryption algorithm – encryption algorithm run in the reverse. Uses a Secret key + ciphertext to produce plaintext. • Note that the security depends on the secrecy of the key and not on the secrecy of the algorithm.

Simplified Model of Symmetric Encryption

Requirements for Secure use of Conventional Encryption • A strong Encryption Algorithm: • Opponent knows the algorithm by default. • May also have access to the ciphertext • However the opponent should not be able to decipher the text or figure out the key. • This should be the case if the opponent has several ciphertext which have been encrypted using the same key. • Secure Key Handling: • The sender and receiver should obtain copies of the key securely. • If the key is known the ciphertext can be decoded.

Advantages and Disadvantages of Conventional Encryption Methods • It is assumed to be impractical to decrypt a message on the basis of the cipertext plus the algorithm. The time you spend on deciphering is too large hence a deterrent. That is the algorithm need not be kept a secret. • The features such as the above makes the conventional method widely applicable. • Low cost on chip implementations of this algorithm is available due to the algorithm being available. • The principle problem is the secrecy of the key. • The fundamental requirement of all algorithms is that the process should be reversible (no information should be lost).

Classification of Cryptographic Systems (1) • Based on the type of operations used to transform plaintext to ciphertext • Substitution – each element in the plaintext (bit, letter, or groups of these) is mapped into another element. • Transposition – Elements in the plaintext are rearranged.

Classification of Cryptographic Systems (2) • The number of keys used • Symmetric – the sender and receiver uses same key. • Asymmetric – the sender and receiver use two separate keys. • The manner in which the plaintext is processed • Block cipher processes • A stream cipher process.

Model of a Conventional Cryptosystem

Cryptology

Are we Safe Now? (1) • Cryptanalysis is defined as the approaches to attacking a conventional encryption method. (just when you thought it was safe!!!) • These procedures will attempt to discover the plaintext or the encryption key. If a crypt is broken, all present, future and past encryptions using this key is compromised

Are we Safe Now? (2) • The attacks on a conventional encryption scheme can be categorized into: • Cryptanalysis: This type of attack relies on the nature of the algorithm and perhaps some knowledge of the general characteristics of plaintext. • Brute-Force attack: All possible key combinations are tried on ciphertext until plaintext is obtained.

Cryptanalysis – Type of Attacks

Brute Force Search • always possible to simply try every key • most basic attack, proportional to key size • assume either know / recognise plaintext

Unconditional Security • no matter how much computer power is available, the cipher cannot be broken. • That is the ciphertext provides insufficient information to uniquely determine the corresponding plaintext. • We note that no algorithm is unconditionally secure. • if it is then it cannot be uniquely decrypted.

Computational Security • given limited computing resources (eg time needed for calculations is greater than age of universe), the cipher cannot be broken. • Or in a milder case, the cost of breaking the cipher exceeds the value of the encrypted data or the required time to break the cipher exceeds the useful lifetime of the information.

Classical Substitution Ciphers • where letters of plaintext are replaced by other letters or by numbers or symbols • or if plaintext is viewed as a sequence of bits, then substitution involves replacing plaintext bit patterns with ciphertext bit patterns

Machine Cipher LanguageJefferson Cylinder • developed in 1790s, • comprised of 36 disks • each with a random alphabet • order of disks was the key • message was set in one row • another row became cipher

WW2 Cipher Machine

Caesar Cipher (1) • earliest known substitution cipher • by Julius Caesar • first attested use in military affairs • replaces each letter by 3rd letter on • example: meet me after the toga party PHHW PH DIWHU WKH WRJD SDUWB

Caesar Cipher (2) • can define transformation as: a b c d e f g h i j k l m n o p q r s t u v w x y z D E F G H I J K L M N O P Q R S T U V W X Y Z A B C • mathematically give each letter a number a b c d e f g h i j k l m 0 1 2 3 4 5 6 7 8 9 10 11 12 n o p q r s t u v w x y Z 13 14 15 16 17 18 19 20 21 22 23 24 25 • then have Caesar cipher as: C = E(p) = (p + k) mod (26) – encryption algorithm E p = D(C) = (C – k) mod (26) – decryption algorithm D

Cryptanalysis of Caesar Cipher • only have 25 possible cipher keys • A maps to A,B,..Z • could simply try each in turn • The task is made easier since the language of plaintext is also known. • a brute force search • given ciphertext, just try all shifts of letters • do need to recognize when the plaintext is obtained

eg. break ciphertext "GCUA VQ DTGCM" Example Cryptanalysis

Block Cipher Methods • A block cipher operates on a plaintext block of n bits and produces a ciphertext block of n bits. • For the 2n possible different plaintext blocks must produce 2n different ciphertext blocks for reversible encryption.

Illustration of Block Cipher Technique

Illustration of Stream Cipher Which one is safer? Which one has faster en-de-cryption speeds? Which one is commercially viable? Eliminated the need for padding

STOP! XOR the Magic Maker • XOR is wonderful for Cryptography. • It is a bitwise operator with a domain of two bits. • With the XOR operation the attacker cannot make a prediction, even a statistical, i.e. we do not know the transform value of the plaintext bit. • That is a plaintext 0 can be a 1 or 0 in the cipher text depending on the encryption bit. Complete lack of predictability if secret key is not known. • The XOR operation is lossless (reversible): C=A xor B, C xor B=A xor B xor B= A (show this with the truth table) (Other operations like AND will lead to loss of information.

Feistel Cipher Structure (1) • Virtually all conventional block encryption algorithms, including DES, have a structure described by Horst Feistel of IBM in 1973. • Inputs to the encryption algorithm • Plaintext block of 2w bits • A key K • The plain text block is divided into two halves L0 and R0

Feistel Cipher Structure (2) • The two halves of data are then passed through n rounds of processing and then combined to produce the ciphertext block. • Each round i has as input Li-1 and Ri-1 derived from the previous round and a subkey Ki derived from the overall K

Classical Feistel Network • Subkeys are generated using a subkey generation function • All rounds have the same structure • A substitution is performed on the left half of the data • It is done by applying a round function F to the right half of the data and then taking XOR of the output of that function and the left half of the data. • F is parameterized depending on the subkey • The permutation consists of interchanging the left and the right halves.

Design Features of Feistel Structure (1) • The exact realization of the structure will depend on all or most of the following design feature. • Block size • Larger block sizes means greater security (all other things being equal) • Larger block sizes reduces en-/de-cryption speeds. • Generally accepted size is 64 bits.

Design Features of Feistel Structure (2) • Key size • Larger key sizes => greater security. • Again this can reduce en-/de-crypt ion speeds. • Common key length in modern algorithms is 128bits. • Number of Rounds • Multiple rounds offer higher security. • A typical size is 16 rounds • Subkey generation algorithm • Greater difficulty in this algorithm leads to greater difficulty of cryptanalysis

Design Features of Feistel Structure (3) • Round Function • Greater complexity means greater resistance to cryptanalysis • Fast Software Encryption/Decryption • Encryption algorithm is mainly embedded in software • Hardware implementation becomes impossible in these cases • He speed of execution will be of concern in such cases.

Design Features of Feistel Structure (4) • Ease of Analysis • The more difficult the algorithm is, the more difficult it is to guarantee its strengths. • Complex algorithms make it harder to cryptanalyze.

Mathematics Behind the Feistel Structure(Encryption) The output the ith round of a Feistel network is determined from the output of the i-1 round by: L{i} = R{i-1} R{i} = L{i-1} XOR f(R{i-1},K{i})

Mathematics Behind the Feistel Structure(Decryption) Why is a Feistel network reversible? Clearly, R{i-1} can be obtained from L{i} with no work at all. How do we get L{i-1}? That is straightforward also, by the nature of XOR: L{i-1} = L{i-1} XOR F(R{i-1},K{i}) XOR F(R{i-1},K{i} Or, simplifying: L{i-1} = R{i} XOR F(L{i},K{i})

Additional Information For the above to be possible the subkeys need to be Generated at the receiver end. This is a given in a encoding system. Furthermore decryption uses the same Feistel structure that makes This method simpler.

Note that we have to show the previous stage of the encryption values can be obtained through the reverse traverse of the decryption algorithm. That is LD1=RE15 and RD1=LE15 The final permutation also has to be taken into account. The result is independent of the function ‘F’ and it need not be reversible Decryption Example

Data Encryption Standard (DES) • This was the most widely used encryption scheme. • This was adopted in 1977 as a standard and later cracked in 2002. • This is a block cipher technique. • The plaintext is processed in 64 bit blocks. • Cont …

Data Encryption Standard (DES) • This uses a secret key of 64 bits. However 8 of the bits are used as parity and can also be set arbitrarily. Hence the key size is usually stated as 56 bits. • With the exception of the initial and final permutations in DES it has exactly the same structure as the Feistel cipher.

General Description of DES

A Single Round in DES

Important Design Features of DES (1) • S-box design • The relationship provided by the s-box should be nonlinear and difficult to approximate with a linear function • Should be reversible? • The size should be large enough to incorporate complexity

Important Design Features of DES (2) • The function F • Should provide an element of confusion • Resistance against unscrambling the substitutions performed by F • The encoding should be nonlinear so that it cannot be approximated by a linear function during cryptanalysis

Important Facts About DES (1) • The 64 bit plaintext passes through an initial permutation. • IP reorders the input data bits. • Even bits to LH half and the odd bits to the RH half. • Next stage consists of 16 iterations similar to the Feistel cipher. • Uses two 32 bit L and H halves. Li= Ri–1 Ri= Li–1 xor F(Ri–1, Ki)

Important Facts About DES (2) • The stage continues … • takes 32-bit R half and 48-bit subkey and • expands R to 48-bits using perm E and adds to subkey • passes through 8 S-boxes to get 32-bit result (use tables) • finally permutes this using 32-bit perm P

Important Facts About DES (3) • The subkeys required by the previous stage will be generated as given below. • Initial permutation is carried out using permuted choice 1 • Then for each of the 16 iterations the key is produced by a combination of circular left shift and a permutations (permutation choice 2) • The permutation function is same for each stage. However different subkeys are generated due to the shifted input.

Time to Break the Code(assuming 10e6 decryptions per microsecond)

453 Network Security