
Iss lecture 2

Date post: 22-Nov-2014
Upload: ali-habeeb
Page 1: Iss lecture 2

Information System Security

Lecture 2

Symmetric cryptography

Page 2: Iss lecture 2

References

1. Cryptography and Network Security, by W. Stallings. Prentice Hall, 2003.

2. Handbook of Applied Cryptography, by A. Menezes, P. van Oorschot and S. Vanstone. 5th printing, 2001. http://www.cacr.math.uwaterloo.ca/hac

3. Cryptography: A Very Short Introduction (Very Short Introduction S.), by Fred Piper and Sean Murphy. Oxford University Press, 2002.

Page 3: Iss lecture 2

Outline

1. Cryptography

2. Symmetric cipher systems

3. Stream cipher
– Vernam cipher
– One-time pad

4. Block cipher
– DES
– Triple DES
– AES

5. Modes of operation
– ECB
– CBC

Page 4: Iss lecture 2

1. Cryptography

Cryptography is a means of providing information security.

Cryptography is the study of mathematical techniques related to aspects of information security such as confidentiality, integrity, authentication, and non-repudiation, which form the main objectives of ISS.

Other ISS objectives are derived from these four aspects.

Page 5: Iss lecture 2

Cryptography

Cryptanalysis: the study of mathematical techniques for attempting to defeat cryptographic techniques.

Cryptanalyst: one who engages in cryptanalysis.

Cryptology: the study of cryptanalysis and cryptography.

Cryptosystem (cryptographic system): a general term referring to a set of cryptographic primitives used to provide information security services.
– Also called a cipher.

Page 6: Iss lecture 2

A cipher model

A (symmetric) cipher model consists of:
– Plaintext, m: the original intelligible message fed into the encryption algorithm.
– Encryption algorithm, E: performs various substitutions and transformations on m.
– Secret key, K: an input to E, and a value independent of m.
– Ciphertext, C: scrambled message produced as output of E. It depends on m and K.
– Decryption algorithm, D: the reverse of E. It takes C and K and produces m.

[Figure: the sender feeds the plaintext and the secret key into the encryption algorithm (e.g., AES); the ciphertext goes to the receiver, whose decryption algorithm uses the same secret key to recover the plaintext.]

Page 7: Iss lecture 2

Symmetric-key systems

Symmetric cipher
– Encryption key and decryption key are exactly the same, or
– Decryption key is easily obtained from the encryption key.

All practical cipher systems prior to the 1980s were symmetric cipher systems.

The study of symmetric cipher systems is often referred to as symmetric cryptography.
– Also referred to as conventional cryptography, single-key cryptography, or secret-key cryptography.

Page 8: Iss lecture 2

Public-key systems

In public-key cipher systems
– It is computationally infeasible (in other words, practically impossible) to determine the decryption key from the encryption key.

In this case the encryption key and the decryption key must be different. For this reason, public-key cipher systems are sometimes referred to as asymmetric cipher systems.

The study of public-key cipher systems is often referred to as public-key or asymmetric cryptography.

Page 9: Iss lecture 2

Cryptography

Cryptographic techniques are divided into 2 types:

– Symmetric-key cryptography
  Symmetric-key ciphers
  – Block cipher
  – Stream cipher
  Arbitrary length hash functions (MACs)
  Signatures
  Identification
  Pseudorandom sequences

– Public-key cryptography
  Asymmetric-key ciphers
  – Integer factorization
  – Discrete logarithm
  Signatures
  Identification

Page 10: Iss lecture 2

2. Symmetric ciphers

There are two classes: block cipher and stream cipher.

[Figure: stream cipher versus block cipher. The stream cipher applies E to the plaintext 100110110100010111010010 one bit at a time, giving 110010011101010010001001. The block cipher splits the same plaintext into the blocks 100110 110100 010111 010010 and applies E to each block, giving 110010 011101 010010 001001.]

Page 11: Iss lecture 2

3. Stream Ciphers

A stream cipher is an encryption scheme which treats the plaintext symbol-by-symbol (e.g., bit or character)
– A keystream is a sequence of symbols $e_1 e_2 e_3 \ldots \in K$ (the key space for a set of encryption transformations)
– $A$: an alphabet of definition of $q$ symbols
– Encryption: $E_e$ is a simple substitution cipher with block length 1, where $e \in K$:
  $E_e(m) = E_{e_1}(m_1)\, E_{e_2}(m_2) \ldots = c_1 c_2 \ldots$
  Plaintext $m = m_1 m_2 \ldots$ and ciphertext $c = c_1 c_2 \ldots$
– Decryption: $D_d(c) = D_{d_1}(c_1)\, D_{d_2}(c_2) \ldots = m_1 m_2 \ldots$, with $d_i = e_i^{-1}$

The security of stream ciphers depends on the changing keystream rather than on the encryption function (which may be simple, e.g., XOR).

Page 12: Iss lecture 2

Vernam Cipher

[Figure: random key bits $k_1, k_2, \ldots, k_n$ are combined (+) with plaintext bits $p_1, p_2, \ldots, p_n$ to give ciphertext bits $p_1 \oplus k_1, p_2 \oplus k_2, \ldots, p_n \oplus k_n$.]

A stream cipher defined on the alphabet $A = \{0, 1\}$

The keystream is a binary string ($k = k_1 \ldots k_t$) of the same length as the plaintext $m$ ($= m_1 \ldots m_t$)

Encryption $c_i = m_i \oplus k_i$, decryption $m_i = c_i \oplus k_i$

Page 13: Iss lecture 2

One-time pad

If the key string is randomly chosen and never used again then the Vernam cipher is called a one-time pad.

One-time pad's drawback: the keystream must be as long as the plaintext.
– This increases the difficulty of key distribution and key management

Solution: generate the keystream pseudorandomly (i.e., keystream generated from a smaller secret key).

[Figure: model of a stream cipher. A keystream generator expands the key into random key bits $k_1 k_2 \ldots k_n$, which are combined (+) with the plaintext bits $p_1 p_2 \ldots p_n$ to give the ciphertext bits $p_1 \oplus k_1, \ldots, p_n \oplus k_n$.]

Page 14: Iss lecture 2

Properties of stream ciphers

Advantages:
– No error propagation: a ciphertext digit that is modified during transmission doesn't affect the decryption of other ciphertext digits
– Easy to implement
– Fast

Drawbacks:
– Requirement for synchronization: sender and receiver must be synchronized (i.e., they must use the same key and operate on the same position (digit)). If synchronization is lost due to digit insertion or deletion then re-synchronization is required.

They are suitable for applications where errors are intolerable.
– GSM and phone networks.

A modern stream cipher: RC4 (1987).
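The Vernam cipher, one-time pad and stream-cipher properties slides above, worked through in Python. This is an added example, not code from the lecture; the messages and helper names are constructed for illustration. It shows the XOR round trip, a one-bit transmission error staying confined to one position, and why the pad must never be used again.

```python
import secrets


def vernam(data: bytes, keystream: bytes) -> bytes:
    """c_i = m_i XOR k_i. The same call decrypts, since m_i = c_i XOR k_i."""
    if len(keystream) < len(data):
        raise ValueError("keystream must be at least as long as the message")
    return bytes(d ^ k for d, k in zip(data, keystream))


def changed_positions(a: bytes, b: bytes) -> list:
    """Indices at which two equal-length byte strings differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def reuse_leak(c1: bytes, c2: bytes, known_m1: bytes) -> bytes:
    """If one keystream encrypted both messages, c1 XOR c2 = m1 XOR m2:
    the key cancels out, so knowing m1 yields m2 without the key."""
    return vernam(vernam(c1, c2), known_m1)


# Constructed sample messages of equal length (not from the lecture).
M1 = b"PAY 100 TO ALICE"
M2 = b"PAY 900 TO CAROL"


def demo():
    pad = secrets.token_bytes(len(M1))   # random key, as long as the plaintext
    c1 = vernam(M1, pad)
    roundtrip = vernam(c1, pad)

    # One ciphertext bit is modified in transit: only that symbol decrypts wrongly.
    damaged = bytearray(c1)
    damaged[4] ^= 0x01
    hit = changed_positions(M1, vernam(bytes(damaged), pad))

    # The pad is (wrongly) used a second time, so it is no longer a one-time pad.
    c2 = vernam(M2, pad)
    leaked = reuse_leak(c1, c2, M1)
    return roundtrip, hit, leaked


if __name__ == "__main__":
    print(demo())
```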

Page 15: Iss lecture 2

4. Block ciphers

A block cipher is an encryption scheme which breaks up the plaintext message into blocks of a fixed length and produces ciphertext blocks of the same length.

Block ciphers encrypt one block at a time, using a complex encryption function.

Examples
– DES: operates on blocks of 64 bits
– AES: operates on blocks of 128 bits

Block ciphers can be used in various modes (modes of operation).

Page 16: Iss lecture 2

Data Encryption Standard (DES)

DES design is based on two general concepts:
– Product cipher: combination of two or more operations (transposition, translation (e.g., XOR), arithmetic operations, modular multiplication, simple substitutions).
– Feistel concept

[Figure: a 64-bit block of plaintext and a 56-bit encryption key enter the encryption algorithm (DES), which outputs a 64-bit block of ciphertext.]

Page 17: Iss lecture 2

Feistel principle

An iterated block cipher is a block cipher involving the sequential repetition of an internal function called the round function. Parameters include: $r$, the number of rounds, $n$, the block size, and $k$, the input key from which $r$ subkeys $k_i$ (round keys) are derived.

A Feistel cipher is an iterated cipher mapping a $2t$-bit plaintext $(L_0, R_0)$, for $t$-bit blocks $L_0$ and $R_0$, to a ciphertext $(R_r, L_r)$, through an $r$-round process ($r \geq 1$). For each $1 \leq i \leq r$, round $i$ maps $(L_{i-1}, R_{i-1}) \to (L_i, R_i)$ as follows:

– $L_i = R_{i-1}$

– $R_i = L_{i-1} \oplus f(R_{i-1}, k_i)$

Decryption is achieved by the same $r$-round process but with subkeys in reverse order.

Page 18: Iss lecture 2

Feistel principle

[Figure: two rounds of a Feistel cipher. The plaintext is split into $L_0$ and $R_0$. Round 1 uses key $k_1$: $L_1 = R_0$, $R_1 = L_0 \oplus f(R_0, k_1)$. Round 2 uses key $k_2$: $L_2 = R_1$, $R_2 = L_1 \oplus f(R_1, k_2)$.]
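The Feistel rounds defined above, as a small runnable cipher. This is an added example, not code from the lecture and not DES: the 16-bit half-block, the SHA-256-based round function f and the key schedule are assumptions chosen for brevity. It confirms that decryption is the same process with the subkeys reversed, and goes slightly beyond the slide by showing that equal round keys make encryption its own inverse.

```python
import hashlib

T = 16                    # half-block size t in bits (assumption; DES uses 32)
MASK = (1 << T) - 1


def f(right: int, subkey: bytes) -> int:
    """Toy round function (hypothetical, not DES's f). It does not need to be
    invertible: the Feistel structure supplies invertibility."""
    data = right.to_bytes(T // 8, "big") + subkey
    return int.from_bytes(hashlib.sha256(data).digest()[: T // 8], "big")


def subkeys(key: bytes, rounds: int) -> list:
    """Hypothetical key schedule: k_i = first 4 bytes of SHA-256(key || i)."""
    return [hashlib.sha256(key + bytes([i])).digest()[:4]
            for i in range(1, rounds + 1)]


def feistel(block: int, round_keys: list) -> int:
    """Map (L_0, R_0) to (R_r, L_r) with
    L_i = R_{i-1},  R_i = L_{i-1} XOR f(R_{i-1}, k_i)."""
    left, right = block >> T, block & MASK
    for k in round_keys:
        left, right = right, left ^ f(right, k)
    return (right << T) | left          # ciphertext is (R_r, L_r)


def encrypt(block: int, key: bytes, rounds: int = 16) -> int:
    return feistel(block, subkeys(key, rounds))


def decrypt(block: int, key: bytes, rounds: int = 16) -> int:
    # Same r-round process, subkeys in reverse order.
    return feistel(block, subkeys(key, rounds)[::-1])


def self_inverse_with_equal_subkeys(block: int, subkey: bytes, rounds: int = 16) -> bool:
    """With identical round keys the reversed schedule equals the forward one,
    so E(E(x)) = x, the defining property of a weak key."""
    keys = [subkey] * rounds
    return feistel(feistel(block, keys), keys) == block


if __name__ == "__main__":
    x = 0x0123ABCD                       # constructed 32-bit sample block
    c = encrypt(x, b"demo key")
    print(hex(c), hex(decrypt(c, b"demo key")),
          self_inverse_with_equal_subkeys(x, b"same"))
```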

Page 19: Iss lecture 2

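DES Encryption (ch. 7, [2])

[Figure: DES encryption. The 64-bit plaintext passes through the initial permutation IP and is split into 32-bit halves $L_0$ and $R_0$. Round 1 uses key $k_1$: $L_1 = R_0$, $R_1 = L_0 \oplus f(R_0, k_1)$. The rounds continue up to $L_{16} = R_{15}$, $R_{16} = L_{15} \oplus f(R_{15}, k_{16})$, and the inverse permutation $IP^{-1}$ produces the 64-bit ciphertext.]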

Page 20: Iss lecture 2

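DES's f function

[Figure: DES f function. $R_{i-1}$ (32 bits) goes through the expansion permutation to give $R_{i-1}$ (48 bits), which is combined with $K_i$ (48 bits). The result feeds the S-boxes S1 S2 S3 S4 S5 S6 S7 S8 (6 bits into each, 4 bits out of each), followed by the permutation P, giving 32 bits.]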

Page 21: Iss lecture 2

DES properties

DES has 4 weak keys and six pairs of semi-weak keys
– A DES weak key is a key $k$ such that $E_k(E_k(x)) = x$ for all $x$
– A pair of DES semi-weak keys is a pair $(K_1, K_2)$ with $E_{K_1}(E_{K_2}(x)) = x$

Tables 7.5 and 7.6, of weak and semi-weak keys, are on p. 258 of [2].

DES today
– A DES key can be found by anyone determined enough. In 1998 the Electronic Frontier Foundation managed to break DES (using DES Cracker, costing < $250,000) in less than 3 days.
– Differential and linear cryptanalysis provide academic attacks on DES.
– However, DES is still in use in many applications.
– Triple DES or AES are commonly recommended instead of DES.

Page 22: Iss lecture 2

Triple DES

[Figure: Triple DES. The plaintext is encrypted using DES with key K1, the result is decrypted using DES with key K2, and that result is encrypted using DES with key K3 to give the ciphertext.]

• Key = k1 k2 k3

• Keys are longer (192 bits)

• Three times slower than DES

Page 23: Iss lecture 2

Advanced Encryption Standard

In November 2001 the USA NIST announced the Rijndael algorithm as the AES to replace DES, as FIPS 197.

– Became effective in May 2002
– AES is a symmetric encryption algorithm
– Block size 128, rounds 10, 12, or 14 depending on the key size (128, 192, or 256)
– AES will probably be used worldwide very soon
– Its security is not proved yet

[Figure: a 128-bit block of plaintext and an encryption key of 128, 192, or 256 bits enter AES, which outputs a 128-bit block of ciphertext.]

Page 24: Iss lecture 2

Other Block ciphers

IDEA (International Data Encryption Algorithm)
– Published in 1991
– Operates on 64-bit blocks with a 128-bit key and produces blocks of 64 bits

Other ciphers: FEAL, SAFER, RC5, …

[Figure: a 64-bit block of plaintext and a 128-bit encryption key enter IDEA, which outputs a 64-bit block of ciphertext.]

Page 25: Iss lecture 2

5. Modes of operation

1. Electronic CodeBook (ECB):

– Identical plaintext blocks (under the same key) result in identical ciphertext.
– Chaining dependency: blocks are enciphered independently of other blocks.
– Error propagation: one or more bit errors in a single ciphertext block affect decipherment of that block only.
– ECB is not recommended for messages longer than one block, or if keys are reused for more than a one-block message.
– Security of ECB may be improved by inclusion of random padding bits in each block.

[Figure: Electronic CodeBook (ECB). Encryption: each $n$-bit block $x_j$ is enciphered as $c_j = E_{key}(x_j)$. Decryption: $x_j = E_{key}^{-1}(c_j)$.]

Page 26: Iss lecture 2

5. Modes of operation

2. Cipher-Block Chaining (CBC):

[Figure: Cipher-Block Chaining (CBC), with $c_0 = IV$ and $n$-bit blocks. Encryption: $c_j = E_{key}(x_j \oplus c_{j-1})$. Decryption: $x_j = E_{key}^{-1}(c_j) \oplus c_{j-1}$.]

– Identical plaintexts: identical ciphertext blocks result when the same plaintext is enciphered under the same key and IV.
– Chaining dependency: a ciphertext block $c_j$ depends on $x_j$ and all preceding plaintext blocks; rearranging the order of ciphertext blocks affects decryption.
– Error propagation: a single bit error in ciphertext block $c_j$ affects decipherment of $c_j$ and $c_{j+1}$.
– Error recovery: CBC is self-synchronizing in the sense that if an error occurs in block $c_j$, $c_{j+2}$ is correctly recovered.
– IV is not secret but needs integrity.
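The ECB and CBC properties listed on the two slides above, checked on a toy cipher. This is an added example, not code from the lecture: the 8-bit keyed permutation stands in for a real block cipher such as DES or AES so that each byte is one block, and the key, IV and plaintext are constructed sample values.

```python
import hashlib
import random


def keyed_permutation(key: bytes):
    """Toy 8-bit block cipher (assumption): a key-dependent permutation of
    0..255 as E, and its inverse table as E^-1."""
    seed = int.from_bytes(hashlib.sha256(key).digest(), "big")
    enc = list(range(256))
    random.Random(seed).shuffle(enc)
    dec = [0] * 256
    for x, y in enumerate(enc):
        dec[y] = x
    return enc, dec


def ecb_encrypt(enc, blocks: bytes) -> bytes:
    return bytes(enc[x] for x in blocks)            # c_j = E(x_j)


def ecb_decrypt(dec, blocks: bytes) -> bytes:
    return bytes(dec[c] for c in blocks)            # x_j = E^-1(c_j)


def cbc_encrypt(enc, iv: int, blocks: bytes) -> bytes:
    out, prev = [], iv                              # c_0 = IV
    for x in blocks:
        prev = enc[x ^ prev]                        # c_j = E(x_j XOR c_{j-1})
        out.append(prev)
    return bytes(out)


def cbc_decrypt(dec, iv: int, blocks: bytes) -> bytes:
    out, prev = [], iv
    for c in blocks:
        out.append(dec[c] ^ prev)                   # x_j = E^-1(c_j) XOR c_{j-1}
        prev = c
    return bytes(out)


def flip_bit(data: bytes, j: int) -> bytes:
    """Simulate a single-bit transmission error in block j."""
    out = bytearray(data)
    out[j] ^= 0x01
    return bytes(out)


def damaged_blocks(original: bytes, received: bytes) -> list:
    return [j for j, (a, b) in enumerate(zip(original, received)) if a != b]


# Constructed sample values (not from the lecture).
KEY, IV, PLAINTEXT = b"demo key", 0x5A, b"AAAAAAAABBBBBBBB"

if __name__ == "__main__":
    enc, dec = keyed_permutation(KEY)
    ecb, cbc = ecb_encrypt(enc, PLAINTEXT), cbc_encrypt(enc, IV, PLAINTEXT)
    print("ECB:", ecb.hex())                        # repeated blocks stay visible
    print("CBC:", cbc.hex())
    print("ECB error hits", damaged_blocks(PLAINTEXT, ecb_decrypt(dec, flip_bit(ecb, 5))))
    print("CBC error hits", damaged_blocks(PLAINTEXT, cbc_decrypt(dec, IV, flip_bit(cbc, 5))))
    # A modified IV changes the first plaintext block predictably: hence "needs integrity".
    print("IV tampered  :", cbc_decrypt(dec, IV ^ 0x01, cbc)[:1], "vs", PLAINTEXT[:1])
```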

Page 27: Iss lecture 2

Properties of block ciphers

Block ciphers do propagate errors (to a limited extent), but are quite flexible and can be used in different ways in order to provide different security properties.

The properties of cryptographic algorithms are not only affected by algorithm design, but also by the ways in which the algorithms are used. Different modes of operation can significantly change the properties of a block cipher.

The security of block ciphers mainly depends on the complexity of the encryption function, whereas that of stream ciphers depends on the keystream randomness.

They can be used to provide confidentiality, data integrity, or user authentication, and can even be used to provide the keystream generator for stream ciphers.

