CSIT311: Spring 2010 Network Management and Security Ghulam Murtaza
Agenda ●Recap ●DES ●Cryptographic modes ●RSA
Cryptography basics ●Terminology ●An unencrypted message in its original form is referred to as plaintext ●The process of disguising a message in such a way as to hide its substance is encryption. ●An encrypted message is ciphertext. ●Turning ciphertext back into plaintext is decryption. ●The key space of a cipher is the set of all possible keys that can be used to initialize it. For example, if an algorithm works using a key that is a string of 10 bits, then its key space is the set of all binary strings of length 10 ●Notation: M = message (plaintext), C = ciphertext
Ciphers we discussed
Frequency analysis ●Study of the frequency of letters or groups of letters in a ciphertext ●Each language has a characteristic distribution of letters that is roughly the same for almost all samples of that language ●English: E is very common, X is uncommon ●Limitations of frequency analysis –Message length –Ideal situation: the frequency distribution should be flat ●XOR cipher?
Cryptanalysis ●Simple frequency analysis doesn't work –If P is the most frequent letter in a ciphertext whose plaintext is in English, is P = E? –However, E can be enciphered as different ciphertext letters at different points in the message ●The primary weakness of the Vigenère cipher: the repeating nature of its key ●How to guess the key length?
One Time pad or Vernam Cipher
Product Ciphers
Private Key cryptography
Private and public key cryptography
Digital Signatures ●Add integrity to a conversation ●Superior to a handwritten signature
Block Cipher Scheme (figure: under a secret key, a plaintext block of length N is encrypted to a cipher block of length N, and decrypted back)
DES (Data Encryption Standard) ●Published in 1977, standardized in ●Key: 64-bit quantity = 8 parity bits + 56-bit key –Every 8th bit is a parity bit. ●64-bit input, 64-bit output. (Figure: DES encryption, 64-bit M → 64-bit C under a 56-bit key)
Essentially a loop with 16 iterations called rounds.
There is an initial permutation IP before the first round has started.
Similarly there is a final permutation performed on the block after the last round.
Each round also generates a 48-bit subkey from the original 56-bit key
Each round breaks the message block into two halves, L and R, and concentrates on only one half of the message block
The round subjects R to a transformation, which is a function F of the subkey and R
The left side L is then set to the XOR of itself and the result of F(Ki, R).
Finally, the two halves are swapped so that the other half can be processed in the next round
function DES_Encrypt(M, K) where M = (L, R)
    M = IP(M)                   -- initial permutation
    for round = 1 to 16 do
        Ki = SK(K, round)       -- 48-bit subkey for this round
        L = L xor F(R, Ki)
        swap(L, R)
    end
    swap(L, R)                  -- undo the swap of the last round
    M = IP^-1(M)                -- final permutation
    return M
end
Initial Permutation ●The first bit of the output is the 58th bit of the input, the second is the 50th bit, etc.
Final Permutation ●The final permutation is the inverse of the initial permutation; its table is interpreted similarly
Key permutation ●The first operation on the key is to reduce it from 64 bits to 56.
Key permutation ●Every eighth bit of the key is used for parity, so those bits are removed before the key is used for encryption.
Key permutation ●Then the key is subjected to a permutation similar to the initial permutation that is applied to the message (figure: left and right halves of the permuted key)
Key permutation ●The key is split into two halves, C and D.
Key permutation ●After each round, each half is independently shifted to the left by either one or two bits ●The shift is rotational, so that bits shifted off one end are placed back on the other end. (Table: number of shifts per round)
Subkey selection ●The subkey function is used to convert the 56-bit key into a 48-bit block ●Some bits are discarded: 9, 18, 22, 25, 35, 38, 43, …
Cipher Function ●Each round works on only the right half of the block ●The 32-bit right half is expanded to match the 48-bit subkey size.
32 to 48 bit Expansion ●Some bits from the input are duplicated at the output ●Break R into 8 four-bit chunks ●Expand each chunk to 6 bits by taking the adjacent bits on either side and concatenating them ●e.g. bits 4 and 9 are concatenated around bits 5, 6, 7, 8 to make one 6-bit output chunk
S-Boxes ●The subkey is XORed with the expanded R ●The output is divided into 8 six-bit chunks ●Each chunk is fed into an S-box ●Each S-box produces a 4-bit output ●The exact derivation of these boxes is unknown. ●The first and last bits of a chunk denote the row ●The middle four bits determine the column
S-boxes continued ●The output of all S-boxes is concatenated ●A final permutation P is applied to the 32-bit quantity ●Why?
Initial and Final Permutations ●Initial permutation (IP) ●The initial permutation adds no strength to DES –Prove it. ●Final permutation FP = IP^-1
Questions? ●How is decryption performed? ●Why are the initial permutations needed? ●Why do we need to permute the output from the S-boxes? ●What is the logic behind the S-boxes? ●The logic behind the selection of the S-boxes remains an unpublished secret ●Is it a good idea technically to publish it? ●Why is the key length 56 bits? ●How safe is that? ●What sort of attacks are possible? ●Triple DES: how does it benefit?
DES Box Summary ●Simple, easy to implement: –Hardware: gigabits/second; software: megabits/second ●56-bit key DES may be acceptable for non-critical applications, but triple DES (DES3) should be secure for most applications today ●Supports several operation modes: ECB, CBC, OFB, CFB
Encrypting a Large Message ●How do you encrypt a message larger than 64 bits? ●Several schemes defined –ECB (Electronic Code Book) –CBC (Cipher Block Chaining Mode) –OFB (Output Feedback Mode) –CFB (Cipher Feedback Mode) –Stream cipher
Electronic Code Book (ECB) ●Message is divided into blocks ●Most obvious, usually the worst method ●Each block is encrypted separately ●Decryption is the exact opposite
Electronic Code Book (ECB) ●Identical plaintext blocks are encrypted to identical ciphertext blocks ●Leaves plaintext patterns in the ciphertext
Electronic Code Book (ECB) (Figure, three panels: original, ECB mode, other modes) A pixel-map version of the image on the left was encrypted with ECB mode to create the center image
ECB Problems ●Lacks the basic protection against integrity attacks on the ciphertext at the message level (i.e., across multiple cipher blocks) ●Without additional integrity protection: –cipher block substitution and rearrangement attacks –fabrication of specific information –block replay
Example illustration ●Banks agree on a standard message transfer format:
    Field                  Length
    Bank One: Sending      1.5 blocks
    Bank Two: Receiving    1.5 blocks
    Depositor's Name       6 blocks
    Depositor's Account    2 blocks
    Amount of Deposit      1 block
●Bank of Alice and Bank of Bob make the transactions. ●How can Mallory use this information to get rich?
Example illustration (message format as above) ●Mallory records all conversations ●Transfers $100 from Bank of Alice to his account in Bank of Bob ●Does it again.
Example illustration (message format as above) ●Identifies the identical messages which represent his money transfer ●Once isolated, this message can be inserted into the communication stream at will.
Example illustration (message format as above) ●Time stamp?
Example illustration (message format as above) ●Block Replay –Example record layout: Timestamp | Sending Bank | Receiving Bank | Depositor's name | Depositor's Account | Amount
Example illustration ●Mallory replaces blocks 5-12 with his name and account number –Does not need to know the original depositor –Does not need to know the amount ●Block Replay –Example record layout: Timestamp | Sending Bank | Receiving Bank | Depositor's name | Depositor's Account | Amount
Cipher Block Chaining (CBC) ●Chaining adds a feedback mechanism ●Results of encryption from previous block are fed into encryption of current block
Cipher Block Chaining (CBC) ●The resulting ciphertext depends on the current plaintext as well as on the previous blocks.
Cipher Block Chaining (CBC) ●The IV (initialization vector) is a random number that ensures each message is encrypted uniquely.
CBC Decryption ●Cipher block is decrypted normally ●It is also saved in a feedback register ●When the next cipher block is decrypted, the result is XORed with the feedback register
CBC Problems ●Encryption is serial, cannot be parallelized ●Message must be padded ●Losing sync of the block boundary garbles the rest of the stream ●Single bit error at encryption is not significant? ●Single bit error in ciphertext? –A single bit error affects one block and one bit of the recovered plaintext –The block with the error is completely garbled –The subsequent block has a 1-bit error in the same position as the error
CBC Problems ●If a bit is added to or lost from the ciphertext stream, then all subsequent blocks are garbled.
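The Feistel loop of the DES pseudocode and the ECB versus CBC behaviour described on these slides, as an added example that is not part of the lecture: a constructed 64-bit toy cipher (four rounds, a made-up round function, no IP, S-boxes or key schedule) stands in for DES so the mode logic can run offline. demo() shows ECB leaking repeated plaintext blocks, CBC hiding them, and a single flipped ciphertext bit in CBC garbling one block and flipping one bit of the next.

```python
BLOCK = 8  # toy 64-bit block size, as in DES
def round_f(r, k):
    # CONSTRUCTED toy round function standing in for DES's expansion/S-box/P step
    x = ((r ^ k) * 0x9E3779B1) & 0xFFFFFFFF
    return (x ^ (x >> 13)) & 0xFFFFFFFF

def toy_block(key, block, decrypt=False):
    # Feistel loop of the slide's DES pseudocode (no IP/IP^-1): per round L = L xor F(R, Ki);
    # swap(L, R); one extra swap after the loop. Decrypt = same loop, subkeys reversed.
    subkeys = [int.from_bytes(key[4 * i:4 * i + 4], "big") for i in range(4)]
    if decrypt:
        subkeys.reverse()
    l, r = int.from_bytes(block[:4], "big"), int.from_bytes(block[4:], "big")
    for k in subkeys:
        l ^= round_f(r, k)
        l, r = r, l
    l, r = r, l
    return l.to_bytes(4, "big") + r.to_bytes(4, "big")
def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))
def split_blocks(data):  # caller must already have padded to whole blocks
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
def ecb_encrypt(key, pt):
    return b"".join(toy_block(key, p) for p in split_blocks(pt))  # blocks independent
def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for p in split_blocks(pt):
        prev = toy_block(key, xor_bytes(p, prev))  # previous ciphertext chains into next
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for c in split_blocks(ct):
        out.append(xor_bytes(toy_block(key, c, decrypt=True), prev))
        prev = c  # the feedback register holds the ciphertext block
    return b"".join(out)

def demo():
    key, iv = bytes(range(16)), bytes(BLOCK)  # constructed key; fixed IV for the demo only
    pt = b"DEPOSIT1" * 3 + b"AMOUNT=1"        # constructed 4-block message, 3 blocks identical
    ecb, cbc = ecb_encrypt(key, pt), cbc_encrypt(key, iv, pt)
    damaged = cbc[:BLOCK + 3] + bytes([cbc[BLOCK + 3] ^ 0x10]) + cbc[BLOCK + 4:]  # 1 bit flipped in block 1
    rec, p = split_blocks(cbc_decrypt(key, iv, damaged)), split_blocks(pt)
    return {"ecb_unique_blocks": len(set(split_blocks(ecb))),  # repeats show through: 2
            "cbc_unique_blocks": len(set(split_blocks(cbc))),  # chaining hides them
            "cbc_roundtrip": cbc_decrypt(key, iv, cbc) == pt,
            "block1_garbled": rec[1] != p[1],                   # damaged block fully garbled
            "block2_diff": xor_bytes(rec[2], p[2]),             # one bit, same position
            "block3_intact": rec[3] == p[3]}                    # error does not propagate further
```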
Output Feedback Mode (OFB) ●Encryption is performed by XORing the message with the pad generated by OFB ●Like a Random Number Generator...
OFB Properties ●Advantages –Allows pre-computing of the pseudo-random stream (like a One-Time Pad); XOR can be implemented very efficiently –No error propagation problem as in CBC –Flipping a bit in the ciphertext produces a flipped bit in the plaintext at the same location –Message can arrive in arbitrarily sized chunks –Allows just-in-time encrypt/decrypt due to bit-wise computation (versus fixed blocks)
Cipher Feedback mode (CFB) ●When data is to be processed in smaller chunks ●Initially the queue is filled with the IV, similar to CBC ●The queue is encrypted ●The leftmost 8 bits of the result are XORed with the first 8 bits of input ●The 8 leftmost bits of the queue are discarded and the 8 bits of ciphertext output are fed back into it ●Ciphertext depends on all the preceding plaintext
CFB Properties ●Advantage compared with CBC: –With k=8, an error in one byte of ciphertext only affects 8 more bytes beyond it –An error in the plaintext is reversed at decryption –Synchronization errors? ●Disadvantage compared with OFB: –The random stream can no longer be computed in advance.
Modular Arithmetic ●Public key algorithms are based on modular arithmetic. –where numbers "wrap around" after they reach a certain value ●Modular addition. ●Modular multiplication. ●Modular exponentiation.
Modular Addition ●Addition modulo (mod) K ●Additive inverse of a number: adding it mod K yields 0 ●Encrypt by adding a number modulo K ●"Decrypt" by adding its inverse.
Modular Multiplication ●Multiplication modulo K ●Only multiplication by 1, 3, 7, 9 works as a cipher ●Why? ●Multiplicative inverse: multiplication mod K yields 1 ●Only some numbers have an inverse ●If K is large, how do you find the inverse?
Modular Multiplication ●Use Euclid's algorithm to find the inverse –Given x, n, it finds y such that x·y mod n = 1 ●What is special about the numbers 1, 3, 7, 9? ●They do not share any common factor with the modulus other than 1 ●All numbers relatively prime to n have a mod-n multiplicative inverse
Totient Function ●x, m relatively prime: no common factor other than 1 ●Totient function ø(n): number of integers less than n that are relatively prime to n –if n is prime, ø(n) = n-1 –if n = p·q, and p, q are primes, ø(n) = (p-1)(q-1) –Why is that? –Total numbers = p·q –Exclude those numbers that are not relatively prime to n: the multiples of p and of q –p multiples of q less than pq –q multiples of p less than pq –p+q-1 numbers excluded (pq counted once) –ø(n) = pq - (p+q-1) = (p-1)(q-1)
Modular Exponentiation ●x^y mod n = x^(y mod ø(n)) mod n (for x relatively prime to n) ●if y = 1 mod ø(n) then x^y mod n = x mod n
RSA (Rivest, Shamir, Adleman) ●The most popular one. ●Supports both public key encryption and digital signature. ●Assumption/theoretical basis: –Factoring a big number is hard. ●Variable key length (usually 512 bits). ●Variable plaintext block size. –Plaintext must be "smaller" than the key. –Ciphertext block size is the same as the key length.
What Is RSA? ●To generate a key pair: –Step 1: To create a public key, we start by getting two very large prime numbers, p and q (>= 256 bits each). –Let n = p·q; keep p and q to yourself! –For the public key, choose e that is relatively prime to ø(n) = (p-1)(q-1); let pub = (e, n) –For the private key, find d that is the multiplicative inverse of e mod ø(n), i.e., e·d = 1 mod ø(n); let priv = (d, n)
How Does RSA Work? ●Given pub = (e, n) and priv = (d, n): –encryption: c = m^e mod n, m < n –decryption: m = c^d mod n –signature: s = m^d mod n, m < n –verification: m = s^e mod n
Why Does RSA Work? ●Given pub = (e, n) and priv = (d, n): –n = p·q, ø(n) = (p-1)(q-1) –e·d = 1 mod ø(n) –x^(e·d) = x mod n –encryption: c = m^e mod n –decryption: c^d mod n = m^(e·d) mod n = m mod n = m (since m < n) –digital signature (similar)
Why Is RSA Secure? ●Factoring a 512-bit number is very hard! ●But if you can factor the big number n, then given the public key you can find d, hence the private key, by: –Knowing factors p, q such that n = p·q –Then ø(n) = (p-1)(q-1) –Then d such that e·d = 1 mod ø(n)
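The key generation, encryption, signing, exponent-reduction and factoring steps from the RSA slides, worked through as an added Python example that is not part of the lecture; egcd/modinv implement the Euclid inverse from the modular multiplication slide, and p = 61, q = 53, e = 17, m = 65 are constructed textbook-size values, not secure ones.

```python
def egcd(a, b):
    # Extended Euclid: returns (g, x, y) with a*x + b*y == g == gcd(a, b)
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y

def modinv(x, n):
    # y with x*y mod n == 1 (the slide's Euclid step); exists only if gcd(x, n) == 1
    g, y, _ = egcd(x, n)
    if g != 1:
        raise ValueError(f"{x} has no multiplicative inverse mod {n}")
    return y % n

def units(n):
    # Residues that have an inverse mod n, i.e. those relatively prime to n
    return [x for x in range(1, n) if egcd(x, n)[0] == 1]
def phi_of_pq(p, q):
    # Totient of n = p*q for distinct primes p, q: (p-1)(q-1)
    return (p - 1) * (q - 1)

def rsa_keygen(p, q, e):
    n, phi = p * q, phi_of_pq(p, q)
    d = modinv(e, phi)          # e*d == 1 mod phi(n); fails if e is not coprime to phi(n)
    return (e, n), (d, n)       # pub = (e, n), priv = (d, n)
def rsa_encrypt(pub, m):
    e, n = pub
    assert 0 <= m < n, "plaintext block must be smaller than the modulus"
    return pow(m, e, n)         # c = m^e mod n
def rsa_decrypt(priv, c):
    d, n = priv
    return pow(c, d, n)         # m = c^d mod n
def rsa_sign(priv, m):
    return rsa_decrypt(priv, m)  # s = m^d mod n (same operation, private exponent)
def rsa_verify(pub, s):
    return rsa_encrypt(pub, s)   # m = s^e mod n

def demo():
    # Constructed textbook-size parameters (NOT secure): p=61, q=53, e=17 -> n=3233
    pub, priv = rsa_keygen(61, 53, 17)
    (e, n), (d, _) = pub, priv
    m = 65                                    # constructed message block, m < n
    c = rsa_encrypt(pub, m)
    return {"n": n, "d": d, "c": c,
            "roundtrip": rsa_decrypt(priv, c) == m,
            "sig_ok": rsa_verify(pub, rsa_sign(priv, m)) == m,
            # x^y mod n == x^(y mod phi(n)) mod n: adding multiples of phi(n) to y changes nothing
            "exp_reduce": pow(m, e + 2 * phi_of_pq(61, 53), n) == c,
            "units_mod_10": units(10),        # the slide's 1, 3, 7, 9 are exactly the units mod 10
            "d_from_factors": rsa_keygen(61, 53, e)[1][0] == d}  # factoring n hands over d
```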