![Cryptography 1 n n Cyber Attacks Cryptography Terminology Secret-Key Encryption Cryptography 1 n n Cyber Attacks Cryptography Terminology Secret-Key Encryption](https://slidetodoc.com/presentation_image_h2/e6d99d7bde0a81df60fbf21d3aa267f8/image-1.jpg)
Cryptography 1

- Cyber Attacks
- Cryptography Terminology
- Secret-Key Encryption

![Reading Assignment n Reading assignments for this lecture Required: ¨ Pfleeger: Ch 2 Recommended: Reading Assignment n Reading assignments for this lecture Required: ¨ Pfleeger: Ch 2 Recommended:](http://slidetodoc.com/presentation_image_h2/e6d99d7bde0a81df60fbf21d3aa267f8/image-2.jpg)
Reading Assignment

Reading assignments for this lecture:

- Required:
  - Pfleeger: Ch 2
- Recommended:
  - C. Dupuis, A Short History of Cryptography, http://jproc.ca/crypto_hist.html
  - Navajo Code Talkers: World War II Fact Sheet, http://www.historynet.com/world-war-ii-navajo-code-talkers.htm

CSCE 522 - Farkas

![Insecure communications Snooper Confidential Insecure channel Recipient Sender CSCE 522 - Farkas 3 Insecure communications Snooper Confidential Insecure channel Recipient Sender CSCE 522 - Farkas 3](http://slidetodoc.com/presentation_image_h2/e6d99d7bde0a81df60fbf21d3aa267f8/image-3.jpg)
Insecure communications

[Figure labels: Sender, Recipient, Insecure channel, Confidential, Snooper]

![Cryptographic Protocols § Messages should be transmitted to destination § Only the recipient should Cryptographic Protocols § Messages should be transmitted to destination § Only the recipient should](http://slidetodoc.com/presentation_image_h2/e6d99d7bde0a81df60fbf21d3aa267f8/image-4.jpg)
Cryptographic Protocols

- Messages should be transmitted to destination
- Only the recipient should see it
- Only the recipient should get it
- Proof of the sender’s identity
- Message shouldn’t be corrupted in transit
- Message should be sent/received once only

![Terminology § Plaintext (cleartext): a message in its original § § § form Ciphertext Terminology § Plaintext (cleartext): a message in its original § § § form Ciphertext](http://slidetodoc.com/presentation_image_h2/e6d99d7bde0a81df60fbf21d3aa267f8/image-5.jpg)
Terminology

- Plaintext (cleartext): a message in its original form
- Ciphertext (cyphertext): an encrypted message
- Encryption: transformation of a message to hide its meaning
- Cipher: cryptographic algorithm. A mathematical function used for encryption (encryption algorithm) and decryption (decryption algorithm).

![Terminology §Decryption: recovering meaning from ciphertext §Cryptography: art and science of keeping messages secure Terminology §Decryption: recovering meaning from ciphertext §Cryptography: art and science of keeping messages secure](http://slidetodoc.com/presentation_image_h2/e6d99d7bde0a81df60fbf21d3aa267f8/image-6.jpg)
Terminology

- Decryption: recovering meaning from ciphertext
- Cryptography: art and science of keeping messages secure
- Cryptanalysis: art and science of breaking ciphertext
- Cryptology: study of both cryptography and cryptanalysis

![Encryption and Decryption Plaintext Encryption Ciphertext Decryption Plaintext Additional requirements: • Authentication • Between Encryption and Decryption Plaintext Encryption Ciphertext Decryption Plaintext Additional requirements: • Authentication • Between](http://slidetodoc.com/presentation_image_h2/e6d99d7bde0a81df60fbf21d3aa267f8/image-7.jpg)
Encryption and Decryption

[Figure: Plaintext → Encryption → Ciphertext → Decryption → Plaintext]

Additional requirements:

- Authentication
  - Between communicating parties
  - Third-party authentication
- Non-repudiation
- Integrity verification
- Key distribution
  - Secret key (secure distribution)
  - Public key (reliable distribution)

![Conventional (Secret Key) Cryptosystem Plaintext Ciphertext Encryption Plaintext Decryption Sender Recipient C=E(K, M) M=D(K, Conventional (Secret Key) Cryptosystem Plaintext Ciphertext Encryption Plaintext Decryption Sender Recipient C=E(K, M) M=D(K,](http://slidetodoc.com/presentation_image_h2/e6d99d7bde0a81df60fbf21d3aa267f8/image-8.jpg)
Conventional (Secret Key) Cryptosystem

[Figure: Plaintext → Encryption → Ciphertext → Decryption → Plaintext, with key K at both ends]

- Sender: C = E(K, M)
- Recipient: M = D(K, C)
- K needs secure channel

![Public Key Cryptosystem Recipient’s public Key (Kpub) Plaintext Recipient’s private Key (Kpriv) Ciphertext Encryption Public Key Cryptosystem Recipient’s public Key (Kpub) Plaintext Recipient’s private Key (Kpriv) Ciphertext Encryption](http://slidetodoc.com/presentation_image_h2/e6d99d7bde0a81df60fbf21d3aa267f8/image-9.jpg)
Public Key Cryptosystem

[Figure: Plaintext → Encryption → Ciphertext → Decryption → Plaintext]

- Sender encrypts with the recipient’s public key (Kpub): C = E(Kpub, M)
- Recipient decrypts with the recipient’s private key (Kpriv): M = D(Kpriv, C)
- Kpub needs reliable channel

![Security Objectives Confidentiality n Integrity n Availability n Authenticity n Non-repudiation n Question 1: Security Objectives Confidentiality n Integrity n Availability n Authenticity n Non-repudiation n Question 1:](http://slidetodoc.com/presentation_image_h2/e6d99d7bde0a81df60fbf21d3aa267f8/image-10.jpg)
Security Objectives

- Confidentiality
- Integrity
- Availability
- Authenticity
- Non-repudiation

Question 1: How can cryptography support these objectives?

![Cryptography and Security Objectives Secret key (fast) Public key (slow) Hash Confidentiality Integrity Availability Cryptography and Security Objectives Secret key (fast) Public key (slow) Hash Confidentiality Integrity Availability](http://slidetodoc.com/presentation_image_h2/e6d99d7bde0a81df60fbf21d3aa267f8/image-11.jpg)
Cryptography and Security Objectives

[Table: columns Secret key (fast), Public key (slow), Hash; rows Confidentiality, Integrity, Availability, Authentication (peers only), Authentication (third party), Non-repudiation]

![Security Objectives n n n Confidentiality: Hiding message/file content n Secret key, public key Security Objectives n n n Confidentiality: Hiding message/file content n Secret key, public key](http://slidetodoc.com/presentation_image_h2/e6d99d7bde0a81df60fbf21d3aa267f8/image-12.jpg)
Security Objectives

- Confidentiality: Hiding message/file content
  - Secret key, public key encryption
- Integrity: Detecting modification
  - Hash function
- Availability: Not much – hiding existence of data
  - Secret key, public key encryption
- Authenticity: Verify origin
  - Public key encryption
- Non-repudiation: Verify activity
  - Public key encryption

![Cryptanalysis Cryptanalyst’s goal: ¨ Break message ¨ Break key ¨ Break algorithm CSCE 522 Cryptanalysis Cryptanalyst’s goal: ¨ Break message ¨ Break key ¨ Break algorithm CSCE 522](http://slidetodoc.com/presentation_image_h2/e6d99d7bde0a81df60fbf21d3aa267f8/image-13.jpg)
Cryptanalysis

Cryptanalyst’s goal:

- Break message
- Break key
- Break algorithm

![Taxonomy of Attacks n Ciphertext-only attack: attacker has ciphertext for messages encrypted with K. Taxonomy of Attacks n Ciphertext-only attack: attacker has ciphertext for messages encrypted with K.](http://slidetodoc.com/presentation_image_h2/e6d99d7bde0a81df60fbf21d3aa267f8/image-14.jpg)
Taxonomy of Attacks

- Ciphertext-only attack: attacker has ciphertext for messages encrypted with K. Deduce keys and/or plaintext messages.
- Known plaintext attack: attacker additionally knows the plaintext of the messages. Deduce keys or a decryption algorithm.
- Chosen plaintext attack: attacker can obtain the ciphertext for selected plaintext messages. Deduce as above.
- Chosen ciphertext attack: attacker can obtain decrypted (plaintext) versions of selected ciphertext. Deduce as above.

![Breakable versus Practically breakable n Unconditionally secure: impossible to decrypt. No amount of ciphertext Breakable versus Practically breakable n Unconditionally secure: impossible to decrypt. No amount of ciphertext](http://slidetodoc.com/presentation_image_h2/e6d99d7bde0a81df60fbf21d3aa267f8/image-15.jpg)
Breakable versus Practically breakable

- Unconditionally secure: impossible to decrypt. No amount of ciphertext will enable a cryptanalyst to obtain the plaintext
- Computationally secure: an algorithm that is not breakable in practice based on worst case scenario
- Breakable: all algorithms (except one-time pad) are theoretically breakable

![What makes a good cryptosystem? § A good cryptosystem is one whose security § What makes a good cryptosystem? § A good cryptosystem is one whose security §](http://slidetodoc.com/presentation_image_h2/e6d99d7bde0a81df60fbf21d3aa267f8/image-16.jpg)
What makes a good cryptosystem?

- A good cryptosystem is one whose security does not depend upon the secrecy of the algorithm.
- From Bruce Schneier: “Good cryptographers rely on peer review to separate the good algorithms from the bad.”

![Secret Key Cryptosystem Plaintext Ciphertext Encryption Plaintext Decryption Sender Recipient C=E(K, M) M=D(K, C) Secret Key Cryptosystem Plaintext Ciphertext Encryption Plaintext Decryption Sender Recipient C=E(K, M) M=D(K, C)](http://slidetodoc.com/presentation_image_h2/e6d99d7bde0a81df60fbf21d3aa267f8/image-17.jpg)
Secret Key Cryptosystem

[Figure: Plaintext → Encryption → Ciphertext → Decryption → Plaintext, with key K at both ends]

- Sender: C = E(K, M)
- Recipient: M = D(K, C)
- K needs secure channel

![Secret Key Cryptosystem Vulnerabilities (1 Passive Attacker (Eavesdropper) n Obtain and/or guess key and Secret Key Cryptosystem Vulnerabilities (1 Passive Attacker (Eavesdropper) n Obtain and/or guess key and](http://slidetodoc.com/presentation_image_h2/e6d99d7bde0a81df60fbf21d3aa267f8/image-18.jpg)
Secret Key Cryptosystem Vulnerabilities (1)

Passive Attacker (Eavesdropper)

- Obtain and/or guess key and cryptosystem and use these to decrypt messages
- Capture text in transit and try a ciphertext-only attack to obtain plaintext.

![Secret Key Cryptosystem Vulnerabilities Active Attacker n Break communication channel (denial of service) n Secret Key Cryptosystem Vulnerabilities Active Attacker n Break communication channel (denial of service) n](http://slidetodoc.com/presentation_image_h2/e6d99d7bde0a81df60fbf21d3aa267f8/image-19.jpg)
Secret Key Cryptosystem Vulnerabilities

Active Attacker

- Break communication channel (denial of service)
- Obtain and/or guess key and cryptosystem and use these to send fake messages

![Inherent Weaknesses of Symmetric Cryptography § Key distribution must be done secretly (difficult when Inherent Weaknesses of Symmetric Cryptography § Key distribution must be done secretly (difficult when](http://slidetodoc.com/presentation_image_h2/e6d99d7bde0a81df60fbf21d3aa267f8/image-20.jpg)
Inherent Weaknesses of Symmetric Cryptography

- Key distribution must be done secretly (difficult when parties are geographically distant, or don't know each other)
- Need a key for each pair of users
  - n users need n*(n-1)/2 keys
- If the secret key (and cryptosystem) is compromised, the adversary will be able to decrypt all traffic and produce fake messages

![Basic Encryption Techniques Substitution n Permutation n Combinations and iterations of these n CSCE Basic Encryption Techniques Substitution n Permutation n Combinations and iterations of these n CSCE](http://slidetodoc.com/presentation_image_h2/e6d99d7bde0a81df60fbf21d3aa267f8/image-21.jpg)
Basic Encryption Techniques

- Substitution
- Permutation
- Combinations and iterations of these

![Simple Alphabetic Substitution n Assign a new symbol to each plain text symbol randomly Simple Alphabetic Substitution n Assign a new symbol to each plain text symbol randomly](http://slidetodoc.com/presentation_image_h2/e6d99d7bde0a81df60fbf21d3aa267f8/image-22.jpg)
Simple Alphabetic Substitution

- Assign a new symbol to each plain text symbol randomly or by key, e.g., C → k, A → h, B → l
  - M = CAB
  - C = khl
- Advantages: large key space 26!
- Disadvantages: trivially broken for known plaintext attack, repeated pattern, letter frequency distributions unchanged

![Question 2: Does multiple substitutions increase security? a) b) c) Yes, because the attacker Question 2: Does multiple substitutions increase security? a) b) c) Yes, because the attacker](http://slidetodoc.com/presentation_image_h2/e6d99d7bde0a81df60fbf21d3aa267f8/image-23.jpg)
Question 2: Do multiple substitutions increase security?

- a) Yes, because the attacker must decrypt the ciphertext twice
- b) No, because it is equivalent to a single substitution
- c) Maybe, depending on the complexity of each substitution

![Polyalphabetic Substitution n Frequency distribution: reflects the distribution of the underlying alphabet cryptanalysts find Polyalphabetic Substitution n Frequency distribution: reflects the distribution of the underlying alphabet cryptanalysts find](http://slidetodoc.com/presentation_image_h2/e6d99d7bde0a81df60fbf21d3aa267f8/image-24.jpg)
Polyalphabetic Substitution

- Frequency distribution: reflects the distribution of the underlying alphabet → cryptanalysts find substitutions
  - E.g., English: e – 14%, t – 9.85%, a – 7.49%, o – 7.37%, …
- Need: flatten the distribution
  - E.g., combine high and low distributions:
    - t → a (odd position), b (even position)
    - x → a (even position), b (odd position)

![Cryptanalysis of Polyalphabetic Substitution Determine the number of alphabets used 2. Solve each piece Cryptanalysis of Polyalphabetic Substitution Determine the number of alphabets used 2. Solve each piece](http://slidetodoc.com/presentation_image_h2/e6d99d7bde0a81df60fbf21d3aa267f8/image-25.jpg)
Cryptanalysis of Polyalphabetic Substitution

1. Determine the number of alphabets used
2. Solve each piece as monoalphabetic substitution.

Kasiski Method:

- Uses regularity of English: letters, letter groupings, full words
- e.g.,
  - endings: -th, -ing, -ed, -ion, -ation, -tion, …
  - beginnings: im-, in-, re-, un-, ...
  - patterns: -eek-, -oot-, -our-, …
  - words: of, end, to, with, are, is, …

![One-Time Pad n n n Perfect Secrecy! Large, non-repeating set of keys Key is One-Time Pad n n n Perfect Secrecy! Large, non-repeating set of keys Key is](http://slidetodoc.com/presentation_image_h2/e6d99d7bde0a81df60fbf21d3aa267f8/image-26.jpg)
One-Time Pad

- Perfect Secrecy!
- Large, non-repeating set of keys
- Key is larger than the message
- Advantages: immune to most attacks
- Disadvantages:
  - Need total synchronization
  - Need very long, non-repeating key
  - Key cannot be reused
  - Key management: printing, storing, accounting for

![Question 3: Recommend a practical approach for generating a large key … Discussion topic… Question 3: Recommend a practical approach for generating a large key … Discussion topic…](http://slidetodoc.com/presentation_image_h2/e6d99d7bde0a81df60fbf21d3aa267f8/image-27.jpg)
Question 3: Recommend a practical approach for generating a large key …

Discussion topic…

![Summary of Substitution n Advantages: ¨ Simple ¨ Easy n to encrypt Disadvantages: ¨ Summary of Substitution n Advantages: ¨ Simple ¨ Easy n to encrypt Disadvantages: ¨](http://slidetodoc.com/presentation_image_h2/e6d99d7bde0a81df60fbf21d3aa267f8/image-28.jpg)
Summary of Substitution

- Advantages:
  - Simple
  - Easy to encrypt
- Disadvantages:
  - Easy to break!!!

![Transposition n n Letters of the message are rearranged Break patterns, e. g. , Transposition n n Letters of the message are rearranged Break patterns, e. g. ,](http://slidetodoc.com/presentation_image_h2/e6d99d7bde0a81df60fbf21d3aa267f8/image-29.jpg)
Transposition

- Letters of the message are rearranged
- Break patterns, e.g., columnar transposition
  - Plaintext: this is a test
  - Written in rows: this / isat / est!
  - Read by columns: tiehssiatst!
- Advantages: easy to implement
- Disadvantages:
  - Trivially broken for known plaintext attack
  - Easily broken for ciphertext-only attack

![Cryptanalysis n n Rearrange the letters Digrams, Trigrams, Patterns ¨ n Frequent digrams: -re-, Cryptanalysis n n Rearrange the letters Digrams, Trigrams, Patterns ¨ n Frequent digrams: -re-,](http://slidetodoc.com/presentation_image_h2/e6d99d7bde0a81df60fbf21d3aa267f8/image-30.jpg)
Cryptanalysis

- Rearrange the letters
- Digrams, Trigrams, Patterns
  - Frequent digrams: -re-, -th-, -en-, -ed-, …
- Cryptanalysis:
  1. Compute letter frequencies → subst. or perm.
  2. Compare strings of ciphertext to find reasonable patterns (e.g., digrams)
  3. Find digram frequencies

![Double Transposition n Two columnar transposition with different number of columns ¨ First transposition: Double Transposition n Two columnar transposition with different number of columns ¨ First transposition:](http://slidetodoc.com/presentation_image_h2/e6d99d7bde0a81df60fbf21d3aa267f8/image-31.jpg)
Double Transposition

- Two columnar transpositions with different numbers of columns
  - First transposition: breaks up adjacent letters
  - Second transposition: breaks up short patterns

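
The columnar and double transposition slides above, as an added example that is not part of the lecture: it reproduces the slide's `tiehssiatst!` ciphertext, handles messages that do not fill the last row, and measures how far apart originally adjacent letters end up. The function names and the 13-letter sample are constructed for this illustration.

```python
from collections import Counter


def columnar_order(n, cols):
    """Plaintext indices in the order a columnar transposition emits them.

    The text is written row by row into `cols` columns and read column by
    column; a short last row simply makes the later columns one letter shorter.
    """
    return [i for c in range(cols) for i in range(c, n, cols)]


def columnar_encrypt(text, cols):
    return "".join(text[i] for i in columnar_order(len(text), cols))


def columnar_decrypt(ciphertext, cols):
    out = [""] * len(ciphertext)
    for pos, src in enumerate(columnar_order(len(ciphertext), cols)):
        out[src] = ciphertext[pos]          # put each letter back where it came from
    return "".join(out)


def double_encrypt(text, cols1, cols2):
    """Two columnar transpositions with different numbers of columns."""
    return columnar_encrypt(columnar_encrypt(text, cols1), cols2)


def double_decrypt(ciphertext, cols1, cols2):
    return columnar_decrypt(columnar_decrypt(ciphertext, cols2), cols1)


def neighbour_gaps(n, *col_counts):
    """Histogram of ciphertext distances between letters adjacent in the plaintext.

    A single transposition leaves a very regular pattern (almost every pair is
    exactly one column height apart), which is what digram analysis exploits.
    """
    order = list(range(n))
    for cols in col_counts:
        order = [order[i] for i in columnar_order(n, cols)]
    where = {src: pos for pos, src in enumerate(order)}
    return Counter(abs(where[i + 1] - where[i]) for i in range(n - 1))


if __name__ == "__main__":
    msg = "thisisatest!"                      # the slide's plaintext, spaces removed
    ct = columnar_encrypt(msg, 4)
    print(ct)                                 # slide's ciphertext
    # Transposition only moves letters: the letter counts are untouched, which
    # is how step 1 of the cryptanalysis slide tells it from a substitution.
    print(Counter(ct) == Counter(msg))
    print(neighbour_gaps(len(msg), 4))        # single: gaps are 3 or 8 only
    print(neighbour_gaps(len(msg), 4, 5))     # double: gaps spread out
    ragged = "meetmeatnoon!"                  # constructed, 13 letters: last row is short
    print(double_decrypt(double_encrypt(ragged, 4, 5), 4, 5) == ragged)
```
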
![Product Ciphers One encryption applied to the result of the other En(En-1(…(E 1(M)))), e. Product Ciphers One encryption applied to the result of the other En(En-1(…(E 1(M)))), e.](http://slidetodoc.com/presentation_image_h2/e6d99d7bde0a81df60fbf21d3aa267f8/image-32.jpg)
Product Ciphers

One encryption applied to the result of the other: E_n(E_{n-1}(…(E_1(M)))), e.g.,

- Double transposition
- Substitution followed by permutation, followed by substitution, followed by permutation…

Broken for

- Chosen plaintext

![Shannon’s Characteristics of “Good” Ciphers The amount of secrecy needed should determine the amount Shannon’s Characteristics of “Good” Ciphers The amount of secrecy needed should determine the amount](http://slidetodoc.com/presentation_image_h2/e6d99d7bde0a81df60fbf21d3aa267f8/image-33.jpg)
Shannon’s Characteristics of “Good” Ciphers

- The amount of secrecy needed should determine the amount of labor appropriate for the encryption and decryption
- The set of keys and the enciphering algorithm should be free from complexity
- The implementation of the process should be simple and possible

![Shannon’s Characteristics of “Good” Ciphers (cont. ) Errors in ciphering should not propagate and Shannon’s Characteristics of “Good” Ciphers (cont. ) Errors in ciphering should not propagate and](http://slidetodoc.com/presentation_image_h2/e6d99d7bde0a81df60fbf21d3aa267f8/image-34.jpg)
Shannon’s Characteristics of “Good” Ciphers (cont.)

- Errors in ciphering should not propagate and cause corruption of further information in the message
- The size of the enciphered text should be no larger than the original message

![Trustworthy Encryption Systems Based on sound mathematics n Has been analyzed by experts n Trustworthy Encryption Systems Based on sound mathematics n Has been analyzed by experts n](http://slidetodoc.com/presentation_image_h2/e6d99d7bde0a81df60fbf21d3aa267f8/image-35.jpg)
Trustworthy Encryption Systems

- Based on sound mathematics
- Has been analyzed by experts
- Has stood the test of time
- Examples: Data Encryption Standard (DES), Advanced Encryption Standard (AES), Rivest-Shamir-Adleman (RSA)

![Stream Ciphers n n Convert one symbol of plain text into a symbol of Stream Ciphers n n Convert one symbol of plain text into a symbol of](http://slidetodoc.com/presentation_image_h2/e6d99d7bde0a81df60fbf21d3aa267f8/image-36.jpg)
Stream Ciphers

- Convert one symbol of plain text into a symbol of ciphertext based on the symbol (plain), key, and algorithm
- Advantages:
  - Speed of transformation
  - Low error propagation
- Disadvantages:
  - Low diffusion
  - Vulnerable to malicious insertion and modification

![Block Ciphers Encrypt a group of plaintext as one block and produces a block Block Ciphers Encrypt a group of plaintext as one block and produces a block](http://slidetodoc.com/presentation_image_h2/e6d99d7bde0a81df60fbf21d3aa267f8/image-37.jpg)
Block Ciphers

- Encrypt a group of plaintext as one block and produces a block of ciphertext
- Advantages:
  - Diffusion
  - Immunity to insertions
- Disadvantages:
  - Slowness of encryption
  - Error propagation

![Secret Key Cryptosystem Vulnerabilities (1) Passive Attacker (Eavesdropper) n Obtain and/or guess key and Secret Key Cryptosystem Vulnerabilities (1) Passive Attacker (Eavesdropper) n Obtain and/or guess key and](http://slidetodoc.com/presentation_image_h2/e6d99d7bde0a81df60fbf21d3aa267f8/image-38.jpg)
Secret Key Cryptosystem Vulnerabilities (1)

Passive Attacker (Eavesdropper)

- Obtain and/or guess key and cryptosystem and use these to decrypt messages
- Capture text in transit and try a ciphertext-only attack to obtain plaintext.

![Secret Key Cryptosystem Vulnerabilities (2) Active Attacker n Break communication channel (denial of service) Secret Key Cryptosystem Vulnerabilities (2) Active Attacker n Break communication channel (denial of service)](http://slidetodoc.com/presentation_image_h2/e6d99d7bde0a81df60fbf21d3aa267f8/image-39.jpg)
Secret Key Cryptosystem Vulnerabilities (2)

Active Attacker

- Break communication channel (denial of service)
- Obtain and/or guess key and cryptosystem and use these to send fake messages
- No third party authentication

![Inherent Weaknesses of Symmetric Cryptography § Key distribution must be done secretly (difficult when Inherent Weaknesses of Symmetric Cryptography § Key distribution must be done secretly (difficult when](http://slidetodoc.com/presentation_image_h2/e6d99d7bde0a81df60fbf21d3aa267f8/image-40.jpg)
Inherent Weaknesses of Symmetric Cryptography

- Key distribution must be done secretly (difficult when parties are geographically distant, or don't know each other)
- Need a key for each pair of users
  - n users need n*(n-1)/2 keys
- If the secret key (and cryptosystem) is compromised, the adversary will be able to decrypt all traffic and produce fake messages

![Data Encryption Standards DES CSCE 522 - Farkas 41 Data Encryption Standards DES CSCE 522 - Farkas 41](http://slidetodoc.com/presentation_image_h2/e6d99d7bde0a81df60fbf21d3aa267f8/image-41.jpg)
Data Encryption Standards: DES

![Background and History n n n Developed by the U. S. government Intended for Background and History n n n Developed by the U. S. government Intended for](http://slidetodoc.com/presentation_image_h2/e6d99d7bde0a81df60fbf21d3aa267f8/image-42.jpg)
Background and History

- Developed by the U.S. government
- Intended for general public
- 1970s: NBS (National Bureau of Standards), now named NIST (National Institute of Standards and Technology): need for standard for encrypting unclassified, sensitive information
- 1974: IBM’s candidate: Lucifer
- November 1976: DES was approved as a federal standard in

![DES Versions n n n n Jan. 15, 1977: DES was published as FIPS DES Versions n n n n Jan. 15, 1977: DES was published as FIPS](http://slidetodoc.com/presentation_image_h2/e6d99d7bde0a81df60fbf21d3aa267f8/image-43.jpg)
DES Versions

- Jan. 15, 1977: DES was published as FIPS PUB 46 (Federal Information Processing Standard), authorized for use on all unclassified data
- 1988 (revised as FIPS-46-1) and 1993 (FIPS-46-2): DES is reaffirmed
- Jan. 1999: DES key is broken in 22 hours and 15 minutes
- 1999 (FIPS-46-3): DES, containing Triple DES, is reaffirmed
- Nov. 26, 2001: The Advanced Encryption Standard (AES) is published in FIPS 197
- May 26, 2002: The AES standard becomes effective
- May 19, 2005: FIPS 46-3 was officially withdrawn but Triple DES is approved by NIST until 2030 for sensitive government information

![Data Encryption Standard Mathematics to design strong product ciphers is classified n Breakable by Data Encryption Standard Mathematics to design strong product ciphers is classified n Breakable by](http://slidetodoc.com/presentation_image_h2/e6d99d7bde0a81df60fbf21d3aa267f8/image-44.jpg)
Data Encryption Standard

- Mathematics to design strong product ciphers is classified
- Breakable by exhaustive search on 56-bit key size for known plaintext, chosen plaintext and chosen ciphertext attacks
- Security: computational complexity of computing the key under the above scenarios (22 hours)

![Data Encryption Standard DES is a product cipher 56 bit key size n 64 Data Encryption Standard DES is a product cipher 56 bit key size n 64](http://slidetodoc.com/presentation_image_h2/e6d99d7bde0a81df60fbf21d3aa267f8/image-45.jpg)
Data Encryption Standard

- DES is a product cipher
  - 56 bit key size
  - 64 bit block size for plaintext and cipher text
- Developed by IBM and adopted by NIST with NSA approval
- Encryption and decryption algorithms are public but the design principles are classified

![DES Controversies Key size 56 bits – threshold of allowing exhaustive-search known plaintext attack DES Controversies Key size 56 bits – threshold of allowing exhaustive-search known plaintext attack](http://slidetodoc.com/presentation_image_h2/e6d99d7bde0a81df60fbf21d3aa267f8/image-46.jpg)
DES Controversies

- Key size 56 bits – threshold of allowing exhaustive-search known plaintext attack
- Built in trapdoor – allegations
- The US Senate Select Committee of Intelligence exonerated NSA from tampering with the design of DES in any way

![DES Multiple Encryption 1992: proven that DES is not a group: multiple encryptions by DES Multiple Encryption 1992: proven that DES is not a group: multiple encryptions by](http://slidetodoc.com/presentation_image_h2/e6d99d7bde0a81df60fbf21d3aa267f8/image-47.jpg)
DES Multiple Encryption

- 1992: proven that DES is not a group: multiple encryptions by DES are not equivalent to a single encryption

![DES Multiple Encryption Double DES P EK 1(P) Intermediate Ciphertext Plaintext Encryption K 1 DES Multiple Encryption Double DES P EK 1(P) Intermediate Ciphertext Plaintext Encryption K 1](http://slidetodoc.com/presentation_image_h2/e6d99d7bde0a81df60fbf21d3aa267f8/image-48.jpg)
DES Multiple Encryption

Double DES

[Figure: P (plaintext) → Encryption with K1 → E_K1(P) (intermediate ciphertext) → Encryption with K2 → E_K2[E_K1(P)] (ciphertext)]

- Known-plaintext: meet-in-the-middle attack
- Effective key size: 57 bit -- Why not 112?

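
The slide's "why not 112?" question, worked on a toy cipher as an added example that is not part of the lecture. The 16-bit Feistel cipher with 12-bit keys, its key schedule and the sample plaintexts are constructed here so the search finishes instantly; the structure of the search is what carries over to DES, where two sweeps of 2^56 keys cost about 2^57 cipher operations.

```python
from collections import defaultdict

KEY_BITS = 12   # toy key size (DES uses 56)
ROUNDS = 4


def _round_keys(key):
    """Constructed key schedule: low byte of the key rotated left by 0, 3, 6, 9 bits."""
    mask = (1 << KEY_BITS) - 1
    return [(((key << 3 * i) | (key >> (KEY_BITS - 3 * i))) & mask) & 0xFF
            for i in range(ROUNDS)]


def _f(half, rk):
    """Nonlinear round function on one byte (constructed for this example)."""
    x = half ^ rk
    return ((x * 167 + 13) ^ (x >> 3) ^ ((x * x) >> 2)) & 0xFF


def encrypt(key, block):
    left, right = block >> 8, block & 0xFF
    for rk in _round_keys(key):
        left, right = right, left ^ _f(right, rk)
    return (left << 8) | right


def decrypt(key, block):
    left, right = block >> 8, block & 0xFF
    for rk in reversed(_round_keys(key)):
        left, right = right ^ _f(left, rk), left
    return (left << 8) | right


def double_encrypt(k1, k2, block):
    """C = E_K2[E_K1(P)], as in the Double DES figure."""
    return encrypt(k2, encrypt(k1, block))


def meet_in_the_middle(pairs):
    """Find (K1, K2) from known plaintext/ciphertext pairs.

    E_K1(P) and D_K2(C) must agree on the intermediate ciphertext, so one sweep
    over K1 fills a table and one sweep over K2 looks values up in it.
    Returns the surviving key pairs and the number of cipher operations spent
    in the two sweeps (checking the few survivors costs a little extra).
    """
    (p0, c0), rest = pairs[0], pairs[1:]
    table = defaultdict(list)
    sweep_ops = 0
    for k1 in range(1 << KEY_BITS):
        table[encrypt(k1, p0)].append(k1)
        sweep_ops += 1
    candidates = []
    for k2 in range(1 << KEY_BITS):
        middle = decrypt(k2, c0)
        sweep_ops += 1
        for k1 in table.get(middle, ()):
            # extra known pairs weed out key pairs that matched by coincidence
            if all(double_encrypt(k1, k2, p) == c for p, c in rest):
                candidates.append((k1, k2))
    return candidates, sweep_ops


if __name__ == "__main__":
    k1, k2 = 0xA5C, 0x31F                       # constructed secret keys
    known = [(p, double_encrypt(k1, k2, p)) for p in (0x1234, 0xBEEF, 0x0F0F)]
    found, ops = meet_in_the_middle(known)
    print("recovered:", [(hex(a), hex(b)) for a, b in found])
    print("sweep operations:", ops, "= 2^%d" % (KEY_BITS + 1))
    print("naive search over both keys: 2^%d" % (2 * KEY_BITS))
```

The price of the shortcut is memory: the table holds one entry per first-stage key.
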
![DES Multiple Encryption Triple DES P EK 1(P) DK 2[EK 1(P)] EK 3[DK 2[EK DES Multiple Encryption Triple DES P EK 1(P) DK 2[EK 1(P)] EK 3[DK 2[EK](http://slidetodoc.com/presentation_image_h2/e6d99d7bde0a81df60fbf21d3aa267f8/image-49.jpg)
DES Multiple Encryption

Triple DES

[Figure: P → E with K1 → E_K1(P) → D with K2 → D_K2[E_K1(P)] → E with K3 → E_K3[D_K2[E_K1(P)]]]

- Tuchman: avoid meet-in-the-middle attack
- If K1=K2: single encryption

![Triple DES Tuchman’s technique is part of NIST standard Can be broken in 2^56 Triple DES Tuchman’s technique is part of NIST standard Can be broken in 2^56](http://slidetodoc.com/presentation_image_h2/e6d99d7bde0a81df60fbf21d3aa267f8/image-50.jpg)
Triple DES

- Tuchman’s technique is part of NIST standard
- Can be broken in 2^56 operations if one has 2^56 chosen plaintext blocks (Merkle, Hellman 1981)
- Could use distinct K1, K2, K3 to avoid this attack -- 2^112 bit key

![Modes of DES (review) ECB – Electronic Code Book CBC – Cipher Block Chaining Modes of DES (review) ECB – Electronic Code Book CBC – Cipher Block Chaining](http://slidetodoc.com/presentation_image_h2/e6d99d7bde0a81df60fbf21d3aa267f8/image-51.jpg)
Modes of DES (review)

- ECB – Electronic Code Book
- CBC – Cipher Block Chaining
- CFB – Cipher FeedBack
- OFB – Output FeedBack

Part of NIST standard

![ECB Mode (review) 64 bit data 56 bit key E D 56 bit key ECB Mode (review) 64 bit data 56 bit key E D 56 bit key](http://slidetodoc.com/presentation_image_h2/e6d99d7bde0a81df60fbf21d3aa267f8/image-52.jpg)
ECB Mode (review)

[Figure: 64 bit data → E (56 bit key) → D (56 bit key) → 64 bit data]

- Good for small messages
- Identical data block will be identically encrypted

![CBC Mode (review) 64 bit data + 56 bit key 64 bit previous Ciphertext CBC Mode (review) 64 bit data + 56 bit key 64 bit previous Ciphertext](http://slidetodoc.com/presentation_image_h2/e6d99d7bde0a81df60fbf21d3aa267f8/image-53.jpg)
CBC Mode (review)

[Figure: encryption: 64 bit data XORed (+) with the 64 bit previous ciphertext block, then E with the 56 bit key; decryption: D with the 56 bit key, then XOR (+) with the 64 bit previous ciphertext block, giving 64 bit data]

- C_n = E_k[C_{n-1} ⊕ P_n]
- Need initiation vector

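
The ECB and CBC slides above, as an added example that is not part of the lecture: a defender's check that counts repeated ciphertext blocks, run over the same message in both modes. `E`/`D` here are a toy byte-wise stand-in for DES so the example needs only the standard library; the key, message and padding choice (PKCS#7 style) are assumptions of this illustration.

```python
import os

BLOCK = 8  # bytes: the 64-bit block size of DES

# Toy invertible "block cipher" (NOT DES): a fixed byte permutation after XOR with the key.
SBOX = [(167 * x + 13) % 256 for x in range(256)]   # bijection on bytes because 167 is odd
INV = [0] * 256
for _x, _y in enumerate(SBOX):
    INV[_y] = _x


def E(key, block):
    return bytes(SBOX[b ^ k] for b, k in zip(block, key))


def D(key, block):
    return bytes(INV[c] ^ k for c, k in zip(block, key))


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data):
    return data[:-data[-1]]


def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key, data):
    """Every block is encrypted on its own: equal plaintext blocks stay equal."""
    return b"".join(E(key, b) for b in blocks(pad(data)))


def ecb_decrypt(key, ct):
    return unpad(b"".join(D(key, c) for c in blocks(ct)))


def cbc_encrypt(key, iv, data):
    """C_n = E_k[C_{n-1} xor P_n], with the IV standing in for C_0."""
    prev, out = iv, []
    for b in blocks(pad(data)):
        prev = E(key, xor(b, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ct):
    prev, out = iv, []
    for c in blocks(ct):
        out.append(xor(D(key, c), prev))
        prev = c
    return unpad(b"".join(out))


def repeated_blocks(ct):
    """Number of ciphertext blocks that duplicate an earlier block."""
    bs = blocks(ct)
    return len(bs) - len(set(bs))


if __name__ == "__main__":
    key = b"KEY4DEMO"                           # constructed 8-byte key
    msg = b"ACCT=001" * 3 + b"PAY=0042"         # constructed message with repeated blocks
    iv = os.urandom(BLOCK)                      # fresh random IV for each message
    print("ECB repeats:", repeated_blocks(ecb_encrypt(key, msg)))
    print("CBC repeats:", repeated_blocks(cbc_encrypt(key, iv, msg)))
    print("round trip :", cbc_decrypt(key, iv, cbc_encrypt(key, iv, msg)) == msg)
```

Reusing an IV brings the ECB problem back at message level: two messages that start with the same blocks produce the same leading ciphertext blocks.
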
![Advanced Encryption Standard (AES) Federal Information Processing Standard (FIPS) to be used by U. Advanced Encryption Standard (AES) Federal Information Processing Standard (FIPS) to be used by U.](http://slidetodoc.com/presentation_image_h2/e6d99d7bde0a81df60fbf21d3aa267f8/image-54.jpg)
Advanced Encryption Standard (AES)

- Federal Information Processing Standard (FIPS) to be used by U.S. Government organizations
- Effective since May 26, 2002
- Replaces DES (triple DES remains)
- Rijndael ([Rhine Dhal]) algorithm (Joan Daemen and Vincent Rijmen)

![AES Origin n n Started in 1997 and lasted for several years Requirements specified AES Origin n n Started in 1997 and lasted for several years Requirements specified](http://slidetodoc.com/presentation_image_h2/e6d99d7bde0a81df60fbf21d3aa267f8/image-55.jpg)
AES Origin

- Started in 1997 and lasted for several years
- Requirements specified by NIST:
  - Algorithm unclassified and publicly available
  - Available royalty free world wide
  - Symmetric key
  - Operates on data blocks of 128 bits
  - Key sizes of 128, 192, and 256 bits
  - Fast, secure, and portable
  - Active life of 20-30 years
  - Provides full specifications

![AES Finalists § 1999: Algorithm name Complexity Speed Security margin MARS (IBM- USA) Complex AES Finalists § 1999: Algorithm name Complexity Speed Security margin MARS (IBM- USA) Complex](http://slidetodoc.com/presentation_image_h2/e6d99d7bde0a81df60fbf21d3aa267f8/image-56.jpg)
AES Finalists

1999:

| Algorithm name | Complexity | Speed | Security margin |
| --- | --- | --- | --- |
| MARS (IBM - USA) | Complex | Fast | High |
| Serpent (Anderson, Biham, & Knudsen - U.K.) | Simple - clean | Slow | High |
| Rijndael (Joan Daemen/V. Rijmen – Belgium) | Simple - clean | Fast | Good |
| RC6 (RSA Data Security, Inc. - USA) | Very simple | Very fast | Low |
| Twofish (Bruce Schneier and others - USA) | Complex | Fast | High |

![Rijndael Algorithm n n § Chosen for: security, performance, efficiency, ease of implementation, and Rijndael Algorithm n n § Chosen for: security, performance, efficiency, ease of implementation, and](http://slidetodoc.com/presentation_image_h2/e6d99d7bde0a81df60fbf21d3aa267f8/image-57.jpg)
Rijndael Algorithm

- Chosen for: security, performance, efficiency, ease of implementation, and flexibility
- Block cipher (variable block and key length)
- Federal Information Processing Standard (FIPS)

![Rijndael §Symmetric, block cipher §Key size: 128, 192, or 256 bits §Block size: 128 Rijndael §Symmetric, block cipher §Key size: 128, 192, or 256 bits §Block size: 128](http://slidetodoc.com/presentation_image_h2/e6d99d7bde0a81df60fbf21d3aa267f8/image-58.jpg)
Rijndael

- Symmetric, block cipher
- Key size: 128, 192, or 256 bits
- Block size: 128
  - Processed as 4 groups of 4 bytes (state)
- Operates on the entire block in every round
- Number of rounds depending on key size:
  - Key=128 → 9 rounds
  - Key=192 → 11 rounds
  - Key=256 → 13 rounds

![Strength of Algorithm New – little experimental results n Cryptanalysis results n ¨ Few Strength of Algorithm New – little experimental results n Cryptanalysis results n ¨ Few](http://slidetodoc.com/presentation_image_h2/e6d99d7bde0a81df60fbf21d3aa267f8/image-59.jpg)
Strength of Algorithm

- New – little experimental results
- Cryptanalysis results
  - Few theoretical weakness
  - No real problem
- No relation to government agency → no allegations of tampering with code
- Has sound mathematical foundation

![Next Class Key distribution ¨ Public key encryption ¨ CSCE 522 - Farkas 60 Next Class Key distribution ¨ Public key encryption ¨ CSCE 522 - Farkas 60](http://slidetodoc.com/presentation_image_h2/e6d99d7bde0a81df60fbf21d3aa267f8/image-60.jpg)
Next Class

- Key distribution
- Public key encryption