He who wants to defend everything defends nothing

  • Slides: 94
“He, who wants to defend everything, defends nothing.” --- Frederick the Great

Focus of a Security Plan
Reference: Thomas Calabrese, "Information Security Intelligence," Thomson Delmar Learning, 2004, p. 4
• Scope: restrict the scope as much as possible
• Prioritization
• Practicability
• Some examples of attacks and a hint about technologies

Example of a Security Incident: Phishing
Phishing (mis)used the following behaviour of older versions of Internet Explorer: in a URL, everything between "//" and an "@" is user information, not the host name, and if the characters %01 and %00 (ASCII 1 and 0) were placed just before the @, IE stopped displaying the URL at that point.
Example: http://www.whitehouse.gov%01%00@www.hacker.com/... showed up as http://www.whitehouse.gov in the status bar, as if the page came from the White House. The request, however, went to www.hacker.com, and so did whatever the user typed into the page.
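The following is an added example, not part of the slide deck: it parses the spoofed URL from the slide the way the URL standard does (user-info before '@', host after it), reproduces what the truncating display showed, and flags the pattern. The URLs are constructed for this example and nothing is fetched.

```python
"""Added example (not from the slide deck): how a URL with user-info before '@'
is actually resolved, and a check that flags the spoofing pattern on the slide.
Assumption: only the URL text is examined; no request is made."""
from urllib.parse import urlsplit, unquote

# Constructed sample URLs: the spoofed one from the slide plus two benign ones.
SPOOF_URL = "http://www.whitehouse.gov%01%00@www.hacker.com/login"
PLAIN_URL = "http://www.whitehouse.gov/"
USERINFO_URL = "http://alice@mail.example.org/"   # legitimate user-info, no control chars


def effective_host(url):
    """Host the request really goes to: everything after the last '@' in the
    authority part (RFC 3986), regardless of what a browser happens to display."""
    return urlsplit(url).hostname


def displayed_prefix(url):
    """What the old IE build showed: the authority text cut off at the first
    control character (ASCII 0x00 or 0x01), as described on the slide."""
    parts = urlsplit(url)
    decoded = unquote(parts.netloc)
    cut = len(decoded)
    for i, ch in enumerate(decoded):
        if ord(ch) < 0x20:
            cut = i
            break
    return parts.scheme + "://" + decoded[:cut]


def phishing_indicators(url):
    """Return a list of reasons to distrust the URL (empty list = nothing found)."""
    parts = urlsplit(url)
    reasons = []
    if parts.username is not None:
        reasons.append("user-info before '@' (real host is %s)" % parts.hostname)
        if any(ord(ch) < 0x20 for ch in unquote(parts.username)):
            reasons.append("control characters in user-info (display-truncation trick)")
        if "." in parts.username:
            reasons.append("user-info looks like a domain name")
    return reasons
```

Run against SPOOF_URL, effective_host returns www.hacker.com while displayed_prefix returns the string the victim saw; the same check applied to a mail gateway or proxy would block the message rather than rely on what the browser renders.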

Anti-Phishing.org
• A Web site, www.antiphishing.org, for reporting incidents, set up by a group of global banks and technology companies, led by the secure-messaging firm Tumbleweed Communications Corp.
• Fast response required: phishing Web sites are often in place for only a day.
• Example: December 2003: a phishing e-mail appeared to come from the U.K. bank NatWest. Anti-Phishing.org tracked the IP address to a hijacked home computer in San Francisco. "The owner of the computer probably had no idea he'd been hijacked," says Dave Jevans, Tumbleweed's senior vice president of marketing.

Common Attacks on Financial Institutions like Banks through the Internet
Common attacks:
• phishing (attempts to trick account holders into giving away their account authentication details),
• fraudulent association with the bank as part of investment scams, and
• trademark violation.
Losses due to attacks: "The major banks don't want to divulge the amount of losses. But just to give one example, a major Australian bank has put several million dollars in reserve since August 2003 to cover damages due to Internet frauds." --- Dave Jevans, eWeek, December 2003

An Example: Time-to-Market for Internet Security Products
• 16 December 2003: the phishing problem described above is identified.
• 5 January 2004: Netcraft, of Bath, England, announces the development of a new anti-phishing service. Netcraft says that the service is mainly for banks and other financial organizations.

General Strategies for Security
• Continuous vigilance by monitoring and analysis
• Reduce the size of the target: disable unneeded services
• Limit the attacker's access to target systems
• Harden the OS and applications
• Use technologies which cannot be hacked easily

General Strategies for Security: Technologies
• Confidentiality: encrypting sensitive data
• Integrity: hashing, digital signatures
• Authentication: digital certificates
• Non-repudiation: signatures from a trusted digital third party

“Using encryption on the Internet is the equivalent of using an armored car to deliver credit card information from someone living in a cardboard box to someone living on a park bench.” --- Professor Eugene Spafford, Purdue University

CRYPTOGRAPHY
• Cryptography (from two Greek words, kryptós "hidden" and gráphein "writing") means secret writing.
• Cryptanalysis: breaking a cryptographic code.
• CRYPTOGRAPHY processes data into an unintelligible form:
  • reversibly or irreversibly,
  • without data loss,
  • usually preserving the size of the data (unlike compression).

Cryptography
Services provided by cryptographic tools:
• Encoding information into a form which makes it unintelligible to an unauthorized person (confidentiality)
• Integrity checking: no tampering
• Authentication: not an impostor
Figure: Encryption (enciphering): the plaintext and the key go into the encryption algorithm, which outputs the ciphertext.

Why encrypt?
A few valid reasons for (reversibly) encrypting data are:
• To prevent casual browsers from viewing sensitive data files
• To prevent accidental disclosure of sensitive data
• To prevent privileged users (e.g., system administrators) from viewing private data files
• To complicate matters for intruders who attempt to search through a system's files

Kerckhoffs's Principle
The security of an encryption scheme should depend only upon the secrecy of the key, and NOT on the secrecy of the algorithm.

Classification
• Two types of encryption algorithms: reversible and irreversible
• Two types of keys: symmetric and asymmetric

Types of Cryptographic Algorithms
• Secret key. Examples: DES, AES (Rijndael)
• Public key. Examples: RSA, Rabin, ElGamal
• Message digest (hash or cryptographic checksum). Example: SHA-256
• Message authentication codes

Reversible Encryption
Figure: the cleartext and the encryption key go into the encryption device, producing ciphertext; the decryption device takes the ciphertext and the decryption key and returns the cleartext.
Reversible encryption can be used only when the same type of encryption software/equipment is available at both ends.

Decryption
Figure: Decryption (deciphering): the ciphertext and the key go into the decryption algorithm, which outputs the plaintext.

Fingerprinting Data: Irreversible Encryption (Hash Functions)
Figure: the plaintext goes into the hash algorithm, which outputs a fixed-size hash. Question raised: can there be collisions in the output?

Cryptographic Hash Functions (H)
H: a transformation m → H(m) = h, where m is a variable-size input and h, the hash value, is a fixed-size string, also known as a message digest or fingerprint. (H is also loosely called a compression function, since it compresses an input of any length to a fixed length.)

Message Digest
Figure: variable-length message → hashing algorithm → fixed-length digest.

Uses of Hash Functions
• Integrity check, e.g. getting a document time-stamped without revealing its contents to the time-stamp service
• Authentication through digital signatures
• Generation of pseudo-random numbers, e.g. to derive several keys from a single shared secret
Typical output of a hash: 128 to 512 bits

A Cryptographic Hash Function
Properties of cryptographic hash functions:
§ One-way function, 'hard' to invert: given h, it is computationally infeasible to find some input m such that H(m) = h.
§ Collision-resistant: since the input space is far larger than the output space, a very large number of collisions exist, but it must be computationally infeasible to find one.
§ Should behave like a random mapping from the set of all possible input values to the set of possible output values.

Message Digest (MD)
• Consider an algorithm that generates outputs which are randomly distributed.
• Let the MD (output) be of n bits, so there are 2^n possible outputs.
• Since these are randomly distributed, after about 1.2 × 2^(n/2) digests have been computed, the probability is high that two of them have the same value.
• (Reference: the statistics of the birthday paradox; see the last set of slides on cryptanalysis for a statement of the paradox.)
• Thus for n = 128, a collision is expected after about 1.2 × 2^64 digests.

Definitions
WEAKLY COLLISION-FREE HASH FUNCTION (second-preimage resistance): given a message m1, it is computationally infeasible to find m2 such that
§ m1 is not equal to m2, and
§ H(m1) = H(m2).
STRONGLY COLLISION-FREE HASH FUNCTION (collision resistance): it is computationally infeasible to find any two messages m1 and m2, m1 ≠ m2, such that H(m1) = H(m2).

Hash Functions: Collision-Free
Example: consider a hash of 128 bits.
Weak: for a given hash value H(m1), each trial message m2 matches with probability 2^-128, so about 2^128 trials are needed.
Strong: two messages with the same hash value (with no constraint on either message) are expected after about 2^64 trials, by the birthday paradox, so the effective strength against collisions is only 64 bits.
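An added example, not from the slides, that makes the gap between the two bounds on the last three slides visible: SHA-256 is truncated to n bits (an n-bit "toy hash", an assumption made only so the search finishes), a collision is found with roughly 2^(n/2) digests, while a second preimage of one fixed digest is not found in a budget of that order. The input messages are constructed counter strings.

```python
"""Added example (not from the slides): the birthday bound on a truncated hash.
SHA-256 is truncated to n bits so the search is feasible; we compare the work to
find any collision (strong/collision resistance, about 1.2 * 2^(n/2) digests) with
the work to hit one fixed digest (weak/second-preimage resistance, about 2^n).
Inputs are constructed counter strings; everything runs offline."""
import hashlib


def truncated_hash(data, n_bits):
    """First n_bits of SHA-256(data) as an int: a stand-in for an n-bit hash."""
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return digest >> (256 - n_bits)


def birthday_bound(n_bits):
    """Expected number of digests before a collision is likely: 1.2 * 2^(n/2)."""
    return 1.2 * 2 ** (n_bits / 2)


def find_collision(n_bits):
    """Hash msg-0, msg-1, ... until two different messages share a digest.
    Returns (message_a, message_b, digests_computed)."""
    seen = {}
    i = 0
    while True:
        msg = b"msg-%d" % i
        h = truncated_hash(msg, n_bits)
        if h in seen:
            return seen[h], msg, i + 1
        seen[h] = msg
        i += 1


def find_second_preimage(target_msg, n_bits, limit):
    """Look for a different message with the same digest as target_msg, giving up
    after `limit` digests. Returns (message or None, digests_computed)."""
    target = truncated_hash(target_msg, n_bits)
    for i in range(limit):
        msg = b"alt-%d" % i
        if truncated_hash(msg, n_bits) == target:
            return msg, i + 1
    return None, limit
```

With n = 20 the collision search succeeds after a few thousand digests (the bound predicts about 1229), whereas the second-preimage search for a 24-bit digest is expected to need about 16 million and gives up after a budget of a few thousand. Scaling n back up to 128 gives the 2^64 versus 2^128 figures on the slide.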

Properties of Cryptographic Hash Functions (continued)
• H(m) is easy to compute.
§ The input can be of any length.
§ The output has a fixed length.
Note 1: Consider a transformation of a sequence of length n1 to a sequence of length n2, where n1 > n2. In such a case there must exist multiple input sequences that map to the same fixed-length hash value (the pigeonhole principle).

Notes on Hash Functions (continued)
In the definitions of hash functions, it is only required that 'finding x' should be computationally infeasible, even though we know that x exists.
Note 2: Computationally infeasible (CI) means that the running time of the best known algorithm grows faster than any polynomial in the size of the problem. So CI means that it may take an extremely long time to compute x even on the fastest machine of the day.

Popular Hash Functions
• Iterative functions:
  • Split the message into equal-sized blocks m1, m2, ..., mk (padding the last block)
  • Hi = h(Hi-1, mi), with H0 a fixed value; the final Hk is the hash
• MD2, MD4 and MD5, developed by Rivest. MD2 (1989): optimized for 8-bit machines; MD4 (1990) and MD5 (1991): optimized for 32-bit machines.
• MD4 and MD5 both produce a 128-bit hash value.

Popular Hash Function: MD5
• MD4:
  • Den Boer and Bosselaers (in a paper in 1991) discovered weaknesses.
  • It was cracked by Dobbertin, who devised a method to generate collisions in MD4.
• MD5 (Ref: RFC 1321) was supposed to be more secure. The probability that two random messages collide under MD5 is about 1 in 3 × 10^38 (i.e. 2^-128).
• 1994: a non-fatal flaw discovered.
• SHA-1 (Secure Hash Algorithm): produces a 160-bit hash value from a message of less than 2^64 bits.

Popular Hash Function: SHA-1
• SHA-1: designed by the NSA and standardized by NIST as part of the Capstone project (same design family as MD4/MD5, and 2 to 3 times slower than MD5). (Ref: RFC 3174 and FIPS 180-1)
• August 2004: Wang et al. reported collisions for MD4 (found by "hand calculation") and for the other members of the MD4 family: MD5, HAVAL-128 and RIPEMD. SHA-1, which shares the same design, was attacked shortly afterwards, so its use is no longer recommended.*
*Reference: Xiaoyun Wang, Dengguo Feng, Xuejia Lai and Hongbo Yu, "Collisions for Hash Functions MD4, MD5, HAVAL-128 and RIPEMD," Cryptology ePrint Archive, Report 2004/199, http://eprint.iacr.org/2004/199.pdf

Popular Hash Functions: To Be Used Today
• SHA-256, SHA-384 and SHA-512 (Ref: FIPS 180-2), designed for use with AES key sizes of 128, 192 and 256 bits. Slower than SHA-1; may take nearly as much time as encryption by AES.
• SHA-384 runs the SHA-512 computation (with different initial values) and discards the remaining bits of the output. So although it takes the same time as SHA-512, it offers less collision resistance (192 rather than 256 bits).
• Others: Snefru generates a 128-bit or 256-bit hash; HAVAL produces a 128, 160, 192, 224 or 256-bit hash.

Secret Key / Symmetric Cryptography
• Simpler and faster (than asymmetric, by a factor of roughly 1000)
• For an integrity check, a fixed-length checksum of the message may have to be used; a CRC* is not sufficient, because it is a linear function that an attacker can recompute or adjust after modifying the message.
*Cyclic Redundancy Check

Symmetric Key Encryption
Also called private/secret key encryption.
Figure: at the sender's end the message is encrypted with the shared key (Pr-key); the encrypted message crosses the Internet; at the receiver's end the same key decrypts it back to the message.

Symmetric Key Cipher Standards
• Data Encryption Standard (DES): the initial version developed by IBM; published in 1975 and a US federal standard (FIPS 46) from 1977 until 1999, when FIPS 46-3 moved to Triple DES
• Advanced Encryption Standard (AES): the proposal from two Belgian cryptographers (Daemen and Rijmen) was selected in October 2000 and declared the standard (FIPS 197) in November 2001

Theoretical Basis of DES
Claude Shannon's theories (recapitulation), 1945: introduce diffusion and confusion through cryptographic algorithms.
• Diffusion: use permutation followed by some functional transformation, so that one 'character' of ciphertext is a function of a large number of 'characters' of the plaintext.
• Thus if e is the most commonly used character in English plaintext, it may not be so in the ciphertext. In the ciphertext all characters should ideally have an equal frequency of occurrence.

Diffusion & Confusion: Recapitulation
• Diffusion: seeks to make the statistical relationship between the plaintext and the ciphertext as complex as possible; diffuses the structure of the plaintext over a large part of the ciphertext.
• Confusion: makes the relationship between the statistics of the ciphertext and the encryption key as complex as possible. Achieved by using a complex substitution algorithm.

Substitution and Permutation
Substitution or permutation alone is easy to break by statistical analysis. For every language the frequencies of characters, digrams (two-letter sequences) and trigrams are known, and statistical analysis is used to decipher encrypted information.
• English: e is the character with the highest frequency
• C source: #define and #include at the beginning
• Protocols and tcpdump output: repetitive, fixed-size fields

Kerckhoffs's Rule
The strength of an encryption algorithm depends upon:
1. Design of the algorithm
2. Key length
3. Secrecy of the key (requires proper management of key distribution)
1883: Jean Guillaume Hubert Victor François Alexandre Auguste Kerckhoffs von Nieuwenhof: "Cryptosystems should rely on the secrecy of the key, but not of the algorithm."
Advantages of openness: in 1994 a hacker published the source code of RC4, a secret encryption algorithm designed by RSA Data Security Inc.; the public analysis that followed exposed several weaknesses of RC4.

Types of Cipher Algorithms
• Stream cipher: encrypts data bit by bit (or byte by byte)
• Block cipher: encrypts a fixed-size block of data at a time
Block ciphers:
• A fully general substitution table mapping 64-bit plaintext blocks to 64-bit ciphertext blocks would need 2^64 entries, about 150 million terabytes.
• For a block size of 128 bits, the table would require about 5 × 10^39 bytes.

DES Encryption
DES is a public standard, but its design criteria (in particular for the S-boxes) were not published.
The 64-bit plaintext goes through:
• an Initial Permutation (IP);
• 16 rounds of a complex function f:
  • Round 1 with sub-key K1,
  • Round 2 with sub-key K2,
  • ...
  • Round 16 with sub-key K16;
  every round ends with a swap of the left half and the right half;
• an Inverse Initial Permutation (IP^-1) to produce the 64-bit ciphertext.

DES Round
x: block of plaintext
• let x0 = IP(x) = L0 : R0
• 16 rounds with f, the cipher function, and Ki, the sub-key for the i-th round:
  for 1 ≤ i ≤ 16, xi = Li : Ri, where
  Li = Ri-1
  Ri = Li-1 ⊕ f(Ri-1, Ki)

Function n n n Expansion permutation to get 48 bits from 32 bits of

Function n n n Expansion permutation to get 48 bits from 32 bits of Ri : each input block of 4 bits contributes 2 bits to each output block Avalanche Effect: A small difference in plaintext causes quite different ciphertext E(Ri-1) Ki S-boxes for converting 48 bits to 32 bits output: Non-linear; provide major part of the strength of the cipher Straight permutation XOR with left half Switch the left half and the right half 42

Key Schedule Algorithm
• Each sub-key Ki: 48 bits, obtained from the 56-bit key K
• Fixed permutation: PC1(K) = C0 : D0
• A left circular shift (of 1 or 2 bits) on the left half (C0) and the right half (D0) separately (output: C1 of 28 bits and D1 of 28 bits); the shift is 2 bits for rounds 3-8 and 10-15, and 1 bit for rounds 1, 2, 9 and 16
• Compression permutation PC2 to get the 48-bit key Ki from Ci : Di
• Round-dependent left shifts of different parts of the initial key create each sub-key

Sub-Key Generation
The input key: 56 bits.
Hardware design: in the 64-bit key, the 8th, 16th, 24th, 32nd, 40th, 48th, 56th and 64th bits are always odd-parity bits.
Software design: the key is stated in ASCII code, each character 8 bits, with the first bit zero plus 7 bits of code. (!)
Since DES was designed with hardware implementation in mind, the conversion to 56 bits is done by neglecting every 8th bit: PC1 drops them and permutes the remaining 56 bits.

Key Schedule
K: 64-bit key
• C0 : D0 = PC1(K), the 56-bit key
• 16 steps, for i = 1 to 16: a left circular shift (of 1 or 2 bits) on the left half (Ci-1) and the right half (Di-1) separately (output: Ci of 28 bits and Di of 28 bits)
• 16 sub-keys, for i = 1 to 16: Ki = PC2(Ci : Di), 48 bits each

PC1: Obtaining C0 and D0
PC1 generates C0 and D0, the left and the right halves respectively, from the 64-bit key written as 8 rows of 8 bits.
C0: read the first column of the input 64-bit key from the bottom up; write it row-wise from left to right. Repeat for the second, the third and the lower half of the fourth column respectively.
D0: read the seventh column of the input 64-bit key from the bottom up; write it row-wise from left to right. Repeat for the sixth, the fifth and the upper half of the fourth column respectively.
(The eighth column, the parity bits, is not used.)
Probably the split into two halves was done due to the hardware limitations of the seventies.

Sub-Key Generation (continued)
Thus DES has a 56-bit key K consisting of C0 and D0. All the sub-keys K1 to K16 are of 48 bits. To generate these keys, K goes through
• a Permuted Choice (PC-1) (output: C0 of 28 bits and D0 of 28 bits);
• a left circular shift (of 1 or 2 bits) on the left half (C0) and the right half (D0) separately (output: C1 of 28 bits and D1 of 28 bits), followed by a Permuted Choice (PC-2), which permutes as well as 'contracts' to produce the sub-key K1 of 48 bits.

Sub-Key Generation (continued)
• A left circular shift (of 1 or 2 bits) on the left half (C1) and the right half (D1) separately (output: C2 of 28 bits and D2 of 28 bits), followed by PC-2, which permutes as well as 'contracts' to produce the sub-key K2 of 48 bits.
• ...
• A left circular shift (of 1 or 2 bits) on the left half (C15) and the right half (D15) separately (output: C16 of 28 bits and D16 of 28 bits), followed by PC-2, which permutes as well as 'contracts' to produce the sub-key K16 of 48 bits.

Key Schedule
• KA = PC1(K)
• KB1 = LS-j(KA); LS-j is a left circular shift by j bits, applied to the two halves of the 56 bits separately. j is given by Table 5.
• KB2 = LS-j(KB1)
• KB3 = LS-j(KB2)
• ...
• KBi = LS-j(KBi-1)
• ...
• KB16 = LS-j(KB15)
• Ki = PC2(KBi)

i-th Round
The highlighted part of the previous slide shows the sub-key generation. After PC1, the circular rotations are independent for the left half and the right half.
ENCRYPTION: in the i-th round,
Li = Ri-1
Ri = Li-1 ⊕ F(Ri-1, Ki) = Li-1 ⊕ P(S(E(Ri-1) ⊕ Ki))
where E: expansion from 32 bits to 48; S: eight S-boxes converting 48 bits to 32 bits, each S-box converting 6 bits to 4 bits; P: permutation.

Expansion-Permutation (E/P)
In figure 2, the E-table generates the 48-bit output from the 32-bit input by expansion-permutation, using table T6. Each row below is one 6-bit output block; the entries are the positions (1 to 32) of the input bits taken, so the first and last bit of every row are borrowed from the neighbouring blocks.
Table T6: E/P
32  1  2  3  4  5
 4  5  6  7  8  9
 8  9 10 11 12 13
12 13 14 15 16 17
16 17 18 19 20 21
20 21 22 23 24 25
24 25 26 27 28 29
28 29 30 31 32  1

DES Decryption
Decryption uses the same algorithm as encryption, except that the order of the sub-keys is reversed:
• in the first round of decryption, sub-key K16 is used;
• ...
• in the 16th round of decryption, sub-key K1 is used.

Decryption Relations
ENCRYPTION (from the i-th Round slide):
Li = Ri-1
Ri = Li-1 ⊕ F(Ri-1, Ki) = Li-1 ⊕ P(S(E(Ri-1) ⊕ Ki))
Rewriting, the DECRYPTION relations are:
Ri-1 = Li
Li-1 = Ri ⊕ F(Ri-1, Ki)
On substituting the value of Ri-1 from the first decryption relation,
Li-1 = Ri ⊕ F(Li, Ki)

Decryption Process
• First: IP on the ciphertext undoes the final IP^-1 step of encryption
• 16 rounds: the first round, with sub-key K16, undoes the 16th round of encryption; ... ; the sixteenth round, with sub-key K1, undoes the 1st encryption round
• Last: IP^-1 undoes the initial encryption IP

AES
• AES: designed by Joan Daemen and Vincent Rijmen
• Initially known as the Rijndael cipher

Rijndael Cipher
Three steps:
• initial XOR of the block with the first sub-key
• 9/11/13 rounds (for 128/192/256-bit keys) in which the state undergoes:
  • byte substitution (the same S-box used on every byte)
  • shift rows (rotate the bytes of each row across the columns)
  • mix columns (substitution by a matrix multiplication on each column)
  • add round key (XOR the state with a separate sub-key for each round)
• an incomplete last (i.e. 10th/12th/14th) round, without the mix columns operation

Rijndael Cipher (continued)
• The Rijndael cipher has a variable block length and key length: keys of 128, 192 or 256 bits encrypt blocks of 128, 192 or 256 bits (all nine combinations of key length and block length are possible). Both block length and key length can be extended very easily in multiples of 32 bits. (The AES standard, FIPS 197, fixes the block length at 128 bits and allows only the three key lengths.)
• Rijndael can be implemented efficiently on a wide range of processors and in hardware.
• All operations can be combined into XORs and table lookups, hence very fast and efficient.

Rijndael Cipher (continued)
• For a 128-bit block: the data is processed as 4 groups of 4 bytes each. Each group is shown as a column in a matrix of four columns; each column has 4 rows, and each cell of the 4 × 4 matrix contains one byte.
• The output of every round is a new state of 128 bits, or 4 columns of 4 bytes each.
• The ciphertext is the final output generated by the cipher.

Steps of a Round Function
• Round function: uniform and parallel, composed of 4 steps (except for the incomplete last round, without MixColumn)
• Each step has its own particular function:
  • ByteSub: non-linearity
  • ShiftRow: inter-column diffusion
  • MixColumn: inter-byte diffusion within columns
  • Round key addition
• The figure (not reproduced here) shows both the encryption and the decryption processes; the STATE at corresponding levels of encryption and decryption is the same.

Pseudo Code for Encryption
For the earlier rounds:
  Round(State, RoundKey) {
    ByteSub(State);
    ShiftRow(State);
    MixColumn(State);
    AddRoundKey(State, RoundKey);
  }
For the last round it is a little different:
  FinalRound(State, RoundKey) {
    ByteSub(State);
    ShiftRow(State);
    AddRoundKey(State, RoundKey);
  }


Three Steps of Decryption
• initial XOR of the ciphertext with the last sub-key
• 9/11/13 rounds in which the state undergoes:
  • inverse byte substitution (the same inverse S-box used on every byte)
  • inverse shift rows (rotate the bytes of each row back)
  • inverse mix columns (matrix multiplication by the inverse matrix on each column)
  • add round key (XOR the state with the sub-keys, taken in reverse order)
• an incomplete last (i.e. 10th/12th/14th) round, without the inverse mix columns operation
Note: this ordering, with AddRoundKey after InvMixColumn, is the "equivalent inverse cipher" of FIPS 197; it is correct only if InvMixColumn is also applied to the round keys of the middle rounds. The straightforward inverse simply undoes the encryption steps in reverse order: AddRoundKey, InvMixColumn, InvShiftRow, InvByteSub.

Pseudo Code for Decryption
For the earlier rounds:
  InvRound(State, RoundKey) {
    InvByteSub(State);
    InvShiftRow(State);
    InvMixColumn(State);
    AddRoundKey(State, RoundKey);
  }
For the last round it is a little different:
  InvFinalRound(State, RoundKey) {
    InvByteSub(State);
    InvShiftRow(State);
    AddRoundKey(State, RoundKey);
  }
(With this ordering the RoundKey of each middle round must first be transformed by InvMixColumn, as in the equivalent inverse cipher of FIPS 197.)
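AES-128 assembled from the four transformations of the preceding slides, as an added example that is not part of the deck: the S-box is generated from the GF(2^8) inverse and affine map instead of being typed in, the key schedule produces the eleven round keys, encryption follows the Round/FinalRound pseudo code, and decryption undoes the steps in reverse order (the straightforward inverse, not the equivalent inverse cipher). The test vector is the one in FIPS 197 Appendix C.1.

```python
"""Added example (not from the slides): AES-128 written one transformation at a time,
following the round structure of the slides and the tables of FIPS 197: an initial
AddRoundKey, nine rounds of SubBytes, ShiftRows, MixColumns, AddRoundKey, and a final
round without MixColumns. Decryption undoes the steps in reverse order; the S-box is
generated rather than typed in. Checked against the FIPS 197 Appendix C.1 vector."""


def gmul(a, b):
    """Multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (0x11B)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def _build_sbox():
    """S-box = affine transform of the multiplicative inverse in GF(2^8)."""
    inv = [0] * 256
    for x in range(1, 256):
        if not inv[x]:
            y = next(y for y in range(1, 256) if gmul(x, y) == 1)
            inv[x], inv[y] = y, x
    sbox = []
    for x in range(256):
        v = s = inv[x]
        for _ in range(4):
            v = ((v << 1) | (v >> 7)) & 0xFF      # rotate left by one bit
            s ^= v
        sbox.append(s ^ 0x63)
    return sbox


SBOX = _build_sbox()
INV_SBOX = [SBOX.index(i) for i in range(256)]
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]
MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]
INV_MIX = [[14, 11, 13, 9], [9, 14, 11, 13], [13, 9, 14, 11], [11, 13, 9, 14]]


def expand_key(key):
    """AES-128 key schedule: 44 words -> 11 round keys of 16 bytes each."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    for i in range(4, 44):
        t = w[i - 1][:]
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]     # RotWord then SubWord
            t[0] ^= RCON[i // 4 - 1]
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]


# The state is kept column-major as on the slides: byte index = row + 4 * column.
def add_round_key(s, k):
    return [a ^ b for a, b in zip(s, k)]


def sub_bytes(s, box=SBOX):
    return [box[b] for b in s]


def shift_rows(s, inverse=False):
    """Row r is rotated left by r positions (right for the inverse)."""
    d = -1 if inverse else 1
    return [s[r + 4 * ((c + d * r) % 4)] for c in range(4) for r in range(4)]


def mix_columns(s, m=MIX):
    """Each column is multiplied by a fixed matrix over GF(2^8)."""
    out = []
    for c in range(4):
        col = s[4 * c:4 * c + 4]
        for r in range(4):
            v = 0
            for i in range(4):
                v ^= gmul(m[r][i], col[i])
            out.append(v)
    return out


def aes128_encrypt_block(key, block):
    rk = expand_key(key)
    s = add_round_key(list(block), rk[0])                     # initial XOR
    for r in range(1, 10):                                    # nine full rounds
        s = add_round_key(mix_columns(shift_rows(sub_bytes(s))), rk[r])
    s = add_round_key(shift_rows(sub_bytes(s)), rk[10])       # last round: no MixColumns
    return bytes(s)


def aes128_decrypt_block(key, block):
    rk = expand_key(key)
    s = sub_bytes(shift_rows(add_round_key(list(block), rk[10]), True), INV_SBOX)
    for r in range(9, 0, -1):
        s = sub_bytes(shift_rows(mix_columns(add_round_key(s, rk[r]), INV_MIX), True), INV_SBOX)
    return bytes(add_round_key(s, rk[0]))


def bit_difference(a, b):
    """Avalanche check: number of differing bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))
```

This is a single-block primitive for study only: a real deployment needs a mode of operation, and the table lookups here are not constant-time, which is exactly the class of side channel that production AES code (AES-NI, bitsliced implementations) is written to avoid.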

Public Key / Asymmetric Cryptography
• Invented in 1976 by Whitfield Diffie and Martin Hellman
• Two keys: private (d) and public (e); both are mathematically related
REQUIREMENTS: it must be computationally infeasible
• to derive one key from the other;
• to find the private key by a chosen-plaintext attack.
• Much slower (about 1000 times) than secret-key cryptography

Public-Key Cryptography (continued)
• A public-key cryptography system requires a trusted system for distributing public keys.
• The RSA (Rivest, Shamir and Adleman) algorithm is the best-known public-key system.
APPLICATIONS
• A digital signature system to authenticate that a message is really from whom it purports to be from
• Pretty Good Privacy (PGP), an e-mail system, uses the public-key system for security.


Asymmetric / Public Key Encryption
Figure: A encrypts the message with B's public key; the encrypted message crosses the Internet; B decrypts it with B's private key.

Public-Key Cryptography (continued)
Figure: data transmission with the private key (d) and the public key (e).

Public-Key Cryptography (continued)
Applications and advantages:
• Storage: for safety, encrypt with the public key of a trusted person
• Secret-key vs. public-key system:
  • a secret-key system needs a secret key for every pair of persons that wish to communicate: n users need n(n-1)/2 keys
  • a public-key system needs two keys for every person who wants to communicate: n users need 2n keys

Digital Certificate for Getting a Public Key Reliably
• A digital certificate from a trusted party may contain:
  • the name of a person
  • his e-mail address
  • his public key
• The recipient of the certificate verifies the Certification Authority's signature on it using the public key of the CA.
• Examples of CAs: www.verisign.com or www.thawte.com (VeriSign's liability limited to $100 only!)
• Standard for certificates: X.509

Digital Signatures
A is to sign a message Msg and send it to B.
At A: Msg → message digest algorithm → Digest; the digest is encoded using the private key of A; A sends Msg + encoded digest.
At B: decode the digest using the public key of A; run the message digest algorithm over the received Msg; compare the two digests.

Key Management Issues
• Distribution of keys, for both the symmetric and the asymmetric case, is a challenge when the two communicating parties are located at a distance.
• Certifying authorities, as mentioned earlier, help. But in view of the very limited liability that the certifying authorities are ready to shoulder, it is not a complete solution.

Message/Data Encryption
Combines conventional and public-key encryption (sender's side).
Figure: a session key encrypts the data (→ encrypted data); the recipient's public key encrypts the session key (→ encrypted session key). Both are sent.

Message/Data Encryption
Combines conventional and public-key encryption (recipient's side).
Figure: the recipient's private key decrypts the encrypted session key (→ session key); the session key decrypts the encrypted data.
Public-key encryption provides a secure channel to exchange symmetric encryption keys.
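The digital-signature flow (digest, encode with the private key, decode with the public key, compare) and the hybrid scheme of the last two slides (session key wrapped with the recipient's public key), as one added example that is not part of the deck. It uses textbook RSA with keys generated in the script; the key size, the absence of padding and the SHA-256 counter keystream standing in for the symmetric cipher are simplifications for illustration, not something to deploy.

```python
"""Added example (not from the slides): textbook RSA key generation, a hash-then-sign
digital signature, and the hybrid scheme where a random session key is wrapped with
the recipient's public key. Key sizes, the missing padding and the 'symmetric cipher'
(a SHA-256 counter keystream standing in for AES, which the standard library lacks)
are for illustration only."""
import hashlib
import random


def is_probable_prime(n, rounds=20, rng=random):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def modinv(a, m):
    """Extended Euclid: x with a*x = 1 (mod m)."""
    r0, r1, x0, x1 = m, a % m, 0, 1
    while r1:
        q = r0 // r1
        r0, r1, x0, x1 = r1, r0 - q * r1, x1, x0 - q * x1
    return x0 % m


def _random_prime(bits, rng):
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # full size and odd
        if is_probable_prime(candidate, rng=rng):
            return candidate


def generate_keypair(bits=256, seed=1):
    """Return ((n, e), (n, d)); seeded so the example is repeatable."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p, q = _random_prime(bits, rng), _random_prime(bits, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:                        # gcd(e, phi) == 1 since e is prime
            return (p * q, e), (p * q, modinv(e, phi))


def sign(private_key, message):
    """Digest the message, then 'encode' the digest with the private exponent d."""
    n, d = private_key
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(digest, d, n)


def verify(public_key, message, signature):
    """Recover the digest with e and compare it with a freshly computed digest."""
    n, e = public_key
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(signature, e, n) == digest


def keystream_xor(session_key, data):
    """Toy symmetric cipher: XOR with SHA-256(key || counter) blocks. Stand-in only."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(session_key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def hybrid_encrypt(recipient_public_key, data, session_key):
    """Encrypt the data with the 16-byte session key; wrap the key with the public key."""
    n, e = recipient_public_key
    wrapped = pow(int.from_bytes(session_key, "big"), e, n)
    return wrapped, keystream_xor(session_key, data)


def hybrid_decrypt(recipient_private_key, wrapped, ciphertext):
    n, d = recipient_private_key
    session_key = pow(wrapped, d, n).to_bytes(16, "big")
    return keystream_xor(session_key, ciphertext)
```

The asymmetric operation runs once per message on 16 bytes and the fast symmetric cipher on everything else, which is the point of the two slides; in practice the session key is wrapped with RSA-OAEP (or agreed with Diffie-Hellman) and the signature uses a padded digest, since raw RSA as above is malleable.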

Message Authentication Codes
MAC: a sort of hash function which uses a key.
• m: message (can be of any size)
• K: fixed-size symmetric key known only to the sender and the receiver
• MAC: of fixed size
Figure: m and the key go into the MAC function, which outputs the MAC.

MACs for Integrity
A message authentication code adds a password/key to a hash of the data.
Figure: message and password/key → MAC function → MAC.
Only the password holder(s) can generate (and verify) the MAC.

MAC (continued)
• A MAC function (also called a cryptographic checksum)
  • need not be reversible;
  • is a many-to-one function.
• A MAC provides authentication and integrity.
• If one more symmetric key is used, confidentiality can be provided as well. This separates the authentication and confidentiality functionalities.

MAC (continued)
• Separation of authentication and confidentiality: this may be required in a system wherein authentication is done at the application layer, whereas confidentiality is required at a lower layer (like the transport layer). Or the recipient organisation may check authentication at the entry system, while confidentiality is required up to the final host within the recipient organization.
• A MAC does not provide signatures, since both parties hold the same key:
  • the recipient can forge the message;
  • the sender can repudiate it.

HMAC: Keyed-Hashing for Message Authentication (slide 79)
HMAC: an algorithm which uses a keyless hash function and a cryptographic key to build a MAC.
Advantages: hash functions are faster than block ciphers; (historically) no export controls applied to keyless hash functions.
- H: a keyless hash function; input processed in blocks of b bytes; output a hash of l bytes
- K: key no longer than b bytes (a longer key is first hashed with H to l bytes)
- K': K padded with zero bytes, if required, so that K' becomes b bytes long

HMAC (continued) (slide 80)
- ipad: a sequence of b bytes obtained by repeating the byte 0011 0110 (0x36)
- opad: a sequence of b bytes obtained by repeating the byte 0101 1100 (0x5C)
Definition of the HMAC-H function with key K and message m:
  HMAC_K(m) = H( (K' XOR opad) || H( (K' XOR ipad) || m ) )
where || denotes concatenation.
References:
1. M. Bellare, R. Canetti and H. Krawczyk, "Keying Hash Functions for Message Authentication," Advances in Cryptology - Proceedings of CRYPTO '96, pp. 1-15 (1996)
2. H. Krawczyk, M. Bellare and R. Canetti, "HMAC: Keyed-Hashing for Message Authentication," RFC 2104, Feb 1997
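As an added worked example (not from the original slides), the definition above computed directly from a keyless hash with Python's hashlib, including the RFC 2104 rule for keys longer than one block, and cross-checked against the standard library's hmac module. The hash names, keys and messages are the example's own choices; the only external value is RFC 4231 test case 1 (key 0x0b repeated 20 times, data "Hi There").

```python
import hashlib
import hmac

IPAD_BYTE = 0x36  # 0011 0110, repeated to fill one hash input block
OPAD_BYTE = 0x5C  # 0101 1100, repeated to fill one hash input block


def hmac_from_definition(key: bytes, message: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC_K(m) = H((K' XOR opad) || H((K' XOR ipad) || m)), built from the keyless hash H."""
    b = hashlib.new(hash_name).block_size  # b = 64 bytes for MD5, SHA-1 and SHA-256
    if len(key) > b:
        # RFC 2104: a key longer than one block is first hashed down to l bytes
        key = hashlib.new(hash_name, key).digest()
    k_prime = key + b"\x00" * (b - len(key))  # K': K zero-padded to b bytes
    k_ipad = bytes(k ^ IPAD_BYTE for k in k_prime)  # K' XOR ipad
    k_opad = bytes(k ^ OPAD_BYTE for k in k_prime)  # K' XOR opad
    inner = hashlib.new(hash_name, k_ipad + message).digest()  # H((K' XOR ipad) || m)
    return hashlib.new(hash_name, k_opad + inner).digest()  # H((K' XOR opad) || inner)


def verify(key: bytes, message: bytes, tag: bytes, hash_name: str = "sha256") -> bool:
    """Recompute the MAC and compare in constant time; a plain == would leak timing."""
    return hmac.compare_digest(hmac_from_definition(key, message, hash_name), tag)


def matches_stdlib(key: bytes, message: bytes, hash_name: str) -> bool:
    """Cross-check against Python's hmac module, an independent RFC 2104 implementation."""
    return hmac_from_definition(key, message, hash_name) == hmac.new(key, message, hash_name).digest()


if __name__ == "__main__":
    # RFC 4231 test case 1: key = 0x0b * 20, data = "Hi There"
    print(hmac_from_definition(b"\x0b" * 20, b"Hi There").hex())
    print(matches_stdlib(b"x" * 200, b"long key forces the pre-hash step", "sha256"))
```

The two nested hash calls are what distinguish HMAC from the naive H(K || m); the outer call with the opad key is what makes the construction safe to use with iterated hashes such as MD5 and the SHA family.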

Function for MAC (slide 81)
- HMAC:
  - MD5 or an SHA function may be used (MD5 and SHA-1 are no longer recommended for new designs).
  - Recommendation for 128-bit security: SHA-256.
- A MAC may also be obtained by using a block cipher in CBC mode and throwing away all ciphertext blocks except the last one. This is called CBC-MAC (CBC: cipher block chaining mode).
  - If it is used, the key for encryption and the key for message authentication must be different.
  - Secondly, it is slower than HMAC.
  - Plain CBC-MAC is secure only for messages of one fixed, agreed length; for variable-length messages a variant such as CMAC is needed.

Authentication issues (slide 82)
- If only the message between Alice and Bob is authenticated:
  - Eve could store the message and send it again later (replay);
  - or Eve could send the message from Alice back to Alice at some later time, spoofing it as a message from Bob (reflection).
- To avoid this, additional data d (message number, sender address, receiver address, etc.) may be concatenated with m before creating the MAC.
- If a time-synchronisation protocol is used by both the sender and the receiver, the time (seconds after midnight at Greenwich) may also be used.
- Alternatively a random number, called a nonce, may be used for the purpose.

Authentication issues (continued) (slide 83)
- Further problem: the version problem. A newer message format may have larger or additional fields. Example: Alice sends the older version. Eve adds data to make it look to Bob as if Alice had sent the new version. So the version number also has to be added to d.
- RULE: Authenticate at a higher layer only.
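An added worked example (not part of the slides) of the countermeasure described on slides 82 and 83: d = (sender, receiver, message number, version) is authenticated together with m, and the receiver rejects a replayed message, a message reflected back to its own sender, and a message whose version or body was edited. The shared key, the names and the message contents are constructed for the example, and the length-prefixed encoding of the fields is the example's own choice; the slides only say that d is concatenated with m.

```python
import hashlib
import hmac
import struct

# Constructed for the example: one symmetric key shared by Alice and Bob.
KEY = b"shared-secret-between-alice-and-bob"
ALICE, BOB = b"alice", b"bob"


def encode(*fields: bytes) -> bytes:
    """Length-prefix every field before concatenating, so the boundary between d and m
    is unambiguous: b"ab"+b"c" and b"a"+b"bc" must not produce the same MAC input."""
    return b"".join(struct.pack(">I", len(f)) + f for f in fields)


def build(key: bytes, sender: bytes, receiver: bytes, seq: int, version: int, body: bytes) -> dict:
    """Authenticate d = (sender, receiver, message number, version) together with m = body."""
    mac_input = encode(sender, receiver, struct.pack(">Q", seq), struct.pack(">I", version), body)
    tag = hmac.new(key, mac_input, hashlib.sha256).digest()
    return {"from": sender, "to": receiver, "seq": seq, "ver": version, "body": body, "tag": tag}


class Endpoint:
    """One party; keeps the highest message number accepted from its peer."""

    def __init__(self, key: bytes, me: bytes, peer: bytes):
        self.key, self.me, self.peer = key, me, peer
        self.highest_seq_seen = -1
        self.seq_out = 0

    def send(self, body: bytes, version: int = 2) -> dict:
        self.seq_out += 1
        return build(self.key, self.me, self.peer, self.seq_out, version, body)

    def accept(self, msg: dict):
        expected = build(self.key, msg["from"], msg["to"], msg["seq"], msg["ver"], msg["body"])["tag"]
        if not hmac.compare_digest(expected, msg["tag"]):
            return False, "bad mac"  # forged, or header/body edited after MAC computation
        if msg["to"] != self.me or msg["from"] != self.peer:
            return False, "not addressed from peer to me"  # reflection of my own message
        if msg["seq"] <= self.highest_seq_seen:
            return False, "replay"  # message number already seen
        self.highest_seq_seen = msg["seq"]
        return True, "ok"


def demo() -> dict:
    alice, bob = Endpoint(KEY, ALICE, BOB), Endpoint(KEY, BOB, ALICE)
    m1 = alice.send(b"pay 100 to carol")
    results = {"fresh": bob.accept(m1)}
    results["replay"] = bob.accept(m1)  # Eve stored m1 and sends it to Bob again
    results["reflection"] = alice.accept(m1)  # Eve sends Alice's own message back to Alice
    tampered = dict(m1, ver=3, body=m1["body"] + b"; also pay 900 to eve")
    results["tampered"] = bob.accept(tampered)  # Eve "upgrades" the version and appends data
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:10s} -> {outcome}")
```

Because both directions share one key, the direction (sender, receiver) has to be inside the MAC input; otherwise the reflected message would carry a valid tag and only the outer header would betray it. A timestamp or a nonce could replace the message number as the freshness element, as the slide says, but the receiver then needs a clock or a record of recent nonces instead of a counter.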

Cryptanalysis (continued) (slide 84)
Cryptanalysis tries to locate the structures and patterns of the plaintext in the ciphertext. No practical cipher can completely eliminate the patterns and structures of the plaintext from the ciphertext.
A polyalphabetic cipher where the substitution differs from character to character in response to a key which is
- as long as the message, and
- truly random
(the one-time pad) can eliminate such patterns. But the key? It must be as long as the message and delivered secretly, which is the very problem encryption was meant to solve.

Cryptanalysis Methods: Finding the Key (slide 85)
Assumption: the attacker always knows the ciphertext and the encryption algorithm; only the key is secret.
The more information is available to the attacker, the easier the analysis for finding the key.
TYPES OF ATTACKS, by the amount of information available to the attacker:
1. Ciphertext only (analysis for the key: most difficult)
2. Known plaintext-ciphertext pairs
3. Chosen plaintext (the attacker picks plaintexts and obtains their ciphertexts)
4. Chosen ciphertext (the attacker picks ciphertexts and obtains their plaintexts)
5. Chosen text (both 3 and 4) (analysis for the key: easiest)

Two Definitions (slide 86)
- UNCONDITIONALLY SECURE: an encryption algorithm for which no amount of ciphertext makes it possible to determine the corresponding plaintext uniquely, however much computing power is available. Apart from the one-time pad, no such algorithm is available.
- COMPUTATIONALLY SECURE: an encryption algorithm is said to be computationally secure if
  - the cost of breaking the cipher is more than the intrinsic value of the information, or
  - the time required to break the cipher is more than the time over which the information is required to be confidential.

Exhaustive Key Search (slide 87)

Key size                   Number of possible keys      Average time at 1 decryption per microsecond
32 bits                    2^32  = 4.3 x 10^9           2^31 us      = 35.8 minutes
56 bits                    2^56  = 7.2 x 10^16          2^55 us      = 1142 years
128 bits                   2^128 = 3.4 x 10^38          2^127 us     = 5.4 x 10^24 years
26 characters (permutation) 26!  = 4 x 10^26            2 x 10^26 us = 6.4 x 10^12 years

On average half of the key space has to be tried before the right key is found, hence 2^(n-1) decryptions for an n-bit key.

Large numbers and computational security, as worked out by Dr Lawrie Brown (slide 88)
- It can be shown from energy-consumption considerations that the maximum number of possible elementary operations in 1000 years is about 3 x 10^48.
- Similarly, if 10 atoms are needed to store one bit of information, the greatest possible number of bits storable in a volume the size of the moon is 10^45.
- If deciphering a cipher requires more than 3 x 10^48 operations, or more than 10^45 bits of storage, it is reasonable to call it computationally secure.
Reference: notes of Dr Lawrie Brown, Australian Defence Force Academy, available at http://www.williamstallings.com/Crypto3e.html

Exhaustive Key Search (continued) (slide 89)
A calculation in 1995 showed that:
- a 56-bit key can be broken in 1 week with 120,000 processors ($6.7 M);
- a 56-bit key can be broken in 1 month with 28,000 processors ($1.6 M);
- a 64-bit key can be broken in 1 week with 3.1 x 10^7 processors ($1.7 B);
- a 128-bit key would need 5.6 x 10^26 processors to be broken in 1 week.

Brute Force Cryptanalysis (slide 90)
- 1999: 56-bit (DES) key broken in 22 h 15 min with about 1,800 custom chips (a $250,000 machine testing about 245 x 10^9 keys/s, i.e. about 4.08 picoseconds per key; see eff.org), helped by distributed.net.
- 1998: 56-bit key broken on dedicated hardware in a few days.
- 1997: 56-bit key broken by using a large number of machines in parallel on the Internet, in a few months.

Birthday paradox (slide 91)
A result from probability theory: consider an element that has an equal probability of assuming any one of N values. The probability of a collision (two draws giving the same value) exceeds 50% after choosing about 1.2 sqrt(N) values.
Random input -> function -> one of k equally likely outputs: the same output can be expected after about 1.2 k^(1/2) inputs.
Thus in a group of 23 people, two or more are likely to share a birthday (put k = 365: 1.2 x sqrt(365) is about 23).
Birthday attacks are used to find collisions of hash functions: for an n-bit hash, about 2^(n/2) evaluations suffice.

Birthday Bound (slide 92)
- A 64-bit key has 2^64 = 1.8 x 10^19 different key values, but 2^32 is only 4.3 x 10^9.
- A key is selected at random for each transaction. So after seeing about 1.2 x 2^32 transactions, an attacker can expect the same key to have been used twice.
- For an n-bit case, 2^(n/2) is called the birthday bound.
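An added worked example (not from the slides) for slides 91 and 92: the exact collision probability behind the "23 people" claim, the 1.2 sqrt(N) bound applied to the 64-bit key of slide 92, and a birthday attack that finds a collision in SHA-256 truncated to n bits. Truncating SHA-256 is the example's way of obtaining a deliberately weak n-bit hash; the "message-<i>" inputs are constructed.

```python
import hashlib
import math


def collision_probability(N: int, k: int) -> float:
    """Exact probability that k values drawn uniformly from N possibilities collide
    at least once: 1 - (N/N) * ((N-1)/N) * ... * ((N-k+1)/N)."""
    p_no_collision = 1.0
    for i in range(k):
        p_no_collision *= (N - i) / N
    return 1.0 - p_no_collision


def birthday_bound(N: int) -> float:
    """Number of draws after which a collision is more likely than not: about 1.2 * sqrt(N)."""
    return 1.2 * math.sqrt(N)


def truncated_hash(message: bytes, n_bits: int) -> int:
    """SHA-256 cut down to its leading n_bits bits, standing in for a weak n-bit hash."""
    digest = hashlib.sha256(message).digest()
    return int.from_bytes(digest, "big") >> (256 - n_bits)


def find_collision(n_bits: int):
    """Birthday attack: hash distinct messages and remember every output until one repeats.
    Returns (first message, second message, number of hashes computed); expect ~2^(n/2)."""
    seen = {}
    trials = 0
    while True:
        msg = b"message-%d" % trials  # constructed inputs; any distinct messages would do
        h = truncated_hash(msg, n_bits)
        trials += 1
        if h in seen:
            return seen[h], msg, trials
        seen[h] = msg


if __name__ == "__main__":
    print("P(shared birthday among 23):", round(collision_probability(365, 23), 4))
    print("birthday bound for N = 365:", round(birthday_bound(365), 1))
    print("birthday bound for 2^64 keys:", f"{birthday_bound(2 ** 64):.3g}")
    m1, m2, trials = find_collision(32)
    print(f"32-bit collision after {trials} hashes (bound {birthday_bound(2 ** 32):.0f}):", m1, m2)
```

The dictionary of seen outputs is what costs memory: a real 2^(n/2) attack on a full-width hash needs either that much storage or a cycle-finding method such as Floyd's or Brent's algorithm, which trades the table for a few more hash computations.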

Example of a Birthday Attack (slide 93)
Assume:
- a 64-bit key, chosen at random for each message;
- the first statement in a message is always the same;
- encryption is deterministic, so the same key and the same first statement always give the same first ciphertext block.
The attacker:
- listens to and stores all encrypted messages;
- when the FIRST encrypted sentence of a new message turns out to be the same as that of a stored message (the same key is in use), he replaces the rest of the new message by the rest of the old message from his store.
By the birthday paradox, this is likely to happen after about 2^32 transactions.

Example of a "Meet in the Middle" Attack (slide 94)
- Generate 2^32 keys and store, for each key, the encryption of the (known, fixed) first sentence.
- Compare the first sentence of every encrypted message on the net with the stored ciphertexts (a table lookup).
- On getting a match, the attacker knows the key of that message. So he can now replace the remaining message by whatever he wants.
With 2^32 stored keys out of 2^64, roughly one message in 2^32 hits the table, so after about 2^32 observed messages a key is recovered: 2^32 precomputation plus 2^32 observations instead of 2^64.
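An added worked example (not from the slides) that runs both attacks of slides 93 and 94 end to end, scaled down from a 64-bit key to a 20-bit key so that the expected 2^(n/2) = 2^10 transactions take well under a second. The "cipher" is a stand-in: HMAC-SHA256 truncated to 8 bytes plays the deterministic block cipher, the fixed first sentence and the random key per transaction are constructed, and the seeds only make the runs repeatable. Everything else follows the slides: store first blocks until one repeats, or precompute 2^(n/2) first blocks and wait for a transaction that lands in the table.

```python
import hashlib
import hmac
import random

KEY_BITS = 20  # scaled down from the slides' 64 bits so the demo runs in seconds
TABLE_BITS = KEY_BITS // 2  # the attacker precomputes 2^(n/2) keys
FIRST_SENTENCE = b"Dear customer, your account statement is attached."  # constructed fixed first sentence


def encrypt_first_block(key: int, sentence: bytes = FIRST_SENTENCE) -> bytes:
    """Stand-in for deterministic encryption of the first block: the same key and the same
    first sentence always give the same 8-byte ciphertext block. HMAC-SHA256 is used only
    to keep the example self-contained; it is not a real block cipher."""
    return hmac.new(key.to_bytes(4, "big"), sentence, hashlib.sha256).digest()[:8]


def transactions(seed: int):
    """Endless stream of transactions; each one picks a fresh random key (slide 92)."""
    rng = random.Random(seed)
    while True:
        key = rng.getrandbits(KEY_BITS)
        yield encrypt_first_block(key), key


def birthday_attack(seed: int = 1, limit: int = 2 ** 16):
    """Slide 93: store every observed first block; stop when one repeats, i.e. a key was reused
    and the stored message can be spliced onto the new one."""
    seen = {}
    for count, (block, key) in enumerate(transactions(seed), start=1):
        if block in seen:
            return {"transactions": count, "key_reused": key == seen[block]}
        seen[block] = key
        if count >= limit:
            return None


def meet_in_the_middle(seed: int = 2, limit: int = 2 ** 16):
    """Slide 94: precompute the first block under 2^(n/2) keys, then watch the stream until a
    transaction's first block is in the table; its key is then read off the table."""
    table = {encrypt_first_block(k): k for k in range(2 ** TABLE_BITS)}
    for count, (block, real_key) in enumerate(transactions(seed), start=1):
        guess = table.get(block)
        if guess is not None:
            return {"transactions": count, "recovered_key": guess, "correct": guess == real_key}
        if count >= limit:
            return None


if __name__ == "__main__":
    print("expected transactions, about 1.2 * 2^(n/2):", int(1.2 * 2 ** TABLE_BITS))
    print("birthday attack:", birthday_attack())
    print("meet in the middle:", meet_in_the_middle())
```

Both attacks need only the first block to be a deterministic function of the key; a random IV or nonce per message, authenticated along with the ciphertext, removes the repeat that they depend on.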