Chapter 20
Symmetric Encryption and
Message Confidentiality
Symmetric Encryption
• Also referred to as:
o
o
Conventional encryption
Secret-key or single-key encryption
o
Still most widely used alternative
o
o
o
o
o
Plaintext
Encryption algorithm
Secret key
Ciphertext
Decryption algorithm
• Only alternative before public-key
encryption in 1970’s
• Has five ingredients:
Cryptography
Classified along three
independent dimensions:
The type of
The number of keys
operations used for
used
transforming plaintext • Sender and receiver use
to ciphertext
same key – symmetric
The way in which the
plaintext is processed
• Block cipher – processes
input one block of
elements at a time
• Sender and receiver
• Substitution – each
each use a different key - • Stream cipher –
element in the plaintext is
asymmetric
processes the input
mapped into another
elements continuously
element
• Transposition – elements
in plaintext are
rearranged
Computationally Secure
Encryption Schemes
• Encryption is computationally secure if:
o Cost of breaking cipher exceeds value of information
o Time required to break cipher exceeds the useful lifetime of the
information
• Usually very difficult to estimate the amount
of effort required to break
• Can estimate time/cost of a brute-force
attack
Plaintext (2w bits)
Round 1
L0
w bits
w bits
R0
K1
F
L1
R1
Round i
Ki
F
Li
Ri
Round n
Kn
F
Ln
Rn
Ln+1
Rn+1
Ciphertext (2w bits)
Figure 20.1 Classical Feistel Network
Block Cipher Structure
• Symmetric block cipher consists of:
o A sequence of rounds
o With substitutions and permutations controlled by key
• Parameters and design features:
Block size
Key size
Number of
rounds
Subkey
generation
algorithm
Ease of
analysis
Fast
software
encryption/
decryption
Round
function
DES
• Most Widely used Encryption
• Minor variation on Feistel Network
• Modern symmetric-key cryptosystems
o Data Encryption Standard (DES)
• Adopted in 1976
• Block size = 64 bits
• Key length = 56 bits
o Advanced Encryption Standard (AES)
• Adopted in 2000
• Block sizes = 128, 192, or 256 bits
• Key lengths = 128, 192, or 256 bits
• 1973: NBS (now NIST) solicits proposals for crypto algorithm
which:
o
o
o
o
Provides a high level of security
Completely specified and easy to understand
Is available royalty-free
Is efficient
DES - Keys
• Any 56-bit string can be a DES key
• There are 256 keys
o 72,057,594,037,927,936 DES keys
• Test one trillion keys per second
o 2 hours to find the key
• A very small number of “weak keys”
DES – The Algorithm
• To encrypt a 64-bit plaintext
block
• An initial permutation
o
o
o
o
16 rounds of substitution, transposition
48-bit subkey added to each round,
Subkeys derived from 56-bit DES key
Final permutation
DES Initial Permutation
• Permutes 64 bits of the plaintext
• 58th bit is moved to position 1
• 50th bit is moved to position 2
….
• 7th bit is moved to position 64
DES – Subkey Generation
• DES key: 64-bits (eight parity bits)
• A 56-bit DES key
o 11010001101010101000101011101010101000100011010101010101
• The 64-bit representation
o 1101000111010100101000110101110010101010000100011101010010101010
• Sixteen 48-bit subkeys generated from 64-bit
DES key (one for each round)
DES – Subkey (cont)
• 64-bit DES key
o 110100011101010010100011010111001010101000
0100011101010010101010
• A key permutation removes eight
parity bits and
• The 57th bit is moved to position 1
• The 49th bit is moved to position 2
…
• The 4th bit is moved to position 56
64-bit “key” to 56-bit DES key
DES – Subkey Gen (cont)
• 56 key bits (after permutation) divided into
two 28-bit halves
• Each half circularly shifted left by one bit
(rounds 1,2,9 and 16) or 2 bits (all other
rounds)
• Halves recombined into 56 bit string
DES – Compression Perm
• Compression permutation selects 48 bits
• 14th bit goes to output 1
• 17th bit goes to output 2
….
• 32nd bit goes to output 48
DES Round 1 Subkey & Subkey overview
DES Round 1 Subkey
DES - Subkey Overview
DES – Rounds
• Each of 16 rounds takes 64-bit block of input
to 64-bit block of output
• The output from initial perm is input to round
one
• Round one output is input to round two
• Round two output is input to round three

• Round 16 output is ciphertext
DES – Round 1
Input block (64)
L1 (32)
R1 (32)
EP
XOR
S-box
P-box
XOR
L2 (32)
R2 (32)
Output block (64)
Subkey1
DES Rounds
• 64-bit input divided into two 32bit halves
• Right half sent through
expansion perm which
produces 48 bits by
o Rearranging the input bits
o Repeating some input bits more
than once
Expansion permutation
DES – XOR Operation
• XOR is applied to the 48-bit output of expansion
perm and subkey
• The resulting 48-bits go to S-boxes
DES – S-boxes
• S-boxes perform substitution
• 8 different S-boxes
• Each S-box maps 6 bits to 4 bits
• Bits 1-6 are input to S-box 1
• Bits 7-12 are input to S-box 2, etc.
DES – Inside an S-box
•
Each S-box has 4 rows, 16 columns. First and last input bits specify the row. Middle
four input bits specify the column e.g. S-box 1
•
S-box entry is the four-bit output. Examples with S-box 1
•
•
•
011010  row 0, column 13  9 = 1001 (output)
110010  row 2, column 9  12 = 1100 (output)
000011  row 1, column 1  15 = 1111 (output)
DES – S-boxes
DES – P-box
• 32-bit output of S-boxes goes to Pbox
• P-box permutes the bits
o The first bit is moved to position 16
o The second bit is moved to position 7
o The third bit is moved to position 20
:
o The thirty-second bit is moved into position 25
DES – Second XOR Operation
• Output of P-box is XORed with the left half of
64-bit input block
• 32-bit output of the XOR operation:
o 01101111011011000110111010010010
DES – Rounds
• 64-bit output from round 1 is input for round 2
• Output from round 2 is input for round 3
:
• Output from round 16 is passed through a final
permutation
DES – Final Perm
• Final permutation is inverse of initial
perm
o 40th bit is moved into the 1st position
o 8th bit is moved into the 2nd position
:
o 25th bit is moved into the 64th position
• Output of final permutation is
ciphertext
DES – Encryption Overview
DES - Decryption
• Same algorithm and key as encryption
• Subkeys are applied in opposite order
o Subkey 16 used in first round
o Subkey 15 used in second round
:
o Subkey 1 used in 16th round
Triple DES (3DES)
 first used in financial
applications
 in DES FIPS PUB 46-3
standard of 1999
 uses three keys and
three DES executions:
C = E(K3, D(K2, E(K1, P)))
 decryption same with
keys reversed
 use of decryption in
second stage gives
compatibility with
original DES users
 effective 168-bit key
length, slow, secure
 AES will eventually
replace 3DES
K1
P
E
K2
A
D
K3
B
E
C
(a) Encryption
K3
C
D
K2
B
E
K1
A
D
(b) Decryption
Figure 20.2 Triple DES
P
AES
• 1997: NIST requests proposals for a new Advanced Encryption
Standard (AES) to replace DES
• NIST required that the algorithm be:
o
o
o
o
o
A symmetric-key cryptosystem
A block cipher
Capable of supporting a block size of 128 bits
Capable of supporting key lengths of 128, 192, and 256 bits
Available on a worldwide, non-exclusive, royalty-free basis
• Evaluation criteria:
o Security - soundness of the mathematical basis and the results of
analysis by the research community
o Computational efficiency, memory requirements, flexibility, and
simplicity
AES – Round 1 Results
• After eight months of analysis and public comment,
NIST:
o Eliminated DEAL, Frog, HPC, Loki97, and Magenta
• Had what NIST considered major security flaws
• Were among the slowest algorithms submitted
o Eliminated Crypton, DFC, E2, and SAFER+
• Had what NIST considered minor security flaws
• Had unimpressive characteristics on the other evaluation criteria
o Eliminated CAST-256
• Had mediocre speed and large ROM requirements
• Five candidates, MARS, RC6, Rijndael, Serpent, and
Twofish, advanced to the second round
• Analysis and public comment on the five finalists circa 2000
o Selects Rijndael
• Adequate security margin, fast encryption, decryption, and key setup
speeds, low RAM and ROM requirements
AES – Rijndael Algorithm
• Symmetric-key block cipher
o Block sizes are 128, 192, or 256 bits
o Key lengths are 128, 192, or 256 bits
• Performs several rounds of operations to transform
each block of plaintext into a block of ciphertext
o The number of rounds depends on the block size and the
length of the key:
• Nine regular rounds if both the block and key are 128 bits
• Eleven regular rounds if either the block or key are 192 bits
• Thirteen regular rounds if either the block or key is 256 bits
o One, slightly different, final round is performed after the regular
rounds
AES – Rijndael Algorithm (cont)
• For a 128-bit block of plaintext and
a 128-bit key the algorithm
performs:
o An initial AddRoundKey (ARK)
operation
o Nine regular rounds composed of four
operations:
•
•
•
•
ByteSub (BSB)
ShiftRow (SR)
MixColumn (MC)
AddRoundKey (ARK)
o One final (reduced) round composed
of three operations:
• ByteSub (BSB)
• ShiftRow (SR)
• AddRoundKey (ARK)
AES – Rijndael Keys
• Keys are expressed as 128-bit (or bigger) quantities
• Keyspace contains at least 2128 elements:
o 340,282,366,920,938,463,463,374,607,431,768,211,456
• Exhaustive search at one trillion keys per second takes:
o 1x1019 years (the universe is about 1x1010 years old)
• Blocks &keys are represented as a two-dimensional
array of bytes with four rows and four columns:
o Block = 128 bits = 16 bytes = b0 , b1, . , b15
o Key = 128 bits = 16 bytes = k0 , k1, . k15
State
S
SubBytes
S
S
S
S
S
S
S
S
S
S
S
S
S
S
S
State
ShiftRows
State
MixColumns
M
M
M
M
State
r0
r1
r2
r3
r4
r5
r6
r7
r8
r9
r10
r11
r12
AddRoundKey
State
Figure 20.4 AES Encryption Round
r13
r14
r15
The ByteSub Operation
• An S-box is applied to each of the 16 input bytes
independently
• Each byte is replaced by the output of the S-box:
AES – The Rijndael S-box
• The input to the S-box is one byte:
• Example 1:
o b0 = 01101011 (binary) = 6b (hex)
o b’0 = row 6, column b = 7f (hex) =
01111111 (binary)
• Example 2:
o b1 = 00001000 (binary) = 08 (hex)
o b’1 = row 0, column 8 = 30 (hex) =
00110000 (binary)
• Example 3:
o b2 = 11111001 (binary) = f9 (hex)
o b’2 = row f, column 9 = 99 (hex) =
10011001 (binary)
AES - ShiftRow Operation
• Each row of the input is circularly left shifted:
o
o
o
o
First row by zero places
Second row by one place
Third row by two places
Fourth row by three places
Mix Columns and Add Key
• Mix columns
o Operates on each column individually
o Mapping each byte to a new value that is a function of all
four bytes in the column
o Use of equations over finite fields
o To provide good mixing of bytes in column
• Add round key
o Simply XOR State with bits of expanded key
o Security from complexity of round key expansion and other
stages of AES
AES - The MixColumn Operation
• The four bytes in each input column are replaced
with four new bytes:
The AddRoundKey Operation
• Each byte of the input block is
XORed with the corresponding
byte of the round subkey:
AES – Rijndael Overview
Plaintext
Add round key
w[0, 3]
Add round key
Substitute bytes
Expand key
Inverse sub bytes
Shift rows
Inverse shift rows
Mix columns
Inverse mix cols
Add round key
w[4, 7]
Round 10
Key
Add round key
Inverse sub bytes
Round 9
Round 1
Plaintext
Inverse shift rows
Shift rows
Mix columns
Round 10
Add round key
Inverse mix cols
w[36, 39]
Add round key
Substitute bytes
Inverse sub bytes
Shift rows
Inverse shift rows
Add round key
w[40, 43]
Add round key
Ciphertext
Ciphertext
(a) Encryption
(b) Decryption
Figure 20.3 AES Encryption and Decryption
Round 1
Round 9
Substitute bytes
AES Summary
• The research community participated very actively
and expertly in the design and evaluation of the
candidate algorithms
• The AES selection process served to raise public
awareness of cryptography and its importance
• The AES algorithm is widely used
• The AES should offer useful cryptographic
protection for at least the next few decades
Stream Ciphers
• A typical stream cipher encrypts plaintext one byte at a time,
although a stream cipher may be designed to operate on one
bit at a time or on units larger than a byte at a time.
• A key is input to a pseudorandom bit generator that produces a
stream of 8-bit numbers that are apparently random.
• A pseudorandom stream is one that is generated by an
algorithm but is unpredictable without knowledge of the input
key.
• The output of the generator, called a keystream, is combined
one byte at a time with the plaintext stream using the bitwise
exclusive-OR (XOR) operation.
Stream Ciphers
• For example, if the next byte generated by the generator is
01101100 and the next plaintext byte is 11001100, then the
resulting ciphertext byte is:
XOR
11001100 plaintext
01101100 key stream
10100000 ciphertext
Decryption requires the use of the same pseudorandom sequence:
XOR
10100000 ciphertext
01101100 key stream
11001100 plaintext
Stream Ciphers
design considerations for a stream cipher
•
1. The encryption sequence should have a large period. A
pseudorandom number generator uses a function that produces a
deterministic stream of bits that eventually repeats. The longer the
period of repeat the more difficult it will be to do cryptanalysis.
•
2. The keystream should approximate the properties of a true
random number stream as close as possible. For example, there
should be an approximately equal number of 1s and 0s. If the
keystream is treated as a stream of bytes, then all of the 256 possible
byte values should appear approximately equally often. The more
random-appearing the keystream is, the more randomized the
ciphertext is, making cryptanalysis more difficult.
•
3. The output of the pseudorandom number generator is
conditioned on the value of the input key. To guard against bruteforce attacks, the key needs to be sufficiently long. The same
considerations as apply for block ciphers are valid here. Thus, with
current technology, a key length of at least 128 bits is desirable
Stream Ciphers
•
With a properly designed pseudorandom number generator, a
stream cipher can be as secure as block cipher of comparable key
length. The primary advantage of a stream cipher is that stream
ciphers are almost always faster and use far less code than do block
ciphers. RC4 can be implemented in just a few lines of code.
•
The advantage of a block cipher is that you can reuse keys.
However, if two plaintexts are encrypted with the same key using a
stream cipher, then cryptanalysis is often quite simple. If the two
ciphertext streams are XORed together, the result is the XOR of the
original plaintexts. If the plaintexts are text strings, credit card
numbers, or other byte streams with known properties, then
cryptanalysis may be successful.
•
For applications that require encryption/decryption of a stream of
data, such as over a data communications channel or a
browser/Web link, a stream cipher might be the better alternative.
For applications that deal with blocks of data, such as file transfer, email, and database, block -4- ciphers may be more appropriate.
However, either type of cipher can be used in any application.
Stream Ciphers
Table below compares execution times of RC4
with three well-known symmetric block ciphers.
Table 20.3 Speed Comparisons of Symmetric Ciphers on a Pentium 4
Cipher
Key Length
Speed (Mbps)
DES
56
21
3DES
168
10
AES
128
61
RC4
Variable
Source: http://www.cryptopp.com/benchmarks.html
113
RC4
• The RC4 Encryption Algorithm, developed by Ronald Rivest
of RSA, is a shared key stream cipher algorithm requiring a secure
exchange of a shared key.
• The symmetric key algorithm is used identically for encryption
and decryption such that the data stream is simply XORed with
the generated key sequence.
• The algorithm is serial as it requires successive exchanges of state
entries based on the key sequence. Hence implementations can
be very computationally intensive.
• The RC4 encryption algorithm is used by standards such as IEEE
802.11 within WEP (Wireless Encryption Protocol) using 40 and 128bit keys. Published procedures exist for cracking the security
measures as implemented in WEP.
RC4
• In the RC4 encryption algorithm, the key stream is completely
independent of the plaintext used. An 8 * 8 S-Box (S0 S255),
where each of the entries is a permutation of the numbers 0 to
255, and the permutation is a function of the variable length key.
There are two counters i, and j, both initialized to 0 used in the
algorithm.
• The algorithm uses a variable length key from 1 to 256 bytes to
initialize a 256-byte state table. The state table is used for
subsequent generation of pseudo-random bytes and then to
generate a pseudo-random stream which is XORed with the
plaintext to give the ciphertext. Each element in the state table is
swapped at least once.
• The key is often limited to 40 bits, because of export restrictions
but it is sometimes used as a 128 bit key. It has the capability of
using keys between 1 and 2048 bits. RC4 is used in many
commercial software packages such as Lotus Notes and Oracle
Secure SQL.
RC4
• The algorithm works in two phases, key setup and ciphering. Key
setup is the first and most difficult phase of this encryption
algorithm.
• During a N-bit key setup (N being your key length), the
encryption key is used to generate an encrypting variable using
two arrays, state and key, and N-number of mixing operations.
• These mixing operations consist of swapping bytes, modulo
operations, and other formulas. A modulo operation is the
process of yielding a remainder from division. For example, 11/4 is
2 remainder 3; therefore eleven mod four would be equal to
three.
RC4 – Initialization of S
• To begin, the entries of S are set equal to the values from 0
through 255 in ascending order; that is; S[0] = 0, S[1] = 1, …, S[255]
= 255. A temporary vector, T, is also created. If the length of the
key K is 256 bytes, then K is transferred to T. Otherwise, for a key of
length keylen bytes, the first keylen elements of T are copied from
K and then K is repeated as many times as necessary to fill out T.
These preliminary operations can be summarized as follows:
/* Initialization */
for i = 0 to 255 do
S[i] = i;
T[i] = K[i mod keylen];
RC4 – Initialization of S
• Next we use T to produce the initial permutation of S. This involves
starting with S[0] and going through to S[255], and, for each S[i],
swapping S[i] with another byte in S according to a scheme
dictated by T[i]:
/* Initial Permutation of S */
j = 0;
for i = 0 to 255 do
j = (j + S[i] + T[i]) mod 256;
Swap (S[i], S[j]);
Because the only operation on S is a swap, the only effect is a
permutation. S still contains all the numbers from 0 through 255.
RC4 – Stream Generation
• Once the S vector is initialized, the input key is no longer used.
Stream generation involves starting with S[0] and going through to
S[255], and, for each S[i], swapping S[i] with another byte in S
according to a scheme dictated by the current configuration of
S. After S[255] is reached, the process continues, starting over at
S[0]:
/* Stream Generation */
i, j = 0;
while (true)
i = (i + 1) mod 256;
j = (j + S[i]) mod 256;
Swap (S[i], S[j]);
t = (S[i] + S[j]) mod 256;
k = S[t];
• To encrypt, XOR the value k with the next byte of plaintext. To
decrypt, XOR the value k with the next byte of ciphertext.
S
0
1
2
3
4
253 253 255
keylen
K
T
(a) Initial state of S and T
T
T[i]
j = j + S[i] + T[i]
S
S[i]
S[j]
i
Swap
(b) Initial permutation of S
j = j + S[i]
S
S[i]
i
S[j]
S[t]
Swap
t = S[i] + S[j]
(c) Stream Generation
Figure 20.5 RC4
k
RC4
Strengths of RC4
• The difficulty of knowing where any value is in the table.
• The difficulty of knowing which location in the table is used to
select each value in the sequence.
• A particular RC4 Algorithm key can be used only once.
• Encryption is about 10 times faster than DES.
Limitations of RC4
• One in every 256 keys can be a weak key. These keys are
identified by cryptanalysis that is able to find circumstances
under which one of more generated bytes are strongly
correlated with a few bytes of the key.
Block Cipher Modes of Operation
Electronic Codebook (ECB)
• Simplest mode
• Plaintext is handled b bits at a time and each block
is encrypted using the same key
• “Codebook” because have unique ciphertext value
for each plaintext block
o Not secure for long messages since repeated plaintext is seen in
repeated ciphertext
• To overcome security deficiencies you need a
technique where the same plaintext block, if
repeated, produces different ciphertext blocks
IV
Time = 1
P1
Time = 2
P2
Time = N
PN
CN–1
Encrypt
K
K
C1
Encrypt
K
C2
Encrypt
CN
(a) Encryption
C1
Decrypt
K
C2
K
Decrypt
CN
K
Decrypt
CN–1
IV
P1
P2
(b) Decryption
Figure 20.6 Cipher Block Chaining (CBC) Mode
PN
CM–1
IV
Shift register
b – s bits
s bits
Shift register
b – s bits
s bits
64
K
64
K
Encrypt
P1
64
K
Encrypt
64
Select
s bits
Shift register
b – s bits
s bits
Encrypt
64
Discard
b – s bits
Select
s bits
P2
s
s
64
Discard
b – s bits
Select
s bits
PM
s
s
Discard
b – s bits
s
s
s
C1
C2
(a) Encryption
CM
CM–1
IV
Shift register
b – s bits
s bits
Shift register
b – s bits
s bits
64
K
64
K
Encrypt
64
Select
s bits
Discard
b – s bits
64
K
Encrypt
Select
s bits
64
Discard
b – s bits
Select
s bits
s
s
C1
Encrypt
64
s
s
P1
Shift register
b – s bits
s bits
Discard
b – s bits
s
s
s
C2
P2
(b) Decryption
Figure 20.7 s-bit Cipher Feedback (CFB) Mode
PM
CM
Counter
Encrypt
K
Counter + 1
Encrypt
K
P1
Counter + N – 1
P2
C1
Encrypt
K
PN
C2
CN
(a) Encryption
Counter
Encrypt
K
C1
Counter + 1
Encrypt
K
C2
P1
Counter + N – 1
Encrypt
K
CN
P2
(b) Decryption
Figure 20.8 Counter (CTR) Mode
PN
FRN
FRN
Frame relay
network
FRN
FRN
= end-to-end encryption device
= link encryption device
FRN = frame relay node
Figure 20.9 Encryption Across a Frame Relay Network
Key Distribution
• The means of delivering a key to two parties that wish
to exchange data without allowing others to see the
key
• Two parties (A and B) can achieve this by:
1
2
3
4
•A key could be selected by A and physically delivered to B
•A third party could select the key and physically deliver it to A and B
•If A and B have previously and recently used a key, one party could
transmit the new key to the other, encrypted using the old key
•If A and B each have an encrypted connection to a third party C,
C could deliver a key on the encrypted links to A and B
Key
distribution
center
1. Host sends packet requesting connection.
2. Security service buffers packet; asks
KDC for session key.
3. KDC distributes session key to both hosts.
4. Buffered packet transmitted.
3
Application
Application
2
1
Security
service
Security
service
4
HOST
HOST
Network
Figure 20.10 Automatic Key Distribution for Connection-Oriented Protocol
Today’s Lab
ARP Poisoning –
Man in the Middle Attacks
Introduction
The Address Resolution Protocol (ARP) facilitates communications on a
Local Area Network (LAN).
It does this by providing a means for clients to resolve a Layer 3 Internet
Protocol (IP) Address (192.168.1.5) to a Layer 2 Hardware Address
(af:23:b4:7d:f5:c9) or Media Access Control (MAC) address.
The ARP protocol employs no form of security or authentication and is a
simple request and reply protocol.
Example
For Scott to send packets to Dave over the LAN he needs to
know Dave’s MAC address.
Scott
Dave
ARP Request
Who is 192.168.0.6, FF:FF:FF:FF:FF:FF?
I’m Scott, 192.168.0.5, A3:DD:B4:12:3A:4F.
ARP Response
192.168.0.5
A3:DD:B4:12:3A:4F
Hi Scott, 192.168.0.5, A3:DD:B4:12:3A:4F.
I’m Dave, 192.168.0.6, B7:C2:11:F2:BB:E6.
192.168.0.6
B7:C2:11:F2:BB:E6
- Thanks to Scott Helme for this example
Example
Scott
Scott was able to send the ARP request to Dave
without knowing his MAC address by using the
broadcast address FF:FF:FF:FF:FF:FF.
A packet with the broadcast address as the
destination is delivered to every client on the current
LAN segment, ensuring Dave will receive it. Once
we have Dave’s MAC address, we can send
packets to him instead of everyone on the network.
192.168.0.5
A3:DD:B4:12:3A:4F
ARP Request
Who is 192.168.0.6, FF:FF:FF:FF:FF:FF?
I’m Scott, 192.168.0.5, A3:DD:B4:12:3A:4F.
Example
When Dave received the ARP request, he
identified it was for him and responded to the
request using the details in the initial request.
Dave
ARP Response
Hi Scott, 192.168.0.5, A3:DD:B4:12:3A:4F.
I’m Dave, 192.168.0.6, B7:C2:11:F2:BB:E6.
192.168.0.6
B7:C2:11:F2:BB:E6
Example
Scott
192.168.0.5
A3:DD:B4:12:3A:4F
Dave
Now Scott and Dave have exchanged
details they can communicate with each
other directly. They both store a record
in their ARP Cache of the other clients
IP and MAC address so they can
perform a lookup later if needed. This
prevents the need for subsequent ARP
requests and reduces network traffic.
192.168.0.6
B7:C2:11:F2:B
B:E6
The Problem
Scott
Dave
During the ARP request/response
exchange neither client took any steps
to verify the identity of the responding
client, or the authenticity of the
response sent. This presents an
opportunity for a 3rd party to
impersonate clients on the network.
192.168.0.5
A3:DD:B4:12:3A:4F
192.168.0.6
B7:C2:11:F2:BB:E6
The Problem
Attacker
192.168.0.7
C4:D3:46:B1:EE:BA
ARP Requests are sent
to all clients on the
network as they use the
broadcast MAC address
FF:FF:FF:FF:FF:FF.
Scott
Dave
192.168.0.5
A3:DD:B4:12:3A:4F
192.168.0.6
B7:C2:11:F2:BB:E6
The Problem
Attacker
Hi Scott, 192.168.0.5, A3:DD:B4:12:3A:4F.
I’m Dave, 192.168.0.6, C4:D3:46:B1:EE:BA.
192.168.0.7
C4:D3:46:B1:EE:BA
ARP Responses are not
verified and if any client
receives a new response
they will update their ARP
cache assuming the sender
has changed their MAC or IP
address.
Scott
Dave
192.168.0.5
A3:DD:B4:12:3A:4F
192.168.0.6
B7:C2:11:F2:BB:E6
The Problem
Attacker
Hi Scott, 192.168.0.5, A3:DD:B4:12:3A:4F.
I’m Dave, 192.168.0.6, C4:D3:46:B1:EE:BA.
192.168.0.7
C4:D3:46:B1:EE:BA
Scott
192.168.0.5
A3:DD:B4:12:3A:4F
As long as the attacker regularly
sends the forged response to the
target (Scott), they will continue to
send traffic to the wrong location.
If the Attacker then resends the
traffic to the correct destination
there is no interruption on the LAN
and Dave is not aware the
Attacker can view his traffic.
Dave
192.168.0.6
B7:C2:11:F2:BB:E6
The Problem
Attacker
To Dave,
192.168.0.6,
C4:D3:46:B1:EE:BA.
The password is
“SuperSecret1234”.
From Scott,
192.168.0.5
A3:DD:B4:12:3A:4F
192.168.0.7
C4:D3:46:B1:EE:BA
To Dave,
192.168.0.6,
B7:C2:11:F2:BB:E6.
The password is
“SuperSecret1234”.
From Scott,
192.168.0.5
A3:DD:B4:12:3A:4F
Dave
Scott
This is a successful implementation
of a MITM attack and allows the
attacker to view all traffic sent by
Scott to Dave.
192.168.0.5
A3:DD:B4:12:3A:4F
192.168.0.6
B7:C2:11:F2:BB:E6
The Scope
Client
Client
Attacker
Client
192.168.0.7
C4:D3:46:B1:EE:BA
Client
Client
At this point, the attacker can
choose which targets on the
network he wants to MITM and
impersonate
them
using
forged ARP packets to poison
their ARP Cache.
The Bigger Problem
A gratuitous ARP can be sent by a client at any point, usually when their IP
address or MAC address has changed for some reason. This allows other clients
to update their ARP cache and maintain current records. An attacker can send out
a forged gratuitous ARP without needing to wait for an ARP request from a target
on the network.
Broadcast
Attacker
192.168.0.7
C4:D3:46:B1:EE:BA
To Everyone!
Here are my updated details!
192.168.0.1
C4:D3:46:B1:EE:BA
The attacker has just told all clients on
the network that he is the default
gateway!
Default Gateway
192.168.0.1
D7:AD:F1:C3:A4:D9
The Bigger Problem
Client
Client
Attacker
Default Gateway
Client
Client
192.168.0.7
C4:D3:46:B1:EE:BA
192.168.0.1
D7:AD:F1:C3:A4:D9
Client
Client
Here the attacker can monitor all Internet traffic on the LAN
that isn’t being sent using TLS. He could also simply not
forward on the traffic and bring the entire network down as no
clients would be able to communicate at all. This is known as
a Denial of Service (DoS) attack.
Mitigation
• There is no replacement for ARP on a LAN so ARP Cache Poisoning is a
difficult threat to defend against.
• You can create static ARP entries on client machines for important things like
the default gateway. The only problem is if the IP or MAC genuinely changes no
client will listen to the new details and depend upon the incorrect static entries
which now need to be updated.
• ARP Cache Poisoning actually has genuine advantageous uses. If a web server
on your LAN went down, you could invisibly direct all clients to a backup server
without needing to alter any configurations. Simply broadcast a forged ARP
packet with the MAC address for the new server.
• You can employ monitoring software to listen and try to detect forged ARP
packets. They are easy to spot by maintaining a historic record of ARP
broadcasts and looking for an ARP packet with the same IP address but a
different MAC address to one previously reported.
Summary
• Symmetric encryption
principles
o Cryptography
o Cryptanalysis
o Feistel cipher structure
• Data encryption
standard
o Data encryption standard
o Triple DES
• Advanced encryption
standard
o Overview of the algorithm
o Algorithm details
• Stream ciphers
and RC4
o Stream cipher structure
o The RC4 algorithm
• Cipher block
modes of
operation
o Electronic codebook
mode
o Cipher block chaining
mode
o Cipher feedback mode
o Counter mode
• Location of
symmetric
encryption devices
• Key distribution