NEHRU ARTS AND SCIENCE COLLEGE T.M.PALAYAM, COIMBATORE NAME OF THE PAPER: NETWORK SECURITY AND CRYPTOGRAPHY STAFF NAME: A.SENTHIL KUMAR ACADEMIC YEAR : 2011 - 2012 UNIT-II: Triple des-blow fish – RCS Advanced Symmetric Block Ciphers –RC4 stream Cipher confidentially using symmetric encryption – introduction to number theory – public – key cryptography and RSA. Triple des In cryptography, Triple DES (3DES) is the common name for the Triple Data Encryption Algorithm (TDEA) block cipher, which applies the Data Encryption Standard (DES) cipher algorithm three times to each data block. Because of the availability of increasing computational power, the key size of the original DES cipher was becoming subject to brute force attacks; Triple DES was designed to provide a relatively simple method of increasing the key size of DES to protect against such attacks, without designing a completely new block cipher algorithm. Triple DES uses a "key bundle" which comprises three DES keys, K1, K2 and K3, each of 56 bits (excluding parity bits). The encryption algorithm is: ciphertext = EK3(DK2(EK1(plaintext))) I.e., DES encrypt with K1, DES decrypt with K2, then DES encrypt with K3. Decryption is the reverse: plaintext = DK1(EK2(DK3(ciphertext))) I.e., decrypt with K3, encrypt with K2, then decrypt with K1. Each triple encryption encrypts one block of 64 bits of data. In each case the middle operation is the reverse of the first and last. This improves the strength of the algorithm when using keying option 2, and provides backward compatibility with DES with keying option 3. Blow fish Blowfish (cipher) From Wikipedia, the free encyclopedia Jump to: navigation, search Blowfish The round function (Feistel function) of Blowfish General Designers Bruce Schneier First published 1993 Successors Twofish Cipher detail Key sizes 8–448 bits in steps of 8 bits Block sizes 64 bits Structure Feistel network Rounds 16 Best public cryptanalysis Four rounds of Blowfish are susceptible to a secondorder differential attack (Rijmen, 1997);[1] for a class of weak keys, 14 rounds of Blowfish can be distinguished from a pseudorandom permutation (Vaudenay, 1996). Blowfish is a keyed, symmetric block cipher, designed in 1993 by Bruce Schneier and included in a large number of cipher suites and encryption products. Blowfish provides a good encryption rate in software and no effective cryptanalysis of it has been found to date. However, the Advanced Encryption Standard now receives more attention. Schneier designed Blowfish as a general-purpose algorithm, intended as an alternative to the aging DES and free of the problems and constraints associated with other algorithms. At the time Blowfish was released, many other designs were proprietary, encumbered by patents or were commercial/government secrets. Schneier has stated that, "Blowfish is unpatented, and will remain so in all countries. The algorithm is hereby placed in the public domain, and can be freely used by anyone." Notable features of the design include key-dependent S-boxes and a highly complex key schedule. RCS Advanced Symmetric Block Ciphers A block cipher consists of two paired algorithms, one for encryption, E, and the other for decryption, E−1. Both algorithms accept two inputs: an input block of size n bits and a key of size k bits, yielding an n-bit output block. For any one fixed key, decryption is the inverse function of encryption, so that for any block M and key K. M is termed the plaintext and C the ciphertext. For each key K, EK is a permutation (a bijective mapping) over the set of input blocks. Each key selects one permutation from the possible set of 2n! (see Factorial). The block size, n, is typically 64 or 128 bits, although some ciphers have a variable block size. 64 bits was the most common length until the mid-1990s, when new designs began to switch to the longer 128-bit length. One of several modes of operation is generally used along with a padding scheme to allow plaintexts of arbitrary lengths to be encrypted. Each mode has different characteristics in regard to error propagation, ease of random access and vulnerability to certain types of attack. Typical key sizes (k) include 40, 56, 64, 80, 128, 192 and 256 bits. As of 2006, 80 bits is normally taken as the minimum key length needed to prevent brute force attacks. For creating ciphers with arbitrary block sizes (or on domains that aren't powers of two) see Formatpreserving encryption. Iterated block ciphers Most block ciphers are constructed by repeatedly applying a simpler function. This approach is known as iterated block cipher (see also product cipher). Each iteration is termed a round, and the repeated function is termed the round function; anywhere between 4 to 32 rounds are typical. Usually, the round function R takes different round keys Ki as second input, which are derived from the original key: where M0 is the plaintext and Mr the ciphertext, with r being the round number. Frequently, key whitening is used in addition to this. At the beginning and the end, the data is modified with key material (often with XOR, but simple arithmetic operations like adding and subtracting are also used): Many block ciphers can be categorised as Feistel networks, or, as more general substitutionpermutation networks. Arithmetic operations, logical operations (especially XOR), S-boxes and various permutations are all frequently used as components. RC4 stream Cipher confidentially using symmetric encryption Symmetric ciphers are often used to achieve other cryptographic primitives than just encryption. Encrypting a message does not guarantee that this message is not changed while encrypted. Hence often a message authentication code is added to a ciphertext to ensure that changes to the ciphertext will be noted by the receiver. Message authentication codes can be constructed from symmetric ciphers (e.g. CBC-MAC). However, symmetric ciphers also can be used for non-repudiation purposes by ISO 13888-2 standard. Another application is to build hash functions from block ciphers. See one-way compression function for descriptions of several such methods. Public-key cryptography An unpredictable (typically large and random) number is used to begin generation of an acceptable pair of keys suitable for use by an asymmetric key algorithm. In an asymmetric key encryption scheme, anyone can encrypt messages using the public key, but only the holder of the paired private key can decrypt. Security depends on the secrecy of that private key. In some related signature schemes, the private key is used to sign a message; but anyone can check the signature using the public key. Validity depends on private key security. In the Diffie–Hellman key exchange scheme, each party generates a public/private key pair and distributes the public key. After obtaining an authentic copy of each other's public keys, Alice and Bob can compute a shared secret offline. The shared secret can be used as the key for a symmetric cipher. Public-key cryptography is a cryptographic approach which involves the use of asymmetric key algorithms instead of or in addition to symmetric key algorithms. Unlike symmetric key algorithms, it does not require a secure initial exchange of one or more secret keys to both sender and receiver. The asymmetric key algorithms are used to create a mathematically related key pair: a secret private key and a published public key. Use of these keys allows protection of the authenticity of a message by creating a digital signature of a message using the private key, which can be verified using the public key. It also allows protection of the confidentiality and integrity of a message, by public key encryption, encrypting the message using the public key, which can only be decrypted using the private key. Public key cryptography is a fundamental and widely used technology around the world. It is the approach which is employed by many cryptographic algorithms and cryptosystems. It underlies such Internet standards as Transport Layer Security (TLS) (successor to SSL), PGP, and GPG. RSA: In cryptography, RSA (which stands for Rivest, Shamir and Adleman who first publicly described it) is an algorithm for public-key cryptography.[1] It is the first algorithm known to be suitable for signing as well as encryption, and was one of the first great advances in public key cryptography. RSA is widely used in electronic commerce protocols, and is believed to be secure given sufficiently long keys and the use of up-to-date implementations. The RSA algorithm involves three steps: key generation, encryption and decryption. [edit] Key generation RSA involves a public key and a private key. The public key can be known to everyone and is used for encrypting messages. Messages encrypted with the public key can only be decrypted using the private key. The keys for the RSA algorithm are generated the following way: 1. Choose two distinct prime numbers p and q. o For security purposes, the integers p and q should be chosen uniformly at random and should be of similar bit-length. Prime integers can be efficiently found using a primality test. 2. Compute n = pq. o n is used as the modulus for both the public and private keys 3. Compute φ(pq) = (p − 1)(q − 1). (φ is Euler's totient function). 4. Choose an integer e such that 1 < e < φ(pq), and e and φ(pq) share no divisors other than 1 (i.e., e and φ(pq) are coprime). o e is released as the public key exponent. o e having a short bit-length and small Hamming weight results in more efficient encryption - most commonly 0x10001 = 65537. However, small values of e (such as e = 3) have been shown to be less secure in some settings.[4] 5. Determine (using Modular multiplicative inverse). This satisfies the congruence relation . o Stated differently, ed − 1 can be evenly divided by the totient (p − 1)(q − 1). o This is often computed using the Modular multiplicative inverse and extended Euclidean algorithm. o d is kept as the private key exponent. The public key consists of the modulus n and the public (or encryption) exponent e. The private key consists of the private (or decryption) exponent d which must be kept secret. Note: An alternative, used by PKCS#1, is to choose d matching e d ≡ 1 (mod λ) with λ = lcm(p1,q-1), where lcm is the least common multiple. Using λ instead of φ(n) allows more choices for d. λ can also be defined using the Carmichael function λ(n). Encryption Alice transmits her public key (n,e) to Bob and keeps the private key secret. Bob then wishes to send message M to Alice. He first turns M into an integer 0 < m < n by using an agreed-upon reversible protocol known as a padding scheme. He then computes the ciphertext c corresponding to: This can be done quickly using the method of exponentiation by squaring. Bob then transmits c to Alice. Decryption Alice can recover m from c by using her private key exponent d by the following computation: Given m, she can recover the original message M by reversing the padding scheme. (In practice, there are more efficient methods of calculating cd using the pre computed values above.) A worked example Here is an example of RSA encryption and decryption. The parameters used here are artificially small, but one can also use OpenSSL to generate and examine a real keypair. 1. Choose two prime numbers p = 61 and q = 53 Make sure that these prime numbers are distinct (i.e. they are not both the same number). 2. Compute n = pq 3. Compute the totients of product. For primes the totient is maximal and equals the prime minus one. Therefore 4. Choose any number e > 1 that is coprime to 3120. Choosing a prime number for e leaves you with a single check: that e is not a divisor of 3120. e = 17 5. Compute d such that e.g., by computing the modular multiplicative inverse of e modulo : d = 2753 since 17 · 2753 = 46801 and 46801 mod 3120 = 1, this is the correct answer. (iterating finds (15 times 3120)+1 divided by 17 is 2753, an integer, whereas other values in place of 15 do not produce an integer. The extended euclidean algorithm finds the solution to Bézout's identity of 3120x2 + 17x-367=1, and -367 mod 3120 is 2753) The public key is (n = 3233, e = 17). For a padded plaintext message m, the encryption function is or abstractly: The private key is (n = 3233, d = 2753). For an encrypted ciphertext c, the decryption function is or in its general form: For instance, in order to encrypt m = 65, we calculate To decrypt c = 2790, we calculate . Both of these calculations can be computed efficiently using the square-and-multiply algorithm for modular exponentiation. In real life situations the primes selected would be much larger; in our example it would be relatively trivial to factor n, 3233, obtained from the freely available public key back to the primes p and q. Given e, also from the public key, we could then compute d and so acquire the private key. Using the Chinese remainder algorithm For efficiency many popular crypto libraries (like OpenSSL, Java and .NET) use the following optimization for decryption and signing: The following values are precomputed and stored as part of the private key: p and q: the primes from the key generation, , and . These values allow to compute the exponentiation computed as follows: more efficiently (if m1 < m2 then some libraries compute h as ) This is more efficient than computing even though two modular exponentiations have to be computed. The reason is that these two modular exponentiations both use a smaller exponent and a smaller modulus. Padding schemes When used in practice, RSA is generally combined with some padding scheme. The goal of the padding scheme is to prevent a number of attacks that potentially work against RSA without padding: When encrypting with low encryption exponents (e.g., e = 3) and small values of the m, (i.e. m < n1 / e) the result of me is strictly less than the modulus n. In this case, ciphertexts can be easily decrypted by taking the eth root of the ciphertext over the integers. If the same clear text message is sent to e or more recipients in an encrypted way, and the receivers share the same exponent e, but different p, q, and n, then it is easy to decrypt the original clear text message via the Chinese remainder theorem. Johan Håstad noticed that this attack is possible even if the cleartexts are not equal, but the attacker knows a linear relation between them.[5] This attack was later improved by Don Coppersmith.[6] Because RSA encryption is a deterministic encryption algorithm – i.e., has no random component – an attacker can successfully launch a chosen plaintext attack against the cryptosystem, by encrypting likely plaintexts under the public key and test if they are equal to the ciphertext. A cryptosystem is called semantically secure if an attacker cannot distinguish two encryptions from each other even if the attacker knows (or has chosen) the corresponding plaintexts. As described above, RSA without padding is not semantically secure. RSA has the property that the product of two ciphertexts is equal to the encryption of the product of the respective plaintexts. That is Because of this multiplicative property a chosen-ciphertext attack is possible. E.g. an attacker, who wants to know the decryption of a ciphertext c = me(mod n) may ask the holder of the private key to decrypt an unsuspicious-looking ciphertext c' = cre(mod n) for some value r chosen by the attacker. Because of the multiplicative property c' is the encryption of mr(mod n). Hence, if the attacker is successful with the attack, he will learn mr(mod n) from which he can derive the message m by multiplying mr with the modular inverse of r modulo n. To avoid these problems, practical RSA implementations typically embed some form of structured, randomized padding into the value m before encrypting it. This padding ensures that m does not fall into the range of insecure plaintexts, and that a given message, once padded, will encrypt to one of a large number of different possible ciphertexts. Standards such as PKCS#1 have been carefully designed to securely pad messages prior to RSA encryption. Because these schemes pad the plaintext m with some number of additional bits, the size of the un-padded message M must be somewhat smaller. RSA padding schemes must be carefully designed so as to prevent sophisticated attacks which may be facilitated by a predictable message structure. Early versions of the PKCS#1 standard (up to version 1.5) used a construction that turned RSA into a semantically secure encryption scheme. This version was later found vulnerable to a practical adaptive chosen ciphertext attack. Later versions of the standard include Optimal Asymmetric Encryption Padding (OAEP), which prevents these attacks. The PKCS#1 standard also incorporates processing schemes designed to provide additional security for RSA signatures, e.g., the Probabilistic Signature Scheme for RSA (RSAPSS). In the common case where RSA is used to exchange symmetric keys, key encapsulation provides a simpler alternative to padding. Instead of generating a random symmetric key, padding it and then encrypting the padded version with RSA, a random integer m between 1 and n-1 is generated and encrypted directly using RSA. Both the sender and receiver generate identical symmetric keys by applying the same key derivation function to m.[7] Signing messages Suppose Alice uses Bob's public key to send him an encrypted message. In the message, she can claim to be Alice but Bob has no way of verifying that the message was actually from Alice since anyone can use Bob's public key to send him encrypted messages. In order to verify the origin of a message, RSA can also be used to sign a message. Suppose Alice wishes to send a signed message to Bob. She can use her own private key to do so. She produces a hash value of the message, raises it to the power of dmod n (as she does when decrypting a message), and attaches it as a "signature" to the message. When Bob receives the signed message, he uses the same hash algorithm in conjunction with Alice's public key. He raises the signature to the power of emod n (as he does when encrypting a message), and compares the resulting hash value with the message's actual hash value. If the two agree, he knows that the author of the message was in possession of Alice's private key, and that the message has not been tampered with since. Note that secure padding schemes such as RSA-PSS are as essential for the security of message signing as they are for message encryption, and that the same key should never be used for both encryption and signing purposes.