Cryptography - Fix IT for Me.Net

Cryptography
Block Cipher - breaks the plaintext into fixed-size blocks and encrypts each block with the same algorithm and key
Cipher - a cryptographic transformation that operates on characters or bits
Ciphertext or Cryptogram - the unintelligible (encrypted) message
Clustering (key clustering) - the same plaintext produces identical ciphertext under the same algorithm but different keys; a weakness, since it effectively shrinks the keyspace an attacker has to search
Codes - a cryptographic transformation that operates at the word or phrase level
Cryptanalysis - the act of recovering plaintext or the key from ciphertext without being given the key. It is used to obtain valuable information and to pass on altered or fake messages in order to deceive the intended recipient.
Cryptographic Algorithm - the step-by-step procedure used to encipher plaintext and decipher ciphertext
Cryptography - the art and science of hiding the meaning of a communication
Cryptology - encompasses both cryptography and cryptanalysis
Cryptosystem - the set of transformations from the message space to the ciphertext space; a system that provides encryption and decryption. A strong cryptosystem has a large keyspace (and keys are chosen from the entire keyspace) and a reasonably large unicity distance (the amount of ciphertext needed before only one key could have produced it).
Strength of a cryptosystem: an algorithm with no flaws, a large key, use of all possible values within the keyspace, and protection of the actual key are the important elements of encryption. If any one of them is weak it weakens the whole process.
Cryptoperiod: the period for which the same key is used.
Decipher - to undo the encipherment process
Encipher - to make a message unintelligible to all except the intended recipient
End-to-end encryption - encrypted information is sent from sender to receiver and stays protected from the originating host all the way to the final destination host, with no unprotected transmission points. In a complex environment, end-to-end encryption is provided at the presentation or application layer.
Encryption (encipher) is the transformation of data into a form that is as close to impossible as possible to read without the appropriate knowledge (a key). Its purpose is to ensure privacy by keeping information hidden from anyone for whom it is not intended, even those who have access to the encrypted data.
Decryption (decipher) is the reverse of encryption: the transformation of encrypted data back into an intelligible form.
Exclusive Or (XOR)
- Boolean operation, written XOR or with the symbol ⊕
- Easily implemented in hardware
- 0 ⊕ 0 = 0, 0 ⊕ 1 = 1, 1 ⊕ 0 = 1, 1 ⊕ 1 = 0 (the output is 1 only when the two inputs differ)

Truth table:
Input A   Input B   Output T
0         0         0
0         1         1
1         0         1
1         1         0

- XOR operates at the bit level
- A stream cipher XORs the plaintext (byte by byte) with the keystream
- The operation is reversed by a second XOR of the output with the same keystream:
  A XOR B = T
  T XOR B = A
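The following Python is an added example, not part of the original notes. It shows the XOR symmetry just described on byte strings, and it also illustrates the one-time pad rule covered later on this page (each pad is used exactly once): if one keystream is used for two messages, XORing the two ciphertexts cancels the keystream and leaves the XOR of the two plaintexts, so a known or guessed fragment of one message reveals the same span of the other. The messages and the "ATTACK" guess are constructed for the example.

```python
import os

def xor_bytes(data, keystream):
    """XOR each byte of data with the corresponding keystream byte (A XOR B = T)."""
    if len(keystream) < len(data):
        raise ValueError("keystream must be at least as long as the data")
    return bytes(d ^ k for d, k in zip(data, keystream))

def one_time_pad_encrypt(plaintext):
    """Draw a fresh random pad as long as the message; return (ciphertext, pad)."""
    pad = os.urandom(len(plaintext))
    return xor_bytes(plaintext, pad), pad

# Decryption is the very same operation: T XOR B = A.
one_time_pad_decrypt = xor_bytes

def two_time_pad_leak(ct1, ct2, known_fragment, offset):
    """Keystream reuse attack: ct1 XOR ct2 == pt1 XOR pt2 because the pad cancels out.
    With a known or guessed fragment of pt1 at `offset`, the same bytes of pt2 fall out."""
    mixed = xor_bytes(ct1, ct2)                       # pt1 XOR pt2
    span = mixed[offset:offset + len(known_fragment)]
    return xor_bytes(span, known_fragment)

# Constructed demo messages.
MSG1 = b"ATTACK AT DAWN"
MSG2 = b"RETREAT AT ONCE"

def demo_roundtrip():
    """Encrypt with a one-time pad and recover the plaintext with the same pad."""
    ct, pad = one_time_pad_encrypt(MSG1)
    return one_time_pad_decrypt(ct, pad) == MSG1

def demo_reuse():
    """The mistake: one pad for two messages. An eavesdropper who guesses that MSG1
    starts with 'ATTACK' learns the first six bytes of MSG2 without the pad."""
    pad = os.urandom(max(len(MSG1), len(MSG2)))
    ct1 = xor_bytes(MSG1, pad)
    ct2 = xor_bytes(MSG2, pad)
    return two_time_pad_leak(ct1, ct2, b"ATTACK", 0)

if __name__ == "__main__":
    print(demo_roundtrip())   # True
    print(demo_reuse())       # b'RETREA'
```

The attack works against any XOR-based stream cipher whose keystream repeats, not only against a pad; the same cancellation is why an IV or nonce must never be reused with the same key in OFB or counter-mode encryption.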
Key - cryptovariable
- Information or sequence that controls the enciphering and deciphering of a message
Plaintext - a message in clear text
Steganography
- Secret communication in which the existence of the message itself is hidden
- Example: the least significant bit of each pixel in an image file carries one bit of the message
- Hides the existence of the message, whereas cryptography hides its meaning
- A digital watermark (a mark embedded the same way) would be used to detect copying of digital images
Work Function (Factor)
- The difficulty of recovering plaintext from ciphertext, measured as a function of time and cost
- A system's security is directly proportional to its work function
- The work function should be commensurate with the value of the data
The security of a cryptosystem should depend ONLY on the secrecy of the keys and not on the secrecy of the algorithm (Kerckhoffs's principle).
History of Cryptography
Traced back to the Egyptians in 3000 B.C.
Scytale
- Used by the Spartans around 400 B.C.: a strip of parchment is wrapped around a wooden dowel and the message is written along the dowel
- The diameter and length of the dowel are the key to the cipher
Caesar cipher
- Monoalphabetic substitution: only one alphabet is used
- Specifically, it shifts the alphabet three letters
- Known as C3 (Caesar shift of 3 places)
Cipher Disks
- Two concentric disks with letters on the edge
- Rotating one disk against the other matches up plaintext and ciphertext letters
Arabs invented cryptanalysis
- The Arab philosopher al-Kindi (9th century) wrote "A Manuscript on Deciphering Cryptographic Messages", describing frequency analysis
Thomas Jefferson - wheel cipher
- In 1790 he developed a device with 26 disks that could be rotated individually on a spindle
- The message was assembled by lining up the disks along an alignment bar
- The bar was then rotated by a given angle and the row of letters it pointed to was the ciphertext
- The angle of rotation of the alignment bar was the key
Disks were used extensively during the Civil War
UNIX ROT13 shifts the alphabet 13 places; applying it twice restores the original, so it is obfuscation, not security
Hagelin Machine
- Boris Hagelin (Stockholm, Sweden) began developing his cipher machines in the 1920s
- His machine was adopted by the U.S. Army and known as the M-209 in the U.S.
In the 1920s Herbert O. Yardley was in charge of U.S. MI-8 (a.k.a. the Black Chamber)
- Cracked the codes of a number of nations
- Gave the U.S. an edge in the Japanese negotiations of 1921-1922
- The U.S. State Department shut down MI-8
- Upset, Yardley published the book "The American Black Chamber" in 1931
- The Japanese responded by adopting new codes
- Yardley is regarded as the father of American cryptology
William Frederick Friedman published "The Index of Coincidence and Its Applications in Cryptography" (1922). He is referred to as the "father of modern cryptography".
Japanese Purple Machine
- After Yardley, William Friedman resumed cryptanalysis for the U.S. Army
- Broke the new Japanese cipher (Purple)
- The U.S. Navy broke the Japanese naval codes during World War II
German Enigma Machine
- Polyalphabetic substitution cipher implemented with mechanical rotors
- Developed in 1919 by the German engineer Arthur Scherbius, who patented it and sold it through a Berlin firm
- Polish cryptanalysts broke the three-rotor system using a card file of all 6 x 17,576 possible settings (6 rotor orders times 26^3 rotor positions)
- In December 1938 the Germans added two more rotors to choose from (five rotors, three in use), raising the number of rotor orders from 6 to 60
- In 1938 the Poles, aided by documents obtained by French intelligence, built the "bomba", their own machine for testing Enigma settings
- The British took over in 1940 and by 1943 the British and U.S. had high-speed "bombes"
- Each rotor has 26 contacts on each side; each contact on one side connects to one contact on the neighbouring rotor
- The rotors step after the encryption of each letter
- When a rotor completes a turn it steps the next rotor, like the digits of a "gas pump" odometer; this is what makes the cipher polyalphabetic
- Other rotor machines: German Enigma, Japanese Red, Japanese Purple and the American SIGABA ("Big Machine")
Vigenère Polyalphabetic Cipher
- The Caesar cipher is a special case of the Vigenère cipher (a one-letter key)
- Vigenère uses 26 shifted alphabets
- Each letter of the message is enciphered with the alphabet selected by the corresponding letter of the repeating key
- Subject to attack by guessing the period (the key length), i.e. the point at which the alphabet changes
Modulo arithmetic returns the remainder after division by the modulus. The Caesar shift of one letter is
C = (M + b) mod N
where
C = ciphertext letter (as a number 0..N-1)
M = message letter
b = fixed integer shift (3 for the Caesar cipher)
N = size of the alphabet (26)
Vigenère uses the same formula with b replaced by the key letter for that position: C_i = (M_i + K_(i mod len(K))) mod N.
A Caesar (monoalphabetic) cipher can be attacked using frequency analysis.
A polyalphabetic cipher uses multiple substitutions, which flattens the letter frequencies and counters simple frequency analysis, but it can be attacked by discovering the period and then running frequency analysis on each column separately.
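As an added example that is not part of the original notes, the Python below implements the shift formula above for the Caesar and Vigenère ciphers and then carries out the attack the notes describe: it finds the period with Friedman's index of coincidence (a column enciphered with a single alphabet keeps the statistics of English, about 0.066, while a mixture of alphabets looks closer to random, about 0.038) and then runs frequency analysis on each column, scoring each of the 26 candidate shifts by chi-squared against English letter frequencies. The plaintext is a public-domain passage, and the key, the IC threshold and the maximum period are choices made for this example.

```python
from collections import Counter

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
# Approximate relative frequency of A..Z in English text (standard table).
ENGLISH_FREQ = [0.082, 0.015, 0.028, 0.043, 0.127, 0.022, 0.020, 0.061, 0.070, 0.0015,
                0.0077, 0.040, 0.024, 0.067, 0.075, 0.019, 0.00095, 0.060, 0.063, 0.091,
                0.028, 0.0098, 0.024, 0.0015, 0.020, 0.00074]

def normalize(text):
    """Keep letters only, upper-cased, as the classical ciphers did."""
    return "".join(c for c in text.upper() if c in ALPHABET)

def shift_char(c, b):
    """C = (M + b) mod N for a single letter, with N = 26."""
    return ALPHABET[(ALPHABET.index(c) + b) % 26]

def vigenere_encrypt(plaintext, key):
    """Each letter is shifted by the key letter at the same position; the key repeats with period len(key)."""
    pt, k = normalize(plaintext), normalize(key)
    return "".join(shift_char(c, ALPHABET.index(k[i % len(k)])) for i, c in enumerate(pt))

def vigenere_decrypt(ciphertext, key):
    k = normalize(key)
    return "".join(shift_char(c, -ALPHABET.index(k[i % len(k)])) for i, c in enumerate(ciphertext))

def caesar_encrypt(plaintext, b=3):
    """Caesar C3 is the Vigenere cipher with the one-letter key ALPHABET[b]."""
    return vigenere_encrypt(plaintext, ALPHABET[b])

def index_of_coincidence(column):
    """Probability that two letters drawn from the text are equal."""
    n = len(column)
    if n < 2:
        return 0.0
    return sum(f * (f - 1) for f in Counter(column).values()) / (n * (n - 1))

def find_period(ciphertext, max_period=20, threshold=0.055):
    """Split into p columns; the first p whose columns look like single-alphabet English is the period."""
    for p in range(1, max_period + 1):
        avg_ic = sum(index_of_coincidence(ciphertext[i::p]) for i in range(p)) / p
        if avg_ic > threshold:
            return p
    return None

def best_shift(column):
    """Frequency analysis of one column: the shift whose decryption fits English best (lowest chi-squared)."""
    n = len(column)
    scores = []
    for s in range(26):
        counts = Counter(shift_char(c, -s) for c in column)
        chi2 = sum((counts.get(l, 0) - n * f) ** 2 / (n * f) for l, f in zip(ALPHABET, ENGLISH_FREQ))
        scores.append((chi2, s))
    return min(scores)[1]

def break_vigenere(ciphertext):
    """Recover the key: discover the period, then the Caesar shift of each column."""
    p = find_period(ciphertext)
    if p is None:
        return None
    return "".join(ALPHABET[best_shift(ciphertext[i::p])] for i in range(p))

# Constructed sample: a public-domain passage (Dickens) and a key chosen for the example.
SAMPLE_PLAINTEXT = (
    "It was the best of times, it was the worst of times, it was the age of wisdom, it was the age "
    "of foolishness, it was the epoch of belief, it was the epoch of incredulity, it was the season "
    "of Light, it was the season of Darkness, it was the spring of hope, it was the winter of "
    "despair, we had everything before us, we had nothing before us, we were all going direct to "
    "Heaven, we were all going direct the other way, in short, the period was so far like the "
    "present period, that some of its noisiest authorities insisted on its being received, for good "
    "or for evil, in the superlative degree of comparison only. There were a king with a large jaw "
    "and a queen with a plain face, on the throne of England; there were a king with a large jaw "
    "and a queen with a fair face, on the throne of France. In both countries it was clearer than "
    "crystal to the lords of the State preserves of loaves and fishes, that things in general were "
    "settled for ever."
)
SAMPLE_KEY = "LEMON"

if __name__ == "__main__":
    ct = vigenere_encrypt(SAMPLE_PLAINTEXT, SAMPLE_KEY)
    print(caesar_encrypt("ATTACK AT DAWN"))       # DWWDFNDWGDZQ
    print(find_period(ct), break_vigenere(ct))   # 5 LEMON
```

Note what makes the attack work: once the period is known, each column is just a Caesar cipher with roughly 160 letters, which is plenty for frequency analysis. A running-key cipher defeats the period search because its key never repeats, and a true one-time pad defeats the frequency test as well because the key is random.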
Transposition - Permutation
- Columnar transposition: write the message vertically (in columns) and read it out horizontally (by rows)
- The letters are not replaced, only rearranged, so single-letter frequencies are preserved. Frequency analysis therefore reveals that a transposition (not a substitution) was used, but the cipher hides the statistical properties of letter pairs and triples such as IS and TOO.
Book or Running Key Cipher
- Uses text from a book as the key and performs modulo-26 addition with it
- Sender and receiver agree on a specific page and line number as the starting point
Codes - deal with words and phrases and represent them with other numbers or letters
Identify types of encryption systems
Types of cipher, their characteristics and their problems:

Classical substitution ciphers
- Replace bits, characters, or blocks of characters with different bits, characters, or blocks.
- Problem: frequency analysis.

Transposition (permutation) ciphers
- The letters of the plaintext are permuted: the original text is not replaced with different text but moved around.
- Problem: single-letter frequency analysis still works, but the cipher hides the statistical properties of letter pairs and triples such as IS and TOO.

Monoalphabetic or simple substitution ciphers
- Only one alphabet is used.
- Problem: frequency analysis.

Polyalphabetic ciphers
- Accomplished through the use of multiple substitution ciphers.
- Counters frequency analysis; however, attacked by discovery of the period.

Running key ciphers
- Use text from a book as the key and perform modulo-26 addition with it; sender and receiver agree on a specific page and line number.
- Do not require an electronic algorithm or bit alterations.

Concealment
- The true letters of the plaintext are hidden/disguised in an innocent sentence, say every third word of the sentence.
- Does not require an electronic algorithm or bit alterations.

Digital systems
- Bit-level ciphers implemented by electronic algorithms (the symmetric and asymmetric algorithms covered below).

Codes
- Deal with words and phrases and represent them with other numbers or letters.
Steganography
- Hiding the existence of the message.
- A digital watermark would be used to detect copying of digital images.

Machines
- Rotor machines such as Enigma, Purple and SIGABA (see History above).

End-to-end encryption
- Encrypted information is sent from sender to receiver: protection of data from the originating host all the way to the final destination host with no unprotected transmission points.
- In a complex environment, end-to-end encryption is provided at the presentation or application layer.
- Advantages: protected from start to finish; more flexibility; higher granularity, because each application can use a different key; the intermediate (hop) computers do not need the key to forward the traffic.
- Problems: headers, addresses, routing and trailer information are not encrypted, hence an attacker who captures packets can learn who is communicating with whom (traffic analysis). The destination must have the same encryption mechanism to properly decrypt the message.

Link-to-link (link) encryption
- Each entity shares a key with each of its two neighbouring nodes:
  Node 1 encrypts with key A
  Node 2 decrypts with key A and re-encrypts with key B
  Node 3 decrypts with key B and re-encrypts with key C
- The term refers to the use of encryption to protect a single segment between two physically contiguous nodes. It is usually a hardware device operating at layer 2. Such devices are used by financial firms to protect automatic teller machine transactions. Another common form of link encryption is the secure telephone unit (STU) used by the military.
- Provides traffic-flow security, since everything, headers included, is encrypted.
- Users need not do anything; it works at the lowest layers (physical and data link).
- Problems: key distribution and key management are more complex, because each hop computer must receive a key and, when the keys change, each must be updated. Messages are decrypted at each hop, thus there are more points of vulnerability.
- Both end-to-end and link encryption should be used together to strengthen the process: the data is encrypted end-to-end and then the entire packet, i.e. the header plus the already-encrypted data, is encrypted on the link. This gives great protection at the cost of more overhead.

One-Time Pad (Vernam cipher)
- Unbreakable when used correctly; each pad is used exactly once.
- A truly non-repeating set of random bits is combined bitwise (XOR) with the message to produce the ciphertext.
- With key K having components k1, k2, ..., kn, each component of K encrypts the corresponding component of message M with components m1, m2, ..., mn.
- The key is the same length as the message, and random.
- The key is used only once and never again.
- The key must be completely random.
- Two identical key pads, one with the sender and one with the receiver.
- Unbreakable by exhaustive search: every plaintext of the same length is equally consistent with the ciphertext.
- Relies on the physical security of the pad.
- Invented in 1917 by Gilbert Vernam of AT&T, with the U.S. Army Signal Corps adding the rule that the key is never reused.
- Problems: distribution of the pad (key) can be challenging; sender and receiver must stay perfectly synchronized on which pad material is in use; the key is as long as the message, hence infeasible in most applications. Not very practical.

Clipper Chip
- Implemented in tamper-proof hardware.
- Based on the Skipjack algorithm.
- Problems: only an 80-bit key, and the algorithm was not opened for public testing or any proof of strength at the time; the 16-bit checksum (in the law enforcement access field) can be defeated; the chip ID is tagged to, and identifies, every communication session.

Double/Triple DES - see the symmetric algorithms table below.

Public key (RSA, Elliptic curve, PGP, El Gamal, Diffie-Hellman) - see the asymmetric algorithms table below.

Escrowed encryption / Key escrow
- U.S. government Clipper chip.
- Allows law enforcement to obtain the keys to view people's encrypted data.
- The key is escrowed in two pieces with two trusted escrow agents.
- A court order is needed to get both pieces.
- Clipper chip: implemented in tamper-proof hardware; 80-bit family key and 80-bit unit key (the unit key is to be kept secret and encrypts the session key; the session key is used to encrypt the message); based on the Skipjack algorithm; key exchange through Diffie-Hellman.
- Uses public key cryptography.
- Fair Cryptosystems (Silvio Micali, MIT): the private key is split and distributed among trustees; each portion of the key can be verified without joining the portions; the public key is also split and sent along.
- Objections raised against key escrow:
  Criminal use of encryption exists regardless of escrow.
  Encryption is not regulatable outside the U.S.
  Key recovery is expensive for both government and software companies.
  Escrow has not been thoroughly tested.
  Mandatory escrow can be circumvented; there is no way to "scan" the Internet to detect use of non-escrowed encryption.
  Escrow involves humans.
  The government would hold the key to everyone's personal data.
  Under the legislation proposed at the time, keys would be released by a court subpoena, not a judicial order.
Types of Encryption
Secret Key Cryptography - Symmetric Key
- Sender and receiver both know the key
- Encrypt and decrypt with the same key
- The secret key should be changed frequently
- Requires secure distribution of keys by an alternate channel; an out-of-band method is used to exchange the key
- Ideally a key is used only once
- A secret key cryptosystem does have both public and private information (see below)
- Large keys (128 bits or more) are very hard to break by brute force
- Very fast
- The key needs to be secret
- The sender requires a different key for each receiver, so n parties need n(n-1)/2 keys
- Time stamps can be associated with the key so that it is valid only during a time window (counters replay)
- Symmetric keys on their own provide no authentication of origin and no non-repudiation, since both parties hold the same key
- Best known is DES, developed by IBM in the 1970s for commercial use
- Key management: wide distribution of keys is a problem only for symmetric keys. Distribution can be manual, through link or end-to-end encryption, and as a last choice through a key distribution center (KDC).
The algorithm need not be secret, though it must be strong. Because the algorithm need not be secret, it can be built into low-cost chip implementations which are widely available and incorporated into a number of products.
An encryption scheme is computationally secure if the ciphertext meets one or both of these criteria: the cost of breaking the cipher exceeds the value of the encrypted information, and the time required to break it is more than the useful life of the data.
Public information in a secret key cryptosystem
- The algorithm for enciphering plaintext
- Possibly some plaintext and the corresponding ciphertext
- Possibly the encipherment of chosen plaintext
Private information
- The KEY
- i.e. one cryptographic transformation out of the many possible transformations the algorithm defines
Feistel: Dr. Horst Feistel led a research project at the IBM Watson Research Lab in the 1960s which developed the Lucifer cipher. This later inspired the U.S. DES (below) and other product ciphers, creating a family labeled "Feistel ciphers". A Feistel cipher splits the block into a left and a right half and in each round computes L' = R, R' = L XOR F(R, round key). The same network run with the round keys in reverse order decrypts, so the round function F itself need not be invertible.
Design parameters of a Feistel cipher:
1. Block size: larger is safer but reduces speed; the traditional trade-off is 64 bits
2. Key size: larger is better; the trade-off is 128 bits
3. Number of rounds: more is better; 16 is typical
4. Subkey generation algorithm and round function: the more complex the better
Speed is a concern if the encryption is embedded in applications, which precludes hardware and is hence slower; ease of analysis is also desirable, but DES was not designed that way (its design rationale was not published).
Public Key Cryptography
- Employs a private key and a public key
- The public key is made available to anyone wanting to encrypt a message
- The private key is used to decrypt
- The public key cannot decrypt a message it encrypted
- Ideally the private key cannot be derived from the public key
- Whatever one key of the pair encrypts, the other key can decrypt
- The private key is kept private
- 1,000 to 10,000 times slower than secret key encryption
Hybrids use the public key to encrypt the symmetric key
Important algorithms: Diffie-Hellman, RSA, El Gamal, Knapsack, Elliptic Curve
Whitfield Diffie and Martin Hellman published "New Directions in Cryptography" (1976), introducing the idea of public key cryptography.
Key management: only transcription (publication) and storage of the public keys; no secret distribution channel is needed.
Very slow, but better key distribution and scalability, and provides confidentiality, authentication and non-repudiation.
In order to be useful, a public key system needs a trap door: a secret mechanism that enables you to compute the reverse of a ONE-WAY FUNCTION.
- A one-way function is a mathematical function that is easy to compute in one direction (the forward direction) and infeasible to compute in the opposite direction (the inverse direction)
- The forward direction could take seconds, the inverse months
- A 'trap-door one-way function' is a one-way function for which the inverse direction is easy given a piece of information (the trap door)
- Public key cryptography is based on trap-door one-way functions
- Public key: gives information about the function
- Private key: gives information about the trap door
- Whoever knows the trap door (the private key) can compute the function easily in both directions
Under public key cryptography there are three message formats:
Open message format (if authentication is more important)
- Sender encodes the message with own private key
- Receiver decodes with the sender's public key (anyone can read it, but only the sender could have produced it)
Secure message format (if confidentiality is more important)
- Sender encodes with the receiver's public key
- Receiver decodes with own private key (only the receiver can read it, but anyone could have sent it)
Secure & signed message format
- Sender encodes the message with own private key (signs)
- Sender re-encodes the result with the receiver's public key (seals)
- Receiver decodes the message with own private key
- Receiver decodes the result with the sender's public key
Hybrid systems
Using symmetric and asymmetric cryptography together, commonly just called public key cryptography: symmetric for bulk data encryption and asymmetric for protecting the encryption keys and for key distribution.
- The asymmetric algorithm performs encryption and decryption using the public and private keys
- The symmetric algorithm performs encryption and decryption using a secret key
- The secret key is used to encrypt the actual message
- The public and private keys are used to encrypt the secret key
- A secret key is synonymous with a symmetric key
- An asymmetric key refers to a public or private key
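As an added example (not from the notes), this Python implements the three message formats above with textbook RSA on small toy primes, and then the hybrid construction from the Hybrid systems passage: a random symmetric session key encrypts the bulk data and RSA protects that key. The toy primes, the SHA-256-derived keystream standing in for a real symmetric cipher, and the messages are choices made for this example only; real RSA uses 2048-bit or larger moduli, OAEP/PSS padding, and a proper cipher such as AES for the bulk data.

```python
import hashlib
import secrets
from math import gcd

def make_keypair(p, q, e=17):
    """Textbook RSA key generation from two primes: n = p*q, d = e^-1 mod phi(n)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime with phi(n)")
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (e, n), (d, n)        # (public key, private key)

def rsa_apply(key, m):
    """m^exponent mod n; the same operation serves for either key of the pair."""
    exp, n = key
    if not 0 <= m < n:
        raise ValueError("message must be an integer smaller than the modulus")
    return pow(m, exp, n)

# Open message format: sender's private key encodes, sender's public key decodes (authentication).
def open_message(sender_priv, m):
    return rsa_apply(sender_priv, m)

def read_open_message(sender_pub, sig):
    return rsa_apply(sender_pub, sig)

# Secure message format: receiver's public key encodes, receiver's private key decodes (confidentiality).
def secure_message(receiver_pub, m):
    return rsa_apply(receiver_pub, m)

def read_secure_message(receiver_priv, c):
    return rsa_apply(receiver_priv, c)

# Secure and signed: sign with own private key, then seal with the receiver's public key.
# Caveat: the signed value must be smaller than the receiver's modulus, so for this ordering
# the sender's modulus must not exceed the receiver's (the classic RSA "reblocking" problem).
def secure_signed_message(sender_priv, receiver_pub, m):
    if sender_priv[1] > receiver_pub[1]:
        raise ValueError("sender modulus must not exceed receiver modulus for sign-then-encrypt")
    return rsa_apply(receiver_pub, rsa_apply(sender_priv, m))

def read_secure_signed_message(receiver_priv, sender_pub, c):
    return rsa_apply(sender_pub, rsa_apply(receiver_priv, c))

# Hybrid system: a symmetric session key encrypts the message, RSA encrypts the session key.
def keystream(key, length):
    """Toy keystream from SHA-256 in counter mode (stand-in for a real cipher such as AES)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def hybrid_encrypt(receiver_pub, plaintext):
    """Random session key (below the toy modulus so RSA can wrap it), wrapped with the receiver's public key."""
    n = receiver_pub[1]
    session_key = secrets.randbelow(n - 2) + 2
    key_bytes = session_key.to_bytes((n.bit_length() + 7) // 8, "big")
    body = bytes(a ^ b for a, b in zip(plaintext, keystream(key_bytes, len(plaintext))))
    return secure_message(receiver_pub, session_key), body

def hybrid_decrypt(receiver_priv, wrapped_key, body):
    n = receiver_priv[1]
    session_key = read_secure_message(receiver_priv, wrapped_key)
    key_bytes = session_key.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes(a ^ b for a, b in zip(body, keystream(key_bytes, len(body))))

# Constructed toy key pairs: the sender's modulus (3233) is smaller than the receiver's (8633).
SENDER_PUB, SENDER_PRIV = make_keypair(61, 53)
RECEIVER_PUB, RECEIVER_PRIV = make_keypair(89, 97)

def demo_formats(m=1234):
    """Round-trip one small message through all three formats."""
    opened = read_open_message(SENDER_PUB, open_message(SENDER_PRIV, m))
    secured = read_secure_message(RECEIVER_PRIV, secure_message(RECEIVER_PUB, m))
    both = read_secure_signed_message(RECEIVER_PRIV, SENDER_PUB,
                                      secure_signed_message(SENDER_PRIV, RECEIVER_PUB, m))
    return opened, secured, both

def demo_hybrid(msg=b"bulk data goes through the symmetric cipher"):
    wrapped, body = hybrid_encrypt(RECEIVER_PUB, msg)
    return hybrid_decrypt(RECEIVER_PRIV, wrapped, body)

if __name__ == "__main__":
    print(demo_formats())   # (1234, 1234, 1234)
    print(demo_hybrid())    # b'bulk data goes through the symmetric cipher'
```

Two practical points the toy makes visible: with unpadded RSA the "message" must be an integer below n, which is exactly why real systems never RSA-encrypt data directly and instead wrap a fixed-size session key; and sign-then-encrypt in the secure & signed format only works when the signed value fits under the receiver's modulus.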
Symmetric algorithms

DES (Data Encryption Standard)
Developer: IBM under U.S. government contract (devised in 1972 as a derivative of the Lucifer algorithm by Horst Feistel at IBM; modified by NSA to produce the U.S. DES).
Block size: 64 bits. Key size: 56 bits.
Provides: confidentiality. It can be used in many applications, including protection of data during transmission and file security. Implemented in electronic devices including VLSI, RAM, PROM, EEPROM and ROM.
Characteristics:
- De facto industry standard for many years.
- 64-bit block size. It begins with a 64-bit key and strips off 8 parity bits (one odd-parity bit in each byte), leaving 56 effective key bits; the parity bits can be used for error detection of the key.
- 16 rounds of transposition and substitution (a Feistel cipher).
- Uses the techniques of confusion and diffusion.
- Approved as a U.S. federal standard in November 1976 and published as FIPS PUB 46 in January 1977; DES describes the Data Encryption Algorithm (DEA).
- Patented in 1974 ("Block Cipher Cryptographic System").
- For commercial and non-classified systems; never adopted for national security applications.
- Originally a single-chip (hardware) implementation, now also software.
- Increasing concern over resistance to brute-force attack: with a 56-bit key one has to try at most 2^56 (about 72 quadrillion) keys, which can be done with large networks of computers or special-purpose hardware (the EFF "Deep Crack" machine recovered a DES key in under three days in 1998). Distributed systems can break it. The U.S. government no longer uses it.
- Knowledge of the expected plaintext, or a way of automatically distinguishing plaintext from garble, is needed to recognise the correct key during a brute-force search.
- Re-certified in 1993 by the National Institute of Standards and Technology (NIST) but replaced by the Advanced Encryption Standard (AES, Rijndael).
- DES is considered vulnerable to brute-force (exhaustive) search of the key and has been replaced by Triple DES and AES. If the only attack is brute force, it is countered by longer keys; hence a 128-bit key is better.
- DES operates in four modes: Electronic Code Book (ECB), Cipher Block Chaining (CBC), Cipher Feedback (CFB) and Output Feedback (OFB).
- DES uses confusion and diffusion as suggested by Claude Shannon: confusion conceals the statistical connection between key and ciphertext and is accomplished through the non-linear S-boxes; diffusion spreads the influence of each plaintext character over many ciphertext characters and is accomplished through the P-box permutations.

3DES (Triple DES, TDEA)
Three sequential applications of DES.
Key size: 112 bits (using 2 keys) or 168 bits (using 3 keys). Block size: 64 bits. FIPS 46-3 defines 7 modes of operation for TDEA.
Characteristics:
- Triple DES (three encryptions using DEA) was used until AES was adopted, and it was anticipated that it would remain approved for government use for some time.
- Slow: the algorithm is sluggish in software (three times the cost of DES), and the 64-bit block size could be larger.
- Double encryption (double DES) is subject to the meet-in-the-middle attack: encrypt the known plaintext under every possible first key at one end, decrypt the ciphertext under every possible second key at the other end, and look for matching intermediate values. The work factor of double DES is therefore only about twice that of single DES (roughly 2^57 operations rather than 2^112), so triple DES is used instead.
- It can be done in several different ways:
  a) DES-EDE2: encrypt with key 1, decrypt with key 2, encrypt with key 1
  b) DES-EE2: encrypt with key 1, encrypt with key 2, encrypt with key 1
  c) DES-EE3 (and EDE3): encrypt with key 1, encrypt with key 2, encrypt with key 3. Most secure; however, triple DES with two keys already defeats the brute-force and meet-in-the-middle attacks with a smaller key payload.
- The three keys are also known as a key bundle.
- TDEA is a formidable algorithm with the same resistance to other attacks as DEA. With a 168-bit key bundle, brute force is not possible. Note, however, that because of the meet-in-the-middle attack the effective strength of three-key TDEA is about 112 bits, and that of two-key TDEA is lower still.
- If security were the only concern, TDEA was considered adequate for years to come.

IDEA (International Data Encryption Algorithm)
Developer: developed in Switzerland by Xuejia Lai and James Massey.
Key size: 128 bits. Block size: 64 bits, 8 rounds.
Characteristics:
- Used in PGP.
- Considered much harder to break than DES.
- Differs from DES in the round function and the subkey generation function.
- Uses both confusion and diffusion, but confusion is not achieved through S-boxes; instead it mixes XOR, addition modulo 2^16 and multiplication modulo 2^16 + 1 on 16-bit integers.
- Highly resistant to cryptanalysis.

Blowfish
Developer: Bruce Schneier. Published in 1993.
Key size: up to 448 bits. Block size: 64 bits, 16 rounds.
Characteristics:
- Fast, compact and flexible.
- Uses S-boxes, XOR and binary addition; the S-boxes are variable (derived from the key).
- Suitable: because of its high execution speed, easy implementation and compact algorithm (less than 5 KB of memory) it is used in a number of commercial applications.
- Since the subkeys and S-boxes are generated by repeated application of the cipher itself (an expensive key setup), it is not suitable for applications in which the secret key changes frequently.

Twofish
Developer: Counterpane, based on Blowfish (also by Counterpane): Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall and Niels Ferguson, U.S.A.
Key size: up to 256 bits. Block size: 128 bits, 16 rounds.
Characteristics:
- Employs "pre-whitening" and "post-whitening": additional subkeys are XORed with the plaintext before the first round and with the output after the sixteenth round, so an attacker needs to break the whitening keys in addition to the Twofish round keys.
- The MDS matrix, the pseudo-Hadamard transform (PHT) and the key additions provide diffusion.
- AES finalist.

RC5 (a family of algorithms)
Developer: Ronald Rivest, 1994. Patented by RSA (1997).
Key size: 0 to 2048 bits. Block size: 32, 64 or 128 bits. Rounds: 0 to 255.
Characteristics and suitability:
- Suitable for hardware or software; uses primitive computational operations (XOR, addition and data-dependent rotation) commonly found on microprocessors.
- Fast, with a simple algorithm.
- Variable number of rounds and variable key length.
- Easy to implement.
- Low memory requirement makes it suitable for smart cards and other devices with restricted memory; higher security with suitable parameters. A number of RSA products use it.

AES (Advanced Encryption Standard)
- A block cipher selected to replace DES; Triple DES was anticipated to remain approved for government use during the transition.
- NIST announced the AES competition in January 1997 to find a replacement for DES.
- Five finalists:
  MARS - IBM Corp. (represented by Nevenko Zunic), U.S.A.
  RC6 - RSA Laboratories (represented by Matthew Robshaw), U.S.A.
  Rijndael - Joan Daemen and Vincent Rijmen, Belgium
  SERPENT - Ross Anderson, Eli Biham and Lars Knudsen, U.K., Israel and Norway
  TWOFISH - Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall and Niels Ferguson, U.S.A.
- On October 2, 2000 NIST selected Rijndael, designed by the two Belgian cryptographers Dr. Daemen and Dr. Rijmen.
- To be used by the government for sensitive but unclassified documents (later also approved for classified information).

Rijndael (AES) block cipher
Developer: Joan Daemen and Vincent Rijmen.
Key and block size: Rijndael allows the block length and the key length to be chosen independently as 128, 192 or 256 bits; the AES standard fixes the block length at 128 bits with key lengths of 128, 192 or 256 bits. To break a 128-bit AES key by brute force is estimated (in these notes) to take 140 trillion years.
Characteristics:
1) Iterative block cipher
2) Resistance to all known attacks
3) Design simplicity
4) Code compactness and speed on a wide variety of platforms
5) The intermediate cipher result that the transformations operate on is called the "state"
6) Does not use the Feistel structure of DES
7) Uses a round transformation of three layers:
   - Non-linear layer: S-boxes (SubBytes)
   - Linear mixing layer: shifting of rows and mixing of columns (ShiftRows, MixColumns)
   - Key addition layer: an exclusive OR of the round key with the intermediate state (AddRoundKey)
8) Suitable for high-speed chips and for compact co-processors on smart cards
9) Round keys are taken from the cipher key through a key schedule which consists of key expansion and round key selection; the total number of round key bits is equal to the block length multiplied by (the number of rounds plus one)
10) High-speed chips with no area restriction
11) It is a substitution-linear transformation network (non-Feistel)
Weakness raised: one issue was with the underlying architecture; some opined that its internal mathematics is simple. The Rijndael team defended its design, pointing out that the simpler mathematics made Rijndael easier to implement in embedded hardware and that obfuscation was not needed.
NIST selected Rijndael for the following reasons:
- Good performance in both hardware and software across a wide range of computing environments
- Good performance in both feedback and non-feedback modes
- Key setup time is excellent
- Key agility is good
- Very low memory requirements
- Easy to defend against power and timing attacks without significantly impacting performance

Other finalists: SERPENT (Ross Anderson, Eli Biham and Lars Knudsen, U.K., Israel and Norway), RC6 (RSA Laboratories, represented by Matthew Robshaw, U.S.A.) and MARS (IBM Corp., represented by Nevenko Zunic, U.S.A.).
RC4 - a stream cipher from RSA (see Stream Ciphers below).
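The Python below is an added example, not taken from the notes. It builds a toy 16-bit Feistel cipher (four rounds, a 16-bit key, a made-up round function and key schedule) to show the property stated under Feistel ciphers above, that decryption is the same network run with the round keys reversed and the round function need not be invertible, and then mounts the meet-in-the-middle attack on double encryption described under 3DES: against two 16-bit keys brute force would be 2^32 trials, but the attack needs about 2 x 2^16 cipher operations plus a lookup table, which is why double DES gains almost nothing over single DES. The cipher and the secret keys are inventions for this example; the structure of the attack, not the toy cipher, is the point.

```python
ROUNDS = 4
MASK16 = 0xFFFF

def round_keys(key):
    """Toy key schedule: rotate the 16-bit key right by 4*i bits and take the low byte."""
    return [(((key >> (4 * i)) | (key << (16 - 4 * i))) & MASK16) & 0xFF for i in range(ROUNDS)]

def f(right, rk):
    """Toy non-linear round function on 8 bits. It is NOT invertible; a Feistel network does not need it to be."""
    t = right ^ rk
    return ((t * t) >> 3 ^ (t << 1) ^ (t >> 5)) & 0xFF

def feistel(block, rks):
    """One pass of the network: L' = R, R' = L XOR F(R, k) per round. The final swap is
    undone so that running the same function with the round keys reversed inverts it."""
    left, right = block >> 8, block & 0xFF
    for rk in rks:
        left, right = right, left ^ f(right, rk)
    return (right << 8) | left

def encrypt(block, key):
    return feistel(block, round_keys(key))

def decrypt(block, key):
    return feistel(block, list(reversed(round_keys(key))))

def double_encrypt(block, k1, k2):
    return encrypt(encrypt(block, k1), k2)

def meet_in_the_middle(pairs):
    """pairs: known (plaintext, ciphertext) pairs under double encryption with unknown k1, k2.
    Tabulate E_k1(p0) for every k1, then for every k2 look up D_k2(c0) in the table.
    The extra pairs weed out the chance matches that one 16-bit block cannot distinguish."""
    p0, c0 = pairs[0]
    table = {}
    for k1 in range(1 << 16):
        table.setdefault(encrypt(p0, k1), []).append(k1)
    candidates = []
    for k2 in range(1 << 16):
        for k1 in table.get(decrypt(c0, k2), ()):
            if all(double_encrypt(p, k1, k2) == c for p, c in pairs[1:]):
                candidates.append((k1, k2))
    return candidates

# Constructed secret keys and known plaintexts for the demonstration.
SECRET_K1, SECRET_K2 = 0x3A5C, 0xC7E1
KNOWN_PLAINTEXTS = [0x1234, 0xBEEF, 0x0042]

def demo_roundtrip():
    """Decrypting with reversed round keys undoes encryption for a sample of blocks."""
    return all(decrypt(encrypt(p, SECRET_K1), SECRET_K1) == p for p in range(0, 1 << 16, 97))

def demo_attack():
    """The attacker sees three (plaintext, double-ciphertext) pairs and recovers the key pair."""
    pairs = [(p, double_encrypt(p, SECRET_K1, SECRET_K2)) for p in KNOWN_PLAINTEXTS]
    return meet_in_the_middle(pairs)

if __name__ == "__main__":
    print(demo_roundtrip())                                    # True
    print([(hex(a), hex(b)) for a, b in demo_attack()])        # includes ('0x3a5c', '0xc7e1')
```

The table costs memory proportional to the key space; for real DES that is 2^56 entries, which is what makes the attack impractical in storage but still far cheaper than 2^112 work. Triple DES with the EDE construction pushes the meet-in-the-middle cost to about 2^112, the "effective 112 bits" figure cited above.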
There are 4 primary modes of operation on which block ciphers can be based:

Electronic Code Book (ECB)
- Native mode of DES (the natural mode: direct application of the block cipher)
- Block cipher mode
- ECB is applied to each 64-bit block of plaintext independently and produces the corresponding 64-bit block of ciphertext
- (Inside each DES block encryption the 64-bit input is split into a 32-bit left half and a 32-bit right half; in each round the right half is expanded to 48 bits and XORed with a 48-bit round key before going through the S-boxes.)
- For a given key there is a fixed pairing of each plaintext block with its ciphertext block, hence the name "code book"
- Problem: the weakness in ECB is that identical input blocks produce identical ciphertext blocks of the same length, so patterns in the plaintext show through, and an attacker can replay or substitute blocks without detection. Interestingly, this is a fundamental encryption flaw that also affected the Enigma.
- Suitable for short messages and non-repeating patterns. ECB is best with small amounts of data, like challenge-response operations and key management, encrypting a PIN, etc. It can be used to encrypt the IV in the case of CBC, because along with the key the IV also has to be sent.

Cipher Block Chaining (CBC)
- Widely used in security applications
- Plaintext blocks of 64 bits
- A randomly generated 64-bit Initialization Vector (IV) is XORed with the first plaintext block, which is then encrypted with DES
- The first ciphertext block is then XORed with the next 64-bit plaintext block before that block is encrypted, and so on
- An enhanced mode of ECB which chains together the blocks of ciphertext, so identical plaintext blocks give different ciphertext blocks
- Problem: errors propagate. A corrupted ciphertext block garbles that plaintext block entirely and flips the corresponding bits of the next block; after that the error stops (the mode is self-synchronizing).

Cipher Feedback (CFB)
- Stream cipher mode in which the previous ciphertext block is fed back as the input to the block cipher to produce the next keystream block
- I.e. the ciphertext is the input to DES, which generates pseudorandom bits that are XORed with the plaintext to produce the next ciphertext
- Because ciphertext is fed back, the keystream varies with the message
- Problem: errors propagate. A corrupted ciphertext block flips the corresponding bits of that plaintext block and garbles the next block entirely.

Output Feedback (OFB)
- Functions like a stream cipher by generating a pseudorandom keystream that is XORed with the plaintext to create the ciphertext
- The previous output of DES (not the ciphertext) is used as the next input, so the keystream depends only on the key and the IV
- OFB does not chain the ciphertext
- Problem: errors do not propagate; a corrupted ciphertext bit flips only the corresponding plaintext bit, which also means an attacker can flip chosen plaintext bits undetected. The IV must never be reused with the same key, because the keystream would repeat (the same problem as reusing a one-time pad).
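As an added example that is not from the notes, the Python below implements the four modes exactly as the table describes them and makes their differences observable: ECB leaks repeated plaintext blocks while CBC does not, and a single flipped ciphertext bit corrupts the recovered plaintext differently under CBC, CFB and OFB. Because the standard library has no DES, the block cipher underneath is a toy 64-bit Feistel construction built from SHA-256 (an invention for this example); the mode logic on top of it is the standard one and works unchanged over any block cipher. CFB and OFB are shown in their full-block form, inputs are whole blocks (no padding), and the key, IV and plaintext are constructed for the demonstration.

```python
import hashlib

BLOCK = 8      # 64-bit block, the same size as DES
ROUNDS = 6

def _round_fn(key, rnd, half):
    """Toy round function: SHA-256 of key, round number and the right half (stand-in for DES's F)."""
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def block_encrypt(key, block):
    """Toy 64-bit Feistel block cipher; only its one-block-in, one-block-out shape matters here."""
    left, right = block[:4], block[4:]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _round_fn(key, rnd, right))
    return right + left

def block_decrypt(key, block):
    left, right = block[:4], block[4:]
    for rnd in reversed(range(ROUNDS)):
        left, right = right, _xor(left, _round_fn(key, rnd, right))
    return right + left

def blocks(data):
    if len(data) % BLOCK:
        raise ValueError("data must be a whole number of blocks (this example does no padding)")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, pt):
    return b"".join(block_encrypt(key, b) for b in blocks(pt))

def ecb_decrypt(key, ct):
    return b"".join(block_decrypt(key, b) for b in blocks(ct))

def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for b in blocks(pt):
        prev = block_encrypt(key, _xor(b, prev))      # XOR with previous ciphertext, then encrypt
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for b in blocks(ct):
        out.append(_xor(block_decrypt(key, b), prev))
        prev = b
    return b"".join(out)

def cfb_encrypt(key, iv, pt):
    out, prev = [], iv
    for b in blocks(pt):
        prev = _xor(b, block_encrypt(key, prev))      # the ciphertext is fed back into the cipher
        out.append(prev)
    return b"".join(out)

def cfb_decrypt(key, iv, ct):
    out, prev = [], iv
    for b in blocks(ct):
        out.append(_xor(b, block_encrypt(key, prev)))  # decryption also uses the forward cipher
        prev = b
    return b"".join(out)

def ofb_crypt(key, iv, data):
    """OFB feeds the cipher OUTPUT back, so the keystream never depends on the data;
    encryption and decryption are the same operation."""
    out, state = [], iv
    for b in blocks(data):
        state = block_encrypt(key, state)
        out.append(_xor(b, state))
    return b"".join(out)

# Constructed demo inputs: fixed key and IV (never reuse an IV with the same key in practice)
# and a plaintext of four identical blocks, the pattern that ECB leaks.
KEY = b"demo-key-0123456"
IV = bytes(range(BLOCK))
PT = b"ATTACK!!" * 4

def ecb_leaks_repeats():
    return len(set(blocks(ecb_encrypt(KEY, PT)))) == 1

def cbc_hides_repeats():
    return len(set(blocks(cbc_encrypt(KEY, IV, PT)))) == len(blocks(PT))

def _bit_diff(a, b):
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def error_propagation(mode):
    """Flip one ciphertext bit in block 1 and return the number of wrong bits in each recovered block."""
    enc, dec = {"cbc": (cbc_encrypt, cbc_decrypt),
                "cfb": (cfb_encrypt, cfb_decrypt),
                "ofb": (ofb_crypt, ofb_crypt)}[mode]
    ct = bytearray(enc(KEY, IV, PT))
    ct[BLOCK + 3] ^= 0x10
    recovered = dec(KEY, IV, bytes(ct))
    return [_bit_diff(p, r) for p, r in zip(blocks(PT), blocks(recovered))]

if __name__ == "__main__":
    print(ecb_leaks_repeats(), cbc_hides_repeats())       # True True
    for mode in ("cbc", "cfb", "ofb"):
        print(mode, error_propagation(mode))
    # cbc: block 1 garbled, block 2 has 1 wrong bit; cfb: block 1 has 1 wrong bit, block 2 garbled;
    # ofb: only the single flipped bit in block 1
```

The propagation numbers are the defensive lesson: none of these modes detects tampering, and OFB in particular lets an attacker flip any plaintext bit they choose, which is why a MAC or an authenticated mode is required in addition to confidentiality.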
A block cipher is a symmetric key encryption algorithm that accepts a fixed-size block of plaintext and produces a block of ciphertext of the same length, i.e. a one-to-one mapping of blocks under the key.
Block ciphers are more suited to implementation in software, to execute on a general purpose computer. This guideline is not absolute, and there are a variety of operational reasons to choose one method over the other. Types of block ciphers: DES, 3DES, IDEA, RC5, Rijndael, Twofish; DES in CBC or ECB mode.
The secret of the secret sauce is the key. It is the key that provides the unpredictability of the encryption process.
Stream Cipher
Tend to be implemented more in hardware devices. This guideline is not absolute, and there are a variety of operational reasons to choose one method over the other. A stream cipher is a symmetric encryption algorithm and is extremely fast. Examples:
- Rotor machines
- RC4
- DES in Cipher Feedback (CFB) mode
- Link encryption
- One-time pad (Vernam cipher): with a truly random, never-reused key the ciphertext is itself random and therefore unbreakable even by brute-force attacks
- Output Feedback (OFB) mode
Linear feedback shift register (LFSR): one of the simplest finite state machines, used to generate a keystream from the key. Example with a register of 4 bits: on each clock the register shifts by one position and outputs the bit shifted out, and the new input bit is the XOR of the 3rd and 4th bits as they were before the shift.
Some of the features that a cryptographer will design into the algorithm for a stream cipher include:
1) Long periods without a repetition.
2) Functional complexity: each keystream bit should depend on most or all of the cryptovariable bits.
3) Statistically unpredictable: given n successive bits from the keystream, it is not possible to predict the (n+1)th bit with a probability different from 1/2.
4) The keystream should be statistically unbiased: there should be as many 0s as 1s, as many 00s as 10s, 01s and 11s, etc.
5) The keystream should not be linearly related to the cryptovariable (a bare LFSR fails this: its recurrence can be recovered from 2n keystream bits).
For sender and receiver to produce the same keystream, two conditions must hold: both machines must use the same cryptovariable, and both must start in the same state. The first condition, ensuring that the two machines have the same cryptovariable, is an administrative problem (key management). We can ensure that the two machines start in the same state by several means. One way is to include the initial state as part of the cryptovariable. Another way is to send the initial state to the receiver at the beginning of each message (this is sometimes called a message indicator or initialization vector).
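The following Python is an added example, not part of the notes. It implements the 4-bit LFSR just described as a linear recurrence, measures the period for a maximal-length tap choice against a non-maximal one (property 1 above), and then runs the Berlekamp-Massey algorithm to show what property 5 warns about: the shortest LFSR that produces an observed keystream, taps and state included, is recovered from just 2n bits of output, after which every later keystream bit is predictable. The tap choices and the seed are constructed for the example.

```python
def lfsr_step(state, taps):
    """One clock of a Fibonacci LFSR. state[0] is the oldest bit and is shifted out; the new bit
    is the XOR of the bits `taps` positions back, so taps=(4, 3) means
    s[n] = s[n-4] XOR s[n-3]: the 4th and 3rd bits of a 4-bit register, taken before the shift."""
    n = len(state)
    new_bit = 0
    for t in taps:
        new_bit ^= state[n - t]
    return state[1:] + [new_bit]

def keystream(seed, taps, length):
    """Generate `length` keystream bits from a nonzero seed."""
    state, out = list(seed), []
    for _ in range(length):
        out.append(state[0])
        state = lfsr_step(state, taps)
    return out

def period(seed, taps):
    """Clock the register until it returns to the seed state (property 1: long period)."""
    state, count = list(seed), 0
    while True:
        state = lfsr_step(state, taps)
        count += 1
        if state == list(seed):
            return count

def berlekamp_massey(bits):
    """Return (L, C): the length L of the shortest LFSR generating `bits` and its connection
    polynomial C, such that bits[i] = XOR over j=1..L of (C[j] AND bits[i-j]).
    Only 2L bits of keystream are needed to pin the recurrence down."""
    n = len(bits)
    c, b = [1] + [0] * n, [1] + [0] * n
    L, m = 0, -1
    for i in range(n):
        d = bits[i]                                   # discrepancy between prediction and reality
        for j in range(1, L + 1):
            d ^= c[j] & bits[i - j]
        if d:
            t = c[:]
            shift = i - m
            for j in range(n + 1 - shift):
                c[j + shift] ^= b[j]
            if 2 * L <= i:
                L, m, b = i + 1 - L, i, t
    return L, c[:L + 1]

def predict_rest(bits, total):
    """Attacker: from an observed prefix, recover the recurrence and extend the keystream."""
    L, c = berlekamp_massey(bits)
    out = list(bits)
    while len(out) < total:
        nxt = 0
        for j in range(1, L + 1):
            nxt ^= c[j] & out[-j]
        out.append(nxt)
    return out

SEED = [0, 0, 0, 1]        # constructed nonzero seed
MAXIMAL_TAPS = (4, 3)      # primitive feedback polynomial: period 2^4 - 1 = 15
WEAK_TAPS = (4, 2)         # x^4 + x^2 + 1 = (x^2 + x + 1)^2 is not primitive: period only 6

def demo_attack():
    """An eavesdropper who sees the first 8 bits (2n) predicts the next 22 exactly."""
    full = keystream(SEED, MAXIMAL_TAPS, 30)
    return predict_rest(full[:8], 30) == full

if __name__ == "__main__":
    print(period(SEED, MAXIMAL_TAPS), period(SEED, WEAK_TAPS))    # 15 6
    print(berlekamp_massey(keystream(SEED, MAXIMAL_TAPS, 30)))    # (4, [1, 0, 0, 1, 1])
    print(demo_attack())                                          # True
```

Practical stream ciphers that start from LFSRs (A5/1, E0, the Grain family) therefore add non-linear filtering or combining of several registers to raise the linear complexity far beyond the register length; with a bare register, property 1 can be satisfied while properties 2 and 5 fail completely.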
Common Asymmetric Algorithms
RSA and the other public key systems are used largely as key distribution systems:

RSA
Developer: Rivest, Shamir and Adleman. Introduced in 1977, the year after Diffie-Hellman.
Provides: confidentiality, authentication and non-repudiation; encryption, key exchange and digital signatures.
Characteristics:
- Based on the difficulty of factoring a number which is the product of two large prime numbers (of maybe 200 digits each). A 512-bit modulus is insecure, 768 bits moderately secure, and 1024 bits was considered good when these notes were written (2048 bits or more is the current minimum).
- Suitable for high-speed chips and compact co-processors on smart cards.
- Two possible approaches to defeating RSA: the brute-force approach (try all possible private keys), and factoring the modulus into its two large primes.

Diffie-Hellman
Developer: Whitfield Diffie and Martin Hellman, who "came up with the whole public key/private key concept".
Provides: key distribution (key agreement) only.
Characteristics:
1) Invented in 1976; the first public key algorithm
2) Key agreement protocol
3) Security stems from the difficulty of calculating discrete logarithms in a finite field. While it is relatively easy to calculate exponentials modulo a prime, it is very difficult to calculate discrete logarithms. For large primes, the latter task is considered infeasible.
4) Used for distribution of a shared key but not for message encryption/decryption
5) Vulnerable to 'man in the middle' attacks, since the peers are not authenticated; the result was the Station-to-Station protocol, which adds signatures on the exchanged values
6) Patent expired in 1997

El Gamal
Developer: Dr. Taher El Gamal.
Provides: digital signatures and encryption.
Characteristics:
- Extended Diffie-Hellman to include signatures and encryption.
- The first un-patented public key cryptosystem for digital signatures based on the discrete logarithm problem.

Merkle-Hellman Knapsack
Provides: encryption (historical).
Characteristics:
- Given a set of items with fixed weights, determine which items must be added in order to obtain a given total weight.
- Illustrated using super-increasing weights (each weight greater than the sum of all previous ones), which makes the private form of the problem easy to solve.
- The basic scheme was broken (Shamir, 1982) and is of historical interest only.

ECC (Elliptic Curve Cryptography)
Developer: first proposed in 1985 independently by Victor Miller (IBM) and Neal Koblitz (University of Washington).
Key size: 160-bit key (comparable to 1024-bit RSA at the time).
Provides: digital signatures, encryption and key management.
Characteristics:
- The elliptic curve discrete logarithm problem is harder to compute than the general discrete logarithm problem, so smaller keys give the same level of security as RSA: higher strength per key bit.
- Suited to smart cards and wireless devices (less memory and processing). Suitable for high-speed chips and compact co-processors on smart cards.
- No other advantage than speed and key size over RSA.
- A good fit where: computational power is limited; integrated circuit space is limited; high speed is required; intensive signing, verifying or authenticating is required; signed messages are stored or transmitted; bandwidth is limited; wireless communications and some networks.
Asymmetric and Symmetric Key Comparisons
Asymmetric Key    Symmetric Key
512 bits          64 bits
1024 bits         80 bits
1729 bits         112 bits
2304 bits         128 bits
Like symmetric algorithms, public key encryption implementations do not rely on the obscurity of their
algorithm, but use key lengths that are so long that a brute-force attack is infeasible. Asymmetric
encryption keys are based on prime numbers, which limits the population of numbers that can be
used as keys.
Comparison of DES and RSA:
CHARACTERISTIC          DES                              RSA
Relative Speed          Fast                             Slow
Functions Used          Transposition and Substitution   Multiplication
Key Length              56 bits                          400-800 bits
Least Cost Attack       Exhaustion                       Factoring
Cost of Attack          Centuries                        Centuries
Time to generate a key  Microseconds                     Tens of Seconds
Key Type                Symmetric                        Asymmetric
Note: Most products use symmetric key cryptography to encrypt files, messages, sessions and objects, but
use asymmetric key cryptography to exchange and protect keys.
Preferred Crypto algorithms should have the following properties:
 No reliance on algorithm secrecy
 Explicitly designed for encryption
 Available for analysis
 Subject to analysis
 No practical weaknesses
PKC systems are based on problems that are difficult to solve (hard problems):
Factoring large integers that are the product of large primes:
 RSA
Discrete logarithm problem (difficulty of taking logarithms in finite fields):
 Diffie-Hellman
 El Gamal encryption schemes & signature algorithms
 Schnorr's signature algorithm
 Nyberg-Rueppel's signature algorithm
 Station-to-station protocol for key agreement (STS)
 Digital Signature Algorithm (DSA)
 Elliptic Curve Crypto (ECC) (only speed is a factor) – higher key strength compared to RSA.
 DSS (Digital Signature Standard) - NIST & NSA proposed in 1991
 LUC
Mathematical Problems
 Factoring
 Given P, Q, it is easy to compute P*Q
 Given the product N = P*Q, it is not easy to compute P and Q
 Pick E (the encryption exponent)
 Compute D so that D*E ≡ 1 mod (P-1)*(Q-1)
 But there are attacks against factoring that are better than exhaustion
 This is why parameters have to be large (512, 1024, 2048)
 Discrete Logs
 Based on two facts:
 Exponentiation is easy: if you have G and X, it is easy to compute S = G^X (mod P)
 Logarithms are hard: if you have S and G, it is hard to find X such that G^X = S (mod P)
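The two discrete-log facts above, and the Diffie-Hellman exchange built on them, as an added example (not part of the original notes). The prime and generator are constructed toy values so that the logarithm can be brute-forced on purpose; real groups are thousands of bits.

```python
"""Toy Diffie-Hellman key agreement over a small prime field.

Added example, not from the original notes.  P and G are constructed toy
parameters: the exponentiation is instant and the discrete logarithm can
still be brute-forced, which is exactly the gap that disappears once P has
thousands of bits (RFC 3526 / RFC 7919 groups).
"""
import secrets

P = 2 * 1019 + 1   # 2039; both 1019 and 2039 are prime, so P is a safe prime
G = 2              # toy generator choice; any element of large order works here


def dh_keypair(p=P, g=G):
    """Return (private, public) with public = G^private mod P (the easy direction)."""
    x = secrets.randbelow(p - 2) + 1          # private exponent in [1, P-2]
    return x, pow(g, x, p)


def dh_shared_secret(my_private, their_public, p=P):
    """Each side raises the other's public value to its own private exponent:
    (G^a)^b == (G^b)^a mod P, so both sides agree without sending a or b."""
    return pow(their_public, my_private, p)


def discrete_log_bruteforce(g, s, p):
    """Find X with G^X = S (mod P) by trying every exponent (the hard direction).

    Work grows with the group order: feasible for P = 2039, hopeless for a
    2048-bit prime.  Returns None if no exponent matches.
    """
    acc = 1
    for x in range(p):
        if acc == s:
            return x
        acc = acc * g % p
    return None


def run_exchange(p=P, g=G):
    """Simulate the two-message exchange and return (alice_key, bob_key).

    Nothing here authenticates the peers, which is the gap the notes say the
    station-to-station protocol closes by signing the exchanged values.
    """
    a_priv, a_pub = dh_keypair(p, g)          # Alice -> Bob: a_pub
    b_priv, b_pub = dh_keypair(p, g)          # Bob -> Alice: b_pub
    return dh_shared_secret(a_priv, b_pub, p), dh_shared_secret(b_priv, a_pub, p)
```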
Usage of public key cryptography
1) For encryption and decryption: encrypt the message with the receiver's public key
2) For digital signatures: encrypt the message digest or MAC value with the sender's private key
3) Key exchange: two sides co-operate to exchange session keys.

Algorithm        Encryption/Decryption   Digital signature   Key exchange
RSA              Yes                     Yes                 Yes
ECC              Yes                     Yes                 Yes
Diffie-Hellman   -                       -                   Yes
DSS              -                       Yes                 -
Hash algorithms:
A hash algorithm is a one-way cryptographic function. When applied to a data object, it outputs a fixed-size output, often called a message digest (fingerprint). It is conceptually similar to a checksum, but is
much more difficult to corrupt.
One-way hash function: reversible by a trap door; provides confidentiality and authentication.
One-way hash algorithm: irreversible; provides only integrity.
Purpose of Digital Signatures
 To detect unauthorized modifications and to authenticate identity and non-repudiation.
 Generates a block of data smaller than the original data
 One-way hash functions
 A one-way hash produces a fixed size output (digest)
 Has the good hash function characteristics listed below
After the message digest is calculated it is encrypted with the sender's private key.
The receiver decrypts using the sender's public key; if it opens then it is from the sender.
Then the receiver computes the message digest of the sent file; if the hash is the same it has not been modified.
Hash functions are much faster than encryption processes and can be utilized to enhance performance while
maintaining integrity.
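The factoring-based arithmetic from "Mathematical Problems" (D*E ≡ 1 mod (P-1)*(Q-1)) and the hash-then-sign procedure just described, worked through in one added example that is not part of the original notes. The primes are constructed toy values, SHA-256 stands in for the MD5/SHA-1 the notes mention, and no padding scheme is applied, so this illustrates the arithmetic only.

```python
"""Textbook RSA with toy primes: key generation, encryption/decryption, and a
hash-then-sign digital signature.  Added example, not from the original notes.
No padding (PKCS#1 v1.5 / OAEP / PSS) is used; production code must use a
vetted library with padded schemes.
"""
import hashlib
from math import gcd

P, Q = 1009, 1013          # constructed toy primes; real keys use hundreds of digits


def rsa_keygen(p=P, q=Q, e=65537):
    """Return (public, private) as ((N, E), (N, D)) with D*E ≡ 1 mod (P-1)(Q-1)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("E must be coprime to (P-1)*(Q-1)")
    d = pow(e, -1, phi)                      # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def rsa_encrypt(pub, m):
    """Encrypt with the receiver's public key (usage 1 in the notes)."""
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)


def rsa_decrypt(priv, c):
    n, d = priv
    return pow(c, d, n)


def digest_int(message: bytes, n: int) -> int:
    """Hash the message and reduce the digest below the modulus.

    The notes sign the digest, not the message.  The reduction mod n is only
    needed because the toy modulus is far smaller than a real digest.
    """
    h = hashlib.sha256(message).digest()
    return int.from_bytes(h, "big") % n


def sign(priv, message: bytes) -> int:
    """Sender: compute the digest, then 'encrypt' it with the private key."""
    n, _ = priv
    return rsa_decrypt(priv, digest_int(message, n))   # private-key operation


def verify(pub, message: bytes, signature: int) -> bool:
    """Receiver: 'decrypt' with the public key and compare to a fresh digest."""
    n, _ = pub
    return rsa_encrypt(pub, signature) == digest_int(message, n)


def factor_modulus(n):
    """Recover P and Q by trial division.

    Instant for the toy modulus, which is the notes' point that parameters
    have to be large: the private key falls out of (P-1)(Q-1) once N is factored.
    """
    f = 2
    while f * f <= n:
        if n % f == 0:
            return f, n // f
        f += 1
    return None
```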
Good hash function characteristics
1. The hash should be computed on the entire message.
2. The hash should be a one-way hash function so that messages are not disclosed by their signatures
(the original message should not be recoverable) – the one-way property.
3. It should be impossible, given a message and its hash value, to compute another message with the
same hash value – collision resistance.
4. It should be resistant to birthday attacks, meaning an attacker should not be able to find two
messages with the same hash value – a larger output is stronger and less vulnerable to brute force
attacks such as the birthday attack.
A one-way hash can be used with or without encryption. Encryption is sometimes discouraged due to
higher hardware cost, export regulations, slowness in software, and unsuitability for small data values such
as a hash.
Hash: MD2
Developed by: Ron Rivest
Blocks and hash size: 128 bit hash value
Other characteristics: Slower than MD5 & MD4. MD2 is a hash function that has a collision vulnerability.

Hash: MD4
Developed by: Ron Rivest
Blocks and hash size: 128 bit hash value
Other characteristics: Used for high speed computation in software implementations and is optimized for microprocessors. Problem: the hash function's poor one-way property.

Hash: Haval
Blocks and hash size: Variable length one-way hash; blocks of 1024 bits.
Other characteristics: Modification of MD5.

Hash: MD5
Developed by: Ronald Rivest in 1991
Blocks and hash size:
 Produces a 128 bit message digest from an arbitrary length of data
 512 bit blocks processed in four distinct rounds; 64 (4 of 16) rounds
 4 primitive logical functions and 64 additive constants used
 Infinite input size
Other characteristics: Message Digest (MD) is the most common hash function today. Commonly used as a data integrity checking tool, such as in Tripwire and other products.

Hash: SHA-1
Developed by: NSA
Blocks and hash size:
 160 bit hash if the input is < 2^64 bits
 512 bit blocks of data; padding bits are added to the message to make it a multiple of 512. The length of the message is the number of bits in the message.
 80 rounds (4 rounds of 20)
 4 primitive logical functions and 4 additive constants used
Other characteristics:
 Provides integrity of the message.
 The algorithm takes the message as input and produces the hash (called a cryptographic hash).
 It is relatively easy to compute the hash for a given value, which makes hardware and software implementations practical.
 It is computationally infeasible to find a message that corresponds to a given message digest.
 It is computationally infeasible to find two different messages that produce the same message digest (computationally impractical to find any pair with the same hash).
 Resistant to "birthday" attacks and brute force attacks.
 Used in PGP. Used for generating the digest for digital signatures; the digest is input into DSA to get the digital signature.
 Computing the SHA-1 digest and then processing it with DSA to either generate or verify the signature is more efficient for the shorter digest than applying DSA to the longer message.

Hash: Message Authentication Code (MAC)
Blocks and hash size: Last 16 bit or 32 bit code from the ciphertext generated by the DES algorithm on the message.
Other characteristics:
 Provides authentication but not confidentiality; carries a proper sequence number, hence the sequence of the messages is ensured.
 Combination of encryption and hashing; a key-dependent one-way hash. Requires a symmetric key in the process: the hash is encrypted with the symmetric key. DES is recommended for the encryption of the message and the last 16 bit or 32 bit ciphertext code is taken / used as the code.
 Similar to encryption, however the authentication algorithm need not be reversible. Produces a smaller fixed length output that is not designed for decryption, hence need not be reversible.

Hash: HMAC
Design objectives:
 An available hash function must be used
 Allow replaceability of the hash function
 Preserve the performance of the hash function
 Use and handle keys in a simple way
 Have a well understood cryptographic analysis of the strength of the authentication mechanism based on reasonable assumptions about the embedded hash function.
Other characteristics:
 Uses a key to generate a Message Authentication Code which is used as a checksum.
 The hash function is either MD5 or SHA-1, which is incorporated with a secret key into the existing hash algorithm.
 HMAC can be used with any iterative cryptographic hash function (MD5, SHA-1) in combination with a secret shared key.
 The cryptographic strength of HMAC depends on the properties of the underlying hash function.
 It is now mandatory to use HMAC in IP security, and it is used in TLS & SET.

Hash: Digital Signature Standard (DSS) & Secure Hash Standard
Developed by: NIST, proposed in 1991
Blocks and hash size: Condenses the message to 160 bits (uses the Secure Hash Algorithm, SHA-1). Key size 512-1024 bits.
Other characteristics:
 Enables use of the RSA digital signature algorithm or DSA – Digital Signature Algorithm (based on El Gamal).
 Both use the Secure Hash Algorithm to compute the message digest, which is then processed by DSA to generate or verify the signature. The message digest is used instead of the longer message because it is faster.
 Generates and verifies signatures. Provides authentication and integrity, i.e. identifies the signatory and ensures the integrity of the data.
 Modular arithmetic: exponentiations of large numbers. Security comes from the difficulty of inverting the exponentiations; equivalent to factoring (RSA).
 FIPS 186: This Standard specifies a Digital Signature Algorithm (DSA) appropriate for applications requiring a digital rather than written signature. The DSA digital signature is a pair of large numbers represented in a computer as strings of binary digits.
 Provides authentication, integrity and non-repudiation.

Hash: Digital Signature Algorithm (DSA)
Other characteristics:
 Only for digital signature and not for encryption (unlike RSA which does both).
 Other signature algorithms include:
 •Nyberg-Rueppel
 •Schnorr

Hash: RIPEMD-160
Blocks and hash size:
 160 bit hash
 512 bit block size
 160 rounds (5 paired rounds of 16)
 5 primitive logical functions and 9 additive constants used
 Infinite input length.
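The HMAC construction behind the design objectives above (a replaceable iterative hash combined with a secret shared key), as an added example that is not part of the original notes. It uses only the Python standard library; the helper names are hypothetical, and the RFC 2104 ipad/opad construction is reproduced so the result can be compared with the stdlib hmac module.

```python
"""HMAC built from a replaceable iterative hash, following RFC 2104:
    HMAC(K, m) = H((K' xor opad) || H((K' xor ipad) || m))
Added example, not from the original notes.  hashlib/hmac are standard
library; hmac_rfc2104, mac_verify and matches_stdlib are hypothetical names.
"""
import hashlib
import hmac

IPAD = 0x36
OPAD = 0x5C


def hmac_rfc2104(key: bytes, message: bytes, hash_name: str = "sha256") -> bytes:
    """Compute HMAC over any hashlib algorithm ('md5', 'sha1', 'sha256', ...).

    Only the hash name changes between variants, which is the 'replaceability'
    objective: the construction never touches the hash internals.
    """
    block = hashlib.new(hash_name).block_size      # 64 bytes for MD5/SHA-1/SHA-256
    if len(key) > block:                           # long keys are hashed first...
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(block, b"\x00")                # ...then zero-padded to one block
    inner = hashlib.new(hash_name, bytes(k ^ IPAD for k in key) + message).digest()
    return hashlib.new(hash_name, bytes(k ^ OPAD for k in key) + inner).digest()


def mac_verify(key: bytes, message: bytes, tag: bytes, hash_name: str = "sha256") -> bool:
    """Receiver-side check: recompute and compare in constant time, so a
    forged tag cannot be refined byte by byte from response timing."""
    return hmac.compare_digest(hmac_rfc2104(key, message, hash_name), tag)


def matches_stdlib(key: bytes, message: bytes, hash_name: str = "sha256") -> bool:
    """Cross-check the hand-rolled construction against Python's hmac module."""
    return hmac_rfc2104(key, message, hash_name) == hmac.new(key, message, hash_name).digest()
```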
Public Key Certification Systems
A source could post a public key under the name of another individual.
Digital certificates counter this attack: a certificate binds individuals to their keys.
A Certificate Authority (CA) acts as a notary to bind the key to the person.
A CA must be cross-certified by another CA.
Public Key Infrastructure - (PKI)
Integration of digital signatures and certificates.
 Digital Certificates
 Certificate Authorities (CA)
 Registration Authorities
 Policies and procedures
 Certificate Revocation
 Non-repudiation support
 Time stamping
 Lightweight Directory Access Protocol
 Security Enabled Applications
 Cross Certification
 Provides access control, authentication, confidentiality, integrity, non-repudiation
 Assumes that the receiver's public identity can be positively ensured through certificates and that the DH
exchange will automatically negotiate the process of key exchange.
A PKI identifies users, creates and distributes certificates, maintains and revokes certificates, distributes and
maintains encryption keys, and enables all technologies to communicate and work together for the
purpose of encrypted communication.
A digital certificate binds the certificate to its particular owner with a unique serial number within the
CA. The popular certificate format is the X.509 v3 certificate.
Separate keys can be used for digital signature and encryption: layers of necessary protection.
Cryptographic Attacks (what is known to the cryptanalyst in each case)
Ciphertext only: the encryption algorithm; the ciphertext to be decoded.
Known plaintext: the encryption algorithm; the ciphertext to be decoded; one or more plaintext/ciphertext pairs formed with the secret key.
Chosen plaintext: the encryption algorithm; the ciphertext to be decoded; a plaintext message chosen by the cryptanalyst, together with its corresponding ciphertext generated with the secret key.
Chosen ciphertext: the encryption algorithm; the ciphertext to be decoded; a purported ciphertext chosen by the cryptanalyst, together with its corresponding decrypted plaintext generated with the secret key.
Portions of the ciphertext are selected for trial decryption while having access to plaintext; the goal is to figure out the key. The attacker has some plaintext, can capture an encrypted message and therefore capture the ciphertext. Once a few pieces of the puzzle are discovered, the rest is accomplished by reverse-engineering and trial-and-error attempts.
Chosen text: the encryption algorithm; the ciphertext to be decoded; a plaintext message chosen by the cryptanalyst, together with its corresponding ciphertext generated with the secret key; and a purported ciphertext chosen by the cryptanalyst, together with its corresponding decrypted plaintext generated with the secret key.
Birthday Attack
 You are in a room: how many people are needed for a better than 50/50 chance of another person having your birthday? Need 253 people.
 How many people are needed for a better than 50/50 chance of two people having the same birthday? Need 23 people.
Applied to hashing, the attack looks for two different messages that have the same message digest.
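The arithmetic behind the 253 and 23 figures, generalised from birthdays to an n-bit digest space, as an added example that is not part of the original notes. The function names are hypothetical.

```python
"""Birthday-paradox arithmetic: 'someone shares my birthday' versus 'some two
people share a birthday', then the same bound for a hash digest space.
Added example, not from the original notes.
"""
import math


def p_someone_shares_mine(n, days=365):
    """P(at least one of n other people has my birthday): 1 - (1 - 1/days)^n."""
    return 1 - (1 - 1 / days) ** n


def p_any_two_share(n, days=365):
    """P(some pair among n people shares a birthday), exact product form."""
    p_none = 1.0
    for i in range(n):
        p_none *= (days - i) / days
    return 1 - p_none


def people_needed(prob_fn, threshold=0.5, days=365):
    """Smallest n for which prob_fn(n) exceeds the threshold."""
    n = 1
    while prob_fn(n, days) <= threshold:
        n += 1
    return n


def collision_trials(digest_bits):
    """Approximate number of random messages for a 50% chance of a collision in
    a b-bit digest: about sqrt(2 ln 2) * 2^(b/2).  A brute-force search for a
    message matching one given digest needs about 2^b, which is why the notes
    say a larger output is stronger against the birthday attack."""
    return math.sqrt(2 * math.log(2)) * 2 ** (digest_bits / 2)
```

Treating a 16-bit toy digest as 65536 "days" gives the same 50% point at roughly 302 messages, versus 65536 for a targeted search.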
Brute Force Attack – try every possible combination
Adaptive Chosen Plaintext – the selection of plaintext is altered based on previous results
Adaptive Chosen Ciphertext – chosen ciphertexts are selected for trial decryption where the selection is based
on previous results
Meet in the Middle – for attacking double encryption: work from each end and compare in the middle
Differential Cryptanalysis – against private key cryptography; looking at text pairs after encryption, looking for
differences
Linear Cryptanalysis – using plaintext and ciphertext to generate a linear approximation of a portion of
the key
Differential Linear Cryptanalysis – using both linear and differential approaches; S-boxes are used to
minimize the danger from an attack called differential cryptanalysis.
Factoring – using mathematics to determine the prime factors of large numbers
Statistical – exploiting the lack of randomness in key generation
Dictionary attack – with a database of one-way function passwords, a dictionary program and a captured
password file, this attack can be accomplished.
Replay attack – the attacker is able to intercept an encrypted secret message but not able to readily decrypt the
message… OS flaws, memory residue, temporary files, differential power analysis, distributed
computing…
Time stamping and sequence numbering are two measures to counter this.
Active attacks include:
Replay – countered by timestamping & block chaining
Substitution – countered by block chaining
Modification of messages
Denial of service
Statistical attacks: based on a statistical weakness in the design – more 1s than 0s in the key stream.
Analytic attacks: use the algorithm and algebraic manipulation to reduce complexity – RSA factoring and
Double DES are examples.
Implementation attacks: weak implementation.
Even when an algorithm is correctly implemented, the overall system security posture may be weakened by
some other factor. Key generation is a weak spot. If an attacker discovers a pattern in key generation, it
effectively reduces the total population of possible keys and greatly reduces the strength of the implementation.
A recent example was the failure of one of the original implementations of Netscape's SSL, which used
a predictable time-based technique for random number generation. When subjected to statistical analysis,
few man-made devices can provide sufficiently random output.
Man in the middle: C replaces B's public key with his own…. Prevented by PKI/digital certificates.
The attacker intercepts messages and forwards modified versions, replacing the public keys that are kept on a
public server, and acts as a middleman.
Clear text attack & ciphertext only attack – cannot work on a key-encrypting key.
Passive attacks involve listening in, eavesdropping, or monitoring of information, which may lead to
interception of unintended information, or traffic analysis where information is inferred.
Traffic analysis – inference of information from analysis of traffic (presence, absence, frequency, etc.).
Traffic padding – generation of spurious data units & padding are the counters.
Dictionary attacks have proved immensely successful in attacking and compromising UNIX systems and
Windows NT systems. UNIX systems generally use the crypt() function to generate theoretically
irreversible encrypted password hashes. The problem is that some users choose weak passwords based on real
words. It is possible to use a dictionary of words with this well known function until there is a match
with the encoded password. In Windows NT, it is possible by obtaining a copy of the NT SAM file, which
contains the encrypted passwords.
Cryptographically secure digital timestamps (CSDTs) have been used for a variety of purposes,
including document archiving, digital notary services, etc. By adding a CSDT to every digital
certificate issued within a PKI, one now has a method for ensuring not only that the certificate is valid, but
also at what point in time that validity was declared.
Time stamps: the primary component of a CSDT is the timestamp itself, and a time source is required.
To allow high volume transactions, a 16-bit sequence number is appended to the timestamp to ensure that there
can be no two CSDTs with the identical time.
If the time resolution is 0.0001 sec, it is possible to issue 65,536 CSDTs that all happen within that same
0.0001 sec.
Hash of the certificate: for a CSDT to be bound to a particular certificate, some data must be included to
tie it to the certificate in question. A hash generated by a known and trusted algorithm, such as SHA-1 or
MD5, is used to provide this connection. This is the same hash that is calculated and encrypted during the
Certificate Authority signing process.
To resist ciphertext-only attacks, good practice requires that all such patterns as format (e.g., file or email message), language (e.g. English), alphabet (e.g. Roman), and public code (e.g., ASCII or EBCDIC) in
the clear text object must be disguised before the object is encrypted. (pg 376 vol 1)
In a brute force attack, one tries keys one after another until one finds the key in use. There are two ways: clear- and ciphertext attacks, and ciphertext-only attacks. Neither of these attacks will work on a key-encrypting key, if the principles of key management are adhered to.
Note: On average, the correct key will be found once half of the total key space has been tried in a
brute force attack.
It is not always practical to provide a digital certificate with every signed object, and high-assurance CAs
need a CRL server. A directory service is a distributed database optimized for reading that can make both
CRLs and certificates available on a wide area network (WAN) or the Internet. Most directory services
are based on the X.500 standard and use the extensible format X.509 to store digital certificates.
Point: Encryption rarely improves availability, but if mission-critical encryption services fail, then
availability requirements will probably not be met. Use of a cryptographically based strong authentication
system to prevent denial-of-service attacks would be an example of using encryption to increase
availability.
Boomerang Attack:
Recently, a means of improving the flexibility of differential cryptanalysis was discovered by David A.
Wagner. Called the boomerang attack, it allows the use of two unrelated characteristics for attacking two
halves of a block cipher.
A technique called the boomerang amplifier attack works like this: instead of considering the pairs of
inputs, differing by the XOR required for the characteristic of the first few rounds, as completely
independent, one could note that it would be quite likely that somehow, taking two such pairs at a time, one
could obtain any desired XOR difference between two such pairs by the birthday paradox. This allows a
boomerang attack to be mounted with only chosen plaintext, instead of adaptive chosen ciphertext as well.
Email Security
 Non-repudiation
 Confidentiality of messages
 Authentication of Source
 Verification of delivery
 Labeling of sensitive material
 Control Access
E-mail Security and Internet Security protocols (characteristics/features, what each provides, and in which layer)

Protocol: PEM (Privacy Enhanced Mail)
Characteristics/features:
 Internet Standard to provide secure email over the internet.
 A standard proposed by the IETF, compliant with the Public Key Cryptography Standards (PKCS).
 Developed by a consortium of Microsoft, Sun, and Novell.
 DES in CBC mode; Triple DES-EDE – symmetric encryption.
 MD2 and MD5 message digest.
 RSA public key – signatures and key distribution.
 X.509 certificates and formal CA.
Provides what: Confidentiality, authentication, message integrity, key management, non-repudiation.
In which layer: Application level protocol.

Protocol: RIPEM
Characteristics/features: A public domain implementation of the PEM protocol, although not in its entirety.

Protocol: Message Security Protocol (MSP)
Characteristics/features: Military PEM; X.400 compatible.
Provides what: Encryption (confidentiality).
In which layer: Application layer.

Protocol: PGP (Pretty Good Privacy)
Characteristics/features:
 Phil Zimmerman
 No CA; uses a "web of trust"
 Users can certify each other
 Uses passphrases
 The user keeps the collection of signed public keys he has received from other users in a file referred to as a key ring.
 It provides a number of mechanisms for ensuring that one is using the correct and intended public key for a correspondent. One of these is called the "key fingerprint".
 Public domain software
 Not endorsed by the NSA.
 Bound by federal export laws due to its usage of the RSA, IDEA, Diffie-Hellman, 3DES and CAST algorithms.
Provides what:
 Confidentiality through IDEA (block cipher with 128 bit key)
 Integrity through MD5 hashing, or SHA to generate digital signatures
 Authentication by using PKC
 Non-repudiation by use of cryptographically signed messages
In which layer: Application level protocol.

Internet Security

Protocol: HTTP
Characteristics/features: Stateless protocol for development of web pages. HTTP is a stateless protocol because each command is executed independently without any knowledge of the commands that came before it. The shortcoming of HTTP for implementing Web sites that react intelligently to user input is being addressed in a number of new technologies including ActiveX, Java, JavaScript and cookies.
In which layer: Application layer.

Protocol: S-HTTP
Characteristics/features:
 Designed to send individual messages securely.
 Stateful protocol; does not get disconnected like HTTP.
 Can be used to secure individual WWW documents.
 Computes a hash value of the message, and the value can be digitally signed.
 Can use public key technology, symmetric, PEM etc. – shows flexibility.
Provides what: Encryption and hashing; provides authentication through digital signatures.
In which layer: Application layer protocol.

Protocol: SSL / TLS
Characteristics/features:
 Developed by Netscape in 1994.
 Uses public key to authenticate the server to the client; also provides optional client-to-server authentication.
 Supports RSA public key algorithms, IDEA, DES, and 3DES; supports MD5 hashing.
 HTTPS header.
 Resides between the application and TCP layer; can be used by telnet, FTP, HTTP and e-mail protocols.
 Based on X.509.
 SSL is session based; designed to establish a secure connection between two computers. Requires an SSL enabled web browser.
 SSL is both an API and a protocol intended for end-to-end encryption of client-server applications across an arbitrary network. This protocol was developed by Netscape; the Navigator browser is its reference implementation.
 It uses public key certificates to authenticate the server to the client and optionally the client to the server.
 It uses the server's public key to negotiate a session key to be used for the session. It manifests this key by setting a solid key icon in the lower left-hand corner of the screen.
 Man in the middle attack possible; using a digital signature during the session key exchange can circumvent this attack.
 Heavily used for internet transactions.
 Successor to SSL: TLS (Transport Layer Security).
Provides what: Authentication, compression, confidentiality, and integrity.
In which layer: SSL lies beneath the application layer and above the transport layer (precisely: transport layer).

Protocol: Secure Telnet
Characteristics/features: Remote terminal access.

Protocol: Secure RPC authentication (SRA)
Characteristics/features: Secure RPC uses Diffie-Hellman public key to determine the shared key for encryption, with a 192 bit key. Even if the packet is sniffed and captured, it cannot necessarily be decrypted. Can be used with Kerberos and with PPP for authentication.

Protocol: SKIP – Simple Key Management for Internet Protocol
Characteristics/features:
 Similar to SSL; however no prior communication is required in order to establish or exchange keys on a session-by-session basis.
 Enables a TCP/IP host to send an encrypted IP packet to another host without requiring a prior message.
 Well suited for the Internet.
 Data integrity and sender authentication capability.
 … since both are stateless protocols.
 SKIP does not continually generate new key values as SSH does.
Provides what: Uses Diffie-Hellman to generate a shared secret, which in turn provides IP packet-based encryption and authentication. High availability.

Protocol: MIME (Multipurpose Internet Mail Extensions)
Characteristics/features: Standardized with RFC 822 and RFC 1521; defines the mail header and type of mail content. Designed to provide facilities to include multiple objects in a single message, to represent body text in character sets other than US-ASCII, to represent formatted multi-font text messages, to represent non-textual material such as images and audio fragments, and generally to facilitate later extensions defining new types of internet mail for use by cooperating mail agents.

Protocol: MOSS (MIME Object Security Services)
Characteristics/features: Provides flexibility by supporting different trust models. Permits identification outside of the X.509 standard.

Protocol: S/MIME (Secure Multipurpose Internet Mail Extensions)
Characteristics/features:
 Adds secure services to messages in MIME format
 Follows Public Key Cryptography Standards (PKCS)
 Uses X.509 signatures
Provides what: Uses MD5, RSA public key and DES.
In which layer: Application layer protocol.

Protocol: MONDEX system
Characteristics/features:
 Smart cash card application
 Proprietary encryption algorithm
 Card is the same as cash
 Aimed at consumer-to-business transactions
 Flexible and future focused

Protocol: IOTP
Characteristics/features: IOTP is the Internet Open Trading Protocol.

Protocol: SET
Characteristics/features:
 Developed by Visa and Mastercard in 1997
 Encrypts the payment information
 DES – symmetric encryption
 RSA public key – signatures and key distribution
 Taken over by SSL
Provides what: Internet transactions and authentication of sender and receiver. Heavily used for internet transactions.
In which layer: Application layer protocol.

Protocol: SSH 2
Characteristics/features:
 Remote access via encrypted tunnel
 Client-to-server authentication
 Comprised of: Transport Layer protocol, User Authentication protocol, Connection protocol
Provides what: Host and user authentication, data compression, data confidentiality and integrity. Key exchange and encryption: RSA & Triple DES.
In which layer: Operates in the transport layer.

Protocol: IPSEC
Characteristics/features:
 IPSec adds per-packet authentication, payload verification, and encryption mechanisms to traditional IP.
 The two main protocols are the Authentication Header (AH) and the Encapsulating Security Payload (ESP).
 Can operate with a single protocol (with or without encryption – confidentiality).
 A Security Association (SA) is required between two parties – a one-way connection comprised of a Security Parameter Index (SPI), a 32 bit identifier.
 Bi-directional communication requires two Security Associations.
 In a VPN implementation IPSec can operate in transport or tunnel mode.
 Transport mode – data encrypted, header not.
 Tunnel mode – data and original IP header encrypted, new header is added; the new header has the address of the VPN gateway.
 MD5 and SHA are used for integrity.
 Security Associations can be combined into bundles using either transport adjacency or iterated tunneling.
 IKE – Internet Key Exchange is used for key management with IPSEC. IKE is a set of three protocols:
  Internet Security Association and Key Management Protocol (ISAKMP) – phases for establishing the relationship
  Secure Key Exchange Mechanism (SKEME) – secure exchange mechanism
  Oakley – modes of operation needed to establish the secure connection accordingly
Provides what: Encryption, access control, and non-repudiation over IP. ESP provides authenticity, integrity and confidentiality. The Authentication Header provides integrity, authentication and non-repudiation.
In which layer: Operates in the Network Layer.

Protocol: S/WAN – Secure WAN
Characteristics/features: Defines IPSec-based widespread use of VPNs on the internet.
Kerberos
Authentication Server (AS): knows all the passwords of the users and stores them in a centralized database. It also
shares a unique secret key with each server, which is pre-distributed in some manner.
Problem: minimize the number of times the user has to enter a password, and the requirement for multiple tickets for every
different service.
Problem: plaintext transmission of the password. Solution: a Ticket Granting Server (TGS) is introduced. The TGS issues tickets to users who have been
authenticated to the AS. Hence the user requires a ticket-granting ticket (TGT) from the AS; then, using that, the TGS grants a service-granting
ticket. The TGT can be used by the client to request multiple service-granting tickets. The TGT is reusable. To
counter the replay attack, a timestamp is included stating until when the ticket is valid. This satisfies both of the
problems above.
Problem: capturing the TGT and the service-granting ticket and using it before it expires within the time frame. Solution:
the AS provides a secret piece of information in a secure manner to both the user and the client; this is referred to as the
session key in Kerberos.
Problem: the service / server needs to authenticate to the client so that the user is sure of the correct server / service he
is looking for. Solution: where mutual authentication is required the server can reply as shown in the message: the server
returns the value of the timestamp from the authenticator incremented by 1, encrypted in the session
key.
A set of servers sharing a Kerberos database is referred to as a realm, and there needs to be certification across realms (cross-realm).
Kerberos 5 addresses environmental shortcomings and technical deficiencies of the earlier version:
1. Encryption system dependence: allows the same key to be used in different
algorithms and different variations of a given algorithm.
2. IP dependence is removed.
3. Ticket lifetime is flexible.
4. Authentication forwarding: a client can access a server and have that service
access another server on behalf of the client.
5. Inter-realm authentication: reduced relationships.
Double encryption is removed; explicit integrity, and standard CBC rather than PCBC.
Session key; sub-session key to prevent replay.
Password attack: cannot be prevented, but a system of pre-authentication makes
password attacks more difficult.
Includes a nonce – a random value to be repeated in the message to assure that the response is fresh and has not
been replayed by an opponent.
1. The basic Kerberos 5 protocol defines the syntax and semantics for authentication, secure
messaging, limited syntax and semantics for authorization, and the application of various
cryptographic algorithms within those elements.
2. Kerberos is often described as an “application-layer” protocol.
3. Kerberos is used very effectively at all layers of the network, as well as in middleware. Kerberos
is used for authentication and key management in a virtual private network (VPN).
4. Organizational models:
Autocracy: all control flows from a central authority.
Anarchy: all authority flows from individuals.
5. In Kerberos, the entities that authenticate with one another are referred to as ‘principals’, as in
‘principals to a transaction’.
6. Kerberos credentials are referred to as ‘tickets’ (pg 401 vol 1). A ticket is a part of a
cryptographically sealed credential issued by the KDC to a client. (Pg 410 vol 1)
7. The KDC logically consists of a set of services and a database that contains information about
principals. In Kerberos that collective is referred to as a “realm”. Principals in different realms
can interact using ‘cross-realm’ (sometimes referred to as ‘inter-realm’) authentication.
8. In Kerberos, the trusted third party is known as the Key Distribution Center (KDC). In public
key systems, the trusted third party is referred to as a Certificate Authority (CA).
9. In typical operation, a cryptovariable is inserted prior to encrypting a message and the same key is
used for some period of time. This period of time is known as the ‘cryptoperiod’. For reasons having
to do with cryptanalysis, the key should be changed on a regular basis.
10. The AS generates a random key, referred to as the ‘session key’
11. While we can formulate solutions to authentication, confidentiality, integrity and access control
that are useful and that are independent of a broad range of applications, the same cannot be said
of delegation and authorization.
12. The combined ability to provide both efficient and secure access to services, and the ability to
serve as the basis for a collective security mechanism is one of Kerberos’s major strengths.
13. Replay Protection, Time-Stamps: Replay protection using timestamps is most suited to datagram-
or transaction-oriented protocols and requires loosely synchronized clocks based on a secure time
service and the use of a replay ‘cache’ by the receiver. A replay cache is simply a cache of
messages previously seen by the receiver, or more likely, a hash of each of those messages. The
receiver must check each received message against the replay cache to determine if the message is
a replay. Time-stamps help to limit the size of the replay cache.
14. Challenge-Response: Replay protection using a challenge-response exchange is most suited to
session-oriented protocols, such as TCP/IP. (Please refer to Pg 422 Vol 1; there is a lot about it that I
didn’t understand. Read it and delete this.)
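Both replay-protection styles from items 13 and 14, as an added example that is not from the original notes or from any Kerberos implementation: a timestamp check backed by a replay cache that is pruned to the clock-skew window (which is why timestamps bound the cache size), and a nonce-based challenge-response for a session-oriented protocol. The authenticator format, the 300-second skew window and the HMAC-SHA256 response are assumptions of the example.

```python
import hashlib
import hmac
import secrets

# Constructed example: the two replay-protection styles from the notes.
# Part 1: timestamp plus replay cache (the Kerberos-style authenticator check).
# Part 2: nonce-based challenge-response for a session-oriented protocol.

CLOCK_SKEW = 300.0  # seconds of tolerated clock drift (assumed; Kerberos' usual default is 5 minutes)


def build_authenticator(principal: str, sender_time: float) -> bytes:
    # Constructed stand-in for a Kerberos authenticator: principal name and the
    # sender's clock reading. A real authenticator is sealed under the session key.
    return f"{principal}|{sender_time:.3f}".encode()


class ReplayCache:
    """Hashes of recently accepted authenticators, keyed by their timestamp.

    Entries older than the skew window could never be accepted again anyway
    (they fail the freshness check), so pruning them keeps the cache bounded:
    that is how timestamps limit the size of the replay cache."""

    def __init__(self, skew: float = CLOCK_SKEW):
        self.skew = skew
        self.seen = {}  # sha256 digest -> timestamp carried in the message

    def _prune(self, now: float) -> None:
        cutoff = now - self.skew
        self.seen = {d: ts for d, ts in self.seen.items() if ts >= cutoff}

    def accept(self, authenticator: bytes, now: float) -> str:
        """Return 'ok', 'stale' (outside the clock window) or 'replay' (seen before)."""
        self._prune(now)
        sender_time = float(authenticator.rsplit(b"|", 1)[1])
        if abs(now - sender_time) > self.skew:
            return "stale"
        digest = hashlib.sha256(authenticator).digest()
        if digest in self.seen:
            return "replay"
        self.seen[digest] = sender_time
        return "ok"


class ChallengeResponder:
    """Server side of challenge-response: one fresh nonce per exchange,
    accepted exactly once. No clocks are needed, which suits TCP-style sessions."""

    def __init__(self, shared_key: bytes):
        self.key = shared_key
        self.outstanding = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self.outstanding:
            return False  # never issued, or already consumed: treat as a replay
        self.outstanding.discard(nonce)  # consume first, so a wrong guess also burns the nonce
        expected = hmac.new(self.key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def answer_challenge(shared_key: bytes, nonce: bytes) -> bytes:
    """Client side: prove knowledge of the shared key over the server's nonce."""
    return hmac.new(shared_key, nonce, hashlib.sha256).digest()


if __name__ == "__main__":
    cache = ReplayCache()
    auth = build_authenticator("alice@EXAMPLE.COM", 1000.0)
    print(cache.accept(auth, now=1010.0))   # ok
    print(cache.accept(auth, now=1020.0))   # replay
    key = b"constructed-shared-key"
    srv = ChallengeResponder(key)
    n = srv.challenge()
    print(srv.verify(n, answer_challenge(key, n)))   # True
    print(srv.verify(n, answer_challenge(key, n)))   # False: nonce already consumed
```

The cache stores only digests, as the notes suggest, and the receiver never has to keep a message longer than the skew window; the challenge-response side needs no synchronized clocks at all, which is the trade-off between the two approaches.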
15. Multiple security functions including authentication, authorization, access control, and key
management – can be provided by or built from Kerberos. While the concept of aggregate
enterprise security service is not native to Kerberos, the union of the two is very natural.
16. Security Services – Kerberos
Authentication: The Kerberos authentication protocol implicitly provides the cryptographic material or
session keys needed for establishing a secure channel that continues to protect the principals’
conversation after authentication has occurred.
Secure Channels: A secure channel provides integrity and confidentiality services to communicating
principals. Kerberos provides these services either directly through the use of Kerberos protocol
messages, or indirectly by providing the cryptographic material needed by other protocols or
applications to implement their own form of secure channel.
Integrity: Kerberos provides message integrity through the use of signed message checksums or one-way hashes, using a choice of algorithms.
Confidentiality: Kerberos provides message confidentiality by encrypting messages using a choice of
encryption algorithm.
Access Control: Kerberos does not directly provide access control for persistent data, such as disk
files. However, the Kerberos protocol provides for the inclusion and protection of authorization
information needed by applications and operating systems in making access control decisions
Authorization: An authorization service provides information that is used to make access control
decisions. Common mechanisms used to represent authorization information include access control
lists (ACLs) and capabilities. An ACL based system uses access control lists to make access decisions.
Capability based systems require the encapsulation of authorization information in a tamper-proof
package that is bound to an identity.
17. Non-repudiation: Kerberos does not offer the arbitration services that are required for the
complete implementation of such a service (non-repudiation).
18. Availability: Distributed security systems generally do not offer availability services.
So Kerberos can give Authentication, Secure Channel, Integrity, Confidentiality, Access Control and
Authorization, but does not provide non-repudiation and availability.
19. An additional layer is now built in, namely the ticket-granting service. That is, the AS now issues a ticket for the TGS,
called the ticket-granting ticket (TGT), and the TGS issues session tickets for individual services to the users.
Kerberos related technologies
- OSF DCE – Open Software Foundation Distributed Computing Environment; uses Kerberos 5 as the
underlying security mechanism.
- GSS-API – Generic Security Service Application Programming Interface.
- SPNEGO – Simple and Protected GSS-API Negotiation Mechanism.
- SSPI – Microsoft Security Support Provider Interface.
- SSL – Secure Sockets Layer.
- SASL – Simple Authentication and Security Layer.
- IPSEC – key management by Kerberos.
- RADIUS – integrated with Kerberos to act as a surrogate for RADIUS clients.
- Common Data Security Architecture, token cards etc., where Kerberos can be implemented.
Wireless Security
WAP – Wireless Application Protocol
Designed for mobile devices (PDAs, phones)
Set of protocols covering layers 7 to 3 of the OSI model
Less overhead than TCP/IP
- Wireless Markup Language (WML)
- Wireless Application Environment (WAE)
- Wireless Session Protocol (WSP)
- Wireless Transport Layer Security (WTLS)
- Wireless Datagram Protocol (WDP)
For security WAP uses Wireless Transport Layer Security (WTLS)
Three classes of security
- Class 1 – Anonymous authentication
- Class 2 – Server authentication
- Class 3 – Two-way client and server authentication
Authentication and authorisation can be performed through smart cards/tokens
Security vulnerability of WAP
- WAP gap – where WTLS is decrypted and re-encrypted to SSL at the WAP gateway, so the data is briefly in the clear on the gateway
C-HTML, from Japan, is competing with WML
C-HTML is stripped-down HTML; C-HTML can be displayed on a standard browser
Mobile PKI – relates to the possible time lapse between the expiration of a public key and the reissue of the
certificates to its holder.
IEEE 802.11 Standards
Active mode (can transmit and receive) and power-save mode (does not enable the user to transmit or
receive)
- Interface between clients and base station
- 802.11 layers
- The physical layer (PHY) can use:
DSSS – Direct Sequence Spread Spectrum
FH – Frequency Hopping Spread Spectrum
IR – Infrared pulse modulation: more secure against data capture since it requires a line-of-sight path
- MAC layer – Medium Access Control
Specifies CSMA/CA (Carrier Sense Multiple Access with Collision Avoidance)
- Provides:
Data transfer
Association
Re-association
Authentication – WEP
Privacy – WEP
Power management
Notes to remember
Private-key (symmetric) cryptography is 1000 or more times faster than public-key cryptography.
Time stamps can be used to prevent replay attacks.
A one-time pad is usually implemented as a stream cipher using the XOR function.
The security of a cryptosystem should depend only on the secrecy of the keys, not on the secrecy of the algorithm.
Unix systems use a substitution cipher called ROT13.
Lightweight Directory Access Protocol (LDAP) appears to be the chosen method for distributing keys.
Keep in mind that the server storing the certificates and the delivery of the certificates containing the keys
do not have to be secure. The signature from the CA on the certificate vouches for the authenticity of the
key pair. Availability and integrity are the main concerns of the LDAP server: if it is taken down by a DoS attack, the
CRL cannot be processed, which permits the use of a revoked certificate for transactions.
Protecting the private key of the CA, the software used for signing, and the private keys of users is
important. Users’ keys are secured by an encrypted passphrase and/or smart cards with CPU and RAM, unlocked
by the PIN when inserted in a card reader.
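The fail-closed handling of an unavailable CRL that the LDAP note above calls for, as an added example (not code from the notes or from any PKI product). The CRL record, the fetcher callbacks and the serial numbers are constructed; the fetcher is assumed to hand back only CRLs whose CA signature has already been verified, which is the integrity half of the concern.

```python
from dataclasses import dataclass

# Constructed example: consuming a CRL with a fail-closed policy.
# fetch_crl stands in for the LDAP/HTTP lookup against the directory that
# publishes the CA's revocation list; it is assumed to return only CRLs whose
# CA signature has already been verified.


@dataclass
class CRL:
    issuer: str
    revoked_serials: frozenset
    this_update: float   # seconds since epoch, like X.509 thisUpdate
    next_update: float   # after this the list is stale and must be refreshed


class CRLUnavailable(Exception):
    """The directory could not be reached or did not answer (the DoS case)."""


def check_revocation(issuer: str, serial: int, fetch_crl, now: float,
                     fail_open: bool = False) -> str:
    """Return 'good', 'revoked' or 'unknown' for one certificate.

    fail_open=False is the safe policy: an unreachable, mismatched or expired CRL
    yields 'unknown', which callers must treat as a rejection. fail_open=True
    reproduces the weak behaviour the notes warn about, where a DoS on the
    directory lets a revoked certificate through."""
    try:
        crl = fetch_crl(issuer)
    except CRLUnavailable:
        return "good" if fail_open else "unknown"
    if crl.issuer != issuer:
        return "good" if fail_open else "unknown"
    if not (crl.this_update <= now < crl.next_update):
        # Stale list: an attacker who blocks CRL refreshes ends up here
        return "good" if fail_open else "unknown"
    return "revoked" if serial in crl.revoked_serials else "good"


def accept_certificate(issuer: str, serial: int, fetch_crl, now: float) -> bool:
    """Relying-party decision: only an affirmative 'good' lets the certificate be used."""
    return check_revocation(issuer, serial, fetch_crl, now) == "good"


# Constructed sample data for a stand-alone run.
SAMPLE_CRL = CRL(issuer="CN=Example Corp CA", revoked_serials=frozenset({0x1001, 0x1003}),
                 this_update=1000.0, next_update=2000.0)


def online_fetch(issuer: str) -> CRL:
    return SAMPLE_CRL


def offline_fetch(issuer: str) -> CRL:
    raise CRLUnavailable("directory not responding")


if __name__ == "__main__":
    ca = "CN=Example Corp CA"
    print(check_revocation(ca, 0x1001, online_fetch, now=1500.0))                   # revoked
    print(check_revocation(ca, 0x1001, offline_fetch, now=1500.0))                  # unknown
    print(check_revocation(ca, 0x1001, offline_fetch, now=1500.0, fail_open=True))  # good
```

The stale-CRL branch matters as much as the unreachable one: a relying party that keeps trusting a list past its nextUpdate is in the same position as one that could not fetch it at all.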
The Data Criticality Matrix is helpful in comprehending and prioritizing an organization’s information
asset security categories. This matrix includes 5 security requirements. The widely used CIA
requirements of Confidentiality, Integrity and Availability are supplemented with the two additional
requirements: Non-repudiation and Time.
RSA Secure PC
This is just a hint. The object of encryption is always the individual file rather than the drive or the
directory. When a file is initially encrypted, the system generates a 64-bit block cipher key to be used to
encrypt the file. This file key is then encrypted using the public key of the system and is stored with the
file.
Cryptography requirements
Secrecy requirements
- If ciphertext and plaintext are known, it should be computationally infeasible to determine the
deciphering algorithm
- It should be computationally infeasible to systematically determine plaintext from intercepted
ciphertext (even if you decrypt ciphertext once, it should require the same amount of work to do it
again)
Note: “systematically” allows for a lucky guess
Note: “computationally infeasible” means great effort; it doesn’t account for advances in computing or
mathematics
Authentication requirements
- If ciphertext and plaintext are known, it should be computationally infeasible to determine the
enciphering algorithm
- It should be computationally infeasible to find valid ciphertext (even if you encrypt plaintext so that it
can be decrypted once, it should require the same amount of work to do it again)
Identify applications of cryptography
- Data storage
  Prevent disclosure
  o Password files
  o Backup tapes
  o Bulk
- Telecommunications
  Prevent disclosure
  Data transmission
  o STU
- Message authentication
  Detect fraudulent insertion
  Detect fraudulent deletion
  Detect fraudulent modification
  Detect replay
- Digital signature
  Source verification
- Non-repudiation
Uses
- EFT systems
- Protecting stored data
- E-mail
- Communication links
- VPNs
- E-Commerce (secure WWW connections): SSL, S-HTTP
- Digital signatures: MD5, SHA
Encryption laws:
The Electronic Data Security Act states its goals as:
To enable the development of a key management infrastructure for public-key-based encryption and
attendant encryption products that will assure that individuals and businesses can transmit and receive
information electronically with confidence in the information's confidentiality, integrity, availability, and
authenticity, and that will promote timely lawful government access.
IEEE P1363a will cover additional public-key techniques.
Standards Activities Involving ECC
- IEEE P1363 (public-key crypto)
  o Covers main public-key techniques: RSA, ECC, El Gamal, Diffie-Hellman
- ANSI X9
  o Elliptic Curve Digital Signature Algorithm (ECDSA) proposed work item
- ANSI ASC X9
  o Elliptic curve key agreement & key management proposed work item
- ISO/IEC CD 14888-3 “digital signatures with appendix”
  o Variety of digital signature mechanisms
ISO/IEC (International Organization for Standardization / International Electrotechnical Commission) is the joint technical committee developing the
standards for information technology.
There are four types of modules: inline, offline, embedded, stand-alone.
Inline
- Front-end configuration
- Module capable of accepting plaintext from source
  o Performing crypto processing
  o Passing processed data directly to communications equipment
  o Without passing back to source
- May also decrypt (reverse process)
- Data cannot leave host without passing through module
- Comm equipment in module or external to host
Offline
- Back-end configuration
- Module capable of accepting data from source
  o Performing crypto processing
  o Passing processed data back to source
- Source responsible for storage and further transmission
  o Maintaining separation between protected and unprotected data
- Ideal for local file encryption
- Comm boards may be internal to host
Embedded
- Module physically enclosed within and interfaces with computer
- Either inline or offline
- Less expensive
- Physical security (tamper protection and detection) questionable
Standalone
- Module contained in own physical enclosure
- Outside host computer
- Either inline or offline
Describe the principle of key management
- Must be fully automated
- Key length should be long enough to provide the necessary level of protection
- Keys should be stored and transmitted by secure means, for key discipline and secrecy
- No key in the clear outside of the crypto device, for secrecy and known-plaintext attack resistance
- Choose keys randomly from the entire key space, to prevent a pattern that could be
exploited by an attacker to reduce the work
- Key-encrypting keys must be separate from data keys: nothing that appears in the clear is encrypted
with a key-encrypting key
- Keep the KEK invulnerable to brute force attack
- Disguise all patterns in the cleartext object before encryption (format, language, alphabet, public code)
to resist ciphertext-only attacks
- Use keys with a long life infrequently
- The more a key is used, the more likely a successful attack and the greater the consequences; the shorter its
lifetime should be
- Backed by escrow in case of emergencies
- Lifetime should correspond with the sensitivity of the data it is processing
- Emergency key recovery can be made possible by multiparty control: a member from management, an
individual from auditing, and one from the IT department, so that collusion is required for fraudulent activity to take place
(key escrow)
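Key generation from the whole key space and the multiparty-recovery (escrow) principle above, as an added example that is not from the notes: a key-encrypting key is split with Shamir secret sharing so that any two of three custodians (management, audit, IT) must cooperate to recover it, which is also the split-key idea mentioned later alongside key-encrypting keys. The field prime, the 2-of-3 policy and the custodian names are the example's assumptions.

```python
import secrets

# Constructed example: key generation from the full key space and multiparty
# key recovery via Shamir secret sharing, used as the escrow mechanism.
# Arithmetic is in the prime field GF(p) with p = 2^521 - 1 (a Mersenne prime),
# large enough to hold any key of up to 512 bits as a single field element.

PRIME = 2**521 - 1


def generate_key(bits: int = 128) -> int:
    """Draw a key uniformly from the entire 2**bits key space (CSPRNG-backed)."""
    return secrets.randbits(bits)


def split_key(secret: int, threshold: int, num_shares: int):
    """Split `secret` into num_shares points on a random polynomial of degree
    threshold-1 whose constant term is the secret. Any `threshold` shares recover it;
    fewer reveal nothing about it."""
    if not (1 < threshold <= num_shares) or not (0 <= secret < PRIME):
        raise ValueError("bad threshold/share count or secret out of field range")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]

    def poly(x: int) -> int:
        acc = 0
        for c in reversed(coeffs):   # Horner evaluation mod p
            acc = (acc * x + c) % PRIME
        return acc

    return [(x, poly(x)) for x in range(1, num_shares + 1)]


def recover_key(shares) -> int:
    """Lagrange interpolation at x = 0 over GF(p) from any threshold-many shares."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * (-xj)) % PRIME
                den = (den * (xi - xj)) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def escrow_demo():
    """Three custodians (management, audit, IT); any two must collude to recover the KEK."""
    kek = generate_key(256)
    custodians = dict(zip(("management", "audit", "it"), split_key(kek, 2, 3)))
    recovered = recover_key([custodians["management"], custodians["audit"]])
    return kek, recovered


if __name__ == "__main__":
    kek, recovered = escrow_demo()
    print(recovered == kek)   # True
```

A single custodian's share is one point on a random line and carries no information about the constant term, which is what makes the collusion requirement real rather than procedural; raising the threshold to 3-of-5 only changes the degree of the polynomial.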
Key Management Activities
- Key control
- Key recovery
- Key storage
- Key retirement/destruction
- Key change
- Key generation
- Key theft
- Frequency of key use
Describe Bitstream Authentication
- Generate new MAC
- Compare with original
MAC algorithm qualities
- Sensitive to bit changes
- Creates a MAC that cannot be duplicated
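The generate-new-MAC / compare-with-original check and the "sensitive to bit changes" quality, as an added example that is not from the notes: HMAC-SHA256 is assumed as the MAC algorithm (the notes name none), the key and bitstream are constructed, and a bit-flip helper shows how far the tag moves when a single input bit changes.

```python
import hashlib
import hmac

# Constructed example: bitstream authentication with a MAC. The sender computes
# a MAC over the stream; the receiver recomputes it and compares with the original.
# HMAC-SHA256 is an assumption of this example; the notes do not name an algorithm.


def generate_mac(key: bytes, stream: bytes) -> bytes:
    """HMAC-SHA256 over the whole bitstream; the 32-byte tag travels with the data."""
    return hmac.new(key, stream, hashlib.sha256).digest()


def verify_stream(key: bytes, stream: bytes, received_mac: bytes) -> bool:
    """Receiver side: generate a new MAC and compare with the original.
    compare_digest runs in constant time, so the comparison does not leak how
    many bytes of a forged tag were correct."""
    return hmac.compare_digest(generate_mac(key, stream), received_mac)


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Return a copy of data with one bit inverted (simulates tampering or line noise)."""
    out = bytearray(data)
    out[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(out)


def bits_changed(a: bytes, b: bytes) -> int:
    """Hamming distance between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def avalanche_report(key: bytes, stream: bytes, bit_index: int) -> int:
    """How many of the 256 tag bits change when one stream bit flips.
    For a sound MAC this is close to 128 regardless of which bit moved."""
    return bits_changed(generate_mac(key, stream),
                        generate_mac(key, flip_bit(stream, bit_index)))


if __name__ == "__main__":
    key = b"constructed-demo-key-do-not-reuse"   # real keys come from a CSPRNG, e.g. secrets.token_bytes(32)
    stream = b"constructed bitstream: transfer 100.00 to account 42"
    tag = generate_mac(key, stream)
    print(verify_stream(key, stream, tag))                # True
    print(verify_stream(key, flip_bit(stream, 0), tag))   # False
    print(avalanche_report(key, stream, 0))               # roughly 128 of 256 bits
```

The second MAC quality in the notes, that the tag cannot be duplicated, rests on the key: anyone without it cannot produce a valid tag for an altered stream, which is why the key must be handled under the key-management rules above.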
In the mid-80's, NSA introduced a program called the Commercial COMSEC Endorsement Program, or
CCEP (Commercial Communications Security Endorsement Program):
- NSA and industry relationship
- Combines government crypto knowledge with industry product-development expertise
- Type 1 or type 2 high-grade crypto products
- Type 1 encrypts classified and SUI
  o STU – Secure Telephone Unit
- Type 2 encrypts SUI
  o Authentication devices, transmission security devices, secure LANs
Cryptography is export-controlled for several reasons. Strong cryptography can be used for criminal
purposes or even as a weapon of war. During wartime, the ability to intercept and decipher enemy
communications is crucial; hence it is protected.
Cryptography is just one of many technologies covered by the ITAR (International Traffic in
Arms Regulations).
In the United States, government agencies consider strong encryption to be systems that use RSA with key
sizes over 512-bits or symmetric algorithms (like DES, IDEA, or RC5) with key sizes over 40-bits. Since
government encryption policy is heavily influenced by the agencies responsible for gathering domestic and
international intelligence (the FBI and NSA, respectively) the government is compelled to balance the
conflicting requirements of making strong cryptography available for commercial purposes while still
making it possible for those agencies to break those codes, if need be. The US government does, however,
allow 56-bit block ciphers to be exported for financial cryptography.
Cryptographic Protocols & Standards
- Domain Name Server Security (DNSSEC)
  o Secure distributed name services
- Generic Security Services API (GSSAPI)
  o Provides a generic authentication, key exchange & encryption interface for different
systems & authentication methods
- Secure Socket Layer (SSL)
  o Secure WWW connections
- Secure Hypertext Transfer Protocol (SHTTP)
  o Secure WWW connections
  o More flexible than SSL, but not as widely used
- E-mail security and related services
  o S/MIME (Secure MIME)
    Secure Multipurpose Internet Mail Extensions
    Specs for secure electronic messaging
    Developed to fix interception & forgery of e-mail
    Easily integrated into e-mail & messaging products
    Provides privacy, data integrity, authentication
  o MSP (Message Security Protocol)
    Offers confidentiality, authentication, non-repudiation, return-receipt, signature
- Public Key Cryptography Standards (PKCS)
  o Provides an agreed-upon format for public key cryptography
  o Extension to PEM
SSH2 Protocol
- Used to secure terminal sessions, developed by the IETF
- Provides 3 components
  o Transport Layer Protocol: server authentication, confidentiality, and integrity
  o User Authentication Protocol: authenticates the client to the server
  o Connection Protocol: multiplexes the encrypted tunnel into several logical channels
X.509
1) Framework for the provision of authentication services by the X.500 directory to its users.
2) The directory is a repository of public key certificates.
3) A certificate contains the public key of a user and is signed by the private key of a trusted certification
authority.
4) X.509 defines alternative authentication protocols as well.
5) Certificate structure and authentication protocols are defined, hence it is very important and used in a variety
of contexts, e.g. SSL, SET, S/MIME etc.
6) Based on public key cryptography and digital signatures; the recommended algorithm is RSA.
7) A certificate is issued to and associated with each user. A certificate contains: version, serial number,
signature algorithm identifier, issuer name, period of validity, subject name, subject’s public key
information, issuer unique identifier, subject unique identifier, extensions & signature.
8) Cross certificates between CAs.
9) Suggests that CAs be arranged in a hierarchy so that navigation is straightforward.
10) Forward certificates: certificates of X generated by other CAs.
11) Reverse certificates: certificates generated by X that are the certificates of other CAs.
12) Revocation of certificates, which must be maintained as a CRL.
Authentication
One-way authentication: the initiating entity is authenticated; the message is from A and is for B, and integrity and
originality are assured.
Two-way authentication: all three of the above, plus the reverse is also done.
Three-way authentication: a final message from A to B is included, which contains a signed copy of the
nonce.
X.509 version 3: earlier versions lacked fields needed by recent designs and implementations; version 3
added extensions to include key and policy information, certificate subject and issuer identification, and certificate path
constraints.
Cracking of Symmetric and Asymmetric Ciphers – History
DES Cracker
- In 1998, the DES message was cracked in 39 days.
- In July 1998 the EFF (Electronic Frontier Foundation) announced that it had easily won the RSA
Security ‘DES Challenge II’, taking less than 3 days to recover the original message.
- In January 1999, the EFF announced that, in collaboration with Distributed.Net, it had won the RSA
Security ‘DES Challenge III’, taking 22 hours to recover the plaintext.
- In 1977, Whitfield Diffie and Martin Hellman proposed the construction of a DES-cracking
machine that could crack 56-bit DES keys in 20 hours.
- In 1994, Michael Wiener proposed a design built from existing technology which could crack 56-bit DES
in under 4 hours for a cost of US $1 million.
- Contests held in 1997 and 1998 to crack DES-encrypted messages were won by distributed
computing efforts.
RSA-155 (512-bit) factorization:
- In August 1999 the factorization of the 155-digit (512-bit) RSA Challenge Number was completed in
around five to seven months without dedicated hardware.
- RSA-140 was solved in 9 weeks.
- In summer 1999, Adi Shamir presented a design for The Weizmann Institute Key Locating Engine
(TWINKLE); cost: US $5000, providing processing equivalent to 100 to 1000 PCs. This device is targeted
at 512-bit RSA keys.
- In January 1997, it was announced that a Berkeley student using the idle time on a network of 250
computers was able to break the RSA challenge message, encrypted using a 40-bit key, in three and
one-half hours.
Data/Session keys: these are often negotiated using standard protocols or sent in a protected manner using secret, public and
private keys.
Key-encrypting keys; split keys
Strength Comparison:
Moore’s law: processing speeds seem to double (or costs halve) every 18 months.
A MIPS year (M.Y.) is the number of instructions a machine executing a million instructions per second can execute in one year. One M.Y. is
approximately 10^13.5 instructions. Based on exhaustive key search, a triple-DES (112-bit) key is approximately equal to a 1792-bit RSA key (i.e., key modulus), and a 1024-bit RSA key is approximately equal to a 160-bit ECC key.

EC Key Size   RSA Key Size   MIPS Years
160           1,024          10^12
320           5,120          10^36
600           21,000         10^79
1,200         120,000        10^168