Integrity protection and error propagation - E
advertisement
NEHRU ARTS AND SCIENCE COLLEGE
T.M.PALAYAM,COIMBATORE
NAME OF THE PAPER: NETWORK SECURITY AND CRYPTOGRAPHY
STAFF NAME: A.SENTHIL KUMAR
ACADEMIC YEAR : 2011 - 2012
UNIT-I:
Service mechanism and attacks – The OSI security architecture – A model for network
security – symmetric Cipher model – Substitution techniques – transposition techniques –
simplified des – block chipper principles – the strength of des – block chipper design
principles and modes of operation.
Service mechanism and attacks
Having identified the relevant security threats to a system, the system operator can apply various
security services and mechanisms to confront these threats and implement a desired security
policy. In this section we provide a general description of such services and techniques. The
science behind these methods is researched and developed as part of the broad discipline of
Cryptography. Cryptography embodies the mathematical principles, means, and methods for the
transformation of data in order to hide its information content, prevent its undetected
modification, and/or prevent its unauthorized use. Cryptographic functions may be used as part
of encipherment, decipherment, data integrity, authentication exchanges, password storage and
checking, etc. to help achieve confidentiality, integrity, and/or authentication.
The following subsections summarize some key security services and mechanisms.
Encipherment and Data Confidentiality
Encipherment is a security mechanism that involves the transformation of data into some
unreadable form. Its purpose is to ensure privacy by keeping the information hidden from anyone
for whom it is not intended, even those who can see enciphered data. Decipherment is the reverse
of encipherment. That is, it is the transformation of encrypted data back into some intelligible
form. Encipherment which is performed on cleartext (intelligible data) to produce ciphertext
(encrypted data whose semantic content is not available). The result of decipherment is either
cleartext, or ciphertext under some cover.
Encipherment can provide confidentiality of either data or traffic flow information and can play a
part in, or complement other security mechanisms.
Encipherment and Decipherment require the use of some secret information, usually referred to
as a key, which directs specific transformations. This is one of two cryptovariables used: The
other is the initialization variable, which is sometimes required to preserve the apparent
randomness of ciphertext.
Encipherment techniques can be symmetric or secret key, where knowledge of the encipherment
key implies knowledge of the private decipherment key and vice versa, or asymmetric. In
asymmetric algorithms, generally one key is called public (because it is publicly available),
while the other is called private (because it is kept secret). Once a private key has been
compromised, the system (or at least the use of that private key) is no longer secure. Both
encipherment techniques are used to provide the data confidentiality service.
Modern cryptographic systems also provides mechanisms for authentication, for instance
through digital signatures that bind a document to the possessor of a specific key, or digital
timestamps which bind a document to its creation at a given time. In general the existence of an
encipherment mechanism implies the use of a key management mechanism.
Public Key Cryptography
Figure 6.1 illustrates a simple public key cryptographic system that provides data confidentiality.
When Alice wishes to send a secret message to Bob, she looks up Bob's public key in a
directory, uses it to encrypt the message, and sends it off. Bob then uses his private key to
decrypt the message and read it. No one listening in can decrypt the message. Anyone can send
Bob an encrypted message but only Bob can read it. Clearly one requirement is that no one can
figure out the private key from the corresponding public key.
Figure 6.1: A Public Key Cryptographic
System (PKCS)
1#1
Digital Signatures
Digital signature is the process of binding some information (e.g., a document) to its originator
(e.g., the signer).
The essential characteristic of a digital signature is that the signed data unit cannot be created
without using the private key. This means that
1. The signed data unit cannot be created by any individual except the holder of the private key.
2. The recipient cannot create the signed data unit.
3. The sender cannot deny sending the signed data unit.
Therefore, using only publicly available information-the public key-it is possible to identify the
signer of a data unit as the possessor of the private key. It is also possible to prove the identity of
the signer of the data unit to a reliable third party in case of later conflict.
Thus, a digital signature attests to the contents of a message, as well as to the identity of the
signer. As long as a secure hash function (a function that is easy to compute in one direction than
the opposite direction) is used, one cannot take away a person's signature from one document
and transpose it on another one, or alter a signed message in any way. The slightest change in a
digitally signed document will cause the digital signature verification process to fail. However, if
a signature verification fails, it is in general difficult to determine whether there was an
attempted forgery or simply a transmission error.
In short, a digital signature mechanism involves the two procedures of signing a data unit, and
verifying the signed data unit. The former process uses information which is private (i.e. unique
and confidential) to the signer. The second process uses procedures and information which are
publicly available but from which the signer's private information cannot be deduced.
Figure 6.2: A Digital Signature Mechanism
Figure 6.2 illustrates a digital signature mechanism. To sign a message, Alice appends the
information she wishes to send to an enciphered summary of the information. The summary is
produced by means of a one-way hash function (h), while the enciphering is carried out using
Alice's secret key (E). Thus the message sent to Bob is of the form:
X{info} = info + Xs[h(info)]
The encipherment using the secret key ensures that the signature cannot be forged. The one-way
nature of the hash function ensures that false information, generated so as to have the same hash
result (and thus signature), cannot be substituted.
In his turn, upon receipt of Alice's message, Bob verifies the signature by applying the one-way
hash function to the information, and comparing the result with that obtained by deciphering the
signature using the public key of Alice. If these two are the same, it is verified that Alice is the
"true" sender of the message. It should be clear and imperative that for the authentication to be
performed correctly, both Alice and Bob must be using the same hash function.
Authentication
Authentication is defined by [KAUF95] as "the process of reliably verifying the identity of
someone (or something)".
Authentication can be "One-Way" or "Two-Way."6.3 Each of these is described below.
¥ One way Authentication: Involves a single transfer of information from one user (A) intended
for another (B), and establishes the following:
¥ the identity of A and that the authentication token was generated by A;
¥ the identity of B and that the authentication token was intended to be sent to B;
¥ the integrity and originality (the property of not having been sent two or three times) of the
authentication token being transferred.
¥ Two-way Authentication: Involves, in addition, a reply from B to A and establishes, in
addition, the following:
¥ that the authentication token generated in the reply was actually generated by B and was
intended to be sent to A;
¥ the integrity and originality of the authentication token sent in the reply;
¥ (optionally) the mutual secrecy of part of the tokens.
Corroboration of identity is often established by demonstrating the possession of a secret key.
Authentication may be accomplished by applying symmetric or asymmetric cryptographic
techniques.
When using private keys (symmetric) corroboration of identity is often based on a "shared
secret."
When using public keys (asymmetric), authentication is accomplished based on digital signatures
and digital timestamps. Since the digital signature binds the possessor of the private key with a
document and the timestamp can be verified to protect against replays, corroboration of identity
can be established by combining digital signature and a timestamp.
Traffic Flow Confidentiality
Cryptographic protocols are designed to resist attacks and also, sometimes, traffic analysis. A
specific traffic analysis countermeasure, traffic flow confidentiality, aims to conceal the presence
or absence of data and its characteristics. This is important because knowledge of the activity can
be as useful to the bad guys as the content of the activity itself.
If cyphertext is relayed, the address must be in the clear at the relays and gateways. If the data
are enciphered only on each link, and are deciphered (and are thus made vulnerable) in the relay
or gateway, the architecture is said to use link-by-link confidentiality (or encipherment). If only
the address (and similar control data) are in the clear in the relay or gateway, the architecture is
said to use end-to-end data confidentiality (or encipherment). End-to-end encryption is more
desirable from a security point of view, but considerably more complex architecturally.
Furthermore, traffic padding can be used to provide various levels of protection against traffic
analysis. This mechanism can be effective only if the traffic is protected by a confidentiality
service.
Data Integrity
Data integrity is the property of data which has not been altered or destroyed in an unauthorized
manner. It is achieved via a calculated cryptographic checkvalue. The checkvalue may be
derived in one or more steps and is a mathematical function of the cryptovariables and the data.
These checkvalues are associated with the data to be guarded. If the checkvalue is matched by
the value calculated by the data recipient, data integrity is assumed.
Two aspects of data integrity are: the integrity of a single data unit or field, and the integrity of a
stream of data units or fields. Determining the integrity of a single data unit involves two
processes, one at the sender, and the other at the receiver. The sender appends to the data unit a
quantity which is a function of the data itself. This quantity may be supplementary information
such as a block code or a cryptographic check value and may itself be enciphered. The receiver
generates a corresponding quantity and compares it with the received quantity to determine
whether the data has been modified in transit.
Protecting the integrity of a sequence of data units (against misordering, losing, replaying, and
inserting or modifying the data) requires additionally some form of explicit ordering such as
sequence numbering, time stamping, or cryptographic chaining.
Key Management
Key management encompasses the generation, distribution, and control of cryptographic keys. It
is implied by the use of cryptographic algorithms. Important points to be considered are:
1. The use of a lifetime based on time, use, or other criteria, for each key defined, implicitly, or
explicitly. The longer a key's lifetime, the greater the probability that the key will be
compromised by the bad guys.
2. The proper identification of keys according to their functions so that they are used only for
their intended function. The greater the key's exposure (to multiple applications) the greater the
probability that the key will be compromised.
3. Physical distribution and archiving of keys. This is both a logistics and security issue,
especially in distributed systems such as WANs.
Points to be considered concerning key management for symmetric key algorithms include:
1. The use of a confidentiality service in the key management protocol.
2. The use of a key hierarchy ("flat" hierarchies using only data-enciphering keys, multilayer key
hierarchies, etc.)
3. The division of responsibilities so that no one person has a complete copy of an important key.
For asymmetric key management, confidentiality services are used to convey the secret keys.
Additionally an integrity service (or a service with proof of origin) is needed to convey the
public keys.
Access Control
Access control mechanisms are used to enforce a policy of limiting access to a resource to only
those users who are authorized. These techniques include the use of access control lists or
matrices, passwords, capabilities, and labels, the possession of which may be used to indicate
access rights.
Network Layer Security Considerations
Network Layer Security Protocol (NLSP)
NLSP is an international standard that specifies a protocol to be used by end systems and
intermediate systems in order to provide security services in the network layer. It is defined by
ISO 11577. Much of the material appearing here is from the American National Standards
Institute (ANSI) which is the official U.S. representative to ISO.
NLSP specifies a series of services and functional requirements for implementation. The
services, as defined in ISO 7498-2 are:
¥ peer entity authentication.
¥ data origin authentication.
¥ access control.
¥ connection confidentiality.
¥ connectionless confidentiality.
¥ traffic flow confidentiality.
¥ connection integrity without recovery (including data unit integrity, in which individual SDUs
on a connection are integrity protected).
¥ connectionless integrity.
The Procedures of this protocol are defined in terms of:
¥ requirements on the cryptographic techniques that can be used in an instance on this protocol.
¥ requirements on the information carried in the security association used in an instance of
communication.
Although the degree of protection afforded by some security mechanisms depends on the use of
some specific cryptographic techniques, correct operation of this protocol is not dependent on the
choice of any particular encipherment of decipherment algorithm that is left as a local matter for
the communicating systems.
Furthermore, neither the choice nor the implementation of a specific security policy are within
the scope of this international standard. The choice of a specific security policy, and hence the
degree of protection that will be achieved, is left as a local matter among the systems that are
using a single instance of secure communications. NLSP does not require that multiple instances
of secure communications involving a single open system must use the same security protocol.
NLSP supports cryptographic protection either between End Systems (and in this case resembles
the Transport Layer Security Protocol - TLSP) or between Intermediate Systems that are located
at the borders of security domains. This latter aspect makes NLSP quite appealing to those who
would like to provide security services not by securing each and every system in a domain but by
forcing all external communications to transit through a small set of secure systems (assuming
that communications within the domain need no security services). In this sense, one can see
NLSP as supporting (at the domain level) administrative policies (mandatory security) while
TLSP is more tuned towards discretionary communication policies.
The OSI security architecture
Security architecture for OSI, define such a systematic approach. The OSI security architecture is
useful to managers, as a way of organizing the task of providing security.
It was developed as an international standard.
The OSI security architecture focus on security attack, mechanism, and services. These can be
defined briefly as fallows:
Security Attack: Any action that compromise the security of information owned by an
organization.
Security Mechanism: A process that is designed to detect, prevent or recover from a
security attack. And security mechanism is a method which is used to protect your
message from unauthorized entity.
Security Services: Security Services is the services to implement security policies and
implemented by security mechanism.
A model for network security
Introduction to the Network Security Model (NSM)
The Open Systems Interconnection model (OSI), developed in 1983 bythe International
Organization for Standardization (ISO), has been used as a framework to teach networking
basics and troubleshoot networking issues for the last 25 years. It has been so influential
in network development and architecture that even most of the network communication protocols
in use today have a structure thatis based on it. But just as the OSI model never fails us, we find
that we are lacking a standard that all network security professionals can adhere to, a Network
Security Model (NSM). Today’s sophisticated and complex networks provide the fundamental
need for the NSM.
The proposed Network Security Model (NSM) is a seven layer model that divides the daunting
task of securing a network infrastructure into seven manageable sections. The model is generic
and can apply to all security implementation and devices. The development of the NSM is
important because unity is needed in securing networks, just as unity was needed in the
architecture of networks with the development of the OSI model. When an attack on a network
has succeeded it is much easier to locate the underlying issue and fix it with the use of the NSM.
The NSM will provide a way to teach and implement basic network security measures and
devices as well as locate underlying issues that may have allowed an attack to succeed.
Traditionally we work from the bottom up to determine which layer has failed on the OSI
model, but on the NSM we will work from the top down to determine which layer has failed. See
the NSM (Figure 1.1). Once the layer of failure is found, we can determine that all of the layers
above this layer have also failed. A network security professional will be able to quickly
determine if other possible hosts have been compromised with the breech of the layer and how to
secure it against the same attack in the future.
Throughout the paper we will be working from the top down describing what each layer is and
how the layers of the NSM work together to accomplish complete network security.
Physical
VLAN
Physical
ACL
Software
User
Administrative
IT Department
Figure 1.1 – The Network Security Model
1.2 Why do we need a Network Security Model?
A well structured NSM will give the security community a way tostudy, implement, and
maintain network security that can be applied to any network. In study, it can be used as a tool to
breakdown network security into seven simple layers with a logical process.
Traditional books have always presented network security in an unorganized fashion where some
books cover issues that other books may completely neglect. In implementation, it can be used
by network architects to insure that they are not missing any important security details while
designing a network. In maintaining existing networks it can be used to develop maintenance
schedules and lifecycles for the security of the existing network. It can to detect where breaches
have occurred so that an attack can be mitigated.
The NSM is beneficial to all types of professionals. Let us not forget professionals who are
transitioning into positions previously held by other network security professionals. Currently,
learning what security techniques are implemented on a network and which ones have not can be
a daunting task when the basic security structure of the network is unclear. The NSM provides
that basic structure. It provides the new professional with the knowledge to discover what
has been implemented and what has not been implemented from a security standpoint. Without
an NSM, the network security community faces potential chaos as professionals continue to
implement their own versions of secure networks without adequate structure.
symmetric Cipher model
Symmetric cipher model (figure 2.1) consists of five ingredients, these ingredients are :
Plaintext
Encryption algorithm which performs substitutions/transformations on plaintext
Secret key which controls exact substitutions/transformations used in encryption
algorithm
Ciphertext
Decryption algorithm which is the inverse of encryption algorithm
Symmetric cipher mathematical model (figure 2.2) can be described as follows:
X : plaintext X = [ X 1, X 2, … , X M].
K : key K = [K 1, K 2,…….., K j]
Y : ciphertext Y = [Y 1, Y 2, …... , Y N]
Y = E K(X) E K : Encryption algorithm
X = D K(Y) D K : Decryption algorithm
A source produces a message in plaintext X = [ X 1, X 2, … , X M]. The M elements of X are
letters in some finite alphabet, in classical encryption scheme the alphabet consists of 26 capital
letters while in modern encryption scheme the binary alphabet [0,1] is used.
A key of the form K = [K 1, K 2,…….., K j] is generated to be used for encryption, if the key is
generated at the message source, then it must be provided to the destination by means of some
secure channel. But if the key is generated by trusted third party, the key must be securely
delivered to both source and destination.
The encryption algorithm E takes the plaintext X and the key K as input then it transforms X into
cipher text Y = [Y 1, Y 2, …... , Y N], so we can write this asY = E K(X). This means that Y is
produced using encryption algorithm E as a function of the plaintext X and the key K.
At the destination end the ciphertext Y is transformed into the original plaintext X using the
decryption algorithm D and the shared key K, we can write this as X = D K(Y).
An opponent (Cryptanalyst) can get Y but he can't access to K or X. He may be try to recover X
or K. It is assumed that the opponent knows the encryption and decryption algorithms.
Generally assume that the algorithm is known. This allows easy distribution of software and
hardware implementations. Hence assume just keeping key secret is sufficient to secure
encrypted messages. Have plaintext X, ciphertext Y, key K, encryption algorithm E k, decryption
algorithm D k.
Substitution techniques
In cryptography, a Caesar cipher, also known as a Caesar's cipher, the shift cipher, Caesar's
code or Caesar shift, is one of the simplest and most widely known encryption techniques. It is
a type of substitution cipher in which each letter in the plaintext is replaced by a letter some fixed
number of positions down the alphabet. For example, with a shift of 3, A would be replaced by
D, B would become E, and so on. The method is named after Julius Caesar, who used it to
communicate with his generals.
The encryption step performed by a Caesar cipher is often incorporated as part of more complex
schemes, such as the Vigenère cipher, and still has modern application in the ROT13 system. As
with all single alphabet substitution ciphers, the Caesar cipher is easily broken and in practice
offers essentially no communication security.
S-DES Key Generation
S-DES depends on the use of a 10-bit key shared between sender and receiver. From this key,
two 8-bit subkeys are produced for use in particular stages of the encryption and decryption
algorithm. Figure C.2 depicts the stages followed to produce the subkeys.
First, permute the key in the following fashion. Let the 10-bit key be designated as (k1, k2,
k3, k4, k5, k6, k7, k8, k9, k10). Then the permutation P10 is defined as:
P10(k1, k2, k3, k4, k5, k6, k7, k8, k9, k10) = (k3, k5, k2, k7, k4, k10, k1, k9, k8, k6)
P10 can be concisely defined by the display:
P10
3 5 2 7 4 10 1 9 8 6
This table is read from left to right; each position in the table gives the identity of the input
bit that produces the output bit in that position. So the first output bit is bit 3 of the input; the
second output bit is bit 5 of the input, and so on. For example, the key (1010000010) is permuted
to (1000001100). Next, perform a circular left shift (LS-1), or rotation, separately on the first
five bits and the second five bits. In our example, the result is (00001 11000).
Next we apply P8, which picks out and permutes 8 of the 10 bits according to the following
rule:
P8
6 3 7 4 8 5 10 9
The result is subkey 1 (K1). In our example, this yields (10100100)
We then go back to the pair of 5-bit strings produced by the two LS-1 functions and
perform a circular left shift of 2 bit positions on each string. In our example, the value (00001
11000) becomes (00100 00011). Finally, P8 is applied again to produce K2. In our example, the
result is (01000011).
C.3 S-DES Encryption
Figure C.3 shows the S-DES encryption algorithm in greater detail. As was mentioned,
encryption involves the sequential application of five functions. We examine each of these.
Initial and Final Permutations
The input to the algorithm is an 8-bit block of plaintext, which we first permute using the IP
function:
IP
26314857
This retains all 8 bits of the plaintext but mixes them up. At the end of the algorithm, the inverse
permutation is used:
8/5/05
C-4
IP–1
41357286
It is easy to show by example that the second permutation is indeed the reverse of the first;
that is, IP–1(IP(X)) = X.
The Function fK
The most complex component of S-DES is the function fK, which consists of a combination of
permutation and substitution functions. The functions can be expressed as follows. Let L and R
be the leftmost 4 bits and rightmost 4 bits of the 8-bit input to fK, and let F be a mapping (not
necessarily one to one) from 4-bit strings to 4-bit strings. Then we let
fK(L, R) = (L
where SK
R, SK), R)
-by-bit exclusive-OR function. For example, suppose the
output of the IP stage in Figure C.3 is (10111101) and F(1101, SK) = (1110) for some key SK.
Then fK
We now describe the mapping F. The input is a 4-bit number (n1n2n3n4). The first operation
is an expansion/permutation operation:
E/P
41232341
For what follows, it is clearer to depict the result in this fashion:
n4 n1 n2 n3
n2 n3 n4 n1
The 8-bit subkey K1 = (k11, k12, k13, k14, k15, k16, k17, k18) is added to this value using
exclusiveOR:
n
k11 n
k12 n
k13 n
k14
n
k15 n
k16 n
k17 n
k18
Let us rename these 8 bits:
p0,0 p0,1 p0,2 p0,3
p1,0 p1,1 p1,2 p1,3
The first 4 bits (first row of the preceding matrix) are fed into the S-box S0 to produce a 2bit output, and the remaining 4 bits (second row) are fed into S1 to produce another 2-bit output.
The S-boxes operate as follows. The first and fourth input bits are treated as a 2-bit number
that specify a row of the S-box, and the second and third input bits specify a column of the Sbox.
The entry in that row and column, in base 2, is the 2-bit output. For example, if (p0,0p0,3) =
(00) and (p0,1p0,2) = (10), then the output is from row 0, column 2 of S0, which is 3, or (11) in
binary. Similarly, (p1,0p1,3) and (p1,1p1,2) are used to index into a row and column of S1 to
produce an additional 2 bits.
Next, the 4 bits produced by S0 and S1 undergo a further permutation as follows:
P4
2431
The output of P4 is the output of the function F.
The Switch Function
The function fK only alters the leftmost 4 bits of the input. The switch function (SW)
interchanges the left and right 4 bits so that the second instance of fK operates on a different 4
bits. In this second instance, the E/P, S0, S1, and P4 functions are the same. The key input is K2.
C.4 Analysis of Simplified DES
A brute-force attack on simplified DES is certainly feasible. With a 10-bit key, there are only
210
= 1024 possibilities. Given a ciphertext, an attacker can try each possibility and analyze the
result to determine if it is reasonable plaintext.
What about cryptanalysis? Let us consider a known plaintext attack in which a single
plaintext (p1, p2, p3, p4, p5, p6, p7, p8) and its ciphertext output (c1, c2, c3, c4, c5, c6, c7, c8)
are
known and the key (k1, k2, k3, k4, k5, k6, k7, k8, k9, k10) is unknown. Then each ci is a
polynomial
function gi of the pj's and kj's. We can therefore express the encryption algorithm as 8 nonlinear
equations in 10 unknowns. There are a number of possible solutions, but each of these could be
calculated and then analyzed. Each of the permutations and additions in the algorithm is a linear
mapping. The nonlinearity comes from the S-boxes. It is useful to write down the equations for
these boxes. For clarity, rename (p0,0, p0,1,p0,2, p0,3) = (a, b, c, d) and (p1,0, p1,1,p1,2, p1,3) =
(w, x,
y, z), and let the 4-bit output be (q, r, s, t) Then the operation of the S0 is defined by the
following equations:
q = abcd
ab
r = abcd
abd
ac
ab
b
ac
d
ad
a
c
where all additions are modulo 2. Similar equations define S1. Alternating linear maps with these
nonlinear maps results in very complex polynomial expressions for the ciphertext bits, making
cryptanalysis difficult. To visualize the scale of the problem, note that a polynomial equation in
10 unknowns in binary arithmetic can have 210 possible terms. On average, we might therefore
8/5/05
C-6
expect each of the 8 equations to have 29 terms. The interested reader might try to find these
equations with a symbolic processor. Either the reader or the software will give up before much
progress is made.
C.5 Relationship to DES
DES operates on 64-bit blocks of input. The encryption scheme can be defined as:
IP
-1
o fK16
oSW o fK15
oSWoLoSWo fK1
o IP
A 56-bit key is used, from which sixteen 48-bit subkeys are calculated. There is an initial
permutation of 64 bits followed by a sequence of shifts and permutations of 48 bits.
Within the encryption algorithm, instead of F acting on 4 bits (n1n2n3n4), it acts on 32 bits
(n1…n32). After the initial expansion/permutation, the output of 48 bits can be diagrammed as:
n32 n1 n2 n3 n4 n5
n4 n5 n6 n7 n8 n9
•
•
•
•
•
•
•
•
•
n28 n29 n30 n31 n32 n1
This matrix is added (exclusive-OR) to a 48-bit subkey. There are 8 rows, corresponding to
8 S-boxes. Each S-box has 4 rows and 16 columns. The first and last bit of a row of the
preceding matrix picks out a row of an S-box, and the middle 4 bits pick out a column.
Block Cipher Principle
I. SYMMETRIC ENCRYPTION PRINCIPLES
This lecture discusses the principles of all known contemporary symmetric key cryptosystems.
All these
systems have evolved from early classical ciphers discussed in the previous lectures. As we have
seen,
these classical ciphers may operate in the following two ways.
• Stream cipher, such as Vigen`ere cipher, encrypts one letter at a time.
• Block cipher, such as Hill cipher, treats a n-letter block of plaintext as a whole and produce a
ciphertext block of equal length.
A. Block Cipher Principles
As block cipher have different modes of operation (we will discuss this topic later in this lecture)
and applies to a broader range of applications than stream cipher, we will focus on its design
principles in this lecture.
A block cipher transform a plaintext block of n letters into an encrypted block. For the alphabet
with 26 letters, there are 26n possible different plaintext blocks. The most general way of
encrypting a n-letter block is to take each of the plaintext blocks and map it to a cipher block
(arbitrary n-letter substitution cipher). For decryption to be possible, such mapping needs to be
one-to-one (i.e., each plaintext block must be mapped to a unique ciphertext block). The number
of different one-to-one mappings among n-letter blocks is (26n)!.
The length of block n can not be too short in order to secure the cryptographic scheme. For
example, n = 1 gives a monoalphabetic cipher. Such schemes, as we have seen, are vulnerable to
frequency analysis and brute-force attacks. However, an arbitrary reversible substitution cipher
for a large block size n is not practical. Let’s consider the problem of specifying a mapping of all
possible n-letter blocks. In a cipher, each key specifies such a mapping. Let’s assume the key
consists of a block of k letters. Then the number of all possible keys is 26k. Then for a n-letter
arbitrary substitution block cipher, the key size needs to satisfy 26k _ (26n)!, i.e., k _ n × 26n!.
So the major challenge to design a symmetric key cryptographic scheme is to provide enough
security (e.g., using a reasonable large block size) with a reasonable small size key1.
1.It is fairly obvious that the key length can not be too short either. Otherwise the cryptographic
scheme would also be vulnerable to brute-force attack where the attackers may search through all
possible keys.
2.However, how do we know that a cryptographic system is secure enough? To answer this
question,Claude Shannon theoretically deduced the following principles that should be followed
to design secure cryptographic systems. These principles aim at thwarting cryptanalysis based on
known statistical properties of the plaintext.
• Confusion. In Shannon’s original definitions, confusion makes the relation between the key and
the ciphertext as complex as possible. Ideally, every letter in the key influences every letter of
the ciphertext block. Replacing every letter with the one next to it on the typewriter keyboard is a
simple example of confusion by substitution. However, good confusion can only be achieved
when each character of the ciphertext depends on several parts of the key, and this dependence
appears to be random to the observer. Ciphers that do not offer much confusion (such as
Vigen`ere cipher) are vulnerable to frequency analysis.
• Diffusion. Diffusion refers to the property that the statistics structure of the plaintext is
dissipated into long range statistics of the ciphertext. In contrast to confusion, diffusion spreads
the influence of a single plaintext letter over many ciphertext letters. In terms of the frequency
statistics of letters, digrams, etc in the plaintext, diffusion randomly spreads them across several
characters in the ciphertext. This means that much more ciphertexts are needed to do a
meaningful statistical attackon the cipher.
B. The Feistel Network
Product ciphers use the two classical encryption forms: substitution and transposition,
alternatively in multiple rounds to achieve both confusion and diffusion respectively. Shannon
was the first to investigate the product cryptosystem (so called substitution-permutation network)
and show that some sophisticated heuristic ciphers were nothing other than products of some
simpler ciphers. Most importantly, Shannon identified the necessary condition of the cipher
strength increases as a result of cascading simple ciphers.
One possible way to build a secret key algorithm using substitution-permutation-network is to
break the input into manageable-sized chunks, do a substitution on each small chunk, and then
take the outputs of all the substitutions and run them through a permuter that is as big as the
input, which shuffles the letters around. Then the process is repeated, so that each letter winds up
as an input to each of the substitutions.
Since modern cryptosystems are all computer-based, from now on we will assume that both plain
and cipher text are strings of bits ({0, 1}), instead of strings of letters ({a, b, c, ..., z}).
The Feistel network shown in Fig. 1 is a particular form of the substitution-permutation network.
The input to a Feistel network is a plaintext block of n bits, and a key K. The plaintext block is
divided intotwo halves, L0 and R0. The two halves of the data pass through r rounds of
processing and then combine to produce the ciphertext block. Each round i has as input Li−1 and
Ri−1, derived from the previous round, as well as a subkey Ki, derived from the overall key K.
In general, the subkey Ki are different from K and from each other. In this structure, a
substitution is performed via the round function F, and permutation is performed that
interchanges the two halves of the data.
The exact realization of a Feistel network depends on the choices of the following parameters
and design features.
• Block size: Larger block size means greater security, but reduces encryption/decryption speed.
• Key size: Larger key size means greater security but may decrease encryption/decryption
speed.
• Number of rounds: Multiple rounds offer increasing security.
• Subkey generation algorithm: Greater complexity in subkey generation leads to greater
security.
4• Round function: Greater complexity in round function means greater difficulty of
cryptanalysis.
It is worth noting that the process of decryption with a Feistel network is essentially the same as
the encryption process by using the ciphertext as input to the network, but using the subkey Ki in
reverse order, as shown in Fig 2. The reason is explained as follows. Let’s consider the last step
in encryption,which gives,
5 LE16 = RE15 (1)
RE16 = LE15 _ F(RE15,K16) (2)
On the decryption side,
LD1 = RD0 = LE16 = RE15 (3)
RD1 = LD0 _ F(RD0,K16) (4)
= RE16 _ F(RE15,K16) (5)
= [LE15 _ F(RE15,K16)] _ F(RE15,K16) (6)
= LE15 (7)
The process can be done iteratively. Finally, we will see that the output of the decryption is the
same as the input to the encryption (i.e., original plaintext).
Modes of operation
Electronic codebook (ECB)
The simplest of the encryption modes is the electronic codebook (ECB) mode, in which the
message is split into blocks and each is encrypted separately. The disadvantage of this method is
that identical plaintext blocks are encrypted to identical ciphertext blocks; it does not hide data
patterns. Thus, in some senses it doesn't provide message confidentiality at all, and is not
recommended for cryptographic protocols.
Here's a striking example of the degree to which ECB can reveal patterns in the plaintext. A
pixel-map version of the image on the left was encrypted with ECB mode to create the center
image:
Original
Encrypted using ECB mode
Encrypted securely
The image on the right is how the image might look encrypted with CBC, CTR or any of the
other more secure modes -- indistinguishable from random noise. Note that the random
appearance of the image on the right tells us very little about whether the image has been
securely encrypted; many kinds of insecure encryption have been developed which would
produce output just as random-looking.
ECB mode can also make protocols without integrity protection even more susceptible to replay
attacks, since each block gets decrypted in exactly the same way. For example, the Phantasy Star
Online: Blue Burst online video game uses Blowfish in ECB mode. Before the key exchange
system was cracked leading to even easier methods, cheaters repeated encrypted "monster killed"
message packets, each an encrypted Blowfish block, to illegitimately gain experience points
quickly.
Cipher-block chaining (CBC)
In the cipher-block chaining (CBC) mode, each block of plaintext is XORed with the previous
ciphertext block before being encrypted. This way, each ciphertext block is dependent on all
plaintext blocks up to that point.
Cipher feedback (CFB) and output feedback (OFB)
The cipher feedback (CFB) and output feedback (OFB) modes make the block cipher into a
stream cipher: they generate keystream blocks, which are then XORed with the plaintext blocks
to get the ciphertext. Just as with other stream ciphers, flipping a bit in the ciphertext produces a
flipped bit in the plaintext at the same location.
With cipher feedback a keystream block is computed by encrypting the previous ciphertext
block.
Output feedback generates the next keystream block by encrypting the last one.
Counter (CTR)
Like OFB, counter mode turns a block cipher into a stream cipher. It generates the next
keystream block by encrypting successive values of a "counter". The counter can be any simple
function which produces a sequence which is guaranteed not to repeat for a long time, although
an actual counter is the simplest and most popular. CTR mode has very similar characteristics to
OFB, but also allows a random access property for decryption.
Integrity protection and error propagation
The block cipher modes of operation presented above provide no integrity protection. This
means that an attacker who does not know the key may still be able to modify the data stream in
ways useful to them. It is now generally well understood that wherever data is encrypted, it is
nearly always essential to provide integrity protection for security. For secure operation, the IV
and ciphertext generated by these modes should be authenticated with a secure MAC, which is
checked before decryption.
Before these issues were well understood, it was common to discuss the "error propogation"
properties of a mode of operation as a means of evaluating it. It would be observed, for example,
that a one-block error in the transmitted ciphertext would result in a one-block error in the
reconstructed plaintext for ECB mode encryption, while in CBC mode such an error would affect
two blocks:
Some felt that such resilience was desirable in the face of random errors, while others argued that
it increased the scope for attackers to modify the message to their own ends.
However, when proper integrity protection is used such an error will result (with high
probability) in the entire message being rejected - if resistance to random error is desirable, error
correcting codes should be applied after encryption.
AEAD block cipher modes of operation such as IACBC, IAPM, OCB, EAX, and CWC mode
directly provide both encryption and authentication.
Initialization vector (IV)
All modes (except ECB) require an initialization vector, or IV - a sort of dummy block to kick
off the process for the first real block, and also provide some randomisation for the process.
There is no need for the IV to be secret, but it is important that it is never reused with the same
key. For CBC and CFB, reusing an IV leaks some information. For OFB and CTR, reusing an IV
completely destroys security. In addition, the IV used in CFB mode must be randomly generated
and kept secret until the first block of plaintext is made available for encryption.
Padding
Because a block cipher works on units of a fixed size, but messages come in a variety of lengths,
some modes (mainly CBC) require that the final block be padded before encryption. Several
padding schemes exist. The simplest is simply to add null bytes to the plaintext to bring its length
up to a multiple of the block size, but care must be taken that the original length of the plaintext
can be recovered; this is so, for example, if the plaintext is a C style string which contains no null
bytes except at the end. Slightly more complex is the original DES method, which is to add a
single one bit, followed by enough zero bits to fill out the block; if the message ends on a block
boundary, a whole padding block will be added. Most sophisticated are CBC-specific schemes
such as ciphertext stealing or residual block termination, which do not cause any extra ciphertext
expansion, but these schemes are relatively complex.
CFB, OFB and CTR modes do not require any special measures to handle messages whose
lengths are not multiples of the block size since they all work by XORing the plaintext with the
output of the block cipher,
