NEHRU ARTS AND SCIENCE COLLEGE, T.M.PALAYAM, COIMBATORE
NAME OF THE PAPER: NETWORK SECURITY AND CRYPTOGRAPHY
STAFF NAME: A.SENTHIL KUMAR
ACADEMIC YEAR: 2011 - 2012

UNIT-I: Service mechanism and attacks – The OSI security architecture – A model for network security – Symmetric cipher model – Substitution techniques – Transposition techniques – Simplified DES – Block cipher principles – The strength of DES – Block cipher design principles and modes of operation.

Service mechanism and attacks

Having identified the relevant security threats to a system, the system operator can apply various security services and mechanisms to confront these threats and implement a desired security policy. In this section we give a general description of such services and techniques. The science behind these methods is researched and developed as part of the broad discipline of cryptography. Cryptography embodies the mathematical principles, means, and methods for transforming data in order to hide its information content, prevent its undetected modification, and/or prevent its unauthorized use. Cryptographic functions may be used as part of encipherment, decipherment, data integrity, authentication exchanges, password storage and checking, etc., to help achieve confidentiality, integrity, and/or authentication. The following subsections summarize some key security services and mechanisms.

Encipherment and Data Confidentiality

Encipherment is a security mechanism that transforms data into some unreadable form. Its purpose is to ensure privacy by keeping the information hidden from anyone for whom it is not intended, even those who can see the enciphered data. Decipherment is the reverse of encipherment: the transformation of encrypted data back into some intelligible form. Encipherment is performed on cleartext (intelligible data) to produce ciphertext (encrypted data whose semantic content is not available).
The result of decipherment is either cleartext, or ciphertext under some cover. Encipherment can provide confidentiality of either data or traffic flow information, and can play a part in, or complement, other security mechanisms. Encipherment and decipherment require the use of some secret information, usually referred to as a key, which directs the specific transformations. The key is one of two cryptovariables used; the other is the initialization variable, which is sometimes required to preserve the apparent randomness of ciphertext.

Encipherment techniques can be symmetric (secret key), where knowledge of the encipherment key implies knowledge of the private decipherment key and vice versa, or asymmetric. In asymmetric algorithms, one key is generally called public (because it is publicly available), while the other is called private (because it is kept secret). Once a private key has been compromised, the system (or at least the use of that private key) is no longer secure. Both encipherment techniques are used to provide the data confidentiality service. Modern cryptographic systems also provide mechanisms for authentication, for instance through digital signatures, which bind a document to the possessor of a specific key, or digital timestamps, which bind a document to its creation at a given time. In general, the existence of an encipherment mechanism implies the use of a key management mechanism.

Public Key Cryptography

Figure 6.1 illustrates a simple public key cryptographic system that provides data confidentiality. When Alice wishes to send a secret message to Bob, she looks up Bob's public key in a directory, uses it to encrypt the message, and sends it off. Bob then uses his private key to decrypt the message and read it. No one listening in can decrypt the message. Anyone can send Bob an encrypted message, but only Bob can read it. Clearly one requirement is that no one can figure out the private key from the corresponding public key.
Figure 6.1: A Public Key Cryptographic System (PKCS)

Digital Signatures

A digital signature is the process of binding some information (e.g., a document) to its originator (e.g., the signer). The essential characteristic of a digital signature is that the signed data unit cannot be created without using the private key. This means that:
1. The signed data unit cannot be created by any individual except the holder of the private key.
2. The recipient cannot create the signed data unit.
3. The sender cannot deny sending the signed data unit.
Therefore, using only publicly available information (the public key), it is possible to identify the signer of a data unit as the possessor of the private key. It is also possible to prove the identity of the signer of the data unit to a reliable third party in case of a later conflict. Thus, a digital signature attests to the contents of a message as well as to the identity of the signer.

As long as a secure hash function (a function that is easy to compute in one direction but hard to compute in the opposite direction) is used, one cannot take a person's signature from one document and transpose it onto another, or alter a signed message in any way. The slightest change in a digitally signed document will cause the digital signature verification process to fail. However, if a signature verification fails, it is in general difficult to determine whether there was an attempted forgery or simply a transmission error.

In short, a digital signature mechanism involves two procedures: signing a data unit, and verifying the signed data unit. The former uses information which is private (i.e., unique and confidential) to the signer. The latter uses procedures and information which are publicly available, but from which the signer's private information cannot be deduced.

Figure 6.2: A Digital Signature Mechanism

Figure 6.2 illustrates a digital signature mechanism.
To sign a message, Alice appends to the information she wishes to send an enciphered summary of that information. The summary is produced by means of a one-way hash function (h), while the enciphering is carried out using Alice's secret key (E). Thus the message sent to Bob is of the form:

X{info} = info + Xs[h(info)]

The encipherment using the secret key ensures that the signature cannot be forged. The one-way nature of the hash function ensures that false information, generated so as to have the same hash result (and thus the same signature), cannot be substituted. In his turn, upon receipt of Alice's message, Bob verifies the signature by applying the one-way hash function to the information and comparing the result with that obtained by deciphering the signature using Alice's public key. If these two are the same, it is verified that Alice is the "true" sender of the message. It should be clear that, for the authentication to be performed correctly, both Alice and Bob must be using the same hash function.

Authentication

Authentication is defined by [KAUF95] as "the process of reliably verifying the identity of someone (or something)". Authentication can be "one-way" or "two-way". Each of these is described below.

• One-way authentication: involves a single transfer of information from one user (A) intended for another (B), and establishes the following:
  • the identity of A, and that the authentication token was generated by A;
  • the identity of B, and that the authentication token was intended to be sent to B;
  • the integrity and originality (the property of not having been sent two or three times) of the authentication token being transferred.
• Two-way authentication: involves, in addition, a reply from B to A, and establishes, in addition, the following:
  • that the authentication token generated in the reply was actually generated by B and was intended to be sent to A;
  • the integrity and originality of the authentication token sent in the reply;
  • (optionally) the mutual secrecy of part of the tokens.

Corroboration of identity is often established by demonstrating possession of a secret key. Authentication may be accomplished by applying symmetric or asymmetric cryptographic techniques. When using private keys (symmetric), corroboration of identity is often based on a "shared secret". When using public keys (asymmetric), authentication is based on digital signatures and digital timestamps. Since the digital signature binds the possessor of the private key to a document, and the timestamp can be verified to protect against replays, corroboration of identity can be established by combining a digital signature with a timestamp.

Traffic Flow Confidentiality

Cryptographic protocols are designed to resist attacks and also, sometimes, traffic analysis. A specific traffic analysis countermeasure, traffic flow confidentiality, aims to conceal the presence or absence of data and its characteristics. This is important because knowledge of the activity can be as useful to the bad guys as the content of the activity itself. If ciphertext is relayed, the address must be in the clear at the relays and gateways. If the data are enciphered only on each link, and are deciphered (and thus made vulnerable) in the relay or gateway, the architecture is said to use link-by-link confidentiality (or encipherment). If only the address (and similar control data) are in the clear in the relay or gateway, the architecture is said to use end-to-end data confidentiality (or encipherment). End-to-end encryption is more desirable from a security point of view, but considerably more complex architecturally.
Furthermore, traffic padding can be used to provide various levels of protection against traffic analysis. This mechanism can be effective only if the traffic is protected by a confidentiality service.

Data Integrity

Data integrity is the property of data that has not been altered or destroyed in an unauthorized manner. It is achieved via a calculated cryptographic check value. The check value may be derived in one or more steps and is a mathematical function of the cryptovariables and the data. These check values are associated with the data to be guarded. If the check value matches the value calculated by the data recipient, data integrity is assumed. Two aspects of data integrity are: the integrity of a single data unit or field, and the integrity of a stream of data units or fields.

Determining the integrity of a single data unit involves two processes, one at the sender and the other at the receiver. The sender appends to the data unit a quantity which is a function of the data itself. This quantity may be supplementary information such as a block code or a cryptographic check value, and may itself be enciphered. The receiver generates a corresponding quantity and compares it with the received quantity to determine whether the data has been modified in transit. Protecting the integrity of a sequence of data units (against misordering, losing, replaying, and inserting or modifying the data) additionally requires some form of explicit ordering, such as sequence numbering, time stamping, or cryptographic chaining.

Key Management

Key management encompasses the generation, distribution, and control of cryptographic keys. It is implied by the use of cryptographic algorithms. Important points to be considered are:
1. The use of a lifetime, based on time, use, or other criteria, for each key, defined implicitly or explicitly. The longer a key's lifetime, the greater the probability that the key will be compromised by the bad guys.
2. The proper identification of keys according to their functions, so that they are used only for their intended function. The greater the key's exposure (to multiple applications), the greater the probability that the key will be compromised.
3. Physical distribution and archiving of keys. This is both a logistics and a security issue, especially in distributed systems such as WANs.

Points to be considered concerning key management for symmetric key algorithms include:
1. The use of a confidentiality service in the key management protocol.
2. The use of a key hierarchy ("flat" hierarchies using only data-enciphering keys, multilayer key hierarchies, etc.).
3. The division of responsibilities so that no one person has a complete copy of an important key.
For asymmetric key management, confidentiality services are used to convey the secret keys. Additionally, an integrity service (or a service with proof of origin) is needed to convey the public keys.

Access Control

Access control mechanisms are used to enforce a policy of limiting access to a resource to only those users who are authorized. These techniques include the use of access control lists or matrices, passwords, capabilities, and labels, the possession of which may be used to indicate access rights.

Network Layer Security Considerations

Network Layer Security Protocol (NLSP)

NLSP is an international standard that specifies a protocol to be used by end systems and intermediate systems in order to provide security services in the network layer. It is defined by ISO 11577. Much of the material appearing here is from the American National Standards Institute (ANSI), which is the official U.S. representative to ISO. NLSP specifies a series of services and functional requirements for implementation. The services, as defined in ISO 7498-2, are:
• peer entity authentication;
• data origin authentication;
• access control;
• connection confidentiality;
• connectionless confidentiality;
• traffic flow confidentiality;
• connection integrity without recovery (including data unit integrity, in which individual SDUs on a connection are integrity protected);
• connectionless integrity.

The procedures of this protocol are defined in terms of:
• requirements on the cryptographic techniques that can be used in an instance of this protocol;
• requirements on the information carried in the security association used in an instance of communication.

Although the degree of protection afforded by some security mechanisms depends on the use of specific cryptographic techniques, correct operation of this protocol does not depend on the choice of any particular encipherment or decipherment algorithm; that choice is left as a local matter for the communicating systems. Furthermore, neither the choice nor the implementation of a specific security policy is within the scope of this international standard. The choice of a specific security policy, and hence the degree of protection that will be achieved, is left as a local matter among the systems that are using a single instance of secure communications. NLSP does not require that multiple instances of secure communications involving a single open system use the same security protocol.

NLSP supports cryptographic protection either between end systems (in which case it resembles the Transport Layer Security Protocol, TLSP) or between intermediate systems located at the borders of security domains. This latter aspect makes NLSP quite appealing to those who would like to provide security services not by securing each and every system in a domain, but by forcing all external communications to transit through a small set of secure systems (assuming that communications within the domain need no security services). In this sense, one can see NLSP as supporting (at the domain level) administrative policies (mandatory security), while TLSP is more tuned towards discretionary communication policies.
The OSI security architecture

The security architecture for OSI defines such a systematic approach. The OSI security architecture is useful to managers as a way of organizing the task of providing security. It was developed as an international standard. The OSI security architecture focuses on security attacks, mechanisms, and services. These can be defined briefly as follows:

Security attack: any action that compromises the security of information owned by an organization.
Security mechanism: a process that is designed to detect, prevent, or recover from a security attack; in other words, a method used to protect your message from an unauthorized entity.
Security services: the services that implement security policies; they are themselves implemented by security mechanisms.

A model for network security

Introduction to the Network Security Model (NSM)

The Open Systems Interconnection model (OSI), developed in 1983 by the International Organization for Standardization (ISO), has been used as a framework to teach networking basics and troubleshoot networking issues for the last 25 years. It has been so influential in network development and architecture that even most of the network communication protocols in use today have a structure that is based on it. But just as the OSI model never fails us, we find that we are lacking a standard that all network security professionals can adhere to: a Network Security Model (NSM). Today's sophisticated and complex networks create the fundamental need for the NSM. The proposed Network Security Model (NSM) is a seven-layer model that divides the daunting task of securing a network infrastructure into seven manageable sections. The model is generic and can apply to all security implementations and devices. The development of the NSM is important because unity is needed in securing networks, just as unity was needed in the architecture of networks with the development of the OSI model.
When an attack on a network has succeeded, it is much easier to locate the underlying issue and fix it with the use of the NSM. The NSM will provide a way to teach and implement basic network security measures and devices, as well as to locate underlying issues that may have allowed an attack to succeed. Traditionally we work from the bottom up to determine which layer has failed on the OSI model, but on the NSM we will work from the top down to determine which layer has failed. See the NSM (Figure 1.1). Once the layer of failure is found, we can determine that all of the layers above this layer have also failed. A network security professional will be able to quickly determine whether other hosts may have been compromised by the breach of the layer, and how to secure it against the same attack in the future. Throughout the paper we will be working from the top down, describing what each layer is and how the layers of the NSM work together to accomplish complete network security.

Figure 1.1 – The Network Security Model (layers: Physical, VLAN, ACL, Software, User, Administrative, IT Department)

1.2 Why do we need a Network Security Model?

A well-structured NSM will give the security community a way to study, implement, and maintain network security that can be applied to any network. In study, it can be used as a tool to break network security down into seven simple layers with a logical process. Traditional books have always presented network security in an unorganized fashion, where some books cover issues that other books may completely neglect. In implementation, it can be used by network architects to ensure that they are not missing any important security details while designing a network. In maintaining existing networks, it can be used to develop maintenance schedules and lifecycles for the security of the existing network. It can also be used to detect where breaches have occurred so that an attack can be mitigated. The NSM is beneficial to all types of professionals.
Let us not forget professionals who are transitioning into positions previously held by other network security professionals. Currently, learning which security techniques have been implemented on a network and which have not can be a daunting task when the basic security structure of the network is unclear. The NSM provides that basic structure. It provides the new professional with the knowledge to discover what has been implemented and what has not been implemented from a security standpoint. Without an NSM, the network security community faces potential chaos as professionals continue to implement their own versions of secure networks without adequate structure.

Symmetric cipher model

The symmetric cipher model (Figure 2.1) consists of five ingredients:
• Plaintext
• Encryption algorithm, which performs substitutions/transformations on the plaintext
• Secret key, which controls the exact substitutions/transformations used in the encryption algorithm
• Ciphertext
• Decryption algorithm, which is the inverse of the encryption algorithm

The symmetric cipher mathematical model (Figure 2.2) can be described as follows:
X : plaintext, X = [X1, X2, …, XM]
K : key, K = [K1, K2, …, Kj]
Y : ciphertext, Y = [Y1, Y2, …, YN]
Y = E_K(X), where E_K is the encryption algorithm
X = D_K(Y), where D_K is the decryption algorithm

A source produces a message in plaintext X = [X1, X2, …, XM]. The M elements of X are letters in some finite alphabet; in a classical encryption scheme the alphabet consists of the 26 capital letters, while in a modern encryption scheme the binary alphabet {0, 1} is used. A key of the form K = [K1, K2, …, Kj] is generated to be used for encryption. If the key is generated at the message source, then it must be provided to the destination by means of some secure channel. If instead the key is generated by a trusted third party, the key must be securely delivered to both source and destination.
The encryption algorithm E takes the plaintext X and the key K as input and transforms X into the ciphertext Y = [Y1, Y2, …, YN]; we write this as Y = E_K(X). This means that Y is produced by the encryption algorithm E as a function of the plaintext X and the key K. At the destination end, the ciphertext Y is transformed back into the original plaintext X using the decryption algorithm D and the shared key K; we write this as X = D_K(Y). An opponent (cryptanalyst) can obtain Y but cannot access K or X; he may try to recover X or K. It is assumed that the opponent knows the encryption and decryption algorithms. We generally assume that the algorithm is known, which allows easy distribution of software and hardware implementations; hence we assume that keeping just the key secret is sufficient to secure encrypted messages. In summary, we have plaintext X, ciphertext Y, key K, encryption algorithm E_K, and decryption algorithm D_K.

Substitution techniques

In cryptography, a Caesar cipher, also known as Caesar's cipher, the shift cipher, Caesar's code, or Caesar shift, is one of the simplest and most widely known encryption techniques. It is a type of substitution cipher in which each letter in the plaintext is replaced by a letter some fixed number of positions down the alphabet. For example, with a shift of 3, A would be replaced by D, B would become E, and so on. The method is named after Julius Caesar, who used it to communicate with his generals. The encryption step performed by a Caesar cipher is often incorporated as part of more complex schemes, such as the Vigenère cipher, and still has a modern application in the ROT13 system. As with all single-alphabet substitution ciphers, the Caesar cipher is easily broken and in practice offers essentially no communication security.

S-DES Key Generation

S-DES depends on the use of a 10-bit key shared between sender and receiver.
From this key, two 8-bit subkeys are produced for use in particular stages of the encryption and decryption algorithm. Figure C.2 depicts the stages followed to produce the subkeys. First, permute the key in the following fashion. Let the 10-bit key be designated as (k1, k2, k3, k4, k5, k6, k7, k8, k9, k10). Then the permutation P10 is defined as:

P10(k1, k2, k3, k4, k5, k6, k7, k8, k9, k10) = (k3, k5, k2, k7, k4, k10, k1, k9, k8, k6)

P10 can be concisely defined by the display:

P10: 3 5 2 7 4 10 1 9 8 6

This table is read from left to right; each position in the table gives the identity of the input bit that produces the output bit in that position. So the first output bit is bit 3 of the input, the second output bit is bit 5 of the input, and so on. For example, the key (1010000010) is permuted to (1000001100). Next, perform a circular left shift (LS-1), or rotation, separately on the first five bits and the second five bits. In our example, the result is (00001 11000). Next we apply P8, which picks out and permutes 8 of the 10 bits according to the following rule:

P8: 6 3 7 4 8 5 10 9

The result is subkey 1 (K1). In our example, this yields (10100100). We then go back to the pair of 5-bit strings produced by the two LS-1 functions and perform a circular left shift of 2 bit positions on each string. In our example, the value (00001 11000) becomes (00100 00011). Finally, P8 is applied again to produce K2. In our example, the result is (01000011).

C.3 S-DES Encryption

Figure C.3 shows the S-DES encryption algorithm in greater detail. As was mentioned, encryption involves the sequential application of five functions. We examine each of these.

Initial and Final Permutations

The input to the algorithm is an 8-bit block of plaintext, which we first permute using the IP function:

IP: 2 6 3 1 4 8 5 7

This retains all 8 bits of the plaintext but mixes them up.
At the end of the algorithm, the inverse permutation is used:

IP^-1: 4 1 3 5 7 2 8 6

It is easy to show by example that the second permutation is indeed the reverse of the first; that is, IP^-1(IP(X)) = X.

The Function fK

The most complex component of S-DES is the function fK, which consists of a combination of permutation and substitution functions. The functions can be expressed as follows. Let L and R be the leftmost 4 bits and rightmost 4 bits of the 8-bit input to fK, and let F be a mapping (not necessarily one to one) from 4-bit strings to 4-bit strings. Then we let

fK(L, R) = (L ⊕ F(R, SK), R)

where SK is a subkey and ⊕ is the bit-by-bit exclusive-OR function. For example, suppose the output of the IP stage in Figure C.3 is (10111101) and F(1101, SK) = (1110) for some key SK. Then fK(10111101) = (1011 ⊕ 1110, 1101) = (0101 1101).

We now describe the mapping F. The input is a 4-bit number (n1 n2 n3 n4). The first operation is an expansion/permutation operation:

E/P: 4 1 2 3 2 3 4 1

For what follows, it is clearer to depict the result in this fashion:

n4 n1 n2 n3
n2 n3 n4 n1

The 8-bit subkey K1 = (k11, k12, k13, k14, k15, k16, k17, k18) is added to this value using exclusive-OR:

n4 ⊕ k11   n1 ⊕ k12   n2 ⊕ k13   n3 ⊕ k14
n2 ⊕ k15   n3 ⊕ k16   n4 ⊕ k17   n1 ⊕ k18

Let us rename these 8 bits:

p0,0 p0,1 p0,2 p0,3
p1,0 p1,1 p1,2 p1,3

The first 4 bits (first row of the preceding matrix) are fed into the S-box S0 to produce a 2-bit output, and the remaining 4 bits (second row) are fed into S1 to produce another 2-bit output. The S-boxes operate as follows. The first and fourth input bits are treated as a 2-bit number that specifies a row of the S-box, and the second and third input bits specify a column of the S-box. The entry in that row and column, in base 2, is the 2-bit output. For example, if (p0,0 p0,3) = (00) and (p0,1 p0,2) = (10), then the output is from row 0, column 2 of S0, which is 3, or (11) in binary. Similarly, (p1,0 p1,3) and (p1,1 p1,2) are used to index into a row and column of S1 to produce an additional 2 bits.
Next, the 4 bits produced by S0 and S1 undergo a further permutation as follows:

P4: 2 4 3 1

The output of P4 is the output of the function F.

The Switch Function

The function fK only alters the leftmost 4 bits of the input. The switch function (SW) interchanges the left and right 4 bits so that the second instance of fK operates on a different 4 bits. In this second instance, the E/P, S0, S1, and P4 functions are the same. The key input is K2.

C.4 Analysis of Simplified DES

A brute-force attack on simplified DES is certainly feasible. With a 10-bit key, there are only 2^10 = 1024 possibilities. Given a ciphertext, an attacker can try each possibility and analyze the result to determine whether it is reasonable plaintext.

What about cryptanalysis? Let us consider a known-plaintext attack in which a single plaintext (p1, p2, p3, p4, p5, p6, p7, p8) and its ciphertext output (c1, c2, c3, c4, c5, c6, c7, c8) are known and the key (k1, k2, k3, k4, k5, k6, k7, k8, k9, k10) is unknown. Then each ci is a polynomial function gi of the pj's and kj's. We can therefore express the encryption algorithm as 8 nonlinear equations in 10 unknowns. There are a number of possible solutions, but each of these could be calculated and then analyzed. Each of the permutations and additions in the algorithm is a linear mapping. The nonlinearity comes from the S-boxes. It is useful to write down the equations for these boxes. For clarity, rename (p0,0, p0,1, p0,2, p0,3) = (a, b, c, d) and (p1,0, p1,1, p1,2, p1,3) = (w, x, y, z), and let the 4-bit output be (q, r, s, t). Then the operation of S0 is defined by the following equations:

q = abcd + ab + ac + b + d
r = abcd + abd + ab + ac + ad + a + c

where all additions are modulo 2. Similar equations define S1. Alternating linear maps with these nonlinear maps results in very complex polynomial expressions for the ciphertext bits, making cryptanalysis difficult.
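The S-DES key schedule, encryption and decryption described above, written out end to end as an added example (this is not code from the notes). The permutation tables and the worked values (key 1010000010, K1 = 10100100, K2 = 01000011) are those quoted in the notes; the S0 and S1 tables are the standard S-DES S-boxes from Stallings, of which the notes quote only one entry, so treat them as an assumption. The last function illustrates the brute-force point of C.4: with only 1024 keys, one known plaintext/ciphertext pair narrows the key to a handful of candidates.

```python
"""S-DES as in the notes: P10 -> LS-1 -> P8 (K1), LS-2 -> P8 (K2);
IP -> f_K1 -> SW -> f_K2 -> IP^-1.  Bits are lists of 0/1, tables are 1-based."""

P10 = [3, 5, 2, 7, 4, 10, 1, 9, 8, 6]
P8 = [6, 3, 7, 4, 8, 5, 10, 9]
IP = [2, 6, 3, 1, 4, 8, 5, 7]
IP_INV = [4, 1, 3, 5, 7, 2, 8, 6]
EP = [4, 1, 2, 3, 2, 3, 4, 1]
P4 = [2, 4, 3, 1]
# Standard S-DES S-boxes (assumed; the notes quote only S0[row 0][col 2] = 3).
S0 = [[1, 0, 3, 2], [3, 2, 1, 0], [0, 2, 1, 3], [3, 1, 3, 2]]
S1 = [[0, 1, 2, 3], [2, 0, 1, 3], [3, 0, 1, 0], [2, 1, 0, 3]]


def bits(s):
    """'1010' -> [1, 0, 1, 0]."""
    return [int(c) for c in s]


def to_str(b):
    return "".join(str(x) for x in b)


def permute(table, b):
    """Output position i takes input bit table[i] (read left to right, as in the notes)."""
    return [b[i - 1] for i in table]


def rotl(b, n):
    """Circular left shift by n positions."""
    return b[n:] + b[:n]


def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]


def key_schedule(key10):
    """P10, LS-1 on each 5-bit half, P8 -> K1; LS-2 on the halves, P8 -> K2."""
    p = permute(P10, key10)
    left, right = rotl(p[:5], 1), rotl(p[5:], 1)
    k1 = permute(P8, left + right)
    left, right = rotl(left, 2), rotl(right, 2)
    k2 = permute(P8, left + right)
    return k1, k2


def sbox(box, four):
    """Row from the first and fourth bits, column from the second and third."""
    row = 2 * four[0] + four[3]
    col = 2 * four[1] + four[2]
    val = box[row][col]
    return [val >> 1, val & 1]


def F(right, subkey):
    """Mapping F: E/P, XOR with the subkey, S0 on the first row, S1 on the second, then P4."""
    t = xor(permute(EP, right), subkey)
    return permute(P4, sbox(S0, t[:4]) + sbox(S1, t[4:]))


def fk(block, subkey):
    """f_K(L, R) = (L xor F(R, SK), R): only the left half changes."""
    left, right = block[:4], block[4:]
    return xor(left, F(right, subkey)) + right


def switch(block):
    """SW: interchange the halves so the second f_K works on the other 4 bits."""
    return block[4:] + block[:4]


def encrypt(plaintext, key10):
    k1, k2 = key_schedule(bits(key10))
    b = fk(switch(fk(permute(IP, bits(plaintext)), k1)), k2)
    return to_str(permute(IP_INV, b))


def decrypt(ciphertext, key10):
    """Same structure with the subkeys applied in the reverse order (K2, then K1)."""
    k1, k2 = key_schedule(bits(key10))
    b = fk(switch(fk(permute(IP, bits(ciphertext)), k2)), k1)
    return to_str(permute(IP_INV, b))


def brute_force(plaintext, ciphertext):
    """C.4: only 2^10 = 1024 keys exist, so a known plaintext/ciphertext pair
    lets us list every key consistent with it."""
    return [k for k in range(1024)
            if encrypt(plaintext, format(k, "010b")) == ciphertext]
```

With the notes' key, plaintext 11110011 enters f_K as (10111101) after IP, exactly the value used in the worked example above.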
To visualize the scale of the problem, note that a polynomial equation in 10 unknowns in binary arithmetic can have 2^10 possible terms. On average, we might therefore expect each of the 8 equations to have 2^9 terms. The interested reader might try to find these equations with a symbolic processor. Either the reader or the software will give up before much progress is made.

C.5 Relationship to DES

DES operates on 64-bit blocks of input. The encryption scheme can be defined as:

IP^-1 ∘ fK16 ∘ SW ∘ fK15 ∘ SW ∘ … ∘ SW ∘ fK1 ∘ IP

A 56-bit key is used, from which sixteen 48-bit subkeys are calculated. There is an initial permutation of 64 bits followed by a sequence of shifts and permutations of 48 bits. Within the encryption algorithm, instead of F acting on 4 bits (n1 n2 n3 n4), it acts on 32 bits (n1 … n32). After the initial expansion/permutation, the output of 48 bits can be diagrammed as:

n32 n1  n2  n3  n4  n5
n4  n5  n6  n7  n8  n9
 •   •   •   •   •   •
n28 n29 n30 n31 n32 n1

This matrix is added (exclusive-OR) to a 48-bit subkey. There are 8 rows, corresponding to 8 S-boxes. Each S-box has 4 rows and 16 columns. The first and last bit of a row of the preceding matrix picks out a row of an S-box, and the middle 4 bits pick out a column.

Block Cipher Principles

I. SYMMETRIC ENCRYPTION PRINCIPLES

This lecture discusses the principles of all known contemporary symmetric key cryptosystems. All these systems have evolved from the early classical ciphers discussed in the previous lectures. As we have seen, these classical ciphers may operate in the following two ways.
• Stream cipher, such as the Vigenère cipher, encrypts one letter at a time.
• Block cipher, such as the Hill cipher, treats an n-letter block of plaintext as a whole and produces a ciphertext block of equal length.

A. Block Cipher Principles

As block ciphers have different modes of operation (we will discuss this topic later in this lecture) and apply to a broader range of applications than stream ciphers, we will focus on their design principles in this lecture. A block cipher transforms a plaintext block of n letters into an encrypted block. For the alphabet with 26 letters, there are 26^n possible different plaintext blocks. The most general way of encrypting an n-letter block is to take each of the plaintext blocks and map it to a cipher block (an arbitrary n-letter substitution cipher). For decryption to be possible, such a mapping needs to be one-to-one (i.e., each plaintext block must be mapped to a unique ciphertext block). The number of different one-to-one mappings among n-letter blocks is (26^n)!.

The block length n cannot be too short if the cryptographic scheme is to be secure. For example, n = 1 gives a monoalphabetic cipher. Such schemes, as we have seen, are vulnerable to frequency analysis and brute-force attacks. However, an arbitrary reversible substitution cipher for a large block size n is not practical. Let us consider the problem of specifying a mapping of all possible n-letter blocks. In a cipher, each key specifies such a mapping. Let us assume the key consists of a block of k letters. Then the number of all possible keys is 26^k. So for an n-letter arbitrary substitution block cipher, the key size needs to satisfy 26^k ≥ (26^n)!, i.e., roughly k ≥ n × 26^n. So the major challenge in designing a symmetric key cryptographic scheme is to provide enough security (e.g., using a reasonably large block size) with a reasonably small key size. (It is fairly obvious that the key length cannot be too short either; otherwise the cryptographic scheme would also be vulnerable to a brute-force attack, in which the attackers may search through all possible keys.)

However, how do we know that a cryptographic system is secure enough?
To answer this question, Claude Shannon theoretically deduced the following principles that should be followed to design secure cryptographic systems. These principles aim at thwarting cryptanalysis based on known statistical properties of the plaintext.

• Confusion. In Shannon's original definitions, confusion makes the relation between the key and the ciphertext as complex as possible. Ideally, every letter in the key influences every letter of the ciphertext block. Replacing every letter with the one next to it on the typewriter keyboard is a simple example of confusion by substitution. However, good confusion can only be achieved when each character of the ciphertext depends on several parts of the key, and this dependence appears to be random to the observer. Ciphers that do not offer much confusion (such as the Vigenère cipher) are vulnerable to frequency analysis.

• Diffusion. Diffusion refers to the property that the statistical structure of the plaintext is dissipated into long-range statistics of the ciphertext. In contrast to confusion, diffusion spreads the influence of a single plaintext letter over many ciphertext letters. In terms of the frequency statistics of letters, digrams, etc. in the plaintext, diffusion randomly spreads them across several characters in the ciphertext. This means that much more ciphertext is needed to mount a meaningful statistical attack on the cipher.

B. The Feistel Network

Product ciphers use the two classical encryption forms, substitution and transposition, alternately in multiple rounds to achieve confusion and diffusion respectively. Shannon was the first to investigate the product cryptosystem (the so-called substitution-permutation network) and to show that some sophisticated heuristic ciphers were nothing other than products of simpler ciphers. Most importantly, Shannon identified the necessary condition under which the strength of a cipher increases as a result of cascading simple ciphers.
One possible way to build a secret key algorithm using a substitution-permutation network is to break the input into manageable-sized chunks, do a substitution on each small chunk, and then take the outputs of all the substitutions and run them through a permuter that is as big as the input, which shuffles the letters around. Then the process is repeated, so that each letter winds up as an input to each of the substitutions. Since modern cryptosystems are all computer-based, from now on we will assume that both plaintext and ciphertext are strings of bits ({0, 1}) instead of strings of letters ({a, b, c, ..., z}).

The Feistel network shown in Fig. 1 is a particular form of the substitution-permutation network. The input to a Feistel network is a plaintext block of n bits and a key K. The plaintext block is divided into two halves, L0 and R0. The two halves of the data pass through r rounds of processing and then combine to produce the ciphertext block. Each round i has as input Li−1 and Ri−1, derived from the previous round, as well as a subkey Ki, derived from the overall key K. In general, the subkeys Ki are different from K and from each other. In this structure, a substitution is performed via the round function F, and a permutation is performed that interchanges the two halves of the data. The exact realization of a Feistel network depends on the choices of the following parameters and design features.

• Block size: A larger block size means greater security, but reduces encryption/decryption speed.
• Key size: A larger key size means greater security, but may decrease encryption/decryption speed.
• Number of rounds: Multiple rounds offer increasing security.
• Subkey generation algorithm: Greater complexity in subkey generation leads to greater security.
• Round function: Greater complexity in the round function means greater difficulty of cryptanalysis.
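The following Python program is an added worked example, not code from these notes. It combines the DES-style round function from the "Relationship to DES" section above (expansion E laid out as the 8×6 matrix, exclusive-OR with a 48-bit subkey, S-box row/column selection from the outer and middle bits) with the Feistel structure just described, and it checks the decryption argument given next (same network, subkeys in reverse order). It is not DES: a single S-box (DES's S1) stands in for all eight, the P permutation is omitted, and the key schedule is a toy rotation; the sample key and plaintext are constructed values.

```python
# Added example (not from the notes): a 64-bit Feistel network whose round
# function follows the DES shape, F(R, K) = S(E(R) xor K).
# Simplifications: one S-box (DES S1) reused for all eight 6-bit groups, no P
# permutation, toy key schedule. It is NOT DES; the structure is the point.
MASK32 = 0xFFFFFFFF

# Expansion table E as the 8x6 matrix in the notes: row i lists bit positions
# n(4i), n(4i+1), ..., n(4i+5), 1-based and wrapping mod 32, i.e.
# 32 1 2 3 4 5 / 4 5 6 7 8 9 / ... / 28 29 30 31 32 1.
E_TABLE = [[((4 * i + j - 1) % 32) + 1 for j in range(6)] for i in range(8)]

# DES S-box S1 (FIPS 46): 4 rows x 16 columns, each entry a 4-bit output
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]

def bit(x, n, width):
    """Bit n of x, numbered 1..width from the left as in the DES tables."""
    return (x >> (width - n)) & 1

def expand(r32):
    """E: 32-bit right half -> 48 bits, emitted row by row as eight 6-bit groups."""
    out = 0
    for row in E_TABLE:
        for n in row:
            out = (out << 1) | bit(r32, n, 32)
    return out

def sbox(box, six):
    """Outer bits (b1, b6) select the S-box row; the middle four (b2..b5) the column."""
    row = (((six >> 5) & 1) << 1) | (six & 1)
    col = (six >> 1) & 0xF
    return box[row][col]

def round_function(r32, subkey48):
    x = expand(r32) ^ subkey48              # add the 48-bit subkey (exclusive-OR)
    out = 0
    for g in range(8):                      # leftmost 6-bit group first
        six = (x >> (42 - 6 * g)) & 0x3F
        out = (out << 4) | sbox(S1, six)    # simplification: S1 for every group
    return out                              # 8 x 4 = 32 bits

def subkeys(key64, rounds=16):
    """Toy schedule (not DES's): rotate the 64-bit key, keep its low 48 bits."""
    ks = []
    for _ in range(rounds):
        key64 = ((key64 << 7) | (key64 >> 57)) & 0xFFFFFFFFFFFFFFFF
        ks.append(key64 & 0xFFFFFFFFFFFF)
    return ks

def feistel(block64, ks):
    L, R = block64 >> 32, block64 & MASK32
    for k in ks:
        L, R = R, L ^ round_function(R, k)  # L_i = R_{i-1}; R_i = L_{i-1} xor F(R_{i-1}, K_i)
    return (R << 32) | L                    # undo the final swap: output is (R_r, L_r)

def encrypt(block64, key64):
    return feistel(block64, subkeys(key64))

def decrypt(block64, key64):
    # the same network with the subkeys reversed: decryption round 1 undoes round 16
    return feistel(block64, subkeys(key64)[::-1])

if __name__ == "__main__":
    key, pt = 0x133457799BBCDFF1, 0x0123456789ABCDEF   # constructed sample values
    ct = encrypt(pt, key)
    print(f"pt={pt:016x} ct={ct:016x} back={decrypt(ct, key):016x}")
```

Note that round_function is never inverted anywhere: the S-box lookup discards bits, yet decrypt() recovers the plaintext. Invertibility comes only from the exclusive-OR and the half-swap, which is exactly the point of equations (1) to (7) below.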
It is worth noting that decryption with a Feistel network is essentially the same as the encryption process: the ciphertext is used as input to the network, but the subkeys Ki are used in reverse order, as shown in Fig. 2. The reason is explained as follows. Let's consider the last step in encryption, which gives

$LE_{16} = RE_{15}$ (1)
$RE_{16} = LE_{15} \oplus F(RE_{15}, K_{16})$ (2)

On the decryption side,

$LD_1 = RD_0 = LE_{16} = RE_{15}$ (3)
$RD_1 = LD_0 \oplus F(RD_0, K_{16})$ (4)
$\quad\;\, = RE_{16} \oplus F(RE_{15}, K_{16})$ (5)
$\quad\;\, = [LE_{15} \oplus F(RE_{15}, K_{16})] \oplus F(RE_{15}, K_{16})$ (6)
$\quad\;\, = LE_{15}$ (7)

The process can be continued iteratively. Finally, we will see that the output of the decryption is the same as the input to the encryption (i.e., the original plaintext).

Modes of operation

Electronic codebook (ECB)

The simplest of the encryption modes is the electronic codebook (ECB) mode, in which the message is split into blocks and each is encrypted separately. The disadvantage of this method is that identical plaintext blocks are encrypted to identical ciphertext blocks; it does not hide data patterns. Thus, in some senses it doesn't provide message confidentiality at all, and is not recommended for cryptographic protocols. Here's a striking example of the degree to which ECB can reveal patterns in the plaintext. A pixel-map version of the image on the left was encrypted with ECB mode to create the center image:

[Figure: Original | Encrypted using ECB mode | Encrypted securely]

The image on the right is how the image might look encrypted with CBC, CTR or any of the other more secure modes: indistinguishable from random noise. Note that the random appearance of the image on the right tells us very little about whether the image has been securely encrypted; many kinds of insecure encryption have been developed which would produce output just as random-looking. ECB mode can also make protocols without integrity protection even more susceptible to replay attacks, since each block gets decrypted in exactly the same way.
For example, the Phantasy Star Online: Blue Burst online video game uses Blowfish in ECB mode. Before the key exchange system was cracked, leading to even easier methods, cheaters repeated encrypted "monster killed" message packets, each an encrypted Blowfish block, to illegitimately gain experience points quickly.

Cipher-block chaining (CBC)

In the cipher-block chaining (CBC) mode, each block of plaintext is XORed with the previous ciphertext block before being encrypted. This way, each ciphertext block depends on all plaintext blocks up to that point.

Cipher feedback (CFB) and output feedback (OFB)

The cipher feedback (CFB) and output feedback (OFB) modes make the block cipher into a stream cipher: they generate keystream blocks, which are then XORed with the plaintext blocks to get the ciphertext. Just as with other stream ciphers, flipping a bit in the ciphertext produces a flipped bit in the plaintext at the same location. With cipher feedback, a keystream block is computed by encrypting the previous ciphertext block. Output feedback generates the next keystream block by encrypting the last one.

Counter (CTR)

Like OFB, counter mode turns a block cipher into a stream cipher. It generates the next keystream block by encrypting successive values of a "counter". The counter can be any simple function which produces a sequence that is guaranteed not to repeat for a long time, although an actual counter is the simplest and most popular. CTR mode has very similar characteristics to OFB, but also allows a random-access property for decryption.

Integrity protection and error propagation

The block cipher modes of operation presented above provide no integrity protection. This means that an attacker who does not know the key may still be able to modify the data stream in ways useful to them. It is now generally well understood that wherever data is encrypted, it is nearly always essential to provide integrity protection for security.
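To make the behaviour of these modes concrete, here is an added Python example (not part of the notes) that runs ECB, CBC and CTR over a toy 32-bit block cipher and adds the encrypt-then-MAC check that the integrity discussion calls for. The toy cipher is only an invertible affine map on 4-byte blocks, assumed sufficient because the modes need nothing more than a keyed bijection; KEY, IV, NONCE and the MAC key are constructed values, and HMAC-SHA256 from the standard library stands in for "a secure MAC".

```python
import hmac
import hashlib

# Added example: a 32-bit toy block cipher so the modes below run offline.
# It is only an invertible affine map plus a rotation, i.e. a bijection on
# 4-byte blocks, NOT a real cipher (assumption: any keyed bijection is enough
# to show how ECB, CBC and CTR behave). KEY, IV and NONCE are constructed.
BLOCK = 4
MASK = 0xFFFFFFFF
KEY = bytes.fromhex("0123456789abcdef")    # 8-byte key: k1 (forced odd) || k2
IV = bytes.fromhex("a5a5a5a5")            # one non-zero block
NONCE = bytes.fromhex("0001")             # 16-bit nonce; the counter fills the other 16 bits

def _rotl(x, r):
    return ((x << r) | (x >> (32 - r))) & MASK

def block_encrypt(key, pt):
    k1 = int.from_bytes(key[:4], "big") | 1        # odd, hence invertible mod 2^32
    k2 = int.from_bytes(key[4:], "big")
    x = int.from_bytes(pt, "big")
    return _rotl((x * k1 + k2) & MASK, 13).to_bytes(BLOCK, "big")

def block_decrypt(key, ct):
    k1 = int.from_bytes(key[:4], "big") | 1
    k2 = int.from_bytes(key[4:], "big")
    x = _rotl(int.from_bytes(ct, "big"), 32 - 13)  # rotate right 13
    return ((x - k2) * pow(k1, -1, 1 << 32) & MASK).to_bytes(BLOCK, "big")

def _blocks(data):
    if len(data) % BLOCK:
        raise ValueError("modes take whole blocks; padding is a separate step")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def ecb_encrypt(key, pt):
    # each block on its own: equal plaintext blocks give equal ciphertext blocks
    return b"".join(block_encrypt(key, b) for b in _blocks(pt))

def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for b in _blocks(pt):
        prev = block_encrypt(key, xor(b, prev))   # C_i = E(P_i xor C_{i-1}), C_0 = IV
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for c in _blocks(ct):
        out.append(xor(block_decrypt(key, c), prev))   # P_i = D(C_i) xor C_{i-1}
        prev = c
    return b"".join(out)

def ctr_crypt(key, nonce, data, first_block=0):
    # keystream block i = E(nonce || i); XOR makes encryption and decryption the
    # same operation, and first_block lets a caller start at any block (random access)
    out = []
    for i, b in enumerate(_blocks(data), start=first_block):
        out.append(xor(b, block_encrypt(key, nonce + i.to_bytes(2, "big"))))
    return b"".join(out)

def seal(enc_key, mac_key, iv, pt):
    # encrypt-then-MAC: the tag covers both the IV and the ciphertext
    ct = cbc_encrypt(enc_key, iv, pt)
    return iv + ct + hmac.new(mac_key, iv + ct, hashlib.sha256).digest()

def open_sealed(enc_key, mac_key, msg):
    iv, ct, tag = msg[:BLOCK], msg[BLOCK:-32], msg[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, iv + ct, hashlib.sha256).digest()):
        raise ValueError("MAC check failed; nothing is decrypted")
    return cbc_decrypt(enc_key, iv, ct)

if __name__ == "__main__":
    pt = b"AAAABBBBAAAACCCC"
    print("ECB:", ecb_encrypt(KEY, pt).hex())   # ciphertext blocks 1 and 3 are identical
    print("CBC:", cbc_encrypt(KEY, IV, pt).hex())
    print("CTR:", ctr_crypt(KEY, NONCE, pt).hex())
```

ecb_encrypt on b"AAAABBBBAAAACCCC" yields identical first and third ciphertext blocks, the same pattern leak as the image example; under cbc_encrypt they differ, and changing the first plaintext block changes every later ciphertext block. ctr_crypt(..., first_block=i) decrypts one block in isolation, the random-access property. Running ctr_crypt twice with the same nonce also shows why the IV rule given below is absolute for CTR: the XOR of the two ciphertexts equals the XOR of the two plaintexts, because the keystream cancels. open_sealed verifies the tag before anything is decrypted, which is the ordering the next paragraph asks for.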
For secure operation, the IV and ciphertext generated by these modes should be authenticated with a secure MAC, which is checked before decryption. Before these issues were well understood, it was common to discuss the "error propagation" properties of a mode of operation as a means of evaluating it. It would be observed, for example, that a one-block error in the transmitted ciphertext would result in a one-block error in the reconstructed plaintext for ECB mode encryption, while in CBC mode such an error would affect two blocks. Some felt that such resilience was desirable in the face of random errors, while others argued that it increased the scope for attackers to modify the message to their own ends. However, when proper integrity protection is used, such an error will result (with high probability) in the entire message being rejected; if resistance to random errors is desirable, error-correcting codes should be applied after encryption. AEAD block cipher modes of operation such as IACBC, IAPM, OCB, EAX, and CWC mode directly provide both encryption and authentication.

Initialization vector (IV)

All modes (except ECB) require an initialization vector, or IV: a sort of dummy block to kick off the process for the first real block, and also to provide some randomisation for the process. There is no need for the IV to be secret, but it is important that it is never reused with the same key. For CBC and CFB, reusing an IV leaks some information. For OFB and CTR, reusing an IV completely destroys security. In addition, the IV used in CFB mode must be randomly generated and kept secret until the first block of plaintext is made available for encryption.

Padding

Because a block cipher works on units of a fixed size, but messages come in a variety of lengths, some modes (mainly CBC) require that the final block be padded before encryption. Several padding schemes exist.
The simplest is simply to add null bytes to the plaintext to bring its length up to a multiple of the block size, but care must be taken that the original length of the plaintext can be recovered; this is so, for example, if the plaintext is a C-style string which contains no null bytes except at the end. Slightly more complex is the original DES method, which is to add a single one bit, followed by enough zero bits to fill out the block; if the message ends on a block boundary, a whole padding block will be added. Most sophisticated are CBC-specific schemes such as ciphertext stealing or residual block termination, which do not cause any extra ciphertext expansion, but these schemes are relatively complex. CFB, OFB and CTR modes do not require any special measures to handle messages whose lengths are not multiples of the block size, since they all work by XORing the plaintext with the output of the block cipher,
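The two simple padding schemes described above, implemented as an added example (not from the notes). An 8-byte block as in DES is assumed, and the "single one bit, then zero bits" rule is applied byte-wise as 0x80 followed by 0x00 bytes, which is how it is normally done when messages are byte strings.

```python
# Added example (not from the notes): null-byte padding and DES-style bit
# padding, with the unpadding step that decides whether the scheme is safe.
BLOCK = 8   # block size in bytes (assumed; DES uses 64-bit blocks)

def pad_bits(msg, block=BLOCK):
    """Append a single 1-bit (the byte 0x80) then 0-bits up to the block size.
    If msg already ends on a block boundary a whole padding block is added,
    so the marker is always present and unpadding is unambiguous."""
    padded = msg + b"\x80"
    return padded + b"\x00" * (-len(padded) % block)

def unpad_bits(padded):
    """Strip trailing zero bytes, then the 0x80 marker; reject malformed input."""
    i = len(padded) - 1
    while i >= 0 and padded[i] == 0x00:
        i -= 1
    if i < 0 or padded[i] != 0x80:
        raise ValueError("invalid bit padding: no 0x80 marker found")
    return padded[:i]

def pad_nulls(msg, block=BLOCK):
    """Null-byte padding: no expansion when msg is block-aligned, but the
    original length is recoverable only if msg has no trailing null bytes."""
    return msg + b"\x00" * (-len(msg) % block)

def unpad_nulls(padded):
    # Cannot tell padding nulls from nulls that belonged to the message.
    return padded.rstrip(b"\x00")

if __name__ == "__main__":
    for m in (b"", b"hello", b"12345678", b"ab\x00"):     # constructed inputs
        bits, nulls = pad_bits(m), pad_nulls(m)
        print(f"{m!r:14} bits->{unpad_bits(bits)!r:14} nulls->{unpad_nulls(nulls)!r}")
```

The null-byte scheme is lossless only under the C-string assumption: b"ab\x00" comes back as b"ab". The bit scheme always round-trips, at the cost of a whole extra block when the message is already block-aligned. Neither is needed for CFB, OFB or CTR, which XOR the plaintext with keystream and can simply truncate.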