UNIT-II
Conventional Encryption Principles, Conventional encryption algorithms, cipher block modes of
operation, location of encryption devices, key distribution Approaches of Message
Authentication, Secure Hash Functions and HMAC.
LEARNING OBJECTIVES
At the end of this unit the student should be able to:
• Define encryption
• List and describe the conventional encryption principles
• List the conventional encryption algorithms
• Explain the cipher block modes of operation
• Describe the location of encryption devices
• Explain the key distribution approaches
• Describe secure hash functions
• Explain HMAC
Conventional encryption: Symmetric encryption, also called conventional encryption, uses a single secret key for both encryption and decryption. It was the only type of encryption in use before public-key encryption was developed. Block encryption algorithms such as DES, triple DES and AES are examples of symmetric-key encryption algorithms.
Symmetric encryption principles:
A symmetric key encryption scheme has five ingredients:
• Plaintext: The original message or data that is fed into the algorithm as input.
• Encryption algorithm: Performs various substitutions and transformations on the plain text.
• Secret key: Also an input to the algorithm. The exact substitutions and transformations performed by the algorithm depend on the key.
• Cipher text: The scrambled message produced as output. It depends on the plain text and the secret key; for a given message, two different keys will produce two different cipher texts.
• Decryption algorithm: Essentially the encryption algorithm run in reverse. It takes the cipher text and the secret key as input and produces the original plain text.
Simplified model of symmetric encryption.
There are two requirements for secure use of symmetric encryption:
1. The encryption algorithm must be strong: an opponent in possession of a number of cipher texts together with the plain text that produced each of them should still be unable to decrypt other cipher text or recover the key.
2. Sender and receiver must have obtained copies of the secret key in a secure fashion and must keep the key secure.
Note: The security of symmetric encryption depends on the secrecy of the key, not the secrecy of the algorithm.
Cryptography: Cryptographic systems are generally classified along three independent dimensions:
1. The type of operation used for transforming plain text into cipher text: All encryption algorithms are based on two general principles.
• Substitution: Each element in the plain text is mapped into another element.
• Transposition: The elements in the plain text are rearranged.
Most product systems involve multiple stages of substitutions and transpositions.
2. The number of keys used: The scheme may use symmetric or asymmetric keys.
• Symmetric (single key): Sender and receiver use the same key.
• Asymmetric (two keys, or public-key encryption): Sender and receiver use different keys.
3. The way in which the plain text is processed: Either as blocks or as a stream.
• Block cipher: Encrypts/decrypts one block at a time.
• Stream cipher: Encrypts/decrypts one element at a time, processing the input elements continuously.
Cryptanalysis: The process of attempting to discover the plain text or the key is known as cryptanalysis. The strategy used by the cryptanalyst depends on
• the nature of the encryption scheme, and
• the information available to the cryptanalyst.
Types of cryptographic attacks: We can classify them as follows.
Classification one: by the approach used to mount the attack, which can be
• Brute force attack
• Cryptanalytic attack; cryptanalytic attacks can in turn be differential or linear cryptanalytic attacks.
Classification two: attacks that try to recover keys
• Cipher text only attack: The attacker has only the cipher text.
• Known plain text attack: The attacker has the cipher text of some known plain text.
• Chosen plain text attack: The attacker has the cipher text of some plain text of his/her own choosing.
• Chosen cipher text attack: The attacker chooses cipher text and obtains the corresponding plain text.
Classification three: attacks that focus on discovering the difference between the actual and the expected cipher
• Distinguishing attacks: exploit imperfections of the encryption function.
Generally an encryption algorithm is designed to withstand a known plain text attack. An encryption scheme is computationally secure if the cipher text generated by the scheme meets one or both of the following criteria:
• The cost of breaking the cipher exceeds the value of the encrypted information.
• The time required to break the cipher exceeds the useful lifetime of the information.
Unfortunately, it is very difficult to estimate the amount of effort required to cryptanalyze cipher text successfully. The table below gives a rough idea of how much time cryptanalysis takes.
Feistel Cipher Structure: Virtually all conventional block encryption algorithms, including DES, have a structure first described by Horst Feistel of IBM in 1973.
The Feistel structure is a particular example of the more general structure used by all symmetric block ciphers, which consists of a sequence of rounds, with each round performing substitutions and permutations conditioned by a secret key value.
• The inputs to the encryption algorithm are a plain text block of length 2w bits and a key K.
• The plain text block is divided into two halves, L0 and R0.
• The two halves of the data pass through n rounds of processing and are then combined to produce the cipher text block.
• Each round i has as inputs Li-1 and Ri-1, derived from the previous round, as well as a sub key Ki derived from the overall key K.
• All rounds have the same structure.
• A substitution is performed on the left half of the data. This is done by applying a round function F to the right half of the data and then taking the exclusive-OR (XOR) of the output of that function and the left half of the data.
• The round function has the same general structure for each round but is parameterized by the round sub key Ki.
• Following this substitution, a permutation is performed that consists of the interchange of the two halves of the data.
• Decryption is essentially the same as the encryption process. The cipher text is used as input to the algorithm, but the sub keys Ki are used in reverse order, i.e. Kn in the first round, Kn-1 in the second round, and so on until K1 is used in the last round.
• Thus one algorithm serves for both encryption and decryption.
The realization of a Feistel cipher depends on the choice of the following parameters and design features:
o Block size: Larger block sizes mean greater security but lower encryption/decryption speed. A block size of 128 bits is a reasonable tradeoff.
o Key size: A larger key size means greater security but lower encryption/decryption speed. The most common key length in modern algorithms is 128 bits.
o Number of rounds: Multiple rounds offer increasing security (16 rounds is the most common choice).
o Sub key generation algorithm: Greater complexity in this algorithm leads to greater difficulty of cryptanalysis.
o Round function: The greater the complexity of the round function, the greater the resistance to cryptanalysis.
o Fast software encryption/decryption: The speed of execution of the algorithm in software is a concern.
o Ease of analysis: There are great benefits in making the algorithm easy to analyze, i.e. the algorithm can be concisely explained and it is easier to analyze it for cryptanalytic vulnerabilities.
Symmetric Block Encryption Algorithms: The most commonly used symmetric encryption algorithms are block ciphers. A block cipher processes the plain text input in fixed-size blocks and produces a block of cipher text of equal size for each plain text block. The most important block ciphers are the Data Encryption Standard (DES), triple DES, the Advanced Encryption Standard (AES) and Blowfish, etc.
Data Encryption Standard (DES):
o The most widely used encryption scheme.
o The algorithm itself is referred to as the Data Encryption Algorithm (DEA).
o DES is a block cipher.
o The plain text is processed in 64-bit blocks.
o The key is 56 bits in length.
o The DES structure is a minor variation of the Feistel structure.
o There are sixteen rounds of processing. From the original 56-bit key, sixteen sub keys are generated, one of which is used in each round.
o Details of the function F: It takes a 32-bit input and produces a 32-bit output. The 32-bit input is expanded to 48 bits by permuting and duplicating some of the 32 bits. An exclusive-OR operation is performed between these 48 bits and the 48-bit sub key. The 48-bit output of the exclusive-OR is grouped into 8 groups of 6 bits each. Each 6-bit group is fed into a 6-to-4 substitution box (S-box) that transforms 6 bits into 4 bits. The 32-bit output of the 8 substitution boxes is fed into a permutation box. The 32-bit output of the permutation box is F(Ri-1, Ki).
o The overall processing at each iteration:
– Li = Ri-1
– Ri = Li-1 ⊕ F(Ri-1, Ki)
o The process of decryption with DES is the same as the encryption process. The cipher text is used as input to the DES algorithm, but the sub keys Ki are used in reverse order, i.e. K16 on the first iteration, K15 on the second iteration, and so on until K1 is used on the 16th and last iteration.
The strength of DES: Concerns about the strength of DES fall into two categories:
o Concern about the algorithm itself: This refers to the possibility that cryptanalysis is possible by exploiting the characteristics of the DES algorithm. No one has so far succeeded in discovering a fatal weakness in DES.
o The second concern is the key length: With a key length of 56 bits there are 2^56 possible keys, which is approximately 7.2 × 10^16 keys. Here a brute force attack is impossible: a single machine performing one DES encryption per microsecond would take more than a thousand years to break the cipher.
Triple DES: 3DES uses three keys and three executions of the DES algorithm. The function follows an encrypt-decrypt-encrypt (EDE) sequence:
C = E(K3, D(K2, E(K1, P)))
where
C = cipher text
P = plain text
E(K, X) = encryption of X using key K
D(K, Y) = decryption of Y using key K.
Decryption is simply the same operation with the keys reversed:
P = D(K1, E(K2, D(K3, C)))
o With three distinct keys, 3DES has an effective key length of 168 bits.
o 3DES is the FIPS (Federal Information Processing Standards) approved symmetric encryption algorithm of choice.
o Government organizations with legacy DES systems are encouraged to transition to 3DES.
o Further, with a 168-bit key length, brute force attacks are effectively impossible.
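The Feistel round structure described above (Li = Ri-1, Ri = Li-1 ⊕ F(Ri-1, Ki), with decryption being the same algorithm run with the sub keys in reverse order) and the 3DES encrypt-decrypt-encrypt composition, as an added Python example that is not part of these notes. The round function F and the sub key schedule are constructed for illustration (hash-based, not the DES tables and permutations), so the toy cipher gives no real security; what it shares with DES and 3DES is only the structure.

```python
# Added example (not from the notes): a toy Feistel block cipher with the
# DES-like round structure L_i = R_{i-1}, R_i = L_{i-1} XOR F(R_{i-1}, K_i),
# then the triple-DES EDE composition C = E(K3, D(K2, E(K1, P))).
# The round function F and the sub key schedule are constructed for
# illustration only; they are NOT DES and give no real security.
import hashlib

BLOCK_BYTES = 8          # 64-bit block, two 32-bit halves (like DES)
ROUNDS = 16              # same number of rounds as DES


def subkeys(key: bytes, rounds: int = ROUNDS) -> list:
    """Constructed key schedule: sub key K_i is a hash of (key, i).
    Real ciphers use bit-selection schedules; this only needs to be
    deterministic so that encrypt and decrypt derive the same K_i."""
    return [hashlib.sha256(key + bytes([i])).digest()[:4] for i in range(1, rounds + 1)]


def F(right: bytes, k: bytes) -> bytes:
    """Constructed round function: 32-bit input -> 32-bit output.
    It need not be invertible; the Feistel structure is invertible regardless."""
    return hashlib.sha256(right + k).digest()[:4]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def feistel(block: bytes, ks: list) -> bytes:
    """Run the rounds with the sub keys in the given order.
    Encryption and decryption are this same function with ks reversed."""
    assert len(block) == BLOCK_BYTES
    left, right = block[:4], block[4:]
    for k in ks:                       # L_i = R_{i-1};  R_i = L_{i-1} XOR F(R_{i-1}, K_i)
        left, right = right, xor(left, F(right, k))
    return right + left                # the final swap is undone, as in DES


def encrypt(key: bytes, block: bytes) -> bytes:
    return feistel(block, subkeys(key))


def decrypt(key: bytes, block: bytes) -> bytes:
    return feistel(block, subkeys(key)[::-1])   # K_n first ... K_1 last


def tdes_encrypt(k1: bytes, k2: bytes, k3: bytes, block: bytes) -> bytes:
    """C = E(K3, D(K2, E(K1, P))) on top of the toy cipher."""
    return encrypt(k3, decrypt(k2, encrypt(k1, block)))


def tdes_decrypt(k1: bytes, k2: bytes, k3: bytes, block: bytes) -> bytes:
    """P = D(K1, E(K2, D(K3, C))): same chain with the keys reversed."""
    return decrypt(k1, encrypt(k2, decrypt(k3, block)))


if __name__ == "__main__":
    p = b"ABCDEFGH"                                   # constructed 64-bit block
    c = tdes_encrypt(b"key-1", b"key-2", b"key-3", p)
    print(c.hex(), tdes_decrypt(b"key-1", b"key-2", b"key-3", c))
```

Running the round loop with the sub keys reversed is the whole of decryption, which is why one `feistel` function serves both directions; `tdes_encrypt` chains the toy cipher exactly as C = E(K3, D(K2, E(K1, P))) chains DES, and with K1 = K2 = K3 the middle D cancels the first E, leaving a single encryption.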
ADVANCED ENCRYPTION STANDARD:
o AES uses a block length of 128 bits and a key length that can be 128, 192 or 256 bits.
o The input to the encryption and decryption algorithm is a single 128-bit block, which is depicted as a square matrix of bytes. The block is copied into the state array, which is modified at each stage of encryption and decryption. After the final stage, the state is copied to an output matrix.
o Similarly, the 128-bit key is depicted as a square matrix of bytes. The key is then expanded into an array of key schedule words; each word is four bytes, and the total key schedule is 44 words for a 128-bit key.
o The ordering of bytes within a matrix is by column. For example, the first four bytes of the 128-bit plain text input to the encryption cipher occupy the first column of the in matrix, the second four bytes occupy the second column, and so on. Similarly, the first four bytes of the expanded key, which form a word, occupy the first column of the w matrix.
o AES is based on a design principle known as a substitution-permutation network. It is fast in both software and hardware. Unlike its predecessor DES, AES does not use a Feistel network.
o The AES cipher is specified as a number of repetitions of transformation rounds that convert the input plain text into the final output cipher text. Each round consists of several processing steps, including one that depends on the encryption key. A set of reverse rounds is applied to transform the cipher text back into the original plain text using the same encryption key.
The following diagram shows AES encryption and decryption.
Four different stages are used, one of permutation and three of substitution:
1. SubBytes: a non-linear substitution step where each byte is replaced with another according to a lookup table.
2. ShiftRows: a transposition step where each row of the state is shifted cyclically a certain number of steps.
3. MixColumns: a mixing operation which operates on the columns of the state, combining the four bytes in each column.
4. AddRoundKey
The final round has no MixColumns; it consists of the following steps:
o SubBytes
o ShiftRows
o AddRoundKey
a) Substitute bytes: Uses a table, referred to as an S-box, to perform a byte-by-byte substitution of the block.
b) Shift rows: A simple permutation that is performed row by row. The ShiftRows step operates on the rows of the state; it cyclically shifts the bytes in each row by a certain offset. For AES, the first row is left unchanged. Each byte of the second row is shifted one position to the left. Similarly, the third and fourth rows are shifted by offsets of two and three respectively.
In the ShiftRows step, bytes in each row of the state are shifted cyclically to the left. The number of places each byte is shifted differs for each row.
c) Mix columns: In the MixColumns step, the four bytes of each column of the state are combined using an invertible linear transformation. The MixColumns function takes four bytes as input and outputs four bytes, where each input byte affects all four output bytes. Together with ShiftRows, MixColumns provides diffusion in the cipher.
In the MixColumns step, each column of the state is multiplied by a fixed polynomial c(x).
d) Add round key: In the AddRoundKey step, the sub key is combined with the state. For each round, a sub key is derived from the main key using Rijndael's key schedule; each sub key is the same size as the state. The sub key is added by combining each byte of the state with the corresponding byte of the sub key using bitwise XOR.
In the AddRoundKey step, each byte of the state is combined with a byte of the round sub key using the XOR operation (⊕).
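The column-major state layout and the four round stages (SubBytes, ShiftRows, MixColumns, AddRoundKey) on one 128-bit block, as an added Python example that is not from these notes. The S-box is computed from its definition (the multiplicative inverse in GF(2^8) followed by the affine transformation) rather than copied from the 256-entry table, the MixColumns matrix and its inverse are the fixed AES constants, and the round key used in the demonstration is a constructed sample value because the key schedule is not implemented here.

```python
# Added example (not from the notes): AES state layout and the four round
# stages on a single block. The S-box is derived from its definition; the
# key schedule is not implemented, so the round key is a constructed sample.


def gf_mul(a: int, b: int) -> int:
    """Multiply two bytes in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        a = ((a << 1) ^ (0x1B if a & 0x80 else 0)) & 0xFF
        b >>= 1
    return p


def _sbox_entry(x: int) -> int:
    # multiplicative inverse (0 maps to 0), then the affine transformation
    inv = 0 if x == 0 else next(y for y in range(1, 256) if gf_mul(x, y) == 1)
    r = lambda v, n: ((v << n) | (v >> (8 - n))) & 0xFF   # rotate left by n bits
    return inv ^ r(inv, 1) ^ r(inv, 2) ^ r(inv, 3) ^ r(inv, 4) ^ 0x63


SBOX = [_sbox_entry(x) for x in range(256)]


def to_state(block: bytes) -> list:
    """Bytes fill the 4x4 state column by column: state[row][col] = block[row + 4*col]."""
    return [[block[r + 4 * c] for c in range(4)] for r in range(4)]


def from_state(state: list) -> bytes:
    return bytes(state[r][c] for c in range(4) for r in range(4))


def sub_bytes(state: list) -> list:
    return [[SBOX[b] for b in row] for row in state]


def shift_rows(state: list) -> list:
    # row r is rotated left by r positions; row 0 is unchanged
    return [row[r:] + row[:r] for r, row in enumerate(state)]


def mix_column(col: list) -> list:
    """Multiply one column by the fixed polynomial c(x) = {03}x^3 + {01}x^2 + {01}x + {02}."""
    a0, a1, a2, a3 = col
    return [gf_mul(a0, 2) ^ gf_mul(a1, 3) ^ a2 ^ a3,
            a0 ^ gf_mul(a1, 2) ^ gf_mul(a2, 3) ^ a3,
            a0 ^ a1 ^ gf_mul(a2, 2) ^ gf_mul(a3, 3),
            gf_mul(a0, 3) ^ a1 ^ a2 ^ gf_mul(a3, 2)]


def inv_mix_column(col: list) -> list:
    """Inverse transformation (used by decryption); shows the step is invertible."""
    a0, a1, a2, a3 = col
    m = gf_mul
    return [m(a0, 14) ^ m(a1, 11) ^ m(a2, 13) ^ m(a3, 9),
            m(a0, 9) ^ m(a1, 14) ^ m(a2, 11) ^ m(a3, 13),
            m(a0, 13) ^ m(a1, 9) ^ m(a2, 14) ^ m(a3, 11),
            m(a0, 11) ^ m(a1, 13) ^ m(a2, 9) ^ m(a3, 14)]


def mix_columns(state: list) -> list:
    cols = [mix_column([state[r][c] for r in range(4)]) for c in range(4)]
    return [[cols[c][r] for c in range(4)] for r in range(4)]


def add_round_key(state: list, round_key: bytes) -> list:
    k = to_state(round_key)            # the round key is laid out like the state
    return [[state[r][c] ^ k[r][c] for c in range(4)] for r in range(4)]


def aes_round(state: list, round_key: bytes, final: bool = False) -> list:
    """One AES round; the final round skips MixColumns."""
    state = shift_rows(sub_bytes(state))
    if not final:
        state = mix_columns(state)
    return add_round_key(state, round_key)


def one_round_hex(block: bytes, round_key: bytes, final: bool = False) -> str:
    return from_state(aes_round(to_state(block), round_key, final)).hex()


if __name__ == "__main__":
    sample_key = bytes(range(16))      # constructed round key, not from a key schedule
    print(one_round_hex(b"sixteen byte blk", sample_key))
```

`mix_column([0xd4, 0xbf, 0x5d, 0x30])` gives `[0x04, 0x66, 0x81, 0xe5]`, the first column of the round-1 MixColumns step in the FIPS-197 worked example, and `inv_mix_column` reverses it, which is the "invertible linear transformation" the text refers to.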
Stream ciphers and RC4:
Block cipher: A block cipher processes the input one block of elements at a time, producing an output block for each input block. For many applications block ciphers are in common use.
• In cryptography, a block cipher is a symmetric key cipher operating on fixed-length groups of bits, called blocks, with an unvarying transformation.
• A block cipher encryption algorithm might take (for example) a 128-bit block of plain text and a key as input, and output a corresponding 128-bit block of cipher text.
• The exact transformation is controlled using a second input: the secret key.
• Decryption is similar: the decryption algorithm takes, in this example, a 128-bit block of cipher text together with the secret key, and yields the original 128-bit block of plain text.
• A message longer than the block size (128 bits in the above example) can still be encrypted with a block cipher by breaking the message into blocks and encrypting each block individually.
• However, in this method all blocks are encrypted with the same key, which degrades security (because each repetition in the plain text becomes a repetition in the cipher text). To overcome this issue, modes of operation are used to make encryption probabilistic.
• Some modes of operation, despite the fact that their underlying implementation is a block cipher, allow the encryption of individual bits. The resulting cipher is called a stream cipher.
• An early and highly influential block cipher design was the Data Encryption Standard (DES), developed at IBM and published as a standard in 1977. A successor to DES, the Advanced Encryption Standard (AES), was adopted in 2001.
Other symmetric block ciphers:
• RC5
– Developed by Ron Rivest in 1994
– Suitable for hardware and software
– Fast, simple
– Adaptable to processors of different word lengths
– Variable number of rounds
– Variable-length key
– Low memory requirement
– High security
– Data-dependent rotations
– Used in products from RSA Data Security
• CAST-128
– Key size from 40 to 128 bits
– The round function differs from round to round
• International Data Encryption Algorithm (IDEA)
– A block cipher with a block size of 64 bits
– 128-bit key
– Used in PGP
• Blowfish
– Easy to implement (simple structure)
– High execution speed
– Runs in less than 5K of memory
– Variable security: key length is variable.
Stream ciphers: A stream cipher processes the input elements continuously, producing output one element at a time, as it goes along. For some applications a stream cipher is more appropriate.
In cryptography, a stream cipher is a symmetric key cipher where plain text bits are combined with a pseudorandom cipher bit stream (keystream), typically by an exclusive-or (XOR) operation.
For example, if the next byte generated by the keystream generator is 01101100 and the next plain text byte is 11001100, then the resulting cipher text byte is:
    11001100   plaintext
  ⊕ 01101100   keystream
  ------------
    10100000   ciphertext
• In a stream cipher the plain text digits are encrypted one at a time, and the transformation of successive digits varies during the encryption.
• An alternative name is a state cipher, as the encryption of each digit is dependent on the current state. In practice, the digits are typically single bits or bytes.
• Stream ciphers typically execute at a higher speed than block ciphers and have lower hardware complexity. However, stream ciphers can be susceptible to serious security problems if used incorrectly; they are vulnerable to attack if certain precautions are not followed: a) keys must never be used twice; b) successful decryption should never be relied on to indicate authenticity.
Types of stream ciphers:
A stream cipher generates successive elements of the keystream based on an internal state. This state is updated in essentially two ways: if the state changes independently of the plain text or cipher text messages, the cipher is classified as a synchronous stream cipher. By contrast, self-synchronising stream ciphers update their state based on previous cipher text digits.
Example of a stream cipher: RC4. In cryptography, RC4 is the most widely used software stream cipher and is used in popular protocols such as Secure Sockets Layer (SSL) and WEP (to secure wireless networks). While it is remarkable for its simplicity and speed in software, RC4 has weaknesses that argue against its use in new systems. It is especially vulnerable when the beginning of the output keystream is not discarded, or when nonrandom or related keys are used; some ways of using RC4 can lead to very insecure cryptosystems such as WEP.
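RC4 as a byte-oriented stream cipher (key-scheduling and pseudo-random generation, then XOR with the keystream exactly as in the byte example above), together with the two precautions the text lists: an option to discard the beginning of the keystream, and a check that shows why a key must never be used twice. This is an added Python example, not part of the notes; the "Key"/"Plaintext" pair is the published RC4 test vector, and the other messages are constructed samples.

```python
# Added example (not from the notes): RC4 keystream generation and XOR
# encryption, with the keystream-drop mitigation and a demonstration of
# what reusing a key gives away. Not for use in new systems (see the text).


def rc4_keystream(key: bytes):
    """Generator for the RC4 keystream: the KSA sets up S, the PRGA yields bytes."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm (KSA)
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:                                # pseudo-random generation algorithm (PRGA)
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4_crypt(key: bytes, data: bytes, drop: int = 0) -> bytes:
    """Encrypt or decrypt (the same XOR operation). `drop` discards the first
    bytes of keystream, the usual mitigation for RC4's biased initial output."""
    ks = rc4_keystream(key)
    for _ in range(drop):
        next(ks)
    return bytes(b ^ next(ks) for b in data)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR, the combining step of any XOR stream cipher."""
    return bytes(x ^ y for x, y in zip(a, b))


def keystream_reuse_leak(key: bytes, p1: bytes, p2: bytes) -> bool:
    """Encrypt two messages under the same key. XOR of the two cipher texts
    equals XOR of the two plain texts because the identical keystream cancels,
    so either message leaks information about the other. Returns True when
    that relation holds, i.e. when the key-reuse leak is present."""
    c1, c2 = rc4_crypt(key, p1), rc4_crypt(key, p2)
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)


if __name__ == "__main__":
    ct = rc4_crypt(b"Key", b"Plaintext")
    print(ct.hex())                                   # published test vector output
    print(rc4_crypt(b"Key", ct))                      # decrypt with the same call
    print(keystream_reuse_leak(b"Key", b"meeting at noon", b"meeting at nine"))
```

Because encryption and decryption are the same XOR, `rc4_crypt` serves both directions; the keystream-reuse check is the reason behind precaution (a) in the text, and the `drop` parameter is the usual response to the weak initial keystream bytes the text mentions.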
CIPHER BLOCK MODES OF OPERATION:
A symmetric block cipher processes one block of data at a time. A message longer than the block size (128 bits in the above example) can still be encrypted with a block cipher by breaking the message into blocks and encrypting each block individually. However, in this method all blocks are encrypted with the same key, which degrades security (because each repetition in the plain text becomes a repetition in the cipher text). To overcome this issue, modes of operation are used to make encryption probabilistic.
Electronic codebook (ECB)
The simplest of the encryption modes is the electronic codebook (ECB) mode. The message is divided into blocks and each block is encrypted separately. The term codebook is used because, for a given key, there is a unique cipher text for every 64-bit block of plain text.
• The disadvantage of this method is that identical plain text blocks are encrypted into identical cipher text blocks; thus, it does not hide data patterns well.
• In some senses it doesn't provide serious message confidentiality, and it is not recommended for use in cryptographic protocols at all.
• ECB mode can also make protocols without integrity protection even more susceptible to replay attacks, since each block gets decrypted in exactly the same way.
Cipher-block chaining (CBC)
The CBC mode of operation was invented by IBM in 1976. In the cipher-block chaining (CBC) mode, each block of plain text is XORed with the previous cipher text block before being encrypted. This way, each cipher text block is dependent on all plain text blocks processed up to that point. Also, to make each message unique, an initialization vector must be used in the first block.
If the first block has index 1, the mathematical formula for CBC encryption is
while the mathematical formula for CBC decryption is
CBC has been the most commonly used mode of operation. Its main drawbacks are that encryption is sequential (i.e., it cannot be parallelized), and that the message must be padded to a multiple of the cipher block size. One way to handle this last issue is through the method known as ciphertext stealing.
Note that a one-bit change in a plain text block affects all following cipher text blocks. A plain text block can be recovered from just two adjacent blocks of cipher text. As a consequence, decryption can be parallelized, and a one-bit change to the cipher text causes complete corruption of the corresponding block of plain text and inverts the corresponding bit in the following block of plain text.
Propagating cipher-block chaining (PCBC)
The propagating cipher-block chaining or plaintext cipher-block chaining mode was designed to cause small changes in the cipher text to propagate indefinitely when decrypting, as well as when encrypting.
Encryption and decryption algorithms are as follows:
PCBC is used in Kerberos v4 and WASTE, most notably, but otherwise is not common. On a message encrypted in PCBC mode, if two adjacent cipher text blocks are exchanged, this does not affect the decryption of subsequent blocks. For this reason, PCBC is not used in Kerberos v5.
Cipher feedback (CFB)
The cipher feedback (CFB) mode, a close relative of CBC, makes a block cipher into a self-synchronizing stream cipher. Operation is very similar; in particular, CFB decryption is almost identical to CBC encryption performed in reverse:
The simplest way of using CFB described above is not any more self-synchronizing than other cipher modes like CBC. If a whole block of cipher text is lost, both CBC and CFB will resynchronize, but losing only a single byte or bit will permanently throw off decryption. To be able to resynchronize after the loss of only a single byte or bit, a single byte or bit must be encrypted at a time. CFB can be used this way when combined with a shift register as the input to the block cipher.
To use CFB to make a self-synchronizing stream cipher that will synchronize for any multiple of x bits lost, start by initializing a shift register the size of the block with the initialization vector. This is encrypted with the block cipher, and the highest x bits of the result are XORed with x bits of the plain text to produce x bits of cipher text. These x bits of output are shifted into the shift register, and the process repeats with the next x bits of plain text. Decryption is similar: start with the initialization vector, encrypt, and XOR the high bits of the result with x bits of the cipher text to produce x bits of plain text. Then shift the x bits of the cipher text into the shift register.
In notation, where Si is the i-th state of the shift register, a << x is a shifted up by x bits, head(a, x) is the x highest bits of a, and n is the number of bits of the IV:
If x bits are lost from the cipher text, the cipher will output incorrect plain text until the shift register once again equals a state it held while encrypting, at which point the cipher has resynchronized. This will result in at most one block size of output being garbled.
Like CBC mode, changes in the plain text propagate forever in the cipher text, and encryption cannot be parallelized. Also like CBC, decryption can be parallelized. When decrypting, a one-bit change in the cipher text affects two plain text blocks: a one-bit change in the corresponding plain text block, and complete corruption of the following plain text block. Later plain text blocks are decrypted normally.
CFB shares two advantages over CBC mode with the stream cipher modes OFB and CTR: the block cipher is only ever used in the encrypting direction, and the message does not need to be padded to a multiple of the cipher block size (though cipher text stealing can also be used to make padding unnecessary).
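ECB, CBC and full-block CFB written out as an added Python example (not part of the notes), parameterised by the block cipher's encrypt and decrypt functions the way a real implementation would be. The block cipher plugged in for the run is a constructed placeholder permutation with no security and no diffusion, so the ECB pattern leak, the CBC chaining and IV dependence, the encrypt-only nature of CFB and CFB's resynchronisation after a lost block are all visible, but CBC's "complete corruption of the corresponding block" on a bit flip is not, since that depends on the real cipher's diffusion.

```python
# Added example (not from the notes): ECB, CBC and full-block CFB modes over
# any block cipher supplied as enc(key, block) / dec(key, block) callables.
# toy_enc/toy_dec are a constructed placeholder permutation, NOT a cipher.
import os

BLOCK = 8   # block size in bytes for the placeholder cipher


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def blocks(data: bytes) -> list:
    assert len(data) % BLOCK == 0, "ECB/CBC need the message padded to a multiple of the block size"
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


# --- placeholder block "cipher": XOR with the key, then rotate bytes (constructed, insecure) ---
def toy_enc(key: bytes, b: bytes) -> bytes:
    x = xor(b, key)
    return x[1:] + x[:1]


def toy_dec(key: bytes, b: bytes) -> bytes:
    return xor(b[-1:] + b[:-1], key)


# --- modes of operation ---
def ecb_encrypt(enc, key: bytes, msg: bytes) -> bytes:
    return b"".join(enc(key, p) for p in blocks(msg))        # C_i = E_K(P_i)


def cbc_encrypt(enc, key: bytes, iv: bytes, msg: bytes) -> bytes:
    out, prev = [], iv
    for p in blocks(msg):                 # C_i = E_K(P_i XOR C_{i-1}), C_0 = IV
        prev = enc(key, xor(p, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(dec, key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for c in blocks(ct):                  # P_i = D_K(C_i) XOR C_{i-1}; needs only two adjacent blocks
        out.append(xor(dec(key, c), prev))
        prev = c
    return b"".join(out)


def cfb_encrypt(enc, key: bytes, iv: bytes, msg: bytes) -> bytes:
    out, reg = [], iv
    for p in blocks(msg):                 # C_i = P_i XOR E_K(C_{i-1}); only E_K is used
        reg = xor(p, enc(key, reg))
        out.append(reg)
    return b"".join(out)


def cfb_decrypt(enc, key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, reg = [], iv
    for c in blocks(ct):                  # P_i = C_i XOR E_K(C_{i-1}); still E_K, never D_K
        out.append(xor(c, enc(key, reg)))
        reg = c
    return b"".join(out)


def repeated_blocks(ct: bytes) -> int:
    """Number of cipher text blocks that duplicate an earlier one (the ECB pattern leak)."""
    bs = blocks(ct)
    return len(bs) - len(set(bs))


def cfb_resync_after_lost_block(enc, key: bytes, iv: bytes, msg: bytes) -> tuple:
    """Lose one whole cipher text block in transit and decrypt the rest: the block
    after the gap is garbled, then CFB resynchronises. Returns (first block
    intact, everything after the garbled block matches the original)."""
    ct = cfb_encrypt(enc, key, iv, msg)
    damaged = ct[:BLOCK] + ct[2 * BLOCK:]           # second block lost on the wire
    pt = cfb_decrypt(enc, key, iv, damaged)
    return pt[:BLOCK] == msg[:BLOCK], pt[2 * BLOCK:] == msg[3 * BLOCK:]


if __name__ == "__main__":
    key, iv = bytes(range(8)), os.urandom(BLOCK)      # constructed key, fresh IV per message
    msg = b"SAME BLK" * 3 + b"LAST BLK"               # constructed message with repetition
    print("ECB repeats:", repeated_blocks(ecb_encrypt(toy_enc, key, msg)))
    print("CBC repeats:", repeated_blocks(cbc_encrypt(toy_enc, key, iv, msg)))
    print("CFB resync :", cfb_resync_after_lost_block(toy_enc, key, iv, msg))
```

The mode functions never look inside the cipher, which is why CFB can be written with `enc` alone; the placeholder is only there so the modes can run offline, and the repeated-block count is what turns the text's "repetition in the plain text becomes a repetition in the cipher text" into a measurable check.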
Location of Encrypting Devices:
In network security the most powerful and common approach to countering threats to the network is encryption. With encryption we need to decide what to encrypt and where the encryption gear should be located. For this there are two fundamental alternatives:
1) Link encryption:
a) With link encryption, each vulnerable communication link is equipped on both ends with an encryption device. Thus all traffic over all communication links is secured.
b) It requires a lot of encryption devices in a large network.
c) It provides a high level of security.
d) One disadvantage of this approach is that the message must be decrypted each time it enters a packet switch, so that the switch can route the packet.
e) The message is therefore vulnerable at each switch.
f) If it is a public packet-switching network, the user has no control over the security of the nodes.
2) End-to-end encryption:
a) Here the encryption process is carried out at the two end systems, i.e. the source host or terminal encrypts the data, which is then transmitted unaltered across the network to the destination terminal.
b) The destination shares a key with the source and so is able to decrypt the data.
c) This approach secures the transmission against attacks on the network links or the switches.
d) With end-to-end encryption we can secure the user data but not the traffic pattern, because packet headers are transmitted in the clear.
To achieve greater security, both link and end-to-end encryption are needed. Here the host encrypts the user data portion of the packet using an end-to-end encryption key. The entire packet is then encrypted using a link encryption key. As the packet traverses the network, each switch decrypts the packet using the link encryption key to read the header and then encrypts the entire packet again for sending it out on the next link. Now the entire packet is secure except for the time that the packet is actually in the memory of a packet switch.
KEY DISTRIBUTION:
In symmetric key cryptography, both parties must possess a secret key, which they must exchange prior to using any encryption, and the key must be protected from access by others. Distribution of secret keys can be achieved in a number of ways for two parties A and B:
1. A key could be selected by A and physically delivered to B.
2. A third party could select the key and physically deliver it to A and B.
3. If A and B have previously and recently used a key, one party could transmit the new key to the other, encrypted using the old key.
4. If A and B each have an encrypted connection to a third party C, C could deliver a key on the encrypted links to A and B.
Here options 1 and 2 are called manual delivery of a key, which is not always advisable. Option 3 is possible for either link encryption or end-to-end encryption; to provide keys for end-to-end encryption, option 4 is preferable.
The following figure illustrates an implementation that satisfies option 4 for end-to-end encryption. For this scheme two kinds of keys are needed:
1. Session key: Data is encrypted with a one-time session key. At the conclusion of the session the key is destroyed.
2. Permanent key: Used between entities for the purpose of distributing session keys.
This configuration consists of the following elements:
• Key distribution center (KDC): The KDC determines which systems are allowed to communicate with each other. When permission is granted for two systems to establish a connection, the key distribution center provides a one-time session key for that connection.
• Security service module (SSM): The module, which may consist of functionality at one protocol layer, performs end-to-end encryption and obtains session keys on behalf of users.
The steps involved in connection establishment are:
• Step 1: When one host wishes to set up a connection to another host, it transmits a connection request packet.
• Step 2: The SSM saves that packet and applies to the KDC for permission to establish the connection.
• Step 3: The communication between the SSM and the KDC is encrypted using a master key shared only by this SSM and the KDC. If the KDC approves the connection request, it generates the session key and delivers it to the two appropriate SSMs, using the unique permanent key for each SSM.
• Step 4: Connection release.
Advantages of the automatic key distribution approach:
• Provides the flexibility and dynamic characteristics needed by the terminals to exchange data.
• All the user data exchanged between the two end systems are encrypted by their respective SSMs using the one-time session key.
• It uses public key encryption.
Questions from previous papers
1. Describe the various steps of encryption and decryption in the AES algorithm.
2. Describe Feistel's cipher structure with a neat illustration.
3. Explain the following terms related to key distribution methods:
a. Session key
b. Master key
c. Key distribution center
d. Security service module
4. Explain the various key distribution methods.
5. Compare and contrast cryptography and cryptology.
6. Enumerate the various cipher block modes of operation.
7. Differentiate between the DES and AES algorithms.
8. Explain the use of the S-box in the AES algorithm.
9. Compare AES with the RC4 cipher.