MODERN CRYPTOGRAPHY
BITS3413
Lecture 3: Digital Signature, RSA
Week 3

Topics
Modern Cryptography Algorithm: Block and Stream
DES
AES
MAC
Digital Signature, RSA
Modern Cryptography Algorithm
Most modern ciphers use a sequence of binary digits (bits), that is, zeros and ones, such as ASCII.
This bit sequence representing the plaintext is then encrypted to give the ciphertext as a bit sequence.

Modern Cryptography Algorithm
The encryption algorithm may act on a bit-string in a number of ways:
Stream ciphers, where the sequence is encrypted bit-by-bit.
Block ciphers, where the sequence is divided into blocks of a predetermined size.
ASCII requires 8 bits to represent one character, and so for a block cipher that has 64-bit blocks, the encryption algorithm acts on eight characters at once.
Modern Cryptography Algorithm
Since most modern algorithms operate on binary strings, we need to be familiar with a method of combining two bits called Exclusive OR, often written as XOR or ⊕.
0 ⊕ 0 = 0, 0 ⊕ 1 = 1, 1 ⊕ 0 = 1 and 1 ⊕ 1 = 0
Truth table for ⊕:
  ⊕ | 0 1
  0 | 0 1
  1 | 1 0

Modern Cryptography Algorithm
Stream ciphers
They convert one symbol of plaintext immediately into a symbol of ciphertext.
The encipherment depends on the symbol, the key and control information of the encipherment algorithm.
Block ciphers
Encrypt a group of plaintext symbols as one block.
Examples are transposition ciphers; e.g. in columnar transposition, the entire message is translated as one block.
The block size need not have any particular relationship to the size of the character.
Stream Ciphers
The plaintext is enciphered bit by bit.
The value of each bit is changed to the alternative value or left unchanged.
If a bit is changed twice, it returns to its original value.
If an attacker knows that a stream cipher has been used, then their task is to try to identify the position of those bits which have been changed and to change them back to their original values.
If there is any easily detectable pattern that identifies the changed bits, then the attacker's task may be simple.
The position of the changed bits must be unpredictable to the attacker, but the genuine receiver needs to be able to identify them easily.

Stream Ciphers
The encryption key is often called a keystream or sequence: 0 means 'leave unchanged', 1 means 'change'.
Plaintext, ciphertext and keystream are all binary sequences.
Suppose that we have the plaintext 1100101 and the keystream is 1000110.
Applying the rule gives 0100011 as the ciphertext.
Changing a bit twice has the effect of returning it to its original value.
This means that the decryption process is identical to the encryption process, so the keystream also determines decryption.
Stream Ciphers
If Pi, Ki and Ci are respectively the plaintext, keystream and ciphertext bits in position i, then the ciphertext bit Ci is given by Ci = Pi ⊕ Ki.
The decryption is defined by Pi = Ci ⊕ Ki.
A stream cipher takes a short key to generate a long keystream.
This is achieved by using a binary sequence generator.

Stream Ciphers
The keystream bit in position i, Ki = Pi ⊕ Ci, can be determined as the XOR of the plaintext and ciphertext in position i.
This highlights a potential weakness of stream ciphers.
Anyone who is able to launch a known plaintext attack can deduce parts of the keystream sequence from the corresponding plaintext and ciphertext bit pairs.
Thus the keystream must be unpredictable, in the sense that knowledge of some of it should not enable an attacker to deduce the rest.
Stream Ciphers
If the keystream generator produces the same bit stream every time it is turned on, the resulting cryptosystem will be trivial to break.
Anyone who has two different ciphertexts encrypted with the same keystream can XOR them together and get the two plaintext messages XORed with each other.
When the interceptor gets a single plaintext/ciphertext pair, they can read everything.
That is why all stream ciphers have keys: the output of the keystream generator is a function of the key.

Block Ciphers
For a block cipher, the bit-string is divided into blocks of a given size and the encryption algorithm acts on each block to produce a cryptogram block that, for most symmetric ciphers, has the same size.
Block ciphers have many applications.
They can be used to provide confidentiality, integrity, or user authentication, and can even be used to provide the keystream generator for stream ciphers.
A symmetric algorithm is said to be well designed if an exhaustive key search is the simplest form of attack.
Usual block sizes are 64, 128, 256 and 512 bits.
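The stream cipher slides above in code, as an added example that is not part of the lecture material: XOR encryption on the slides' own values (plaintext 1100101, keystream 1000110), decryption by the same operation, keystream recovery from a known plaintext/ciphertext pair, and what a keystream generator that emits the same bits every time leaks. The 6-character messages and the 48-bit keystream are constructed for the demonstration.

```python
# Added example, not part of the lecture slides: a stream cipher as bit-by-bit XOR with a
# keystream, worked on the slides' own values (plaintext 1100101, keystream 1000110), then the
# two facts the slides state: a known plaintext/ciphertext pair reveals the keystream bits,
# and two messages under one keystream reveal P1 XOR P2. Messages and keystream are constructed.

def xor_bits(a: str, b: str) -> str:
    """XOR two equal-length bit strings position by position."""
    if len(a) != len(b):
        raise ValueError("need exactly one keystream bit per plaintext bit")
    return "".join("1" if x != y else "0" for x, y in zip(a, b))

def encrypt(plaintext: str, keystream: str) -> str:
    """C_i = P_i XOR K_i: keystream bit 1 means 'change', 0 means 'leave unchanged'."""
    return xor_bits(plaintext, keystream)

def decrypt(ciphertext: str, keystream: str) -> str:
    """P_i = C_i XOR K_i: changing a bit twice restores it, so decryption is the same operation."""
    return xor_bits(ciphertext, keystream)

def recover_keystream(plaintext: str, ciphertext: str) -> str:
    """Known-plaintext observation from the slides: K_i = P_i XOR C_i."""
    return xor_bits(plaintext, ciphertext)

def text_to_bits(s: str) -> str:
    """8-bit ASCII, one character per 8 bits as the slides assume."""
    return "".join(format(b, "08b") for b in s.encode("ascii"))

def bits_to_text(bits: str) -> str:
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8)).decode("ascii")

# Constructed 48-bit keystream (6 bytes), standing in for a generator that emits the same
# bits every time it is started, which is exactly the failure the slides warn about.
FIXED_KEYSTREAM = "".join(format(b, "08b") for b in bytes.fromhex("5a3c9e01f7b2"))

def keystream_reuse_leak(p1: str, p2: str, keystream: str = FIXED_KEYSTREAM) -> str:
    """Encrypt two 6-character messages under the same keystream and XOR the ciphertexts.
    The keystream cancels (C1 XOR C2 == P1 XOR P2), so whoever knows P1 can read P2."""
    c1 = encrypt(text_to_bits(p1), keystream)
    c2 = encrypt(text_to_bits(p2), keystream)
    p1_xor_p2 = xor_bits(c1, c2)            # no key material is needed for this step
    return bits_to_text(xor_bits(p1_xor_p2, text_to_bits(p1)))  # == p2

if __name__ == "__main__":
    print(encrypt("1100101", "1000110"))                 # 0100011, as on the slide
    print(decrypt("0100011", "1000110"))                 # 1100101
    print(recover_keystream("1100101", "0100011"))       # 1000110
    print(keystream_reuse_leak("HELLO!", "WORLD!"))      # WORLD!
```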
Block Ciphers
There are a few obvious properties that a strong block cipher should possess.
Diffusion properties: a small change in the plaintext, maybe in one or two positions, should produce an unpredictable change in the ciphertext.
Confusion properties: if an attacker is conducting an exhaustive key search, then there should be no indication that they are near to the correct key.
To prevent divide-and-conquer attacks we require completeness: each bit of the ciphertext must depend on every bit of the key.
Statistical testing forms a fundamental component of the assessment of block ciphers for these three listed properties and others.

Data Encryption Standard (DES)
Widely used encryption scheme.
Adopted by the National Bureau of Standards in 1977.
The plaintext is divided into 64-bit blocks, with a key of 56 bits (with 8 parity bits).
The DES structure is similar to the Feistel Network concept.
Processes through 16 rounds of expansion, substitution, key mixing and permutation.
Data Encryption Standard (DES)
Is it breakable?
Yes, one can try a brute force attack using all 2^56 possible keys.
In 1998, the Electronic Frontier Foundation (EFF) created a USD 220,000 machine to go through the entire 56-bit DES key space in an average of 4.5 days.
Triple DES has been introduced to improve the standard.
Advanced Encryption Standard (AES)
needed a better replacement for DES
NIST called for proposals in 1997
selected Rijndael in Nov 2001
published as FIPS 197
symmetric block cipher
uses 128 bit data & 128/192/256 bit keys
now widely available commercially
Message Authentication Codes (MAC)
Message authentication protects against active attacks.
It verifies that a received message is authentic:
contents unaltered
from an authentic source
timely and in correct sequence
Can use conventional encryption: only sender and receiver have the key needed.
Or separate authentication mechanisms: append an authentication tag to the cleartext message.
Hash Function Requirements
Can be applied to any size data.
H produces a fixed-length output.
H(x) is relatively easy to compute for any given x.
One-way property: computationally infeasible to find x such that H(x) = h.
Weak collision resistance: computationally infeasible to find y ≠ x such that H(y) = H(x).
Strong collision resistance: computationally infeasible to find any pair (x, y) such that H(x) = H(y).

Simple Hash Functions
A one-way or secure hash function is used in message authentication and digital signatures.
All hash functions process input a block at a time in an iterative fashion.
One of the simplest hash functions is the bit-by-bit exclusive-OR (XOR) of each block:
– effective data integrity check on random data
– less effective on more predictable data
– virtually useless for data security
Hash Functions
Two attack approaches:
cryptanalysis: exploit a logical weakness in the algorithm
brute-force attack: trial many inputs; strength proportional to size of hash code (2^(n/2))
SHA is the most widely used hash algorithm.
SHA-1 gives a 160-bit hash.
The more recent SHA-256, SHA-384 and SHA-512 provide improved size and security.

Hash Functions
There are 2 prominent algorithms in hashing functions.
First, the most popularly used technique is MD5.
Second, the well accepted standard is the secure hashing algorithm SHA-1.
Nevertheless, SHA-256 is chosen in this class as it is considered to be the primary next-generation algorithm.
Hash Functions
MD-5
A hash function designed by Ron Rivest, one of the inventors of the RSA public-key encryption scheme.
The MD-5 algorithm produces a 128-bit output. Note that MD-5 is now known to have some weaknesses and should be avoided if possible. SHA-1 is generally recommended.
SHA-1 (Secure Hash Algorithm-1)
SHA-1 is an MD-5-like algorithm that was designed to be used with the Digital Signature Standard (DSS).
NIST (National Institute of Standards and Technology) and NSA (National Security Agency) are responsible for SHA-1.
The SHA-1 algorithm produces a 160-bit hash value. This longer output is considered to be more secure than MD-5.

SHA Secure Hash Functions
SHA was originally developed by NIST/NSA in 1993.
It was revised in 1995 as SHA-1:
– US standard for use with the DSA signature scheme
– standard is FIPS 180-1 (1995), also Internet RFC 3174
– produces 160-bit hash values
NIST issued the revised FIPS 180-2 in 2002:
– adds 3 additional versions of SHA: SHA-256, SHA-384, SHA-512
– with 256/384/512-bit hash values
– same basic structure as SHA-1 but greater security
NIST intends to phase out SHA-1 use.
SHA-1 and SHA-256
For SHA-1 and SHA-256, each message block has 512 bits, which are represented as a sequence of sixteen 32-bit words.
SHA-256 uses six logical functions, where each function operates on 32-bit words, which are

SHA-1 and SHA-256
Suppose that the length of the message, M, is l bits. Append the bit "1" to the end of the message, followed by k zero bits, where k is the smallest non-negative solution to the equation
l + 1 + k ≡ 448 (mod 512).
Then append the 64-bit block that is equal to the number l expressed using a binary representation.
For example, the (8-bit ASCII) message "abc" has length 8 × 3 = 24, so the message is padded with a one bit, then 448 − (24 + 1) = 423 zero bits, and then the message length, to become the 512-bit padded message.
Initial value
For SHA-1 and SHA-256, the padded message is parsed into N 512-bit blocks, M(1), M(2), …, M(N).
Since the 512 bits of the input block may be expressed as sixteen 32-bit words, the first 32 bits of message block i are denoted M0(i), the next 32 bits are M1(i), and so on up to M15(i).
For SHA-256, the initial hash value, H(0), shall consist of the following eight 32-bit words, in hex:
SHA-512 Structure
Refer to the pseudocode.
[Figure: SHA-512 round]

Digital Signatures (Cont.)
It is the provision of a means of settling disputes between sender and receiver that distinguishes the digital signature mechanism from the MACing process.
Such a dispute can only be settled if there is asymmetry between sender and receiver.
Digital Signatures (Basic Principle)
For a digital signature scheme based on RSA or El Gamal:
Each user has a private key that only they can use, and its use is accepted as identifying them.
There is a corresponding public key.
Anyone who knows this public key can check that the corresponding private key has been used, but cannot determine the private key.
This gives the receiver assurance of both the origin and content of the message.

Generating a Digital Signature
Asymmetric cryptographic processing requires much computation.
Thus a condensed version, or hash, of the message is produced by applying a hash function to the message.
The signature is produced from the hash (which represents the message) by using the asymmetric algorithm with the private key.
Thus only the owner of the private key can generate the signature.
Digital signature
[Figure: the MESSAGE is hashed (Hf) and the hash is encrypted (E) with the private key to form the signature; the receiver decrypts (D) the signature with the public key and compares the result with the hash (Hf) of the received message.]
How to Create a Digital Signature Using RSA
[Figure: MESSAGE → HASHING FUNCTION → HASH OF MESSAGE → Sign using Private Key → SIGNATURE (SIGNED HASH OF MESSAGE)]

Verifying a Digital Signature
The signature can be verified by anyone who knows the corresponding public key.
To do this, a value is produced from the signature using the asymmetric algorithm with the public key.
This value should be the hash of the message, which anyone can calculate.
If this value and the hash agree, the signature is accepted as genuine.
How to Verify a Digital Signature Using RSA
[Figure: the received Message and Signature are processed in parallel. Verify the Received Signature: Signature → Verify using Public Key → Hash of Message. Re-hash the Received Message: Message → Hashing Function → Hash of Message. If the hashes are equal, the signature is authentic.]

Certification Authority (CA)
AIM: To guarantee the authenticity of public keys.
METHOD: The CA guarantees the authenticity by signing a certificate containing the user's identity and public key with its secret key.
REQUIREMENT: All users must have an authentic copy of the Certification Authority's public key.
Certification Process
[Figure: the Owner generates a key set and presents the public key and credentials to the Centre; the Centre verifies the credentials and creates the certificate; after distribution the Owner receives (and checks) the certificate.]

How Does it Work?
The certificate can accompany all the sender's messages.
The recipient must directly or indirectly:
Trust the CA
Validate the certificate
Certification Authorities
Problems / Questions
Who generates users' keys?
How is identity established?
How can certificates be cancelled?
Any others?

Attacks on Digital Signature
Suppose digital signatures are being used as a means of identification.
If user A wishes to impersonate user B, then there are two different forms of attack:
A attempts to obtain the use of B's private key.
A tries to substitute their public key for B's public key.
Public Key Infrastructure (PKI)
The motivation for using PKI is to facilitate the use of public key cryptography.
Three key players in a PKI system:
The certificate owner, who applies for the certificate.
The CA, which issues the certificate that binds the owner's identity to the owner's public key value.
The relying party, who relies on the certificate.
Other players:
Registration Authority (RA): in some systems the identity verification is performed by a separate authority.
Validation Authority (VA): end users ask the VA if a given certificate is still valid and receive a yes or no answer.

Establishing a PKI
When a PKI is established, the following processes need to take place:
The key pairs for CAs must be generated.
The key pairs for users must be generated.
Users must request certificates.
Users' identities must be verified.
Users' key pairs must be verified.
Certificates must be produced.
Certificates must be checked.
Certificates must be removed/updated (when necessary).
Certificates must be revoked (when necessary).
Key Management
A typical requirement specification for a symmetric key system might include each of the following:
Keys must be generated using a random or pseudorandom process.
Any key used by a communicating pair must be unique to them.
A key must be used for only one purpose, e.g. the same key should not be used for both encryption and authentication.
Each key must be replaced within the time deemed necessary to determine it by an exhaustive search.

Key Management (Cont.)
A key must not be used if its compromise is either known or suspected.
Compromise of a key which is shared between two parties must not compromise any key used by a third party.
Keys should only appear in clear form within a highly tamper resistant device. Elsewhere all keys must be encrypted or in component form.
Keys must be protected against misuse.
Unauthorized modification, substitution or replay of any key must be prevented or detected.
The Key Life Cycle
[Figure: key life cycle with the stages Generation, Distribution, Storage, Usage, Change and Destruction]

RSA
By Rivest, Shamir & Adleman of MIT in 1977.
Best known and widely used public-key scheme.
Ingredients of RSA:
p, q, two prime numbers (private, chosen)
n = p*q (public, calculated)
e, with gcd(Ø(n), e) = 1 and 1 < e < Ø(n) (public, chosen)
d = e^-1 (mod Ø(n)) (private, calculated)
RSA Key Setup
Each user generates a public/private key pair by:
selecting two large primes at random: p, q
computing their system modulus n = p*q
note ø(n) = (p-1)(q-1)
selecting at random the encryption key e, where 1 < e < ø(n), gcd(e, ø(n)) = 1
solving the following equation to find the decryption key d: e*d = 1 mod ø(n) and 0 ≤ d ≤ n
publishing their public encryption key: PU = {e, n}
keeping secret their private decryption key: PR = {d, n}

RSA Use
To encrypt a message M the sender:
obtains the public key of the recipient PU = {e, n}
computes: C = M^e mod n, where 0 ≤ M < n
To decrypt the ciphertext C the owner:
uses their private key PR = {d, n}
computes: M = C^d mod n
Note that the message M must be smaller than the modulus n (block if needed).
RSA Example - Key Setup
1. Select primes: p = 17 & q = 11
2. Compute n = pq = 17 × 11 = 187
3. Compute ø(n) = (p–1)(q–1) = 16 × 10 = 160
4. Select e: gcd(e, 160) = 1; choose e = 7
5. Determine d: de = 1 mod 160 and d < 160. Value is d = 23
6. Publish public key PU = {7, 187}
7. Keep secret private key PR = {23, 187}

RSA Example - En/Decryption
Sample RSA encryption/decryption is:
given message M = 88 (number 88 < 187)
encryption: C = M^e mod n; C = 88^7 mod 187 = 11
decryption: M = C^d mod n; M = 11^23 mod 187 = 88
Exponentiation
Can use the Square and Multiply Algorithm.
A fast, efficient algorithm for exponentiation.
The concept is based on repeatedly squaring the base and multiplying in the ones that are needed to compute the result.
Look at the binary representation of the exponent.
Only takes O(log2 n) multiplications for number n.
e.g. 7^5 = 7^4 · 7^1 = 3 · 7 = 10 mod 11
e.g. 3^129 = 3^128 · 3^1 = 5 · 3 = 4 mod 11

Exponentiation (Algorithm for Computing a^b mod n)
Let b_k b_(k-1) ... b_0 be the binary representation of the exponent b.
c = 0; f = 1
for i = k downto 0
    c = 2 × c
    f = (f × f) mod n
    if b_i == 1 then
        c = c + 1
        f = (f × a) mod n
return f
Efficient Encryption
Encryption uses exponentiation to power e.
Hence if e is small, this will be faster.
Often choose e = 65537 (2^16 + 1).
Also see choices of e = 3 or e = 17.
But if e is too small (e.g. e = 3), it can be attacked using the Chinese remainder theorem and 3 messages with different moduli.
If e is fixed, must ensure gcd(e, ø(n)) = 1, i.e. reject any p or q not relatively prime to e.

Efficient Decryption
Decryption uses exponentiation to power d.
This is likely large, insecure if not.
Can use the Chinese Remainder Theorem (CRT) to compute mod p & q separately, then combine to get the desired answer.
Approximately 4 times faster than doing it directly.
Only the owner of the private key, who knows the values of p & q, can use this technique.
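The RSA slides (key setup, the p = 17, q = 11 worked example, square-and-multiply exponentiation, CRT decryption) and the hash-then-sign description from the digital signature slides, as one added example that is not part of the lecture material. It reproduces the slides' numbers (n = 187, d = 23, 88 encrypts to 11) and signs a message with the same toy key; reducing SHA-256 modulo n so that a hash fits a 187 modulus is an assumption made for the demonstration and is not how real RSA signatures encode the hash.

```python
import hashlib
from math import gcd

# Added example, not from the slides: the slides' RSA material in code, with the slides' own values
# p = 17, q = 11, e = 7 (so n = 187, ø(n) = 160, d = 23, and M = 88 encrypts to C = 11), the
# square-and-multiply algorithm from the exponentiation slide, CRT decryption using p and q, and
# hash-then-sign. Folding SHA-256 down to 0..n-1 is an assumption made only for the toy modulus.

def square_and_multiply(a: int, b: int, n: int) -> int:
    """a^b mod n, scanning the exponent bits b_k ... b_0 from the most significant end."""
    f = 1
    for bit in bin(b)[2:]:
        f = (f * f) % n             # square for every exponent bit
        if bit == "1":
            f = (f * a) % n         # multiply in the base for the bits that are set
    return f

def rsa_keygen(p: int, q: int, e: int) -> tuple:
    """Key setup steps 1-7 from the slide: returns PU = (e, n), PR = (d, n)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if not (1 < e < phi and gcd(e, phi) == 1):
        raise ValueError("e must satisfy 1 < e < ø(n) and gcd(e, ø(n)) = 1")
    d = pow(e, -1, phi)             # e*d ≡ 1 (mod ø(n)), Python 3.8+ modular inverse
    return (e, n), (d, n)

def encrypt(m: int, pub: tuple) -> int:
    e, n = pub
    if not 0 <= m < n:
        raise ValueError("message block must satisfy 0 <= M < n; split longer messages")
    return square_and_multiply(m, e, n)          # C = M^e mod n

def decrypt(c: int, priv: tuple) -> int:
    d, n = priv
    return square_and_multiply(c, d, n)          # M = C^d mod n

def decrypt_crt(c: int, d: int, p: int, q: int) -> int:
    """Decrypt mod p and mod q separately (smaller exponents and moduli), then combine via the CRT."""
    mp = square_and_multiply(c % p, d % (p - 1), p)
    mq = square_and_multiply(c % q, d % (q - 1), q)
    h = (pow(q, -1, p) * (mp - mq)) % p          # Garner's recombination
    return mq + q * h

def toy_hash(message: bytes, n: int) -> int:
    # Assumption for the toy key: reduce SHA-256 into 0..n-1 so the hash can be signed.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message: bytes, priv: tuple) -> int:
    d, n = priv
    return square_and_multiply(toy_hash(message, n), d, n)       # signature = hash^d mod n

def verify(message: bytes, signature: int, pub: tuple) -> bool:
    e, n = pub
    return square_and_multiply(signature, e, n) == toy_hash(message, n)   # hash^(e*d) ≡ hash

if __name__ == "__main__":
    pub, priv = rsa_keygen(17, 11, 7)
    print(pub, priv, encrypt(88, pub), decrypt(11, priv), decrypt_crt(11, 23, 17, 11))
    print(verify(b"BITS3413", sign(b"BITS3413", priv), pub))
```

Any change to the signature value makes the verification fail, because x → x^e mod n is a permutation of the residues mod n, so a different signature can never decrypt to the same hash.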
RSA Key Generation
Users of RSA must:
determine two primes at random: p, q
select either e or d and compute the other
Primes p, q must not be easily derived from modulus n = p*q:
means they must be sufficiently large
typically guess and use a probabilistic test
Exponents e, d are inverses, so use the Inverse algorithm to compute the other.

RSA Security
Possible approaches to attacking RSA are:
brute force key search (infeasible given size of numbers)
mathematical attacks (based on difficulty of computing ø(n), by factoring modulus n)
timing attacks (on running of decryption)
chosen ciphertext attacks (given properties of RSA)
Methods of Attack
Four general attacks can be performed against encrypted information:
Ciphertext-only attack: guessing the plaintext or using frequency analysis
Known plaintext: guess using known plaintext
Chosen-plaintext
Chosen-ciphertext attack

Methods of Attack (Cont.)
There are also specific attacks that can be launched against encryption systems.
Brute-force attack: exhaustive key search, trying every possible combination.
Replay attacks: taking encrypted information and playing it back at a later point in time.
Man-in-the-middle attacks
Fault in Cryptosystem