CSC/EE 526: Computer
and Network Security
Lecture 3
Dr. Hang Liu
Outline
• Review of Last Lecture
• Symmetric Encryption and Message
Confidentiality
• Chapter 3: Public Key Cryptography and
Message Authentication
Some Basic Terminology
• Plaintext - original message
• Ciphertext - coded message
• Cipher - algorithm for transforming plaintext to ciphertext
• Key - info used in cipher known only to sender/receiver
• Encipher (encrypt) - converting plaintext to ciphertext
• Decipher (decrypt) - recovering plaintext from ciphertext
• Cryptography - study of encryption principles/methods
• Cryptanalysis (code breaking) - study of principles/methods of
deciphering ciphertext without knowing key
• Cryptology - field of both cryptography and cryptanalysis
The security of symmetric encryption
depends on the secrecy of the key, not the
secrecy of the algorithm
Cryptography
Cryptographic systems are generically classified along three independent dimensions:
• The type of operations used for transforming plaintext to ciphertext
  • Substitution
    • Each element in the plaintext is mapped into another element
  • Transposition
    • Elements in the plaintext are rearranged
    • Fundamental requirement is that no information be lost
  • Product systems
    • Involve multiple stages of substitutions and transpositions
• The number of keys used
  • Referred to as symmetric, single-key, secret-key, or conventional encryption if both sender and receiver use the same key
  • Referred to as asymmetric, two-key, or public-key encryption if the sender and receiver each use a different key
• The way in which the plaintext is processed
  • Block cipher processes the input one block of elements at a time, producing an output block for each input block
  • Stream cipher processes the input elements continuously, producing output one element at a time, as it goes along
Table 2.1
Types of Attacks on Encrypted Messages
Symmetric Block Encryption Algorithms
• Block cipher
  • The most commonly used symmetric encryption algorithms
  • Processes the plaintext input in fixed-sized blocks and produces a block of ciphertext of equal size for each plaintext block
• The three most important symmetric block ciphers:
  • Data Encryption Standard (DES)
  • Triple DES (3DES)
  • Advanced Encryption Standard (AES)
DES algorithm
• Description of the algorithm:
• Plaintext is 64 bits in length
• Key is 56 bits in length
• Structure is a minor variation of the Feistel network
• There are 16 rounds of processing
• Process of decryption is essentially the same as the encryption
process
• The strength of DES:
• Concerns fall into two categories
• The algorithm itself
• Refers to the possibility that cryptanalysis is possible by exploiting
the characteristics of the algorithm
• The use of a 56-bit key
• Speed of commercial, off-the-shelf processors threatens the security
Table 2.2
Average Time Required for Exhaustive
Key Search
Advanced encryption
standard (AES)
• In 1997 NIST issued a call for proposals for a new AES:
• Should have a security strength equal to or better than 3DES
and significantly improved efficiency
• Must be a symmetric block cipher with a block length of 128
bits and support for key lengths of 128, 192, and 256 bits
• Evaluation criteria included security, computational efficiency,
memory requirements, hardware and software suitability, and
flexibility
• NIST selected Rijndael as the proposed AES algorithm
• FIPS PUB 197
• Developers were two cryptographers from Belgium: Dr. Joan
Daemen and Dr. Vincent Rijmen
Random and Pseudorandom Numbers
• Randomness:
  • Uniform distribution
    • The distribution of bits in the sequence should be uniform
    • Frequency of occurrence of ones and zeros should be approximately the same
  • Independence
    • No one subsequence in the sequence can be inferred from the others
    • There is no test to “prove” independence
    • The general strategy is to apply a number of tests until the confidence that independence exists is sufficiently strong
• Unpredictability
  • In applications such as reciprocal authentication and session key generation, the requirement is not so much that the sequence of numbers be statistically random but that the successive members of the sequence are unpredictable
  • With “true” random sequences, each number is statistically independent of other numbers in the sequence and therefore unpredictable
  • Care must be taken that an opponent not be able to predict future elements of the sequence on the basis of earlier elements
Algorithm Design
• Purpose-built algorithms
  • Designed specifically and solely for the purpose of generating pseudorandom bit streams
• Algorithms based on existing cryptographic algorithms
  • Cryptographic algorithms have the effect of randomizing input
  • Can serve as the core of PRNGs
• Three broad categories of cryptographic algorithms are commonly used to create PRNGs:
  • Symmetric block ciphers
  • Asymmetric ciphers
  • Hash functions and message authentication codes
Stream Cipher design
considerations
• The encryption sequence should have a large period
• The longer the period of repeat, the more difficult it will be to do
cryptanalysis
• The keystream should approximate the properties of a true
random number stream as close as possible
• The more random-appearing the keystream is, the more
randomized the ciphertext is, making cryptanalysis more difficult
• The pseudorandom number generator is conditioned on the value
of the input key
• To guard against brute-force attacks, the key needs to be
sufficiently long
• With current technology, a key length of at least 128 bits is
desirable
RC4 Algorithm
Key-scheduling algorithm (KSA). S is the 256-entry state array; T is the key (keylen bytes) repeated to fill 256 entries:
for i from 0 to 255
    S[i] := i
    T[i] := key[i mod keylen]
endfor
j := 0
for i from 0 to 255
    j := (j + S[i] + T[i]) mod 256
    swap values of S[i] and S[j]
endfor
Pseudo-random generation algorithm (PRGA). Each output byte K is XORed with one byte of plaintext to encrypt (or of ciphertext to decrypt):
i := 0
j := 0
while GeneratingOutput:
    i := (i + 1) mod 256
    j := (j + S[i]) mod 256
    swap values of S[i] and S[j]
    K := S[(S[i] + S[j]) mod 256]
    output K
endwhile
Electronic
Codebook Mode (ECB)
• Plaintext is handled b bits at a time and each block of plaintext is
encrypted using the same key
• The term “codebook” is used because, for a given key, there is a
unique ciphertext for every b-bit block of plaintext
• One can imagine a gigantic codebook in which there is an entry
for every possible b-bit plaintext pattern showing its corresponding
ciphertext
• With ECB, if the same b-bit block of plaintext appears more than
once in the message, it always produces the same ciphertext
• Because of this, for lengthy messages, the ECB mode may not be
secure
• If the message is highly structured, it may be possible for a
cryptanalyst to exploit these regularities
Cipher Feedback (CFB) mode, with s-bit segments and a b-bit shift register S_i:
$$C_i = \mathrm{head}(E_k(S_{i-1}), s) \oplus P_i, \qquad S_i = ((S_{i-1} \ll s) + C_i) \bmod 2^b$$
$$P_i = \mathrm{head}(E_k(S_{i-1}), s) \oplus C_i$$
Counter (CTR) mode:
$$C_i = E_k(\mathrm{CTR}_i) \oplus P_i$$
$$P_i = E_k(\mathrm{CTR}_i) \oplus C_i$$
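As an added example (not code from the lecture), ECB and CTR written over a generic block encryption E_k, showing the codebook regularity described above: the stand-in 64-bit Feistel cipher `toy_encrypt`, the key, the nonce and the structured message are all constructed for the demo, and the stand-in is not AES.

```python
# Added example (not from the slides): ECB vs CTR over a generic block cipher.
# toy_encrypt is a stand-in keyed permutation so the demo runs offline; it is NOT AES.
import hashlib
from typing import Callable

BLOCK = 8  # block size in bytes (b = 64 bits for the stand-in cipher)

def toy_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for E_k: 4-round Feistel permutation on one 8-byte block (demo only)."""
    assert len(block) == BLOCK
    L, R = block[:4], block[4:]
    for r in range(4):
        f = hashlib.sha256(key + bytes([r]) + R).digest()[:4]   # keyed round function
        L, R = R, bytes(a ^ b for a, b in zip(L, f))
    return L + R

def ecb_encrypt(enc: Callable[[bytes, bytes], bytes], key: bytes, pt: bytes) -> bytes:
    """ECB: C_i = E_k(P_i). Equal plaintext blocks always give equal ciphertext blocks."""
    assert len(pt) % BLOCK == 0, "ECB needs whole blocks (padding omitted here)"
    return b"".join(enc(key, pt[i:i + BLOCK]) for i in range(0, len(pt), BLOCK))

def ctr_encrypt(enc: Callable[[bytes, bytes], bytes], key: bytes, nonce: bytes, pt: bytes) -> bytes:
    """CTR: C_i = E_k(CTR_i) XOR P_i with CTR_i = nonce + i. Decryption is the same call.
    The nonce must never repeat under one key, or two keystreams coincide."""
    out = bytearray()
    for n, i in enumerate(range(0, len(pt), BLOCK)):
        ctr = (int.from_bytes(nonce, "big") + n) % (1 << (8 * BLOCK))
        ks = enc(key, ctr.to_bytes(BLOCK, "big"))
        out += bytes(p ^ k for p, k in zip(pt[i:i + BLOCK], ks))
    return bytes(out)

def repeated_blocks(ct: bytes) -> int:
    """Count ciphertext blocks that duplicate an earlier one: the regularity ECB exposes."""
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return len(blocks) - len(set(blocks))

if __name__ == "__main__":
    key, nonce = b"demo-key", b"\x00" * 7 + b"\x01"           # constructed demo values
    pt = b"HEADER01" * 4 + b"PAYLOAD!" * 4                   # constructed, highly structured
    print("ECB repeated blocks:", repeated_blocks(ecb_encrypt(toy_encrypt, key, pt)))  # 6
    ct = ctr_encrypt(toy_encrypt, key, nonce, pt)
    print("CTR repeated blocks:", repeated_blocks(ct))       # 0
    print(ctr_encrypt(toy_encrypt, key, nonce, ct) == pt)   # True
```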
Summary
• Symmetric encryption principles
  • Cryptography
  • Cryptanalysis
  • Feistel cipher structure
• Symmetric block encryption algorithms
  • Data encryption standard
  • Triple DES
  • Advanced encryption standard
• Random and pseudorandom numbers
  • The use of random numbers
  • TRNGs, PRNGs, PRFs
  • Algorithm design
• Stream ciphers and RC4
  • Stream cipher structure
  • RC4 algorithm
• Cipher block modes of operation
  • ECB
  • CBC
  • CFB
  • CTR
Homework
• Chapter 2 Homework: Problems 2.3, 2.8, 2.11, 2.16
(5th or 6th edition)
• Due: Wednesday, Sept. 20
• Quiz 1: Sept. 20
Chapter 3
Public Key Cryptography and
Message Authentication
Every Egyptian received two names, which were known respectively as the
true name and the good name, or the great name and the little name; and
while the good or little name was made public, the true or great name
appears to have been carefully concealed.
—The Golden Bough, Sir James George Frazer
To guard against the baneful influence exerted by strangers is therefore an
elementary dictate of savage prudence. Hence before strangers are allowed
to enter a district, or at least before they are permitted to mingle freely
with the inhabitants, certain ceremonies are often performed by the
natives of the country for the purpose of disarming the strangers of their
magical powers, or of disinfecting, so to speak, the tainted atmosphere by
which they are supposed to be surrounded.
—The Golden Bough, Sir James George Frazer
Approaches to Message Authentication
• Using conventional encryption
  • Symmetric encryption alone is not a suitable tool for data authentication
  • We assume that only the sender and receiver share a key, so only the genuine sender would be able to encrypt a message successfully
  • The receiver assumes that no alterations have been made and that sequencing is proper if the message includes an error detection code and a sequence number
  • If the message includes a timestamp, the receiver assumes that the message has not been delayed beyond that normally expected for network transit
• Without message encryption
  • An authentication tag is generated and appended to each message for transmission
  • The message itself is not encrypted and can be read at the destination independent of the authentication function at the destination
  • Because the message is not encrypted, message confidentiality is not provided
One-way Hash Functions
• Accepts a variable-size message M as input and
produces a fixed-size message digest H(M) as output
• Does not require a secret key as input to generate H(M). Is that an issue?
• To authenticate a message, the message digest is sent
with the message in such a way that the message digest
is authentic
Secure Hash Functions
• Is important not only in message authentication but in digital signatures
• Purpose is to produce a “fingerprint” of a file, message, or other block of data
• To be useful for message authentication, a hash function H must have the following properties:
  1. H can be applied to a block of data of any size.
  2. H produces a fixed-length output.
  3. H(x) is relatively easy to compute for any given x, making both hardware and software implementations practical.
  4. For any given code h, it is computationally infeasible to find x such that H(x) = h. A hash function with this property is referred to as one-way or preimage resistant.
  5. For any given block x, it is computationally infeasible to find y ≠ x with H(y) = H(x). A hash function with this property is referred to as second preimage resistant. This is sometimes referred to as weak collision resistant.
  6. It is computationally infeasible to find any pair (x, y) such that H(x) = H(y). A hash function with this property is referred to as collision resistant. This is sometimes referred to as strong collision resistant.
Security of Hash
Functions
• There are two approaches to attacking a secure hash
function:
• Brute-force attack
• The strength of a hash function against this attack depends
solely on the length of the hash code produced by the
algorithm
• Cryptanalysis
• Involves exploiting logical weaknesses in the algorithm
Secure Hash Algorithm
(SHA)
• SHA was developed by NIST and published as a federal
information processing standard (FIPS 180) in 1993
• Was revised in 1995 as SHA-1 and published as FIPS 180-1
• The actual standards document is entitled “Secure Hash
Standard”
• Based on the hash function MD4 and its design closely
models MD4
• Produces 160-bit hash values
• In 2005 NIST announced the intention to phase out
approval of SHA-1 and move to a reliance on SHA-2 by
2010
Table 3.1
Comparison of SHA Parameters
Note: All sizes are measured in bits.
SHA-3
Basic requirements that must be satisfied by any candidate for SHA-3:
1. It must be possible to replace SHA-2 with SHA-3 in any application by a simple drop-in substitution. Therefore, SHA-3 must support hash value lengths of 224, 256, 384, and 512 bits.
2. SHA-3 must preserve the online nature of SHA-2. That is, the algorithm must process comparatively small blocks (512 or 1024 bits) at a time instead of requiring that the entire message be buffered in memory before processing it.
HMAC
• There has been an increased interest in developing a MAC
derived from a cryptographic hash code
• Cryptographic hash functions generally execute faster in software
than conventional encryption algorithms such as DES
• Library code for cryptographic hash functions is widely available
• A hash function such as SHA-1 was not designed for use as a
MAC and cannot be used directly for that purpose because it does
not rely on a secret key
• There have been a number of proposals for the incorporation
of a secret key into an existing hash algorithm
• The approach that has received the most support is HMAC
HMAC
• Has been issued as RFC 2104
• Has been chosen as the mandatory-to-implement MAC for IP
Security
• Is used in other Internet protocols, such as Transport Layer
Security (TLS) and Secure Electronic Transaction (SET)
HMAC Design Objectives
• To use, without modifications, available hash functions --- in
particular, hash functions that perform well in software, and
for which code is freely and widely available
• To allow for easy replaceability of the embedded hash
function in case faster or more secure hash functions are
found or required
• To preserve the original performance of the hash function
without incurring a significant degradation
• To use and handle keys in a simple way
• To have a well understood cryptographic analysis of the
strength of the authentication mechanism based on
reasonable assumptions on the embedded hash function
In the HMAC structure:
• K is the secret key
• ipad is the inner padding (0x363636…3636, one block long)
• opad is the outer padding (0x5c5c5c…5c5c, a one-block-long constant)
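HMAC built literally from the ipad/opad definition above, as an added example (not code from the lecture): it is cross-checked against Python's `hmac` module and an RFC 2202 test vector; the shared key and message used for the verify step are constructed.

```python
# Added example (not from the slides): HMAC from the definition
# HMAC(K, M) = H((K+ XOR opad) || H((K+ XOR ipad) || M)), K+ = key padded to one hash block.
import hashlib
import hmac

IPAD, OPAD = 0x36, 0x5C   # inner/outer padding bytes from the slide

def hmac_from_definition(key: bytes, msg: bytes, hash_name: str = "sha256") -> bytes:
    """Compute HMAC over msg with any hashlib algorithm, using the nested-hash definition."""
    b = hashlib.new(hash_name).block_size        # 64 bytes for SHA-1/SHA-256, 128 for SHA-512
    if len(key) > b:                              # RFC 2104: keys longer than one block are hashed first
        key = hashlib.new(hash_name, key).digest()
    k_plus = key.ljust(b, b"\x00")                # zero-pad the key to b bytes
    inner = hashlib.new(hash_name, bytes(k ^ IPAD for k in k_plus) + msg).digest()
    return hashlib.new(hash_name, bytes(k ^ OPAD for k in k_plus) + inner).digest()

def matches_stdlib(key: bytes, msg: bytes, hash_name: str = "sha256") -> bool:
    """Cross-check the hand-built MAC against Python's hmac module."""
    return hmac_from_definition(key, msg, hash_name) == hmac.new(key, msg, hash_name).digest()

def verify_tag(key: bytes, msg: bytes, tag: bytes, hash_name: str = "sha256") -> bool:
    """Receiver side: recompute the tag and compare in constant time to avoid timing leaks."""
    return hmac.compare_digest(hmac_from_definition(key, msg, hash_name), tag)

if __name__ == "__main__":
    # RFC 2202 test case 2 (HMAC-SHA1): key "Jefe", data "what do ya want for nothing?"
    print(hmac_from_definition(b"Jefe", b"what do ya want for nothing?", "sha1").hex())
    # -> effcdf6ae5eb2fa2d27416d5f184df9c259a7c79
    key, msg = b"constructed-shared-key", b"transfer 100 units to account 42"   # constructed
    tag = hmac_from_definition(key, msg)
    print(verify_tag(key, msg, tag), verify_tag(key, msg + b"0", tag))          # True False
```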
Counter with Cipher Block Chaining-Message Authentication Code (CCM)
• NIST standard SP 800-38C
• Referred to as an authenticated encryption mode of operation
• “Authenticated encryption” is a term used to describe encryption systems that simultaneously protect confidentiality and authenticity of communications
• A single key is used for both encryption and MAC algorithms
• Key algorithmic ingredients:
  • AES encryption algorithm
  • CTR mode
  • CMAC authentication algorithm
Public-Key
encryption structure
• First publicly proposed by Diffie and Hellman in 1976
• Based on mathematical functions rather than on simple
operations on bit patterns
• Is asymmetric, involving the use of two separate keys
Misconceptions:
• Public-key encryption is more secure from cryptanalysis than conventional encryption.
  • As of 2003 RSA Security claims that 1024-bit RSA keys are equivalent in strength to 80-bit symmetric keys, 2048-bit RSA keys to 112-bit symmetric keys and 3072-bit RSA keys to 128-bit symmetric keys. 15360-bit RSA keys are equivalent in strength to 256-bit symmetric keys
• Public-key encryption is a general-purpose technique that has made conventional encryption obsolete
• There is a feeling that key distribution is trivial when using public-key encryption, compared to the rather cumbersome handshaking involved with key distribution centers for conventional encryption
Applications for
public-key cryptosystems
• Public-key systems are characterized by the use of a
cryptographic type of algorithm with two keys, one
held private and one available publicly
• Depending on the application, the sender uses either
the sender’s private key, the receiver’s public key, or
both to perform some type of cryptographic function
• The use of public-key cryptosystems can be classified into three categories:
  • Encryption/decryption: the sender encrypts a message with the recipient’s public key
  • Digital signature: the sender “signs” a message with its private key
  • Key exchange: two sides cooperate to exchange a session key
Table 3.2
Applications for Public-Key Cryptosystems
Greatest Common Divisor (gcd): the largest positive integer that divides the numbers without a remainder. For example, the GCD of 8 and 12 is 4.
RSA example: Public Key = <e, n> = <7, 187>, Private Key = <d, n> = <23, 187>
Diffie-Hellman Key
Exchange
• First published public-key algorithm
• A number of commercial products employ this key
exchange technique
• Purpose of the algorithm is to enable two users to
exchange a secret key securely that then can be used
for subsequent encryption of messages
• The algorithm itself is limited to the exchange of the keys
• Depends for its effectiveness on the difficulty of
computing discrete logarithms
Some Basic Number Theory
• For a positive integer n, two integers a and b are said to be congruent modulo n,
  $a \equiv b \pmod{n}$
  if their difference a − b is an integer multiple of n (or n divides a − b). The number n is called the modulus of the congruence.
  • For example, $38 \equiv 14 \pmod{12}$ because 38 − 14 = 24, which is a multiple of 12.
• Two integers a and b are said to be relatively prime, mutually prime, or coprime if the only positive integer that evenly divides both of them is 1
  • They have no common positive factors other than 1: gcd(a, b) = 1
• A number α is a primitive root modulo q if every number coprime to q is congruent to a power of α modulo q.
  • For every integer y coprime to q, there is an integer x such that $\alpha^{x} \equiv y \pmod{q}$.
  • x is called the index or discrete logarithm of y to the base α modulo q.
  • α is a generator of the multiplicative group of integers modulo q.
Diffie-Hellman shared secret, computed identically by both sides from the other side's public value and its own private exponent:
$$K = \alpha^{X_A X_B} \bmod q$$
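The number-theory definitions above (congruence, primitive roots, discrete logarithm) and a Diffie-Hellman exchange arriving at K = α^(X_A X_B) mod q, as an added example (not code from the lecture); the parameters q = 23, α = 5 and the private exponents 6 and 15 are textbook-sized values chosen for the demo.

```python
# Added example (not from the slides): congruence, primitive roots and a
# Diffie-Hellman exchange with tiny parameters. Real deployments use a q of
# 2048+ bits (or an elliptic-curve group), where discrete_log below is infeasible.
from math import gcd
import secrets

def congruent(a: int, b: int, n: int) -> bool:
    """a ≡ b (mod n) exactly when n divides a - b."""
    return (a - b) % n == 0

def is_primitive_root(alpha: int, q: int) -> bool:
    """True if the powers of alpha hit every residue coprime to q (all of 1..q-1 for prime q)."""
    if q < 2 or gcd(alpha, q) != 1:
        return False
    units = {x for x in range(1, q) if gcd(x, q) == 1}
    return {pow(alpha, k, q) for k in range(len(units))} == units

def discrete_log(alpha: int, y: int, q: int) -> int:
    """Index x with alpha^x ≡ y (mod q), by exhaustive search (feasible only for tiny q)."""
    for x in range(q):
        if pow(alpha, x, q) == y % q:
            return x
    raise ValueError("y is not a power of alpha modulo q")

def dh_public(q: int, alpha: int, x: int) -> int:
    return pow(alpha, x, q)                      # Y = alpha^X mod q, sent in the clear

def dh_shared(q: int, y_other: int, x_own: int) -> int:
    return pow(y_other, x_own, q)                # K = Y_other^X_own = alpha^(X_A X_B) mod q

def dh_exchange(q: int, alpha: int, x_a: int, x_b: int) -> tuple[int, int, int, int]:
    """Return (Y_A, Y_B, K_A, K_B); the two K values must agree."""
    y_a, y_b = dh_public(q, alpha, x_a), dh_public(q, alpha, x_b)
    return y_a, y_b, dh_shared(q, y_b, x_a), dh_shared(q, y_a, x_b)

if __name__ == "__main__":
    q, alpha = 23, 5
    print(congruent(38, 14, 12), is_primitive_root(alpha, q), is_primitive_root(2, q))  # True True False
    print(dh_exchange(q, alpha, 6, 15))          # (8, 19, 2, 2)
    print(discrete_log(alpha, 8, q))             # 6: recovering X_A from Y_A is the hard problem
    # Private exponents must come from a CSPRNG, never from a predictable source:
    _, _, k_a, k_b = dh_exchange(q, alpha, secrets.randbelow(q - 2) + 1, secrets.randbelow(q - 2) + 1)
    print(k_a == k_b)                            # True
```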
Digital Signature
standard (DSS)
• FIPS PUB 186
• Makes use of the SHA-1 and presents a new digital
signature technique, the Digital Signature Algorithm (DSA)
• Originally proposed in 1991 and revised in 1993 and again
in 1996
• Uses an algorithm that is designed to provide only the
digital signature function
• Unlike RSA, it cannot be used for encryption or key
exchange
Elliptic-curve cryptography (ECC)
• Technique is based on the use of a mathematical
construct known as the elliptic curve
• Principal attraction of ECC compared to RSA is that it
appears to offer equal security for a far smaller bit size,
thereby reducing processing overhead
• The confidence level in ECC is not yet as high as that
in RSA
Summary
• Approaches to message authentication
  • Authentication using conventional encryption
  • Message authentication without message encryption
• Secure hash functions
  • Hash function requirements
  • Security of hash functions
  • Simple hash functions
  • The SHA secure hash function
  • SHA-3
• Message authentication codes
  • HMAC
  • MACs based on block ciphers
• Public-key cryptography principles
  • Public-key encryption structure
  • Applications for public-key cryptosystems
  • Requirements for public-key cryptography
• Public-key cryptography algorithms
  • The RSA public-key encryption algorithm
  • Diffie-Hellman key exchange
  • Other public-key cryptography algorithms
• Digital signatures
Homework
• Chapter 3: Problems 3.3, 3.8, 3.10, 3.21 (5th or 6th
edition)
• Due: Wednesday, Oct. 18
• Quiz 2: Chapters 1, 2, 3, and 4, Wednesday, Oct. 18
• Midterm: Wednesday, Nov. 1st