Chapter 2

Chapter 2
Cryptographic Tools
 Symmetric Encryption
 the universal technique for providing
confidentiality for transmitted or stored
data

 also referred to as conventional encryption

or single-key encryption

 two requirements for secure use:

 need a strong encryption algorithm
 sender and receiver must have obtained copies
of the secret key in a secure
fashion and must keep
the key secure
Figure 2.1
 Attacking Symmetric
Encryption
Cryptanalytic Brute-Force
Attacks Attack
 rely on:  try all possible keys on
 nature of the some ciphertext until
algorithm an intelligible
 some knowledge of the translation into
general characteristics plaintext is obtained
of the plaintext  on average half of all
 some sample plaintext- possible keys must be
ciphertext pairs tried to achieve
 exploits the success
characteristics of the
algorithm to attempt to
deduce a specific
plaintext or the key being
used
 if successful all future
 Table 2.1

Average Time Required for Exhaustive Key

Search
 Table 2.2

Comparison of Three Popular

Symmetric Encryption Algorithms
Data Encryption Standard
(DES)
the most widely used
encryption scheme
• FIPS PUB 46
• referred to as the Data Encryption
Algorithm (DEA)
• uses 64 bit plaintext block and 56
bit key to produce a 64 bit
ciphertext block

strength concerns:
• concerns about algorithm
• DES is the most studied encryption
algorithm in existence
• use of 56-bit key
• Electronic Frontier Foundation (EFF)
announced in July 1998 that it had
broken a DES encryption
Fig
ure
2.2

Figure 2.2 Time to Break a Code (assuming 106 decryptions/ms) The

graph assumes that a symmetric encryption algorithm is attacked using
a brute-force approach of trying all possible keys
 Triple DES (3DES)
 repeats basic DES algorithm three times
using either two or three unique keys
 first standardized for use in financial
applications in ANSI standard X9.17 in 1985
 attractions:
 168-bit key length overcomes the vulnerability
to brute-force attack of DES
 underlying encryption algorithm is the same as
in DES
 drawbacks:
 algorithm is sluggish in software
 uses a 64-bit block size
 Advanced Encryption
Standard (AES)
NIST called
selected
needed a for
Rijndael in
replacement proposals
November
for 3DES for a new
2001
AES inhave
should 1997
a
security strength
equal to or better
than 3DES

significantly
3DES was not improved efficiency
published as
reasonable for
FIPS 197
long term use symmetric block
cipher

128 bit data and

128/192/256 bit keys
 Practical Security
Issues
 typically symmetric encryption is applied to
a unit of data larger than a single 64-bit or
128-bit block
 electronic codebook (ECB) mode is the
simplest approach to multiple-block
encryption
 each block of plaintext is encrypted using the
same key
 cryptanalysts may be able to exploit regularities
in the plaintext

 modes of operation
 alternative techniques developed to increase
 Block
Cipher
Encryption

Stream
Encryption
 Block & Stream
Ciphers
Block
Cipher
• processes the input one block of elements at a time
• produces an output block for each input block
• can reuse keys
• more common

Stream
Cipher
• processes the input elements continuously
• produces output one element at a time
• primary advantage is that they are almost always faster
and use far less code
• encrypts plaintext one byte at a time
• pseudorandom stream is one that is unpredictable
without knowledge of the input key
 Message
Authentication
protects
against active
attacks
verifies • contents have not been
received altered
• from authentic source
message is • timely and in correct
sequence
authentic
can use
• only sender & receiver
conventional share a key
encryption
Message Authentication
Codes
 Secure
Hash
Functions
Figure 2.6

Message
Authenticatio
n Using a
One-Way
Hash Function
 Hash Function
Requirements
 can be applied to a block of data of any
size
 produces a fixed-length output
 H(x) is relatively easy to compute for
any given x
 one-way or pre-image resistant
 computationally infeasible to find x such that
H(x) = h
 second pre-image resistant or weak
collision resistant
 computationally infeasible to find y ≠ x such
that H(y) = H(x)
 collision resistant or strong collision
resistance
 Security of Hash
Functions
 there are two approaches to attacking a
secure hash function:
 cryptanalysis
 exploit logical weaknesses in the algorithm
 brute-force attack
 strength of hash function depends solely on the length
of the hash code produced by the algorithm

 SHA most widely used hash algorithm

 additional secure hash function applications:
 passwords
 hash of a password is stored by an operating
system
 intrusion detection
 store H(F) for each file on a system and secure the
hash values
 Public-Key Encryption
Structure

asymmetri
publicly c some form
proposed based on • uses two of protocol
by Diffie mathemati separate is needed
and cal keys for
Hellman in functions • public key distributio
1976 and private n
key
• public key
is made
public for
others to
use
 Figure 2.7a
Public-Key Encryption
 plaintext
 readable
message or data
that is fed
into the
algorithm as
input
 encryption
algorithm
 performs
transformations
on the
plaintext
 public and
private key
 pair of keys,
***directed toward providing confidentiality one for
encryption, one
for decryption
 ciphertext
 scrambled
message
 Figure 2.7b
Private-Key Encryption

 user encrypts
data using his
or her own
private key
 anyone who knows
the
corresponding
public key will
be able to
decrypt the
message

***directed toward providing authentication

 Table 2.3

Applications for Public-Key

Cryptosystems
Requirements for Public-Key
Cryptosystems
computationally
easy to create
key pairs

computationally
useful if either easy for sender
key can be used knowing public
for each role key to encrypt
messages

computationally computationally
infeasible for easy for
opponent to receiver
otherwise knowing private
recover original key to decrypt
message computationally ciphertext
infeasible for
opponent to
determine
private key from
public key
Asymmetric Encryption
Algorithms
RSA most widely block cipher in
(Rivest, developed in 1977
accepted and
implemented
which the plaintext
and ciphertext are
Shamir, approach to public-
key encryption
integers between 0
and n-1 for some n.
Adleman)
Diffie- enables two users to
securely reach
Hellman agreement about a
shared secret that
limited to the
key can be used as a
secret key for
exchange of the
keys
exchange subsequent
symmetric
encryption of
algorithm messages

Digital
Signature provides only a
digital signature
cannot be used for
encryption or key
Standard function with SHA-1 exchange

(DSS)
Elliptic
curve security like RSA,
but with much
cryptograp smaller keys

hy (ECC)
 Digital Signatures

 used for authenticating both source and

data integrity
 created by encrypting hash code with
private key
 does not provide confidentiality
 even in the case of complete encryption
 message is safe from alteration but not
eavesdropping
Public Key Certificates
 Digital
Envelope
s
 protects a
message without
needing to first
arrange for sender
and receiver to
have the same
secret key

***equates to the same

thing as a sealed
envelope containing
an unsigned letter
Random
Number  keys for public-key
algorithms
s  stream key for
symmetric stream
cipher
 symmetric key for
use as a temporary
session key or in
creating a digital
envelope
 handshaking to
Uses include prevent replay
attacks
generation of:  session key
Random Number Requirements

Randomness Unpredictability
 criteria:  each number is
 uniform distribution statistically
 frequency of independent of other
occurrence of each numbers in the
of the numbers sequence
should be
 opponent should not
approximately the
same be able to predict
 independence future elements of the
 no one value in the sequence on the basis
sequence can be of earlier elements
inferred from the
others
 Random versus
Pseudorandom
 cryptographic applications typically make use of
algorithmic techniques for random number
generation
 algorithms are deterministic and therefore
produce sequences of numbers that are not
statistically random
 pseudorandom numbers are:
 sequences produced that satisfy statistical
randomness tests
 likely to be predictable

 true random number generator (TRNG):

 uses a nondeterministic source to produce
randomness
 most operate by measuring unpredictable natural
 Practical Application:
Encryption of Stored Data

common to encrypt transmitted data

much less common for stored data

there is often little
protection beyond
domain
authentication and
operating system
access controls approaches to encrypt
data are archived for
indefinite periods
stored data:
use a
commercially background
back-end library based tape
available laptop/PC data
appliance encryption
even though erased, encryption encryption
until disk sectors are package
reused data are
recoverable