Security

Uploaded by

Ansh Singh
Copyright
© © All Rights Reserved
Cryptographic algorithms and protocols can be grouped into four main areas:

Symmetric encryption
• Used to conceal the contents of blocks or streams of data of any size, including messages, files, encryption keys, and passwords

Asymmetric encryption
• Used to conceal small blocks of data, such as encryption keys and hash function values, which are used in digital signatures

Data integrity algorithms
• Used to protect blocks of data, such as messages, from alteration

Authentication protocols
• Schemes based on the use of cryptographic algorithms designed to authenticate the identity of entities

Computer Security Objectives
Confidentiality
• Data confidentiality
• Assures that private or confidential information is not made
available or disclosed to unauthorized individuals
• Privacy
• Assures that individuals control or influence what information
related to them may be collected and stored and by whom and to
whom that information may be disclosed

Integrity
• Data integrity
• Assures that information and programs are changed only in a
specified and authorized manner
• System integrity
• Assures that a system performs its intended function in an
unimpaired manner, free from deliberate or inadvertent
unauthorized manipulation of the system
Availability
• Assures that systems work promptly and service is not denied
to authorized users
Breach of Security Levels of Impact
High
• The loss could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals
Moderate
• The loss could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals
Low
• The loss could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals

Security Attacks
• A means of classifying security attacks, used both in X.800 and RFC 4949, is in terms of passive attacks and active attacks
• A passive attack attempts to learn or make use of information from the system but does not affect system resources
• An active attack attempts to alter system resources or affect their operation

Passive Attacks
• Are in the nature of eavesdropping on, or monitoring of, transmissions
• Goal of the opponent is to obtain information that is being transmitted
• Two types of passive attacks are:
  • The release of message contents
  • Traffic analysis

Active Attacks
• Involve some modification of the data stream or the creation of a false stream
• Difficult to prevent because of the wide variety of potential physical, software, and network vulnerabilities
• Goal is to detect attacks and to recover from any disruption or delays caused by them

Masquerade
• Takes place when one entity pretends to be a different entity
• Usually includes one of the other forms of active attack
Replay
• Involves the passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect
Modification of messages
• Some portion of a legitimate message is altered, or messages are delayed or reordered to produce an unauthorized effect
Denial of service
• Prevents or inhibits the normal use or management of communications facilities

Model for Network Security
All the techniques for providing security have two components:
• A security-related transformation on the information to be sent.
• Some secret information shared by the two principals and, it is hoped, unknown to the opponent

This general model shows that there are four basic
tasks in designing a particular security service:
• Design an algorithm for performing the security-
related transformation. The algorithm should be
such that an opponent cannot defeat its purpose.
• Generate the secret information to be used with
the algorithm.
• Develop methods for the distribution and sharing
of the secret information.
• Specify a protocol to be used by the two principals
that makes use of the security algorithm and the
secret information to achieve a particular security
service.
Definitions
Plaintext
• An original message
Ciphertext
• The coded message
Enciphering/encryption
• The process of converting from plaintext to ciphertext
Deciphering/decryption
• Restoring the plaintext from the ciphertext
Cryptography
• The area of study of the many schemes used for encryption
Cryptographic system/cipher
• A scheme
Cryptanalysis
• Techniques used for deciphering a message without any knowledge of the enciphering details
Cryptology
• The areas of cryptography and cryptanalysis

A symmetric encryption scheme has five ingredients
Plaintext: This is the original intelligible message or data that is fed into the
algorithm as input.
Encryption algorithm: The encryption algorithm performs various
substitutions and transformations on the plaintext.
Secret key: The secret key is also input to the encryption algorithm. The key
is a value independent of the plaintext and of the algorithm. The algorithm
will produce a different output depending on the specific key being used at
the time. The exact substitutions and transformations performed by the
algorithm depend on the key.
Ciphertext: This is the scrambled message produced as output. It depends
on the plaintext and the secret key. For a given message, two different keys
will produce two different ciphertexts. The ciphertext is an apparently
random stream of data and, as it stands, is unintelligible.
Decryption algorithm: This is essentially the encryption algorithm run in
reverse. It takes the ciphertext and the secret key and produces the original
plaintext.
© 2017 Pearson Education, Ltd.,
All rights reserved.
Symmetric Cipher Model
• There are two requirements for secure use of conventional encryption:
  • A strong encryption algorithm
  • Sender and receiver must have obtained copies of the secret key in a secure fashion and must keep the key secure

Cryptographic Systems
• Characterized along three independent dimensions:

The type of operations used for transforming plaintext to ciphertext
• Substitution
• Transposition
The number of keys used
• Symmetric, single-key, secret-key, conventional encryption
• Asymmetric, two-key, or public-key encryption
The way in which the plaintext is processed
• Block cipher
• Stream cipher

Cryptanalysis and Brute-Force Attack
Cryptanalysis
• Attack relies on the nature of the algorithm plus some knowledge of the general characteristics of the plaintext
• Attack exploits the characteristics of the algorithm to attempt to deduce a specific plaintext or to deduce the key being used
Brute-force attack
• Attacker tries every possible key on a piece of ciphertext until an intelligible translation into plaintext is obtained
• On average, half of all possible keys must be tried to achieve success

Table 3.1 Types of Attacks on Encrypted Messages

Encryption Scheme Security
• Unconditionally secure
• No matter how much time an opponent
has, it is impossible for him or her to
decrypt the ciphertext simply because
the required information is not there

• Computationally secure
• The cost of breaking the cipher exceeds
the value of the encrypted information
• The time required to break the cipher
exceeds the useful lifetime of the
information

Brute-Force Attack
• Involves trying every possible key until an intelligible translation of the ciphertext into plaintext is obtained
• On average, half of all possible keys must be tried to achieve success
• To supplement the brute-force approach, some degree of knowledge about the expected plaintext is needed, and some means of automatically distinguishing plaintext from garble is also needed

Substitution Technique
• Is one in which the letters of plaintext are replaced by other letters or by numbers or symbols
• If the plaintext is viewed as a sequence of bits, then substitution involves replacing plaintext bit patterns with ciphertext bit patterns

Stream Cipher
• Encrypts a digital data stream one bit or one byte at a time
• Examples:
  • Autokeyed Vigenère cipher
  • Vernam cipher
• In the ideal case, a one-time pad version of the Vernam cipher would be used, in which the keystream is as long as the plaintext bit stream
• If the cryptographic keystream is random, then this cipher is unbreakable by any means other than acquiring the keystream
  • Keystream must be provided to both users in advance via some independent and secure channel
  • This introduces insurmountable logistical problems if the intended data traffic is very large
• For practical reasons the bit-stream generator must be implemented as an algorithmic procedure so that the cryptographic bit stream can be produced by both users
• It must be computationally impractical to predict future portions of the bit stream based on previous portions of the bit stream
• The two users need only share the generating key and each can produce the keystream

Block Cipher
• A block of plaintext is treated as a whole and used to produce a ciphertext block of equal length
• Typically a block size of 64 or 128 bits is used
• As with a stream cipher, the two users share a symmetric encryption key
• The majority of network-based symmetric cryptographic applications make use of block ciphers

Data Encryption Standard (DES)

6.1.2 Overview

DES is a block cipher, as shown in Figure 6.1.

Figure 6.1 Encryption and decryption with DES

Figure 6.2 General structure of DES

6.2.1 Initial and Final Permutations

Figure 6.3 Initial and final permutation steps in DES

Table 6.1 Initial and final permutation tables

6.2.2 Rounds

DES uses 16 rounds. Each round of DES is a Feistel cipher.

Figure 6.4 A round in DES (encryption site)

DES Function
The heart of DES is the DES function. The DES function applies a 48-bit key to the rightmost 32 bits to produce a 32-bit output.

Figure 6.5 DES function

Expansion P-box
Since $R_{I-1}$ is a 32-bit input and $K_I$ is a 48-bit key, we first need to expand $R_{I-1}$ to 48 bits.

Figure 6.6 Expansion permutation

Whitener (XOR)
After the expansion permutation, DES uses the XOR operation on the expanded right section and the round key. Note that both the right section and the key are 48 bits in length. Also note that the round key is used only in this operation.

S-Boxes
The S-boxes do the real mixing (confusion). DES uses 8 S-boxes, each with a 6-bit input and a 4-bit output. See Figure 6.7.

Figure 6.7 S-boxes

Figure 6.8 S-box rule

Straight Permutation

Table 6.11 Straight permutation table

6.2.3 Continued

Figure 6.10 Key generation

Table 6.12 Parity-bit drop table

Table 6.13 Number of bits shifts

Table 6.14 Key-compression table

Given a plaintext P and two encryption keys K1 and K2, ciphertext C
is generated as

Decryption requires that the keys be applied in reverse order:

For DES, this scheme apparently involves a key length of 56 * 2 = 112 bits, and should result in a dramatic increase in cryptographic strength.

Meet-in-the-Middle Attack
• The use of double DES results in a mapping that is not equivalent to a single DES encryption
• The meet-in-the-middle attack algorithm will attack this scheme and does not depend on any particular property of DES but will work against any block encryption cipher

Triple-DES with Two-Keys
• Obvious counter to the meet-in-the-middle attack is to use three stages of encryption with three different keys
  • This raises the cost of the meet-in-the-middle attack to $2^{112}$, which is beyond what is practical
  • Has the drawback of requiring a key length of 56 x 3 = 168 bits, which may be somewhat unwieldy
  • As an alternative Tuchman proposed a triple encryption method that uses only two keys
• 3DES with two keys is a relatively popular alternative to DES and has been adopted for use in the key management standards ANSI X9.17 and ISO 8732

Two-key triple encryption was first proposed by Tuchman [TUCH79]. The function follows an encrypt-decrypt-encrypt (EDE) sequence

Triple DES with Three Keys
• Many researchers now feel that three-key 3DES is the preferred alternative
• Three-key 3DES has an effective key length of 168 bits and is defined as:
  • $C = E(K_3, D(K_2, E(K_1, P)))$
• Backward compatibility with DES is provided by putting:
  • $K_3 = K_2$ or $K_1 = K_2$
• A number of Internet-based applications have adopted three-key 3DES including PGP and S/MIME

Modes of Operation
• A technique for enhancing the effect of a
cryptographic algorithm or adapting the
algorithm for an application
• To apply a block cipher in a variety of
applications, five modes of operation have
been defined by NIST
• The five modes are intended to cover a wide
variety of applications of encryption for which
a block cipher could be used
• These modes are intended for use with any
symmetric block cipher, including triple DES
and AES
Advanced Encryption Standard (AES)

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.

7.1.3 Rounds

AES is a non-Feistel cipher that encrypts and decrypts a data block of 128 bits. It uses 10, 12, or 14 rounds. The key size, which can be 128, 192, or 256 bits, depends on the number of rounds.

Note
AES has defined three versions, with 10, 12, and 14 rounds. Each version uses a different cipher key size (128, 192, or 256), but the round keys are always 128 bits.

Figure 7.1 General design of AES encryption cipher

7.1.5 Structure of Each Round

Figure 7.5 Structure of each round at the encryption site

7-2 TRANSFORMATIONS

To provide security, AES uses four types of transformations: substitution, permutation, mixing, and key-adding.

Topics discussed in this section:
7.2.1 Substitution
7.2.2 Permutation
7.2.3 Mixing
7.2.4 Key Adding

7-3 KEY EXPANSION

To create round keys for each round, AES uses a key-expansion process. If the number of rounds is $N_r$, the key-expansion routine creates $N_r + 1$ 128-bit round keys from one single 128-bit cipher key.

Topics discussed in this section:
7.3.1 Key Expansion in AES-128
7.3.2 Key Expansion in AES-192 and AES-256
7.3.3 Key-Expansion Analysis

The key-expansion routine creates round keys word by word, where a word is an array of four bytes. The routine creates $4 \times (N_r + 1)$ words that are called $w_0, w_1, w_2, \ldots, w_{4(N_r+1)-1}$.

7.3.1 Key Expansion in AES-128

Figure 7.16 Key expansion in AES

Public Key Cryptography and RSA

Table 9.1 Terminology Related to Asymmetric Encryption

Source: Glossary of Key Information Security Terms, NIST IR 7298 [KISS06]

Principles of Public-Key Cryptosystems
• The concept of public-key cryptography evolved from an attempt to attack two of the most difficult problems associated with symmetric encryption:
  Key distribution
  • How to have secure communications in general without having to trust a KDC with your key
  Digital signatures
  • How to verify that a message comes intact from the claimed sender
• Whitfield Diffie and Martin Hellman from Stanford University achieved a breakthrough in 1976 by coming up with a method that addressed both problems and was radically different from all previous approaches to cryptography

Public-Key Cryptosystems
• A public-key encryption scheme has six ingredients:
  • Plaintext: The readable message or data that is fed into the algorithm as input
  • Encryption algorithm: Performs various transformations on the plaintext
  • Public key: Used for encryption or decryption
  • Private key: Used for encryption or decryption
  • Ciphertext: The scrambled message produced as output
  • Decryption algorithm: Accepts the ciphertext and the matching key and produces the original plaintext

Table 9.2 Conventional and Public-Key Encryption

Public-Key Cryptosystem: Secrecy

Public-Key Cryptosystem: Authentication

Public-Key Cryptosystem: Authentication and Secrecy

Applications for Public-Key Cryptosystems
• Public-key cryptosystems can be classified into three categories:
  • Encryption/decryption: The sender encrypts a message with the recipient’s public key
  • Digital signature: The sender “signs” a message with its private key
  • Key exchange: Two sides cooperate to exchange a session key
• Some algorithms are suitable for all three applications, whereas others can be used only for one or two

Public-Key Requirements
• Conditions that these algorithms must fulfill:
• It is computationally easy for a party B to generate a
pair (public-key $PU_b$, private key $PR_b$)
• It is computationally easy for a sender A, knowing the
public key and the message to be encrypted, to
generate the corresponding ciphertext
• It is computationally easy for the receiver B to decrypt
the resulting ciphertext using the private key to
recover the original message
• It is computationally infeasible for an adversary,
knowing the public key, to determine the private key
• It is computationally infeasible for an adversary,
knowing the public key and a ciphertext, to recover the
original message
• The two keys can be applied in either order
Public-Key Requirements
• Need a trap-door one-way function
• A one-way function is one that maps a domain into a range such that every function value has a unique inverse, with the condition that the calculation of the function is easy, whereas the calculation of the inverse is infeasible
  • $Y = f(X)$ easy
  • $X = f^{-1}(Y)$ infeasible
• A trap-door one-way function is a family of invertible functions $f_k$, such that
  • $Y = f_k(X)$ easy, if k and X are known
  • $X = f_k^{-1}(Y)$ easy, if k and Y are known
  • $X = f_k^{-1}(Y)$ infeasible, if Y known but k not known
• A practical public-key scheme depends on a suitable trap-door one-way function

Public-Key Cryptanalysis
• A public-key encryption scheme is vulnerable to a brute-force attack
  • Countermeasure: use large keys
  • Key size must be small enough for practical encryption and decryption
  • Key sizes that have been proposed result in encryption/decryption speeds that are too slow for general-purpose use
  • Public-key encryption is currently confined to key management and signature applications
• Another form of attack is to find some way to compute the private key given the public key
  • To date it has not been mathematically proven that this form of attack is infeasible for a particular public-key algorithm
• Finally, there is a probable-message attack
  • This attack can be thwarted by appending some random bits to simple messages

Rivest-Shamir-Adleman (RSA) Algorithm
• Developed in 1977 at MIT by Ron Rivest, Adi Shamir & Len Adleman
• Most widely used general-purpose approach to public-key encryption
• Is a cipher in which the plaintext and ciphertext are integers between 0 and n – 1 for some n
  • A typical size for n is 1024 bits, or 309 decimal digits

RSA Algorithm
• RSA makes use of an expression with exponentials
• Plaintext is encrypted in blocks with each block having a binary value less than some number n
• Encryption and decryption are of the following form, for some plaintext block M and ciphertext block C
  $C = M^e \bmod n$
  $M = C^d \bmod n = (M^e)^d \bmod n = M^{ed} \bmod n$
• Both sender and receiver must know the value of n
• The sender knows the value of e, and only the receiver knows the value of d
• This is a public-key encryption algorithm with a public key of PU={e,n} and a private key of PR={d,n}

Algorithm Requirements
• For this algorithm to be satisfactory for public-key encryption, the following requirements must be met:
1. It is possible to find values of e, d, n such that $M^{ed} \bmod n = M$ for all M < n
2. It is relatively easy to calculate $M^e \bmod n$ and $C^d \bmod n$ for all values of M < n
3. It is infeasible to determine d given e and n

1. Select two prime numbers, p = 17 and q = 11.
2. Calculate n = pq = 17 * 11 = 187.
3. Calculate ϕ(n) = (p - 1)(q - 1) = 16 * 10 = 160.
4. Select e such that e is relatively prime to ϕ(n) = 160 and
less than ϕ(n); we choose e = 7.
5. Determine d such that de ≡ 1 (mod 160) and d < 160. The
correct value is d = 23, because 23 * 7 = 161 = (1 * 160) + 1;
d can be calculated using the extended Euclid’s algorithm
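
The five steps above carried out in code, as an added example that is not part of the original slides: the extended Euclid computation of d, encryption and decryption of a block, and a check of the requirement that $M^{ed} \bmod n = M$ for every M < n. The function names and the sample block 88 are assumptions chosen for illustration; the last function works only because n = 187 is tiny, which is why the primes must come from a sufficiently large set.

```python
import math


def egcd(a, b):
    """Extended Euclid: return (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    old_r, r = a, b
    old_x, x = 1, 0
    old_y, y = 0, 1
    while r:
        quotient = old_r // r
        old_r, r = r, old_r - quotient * r
        old_x, x = x, old_x - quotient * x
        old_y, y = y, old_y - quotient * y
    return old_r, old_x, old_y


def mod_inverse(e, phi):
    """Step 5: find d with d*e = 1 (mod phi) and 0 < d < phi."""
    g, x, _ = egcd(e, phi)
    if g != 1:
        raise ValueError("e is not relatively prime to phi(n)")
    return x % phi


def make_keypair(p, q, e):
    """Steps 2 to 5: return (PU, PR) = ((e, n), (d, n))."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if not 1 < e < phi:
        raise ValueError("e must satisfy 1 < e < phi(n)")
    return (e, n), (mod_inverse(e, phi), n)


def apply_key(key, block):
    """C = M^e mod n with the public key, M = C^d mod n with the private key."""
    exponent, n = key
    if not 0 <= block < n:
        raise ValueError("block must be an integer between 0 and n - 1")
    return pow(block, exponent, n)


def round_trip_holds_for_all_blocks(public, private):
    """Requirement 1, and 'the two keys can be applied in either order'."""
    n = public[1]
    return all(
        apply_key(private, apply_key(public, m)) == m
        and apply_key(public, apply_key(private, m)) == m
        for m in range(n)
    )


def private_exponent_from_factoring(public):
    """Recover d by trial division of n. Feasible only for a toy modulus:
    with n known to everyone, the security rests on p and q being too
    large to find this way."""
    e, n = public
    p = next(f for f in range(2, math.isqrt(n) + 1) if n % f == 0)
    return mod_inverse(e, (p - 1) * (n // p - 1))


# Values from the steps above; 88 is a constructed sample plaintext block.
PUBLIC, PRIVATE = make_keypair(17, 11, 7)
SAMPLE_BLOCK = 88

if __name__ == "__main__":
    c = apply_key(PUBLIC, SAMPLE_BLOCK)
    print("PU =", PUBLIC, "PR =", PRIVATE)
    print("C =", c, "M =", apply_key(PRIVATE, c))
    print("round trip for all M < n:", round_trip_holds_for_all_blocks(PUBLIC, PRIVATE))
    print("d recovered by factoring n:", private_exponent_from_factoring(PUBLIC))
```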

Example of RSA Algorithm
Key Generation
• Before the application of the public-key cryptosystem each participant must generate a pair of keys:
  • Determine two prime numbers p and q
  • Select either e or d and calculate the other
• Because the value of n = pq will be known to any potential adversary, primes must be chosen from a sufficiently large set
• The method used for finding large primes must be reasonably efficient

Procedure for Picking a Prime Number
1. Pick an odd integer n at random
2. Pick an integer a < n at random
3. Perform the probabilistic primality test with a as a parameter. If n fails the test, reject the value n and go to step 1
4. If n has passed a sufficient number of tests, accept n; otherwise, go to step 2
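
The procedure above as runnable code, added here as an example and not taken from the original slides. The slides do not name the probabilistic test; Miller-Rabin is assumed, and the function names, the default of 40 rounds and the small-prime pre-filter are illustrative choices. The composite 2047 = 23 * 89 passes the test for a = 2, which is why a single test is not "a sufficient number".

```python
import random

SMALL_PRIMES = (2, 3, 5, 7, 11, 13)


def passes_round(n, a):
    """One Miller-Rabin test of odd n > 2 with parameter a.
    Returns False when a proves n composite, True when n may be prime."""
    # Write n - 1 = 2^k * q with q odd.
    k, q = 0, n - 1
    while q % 2 == 0:
        k += 1
        q //= 2
    x = pow(a, q, n)
    if x == 1 or x == n - 1:
        return True
    for _ in range(k - 1):
        x = pow(x, 2, n)
        if x == n - 1:
            return True
    return False


def is_probable_prime(n, rounds=40, rng=None):
    """Steps 2 to 4: repeat the test with fresh random values of a."""
    rng = rng or random.SystemRandom()
    if n < 2:
        return False
    for small in SMALL_PRIMES:          # cheap filter before the real test
        if n % small == 0:
            return n == small
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)     # step 2: pick a < n at random
        if not passes_round(n, a):      # step 3: n failed, reject it
            return False
    return True                         # step 4: enough tests passed


def pick_prime(bits, rounds=40, rng=None):
    """Step 1 in a loop: draw random odd candidates until one is accepted."""
    if bits < 8:
        raise ValueError("use at least 8 bits for this example")
    rng = rng or random.SystemRandom()
    while True:
        # Force the top bit (exact length) and the low bit (odd).
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate, rounds, rng):
            return candidate


if __name__ == "__main__":
    print("2047 passes with a=2:", passes_round(2047, 2))
    print("2047 passes with a=3:", passes_round(2047, 3))
    print("2047 accepted after 40 rounds:", is_probable_prime(2047))
    print("random 512-bit prime:", pick_prime(512))
```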
The Security of RSA
Five possible approaches to attacking RSA are:
Brute force
• Involves trying all possible private keys
Mathematical attacks
• There are several approaches, all equivalent in effort to factoring the product of two primes
Timing attacks
• These depend on the running time of the decryption algorithm
Hardware fault-based attack
• This involves inducing hardware faults in the processor that is generating digital signatures
Chosen ciphertext attacks
• This type of attack exploits properties of the RSA algorithm

Cryptographic Hash Functions
Hash Functions
• A hash function H accepts a variable-length block of data M as input and produces a fixed-size hash value
  • h = H(M)
  • Principal object is data integrity
• Cryptographic hash function
  • An algorithm for which it is computationally infeasible to find either:
    (a) a data object that maps to a pre-specified hash result (the one-way property)
    (b) two data objects that map to the same hash result (the collision-free property)

Message Authentication Code (MAC)
• Also known as a keyed hash function
• Typically used between two parties that share a secret key to authenticate information exchanged between those parties
• Takes as input a secret key and a data block and produces a hash value (MAC) which is associated with the protected message
• If the integrity of the message needs to be checked, the MAC function can be applied to the message and the result compared with the associated MAC value
• An attacker who alters the message will be unable to alter the associated MAC value without knowledge of the secret key
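
The last two points above, shown as an added example that is not part of the original slides: a message sealed with an unkeyed hash can be altered and re-sealed by anyone, while a message sealed with a MAC cannot be altered without the key. HMAC-SHA-256 is assumed as the MAC function (the slides do not name one); the function names, key and messages are constructed for illustration.

```python
import hashlib
import hmac

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def seal_with_hash(message):
    """Append an unkeyed SHA-256 digest to the message."""
    return message + hashlib.sha256(message).digest()


def open_with_hash(blob):
    """Check the unkeyed digest; anyone can recompute it after a change."""
    if len(blob) < TAG_LEN:
        raise ValueError("blob is shorter than a digest")
    message, digest = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hashlib.sha256(message).digest(), digest):
        raise ValueError("digest mismatch")
    return message


def seal_with_mac(key, message):
    """Append a MAC computed from the shared secret key and the message."""
    return message + hmac.new(key, message, hashlib.sha256).digest()


def open_with_mac(key, blob):
    """Apply the MAC function to the message and compare with the
    associated MAC value, using a constant-time comparison."""
    if len(blob) < TAG_LEN:
        raise ValueError("blob is shorter than a MAC value")
    message, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, message, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("MAC mismatch")
    return message


def accepted(open_fn, *args):
    """True if the receiver's check accepts the blob."""
    try:
        open_fn(*args)
        return True
    except ValueError:
        return False


def tamper_outcomes():
    """Receiver's verdict for each constructed scenario."""
    key = b"constructed-demo-key-not-for-use"      # shared by both parties
    original = b"transfer 100 to account 12345"    # constructed message
    altered = b"transfer 900 to account 99999"     # altered in transit
    sealed = seal_with_mac(key, original)
    return {
        # Legitimate message arrives unchanged.
        "intact": accepted(open_with_mac, key, sealed),
        # Unkeyed hash: the altered message is simply re-hashed.
        "hash_forged": accepted(open_with_hash, seal_with_hash(altered)),
        # MAC: altered message sent with the original MAC value.
        "mac_old_tag": accepted(open_with_mac, key, altered + sealed[-TAG_LEN:]),
        # MAC: altered message sealed under a key the receiver does not share.
        "mac_wrong_key": accepted(open_with_mac, key, seal_with_mac(b"guess", altered)),
        # MAC: blob cut short so that no full MAC value is present.
        "mac_truncated": accepted(open_with_mac, key, sealed[:10]),
    }


if __name__ == "__main__":
    for scenario, verdict in tamper_outcomes().items():
        print(f"{scenario:14s} accepted={verdict}")
```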
Digital Signature
• Operation is similar to that of the MAC
• The hash value of a message is encrypted with a user’s private key
• Anyone who knows the user’s public key can verify the integrity of the message
• An attacker who wishes to alter the message would need to know the user’s private key
• Implications of digital signatures go beyond just message authentication

Other Hash Function Uses
Commonly used to create a one-way password file
• When a user enters a password, the hash of that password is compared to the stored hash value for verification
• This approach to password protection is used by most operating systems
Can be used for intrusion and virus detection
• Store H(F) for each file on a system and secure the hash values
• One can later determine if a file has been modified by recomputing H(F)
• An intruder would need to change F without changing H(F)
Can be used to construct a pseudorandom function (PRF) or a pseudorandom number generator (PRNG)
• A common application for a hash-based PRF is for the generation of symmetric keys

Attacks on Hash Functions
Brute-Force Attacks
• Does not depend on the specific algorithm, only depends on bit length
• In the case of a hash function, attack depends only on the bit length of the hash value
• Method is to pick values at random and try each one until a collision occurs
Cryptanalysis
• An attack based on weaknesses in a particular cryptographic algorithm
• Seek to exploit some property of the algorithm to perform some attack other than an exhaustive search

Secure Hash Algorithm (SHA)
• SHA was originally designed by the National Institute of Standards and Technology (NIST) and published as a federal information processing standard (FIPS 180) in 1993
• Was revised in 1995 as SHA-1
• Based on the hash function MD4 and its design closely models MD4
• Produces 160-bit hash values
• In 2002 NIST produced a revised version of the standard that defined three new versions of SHA with hash value lengths of 256, 384, and 512
• Collectively known as SHA-2

Table 11.3 Comparison of SHA Parameters

Note: All sizes are measured in bits.

Secure Hash Algorithm (SHA)
• Append padding bits
• Append length
• Initialize hash buffer
• Process message in 1024-bit (128-byte) blocks
• Output

Digital Signatures
Digital Signature Properties
• It must verify the author and the date and time of the signature
• It must authenticate the contents at the time of the signature
• It must be verifiable by third parties to resolve disputes

Attacks
Key-only attack
• C only knows A’s public key
Known message attack
• C is given access to a set of messages and their signatures
Generic chosen message attack
• C chooses a list of messages before attempting to break A’s signature scheme, independent of A’s public key; C then obtains from A valid signatures for the chosen messages
Directed chosen message attack
• Similar to the generic attack, except that the list of messages to be signed is chosen after C knows A’s public key but before any signatures are seen
Adaptive chosen message attack
• C may request from A signatures of messages that depend on previously obtained message-signature pairs

Forgeries
Total break
• C determines A’s private key
Universal forgery
• C finds an efficient signing algorithm that provides an equivalent way of constructing signatures on arbitrary messages
Selective forgery
• C forges a signature for a particular message chosen by C
Existential forgery
• C forges a signature for at least one message; C has no control over the message

Digital Signature Requirements
• The signature must be a bit pattern that depends on the message being signed
• The signature must use some information unique to the sender to prevent both forgery and denial
• It must be relatively easy to produce the digital signature
• It must be relatively easy to recognize and verify the digital signature
• It must be computationally infeasible to forge a digital signature, either by constructing a new message for an existing digital signature or by constructing a fraudulent digital signature for a given message
• It must be practical to retain a copy of the digital signature in storage

Direct Digital Signature
• Refers to a digital signature scheme that involves only the communicating parties
• It is assumed that the destination knows the public key of the source
• Confidentiality can be provided by encrypting the entire message plus signature with a shared secret key
• It is important to perform the signature function first and then an outer confidentiality function
• In case of dispute some third party must view the message and its signature
• The validity of the scheme depends on the security of the sender’s private key
• If a sender later wishes to deny sending a particular message, the sender can claim that the private key was lost or stolen and that someone else forged his or her signature
• One way to thwart or at least weaken this ploy is to require every signed message to include a timestamp and to require prompt reporting of compromised keys to a central authority

ElGamal Digital Signature
• Scheme involves the use of the private key for encryption and the public key for decryption
• Global elements are a prime number q and a, which is a primitive root of q
• Uses private key for encryption (signing)
• Uses public key for decryption (verification)
• Each user generates their key
  • Chooses a secret key (number): $1 < x_A < q-1$
  • Computes their public key: $y_A = a^{x_A} \bmod q$
