CIS3360: Exam 2
Feistel Cipher Round Structure
Graph in notes
S-boxes S1 & S2
Graph in notes
SHA-512 80-round Processing Function
Graph in notes
SHA-512 Message Digest Generation (2)
Graph in notes
Message Authentication Model
Graph in notes Note: encryption is not necessary for secure authentication, although it may be desirable
Public-Key Encryption/Decryption Model
graph in notes
ShiftRows Step
graph in notes 1st row is unchanged 2nd row does 1 byte circular shift to left 3rd row does 2 byte circular shift to left 4th row does 3 byte circular shift to left NOTE: same set of shifts every time
Cyclic Redundancy Check (CRC)
• A Cyclic Redundancy Check (CRC) is a checksum that is the remainder on division of the entire message by a polynomial. • The coefficients of the polynomial are expressed as a binary value • Examples • CRC-8: x^8 + x^5 + x^4 + x^2 + 1 -> 1 0 0 1 1 0 1 0 1 • CRC-4: x^4 + x^2 + x -> 1 0 1 1 0 • CRC-3: x^3 + x^2 + 1 -> 1 1 0 1 • NOTE: the number of coefficients (i.e., number of bits) for the polynomial is always one more than the CRC word size (4 bits for CRC-3, 9 bits for CRC-8, etc.)
MixColumns Step
• Each column is processed separately • Each byte is replaced by a value dependent on all 4 bytes in the column • Mix columns matrix is part of AES, just like the S-box and Inverse S-box graph in notes Example: s'_1,2 = 1 * s_0,2 + 2*s_1,2 + 3*s_2,2+1*s_3,2
Diffie-Hellman Key Exchange Overview
• First public-key algorithm • A way for two parties to use public key cryptography to negotiate a shared secret key for symmetric encryption • Global public elements (assumed to be known generally, even by attacker): • p - prime number • a - a primitive root of p • Suppose also that each participant has his/her own private key. • After the exchange, • both participants will have computed a shared secret key without disclosing their private keys to each other! • attacker doesn't know either private key or the shared secret key • Depends for its effectiveness on the difficulty for an attacker to compute the shared secret key even knowing p, α, and intercepted communications
Public-Key Cryptography Introduction
• Probably most significant advance in the 3,000 year history of cryptography • Uses two keys - a public key and a private key • It is asymmetric since sender and receiver use different keys • Based on a clever application of number theoretic concepts • In practice, it complements but does not replace symmetric cryptographic methods
The Importance of Modular Inverses
• Public key cryptosystems use two different keys (public and private) • The keys are modular inverses of each other • When we generate a new set of keys, we need to be able to choose one key at random and then determine the other key that is the first key's modular inverse • We need to be able to find the modular inverse without guessing • guessing is too hard (too many choices) for real-world situations • this is what makes public key cryptosystems secure
Comparing RSA Operation and RSA Digital Signature
• Suppose Alice has public key PU_A={ e_A, n_A } and private key PR_A ={ d_A, n_A } • Suppose Bob has public key PU_B={ e_B, n_B } and private key PR_B ={ d_B, n_B } • Alice sends encrypted message to Bob • Using standard RSA encryption • Alice encrypts using Bob's public key by computing: C = M ^eB modn_B • Bob decrypts using his own private key by computing: M = C^d_B modn_B • Alice sends digitally signed message to Bob • Using RSA algorithm in reverse • Alice digitally signs using her own private key by computing: C = M^d_A mod n_A • Note: Since anyone, including Eve, can decrypt this message using Alice's public key, she should use encryption to send it to Bob • Bob decrypts the ciphertext (if encrypted), and then decrypts digitally signed message using Alice's public key: M = C^e_A mod n_A
The Digital Signature Problem
• Suppose Bob receives a message claiming to be from Alice. • How does he know that Alice sent it? • How does he know that it hasn't been altered? -> A digitally signed message from Alice provides these assurances: • Authentication and non-repudiation - assurance that Alice sent it • Integrity - assurance that the message was not altered in transit
What it means to be "relatively prime"
• Two counting numbers are relatively prime if their greatest common divisor is 1 • The greatest common divisor (GCD) is • something we calculate for two input numbers • it is the largest number that divides evenly into both input numbers • we write GCD( a, b ) to mean the GCD of the two numbers a and b Question: Are the numbers 6 and 35 relatively prime? Answer: Yes, even though neither 6 nor 35 are prime 6 is evenly divisible by 1, 2, 3, and 6 35 is evenly divisible by 1, 5, 7, and 35 -The largest value that evenly divides both 6 and 35 is 1, so these two numbers are relatively prime
The Extended Euclidean Algorithm
• Used to find a modular inverse • Basic idea is to extend the standard Euclidean GCD algorithm by computing, for each standard Euclidean algorithm step 1 equation, a companion set of values • those companion values will generate the desired solution • starts by numbering the equations, starting with a counting index of 0 • the companion set of values are called "y" values y_0 is always 0 y_1 is always 1 for all other y values, we use the recurrence formula: y_i = y_i-2 - ( y_i-1 )( q_i-2 ) where q_i-2 is the Euclidean algorithm quotient for equation i-2 ->The modular inverse is the y value for the equation whose counting index is 2 more than the index for the last nonzero Euclidean algorithm remainder
Man-in-the-middle attack on DH
•Possible if the attacker can intercept and modify messages • Global public elements: • p - prime number; a - a primitive root of p • Evil Man-in-the-middle Attacker (Eve) picks s and t < p • Alice sends X = a^x mod p to Bob. Eve reads it and replaces it by T = a^t mod p . • Bob sends Y = a^y mod p to Alice. Eve reads it and replaces it by S = a^s mod p . • Alice and Eve compute K^1 = S^x mod p ( = a^sx mod p = a^xs mod p = X^s mod p ) • Bob and Eve computes K^2 = T^y mod p ( = a^ty mod p = a^yt mod p = Y^t mod p ) • When Alice sends message to Bob encrypted with K1, Eve decrypts it, re-encrypts with K2 and sends to Bob • When Bob sends message to Alice encrypted with K2, Eve decrypts it, re-encrypts with K1 and sends to Alice -> Alice and Bob do not know they are using different keys!
RC4: Initialize Arrays
Given: Key K expressed as a bit array: for(int i = 0; i < 256; i++){ S[i] = i; T[i] = K [ i mod K.length] } Note: We express the algorithm in Java-style pseudocode Example: for K = { 1, 1, 0, 1, 1, 0, 1, 1 } S[i]: [0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, ... T[i]: [1, 1, 0, 1, 1, 0, 1, 1, 1, 1, 0, 1, 1, 0, 1, 1, 1, 1, 0, 1, 1, 0, ...
AES Encryption Round
Graph in notes
Primitive Roots
• A number a is a primitive root (or "generator") of a prime number p if and only if a^1 , a^2 , ........., a^p-1 are all distinct (mod p) • i.e., the powers of a generate all the numbers from 1 to p-1, where a < p, p prime • Example: For the prime number 7, the numbers 3 and 5 are primitive roots. For the primitive root 3, we have: 3^1 = 3 mod 7 = 3, 3^2 = 9 mod 7 = 2, 3^3 = 27 mod 7 = 6, 3^4 = 81 mod 7 = 4, 3^5 = 243 mod 7 = 5, 3^6 = 729 mod 7 = 1 • Example: For the prime number 19, the primitive roots are 2, 3, 10, 13, 14, 15
Stream Cipher Structure
• A stream cipher processes one element at a time • element can be a bit, byte, or something larger • Principal difference from a block cipher: • a stream cipher applies a different key for each element • cipher key is used by a key stream generator to generate the element keys • Generic steam cipher structure: graph in notes
Location of Encryption
• Encryption is the most common means for securing network communications • There are 2 common approaches • link encryption • end-to-end encryption graph in notes
AES Round Processing
• In each round, the state undergoes: • SubBytes step: • byte substitution: same S-box used on every element of the state (8 bits each) • ShiftRows step: • shift rows: permutation of the bytes in each row • MixColumns step: • mix values in each column using matrix multiplication • basically, applies a Hill Cipher to each column • AddRoundkey step: • XOR the state with the round key derived from the 128-bit encryption key
RC4 Operation
• Input is a key that can be from 1 to 256 bytes (i.e., from 8 to 2048 bits) • Processing 1. Initialize arrays 2. Generate initial permutation 3. Generate key stream • To encrypt: use bitwise XOR to combine key stream bit-by-bit with plaintext • To decrypt: use bitwise XOR to combine key stream bit-by-bit with ciphertext
AES Round Structure
• The 128-bit version of AES uses 10 rounds to encrypt each block of the input plaintext • Each round performs an invertible transformation on a 128-bit array, arranged as a 4-byte by 4-byte square array called the state. • The initial state X0 is the XOR of the plaintext P with the key K: X0 = P K. • Round i (i = 1, ..., 10) receives state Xi-1 as input and produces state Xi . • The ciphertext C (for the block) is the output of the final round: C = X10.
Extended Euclidean Algorithm Example
• We use the Euclidean Algorithm to find the greatest common divisor (GCD) and extend it to compute a companion set of "y" values (see below) • FOR THIS TO WORK, ALWAYS DIVIDE THE LARGER NUMBER BY THE SMALLER NUMBER • The desired result is the y value whose index is 2 more than the index for the last non-zero remainder. Given: a = 160 and b = 7, we find y, the mod a inverse of b, as follows: Equation 0: 160 = 22 ( 7 ) + 6 y_0 = 0 Equation 1: 7 = 1 ( 6 ) + 1 y_1 = 1 Equation 2: 6 = 6 ( 1 ) + 0 y_2 = y_0 - ( y_1 )( q_0 ) = 0 - (1)(22) = -22 y_3 = y_1 - ( y_2 )( q_1 ) = 1 - (-22)(1) = +23 Here, the last non-zero remainder occurred in Equation 1, so the modular inverse is the 3rd y-value: y_3 = 23 (same value we checked before) NOTE: Start with y_0 = 0 and y_1 = 1 always; thereafter, y_i = y_i-2 - ( y-i-1 )( q_i-2 )
Using Hash Functions for MACs
• Why use hash functions? ( After all, one could also use encryption) • Hash algorithms run faster than encryption (in software) • Library code for hash functions is widely available • Can easily replace one hash function with another in a modular MAC • Design problem: How to use keys with secure hash functions • Solution: HMAC (Hash-based Message Authentication) • invented by Bellare, Canetti, and Krawczyk (1996) • can use any existing secure hash algorithm as a replaceable module • block size of HMAC is block size of the embedded hash function • security of HMAC is provably related to security of embedded hash function • Issued as RFC 2104: mandatory for IPSec, also used in SSL/TLS
AES Background
• Advanced Encryption Standard (AES) • Published in 2001, standardized in 2002. • AES is based on Rijndael cipher structure (not Feistel) • Rijndael structure uses advanced mathematics (group, ring, and field theory) which we will not cover • Key size: 128, 192 or 256 bits • Block size: 128 bits
Checksum
• Generally, a small value that is used for detecting errors or changes • Many different algorithms can be used • We will use the Modular sum algorithm: • Divide input into uniform words (e.g., 2 byte blocks) of the checksum size • Add all the words as unsigned binary numbers, discarding any overflow bits • Interpret the result as a two's complement number • Use the negation of the result as the checksum value • Append the checksum value to the end of the input • To validate: • Divide into words and add them up in same manner, including the checksum • If result is not a word full of zeroes, then a change has occurred • NOTE: a single-bit error will be detected, but likelihood of 2 errors in the same column being undetected is 1/n, where n = #bits in word.
Comparison of Methods
• Link encryption • each packets encrypted • all traffic secured • equipment required for each link • traffic must be decrypted and re-encryptedd at each node • vulnerable at each node/switch • End-to-end encryption • encrypted at source, decrypted at destination • user data is secure • cannot encrypt frame header • vulnerable to traffic analysis • Preferred method: Do both • user data secure, even at nodes/switches • not vulnerable to traffic analysis
Block Cipher Review (1)
• Modern symmetric ciphers typically operate on blocks of data • Similar to the "blocking" we have seen for • Playfair cipher - block size is 2 • Hill cipher - block size is size of vector determined by key matrix • Other: for example, Program #1 using Vigenere as block cipher • Block ciphers are widely used • Blocks used are typically much larger than classical single or double-character ciphers (8 or 16 bits) • Typical block sizes: 64, 128, and 256 bits • We will examine DES (this lecture) and AES (next lecture) to illustrate modern block cipher design principles
DES Permutation Step
• Takes 32-bit input and returns 32-bit output • A table-lookup fixed permutation of the input bits • Order is: 16,7,20,21,29,12,28,17,1,15,23,26,5,18,31,10, 2,8,24,14,32,27,3,9,19,13,30,6,22,11,4,25 ->First bit of output is 16th input bit, 2nd bit of output is 7th bit of input, etc. Note: You do NOT need to memorize or write down this permutation order
DES Substitution Step
• Takes 48-bit input and returns 32-bit output • Performed as follows: • Divide 48-bit block into eight 6-bit words • Each 6-bit word is fed into a separate S-box and produces a 4-bit output • Each S-box has 4 rows and 16 columns and contains numbers in the range 0, 1, 2, ..., 15. • First and last bit of 6-bit word index the row • The middle 4 bits index the column • The result is a 4-bit unsigned binary number
AES Key Schedule (Expansion)
• The 128-bit key is first divided into four 4-byte "words" (represented as columns in diagram) • First column of round key is computed as XOR of previous round first column and the "T" transformation of the previous round last column. • "T" transformation involves • Cyclical left shifts • S-box substitutions • XOR first byte with a "round" constant • Remaining columns computed in order using XOR of previous round column value and the preceding column in the current round. graph in notes
RC4: Generate Key Stream
• This step cycles through all the elements of S[ i ] and, for each S[ i ], swaps it with another element S[ j ] and uses both elements to compute the index of S, the value of which is used as the next key. • After S[ 255 ] is reached, the process continues, starting over at S[ 0 ] i, j = 0; while(true){ i = (i + 1) mod 256 j = (j + S[i]) mod 256 Swap (S[i], S[j] ); t = (S[i] + S[j] ) mod 256; nextKey = S(t); } The value "t" is the index into S that is generated from i and j. The value of S[ t ] is the next key in the key stream • Continuing our example, this produces the key stream: Key stream: 35, 211, 203, 36, 163, 148, 132, 68, 62, 194, 218, 78, 200, 119, 48, 250, 85, 235, 123, 211, 2, 12, ... Binary stream: 00100011110100111100101100100100101000111001010010000100010001000011 ...
Modulo Reduction Review
• To perform RSA encryption and decryption by hand using our calculators, we use modulo reduction • Suppose we wish to compute: 7^5 mod 11 • We expand and simplify repeatedly until we have the desired result: 7^5 mod 11 = ( 7^4 mod 11 )( 7^1 mod 11 ) mod 11 = ( 7^2 mod 11 )( 7^2 mod 11 ) ( 7 mod 11 ) mod 11 = ( 49 mod 11) ( 49 mod 11) ( 7 mod 11 ) mod 11 = ( 5 mod 11 )( 5 mod 11 )( 7 mod 11 ) mod 11 = ( 25 mod 11 ) ( 7 mod 11 ) mod 11 = ( 3 mod 11 )( 7 mod 11 ) mod 11 = 21 mod 11 = 10
S-Box Example
• To show how S-boxes work, let's just look at 12 bits out of the 48-bit block • Suppose we want: the S-Box output for the input F0E_16 • F0E_16 = 1111 0000 1110_2 • Input to S_1 = higher order six bits = 111100_2 • So, the row selector = 10_2 = row 2_10 • And the column selector = 1110_2 = column 14_10 • Thus, the output from S_1 = 5_10 = 5_16 • Input to S_2 = lower order six bits = 001110_2 • So, the row selector = 00_2 = row 0_10 • And the column selector = 0111_2 = column 7_10 • Output from S_2 = 4_10 = 4_16 • Hence, the combined output of S_1 and S_2 is 54_16. • We perform similar processing of the next 12 bits through S_3 & S_4 , the next 12 bits through S_5 & S_6 , and the last 12 bits through S_7 & S_8 to complete the processing for the 48-bit block
DES Processing
• Uses 16-round Feistel structure • Encrypts 64-bit data using 56-bit key • The subkeys for the rounds are generated from the single input encryption key • Complicated Feistel function consisting of: 1. An expansion permutation ("E-step") 2. XOR'ing with the round key ("key mixing") 3. Then performing a substitution with 8 "S-boxes" 4. And finally a permutation with a "P-box" • Feistel function result XOR'd with Left half, as usual • Left and Right results permuted by swapping, as usual
Euler's Totient Function ϕ(n) (part 2)
•If p is a prime, then ϕ(p) = p - 1 •If p and q are both primes, and p ≠ q, then ϕ(pq) =ϕ (p)f(q) • In other words, the totient of a product of two primes is the product of their totients • Example 1: p = 2, q = 5; pq = 10 <- p and q are both prime ϕ(10) = ϕ(2)ϕ(5) = (1)(4) = 4 <- result is same as before • Example 2: p = 5, q = 7; pq = 35 ϕ(35) = ϕ(5)ϕ(7) = (4)(6) = 24 <- we don't need to find them to know how many there are
RSA Example - Key Setup
1. Alice selects primes, for example: p = 17 and q = 11 1. Alice computes n = pq = (17)(11) = 187 2. Alice computes ϕ(n) = (p-1)(q-1) = (16)(10) = 160 3. Alice selects e so that gcd(e,160) = 1; suppose she chooses e = 7 4. Alice uses Extended Euclidean Algorithm to find d satisfying de = 1 mod 160 and d < 160 ( We computed this value previously; it is d = 23 since (23)(7) mod 160 = 161 mod 160 = 1 ) 6. Alice publishes her public key PU = { e, n } = { 7, 187 } and keeps secret her private key PR = { d, n } = { 23, 187 }
Euclid's GCD Algorithm (cont.)
1. perform division using a and b to find q and r 2. then, assign a = b and b = r 3. repeat steps 1 and 2 until r = 0 4. GCD is the last non-zero remainder r Example: Let's use 6 and 35 again Step 0: Let a = 35 and b = 6 <- we let the larger number be "a" Step 1: 35 = ( 5 )( 6 ) + 5, so q = 5 and r = 5 Step 2: assign a = 6 and b = 5 Repeat step 1: 6 = ( 1 ) ( 5 ) + 1, so q = 1 and r = 1 Repeat step 2: assign a = 5 and b = 1 Repeat step 1: 5 = ( 5 )( 1 ) + 0, and stop since r = 0 GCD is last nonzero r, which is 1 in this case ( go back to repeat step 1) -> Since GCD(6, 35) = 1, the numbers 6 and 35 are relatively prime
State Representation of 128-bit Block
128 bits = 16 bytes of 8 bits each - interpreted in column major order This array is called the State Graph in notes
S-Box (16 x 16)
Example: Byte {95} is replaced by byte in row 9 column 5, which has value {2A} graph in notes
CRC-3 Example: message=5AE, x^3 + x^2 + 1
Graph in notes Since we are doing CRC-3 and final result remainder is only 3 bits, we must pad it with a leading zero to get a 4-bit value. Our final CRC code for this message is 0100 which is 4_16, so the message with CRC appended is: 5AE4_16
Inverse S-Box
NOTE: This table is used for decryption graph in notes
SubBytes Step: Byte Substitution
Each byte of the state is replaced by the byte indexed by row (left 4-bits) & column (right 4-bits) graph in notes
Feistel Cipher Computations
Given plaintext block P, we divide it into L0 and R0 halves For Round 1: L1 = R0 R1 = L0 ⊕ F(R0, K1) For Round i: Li = Ri-1 Ri = Li-1 ⊕ F(Ri-1, Ki ) NOTE 1: we use of the XOR operator ⊕ NOTE 2: F(R,K) is the Feistel function; value depends on current R and K In other words, for example: Round 7 uses the L and R produced by Round 6 The L produced by Round 7 is just the R produced by Round 6 The R produced by Round 7 is computed per formula above
Extended Euclidean Algorithm Example 2
Given: a = 160 and b = 43, we find y, the mod a inverse of b, as follows: Equation 0: 160 = 3 ( 43 ) + 31 y_0 = 0 Equation 1: 43 = 1 ( 31 ) + 12 y_1 = 1 Equation 2: 31 = 2 ( 12 ) + 7 y_2 = y_0 - ( y_1 )( q_0 ) = 0 - (1)(3) = -3 Equation 3: 12 = 1 ( 7 ) + 5 y_3 = y_1 - ( y_2 )( q_1 ) = 1 - (-3)(1) = +4 Equation 4: 7 = 1 ( 5 ) + 2 y_4 = y_2 - ( y_3 )( q_2 ) = -3 - (4)(2) = -11 Equation 5: 5 = 2 ( 2 ) + 1 y_5 = y_3 - ( y_4 )( q_3 ) = 4 - (-11)(1) = 15 Equation 6: 2 = 2 ( 1 ) + 0 y_6 = y_4 - ( y_5 )( q_4 ) = -11 - (15)(1) = -26 y_7 = y_5 - ( y_6 )( q_5 ) = 15 - (-26)(2) = 67 Here, the last non-zero remainder occurred in Equation 5, so the modular inverse is the 7th y-value, that is: y_7 = 67 We check our result: (43)(67) mod 160 = 2881 mod 160 = 1, so our result is correct
DES Round Structure
Graph in notes
Feistel Cipher Encryption & Decryption
Graph in notes
Message Authentication using Digital Signature
Graph in notes If received and computed MACs match, the recipient is assured 1. the message has not been altered (since the hash values match) 2. the message came from the alleged sender (since only Bob know PR_Bob)
4-bit Checksum Example (1): message = B37F19
Graph in notes Note: we ignore the overflow bits as we go along (shown in red) Checksum is two's complement of 1110, which is 0001 + 1 = 0010 = 2_16 So, what will be transmitted is the message, plus the checksum: B37F192
4-bit Checksum Example (2): validate B37F192
Graph in notes Note: we ignore the overflow bits as we go along (shown in red) Note: Since final result (ignoring overflow) is all zeroes, the message with checksum is validated
HMAC Architecture
K+ = shared secret key, padded to match the hash algorithm block size (or, if larger, then its hash value) ipad = 00110110 (36_16) repeated b/8 times opad = 01011100 (5C_16) repeated b/8 times S_i = K+ XOR'd with ipad S_o = K+ XOR'd with opad Y_i = i th block of Message M, 0 ≤ i ≤ (L-1) IV = fixed initialization vector used by hash function HMAC(K,M) = H[ (K+ ⊕ opad) || H[ (K+ ⊕ ipad) || M ]]
AddRoundKey Step
graph in notes Exclusive-or (XOR) the state with a set of keys for the round, derived from the 128-bit secret key
Hash Functions
• A hash function is • An algorithm much like a cipher, but: • Takes any size data (such as a file) as input; and • Separates the input message/file into fixed-size blocks • Processes the input one block at a time, in order • Produces a fixed size output (the hash value or hash code) • size of hash code is same as block size • typically much smaller than the entire input message/file • hash value also commonly called the message digest, or simply the digest • Properties • Easy to compute: M -> H(M), where H(M) is the digest of M
Secure Hash Functions
• A secure hash function (also called a cryptographic hash function) is a hash function that has these additional properties: • It is, for all practical purposes, one-way: • easy to compute Y = H(M), but hard to find M given only Y. • that is, it is Infeasible, as a practical matter, to generate a message with a given hash value • It is, for all practical purposes, collision-resistant: • hard to find two messages, M and N, such that H(M) = H(N). • i.e., Highly unlikely to find two different messages with the same hash value • that is, it is Infeasible, as a practical matter, to modify a message without changing the hash value • Examples: MD5, SHA family of algorithms
A Simple Hash Function
• Bit-by-bit exclusive-OR (XOR) • produces a simple parity for each bit position ( C_i = b_i1 ⊕ b_i2 ⊕ ... ⊕ b_im ) • also known as a longitudinal redundancy check • values for each bit position are computed separately • reasonably effective for random data • somewhat less effective for non-random data (e.g., text, where msb = 0) Graph in notes
Substitution-Permutation Networks
• Claude Shannon introduced idea of substitution-permutation (S-P) networks in 1949 paper • S-P nets form the basis of modern block ciphers • S-P nets are based on the two primitive cryptographic operations we have studied before: • substitution (S-box) • permutation (P-box) • S-P nets provide confusion and diffusion for message and key
Feistel Cipher Structure
• Developed by Horst Feistel at IBM in early 70s and first implemented in the Lucifer cipher for Lloyd's of London monetary transactions • Based on concept of invertible product cipher (i.e, the ability to reverse a sequence of cryptographic transformations) • Implements Shannon's S-P net concept • Involves multiple rounds of encryption/decryption • Uses the same cipher algorithm for both encryption and decryption • But uses multiple keys (subkeys), which are different (so, the order matters)
RSA Algorithm Key Setup
• Developed by Ron Rivest, Adi Shamir, and Len Adleman, who won the Turing award in 2002 for this • Select two large prime numbers at random: p, q • Compute n = pq and ϕ( n ) = ( p-1 )( q-1 ) • Select a random encryption key e that satisfies both of these conditions: 1 < e < ϕ( n ) gcd( e, ϕ( n ) ) = 1 <- e and ϕ( n ) are relatively prime • Find decryption key d in the range 0 ≤ d ≤ f( n ) using the Extended Euclidean Algorithm, satisfying the condition: ed = 1 mod f( n ) <- e and d are inverses modulo ϕ( n ) • Publish public encryption key: PU = { e, n } • Keep secret private decryption key: PR = { d, n }
Why Public-Key Cryptography?
• Developed to address two key issues: • key distribution/exchange - how to have secure communications in general without having to trust a Key Distribution Center (KDC) with your key • digital signatures - how to verify that a message arrives intact (unmodified) from the claimed sender • Public invention due to Whitfield Diffie & Martin Hellman at Stanford University in 1976 • known earlier in classified community • described in a classified report in 1970 by James Ellis (UK CESG) - and subsequently declassified. • There is also a claim that the NSA knew of the concept in the mid-60's.
Non-mutability
• Digital signature goal is to create something unique, that only Bob could have generated. This is called non-mutability. • Non-mutability is not always achieved by the RSA signature scheme • Suppose Eve, the attacker, has two valid signatures from Bob • S1 = M1 d mod n • S2 = M2 d mod n • Eve could then produce a new signature • ( S1 )( S2 ) mod n = ( ( M1 )( M2 ) )d mod n • This would validate as a verifiable signature from Bob for ( M1 )( M2 ) • This problem is avoided in practice by using digital signatures with cryptographic hash functions, which fixes this problem
Feistel Cipher Operation
• Each round of encryption involves a substitution step, followed by a permutation step • Here's how it works: 1. Plaintext input block is first split into 2 halves, labelled right (R) and left (L) 2. In each round: a) R passes through unchanged (and after step (c) below becomes the L half for the next round) b) L goes through a substitution step that uses a function (known as the Feistel function) that depends on R and the subkey for the round c) Then permute by swapping halves
RSA Example - Operation
• Encryption/decryption for the example on the previous slide • Assume Alice has generated these public and private RSA keys, and has published the public key: PU = { 7, 187 } PR = { 23, 187 } • And suppose Bob wishes to encrypt the message M = 88 (which is less than 187) and send it to Alice. • Bob encrypts using Alice's public key: C = 88^7 mod 187 = 11 • Alice decrypts using her private key: M = 11^23 mod 187 = 88
Euler's Totient Function ϕ(n) (part 1)
• Euler's Totient, which we denote by ϕ (n) is defined as the number of positive integers less than n (or 1 if n=1) that are relatively prime to n • ϕ(n) is a count of a set of numbers, i.e., how many of them there are • 1 is always in the set; 0 is never in the set • Notation: • we use braces to enclose the elements of a set, e.g., { 2, 5, 13 } • we use vertical bars around a set denote its count, e.g., |{2, 5, 13}| • Some totient values: ϕ(1) = 1 = |{1}| ϕ(2) = 1 = |{1}| ϕ(3) = 2 = |{1, 2}| ϕ(4) = 2 = |{1, 3}| ϕ(7) = 6 = |{1, 2, 3, 4, 5, 6}| ϕ(10) = 4 = |{1, 3, 7, 9}|
DES Expansion Permutation (E-step)
• Expands 32-bit Right half to 48 bits • Performed as follows: 1. Divide 32-bit block into eight 4-bit words 2. Add a bit to the left of each 4-bit word that is the last bit of the previous 4-bit word (with wraparound) 3. Add a bit to the right of each 4-bit word that is the first bit of the next 4-bit word (with wraparound) 4. Result is eight 6-bit words which are combined into a single 48-bit block
AES Assembler instructions
• For Intel & AMD: •Instruction - Description •AESENC - Perform one round of an AES encryption flow •AESENCLAST - Perform the last round of an AES encryption flow •AESDEC - Perform one round of an AES decryption flow •AESDECLAST - Perform the last round of an AES decryption flow •AESKEYGENASSIST -Assist in AES round key generation •AESIMC - Assist in AES Inverse Mix Columns •PCLMULQDQ -Carryless multiply (CLMUL)
Euclid's GCD Algorithm
• For large numbers, it is impractical to find a GCD by first finding all the factors of each input number and then checking for a number greater than 1 on both lists • Uses the definition of division, a = ( q )( b ) + r, where • a and b are the two given numbers • q is the quotient and r is the remainder • Euclid's GCD Algorithm: 1. perform division using a and b to find q and r 2. then, assign a = b and b = r 3. repeat steps 1 and 2 until r = 0 4. GCD is the last non-zero remainder r IMPORTANT: For this class we will always divide the larger number by the smaller number, that is, we let "a" be the larger number
Diffie-Hellman Key Exchange Example
• Given prime p = 71 and a primitive root 7. • Alice randomly selects private key x = 5 So, Alice computes her public key X = 7^5 mod 71 = 7^3 x 7^2 mod 71 =59 x 49 mod 71 = 51 <- what Alice sends to Bob • Bob randomly selects private key y = 12 So, Bob computes the public key Y = 7^12 mod 71 = 51 x 51 x 49 mod 71 = 45 x 49 mod 71 = 4 <- what Bob sends to Alice Alice computes K = 4^5 mod 71 = 1024 mod 71 = 30 <- the shared secret key Bob computes K = 51^12 mod 71 = 5^12 x 5^12 x 5^12 x 5^12 x 5^12 x 5^12 mod 71 = 45 x 45 x 45 x 45 x 45 x 45 mod 71 = 4^53 x 4^53 mod 71 = 32 x 32 mod 71 = 1024 mod 71 = 30 <- the shared secret key
Diffusion and Confusion
• Goal of cipher design is to completely obscure statistical properties of original message • Shannon's idea: combining S & P elements to obtain: • Diffusion - dissipates statistical structure of plaintext over bulk of ciphertext • i.e., changing one plaintext bit must affect as many ciphertext bits as possible • Confusion - makes relationship between ciphertext and key as complex as possible • i.e., changing one bit of the encryption key must affect as many ciphertext bits as possible
Prime Numbers
• Here, we are only talking about the counting numbers 1, 2, 3, ... • A prime number is a counting number that is evenly divisible only by 1 and itself • evenly divisible means that the remainder is zero when the larger number is divided by the smaller of the two numbers • e.g., 12 is evenly divisible by 1, 2, 3, 4, and 6, but not by 5, 7, 8, 9, 10, or 11 • The first few prime numbers are: 1, 2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, ... • Note 1: "2" is the only even prime number; all other even numbers are evenly divisible by 2, so they cannot be prime • Note 2: all prime numbers other than 2 are odd, but not all odd number are prime • e.g., "15" is not prime, since it is divisible by 3 and 5 • e.g., similarly for 9, 21, 25, 27, 33, and countless others
Euler's Totient Function ϕ(n) (part 3)
• If p and q are relatively prime, then ϕ(pq) = ϕ(p)ϕ(q) • i.e., the result for primes also works for relatively prime numbers • Example: ϕ(110) = ϕ(11) ϕ(10) = (10) (4) = 40 Note that ϕ(11) = 10 since 11 is prime We also know ϕ(10) = ϕ(2)ϕ(5) = (1)(4) = 4 from before
Block Cipher Review (2)
• In a block cipher: • Plaintext and ciphertext are processed in blocks of fixed length b (e.g., 128 bits) • A plaintext of length n is partitioned into a sequence of m blocks, P[0], ..., P[m-1], where n £ bm < n + b • Each message is divided into a sequence of blocks and encrypted or decrypted in terms of its blocks • All blocks are the same size • Last block may need include some padding (if run out of plaintext)
Using Hash Functions with Digital Signatures
• In practice, digital signatures are not applied to entire messages • Because public key encryption algorithms are slow compared with symmetric algorithms • And also because it is possible to construct valid RSA signatures on combined messages from existing RSA signatures (see previous slide) • So, digital signatures are more commonly applied to cryptographic hashes of messages, which serve as message authentication codes • Suppose Bob wishes to send a message, M, to Alice: • Cryptographic hash of message: H(M) • Bob digitally signs the hash value using his private key: PR_Bob( H(M) ) • What Bob sends to Alice: PR_Bob( H(M) ) and M • On receipt, Alice separates message from digital signature • Alice uses Bob's public key to recover the hash value: PU_Bob[PR_Bob( H(M) ) ] = H(M) • Alice computes her own hash value from M and compares with received H(M)
DES Key Schedule
• Initial key is 56 bits (7 bytes) • Can also be 8 bytes, with last bit of each byte used for parity (so only 56 bit are used) • Before any round keys are generated, the 56 usable bits are permuted using a table called "Permutation Choice 1" • Thereafter, at the beginning of each round: • Split 56-bit key block into two 28-bit halves • Circularly left shift each block by 1 or 2 bits (1 bit for rounds 1,2,9, and 16; 2 bits for others) • Join the shifted halves together and contract to 48 bits using "Permutation Choice 2" that selects a fixed 48-bit subset of the 56 bits in a particular order (this is the subkey for the round) • NOTE: the circularly shifted 28-bit halves are joined and passed on to the next round to generate the next key
Integrity Checking
• Integrity checking is all about • detecting changes in files and messages • Basic idea • Compute a numeric value for each message/file • Later, compute a fresh value to check for any unauthorized modifications • Applications: • digital signatures • message authentication • file system integrity • Numeric value computation • Checksum • Cyclic Redundancy Check (CRC) • Simple Hash Function • Cryptographic Hash function
Key Distribution Components
• Key Distribution Center (KDC) • responsible for distributing session keys • knows who is authorized to communicate to whom • Security Service Module (SSM) • at each host • requests session key from KDC • using permanent key shared with KDC • Permanent key is used for communicating between hosts and KDC • Session key is used for encrypted communications between the hosts
Message Authentication Requirements
• Message authentication must provide these assurances 1. the message has not been altered 2. the message came from the alleged sender • Consider this scenario: • Alice wishes to send an authenticated message to Bob • Alice computes the SHA-512 hash code for the email and sends it to Bob along with the original message • Eve (our attacker) intercepts the message, changes it, computes a fresh SHA512 value, and forwards it to Bob instead of Alice's original transmission • Bob receives the message and hash value that Eve sent, computes his own SHA-512 value for the message, and believes and believes he has authenticated a message from Alice Q: How can we fix this (and provide both assurances above)? A: Use a MAC algorithm that requires a secret key known only to Alice and Bob
Differences from RSA
• RSA • PU=(e,n) where n is composite and e is relatively prime to ϕ( n ) • private key d is the inverse of e modulo ϕ( n ) • Diffie-Hellman • use p and a, where p is prime and a is a primitive root of p • private keys for Alice and Bob can be any values less than p
Finding Modular Inverses
• Recall the definition of a modular inverse: • Given counting numbers x and y, they are modular inverses with respect to a particular modulus n if ( x )( y ) mod n = 1 • Example (from before): 7 and 3 are inverses modulo 10, since ( 7 )( 3 ) mod 10 = 21 mod 10 = 1 • Two ways to find modular inverses: • We can guess (aka "trial and error" or "brute force attack") and then check to see if we are correct • Or, given x and n, we can use an algorithm to find y • we can use the Extended Euclidean Algorithm to do this
The RSA Signature Scheme
• Recall: • In the standard RSA encryption/decryption process, • sender encrypts using the recipient's public key • recipient who uses his/her own private key • For digital signatures, however, it is the sender who uses the private key • The sender must use his or her own private key • The recipient uses the sender's public key • Why this works • When the recipient uses the sender's public key to decrypt, the recipient is assured that the sender sent the message and that the message was not altered in transit, since only the sender could have encrypted it using the sender's private key
Stream Cipher Operation
• Regardless of size of element, bit-wise XOR is used for both encryption and decryption • we have seen this previously as the binary one-time pad • Example (given element is an 8-bit byte): • Encryption 1 1 0 0 1 1 0 0 plaintext ⊕0 1 1 0 1 1 0 0 key stream 1 0 1 0 0 0 0 0 ciphertext • Decryption 1 0 1 0 0 0 0 0 ciphertext ⊕0 1 1 0 1 1 0 0 key stream 1 1 0 0 1 1 0 0 plaintext
SHA-512 Message Digest Generation (1)
• SHA-512 computes a digest in 5 steps 1. Append padding bits so message length is congruent to 896 modulo 1024 2. Append length as a 128-bit unsigned binary number 3. Initialize a 512-bit hash buffer to certain fixed values 4. Process message in 1024-bit blocks 5. The message digest is the output after the last input block is processed 16 Note: the other SHA algorithms use a similar structure
SHA Family of Algorithms
• Secure Hash Algorithm (SHA) • Developed by NIST, published in 1993 and revised as SHA-1 in 1995 • 3 additional versions added in 2002: SHA-256, SHA-384, SHA-512 • All versions share same basic structure • SHA-3 in development, presumably with different architecture Graph in notes
Key Distribution Alternatives
• Security of cryptosystem depends on the key distribution method used • secrecy of keys • frequently changing keys Why? • Key distribution alternatives for secure communication between A and B: 1. Key could be selected by A and physically delivered to B 2. Key could be selected by a third party and physically delivered to both A and B 3. If A and B have previously communicated, could send new key by encrypting it with prior key 4. If A and B each have an encrypted connection to a third party C, then C could deliver a key on the encrypted links to A and B • Option 3 is dangerous: if any key is compromised, all subsequent keys are known • Option 4 is preferable for end-to-end encryption
Triple-DES with Two/Three-Keys
• Single DES is strong, but Triple DES ("3DES") is much stronger • at cost of 3 times slower to run • The reason: must encrypt 3 times • but can use 2 keys with E-D-E sequence • C = E_K1( D_K2( E_K1( P ) ) ) and P = D_K1( E_K2( D_K1( C ) ) ) • NOTE: encrypt & decrypt equivalent in security • if K1=K2 then equivalent to single DES • key space ≈ 2^112 • can also use Triple-DES with Three-Keys • C = EK3( DK2( EK1( P ) ) ) and P = D_K1( E_K2( D_K3( C ) ) ) • key space ≈ 2^168 • no current known practical attacks for either version • but use AES for applications that need better performance
What Makes DES Strong
• Substitution step performs diffusion well: • On average, changing 1 bit of 64-bit input block changes 34 bits of the ciphertext block • Key schedule performs confusion well: • On average, changing 1 bit of 56-bit encryption key changes 35 bits of the ciphertext block • Good size key space: 2^56 ≈ 7.2 x 10^16 = 72,000,000,000,000,000 • Brute force attack at 1,000 keys/microsecond would need about 13 months to test half the keys • EFF took 3 days on special hardware • If can parallel process 1 million keys at once, can do in about 10 hours • This is why we now use 3DES
Review: Checking Candidate Modular Inverses
• Suppose we are given the number 7 and a modulus of 160 and we are asked to determine whether the number 23 is the modulo 160 inverse of 7 Question: How do we proceed? ->Answer: We just multiply it out using the definition of modular inverse; if the result is 1, then the the two numbers are modular inverses • Solution: We let x = 7, y = 23, and n = 160 We compute ( 7 )( 23 ) mod 160 = 161 mod 160 = 1 -> Since the result is 1, we conclude that 7 and 23 are inverses modulo 160
RSA Operation
• The message is divided into blocks (pad the last one, if necessary), which are interpreted as unsigned binary numbers • the blocks must be sized so that the largest numeric value is less than the modulus n (which is part of both keys) • i.e., For all message blocks M, we have 0 ≤ M < n • Alice encrypts a single message block M and sends it to Bob: • she uses Bob's public key PU_B={ e, n } • Alice encrypts by computing: C = M^e mod n • Bob decrypts the ciphertext C for the block: • Bob uses Bob's private key PRB ={ d, n } • Bob decrypts by computing: M = C^d mod n • NOTE that C was already blocked at the encryption end
Data Encryption Standard (DES)
• The most widely used block cipher in world • Adopted in 1977 by NBS (now NIST) as FIPS (Federal Information Processing Standard) PUB 46 • Based on Lucifer cipher developed by IBM for Lloyds of London (for cash transfers) • Has been considerable controversy over its security • Code cracked in 1999 by the Electronics Frontiers Foundation using special hardware • Following which NIST directed use of "Triple DES" • Ultimately replaced by AES for Federal use, but Triple DES is still in wide use commercially.
Key Distribution Using a KDC
• The preferred method for distributing symmetric keys for end-to-end encryption graph in notes 1. Host sends packet requesting connection 2. Security service buffers packet; asks KDC for session key. 3. KDC distributes session key to both hosts. 4. Buffered packet transmitted.
Security of HMAC
• The quantitative measure of security that is used • the probability of successful forgery with a given amount of time spent by the forger and a given number of message-MAC pairs created with the same key • HMAC security has been proved to be equivalent to either 1. Attacker is able to compute an output of the hash function even with an IV that is random, secret, and unknown to the attacker 2. The attacker finds collisions in the hash function even when the IV is random and secret • Analysis shows: • Brute force effort is O ( b^n ), where n is the size of the IV • "Birthday attack" reduces this to O( b^n/2 ) -> This is why the security of a hash function is considered roughly half the digest size, e.g. 80 for SHA-1, 256 for SHA-512, etc.
RC4: Generate Initial Permutation
• This step generates a pseudorandom permutation of the entire S array: j = 0; for(int i = 0; i < 256; i++){ j = (j + S[i] + T[i]) mod 256 Swap (S[i], S[j]); } Swap( i, j ) interchanges the values of S[ i ] and S[ j ] Example: for S and T arrays computed before: S[i]: [0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, ... T[i]: [1, 1, 0, 1, 1, 0, 1, 1, 1, 1, 0, 1, 1, 0, 1, 1, 1, 1, 0, 1, 1, 0, ... this step modifies S to become: Initial perm of S[i]: [1, 205, 155, 104, 11, 92, 20, 28, 37, 251, ...
CRC Procedure
• To generate a CRC: 1. Pad the message with zeroes (3 for CRC-3, 4 for CRC-4, etc.). 2. Divide by the coefficients of the selected polynomial, using the binary exclusive-or (XOR) operator. 3. The remainder is the CRC code. (Graph in note: XOR table) • To validate a CRC: • Compute the CRC on the message without the CRC. • If the computed value is the same as the value received, no change has occurred.
Security of Public Key Schemes
• as for symmetric schemes, brute force exhaustive search attack is always theoretically possible • but keys used are usually too large ( >512bits ) • security relies on the difficulty of computing a modular inverse without knowing the modulus • this task is impractical if large numbers are used • since security requires the use of very large numbers and complex calculations are involved, public key methods are slow compared to private (symmetric) key schemes • this is why general practice is to use public key methods for negotiating keys and for digital signatures, but use symmetric methods for data communication
The RC4 Stream Cipher
• invented in 1987 by Ron Rivest (of RSA fame) • originally a trade secret of RSA Security, but posted the Internet in 1994 • uses a variable key size • basic idea: • use a random permutation of the numbers 0 to 255 to generate the pad • after exhaust the first 256 bytes, generate next 256 bytes based on the previous set • apply the pad using XOR operator for both encryption and decryption • this scheme essentially uses a PRNG with a very long period • all PRNGs repeat, eventually, since they are deterministic • analysis shows that the period (for repetition) is "overwhelmingly likely" to be greater than 10^100 numbers • used in SSL/TLS, WEP, and WPA
DES Round Structure (simplified)
• splits a 64-bit input block into two 32-bit L & R halves • as for any Feistel cipher can describe as: Li = Ri-1 Ri = Li-1 Å F ( Ri-1, Ki ) • Feistel function F takes 32-bit R half and 48-bit subkey: • expands R to 48-bits using E-step permutation • applies subkey using XOR • passes through 8 S-boxes to get 32-bit result • finally permutes using 32-bit perm P-box
Diffie-Hellman Key Exchange Protocol
•Given the global public elements: • p - prime number • a - a primitive root of p • Alice picks a random x < p and computes <- little x is Alice's private key X = a^x mod p, and sends this to Bob <- big X is what Alice sends to Bob • Bob picks a random y < p and computes <- little y is Bob's private key Y = a^y mod p, and sends this to Alice <- big Y is what Bob sends to Alice • Alice receives Y from Bob and computes: K = Y^x mod p <- Bob receives X from Alice and computes: K = X^y mod p • Alice and Bob have computed the same secret key, because what Alice computed is Y^xmod p = a^yx mod p = a^xy mod p = X^y mod p , which is what Bob computed
Bit-by-bit XOR Example: message = B37F19
To compute the bit-by-bit XOR of B37F19 using a block size of 4 bits: Graph in notes Hash value is 1000 = 8_16 So, what will be transmitted is the message, plus the hash value: B37F198
