• The generic name for the collection of tools designed to protect data and to
thwart hackers is computer security.
Introduction: Threat vs Attack
Security Attacks
Passive Attack
• Passive attacks are in the nature of eavesdropping on, or monitoring of,
transmissions. The goal of the opponent is to obtain information that is
being transmitted
• Two types of passive attacks are release of message contents and traffic
analysis
• Passive attacks are very difficult to detect because they do not involve any
alteration of the data.
Security Attacks
Active Attacks
• Active attacks involve some modification of the data stream or the creation
of a false stream and can be subdivided into four categories:
Security Services
SECURITY MECHANISMS
• Encipherment: The use of mathematical algorithms to transform data
into a form that is not readily intelligible
A Model for Network Security
If P is the plaintext, C is the ciphertext, and K is the key,
Figure 3.2 Locking and unlocking with the same key
3.1.1 Kerckhoff’s Principle
3.1.2 Cryptanalysis
As cryptography is the science and art of creating secret
codes, cryptanalysis is the science and art of breaking
those codes.
Two approaches to attack: cryptanalysis and brute force.
Figure 3.3 Cryptanalysis attacks
3.1.2 Continued
Ciphertext-Only Attack
Known-Plaintext Attack
Chosen-Plaintext Attack
Chosen-Ciphertext Attack
Types of attacks on encrypted messages
Types of cryptanalytic attacks
• Ciphertext-only attack
– The cryptanalyst does not know any of the underlying plaintext
– A basic assumption is that ciphertext is always available to an attacker
• Known-plaintext attack
– The attacker has the ciphertext as well as some of the
corresponding plaintext (one or more plaintext-ciphertext pairs formed
with the secret key)
• Chosen-plaintext attack
– The cryptanalyst can encrypt a plaintext of his choosing and study the
resulting ciphertext
– This is most common against asymmetric cryptography, where a
cryptanalyst has access to a public key
Symmetric Encryption
• Plaintext
• Encryption algorithm
• Secret key
• Ciphertext: depends on the plaintext and the secret key.
• Decryption algorithm:
• An original message is known as the plaintext, while the coded message is
called the ciphertext.
• The many schemes used for encryption constitute the area of study known
as cryptography. Such a scheme is known as a cryptographic system or a
cipher.
• Brute-force attack
– The attacker tries every possible key on a piece of ciphertext until an
intelligible translation into plaintext is obtained.
Unconditionally Secure and Computationally Secure Encryption Schemes
• If both the above criteria are met, such an encryption scheme is said to be
computationally secure.
3-2 SUBSTITUTION CIPHERS
A substitution cipher replaces one symbol with another. Substitution ciphers can be
categorized as either monoalphabetic ciphers or polyalphabetic ciphers.
3.2.1 Monoalphabetic Ciphers
Example 3.1
The following shows a plaintext and its corresponding ciphertext.
The cipher is probably monoalphabetic because both l’s (els) are
encrypted as O’s.
Additive Cipher
3.2.1 Continued
Figure 3.9 Additive cipher
Solution
We apply the encryption algorithm to the plaintext, character by
character:
Example 3.4
Shift Cipher and Caesar Cipher
Historically, additive ciphers are called shift ciphers. Julius Caesar
used an additive cipher to communicate with his officers. For this
reason, additive ciphers are sometimes referred to as the Caesar
cipher. Caesar used a key of 3 for his communications.
Example 3.5
Eve has intercepted the ciphertext “UVACLYFZLJBYL”. Show
how she can use a brute-force attack to break the cipher.
Solution
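An added example (not from the slides) that carries out the brute-force attack of Example 3.5 in Python: it tries all 25 non-trivial keys and ranks the candidates with a constructed subset of the English letter frequencies of Table 3.1, so the key and plaintext are found without reading 25 candidates by eye.

```python
import string

ALPHABET = string.ascii_lowercase


def additive_encrypt(plaintext: str, key: int) -> str:
    """Additive (shift) cipher: C = (P + k) mod 26 on letters only, output uppercase."""
    out = []
    for ch in plaintext.lower():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26].upper())
    return "".join(out)


def additive_decrypt(ciphertext: str, key: int) -> str:
    """Inverse: P = (C - k) mod 26, output lowercase."""
    out = []
    for ch in ciphertext.lower():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) - key) % 26])
    return "".join(out)


# Constructed subset of Table 3.1 (approximate percentages of the most frequent
# English letters); it is only used to rank candidate plaintexts.
COMMON = {"e": 12.7, "t": 9.1, "a": 8.2, "o": 7.5, "i": 7.0,
          "n": 6.7, "s": 6.3, "h": 6.1, "r": 6.0}


def score_english(text: str) -> float:
    """Higher when the text is made of the letters that dominate English."""
    return sum(COMMON.get(ch, 0.0) for ch in text)


def brute_force(ciphertext: str):
    """Eve's attack: decrypt under every key 1..25 (key 0 is the identity)
    and sort the candidates so the most English-looking comes first."""
    candidates = [(k, additive_decrypt(ciphertext, k)) for k in range(1, 26)]
    return sorted(candidates, key=lambda kp: score_english(kp[1]), reverse=True)


def best_key(ciphertext: str) -> int:
    return brute_force(ciphertext)[0][0]


if __name__ == "__main__":
    for key, plaintext in brute_force("UVACLYFZLJBYL")[:5]:
        print(key, plaintext)
```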
Table 3.1 Frequency of characters in English
Monoalphabetic Substitution Cipher
Example 3.13
We can use the key in Figure 3.12 to encrypt the message
The ciphertext is
3.2.2 Polyalphabetic Ciphers
Autokey Cipher
3.2.2 Continued
Example 3.14
Assume that Alice and Bob agreed to use an autokey cipher with
initial key value k1 = 12. Now Alice wants to send Bob the message
“Attack is today”. Enciphering is done character by character.
Substitution Ciphers
The 'key' for a Playfair cipher is generally a word; for the sake of
example we will choose 'monarchy'. This is then used to generate a 'key
square', e.g.
Note that there is no 'j'; it is combined with 'i'. We now apply the
encryption rules to encrypt the plaintext.
1. Repeating plaintext letters that are in the same pair are separated
with a filler letter, such as x, so that full would be treated as fu lx lz.
2. Two plaintext letters that fall in the same row of the matrix are each
replaced by the letter to the right, with the first element of the row
circularly following the last. For example, ar is encrypted as RM.
3. Two plaintext letters that fall in the same column are each replaced
by the letter beneath, with the top element of the column circularly
following the last. For example, mu is encrypted as CM.
4. Otherwise, each plaintext letter in a pair is replaced by the letter
that lies in its own row and the column occupied by the other plaintext
letter. Thus, hs becomes BP and ea becomes IM (or JM, as the
encipherer wishes).
3.2.2 Continued
Playfair Cipher
Figure 3.13 An example of a secret key in the Playfair cipher
Example 3.15
Let us encrypt the plaintext “hello” using the key in Figure 3.13.
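Added example, not code from the slides: full Playfair encryption in Python, using the 'monarchy' key square and the four rules described above. The key of Figure 3.13 used by Example 3.15 is not reproduced on the page, so “hello” is encrypted under 'monarchy' instead; the digraphs quoted in the rules (ar, mu, hs, ea) serve as checks.

```python
import string


def build_key_square(keyword: str) -> list:
    """5x5 square: keyword letters first (duplicates dropped), then the rest of
    the alphabet; 'j' is folded into 'i' so that 25 letters fit."""
    seen = []
    for ch in keyword.lower() + string.ascii_lowercase:
        ch = "i" if ch == "j" else ch
        if ch.isalpha() and ch not in seen:
            seen.append(ch)
    return ["".join(seen[r * 5:(r + 1) * 5]) for r in range(5)]


def _position(square, ch):
    for r, row in enumerate(square):
        c = row.find(ch)
        if c >= 0:
            return r, c
    raise ValueError("letter not in square: " + ch)


def make_digraphs(plaintext: str, filler: str = "x", pad: str = "z") -> list:
    """Rule 1: split into pairs; a doubled letter inside a pair gets the filler
    between its halves, and an odd trailing letter is padded (full -> fu lx lz)."""
    letters = [("i" if c == "j" else c) for c in plaintext.lower() if c.isalpha()]
    pairs, i = [], 0
    while i < len(letters):
        a = letters[i]
        if i + 1 == len(letters):                 # odd trailing letter
            pairs.append(a + (pad if a != pad else filler))
            i += 1
        elif letters[i + 1] == a:                 # doubled letter: insert filler
            pairs.append(a + filler)
            i += 1
        else:
            pairs.append(a + letters[i + 1])
            i += 2
    return pairs


def encrypt_pair(square, pair: str) -> str:
    (r1, c1), (r2, c2) = _position(square, pair[0]), _position(square, pair[1])
    if r1 == r2:                                  # rule 2: same row, shift right
        return square[r1][(c1 + 1) % 5] + square[r2][(c2 + 1) % 5]
    if c1 == c2:                                  # rule 3: same column, shift down
        return square[(r1 + 1) % 5][c1] + square[(r2 + 1) % 5][c2]
    return square[r1][c2] + square[r2][c1]        # rule 4: swap columns


def playfair_encrypt(plaintext: str, keyword: str) -> str:
    square = build_key_square(keyword)
    return "".join(encrypt_pair(square, p) for p in make_digraphs(plaintext)).upper()


if __name__ == "__main__":
    print("\n".join(build_key_square("monarchy")))
    print(playfair_encrypt("hello", "monarchy"))
```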
Substitution Ciphers
Vigenère Cipher
• Uses more than one alphabet, switching between them systematically
• How this cipher works:
1. Pick a keyword.
2. Write your keyword across the top of the text you want to encipher,
repeating it as many times as necessary.
EXAMPLE:
3.2.2 Continued
Example 3.16
Let us see how we can encrypt the message “She is listening” using
the 6-character keyword “PASCAL”. The initial key stream is (15,
0, 18, 2, 0, 11). The key stream is the repetition of this initial key
stream (as many times as needed).
Vernam Cipher (One-Time Pad)
• It is implemented using a random set of characters as the key
• One-time usage
• Length of the key text is equal to the length of the original plaintext
Algorithm
• Translate each plaintext letter into the corresponding number (i.e. A=0,
B=1, …, Z=25)
• Do the same for each character of the key text
• Add each number corresponding to the plaintext letter to the
corresponding key text letter number
• If the sum thus produced is greater than 26, subtract 26 from it
• Translate each number of the sum back to the corresponding letter. This
gives the output ciphertext
Substitution Ciphers
Example
• Plaintext message: HOW ARE YOU
• One-time pad (key text): NCBTZQARX
• Now read the text row-by-row, and write it sequentially. Thus we have:
• CMHMTMROOEOEOORW as the cipher text
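The autokey cipher (Example 3.14), the Vigenère cipher (Example 3.16) and the Vernam one-time pad above differ only in where the key stream comes from. This added example (not the slides' code) implements all three in Python as one additive stream cipher over Z26 with three key-stream generators; the one-time pad run uses the key text NCBTZQARX from the example above, and the autokey decryption shows why the receiver must rebuild the key from the plaintext it has already recovered.

```python
import string

A = string.ascii_uppercase


def letters_to_numbers(text: str) -> list:
    """Keep letters only and map a/A=0 ... z/Z=25 (spaces are dropped)."""
    return [A.index(ch) for ch in text.upper() if ch in A]


def numbers_to_letters(nums) -> str:
    return "".join(A[n % 26] for n in nums)


def vigenere_keystream(keyword: str):
    """Repeat the keyword's numbers forever: period m = len(keyword)."""
    key = letters_to_numbers(keyword)
    i = 0
    while True:
        yield key[i % len(key)]
        i += 1


def autokey_keystream(k1: int, plaintext_nums: list):
    """k1 first, then each plaintext number becomes the next key value."""
    yield k1
    yield from plaintext_nums


def one_time_pad_keystream(pad: str, n: int):
    """Vernam: key text at least as long as the plaintext, used once."""
    key = letters_to_numbers(pad)
    if len(key) < n:
        raise ValueError("pad shorter than plaintext")
    yield from key[:n]


def stream_encrypt(plaintext: str, keystream) -> str:
    """C_i = (P_i + k_i) mod 26, whatever generator supplies k_i."""
    p = letters_to_numbers(plaintext)
    return numbers_to_letters((x + k) % 26 for x, k in zip(p, keystream))


def stream_decrypt(ciphertext: str, keystream) -> str:
    c = letters_to_numbers(ciphertext)
    return numbers_to_letters((x - k) % 26 for x, k in zip(c, keystream)).lower()


def vigenere_encrypt(plaintext: str, keyword: str) -> str:
    return stream_encrypt(plaintext, vigenere_keystream(keyword))


def autokey_encrypt(plaintext: str, k1: int) -> str:
    return stream_encrypt(plaintext, autokey_keystream(k1, letters_to_numbers(plaintext)))


def autokey_decrypt(ciphertext: str, k1: int) -> str:
    """The key stream is not known up front: each recovered plaintext number
    is the key for the next character."""
    p, key = [], k1
    for x in letters_to_numbers(ciphertext):
        key = (x - key) % 26
        p.append(key)
    return numbers_to_letters(p).lower()


def otp_encrypt(plaintext: str, pad: str) -> str:
    n = len(letters_to_numbers(plaintext))
    return stream_encrypt(plaintext, one_time_pad_keystream(pad, n))


if __name__ == "__main__":
    print(vigenere_encrypt("She is listening", "PASCAL"))
    print(autokey_encrypt("Attack is today", 12))
    print(otp_encrypt("HOW ARE YOU", "NCBTZQARX"))
```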
Transposition Ciphers
2) Simple Columnar Transposition Technique
• The simple columnar transposition technique arranges the plaintext as a
sequence of rows of a rectangle that are read out column by column in a
random order
– Write the plaintext message row-by-row in a rectangle of a pre-defined
size
– Read the message column-by-column. However, it need not be in the order
of columns 1, 2, 3, etc.; it can be in any order, such as 2, 3, 1, etc.
– The message thus obtained is the ciphertext message
Example
• Original plaintext message: Come Home Tomorrow
• Let us consider a rectangle with six columns. Therefore, we write the
message in the rectangle row-by-row, suppressing spaces
• Now, let us decide the order of columns as some random order, say 4, 6,
1, 2, 5 & 3. Then read the text in the order of these columns
• The ciphertext thus obtained would be EOWOOCMROEHMMTO
Transposition Ciphers
3) Simple Columnar Transposition Technique with Multiple Rounds
• To improve the basic simple columnar technique, we can introduce more
complexity
• Use the same basic operation of the simple columnar technique, but do it
more than once
Algorithm:
– Write the plaintext message row-by-row in a rectangle of a pre-defined
size
– Read the message column-by-column. However, it need not be in the
order of columns 1, 2, 3, etc.; it can be any random order, such as 2, 3, 1,
etc.
– The message thus obtained is the ciphertext message of round 1
– Repeat steps 1 to 3 as many times as desired
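Added example (not the slides' code) for the single-round and multi-round columnar transposition above, in Python. It goes a step beyond the text by also decrypting: the receiver has to work out how long each column is, because the last row of the rectangle is usually short.

```python
def columnar_encrypt(plaintext: str, column_order: list) -> str:
    """Write the letters row by row into a rectangle with len(column_order)
    columns, then read the columns in the given (1-based) order."""
    letters = [c for c in plaintext if c.isalpha()]
    ncols = len(column_order)
    rows = [letters[i:i + ncols] for i in range(0, len(letters), ncols)]
    out = []
    for col in column_order:
        for row in rows:
            if col - 1 < len(row):        # the last row may not fill every column
                out.append(row[col - 1])
    return "".join(out).upper()


def columnar_decrypt(ciphertext: str, column_order: list) -> str:
    """Rebuild the rectangle: a column holds one extra letter exactly when its
    (1-based) index is within the length of the short last row."""
    n, ncols = len(ciphertext), len(column_order)
    full_rows, extra = divmod(n, ncols)
    cols, pos = {}, 0
    for col in column_order:
        length = full_rows + (1 if col - 1 < extra else 0)
        cols[col] = ciphertext[pos:pos + length]
        pos += length
    out = []
    for r in range(full_rows + (1 if extra else 0)):
        for col in range(1, ncols + 1):
            if r < len(cols[col]):
                out.append(cols[col][r])
    return "".join(out).lower()


def multi_round_encrypt(plaintext: str, column_order: list, rounds: int) -> str:
    """Technique 3: the output of one round is the input of the next."""
    text = plaintext
    for _ in range(rounds):
        text = columnar_encrypt(text, column_order)
    return text


def multi_round_decrypt(ciphertext: str, column_order: list, rounds: int) -> str:
    text = ciphertext
    for _ in range(rounds):
        text = columnar_decrypt(text, column_order)
    return text


if __name__ == "__main__":
    order = [4, 6, 1, 2, 5, 3]
    c = columnar_encrypt("Come Home Tomorrow", order)
    print(c, columnar_decrypt(c, order))
    print(multi_round_encrypt("Come Home Tomorrow", order, 2))
```

A 16-letter plaintext must give a 16-letter ciphertext, so running the function on the example above is a quick check of a hand computation.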
3.3.2 Keyed Transposition Ciphers
3.3.2 Continued
Example 3.25
3.3.3 Combining Two Approaches
Example 3.26
Figure 3.21
3-4 STREAM AND BLOCK CIPHERS
3.4.1 Stream Ciphers
3.4.1 Continued
Example 3.30
Example 3.32
Vigenère ciphers are also stream ciphers according to the
definition. In this case, the key stream is a repetition of m values,
where m is the size of the keyword. In other words,
3.4.2 Block Ciphers
3.4.2 Continued
Example 3.34
Playfair ciphers are block ciphers. The size of the block is m = 2.
Two characters are encrypted together.
Claude Shannon and Substitution-Permutation Ciphers
• In 1949 Claude Shannon introduced the idea of substitution-permutation (S-P)
networks
– modern ciphers are substitution-transposition product ciphers
• key size
– increasing the size improves security and makes exhaustive key searching
harder, but may slow the cipher
• number of rounds
– increasing the number improves security, but slows the cipher
• subkey generation
– greater complexity can make analysis harder, but slows the cipher
• round function
– greater complexity can make analysis harder, but slows the cipher
Data Encryption Standard (DES)
• The algorithm has 16 rounds. Each
round has the following architecture:
DES
• Before any rounds, the plaintext bits are
permuted using an initial permutation.
• Hence, at the end of the 16 rounds the
inverse permutation is applied.
• The initial permutation is public
knowledge.
DES Round Structure
DES: S-Boxes
• Each S-box takes a 6-bit input
and outputs four bits.
• This is the substitution part of the cipher.
• Each S-box has a different functionality as
defined by the corresponding tables.
DES Key Schedule
• consists of:
– initial permutation of the key (PC1) which selects 56 bits in two 28-bit
halves
– 16 stages consisting of:
• selecting 24 bits from each half
• permuting them by PC2 for use in function f,
• rotating each half separately either 1 or 2 places depending on the
key rotation schedule K
DES Decryption
• decrypt must unwind steps of data computation
• with Feistel design, do encryption steps again
• using subkeys in reverse order (SK16 … SK1)
Avalanche Effect
• key desirable property of an encryption algorithm.
Strength of DES (cont.)
• Avalanche effect in DES
– If there is a small change in either the plaintext or the key, the
ciphertext should change markedly.
• DES exhibits a strong avalanche effect.
Strength of DES – Key Size
• 56-bit keys have 2^56 = 7.2 × 10^16 values
8-1 Continued
8.1.1 Electronic Codebook (ECB) Mode
Electronic Codebook (ECB)
• message is broken into independent blocks which are encrypted
8.1.2 Continued
Example 8.4
It can be proved that each plaintext block at Alice’s site is recovered
exactly at Bob’s site. Because encryption and decryption are inverses
of each other,
Cipher Feedback (CFB)
Output Feedback (OFB)
• message is treated as a stream of bits
SubBytes
The first transformation, SubBytes, is used at the
encryption site. To substitute a byte, we interpret the byte
as two hexadecimal digits.
InvSubBytes
1.2.1 Continued
InvSubBytes (Continued)
Example 1.2
MixColumns
The MixColumns transformation operates at the column
level; it transforms each column of the state to a new
column.
InvMixColumns
The InvMixColumns transformation is basically the same
as the MixColumns transformation.
AddRoundKey
AddRoundKey proceeds one column at a time.
AddRoundKey adds a round key word with each state
column matrix; the operation in AddRoundKey is matrix
addition.
Statistical Attacks
Numerous tests have failed to do statistical analysis of
the ciphertext.
1.6.2 Implementation
Modes of Operation
• A technique for enhancing the effect of a cryptographic algorithm or
adapting the algorithm for an application.
• Five modes defined by NIST (SP 800-38A)
Electronic Codebook (ECB)
• message is broken into independent blocks which are encrypted
Cipher Block Chaining (CBC)
• each previous cipher block is chained with the current plaintext block, hence
the name
• thus a change in the message affects all ciphertext blocks after the change
as well as the original block
Cipher Feedback (CFB)
• note that the block cipher is used in encryption mode at both ends
Output Feedback (OFB)
• sender and receiver must remain in sync, and some recovery method is
needed to ensure this occurs
• subsequent research has shown that only OFB-64 should ever be used
Counter (CTR)
• a “new” mode, though proposed early on
• similar to OFB but encrypts a counter value rather than any feedback value
• must have a different key & counter value for every plaintext block (never
reused)
C_i = P_i XOR O_i
O_i = DES_K1(i)
• must ensure that key/counter values are never reused, otherwise the mode
could be broken (cf. OFB)
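Added example, not the slides' code: CTR mode in Python built around a stand-in block function (SHA-256 of key and counter block, truncated to 16 bytes, because the standard library has no DES or AES). It shows O_i = E_K(counter), C_i = P_i XOR O_i, a wrapper that enforces the never-reuse rule for a (key, nonce) pair, and the XOR identity that is the reason for that rule.

```python
import hashlib
import os
from typing import Optional

BLOCK = 16


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for E_K (the page uses DES): a keyed one-way function truncated
    to one block. Only the CTR structure around it is the point here."""
    return hashlib.sha256(key + block).digest()[:BLOCK]


def ctr_keystream(key: bytes, nonce: bytes, nblocks: int):
    """O_i = E_K(nonce || i): the counter block is encrypted, never a feedback value."""
    for i in range(nblocks):
        yield block_encrypt(key, nonce + i.to_bytes(BLOCK - len(nonce), "big"))


def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """C_i = P_i XOR O_i; the same call decrypts because XOR is its own inverse."""
    nblocks = (len(data) + BLOCK - 1) // BLOCK
    stream = b"".join(ctr_keystream(key, nonce, nblocks))
    return bytes(d ^ s for d, s in zip(data, stream))


class CtrEncryptor:
    """Enforces the page's rule: one (key, nonce) pair encrypts one message only."""

    def __init__(self, key: bytes):
        self.key = key
        self.used = set()

    def encrypt(self, data: bytes, nonce: Optional[bytes] = None):
        nonce = os.urandom(8) if nonce is None else nonce
        if nonce in self.used:
            raise ValueError("nonce reuse: the keystream would repeat")
        self.used.add(nonce)
        return nonce, ctr_crypt(self.key, nonce, data)


def xor_of_plaintexts_if_reused(c1: bytes, c2: bytes) -> bytes:
    """Why reuse breaks the mode: with the same keystream, C1 XOR C2 equals
    P1 XOR P2, so the key is no longer protecting the relation between messages."""
    return bytes(a ^ b for a, b in zip(c1, c2))


if __name__ == "__main__":
    enc = CtrEncryptor(b"\x01" * 16)
    nonce, ct = enc.encrypt(b"constructed sample message spanning two blocks")
    print(ct.hex(), ctr_crypt(b"\x01" * 16, nonce, ct))
```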
Mathematics of Cryptography
Greatest Common Divisor
2.1.4 Continued
Example 2.7
Find the greatest common divisor of 2740 and 1760.
Solution
We have gcd(2740, 1760) = 20.
Example 2.8
Find the greatest common divisor of 25 and 60.
Solution
We have gcd(25, 60) = 5.
Extended Euclidean Algorithm
Given two integers a and b, we often need to find two other
integers, s and t, such that
Figure 2.8.a Extended Euclidean algorithm, part a
Figure 2.8.b Extended Euclidean algorithm, part b
Example 2.9
Given a = 161 and b = 28, find gcd(a, b) and the values of s
and t.
Solution
We get gcd(161, 28) = 7, s = −1 and t = 6.
Example 2.10
Given a = 17 and b = 0, find gcd(a, b) and the values of s
and t.
Solution
We get gcd(17, 0) = 17, s = 1, and t = 0.
Example 2.11
Solution
We get gcd(0, 45) = 45, s = 0, and t = 1.
Example 2.14
Find the result of the following operations:
a. 27 mod 5      b. 36 mod 12
c. −18 mod 14    d. −7 mod 10
Solution
a. Dividing 27 by 5 results in r = 2.
b. Dividing 36 by 12 results in r = 0.
c. Dividing −18 by 14 results in r = −4. After adding the
modulus, r = 10.
d. Dividing −7 by 10 results in r = −7. After adding the
modulus to −7, r = 3.
2.2.3 Congruence
2.2.4 Continued
Properties
2.2.5 Continued
Multiplicative Inverse
In Z_n, two numbers a and b are the multiplicative inverse of
each other if
Example 2.22
Find the multiplicative inverse of 8 in Z_10.
Solution
There is no multiplicative inverse because gcd(10, 8) = 2 ≠ 1.
In other words, we cannot find any number between 0 and 9
such that when multiplied by 8, the result is congruent to 1.
Example 2.23
Find all multiplicative inverses in Z_10.
Solution
There are only three pairs: (1, 1), (3, 7) and (9, 9). The
numbers 0, 2, 4, 5, 6, and 8 do not have a multiplicative
inverse.
Example 2.24
Figure 2.15 Using the extended Euclidean algorithm to
find a multiplicative inverse
Example 2.25
Find the multiplicative inverse of 11 in Z_26.
Solution
Example 2.26
Find the multiplicative inverse of 23 in Z_100.
Solution
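Added example (not the slides' code): the extended Euclidean algorithm of Figure 2.8 in Python, with the (r, s, t) triples updated exactly as in the table, and the multiplicative-inverse procedure of Figure 2.15 built on it. Running it reproduces Examples 2.9 to 2.11 and 2.22 to 2.26 (11 in Z26 gives 19, 23 in Z100 gives 87).

```python
def extended_euclid(a: int, b: int):
    """Figure 2.8: keep (r1, r2), (s1, s2), (t1, t2); each step uses q = r1 // r2
    and r = r1 - q*r2, s = s1 - q*s2, t = t1 - q*t2 until r2 becomes 0.
    Returns (gcd, s, t) with s*a + t*b == gcd."""
    r1, r2 = a, b
    s1, s2 = 1, 0
    t1, t2 = 0, 1
    while r2 > 0:
        q = r1 // r2
        r1, r2 = r2, r1 - q * r2
        s1, s2 = s2, s1 - q * s2
        t1, t2 = t2, t1 - q * t2
    return r1, s1, t1


def check_bezout(a: int, b: int) -> bool:
    """The identity the algorithm promises: s*a + t*b == gcd(a, b)."""
    g, s, t = extended_euclid(a, b)
    return s * a + t * b == g


def mod_inverse(a: int, n: int):
    """Figure 2.15: run the algorithm on (n, a). If the gcd is 1 the inverse is
    t reduced mod n; otherwise (Example 2.22) no inverse exists and None is returned."""
    g, _s, t = extended_euclid(n, a)
    if g != 1:
        return None
    return t % n


def all_inverse_pairs(n: int) -> list:
    """Example 2.23: every (a, a^-1) pair in Z_n, each unordered pair listed once."""
    pairs = []
    for a in range(n):
        inv = mod_inverse(a, n)
        if inv is not None and a <= inv:
            pairs.append((a, inv))
    return pairs


if __name__ == "__main__":
    print(extended_euclid(161, 28))
    print(mod_inverse(11, 26), mod_inverse(23, 100), mod_inverse(8, 10))
    print(all_inverse_pairs(10))
```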
9.1.4 Euler’s Phi-Function
9.1.4 Continued
Note
The difficulty of finding φ(n) depends on the
difficulty of finding the factorization of n.
Example 9.7
What is the value of φ(13)?
Solution
Because 13 is a prime, φ(13) = (13 − 1) = 12.
Example 9.8
What is the value of φ(10)?
Solution
We can use the third rule: φ(10) = φ(2) × φ(5) = 1 × 4 = 4, because 2
and 5 are primes.
Example 9.9
What is the value of φ(240)?
Solution
We can write 240 = 2^4 × 3^1 × 5^1. Then
Example 9.10
Can we say that φ(49) = φ(7) × φ(7) = 6 × 6 = 36?
Solution
No. The third rule applies when m and n are relatively prime. Here
49 = 7^2. We need to use the fourth rule: φ(49) = 7^2 − 7^1 = 42.
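Added example (not from the slides): Euler's phi-function in Python computed from a factorization with the rules used in Examples 9.7 to 9.10, checked against the definition by direct counting. The factorization is trial division, which is fine for these small values and is exactly the step the Note above says becomes hard for large n.

```python
from math import gcd


def factorize(n: int) -> dict:
    """Trial-division factorization, {prime: exponent}. Adequate for the small
    n in the examples; for cryptographic sizes this is the hard problem."""
    factors, p = {}, 2
    while p * p <= n:
        while n % p == 0:
            factors[p] = factors.get(p, 0) + 1
            n //= p
        p += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def phi(n: int) -> int:
    """phi(1) = 1; phi(p^e) = p^e - p^(e-1) (fourth rule, which gives p - 1 for
    e = 1, the second rule); multiply over distinct primes (third rule, since
    distinct prime powers are relatively prime)."""
    if n == 1:
        return 1
    result = 1
    for p, e in factorize(n).items():
        result *= p ** e - p ** (e - 1)
    return result


def phi_by_counting(n: int) -> int:
    """Definition: the number of integers in 1..n relatively prime to n."""
    return sum(1 for a in range(1, n + 1) if gcd(a, n) == 1)


if __name__ == "__main__":
    for n in (13, 10, 240, 49):
        print(n, factorize(n), phi(n), phi_by_counting(n))
```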
Public Key Cryptography / Asymmetric Key Cryptography
Public key encryption structure
1. Encryption / Decryption: the sender encrypts a message with the
recipient’s public key
2. Digital signature: the sender signs a message with the private key
3. Key exchange: two sides cooperate to exchange a session key
Applications of public key cryptosystems
Requirements of PKC
10.1.4 Trapdoor One-Way Function
Functions
10.1.4 Continued
One-Way Function (OWF)
1. f is easy to compute.
2. f^−1 is difficult to compute.
Example 10.1
When n is large, n = p × q is a one-way function. Given p and
q, it is always easy to calculate n; given n, it is very difficult to
compute p and q. This is the factorization problem.
Example 10.2
When n is large, the function y = x^k mod n is a trapdoor one-way
function. Given x, k, and n, it is easy to calculate y. Given
y, k, and n, it is very difficult to calculate x. This is the discrete
logarithm problem.
Requirements for public key cryptography
1. Pair of keys (public key KU_b, private key KR_b)
2. Easy to encrypt the message: C = E_KUb(M)
3. Easy to decrypt the ciphertext: M = D_KRb(C) = D_KRb[E_KUb(M)]
4. Knowing KU_b, it is infeasible to determine KR_b
5. Knowing C and KU_b, it is infeasible to determine M
6. Either of the two keys can be used for encryption:
M = D_KRb[E_KUb(M)] = D_KUb[E_KRb(M)]
Public Key Cryptanalysis
Brute-force attack: because of the complexity of the invertible mathematical
functions, the key size is large enough to make brute force impractical, but
small enough for ease of encryption/decryption.
Computing the private key from the public key: it is not mathematically proven
that this is infeasible for PKC.
RSA ALGORITHM
Discrete Logarithms
4-1 ALGEBRAIC STRUCTURES
9.6.2 Continued
Diffie-Hellman Key Exchange
Example
q = 11, α = 3
XA = 5
YA = 3^5 mod 11 = 1
XB = 3
YB = 3^3 mod 11 = 27 mod 11 = 5
K1 = YB^XA mod q = 5^5 mod 11 = 1
K2 = YA^XB mod q = 1^3 mod 11 = 1
A and B can share the key 1 without transmitting it.
Example: q = 23, α = 5, XA = 6, XB = 15. K = ?
Man-in-the-Middle Attack
Also called the middle-man attack or bucket-brigade attack.
All parties use q = 11, α = 7.
Alice: XA = 3, YA = 7^3 mod 11 = 2
Bob: XB = 9, YB = 7^9 mod 11 = 8
Carol (in the middle): MXA = 8, MXB = 6
Carol intercepts YA = 2 and YB = 8.
Carol sends Bob the fake value YA' = 7^8 mod 11 = 9.
Carol sends Alice the fake value YB' = 7^6 mod 11 = 4.
Alice receives YB' = 4 and computes K1 = 4^3 mod 11 = 9.
Carol computes her key with Alice: K2 = YA^MXB = 2^6 mod 11 = 9.
Bob receives YA' = 9 and computes K2 = 9^9 mod 11 = 5.
Carol computes her key with Bob: K1 = YB^MXA = 8^8 mod 11 = 5.
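Added example, not the slides' code: the Diffie-Hellman exchange and the man-in-the-middle scenario above in Python. It reproduces both worked examples (q = 11 with α = 3 and α = 7) and answers the q = 23 question, and makes the defender's point explicit: Alice and Bob end up with different keys and have no way to notice, which is why the SSL/TLS material later pairs ephemeral DH with signatures and certificates.

```python
def dh_public(alpha: int, x: int, q: int) -> int:
    """Y = alpha^X mod q: the value a party sends over the wire."""
    return pow(alpha, x, q)


def dh_shared(their_public: int, my_private: int, q: int) -> int:
    """K = Y_other^X_mine mod q; both sides reach alpha^(XA*XB) mod q."""
    return pow(their_public, my_private, q)


def honest_exchange(q: int, alpha: int, xa: int, xb: int):
    """Returns (YA, YB, K) after checking that both sides computed the same K."""
    ya, yb = dh_public(alpha, xa, q), dh_public(alpha, xb, q)
    k1, k2 = dh_shared(yb, xa, q), dh_shared(ya, xb, q)
    assert k1 == k2
    return ya, yb, k1


def man_in_the_middle(q: int, alpha: int, xa: int, xb: int, mxa: int, mxb: int) -> dict:
    """Carol holds two private values: MXA produces the fake YA' she forwards to
    Bob, MXB the fake YB' she forwards to Alice. She ends up with one key per
    victim while Alice and Bob each believe they share a single key."""
    ya, yb = dh_public(alpha, xa, q), dh_public(alpha, xb, q)   # intercepted
    fake_ya = dh_public(alpha, mxa, q)   # what Bob receives instead of YA
    fake_yb = dh_public(alpha, mxb, q)   # what Alice receives instead of YB
    return {
        "alice": dh_shared(fake_yb, xa, q),          # Alice's K1 on the page
        "carol_with_alice": dh_shared(ya, mxb, q),   # Carol's K2 on the page
        "bob": dh_shared(fake_ya, xb, q),            # Bob's K2 on the page
        "carol_with_bob": dh_shared(yb, mxa, q),     # Carol's K1 on the page
    }


def keys_agree(keys: dict) -> bool:
    """What the victims cannot observe on their own: the exchange is sound only
    if both ends hold the same key. Unauthenticated DH gives no way to check."""
    return keys["alice"] == keys["bob"]


if __name__ == "__main__":
    print(honest_exchange(11, 3, 5, 3))
    print(honest_exchange(23, 5, 6, 15))
    print(man_in_the_middle(11, 7, 3, 9, 8, 6))
```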
10-4 ELGAMAL CRYPTOSYSTEM
10.4.2 Procedure
10.4.2 Continued
Key Generation
10.4.3 Continued
Example 10.10
9-4 CHINESE REMAINDER THEOREM
9-4 Continued
Example 9.35
The following is an example of a set of equations with different
moduli:
The solution to this set of equations is given in the next section; for
the moment, note that the answer to this set of equations is x = 23.
This value satisfies all equations: 23 ≡ 2 (mod 3), 23 ≡ 3 (mod 5),
and 23 ≡ 2 (mod 7).
Example 9.36
Find the solution to the simultaneous equations:
Solution
We follow the four steps.
1. M = 3 × 5 × 7 = 105
Quadratic Residues and Nonresidues
In the equation x^2 ≡ a (mod p), a is called a quadratic
residue (QR) if the equation has two solutions; a is called a
quadratic nonresidue (QNR) if the equation has no
solutions.
9.5.1 Continued
Example 9.41
Euler’s Criterion
a. If a^((p−1)/2) ≡ 1 (mod p), a is a quadratic residue
modulo p.
b. If a^((p−1)/2) ≡ −1 (mod p), a is a quadratic nonresidue
modulo p.
Example 9.42
Special Case: p = 4k + 3
10-3 RABIN CRYPTOSYSTEM
10-3 Continued
10.3.1 Procedure
Key Generation
Encryption
Decryption
Note
The Rabin cryptosystem is not deterministic:
decryption creates four plaintexts.
Example 10.9
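One added Python example (not from the slides) that ties together the three preceding sections: the four-step Chinese remainder solution of Example 9.36, Euler's criterion and the p = 4k + 3 square-root shortcut, and Rabin decryption, which combines the two roots mod p with the two roots mod q through the CRT and so yields the four plaintexts the Note above mentions. The Rabin primes 23 and 7 and the plaintext 24 are constructed test values.

```python
from functools import reduce


def euler_criterion_is_qr(a: int, p: int) -> bool:
    """a^((p-1)/2) mod p is 1 for a quadratic residue and p-1 (i.e. -1) for a
    nonresidue; p must be an odd prime and a must not be divisible by p."""
    return pow(a, (p - 1) // 2, p) == 1


def sqrt_mod_special_prime(a: int, p: int) -> tuple:
    """Special case p = 4k + 3: for a QR a, the two roots are +/- a^((p+1)/4)."""
    assert p % 4 == 3
    r = pow(a, (p + 1) // 4, p)
    return r, (-r) % p


def crt(residues: list, moduli: list) -> int:
    """Four steps: M = product of moduli; M_i = M / m_i; inverse of M_i in
    Z_{m_i}; x = sum(a_i * M_i * M_i^-1) mod M. pow(x, -1, m) needs Python 3.8+."""
    M = reduce(lambda x, y: x * y, moduli, 1)
    x = 0
    for a_i, m_i in zip(residues, moduli):
        M_i = M // m_i
        inv = pow(M_i, -1, m_i)
        x += a_i * M_i * inv
    return x % M


def rabin_encrypt(m: int, n: int) -> int:
    """C = P^2 mod n, with n = p*q public."""
    return pow(m, 2, n)


def rabin_decrypt(c: int, p: int, q: int) -> list:
    """Both primes of the form 4k + 3. Each of the two roots mod p pairs with
    each of the two roots mod q, and the CRT lifts every pair to a root mod p*q."""
    assert p % 4 == 3 and q % 4 == 3
    roots_p = sqrt_mod_special_prime(c % p, p)
    roots_q = sqrt_mod_special_prime(c % q, q)
    return sorted({crt([a, b], [p, q]) for a in roots_p for b in roots_q})


if __name__ == "__main__":
    print(crt([2, 3, 2], [3, 5, 7]))
    c = rabin_encrypt(24, 23 * 7)
    print(c, rabin_decrypt(c, 23, 7))
```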
Message Integrity and Message Authentication
11-1 MESSAGE INTEGRITY
11.1.1 Document and Fingerprint
11.1.2 Message and Message Digest
11.1.3 Difference
Note
The message digest needs to be safe from change.
11.1.4 Checking Integrity
11.1.5 Cryptographic Hash Function Criteria
11.1.5 Continued
Preimage Resistance
Second Preimage Resistance
Collision Resistance
11-2 RANDOM ORACLE MODEL
The Random Oracle Model, which was introduced in
1993 by Bellare and Rogaway, is an ideal
mathematical model for a hash function. A function
based on this model behaves as follows:
1. When a message of any length is given, the oracle creates and
gives a fixed-length message digest that is a random string of 0’s
and 1’s, recording the message and the message digest.
11-3 MESSAGE AUTHENTICATION
11.3.1 Modification Detection Code (MDC)
11.3.1 Continued
11.3.2 Message Authentication Code (MAC)
11.3.2 Continued
Note
The security of a MAC depends on the security of
the underlying hash algorithm.
Nested MAC
Figure 11.11 Nested MAC
HMAC
Figure 11.12 Details of HMAC
12: Cryptographic Hash Functions
12-1 INTRODUCTION
12.1.1 Iterated Hash Function
Merkle-Damgård Scheme
12.1.2 Two Groups of Compression Functions
12.1.2 Continued
HASH FUNCTIONS BASED ON BLOCK CIPHERS
Rabin Scheme
• Based on the Merkle-Damgård scheme
• Only encryption is used
• Size of the digest is the size of a data block
• Demerit: MIM (meet-in-the-middle; an adversary can use the decryption
algorithm)
Davies-Meyer Scheme
Matyas-Meyer-Oseas Scheme
Miyaguchi-Preneel Scheme (used in Whirlpool)
12-3 WHIRLPOOL message preparation
12-3 Continued
12.3.1 Whirlpool Cipher
Figure 12.13 General idea of the Whirlpool cipher
Figure 12.14 Block and state in the Whirlpool cipher
12.3.1 Continued
ShiftColumns
Figure 12.18 ShiftColumns transformation in the Whirlpool cipher
Figure 12.21 Key expansion in the Whirlpool cipher
12.3.2 Summary
12-2 SHA-512
12.2.1 Introduction
12.2.1 Continued
Message Preparation
SHA-512 insists that the length of the original message be
less than 2^128 bits.
Note
SHA-512 creates a 512-bit message digest out of a
message of fewer than 2^128 bits.
Example 12.3
What is the number of padding bits if the length of the original
message is 2590 bits?
Solution
We can calculate the number of padding bits as follows:
Example 12.4
Do we need padding if the length of the original message is already
a multiple of 1024 bits?
Solution
Yes we do, because we need to add the length field. So padding is
needed to make the new block a multiple of 1024 bits.
Example 12.5
What is the minimum and maximum number of padding bits that
can be added to a message?
Solution
Words
Word Expansion
The 1024 bits of each block become the first 16 words; the remaining
words are made from words already computed.
Example 12.6
Solution
Each word in the range W16 to W79 is made from four
previously-made words. W60 is made as
12.2.2 Compression Function
Figure 12.10 Compression function in SHA-512
Figure 12.11 Structure of each round in SHA-512
12.2.2 Continued
Majority Function
Conditional Function
Rotate Functions
Example 12.7
We apply the Majority function on buffers A, B, and C. If the
leftmost hexadecimal digits of these buffers are 0x7, 0xA, and 0xE,
respectively, what is the leftmost digit of the result?
Solution
The digits in binary are 0111, 1010, and 1110.
a. The first bits are 0, 1, and 1. The majority is 1.
b. The second bits are 1, 0, and 1. The majority is 1.
c. The third bits are 1, 1, and 1. The majority is 1.
d. The fourth bits are 1, 0, and 0. The majority is 0.
Example 12.8
We apply the Conditional function on E, F, and G buffers. If the
leftmost hexadecimal digits of these buffers are 0x9, 0xA, and 0xF
respectively, what is the leftmost digit of the result?
Solution
The digits in binary are 1001, 1010, and 1111.
a. The first bits are 1, 1, and 1. The result is F1, which is 1.
b. The second bits are 0, 0, and 1. The result is G2, which is 1.
c. The third bits are 0, 1, and 1. The result is G3, which is 1.
d. The fourth bits are 1, 0, and 1. The result is F4, which is 0.
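Added example (not the slides' code) covering the SHA-512 pieces discussed above in Python: the padding computation of Examples 12.3 to 12.5 (including building the padded message with its 128-bit length field), the word expansion of Example 12.6 that makes W16 to W79 from four earlier words, and the Majority and Conditional functions of Examples 12.7 and 12.8 applied bitwise.

```python
MASK64 = (1 << 64) - 1


def sha512_padding_bits(message_bits: int) -> int:
    """Bits of padding (a single 1 then 0s) so that |M| + padding + 128 is a
    multiple of 1024. Never zero: at least 1 bit, at most 1024 bits."""
    if message_bits >= 2 ** 128:
        raise ValueError("SHA-512 requires |M| < 2^128 bits")
    return (-(message_bits + 128)) % 1024 or 1024


def min_max_padding_bits() -> tuple:
    """Example 12.5 by exhausting every residue of |M| mod 1024."""
    values = [sha512_padding_bits(n) for n in range(1024)]
    return min(values), max(values)


def pad_message(msg: bytes) -> bytes:
    """Byte-aligned messages: 0x80 carries the leading 1 bit, then zero bytes,
    then the original length as a 128-bit big-endian integer."""
    bits = len(msg) * 8
    pad = sha512_padding_bits(bits)
    return msg + b"\x80" + b"\x00" * (pad // 8 - 1) + bits.to_bytes(16, "big")


def rotr(x: int, n: int) -> int:
    """64-bit right rotation (the Rotate functions of the round)."""
    return ((x >> n) | (x << (64 - n))) & MASK64


def maj(a: int, b: int, c: int) -> int:
    """Majority: each output bit is the majority of the three input bits."""
    return (a & b) ^ (a & c) ^ (b & c)


def ch(e: int, f: int, g: int) -> int:
    """Conditional: take the bit of f where e is 1 and the bit of g where e is 0."""
    return (e & f) ^ (~e & g)


def expand_words(block: bytes) -> list:
    """Word expansion: the 1024-bit block is W0..W15; each of W16..W79 comes
    from four earlier words (W60 from W58, W53, W45 and W44, as in Example 12.6)."""
    assert len(block) == 128
    w = [int.from_bytes(block[i:i + 8], "big") for i in range(0, 128, 8)]
    for t in range(16, 80):
        s0 = rotr(w[t - 15], 1) ^ rotr(w[t - 15], 8) ^ (w[t - 15] >> 7)
        s1 = rotr(w[t - 2], 19) ^ rotr(w[t - 2], 61) ^ (w[t - 2] >> 6)
        w.append((s1 + w[t - 7] + s0 + w[t - 16]) & MASK64)
    return w


if __name__ == "__main__":
    print(sha512_padding_bits(2590), sha512_padding_bits(1024), min_max_padding_bits())
    print(hex(maj(0x7, 0xA, 0xE)), hex(ch(0x9, 0xA, 0xF)))
    print(len(expand_words(pad_message(b"abc"))))
```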
Chapter 13
Digital Signature
13.1.1 Inclusion
13.1.2 Verification Method
13.1.3 Relationship
13.1.4 Duplicity
PROCESS
13.2.1 Need for Keys
Note
A digital signature needs a public-key system.
The signer signs with her private key; the verifier
verifies with the signer’s public key.
13.2.1 Continued
Note
A cryptosystem uses the private and public keys of
the receiver; a digital signature uses
the private and public keys of the sender.
13.2.2 Signing the Digest
Can a secret key sign and verify a signature?
13-3 SERVICES
13.3.1 Message Authentication
Note
A digital signature provides message authentication.
13.3.2 Message Integrity
13.3.3 Nonrepudiation
Key-Only Attack
Known-Message Attack
The attacker has one or more message-signature pairs for a variety of
messages known by the attacker but not chosen by the attacker. Similar
to a known-plaintext attack.
Chosen-Message Attack
The attacker first learns signatures on arbitrary messages of the attacker's
choice.
Forgery: Result of a successful attack
Existential Forgery
13-5 DIGITAL SIGNATURE SCHEMES
13.5.1 Continued
Key Generation
Key generation in the RSA digital signature scheme is
exactly the same as key generation in the RSA
Note
In the RSA digital signature scheme, d is private;
e and n are public.
Attacks on RSA signature: Safe against identified attacks
13.5.1 Continued
Note
When the digest is signed instead of the message
itself, the susceptibility of the RSA digital signature
scheme depends on the strength of the hash
algorithm.
13.5.2 ElGamal Digital Signature Scheme
Figure 13.9 General idea behind the ElGamal digital signature scheme
13.5.2 Continued
Key Generation
The key generation procedure here is exactly the same as
the one used in the cryptosystem.
13.5.3 Schnorr Digital Signature Scheme
Figure 13.11 General idea behind the Schnorr digital signature scheme
13.5.4 Digital Signature Standard (DSS)
13.5.5 Elliptic Curve Digital Signature Scheme
13-6 VARIATIONS AND APPLICATIONS
13.6.1 Variations
Blind Signatures
Sometimes we have a document that we want to get
signed without revealing the contents of the document to
the signer.
KEY MANAGEMENT
31-7 KEY MANAGEMENT
Figure 31.19 KDC
Figure 31.21 Kerberos servers
Figure 31.22 Kerberos example
X.509 Certificates
Certificate Revocation
X.509 v2 drawbacks:
1. The Subject field is inadequate to convey the identity of a key
owner to a public key user; applications typically recognize entities by
e-mail address, a URL, etc.
2. There is a need to indicate security policy information. This
enables a security application or function such as IPSec to relate
an X.509 certificate to a given policy.
3. There is a need to limit the damage that can result from a
faulty or malicious CA by setting constraints on the applicability
of a particular certificate.
4. It is important to be able to identify different keys to be used
by the same owner at different times. This feature supports key
life cycle management, in particular the ability to update key pairs
for users and CAs on a regular basis or under exceptional conditions.
Extensions
Three categories:
1. Key and Policy Information
2. Certificate Subject and Issuer Attributes
3. Certification Path Constraints
1. Key and Policy Information
1. basic constraints
2. name constraints
3. policy constraints
PKI
Security at the Transport Layer: SSL and TLS
17 Continued
17-1 SSL ARCHITECTURE
17.1.2 Key Exchange Algorithms
17.1.2 Continued
Null
RSA
Anonymous Diffie-Hellman
Ephemeral Diffie-Hellman Key Exchange
Solution to the MIM problem: signatures are used, and certificates are
exchanged using RSA/DSS.
Fixed Diffie-Hellman
Another solution is the fixed Diffie-Hellman method.
All entities in a group can prepare fixed Diffie-Hellman
parameters (g and p).
Fortezza
Fortezza is a registered trademark of the U.S. National
Security Agency (NSA). It is a family of security
protocols developed for the Defense Department.
17.1.3 Encryption/Decryption Algorithms
NULL
The NULL category simply defines the lack of an
encryption/decryption algorithm.
Stream RC
Two RC algorithms are defined in stream mode.
Block RC
One RC algorithm is defined in block mode.
DES
All DES algorithms are defined in block mode.
IDEA
The IDEA algorithm defined in block mode is
IDEA_CBC, with a 128-bit key.
Fortezza
17.1.4 Hash Algorithm
NULL
The two parties may decline to use an algorithm. In
this case, there is no hash function and the message is
not authenticated.
MD5
The two parties may choose MD5 as the hash
algorithm. In this case, a 128-bit MD5 hash
algorithm is used.
SHA-1
The two parties may choose SHA as the hash
algorithm. In this case, a 160-bit SHA-1 hash
algorithm is used.
17.1.5 Cipher Suite
Table 17.1 SSL cipher suite list
17.1.6 Compression Algorithms
17.2.1 Handshake Protocol
17.2.1 Continued
Figure 17.19 Phase IV of Handshake Protocol
17-4 Transport Layer Security (TLS)
17.4.2 Continued
17.4.3 Generation of Cryptographic Secrets
Figure 17.40 Data-expansion function
Figure 17.41 PRF
Figure 17.42 Master secret generation
Figure 17.43 Key material generation
17.4.4 Alert Protocol
Table 17.7 Alerts defined for TLS
17.4.5 Handshake Protocol
Figure 17.45 Hash for Finished message in TLS
17.4.6 Record Protocol
Figure 17.46 HMAC for TLS
FIREWALLS
What is a Firewall?
• a choke point of control and monitoring
• interconnects networks with differing trust
• imposes restrictions on network services
• only authorized traffic is allowed
• auditing and controlling access
• can implement alarms for abnormal behavior
• provides NAT & usage monitoring
• implements VPNs using IPSec
• must be immune to penetration
FIREWALL CHARACTERISTICS
CHARACTERISTICS
CAPABILITIES
Firewall Limitations
• cannot protect from attacks bypassing it
• cannot protect against internal threats
• e.g. disgruntled or colluding employees
• cannot protect against access via WLAN
• if improperly secured against external use
• cannot protect against malware imported via laptop, PDA or storage
infected outside
Firewalls – Packet Filters
• IP address spoofing
– fake source address to be trusted
– add filters on router to block
• source routing attacks
– attacker sets a route other than default
– block source routed packets
• tiny fragment attacks
– split header info over several tiny packets
– either discard or reassemble before check
Firewalls – Stateful Packet Filters
• traditional packet filters do not examine higher layer context
– i.e. matching return packets with outgoing flow
• stateful packet filters address this need
• they examine each IP packet in context
– keep track of client-server sessions
– check each packet validly belongs to one
• hence are better able to detect bogus packets out of context
• may even inspect limited application data
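To make the contrast concrete, here is an added example (not from the original slides) of a toy stateless filter beside a stateful one, run over constructed packets; the 10.0.0.x internal range and all addresses are assumptions.

```python
from dataclasses import dataclass

INTERNAL_NET = "10.0.0."   # constructed address space: internal hosts are 10.0.0.x

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN flag (connection setup)
    ack: bool = False   # TCP ACK flag

def stateless_allow(pkt):
    """Traditional packet filter: no memory of flows, so the only way to admit
    replies is a static rule ('inbound packets with ACK set to a high port'),
    which any outsider can satisfy simply by setting the ACK bit."""
    if pkt.src.startswith(INTERNAL_NET):
        return True                          # any outbound packet
    return pkt.ack and pkt.dport > 1023      # looks like a reply, never verified

class StatefulFilter:
    """Stateful packet filter: records client-server sessions opened from inside
    and admits an inbound packet only if it belongs to one of them."""
    def __init__(self):
        self.sessions = set()   # (client, client_port, server, server_port)

    def allow(self, pkt):
        if pkt.src.startswith(INTERNAL_NET):
            if pkt.syn and not pkt.ack:      # new outbound connection: remember it
                self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # Inbound: the reversed 4-tuple must match a tracked session.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions

def demo():
    # Constructed traffic: an internal client opens a web session, the server
    # replies, then an outsider sends a bogus "reply" to a port nobody opened.
    client_syn = Packet("10.0.0.5", 40000, "203.0.113.10", 80, syn=True)
    server_reply = Packet("203.0.113.10", 80, "10.0.0.5", 40000, syn=True, ack=True)
    bogus = Packet("198.51.100.7", 80, "10.0.0.5", 45000, ack=True)
    sf = StatefulFilter()
    sf.allow(client_syn)
    return {
        "stateless_reply": stateless_allow(server_reply),   # True
        "stateless_bogus": stateless_allow(bogus),          # True: out-of-context packet gets through
        "stateful_reply": sf.allow(server_reply),           # True
        "stateful_bogus": sf.allow(bogus),                  # False: no matching session
    }
```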
Firewalls - Application Level Gateway (or Proxy)
• have application specific gateway / proxy
• has full access to protocol
– user requests service from proxy
– proxy validates request as legal
– then actions request and returns result to user
– can log / audit traffic at application level
• need separate proxies for each service
– some services naturally support proxying
– others are more problematic
Firewalls - Circuit Level Gateway
• relays two TCP connections
• imposes security by limiting which such connections are allowed
• once created usually relays traffic without examining contents
• typically used when internal users are trusted, allowing general outbound connections
• SOCKS is commonly used
Bastion Host
• host-resident firewall
• screening router
• single bastion inline
• single bastion T
• double bastion inline
• double bastion T
• distributed firewall configuration
Summary
• have considered:
– firewalls
– types of firewalls: packet-filter, stateful inspection, application proxy, circuit-level
– basing: bastion, host, personal
– location and configurations: DMZ, VPN, distributed, topologies
Intrusion detection and prevention systems
Intruders
Approaches to Intrusion Detection
Audit Records
Audit Record Analysis
Entity Authentication
Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
14-1 INTRODUCTION
14.1.1 Data-Origin Versus Entity Authentication
Something possessed: passport, cards
Something inherent
14-2 PASSWORDS
14.2.1 Fixed Password
First Approach
Figure 14.1 User ID and password file
Attacks: Eavesdropping, Stealing, Accessing password file
14.2.1 Continued
Second Approach
Figure 14.2 Hashing the password
Third Approach
Fourth Approach
In the fourth approach, two identification techniques are combined. A good example of this type of authentication is the use of an ATM card with a PIN (personal identification number).
14.2.2 One-Time Password
First Approach
In the first approach, the user and the system agree upon a list of passwords.
Cons: the list of passwords is long, and searching the list is difficult.
A password, once used, cannot be reused.
Second Approach
In the second approach, the user and the system agree to sequentially update the password.
Password P_i is used to encrypt the next password P_(i+1).
Third Approach
In the third approach, the user and the system create a sequentially updated password using a hash function.
The user and the system agree on an original password, p0, and a counter n.
The system stores the identity of the user, the value of n and the value of h^n(p0), the hash function applied n times to p0.
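The third approach carried through as an added example (not the book's code): the system keeps only n and h^n(p0), the user presents h^(n-1)(p0), and the system checks it by hashing once; SHA-256 as the hash function and the sample user, password and n are assumptions.

```python
import hashlib
import secrets

def h(data):
    """One application of the agreed hash function (SHA-256 here, an assumption)."""
    return hashlib.sha256(data).digest()

def h_n(p0, n):
    """h^n(p0): the hash function applied n times to the original password."""
    for _ in range(n):
        p0 = h(p0)
    return p0

class System:
    """Verifier: stores identity, counter n and h^n(p0); p0 itself is never stored."""
    def __init__(self):
        self.table = {}   # user -> (n, h^n(p0))

    def register(self, user, p0, n):
        self.table[user] = (n, h_n(p0, n))

    def authenticate(self, user, candidate):
        n, stored = self.table[user]
        if n < 1:
            return False   # chain exhausted: a fresh p0 and n must be agreed
        # The candidate should be h^(n-1)(p0): hashing it once must give the stored value.
        if not secrets.compare_digest(h(candidate), stored):
            return False
        self.table[user] = (n - 1, candidate)   # step down the chain; candidate cannot be replayed
        return True

class User:
    """Claimant: keeps p0 and the counter, sends h^(n-1)(p0) at each login."""
    def __init__(self, p0, n):
        self.p0, self.n = p0, n

    def next_password(self):
        self.n -= 1
        return h_n(self.p0, self.n)

def demo():
    # Constructed sample: user "alice", original password p0 and n = 5.
    system, user = System(), User(b"constructed-p0", 5)
    system.register("alice", b"constructed-p0", 5)
    first = user.next_password()                          # h^4(p0)
    return [system.authenticate("alice", first),          # True
            system.authenticate("alice", first),          # False: replayed password
            system.authenticate("alice", user.next_password())]   # True: h^3(p0)
```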
14.2.2 Continued
14-3 CHALLENGE-RESPONSE
Note
In challenge-response authentication, the claimant proves that she knows a secret without sending it to the verifier.
Note
The challenge is a time-varying value sent by the verifier; the response is the result of a function applied on the challenge.
14.3.1 Using a Symmetric-Key Cipher
First Approach
14.3.1 Continued
Third Approach
14.3.2 Using Keyed-Hash Functions
14.3.3 Using an Asymmetric-Key Cipher
First Approach
14.3.3 Continued
Second Approach
Figure 14.10 Bidirectional, asymmetric-key
14.3.4 Using Digital Signature
First Approach
Figure 14.11 Digital signature, unidirectional
14.3.4 Continued
Second Approach
14-4 ZERO-KNOWLEDGE
14.4.1 Fiat-Shamir Protocol
14.4.2 Feige-Fiat-Shamir Protocol
Figure 14.15 Feige-Fiat-Shamir protocol
14.4.3 Guillou-Quisquater Protocol
Figure 14.16 Guillou-Quisquater protocol
14-5 BIOMETRICS
14.5.2 Enrollment
14.5.3 Authentication
Verification
Identification
14.5.4 Techniques
14.5.4 Continued
Physiological Techniques
Fingerprint, Hands, Iris, Voice, Retina, DNA, Face
Behavioral Techniques
Signature, Keystroke
14.5.5 Accuracy
14.5.6 Applications