Chapter 6: Data Encryption Standard (DES)
Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 6.1
CONFUSION VS DIFFUSION
Confusion: to make the relation between the plaintext and the ciphertext as complex as possible.
• Change key values each round
• Performed through substitution
• Complicates the plaintext/key relationship
• Caesar ciphers have poor confusion
• Polyalphabetic substitutions have good confusion
Diffusion: change the location of plaintext bits in the ciphertext. Done through transposition.
6-1 INTRODUCTION
6.7
6.1.2 Overview
6.9
6-2 DES STRUCTURE
6.2.1 Initial and Final Permutations
6.15
6.2.1 Continue
Table 6.1 Initial and final permutation tables
6.16
6.2.1 Continued
Example 6.1
Find the output of the final permutation box when the final
permutation input is given in hexadecimal as:
Solution
Only bit 25 and bit 63 are 1s; the other bits are 0s. In the final
permutation, bit 25 becomes bit 64 and bit 63 becomes bit 15.
The result is
6.17
6.2.1 Continued
Example 6.2
Prove that the initial and final permutations are the inverse
of each other by finding the output of the initial permutation
if the input is
Solution
The input has only two 1s; the output must also have only two
1s. Using Table 6.1, we can find the output related to these
two bits. Bit 15 in the input becomes bit 63 in the output. Bit
64 in the input becomes bit 25 in the output. So the output has
only two 1s, bit 25 and bit 63. The result in hexadecimal is
6.18
6.2.1 Continued
Note
6.19
6.2.2 Continued
DES Function
The heart of DES is the DES function. The DES function
applies a 48-bit key to the rightmost 32 bits to produce a
32-bit output.
Figure 6.5
DES function
6.21
6.2.2 Continued
Expansion P-box
Since R(I−1) is a 32-bit input and K(I) is a 48-bit key, we first need to expand R(I−1) to 48 bits.
6.22
6.2.2 Continue
Although the relationship between the input and output
can be defined mathematically, DES uses Table 6.2 to
define this P-box.
6.23
6.2.2 Continue
Whitener (XOR)
After the expansion permutation, DES uses the XOR operation on the expanded right section and the round key. Note that both the right section and the key are 48 bits in length. Also note that the round key is used only in this operation.
6.24
6.2.2 Continue
S-Boxes
The S-boxes do the real mixing (confusion). DES uses 8
S-boxes, each with a 6-bit input and a 4-bit output. See
Figure 6.7.
6.25
S-BOX USED IN DES – S1 AND S2
• Since Z = 4821976F9A73 (hex) = 010010 000010 000110 010111 011011 111001 101001 110011:
S1(010010) = 10 (decimal) = 1010 (binary): row 0 (outer bits 00) and column 1001 = 9.
S2(000010) = 1 (decimal) = 0001 (binary): row 0 (outer bits 00) and column 0001 = 1.
S1
Row 0 14 4 13 1 2 15 11 8 3 10 6 12 5 9 0 7
Row 1 0 15 7 4 14 2 13 1 10 6 12 11 9 5 3 8
Row 2 4 1 14 8 13 6 2 11 15 12 9 7 3 10 5 0
Row 3 15 12 8 2 4 9 1 7 5 11 3 14 10 0 6 13
S2
Row 0 15 1 8 14 6 11 3 4 9 7 2 13 12 0 5 10
Row 1 3 13 4 7 15 2 8 14 12 0 1 10 6 9 11 5
Row 2 0 14 7 11 10 4 13 1 5 8 12 6 9 3 2 15
Row 3 13 8 10 1 3 15 4 2 11 6 7 12 0 5 14 9
S-BOX USED IN DES – S3 AND S4
• Since Z = 4821976F9A73 (hex) = 010010 000010 000110 010111 011011 111001 101001 110011:
S3(000110) = 14 (decimal) = 1110 (binary): row 0 (outer bits 00) and column 0011 = 3.
S4(010111) = 12 (decimal) = 1100 (binary): row 1 (outer bits 01) and column 1011 = 11.
S3
Row 0 10 0 9 14 6 3 15 5 1 13 12 7 11 4 2 8
Row 1 13 7 0 9 3 4 6 10 2 8 5 14 12 11 15 1
Row 2 13 6 4 9 8 15 3 0 11 1 2 12 5 10 14 7
Row 3 1 10 13 0 6 9 8 7 4 15 14 3 11 5 2 12
S4
Row 0 7 13 14 3 0 6 9 10 1 2 8 5 11 12 4 15
Row 1 13 8 11 5 6 15 0 3 4 7 2 12 1 10 14 9
Row 2 10 6 9 0 12 11 7 13 15 1 3 14 5 2 8 4
Row 3 3 15 0 6 10 1 13 8 9 4 5 11 12 7 2 14
S-BOX USED IN DES – S5 AND S6
• Since Z = 4821976F9A73 (hex) = 010010 000010 000110 010111 011011 111001 101001 110011:
S5(011011) = 9 (decimal) = 1001 (binary): row 1 (outer bits 01) and column 1101 = 13.
S6(111001) = 6 (decimal) = 0110 (binary): row 3 (outer bits 11) and column 1100 = 12.
S5
Row 0 2 12 4 1 7 10 11 6 8 5 3 15 13 0 14 9
Row 1 14 11 2 12 4 7 13 1 5 0 15 10 3 9 8 6
Row 2 4 2 1 11 10 13 7 8 15 9 12 5 6 3 0 14
Row 3 11 8 12 7 1 14 2 13 6 15 0 9 10 4 5 3
S6
Row 0 12 1 10 15 9 2 6 8 0 13 3 4 14 7 5 11
Row 1 10 15 4 2 7 12 9 5 6 1 13 14 0 11 3 8
Row 2 9 14 15 5 2 8 12 3 7 0 4 10 1 13 11 6
Row 3 4 3 2 12 9 5 15 10 11 14 1 7 6 0 8 13
S-BOX USED IN DES – S7 AND S8
• Since Z = 4821976F9A73 (hex) = 010010 000010 000110 010111 011011 111001 101001 110011:
S7(101001) = 1 (decimal) = 0001 (binary): row 3 (outer bits 11) and column 0100 = 4.
S8(110011) = 12 (decimal) = 1100 (binary): row 3 (outer bits 11) and column 1001 = 9.
S7
Row 0 4 11 2 14 15 0 8 13 3 12 9 7 5 10 6 1
Row 1 13 0 11 7 4 9 1 10 14 3 5 12 2 15 8 6
Row 2 1 4 11 13 12 3 7 14 10 15 6 8 0 5 9 2
Row 3 6 11 13 8 1 4 10 7 9 5 0 15 14 2 3 12
S8
Row 0 13 2 8 4 6 15 11 1 10 9 3 14 5 0 12 7
Row 1 1 15 13 8 10 3 7 4 12 5 6 11 0 14 9 2
Row 2 7 11 4 1 9 12 14 2 0 6 10 13 15 3 5 8
Row 3 2 1 14 7 4 10 8 13 15 12 9 0 3 5 6 11
COMBINE ALL 8 S-BOXES
Now we have all outputs from the 8 S-boxes:
S(Z) = 1010 0001 1110 1100 1001 0110 0001 1100 = A1EC961C (hex)
Input the result into the P-box!
[Figure: Z (48 bits) → S1 S2 S3 S4 S5 S6 S7 S8 → A1EC961C (hex) → P → 32 bits]
6.2.2 Continued
Example 6.3
Solution
If we write the first and the sixth bits together, we get 11 in
binary, which is 3 in decimal. The remaining bits are 0001 in
binary, which is 1 in decimal. We look for the value in row 3,
column 1, in Table 6.3 (S-box 1). The result is 12 in decimal,
which in binary is 1100. So the input 100011 yields the output
1100.
6.31
6.2.2 Continued
Example 6.4
Solution
If we write the first and the sixth bits together, we get 00 in
binary, which is 0 in decimal. The remaining bits are 0000 in
binary, which is 0 in decimal. We look for the value in row 0,
column 0, in Table 6.10 (S-box 8). The result is 13 in decimal,
which is 1101 in binary. So the input 000000 yields the output
1101.
6.32
6.2.2 Continue
Straight Permutation
6.33
6.2.3 Continued
Figure 6.10
Key generation
6.41
6.2.3 Continued
Table 6.12 Parity-bit drop table: drops the parity bits (8, 16, 24, 32, … 64) and permutes the rest.
6.42
6.2.3 Continued
6-4 Multiple DES
Chapter 1
Objectives
❑ To define three security goals
❑ To define security attacks that threaten security goals
❑ To define security services and how they are related to the three security goals
❑ To define security mechanisms to provide security services
❑ To introduce two techniques, cryptography and steganography, to implement security mechanisms.
1-1 SECURITY GOALS
1.5
1.1 Continued
Figure 1.1 Taxonomy of security goals
1.6
1.1.1 Confidentiality
1.7
1.1.2 Integrity
1.8
1.1.3 Availability
1.9
1-2 ATTACKS
1.11
1.2.1 Attacks Threatening Confidentiality
1.12
1.2.2 Attacks Threatening Integrity
1.13
1.2.3 Attacks Threatening Availability
1.14
1.2.4 Passive Versus Active Attacks
1.15
1-3 SERVICES AND MECHANISMS
1.16
1.3.1 Security Services
Figure 1.3 Security services
1.17
1.3.2 Security Mechanism
Figure 1.4 Security mechanisms
1.18
1.3.3 Relation between Services and Mechanisms
1.19
1-4 TECHNIQUES
Symmetric-key Distribution
Symmetric-key cryptography is more efficient than asymmetric-key cryptography for enciphering large messages. Symmetric-key cryptography, however, needs a shared secret key between two parties.
If Alice wants to exchange messages with N people, she needs N different symmetric (secret) keys. If N people need to communicate with each other, a total of N(N−1)/2 keys would be needed, assuming a single key is used in both directions of communication between a pair of people. This is normally referred to as the N^2 problem.
The distribution of keys is another problem. We need an efficient and reliable (trusted) way to maintain and distribute secret keys.
15.2
Key-Distribution Center: KDC
The procedure to get a session key between Alice and Bob is as follows
15.4
Flat Multiple KDCs
When the number of people using a KDC increases, the system becomes unmanageable. To solve this problem, we divide the community into domains. Each domain has one KDC (or more if redundancy is desired for fault tolerance). If Alice is in one domain and Bob is in another domain, Alice contacts her KDC, which in turn contacts the KDC in Bob's domain. The two KDCs can create a secret key between Alice and Bob. This system is called flat multiple KDCs.
15.5
Hierarchical Multiple KDCs
The hierarchical multiple KDC system has one (or more) KDC at the top of the hierarchy. For example, if Alice and Bob are in two different countries, Alice sends the request to her local KDC, which relays the request to the national KDC, which forwards it to the international KDC. The request is then relayed all the way down to the local KDC where Bob lives.
15.6
Session Keys
The secret key established between the KDC and a member can be used only between that member and the KDC, not between two members.
The KDC can help two members (after authenticating their secret key with the KDC) establish a temporary key that can be used by the two members for a single session. After communication is terminated, the session key becomes invalid.
15.7
A Simple Protocol Using a KDC
15.9
Otway-Rees Protocol
15.12
Kerberos Operation
Diagram is on next slide
The client process (Alice) can access the real server process (Bob) in six steps:
1. Alice sends her request to the AS in plaintext.
2. The AS sends a message encrypted with Alice's key KA-AS. The message contains a session key KA-TGS that will be used by Alice to contact the TGS and a ticket for the TGS encrypted using the TGS's key KAS-TGS. When the message arrives, Alice types her password, which is used by the client process to create KA-AS and then decrypt the message to extract the session key and the ticket.
3. Alice sends three items to the TGS: the ticket from the AS, the name of the real server (Bob), and a timestamp encrypted with KA-TGS.
4. The TGS sends Alice two tickets, both containing the session key KA-B between Alice and Bob. Alice's ticket is encrypted with the session key KA-TGS and Bob's ticket is encrypted with Bob's password/key KTGS-B.
5. Alice sends Bob's ticket with the timestamp encrypted with KA-B.
6. Bob responds by subtracting 1 from the timestamp and encrypts the response with KA-B.
15.13
Kerberos Operation
15.14
Kerberos 4 Overview
Public-key Distribution
In asymmetric-key cryptography, people do not need to know a symmetric shared key; everyone shields a private key and advertises a public key.
Public Announcement
Bob makes his public key available on his web site. Alice can get Bob's public key by accessing Bob's site or sending email to him. This method is simple but is not secure and is subject to forgery.
15.16
Trusted Center
15.17
Controlled Trusted Center
A controlled trusted center achieves a higher level of security by adding control on the distribution of the public key. Requests for the public key must include a timestamp. The response of the center to the request includes the timestamp signed with the private key of the center. Alice decrypts the response using the center's public key to verify the timestamp before accepting Bob's public key.
15.18
Certification Authority
Security certificates are used to reduce the load on trusted centers.
A server (Bob) can request a certificate from a certification authority (CA), which could be a cross-certified* company or a state or federal organization. Bob's request contains his identification and his public key.
The CA checks the identification of Bob. If verified, the CA writes Bob's public key on the certificate and signs it with its own private key.
Bob can now upload the signed certificate and store it on his site, or Bob may send the certificate to users upon request.
Any user who wants Bob's public key can download the certificate and decrypt it using the CA's public key to extract Bob's public key.
* Cross-certification will be explained at the end of this chapter
15.19
Certification Authority
15.20
X.509
The Internet community has accepted the ITU-T* recommendation X.509 as a way to unify certificate formats. In X.509, the certificate has the following important fields:
Version number: this field is the version of X.509 (current version is 3).
Serial number: this field is the serial number assigned to each certificate and is unique for each certificate issuer.
Signature algorithm ID: this field identifies the signature algorithm used in the certificate. This field is repeated in the signature field.
Issuer name: this field identifies the CA that issued the certificate.
Validity period: this field defines the earliest (not before) time and the latest (not after) time during which the certificate is valid.
Subject name: this field defines the entity that owns the public key stored in this certificate.
Subject public key: this field gives the value of the public key of the owner of the certificate and defines the public key algorithm.
Signature: this field contains the digest of all other fields in the certificate encrypted by the CA's private key, and also contains the ID of the signature algorithm.
* ITU-T = International Telecommunication Union - Telecommunication Standardization Sector
15.21
X.509
In X.509, the certificate has the following fields:
The optional Issuer or Subject unique identifier allows two issuers or two subjects to have the same value in the Issuer or Subject name field, provided their unique identifiers are different.
15.22
X.509
Certificate Renewal
Each certificate has a period of validity. If there is no problem with the certificate, the CA issues a new certificate before the old one expires.
Certificate Revocation
In some cases a certificate must be revoked before its expiration (e.g., the private key of the subject or of the CA has been compromised). The revocation is done by periodically issuing a certificate revocation list (CRL) that contains all revoked certificates that have not expired on the date the CRL is issued. To ensure the validity of a certificate, the user must check the latest CRL published by the CA that issued the certificate.
Public-Key Infrastructure (PKI)
PKI is a model for creating, distributing and revoking certificates based on X.509. The IETF (Internet Engineering Task Force) has created the public-key infrastructure X.509 (PKIX).
Notation: X<<Y>> denotes the certificate of Y issued (signed) by X.
15.25
Public-Key Infrastructures (PKI)
Example 15.3
User1 knows only the public key of the root CA. Show how User1 can obtain a verified copy of User3's public key.
Solution
User3 sends a chain of certificates, CA<<CA1>> and CA1<<User3>>, to User1.
a. User1 validates CA<<CA1>> using the public key of CA.
b. User1 extracts the public key of CA1 from CA<<CA1>>.
c. User1 validates CA1<<User3>> using the public key of CA1.
d. User1 extracts the public key of User3 from CA1<<User3>>.
User1 has used the following chain: CA<<CA1>> CA1<<User3>>
CA Hierarchy - Certificate Validation Path (Chain)
A only knows the public key of X and B only knows the public key of Z.
A acquires B's certificate using the chain: X<<W>> W<<V>> V<<Y>> Y<<Z>> Z<<B>>
B acquires A's certificate using the chain: Z<<Y>> Y<<V>> V<<W>> W<<X>> X<<A>>
Example 15.4
Some Web browsers, such as Internet Explorer, include a set of certificates from independent roots without a single, high-level authority to certify each root. One can find the list of these roots in Internet Explorer at Tools/Internet Options/Contents/Certificate/Trusted roots (using the pull-down menu). The user then can choose any of these roots and view the certificate.
15.28
Message Integrity and Authentication
11.1
11-1 MESSAGE INTEGRITY
11.2
11.1.1 Document and Fingerprint
11.3
11.1.2 Message and Message Digest
11.4
11.1.3 Difference
Note
The message digest needs to be safe from change.
11.5
11.1.4 Checking Integrity
11.6
11.1.5 Cryptographic Hash Function Criteria
11.7
11.1.5 Continued
Preimage Resistance
11.8
11.1.5 Continued
Second Preimage Resistance
11.9
11.1.5 Continued
Collision Resistance
11.10
11-2 RANDOM ORACLE MODEL
The Random Oracle Model, which was introduced in 1993 by Bellare and Rogaway, is an ideal mathematical model for a hash function. A function based on this model behaves as follows:
1. When a message of any length is given, the oracle creates and gives a fixed-length message digest that is a random string of 0s and 1s, recording the message and the message digest.
11.11
11-2 Continued
Example 11.4
11.12
11-3 MESSAGE AUTHENTICATION
11.13
11.3.1 Modification Detection Code (MDC)
11.14
11.3.1 Continued
11.15
11.3.2 Message Authentication Code (MAC)
11.16
11.3.2 Continued
Note
The security of a MAC depends on the security of
the underlying hash algorithm.
11.17
11.3.2 Continued
Nested MAC
Figure 11.11 Nested MAC
11.18
HMAC: NIST issued standard for MAC
HMAC
Figure 11.12
Details of HMAC
Hash Functions
12.21
12-1 INTRODUCTION
12.22
12.1.1 Iterated Hash Function
Merkle-Damgard Scheme
12.23
12.1.2 Two Groups of Compression Functions
12.24
12.1.2 Continued
12.25
12.1.2 Continued
Rabin Scheme
Challenge: MIM
12.26
12.1.2 Continued
Davies-Meyer Scheme
12.27
12.1.2 Continued
Matyas-Meyer-Oseas Scheme
12.30
12.2.1 Introduction
12.31
12.2.1 Continued
Message Preparation
SHA-512 insists that the length of the original message be less than 2^128 bits.
Note
SHA-512 creates a 512-bit message digest out of a message of fewer than 2^128 bits.
12.32
12.2.1 Continued
Example 12.2
This example also concerns the message length in SHA-512. How many pages are occupied by a message of 2^128 bits?
Solution
Suppose that a character is 32, or 2^6, bits. Each page is less than 2048, or approximately 2^12, characters. So 2^128 bits need at least 2^128 / 2^18, or 2^110, pages. This again shows that we need not worry about the message length restriction.
12.33
12.2.1 Continued
12.34
12.2.1 Continued
Example 12.3
What is the number of padding bits if the length of the original
message is 2590 bits?
Solution
We can calculate the number of padding bits as follows:
12.35
12.2.1 Continued
Example 12.4
Do we need padding if the length of the original message is already
a multiple of 1024 bits?
Solution
Yes we do, because we need to add the length field. So padding is
needed to make the new block a multiple of 1024 bits.
12.36
12.2.1 Continued
Example 12.5
What is the minimum and maximum number of padding bits that
can be added to a message?
Solution
12.37
12.2.1 Continued
12.38
12.2.1 Continued
Words
12.39
12.2.1 Continued
Word Expansion
Figure 12.9 Word expansion in SHA-512
12.40
12.2.1 Continued
Example 12.6
Solution
Each word in the range W16 to W79 is made from four
previously-made words. W60 is made as
12.41
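Examples 12.3 to 12.6 in code, as an added Python example that is not code from the slides: the padding and 128-bit length field of message preparation, then the word expansion of one block. The rotation and shift amounts in sigma0/sigma1 are the standard SHA-512 ones, which the slides do not spell out.

```python
# Added example: SHA-512 message preparation and word expansion.
# Constants below are the standard SHA-512 parameters (not taken from the slides).

MAX_LEN_BITS = 2 ** 128       # SHA-512 requires the message length to be < 2^128 bits
BLOCK_BITS = 1024
LENGTH_FIELD_BITS = 128
MASK64 = (1 << 64) - 1


def padding_bits(message_len_bits):
    """|P| (the 1 bit plus zeros) so that |M| + |P| + 128 is a multiple of 1024."""
    if message_len_bits >= MAX_LEN_BITS:
        raise ValueError("message too long for SHA-512")
    pad = (-message_len_bits - LENGTH_FIELD_BITS) % BLOCK_BITS
    return pad if pad else BLOCK_BITS    # the 1 bit is mandatory: minimum 1, maximum 1024


def block_count(message_len_bits):
    """How many 1024-bit blocks the padded message occupies."""
    return (message_len_bits + padding_bits(message_len_bits) + LENGTH_FIELD_BITS) // BLOCK_BITS


def pad_message(message):
    """Padded message (bytes) for byte-aligned input: M || 1 000..0 || 128-bit length."""
    length_bits = len(message) * 8
    zero_bytes = (padding_bits(length_bits) - 8) // 8    # the 0x80 byte carries the 1 bit
    padded = message + b"\x80" + b"\x00" * zero_bytes
    return padded + length_bits.to_bytes(LENGTH_FIELD_BITS // 8, "big")


def rotr(x, n):
    return ((x >> n) | (x << (64 - n))) & MASK64


def sigma0(x):
    return rotr(x, 1) ^ rotr(x, 8) ^ (x >> 7)


def sigma1(x):
    return rotr(x, 19) ^ rotr(x, 61) ^ (x >> 6)


def expand_words(block):
    """W0..W79 for one 1024-bit block: W0..W15 are the block itself, and each
    later word is made from four earlier ones (t-2, t-7, t-15, t-16), so W60
    is built from W58, W53, W45 and W44 (Example 12.6)."""
    if len(block) != BLOCK_BITS // 8:
        raise ValueError("block must be 1024 bits")
    w = [int.from_bytes(block[8 * t:8 * t + 8], "big") for t in range(16)]
    for t in range(16, 80):
        w.append((sigma1(w[t - 2]) + w[t - 7] + sigma0(w[t - 15]) + w[t - 16]) & MASK64)
    return w


if __name__ == "__main__":
    print(padding_bits(2590), block_count(2590))           # Example 12.3
    print(padding_bits(1024), block_count(1024))           # Example 12.4
    print(len(expand_words(pad_message(b"abc")[:128])))   # 80 words
```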
12.2.1 Continued
12.42
12.2.2 Compression Function
Figure 12.10 Compression function in SHA-512
12.43
12.2.2 Continued
Figure 12.11 Structure of each round in SHA-512
12.44
12.2.2 Continued
Majority Function
Conditional Function
Rotate Functions
12.45
12.2.2 Continued
12.46
12.2.2 Continued
12.47
12-3 WHIRLPOOL
12.48
12-3 Continued
12.49
12.3.1 Whirlpool Cipher
Figure 12.13 General idea of the Whirlpool cipher
12.50
12.3.1 Continued
Figure 12.14 Block and state in the Whirlpool cipher
12.51
12.3.1 Continued
12.52
12.3.1 Continued
12.53
12.3.1 Continued
12.54
12.3.1 Continued
ShiftColumns
Figure 12.18 ShiftColumns transformation in the Whirlpool cipher
12.55
12.3.1 Continued
12.56
12.3.1 Continued
12.57
12.3.1 Continued
Figure 12.21 Key expansion in the Whirlpool cipher
12.58
12.3.1 Continued
12.59
12.3.2 Summary
12.60
12.3.3 Analysis
12.61
Chapter 8
Encipherment Using
Modern Symmetric-Key
Ciphers
8.1
Chapter 8
Objectives
❏ To show how modern standard ciphers, such as DES or AES, can be used to encipher long messages.
❏ To discuss five modes of operation designed to be used with modern block ciphers.
❏ To define which mode of operation creates stream ciphers out of the underlying block ciphers.
❏ To discuss the security issues and the error propagation of different modes of operation.
❏ To discuss two stream ciphers used for real-time processing of data.
8.2
8-1 USE OF MODERN BLOCK CIPHERS
8.3
8-1 Continued
8.4
8.1.1 Electronic Codebook (ECB) Mode
8.5
8.1.1 Continued
Error Propagation
A single bit error in transmission can create errors in several bits in the corresponding block. However, the error does not have any effect on the other blocks.
8.8
8.1.2 Cipher Block Chaining (CBC) Mode
8.10
8.1.2 Continued
Figure 8.3 Cipher block chaining (CBC) mode
8.11
8.1.3 Cipher Feedback (CFB) Mode
In some situations, we need to use DES or AES as secure ciphers, but the plaintext or ciphertext block sizes need to be smaller.
Figure 8.4 Encryption in cipher feedback (CFB) mode
8.15
8.1.3 Continued
Note
In CFB mode, encipherment and decipherment use
the encryption function of the underlying block
cipher.
8.16
8.1.3 Continued
8.18
8.1.4 Output Feedback (OFB) Mode
8.19
8.1.4 Continued
8.21
8.1.5 Counter (CTR) Mode
8.22
8.1.5 Continued
8.24
8.1.5 Continued
8.25
Public key distribution
• Public announcement
• Publicly available directory
• Public-key authority
• Public-key certificates
Public key certificates
• A public-key authority could be a bottleneck.
• Solution: certificates.
X.509 Certificates
Notations
Obtaining a Certificate
• if both users share a common CA then they are assumed to know its
public key
• otherwise CAs must form a hierarchy
• use certificates linking members of hierarchy to validate other CAs
– each CA has certificates for clients (forward) and parent
(backward)
• each client trusts parents certificates
• enable verification of any certificate from one CA by users of all
other CAs in hierarchy
CA Hierarchy Use
Example: A verifies the certificate of B, Z<<B>>, using the chain
X<<W>>, W<<V>>, V<<Y>>, Y<<Z>>, Z<<B>>
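Walking a certificate chain as Example 15.3 and the CA-hierarchy example above describe, as an added Python example that is not code from the slides. Certificates are plain dicts and the CA signatures are textbook RSA over a SHA-256 digest with fixed Mersenne-prime keys, an assumption made so the example runs on the standard library alone; it is not X.509 encoding or real signing. The validator also applies the validity period and a CRL, as the X.509 slides require.

```python
# Added example: validating a chain such as CA<<CA1>>, CA1<<User3>> from one trusted key.
import hashlib
import json

E = 65537


def mersenne(k):
    """2^k - 1. For k in {89, 107, 127, 521, 607, 1279} this is a known prime."""
    return (1 << k) - 1


def make_key(p, q):
    """Textbook RSA key pair from two primes (demo only, no padding scheme)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": E, "d": pow(E, -1, phi)}


def public_part(key):
    return {"n": key["n"], "e": key["e"]}


def digest(cert):
    """SHA-256 over every field except the signature, as an integer."""
    body = {k: v for k, v in cert.items() if k != "signature"}
    data = json.dumps(body, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def issue(issuer, issuer_key, subject, subject_pub, serial, not_before, not_after):
    """Issuer<<Subject>>: the issuer writes the subject's public key into the
    certificate and signs all other fields with its own private key."""
    cert = {"issuer": issuer, "subject": subject, "pubkey": subject_pub,
            "serial": serial, "not_before": not_before, "not_after": not_after}
    cert["signature"] = pow(digest(cert), issuer_key["d"], issuer_key["n"])
    return cert


def verify_signature(cert, issuer_pub):
    return pow(cert["signature"], issuer_pub["e"], issuer_pub["n"]) == digest(cert)


def validate_chain(chain, trusted_name, trusted_pub, now, crl=frozenset()):
    """Steps a-d of Example 15.3 for a chain of any length, starting from the one
    key the user already trusts. Returns (subject, public key) of the last
    certificate, or raises ValueError naming the check that failed."""
    name, key = trusted_name, trusted_pub
    for cert in chain:
        if cert["issuer"] != name:
            raise ValueError(f"{cert['subject']}: issuer {cert['issuer']} is not {name}")
        if not verify_signature(cert, key):           # step a / c
            raise ValueError(f"{name}<<{cert['subject']}>>: bad signature")
        if not cert["not_before"] <= now <= cert["not_after"]:
            raise ValueError(f"{name}<<{cert['subject']}>>: outside validity period")
        if (cert["issuer"], cert["serial"]) in crl:   # CRL entries: (issuer, serial)
            raise ValueError(f"{name}<<{cert['subject']}>>: revoked")
        name, key = cert["subject"], cert["pubkey"]   # step b / d: extract the key
    return name, key


# Constructed sample hierarchy CA -> CA1 -> User3 (keys are for this demo only).
CA_KEY = make_key(mersenne(127), mersenne(521))
CA1_KEY = make_key(mersenne(107), mersenne(607))
USER3_KEY = make_key(mersenne(89), mersenne(1279))

CA_CA1 = issue("CA", CA_KEY, "CA1", public_part(CA1_KEY), 1, 100, 900)
CA1_USER3 = issue("CA1", CA1_KEY, "User3", public_part(USER3_KEY), 7, 200, 800)
CHAIN = [CA_CA1, CA1_USER3]


def user1_gets_user3_key(now=500, crl=frozenset()):
    """User1 knows only CA's public key and receives CHAIN from User3."""
    return validate_chain(CHAIN, "CA", public_part(CA_KEY), now, crl)


if __name__ == "__main__":
    print(user1_gets_user3_key()[0])   # User3
```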
X.509 v2 drawbacks
• 1. The Subject field is inadequate to convey the identity of a key owner to a public-key user; applications recognize entities by an e-mail address, a URL, etc.
• 2. There is a need to indicate security policy information. This enables a security application or function, such as IPSec, to relate an X.509 certificate to a given policy.
• 3. There is a need to limit the damage that can result from a faulty or malicious CA by setting constraints on the applicability of a particular certificate.
• 4. It is important to be able to identify different keys used by the same owner at different times. This feature supports key life-cycle management, in particular the ability to update key pairs for users and CAs on a regular basis or under exceptional conditions.
Extensions
• Three categories:
• 1. Key and policy information
• 2. Certificate subject and issuer attributes
• 3. Certification path constraints
9/25/21, 10:34 AM Security of RSA - GeeksforGeeks
Security of RSA:
These are explained below.
3. Factorisation attack: if the attacker is able to find P and Q from N, then he could find the value of the private key. This attack fails when N has at least 300 decimal digits, because the attacker is then not able to factor N.
https://www.geeksforgeeks.org/security-of-rsa/ 1/2
V SEMESTER B.TECH. (CCE) IN - SEMESTER EXAMINATIONS NOVEMBER 2021
SUBJECT: INFORMATION SECURITY [ICT 3172] SET 1 SCHEME
Date of Exam: 17/11/2021 Time of Exam: 4:00 PM TO 5:30 PM Max. Marks: 20
1. Give an example of replay attacks. List and explain any three general approaches for
dealing with replay attacks. 3
Suppose Alice wants to prove her identity to Bob. Bob requests her password as proof
of identity, which Alice dutifully provides (possibly after some transformation like
hashing, or even salting, the password); meanwhile, Eve is eavesdropping on the
conversation and keeps the password (or the hash). After the interchange is over, Eve
(acting as Alice) connects to Bob; when asked for proof of identity, Eve sends Alice's
password (or hash) read from the last session which Bob accepts, thus granting Eve
access. [1 M]
Assume Eve records the exchanges in a session between Alice and Bob. If Eve is somehow successful in obtaining the session key, KAB, she now launches a new session starting with the third exchange; she resends the ticket to Bob. Bob responds by sending a new nonce, RB. Eve can decrypt this message (she knows the session key) and obtain RB. Eve now responds using RB−1. A session has been created between Bob and Eve. The flaw in the protocol is that there is no nonce that glues the five exchanges in the session. The first nonce, RA, is active only for the first two messages; the second nonce, RB, is active only for the last two messages. Eve can partially replay the second part of these messages.
In the Otway-Rees protocol, a third nonce, R, is used that is active during all four exchanges. Eve cannot replay only part of the message. 3
4. Difference between stateful and stateless IDS. Comment on their levels of security in detecting intrusion with examples. 3
5. Given the hex code of the ciphertext {41 9c 12 3c 5a 3d 23 2a 6b 4a 5e 4d 7c 90 4b 2f}
and the initial key {73 61 74 69 73 68 63 6a 69 73 62 6f 72 69 6e 67} answer the following
by applying the functions of Advanced Encryption Standard- AES 128. Refer to the tables
5 (a) and 5 (b).
i. Show the original State displayed as 4X4 matrix.
ii. Show the value of the State after SubBytes.
iii. For the above output, show the value of the State after ShiftRows.
iv. Using Key Expansion method compute W4 and W5 for the initial key stream given
above.
Table 5 (a): RCON Constants
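An added worked example (not from the exam paper) for the four parts of question 5, on the block and key the question gives. The S-box is computed from its definition rather than copied from the paper's Table 5(b) (not reproduced here), and the Rcon values are the standard AES round constants that Table 5(a) lists.

```python
# Added example: AES-128 State layout, SubBytes, ShiftRows and key expansion (W4, W5).
# The S-box is generated from its definition: multiplicative inverse in GF(2^8),
# then the affine map. Rcon values are the standard AES round constants.


def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    product = 0
    for _ in range(8):
        if b & 1:
            product ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return product


def sbox_byte(a):
    """S-box entry for byte a: inverse (a^254, with 0 -> 0), then the affine map."""
    inv = a
    for _ in range(253):
        inv = gf_mul(inv, a)
    x, y = inv, inv
    for _ in range(4):      # y = x ^ rotl(x,1) ^ rotl(x,2) ^ rotl(x,3) ^ rotl(x,4)
        x = ((x << 1) | (x >> 7)) & 0xFF
        y ^= x
    return y ^ 0x63


SBOX = [sbox_byte(i) for i in range(256)]
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]

# Values given in the question.
CIPHERTEXT = bytes.fromhex("419c123c5a3d232a6b4a5e4d7c904b2f")
KEY = bytes.fromhex("736174697368636a6973626f72696e67")


def to_state(block):
    """(i) The State: 16 bytes laid out column by column, state[r][c] = block[r + 4c]."""
    return [[block[r + 4 * c] for c in range(4)] for r in range(4)]


def sub_bytes(state):
    """(ii) SubBytes: every byte replaced through the S-box."""
    return [[SBOX[b] for b in row] for row in state]


def shift_rows(state):
    """(iii) ShiftRows: row r is rotated left by r positions."""
    return [row[r:] + row[:r] for r, row in enumerate(state)]


def key_words(key):
    """W0..W3: the 16-byte key as four 4-byte words."""
    return [list(key[4 * i:4 * i + 4]) for i in range(4)]


def round1_words(words):
    """(iv) Key expansion: W4 = W0 ^ SubWord(RotWord(W3)) ^ Rcon[1], W5 = W4 ^ W1."""
    w0, w1, w3 = words[0], words[1], words[3]
    temp = [SBOX[b] for b in w3[1:] + w3[:1]]    # RotWord, then SubWord
    temp[0] ^= RCON[0]                            # Rcon for round 1 is 01 00 00 00
    w4 = [a ^ b for a, b in zip(w0, temp)]
    w5 = [a ^ b for a, b in zip(w4, w1)]
    return w4, w5


def answer():
    """All four parts of the question, in order."""
    state = to_state(CIPHERTEXT)
    after_sub = sub_bytes(state)
    after_shift = shift_rows(after_sub)
    w4, w5 = round1_words(key_words(KEY))
    return state, after_sub, after_shift, w4, w5


if __name__ == "__main__":
    state, after_sub, after_shift, w4, w5 = answer()
    for label, m in (("State", state), ("SubBytes", after_sub), ("ShiftRows", after_shift)):
        print(label, [[f"{b:02x}" for b in row] for row in m])
    print("W4", [f"{b:02x}" for b in w4], "W5", [f"{b:02x}" for b in w5])
```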