Cryptography and Network Security
CIA (figure): three diagrams, each showing Eve between the sender and the receiver.
• Confidentiality: Eve as an eavesdropper
• Integrity: Eve as an attacker
• Availability: Eve as an attacker
Three Aspects of Security
• Security Attacks: Any action that compromises the security of data owned by an organisation.
• Security Services: Services that ensure the security of the data and its transfer by using some of the security mechanisms.
• Security Mechanisms: Processes that are designed to detect, prevent, or recover from a security attack.
Security Attacks
The three goals of security (Confidentiality, Integrity, and Availability) can be threatened by security attacks.
1. Attacks on Confidentiality
2. Attacks on Integrity
3. Attacks on Availability
Active vs Passive Attacks (Contd…)
Security Services
• Peer-Entity Auth.
• Access Control
• Confidentiality
• Data Integrity
• Nonrepudiation
• Availability
Security Mechanism
Relation between Services and Mechanisms
(Table of services versus mechanisms; only the service rows are recoverable here: Peer-Entity Auth., Data Origin Auth., Access Control, Confidentiality, Data Integrity, Nonrepudiation, Availability.)
• The mechanisms discussed in the previous sections are only theoretical recipes for implementing security.
• The actual implementation of the security goals needs some techniques.
• The two techniques most used are cryptography and steganography.
Cryptography
Steganography example (figure): the secret data "HI" is converted to binary, the binary data is divided into 16-bit chunks, and each chunk is represented by the cover pattern shown in the figure.
What is the possible text cover and secret data?
Image cover: colour image
a = q × n
Euclidean Algorithm
Fact 1: gcd (a, 0) = a
Fact 2: gcd (a, b) = gcd (b, r), where r is
the remainder of dividing a by b
Note
Answer: 3
2. Find all additive inverse pairs in Z10.
Answer:
There are six pairs of additive inverses:
(0, 0), (1, 9), (2, 8), (3, 7), (4, 6), and (5, 5).
Multiplicative Inverse
Note
• In modular arithmetic, an integer may or may
not have a multiplicative inverse.
• When it has, the product of the integer and its
multiplicative inverse is congruent to 1 modulo n.
Examples
Example 1
Find the multiplicative inverse of 7 and 8 in Z10.
Multiplicative inverse of 7 is 3, but 8 has no
multiplicative inverse.
Note: gcd can help us to quickly find out whether a given number has a multiplicative inverse or not.
gcd(10, 7) = 1 => 7 has a multiplicative inverse modulo 10
gcd(10, 8) = 2 ≠ 1 => 8 has no multiplicative inverse modulo 10
Example 2
Find all multiplicative inverses in Z10.
There are only three pairs: (1, 1), (3, 7) and (9, 9). The
numbers 0, 2, 4, 5, 6, and 8 do not have a multiplicative
inverse.
Continued
Example 3
Note
• The Extended Euclidean algorithm (EEA) finds the multiplicative inverse of b in Zn when n and b are given and gcd(n, b) = 1.
• The multiplicative inverse of b is the value of t after being mapped to Zn.
Using the Extended Euclidean Algorithm to Find a Multiplicative Inverse
Continued
Example
Find the multiplicative inverse of 11 in Z26.
Note
• We need to use Zn when additive inverses are needed.
• We need to use Zn* when multiplicative inverses are needed.
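The Euclidean and extended Euclidean algorithms from the slides above, as an added example that is not part of the original slides. It keeps the tabular (r, s, t) form of the EEA, maps the final t into Zn to get the inverse, and reproduces the slide examples (7 and 8 in Z10, 11 in Z26, the inverse pairs of Z10).

```python
# Added example (not from the original slides): the Euclidean and extended
# Euclidean algorithms as described on the slides, with a helper that maps
# the coefficient t into Z_n to give the multiplicative inverse.

def gcd(a, b):
    """Euclidean algorithm: gcd(a, 0) = a and gcd(a, b) = gcd(b, a mod b)."""
    while b != 0:
        a, b = b, a % b
    return a

def extended_gcd(a, b):
    """Return (g, s, t) with g = gcd(a, b) and s*a + t*b = g.

    Tabular extended Euclidean algorithm: each step divides the previous
    remainders and updates the s and t columns with the same quotient."""
    r1, r2 = a, b
    s1, s2 = 1, 0
    t1, t2 = 0, 1
    while r2 != 0:
        q = r1 // r2
        r1, r2 = r2, r1 - q * r2
        s1, s2 = s2, s1 - q * s2
        t1, t2 = t2, t1 - q * t2
    return r1, s1, t1

def mod_inverse(b, n):
    """Multiplicative inverse of b in Z_n, or None when gcd(n, b) != 1.

    Runs the EEA on (n, b); the inverse is the final t mapped into Z_n."""
    g, _, t = extended_gcd(n, b)
    if g != 1:
        return None
    return t % n

def inverse_pairs(n):
    """All pairs (a, a^-1) in Z_n, each pair listed once (a <= a^-1)."""
    pairs = []
    for a in range(n):
        inv = mod_inverse(a, n)
        if inv is not None and a <= inv:
            pairs.append((a, inv))
    return pairs

if __name__ == "__main__":
    print(gcd(10, 8))                    # 2, so 8 has no inverse modulo 10
    print(mod_inverse(7, 10))            # 3
    print(mod_inverse(8, 10))            # None
    print(mod_inverse(11, 26))           # 19, since 11 * 19 = 209 = 8 * 26 + 1
    print(inverse_pairs(10))             # [(1, 1), (3, 7), (9, 9)]
```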
Two More Sets
Scalar multiplication
Determinant
Note
| 5  2   1 |
| 3  0  -4 |
| 2  1   6 |
Inverse of a Square Matrix
Note
For A = | a  b |,
        | c  d |
the inverse can be found by using the formula:
A^-1 = (1/det A) |  d  -b | = (1/(ad - bc)) |  d  -b |
                 | -c   a |                 | -c   a |
Residue Matrix and Inverse
• Cryptography uses residue matrices.
• Matrices where all elements are in Zn.
• A residue matrix has a multiplicative
inverse if gcd (det(A), n) = 1.
Example
Find the inverse of the matrix | 7  3 | mod 26.
                               | 1  2 |
The inverse of the given matrix mod 26 is | 12  21 |.
                                          |  7   3 |
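The residue-matrix inverse from the slides above, as an added example that is not part of the original slides. It applies the 2×2 formula with det^-1 taken in Zn (Python's built-in pow(x, -1, n) is used for the modular inverse), refuses matrices whose determinant shares a factor with n, and checks the result by multiplying back to the identity.

```python
# Added example (not from the original slides): determinant and inverse of a
# residue matrix (entries in Z_n) using the 2x2 formula from the slides; the
# inverse exists only when gcd(det(A), n) = 1.
from math import gcd

def det2(A):
    """Determinant ad - bc of a 2x2 matrix given as [[a, b], [c, d]]."""
    (a, b), (c, d) = A
    return a * d - b * c

def det3(A):
    """Determinant of a 3x3 matrix by cofactor expansion along the first row."""
    (a, b, c), (d, e, f), (g, h, i) = A
    return a * (e * i - f * h) - b * (d * i - f * g) + c * (d * h - e * g)

def inverse_mod(A, n):
    """Inverse of a 2x2 residue matrix modulo n, or None if det(A) has no
    inverse in Z_n. pow(x, -1, n) is Python's built-in modular inverse."""
    (a, b), (c, d) = A
    det = det2(A) % n
    if gcd(det, n) != 1:
        return None
    det_inv = pow(det, -1, n)
    # A^-1 = det^-1 * [[d, -b], [-c, a]]; every entry is reduced into Z_n
    return [[(det_inv * d) % n, (det_inv * -b) % n],
            [(det_inv * -c) % n, (det_inv * a) % n]]

def matmul_mod(A, B, n):
    """Product of two 2x2 matrices with entries reduced modulo n."""
    return [[sum(A[i][k] * B[k][j] for k in range(2)) % n for j in range(2)]
            for i in range(2)]

if __name__ == "__main__":
    A = [[7, 3], [1, 2]]
    print(det3([[5, 2, 1], [3, 0, -4], [2, 1, 6]]))   # determinant of the slide's 3x3 matrix
    print(inverse_mod(A, 26))                         # [[12, 21], [7, 3]]
    print(matmul_mod(A, inverse_mod(A, 26), 26))      # [[1, 0], [0, 1]]
    print(inverse_mod([[2, 4], [1, 2]], 26))          # None: det = 0
```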
Traditional
Symmetric-Key Ciphers
Dr. Bimal Kumar Meher
Associate Professor, Dept. of CSE
Silicon Institute of Technology
Symmetric Key Cipher Model
Symmetric Key Cipher Model (Contd…)
Kerckhoffs’ Principle
Note
• In monoalphabetic substitution, the relationship
between a symbol in the plaintext to a symbol
in the ciphertext is always one-to-one.
Example 1
The following shows a plaintext and its corresponding
ciphertext. The cipher is monoalphabetic because both l’s
are encrypted as O’s.
Example 2
The following shows a plaintext and its corresponding
ciphertext. The cipher is not monoalphabetic because each l
is encrypted by a different character.
ABNFZ
Additive Cipher
Note
• When the cipher is additive, the plaintext,
ciphertext, and key are integers in Z26.
Additive Cipher (Contd…)
Example
Use the additive cipher with key = 15 to encrypt the
message “hello”.
Solution
We apply the encryption algorithm to the plaintext,
character by character:
Additive Cipher (Contd…)
Example
P (C x
Note
• In a multiplicative cipher, the plaintext and
ciphertext are integers in Z26
• But, the key is an integer in Z26*.
Multiplicative Ciphers (Contd…)
Example 1
What is the key domain for any multiplicative cipher?
The key needs to be in Z26*. This set has only 12
members: 1, 3, 5, 7, 9, 11, 15, 17, 19, 21, 23, 25.
Example 2
Use a multiplicative cipher to encrypt the message “hello”
with a key of 7.
Affine Ciphers
• It is a combination of additive and multiplicative
ciphers with a pair of keys.
Affine Ciphers (Contd…)
Example
What is the key domain and its size in the affine cipher?
The affine cipher uses a pair of keys in which the first key is from Z26* and the second is from Z26. The size of the key domain is 26 × 12 = 312.
Example
Use affine cipher to encrypt the message “hello” with
the key pair (7, 2).
Affine Ciphers (Contd…)
Example
Use the affine cipher to decrypt the message “ZEBBW”
with the key pair (7, 2) in mod 26.
Note
• The additive cipher is a special case of an affine cipher in
which k1 = 1.
• The multiplicative cipher is a special case of affine cipher
in which k2 = 0.
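The additive, multiplicative and affine ciphers defined on the preceding slides, as an added example that is not part of the original slides. The additive and multiplicative ciphers are implemented as the special cases of the affine cipher that the note above describes, a k1 outside Z26* is rejected, and the slide examples ("hello" with key 15, key 7, and key pair (7, 2); decrypting "ZEBBW") are reproduced along with the 312-element key domain.

```python
# Added example (not from the original slides): the additive, multiplicative
# and affine ciphers over Z_26 as defined on the slides, plus the key-domain
# count. Keys are validated so that a non-invertible k1 is rejected.
from math import gcd

ALPHABET = "abcdefghijklmnopqrstuvwxyz"

def affine_encrypt(plaintext, k1, k2):
    """C = (k1 * P + k2) mod 26; k1 must be in Z26*."""
    if gcd(k1, 26) != 1:
        raise ValueError("k1 must have a multiplicative inverse modulo 26")
    out = []
    for ch in plaintext.lower():
        p = ALPHABET.index(ch)
        out.append(ALPHABET[(k1 * p + k2) % 26].upper())
    return "".join(out)

def affine_decrypt(ciphertext, k1, k2):
    """P = ((C - k2) * k1^-1) mod 26."""
    k1_inv = pow(k1, -1, 26)   # raises ValueError when k1 is not in Z26*
    out = []
    for ch in ciphertext.upper():
        c = ALPHABET.index(ch.lower())
        out.append(ALPHABET[((c - k2) * k1_inv) % 26])
    return "".join(out)

# The additive and multiplicative ciphers are the special cases named on the slides.
def additive_encrypt(plaintext, k):
    return affine_encrypt(plaintext, 1, k)

def multiplicative_encrypt(plaintext, k):
    return affine_encrypt(plaintext, k, 0)

def key_domain():
    """All valid (k1, k2) pairs: k1 from Z26*, k2 from Z26."""
    z26_star = [k for k in range(26) if gcd(k, 26) == 1]
    return [(k1, k2) for k1 in z26_star for k2 in range(26)]

if __name__ == "__main__":
    print(additive_encrypt("hello", 15))        # WTAAD
    print(multiplicative_encrypt("hello", 7))   # XCZZU
    print(affine_encrypt("hello", 7, 2))        # ZEBBW
    print(affine_decrypt("ZEBBW", 7, 2))        # hello
    print(len(key_domain()))                    # 312
```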
Monoalphabetic Substitution Cipher
Example
Encrypt the plaintext “hello” using the key in above figure.
Decryption: P = C K^-1, where K is invertible.
Cryptanalysis: because the key and the plaintext share the same frequency distribution of letters, a statistical technique can be applied.
Vernam Cipher
• Introduced by an AT&T engineer, Gilbert Vernam, in 1918.
• He proposed choosing a very long key that has no statistical relationship to the plaintext.
• His system works on binary data (bits) rather than letters.
Vernam Cipher (Contd…)
Groups
Rings
Fields
• To emphasize finite fields of type GF(p) and GF(2^n), which play a significant role in modern block ciphers.
Groups
Example 2
The set Zn* with the multiplication operator (×), G = <Zn*, ×>, is also an abelian group.
More on Groups
Example:
Check whether the groups G = <Z10*, ×> and G = <Z12*, ×> are cyclic. If yes, find their generators.
Zn*, the multiplicative group modulo n, is cyclic if and only if n is 1, 2, 4, p^k, or 2p^k for an odd prime p and k ≥ 1.
Ring
• A ring is a set R having two binary operations (+) and (.) satisfying the following three sets of axioms:
• R is an abelian group under addition. That means:
• For a, b in R, a + b is also in R (i.e., closure under +)
• (a + b) + c = a + (b + c) for all a, b, c in R (i.e., + is associative)
• a + b = b + a for all a, b in R (i.e., + is commutative)
• There is an element 0 in R such that a + 0 = a for all a in R (i.e., 0 is the additive identity)
• For each a in R there exists −a in R such that a + (−a) = 0 (i.e., −a is the additive inverse of a).
Ring (Contd…)
• R has the following properties under multiplication:
• For a, b in R, a . b is also in R (i.e., closure under .)
• (a . b) . c = a . (b . c) for all a, b, c in R (i.e., associative under .)
• Multiplication is distributive with respect to addition. That means:
a . (b + c) = (a . b) + (a . c) for all a, b, c in R (left distributivity)
(b + c) . a = (b . a) + (c . a) for all a, b, c in R (right distributivity)
• A ring R is said to be commutative if it satisfies the commutative property (a . b = b . a for all a, b in R).
Ring (Contd…)
Example
Note
Field: GF(5)
Example
8-bit word
Continued
Example
Note
Example
BKM/SIT
• DES is a symmetric-key block cipher for encrypting digital data.
• Developed by IBM in the early 1970s.
• It was a modified form of the project called Lucifer by Horst Feistel.
• The cipher was first published by NIST in 1973.
• It was finally published in FIPS in 1977.
NIST: National Institute of Standards and Technology
FIPS: Federal Information Processing Standard
DES Overview
DES Basics
• It takes plaintext of size 64 bits and produces ciphertext of size 64 bits.
• But it has a cipher key of size 56 bits.
• Building blocks of DES:
  • P-Box
  • S-Box
  • XOR
  • Sixteen Feistel rounds
General Structure of DES
Initial and Final Permutations
Initial and final permutation tables (Contd…)
Solution
Only bit 15 and bit 64 are 1s; the other bits are 0s. In the initial permutation, input bit 15 becomes bit 63 in the output and input bit 64 becomes bit 25 in the output. The result is
Example 2
Find the output of the final permutation if the input is
Rounds
• DES uses 16 rounds.
• Each round of DES is a Feistel cipher.
• A Feistel cipher has both invertible and non-invertible components.
• The figure shows a single round in DES encryption.
DES Function
• The heart of DES is the DES function.
• The DES function applies a 48-bit key to the rightmost 32 bits to produce a 32-bit output.
Expansion P-box in the Function
Expansion P-box (Contd…)
Expansion P-box
Since R(I−1) is a 32-bit input and K(I) is a 48-bit key, we first need to expand R(I−1) to 48 bits.
Whitener (XOR)
• After the expansion permutation, DES uses the XOR operation on the expanded right section and the round key.
• Note that both the right section and the key are 48 bits in length.
• Also note that the round key is used only in this operation.
S-Boxes
S-Box (Contd…)
S-box rule: The substitution in each box follows a predefined rule based on a 4-row by 16-column table.
S-Box (Contd…)
• The following table shows the contents of S-box 1.
• Refer to the textbook for the rest of the boxes.
Table: S-box 1
Continued
Example
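The S-box rule stated above, as an added example that is not part of the original slides. The 4×16 table is DES S-box 1 as published in FIPS 46-3 (the slide's table did not survive extraction, so it is supplied here from the standard); the outer two input bits select the row and the middle four bits the column, and a check confirms the design property that every row is a permutation of 0..15.

```python
# Added example (not from the original slides): the S-box rule from the slides
# applied to DES S-box 1, whose 4x16 table is taken from FIPS 46-3. The outer
# two input bits select the row and the middle four bits select the column.

S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]

def sbox_lookup(table, six_bits):
    """Map a 6-bit input string such as '100011' to a 4-bit output string."""
    if len(six_bits) != 6 or set(six_bits) - {"0", "1"}:
        raise ValueError("input must be 6 bits")
    row = int(six_bits[0] + six_bits[5], 2)   # bits 1 and 6 select the row
    col = int(six_bits[1:5], 2)               # bits 2..5 select the column
    return format(table[row][col], "04b")

def is_permutation_per_row(table):
    """Each row of a DES S-box is a permutation of 0..15; check that design property."""
    return all(sorted(row) == list(range(16)) for row in table)

if __name__ == "__main__":
    print(sbox_lookup(S1, "100011"))          # 1100 (row 3, column 1 -> 12)
    print(sbox_lookup(S1, "000000"))          # 1110 (row 0, column 0 -> 14)
    print(is_permutation_per_row(S1))         # True
```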
Straight Permutation Table (P-Box)
General Structure of DES
Key Generation
The round-key generator creates sixteen 48-bit keys out of a 56-bit cipher key.
Key Generation (Contd…)
Parity Drop: It is a compression transposition step. It drops the parity bits (bits 8, 16, 24, 32, …, 64) from the 64-bit key and permutes the rest of the bits according to the following table.
Parity-bit drop table
Key Generation (Contd…)
The 56-bit key is now divided into two 28-bit parts. Then each part is left-shifted (circularly) by either one or two bits in each round, as shown in the table.
Number of bit shifts
Analysis of DES
• The desired property of a block cipher is the avalanche effect.
• Avalanche effect means that a small change in the plaintext (or key) should create a significant change in the ciphertext (diffusion and confusion).
• Diffusion: The idea of diffusion is to hide the relationship between the ciphertext and the plaintext.
• Confusion: The idea of confusion is to hide the relationship between the ciphertext and the key.
Example
Let us encrypt two plaintext blocks (with the same key) that differ only in one bit and observe the number of differing bits after each round.
Example (Contd…)
• Although the two plaintext blocks differ only in the rightmost bit, the ciphertext blocks differ in 29 bits.
• This means that changing approximately 1.5 percent of the plaintext creates a change of approximately 45 percent in the ciphertext.
Number of bit differences for each round
Design Criteria
S-Boxes
The design provides confusion of bits from each round to the next.
P-Boxes
They provide diffusion of bits.
Number of Rounds
DES uses sixteen rounds of Feistel ciphers. The ciphertext is thoroughly a random function of plaintext and ciphertext.
DES Weaknesses
• During the last few years researchers have found some weaknesses in DES.
1. Weaknesses in S-boxes
2. Weaknesses in P-boxes
3. Weaknesses in Key
• What is the key domain of DES?
• It is 2^56 possible keys.
Facts
• For a processor checking 1 million keys/sec, it would take more than 2000 years for a brute-force attack.
• But, if we have 3500 networked computers, it may find the key in 120 days!!!
Continued
Multiple DES
• The major criticism of DES regards its key length.
• Techniques like differential (1980) and linear cryptanalysis (1992) could break the cipher.
• But linear cryptanalysis needs 2^47 known plaintexts to break the cipher.
• Therefore, the designers proposed double or triple DES to increase the key size and security.
Double DES (2DES)
Meet-in-the-Middle Attack
Triple DES (with two keys)
Triple DES with Three Keys
Advanced Encryption Standard (AES)
• The Advanced Encryption Standard (AES) is a symmetric-key block cipher (also known as the Rijndael cipher).
• Published by the National Institute of Standards and Technology (NIST) in December 2001 (FIPS 197).
• Designers: Joan Daemen (Cryptographer & IT Security Architect, STMicroelectronics) and Vincent Rijmen (Chief Cryptographer, Cryptomathic).
Block size, Key size and No. of Rounds
• AES is a non-Feistel cipher that encrypts and decrypts a data block of 128 bits.
• It uses 10, 12, or 14 rounds. The key size, which can be 128, 192, or 256 bits, depends on the number of rounds.
General design of AES
Data Units in AES
Block-to-state and State-to-block transformation
Example
Changing plaintext to state
Structure of Each Round during encryption
To provide security, AES uses four types of transformations:
• Substitution (SubBytes)
• Permutation (ShiftRows)
• Mixing (MixColumns)
• Key-adding (AddRoundKey)
Substitution: SubBytes & InvSubBytes
Note
SubBytes Table
SubBytes Table (Contd…)
InvSubBytes Table
InvSubBytes Table (Contd…)
Example
Transformation Using the GF(2^8) Field
Note
SubBytes and InvSubBytes processes
Example
Permutation: ShiftRows & InvShiftRows
Example
The figure shows how a state is transformed using the ShiftRows transformation. The figure also shows that the InvShiftRows transformation creates the original state.
Mixing
MixColumns
InvMixColumns
Note
Mixing (Contd…)
Constant matrices used by MixColumns and InvMixColumns
Example
AddRoundKey
Note
AddRoundKey transformation
Key matrix:
k0  k4  k8   k12
k1  k5  k9   k13
k2  k6  k10  k14
k3  k7  k11  k15
• To create round keys for each round, AES uses a key-expansion process.
• If the number of rounds is Nr, the key-expansion routine creates Nr + 1 128-bit round keys from one single 128-bit cipher key.
• The key-expansion routine creates round keys word by word (a word is an array of 4 bytes).
• The routine creates 4 × (Nr + 1) words, called w0, w1, w2, …, w(4(Nr + 1) − 1).
Therefore, AES-128 (10 rounds) has 44 words, AES-192 (12 rounds) has 52 words, and AES-256 (14 rounds) has 60 words.
Key Expansion in AES-128
RCon Constants
Round keys
Let us take cipher key 1 and cipher key 2, which differ only in one bit:
Avalanche effect
• Let us take all 0s for the plaintext and cipher key shown below. See the ciphertext.
Observation:
• Assume that all bits in the cipher key are 0s.
• The words in the pre-round and the first round are all the same.
• In the second round, the first word matches the third; the second word matches the fourth.
• However, after the second round the pattern disappears; every word is different.
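The AES transformations described above (SubBytes built from GF(2^8) inversion plus the affine map, MixColumns with its constant matrix, and the word-by-word key expansion with RCon), as an added example that is not part of the original slides and not the designers' code; it is written from the FIPS 197 definitions. The all-zero cipher key is the one the slides' observation uses, and the code reproduces that observation: identical words in round 1, pairwise-matching words in round 2, all different from round 3 on.

```python
# Added example (not from the original slides): AES building blocks written
# from the FIPS 197 definitions. It derives SubBytes from GF(2^8) inversion
# plus the affine map, applies MixColumns to one column, and expands an
# AES-128 key word by word to reproduce the slides' all-zero-key observation.

def gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p

def gf_inv(a):
    """Multiplicative inverse in GF(2^8); AES maps 0 to 0."""
    if a == 0:
        return 0
    result, base, e = 1, a, 254        # a^254 = a^-1 in a group of order 255
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        e >>= 1
    return result

def sub_byte(a):
    """SubBytes on one byte: invert in GF(2^8), then the affine map with constant 0x63."""
    x = gf_inv(a)
    y = 0
    for i in range(8):
        bit = 0
        for shift in (0, 4, 5, 6, 7):          # b_i ^ b_i+4 ^ b_i+5 ^ b_i+6 ^ b_i+7
            bit ^= (x >> ((i + shift) % 8)) & 1
        y |= bit << i
    return y ^ 0x63

SBOX = [sub_byte(v) for v in range(256)]

def mix_column(col):
    """MixColumns on one column with the constant matrix [2 3 1 1; 1 2 3 1; 1 1 2 3; 3 1 1 2]."""
    a0, a1, a2, a3 = col
    return [gf_mul(a0, 2) ^ gf_mul(a1, 3) ^ a2 ^ a3,
            a0 ^ gf_mul(a1, 2) ^ gf_mul(a2, 3) ^ a3,
            a0 ^ a1 ^ gf_mul(a2, 2) ^ gf_mul(a3, 3),
            gf_mul(a0, 3) ^ a1 ^ a2 ^ gf_mul(a3, 2)]

def expand_key_128(key):
    """The 44 words w0..w43 of AES-128; every fourth word passes through RotWord, SubWord and RCon."""
    if len(key) != 16:
        raise ValueError("AES-128 needs a 16-byte key")
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 0x01
    for i in range(4, 44):
        t = w[i - 1][:]
        if i % 4 == 0:
            t = t[1:] + t[:1]                       # RotWord
            t = [SBOX[b] for b in t]                # SubWord
            t[0] ^= rcon                            # RCon
            rcon = gf_mul(rcon, 2)                  # next RCon: 01, 02, 04, ..., 36
        w.append([x ^ y for x, y in zip(w[i - 4], t)])
    return w

def round_words(words, r):
    """The four words forming round key r (r = 0 is the pre-round key)."""
    return words[4 * r:4 * r + 4]

if __name__ == "__main__":
    print(hex(SBOX[0x53]))                                           # 0xed
    print([hex(v) for v in mix_column([0xD4, 0xBF, 0x5D, 0x30])])    # 0x4 0x66 0x81 0xe5
    zero_words = expand_key_128(bytes(16))      # constructed all-zero cipher key
    for r in range(4):
        print(r, [bytes(x).hex() for x in round_words(zero_words, r)])
    # round 1: four identical words; round 2: word 0 == word 2 and word 1 == word 3;
    # round 3 onwards: all different, as the slides observe.
```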
Security
Statistical Attacks
Numerous tests have failed to do statistical analysis of the ciphertext.
Simplicity and Cost
Assignment
Mathematics of Cryptography-III
Prime Numbers and Related Algorithms
Example 1
What is the smallest prime?
Solution
The smallest prime is 2, which is divisible by 2 (itself) and 1.
Example 2
List the primes smaller than 10.
Solution
• There are four primes less than 10: 2, 3, 5, and 7.
• It is interesting to note that the percentage of primes in the range 1 to 10 is 40%.
• The percentage decreases as the range increases.
Cardinality of Primes
Note
There is an infinite number of primes.
Number of Primes
Checking for Primeness
We can combine the above four rules to find the value of φ(n).
Note
Example 1
What is the value of φ(13)?
Solution
Because 13 is a prime, φ(13) = (13 − 1) = 12.
Example 2
What is the value of φ(10)?
Solution
We can use the third rule: φ(10) = φ(2) × φ(5) = 1 × 4 = 4, because 2 and 5 are primes.
Euler’s Phi-Function (Contd…)
Example 3
What is the value of φ(240)?
Solution
We can write 240 = 2^4 × 3^1 × 5^1. Then
Example 4
Can we say that φ(49) = φ(7) × φ(7) = 6 × 6 = 36?
Solution
No. The third rule applies when m and n are relatively prime. Here 49 = 7^2. We need to use the fourth rule: φ(49) = 7^2 − 7^1 = 42.
Euler’s Phi-Function (Contd…)
Example 5
What is the number of elements in Z14*?
Solution
The answer is φ(14) = φ(7) × φ(2) = 6 × 1 = 6. The members are 1, 3, 5, 9, 11, and 13.
Note
a^(p − 1) ≡ 1 mod p
Second Version: If p is a prime and a is an integer, then
a^p ≡ a mod p
Application: It is useful for quickly finding a solution to some exponentiations.
Fermat’s Little Theorem (Contd…)
Example 1
Find the result of 6^10 mod 11.
We have 6^10 mod 11 = 1. This is the first version of Fermat’s little theorem where p = 11.
Example 2
Find the result of 3^12 mod 11.
Here the exponent (12) and the modulus (11) are not the same. With substitution this can be solved using Fermat’s little theorem.
Fermat’s Little Theorem (Contd…)
It can also help us to find multiplicative inverses.
a^φ(n) ≡ 1 (mod n)
Second Version: If n = p × q, a < n, and k is an integer, then
a^(k × φ(n) + 1) ≡ a (mod n)
Note
The second version of Euler’s theorem is used in the RSA cryptosystem.
Euler’s Theorem (Contd…)
Example 1
Example 2
Find the result of 20^62 mod 77.
Solution
If we let k = 1 in the second version, we have
20^62 mod 77 = (20 mod 77) (20^(φ(77) + 1) mod 77) mod 77 = (20)(20) mod 77 = 15.
Euler’s Theorem (Contd…)
a. 8^−1 mod 77
b. 7^−1 mod 15
c. 60^−1 mod 187
d. 71^−1 mod 100
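Euler's phi function and the two theorems from the slides above, as an added example that is not part of the original slides. φ(n) is computed from the prime factorisation (the product of p^k − p^(k−1) over the prime powers dividing n), Fermat's and Euler's theorems are checked numerically on the slide examples, and the four inverse exercises are solved with a^(φ(n) − 1) mod n, which is the use of Euler's theorem for inverses the slides mention. Trial-division factoring is used, which is fine for numbers of this size and is an assumption of the example, not a method the slides prescribe.

```python
# Added example (not from the original slides): Euler's phi function from the
# prime factorisation, Fermat's and Euler's theorems checked numerically, and
# multiplicative inverses obtained from a^(phi(n) - 1) mod n as the slides suggest.
from math import gcd

def factorize(n):
    """Prime factorisation by trial division: {p: k}; adequate for small n."""
    factors, p = {}, 2
    while p * p <= n:
        while n % p == 0:
            factors[p] = factors.get(p, 0) + 1
            n //= p
        p += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors

def phi(n):
    """phi(n) = product over p^k dividing n of (p^k - p^(k-1)): the slides'
    fourth rule on each prime power, combined with the third rule."""
    result = 1
    for p, k in factorize(n).items():
        result *= p ** k - p ** (k - 1)
    return result

def fermat_holds(a, p):
    """First version of Fermat's little theorem: a^(p-1) = 1 (mod p) when p does not divide a."""
    return pow(a, p - 1, p) == 1

def euler_second_version(a, n, k):
    """a^(k*phi(n) + 1) mod n; equals a when n = p*q and a < n."""
    return pow(a, k * phi(n) + 1, n)

def inverse_by_euler(a, n):
    """a^-1 = a^(phi(n) - 1) mod n, valid only when gcd(a, n) = 1."""
    if gcd(a, n) != 1:
        return None
    return pow(a, phi(n) - 1, n)

if __name__ == "__main__":
    print(phi(13), phi(10), phi(240), phi(49), phi(14))   # 12 4 64 42 6
    print(fermat_holds(6, 11), pow(3, 12, 11))            # True 9
    print(euler_second_version(20, 77, 1) * 20 % 77)      # 15 = 20^62 mod 77
    for a, n in [(8, 77), (7, 15), (60, 187), (71, 100)]:
        inv = inverse_by_euler(a, n)
        print(a, n, inv, (a * inv) % n == 1)
```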
Continued
Example
Assume n has 200 bits. What is the number of bit operations needed to run the divisibility-test algorithm in a computer capable of doing 2^30 bit operations per second?
Solution
The bit-operation complexity of this algorithm is 2^(n_b/2). This
Solution
This algorithm needs only (log2 200)^12 = 39,547,615,483 bit operations. On a computer capable of doing 1 billion bit operations per second, the algorithm needs only 40 seconds.
The AKS Team
Padmashree Dr. Manindra Agrawal, Professor, Dept. of CSE, IIT Kanpur
The Clay Research Award, 2002.
Dr Meghnad Saha Award in Mathematical Sciences, 2003.
ICTP Prize, 2003.
Shanti Swarup Bhatnagar Award in Mathematical Sciences, 2003.
Distinguished Alumnus Award by IIT, Kanpur, 2003.
Godel Prize, for the paper "PRIMES is in P", 2006
in 2013
Fulkerson Prize for the paper "PRIMES is in P", 2006
Infosys Mathematics Prize, 2008.
G D Birla Award for Scientific Research, 2009.
Example: Pollard rho factorization
Let n = 8051 and f(x) = (x^2 + 1) mod 8051.
i    x_i    y_i     GCD(|x_i − y_i|, 8051)
1    5      26      1
2    26     7474    1
3    677    871     97
Complexity: Pollard rho has a running time of O(n^(1/4)), which is exponential.
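Pollard's rho with the slide's parameters, as an added example that is not part of the original slides. The starting value x0 = 2 is an assumption (the slide gives only the table, whose first row is consistent with it); the function records the (i, x_i, y_i, gcd) rows as it goes, so the slide's table is reproduced, and a small wrapper applies rho recursively to get the full factorisation.

```python
# Added example (not from the original slides): Pollard's rho factorisation with
# the slides' parameters, n = 8051 and f(x) = (x^2 + 1) mod n, recording the
# (i, x_i, y_i, gcd) rows of the slides' table as it goes.
from math import gcd

def pollard_rho(n, x0=2, c=1, max_iter=100000):
    """Return (factor, trace). x advances one step, y two steps (Floyd's cycle detection)."""
    f = lambda x: (x * x + c) % n
    x = y = x0
    trace = []
    for i in range(1, max_iter + 1):
        x = f(x)
        y = f(f(y))
        d = gcd(abs(x - y), n)
        trace.append((i, x, y, d))
        if d == n:
            return None, trace          # the cycle closed without a factor: retry with another c
        if d > 1:
            return d, trace
    return None, trace

def factor_fully(n):
    """Apply rho recursively; tiny n is tested for primality by trial division."""
    if n < 2:
        return []
    if all(n % p for p in range(2, int(n ** 0.5) + 1)):
        return [n]                      # prime
    for c in range(1, 20):
        d, _ = pollard_rho(n, c=c)
        if d:
            return sorted(factor_fully(d) + factor_fully(n // d))
    raise RuntimeError("rho failed; try different starting values")

if __name__ == "__main__":
    factor, rows = pollard_rho(8051)
    for row in rows:
        print(row)                      # (1, 5, 26, 1), (2, 26, 7474, 1), (3, 677, 871, 97)
    print(factor, 8051 // factor)       # 97 83
    print(factor_fully(8051))           # [83, 97]
```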
Continued
Example
Solution
We follow the four steps.
1. M = 3 × 5 × 7 = 105
4. x = (2 × 35 × 2 + 3 × 21 × 1 + 2 × 15 × 1) mod 105 = 23
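The four-step Chinese Remainder Theorem solution above, as an added example that is not part of the original slides. The system itself is not printed on the slide; the congruences x ≡ 2 (mod 3), x ≡ 3 (mod 5), x ≡ 2 (mod 7) are read off the step-4 line (a_i = 2, 3, 2 with M_i = 35, 21, 15). The function implements the general method: M, the M_i, their inverses modulo m_i, and the weighted sum.

```python
# Added example (not from the original slides): the four-step Chinese Remainder
# Theorem solution from the slides, applied to the system read off the solution
# line: x = 2 (mod 3), x = 3 (mod 5), x = 2 (mod 7).
from math import gcd

def crt(residues, moduli):
    """Return (x, M): the unique x in Z_M for pairwise coprime moduli, M = m1 * ... * mk."""
    for i in range(len(moduli)):
        for j in range(i + 1, len(moduli)):
            if gcd(moduli[i], moduli[j]) != 1:
                raise ValueError("moduli must be pairwise coprime")
    M = 1
    for m in moduli:                       # step 1: M = m1 x m2 x ... x mk
        M *= m
    x = 0
    for a, m in zip(residues, moduli):
        Mi = M // m                        # step 2: M_i = M / m_i
        Mi_inv = pow(Mi, -1, m)            # step 3: M_i^-1 mod m_i
        x += a * Mi * Mi_inv               # step 4: sum of a_i x M_i x M_i^-1
    return x % M, M

if __name__ == "__main__":
    x, M = crt([2, 3, 2], [3, 5, 7])
    print(x, M)                            # 23 105
    print([x % m for m in (3, 5, 7)])      # [2, 3, 2]
```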
Example 2
2. It is a cyclic group.
Note:
But, when p is large, it is difficult to find the
values of x by using such a table
Discrete Logarithm
Example
Find x in each of the following cases:
a. 4 ≡ 3^x (mod 7)
b. 6 ≡ 5^x (mod 7)
Solution
We can easily find the discrete logarithms by referring to Table 1.
a. 4 ≡ 3^x mod 7 → x = L_3(4) mod 7 = 4 mod 7
b. 6 ≡ 5^x mod 7 → x = L_5(6) mod 7 = 3 mod 7
Algorithms for Discrete Logarithm
• Baby-step giant-step
• Index Calculus
• Pohlig-Hellman algorithm
• Pollard rho algorithm for logarithms
For which values of n (= 17, 20, 38, and 50) does the group G = <Zn*, ×> have primitive roots?
Solution
a. G = <Z17*, ×> has primitive roots; 17 is a prime.
b. G = <Z20*, ×> has no primitive roots.
c. G = <Z38*, ×> has primitive roots; 38 = 2 × 19 and 19 is prime.
d. G = <Z50*, ×> has primitive roots; 50 = 2 × 5^2 and 5 is a prime.
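An added example, not part of the original slides, covering three passages at once: the cyclic-group check for <Z10*, ×> and <Z12*, ×> with their generators, the discrete-logarithm examples modulo 7 solved from an exhaustive table, and the primitive-root question for n = 17, 20, 38, 50. The generator search is brute force (it lists the powers of every unit), and the slides' criterion (n = 1, 2, 4, p^k or 2p^k) is implemented separately so the two can be compared.

```python
# Added example (not from the original slides): checks whether <Z_n*, x> is
# cyclic by searching for a generator, applies the slides' criterion
# (n = 1, 2, 4, p^k or 2p^k), and solves the slides' mod-7 discrete logarithms
# by building the power table.
from math import gcd

def z_star(n):
    """Elements of Z_n*: the units modulo n."""
    return [a for a in range(1, n) if gcd(a, n) == 1]

def generators(n):
    """Units g whose powers produce every unit of Z_n* (the primitive roots)."""
    units = z_star(n)
    found = []
    for g in units:
        seen, x = set(), 1
        for _ in range(len(units)):
            x = (x * g) % n
            seen.add(x)
        if len(seen) == len(units):
            found.append(g)
    return found

def is_cyclic(n):
    return len(generators(n)) > 0

def has_primitive_roots_by_rule(n):
    """The slides' criterion: n is 1, 2, 4, p^k or 2p^k with p an odd prime."""
    if n in (1, 2, 4):
        return True
    m = n // 2 if n % 2 == 0 else n
    if m % 2 == 0:                         # 4 divides n and n > 4: no primitive roots
        return False
    p = next(d for d in range(3, m + 1) if m % d == 0)   # smallest odd prime factor
    while m % p == 0:
        m //= p
    return m == 1                          # true only if m was a power of that single prime

def discrete_log(base, value, p):
    """Smallest x with base^x = value (mod p), found by walking the power table; None if absent."""
    x, cur = 0, 1
    while x < p - 1:
        if cur == value:
            return x
        cur = (cur * base) % p
        x += 1
    return None

if __name__ == "__main__":
    print(generators(10), is_cyclic(10))   # [3, 7] True
    print(generators(12), is_cyclic(12))   # [] False
    print(discrete_log(3, 4, 7), discrete_log(5, 6, 7))   # 4 3
    for n in (17, 20, 38, 50):
        print(n, is_cyclic(n), has_primitive_roots_by_rule(n))
```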
Continued
Encryption with the public key and decryption with the private key:
C = f(Kpublic, P)    P = g(Kprivate, C)
Trapdoor One-Way Function
One-Way Function (OWF)
Example
Trapdoor One-Way Function (TOWF)
Example
• A well-known public-key algorithm developed in 1977.
• Invented by Rivest, Shamir, and Adleman at MIT.
• It is based on the factorization problem.
ACM Turing Award Winners, 2002
Two Algebraic Structures
• Let us assume:
Public key: (e, n)
Private key: (d)
RSA Key Generation Algorithm
RSA Encryption & Decryption
Proof of RSA
Encryption, decryption, and key generation in RSA
Some Trivial Examples
Example
Quiz:
(a) 51 (b) 29
(c) 43 (d) 58
A More Realistic Example
Continued
Complexity of RSA
Attacks on RSA
• Factorization Attack
• Chosen-Ciphertext Attack
• Attacks on the encryption exponent
• Attacks on the decryption exponent
• Plaintext Attack
• Attacks on the modulus
To be secure from the factorization attack, RSA presently requires that n should be more than 300 decimal digits, which means that the modulus must be at least 1024 bits.
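RSA key generation, encryption and decryption in the trivial-example style of the slides above, as an added example that is not part of the original slides. The parameters p = 7, q = 11, e = 13 and the plaintext 5 are constructed here (the slide's own trivial example did not survive extraction); the code checks gcd(e, φ(n)) = 1 and P < n, and confirms the "Proof of RSA" numerically by verifying P^(ed) ≡ P for every P in Zn.

```python
# Added example (not from the original slides): RSA key generation, encryption
# and decryption in the trivial-example style of the slides, with the key
# parameters checked (gcd(e, phi) = 1, plaintext < n) and the slides' proof
# (the second version of Euler's theorem) confirmed numerically.
from math import gcd

def rsa_keygen(p, q, e):
    """Public key (e, n), private key d = e^-1 mod phi(n). p and q must be distinct primes."""
    if p == q:
        raise ValueError("p and q must differ")
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime with phi(n)")
    d = pow(e, -1, phi)
    return (e, n), d

def rsa_encrypt(public, plaintext):
    e, n = public
    if not 0 <= plaintext < n:
        raise ValueError("plaintext must be in Z_n")
    return pow(plaintext, e, n)             # C = P^e mod n

def rsa_decrypt(public, d, ciphertext):
    _, n = public
    return pow(ciphertext, d, n)            # P = C^d mod n

def proof_check(public, d):
    """e*d = 1 + k*phi(n), so P^(ed) = P^(k*phi(n)+1) = P (mod n) for every P in Z_n."""
    e, n = public
    return all(pow(m, e * d, n) == m for m in range(n))

if __name__ == "__main__":
    # constructed toy parameters; real keys use a 1024-bit or larger n
    public, private = rsa_keygen(7, 11, 13)
    print(public, private)                       # (13, 77) 37
    c = rsa_encrypt(public, 5)
    print(c, rsa_decrypt(public, private, c))    # 26 5
    print(proof_check(public, private))          # True
```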
• Invented by Taher ElGamal in 1985.
• It is an asymmetric public-key cryptosystem based on the discrete logarithm problem.
• The bit-operation complexity of encryption or decryption is polynomial, like RSA.
Taher ElGamal, CTO, Security, salesforce.com
Key Generation Algorithm
ElGamal Encryption & Decryption Algorithm
Procedure
A Trivial Example
• Bob chooses p = 11, e1 = 2 and d = 3. e2 = e1^d = 8.
• So the public key is (2, 8, 11) and the private key is 3.
• Let Alice choose r = 4 and calculate C1 and C2 for the plaintext 7.
Attacks on ElGamal Cryptosystem
Note
• To prevent the low-modulus attack, p must be at least 300 digits.
• To prevent the known-plaintext attack, r must be new for each encryption.
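The ElGamal key generation, encryption and decryption steps with the trivial example's parameters (p = 11, e1 = 2, d = 3, r = 4, plaintext 7), as an added example that is not part of the original slides. When no r is supplied the code draws a fresh random one, which is the note's requirement that r be new for each encryption; the last lines show what equal C1 values reveal when that rule is broken.

```python
# Added example (not from the original slides): the ElGamal key generation,
# encryption and decryption steps with the slides' trivial parameters
# (p = 11, e1 = 2, d = 3, r = 4, plaintext 7).
import secrets

def elgamal_keygen(p, e1, d):
    """Public key (e1, e2, p) with e2 = e1^d mod p; private key d."""
    return (e1, pow(e1, d, p), p), d

def elgamal_encrypt(public, plaintext, r=None):
    """C1 = e1^r mod p, C2 = (P * e2^r) mod p. r must be fresh for every message;
    a random r is drawn when none is supplied."""
    e1, e2, p = public
    if r is None:
        r = secrets.randbelow(p - 2) + 1
    c1 = pow(e1, r, p)
    c2 = (plaintext * pow(e2, r, p)) % p
    return c1, c2

def elgamal_decrypt(public, d, ciphertext):
    """P = C2 * (C1^d)^-1 mod p."""
    _, _, p = public
    c1, c2 = ciphertext
    return (c2 * pow(pow(c1, d, p), -1, p)) % p

if __name__ == "__main__":
    public, private = elgamal_keygen(11, 2, 3)
    print(public, private)                       # (2, 8, 11) 3
    ct = elgamal_encrypt(public, 7, r=4)
    print(ct)                                    # (5, 6)
    print(elgamal_decrypt(public, private, ct))  # 7
    # A reused r gives the same C1 for two messages, which is visible to anyone
    # reading the ciphertexts; that is why the slides require a new r each time.
    ct2 = elgamal_encrypt(public, 9, r=4)
    print(ct2[0] == ct[0])                       # True
```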
ELLIPTIC CURVE CRYPTOSYSTEM (ECC)
Although RSA and ElGamal are secure asymmetric-key cryptosystems, their security comes with a price(?)
• Large key size
• Researchers have looked for alternatives that give the same level of security with smaller key sizes.
• The Elliptic Curve Cryptosystem (ECC), invented around 1985, is the best alternative.
• Developed independently by Victor Miller & Neal Koblitz.
• The mathematical basis of ECC is the ECDLP (Elliptic Curve Discrete Logarithm Problem), which has exponential time complexity.
Key size: Equivalent strength comparison
A comparison of public key cryptosystems
Elliptic Curves over Real Numbers
The general equation for an elliptic curve is
Addition in Elliptic Curve (three cases)
GF(p)
• We now represent the elliptic curve Ep(a, b), where p defines the modulus and a and b are the coefficients of the equation y^2 = x^3 + ax + b.
Points on an Elliptic Curve over GF(p)
Example
Let the elliptic curve be E13(1, 1) and the equation be y^2 = x^3 + x + 1; find the points on the curve.
Points on an Elliptic Curve over GF(p) (Contd…)
Example
Let us add two points from the previous example: R = P + Q, where P = (4, 2) and Q = (10, 6).
a. λ = (6 − 2) × (10 − 4)^−1 mod 13 = 4 × 6^−1 mod 13 = 5 mod 13.
b. x = (5^2 − 4 − 10) mod 13 = 11 mod 13.
c. y = [5 (4 − 11) − 2] mod 13 = 2 mod 13.
d. R = (11, 2), which is a point on the curve in the previous example.
Points on an Elliptic Curve over GF(2^n)
Example
Elements of GF(2^3) by using generator g
• Let us take the field GF(2^3) with the irreducible polynomial f(x) = x^3 + x + 1.
• Its elements can be expressed as {0, 1, g, g^2, g^3, g^4, g^5, g^6} by using g as a generator (root).
• We can derive these from f(x) = x^3 + x + 1 by writing g^3 + g + 1 = 0, or g^3 = g + 1.
• Other powers of g can be calculated accordingly.
• The following shows the values of the g’s.
Adding Two Points on an Elliptic Curve over GF(2^n)
1. If P = (x1, y1), Q = (x2, y2), Q ≠ −P, and Q ≠ P, then R = (x3, y3) = P + Q can be found as:
Examples
Example 1
Example 2
Find R = 2P, where P = (g^2, 1).
We have λ = g^2 + 1/g^2 = g^2 + g^5 = g + 1, hence R = (g^6, g^5).
ECC Simulating ElGamal
ElGamal cryptosystem using the elliptic curve
ElGamal
Continued
Encryption
Decryption
Security in ECC
Note
The security of ECC depends on the difficulty of solving the elliptic curve logarithm problem.
Message Integrity and Message Authentication
• So far we have studied how to achieve secrecy (or confidentiality), but not integrity.
• However, there are occasions where we may not even need secrecy but instead must have integrity.
Difference
Note
The message digest needs to be safe from change.
Modification Detection Code (MDC)
Cryptographic Hash Function
Preimage Resistance
Preimage Attack
Given: y. Find: M such that y = h(M).
Second Preimage Resistance
Collision Resistance
Pigeonhole Principle
Pigeonhole Principle (Contd…)
Example
Assume that the messages in a hash function are 6 bits long and the digests are only 4 bits long. Find the possible number of digests (pigeonholes) and messages (pigeons) and prove the pigeonhole principle.
• The possible number of digests (pigeonholes) is 2^4 = 16,
• and the possible number of messages (pigeons) is 2^6 = 64.
• This means n = 16 and kn + 1 = 64, so k is larger than 3.
• The conclusion is that at least one digest corresponds to five (= k + 1) messages.
RANDOM ORACLE MODEL
• It is an ideal mathematical model for a hash function by Bellare and Rogaway (1993).
• Characteristics of this model:
• When a new message of any length is given, the oracle creates a random fixed-length message digest.
• When a message is given for which a digest exists, the oracle simply gives the digest from the record.
• The digest for a new message shouldn’t match any previous digest.
Attacks on Random Oracle Model
• Suppose Eve is trying to attack a hash function.
• That means, for a given digest D, the attacker (Eve) makes k queries to the oracle so as to match any one with D, where D is a random variable having N (= 2^n) possible values between 0 and N − 1.
• The following table shows the values of k with probability of success (P = 0.5) for different attacks:
Birthday Paradox
• What is the minimum number, k, of students in a classroom such that it is likely that at least two students have the same birthday?
• This problem can be generalized as:
• We have a uniformly distributed random variable with N possible values (between 0 and N − 1).
• What is the minimum number of instances, k, such that it is likely that at least two instances are equal?
• So, here the digest is considered as a random variable with possible values between 0 and N − 1, where N = 2^n.
Analysis of Preimage Attack
• The probability that the hash of an M[i], for any i, matches D is 1/N.
• Thus the probability that it doesn’t match is 1 − 1/N.
• The probability that none of the k queries made by Eve matches D is (1 − 1/N)^k.
• Thus the success probability of Eve = 1 − (1 − 1/N)^k.
• Let us apply the series e^−x = 1 − x + x^2/2! − x^3/3! + … to approximate the probability.
• If x is small, we can replace 1 − x by e^−x.
• If N is large, then we can write 1 − 1/N = e^−(1/N).
• Thus we have P[success] = 1 − e^−k/N.
• Assuming P = 0.5, we get k = −ln(0.5) × N = 0.69 × 2^n, where N = 2^n.
Example
A cryptographic hash function produces a digest of 64 bits. How many digests does Eve need to create, at the rate of 2^30 messages per second, to find the original message with probability more than 0.5 in a preimage attack?
Solution
• The number of digests to be created is k ≈ 0.69 × 2^n ≈ 0.69 × 2^64.
• This is a large number. Even if Eve can create 2^30 (almost one billion) messages per second, it takes 0.69 × 2^34 seconds, or more than 500 years.
• This means that a message digest of size 64 bits is secure with respect to the preimage attack.
Caution: But this digest size is not secure against a collision attack.
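The preimage analysis above, as an added example that is not part of the original slides. It evaluates the slides' formula k = −ln(1 − P) × 2^n for the 64-bit example, and then measures both a preimage search and a collision search against a toy n-bit digest (SHA-256 truncated to n bits, an assumption of the example) so that the caution at the end, that collisions are far cheaper than preimages for the same n, can be seen directly in the counts. Messages of the form "m0", "m1", … are constructed inputs.

```python
# Added example (not from the original slides): the preimage formula from the
# slides (k = 0.69 * 2^n for success probability 0.5) evaluated for the 64-bit
# example, and the preimage and collision searches run for real against a
# digest truncated to n bits so the two cost scales can be compared.
import hashlib
import math

def preimage_queries(n, prob=0.5):
    """k = -ln(1 - prob) * 2^n; for prob = 0.5 this is the slides' 0.69 * 2^n."""
    return -math.log(1 - prob) * 2 ** n

def years_for(n, rate_per_second):
    """Time to make preimage_queries(n) digests at the given rate, in years."""
    return preimage_queries(n) / rate_per_second / (365 * 24 * 3600)

def digest(msg, n):
    """First n bits of SHA-256, as an integer: a toy n-bit hash for the experiment."""
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return h >> (256 - n)

def preimage_search(target, n, limit):
    """Try constructed messages m0, m1, ... until one hashes to target; return the try count or None."""
    for i in range(limit):
        if digest(b"m%d" % i, n) == target:
            return i + 1
    return None

def collision_search(n, limit):
    """Store digests until one repeats; return (tries, msg_a, msg_b) or None."""
    seen = {}
    for i in range(limit):
        m = b"m%d" % i
        d = digest(m, n)
        if d in seen:
            return i + 1, seen[d], m
        seen[d] = m
    return None

if __name__ == "__main__":
    print(preimage_queries(64))                 # about 0.69 * 2^64
    print(years_for(64, 2 ** 30))               # hundreds of years at 2^30 digests per second
    n = 16
    target = digest(b"secret document", n)      # constructed target message
    print(preimage_search(target, n, 2 ** 20))  # on the order of 2^n tries
    print(collision_search(n, 2 ** 16))         # on the order of 2^(n/2) tries
```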
Example
Standard Hash Functions
• MD5
• SHA-512
MESSAGE AUTHENTICATION
• A message digest discussed earlier (MDC) does not authenticate the sender of the message.
• That means the receiver cannot know whether the message has come from the intended sender or not.
• To provide message authentication, the sender Alice needs to provide a proof that it is Alice sending the message and not an impostor.
• Therefore, we need a new mechanism called a message authentication code (MAC).
Message Authentication Code (MAC)
• It ensures the integrity as well as the originator of the message.
• Therefore, a MAC includes a secret key (K) to achieve this.
Security of MAC
• Suppose Eve has intercepted a message M and the digest h(K|M). How can Eve forge a message without knowing the secret key?
• Methods of attack:
• Attack the key space
• Attack the MAC value
• Attack the key space
• If the attacker has a valid message and MAC pair, then he can try all possible keys (if the key domain is small).
• Since the MAC is many-to-one, there is a chance that more than one key produces the same MAC. Hence, he can try additional message-MAC pairs to get the unique key.
• Overall, he can try 2^k possible keys for a key of size k bits.
Security of MAC
• Attack the MAC value
• Here, the attacker works on the MAC without attempting to recover the key.
• That means he generates a valid MAC for the given message or finds a message that matches a given MAC.
• In either case, he has to conduct the preimage attack, which is of the order 2^n.
Nested MAC
It provides improved security, as the hashing is done in two steps.
HMAC
ipad = b/8 repetitions of the sequence 00110110
opad = b/8 repetitions of the sequence 01011100
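HMAC built directly from the ipad/opad definition above, as an added example that is not part of the original slides. It pads the key to the b-bit block size, XORs it with ipad and opad, performs the two nested hashing steps, and compares the result with Python's standard hmac module; a verifier with a constant-time comparison shows a tampered message being rejected. The key and message are constructed sample values.

```python
# Added example (not from the original slides): HMAC built directly from the
# ipad/opad definition on the slides (b/8 repetitions of 0x36 and 0x5c for a
# block size of b bits), with the result compared against Python's hmac module
# and a verifier that rejects a tampered message.
import hashlib
import hmac

def hmac_from_definition(key, message, hashfunc=hashlib.sha256):
    block_bytes = hashfunc().block_size          # b/8: 64 for SHA-256
    if len(key) > block_bytes:
        key = hashfunc(key).digest()            # long keys are hashed first
    key = key.ljust(block_bytes, b"\x00")       # short keys are zero-padded to b bits
    ipad = bytes([0x36]) * block_bytes          # 00110110 repeated b/8 times
    opad = bytes([0x5c]) * block_bytes          # 01011100 repeated b/8 times
    k_ipad = bytes(k ^ p for k, p in zip(key, ipad))
    k_opad = bytes(k ^ p for k, p in zip(key, opad))
    inner = hashfunc(k_ipad + message).digest() # first hashing step
    return hashfunc(k_opad + inner).digest()    # second (nested) hashing step

def matches_stdlib(key, message):
    """True when the definition above agrees with hmac.new(key, message, sha256)."""
    return hmac_from_definition(key, message) == hmac.new(key, message, hashlib.sha256).digest()

def verify(key, message, tag):
    """Constant-time comparison so timing does not leak how many tag bytes matched."""
    return hmac.compare_digest(hmac_from_definition(key, message), tag)

if __name__ == "__main__":
    key = b"constructed-shared-key"                  # constructed sample key
    msg = b"transfer 100 to account 42"             # constructed sample message
    tag = hmac_from_definition(key, msg)
    print(tag.hex())
    print(matches_stdlib(key, msg))                              # True
    print(verify(key, msg, tag))                                 # True
    print(verify(key, b"transfer 900 to account 42", tag))       # False
```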
Message Digest (MD)
Secure Hash Algorithm (SHA)
2. A symmetric-key block cipher serves as a compression function:
Whirlpool
MD4
• Developed by Ron Rivest in 1990.
• Hash code size is 128 bits.
• The message block size is 512 bits.
• Further, each block is divided into words of 32 bits each.
• Each block is compressed by a compression function consisting of three rounds having 16 operations each.
i        f_i         c_i
0…15     F(x,y,z)    0x00000000
16…31    G(x,y,z)    0x5a827999
32…47    H(x,y,z)    0x6ed9eba1
MD4 Structure
Round 1
Round 2
Round 3
Note:
+ denotes addition modulo 2^32
<<< s_i denotes a circular left shift by s_i positions
M_i denotes the message word to compress
C_i defines a round constant, which is the same for each operation in a round.
MD4 (Contd…)
Initial Values (IV)
H1 (for Register A)  0x67452301
H2 (for Register B)  0xefcdab89
H3 (for Register C)  0x98badcfe
H4 (for Register D)  0x10325476
Bitwise Boolean Functions
F(x,y,z) = (x ∧ y) ∨ (¬x ∧ z)
G(x,y,z) = (x ∧ y) ∨ (x ∧ z) ∨ (y ∧ z)
H(x,y,z) = x ⊕ y ⊕ z
i        s_i
0-15     3,7,11,19,3,7,11,19,3,7,11,19,3,7,11,19
16-31    3,5,9,13,3,5,9,13,3,5,9,13,3,5,9,13
32-47    3,9,11,15,3,9,11,15,3,9,11,15,3,9,11,15
MD5
MD5 Structure
Round 1
Round 2
Round 3
Round 4
Note:
+ denotes addition modulo 2^32
<<< s denotes a circular left shift by s places; s varies for each operation
M_i denotes the message word to compress
K_i defines a round constant, which is the same for each step in a round.
MD5 (Contd…)
Improvements of MD5 over MD4
= 9e107d9d372bb6826bd81d3542a419d6
= e4d909c290d0fb1ca068ffaddf22cbd0
SHA-512
• Designed by the National Security Agency and published by NIST in 2001.
• SHA-512 belongs to the family of hash functions named SHA-2 by NSA.
• This version, like the others in the SHA family of algorithms, is based on the Merkle-Damgard scheme, and it is the latest of this family.
Message digest creation SHA-512
Padding and length field in SHA-512
Message Block, Message Digest and Words
Compression Function SHA-512
Message Digest Initialization Vectors(IV)
Structure of each round in SHA-512
Functions used in the Mixers
Majority Function
Conditional Function
Rotate Functions
Word expansion in SHA-512
• Although each message block is 1024 bits = 16 words of 64 bits each, it has to be expanded to 80 words, as required by subsequent processing.
Constants used in 80 rounds of SHA-512
Generating the Constants
Example 1
Digital Signature
Introduction
Verification Method
Relationship
Duplicity
PROCESS
Does a Digital Signature need Keys?
Note
A digital signature needs a public-key system.
The signer signs with her private key; the verifier verifies with the signer's public key.
Public key Encryption/Decryption vs Digital Signature
Note
Digital Signature(Contd…)
SERVICES
Message Integrity
Nonrepudiation
Note
Note
A Trivial Example
RSA Signature on the Message Digest
Note
When the digest is signed instead of the message itself,
the susceptibility of the RSA digital signature scheme
depends on the strength of the hash algorithm.
ElGamal Digital Signature
Key Generation
• The key generation procedure here is exactly the same as the one used in the cryptosystem, like RSA. It works on the group Zp*.
Schnorr Digital Signature Scheme
• This scheme is also based on the discrete logarithm problem.
• Here, the main part of signature generation does not depend on the message.
• Hence, it minimizes the message-dependent computation.
Key Generation in Schnorr
1) Select primes p and q, such that q is a prime factor of p-1.
2) Choose an integer e1, such that e1^q = 1 mod p.
3) Choose a random integer d (0 < d < q) as her private key.
4) Calculate e2 = e1^d mod p.
5) So, the public key is (e1, e2, p, q) and the private key is d.
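An added example (not from the slides) that carries the key generation above through to signing and verification, in the usual textbook form S1 = h(M || e1^r mod p), S2 = r + d·S1 mod q, so that the only message-dependent work is one hash. The hash choice (SHA-256 reduced mod q) and the toy parameters p = 4079, q = 2039, e1 = 4 are assumptions for illustration; real deployments use far larger primes.

```python
import hashlib
import secrets

def schnorr_keygen(p: int, q: int, e1: int, d=None):
    """Key generation as on the slides: q | p-1, e1^q = 1 mod p, 0 < d < q, e2 = e1^d mod p.
    Returns (public key, private key)."""
    if (p - 1) % q != 0:
        raise ValueError("q must be a prime factor of p-1")
    if e1 == 1 or pow(e1, q, p) != 1:
        raise ValueError("e1 must have order q in Z_p*")
    if d is None:
        d = secrets.randbelow(q - 1) + 1       # random private key with 0 < d < q
    e2 = pow(e1, d, p)
    return (e1, e2, p, q), d

def _h(msg: bytes, x: int, q: int) -> int:
    """Hash of the message concatenated with the group element, reduced mod q (assumed hash choice)."""
    return int.from_bytes(hashlib.sha256(msg + b"|" + str(x).encode()).digest(), "big") % q

def schnorr_sign(msg: bytes, pub, d: int, r=None):
    e1, e2, p, q = pub
    if r is None:
        r = secrets.randbelow(q - 1) + 1       # fresh random r per signature
    commitment = pow(e1, r, p)                 # message-independent part; can be precomputed
    s1 = _h(msg, commitment, q)                # the only message-dependent step
    s2 = (r + d * s1) % q
    return s1, s2

def schnorr_verify(msg: bytes, pub, sig) -> bool:
    e1, e2, p, q = pub
    s1, s2 = sig
    if not (0 <= s1 < q and 0 <= s2 < q):
        return False
    # e1^s2 * e2^(-s1) = e1^(r + d*s1) * e1^(-d*s1) = e1^r; e2^(-s1) = e2^(q - s1) since e2^q = 1
    v = (pow(e1, s2, p) * pow(e2, q - s1, p)) % p
    return _h(msg, v, q) == s1
```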
Schnorr Digital Signature Algorithms
A Trivial Example
Digital Signature Algorithm (DSA)
• It is also called the Digital Signature Standard (DSS).
• It is an efficient variant of ElGamal's signature scheme.
• The reduction in the running time arises due to Zq*, which is a subgroup of Zp*.
DSA Key Generation
1) Choose primes p and q, such that q is a prime divisor of p-1. So, it uses the groups <Zp*, ×> and <Zq*, ×>.
DSA Signing and Verifying
A Trivial Example
Comparative Analysis
Elliptic Curve Digital Signature Algorithm
ECDSA(Contd…)
Key Generation
1) Alice chooses an elliptic curve Ep(a, b).
Time Stamped Signatures
Key Management
• Symmetric-key cryptography is more efficient than asymmetric-key cryptography for enciphering large messages.
• Symmetric-key cryptography, however, needs a shared secret key between two parties.
• The distribution of keys is another problem.
• A trusted third party is used for this.
• To reduce the number of keys, each person establishes a shared secret key with the KDC.
Key-Distribution Center: KDC
Flat Multiple KDCs
Hierarchical Multiple KDCs
Session Keys
• A KDC creates a secret key for each member.
• This secret key can be used only between the member and the KDC, not between two members.
• If Alice needs to communicate secretly with Bob, she needs another secret key between herself and Bob.
• Therefore, the KDC can create a session key between Alice and Bob.
• After the communication ends, the session key is invalid.
Note
A Simple Protocol Using a KDC
Countermeasures for Replay Attack
• By using random numbers used only once, also called nonces (used in HTTP digest access authentication, IVs and stream ciphers)
• By using a session id or session token (often used by shopping websites to assign a token to the shopper for some time)
• By using one-time passwords (often used by banks and other finance companies)
• By using timestamps (often used in digital photographs, digital signatures, file systems and databases)
Needham-Schroeder Protocol
KERBEROS
• Kerberos is an authentication protocol, and at the same time a KDC, that has become very popular.
• Several OSs, including Windows, use Kerberos.
• Originally designed at MIT, it has gone through several versions (latest: Kerberos 5).
• Three servers are involved:
  • An authentication server (AS)
  • A ticket-granting server (TGS)
  • A real (data) server
KERBEROS (Contd…)
Authentication Server (AS)
• The authentication server (AS) is the KDC in the Kerberos protocol.
• Each user registers with the AS and is granted a user-id and password.
• The AS verifies the user, issues a session key to be used between Alice and the TGS, and sends a ticket for the TGS.
KERBEROS (Contd…)
Ticket-Granting Server (TGS)
• It is also a part of the KDC, and it issues a ticket for the real server (Bob).
• It also provides the session key (KAB) between Alice and Bob.
• Although Alice verifies her user-id only once with the AS, she can contact the TGS multiple times to obtain tickets for different real servers.
Real Server
• The real server (Bob) provides services for the user (Alice).
• Kerberos is designed for client-server programs, such as FTP, HTTP etc. It is not used for person-to-person authentication.
KERBEROS Server Operation
KERBEROS operation in detail
Using Different Servers
SYMMETRIC-KEY AGREEMENT
Diffie-Hellman Key Agreement
An Example
Alice and Bob want to exchange a shared secret key by using the Diffie-Hellman technique. Assuming g = 7 and p = 23, find out K. (Assume x = 3 and y = 6.)
1. Alice chooses x = 3. So, R1 = 7^3 mod 23 = 21.
2. Bob chooses y = 6. So, R2 = 7^6 mod 23 = 4.
3. Alice sends the number 21 to Bob.
4. Bob sends the number 4 to Alice.
5. Alice calculates the symmetric key K = 4^3 mod 23 = 18.
6. Bob calculates the symmetric key K = 21^6 mod 23 = 18.
7. The value of K is the same for both Alice and Bob: g^xy mod p = 7^18 mod 23 = 18.
Security of Diffie-Hellman
Station-to-Station Key Agreement (a solution to the Man-in-the-Middle Attack)
PUBLIC-KEY DISTRIBUTION
Trusted Center
• A more secure approach than public announcement.
• A dynamically updated directory of public keys (sent by the users) is maintained and advertised.
• Each user must be registered with the TC.
Controlled Trusted Center
It provides another level of security by using a timestamp.
Certificate Authority (as of Nov 2021)
1 IdenTrust 36.0%
2 Digicert 16.9%
3 Sectigo 15.3%
5 GoDaddy 5.6%
X.509
• It is a standardised certificate format designed by ITU-T.
• All certificate authorities should follow it.
• It uses a well-known protocol called ASN.1.
X.509 (Certificate Request)
X.509 (Certificate Request)-Contd…
X.509 (Contd…)
Certificate Renewal
• Each certificate has a period of validity. If there is no problem with the certificate, the CA issues a new certificate before the old one expires.
Certificate Revocation
• In some cases a certificate must be revoked before its expiration:
  • if the user's private key is compromised,
  • if the CA is not willing to certify the user,
  • if the CA's private key is compromised.
• The revocation is done by periodically issuing a Certificate Revocation List (CRL).
X.509 (Contd…)
Certificate revocation format
Public-Key Infrastructures (PKI)
• It is a model for creating, distributing and revoking certificates based on X.509.
• It helps in secure information transfer in e-commerce, Internet banking and confidential mail.
Trust Model of PKI
Browser Support for Certificates
E-mail Architecture
E-mail Security
Cryptographic Algorithms
Since there is no session created between sender and receiver, the sender of the message needs to include the names or identifiers of the algorithms used in the message.
Cryptographic Secrets
The encryption is done using a symmetric-key algorithm, and the secret key is sent to the receiver (with the message) after encrypting it with the public key of the receiver.
Certificates
They are essential because the sender uses the receiver's public key and the receiver may use the sender's public key.
PGP
Some other features of PGP
Code Conversion
• PGP uses Radix-64 conversion to get ASCII data from non-ASCII data.
Segmentation
• PGP allows segmentation of the message to get uniform-size units of the message after applying Radix-64, as required by the underlying e-mail protocol.
Compression
• PGP uses compression techniques to reduce the size of the message.
Radix-64 conversion
• This is useful for sending images, audio, video etc.
• It divides the binary data into 24-bit blocks.
• Each block is then divided into four sections, 6 bits each.
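The 24-bit-block conversion described above, as an added example that is not part of the slides: an encoder and decoder, including the '=' padding for a final block shorter than three bytes (which the slide does not cover), cross-checked against Python's base64 module, which uses the same alphabet.

```python
import base64

# The 64 printable characters, one per 6-bit section value (0..63)
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

def radix64_encode(data: bytes) -> str:
    """Each 24-bit block (3 bytes) becomes four 6-bit sections, each printed as one ASCII
    character, so the output is 4/3 the input size.  A final block of only 1 or 2 bytes is
    padded with zero bits and the missing sections are marked with '=' characters."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        block = int.from_bytes(chunk.ljust(3, b"\x00"), "big")        # one 24-bit block
        sections = [(block >> 18) & 63, (block >> 12) & 63, (block >> 6) & 63, block & 63]
        kept = sections[:len(chunk) + 1]                               # sections carrying real bits
        out.append("".join(ALPHABET[s] for s in kept) + "=" * (3 - len(chunk)))
    return "".join(out)

def radix64_decode(text: str) -> bytes:
    """Inverse mapping: four characters back into one 24-bit block; '=' marks a short last block."""
    out = bytearray()
    for i in range(0, len(text), 4):
        group = text[i:i + 4].rstrip("=")
        block = 0
        for ch in group.ljust(4, "A"):                                 # 'A' is the all-zero section
            block = (block << 6) | ALPHABET.index(ch)
        out += block.to_bytes(3, "big")[:len(group) - 1]
    return bytes(out)

def matches_stdlib(data: bytes) -> bool:
    """Cross-check against Python's base64, which uses the same alphabet and padding rule."""
    return radix64_encode(data) == base64.b64encode(data).decode("ascii")
```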
Continued
Key Rings in PGP
Key Rings in PGP-Contd…
PGP Algorithms
PGP Algorithms (Contd…)
Private key ring table maintained by each entity
• User ID: here also the user-id is usually the e-mail id of the entity.
• Key ID: here also the key id is the first 64 bits of the public key.
• Public Key: this is the public key of the entity.
• Producer Trust: defines the trust level of the producer: full, partial or none.
• Certificate(s): holds the certificates signed by other entities for this entity.
• Certificate Trust(s): represents the certificate trust value of an entity, which is taken from the Producer Trust value after receiving a certificate from another entity.
• Key Legitimacy: this value is calculated by PGP based on the value of the certificate trust and the weight for each certificate trust.
• Timestamp: this column holds the date and time of the row creation.
Example
Continued
Trust Model in PGP
• The following shows a model of trust for Alice at some point in time.
• The diagram may change with changes in the public key ring.
Key Revocation
PGP vs X.509 Certificates
PGP Packets
Format of packet header
S/MIME
• Secure/Multipurpose Internet Mail Extension (S/MIME).
• This is an enhancement of the supplementary protocol called MIME, which has been integrated into the e-mail system.
• MIME allows non-ASCII data (which was not allowed earlier) to be sent over the same e-mail system.
• MIME transforms non-ASCII data at the sender site to NVT ASCII data and delivers it to the client MTA to be sent through the Internet.
• At the receiving site, it is transformed back into the original data.
MIME
MIME Header
MIME Header(Contd…)
Text
Quoted-printable
• This encoding is suitable if the data consists mostly of ASCII characters with a small non-ASCII portion.
• If a character is ASCII, it is sent as it is, but if it is non-ASCII, it is sent as three characters.
• The first character is an '=' sign; the next two are the hexadecimal representation of the byte.
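An added example (not from the slides) implementing the three-character rule above, with the caveat the slide leaves implicit: the '=' character itself must be escaped as =3D, otherwise the decoder would read it as the start of an escape. Soft line breaks for long lines are left out; the cross-check uses Python's quopri module.

```python
import quopri

def qp_encode(data: bytes) -> str:
    """Quoted-printable body encoding: printable ASCII passes through unchanged,
    any other byte is sent as '=' followed by its two hexadecimal digits.
    (Soft line breaks for lines over 76 characters are not handled here.)"""
    out = []
    for b in data:
        if 0x20 <= b <= 0x7E and b != 0x3D:      # printable ASCII, except '=' itself
            out.append(chr(b))
        else:
            out.append("=%02X" % b)               # e.g. 0xE9 -> "=E9", '=' -> "=3D"
    return "".join(out)

def qp_decode(text: str) -> bytes:
    out = bytearray()
    i = 0
    while i < len(text):
        if text[i] == "=":                        # '=' introduces exactly two hex digits
            out.append(int(text[i + 1:i + 3], 16))
            i += 3
        else:
            out.append(ord(text[i]))
            i += 1
    return bytes(out)

def matches_stdlib(data: bytes) -> bool:
    """Cross-check against Python's quopri for short, single-line input."""
    return qp_encode(data) == quopri.encodestring(data).decode("ascii")
```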
S/MIME and CMS
Key Management
Cryptographic Algorithms
Security at the Transport Layer: SSL and TLS
SSL
• Secure Sockets Layer, developed by Netscape in 1994.
• It is a cryptographic protocol to provide communications security over the Internet.
• It provides the following services to data received from any application-layer protocol (usually HTTP):
  • Message Integrity
  • Confidentiality
  • Authentication
  • Fragmentation
  • Compression
Location of SSL and TLS in the Internet model
SSL PROTOCOL
• SSL defines four protocols in two layers, as shown below.
Handshake Protocol
Phase I of Handshake Protocol
Continued
Note
Continued
Note
Phase III of Handshake Protocol
Continued
Note
Phase IV of Handshake Protocol
Continued
Note
Alert Protocol
Record Protocol
• This protocol takes messages from the upper layers and does the job of fragmentation and compression.
Cryptographic Secrets
Generation of Key Material from Master Secret
• The master secret is used to create variable-length key material by applying the same set of hash functions and prepending different constants.
• The length of the key material block depends on the cipher suite selected and the size of the keys needed for the suite.
Extraction of Cryptographic Secrets from Key Material
• Six different keys are extracted from the key material as shown below.
Key Exchange Algorithms
• We know that the master secret delivers six cryptographic secrets (four keys and two IVs) for authentication and encryption/decryption.
• The client/server needs one key for message authentication, one key for encryption and one IV for block encryption.
• The algorithms are:
  • NULL
  • RSA
  • Anonymous Diffie-Hellman
  • Ephemeral Diffie-Hellman
  • Fixed Diffie-Hellman
  • Fortezza
Null
RSA key exchange; server public key
Anonymous Diffie-Hellman
Ephemeral Diffie-Hellman key exchange
Continued
Fixed Diffie-Hellman
• Another solution is the fixed Diffie-Hellman method.
• All entities in a group can prepare fixed DH parameters (g and p).
• The CA will send the certified half-keys to each of the parties.
Fortezza
• Fortezza is a registered trademark of the U.S. National Security Agency (NSA).
• It is a family of security protocols developed for the Defense Department.
Encryption/Decryption Algorithms
Hash Algorithm for message integrity
Compression Algorithms
Sessions and Connections
• For two entities to exchange data, the establishment of a session is necessary, but not sufficient.
• So, they need to create a connection between them, as shown below.
• A session involves creating a master key, but not the connection.
Continued
Session State
Connection State
• The Transport Layer Security (TLS) protocol is the IETF standard version of the SSL protocol.
• The two are very similar, with slight differences.
• The current version of SSL is 3.0; the current version of TLS is 1.0.
• SSLv3.0 is compatible with TLSv1.0.
• TLS does not support Fortezza for key exchange or for encryption/decryption.
Cipher Suite for TLS
Generation of Cryptographic Secrets
The data-expansion function
• The data-expansion function uses a predefined HMAC (either MD5 or SHA-1) to expand the secret to a longer one.
Pseudorandom Function(PRF)
Master secret generation
• TLS uses the PRF to create the master secret from the pre-master secret.
• Here, the PM is taken as the secret, the string "Master Secret" as the label and the concatenation of CR and SR as the seed.
• The label describes the type of output we want to create and is actually the ASCII code of the string.
Key material generation
Alert Protocol
Alerts defined for TLS
Handshake Protocol
Security at the Network Layer: IPSec
• Internet Protocol Security
• It is a collection of protocols designed by the IETF to provide security for packets at the IP layer.
• It can enhance the security of e-mail and other client-server applications using HTTP, and also of routing protocols.
• It is a must for those client-server programs that do not use TCP but use UDP, because SSL/TLS is designed to provide security for TCP only.
TCP/IP Protocol Suite and IPSec
Transport Mode vs Tunnel Mode
IPSec in transport mode & tunnel mode
Transport mode
Tunnel mode
Comparison
Transport mode and tunnel mode
Security Protocols of IPSec
• IPSec defines two protocols to provide authentication and/or encryption for packets at the IP layer. They are:
  • the Authentication Header (AH) Protocol and
  • the Encapsulating Security Payload (ESP) Protocol.
• Note: The ESP protocol was designed after the AH protocol was already in use.
• ESP does whatever AH does, with additional functionality (privacy).
Authentication Header (AH)
Authentication Header (AH)
• Next Header: type of the next header, indicating what upper-layer protocol was protected.
• Payload Length: the length of this Authentication Header.
• Security Parameter Index: an arbitrary value which is used (together with the destination IP address) to identify the security association of the receiving party.
• Sequence Number: a strictly increasing sequence number (incremented by 1 for every packet sent) to prevent replay attacks.
Encapsulating Security Payload (ESP)
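An added example (not from the slides) that parses an AH from constructed bytes and applies the sequence-number rule above as a per-SA anti-replay check, using a sliding window as RFC 4302 does. Per RFC 4302 the Payload Length field holds the header length in 32-bit words minus 2, which the slide summarises as "the length of this header"; the ICV is sample filler, not a computed MAC.

```python
import struct
from dataclasses import dataclass

@dataclass
class AuthHeader:
    next_header: int    # upper-layer protocol that was protected (e.g. 6 = TCP)
    payload_len: int    # AH length in 32-bit words minus 2 (RFC 4302 encoding of the header length)
    spi: int            # Security Parameter Index: with the destination address, selects the SA
    seq: int            # strictly increasing sequence number
    icv: bytes          # Integrity Check Value (e.g. a 96-bit truncated HMAC)

def build_ah(next_header: int, spi: int, seq: int, icv: bytes) -> bytes:
    """Serialise an AH from constructed sample values (no real ICV computation here)."""
    payload_len = (12 + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv

def parse_ah(data: bytes) -> AuthHeader:
    if len(data) < 12:
        raise ValueError("AH is at least 12 bytes long")
    next_header, payload_len, _reserved, spi, seq = struct.unpack("!BBHII", data[:12])
    total = (payload_len + 2) * 4
    if len(data) < total:
        raise ValueError("truncated AH")
    return AuthHeader(next_header, payload_len, spi, seq, data[12:total])

class ReplayCheck:
    """Per-SA anti-replay state: a packet is accepted only if its sequence number has not
    been seen before and is not older than the window below the highest accepted number.
    ICV verification (which needs the SA key) must succeed before this state is updated."""
    def __init__(self, window: int = 64):
        self.window = window
        self.highest = {}    # spi -> highest accepted sequence number
        self.seen = {}       # spi -> accepted sequence numbers still inside the window

    def accept(self, ah: AuthHeader) -> bool:
        hi = self.highest.get(ah.spi, 0)
        seen = self.seen.setdefault(ah.spi, set())
        if ah.seq == 0 or ah.seq in seen or ah.seq <= hi - self.window:
            return False                       # replayed, or too old for the window
        seen.add(ah.seq)
        if ah.seq > hi:
            self.highest[ah.spi] = ah.seq
            seen.difference_update({s for s in seen if s <= ah.seq - self.window})
        return True
```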
SECURITY ALGORITHMS
• HMAC-SHA1/SHA2: for integrity protection and authentication.
• TripleDES-CBC: for confidentiality.
• AES-CBC: for confidentiality.
• AES-GCM: for confidentiality and authentication together, efficiently.
SECURITY ASSOCIATION (SA)
An example of a simple SA
Security Association Database (SAD)
Typical SA Parameters
Parameters Description
SECURITY POLICY
• Note that, before using the SAD, each host that is using IPsec needs to keep a Security Policy Database (SPD).
• A security policy defines the type of security applied to a packet when it is to be sent or when it is to be received.
• Therefore, it is also classified as outbound SPD or inbound SPD.
An SPD
Outbound processing in SPD
Inbound processing in SPD
INTERNET KEY EXCHANGE (IKE)
Weakness of Diffie-Hellman
Diffie-Hellman with cookies
• A cookie is the result of hashing:
  • a unique id of the peer (an IP address, port no. etc.),
  • a secret random number known to both, and
  • a timestamp.
Protection against Attacks
Note
To protect against a clogging attack, IKE uses cookies.
Note
To protect against a replay attack, IKE uses nonces.
Note
To protect against a man-in-the-middle attack, IKE requires that each party shows that it possesses a secret.
ISAKMP
• Internet Security Association and Key Management Protocol
• It is useful for managing Security Associations (SAs).
• It also defines payloads for exchanging key-generation and authentication data in IKE.
• The following shows the general header:
Payloads
Firewall and Intrusion Detection System
Thank You…