Principles of Cryptography

 Principles of cryptography
 Message integrity, authentication

Security: 8- 1
The language of cryptography
Alice’s Bob’s
KA encryption KB decryption
key key
plaintext encryption ciphertext decryption plaintext
algorithm algorithm

m: plaintext message
KA(m): ciphertext, encrypted with key KA
m = KB(KA(m))
Security: 8- 2
Types of Cryptography
 Crypto often uses keys:
• Algorithm is known to everyone
• Only “keys” are secret

 Public key cryptography

• Involves the use of two keys

 Symmetric key cryptography

• Involves the use of one key

 Hash functions
• Involves the use of no keys
• Nothing secret: How can this be useful?
Cryptography: Computational Security
Breaking an encryption scheme / Cryptanalysis
cipher-text only attack: known-plaintext attack:
Trudy has ciphertext she Trudy has plaintext
can analyze corresponding to ciphertext
two approaches: • e.g., in monoalphabetic
cipher, Trudy determines
• brute force: search pairings for a,l,i,c,e,b,o,
through all keys
• statistical analysis
chosen-plaintext attack:
Trudy can get ciphertext for
chosen plaintext

Security: 8- 5
 Cryptanalysis
 Attack depends on information available to adversary:
• Ciphertext-only: adversary only has the ciphertext available and wants to
determine the plaintext encrypted
• Known-plaintext attack: adversary learns one or more pairs of
ciphertext/plaintext encrypted under the same key, tries to determine plaintext
based on a different ciphertext
• Chosen-plaintext attack: adversary can obtain the encryption of any plaintext,
tries to determine the plaintext for a different ciphertext
• Chosen-ciphertext attack: adversary can obtain the decryption of any ciphertext
except the one the adversary wants to decrypt
• Chosen-text attack: adversary can obtain the encryption/decryption of any
plaintext/ciphertext
 Some Definitions
Unconditional Security: No matter how much computer
power or time is available, the cipher cannot be broken
since the ciphertext provides insufficient information to
uniquely determine the corresponding plaintext (hard
to achieve)
Computational Security: Given limited computing
resources (time needed for calculations is greater than
age of universe), the cipher cannot be broken
Brute Force Search
 Always possible to simply try every key

 Most basic attack, proportional to key size

 Assume either know / recognize plaintext !!!

26!
Symmetric Key Cryptography

Security: 8- 9
Symmetric key cryptography
KS KS

plaintext encryption ciphertext decryption plaintext

algorithm K S(m) algorithm

symmetric key crypto: Bob and Alice share same (symmetric)

key: K
 e.g., key is knowing substitution pattern in mono alphabetic
substitution cipher
Q: how do Bob and Alice agree on key value?
Security: 8- 10
Symmetric Key Crypto Requirements
Two requirements for secure use of symmetric encryption:
• A strong encryption algorithm. An opponent who knows the algorithm and
has access to one or more cipher texts should be unable to decipher the
cipher text or figure out the key
• A secret key known only to sender and receiver

Mathematically we have: Y = EK(X); X = DK(Y)

Assume encryption algorithm is known
Implies a secure channel to distribute key-random pad
Symmetric Key Crypto: Types
 Stream cipher – pseudo-random pad
• Generate pseudo-random stream of bits from short key
• Encrypt/decrypt by XORing as with one-time pad
• But NOT one-time PAD! (People who claim so are frauds!)

 Block cipher
• Operates on fixed-size blocks (e.g., 64 or 128 bits)
• Maps plaintext blocks to same size ciphertext blocks
• Today use AES; other algorithms: DES, Blowfish, etc.
Simple encryption scheme (1)
Caesar cipher: earliest known substitution cipher
 Very old, very simple symmetric key algorithm
 by Julius Caesar
 first attested use in military affairs
 replaces each letter by 3rd letter on
 example:
 meet me after the toga party
 PHHW PH DIWHU WKH WRJD SDUWB
Simple encryption scheme (2)
Caesar cipher:
 can define transformation as:
• abcdefghijk lmnopqrstuvwxyz How hard to break this
• DE FGH I J KLMNOPQR S TUVWXY Z ABC simple cipher?
 mathematically give each letter a number
• abcdefghi j k l m n o p q r s t u v w x y z
• 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25

 then have Caesar cipher as:

• c = E(p) = (p + k) mod (26)
• p = D(c) = (c – k) mod (26)
Simple encryption scheme (3)
substitution cipher: substituting one thing for another
 monoalphabetic cipher: substitute one letter for another
How hard to break
plaintext: abcdefghijklmnopqrstuvwxyz
this simple cipher?
ciphertext: mnbvcxzasdfghjklpoiuytrewq

e.g.: Plaintext: bob. i love you. alice

ciphertext: nkn. s gktc wky. mgsbc

Encryption key: mapping from set of 26 letters

to set of 26 letters
Security: 8- 15
Cryptanalysis
 Ciphertext-only attack: intruder may have access to only intercepted
ciphertext. statistical analysis can help.

 Known-plaintext attack: when intruder knows some of the (plaintext,

ciphertext)

 Chosen-plaintext attack: if intruder could get Alice to send the message,

“The quick brown fox jumps over the lazy dog,’’ then intruder could
completely break cipher.
Mono-Alphabetic Cipher
Q: How hard to break this simple cipher?
 Brute force? Try all possible keys (26! = 4 x 1026)
 Other?
 Frequency analysis, pattern analysis, etc.
Language and Cryptanalysis

 letters are not equally commonly used

 in English E is by far the most common letter
• followed by T,R,N,I,O,A,S
 other letters like Z,J,K,Q,X are fairly rare
 have tables of single, double (th) & triple letter (the) frequencies for
various languages
English Letter Frequencies
Cryptanalyze the following…
Cryptanalyze the following…

 Look for the most frequent letter(s)

Cryptanalyze the following…

 Look for the common words, e.g., “the”

… which gives (r to e), (g to t), and (u to h)
A more sophisticated encryption approach
n substitution ciphers, M1,M2,…,Mn
cycling pattern:
• e.g., n=4: M1,M3,M4,M3,M2; M1,M3,M4,M3,M2; ..
for each new plaintext symbol, use subsequent substitution
pattern in cyclic pattern
• dog: d from M1, o from M3, g from M4

Encryption key: n substitution ciphers, and cyclic pattern

• key need not be just n-bit pattern

Security: 8- 23
Stream Cipher: One-Time Pad
 Share a random key K
 Encrypt plaintext by xor with sequence of bits
• encrypt(key, text) = key  text (bit-by-bit)
 Decrypt ciphertext by xor with same bits
• decrypt(key, text) = key  text (bit-by-bit)
 Advantages:
• Easy to compute encrypt, decrypt from key, text
• This is a theoretically secure cipher (unbreakable)
 Disadvantage:
• Key is as long as the plaintext!
• How does sender get key to receiver securely?
RC4 Stream Cipher
 RC4 is a popular stream cipher
• Was extensively analyzed and considered good
• Remarkable for its simplicity and speed in software
• Key can be from 1 to 256 bytes
• Used in WEP for 802.11
• Was used in SSL and its successor TLS

However, multiple vulnerabilities have been discovered in RC4,

rendering it insecure
Example: Use of Stream Cipher?
 Share secret s with web vendor
 Exchange payment information as follows:
• Send: E(s, “Visa card #3273. . . ”)
• Receive: E(s, “Order confirmed, have a nice day”)

 Can eavesdropper get out your Visa #?

Example: Use of Stream Cipher?
Suppose attacker overhears:
• c1 = Encrypt(s, “Visa card #3273. . . ”)
• c2 = Encrypt(s, “Order confirmed, have a nice day”)
Example: Use of Stream Cipher?
 Suppose attacker overhears:
• c1 = Encrypt(s, “Visa card #3273. . . ”)
• c2 = Encrypt(s, “Order confirmed, have a nice day”)

 Now compute

 Lesson: Never re-use keys with a stream cipher

• Basic problem with one-time pads
• This is why they’re called one-time pads!
Block Ciphers
 Message to be encrypted is processed in blocks of
k bits (e.g., 64-bit blocks).
 1-to-1 mapping is used to map k-bit block of
plaintext to k-bit block of ciphertext
Example with k=3:
input output input output
000 110 100 011
001 111 101 010
010 101 110 000
011 100 111 001
What is the ciphertext for 010110001111 ?
Block Ciphers
 How many possible mappings are there for k=3?
• How many 3-bit inputs?
• How many permutations of the 3-bit inputs?
• Answer: 40,320 ; not very many!

 In general, 2k! mappings; huge for k=64

 Problem:
• Table approach requires table with 264 entries, each entry with 64
bits
 Table too big: instead use function that simulates a randomly
permuted table
 From Kaufman

Prototype Function et al

64-bit input

8bits 8bits 8bits 8bits 8bits 8bits 8bits 8bits

S1 S2 S3 S4 S5 S6 S7 S8

8 bits 8 bits 8 bits 8 bits 8 bits 8 bits 8 bits 8 bits

64-bit intermediate

Loop for
n rounds 64-bit output

S: 8-bit to 8-bit mapping

Why Rounds in Prototype?
 If only a single round, then one bit of input affects at most 8 bits of
output.

 In 2nd round, the 8 affected bits get scattered and inputted into multiple
substitution boxes.

 Multiple passes: each input bit affects all output bits

 How many rounds?
• How many times do you need to shuffle cards?
• Becomes less efficient as n increases

 Block ciphers: DES, 3DES, AES

Symmetric key crypto: DES
DES: Data Encryption Standard
 US encryption standard [NIST 1993]
 56-bit symmetric key, 64-bit plaintext input
 block cipher with cipher block chaining
 how secure is DES?
• DES Challenge: 56-bit-key-encrypted phrase decrypted (brute force)
in less than a day
• no known good analytic attack
 making DES more secure:
• 3DES: encrypt 3 times with 3 different keys

Security: 8- 33
Symmetric key
crypto: DES

DES operation
initial permutation
16 identical “rounds” of
function application,
each using different 48
bits of key
final permutation
DES Strength – Key Size
 56-bit keys have 256= 7.2 x 1016 values
 Brute force search looks hard
 Recent advances have shown it is possible
• in 1997 on Internet in a few months
• in 1998 on dedicated hardware in a few days
• in 1999 above combined in 22hrs!
 Still must be able to recognize plaintext
 Must now consider alternatives to DES
DES Strength – Analytic Attacks
 Now have several analytic attacks on DES
 These utilize some deep structure of the cipher
• By gathering information about encryptions
• Can eventually recover some/all of the sub-key bits
• If necessary then exhaustively search for the rest

 Generally these are statistical attacks

 Include
• differential cryptanalysis
• linear cryptanalysis
• related key attacks
Other Options
 How to make DES more secure?
• Use three keys sequentially (3-DES)
• Use Advanced Encryption Standard (AES)
• Use cipher-block chaining
Triple DEA [3DES]
 Triple Data Encryption Algorithm
• Use three keys and three executions of the DES algorithm (encrypt-
decrypt-encrypt)
C = EK3[DK2[EK1[P]]]
• C = ciphertext
• P = Plaintext
• EK[X] = encryption of X using key K
• DK[Y] = decryption of Y using key K
 Effective key length of 168 bits
AES: Advanced Encryption Standard
symmetric-key NIST standard, replaced DES (Nov 2001)
processes data in 128 bit blocks
128, 192, or 256 bit keys
brute force decryption (try each key) taking 1 sec on DES,
takes 149 trillion years for AES

Security: 8- 39
Public Key Cryptography

Security: 8- 40
Public Key Cryptography
symmetric key crypto:
 requires sender, receiver
know shared secret key
 Q: how to agree on key in
first place (particularly if
never “met”)?
 Also in symmetric, parties
are equal
• Can NOT protect sender
from receiver forging a
message & claiming is sent
by sender
public key crypto
 radically different approach
[Diffie-Hellman76, RSA78]
 sender, receiver do not
share secret key
 public encryption key
known to all
 private decryption key
known only to receiver
Security: 8- 41
Why Public-Key Cryptography?
Developed to address two key issues:
 Key distribution–how to have secure communications in general
without having to trust a KDC with your key
 Digital signatures–how to verify a message comes intact from the
claimed sender
Public Key Cryptography
+
K Bob’s public key
B

- Bob’s private key

K
B

plaintext encryption ciphertext decryption plaintext

message, m algorithm +
K (m) algorithm - +
B m = KB (K (m))
B

Wow - public key cryptography revolutionized 2000-year-old (previously

only symmetric key) cryptography!
• similar ideas emerged at roughly same time, independently in US and UK (classified)
Security: 8- 43
Public Key Cryptography
+ Bob’s public
K
B key

- Bob’s private
K
B key

plaintext encryption ciphertext decryption plaintext

message, m algorithm + algorithm message
K (m) - +
B m = K B(K (m))
B

Encryption
Public Key Cryptography
- Alice’s Private
K
A key

+ Alice’s Public
K
A key

plaintext encryption ciphertext decryption plaintext

message, m algorithm - algorithm message
K (m) + -
A m = K A(K (m))
A

Authentication
Public key encryption algorithms
requirements:
1
+
. -.
need KB ( ) and K ( ) such that
B
- +
K (K (m)) = m
B B
+
2 given public key KB ,
it should be impossible to
-
compute private key K B

RSA: Rivest, Shamir, Adelson algorithm

Security: 8- 46
Public Key Characteristics
Public-Key algorithms rely on two keys where:

 It is computationally infeasible to find decryption key knowing

only algorithm & encryption key

 It is computationally easy to en/decrypt messages when the

relevant (en/decrypt) key is known

 Either of the two related keys can be used for encryption, with
the other used for decryption (for some algorithms)
Public Key Crypto - Secrecy
Public Key Crypto - Authentication
Authentication & Confidentiality
Public-Key Applications
Can classify uses into 3 categories:
• Encryption/decryption (provide secrecy)
• Digital signatures (provide authentication)
• Key exchange (of session keys)
Some algorithms are suitable for all uses, others are
specific to one
Security of Public Key Schemes
 Public key schemes are no more or less secure than private
key schemes
 Like private key schemes brute force exhaustive search
attack is always theoretically possible
 But keys used are too large (>512bits)
 More generally the hard problem is known, but is made hard
enough to be impractical to break
 Requires the use of very large numbers
 Hence is slow compared to private key schemes
Prerequisite: modular arithmetic
 x mod n = remainder of x when divide by n
 facts:
[(a mod n) + (b mod n)] mod n = (a+b) mod n
[(a mod n) - (b mod n)] mod n = (a-b) mod n
[(a mod n) * (b mod n)] mod n = (a*b) mod n
 thus
(a mod n)d mod n = ad mod n
 example: x=14, n=10, d=2:
(x mod n)d mod n = 42 mod 10 = 6
xd = 142 = 196 xd mod 10 = 6
Security: 8- 53
RSA: getting ready
 message: just a bit pattern
 bit pattern can be uniquely represented by an integer number
 thus, encrypting a message is equivalent to encrypting a
number
example:
 m= 10010001. This message is uniquely represented by the decimal
number 145.
 to encrypt m, we encrypt the corresponding number, which gives a
new number (the ciphertext).

Security: 8- 54
RSA: Creating public/private key pair
1. choose two large prime numbers p, q. (e.g., 1024 bits each)

2. compute n = pq, z = (p-1)(q-1)

3. choose e (with e<n) that has no common factors with z (e, z are
“relatively prime”).
4. choose d such that ed-1 is exactly divisible by z. (in other words: ed
mod z = 1 ).
5. public key is (n,e). private key is (n,d).
K B+ K B-
Security: 8- 55
RSA: encryption, decryption
0. given (n,e) and (n,d) as computed above
1. to encrypt message m (<n), compute
c = m e mod n
2. to decrypt received bit pattern, c, compute
m = c d mod n

magic happens! m = (m e mod n)d mod n

c

Security: 8- 56
RSA example:
Bob chooses p=5, q=7. Then n=35, z=24.
e=5 (so e, z relatively prime).
d=29 (so ed-1 exactly divisible by z).
encrypting 8-bit messages.

bit pattern m me c = memod n

encrypt:
0000l000 12 24832 17

decrypt:
c cd m = cdmod n
17 481968572106750915091411825223071697 12

Security: 8- 57
Why does RSA work?
 must show that cd mod n = m, where c = me mod n
 fact: for any x and y: xy mod n = x(y mod z) mod n
• where n= pq and z = (p-1)(q-1)
 thus,
cd mod n = (me mod n)d mod n
= med mod n
= m(ed mod z) mod n
= m1 mod n
=m

Security: 8- 58
RSA: another important property
The following property will be very useful later:
- + + -
KB(K (m)) = m = K (K (m))
B B B

use public key use private key

first, followed first, followed
by private key by public key

result is the same!

Security: 8- 59
 - + + -
Why KB(K (m)) = m = K (K (m)) ?
B B B

follows directly from modular arithmetic:

(me mod n)d mod n = med mod n

= mde mod n
= (md mod n)e mod n

Security: 8- 60
Why is RSA secure?
 suppose you know Bob’s public key (n,e). How hard is it to
determine d?
 essentially need to find factors of n without knowing the two
factors p and q
• fact: factoring a big number is hard

Security: 8- 61
RSA in practice: session keys
 exponentiation in RSA is computationally intensive
 DES is at least 100 times faster than RSA
 use public key crypto to establish secure connection, then
establish second key – symmetric session key – for
encrypting data
session key, KS
 Bob and Alice use RSA to exchange a symmetric session key KS
 once both have KS, they use symmetric key cryptography

Security: 8- 62
Session Keys
 Exponentiation is computationally intensive
 DES is at least 100 times faster than RSA
Session key, KS
 Bob and Alice use RSA to exchange a symmetric key KS
 Once both have KS, they use symmetric key cryptography
Breaking Ciphers: Cipher Strengths
 A cipher is no stronger than its key length
• If there are too few keys, an attacker can enumerate all possible keys
 DES has 56 bits — far too few today
• Crack the code: < 3days in 1998, 22 hours in 1999, msec nowadays
 Strength of cipher depends on how long it needs to resist attack
• Computational security
 No good reason to use less than 128 bits
• NSA rates 128-bit AES as good enough for SECRET traffic; 256-bit AES is good
enough for TOP-SECRET traffic
• Keys for certificate authorities should be at least 2048 bits
• But a cipher can be considerably weaker! A mono-alphabetic cipher over all
256 byte values has a 1684-bit key (log2 256! ≈ 1684), but is trivially solvable
Breaking Ciphers: Computational Power
 Adding one bit to the key doubles the work factor for brute
force attacks
• The effect on encryption time is often negligible or even free
 Going from 128-bit AES to 256-bit AES takes (at most) 40%
longer, but increases the attacker’s effort by a factor of 2128
 Using triple DES costs 3× more to encrypt, but increases the
attacker’s effort by a factor of 2112
Breaking Ciphers: Computational Power
 For RSA, doubling the modulus length increases encryption time by 4X
and decryption time by 8X
 Attack time against RSA is based on factoring algorithms, not brute
force: there are far too many possible primes for brute force to be ever
possible
 Hardware factoring machine (TWIRL):
• Initial R&D cost $20M
• 512-bit RSA keys can be factored with a device costing $5K in about 10 minutes
• 1024-bit RSA keys can be factored with a device costing $10M in about 6 weeks
Authentication

Security: 8- 67
Authentication
Goal: Bob wants Alice to “prove” her identity to him
Protocol ap1.0: Alice says “I am Alice”

“I am Alice” failure scenario??

Security: 8- 68
Authentication
Goal: Bob wants Alice to “prove” her identity to him
Protocol ap1.0: Alice says “I am Alice”

in a network, Bob
can not “see”
Alice, so Trudy
simply declares
“I am Alice” herself to be Alice

Security: 8- 69
Authentication: another try
Goal: Bob wants Alice to “prove” her identity to him
Protocol ap2.0: Alice says “I am Alice” in an IP packet containing
her source IP address

Alice’s
IP address “I am Alice”
failure scenario??

Security: 8- 70
Authentication: another try
Goal: Bob wants Alice to “prove” her identity to him
Protocol ap2.0: Alice says “I am Alice” in an IP packet containing
her source IP address

Trudy can create

a packet “spoofing”
Alice’s
Alice’s address
IP address “I am Alice”

Security: 8- 71
Authentication: a third try
Goal: Bob wants Alice to “prove” her identity to him
Protocol ap3.0: Alice says “I am Alice” Alice says “I am Alice” and
sends her secret password to “prove” it.

Alice’s Alice’s
IP addr password “I am Alice” failure scenario??
Alice’s OK
IP addr

Security: 8- 72
Authentication: a third try
Goal: Bob wants Alice to “prove” her identity to him
Protocol ap3.0: Alice says “I am Alice” Alice says “I am Alice” and
sends her secret password to “prove” it.
playback attack:
Alice’s Alice’s
IP addr password “I am Alice” Trudy records
Alice’s packet
and later
plays it back to Bob

Security: 8- 73
Authentication: a modified third try
Goal: Bob wants Alice to “prove” her identity to him
Protocol ap3.0: Alice says “I am Alice” Alice says “I am Alice” and
sends her encrypted secret password to “prove” it.

Alice’s encrypted
IP addr password “I am Alice” failure scenario??
Alice’s OK
IP addr

Security: 8- 74
Authentication: a modified third try
Goal: Bob wants Alice to “prove” her identity to him
Protocol ap3.0: Alice says “I am Alice” Alice says “I am Alice” and
sends her encrypted secret password to “prove” it.

Alice’s encrypted
IP addr password “I am Alice” playback attack still
works: Trudy records
Alice’s packet
and later plays it
back to Bob

Security: 8- 75
Authentication: a fourth try
Goal: avoid playback attack
nonce: number (R) used only once-in-a-lifetime
protocol ap4.0: to prove Alice “live”, Bob sends Alice nonce, R
 Alice must return R, encrypted with shared secret key
“I am Alice”

R
KA-B(R) Bob know Alice is live, and
only Alice knows key to
encrypt nonce, so it must
Failures, drawbacks? be Alice!
Security: 8- 76
Authentication: ap5.0
ap4.0 requires shared symmetric key - can we authenticate
using public key techniques?
ap5.0: use nonce, public key cryptography

“I am Alice”
Bob computes
R + -
- K (K (R)) = R
K A (R) A A
and knows only Alice could
Send me your public key have the private key, that
+ encrypted R such that
K A (R) + -
K (K (R)) = R
A A
Security: 8- 77
 Authentication: ap5.0 – there’s still a flaw!
man (or woman) in the middle attack: Trudy poses as Alice (to Bob) and
as Bob (to Alice)

I am Alice I am Alice
R
-
K (R)

Send me your public key
Trudy recovers Bob’s m:
- +
m = K (K (m))
A A
and she and Bob meet a week
later in person and discuss m,
not knowing Trudy knows m
?
T
R Where are Send me your public key
- mistakes +
K (R) K Bob computes
A made here? T + -
K (K T(R)) = R,
+ T
K authenticating
A Trudy as Alice
Trudy recovers m: +
+ - + K (m) Bob sends a personal
m = K (K (m)) T
K (m) T T message, m to Alice
A sends m to Alice
encrypted with
Alice’s public key
Security: 8- 78
Message Integrity

Security: 8- 79
Message Integrity /Message Authentication
 Message authentication is concerned with:
• Protecting the integrity of a message
• Validating identity of originator
• Non-repudiation of origin (dispute resolution)

 Will consider the security requirements

 Then three alternative functions used:
• Message encryption
• Hash function
• Message authentication code (MAC)
Security Requirements
 Disclosure: release of message contents
 Traffic analysis: discovering traffic pattern
 Masquerade: inserting a message from a fraudulent source
 Content modification
 Sequence modification: message reordering
 Timing modification: delay/replay of messages
 Source repudiation: denial by source
 Destination repudiation: denial by destination
Authentication Functions
 There must be some sort of a function that produces an
authenticator: a value to be used to authenticate a message.
Such functions may be grouped into:
• Message encryption
• Hash functions: map any size message into a fixed-length hash value
• Message authentication codes (MAC): a function of the message and a
secret code that produces a fixed-length value
Message Encryption
 Message encryption by itself provides a measure of
authentication
 If symmetric encryption is used then:
• Receiver knows sender must have created it
• Since only sender and receiver know key used
• He knows content cannot be altered by someone who does not have
the key
• However, if message can be any bit pattern how to make sure it is
legitimate and not random for ex.?
• If message has suitable structure, redundancy or a checksum can be
used to detect any changes
Message Encryption
 If public-key encryption is used:
• Encryption provides no confidence of sender
• Since anyone potentially knows public-key
• However if
• Sender signs message using his private-key
• Then encrypts with recipients public key
• Have both secrecy and authentication

• Again need to recognize corrupted messages

• Confidentiality + authentication come at the cost of two public-key uses
on message
Digital signatures
cryptographic technique analogous to hand-written signatures:
 sender (Bob) digitally signs document: he is document owner/creator.
 verifiable, nonforgeable: recipient (Alice) can prove to someone that Bob,
and no one else (including Alice), must have signed document
 simple digital signature for message m:
• Bob signs m by encrypting with his private key KB, creating “signed” message, KB-(m)
- Bob’s private -
Bob’s message, m KB m,K B(m)
key
Dear Alice Dear Alice
Oh, how I have missed Oh, how I have missed
you. I think of you all the
Public key
you. I think of you all the
time! …(blah blah blah) encryption time! …(blah blah blah)
algorithm -
Bob Bob K B(m)

Security: 8- 85
Digital signatures
-
 suppose Alice receives msg m, with signature: m, KB(m)
+ -
 Alice verifies m signed by Bob by applying Bob’s public key KB to KB(m)
+ -
then checks KB(KB(m) ) = m.
+ -
 If KB(KB(m) ) = m, whoever signed m must have used Bob’s private key
Alice thus verifies that:
 Bob signed m
 no one else signed m
 Bob signed m and not m’
non-repudiation: -
 Alice can take m, and signature KB(m) to court and prove that Bob
signed m
Security: 8- 86
Message digests
computationally expensive to public-key-encrypt long messages
goal: fixed-length, easy- to-compute digital “fingerprint”
 apply hash function H to m, get fixed size message digest, H(m)

large
message H: Hash
Function H(m)
m

Hash function properties:

 many-to-1
 produces fixed-size msg digest (fingerprint)
 given message digest x, computationally infeasible to find m such that x =
H(m)
Security: 8- 87
Internet checksum: poor crypto hash function
Internet checksum has some properties of hash function:
 produces fixed length digest (16-bit sum) of message
 is many-to-one
but given message with given hash value, it is easy to find another
message with same hash value:
message ASCII format message ASCII format
IOU1 49 4F 55 31 IOU9 49 4F 55 39
00.9 30 30 2E 39 00.1 30 30 2E 31
9BOB 39 42 D2 42 9BOB 39 42 D2 42
B2 C1 D2 AC different messages B2 C1 D2 AC
but identical checksums!
Security: 8- 88
Digital signature = signed message digest
Bob sends digitally signed message: Alice verifies signature, integrity
of digitally signed message:
large
message H: Hash
m Function H(m) encrypted
message digest
-
KB(H(m))
digital
Bob’s signature large
private -
key KB (encrypt) message
m digital
Bob’s signature
public +
key KB (decrypt)
encrypted H: Hash
message digest function
+ -
KB(H(m))
H(m) H(m)

?
equal
Security: 8- 89
Hash Functions

Security: 8- 90
Hash function algorithms
 MD5 hash function widely used (RFC 1321)
• computes 128-bit message digest in 4-step process.
• arbitrary 128-bit string x, appears difficult to construct msg m whose
MD5 hash is equal to x
• suffer from extensive vulnerabilities
 SHA-1 is also used
• US standard [NIST, FIPS PUB 180-1]
• 160-bit message digest

Security: 8- 91
Applications of Hash Functions
Password files (one way)

Digital signatures (collision resistant)

• Sign hash of message instead of entire message

Data integrity
• Compute and store hash of some data
• Check later by recomputing hash and comparing
Keyed hash for message authentication
• MAC – Message Authentication Code
Applications of Hash Functions

Authentication and Confidentiality

authentication but NO confidentiality [Usually a MAC]

Applications of Hash Functions

Authentication and Digital Signature

Authentication (Digital Signature) and Confidentiality

Applications of Hash Functions

Authentication (secret is not sent)

Authentication (secret not sent) and Confidentiality

Requirements for Hash Functions
 Can be applied to any sized message M
 Produces fixed-length output h
 Is easy to compute h=H(M) for any message M
 Given h is infeasible to find x such that H(x)=h
• one-way property
 Given x is infeasible to find y such that H(y)=H(x)
• weak collision resistance
 Is infeasible to find any x, y such that H(y)=H(x)
• strong collision resistance
Message Authentication Code (MAC)

Security: 8- 97
Message Authentication Code (MAC)
 Generated by an algorithm that creates a small fixed-
sized block
• Depending on both message and some key
• Like encryption though need not be reversible
 Appended to message as a signature
 Receiver performs same computation on message and
checks it matches the MAC
 Provides assurance that message is unaltered and
comes from sender
 Applications of MAC Functions

authentication and Confidentiality [authentication tied to plaintext]

authentication and Confidentiality [authentication tied to ciphertext]

HMAC
 Popular MAC standard
 Addresses some subtle security flaws

1. Concatenates secret to front of message

2. Hashes concatenated message
3. Concatenates the secret to front of digest
4. Hashes the combination again
Requirements for MACs
 Taking into account the types of attacks need the MAC
to satisfy the following:
• knowing a message and MAC, is infeasible to find another
message with same MAC
• MACs should be uniformly distributed among the different
messages
• MAC should depend equally on all bits of the message
 Data Authentication Algorithm (DAA) is a widely used
MAC based on DES
Order of Encryption and MACs
 Should you Encrypt then MAC, or vice versa?
Order of Encryption and MACs
Should you Encrypt then MAC, or vice versa?

MACing encrypted data is always secure

Encrypting {Data+MAC} may not be secure!

MAC-then-Encrypt
 Does not provide any integrity on
the ciphertext
 Plaintext integrity
 If the cipher scheme is
malleable*, it may be possible to
alter the message to appear valid
 MAC cannot provide any
information on the plaintext since
it is encrypted

*An encryption algorithm is malleable if it is possible to transform a

ciphertext into another ciphertext
Encrypt-then-MAC
 Provides integrity of Ciphertext.
 Plaintext integrity.
 If the cipher scheme is
malleable, we need not be so
concerned, since the MAC
code will filter out this
invalid ciphertext.
 The MAC does not provide
any information on the
plaintext.
In other words, we haven't carried any structure from the
plaintext into the MAC code.
Encrypt-and-MAC
 No integrity on ciphertext (MAC taken against plaintext)
 Plaintext integrity
 If the cipher scheme is
malleable, the contents
of the ciphertext could
well be altered, but on
decryption we ought to
find the plaintext is invalid
 May reveal information about the plaintext in the MAC.
Digital Signatures

Security: 8- 107
Digital Signatures
Cryptographic technique analogous to hand-written
signatures
Sender (Bob) digitally signs document, establishing that he
is document owner/creator
Goal is similar to that of a MAC, except now use public-key
cryptography
Verifiable, non-forgeable: recipient (Alice) can prove to
someone that Bob, and no one else (including Alice), must
have signed document
Digital Signatures
Message authentication protects two parties from a third
party but it does not protect them against each other:
Alice may forge a different message and claim that it
came from Bob. She appends an authentication code
using the key she shares with Bob
Bob can deny sending a message to Alice because he
knows it is possible for her to forge one.
Digital Signatures
In case of no trust between sender and receiver, a solution is
the digital signature which is similar to handwritten signature:
It must verify the author and the date and time of signature
It must authenticate the contents at the time of signature
It must be verifiable by third parties to resolve disputes
Digital Signatures Properties
 Must depend on the message being signed
 Must use information unique to sender
• To prevent both forgery and denial
 Must be relatively easy to produce
 Must be relatively easy to recognize & verify
 Be computationally infeasible to forge
• With new message for existing digital signature
• With fraudulent digital signature for given message
 Be practical to save digital signature in storage
Digital Signatures
Simple digital signature for message m:
 Bob signs m by encrypting with his private key KB,
-
creating “signed” message, KB(m) -

- Bob’s private
Bob’s message, m K B key
-
K B(m)
Dear Alice
Bob’s message, m,
Oh, how I have missed
you. I think of you all
Public key signed
the time! …(blah blah encryption (encrypted) with
blah) algorithm his private key
Bob
Digital Signature = Signed MAC
Alice verifies signature and
Bob sends digitally signed
integrity of digitally signed
message: message:
large
message H: hash encrypted
m function H(m)
msg digest
-
KB(H(m))
Bob’s digital large
private signature message
key - (encrypt) m Bob’s digital
KB public
+ signature
key KB
encrypted H: hash (decrypt)
msg digest function
-
+ KB(H(m))
H(m) H(m)

equal
?
Digital Signatures

Public-key encryption
• Alice publishes encryption key
• Anyone can send encrypted message
• Only Alice can decrypt messages with this key
Digital signature scheme
• Alice publishes key for verifying signatures
• Anyone can check a message signed by Alice
• Only Alice can send signed messages
Certificate Authority (CA)

Security: 8- 115
 Authentication: ap5.0 – let’s fix it!!
Recall the problem: Trudy poses as Alice (to Bob) and as Bob (to Alice)

I am Alice I am Alice
R
-
K (R)

Send me your public key
Trudy recovers Bob’s m:
- +
m = K (K (m))
A A
and she and Bob meet a week
later in person and discuss m,
not knowing Trudy knows m
?
T
R Where are Send me your public key
- mistakes +
K (R) K Bob computes
A made here? T + -
K (K T(R)) = R,
+ T
K authenticating
A Trudy as Alice
Trudy recovers m: +
+ - + K (m) Bob sends a personal
m = K (K (m)) T
K (m) T T message, m to Alice
A sends m to Alice
encrypted with
Alice’s public key
Security: 8- 116
Need for certified public keys
motivation: Trudy plays pizza prank on Bob
• Trudy creates e-mail order:
Dear Pizza Store, Please deliver to me
four pepperoni pizzas. Thank you, Bob
• Trudy signs order with her private key
• Trudy sends order to Pizza Store
• Trudy sends to Pizza Store her public key,
but says it’s Bob’s public key
• Pizza Store verifies signature; then
delivers four pepperoni pizzas to Bob
• Bob doesn’t even like pepperoni
Security: 8- 117
Public key Certification Authorities (CA)
 certification authority (CA): binds public key to particular entity, E
 entity (person, website, router) registers its public key with CE
provides “proof of identity” to CA
• CA creates certificate binding identity E to E’s public key
• certificate containing E’s public key digitally signed by CA: CA says “this is E’s
public key”

Bob’s digital
public + signature +
key KB (encrypt) KB

CA’s
private
K
- certificate for Bob’s
Bob’s key
identifying
CA public key, signed by CA
information

Security: 8- 118
Public key Certification Authorities (CA)
 when Alice wants Bob’s public key:
• gets Bob’s certificate (Bob or elsewhere)
• apply CA’s public key to Bob’s certificate, get Bob’s public key

digital Bob’s
+
KB signature + public
(decrypt) KB key

CA’s
public +
key K CA

Security: 8- 119
Certificates: Content
 Primary standard X.509 (RFC 2459)
 Certificate contains:
• Issuer name
• Entity name, address, domain name, etc.
• Entity’s public key
• Digital signature (signed with issuer’s private key)

 Public-Key Infrastructure (PKI)

• Certificates and certification authorities
Certificates: Content
 Serial number (unique to issuer)
 Info about certificate owner, including algorithm and key
value itself (not shown)
 info about
certificate
issuer
 valid dates
 digital
signature by
issuer
Public-Key Infrastructure
Known public signature verification key Ka
Certificate
Certificate
Sign(Ka-1, Ks)
Ka Authority
Ks

Client Sign(Ka-1, Ks), Sign(Ks, msg) Server

Server certificate can be verified by any client that has CA key Ka

Certificate authority is “off line”
Cryptography or Cryptosystems
 Most security problems are not crypto problems
• This is good: Cryptography works!
• This is bad: People make other mistakes; crypto doesn’t solve them
 Crypto is only a tiny piece of the security puzzle, but an
important one
 Why do cryptosystems fail?
• Incorrect requirements or specifications
• Implementation errors
• Sloppy operation
• Difficult to use; cannot know if correct
• Social engineering
Crypto: Important Principles
 Don’t design your own crypto algorithm (too difficult)
• Use standards
• Use quality libraries
 Avoid using “proprietary” encryption (products)
• Review feedback from crypto community

 Make sure you understand parameter choices

 Make sure you understand algorithm interactions
• E.g. authenticate then encrypt or vice versa