
System security techniques and solutions


Shannon's model of communication:
A → Encoding → Channel → Decoding → B

Basic model of cryptography:
A → Encryption → Open channel → Decryption → B, with an eavesdropper E listening on the open channel.
Cryptosystem
𝒫: set of plain texts
𝒞: set of cipher texts
𝒦: set of possible keys

1 < |𝒫|, |𝒞|, |𝒦| < ∞

Usual notation:
𝑚 ∈ 𝒫 plain text (message)
𝑐 ∈ 𝒞 cipher text (encrypted message)
𝑘 ∈ 𝒦 key
Cryptosystem
Examples:
𝒫, 𝒞 and 𝒦 are sets of words over some alphabet:
- a text in a spoken language
- 01 sequences

𝒫, 𝒞 and 𝒦 are elements of some mathematical structure:


- integers
- polynomials
- residue classes
- elliptic curves
- finite fields
- vector spaces over finite fields
Cryptosystem
Definition:
The six-tuple (𝒫, 𝒞, 𝒦, 𝐸𝑛𝑐, 𝐷𝑒𝑐, 𝐾𝑒𝑦) is called a cryptosystem
(encryption scheme) if
𝐸𝑛𝑐: 𝒦 × 𝒫 → 𝒞 is an encryption function (algorithm),
𝐷𝑒𝑐: 𝒦 × 𝒞 → 𝒫 is a decryption function (algorithm) and
𝐾𝑒𝑦 ⊆ 𝒦 × 𝒦 is the set of key pairs.
Definition:
A cryptosystem provides correct decryption if
for all (𝑘𝐸, 𝑘𝐷) ∈ 𝐾𝑒𝑦 and 𝑚 ∈ 𝒫
𝐷𝑒𝑐(𝑘𝐷, 𝐸𝑛𝑐(𝑘𝐸, 𝑚)) = 𝑚
Cryptosystem
Remarks:
1. The pair (𝑘𝐸, 𝑘𝐷) is called an encryption-decryption pair.
2. 𝑐 = 𝐸𝑛𝑐(𝑘𝐸, 𝑚) is the encrypted message corresponding to the
plain text 𝑚.
3. By definition, if the cryptosystem provides correct decryption and
(𝑘𝐸, 𝑘𝐷) is fixed, then the function
𝐸𝑛𝑐𝑘𝐸(𝑚) = 𝐸𝑛𝑐(𝑘𝐸, 𝑚)
is injective, i.e.

𝐸𝑛𝑐𝑘𝐸(𝑚1) = 𝐸𝑛𝑐𝑘𝐸(𝑚2) ⟺ 𝑚1 = 𝑚2
Cryptosystem
Remarks:
4. The cryptosystem is called complete if for all pairs (𝑘𝐸, 𝑘𝐷) the
function
𝐸𝑛𝑐𝑘𝐸(𝑚)
is surjective, i.e. for every cipher text 𝑐 ∈ 𝒞 there exists a plain text
𝑚 ∈ 𝒫 such that 𝐸𝑛𝑐𝑘𝐸(𝑚) = 𝑐.
Together with injectivity (Remark 3) this implies |𝒫| = |𝒞|.
Cryptosystem
Remarks:
5. Natural requirements:
if 𝑘𝐸1 ≠ 𝑘𝐸2 then 𝐸𝑛𝑐𝑘𝐸1 ≠ 𝐸𝑛𝑐𝑘𝐸2
if (𝑘𝐸, 𝑘𝐷1), (𝑘𝐸, 𝑘𝐷2) ∈ 𝐾𝑒𝑦 then 𝑘𝐷1 ≠ 𝑘𝐷2
6. Let 𝒫 = 𝒞. The key space is called complete if for every bijective
function 𝑓: 𝒫 → 𝒞 there exists 𝑘𝐸 ∈ 𝒦 such that
𝐸𝑛𝑐𝑘𝐸 = 𝑓.
7. Properties 5. and 6. together mean |𝒦| = |𝒫|!
(factorial)
Crypto system
𝑚 ∈ 𝒫 plain text, 𝑐 ∈ 𝒞 cipher text, (𝑘𝐸, 𝑘𝐷) ∈ 𝐾𝑒𝑦 pair of keys

(Diagram: Alice (A) computes 𝑐 = 𝐸𝑛𝑐(𝑘𝐸, 𝑚) and sends 𝑐 over the open channel; Bob (B) computes 𝑚 = 𝐷𝑒𝑐(𝑘𝐷, 𝑐); Eve (E) observes the open channel.)
Cryptosystem
Definition:
The cryptosystem (𝒫, 𝒞, 𝒦, 𝐸𝑛𝑐, 𝐷𝑒𝑐, 𝐾𝑒𝑦) is called symmetric if for all
pairs (𝑘𝐸, 𝑘𝐷) ∈ 𝐾𝑒𝑦 either 𝑘𝐸 = 𝑘𝐷 or 𝑘𝐷 can be computed in
polynomial time from 𝑘𝐸.

Definition:
The cryptosystem (𝒫, 𝒞, 𝒦, 𝐸𝑛𝑐, 𝐷𝑒𝑐, 𝐾𝑒𝑦) is called asymmetric if
there is no polynomial time algorithm which can compute 𝑘𝐷 from
𝑘𝐸 for any pair (𝑘𝐸, 𝑘𝐷) ∈ 𝐾𝑒𝑦.
Crypto system
Definition:
A cryptosystem (𝒫, ℛ, 𝒞, 𝒦, 𝐸𝑛𝑐, 𝐷𝑒𝑐, 𝐾𝑒𝑦) is called randomized if
𝐸𝑛𝑐: 𝒦 × 𝒫 × ℛ → 𝒞
and
𝐷𝑒𝑐: 𝒦 × 𝒞 → 𝒫.
The value 𝑟 ∈ ℛ is chosen at random for each encryption.
Steganography
A special kind of information hiding. The message is not encrypted; instead,
its very existence is kept unknown.
Example:
- modifying pixels of a digital image by some message
- modifying waves in audio files
-…
Classical cryptosystems
Cryptosystems used before computers (BC) are called classical (or
historical) cryptosystems.
Not uniquely defined, but approximately the systems which are easily
attackable by computers.

Typically used for encryption of spoken language messages.


Classical cryptosystems
Main types:
- Substitutional cryptosystems:
one character (or one block of characters) of the plaintext is
replaced by another character (or block of characters).
monoalphabetic: the transformation does not change during
encryption
polyalphabetic: the transformation changes depending on the
position of the character
- Permutational cryptosystems:
the characters of the plaintext are permuted. (Only the order is
changed.)
Classical cryptosystems
Substitution of characters by abstract symbols.
Example:
a b c d e f g h i j k l m n o p q r s t u v w x y z
⌂ ─ │ ┌ ┐ └ ┘ ┬ ╨ ┤ ├ ○ ↘ ↗ ↖ → ↓ ← ᴜ ᴝ ⱡ Ⱡ < > ╥ ╧

𝒫 = English alphabet
𝒞 = symbols
𝒦 = tables
𝑘𝐷 = 𝑘𝐸, the same table
𝐸𝑛𝑐 maps the members of the first row to the members of the second
row,
𝐷𝑒𝑐 vice versa.
Monoalphabetic, substitutional
Classical cryptosystems
Caesar cipher:
a b c d e f g h i j k l m n o p q r s t u v w x y z
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25

𝒫 = the codes of the English alphabet
𝒞 = the codes of the English alphabet
𝒦 = {1, 2, … , 25}
𝑘𝐷 = 𝑘𝐸
𝑐 = 𝐸𝑛𝑐(𝑘, 𝑚) = 𝑘 + 𝑚 (mod 26)
𝑚 = 𝐷𝑒𝑐(𝑘, 𝑐) = 𝑐 − 𝑘 (mod 26)
Monoalphabetic, substitutional
Classical cryptosystems
Caesar cipher:
Example:
a b c d e f g h i j k l m n o p q r s t u v w x y z
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25

𝑘𝐷 = 𝑘𝐸 = 10
Plain text: 𝑚[1 … 5] = fagyi
Cipher text: 𝑐[1 … 5] = pkqit

Key space: 25
Classical cryptosystems
Affine cipher:
a b c d e f g h i j k l m n o p q r s t u v w x y z
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25

𝒫 = 𝒞 = {0, … , 25}
𝒦 = {0, … , 25} × {0, … , 25}
𝑘𝐸 = (𝛼, 𝛽), where gcd(𝛼, 26) = 1
𝑘𝐷 = (𝛼^−1, 𝛽)
𝑐 = 𝐸𝑛𝑐(𝑘𝐸, 𝑚) = 𝛼 ⋅ 𝑚 + 𝛽 (mod 26)
𝑚 = 𝐷𝑒𝑐(𝑘𝐷, 𝑐) = 𝛼^−1 ⋅ (𝑐 − 𝛽) (mod 26)

Monoalphabetic
Classical cryptosystems
Affine cipher:
a b c d e f g h i j k l m n o p q r s t u v w x y z
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25

𝑘𝐸 = (5, 3)
𝑘𝐷 = (21, 3), since 5 ⋅ 21 ≡ 1 (mod 26)
Plain text: 𝑚[1 … 5] = fagyi
Cipher text: 𝑐[1 … 5] = cdhtr

Key space: 25 ⋅ 25
If 𝑘𝐸 = (1, 3), then we get back the Caesar cipher.
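The affine cipher of the last two slides in working code, with the Caesar cipher as the special case 𝛼 = 1; this is an added example, not code from the lecture notes. It checks the gcd(𝛼, 26) = 1 condition on key creation, reproduces the slide's (5, 3) → (21, 3) key pair and the fagyi → cdhtr encryption, and enumerates the (𝛼, 𝛽) pairs that satisfy the gcd condition.

```python
"""Affine cipher on the 26-letter alphabet, with the Caesar cipher as the
special case alpha = 1.  Added example, not code from the lecture notes."""
from math import gcd
from typing import List, Tuple

ALPHABET = "abcdefghijklmnopqrstuvwxyz"
N = len(ALPHABET)  # 26


def affine_keypair(alpha: int, beta: int) -> Tuple[Tuple[int, int], Tuple[int, int]]:
    """Return (k_E, k_D) = ((alpha, beta), (alpha^-1 mod 26, beta)).
    Raises ValueError when gcd(alpha, 26) != 1: then Enc is not injective
    and no decryption key exists."""
    if gcd(alpha, N) != 1:
        raise ValueError(f"alpha={alpha} is not invertible mod {N}")
    return (alpha, beta), (pow(alpha, -1, N), beta)  # pow(x, -1, m) needs Python 3.8+


def affine_encrypt(plain: str, k_e: Tuple[int, int]) -> str:
    """c = alpha * m + beta (mod 26), letter by letter."""
    alpha, beta = k_e
    return "".join(ALPHABET[(alpha * ALPHABET.index(ch) + beta) % N] for ch in plain)


def affine_decrypt(cipher: str, k_d: Tuple[int, int]) -> str:
    """m = alpha^-1 * (c - beta) (mod 26), letter by letter."""
    alpha_inv, beta = k_d
    return "".join(ALPHABET[(alpha_inv * (ALPHABET.index(ch) - beta)) % N] for ch in cipher)


def caesar_encrypt(plain: str, k: int) -> str:
    """Caesar cipher = affine cipher with alpha = 1: c = m + k (mod 26)."""
    return affine_encrypt(plain, (1, k))


def valid_affine_keys() -> List[Tuple[int, int]]:
    """All (alpha, beta) with gcd(alpha, 26) = 1, i.e. the keys for which
    decryption is well defined."""
    return [(a, b) for a in range(N) for b in range(N) if gcd(a, N) == 1]


if __name__ == "__main__":
    k_e, k_d = affine_keypair(5, 3)          # the slide's example key
    c = affine_encrypt("fagyi", k_e)
    print(k_d, c, affine_decrypt(c, k_d))    # (21, 3) cdhtr fagyi
    print(len(valid_affine_keys()))          # number of usable keys
```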
Classical cryptosystems
General monoalphabetic cipher (single character):
a b c d e f g h i j k l m n o p q r s t u v w x y z
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25

𝒫 = 𝒞 = {0, … , 25}
𝒦 = {𝜋 | 𝜋 is a permutation of 𝒫}
𝑘𝐸 = 𝜋
𝑘𝐷 = 𝜋^−1
𝑐 = 𝐸𝑛𝑐(𝑘𝐸, 𝑚) = 𝜋(𝑚)
𝑚 = 𝐷𝑒𝑐(𝑘𝐷, 𝑐) = 𝜋^−1(𝑐)
Classical cryptosystems
General monoalphabetic cipher (single character):
a b c d e f g h i j k l m n o p q r s t u v w x y z
c k p g d t n i s b u y a m e v j z q w x f l o h r

𝑘𝐸 = 𝑎𝑐𝑝𝑣𝑓𝑡𝑤𝑙𝑦ℎ𝑖𝑠𝑞𝑗𝑏𝑘𝑢𝑥𝑜𝑒𝑑𝑔𝑛𝑚
𝑘𝐷 = 𝑚𝑛𝑔𝑑𝑒𝑜𝑥𝑢𝑘𝑏𝑗𝑞𝑠𝑖ℎ𝑦𝑙𝑤𝑡𝑓𝑣𝑝𝑐𝑎
Plain text: 𝑚[1 … 5] = fagyi
Cipher text: 𝑐[1 … 5] = tcnhs

Key space: 26!


Classical cryptosystems
General monoalphabetic cipher (block of characters):
Not single symbols, but e.g. pairs of symbols are encrypted.

Key space: (26^2)!


Classical cryptosystems
General monoalphabetic cipher (randomized):
𝒫 = {0, … , 25}
𝒞 = {0, … , 51}
𝒦 = {𝜋 | 𝜋 is a permutation of 𝒞}
𝑘𝐸 = 𝜋
𝑘𝐷 = 𝜋^−1
𝑐 = 𝐸𝑛𝑐(𝑘𝐸, 𝑚) = 𝜋(2 ⋅ 𝑚 + 𝑟), where 𝑟 is a random {0, 1} value
𝑚 = 𝐷𝑒𝑐(𝑘𝐷, 𝑐) = ⌊𝜋^−1(𝑐) / 2⌋ (integer part)

Key space: 52!
Classical cryptosystems
General permutational cipher:
𝑛 ∈ ℕ \ {0}
𝒫 = 𝒞 = {0, … , 25}^𝑛
𝒦 = {𝜋 | 𝜋 is a permutation of {1, 2, … , 𝑛}}
𝑘𝐸 = 𝜋
𝑘𝐷 = 𝜋^−1
𝑐[𝑖] = 𝑚[𝜋(𝑖)], where 𝑖 = 1, 2, … , 𝑛
𝑚[𝑗] = 𝑐[𝜋^−1(𝑗)], where 𝑗 = 1, 2, … , 𝑛
Classical cryptosystems
General permutational cipher:
𝑛=5
𝑘𝐸 = 15342
𝑘𝐷 = 24351
Plain text: 𝑚[1 … 5] = fagyi
Cipher text: 𝑐[1 … 5] = ifyag

Key space: 𝑛!
Classical cryptosystems
General permutational cipher:
𝑛 = 16
𝑘𝐸 = 𝑘𝐷

Plain text: 𝑚[1 … 16] = vaníliafagylalt_

Cipher text: 𝑐[1 … 16] = vlaialagnyaítf_l

(Diagram: the 16 characters of the plain text being moved into their permuted positions step by step.)
Classical cryptosystems
Vigenère cipher:
𝑛 > 1, integer
𝒫 = 𝒞 = {0, … , 25}
𝒦 = {0, … , 25}^𝑛
𝑘𝐸 = 𝑘𝐷
𝑐 = 𝐸𝑛𝑐(𝑘𝐸, 𝑚): 𝑐[𝑖] = 𝑚[𝑖] + 𝑘𝐸[𝑖 mod 𝑛] (mod 26)
𝑚 = 𝐷𝑒𝑐(𝑘𝐷, 𝑐): 𝑚[𝑖] = 𝑐[𝑖] − 𝑘𝐸[𝑖 mod 𝑛] (mod 26)

Key space: |𝒦| = 26^𝑛


Substitutional, polyalphabetic
Classical cryptosystems
Vigenère cipher:
𝑛 = 5 , integer
𝑘𝐸 = 𝑘𝐷 = fagyi

Plain text: 𝑚[1 … 15] = vaníliafagylalt

Cipher text: 𝑐[1 … 15] = aat
Classical cryptosystems
Vernam cipher (One Time Pad, OTP):
The idea is the same as in the Vigenère cipher, but the size of the key is equal to
the size of the message. The key is a (pseudo) random symbol sequence.
𝑛 > 1, 𝑝 > 1, integers
𝒫 = 𝒞 = {0, … , 𝑝 − 1}^𝑛
𝒦 = {0, … , 𝑝 − 1}^𝑛
𝑘𝐸 = 𝑘𝐷
𝑐 = 𝐸𝑛𝑐(𝑘𝐸, 𝑚): 𝑐[𝑖] = 𝑚[𝑖] + 𝑘𝐸[𝑖] (mod 𝑝)
𝑚 = 𝐷𝑒𝑐(𝑘𝐷, 𝑐): 𝑚[𝑖] = 𝑐[𝑖] − 𝑘𝐸[𝑖] (mod 𝑝)

Key space: |𝒦| = 𝑝^𝑛
Substitutional, polyalphabetic
Classical cryptosystems
Vernam cipher (One Time Pad, OTP):
𝑛 = 10, 𝑝 = 2
𝐸𝑛𝑐(𝑘, 𝑚) = 𝑘 xor 𝑚
𝐷𝑒𝑐(𝑘, 𝑐) = 𝑘 xor 𝑐
𝑚 = 0110001010
𝑘 = 1100111010
𝑐 = 1010110000
Classical cryptosystems
ENIGMA
Substitutional, polyalphabetic cryptosystem.
An electromechanical encryption and decryption device, developed by
German scientists for military purposes.
After pressing a key, the rotors were set to a new position and, with a
preset wiring (the encryption key), some lamps lit up. Hence the cipher
text could be read off.
Classical cryptosystems
ENIGMA
The first versions were broken by Polish code breakers.
The later models were broken by a British code breaker team during the
world war, in which A. Turing participated.
They exploited the security gaps of the system.
(Movie: The Imitation Game)
Security objectives
NIST (National Institute of Standards and Technology)
publishes standards and recommendations.
NIST Special Publication series 800: cyber security
NIST Special Publication 800-33 (December 2001):
Underlying Technical Models for Information Technology Security
Some of its recommendations became outdated.
Withdrawn: August 1, 2018 (together with 10 related
recommendations)
However, the security objectives it explains still stand.
Security objectives
1. Availability: system and data
The systems work promptly and service is not denied to authorized users.
Protects against:
a) intentional or accidental attempts to either:
- perform unauthorized deletion of data, or
- otherwise cause a denial of service or data;
b) attempts to use the system or data for unauthorized purposes.
[Frequently the most important security objective.]

2. Integrity: system and data

a) Data integrity (the data has not been altered in an unauthorized manner while in storage,
during processing, or while in transit).

b) System integrity (the system performs the intended function in an unimpaired
manner, free from unauthorized manipulation).

[Frequently the second most important security objective after availability.]


Security objectives
3. Confidentiality: system and data
Private or confidential information is not disclosed to unauthorized individuals
(during data storage, processing and in transit).
[Its importance often comes after availability and integrity. For some systems
confidentiality is extremely important.]
4. Accountability: to the individual level
Actions of an entity may be traced uniquely to that entity.
[Often a policy requirement; directly supports nonrepudiation,
deterrence, fault isolation, intrusion detection and prevention, and after-action
recovery and legal action.]
Security objectives
5. Assurance: the other four objectives have been adequately met
The basis for confidence that the security measures, both technical and
operational, work as intended to protect the system and the information it
processes.
[Essential; without it the other objectives are not met. However, assurance is a
continuum; the amount of assurance needed varies between systems.]
Security objectives
The five security objectives are interdependent. Achieving one
objective without consideration of the others is seldom possible.
Fundamental: assurance of the expected operation. All other
objectives depend on it.
Integrity ⟹ Confidentiality:
if the integrity of the system is lost, then there is no longer a
reasonable expectation that the confidentiality mechanisms are still
valid.
Confidentiality ⟹ Integrity:
if the confidentiality of certain information is lost (e.g., the superuser
password), then the integrity mechanisms are likely to be bypassed.
Security objectives
Integrity + Confidentiality ⟹ Availability
Integrity + Confidentiality ⟹ Accountability
1. if confidentiality is lost for certain information (e.g., the superuser
password), the mechanisms implementing these objectives are
easily bypassable;
2. if system integrity is lost, then confidence in the validity of the
mechanisms implementing these objectives is also lost.
Assurance:
When designing a system, an assurance level as a target should be
established.
Assurance highlights the fact that for a system to be secure, it must not only
provide the intended functionality, but also ensure that undesired actions do
not occur.
Security objectives

(Diagram: Confidentiality and Integrity support each other; both together support Availability and Accountability; all four rest on Assurance.)
Security objectives
Levels of security objectives and security violations
Lower level security objectives are more economical to implement, but
more insecure and easier to attack.
The less important components of the system may have a lower security
level, but one has to be careful with the design. The whole system can
be attacked through a weak point.
Security objectives
Levels of security violations
Low: It has a limited effect on the organization or entity. The main functions
of the organization are still available. Small damage or loss of income is
caused. Slight personal harm.
e.g. The internal phone book of an enterprise is disclosed. An outdated
e-mail is deleted. The controller of an air conditioning system is terminated.
Medium: It has a serious effect on the organization or entity. The damage or
loss is significant; the organization can still operate, but efficiency is reduced.
e.g. The payroll of an enterprise is disclosed. An order to sell some shares
is changed to buy.
High: It has a fatal effect on the organization or entity. The damage is
catastrophic, the organization can't operate, critical harm to an entity.
e.g. Contracts, secret recipes or technology are disclosed. The control
system of an aircraft stops.
Security objectives
Authenticity
Discussed in NIST SP 800-33, but recently it is treated as a separate objective.
Related to integrity and accountability.
1. Entity authentication (e.g. user authentication): the verification of
the identity of the entity.
2. Data authentication: the confirmation of the origin and integrity of the
data.
Security attacks
Intentional violation of security objectives.
Passive attack:
Confidentiality may be violated.
The attacker may eavesdrop on or analyze communication channels.
Hard to detect, no change in the system.

Active attack:
Every objective may be violated.
The intruder may modify the system or the data. Messages can be
deleted or modified, or fake messages can be created. Authenticity
can be changed, system availability can be blocked.
Easier to detect, but more difficult to defend against (several ways to
attack).
Security attacks
Passive attack:
Typically affects communication.
e.g.
Obtaining the content of a message by eavesdropping on the channel.
Traffic analysis: the attacker observes the patterns, formats, frequency,
source, sender, or target of the messages. These side effects
leak some information about the messages.
Security attacks
Active attack:
May intervene at several points of the system; the communication is not
necessarily the target. Erasing data, fake information or a fake identity
may be the objective.
e.g.
Modification of the content of a message.
Replaying a message.
Delaying a message.
Generating fake messages.
Deleting data.
Creating a false identity (impersonation).
Denial of service attack (DoS).
Security attacks
Special attacks against cryptosystems
The attacker may want to decrypt a particular message or to break the
whole system by obtaining the secret key.
Security attacks
Special attacks against cryptosystems
Kerckhoffs’s principle: A cryptosystem should be secure even if everything
about the system, except the key, is public knowledge.
(Auguste Kerckhoffs, 1883)
Security obtained by hiding the algorithms is dangerous.
In the case of small enterprises, hiding the algorithms may increase security.
In the case of massive usage it is impossible to keep the algorithms secret.
The errors of hidden algorithms are more difficult to find and correct.
The algorithms can be decompiled from the implementation.
The weaknesses and errors of an open system are recognized and
corrected faster.
Security attacks
Special attacks against cryptosystems
Ciphertext Only Attack
The attacker knows several messages encrypted by the same key:
𝐸𝑛𝑐(𝑘, 𝑚1), … , 𝐸𝑛𝑐(𝑘, 𝑚𝑛)
Security attacks
Special attacks against cryptosystems
Known Plaintext Attack
The attacker knows several pairs of plain text and cipher text
encrypted by the same key:
(𝑚1, 𝐸𝑛𝑐(𝑘, 𝑚1)), … , (𝑚𝑛, 𝐸𝑛𝑐(𝑘, 𝑚𝑛))
Security attacks
Special attacks against cryptosystems
Chosen Plaintext Attack
The attacker knows several pairs of plain text and cipher text
encrypted by the same key. The plain texts are chosen by the attacker.
(𝑚1, 𝐸𝑛𝑐(𝑘, 𝑚1)), … , (𝑚𝑛, 𝐸𝑛𝑐(𝑘, 𝑚𝑛))

a. Non-adaptive:
the attacker determines the plain texts in advance
b. Adaptive:
the attacker determines the next plain text after receiving the
previous cipher text.
Security attacks
Special attacks against cryptosystems
Chosen Ciphertext Attack
The attacker knows several pairs of plain text and cipher text
encrypted by the same key. The cipher texts are chosen by the attacker.
(𝑐1, 𝐷𝑒𝑐(𝑘, 𝑐1)), … , (𝑐𝑛, 𝐷𝑒𝑐(𝑘, 𝑐𝑛))

a. Non-adaptive:
the attacker determines the cipher texts in advance
b. Adaptive:
the attacker determines the next cipher text after receiving the
previous plain text.
Cryptographic schemes
Cryptographic primitives: algorithms for particular security purposes
(e.g. encryption, decryption, digital signature, hash, message
authentication).
Cryptographic protocols: complex descriptions with several participants,
based on cryptographic primitives. The computations and message
transmissions are precisely specified (e.g. key exchange,
authentication, secret sharing).
Cryptographic scheme: a collection of cryptographic primitives and
protocols.
Terms
Not precise definitions, but the most frequently used interpretations:
Cryptography
The science of key-based encryption techniques
Cryptanalysis
The science of the analysis, attacks and breaking of key-based encryption
techniques
Cryptology
Cryptography + Cryptanalysis
Modern symmetric cryptosystems
Stream ciphers
Plain text: 𝑀 = 𝑚1 𝑚2 𝑚3 … 𝑚𝑛 ∈ {0,1}^𝑛
Key: 𝑘𝐸 ∈ {0,1}^𝑙
Key generator: 𝐺: {0,1}^𝑙 → {0,1}^∞
𝐾 = 𝐺(𝑘𝐸) = 𝑘1 𝑘2 𝑘3 …
Cipher text: 𝐶 = 𝑐1 𝑐2 𝑐3 … 𝑐𝑛 ∈ {0,1}^𝑛
𝑐𝑖 = 𝑚𝑖 ⨁ 𝑘𝑖, where ⨁ is addition mod 2 (xor)
Modern symmetric cryptosystems
Stream ciphers

(Diagram: on the encryption side the key stream 𝑘1 𝑘2 𝑘3 𝑘4 … = 𝑮(𝑘𝐸) is XORed bit by bit with 𝑚1 𝑚2 𝑚3 𝑚4 … to give 𝑐1 𝑐2 𝑐3 𝑐4 …; on the decryption side the same 𝑮(𝑘𝐸) is XORed with 𝑐1 𝑐2 𝑐3 𝑐4 … to recover 𝑚1 𝑚2 𝑚3 𝑚4 …; per bit, 𝑐𝑖 = 𝑚𝑖 ⨁ 𝑘𝑖 and 𝑚𝑖 = 𝑐𝑖 ⨁ 𝑘𝑖.)
Modern symmetric cryptosystems
Block ciphers
DES (Data Encryption Standard) and variants
AES (Advanced Encryption Standard)

Plain text: 𝑀 = 𝑚1 𝑚2 𝑚3 …
𝑚𝑖 ∈ {0,1}^𝑛, where 𝑖 = 1, 2, 3, …
Key: 𝑘𝐸 ∈ {0,1}^𝑙, usually 𝑛 = 𝑙
Cipher text: 𝐶 = 𝑐1 𝑐2 𝑐3 …
𝑐𝑖 = 𝐸𝑛𝑐(𝑘𝐸, 𝑚𝑖)
Modern symmetric cryptosystems
Block ciphers

(Diagram: each block 𝑚𝑖 is encrypted as 𝑐𝑖 = 𝐸𝑛𝑐(𝑘𝐸, 𝑚𝑖) and decrypted as 𝑚𝑖 = 𝐷𝑒𝑐(𝑘𝐷, 𝑐𝑖).)
Stream ciphers
Key generator: 𝑮: {0,1}^𝑙 → {0,1}^∞
𝑮(𝒌𝑬) = 𝒌𝟏 𝒌𝟐 𝒌𝟑 …
The values 𝑘𝑖 are hard to guess.
𝐺: pseudo random number generator
Most common:
𝐺: {0,1}^𝑙 × {0,1}^(𝑠⋅𝑡) → {0,1}^𝑠,
where 𝑙, 𝑠, 𝑡 ≥ 1
𝑙 the size of the key
𝑠 the size of 𝑘𝑖
𝑡 the order of the recurrence
Stream ciphers
Key generator: 𝑮: {0,1}^𝑙 → {0,1}^∞
𝑮(𝒌𝑬) = 𝒌𝟏 𝒌𝟐 𝒌𝟑 …

𝐺: {0,1}^𝑙 × {0,1}^(𝑠⋅𝑡) → {0,1}^𝑠

The key stream elements are computed by the recursion
𝑘𝑖 = 𝐺(𝑘𝐸, 𝑘𝑖−𝑡, 𝑘𝑖−𝑡+1, … , 𝑘𝑖−1)
for 𝑖 ≥ 𝑡.
Stream ciphers, pseudo random number generators
Key generator → Pseudo random number generator (PRNG)
Recommendations for PRNGs:
NIST SP 800-22 Rev. 1a
A Statistical Test Suite for Random and Pseudorandom Number
Generators for Cryptographic Applications
Main test types:
1. frequency tests (monobit, block)
2. extremal behaviours (runs: 11111 … , 00000 … )
3. linear dependency and periodicity
4. patterns
5. random walks
Stream ciphers, pseudo random number generators
Linear Feedback Shift Register (LFSR)
Let 𝑙 ≥ 1 be an integer, 𝑠 = 1, 𝑎0, … , 𝑎𝑙−1, 𝑘0, … , 𝑘𝑙−1 ∈ {0,1} and for
𝑖 ≥ 𝑙
𝑘𝑖 = 𝑎𝑙−1 𝑘𝑖−1 ⊕ 𝑎𝑙−2 𝑘𝑖−2 ⊕ ⋯ ⊕ 𝑎0 𝑘𝑖−𝑙
For carefully chosen 𝑎0, … , 𝑎𝑙−1, 𝑘0, … , 𝑘𝑙−1 it provides a sequence
with good statistical properties and fast computation. From a
cryptographic point of view it is not completely satisfactory: if one knows
2 ⋅ 𝑙 consecutive elements of the sequence, then the coefficients
𝑎0, … , 𝑎𝑙−1 can be computed (by solving a linear system over {0,1}).
Stream ciphers, pseudo random number generators
Linear Feedback Shift Register (LFSR)
𝑘𝑖 = 𝑎𝑙−1 𝑘𝑖−1 ⊕ 𝑎𝑙−2 𝑘𝑖−2 ⊕ ⋯ ⊕ 𝑎0 𝑘𝑖−𝑙
Physical (hardware) implementation:

(Diagram: a shift register holding 𝑘𝑖−1, 𝑘𝑖−2, 𝑘𝑖−3, … , 𝑘𝑖−𝑙+1, 𝑘𝑖−𝑙; each cell is gated by its tap coefficient 𝑎𝑙−1, 𝑎𝑙−2, 𝑎𝑙−3, … , 𝑎1, 𝑎0, the gated values are XORed together to form 𝑘𝑖, and 𝑘𝑖 is shifted in.)


Stream ciphers, pseudo random number generators
Linear Feedback Shift Register (LFSR)
𝑘𝑖 = 𝑎𝑙−1 𝑘𝑖−1 ⊕ 𝑎𝑙−2 𝑘𝑖−2 ⊕ ⋯ ⊕ 𝑎0 𝑘𝑖−𝑙
Written otherwise:
𝑘𝑖 = 𝑎𝑙−1 𝑘𝑖−1 + 𝑎𝑙−2 𝑘𝑖−2 + ⋯ + 𝑎0 𝑘𝑖−𝑙 (mod 2)
E.g.
𝑎0 = 1, 𝑎1 = 0, 𝑎2 = 1, 𝑎3 = 1,
𝑘0 = 0, 𝑘1 = 0, 𝑘2 = 0, 𝑘3 = 1.
𝐾 = 0, 0, 0, 1, 1, 0, 1, 0, 0, 0, 1, 1, 0, 1, 0, 0, …
Periodic, period length 2^(𝑙−1) − 1 = 2^3 − 1 = 7
Not uniformly distributed, not suitable
Stream ciphers, pseudo random number generators
Linear Feedback Shift Register (LFSR)
E.g.
𝑎0 = 1, 𝑎1 = 1, 𝑎2 = 1, 𝑎3 = 0, 𝑎4 = 0 ,
𝑘0 = 0, 𝑘1 = 0, 𝑘2 = 0, 𝑘3 = 0, 𝑘4 = 1.
𝐾 = 0, 0, 0, 0, 1, 0, 0, 1, 1, 1, 1, 0, 1, 1, 0, 0, 0, 0, 1, 0, 0, 1, …
Periodic, period length 2^(𝑙−1) ⋅ 2 = 2^3 ⋅ 2 = 16
Uniformly distributed, suitable
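The LFSR recurrence of the last three slides in working code: an added example, not code from the lecture. `lfsr_stream` reproduces the two example sequences, `lfsr_period` measures the period directly by waiting for the 𝑙-bit state to recur, and `recover_taps` is the check behind the remark that 2 ⋅ 𝑙 consecutive bits determine 𝑎0, … , 𝑎𝑙−1: it solves the resulting linear system over {0,1} by Gauss-Jordan elimination and returns None when the bits do not determine the taps uniquely.

```python
"""LFSR key-stream generator, period measurement and tap recovery from
2*l consecutive output bits.  Added example, not code from the lecture."""
from typing import List, Optional


def lfsr_stream(a: List[int], seed: List[int], n: int) -> List[int]:
    """First n bits k_0, k_1, ... of the LFSR with taps a_0..a_{l-1} and
    initial state k_0..k_{l-1}:  k_i = a_{l-1} k_{i-1} xor ... xor a_0 k_{i-l}."""
    l = len(a)
    if len(seed) != l:
        raise ValueError("seed must have one bit per tap coefficient")
    k = list(seed)
    for i in range(l, n):
        bit = 0
        for j in range(l):            # a_j multiplies k_{i-l+j}
            bit ^= a[j] & k[i - l + j]
        k.append(bit)
    return k[:n]


def lfsr_period(a: List[int], seed: List[int]) -> int:
    """Smallest p >= 1 with state(p) == state(0).  An l-bit state must repeat
    within 2^l steps; the all-zero state is a fixed point (period 1)."""
    l = len(a)
    bits = lfsr_stream(a, seed, 2 ** l + l)
    for p in range(1, 2 ** l + 1):
        if bits[p:p + l] == bits[:l]:
            return p
    raise RuntimeError("unreachable: state space of size 2^l exhausted")


def recover_taps(bits: List[int], l: int) -> Optional[List[int]]:
    """Given 2*l consecutive key-stream bits s_0..s_{2l-1} of an LFSR of known
    length l, solve the l equations
        s_{l+r} = a_0 s_r xor a_1 s_{r+1} xor ... xor a_{l-1} s_{r+l-1}
    for a_0..a_{l-1} over GF(2) by Gauss-Jordan elimination.  Returns None
    when the system is singular (the bits do not pin down the taps)."""
    if len(bits) < 2 * l:
        raise ValueError("need at least 2*l bits")
    # augmented matrix: row r = [s_r, ..., s_{r+l-1} | s_{r+l}]
    rows = [[bits[r + j] for j in range(l)] + [bits[r + l]] for r in range(l)]
    for col in range(l):
        pivot = next((r for r in range(col, l) if rows[r][col]), None)
        if pivot is None:
            return None
        rows[col], rows[pivot] = rows[pivot], rows[col]
        for r in range(l):
            if r != col and rows[r][col]:
                rows[r] = [x ^ y for x, y in zip(rows[r], rows[col])]
    return [rows[j][l] for j in range(l)]   # reduced form: a_j sits in row j


if __name__ == "__main__":
    a, seed = [1, 0, 1, 1], [0, 0, 0, 1]          # first example on the slide
    ks = lfsr_stream(a, seed, 16)
    print(ks, "period", lfsr_period(a, seed))
    print("taps recovered from 8 bits:", recover_taps(ks[:8], 4))
    a2, seed2 = [1, 1, 1, 0, 0], [0, 0, 0, 0, 1]  # second example on the slide
    print(lfsr_stream(a2, seed2, 22), "period", lfsr_period(a2, seed2))
```

For the second example the function measures a period of 14: the 5-bit state 0, 0, 0, 0, 1 recurs at index 14, which can be read off the sequence listed on the slide itself.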
Stream ciphers, pseudo random number generators
Linear Recurrence Sequence (LRS)
The generalization of LFSR.
E.g. C/C++ rand()
𝑎 = 31835, 𝑏 = 1906
𝑘0 = 41
𝑘𝑖 = 𝑎 ⋅ 𝑘𝑖−1 + 𝑏 (mod 2^15) if 𝑖 > 0.
Periodic, period length 2^15
Uniformly distributed, suitable, but only for simple applications.
Stream ciphers, pseudo random number generators
Blum-Blum-Shub generator (BBS, 1986.):
Let 𝑝, 𝑞 be two carefully chosen large primes, 𝑚 = 𝑝 ⋅ 𝑞 and
𝑎0 s.t. gcd(𝑎0, 𝑚) = 1. Then
𝑎𝑖 = 𝑎𝑖−1^2 mod 𝑚, for 𝑖 > 0.
𝑘𝑖 = 𝑎𝑖 (mod 2) (or e.g. the parity of the bits of 𝑎𝑖)
Assumption: 𝑝 ≡ 3 (mod 4), 𝑞 ≡ 3 (mod 4), not too close to each
other, …
Uniformly distributed, suitable.
Hard (exponential time) to compute the next 𝑎𝑖 from the previous
ones. Periodic with large period length (≈ 𝑝 ⋅ 𝑞), if gcd(𝑝 − 1, 𝑞 − 1) is
small.
Stream ciphers, pseudo random number generators
Blum-Blum-Shub generator (BBS, 1986.):
E.g.
Let 𝑝 = 7, 𝑞 = 11, 𝑎0 = 2. Then 𝑚 = 77, and
the generated sequence is:
𝑎0 = 8
𝑎1 ≡ 8^2 ≡ 64 (mod 77)
𝑎2 ≡ 64^2 ≡ 15 (mod 77)
𝑎3 ≡ 15^2 ≡ 71 (mod 77)

Stream ciphers, pseudo random number generators
Blum-Blum-Shub generator (BBS, 1986.):
E.g.
𝑎𝑖:        8  64  15  71  36  64  15  71  36
𝑎𝑖 mod 2:  0   0   1   1   0   0   1   1   0
parity:    1   1   0   0   0   1   0   0   0
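The Blum-Blum-Shub generator of the last three slides in working code, run on the slide's toy parameters 𝑝 = 7, 𝑞 = 11, 𝑎0 = 8 (added example, not code from the lecture). It enforces the stated assumptions 𝑝 ≡ 𝑞 ≡ 3 (mod 4) and gcd(𝑎0, 𝑚) = 1, produces both output-bit variants from the table above, and measures the length of the cycle the sequence falls into.

```python
"""Blum-Blum-Shub generator as defined on the slides: a_i = a_{i-1}^2 mod m,
output bit = a_i mod 2 or the parity of the bits of a_i.
Added example, not code from the lecture."""
from math import gcd
from typing import Dict, List


def bbs_sequence(p: int, q: int, a0: int, n: int) -> List[int]:
    """Return a_0 .. a_{n-1}, checking the slide's assumptions
    p = q = 3 (mod 4) and gcd(a_0, m) = 1."""
    if p % 4 != 3 or q % 4 != 3:
        raise ValueError("p and q must both be congruent to 3 mod 4")
    m = p * q
    if gcd(a0, m) != 1:
        raise ValueError("seed a_0 must be coprime to m = p*q")
    seq = [a0 % m]
    for _ in range(n - 1):
        seq.append(seq[-1] * seq[-1] % m)
    return seq


def lsb_bits(seq: List[int]) -> List[int]:
    """k_i = a_i mod 2."""
    return [x & 1 for x in seq]


def parity_bits(seq: List[int]) -> List[int]:
    """k_i = parity (xor of all bits) of a_i."""
    return [bin(x).count("1") & 1 for x in seq]


def bbs_cycle_length(p: int, q: int, a0: int) -> int:
    """Length of the cycle the squaring map eventually enters from a_0
    (the pre-period, e.g. the lone 8 in the slide's example, is not counted)."""
    m = p * q
    seen: Dict[int, int] = {}
    x, i = a0 % m, 0
    while x not in seen:
        seen[x] = i
        x, i = x * x % m, i + 1
    return i - seen[x]


if __name__ == "__main__":
    seq = bbs_sequence(7, 11, 8, 9)
    print(seq)               # [8, 64, 15, 71, 36, 64, 15, 71, 36]
    print(lsb_bits(seq))     # [0, 0, 1, 1, 0, 0, 1, 1, 0]
    print(parity_bits(seq))  # [1, 1, 0, 0, 0, 1, 0, 0, 0]
    print(bbs_cycle_length(7, 11, 8))  # 4: the toy modulus gives a tiny cycle
```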
Stream ciphers, pseudo random number generators
Mersenne twister (MT; Matsumoto, Nishimura, 1997):
Most common: MT19937 (C++)
+ Good performance on most statistical tests.
+ Large period length (e.g. MT19937 → 2^19937 − 1)
+ Relatively fast (compared to other generators with similar properties)
– Relatively large memory requirement
– Relatively slow (compared to simpler generators)
– Slow initialization
– Bad cryptographic properties (→ LRS, 624-length sequence): CryptMT
Stream ciphers, RC4
RC4 (Rivest, 1987)
Based on random permutations.
Period length > 10^100
Very fast (8-16 machine-level instructions per byte)

Used in:
SSL/TLS (Secure Sockets Layer/Transport Layer Security)
WEP (Wired Equivalent Privacy)
WPA (WiFi Protected Access)
Stream ciphers, RC4
Seed: 𝑆 ∈ {0, … , 255}^256, a permutation of the numbers 0, … , 255.
Master key: 𝐾 ∈ {0, … , 255}^*, of arbitrary length 𝑙 (only the first 256
bytes are used).
Initialization:
Temporary array: 𝑇 ∈ {0, … , 255}^256
𝐟𝐨𝐫 𝑖 ← 0 … 255 𝐝𝐨
    𝑆[𝑖] = 𝑖
    𝑇[𝑖] = 𝐾[𝑖 𝐦𝐨𝐝 𝑙]
𝐞𝐧𝐝𝐟𝐨𝐫
𝑗 ← 0
𝐟𝐨𝐫 𝑖 ← 0 … 255 𝐝𝐨
    𝑗 = (𝑗 + 𝑆[𝑖] + 𝑇[𝑖]) 𝐦𝐨𝐝 256
    𝑆[𝑖] ⟷ 𝑆[𝑗]
𝐞𝐧𝐝𝐟𝐨𝐫
Stream ciphers, RC4
Key generation:
𝑖, 𝑗 ← 0
𝐰𝐡𝐢𝐥𝐞 𝑡𝑟𝑢𝑒 𝐝𝐨
    𝑖 = (𝑖 + 1) 𝐦𝐨𝐝 256
    𝑗 = (𝑗 + 𝑆[𝑖]) 𝐦𝐨𝐝 256
    𝑆[𝑖] ⟷ 𝑆[𝑗]
    𝑡 = (𝑆[𝑖] + 𝑆[𝑗]) 𝐦𝐨𝐝 256
    𝑘 = 𝑆[𝑡]
𝐞𝐧𝐝𝐰𝐡𝐢𝐥𝐞

Encryption (byte wise): 𝑐 = 𝑘 ⊕ 𝑚


Stream ciphers, RC4

Cryptanalysis
Several methods for trying to break it have been published: not significant.
One exception (Fluhrer, McGrew; 2000):
a critical attack against WEP (confidentiality);
the problem is not with RC4 itself, but with the key distribution.
It does not appear in other systems using RC4.
DES (Data Encryption Standard)
H. Feistel (IBM, 1972) → LUCIFER (128-bit key)
National Bureau of Standards (NBS → NIST):
request for proposals for a national cipher standard for
governmental data.
1977: after some minor modifications, adopted as a
Federal Information Processing Standard (FIPS)
- more secure against differential cryptanalysis
- weaker against brute force (trial) attacks
(computers were not as strong as they are now)
DES (Data Encryption Standard)
The key size (56 bits) is too small for present computer capacity.
1998: the first published break
1999: 22 h 15 min
2006: COPACOBANA (Cost-Optimized Parallel Code Breaker, FPGA-based)
< 10000 $, approx. 8.7 days

Triple DES (3DES, TDES): practically secure


DES (Data Encryption Standard)
𝒫 = 𝒞 = {0,1}^64
𝒦 = {0,1}^64, 𝒦𝑠 = {0,1}^48
Key generator:
𝐺: 𝒦 → 𝒦𝑠^16
𝐺(𝑘𝐸) = (𝑠𝑘1, … , 𝑠𝑘16)
Encryption function (Feistel function):
𝐹: 𝒦𝑠 × {0,1}^32 → {0,1}^32

Initialization, finalization:
𝐼𝑃: 𝒫 → 𝒫 Initial Permutation
𝐹𝑃: 𝒫 → 𝒫 Final Permutation
𝐹𝑃 = 𝐼𝑃^−1
DES (Data Encryption Standard)
Feistel network (Feistel structure, Feistel ladder)
𝐼𝑃(𝑚) = 𝐿0 𝑅0
𝐿𝑖+1 = 𝑅𝑖, 𝑅𝑖+1 = 𝐿𝑖 ⊕ 𝐹(𝑠𝑘𝑖+1, 𝑅𝑖), for 𝑖 = 0 … 14
𝐿16 = 𝐿15 ⊕ 𝐹(𝑠𝑘16, 𝑅15), 𝑅16 = 𝑅15
𝑐 = 𝐹𝑃(𝐿16 𝑅16)

(Diagram: 𝑚 (64 bits) → IP → halves 𝐿0, 𝑅0 (32 bits each); the round with subkey 𝑠𝑘𝑖+1 (48 bits) feeds 𝑅𝑖 and 𝑠𝑘𝑖+1 into F, XORs the result into 𝐿𝑖 and swaps the halves; after the round with 𝑠𝑘16 there is no swap, and 𝐿16 𝑅16 goes through FP.)
DES (Data Encryption Standard)
Decryption (DES^−1):
𝑐 = 𝐹𝑃(𝐿16 𝑅16)
𝐼𝑃(𝑐) = 𝐼𝑃(𝐹𝑃(𝐿16 𝑅16)) = 𝐿16 𝑅16
𝐿15 = 𝐿16 ⊕ 𝐹(𝑠𝑘16, 𝑅16), 𝑅15 = 𝑅16
𝐿𝑖−1 = 𝑅𝑖, 𝑅𝑖−1 = 𝐿𝑖 ⊕ 𝐹(𝑠𝑘𝑖, 𝑅𝑖), for 𝑖 = 15 … 1
𝐿0 = 𝐿1 ⊕ 𝐹(𝑠𝑘1, 𝑅1), 𝑅0 = 𝑅1
𝑚 = 𝐹𝑃(𝐿0 𝑅0) = 𝐹𝑃(𝐼𝑃(𝑚))

(Diagram: the same ladder run on 𝑐 with the subkeys in reverse order 𝑠𝑘16, 𝑠𝑘15, … , 𝑠𝑘2, 𝑠𝑘1: 𝑐 (64 bits) → IP → 𝐿16, 𝑅16 → rounds through F → 𝐿0, 𝑅0 → FP → 𝑚.)
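The Feistel ladder of the last two slides as a generic construction (added example; not the lecture's code and not DES: the round function below is a toy stand-in for the DES F, and IP/FP are taken as the identity). It shows the property the slides rely on: decryption is the same ladder with the subkeys in reverse order, and it works for any round function, invertible or not, because the ladder never needs 𝐹^−1.

```python
"""Feistel ladder with the indexing of the diagram above: 16 rounds, swap
after every round except the last, decryption = the same ladder with the
subkeys reversed.  Added example, not DES and not the lecture's code:
toy_f and toy_key_schedule are stand-ins for the DES F and G."""
from typing import Callable, List

MASK32 = 0xFFFFFFFF
RoundFn = Callable[[int, int], int]  # F(subkey, R) -> 32-bit value


def toy_f(subkey: int, r: int) -> int:
    """A deliberately non-invertible 32-bit mixer (assumed, not DES's F).
    Any function works here; the ladder never needs F^-1."""
    x = (r ^ subkey) & MASK32
    x = (x * 0x9E3779B1 + 0x7F4A7C15) & MASK32
    return (x ^ (x >> 15)) & MASK32


def feistel_encrypt(block: int, subkeys: List[int], f: RoundFn = toy_f) -> int:
    """L_{i+1} = R_i, R_{i+1} = L_i xor F(sk_{i+1}, R_i) for i = 0..14, then
    L_16 = L_15 xor F(sk_16, R_15), R_16 = R_15 (no swap in the last round).
    IP and FP are taken as the identity in this example."""
    if len(subkeys) != 16:
        raise ValueError("expected 16 subkeys")
    left, right = (block >> 32) & MASK32, block & MASK32
    for sk in subkeys[:-1]:
        left, right = right, left ^ f(sk, right)
    left ^= f(subkeys[-1], right)
    return (left << 32) | right


def feistel_decrypt(block: int, subkeys: List[int], f: RoundFn = toy_f) -> int:
    """Same ladder, subkeys in reverse order: sk_16 first, sk_1 last."""
    return feistel_encrypt(block, subkeys[::-1], f)


def toy_key_schedule(key: int) -> List[int]:
    """Stand-in for DES's G (assumed): 16 subkeys derived from a 64-bit key
    by shifting and xoring; distinct per round, nothing more is claimed."""
    key &= (1 << 64) - 1
    return [((key >> (4 * i)) ^ (key >> (4 * i + 17)) ^ i) & MASK32 for i in range(16)]


if __name__ == "__main__":
    sks = toy_key_schedule(0x133457799BBCDFF1)   # constructed key
    blk = 0x0123456789ABCDEF                     # constructed block
    ct = feistel_encrypt(blk, sks)
    print(hex(ct), hex(feistel_decrypt(ct, sks)))  # second value == blk
```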
DES (Data Encryption Standard)
Feistel function

(Diagram: 𝑅𝑖 (32 bits) → 𝐸 → 48 bits, ⊕ 𝑠𝑘𝑖 (48 bits) → S-boxes 𝑆1 𝑆2 𝑆3 𝑆4 𝑆5 𝑆6 𝑆7 𝑆8 → 32 bits → 𝑃 → 32 bits.)
DES (Data Encryption Standard)
Feistel function
𝒦𝑠 = {0,1}^48
𝐹: 𝒦𝑠 × {0,1}^32 → {0,1}^32

Extension: 𝐸: {0,1}^32 → {0,1}^48 (each output position is given by the number of the input bit it copies)
32 1 2 3 4 5
4 5 6 7 8 9
8 9 10 11 12 13
12 13 14 15 16 17
16 17 18 19 20 21
20 21 22 23 24 25
24 25 26 27 28 29
28 29 30 31 32 1

(Diagram: the 32 input bits 1 … 8, … , 25 … 32 are split into eight 4-bit groups; each group is widened to 6 bits by repeating its neighbours' edge bits, e.g. bits 1 2 3 4 become 32 1 2 3 4 5 and bits 29 30 31 32 become 28 29 30 31 32 1.)
DES (Data Encryption Standard)
Feistel function
Permutation: 𝑃: {0,1}^32 → {0,1}^32

16 7 20 21 29 12 28 17
1 15 23 26 5 18 31 10
2 8 24 14 32 27 3 9
19 13 30 6 22 11 4 25
DES (Data Encryption Standard)
Feistel function
S-box: 𝑆𝑖: {0,1}^6 → {0,1}^4, 𝑖 = 1 … 8
Substitution tables.
𝑎 = 𝑎1 𝑎2 … 𝑎5 𝑎6, 𝑏1 = 𝑎1 𝑎6 (row), 𝑏2 = 𝑎2 … 𝑎5 (column)
𝑆1(𝑎) = 𝑆1(𝑏1, 𝑏2)
e.g. 𝑆1(101101) = 𝑆1(11, 0110) = 𝑆1(3, 6) = 0001
𝑆1 (row \ column): 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
0: 14 4 13 1 2 15 11 8 3 10 6 12 5 9 0 7
1: 0 15 7 4 14 2 13 1 10 6 12 11 9 5 3 8
2: 4 1 14 8 13 6 2 11 15 12 9 7 3 10 5 0
3: 15 12 8 2 4 9 1 7 5 11 3 14 10 0 6 13
DES (Data Encryption Standard)
Key generator
𝒦 = {0,1}^64, 𝒦𝑠 = {0,1}^48
𝐺: 𝒦 → 𝒦𝑠^16
𝑃𝐶1: 𝒦 → {0,1}^28 × {0,1}^28
𝑃𝐶2: {0,1}^56 → {0,1}^48
≪: left rotation (by 1 or 2 bits)

(Diagram: 𝑘𝐸 (64 bits) → PC1 → two 28-bit halves; in each of the 16 rounds both halves are rotated left (≪) and PC2 selects the 48-bit subkey 𝑠𝑘1, 𝑠𝑘2, … , 𝑠𝑘15, 𝑠𝑘16 from the 56 bits.)
DES (Data Encryption Standard)
Key generator
PC1 (permuted choice)
PC1_L:
57 49 41 33 25 17 9
1 58 50 42 34 26 18
10 2 59 51 43 35 27
19 11 3 60 52 44 36
PC1_R:
63 55 47 39 31 23 15
7 62 54 46 38 30 22
14 6 61 53 45 37 29
21 13 5 28 20 12 4
Every 8th bit (the parity bit of each key byte) is eliminated.
DES (Data Encryption Standard)
Key generator
PC2:
14 17 11 24 1 5 3 28
15 6 21 10 23 19 12 4
26 8 16 7 27 20 13 2
41 52 31 37 47 55 30 40
51 45 33 48 44 49 39 56
34 53 46 42 50 36 29 32

Every 7th bit is eliminated (8 of the 56 bits are dropped: positions 9, 18, 22, 25, 35, 38, 43 and 54 do not occur in the table).
DES (Data Encryption Standard)
Key generator
Rotation (number of positions per round):
round:    1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
rotation: 1 1 2 2 2 2 2 2 1  2  2  2  2  2  2  1
Sum of rotation positions: 28
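The DES key generator 𝐺(𝑘𝐸) = (𝑠𝑘1, … , 𝑠𝑘16) built from the PC1, PC2 and rotation tables of the last four slides (added example, not the lecture's code). Bits are numbered 1 … 64 from the most significant bit, as in the tables; the key 133457799BBCDFF1 used below is a constructed test value. `halves_after_rounds` checks the consequence of the rotations summing to 28: after round 16 both 28-bit halves are back at their PC1 values.

```python
"""DES subkey generation from the PC1, PC2 and rotation tables on the slides.
Added example, not code from the lecture.  Bit positions are 1-based,
counted from the most significant bit, exactly as the tables list them."""
from typing import List, Tuple

PC1 = [57, 49, 41, 33, 25, 17, 9, 1, 58, 50, 42, 34, 26, 18,
       10, 2, 59, 51, 43, 35, 27, 19, 11, 3, 60, 52, 44, 36,
       63, 55, 47, 39, 31, 23, 15, 7, 62, 54, 46, 38, 30, 22,
       14, 6, 61, 53, 45, 37, 29, 21, 13, 5, 28, 20, 12, 4]
PC2 = [14, 17, 11, 24, 1, 5, 3, 28, 15, 6, 21, 10, 23, 19, 12, 4,
       26, 8, 16, 7, 27, 20, 13, 2, 41, 52, 31, 37, 47, 55, 30, 40,
       51, 45, 33, 48, 44, 49, 39, 56, 34, 53, 46, 42, 50, 36, 29, 32]
ROTATIONS = [1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1]  # sums to 28
MASK28 = 0xFFFFFFF


def permute(value: int, width: int, table: List[int]) -> int:
    """Output bit t (1-based, MSB first) = input bit table[t-1] of a
    width-bit value."""
    out = 0
    for pos in table:
        out = (out << 1) | ((value >> (width - pos)) & 1)
    return out


def rotl28(half: int, n: int) -> int:
    """Left rotation of a 28-bit half by n positions."""
    return ((half << n) | (half >> (28 - n))) & MASK28


def des_key_schedule(key: int) -> List[int]:
    """Return (sk_1, ..., sk_16), each 48 bits.  PC1 drops the 8 parity bits
    (every 8th bit); PC2 drops 8 of the remaining 56 bits each round."""
    cd = permute(key, 64, PC1)
    c, d = cd >> 28, cd & MASK28
    subkeys = []
    for r in ROTATIONS:
        c, d = rotl28(c, r), rotl28(d, r)
        subkeys.append(permute((c << 28) | d, 56, PC2))
    return subkeys


def halves_after_rounds(key: int) -> Tuple[Tuple[int, int], Tuple[int, int]]:
    """((C0, D0), (C16, D16)): the rotations total 28, so the halves return
    to their PC1 values after the 16th round."""
    cd = permute(key, 64, PC1)
    c0, d0 = cd >> 28, cd & MASK28
    c, d = c0, d0
    for r in ROTATIONS:
        c, d = rotl28(c, r), rotl28(d, r)
    return (c0, d0), (c, d)


if __name__ == "__main__":
    for i, sk in enumerate(des_key_schedule(0x133457799BBCDFF1), start=1):
        print(f"sk{i:<2} = {sk:012x}")
    print(halves_after_rounds(0x133457799BBCDFF1))
```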
DES Cryptanalysis
The analysis of DES produced a lot of knowledge about symmetric cryptosystems.
Avalanche effect:
a small change in the plain text (or key) → a large change in the cipher text.
Brute force: still the most efficient attack.
Possible weak point: S-boxes; no publicly known weakness, but
some patterns and unexpected properties;
the original design principle is still not known.
DES Cryptanalysis
Differential cryptanalysis:
it was considered during the design (although the first public results
are from 1990),
S-boxes and permutations are designed against DCA.
DCA: observes two messages simultaneously and tries to follow the change
of their difference.
2^56 → 2^47 key trials
Linear cryptanalysis:
more recent;
transformations are approximated by linear functions.
2^47 → 2^43 key trials
3DES
Idea: repeat the encryption with a different key → bigger key.
Doubling was found weak.
Repeat 3 times, with 2 keys: 𝐸𝑛𝑐(𝑘1, 𝐸𝑛𝑐(𝑘2, 𝐸𝑛𝑐(𝑘1, 𝑚)))
not much better
Repeat 3 times, with 2 keys, middle encryption reversed:
𝐸𝑛𝑐(𝑘1, 𝐷𝑒𝑐(𝑘2, 𝐸𝑛𝑐(𝑘1, 𝑚)))
better, but not secure enough
Repeat 3 times, with 3 keys:
𝐸𝑛𝑐(𝑘3, 𝐸𝑛𝑐(𝑘2, 𝐸𝑛𝑐(𝑘1, 𝑚)))
acceptable security
3DES
Multi-dimensional MITM (meet-in-the-middle) attacks still have a chance of breaking it.
Not recommended for use:
NIST SP 800-131A Revision 1 (2015)
3DES
3DES with 3 different keys:
𝐸𝑛𝑐(𝑘3, 𝐸𝑛𝑐(𝑘2, 𝐸𝑛𝑐(𝑘1, 𝑚)))
restriction: at most 2^20 plaintexts with the same key
Birthday paradox → Sweet32 attack on 64-bit block ciphers:
analysis of 32 GB of data
NIST: 3DES is not recommended for TLS (Transport Layer Security), IPsec
(Internet Protocol Security), SSH, OpenVPN and other protocols (e.g.
3G communication).
Observing approx. 785 GB of data traffic is enough (e.g. by malware).
Recommended: change to AES as soon as possible.
AES (Advanced Encryption Standard)
NIST: U.S. FIPS PUB 197 (FIPS 197) (2001)
5 years of negotiations with 15 competing candidates.
Rijndael (V. Rijmen, J. Daemen) cipher
3 variants: block size 128 bits; key size 128, 192 or 256 bits.
The structure of the algorithm is similar to DES:
1. Initialization
2. Iteration
3. Post processing
Different numbers of iteration steps correspond to the different key sizes:
128 – 10
192 – 12
256 – 14
AES (Advanced Encryption Standard)
1. Initialization:
AddRoundKey
2. Iteration:
SubBytes
ShiftRows
MixColumns
AddRoundKey
3. Post processing:
SubBytes
ShiftRows
AddRoundKey
AES (Advanced Encryption Standard)
Key generator: a sequence of 128-bit subkeys derived from the master key.
The block is represented as a 4 × 4 byte matrix (128 bits = 16 bytes);
during the encryption process it is called the state matrix.
AddRoundKey: xor operation between the state matrix and the
corresponding subkey.
SubBytes: S-boxes are used; operations over the finite field 𝔽256,
computing the inverse followed by an affine transformation of the form 𝑎𝑥 + 𝑏.
ShiftRows: rotation of the rows; 1st row by 0, 2nd row by 1, …, 4th row by 3
positions.
MixColumns: linear transformation applied to each column separately, with the matrix
02 03 01 01
01 02 03 01
01 01 02 03
03 01 01 02
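ShiftRows and MixColumns from the slide above in working code, together with the 𝔽256 arithmetic MixColumns relies on (added example, not code from the lecture). The state is laid out as state[row][column] with block bytes filling it column by column, the matrix is the 02 03 01 01 circulant from the slide, and the inverse matrix 0e 0b 0d 09 is included so the round trip can be checked; the 𝔽256 reduction polynomial 𝑥^8 + 𝑥^4 + 𝑥^3 + 𝑥 + 1 is the one AES specifies.

```python
"""AES ShiftRows and MixColumns on a 4x4 byte state with the GF(2^8)
arithmetic behind them.  Added example, not code from the lecture.
state[row][col]; bytes of a block fill the matrix column by column."""
from typing import List

State = List[List[int]]


def xtime(b: int) -> int:
    """Multiply by x (= 02) in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    b <<= 1
    return (b ^ 0x1B) & 0xFF if b & 0x100 else b


def gf_mul(a: int, b: int) -> int:
    """General GF(2^8) product by shift-and-add."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a, b = xtime(a), b >> 1
    return result


MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]      # slide's matrix
INV_MIX = [[14, 11, 13, 9], [9, 14, 11, 13], [13, 9, 14, 11], [11, 13, 9, 14]]


def mix_column(col: List[int], matrix: List[List[int]] = MIX) -> List[int]:
    """Matrix-vector product over GF(2^8) for one 4-byte column:
    out[r] = M[r][0]*c0 xor M[r][1]*c1 xor M[r][2]*c2 xor M[r][3]*c3."""
    return [gf_mul(matrix[r][0], col[0]) ^ gf_mul(matrix[r][1], col[1])
            ^ gf_mul(matrix[r][2], col[2]) ^ gf_mul(matrix[r][3], col[3])
            for r in range(4)]


def mix_columns(state: State, matrix: List[List[int]] = MIX) -> State:
    """Apply mix_column to each of the four columns separately."""
    cols = [mix_column([state[r][c] for r in range(4)], matrix) for c in range(4)]
    return [[cols[c][r] for c in range(4)] for r in range(4)]


def shift_rows(state: State) -> State:
    """Row r is rotated left by r positions (row 0 unchanged, row 3 by 3)."""
    return [row[r:] + row[:r] for r, row in enumerate(state)]


def inv_shift_rows(state: State) -> State:
    """Row r is rotated right by r positions."""
    return [row[-r:] + row[:-r] if r else row[:] for r, row in enumerate(state)]


if __name__ == "__main__":
    col = [0xDB, 0x13, 0x53, 0x45]              # constructed sample column
    mixed = mix_column(col)
    print([f"{b:02x}" for b in mixed])           # ['8e', '4d', 'a1', 'bc']
    print(mix_column(mixed, INV_MIX) == col)     # True: InvMixColumns undoes it
```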
AES (Advanced Encryption Standard)
Cryptanalysis:
2002: Courtois, Pieprzyk – XSL: a nice theoretical idea, but practically
useless
2009: Biryukov, Khovratovich – key schedule attack
2009: Gilbert, Peyrin – AES ciphertext is distinguishable from random
sequences
2011: first key recovery attack
NSA (Snowden): research with tau-statistic cryptanalysis

At the moment there is no published practically applicable method.


AES (Advanced Encryption Standard)
Cryptanalysis:
Side-channel attacks
The system applying AES is observed: timing, power consumption, …
Inducing intentional errors (fault injection).
