SystemSecurity 011
Cryptosystem
𝒫 set of plain texts
𝒞 set of cipher texts
𝒦 set of possible keys
1 < |𝒫|, |𝒞|, |𝒦| < ∞ (finite, non-trivial sets)
Usual notation:
𝑚 ∈ 𝒫 plain text (message)
𝑐 ∈ 𝒞 cipher text (encrypted message)
𝑘 ∈ 𝒦 key
Cryptosystem
Examples:
𝒫, 𝒞 and 𝒦 are sets of words over some alphabet:
- a text in a spoken language
- 01 sequences
Enc_{k_E}(m_1) = Enc_{k_E}(m_2) ⟺ m_1 = m_2 (encryption under a fixed key is injective; otherwise decryption would be ambiguous)
Cryptosystem
Remarks:
4. The cryptosystem is called complete if for every key pair (k_E, k_D) the
function Enc_{k_E} is surjective, i.e. for every cipher text c ∈ 𝒞 there is a
plain text m ∈ 𝒫 such that Enc_{k_E}(m) = c.
Together with the injectivity of Enc_{k_E} (remark above) this implies |𝒫| = |𝒞|.
Cryptosystem
Remarks:
5. Natural requirements:
if k_E1 ≠ k_E2 then Enc_{k_E1} ≠ Enc_{k_E2} (different keys give different encryption functions)
if (k_E, k_D1), (k_E, k_D2) ∈ Key then k_D1 = k_D2 (the decryption key is determined by the encryption key)
6. Let 𝒫 = 𝒞. The key space is called complete if for every bijective
function f: 𝒫 → 𝒞 there exists k_E ∈ 𝒦 such that
Enc_{k_E} = f.
7. Properties 5 and 6 together mean |𝒦| = |𝒫|! (factorial): each of the
|𝒫|! bijections of 𝒫 is realized by exactly one key.
Crypto system
m ∈ 𝒫 plain text, c ∈ 𝒞 cipher text, (k_E, k_D) ∈ Key pair of keys
[Figure: Alice (A) computes c = Enc(k_E, m) and sends c over the open channel; Bob (B) computes m = Dec(k_D, c); Eve (E) observes the channel.]
Cryptosystem
Definition:
The cryptosystem (𝒫, 𝒞, 𝒦, Enc, Dec, Key) is called symmetric if for all
pairs (k_E, k_D) ∈ Key either k_E = k_D or k_D can be computed in
polynomial time from k_E.
Definition:
The cryptosystem (𝒫, 𝒞, 𝒦, Enc, Dec, Key) is called asymmetric if
there is no polynomial-time algorithm that computes k_D from
k_E for the pairs (k_E, k_D) ∈ Key (so k_E can be made public).
Crypto system
Definition:
A (𝒫, ℛ, 𝒞, 𝒦, 𝐸𝑛𝑐, 𝐷𝑒𝑐, 𝐾𝑒𝑦) cryptosystem is called randomized, if
𝐸𝑛𝑐: 𝒦 × 𝒫 × ℛ → 𝒞
and
𝐷𝑒𝑐: 𝒦 × 𝒞 → 𝒫.
The value r ∈ ℛ is chosen at random for each encryption, so the same plain text can yield different cipher texts (needed, e.g., against chosen-plaintext attacks); decryption does not need r.
Steganography
A different way of hiding information: the message is not encrypted, but
its very existence is concealed.
Examples:
- embedding the message in the pixel values of a digital image
- embedding the message in the samples of an audio file
- …
Classical cryptosystems
Crypto systems used before the computer age are called classical (or
historical) cryptosystems.
Not uniquely defined, but approximately: the systems that are easily
broken with computers.
𝒫 = English alphabet
𝒞 = symbols
𝒦 = tables
k_D = k_E, the same table
Enc maps the members of the first row (plain text letters) to the members of the second
row (cipher symbols),
Dec vice versa.
Monoalphabetic, substitutional
Classical cryptosystems
Caesar cipher:
a b c d e f g h i j k l m n o p q r s t u v w x y z
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
k_D = k_E = 10
Plain text: m[1 … 5] = fagyi
Cipher text: c[1 … 5] = pkqis (f = 5 → 15 = p, a = 0 → 10 = k, g = 6 → 16 = q, y = 24 → 34 mod 26 = 8 = i, i = 8 → 18 = s)
Key space: 25 (the trivial shift 0 excluded)
Classical cryptosystems
Affine cipher:
a b c d e f g h i j k l m n o p q r s t u v w x y z
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
𝒫 = 𝒞 = {0, …, 25}
𝒦 = {0, …, 25} × {0, …, 25}
k_E = (α, β) with gcd(α, 26) = 1
k_D = (α^{-1}, β)
c = Enc(k_E, m) = α · m + β mod 26
m = Dec(k_D, c) = α^{-1} · (c − β) mod 26
Monoalphabetic
Classical cryptosystems
Affine cipher:
a b c d e f g h i j k l m n o p q r s t u v w x y z
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
k_E = (5, 3)
k_D = (21, 3), since 5 · 21 = 105 ≡ 1 (mod 26)
Plain text: m[1 … 5] = fagyi
Cipher text: c[1 … 5] = cdhtr
Key space: 12 · 26 = 312 (α must be one of the 12 residues coprime to 26, β is arbitrary)
If k_E = (1, 3), then we get back the Caesar cipher (with shift 3).
Classical cryptosystems
General monoalphabetic cipher (single character):
a b c d e f g h i j k l m n o p q r s t u v w x y z
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
𝒫 = 𝒞 = {0, … , 25}
𝒦 = {𝜋| where 𝜋 is a permutation of 𝒫}
𝑘𝐸 = 𝜋
𝑘𝐷 = 𝜋 −1
c = Enc(k_E, m) = π(m)
m = Dec(k_D, c) = π^{-1}(c)
Classical cryptosystems
General monoalphabetic cipher (single character):
a b c d e f g h i j k l m n o p q r s t u v w x y z
c k p g d t n i s b u y a m e v j z q w x f l o h r
k_E = π, the second row of the table: ckpgdtnisbuyamevjzqwxflohr
k_D = π^{-1}, the inverse of the table: mjaeovdyhqbwngxcszifkptulr
Plain text: m[1 … 5] = fagyi
Cipher text: c[1 … 5] = tcnhs
Key space: 26! ≈ 4 · 10^26
Classical cryptosystems
General permutational cipher:
n ∈ ℕ \ {0}
𝒫 = 𝒞 = {0, …, 25}^n
𝒦 = {π | π is a permutation of {1, 2, …, n}}
k_E = π
k_D = π^{-1}
c[i] = m[π(i)], where i = 1, 2, …, n
m[j] = c[π^{-1}(j)], where j = 1, 2, …, n
Classical cryptosystems
General permutational cipher:
n = 5
k_E = π = 15342 (π(1) = 1, π(2) = 5, π(3) = 3, π(4) = 4, π(5) = 2)
k_D = π^{-1} = 15342 (this π is its own inverse)
Plain text: m[1 … 5] = fagyi
Cipher text: c[1 … 5] = figya (c[2] = m[5] = i, c[5] = m[2] = a, the rest stays in place)
Key space: n!
Classical cryptosystems
General permutational cipher:
n = 16
k_E = k_D
[Figure: a 16-character plain text (the visible letters appear to spell vaníliafagylalt followed by a padding character) written into a grid and read out in permuted order; the grid itself is not recoverable from the extraction.]
Classical cryptosystems
Vigenère cipher:
n > 1 integer (the key length)
𝒫 = 𝒞 = {0, …, 25}
𝒦 = {0, …, 25}^n
k_E = k_D
c = Enc(k_E, m): c_i = m_i + k_E[i mod n] (mod 26)
m = Dec(k_D, c): m_i = c_i − k_D[i mod n] (mod 26)
Key space: |𝒦| = p^n, where p = |𝒫| = 26
Substitutional, polyalphabetic
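The classical ciphers of this section (Caesar, affine, general monoalphabetic substitution, transposition, Vigenère) as working code, added here as an example; it is not code from the lecture. The alphabet indexing a = 0, …, z = 25 and the "fagyi" examples are the slides'; the key-space count for the affine cipher and the known-plaintext key search are additions that illustrate why these systems are "easily attackable by computers".

```python
# Added example (not from the lecture slides): the classical ciphers of this
# section over the 26-letter alphabet, indexed a = 0, ..., z = 25 as on the slides.
# The affine key-space count and the known-plaintext key search are additions.
from math import gcd
import string

ALPHABET = string.ascii_lowercase
MOD = 26


def to_nums(text):
    return [ALPHABET.index(ch) for ch in text]


def to_text(nums):
    return "".join(ALPHABET[n % MOD] for n in nums)


# Caesar cipher: c = m + k (mod 26), k_D = k_E
def caesar_enc(m, k):
    return to_text(x + k for x in to_nums(m))


def caesar_dec(c, k):
    return caesar_enc(c, -k)


# Affine cipher: c = alpha*m + beta (mod 26); alpha must be invertible mod 26
def affine_keys():
    """Every valid k_E = (alpha, beta): 12 choices of alpha coprime to 26, 26 of beta."""
    return [(a, b) for a in range(MOD) for b in range(MOD) if gcd(a, MOD) == 1]


def affine_enc(m, key):
    alpha, beta = key
    if gcd(alpha, MOD) != 1:
        raise ValueError("alpha must be coprime to 26, otherwise Enc is not injective")
    return to_text(alpha * x + beta for x in to_nums(m))


def affine_dec(c, key):
    alpha, beta = key
    inv = pow(alpha, -1, MOD)  # alpha^-1 mod 26, e.g. 5 -> 21
    return to_text(inv * (y - beta) for y in to_nums(c))


def affine_known_plaintext(c, m):
    """Known-plaintext attack: the key space (312 keys) is small enough to try every key."""
    return [k for k in affine_keys() if affine_enc(m, k) == c]


# General monoalphabetic substitution: pi is given as the 26-letter second table row
def mono_enc(m, pi):
    return "".join(pi[ALPHABET.index(ch)] for ch in m)


def mono_inverse(pi):
    return "".join(ALPHABET[pi.index(ch)] for ch in ALPHABET)


def mono_dec(c, pi):
    return mono_enc(c, mono_inverse(pi))


# Transposition (general permutational cipher) on blocks of n letters:
# c[i] = m[pi(i)], pi written as a string of 1-based positions such as "15342"
def perm_enc(m, pi):
    n, p = len(pi), [int(d) - 1 for d in pi]
    if len(m) % n:
        raise ValueError("message length must be a multiple of n")
    return "".join(m[j + p[i]] for j in range(0, len(m), n) for i in range(n))


def perm_inverse(pi):
    inv = [0] * len(pi)
    for i, d in enumerate(pi, 1):
        inv[int(d) - 1] = i
    return "".join(map(str, inv))


def perm_dec(c, pi):
    return perm_enc(c, perm_inverse(pi))


# Vigenère: c_i = m_i + k[i mod n] (mod 26) with a key word k of length n
def vigenere_enc(m, key):
    k = to_nums(key)
    return to_text(x + k[i % len(k)] for i, x in enumerate(to_nums(m)))


def vigenere_dec(c, key):
    k = to_nums(key)
    return to_text(y - k[i % len(k)] for i, y in enumerate(to_nums(c)))
```

`affine_known_plaintext("cdhtr", "fagyi")` returns only `(5, 3)`: a single five-letter known plain text already pins the key down, which is the practical meaning of a 312-element key space.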
Classical cryptosystems
Vernam cipher (One Time Pad, OTP):
n = 10, p = 2 (bit strings of length 10); the key is as long as the message and is used only once
Enc(k, m) = k xor m
Dec(k, c) = k xor c
𝑚 = 0110001010
𝑘 = 1100111010
𝑐 = 1010110000
Classical cryptosystems
ENIGMA
Substitutional, polyalphabetic
cryptosystem.
An electromechanical encryption
and decryption device, developed
in Germany for military use.
After pressing a key, the rotors
stepped to a new position and, with
the preset wiring and settings (the encryption key),
one of the lamps lit up; hence
the cipher text could be read off letter by letter.
Classical cryptosystems
ENIGMA
The first versions were broken by
Polish code breakers.
The later models were broken
by a British code breaker team
(at Bletchley Park, during the war) in which
A. Turing participated.
They exploited the security gaps of
the system (e.g. a letter is never encrypted to itself, and procedural errors of the operators).
(Movie: The Imitation Game)
Security objectives
NIST (National Institute of Standards and Technology)
It publishes standards and recommendations.
NIST Special Publication series 800: computer and cyber security
NIST Special Publication 800-33 (December 2001):
Underlying Technical Models for Information Technology Security
Some of the recommendations became outdated.
Withdrawn: August 1, 2018 (together with 10 related
publications)
However, the security objectives it explains are still valid.
Security objectives
1. Availability: system and data
The systems work promptly and service is not denied to authorized users.
Protects against:
a) intentional or accidental attempts to either
- perform unauthorized deletion of data, or
- otherwise cause a denial of service or of data;
b) attempts to use the system or data for unauthorized purposes.
[Frequently the most important security objective.]
2. Integrity: system and data
a) data integrity (the data has not been altered in an unauthorized manner while in storage,
during processing, or while in transit);
b) system integrity (the system performs its intended function in an unimpaired
manner, free from unauthorized manipulation).
The five security objectives of NIST SP 800-33 (from the slide's figure):
Confidentiality, Integrity, Availability, Accountability, Assurance.
Security objectives
Levels of security objectives and security violations
Lower-level security objectives are cheaper to implement, but
less secure and easier to attack.
The less important components of the system may have a lower security
level, but the design must be done carefully: the whole system can
be attacked through a weak point.
Security objectives
Levels of security violations
Low: limited effect on the organization or entity. The main functions
of the organization are still available. Small damage or loss of income;
minor harm to individuals.
e.g. The internal phone book of an enterprise is disclosed. An outdated e-mail
is deleted. The controller of an air-conditioning system is shut down.
Medium: serious effect on the organization or entity. The damage or
loss is significant; the organization can still operate, but with reduced efficiency.
e.g. The payroll of an enterprise is disclosed. An order to sell some shares is changed to buy.
High: fatal effect on the organization or entity. The damage is
catastrophic, the organization cannot operate; critical harm to an individual.
e.g. Contracts, secret recipes or technology are disclosed. The control
system of an aircraft stops.
Security objectives
Authenticity
Discussed in NIST SP 800-33 as part of integrity and accountability; nowadays it is treated as a separate objective.
1. Entity authentication (e.g. user authentication): the verification of
the identity of the entity.
2. Data authentication (data origin authentication): the confirmation of the origin and integrity of the
data.
Security attacks
Intentional violation of security objectives.
Passive attack:
Confidentiality may be violated.
The attacker may eavesdrop on or analyze communication channels.
Hard to detect: nothing in the system changes.
Active attack:
Every objective may be violated.
The intruder may modify the system or the data. Messages can be
deleted or modified, or fake messages can be created. Authenticity
can be violated, system availability can be blocked.
Easier to detect, but more difficult to defend against (there are several ways to
attack).
Security attacks
Passive attack:
Typically affects communication.
e.g.
Obtaining the content of a message by eavesdropping on the channel.
Traffic analysis: the attacker observes the patterns, formats, frequency,
source, sender or target of the messages. These side effects
reveal some information about the messages even when their content is encrypted.
Security attacks
Active attack:
May intervene at several points of the system; the communication is not
necessarily the target. Erasing data, planting fake information or assuming a fake identity
may be the objective.
e.g.
Modification of the content of a message.
Replaying a message.
Delaying a message.
Generating a fake message.
Deleting data.
Creating a false identity (impersonation).
Denial of service attack (DoS).
Security attacks
Special attacks against cryptosystems
The attacker may want to decrypt a particular message or to break the
whole system by obtaining the secret key.
Security attacks
Special attacks against cryptosystems
Kerckhoffs's principle: a cryptosystem should be secure even if everything
about the system, except the key, is public knowledge.
(Auguste Kerckhoffs, 1883)
Security obtained by hiding the algorithms ("security through obscurity") is dangerous:
in a small, closed deployment hiding the algorithm may add some security,
but with massive usage it is impossible to keep the algorithm secret;
the errors of hidden algorithms are more difficult to find and correct;
the algorithm can be decompiled from the implementation;
the weaknesses and errors of an open system are recognized and
corrected faster.
Security attacks
Special attacks against cryptosystems
Ciphertext Only Attack
The attacker knows only several cipher texts encrypted with the same key:
Enc(k, m_1), …, Enc(k, m_n)
Security attacks
Special attacks against cryptosystems
Known Plaintext Attack
The attacker knows several plain text – cipher text pairs
encrypted with the same key:
(m_1, Enc(k, m_1)), …, (m_n, Enc(k, m_n))
Security attacks
Special attacks against cryptosystems
Chosen Plaintext Attack
The attacker obtains several plain text – cipher text pairs
encrypted with the same key, where the plain texts are chosen by the attacker:
(m_1, Enc(k, m_1)), …, (m_n, Enc(k, m_n))
a. Non-adaptive:
the attacker determines all plain texts in advance
b. Adaptive:
the attacker chooses each plain text after receiving the
previous cipher text.
Security attacks
Special attacks against cryptosystems
Chosen Ciphertext Attack
The attacker obtains several cipher text – plain text pairs
decrypted with the same key, where the cipher texts are chosen by the attacker:
(c_1, Dec(k, c_1)), …, (c_n, Dec(k, c_n))
a. Non-adaptive:
the attacker determines all cipher texts in advance
b. Adaptive:
the attacker chooses each cipher text after receiving the
previous plain text.
Cryptographic schemes
Cryptographic primitives: algorithms for particular security purposes
(e.g. encryption, decryption, digital signature, hash, message
authentication).
Cryptographic protocols: a complete description, with several participants, of a computation
based on cryptographic primitives; the computations and message
transmissions are precisely specified (e.g. key exchange,
authentication, secret sharing).
Cryptographic scheme: a collection of cryptographic primitives and
protocols.
Terms
Not precise definitions, but the most frequently used interpretations:
Cryptography
The science of key-based encryption techniques
Cryptanalysis
The science of analysing, attacking and breaking key-based encryption
techniques
Cryptology
Cryptography + Cryptanalysis
Modern symmetric cryptosystems
Stream ciphers
Plain text: M = m_1 m_2 m_3 … m_n ∈ {0,1}^n
Key: k_E ∈ {0,1}^l
Key generator: G: {0,1}^l → {0,1}^∞
K = G(k_E) = k_1 k_2 k_3 … (the keystream)
Cipher text: C = c_1 c_2 c_3 … c_n ∈ {0,1}^n
c_i = m_i ⊕ k_i, where ⊕ is addition mod 2 (xor); decryption: m_i = c_i ⊕ k_i
Modern symmetric cryptosystems
Stream ciphers
[Figure: encryption: M = m_1 m_2 m_3 m_4 … is xored bitwise with the keystream k_1 k_2 k_3 k_4 … = G(k_E), giving C = c_1 c_2 c_3 c_4 …; decryption: the same keystream G(k_E) xored with C gives back M. Per bit: k_E → G → k_i; c_i = m_i ⊕ k_i, m_i = c_i ⊕ k_i.]
Modern symmetric cryptosystems
Block ciphers
DES (Data Encryption Standard) and variants
AES (Advanced Encryption Standard)
…
Plain text: M = m_1 m_2 m_3 …, the message split into n-bit blocks
m_i ∈ {0,1}^n, where i = 1, 2, 3, …
Key: k_E ∈ {0,1}^l (DES: n = 64, l = 56; AES: n = 128, l = 128, 192 or 256)
Cipher text: C = c_1 c_2 c_3 …
c_i = Enc(k_E, m_i)
Modern symmetric cryptosystems
Block ciphers
[Figure: m_i → Enc (key k_E) → c_i → Dec (key k_D) → m_i]
Stream ciphers
Key generator: G: {0,1}^l → {0,1}^∞
G(k_E) = k_1 k_2 k_3 …
The values k_i must be hard to guess.
G: pseudo random number generator
Most common form: a recurrence
G: {0,1}^l × {0,1}^{s·t} → {0,1}^s,
where l, s, t ≥ 1,
l is the size of the key,
s is the size of k_i,
t is the order of the recurrence (k_i is computed from the key and the previous t values k_{i−t}, …, k_{i−1}).
Stream ciphers, pseudo random number generators
Linear Feedback Shift Register (LFSR)
k_i = a_{l−1} k_{i−1} ⊕ a_{l−2} k_{i−2} ⊕ ⋯ ⊕ a_0 k_{i−l}
Otherwise written:
k_i = a_{l−1} k_{i−1} + a_{l−2} k_{i−2} + ⋯ + a_0 k_{i−l} (mod 2)
E.g. (l = 4)
a_0 = 1, a_1 = 0, a_2 = 1, a_3 = 1,
k_0 = 0, k_1 = 0, k_2 = 0, k_3 = 1.
K = 0,0,0,1,1,0,1,0,0,0,1,1,0,1,0,0, …
Periodic, period length 7 (the maximum for l = 4 would be 2^l − 1 = 15; the feedback polynomial x^4 + x^3 + x^2 + 1 of this example is not primitive)
Not uniformly distributed (4 zeros and 3 ones per period), not suitable
Stream ciphers, pseudo random number generators
Linear Feedback Shift Register (LFSR)
E.g. (l = 5)
a_0 = 1, a_1 = 1, a_2 = 1, a_3 = 0, a_4 = 0,
k_0 = 0, k_1 = 0, k_2 = 0, k_3 = 0, k_4 = 1.
K = 0, 0, 0, 0, 1, 0, 0, 1, 1, 1, 1, 0, 1, 1, 0, 0, 0, 0, 1, 0, 0, 1, …
Periodic, period length 14 (k_14 … k_18 = 0,0,0,0,1 = k_0 … k_4 again)
Balanced (7 zeros and 7 ones per period): statistically better.
Caveat: no LFSR on its own is a suitable keystream generator. The recurrence is linear, so 2·l consecutive keystream bits (obtained from a known plain text) determine the feedback coefficients (Berlekamp-Massey algorithm), after which the whole keystream can be reproduced. LFSRs are only used as components combined with non-linear functions.
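The two LFSRs above, the stream-cipher xor of the previous section, and the known-plaintext attack against the combination, as an added example (not code from the lecture). The Berlekamp-Massey routine finds the shortest LFSR that produces a given bit sequence; fed the first 2·l keystream bits (recovered by xoring 2·l known plain text bits with the cipher text) it returns the secret taps, after which the attacker regenerates the whole keystream. The 40-bit message and the choice of the slide's second LFSR as the "secret" key are constructed for the demo.

```python
# Added example (not from the lecture): the LFSR keystream generator of the
# slides, a stream cipher that xors it onto the message, and the known-plaintext
# attack on it: Berlekamp-Massey recovers the feedback taps from 2*l keystream
# bits, after which the attacker regenerates the whole keystream.
# The message bits and the "secret" taps in demo() are constructed for the demo.


def lfsr(taps, state, count):
    """Keystream k_0, k_1, ... with k_i = a_{l-1} k_{i-1} xor ... xor a_0 k_{i-l}.
    taps = [a_0, ..., a_{l-1}], state = [k_0, ..., k_{l-1}] (slide notation)."""
    l = len(taps)
    bits = list(state)
    while len(bits) < count:
        nxt = 0
        for j in range(l):                      # a_{l-1} k_{i-1}, ..., a_0 k_{i-l}
            nxt ^= taps[l - 1 - j] & bits[-1 - j]
        bits.append(nxt)
    return bits[:count]


def period(taps, state):
    """Smallest p > 0 with k_{i+p} = k_i; the l-bit state recurs within 2^l steps."""
    l = len(state)
    bits = lfsr(taps, state, 2 ** l + l)
    for p in range(1, 2 ** l + 1):
        if bits[p:p + l] == list(state):
            return p
    return None


def berlekamp_massey(s):
    """Shortest LFSR generating the bit sequence s over GF(2).
    Returns (L, c) with c[0] = 1 and s_i = c[1] s_{i-1} xor ... xor c[L] s_{i-L}."""
    n = len(s)
    c, b = [1] + [0] * n, [1] + [0] * n
    L, m = 0, -1
    for i in range(n):
        d = s[i]
        for j in range(1, L + 1):
            d ^= c[j] & s[i - j]
        if d:                                   # discrepancy: correct c with shifted b
            t = c[:]
            shift = i - m
            for j in range(n + 1 - shift):
                c[j + shift] ^= b[j]
            if 2 * L <= i:
                L, m, b = i + 1 - L, i, t
    return L, c[:L + 1]


def xor_bits(a, b):
    return [x ^ y for x, y in zip(a, b)]


def stream_encrypt(taps, state, message_bits):
    return xor_bits(message_bits, lfsr(taps, state, len(message_bits)))


def known_plaintext_attack(known_plain, cipher):
    """The attacker knows the first len(known_plain) message bits behind cipher.
    Returns (recovered taps, recovered initial state, recovered full plain text)."""
    keystream_prefix = xor_bits(known_plain, cipher)
    L, c = berlekamp_massey(keystream_prefix)
    taps = c[1:][::-1]                          # c[L], ..., c[1]  ->  a_0, ..., a_{l-1}
    state = keystream_prefix[:L]
    plain = xor_bits(cipher, lfsr(taps, state, len(cipher)))
    return taps, state, plain


def demo():
    """Break the slide's second LFSR (l = 5) knowing only 10 = 2*l plain text bits."""
    taps, state = [1, 1, 1, 0, 0], [0, 0, 0, 0, 1]   # secret key (slide example 2)
    message = [(i * 7 + 3) % 5 % 2 for i in range(40)]  # constructed 40-bit message
    cipher = stream_encrypt(taps, state, message)
    rec_taps, rec_state, rec_plain = known_plaintext_attack(message[:10], cipher)
    return rec_taps, rec_state, rec_plain == message


if __name__ == "__main__":
    print("period of example 1:", period([1, 0, 1, 1], [0, 0, 0, 1]))
    print("period of example 2:", period([1, 1, 1, 0, 0], [0, 0, 0, 0, 1]))
    print("taps, state, plaintext recovered:", demo())
```

The attack needs nothing but linearity: it works identically for the "unsuitable" first example and the "balanced" second one, which is why statistical quality of the keystream says nothing about cryptographic strength.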
Stream ciphers, pseudo random number generators
Linear Recurrence Sequence (LRS), linear congruential generator
The generalization of LFSR to larger moduli.
E.g. C/C++ rand() (one common implementation):
a = 31835, b = 1906,
k_0 = 41,
k_i = a · k_{i−1} + b mod 2^15, if i > 0.
Periodic, period length 2^15
Uniformly distributed, suitable for simple applications (simulations) only: the next value is a fixed linear function of the previous one, so one observed output reveals the whole sequence. Not suitable for keys or keystreams.
Stream ciphers, pseudo random number generators
Blum-Blum-Shub generator (BBS, 1986.):
Let p, q be two carefully chosen large primes, m = p · q and
a_0 such that gcd(a_0, m) = 1. Then
a_i = a_{i−1}^2 mod m, for i > 0.
k_i = a_i mod 2 (the least significant bit; or e.g. the parity of the bits of a_i)
Assumptions: p ≡ 3 (mod 4), q ≡ 3 (mod 4), p and q not too close to each
other, …
Uniformly distributed, suitable.
Predicting the next bit from the previous ones is as hard as factoring m
(exponential time in the size of m with the known algorithms). Periodic with a large period (of the order of p · q) if gcd(p − 1, q − 1) is
small.
Stream ciphers, pseudo random number generators
Blum-Blum-Shub generator (BBS, 1986.):
E.g.
Let p = 7, q = 11, a_0 = 8 (gcd(8, 77) = 1). Then m = 77,
the generated sequence:
a_0 = 8
a_1 ≡ 8^2 ≡ 64 (mod 77)
a_2 ≡ 64^2 ≡ 15 (mod 77)
a_3 ≡ 15^2 ≡ 71 (mod 77)
…
…
Stream ciphers, pseudo random number generators
Blum-Blum-Shub generator (BBS, 1986.):
E.g. (continued)
i:            0   1   2   3   4   5   6   7   8
a_i:          8  64  15  71  36  64  15  71  36
a_i mod 2:    0   0   1   1   0   0   1   1   0
parity(a_i):  1   1   0   0   0   1   0   0   0
(with such a small m the sequence cycles after 4 steps: a toy example only)
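The BBS generator with the slide's toy parameters, as an added example (not lecture code). It reproduces the table above under both output rules (least significant bit and bit parity), enforces the p ≡ q ≡ 3 (mod 4) and gcd(a_0, m) = 1 conditions, and measures the cycle length, which for m = 77 is only 4.

```python
# Added example (not from the lecture): the Blum-Blum-Shub generator with the
# slide's toy parameters p = 7, q = 11, a_0 = 8, both output rules from the
# slide (least significant bit, parity of the bits of a_i) and a cycle check.
from math import gcd


def bbs_values(p, q, seed, count):
    """a_0 = seed, a_i = a_{i-1}^2 mod (p*q); returns [a_0, ..., a_{count-1}]."""
    if p % 4 != 3 or q % 4 != 3:
        raise ValueError("p and q must be Blum primes, i.e. congruent to 3 mod 4")
    m = p * q
    if gcd(seed, m) != 1:
        raise ValueError("seed must be coprime to m")
    values, a = [], seed
    for _ in range(count):
        values.append(a)
        a = a * a % m
    return values


def lsb_bits(values):
    return [a & 1 for a in values]                      # k_i = a_i mod 2


def parity_bits(values):
    return [bin(a).count("1") & 1 for a in values]      # parity of the bits of a_i


def cycle_length(p, q, seed):
    """Length of the cycle the sequence falls into (after a possible pre-period)."""
    m = p * q
    seen, a, i = {}, seed, 0
    while a not in seen:
        seen[a] = i
        a, i = a * a % m, i + 1
    return i - seen[a]


if __name__ == "__main__":
    vals = bbs_values(7, 11, 8, 9)
    print("a_i      :", vals)
    print("a_i mod 2:", lsb_bits(vals))
    print("parity   :", parity_bits(vals))
    print("cycle length for m = 77:", cycle_length(7, 11, 8))
```

In a real deployment p and q are secret primes of hundreds of digits; anyone who can factor m can run the same loop and predict every bit, which is exactly the security reduction the slide refers to.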
Stream ciphers, pseudo random number generators
Mersenne twister (MT; Matsumoto, Nishimura, 1997):
Most common: MT19937 (C++ std::mt19937)
+ Good performance on most statistical tests.
+ Large period length (e.g. MT19937 → 2^19937 − 1)
+ Relatively fast (compared to other generators with similar properties)
– Relatively large memory requirement
– Relatively slow (compared to simpler generators)
– Slow initialization
– Bad cryptographic properties: the recurrence is linear over GF(2), so 624 consecutive 32-bit outputs reveal the internal state and thus every later output (→ LRS); the cryptographic variant is CryptMT
Stream ciphers, RC4
RC4 (Rivest, 1987)
Keystream generated from a key-dependent permutation of 256 bytes.
Period length > 10^100
Very fast (8–16 machine instructions per byte)
Cryptanalysis
Several published methods for trying to break it: not significant at the time
One exception (Fluhrer, Mantin, Shamir, 2001):
a critical attack against WEP (confidentiality);
the problem was not RC4 itself but the key distribution: the per-packet key is the public IV concatenated with the fixed secret key, and the first keystream bytes leak information about such keys.
It does not appear in other systems that use RC4 differently.
Later work (2013–2015) found exploitable biases in the RC4 keystream itself; RC4 is now prohibited in TLS (RFC 7465) and should not be used.
DES (Data Encryption Standard)
H. Feistel (IBM, 1972) → LUCIFER (128-bit key)
National Bureau of Standards (NBS → NIST):
request for proposals for a national cipher standard for
governmental data.
1977: after some modifications (S-boxes changed, key shortened to 56 bits), published as
Federal Information Processing Standard FIPS 46
- more secure against differential cryptanalysis
- weaker against brute force (trial) attacks
(computers were not as strong then as they are now)
DES (Data Encryption Standard)
The key size (56 bits) is too small for present computer capacity.
1998: the first public break (EFF "Deep Crack", a purpose-built machine, in about 56 hours)
1999: 22 h 15 m (Deep Crack together with distributed.net)
2006: COPACOBANA (Cost-Optimized Parallel Code Breaker, FPGA based),
< 10 000 $, approx. 8.7 days on average
Initialization, finalization:
IP: 𝒫 → 𝒫 Initial Permutation
FP: 𝒫 → 𝒫 Final Permutation
FP = IP^{-1} (they only reorder bits and add no security)
DES (Data Encryption Standard)
Feistel network (F. structure, F. ladder):
[Figure: m (64 bits) → IP → L_0 (32 bits) ‖ R_0 (32 bits); in round i the 48-bit round key sk_i enters the function F; after 16 rounds the halves are swapped and FP is applied.]
IP(m) = L_0 R_0
L_i = R_{i−1}
R_i = L_{i−1} ⊕ F(sk_i, R_{i−1}), i = 1, …, 16
c = FP(R_16 L_16)
DES (Data Encryption Standard)
Decryption (DES^{-1}): the same network with the round keys in reverse order sk_16, …, sk_1.
IP(c) = R_16 L_16
R_{i−1} = L_i
L_{i−1} = R_i ⊕ F(sk_i, L_i) (the xor with F cancels, so F itself need not be invertible)
m = FP(L_0 R_0) = FP(IP(m))
DES (Data Encryption Standard)
Feistel function
[Figure: R_i (32 bits) → E → 48 bits → ⊕ sk_i (48 bits) → S_1 S_2 S_3 S_4 S_5 S_6 S_7 S_8 (8 × 6 bits → 8 × 4 bits) → 32 bits → P → 32 bits]
DES (Data Encryption Standard)
Feistel function
𝒦_s = {0,1}^48
F: 𝒦_s × {0,1}^32 → {0,1}^32
Expansion: E: {0,1}^32 → {0,1}^48 (output bit j is input bit E[j]):
32  1  2  3  4  5
 4  5  6  7  8  9
 8  9 10 11 12 13
12 13 14 15 16 17
16 17 18 19 20 21
20 21 22 23 24 25
24 25 26 27 28 29
28 29 30 31 32  1
Each 4-bit input group is extended with its two neighbouring bits:
input  1 2 3 4 | 5 6 7 8 | … | 25 26 27 28 | 29 30 31 32
output 32 1 2 3 4 5 | 4 5 6 7 8 9 | … | 24 25 26 27 28 29 | 28 29 30 31 32 1
DES (Data Encryption Standard)
Feistel function
Permutation: P: {0,1}^32 → {0,1}^32 (output bit j is input bit P[j]):
16 7 20 21 29 12 28 17
1 15 23 26 5 18 31 10
2 8 24 14 32 27 3 9
19 13 30 6 22 11 4 25
DES (Data Encryption Standard)
Feistel function
S-box: S_i: {0,1}^6 → {0,1}^4, i = 1 … 8
Substitution tables.
a = a_1 a_2 … a_5 a_6; row index b_1 = a_1 a_6 (2 bits), column index b_2 = a_2 … a_5 (4 bits)
S_1(a) = S_1[b_1, b_2]
e.g. S_1(101101) = S_1[11, 0110] = S_1[3, 6] = 1 = 0001
𝑆1 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
0 14 4 13 1 2 15 11 8 3 10 6 12 5 9 0 7
1 0 15 7 4 14 2 13 1 10 6 12 11 9 5 3 8
2 4 1 14 8 13 6 2 11 15 12 9 7 3 10 5 0
3 15 12 8 2 4 9 1 7 5 11 3 14 10 0 6 13
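The DES Feistel function built from the tables on the slides (E, S_1, P), and the Feistel network from the earlier slide, as an added example (not lecture code). Since only S_1 appears on the slides, S_1 is reused in all eight S-box positions; that is an assumption that makes the network DES-shaped but not real DES. The point it demonstrates is structural: decryption is the same network run with the round keys reversed, and F is never inverted. The 64-bit block and the 16 round keys in `demo_roundtrip` are constructed values, not a DES key schedule.

```python
# Added example (not from the lecture): the building blocks of the DES Feistel
# function from the slides (E expansion, S-box S_1, permutation P) and a generic
# Feistel network showing that decryption is the same network with the round keys
# reversed. Only S_1 appears on the slides, so S_1 stands in for all eight S-boxes
# here (assumption); the network is therefore DES-shaped but NOT real DES.

E_TABLE = [32, 1, 2, 3, 4, 5, 4, 5, 6, 7, 8, 9,
           8, 9, 10, 11, 12, 13, 12, 13, 14, 15, 16, 17,
           16, 17, 18, 19, 20, 21, 20, 21, 22, 23, 24, 25,
           24, 25, 26, 27, 28, 29, 28, 29, 30, 31, 32, 1]
P_TABLE = [16, 7, 20, 21, 29, 12, 28, 17, 1, 15, 23, 26, 5, 18, 31, 10,
           2, 8, 24, 14, 32, 27, 3, 9, 19, 13, 30, 6, 22, 11, 4, 25]
S1 = [[14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
      [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
      [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
      [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13]]


def to_bits(value, width):
    return [(value >> (width - 1 - i)) & 1 for i in range(width)]


def to_int(bits):
    value = 0
    for b in bits:
        value = (value << 1) | b
    return value


def permute(bits, table):
    """Output bit j is input bit table[j] (1-based positions, DES convention)."""
    return [bits[i - 1] for i in table]


def sbox(box, six):
    """six = [a1..a6]; row = a1 a6 (2 bits), column = a2 a3 a4 a5 (4 bits)."""
    row = (six[0] << 1) | six[5]
    col = to_int(six[1:5])
    return to_bits(box[row][col], 4)


def feistel_f(right32, subkey48, boxes=(S1,) * 8):
    x = permute(right32, E_TABLE)                        # 32 -> 48 bits
    x = [a ^ b for a, b in zip(x, subkey48)]             # xor with the 48-bit round key
    y = []
    for i, box in enumerate(boxes):                      # 8 x (6 -> 4) = 32 bits
        y += sbox(box, x[6 * i:6 * i + 6])
    return permute(y, P_TABLE)                           # 32 -> 32 bits


def feistel_encrypt(block64, subkeys):
    """L_i = R_{i-1}, R_i = L_{i-1} xor F(sk_i, R_{i-1}); output R_n L_n (IP/FP omitted)."""
    left, right = block64[:32], block64[32:]
    for sk in subkeys:
        left, right = right, [a ^ b for a, b in zip(left, feistel_f(right, sk))]
    return right + left


def feistel_decrypt(block64, subkeys):
    """Same network, round keys in reverse order; F itself is never inverted."""
    return feistel_encrypt(block64, subkeys[::-1])


def demo_roundtrip():
    # constructed 64-bit block and 16 constructed 48-bit round keys (not a DES key schedule)
    block = to_bits(0x0123456789ABCDEF, 64)
    subkeys = [to_bits((i * 0x9E3779B97F4A7C15) % 2 ** 48, 48) for i in range(1, 17)]
    cipher = feistel_encrypt(block, subkeys)
    return to_int(cipher), to_int(feistel_decrypt(cipher, subkeys))


if __name__ == "__main__":
    print("S1(101101) =", to_int(sbox(S1, [1, 0, 1, 1, 0, 1])))
    c, m = demo_roundtrip()
    print(f"cipher {c:016x}, decrypted {m:016x}")
```

Swapping `boxes` for the eight real DES S-boxes and feeding `feistel_encrypt` the output of the real key schedule (with IP before and FP after) turns this into DES proper; nothing else in the structure changes.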
DES (Data Encryption Standard)
Key generator: G: 𝒦 → 𝒦_s^16, k_E (64 bits) ↦ (sk_1, …, sk_16), each sk_i 48 bits
PC1: 𝒦 → {0,1}^28 × {0,1}^28 (every 8th bit of the key, the parity bits, is eliminated: 64 → 56 bits, split into the halves C_0 and D_0)
PC2: {0,1}^56 → {0,1}^48
Round i: C_i = C_{i−1} ≪ r_i, D_i = D_{i−1} ≪ r_i (left rotation of both 28-bit halves), sk_i = PC2(C_i D_i)
[Figure: k_E (64) → PC1 → 28 ‖ 28 → (≪, ≪) → PC2 → sk_1 (48); (≪, ≪) → PC2 → sk_2 (48); … ; (≪, ≪) → PC2 → sk_16 (48)]
PC1 (the slide shows the D half, rows 5–8; rows 1–4 for the C half are the standard FIPS 46-3 values):
57 49 41 33 25 17  9
 1 58 50 42 34 26 18
10  2 59 51 43 35 27
19 11  3 60 52 44 36
63 55 47 39 31 23 15
 7 62 54 46 38 30 22
14  6 61 53 45 37 29
21 13  5 28 20 12  4
PC2:
14 17 11 24  1  5  3 28
15  6 21 10 23 19 12  4
26  8 16  7 27 20 13  2
41 52 31 37 47 55 30 40
51 45 33 48 44 49 39 56
34 53 46 42 50 36 29 32
Rotation r_i per round:
round: 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
r_i:   1 1 2 2 2 2 2 2 1  2  2  2  2  2  2  1
Sum of rotation positions: 28, so C_16 = C_0 and D_16 = D_0.
DES Cryptanalysis
Analysis of DES produced a lot of knowledge about symmetric cryptosystems.
Avalanche effect:
a small change in the plain text (or key) → a large change in the cipher text
Brute force: still the most efficient attack in practice
Possible weak point: S-boxes – no publicly known weakness,
but some patterns and unexpected properties;
the design criteria were kept secret at the time (Coppersmith published them in 1994: the S-boxes were chosen to resist differential cryptanalysis)
DES Cryptanalysis
Differential cryptanalysis (DCA):
it was considered during the design (although the first public results
are from 1990, Biham and Shamir),
S-boxes and permutations were designed against DCA
DCA: observes pairs of messages with a chosen difference and follows how
the difference propagates through the rounds.
2^56 key trials → 2^47 chosen plain texts
Linear cryptanalysis (Matsui, 1993):
more recent
The round transformations are approximated by linear functions.
2^47 → 2^43 known plain texts
3DES
Idea: repeat the encryption with different keys → bigger key
Doubling (2DES) was found weak: a meet-in-the-middle attack with known plain text costs about 2^57 operations (and 2^56 memory), not 2^112.
Repeat 3 times with 2 keys: Enc(k1, Enc(k2, Enc(k1, m)))
112-bit key, but meet-in-the-middle attacks reduce the effective strength
Repeat 3 times with 2 keys, middle step reversed (EDE):
Enc(k1, Dec(k2, Enc(k1, m)))
same strength, but with k1 = k2 it degrades to single DES, so 3DES hardware can interoperate with DES (backward compatibility); still not secure enough
Repeat 3 times with 3 keys:
Enc(k3, Enc(k2, Enc(k1, m))) (the standard TDEA uses EDE here as well)
168-bit key, effective strength about 112 bits against meet-in-the-middle: acceptable security
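Why "doubling" buys almost nothing, as an added example (not lecture code): a constructed 16-bit toy block cipher with a 16-bit key stands in for DES. Double encryption nominally has a 32-bit key, but the meet-in-the-middle attack recovers it with about 2 · 2^16 cipher operations plus a lookup table, which is the same idea as the 2^57 attack on 2DES. The toy cipher, the secret keys and the known plain texts are all constructed for the demo.

```python
# Added example (not from the lecture): why "doubling" a cipher is weak.
# A constructed 16-bit toy block cipher with a 16-bit key stands in for DES;
# double encryption has a 32-bit key, but the meet-in-the-middle attack finds
# it with about 2 * 2^16 cipher operations instead of 2^32 (the same idea as
# the 2^57 attack on 2DES).
A, A_INV = 0x9E37, pow(0x9E37, -1, 1 << 16)   # odd multiplier, invertible mod 2^16
MASK = 0xFFFF


def rot(x, n):
    return ((x << n) | (x >> (16 - n))) & MASK


def toy_enc(k, m):
    """Toy 16-bit block cipher (constructed for the demo, not a real cipher)."""
    x = (m ^ k) & MASK
    x = (x * A + 0x79B9) & MASK
    x = rot(x, 5)
    return x ^ rot(k, 7)


def toy_dec(k, c):
    x = c ^ rot(k, 7)
    x = rot(x, 11)                               # undo rot(x, 5)
    x = ((x - 0x79B9) * A_INV) & MASK            # undo the affine step
    return x ^ k


def double_enc(k1, k2, m):
    return toy_enc(k2, toy_enc(k1, m))


def meet_in_the_middle(pairs):
    """pairs: known (m, c) pairs under the same (k1, k2). Returns all consistent keys."""
    m0, c0 = pairs[0]
    middle = {}                                   # Enc(k1, m0) -> [k1, ...]
    for k1 in range(1 << 16):                     # 2^16 encryptions
        middle.setdefault(toy_enc(k1, m0), []).append(k1)
    candidates = []
    for k2 in range(1 << 16):                     # 2^16 decryptions + table lookups
        for k1 in middle.get(toy_dec(k2, c0), ()):
            candidates.append((k1, k2))
    # each further known pair removes a false match with probability about 1 - 2^-16
    return [(k1, k2) for k1, k2 in candidates
            if all(double_enc(k1, k2, m) == c for m, c in pairs[1:])]


def demo():
    k1, k2 = 0x1234, 0xBEEF                       # secret keys (constructed)
    messages = [0x0001, 0x4242, 0xC0DE, 0x7F00]   # known plain texts (constructed)
    pairs = [(m, double_enc(k1, k2, m)) for m in messages]
    return meet_in_the_middle(pairs)


if __name__ == "__main__":
    print("recovered keys:", [(hex(a), hex(b)) for a, b in demo()])
```

Scaling the same loop to DES gives 2^56 encryptions, 2^56 decryptions and a 2^56-entry table: far below the 2^112 brute force that the doubled key size suggests, which is why the triple construction was needed.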
3DES
Multi-dimensional meet-in-the-middle attacks still reduce the strength below the nominal key size
Not recommended to use:
NIST SP 800-131A Revision 1 (2015) deprecated 3DES; Revision 2 (2019) allows encryption with it only until the end of 2023 (decryption of legacy data remains allowed)
3DES
3DES with 3 different keys:
Enc(k3, Enc(k2, Enc(k1, m)))
restriction: at most 2^20 64-bit blocks (8 MB) encrypted under the same key (NIST SP 800-67)
Birthday paradox → Sweet32 attack (2016) on 64-bit block ciphers:
after about 2^32 blocks, i.e. 32 GB of data, a repeated cipher text block is expected, and in CBC mode a repeated block reveals the xor of two plain text blocks
NIST: 3DES is not recommended for TLS (Transport Layer Security), IPsec
(Internet Protocol Security), SSH, OpenVPN and other protocols (e.g.
3G communication).
In the Sweet32 demonstration, observing approx. 785 GB of traffic (generated e.g. by a malicious script or malware in the victim's browser) was enough to recover a session cookie.
Recommended: change to AES as soon as possible.
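The numbers behind the 2^20-block limit and the "32 GB" figure, and the CBC collision leak that Sweet32 exploits, as an added example (not lecture code). The birthday functions compute the bound for any block size; the simulation uses a constructed toy block size with a random permutation in place of the block cipher, and checks that a repeated cipher text block really gives away m_i ⊕ m_j. The plain text blocks are generated for the demo.

```python
# Added example (not from the lecture): the birthday bound behind the 2^20-block
# limit and the "32 GB" Sweet32 figure for 64-bit blocks, and a simulation of the
# CBC collision leak with a constructed toy block size (a random permutation
# stands in for the block cipher; the plain text blocks are generated for the demo).
import math
import random


def birthday_blocks(block_bits):
    """About 2^(n/2) encrypted blocks give a ~39% chance of a repeated cipher block."""
    return 2 ** (block_bits // 2)


def birthday_bytes(block_bits):
    return birthday_blocks(block_bits) * (block_bits // 8)


def collision_probability(block_bits, num_blocks):
    """P(some two of num_blocks n-bit cipher blocks coincide), birthday approximation."""
    return 1 - math.exp(-num_blocks * (num_blocks - 1) / (2 * 2 ** block_bits))


def cbc_collision_leak(block_bits, plaintext_blocks, seed=1):
    """CBC: c_i = E(m_i xor c_{i-1}), c_0 = IV. A collision c_i = c_j implies
    m_i xor c_{i-1} = m_j xor c_{j-1}, i.e. m_i xor m_j = c_{i-1} xor c_{j-1},
    which the attacker reads off the cipher text. Returns (i, j, m_i xor m_j) or None."""
    rng = random.Random(seed)
    perm = list(range(2 ** block_bits))        # random permutation = ideal block cipher
    rng.shuffle(perm)
    cipher = [rng.randrange(2 ** block_bits)]  # c_0 = IV
    seen = {}
    for i, m in enumerate(plaintext_blocks, 1):
        c = perm[m ^ cipher[i - 1]]
        cipher.append(c)
        if c in seen:
            j = seen[c]
            return i, j, cipher[i - 1] ^ cipher[j - 1]
        seen[c] = i
    return None


def demo(block_bits=16, num_blocks=2000):
    """Encrypt 2000 toy blocks (far beyond the toy birthday bound of 2^8) and verify the leak."""
    rng = random.Random(7)
    plain = [rng.randrange(2 ** block_bits) for _ in range(num_blocks)]
    hit = cbc_collision_leak(block_bits, plain)
    if hit is None:
        return None
    i, j, leaked = hit
    return leaked == (plain[i - 1] ^ plain[j - 1]), i, j


if __name__ == "__main__":
    print("64-bit blocks: birthday bound after", birthday_bytes(64) // 2 ** 30, "GiB")
    print("P(collision) at 2^20 blocks:", collision_probability(64, 2 ** 20))
    print("P(collision) at 2^32 blocks:", round(collision_probability(64, 2 ** 32), 3))
    print("toy CBC leak verified:", demo())
```

For a 128-bit block the same bound is 2^64 blocks, about 256 EiB, which is why the data-per-key limit is a non-issue for AES but a real operational constraint for 3DES and Blowfish.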
AES (Advanced Encryption Standard)
NIST: U.S. FIPS PUB 197 (FIPS 197) (2001)
5 years of open competition with 15 candidates.
Rijndael (V. Rijmen, J. Daemen) cipher
3 variants: block size 128 bits; key size 128, 192 or 256 bits.
The high-level structure (initialization, iterated rounds, final round) is similar to DES,
but AES is a substitution-permutation network, not a Feistel network: each round transforms the whole block and decryption uses the inverse transformations.
1. Initialization
2. Iteration
3. Post processing
The number of rounds depends on the key size:
128 – 10
192 – 12
256 – 14
AES (Advanced Encryption Standard)
1. Initialization:
AddRoundKey
2. Iteration:
SubBytes
ShiftRows
MixColumns
AddRoundKey
3. Post processing:
SubBytes
ShiftRows
AddRoundKey
AES (Advanced Encryption Standard)
Key generator (key expansion): a sequence of 128-bit round keys derived from the master key (11, 13 or 15 round keys).
The block is represented as a 4 × 4 byte matrix (128 bits = 16 bytes);
during the encryption process it is called the state matrix.
AddRoundKey: xor of the state matrix with the
corresponding round key.
SubBytes: the S-box applied to every byte; over the finite field 𝔽_256 = GF(2^8):
the multiplicative inverse followed by an affine transformation of the form a·x + b
ShiftRows: rotation of the rows: 1st row by 0, 2nd row by 1, 3rd row by 2, 4th row by 3
positions
MixColumns: a linear transformation applied to each column separately, multiplication by the matrix (entries are GF(2^8) elements in hex):
02 03 01 01
01 02 03 01
01 01 02 03
03 01 01 02
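The four AES round transformations computed from the definitions above, as an added example (not lecture code): SubBytes derived from the GF(2^8) inverse and the affine map rather than from a stored table, ShiftRows, MixColumns with the slide's matrix, and AddRoundKey. The state is kept as 4 rows of 4 bytes, `state[row][col]`, which is an assumption about layout; the sample column and state values are constructed.

```python
# Added example (not from the lecture): the AES round transformations of the
# slides computed from their definitions: SubBytes as inversion in GF(2^8)
# followed by the affine map, ShiftRows, MixColumns with the slide's matrix,
# AddRoundKey. The state is stored as 4 rows of 4 bytes (state[row][col]);
# the sample column and state used at the bottom are constructed for the demo.

MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]


def xtime(b):
    """Multiply by x in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (0x11B)."""
    return ((b << 1) ^ 0x1B) & 0xFF if b & 0x80 else b << 1


def gf_mul(a, b):
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r


def gf_inv(a):
    """Multiplicative inverse in GF(2^8); 0 maps to 0 by the AES convention."""
    return 0 if a == 0 else next(x for x in range(1, 256) if gf_mul(a, x) == 1)


def sub_byte(a):
    """SubBytes on one byte: affine(inv(a)) with affine(x) = x ^ x<<<1 ^ x<<<2 ^ x<<<3 ^ x<<<4 ^ 0x63."""
    x, s = gf_inv(a), 0x63
    for i in range(5):
        s ^= ((x << i) | (x >> (8 - i))) & 0xFF
    return s


def sub_bytes(state):
    return [[sub_byte(b) for b in row] for row in state]


def shift_rows(state):
    """Row r is rotated left by r positions (0, 1, 2, 3)."""
    return [row[r:] + row[:r] for r, row in enumerate(state)]


def mix_column(col):
    return [gf_mul(MIX[r][0], col[0]) ^ gf_mul(MIX[r][1], col[1])
            ^ gf_mul(MIX[r][2], col[2]) ^ gf_mul(MIX[r][3], col[3]) for r in range(4)]


def mix_columns(state):
    cols = [mix_column([state[r][c] for r in range(4)]) for c in range(4)]
    return [[cols[c][r] for c in range(4)] for r in range(4)]


def add_round_key(state, round_key):
    return [[a ^ k for a, k in zip(srow, krow)] for srow, krow in zip(state, round_key)]


def aes_round(state, round_key):
    """One full AES round; the final round (post processing) omits MixColumns."""
    return add_round_key(mix_columns(shift_rows(sub_bytes(state))), round_key)


def final_round(state, round_key):
    return add_round_key(shift_rows(sub_bytes(state)), round_key)


if __name__ == "__main__":
    print("S-box(0x53) =", hex(sub_byte(0x53)))
    print("MixColumns([db 13 53 45]) =", [hex(v) for v in mix_column([0xDB, 0x13, 0x53, 0x45])])
```

`sub_byte` reproduces the published S-box entry by entry (0x00 → 0x63, 0x53 → 0xED), which is the practical check that the "inverse plus affine map" description is complete; real implementations precompute the 256-entry table once, or avoid table lookups altogether to prevent cache-timing leaks.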
AES (Advanced Encryption Standard)
Cryptanalysis:
2002: Courtois, Pieprzyk – XSL: a nice theoretical idea, but practically
useless
2009: Biryukov, Khovratovich – related-key attack exploiting the key schedule (AES-192 and AES-256 only, impractical)
2009: Gilbert, Peyrin – known-key distinguisher: reduced-round AES output is distinguishable from random
sequences
2011: first key-recovery attack on the full cipher (biclique attack, Bogdanov, Khovratovich, Rechberger), only about 4 times faster than brute force; AES remains secure in practice
NSA (Snowden documents): research on "tau statistic" cryptanalysis; no break is known