Class 4 Na

CIS 4930-902: Computer Security

Jeremy Rasmussen, CISSP


University of South Florida
Spring, 2003
Class 4 - Asymmetric ciphers
AES (Rijndael)
• Rijndael is an iterated block cipher with a variable block length and a variable key length.
– The block length and the key length can be independently specified to 128, 192, or 256 bits.
• Several operations in Rijndael are defined at byte level, with bytes representing elements of the finite (Galois) field GF(2^8): the eight bits of a byte are the coefficients of a binary polynomial of degree below 8.
– Other operations are defined in terms of four-byte words.

CIS 4930-902 - Computer Security - University of South Florida


Spring, 2003 - Jeremy Rasmussen, CISSP
AES (Rijndael)
• Addition corresponds to a simple bit-wise XOR at the byte level.
• In the polynomial representation, multiplication in GF(2^8) corresponds to multiplication of polynomials modulo an irreducible binary polynomial of degree 8.
– A polynomial is irreducible if it has no divisors other than 1 and itself.
– See Stallings, pp. 143-164

AES (Rijndael)
• For Rijndael, this irreducible polynomial is called m(x) and is given by:
– m(x) = x^8 + x^4 + x^3 + x + 1, or
– '11B' in hexadecimal representation
• The result of a multiplication is again a binary polynomial of degree below 8, i.e. a byte.
– Unlike addition, there is no simple single operation for this at the byte level.

AES (Rijndael)
• The round transformation of Rijndael does not
have a Feistel structure.
• Instead, the round transformation is composed
of three distinct invertible uniform
transformations, called layers.
– "Uniform" here means that every bit of the State is
treated in a similar way.

AES - Layers
• Linear mixing layer: Guarantees high
diffusion over multiple rounds.
• Non-linear layer: Uses parallel application
of non-linear S-boxes.
• Key addition layer: Simple XOR of the
Round Key to the intermediate State.

AES - Round
• A round is composed of four different transformations. In pseudo C notation these are as follows:

Round(State, RoundKey)
{
    ByteSub(State);
    ShiftRow(State);
    MixColumn(State);
    AddRoundKey(State, RoundKey);   // XOR the Round Key into the State
}
AES - Round
• The final round of the cipher is slightly different (it omits MixColumn). It is defined by:

FinalRound(State, RoundKey)
{
    ByteSub(State);
    ShiftRow(State);
    AddRoundKey(State, RoundKey);
}

AES - Round
• In this notation, the "functions" (Round,
ByteSub, ShiftRow,...) operate on arrays
pointed to by State and RoundKey
parameters.
• The ByteSub transformation is a non-linear
byte substitution, operating on each of the
State bytes independently.
• In ShiftRow, the rows of the State are
cyclically shifted over different offsets.
AES - Round
• In MixColumn, the columns of the State are considered as polynomials over GF(2^8) and multiplied modulo x^4 + 1 with a fixed polynomial c(x), given by:
• c(x) = '03' x^3 + '01' x^2 + '01' x + '02'
– This polynomial is coprime to x^4 + 1 and therefore invertible.

AES - Key Schedule
• Round Keys are derived from the Cipher Key by means of a key schedule.
• The key schedule has two components:
– Key Expansion and
– Round Key Selection.
• The total number of Round Key bits is equal to the block length multiplied by (the number of rounds plus 1).
– For example, for a block length of 128 bits and 10 rounds, 128 × 11 = 1408 Round Key bits are needed.
AES - Key Schedule
• The Cipher Key is expanded into an Expanded Key.
• Round Keys are taken from this Expanded Key in the following way:
– The first Round Key consists of the first Nb words
• (Nb = block length in 32-bit words)
– The second one consists of the following Nb words
– And so on...

AES - putting it all together
• The cipher consists of: an initial Round Key addition, Nr-1 Rounds, and a final round.
• In pseudo C code:

Rijndael(State, CipherKey)
{
    KeyExpansion(CipherKey, ExpandedKey);
    AddRoundKey(State, ExpandedKey);
    for (i = 1; i < Nr; i++)
        Round(State, ExpandedKey + Nb*i);
    FinalRound(State, ExpandedKey + Nb*Nr);
}
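As an added, runnable example (this is not code from the slides or from the Rijndael authors), here is a compact AES-128 in Python built from exactly the layers the slides name: the ByteSub table is generated from GF(2^8) arithmetic modulo m(x) = '11B' instead of being pasted in, MixColumn multiplies each column by c(x) = '03' x^3 + '01' x^2 + '01' x + '02', the key schedule expands the Cipher Key into Nr+1 Round Keys, and aes128_encrypt follows the Rijndael() pseudo C above. The function names are my own, and the State is stored column by column as in the standard.

```python
# Added example, not from the slides: AES-128 built from the GF(2^8) layers the
# slides describe. The State is column-major: s[r + 4*c] is row r, column c.

def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo m(x) = x^8 + x^4 + x^3 + x + 1 ('11B')."""
    p = 0
    while b:
        if b & 1: p ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)   # xtime: reduce by m(x) when x^8 appears
        b >>= 1
    return p

def gf_inv(x: int) -> int:
    """x^254 = x^-1 for x != 0 (every nonzero x has x^255 = 1); maps 0 to 0."""
    r, e = 1, 254
    while e:
        if e & 1: r = gf_mul(r, x)
        x, e = gf_mul(x, x), e >> 1
    return r

def rotl(v: int, n: int) -> int: return ((v << n) | (v >> (8 - n))) & 0xFF

def sbox_entry(x: int) -> int:
    """ByteSub table entry: field inverse followed by the AES affine map."""
    i = gf_inv(x)
    return i ^ rotl(i, 1) ^ rotl(i, 2) ^ rotl(i, 3) ^ rotl(i, 4) ^ 0x63

SBOX = [sbox_entry(x) for x in range(256)]   # generated, not pasted in

def key_expansion(key: bytes) -> list:
    """Expand a 16-byte Cipher Key into Nr+1 = 11 Round Keys of 16 bytes each."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]       # Nk = 4 words
    rcon = 0x01
    for i in range(4, 44):                                   # Nb*(Nr+1) = 44 words
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[v] for v in t[1:] + t[:1]]             # RotWord then SubWord
            t[0] ^= rcon
            rcon = gf_mul(rcon, 0x02)                        # next round constant
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]  # Round Key r = words 4r..4r+3

def byte_sub(s): return [SBOX[v] for v in s]
def shift_row(s): return [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]
def add_round_key(s, k): return [x ^ y for x, y in zip(s, k)]

def mix_column(s):
    """Multiply each column by c(x) = 03 x^3 + 01 x^2 + 01 x + 02 modulo x^4 + 1."""
    out = []
    for c in range(4):
        a0, a1, a2, a3 = s[4 * c:4 * c + 4]
        out += [gf_mul(a0, 2) ^ gf_mul(a1, 3) ^ a2 ^ a3,
                a0 ^ gf_mul(a1, 2) ^ gf_mul(a2, 3) ^ a3,
                a0 ^ a1 ^ gf_mul(a2, 2) ^ gf_mul(a3, 3),
                gf_mul(a0, 3) ^ a1 ^ a2 ^ gf_mul(a3, 2)]
    return out

def aes128_encrypt(key: bytes, block: bytes) -> bytes:
    """Rijndael(State, CipherKey): initial key addition, Nr-1 rounds, final round."""
    rk = key_expansion(key)
    s = add_round_key(list(block), rk[0])
    for i in range(1, 10):                                   # Nr = 10 for a 128-bit key
        s = add_round_key(mix_column(shift_row(byte_sub(s))), rk[i])
    s = add_round_key(shift_row(byte_sub(s)), rk[10])        # FinalRound: no MixColumn
    return bytes(s)
```

Running aes128_encrypt on the FIPS-197 test vector (key 00 01 ... 0f, block 00 11 22 ... ff) reproduces the published ciphertext 69c4e0d86a7b0430d8cdb78070b4c55a, which is the check to make before trusting any hand-written cipher.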

AES - decryption
• Since Rijndael is invertible, the decryption
process just reverses the steps described.

AES - Links
• For more information on AES (Rijndael):
– Rijndael home page:
http://www.esat.kuleuven.ac.be/~rijmen/rijndael/
– NIST AES home page:
http://csrc.nist.gov/encryption/aes/
– Schneier Cryptogram page on possible crack
to Rijndael:
http://www.counterpane.com/crypto-gram-0209.html#1

Public Key Cryptography

Crypto Key Management
• The longer a cryptographic variable (or key) is used, the more likely it is to be compromised
– Successful attack
– More likely: stolen or coerced
• Keys must be produced, distributed, and held in secret, and destroyed after use
• Public key cryptography: a means of distributing secret keys

Public key cryptography
• Introduced by Diffie & Hellman in 1976
(NSA probably using it prior to this)
• Assume we have two integer functions, E
and D, that operate on messages (or
integers), M.

Public key cryptography
• Make the following assumptions:
1. D(E(M)) = M
2. E(D(M)) = M
3. Given E, it is not possible to determine D
4. Given D, it is not possible to determine E
• Each person has a pair of functions that satisfies
the above conditions
• Each person makes his E function public, but
keeps his D function secret

Public key cryptography
• When person A wants to send a message M to person B:
– A looks up E_B in a published list and computes E_B(M).
– By property (1) stated above: D_B(E_B(M)) = M, so B can decrypt the message
– By property (3) stated above: no one else can figure out D_B, so only B can read it

Signing a message
• If A wants to send a message M to B, and the identity of A is important to prove, but A doesn't care if anyone else sees the contents, then:
– A computes D_A(M) [digital signature]
– Sends D_A(M) along with M to B
– B looks up A's public function E_A, uses it to compute E_A(D_A(M)) = M, compares this with M, and if the two match, B can be sure M came from A

Signing a message
• Note that the likelihood of producing a fictitious X such that E_A(X) = M is infinitesimally small

Signing a secret message
• A computes a signature S = D_A(M)
• A concatenates this to message M to form M,S
• A then encrypts both the message and signature using B's public key, E_B(M,S), and sends the result to B
• B applies his private function: D_B(E_B(M,S)) = M,S
• B then computes E_A(S) = E_A(D_A(M)) = M and compares it to the decrypted message M; if they match he knows A sent the message

Signing a secret message
• Note that signing a message could be a very long process if the message is large; so, alternately, A could compute a one-way hash of the message before signing.
• A hash is a function that returns a fixed-size value for an arbitrarily large message; it also has these characteristics:
– Given M, it's easy to compute h = H(M)
– Given h, it's hard to compute M such that H(M) = h
– Given M, it's hard to find another message M' such that H(M) = H(M')

Signing a secret message
• A computes a message digest (one-way hash): MD = H(M)
• A computes the signature S = D_A(MD)
• A concatenates this to message M and message digest MD to form M,MD,S
• A then encrypts the message and signature using B's public key, E_B(M,S), and sends the result to B (the message digest may or may not be encrypted)
• B applies his private function: D_B(E_B(M,S)) = M,S
• B then computes E_A(S) = E_A(D_A(MD)) = MD and compares it to the included MD; if they match he knows A sent the message

Public key functions
• Do such functions really exist to meet conditions 1, 2, 3, and 4 mentioned previously?
• Yes, if we relax conditions 3 and 4.
• It need only be computationally infeasible to recover D from E (and vice versa)
• Such functions do exist. One is the RSA algorithm, named for its developers Rivest, Shamir, and Adleman

Description of RSA
• Take two large prime numbers, p and q
• By large, we mean hundreds of digits (only very
large numbers make it computationally
infeasible to meet conditions 3 and 4)
• Prime number: has no divisors but itself and 1;
all are odd (except 2)
• Define a number n as the product of p and q:
– n = pq
• Define another number t as:
– t = (p-1)(q-1)

Description of RSA
• Example: let p = 3 and q = 7
– These are not large primes, but the concept is the same
– Then, n = 21, and t = 12
– Next step in the RSA algorithm: select a number e that has no common divisors with t
• Can't take 1, 2, 3, or 4; how about 5
– Next step: find an integer d such that ed-1 is evenly divisible by t [denoted as "ed = 1 mod t"]
• Try d = 1: (5*1)-1 = 4, not divisible by 12; no
• Try d = 2: (5*2)-1 = 9; no
• Try d = 3: (5*3)-1 = 14; no
• Try d = 4: (5*4)-1 = 19; no
• Try d = 5: (5*5)-1 = 24 = 2*12; yes [Note that e and d are not usually the same, as they happen to be in our example]

Description of RSA
• OK, now the numbers d, p, and q are all kept
secret
• They are used to create the user’s secret D
function
• The numbers e and n are not secret; they are used
to create the public E function
• e is usually called the public key
• d is usually called the secret key
• n is called the modulus
• Once p and q are used to produce n and t, they are
no longer needed, but they should be destroyed
and not made public

Description of RSA
• To encrypt the message, you convert the message into a string of integers m_1, m_2, … all smaller than n. You then compute:
c_i = E(m_i) = m_i^e mod n
• That is, you raise m_i to the e-th power and then divide by n
• The remainder is c_i = E(m_i).
• In our example, we suppose that m_1 = 9. Thus, we compute: c_1 = 9^5 mod 21 = 59049 mod 21
• 59049 = 2811 * 21 + 18; thus c_1 = 18

Description of RSA
• The decryption function is D(c_i) = c_i^d mod n
• So, in our example:
18^d mod n = 18^5 mod 21 = 1889568 mod 21
• 1889568 = 89979*21 + 9; thus D(18) = 9, the message we started with
• To demonstrate that the decryption function always works to decrypt the message (i.e., properties 1 and 2 before) requires a result from number theory: Euler's generalization of Fermat's Little Theorem
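The RSA key setup, encryption and decryption walked through on the last few slides, together with the signed-and-encrypted exchange E_B(M,S) from the "Signing a secret message" slides, as an added Python example (not code from the slides). It uses the slides' toy parameters p = 3, q = 7, e = 5 and m_1 = 9 for A, and a second constructed toy key pair (p = 5, q = 11, e = 7) for B; find_d_by_trial() is the slides' "try d = 1, 2, 3, ..." search, while rsa_keygen() finds d with the extended Euclidean algorithm, as real implementations do. Function names are my own.

```python
# Added example, not from the slides: textbook RSA with the slides' toy numbers.
# Real keys use primes of hundreds of digits plus padding; this is only the math.

def egcd(a: int, b: int):
    """Extended Euclid: returns (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y

def rsa_keygen(p: int, q: int, e: int):
    """Return (n, t, d): n = pq, t = (p-1)(q-1), and d with e*d = 1 mod t."""
    n, t = p * q, (p - 1) * (q - 1)
    g, x, _ = egcd(e, t)
    if g != 1:
        raise ValueError("e must have no common divisor with t = (p-1)(q-1)")
    return n, t, x % t          # p, q and t are now only needed by whoever keeps d

def find_d_by_trial(e: int, t: int):
    """The slides' 'try d = 1, 2, 3, ...' search for a d with ed - 1 divisible by t."""
    for d in range(1, t):
        if (e * d - 1) % t == 0:
            return d
    return None

def encrypt(m: int, e: int, n: int) -> int:    # E(m) = m^e mod n, requires m < n
    return pow(m, e, n)

def decrypt(c: int, d: int, n: int) -> int:    # D(c) = c^d mod n
    return pow(c, d, n)

def send_signed_secret(m: int, n_a: int, d_a: int, n_b: int, e_b: int):
    """A's side: S = D_A(M), then M and S are each encrypted under B's public key."""
    s = pow(m, d_a, n_a)                        # signature with A's private exponent
    return encrypt(m, e_b, n_b), encrypt(s, e_b, n_b)

def receive_signed_secret(cm: int, cs: int, n_b: int, d_b: int, n_a: int, e_a: int):
    """B's side: recover M,S with D_B, then check E_A(S) == M. Returns (M, ok)."""
    m, s = decrypt(cm, d_b, n_b), decrypt(cs, d_b, n_b)
    return m, pow(s, e_a, n_a) == m              # ok is False if M or S was altered

if __name__ == "__main__":
    n_a, t_a, d_a = rsa_keygen(3, 7, 5)         # the slides' example: n = 21, t = 12, d = 5
    print(n_a, t_a, d_a, find_d_by_trial(5, 12))
    print(encrypt(9, 5, n_a), decrypt(18, d_a, n_a))   # 18 and back to 9
    n_b, _, d_b = rsa_keygen(5, 11, 7)          # constructed key pair for B
    cm, cs = send_signed_secret(9, n_a, d_a, n_b, 7)
    print(receive_signed_secret(cm, cs, n_b, d_b, n_a, 5))   # (9, True)
```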

Description of RSA
• Security of RSA depends on resistance of n to
being factored
• If one can factor n into its prime factors, p and q,
then one can compute t, then easily find d
• So, it’s important to select p and q such that it’s
not likely anyone can factor n
• In 1983, the best factoring algorithm by the best
computers could factor a number of about 71
decimal (235 binary) digits
• By 1994, 129 digits (428 bits) were being factored

Description of RSA
• Current implementations of RSA generate p and q on the order of 256 to 1024 bits, so n is about 512 to 2048 bits.
• Attacking RSA by factoring the modulus n is a form of algebraic attack
• An algebraic attack reduces the search space of a brute-force attack
• Factoring a number, n, takes at most on the order of square root of n calculations, or about 10^50 for a 100-digit number
– While still a very large number, it is a vast improvement over brute force

A word on hashes...

Hashes
• A hash is the mathematical transformation
of an arbitrarily long string of characters
into a short, fixed-length value.
• Hashing is used to index and retrieve items
in a database because it is faster to find the
item using the shorter hashed key than to
find it using the original value.
• It is also used in many encryption
algorithms.

Hashes
• A hash guarantees integrity, but not necessarily authenticity (unless it is cryptographically "signed")
• A hash may be thought of as simply a more advanced form of a checksum: one which cannot be reproduced easily with false data.

Hashes
• Two key things about hashes:
– Hashing is a one-way operation. While the hash
uniquely represents the input value, there
should be no way to "reverse engineer" the hash
to find out what the input value was.
– A good hash function also should not produce
the same hash value from two different inputs.
If it does, this is known as a collision. A hash
function that offers an extremely low risk of
collision may be considered acceptable.

Re-hashing hashes
• A hash is produced by running a message through a mathematical function (a hashing algorithm) that produces a fixed-length message digest
• E.g., 128 bits in MD5 (developed by Ron Rivest) and 160 bits in SHA-1 (developed by NIST)

How hashes work
• Here are some relatively simple hash functions
that have been used:
– Division-remainder method: The size of the number
of items in the table is estimated. That number is then
used as a divisor into each original value or key to
extract a quotient and a remainder. The remainder is the
hashed value.
– Folding: This method divides the original value (digits in this case) into several parts, adds the parts together, and then uses the last four digits (or some other arbitrary number of digits that will work) as the hashed value or key.

How hashes work
• Here are some relatively simple hash functions
that have been used:
– Radix transformation: Where the value or key is
digital, the number base (or radix) can be changed
resulting in a different sequence of digits. High-order
digits could be discarded to fit a hash value of uniform
length.
– Digit rearrangement: This is simply taking part of the
original value or key such as digits in positions 3
through 6, reversing their order, and then using that
sequence of digits as the hash value or key.
A simplistic hashing example
• Here is a simple example of a hash:
– In this example, the hash will be produced by keeping one counter per digit 0-9 and incrementing the counter for each digit of that type in the message. When a counter reaches 10, it rolls over to zero again. Here's our "arbitrarily long" input message:
– 2385829143759021470568901427859078439217589743218957142390677

Hashing example
Final counter value for each digit (read off in order 0-9 to form the hash):

Digit  0 1 2 3 4 5 6 7 8 9
Count  4 6 7 5 4 5 2 9 8 9

• Fixed Length Hash = 4675452989


• If even one digit of the input changed, the hash would change in at least two positions.
• This is a simple example, and probably easily cryptanalyzed, but you get the idea.

Digital signatures
• Used to verify that a message really comes from
the claimed sender
• Digital signature of a document is created by
computing a message digest (MD) from the
document, and concatenating it with information
about the signer, a timestamp, etc.
• MD is encrypted using private key; recipient uses
public key to decrypt

Digital signatures
• Resulting string is then encrypted using the
private key of the signer using a suitable
algorithm. The resulting encrypted block of
bits is the signature.
• It is often distributed together with
information about the public key that was
used to sign it.

Digital signature algorithms
• Signing is not necessarily just "encryption with a private key"
• It can be done in different ways; for example, two parties each generate a number separately, and use a combination of the two numbers, along with their secret number, to verify messages
• ElGamal: an early example of this
• From ElGamal, the Digital Signature Algorithm (DSA) was developed

Discrete Log Problem
• Another hard problem, one that is quick to compute in the forward direction, is the discrete logarithm problem.
• Given a number b, the base, and x, the logarithm, one can easily compute b^x or b^x mod N for any N.
• It turns out to be very difficult to solve the reverse problem for large integers.
• That is, given a large integer y and a base b, find x so that b^x = y mod N.

Discrete Log Problem
• The known procedures (algorithms) require
about the same level of computation as
finding the factors of a large integer.
• Diffie and Hellman exploited this difficulty
to define their public key distribution
algorithm.

Diffie-Hellman Key Exchange
• S and T want to exchange a secret cryptovariable
for use in a conventional symmetric encryption
system, say a DES encryption device.
• S and T together select a large prime p and a base
b.
• The numbers p and b are assumed to be public
knowledge.
• Next S chooses a number s and keeps it secret. T
chooses a number t and keeps it secret. The
numbers s and t must be between 1 and p-1.

Diffie-Hellman Key Exchange
• Sarah and Tanya then compute (respectively):
• x = b^s mod p (S)
• y = b^t mod p (T)
• In the next step of the process S and T exchange the numbers x and y; T sends y to S, and S sends x to T.

Diffie-Hellman Key Exchange
• Now S can compute
– y^s = b^(ts) mod p
• And T can compute
– x^t = b^(st) mod p
• But,
– b^(ts) mod p = b^(st) mod p = K, which becomes their common key

Diffie-Hellman Key Exchange
• In order for a third party to recover K, that party must solve the discrete logarithm problem to recover s or t.
• To be more precise, solving the discrete logarithm problem is sufficient to recover the key, but it might not be necessary. It is not known if there is another way to find b^(st) given b^s and b^t.
• It is conjectured that the latter problem is at least as difficult as the discrete logarithm problem.
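The S/T exchange from the preceding slides, as an added Python example (not code from the slides), run with small constructed numbers (p = 23, b = 5, s = 6, t = 15) so that every intermediate value can be checked by hand. It also includes the brute-force discrete logarithm a third party would have to compute from the public values, to show concretely why p must be large in practice. Function names are my own.

```python
# Added example, not from the slides: Diffie-Hellman with toy numbers.
# p and b are public; s and t never leave their owners; only x and y are sent.

def dh_public(b: int, secret: int, p: int) -> int:
    """x = b^s mod p (for S) or y = b^t mod p (for T): the value each party sends."""
    return pow(b, secret, p)

def dh_shared_key(received: int, secret: int, p: int) -> int:
    """K = received^secret mod p: S computes y^s, T computes x^t."""
    return pow(received, secret, p)

def dh_exchange(p: int, b: int, s: int, t: int):
    """Run both sides and return (x, y, K as seen by S, K as seen by T)."""
    if not (1 <= s <= p - 1 and 1 <= t <= p - 1):
        raise ValueError("s and t must be between 1 and p-1")
    x, y = dh_public(b, s, p), dh_public(b, t, p)       # exchanged in the clear
    return x, y, dh_shared_key(y, s, p), dh_shared_key(x, t, p)

def brute_force_dlog(b: int, target: int, p: int):
    """Find e with b^e = target mod p by trying every exponent in turn: fine for a
    toy p, hopeless at real sizes, and that gap is the whole security argument."""
    acc = 1
    for e in range(p):
        if acc == target:
            return e
        acc = (acc * b) % p
    return None

if __name__ == "__main__":
    p, b, s, t = 23, 5, 6, 15                            # constructed toy values
    x, y, k_s, k_t = dh_exchange(p, b, s, t)
    print(x, y, k_s, k_t)                                # 8 19 2 2: both sides agree on K
    # A third party who sees only p, b, x and y must recover s (or t) first:
    s_found = brute_force_dlog(b, x, p)
    print(s_found, dh_shared_key(y, s_found, p) == k_s)  # 6 True for this toy p
```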

Digital signature algorithms
• Some signing algorithms can also be used as public key encryption algorithms because they are reversible
• RSA is such an algorithm
