2 Authentication - Access Control & Cryptography

Authentication mechanisms aim to verify a user's identity and include something the user knows (e.g., passwords), something the user is (e.g., biometrics), or something the user has (e.g., security tokens). Passwords are the most common authentication method but have weaknesses like being easy to guess or crack. Using long, random passwords helps strengthen security, as attackers may need weeks to crack stronger passwords through brute force guessing compared to minutes for weak passwords. Salting and hashing passwords adds protection by transforming passwords in a unique way for each user.


SECURITY IN COMPUTING, FIFTH EDITION
Chapter 2: Toolbox: Authentication, Access Control, and Cryptography
Objectives for Chapter 2
• Survey authentication mechanisms
• List available access control implementation options
• Explain the problems encryption is designed to solve
• Understand the various categories of encryption tools as
well as the strengths, weaknesses, and applications of
each
• Learn about certificates and certificate authorities
Authentication
• Identification is the act of establishing who a user claims to be.
• Involves some unique identifier: user name, email address, employee ID.
• Helps to distinguish one user from another.
• Authentication is the process of verifying the claimed identity of a user.
• Authentication confirms that you are who you purport to be.
• E.g., passwords, PINs, biometrics, etc.
Identification Versus Authentication
• Identities are typically public or well known. Authentication should be private.
• Identities are often well known, predictable, or guessable: if you send email to someone, you implicitly send along your email account ID so the other person can reply to you.
• Authentication, on the other hand, should be reliable; otherwise, it is not secure.
• Authentication methods (mechanisms): three qualities used to confirm a user’s identity (different methods of authentication):
• Something the user knows
• Something the user is
• Something the user has
Something You Know
• Something the user knows: Passwords, PIN numbers,
passphrases, a secret handshake, and mother’s
maiden name, Security questions
• Something the user is: biometrics, are based on a
physical characteristic of the user, such as a fingerprint,
the pattern of a person’s voice, or a face (picture)
• Something the user has: Identity badges, physical keys,
a driver’s license, or a uniform are common examples of
things people have that make them recognizable.
Two or more forms can be combined; for example, a
bank card and a PIN combine something the user has
(the card) with something the user knows (the PIN)
Classification of user authentication
• 1. Knowledge based authentication
• 2. Object based authentication
• 3. Biometric authentication
Knowledge based authentication
• Highly used
• Passwords: simple, inexpensive and portable
• Other examples: passphrases, graphical passwords, PINs, digital signatures, etc.
• Disadvantages:
1. Easy to crack.
2. Tough to recall.
3. Sometimes easy to guess.
4. Multiple applications - difficult to guess
Rules to improve password security
• Passwords should not be shared or written down.
• The number of unsuccessful authentication attempts should be limited by the system.
• Passwords should never be stored in clear text; they should be encrypted.
• OTP (one-time passwords)
• Different categories of passwords:
• Primary passwords: system or user generated
• Secondary passwords: for sensitive applications
• Question and answer methods
Q and A passwords
• Two types
1. Cognitive Password: based on opinion based question
2. Associative Password: Based on word associations.

Classification of passwords
1. Strong
2. Weak
3. Medium
• All are a very poor form of authentication.
They can be easily cracked or hacked with the following attacks:
1. Guessing
2. Brute force attack
3. Dictionary attack
Several Other Challenges
• Multiple passwords, or a password that needs to be continuously changed, are very hard for the user to remember.
• Strong passwords are very hard to remember, which may lead to dictionary attack.
• Medium and weak passwords can easily be hacked or cracked.
Authentication Based on Phrases and Facts/Passwords: Something You Know
• Vulnerabilities in authentication using passwords: consider the nature of passwords, criteria for selecting them, and ways of using them for authentication.
• Difficulties in Password Use
• Use. Supplying a password for each access to an object
can be inconvenient and time consuming
• Disclosure. If a user discloses a password to an
unauthorized individual, the object becomes immediately
accessible. If the user then changes the password to re-
protect the object, the user must inform any other
legitimate users of the new password because their old
password will fail.
Difficulties in Password Use
• Revocation. To revoke one user’s access right to an
object, someone must change the password, thereby
causing the same problems as disclosure.
• Loss. Depending on how the passwords are implemented,
it may be impossible to retrieve a lost or forgotten
password. The operators or system administrators can
certainly intervene and provide a new password, but often
they cannot determine what password a user had chosen
previously. If the user loses (or forgets) the password,
administrators must assign a new one.
• Attacking and Protecting Passwords
• People pick passwords that do not even take advantage of the number of bits available.
• 12 steps an attacker might try in order to determine a password, in increasing degree of difficulty (number of guesses); they indicate the amount of work to which the attacker must go in order to derive a password:
1. no password
2. the same as the user ID
3. is, or is derived from, the user’s name
4. on a common word list (for example, password, secret, private) plus common names and patterns (e.g., qwerty, aaaaaa)
5. contained in a short college dictionary
6. contained in a complete English word list
7. contained in common non-English-language dictionaries
8. contained in a short college dictionary with capitalizations (PaSsWorD) or substitutions (digit 0 for letter O, and so forth)
9. contained in a complete English dictionary with capitalizations or substitutions
10. contained in common non-English dictionaries with capitalization or substitutions
11. obtained by brute force, trying all possible combinations of alphabetic characters
12. obtained by brute force, trying all possible combinations from the full character set
• Every password can be guessed; password strength is
determined by how many guesses are required.
• Note: For the most dedicated attacker time is not a limiting factor
• Dictionary Attacks
• Several network sites post dictionaries of phrases, science fiction
character names, places, mythological names, Chinese words,
Yiddish words, and other specialized lists.
• Dictionaries help site administrators identify users who have chosen
weak passwords
• Some utilities allow an administrator to scan a system for weak
passwords
• Password-cracking programs: Internet sites offer so-called password
recovery software as freeware or shareware
Note: attackers of sites can do all the above
• Picking a simple password and replacing certain characters, such as 0
(zero) for letter O, 1 (one) for letter I or L, 3 (three) for letter E or @
(at) for letter A fails: because users aren’t the only people who could
think up these substitutions.
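Dictionaries and password-scanning utilities are what administrators use to find weak choices before an attacker does. The Python below is an added example (not code from the book or the slides) of a checker that applies the first guessing steps above as a policy: empty, equal to or derived from the user ID or name, on a common word list even after undoing the 0/1/3/@ substitutions, a single repeated character, too short, or lowercase letters only. The COMMON_WORDS set, the substitution table, the eight-character minimum and the three-letter name-fragment threshold are constructed assumptions; a real deployment would load a full dictionary.

```python
import re

# Constructed sample of a "common word list"; a real deployment would load a large
# dictionary (the slides name password, secret, private, qwerty, aaaaaa).
COMMON_WORDS = {"password", "secret", "private", "qwerty", "aaaaaa",
                "letmein", "iloveyou", "123456", "12345"}

# Inverse of the substitutions users make: 0 for O, 3 for E, @ for A, $ for S.
# Digit 1 is ambiguous (I or L), so both spellings are produced below.
UNDO = {"0": "o", "3": "e", "@": "a", "$": "s"}


def normalized_variants(candidate):
    """Lower-case the candidate and undo substitutions, returning every plausible spelling."""
    base = "".join(UNDO.get(ch, ch) for ch in candidate.lower())
    return {base.replace("1", "i"), base.replace("1", "l")}


def weakness_reasons(user_id, full_name, candidate, min_length=8):
    """Return the reasons a proposed password would fall to an early guessing step.

    An empty list means none of the checks fired; it does not prove the password strong.
    """
    if not candidate:
        return ["empty"]
    reasons = []
    variants = normalized_variants(candidate)
    uid = user_id.lower()
    if uid in variants:
        reasons.append("same as user ID")
    # Name fragments of three or more letters (constructed threshold) count as "derived from name".
    name_parts = [p.lower() for p in re.split(r"\W+", full_name) if len(p) >= 3]
    if any(part in v for part in name_parts + [uid] for v in variants):
        reasons.append("derived from user's name or ID")
    if variants & COMMON_WORDS:
        reasons.append("on common word list")
    if len(set(candidate)) == 1:
        reasons.append("single repeated character")
    if len(candidate) < min_length:
        reasons.append("shorter than %d characters" % min_length)
    if candidate.isalpha() and candidate.islower():
        reasons.append("lowercase letters only")
    return reasons


if __name__ == "__main__":
    for pw in ["", "jsmith", "P@ssw0rd", "Sm1th2024", "qwerty", "2Brn2Bti?"]:
        print(repr(pw), "->", weakness_reasons("jsmith", "John Smith", pw) or "no check fired")
```

The check that undoes substitutions is the point of the last slide bullet: a password such as P@ssw0rd is compared as password, so it is caught by the common-word step that a naive exact-match check would miss.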
Inferring Passwords Likely for a User &
Distribution of Password Types
• 3,289 passwords gathered; Of those passwords, 86
percent could be uncovered in about one week’s worth of
24-hour-a-day testing, using the very generous estimate
of 1 millisecond per password check
• Another study with 5,000 passwords. Klein reported that
2.7 percent of the passwords were guessed in only 15
minutes of machine time (at the speed of 1990s
computers), and 21 percent were guessed within a week!
Spafford found that the average password length was 6.8
characters and that 28.9 percent consisted of only
lowercase alphabetic characters
• About 30 per cent of users chose passwords of fewer
than seven characters.
• Nearly 50 per cent of people used names, slang words,
dictionary words or trivial passwords—consecutive digits,
adjacent keyboard keys and so on.
• Most popular passwords included 12345, 123456,
1234567, password, and iloveyou, in the top ten.
• Conclusion: people choose weak and easily guessed
passwords more frequently than some might expect.
Clearly, people find something in the password process
that is difficult or unpleasant: Either people are unable to
choose good passwords, perhaps because of the
pressure of the situation, or they fear they will forget solid
passwords. In either case, passwords are not always
good authenticators.
Password Storage by OS
Operating systems store passwords in hidden (encrypted) form so that
compromising the id–password list does not give immediate access to all
user accounts.

[Figure: a table of users’ passwords in plaintext form beside their concealed forms]
• Converting a password to its concealment form is simple, but going the other way (starting with a concealed version and deriving the corresponding password) is effectively impossible.
• For this reason, on some websites if you forget your password, the system can reset your password to a new, random value, but it cannot tell you what your forgotten password was.
• For active authentication, that is, entering identity and authenticator to be able to access a system, most systems lock out a user who fails a small number of successive login attempts. This failure count prevents an attacker from attempting more than a few guesses.
Rainbow table:
• People often use one of a few predictable passwords.
• Rainbow table: a precomputed list of popular values, such as passwords, created by an interceptor; it is a list of the concealed forms of the common passwords.
Salt:
• Used with scrambled passwords
• In (a), Pat and Roz have the same password; someone who intercepts the table can learn that users Pat and Roz have the same password.
• As a countermeasure, a salt is an extra data field different for each user, perhaps the date the account was created or a part of the user’s name. The salt value is joined to the password before the combination is transformed by concealment. In this way, Pat+aaaaaa has a different concealment value from Roz+aaaaaa, as shown in (b).

[Figure: (a) concealed password table without salt; (b) the same table with a per-user salt]
Exhaustive / brute force attack
• In this attack, the attacker tries all possible passwords, usually in some automated fashion.
• The number of possible passwords depends on the implementation of the particular computing system.
• E.g., A–Z, length from 1 to 8 characters => 26^1 + 26^2 + … + 26^8 = 5 * 10^12 = five million million possible passwords, which seems intractable; but speed up the search to one password per microsecond and it takes two months, a reasonable time for an attacker if the reward is large; e.g., an intruder may try brute force to break the password on a file of credit card numbers or bank account information.
• Password break-in time can be made even more tractable in a
number of ways
• Conclusion: All these techniques to defeat passwords, combined with
usability issues, indicate that we need to look for other methods of
authentication
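Putting the Salt and lockout slides together with the brute-force cost argument: the Python below is an added example (not code from the book or the slides) of a password store that keeps only a random per-user salt and an iterated hash, so Pat and Roz’s identical password conceals to different values, each guess costs the full iteration count, and a small number of successive failures locks the account. PBKDF2-HMAC-SHA256 with 100,000 iterations, a 16-byte salt and a five-attempt limit are assumptions chosen for the example, not values from the page.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000   # assumed: iterated hashing makes every guess costly for a brute-force attacker
MAX_FAILURES = 5       # assumed: lock out after a small number of successive failures


def unsalted_conceal(password):
    """Concealment without salt, as in figure (a): equal passwords give equal stored values."""
    return hashlib.sha256(password.encode()).digest()


def salted_conceal(password, salt):
    """Concealment with salt, as in figure (b): the salt is joined to the password before hashing."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class PasswordStore:
    """Keeps only (salt, concealed value, failure count) per user; the password itself is never stored."""

    def __init__(self):
        self._records = {}

    def register(self, user, password):
        salt = os.urandom(16)                       # random, per-user salt
        self._records[user] = {"salt": salt,
                               "digest": salted_conceal(password, salt),
                               "failures": 0}

    def concealed(self, user):
        return self._records[user]["digest"]

    def is_locked(self, user):
        return self._records[user]["failures"] >= MAX_FAILURES

    def authenticate(self, user, password):
        """Return True only for the correct password of an existing, unlocked user."""
        rec = self._records.get(user)
        if rec is None:
            return False
        if rec["failures"] >= MAX_FAILURES:
            return False                            # locked: even the right password is refused
        ok = hmac.compare_digest(rec["digest"], salted_conceal(password, rec["salt"]))
        if ok:
            rec["failures"] = 0
        else:
            rec["failures"] += 1                    # failure count limits online guessing
        return ok


if __name__ == "__main__":
    store = PasswordStore()
    store.register("pat", "aaaaaa")
    store.register("roz", "aaaaaa")
    print("unsalted values equal:", unsalted_conceal("aaaaaa") == unsalted_conceal("aaaaaa"))
    print("salted values equal:  ", store.concealed("pat") == store.concealed("roz"))
```

The lockout counter also gives anyone who knows a user ID a way to lock that user out, so in practice it is paired with the audit logging discussed later in the chapter rather than used on its own.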
Good Passwords
• Use a nonexistent word or a phrase- e.g. 2Brn2Bti? (derived from “to be or
not to be, that is the question”), PayTaxesApril15th; strings are long, they
are chosen from a large set of characters, and they do not appear in a
dictionary
• Use characters other than just a–z.
• Choose long passwords
• Avoid actual names or words
• Use a string you can remember; UcnB2s=> “you can never be too secure.”
• Use variants for multiple passwords: Ih1b2s (I have one brother, two
sisters); then append some patterns involving the first few vowels and
consonants like Ih1b2sIvs for vIsa, Ih1b2sAfc for fAcebook
• Change the password regularly
• Don’t write it down
• Don’t tell anyone else: The easiest attack is social engineering: the
attacker may phone a user, claim to be “system administration,” and ask
the user to verify the user’s password
Security Questions
• Use questions to which (presumably) only the right person
would know the answer - Such questions include mother’s
maiden name, street name from childhood, model of first
automobile, and name of favorite teacher
• But answers to some can be determined with little
difficulty
Biometrics: Something You Are
• Hand Geometry Reader: The user places a hand on the sensors, which detect lengths and widths of fingers, curvature, and other characteristics.
• Hand Vein Reader: reads the pattern of veins in the hand; does not require physical contact between the hand and the reader, an advantage for hygiene.
The list of biometric authentication technologies is still growing:
• fingerprint
• hand geometry (shape and size of fingers)
• retina and iris (parts of the eye)
• voice
• handwriting, signature, hand motion
• typing characteristics
• blood vessels in the finger or hand
• face
• facial features, such as nose shape or eye spacing
A biometric cannot be lost, stolen, forgotten, or shared and is always available, always at hand, so to speak; it is difficult, if not impossible, to forge.
Problems with Biometrics
• Intrusive
• Expensive
• Single point of failure: Forgetting a password is a user’s
fault; failing biometric authentication is not
• Sampling error - Variation reduces accuracy
• False readings
• Speed
• Forgery
Tokens: Something You Have
• means that you have a physical object in your possession
e.g., keys, badges and identity cards
• Another kind of authentication token has data to communicate invisibly: credit cards with a magnetic stripe, credit cards with an embedded computer chip, or access cards with passive or active wireless technology. A reader senses values from the card; if the identity and the values read from the token match, the user is authenticated.
• Active and Passive Tokens: Passive tokens do not
change. Active tokens communicate with a sensor
(can have some variability or interaction with its
surroundings)
• Passive tokens: A photo or key is an example of a passive token in
that the contents of the token never change.
• Active tokens: When you insert the card into a reader, the machine
reads the current balance, subtracts the price of the trip and
rewrites a new balance; token is just a repository to hold the
current value
• Another form of active token initiates a two-way communication
with its reader, often by wireless or radio signaling; lead to static
and dynamic interaction tokens
1. Static: Keys, identity cards, passports, credit and other
magnetic-stripe cards, and radio transmitter cards (called RFID
devices) - useful for onsite authentication
• Remote authentication: able to prove your identity to a person or
computer somewhere else is susceptible to the problem of the
token having been forged.
Skimming
• Tokens are vulnerable to an attack called skimming.
• Skimming - Use of a device to copy authentication data surreptitiously and
relay it to an attacker. ATMs and POS credit card readers are particularly
vulnerable to skimming.
• At an ATM the thief attaches a small device over the slot into which you
insert your bank card. Because all bank cards conform to a standard format
(so you can use your card at any ATM or merchant), the thief can write a
simple piece of software to copy and retain the information recorded on the
magnetic stripe on your bank card.
• Some skimmers also have a tiny camera to record your key strokes as you
enter your PIN on the keypad.
• Either instantaneously (using wireless communication) or later (collecting
the physical device), the thief thus obtains both your account number and
its PIN. The thief simply creates a dummy card with your account number
recorded and, using the PIN for authentication, visits an ATM and withdraws
cash from your account or purchases things with a cloned credit card.
Dynamic tokens
Dynamic tokens: tokens whose value changes; they overcome the copying of physical tokens or passwords.
A device that generates an unpredictable value that we might call a pass number.
Federated Identity Management
Federated identity management unifies the identification and
authentication process for a group of systems.
Single Sign-On
Multifactor Authentication
• => Combining authentication information
Each authentication factor requires the system and its
administrators and the users to manage more security
information
• E.g., two-factor authentication:. two kinds of
authentication imply two pieces of software and perhaps
two kinds of readers, as well as the time to perform two
authentications
• Though superior to single factor, we do not know which value of n makes n-factor authentication optimal. From a usability point of view, large values of n may lead to user frustration and reduced security.
Secure Authentication
• Passwords, biometrics, and tokens can all participate in secure authentication.
• Limiting users to certain workstations or certain times of access can cause complications, but the added security they provide sometimes outweighs the inconvenience.
Effective policy implementation
Access Policies
• Goals:
1. Check every access - revoke authorization if impersonated
2. Enforce least privilege - a subject should have access to the smallest
number of objects necessary to perform some task (Even if extra
information would be useless or harmless)
3. Verify acceptable usage: checking that the activity to be performed on an
object is appropriate e.g., legitimate stack accesses
• Track users’ access: administrators need to revisit the access policy to determine whether it is working as it should; though this is a management aspect, it has a technical bearing on access control.
• Enforce at appropriate granularity: The finer the granularity, the larger
number of access control decisions that must be made, so there is a
performance penalty - a reasonable midpoint must apply.
• Use audit logging to track accesses: the access log (audit log) is created and maintained by the system, and it is preserved for later analysis.
Access Control
Tracking
• Implementing an appropriate policy is not the end of access
administration. Sometimes administrators need to revisit the
access policy to determine whether it is working as it should.
• Has someone been around for a long time and so has
acquired a large number of no-longer-needed rights?
• Do so many users have access to one object that it no
longer needs to be controlled?
• Or should it be split into several objects so that individuals
can be allowed access to only the pieces they need?
• Administrators need to consider these kinds of questions on
occasion to determine whether the policy and
implementation are doing what they should.
Granularity
• By granularity we mean the fineness or specificity of access control. It is a spectrum:
At one end you can control access to each individual bit or byte, each word in a
document, each number on a spreadsheet, each photograph in a collection. That
level of specificity is generally excessive and cumbersome to implement.
• The finer the granularity, the larger number of access control decisions that must be
made, so there is a performance penalty.
• At the other extreme you simply say Adam has complete access to computer C1.
That approach may work if the computer is for Adam’s use alone, but if computer C1
is shared, then the system has no basis to control or orchestrate that sharing.
• Thus, a reasonable midpoint must apply. Typically, a file, a program, or a data space
is the smallest unit to which access is controlled. However, note that applications can
implement their own access control.
• For example, a database management system can have access to a complete
database, but it then carves the database into smaller units and parcels out access:
This user can see names but not salaries, that user can see only data on employees
in the western office.
• Hardware devices, blocks of memory, the space on disk where program code is
stored, specific applications, all these are likely objects over which access is
controlled.
Access log
Reasons for logging access include the following:
• Records of accesses can help plan for new or upgraded
equipment, by showing which items have had heavy use.
• If the system fails, these records can show what accesses
were in progress and perhaps help identify the cause of
failure.
• If a user misuses objects, the access log shows exactly
which objects the user did access.
• In the event of an external compromise, the audit log may
help identify how the assailant gained access and which
data items were accessed. These data for after-the-fact
forensic analysis have been extremely helpful in handling
major incidents
• Database, File, Hardware devices, blocks of memory, the
space on disk where program code is stored, specific
applications, all these are likely objects over which access
is controlled
Limited Privilege
• Limited privilege is the act of restraining users and processes so that
any harm they can do is not catastrophic. A system that prohibits all
accesses to anything by anyone certainly achieves both
confidentiality and integrity, but it completely fails availability and
usefulness.
• We seek a midpoint that balances the need for some access against
the risk of harmful, inappropriate access. Certainly, we do not expect
users or processes to cause harm.
• But recognizing that not all users are ethical or even competent and
that not all processes function as intended, we want to limit exposure
from misbehaving users or malfunctioning processes.
• Limited privilege is a way to constrain that exposure. Limited privilege
is a management concept, not a technical control.
• The process of analyzing users and determining the privileges they
require is a necessary first step to authorizing within those limits.
After establishing the limits, we turn to access control technology to
Implementing Access Control
• Reference monitor
• Access control directory
• Access control matrix
• Access control list
• Privilege list
• Capability
• Procedure-oriented access control
• Role-based access control
Reference monitor:
• access control that is always invoked, tamperproof,
and verifiable
• is a notion, not a tool you can buy to plug into a port. It
could be embedded in an application (to control the
application’s objects), part of the operating system (for
system-managed objects) or part of an appliance
• several models of how access rights can be maintained
and implemented by the reference monitor
Access Control Directory
• protects objects with a structure that works like a file directory
• protects files (the set of objects) from users of a computing system (the set of subjects)
• Every file has a unique owner who possesses “control” access rights and can revoke the access of any person at any time
• Each user has a file directory, which lists all the files to which that
user has access
• operating system must maintain all file directories, under
commands from the owners of files
• no user can be allowed to write in the file directory, because that
would be a way to forge access to a file
• rights to files are the
• Rights possessed by the owner: read, write, execute, grant and
revoke access rights.
Access Control Directory
• easy to implement because it uses one list per user, naming all
the objects that a user is allowed to access
• Difficulties:
1. List becomes too large if many shared objects are
accessible to all users: Directory of each user must have
one entry for each such shared object, even if the user
has no intention of accessing the object; Deletion must be
reflected in all directories
2. revocation of access time consuming especially with
propagation of access rights; owner may be unaware of
this propagation
3. Pseudonyms: necessitates the original owner’s
designation part of the file name; one subject may have
two distinct sets of access rights to the same object
Access Control Matrix
• A table in which each row represents a subject, each column represents an object, and each entry is the set of access rights for that subject to that object.
• Access rights are O, own; R, read; W, write; and X, execute.
• In general, a sparse matrix: most subjects do not have access rights to most objects.
Access Control Matrix
List of Access Control Triples
• represented as a list of triples, each having the form subject, object,
rights
• more efficient than the access control matrix because there is no
triple for any empty cell of the matrix
• triples can be sorted by subject or object as needed
• But searching a large number of these triples is inefficient enough
that this implementation is seldom used
Access Control List
• corresponds to columns of the access control matrix =>
One such list for each object, and the list shows all
subjects who should have access to the object and what
their access is.
• differs from the directory list because there is one access
control list per object; a directory is created for each
subject
• Allows default rights: all possible subjects can share a
public object without the need for an entry for the
object in the individual directory of each user
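One sparse table can serve all three representations just described (triples, per-subject directories and per-object access control lists) and can also produce the access log the Access log slide calls for. The Python below is an added example written for this page, not code from the book: a reference monitor that stores only the non-empty matrix cells, answers directory and ACL views from them, supports the ACL default-rights entry for a public object (the "*" subject is a constructed convention), records every decision in an audit log, and answers two of the logging questions from the slides (which objects a user actually touched, which objects are most heavily used). The subjects, objects and rights in the usage are constructed sample values.

```python
from collections import Counter

OWN, READ, WRITE, EXECUTE = "O", "R", "W", "X"
ANY_SUBJECT = "*"   # constructed convention: the ACL "default rights" entry of a public object


class ReferenceMonitor:
    """Sparse access control matrix kept as (subject, object) -> rights, consulted on every access."""

    def __init__(self):
        self._matrix = {}      # only non-empty cells are stored, as the triples representation does
        self.audit_log = []    # (subject, object, right, granted) for every decision made

    def grant(self, subject, obj, rights):
        self._matrix.setdefault((subject, obj), set()).update(rights)

    def revoke(self, subject, obj, rights=None):
        """Remove some rights (or, with rights=None, all rights) of subject on obj."""
        key = (subject, obj)
        if key not in self._matrix:
            return
        if rights is None:
            del self._matrix[key]
        else:
            self._matrix[key] -= set(rights)
            if not self._matrix[key]:
                del self._matrix[key]

    def triples(self):
        """The matrix as sorted (subject, object, rights) triples; empty cells produce no triple."""
        return sorted((s, o, "".join(sorted(r))) for (s, o), r in self._matrix.items())

    def directory(self, subject):
        """Row view: the access control directory of one subject."""
        return {o: set(r) for (s, o), r in self._matrix.items() if s == subject}

    def acl(self, obj):
        """Column view: the access control list of one object."""
        return {s: set(r) for (s, o), r in self._matrix.items() if o == obj}

    def check(self, subject, obj, right):
        """The reference monitor decision: invoked on every access and always recorded."""
        granted = (right in self._matrix.get((subject, obj), set())
                   or right in self._matrix.get((ANY_SUBJECT, obj), set()))
        self.audit_log.append((subject, obj, right, granted))
        return granted

    def objects_accessed_by(self, subject):
        """Audit question from the slides: which objects did this user actually access?"""
        return sorted({o for s, o, _, ok in self.audit_log if s == subject and ok})

    def heaviest_use(self, n=1):
        """Audit question from the slides: which objects saw the most granted accesses?"""
        return Counter(o for _, o, _, ok in self.audit_log if ok).most_common(n)


if __name__ == "__main__":
    rm = ReferenceMonitor()
    rm.grant("adam", "f1", {OWN, READ, WRITE})
    rm.grant("bill", "f1", {READ})
    rm.grant(ANY_SUBJECT, "help.txt", {READ})      # public object: default rights, no per-user entry
    print("bill may read f1:", rm.check("bill", "f1", READ))
    print("ACL of f1:", rm.acl("f1"))
    rm.revoke("bill", "f1")
    print("after revocation:", rm.check("bill", "f1", READ), rm.triples())
```

Because the monitor is the single place every access passes through, revocation takes effect at the next check, and the audit log is complete by construction; that is the "always invoked" property the Reference monitor slide requires.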
Access Control List
Procedure-Oriented Access Control
• One goal of access control is restricting not just what subjects have
access to an object, but also what they can do to that object (other than
read or write); more complex control is not so easy to achieve
• Procedures can perform actions specific to a particular object in
implementing access control
• Procedure-oriented protection => the existence of a procedure that controls access to objects (e.g., by performing its own user authentication to strengthen the basic protection provided by the operating system)
• Procedure forms a capsule around the object, permitting only certain
specified accesses
• accesses to an object be made through a trusted interface
• implements the principle of information hiding because the means of
implementing an object are known only to the object’s control procedure
• But inefficient: there can be no simple, fast access checking, even if the
object is frequently used.
Role-Based Access Control
• Recognizes common needs of all members of a set of subjects
• Some users need to have significant privileges while others need lower privileges
• But a user’s role may change
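As an added example (not from the book or the slides) of the role indirection, the Python below attaches rights to roles rather than to users; when a user’s role changes, the old role’s rights go away in the same step that the new ones arrive, and redefining a role updates every member at once. The roles, objects and rights used are constructed sample values.

```python
class RoleBasedAccessControl:
    """Rights attach to roles; a user holds rights only through the roles currently assigned."""

    def __init__(self):
        self._role_rights = {}   # role -> set of (object, right)
        self._user_roles = {}    # user -> set of roles

    def define_role(self, role, rights):
        """Create or redefine a role; every current member sees the change immediately."""
        self._role_rights[role] = set(rights)

    def assign_role(self, user, role):
        if role not in self._role_rights:
            raise KeyError("undefined role: %s" % role)
        self._user_roles.setdefault(user, set()).add(role)

    def remove_role(self, user, role):
        self._user_roles.get(user, set()).discard(role)

    def change_role(self, user, old_role, new_role):
        """A role change drops the old role's rights in the same step that it grants the new ones."""
        self.remove_role(user, old_role)
        self.assign_role(user, new_role)

    def effective_rights(self, user):
        rights = set()
        for role in self._user_roles.get(user, set()):
            rights |= self._role_rights.get(role, set())
        return rights

    def permitted(self, user, obj, right):
        return (obj, right) in self.effective_rights(user)


if __name__ == "__main__":
    rbac = RoleBasedAccessControl()
    rbac.define_role("clerk", {("ledger", "R")})
    rbac.define_role("manager", {("ledger", "R"), ("ledger", "W"), ("payroll", "R")})
    rbac.assign_role("dana", "clerk")
    print("clerk may write ledger:", rbac.permitted("dana", "ledger", "W"))
    rbac.change_role("dana", "clerk", "manager")
    print("manager may write ledger:", rbac.permitted("dana", "ledger", "W"))
```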


Problems Addressed by Encryption
• Suppose a sender wants to send a message to a
recipient. An attacker may attempt to
• Block the message - availability
• Intercept the message - confidentiality
• Modify the message - Integrity
• Fabricate an authentic-looking alternate message - Integrity
Encryption Terminology
• Sender
• Recipient
• Transmission medium
• Interceptor/intruder
• Encrypt, encode, or encipher: encoding a message so
that its meaning is not obvious
• Decrypt, decode, or decipher: transforming an encrypted
message back into its normal, original form
• Cryptosystem: A system for encryption and decryption
• Plaintext: Original form of a message
• Ciphertext: encrypted form
• cryptography refers to the practice of using encryption to
conceal text
• A cryptanalyst studies encryption and encrypted messages,
hoping to find the hidden meanings
• Cryptanalysis: A cryptanalyst’s chore is to break an encryption
=> attempting to deduce the original meaning of a ciphertext
message => determining which decrypting algorithm, and
ideally which key, matches the encrypting algorithm to be able
to break other messages encoded in the same way
• cryptology is the research into and study of encryption and
decryption; it includes both cryptography and cryptanalysis
• work factor: Difficulty of breaking an encryption => amount of
effort needed to break an encryption
Encryption/Decryption Process
Symmetric vs. Asymmetric
Problem in Symmetric encryption
• Managing keys is the major difficulty in using symmetric encryption. In
general, n users who want to communicate in pairs need n * (n – 1)/2
keys. In other words, the number of keys needed increases at a rate
proportional to the square of the number of users. So a property of
symmetric encryption systems is that they require a means of key
distribution.
• Asymmetric or public key systems, on the other hand, typically have
precisely matched pairs of keys. The keys are produced together or
one is derived mathematically from the other. Thus, a process
computes both keys as a set.
• But for both kinds of encryption, a key must be kept well secured.
Once the symmetric or private key is known by an outsider, all
messages written previously or in the future can be decrypted (and
hence read or modified) by the outsider. So, for all encryption
algorithms, key management is a major issue. It involves storing,
safeguarding, and activating keys.
• Asymmetric systems excel at key management. By the
nature of the public key approach, you can send a public
key in an email message or post it in a public directory.
Only the corresponding private key, which presumably is
not disclosed, can decrypt
Stream and Block Ciphers
• Characteristics of encryption algorithms related to the nature of the data to be concealed
• E.g., streaming video, perhaps a movie, from a satellite; the stream may come in bursts
• Each bit, or perhaps each byte, of the data stream is encrypted separately: a stream cipher
• Can be applied immediately to whatever data items are ready to transmit; expensive due to encryption algorithm complexity
• A block cipher encrypts a group of plaintext symbols as a
single block
• scalable by operating on large amounts of data at once
• Blocks for such algorithms are typically 64, 128, 256 bits or
more. The block size need not have any particular relationship
to the size of a character.
Stream Ciphers
Block Ciphers
Note: The previous plaintext pair is converted to po, the
current one being converted is IH, and the machine is soon to convert ES.
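To make the stream-cipher behaviour concrete, the Python below is an added example, not code from the book or the slides: a toy keystream built from SHA-256 over key||counter (constructed for illustration only, not a cipher to deploy) encrypts each byte independently, so a one-byte change in transit changes exactly one plaintext byte (low error propagation, but also low diffusion and no protection against modification); appending an HMAC tag over the ciphertext and verifying it before decryption is the standard mitigation for the modification problem. The keys and messages used are constructed.

```python
import hashlib
import hmac


def keystream(key, length):
    """Toy keystream: SHA-256 of key || counter, concatenated (constructed for this example only)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def stream_encrypt(key, data):
    """Each byte is XORed with its own keystream byte, independently of its neighbours."""
    return bytes(d ^ k for d, k in zip(data, keystream(key, len(data))))


stream_decrypt = stream_encrypt   # XOR with the same keystream undoes the encryption


def flip_bits(data, index, mask):
    """Model a transmission error (or a tampering) that changes one byte in transit."""
    buf = bytearray(data)
    buf[index] ^= mask
    return bytes(buf)


def changed_positions(a, b):
    """Indices at which two equal-length byte strings differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def encrypt_then_mac(enc_key, mac_key, data):
    """Add the integrity protection the stream cipher itself lacks: a tag over the ciphertext."""
    ct = stream_encrypt(enc_key, data)
    return ct, hmac.new(mac_key, ct, hashlib.sha256).digest()


def verify_then_decrypt(enc_key, mac_key, ct, tag):
    """Refuse to decrypt unless the tag matches; returns None on any modification."""
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return stream_decrypt(enc_key, ct)


if __name__ == "__main__":
    enc_key, mac_key = b"k" * 32, b"m" * 32          # constructed keys
    pt = b"stream ciphers"
    ct = stream_encrypt(enc_key, pt)
    damaged = stream_decrypt(enc_key, flip_bits(ct, 0, 0x20))
    print("plaintext after one damaged byte:", damaged, "changed at", changed_positions(pt, damaged))
    ct2, tag = encrypt_then_mac(enc_key, mac_key, pt)
    print("tampered ciphertext with tag check:", verify_then_decrypt(enc_key, mac_key, flip_bits(ct2, 0, 0x20), tag))
```

The single changed index is both the advantage and the disadvantage in the comparison that follows: a corrupted byte spoils only itself, but an interceptor can likewise alter one chosen byte without the cipher revealing it, which is why a separate integrity check is needed.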
Stream vs. Block
                 Stream                                       Block
Advantages       • Speed of transformation                    • High diffusion
                 • Low error propagation                      • Immunity to insertion of symbol
Disadvantages    • Low diffusion                              • Slowness of encryption
                 • Susceptibility to malicious                • Padding
                   insertions and modifications               • Error propagation
DES : The Data Encryption Standard
• DES is a careful and complex combination of two fundamental
building blocks of encryption: substitution and transposition
• algorithm derives its strength from repeated application of these two
techniques, one on top of the other, for a total of 16 cycles
• DES encrypts 64-bit blocks by using a 56-bit key
• user can pick a new key at will any time there is uncertainty about the
security of the old key
• uses only standard arithmetic and logical operations on binary data up
to 64 bits long
• Encrypting with DES involves 16 iterations, each employing replacement of
blocks of bits (called a substitution step), shuffling of the bits (called a
permutation step), and mingling in of bits from the key (called a key
transformation)
• Although complex, the process is table driven and repetitive, making it
suitable for implementation on a single-purpose chip
Double DES
• Motivation: increased computing power
• Use a double encryption for greater secrecy: take two keys, k1 and k2,
and perform two encryptions, one on top of the other: E(k2, E(k1, m))
• But it has been proved that two encryptions with different 56-bit keys
are equivalent in work factor to one encryption with a 57-bit key; so,
scarcely better
Triple DES
Three-key triple DES:
• C = E(k3, E(k2, E(k1, m)))
• gives a strength roughly equivalent to a 112-bit key
Two-key triple DES:
• C = E(k1, D(k2, E(k1, m)))
• its strength is rated at only about 80 bits
• Note: a longer key means significantly more work for a brute-force
attack to bear fruit, with the work factor doubling for each additional
bit of key length
DES
• Symmetric block cipher
• Developed in 1976 by IBM for the US National Institute of
Standards and Technology (NIST)
AES: Advanced Encryption System
• Rijndael is now known more widely as AES
• fast algorithm; can easily be implemented on simple processors; has a
strong mathematical foundation
• uses substitution, transposition, the shift, exclusive OR, and addition
operations. Like DES, AES uses repeated cycles
• 10, 12, or 14 cycles (called rounds) for keys of 128, 192,
and 256 bits, respectively
• Bits from the key are frequently combined with
intermediate result bits, so key bits are also well diffused
throughout the result; these four steps are extremely fast
AES: Advanced Encryption System
• Symmetric block cipher
• Developed in 1999 by
independent Dutch
cryptographers
• Still in common use
DES vs. AES
Public Key (Asymmetric) Cryptography
• basis for public key encryption is to allow the key to be
divulged but to keep the decryption technique secret
• Accomplished by using two keys: one to encrypt and the
other to decrypt.
• Although these keys are produced in mathematically
related pairs, an outsider is effectively unable to use one
key to derive the other
• P = D(kPRIV, E(kPUB,P))
• P = D(kPUB, E(kPRIV,P))
• These two properties => public and private keys can be
applied in either order
Public Key (Asymmetric) Cryptography
• Instead of two users sharing one secret key, each user has two keys:
one public and one private
• Messages encrypted using the user’s public key can only be decrypted
using the user’s private key, and vice versa
Rivest–Shamir–Adelman (RSA)
Algorithm/cryptosystem
• a public key system - block cipher
• encryption key-e, decryption key-d, plaintext-P,
corresponding ciphertext-C.
• C = RSA(P,e).
• Also, because of the nature of the RSA algorithm, the
keys can be applied in either order:
=> P = RSA(RSA(P, e), d) = RSA(RSA(P, d), e)
• RSA keys are long: 256 bits (minimum), 1000-2000 bits.
• Encryption is by exponentiation, raising each plaintext block to a
power; that power is the key e. This is extremely time-consuming: the
time to encrypt increases exponentially as the exponent (key) grows
longer, so RSA is slower than DES and AES
Rivest–Shamir–Adelman (RSA)
Algorithm/cryptosystem
• The encryption algorithm is based on the underlying problem of
factoring large numbers in a finite set called a field. So far, nobody
has found a shortcut or easy way to factor large numbers in a field.
• Therefore, people tend to use DES and AES as the major cryptographic
workhorses, and reserve the slower RSA for limited uses at which it
excels.
Secret Key vs. Public Key Encryption
Public Key to Exchange Secret Keys
• problem of two previously unknown parties exchanging
cryptographic keys is both hard and important
Simple Key Exchange Protocol
1. A says: B, please send me your public key.
2. B replies: Here, A; this is my public key.
3. A responds: Thanks. I have generated a symmetric key for us to use
for this interchange. I am sending you the symmetric key encrypted
under your public key.
At step 2 the intruder intercepts B’s public key and passes along the
intruder’s.
Simple Key Exchange Protocol
Key Exchange Man in the Middle
• 1. Amy says: Bill, please send me your public key.
• 1a. Malvolio intercepts the message and fashions a new message to Bill,
purporting to come from Amy but with Malvolio’s return address, asking
for Bill’s public key.
• 2. Bill replies: Here, Amy; this is my public key. (Because of the
return address in step 1a, this reply goes to Malvolio.)
• 2a. Malvolio holds Bill’s public key and sends Malvolio’s own public
key to Amy, alleging it is from Bill.
• 3. Amy responds: Thanks. I have generated a symmetric key for us to use
for this interchange. I am sending you the symmetric key encrypted under
your public key.
Key Exchange Man in the Middle
3a. Malvolio intercepts this message and obtains and holds
the symmetric key Amy has generated.
3b. Malvolio generates a new symmetric key and sends it
to Bill, with a message purportedly from Amy: Thanks. I
have generated a symmetric key for us to use for this
interchange. I am sending you the symmetric key
encrypted under your public key.
• In summary, Malvolio now holds two symmetric encryption
keys, one each shared with Amy and Bill. Not only can
Malvolio stealthily obtain all their interchanges, but Amy
and Bill cannot communicate securely with each other
because neither shares a key with the other.
Key Exchange Man in the Middle
man-in-the-middle failure
• An attack in which an unauthorized third party intercedes in an
activity presumed to be exclusively between two people – a
man-in-the-middle failure.
Revised Key Exchange Protocol
• Protocol proposed by Rivest and Shamir
• The intruder can be foiled if A and B exchange half a key at a time.
Half a key is useless to the intruder because it is not enough to
encrypt or decrypt anything. Knowing half the key does not improve the
intruder’s ability to break encryptions in the future.
Revised Key Exchange Protocol
1. Amy sends her public key to Bill.
2. Bill sends his public key to Amy.
3. Amy creates a symmetric key, encrypts it using Bill’s
public key, and sends half of the result to Bill. (Note: half of
the result might be the first n/2 bits, all the odd numbered
bits, or some other agreed-upon form.)
4. Bill responds to Amy that he received the partial result
(which he cannot interpret at this point, so he is confirming
only that he received some bits). Bill encrypts any random
number with his private key and sends half the bits to
Amy.
5. Amy sends the other half of the encrypted result to Bill.
Revised Key Exchange Protocol
6. Bill puts together the two halves of Amy’s result, decrypts
it using his private key and thereby obtains the shared
symmetric key. Bill sends the other half of his encrypted
random number to Amy.
7. Amy puts together the two halves of Bill’s random
number, decrypts it using her private key, extracts Bill’s
random number, encrypts it using the now-shared
symmetric key, and sends that to Bill.
8. Bill decrypts Amy’s transmission with the symmetric key
and compares it to the random number he selected in step
6. A match confirms the validity of the exchange.
Nonce
• At step 4 Bill picks any random number, which Amy later returns to
Bill to show she has successfully received the encrypted value Bill
sent. Such a random value is called a nonce: a value meaningless in and
of itself, used to show activity (liveness) and originality (not a
replay).
• In some protocols the receiver decrypts the nonce, adds 1 to it,
re-encrypts the result, and returns it. Other times the nonce includes a
date, time, or sequence number to show that the value is current.
Authenticity as a solution to person in the middle
Amy should send to Bill E(kPUB-B, E(kPRIV-A, K))
=> This function ensures that only Bill, using kPRIV-B, can remove the
encryption applied with kPUB-B, and Bill knows that only Amy could have
applied kPRIV-A, which Bill removes with kPUB-A.
Asymmetric cryptosystems provide both authenticity and confidentiality
as follows:
• E(kPRIV-A, K) provides authenticity => Amy seals the protected
information with her private key so that it can be opened only with
Amy’s public key => only Amy can have applied the encryption that is
reversed with Amy’s public key
• E(kPUB-B, E(kPRIV-A, K)) => Amy then locks the information with Bill’s
public key => this step adds confidentiality because only Bill’s private
key can decrypt data encrypted with Bill’s public key.
Advantages of asymmetric cryptographic functions
in exchanging cryptographic key
• Asymmetric cryptographic functions are a powerful means for exchanging
cryptographic keys between people who have no prior relationship
• Asymmetric cryptographic functions are slow, but they are used only
once, to exchange symmetric keys. Therefore the slow speed of asymmetric
cryptography is not a significant problem, because it is performed only
once, to establish shared keys.
• Another use of asymmetric cryptography: digital signatures
• A digital signature is a powerful construct for confirming electronic
documents
• A human signature on a paper document is a strong attestation: it
signifies both agreement (you agree to the terms in the document you
signed) and understanding (you know what you are signing). People accept
written signatures as a surrogate for an in-person confirmation
• A digital signature uses integrity codes, key certificates, and finally
signatures themselves – discussed next
Error Detecting Codes - Message Digests
• way to determine that the transmission is complete and intact
• make transmission errors apparent and to perform minor repairs
• come under many names, such as hash codes, message digests,
checksums, integrity checks, error detection and correction codes,
and redundancy tests
• message digest will (sometimes) signal that content has changed,
but it is less solid at demonstrating no modification, even though
that is what we really want
• Collision: Two inputs that produce the same output; problems that
arise because the code is a many-to-one function: two or more
inputs produce the same output
• all message digests are many-to-one functions, and thus when they
report a change, one did occur, but when they report no change, it
is only likely—not certain—that none occurred because of the
possibility of a collision.
Error Detecting Codes - Message Digests
• Collisions are usually not a problem because –
1. occur infrequently
2. functions are unpredictable
Error Detecting Codes
Demonstrates that a block of data has been modified
1. Simple error detecting codes:
• Parity checks – fingerprint (extra bit) is added to an
existing group of data bits, depending on their sum; parity
does not detect two-bit errors
• Cyclic redundancy checks - detects errors in recording
and playback
• Error correction codes: can detect multiple-bit errors (two
or more bits changed in a data group) and may be able to
pinpoint the changed bits (which are the bits to reset to
correct the modification).
Error Detecting Codes
2. Cryptographic error detecting codes:
a) One-way hash functions
• Functions which are much easier to compute than their
inverses
• Useful in creating a change detection algorithm – this
function must depend on all bits of the file being sealed
• An attacker cannot “undo” the function to see what the original
file was, so there is no simple way to find a set of changes that
produce the same function value; any change to the file will alter
the checksum result
Error Detecting Codes
b) Cryptographic checksums
• Digest function that produces a checksum using a cryptographic key
that is presumably known only to the originator and the proper
recipient of the data
• The attacker can certainly change the plaintext, but the attacker does
not have a key with which to re-compute the checksum.
• E.g. employ any non-cryptographic checksum function to derive an n-bit
digest of the sensitive data
• Two major uses of cryptographic checksums:
1. Code-tamper protection: implemented in a way similar to detecting
changes to files
2. Message integrity protection in transit: a checksum on data in
communication identifies data that have been changed in transmission,
maliciously or accidentally.
E.g. the Secure Hash Standard or Algorithm (SHS or SHA), actually a
collection of algorithms, for computing checksums
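As an added example (not code from the slides or the textbook), the following Python contrasts the simple and cryptographic codes above: a parity bit that catches a one-bit error but not a two-bit one, a byte-sum checksum with an easy collision, and a keyed checksum (HMAC-SHA256, built on the SHA family the slides mention) that an attacker without the key cannot recompute. The messages and the key are constructed for illustration.

```python
# Added example, not code from the slides or the textbook: a simple
# error-detecting code (parity), a many-to-one checksum with a collision,
# and a cryptographic checksum (HMAC-SHA256, built on the SHA family the
# slides mention). Messages and the key below are constructed for illustration.
import hashlib
import hmac

def parity_bit(data: bytes) -> int:
    """Even parity: the fingerprint bit makes the total count of 1 bits even."""
    return sum(bin(b).count("1") for b in data) % 2

def flip_bits(data: bytes, *positions: int) -> bytes:
    """Simulate transmission errors by flipping the given bit positions."""
    out = bytearray(data)
    for pos in positions:
        out[pos // 8] ^= 1 << (pos % 8)
    return bytes(out)

def sum_checksum(data: bytes) -> int:
    """Non-cryptographic 8-bit checksum: many-to-one, so collisions are easy."""
    return sum(data) % 256

def crypto_checksum(data: bytes, key: bytes) -> bytes:
    """Keyed digest: only a holder of the key can compute or recompute it."""
    return hmac.new(key, data, hashlib.sha256).digest()

def checksum_ok(data: bytes, tag: bytes, key: bytes) -> bool:
    """Recipient recomputes the tag; compare_digest avoids timing leaks."""
    return hmac.compare_digest(crypto_checksum(data, key), tag)

KEY = b"placeholder-shared-key"            # constructed; use a random 32-byte key in practice
MSG = b"transfer 100 to account 42"        # constructed sample message
SWAPPED = b"transfer 010 to account 42"    # same bytes in a different order

if __name__ == "__main__":
    p = parity_bit(MSG)
    print(parity_bit(flip_bits(MSG, 3)) == p)            # False: one-bit error caught
    print(parity_bit(flip_bits(MSG, 3, 9)) == p)         # True: two-bit error slips through
    print(sum_checksum(MSG) == sum_checksum(SWAPPED))    # True: a collision
    tag = crypto_checksum(MSG, KEY)
    print(checksum_ok(MSG, tag, KEY))                                     # True
    print(checksum_ok(SWAPPED, tag, KEY))                                 # False: change detected
    print(checksum_ok(SWAPPED, crypto_checksum(SWAPPED, b"guess"), KEY))  # False: wrong key
```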
Error Detecting Codes
c) Digital signatures
• a way by which a person or organization can affix a bit pattern to a file such
that it implies confirmation, pertains to that file only, cannot be forged, and
demonstrates authenticity
• often uses asymmetric or public key cryptography
Characteristics of Signatures:
A digital signature must meet two primary conditions:
• It must be unforgeable. If person S signs message M with signature Sig(S,M),
no one else can produce the pair [M,Sig(S,M)].
• It must be authentic. If a person R receives the pair [M, Sig(S,M)] purportedly
from S, R can check that the signature is really from S. Only S could have
created this signature, and the signature is firmly attached to M.
Digital Signature
Additional characteristics of Signatures:
• It is not alterable. After being transmitted, M cannot be changed by
S, R, or an interceptor.
• It is not reusable. A previous message presented again will be
instantly detected by R.
Digital Signature
Components of Signatures:
Technical components: a hash function, public key cryptography, and a
protocol
Assume that the public key encryption for user S is accessed through E(M,KS)
and that the private key transformation for S is written as D(M,KS).
• If S wishes to send M to R, S uses the authenticity transformation to produce
D(M, KS). S then sends D(M, KS) to R. R decodes the message with the public
key transformation of S, computing E(D(M, KS), KS) = M. Since only S can
create a message that makes sense under E(–, KS), the message must genuinely
have come from S. This test satisfies the authenticity requirement. R will
save D(M, KS).
• If S should later allege that the message is a forgery (not really from S), R can
simply show M and D(M, KS). Anyone can verify that since D(M, KS) is
transformed to M with the public key transformation of S—but only S could
have produced D(M, KS)—then D(M, KS) must be from S. This test satisfies
the unforgeable requirement.
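The three constructions from these slides, RSA keys applied in either order, Amy’s E(kPUB-B, E(kPRIV-A, K)) wrapping of a session key, and the signature protocol D(M, KS) / E(D(M, KS), KS), worked through in one added Python example (not the textbook’s code) using a toy RSA built on small Mersenne primes. The key pairs, message and session key are constructed for illustration.

```python
# Added example, not code from the slides or the textbook: a toy RSA system
# showing (1) the either-order key property, (2) the hash-then-sign protocol
# D(M, KS) / E(D(M, KS), KS) and (3) Amy's E(kPUB-B, E(kPRIV-A, K)) wrapping.
# Keys are constructed from small Mersenne primes (no prime generation needed);
# real RSA uses ~2048-bit moduli and OAEP/PSS padding, never raw exponentiation.
import hashlib

def rsa_keygen(p, q, e=65537):
    """Return ((e, n), (d, n)); pow() raises ValueError if e is not coprime to phi."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)    # d = e^-1 mod phi(n), Python 3.8+

def rsa(block, key):
    """RSA(P, key): raise one integer block (< n) to the key exponent mod n."""
    exp, n = key
    if not 0 <= block < n:
        raise ValueError("block must be smaller than the modulus n")
    return pow(block, exp, n)

def keys_commute(block, pub, priv):
    """Slide property: P = RSA(RSA(P, e), d) = RSA(RSA(P, d), e)."""
    return rsa(rsa(block, pub), priv) == block == rsa(rsa(block, priv), pub)

def digest(message, n):
    """SHA-256 of M reduced below n (only needed because the toy n is small)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message, priv):
    """D(M, KS): signer S applies the private transformation to hash(M)."""
    return rsa(digest(message, priv[1]), priv)

def verify(message, signature, pub):
    """R computes E(D(M, KS), KS) with S's public key and compares it with hash(M)."""
    return rsa(signature, pub) == digest(message, pub[1])

def wrap_key(k, sender_priv, receiver_pub):
    """E(kPUB-B, E(kPRIV-A, K)); needs sender's n < receiver's n for a valid block."""
    return rsa(rsa(k, sender_priv), receiver_pub)

def unwrap_key(c, receiver_priv, sender_pub):
    """Bill strips his layer with kPRIV-B, then Amy's with kPUB-A; only Amy could apply it."""
    return rsa(rsa(c, receiver_priv), sender_pub)

# Constructed key pairs: Amy's modulus (about 2^92) is below Bill's (about 2^108).
AMY_PUB, AMY_PRIV = rsa_keygen(2**31 - 1, 2**61 - 1)
BILL_PUB, BILL_PRIV = rsa_keygen(2**89 - 1, 2**19 - 1)

if __name__ == "__main__":
    m, k = b"Pay Bill 100 euros", 0x2B7E151628AED2A6      # constructed message and session key
    sig = sign(m, AMY_PRIV)
    print(keys_commute(65, AMY_PUB, AMY_PRIV), verify(m, sig, AMY_PUB))           # True True
    print(verify(b"Pay Bill 900 euros", sig, AMY_PUB), verify(m, sig, BILL_PUB))  # False False
    print(unwrap_key(wrap_key(k, AMY_PRIV, BILL_PUB), BILL_PRIV, AMY_PUB) == k)   # True
```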
Digital Signature
Non-technical component: Trust
• signer S can certainly perform the protocol to produce a
digital signature, and anyone who has S’s public key can
determine that the signature did come from S. But who is
S? We have no reliable way to associate a particular
human with that public key. Even if someone says “this
public key belongs to S,” on what basis do we believe that
assertion?
• How do you know that a Microsoft web page really
belongs to Microsoft, for example?
• confidence underpins the whole concept of a digital
signature
Digital Signature
• Establishing Trust Between People:
• concept of “vouching for” by a third party can be a basis
for trust in commercial settings where two parties do not
know each other
• The trust issue to address for digital signatures is the authenticity
of the public key
• E.g. If Monique signs a document with her private key,
anyone else can decrypt the signature with her public key
to verify that only Monique could have signed it. The only
problem is being able to obtain Monique’s public key in a
way in which we can adequately trust that the key really
belongs to her, that is, that the key was not circulated by
some evil actor impersonating Monique.
Digital Signature
• A public key and user’s identity are bound together in a
certificate, which is then signed by someone called a
certificate authority, certifying the accuracy of the binding
• Assume that Diana is subordinate to Edward.
• Edward selects a public key pair, posts the public part where
everyone in the company can retrieve it, and retains the private
part. Then, each division manager, such as Diana, creates her
public key pair, puts the public key in a message together with
her identity, and passes the message securely to Edward.
Edward signs it by creating a hash value of the message and
then encrypting the hash with his private key. By signing the
message, Edward affirms that the public key (Diana’s) and the
identity (also Diana’s) in the message are for the same person.
This message is called Diana’s certificate.
Digital Signature
Certificate Signing and Hierarchy
Cryptographic Tool Summary
Summary
• Users can authenticate using something they know,
something they are, or something they have
• Systems may use a variety of mechanisms to implement
access control
• Encryption helps prevent attackers from revealing,
modifying, or fabricating messages
• Symmetric and asymmetric encryption have
complementary strengths and weaknesses
• Certificates bind identities to digital signatures