Chapter 2

Conventional
Encryption Message
Confidentiality
Henric Johnson

Blekinge Institute of Technology, Sweden

http://www.its.bth.se/staff/hjo/

[email protected]

1
 Outline
• Conventional Encryption Principles
• Conventional Encryption Algorithms
• Cipher Block Modes of Operation
• Location of Encryption Devices
• Key Distribution

2
 Conventional symmetric
Encryption Principles
• An encryption scheme has five ingredients:
– Plaintext
– Encryption algorithm
– Secret Key
– Ciphertext
– Decryption algorithm
• Security depends on the secrecy of the
key, not the secrecy of the algorithm

3
Conventional Encryption
Principles

4
 Cryptography
• Classified along three independent dimensions:
– The type of operations used for transforming
plaintext to ciphertext
– The number of keys used
• symmetric (single key)
• asymmetric (two-keys, or public-key encryption)
– The way in which the plaintext is processed

5
 Average time required for
exhaustive key search
Key Size Number of Time required at
(bits) Alternative Keys 106 Decryption/µs
32 232 = 4.3 x 109 2.15 milliseconds
56 256 = 7.2 x 1016 10 hours
128 2128 = 3.4 x 1038 5.4 x 1018 years
168 2168 = 3.7 x 1050 5.9 x 1030 years
6
 Feistel Cipher Structure
• Virtually all conventional block
encryption algorithms, including DES
have a structure first described by
Horst Feistel of IBM in 1973
• The realisation of a Fesitel Network
depends on the choice of the
following parameters and design
features (see next slide):
7
 Feistel Cipher Structure
• Block size: larger block sizes mean greater
security
• Key Size: larger key size means greater
security
• Number of rounds: multiple rounds offer
increasing security
• Subkey generation algorithm: greater
complexity will lead to greater difficulty of
cryptanalysis.
• Fast software encryption/decryption: the
speed of execution of the algorithm
becomes a concern
8
9
 Conventional Encryption
Algorithms
• Data Encryption Standard (DES)
– The most widely used encryption scheme
– The algorithm is reffered to the Data
Encryption Algorithm (DEA)
– DES is a block cipher
– The plaintext is processed in 64-bit
blocks
– The key is 56-bits in length
10
 DES History
• IBM developed Lucifer cipher
– by team led by Feistel in late 60’s
– used 64-bit data blocks with 128-bit key
• then redeveloped as a commercial cipher
with input from NSA and others
• in 1973 NBS issued request for proposals
for a national cipher standard
• IBM submitted their revised Lucifer which
was eventually accepted as the DES
11
 DES Design Controversy
• although DES standard is public,
considerable controversy over design
– in choice of 56-bit key (vs Lucifer 128-bit)
– and because design criteria were classified
• subsequent events and public analysis show
in fact design was appropriate
• use of DES has flourished
– especially in financial applications
– still standardised for legacy application use
12
 Multiple Encryption & DES
• clear a replacement for DES was needed
– theoretical attacks that can break it
– demonstrated exhaustive key search attacks
• AES is a new cipher alternative
– prior to this alternative was to use multiple
encryption with DES implementations
– Triple-DES is the chosen form

13
 Double-DES
• could use 2 DES encrypts on each block
– C = EK2(EK1(P))
• issue of reduction to single stage
• and have “meet-in-the-middle” attack
– works whenever use a cipher twice
– since X = EK1(P) = DK2(C)
– attack by encrypting P with all keys and store
– then decrypt C with keys and match X value
– takes O(256) steps 14
15
 The AES Cipher - Rijndael
• designed by Rijmen-Daemen in Belgium
• has 128/192/256 bit keys, 128 bit data
• Much faster and secure than DES its advantage of
AES
• an iterative rather than feistel cipher
– processes data as block of 4 columns of 4 bytes
– operates on entire data block in every round
• designed to be:
– resistant against known attacks
– speed and code compactness on many CPUs
– design simplicity
16
 AES
Encryptio
n Process
 AES Structure
 data block of 4 columns of 4 bytes is state
 key is expanded to array of words
 has 9/11/13 rounds in which state undergoes:
 byte substitution (1 S-box used on every byte)
 shift rows (permute bytes between groups/columns)
 mix columns (subs using matrix multiply of groups)
 add round key (XOR state with key material)
 view as alternating XOR key & scramble data bytes
 initial XOR key material & incomplete last round
 with fast XOR & table lookup implementation
18
• The more popular and widely adopted symmetric encryption
algorithm likely to be encountered nowadays is the Advanced
Encryption Standard (AES). It is found at least six time faster than
triple DES.
• A replacement for DES was needed as its key size was too small. With
increasing computing power, it was considered vulnerable against
exhaustive key search attack. Triple DES was designed to overcome
this drawback but it was found slow.
• The features of AES are as follows −
• Symmetric key symmetric block cipher
• 128-bit data, 128/192/256-bit keys
• Stronger and faster than Triple-DES
• Provide full specification and design details
• Software implementable in C and Java

19
 Operation of AES
• AES is an iterative rather than Feistel cipher. It is based on
‘substitution–permutation network’. It comprises of a series of
linked operations, some of which involve replacing inputs by
specific outputs (substitutions) and others involve shuffling bits
around (permutations).
• Interestingly, AES performs all its computations on bytes rather
than bits. Hence, AES treats the 128 bits of a plaintext block as
16 bytes. These 16 bytes are arranged in four columns and four
rows for processing as a matrix −
• Unlike DES, the number of rounds in AES is variable and
depends on the length of the key. AES uses 10 rounds for 128-
bit keys, 12 rounds for 192-bit keys and 14 rounds for 256-bit
keys. Each of these rounds uses a different 128-bit round key,
which is calculated from the original AES key.
20
AES Structure

21
• Here, we restrict to description of a typical round
of AES encryption. Each round comprise of four
sub-processes. The first round process is depicted
below −

22
 Byte Substitution (SubBytes)
• The 16 input bytes are substituted by looking up a fixed table (S-box) given in
design. The result is in a matrix of four rows and four columns.
Shiftrows
• Each of the four rows of the matrix is shifted to the left. Any entries that ‘fall off’
are re-inserted on the right side of row. Shift is carried out as follows −
• First row is not shifted. (0th row)
• Second row is shifted one (byte) position to the left (1st row).
• Third row is shifted two positions to the left (2nd row) .
• Fourth row is shifted three positions to the left (3rd row).
• The result is a new matrix consisting of the same 16 bytes but shifted with respect
to each other.
MixColumns
• Each column of four bytes is now transformed using a special mathematical
function. This function takes as input the four bytes of one column and outputs four
completely new bytes, which replace the original column. The result is another new
matrix consisting of 16 new bytes. It should be noted that this step is not
performed in the last round.
23
Add roundkey
• The 16 bytes of the matrix are now considered as 128 bits and are
XORed to the 128 bits of the round key. If this is the last round then
the output is the ciphertext. Otherwise, the resulting 128 bits are
interpreted as 16 bytes and we begin another similar round.
Decryption Process
• The process of decryption of an AES ciphertext is similar to the
encryption process in the reverse order. Each round consists of the
four processes conducted in the reverse order −
• Add round key
• Mix columns
• Shift rows
• Byte substitution
• Since sub-processes in each round are in reverse manner, unlike for a
Feistel Cipher, the encryption and decryption algorithms needs to be
separately implemented, although they are very closely related.
AES Round

25
26
 Random and PseudoRandom
Number
• Random numbers play an important role in the use of encryption for various
network security applications.
• Generation of keys for the RSA public-key encryption algorithm
• Generation of a stream key for symmetric stream cipher
• Generation of a symmetric key for use as a temporary session key.
• In a number of key distribution scenarios, such as Kerberos (Chapter 4),random
numbers are used for handshaking to prevent replay attacks.
• RANDOMNESS
• Uniform distribution:
• The distribution of bits in the sequence should be uniform;that is, the
frequency of occurrence of ones and zeros should be approximately the same.
• Independence: No one subsequence in the sequence can be inferred from the
others.

27
 TRNGs, PRNGs, and PRFs
• The resulting sequences will pass many reasonable tests of randomness. Such
numbers are referred to as pseudorandom numbers. You may be somewhat uneasy
about the concept of using numbers generated by a deterministic algorithm as if
they were random numbers.
Figure shows contrasts a true random number generator (TRNG) with two
forms of pseudorandom number generators. A TRNG takes as input a source that
is effectively random; the source is often referred to as an entropy source.
• In essence, the entropy source is drawn from the physical environment of the
computer and could include things such as keystroke timing patterns, disk electrical
activity, mouse movements, and instantaneous values of the system clock.

28
 TRNG = true random number generator

PRNG = pseudorandom number generator

PRF = pseudorandom function

• a PRNG takes as input a fixed value, called the seed, and produces a sequence of
output bits using a deterministic algorithm.
• there is some feedback path by which some of the results of the algorithm are fed
back as input as additional output bits are produced.
• Pseudorandom number generator: open-ended sequence of bits is as input
• Pseudorandom function (PRF): A PRF is used to produce a pseudorandom
string of bits of some fixed length.

30
 STREAM CIPHERS AND RC4
• Stream Cipher Structure(bitspecific)(for
smaller units bits and bytes)
• A typical stream cipher encrypts plaintext one
byte at a time, although a stream cipher may be
designed to operate on one bit at a time or on
units larger than a byte at a time.
• some design considerations are:
– long period with no repetitions
– statistically random
– depends on large enough key, e.g. 128 bits
– large linear complexity 31
32
• With a properly designed pseudorandom number
generator, a stream cipher can be as secure as block
cipher of comparable key length.
• The primary advantage of a stream cipher is that
stream ciphers are almost always faster and use far less
code than do block ciphers.
• The advantage of a block cipher is that you can reuse
keys.

33
 The RC4 Algorithm
• RC4 is a stream cipher designed in 1987 by Ron Rivest for RSA
Security. It is a variable key-size stream cipher with byte-oriented
operations. The algorithm is based on the use of a random permutation.
• Eight to sixteen machine operations are required per output byte,
and the cipher can be expected to run very quickly in software.
• RC4 is used in the Secure Sockets Layer/Transport Layer Security
(SSL/TLS) standards that have been defined for communication
between Web browsers and servers.
• The RC4 algorithm is remarkably simple and quite easy to explain. A
variable length key of from 1 to 256 bytes (8 to 2048 bits) is used to
initialize a 256-byte state vector S, with elements S[0], S[1], . . ., S[255].
At all times, S contains a permutation of all 8-bit numbers from 0
through 255.
• For encryption and decryption, a byte k (see Figure 2.8) is generated
from S by selecting one of the 255 entries in a systematic fashion. As
each value of k is generated, the entries in S are once again permuted.
34
35
• INITIALIZATION OF S
• starts with an array S of numbers: 0..255
• use key to well and truly shuffle
• S forms internal state of the cipher
(initialization)
for i = 0 to 255 do
S[i] = i;
T[i] = K[i mod keylen];
(for initial permutation)
j = 0
for i = 0 to 255 do
j = (j + S[i] + T[i]) (mod 256);
swap (S[i], S[j]);

36
• encryption continues shuffling array values
• sum of shuffled pair selects "stream key"
value from permutation
• XOR S[t] with next byte of message to
en/decrypt
(stream generation)
i = j = 0;

for each message byte Mi (for plain text)

i = (i + 1) (mod 256);
j = (j + S[i]) (mod 256);
swap(S[i], S[j]);
t = (S[i] + S[j]) (mod 256);
Ci = Mi XOR S[t];
37
38
 Chapter 3
PUBLIC-KEY CRYPTOGRAPHY
AND MESSAGE AUTHENTICATION

39
3.1 Approaches to Message Authentication
Authentication Using Conventional Encryption
Message Authentication without Message Encryption
3.2 Secure Hash Functions
Hash Function Requirements
Security of Hash Functions
Simple Hash Functions
The SHA Secure Hash Function
3.3 Message Authentication Codes
HMAC
MACs Based on Block Ciphers
3.4 Public-Key Cryptography Principles
Public-Key Encryption Structure
Applications for Public-Key Cryptosystems
Requirements for Public-Key Cryptography
3.5 Public-Key Cryptography Algorithms
The RSA Public-Key Encryption Algorithm
Diffie-Hellman Key Exchange
Other Public-Key Cryptography Algorithms
3.6 Digital Signatures

40
 3.1 Approaches to Message Authentication
• Protection against such attacks is known as
message authentication.
• It is possible to combine authentication and
confidentiality in a single algorithm by encrypting
a message plus its authentication tag.
– Message Authentication without Message
Encryption
– Alarm System in Message BroadCasting
• Authentication is carried
• out on a selective basis with messages being chosen at random for checking.

41
 Hash Functions
 condenses arbitrary message to fixed size
h = H(M)
 usually assume hash function is public
 hash used to detect changes to message
 want a cryptographic hash function
 computationally infeasible to find data mapping to
specific hash (one-way property)
 computationally infeasible to find two data to same
hash (collision-free property)

42
Hash Function Requirements

43
 Attacks on Hash Functions
 have brute-force attacks and cryptanalysis
 a preimage or second preimage attack
 find y s.t. H(y) equals a given hash value
 collision resistance
 find two messages x & y with same hash so H(x) =
H(y)
 hence value 2m/2 determines strength of hash code
against brute-force attacks
 128-bits inadequate, 160-bits suspect

44
 Secure Hash Algorithm
 SHA originally designed by NIST & NSA in 1993
 was revised in 1995 as SHA-1
 US standard for use with DSA signature scheme
 standard is FIPS 180-1 1995, also Internet RFC3174
 The algorithm is SHA, the standard is SHS
 based on design of MD4 (128 key)with key differences
 produces 160-bit hash values
 recent 2005 results on security of SHA-1 have raised
concerns on its use in future applications

45
 Revised Secure Hash Standard
 NIST issued revision FIPS 180-2 in 2002
 adds 3 additional versions of SHA
 SHA-256, SHA-384, SHA-512
 designed for compatibility with increased security
provided by the AES cipher
 structure & detail is similar to SHA-1
 hence analysis should be similar
 but security levels are rather higher
• In 2005, NIST announced the intention to
phase out approval of SHA-1 and move to a
reliance on the other SHA versions by 2010.
46
SHA Versions

47
SHA-512 Overview

48
• Append Padding bits
• Append Length
• Initialize hash buffer
• Process message in 1024-bit blocks
• Output

49
 SHA-512 Compression Function
 heart of the algorithm
 processing message in 1024-bit blocks
 consists of 80 rounds
 updating a 512-bit buffer
 using a 64-bit value Wt derived from the current message block
 and a round constant based on cube root of first 80 prime numbers
Keyed Hash Functions as MACs
 want a MAC based on a hash function
 because hash functions are generally faster
 crypto hash function code is widely available
 hash includes a key along with message
 original proposal:
KeyedHash = Hash(Key|Message)
 some weaknesses were found with this
 eventually led to development of HMAC
50
 HMAC Design Objectives
 It use without modifications
 hash functions allow for easy replaceability of
embedded hash function
 It preserve original performance of hash
function without significant degradation
 It use and handle keys in a simple way.
 It have well understood cryptographic analysis
of authentication mechanism strength
 HMAC
• specified as Internet standard RFC2104
• uses hash function on the message:
HMACK(M)= Hash[(K+ XOR opad) ||
Hash[(K+ XOR ipad) ||
M)] ]
– where K+ is the key padded out to size
– opad, ipad are specified padding constants
• overhead is just 3 more hash calculations than the
message needs alone
• any hash function can be used
– eg. MD5, SHA-1, RIPEMD-160
 HMAC
Overview
 HMAC Security
• proved security of HMAC relates to that of
the underlying hash algorithm
• attacking HMAC requires either:
– brute force attack on key used
– birthday attack (but since keyed would need to
observe a very large number of messages)
• choose hash function used based on speed
verses security constraints
 CMAC
• previously saw the DAA (CBC-MAC)
• widely used in govt & industry
• but has message size limitation
• can overcome using 2 keys & padding
• thus forming the Cipher-based Message
Authentication Code (CMAC)
• adopted by NIST SP800-38B
CMAC Overview
 Authenticated Encryption
 simultaneously protect confidentiality and
authenticity of communications
 often required but usually separate
 approaches
 Hash-then-encrypt: E(K, (M || H(M))
 MAC-then-encrypt: E(K2, (M || MAC(K1, M))
 Encrypt-then-MAC: (C=E(K2, M), T=MAC(K1, C)
 Encrypt-and-MAC: (C=E(K2, M), T=MAC(K1, M)
 decryption /verification straightforward
 but security vulnerabilities with all these
 Counter with Cipher Block
Chaining-Message Authentication
Code (CCM)
• NIST standard SP 800-38C for WiFi
• variation of encrypt-and-MAC approach
• algorithmic ingredients
– AES encryption algorithm
– CTR mode of operation
– CMAC authentication algorithm
• single key used for both encryption & MAC
 CCM
Operation
 Private-Key Cryptography
 traditional private/secret/single key
cryptography uses one key
 shared by both sender and receiver
 if this key is disclosed communications are
compromised
 also is symmetric, parties are equal
 hence does not protect sender from receiver
forging a message & claiming is sent by
sender
 Public-Key Cryptography
• probably most significant advance in the
3000 year history of cryptography
• uses two keys – a public & a private key
• asymmetric since parties are not equal
• uses clever application of number theoretic
concepts to function
• complements rather than replaces private
key crypto
 Why Public-Key Cryptography?
• developed to address two key issues:
– key distribution – how to have secure
communications in general without having to trust
a KDC with your key
– digital signatures – how to verify a message
comes intact from the claimed sender
• public invention due to Whitfield Diffie &
Martin Hellman at Stanford Uni in 1976
– known earlier in classified community
 Public-Key Cryptography
• public-key/two-key/asymmetric cryptography involves
the use of two keys:
– a public-key, which may be known by anybody, and can be
used to encrypt messages, and verify signatures
– a related private-key, known only to the recipient, used to
decrypt messages, and sign (create) signatures
• infeasible to determine private key from public
• is asymmetric because
– those who encrypt messages or verify signatures cannot
decrypt messages or create signatures
Public-Key Cryptography
Symmetric vs Public-Key
 RSA
 by Rivest, Shamir & Adleman of MIT in 1977
 best known & widely used public-key scheme
 based on exponentiation in a finite (Galois) field over
integers modulo a prime
 nb. exponentiation takes O((log n)3) operations (easy)
 uses large integers (eg. 1024 bits)
 security due to cost of factoring large numbers
 nb. factorization takes O(e log n log log n) operations (hard)
 RSA En/decryption
• to encrypt a message M the sender:
– obtains public key of recipient PU={e,n}
– computes: C = Me mod n, where 0≤M<n
• to decrypt the ciphertext C the owner:
– uses their private key PR={d,n}
– computes: M = Cd mod n
• note that the message M must be smaller
than the modulus n (block if needed)
 RSA Key Setup
• each user generates a public/private key pair by:
• selecting two large primes at random: p, q
• computing their system modulus n=p.q
– note ø(n)=(p-1)(q-1)
• selecting at random the encryption key e
– where 1<e<ø(n), gcd(e,ø(n))=1
• solve following equation to find decryption key d
– e.d=1 mod ø(n) and 0≤d≤n
• publish their public encryption key: PU={e,n}
• keep secret private decryption key: PR={d,n}
 Why RSA Works
• because of Euler's Theorem:
– aø(n)mod n = 1 where gcd(a,n)=1
• in RSA have:
– n=p.q
– ø(n)=(p-1)(q-1)
– carefully chose e & d to be inverses mod ø(n)
– hence e.d=1+k.ø(n) for some k
• hence :
Cd = Me.d = M1+k.ø(n) = M1.(Mø(n))k
= M1.(1)k = M1 = M mod n
 RSA Example - Key Setup
1. Select primes: p=17 & q=11
2. Calculate n = pq =17 x 11=187
3. Calculate ø(n)=(p–1)(q-1)=16x10=160
4. Select e: gcd(e,160)=1; choose e=7
5. Determine d: de=1 mod 160 and d < 160
Value is d=23 since 23x7=161= 10x160+1
6. Publish public key PU={7,187}
7. Keep secret private key PR={23,187}
 RSA Example - En/Decryption
 sample RSA encryption/decryption is:
 given message M = 88 (nb. 88<187)
 encryption:
C = 887 mod 187 = 11
 decryption:
M = 1123 mod 187 = 88
 Diffie-Hellman Key Exchange
• first public-key type scheme proposed
• by Diffie & Hellman in 1976 along with the
exposition of public key concepts
– note: now know that Williamson (UK CESG)
secretly proposed the concept in 1970
• is a practical method for public exchange of
a secret key
• used in a number of commercial products
 Diffie-Hellman Key Exchange
• a public-key distribution scheme
– cannot be used to exchange an arbitrary message
– rather it can establish a common key
– known only to the two participants
• value of key depends on the participants (and their
private and public key information)
• based on exponentiation in a finite (Galois) field
(modulo a prime or a polynomial) - easy
• security relies on the difficulty of computing
discrete logarithms (similar to factoring) – hard
 Diffie-Hellman Setup
• all users agree on global parameters:
– large prime integer or polynomial q
– a being a primitive root mod q
• each user (eg. A) generates their key
– chooses a secret key (number): xA < q
– compute their public key: yA = axA mod q
• each user makes public that key yA
 Diffie-Hellman Key Exchange
• shared session key for users A & B is KAB:
xA.xB
KAB = a mod q
xB
= yA mod q (which B can compute)
xA
= yB mod q (which A can compute)
• KAB is used as session key in private-key
encryption scheme between Alice and Bob
• if Alice and Bob subsequently communicate, they
will have the same key as before, unless they
choose new public-keys
• attacker needs an x, must solve discrete log
 Diffie-Hellman Example
• users Alice & Bob who wish to swap keys:
• agree on prime q=353 and a=3
• select random secret keys:
– A chooses xA=97, B chooses xB=233
• compute respective public keys:
– y =397 mod 353 = 40 (Alice)
A
– y =3233 mod 353 = 248 (Bob)
B
• compute shared session key as:
– K = y xA mod 353 = 24897 = 160 (Alice)
AB B
– K = y xB mod 353 = 40233 = 160 (Bob)
AB A
 Key Exchange Protocols
• users could create random private/public D-H
keys each time they communicate
• users could create a known private/public D-H
key and publish in a directory, then consulted
and used to securely communicate with them
• both of these are vulnerable to a meet-in-the-
Middle Attack
• authentication of the keys is needed
 Man-in-the-Middle Attack
1. Darth prepares by creating two private / public keys
2. Alice transmits her public key to Bob
3. Darth intercepts this and transmits his first public key to Bob.
Darth also calculates a shared key with Alice
4. Bob receives the public key and calculates the shared key (with
Darth instead of Alice)
5. Bob transmits his public key to Alice
6. Darth intercepts this and transmits his second public key to
Alice. Darth calculates a shared key with Bob
7. Alice receives the key and calculates the shared key (with Darth
instead of Bob)
 Darth can then intercept, decrypt, re-encrypt, forward all
messages between Alice & Bob
 Digital Signatures
• have looked at message authentication
– but does not address issues of lack of trust
• digital signatures provide the ability to:
– verify author, date & time of signature
– authenticate message contents
– be verified by third parties to resolve disputes
• hence include authentication function with
additional capabilities
Digital Signature Model
 Digital
Signature
Model