Crypto Basics
1
Information Security
• Computer security
• Protect system resources
• Protect data (dynamic/stored)
• Network security
• Protect network resources
• Protect exchanged data
Security = confidentiality + integrity + availability + authenticity
2
Network Security Services
• Authentication
• validate authenticity claims (identity/data)
• Authorization
• Enforce selective access (information/resources)
• Confidentiality
• Prevent disclosure of data (entire message / selected fields / traffic characteristics)
• Integrity
• Prevent tampering of data (entire message/selected fields)
• Non-repudiation
• Proof of origin, proof of delivery
CIA
3
Topics of Discussion
• Conventional Cryptography
• DES
• 2DES, 3DES
• AES
• Stream Ciphers
• Synchronous
• Asynchronous
• A5
• RC4
• Public-key cryptography
• Diffie-Hellman
• RSA
• ECC
• Key distribution
4
Topics (Cont’d)
• Data Protection
• Hash functions
• MAC functions
• Digital Signatures
• Cryptanalysis
• Linear
• Differential
• Side-Channel Attacks
5
Terminology
• Cryptology: the art and science of making and breaking “secret codes”
• Cryptography: making “secret codes”
• Cryptanalysis: breaking “secret codes”
• Crypto: all of the above (and more)
6
Crypto
• Basic assumption
• The system is completely known to the attacker
• Only the key is secret
• Also known as Kerckhoffs’ Principle
• Crypto algorithms are not secret
• Why do we make this assumption?
• Experience has shown that secret algorithms are weak when exposed
• Secret algorithms never remain secret
• Better to find weaknesses beforehand
7
Early Crypto Algorithms
• Caesar Cipher
• Mixed Alphabet
• Playfair Cipher
• One-time Pad
• Code book
8
One-time Pad Encryption
Encoding: e=000 h=001 i=010 k=011 l=100 r=101 s=110 t=111
Plaintext:   h   e   i   l   h   i   t   l   e   r
             001 000 010 100 001 010 111 100 000 101
Key:         111 101 110 101 111 100 000 101 110 000
Ciphertext:  110 101 100 001 110 110 111 001 110 101
             s   r   l   h   s   s   t   h   s   r
9
One-time Pad Decryption
Ciphertext:  s   r   l   h   s   s   t   h   s   r
             110 101 100 001 110 110 111 001 110 101
Key:         111 101 110 101 111 100 000 101 110 000
Plaintext:   001 000 010 100 001 010 111 100 000 101
             h   e   i   l   h   i   t   l   e   r
10
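The encryption and decryption tables above, as an added example that is not part of the slides: it implements the 3-bit alphabet and XOR pad in Python, and also shows the perfect-secrecy point that a different pad of the same length decrypts the same ciphertext to a different plaintext (the pad_for helper and the second plaintext are constructed for this demo).

```python
# Added example (not from the slides): one-time pad over the slides' 3-bit alphabet.
CODE = {"e": 0b000, "h": 0b001, "i": 0b010, "k": 0b011,
        "l": 0b100, "r": 0b101, "s": 0b110, "t": 0b111}
LETTER = {v: c for c, v in CODE.items()}

def encode(text: str) -> list[int]:
    """Map each letter to its 3-bit code (KeyError for letters outside the alphabet)."""
    return [CODE[c] for c in text]

def decode(symbols: list[int]) -> str:
    return "".join(LETTER[s] for s in symbols)

def xor_pad(symbols: list[int], pad: list[int]) -> list[int]:
    """XOR symbol-wise with a pad of exactly the same length. A pad that is
    shorter (and would have to be reused) breaks the one-time property, so reject it."""
    if len(pad) != len(symbols):
        raise ValueError("pad must be exactly as long as the message")
    return [s ^ p for s, p in zip(symbols, pad)]

def encrypt(plaintext: str, pad: list[int]) -> str:
    return decode(xor_pad(encode(plaintext), pad))

def decrypt(ciphertext: str, pad: list[int]) -> str:
    # Decryption is the same XOR: (m XOR k) XOR k = m
    return decode(xor_pad(encode(ciphertext), pad))

def pad_for(ciphertext: str, wanted: str) -> list[int]:
    """Perfect secrecy seen from the other side: the pad under which the given
    ciphertext decrypts to any chosen plaintext of the same length (constructed helper)."""
    return xor_pad(encode(ciphertext), encode(wanted))

# The key from the slide, written as 3-bit groups.
PAD = [0b111, 0b101, 0b110, 0b101, 0b111, 0b100, 0b000, 0b101, 0b110, 0b000]

if __name__ == "__main__":
    c = encrypt("heilhitler", PAD)
    print(c, decrypt(c, PAD))                    # srlhssthsr heilhitler
    print(decrypt(c, pad_for(c, "killhitler")))  # killhitler
```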
Post-WWII History
11
Claude Shannon
12
Cryptanalysis
• Ciphertext only
• Known plaintext
• Chosen plaintext
• “Lunchtime attack”
• Protocols might encrypt chosen text
• Adaptively chosen plaintext
• Related key
• Forward search (public key crypto only)
• Etc., etc.
13
Modern Symmetric
Encryption Standards
DES, AES
14
Block Cipher
• Plaintext and ciphertext consist of fixed-size blocks
• Ciphertext is obtained from plaintext by iterating a round function
• Input to the round function consists of the key and the output of the previous round
• Usually implemented in software
15
Data Encryption Standard
16
DES Numerology
17
Security of DES
18
Triple DES
• 3DES with 3 keys
19
Block Cipher Modes
20
Modes of Operation
• Block ciphers encrypt fixed size blocks
• Need ways to encrypt arbitrary amount of information
• Four were defined for DES in ANSI standard X3.106-1983, Modes of Use
• Electronic Code Book (ECB)
• Cipher Block Chaining (CBC)
• Cipher Feed Back (CFB)
• Output Feed Back (OFB)
• Counter Mode (CTR)
21
Advanced Encryption Standard
AES
22
Origins of AES
23
Origins of AES (Cont’d)
• In 1997, NIST issued a CFP for AES
• security strength >= 3DES
• improved efficiency
• must be a symmetric block cipher (128-bit)
• key lengths of 128, 192, and 256 bits
24
The AES Cipher
25
Key/Block Size
Key size (bits)     128  192  256
Block size (bits)   128  128  128
Number of rounds     10   12   14
26
Modern Stream Ciphers
27
Block vs. Stream
• Block ciphers
• Process plaintext in relatively large blocks
• The same function is used to encrypt successive blocks
• Memory-less
• Stream ciphers
• Process plaintext in small blocks
• Encryption function may vary as plaintext is processed
• Have memory
• Sometimes called state ciphers, since encryption depends not only on the key and plaintext but also on the current state
28
Pseudo Random Generators
• Compromise: settle for computational security instead of perfect secrecy
• Instead of a truly random key stream, use a pseudo-random sequence generated from a short key
• The generated stream must be:
• statistically random (knowing part of the sequence is not enough to predict the rest)
– PRG may be controlled without using data:
• Counter mode
– PRG may be controlled by data:
• Cipher feedback mode
29
Synchronous Stream Ciphers
• Keystream generated independently of plaintext and of ciphertext
[Figure: synchronous stream cipher. State update s_{i+1} = f(s_i, k); keystream z_i = g(s_i, k); encryption c_i = h(z_i, m_i) on the sender’s side, decryption m_i = h^{-1}(z_i, c_i) on the receiver’s side]
30
Self-synchronizing Ciphers
• Keystream generated as a function of the key and a fixed number of previous ciphertext digits
[Figure: self-synchronizing stream cipher. Keystream z_i = g(k, previous ciphertext digits); c_i = h(z_i, m_i)]
31
Linear Feedback Shift Registers
• LFSRs
• Well-suited to hardware implementation
• Can produce sequences of large period
• Can produce sequences with good statistical properties
[Figure: LFSR with feedback coefficients c_1, c_2, …, c_L]
32
A5 Algorithm
33
A5/1
[Figure: A5/1 registers X, Y (bits y0 … y21) and Z (bits z0 … z22)]
• Each value is a single bit
• Key is used as initial fill of registers
• Each register steps or not, based on (x8, y10, z10)
• Keystream bit is XOR of right bits of registers
34
RC4
• Proprietary cipher owned by RSA
• Variable key size, byte-oriented stream cipher
• Widely used (web SSL/TLS, wireless WEP)
• Key forms random permutation of all 8-bit values
• Uses that permutation to scramble input, processed one byte at a time
35
RC4 Key Schedule
• Starts with an array S of the numbers 0..255
• S forms the internal state of the cipher
• Given a key k of length l bytes:
    for i = 0 to 255 do
        S[i] = i
    j = 0
    for i = 0 to 255 do
        j = (j + S[i] + k[i mod l]) mod 256
        swap(S[i], S[j])
36
Stream Generation
• Encryption continues shuffling the array values
    i = j = 0
    for each message byte M_i
        i = (i + 1) mod 256
        j = (j + S[i]) mod 256
        swap(S[i], S[j])
        t = (S[i] + S[j]) mod 256
        C_i = M_i XOR S[t]
37
WEP Encryption
• Key length = 40 bits, IV length = 24 bits
[Figure: (Message || CRC) XOR Keystream, with Keystream = RC4(IV, k); the transmitted frame is IV || Ciphertext]
38
Public-Key Cryptography
Asymmetric Encryption
39
Public-Key Cryptography
• Involves the use of two keys:
• A public key, which may be known by anybody, and can be used to encrypt messages and verify signatures
• A private key, known only to the recipient, used to decrypt messages and sign (create) signatures
• Asymmetric, parties are not equal
• Clever application of number theory
• Single most significant advance in the 3000 year history of
cryptography
40
Basic Principle
41
Merkle's Puzzles
• One of the first public-key systems to be described
• Idea
• A selects 1 million keys and 1 million puzzles to encode with them
• A sends the 1 million encoded puzzles to B
• B selects a random puzzle and brute-forces it to get the key (takes almost 2 minutes)
• B encrypts a string with that key and sends it to A
• A encrypts the string with all million keys to find which key B selected
• What is the complexity for the eavesdropper?
42
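A small simulation of the exchange described above, added here and not part of the slides. The keyed primitive (a SHA-256-derived pad), the puzzle size and the puzzle count are constructed demo parameters, not Merkle’s; the point is the work ratio that answers the slide’s question: B solves one puzzle and A tries all n session keys, while an eavesdropper must solve about n/2 puzzles, so the legitimate parties do O(n) work against the eavesdropper’s O(n^2).

```python
# Added example (not from the slides): Merkle's puzzles with toy parameters.
import hashlib
import os
import secrets

PUZZLE_BITS = 12     # constructed: each puzzle needs at most 4096 guesses
N_PUZZLES = 64       # constructed: the slide uses 1 million

def pad(key: bytes, n: int) -> bytes:
    """Demo keystream: SHA-256 of the key, truncated (an assumption, not a real cipher)."""
    return hashlib.sha256(key).digest()[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def make_puzzles(n: int):
    """A: n puzzles, each hiding a session key under a small random puzzle key."""
    keys, puzzles = [], []
    for _ in range(n):
        session_key = os.urandom(16)
        keys.append(session_key)
        small = secrets.randbelow(1 << PUZZLE_BITS).to_bytes(2, "big")
        body = b"MRKL" + session_key          # marker lets the solver recognise success
        puzzles.append(xor(body, pad(small, len(body))))
    return keys, puzzles

def solve_puzzle(puzzle: bytes):
    """B: brute-force the small puzzle key; returns (session key, guesses used)."""
    for guess in range(1 << PUZZLE_BITS):
        body = xor(puzzle, pad(guess.to_bytes(2, "big"), len(puzzle)))
        if body[:4] == b"MRKL":
            return body[4:], guess + 1
    raise ValueError("no solution found")

def run_exchange(n: int = N_PUZZLES):
    """Returns (keys agree?, B's guesses, A's trials, estimated eavesdropper guesses)."""
    keys, puzzles = make_puzzles(n)
    key_b, tries_b = solve_puzzle(puzzles[secrets.randbelow(n)])
    # B sends a check value; A tries every session key to see which one B chose.
    check = hashlib.sha256(key_b + b"check").digest()
    for tries_a, key_a in enumerate(keys, start=1):
        if hashlib.sha256(key_a + b"check").digest() == check:
            break
    # An eavesdropper sees all puzzles and the check value, so must solve
    # puzzles until one matches: about n/2 puzzles at 2^(bits-1) guesses each.
    eavesdropper = (n // 2) * (1 << (PUZZLE_BITS - 1))
    return key_a == key_b, tries_b, tries_a, eavesdropper
```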
Diffie-Hellman Key Exchange
• Public information:
• p is a prime number
• g is a generating element of Z_p*
• Alice’s
• Private key: a
• Public key: g^a mod p
• Bob’s
• Private key: b
• Public key: g^b mod p
43
DH Key Exchange
• Key exchange:
• Alice obtains g^b and computes (g^b)^a = g^(ab) mod p = k_s
• Bob obtains g^a and computes (g^a)^b = g^(ab) mod p = k_s
• Alice and Bob have agreed upon the key k_s
• The well-known man-in-the-middle attack exploits the lack of authentication
44
RSA Scheme
• Best known and widely regarded as the most practical public-key scheme
• Proposed by Rivest, Shamir & Adleman (RSA) in 1977
• Based on exponentiation in a finite (Galois) field over integers modulo a prime
• Security relies on the difficulty of calculating factors of large numbers
45
RSA Setup
46
RSA
47
Simple RSA Example
• Example of RSA
• Select “large” primes p = 11, q = 3
• Then N = pq = 33 and (p−1)(q−1) = 20
• Choose e = 3 (relatively prime to 20)
• Find d such that ed ≡ 1 (mod 20); we find that d = 7 works
• Public key: (N, e) = (33, 3)
• Private key: d = 7
• Suppose message M = 8
• Ciphertext C is computed as C = M^e mod N = 8^3 = 512 = 17 mod 33
• Decrypt C to recover the message M by M = C^d mod N = 17^7 = 410,338,673 = 12,434,505 × 33 + 8 = 8 mod 33
48
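The worked example above in runnable form, added here and not from the slides: d is derived with the extended Euclidean algorithm rather than read off, and the unreduced check illustrates the cube-root attack listed on the next slide (when M^e < N the modulus never wraps, so an integer e-th root of C recovers M, which is why deployed RSA pads the message). No padding is used, exactly as on the slide.

```python
# Added example (not from the slides): textbook RSA with p=11, q=3, e=3, M=8.
def egcd(a: int, b: int) -> tuple[int, int, int]:
    """Return (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y

def modinv(a: int, m: int) -> int:
    """Inverse of a modulo m, or ValueError if gcd(a, m) != 1."""
    g, x, _ = egcd(a, m)
    if g != 1:
        raise ValueError(f"{a} has no inverse mod {m}")
    return x % m

def keygen(p: int, q: int, e: int):
    """Return ((N, e), d); raises if e is not relatively prime to (p-1)(q-1)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = modinv(e, phi)
    return (n, e), d

def encrypt(m: int, pub) -> int:
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, N)")
    return pow(m, e, n)

def decrypt(c: int, d: int, n: int) -> int:
    return pow(c, d, n)

def unreduced(m: int, pub) -> bool:
    """True when m**e < N: the ciphertext is just m**e, so an integer e-th root
    recovers m without the private key (the cube-root attack for e = 3)."""
    n, e = pub
    return m ** e < n

if __name__ == "__main__":
    pub, d = keygen(11, 3, 3)
    c = encrypt(8, pub)
    print(pub, d, c, decrypt(c, d, pub[0]))   # (33, 3) 7 17 8
```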
Security of RSA
• Brute force
• Trying all possible private keys
• Mathematical attacks
• Equivalent to factoring product of two primes
• Timing attacks
• Based on the running time of the decryption algorithm
• Cube-root attack
• Blinding attack
49
Elliptic Curve Crypto (ECC)
• “Elliptic curve” is not a cryptosystem
• Elliptic curves are a different way to do the math in public key system
• Elliptic curve versions of DH, RSA, etc.
• Elliptic curves may be more efficient
• Fewer bits needed for same security
• But the operations are more complex
50
Key Distribution
51
Where to Put Encryption
• Link encryption vs. end-to-end
• Both techniques hide user data (payload)
• Link encryption
• Hides address information
• Buffers clear data in each node
• E-T-E encryption
• Leaves addresses in the clear
• No need to buffer decrypted payload
• Use both techniques?
52
Key Distribution
• Most important component in secure transmission.
• Options (between A and B):
• A selects a key and physically delivers it to B.
• A trusted third party, the key distribution center (KDC), selects a key and physically delivers it to A and B.
• If A and B already have a viable key, it can be used to distribute a new key.
• If A and B each have a secure link to the KDC, they can receive the key through that channel.
53
Public-Key Authority
[Figure: public-key authority protocol between A, B and the authority. Messages shown: (1) Request|T1; (2) E_Kd_auth[Ke_b|Request|T1]; (4) Request|T2; (5) E_Kd_auth[Ke_a|Request|T2]; (6) E_Ke_a[N1|N2]; (7) E_Ke_b[N2]. Steps (1)–(2) are A’s request for B’s public key, (4)–(5) are B’s request for A’s; message (3) is not shown]
54
Exchange of Public-key Certificates
[Figure: Certificate Authority (holding public keys such as Ke_b); (1) A presents its certificate CA, (2) B presents its certificate CB]
55
Distribution With Confidentiality and Authentication
[Figure: (1) E_Ku_b[N1|IDA]; (4) E_Ku_b[E_Kr_a[Ks]]; messages (2) and (3) are not shown]
56
Message Authentication
MAC and Hash
57
Message Authentication Requirements
• Masquerade
• Content modification
• Insertion, deletion, transposition, modification of message contents
• Sequence modification
• Insertion, deletion, reordering of sequenced messages
• Timing modification
• Delay, replay
• Repudiation
• Denial of message transmission or receipt
58
Authentication Functions
• Message encryption
• Ciphertext itself serves as authenticator
• Hash function
• Public function maps message into fixed length value
• Message authentication code
• Public function combines message and secret key into a fixed-length value
59
Message Authentication Code (MAC)
• Cryptographic checksum
• Mixes message with (shared) secret key to produce a fixed size block
• Assurances:
• Message has not been altered
• Message is from alleged sender
• Message sequence is unaltered (requires internal sequencing)
• MAC algorithm need not be reversible
60
Why Use MACs?
• Why not just use encryption?
• Clear-text stays clear
• MAC might be cheaper
• Broadcast
• Authentication of executables
• Architectural flexibility
• Separation of authentication check from message use
• Prolong the period of protection
61
One-way Hash Functions
• Converts a variable size message M into fixed size hash code H(M)
• Can be used with encryption for authentication
• E(M || H)
• M || E(H)
• M || signed H
• E( M || signed H ) gives confidentiality
• M || H( M || K )
• E( M || H( M || K ) )
62
Hash Function Requirements
• H can be applied to any size data block
• H produces fixed length output
• H is fast
• H is one-way, i.e., given h, it is computationally infeasible to find any x such that h = H(x)
63
Hash Requirements (cont’d)
64
Birthday Attack
65
Crypto-Hashes
66
Popular Algorithms
67
[Figure: MD5 input = Message || 100…0 padding || message length, processed as L × 512-bit blocks; HMD5 = 4-round compression function]
69
SHA-1 vs. MD5
70
HMAC
71
Algorithm (cont’d)
72
Advanced Cryptanalysis
• Modern cryptanalysis
• Differential cryptanalysis
• Linear cryptanalysis
• Side channel attack on RSA
• Hellman’s TMTO attack on DES
73
Side Channel Attacks
74
Side Channels
75
ACCESS CONTROL
Suku Nair
76
Access Control
• Two parts to access control
• Authentication: Who goes there?
• Determine whether access is allowed
• Authenticate human to machine
• Authenticate machine to machine
• Authorization: Are you allowed to do that?
• Once you have access, what can you do?
• Enforces limits on actions
• Note: Access control often used as synonym for authorization
78
Something You Know
• Passwords
• Lots of things act as passwords!
• PIN
• Social security number
• Mother’s maiden name
• Date of birth
• Name of your pet, etc.
79
Trouble with Passwords
80
Why Passwords?
• Why is “something you know” more popular than “something you have” and “something you are”?
• Cost: passwords are free
• Convenience: easier for the SA to reset a password than to issue a new smartcard
81
Keys vs Passwords
82
Attacks on Passwords
• Attacker could…
• Target one particular account
• Target any account on system
• Target any account on any system
• Common attack path
• Outsider → normal user → administrator
• May only require one weak password!
83
Password Retry
• Suppose the system locks after 3 bad passwords. How long should it lock?
• 5 seconds
• 5 minutes
• Until SA restores service
• What are pros and cons of each?
84
Password File
85
Dictionary Attack
86
Password File
87
Password Cracking: Complexity
• Assumptions
• Pwds are 8 chars, 128 choices per character
• Then 128^8 = 2^56 possible passwords
• There is a password file with 2^10 pwds
• Attacker has a dictionary of 2^20 common pwds
• Probability of 1/4 that a pwd is in the dictionary
• Work is measured by number of hashes
88
Password Cracking (cont’d)
• Attack 1 password without dictionary
• Must try 2^56/2 = 2^55 on average
• Just like exhaustive key search
• Attack 1 password with dictionary
• Expected work is about 1/4 (2^19) + 3/4 (2^55) = 2^54.6
• But in practice, try all in the dictionary and quit if not found: work is at most 2^20 and probability of success is 1/4
89
Password Cracking
90
Password Cracking
91
Other Password Issues
92
Passwords
93
Password Cracking Tools
94