Kingdom of Saudi Arabia

Ministry of Higher Education

Al-Imam Muhammad Ibn Saud Islamic University
College of Computer and Information Sciences

Encryption Controls
T. Wed Ateeq

First Semester

2023

1
Overview
• Encryption technologies

• Combining encryption technologies for practice

• Using encryption technologies for identification – digital

signatures

• Public key infrastructure

2
2
Introduction
• Motivation
• Communication needs
• Transmission alone often not enough
• Privacy
• Identification
• Integrity

• Encryption accomplishes all these features

• Remember, though
• Encryption cannot compensate for human weakness
• Sharing passwords, not using encryption etc

3
3
Encryption overview

Plaintext Ciphertext Plaintext

Hello Encryption #er5*!@-+=hdg Decryption Hello

4
4
Encryption terminology
• A cipher or cryptosystem is used to encrypt the plaintext
• The result of encryption is ciphertext
• We decrypt ciphertext to recover plaintext
• A key is used to configure a cryptosystem
• A symmetric key cryptosystem uses the same key to
encrypt as to decrypt
• A public key cryptosystem uses a public key to encrypt
and a private key to decrypt

5
5
Encryption – limitations
• Enables secret communications by terrorists

• Reduces effectiveness of firewalls

• Impedes forensics

6
6
Encryption – requirements
• Desired properties
• Easy to use for owners
• Difficult to break for intruders

• Similar to locks
• Need not be perfect or unbreakable
• Only need to deter intruders by drawing the attention
of onlookers

• In information security
• Ease measured in terms of computational effort

7
7
Encryption keys
• In physical world
• Very few lock types
• Need to meet requirements
• Biometric, numeric, keys
• In information security world
• Again, very few encryption types
• Again, due to need to meet requirements
• How to use limited lock types to secure unlimited number
of gates?
• Change keys
• Or, combinations

8
8
Encryption keys (contd.)
• As with physical locks
• Change keys for each use of the same encryption algorithm
• Definitions
• Cryptographic algorithm
• Well-defined sequence of steps used to describe
cryptographic processes
• Cryptographic key
• Sequence of symbols that controls the operations of
encipherment and decipherment
• Encryption operation basics
• Users with the correct key can easily exchange information
• Eavesdroppers will take a prohibitively long time

9
9
Encryption key lengths
• How to increase security
• At worst, attackers can use brute force
• Consider number locks
• 1-digit lock
• Say, user takes 1 second to check one digit
• Expected time to break the lock?
• Minimum time – 1 second
• Maximum time – 10 seconds
• Expected time – 5.5 seconds
• Not very safe
• How to make it safer?
• Add more digits

10
10
General encryption operations
• Objective
• Diffusion of confusion
• Claude Shannon (1946)

• Confusion
• Making the relationship between the plaintext and ciphertext as
complex as possible

• Diffusion
• Spreading the impact of a change in one bit of the plaintext to all
bits in the ciphertext

11
11
General encryption operations
• Two basic encryption operations
• Substitution
• Specifying the output for each input
• Generates confusion

• Permutation
• Specifying the output position of each input bit
• Diffuses the confusion generated by substitution
• Prevents exploitation by specially crafted inputs

12
12
Encryption types
Encryption type Keys Applications

Hash function 0 Password protection, data integrity check

Secret key cryptography 1 Secure data storage and transmission

Public key cryptography 2 Secure key exchange, authentication, digital signatures

13
13
BASIC CRYPTO

14
14
Origins
• Caesar cipher
• Julius Caesar
• 100 B.C. – 44 B.C.
• A→D
• B→E
• Q→T
• W→Z
• X→A
• Y→B
• Z→C
• Mono-alphabetic
substitution

15
15
 Simple Substitution
• Plaintext: fourscoreandsevenyearsago
• Key:

Plaintext a b c d e f g h i j k l mn o p q r s t u v w x y z

Ciphertext D E F G H I J K L M N O P Q R S T U V WX Y Z A B C

 Ciphertext:
IRXUVFRUHDQGVHYHQBHDUVDJR
 Shift by 3 is “Caesar’s cipher”

16
Chapter 2: Crypto Basics 16
 Ceasar’s Cipher Decryption
 Suppose we know a Ceasar’s cipher is being
used:

Plaintext a b c d e f g h i j k l mn o p q r s t u v w x y z

Ciphertext DE F G H I J K L M N O P Q R S T U V WX Y Z A B C

 Given
ciphertext:
VSRQJHEREVTXDUHSDQWV
Plaintext: spongebobsquarepants •

17
Chapter 2: Crypto Basics 17
Double Transposition
Plaintext: attackxatxdawn •

Permute rows
and columns


 Ciphertext: xtawxnattxadakc
 Key is matrix size and permutations:
(3,5,1,4,2) and (1,3,2)
18
Chapter 2: Crypto Basics 18
 One-Time Pad: Encryption
e=000 h=001 i=010 k=011 l=100 r=101 s=110 t=111

Encryption: Plaintext  Key = Ciphertext

h e i l h i t l e r
Plaintext: 001 000 010 100 001 010 111 100 000 101
Key: 111 101 110 101 111 100 000 101 110 000
Ciphertext: 110 101 100 001 110 110 111 001 110 101

s r l h s s t h s r

19
Chapter 2: Crypto Basics 19
 Codebook Cipher
• Literally, a book filled with “code words”
• Zimmerman Telegram encrypted via codebook
Februar 13605
fest 13732
finanzielle 13850
folgender 13918
Frieden 17142
Friedenschluss 17149

• Modern block ciphers are codebooks!

20
20
SYMMETRIC KEY CRYPTO

21
21
Symmetric Key Crypto
• Stream cipher  based on one-time pad
• Except that key is relatively short
• Key is stretched into a long keystream
• Keystream is used just like a one-time pad
• Block cipher  based on codebook concept
• Block cipher key determines a codebook
• Each key yields a different codebook
• Employs both “confusion” and “diffusion”

Part 1  Cryptography 22
22
 Symmetric key crypto

Block Cipher Stream Cipher

Feistel A5\1

DES RC4

AES

TEA

Part 1  Cryptography 23
23
 Part 1  Cryptography
24

Round Text Key

16 64 56 DES

3Triple each 16 round 112 112 3DES

10-14 128 128,192,256 AES

variable 64 128 TEA

24
Copyright © The McGraw-Hill Companies, Inc.
Stream Ciphers
• Once upon a time, not so very long ago,
stream ciphers were the king of crypto
• Today, not as popular as block ciphers
• We’ll discuss two stream ciphers…
• A5/1
• Based on shift registers
• Used in GSM mobile phone system
• RC4
• Based on a changing lookup table
• Used many places

Part 1  Cryptography 25
25
Secret key cryptography
• Simplest encryption procedure to understand

• Uses two procedures

• Block encryption
• Process of converting a plaintext block into an
encrypted block
• Cipher block chaining
• A way of combining encrypted blocks

• Example shown is based on DES

• Data Encryption Standard

26
26
Block encryption
• Block encryption overview
• Split data
• DES splits data into 64-bit blocks
• For each block
• Split data into two halves
• Computational simplicity
• Too many possible combinations with 64 bits

• Mangle the bits

• Substitution operation for generating confusion
• Combine the mangled bits
• Permutation operation for diffusing confusion
• Repeat multiple times
• For robustness
• DES repeats 16 times
• AES repeats 10 – 14 times
27
27
Block encryption
64-bit input to encryption round

32 bits 32 bits

Substitution Key Substitution

Repeat round

32 bits 32 bits

64-bit intermediate output of encryption round

Key Permutation

64-bit final output of encryption round

28
28
Electronic code book
Plaintext message

S e g m e n t a t i o n

Block 1 Block 2 Block 3 Block 4 Block 5 Block 6

Block Block Block Block Block Block

encryption encryption encryption encryption encryption encryption

Cipher block 1 Cipher block 2 Cipher block 3 Cipher block 4 Cipher block 5 Cipher block 6

R e a s s e m b l y

Ciphertext message

29
29
Encrypting larger messages – CBC
• Cipher block chaining
• How to prevent an attacker from guessing block encryption
algorithm?
• Eliminate block identity
• Use previous block as input while encrypting next
block
• What about the first block?
• Use a random vector to start

• Figure on next slide

30
30
Cipher block chaining

Block Block Block Block Block Block

1 2 3 4 5 6

Initialization
+ + + + + +
vector (IV)

Block Block Block Block Block Block

encryption encryption encryption encryption encryption encryption

Cipher Cipher Cipher Cipher Cipher Cipher

block 1 block 2 block 3 block 4 block 5 block 6

R e a s s e m b l y

Ciphertext message

31
31
Advanced Encryption Standard
• Replacement for DES
• AES competition (late 90’s)
• NSA openly involved
• Transparent process
• Many strong algorithms proposed
• Rijndael Algorithm ultimately selected (pronounced
like “Rain Doll” or “Rhine Doll”)
• Iterated block cipher (like DES)
• Not a Feistel cipher (unlike DES)

Part 1  Cryptography 32
32
 AES
• Block size:128 bits (others in Rijndael)
• Key length: 128, 192 or 256 bits (independent of block
size)
• 10 to 14 rounds (depends on key length)
• Each round uses 4 functions (3 “layers”)
• ByteSub (nonlinear layer)
• ShiftRow (linear mixing layer)
• MixColumn (nonlinear layer)
• AddRoundKey (key addition layer)

Part 1  Cryptography 33
33
Time for TEA

• Tiny Encryption Algorithm (TEA)

• 64 bit block, 128 bit key
• Assumes 32-bit arithmetic
• Number of rounds is variable (32 is considered secure)
• Uses “weak” round function, so large number of rounds
required

Part 1  Cryptography 34
34
PUBLIC KEY CRYPTO

35
35
Secret key cryptography – features
• Simple operations
• Bit dispersion
• XOR
• Hence extremely conservative in using computational
resources

• However, key exchange is a non-trivial challenge

• Role for Public-key cryptography

36
36
Public key cryptography
• Uses two keys

• One for encryption

• Widely distributed
• Hence called the public key
• Key benefit of technology

• A different key for decryption

• Kept confidential
• Hence called the private key

37
37
Public key cryptography – basic operation
• Public key cryptography relies on the modulo operation

• Modulo operation
• The number remaining when an integer is divided by another
integer
• E.g.
• 17 mod 10 = 7
• 94 mod 10 = 4

• Use in encryption demonstrated through example on next

slide

38
38
Public key cryptography - example
Number to encrypt n → 0 1 2 3 4 5 6 7 8 9
(plaintext)

Key (multiplier) m
↓
0 0 0 0 0 0 0 0 0 0 0
→ n * m mod 10 1 0 1 2 3 4 5 6 7 8 9
→ n * m mod 10 2 0 2 4 6 8 0 2 4 6 8
→ n * 3 mod 10 = ciphertext c 3 0 3 6 9 2 5 8 1 4 7
4 0 4 8 2 6 0 4 8 2 6
5 0 5 0 5 0 5 0 5 0 5
6 0 6 2 8 4 0 6 2 8 4
→ c * 7 mod 10 (plaintext) 7 0 7 4 1 8 5 2 9 6 3
8 0 8 6 4 2 0 8 6 4 2
9 0 9 8 7 6 5 4 3 2 1

n * m mod N

39
39
.Public key cryptography example – contd
• The table can be used to encrypt any single digit number
• To encrypt
• Multiple the number by three (key)
• Take modulus with respect to 10
• E.g. to encrypt 7 (plaintext)
• Ciphertext = n * m mod N
• 7 * 3 = 21 mod 10
• Cipher text = 21 mod 10 = 1
• Shown in row highlighted in red
• To decrypt
• Multiply cipher text by 7 (key) and take mod with respect to 10
• E.g. 1 * 7 = 7 and 7 mod 10 = 7
• Shown in row highlighted in green
40
40
.Public key cryptography example – contd
• Some properties of public key encryption
• As seen in the example
• Encryption key cannot be used as the decryption key
• E.g. 1 * 3 mod 10 = 3 ≠ 7
• Keys are reversible
• E.g. we can use 7 as the encryption key and 3 as the corresponding
decryption key
• 7 * 7 mod 10 = 9 >> ciphertext
• 9 * 3 mod 10 = 7 >> plaintext after decryption

• Key length is important for security

• Keys in example can be easily guessed
• Only 10 tries needed
• Hence long keys necessary for security
• 1,00+ digits common in practice
41
41
 Knapsack Problem
• Given a set of n weights W0,W1,...,Wn-1and a
sum S, is it possible to find ai{0,1}so that
S = a0W0+a1W1 +...+ an-1Wn-1

(technically, this is “subset sum” problem)

• Example
• Weights (62,93,26,52,166,48,91,141)
• Problem: Find subset that sums to S=302
• Answer: 62+26+166+48=302
• The (general) knapsack is NP-complete

42
Part 1 - Cryptography 42
Public key cryptography in practice – RSA
• Most popular public key encryption
• Named after creators of algorithm
• Ron Rivest
• Adi Shamir
• Leon Adleman

• A method for obtaining digital signatures and public-key

cryptosystems

43
43
RSA algorithm
• Start with two large prime numbers, called p and q
• Compute n = p * q
• Compute φ = (p – 1)*(q – 1)
• Choose a number e that is relatively prime to φ
• i.e. the two numbers do not share any common factors
• Choose a number d that is the multiplicative
inverse of e mod φ
• i.e. a number d such that d*is divisible by φ
• <e, n> is the public key and is used for encryption
• <d, n> is the private key and is used for decryption
44
44
RSA algorithm
Key generation: The public key is (n, e); the private key (p, q,
:d),obtained as follows
1. Let p, q be distinct primes, randomly chosen from the set of
all primes of a certain size.
2. Compute n = pq.
3. Select e with gcd(e, φ(n)) = 1.
4. Compute d = mod φ(n).
5. The public key is the pair n and e.
6. The private key is the values p, q and d.
Note: e need not be random, can be fixed, e.g., to e = 65537
...Notice: “mod φ (n)” in step 4

45
45
Diffie-Hellman
• Public: g and p
• Private: Alice’s exponent a, Bob’s exponent b

 Alice’s public key is ga , Bob’s public key

is gb
 Alice computes (gb)a = gba= gab mod p
 Bob computes (ga)b = gab mod p
46
 Use K = Part
g mod p as symmetric key
ab1 - Cryptography
46
Certificate authorities
• How do you verify public
key?
• I am USF
• Really?

• Browsers come with the

knowledge of some
“certifiers”
• Called certificate authorities
• Act as DMV of the Internet

47
47
.Certificate authorities – contd

Certificate authority (CA)

5
4 1
Verification received Sends public key to CA
Receives public key
for verification

Sends public key

Browser Server
and CA name
3
Looks up CA contact details Certificate
in internal database

“CA not found alert”

to user

48
48
.Certificate authorities – contd
• Server obtains public key from well-known public key provider
• Called certificate authorities (CA)
• CA encrypts web server’s public key and IP address with its own private
key for use as a certificate
• Certificate is a bundle of information containing
• Encrypted public key of the server
• Identification of the key provider
• Servers send their certificate to clients as identification
• Certificate is decrypted using the authority’s known public key
• Decrypted certificate contains the web server’s public key
• For verification, browser compares
• Web server’s IP address in the certificate
• IP address of the server it is connected to

49
49
END

50
50