Index

1. Cryptography.1 2. Fiestel Networks...10 3. Data Encryption Standard..12 4. Modes of operation of DES.....20 5. Public key Cryptography26 6. RSA Algorithm.....28 7. Diffie Hellman Key Exchange.31 8. MAC and HASH function..33 9. Digital Signature.35 10. Questions..37

1. Cryptography
1.1 Introduction Definitions Plaintext Encoding/Encryption Ciphertext Decoding/Decryption Cryptography Cryptanalysis Cryptology "The original message before it is encoded." "The process of disguising the plaintext." "The enciphered version of the plaintext." "The process of reverting the cipher text back to the plain text." "The science of keeping messages secret and of ensuring authentication." "The science (and art) of deciphering encoded messages without the knowledge of the used key." Greek: krypts = hidden, lgos=science. "The combination of cryptography and cryptanalysis "The science of hidden, disguised information."

1.2 Types of Cryptography

1.2.1 Conventional Encryption/Private-key Cryptography

In a "One-Key-Encryption" or "Conventional Encryption", the sender and the recipient share the same key as their common secret

(source: www.PGPi.com): At some earlier point in time the two correspondents, the sender and the recipient, must have agreed on that key. If they are in different locations, they must trust a courier or a phone system to transmit the secret key in a secure manner. Surely, this is not very practical, particularly when many (new) parties are involved.

However, the major problem is the total number of keys involved. 2 correspondents use 1 key, 3 use 3 keys, 4 use 6 keys, 5 use 10 keys, 100 use 4950 keys, 1000 use 499500 keys, etc. And each key must be stored in a secure manner. Key management is enough of a difficult task that a name was invented for it: The Key Distribution Problem. It is the reason why One-Key-Cryptography is not appropriate for today's secure electronic data transfers between many parties involved. Every Cipher is made up of two ingredients: an encryption method (the "algorithm") and the set of all possible keys (the "key space"). The sender may now choose from the number of possible keys to encode his secret message. The security of the cryptosystem shall not be based on keeping the algorithm secret, but solely keeping the key secret. Private Key Cryptography means that the knowledge of the encoding key yields the decoding key. Such Ciphers are therefore also called "Symmetric Ciphers". If a Cipher only offers a small number of keys (i.e. the Caesar Cipher) it can be broken by simply testing the possible keys. A huge number of keys assures the security of a cipher Private Key Cryptography provides "high-security" ciphers, however, their usage is not practical because of the key distribution problem. It describes the difficulty of exchanging and handling a large number of keys. I.e. 1000 correspondents have to handle a total of 499500 keys. The number of keys increases with the square of the number of correspondents.
1.2.2 Two-key/Public-key Cryptography

The "Two-Key Cryptography" or "Public-Key Cryptography" was a major breakthrough in 1976. It makes the inconceivable reality: A Public Key is used to encode the plain text, its corresponding Private Key is used to decode the cipher text. The clue: Although the encoding key available to the whole world, nobody is capable of figuring out the decoding key. The figure below shows the how "Two-Key Cryptography" is performed.

(source: www.PGPi.com): The primary benefit of public key cryptography is that it allows people who have no preexisting security arrangement to exchange messages securely. The need for sender and receiver to share secret keys via some secure channel is eliminated; all communications involve only public keys, and no private key is ever transmitted or shared.

1.2.3 Transposition and Substitution Ciphers Substitution and Transposition Ciphers are two categories of ciphers used in classical cryptography. Substitution and Transposition differ in how chunks of the message are handled by the encryption process. Substitution ciphers encrypt plaintext by changing the plaintext one piece at a time. The Ceasar Cipher was an early substitution cipher. In the Caesar Cipher, each character is shifted three places up. Therefore, A becomes D and B becomes E, etc... This table shows "VOYAGER" being encrypted with the Caesar substution cipher: Plaintext V O Y A G E R +3 +3 +3 +3 +3 +3 +3 Key Ciphertext Y R B D J H U Transposition ciphers encrypt plaintext by moving small pieces of the message around. This table shows "VOYAGER" being encrypted with a primitive transposition cipher where every two letters are switched with each other: V OYAGE R O VAYE GR 1.2.4 Stream and Block Ciphers Block and Stream Ciphers are two categories of ciphers used in classical cryptography. Block and Stream Ciphers differ in how large a piece of the message is processed in each encryption operation. Block ciphers encrypt plaintext in chunks. Common block sizes are 64 and 128 bits. Stream ciphers encrypt plaintext one byte or one bit at a time. A stream cipher can be thought of as a block cipher with a really small block size. Generally speaking, block ciphers are more efficient for computers and stream ciphers are easier for humans to do by hand. 1.3 Caesar Substitution The simplest of all substitution ciphers is the one in which the cipher letters results from shifting plain letters by the same distance. Among those, the best known is called "Caesar Cipher", used by Julius Caesar, in which each A is encrypted as D, B as E, C as F,... etc. Here key is 3 Mathematically, the encryption and decryption functions can be described as follows: The sender encodes each plain text letter P using the key b as follows: C= (P+b) mod 26 The recipient decodes each cipher text letter C using the key b as follows: P=(C-b) mod 26 1.4 Playfair Cipher The best known substitution cipher that encrypts pairs of letters is the Playfair Cipher invented by Sir Charles Wheatstone but championed at the British Foreign Office by

Lyon Playfair, the first Baron Playfair of St. Andrews, whose name the cipher bears. Here, a 5 x 5-square matrix containing the 26 letters of the alphabet (I and J are treated as the same letter) is used to carry out the encryption. A key word, MONARCHY in this example, is filled in first, and the remaining unused letters of the alphabet are entered in their lexicographic order.

Pairs of plaintext letters are encrypted with the matrix by first locating the two plaintext letters in the matrix. They are (1) in different rows and columns or (2) in the same row or (3) in the same column or (4) alike. The corresponding encryption (replacement) rules are the following: 1. If the pair of letters are in different rows and columns, each letter is replaced by the letter that is in the same row but in the other column; i.e., to encrypt WE, W is replaced by U and E by G. 2. If two letters are in the same row simply shift both one position to the right. I.e. A and R are in the same row. A is encrypted as R and R (reading the row cyclically) as M. 3. Similarly, if two letters are in the same column shift both one position down. I.e. I and S are in the same column. I is encrypted as S and S as X. 4. If a double letter occurs, a spurious symbol, say Q, is introduced so that the MM in SUMMER would encrypt into NL for MQ and CL for ME. 5. An X is appended to the end of the plaintext if necessary to cause the plaintext to have an even number of letters. 1.5 Monoalphabetic substitution The Caesar Cipher, the Multiplication Cipher and the Linear Cipher have one property in common. They all fall in the category of Monoalphabetic Ciphers: "Same plain letters are encoded to the same cipher letter." i.e. in the Caesar Cipher each "a" turned into "d", each "b" turned into "e", etc. The reason why such Ciphers can be broken is the following: Although letters are changed the underlying letter frequencies are not! If the plain letter "a" occurs 10 times its cipher letter will do so 10 times. Therefore, any monoalphabetic Cipher can be broken with the aid of letter frequency analysis.

1.6 Polyalphabetic Substitution Polyalphabetic substitution cipher is simply a substitution cipher with an alphabet that changes. For example one could have two alphabets: Plain Alphabet: ABCDEFGHIJKLMNOPQRSTUVWXYZ Cipher Alphabet #1: B D F H J L N P R T V X Z A C E G I K M O Q S U W Y Cipher Alphabet #2: Z Y X W V U T S R Q P O N M L K J I H G F E D C B A Now to encrypt the message ``The quick brown fox jumped over the lazy dog" we would alternate between the two cipher alphabets, using #1 for every first letter and #2 for every second, to get: ``Msj joxfp dicda ucu tfzkjw ceji msj xzyb hln". Polyalphabetic substitution ciphers are useful because they cannot be broken using frequency analysis.The number of letters encrypted before a polyalphabetic substitution cipher returns to its first cipher alphabet is called its period. The larger the period, the stronger the cipher. Vigenere Cipher The polyalphabetic substitution cipher involves the use of two or more cipher alphabets. Instead of there being a one-to-one relationship between each letter and its substitute, there is a one-to-many relationship between each letter and its substitutes. The Vigenere Cipher , proposed by Blaise de Vigenere is a polyalphabetic substitution based on the following tableau:
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z A B C D E F G H I J K L M N O P Q R S T U V W X Y Z A B C D E F G H I J K L M N O P Q R S T U V W X Y Z B C D E F G H I J K L M N O P Q R S T U V W X Y Z A C D E F G H I J K L M N O P Q R S T U V W X Y Z A B D E F G H I J K L M N O P Q R S T U V W X Y Z A B C E F G H I J K L M N O P Q R S T U V W X Y Z A B C D F G H I J K L M N O P Q R S T U V W X Y Z A B C D E G H I J K L M N O P Q R S T U V W X Y Z A B C D E F H I J K L M N O P Q R S T U V W X Y Z A B C D E F G I J K L M N O P Q R S T U V W X Y Z A B C D E F G H J K L M N O P Q R S T U V W X Y Z A B C D E F G H I K L M N O P Q R S T U V W X Y Z A B C D E F G H I J L M N O P Q R S T U V W X Y Z A B C D E F G H I J K M N O P Q R S T U V W X Y Z A B C D E F G H I J K L N O P Q R S T U V W X Y Z A B C D E F G H I J K L M O P Q R S T U V W X Y Z A B C D E F G H I J K L M N P Q R S T U V W X Y Z A B C D E F G H I J K L M N O Q R S T U V W X Y Z A B C D E F G H I J K L M N O P R S T U V W X Y Z A B C D E F G H I J K L M N O P Q S T U V W X Y Z A B C D E F G H I J K L M N O P Q R T U V W X Y Z A B C D E F G H I J K L M N O P Q R S U V W X Y Z A B C D E F G H I J K L M N O P Q R S T V W X Y Z A B C D E F G H I J K L M N O P Q R S T U W X Y Z A B C D E F G H I J K L M N O P Q R S T U V X Y Z A B C D E F G H I J K L M N O P Q R S T U V W Y Z A B C D E F G H I J K L M N O P Q R S T U V W X Z A B C D E F G H I J K L M N O P Q R S T U V W X Y

Note that each row of the table corresponds to a Caesar Cipher. The first row is a shift of 0; the second is a shift of 1; and the last is a shift of 25. The Vigenere cipher uses this table together with a keyword to encipher a message. For example, enciphering the plaintext message: TO BE OR NOT TO BE THAT IS THE QUESTION using the keyword RELATIONS. We begin by writing the keyword, repeated as many times as necessary, above the plaintext message. To derive the ciphertext using the tableau, for each letter in the plaintext, one finds the intersection of the row given by the corresponding keyword letter and the column given by the plaintext letter itself to pick out the ciphertext letter.
Keyword: Plaintext: Ciphertext: RELAT IONSR ELATI ONSRE LATIO NSREL TOBEO RNOTT OBETH ATIST HEQUE STION KSMEH ZBBLK SMEMP OGAJX SEJCS FLZSY

Decipherment of an encrypted message is equally straightforward. One writes the keyword repeatedly above the message:
Keyword: Ciphertext: Plaintext: RELAT IONSR ELATI ONSRE LATIO NSREL KSMEH ZBBLK SMEMP OGAJX SEJCS FLZSY TOBEO RNOTT OBETH ATIST HEQUE STION

This time one uses the keyword letter to pick a column of the table and then traces down the column to the row containing the ciphertext letter. The index of that row is the plaintext letter. The strength of the Vigenere cipher against frequency analysis can be seen by examining the above ciphertext. Note that there are 7 'T's in the plaintext message and that they have been encrypted by 'H,' 'L,' 'K,' 'M,' 'G,' 'X,' and 'L' respectively. This successfully masks the frequency characteristics of the English 'T.' One way of looking at this is to notice that each letter of our keyword RELATIONS picks out 1 of the 26 possible substitution alphabets given in the Vigenere tableau. Thus, any message encrypted by a Vigenere cipher is a collection of as many simple substitution ciphers as there are letters in the keyword. 1.7 Cryptanalysis Cryptanalysis (from the Greek krypts, "hidden", and analein, "to loosen" or "to untie") is the study of methods for obtaining the meaning of encrypted information, without access to the secret information which is normally required to do so. Typically, this involves finding the secret key. In non-technical language, this is the practice of code breaking or cracking the code, although these phrases also have a specialized technical meaning Types of Cryptanalytic attacks 1 Brute force Attacks: It is a method of defeating a cryptographic scheme by trying a large number of possibilities; for example, exhaustively working through all possible keys in order to decrypt a message. In most schemes, the theoretical possibility of a brute force attack is recognized, but it is set up in such a way that it would be computationally infeasible to carry out. Ciphertext-only: the cryptanalyst has access only to a collection of ciphertexts or codetexts.

3 4

Known-plaintext: the attacker has a set of ciphertexts to which he knows the corresponding plaintext. Chosen-plaintext (chosen-ciphertext): the attacker can obtain the ciphertexts (plaintexts) corresponding to an arbitrary set of plaintexts (ciphertexts) of his own choosing. Adaptive chosen-plaintext: like a chosen-plaintext attack, except the attacker can choose subsequent plaintexts based on information learned from previous encryptions. Similarly Adaptive chosen ciphertext attack. Related-key attack: Like a chosen-plaintext attack, except the attacker can obtain ciphertexts encrypted under two different keys. The keys are unknown, but the relationship between them is known; for example, two keys that differ in the one bit.

2. Fiestel Networks
In cryptography, a Feistel cipher is a block cipher with a particular structure, named after IBM cryptographer Horst Feistel; it is also commonly known as a Feistel network. A large proportion of block ciphers use the scheme, including the Data Encryption Standard(DES). The Feistel structure has the advantage that encryption and decryption operations are very similar, even identical in some cases, requiring only a reversal of the key schedule. Therefore the size of the code or circuitry required to implement such a cipher is nearly halved. Feistel networks and similar constructions are product ciphers, and so combine multiple rounds of repeated operations, such as:

Bit-shuffling (often called permutation boxes or P-boxes) Simple non-linear functions (often called substitution boxes or S-boxes) Linear mixing (in the sense of modular algebra) using XOR

to produce a function with large amounts of what Claude Shannon described as "confusion and diffusion". Bit shuffling creates the diffusion effect, while substitution is used for confusion. In Shannon's original definitions, confusion refers to making the relationship between the key and the ciphertext as complex and involved as possible; diffusion refers to the property that redundancy in the statistics of the plaintext is "dissipated" in the statistics of the ciphertext. The basic operation is as follows: Split the plaintext block into two equal pieces, (L0, R0) For each round Li = R i 1 where f is the round function and Ki is the sub-key. Then the ciphertext is (Ln, Rn). Regardless of the function f, decryption is accomplished via Ri 1 = Li One advantage of this model is that the function used does not have to be invertible, and can be very complex. This diagram illustrates both encryption and decryption. Note the reversal of the subkey order for decryption; this is the only difference between encryption and decryption: , compute

10

11

3. Data Encryption Standard

DES encrypts and decrypts data in 64-bit blocks, using a 64-bit key (although the effective key strength is only 56 bits, as explained below). It takes a 64-bit block of plaintext as input and outputs a 64-bit block of ciphertext. Since it always operates on blocks of equal size and it uses both permutations and substitutions in the algorithm, DES is both a block cipher and a product cipher. DES has 16 rounds, meaning the main algorithm is repeated 16 times to produce the ciphertext. It has been found that the number of rounds is exponentially proportional to the amount of time required to find a key using a brute-force attack. So as the number of rounds increases, the security of the algorithm increases exponentially. The block diagram of DES is depicted below.

12

3.1 Key Scheduling

Although the input key for DES is 64 bits long, the actual key used by DES is only 56 bits in length. The bits at positions of multiples of eight are ignored, thus resulting in a key length of 56 bits. The first step is to pass the 64-bit key through a permutation called Permuted Choice 1, or PC-1 for short. The table for this is given below. Note that in all subsequent descriptions of bit numbers, 1 is the left-most bit in the number, and n is the rightmost bit. PC-1: Permuted Choice 1 Bit 0 1 2 3 4 57 49 41 33 25 1 1 58 50 42 34 8 15 10 2 59 51 43 22 19 11 3 60 52 29 63 55 47 39 31 36 7 62 54 46 38 43 14 6 61 53 45 50 21 13 5 28 20 5 17 26 35 44 23 30 37 12 6 9 18 27 36 15 22 29 4

Now that we have the 56-bit key, the next step is to use this key to generate 16 48-bit subkeys, called K[1]-K[16], which are used in the 16 rounds of DES for encryption and decryption. The procedure for generating the subkeys - known as key scheduling - is fairly simple: 1. Set the round number R to 1. 2. Split the current 56-bit key, K, up into two 28-bit blocks, L (the left-hand half) and R (the right-hand half). 3. Rotate L left by the number of bits specified in the table below, and rotate R left by the same number of bits as well. 4. Join L and R together to get the new K. 5. Apply Permuted Choice 2 (PC-2) to K to get the final K[R], where R is the round number we are on. 6. Increment R by 1 and repeat the procedure until we have all 16 subkeys K[1]-K[16]. Here are the tables involved in these operations: Subkey Rotation Table Round Number 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 1 1 2 2 2 2 2 2 1 2 2 2 2 2 2 1 Number of bits to rotate PC-2: Permuted Choice 2 Bit 0 1 2 3 4 5 14 17 11 24 1 5 1

13

7 13 19 25 31 37 43

3 23 16 41 30 44 46

28 19 7 52 40 49 42

15 12 27 31 51 39 50

6 4 20 37 45 56 36

21 26 13 47 33 34 29

10 8 2 55 48 53 32

3.2 Plaintext Preparation

Once the key scheduling has been performed, the next step is to prepare the plaintext for the actual encryption. This is done by passing the plaintext through a permutation called the Initial Permutation, or IP for short. This table also has an inverse, called the Inverse Initial Permutation, or IP^(-1). Sometimes IP^(-1) is also called the Final Permutation. Both of these tables are shown below. IP: Initial Permutation Bit 0 1 2 3 4 5 6 7 58 50 42 34 26 18 10 2 1 60 52 44 36 28 20 12 4 9 17 62 54 46 38 30 22 14 6 25 64 56 48 40 32 24 16 8 33 57 49 41 33 25 17 9 1 41 59 51 43 35 27 19 11 3 49 61 53 45 37 29 21 13 5 57 63 55 47 39 31 23 15 7 IP^(-1): Inverse Initial Permutation Bit 0 1 2 3 4 5 6 7 40 8 48 16 56 24 64 32 1 39 7 47 15 55 23 63 31 9 17 38 6 46 14 54 22 62 30 25 37 5 45 13 53 21 61 29 33 36 4 44 12 52 20 60 28 41 35 3 43 11 51 19 59 27 49 34 2 42 10 50 18 58 26 57 33 1 41 9 49 17 57 25 These tables are used just like PC-1 and PC-2 were for the key scheduling. By looking at the table is becomes apparent why one permutation is called the inverse of the other. For example, let's examine how bit 32 is transformed under IP. In the table, bit 32 is located at the intersection of the column labeled 4 and the row labeled 25. So this bit becomes bit 29 of the 64-bit block after the permutation. Now let's apply IP^(-1). In IP^(-1), bit 29 is located at the intersection of the column labeled 7 and the row labeled 25. So this bit becomes bit 32 after the permutation. And this is the bit position that we started with before the first permutation. So IP^(-1) really is the inverse of IP. It does the exact

14

opposite of IP. If you run a block of plaintext through IP and then pass the resulting block through IP^(-1), you'll end up with the original block.

3.3 DES Core Function

Once the key scheduling and plaintext preparation have been completed, the actual encryption or decryption is performed by the main DES algorithm. The 64-bit block of input data is first split into two halves, L and R. L is the left-most 32 bits, and R is the right-most 32 bits. The following process is repeated 16 times, making up the 16 rounds of standard DES. We call the 16 sets of halves L[0]-L[15] and R[0]-R[15]. 1. R[I-1] - where I is the round number, starting at 1 - is taken and fed into the E-Bit Selection Table, which is like a permutation, except that some of the bits are used more than once. This expands the number R[I-1] from 32 to 48 bits to prepare for the next step. 2. The 48-bit R[I-1] is XORed with K[I] and stored in a temporary buffer so that R[I-1] is not modified. 3. The result from the previous step is now split into 8 segments of 6 bits each. The leftmost 6 bits are B[1], and the right-most 6 bits are B[8]. These blocks form the index into the S-boxes, which are used in the next step. The Substitution boxes, known as S-boxes, are a set of 8 two-dimensional arrays, each with 4 rows and 16 columns. The numbers in the boxes are always 4 bits in length, so their values range from 0-15. The S-boxes are numbered S[1]-S[8]. 4. Starting with B[1], the first and last bits of the 6-bit block are taken and used as an index into the row number of S[1], which can range from 0 to 3, and the middle four bits are used as an index into the column number, which can range from 0 to 15. The number from this position in the S-box is retrieved and stored away. This is repeated with B[2] and S[2], B[3] and S[3], and the others up to B[8] and S[8]. At this point, we now have 8 4-bit numbers, which when strung together one after the other in the order of retrieval, give a 32-bit result. 5. The result from the previous stage is now passed into the P Permutation. 6. This number is now XORed with L[I-1], and moved into R[I]. R[I-1] is moved into L[I]. 7. At this point we have a new L[I] and R[I]. Here, we increment I and repeat the core function until I = 17, which means that 16 rounds have been executed and keys K[1]K[16] have all been used. When L[16] and R[16] have been obtained, they are joined back together in the same fashion they were split apart (L[16] is the left-hand half, R[16] is the right-hand half), then the two halves are swapped, R[16] becomes the left-most 32 bits and L[16] becomes the right-most 32 bits of the pre-output block and the resultant 64-bit number is called the pre-output.

15

Tables used in the DES Core Function

E-Bit Selection Table Bit 0 1 2 3 32 1 2 3 1 4 5 6 7 7 13 8 9 10 11 19 12 13 14 15 25 16 17 18 19 31 20 21 22 23 37 24 25 26 27 43 28 29 30 31 P Permutation Bit 0 1 2 16 7 20 1 29 12 28 5 1 15 23 9 13 5 18 31 17 2 8 24 21 32 27 3 25 19 13 30 29 22 11 4 S-Box 1: Substitution Box 1 Row / 0 1 2 3 4 5 6 7 Column 14 4 13 1 2 15 11 8 0 0 15 7 4 14 2 13 1 1 4 1 14 8 13 6 2 11 2 15 12 8 2 4 9 1 7 3 S-Box 2: Substitution Box 2 Row / 0 1 2 3 4 5 6 7 Column 15 1 8 14 6 11 3 4 0 3 13 4 7 15 2 8 14 1 0 14 7 11 10 4 13 1 2 13 8 10 1 3 15 4 2 3 S-Box 3: Substitution Box 3 Row / 0 1 2 3 4 5 6 7 Column 10 0 9 14 6 3 15 5 0 13 7 0 9 3 4 6 10 1 13 6 4 9 8 15 3 0 2 1 10 13 0 6 9 8 7 3 S-Box 4: Substitution Box 4 Row / Column 0 1 2 3 4 5 6 7 4 4 8 12 16 20 24 28 32 3 21 17 26 10 14 9 6 25 8 3 10 15 5 8 9 12 5 11 8 1 2 11 4 8 9 13 8 1 15 9 10 6 12 11 10 11 12 13 14 15 6 12 9 3 12 11 7 14 5 9 3 10 9 5 10 0 0 3 5 6 7 8 0 13 5 5 9 13 17 21 25 29 1

9 10 11 12 13 14 15 7 0 8 6 2 1 12 7 13 10 6 12 12 6 9 0 0 9 3 5 5 11 2 14 10 5 15 9

10 11 12 13 14 15 12 5 2 14 7 14 12 3 11 12 5 11 4 11 10 5 2 15 14 2 8 1 7 12

9 10 11 12 13 14 15 16

7 13 14 3 0 13 8 11 5 1 10 6 9 0 2 3 15 0 6 3 S-Box 5: Substitution Box 5 Row / 0 1 2 3 Column 2 12 4 1 0 14 11 2 12 1 4 2 1 11 2 11 8 12 7 3 S-Box 6: Substitution Box 6 Row / 0 1 2 3 Column 12 1 10 15 0 10 15 4 2 1 9 14 15 5 2 4 3 2 12 3 S-Box 7: Substitution Box 7 Row / 0 1 2 3 Column 4 11 2 14 0 13 0 11 7 1 1 4 11 13 2 6 11 13 8 3 S-Box 8: Substitution Box 8 Row / 0 1 2 3 Column 13 2 8 4 0 1 15 13 8 1 7 11 4 1 2 2 1 14 7 3

0 6 12 10 4 7 4 10 1 5

6 15 11 1 6

9 0 7 13 7

10 3 13 8 8

1 4 15 9 9

2 7 1 4

8 2 3 5

5 12 14 11

11 1 5 12

12 10 2 7

4 14 8 2

15 9 4 14

10 11 12 13 14 15 3 15 12 0 15 10 5 9 13 3 6 10 0 9 3 4 14 8 0 5 9 6 14 3

10 7 13 14

11 13 7 2 6 6 9 12 15

6 1 8 13 7 8 5 3 10 7 13 10 14 7 7 1 4 2 13

8 5 15 6 8 0 6 7 11 8 3 14 10 9 8 10 12 0 15

5 0 9 15 9 13 1 0 14 9 12 3 15 5 9 9 5 6 12

4 5 9 7 2 9 4 15 4 12 1 4 6 10 9 4 5 15 3 12 10 2 12 8 5

10 11 12 13 14 15 3 13 4 1 4 14 10 7 14 0 1 6 7 11 13 0 5 3 11 8 11 8 6 13

5 6 0 9 3 4 8 1 7 10 6 11 7 14 8

10 11 12 13 14 15 9 5 6 0 7 12 8 15 5 2 0 14 10 15 5 2 6 8 9 3 1 6 2 12

10 11 12 13 14 15 3 6 10 9 14 11 13 0 5 0 15 3 0 14 3 5 12 9 5 6 7 2 8 11

3.4 How to use the S-Boxes

The purpose of this example is to clarify how the S-boxes work. Suppose we have the following 48-bit binary number: 011101000101110101000111101000011100101101011101 In order to pass this through steps 3 and 4 of the Core Function as outlined above, the number is split up into 8 6-bit blocks, labeled B[1] to B[8] from left to right: 011101 000101 110101 000111 101000 011100 101101 011101 Now, eight numbers are extracted from the S-boxes - one from each box:

17

B[1] B[2] B[3] B[4] B[5] B[6] B[7] B[8]

= = = = = = = =

S[1](01, S[2](01, S[3](11, S[4](01, S[5](10, S[6](00, S[7](11, S[8](01,

1110) 0010) 1010) 0011) 0100) 1110) 0110) 1110)

= = = = = = = =

S[1][1][14] S[2][1][2 ] S[3][3][10] S[4][1][3 ] S[5][2][4 ] S[6][0][14] S[7][3][6 ] S[8][1][14]

= = = = = = = =

3 4 14 5 10 5 10 9

= = = = = = = =

0011 0100 1110 0101 1010 0101 1010 1001

In each case of S[n][row][column], the first and last bits of the current B[n] are used as the row index, and the middle four bits as the column index. The results are now joined together to form a 32-bit number which serves as the input to stage 5 of the Core Function (the P Permutation): 00110100111001011010010110101001

3.5 Ciphertext Preparation

The final step is to apply the permutation IP^(-1) to the pre-output. The result is the completely encrypted ciphertext.

3.6 Encryption and Decryption

The same algorithm can be used for encryption or decryption. The method described above will encrypt a block of plaintext and return a block of ciphertext. In order to decrypt the ciphertext and get the original plaintext again, the procedure is simply repeated but the subkeys are applied in reverse order, from K[16]-K[1]. That is, stage 2 of the Core Function as outlined above changes from R[I-1] XOR K[I] to R[I-1] XOR K[17I]. Other than that, decryption is performed exactly the same as encryption.

3.7 Strength of DES

1 2 3 With a key length of 56 bits, a brute force attack becomes impractical Design algorithm of S-boxes is kept a secret DES is also resistant to timing attacks

3.8 Comparison of modern symmetric key algorithms

Algorithm DES Plaintext 64 bits Ciphertext 64 bits Key size Rounds 56 bits 16 Advantages Simple and fast Less mathematical calculations Cryptanalysis is difficult More reliable Easy to upgrade the software to 3DES

3DES

64 bits

64 bits

168 bits

48 DES rounds

18

AES

128 bits

128 bits

Blowfish RC5

64 bits 32/64/128 bits

64 bits 32/64/128 bits

Longer keylength, difficult to crytanalyse 128/192/ 10/12/14 Longer keylengths 256 bits resp. supported More flexible 32-448 16 Fast and secure bits Compact 0-2040 variable Simple and fast bits Adaptable to processors of different word length Data dependent rotations

19

4 MODES OF OPERATION OF DES

4.1 ECB (Electronic Code Book) This is the regular DES algorithm. Data is divided into 64-bit blocks and each block is encrypted one at a time. Separate encryptions with different blocks are totally independent of each other. This means that if data is transmitted over a network or phone line, transmission errors will only affect the block containing the error. It also means, however, that the blocks can be rearranged, thus scrambling a file beyond recognition, and this action would go undetected. ECB is the weakest of the various modes because no additional security measures are implemented besides the basic DES algorithm. However, ECB is the fastest and easiest to implement, making it the most common mode of DES.

20

4.2 CBC (Cipher Block Chaining). In this mode of operation, each block of ECB encrypted ciphertext is XORed with the next plaintext block to be encrypted, thus making all the blocks dependent on all the previous blocks. This means that in order to find the plaintext of a particular block, you need to know the ciphertext, the key, and the ciphertext for the previous block. The first block to be encrypted has no previous ciphertext, so the plaintext is XORed with a 64-bit number called the Initialization Vector, or IV for short. So if data is transmitted over a network or phone line and there is a transmission error, the error will be carried forward to all subsequent blocks since each block is dependent upon the last. This mode of operation is more secure than ECB because the extra XOR step adds one more layer to the encryption process.

21

4.3 CFB (Cipher Feed Back) In this mode, blocks of plaintext that are less than 64 bits long can be encrypted. Normally, special processing has to be used to handle files whose size is not a perfect multiple of 8 bytes, but this mode removes that necessity (Stealth handles this case by adding several dummy bytes to the end of a file before encrypting it). The plaintext itself is not actually passed through the DES algorithm, but merely XORed with an output block from it, in the following manner: A 64-bit block called the Shift Register is used as the input plaintext to DES. This is initially set to some arbitrary value, and encrypted with the DES algorithm. The ciphertext is then passed through an extra component called the M-box, which simply selects the left-most M bits of the ciphertext, where M is the number of bits in the block we wish to encrypt. This value is XORed with the real plaintext, and the output of that is the final ciphertext. Finally, the ciphertext is fed back into the Shift Register, and used as the plaintext seed for the next block to be encrypted. As with CBC mode, an error in one block affects all subsequent blocks during data transmission. This mode of operation is similar to CBC and is very secure, but it is slower than ECB due to the added complexity.

22

4.4 OFB (Output Feed Back) This is similar to CFB mode, except that the ciphertext output of DES is fed back into the Shift Register, rather than the actual final ciphertext. The Shift Register is set to an arbitrary initial value, and passed through the DES algorithm. The output from DES is passed through the M-box and then fed back into the Shift Register to prepare for the next block. This value is then XORed with the real plaintext (which may be less than 64 bits in length, like CFB mode), and the result is the final ciphertext. Note that unlike CFB and CBC, a transmission error in one block will not affect subsequent blocks because once the recipient has the initial Shift Register value, it will continue to generate new Shift Register

23

plaintext inputs without any further data input. However, this mode of operation is less secure than CFB mode because only the real ciphertext and DES ciphertext output is needed to find the plaintext of the most recent block. Knowledge of the key is not required.

24

4.5 CTR (Counter) A counter, equal to the plaintext block size is used. The counter value must be different for each plaintext block that is encrypted. The counter is initialized to some value and then incremented by 1 for each substitution. For encryption, the counter is encrypted and then XORed with the plaintext block to produce the ciphertext block.

25

5. PUBLIC KEY CRYPTOGRAPHY

5.1 Comparison of Symmetric Key and Public Key Cryptography With symmetric-key encryption, the encryption key can be calculated from the decryption key and vice versa. With most symmetric algorithms, the same key is used for both encryption and decryption, as shown in Figure

Implementations of symmetric-key encryption can be highly efficient, so that users do not experience any significant time delay as a result of the encryption and decryption. Symmetric-key encryption is effective only if the symmetric key is kept secret by the two parties involved. If anyone else discovers the key, it affects both confidentiality and authentication. A person with an unauthorized symmetric key not only can decrypt messages sent with that key, but can encrypt new messages and send them as if they came from one of the two parties who were originally using the key. Public-key encryption (also called asymmetric encryption) involves a pair of keys--a public key and a private key--associated with an entity that needs to authenticate its identity electronically or to sign or encrypt data. Each public key is published, and the corresponding private key is kept secret. Data encrypted with the public key can be decrypted only with the private key. The figure shows a simplified view of the way public-key encryption works.

The scheme lets us freely distribute a public key, and only you will be able to read data encrypted using this key. In general, to send encrypted data to someone, we encrypt the data with that person's public key, and the person receiving the encrypted data decrypts it with the corresponding private key. Compared with symmetric-key encryption, publickey encryption requires more computation and is therefore not always appropriate for large amounts of data. However, it's possible to use public-key encryption to send a symmetric key, which can then be used to encrypt additional data. As it happens, the reverse of the scheme shown in Figure also works: data encrypted with your private key can be decrypted only with your public key. This would not be a

26

desirable way to encrypt sensitive data, however, because it means that anyone with your public key, which is by definition published, could decrypt the data. Nevertheless, private-key encryption is useful, because it means you can use your private key to sign data with your digital signature--an important requirement for electronic commerce and other commercial applications of cryptography.

27

6. RSA Algorithm
The algorithm was described in 1977 by Ron Rivest, Adi Shamir and Len Adleman at MIT; the letters RSA are the initials of their surnames. This is the most commonly used algorithm in public key cryptography 6.1 Key Generation Suppose a user X wishes to allow Y to send a private message over an insecure transmission medium. X takes the following steps to generate a public key and a private key: 1. Choose two large prime numbers independently of each other. 2. Compute . . which is coprime to . and such that , randomly and

3. Compute the totient 4. Choose an integer e such that 5. Compute d such that The public key consists of

n, the modulus, and e, the public exponent (sometimes encryption exponent). n, the modulus, which is public and appears in the public key, and d, the private exponent (sometimes decryption exponent), which must be kept secret.

The private key consists of

6.2 Encrypting messages

Suppose Bob wishes to send a message M to Alice. He turns M into a number m < n, using some previously agreed-upon reversible protocol known as a padding scheme. Bob now has m, and knows n and e, which Alice has announced. He then computes the ciphertext c corresponding to m: Bob then transmits c to Alice

6.3 Decrypting messages

Alice receives c from Bob, and knows her private key d. She can recover m from c by the following procedure:

The proof is given in Appendix 28

6.4 A working example

Here is an example of RSA encryption and decryption. The parameters used here are artificially smallWe let p = 61 q = 53 n = pq = 3233 e = 17 d = 2753 - first prime number (to be kept secret or deleted securely) - second prime number (to be kept secret or deleted securely) - modulus (to be made public) - public exponent (to be made public) - private exponent (to be kept secret)

The public key is (e, n). The private key is d. The encryption function is: encrypt(m) = me mod n = m17 mod 3233 where m is the plaintext. The decryption function is: decrypt(c) = cd mod n = c2753 mod 3233 where c is the ciphertext. To encrypt the plaintext value 123, we calculate encrypt(123) = 12317 mod 3233 = 855 To decrypt the ciphertext value 855, we calculate decrypt(855) = 8552753 mod 3233 = 123

6.5 Security of RSA The security of the RSA cryptosystem is based on two mathematical problems: the problem of factoring very large numbers, and the RSA problem. Full decryption of an RSA ciphertext is thought to be infeasible on the assumption that both of these problems are hard, i.e., no efficient algorithm exists for solving them. The RSA problem is defined as the task of taking eth roots modulo a composite n: recovering a value m such that me=c mod n, where (e, n) is an RSA public key and c is an RSA ciphertext. Currently the most promising approach to solving the RSA problem is to factor the modulus n. With the ability to recover prime factors, an attacker can compute the secret exponent d from a public key (e, n), then decrypt c using the standard procedure. To accomplish this, an attacker factors n into p and q, and computes (p-1)(q-1) which allows the determination of d from e. No polynomial-time method for factoring large integers on a classical computer has yet been found, but it has not been proven that none exists. 6.6 Practical Considerations Speed RSA is much slower than DES and other symmetric cryptosystems.

29

Key distribution As with all ciphers, how RSA public keys are distributed is important to security. Key distribution must be secured against a man-in-the-middle attack. In principle, neither sender nor receiver would be able to detect an outsiders presence. Defenses against such attacks are often based on digital certificates. Timing attacks

6.7 Comparison of RSA and DES Feature speed data block length key length use of data space DES high 64 bits 56 bits full, 64 bits (264), 8 bytes ciphering & deciphering same key ciphering & deciphering different algorithm algorithm contains only no XOR and branching cryptanalysis method differential method RSA low minimum 512 bits minimum 512 bits variable, limited, not defined, different same no product factorization

30

7. Diffie Hellman Key Exchange

Diffie-Hellman key agreement was invented in 1976 during a collaboration between Whitfield Diffie and Martin Hellman and was the first practical method for establishing a shared secret over an unprotected communications channel. 7.1 Description The simplest, and original, implementation of the protocol uses the multiplicative group of integers modulo p, where p is prime and g is primitive mod p. Modulo (or mod) simply means that the integers between 1 and p 1 are used with normal multiplication, exponentiation and division, except that after each operation the result keeps only the remainder after dividing by p. Here is an example of the protocol: 1. Alice and Bob agree to use a prime number p=23 and base g=5. 2. Alice chooses a secret integer a=6, then sends Bob (ga mod p)
o

56 mod 23 = 8. 515 mod 23 = 19. 196 mod 23 = 2. 815 mod 23 = 2.

3. Bob chooses a secret integer b=15, then sends Alice (gb mod p)
o

4. Alice computes (gb mod p)a mod p

o

5. Bob computes (ga mod p)b mod p Both Alice and Bob have arrived at the same value, because gab and gba are equal. Note that only a, b, gab and gba are kept secret. All the other values are sent in the clear. Once Alice and Bob compute the shared secret they can use it as an encryption key, known only to them, for sending messages across the same open communications channel. Of course, much larger values of a,b, and p would be needed to make this example secure, since it is easy to try all the possible values of gab mod 23 (there will be, at most, 22 such values, even if a and b are large). If p was a prime of more than 300 digits, and a and b were at least 100 digits long, then even the best known algorithms for finding a given only g, p, and ga mod p (known as the discrete logarithm problem) would take longer than the lifetime of the universe to run. g need not be large at all, and in practice is usually either 2 or 5. Here's a more general description of the protocol: 1. Alice and Bob agree on a finite cyclic group G and a generating element g in G. (This is usually done long before the rest of the protocol; g is assumed to be known by all attackers.) We will write the group G multiplicatively. 2. 3. 4. Alice picks a random natural number a and sends ga to Bob. Bob picks a random natural number b and sends gb to Alice. Alice computes (gb)a.

31

5. Bob computes (ga)b. Both Alice and Bob are now in possession of the group element gab which can serve as the shared secret key. 7.2 Security The protocol is considered secure against eavesdroppers if G and g are chosen properly. The eavesdropper must solve the Diffie-Hellman problem to obtain gab. This is currently considered difficult. An efficient algorithm to solve the discrete logarithm problem would make it easy to compute a or b and solve the Diffie-Hellman problem, making this protocol insecure. The order of G should be prime or have a large prime factor to prevent obtaining a or b. The secret integers a and b are discarded at the end of the session. Therefore, DiffieHellman key exchange by itself trivially achieves perfect forward secrecy because no long-term private keying material exists to be disclosed. 7.3 Authentication In the original description, the Diffie-Hellman exchange by itself does not provide authentication of the parties, and is thus vulnerable to man in the middle attack. The manin-the-middle may establish two distinct Diffie-Hellman keys, one with Alice and the other with Bob, and then try to masquerade as Alice to Bob and/or vice-versa, perhaps by decrypting and re-encrypting messages passed between them. Some method to authenticate these parties to each other is generally needed

32

8. Message Authentication Code (MAC) and Hash Functions

Message authentication is concerned with a) Protecting integrity of the message b) Validating identity of the originator c) Non-repudiation of origin There are three different ways to achieve message authentication 1 2 3 Message Encryption MAC Hash functions

Message encryption can be either a symmetric key encryption or public key encryption. If symmetric key encryption is used receiver and sender should communicate the secret key, which is a hazardous task. If public key encryption is used and public key is used for encryption, there is no confidence of sender. However if sender uses private key for encryption, both confidentiality and authentication is provided. But still we need to recognize corrupted messages 8.1 MAC A cryptographic message authentication code (MAC) is a short piece of information used to authenticate a message. A MAC algorithm accepts as input a secret key and an arbitrary-length message to be authenticated, and outputs a MAC (sometimes known as a tag). The MAC value protects both a message's integrity as well as its authenticity, by allowing verifiers (who also possess the secret key) to detect any changes to the message content. A MAC is a cryptographic checksum MAC = CK(M) MAC is a many-to-one function. Potentially many messages have same MAC. But finding these needs to be very difficult Requirements for MAC 1. Knowing a message and MAC, is infeasible to find another message with same MAC 2. MACs should be uniformly distributed 3. MAC should depend equally on all bits of the message

33

8.2 HASH Functions A hash function H is a transformation that takes a variable-size input m and returns a fixed-size string, which is called the hash value h (that is, h = H(m)). Hash functions with just this property have a variety of general computational uses, but when employed in cryptography the hash functions are usually chosen to have some additional properties. The basic requirements for a cryptographic hash function are:
o o o o o

the input can be of any length, the output has a fixed length, H(x) is relatively easy to compute for any given x , H(x) is one-way, H(x) is collision-free.

A hash function H is said to be one-way if it is hard to invert, where "hard to invert" means that given a hash value h, it is computationally infeasible to find some input x such that H(x) = h. If, given a message x, it is computationally infeasible to find a message y not equal to x such that H(x) = H(y) then H is said to be a weakly collision-free hash function. A strongly collision-free hash function H is one for which it is computationally infeasible to find any two messages x and y such that H(x) = H(y).

34

9. Digital Signature
Digital signature (or public-key digital signature) is a type of method for authenticating digital information analogous to ordinary physical signatures on paper, but implemented using techniques from the field of public-key cryptography. A digital signature method generally defines two complementary algorithms, one for signing and the other for verification, and the output of the signing process is also called a digital signature. Digital signature has also been used as a broader term encompassing both public-key digital signature techniques and message authentication codes. Instead of encrypting the data itself, the signing software creates a one-way hash of the data, then uses the private key to encrypt the hash. The encrypted hash, along with other information, such as the hashing algorithm, is known as a digital signature. The figure shows a simplified view of the way a digital signature can be used to validate the integrity of signed data. Using a digital signature to validate data integrity

The figure shows two items transferred to the recipient of some signed data: the original data and the digital signature, which is basically a one-way hash (of the original data) that has been encrypted with the signer's private key. To validate the integrity of the data, the receiving software first uses the signer's public key to decrypt the hash. It then uses the same hashing algorithm that generated the original hash to generate a new one-way hash of the same data. (Information about the hashing algorithm used is sent with the digital signature, although this isn't shown in the figure.) Finally, the receiving software compares the new hash against the original hash. If the two hashes match, the data has not changed since it was signed. If they don't match, the data may have been tampered with since it was signed, or the signature may have been created with a private key that doesn't correspond to the public key presented by the signer. If the two hashes match, the recipient can be certain that the public key used to decrypt the digital signature corresponds to the private key used to create the digital signature. Confirming the identity of the signer, however, also requires some way of confirming that the public key really belongs to a particular person or other entity

35

The significance of a digital signature is comparable to the significance of a handwritten signature. Once you have signed some data, it is difficult to deny doing so later-assuming that the private key has not been compromised or out of the owner's control. This quality of digital signatures provides a high degree of non repudiation--that is, digital signatures make it difficult for the signer to deny having signed the data. In some situations, a digital signature may be as legally binding as a handwritten signature.

36

QUESTIONS
1. What is cryptography? 2. What is a block cipher? 3. What is a Fiestel cipher? 4. What are weak keys? 5. What is DES? 6. What is triple DES? 7. What are ECB and CBC modes? 8. What is Blowfish? 9. What is multiple encryption? 10. What is stream cipher? 11. What is public key cryptography? 12. What are the key management issues involved in public key cryptography? 13. What are certificates? 14. What are the advantages of public key cryptography over symmetric key cryptography? 15. What is a one-way function? 16. What is the significance of one way function in cryptography? 17. What is RSA? 18. What are the different types of attacks on RSA? 19. What is the RSA factoring challenge? 20. How is RSA used for authentication in practice? 21. What is Diffie Hellman key exchange? 22. What is the significance of factoring in cryptography? 23. What is the discrete logarithm problem? 24. What are MACs? 25. What is a hash function?

37