
9/9/16

Cryptography & Network Security Course

Nirmalya Kar

Introduction

Course Overview

Dan Boneh

Did you use any cryptography
today?
Yesterday?
over the last week?

Welcome
Course objectives:
Learn how crypto primitives work
Learn how to use them correctly and reason about security
My recommendations:
Take notes
Answer the in-class questions


Cryptography is everywhere
Secure communication:
web traffic: HTTPS
wireless traffic: 802.11i WPA2 (and WEP), GSM, Bluetooth

Encrypting files on disk: EFS, TrueCrypt


Content protection (e.g. DVD, Blu-ray): CSS, AACS
User authentication
and much much more

Secure communication

no eavesdropping
no tampering


Protected files on disk


[Figure: Alice stores File 1 and File 2 on disk]
No eavesdropping
No tampering

Analogous to secure communication:
Alice today sends a message to Alice tomorrow

Building block: sym. encryption


[Figure: Alice computes E(k,m)=c from m and sends c; Bob computes D(k,c)=m]

E, D: cipher
k: secret key (e.g. 128 bits)
m, c: plaintext, ciphertext

Encryption algorithm is publicly known
Never use a proprietary cipher

Use Cases
Single use key: (one time key)
Key is only used to encrypt one message
encrypted email: new key generated for every email
Multi use key: (many time key)
Key used to encrypt multiple messages
encrypted files: same key used to encrypt many files
Need more machinery than for one-time key

Things to remember
Cryptography is:
A tremendous tool
The basis for many security mechanisms
Cryptography is not:
The solution to all security problems
Reliable unless implemented and used properly
Something you should try to invent yourself
many many examples of broken ad-hoc designs

Books to Read

And many more ..



End of Segment


What is cryptography?


Good Guys and Bad Guys


Alice and Bob are the good guys
Trudy is the bad guy
Trudy is our generic intruder

Good Guys and Bad Guys


Alice and Bob want to communicate securely
Typically, over a network

Alice or Bob might also want to store their data securely
Trudy wants to read Alice and Bob's secrets
Or Trudy might have other devious plans
Cause confusion, denial of service, etc.

CIA
Confidentiality, Integrity, Availability
Confidentiality: prevent unauthorized reading of information
Integrity: prevent unauthorized writing of information
Availability: data is available in a timely manner when needed
Availability is a new security concern
Due to denial of service (DoS) threats

Crypto
Cryptology: the art and science of making and breaking secret codes
Cryptography: making secret codes
Cryptanalysis: breaking secret codes
Crypto: all of the above (and more)


How to Speak Crypto


A cipher or cryptosystem is used to encrypt the plaintext
The result of encryption is ciphertext
We decrypt ciphertext to recover plaintext
A key is used to configure a cryptosystem


Crypto as a Black Box


[Figure: plaintext Pi → encrypt (key) → ciphertext Ci → decrypt (key) → plaintext Pi]

Note Pi is the ith unit of plaintext
And Ci is the corresponding ciphertext
Unit may be bit, letter, block of bits, etc.

Who Knows What?


[Figure: Alice encrypts plaintext Pi with the key; Trudy sees the ciphertext Ci; Bob decrypts Ci with the key to recover plaintext Pi]

Trudy knows the ciphertext
Trudy knows the cipher and how it works
Trudy might know a little more
Trudy does not know the key


Cryptanalysis
This course is focused on cryptanalysis
Trudy wants to recover key or plaintext
Trudy is not bound by any rules
For example, Trudy might attack the implementation, not the algorithm itself
She might use side channel info, etc.


Why Study Cryptography?


Information security is a big topic
Crypto, Access control, Protocols, Software
Real world info security problems abound

Cryptography is the part of information security that works best
Using crypto correctly is important
The more we make other parts of security behave like crypto, the better


Why Study Cryptanalysis?


Study of cryptanalysis gives insight into all aspects of crypto
Gain insight into attacker's mindset
black hat vs white hat mentality

Cryptanalysis is more fun than cryptography
Cryptographers are boring
Cryptanalysts are cool

But cryptanalysis is hard


Crypto core

Secret key establishment:
[Figure: Alice (talking to Bob) and Bob (talking to Alice); attacker???]

Secure communication:
[Figure: messages m1 and m2 exchanged between Alice and Bob]
confidentiality and integrity

But crypto can do much more


Digital signatures
[Figure: Alice, signature]

Anonymous communication
[Figure: Alice and Bob; "Who did I just talk to?"]


But crypto can do much more


Digital signatures
Anonymous communication
Anonymous digital cash
Can I spend a digital coin without anyone knowing who I am?
How to prevent double spending?
[Figure: Alice spends 1$ over the Internet (anon. comm.); "Who was that?"]

Crypto magic
Privately outsourcing computation
[Figure: Alice sends E[ query ] for her search query and receives E[ results ]; "What did she search for?"]

Zero knowledge (proof of knowledge)
[Figure: Alice knows N=pq ("I know the factors of N !!") and sends a proof to Bob, who knows only N; ???]

A rigorous science
The three steps in cryptography:
Precisely specify threat model
Propose a construction
Prove that breaking construction under threat model will solve an underlying hard problem

End of Segment


Online Cryptography Course

Introduction


Definitions
Computer Security - generic name for the collection of tools designed to protect data and to thwart hackers
Network Security - measures to protect data during their transmission
Internet Security - measures to protect data during their transmission over a collection of interconnected networks


Attacks, Services and Mechanisms


Security Attacks
An action that compromises information security
Could be passive or active attacks

Security Services
Such as authentication, identification, encryption, signature, secret sharing and so on.

Security mechanism
The ways to provide such services
Detect, prevent and recover from a security attack


Taxonomy of attacks with relation to security goals


Relation between security services and mechanisms


Security Services (X.800)


Authentication
Peer Entity Authentication
Data Origin Authentication

Access Control
Data Confidentiality

Connection Confidentiality
Connectionless Confidentiality
Selective-Field Confidentiality
Traffic Flow Confidentiality

contd
Data Integrity
Connection Integrity with Recovery
Connection Integrity without Recovery
Selective-Field Connection Integrity
Connectionless Integrity
Selective-Field Connectionless Integrity

Non-Repudiation
Nonrepudiation, Origin
Nonrepudiation, Destination


Types of Cryptanalytic Attacks


Ciphertext-Only Attack


Known-Plaintext Attack


Chosen-Plaintext Attack


Chosen-Ciphertext Attack


End of Segment


History
Classical Encryption Techniques

Symmetric Ciphers


Few Historic Examples (all badly broken)


1. Substitution cipher

k :=


Mono-alphabetic Cipher
rather than just shifting the alphabet could shuffle (jumble) the letters arbitrarily
each plaintext letter maps to a different random ciphertext letter

Plaintext  : abcdefghijklmnopqrstuvwxyz
Ciphertext : DKVQFIBJWPESCXHTMYAUOLRGZN

Plaintext  : ifwewishtoreplaceletters
Ciphertext : WIRFRWAJUHYFTSDVFSFUUFYA

Caesar Cipher (no key)


What is the size of key space in the substitution cipher assuming 26 letters?


How to break a substitution cipher?


What is the most common letter in English text?
X
L
E
H

How to break a substitution cipher?


(1) Use frequency of English letters


(2) Use frequency of English letters (digrams and trigrams)


2. Playfair cipher
(invented by Charles Wheatstone in 1854, but named after his friend Baron Playfair)

a 5x5 matrix of letters based on a keyword
fill in letters of keyword (minus duplicates)
fill rest of matrix with other letters
eg. using the keyword MONARCHY


Encryption and Decryption technique

Plaintext encrypted two letters at a time:

1. if a pair is a repeated letter, insert a filler like 'X',
eg. "balloon" encrypts as "ba lx lo on"
2. if both letters fall in the same row, replace each with letter to right (wrapping back to start from end),
eg. "ar" encrypts as "RM"

contd
3. if both letters fall in the same column, replace each with the letter below it (again wrapping to top from bottom),
eg. "mu" encrypts to "CM"
4. otherwise each letter is replaced by the one in its row in the column of the other letter of the pair,
eg. "hs" encrypts to "BP", and "ea" to "IM" or "JM" (as desired)
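
The four rules above, worked through in code with the keyword MONARCHY. This is an added example, not part of the original slides; the function names and the choice of 'Q' as a second filler are assumptions.

```python
# Added example: Playfair as described on the slides, keyword MONARCHY.
# I and J share one cell; the 5x5 square is stored row by row as 25 letters.
import string


def build_square(keyword):
    """Keyword letters first (duplicates dropped), then the remaining letters."""
    square = []
    for ch in keyword.upper() + string.ascii_uppercase:
        ch = "I" if ch == "J" else ch
        if ch in string.ascii_uppercase and ch not in square:
            square.append(ch)
    return "".join(square)


def to_digrams(plaintext, filler="X"):
    """Rule 1: split into pairs; a repeated letter in a pair gets the filler.
    A lone last letter is padded as well. 'Q' stands in when the letter to pad
    is itself the filler (assumption: the slides do not cover that case)."""
    letters = ["I" if c == "J" else c for c in plaintext.upper()
               if c in string.ascii_uppercase]
    pairs, i = [], 0
    while i < len(letters):
        first = letters[i]
        if i + 1 < len(letters) and letters[i + 1] != first:
            pairs.append(first + letters[i + 1])
            i += 2
        else:
            pairs.append(first + (filler if first != filler else "Q"))
            i += 1
    return pairs


def transform_pair(square, pair, step):
    """Rules 2-4 for one pair. step=+1 encrypts, step=-1 decrypts."""
    (ra, ca), (rb, cb) = (divmod(square.index(ch), 5) for ch in pair)
    if ra == rb:        # same row: take the neighbour to the right/left, wrapping
        ca, cb = (ca + step) % 5, (cb + step) % 5
    elif ca == cb:      # same column: take the neighbour below/above, wrapping
        ra, rb = (ra + step) % 5, (rb + step) % 5
    else:               # rectangle: keep own row, take the other letter's column
        ca, cb = cb, ca
    return square[ra * 5 + ca] + square[rb * 5 + cb]


def playfair_encrypt(plaintext, keyword):
    square = build_square(keyword)
    return "".join(transform_pair(square, p, +1) for p in to_digrams(plaintext))


def playfair_decrypt(ciphertext, keyword):
    """Returns the padded digram text; fillers are left for the reader to drop."""
    if len(ciphertext) % 2:
        raise ValueError("Playfair ciphertext has an even number of letters")
    square = build_square(keyword)
    pairs = [ciphertext[i:i + 2].upper() for i in range(0, len(ciphertext), 2)]
    return "".join(transform_pair(square, p, -1) for p in pairs)


if __name__ == "__main__":
    sq = build_square("MONARCHY")
    for row in range(5):
        print(" ".join(sq[row * 5:row * 5 + 5]))
    for sample in ("ar", "mu", "hs", "ea", "balloon"):
        print(sample, "->", playfair_encrypt(sample, "MONARCHY"))
```

Because each digram always maps to the same ciphertext digram under one key, digram frequencies survive encryption, which is what breaks the cipher.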


2. Vigenère cipher (16th century, Rome)

k = C R Y P T O C R Y P T O C R Y P T
m = W H A T A N I C E D A Y T O D A Y    (+ mod 26)
c = Z Z Z J U C L U D T U N W G C Q S

suppose most common = "H" → first letter of key = "H" - "E" = "C"



Example


Vigenère Cipher (Cryptanalysis)

determine the length of the keyword (Kasiski test)
Key        : deceptivedeceptivedeceptive
plaintext  : wearediscoveredsaveyourself
ciphertext : ZICVTWQNGRZGVTWAVZHCQYGLMGJ
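
The Kasiski test on the ciphertext above, as an added example that is not part of the original slides. It uses the A=0 letter numbering that reproduces this slide's ciphertext; the function names are assumptions.

```python
# Added example: Vigenere encryption and the Kasiski test on the slide's text.
from collections import defaultdict
from functools import reduce
from math import gcd

A = ord("A")
SLIDE_KEY = "deceptive"
SLIDE_PLAINTEXT = "wearediscoveredsaveyourself"
SLIDE_CIPHERTEXT = "ZICVTWQNGRZGVTWAVZHCQYGLMGJ"


def shift_text(text, key, sign):
    """Add (sign=+1) or subtract (sign=-1) the repeated key, letter by letter, mod 26."""
    letters = [ord(ch) - A for ch in text.upper() if ch.isalpha()]
    shifts = [ord(ch) - A for ch in key.upper()]
    return "".join(
        chr((m + sign * shifts[i % len(shifts)]) % 26 + A)
        for i, m in enumerate(letters)
    )


def vigenere_encrypt(plaintext, key):
    return shift_text(plaintext, key, +1)


def vigenere_decrypt(ciphertext, key):
    return shift_text(ciphertext, key, -1)


def kasiski_distances(ciphertext, n=3):
    """Map every n-gram that occurs more than once to the distances between
    its successive occurrences."""
    positions = defaultdict(list)
    for i in range(len(ciphertext) - n + 1):
        positions[ciphertext[i:i + n]].append(i)
    return {
        gram: [b - a for a, b in zip(pos, pos[1:])]
        for gram, pos in positions.items()
        if len(pos) > 1
    }


def candidate_key_lengths(ciphertext, n=3):
    """Divisors (greater than 1) of the gcd of all repeat distances.
    A repeat usually means the same plaintext met the same key letters, so the
    distance is a multiple of the key length."""
    distances = [d for ds in kasiski_distances(ciphertext, n).values() for d in ds]
    if not distances:
        return []
    common = reduce(gcd, distances)
    return [k for k in range(2, common + 1) if common % k == 0]


if __name__ == "__main__":
    print(vigenere_encrypt(SLIDE_PLAINTEXT, SLIDE_KEY))
    print(kasiski_distances(SLIDE_CIPHERTEXT))      # VTW repeats 9 positions apart
    print(candidate_key_lengths(SLIDE_CIPHERTEXT))  # the key "deceptive" has length 9
```

Once a key length L is fixed, every L-th ciphertext letter was shifted by the same key letter, so each of the L columns can be attacked with single-letter frequency analysis.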


MODULAR ARITHMETIC
The division relationship (a = q × n + r) has two inputs (a and n) and two outputs (q and r).
But in modular arithmetic, we are interested in only one of the outputs, the remainder r.


Modulo Operator
The modulo operator is shown as mod. The second input (n) is called
the modulus. The output r is called the residue.
Figure : Division algorithm and modulo operator


Set of Residues
The modulo operation creates a set, which in modular arithmetic is
referred to as the set of least residues modulo n, or Zn.

Figure : Some Zn sets


The congruence relation


Two integers a and b are said to be congruent modulo n, if their
difference (a - b) is an integer multiple of n.
or
Both numbers have the same remainder when divided by n.


Properties of congruence
Property 1 Congruence is reflexive, i.e., a ≡ a (mod m) for every integer a and natural number m.
Property 2 Congruence is symmetric, i.e., if a ≡ b (mod m), then b ≡ a (mod m).
Property 3 Congruence is transitive, i.e., if a ≡ b (mod m) and b ≡ c (mod m), then a ≡ c (mod m).

Contd
Property 4 Congruences may be added: if a ≡ b (mod m) and c ≡ d (mod m), then a + c ≡ b + d (mod m).
Property 5 Congruences may be multiplied: if a ≡ b (mod m) and c ≡ d (mod m), then ac ≡ bd (mod m).
Property 6 Both sides of a congruence may be divided by a number relatively prime to m: if ab ≡ ac (mod m) and (a, m) = 1, then b ≡ c (mod m).

Inverses
In modular arithmetic, we often need to find the inverse of a number relative to an operation.
We are normally looking for an additive inverse (relative to an addition operation) or a multiplicative inverse (relative to a multiplication operation).


Additive Inverse
In Zn, two numbers a and b are additive inverses of each other if

Note
In modular arithmetic, each integer has an additive inverse. The sum of an integer and its additive inverse is congruent to 0 modulo n.

Multiplicative Inverse

In Zn, two numbers a and b are the multiplicative inverse of each other if

Note
In modular arithmetic, an integer may or may not have a multiplicative inverse.
When it does, the product of the integer and its multiplicative inverse is congruent to 1 modulo n.

Hill Cipher
takes m successive plaintext letters and substitutes for them m ciphertext letters

Note
The key matrix in the Hill cipher needs to have a multiplicative inverse.

example
Consider the plaintext "pay more money" and use the encryption key

The first three letters of the plaintext are represented by the vector

the ciphertext for the entire plaintext is LNSHDLEWMTRW.



For example, the plaintext "code is ready" can make a 3 × 4 matrix when adding extra bogus character "z" to the last block and removing the spaces. The ciphertext is "OHKNIHGKLISS".


Assume that Eve knows that m = 3. She has intercepted three plaintext/ciphertext pair blocks (not necessarily from the same message) as shown in Figure .


She makes matrices P and C from these pairs. Because P is invertible, she inverts the P matrix and multiplies it by C to get the K matrix as shown in Figure

Now she has the key and can break any ciphertext encrypted with that key.


3. Rotor Machines (1870-1943)


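Early example: the Hebern machine (single rotor)
[Figure: the rotor, set by the key, maps A, B, C, ..., X, Y, Z to K, S, T, ..., R, N, E; after one step the column reads E, K, S, T, ..., R, N and after another N, E, K, S, T, ..., R]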

Rotor Machines (cont.)


Most famous: the Enigma (3-5 rotors)

# keys = 26^4 = 2^18 (actually 2^36 due to plugboard)



Transposition Ciphers
A transposition cipher does not substitute one symbol for another,
instead it changes the location of the symbols.

Classification

Keyless Transposition Ciphers
Keyed Transposition Ciphers
Combining Two Approaches


Keyless Transposition Ciphers


A good example of a keyless cipher using the first method is the rail fence cipher. The ciphertext is created reading the pattern row by row. For example, to send the message "Meet me at the park" to Bob, Alice writes
She then creates the ciphertext "MEMATEAKETETHPR".
She creates the ciphertext "MMTAEEHREAEKTTP".
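
Both ciphertexts above can be reproduced in code: the first with a two-row rail fence, the second by writing the message row by row into four columns and reading it column by column. This is an added example, not part of the original slides; it goes beyond the slide by also accepting a column order (a keyed transposition), and the order [2, 0, 3, 1] in the demo is constructed.

```python
# Added example: keyless transposition ciphers from the slide, plus a keyed
# column order. A transposition only rearranges positions, so each cipher is
# fully described by the order in which plaintext indices are read out.


def normalize(message):
    return "".join(ch for ch in message.upper() if ch.isalpha())


def rail_fence_order(length, rails):
    """Plaintext indices in ciphertext order for a zigzag over `rails` rows."""
    if rails < 2:
        return list(range(length))
    cycle = 2 * (rails - 1)
    rows = [min(i % cycle, cycle - i % cycle) for i in range(length)]
    return sorted(range(length), key=lambda i: (rows[i], i))


def columnar_order(length, column_order):
    """Plaintext indices in ciphertext order when the text is written row by
    row into len(column_order) columns and the columns are read in that order."""
    cols = len(column_order)
    if sorted(column_order) != list(range(cols)):
        raise ValueError("column_order must be a permutation of 0..cols-1")
    return [i for c in column_order for i in range(c, length, cols)]


def scramble(text, order):
    return "".join(text[i] for i in order)


def unscramble(ciphertext, order):
    """Invert a transposition: the k-th ciphertext letter goes back to order[k]."""
    out = [""] * len(ciphertext)
    for ch, i in zip(ciphertext, order):
        out[i] = ch
    return "".join(out)


def rail_fence_encrypt(message, rails=2):
    text = normalize(message)
    return scramble(text, rail_fence_order(len(text), rails))


def rail_fence_decrypt(ciphertext, rails=2):
    return unscramble(ciphertext, rail_fence_order(len(ciphertext), rails))


def columnar_encrypt(message, column_order):
    text = normalize(message)
    return scramble(text, columnar_order(len(text), column_order))


def columnar_decrypt(ciphertext, column_order):
    return unscramble(ciphertext, columnar_order(len(ciphertext), column_order))


if __name__ == "__main__":
    msg = "Meet me at the park"
    print(rail_fence_encrypt(msg))             # first ciphertext on the slide
    print(columnar_encrypt(msg, range(4)))     # second ciphertext on the slide
    print(columnar_encrypt(msg, [2, 0, 3, 1])) # constructed keyed column order
```

The keyless variants need no secret to invert, and every transposition leaves the letter frequencies of the plaintext unchanged.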

Row Transposition Ciphers


write the message in a rectangle, row by row, and read the message off, column by column, but permute the order of the columns.
then reorder the columns according to some key before reading off the rows
Plain text: attack postponed until two am


Example


Keys
In Example, a single key was used in two directions for the column
exchange: downward for encryption, upward for decryption. It is
customary to create two keys.

Figure: Encryption/decryption keys in transpositional ciphers


Figure : Key inversion in a transposition cipher


Double Transposition Ciphers


Task :
For the given cipher text & key, find the plain text if double transposition of columns was employed by the sender
Cipher text : GOOYTPGRYAHPCROISD
Key         : 241536 for both rounds.


Stream And Block Ciphers

The literature divides the symmetric ciphers into two broad categories: stream ciphers and block ciphers.
A stream cipher is one that encrypts a digital data stream one bit or one byte at a time.
Example:- the autokeyed Vigenère cipher and the Vernam cipher.
A block cipher is one in which a block of plaintext is treated as a whole and used to produce a ciphertext block of equal length.
Typically, a block size of 64 or 128 bits is used.

Stream Ciphers


Block Ciphers
In a block cipher, a group of plaintext symbols of size m (m > 1)
are encrypted together creating a group of ciphertext of the
same size. A single key is used to encrypt the whole block even if
the key is made of multiple values.


End of Segment


Modern Block ciphers


Basics


A modern block cipher


Problem
How many padding bits must be added to a message of 100
characters if 8-bit ASCII is used for encoding and the block
cipher accepts blocks of 64 bits?

Solution :


Substitution or Transposition
Note
To be resistant to exhaustive-search attack,
a modern block cipher needs to be designed as a
substitution cipher.


Problem
Suppose that we have a block cipher where n = 64. If there are 10
1s in the ciphertext, how many trial-and-error tests does Eve
need to do to recover the plaintext from the intercepted
ciphertext in each of the following cases?
a. The cipher is designed as a substitution cipher.
b. The cipher is designed as a transposition cipher.


Components of modern Block Cipher


P-Box : Permutation box parallels the traditional transposition
cipher for characters.

Fig: Three types of P-Boxes



Contd
Invertibility : A straight P-box can be used in the encryption
cipher & its inverse in the decryption cipher.


Contd
Compression and expansion P-boxes are non-invertible


S-Box

An S-box (substitution box) can be thought of as a miniature substitution cipher.

Note
An S-box is an m × n substitution unit, where m and n are not necessarily the same.


Example
In an S-box with three inputs and two outputs, we have

The S-box is linear because a1,1 = a1,2 = a1,3 = a2,1 = 1 and a2,2 = a2,3 = 0. The relationship can be represented by matrices, as shown below:


Example
The following table defines the input/output relationship for an S-box of size 3 × 2. The leftmost bit of the input defines the row; the two rightmost bits of the input define the column. The two output bits are values on the cross section of the selected row and column.

Based on the table, an input of 010 yields the output 01. An input of 101 yields the output of 00.


XOR

XOR of two strings in {0,1}^n is their bit-wise addition mod 2

0 1 1 0 1 1 1
1 0 1 1 0 1 0


Circular Shift
Another component found in some modern block ciphers is the
circular shift operation.
Figure : Circular shifting an 8-bit word to the left or right


Swap
The swap operation is a special case of the circular shift operation
where k = n/2.
Figure : Swap operation on an 8-bit word


Split and Combine


Two other operations found in some block ciphers are split and combine.
Figure : Split and combine operations on an 8-bit word


Diffusion
The idea of diffusion is to hide the relationship between the
ciphertext and the plaintext.
Note
Diffusion hides the relationship between the ciphertext and the plaintext.


Confusion
The idea of confusion is to hide the relationship between the
ciphertext and the key.
Note
Confusion hides the relationship between the ciphertext and the key.


The Product cipher


A product cipher combines two or more transformations in a
manner intending that the resulting cipher is more secure
than the individual components.


Two Classes of Product Ciphers


Modern block ciphers are all product ciphers, but they are divided
into two classes.
1. Feistel ciphers : Feistel designed a very intelligent and interesting
cipher that has been used for decades. A Feistel cipher can have
three types of components:

self-invertible
Invertible
noninvertible

2. Non-Feistel ciphers

Figure : The first thought in Feistel cipher design


Example

The plaintext and ciphertext are each 4 bits long and the key is 3 bits long.
Assume that the function takes the first and third bits of the key,
interprets these two bits as a decimal number, squares the number, and
interprets the result as a 4-bit binary pattern. Show the results of
encryption and decryption if the original plaintext is 0111 and the key is
101.

Solution
The function extracts the first and third bits to get 11 in binary or 3 in decimal. The result of squaring is 9, which is 1001 in binary.


Figure: Improvement of the previous Feistel design


Figure : Final design of a Feistel cipher with two rounds


End of Segment


Modern Stream ciphers


Basics


Modern Stream Ciphers


In a modern stream cipher, encryption and decryption are done r bits at a time.
We have a plaintext bit stream P = pn … p2 p1, a ciphertext bit stream C = cn … c2 c1, and a key bit stream K = kn … k2 k1, in which pi, ci, and ki are r-bit words.

Synchronous Stream Ciphers
Nonsynchronous Stream Ciphers

Figure: Stream cipher


Note
In a modern stream cipher, each r-bit word in the plaintext stream is
enciphered using an r-bit word in the key stream to create the
corresponding r-bit word in the ciphertext stream.

Synchronous Stream Ciphers


Note
In a synchronous stream cipher the key is independent of the
plaintext or ciphertext.
Figure : One-time pad


Figure : Feedback shift register (FSR)


Example

Create a linear feedback shift register with 5 cells in which b5 = b4 ⊕ b2 ⊕ b0.

Solution
If ci = 0, bi has no role in calculation of bm. This means that bi is not connected to the feedback function. If ci = 1, bi is involved in calculation of bm. In this example, c1 and c3 are 0s, which means that we have only three connections. The figure below shows the design.


Example

Create a linear feedback shift register with 4 cells in which b4 = b1 ⊕ b0. Show the value of output for 20 transitions (shifts) if the seed is (0001)_2.

Solution:


Table : Cell values and key sequence for previous Example

Note that the key stream is 100010011010111 10001. This looks like a random sequence at first glance, but if we go through more transitions, we see that the sequence is periodic. It is a repetition of 15 bits as shown below:
The key stream generated from an LFSR is a pseudorandom sequence in which the sequence is repeated after N bits.
Note
The maximum period of an LFSR is 2^m − 1.
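
The 4-cell register from the example, simulated so the key stream and its period can be checked. This is an added example, not part of the original slides; the function names are assumptions, and the second tap set (b4 = b2 ⊕ b0) is constructed to show a register that falls short of the maximum period.

```python
# Added example: simulate the slide's LFSR (4 cells, b4 = b1 XOR b0, seed 0001).
# Cells are written b_{m-1} ... b_1 b_0. On every shift the register outputs
# b_0, moves each cell one place to the right and loads the feedback bit b_m
# into the leftmost cell.


def lfsr_step(state, taps):
    """Return (output_bit, next_state). `taps` lists the indices i with c_i = 1."""
    m = len(state)
    feedback = 0
    for i in taps:
        feedback ^= state[m - 1 - i]    # state[m-1-i] holds b_i
    return state[-1], (feedback,) + state[:-1]


def lfsr_keystream(seed_bits, taps, count):
    """Key stream of `count` bits as a string of 0s and 1s."""
    state = tuple(int(b) for b in seed_bits)
    out = []
    for _ in range(count):
        bit, state = lfsr_step(state, taps)
        out.append(str(bit))
    return "".join(out)


def lfsr_period(seed_bits, taps):
    """Number of shifts until the register returns to the seed state.
    Returns None if it never does within 2^m shifts (possible when b_0 is not
    tapped, because the state transition is then not invertible)."""
    start = state = tuple(int(b) for b in seed_bits)
    for shifts in range(1, 2 ** len(start) + 1):
        _, state = lfsr_step(state, taps)
        if state == start:
            return shifts
    return None


SLIDE_TAPS = (1, 0)         # b4 = b1 XOR b0, from the slide
CONSTRUCTED_TAPS = (2, 0)   # b4 = b2 XOR b0, constructed for comparison

if __name__ == "__main__":
    print(lfsr_keystream("0001", SLIDE_TAPS, 20))   # 20 transitions, as asked
    print(lfsr_period("0001", SLIDE_TAPS))          # 15 = 2^4 - 1, the maximum
    print(lfsr_period("0001", CONSTRUCTED_TAPS))    # shorter cycle
    print(lfsr_period("0000", SLIDE_TAPS))          # all-zero seed never leaves 0000
```

The feedback is linear, so the key stream is fully determined by the m-bit seed and the tap positions, and the all-zero seed produces an all-zero key stream.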



Nonsynchronous Stream Ciphers


In a nonsynchronous stream cipher, each key in the key stream depends on previous plaintext or ciphertext.
Note
In a nonsynchronous stream cipher, the key depends on either the plaintext or ciphertext.


End of Segment


Block ciphers
Simplified DES


Classification of DES in the Field of Cryptology


Simplified DES
The S-DES encryption algorithm takes an 8-bit block of
plaintext (example: 10111101) and a 10-bit key as input and
produces an 8-bit block of ciphertext as output.
The S-DES decryption algorithm takes an 8-bit block of
ciphertext and the same 10-bit key used to produce that
ciphertext as input and produces the original 8-bit block of
plaintext.

Contd
The encryption algorithm involves five functions:
an initial permutation (IP)
a complex function labeled fK, which involves both permutation and substitution operations and depends on a key input (K1)
a simple permutation function that switches (SW) the two halves of the data
the function fK again with key input (K2)
and finally a permutation function that is the inverse of the initial permutation (IP-1)


Contd

Ciphertext = IP-1( fK2( SW( fK1( IP( plaintext ) ) ) ) )

where

K1 = P8( Shift( P10( key ) ) )
K2 = P8( Shift( Shift( P10( key ) ) ) )

Plaintext = IP-1( fK1( SW( fK2( IP( ciphertext ) ) ) ) )


S-DES Key Generation


Contd
Let the 10-bit key be designated as (k1, k2, k3, k4, k5, k6, k7, k8, k9, k10).
Then the permutation P10 is defined as:
P10
3 5 2 7 4 10 1 9 8 6

Each position in the table gives the identity of the input bit that produces the output bit in that position.
For example, the key (1010000010) is permuted to (1000001100)


Contd
Next, perform a circular left shift (LS-1), or rotation, separately on the first five bits and the second five bits.
Eg:- the result is (00001 11000).
Next apply P8, which picks out and permutes 8 of the 10 bits according to the following rule:
P8
6 3 7 4 8 5 10 9

The result is subkey 1 (K1). In our example, this yields (10100100)
Go back to the pair of 5-bit strings produced by the two LS-1 functions and perform a circular left shift of 2 bit positions on each string.
(00001 11000) becomes (00100 00011).
Finally, P8 is applied again to produce K2.
Eg:- the result is (01000011).
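
The key generation steps above (P10, LS-1, P8, LS-2, P8), run on the slide's key 1010000010. This is an added example, not part of the original slides; the function names are assumptions, and the bit-source trace and subkey count go beyond what the slides show.

```python
# Added example: S-DES subkey generation with the P10 and P8 tables from the
# slides. The same schedule is run once on key bits and once on the labels
# 1..10 to show which key bit ends up in each subkey position.

P10 = (3, 5, 2, 7, 4, 10, 1, 9, 8, 6)
P8 = (6, 3, 7, 4, 8, 5, 10, 9)


def permute(seq, table):
    """Output position j takes input element table[j] (tables are 1-based)."""
    return [seq[i - 1] for i in table]


def rotate_left(seq, n):
    n %= len(seq)
    return seq[n:] + seq[:n]


def key_schedule(seq):
    """Run P10, LS-1, P8 (giving K1), then LS-2, P8 (giving K2) on 10 items."""
    if len(seq) != 10:
        raise ValueError("S-DES keys have exactly 10 bits")
    p10 = permute(seq, P10)
    left, right = rotate_left(p10[:5], 1), rotate_left(p10[5:], 1)
    k1 = permute(left + right, P8)
    left, right = rotate_left(left, 2), rotate_left(right, 2)
    k2 = permute(left + right, P8)
    return k1, k2


def sdes_subkeys(key):
    """key: string of ten '0'/'1' characters. Returns (K1, K2) as bit strings."""
    if len(key) != 10 or set(key) - {"0", "1"}:
        raise ValueError("key must be a string of ten 0/1 characters")
    k1, k2 = key_schedule(list(key))
    return "".join(k1), "".join(k2)


def subkey_bit_sources():
    """For each subkey position, the number of the key bit (1..10) it copies."""
    return key_schedule(list(range(1, 11)))


def distinct_subkey_pairs():
    """How many different (K1, K2) pairs the 2^10 possible keys produce."""
    return len({sdes_subkeys(format(k, "010b")) for k in range(2 ** 10)})


if __name__ == "__main__":
    print("".join(permute("1010000010", P10)))  # P10 output from the slide
    print(sdes_subkeys("1010000010"))           # K1 and K2 from the slide
    k1_src, k2_src = subkey_bit_sources()
    print("K1 copies key bits", k1_src)         # k2 and k5 are absent from K1
    print("K2 copies key bits", k2_src)         # k4 and k7 are absent from K2
    print(distinct_subkey_pairs())              # every key gives its own pair
```

With only 2^10 keys, trying every key is immediate, which is why S-DES serves for teaching the structure of DES and nothing else.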


S-DES Encryption


Simplified DES Encryption


[Figure: Simplified DES encryption. 8-bit Plaintext → IP → round with K1 (E/P, S0, S1, P4) → SW → round with K2 (E/P, S0, S1, P4) → IP-1 → 8-bit Ciphertext]


Contd
Initial and Final Permutations
First permute 8-bit block of plaintext using the IP function:
IP
2 6 3 1 4 8 5 7

At the end of the algorithm, the inverse permutation is used:
IP-1
4 1 3 5 7 2 8 6


Contd

The function fK
The function fK consists of a combination of permutation and substitution functions.
Let L and R be the leftmost 4 bits and rightmost 4 bits of the 8-bit input to fK, and let F be a mapping from 4-bit strings to 4-bit strings.
fK(L, R) = (L ⊕ F(R, SK), R)
where SK is a subkey.
Example: The output of the IP stage is (10111101) and F(1101, SK) = (1110) for some key SK.
Then fK(10111101) = (01011101) because (1011) ⊕ (1110) = (0101).


Contd

Mapping of F
input is a 4-bit number (n1 n2 n3 n4).
The first operation is an expansion/permutation operation:
E/P
4 1 2 3 2 3 4 1

depict the result in this fashion:
n4 | n1 n2 | n3
n2 | n3 n4 | n1
The 8-bit subkey K1 = (K11, K12, K13, K14, K15, K16, K17, K18) is added to this value using exclusive-OR:


Contd
Let us rename these 8 bits:
The first 4 bits (first row of the preceding matrix) are fed into
the S-box S0 to produce a 2-bit output, and the remaining 4 bits
(second row) are fed into S1 to produce another 2-bit output.


Contd

The S-boxes operate as follows:
The first and fourth input bits are treated as a 2-bit number that specifies a row of the S-box,
the second and third input bits specify a column of the S-box.
The entry in that row and column, in base 2, is the 2-bit output.


Contd
Example:-

0 1 0 0
1 0 0 1

For S0
first and fourth input bits are 00 or 0 or row 0
second and third input bits are 10 or 2 or column 2

For S1
first and fourth input bits are 11 or 3 or row 3
second and third input bits are 00 or 0 or column 0


Contd
Next, the 4 bits produced by S0 and S1 undergo a further
permutation as follows:

The output of P4 is the output of the function F.


End of Segment


Block ciphers
DES


History
Early 1970s: Horst Feistel designs Lucifer at IBM
key-len = 128 bits ; block-len = 128 bits
1973: NBS asks for block cipher proposals.
IBM submits variant of Lucifer.
1976: NBS adopts DES as a federal standard
key-len = 56 bits ; block-len = 64 bits
1997: DES broken by exhaustive search
2000: NIST adopts Rijndael as AES to replace DES
Widely deployed in banking (ACH) and commerce

Contd

Figure : Encryption and decryption with DES


DES Structure

Figure : General structure of DES


Figure : A round in DES (encryption site)
DES uses 16 rounds. Each round of DES is a Feistel cipher.

The heart of DES is the DES function. The DES function applies a 48-bit key to the rightmost 32 bits to produce a 32-bit output.


Contd

Figure : Key generation


Multiple DES
The major criticism of DES regards its key length. Fortunately DES is not a
group. This means that we can use double or triple DES to increase the key
size.

Approaches:
Double DES
Triple DES


Double DES
Meet-in-the-Middle Attack
However, using a known-plaintext attack called meet-in-the-middle attack proves that double DES improves this vulnerability slightly (to 2^57 tests), but not tremendously (to 2^112).


Triple DES

Figure : Triple DES with two keys


End of Segment


Block ciphers
AES


Introduction
The Advanced Encryption Standard (AES) is a symmetric-key
block cipher published by the National Institute of Standards and
Technology (NIST) in December 2001.

Topics to be discussed:
Criteria
Rounds
Data Units
Structure of Each Round

Criteria
The criteria defined by NIST for selecting AES fall into three
areas:
1. Security
2. Cost
3. Implementation.


Rounds
AES is a non-Feistel cipher that encrypts and decrypts a data
block of 128 bits. It uses 10, 12, or 14 rounds. The key size, which
can be 128, 192, or 256 bits, depends on the number of rounds.
Note
AES has defined three versions, with 10, 12, and 14 rounds.
Each version uses a different cipher key size (128, 192, or 256),
but the round keys are always 128 bits.


Figure : General design of AES encryption cipher

Contd


Data units used in AES


Contd
Figure : Block-to-state and state-to-block transformation


Contd
Example

Figure : Changing plaintext to state


Structure of each round at the encryption site


End of Segment


Block ciphers
Attacks on Block Ciphers

Differential Cryptanalysis
Eli Biham and Adi Shamir introduced the idea of differential
cryptanalysis.
This is a chosen-plaintext attack.


Example
Assume that the cipher is made only of one exclusive-or operation. Without knowing the value of the key, Eve can easily find the relationship between plaintext differences and ciphertext differences if by plaintext difference we mean P1 ⊕ P2 and by ciphertext difference, we mean C1 ⊕ C2. The following proves that C1 ⊕ C2 = P1 ⊕ P2:

Figure : Diagram for Example


Differential cryptanalysis technique:


Observe the difference between the two ciphertexts as a function of the difference between the corresponding plaintexts
Find the highest probability differential input (called characteristic) which can be traced through several rounds
Assign probabilities to the keys and locate the most probable key


Linear Cryptanalysis
Linear cryptanalysis was presented by Mitsuru Matsui in 1993.
The analysis uses known plaintext attacks.


Contd
Figure : A simple cipher with a linear S-box


Contd

Solving for three unknowns, we get.

This means that three known-plaintext attacks can find the values of k0, k1, and k2.

Confidentiality using Symmetric Encryption


Traditionally symmetric encryption is used to provide message confidentiality

consider typical scenario
workstations on LANs access other workstations & servers on LAN
LANs interconnected using switches/routers
with external lines or radio/satellite links

consider attacks and placement in this scenario
snooping from another workstation
use dial-in to LAN or server to snoop
use external router link to enter & snoop
monitor and/or modify traffic on external links


Contd
have two major placement alternatives
link encryption
encryption occurs independently on every link
implies must decrypt traffic between links
requires many devices, but paired keys
end-to-end encryption
encryption occurs between original source and final
destination
need devices at each end with shared keys

Contd

Encryption Across a Packet-Switching Network


Contd
Characteristics of Link and End-to-End Encryption


Figure:- Encryption Coverage Implications of Store-and-Forward Communications


End of Segment
