DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING

SEMESTER -VI

LECTURE NOTES CS1355 CRYPTOGRAPHY AND NETWORK SECURITY

PREPARED BY

S.SUBHASINI AP/CSE

CS1355

CRYPTOGRAPHY AND NETWORK SECURITY

3 1 0 100

UNIT I INTRODUCTION 10 OSI Security Architecture - Classical Encryption techniques Cipher Principles Data Encryption Standard Block Cipher Design Principles and Modes of Operation Evaluation criteria for AES AES Cipher Triple DES Placement of Encryption Function Traffic Confidentiality UNIT II PUBLIC KEY CRYPTOGRAPHY 10 Key Management - Diffie-Hellman key Exchange Elliptic Curve Architecture and Cryptography - Introduction to Number Theory Confidentiality using Symmetric Encryption Public Key Cryptography and RSA. UNIT III AUTHENTICATION AND HASH FUNCTION 9 Authentication requirements Authentication functions Message Authentication Codes Hash Functions Security of Hash Functions and MACs MD5 message Digest algorithm - Secure Hash Algorithm RIPEMD HMAC Digital Signatures Authentication Protocols Digital Signature Standard UNIT IV NETWORK SECURITY 8 Authentication Applications: Kerberos X.509 Authentication Service Electronic Mail Security PGP S/MIME - IP Security Web Security. UNIT V SYSTEM LEVEL SECURITY 8 Intrusion detection password management Viruses and related Threats Virus Counter measures Firewall Design Principles Trusted Systems. TUTORIAL 15 TEXT BOOK 1. TOTAL : 60

William Stallings, Cryptography And Network Security Principles and Practices, Prentice Hall of India, Third Edition, 2003.

REFERENCES 1. 2. 3. Atul Kahate, Cryptography and Network Security, Tata McGraw-Hill, 2003. Bruce Schneier, Applied Cryptography, John Wiley & Sons Inc, 2001. Charles B. Pfleeger, Shari Lawrence Pfleeger, Security in Computing, Third Edition, Pearson Education, 2003.

UNIT I Introduction
UNIT I INTRODUCTION 10 OSI Security Architecture - Classical Encryption techniques Cipher Principles Data Encryption Standard Block Cipher Design Principles and Modes of Operation Evaluation criteria for AES AES Cipher Triple DES Placement of Encryption Function Traffic Confidentiality

1.1 OSI Security Architecture 1.2 Classical Encryption techniques 1.3 Cipher Principles 1.4 Data Encryption Standard 1.5 Block Cipher Design Principles and Modes of Operation 1.6 Evaluation criteria for AES 1.7 AES Cipher 1.8 Triple DES 1.9 Placement of Encryption Function 1.10 Traffic Confidentiality

Introduction Information Security requirements have changed in recent times traditionally provided by physical and administrative mechanisms computer use requires automated tools to protect files and other stored information use of networks and communications links requires measures to protect data during transmission Computer Security - generic name for the collection of tools designed to protect data and to thwart hackers Network Security - measures to protect data during their transmission Internet Security - measures to protect data during their transmission over a collection of interconnected networks our focus is on Internet Security consists of measures to deter, prevent, detect, and correct security violations that involve the transmission of information Services, Mechanisms, Attacks need systematic way to define requirements consider three aspects of information security: security attack security mechanism security service consider in reverse order Security Service is something that enhances the security of the data processing systems and the information transfers of an organization intended to counter security attacks make use of one or more security mechanisms to provide the service replicate functions normally associated with physical documents eg. have signatures, dates; need protection from disclosure, tampering, or destruction; be notarized or witnessed; be recorded or licensed Security Mechanism a mechanism that is designed to detect, prevent, or recover from a security attack no single mechanism that will support all functions required however one particular element underlies many of the security mechanisms in use: cryptographic techniques hence our focus on this area Security Attack any action that compromises the security of information owned by an organization information security is about how to prevent attacks, or failing that, to detect attacks on information-based systems

have a wide range of attacks can focus of generic types of attacks note: often threat & attack mean same

1.1 OSI Security Architecture ITU-T X.800 Security Architecture for OSI defines a systematic way of defining and providing security requirements for us it provides a useful, if abstract, overview of concepts we will study Security Services X.800 defines it as: a service provided by a protocol layer of communicating open systems, which ensures adequate security of the systems or of data transfers RFC 2828 defines it as: a processing or communication service provided by a system to give a specific kind of protection to system resources X.800 defines it in 5 major categories Authentication - assurance that the communicating entity is the one claimed Access Control - prevention of the unauthorized use of a resource Data Confidentiality protection of data from unauthorized disclosure Data Integrity - assurance that data received is as sent by an authorized entity Non-Repudiation - protection against denial by one of the parties in a communication Security Mechanisms specific security mechanisms: encipherment, digital signatures, access controls, data integrity, authentication exchange, traffic padding, routing control, notarization pervasive security mechanisms: trusted functionality, security labels, event detection, security audit trails, security recovery Classify Security Attacks as passive attacks - eavesdropping on, or monitoring of, transmissions to: obtain message contents, or monitor traffic flows active attacks modification of data stream to: masquerade of one entity as some other replay previous messages modify messages in transit denial of service Model for Network Security

using this model requires us to: design a suitable algorithm for the security transformation generate the secret information (keys) used by the algorithm develop methods to distribute and share the secret information specify a protocol enabling the principals to use the transformation and secret information for a security service

Model for Network Access Security

using this model requires us to: select appropriate gatekeeper functions to identify users implement security controls to ensure only authorised users access designated information or resources trusted computer systems can be used to implement this model

1.2 Classical Encryption Techniques 1.2.1 Symmetric Cipher Model 1.2.2 Substitution Techniques 1.2.3 Transposition Techniques 1.2.4 Rotor Machines 1.2.5 Steganography 1.2.1 Symmetric Cipher Model Symmetric Encryption or conventional / private-key / single-key sender and recipient share a common key all classical encryption algorithms are private-key was only type prior to invention of public-key in 1970s plaintext - the original message ciphertext - the coded message cipher - algorithm for transforming plaintext to ciphertext key - info used in cipher known only to sender/receiver encipher (encrypt) - converting plaintext to ciphertext decipher (decrypt) - recovering ciphertext from plaintext cryptography - study of encryption principles/methods cryptanalysis (codebreaking) - the study of principles/ methods of deciphering ciphertext without knowing key cryptology - the field of both cryptography and cryptanalysis

Symmetric Cipher Model Requirements o two requirements for secure use of symmetric encryption: o a strong encryption algorithm o a secret key known only to sender / receiver o Y = EK(X) o X = DK(Y) o assume encryption algorithm is known o implies a secure channel to distribute key Types of Cryptanalytic Attacks o ciphertext only o only know algorithm / ciphertext, statistical, can identify plaintext o known plaintext o know/suspect plaintext & ciphertext to attack cipher o chosen plaintext o select plaintext and obtain ciphertext to attack cipher o chosen ciphertext o select ciphertext and obtain plaintext to attack cipher o chosen text o select either plaintext or ciphertext to en/decrypt to attack cipher Brute Force Search o always possible to simply try every key o most basic attack, proportional to key size o assume either know / recognise plaintext

unconditional security o no matter how much computer power is available, the cipher cannot be broken since the ciphertext provides insufficient information to uniquely determine the corresponding plaintext computational security o given limited computing resources (eg time needed for calculations is greater than age of universe), the cipher cannot be broken 1.2.2 Substitution Techniques Caesar Cipher Monoalphabetic Cipher Playfair Cipher Polyalphabetic Ciphers Vigenre Cipher Kasiski Method Autokey Cipher One-Time Pad

Classical Substitution Ciphers o where letters of plaintext are replaced by other letters or by numbers or symbols o or if plaintext is viewed as a sequence of bits, then substitution involves replacing plaintext bit patterns with ciphertext bit patterns Caesar Cipher o earliest known substitution cipher o by Julius Caesar o first attested use in military affairs o replaces each letter by 3rd letter on o example: o meet me after the toga party o PHHW PH DIWHU WKH WRJD SDUWB

can define transformation as: a b cd e fgh i j k l mno pq r s t u vw xy z DEFGHIJKLMNOPQRSTUVWXYZABC mathematically give each letter a number abcd efg hi j k l m 0 1 2 3 4 5 6 7 8 9 10 11 12 n o p q r s t u v w x y z 13 14 15 16 17 18 19 20 21 22 23 24 25 then have Caesar cipher as: C = E(p) = (p + k) mod (26) p = D(C) = (C k) mod (26) Cryptanalysis of Caesar Cipher o only have 26 possible ciphers o A maps to A,B,..Z o could simply try each in turn o a brute force search o given ciphertext, just try all shifts of letters o do need to recognize when have plaintext o eg. break ciphertext "GCUA VQ DTGCM" Monoalphabetic Cipher o rather than just shifting the alphabet o could shuffle (jumble) the letters arbitrarily o each plaintext letter maps to a different random ciphertext letter o hence key is 26 letters long o Plain: a b c d ef g h i j k l mn o pq r s t u vwx y z o Cipher: DKVQFIBJWPESCXHTMYAUOLRGZN o Plaintext: i fwew i s ht o r e pl a c e l e t t e r s o Ciphertext: WIRFRWAJUHYFTSDVFSFUUFYA Monoalphabetic Cipher Security o now have a total of 26! = 4 x 1026 keys o with so many keys, might think is secure o but would be !!!WRONG!!! o problem is language characteristics Language Redundancy and Cryptanalysis o human languages are redundant o eg "th lrd s m shphrd shll nt wnt" o letters are not equally commonly used o in English e is by far the most common letter o then T,R,N,I,O,A,S o other letters are fairly rare o cf. Z,J,K,Q,X o have tables of single, double & triple letter frequencies

o o o o o o o o o

English Letter Frequencies

Use in Cryptanalysis o key concept - monoalphabetic substitution ciphers do not change relative letter frequencies o discovered by Arabian scientists in 9th century o calculate letter frequencies for ciphertext o compare counts/plots against known values o if Caesar cipher look for common peaks/troughs o peaks at: A-E-I triple, NO pair, RST triple o troughs at: JK, X-Z o for monoalphabetic must identify each letter o tables of common double/triple letters help Example Cryptanalysis o given ciphertext: o UZQSOVUOHXMOPVGPOZPEVSGZWSZOPFPESXUDBMETSXAIZ o VUEPHZHMDZSHZOWSFPAPPDTSVPQUZWYMXUZUHSX o EPYEPOPDZSZUFPOMBZWPFUPZHMDJUDTMOHMQ o count relative letter frequencies (see text) o guess P & Z are e and t o guess ZW is th and hence ZWP is the o proceeding with trial and error fially get: it was disclosed yesterday that several informal but direct contacts have been made with political representatives of the viet cong in moscow Playfair Cipher o not even the large number of keys in a monoalphabetic cipher provides security o one approach to improving security was to encrypt multiple letters o the Playfair Cipher is an example o invented by Charles Wheatstone in 1854, but named after his friend Baron Playfair

Playfair Key Matrix o a 5X5 matrix of letters based on a keyword o fill in letters of keyword (sans duplicates) o fill rest of matrix with other letters o eg. using the keyword MONARCHY MONAR CHYBD EFGIK LPQST UVWXZ Encrypting and Decrypting o plaintext encrypted two letters at a time: o 1. if a pair is a repeated letter, insert a filler like 'X', eg. "balloon" encrypts as "ba lx lo on" o 2. if both letters fall in the same row, replace each with letter to right (wrapping back to start from end), eg. ar" encrypts as "RM" o 3. if both letters fall in the same column, replace each with the letter below it (again wrapping to top from bottom), eg. mu" encrypts to "CM" o 4. otherwise each letter is replaced by the one in its row in the column of the other letter of the pair, eg. hs" encrypts to "BP", and ea" to "IM" or "JM" (as desired) Security of the Playfair Cipher o security much improved over monoalphabetic o since have 26 x 26 = 676 digrams o would need a 676 entry frequency table to analyse (verses 26 for a monoalphabetic) o and correspondingly more ciphertext o was widely used for many years (eg. US & British military in WW1) o it can be broken, given a few hundred letters o since still has much of plaintext structure Polyalphabetic Ciphers o another approach to improving security is to use multiple cipher alphabets o called polyalphabetic substitution ciphers o makes cryptanalysis harder with more alphabets to guess and flatter frequency distribution o use a key to select which alphabet is used for each letter of the message o use each alphabet in turn o repeat from start after end of key is reached Vigenre Cipher o simplest polyalphabetic substitution cipher is the Vigenre Cipher o effectively multiple caesar ciphers o key is multiple letters long K = k1 k2 ... kd

o o o o

ith letter specifies ith alphabet to use use each alphabet in turn repeat from start after d letters in message decryption simply works in reverse

Example o write the plaintext out o write the keyword repeated above it o use each key letter as a caesar cipher key o encrypt the corresponding plaintext letter o eg using keyword deceptive key: deceptivedeceptivedeceptive plaintext: wearediscoveredsaveyourself ciphertext:ZICVTWQNGRZGVTWAVZHCQYGLMGJ Aids o simple aids can assist with en/decryption o a Saint-Cyr Slide is a simple manual aid o a slide with repeated alphabet o line up plaintext 'A' with key letter, eg 'C' o then read off any mapping for key letter o can bend round into a cipher disk o or expand into a Vigenre Tableau (see text Table 2.3) Security of Vigenre Ciphers o have multiple ciphertext letters for each plaintext letter o hence letter frequencies are obscured o but not totally lost o start with letter frequencies o see if look monoalphabetic or not o if not, then need to determine number of alphabets, since then can attach each Kasiski Method o method developed by Babbage / Kasiski o repetitions in ciphertext give clues to period o so find same plaintext an exact period apart o which results in the same ciphertext o of course, could also be random fluke o eg repeated VTW in previous example o suggests size of 3 or 9 o then attack each monoalphabetic cipher individually using same techniques as before Autokey Cipher o ideally want a key as long as the message o Vigenre proposed the autokey cipher o with keyword is prefixed to message as key o knowing keyword can recover the first few letters o use these in turn on the rest of the message

o but still have frequency characteristics to attack o eg. given key deceptive key: deceptivewearediscoveredsav plaintext: wearediscoveredsaveyourself ciphertext:ZICVTWQNGKZEIIGASXSTSLVVWLA One-Time Pad o if a truly random key as long as the message is used, the cipher will be secure o called a One-Time pad o is unbreakable since ciphertext bears no statistical relationship to the plaintext o since for any plaintext & any ciphertext there exists a key mapping one to other o can only use the key once though o have problem of safe distribution of key 1.2.3 Transposition Techniques Rail Fence cipher Row Transposition Ciphers Product Ciphers now consider classical transposition or permutation ciphers these hide the message by rearranging the letter order without altering the actual letters used can recognise these since have the same frequency distribution as the original text Rail Fence cipher o write message letters out diagonally over a number of rows o then read off cipher row by row o eg. write message out as: mematrhtgpry e t efeteoaat o giving ciphertext MEMATRHTGPRYETEFETEOAAT Row Transposition Ciphers o a more complex scheme o write letters of message out in rows over a specified number of columns o then reorder the columns according to some key before reading off the rows o Key: 4312 567 o Plaintext: a t t a c k p o os tp one o dunt i l t o woamxyz o Ciphertext: TTNAAPTMTSUOAODWCOIXKNLYPETZ

Product Ciphers o ciphers using substitutions or transpositions are not secure because of language characteristics o hence consider using several ciphers in succession to make harder, but: two substitutions make a more complex substitution two transpositions make more complex transposition but a substitution followed by a transposition makes a new much harder cipher o this is bridge from classical to modern ciphers 1.2.4 Rotor Machines before modern ciphers, rotor machines were most common product cipher were widely used in WW2 German Enigma, Allied Hagelin, Japanese Purple implemented a very complex, varying substitution cipher used a series of cylinders, each giving one substitution, which rotated and changed after each letter was encrypted with 3 cylinders have 263=17576 alphabets 1.2.5 Steganography an alternative to encryption hides existence of message o using only a subset of letters/words in a longer message marked in some way o using invisible ink o hiding in LSB in graphic image or sound file has drawbacks high overhead to hide relatively few info bits Character marking selected letters of printed or typewritten text are overwritten in pencil. The marks are ordinarily not visible unless the paper is held at an angle to bright light. Invisible ink a number of substances can be used for writing but leave no visible trace until heat or some chemical is applied to the paper. Pin punctures small pin punctures on selected letters are ordinarily not visible unless the paper is held up in front of a light. Typewriter correction ribbon used between lines typed with a black ribbon, the results of typing with the correction tape are visible only under a strong light. 1.3 Cipher Principles Modern Block Ciphers o will now look at modern block ciphers o one of the most widely used types of cryptographic algorithms o provide secrecy and/or authentication services o in particular will introduce DES (Data Encryption Standard)

Block vs Stream Ciphers o block ciphers process messages in into blocks, each of which is then en/decrypted o like a substitution on very big characters 64-bits or more o stream ciphers process messages a bit or byte at a time when en/decrypting o many current ciphers are block ciphers o hence are focus of course Block Cipher Principles o most symmetric block ciphers are based on a Feistel Cipher Structure o needed since must be able to decrypt ciphertext to recover messages efficiently o block ciphers look like an extremely large substitution o would need table of 264 entries for a 64-bit block o instead create from smaller building blocks o using idea of a product cipher Claude Shannon and Substitution-Permutation Ciphers o in 1949 Claude Shannon introduced idea of substitution-permutation (S-P) networks o modern substitution-transposition product cipher o these form the basis of modern block ciphers o S-P networks are based on the two primitive cryptographic operations we have seen before: o substitution (S-box) o permutation (P-box) o provide confusion and diffusion of message Confusion and Diffusion o cipher needs to completely obscure statistical properties of original message o a one-time pad does this o more practically Shannon suggested combining elements to obtain: o diffusion dissipates statistical structure of plaintext over bulk of ciphertext o confusion makes relationship between ciphertext and key as complex as possible Feistel Cipher Structure o Horst Feistel devised the feistel cipher o based on concept of invertible product cipher o partitions input block into two halves o process through multiple rounds which o perform a substitution on left data half o based on round function of right half & subkey o then have permutation swapping halves o implements Shannons substitution-permutation network concept

Feistel Cipher Design Principles block size o increasing size improves security, but slows cipher key size o increasing size improves security, makes exhaustive key searching harder, but may slow cipher number of rounds o increasing number improves security, but slows cipher subkey generation o greater complexity can make analysis harder, but slows cipher round function o greater complexity can make analysis harder, but slows cipher fast software en/decryption & ease of analysis o are more recent concerns for practical use and testing Feistel Cipher Decryption

1.4 Data Encryption Standard (DES) most widely used block cipher in world adopted in 1977 by NBS (now NIST) as FIPS PUB 46 encrypts 64-bit data using 56-bit key has widespread use has been considerable controversy over its security DES History o IBM developed Lucifer cipher o by team led by Feistel o used 64-bit data blocks with 128-bit key o then redeveloped as a commercial cipher with input from NSA and others o in 1973 NBS issued request for proposals for a national cipher standard o IBM submitted their revised Lucifer which was eventually accepted as the DES

DES Design Controversy o although DES standard is public o was considerable controversy over design o in choice of 56-bit key (vs Lucifer 128-bit) o and because design criteria were classified o subsequent events and public analysis show in fact design was appropriate o DES has become widely used, especially in financial applications DES Encryption

Initial Permutation IP o first step of the data computation o IP reorders the input data bits o even bits to LH half, odd bits to RH half o quite regular in structure (easy in h/w) o see text Table 3.2 o example: IP(675a6967 5e5a6b5a) = (ffb2194d 004df6fb) DES Round Structure o uses two 32-bit L & R halves o as for any Feistel cipher can describe as: Li = Ri1 Ri = Li1 xor F(Ri1, Ki) o takes 32-bit R half and 48-bit subkey and:

expands R to 48-bits using perm E adds to subkey passes through 8 S-boxes to get 32-bit result finally permutes this using 32-bit perm P

Substitution Boxes S o have eight S-boxes which map 6 to 4 bits o each S-box is actually 4 little 4 bit boxes o outer bits 1 & 6 (row bits) select one rows o inner bits 2-5 (col bits) are substituted o result is 8 lots of 4 bits, or 32 bits o row selection depends on both data & key o feature known as autoclaving (autokeying) o example: S(18 09 12 3d 11 17 38 39) = 5fd25e03

DES Key Schedule o forms subkeys used in each round o consists of: initial permutation of the key (PC1) which selects 56-bits in two 28-bit halves 16 stages consisting of: selecting 24-bits from each half permuting them by PC2 for use in function f, rotating each half separately either 1 or 2 places depending on the key rotation schedule K DES Decryption o decrypt must unwind steps of data computation o with Feistel design, do encryption steps again

o using subkeys in reverse order (SK16 SK1) o note that IP undoes final FP step of encryption o 1st round with SK16 undoes 16th encrypt round o . o 16th round with SK1 undoes 1st encrypt round o then final FP undoes initial encryption IP o thus recovering original data value Avalanche Effect o key desirable property of encryption alg o where a change of one input or key bit results in changing approx half output bits o making attempts to home-in by guessing keys impossible o DES exhibits strong avalanche Strength of DES Key Size o 56-bit keys have 256 = 7.2 x 1016 values o brute force search looks hard o recent advances have shown is possible o in 1997 on Internet in a few months o in 1998 on dedicated h/w (EFF) in a few days o in 1999 above combined in 22hrs! o still must be able to recognize plaintext o now considering alternatives to DES Strength of DES Timing Attacks o attacks actual implementation of cipher o use knowledge of consequences of implementation to derive knowledge of some/all subkey bits o specifically use fact that calculations can take varying times depending on the value of the inputs to it o particularly problematic on smartcards Strength of DES Analytic Attacks o now have several analytic attacks on DES o these utilise some deep structure of the cipher by gathering information about encryptions can eventually recover some/all of the sub-key bits if necessary then exhaustively search for the rest o generally these are statistical attacks o include differential cryptanalysis linear cryptanalysis related key attacks Differential Cryptanalysis o one of the most significant recent (public) advances in cryptanalysis o known by NSA in 70's cf DES design o Murphy, Biham & Shamir published 1990 o powerful method to analyse block ciphers o used to analyse most current block ciphers with varying degrees of success

o DES reasonably resistant to it, cf Lucifer Differential Cryptanalysis Compares Pairs of Encryptions o with a known difference in the input o searching for a known difference in output o when same subkeys are used

o have some input difference giving some output difference with probability p o if find instances of some higher probability input / output difference pairs occurring o can infer subkey that was used in round o then must iterate process over many rounds (with decreasing probabilities)

o perform attack by repeatedly encrypting plaintext pairs with known input XOR until obtain desired output XOR o when found o if intermediate rounds match required XOR have a right pair o if not then have a wrong pair, relative ratio is S/N for attack o can then deduce keys values for the rounds o right pairs suggest same key bits o wrong pairs give random values o for large numbers of rounds, probability is so low that more pairs are required than exist with 64-bit inputs o Biham and Shamir have shown how a 13-round iterated characteristic can break the full 16-round DES Linear Cryptanalysis o another recent development o also a statistical method o must be iterated over rounds, with decreasing probabilities o developed by Matsui et al in early 90's o based on finding linear approximations o can attack DES with 247 known plaintexts, still in practise infeasible o find linear approximations with prob p != o P[i1,i2,...,ia](+)C[j1,j2,...,jb] = K[k1,k2,...,kc] o where ia,jb,kc are bit locations in P,C,K o gives linear equation for key bits o get one key bit using max likelihood alg o using a large number of trial encryptions o effectiveness given by: |p| 1.5 Block Cipher Design Principles and Modes of Operation basic principles still like Feistel in 1970s number of rounds o more is better, exhaustive search best attack function f: o provides confusion, is nonlinear, avalanche key schedule o complex subkey creation, key avalanche Modes of Operation o block ciphers encrypt fixed size blocks o eg. DES encrypts 64-bit blocks, with 56-bit key o need way to use in practise, given usually have arbitrary amount of information to encrypt o four were defined for DES in ANSI standard ANSI X3.106-1983 Modes of Use o subsequently now have 5 for DES and AES o have block and stream modes Electronic Codebook Book (ECB) o message is broken into independent blocks which are encrypted

o each block is a value which is substituted, like a codebook, hence name o each block is encoded independently of the other blocks Ci = DESK1 (Pi) o uses: secure transmission of single values

Advantages and Limitations of ECB o repetitions in message may show in ciphertext o if aligned with message block o particularly with data such graphics o or with messages that change very little, which become a code-book analysis problem o weakness due to encrypted message blocks being independent o main use is sending a few blocks of data Cipher Block Chaining (CBC) o message is broken into blocks o but these are linked together in the encryption operation o each previous cipher blocks is chained with current plaintext block, hence name o use Initial Vector (IV) to start process Ci = DESK1(Pi XOR Ci-1) C-1 = IV o uses: bulk data encryption, authentication

Advantages and Limitations of CBC o each ciphertext block depends on all message blocks o thus a change in the message affects all ciphertext blocks after the change as well as the original block o need Initial Value (IV) known to sender & receiver however if IV is sent in the clear, an attacker can change bits of the first block, and change IV to compensate hence either IV must be a fixed value (as in EFTPOS) or it must be sent encrypted in ECB mode before rest of message o at end of message, handle possible last short block by padding either with known non-data value (eg nulls) or pad last block with count of pad size eg. [ b1 b2 b3 0 0 0 0 5] <- 3 data bytes, then 5 bytes pad+count Cipher FeedBack (CFB) o message is treated as a stream of bits o added to the output of the block cipher o result is feed back for next stage (hence name) o standard allows any number of bit (1,8 or 64 or whatever) to be feed back o denoted CFB-1, CFB-8, CFB-64 etc o is most efficient to use all 64 bits (CFB-64) Ci = Pi XOR DESK1(Ci-1) C-1 = IV o uses: stream data encryption, authentication

Advantages and Limitations of CFB o appropriate when data arrives in bits/bytes o most common stream mode o limitation is need to stall while do block encryption after every n-bits o note that the block cipher is used in encryption mode at both ends o errors propagate for several blocks after the error Output FeedBack (OFB) o message is treated as a stream of bits o output of cipher is added to message o output is then feed back (hence name) o feedback is independent of message o can be computed in advance Ci = Pi XOR Oi Oi = DESK1(Oi-1) O-1 = IV o uses: stream encryption over noisy channels

Advantages and Limitations of OFB o used when error feedback a problem or where need to encryptions before message is available o superficially similar to CFB o but feedback is from the output of cipher and is independent of message o a variation of a Vernam cipher o hence must never reuse the same sequence (key+IV) o sender and receiver must remain in sync, and some recovery method is needed to ensure this occurs o originally specified with m-bit feedback in the standards o subsequent research has shown that only OFB-64 should ever be used Counter (CTR) o a new mode, though proposed early on o similar to OFB but encrypts counter value rather than any feedback value o must have a different key & counter value for every plaintext block (never reused) Ci = Pi XOR Oi Oi = DESK1(i) o uses: high-speed network encryptions

Advantages and Limitations of CTR o efficiency can do parallel encryptions in advance of need good for bursty high speed links o random access to encrypted data blocks o provable security (good as other modes) o but must ensure never reuse key/counter values, otherwise could break (cf OFB) 1.6 Advanced Encryption Standard (AES) Evaluation Criteria AES Requirements o private key symmetric block cipher o 128-bit data, 128/192/256-bit keys o stronger & faster than Triple-DES o active life of 20-30 years (+ archival use) o provide full specification & design details o both C & Java implementations o NIST have released all submissions & unclassified analyses AES Evaluation Criteria o initial criteria: security effort to practically cryptanalyse cost computational algorithm & implementation characteristics o final criteria general security software & hardware implementation ease implementation attacks

 flexibility (in en/decrypt, keying, other factors) 1.7 AES Cipher - Rijendael designed by Rijmen-Daemen in Belgium has 128/192/256 bit keys, 128 bit data an iterative rather than feistel cipher o treats data in 4 groups of 4 bytes o operates an entire block in every round designed to be: o resistant against known attacks o speed and code compactness on many CPUs o design simplicity processes data as 4 groups of 4 bytes (state) has 9/11/13 rounds in which state undergoes: o byte substitution (1 S-box used on every byte) o shift rows (permute bytes between groups/columns) o mix columns (subs using matrix multipy of groups) o add round key (XOR state with key material) initial XOR key material & incomplete last round all operations can be combined into XOR and table lookups - hence very fast & efficient

Byte Substitution o a simple substitution of each byte o uses one table of 16x16 bytes containing a permutation of all 256 8-bit values o each byte of state is replaced by byte in row (left 4-bits) & column (right 4-bits) o eg. byte {95} is replaced by row 9 col 5 byte o which is the value {2A} o S-box is constructed using a defined transformation of the values in GF(28) o designed to be resistant to all known attacks Shift Rows o a circular byte shift in each 1st row is unchanged 2nd row does 1 byte circular shift to left 3rd row does 2 byte circular shift to left 4th row does 3 byte circular shift to left o decrypt does shifts to right

o since state is processed by columns, this step permutes bytes between the columns Mix Columns o each column is processed separately o each byte is replaced by a value dependent on all 4 bytes in the column o effectively a matrix multiplication in GF(28) using prime poly m(x) =x8+x4+x3+x+1

Add Round Key o XOR state with 128-bits of the round key o again processed by column (though effectively a series of byte operations) o inverse for decryption is identical since XOR is own inverse, just with correct round key o designed to be as simple as possible

AES Round

AES Key Expansion o takes 128-bit (16-byte) key and expands into array of 44/52/60 32-bit words o start by copying key into first 4 words o then loop creating words that depend on values in previous & 4 places back in 3 of 4 cases just XOR these together every 4th has S-box + rotate + XOR constant of previous before XOR together o designed to resist known attacks AES Decryption o AES decryption is not identical to encryption since steps done in reverse o but can define an equivalent inverse cipher with steps as for encryption o but using inverses of each step o with a different key schedule o works since result is unchanged when o swap byte substitution & shift rows o swap mix columns & add (tweaked) round key 1.8 Triple DES clear a replacement for DES was needed theoretical attacks that can break it demonstrated exhaustive key search attacks AES is a new cipher alternative prior to this alternative was to use multiple encryption with DES implementations

Triple-DES is the chosen form Why Triple-DES? o why not Double-DES? NOT same as some other single-DES use, but have o meet-in-the-middle attack works whenever use a cipher twice since X = EK1[P] = DK2[C] attack by encrypting P with all keys and store then decrypt C with keys and match X value can show takes O(256) steps Triple-DES with Two-Keys o hence must use 3 encryptions would seem to need 3 distinct keys o but can use 2 keys with E-D-E sequence C = EK1[DK2[EK1[P]]] nb encrypt & decrypt equivalent in security if K1=K2 then can work with single DES o standardized in ANSI X9.17 & ISO8732 o no current known practical attacks Triple-DES with Three-Keys o although are no practical attacks on two-key Triple-DES have some indications o can use Triple-DES with Three-Keys to avoid even these C = EK3[DK2[EK1[P]]] o has been adopted by some Internet applications, eg PGP, S/MIME 1.9 Placement of Encryption Function can place encryption function at various layers in OSI Reference Model o link encryption occurs at layers 1 or 2 o end-to-end can occur at layers 3, 4, 6, 7 o as move higher less information is encrypted but it is more secure though more complex with more entities and keys 1.10 Traffic Confidentiality is monitoring of communications flows between parties o useful both in military & commercial spheres o can also be used to create a covert channel link encryption obscures header details o but overall traffic volumes in networks and at end-points is still visible traffic padding can further obscure flows o but at cost of continuous traffic Questions: 1. What is information security? 2. What is computer security?

3. What is network security? 4. What is internet security? 5. Why internetwork security is is both fascinating and complex? 6. What is a security service? 7. What is security mechanism? 8. What is security attack? 9. List any four attacks in network communication. 10. What are the three aspects of information security? 11. What is the difference between threat and attack? 12. What is authentication? 13. What is peer entity authentication? 14. What is data origin authentication? 15. What is access control? 16. What is data confidentiality? 17. What is data integrity? 18. What is nonrepudiation? 19. What is passive attack? Give example. 20. What is active attack? Give example. 21. How will you classify security attacks? 22. List some security mechanism. 23. What are the types of threats? 24. What is meant by information access threats? 25. What is meant by service threats? 26. What are plain text and cipher text? 27. What is enciphering or encryption? 28. What is deciphering or decryption? 29. What is cryptography? 30. What is crypt-analysis? 31. What is cryptology? 32. What is symmetric encryption or conventional encryption or single key encryption? 33. What are the ingredients of symmetric encryption? 34. List the disadvantages of symmetric ciphers. 35. What are the two requirements for secure use of conventional encryption? 36. What are the characteristic of cryptographic systems? 37. What is a block cipher? 38. What is a stream cipher? 39. What are the two general approaches to attacking a conventional encryption scheme? 40. What is Brute-force attack? 41. When an encryption scheme is said to be unconditionally secure? 42. When an encryption scheme is said to be computationally secure? 43. What are the criteria for an encryption scheme? 44. What are the various substitution techniques used for encryption? 45. What is Caesar cipher? 46. What is monoalphabetic cipher?

47. What is playfair cipher? 48. What is Hill cipher? 49. What is polyalphabetic cipher? 50. What is vigenere cipher? 51. What is one-time pad? 52. What are the difficulties of one-time pad? 53. What are the cryptanalysis of Caesar cipher? 54. What are the cryptoanalysis of monoalphabetic cipher? 55. What are the transposition techniques used for encryption? 56. What is steganography? 57. What are the various techniques used in steganography? 58. Define the term confusion. 59. Define the term diffusion. 60. What is avalanche effect? 61. What is timing attacks? 62. What is electronic codebook mode (ECB)? 63. What are the advantage and limitations of ECB? 64. What is cipher block chaining mode (CBC)? 65. What are the advantage and limitations of CBC? 66. What is cipher feedback mode (CFB)? 67. What are the advantage and limitations of CFB? 68. What is output feedback mode (OFB)? 69. What are the advantage and limitations of OFB? 70. What is counter mode (CTR)? 71. What are the advantage and limitations of CTR? 72. Compare DES and AES. 73. Compare simplified DES and DES. 74. What are the characteristic of AES? 75. What is GF(28)? 76. Write the pseudo code for AES key expansion algorithm. 77. Why triple DES? Why not double DES? 78. What are the disadvantages of double DES? 79. What is meet-in-the middle attack? 80. What are the two approaches to encryption placement? 81. What are the differences between link and end-to-end encryption? 82. What is eavesdropping? 83. What is point of vulnerability? 84. What is traffic confidentiality? 85. What are the types of information that can be derived from a traffic analysis attack? 86. What is covert channel? 87. What is traffic padding? Big Questions 88. Explain triple DES with two keys. (10 marks)

89. Explain triple DES with three keys. (6 marks) 90. Explain link and end-to-end encryption. (12 marks) 91. Compare link vs end-to-end encryption in detail. (10 marks) 92. Explain traffic confidentiality for link and end-to-end encryption approach? (8 marks) 93. Explain in detail about linear and differential cryptanalysis. (10 marks) 94. Explain the design principles of block cipher. (10 marks) 95. Explain the block cipher modes of operation. (16 marks) 96. Explain the strength of DES. (8 marks) 97. Describe the operation of AES with an example. (16 marks) 98. Explain the AES evaluation. (10 marks) 99. Explain DES in detail. (16 marks) 100. Explain simplified DES in detail with an example. (12 marks) 101. Explain block cipher principles in detail. (16 marks) 102. Explain Feistal cipher in detail. (16 marks) 103. Explain symmetric cipher model. (10 marks) 104. Explain various transposition ciphers in detail. (8 marks) 105. Explain the basic principles of rotor machine. (8 marks) 106. Explain steganography in detail. (6 marks) 107. Explain network security model. (8 marks) 108. Explain the OSI security architecture. (10 marks) 109. Explain in detail about various substitution techniques or classical encryption techniques. (16 marks)

UNIT II Public-key Cryptography

Key Management - Diffie-Hellman key Exchange Elliptic Curve Architecture and Cryptography - Introduction to Number Theory Confidentiality using Symmetric Encryption Public Key Cryptography and RSA.

2.1 Key Management 2.2 Diffie-Hellman key Exchange 2.3 Elliptic Curve Architecture and Cryptography 2.4 Introduction to Number Theory 2.5 Confidentiality using Symmetric Encryption 2.6 Public Key Cryptography and RSA

2.1 Key Management

2.1.1 Distribution of Public Keys 2.1.2 Public-Key Distribution of Secret keys public-key encryption helps address key distribution problems have two aspects of this: distribution of public keys use of public-key encryption to distribute secret keys 2.1.1 Distribution of Public Keys o can be considered as using one of: Public announcement Publicly available directory Public-key authority Public-key certificates o Public Announcement users distribute public keys to recipients or broadcast to community at large eg. append PGP keys to email messages or post to news groups or email list major weakness is forgery anyone can create a key claiming to be someone else and broadcast it until forgery is discovered can masquerade as claimed user o Publicly Available Directory can obtain greater security by registering keys with a public directory directory must be trusted with properties: contains {name,public-key} entries participants register securely with directory participants can replace key at any time directory is periodically published directory can be accessed electronically still vulnerable to tampering or forgery o Public-Key Authority improve security by tightening control over distribution of keys from directory has properties of directory and requires users to know public key for the directory then users interact with directory to obtain any desired public key securely

 does require real-time access to directory when keys are needed

o Public-Key Certificates certificates allow key exchange without real-time access to public-key authority a certificate binds identity to public key usually with other info such as period of validity, rights of use etc with all contents signed by a trusted Public-Key or Certificate Authority (CA) can be verified by anyone who knows the public-key authorities public-key

2.1.2 Public-Key Distribution of Secret Keys o use previous methods to obtain public-key

o can use for secrecy or authentication o but public-key algorithms are slow o so usually want to use private-key encryption to protect message contents o hence need a session key o have several alternatives for negotiating a suitable session o Simple Secret Key Distribution proposed by Merkle in 1979 A generates a new temporary public key pair A sends B the public key and their identity B generates a session key K sends it to A encrypted using the supplied public key A decrypts the session key and both use problem is that an opponent can intercept and impersonate both halves of protocol o if have securely exchanged public-keys:

2.2 Diffie-Hellman Key Exchange o first public-key type scheme proposed o by Diffie & Hellman in 1976 along with the exposition of public key concepts o note: now know that James Ellis (UK CESG) secretly proposed the concept in 1970 o is a practical method for public exchange of a secret key o used in a number of commercial products o a public-key distribution scheme o cannot be used to exchange an arbitrary message o rather it can establish a common key o known only to the two participants o value of key depends on the participants (and their private and public key information) o based on exponentiation in a finite (Galois) field (modulo a prime or a polynomial) - easy o security relies on the difficulty of computing discrete logarithms (similar to factoring) hard o Diffie-Hellman Setup all users agree on global parameters: large prime integer or polynomial q

 a primitive root mod q each user (eg. A) generates their key chooses a secret key (number): xA < q compute their public key: yA = xA mod q each user makes public that key yA o shared session key for users A & B is KAB: o KAB = xA.xB mod q o = yAxB mod q (which B can compute) o = yBxA mod q (which A can compute) o KAB is used as session key in private-key encryption scheme between Alice and Bob o if Alice and Bob subsequently communicate, they will have the same key as before, unless they choose new public-keys o attacker needs an x, must solve discrete log o Diffie-Hellman Example users Alice & Bob who wish to swap keys: agree on prime q=353 and =3 select random secret keys: A chooses xA=97, B chooses xB=233 compute public keys: yA=397 mod 353 = 40 (Alice) yB=3233 mod 353 = 248 (Bob) compute shared session key as: KAB= yBxA mod 353 = 24897 = 160 (Alice) KAB= yAxB mod 353 = 40233 = 160 (Bob) 2.3 Elliptic Curve Cryptography majority of public-key crypto (RSA, D-H) use either integer or polynomial arithmetic with very large numbers/polynomials imposes a significant load in storing and processing keys and messages an alternative is to use elliptic curves offers same security with smaller bit sizes Real Elliptic Curves o an elliptic curve is defined by an equation in two variables x & y, with coefficients o consider a cubic elliptic curve of form o y2 = x3 + ax + b o where x,y,a,b are all real numbers o also define zero point O o have addition operation for elliptic curve o geometrically sum of Q+R is reflection of intersection R

Finite Elliptic Curves o Elliptic curve cryptography uses curves whose variables & coefficients are finite o have two families commonly used: o prime curves Ep(a,b) defined over Zp o use integers modulo a prime o best in software o binary curves E2m(a,b) defined over GF(2n) o use polynomials with binary coefficients o best in hardware Elliptic Curve Cryptography o ECC addition is analog of modulo multiply o ECC repeated addition is analog of modulo exponentiation o need hard problem equiv to discrete log o Q=kP, where Q,P belong to a prime curve o is easy to compute Q given k,P o but hard to find k given Q,P o known as the elliptic curve logarithm problem o Certicom example: E23(9,17) ECC Diffie-Hellman o can do key exchange analogous to D-H o users select a suitable curve Ep(a,b) o select base point G=(x1,y1) with large order n s.t. nG=O o A & B select private keys nA<n, nB<n o compute public keys: PA=nAG, PB=nBG o compute shared key: K=nAPB, K=nBPA o same since K=nAnBG ECC Encryption/Decryption o several alternatives, will consider simplest o must first encode any message M as a point on the elliptic curve Pm

o select suitable curve & point G as in D-H o each user chooses private key nA<n o and computes public key PA=nAG o to encrypt Pm : Cm={kG, Pm+k Pb}, k random o decrypt Cm compute: o Pm+kPbnB(kG) = Pm+k(nBG)nB(kG) = Pm ECC Security o relies on elliptic curve logarithm problem o fastest method is Pollard rho method o compared to factoring, can use much smaller key sizes than with RSA etc o for equivalent key lengths computations are roughly equivalent o hence for similar security ECC offers significant computational advantages 2.4 Introduction to Number Theory Prime Numbers o prime numbers only have divisors of 1 and self o they cannot be written as a product of other numbers o note: 1 is prime, but is generally not of interest o eg. 2,3,5,7 are prime, 4,6,8,9,10 are not o prime numbers are central to number theory o list of prime number less than 200 is: o 2 3 5 7 11 13 17 19 23 29 31 37 41 43 47 53 59 61 67 71 73 79 83 89 97 101 103 107 109 113 127 131 137 139 149 151 157 163 167 173 179 181 191 193 197 199 Prime Factorisation o to factor a number n is to write it as a product of other numbers: n=a b c o note that factoring a number is relatively hard compared to multiplying the factors together to generate the number o the prime factorisation of a number n is when its written as a product of primes o eg. 91=713 ; 3600=243252 Relatively Prime Numbers & GCD o two numbers a, b are relatively prime if have no common divisors apart from 1 o eg. 8 & 15 are relatively prime since factors of 8 are 1,2,4,8 and of 15 are 1,3,5,15 and 1 is the only common factor o conversely can determine the greatest common divisor by comparing their prime factorizations and using least powers o eg. 300=213152 18=2132 hence GCD(18,300)=213150=6 Fermat's Theorem o ap-1 mod p = 1 o where p is prime and gcd(a,p)=1 o also known as Fermats Little Theorem

o useful in public key and primality testing Euler Totient Function (n) o when doing arithmetic modulo n o complete set of residues is: 0..n-1 o reduced set of residues is those numbers (residues) which are relatively prime to n o eg for n=10, o complete set of residues is {0,1,2,3,4,5,6,7,8,9} o reduced set of residues is {1,3,7,9} o number of elements in reduced set of residues is called the Euler Totient Function (n) o to compute (n) need to count number of elements to be excluded o in general need prime factorization, but o for p (p prime) (p) = p-1 o for p.q (p,q prime) (p.q) = (p-1)(q-1) o eg. o (37) = 36 o (21) = (31)(71) = 26 = 12 Euler's Theorem o a generalisation of Fermat's Theorem o a(n)mod N = 1 o where gcd(a,N)=1 o eg. o a=3;n=10; (10)=4; o hence 34 = 81 = 1 mod 10 o a=2;n=11; (11)=10; o hence 210 = 1024 = 1 mod 11 Primality Testing o often need to find large prime numbers o traditionally sieve using trial division o ie. divide by all numbers (primes) in turn less than the square root of the number o only works for small numbers o alternatively can use statistical primality tests based on properties of primes o for which all primes numbers satisfy property o but some composite numbers, called pseudo-primes, also satisfy the property Miller Rabin Algorithm o a test based on Fermats Theorem o algorithm is: o TEST (n) is: 1. Find integers k, q, k > 0, q odd, so that (n1)=2kq 2. Select a random integer a, 1<a<n1 3. if aq mod n = 1 then return (maybe prime"); 4. for j = 0 to k 1 do

 5. if (a2jq mod n = n-1) then return(" maybe prime ") 6. return ("composite") Probabilistic Considerations o if Miller-Rabin returns composite the number is definitely not prime o otherwise is a prime or a pseudo-prime o chance it detects a pseudo-prime is < o hence if repeat test with different random a then chance n is prime after t tests is: o Pr(n prime after t tests) = 1-4-t o eg. for t=10 this probability is > 0.99999 Prime Distribution o prime number theorem states that primes occur roughly every (ln n) integers o since can immediately ignore evens and multiples of 5, in practice only need test 0.4 ln(n) numbers of size n before locate a prime o note this is only the average sometimes primes are close together, at other times are quite far apart Chinese Remainder Theorem o used to speed up modulo computations o working modulo a product of numbers o eg. mod M = m1m2..mk o Chinese Remainder theorem lets us work in each moduli mi separately o since computational cost is proportional to size, this is faster than working in the full modulus M o can implement CRT in several ways o to compute (A mod M) can firstly compute all (ai mod mi) separately and then combine results to get answer using:

Primitive Roots o from Eulers theorem have a(n)mod n=1 o consider ammod n=1, GCD(a,n)=1 o must exist for m= (n) but may be smaller o once powers reach m, cycle will repeat o if smallest is m= (n) then a is called a primitive root o if p is prime, then successive powers of a "generate" the group mod p o these are useful but relatively hard to find Discrete Logarithms or Indices o the inverse problem to exponentiation is to find the discrete logarithm of a number modulo p o that is to find x where ax = b mod p o written as x=loga b mod p or x=inda,p(b)

o o o o

if a is a primitive root then always exists, otherwise may not x = log3 4 mod 13 (x st 3x = 4 mod 13) has no answer x = log2 3 mod 13 = 4 by trying successive powers whilst exponentiation is relatively easy, finding discrete logarithms is generally a hard problem

2.5 Confidentiality Using Symmetric Encryption traditionally symmetric encryption is used to provide message confidentiality consider typical scenario o workstations on LANs access other workstations & servers on LAN o LANs interconnected using switches/routers o with external lines or radio/satellite links consider attacks and placement in this scenario o snooping from another workstation o use dial-in to LAN or server to snoop o use external router link to enter & snoop monitor and/or modify traffic one external links have two major placement alternatives o link encryption encryption occurs independently on every link implies must decrypt traffic between links requires many devices, but paired keys o end-to-end encryption encryption occurs between original source and final destination need devices at each end with shared keys Traffic Confidentiality o when using end-to-end encryption must leave headers in clear so network can correctly route information o hence although contents protected, traffic pattern flows are not o ideally want both at once end-to-end protects data contents over entire path and provides authentication link protects traffic flows from monitoring Placement of Encryption o can place encryption function at various layers in OSI Reference Model o link encryption occurs at layers 1 or 2 o end-to-end can occur at layers 3, 4, 6, 7 o as move higher less information is encrypted but it is more secure though more complex with more entities and keys Traffic Analysis o is monitoring of communications flows between parties o useful both in military & commercial spheres o can also be used to create a covert channel o link encryption obscures header details o but overall traffic volumes in networks and at end-points is still visible o traffic padding can further obscure flows

o but at cost of continuous traffic Key Distribution o symmetric schemes require both parties to share a common secret key o issue is how to securely distribute this key o often secure system failure due to a break in the key distribution scheme o given parties A and B have various key distribution alternatives: 1. A can select key and physically deliver to B 2. third party can select & deliver key to A & B 3. if A & B have communicated previously can use previous key to encrypt a new key 4. if A & B have secure communications with a third party C, C can relay key between A & B Key Distribution Scenario

Key Distribution Issues o hierarchies of KDCs required for large networks, but must trust each other o session key lifetimes should be limited for greater security o use of automatic key distribution on behalf of users, but must trust system o use of decentralized key distribution o controlling purposes keys are used for Random Numbers o many uses of random numbers in cryptography nonces in authentication protocols to prevent replay session keys public key generation keystream for a one-time pad o in all cases its critical that these values be statistically random with uniform distribution, independent unpredictable cannot infer future sequence on previous values Natural Random Noise o best source is natural randomness in real world o find a regular but random event and monitor

o do generally need special h/w to do this eg. radiation counters, radio noise, audio noise, thermal noise in diodes, leaky capacitors, mercury discharge tubes etc o starting to see such h/w in new CPU's o problems of bias or uneven distribution in signal have to compensate for this when sample and use best to only use a few noisiest bits from each sample Published Sources o a few published collections of random numbers o Rand Co, in 1955, published 1 million numbers generated using an electronic roulette wheel has been used in some cipher designs cf Khafre o earlier Tippett in 1927 published a collection o issues are that: these are limited too well-known for most uses Pseudorandom Number Generators (PRNGs) o algorithmic technique to create random numbers o although not truly random o can pass many tests of randomness Linear Congruential Generator o common iterative technique using: Xn+1 = (aXn + c) mod m o given suitable values of parameters can produce a long random-like sequence o suitable criteria to have are: function generates a full-period generated sequence should appear random efficient implementation with 32-bit arithmetic o note that an attacker can reconstruct sequence given a small number of values Using Block Ciphers as Stream Ciphers o can use block cipher to generate numbers o use Counter Mode Xi = EKm[i] o use Output Feedback Mode Xi = EKm[Xi-1] o ANSI X9.17 PRNG uses date-time + seed inputs and 3 triple-DES encryptions to generate new seed & random Blum Blum Shub Generator o based on public key algorithms o use least significant bit from iterative equation: xi+1 = xi2 mod n where n=p.q, and primes p,q=3 mod 4 o unpredictable, passes next-bit test

o o o o

security rests on difficulty of factoring N is unpredictable given any run of bits slow, since very large numbers must be used too slow for cipher use, good for key generation

2.6 Public Key Cryptography and RSA Private-Key Cryptography o traditional private/secret/single key cryptography uses one key o shared by both sender and receiver o if this key is disclosed communications are compromised o also is symmetric, parties are equal o hence does not protect sender from receiver forging a message & claiming is sent by sender Public-Key Cryptography o probably most significant advance in the 3000 year history of cryptography o uses two keys a public & a private key o asymmetric since parties are not equal o uses clever application of number theoretic concepts to function o complements rather than replaces private key crypto o public-key/two-key/asymmetric cryptography involves the use of two keys: a public-key, which may be known by anybody, and can be used to encrypt messages, and verify signatures a private-key, known only to the recipient, used to decrypt messages, and sign (create) signatures o is asymmetric because those who encrypt messages or verify signatures cannot decrypt messages or create signatures

Why Public-Key Cryptography? o developed to address two key issues: key distribution how to have secure communications in general without having to trust a KDC with your key digital signatures how to verify a message comes intact from the claimed sender

o public invention due to Whitfield Diffie & Martin Hellman at Stanford University in 1976 known earlier in classified community Public-Key Characteristics o Public-Key algorithms rely on two keys with the characteristics that it is: computationally infeasible to find decryption key knowing only algorithm & encryption key computationally easy to en/decrypt messages when the relevant (en/decrypt) key is known either of the two related keys can be used for encryption, with the other used for decryption (in some schemes) Public-Key Cryptosystems

Public-Key Applications o can classify uses into 3 categories: encryption/decryption (provide secrecy) digital signatures (provide authentication) key exchange (of session keys) o some algorithms are suitable for all uses, others are specific to one Security of Public Key Schemes o like private key schemes brute force exhaustive search attack is always theoretically possible o but keys used are too large (>512bits) o security relies on a large enough difference in difficulty between easy (en/decrypt) and hard (cryptanalyse) problems o more generally the hard problem is known, its just made too hard to do in practise o requires the use of very large numbers o hence is slow compared to private key schemes RSA o by Rivest, Shamir & Adleman of MIT in 1977 o best known & widely used public-key scheme

o based on exponentiation in a finite (Galois) field over integers modulo a prime nb. exponentiation takes O((log n)3) operations (easy) o uses large integers (eg. 1024 bits) o security due to cost of factoring large numbers nb. factorization takes O(e log n log log n) operations (hard) RSA Key Setup o each user generates a public/private key pair by: o selecting two large primes at random - p, q o computing their system modulus N=p.q note (N)=(p-1)(q-1) o selecting at random the encryption key e where 1<e<(N), gcd(e,(N))=1 o solve following equation to find decryption key d e.d=1 mod (N) and 0dN o publish their public encryption key: KU={e,N} o keep secret private decryption key: KR={d,p,q} RSA Use o to encrypt a message M the sender: obtains public key of recipient KU={e,N} computes: C=Me mod N, where 0M<N o to decrypt the ciphertext C the owner: uses their private key KR={d,p,q} computes: M=Cd mod N o note that the message M must be smaller than the modulus N (block if needed) How RSA Works? o because of Euler's Theorem: o a(n)mod N = 1 where gcd(a,N)=1 o in RSA have: N=p.q (N)=(p-1)(q-1) carefully chosen e & d to be inverses mod (N) hence e.d=1+k.(N) for some k o hence : Cd = (Me)d = M1+k.(N) = M1.(M(N))q = M1.(1)q = M1 = M mod N RSA Example 1. Select primes: p=17 & q=11 2. Compute n = pq =1711=187 3. Compute (n)=(p1)(q-1)=1610=160 4. Select e : gcd(e,160)=1; choose e=7 5. Determine d: de=1 mod 160 and d < 160 Value is d=23 since 237=161= 10160+1 6. Publish public key KU={7,187} 7. Keep secret private key KR={23,17,11}

o sample RSA encryption/decryption is: o given message M = 88 (nb. 88<187) o encryption: C = 887 mod 187 = 11 o decryption: M = 1123 mod 187 = 88 Exponentiation o can use the Square and Multiply Algorithm o a fast, efficient algorithm for exponentiation o concept is based on repeatedly squaring base o and multiplying in the ones that are needed to compute the result o look at binary representation of exponent o only takes O(log2 n) multiples for number n eg. 75 = 74.71 = 3.7 = 10 mod 11 eg. 3129 = 3128.31 = 5.3 = 4 mod 11

RSA Key Generation o users of RSA must: determine two primes at random - p, q select either e or d and compute the other o primes p,q must not be easily derived from modulus N=p.q means must be sufficiently large typically guess and use probabilistic test o exponents e, d are inverses, so use Inverse algorithm to compute the other RSA Security o three approaches to attacking RSA: brute force key search (infeasible given size of numbers) mathematical attacks (based on difficulty of computing (N), by factoring modulus N) timing attacks (on running of decryption) Factoring Problem o mathematical approach takes 3 forms: factor N=p.q, hence find (N) and then d determine (N) directly and find d find d directly o currently believe all equivalent to factoring have seen slow improvements over the years

as of Aug-99 best is 130 decimal digits (512) bit with GNFS biggest improvement comes from improved algorithm cf Quadratic Sieve to Generalized Number Field Sieve barring dramatic breakthrough 1024+ bit RSA secure ensure p, q of similar size and matching other constraints Timing Attacks o developed in mid-1990s o exploit timing variations in operations eg. multiplying by small vs large number or IF's varying which instructions executed o infer operand size based on time taken o RSA exploits time taken in exponentiation o countermeasures use constant exponentiation time add random delays blind values used in calculations Two Marks: 1. What are the two distinct aspects to the use of public-key cryptography related to key distribution? 2. What are the techniques used for distribution of public keys? 3. What are the essential ingredients of a public key directory? 4. What is public announcement? 5. What is the weakness of public announcement? 6. What is publicly available directory? 7. What is public authority? 8. What is public key certificate? 9. What are the requirements for the use of a public-key certificate scheme? 10. What are the various scheme used for public-key distribution of secret keys? 11. What is an elliptic curve? 12. What is zero point of an elliptic curve? 13. Explain one method of key distribution. 14. State Fermats theorem. 15. State Eulers theorem. 16. What is Eulers Totient function? 17. How will you test for primality? 18. State the Chinese remainder theorem. 19. Where the discrete logarithm is used? 20. How the miller-rabin test is used to test for primality? 21. What is primitive root of a number? 22. What is the difference between an index and discrete logarithms? 23. What are the two approaches to encryption placement? 24. What are the differences between link and end-to-end encryption? 25. What is eavesdropping? 26. What is point of vulnerability?

27. What is traffic confidentiality? 28. What are the types of information that can be derived from a traffic analysis attack? 29. What is covert channel? 30. What is traffic padding? 31. What is a session key and a master key? 32. What is PRNGs? 33. What is pseudorandom number? 34. What is public key cryptography or asymmetric cryptography? 35. What are the misconceptions concerned with public-key encryption? 36. What are the problems of symmetric encryption? 37. Differentiate between symmetric encryption or conventional encryption and asymmetric or public-key encryption. 38. What are the applications of public-key cryptosystems? 39. What are various public-key cryptanalysis? 40. What are three possible attacks for RSA? 41. What are the principle elements of a public-key cryptosystem? 42. What are roles of public key and private key? 43. What is one-way function? Big Questions: 44. Explain the various techniques used for distribution of public keys. (12 marks) 45. Explain various scheme used to distribute secret keys. (10 marks) 46. Explain simple secret key distribution and secret key distribution with confidentiality and authentication. (8 marks) 47. Explain in detail about diffie-hellman key exchange. (12 marks) 48. Explain elliptic curve arithmetic in detail. (12 marks) 49. Explain elliptic curve cryptography in detail. (12 marks) 50. Explain elliptic curve encryption/decryption. (10 marks) 51. State and prove Fermats theorem. (8 marks) 52. State and prove Eulers theorem. (8 marks) 53. Explain the Chinese remainder theorem. (8 marks) 54. Explain discrete logarithms. (8 marks) 55. Explain link and end-to-end encryption. (12 marks) 56. Compare link vs end-to-end encryption in detail. (10 marks) 57. Explain traffic confidentiality for link and end-to-end encryption approach? (8 marks) 58. Explain the key distribution scenario with neat diagram. (8 marks) 59. Explain key distribution in detail. (16 marks) 60. Explain the various methods for generating random numbers. (12 marks) 61. Explain blum blum shub generator. (4 marks) 62. Explain the principles of public-key encryption. (16 marks) 63. Explain public-key cryptosystems. (12 marks) 64. Explain the requirements for public-key cryptography. (8 marks) 65. Explain the RSA algorithm in detail with an example. (12 marks) 66. Explain the security of RSA. (12 marks)

UNIT III Authentication and Hash Function

Authentication requirements Authentication functions Message Authentication Codes Hash Functions Security of Hash Functions and MACs MD5 message Digest algorithm - Secure Hash Algorithm RIPEMD HMAC Digital Signatures Authentication Protocols Digital Signature Standard

3.1 Authentication requirements 3.2 Authentication functions 3.3 Message Authentication Codes 3.4 Hash Functions 3.5 Security of Hash Functions and MACs 3.6 MD5 message Digest algorithm 3.7 Secure Hash Algorithm 3.8 RIPEMD 3.9 HMAC 3.10 Digital Signatures 3.11 Authentication Protocols 3.12 Digital Signature Standard

Message Authentication and Hash Functions Message Authentication o message authentication is concerned with: protecting the integrity of a message validating identity of originator non-repudiation of origin (dispute resolution) o will consider the security requirements o then three alternative functions used: message encryption message authentication code (MAC) hash function 3.1 Authentication Requirements Communication across the network, the following attacks can be identified. o Disclosure release of message contents to any person or process not possessing the appropriate cryptographic key. o Traffic analysis discovery of the pattern of traffic between parties. In a connection oriented application, the frequency and duration of connections could be determined. In either a connection oriented or connectionless environment, the number and length of messages between parties could be determined. o Masquerade insertion of messages into the network from fraudulent acknowledgements of message receipt or nonreceipt by someone other than the message recipient. o Content modification changes to the contents of a message, including insertion, deletion, transposition, and modification. o Sequence modification any modification to a sequence of messages between parties, including insertion, deletion, and reordering. o Timing modification delay or replay of messages. In a connection oriented application, an entire session or sequence of messages could be replay of some previous valid session, or individual messages in the sequence could be delayed or replayed. In a connectionless application, an individual message (e.g., datagram) could be delayed or replayed. o Source repudiation denial of transmission of message by source. o Destination repudiation denial of receipt of message by destination. 3.2 Authentication Function Any message authentication or digital signature mechanism can be viewed as having fundamentally two levels.

At the lower level, there must be some sort of function that produces an authenticator: a value to be used to authenticate a message. This low-level function is then used as primitive in a higher-level authentication protocol that enables a receiver to verify the authenticity of a message. The types of function that may be used to produce an authenticator are grouped into three classes. Message Encryption the ciphertext of the entire message serves as its authenticator. Message Authentication Code (MAC) a public function of the message and a secret key that produces a fixed length value that serves as the authenticator. Hash Function a public function that maps a message of any length into a fixed-length hash value, which serves as the authenticator. Message Encryption o message encryption by itself also provides a measure of authentication o if symmetric encryption is used then: receiver know sender must have created it since only sender and receiver now key used know content cannot of been altered if message has suitable structure, redundancy or a checksum to detect any changes o if public-key encryption is used: encryption provides no confidence of sender since anyone potentially knows public-key however if sender signs message using their private-key then encrypts with recipients public key have both secrecy and authentication again need to recognize corrupted messages but at cost of two public-key uses on message 3.3 Message Authentication Code (MAC) generated by an algorithm that creates a small fixed-sized block depending on both message and some key like encryption though need not be reversible appended to message as a signature receiver performs same computation on message and checks it matches the MAC provides assurance that message is unaltered and comes from sender

as shown the MAC provides confidentiality can also use encryption for secrecy o generally use separate keys for each o can compute MAC either before or after encryption o is generally regarded as better done before why use a MAC? o sometimes only authentication is needed o sometimes need authentication to persist longer than the encryption (eg. archival use) note that a MAC is not a digital signature MAC Properties o a MAC is a cryptographic checksum MAC = CK(M) condenses a variable-length message M using a secret key K to a fixed-sized authenticator o is a many-to-one function potentially many messages have same MAC but finding these needs to be very difficult Requirements for MACs o taking into account the types of attacks o need the MAC to satisfy the following: 1. knowing a message and MAC, is infeasible to find another message with same MAC 2. MACs should be uniformly distributed 3. MAC should depend equally on all bits of the message Using Symmetric Ciphers for MACs o can use any block cipher chaining mode and use final block as a MAC o Data Authentication Algorithm (DAA) is a widely used MAC based on DES-CBC using IV=0 and zero-pad of final block encrypt message using DES in CBC mode and send just the final block as the MAC

or the leftmost M bits (16M64) of final block o but final MAC is now too small for security 3.4 Hash Functions condenses arbitrary message to fixed size usually assume that the hash function is public and not keyed o cf. MAC which is keyed hash used to detect changes to message can use in various ways with message most often to create a digital signature Hash Functions & Digital Signatures

Hash Function Properties o a Hash Function produces a fingerprint of some file/message/data h = H(M) condenses a variable-length message M to a fixed-sized fingerprint o assumed to be public Requirements for Hash Functions 1. can be applied to any sized message M 2. produces fixed-length output h 3. is easy to compute h=H(M) for any message M 4. given h is infeasible to find x s.t. H(x)=h one-way property 5. given x is infeasible to find y s.t. H(y)=H(x) weak collision resistance 6. is infeasible to find any x,y s.t. H(y)=H(x) strong collision resistance Simple Hash Functions o are several proposals for simple functions o based on XOR of message blocks o not secure since can manipulate any message and either not change hash or change hash also o need a stronger cryptographic function Birthday Attacks o might think a 64-bit hash is secure o but by Birthday Paradox is not o birthday attack works thus:

opponent generates 2m/2 variations of a valid message all with essentially the same meaning opponent also generates 2m/2 variations of a desired fraudulent message two sets of messages are compared to find pair with same hash (probability > 0.5 by birthday paradox) have user sign the valid message, then substitute the forgery which will have a valid signature o conclusion is that need to use larger MACs Block Ciphers as Hash Functions o can use block ciphers as hash functions using H0=0 and zero-pad of final block compute: Hi = EMi [Hi-1] and use final block as the hash value similar to CBC but without a key o resulting hash is too small (64-bit) both due to direct birthday attack and to meet-in-the-middle attack o other variants also susceptible to attack 3.5 Security of Hash Functions & MACs like block ciphers have: brute-force attacks exploiting o strong collision resistance hash have cost 2m/2 have proposal for h/w MD5 cracker 128-bit hash looks vulnerable, 160-bits better o MACs with known message-MAC pairs can either attack keyspace (cf key search) or MAC at least 128-bit MAC is needed for security cryptanalytic attacks exploit structure o like block ciphers want brute-force attacks to be the best alternative have a number of analytic attacks on iterated hash functions o CVi = f[CVi-1, Mi]; H(M)=CVN o typically focus on collisions in function f o like block ciphers is often composed of rounds o attacks exploit properties of round functions cryptanalytic attacks exploit structure o like block ciphers want brute-force attacks to be the best alternative have a number of analytic attacks on iterated hash functions o CVi = f[CVi-1, Mi]; H(M)=CVN o typically focus on collisions in function f o like block ciphers is often composed of rounds o attacks exploit properties of round functions. 3.6 MD5 message Digest algorithm Hash Algorithms

o see similarities in the evolution of hash functions & block ciphers increasing power of brute-force attacks leading to evolution in algorithms from DES to AES in block ciphers from MD4 & MD5 to SHA-1 & RIPEMD-160 in hash algorithms o likewise tend to use common iterative structure as do block ciphers MD5 o designed by Ronald Rivest (the R in RSA) o latest in a series of MD2, MD4 o produces a 128-bit hash value o until recently was the most widely used hash algorithm in recent times have both brute-force & cryptanalytic concerns o specified as Internet standard RFC1321 MD5 Overview 1. pad message so its length is 448 mod 512 2. append a 64-bit length value to message 3. initialise 4-word (128-bit) MD buffer (A,B,C,D) 4. process message in 16-word (512-bit) blocks: using 4 rounds of 16 bit operations on message block & buffer add output to buffer input to form new buffer value 5. output hash value is the final buffer value

MD5 Compression Function o each round has 16 steps of the form: a = b+((a+g(b,c,d)+X[k]+T[i])<<<s) o a,b,c,d refer to the 4 words of the buffer, but used in varying permutations note this updates 1 word only of the buffer after 16 steps each word is updated 4 times o where g(b,c,d) is a different nonlinear function in each round (F,G,H,I) o T[i] is a constant value derived from sin

MD4 o o o o

precursor to MD5 also produces a 128-bit hash of message has 3 rounds of 16 steps vs 4 in MD5 design goals: collision resistant (hard to find collisions) direct security (no dependence on "hard" problems) fast, simple, compact favours little-endian systems (eg PCs) Strength of MD5 o MD5 hash is dependent on all message bits o Rivest claims security is good as can be o known attacks are: Berson 92 attacked any 1 round using differential cryptanalysis (but cant extend) Boer & Bosselaers 93 found a pseudo collision (again unable to extend) Dobbertin 96 created collisions on MD compression function (but initial constants prevent exploit) o conclusion is that MD5 looks vulnerable soon 3.7 Secure Hash Algorithm (SHA-1) SHA was designed by NIST & NSA in 1993, revised 1995 as SHA-1 US standard for use with DSA signature scheme o standard is FIPS 180-1 1995, also Internet RFC3174 o nb. the algorithm is SHA, the standard is SHS produces 160-bit hash values now the generally preferred hash algorithm

based on design of MD4 with key differences SHA Overview 1. pad message so its length is 448 mod 512 2. append a 64-bit length value to message 3. initialise 5-word (160-bit) buffer (A,B,C,D,E) to (67452301,efcdab89,98badcfe,10325476,c3d2e1f0) 4. process message in 16-word (512-bit) chunks: expand 16 words into 80 words by mixing & shifting use 4 rounds of 20 bit operations on message block & buffer add output to input to form new buffer value 5. output hash value is the final buffer value SHA-1 Compression Function o each round has 20 steps which replaces the 5 buffer words thus: (A,B,C,D,E) <(E+f(t,B,C,D)+(A<<5)+Wt+Kt),A,(B<<30),C,D) o a,b,c,d refer to the 4 words of the buffer o t is the step number o f(t,B,C,D) is nonlinear function for round o Wt is derived from the message block o Kt is a constant value derived from sin

SHA-1 verses MD5 o brute force attack is harder (160 vs 128 bits for MD5) o not vulnerable to any known attacks (compared to MD4/5) o a little slower than MD5 (80 vs 64 steps) o both designed as simple and compact o optimised for big endian CPU's (vs MD5 which is optimised for little endian CPUs) Revised Secure Hash Standard o NIST have issued a revision FIPS 180-2 o adds 3 additional hash algorithms o SHA-256, SHA-384, SHA-512

o designed for compatibility with increased security provided by the AES cipher o structure & detail is similar to SHA-1 o hence analysis should be similar 3.8 RIPEMD - 160 RIPEMD-160 was developed in Europe as part of RIPE project in 96 by researchers involved in attacks on MD4/5 initial proposal strengthen following analysis to become RIPEMD-160 somewhat similar to MD5/SHA uses 2 parallel lines of 5 rounds of 16 steps creates a 160-bit hash value slower, but probably more secure, than SHA RIPEMD-160 Overview 1. pad message so its length is 448 mod 512 2. append a 64-bit length value to message 3. initialise 5-word (160-bit) buffer (A,B,C,D,E) to (67452301,efcdab89,98badcfe,10325476,c3d2e1f0) 4. process message in 16-word (512-bit) chunks: use 10 rounds of 16 bit operations on message block & buffer in 2 parallel lines of 5 add output to input to form new buffer value 5. output hash value is the final buffer value

RIPEMD-160 Compression Function

RIPEMD-160 Design Criteria o use 2 parallel lines of 5 rounds for increased complexity o for simplicity the 2 lines are very similar o step operation very close to MD5 o permutation varies parts of message used o circular shifts designed for best results RIPEMD-160 verses MD5 & SHA-1 o brute force attack harder (160 like SHA-1 vs 128 bits for MD5) o not vulnerable to known attacks, like SHA-1 though stronger (compared to MD4/5) o slower than MD5 (more steps) o all designed as simple and compact o SHA-1 optimised for big endian CPU's vs RIPEMD-160 & MD5 optimised for little endian CPUs Keyed Hash Functions as MACs o have desire to create a MAC using a hash function rather than a block cipher because hash functions are generally faster not limited by export controls unlike block ciphers o hash includes a key along with the message o original proposal: KeyedHash = Hash(Key|Message) some weaknesses were found with this o eventually led to development of HMAC

3.9 HMAC specified as Internet standard RFC2104 uses hash function on the message: HMACK = Hash[(K+ XOR opad) || Hash[(K+ XOR ipad)||M)]] where K+ is the key padded out to size and opad, ipad are specified padding constants overhead is just 3 more hash calculations than the message needs alone any of MD5, SHA-1, RIPEMD-160 can be used HMAC Overview

HMAC Security o know that the security of HMAC relates to that of the underlying hash algorithm o attacking HMAC requires either: brute force attack on key used birthday attack (but since keyed would need to observe a very large number of messages) o choose hash function used based on speed verses security constraints 3.10 Digital Signatures have looked at message authentication o but does not address issues of lack of trust digital signatures provide the ability to: o verify author, date & time of signature o authenticate message contents o be verified by third parties to resolve disputes hence include authentication function with additional capabilities Digital Signature Properties o must depend on the message signed o must use information unique to sender

 to prevent both forgery and denial o must be relatively easy to produce o must be relatively easy to recognize & verify o be computationally infeasible to forge with new message for existing digital signature with fraudulent digital signature for given message o be practical save digital signature in storage Direct Digital Signatures o involve only sender & receiver o assumed receiver has senders public-key o digital signature made by sender signing entire message or hash with private-key o can encrypt using receivers public-key o important that sign first then encrypt message & signature o security depends on senders private-key Arbitrated Digital Signatures o involves use of arbiter A validates any signed message then dated and sent to recipient o requires suitable level of trust in arbiter o can be implemented with either private or public-key algorithms o arbiter may or may not see message 3.11 Authentication Protocols used to convince parties of each others identity and to exchange session keys may be one-way or mutual key issues are o confidentiality to protect session keys o timeliness to prevent replay attacks Replay Attacks o where a valid signed message is copied and later resent simple replay repetition that can be logged repetition that cannot be detected backward replay without modification o countermeasures include use of sequence numbers (generally impractical) timestamps (needs synchronized clocks) challenge/response (using unique nonce) Using Symmetric Encryption o as discussed previously can use a two-level hierarchy of keys o usually with a trusted Key Distribution Center (KDC) each party shares own master key with KDC KDC generates session keys used for connections between parties master keys used to distribute these to them Needham-Schroeder Protocol

o original third-party key distribution protocol o for session between A B mediated by KDC o protocol overview is: 1. AKDC: IDA || IDB || N1 2. KDCA: EKa[Ks || IDB || N1 || EKb[Ks||IDA] ] 3. AB: EKb[Ks||IDA] 4. BA: EKs[N2] 5. AB: EKs[f(N2)] o used to securely distribute a new session key for communications between A&B o but is vulnerable to a replay attack if an old session key has been compromised then message 3 can be resent convincing B that is communicating with A o modifications to address this require: timestamps (Denning 81) using an extra nonce (Neuman 93) Using Public-Key Encryption o have a range of approaches based on the use of public-key encryption o need to ensure have correct public keys for other parties o using a central Authentication Server (AS) o various protocols exist using timestamps or nonces Denning AS Protocol o Denning 81 presented the following: 1. AAS: IDA || IDB 2. ASA: EKRas[IDA||KUa||T] || EKRas[IDB||KUb||T] 3. AB: EKRas[IDA||KUa||T] || EKRas[IDB||KUb||T] || EKUb[EKRas[Ks||T]] o note session key is chosen by A, hence AS need not be trusted to protect it o timestamps prevent replay but require synchronized clocks One-Way Authentication o required when sender & receiver are not in communications at same time (eg. email) o have header in clear so can be delivered by email system o may want contents of body protected & sender authenticated Using Symmetric Encryption o can refine use of KDC but cant have final exchange of nonces, vis: 1. AKDC: IDA || IDB || N1 2. KDCA: EKa[Ks || IDB || N1 || EKb[Ks||IDA] ] 3. AB: EKb[Ks||IDA] || EKs[M] o does not protect against replays could rely on timestamp in message, though email delays make this problematic Public-Key Approaches o have seen some public-key approaches o if confidentiality is major concern, can use:

AB: EKUb[Ks] || EKs[M] has encrypted session key, encrypted message o if authentication needed use a digital signature with a digital certificate: AB: M || EKRa[H(M)] || EKRas[T||IDA||KUa] with message, signature, certificate 3.12 Digital Signature Standard (DSS) US Govt approved signature scheme FIPS 186 uses the SHA hash algorithm designed by NIST & NSA in early 90's DSS is the standard, DSA is the algorithm a variant on ElGamal and Schnorr schemes creates a 320 bit signature, but with 512-1024 bit security security depends on difficulty of computing discrete logarithms DSA Key Generation o have shared global public key values (p,q,g): a large prime p = 2L where L= 512 to 1024 bits and is a multiple of 64 choose q, a 160 bit prime factor of p-1 choose g = h(p-1)/q where h<p-1, h(p-1)/q (mod p) > 1 o users choose private & compute public key: choose x<q compute y = gx (mod p) DSA Signature Creation o to sign a message M the sender: generates a random signature key k, k<q nb. k must be random, be destroyed after use, and never be reused o then computes signature pair: r = (gk(mod p))(mod q) s = (k-1.SHA(M)+ x.r)(mod q) o sends signature (r,s) with message M DSA Signature Verification o having received M & signature (r,s) o to verify a signature, recipient computes: w = s-1(mod q) u1= (SHA(M).w)(mod q) u2= (r.w)(mod q) v = (gu1.yu2(mod p)) (mod q) o if v=r then signature is verified o see book web site for details of proof why

Two Marks: 1. what are the attacks that can be identified across a network during communication? 2. What do you mean by disclosure? 3. What is traffic analysis? 4. What is masquerade? 5. What is content modification? 6. What is sequence modification? 7. What is timing modification? 8. What is source repudiation? 9. What is destination repudiation? 10. What is repudiation? 11. What are the measures of authentication? 12. What are the measures of message authentication? 13. What is message authentication? 14. What is digital signature? 15. What are the various classes of authentication function? 16. What is message authentication code (MAC) or cryptographic checksum? 17. What is hash function? 18. Give the simple way to perform a one-it circular shift or rotation on the hash value after each block is processed. 19. What is birthday attack? 20. What is meet-in-the-middle attack? 21. What are the properties of hash functions? 22. What is a role of compression function in a hash function? 23. What are the characteristics of secure hash fuctions? 24. Give the general structure of secure hash code. 25. What is MD5? 26. What are the goals of MD4? 27. What are the differences between MD4 and MD5? 28. What is SHA? 29. What are the properties of SHA? 30. Compare the properties of SHAs. 31. What is RIPEMD? 32. What is HMAC? 33. What are the design objectives of HMAC? 34. What is digital signature? 35. What are the requirements of digital signature? 36. What are the properties of digital signature? 37. What are the various approaches of digital signature function? 38. What is direct digital signature? 39. What is arbitrated digital signature? 40. What is mutual authentication protocols? 41. What are the two issues that central to the problem authenticated key exchange? 42. What are replays?

43. List the examples of replay attacs. 44. What is the difficulty of using repalay attack? 45. What is timestamps? 46. What is challenge/response? 47. What is KDC? 48. What is suppress-replay attacks? 49. What is DSS? 50. List two disputes that can arise in the context of message authentication. 51. What is the difference between direct and arbitrated digital signature? 52. In what order should the signature function and the confidentiality function be applied to a message, and why? 53. What are some threats associated with a direct digital signature scheme? 54. List three general approaches to dealing with replay attacks. 55. Give the principle of operation behind MD5 algorithm. Big Questions:

56. Explain in detail about the authentication functions. (16 marks) 57. Explain Message Encryption in detail. (10 marks) 58. Explain the measures of authentication for message encryption for symmetric and public-key encryption schemes. (10 marks) 59. Explain message authentication code in detail. (10 marks) 60. What are the ways in which a hash code can be used to provide message authentication? (4 marks) 61. Explain hash function. (10 marks) 62. Explain the requirements of MACs. (10 marks) 63. Explain the requirements of hash functions. (10 marks) 64. Explain the attacks that can be performed by hash function and MACs. (12 marks) 65. Explain the process of MD5 with neat sketch. (10 marks) 66. Explain MD5 compression function. (8 marks) 67. Explain the strength of MD5. (6 marks) 68. Explain SHA-1 logic with neat sketch. (10 marks) 69. Explain SHA-1 compression function. (8 marks) 70. Compare SHA-1 and MD5. (6 marks) 71. Explain RIPEMD logic with neat sketch. (10 marks) 72. Explain RIPEMD compression function. (8 marks) 73. Compare RIPEMD with MD5 and SHA-1. (6 marks) 74. Explain HMAC algorithm. (12 marks) 75. Explain the security of HMAC. (6 marks) 76. Explain the various approaches proposed for digital signature function. (12 marks) 77. Explain direct digital signature. (6 marks) 78. Explain arbitrated digital signature. (8 marks) 79. Explain authentication protocol in detail. (16 marks)

80. Explain mutual authentication as symmetric encryption approach and public-key encryption approach. (12 marks) 81. Explain one-way authentication as symmetric encryption approach and public-key encryption approach. (10 marks) 82. Explain the DSS approach. (12 marks) 83. Explain digital signature algorithm for signing and verifying. (12 marks) 84. What are authentication requirements? Explain. (6 marks)

UNIT IV Network Security

Authentication Applications: Kerberos X.509 Authentication Service Electronic Mail Security PGP S/MIME - IP Security Web Security.

4.1 Authentication Applications 4.2 Kerberos 4.3 X.509 Authentication Service 4.4 Electronic Mail Security 4.5 PGP 4.6 S/MIME 4.7 IP Security 4.8 Web Security

4.1 Authentication Applications will consider authentication functions developed to support application-level authentication & digital signatures will consider Kerberos a private-key authentication service then X.509 directory authentication service 4.2 Kerberos trusted key server system from MIT provides centralised private-key third-party authentication in a distributed network o allows users access to services distributed through network o without needing to trust all workstations o rather all trust a central authentication server two versions in use: 4 & 5 Kerberos Requirements o first published report identified its requirements as: security reliability transparency scalability o implemented using an authentication protocol based on NeedhamSchroeder Kerberos 4 Overview o a basic third-party authentication scheme o have an Authentication Server (AS) users initially negotiate with AS to identify self AS provides a non-corruptible authentication credential (ticket granting ticket TGT) o have a Ticket Granting server (TGS) users subsequently request access to other services from TGS on basis of users TGT

Kerberos Realms o a Kerberos environment consists of: a Kerberos server a number of clients, all registered with server application servers, sharing keys with server o this is termed a realm typically a single administrative domain o if have multiple realms, their Kerberos servers must share keys and trust Kerberos Version 5 o developed in mid 1990s o provides improvements over v4 addresses environmental shortcomings encryption alg, network protocol, byte order, ticket lifetime, authentication forwarding, interrealm auth and technical deficiencies double encryption, non-std mode of use, session keys, password attacks o specified as Internet standard RFC 1510 4.3 X.509 Authentication Service part of CCITT X.500 directory service standards o distributed servers maintaining some info database defines framework for authentication services o directory may store public-key certificates o with public key of user o signed by certification authority

also defines authentication protocols uses public-key crypto & digital signatures o algorithms not standardised, but RSA recommended X.509 Certificates o issued by a Certification Authority (CA), containing: version (1, 2, or 3) serial number (unique within CA) identifying certificate signature algorithm identifier issuer X.500 name (CA) period of validity (from - to dates) subject X.500 name (name of owner) subject public-key info (algorithm, parameters, key) issuer unique identifier (v2+) subject unique identifier (v2+) extension fields (v3) signature (of hash of all fields in certificate) o notation CA<<A>> denotes certificate for A signed by CA

Obtaining a Certificate o any user with access to CA can get any certificate from it o only the CA can modify a certificate o because cannot be forged, certificates can be placed in a public directory CA Hierarchy o if both users share a common CA then they are assumed to know its public key o otherwise CA's must form a hierarchy o use certificates linking members of hierarchy to validate other CA's each CA has certificates for clients (forward) and parent (backward)

o each client trusts parents certificates o enable verification of any certificate from one CA by users of all other CAs in hierarchy CA Hierarchy Use

Certificate Revocation o certificates have a period of validity o may need to revoke before expiry, eg: 1. user's private key is compromised 2. user is no longer certified by this CA 3. CA's certificate is compromised o CAs maintain list of revoked certificates the Certificate Revocation List (CRL) o users should check certs with CAs CRL Authentication Procedures o X.509 includes three alternative authentication procedures: o One-Way Authentication o Two-Way Authentication o Three-Way Authentication o all use public-key signatures One-Way Authentication o 1 message ( A->B) used to establish the identity of A and that message is from A message was intended for B integrity & originality of message o message must include timestamp, nonce, B's identity and is signed by A Two-Way Authentication o 2 messages (A->B, B->A) which also establishes in addition: the identity of B and that reply is from B that reply is intended for A

 integrity & originality of reply o reply includes original nonce from A, also timestamp and nonce from B Three-Way Authentication o 3 messages (A->B, B->A, A->B) which enables above authentication without synchronized clocks o has reply from A back to B containing signed copy of nonce from B o means that timestamps need not be checked or relied upon X.509 Version 3 o has been recognised that additional information is needed in a certificate email/URL, policy details, usage constraints o rather than explicitly naming new fields defined a general extension method o extensions consist of: extension identifier criticality indicator extension value Certificate Extensions o key and policy information convey info about subject & issuer keys, plus indicators of certificate policy o certificate subject and issuer attributes support alternative names, in alternative formats for certificate subject and/or issuer o certificate path constraints allow constraints on use of certificates by other CAs 4.4 Electronic Mail Security email is one of the most widely used and regarded network services currently message contents are not secure o may be inspected either in transit o or by suitably privileged users on destination system Email Security Enhancements o confidentiality protection from disclosure o authentication of sender of message o message integrity protection from modification o non-repudiation of origin protection from denial by sender 4.5 Pretty Good Privacy (PGP) widely used de facto secure email developed by Phil Zimmermann selected best available crypto algorithms to use integrated into a single program

available on Unix, PC, Macintosh and Amiga systems originally free, now have commercial versions available also PGP Operation Authentication 1. sender creates a message 2. SHA-1 used to generate 160-bit hash code of message 3. hash code is encrypted with RSA using the sender's private key, and result is attached to message 4. receiver uses RSA or DSS with sender's public key to decrypt and recover hash code 5. receiver generates new hash code for message and compares with decrypted hash code, if match, message is accepted as authentic PGP Operation Confidentiality 1. sender generates message and random 128-bit number to be used as session key for this message only 2. message is encrypted, using CAST-128 / IDEA/3DES with session key 3. session key is encrypted using RSA with recipient's public key, then attached to message 4. receiver uses RSA with its private key to decrypt and recover session key 5. session key is used to decrypt message PGP Operation Confidentiality & Authentication o uses both services on same message create signature & attach to message encrypt both message & signature attach RSA encrypted session key PGP Operation Compression o by default PGP compresses message after signing but before encrypting so can store uncompressed message & signature for later verification & because compression is non deterministic o uses ZIP compression algorithm PGP Operation Email Compatibility o when using PGP will have binary data to send (encrypted message etc) o however email was designed only for text o hence PGP must encode raw binary data into printable ASCII characters o uses radix-64 algorithm maps 3 bytes to 4 printable chars also appends a CRC o PGP also segments messages if too big PGP Operation Summary

PGP Session Keys o need a session key for each message of varying sizes: 56-bit DES, 128-bit CAST or IDEA, 168-bit Triple-DES o generated using ANSI X12.17 mode o uses random inputs taken from previous uses and from keystroke timing of user PGP Public & Private Keys o since many public/private keys may be in use, need to identify which is actually used to encrypt session key in a message could send full public-key with every message but this is inefficient o rather use a key identifier based on key is least significant 64-bits of the key will very likely be unique o also use key ID in signatures PGP Key Rings o each PGP user has a pair of keyrings: public-key ring contains all the public-keys of other PGP users known to this user, indexed by key ID private-key ring contains the public/private key pair(s) for this user, indexed by key ID & encrypted keyed from a hashed passphrase PGP Key Management o rather than relying on certificate authorities o in PGP every user is own CA can sign keys for users they know directly o forms a web of trust

trust keys have signed can trust keys others have signed if have a chain of signatures to them o key ring includes trust indicators o users can also revoke their keys 4.6 S/MIME (Secure/Multipurpose Internet Mail Extensions) security enhancement to MIME email original Internet RFC822 email was text only MIME provided support for varying content types and multi-part messages with encoding of binary data to textual form S/MIME added security enhancements have S/MIME support in various modern mail agents: MS Outlook, Netscape etc., S/MIME Functions o enveloped data encrypted content and associated keys o signed data encoded message + signed digest o clear-signed data cleartext message + encoded signed digest o signed & enveloped data nesting of signed & encrypted entities S/MIME Cryptographic Algorithms o hash functions: SHA-1 & MD5 o digital signatures: DSS & RSA o session key encryption: ElGamal & RSA o message encryption: Triple-DES, RC2/40 and others o have a procedure to decide which algorithms to use S/MIME Certificate Processing o S/MIME uses X.509 v3 certificates o managed using a hybrid of a strict X.509 CA hierarchy & PGPs web of trust o each client has a list of trusted CAs certificates o and own public/private key pairs & certificates o certificates must be signed by trusted CAs Certificate Authorities o have several well-known CAs o Verisign one of most widely used o Verisign issues several types of Digital IDs o with increasing levels of checks & hence trust o Class Identity Checks Usage o 1 name/email check web browsing/email o 2+ enroll/addr check email, subs, s/w validate o 3+ ID documents e-banking/service access

4.7 IP Security have considered some application specific security mechanisms o eg. S/MIME, PGP, Kerberos, SSL/HTTPS however there are security concerns that cut across protocol layers would like security implemented by the network for all applications general IP Security mechanisms provides o authentication o confidentiality o key management applicable to use over LANs, across public & private WANs, & for the Internet IPSec Uses

Benefits of IPSec o in a firewall/router provides strong security to all traffic crossing the perimeter o is resistant to bypass o is below transport layer, hence transparent to applications o can be transparent to end users o can provide security for individual users if desired IP Security Architecture o specification is quite complex o defined in numerous RFCs incl. RFC 2401/2402/2406/2408 many others, grouped by category o mandatory in IPv6, optional in IPv4 IPSec Services o Access control o Connectionless integrity

o Data origin authentication o Rejection of replayed packets a form of partial sequence integrity o Confidentiality (encryption) o Limited traffic flow confidentiality Security Associations o a one-way relationship between sender & receiver that affords security for traffic flow o defined by 3 parameters: Security Parameters Index (SPI) IP Destination Address Security Protocol Identifier o has a number of other parameters seq no, AH & EH info, lifetime etc o have a database of Security Associations Authentication Header (AH) o provides support for data integrity & authentication of IP packets end system/router can authenticate user/app prevents address spoofing attacks by tracking sequence numbers o based on use of a MAC HMAC-MD5-96 or HMAC-SHA-1-96 o parties must share a secret key

Transport & Tunnel Modes

Encapsulating Security Payload (ESP) o provides message content confidentiality & limited traffic flow confidentiality o can optionally provide the same authentication services as AH o supports range of ciphers, modes, padding incl. DES, Triple-DES, RC5, IDEA, CAST etc CBC most common pad to meet blocksize, for traffic flow

Transport vs Tunnel Mode ESP o transport mode is used to encrypt & optionally authenticate IP data data protected but header left in clear can do traffic analysis but is efficient good for ESP host to host traffic

o tunnel mode encrypts entire IP packet add new header for next hop good for VPNs, gateway to gateway security Combining Security Associations o SAs can implement either AH or ESP o to implement both need to combine SAs form a security bundle o have 4 cases

Key Management o handles key generation & distribution o typically need 2 pairs of keys 2 per direction for AH & ESP o manual key management sys admin manually configures every system o automated key management automated system for on demand creation of keys for SAs in large systems has Oakley & ISAKMP elements Oakley o a key exchange protocol o based on Diffie-Hellman key exchange o adds features to address weaknesses cookies, groups (global params), nonces, DH key exchange with authentication o can use arithmetic in prime fields or elliptic curve fields ISAKMP o Internet Security Association and Key Management Protocol o provides framework for key management o defines procedures and packet formats to establish, negotiate, modify, & delete SAs o independent of key exchange protocol, encryption algorithm, & authentication method

4.8 Web Security Web now widely used by business, government, individuals but Internet & Web are vulnerable have a variety of threats o integrity o confidentiality o denial of service o authentication need added security mechanisms SSL (Secure Socket Layer) o transport layer security service o originally developed by Netscape o version 3 designed with public input o subsequently became Internet standard known as TLS (Transport Layer Security) o uses TCP to provide a reliable end-to-end service o SSL has two layers of protocols SSL Architecture

SSL session o an association between client & server o created by the Handshake Protocol o define a set of cryptographic parameters o may be shared by multiple SSL connections SSL connection o a transient, peer-to-peer, communications link o associated with 1 SSL session SSL Record Protocol o confidentiality using symmetric encryption with a shared secret key defined by Handshake Protocol IDEA, RC2-40, DES-40, DES, 3DES, Fortezza, RC4-40, RC4-128 message is compressed before encryption o message integrity using a MAC with shared secret key similar to HMAC but with different padding SSL Change Cipher Spec Protocol o one of 3 SSL specific protocols which use the SSL Record protocol o a single message o causes pending state to become current o hence updating the cipher suite in use SSL Alert Protocol o conveys SSL-related alerts to peer entity o severity warning or fatal o specific alert unexpected message, bad record mac, decompression failure, handshake failure, illegal parameter close notify, no certificate, bad certificate, unsupported certificate, certificate revoked, certificate expired, certificate unknown o compressed & encrypted like all SSL data SSL Handshake Protocol o allows server & client to: authenticate each other to negotiate encryption & MAC algorithms to negotiate cryptographic keys to be used o comprises a series of messages in phases Establish Security Capabilities Server Authentication and Key Exchange Client Authentication and Key Exchange Finish

TLS (Transport Layer Security) o IETF standard RFC 2246 similar to SSLv3 o with minor differences in record format version number uses HMAC for MAC a pseudo-random function expands secrets has additional alert codes some changes in supported ciphers changes in certificate negotiations changes in use of padding Secure Electronic Transactions (SET) o open encryption & security specification o to protect Internet credit card transactions o developed in 1996 by Mastercard, Visa etc o not a payment system o rather a set of security protocols & formats secure communications amongst parties trust from use of X.509v3 certificates privacy by restricted info to those who need it SET Components

SET Transaction 1. customer opens account 2. customer receives a certificate 3. merchants have their own certificates 4. customer places an order 5. merchant is verified 6. order and payment are sent 7. merchant requests payment authorization 8. merchant confirms order 9. merchant provides goods or service 10. merchant requests payment Dual Signature o customer creates dual messages order information (OI) for merchant payment information (PI) for bank o neither party needs details of other o but must know they are linked o use a dual signature for this signed concatenated hashes of OI & PI Purchase Request Customer

Purchase Request Merchant

o verifies cardholder certificates using CA sigs o verifies dual signature using customer's public signature key to ensure order has not been tampered with in transit & that it was signed using cardholder's private signature key

o processes order and forwards the payment information to the payment gateway for authorization (described later) o sends a purchase response to cardholder Payment Gateway Authorization 1. verifies all certificates 2. decrypts digital envelope of authorization block to obtain symmetric key & then decrypts authorization block 3. verifies merchant's signature on authorization block 4. decrypts digital envelope of payment block to obtain symmetric key & then decrypts payment block 5. verifies dual signature on payment block 6. verifies that transaction ID received from merchant matches that in PI received (indirectly) from customer 7. requests & receives an authorization from issuer 8. sends authorization response back to merchant Payment Capture o merchant sends payment gateway a payment capture request o gateway checks request o then causes funds to be transferred to merchants account o notifies merchant using capture response Two Marks: 1. What is Kerberos? 2. What are the three security approaches to secure user authentication in a distributed environment? 3. List the requirements of the Kerberos version 1. 4. What is an authentication server? 5. List some problems of authentication in an open network environment. 6. What are Kerberos realms? 7. What is nonce? 8. What is X.509 Authentication Service? 9. Draw the X.509 formats. 10. List the requirements that are not satisfied by the X.509 authentication service version 2. 11. What problem was Kerberos designed to address? 12. What are the three threats associated with user authentication over a network or internet? 13. What is the purpose of the X.509 standard? 14. What is a chain of certificates? 15. How is an X.509 certificate revoked? 16. What is PGP? 17. What are the reasons for the growth of PGP? 18. What are the services provided by the PGP? 19. What are the four types of keys used by PGP? 20. Give the general format of PGP message.

21. What is S/MIME? 22. Why does PGP generate a signature before applying compression? 23. Why is the segmentation and reassembly function in PGP needed? 24. How PGP does use the concept of trust? 25. What are the applications of IPSec? 26. What are the benefits of IPSec? 27. What is IPSec? 28. What are the services of IPSec? 29. What are the two protocols used to provide security for IPSec? 30. What is authentication header? 31. What is encapsulating security payload? 32. What is the difference between transport and tunnel mode? 33. What is replay attack? 34. Why does ESP include a padding field? 35. What are the two types of key management supported by IPSec architecture? 36. What are the features of Oakley? 37. What is ISAKMP? 38. Draw the ISAKMP header format. 39. What are the roles of the Oakley key determination protocol and ISAKMP in IPSec? 40. List some threats on the web. 41. What is SSL designed for? 42. What are the three higher layer protocol defined as part of SSL? 43. What are the two important SSL concepts? 44. What is SSL connection? 45. What is SSL Session? 46. What are the parameters defined for SSL session? 47. What are the parameters defined for SSL connection? 48. What are the services provided by the SSL record protocol? 49. Draw the SSL record format. 50. What is transport layer security? 51. What is SET? 52. What are the three services provided by the Set? 53. What are the requirements of SET? 54. What are the key features of SET? 55. Who are the participants of SET? 56. What is the purpose of dual signature? Big Questions: 57. Explain in detail about Kerberos Version 4. (16 Marks). 58. Differentiate between Kerberos Version 4 and Version 5 (10 Marks). 59. Explain in detail about Kerberos Version 5 (16 Marks). 60. Explain overview of Kerberos. (12 marks). 61. What are the environmental short comings and technical deficiencies of Kerberos Version 4? (4/6 marks).

62. Explain in detail about X.509 authentication service. (16 Marks). 63. Explain Authentication procedures. (8 marks). 64. Explain Authentication procedures. (8 marks). 65. Explain X.509 version 3 (8 marks). 66. Explain PGP in detail. (16 marks). 67. Explain the operational description of PGP. (16 marks). 68. Explain S/MIME in detail. (16 marks). 69. Explain the overview of IPSec. (8 marks). 70. Explain in detail about the IPSec Architecture. (16 Marks). 71. Explain transport and tunnel modes (8 marks). 72. Explain in detail about authentication header. (16 marks). 73. Explain in detail about ESP. (16 marks). 74. Explain the cases of basic combinations of security association. (8 marks). 75. Explain Oakley key determination protocol. (10 marks) 76. Explain ISAKMP (10 marks). 77. Explain SSL record protocol. (8 marks) 78. Explain in detail about SSL architecture. (16 marks) 79. Explain in detail about SSL record format. (12 marks) 80. Explain handshake protocol in detail. (10 marks) 81. Explain in detail about TLS. (16 marks). 82. Explain SET in detail. (16 marks). 83. Explain Secure Electronics Commerce in detail. (10 marks) 84. Explain the payment processing in detail. (16 marks).

UNIT V System Level Security

Intrusion detection password management Viruses and related Threats Virus Counter measures Firewall Design Principles Trusted Systems.

5.1 Intrusion detection 5.2 Password management 5.3 Viruses and related Threats 5.4 Virus Counter measures 5.5 Firewall Design Principles 5.6 Trusted Systems

5.1 Intrusion detection Intruders significant issue for networked systems is hostile or unwanted access either via network or local can identify classes of intruders: masquerader misfeasor clandestine user varying levels of competence clearly a growing publicized problem from Wily Hacker in 1986/87 to clearly escalating CERT stats may seem benign, but still cost resources may use compromised system to launch other attacks Intrusion Techniques aim to increase privileges on system basic attack methodology target acquisition and information gathering initial access privilege escalation covering tracks key goal often is to acquire passwords so then exercise access rights of owner Password Guessing one of the most common attacks attacker knows a login (from email/web page etc) then attempts to guess password for it try default passwords shipped with systems try all short passwords then try by searching dictionaries of common words intelligent searches try passwords associated with the user (variations on names, birthday, phone, common words/interests) before exhaustively searching all possible passwords check by login attempt or against stolen password file success depends on password chosen by user surveys show many users choose poorly Password Capture another attack involves password capture watching over shoulder as password is entered using a trojan horse program to collect monitoring an insecure network login (eg. telnet, FTP, web, email)

extracting recorded info after successful login (web history/cache, last number dialed etc) using valid login/password can impersonate user users need to be educated to use suitable precautions/countermeasures Intrusion Detection inevitably will have security failures so need also to detect intrusions so can block if detected quickly act as deterrent collect info to improve security assume intruder will behave differently to a legitimate user but will have imperfect distinction between Approaches to Intrusion Detection statistical anomaly detection threshold profile based rule-based detection anomaly penetration identification Audit Records fundamental tool for intrusion detection native audit records part of all common multi-user O/S already present for use may not have info wanted in desired form detection-specific audit records created specifically to collect wanted info at cost of additional overhead on system Statistical Anomaly Detection threshold detection count occurrences of specific event over time if exceed reasonable value assume intrusion alone is a crude & ineffective detector profile based characterize past behavior of users detect significant deviations from this profile usually multi-parameter Audit Record Analysis foundation of statistical approaches analyze records to get metrics over time counter, gauge, interval timer, resource use use various tests on these to determine if current behavior is acceptable mean & standard deviation, multivariate, markov process, time series, operational key advantage is no prior knowledge used Rule-Based Intrusion Detection

observe events on system & apply rules to decide if activity is suspicious or not rule-based anomaly detection analyze historical audit records to identify usage patterns & autogenerate rules for them then observe current behavior & match against rules to see if conforms like statistical anomaly detection does not require prior knowledge of security flaws rule-based penetration identification uses expert systems technology with rules identifying known penetration, weakness patterns, or suspicious behavior rules usually machine & O/S specific rules are generated by experts who interview & codify knowledge of security admins quality depends on how well this is done compare audit records or states against rules Base-Rate Fallacy practically an intrusion detection system needs to detect a substantial percentage of intrusions with few false alarms if too few intrusions detected -> false security if too many false alarms -> ignore / waste time this is very hard to do existing systems seem not to have a good record Distributed Intrusion Detection traditional focus is on single systems but typically have networked systems more effective defense has these working together to detect intrusions issues dealing with varying audit record formats integrity & confidentiality of networked data centralized or decentralized architecture

Distributed Intrusion Detection Architecture

Distributed Intrusion Detection Agent Implementation

Honeypots o decoy systems to lure attackers away from accessing critical systems to collect information of their activities to encourage attacker to stay on system so administrator can respond o are filled with fabricated information o instrumented to collect detailed information on attackers activities o may be single or multiple networked systems

5.2 Password Management front-line defense against intruders users supply both: o login determines privileges of that user o password to identify them passwords often stored encrypted o Unix uses multiple DES (variant with salt) o more recent systems use crypto hash function Managing Passwords o need policies and good user education o ensure every account has a default password o ensure users change the default passwords to something they can remember o protect password file from general access o set technical policies to enforce good passwords minimum length (>6) require a mix of upper & lower case letters, numbers, punctuation block know dictionary words o may reactively run password guessing tools note that good dictionaries exist for almost any language/interest group o may enforce periodic changing of passwords o have system monitor failed login attempts, & lockout account if see too many in a short period o do need to educate users and get support o balance requirements with user acceptance o be aware of social engineering attacks Proactive Password Checking o most promising approach to improving password security o allow users to select own password o but have system verify it is acceptable simple rule enforcement (see previous slide) compare against dictionary of bad passwords use algorithmic (markov model or bloom filter) to detect poor choices 5.3 Viruses and related threats Malicious Software Viruses and Other Malicious Content o computer viruses have got a lot of publicity o one of a family of malicious software o effects usually obvious o have figured in news reports, fiction, movies (often exaggerated) o getting more attention than deserve

o are a concern though

Trapdoors o secret entry point into a program o allows those who know access bypassing usual security procedures o have been commonly used by developers o a threat when left in production programs allowing exploited by attackers o very hard to block in O/S o requires good s/w development & update Logic Bomb o one of oldest types of malicious software o code embedded in legitimate program o activated when specified conditions met eg presence/absence of some file particular date/time particular user o when triggered typically damage system modify/delete files/disks Trojan Horse o program with hidden side-effects o which is usually superficially attractive eg game, s/w upgrade etc o when run performs some additional tasks allows attacker to indirectly gain access they do not have directly o often used to propagate a virus/worm or install a backdoor o or simply to destroy data Zombie o program which secretly takes over another networked computer o then uses it to indirectly launch attacks o often used to launch distributed denial of service (DDoS) attacks

o exploits known flaws in network systems Viruses o a piece of self-replicating code attached to some other code cf biological virus o both propagates itself & carries a payload carries code to make copies of itself as well as code to perform some covert task Virus Operation o virus phases: dormant waiting on trigger event propagation replicating to programs/disks triggering by event to execute payload execution of payload o details usually machine/OS specific exploiting features/weaknesses Virus Structure program V := {goto main; 1234567; subroutine infect-executable := {loop: file := get-random-executable-file; if (first-line-of-file = 1234567) then goto loop else prepend V to file; } subroutine do-damage := {whatever damage is to be done} subroutine trigger-pulled := {return true if some condition holds} main: main-program := {infect-executable; if trigger-pulled then do-damage; goto next;} next: } Types of Viruses o can classify on basis of how they attack o parasitic virus o memory-resident virus o boot sector virus o stealth o polymorphic virus o macro virus Macro Virus o macro code attached to some data file o interpreted by program using file eg Word/Excel macros especially using auto command & command macros o code is now platform independent o is a major source of new viral infections

o blurs distinction between data and program files making task of detection much harder o classic trade-off: "ease of use" vs "security" Email Virus o spread using email with attachment containing a macro virus cf Melissa o triggered when user opens attachment o or worse even when mail viewed by using scripting features in mail agent o usually targeted at Microsoft Outlook mail agent & Word/Excel documents Worms o replicating but not infecting program o typically spreads over a network cf Morris Internet Worm in 1988 led to creation of CERTs o using users distributed privileges or by exploiting system vulnerabilities o widely used by hackers to create zombie PC's, subsequently used for further attacks, especially DoS o major issue is lack of security of permanently connected systems, especially PC's Worm Operation o worm phases like those of viruses: dormant propagation search for other systems to infect establish connection to target remote system replicate self onto remote system o triggering o execution Morris Worm o best known classic worm o released by Robert Morris in 1988 o targeted Unix systems o using several propagation techniques simple password cracking of local pw file exploit bug in finger daemon exploit debug trapdoor in sendmail daemon o if any attack succeeds then replicated self Recent Worm Attacks o new spate of attacks from mid-2001 o Code Red exploited bug in MS IIS to penetrate & spread probes random IPs for systems running IIS had trigger time for denial-of-service attack 2nd wave infected 360000 servers in 14 hours o Code Red 2

 had backdoor installed to allow remote control o Nimda used multiple infection mechanisms email, shares, web client, IIS, Code Red 2 backdoor 5.4 Virus Counter measures viral attacks exploit lack of integrity control on systems to defend need to add such controls typically by one or more of: o prevention - block virus infection mechanism o detection - of viruses in infected system o reaction - restoring system to clean state Anti-Virus Software o first-generation scanner uses virus signature to identify virus or change in length of programs o second-generation uses heuristic rules to spot viral infection or uses program checksums to spot changes o third-generation memory-resident programs identify virus by actions o fourth-generation packages with a variety of antivirus techniques eg scanning & activity traps, access-controls Advanced Anti-Virus Techniques o generic decryption use CPU simulator to check program signature & behavior before actually running it o digital immune system (IBM) general purpose emulation & virus detection any virus entering org is captured, analyzed, detection/shielding created for it, removed Behavior-Blocking Software o integrated with host O/S o monitors program behavior in real-time eg file access, disk format, executable mods, system settings changes, network access o for possibly malicious actions if detected can block, terminate, or seek ok o has advantage over scanners o but malicious code runs before detection 5.5 Firewall Design Principles Introduction o seen evolution of information systems

o now everyone want to be on the Internet o and to interconnect networks o has persistent security concerns o cant easily secure every system in org o need "harm minimisation" o a Firewall usually part of this What is a Firewall? o a choke point of control and monitoring o interconnects networks with differing trust o imposes restrictions on network services only authorized traffic is allowed o auditing and controlling access can implement alarms for abnormal behavior o is itself immune to penetration o provides perimeter defence Firewall Limitations o cannot protect from attacks bypassing it eg sneaker net, utility modems, trusted organisations, trusted services (eg SSL/SSH) o cannot protect against internal threats eg disgruntled employee o cannot protect against transfer of all virus infected programs or files because of huge range of O/S & file types Firewalls Packet Filters

o o o o

simplest of components foundation of any firewall system examine each IP packet (no context) and permit or deny according to rules hence restrict access to services (ports)

o possible default policies that not expressly permitted is prohibited that not expressly prohibited is permitted

Attacks on Packet Filters o IP address spoofing fake source address to be trusted add filters on router to block o source routing attacks attacker sets a route other than default block source routed packets o tiny fragment attacks split header info over several tiny packets either discard or reassemble before check Firewalls Stateful Packet Filters o examine each IP packet in context keeps tracks of client-server sessions checks each packet validly belongs to one o better able to detect bogus packets out of context

Firewalls - Application Level Gateway (or Proxy)

o use an application specific gateway / proxy o has full access to protocol user requests service from proxy proxy validates request as legal then actions request and returns result to user o need separate proxies for each service some services naturally support proxying others are more problematic custom services generally not supported Firewalls - Circuit Level Gateway

relays two TCP connections imposes security by limiting which such connections are allowed once created usually relays traffic without examining contents typically used when trust internal users by allowing general outbound connections o SOCKS commonly used for this Bastion Host o highly secure host system o potentially exposed to "hostile" elements o hence is secured to withstand this o may support 2 or more net connections o may be trusted to enforce trusted separation between network connections o runs circuit / application level gateways o or provides externally accessible services Firewall Configurations

o o o o

Access Control o given system has identified a user o determine what resources they can access o general model is that of access matrix with subject - active entity (user, process) object - passive entity (file or resource) access right way object can be accessed o can decompose by columns as access control lists rows as capability tickets Access Control Matrix

5.6 Trusted Computer Systems information security is increasingly important have varying degrees of sensitivity of information o cf military info classifications: confidential, secret etc subjects (people or programs) have varying rights of access to objects (information) want to consider ways of increasing confidence in systems to enforce these rights known as multilevel security o subjects have maximum & current security level o objects have a fixed security level classification Bell LaPadula (BLP) Model o one of the most famous security models o implemented as mandatory policies on system o has two key policies: o no read up (simple security property) a subject can only read/write an object if the current security level of the subject dominates (>=) the classification of the object o no write down (*-property) a subject can only append/write to an object if the current security level of the subject is dominated by (<=) the classification of the object Reference Monitor

Evaluated Computer Systems o governments can evaluate IT systems o against a range of standards: TCSEC, IPSEC and now Common Criteria o define a number of levels of evaluation with increasingly stringent checking

o have published lists of evaluated products though aimed at government/defense use can be useful in industry also.

Two Marks
1. What is an intruder? 2. What are the three classes of intruders? 3. What is masquerader? 4. What is misfeasor? 5. What is clandestine user? 6. How password file is is protected? 7. What are the approaches to intrusion detection? 8. What is statistical anomaly detection? 9. What is rule based detection? 10. What are audit record and its types? 11. What is native audit record? 12. What is detection specific audit record? 13. What is threshold detection? 14. What is profile based statistical anomaly detection? 15. What is rule based anomaly detection? 16. What is penetration identification? 17. List some fields that contains in the audit record. 18. What are the metrics that are useful for profile based intrusion detection? 19. What are the various tests that can be performed to determine whether the current activity fits within acceptable limits? 20. What is the base-rate fallacy? 21. What is a honey pot? 22. What is the purpose of salt? 23. What is salt value? 24. What are the basic techniques used for password selection strategies? 25. What is the difference between reactive password checking and proactive password checking? 26. What are the two categories that a software threats or malicious programs are divided? 27. What is trapdoor? 28. What is logic bomb? 29. What is Trojan horse? 30. What is zombie? 31. What is virus? 32. What are the four phases of virus? 33. What are the types of virus? 34. What is micro virus? 35. What is E-mail virus? 36. What are worms? 37. What is the major difference between virus and worms?

38. What are the two approaches of antivirus? 39. What are the elements of generic decryption? 40. What is generic decryption? 41. What is behavior blocking software? 42. What is a firewall? 43. What are the characteristics of firewall? 44. List four general techniques that firewalls uses to control access and enforce the sites security policy. 45. What are the capabilities of firewall? 46. What are the limitations of firewall? 47. What is the prime disadvantage of application level gateway? 48. What is the strength of application level gateway compare to packet filter? 49. What is bastion host? 50. What is a trusted system? 51. What are the basic elements of a access matrix? 52. What is simple security property? 53. What is *-property? 54. What is multilevel security? 55. What multilevel security ensure? 56. What is reference monitor? 57. What are the properties of reference monitor?

Big Questions: 58. Explain in detail about intrusion techniques. (8 marks) 59. Explain in detail about intrusion detection. (16 marks) 60. Explain in detail about statistical anomaly detection. (8 marks). 61. Explain rule-based intrusion detection. (8 marks). 62. Explain in detail about distributed intrusion detection. (8 marks). 63. Explain honey pots in detail. (8 marks) 64. Explain password management in detail. (16 marks). 65. Explain in detail about malicious program. (10 marks). 66. Explain virus in detail. (16 marks). 67. Explain in detail about worms. (10 marks). 68. Explain in detail about the generation of antivirus. (6 marks). 69. Explain in detail about advanced antivirus techniques. (12 marks). 70. Explain in detail about digital immune system. (8 marks). 71. Explain in detail about the types of firewall. (12 marks). 72. Explain packet filtering router in detail. (10 marks) 73. What are the attacks that can be made on packet filtering router? Give also its counter measures (4 marks). 74. What are the characteristics of bastion host? (4/6 marks) 75. Explain firewall configuration. (8 marks). 76. Explain in detail about trusted system. (16 marks). 77. Explain data access control. (8 marks)

78. Explain the concepts of trusted systems. (8 marks) 79. Explain reference monitor in detail. (8 marks). 80. Explain Trojan horse defense. (8 marks).

B.E DEGREE EXAMINATION, MAY 2008 IT1352 CRYPTOGRAPHY AND NETWORK SECURITY Part A 1. What is the advantage and disadvantage of one time pad encryption algorithm. 2. If a bit error occurs in plain text block p1 , how far does the error propagate in CBC mode of DES 3. When do we say an integer a, less than n is a primitive root of n. state the conditions for having at least one primitive root or n. 4.What for the miller-rabin algorithm is used. 5. Draw a simple public key encryption model that provides authentication alone. 6. Identify any two applications where one way authentication is necessary. 7. Why the leading two octets of message digest are stored in PGP message along with the encrypted message digest. 8. State any tow advantages of Oakley key determination protocol over diffie hellman key exchange protocol. 9. How are the passwords stored in password file in UNIX operating system. 10. What is meant by polymorphic viruses. Part B 11. A) i. Discuss any four substitution cipher encryption methods and list their merits and demerits . ii. how are diffusion and confusion achieved in DES. OR b) i. in AES, explain how the encryption key is expanded to produce keys for the 10 rounds. ii. Explain the types of attacks on double DES and triple DES. 12. A) i. How are arithmetic operations on integers carried out from their residues modulo a set of pair wise relatively prime moduli. Give the procedure to reconstruct the integers form the residue. ii. How is discrete logarithm evaluated for a number . what is the role of discrete logarithms in the diffie hellman key exchange in exchanging the secret key among two users. OR b) i. Identify the possible threats for RSA algorithm and list their counter measures. ii. state the requirements for the design of an elliptic curve crypto system. Using that , explain how secret keys are exchanged and messages are encrypted. 13. A). i. Describe digital signature algorithm and show how signing and verification is done using DSS. ii. Consider any message M of length 4120 bits ending with ABCDEF in hexadecimal form. Construct the last block of message to be given as input for the MD5.

OR b) i. Explain the processing of a message block of 512 bits using SHA1. ii. write about the symmetric encryption approach for digital signatures. 14. a) i.Describe the authentication dialogue used by Kerberos for obtaining services from another realm. ii. Explain with the help of an example how a users certificate is obtained from another certification authority in x509 scheme. OR b). i. what are the functions included in MIME in order to enchance security how are they done.. ii. why does PGP maintain key rings with every users. Explain how the messages are generated and received by pgp. 15). A) i. Explain any tow approached for intrusion detection. ii. Suggest any three password selection strategies and identify their advantages and disadvantages if any. OR b). i. Identify a few malicious programs that need a host program for their existence. ii. Describe the familiar types of firewall configurations.

B.E DEGREE EXAMINATION, NOV 2007 IT1352 CRYPTOGRAPHY AND NETWORK SECURITY Part A 1. What is avalanche effect. 2. What are the types of attacks on encrypted message. 3. Find gcd(56,86) using euclids algorithm. 4. Why elliptic curve cryptography is considered to be better than RSA. 5. what is masquerading. 6. Define weak collision property of a hash function. 7. what is x.509 standard. 8. Give IPSEC ESP FORMAT. 9. What are honey pots. 10. List down the four phases of virus. Part B 11. A) Discuss in detail encryption and decryption process of AES. OR b) i. Briefly explain design principles of block cipher. ii. Discuss in detail block cipher modes of operation.

12. A) i. Discuss in detail RSA algorithm , highlighting its computational aspect and security. ii. Perform decryption and encryption using RSA algorithm with p=3 q=11 e=7 and N=5. OR b) Briefly explain Deffie Hellman key exchange with an example. 13. A). i. Explain authentication functions in detail. ii. What is meant by message digest give example. OR b) i. Briefly explain digital signature algorithm. ii. Discuss clearly secure hash algorithm. 14. a) i. What is Kerberos . Explain how it provides authenticated service. ii. Explain the architecture of IPSEC. OR b). i. Explain handshake protocol actions of SSL. ii. Discuss in detail secure electronic transaction. 15). A) i. Explain firewalls and how they prevent intrusions. ii.Explain the concept of reference monitor. OR b). i. Define intrusion detection and the different types of detection mechanisms, in detail. ii. Comment on password selection strategies and their significance.