Cryptographic

Algorithms
14th May 2012

P.R.Lakshmi Eswari
e-Security Team
C-DAC Hyderabad

Network Security

What is it ?

Why do we need it ?

How is it provided ?

Network Security Issues

Normal Flow

Network Security Issues

Normal Flow

Interruption

Network Security Issues

Normal Flow

Modification

Interruption

Network Security Issues

Normal Flow

Modification

Interruption

Interception

Network Security Issues

Normal Flow

Interruption

Modification

Fabrication

Interception

Network Security Issues

Normal Flow

Interruption

Modification

Fabrication

Interception

No!

Get it?

Sent it?

No!

Repudiation

Network Security Services

Availability

Requirement

Modification

Fabrication

Interception

No!

Get it?

Sent it?

No!

Repudiation

Network Security Services

Availability

Requirement

Integrity

Interception

Fabrication

No!

Get it?

Sent it?

No!

Repudiation

Network Security Services

Availability

Requirement

Integrity

Fabrication

Confidentiality

No!

Get it?

Sent it?

No!

Repudiation

Network Security Services

Availability

Requirement

Integrity

Confidentiality
No!

Get it?

Authenticity

Sent it?

No!

Repudiation

Network Security Services

Availability

Requirement

Integrity

Confidentiality

Authenticity

Non Repudiation

Security Mechanisms

Confidentiality
Integrity
Authentication
Non-Repudiation

Encryption
Hashing
Digital Certificates
Digital Signatures

Cryptographic Algorithms
Types of Cryptographic algorithms
Secret key cryptography or Symmetric Key

Public key cryptography or Asymmetric Key

Hash functions

Symmetric Cryptography

Asymmetric Cryptography

Types of Cryptosystems

Secret Key or Symmetric Cryptography

DES, IDEA, AES etc

Advantages: fast, cipher text secure

Disadvantages: must distribute key in advance, key

must not be divulged

Public-key or Asymmetric Cryptography

RSA, Diffie-Hellman key agreement protocol etc

Advantages: public key widely distributable, does digital

signatures

Disadvantages: slow

Secret Key Algorithms

Shared Secret Key

Decryption
algorithm

Encryption
algorithm

Plain text
input

Transmitted
Cipher text

Confidentiality

Plain text
output

Secret Key Encryption

Types

Block Cipher: Operates on a block of

message or plaintext at a time
Ex: DES, IDEA)

Data Encryption Standard (DES)

56-bit Key

64-bit
48-bitInput
K1

Generate keys

Permutation
Round 1

Round 2

...
Round 16
Swap
Permutation
64-bit Output

Initial Permutation
48-bit K1
48-bit K2
48-bit K16
Swap 32-bit halves
Final Permutation

Secret Key Encryption

Triple DES

Uses 3 keys and 3 executions of DES

algorithm.
Key1
Encrypt

Plain
text

Decrypt

Key3
Encrypt

Encryption
Key3

Cipher
text

Key2

Decrypt

Key2
Encrypt

Decryption

Cipher
text

Key1
Decrypt

Plain
text

Secret Key Encryption

Other Secret key algorithms
IDEA (International Data Encryption
Algorithm)

128 bit key, 8 rounds

Blowfish

Variable key length. (up to 448 bits).

Generally 128 bit key used. 16 rounds.
Easy to implement and high execution
speed.

Secret Key Encryption

Other Secret key algorithms

CAST 128

Key size between 40 and 128 bits.

F varies from round to round.

AES (Advanced Encryption Standard)

Variable block length (128, 192, 256 bits)

Variable key length (128, 192, 256 bits)
Ease of implementation in software and hardware.

Secret Key Encryption

Stream Cipher

A pseudo random no. generator

continuously generates bits known as
running key or keystream.
xoring the keystream to the plain text
produces the cipher text.
e.g. RC4, SEAL, A5/1 (used in GSM)

Secret Key Encryption

Stream Cipher
key

Keystream
generator

Encryption

key

Keystream
generator

plaintext

ciphertext

ciphertext

plaintext

Decryption
Keystream Generator is a pseudo random generator like linear feedback shift register

Key Distribution

Symmetric schemes require both parties to

share a common secret key
Issue is how to securely distribute this key
Often secure system failure due to a break in
the key distribution scheme

Public Key Cryptography

Uses two keys: private & public

Used for

Confidentiality
Authentication
Key distribution

Public Key Cryptography

Confidentiality

The sender encrypts using public key of

receiver
Only the receiver can decrypt the cipher
message with his private key

Public Key Algorithms

Public key ring

Private Key

Decryption
algorithm

Encryption
algorithm

Plain text
input

Transmitted
Cipher text

Confidentiality

Plain text
output

Public Key Cryptography

RSA

Key Generation

Select prime no.s p & q

Calculate n = p x q
Calculate (n) = (p-1)(q-1)
Select integer e such that e is relatively
prime to (n)
Calculate d = e-1mod (n)
(d = multiplicative inverse of e)
Public Key = {e, n} Private Key = {d, n}

Public Key Cryptography

RSA
Encryption
Plaintext M < n
Cipher text C = Me(mod n)

Decryption
Cipher text C
Plaintext M = Cd(mod n)

Cryptography
Strength of Cryptographic Algorithms
Identify the weakest links

Key length: key can be broken by brute force attack.

For a 32 bit key max. possible combinations is 232.
Hence size of key is crucial.

Symmetric algorithms: key sizes currently used is 128 bits

Public key algorithms: require much larger key sizes since
an extra structure i.e. public key is available to
cryptanalyst. Hence keys with 1024 bits and more are
safer.

Public Key Algorithms

Public key ring

Private Key

Decryption
algorithm

Encryption
algorithm

Plain text
input

Transmitted
Cipher text

Authentication

Plain text
output

Public Key Algorithms

Public key ring

Private Key

Session
key

Encryption
algorithm

encrypted
key

Decryption
algorithm

Key Exchange

Shared
session
key

Key Management
Diffie-Hellman Key Exchange

Enables 2 users to exchange a secret key

securely that can be used for subsequent
encryption of messages.
If p is prime no., its primitive root a is such
that a mod p, a2 mod p, ap-1 mod p are
distinct integers from 1 to p-1 in some
permutation.

Public Key Cryptography

Diffie Hellman key exchange

User A

prime p
primitive root
random no. x

prime p
primitive root
random no. y

Public key
pk1 = xmod p

Public key
pk2 = ymod p

Secret Key
pk2xmod p
K = pk
2
= xymod p

Secret Key
ymod
1
K = pk1pk
p
= xymod p

User B

Symmetric vs. Asymmetric

Asymmetric

Fastest implementation of RSA (asymmetric) can

encrypt kilobits/sec

2048-bit key

Symmetric

Fastest implementation of DES (symmetric) can

encrypt megabits/sec

56-bit key

The Hybrid Model

Very common practice: hybrid symmetric and
asymmetric

Asymmetric encryption is used to share a secret

key, which is then used for symmetric encryption
Advantages

Speed of symmetric, flexibility of asymmetric

Integrity

Encryption protects only against

passive attack.
Integrity

A message digest is computed which is

appended to message using hash
functions.

Hash Functions
A public function that maps a plaintext message of
any length into a fixed length hash value used as the
authenticator

Pros

One way transformation

Offers integrity without the cost of encryption
Message can be read when authentication is
unnecessary

Cons

No Confidentiality
Can be altered by attackers to match altered message

Integrity
Secure Hash Algorithm (SHA-1)

Takes input as 512 bit blocks and produces 160 bit

message digest.

Original message

zero padding

512 x m bits

message
length

64 bits

Authentication
Digital Signatures

An authentication mechanism which enables the

creator of a message to attach a code that acts as a
signature
Encrypt a small block of bits that is a function of
the document (authenticator), using senders
private key.
This serves as signature that verifies origin and
content.
SHA-1 can be used as this function.

Digital Certificates

An answer to Internet trust problem

Trusted 3rd parties issue certificates to

people or companies who prove their ID

Digital Certificates Manage key

Used for distribution of public keys.

Public key certificate consisting of
public key and user ID of key owner is
signed by a trusted third party.
The third party is called Certificate
Authority(CA).

Digital Certificates

A Digital Certificate typically contains

Owners public key

Owners name
Expiration date of the public key
Name of the issuer (CA that issued the Digital
ID)
Serial number of the Digital ID
Digital signature of the issuer
X.509

X.509 Authentication Service

Part of CCITT X.500 directory service standards

distributed servers maintaining some info database
Defines framework for authentication services
directory may store public-key certificates

with public key of user

signed by certification authority
Also defines authentication protocols
Uses public-key crypto & digital signatures
algorithms not standardised, but RSA recommended

X.509 Certificates

Issued by a Certification Authority (CA), containing:

version (1, 2, or 3)
serial number (unique within CA) identifying certificate
signature algorithm identifier
issuer X.500 name (CA)
period of validity (from - to dates)
subject X.500 name (name of owner)
subject public-key info (algorithm, parameters, key)
issuer unique identifier (v2+)
subject unique identifier (v2+)
extension fields (v3)
signature (of hash of all fields in certificate)
Notation CA<<A>> denotes certificate for A signed by CA

X.509 Certificates

Network Security Protocols

What is a protocol ?
Why do we need a network security protocol ?
Authentication
Data integrity
Confidentiality
Key exchange
Cipher Suite Negotiation

Protocol Layers
Where to Implement Security?

TCP/IP protocol stack

Application Layer
Transport Layer
Network Layer
Link Layer

Deployment of Cryptography
Application-Layer Encryption
Application
Layers (5-7)

Network-Layer Encryption
Transport/Network
Layers (3-4)

Link/Physical
Layers (1-2)

Link-Layer
Encryption

Link-Layer
Encryption

Evolution of Security Protocols