AN INTRODUCTION
Magdy Saeb
OUTLINE
o Introduction
o Cryptographic Algorithms I: Basic Concepts
o Cryptographic Algorithms II: Discussion of some ciphers
o Key Exchange or Distribution
o Cryptanalysis
o Introduction to Network Security
INTRODUCTION
| Objectives
| One-time pads
| Construction of Modern Ciphers
INFORMATION SECURITY OBJECTIVES
| Privacy or confidentiality:
Keeping information secret from all but those who are authorized.
| Data Integrity:
Ensuring information has not been altered by unauthorized or unknown means.
| Identification:
Validating the identity of an entity (e.g., a person, a computer terminal, a credit card, etc.).
| Message Authentication:
Acknowledgement that information has been received.
| Confirmation:
Acknowledgement that services have been provided.
| Ownership:
[Figure: Alice computes C = E_k(m) with key k and sends C to Bob, who recovers m = D_k(C) with the same key k; Mallory and Eve are shown as the adversaries on the channel.]
MODERN CRYPTOGRAPHY
| 1977: Data Encryption Standard (DES)
Adopted as a U.S. Federal Information Processing Standard for encrypting unclassified information.
| 1976: Diffie and Hellman
Introduced the concept of public-key cryptography. Security is based on the intractability of the discrete logarithm problem.
| 1978: Rivest, Shamir, and Adleman (RSA)
The most well-known scheme; security is based on the intractability of factoring large integers.
BASIC CONCEPTS IN CRYPTOGRAPHY
| Message Space and Plain Texts:
M denotes a set called the message space. M consists of strings of symbols from an alphabet of definition. An element of M is called a plaintext message or simply a plaintext. For example, M may consist of binary strings, English text, computer code, etc.
| Ciphertext:
C denotes a set called the ciphertext space. C consists of strings of symbols from an alphabet of definition, which may differ from the alphabet of definition for M. An element of C is called a ciphertext.
ENIGMA ARCHITECTURE
Electromechanical device: three rotors are the primary features of the machine.
A CASE FOR (OR AGAINST) ONE-TIME PAD?
UNCONDITIONALLY SECURED?
| Conventional Wisdom:
IF the OTP is used properly, with all the reservations that we clearly
know by now, it is unconditionally secure. However, the OTP is a very
difficult system to use properly, and the chance of a catastrophic key-
management failure is too high to neglect in most situations.
| Perspective:
The OTP which is "unconditionally secure" is not the same as the realized
OTP which is used in practice. The theoretical OTP has an ideal
random keying source. This source does not exist in reality.
Subsequently, the "unconditionally secure" OTP also does not exist in
reality.
There is another level of deviation here before discussing a stream cipher. That is the ever-increasing "entropy" in the output of the practically-realized random generator used for OTP keying material. Actually, we cannot measure this entropy. However, there is the possibility that the generator produces less "entropy" than we expect, and the plaintext has more "entropy" than we expect. In this case, the plaintext will not be protected. Actually, it will "leak" information even if just one bit.
Clearly, any such system could not be unconditionally secure, even if generally secure in practice.
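The leak described above can be made measurable. The following is an added example, not code from the slides: it XORs a constructed random plaintext with (a) an ideal key, every bit uniform, and (b) a constructed biased key whose bits are 1 only 10% of the time, standing in for a generator that delivers less entropy than its length suggests. The helper names (otp_xor, key_stream, agreement, leak_demo) are this example's own. With the ideal key, ciphertext and plaintext agree on about half of the positions, which tells an observer nothing; with the biased key they agree on about 90%, so every ciphertext bit leaks its plaintext bit with that probability.

```python
import random


def otp_xor(bits, key_bits):
    """One-time pad on bit lists: c_i = m_i XOR k_i. Decryption is the same operation."""
    if len(key_bits) < len(bits):
        raise ValueError("a one-time pad key must be at least as long as the message")
    return [m ^ k for m, k in zip(bits, key_bits)]


def key_stream(n, p_one, seed):
    """Constructed keying source (an assumption of this example, not a real generator):
    each key bit is 1 with probability p_one. p_one = 0.5 models the ideal OTP source;
    any other value models a generator that delivers less entropy than its bit count
    suggests."""
    rng = random.Random(seed)
    return [1 if rng.random() < p_one else 0 for _ in range(n)]


def agreement(plain_bits, cipher_bits):
    """Fraction of positions where the ciphertext bit equals the plaintext bit.
    With an ideal key this is about 0.5, i.e. the ciphertext says nothing about the
    plaintext; with a biased key it moves toward 1 - p_one, so each ciphertext bit
    reveals its plaintext bit with that probability."""
    same = sum(1 for m, c in zip(plain_bits, cipher_bits) if m == c)
    return same / len(plain_bits)


def leak_demo(n=10000, p_one=0.1, seed=1):
    """Encrypt one constructed random plaintext under an ideal key and under a biased
    key; return (ideal_agreement, biased_agreement)."""
    msg_rng = random.Random(seed + 1)
    plain = [msg_rng.getrandbits(1) for _ in range(n)]
    ideal = agreement(plain, otp_xor(plain, key_stream(n, 0.5, seed)))
    biased = agreement(plain, otp_xor(plain, key_stream(n, p_one, seed)))
    return ideal, biased


if __name__ == "__main__":
    ideal, biased = leak_demo()
    print(f"ideal key: {ideal:.3f} agreement, biased key: {biased:.3f} agreement")
```

The same measurement is a cheap sanity check on any keying source: if the agreement between plaintext and ciphertext drifts away from 0.5 across many messages, the generator is not delivering the entropy the pad assumes.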
FEISTEL NETWORKS
Remember the iterated step of DES:
L1 = R0, R1 = L0 ⊕ f(R0, K0).
Suppose that computing f(R0, K0) is easy if you know R0 and K0 but impossible if you do not know K0.
If you know L1, R1 and K0 then R0 = L1 and L0 = R1 ⊕ f(L1, K0).
If you do not know f(L1, K0) it is impossible to learn L0.
By iterating twice it becomes impossible to learn R0 or L0 from R2 and L2 without K.
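The iterated step and its inversion, as an added example that is not part of the slides: a generic Feistel network over 8-byte blocks in which the round function f is a constructed keyed hash (an assumption standing in for the DES f function) and the key schedule is likewise constructed. The point the code makes is the one above: decryption needs only the forward direction of f, and after a single round the right half R0 is still visible as L1, which is why more than one round is needed.

```python
import hashlib

HALF = 4  # bytes per half-block (constructed; DES uses 32-bit halves)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def f(r, k):
    """Toy round function (assumption: a keyed hash stands in for the DES f function).
    Any function works in a Feistel network; it does not have to be invertible."""
    return hashlib.sha256(k + r).digest()[:HALF]


def feistel_round(L, R, k):
    """One iterated step: L_{i+1} = R_i,  R_{i+1} = L_i XOR f(R_i, K_i)."""
    return R, xor(L, f(R, k))


def feistel_encrypt(block, round_keys):
    L, R = block[:HALF], block[HALF:]
    for k in round_keys:
        L, R = feistel_round(L, R, k)
    return L + R


def feistel_decrypt(block, round_keys):
    """Undo the rounds in reverse order: R_i = L_{i+1} and
    L_i = R_{i+1} XOR f(L_{i+1}, K_i), using only the forward direction of f."""
    L, R = block[:HALF], block[HALF:]
    for k in reversed(round_keys):
        L, R = xor(R, f(L, k)), L
    return L + R


def round_keys_from(key, rounds):
    """Constructed key schedule (assumption): subkey i = H(key || i), truncated."""
    return [hashlib.sha256(key + bytes([i])).digest()[:HALF] for i in range(rounds)]


if __name__ == "__main__":
    ks = round_keys_from(b"constructed key", 16)
    m = bytes(range(8))
    c = feistel_encrypt(m, ks)
    print("round trip ok:", feistel_decrypt(c, ks) == m)
    # after one round the right half of the input is still in the clear as L1
    print("one round leaks R0:", feistel_encrypt(m, ks[:1])[:HALF] == m[HALF:])
```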
| We have so far discussed only block ciphers. These are ciphers that operate on fixed lengths of data. What if you wish to encrypt more than the block size?
| A table could be compiled with 2^b elements defining the mapping. This would usually not be practical. The name ECB came from here!
| If messages have lots of redundancy, or common runs of bits, these blocks will always encrypt to the same ciphertext, and will be potentially recognized by an attacker irrespective of the strength of the cipher.
| Suppose the responses yes or no are often sent; if they are ever distinguished, then in the future the attacker will always be able to distinguish them.
| In this mode (CBC), identical messages encrypt to different outputs. This makes replay impossible. Attacks on this mode are now almost automated!!
CBC SUMMARY (CONT)
| Efficiency:
+ Speed is the same as the block cipher.
- Ciphertext is up to one block longer than the plaintext, not counting the IV.
- No preprocessing is possible.
+/- Encryption is not parallelizable; decryption is parallelizable and has a random-access property.
| Fault-tolerance:
- A ciphertext error affects one full block of plaintext and the corresponding bit in the next block.
- Synchronization error is unrecoverable.
CIPHER FEEDBACK (CFB MODE)
| Suppose you must encrypt blocks smaller than
the block size of the cipher. Cipher Feedback is
a mode that allows one to turn a block cipher
into a stream cipher:
CFB SUMMARY
| Security:
+ Plaintext patterns are concealed.
+ Input to the block cipher is randomized.
+ More than one message can be encrypted with the same key, provided that a different IV is used.
+/- Plaintext is somewhat difficult to manipulate; blocks can be removed from the beginning and end of the message, bits of the first block can be changed, and repetition allows some controlled changes.
CFB SUMMARY (CONT).
| Efficiency:
- Speed is strictly less than the block cipher.
+ Ciphertext is the same size as the plaintext, not counting the IV.
+/- Encryption is not parallelizable; decryption is parallelizable and has a random-access property.
- Some preprocessing is possible before a block is seen; the previous ciphertext block can be encrypted.
| Fault-tolerance:
- A ciphertext error affects the corresponding bit of plaintext and the next full block.
+ Synchronization errors of full block sizes are recoverable. l-bit CFB can recover from the addition or loss of single bits.
OUTPUT FEEDBACK (OFB MODE)
| OFB is another way to encrypt smaller blocks of data at a time. This is very similar to CFB.
OFB SUMMARY
| Security:
+ Plaintext patterns are concealed.
+ Input to the block cipher is randomized.
+ More than one message can be encrypted with the same key, provided that a different IV is used.
- Plaintext is very easy to manipulate; any change in ciphertext directly affects the plaintext.
OFB SUMMARY (CONT.)
| Efficiency:
+ Speed is the same as the block cipher.
- Ciphertext is the same size as the plaintext, not counting the IV.
+ Processing is possible before the message is seen.
+ OFB processing is not parallelizable.
| Fault-tolerance:
+ A ciphertext error affects only the corresponding bit of plaintext.
- Synchronization error is unrecoverable.
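The ECB, CBC, CFB and OFB properties summarized above (repeated blocks visible in ECB, parallel CBC decryption, and the three different fault-propagation patterns) can be checked directly. This is an added example, not code from the slides: it assumes a constructed toy block cipher, a key-seeded random permutation of 16-bit blocks (toy_tables, E, D), in place of DES or AES, and full-block CFB feedback. The toy cipher is only a keyed bijection with full diffusion, which is all that the behaviour of the modes depends on; the mode functions themselves are the standard constructions.

```python
import functools
import random

BLOCK = 2  # constructed toy block size in bytes (16-bit blocks; real ciphers use 8 or 16)


@functools.lru_cache(maxsize=None)
def toy_tables(key):
    """Toy block cipher: a key-seeded random permutation of all 2^16 block values
    (assumption of this example, NOT a real cipher). It is a keyed bijection with full
    diffusion, which is what the mode behaviour below depends on."""
    perm = list(range(1 << (8 * BLOCK)))
    random.Random(key).shuffle(perm)
    inv = [0] * len(perm)
    for i, p in enumerate(perm):
        inv[p] = i
    return perm, inv


def E(key, block):  # E_k
    return toy_tables(key)[0][int.from_bytes(block, "big")].to_bytes(BLOCK, "big")


def D(key, block):  # D_k
    return toy_tables(key)[1][int.from_bytes(block, "big")].to_bytes(BLOCK, "big")


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def blocks(data):
    assert len(data) % BLOCK == 0, "example assumes the input is already padded"
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


# ECB: blocks are encrypted independently, so equal plaintext blocks give equal ciphertext.
def ecb_encrypt(key, pt):
    return b"".join(E(key, m) for m in blocks(pt))


def ecb_decrypt(key, ct):
    return b"".join(D(key, c) for c in blocks(ct))


# CBC: c_i = E_k(m_i XOR c_{i-1}) with c_{-1} = IV. Encryption is inherently serial.
def cbc_encrypt(key, iv, pt):
    prev, out = iv, []
    for m in blocks(pt):
        prev = E(key, xor(m, prev))
        out.append(prev)
    return b"".join(out)


# CBC decryption: m_i = D_k(c_i) XOR c_{i-1}. Each block needs only two ciphertext
# blocks, so it is parallelizable and has random access.
def cbc_decrypt(key, iv, ct):
    cs = blocks(ct)
    return b"".join(xor(D(key, c), p) for c, p in zip(cs, [iv] + cs[:-1]))


# CFB (full-block feedback): c_i = m_i XOR E_k(c_{i-1}); only E_k is ever used.
def cfb_encrypt(key, iv, pt):
    prev, out = iv, []
    for m in blocks(pt):
        prev = xor(m, E(key, prev))
        out.append(prev)
    return b"".join(out)


def cfb_decrypt(key, iv, ct):
    cs = blocks(ct)
    return b"".join(xor(c, E(key, p)) for c, p in zip(cs, [iv] + cs[:-1]))


# OFB: s_i = E_k(s_{i-1}), s_0 = IV, c_i = m_i XOR s_i. The key stream never depends on
# the data (it can be precomputed) and decryption is the same function.
def ofb_crypt(key, iv, data):
    s, out = iv, []
    for d in blocks(data):
        s = E(key, s)
        out.append(xor(d, s))
    return b"".join(out)


def flip_bit(data, pos):
    b = bytearray(data)
    b[pos // 8] ^= 1 << (pos % 8)
    return bytes(b)


def damaged_bits(mode, key, iv, pt, pos):
    """Flip ciphertext bit `pos`, decrypt, and return the plaintext bit positions that
    changed. Bit i lives in byte i // 8 and in block i // (8 * BLOCK)."""
    enc, dec = {"cbc": (cbc_encrypt, cbc_decrypt),
                "cfb": (cfb_encrypt, cfb_decrypt),
                "ofb": (ofb_crypt, ofb_crypt)}[mode]
    recovered = dec(key, iv, flip_bit(enc(key, iv, pt), pos))
    return [i for i in range(len(pt) * 8)
            if (recovered[i // 8] ^ pt[i // 8]) >> (i % 8) & 1]
```

Running damaged_bits for one flipped ciphertext bit in block 1 reproduces the three fault-tolerance lines: CBC garbles all of block 1 and exactly the corresponding bit of block 2, CFB flips exactly the corresponding bit of block 1 and garbles all of block 2, and OFB flips only the corresponding bit.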
BLOCK CIPHER OR STREAM CIPHER?
THAT IS THE QUESTION!
STREAM CIPHER STRUCTURE
[Figure: the key and IV feed a PRG that produces the key stream; the key stream is combined with the message to give the cipher text, which is sent together with the IV. The construction emulates a one-time pad.]
PRG WITH KEY ONLY (old version)
[Figure: the key alone goes through key setup (setup phase) to initialize an inner state; the key-stream generation phase then runs from that inner state.]
PRG WITH KEY/IV (new version)
[Figure: the key and IV go through a hash-based key derivation function and key/IV setup (setup phase) to initialize an inner state; the key-stream generation phase then runs from that inner state through a pseudo-random function.]
STREAM CIPHERS: NARROW DEFINITION
| Let b be the block length of the stream cipher. Let ⊕ denote bitwise XOR; then the stream cipher works as follows:
1. A pseudo-random generator (PRG) expands a short key and initialization vector (IV) into a long pseudo-random key stream, consisting of b-bit words s0, s1, ...
2. The plaintext is divided into b-bit blocks m0, m1, ..., m(l-1).
3. It is encrypted by computing b-bit ciphertext blocks ci = mi ⊕ si for i = 0, 1, 2, ..., l-1.
4. Decryption is performed by reconstructing the message: mi = ci ⊕ si for i = 0, 1, 2, ..., l-1.
The problem with this definition is that it does not cover all types of stream ciphers, such as self-synchronizing stream ciphers or stream ciphers with authentication. Also b can be 1, 8, 32, or even 64 bits!
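The four steps of the narrow definition, as an added example that is not from the slides. The PRG here is a constructed hash-based stand-in (word i of the key stream is cut from SHA-256(key || IV || counter)), not any real stream-cipher core; the names prg, to_words, from_words, encrypt, decrypt and iv_reuse_residue are this example's own. The word width b is a parameter, so the same code runs with b = 1, 8, 32 or 64. The last function shows why the "provided that a different IV is used" condition in the CFB and OFB summaries matters for any key-stream cipher: with the same key and IV the key stream repeats, and XORing the two ciphertexts cancels it, leaving m1 ⊕ m2.

```python
import hashlib


def prg(key, iv, n_words, b=8):
    """Constructed PRG (assumption: a hash in counter mode stands in for a real
    stream-cipher core). Expands key and IV into n_words key-stream words of b bits."""
    assert b in (1, 8, 32, 64)
    buf, counter = b"", 0
    while len(buf) * 8 < n_words * b:
        buf += hashlib.sha256(key + iv + counter.to_bytes(8, "big")).digest()
        counter += 1
    return to_words(buf, b)[:n_words]


def to_words(data, b):
    """Split a byte string into b-bit words m_0 .. m_{l-1} (most significant first).
    The example assumes the message length is a multiple of b bits."""
    total = len(data) * 8
    assert total % b == 0
    n = int.from_bytes(data, "big")
    return [(n >> (total - (i + 1) * b)) & ((1 << b) - 1) for i in range(total // b)]


def from_words(words, b):
    n = 0
    for w in words:
        n = (n << b) | w
    return n.to_bytes(len(words) * b // 8, "big")


def encrypt(key, iv, pt, b=8):
    """Steps 1-3: c_i = m_i XOR s_i."""
    m = to_words(pt, b)
    s = prg(key, iv, len(m), b)
    return from_words([mi ^ si for mi, si in zip(m, s)], b)


def decrypt(key, iv, ct, b=8):
    """Step 4: m_i = c_i XOR s_i, i.e. the same operation with the same key stream."""
    return encrypt(key, iv, ct, b)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def iv_reuse_residue(key, iv, pt1, pt2, b=8):
    """Return True if c1 XOR c2 == m1 XOR m2, which is exactly what happens when two
    messages share a key and IV: the key stream cancels and the pads are no longer
    one-time. A defender's check: a True here means the IV was reused."""
    c1, c2 = encrypt(key, iv, pt1, b), encrypt(key, iv, pt2, b)
    return xor(c1, c2) == xor(pt1, pt2)
```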
UNIVERSAL SECURE ENCRYPTION (USE)
| Definition:
A universal secure encryption scheme is a cipher with the additional properties that: (a) it can process messages of arbitrary bit length and (b) it is secure.
- Integer addition.
- Bitwise exclusive or (XOR).
- Concatenation.
RSA : THE RSA CRYPTO SYSTEM IS NAMED AFTER ITS
INVENTORS RIVEST, SHAMIR, AND ADLEMAN. AFTER
STUDYING THIS ALGORITHM, WE HAVE EXTRACTED THE
FOLLOWING LOW-LEVEL OPERATIONS:
- INTEGER MULTIPLICATION.
- INTEGER DIVISION.
- INVERSE.
- MOD.
- COMPARE.
- CONCATENATE
IDEA: ANALYZING THE INTERNATIONAL DATA
ENCRYPTION ALGORITHM, WE WERE ABLE TO EXTRACT
THE FOLLOWING LOW-LEVEL OPERATIONS:
- INTEGER ADDITION.
- INTEGER MULTIPLICATION.
- BITWISE EXCLUSIVE OR.
- SHIFT LEFT.
- SHIFT RIGHT.
SAFER: STUDYING THE SECURE AND FAST
ENCRYPTION ROUTINE ALGORITHM, WE HAVE
FOUND THAT THIS ALGORITHM IS BASED ON THE
FOLLOWING LOW-LEVEL OPERATIONS:
- BITWISE XOR.
- ADDITION.
- CIRCULATE LEFT.
- CIRCULATE RIGHT.
RC5: RC5 IS A SYMMETRIC ENCRYPTION ALGORITHM
DEVELOPED BY RON RIVEST. RC5 WAS DESIGNED TO BE
SUITABLE FOR HARDWARE AND SOFTWARE
IMPLEMENTATIONS. WE HAVE FOUND THAT THIS
ALGORITHM IS BASED ON FOUR LOW-LEVEL
OPERATIONS:
- BITWISE XOR.
- ADDITION.
- SHIFT LEFT.
- SHIFT RIGHT.
YAEA : YET-ANOTHER-ENCRYPTION-ALGORITHM
WAS DEVELOPED BY SAEB AND BAITH. THIS ALGORITHM
CONTAINS ONLY TWO LOW-LEVEL OPERATIONS
- CIRCULATE LEFT.
- BITWISE XOR.
AES CANDIDATES
RC6 : RC6 IS ONE OF THE FIVE FINALISTS FOR THE
ADVANCED ENCRYPTION STANDARD (AES). RC6 ALGORITHM
WAS DEVELOPED BY THE RSA SECURITY LABORATORIES. IT IS A
BLOCK CIPHER ALGORITHM DESIGNED TO HANDLE 128
INPUT/OUTPUT BLOCKS. WE HAVE DEDUCED THE FOLLOWING
LOW-LEVEL OPERATIONS:
- BASE-TWO LOGARITHM
- BITWISE EXCLUSIVE OR.
- INTEGER ADDITION.
- INTEGER SUBTRACTION.
- INTEGER MULTIPLICATION.
- CIRCULATE LEFT.
- CIRCULATE RIGHT.
MARS : AFTER ANALYZING MARS ALGORITHM, WE
HAVE DEDUCED SEVEN OPERATIONS.
- BITWISE XOR.
- ADDITION.
- SHIFT LEFT.
- SHIFT RIGHT.
- MULTIPLICATION.
- CIRCULATE LEFT.
- CIRCULATE RIGHT.
RIJNDAEL : AFTER ANALYZING THE RIJNDAEL
ALGORITHM, WE FOUND ONLY TWO OPERATIONS.
- MATRIX MULTIPLICATION.
- BITWISE XOR.
SERPENT: WE HAVE DEDUCED THE FOLLOWING
THREE OPERATIONS THAT ARE EASY TO IMPLEMENT IN
FPGA.
- BITWISE XOR.
- CIRCULATE LEFT.
- CIRCULATE RIGHT.
TWOFISH: AFTER ANALYZING THE TWOFISH
ALGORITHM, WE HAVE DEDUCED THE FOLLOWING FIVE
OPERATIONS
- BITWISE XOR.
- ADDITION.
- SHIFT RIGHT
- SHIFT LEFT.
- MULTIPLICATION.
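The word-level operations inventoried above (circulate left/right, shift left/right, addition, subtraction, multiplication, base-two logarithm) are only meaningful on fixed-width words, and the one that is most often implemented wrongly in software is the rotate. The following is an added example, not code from the slides or from any of the ciphers named: each operation is written for a w-bit word in Python, whose integers are unbounded, so the masking and the reduction of the rotation amount modulo w are what make these the hardware operations the slides refer to. The data_dependent_rotl helper is illustrative only and is not any cipher's exact round.

```python
def _mask(w):
    return (1 << w) - 1


def rotl(x, r, w=32):
    """Circulate (rotate) left by r bits inside a w-bit word. The mask and the r mod w
    reduction are what make this a word rotation rather than an ever-growing shift."""
    r %= w
    x &= _mask(w)
    return ((x << r) | (x >> (w - r))) & _mask(w)


def rotr(x, r, w=32):
    """Circulate right: a left rotation by the complementary amount."""
    return rotl(x, w - (r % w), w)


def shl(x, r, w=32):
    """Logical shift left: bits pushed past the word width are lost (unlike rotl)."""
    return (x << r) & _mask(w)


def shr(x, r, w=32):
    """Logical shift right: low bits fall off the end."""
    return (x & _mask(w)) >> r


def add(a, b, w=32):
    """Integer addition modulo 2^w."""
    return (a + b) & _mask(w)


def sub(a, b, w=32):
    """Integer subtraction modulo 2^w."""
    return (a - b) & _mask(w)


def mul(a, b, w=32):
    """Integer multiplication modulo 2^w (only the low w bits survive)."""
    return (a * b) & _mask(w)


def lg(w):
    """Base-two logarithm of a power-of-two word size (lg 32 = 5, lg 64 = 6)."""
    if w <= 0 or w & (w - 1):
        raise ValueError("word size must be a power of two")
    return w.bit_length() - 1


def data_dependent_rotl(x, y, w=32):
    """Rotate x by an amount taken from the low lg(w) bits of y. This is how lg w
    enters RC5/RC6-style designs; the helper is illustrative, not a cipher round."""
    return rotl(x, y & (w - 1), w)
```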
Ciphers' number of low-level operations versus time
Cipher     | DES  | IDEA | RC5  | SAFER | RC6  | TwoFish | YAEA | MARS | Rijndael | SERPENT
Operations | 3    | 5    | 4    | 4     | 5    | 4       | 2    | 5    | 3        | 3
Year       | 1976 | 1990 | 1995 | 1994  | 1998 | 1998    | 1998 | 1999 | 1999     | 2000
[Figure: the AES finalists Rijndael, SERPENT, MARS, RC6 and TwoFish placed on a Simplicity-Complexity axis and on a Small-Large Security Margin axis, with the low-level operations XOR, INV and ROT as the legend.]
RELATIVE SCORES: FINALISTS
                      MARS  RC6  Rijndael  Serpent  TwoFish
General Security        3    2      2         3        3
Implementation          1    1      3         3        2
Software Performance    2    2      3         1        1
Hardware Performance    1    2      3         3        2
Design Features         2    1      2         1        3
ROUNDS AND KEY SPACE FOR A SELECTED NUMBER OF CIPHERS
[Figure: the key drives a bijection function that maps plaintext (ordered information, entropy is low) to ciphertext (disordered data, entropy is high).]
The better the key (more random for the same number of bits), the more separation, measured in Hamming distance, between the plaintext and the ciphertext. As the key approaches an empty set, the separation tends to zero, a collapsed state. The maximum separation, or in other words a Hamming distance equal to 1.0, is achieved by the most robust key! The key represents not only the excitation agent required to change the state from plaintext to ciphertext, but also the required external input to perform this process.
KEYLESS?
| NO!
| The key is the Entropy Source!
| You have to have a secret to secretly communicate.
VISUAL CRYPTOGRAPHY
| Example
| Secret Sharing
y All n parties can get together to recover a secret S
y Less than n parties cannot recover the secret
| Model
y Introduced by Shamir and Naor at Eurocrypt 94.
y Used to encrypt printed material
y Decoding is performed by the human visual system directly
y The image is encoded into n shadow images and each participant receives one share
BASIC METHOD
[Figure: the subpixel patterns used to build horizontal shares, vertical shares and diagonal shares.]
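The n = 2 case of the model above, as an added example that is not from the slides: each secret pixel is expanded into two horizontal subpixels, share 1 is chosen uniformly at random, and share 2 repeats share 1 for a white pixel or takes its complement for a black pixel. Stacking the transparencies is a bitwise OR (black covers white), and the eye reads two black subpixels as black and one as white. The helper names (PATTERNS, make_shares, stack, decode) and the 0/1 image encoding are this example's own. The test checks the two properties the model promises: both shares together recover the image, and a single share carries no information about it (every pixel of a share is one black and one white subpixel, chosen independently of the secret).

```python
import random

# Subpixel patterns for one secret pixel, as (left, right) with 1 = black.
# These are the two horizontal-share patterns; a share alone shows one of them at random.
PATTERNS = [(1, 0), (0, 1)]


def make_shares(image, seed=0):
    """image: rows of 0 (white) / 1 (black). Returns two shadow images, each a list of
    rows of subpixel pairs. Share 1 is uniformly random; share 2 equals share 1 for a
    white pixel and is its complement for a black pixel. The seed stands in for a true
    random source (assumption of this example; a real scheme needs real randomness)."""
    rng = random.Random(seed)
    share1, share2 = [], []
    for row in image:
        r1, r2 = [], []
        for px in row:
            p = rng.choice(PATTERNS)
            r1.append(p)
            r2.append(p if px == 0 else (1 - p[0], 1 - p[1]))
        share1.append(r1)
        share2.append(r2)
    return share1, share2


def stack(share_a, share_b):
    """Physically stacking transparencies ORs the subpixels: black covers white."""
    return [[(a[0] | b[0], a[1] | b[1]) for a, b in zip(ra, rb)]
            for ra, rb in zip(share_a, share_b)]


def decode(stacked):
    """What the eye sees: two black subpixels read as black (1), one black subpixel
    reads as white/grey (0)."""
    return [[1 if sp == (1, 1) else 0 for sp in row] for row in stacked]


def share_is_uninformative(share):
    """True if every pixel of the share is exactly one black and one white subpixel,
    i.e. the share by itself looks like uniform grey noise."""
    return all(sum(sp) == 1 for row in share for sp in row)


if __name__ == "__main__":
    secret = [[1, 0, 1, 1],
              [0, 1, 0, 0],
              [1, 1, 1, 0]]
    s1, s2 = make_shares(secret, seed=7)
    print("recovered:", decode(stack(s1, s2)) == secret)
```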
RIJMEN AND PRENEEL'S METHOD