
Prof. T. S. Lamba, Dept. of Electronics & Electrical Communication Engineering, I.I.T. Kharagpur

What is Cryptography ?
The science of converting normal text, which is intelligible to many people, into a special text which can be understood only by a select few. The normal text is called plain text or message text. The modified special text is called cipher text.

Why is it required ?
Information has value and needs to be communicated among users. However, in this imperfect world there are people who, not entitled to the information, try to grab it in any way they can.

GSSST, IITKGP

T.S.LAMBA

WIRELESS NETWORKS

The Study of Cryptology has now become important !


Earlier the common man did not use cryptography, since his data was transmitted by physical methods and so attacks on the data were rare. There were, however, exceptions : information was crucial to the military system ( remember, forewarned is forearmed ). It will therefore be no surprise to you to learn that the earliest encryption technology was developed by a military commander, Julius Caesar, c 4 BC. Other early users were lovers, who contributed several methods of encryption to society. However, the first major mathematical understanding of cryptology is due to C.E. Shannon. With electronic communication, attacks on communication have become easier, commonplace and dangerous for the normal public.

The communication process consists of : Transmitter -> Channel -> Receiver

Passive Tapping :

The attacker collects data by accessing the transmission medium, a process called wire tapping, since in the early days the data was collected from the telephone / telegraph wire by a tap. The wire tapping could be passive, in which the enemy only listens to the conversation.



Active Tapping :
It could be active, in which the attacker breaks the line and introduces his own communication.


If we consider the storage and retrieval of information as a temporal communication, the variety of attacks increases. We get : browsing, replaying, modifying, insertion, deletion, traffic analysis, inference and blocking ( including cipher text searching ). We can guard against these attacks in two ways : by access control, and by encryption.


We guard against wire tapping by means of encryption :
Plain text -> [ Encryption, with the encryption key ] -> Cipher text -> [ Decryption, with the decryption key ] -> Plain text


The encryption process has two entities : the encryption algorithm and the key, $E_k(M) = C$. The decryption process likewise : $D_k(C) = M$. Obviously, the keys at the two ends are related.
The cryptographic system has five subsets :
1. The plain text space M
2. The cipher text space C
3. The key space K
4. The set of encryption transforms : $E_K : M \to C,\ K \in \mathcal{K}$
5. The set of decryption transforms : $D_K : C \to M,\ K \in \mathcal{K}$

The encryption and decryption transforms fit a selectable key into an encryption / decryption algorithm which is used in a controlled manner ( or protocol ). The security of the system depends solely on the key. It is an axiom with cryptologists that the algorithm used is known to the enemy. In fact there is an advantage if the design of an encryption algorithm is made public. The fact that we have encrypted the plaintext requires that we transmit the key to the receiver. But if we do that, the key may be available to the enemy through wire tapping.


So we need to transmit the key through a different secure channel.

But if we have such a channel, why encryption ?


COST !!

Having encrypted our information, can we relax and be confident of its security ?


NO. Because the enemy knows the art of cryptanalysis with which he endeavours to decrypt the cipher text without the knowledge of the key.

How is it possible ?
To understand let us see what the encryption does. It replaces groups of information by other symbols which creates a confusion in the mind of the enemy. It also rearranges the groups, thus diffusing the information across the whole message.


If the message was a random string of characters there would be no problem. But it is a text controlled by the rules of language and as such has a structure, relationships and known probability distributions. The encryption process is unable to completely destroy these properties and the cryptanalyst searches out the residual structure to decrypt the message.

What attacks can a cryptanalyst use ?


A cipher text only attack
A known plaintext attack
A chosen plaintext attack

What do we seek to achieve with cryptography ?


Confidentiality : the enemy can not understand the message
Authenticity : we are sure the message has not been sent by the enemy
Integrity : the enemy has not been able to modify the message
Non repudiation : the sender can not deny having sent the message.

The earliest ( classical ) systems were such that the decryption key was easily obtained from the encryption key and vice versa. So both have to be kept secret for security. Hence the names : single key, symmetric key, secret key. The first three requirements for security were simultaneously met by these systems, but the last was not ( practically ) possible in them. The modern ( public key ) systems are such that knowledge of either key does not ( automatically ) give knowledge of the other. We can therefore publish any one of these keys without compromising the other. Hence the names : asymmetric key, two key, public key.

If we publish the encryption key, anybody can send us a message confidentially. Only we can read the message, since the decryption key is secret. If we publish the decryption key, anybody can receive a message with the confidence that it has come from us. Nobody else could have sent the message, since the encryption key is secret. Non repudiation is got by digital signatures, which have public decryption keys.


How good is this algorithm ?
Perfectly secure : no information is available about the message text, no matter how much cipher text is available.
Unconditionally secure : no matter how much cipher text is available, there is not enough information to decipher the message text.
Computationally secure : it is theoretically possible to decipher the cipher text, but the effort ( time or memory ) involved is too large for the deciphered text to be useful.
What are the factors to consider in designing a crypto system ?
Encryption / decryption should not take too much computational power / time.
Keys should be easy to find.
Security of the system should depend only on the key. Systems where security depends on the secrecy of the algorithm are called restricted systems.

The earliest cryptosystems were the secret key systems. These systems can be divided into two categories : transposition ciphers and substitution ciphers. Advanced cryptosystems can be considered as combinations of several transposition ciphers and several substitution ciphers. In transposition ciphers, the message text is rearranged to give the cipher text. An example is the columnar transposition, wherein the message is written as rows of n characters and then read out column by column in some predetermined order ( say 3 5 1 6 4 2 ). In this system the cipher text cannot be transmitted until the total encryption has been done, and so often a fixed period cipher is used. In these ciphers the message text is broken into blocks of n characters, and each block is permuted to give a block of cipher text.


These ciphers are broken by anagramming with the help of frequency distribution tables for digrams and trigrams. The unicity distance for a fixed period cipher is
$U = \frac{H(K)}{D} = \frac{\log_2 n!}{D} \approx 0.3\, n \log_2 (n / e)$
taking D = 3.2 for English.
Substitution ciphers are further subdivided into 4 classes :
1 Simple substitution cipher
2 Poly alphabetic substitution cipher
3 Homophonic substitution cipher
4 Polygram substitution cipher


In the simple substitution cipher, the plaintext alphabet is mapped on to a cipher text alphabet. Each character of the plaintext message is thus replaced by a cipher text character. Examples : the shifted alphabet cipher, $C = f(M) = ( M + K ) \bmod 26$ ( for English ). The earliest cryptosystem ( the Caesar cipher ) is this, with K = 3. To decode, $M = ( C - K ) \bmod 26$. The transform can be more complex, $f(M) = M K \bmod 26$, or $( M K_1 + K_2 ) \bmod 26$ with $K_1$ odd and $K_1 \ne 13$ so that the transform has an inverse mod 26 ( the affine transform ), or a completely random mapping.


Since the simple substitution ciphers retain the original single letter frequency distribution ( though rearranged ), they are easy to break. In order to change the frequency distribution ( to make it more uniform ) we resort to polyalphabetic substitution ciphers. In these, the mapping from plaintext alphabet to cipher text alphabet is changed from character to character in the message.


The first such cipher was developed by L. Battista Alberti who devised a cipher disc consisting of two concentric circular discs which could be rotated relative to each other.
[ Figure : Alberti cipher disc, with the plaintext alphabet on the outer ring and the cipher text alphabet on the inner ring ]

Each disc was divided into n (24) sectors with the plaintext alphabet in the outer ring and the cipher text alphabet in the inner ring.

This defines a mapping which can be changed by rotating the discs, which is done after the encoding of every character. This gives a periodic substitution cipher of period n. ( Most common poly-alphabetic substitution ciphers are periodic. )


Other early poly-alphabetic ciphers were the Vigenère cipher, based on a sequence of letters as a key : $C_i = f_i(M_i) = ( M_i + K_i ) \bmod 26$; the Beaufort cipher, $C_i = ( K_i - M_i ) \bmod 26$, which is a self inverting cipher; and the Variant Beaufort cipher, $f_i(M_i) = ( M_i - K_i ) \bmod 26$, which is the decoder for the Vigenère cipher. If the period of these ciphers is n then the unicity distance is
$U = \frac{H(K)}{D} = \frac{n \log_2 26}{3.2} = 1.5\, n$
For the general periodic substitution cipher the unicity distance becomes U = 27.6 n.
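The simple substitution ciphers of the previous slide ( shifted alphabet and affine ) and the Vigenère / Beaufort family above, written out as small functions so the key relationships can be checked. This is an added example and not code from the slides; the alphabet handling, the function names and the sample keys are my own choices.

```python
# Added example (not from the slides): shifted / affine simple substitution and
# the Vigenere, Beaufort and Variant Beaufort periodic ciphers over A..Z.
from math import gcd

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def _nums(text):
    """Letters -> 0..25, silently dropping anything that is not an ASCII letter."""
    return [ALPHABET.index(c) for c in text.upper() if c in ALPHABET]


def _text(nums):
    return "".join(ALPHABET[n % 26] for n in nums)


def affine_key_ok(k1):
    """f(M) = M*K1 + K2 mod 26 is invertible only if gcd(K1, 26) = 1 (K1 odd, K1 != 13)."""
    return gcd(k1, 26) == 1


def affine_encrypt(msg, k1, k2):
    """C = (M*K1 + K2) mod 26.  K1 = 1 is the shifted alphabet; K1 = 1, K2 = 3 is Caesar."""
    if not affine_key_ok(k1):
        raise ValueError("k1 must be coprime to 26, otherwise the cipher cannot be decoded")
    return _text(m * k1 + k2 for m in _nums(msg))


def affine_decrypt(ct, k1, k2):
    """M = (C - K2) * K1^-1 mod 26, using the modular inverse of K1."""
    inv = pow(k1, -1, 26)
    return _text((c - k2) * inv for c in _nums(ct))


def vigenere(msg, key):
    """C_i = (M_i + K_i) mod 26 with the key repeated, so the period is len(key)."""
    k = _nums(key)
    return _text(m + k[i % len(k)] for i, m in enumerate(_nums(msg)))


def variant_beaufort(ct, key):
    """C_i = (M_i - K_i) mod 26: exactly the decoder of the Vigenere cipher."""
    k = _nums(key)
    return _text(c - k[i % len(k)] for i, c in enumerate(_nums(ct)))


def beaufort(msg, key):
    """C_i = (K_i - M_i) mod 26; self-inverting, so the same call also decrypts."""
    k = _nums(key)
    return _text(k[i % len(k)] - m for i, m in enumerate(_nums(msg)))


if __name__ == "__main__":
    print(affine_encrypt("ATTACK AT DAWN", 1, 3))            # Caesar, K = 3
    print(vigenere("ATTACK AT DAWN", "LEMON"))               # period-5 Vigenere
    print(variant_beaufort(vigenere("ATTACK AT DAWN", "LEMON"), "LEMON"))
    print(beaufort(beaufort("ATTACK AT DAWN", "LEMON"), "LEMON"))
```

The `affine_key_ok` check is the point the slide makes in passing: an even multiplier or 13 collapses two plaintext letters onto one cipher letter, so the receiver cannot decode even with the key.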

It becomes obvious that increasing n will increase the unicity distance and perhaps the security. So we try to make the period infinite. Such schemes include (A) the autokey systems : the plaintext is encrypted by a key sequence which is either a key word followed by the cipher text sequence, or a key word followed by the plain text itself; (B) the running key, where the key sequence is a sample of another plain text; (C) the Vernam cipher or one time pad. This was designed to code the binary representation of alphanumeric characters of teletypewriters by modulo 2 addition with a bit key sequence. Thus $C_i = ( m_i + k_i ) \bmod 2$, and the same key sequence would decode the cipher text.


Using a different sequence for each plaintext message we get the so called one time pad, which has perfect secrecy. The only problem is the generation, transmission and storage of these key sequences. Furthermore, if the key sequence is periodic ( with period j ), this cipher reduces to a running key cipher, which is easily broken :
$C_i = m_i + k_i$, $C_{i+j} = m_{i+j} + k_i$, so $C_i + C_{i+j} = m_i + m_{i+j}$


During World War II, the poly-alphabetic substitution ciphers were mechanized by rotor and Hagelin machines. The rotor machine has a bank of rotors, which are discs with electrical contacts on either side and a randomized connection between them. Each rotor implements a mapping f(m). Further, if the rotor is rotated to a new position k its mapping becomes $g(m) = ( f( ( m + k ) \bmod 26 ) - k ) \bmod 26$. The overall mapping of the machine thus becomes the composition $g_1(m), g_2(m), \ldots, g_K(m)$. The machine works like an odometer, with one rotor moving one step with each character and each successive rotor moving one step when the previous rotor completes 26 steps. Thus the key has a period of $26^K$. It might seem that with these poly-alphabetic ciphers we have reached the ultimate in security, but this is really not so.
[ Figure : rotor machine, showing the randomized connections through each rotor, from typewriter or channel on one side to channel or typewriter on the other ]

The problem with the Vernam cipher is that most random sequences generated for keys are only pseudo-random, and care has to be taken to ensure that they are cryptographically safe. Though the rotor machines have a long period, there are internal structures in the system which can be exploited for cryptanalysis. To break running key ciphers, assume that each character of the cipher text was generated by a message text - key pair, both of which are common in the language ( E I O N R . . . in English ). It may be surprising to see how many of the cipher characters actually come from such pairs, and guessing these helps in the decoding. For poly-alphabetic ciphers with short periods it is best to first find the period, K, and then divide the message into K groups, each corresponding to one mapping, and break the key for each group, treated as a simple substitution cipher.

If the cipher text contains two or more occurrences of any reasonably long cipher text pattern ( say 4 or more characters long ), then each repetition is likely to be at a distance equal to a multiple of the key period. This idea was first used by Kasiski to determine the period. If we plot the relative frequencies of a large block of cipher text obtained by a simple substitution cipher, we will get a jagged graph whose values are the relative frequencies of the plaintext, but rearranged. If the cipher text has been got by two keys, the graph will be the average of the two graphs and so be more nearly uniform. As the number of keys increases the graph becomes more and more uniform. We can define the measure of roughness, which is dependent on the variance of the cipher text :
$MR = \sum_{i=0}^{25} \left( p_i - \frac{1}{n} \right)^2 = \sum_{i=0}^{25} p_i^2 - 0.038$   [ n = 26 for English ]
Estimates of MR are known for different numbers of keys, and range from 0.028 for a single key to 0 for an infinity of keys. We can not measure the MR directly. But we can measure $\sum p_i^2$, which we will call the index of coincidence.

The period of a poly-alphabetic cipher can be determined from the Index of Coincidence, which was introduced by Friedman. For a block of N characters,
$\sum_i p_i^2 \approx \sum_i \frac{n_i ( n_i - 1 )}{N ( N - 1 )}$
where $n_i$ is the number of times the ith character appears, and so
$IC = \frac{\sum_i n_i ( n_i - 1 )}{N ( N - 1 )}$
For K keys, the IC, estimated from the MR, is
$IC \approx 0.066 \cdot \frac{1}{K} \cdot \frac{N - K}{N - 1} + 0.038 \cdot \frac{K - 1}{K} \cdot \frac{N}{N - 1}$
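The index of coincidence computed as above, the inversion of the slide's K-estimate formula, and the coset test ( split the cipher text into k groups as the earlier slide suggests and look for the period at which each group looks like shifted English ). This is an added example, not code from the slides; the English sample paragraph, the key "KEY" and the 10% tie-breaking tolerance in `estimate_period` are my own constructions.

```python
# Added example (not from the slides): index of coincidence, the Friedman
# estimate of the number of keys, and a coset scan for the period of a
# Vigenere cipher.  The plaintext sample and the key are constructed here.
from collections import Counter

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def letters_only(text):
    return "".join(ch for ch in text.upper() if ch in ALPHABET)


def vigenere(plain, key):
    """C_i = (M_i + K_i) mod 26 with the key repeated; period = len(key)."""
    p, k = letters_only(plain), letters_only(key)
    return "".join(ALPHABET[(ALPHABET.index(c) + ALPHABET.index(k[i % len(k)])) % 26]
                   for i, c in enumerate(p))


def ic(text):
    """IC = sum n_i (n_i - 1) / (N (N - 1)): about 0.066 for English, 0.038 for random letters."""
    n = len(text)
    if n < 2:
        return 0.0
    return sum(c * (c - 1) for c in Counter(text).values()) / (n * (n - 1))


def mean_coset_ic(ct, k):
    """Average IC of the k cosets ct[0::k], ct[1::k], ...; at the true period each coset
    is a simple substitution of English and keeps the English value."""
    return sum(ic(ct[i::k]) for i in range(k)) / k


def friedman_keys(n, ic_value):
    """Solve the slide's IC ~ (1/K)(N-K)/(N-1)*0.066 + ((K-1)/K)*N/(N-1)*0.038 for K."""
    return 0.028 * n / ((n - 1) * ic_value - 0.038 * n + 0.066)


def estimate_period(ct, max_period=10):
    """Return (period, table).  The period is the smallest k whose mean coset IC is within
    10% of the best one, so that multiples of the true period do not win the tie."""
    table = {k: mean_coset_ic(ct, k) for k in range(1, max_period + 1)}
    best = max(table.values())
    period = min(k for k, v in table.items() if v >= 0.9 * best)
    return period, table


SAMPLE_PLAINTEXT = (  # constructed English text for the demonstration
    "The analyst collected every message that crossed the wire during the night and "
    "sorted them by length before counting how often each letter appeared in each "
    "position of the text. A long run of ordinary English keeps its letter statistics "
    "even after the alphabet has been shifted, and that residual structure is exactly "
    "what the index of coincidence exposes once the period of the key has been guessed. "
    "Splitting the cipher text into cosets at the wrong period mixes several alphabets "
    "together and the counts flatten out towards the random value, while the correct "
    "period leaves every coset looking like plain shifted English."
)

if __name__ == "__main__":
    ct = vigenere(SAMPLE_PLAINTEXT, "KEY")
    whole = ic(ct)
    print(f"whole-text IC       : {whole:.4f}")
    print(f"Friedman estimate K : {friedman_keys(len(ct), whole):.2f}")
    period, table = estimate_period(ct)
    for k, v in table.items():
        print(f"period {k:2d}: mean coset IC = {v:.4f}")
    print(f"estimated period    : {period}")
```

On the constructed sample the cosets at period 3 ( and its multiples ) keep an IC near the English value while the other periods fall towards the random value, which is the effect the text describes; on very short texts the estimate is noisy and the Kasiski distances give a second opinion.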


The poly-alphabetic ciphers conceal the frequency distribution by using different mappings for the different keys, and so the legitimate receiver needs to synchronize with the transmitter. In the homophonic substitution cipher this problem is not there, since the mapping remains the same for all the plaintext characters, but the mapping is one to many, as for example :
Plain text A : cipher text 14, 23, 56, 84
Plain text B : cipher text 31, 37
Plain text C : cipher text 17, 19, 80
Plain text D : cipher text 07, 32, 66, 97
Plain text E : cipher text 09, 11, 25, 70, 86
. . .


Another poly-gram substitution cipher is the Hill cipher, which maps n plaintext characters to n cipher text characters using a linear transform :
$[C] = [K] [M] \bmod 26$
Deciphering is got by
$[M] = [K]^{-1} [C] \bmod 26$
where $[K] [K]^{-1} = I$ [ the n × n identity matrix ] mod 26

The strength of n-gram ciphers is that they work on n-grams, whose relative frequencies are not as well known ( as the single letter frequencies ) and in any case have a greater variation.
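The Hill cipher above for n = 2, including the modular matrix inverse that the deciphering formula needs and the check that it exists ( the determinant must be coprime to 26 ). This is an added example rather than code from the slides; the padding letter X, the sample key and the function names are my assumptions.

```python
# Added example (not from the slides): 2x2 Hill cipher over Z_26 with the
# inverse-key computation and the invertibility check.
from math import gcd


def hill_key_ok(key):
    """[K]^-1 mod 26 exists only if gcd(det K, 26) = 1."""
    (a, b), (c, d) = key
    return gcd((a * d - b * c) % 26, 26) == 1


def hill_key_inverse(key):
    """[K]^-1 = det^-1 * adj(K) mod 26 for a 2x2 key."""
    (a, b), (c, d) = key
    det = (a * d - b * c) % 26
    if gcd(det, 26) != 1:
        raise ValueError("key matrix is not invertible mod 26")
    di = pow(det, -1, 26)
    return [[(d * di) % 26, (-b * di) % 26],
            [(-c * di) % 26, (a * di) % 26]]


def _apply(key, text):
    """[C] = [K][M] mod 26 block by block; the last block is padded with X."""
    nums = [ord(ch) - 65 for ch in text.upper() if ch.isascii() and ch.isalpha()]
    if len(nums) % 2:
        nums.append(23)                      # 'X'
    out = []
    for i in range(0, len(nums), 2):
        m0, m1 = nums[i], nums[i + 1]
        for row in key:
            out.append(chr(65 + (row[0] * m0 + row[1] * m1) % 26))
    return "".join(out)


def hill_encrypt(msg, key):
    if not hill_key_ok(key):
        raise ValueError("key matrix is not invertible mod 26")
    return _apply(key, msg)


def hill_decrypt(ct, key):
    return _apply(hill_key_inverse(key), ct)


if __name__ == "__main__":
    KEY = [[3, 3], [2, 5]]                   # det = 9, coprime to 26
    ct = hill_encrypt("HELP", KEY)
    print(ct, hill_decrypt(ct, KEY))
```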


MODERN SYSTEMS
One of the most commonly used cryptosystems is the Data Encryption Standard, which was developed by IBM, based on its earlier Lucifer cipher, and was adopted by the National Bureau of Standards in 1977. It works on data blocks of 64 bits and uses a 56 bit key. It has, like most modern secret key systems, a structure which can be called the Feistel system after the leader of the team that developed it. Before we look at the DES let us look at the Feistel concept.

Consider an encryption scheme encrypting n bits of data at a time. Treat it like a simple substitution cipher and we have a block diagram like this :
n-bit data -> n to $2^n$ decoder -> general mapping of the $2^n$ symbols -> $2^n$ to n coder
What should n be ? If it is too small, it would be too easy to break, and if too large the mapping would be too big to store and use conveniently. A compromise would be to use a large n but restrict the mappings to a subset which can be easily made rule based ( but not linear ! ). This makes it easier to break, but by defining the encryption as the product of several encryptions ( i.e. the successive application of several encryptions ) we obtain a cipher which is stronger than the sum of the individual ciphers used.

The Feistel scheme thus takes an n-bit block of data and passes it through k units of a basic encryption block. Since the encryption will often be done by using the same basic block again and again, we may refer to it as a round. Each basic block consists of two mappings, a substitution and a permutation, so the system becomes :
S. P. S. P . . . . . . . . . . S. P


The Feistel algorithm divides the data into two equal halves, called $L_0$ and $R_0$, which are passed through the basic blocks and subsequently combined to produce the output. In each basic block, a substitution is carried out on the left half of the data. This substitution is done by modulo 2 addition of the data and the output of a nonlinear function whose input is a combination of the right half of the data and a sub-key generated from the key. After this is done, a transposition is carried out by interchanging the two halves :
$L_i = R_{i-1}, \quad R_i = L_{i-1} \oplus f( R_{i-1}, K_i )$

A point to note : The permutation is not carried out in the last building block, to enable the same device to decode as well as encode.


To observe how this happens, note that at stage i the two inputs to the modulo 2 adder are :
In the encoder : $L_{i-1}$ and $f( R_{i-1}, k_i )$; the output is $R_i$.
In the decoder : $R_i$ and $f( R_{i-1}, k_i )$; the output is $L_{i-1}$.
So each decoder basic block simply undoes what the building block did in the encoder. The exact structure that is used will depend on :
Data block size, n ( large n : more security, less speed )
Key size
Number of rounds
The non linear function
The subkey generator
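A Feistel network written out as the slides describe it : the round equations, the omitted swap after the last round, and decryption done by the same routine with the sub-keys in reverse order. This is an added example and not the DES code or any code from the slides; the 64-bit block, the toy round function and the toy sub-key schedule are my own constructions and are nothing like DES's S-boxes or PC-1 / PC-2.

```python
# Added example (not from the slides): a generic Feistel network on 64-bit
# blocks.  round_function and subkeys are deliberately simple stand-ins; the
# point is the structure, not the strength of f.
MASK32 = 0xFFFFFFFF


def _rotl32(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def round_function(r, k):
    """Toy non-linear f(R, K) (constructed): mix R with the sub-key, multiply, rotate."""
    x = (r ^ k) & MASK32
    x = (x * 0x9E3779B1 + 0x7F4A7C15) & MASK32
    return (_rotl32(x, 13) ^ (x >> 7)) & MASK32


def subkeys(key64, rounds):
    """Toy schedule (constructed): one 32-bit sub-key per round derived from a 64-bit key."""
    return [round_function((key64 >> (32 * (i % 2))) & MASK32, (i + 1) * 0x01010101)
            for i in range(rounds)]


def feistel(block64, ks):
    """Run the rounds L_i = R_{i-1}, R_i = L_{i-1} xor f(R_{i-1}, K_i) and undo the last swap."""
    l, r = block64 >> 32, block64 & MASK32
    for k in ks:
        l, r = r, l ^ round_function(r, k)
    # No interchange after the final round: output (R_n, L_n) so that the same
    # routine, fed the reversed sub-keys, walks the rounds backwards.
    return (r << 32) | l


def feistel_encrypt(m, ks):
    return feistel(m, ks)


def feistel_decrypt(c, ks):
    return feistel(c, list(reversed(ks)))


if __name__ == "__main__":
    ks = subkeys(0x0123456789ABCDEF, 16)
    m = 0x0011223344556677
    c = feistel_encrypt(m, ks)
    print(f"m = {m:016x}  c = {c:016x}  d = {feistel_decrypt(c, ks):016x}")
```

Whatever `round_function` is ( it need not be invertible ), decryption works, which is the property the slide is making: the structure, not f, provides invertibility.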

[ Flow chart of the DES cipher : Data -> IP -> ( $L_0$, $R_0$ ); for i = 1 to 16, $L_i = R_{i-1}$ and $R_i = L_{i-1} \oplus f( R_{i-1}, K_i )$; ( $R_{16}$, $L_{16}$ ) -> $IP^{-1}$ -> Output ]

[ Sub-key generation for DES : key -> PC-1 -> ( $C_0$, $D_0$ ); $C_i = LS_i( C_{i-1} )$, $D_i = LS_i( D_{i-1} )$; $K_i$ = PC-2( $C_i$, $D_i$ ) for i = 1 to 16 ]

DES operates in one of four modes :
Electronic code book mode
Cipher block chaining mode
Cipher feed back mode
Output feed back mode
Triple DES


A 64 bit block cipher with a 128 bit key ( this is the IDEA cipher ) : 64 bit word ( input ), 128 bit key; basic unit 16 bits; 17 rounds, the odd rounds using 4 sub-keys and the even rounds 2. Operations : bit wise exclusive or ⊕; + ( addition mod $2^{16}$ ); ⊙ ( multiplication mod $2^{16} + 1$, with 00..0 representing $2^{16}$ ). Key expansion : 16 bits at a time; offset 25 after 8.


Odd round :
$X_a = X_a \odot K_a$
$X_b = X_c + K_c$
$X_c = X_b + K_b$
$X_d = X_d \odot K_d$
Even round :
$Y_{in} = X_a \oplus X_b$
$Z_{in} = X_c \oplus X_d$
$Y_{out} = ( ( K_e \odot Y_{in} ) + Z_{in} ) \odot K_f$
$Z_{out} = ( K_e \odot Y_{in} ) + Y_{out}$
$X_{a,b} = X_{a,b} \oplus Y_{out}$
$X_{c,d} = X_{c,d} \oplus Z_{out}$
[ Figures : the odd round and the even round of the cipher, as block diagrams of the operations above ]

Blowfish
[ Figure : Blowfish structure : plaintext PT; 16 rounds, each XORing one half with a sub-key $P_1 \ldots P_{16}$ and applying the F block; final XORs with $P_{17}$ and $P_{18}$; cipher text CT. F block : built from the four S-boxes ]

Blowfish key : 32 to 448 bits ( 1 to 14 32-bit words ) : $K_1 \ldots K_j$ ( j ≤ 14 )
Sub keys are stored as $P_1, P_2, \ldots, P_{18}$
The four S-boxes contain 32-bit entries :
$S_{1,0}, S_{1,1}, \ldots, S_{1,255}$
$S_{2,0}, S_{2,1}, \ldots, S_{2,255}$
. . .
$S_{4,0}, S_{4,1}, \ldots, S_{4,255}$


Initialize the P & S boxes using the bits representing the fractional part of pi. Bit wise XOR the P and K arrays ( reusing K words if necessary ). Encrypt the all zeros word using P, S and put the result in $P_1$, $P_2$; repeat till all P, S words are replaced, to get the final P, S words ( with 521 executions of Blowfish ). S boxes are key dependent. Both sub-keys and S boxes are got by using Blowfish. Operations on each half are fast to execute. Brute force attack is more difficult since sub-key generation is slow. Large avalanche effect. Each bit of F is applied to only one S box ( contrast DES ).


RC5
Suitable for hardware / software; fast
Different word lengths w = 16, 32, 64
Variable number of rounds v = 0, 1 . . . . 255
Variable key length b = 0, 1 . . . . 255 ( 8 bit bytes )
Data dependent rotations


[ Figure : RC5 encryption : L = L + S(0), R = R + S(1); for i = 1 to r : L = ( ( L ⊕ R ) <<< R ) + S(2i), R = ( ( R ⊕ L ) <<< L ) + S(2i + 1) ]
X <<< y : left rotation of X by y bits
Key expansion : S(0) . . . . . S(t-1), t = 2r + 2
$P_w = \mathrm{Odd}( ( e - 2 ) 2^w )$, $Q_w = \mathrm{Odd}( ( \phi - 1 ) 2^w )$
S(0) = $P_w$; S(i) = S(i-1) + $Q_w$
Mix K with S : S(i) = ( S(i) + X + Y ) <<< 3; X = S(i); L(j) = ( L(j) + X + Y ) <<< ( X + Y ); Y = L(j); i = i + 1; j = j + 1



In a public key system, the key at the receiver is different from the key at the transmitter. The designer of the system, having some hidden knowledge of the structure of the transmitting key, can calculate the receiving key, but others cannot. A standard public key algorithm is the RSA. In this algorithm
$C = M^e \bmod n$, $n = p \cdot q$
$M = C^d \bmod n$
$e d = 1 \bmod \phi(n)$


The simplest public key signature scheme is based on the RSA cipher. A, with private key $d_A$ and public key $e_A, n_A$, can communicate with B, having the corresponding private key $d_B$ and public key $e_B, n_B$ :
Maintaining secrecy : $C = M^{e_B} \bmod n_B$
With a digital signature : $M^{d_A} \bmod n_A$
or both, by using the two operations one after the other, carrying out the operation with the smaller n first.
For signature, with $n_A < n_B$ : A sends $C = E_B( D_A( M ) )$; B calculates $X = D_B( C )$ and $M = E_A( X )$; B gives the judge M and X; the judge calculates $M' = E_A( X )$ and checks $M' = M$.
With $n_A > n_B$ : A sends $C = D_A( E_B( M ) )$; B calculates $M = D_B( E_A( C ) )$; B gives the judge M and C; the judge calculates $X = E_B( M )$ and $X' = E_A( C )$ and checks $X = X'$.
Strong primes : $( p - 1 ) = 2 p'$ with $p'$ prime, and $\gcd( p - 1, q - 1 )$ small.
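The combined secrecy-and-signature protocol of the slide, with the "smaller n first" rule deciding the order of the two operations and the judge's check for both cases. This is an added example, not code from the slides; the primes 61, 53, 89, 97 and the exponents are constructed toy values chosen so the arithmetic is visible, and real keys are of course far larger.

```python
# Added example (not from the slides): textbook RSA secrecy + signature with
# the operation of the smaller modulus applied first.  Toy primes only.
from math import gcd


def rsa_keypair(p, q, e):
    """n = p q, e d = 1 mod phi(n).  Returns ((e, n), (d, n)) = (public, private)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    return (e, n), (pow(e, -1, phi), n)


def rsa_apply(key, x):
    """E or D: x^exponent mod n; encryption, decryption, signing and verifying are the same operation."""
    exp, n = key
    return pow(x, exp, n)


def send(m, priv_a, pub_b):
    """A -> B: sign and encrypt, with the smaller-modulus operation carried out first."""
    n_a, n_b = priv_a[1], pub_b[1]
    if not 0 <= m < min(n_a, n_b):
        raise ValueError("message must be smaller than both moduli")
    if n_a < n_b:
        return rsa_apply(pub_b, rsa_apply(priv_a, m))      # C = E_B(D_A(M))
    return rsa_apply(priv_a, rsa_apply(pub_b, m))          # C = D_A(E_B(M))


def receive(c, priv_b, pub_a):
    """B recovers M and keeps the evidence it would hand to a judge."""
    n_a, n_b = pub_a[1], priv_b[1]
    if n_a < n_b:
        x = rsa_apply(priv_b, c)                           # X = D_B(C) = D_A(M)
        return rsa_apply(pub_a, x), x                      # M = E_A(X); evidence X
    x = rsa_apply(pub_a, c)                                # X = E_A(C) = E_B(M)
    return rsa_apply(priv_b, x), c                         # M = D_B(X); evidence C


def judge(m, evidence, pub_a, pub_b):
    """The judge only needs the two public keys."""
    n_a, n_b = pub_a[1], pub_b[1]
    if n_a < n_b:
        return rsa_apply(pub_a, evidence) == m             # E_A(X) = M ?
    return rsa_apply(pub_b, m) == rsa_apply(pub_a, evidence)   # E_B(M) = E_A(C) ?


if __name__ == "__main__":
    pub_a, priv_a = rsa_keypair(61, 53, 17)                # n_A = 3233
    pub_b, priv_b = rsa_keypair(89, 97, 5)                 # n_B = 8633
    c = send(1234, priv_a, pub_b)
    m, evidence = receive(c, priv_b, pub_a)
    print(m, judge(m, evidence, pub_a, pub_b))
```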


Public key signatures are related to public key encryption algorithms. The basic idea is that we transform a given message into an apparently meaningless set of symbols, $E_k( M ) = C$, using a transform E which is well known and a key k, which involves the hidden component. From C we can get back $M = D_{k'}( C )$ using a related transform D and a related key $k'$.
If $k'$ is easily computed from k : secret key system; else : public key system.
If k is known to everybody, we get a secrecy system : anyone can send $E_k( M ) = C$; only the system owner can read C by $D_{k'}( C ) = M$.
If $k'$ is known to everybody, we get an authentication ( signature ) system : only the system owner can send $E_k( M ) = C$; anyone can verify by $D_{k'}( C ) = M$.

PKCS #1 block formats :
Encryption : 00 | 02 | 8 or more nonzero random bytes | 00 | data
Signing : 00 | 01 | 8 or more bytes of FF ( hex ) | 00 | digest type + digest
RSA public exponent e = 3 or 65537 ( = $2^{16} + 1$, 17 bits )
Multiplex random 768


What should be signed ? Not the message but a message digest. Why ? Public key procedures are computationally expensive; it enables widely different signatures for nearly identical messages; it prevents partial replays. What is a message digest ( hash ) ? A one way function of a variable length message into a fixed length digest. Properties of digests :
a one or a zero is equally likely at each bit
each output has half its bits as 1
two outputs are uncorrelated irrespective of the similarity of the inputs


[ Figure : signing : message -> digest -> signing algorithm with the private key -> signature. Verification : message -> digest; signature -> verification algorithm -> compare -> accept / reject ]


The El Gamal algorithm : an extension of the Diffie-Hellman secret sharing system.
The Diffie-Hellman algorithm :
A chooses $S_A$ and calculates $T_A = g^{S_A} \bmod p$; B chooses $S_B$ and computes $T_B = g^{S_B} \bmod p$.
A, B exchange $T_A$, $T_B$.
A computes $T_B^{S_A} \bmod p = k$; B computes $T_A^{S_B} \bmod p = k$.


El Gamal algorithm : each user has
(1) a long term public / private key pair : public ( g, p, T ), secret S, with $g^S \bmod p = T$
(2) a per message public / private key pair : $S_m$ and $g^{S_m} \bmod p = T_m$
(3) $d_m$ = digest of $m \,|\, T_m$
Signature : $X = S_m + d_m S \bmod ( p - 1 )$. Transmit m, X, $T_m$.
Verify : $g^X = T_m T^{d_m} \bmod p$, since $g^X = g^{S_m + d_m S} = g^{S_m} ( g^S )^{d_m} = T_m T^{d_m} \bmod p$.
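Both halves of the last two slides in code: the Diffie-Hellman exchange, and the El Gamal style signature exactly as written above ( X = S_m + d_m S mod (p-1), verified by g^X = T_m T^{d_m} mod p ). This is an added example and not code from the slides; the digest d_m is taken here as SHA-256 of "m | T_m" reduced mod p-1, and the primes 23 ( with g = 5 ) and 2^31 - 1 ( with g = 7 ) are constructed toy parameters.

```python
# Added example (not from the slides): Diffie-Hellman key agreement and the
# slide's El Gamal-style signature.  Toy moduli; the digest choice is mine.
import hashlib
import secrets


def dh_public(p, g, s):
    """T = g^S mod p."""
    return pow(g, s, p)


def dh_shared(p, t_other, s):
    """k = T_other^S mod p; both sides obtain the same k."""
    return pow(t_other, s, p)


def digest(m, t_m, p):
    """d_m = digest of m | T_m, reduced mod (p - 1) so it can be used as an exponent."""
    h = hashlib.sha256(f"{m}|{t_m}".encode()).digest()
    return int.from_bytes(h, "big") % (p - 1)


def elgamal_keygen(p, g, s=None):
    """Long term pair: secret S, public T = g^S mod p."""
    s = s or secrets.randbelow(p - 2) + 1
    return s, pow(g, s, p)


def elgamal_sign(p, g, s, m, s_m=None):
    """Per message pair (S_m, T_m); signature X = S_m + d_m S mod (p - 1).  Returns (X, T_m)."""
    s_m = s_m or secrets.randbelow(p - 2) + 1        # must be fresh for every message
    t_m = pow(g, s_m, p)
    d_m = digest(m, t_m, p)
    return (s_m + d_m * s) % (p - 1), t_m


def elgamal_verify(p, g, t, m, x, t_m):
    """Check g^X = T_m * T^d_m mod p."""
    d_m = digest(m, t_m, p)
    return pow(g, x, p) == (t_m * pow(t, d_m, p)) % p


if __name__ == "__main__":
    p, g = 23, 5                                      # toy DH group
    t_a, t_b = dh_public(p, g, 6), dh_public(p, g, 15)
    print("DH shared:", dh_shared(p, t_b, 6), dh_shared(p, t_a, 15))
    P, G = 2147483647, 7                              # toy signature group (2^31 - 1 is prime)
    s, t = elgamal_keygen(P, G)
    x, t_m = elgamal_sign(P, G, s, "transfer 10")
    print("verify:", elgamal_verify(P, G, t, "transfer 10", x, t_m),
          elgamal_verify(P, G, t, "transfer 11", x, t_m))
```

The verification equation holds because $g^{p-1} = 1 \bmod p$, which is why X is reduced mod p - 1 and not mod p.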


The Digital Signature Standard ( DSS ) of NIST is based on the Digital Signature Algorithm, a modification of the El Gamal signature. The DSA parameters :
Public parameters common to a group :
prime modulus p with $2^{L-1} < p < 2^L$, $512 \le L \le 1024$, L a multiple of 64
q, a prime divisor of p - 1, $2^{159} < q < 2^{160}$
$g = h^{(p-1)/q} \bmod p$, 1 < h < p - 1, with $h^{(p-1)/q} \bmod p > 1$ [ requirement : $g^q = 1 \bmod p$ ]
Private and public parameters of users : x, a random integer 0 < x < q; $y = g^x \bmod p$
Private parameter for each signature : k, a random integer 0 < k < q


Signature Generation : S(M) = ( r, s ) with
$r = ( g^k \bmod p ) \bmod q$
$s = ( k^{-1} ( SHA(M) + x r ) ) \bmod q$   ( r ≠ 0, s ≠ 0; 160 bits each )
Transmit M, S(M).
Signature Verification : test 0 < r < q, 0 < s < q; compute
$w = s^{-1} \bmod q$
$v_1 = ( SHA(M) \, w ) \bmod q$
$v_2 = ( r w ) \bmod q$
$v = ( ( g^{v_1} y^{v_2} ) \bmod p ) \bmod q$
check : v = r

Elliptic Curve DSA : just like DSA, but based on elliptic curves. The mathematics is just like that of the same key size. Addition of 2 points :
1. If P is the point at infinity 0 : - P = 0, P + 0 = P
2. If P = ( x, y ) : - P = ( x, - y )
3. If P, Q have different x : the line l = PQ intersects the curve at R ( l tangent at P if R = P ); P + Q = - R
4. If Q = - P : P + Q = 0
5. If P = Q : l is the tangent at P, R the intersection of l with the curve; P + Q = - R; if double tangency at P, R = P
ECDH and

[ Figure : an elliptic curve $y^2 = x^3 + a x + b$, showing EC addition ]
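The five addition rules above carried out over a small prime field, where the chord and tangent slopes become modular divisions, plus the double-and-add scalar multiplication that ECDH and ECDSA are built on. This is an added example, not code from the slides; the curve $y^2 = x^3 + 2x + 3$ over $F_{97}$ and the point ( 3, 6 ) are constructed sample values.

```python
# Added example (not from the slides): elliptic-curve point addition over F_p
# following the slide's five rules, and scalar multiplication on top of it.
P_FIELD, A, B = 97, 2, 3           # constructed toy curve y^2 = x^3 + 2x + 3 mod 97
O = None                           # the point at infinity


def is_on_curve(pt):
    if pt is O:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P_FIELD == 0


def neg(pt):
    """Rule 1 / rule 2: -O = O, -(x, y) = (x, -y)."""
    if pt is O:
        return O
    x, y = pt
    return (x, (-y) % P_FIELD)


def add(p1, p2):
    if p1 is O:                    # rule 1: P + O = P
        return p2
    if p2 is O:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_FIELD == 0:
        return O                   # rule 4: P + (-P) = O (also doubling a point with y = 0)
    if p1 == p2:                   # rule 5: slope of the tangent at P
        lam = (3 * x1 * x1 + A) * pow((2 * y1) % P_FIELD, -1, P_FIELD) % P_FIELD
    else:                          # rule 3: slope of the chord PQ
        lam = (y2 - y1) * pow((x2 - x1) % P_FIELD, -1, P_FIELD) % P_FIELD
    x3 = (lam * lam - x1 - x2) % P_FIELD
    y3 = (lam * (x1 - x3) - y1) % P_FIELD    # third intersection is R = (x3, -y3); result is -R
    return (x3, y3)


def mul(k, pt):
    """k * P by double-and-add; this is the operation ECDH and ECDSA perform."""
    result, addend = O, pt
    while k:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result


if __name__ == "__main__":
    pt = (3, 6)
    for k in range(1, 7):
        print(k, mul(k, pt))
```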


Comparison of the systems :
Strength : RSA : factorization problem; DSA, El Gamal : discrete logarithm problem; ECDSA : discrete logarithm in elliptic curve computation
Performance :
System   Signature   Verification
RSA      13          1
DSA      17          33
ECC      7           4
Transmission size : DSA, ECDSA 340 bits; RSA, key size 1024 bits

Security :
ECC key size   MIPS years
150            3.8 × 10^10
205            7.1 × 10^18
234            1.6 × 10^28
RSA key size   MIPS years
572            3 × 10^9
768            3 × 10^8
1024           3 × 10^11
2048           3 × 10^10
Why DSA ? May have hidden flaws; a DSS key of 512 is better than RSA 512 ( n = p.q ); computation of < p, q, g > is expensive; so many users, advantage for the attacker; trapdoor primes; DSS requires a secret number for each message; patents.


The per message secret number must not be disclosed :
$s = ( k^{-1} ( SHA(M) + x r ) ) \bmod q$
If k is known, then $( k s - SHA(M) ) r^{-1} = x \bmod q$.
If two messages are signed with the same k, then $( SHA(M_1) - SHA(M_2) ) ( s_1 - s_2 )^{-1} = k \bmod q$.
In El Gamal all operations are mod p ( p 512 bits ); in DSS they are mod p ( 512 bits ) and mod q ( 160 bits ), so it is faster, but an inverse is needed by both signer and verifier instead of only the signer. However the inverse can be precalculated by the signer.
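DSA signing and verification as on the earlier slide, together with the two identities just derived, which show why the per-message k has to be both secret and fresh. This is an added example, not code from the slides; the parameters p = 23, q = 11, g = 4, the key x = 3 and k = 7 are constructed toy values ( q divides p - 1 and $g^q = 1 \bmod p$ ), and the digest is passed in as an integer so that the checks are reproducible.

```python
# Added example (not from the slides): DSA sign / verify with toy parameters,
# plus the recovery identities that follow from a leaked or reused k.
import hashlib

P, Q, G = 23, 11, 4                 # constructed: 11 | 22 and 4^11 = 1 mod 23


def sha1_int(message: bytes) -> int:
    """SHA(M) as an integer, the way the slides use it."""
    return int.from_bytes(hashlib.sha1(message).digest(), "big")


def dsa_sign(h, x, k, p=P, q=Q, g=G):
    """r = (g^k mod p) mod q,  s = k^-1 (h + x r) mod q.  h is the digest as an integer."""
    r = pow(g, k, p) % q
    s = pow(k, -1, q) * (h + x * r) % q
    if r == 0 or s == 0:
        raise ValueError("degenerate signature, choose another k")
    return r, s


def dsa_verify(h, y, sig, p=P, q=Q, g=G):
    r, s = sig
    if not (0 < r < q and 0 < s < q):       # the range test comes first
        return False
    w = pow(s, -1, q)
    v1, v2 = (h * w) % q, (r * w) % q
    v = (pow(g, v1, p) * pow(y, v2, p) % p) % q
    return v == r


def x_from_known_k(h, sig, k, q=Q):
    """If k leaks: x = (k s - h) r^-1 mod q."""
    r, s = sig
    return (k * s - h) * pow(r, -1, q) % q


def k_from_reused_k(h1, sig1, h2, sig2, q=Q):
    """If two messages share k (same r): k = (h1 - h2) (s1 - s2)^-1 mod q."""
    (_, s1), (_, s2) = sig1, sig2
    return (h1 - h2) * pow((s1 - s2) % q, -1, q) % q


if __name__ == "__main__":
    x = 3
    y = pow(G, x, P)                          # public key
    h = sha1_int(b"constructed message") % Q
    sig = dsa_sign(h, x, 7)
    print(sig, dsa_verify(h, y, sig))
    print("x recovered from k:", x_from_known_k(h, sig, 7))
```

With a 160-bit q the same two one-line computations apply unchanged, which is why implementations derive k from a cryptographic random source ( or deterministically from the key and message ) and never reuse it.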

Attacks : factorization / other mathematical methods; training; timing; brute force; multiplicative property : from $M_1$, $M_2$ one gets $M_1 \cdot M_2$, $M_1 / M_2$, $( M_1 )^j$; e.g. if small exponent, say 3, with padding : take m, $m^d$, pad, take $m^d$, round off to r.


MD-2 : an arbitrary number of bytes is padded on the right by r bytes ( 1 ≤ r ≤ 16 ) of value r to make a multiple of 16; a check sum is calculated and appended to the end; final pass : the message is processed in 16 byte blocks to produce the intermediate digest.
MD-5 : works on 16 32-bit words X and gives a digest of 128 bits. Padding. Uses the operations ~x ( not ), x ∧ y ( and ), x ∨ y ( or ), x ⊕ y ( exclusive or ), x + y ( add mod $2^{32}$ ), x <<< y ( left rotate y times ) and floor.


SHA-1 : message up to $2^{64}$ bits, output 160 bits, padding as in MD5, operations used are the same as in MD5. Digest buffer of 5 words; 16 word block. Initialize the buffer as A = 67452301, B = EFCDAB98, C = 98BADCFE, D = 10325476, E = C3D2E1F0. For t = 0 to 79 :
B = old A
C = ( old B ) <<< 30
D = old C
E = old D
A = E + ( A <<< 5 ) + $W_t$ + $k_t$ + f( t, B, C, D )
$k_t = \lfloor 2^{30} \sqrt{2} \rfloor$ = 5A827999, $\lfloor 2^{30} \sqrt{3} \rfloor$ = 6ED9EBA1, $\lfloor 2^{30} \sqrt{5} \rfloor$ = 8F1BBCDC, $\lfloor 2^{30} \sqrt{10} \rfloor$ = CA62C1D6 ( one constant for each 20-round range of t )
f( t, B, C, D ) = ( B ∧ C ) ∨ ( ~B ∧ D ); = B ⊕ C ⊕ D; = ( B ∧ C ) ∨ ( B ∧ D ) ∨ ( C ∧ D ); = B ⊕ C ⊕ D ( for the same four ranges of t )


To test integer w for primality : put w - 1 = $2^t m$, m odd. Generate random b, 1 < b < w.
Compute $Z_0 = b^m \bmod w$.
For 1 ≤ j ≤ t compute $Z_j = Z_{j-1}^2 \bmod w$.
Check if (1) $Z_t \ne 1$, or (2) for some 1 ≤ j ≤ t, $Z_j = 1$ and $Z_{j-1} \ne 1$ and $Z_{j-1} \ne w - 1$.
If either (1) or (2) holds, w is not prime; otherwise, with probability 3/4, w is prime. Repeat with more b's ( as many as required ).
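The primality test above ( the Miller-Rabin test ) implemented step by step, with the witness loop the last sentence asks for and a prime search on top of it, which is what RSA and DSA key generation need. This is an added example, not code from the slides; the fixed list of small witnesses tried before the random ones and the 20 random rounds are my choices, and 2047 = 23 × 89 is used as a constructed case where a single b is not enough.

```python
# Added example (not from the slides): the slide's probabilistic primality test
# with repeated witnesses, and a next-prime search built on it.
import secrets


def miller_rabin_round(w, b):
    """One round with witness b: True = 'w passed', False = 'w is certainly composite'."""
    t, m = 0, w - 1
    while m % 2 == 0:
        t, m = t + 1, m // 2                 # w - 1 = 2^t m, m odd
    z = [pow(b, m, w)]                       # Z_0 = b^m mod w
    for _ in range(t):
        z.append(z[-1] * z[-1] % w)          # Z_j = Z_{j-1}^2 mod w
    if z[t] != 1:                            # (1) b^(w-1) != 1 mod w
        return False
    for j in range(1, t + 1):                # (2) a square root of 1 other than +-1
        if z[j] == 1 and z[j - 1] not in (1, w - 1):
            return False
    return True


def is_probable_prime(w, random_rounds=20):
    """Trial division by a few small primes, then fixed and random witnesses."""
    if w < 2:
        return False
    small = (2, 3, 5, 7, 11, 13)
    for s in small:
        if w == s:
            return True
        if w % s == 0:
            return False
    witnesses = list(small) + [secrets.randbelow(w - 3) + 2 for _ in range(random_rounds)]
    return all(miller_rabin_round(w, b) for b in witnesses)


def next_prime(n):
    """Smallest probable prime >= n."""
    while not is_probable_prime(n):
        n += 1
    return n


if __name__ == "__main__":
    print("2047 with b = 2:", miller_rabin_round(2047, 2))   # a strong liar
    print("2047 with b = 3:", miller_rabin_round(2047, 3))   # exposes 23 * 89
    print("next prime >= 2^64:", next_prime(2 ** 64))
```

A single witness can lie ( 2047 passes for b = 2 ), which is why the slide says to repeat with more b's: each independent round cuts the probability of accepting a composite by at least a factor of 4.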


[ Figure : pseudo-random number generator built from triple DES ( EDE ) under keys k1, k2 : the date-time value DT and the seed $v_i$ are combined through EDE to give the output $R_i$ and the next seed $v_{i+1}$ ]

Some Practical Aspects


Operations for Key Management
1. Set master key : smk( KMO )
2. Encipher under master key : emk( K ) = $E_{KMO}( K )$
3. Encipher : ecph( X, M ) = $E_K( M )$
4. Decipher : dcph( X, C ) = $D_K( C )$
5. Reencipher from master key : rfmk( W, X ) = $E_{KMT}( K )$
6. Reencipher to master key : rtmk( W, X ) = $E_{KMO}( K )$


[ Figure : ecph( X, M ) : X = $E_{KMO}( K )$ -> $D_{KMO}$ -> K -> $E_K$ -> $E_K( M )$. dcph( X, C ) : X = $E_{KMO}( K )$ -> $D_{KMO}$ -> K -> $D_K$ -> $D_K( C )$ ]

[ Figure : rfmk( W, X ) : W = $E_{KM1}( KMT )$ -> $D_{KM1}$ -> KMT; X = $E_{KMO}( K )$ -> $D_{KMO}$ -> K -> $E_{KMT}$ -> $E_{KMT}( K )$. rtmk( W, X ) : W = $E_{KM2}( KNF )$ -> $D_{KM2}$ -> KNF; X = $E_{KNF}( K )$ -> $D_{KNF}$ -> K -> $E_{KMO}$ -> $E_{KMO}( K )$ ]

User terminal operations : a. dmk   b. ecph   c. dcph
Host A : R = $E_{KMO_A}( K )$
Host B : rfmk( $W_A$, R ) = $E_{KNC}( K )$
Host B : rtmk( $W_B$, $E_{KNC}( K )$ ) = $E_{KMO_B}( K )$
Host A to terminal A : Z = rfmk( $Y_A$, R ) = $E_{KMT_A}( K )$, with $Y_A = E_{KM1_A}( KMT_A )$
A : dmk( Z ) -> K; likewise for host B


There are several ways in which privacy can be retained in electronic communications. If A wishes to send an anonymous message to B, it uses a central system S to pass the message to B : $C = E_S[ B, E_B( M ) ]$. S deciphers C using its private key and passes the message to B ( after shuffling ). If A wants a reply from B it sends an untraceable return address : $C = E_S( B, E_B( M, U, K ) )$ with $U = E_S( A )$. The return message $C = E_S( U, E_K( M ) )$ is deciphered by S ( twice ) to obtain A and pass on the message $E_K( M )$ to A.


Another problem arises when it is required that, for data to be obtained, t out of w users must be present. This is done by breaking the key K into w shadows and giving one to each user. The shadows are got from the random polynomial
$h( X ) = \sum_{i=0}^{t-1} a_i X^i \bmod p$, with K = h( 0 ) and $K_j = h( X_j )$
From t of the points ( $X_j$, h( $X_j$ ) ) we can regenerate
$h( X ) = \sum_{i=1}^{t} K_i \prod_{j=1,\, j \ne i}^{t} \frac{X - X_j}{X_i - X_j} \bmod p$
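The threshold scheme above ( Shamir's secret sharing ) with the shadows generated from the random polynomial and the key recovered by evaluating the interpolation formula at X = 0. This is an added example, not code from the slides; the prime $2^{127} - 1$, the share abscissae 1..w and the optional fixed coefficients used in the check are my choices.

```python
# Added example (not from the slides): t-out-of-w secret sharing over Z_p by
# polynomial shadows and Lagrange interpolation at X = 0.
import secrets


def make_shares(secret, t, w, p, coeffs=None):
    """Split secret into w shadows (j, h(j)), any t of which recover it.
    coeffs = (a_1 .. a_{t-1}) are drawn at random unless supplied (for reproducible tests)."""
    if not 0 <= secret < p:
        raise ValueError("secret must lie in 0 .. p-1")
    if not 1 <= t <= w:
        raise ValueError("need 1 <= t <= w")
    a = [secret] + (list(coeffs) if coeffs is not None
                    else [secrets.randbelow(p) for _ in range(t - 1)])
    if len(a) != t:
        raise ValueError("need exactly t - 1 coefficients")

    def h(x):                      # h(X) = sum a_i X^i mod p, so h(0) = K
        return sum(ai * pow(x, i, p) for i, ai in enumerate(a)) % p

    return [(j, h(j)) for j in range(1, w + 1)]


def recover(shares, p):
    """K = h(0) = sum K_i prod_{j != i} (0 - X_j) / (X_i - X_j) mod p."""
    k = 0
    for i, (xi, ki) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if j != i:
                num = num * (-xj) % p
                den = den * (xi - xj) % p
        k = (k + ki * num * pow(den % p, -1, p)) % p
    return k


if __name__ == "__main__":
    p = 2 ** 127 - 1                # a Mersenne prime, comfortably above any 128-bit key
    shares = make_shares(0xDEADBEEF, 3, 5, p)
    print(shares)
    print(hex(recover(shares[:3], p)), hex(recover(shares[2:], p)))
```

With fewer than t shadows the interpolation still returns a value, just not the key: the test below checks that two shadows of a degree-2 polynomial give a number unrelated to K, which is the whole point of the threshold.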



Message Digest
easy to compute; computed in rounds; can't find m from MD; can't find any m to give a given MD; can't find 2 messages with the same digest ( collision ).
Most common digests in use : MD2, MD5, SHA-1, RIPEMD 160.
MD 2 : 16 byte digest, widely used, but flaws found; collision found but not on demand; in use only because of old certificates.

Control your broadcast area
Lock each AP
Ban rogue access points
Use 128-bits WEP
Choose good SSIDs
Limit access rights
Limit the number of user addresses
Authenticate users


[ Figure : HIPERLAN encryption - decryption scheme : at the transmitter the key-set key, key identifier and initialization vector drive a random sequence generator whose output is XORed with the data to give the encrypted transmission; the receiver, with the same key-set key, key identifier and initialization vector, regenerates the sequence and XORs it with the encrypted data to recover the data ]

[ Figure : 802.11 WEP : at the sender the IV and the secret key feed the WEP PRNG; the integrity algorithm over the plaintext gives the ICV; ( plaintext, ICV ) XOR key stream gives the ciphertext, which is sent together with the IV. At the receiver the IV and the secret key feed the WEP PRNG; ciphertext XOR key stream gives ( plaintext, ICV ); the integrity algorithm is recomputed over the plaintext and the check ICV' = ICV is made ]
