What is Cryptography ?
The science of converting normal text, which is intelligible to anyone, into a special text that can be understood only by a select few. The normal text is called plain text or message text; the modified special text is called cipher text.
Why is it required ?
Information has value and needs to be communicated among users. However, in this imperfect world there are people who, though not entitled to the information, try to grab it any way they can.
GSSST, IITKGP
T.S.LAMBA
WIRELESS NETWORKS
Figure: Transmitter → Channel → Receiver.
Passive Tapping :
The attacker collects data by accessing the transmission medium, a process called wire tapping, since in the early days the data was collected from the telephone / telegraph wire by a tap. The wire tapping could be passive, in which the enemy only listens to the conversation.
Figure: Transmitter → Channel → Receiver, with the line broken by the attacker (active tapping).
Active Tapping :
It could be active, in which the attacker breaks the line and introduces his own communication.
If we consider the storage and retrieval of information as a temporal communication, the attack variety increases. We get: browsing, replaying, modifying, insertion, deletion, traffic analysis, inference and blocking (include cipher text searching). We can guard against these attacks in two ways:
- By access control
- By encryption
Figure: Plain text M → Encryption (Encryption Key) → Cipher text C → Decryption (Decryption Key) → Plain text M.
Decryption with key K: D_K : C → M
The encryption and decryption transforms fit a selectable key into an encryption / decryption algorithm, which is used in a controlled manner (or protocol). The security of the system depends solely on the key. It is an axiom with cryptologists that the algorithm used is known to the enemy; in fact there is an advantage if the design of an encryption algorithm is made public. The fact that we have encrypted the plaintext requires that we transmit the key to the receiver. But if we do that, the key may be available to the enemy through wire tapping.
How is it possible ?
To understand, let us see what the encryption does. It replaces groups of information by other symbols, which creates confusion in the mind of the enemy. It also rearranges the groups, thus diffusing the information across the whole message.
If the message were a random string of characters there would be no problem. But it is text controlled by the rules of a language and as such has structure, relationships and known probability distributions. The encryption process is unable to completely destroy these properties, and the cryptanalyst searches out the residual structure to decrypt the message.
The earliest (classical) systems were such that the decryption key was easily obtained from the encryption key and vice versa, so both have to be kept secret for security. Hence the names:
- Single key
- Symmetric key
- Secret key
The first three requirements for security were simultaneously met by these systems, but the last was not (practically) possible in them.
The modern (public key) systems are such that knowledge of either key does not (automatically) give knowledge of the other. We can therefore publish any one of these keys without compromising the other. Hence the names:
- Asymmetric key
- Two key
- Public key
If we publish the encryption key, anybody can send us a message confidentially. Only we can read the message, since the decryption key is secret. If we publish the decryption key, anybody can receive the message with the confidence that it has come from us. Nobody else could have sent the message, since the encryption key is secret. Non-repudiation is obtained by digital signatures, which have public decryption keys.
How good is this algorithm ?
- Perfectly secure. No information is available about the message text, no matter how much cipher text is available.
- Unconditionally secure. No matter how much cipher text is available, there is not enough information to decipher the message text.
- Computationally secure. It is theoretically possible to decipher the cipher text, but the effort (time or memory) involved is too large for the deciphering to be useful.
What are the factors to consider in designing a crypto system ?
- Encryption / decryption should not take too much computational power / time.
- Keys should be easy to find.
- Security of the system should depend only on the key. Systems where security depends on the secrecy of the algorithm are called restricted systems.
The earliest cryptosystems were the secret key systems. These systems can be divided into two categories:
- Transposition ciphers
- Substitution ciphers
Advanced cryptosystems can be considered as combinations of several transposition ciphers and several substitution ciphers.
In transposition ciphers, the message text is rearranged to give the cipher text. An example is the columnar transposition, wherein the message is written as rows of n characters and then read out column by column in some predetermined order (say 3 5 1 6 4 2). In this system the cipher text cannot be transmitted until the total encryption has been done, and so often a fixed period cipher is used. In these ciphers the message text is broken into blocks of n characters, and each block is permuted to give a block of cipher text.
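The two transposition ciphers just described, as an added example (this code is not from the lecture notes). It uses the read-out order 3 5 1 6 4 2 from the text; dropping non-letters and padding with X are conventions assumed here for the example.

```python
# Added example, not part of the lecture notes: columnar transposition and the
# fixed-period (block permutation) cipher, both driven by the same read-out
# order 3 5 1 6 4 2 given in the text (1-based).  Non-letters are dropped and
# the text is padded with X (a convention chosen for this example).
ORDER = (3, 5, 1, 6, 4, 2)


def _prepare(text, n, pad="X"):
    """Keep letters only, upper-case them, pad to a multiple of n."""
    letters = [c for c in text.upper() if c.isalpha()]
    while len(letters) % n:
        letters.append(pad)
    return letters


def columnar_encrypt(text, order=ORDER):
    """Write the message as rows of n letters, read column by column in `order`."""
    n = len(order)
    letters = _prepare(text, n)
    rows = [letters[i:i + n] for i in range(0, len(letters), n)]
    return "".join(row[col - 1] for col in order for row in rows)


def columnar_decrypt(cipher, order=ORDER):
    """Refill the columns in the same order, then read the rows back out."""
    n = len(order)
    nrows = len(cipher) // n
    grid = [[None] * n for _ in range(nrows)]
    pos = 0
    for col in order:
        for r in range(nrows):
            grid[r][col - 1] = cipher[pos]
            pos += 1
    return "".join(c for row in grid for c in row)


def fixed_period_encrypt(text, order=ORDER):
    """Permute every block of n letters by the same order (period n)."""
    n = len(order)
    letters = _prepare(text, n)
    out = []
    for b in range(0, len(letters), n):
        block = letters[b:b + n]
        out.extend(block[p - 1] for p in order)
    return "".join(out)


def fixed_period_decrypt(cipher, order=ORDER):
    """Apply the inverse permutation to every block."""
    n = len(order)
    inverse = [0] * n
    for i, p in enumerate(order):
        inverse[p - 1] = i        # the p-th plaintext symbol was written at position i
    out = []
    for b in range(0, len(cipher), n):
        block = cipher[b:b + n]
        out.extend(block[inverse[i]] for i in range(n))
    return "".join(out)
```

Because a transposition only moves letters around, the single-letter frequency counts of the ciphertext are exactly those of the plaintext, which is why the text says these ciphers are broken by anagramming.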
These ciphers are broken by anagramming with the help of frequency distribution tables for digrams and trigrams. The unicity distance for a fixed period cipher is
$$U = \frac{H(K)}{D} = \frac{\log_2 n!}{D} \approx 0.3\, n \log_2\left(\frac{n}{e}\right)$$
taking D = 3.2 for English.
Substitution ciphers are further subdivided into 4 classes:
1 Simple substitution cipher
2 Polyalphabetic substitution cipher
3 Homophonic substitution cipher
4 Polygram substitution cipher
In the simple substitution cipher, the plaintext alphabet is mapped on to a cipher text alphabet. Each character of the plaintext message is thus replaced by a cipher text character. Example: the shifted alphabet cipher, C = f(M) = (M + K) mod 26 (for English).
The earliest cryptosystem (the Caesar cipher) is this, with K = 3. To decode, M = (C − K) mod 26. The transform can be more complex: f(M) = M K mod 26, or (M K1 + K2) mod 26 (K ≠ 13) (affine transform).
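The shift and affine transforms above, as an added example that is not code from the notes. The only assumption beyond the text is that a multiplicative key must have an inverse mod 26 (gcd(K1, 26) = 1), which is what excludes 13 and the even values.

```python
# Added example, not from the lecture: shift (Caesar) and affine substitution
# over the 26-letter English alphabet.
#   C = (M + K) mod 26,  M = (C - K) mod 26
#   C = (K1*M + K2) mod 26, invertible only when gcd(K1, 26) == 1
from math import gcd

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def _map_letters(text, fn):
    """Apply fn to each letter's index 0..25; other characters pass through."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[fn(ALPHABET.index(ch)) % 26])
        else:
            out.append(ch)
    return "".join(out)


def caesar_encrypt(message, k):
    return _map_letters(message, lambda m: m + k)


def caesar_decrypt(cipher, k):
    return _map_letters(cipher, lambda c: c - k)


def affine_key_valid(k1):
    """K1 needs an inverse mod 26: odd and not 13 (26 = 2 * 13)."""
    return gcd(k1, 26) == 1


def affine_encrypt(message, k1, k2):
    if not affine_key_valid(k1):
        raise ValueError("k1 must be coprime to 26 (odd and not 13)")
    return _map_letters(message, lambda m: k1 * m + k2)


def affine_decrypt(cipher, k1, k2):
    if not affine_key_valid(k1):
        raise ValueError("k1 must be coprime to 26 (odd and not 13)")
    inv = pow(k1, -1, 26)          # modular inverse of k1 (Python 3.8+)
    return _map_letters(cipher, lambda c: inv * (c - k2))


def usable_affine_keys():
    """Size of the affine key space: 12 usable K1 values times 26 K2 values."""
    return sum(1 for k1 in range(26) if affine_key_valid(k1)) * 26
```

The key space is tiny (26 shifts, 312 affine keys), which is one reason simple substitution is easy to break even before letter frequencies are considered.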
Since the simple substitution ciphers retain the original single letter frequency distribution (though rearranged), they are easy to break. In order to change the frequency distribution (to make it more uniform) we resort to polyalphabetic substitution ciphers. In these the mapping from plaintext alphabet to cipher text alphabet is changed from character to character in the message.
The first such cipher was developed by L. Battista Alberti, who devised a cipher disc consisting of two concentric circular discs which could be rotated relative to each other. Each disc was divided into n (24) sectors, with the plaintext alphabet in the outer ring and the cipher text alphabet in the inner ring.
Figure: Alberti cipher disc (plaintext letters on the outer ring, cipher letters on the inner ring).
This defines a mapping which can be changed by rotating the discs, which is done after the encoding of every character. This gives a periodic substitution cipher of period n. (Most common polyalphabetic substitution ciphers are periodic.)
Figure: the cipher disc after rotation.
Other early polyalphabetic ciphers were the Vigenère cipher, based on a sequence of letters as a key, Ci = fi(Mi) = (Mi + Ki) mod 26; the Beaufort cipher, Ci = (Ki − Mi) mod 26, which is a self-inverting cipher; and the Variant Beaufort cipher, fi(Mi) = (Mi − Ki) mod 26, which is the decoder for the Vigenère cipher. If the period of these ciphers is n then the unicity distance is
$$U = \frac{H(K)}{D} = \frac{n \log_2 26}{3.2} = 1.5\,n$$
For the general periodic substitution cipher the unicity distance becomes U = 27.6 n.
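The three periodic ciphers and the unicity-distance estimate, as an added example (not code from the notes). It assumes D = 3.2 bits per letter for English, as the text does, and that the key word is reused cyclically.

```python
# Added example, not from the lecture: Vigenère, Beaufort and Variant Beaufort,
# plus the unicity distance U = H(K)/D with D = 3.2 bits/letter for English.
from math import factorial, log2

A = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def _letters(text):
    return [A.index(c) for c in text.upper() if c in A]


def _combine(text, key, op):
    """Apply op(m_i, k_i) letter by letter; the key word repeats with its period."""
    k = _letters(key)
    return "".join(A[op(m, k[i % len(k)]) % 26] for i, m in enumerate(_letters(text)))


def vigenere_encrypt(message, key):
    """C_i = (M_i + K_i) mod 26"""
    return _combine(message, key, lambda m, k: m + k)


def variant_beaufort(text, key):
    """C_i = (M_i - K_i) mod 26: this is exactly Vigenère decryption."""
    return _combine(text, key, lambda m, k: m - k)


def beaufort(text, key):
    """C_i = (K_i - M_i) mod 26: applying it twice gives the message back."""
    return _combine(text, key, lambda m, k: k - m)


def unicity_distance(period, general=False, D=3.2):
    """Ciphertext letters needed before the key is determined in principle.
    Vigenère-type key of period n: H(K) = n*log2(26)  (about 1.5n letters)
    General periodic substitution:  H(K) = n*log2(26!) (about 27.6n letters)"""
    per_position = log2(factorial(26)) if general else log2(26)
    return period * per_position / D
```

The unicity distance is an information-theoretic lower bound on the ciphertext a cryptanalyst needs, not a measure of how hard the work is; Vigenère needs only 1.5n letters in principle, and the Kasiski and index-of-coincidence methods later in the notes show how little work it takes in practice.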
It becomes obvious that increasing n will increase the unicity distance and perhaps the security. So we try to make the period infinite. Such schemes include:
(A) the autokey systems: the plaintext is encrypted by a key sequence which is a key word followed by the cipher text sequence, or a key sequence which is a keyword followed by the plain text itself;
(B) the running key, where the key sequence is a sample of another plain text;
(C) the Vernam cipher or one time pad. This was designed to code the binary representation of the alphanumeric characters of teletypewriters by modulo 2 addition with a bit key sequence. Thus Ci = (mi + ki) mod 2, and the same key sequence would decode the cipher text.
Using a different sequence for each plaintext message we get the so-called one time pad, which has perfect secrecy. The only problem is the generation, transmission and storage of these key sequences. Furthermore, if the key sequence is periodic, this cipher reduces to a running key cipher, which is easily broken (all additions mod 2):
$$C_i = m_i + k_i,\qquad C_{i+j} = m_{i+j} + k_i,\qquad C' = C_i + C_{i+j} = m_i + m_{i+j}$$
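The Vernam operation and the cancellation identity above, as an added example (not from the notes), on bytes rather than teletype bits. The sample message and the short key are constructed for the example.

```python
# Added example, not from the lecture: Vernam encryption C_i = m_i XOR k_i on
# bytes, the one-time-pad case (fresh random key as long as the message), and
# the identity from the text: with a key of period j, C_i XOR C_{i+j} equals
# m_i XOR m_{i+j}, so the key drops out and only plaintext structure remains.
import secrets


def vernam(data: bytes, key: bytes) -> bytes:
    """XOR byte by byte; the key is cycled if it is shorter than the data."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def one_time_pad(data: bytes):
    """A fresh random key as long as the message; returns (key, ciphertext)."""
    key = secrets.token_bytes(len(data))
    return key, vernam(data, key)


def key_cancellation(cipher: bytes, j: int) -> bytes:
    """C_i XOR C_{i+j} for every i.  Independent of the key whenever the key
    repeats with period j: the result is m_i XOR m_{i+j}."""
    return bytes(cipher[i] ^ cipher[i + j] for i in range(len(cipher) - j))
```

The practical lesson for key management is the one the text draws: the pad is only "one time" if the key stream is as long as all the traffic it protects and is never reused, which is why real systems move the problem to a cryptographically safe key generator rather than a repeating pattern.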
During World War II, the polyalphabetic substitution ciphers were mechanized by rotor and Hagelin machines. The rotor machine has a bank of rotors, which are discs with electrical contacts on either side and a randomized connection between them. Each rotor implements a mapping f(m). Further, if the rotor is rotated to a new position its mapping becomes g(m) = (f((m + k) mod 26) − k) mod 26. The overall mapping of the machine thus becomes g1(m), g2(m), … gk(m). The machine works like an odometer, with one rotor moving one step with each character, and each successive rotor moving one step when the previous rotor completes 26 steps. Thus the key has a period of 26^K. It might seem that with these polyalphabetic ciphers we have reached the ultimate in security, but this is really not so.
Figure: rotors with randomized connections between the contacts on either side.
The problem with the Vernam cipher is that most random sequences generated for keys are only pseudo-random, and care has to be taken to ensure that they are cryptographically safe. Though the rotor machines have a long period, there are internal structures in the system which can be exploited for cryptanalysis. To break running key ciphers, assume that each character of the cipher text was generated by a message text / key pair, both of which are common in the language; some of the cipher characters actually come from such pairs, and guessing these helps in the decoding. For polyalphabetic ciphers with short periods it is best to first find the period, K, and then divide the message into K groups, each corresponding to one mapping, and break the key for each group, treated as a simple substitution cipher.
If the cipher text contains two or more occurrences of any reasonably long cipher text pattern (say 4 or more characters long), then each repetition is likely to be at a distance equal to a multiple of the key period. This idea was first used by Kasiski to determine the period. If we plot the relative frequencies of a large block of cipher text which has been obtained by a simple substitution cipher, we will get a jagged graph whose values are the relative frequencies of the plaintext, but rearranged. If the cipher text has been got by two keys, the graph will be the average of the two graphs and so be more nearly uniform. As the number of keys increases the graph becomes more and more uniform. We can define the measure of roughness, which depends on the variance of the cipher text frequencies:
$$MR = \sum_{i=0}^{25}\left(p_i - \frac{1}{n}\right)^2 = \sum_{i=0}^{25} p_i^2 - 0.038 \qquad [\,n = 26 \text{ for English}\,]$$
Estimates of MR are known for the different numbers of keys, ranging from 0.028 for a single key to 0 for an infinity of keys. We cannot measure the MR directly, but we can measure Σ p_i², which we will call the index of coincidence.
The period of a polyalphabetic cipher can be determined from the Index of Coincidence, which was introduced by Friedman. For a block of N characters,
$$\sum_i p_i^2 \approx \sum_i \frac{n_i (n_i - 1)}{N (N - 1)}$$
where n_i is the number of times the i-th character appears, and so
$$IC = \frac{\sum_i n_i (n_i - 1)}{N (N - 1)} \approx 0.066\,\frac{1}{K}\,\frac{N - K}{N - 1} + 0.038\,\frac{K - 1}{K}\,\frac{N}{N - 1}$$
where K is the number of keys (the period).
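The Kasiski and index-of-coincidence calculations from the two passages above, as an added example that is not code from the notes. The plaintext and the key LEMON are constructed for the example (the small vigenere helper exists only to build the sample ciphertext); the constants 0.066 and 0.038 are the English and random-text values used in the text.

```python
# Added example, not from the lecture: Kasiski repeat spacings, the index of
# coincidence IC = sum n_i(n_i-1) / N(N-1), the measure of roughness
# MR = sum p_i^2 - 1/26, and the expected IC for K keys from the slide.
from collections import Counter
from functools import reduce
from math import gcd

A = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def vigenere(text, key):
    """Used only to construct the sample ciphertext."""
    t = [A.index(c) for c in text.upper() if c in A]
    k = [A.index(c) for c in key.upper()]
    return "".join(A[(m + k[i % len(k)]) % 26] for i, m in enumerate(t))


def _counts(text):
    counts = Counter(c for c in text.upper() if c in A)
    return counts, sum(counts.values())


def index_of_coincidence(text):
    counts, N = _counts(text)
    return sum(n * (n - 1) for n in counts.values()) / (N * (N - 1))


def measure_of_roughness(text):
    counts, N = _counts(text)
    return sum((n / N) ** 2 for n in counts.values()) - 1 / 26


def expected_ic(N, K, kappa_plain=0.066, kappa_random=0.038):
    """Slide formula: IC for N letters enciphered under K different keys."""
    return (kappa_plain * (N - K) / (K * (N - 1))
            + kappa_random * (K - 1) * N / (K * (N - 1)))


def kasiski_spacings(cipher, length=4):
    """Distances from each repeated n-gram back to its first occurrence."""
    first, spacings = {}, []
    for i in range(len(cipher) - length + 1):
        gram = cipher[i:i + length]
        if gram in first:
            spacings.append(i - first[gram])
        else:
            first[gram] = i
    return spacings


def kasiski_period(cipher, length=4):
    """The period divides every spacing, so their gcd is the estimate."""
    spacings = kasiski_spacings(cipher, length)
    return reduce(gcd, spacings) if spacings else None


def column_ic(cipher, period):
    """Average IC of the K columns; each column is a simple substitution when
    K is the true period, so the average comes out near the plaintext value."""
    letters = [c for c in cipher.upper() if c in A]
    cols = ["".join(letters[i::period]) for i in range(period)]
    return sum(index_of_coincidence(col) for col in cols) / period
```

The column IC is invariant under a shift of the alphabet, which is what makes the "divide into K groups" step in the text work: once the period is right, each group has the plaintext's IC no matter which key letter produced it.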
The polyalphabetic ciphers conceal the frequency distribution by using different mappings for the different keys, and so the legitimate receiver needs to synchronize with the transmitter. In the homophonic substitution cipher this problem is not there, since the mapping remains the same for all the plaintext characters, but the mapping is one to many, as for example:
Plain text | Cipher text
A | 14, 23, 56, 84
B | 31, 37
C | 17, 19, 80
D | 07, 32, 66, 97
E | 09, 11, 25, 70, 86
...
Another polygram substitution cipher is the Hill cipher, which maps n plaintext characters to n cipher text characters using a linear transform:
$$[C] = [K][M] \bmod 26$$
Deciphering is got by
$$[M] = [K]^{-1}[C] \bmod 26$$
where
$$[K][K]^{-1} = I \pmod{26}$$
The strength of n-gram ciphers is that they work on n-grams, whose relative frequencies are not that well known (compared with single letter frequencies) and in any case have a greater variation.
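The Hill transform and its inverse, as an added example (not the notes' code). It computes [K]^{-1} mod 26 from the adjugate so any block size works; the key matrices used in the test are constructed, and padding with X is an assumption of the example.

```python
# Added example, not from the lecture: Hill cipher, C = K M mod 26 and
# M = K^{-1} C mod 26.  The inverse exists only when gcd(det K, 26) == 1.
from math import gcd

A = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def det(m):
    """Integer determinant by cofactor expansion along the first row."""
    if len(m) == 1:
        return m[0][0]
    total = 0
    for j in range(len(m)):
        minor = [row[:j] + row[j + 1:] for row in m[1:]]
        total += (-1) ** j * m[0][j] * det(minor)
    return total


def hill_key_valid(k):
    return len(k) >= 2 and gcd(det(k) % 26, 26) == 1


def inverse_mod26(k):
    """K^{-1} = det(K)^{-1} * adj(K) mod 26, entry by entry."""
    if not hill_key_valid(k):
        raise ValueError("key matrix is not invertible mod 26")
    n = len(k)
    d_inv = pow(det(k) % 26, -1, 26)
    adj = [[0] * n for _ in range(n)]
    for i in range(n):
        for j in range(n):
            minor = [row[:j] + row[j + 1:] for r, row in enumerate(k) if r != i]
            adj[j][i] = (-1) ** (i + j) * det(minor)   # transposed cofactor
    return [[(d_inv * adj[i][j]) % 26 for j in range(n)] for i in range(n)]


def _apply(k, text):
    """Multiply every n-letter block by k (letters as 0..25, padded with X)."""
    n = len(k)
    nums = [A.index(c) for c in text.upper() if c in A]
    while len(nums) % n:
        nums.append(A.index("X"))
    out = []
    for b in range(0, len(nums), n):
        block = nums[b:b + n]
        out.extend(sum(k[i][j] * block[j] for j in range(n)) % 26 for i in range(n))
    return "".join(A[x] for x in out)


def hill_encrypt(text, k):
    return _apply(k, text)


def hill_decrypt(cipher, k):
    return _apply(inverse_mod26(k), cipher)
```

Because the transform is linear, n known plaintext/ciphertext blocks whose plaintext matrix is invertible determine K completely; the n-gram statistics the text mentions protect only against ciphertext-only analysis.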
MODERN SYSTEMS
One of the most commonly used cryptosystems is the Data Encryption Standard, which was developed by IBM, based on its earlier Lucifer cipher, and adopted by the National Bureau of Standards in 1977. It works on data blocks of 64 bits and uses a 56 bit key. Like most modern secret key systems it has a structure which can be called the Feistel system, after the leader of the team that developed it. Before we look at the DES, let us look at the Feistel concept.
Consider an encryption scheme encrypting n bits of data at a time. Treat it like a simple substitution cipher and we have a block diagram like this:
Figure: n-bit data → 2^n to n coder → n-bit output.
What should n be? If it is too small, it would be too easy to break, and if too large, the mapping would be too big to store and use conveniently. A compromise would be to use a large n but restrict the mappings to a subset which can be easily made rule based (but not linear!). This makes it easier to break, but by defining the encryption as the product of several encryptions (i.e. the successive application of several encryptions), we obtain a cipher which is stronger than the sum of the individual ciphers used.
The Feistel scheme thus takes an n-bit block of data and passes it through k units of a basic encryption block. Since the encryption will often be done by using the same basic block again and again, we may refer to it as a round. Each basic block consists of two mappings, a substitution and a permutation, so the system becomes:
S P S P … S P
The Feistel algorithm divides the data into two equal halves, called L0 and R0, which are passed through the basic blocks and subsequently combined to produce the output. In each basic block a substitution is carried out on the left half of the data. This substitution is done by modulo 2 addition of the data and the output of a nonlinear function whose input is a combination of the right half of the data and a sub-key generated from the key. After this is done, a transposition is carried out by interchanging the two halves:
$$L_i = R_{i-1},\qquad R_i = L_{i-1} \oplus f(R_{i-1}, K_i)$$
A point to note: the permutation is not carried out in the last building block, to enable the same device to decode as well as encode.
To observe how this happens, note that at stage i the two inputs to the modulo 2 adder are:
In the encoder :
In the decoder :
So each decoder basic block simply undoes what the building block did in the encoder. The exact structure that is used will depend on:
- Data block size, n (large n: more security, less speed)
- Key size
- Number of rounds
- The nonlinear function
- The subkey generator
Figure: DES data path. Data → IP → (L0, R0); round i: Li = Ri−1, Ri = Li−1 ⊕ f(Ri−1, Ki), i = 1 … 16 (L1 = R0, R1 = L0 ⊕ f(R0, K1); L2 = R1, R2 = L1 ⊕ f(R1, K2); … ; L16 = R15) → IP⁻¹ → Output.
Figure: DES key schedule. Key → PC-1 → (C0, D0); Ci = LSi(Ci−1), Di = LSi(Di−1); Ki = PC-2(Ci, Di), i = 1 … 16.
DES operates in one of four modes:
- Electronic code book mode
- Cipher block chaining mode
- Cipher feedback mode
- Output feedback mode
Triple DES
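The Feistel round structure described above (including the missing final swap and decryption by the same routine with the subkeys reversed) and the first two modes of operation, as one added example. This is not DES and not code from the notes: the round function f, the key schedule and the 8-round count are constructed for illustration, and the sample plaintext is chosen to contain two identical blocks.

```python
# Added example, not from the lecture and NOT DES: a toy Feistel cipher on
# 8-byte blocks.  Round i: L_i = R_{i-1}, R_i = L_{i-1} XOR f(R_{i-1}, K_i);
# no swap after the last round; decryption = same loop with reversed subkeys.
# The same block cipher is then run in ECB and CBC mode.
import struct

MASK32 = 0xFFFFFFFF


def rotl32(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def f(r, k):
    """Constructed nonlinear round function (not the DES f)."""
    x = (r + k) & MASK32
    x ^= rotl32(x, 7)
    x = (x * 0x9E3779B1) & MASK32
    return x ^ rotl32(x, 13)


def subkeys(key: bytes, rounds=8):
    """Constructed key schedule: one 32-bit subkey per round from an 8-byte key."""
    k = int.from_bytes(key, "big")
    return [((k >> (i * 8)) ^ (k * (i + 1))) & MASK32 for i in range(rounds)]


def feistel(block: bytes, ks) -> bytes:
    """Encrypt with ks in order, decrypt with ks reversed (same code path)."""
    L, R = struct.unpack(">II", block)
    for k in ks:
        L, R = R, L ^ f(R, k)          # substitute on the left half, then swap
    return struct.pack(">II", R, L)    # undo the swap of the last round


def _blocks(data):
    if len(data) % 8:
        raise ValueError("data must be a multiple of 8 bytes")
    return [data[i:i + 8] for i in range(0, len(data), 8)]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def ecb_encrypt(data, key):
    ks = subkeys(key)
    return b"".join(feistel(b, ks) for b in _blocks(data))


def ecb_decrypt(data, key):
    ks = subkeys(key)[::-1]
    return b"".join(feistel(b, ks) for b in _blocks(data))


def cbc_encrypt(data, key, iv):
    """Each block is XORed with the previous ciphertext block before encryption."""
    ks, prev, out = subkeys(key), iv, []
    for b in _blocks(data):
        prev = feistel(_xor(b, prev), ks)
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(data, key, iv):
    ks, prev, out = subkeys(key)[::-1], iv, []
    for c in _blocks(data):
        out.append(_xor(feistel(c, ks), prev))
        prev = c
    return b"".join(out)
```

In ECB mode, equal plaintext blocks give equal ciphertext blocks, so patterns in the data survive encryption; CBC hides them because every block's input depends on the previous ciphertext, which is why the chaining modes exist.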
64 bit word (input), 128 bit key; basic unit 16 bits; 17 rounds: odd rounds use 4 keys, even rounds 2 keys.
Operations: bit-wise exclusive or; + mod 2^16; ⊙ mod 2^16 + 1, with the all-zero word standing for 2^16.
Key expansion: 16 bits at a time; offset 25 after 8.
Odd round: X'a = Xa ⊙ ka; X'b = Xc + kc; X'c = Xb + kb; X'd = Xd ⊙ kd.
Even round: Yin = Xa ⊕ Xb; Zin = Xc ⊕ Xd; Yout = ((ke ⊙ Yin) + Zin) ⊙ kf; Zout = (ke ⊙ Yin) + Yout; X'a,b = Xa,b ⊕ Yout; X'c,d = Xc,d ⊕ Zout.
Figure: Odd round data flow (Xa ⊙ Ka, Xb + Kb, Xc + Kc, Xd ⊙ Kd, with the b and c outputs exchanged).
Figure: Even round data flow (Yin, Zin → Ke, Kf → Yout, Zout, XORed back into Xa, Xb and Xc, Xd).
Blowfish
Figure: 16-round Feistel structure: plaintext halves XORed with P1 … P16 through the round function F, final XOR with P17 and P18 → ciphertext.
Figure: F block (four S-box lookups combined with additions and XOR).
The four S-boxes contain 32 entries each: S1,0 S1,1 … S1,255; S2,0 S2,1 … S2,255; …
Initialize the P and S boxes using the bits representing the fractional part of
Bit-wise XOR the P and K arrays (reusing K words if necessary).
Encrypt the all-zeros word using P, S and put the result as P1, P2; repeat till all P, S words are replaced, to get the final P, S words (with 521 executions of Blowfish).
- S boxes are key dependent.
- Both sub-keys and S boxes are got by using Blowfish operations on each half.
- Fast to execute.
- Brute force attack more difficult since sub-key generation is slow.
- Large avalanche effect.
- Each bit of F is applied to only one S box (contrast DES).
RC5
- Suitable for hardware / software
- Fast
- Different word lengths, w = 16, 32, 64
- Variable number of rounds, r = 0, 1 … 255
- Variable key length, b = 0, 1 … 255 8-bit bytes
Figure: RC5 round structure: S(0) and S(1) added to the two halves, then per round a data-dependent rotation (<<<) and addition of S(2r) and S(2r + 1).
Figure: expanded key table S(0) … S(t − 1), t = 2r + 2.
In a public key system, the key at the receiver is different from the key at the transmitter. The designer of the system, having some hidden knowledge of the structure of the transmitting key, can calculate the receiving key, but others cannot. A standard public key algorithm is the RSA. In this algorithm
$$C = M^e \bmod n,\quad n = p \cdot q,\qquad M = C^d \bmod n,\qquad e\,d = 1 \bmod \phi(n)$$
The simplest public key signature scheme is based on the RSA cipher.
A, with private key dA and public key (eA, nA), can communicate with B, having the corresponding private key dB and public key (eB, nB):
Maintaining secrecy: C = M^{eB} mod nB
With a digital signature: M^{dA} mod nA
or both, by using the two operations one after the other, carrying out the operation with the smaller n first. For signature verification (nA < nB): A sends, B calculates, gives to judge, checks.
(p − 1) = 2 p′ with p′ prime (p a strong prime); gcd(p − 1, q − 1) small.
Public key signatures are related to public key encryption algorithms. The basic idea is that we transform a given message into an apparently meaningless set of symbols, E_k(M) = C, using a transform E which is well known and a key k, which involves the hidden component. From C we can get back
$$M = D_{k'}(C)$$
If k′ is easily computed from k we have a secret key system, else a public key system. If k is known to everybody, we get a secrecy system: anyone can send E_k(M) = C; only the system owner can read C by
$$D_{k'}(C) = M$$
If k′ is known to everybody, we get an authentication (signature) system: only the system owner can send E_k(M) = C; anyone can verify by
$$D_{k'}(C) = M$$
#1 block formats:
Encryption: 00 02 | 8 or more nonzero random bytes | 00 | data
Signing: 00 01 | 8 or more FF bytes | 00 | digest type + digest
RSA public exponent e = 3 or 65537 (= 2^16 + 1)
Multiplex random 768
What should be signed ? Not the message but a message digest. Why ?
- Public key procedures are computationally expensive
- Enables widely different signatures for nearly identical messages
- Prevents partial replays
What is a message digest (hash) ? A one way function of a variable length message into a fixed length digest.
Properties of digests:
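RSA as defined above, with the digest (not the message) being signed and with secrecy and signature combined "smaller n first", as an added example that is not code from the notes. The primes are small constructed values so the numbers stay readable; the digest is reduced mod n purely so it fits the toy modulus, and the public exponent 65537 is the value the notes list.

```python
# Added example, not from the lecture: toy RSA.  C = M^e mod n, M = C^d mod n,
# e*d = 1 mod phi(n), n = p*q.  Signing works on a hash of the message, and
# sign-then-encrypt uses the modulus order (smaller n first) from the notes.
import hashlib
from math import gcd


def rsa_keygen(p, q, e=65537):
    """Returns (public, private) from two given primes (constructed, toy size)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)              # e*d = 1 mod phi(n)
    return (e, n), (d, n)


def rsa_apply(x, key):
    """x^e mod n with a public key, x^d mod n with a private key."""
    exp, n = key
    if not 0 <= x < n:
        raise ValueError("value must lie in [0, n)")
    return pow(x, exp, n)


def digest_mod(message: bytes, n: int) -> int:
    """SHA-256 digest reduced into [0, n): a simplification for the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message, private):
    return rsa_apply(digest_mod(message, private[1]), private)


def verify(message, signature, public):
    return rsa_apply(signature, public) == digest_mod(message, public[1])


def sign_then_encrypt(m, private_a, public_b):
    """A signs with d_A, then encrypts for B with e_B.  Needs n_A < n_B so the
    signed value is still smaller than B's modulus (the rule from the notes)."""
    if private_a[1] >= public_b[1]:
        raise ValueError("apply the operation with the smaller n first (n_A < n_B)")
    return rsa_apply(rsa_apply(m, private_a), public_b)


def decrypt_then_verify(c, private_b, public_a):
    """B decrypts with d_B, then recovers M with A's public e_A."""
    return rsa_apply(rsa_apply(c, private_b), public_a)
```

Signing the digest is what makes a signature of fixed cost independent of message length and prevents a signed block from being lifted out of one message and replayed in another, the two reasons the text gives.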
Figure: Signing: Message → Digest → Signing algorithm (private key) → Signature. Verification: Message → Digest; Signature → (public key) → Digest; compare → accept / reject.
The El Gamal algorithm is an extension of the Diffie-Hellman secret sharing system. The Diffie-Hellman algorithm:
A chooses S_A and calculates T_A = g^{S_A} mod p; B chooses S_B and computes T_B = g^{S_B} mod p.
$$T_B^{S_A} \bmod p = k = T_A^{S_B} \bmod p$$
El Gamal algorithm: each user has
(1) a long term public / private key pair: public (g, p, T), secret S, with g^S mod p = T;
(2) a per message public / private key pair S_m and T_m = g^{S_m} mod p;
(3) d_m = digest of m | T_m.
The signer sends m, X, T_m.
Verify:
$$g^X = T_m\, T^{d_m} \bmod p$$
since
$$g^X = g^{S_m + d_m S} = g^{S_m}\, g^{d_m S} = T_m\, T^{d_m} \bmod p$$
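Diffie-Hellman and the per-message signature scheme written above, as an added example (not code from the notes). It assumes X = S_m + d_m S is reduced mod (p − 1), that the digest is SHA-256 of m || T_m reduced mod (p − 1), and it uses the Mersenne prime 2^127 − 1 with g = 3 as a constructed toy group, not a standardized one.

```python
# Added example, not from the lecture: Diffie-Hellman key agreement and the
# slide's signature: T_m = g^{S_m}, d_m = digest(m || T_m), X = S_m + d_m*S,
# verified by g^X == T_m * T^{d_m} (mod p).  Toy group: p = 2^127 - 1, g = 3.
import hashlib
import secrets

P = 2 ** 127 - 1        # a prime (Mersenne); chosen for the example only
G = 3


def dh_keypair():
    """Secret S in [1, p-2], public T = g^S mod p."""
    s = secrets.randbelow(P - 2) + 1
    return s, pow(G, s, P)


def dh_shared(my_secret, their_public):
    """k = T_other^S mod p; both sides compute the same value."""
    return pow(their_public, my_secret, P)


def _digest(message: bytes, Tm: int) -> int:
    """d_m = digest of m | T_m, reduced mod (p-1) so it can sit in an exponent."""
    tm_bytes = Tm.to_bytes((P.bit_length() + 7) // 8, "big")
    h = hashlib.sha256(message + tm_bytes).digest()
    return int.from_bytes(h, "big") % (P - 1)


def sign(message: bytes, S: int):
    """Per-message pair (S_m, T_m); returns (T_m, X) with X = S_m + d_m*S mod (p-1)."""
    Sm = secrets.randbelow(P - 2) + 1
    Tm = pow(G, Sm, P)
    dm = _digest(message, Tm)
    X = (Sm + dm * S) % (P - 1)
    return Tm, X


def verify(message: bytes, T: int, signature) -> bool:
    """g^X == T_m * T^{d_m} mod p, exactly the identity derived in the notes."""
    Tm, X = signature
    if not (1 < Tm < P):
        return False
    dm = _digest(message, Tm)
    return pow(G, X, P) == (Tm * pow(T, dm, P)) % P
```

Each signature needs a fresh S_m: because X = S_m + d_m S is linear in S, two signatures that share S_m would let anyone solve for the long-term secret, the same per-message-secret requirement the DSS slide later lists.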
The Digital Signature Standard (DSS) of NIST is based on the Digital Signature Algorithm, a modification of the El Gamal signature. The DSA parameters:
Public parameters common to a group:
- prime modulus p with 2^{L−1} < p < 2^L, 512 ≤ L ≤ 1024, L a multiple of 64
- q, a prime divisor of p − 1, 2^{159} < q < 2^{160}
- g = h^{(p−1)/q} mod p, 1 < h < p − 1, with h^{(p−1)/q} mod p > 1 [requirement: g^q = 1 mod p]
Private and public parameters of users:
- x, a random integer 0 < x < q
- y = g^x mod p
Private parameter for each signature:
- k, a random integer 0 < k < q
Signature Generation: S(M) = (r, s) with
r = (g^k mod p) mod q
s = (k^{−1} (SHA(M) + x r)) mod q    (r ≠ 0, s ≠ 0; 160 bits each)
Transmit M, (r, s).
Signature Verification: test 0 < r < q, 0 < s < q; compute
w = s^{−1} mod q
v1 = (SHA(M) w) mod q
v2 = (r w) mod q
v = ((g^{v1} y^{v2}) mod p) mod q
check: v = r
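DSA generation and verification exactly as listed above, as an added example that is not code from the notes. The parameter search is a toy: it picks the smallest prime p = k q + 1 for a given q and does not enforce the 512 to 1024-bit sizes of the standard; the digest is SHA-1 (the hash the notes name) reduced mod q.

```python
# Added example, not from the lecture: DSA with toy-sized parameters.
# r = (g^k mod p) mod q, s = k^{-1}(SHA(M) + x r) mod q;
# verify with w = s^{-1}, v1 = SHA(M) w, v2 = r w, v = (g^v1 y^v2 mod p) mod q == r.
import hashlib
import secrets


def _is_prime(n):
    """Trial division; adequate for the toy sizes used in this example."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def generate_params(q, h=2):
    """Smallest prime p = k*q + 1 (k even) and g = h^((p-1)/q) mod p > 1,
    so that g^q = 1 mod p.  Bit-length rules of the standard are not enforced."""
    k = 2
    while True:
        p = k * q + 1
        if _is_prime(p):
            g = pow(h, (p - 1) // q, p)
            if g > 1:
                return p, g
        k += 2


def keygen(p, q, g):
    x = secrets.randbelow(q - 1) + 1        # 0 < x < q
    return x, pow(g, x, p)                  # private x, public y


def _sha(message, q):
    """SHA-1 of the message, reduced mod q for the toy q (the standard takes
    the leftmost bits instead)."""
    return int.from_bytes(hashlib.sha1(message).digest(), "big") % q


def sign(message, p, q, g, x):
    while True:
        k = secrets.randbelow(q - 1) + 1    # fresh per-message secret, 0 < k < q
        r = pow(g, k, p) % q
        if r == 0:
            continue
        s = pow(k, -1, q) * (_sha(message, q) + x * r) % q
        if s != 0:
            return r, s


def verify(message, p, q, g, y, signature):
    r, s = signature
    if not (0 < r < q and 0 < s < q):       # the range test comes first
        return False
    w = pow(s, -1, q)
    v1 = _sha(message, q) * w % q
    v2 = r * w % q
    v = pow(g, v1, p) * pow(y, v2, p) % p % q
    return v == r
```

The range test on r and s is not cosmetic: a verifier that accepts r = 0 or s = 0 would accept values that carry no information about the key, which is why the notes insist on 0 < r < q, 0 < s < q.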
Elliptic Curve DSA: just like DSA, but based on elliptic curves. The mathematics is just like that of DSA for the same key size. Addition of 2 points:
1. If P is at infinity (0): −P = 0, P + 0 = P.
2. If P = (x, y): −P = (x, −y).
3. If P, Q have different x: the line l = PQ intersects the curve at R (l tangent at P if R = P); P + Q = −R.
4. If Q = −P: P + Q = 0.
5. If P = Q: l is the tangent at P, R the intersection of l with the curve, P + Q = −R; if double tangency at P, R = P.
ECDH and
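The five addition rules above in code, as an added example that is not from the notes, followed by the scalar multiplication that ECDH and ECDSA are built on. The curve y² = x³ + 2x + 2 over F_17 with base point (5, 1) is a constructed toy (its group has 19 points), chosen so that every case can be checked by hand.

```python
# Added example, not from the lecture: point addition on y^2 = x^3 + a x + b
# over F_p following the five rules in the notes, plus double-and-add scalar
# multiplication and a Diffie-Hellman exchange on the curve.  The point at
# infinity (the "0" of the notes) is represented by None.
P, A_, B_ = 17, 2, 2            # toy curve y^2 = x^3 + 2x + 2 mod 17
G = (5, 1)                      # base point; 19*G is the point at infinity


def on_curve(pt):
    if pt is None:
        return True
    x, y = pt
    return (y * y - x ** 3 - A_ * x - B_) % P == 0


def neg(pt):
    """Rule 2: -(x, y) = (x, -y); rule 1: -0 = 0."""
    return None if pt is None else (pt[0], (-pt[1]) % P)


def add(pt1, pt2):
    if pt1 is None:                          # rule 1: P + 0 = P
        return pt2
    if pt2 is None:
        return pt1
    x1, y1 = pt1
    x2, y2 = pt2
    if x1 == x2 and (y1 + y2) % P == 0:      # rule 4: Q = -P, so P + Q = 0
        return None
    if pt1 == pt2:                           # rule 5: tangent at P
        lam = (3 * x1 * x1 + A_) * pow(2 * y1, -1, P) % P
    else:                                    # rule 3: chord through P and Q
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P           # third intersection R = (x3, -y3)
    y3 = (lam * (x1 - x3) - y1) % P          # P + Q = -R
    return (x3, y3)


def mul(k, pt):
    """k*P by double-and-add."""
    result, addend = None, pt
    while k:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result


def ecdh(secret_a, secret_b):
    """Both parties derive the same point secret_a * secret_b * G."""
    Ta, Tb = mul(secret_a, G), mul(secret_b, G)
    return mul(secret_a, Tb), mul(secret_b, Ta)
```

Real deployments use curves whose group order is a prime of 256 bits or more; on this 19-point curve every secret can be found by counting, which is exactly what the key-size comparison later in the notes is about.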
Comparison of the systems. Strength:
- RSA: factorization problem
- DSA, El Gamal: discrete logarithm problem
- ECDSA: discrete logarithm in elliptic curve computation
RSA 13 1
DSA 17 33
ECC 7 4
Transmission size: DSA, ECDSA 340 bits; RSA, key size 1024 bits.
Security (ECC):
Key size | MIPS years
150 | 3.8 × 10^10
205 | 7.1 × 10^18
234 | 1.6 × 10^28
Security (RSA):
Key size | MIPS years
572 | 3 × 10^9
768 | 3 × 10^8
1024 | 3 × 10^11
2048 | 3 × 10^10
Why DSA ?
- May have hidden flaws
- DSS key of 512 better than RSA 512 (n = p·q)
- Computation of (p, q, g) expensive
- So many users, advantage for attacker
- Trapdoor primes
- DSS requires a secret number for each message
- patents
In El Gamal all operations are mod p (p ≈ 512 bits). DSS works mod p (512 bits) and mod q (160 bits), so it is faster, but it needs an inverse computed by both signer and verifier instead of only the signer. However, the inverse can be precalculated by the signer.
Attacks:
- factorization / other mathematical methods
- training
- timing
- brute force
- the multiplicative property: M1, M2 → M1·M2 (e.g. M1/M2, (M1)^j)
- m^d rounded off to r
MD-2: an arbitrary number of bytes, padded on the right by r bytes (1 ≤ r ≤ 16) of value r to make a multiple of 16; a check sum is calculated and appended to the end; final pass: the message is processed in 16 byte blocks to produce the intermediate digest.
MD-5: works on 16 32-bit words X and gives a digest of 128 bits. Padding; uses the operations ¬x (not), x ∧ y (and), x ∨ y (or), x ⊕ y (exclusive or), x + y (add mod 2^32) and floor.
SHA-1: message up to 2^64 bits; output 160 bits; padding as in MD5; the operations used are the same as in MD5. Digest buffer of 5 words; 16 word message blocks. Initialize the buffer as A = 67452301, B = EFCDAB98, C = 98BADCFE, D = 10325476, E = C3D2E1F0.
For t = 0 to 79:
$$A \leftarrow E + (A \lll 5) + W_t + k_t + f(t, B, C, D),\quad B \leftarrow \text{old } A,\quad C \leftarrow (\text{old } B) \lll 30,\quad D \leftarrow \text{old } C,\quad E \leftarrow \text{old } D$$
$$k_t = \lfloor 2^{30}\sqrt{2}\rfloor = \mathrm{5A827999},\ \lfloor 2^{30}\sqrt{3}\rfloor = \mathrm{6ED9EBA1},\ \lfloor 2^{30}\sqrt{5}\rfloor = \mathrm{8F1BBCDC},\ \lfloor 2^{30}\sqrt{10}\rfloor = \mathrm{CA62C1D6}$$
for t = 0–19, 20–39, 40–59 and 60–79 respectively, and
$$f(t, B, C, D) = (B \wedge C) \vee (\neg B \wedge D),\quad B \oplus C \oplus D,\quad (B \wedge C) \vee (B \wedge D) \vee (C \wedge D),\quad B \oplus C \oplus D$$
for the same four ranges of t.
Take b with 1 < b < w. For 1 ≤ j ≤ t, check if
(1) Z_t ≠ 1, or
(2) for some 1 ≤ j ≤ t, Z_j = 1 and Z_{j−1} ≠ ±1 (that is, ≠ 1 and ≠ n − 1).
If either (1) or (2) holds, w is not prime; otherwise, with probability 3/4, w is prime. Repeat with more b's (as many as required).
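The probabilistic primality test above in code, as an added example that is not from the notes. It assumes the standard definition the slide leaves implicit: write w − 1 = 2^t m with m odd and let Z_j = b^{2^j m} mod w, so that Z_t = b^{w−1} mod w. The test values 561 and 2047 are well-known composites chosen to show why several bases are needed.

```python
# Added example, not from the lecture: the witness test from the slide.
# For w - 1 = 2^t * m (m odd) and a base 1 < b < w, Z_j = b^(2^j m) mod w.
# w is composite if Z_t != 1, or if some Z_j == 1 with Z_{j-1} not in {1, w-1}.
import secrets


def _witness_passes(b, w, t, m):
    """True if base b gives no evidence that w is composite."""
    z = [pow(b, m, w)]                  # Z_0
    for _ in range(t):
        z.append(z[-1] * z[-1] % w)     # Z_j = Z_{j-1}^2
    if z[t] != 1:                       # condition (1)
        return False
    for j in range(1, t + 1):           # condition (2)
        if z[j] == 1 and z[j - 1] not in (1, w - 1):
            return False
    return True


def is_probable_prime(w, rounds=20, rng=secrets.randbelow):
    """Repeat the witness test with `rounds` random bases; each passing base
    leaves at most a 1/4 chance that a composite slipped through."""
    if w < 4:
        return w in (2, 3)
    if w % 2 == 0:
        return False
    t, m = 0, w - 1
    while m % 2 == 0:                   # factor out powers of two
        t += 1
        m //= 2
    for _ in range(rounds):
        b = 2 + rng(w - 3)              # 1 < b < w - 1
        if not _witness_passes(b, w, t, m):
            return False
    return True
```

A single base is not enough: 2047 = 23 × 89 passes with b = 2, and the Carmichael number 561 passes a Fermat test for every base coprime to it but is caught by this stronger check, which is why key-generation code always runs many rounds.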
Figure: triple-DES (EDE, keys k1, k2) random number generator: DT → EDE → ⊕ v_i → EDE → R_i; R_i ⊕ EDE(DT) → EDE → v_{i+1}.
1. Set master key: smk(KMO)
2. Encipher under master key: emk(K) = E_KMO(K)
3. Encipher: ecph(X, M) = E_K(M)
4. Decipher: dcph(X, C) = D_K(C)
5. Reencipher from master key: rfmk(W, X) = E_KMT(K)
6. Reencipher to master key: rtmk(W, X) = E_KMO(K)
Figure: ecph: X = E_KMO(K) → D_KMO → K → E_K → E_K(M). dcph: X = E_KMO(K) → D_KMO → K → D_K → D_K(C).
Figure: rfmk: W = E_KM1(KMT) → D_KM1 → KMT; X = E_KMO(K) → D_KMO → K → E_KMT → E_KMT(K). rtmk: W = E_KM2(KNF) → D_KM2 → KNF; X = E_KNF(K) → D_KNF → K → E_KMO → E_KMO(K).
Y_A = E_KM1A(KMTA); A: dmk, Z, K; likewise H_B.
There are several ways in which privacy can be retained in electronic communications. If A wishes to send an anonymous message to B, it uses a central system S to pass the message to B: C = E_S[B, E_B(M)]. S deciphers C using its private key and passes the message to B (after shuffling). If A wants a reply from B, it sends an untraceable return address: C = E_S(B, E_B(M, U, K)) with U = E_S(A). The return message C′ = E_S(U, E_K(M′)) is deciphered by S (twice) to obtain A, and the message E_K(M′) is passed on to A.
Another problem arises when it is required that, for the data to be obtained, t out of w users must be present. This is done by breaking the key K into w shadows and giving one to each user. The shadows are got from the random polynomial
$$h(X) = \sum_{i=0}^{t-1} a_i X^i \bmod p,\qquad K = h(0),\qquad K_j = h(X_j)$$
and from any t shadows the polynomial (and so K = h(0)) is recovered by
$$h(X) = \sum_{i=1}^{t} K_i \prod_{\substack{j=1 \\ j \neq i}}^{t} \frac{X - X_j}{X_i - X_j} \bmod p$$
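The threshold scheme above, as an added example that is not code from the notes: shadows from a random polynomial with a_0 = K, and recovery by the Lagrange formula evaluated at X = 0. The prime 2^61 − 1 and the shadow abscissae X_j = 1 … w are constructed choices; the deterministic rng used in the test stands in for the random coefficients so the result can be checked.

```python
# Added example, not from the lecture: (t, w) threshold secret sharing.
# h(X) = sum_{i=0}^{t-1} a_i X^i mod p with a_0 = K; shadow j is K_j = h(X_j).
# Any t shadows reconstruct h, and K = h(0), by Lagrange interpolation mod p.
import secrets

P = 2 ** 61 - 1          # prime modulus, chosen for the example


def make_shadows(K, t, w, p=P, rng=None):
    """Return [(X_j, K_j)] for j = 1..w using a random polynomial of degree t-1."""
    if not 1 <= t <= w:
        raise ValueError("need 1 <= t <= w")
    rng = rng or (lambda: secrets.randbelow(p))
    coeffs = [K % p] + [rng() % p for _ in range(t - 1)]    # a_0 = K, then a_1..a_{t-1}

    def h(X):
        return sum(a * pow(X, i, p) for i, a in enumerate(coeffs)) % p

    return [(j, h(j)) for j in range(1, w + 1)]


def interpolate(shadows, X, p=P):
    """h(X) = sum_i K_i * prod_{j != i} (X - X_j)/(X_i - X_j) mod p."""
    total = 0
    for i, (xi, ki) in enumerate(shadows):
        num = den = 1
        for j, (xj, _) in enumerate(shadows):
            if j != i:
                num = num * (X - xj) % p
                den = den * (xi - xj) % p
        total = (total + ki * num * pow(den, -1, p)) % p
    return total


def recover_key(shadows, p=P):
    """K = h(0), valid only when at least t distinct shadows are supplied."""
    return interpolate(shadows, 0, p)
```

With fewer than t shadows the interpolation still returns a number, but it is a value of a different polynomial and carries no information about K; the reconstruction must therefore check it has t distinct shadows before trusting the result.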
Selected Bibliography
1. Cryptography and Data Security, D.E.R. Denning, Addison-Wesley Publishing Co.
2. Network and Internet Security, V. Ahuja, AP Professional
3. A Course in Number Theory & Cryptography, N. Koblitz, Springer-Verlag Inc.
4. Cryptography and Network Security, W. Stallings, Prentice Hall Inc.
5. Applied Cryptography, B. Schneier, John Wiley & Sons Inc.
Message Digest
- easy to compute
- computed in rounds
- can't find m from MD
- can't find any m to give a given MD
- can't find 2 messages with the same digest (collision)
Most common digests in use: MD2, MD5, SHA-1, RIPEMD-160.
MD2: 16 byte digest, widely used, but flaws found; collision found but not on demand; in use only because of old certificates.
- Control your broadcast area
- Lock each AP
- Ban rogue access points
- Use 128-bit WEP
- Choose good SSIDs
- Limit access rights
- Limit the number of user addresses
- Authenticate users
Figure: WEP encrypted transmission: data → encryption → Ciphertext | ICV → Receiver.