Network Security Essentials Chapter 2

1
Network Security Essentials Chapter 2
  • Fourth Edition
  • by William Stallings

2
Outline
  • Conventional Encryption Principles
  • Conventional Encryption Algorithms
  • Cipher Block Modes of Operation
  • Location of Encryption Devices
  • Key Distribution

3
Conventional Encryption Principles
  • An encryption scheme has five ingredients
  • Plaintext
  • Encryption algorithm
  • Secret Key
  • Ciphertext
  • Decryption algorithm
  • Security depends on the secrecy of the key, not
    the secrecy of the algorithm

4
Symmetric Cipher Model
5
Cryptography
  • Classified along three independent dimensions
  • The type of operations used for transforming
    plaintext to ciphertext
  • Substitution
  • Transposition
  • The number of keys used
  • symmetric (single key)
  • asymmetric (two-keys, or public-key encryption)
  • The way in which the plaintext is processed
  • Block cipher
  • Stream cipher

6
Symmetric Encryption
  • or conventional / private-key / single-key
  • sender and recipient share a common key
  • all classical encryption algorithms are
    private-key
  • was only type prior to invention of public-key in
    1970s
  • and by far most widely used

7
Requirements
  • two requirements for secure use of symmetric
    encryption
  • a strong encryption algorithm
  • a secret key known only to sender / receiver
  • mathematically have
  • $Y = E_K(X)$
  • $X = D_K(Y)$
  • assume encryption algorithm is known
  • implies a secure channel to distribute key

8
Cryptography
  • characterize cryptographic system by
  • type of encryption operations used
  • substitution / transposition / product
  • number of keys used
  • single-key or private / two-key or public
  • way in which plaintext is processed
  • block / stream

9
Cryptanalysis
  • objective to recover key not just message
  • general approaches
  • cryptanalytic attack
  • brute-force attack

10
Cryptanalytic Attacks
  • ciphertext only
  • only know algorithm and ciphertext; attack is
    statistical; must know or be able to identify
    plaintext
  • known plaintext
  • know/suspect plaintext and ciphertext
  • chosen plaintext
  • select plaintext and obtain ciphertext
  • chosen ciphertext
  • select ciphertext and obtain plaintext
  • chosen text
  • select plaintext or ciphertext to en/decrypt

11
Brute Force Search
  • always possible to simply try every key
  • most basic attack, proportional to key size
  • assume either know / recognise plaintext

12
Classical Substitution Ciphers
  • where letters of plaintext are replaced by other
    letters or by numbers or symbols
  • or if plaintext is viewed as a sequence of bits,
    then substitution involves replacing plaintext
    bit patterns with ciphertext bit patterns

13
Caesar Cipher
  • earliest known substitution cipher
  • by Julius Caesar
  • first attested use in military affairs
  • replaces each letter by the 3rd letter further on
    in the alphabet
  • example
  • meet me after the toga party
  • PHHW PH DIWHU WKH WRJD SDUWB

14
Caesar Cipher
  • can define transformation as
  • a b c d e f g h i j k l m n o p q r s t u v w x y z
  • D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
  • mathematically give each letter a number
  • a b c d e f g h i j k l m n o p q r s t u v w x y z
  • 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
  • then have Caesar cipher as
  • $c = E(p) = (p + k) \bmod 26$
  • $p = D(c) = (c - k) \bmod 26$

15
Cryptanalysis of Caesar Cipher
  • only have 26 possible ciphers
  • A maps to A,B,..Z
  • could simply try each in turn
  • a brute force search
  • given ciphertext, just try all shifts of letters
  • do need to recognize when have plaintext
  • eg. break ciphertext "GCUA VQ DTGCM"
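
Added example (not part of the original slides): the brute-force search described above, with the "recognize plaintext" step automated by scoring every candidate against English letter frequencies. The frequency table (approximate values) and all function names are assumptions of this example.

```python
import math

# Approximate English letter frequencies in percent, a..z (supplied by this example).
ENGLISH_FREQ = [8.17, 1.49, 2.78, 4.25, 12.70, 2.23, 2.02, 6.09, 6.97, 0.15,
                0.77, 4.03, 2.41, 6.75, 7.51, 1.93, 0.10, 5.99, 6.33, 9.06,
                2.76, 0.98, 2.36, 0.15, 1.97, 0.07]

def shift_text(text: str, k: int) -> str:
    """Apply (x + k) mod 26 to every ASCII letter; other characters pass through."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            out.append(chr((ord(ch.upper()) - 65 + k) % 26 + 65))
        else:
            out.append(ch)
    return "".join(out)

def encrypt(plaintext: str, k: int) -> str:
    """c = E(p) = (p + k) mod 26, ciphertext in upper case as on the slides."""
    return shift_text(plaintext, k)

def decrypt(ciphertext: str, k: int) -> str:
    """p = D(c) = (c - k) mod 26, plaintext in lower case as on the slides."""
    return shift_text(ciphertext, -k).lower()

def english_score(text: str) -> float:
    """Log-likelihood of the letters under the frequency table (higher is more English-like)."""
    return sum(math.log(ENGLISH_FREQ[ord(c) - 97])
               for c in text.lower() if "a" <= c <= "z")

def brute_force(ciphertext: str) -> list:
    """Try all 26 keys and return (key, candidate plaintext) pairs, best score first."""
    candidates = [(k, decrypt(ciphertext, k)) for k in range(26)]
    return sorted(candidates, key=lambda kp: english_score(kp[1]), reverse=True)

if __name__ == "__main__":
    for key, text in brute_force("GCUA VQ DTGCM")[:3]:
        print(key, text)
```
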

16
Monoalphabetic Cipher
  • rather than just shifting the alphabet
  • could shuffle (jumble) the letters arbitrarily
  • each plaintext letter maps to a different random
    ciphertext letter
  • hence key is 26 letters long
  • Plain: abcdefghijklmnopqrstuvwxyz
  • Cipher: DKVQFIBJWPESCXHTMYAUOLRGZN
  • Plaintext: ifwewishtoreplaceletters
  • Ciphertext: WIRFRWAJUHYFTSDVFSFUUFYA

17
Monoalphabetic Cipher Security
  • now have a total of $26! = 4 \times 10^{26}$ keys
  • with so many keys, might think is secure
  • but would be !!!WRONG!!!
  • problem is language characteristics

18
Language Redundancy and Cryptanalysis
  • human languages are redundant
  • eg "th lrd s m shphrd shll nt wnt"
  • letters are not equally commonly used
  • in English E is by far the most common letter
  • followed by T,R,N,I,O,A,S
  • other letters like Z,J,K,Q,X are fairly rare
  • have tables of single, double and triple letter
    frequencies for various languages

19
English Letter Frequencies
20
Modern Block Ciphers
  • now look at modern block ciphers
  • one of the most widely used types of
    cryptographic algorithms
  • provide secrecy / authentication services
  • focus on DES (Data Encryption Standard)
  • to illustrate block cipher design principles

21
Block vs Stream Ciphers
  • block ciphers process messages in blocks, each of
    which is then en/decrypted
  • like a substitution on very big characters
  • 64-bits or more
  • stream ciphers process messages a bit or byte at
    a time when en/decrypting
  • many current ciphers are block ciphers
  • broader range of applications

22
Feistel Cipher Structure
  • Virtually all conventional block encryption
    algorithms, including DES have a structure first
    described by Horst Feistel of IBM in 1973
  • The realization of a Feistel Network depends on
    the choice of the following parameters and design
    features (see next slide)

23
Feistel Cipher Structure
  • Horst Feistel devised the Feistel cipher
  • partitions input block into two halves
  • process through multiple rounds which
  • perform a substitution on left data half
  • based on round function of right half and subkey
  • then have permutation swapping halves

24
Feistel Cipher Structure
  • Block size: larger block sizes mean greater
    security
  • Key size: larger key size means greater security
  • Number of rounds: multiple rounds offer
    increasing security
  • Subkey generation algorithm: greater complexity
    will lead to greater difficulty of cryptanalysis
  • Fast software encryption/decryption: the speed of
    execution of the algorithm becomes a concern

25
Feistel Cipher Structure
27
Conventional Encryption Algorithms
  • Data Encryption Standard (DES)
  • The most widely used encryption scheme
  • The algorithm is referred to as the Data Encryption
    Algorithm (DEA)
  • DES is a block cipher
  • The plaintext is processed in 64-bit blocks
  • The key is 56-bits in length

28
Data Encryption Standard (DES)
  • most widely used block cipher in world
  • adopted in 1977 by NBS (now NIST)
  • as FIPS PUB 46
  • encrypts 64-bit data using 56-bit key
  • has widespread use
  • has been considerable controversy over its
    security

29
DES History
  • IBM developed Lucifer cipher
  • by team led by Feistel in late 60s
  • used 64-bit data blocks with 128-bit key
  • then redeveloped as a commercial cipher with
    input from NSA and others
  • in 1973 NBS issued request for proposals for a
    national cipher standard
  • IBM submitted their revised Lucifer which was
    eventually accepted as the DES

30
DES Design Controversy
  • although DES standard is public
  • was considerable controversy over design
  • in choice of 56-bit key (vs Lucifer 128-bit)
  • and because design criteria were classified
  • subsequent events and public analysis show in
    fact design was appropriate
  • use of DES has flourished
  • especially in financial applications
  • still standardised for legacy application use

32
DES Encryption Overview
33
Initial Permutation IP
  • first step of the data computation
  • IP reorders the input data bits
  • even bits to LH half, odd bits to RH half
  • quite regular in structure (easy in h/w)
  • example
  • IP(675a6967 5e5a6b5a) = (ffb2194d 004df6fb)

35
DES Round Structure
  • uses two 32-bit L and R halves
  • as for any Feistel cipher can describe as
  • $L_i = R_{i-1}$
  • $R_i = L_{i-1} \oplus F(R_{i-1}, K_i)$
  • F takes 32-bit R half and 48-bit subkey
  • expands R to 48-bits using perm E
  • adds to subkey using XOR
  • passes through 8 S-boxes to get 32-bit result
  • finally permutes using 32-bit perm P

36
DES Round Structure
37
Substitution Boxes S
  • have eight S-boxes which map 6 to 4 bits
  • each S-box is actually 4 little 4 bit boxes
  • outer bits 1 and 6 (row bits) select one row of 4
  • inner bits 2-5 (col bits) are substituted
  • result is 8 lots of 4 bits, or 32 bits
  • row selection depends on both data and key
  • feature known as autoclaving (autokeying)
  • example
  • S(18 09 12 3d 11 17 38 39) = 5fd25e03

38
Strength of DES Key Size
  • 56-bit keys have $2^{56} = 7.2 \times 10^{16}$ values
  • brute force search looks hard
  • recent advances have shown is possible
  • in 1997 on Internet in a few months
  • in 1998 on dedicated h/w (EFF) in a few days
  • in 1999 above combined in 22hrs!
  • still must be able to recognize plaintext
  • must now consider alternatives to DES

39
DES
  • The overall processing at each iteration
  • $L_i = R_{i-1}$
  • $R_i = L_{i-1} \oplus F(R_{i-1}, K_i)$
  • Concerns about
  • The algorithm and the key length (56-bits)

40
Triple DEA
  • Use three keys and three executions of the DES
    algorithm (encrypt-decrypt-encrypt)
  • C = ciphertext
  • P = plaintext
  • $E_K[X]$ = encryption of X using key K
  • $D_K[Y]$ = decryption of Y using key K
  • Effective key length of 168 bits

$C = E_{K3}[D_{K2}[E_{K1}[P]]]$
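
Added example (not part of the original slides): the Feistel round equations and the encrypt-decrypt-encrypt composition above, run on a 64-bit block. The round function and subkey generation are hash-based stand-ins invented for this example, not DES's E / S-box / P steps or key schedule; it shows that decryption is the same network with the subkeys reversed, and that E-D-E with three equal keys collapses to a single encryption.

```python
import hashlib

ROUNDS = 16          # DES uses 16 rounds
MASK32 = 0xFFFFFFFF

def round_function(right: int, subkey: bytes) -> int:
    """Toy F (assumption): 32 bits of SHA-256(subkey || R). F need not be invertible."""
    digest = hashlib.sha256(subkey + right.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:4], "big")

def subkeys(key: bytes) -> list:
    """Toy subkey generation (assumption): one 48-bit subkey K_i per round."""
    return [hashlib.sha256(key + bytes([i])).digest()[:6] for i in range(ROUNDS)]

def feistel(block: int, round_keys: list) -> int:
    """Run the network over a 64-bit block with the given subkey order."""
    left, right = block >> 32, block & MASK32
    for k in round_keys:
        # L_i = R_{i-1};  R_i = L_{i-1} XOR F(R_{i-1}, K_i)
        left, right = right, left ^ round_function(right, k)
    # Final swap of the halves lets decryption reuse exactly this code.
    return (right << 32) | left

def encrypt(block: int, key: bytes) -> int:
    return feistel(block, subkeys(key))

def decrypt(block: int, key: bytes) -> int:
    # Same structure, subkeys applied in reverse order.
    return feistel(block, subkeys(key)[::-1])

def ede_encrypt(p: int, k1: bytes, k2: bytes, k3: bytes) -> int:
    """C = E_K3[D_K2[E_K1[P]]]"""
    return encrypt(decrypt(encrypt(p, k1), k2), k3)

def ede_decrypt(c: int, k1: bytes, k2: bytes, k3: bytes) -> int:
    """P = D_K1[E_K2[D_K3[C]]]"""
    return decrypt(encrypt(decrypt(c, k3), k2), k1)

if __name__ == "__main__":
    P = 0x675A69675E5A6B5A                      # sample block (constructed input)
    K1, K2, K3 = b"key-one", b"key-two", b"key-three"   # constructed keys
    C = ede_encrypt(P, K1, K2, K3)
    print(f"{C:016x}", ede_decrypt(C, K1, K2, K3) == P)
```
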
41
Triple DEA
42
Other Symmetric Block Ciphers
  • International Data Encryption Algorithm (IDEA)
  • 128-bit key
  • Used in PGP
  • Blowfish
  • Easy to implement
  • High execution speed
  • Run in less than 5K of memory

43
Other Symmetric Block Ciphers
  • RC5
  • Suitable for hardware and software
  • Fast, simple
  • Adaptable to processors of different word lengths
  • Variable number of rounds
  • Variable-length key
  • Low memory requirement
  • High security
  • Data-dependent rotations
  • Cast-128
  • Key size from 40 to 128 bits
  • The round function differs from round to round

44
AES (Advanced Encryption Standard)
45
Origins
  • clear a replacement for DES was needed
  • have theoretical attacks that can break it
  • have demonstrated exhaustive key search attacks
  • can use Triple-DES but slow, has small blocks
  • US NIST issued call for ciphers in 1997
  • 15 candidates accepted in Jun 98
  • 5 were shortlisted in Aug-99
  • Rijndael was selected as the AES in Oct-2000
  • issued as FIPS PUB 197 standard in Nov-2001

46
AES Requirements
  • private key symmetric block cipher
  • 128-bit data, 128/192/256-bit keys
  • stronger and faster than Triple-DES
  • active life of 20-30 years (+ archival use)
  • provide full specification and design details
  • both C and Java implementations
  • NIST have released all submissions and
    unclassified analyses

47
AES Evaluation Criteria
  • initial criteria
  • security: effort for practical cryptanalysis
  • cost: in terms of computational efficiency
  • algorithm and implementation characteristics
  • final criteria
  • general security
  • ease of software and hardware implementation
  • implementation attacks
  • flexibility (in en/decrypt, keying, other factors)

48
AES Shortlist
  • after testing and evaluation, shortlist in
    Aug-99
  • MARS (IBM) - complex, fast, high security margin
  • RC6 (USA) - v. simple, v. fast, low security
    margin
  • Rijndael (Belgium) - clean, fast, good security
    margin
  • Serpent (Euro) - slow, clean, v. high security
    margin
  • Twofish (USA) - complex, v. fast, high security
    margin
  • then subject to further analysis and comment
  • saw contrast between algorithms with
  • few complex rounds versus many simple rounds
  • which refined existing ciphers versus new
    proposals

49
The AES Cipher - Rijndael
  • designed by Rijmen-Daemen in Belgium
  • has 128/192/256 bit keys, 128 bit data
  • an iterative rather than Feistel cipher
  • processes data as block of 4 columns of 4 bytes
  • operates on entire data block in every round
  • designed to be
  • resistant against known attacks
  • speed and code compactness on many CPUs
  • design simplicity

50
Rijndael
  • data block of 4 columns of 4 bytes is state
  • key is expanded to array of words
  • has 9/11/13 rounds in which state undergoes
  • byte substitution (1 S-box used on every byte)
  • shift rows (permute bytes between groups/columns)
  • mix columns (subs using matrix multiply of groups)
  • add round key (XOR state with key material)
  • view as alternating XOR key and scramble data bytes
  • initial XOR key material and incomplete last round
  • with fast XOR and table lookup implementation

51
Rijndael
52
Byte Substitution
  • a simple substitution of each byte
  • uses one table of 16x16 bytes containing a
    permutation of all 256 8-bit values
  • each byte of state is replaced by byte indexed by
    row (left 4-bits) and column (right 4-bits)
  • eg. byte 95 is replaced by byte in row 9 column 5
  • which has value 2A
  • S-box constructed using defined transformation of
    values in $GF(2^8)$
  • designed to be resistant to all known attacks

53
Byte Substitution
54
S-Box (Byte Substitution)
55
Shift Rows
  • a circular byte shift in each row
  • 1st row is unchanged
  • 2nd row does 1 byte circular shift to left
  • 3rd row does 2 byte circular shift to left
  • 4th row does 3 byte circular shift to left
  • decrypt inverts using shifts to right
  • since state is processed by columns, this step
    permutes bytes between the columns

56
Shift Rows
57
Mix Columns
  • each column is processed separately
  • each byte is replaced by a value dependent on all
    4 bytes in the column
  • effectively a matrix multiplication in $GF(2^8)$
    using prime poly $m(x) = x^8 + x^4 + x^3 + x + 1$

58
Mix Columns
59
Mix Columns
  • can express each col as 4 equations
  • to derive each new byte in col
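
Added example (not part of the original slides): the GF(2^8) arithmetic behind both Byte Substitution and Mix Columns, using the polynomial m(x) given above. The affine transformation and the two coefficient matrices are taken from FIPS 197 rather than from the slide text, the function names are this example's own, and the sample column is constructed input.

```python
# GF(2^8) arithmetic modulo m(x) = x^8 + x^4 + x^3 + x + 1, written 0x11B.

def gf_mul(a: int, b: int) -> int:
    """Multiply two bytes as polynomials over GF(2), reducing modulo m(x)."""
    product = 0
    while b:
        if b & 1:
            product ^= a      # addition in GF(2^8) is XOR
        a <<= 1               # multiply a by x
        if a & 0x100:
            a ^= 0x11B        # degree reached 8: reduce by m(x)
        b >>= 1
    return product

def gf_inv(a: int) -> int:
    """Multiplicative inverse computed as a^254; 0 has no inverse and maps to 0."""
    result = 1
    for _ in range(254):
        result = gf_mul(result, a)
    return result

def rotl8(x: int, n: int) -> int:
    """Rotate a byte left by n bits."""
    return ((x << n) | (x >> (8 - n))) & 0xFF

def sbox(byte: int) -> int:
    """Byte substitution: field inverse followed by the FIPS 197 affine transformation."""
    b = gf_inv(byte)
    return b ^ rotl8(b, 1) ^ rotl8(b, 2) ^ rotl8(b, 3) ^ rotl8(b, 4) ^ 0x63

# Mix Columns matrix and its inverse (coefficients from FIPS 197).
MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]
INV_MIX = [[14, 11, 13, 9], [9, 14, 11, 13], [13, 9, 14, 11], [11, 13, 9, 14]]

def mix_column(column: list, matrix: list = MIX) -> list:
    """One equation per output byte: a GF(2^8) dot product of a matrix row with the column."""
    return [gf_mul(row[0], column[0]) ^ gf_mul(row[1], column[1])
            ^ gf_mul(row[2], column[2]) ^ gf_mul(row[3], column[3])
            for row in matrix]

if __name__ == "__main__":
    print(f"S-box[95] = {sbox(0x95):02X}")          # row 9, column 5 of the table
    column = [0xDB, 0x13, 0x53, 0x45]               # constructed sample column
    mixed = mix_column(column)
    print([f"{b:02X}" for b in mixed], mix_column(mixed, INV_MIX) == column)
```
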

60
Add Round Key
  • XOR state with 128-bits of the round key
  • again processed by column (though effectively a
    series of byte operations)

61
AES Round
62
AES Key Expansion
  • takes 128-bit (16-byte) key and expands into
    array of 44/52/60 32-bit words
  • start by copying key into first 4 words
  • then loop creating words that depend on values in
    previous 4 places back
  • in 3 of 4 cases just XOR these together
  • 1st word in 4 has rotate + S-box + XOR round
    constant on previous, before XOR 4th back

63
AES Key Expansion
64
AES Decryption
  • AES decryption is not identical to encryption
    since steps done in reverse
  • but can define an equivalent inverse cipher with
    steps as for encryption
  • but using inverses of each step
  • with a different key schedule

65
AES Decryption
66
Implementation Aspects
  • can efficiently implement on 8-bit CPU
  • byte substitution works on bytes using a table of
    256 entries
  • shift rows is simple byte shift
  • add round key works on byte XORs
  • mix columns requires matrix multiply in $GF(2^8)$
    which works on byte values, can be simplified to
    use table lookups and byte XORs

67
Implementation Aspects
  • can efficiently implement on 32-bit CPU
  • redefine steps to use 32-bit words
  • can precompute 4 tables of 256-words
  • then each column in each round can be computed
    using 4 table lookups + 4 XORs
  • at a cost of 4Kb to store tables
  • designers believe this very efficient
    implementation was a key factor in its selection
    as the AES cipher

68
Location of Encryption Device
  • Link encryption
  • A lot of encryption devices
  • High level of security
  • Decrypt each packet at every switch
  • End-to-end encryption
  • The source encrypts and the receiver decrypts
  • Payload encrypted
  • Header in the clear
  • High security: both link and end-to-end
    encryption are needed (see Figure 2.9)

70
Key Distribution
  • A key could be selected by A and physically
    delivered to B.
  • A third party could select the key and physically
    deliver it to A and B.
  • If A and B have previously used a key, one party
    could transmit the new key to the other,
    encrypted using the old key.
  • If A and B each have an encrypted connection to a
    third party C, C could deliver a key on the
    encrypted links to A and B.

71
Key Distribution (See Figure 2.10)
  • Session key
  • Data encrypted with a one-time session key. At the
    conclusion of the session the key is destroyed
  • Permanent key
  • Used between entities for the purpose of
    distributing session keys

73
Recommended Reading
  • Stallings, W. Cryptography and Network Security:
    Principles and Practice, 2nd edition. Prentice
    Hall, 1999
  • Schneier, B. Applied Cryptography, New York:
    Wiley, 1996
  • Mel, H.X. and Baker, D. Cryptography Decrypted.
    Addison Wesley, 2001