Computer Security
01 - Introduction
**Material developed based on Pearson's online resource and Dr Anisi's material, with thanks.
Module Schedule
• One lecture Wednesday from 14.00 to 16.00 each
week in the autumn term
• The live lectures will hold theory-focused
presentations
• One 1-hour lab on Thursdays
• Laba01 - 11.00 to 12.00
• Laba02 - 16.00 to 17.00
(Note that first two weeks are a revision of Python!)
• There will also be two revision lectures in the summer
term.
Assessment
• One two-hour examination in May/June (70% of the
module credit)
• Two programming assignments (Lab reports) to be
submitted by 20/11/2021 and 24/12/2021 (10% each)
• We also have a progress test on Week 7 on Moodle.
(10%)
Recommended Reading
• The main recommended text for this module is
• Computer Security: Principles and Practice, Third Edition by
William Stallings & Lawrie Brown, Pearson; 3rd edition (8
July 2014)
Alternative books include
• PFLEEGER, C., and PFLEEGER, S., Security in Computing,
Prentice Hall 2002
• BISHOP, M., Computer Security: Art and Science, Pearson
Education, 2003
• GOLLMANN, D., Computer Security, Wiley 2006, 2nd ed
How to succeed in this module?
• Go through the examples given in the tutorials
• Complete the labs within a few days (mostly)
• Practice, practice, practice!!!
• Ask questions
• Communicate (with me and colleagues)!!
• Work on your assignments weekly (don't leave them until
right before the deadline)
• Make sure you attend the review lectures!!
• Make sure to revisit all available material (videos, slides,
etc) before the exam
Learning Outcomes
1. Identify and describe common security vulnerabilities
2. Identify and describe different types of attack on
computers
3. Recommend security tools and procedures to protect
against specific types of attack
4. Describe the nature of malware, how it may be
identified and the attack mitigated
5. Explain the distinction between different types of
cryptography and identify common algorithms that are
weak and strong
6. Describe the use of cryptography in certification and
authentication
Have you ever had computer security experience?
The NIST Internal/Interagency Report NISTIR 7298 (Glossary of Key Information Security Terms, May 2013) defines the term computer security as follows:
Measures and controls that ensure confidentiality, integrity, and availability of information system assets including hardware, software, firmware, and information being processed, stored, and communicated
Key Security Concepts
• Confidentiality: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information
• Integrity: Guarding against improper information modification or destruction, including ensuring information nonrepudiation and authenticity
• Availability: Ensuring timely and reliable access to and use of information
• Authenticity: The property of being genuine and being able to be verified and trusted; confidence in the validity of a transmission, a message, or message originator; verifying that users are who they say they are and that each input that comes to the system is trusted
• Accountability: Generates the requirement for actions of an entity to be traced uniquely to that entity; supports nonrepudiation, deterrence, fault isolation, intrusion detection and prevention, and after-action recovery and legal action; systems must keep records of their activities for forensic analysis
Figure 1.1 Essential Network and Computer Security Requirements (figure: the requirements and services Confidentiality, Integrity, Availability, Authenticity and Accountability arranged around data and services)
Levels of Impact
• Low: The loss could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals
• Moderate: The loss could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals
• High: The loss could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals
1. Computer security is not as simple as it might first appear to the novice
2. In developing a particular security mechanism or algorithm, one must always consider potential attacks on those security features
3. Procedures used to provide particular services are often counterintuitive
4. Physical and logical placement needs to be determined
5. Security mechanisms typically involve more than a particular algorithm or protocol and also require that participants be in possession of some secret information, which raises questions about the creation, distribution, and protection of that secret information
6. Attackers only need to find a single weakness, while the designer must find and eliminate all weaknesses to achieve perfect security
7. Security is still too often an afterthought to be incorporated into a system after the design is complete, rather than being an integral part of the design process
8. Security requires regular and constant monitoring
9. There is a natural tendency on the part of users and system managers to perceive little benefit from security investment until a security failure occurs
10. Many users and even security administrators view strong security as an impediment to efficient and user-friendly operation of an information system or use of information
Computer Security Terminology
• Adversary (threat agent) - Individual, group, organization, or government that conducts or has the intent to conduct detrimental activities.
• Attack - Any kind of malicious activity that attempts to collect, disrupt, deny, degrade, or destroy information system resources or the information itself.
• Countermeasure - A device or technique that has as its objective the impairment of the operational effectiveness of undesirable or adversarial activity, or the prevention of espionage, sabotage, theft, or unauthorized access to or use of sensitive information or information systems.
• Risk - A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of 1) the adverse impacts that would arise if the circumstance or event occurs; and 2) the likelihood of occurrence.
• Security Policy - A set of criteria for the provision of security services. It defines and constrains the activities of a data processing facility in order to maintain a condition of security for systems and data.
• System Resource (Asset) - A major application, general support system, high impact program, physical plant, mission critical system, personnel, equipment, or a logically related group of systems.
• Threat - Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.
• Vulnerability - Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.
Security Concepts and Relationships
Figure 1.2 Security Concepts and Relationships (figure: owners value assets and wish to minimize risk, so they impose countermeasures that reduce risk; threat agents wish to abuse and/or may damage assets, and give rise to threats that increase risk to the assets)
Vulnerabilities, Threats
and Attacks
• Categories of vulnerabilities
• Corrupted (loss of integrity)
• Leaky (loss of confidentiality)
• Unavailable or very slow (loss of availability)
• Threats
• Capable of exploiting vulnerabilities
• Represent potential security harm to an asset
• Attacks (threats carried out)
• Passive – attempt to learn or make use of information from the
system that does not affect system resources
• Active – attempt to alter system resources or affect their
operation
• Insider – initiated by an entity inside the security perimeter
• Outsider – initiated from outside the perimeter
Countermeasures
Means used to deal with security attacks:
• Prevent
• Detect
• Recover
Residual vulnerabilities may remain; a countermeasure may itself introduce new vulnerabilities
Goal is to minimize the residual level of risk to the assets
Threat Consequences and Attacks
Threat Consequence, with the Threat Actions (Attacks) that produce it:
• Unauthorized Disclosure: A circumstance or event whereby an entity gains access to data for which the entity is not authorized.
  • Exposure: Sensitive data are directly released to an unauthorized entity.
  • Interception: An unauthorized entity directly accesses sensitive data traveling between authorized sources and destinations.
  • Inference: A threat action whereby an unauthorized entity indirectly accesses sensitive data (but not necessarily the data contained in the communication) by reasoning from characteristics or byproducts of communications.
  • Intrusion: An unauthorized entity gains access to sensitive data by circumventing a system's security protections.
• Deception: A circumstance or event that may result in an authorized entity receiving false data and believing it to be true.
  • Masquerade: An unauthorized entity gains access to a system or performs a malicious act by posing as an authorized entity.
  • Falsification: False data deceive an authorized entity.
  • Repudiation: An entity deceives another by falsely denying responsibility for an act.
• Disruption: A circumstance or event that interrupts or prevents the correct operation of system services and functions.
  • Incapacitation: Prevents or interrupts system operation by disabling a system component.
  • Corruption: Undesirably alters system operation by adversely modifying system functions or data.
  • Obstruction: A threat action that interrupts delivery of system services by hindering system operation.
• Usurpation: A circumstance or event that results in control of system services or functions by an unauthorized entity.
  • Misappropriation: An entity assumes unauthorized logical or physical control of a system resource.
  • Misuse: Causes a system component to perform a function or service that is detrimental to system security.
Scope of Computer Security
Figure 1.3 Scope of Computer Security (figure: users making requests pass through a guard to the processes representing them on a computer system, which access its data; a second computer system is reached through networks). The numbered concerns in the figure are:
1 Access to the data must be controlled (protection)
2 Access to the computer facility must be controlled (user authentication)
3 Data must be securely transmitted through networks (network security)
4 Sensitive files must be secure (file security)
This figure depicts security concerns other than physical security, including control of access to computer systems, safeguarding of data transmitted over communications
Computer and Network Assets, with Examples of Threats
• Hardware
  • Availability: Equipment is stolen or disabled, thus denying service.
  • Confidentiality: An unencrypted CD-ROM or DVD is stolen.
• Software
  • Availability: Programs are deleted, denying access to users.
  • Confidentiality: An unauthorized copy of software is made.
  • Integrity: A working program is modified, either to cause it to fail during execution or to cause it to do some unintended task.
• Data
  • Availability: Files are deleted, denying access to users.
  • Confidentiality: An unauthorized read of data is performed. An analysis of statistical data reveals underlying data.
  • Integrity: Existing files are modified or new files are fabricated.
• Communication Lines and Networks
  • Availability: Messages are destroyed or deleted. Communication lines or networks are rendered unavailable.
  • Confidentiality: Messages are read. The traffic pattern of messages is observed.
  • Integrity: Messages are modified, delayed, reordered, or duplicated. False messages are fabricated.
Passive and Active Attacks
Passive Attack
• Attempts to learn or make use of information from the system but does not affect system resources
• Eavesdropping on, or monitoring of, transmissions
• Goal of attacker is to obtain information that is being transmitted
• Two types: release of message contents; traffic analysis
Active Attack
• Attempts to alter system resources or affect their operation
• Involves some modification of the data stream or the creation of a false stream
• Four categories: replay; masquerade; modification of messages; denial of service
Table 1.4 Security Requirements (FIPS 200), pages 1 and 2 of 2
(Table can be found on pages 16-17 in the textbook.)
Fundamental Security Design Principles
• Economy of mechanism
• Fail-safe defaults
• Complete mediation
• Open design
• Separation of privilege
• Least privilege
• Least common mechanism
• Psychological acceptability
• Isolation
• Encapsulation
• Modularity
• Layering
• Least astonishment
Security Design Principles
• Economy of mechanism means that the design of security
measures embodied in both hardware and software
should be as simple and small as possible.
• The motivation for this principle is that relatively simple, small
design is easier to test and verify thoroughly.
• Fail-safe default means that access decisions should be
based on permission rather than exclusion.
• That is, the default situation is lack of access, and the protection
scheme identifies conditions under which access is permitted.
• Complete mediation means that every access must be
checked against the access control mechanism.
• Systems should not rely on access decisions retrieved from a
cache.
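Fail-safe defaults and complete mediation can be seen side by side in a tiny reference monitor. The following Python is an added example written for these notes, not code from the slides or the textbook; the policy tuples, the "clerk" and "payroll.db" names and the "export" action are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    user: str
    action: str     # e.g. "read", "write", "delete", "export"
    resource: str   # e.g. "payroll.db"


class DenyListMonitor:
    """Exclusion-based policy: a request is allowed unless it is explicitly forbidden.
    Anything the policy author forgot to list (here, "export") slips through."""

    def __init__(self, denied):
        self.denied = set(denied)

    def allowed(self, req):
        return (req.user, req.action, req.resource) not in self.denied


class AllowListMonitor:
    """Permission-based policy (fail-safe default): a request is allowed only if it is
    explicitly permitted; the default answer for anything unknown is deny."""

    def __init__(self, permitted):
        self.permitted = set(permitted)

    def revoke(self, user, action, resource):
        self.permitted.discard((user, action, resource))

    def allowed(self, req):
        # Complete mediation: consult the live policy on every request, never a cached verdict
        return (req.user, req.action, req.resource) in self.permitted


# Constructed sample policy: the clerk may read payroll.db and must not delete it
DENIED = [("clerk", "delete", "payroll.db")]
PERMITTED = [("clerk", "read", "payroll.db")]
REQUESTS = [
    Request("clerk", "read", "payroll.db"),
    Request("clerk", "delete", "payroll.db"),
    Request("clerk", "export", "payroll.db"),   # an action nobody considered when writing the policy
]


def decisions(monitor, requests=REQUESTS):
    """Map each request's action to the monitor's verdict."""
    return {req.action: monitor.allowed(req) for req in requests}


def revocation_is_immediate():
    """Complete mediation: after read access is revoked, the very next read is denied."""
    monitor = AllowListMonitor(PERMITTED)
    before = monitor.allowed(REQUESTS[0])
    monitor.revoke("clerk", "read", "payroll.db")
    after = monitor.allowed(REQUESTS[0])
    return before, after


if __name__ == "__main__":
    print("deny-list :", decisions(DenyListMonitor(DENIED)))
    print("allow-list:", decisions(AllowListMonitor(PERMITTED)))
    print("revocation:", revocation_is_immediate())
```

The unforeseen "export" request is the point: the deny-list monitor grants it because nobody forbade it, while the allow-list monitor refuses it because nobody permitted it.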
Security Design Principles
• Open design means that the design of a security
mechanism should be open rather than secret.
• For example, although encryption keys must be secret,
encryption algorithms should be open to public scrutiny.
• Separation of privilege is defined as a practice in which
multiple privilege attributes are required to achieve
access to a restricted resource.
• A good example of this is multifactor user authentication, which
requires the use of multiple techniques, such as a password and
a smart card, to authorize a user.
• Least privilege means that every process and every user
of the system should operate using the least set of
privileges necessary to perform the task.
Security Design Principles
• Least common mechanism means that the design should
minimize the functions shared by different users,
providing mutual security.
• Psychological acceptability implies that the security
mechanisms should not interfere unduly with the work of
users, while at the same time meeting the needs of those
who authorize access.
• Isolation is a principle that applies in three contexts:
• First, public access systems should be isolated from critical
resources (data, processes, etc.) to prevent disclosure or
tampering.
• Second, the processes and files of individual users should be
isolated from one another except where it is explicitly desired.
• Finally, security mechanisms should be isolated in the sense of
preventing access to those mechanisms.
Security Design Principles
• Encapsulation can be viewed as a specific form of
isolation based on object oriented functionality.
• Modularity in the context of security refers both to the
development of security functions as separate, protected
modules and to the use of a modular architecture for
mechanism design and implementation.
• Layering refers to the use of multiple, overlapping
protection approaches addressing the people, technology,
and operational aspects of information systems.
• Least astonishment means that a program or user
interface should always respond in the way that is least
likely to astonish the user.
Attack Surfaces
Consist of the reachable and exploitable vulnerabilities
in a system
Examples:
• Open ports on outward facing Web and other servers, and code
listening on those ports
• Services available on the inside of a firewall
• Code that processes incoming data, email, XML, office documents,
and industry-specific custom data exchange formats
• Interfaces, SQL, and Web forms
• An employee with access to sensitive information vulnerable to a
social engineering attack
Attack Surface Categories
• Network Attack Surface: Vulnerabilities over an enterprise network, wide-area network, or the Internet. Included in this category are network protocol vulnerabilities, such as those used for a denial-of-service attack, disruption of communications links, and various forms of intruder attacks
• Software Attack Surface: Vulnerabilities in application, utility, or operating system code. Particular focus is Web server software
• Human Attack Surface: Vulnerabilities created by personnel or outsiders, such as social engineering, human error, and trusted insiders
Defence in Depth and Attack Surface
(figure: a 2 x 2 chart of layering against attack surface; shallow layering with a small attack surface gives medium security risk and with a large attack surface gives high security risk; deep layering with a small attack surface gives low security risk and with a large attack surface gives medium security risk)
An Attack Tree for Internet Banking Authentication
Bank Account Compromise
• User credential compromise
  • UT/U1a User surveillance
  • UT/U1b Theft of token and handwritten notes
  • Malicious software installation
    • UT/U2a Hidden code
    • UT/U2b Worms
    • UT/U2c E-mails with malicious code
  • Vulnerability exploit
    • UT/U3a Smartcard analyzers
    • UT/U3b Smartcard reader manipulator
    • UT/U3c Brute force attacks with PIN calculators
  • User communication with attacker
    • UT/U4a Social engineering
    • UT/U4b Web page obfuscation
• Injection of commands
  • CC2 Sniffing
  • CC3 Active man-in-the-middle attacks
• User credential guessing
  • IBS1 Brute force attacks
  • IBS2 Security policy violation
• Redirection of communication toward fraudulent site
  • CC1 Pharming
  • IBS3 Web site manipulation
• Use of known authenticated session by attacker
  • CC4 Pre-defined session IDs (session hijacking)
  • Normal user authentication with specified session ID
Computer Security Strategy
• Security Policy: Formal statement of rules and practices that specify or regulate how a system or organization provides security services to protect sensitive and critical system resources
• Security Implementation: Involves four complementary courses of action: prevention, detection, response, recovery
• Assurance: Encompassing both system design and system implementation, assurance is an attribute of an information system that provides grounds for having confidence that the system operates such that the system's security policy is enforced
• Evaluation: Process of examining a computer product or system with respect to certain criteria; involves testing and may also involve formal analytic or mathematical techniques
Computer Security Strategy
Security Policy
• A security policy is a formal statement of rules and
practices that specify or regulate how a system or
organization provides security services to protect sensitive
and critical system resources.
• In developing a security policy, a security manager needs
to consider the following factors:
• The value of the assets being protected
• The vulnerabilities of the system
• Potential threats and the likelihood of attacks
• The manager must also consider the following trade-offs:
• Ease of use versus security
• Cost of security versus cost of failure and recovery
Security Implementation
• Security implementation involves four
complementary courses of action:
• Prevention: An ideal security scheme is one in which no
attack is successful.
• Detection: In a number of cases, absolute protection is not
feasible, but it is practical to detect security attacks.
• Response: If security mechanisms detect an ongoing
attack, such as a denial of service attack, the system may
be able to respond in such a way as to halt the attack and
prevent further damage.
• Recovery: An example of recovery is the use of backup
systems, so that if data integrity is compromised, a prior,
correct copy of the data can be reloaded.
Assurance and Evaluation
• Assurance is the degree of confidence one has that the
security measures, both technical and operational, work
as intended to protect the system and the information it
processes.
• This encompasses both system design and system
implementation.
• Note that assurance is expressed as a degree of confidence, not
in terms of a formal proof that a design or implementation is
correct.
• Evaluation is the process of examining a computer
product or system with respect to certain criteria.
• Evaluation involves testing and may also involve formal analytic
or mathematical techniques.
Standards
Standards have been developed to cover management practices and the
overall architecture of security mechanisms and services
The most important of these organizations are:
• National Institute of Standards and Technology (NIST)
• NIST is a U.S. federal agency that deals with measurement science, standards, and
technology related to U.S. government use and to the promotion of U.S. private sector
innovation
• Internet Society (ISOC)
• ISOC is a professional membership society that provides leadership in addressing issues
that confront the future of the Internet, and is the organization home for the groups
responsible for Internet infrastructure standards
• International Telecommunication Union (ITU-T)
• ITU is a United Nations agency in which governments and the private sector coordinate
global telecom networks and services
• International Organization for Standardization (ISO)
• ISO is a nongovernmental organization whose work results in international agreements that
are published as International Standards
Moodle - contact your lecturer: [Link]@[Link]
Computer Security
02 – Cryptographic tools (1)
Friends and enemies: Alice, Bob, Trudy
(figure: Alice, the secure sender, and Bob, the secure receiver, exchange data and control messages over a channel; Trudy sits on that channel between them)
Definitions
• Plaintext: An original message
• Ciphertext: The coded message
• Enciphering/encryption: The process of converting from plaintext to ciphertext
• Deciphering/decryption: Restoring the plaintext from the ciphertext
• Cryptography: The area of study of the many schemes used for encryption
• Cryptographic system/cipher: A scheme
• Cryptanalysis: Techniques used for deciphering a message without any knowledge of the enciphering details
• Cryptology: The areas of cryptography and cryptanalysis
The language of cryptography
(figure: plaintext → encryption algorithm → ciphertext → decryption algorithm → plaintext; Alice's encryption key KA feeds the encryption algorithm and Bob's decryption key KB feeds the decryption algorithm)
m plaintext message
KA(m) ciphertext, encrypted with key KA
m = KB(KA(m))
Encryption Scheme Security
• Unconditionally secure
• No matter how much time an opponent has, it is impossible for him or her to decrypt the ciphertext simply because the required information is not there
• Computationally secure
• The cost of breaking the cipher exceeds the value of the encrypted information
• The time required to break the cipher exceeds the useful lifetime of the information
Cryptographic Systems
• Characterized along three independent dimensions:
• The type of operations used for transforming plaintext to ciphertext: substitution; transposition
• The number of keys used: symmetric, single-key, secret-key, conventional encryption; asymmetric, two-key, or public-key encryption
• The way in which the plaintext is processed: block cipher; stream cipher
Simple encryption scheme
substitution cipher: substituting one thing for another
• monoalphabetic cipher: substitute one letter for another
plaintext: abcdefghijklmnopqrstuvwxyz
ciphertext: mnbvcxzasdfghjklpoiuytrewq
e.g.: Plaintext: bob. i love you. alice
ciphertext: nkn. s gktc wky. mgsbc
Encryption key: mapping from set of 26 letters
to set of 26 letters
A more sophisticated encryption approach
• n substitution ciphers, M1,M2,…,Mn
• cycling pattern:
• e.g., n=4: M1,M3,M4,M3,M2; M1,M3,M4,M3,M2; ..
• for each new plaintext symbol, use the next substitution pattern in the cyclic pattern
• dog: d from M1, o from M3, g from M4
Encryption key: n substitution ciphers, and cyclic pattern
• key need not be just n-bit pattern
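The monoalphabetic cipher from the previous slide and the cycling polyalphabetic scheme just described, as an added Python example that is not part of the original slides. The 26-letter key and the bob/alice message are the slide's; the four substitution alphabets M1..M4 are constructed here, since the slide names them but does not give them.

```python
import string

ALPHABET = string.ascii_lowercase
# The monoalphabetic key from the slide: each plaintext letter a..z maps to the letter below it
MONO_KEY = "mnbvcxzasdfghjklpoiuytrewq"


def substitution_tables(key):
    """Build the encrypt and decrypt translation tables for one 26-letter substitution key."""
    if sorted(key) != list(ALPHABET):
        raise ValueError("key must be a permutation of the 26 letters")
    return str.maketrans(ALPHABET, key), str.maketrans(key, ALPHABET)


def mono_encrypt(plaintext, key=MONO_KEY):
    """Monoalphabetic substitution: one fixed mapping for the whole message; non-letters pass through."""
    return plaintext.translate(substitution_tables(key)[0])


def mono_decrypt(ciphertext, key=MONO_KEY):
    return ciphertext.translate(substitution_tables(key)[1])


def _poly(text, ciphers, pattern, decrypt=False):
    """Polyalphabetic substitution: ciphers is the list M1..Mn of substitution keys and pattern the
    cycling order of 1-based indices (e.g. [1, 3, 4, 3, 2]). Each new plaintext LETTER uses the
    next cipher in the cycle; non-letters pass through and do not advance the pattern."""
    tables = [substitution_tables(k)[1 if decrypt else 0] for k in ciphers]
    out, i = [], 0
    for ch in text:
        if ch in ALPHABET:
            out.append(ch.translate(tables[pattern[i % len(pattern)] - 1]))
            i += 1
        else:
            out.append(ch)
    return "".join(out)


def poly_encrypt(plaintext, ciphers, pattern):
    return _poly(plaintext, ciphers, pattern)


def poly_decrypt(ciphertext, ciphers, pattern):
    return _poly(ciphertext, ciphers, pattern, decrypt=True)


# Constructed example set M1..M4 (the slide names them but gives only the cycling pattern)
CIPHERS = [
    MONO_KEY,                        # M1: the slide's key
    ALPHABET[1:] + ALPHABET[:1],     # M2: shift by one
    ALPHABET[::-1],                  # M3: reversed alphabet
    ALPHABET[13:] + ALPHABET[:13],   # M4: shift by thirteen
]
PATTERN = [1, 3, 4, 3, 2]            # M1, M3, M4, M3, M2, then repeat

if __name__ == "__main__":
    print(mono_encrypt("bob. i love you. alice"))   # nkn. s gktc wky. mgsbc
    print(poly_encrypt("dog", CIPHERS, PATTERN))   # d from M1, o from M3, g from M4 -> vlt
```

The key of the polyalphabetic scheme is the whole list of alphabets plus the cycling pattern, which is why the slide notes that it need not be a simple n-bit value.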
Symmetric key cryptography
(figure: plaintext message m → encryption algorithm → ciphertext KS(m) → decryption algorithm → plaintext m = KS(KS(m)); the same key KS is used on both sides)
symmetric key crypto: Bob and Alice share same (symmetric) key: KS
• e.g., key is knowing substitution pattern in monoalphabetic substitution cipher
Q: how do Bob and Alice agree on key value?
Symmetric Encryption
• The universal technique for providing confidentiality for transmitted or stored data
• Also referred to as conventional encryption or single-key encryption
• Two requirements for secure use:
• Need a strong encryption algorithm
• Sender and receiver must have obtained copies of the secret key in a secure fashion and must keep the key secure
Symmetric key crypto: DES
DES: Data Encryption Standard
• US encryption standard [NIST 1993]
• 56-bit symmetric key, 64-bit plaintext input
• block cipher with cipher block chaining
• how secure is DES?
• DES Challenge: 56-bit-key-encrypted phrase decrypted
(brute force) in less than a day
• no known good analytic attack
• making DES more secure:
• 3DES: encrypt 3 times with 3 different keys
AES: Advanced Encryption Standard
• Symmetric-key NIST standard, replaced DES (Nov
2001)
• processes data in 128 bit blocks
• 128, 192, or 256 bit keys
• brute force decryption (try each key) taking 1 sec on
DES, takes 149 trillion years for AES
Comparison of Two Popular Symmetric Encryption Algorithms
                               DES   Triple DES   AES
Plaintext block size (bits)    64    64           128
Ciphertext block size (bits)   64    64           128
Key size (bits)                56    112 or 168   128, 192, or 256
DES = Data Encryption Standard
AES = Advanced Encryption Standard
Modes of operation
• Typically symmetric encryption is applied to a unit of data larger than a single 64-bit or 128-bit block
• Electronic codebook (ECB) mode is the simplest approach to multiple-block encryption
• Each block of plaintext is encrypted using the same key
• Cryptanalysts may be able to exploit regularities in the plaintext
• Alternative techniques developed to increase the security of symmetric block encryption for large sequences
• Overcomes the weaknesses of ECB
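ECB's weakness and the chaining that CBC adds, as an added Python example that is not from the slides or the textbook. The block cipher inside it is a deliberately weak toy (XOR with the key plus a byte rotation) standing in for DES or AES so that the example runs offline; the key, IV and plaintext are constructed values.

```python
BLOCK = 8  # bytes per block for the toy cipher (DES uses 8, AES 16)


def _toy_block_encrypt(block, key):
    """Toy block cipher stand-in: XOR with the key, then rotate the bytes left by one.
    It is NOT secure and is NOT DES or AES; it is only a placeholder for E_k()."""
    x = bytes(b ^ k for b, k in zip(block, key))
    return x[1:] + x[:1]


def _toy_block_decrypt(block, key):
    x = block[-1:] + block[:-1]
    return bytes(b ^ k for b, k in zip(x, key))


def pad(data):
    """PKCS#7-style padding to a multiple of BLOCK (always adds at least one byte)."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def _blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def ecb_encrypt(plaintext, key):
    """ECB: every block is encrypted independently with the same key."""
    return b"".join(_toy_block_encrypt(p, key) for p in _blocks(pad(plaintext)))


def ecb_decrypt(ciphertext, key):
    return unpad(b"".join(_toy_block_decrypt(c, key) for c in _blocks(ciphertext)))


def cbc_encrypt(plaintext, key, iv):
    """CBC: each plaintext block is XORed with the previous ciphertext block (the IV first)
    before encryption, so equal plaintext blocks no longer give equal ciphertext blocks."""
    prev, out = iv, []
    for p in _blocks(pad(plaintext)):
        prev = _toy_block_encrypt(_xor(p, prev), key)
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(ciphertext, key, iv):
    prev, out = iv, []
    for c in _blocks(ciphertext):
        out.append(_xor(_toy_block_decrypt(c, key), prev))
        prev = c
    return unpad(b"".join(out))


def repeated_blocks(ciphertext):
    """How many ciphertext blocks duplicate another one: the regularity a cryptanalyst looks for."""
    bl = _blocks(ciphertext)
    return len(bl) - len(set(bl))


# Constructed sample: a key, an IV and a plaintext made of four identical blocks
KEY = bytes.fromhex("1337c0debaadf00d")
IV = bytes.fromhex("0011223344556677")
PLAINTEXT = b"ATTACK!!" * 4

if __name__ == "__main__":
    ecb = ecb_encrypt(PLAINTEXT, KEY)
    cbc = cbc_encrypt(PLAINTEXT, KEY, IV)
    print("ECB repeated blocks:", repeated_blocks(ecb), ecb.hex())
    print("CBC repeated blocks:", repeated_blocks(cbc), cbc.hex())
```

With four identical plaintext blocks the ECB output contains four identical ciphertext blocks, which reveals the structure of the plaintext without any key; CBC's output shows no such repeats. Swapping a real block cipher in for the toy one does not change that comparison.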
Public key cryptography
(figure: plaintext message m → encryption algorithm using Bob's public key K+B → ciphertext K+B(m) → decryption algorithm using Bob's private key K-B → plaintext message m = K-B(K+B(m)))
• RSA (Rivest, Shamir, Adleman): Developed in 1977; most widely accepted and implemented approach to public-key encryption; block cipher in which the plaintext and ciphertext are integers between 0 and n-1 for some n.
• Diffie-Hellman key exchange algorithm: Enables two users to securely reach agreement about a shared secret that can be used as a secret key for subsequent symmetric encryption of messages; limited to the exchange of the keys
• Digital Signature Standard (DSS): Provides only a digital signature function with SHA-1; cannot be used for encryption or key exchange
• Elliptic curve cryptography (ECC): Security like RSA, but with much smaller keys
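The relationship m = K-B(K+B(m)) and the fact that RSA works on integers between 0 and n-1, as an added textbook-RSA example in Python; it is not code from the slides. The primes 61 and 53 and the exponent 17 are toy values chosen for illustration.

```python
from math import gcd


def keygen(p, q, e=17):
    """Textbook RSA key generation from two primes. Returns (public, private) as (e, n), (d, n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)   # modular inverse of e (Python 3.8+)
    return (e, n), (d, n)


def encrypt(public_key, m):
    """K+B(m) = m^e mod n; the plaintext must be an integer in [0, n-1]."""
    e, n = public_key
    if not 0 <= m < n:
        raise ValueError("plaintext block out of range")
    return pow(m, e, n)


def decrypt(private_key, c):
    """K-B(c) = c^d mod n, so that K-B(K+B(m)) = m."""
    d, n = private_key
    return pow(c, d, n)


def encrypt_text(public_key, text):
    """Encrypt a string one byte per block. Deterministic and unpadded: identical bytes give
    identical ciphertext blocks, which is why real RSA adds randomized padding (e.g. OAEP)."""
    return [encrypt(public_key, b) for b in text.encode()]


def decrypt_text(private_key, blocks):
    return bytes(decrypt(private_key, c) for c in blocks).decode()


# Constructed toy parameters: p = 61, q = 53 give n = 3233; real keys use 2048-bit or larger n
PUBLIC, PRIVATE = keygen(61, 53)

if __name__ == "__main__":
    c = encrypt(PUBLIC, 65)
    print("public", PUBLIC, "private", PRIVATE)
    print("65 ->", c, "->", decrypt(PRIVATE, c))
```

Anyone holding the public pair (e, n) can encrypt; only the holder of d can reverse it, which is the asymmetry the figure above draws with K+B and K-B.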
Block & Stream Ciphers
Block Cipher
• Processes the input one block of elements at a time
• Produces an output block for each input block
• Can reuse keys
• More common
Stream Cipher
• Processes the input elements continuously
• Produces output one element at a time
• Primary advantage is that they are almost always faster and use far less code
• Encrypts plaintext one byte at a time
• Pseudorandom stream is one that is unpredictable without knowledge of the input key
How to break an encryption scheme?
Breaking an encryption scheme
• cipher-text only attack: Trudy has ciphertext she can analyze
• two approaches:
• brute force: search through all keys
• statistical analysis
• known-plaintext attack: Trudy has plaintext corresponding to ciphertext
• e.g., in monoalphabetic cipher, Trudy determines pairings for a,l,i,c,e,b,o,
• chosen-plaintext attack: Trudy can get ciphertext for chosen plaintext
Brute-Force Attack
Involves trying every possible key until an intelligible
translation of the ciphertext into plaintext is
obtained
On average, half of all possible keys must be tried to
achieve success
To supplement the brute-force approach, some
degree of knowledge about the expected plaintext
is needed, and some means of automatically
distinguishing plaintext from garble is also needed
Types of Attacks on Encrypted Messages
Cryptography techniques
Substitution Technique
• Is one in which the letters of plaintext are replaced by other letters or by numbers or symbols
• If the plaintext is viewed as a sequence of bits, then substitution involves replacing plaintext bit patterns with ciphertext bit patterns
Caesar Cipher
• Simplest and earliest known use of a substitution
cipher
• Used by Julius Caesar
• Involves replacing each letter of the alphabet with
the letter standing three places further down the
alphabet
• Alphabet is wrapped around so that the letter
following Z is A
plain: meet me after the toga party
cipher: PHHW PH DIWHU WKH WRJD SDUWB
Caesar Cipher Algorithm
• Can define transformation as:
a b c d e f g h i j k l m n o p q r s t u v w x y z
D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
• Mathematically give each letter a number
a b c d e f g h i j k l m n o p q r s t u v w x y z
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
• Algorithm can be expressed as:
c = E(3, p) = (p + 3) mod 26
• A shift may be of any amount, so that the general Caesar
algorithm is:
C = E(k, p) = (p + k) mod 26
• Where k takes on a value in the range 1 to 25; the
decryption algorithm is simply:
p = D(k, C) = (C - k) mod 26
Brute-Force Cryptanalysis of Caesar Cipher
(This chart can be found on page 75 in the textbook)
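The general Caesar algorithm E(k, p) and D(k, C), together with the brute-force cryptanalysis that the textbook chart illustrates, as an added Python example (not code from the slides). The small dictionary used to tell plaintext from garble is constructed for the example.

```python
import string

ALPHA = string.ascii_lowercase


def caesar_encrypt(k, plaintext):
    """C = E(k, p) = (p + k) mod 26 for each letter, with a = 0 ... z = 25.
    Ciphertext is written in upper case as on the slide; non-letters pass through."""
    out = []
    for ch in plaintext.lower():
        out.append(ALPHA[(ALPHA.index(ch) + k) % 26].upper() if ch in ALPHA else ch)
    return "".join(out)


def caesar_decrypt(k, ciphertext):
    """p = D(k, C) = (C - k) mod 26."""
    out = []
    for ch in ciphertext.lower():
        out.append(ALPHA[(ALPHA.index(ch) - k) % 26] if ch in ALPHA else ch)
    return "".join(out)


def brute_force(ciphertext):
    """The textbook chart: decrypt under every key 1..25 and return {key: candidate plaintext}."""
    return {k: caesar_decrypt(k, ciphertext) for k in range(1, 26)}


# Constructed mini word list standing in for "some knowledge about the expected plaintext"
COMMON_WORDS = {"the", "me", "meet", "after", "party", "and", "you"}


def plaintext_score(candidate):
    """Automatic plaintext-versus-garble test: how many tokens are recognisable words."""
    return sum(tok in COMMON_WORDS for tok in candidate.split())


def recover_key(ciphertext):
    """Run the brute-force search and return (best key, recovered plaintext)."""
    return max(brute_force(ciphertext).items(), key=lambda kv: plaintext_score(kv[1]))


if __name__ == "__main__":
    c = caesar_encrypt(3, "meet me after the toga party")
    print(c)
    for k, candidate in brute_force(c).items():
        print(f"{k:2d} {candidate}")
    print("best:", recover_key(c))
```

Only 25 keys exist, so the whole chart is produced instantly; the word-list scorer is the "means of automatically distinguishing plaintext from garble" that the brute-force slide calls for, and it is what makes the search usable without a human reading every row.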
Monoalphabetic Cipher
• Permutation
• Of a finite set of elements S is an ordered sequence of
all the elements of S , with each element appearing
exactly once
• If the “cipher” line can be any permutation of the
26 alphabetic characters, then there are 26! or
greater than 4 x 10^26 possible keys
• This is 10 orders of magnitude greater than the key
space for DES
• Approach is referred to as a monoalphabetic
substitution cipher because a single cipher alphabet is
used per message
Monoalphabetic Ciphers
• Easy to break because they reflect the frequency
data of the original alphabet
• Countermeasure is to provide multiple
substitutes (homophones) for a single letter
• Digram
• Two-letter combination
• Most common is th
• Trigram
• Three-letter combination
• Most frequent is the
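Frequency analysis of a monoalphabetic ciphertext, as an added Python example not found on the slides: it counts letters, digrams and trigrams and uses the expected English leaders (e, th, the) to guess pairings. The English sample sentence is constructed; the key is the one from the earlier monoalphabetic slide.

```python
import math
import re
import string
from collections import Counter

# The monoalphabetic key from the earlier slide (plaintext a..z -> this line)
MONO_KEY = "mnbvcxzasdfghjklpoiuytrewq"

# Constructed English sample, short but with e / th / the as the leading letter, digram and trigram
SAMPLE_PLAINTEXT = ("the thief then took the three keys and the other thief "
                    "took the rest of the treasure here")


def mono_encrypt(text, key=MONO_KEY):
    return text.translate(str.maketrans(string.ascii_lowercase, key))


def ngram_counts(text, n):
    """Count n-grams inside each run of letters, so a digram never spans a word boundary."""
    counts = Counter()
    for word in re.findall(r"[a-z]+", text.lower()):
        for i in range(len(word) - n + 1):
            counts[word[i:i + n]] += 1
    return counts


def top_ngram(text, n):
    return ngram_counts(text, n).most_common(1)[0][0]


def guess_mapping(ciphertext):
    """Propose cipher-letter -> plain-letter pairings from the single most frequent letter,
    digram and trigram, assuming English statistics (e, th, the)."""
    guess = {top_ngram(ciphertext, 1): "e"}
    guess.update(zip(top_ngram(ciphertext, 2), "th"))
    guess.update(zip(top_ngram(ciphertext, 3), "the"))
    return guess


def guess_is_consistent(guess, key=MONO_KEY):
    """Check each guessed pairing against the real key (possible here only because we know it)."""
    return all(key[string.ascii_lowercase.index(p)] == c for c, p in guess.items())


def key_space():
    """Number of monoalphabetic keys: 26!, which exceeds 4 x 10^26 (compare 2^56 for DES)."""
    return math.factorial(26)


if __name__ == "__main__":
    ct = mono_encrypt(SAMPLE_PLAINTEXT)
    print(ct)
    print("top letter/digram/trigram:", top_ngram(ct, 1), top_ngram(ct, 2), top_ngram(ct, 3))
    print("guessed pairings:", guess_mapping(ct), "consistent:", guess_is_consistent(guess_mapping(ct)))
    print("keys:", key_space())
```

The key space is enormous, yet three frequency counts already recover three pairings, which is the slide's point: the cipher preserves the statistics of the plaintext, so the size of the key space is no defence. Homophones (several ciphertext symbols per plaintext letter) are the countermeasure named above because they flatten exactly these counts.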
Playfair Cipher
• Best-known multiple-letter encryption cipher
• Treats digrams in the plaintext as single units and
translates these units into ciphertext digrams
• Based on the use of a 5 x 5 matrix of letters
constructed using a keyword
• Invented by British scientist Sir Charles
Wheatstone in 1854
• Used as the standard field system by the British
Army in World War I and the U.S. Army and other
Allied forces during World War II
Playfair Key Matrix
• Fill in letters of keyword (minus duplicates) from
left to right and from top to bottom, then fill in the
remainder of the matrix with the remaining letters
in alphabetic order
• Using the keyword PLAYFAIR:
P L A Y F
I R B C D
E G H K M
N O Q S T
U V W X Z
Playfair encryption
(using the PLAYFAIR key matrix above)
1. Break plaintext into letter pairs
• If a pair would contain double letters, split with x
• Pad end with x
• hellothere becomes he lx lo th er ex
2. For each pair,
• If they are in the same row, replace each with the letter to its right (mod 5): he → KG
• If they are in the same column, replace each with the letter below it (mod 5): lo → RV
• Otherwise, replace each with the letter we'd get if we swapped their column indices: lx → YV
he lx lo th er ex → KG YV RV QM GI KU
To decrypt, just reverse!
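The Playfair key matrix and the two encryption steps above, as an added Python example (not the slides' own code). It uses the slide's keyword PLAYFAIR and the hellothere example; merging J into I is an assumption made here so that 26 letters fit the 25 cells.

```python
import string


def playfair_matrix(keyword):
    """5 x 5 key matrix: keyword letters (duplicates dropped) left to right, top to bottom,
    then the remaining letters in alphabetic order. J is merged into I (assumption) to fit 25 cells."""
    letters = []
    for ch in (keyword + string.asc_lowercase if False else keyword + string.ascii_lowercase).lower():
        ch = "i" if ch == "j" else ch
        if ch in string.ascii_lowercase and ch not in letters:
            letters.append(ch)
    return [letters[r * 5:(r + 1) * 5] for r in range(5)]


def _positions(matrix):
    return {ch: (r, c) for r, row in enumerate(matrix) for c, ch in enumerate(row)}


def digrams(plaintext):
    """Step 1: split into letter pairs, inserting x between double letters and padding the end with x."""
    text = "".join("i" if ch == "j" else ch for ch in plaintext.lower() if ch.isalpha())
    pairs, i = [], 0
    while i < len(text):
        a = text[i]
        b = text[i + 1] if i + 1 < len(text) else None
        if b is None or b == a:
            pairs.append(a + "x")
            i += 1
        else:
            pairs.append(a + b)
            i += 2
    return pairs


def _transform(matrix, pos, pair, step):
    """Step 2 for one pair: same row -> shift along the row, same column -> shift down the column,
    otherwise swap the column indices. step=+1 encrypts, step=-1 decrypts."""
    (r1, c1), (r2, c2) = pos[pair[0]], pos[pair[1]]
    if r1 == r2:
        return matrix[r1][(c1 + step) % 5] + matrix[r2][(c2 + step) % 5]
    if c1 == c2:
        return matrix[(r1 + step) % 5][c1] + matrix[(r2 + step) % 5][c2]
    return matrix[r1][c2] + matrix[r2][c1]


def playfair_encrypt(plaintext, keyword):
    matrix = playfair_matrix(keyword)
    pos = _positions(matrix)
    return "".join(_transform(matrix, pos, p, +1) for p in digrams(plaintext)).upper()


def playfair_decrypt(ciphertext, keyword):
    """Reverse the transformation; the inserted and padding x letters are left for the reader to drop."""
    matrix = playfair_matrix(keyword)
    pos = _positions(matrix)
    text = ciphertext.lower()
    return "".join(_transform(matrix, pos, text[i:i + 2], -1) for i in range(0, len(text), 2))


if __name__ == "__main__":
    for row in playfair_matrix("playfair"):
        print(" ".join(row).upper())
    print(digrams("hellothere"), playfair_encrypt("hellothere", "playfair"))
    print(playfair_decrypt("KGYVRVQMGIKU", "playfair"))
```

Because the unit of substitution is a digram, single-letter frequencies of the plaintext are no longer directly visible in the ciphertext, which is why Playfair resisted the analysis that breaks a monoalphabetic cipher; the 600-odd possible digrams still carry usable statistics, which is the limit of its strength.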
Hill Cipher
• Developed by the mathematician Lester Hill in
1929
• Strength is that it completely hides single-letter
frequencies
• The use of a larger matrix hides more frequency
information
• A 3 x 3 Hill cipher hides not only single-letter but also
two-letter frequency information
• Strong against a ciphertext-only attack but easily
broken with a known plaintext attack
Polyalphabetic Ciphers
• Polyalphabetic substitution cipher
• Improves on the simple monoalphabetic technique by
using different monoalphabetic substitutions as one
proceeds through the plaintext message
All these techniques have the following features
in common:
• A set of related monoalphabetic substitution
rules is used
• A key determines which particular rule is
chosen for a given transformation
Vigenère Cipher
• Best known and one of the simplest
polyalphabetic substitution ciphers
• In this scheme the set of related monoalphabetic
substitution rules consists of the 26 Caesar
ciphers with shifts of 0 through 25
• Each cipher is denoted by a key letter which is
the ciphertext letter that substitutes for the
plaintext letter a
Vigenère Cipher
Example of Vigenère Cipher
• To encrypt a message, a key is needed that is as
long as the message
• Usually, the key is a repeating keyword
• For example, if the keyword is deceptive, the
message “we are discovered save yourself” is
encrypted as:
key: deceptivedeceptivedeceptive
plaintext: wearediscoveredsaveyourself
ciphertext: ZICVTWQNGRZGVTWAVZHCQYGLMGJ
Vigenère Autokey System
• A keyword is concatenated with the plaintext
itself to provide a running key
• Example:
key: deceptivewearediscoveredsav
plaintext: wearediscoveredsaveyourself
ciphertext: ZICVTWQNGKZEIIGASXSTSLVVWLA
• Even this scheme is vulnerable to cryptanalysis
• Because the key and the plaintext share the same
frequency distribution of letters, a statistical
technique can be applied
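An added worked example (not from the slides) that reproduces both Vigenère examples above in Python, with the repeating keyword and with the autokey running key, and a small check that shows the repetition a statistical attack exploits: the trigram VTW recurs in the first ciphertext at a distance of 9, the keyword length.

```python
"""Vigenere cipher: repeating keyword and autokey variants, letters only,
a=0 ... z=25, as in the slide examples with keyword deceptive."""
import string

ALPHA = string.ascii_lowercase


def _letters(text: str) -> str:
    return "".join(c for c in text.lower() if c in ALPHA)


def key_stream(plaintext: str, keyword: str, autokey: bool = False) -> str:
    """One key letter per plaintext letter: the keyword cycled, or, for the
    autokey system, the keyword followed by the plaintext itself."""
    p, k = _letters(plaintext), _letters(keyword)
    if autokey:
        return (k + p)[:len(p)]
    return (k * (len(p) // len(k) + 1))[:len(p)]


def vigenere_encrypt(plaintext: str, keyword: str, autokey: bool = False) -> str:
    p = _letters(plaintext)
    stream = key_stream(p, keyword, autokey)
    # Each key letter selects one of the 26 Caesar ciphers (shift by its index).
    return "".join(ALPHA[(ALPHA.index(a) + ALPHA.index(b)) % 26]
                   for a, b in zip(p, stream)).upper()


def vigenere_decrypt(ciphertext: str, keyword: str, autokey: bool = False) -> str:
    c, k = _letters(ciphertext), _letters(keyword)
    out = []
    for i, ch in enumerate(c):
        if autokey and i >= len(k):
            # Past the keyword the key letter is a plaintext letter already
            # recovered, so decryption has to proceed left to right.
            kch = out[i - len(k)]
        else:
            kch = k[i % len(k)]
        out.append(ALPHA[(ALPHA.index(ch) - ALPHA.index(kch)) % 26])
    return "".join(out)


def repeated_trigram_distances(ciphertext: str) -> dict:
    """Kasiski-style check for the repeating-keyword scheme: the same
    plaintext under the same key letters gives the same ciphertext, so the
    distances between repeated trigrams are multiples of the key length."""
    c = _letters(ciphertext).upper()
    positions = {}
    for i in range(len(c) - 2):
        positions.setdefault(c[i:i + 3], []).append(i)
    return {t: [b - a for a, b in zip(p, p[1:])]
            for t, p in positions.items() if len(p) > 1}


if __name__ == "__main__":
    msg = "we are discovered save yourself"
    print(vigenere_encrypt(msg, "deceptive"))                # ZICVTWQNGRZGVTWAVZHCQYGLMGJ
    print(vigenere_encrypt(msg, "deceptive", autokey=True))  # ZICVTWQNGKZEIIGASXSTSLVVWLA
    print(repeated_trigram_distances("ZICVTWQNGRZGVTWAVZHCQYGLMGJ"))  # {'VTW': [9]}
```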
Vernam Cipher
One-Time Pad
• Improvement to Vernam cipher proposed by an Army
Signal Corp officer, Joseph Mauborgne
• Use a random key that is as long as the message so that
the key need not be repeated
• Key is used to encrypt and decrypt a single message and
then is discarded
• Each new message requires a new key of the same
length as the new message
• Scheme is unbreakable
• Produces random output that bears no statistical relationship
to the plaintext
• Because the ciphertext contains no information whatsoever
about the plaintext, there is simply no way to break the code
Difficulties
• The one-time pad offers complete security but, in
practice, has two fundamental difficulties:
• There is the practical problem of making large quantities of
random keys
• Any heavily used system might require millions of random characters
on a regular basis
• Mammoth key distribution problem
• For every message to be sent, a key of equal length is needed by
both sender and receiver
• Because of these difficulties, the one-time pad is of
limited utility
• Useful primarily for low-bandwidth channels requiring very
high security
• The one-time pad is the only cryptosystem that exhibits
perfect secrecy
Rail Fence Cipher
• Simplest transposition cipher
• Plaintext is written down as a sequence of
diagonals and then read off as a sequence of
rows
• To encipher the message “meet me after the toga
party” with a rail fence of depth 2, we would
write:
mematrhtgpry
etefeteoaat
Encrypted message is:
MEMATRHTGPRYETEFETEOAAT
Row Transposition Cipher
• Is a more complex transposition
• Write the message in a rectangle, row by row, and
read the message off, column by column, but
permute the order of the columns
• The order of the columns then becomes the key to the
algorithm
Key:        4 3 1 2 5 6 7
Plaintext:  a t t a c k p
            o s t p o n e
            d u n t i l t
            w o a m x y z
Ciphertext: TTNAAPTMTSUOAODWCOIXKNLYPETZ
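An added worked example (not from the slides) implementing both transposition ciphers above in Python, with decryption. It assumes the key lists, for each column, the position in which that column is read off, and that the last row is completed with the filler letters x y z as on the slide.

```python
"""Rail fence (any depth) and row transposition ciphers."""


def _rail_pattern(n: int, depth: int) -> list:
    """Rail index of each of n letters written as a zig-zag of diagonals."""
    pattern, rail, step = [], 0, 1
    for _ in range(n):
        pattern.append(rail)
        if depth > 1:
            if rail == 0:
                step = 1
            elif rail == depth - 1:
                step = -1
            rail += step
    return pattern


def rail_fence_encrypt(plaintext: str, depth: int = 2) -> str:
    letters = [c for c in plaintext.lower() if c.isalpha()]
    pattern = _rail_pattern(len(letters), depth)
    # Read off row by row: every rail-0 letter, then every rail-1 letter, ...
    rails = ["".join(c for c, r in zip(letters, pattern) if r == rail)
             for rail in range(depth)]
    return "".join(rails).upper()


def rail_fence_decrypt(ciphertext: str, depth: int = 2) -> str:
    text = ciphertext.lower()
    pattern = _rail_pattern(len(text), depth)
    # Cut the ciphertext into rails of the right lengths, then walk the
    # zig-zag again, taking the next letter from whichever rail it visits.
    rails, pos = [], 0
    for rail in range(depth):
        count = pattern.count(rail)
        rails.append(list(text[pos:pos + count]))
        pos += count
    return "".join(rails[r].pop(0) for r in pattern)


def row_transposition_encrypt(plaintext: str, key: list, filler: str = "xyz") -> str:
    cols = len(key)
    letters = [c for c in plaintext.lower() if c.isalpha()]
    missing = (-len(letters)) % cols
    letters += list((filler * cols)[:missing])      # complete the last row
    rows = [letters[i:i + cols] for i in range(0, len(letters), cols)]
    # Column j is read off in position key[j]; the column marked 1 goes first.
    order = sorted(range(cols), key=lambda j: key[j])
    return "".join(rows[r][j] for j in order for r in range(len(rows))).upper()


def row_transposition_decrypt(ciphertext: str, key: list) -> str:
    cols = len(key)
    nrows = len(ciphertext) // cols
    order = sorted(range(cols), key=lambda j: key[j])
    grid = [[""] * cols for _ in range(nrows)]
    pos = 0
    for j in order:                       # refill the columns in key order
        for r in range(nrows):
            grid[r][j] = ciphertext[pos].lower()
            pos += 1
    return "".join("".join(row) for row in grid)


if __name__ == "__main__":
    print(rail_fence_encrypt("meet me after the toga party"))   # MEMATRHTGPRYETEFETEOAAT
    key = [4, 3, 1, 2, 5, 6, 7]
    print(row_transposition_encrypt("attack postponed until two am", key))  # TTNAAPTMTSUOAODWCOIXKNLYPETZ
```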
Steganography
Other Steganography Techniques
• Character marking
• Selected letters of printed or typewritten text are over-written in pencil
• The marks are ordinarily not visible unless the paper is held at an angle to bright light
• Invisible ink
• A number of substances can be used for writing but leave no visible trace until heat or some chemical is applied to the paper
• Pin punctures
• Small pin punctures on selected letters are ordinarily not visible unless the paper is held up in front of a light
• Typewriter correction ribbon
• Used between lines typed with a black ribbon, the results of typing with the correction tape are visible only under a strong light
Steganography
vs. Encryption?
Is there a
winner?
Steganography vs. Encryption
• Steganography has a number of drawbacks when compared to encryption
• It requires a lot of overhead to hide a relatively few bits of information
• Once the system is discovered, it becomes virtually worthless
• The advantage of steganography
• It can be employed by parties who have something to lose should the fact of their secret communication (not necessarily the content) be discovered
• Encryption flags traffic as important or secret or may identify the sender or receiver as someone with something to hide
Exercise 1
• Decode the message using both brute force and
frequency analysis attacks
Exercise 2
Technique | Easy to break? | Complex implementation? | Best way to break it?
Caesar cypher
Most-frequent
substitution cypher
Playfair cypher
Vigenère cipher
Rail fence
Row Transposition
Steganography
CONTACT YOUR
LECTURER
[Link]@[Link]
Computer Security
03 – Cryptographic tools (2)
Public Key Cryptography
symmetric key crypto
• requires sender, receiver know shared secret key
• Q: how to agree on key in first place (particularly if never “met”)?
public key crypto
• radically different approach [Diffie-Hellman76, RSA78]
• sender, receiver do not share secret key
• public encryption key known to all
• private decryption key known only to receiver
Misconceptions Concerning
Public-Key Encryption
• Public-key encryption is more secure
from cryptanalysis than symmetric
encryption
• Public-key encryption is a general-
purpose technique that has made
symmetric encryption obsolete
• There is a feeling that key distribution is
trivial when using public-key
encryption, compared to the
cumbersome handshaking involved
with key distribution centers for
symmetric encryption
Principles of Public-Key
Cryptosystems
§ The concept of public-key cryptography evolved from an
attempt to attack two of the most difficult problems
associated with symmetric encryption:
Key distribution
• How to have secure communications in general without having to trust
a KDC with your key
Digital signatures
• How to verify that a message comes intact from the claimed sender
§ Whitfield Diffie and Martin Hellman from Stanford
University achieved a breakthrough in 1976 by coming up
with a method that addressed both problems and was
radically different from all previous approaches to
cryptography
Public Key Cryptography
• Plaintext: Readable message or data that is fed into the algorithm as input
• Encryption algorithm: Performs transformations on the plaintext
• Public and private key: Pair of keys, one for encryption, one for decryption
• Ciphertext: Scrambled message produced as output
• Decryption algorithm: Produces the original plaintext
Conventional and Public-Key Encryption
Conventional Encryption
Needed to Work:
1. The same algorithm with the same key is used for encryption and decryption.
2. The sender and receiver must share the algorithm and the key.
Needed for Security:
1. The key must be kept secret.
2. It must be impossible or at least impractical to decipher a message if the key is kept secret.
3. Knowledge of the algorithm plus samples of ciphertext must be insufficient to determine the key.
Public-Key Encryption
Needed to Work:
1. One algorithm is used for encryption and a related algorithm for decryption with a pair of keys, one for encryption and one for decryption.
2. The sender and receiver must each have one of the matched pair of keys (not the same one).
Needed for Security:
1. One of the two keys must be kept secret.
2. It must be impossible or at least impractical to decipher a message if one of the keys is kept secret.
3. Knowledge of the algorithm plus one of the keys plus samples of ciphertext must be insufficient to determine the other key.
Public key cryptography
K_B^+ : Bob’s public key
K_B^- : Bob’s private key
plaintext message m → encryption algorithm → ciphertext K_B^+(m) → decryption algorithm → plaintext message m = K_B^-(K_B^+(m))
What does Trudy have to do to break an asymmetric key?
Public-Key Requirements
§ Conditions that these algorithms must fulfill:
§ It is computationally easy for a party B to generate a
pair (public-key PUb, private key PRb)
§ It is computationally easy for a sender A, knowing the
public key and the message to be encrypted, to
generate the corresponding ciphertext
§ It is computationally easy for the receiver B to decrypt
the resulting ciphertext using the private key to
recover the original message
§ It is computationally infeasible for an adversary,
knowing the public key, to determine the private key
§ It is computationally infeasible for an adversary,
knowing the public key and a ciphertext, to recover
the original message
§ The two keys can be applied in either order
Public key encryption algorithms
requirements:
1. need K_B^+(·) and K_B^-(·) such that K_B^-(K_B^+(m)) = m
2. given public key K_B^+, it should be impossible to compute private key K_B^-
RSA: Rivest, Shamir, Adleman algorithm
Prerequisite: modular arithmetic
• x mod n = remainder of x when divided by n
• facts:
[(a mod n) + (b mod n)] mod n = (a+b) mod n
[(a mod n) - (b mod n)] mod n = (a-b) mod n
[(a mod n) * (b mod n)] mod n = (a*b) mod n
• thus
(a mod n)^d mod n = a^d mod n
• example: x=14, n=10, d=2:
(x mod n)^d mod n = 4^2 mod 10 = 6
x^d = 14^2 = 196, x^d mod 10 = 6
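An added worked example in Python (not from the slides): a toy RSA with the primes 61 and 53 that checks the modular arithmetic fact above, the requirement K_B^-(K_B^+(m)) = m, the property that the two keys can be applied in either order (hash-then-sign with K^-, check with K^+), and the statement that whoever factors n can rebuild the private key. The primes, the message 65 and the reduction of the digest mod n are illustration-only assumptions; real keys are thousands of bits and use padding.

```python
"""Toy RSA: key generation, encryption/decryption, either-order use, and
recovery of d from the factors of n. Tiny parameters, for illustration."""
import hashlib
from math import gcd


def mod_exp_fact(x: int, n: int, d: int) -> tuple:
    """Slide example: x=14, n=10, d=2 -> (x mod n)^d mod n == x^d mod n == 6."""
    return pow(x % n, d, n), pow(x, d) % n


def keygen(p: int, q: int, e: int = 17) -> tuple:
    """Public key K+ = (e, n), private key K- = (d, n), d = e^-1 mod (p-1)(q-1)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    return (e, n), (pow(e, -1, phi), n)


def apply_key(key: tuple, m: int) -> int:
    """RSA is a block cipher on integers 0 <= m < n: m^(e or d) mod n."""
    exp, n = key
    if not 0 <= m < n:
        raise ValueError("block must lie in [0, n)")
    return pow(m, exp, n)


def _digest_mod_n(message: bytes, n: int) -> int:
    # Reduced mod n only because the toy modulus is far smaller than a
    # SHA-256 output; a real signature scheme pads the digest instead.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(priv: tuple, message: bytes) -> int:
    """Hash the message, then apply the private key (keys work in either order)."""
    return apply_key(priv, _digest_mod_n(message, priv[1]))


def verify(pub: tuple, message: bytes, sig: int) -> bool:
    """Applying the public key to the signature must give the digest back."""
    return apply_key(pub, sig) == _digest_mod_n(message, pub[1])


def private_from_factors(pub: tuple, p: int, q: int) -> tuple:
    """Knowing p and q is knowing d: this is why the modulus size matters."""
    e, n = pub
    if p * q != n:
        raise ValueError("p*q must equal n")
    return (pow(e, -1, (p - 1) * (q - 1)), n)


if __name__ == "__main__":
    pub, priv = keygen(61, 53)            # n = 3233, e = 17, d = 2753
    c = apply_key(pub, 65)                # encrypt with K+: 2790
    print(c, apply_key(priv, c))          # decrypt with K-: 65
    s = sign(priv, b"hello")
    print(verify(pub, b"hello", s), verify(pub, b"hellp", s))
    print(private_from_factors(pub, 61, 53) == priv)
```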
Applications for Public-Key Cryptosystems
• Public-key cryptosystems can be classified into three categories:
• Encryption/decryption: The sender encrypts a message with the recipient’s public key
• Digital signature: The sender “signs” a message with its private key
• Key exchange: Two sides cooperate to exchange a session key
• Some algorithms are suitable for all three applications, whereas others can be used only for one or two
RSA (Rivest, Shamir, Adleman)
• Developed in 1977
• Most widely accepted and implemented approach to public-key encryption
• Block cipher in which the plaintext and ciphertext are integers between 0 and n-1 for some n.
Diffie-Hellman key exchange algorithm
• Enables two users to securely reach agreement about a shared secret that can be used as a secret key for subsequent symmetric encryption of messages
• Limited to the exchange of the keys
Digital Signature Standard (DSS)
• Provides only a digital signature function with SHA-1
• Cannot be used for encryption or key exchange
Elliptic curve cryptography (ECC)
• Security like RSA, but with much smaller keys
Applications for Public-Key
Cryptosystems
Algorithm Digital Signature Symmetric Key Encryption of
Distribution Secret Keys
RSA Yes Yes Yes
Diffie-Hellman No Yes No
DSS Yes No No
Elliptic Curve Yes Yes Yes
• Computationally easy to create key pairs
• Computationally easy for sender knowing public key to encrypt messages
• Computationally easy for receiver knowing private key to decrypt ciphertext
• Computationally infeasible for opponent to determine private key from public key
• Computationally infeasible for opponent to otherwise recover original message
• Useful if either key can be used for each role
How to (possibly) break an asymmetric key encryption?
It is always possible to crack RSA by computing someone's private key from their public key.
All it takes is being able to factor the modulus (the number n that's common to both the public and private key) into its two prime factors.
Generally, when you read N-bit RSA it means that the modulus (the number n that's shared by the public and private keys) is N bits long.
If you are really worried about security, simply increase the bit-size of your RSA keys!
Public-Key
Cryptanalysis
• A public-key encryption scheme is vulnerable to a brute-force attack
• Countermeasure: use large keys
• Key size must be small enough for practical encryption and
decryption
• Key sizes that have been proposed result in
encryption/decryption speeds that are too slow for general-
purpose use
• Public-key encryption is currently confined to key management
and signature applications
• Another form of attack is to find some way to compute the private key
given the public key
• To date it has not been mathematically proven that this form of
attack is infeasible for a particular public-key algorithm
• There is a probable-message attack
• This attack can be thwarted by appending some random
bits to simple messages
Man-in-the-middle attack
• Asymmetric (public key) encryption is almost magical —
you create security out of insecurity. However, there is still
one weakness in the system that's fundamental: you see
on a website something like
Hi, I'm Bob and my public key is
(106d231ecc13338084a1b857bb82a20b,a265d938
7a8a395527c98eeb024806dd)
• But how do you know that public key really belongs to the
guy you know as "Bob"? While you can be assured that, if
you encrypt a message with this key, only the key's owner
will be able to decrypt it, how can you be sure that the
key's owner is really "Bob"?
Can these
algorithms be used
for authentication?
Message Authentication
Without Confidentiality
• Message encryption by itself does not provide a secure form of authentication
• It is possible to combine authentication and confidentiality in a single algorithm
by encrypting a message plus its authentication tag
• Typically message authentication is provided as a separate function from
message encryption
• Situations in which message authentication without confidentiality may be
preferable include:
• There are a number of applications in which the same message
is broadcast to a number of destinations
• An exchange in which one side has a heavy load and cannot
afford the time to decrypt all incoming messages
• Authentication of a computer program in plaintext is an
attractive service
• Thus, there is a place for both authentication and encryption in meeting
security requirements
Message Authentication Requirements
• Disclosure
• Release of message contents to any person or process not possessing the appropriate cryptographic key
• Traffic analysis
• Discovery of the pattern of traffic between parties
• Masquerade
• Insertion of messages into the network from a fraudulent source
• Content modification
• Changes to the contents of a message, including insertion, deletion, transposition, and modification
• Sequence modification
• Any modification to a sequence of messages between parties, including insertion, deletion, and reordering
• Timing modification
• Delay or replay of messages
• Source repudiation
• Denial of transmission of message by source
• Destination repudiation
• Denial of receipt of message by destination
Message Authentication Functions
• Two levels of functionality:
Lower level
• There must be some sort of function that produces an authenticator
Higher-level
• Uses the lower-level function as a primitive in an authentication protocol that enables a receiver to verify the authenticity of a message
• Hash function
• A function that maps a message of any length into a fixed-length hash value which serves as the authenticator
• Message encryption
• The ciphertext of the entire message serves as its authenticator
• Message authentication code (MAC)
• A function of the message and a secret key that produces a fixed-length value that serves as the authenticator
Message Authentication Code (MAC)
• Also known as a keyed hash function
• Typically used between two parties that share a
secret key to authenticate information exchanged
between those parties
Takes as input a secret key and a data block and produces a hash
value (MAC) which is associated with the protected message
• If the integrity of the message needs to be checked, the MAC
function can be applied to the message and the result compared
with the associated MAC value
• An attacker who alters the message will be unable to alter the
associated MAC value without knowledge of the secret key
Figure 2.3 Message Authentication Using a Message Authentication Code (MAC): the sender runs the MAC algorithm over the message with the shared key and transmits message plus MAC; the receiver runs the MAC algorithm over the received message and compares the result with the received MAC.
What is the main
issue with MAC?
Hash Functions
§ A hash function H accepts a variable-length block of data M as input and produces a fixed-size hash value
§ h = H(M)
§ Principal object is data integrity
§ Cryptographic hash function
§ An algorithm for which it is computationally infeasible to find either:
(a) a data object that maps to a pre-specified hash result (the one-way property)
(b) two data objects that map to the same hash result (the collision-free property)
To be useful for message
authentication, a hash function H must have the
following properties:
Can be applied to a block of data of any size
Produces a fixed-length output
H(x) is relatively easy to compute for any given x
One-way or pre-image resistant
• Computationally infeasible to find x such that H(x) = h
Computationally infeasible to find y ≠ x such that H(y) = H(x)
Collision resistant or strong collision resistance
• Computationally infeasible to find any pair (x,y) such that H(x) = H(y)
Security of Hash Functions
There are two approaches to attacking a secure hash function:
• Cryptanalysis
• Exploit logical weaknesses in the algorithm
• Brute-force attack
• Strength of hash function depends solely on the length of the hash code produced by the algorithm
SHA most widely used hash algorithm
Additional secure hash function applications:
• Passwords
• Hash of a password is stored by an operating system
• Intrusion detection
• Store H(F) for each file on a system and secure the hash
values
Figure 2.4 Cryptographic Hash Function; h = H(M). Input: message or data block M (variable length) followed by P, L = padding plus length field; output: hash value h (fixed length, L bits).
Can you decrypt
a Hash?
Attacks on Hash Functions
Brute-force attack
§ Does not depend on the specific algorithm, only depends on bit length
§ In the case of a hash function, attack depends only on the bit length of the hash value
§ Method is to pick values at random and try each one until a collision occurs
Cryptanalysis
§ An attack based on weaknesses in a particular cryptographic algorithm
§ Seek to exploit some property of the algorithm to perform some attack other than an exhaustive search
Digital Signatures
l NIST FIPS PUB 186-4 defines a digital signature as:
”The result of a cryptographic transformation of data that,
when properly implemented, provides a mechanism for
verifying origin authentication, data integrity and signatory
non-repudiation.”
l Thus, a digital signature is a data-dependent bit pattern, generated by
an agent as a function of a file, message, or other form of data block
l FIPS 186-4 specifies the use of one of three digital signature
algorithms:
l Digital Signature Algorithm (DSA)
l RSA Digital Signature Algorithm
l Elliptic Curve Digital Signature Algorithm (ECDSA)
Digital Signature Properties
• It must verify the author and the date and time of the signature
• It must authenticate the contents at the time of the signature
• It must be verifiable by third parties to resolve disputes
Figure 2.7 Simplified Depiction of Essential Elements of Digital Signature Process. (a) Bob signs a message: a cryptographic hash function maps message M to h; the digital signature generation algorithm takes h and Bob’s private key and outputs S, Bob’s signature for M, which is sent along with M. (b) Alice verifies the signature: Alice hashes M to h; the digital signature verification algorithm takes h, S and Bob’s public key and returns signature valid or not valid.
Attacks
• Key-only attack
• C only knows A’s public key
• Known message attack
• C is given access to a set of messages and their signatures
• Generic chosen message attack
• C chooses a list of messages before attempting to break A’s signature scheme, independent of A’s public key; C then obtains from A valid signatures for the chosen messages
• Directed chosen message attack
• Similar to the generic attack, except that the list of messages to be signed is chosen after C knows A’s public key but before any signatures are seen
• Adaptive chosen message attack
• C may request from A signatures of messages that depend on previously obtained message-signature pairs
Practical Application: Encryption of Stored Data
• Common to encrypt transmitted data
• Much less common for stored data
• There is often little protection beyond domain authentication and operating system access controls
• Data are archived for indefinite periods
• Even though erased, until disk sectors are reused data are recoverable
• Approaches to encrypt stored data:
• Use a commercially available encryption package
• Back-end appliance
• Library based tape encryption
• Background laptop/PC data encryption
Some questions
• Do you have any encrypted data in your computer?
• What do you think should be encrypted?
Summary
• Public-key encryption
§ Structure
§ Applications for public-key cryptosystems
§ Requirements for public-key cryptography
§ Asymmetric encryption algorithms
• Message authentication and hash functions
§ Authentication using symmetric encryption
§ Message authentication without message encryption
§ Secure hash functions
§ Other applications of hash functions
• Random and pseudorandom numbers
§ The use of random numbers
§ Random versus pseudorandom
• Digital signatures and key management
§ Digital signature
§ Public-key certificates
§ Symmetric key exchange using public-key encryption
§ Digital envelopes
• Practical Application: Encryption of Stored Data
Ok, what is next in the module?
• In the next few weeks we will focus on learning
detailed techniques for
• Message authentication and digital signatures (week 5)
• Symmetric Cryptography (week 6,7)
• Public keys/asymmetric cryptography (week 8,9)
• Later in the module we will also see: user authentication (week 10) and malware (week 11)
Computer Security
04 – Message Authentication and
Hash Functions
Hash Functions
A hash function H accepts a variable-length block of
data M as input and produces a fixed-size hash value
• h = H(M)
• Principal object is data integrity
Cryptographic hash function
• An algorithm for which it is computationally infeasible to find
either:
• (a) a data object that maps to a pre-specified hash result (the
one-way property)
• (b) two data objects that map to the same hash result (the
collision-free property)
Examples of Use of a Hash Function for Message Authentication
Figure 2.5 Message Authentication Using a One-Way Hash Function: (a) Using symmetric encryption (hash encrypted and decrypted with the shared key K), (b) Using public-key encryption (hash signed with PRa, checked with PUa), (c) Using secret value (a shared secret value K is hashed together with the message). In each case source A sends the message with the authenticator and destination B recomputes H and compares.
Other Hash Function Uses
• Commonly used to create a one-way password file
• When a user enters a password, the hash of that password is compared to the stored hash value for verification
• This approach to password protection is used by most operating systems
• Can be used for intrusion and virus detection
• Store H(F) for each file on a system and secure the hash values
• One can later determine if a file has been modified by recomputing H(F)
• An intruder would need to change F without changing H(F)
• Can be used to construct a pseudorandom function (PRF) or a pseudorandom number generator (PRNG)
• A common application for a hash-based PRF is for the generation of symmetric keys
Two Simple Hash Functions
Consider two simple insecure hash functions that operate using the
following general principles:
• The input is viewed as a sequence of n-bit blocks
• The input is processed one block at a time in an iterative fashion to produce an n-bit
hash function
Bit-by-bit exclusive-OR (XOR) of every block
• C_i = b_i1 xor b_i2 xor ... xor b_im
• Produces a simple parity for each bit position and is known as a longitudinal redundancy
check
• Reasonably effective for random data as a data integrity check
Perform a one-bit circular shift on the hash value after each block is
processed
• Has the effect of randomizing the input more completely and overcoming any
regularities that appear in the input
Simple Hash Function Using Bitwise XOR
          Bit 1   Bit 2   ...   Bit n
Block 1   b11     b21     ...   bn1
Block 2   b12     b22     ...   bn2
...       ...     ...     ...   ...
Block m   b1m     b2m     ...   bnm
Hash code C1      C2      ...   Cn
Secure Hash Algorithm (SHA)
• SHA was originally developed by NIST
• Published as FIPS 180 in 1993
• Was revised in 1995 as SHA-1
• Produces 160-bit hash values
• NIST issued revised FIPS 180-2 in 2002
• Adds 3 additional versions of SHA
• SHA-256, SHA-384, SHA-512
• With 256/384/512-bit hash values
• Same basic structure as SHA-1 but greater security
• The most recent version is FIPS 180-4 which added two variants of SHA-512 with 224-bit and 256-bit hash sizes
Merkle-Damgard Scheme
§ Well-known method to build cryptographic hash function
§ A message of arbitrary length is broken into blocks
§ length depends on the compression function f
§ padding the size of the message into a multiple of the block size.
§ sequentially process blocks, taking as input the result of the hash so far and the current message block, with the final fixed length output
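An added worked example in Python (not from the slides) that serves both the Merkle-Damgard scheme and the two simple hash functions above: each simple function is used as the compression function f inside an iterated construction with padding and a length field. A block size of n = 16 bits is an assumption chosen for readability. It shows why plain XOR is only a longitudinal parity check: swapping two blocks leaves the hash unchanged, whereas the rotate-then-XOR variant gives a different value (while still being far from collision resistant).

```python
"""Merkle-Damgard iteration around two toy compression functions."""

N_BITS = 16
N_BYTES = N_BITS // 8
MASK = (1 << N_BITS) - 1


def md_pad(message: bytes, block_bytes: int = N_BYTES) -> bytes:
    """Append a single 1 bit (0x80), zero bytes up to a block boundary, then
    one extra block holding the message length in bits (MD strengthening)."""
    padded = message + b"\x80"
    while len(padded) % block_bytes:
        padded += b"\x00"
    return padded + (len(message) * 8).to_bytes(block_bytes, "big")


def xor_compress(state: int, block: int) -> int:
    """C_i = b_i1 xor b_i2 xor ... xor b_im: bit-by-bit XOR of every block."""
    return state ^ block


def rotxor_compress(state: int, block: int) -> int:
    """One-bit circular left shift of the running value, then XOR the block."""
    rotated = ((state << 1) | (state >> (N_BITS - 1))) & MASK
    return rotated ^ block


def md_hash(message: bytes, compress, block_bytes: int = N_BYTES) -> int:
    """Process the padded blocks sequentially: each step takes the hash so
    far and the current block; the final state is the n-bit output."""
    padded = md_pad(message, block_bytes)
    state = 0
    for i in range(0, len(padded), block_bytes):
        block = int.from_bytes(padded[i:i + block_bytes], "big")
        state = compress(state, block)
    return state


def swap_first_two_blocks(message: bytes, block_bytes: int = N_BYTES) -> bytes:
    """Constructed second message: same blocks, first two in reverse order."""
    b = block_bytes
    return message[b:2 * b] + message[:b] + message[2 * b:]


if __name__ == "__main__":
    m = b"ABCD"                     # constructed input: two 16-bit blocks
    m2 = swap_first_two_blocks(m)   # b"CDAB"
    print(hex(md_hash(m, xor_compress)), hex(md_hash(m2, xor_compress)))        # 0x8226 0x8226
    print(hex(md_hash(m, rotxor_compress)), hex(md_hash(m2, rotxor_compress)))  # 0x722 0x1f0a
```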
Is SHA-1 secure?
• An attack is to produce a collision.
• Birthday attack: randomly generate a set of messages
{m1, m2,..., mk}, hoping to produce a collision.
• n=160 is big enough to resist birthday attacks for now.
• There is no mathematical proof for its collision
resistance ability.
• In 2004, a collision for a "58 rounds" SHA-1 was
produced. (The compression function of SHA-1 has 80
rounds.)
• Newer SHA's have been included in the standard:
SHA-256, SHA-384, SHA-512.
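An added worked example in Python (not from the slides) of the birthday attack described above. Truncating SHA-256 to a few bits is an assumption that stands in for a short hash; it lets a collision appear in well under a second, and the number of trials comes out near the birthday bound sqrt(pi/2 * 2^bits), i.e. about 2^(bits/2) rather than 2^bits, which is why n = 160 was judged large enough.

```python
"""Birthday collision search on a truncated hash."""
import hashlib
import math


def truncated_hash(data: bytes, bits: int) -> int:
    """Leading `bits` bits of SHA-256, standing in for a short hash code."""
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def birthday_collision(bits: int, prefix: bytes = b"msg-") -> tuple:
    """Generate distinct messages m1, m2, ... and stop at the first pair
    with equal truncated hash. Returns (m1, m2, trials). Because the hash
    output is pseudorandom, a counter behaves like random picks, and
    distinct inputs guarantee a collision within 2^bits + 1 trials."""
    seen = {}
    trials = 0
    while True:
        trials += 1
        m = prefix + str(trials).encode()
        h = truncated_hash(m, bits)
        if h in seen:
            return seen[h], m, trials
        seen[h] = m


def expected_trials(bits: int) -> float:
    """Expected number of picks before the first collision (birthday bound)."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


if __name__ == "__main__":
    for bits in (16, 20, 24):
        m1, m2, trials = birthday_collision(bits)
        print(f"{bits} bits: collision after {trials} trials "
              f"(expected ~{expected_trials(bits):.0f}): {m1!r} {m2!r}")
```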
SHA-512 Overview
Requirements and Security
Preimage
§ x is the preimage of h for a hash value h = H(x)
§ Is a data block whose hash function, using the function H, is h
§ Because H is a many-to-one mapping, for any given hash value h, there will in general be multiple preimages
Collision
§ Occurs if we have x ≠ y and H(x) = H(y)
§ Because we are using hash functions for data integrity, collisions are clearly undesirable
Requirements for a Cryptographic Hash Function H
Relationship Among Hash Function
Properties
Hash Function Resistance Properties Required for Various
Data Integrity Applications
* Resistance required if attacker is able to mount a chosen message attack
HMAC
• Interest in developing a MAC derived from a cryptographic hash code
• Cryptographic hash functions generally execute faster
• Library code is widely available
• SHA-1 was not designed for use as a MAC because it does not rely on a secret key
• Issued as RFC 2104
• Has been chosen as the mandatory-to-implement MAC for IP security
• Used in other Internet protocols such as Transport Layer Security (TLS) and Secure Electronic Transaction (SET)
HMAC Design Objectives
• To use, without modifications, available hash functions
• To allow for easy replaceability of the embedded hash function in case faster or more secure hash functions are found or required
• To preserve the original performance of the hash function without incurring a significant degradation
• To use and handle keys in a simple way
• To have a well-understood cryptographic analysis of the strength of the authentication mechanism based on reasonable assumptions on the embedded hash function
HMAC
Overview
Security of HMAC
Security depends on the cryptographic strength of the underlying hash
function
The appeal of HMAC is that its designers have been able to prove an exact
relationship between the strength of the embedded hash function and the
strength of HMAC
For a given level of effort on messages generated by a legitimate user and
seen by the attacker, the probability of successful attack on HMAC is
equivalent to one of the following attacks on the embedded hash function:
• The attacker is able to compute an output of the compression function even with an IV that is
random, secret, and unknown to the attacker
• The attacker finds collisions in the hash function even when the IV is random and secret
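An added worked example in Python (not from the slides) serving both the MAC slides and the HMAC material: HMAC built from a plain hash function as H((K xor opad) || H((K xor ipad) || M)), with the embedded hash passed in by name to show the easy-replaceability objective, verification with a constant-time comparison, and detection of an altered message or a wrong key. The key and message are constructed samples; the result is cross-checked against Python's hmac module, which implements RFC 2104.

```python
"""HMAC from a hashlib hash function, plus MAC verification."""
import hashlib
import hmac


def hmac_digest(key: bytes, message: bytes, hash_name: str = "sha256") -> bytes:
    h = lambda data: hashlib.new(hash_name, data).digest()
    block_size = hashlib.new(hash_name).block_size       # 64 bytes for SHA-256
    if len(key) > block_size:
        key = h(key)                                     # long keys are hashed first
    key = key.ljust(block_size, b"\x00")                 # then zero-padded to a block
    k_ipad = bytes(b ^ 0x36 for b in key)
    k_opad = bytes(b ^ 0x5C for b in key)
    return h(k_opad + h(k_ipad + message))               # outer hash over inner hash


def verify_mac(key: bytes, message: bytes, tag: bytes, hash_name: str = "sha256") -> bool:
    """Recompute the MAC and compare in constant time, so the comparison
    itself does not reveal how many leading bytes of a guessed tag matched."""
    return hmac.compare_digest(hmac_digest(key, message, hash_name), tag)


def matches_stdlib(key: bytes, message: bytes, hash_name: str = "sha256") -> bool:
    """Cross-check against the standard library's RFC 2104 implementation."""
    return hmac.compare_digest(hmac_digest(key, message, hash_name),
                               hmac.new(key, message, hash_name).digest())


if __name__ == "__main__":
    key = b"shared-secret-key"                  # constructed sample key
    msg = b"transfer 100 to account 42"         # constructed sample message
    tag = hmac_digest(key, msg)
    print(verify_mac(key, msg, tag))                                 # True
    print(verify_mac(key, b"transfer 900 to account 42", tag))      # False: altered message
    print(verify_mac(b"wrong-key", msg, tag))                        # False: needs the secret key
    print(matches_stdlib(key, msg), matches_stdlib(key, msg, "sha512"))  # True True
```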
Symmetric Ciphers for MACs
• Can use any block cipher chaining mode and use final block as a MAC
• Data Authentication Algorithm (DAA) is a widely used MAC based on DES-CBC
• using IV=0 and zero-pad of final block
• encrypt message using DES in CBC mode and send just the final block as the MAC or the leftmost M bits (16≤M≤64) of final block
• but final MAC is now too small for security…
• … can use message blocks in reverse order…
Data Authentication Algorithm
• previously saw the DAA (CBC-MAC)
• widely used in govt & industry
• but has message size limitation
CMAC
• can overcome using 2 keys & padding
• thus forming the Cipher-based Message Authentication Code (CMAC)
• adopted by NIST SP800-38B
CMAC Overview
Digital Signature
• Operation is similar to that of the MAC
• The hash value of a message is encrypted with a user’s private key
• Anyone who knows the user’s public key can verify the integrity of the message
• An attacker who wishes to alter the message would need to know the user’s private key
• Implications of digital signatures go beyond just message authentication
Simplified Examples of Digital Signatures: Essential Elements of Digital Signature Process
Figure 2.7 Simplified Depiction of Essential Elements of Digital Signature Process: (a) Bob signs a message (hash of M and Bob’s private key into the digital signature generation algorithm, producing S, Bob’s signature for M); (b) Alice verifies the signature (hash of M, S and Bob’s public key into the digital signature verification algorithm, which returns signature valid or not valid).
Public-Key Certificate Use
Creating the certificate: the unsigned certificate contains user ID, user's public key, as well as information concerning the CA; generate hash code of unsigned certificate; generate digital signature using CA's private key; create signed digital certificate.
Using the certificate (Bob's ID information, Bob's public key, CA information, signed certificate): generate hash code of certificate not including signature; verify digital signature using CA's public key, which returns signature valid or not valid; use certificate to verify Bob's public key.
Digital Envelopes
Figure 2.9 Digital Envelopes. (a) Creation of a digital envelope: the message is encrypted (E) with a random symmetric key; the random symmetric key is encrypted (E) with the receiver's public key; the encrypted message plus the encrypted symmetric key form the digital envelope. (b) Opening a digital envelope: the receiver decrypts (D) the encrypted symmetric key with the receiver's private key, then decrypts (D) the encrypted message with the recovered symmetric key.
CONTACT YOUR
LECTURER
[Link]@[Link]
Computer Security
05 – Symmetric Encryption and
Message Confidentiality
Symmetric Encryption
• Also referred to as:
  • Conventional encryption
  • Secret-key or single-key encryption
• Only alternative before public-key encryption in the 1970s
• Still the most widely used alternative
• Has five ingredients:
  • Plaintext
  • Encryption algorithm
  • Secret key
  • Ciphertext
  • Decryption algorithm
Computationally Secure
Encryption Schemes
• Encryption is computationally secure if:
• Cost of breaking cipher exceeds value of
information
• Time required to break cipher exceeds the
useful lifetime of the information
• Usually very difficult to estimate the amount of
effort required to break
• Can estimate time/cost of a brute-force attack
Diffusion and Confusion
• Terms introduced by Claude Shannon to capture the
two basic building blocks for any cryptographic
system
• Shannon’s concern was to thwart cryptanalysis based on
statistical analysis
Diffusion
• The statistical structure of the plaintext is dissipated into long-range statistics of the
ciphertext
• This is achieved by having each plaintext digit affect the value of many ciphertext digits
Confusion
• Seeks to make the relationship between the statistics of the ciphertext and the value of
the encryption key as complex as possible
• Even if the attacker can get some handle on the statistics of the ciphertext, the way in
which the key was used to produce that ciphertext is so complex as to make it difficult
to deduce the key
What creates
diffusion and
confusion?
Feistel Cipher
• Feistel proposed the use of a cipher that alternates substitutions and permutations
  • Substitution: each plaintext element or group of elements is uniquely replaced by a correspon­ding ciphertext element or group of elements
  • Permutation: no elements are added, deleted or replaced in the sequence; rather, the order in which the elements appear in the sequence is changed
• Is a practical application of a proposal by Claude Shannon to develop a product cipher that alternates confusion and diffusion functions
• Is the structure used by many significant symmetric block ciphers currently in use
Feistel Cipher Design Features
• Block size
  • Larger block sizes mean greater security but reduced encryption/decryption speed for a given algorithm
• Key size
  • Larger key size means greater security but may decrease encryption/decryption speeds
• Number of rounds
  • The essence of the Feistel cipher is that a single round offers inadequate security but that multiple rounds offer increasing security
• Subkey generation algorithm
  • Greater complexity in this algorithm should lead to greater difficulty of cryptanalysis
• Round function F
  • Greater complexity generally means greater resistance to cryptanalysis
• Fast software encryption/decryption
  • In many cases, encryption is embedded in applications or utility functions in such a way as to preclude a hardware implementation; accordingly, the speed of execution of the algorithm becomes a concern
• Ease of analysis
  • If the algorithm can be concisely and clearly explained, it is easier to analyze that algorithm for cryptanalytic vulnerabilities and therefore develop a higher level of assurance as to its strength
Classical Feistel Cipher
• Inputs to the encryption algorithm are a plaintext block of length 2w bits and a key K
• The plaintext block is divided into two halves, L0 and R0
• The two halves of the data pass through n rounds of processing
• Each round i has as inputs Li-1 and Ri-1, derived from the previous round, as well as a subkey Ki, derived from the overall K
  • the subkeys Ki are generated by a subkey generation algorithm
• A substitution is performed on the left half of the data
  • This is done by applying a round function F to the right half of the data and then taking the exclusive-OR (XOR) of the output of that function and the left half of the data
• Following this substitution, a permutation is performed that consists of the interchange of the two halves of the data, so that round i computes Li = Ri-1 and Ri = Li-1 XOR F(Ri-1, Ki)
• The round function has the same general structure for each round but is parameterized by the round subkey Ki
Figure 20.1 Classical Feistel Network: the plaintext (2w bits) is split into L0 and R0 (w bits each); round i (i = 1..n) applies F to the right half under subkey Ki, XORs the result into the left half and swaps the halves; after round n a final swap yields Ln+1 and Rn+1, which form the ciphertext (2w bits)
Feistel Encryption and Decryption (16 rounds)
Feistel Example
Block Cipher Structure
• Symmetric block cipher consists of:
  • A sequence of rounds
  • With substitutions and permutations controlled by key
• Parameters and design features:
  • Block size
  • Key size
  • Number of rounds
  • Subkey generation algorithm
  • Round function
  • Fast software encryption/decryption
  • Ease of analysis
Why not a stream cipher structure?
Data Encryption Standard (DES)
• Issued in 1977 by the National Bureau of Standards
(now NIST) as Federal Information Processing Standard
46
• Was the most widely used encryption scheme until the
introduction of the Advanced Encryption Standard
(AES) in 2001
• Algorithm itself is referred to as the Data Encryption
Algorithm (DEA)
• Data are encrypted in 64-bit blocks using a 56-bit key
• The algorithm transforms 64-bit input in a series of steps
into a 64-bit output
• The same steps, with the same key, are used to reverse the
encryption
General Depiction of DES Encryption Algorithm
DES Example
Note: DES subkeys are shown as eight 6-bit values in hex format
Avalanche Effect in DES: Change in Plaintext
Avalanche Effect in DES: Change in Key
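An added Python example covering both the "Feistel Example" slide and the two avalanche slides above (it is not the slides' or the textbook's code). It builds a 16-round Feistel network on a 64-bit block with a truncated SHA-256 as the round function F and a hash-derived subkey schedule; both are stand-ins chosen so the structure is the only thing under study (DES's real F uses expansion, S-boxes and a permutation, and its subkeys come from key permutations and rotations). The point it shows that the prose cannot: F is never inverted, decryption is the same routine with the subkeys reversed, and flipping one plaintext or key bit changes roughly half of the ciphertext bits. The key and plaintext at the bottom are constructed sample input.

```python
import hashlib

W = 4             # half-block width in bytes: block = 2w = 8 bytes = 64 bits
ROUNDS = 16


def subkeys(key: bytes, rounds: int = ROUNDS) -> list:
    """Toy subkey generation: K_i = SHA-256(key || i) truncated to w bytes.
    Stand-in for DES's permuted/rotated 48-bit subkeys."""
    return [hashlib.sha256(key + bytes([i])).digest()[:W] for i in range(1, rounds + 1)]


def round_function(right: bytes, k: bytes) -> bytes:
    """F(R, K_i): a non-linear, key-dependent mix of the right half (stand-in
    for DES's expansion / S-boxes / permutation). F is not invertible; the
    Feistel structure, not F, is what makes the cipher invertible."""
    return hashlib.sha256(k + right).digest()[:W]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def feistel(block: bytes, ks: list) -> bytes:
    """Run the network with the given subkey sequence:
        L_i = R_{i-1},   R_i = L_{i-1} XOR F(R_{i-1}, K_i)
    The halves swap after every round; returning R + L undoes the final swap,
    so decryption is this same routine with the subkeys in reverse order."""
    assert len(block) == 2 * W
    left, right = block[:W], block[W:]
    for k in ks:
        left, right = right, xor(left, round_function(right, k))
    return right + left


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    return feistel(plaintext, subkeys(key))


def decrypt(key: bytes, ciphertext: bytes) -> bytes:
    return feistel(ciphertext, subkeys(key)[::-1])


def flip_bit(data: bytes, bit: int) -> bytes:
    out = bytearray(data)
    out[bit // 8] ^= 1 << (bit % 8)
    return bytes(out)


def hamming(a: bytes, b: bytes) -> int:
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def avalanche(key: bytes, plaintext: bytes, bit: int, in_key: bool = False) -> int:
    """Avalanche measurement as on the DES slides: how many of the 64
    ciphertext bits change when one plaintext bit (or, with in_key=True, one
    key bit) is flipped. A good cipher changes about half of them."""
    base = encrypt(key, plaintext)
    if in_key:
        other = encrypt(flip_bit(key, bit), plaintext)
    else:
        other = encrypt(key, flip_bit(plaintext, bit))
    return hamming(base, other)


if __name__ == "__main__":
    key, pt = b"8bytekey", b"ATTACK!!"                   # constructed sample input
    ct = encrypt(key, pt)
    print(ct.hex(), decrypt(key, ct))
    print("bits changed by one plaintext bit:", avalanche(key, pt, 0))
    print("bits changed by one key bit:      ", avalanche(key, pt, 5, in_key=True))
    one_round = feistel(pt, subkeys(key)[:1])
    print("right half after a single round:  ", one_round[W:] == pt[W:])
```

The last line illustrates the "number of rounds" design feature: after one round the right half of the ciphertext is the right half of the plaintext, untouched; only repeated rounds push every input bit through F.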
Triple DES
Figure 20.2 Triple DES. (a) Encryption: P → E(K1) → A → D(K2) → B → E(K3) → C, i.e. C = E(K3, D(K2, E(K1, P))). (b) Decryption: C → D(K3) → B → E(K2) → A → D(K1) → P, i.e. P = D(K1, E(K2, D(K3, C))).
How to break the
DES?
Advanced Encryption Standard (AES)
• The Advanced Encryption Standard (AES) was issued
as a federal information processing standard FIPS 197
(Advanced Encryption Standard, November 2001).
• It is intended to replace DES and triple DES with an
algorithm that is more secure and efficient.
• AES uses a block length of 128 bits and a key length
that can be 128, 192, or 256 bits.
• In the description of this section, we assume a key
length of 128 bits, which is likely to be the one most
commonly implemented.
AES workings
• The input to the encryption and decryption algorithms is a single 128-bit
block.
• In FIPS PUB 197, this block is depicted as a square matrix of bytes. This
block is copied into the State array, which is modified at each stage of
encryption or decryption.
• After the final stage, State is copied to an output matrix.
• Similarly, the 128-bit key is depicted as a square matrix of bytes.
• This key is then expanded into an array of key schedule words; each word is
4 bytes and the total key schedule is 44 words for the 128-bit key. The
ordering of bytes within a matrix is by column.
• So, for example, the first 4 bytes of a 128-bit plaintext input to the
encryption cipher occupy the first column of the in matrix, the second 4
bytes occupy the second column, and so on.
• Similarly, the first 4 bytes of the expanded key, which form a word, occupy
the first column of the w matrix.
AES functions
• The following comments give some insight into AES:
1. One noteworthy feature of this structure is that it is not a Feistel structure. Recall
that in the classic Feistel structure, half of the data block is used to modify the
other half of the data block, and then the halves are swapped. AES does not use a
Feistel structure but processes the entire data block in parallel during each round
using substitutions and permutation.
2. The key that is provided as input is expanded into an array of forty-four 32-bit
words, w[i]. Four distinct words (128 bits) serve as a round key for each round.
3. Four different stages are used, one of permutation and three of substitution:
• Substitute Bytes: Uses a table, referred to as an S-box, to perform a byte-by- byte
substitution of the block
• Shift Rows: A simple permutation that is performed row by row
• Mix Columns: A substitution that alters each byte in a column as a function of all of
the bytes in the column
• Add Round key: A simple bitwise XOR of the current block with a portion of the
expanded key
Details of Each Round
AES Encryption and Decryption
Figure: AES-128. (a) Encryption: plaintext → Add round key with w[0, 3] → rounds 1 to 9, each consisting of Substitute bytes, Shift rows, Mix columns and Add round key with w[4i, 4i+3] → round 10: Substitute bytes, Shift rows, Add round key with w[40, 43] (no Mix columns) → ciphertext. The key is expanded (Expand key) into the words w[0] to w[43]. (b) Decryption: ciphertext → Add round key with w[40, 43] → rounds 1 to 9, each consisting of Inverse shift rows, Inverse sub bytes, Add round key and Inverse mix cols → round 10: Inverse shift rows, Inverse sub bytes, Add round key with w[0, 3] → plaintext.
SubBytes and InvSubBytes
SubBytes Operation
• The SubBytes operation involves 16 independent byte-to-byte transformations.
• Interpret each byte as two hexadecimal digits xy; for example S1,1 = xy (hex)
• In a software implementation, use the row (x) and column (y) as the lookup index into the S-box: the output byte is S'1,1 = x'y' (hex) = S-box[x][y]
AES S-box: Table 20.2 AES S-Boxes
(a) S-box (row x = leading hex digit of the input byte, column y = trailing hex digit)
x\y 0 1 2 3 4 5 6 7 8 9 A B C D E F
0 63 7C 77 7B F2 6B 6F C5 30 01 67 2B FE D7 AB 76
1 CA 82 C9 7D FA 59 47 F0 AD D4 A2 AF 9C A4 72 C0
2 B7 FD 93 26 36 3F F7 CC 34 A5 E5 F1 71 D8 31 15
3 04 C7 23 C3 18 96 05 9A 07 12 80 E2 EB 27 B2 75
4 09 83 2C 1A 1B 6E 5A A0 52 3B D6 B3 29 E3 2F 84
5 53 D1 00 ED 20 FC B1 5B 6A CB BE 39 4A 4C 58 CF
6 D0 EF AA FB 43 4D 33 85 45 F9 02 7F 50 3C 9F A8
7 51 A3 40 8F 92 9D 38 F5 BC B6 DA 21 10 FF F3 D2
8 CD 0C 13 EC 5F 97 44 17 C4 A7 7E 3D 64 5D 19 73
9 60 81 4F DC 22 2A 90 88 46 EE B8 14 DE 5E 0B DB
A E0 32 3A 0A 49 06 24 5C C2 D3 AC 62 91 95 E4 79
B E7 C8 37 6D 8D D5 4E A9 6C 56 F4 EA 65 7A AE 08
C BA 78 25 2E 1C A6 B4 C6 E8 DD 74 1F 4B BD 8B 8A
D 70 3E B5 66 48 03 F6 0E 61 35 57 B9 86 C1 1D 9E
E E1 F8 98 11 69 D9 8E 94 9B 1E 87 E9 CE 55 28 DF
F 8C A1 89 0D BF E6 42 68 41 99 2D 0F B0 54 BB 16
AES Inverse S-box
(b) Inverse S-box (row x = leading hex digit of the input byte, column y = trailing hex digit)
x\y 0 1 2 3 4 5 6 7 8 9 A B C D E F
0 52 09 6A D5 30 36 A5 38 BF 40 A3 9E 81 F3 D7 FB
1 7C E3 39 82 9B 2F FF 87 34 8E 43 44 C4 DE E9 CB
2 54 7B 94 32 A6 C2 23 3D EE 4C 95 0B 42 FA C3 4E
3 08 2E A1 66 28 D9 24 B2 76 5B A2 49 6D 8B D1 25
4 72 F8 F6 64 86 68 98 16 D4 A4 5C CC 5D 65 B6 92
5 6C 70 48 50 FD ED B9 DA 5E 15 46 57 A7 8D 9D 84
6 90 D8 AB 00 8C BC D3 0A F7 E4 58 05 B8 B3 45 06
7 D0 2C 1E 8F CA 3F 0F 02 C1 AF BD 03 01 13 8A 6B
8 3A 91 11 41 4F 67 DC EA 97 F2 CF CE F0 B4 E6 73
9 96 AC 74 22 E7 AD 35 85 E2 F9 37 E8 1C 75 DF 6E
A 47 F1 1A 71 1D 29 C5 89 6F B7 62 0E AA 18 BE 1B
B FC 56 3E 4B C6 D2 79 20 9A DB C0 FE 78 CD 5A F4
C 1F DD A8 33 88 07 C7 31 B1 12 10 59 27 80 EC 5F
D 60 51 7F A9 19 B5 4A 0D 2D E5 7A 9F 93 C9 9C EF
E A0 E0 3B 4D AE 2A F5 B0 C8 EB BB 3C 83 53 99 61
F 17 2B 04 7E BA 77 D6 26 E1 69 14 63 55 21 0C 7D
Sample SubByte Transformation
• The SubBytes and InvSubBytes transformations are
inverses of each other.
ShiftRows
• Shifting, which permutes the bytes.
• A circular byte shift in each row:
  • 1st row is unchanged
  • 2nd row does a 1-byte circular shift to the left
  • 3rd row does a 2-byte circular shift to the left
  • 4th row does a 3-byte circular shift to the left
• In encryption, the transformation is called ShiftRows
• In decryption, the transformation is called InvShiftRows and the shifting is to the right
ShiftRows Scheme
ShiftRows and InvShiftRows
MixColumns
• ShiftRows and MixColumns provide diffusion to the cipher
• Each column is processed separately
• Each byte is replaced by a value dependent on all 4 bytes in the column
• Effectively a matrix multiplication in GF(2^8) using the irreducible polynomial m(x) = x^8 + x^4 + x^3 + x + 1
MixColumns Scheme
The MixColumns transformation operates at the column level; it transforms each column of the state to a new column.
MixColumn and InvMixColumn
AddRoundKey
• XOR the state with the 128 bits of the round key
• AddRoundKey proceeds one column at a time
  • adds one round key word to each column of the state matrix
  • the operation is matrix addition, i.e. bitwise XOR
• The inverse for decryption is identical
  • since XOR is its own inverse, with the round keys applied in reverse order
• Designed to be as simple as possible
AddRoundKey Scheme
AES Encryption Round
Figure: one AES encryption round on the 16-byte State: SubBytes (16 independent S-box lookups, S) → ShiftRows → MixColumns (four independent column mixes, M) → AddRoundKey (XOR with the round key bytes r0 to r15) → new State
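The four stages and the key expansion described above assembled into a working AES-128 block encryption, as an added Python example (not the slides' or FIPS-197's code). The S-box is Table 20.2 (a) from the slides, written as 16 rows of hex; the state is held column-major exactly as the "AES workings" slide describes (byte (row r, column c) at index 4c + r), which is what makes ShiftRows a one-line index permutation. It reproduces the FIPS-197 Appendix C.1 test vector. It is a study implementation only: a Python table-lookup AES is slow and, as the attacks section notes, table lookups leak timing, so real systems use a vetted constant-time or hardware (AES-NI) implementation.

```python
# AES S-box, Table 20.2 (a): row = high nibble, column = low nibble of the input byte
SBOX = bytes.fromhex(
    "637c777bf26b6fc53001672bfed7ab76" "ca82c97dfa5947f0add4a2af9ca472c0"
    "b7fd9326363ff7cc34a5e5f171d83115" "04c723c31896059a071280e2eb27b275"
    "09832c1a1b6e5aa0523bd6b329e32f84" "53d100ed20fcb15b6acbbe394a4c58cf"
    "d0efaafb434d338545f9027f503c9fa8" "51a3408f929d38f5bcb6da2110fff3d2"
    "cd0c13ec5f974417c4a77e3d645d1973" "60814fdc222a908846eeb814de5e0bdb"
    "e0323a0a4906245cc2d3ac629195e479" "e7c8376d8dd54ea96c56f4ea657aae08"
    "ba78252e1ca6b4c6e8dd741f4bbd8b8a" "703eb5664803f60e613557b986c11d9e"
    "e1f8981169d98e949b1e87e9ce5528df" "8ca1890dbfe6426841992d0fb054bb16"
)


def xtime(b: int) -> int:
    """Multiply by x in GF(2^8) modulo m(x) = x^8 + x^4 + x^3 + x + 1 (0x11B)."""
    b <<= 1
    return (b ^ 0x1B) & 0xFF if b & 0x100 else b


def sub_bytes(state: list) -> list:
    """16 independent S-box lookups."""
    return [SBOX[b] for b in state]


def shift_rows(state: list) -> list:
    """Row r rotates left by r positions. Column-major layout: (r, c) -> 4*c + r."""
    return [state[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]


def mix_columns(state: list) -> list:
    """Each column becomes the GF(2^8) matrix product with the circulant (2,3,1,1)."""
    out = []
    for c in range(4):
        a = state[4 * c:4 * c + 4]
        two = [xtime(v) for v in a]                     # 2*a_i ; 3*a_i = 2*a_i XOR a_i
        for i in range(4):
            out.append(two[i] ^ two[(i + 1) % 4] ^ a[(i + 1) % 4]
                       ^ a[(i + 2) % 4] ^ a[(i + 3) % 4])
    return out


def add_round_key(state: list, round_key: list) -> list:
    """Bitwise XOR of the state with 16 bytes (four words) of the expanded key."""
    return [s ^ k for s, k in zip(state, round_key)]


def expand_key(key: bytes) -> list:
    """FIPS-197 key expansion for a 128-bit key: 44 words w[0..43], returned
    as 11 round keys of 16 bytes (w[4r..4r+3] each)."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 0x01
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]        # SubWord(RotWord(t))
            t[0] ^= rcon
            rcon = xtime(rcon)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]


def aes128_encrypt_block(key: bytes, plaintext: bytes) -> bytes:
    """One 128-bit block: initial AddRoundKey, nine full rounds, and a final
    round without MixColumns, as in the encryption figure."""
    assert len(key) == 16 and len(plaintext) == 16
    rk = expand_key(key)
    state = add_round_key(list(plaintext), rk[0])
    for rnd in range(1, 10):
        state = add_round_key(mix_columns(shift_rows(sub_bytes(state))), rk[rnd])
    state = add_round_key(shift_rows(sub_bytes(state)), rk[10])
    return bytes(state)


if __name__ == "__main__":
    key = bytes.fromhex("000102030405060708090a0b0c0d0e0f")      # FIPS-197 C.1
    pt = bytes.fromhex("00112233445566778899aabbccddeeff")
    print(aes128_encrypt_block(key, pt).hex())
```

For the FIPS-197 Appendix C.1 inputs shown in the main block the output is 69c4e0d86a7b0430d8cdb78070b4c55a. Decryption is the mirror image from the figure (InvShiftRows, InvSubBytes with Table 20.2 (b), AddRoundKey, InvMixColumns with the inverse circulant (14, 11, 13, 9)), and the same key schedule applied in reverse.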
Can you break an AES ciphertext?
Attacks on Symmetric Encryption
• Timing attacks
  • One in which information about the key or the plaintext is obtained by observing how long it takes a given implementation to perform decryptions on various ciphertexts
  • Exploits the fact that an encryption or decryption implementation often takes slightly different amounts of time on different inputs
  • The weakness is in implementations rather than in the algorithms: cache-timing attacks have recovered AES keys from table-lookup implementations, which is why production code relies on constant-time or hardware (e.g. AES-NI) implementations
• Exhaustive key search (brute force)
• Cryptanalysis
  • Differential cryptanalysis (a chosen-plaintext attack) and linear cryptanalysis (a known-plaintext attack)
  • BUT…
  • Neither is practical against full-round AES.
Average Time Required for Exhaustive Key
Search
Computer Security
06 – Symmetric Encryption and
Message Confidentiality (2)
Random Numbers
§ A number of network security algorithms and
protocols based on cryptography make use of
random binary numbers:
§ Key distribution and reciprocal authentication
schemes
§ Session key generation
§ Generation of keys for the RSA public-key encryption
algorithm
§ Generation of a bit stream for symmetric stream
encryption
Randomness
There are two distinct requirements for a sequence of random numbers:
• Randomness
• Unpredictability
§ The generation of a sequence of allegedly random numbers being random in some well-defined statistical sense has been a concern
Two criteria are used to validate that a sequence of numbers is random:
Uniform distribution
• The frequency of occurrence of ones and zeros should be
approximately equal
Independence
• No one subsequence in the sequence can be inferred
from the others
Unpredictability
§ The requirement is not just that the sequence of
numbers be statistically random, but that the
successive members of the sequence are
unpredictable
§ With “true” random sequences each number is
statistically independent of other numbers in the
sequence and therefore unpredictable
§ True random numbers have their limitations,
such as inefficiency, so it is more common to
implement algorithms that generate
sequences of numbers that appear to be
random
§ Care must be taken that an opponent not be
able to predict future elements of the
sequence on the basis of earlier elements
Random versus Pseudorandom
• Cryptographic applications typically make use of algorithmic techniques for random number generation
• Algorithms are deterministic and therefore produce sequences of numbers that are not statistically random
• Pseudorandom numbers are:
  • Sequences produced that satisfy statistical randomness tests
  • Likely to be predictable
• True random number generator (TRNG):
  • Uses a nondeterministic source to produce randomness
  • Most operate by measuring unpredictable natural processes
  • e.g. radiation, gas discharge, leaky capacitors
  • Increasingly provided on modern processors
Have you used random or pseudorandom number generators before?
Random and Pseudorandom Number Generators
Figure: (a) TRNG: a source of true randomness → conversion to binary → random bit stream. (b) PRNG: seed → deterministic algorithm → pseudorandom bit stream. (c) PRF: seed plus context-specific values → deterministic algorithm → pseudorandom value.
TRNG = true random number generator
PRNG = pseudorandom number generator
PRF = pseudorandom function
True Random Number Generator
(TRNG)
§ Takes as input a source that is effectively
random
§ The source is referred to as an entropy source
and is drawn from the physical environment of
the computer
§ Includes things such as keystroke timing patterns,
disk electrical activity, mouse movements, and
instantaneous values of the system clock
§ The source, or combination of sources, serve as input
to an algorithm that produces random binary output
§ The TRNG may simply involve conversion of an
analog source to a binary output
§ The TRNG may involve additional processing to
overcome any bias in the source
Pseudorandom Number Generator (PRNG)
§ Takes as input a fixed value, called the seed, and produces a sequence of output bits using a deterministic algorithm
§ Quite often the seed is generated by a TRNG
§ The output bit stream is determined solely by the input value or values, so an adversary who knows the algorithm and the seed can reproduce the entire bit stream
§ Other than the number of bits produced there is no difference between a PRNG and a PRF
Two different forms of PRNG
• Pseudorandom number generator
  • An algorithm that is used to produce an open-ended sequence of bits
  • Input to a symmetric stream cipher is a common application for an open-ended sequence of bits
• Pseudorandom function (PRF)
  • Used to produce a pseudorandom string of bits of some fixed length
  • Examples are symmetric encryption keys and nonces
PRNG Requirements
§ The basic requirement when a PRNG or PRF
is used for a cryptographic application is that
an adversary who does not know the seed is
unable to determine the pseudorandom
string
§ The requirement for secrecy of the output of
a PRNG or PRF leads to specific
requirements in the areas of:
§ Randomness
§ Unpredictability
§ Characteristics of the seed
Randomness
§ The generated bit stream needs to appear
random even though it is deterministic
§ There is no single test that can determine if a
PRNG generates numbers that have the
characteristic of randomness
§ If the PRNG exhibits randomness on the basis of
multiple tests, then it can be assumed to satisfy the
randomness requirement
§ NIST SP 800-22 specifies that the tests should
seek to establish three characteristics:
§ Uniformity
§ Scalability
§ Consistency
Randomness Tests
§ SP 800-22 lists 15 separate tests of randomness
Three tests:
• Frequency test
  • The most basic test and must be included in any test suite
  • Purpose is to determine whether the number of ones and zeros in a sequence is approximately the same as would be expected for a truly random sequence
• Runs test
  • Focus of this test is the total number of runs in the sequence, where a run is an uninterrupted sequence of identical bits bounded before and after with a bit of the opposite value
  • Purpose is to determine whether the number of runs of ones and zeros of various lengths is as expected for a random sequence
• Maurer's universal statistical test
  • Focus is the number of bits between matching patterns
  • Purpose is to detect whether or not the sequence can be significantly compressed without loss of information. A significantly compressible sequence is considered to be non-random
Unpredictability
§ A stream of pseudorandom numbers should
exhibit two forms of unpredictability:
§ Forward unpredictability
§ If the seed is unknown, the next output bit in the sequence
should be unpredictable in spite of any knowledge of
previous bits in the sequence
§ Backward unpredictability
§ It should not be feasible to determine the seed from
knowledge of any generated values
§ No correlation between a seed and any value generated
from that seed should be evident
§ Each element of the sequence should appear to be the
outcome of an independent random event whose
probability is 1/2
§ The same set of tests for randomness also
provides a test of unpredictability
§ A random sequence will have no correlation with a
fixed value (the seed)
Seed Requirements
§ The seed that serves as input to the PRNG must
be secure and unpredictable
§ The seed itself must be a random or
pseudorandom number
§ Typically the seed is generated by TRNG
Generation of Seed Input to PRNG
Figure: entropy source → true random number generator (TRNG) → seed → pseudorandom number generator (PRNG) → pseudorandom bit stream
Stream Ciphers
• Processes input elements continuously
• Key input to a pseudorandom bit generator
• Produces a stream of random-like numbers
• Unpredictable without knowing the input key
• XOR the keystream output with the plaintext bytes
Stream Cipher Design Considerations
• The encryption sequence should have a large period
  • A pseudorandom number generator uses a function that produces a deterministic stream of bits that eventually repeats; the longer the period of repeat, the more difficult it will be to do cryptanalysis
• The keystream should approximate the properties of a true random number stream as closely as possible
  • There should be an approximately equal number of 1s and 0s
  • If the keystream is treated as a stream of bytes, then all of the 256 possible byte values should appear approximately equally often
• A key length of at least 128 bits is desirable
  • The output of the pseudorandom number generator is conditioned on the value of the input key
  • The same considerations that apply to block ciphers are valid
• With a properly designed pseudorandom number generator a stream cipher can be as secure as a block cipher of comparable key length
  • A potential advantage is that stream ciphers that do not use block ciphers as a building block are typically faster and use far less code than block ciphers
Stream Ciphers
Generic Structure of a Typical Stream Cipher
Figure: the key K and the initialization value IV set the initial internal state; at each step the next-state function f updates the state i, the keystream function g derives the keystream element zi from the state, and the sender computes the ciphertext ci = pi XOR zi while the receiver, running the identical generator, recovers the plaintext pi = ci XOR zi.
RC4
• Designed in 1987 by Ron Rivest for RSA Security
• Variable key size stream cipher with byte-oriented operations
  • The key can be 1 to 256 bytes long; the common sizes in deployments were the nominal 64-bit and 128-bit keys (in WEP these include a 24-bit IV, leaving 40 and 104 secret bits)
• Based on the use of a random permutation
• Eight to sixteen machine operations are required per output byte and the cipher can be expected to run very quickly in software
• RC4 was kept as a trade secret by RSA Security until September 1994, when the RC4 algorithm was anonymously posted on the Internet on the Cypherpunks anonymous remailers list
RC4-based Usage
• RC4 is used in the wireless LAN security protocols that are part of the IEEE 802.11 standard:
  • WEP
  • WPA (the default TKIP cipher)
• BitTorrent protocol encryption
• Microsoft Point-to-Point Encryption
• SSL/TLS (optionally)
• SSH (optionally)
• Remote Desktop Protocol
• Kerberos (optionally)
RC4 Block Diagram
Figure: secret key → RC4 → keystream; plain text XOR keystream → encrypted text
Easy to implement and fast; for a long time considered cryptographically strong, but see "Strength of RC4" below: its keystream biases are now exploitable and its use in TLS is prohibited
RC4 … Inside
• Consists of 2 parts:
  • Key Scheduling Algorithm (KSA)
  • Pseudo-Random Generation Algorithm (PRGA)
• KSA
  • Uses the secret key to generate the state array S
• PRGA, run on the state produced by the KSA
  • Generates the keystream
  • XOR the keystream with the data to generate the encrypted stream
The KSA
• Use the secret key to initialize and then permute the state vector S, done in two steps
• Use 8-bit index pointers i and j
  1. Initialization:
     for i = 0 to 255 do
         S[i] = i;
         T[i] = K[i mod |K|];
  2. Initial permutation of S:
     j = 0;
     for i = 0 to 255 do
         j = (j + S[i] + T[i]) mod 256;
         swap(S[i], S[j]);
• [S]: S is set equal to the values from 0 to 255, S[0]=0, S[1]=1, …, S[255]=255
• [T]: a temporary vector, used to produce the initial permutation of S
• [K]: array of bytes of the secret key; |K| = keylen, the length of K
• The only operation on S is a swap, so S still contains the numbers from 0 to 255 (it remains a permutation)
After the KSA, the input key and the temporary vector T are no longer used
The PRGA
• Generate the keystream one byte at a time: each step selects an index k and outputs S[k]
• XOR S[k] with the next byte of the message to encrypt/decrypt
    i = j = 0;
    while (more_bytes_to_encrypt)
        i = (i + 1) mod 256;
        j = (j + S[i]) mod 256;
        swap(S[i], S[j]);
        k = (S[i] + S[j]) mod 256;
        Ci = Mi XOR S[k];
• The sum of the shuffled pair selects the "stream key" value from the permutation
Figure 20.6 RC4. (a) Initial state of S and T: S[i] = i for i = 0 to 255, and T holds the key K of length keylen repeated to fill 256 bytes. (b) Initial permutation of S: for each i, j = j + S[i] + T[i], then swap S[i] and S[j]. (c) Stream generation: for each i, j = j + S[i], swap S[i] and S[j], t = S[i] + S[j], and output the keystream byte k = S[t].
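The KSA and PRGA above as a runnable Python example (added here; not the slides' code), checked against the published RC4 test vectors, plus the failure mode that the "Strength of RC4" slide and WEP's history turn on: reusing a keystream. The keys and messages are constructed for the demo.

```python
def rc4_ksa(key: bytes) -> list:
    """Key-scheduling algorithm: start from the identity permutation S and
    shuffle it under key control; T[i] = key[i mod keylen] is read inline.
    Only swaps are performed, so S stays a permutation of 0..255."""
    assert 1 <= len(key) <= 256
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    return S


def rc4_keystream(S: list):
    """Pseudo-random generation algorithm: a generator yielding one keystream
    byte per step; the sum of the swapped pair selects the output from S."""
    i = j = 0
    while True:
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) % 256]


def rc4(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt: the same XOR with the keystream in both directions."""
    keystream = rc4_keystream(rc4_ksa(key))
    return bytes(b ^ next(keystream) for b in data)


def keystream_reuse_leak(key: bytes, p1: bytes, p2: bytes) -> bytes:
    """What an eavesdropper learns when one key (hence one keystream) encrypts
    two messages: c1 XOR c2 equals p1 XOR p2 because the keystream cancels.
    Knowing either plaintext then reveals the other. WEP's 24-bit IV made such
    keystream repeats unavoidable on a busy network."""
    c1, c2 = rc4(key, p1), rc4(key, p2)
    return bytes(a ^ b for a, b in zip(c1, c2))


if __name__ == "__main__":
    print(rc4(b"Key", b"Plaintext").hex())                 # published test vector
    print(rc4(b"Key", rc4(b"Key", b"Plaintext")))          # round trip
    leak = keystream_reuse_leak(b"Wiki", b"attack at dawn", b"attack at dusk")
    print(bytes(x ^ y for x, y in zip(leak, b"attack at dawn")))   # recovers p2
```

Key "Key" with plaintext "Plaintext" gives bbf316e8d940af0ad3, the vector usually quoted for RC4. Note that nothing in the cipher itself prevents keystream reuse; a protocol using it must guarantee a fresh key (or a correctly mixed per-message IV) for every message, which is exactly what WEP got wrong.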
Strength of RC4
• A fundamental vulnerability was revealed in the RC4 key scheduling algorithm that reduces the amount of effort to discover the key
• Recent cryptanalysis results exploit biases in the RC4 keystream to recover repeatedly encrypted plaintexts
• As a result of the discovered weaknesses the IETF issued RFC 7465 prohibiting the use of RC4 in TLS
• In its latest TLS guidelines, NIST also prohibited the use of RC4 for government use
Block Cipher Modes of Operation
Electronic Codebook (ECB)
• Simplest mode
• Plaintext is handled b bits at a time and each block is encrypted using the same key
• "Codebook" is used because there is a unique ciphertext for every b-bit block of plaintext
• Not secure for long messages since repeated plaintext is seen in repeated ciphertext
• To overcome security deficiencies you need a technique where the same plaintext block, if repeated, produces different ciphertext blocks
Cipher Block Chaining (CBC) Mode
Figure 20.7 Cipher Block Chaining (CBC) Mode. (a) Encryption: at time 1, C1 = E(K, P1 XOR IV); at time i = 2..N, Ci = E(K, Pi XOR Ci-1). (b) Decryption: P1 = D(K, C1) XOR IV; Pi = D(K, Ci) XOR Ci-1.
s-bit Cipher Feedback (CFB) Mode
Figure: (a) Encryption: a b-bit shift register (b = 64 for DES) is loaded with the IV; at each step the register contents are encrypted with K, the leftmost s bits of the output are selected (the remaining b - s bits are discarded) and XORed with the s-bit plaintext unit Pi to produce Ci; the register is then shifted left by s bits and Ci is shifted in, so at step M the register ends with CM-1. (b) Decryption: the same shift register and the same encryption function (not the decryption function) are used, and Pi = Ci XOR (leftmost s bits of E(K, register)).
Counter (CTR) Mode
Figure 20.9 Counter (CTR) Mode. (a) Encryption: Ci = Pi XOR E(K, Counter + i - 1) for i = 1..N. (b) Decryption: Pi = Ci XOR E(K, Counter + i - 1); the encryption function is used in both directions.
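The ECB, CBC and CTR behaviour described in the three figures, as an added Python example (not the slides' code). A keyed BLAKE2b truncated to 16 bytes stands in for the block cipher's forward direction E(K, ·); that is all ECB encryption, CBC encryption and both CTR directions need, but it has no inverse, so CBC decryption is deliberately not shown. Keys, IVs and messages are constructed for the demo. Beyond the figures, the last function shows why a mode alone is not enough: any XOR-keystream mode (CTR, CFB, a stream cipher) is malleable, so a MAC is still required.

```python
import hashlib
import os

BLOCK = 16


def E(key: bytes, block: bytes) -> bytes:
    """Stand-in for E(K, .) of a real block cipher such as AES-128: keyed
    BLAKE2b truncated to one 16-byte block. Forward direction only."""
    return hashlib.blake2b(block, key=key, digest_size=BLOCK).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split_blocks(data: bytes) -> list:
    assert len(data) % BLOCK == 0, "ECB and CBC need padding to whole blocks"
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """ECB: C_i = E(K, P_i). Equal plaintext blocks give equal ciphertext blocks."""
    return b"".join(E(key, p) for p in split_blocks(plaintext))


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CBC: C_i = E(K, P_i XOR C_{i-1}) with C_0 = IV. The IV must be
    unpredictable and never reused under the same key."""
    out, prev = [], iv
    for p in split_blocks(plaintext):
        prev = E(key, xor(p, prev))
        out.append(prev)
    return b"".join(out)


def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR: C_i = P_i XOR E(K, nonce || i). Encryption and decryption are the
    same operation, no padding is needed, and (key, nonce) must never repeat."""
    assert len(nonce) == 8
    out = bytearray()
    for ctr, start in enumerate(range(0, len(data), BLOCK)):
        keystream = E(key, nonce + ctr.to_bytes(8, "big"))
        out += xor(data[start:start + BLOCK], keystream)   # zip truncates the last block
    return bytes(out)


def repeats_visible(ciphertext: bytes) -> bool:
    """True when some ciphertext block occurs more than once: the ECB leak."""
    blocks = split_blocks(ciphertext)
    return len(set(blocks)) < len(blocks)


def ctr_bitflip(ciphertext: bytes, known: bytes, wanted: bytes) -> bytes:
    """Malleability of an XOR-keystream mode: an attacker who knows the
    plaintext can rewrite it by XORing (known XOR wanted) into the ciphertext;
    without a MAC the receiver decrypts to `wanted` and notices nothing."""
    assert len(known) == len(wanted) == len(ciphertext)
    return xor(ciphertext, xor(known, wanted))


if __name__ == "__main__":
    key = os.urandom(16)
    pt = b"ATTACK AT DAWN!!" * 3                       # constructed: three equal blocks
    print("ECB leaks repeats:", repeats_visible(ecb_encrypt(key, pt)))
    print("CBC leaks repeats:", repeats_visible(cbc_encrypt(key, os.urandom(16), pt)))
    nonce, msg = os.urandom(8), b"pay 0100 to alice"
    ct = ctr_crypt(key, nonce, msg)
    tampered = ctr_bitflip(ct, msg, b"pay 9900 to alice")
    print(ctr_crypt(key, nonce, tampered))             # the receiver sees the forged amount
```

ECB prints True and CBC prints False for the repeated-block message, and the CTR ciphertext is silently rewritten from 0100 to 9900. The modes solve confidentiality of repeated blocks; integrity needs a MAC (the CMAC and HMAC material earlier) or an authenticated mode.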
Performance Comparison of Symmetric Ciphers on a 3-GHz Processor
Figure 20.5 Performance Comparison of Symmetric Ciphers: throughput in Mbps (vertical axis, 0 to 12) for DES and AES with 128-, 192- and 256-bit keys across the ECB, CBC, CFB and CTR modes; E = encryption, D = decryption
Key Distribution
• The means of delivering a key to two parties that wish to exchange data without allowing others to see the key
• Two parties (A and B) can achieve this by:
  1. A key could be selected by A and physically delivered to B
  2. A third party could select the key and physically deliver it to A and B
  3. If A and B have previously and recently used a key, one party could transmit the new key to the other, encrypted using the old key
  4. If A and B each have an encrypted connection to a third party C, C could deliver a key on the encrypted links to A and B
Key Distribution
Session key: When two end systems (hosts, terminals, etc.)
wish to communicate, they establish a logical connection (e.g.,
virtual circuit). For the duration of that logical connection, all user
data are encrypted with a one-time session key. At the
conclusion of the session, or connection, the session key is
destroyed.
Permanent key: A permanent key is a key used between
entities for the purpose of distributing session keys. The
configuration consists of the following elements:
Key distribution center: The key distribution center (KDC)
determines which systems are allowed to communicate with
each other. When permission is granted for two systems to
establish a connection, the KDC provides a one-time session
key for that connection.
Security service module (SSM): This module, which may
consist of functionality at one protocol layer, performs end-to-end
encryption and obtains session keys on behalf of users.
Key Distribution
To establish a session key through the KDC, the following steps are followed:
1. When one host wishes to set up a connection to another host, it
transmits a connection request packet (step 1).
2. The SSM saves that packet and applies to the KDC for permission
to establish the connection (step 2).
3. The communication between the SSM and the KDC is encrypted
using a master key shared only by this SSM and the KDC. If the
KDC approves the connection request, it generates the session
key and delivers it to the two appropriate SSMs, using a unique
permanent key for each SSM (step 3).
4. The requesting SSM can now release the connection request
packet, and a connection is set up between the two end systems
(step 4).
5. All user data exchanged between the two end systems are
encrypted by their respective SSMs using the one-time session
key.
Automatic Key Distribution for Connection-Oriented Protocol
Figure: two hosts, each with an application above a security service (the SSM), connected over the network to each other and to the key distribution center. 1. Host sends packet requesting connection. 2. Security service buffers packet; asks KDC for session key. 3. KDC distributes session key to both hosts. 4. Buffered packet transmitted.
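The five-step exchange above simulated end to end in Python, as an added example (not the slides' code). The KDC holds one permanent (master) key per SSM and the policy of which pairs may connect; each SSM talks to the KDC only under its master key and then protects user data under the one-time session key. The link encryption is a toy encrypt-then-MAC built from a keyed BLAKE2b keystream and HMAC-SHA256, standing in for a real cipher such as AES-GCM; names, keys and messages are constructed. One simplification is labelled in the code: the KDC returns the peer's sealed copy of the session key to the requester, who forwards it (it is sealed under the peer's master key, so the requester can neither read nor alter it), where the slide has the KDC deliver it directly.

```python
import hashlib
import hmac
import os
import secrets


def seal(key: bytes, msg: bytes) -> bytes:
    """Toy authenticated encryption: XOR with a keyed-BLAKE2b keystream under a
    fresh nonce, then HMAC-SHA256 over nonce || ciphertext (encrypt-then-MAC)."""
    assert len(msg) <= 64                      # one BLAKE2b output covers the demo messages
    nonce = os.urandom(12)
    keystream = hashlib.blake2b(nonce, key=key, digest_size=64).digest()
    ct = bytes(m ^ k for m, k in zip(msg, keystream))
    tag = hmac.new(key, nonce + ct, "sha256").digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("authentication failed")
    keystream = hashlib.blake2b(nonce, key=key, digest_size=64).digest()
    return bytes(c ^ k for c, k in zip(ct, keystream))


class KDC:
    """Holds the permanent key of every SSM and decides who may talk to whom."""

    def __init__(self, master_keys: dict, allowed_pairs: set):
        self.master_keys, self.allowed = master_keys, allowed_pairs

    def request(self, requester: bytes, blob: bytes) -> tuple:
        peer = unseal(self.master_keys[requester], blob)            # step 2
        if (requester, peer) not in self.allowed:
            raise PermissionError(f"{requester!r} may not connect to {peer!r}")
        session_key = secrets.token_bytes(16)                       # one-time session key
        return (seal(self.master_keys[requester], peer + b"|" + session_key),   # step 3:
                seal(self.master_keys[peer], requester + b"|" + session_key))   # one copy per SSM


class SSM:
    """Security service module: talks to the KDC under its master key, then
    encrypts user data end to end under the session key."""

    def __init__(self, name: bytes, master_key: bytes):
        self.name, self.master_key, self.sessions = name, master_key, {}

    def connect(self, kdc: KDC, peer: "SSM") -> None:
        for_me, for_peer = kdc.request(self.name, seal(self.master_key, peer.name))
        self.sessions[peer.name] = unseal(self.master_key, for_me).split(b"|", 1)[1]
        peer.deliver(for_peer)            # simplification: forwarded, sealed under the peer's key

    def deliver(self, blob: bytes) -> None:
        peer, session_key = unseal(self.master_key, blob).split(b"|", 1)
        self.sessions[peer] = session_key

    def send(self, peer: bytes, data: bytes) -> bytes:              # step 5
        return seal(self.sessions[peer], data)

    def recv(self, peer: bytes, blob: bytes) -> bytes:
        return unseal(self.sessions[peer], blob)


def demo() -> dict:
    """Constructed scenario: A may connect to B but not to C."""
    keys = {n: secrets.token_bytes(16) for n in (b"A", b"B", b"C")}
    kdc = KDC(keys, {(b"A", b"B")})
    a, b, c = (SSM(n, keys[n]) for n in (b"A", b"B", b"C"))
    a.connect(kdc, b)                                               # steps 1-4
    result = {"shared": a.sessions[b"B"] == b.sessions[b"A"],
              "roundtrip": b.recv(b"A", a.send(b"B", b"connection request")) == b"connection request"}
    tampered = bytearray(a.send(b"B", b"ok"))
    tampered[12] ^= 1                                               # flip one ciphertext bit
    try:
        b.recv(b"A", bytes(tampered))
        result["tamper_detected"] = False
    except ValueError:
        result["tamper_detected"] = True
    try:
        a.connect(kdc, c)
        result["policy_enforced"] = False
    except PermissionError:
        result["policy_enforced"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

Two points the step list leaves implicit are visible in the code: the KDC, not the hosts, is the policy decision point (A's request for C is refused before any key exists), and the session key never travels except sealed under a master key, so a compromised host learns only its own keys.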
Computer Security
07 – Public-Key Cryptography
(Part 1)
Symmetric Key Hierarchy
Simple Use of Public-Key Encryption to
Establish a Session Key
Man-in-the-Middle Attack
Public-Key Distribution of Secret
Keys
Uncontrolled Public-Key
Distribution
Public-Key Publication
Session key: When two end systems (hosts, terminals, etc.) wish to
communicate, they establish a logical connection (e.g., virtual
circuit). For the duration of that logical connection, all user data
are encrypted with a one-time session key. At the conclusion of the
session, or connection, the session key is destroyed.
Permanent key: A permanent key is a key used between entities
for the purpose of distributing session keys. The configuration
Key consists of the following elements:
Distribution Key distribution center: The key distribution center (KDC)
determines which systems are allowed to communicate with each
other. When permission is granted for two systems to establish a
connection, the KDC provides a one-time session key for that
connection.
Security service module (SSM): This module, which may consist of
functionality at one protocol layer, performs end-to-end
encryption and obtains session keys on behalf of users.
Key Distribution
To stablish the key distribution, the following steps should be followed:
1. When one host wishes to set up a connection to another host, it
transmits a connection request packet (step 1).
2. The SSM saves that packet and applies to the KDC for permission
to establish the connection (step 2).
3. The communication between the SSM and the KDC is encrypted
using a master key shared only by this SSM and the KDC. If the
KDC approves the connection request, it generates the session
key and delivers it to the two appropriate SSMs, using a unique
permanent key for each SSM (step 3).
4. The requesting SSM can now release the connection request
packet, and a connection is set up between the two end systems
(step 4).
5. All user data exchanged between the two end systems are
encrypted by their respective SSMs using the one-time session
key.
Automatic Key Distribution for Connection-Oriented Protocol
[Figure: two hosts, each with an application above a security service, connected through the network; both security services also reach the key distribution center. Numbered arrows mark the four steps below.]
1. Host sends packet requesting connection.
2. Security service buffers packet; asks KDC for session key.
3. KDC distributes session key to both hosts.
4. Buffered packet transmitted.
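The five-step procedure above, simulated end to end. This is an added example written for these notes, not code from the textbook or the lecture: the KDC, the two SSMs, the master keys and the policy are all constructed here, and the symmetric cipher is a toy authenticated-encryption scheme built from HMAC-SHA256 (counter-mode keystream plus a tag) that stands in for the real cipher the SSMs would use. It shows the two things the slide states but does not show: the session key travels to each SSM wrapped under that SSM's own permanent key, and a pair the KDC's policy does not allow never gets a key at all.

```python
import hashlib
import hmac
import os
import struct

# Constructed toy authenticated encryption (HMAC-SHA256 as a counter-mode PRF
# plus an HMAC tag). It stands in for the cipher the SSMs would really use.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))

class KDC:
    """Holds one permanent (master) key per SSM and decides who may talk to whom."""
    def __init__(self, master_keys: dict, allowed: set):
        self.master_keys = master_keys      # SSM name -> permanent key
        self.allowed = allowed              # frozenset({a, b}) pairs permitted to connect

    def request_session(self, requester: str, peer: str):
        # Steps 2-3: apply the policy, then deliver one session key to BOTH SSMs,
        # each copy wrapped under that SSM's own permanent key.
        if frozenset((requester, peer)) not in self.allowed:
            return None                     # request refused: no key is issued
        session_key = os.urandom(32)
        return {requester: encrypt(self.master_keys[requester], session_key),
                peer: encrypt(self.master_keys[peer], session_key)}

class SSM:
    """Security service module sitting between a host and the network."""
    def __init__(self, name: str, master_key: bytes):
        self.name, self.master_key = name, master_key
        self.session_keys = {}              # peer name -> one-time session key
        self.buffered = None                # connection request held during step 2

    def install_session_key(self, peer: str, wrapped: bytes):
        self.session_keys[peer] = decrypt(self.master_key, wrapped)

    def protect(self, peer: str, data: bytes) -> bytes:
        return encrypt(self.session_keys[peer], data)

    def unprotect(self, peer: str, blob: bytes) -> bytes:
        return decrypt(self.session_keys[peer], blob)

def run_exchange(kdc: KDC, ssm_a: SSM, ssm_b: SSM, request: bytes, user_data: bytes):
    """Steps 1-5 of the procedure; returns the user data as recovered by B's SSM."""
    ssm_a.buffered = request                                   # steps 1-2: hold the request
    wrapped = kdc.request_session(ssm_a.name, ssm_b.name)      # steps 2-3: ask the KDC
    if wrapped is None:
        return None                                            # connection never set up
    ssm_a.install_session_key(ssm_b.name, wrapped[ssm_a.name])
    ssm_b.install_session_key(ssm_a.name, wrapped[ssm_b.name])
    ssm_a.buffered = None                                      # step 4: release the request
    return ssm_b.unprotect(ssm_a.name, ssm_a.protect(ssm_b.name, user_data))  # step 5

def demo():
    keys = {name: os.urandom(32) for name in ("A", "B", "C")}  # constructed master keys
    kdc = KDC(keys, allowed={frozenset(("A", "B"))})           # only A<->B is permitted
    a, b, c = (SSM(n, keys[n]) for n in ("A", "B", "C"))
    granted = run_exchange(kdc, a, b, b"SYN", b"hello over the session key")
    refused = run_exchange(kdc, a, c, b"SYN", b"never sent")
    return granted, refused

if __name__ == "__main__":
    print(demo())
```

Note that a SSM never sees any master key but its own, and the session key exists only for the connection: a compromise of one host's SSM exposes that host's permanent key and its current session keys, nothing more. The tag check in decrypt matters too; without it a key delivered on the KDC link could be silently altered in transit.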
Public-Key Distribution Scenario
Key Distribution Between Two
Communicating Entities
Principles of Public-Key Cryptosystems
• The concept of public-key cryptography evolved from
an attempt to attack two of the most difficult
problems associated with symmetric encryption:
• Key distribution
• How to have secure communications in general
without having to trust a KDC with your key
• Digital signatures
• How to verify that a message comes intact from
the claimed sender
• Whitfield Diffie and Martin Hellman from Stanford
University achieved a breakthrough in 1976 by coming
up with a method that addressed both problems and
was radically different from all previous approaches to
cryptography
Public-Key Cryptography (1 of 2)
Public-Key Cryptography (2 of 2)
Misconceptions Concerning Public-Key
Encryption
Public-key encryption is more secure from cryptanalysis than
symmetric encryption
Public-key encryption is a general-purpose technique that has
made symmetric encryption obsolete
There is a feeling that key distribution is trivial when using public-
key encryption, compared to the cumbersome handshaking
involved with key distribution centers for symmetric encryption
Public-Key Requirements (1 of 2)
• Conditions that these algorithms must fulfill:
• It is computationally easy for a party B to generate a pair (public key PU_b, private key PR_b)
• It is computationally easy for a sender A, knowing the public key
and the message to be encrypted, to generate the corresponding
ciphertext
• It is computationally easy for the receiver B to decrypt the
resulting ciphertext using the private key to recover the original
message
• It is computationally infeasible for an adversary, knowing the
public key, to determine the private key
• It is computationally infeasible for an adversary, knowing the
public key and a ciphertext, to recover the original message
• The two keys can be applied in either order
Public-Key Requirements (2 of 2)
• Need a trap-door one-way function
• A one-way function is one that maps a domain into a range such that
every function value has a unique inverse, with the condition that the
calculation of the function is easy, whereas the calculation of the
inverse is infeasible
• Y = f(X) easy
• X = f^-1(Y) infeasible
• A trap-door one-way function is a family of invertible functions f_k, such that
• Y = f_k(X) easy, if k and X are known
• X = f_k^-1(Y) easy, if k and Y are known
• X = f_k^-1(Y) infeasible, if Y known but k not known
• A practical public-key scheme depends on a suitable trap-door one-way
function
Public-Key Cryptanalysis
• A public-key encryption scheme is vulnerable to a brute-force attack
• Countermeasure: use large keys
• Key size must be small enough for practical encryption and
decryption
• Key sizes that have been proposed result in
encryption/decryption speeds that are too slow for general-
purpose use
• Public-key encryption is currently confined to key management
and signature applications
• Another form of attack is to find some way to compute the private key
given the public key
• To date it has not been mathematically proven that this form of
attack is infeasible for a particular public-key algorithm
• Finally, there is a probable-message attack
• This attack can be thwarted by appending some random bits to
simple messages
Rivest-Shamir-Adleman (RSA) Algorithm
• Developed in 1977 at MIT by Ron Rivest, Adi Shamir & Len
Adleman
• Most widely used general-purpose approach to public-key
encryption
• Is a cipher in which the plaintext and ciphertext are integers
between 0 and n – 1 for some n
• A typical size for n is 1024 bits, or 309 decimal digits
RSA Algorithm
• RSA makes use of an expression with exponentials
• Plaintext is encrypted in blocks with each block having a binary value
less than some number n
• Encryption and decryption are of the following form, for some
plaintext block M and ciphertext block C
C = M^e mod n
M = C^d mod n = (M^e)^d mod n = M^(ed) mod n
• Both sender and receiver must know the value of n
• The sender knows the value of e, and only the receiver knows the
value of d
• This is a public-key encryption algorithm with a public key of
PU={e,n} and a private key of PR={d,n}
Algorithm Requirements
• For this algorithm to be satisfactory for public-key encryption, the following requirements must be met:
• It is possible to find values of e, d, n such that M^(ed) mod n = M for all M < n
• It is relatively easy to calculate M^e mod n and C^d mod n for all values of M < n
• It is infeasible to determine d given e and n
The RSA Algorithm
Example of RSA Algorithm
1. Select two prime numbers, p = 17 and q = 11.
2. Calculate n = pq = 17 * 11 = 187.
3. Calculate φ(n) = (p - 1)(q - 1) = 16 * 10 = 160.
4. Select e such that e is relatively prime to φ(n) = 160 and less than φ(n); we choose e = 7.
5. Determine d such that de mod 160 = 1 and d < 160. The correct value is d = 23, because 23 * 7 = 161 = 1 * 160 + 1.
RSA Processing of Multiple Blocks (1 of 2)
RSA Processing of Multiple Blocks (2 of 2)
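The five key-generation steps above, followed by encryption and decryption of single blocks and of a multi-block message, as an added example for these notes (not code from the textbook). It uses the slide's own parameters p = 17, q = 11, e = 7 and derives d with a modular inverse; the sample message and the block-splitting rule (one fewer bit than n has, so that every block value is strictly below n) are my choices for the example.

```python
from math import gcd

def rsa_keygen(p: int, q: int, e: int):
    """Steps 2-5 of the slide: n, phi(n), check e, derive d. Returns (PU, PR)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if not (1 < e < phi) or gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to phi(n) and smaller than it")
    d = pow(e, -1, phi)            # modular inverse, so d*e mod phi(n) == 1 (Python 3.8+)
    return (e, n), (d, n)

def rsa_encrypt_block(m: int, pub) -> int:
    e, n = pub
    if not 0 <= m < n:
        raise ValueError("block must be an integer in [0, n)")
    return pow(m, e, n)            # C = M^e mod n

def rsa_decrypt_block(c: int, priv) -> int:
    d, n = priv
    return pow(c, d, n)            # M = C^d mod n

# Multiple blocks: cut the message into chunks of (bit length of n) - 1 bits so that
# every block value is strictly less than n, whatever n is (7-bit blocks for n = 187).
def split_blocks(data: bytes, n: int):
    bits = n.bit_length() - 1
    value = int.from_bytes(data, "big")
    count = -(-(len(data) * 8) // bits)      # ceiling division
    mask = (1 << bits) - 1
    return [(value >> (bits * i)) & mask for i in reversed(range(count))]

def join_blocks(blocks, n: int, length: int) -> bytes:
    bits = n.bit_length() - 1
    value = 0
    for b in blocks:
        value = (value << bits) | b
    return value.to_bytes(length, "big")

def rsa_encrypt_message(data: bytes, pub):
    return [rsa_encrypt_block(m, pub) for m in split_blocks(data, pub[1])]

def rsa_decrypt_message(blocks, priv, length: int) -> bytes:
    return join_blocks([rsa_decrypt_block(c, priv) for c in blocks], priv[1], length)

def demo():
    pub, priv = rsa_keygen(17, 11, 7)               # the slide's p, q and e
    c = rsa_encrypt_block(88, pub)                   # 88^7 mod 187
    msg = b"RSA demo"                                # constructed sample message
    blocks = rsa_encrypt_message(msg, pub)
    return pub, priv, c, rsa_decrypt_block(c, priv), rsa_decrypt_message(blocks, priv, len(msg))
```

This is "textbook RSA": the same block always encrypts to the same ciphertext, and with a 187-element block space the mapping can be tabulated outright. A real deployment uses a modulus of the size quoted above and never applies the primitive to raw data; the block is first randomised and padded (OAEP, discussed at the end of this lecture).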
Exponentiation in Modular Arithmetic
• Both encryption and decryption in RSA involve raising an
integer to an integer power, mod n
• Can make use of a property of modular arithmetic:
[(a mod n) x (b mod n)] mod n = (a x b) mod n
• With RSA you are dealing with potentially large exponents so efficiency of exponentiation is a consideration
• For that you must use the square-and-multiply exponentiation algorithm, which performs fast modular exponentiation
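The fast exponentiation the slide refers to, written out as an added example for these notes (not the textbook's listing). It returns the per-bit trace of the left-to-right square-and-multiply algorithm so the table of intermediate values can be inspected, and counts the operations against naive repeated multiplication; the sample computation 7^560 mod 561 is my choice.

```python
def mod_exp(a: int, b: int, n: int):
    """Left-to-right square-and-multiply for a^b mod n.
    Returns (result, trace); each trace entry is (bit, c, f) where c is the part of the
    exponent consumed so far and f = a^c mod n. Every product is reduced mod n at once,
    using [(x mod n) * (y mod n)] mod n = (x * y) mod n, so f never grows beyond n^2."""
    if n == 1:
        return 0, []
    c, f, trace = 0, 1, []
    for bit in bin(b)[2:]:                 # exponent bits, most significant first
        c, f = 2 * c, (f * f) % n          # square
        if bit == "1":
            c, f = c + 1, (f * a) % n      # multiply
        trace.append((int(bit), c, f))
    return f, trace

def naive_mod_exp(a: int, b: int, n: int) -> int:
    """b multiplications in a row; correct, but hopeless for a 1024-bit exponent."""
    f = 1
    for _ in range(b):
        f = (f * a) % n
    return f

def operation_count(b: int):
    """(squarings, multiplications) square-and-multiply needs for exponent b."""
    return b.bit_length(), bin(b).count("1")

def demo():
    result, trace = mod_exp(7, 560, 561)   # constructed sample: 7^560 mod 561
    return result, len(trace), operation_count(560), naive_mod_exp(7, 560, 561)
```

For the 10-bit exponent 560 the algorithm does 10 squarings and 3 multiplications against 560 multiplications for the naive loop; for a 1024-bit d the gap is about 1500 operations against 2^1024. Note that the branch on the exponent bit is exactly what the timing attack later in this lecture exploits, which is why production code uses constant-time ladders rather than this plain form.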
Efficient Operation Using the Public Key
To speed up the operation of the RSA algorithm using the public key, a specific choice of e is usually made.
The most common choice is 65537 (2^16 + 1). Two other popular choices are e = 3 and e = 17.
Each of these choices has only two 1 bits, so the number of multiplications required to perform exponentiation is minimized.
With a very small public key, such as e = 3, RSA becomes vulnerable to a simple attack.
Efficient Operation Using the Private Key
• Decryption uses exponentiation to power d
• A small value of d is vulnerable to a brute-force attack and to other forms of cryptanalysis
• Can use the Chinese Remainder Theorem (CRT) to speed up computation
• The quantities d mod (p – 1) and d mod (q – 1) can be precalculated
• End result is that the calculation is approximately four times as fast as evaluating M = C^d mod n directly
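CRT decryption with the precalculated quantities d mod (p – 1) and d mod (q – 1), as an added example for these notes (not the textbook's code), on the slide's key p = 17, q = 11, d = 23. Beyond what the slide states it adds the recombination step (Garner's formula, which needs q^-1 mod p) and a checked variant that verifies the result with the public key before releasing it, the standard guard against the fault-based attack mentioned later in this lecture.

```python
def crt_private_key(p: int, q: int, d: int) -> dict:
    """Precompute, once, the quantities the slide mentions plus q^-1 mod p."""
    return {"p": p, "q": q,
            "dP": d % (p - 1),            # d mod (p - 1)
            "dQ": d % (q - 1),            # d mod (q - 1)
            "qInv": pow(q, -1, p)}        # q^-1 mod p, used to recombine (Python 3.8+)

def rsa_decrypt_crt(c: int, key: dict) -> int:
    """M = C^d mod n via two half-size exponentiations and Garner's recombination."""
    p, q = key["p"], key["q"]
    m1 = pow(c % p, key["dP"], p)         # C^d mod p (exponent reduced mod p-1 by Fermat)
    m2 = pow(c % q, key["dQ"], q)         # C^d mod q
    h = (key["qInv"] * (m1 - m2)) % p     # solve m = m2 + h*q with m == m1 (mod p)
    return m2 + h * q

def rsa_decrypt_crt_checked(c: int, key: dict, e: int) -> int:
    """Defensive variant: re-encrypt with the public key and refuse to release a
    result that does not round-trip. A single faulty half-exponentiation would
    otherwise leak a value from which the private key can be derived."""
    n = key["p"] * key["q"]
    m = rsa_decrypt_crt(c, key)
    if pow(m, e, n) != c % n:
        raise ValueError("CRT result failed public-key check; computation was faulty")
    return m

def demo():
    key = crt_private_key(17, 11, 23)     # the slide's example key, d = 23
    n = 17 * 11
    agree = all(rsa_decrypt_crt(c, key) == pow(c, 23, n) for c in range(n))
    return key["dP"], key["dQ"], rsa_decrypt_crt(11, key), agree
```

The four-fold speed-up comes from exponent and modulus both being half the size: each half-size exponentiation costs roughly one eighth of the full one, and there are two of them. The check in the last function costs one public-key exponentiation with a small e, which is cheap next to the private-key work it protects.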
Key Generation
• Before the application of the public-key cryptosystem each
participant must generate a pair of keys:
• Determine two prime numbers p and q
• Select either e or d and calculate the other
• Because the value of n = pq will be known to any potential
adversary, primes must be chosen from a sufficiently large set
• The method used for finding large primes must be
reasonably efficient
Procedure for Picking a Prime Number
1. Pick: Pick an odd integer n at random
2. Pick: Pick an integer a < n at random
3. Perform: Perform the probabilistic primality test with a as a parameter. If n fails the test, reject the value n and go to step 1
4. Accept: If n has passed a sufficient number of tests, accept n; otherwise, go to step 2
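The four-step procedure above, implemented as an added example for these notes (not from the textbook), with the Miller-Rabin test as the probabilistic primality test in step 3 and 40 rounds as the "sufficient number" in step 4. The small-prime trial division and the Fermat comparison are my additions: the Fermat test is included only to show why the stronger test is used, since 561 = 3 x 11 x 17 passes Fermat for base 2 but is caught by Miller-Rabin with the same base.

```python
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47)

def fermat_passes(n: int, a: int) -> bool:
    """Weaker test for comparison: a^(n-1) == 1 mod n. Carmichael numbers fool it."""
    return pow(a, n - 1, n) == 1

def passes_test(n: int, a: int) -> bool:
    """Step 3: one Miller-Rabin round with parameter a (n odd, n > 2).
    True means 'no evidence that n is composite'; False means a proves n composite."""
    d, r = n - 1, 0
    while d % 2 == 0:                      # write n - 1 = 2^r * d with d odd
        d //= 2
        r += 1
    x = pow(a, d, n)
    if x in (1, n - 1):
        return True
    for _ in range(r - 1):                 # successive squarings must reach n - 1
        x = (x * x) % n
        if x == n - 1:
            return True
    return False                           # a nontrivial square root of 1 was found

def is_probable_prime(n: int, rounds: int = 40) -> bool:
    if n < 2:
        return False
    for p in SMALL_PRIMES:                 # cheap trial division first
        if n % p == 0:
            return n == p
    for _ in range(rounds):                # step 2: random a; step 4: enough passes -> accept
        a = 2 + secrets.randbelow(n - 3)   # a in [2, n - 2]
        if not passes_test(n, a):
            return False                   # step 3: n failed -> reject it
    return True

def pick_prime(bits: int, rounds: int = 40) -> int:
    """Step 1, repeated until a candidate survives: random odd integer of exactly `bits` bits."""
    while True:
        n = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # top bit set, odd
        if is_probable_prime(n, rounds):
            return n
```

Each Miller-Rabin round that a composite survives has probability at most 1/4, so 40 rounds leave an error bound of 2^-80; the candidates come from `secrets`, not `random`, because the primes become the private key. For RSA the two primes must also be of the requested size and distinct, which `pick_prime` gives by forcing the top bit and by the caller comparing p and q.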
The Security of RSA
• Five possible approaches to attacking RSA are:
• Brute force
• Involves trying all possible private keys
• Mathematical attacks
• There are several approaches, all equivalent in effort to factoring the product of two primes
• Timing attacks
• These depend on the running time of the decryption algorithm
• Hardware fault-based attack
• This involves inducing hardware faults in the processor that is generating digital signatures
• Chosen ciphertext attacks
• This type of attack exploits properties of the RSA algorithm
Factoring Problem
• We can identify three approaches to attacking RSA
mathematically:
• Factor n into its two prime factors. This enables calculation of φ(n) = (p – 1) x (q – 1), which in turn enables determination of d = e^-1 (mod φ(n))
• Determine φ(n) directly without first determining p and q. Again this enables determination of d = e^-1 (mod φ(n))
• Determine d directly without first determining φ(n)
Progress in Factorization
Number of Decimal Digits   Number of Bits   Date Achieved
100                        332              April 1991
110                        365              April 1992
120                        398              June 1993
129                        428              April 1994
130                        431              April 1996
140                        465              February 1999
155                        512              August 1999
160                        530              April 2003
174                        576              December 2003
200                        663              May 2005
193                        640              November 2005
232                        768              December 2009
Timing Attacks
• Paul Kocher, a cryptographic consultant, demonstrated that a
snooper can determine a private key by keeping track of how
long a computer takes to decipher messages
• Are applicable not just to RSA but to other public-key
cryptography systems
• Are alarming for two reasons:
• The attack comes from a completely unexpected direction
• It is a ciphertext-only attack
Countermeasures
• Constant exponentiation time
• Ensure that all exponentiations take the same amount of time before
returning a result; this is a simple fix but does degrade performance
• Random delay
• Better performance could be achieved by adding a random delay to the
exponentiation algorithm to confuse the timing attack
• Blinding
• Multiply the ciphertext by a random number before performing
exponentiation; this process prevents the attacker from knowing what
ciphertext bits are being processed inside the computer and therefore
prevents the bit-by-bit analysis essential to the timing attack
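The blinding countermeasure written out, as an added example for these notes (not the textbook's code), on the slide's key (e = 7, d = 23, n = 187). The algebra behind it: (C x r^e)^d = C^d x r^(ed) = M x r (mod n), so multiplying by r^-1 afterwards recovers M while the exponentiation itself ran on a value the attacker cannot predict. The optional fixed r exists only so the arithmetic can be traced; a deployment draws a fresh r for every decryption.

```python
import secrets
from math import gcd

def blind(c: int, r: int, e: int, n: int) -> int:
    """C' = C * r^e mod n: what the private-key exponentiation will actually see."""
    return (c * pow(r, e, n)) % n

def unblind(m_blinded: int, r: int, n: int) -> int:
    """M = M' * r^-1 mod n (Python 3.8+ modular inverse)."""
    return (m_blinded * pow(r, -1, n)) % n

def rsa_decrypt_blinded(c: int, priv, pub, r: int = None) -> int:
    d, n = priv
    e, _ = pub
    if r is None:
        while True:                                   # fresh r in [2, n-1] per decryption
            r = 2 + secrets.randbelow(n - 2)
            if gcd(r, n) == 1:                        # r must be invertible mod n
                break
    c_blinded = blind(c, r, e, n)
    m_blinded = pow(c_blinded, d, n)                  # (C r^e)^d = M r mod n
    return unblind(m_blinded, r, n)

def demo():
    pub, priv = (7, 187), (23, 187)                   # the slide's example key
    c = 11                                            # ciphertext of M = 88
    return blind(c, 5, 7, 187), rsa_decrypt_blinded(c, priv, pub, r=5), rsa_decrypt_blinded(c, priv, pub)
```

Blinding removes the dependence between the attacker's chosen ciphertext and the bits processed, which the timing attack needs; it does not make the exponentiation itself constant-time, so it is normally combined with a constant-time ladder rather than used alone. The cost is one small public exponentiation and one modular inverse per decryption.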
Fault-Based Attack
• An attack on a processor that is generating RSA digital signatures
• Induces faults in the signature computation by reducing the
power to the processor
• The faults cause the software to produce invalid signatures
which can then be analyzed by the attacker to recover the
private key
• The attack algorithm involves inducing single-bit errors and
observing the results
• While worthy of consideration, this attack does not appear to be a
serious threat to RSA
• It requires that the attacker have physical access to the target
machine and is able to directly control the input power to the
processor
Chosen Ciphertext Attack (CCA)
• The adversary chooses a number of ciphertexts and is then
given the corresponding plaintexts, decrypted with the target’s
private key
• Thus the adversary could select a plaintext, encrypt it with
the target’s public key, and then be able to get the plaintext
back by having it decrypted with the private key
• The adversary exploits properties of RSA and selects blocks
of data that, when processed using the target’s private key,
yield information needed for cryptanalysis
• To counter such attacks, RSA Security Inc. recommends
modifying the plaintext using a procedure known as optimal
asymmetric encryption padding (OAEP)
Encryption Using Optimal Asymmetric Encryption Padding (OAEP)