CSF Merged Notes
Uploaded by Bentoja

COMPSCI4062/COMPSCI5063

Cyber Security Fundamentals


(CSF)

Dr Dongzhu Liu
Dr Emma Li

1
HOUSEKEEPING AND GROUND RULES

2
Course Aims
• Course Spec:
https://www.gla.ac.uk/coursecatalogue/course/?code=COMPSCI4062
• https://www.gla.ac.uk/coursecatalogue/course/?code=COMPSCI5063

• To provide an overview of Cyber Security, providing broad coverage.


• Explain cyber security fundamentals concepts including Ethical
hacking, Digital Forensics and Penetration testing;
• Explain a number of different security protocols;
• Evaluate an existing or proposed system in terms of potential
vulnerabilities and recommend the most appropriate security solution
to apply in a number of different scenarios;
• Summarise the key vulnerabilities, threats, and attacks with regards to
network security and explain approaches to mitigate these issues;
• Implement an aspect of cyber security;

3
Communications
• Use the Moodle Discussion Forum for general questions
• Ask the Lab Assistants about coding during labs
• Use the Moodle Coursework Questions forum for questions about coursework
• Help each other through “peer support”
• Do not DM or email the course coordinators or the lab assistants, unless you have a problem that will affect your performance
➢ Please find our Office hours on the Moodle page
4
How To Do Well

➢ Attend all the classes and do the small exercises and quizzes.
  ✓ Learn as you go.
  ✓ It is too difficult to try and learn the course just before the exam.
➢ Don’t spend too much time on the assessed exercises for this and other courses trying to get an A.
  ✓ Most marks are in the exam.
  ✓ You do well in the exam by learning the course as you go.
5
Code of conduct

– Please raise your hand if you would like to ask a question
– We will all treat each other with respect and dignity. Bullying and harassment will not be tolerated.
6
Schedules

• Lectures
Weeks 1-10

• Tutorials
Weeks 2-6 and Week 10

• Lab Sessions
Weeks 7-9
*Please check Moodle page for details.
7
Assessments - COMPSCI5063

• In class Quizzes (10%) (L2-L6): quizzes open for 24 hours, until 1pm on the day after the lecture

• Lab report (10%): due at 4pm 17th March

• Written Assignment (20%): ??

• Individual Exam (60%): during April/May

8
Assessments - COMPSCI4062

• In class Quizzes (10%) (L2-L6): quizzes open for 24 hours, until 1pm on the day after the lecture

• Lab report (10%): due at 4pm 17th March (a lab report with the code in it)

• Individual Exam (80%): during April/May

9
Plagiarism and Cheating

• If you copy someone else’s code without contribution and present it as your own work, this is plagiarism.

• If you cheat on the lab report, your individual coursework mark will be set to 0 (i.e. you automatically lose 20% (for COMPSCI4062) / 40% (COMPSCI5063) of your course mark).
10
INTRO TO CYBER SECURITY

11
Name some cyber attacks
• Weak passwords
• Phishing attacks
• Trade secrets and insider data theft
• Ransomware
• Malware attacks
• Sensitive data leaks and breaches
• Insider threats

12
Question?

How many cyber attacks are there a day?

Please Join at slido.com with #1127946

13
High-level plan for secure system
Systematic thought is required for successful defense
➢ Goal: protect assets
➢ Only legitimate entities/authorized users should be able to receive a file or use the system
➢ Aspects of Cyber Security (asset protection)
  ✓ Confidentiality, Integrity, Availability, Authenticity, Accountability, Non-repudiation
➢ Threat model: assumptions about what the attacker can do
  ✓ e.g., can guess the password, cannot physically steal our server
14
High-level plan for secure system
Systematic thought is required for successful defense
➢ Policy: some plan (rules) that will get your system to achieve the goal
  ✓ e.g., set permissions on a file so it’s only readable by Alice
  ✓ Policy must include human components (e.g., do not share passwords)
➢ Mechanism: software/hardware that your system uses to enforce policy
  ✓ user accounts, passwords, encryption
➢ Often layered: the mechanism of one layer is the policy of the next level down
15
Why need Cyber Security?

➢ To protect
  ❖ Assets
    • Assets are things that need protection and are usually digital, such as files.
  ❖ Some assets, such as keys and passwords, are important for cyber security but are not stored as files.
➢ Aspects of Cyber Security (asset protection):
  ✓ Confidentiality, Integrity, Availability, Authenticity, Accountability, Non-repudiation

16
Confidentiality

• The protection of information in the system so that an unauthorized person cannot access it
• This implies an access control mechanism.
  – Users must be identified.
  – Users are then authenticated.
  – Users are then authorised to access various assets. The access can be controlled, for example, with read, write and execute permissions.

17
Confidentiality

• Privacy is the confidentiality of personal information.
• Examples
  – Using a password to control access.
  – Encrypting files.

18
Integrity

• Ensure nothing is lost or deleted.
  – Either accidentally or deliberately.
• Make sure nothing is changed.

• Examples
  – Use a message digest to detect if a file has been changed.
  – Use a public key certificate for network communications.

19
Availability

• Have capacity to meet demands.
• Resources are allocated fairly.
• Fault tolerance and recovery from failure.

• Examples
  – Protect against denial of service attacks.

20
Authenticity

• The property of being genuine and being able to be verified and trusted; confidence in the validity of a transmission, a message, or a message originator.
• It validates the source or origin of data and other file transfers through proof of identity.
  – This ensures that the message (email, payment transaction, digital file, etc.) was not corrupted or intercepted during transmission.
21
Accountability

• Accountability
  – A crucial element of Building Integrity (BI) initiatives and one of the key principles of Good Governance. A responsible, responsive, and democratic security sector cannot be conceived without accountable personnel, institutions, and procedures.
  – An essential part of an information security plan.
  – Points to who is responsible for each cyber role in an organization.

22
Non-repudiation

• Non-repudiation
  – The author / owner of a document cannot say it was not them.
  – Assurance that the sender of information is provided with proof of delivery and the recipient is provided with proof of the sender's identity, so neither can later deny having processed the information.
  – Non-repudiation provides evidence of data's origin, authenticity, and integrity.
  – Digital files are properly tracked and users’ actions are logged.

23
Case study

• What aspects of security does Gmail have?
  Confidentiality, Integrity, Availability, Accountability, Non-repudiation

• Can you give other examples?

24
Threats

• What are we protecting assets from? Threats.
• Different types of asset security are subject to different threats.
  – A threat against confidentiality will be different from a threat against availability.
• When protecting an asset, we need to consider all possible threats.
• There are many different techniques to make sure we have considered all threats.
  – Standard lists of threats.
  – Standard techniques for dealing with them.

25
Vulnerabilities

• Different ways of protecting assets lead to different vulnerabilities.
• We can check the security of a system in two different ways.
  – From the viewpoint of an attacker. What are the attacker’s goals? How can they achieve them?
  – From the viewpoint of the defender. What are the system’s vulnerabilities?
• All the vulnerabilities collected together are called the attack surface.
  – As a defender, we want to reduce the attack surface.

26
Protection and Risk

• Protecting our assets from threats leads to a discussion of risks.
  – Protection has a cost.
  – The value of an asset might be less than the cost of protecting it.
  – Some forms of protection may be cheaper than others.
• Risk involves the probability of something happening, together with the effect of the attack succeeding.

27
Technical Solutions are Essential
• Unbreakable encryption to keep secrets and ensure data is
not changed.
– The algorithm can’t be broken without the key.
– Keys must be kept secret.
• Digital signatures to allow legally enforceable contracts.
– So that signatures can’t be forged.
• Secure message digests to provide document fingerprints
without revealing the document content.
– So that two different documents can’t have the same message
digest.
• Secure protocols to make sure the basic building blocks of
encryption signatures and message digests are used
correctly.
– So that it is not possible to bypass the use of a key.
28
... but Not Enough
• People!

• Users may not comply with security policies.
• Organizations may develop policies that users find very difficult to use.
• Developers may not adhere to security guidelines when building systems.
• Regulatory bodies may not provide appropriate policies and rules, and then may not enforce them.

• Need to consider socio-technical systems.
  – Consider people as well as the technical aspects of any system.

29
Questions

1. Explain, with examples, how a system that uses all the best encryption techniques can still be insecure.
2. Explain, with examples, the terms Confidentiality, Integrity and Availability (CIA).
3. Explain, with examples, how security problems can arise in hardware, software, networks, personnel, site and organization.
   • What CIA aspects are affected by each of your examples?
4. What is Security Engineering and how is it similar to / different from Software Engineering?

30
Knowledge survey

• Please vote at Slido.com with the code #2219123
  – Do you have experience of using object-oriented programming languages, e.g., Java, Python, C++?
  – Do you know the seven-layer OSI model of computer networking?

31
COMPSCI4062/COMPSCI5063
Cyber Security Fundamentals
(CSF)
Lecture 2
Cyber Attacks and Security Protocols

1
NETWORK STRUCTURES

2
Network Types

• Local Area Network (LAN)
  – Wireless Local Area Network (WLAN)
• Personal Area Network (PAN)
• Metropolitan Area Network (MAN)
• Wide Area Network (WAN)
• Virtual Private Network (VPN)

3
A Typical Network

(figure)
4
Open Systems Interconnection model (OSI model)

7. Application:  Serves as a window for users and application processes to access network services.
6. Presentation: Concerned with the syntax and semantics of the information exchanged between the two systems.
5. Session:      Establishes, maintains and synchronizes the interaction between communicating devices (authentication & authorization).
4. Transport:    Reliable transmission of data segments between points on a network (TCP, UDP protocols).
3. Network:      Structuring and managing a multi-node network, including addressing, routing and traffic control.
2. Data link:    Transmission of data frames between two nodes connected by a physical layer (media access control).
1. Physical:     Transmission and reception of raw bit streams over a physical medium (e.g., optical fibre, cable, wireless radio).
5
CYBERATTACKS

6
Definition

• A cyberattack is any offensive maneuver that targets computer information systems, computer networks, infrastructures, or personal computer devices.

7
Types of attack

• Active attack
  ➢ attempts to alter system resources or affect their operation, e.g., Denial-of-service attack, Spoofing, Man-in-the-middle attack, ARP poisoning (Layer 2)
• Passive attack
  ➢ attempts to learn or make use of information from the system but does not affect system resources, e.g., wiretapping, fiber tapping

8
Forms of Cyber Threats

• Environmental
– Break-in, physical damage, natural disaster, etc.
• Unintentional
– Human error, poor training, insufficient
documentation, etc.
• Intentional
– Internal, e.g., Staff
• External
– Intelligence agencies, hackers, terrorists, crackers,
criminals, industrial intelligence, etc.
9
Common Security Problems

• Snooping
– Unauthorized reading or interception of
information
• Modification
– Unauthorized change of information
• Masquerading or spoofing
– Impersonation of one entity by another

10
Common Security Problems

• Repudiation
– False denial of sending or creating information
• Denial of receipt
– False denial of receiving information
• Delay
– Temporary inhibition of access to services or
information
• Denial of service
– Long-term or permanent inhibition of access to
services or information
11
Denial-of-service attack

• A denial-of-service (DoS) attack is an attempt to compromise availability by hindering or completely blocking the provision of some service
  – Exhaust some critical resource associated with the service
  – Example: flooding a Web server with so many spurious requests that it is unable to respond to valid requests from users in a timely manner

12
• Resources that could be attacked:
  • Network bandwidth
  • System resources
  • Application resources
• A typical network (figure)

13
SYN Spoofing-1
• A SYN spoofing attack targets the table of TCP connections on the server (Layer 4)
• A type of DoS attack

14
SYN Spoofing-2

(figure: TCP's three-way handshake used to establish a connection)

15
SYN Spoofing-3
(figure: TCP’s SYN spoofing attack)
- Causes resources on the server to be tied up by malicious use
- Legitimate clients cannot use the resource

16
UDP Flood

(figure) * A type of DoS
17
Distributed DoS
1. Application layer attacks
2. Protocol attacks
3. Volumetric attacks

18
Defense Against DoS Attacks

• Anticipate the potential attacks in different situations and prepare enough resources
  – High traffic situations, e.g. sporting events like the Olympics or a Soccer World Cup match
• Attack prevention and preemption (before the attack)
• Attack detection and filtering (during the attack)
• Attack source traceback and identification (during and after the attack)
• Attack reaction (after the attack)

* These attacks cannot be prevented entirely. 19
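The "attack detection and filtering" step above, as an added example that is not part of the lecture slides: a small detector for the SYN-spoofing condition described on the previous slides (SYN received, handshake never completed, server connection table fills up). It runs over a constructed TCP event log and applies two checks a defender needs: a per-source half-open count, and a total-backlog count, because a spoofed flood spreads its SYNs over forged source addresses and never trips a per-source threshold. The log format, thresholds and function names are assumptions for this example.

```python
from collections import defaultdict

# Constructed sample logs: (time_seconds, source_ip, flag) where "S" is a SYN
# from the client and "A" is the client's final ACK completing the handshake.
SAMPLE_EVENTS = [
    (0.0, "10.0.0.5", "S"), (0.1, "10.0.0.5", "A"),      # normal client
    (0.2, "10.0.0.7", "S"), (0.3, "10.0.0.7", "A"),      # normal client
] + [(1.0 + i * 0.01, "203.0.113.9", "S") for i in range(50)]   # one noisy source

# Spoofed flood: 30 SYNs, each from a different forged address, none completed.
SPOOFED_EVENTS = [(2.0 + i * 0.01, f"198.51.100.{i}", "S") for i in range(30)]


def half_open_per_source(events):
    """Count, per source, connections that got a SYN but never the completing ACK."""
    pending = defaultdict(int)
    for _t, src, flag in events:
        if flag == "S":
            pending[src] += 1
        elif flag == "A" and pending[src] > 0:
            pending[src] -= 1
    return dict(pending)


def flag_syn_flood_sources(events, per_source_limit=20):
    """Sources holding too many half-open connections: candidates for filtering."""
    counts = half_open_per_source(events)
    return sorted(src for src, n in counts.items() if n >= per_source_limit)


def total_half_open(events):
    """Size of the half-open backlog regardless of source."""
    return sum(half_open_per_source(events).values())


def backlog_alarm(events, backlog_limit=25):
    """True when the backlog alone signals a flood, even if no single source stands out."""
    return total_half_open(events) > backlog_limit


if __name__ == "__main__":
    print("noisy sources:", flag_syn_flood_sources(SAMPLE_EVENTS))
    print("spoofed flood flagged per source:", flag_syn_flood_sources(SPOOFED_EVENTS))
    print("spoofed flood caught by backlog check:", backlog_alarm(SPOOFED_EVENTS))
```

The per-source check is what a filter rule can act on; the backlog check is what tells you the filter is not enough and a reaction such as SYN cookies or upstream scrubbing is needed.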


Man-in-the-middle Attack

(figure: A (Alice) <-> E (Eavesdropper) <-> B (Bob))

Man-in-the-Middle (MITM)
20
MITM Attack

21
Types of MITM Attack

• Wifi Eavesdropping
  – Public wifi
• DNS Spoofing
  – A fraudulent web server redirects a targeted user to a malicious website under the attacker's control
• IP spoofing
  – The attackers imitate an approved console's IP address
• ARP spoofing
  – A fraudulent response; usually happens on a LAN using the ARP protocol
• E-mail Hacking
22
Defending MITM
• Wireless Access Point Encryption
• Use a VPN
• Strong user Credentials
• Public Key Pair Authentication

23
SECURITY PROTOCOLS
-KEEPING A SECRET

24
Keeping A Secret: Memorise

• We will start with the simplest cyber security problem, keeping a secret.
• Our first protocol is to memorise the secret.

• This is only appropriate if the secret is fairly short and easy to remember.
➢ It could be a password or an encryption key.
➢ It should not be a BitCoin ID!

25
Keeping A Secret: Paper

• If the secret is too long to remember, the next protocol is to write it down on a piece of paper
  – There is a limit to how long the secret can be.
  – It can be inconvenient to use if it has to be entered into a computer.
• The confidentiality threat relies on the attacker having physical access.
  – They can search our home or office.
• An availability threat is losing the piece of paper.
  – This can be mitigated by backups, making a copy.
  – All copies now need to be secured.
  – We must keep track of all copies.
  – Destroy all copies when they are no longer needed.
26
Keeping A Secret: Computer File

• Most documents are prepared on a computer, which introduces a number of vulnerabilities that can be exploited by attackers.
• The program used to create the document may make periodic backups, and so there are many different versions of the file that need to be protected.
• It is easy to create copies of the file.
• Deleted files can be recovered.
27
Computer File: Encryption
• An encryption program takes plaintext as input and produces ciphertext as output.
• A decryption program takes ciphertext as input and produces plaintext as output.
• Decryption must undo encryption.
• Encryption followed by decryption must produce the same output as the original input.
• The original plaintext document must be erased.
  – Including all copies and backups.
• This protocol has a time-limited vulnerability.
  – While the plaintext document is in the file system.
28
Protocol: Secret Encryption
Algorithm
• The details of the encryption and decryption algorithms are kept secret.
• Threat: finding the algorithms.
  – The algorithms will be computer programs.
  – They cannot be encrypted because they must be run on the computer.

(figure: Alice’s digital file)
29
SECURITY PROTOCOLS
-COMMUNICATING A SECRET

30
Problem: Communicating a Secret

• Alice wants to send secret information to Bob without Eve finding out.
• This is usually a confidentiality problem.
• It can also be an integrity problem.
  – If Eve changes the message before forwarding it to Bob.
• It can also be an availability problem.
  – If Eve prevents Bob from receiving the message.
  – How does Bob know that Alice has sent a message?
31
Protocol: Secure Transmission Medium

• Alice and Bob meet in a secure room or location.
  – The only secure transmission medium.
• Electronic transmissions are easy to intercept.
  – Transponders can be attached to Ethernet cables and the traffic analysed.
  – Email is stored and can be analysed later.

32
Protocol: Secure Preparation

• Alice encrypts the message in a secure area.
• It is transmitted by an insecure medium.
  – We assume that Eve can intercept, see and replace it.
• Bob decrypts the message in a secure area.
• Encryption followed by decryption cancel each other out.

33
Using Encryption

(figure)
34
Protocol: Use a Secret Algorithm

• Keep the details of the algorithm secret.
• This is bad for two reasons.
• The algorithm designers know the secret and may be physically at risk.
  – Threat of coercion.
• Peer review of a public algorithm reduces flaws.
  – It is easy to fool oneself that an algorithm is more secure than it really is.

35
Protocol: Public Algorithm, Secret Key (Private Key)
• Details of the encryption and decryption algorithms are public.
• They have a parameter, the key, which is kept secret.
• Knowledge of the algorithm is useless without the key.
• Also called a one-key system.
• Also called symmetric encryption.
36
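The "public algorithm, secret key" protocol above, together with the round-trip requirement from the "Computer File: Encryption" slide (encryption followed by decryption must reproduce the input), as an added example that is not part of the lecture slides. It uses only Python's standard library: the keystream comes from HMAC-SHA256 over the key and a fresh nonce and is XORed with the plaintext, and an HMAC tag over the ciphertext lets the receiver detect Eve's modification (the integrity problem) or the use of the wrong key. The algorithm is entirely visible; only the key is secret. This construction is a teaching illustration, and a production system should use a vetted authenticated cipher such as AES-GCM; all function names here are assumptions for this example.

```python
import hashlib
import hmac
import os

NONCE_LEN = 16   # bytes; a nonce must never repeat under the same key
TAG_LEN = 32     # SHA-256 output length


def _subkeys(key: bytes):
    """Derive separate confidentiality and integrity keys from the one secret key."""
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Public, deterministic keystream: HMAC(enc_key, nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes, nonce=None) -> bytes:
    """Return nonce || ciphertext || tag."""
    enc, mac = _subkeys(key)
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    ks = _keystream(enc, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Undo encrypt(); raise ValueError if the key is wrong or the data was altered."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    enc, mac = _subkeys(key)
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):      # constant-time comparison
        raise ValueError("authentication failed: wrong key or modified ciphertext")
    ks = _keystream(enc, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def roundtrip_ok(key: bytes, message: bytes) -> bool:
    """Encryption followed by decryption must give back the original input."""
    return decrypt(key, encrypt(key, message)) == message


def rejected(key: bytes, blob: bytes) -> bool:
    """True if decrypt() refuses the blob under this key."""
    try:
        decrypt(key, blob)
    except ValueError:
        return True
    return False


def tampered(blob: bytes) -> bytes:
    """Eve flips one ciphertext bit in transit; used to show the tag catches it."""
    i = NONCE_LEN
    return blob[:i] + bytes([blob[i] ^ 0x01]) + blob[i + 1:]
```

Alice and Bob need only share the key; Eve may hold this whole file and still cannot read a message without it, which is the property the slide describes.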
Using a Secret Key

(figure)
37
Reference Book

• Book: Computer Security Principles and Practice, by William Stallings and Lawrie Brown, 2014

38
COMPSCI4062&5063: Cyber Security Fundamentals
Topic 3: Access Control

Dongzhu Liu
Email: [email protected]
Office: SAWB 510 (b)

1
Quiz

• Active 24 hours (unless you have a proof of absence)

2
Tutorial

• Extension of the lecture
• More exercises for preparing for the exam

Written Assignment for COMPSCI5063

Literature Review. Due: 17 March 4 PM

Marking Criteria

• Meet the number of words and references (at least 800 words, and 10 state-of-the-art/latest cybersecurity publications): 25%
• Discuss advantages: 25% (easy to find in the contribution section of a paper)
• Discuss disadvantages: 30%
• Discuss connections among different papers: 10%
• Propose future research directions: 10%

Overview

• Concept of Access Control
  • Definition
  • Access control in a broader context
  • Basic elements
• Access Control Policies
  • Discretionary access control (DAC)
  • Role-based access control (RBAC)
  • Attribute-based access control (ABAC)

Reading: Chapter 4 Access Control in the book “Computer Security Principles and Practice (Third Edition)” by William Stallings and Lawrie Brown
5

Concept of Access Control

• Access control implements a security policy that specifies who or what (e.g., in the case of a process) may have access to each specific system resource and the type of access that is permitted in each instance.

6
Access control in a broader context

(Figure 4.1 Relationship Among Access Control and Other Security Functions. Source: based on [SAND94]. The figure shows a User passing through an Authentication function and then an Access control function to reach System resources, with a Security administrator maintaining an Authorization database and an Auditing function observing the whole.)

Authentication: Verification that the credentials of a user or other system entity are valid.

Authorization: The granting of a right or permission to a system entity to access a system resource. This function determines who is trusted for a given purpose.

Audit: An independent review and examination of system records and activities.

An access control mechanism mediates between a user (or a process executing on behalf of a user) and system resources, such as applications, operating systems, firewalls, routers, files, and databases. The system must first authenticate an entity seeking access. Typically, the authentication function determines whether the user
7
Basic Elements of Access Control
• Object: a resource to which access is controlled; an entity used to contain and/or receive information (e.g., pages, files, mailboxes…)
• Subject: an entity capable of accessing objects
  • Owner (e.g., creator of a resource, system administrator)
  • Group (membership in the group is sufficient to exercise the access rights)
  • World (granted the least amount of access; not included in owner/group)
• Access right: describes the way in which a subject may access an object
  • Read: view information in a system resource, including the ability to copy or print
  • Write: add, modify, or delete data; includes read access
  • Execute: execute specified programs
  • Delete: delete certain system resources (e.g., files, records, programs)
  • Create: create new files, records, or fields
  • Search: list the files in a directory or otherwise search the directory

8
Access Control Policies

• Discretionary access control (DAC)
• Mandatory access control (MAC)
• Role-based access control (RBAC)
• Attribute-based access control (ABAC)

Not mutually exclusive.

An access control mechanism can employ two or even all three of these policies to cover different classes of system resources.

Discretionary Access Control (DAC)

• DAC controls access based on the identity of the requestor and on access rules (authorizations) stating what requestors are (or are not) allowed to do.

• An entity may be granted access rights that permit the entity, by its own volition, to enable another entity to access some resources.
10

DAC: Access Matrix

Dimension 1: identified subjects that may attempt data access to the resources

Dimension 2: objects that may be accessed

(a) Access matrix (Figure 4.2a)

SUBJECTS \ OBJECTS   File 1            File 2            File 3            File 4
User A               Own, Read, Write  -                 Own, Read, Write  -
User B               Read              Own, Read, Write  Write             Read
User C               Read, Write       Read              -                 Own, Read, Write

Access Matrix (sparse): most cells of the matrix are empty.
11
DAC: Access Matrix to ACL

(Access matrix (a) as on the previous slide.)

Access control lists (columns): an ACL lists, for each object, the users and their permitted access rights.

(b) Access control lists for files of part (a)

File 1: A (Own, R, W); B (R); C (R, W)
File 2: B (Own, R, W); C (R)
File 3: A (Own, R, W); B (W)
File 4: B (R); C (Own, R, W)

12

DAC: Access Control List

(Figure 4.2(b) Access control lists for files of part (a), as on the previous slide.)

• Advantage
  • Can contain a default, or public, entry (e.g. read-only access) for users that are not explicitly listed
  • For a given resource, it is convenient for determining which subjects have which rights

• Disadvantage
  • Not convenient for determining the access rights available to a specific user

13

DAC: Access Matrix to Capability Tickets

(Access matrix (a) as on the earlier slide.)

Capability tickets/lists (rows): a capability ticket specifies the authorized objects and operations for a particular user.

(c) Capability lists for files of part (a)

User A: File 1 (Own, R, W); File 3 (Own, R, W)
User B: File 1 (R); File 2 (Own, R, W); File 3 (W); File 4 (R)
User C: File 1 (R, W); File 2 (R); File 4 (Own, R, W)

14
DAC: Capability Tickets

(Figure 4.2 Example of Access Control Structures: (a) access matrix, (b) access control lists, (c) capability lists, as on the previous slides.)

• Advantages
  • Given a user, it is easy to determine the set of access rights

• Disadvantages
  • Given a specific resource, it is difficult to determine the list of users with specific access rights
  • Tickets may be authorized to be loaned or given to others, and so become dispersed around the system -> security problem

The convenient and inconvenient aspects of capability tickets are the opposite of those for ACLs. It is easy to determine the set of access rights that a given user has, but more difficult to determine the list of users with specific access rights for a specific resource.

[SAND94] proposes a data structure that is not sparse, like the access matrix, but is more convenient than either ACLs or capability lists (Table 4.1). An authorization table contains one row for one access right of one subject to one resource. Sorting or accessing the table by subject is equivalent to a capability list. Sorting or accessing the table by object is equivalent to an ACL. A relational database can easily implement an authorization table of this type.

15
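The three structures from the slides above (access matrix, ACL, capability list) and the authorization table that [SAND94] proposes, as an added example that is not code from the slides or the Stallings text. The Figure 4.2 matrix is stored as one row per (subject, access mode, object); the ACL for an object and the capability list for a subject are then just the rows selected by object or by subject, which is the equivalence the text states. An `allowed` check and a DAC-style `grant`, in which only an owner can give another subject a right to the object, are included. Class and method names are assumptions for this example.

```python
from collections import defaultdict

# Figure 4.2(a) access matrix, transcribed from the slides: (subject, object) -> modes.
MATRIX = {
    ("A", "File 1"): {"Own", "Read", "Write"}, ("A", "File 3"): {"Own", "Read", "Write"},
    ("B", "File 1"): {"Read"}, ("B", "File 2"): {"Own", "Read", "Write"},
    ("B", "File 3"): {"Write"}, ("B", "File 4"): {"Read"},
    ("C", "File 1"): {"Read", "Write"}, ("C", "File 2"): {"Read"},
    ("C", "File 4"): {"Own", "Read", "Write"},
}


class AuthorizationTable:
    """Table 4.1 style store: one row per access right of one subject to one object."""

    def __init__(self, matrix):
        # Only non-empty cells become rows, so the table is not sparse.
        self.rows = {(s, m, o) for (s, o), modes in matrix.items() for m in modes}

    def acl(self, obj):
        """Column view: the access control list for one object."""
        view = defaultdict(set)
        for s, m, o in self.rows:
            if o == obj:
                view[s].add(m)
        return dict(view)

    def capabilities(self, subject):
        """Row view: the capability list for one subject."""
        view = defaultdict(set)
        for s, m, o in self.rows:
            if s == subject:
                view[o].add(m)
        return dict(view)

    def allowed(self, subject, mode, obj):
        """The access control function: is this (subject, mode, object) authorized?"""
        return (subject, mode, obj) in self.rows

    def grant(self, grantor, grantee, mode, obj):
        """DAC: a subject may pass on access to an object only if it owns that object."""
        if not self.allowed(grantor, "Own", obj):
            raise PermissionError(f"{grantor} does not own {obj}")
        self.rows.add((grantee, mode, obj))

    def by_subject(self):
        """Rows sorted by subject read like the capability lists of Figure 4.2(c)."""
        return sorted(self.rows)

    def by_object(self):
        """Rows sorted by object read like the ACLs of Figure 4.2(b)."""
        return sorted(self.rows, key=lambda r: (r[2], r[0], r[1]))


if __name__ == "__main__":
    table = AuthorizationTable(MATRIX)
    print("ACL for File 1:", table.acl("File 1"))
    print("Capabilities of User B:", table.capabilities("B"))
    print("B may write File 3:", table.allowed("B", "Write", "File 3"))
```

The same 18 rows answer both questions the slides contrast: `acl()` is the query that is easy with ACLs and hard with capability lists, `capabilities()` the reverse, and neither needs the other structure to be built.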
DAC: Capability Tickets

Solution

Key idea: make the ticket protected, guaranteed, and unforgeable.

Solution 1: The operating system holds all tickets on behalf of users, in a region of memory inaccessible to users.

Solution 2: Include an unforgeable token (e.g., a large random password, or a cryptographic message authentication code) in the capability.

16
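Solution 2 above, as an added example that is not part of the slides: a capability ticket that carries an HMAC-SHA256 tag computed under a key only the issuing operating system holds. A user who is given the ticket can present it, pass it on, or copy it, but cannot change the object or the access modes it names, and cannot mint a ticket of their own, because any change invalidates the tag and the tag key is not readable from user space. The ticket encoding and all names are assumptions for this example.

```python
import hashlib
import hmac
import json


def issue_ticket(mac_key: bytes, subject: str, obj: str, modes) -> bytes:
    """Issued by the kernel: canonical JSON body followed by '.' and the MAC tag."""
    body = json.dumps({"subject": subject, "object": obj, "modes": sorted(modes)},
                      sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(mac_key, body, hashlib.sha256).hexdigest().encode()
    return body + b"." + tag


def verify_ticket(mac_key: bytes, ticket: bytes):
    """Return the ticket's fields if the tag is valid under mac_key, otherwise None."""
    body, sep, tag = ticket.rpartition(b".")
    if not sep:
        return None
    expected = hmac.new(mac_key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):     # constant-time comparison
        return None
    return json.loads(body)


def check_access(mac_key: bytes, ticket: bytes, obj: str, mode: str) -> bool:
    """Access control function: the presented ticket must be genuine and cover (obj, mode)."""
    fields = verify_ticket(mac_key, ticket)
    return fields is not None and fields["object"] == obj and mode in fields["modes"]


def tampered_copy(ticket: bytes) -> bytes:
    """A ticket whose modes field was edited after issue, tag left unchanged.
    Used only to show that verify_ticket() rejects it."""
    body, _, tag = ticket.rpartition(b".")
    return body.replace(b'["Read"]', b'["Read","Write"]') + b"." + tag


if __name__ == "__main__":
    kernel_key = b"constructed-kernel-mac-key"     # would live in kernel memory only
    ticket = issue_ticket(kernel_key, "B", "File 4", ["Read"])
    print("read File 4:", check_access(kernel_key, ticket, "File 4", "Read"))
    print("write File 4:", check_access(kernel_key, ticket, "File 4", "Write"))
    print("tampered ticket accepted:", verify_ticket(kernel_key, tampered_copy(ticket)) is not None)
```

Dispersal of tickets around the system, the disadvantage the slides note, is still possible here; the MAC closes the forgery and escalation problem, while revocation of a copied ticket needs a further mechanism such as an expiry field or a kernel-side revocation list.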
DAC: Other Forms

Authorization Table (Table 4.1 Authorization Table for Files in Figure 4.2)

Subject  Access Mode  Object
A        Own          File 1
A        Read         File 1
A        Write        File 1
A        Own          File 3
A        Read         File 3
A        Write        File 3
B        Read         File 1
B        Own          File 2
B        Read         File 2
B        Write        File 2
B        Write        File 3
B        Read         File 4
C        Read         File 1
C        Write        File 1
C        Read         File 2
C        Own          File 4
C        Read         File 4
C        Write        File 4

Directed Graph (figure: subjects A, B, C and files F1 to F4 as nodes, with arrowed lines from subject to file carrying the access modes Own/Read/Write; for simplicity and clarity the labels are omitted, and there should also be arrowed lines from each subject node to itself)

An Access Control Model
This section introduces a general model for DAC developed by Lampson, Graham, and Denning [LAMP71, GRAH72, DENN71]. The model assumes a set of subjects, a set of objects, and a set of rules that govern the access of subjects to objects. Let us
17
DAC: Model

• Subjects, Objects, Rules

• Protection state: the set of information, at a given point in time, that specifies the access rights for each subject with respect to each object.

• Three requirements
  • Representing the protection state
  • Enforcing access rights
  • Allowing subjects to alter the protection state in certain ways

18

DAC: Model

• How to represent the protection state?
• Extended access control matrix (Figure 4.3)

SUBJECTS \ OBJECTS   S1       S2       S3              F1      F2       P1      P2      D1     D2
S1                   control  owner    owner, control  read*   read     wakeup  wakeup  seek   owner
S2                   -        control  -               write*  execute  owner   -       seek*  -
S3                   -        -        control         -       write    -       stop    -      -

* copy flag set

Figure 4.3 Extended Access Control Matrix

Object types in the extended matrix:
• Subjects: access rights with respect to a subject have to do with the ability to grant or delete access rights of that subject to other objects, as explained subsequently.
• Processes: the ability to delete, stop (block), and wake up a process.
• Devices: the ability to read/write the device, to control its operation, and to block/unblock the device for use.
• Memory locations/regions: the ability to read/write certain regions of memory that are protected such that the default is to disallow access.

19

DAC: Model

Figure 4.3 Extended Access Control Matrix (the same matrix as on the previous slide: subjects S1, S2, S3 against objects S1, S2, S3, F1, F2, P1, P2, D1, D2; * marks a right with the copy flag set)

Textbook excerpt (Stallings, 4.3): Subjects: Access rights with respect to a subject have to do with the ability to grant or delete access rights of that subject to other objects, as explained subsequently. Figure 4.3 is an example. For an access control matrix A, each entry A[S, X] contains strings, called access attributes, that specify the access rights of subject S to object X. For example, in Figure 4.3, S1 may read file F1, because 'read' appears in A[S1, F1]. From a logical or functional point of view, a separate access control module is associated with each type of object (Figure 4.4). The module evaluates each request by a subject to access an object to determine if the access right exists. An access attempt triggers the following steps:
1. A subject S0 issues a request of type α for object X.
2. The request causes the system (the operating system or an access control interface module of some sort) to generate a message of the form (S0, α, X) to the controller for X.

Example: 'read' access in A[S1, F1] -> that is, S1 may read file F1.
DAC: Model

[Figure 4.4 An Organization of the Access Control Function (figure residue; only the labels are recoverable). Each subject's request is intercepted by the system and routed to the access control mechanism for that object type:

  Subject request             System intervention          Access control mechanism         Objects
  Si: read F                  (Si, read, F)                File system                      Files
                                                           Memory addressing hardware       Segments & pages
  Sj: wakeup P                (Sj, wakeup, P)              Process manager                  Processes
                                                           Terminal & device manager        Terminal & devices
                                                           Instruction decoding hardware    Instructions
  Sk: grant α to Sn, X        (Sk, grant, α, Sn, X)        Access matrix monitor            Access matrix
  Sm: delete β from Sp, Y     (Sm, delete, β, Sp, Y)

  The object-type mechanisms read the access matrix; only the access matrix monitor writes it.]

An Organization of the Access Control Function

Textbook fragment (continues on the commands slide): subject X and, because of the presence of the copy flag, can transfer this right, with or without copy flag, to another subject. Rule R1 expresses this capability. A subject
DAC: Model

• A separate access control module is associated with each of the objects

• The module evaluates each request by the following steps

Textbook excerpt (Stallings, 4.3): Subjects: Access rights with respect to a subject have to do with the ability to grant or delete access rights of that subject to other objects, as explained subsequently. Figure 4.3 is an example. For an access control matrix A, each entry A[S, X] contains strings, called access attributes, that specify the access rights of subject S to object X. For example, in Figure 4.3, S1 may read file F1, because 'read' appears in A[S1, F1]. From a logical or functional point of view, a separate access control module is associated with each type of object (Figure 4.4). The module evaluates each request by a subject to access an object to determine if the access right exists. An access attempt triggers the following steps:
1. A subject S0 issues a request of type α for object X.
2. The request causes the system (the operating system or an access control interface module of some sort) to generate a message of the form (S0, α, X) to the controller for X.
3. The controller interrogates the access matrix A to determine if α is in A[S0, X]. If so, the access is allowed; if not, the access is denied and a protection violation occurs. The violation should trigger a warning and appropriate action.
Figure 4.4 suggests that every access by a subject to an object is mediated by the controller for that object, and that the controller's decision is based on the current contents of the matrix. In addition, certain subjects have the authority to make specific changes to the access matrix. A request to modify the access matrix is treated as an access to the matrix, with the individual entries in the matrix treated as objects. Such accesses are mediated by an access matrix controller, which controls

DAC: Model
• How to modify the access matrix?
• Access control system commands

Table 4.2 Access Control System Commands (reconstructed from the extracted table; S0 is the subject issuing the command, and {α* | α} means the right α with or without its copy flag)

  Rule  Command (by S0)            Authorization                                  Operation
  R1    transfer {α* | α} to S, X  'α*' in A[S0, X]                               store {α* | α} in A[S, X]
  R2    grant {α* | α} to S, X     'owner' in A[S0, X]                            store {α* | α} in A[S, X]
  R3    delete α from S, X         'control' in A[S0, S] or 'owner' in A[S0, X]   delete α from A[S, X]
  R4    w ← read S, X              'control' in A[S0, S] or 'owner' in A[S0, X]   copy A[S, X] into w
  R5    create object X            None                                           add column for X to A; store 'owner' in A[S0, X]
  R6    destroy object X           'owner' in A[S0, X]                            delete column for X from A
  R7    create subject S           None                                           add row for S to A; execute create object S; store 'control' in A[S, S]
  R8    destroy subject S          'owner' in A[S0, S]                            delete row for S from A; execute destroy object S

- R1: With a copy flag α*, S0 can transfer this right with/without copy flag to another subject.
- R4: Permits a subject to read that portion of the matrix that it owns or controls.

Textbook excerpt (Stallings, 4.3): column of the access matrix. Rule R7 enables any subject to create a new subject; the creator owns the new subject and the new subject has control access to itself. Rule R8 permits the owner of a subject to delete the row and column (if there are subject columns) of the access matrix designated by that subject. The set of rules in Table 4.2 is an example of the rule set that could be defined for an access control system. The following are examples of additional or alternative rules that could be included. A transfer-only right could be defined, which results in the
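To make the model concrete, here is an added worked example written for these notes (it is not code from the textbook or from the lecture): an access matrix A whose controller mediates (S0, α, X) requests exactly as in steps 1 to 3, plus the eight Table 4.2 commands, each of which checks its authorization column before it changes the matrix. The subject and object names (S1, S2, S3, F1) and the sequence of grants in demo() are constructed.

```python
"""Access-matrix model of DAC: a controller that mediates (S0, alpha, X)
requests and the Table 4.2 commands R1-R8.  Constructed example written for
these lecture notes, not the textbook's code; the names S1/S2/S3/F1 are made up."""
from __future__ import annotations

from collections import defaultdict


class ProtectionViolation(Exception):
    """Step 3 of the model: alpha not in A[S0, X], or a command's authorization failed."""


class AccessMatrix:
    """A[(S, X)] is the set of access attributes; 'r*' is right 'r' with the copy flag."""

    def __init__(self) -> None:
        self.A: dict[tuple[str, str], set[str]] = defaultdict(set)

    def rights(self, s: str, x: str) -> set[str]:
        return self.A[(s, x)]

    # ---- the controller for object X: steps 1-3 of the model ---------------
    def allowed(self, s0: str, alpha: str, x: str) -> bool:
        r = self.rights(s0, x)
        return alpha in r or alpha + "*" in r        # with or without copy flag

    def access(self, s0: str, alpha: str, x: str) -> None:
        if not self.allowed(s0, alpha, x):          # protection violation
            raise ProtectionViolation(f"{s0} may not {alpha} {x}")

    # ---- Table 4.2 commands issued by S0; authorization column checked first
    def _require(self, ok: bool, why: str) -> None:
        if not ok:
            raise ProtectionViolation(why)

    def transfer(self, s0, alpha, s, x, copy_flag=False):            # R1
        self._require(alpha + "*" in self.rights(s0, x), f"{s0} holds no '{alpha}*' on {x}")
        self.rights(s, x).add(alpha + "*" if copy_flag else alpha)

    def grant(self, s0, alpha, s, x, copy_flag=False):               # R2
        self._require("owner" in self.rights(s0, x), f"{s0} does not own {x}")
        self.rights(s, x).add(alpha + "*" if copy_flag else alpha)

    def _controls_or_owns(self, s0, s, x) -> bool:                   # R3/R4 authorization
        return "control" in self.rights(s0, s) or "owner" in self.rights(s0, x)

    def delete(self, s0, alpha, s, x):                               # R3
        self._require(self._controls_or_owns(s0, s, x), f"{s0} neither controls {s} nor owns {x}")
        self.rights(s, x).difference_update({alpha, alpha + "*"})

    def read(self, s0, s, x) -> set[str]:                            # R4: w <- read S, X
        self._require(self._controls_or_owns(s0, s, x), f"{s0} neither controls {s} nor owns {x}")
        return set(self.rights(s, x))

    def create_object(self, s0, x):                                  # R5: creator becomes owner
        self.rights(s0, x).add("owner")

    def destroy_object(self, s0, x):                                 # R6: drop the column for X
        self._require("owner" in self.rights(s0, x), f"{s0} does not own {x}")
        for key in [k for k in self.A if k[1] == x]:
            del self.A[key]

    def create_subject(self, s0, s):                                 # R7: row + column, S controls itself
        self.create_object(s0, s)
        self.rights(s, s).add("control")

    def destroy_subject(self, s0, s):                                # R8: drop the row, then the column
        self._require("owner" in self.rights(s0, s), f"{s0} does not own {s}")
        for key in [k for k in self.A if k[0] == s]:
            del self.A[key]
        self.destroy_object(s0, s)


def demo() -> dict[str, bool]:
    """S1 owns file F1 and subjects S2, S3; exercise copy-flag propagation and revocation."""
    m = AccessMatrix()
    m.rights("S1", "S1").add("control")          # bootstrap: the first subject controls itself
    m.create_subject("S1", "S2")                 # R7
    m.create_subject("S1", "S3")
    m.create_object("S1", "F1")                  # R5
    m.grant("S1", "read", "S2", "F1", copy_flag=True)   # R2: A[S2, F1] = {'read*'}
    m.transfer("S2", "read", "S3", "F1")                # R1: S3 gets 'read' without the copy flag

    def denied(fn) -> bool:
        try:
            fn()
            return False
        except ProtectionViolation:
            return True

    out = {
        "s3_reads_f1": m.allowed("S3", "read", "F1"),
        "s3_writes_f1": m.allowed("S3", "write", "F1"),
        "s3_cannot_retransfer": denied(lambda: m.transfer("S3", "read", "S2", "F1")),
        "s2_cannot_grant": denied(lambda: m.grant("S2", "write", "S3", "F1")),
    }
    m.delete("S1", "read", "S3", "F1")           # R3: the owner of F1 revokes
    out["s3_revoked"] = not m.allowed("S3", "read", "F1")
    m.destroy_subject("S1", "S3")                # R8: row and column for S3 removed
    out["s3_row_gone"] = not any(s == "S3" for s, _ in m.A)
    return out
```

The point to notice is where the copy flag stops: S2 received 'read*' and could pass 'read' on, but S3, holding only 'read', cannot transfer it further, and the owner of F1 can still revoke it with R3 regardless of how it was obtained.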
Role-Based Access Control (RBAC)

Textbook excerpt (Stallings, 4.5): standard, Security Requirements for Cryptographic Modules (FIPS PUB 140-3, September 2009), that requires support for access control and administration through roles. The relationship of users to roles is many to many, as is the relationship of roles to resources, or system objects (Figure 4.6). The set of users changes, in some environments frequently, and the assignment of a user to one or more roles may also be dynamic. The set of roles in the system in most environments is relatively

[Figure 4.6 Users, Roles, and Resources: users on the left, Role 1 / Role 2 / Role 3 in the middle, resources on the right, with many-to-many links between users and roles and between roles and resources.]
Role-Based Access Control (RBAC)

• RBAC controls access based on the roles that users have within the system and on rules stating what accesses are allowed to users in given roles (rather than the user's identity in DAC).

• Users are assigned to different roles, either statically or dynamically, according to their responsibilities.

• The relationship of users to roles is many to many, as is the relationship of roles to resources, or system objects.

RBAC is active in commercial use and research :)

RBAC: Access Control Matrix

Textbook excerpt (Stallings, 4.5): with only occasional additions or deletions. Each role will have specific access rights to one or more resources. The set of resources and the specific access rights associated with a particular role are also likely to change infrequently. We can use the access matrix representation to depict the key elements of an RBAC system in simple terms, as shown in Figure 4.7. The upper matrix relates individual users to roles. Typically there are many more users than roles. Each matrix

Figure 4.7 Access Control Matrix Representation of RBAC (reconstructed from the extracted figure)

Upper matrix (users x roles): rows U1, U2, U3, U4, U5, U6, ..., Um; columns R1, R2, ..., Rn. An entry marks that the user is assigned to the role.

Lower matrix (roles x objects), with the same layout and entries as Figure 4.3 but roles in place of subjects:

                             OBJECTS
  ROLES   R1       R2      Rn              F1       F2            P1       P2        D1      D2
  R1      control  owner   owner control   read*    read owner    wakeup   wakeup    seek    owner
  R2               control                 write*   execute       owner              seek*
  Rn                       control         write                           stop
RBAC: Models

[Figure 4.8(a) Relationship among RBAC models: RBAC3 (consolidated model) at the top, built from RBAC1 (role hierarchies) and RBAC2 (constraints), both of which extend RBAC0 (base model).]

[Figure 4.8(b) RBAC models: Users are linked to Roles by user assignment (UA); Roles are linked to Permissions by permission assignment (PA); a permission is an operation on an object; a role hierarchy (RH) is defined over Roles; Sessions are linked to Users by user_sessions and to Roles by session_roles.]
RBAC0: Base Model

[Figure 4.8 A Family of Role-Based Access Control Models (figure residue): Users, Roles, Permissions (operations on objects) and Sessions, connected by user assignment (UA), permission assignment (PA), the role hierarchy (RH), user_sessions and session_roles.]

• User: An individual that has access to this computer system. Each individual has an associated user ID.

• Role: A named job function within the organization that controls this computer system. Typically, associated with each role is a description of the authority and responsibility conferred on this role, and on any user who assumes this role.

• Permission: An approval of a particular mode of access to one or more objects. Equivalent terms are access right, privilege, and authorization.

• Session: A mapping between a user and an activated subset of the set of roles to which the user is assigned.

Textbook excerpt (Stallings, 4.5): RBAC0 is the minimum requirement for an RBAC system. RBAC1 adds role hierarchies and RBAC2 adds constraints. RBAC3 includes RBAC1 and RBAC2. The many-to-many relationships between users and roles and between roles and permissions provide a flexibility and granularity of assignment not found in conventional DAC schemes. Without this flexibility and granularity, there is a greater risk that a user may be granted more access to resources than is needed because of the limited control over the types of access that can be allowed. The NIST RBAC document gives the following examples: Users may need to list directories and modify

Table 4.3 Scope RBAC Models (only the first row survived extraction)
  Models   Hierarchies   Constraints
  RBAC0    No            No

RBAC0: Base Model

[Figure 4.8(b) RBAC models, annotated on the slide: a single-headed arrow means "mapping to one", a double-headed arrow means "mapping to many".]

• Many-to-many between users and roles

• Many-to-many between roles and permissions

Flexibility and Granularity

Without flexibility and granularity, there is a greater risk that a user may be granted more access to resources than is needed because of the limited control over the types of access that can be allowed.
RBAC1: Role Hierarchies

• Job functions with greater responsibility have greater authority to access resources

• Role hierarchies make use of the concept of inheritance to enable one role to implicitly include access rights associated with a subordinate role

Textbook excerpt (Stallings, 4.5): subordinate roles. For example, in Figure 4.9, the Project Lead role includes all of the access rights of the Production Engineer role and of the Quality Engineer role. More than one role can inherit from the same subordinate role. For example, both the Production Engineer role and the Quality Engineer role include all of the access rights of the Engineer role. Additional access rights are also assigned to the Production Engineer Role and a different set of additional access rights are assigned to the Quality Engineer role. Thus, these two roles have overlapping access rights, namely the access rights they share with the Engineer role.
CONSTRAINTS—RBAC2 Constraints provide a means of adapting RBAC to the specifics of administrative and security policies in an organization. A constraint is a defined relationship among roles or a condition related to roles. [SAND96] lists the following types of constraints: mutually exclusive roles, cardinality, and prerequisite roles.

Figure 4.9 Example of Role Hierarchy (reconstructed from the extracted figure, top to bottom):
  Director
  Project lead 1                              Project lead 2
  Production engineer 1   Quality engineer 1  Production engineer 2   Quality engineer 2
  Engineer 1                                  Engineer 2
  Engineering dept.
Each role inherits the access rights of the roles below it: a Project lead inherits from its Production engineer and Quality engineer, both of which inherit from the Engineer role of that project.
RBAC2: Constraints

• Constraints provide a means of adapting RBAC to the specifics of administrative and security policies in an organization.
  • Mutually Exclusive Roles
  • Cardinality
  • Prerequisite Roles
RBAC2: Constraints

• Mutually Exclusive Roles
  Separation of duties and capabilities within an organization
  • A user can only be assigned to one role in the set
  • Any permission (access right) can be granted to only one role in the set

  Purpose: To increase difficulty of collusion among individuals of different skills or divergent job functions to thwart security policies
RBAC2: Constraints

• Cardinality
  Set a maximum number with respect to roles
  • Set a maximum number of users that can be assigned to a given role
  • Constrain the number of roles that a user is assigned to
  • Set a maximum number of roles that can be granted a particular permission
RBAC2: Constraints

• Prerequisite role
  A user can only be assigned to a particular role if it is already assigned to some other specified roles

  Example: In a hierarchy, a user assigned to a Project Lead role must also be assigned to the subordinate Production Engineer and Quality Engineer roles.

Figure 4.9 Example of Role Hierarchy (as on the RBAC1 slide): Director; Project lead 1 and Project lead 2; Production engineer 1, Quality engineer 1, Production engineer 2, Quality engineer 2; Engineer 1 and Engineer 2; Engineering dept.
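An added worked example that pulls the RBAC0, RBAC1 and RBAC2 slides together in one small engine (written for these notes; it is not code from the textbook or from the NIST RBAC standard). It builds the Figure 4.9 hierarchy for project 1, attaches one made-up permission per level, and enforces the prerequisite-role example from this slide, a cardinality cap on Director, and a mutually exclusive pair. The "Auditor" role and all permission names are constructed for the example.

```python
"""RBAC0 (users, roles, permissions, sessions), RBAC1 (role hierarchy) and
RBAC2 (mutually exclusive roles, cardinality, prerequisite roles) in one
engine.  Constructed example for these lecture notes, not textbook or NIST
code; the permission names and the Auditor role are made up."""
from __future__ import annotations

from collections import defaultdict


class ConstraintViolation(Exception):
    """A user or permission assignment would break an RBAC2 constraint."""


class RBAC:
    def __init__(self) -> None:
        self.ua: dict[str, set[str]] = defaultdict(set)       # user -> roles (UA)
        self.pa: dict[str, set[str]] = defaultdict(set)       # role -> permissions (PA)
        self.rh: dict[str, set[str]] = defaultdict(set)       # role -> junior roles it inherits (RH)
        self.exclusive: list[set[str]] = []                   # mutually exclusive role sets
        self.max_users: dict[str, int] = {}                   # cardinality: role -> cap
        self.prereq: dict[str, set[str]] = defaultdict(set)   # role -> roles required first
        self.sessions: dict[str, tuple[str, set[str]]] = {}   # session id -> (user, active roles)

    # ---- RBAC1: a senior role implicitly holds its junior roles' permissions
    def inherits(self, senior: str, junior: str) -> None:
        self.rh[senior].add(junior)

    def closure(self, role: str) -> set[str]:
        """The role plus every role it transitively inherits from."""
        seen, todo = set(), [role]
        while todo:
            r = todo.pop()
            if r not in seen:
                seen.add(r)
                todo.extend(self.rh[r])
        return seen

    def permissions_of(self, role: str) -> set[str]:
        return set().union(*(self.pa[r] for r in self.closure(role)))

    # ---- RBAC2: constraints are checked when assignments are made -----------
    def assign_user(self, user: str, role: str) -> None:
        held = self.ua[user]
        for group in self.exclusive:                          # mutually exclusive roles
            if role in group and (held & group) - {role}:
                raise ConstraintViolation(f"{user}: {role} conflicts with {held & group}")
        holders = sum(role in roles for roles in self.ua.values())
        if holders >= self.max_users.get(role, float("inf")):  # cardinality
            raise ConstraintViolation(f"{role}: cardinality limit reached")
        missing = self.prereq[role] - held                    # prerequisite roles
        if missing:
            raise ConstraintViolation(f"{user}: {role} requires {missing} first")
        held.add(role)

    def assign_permission(self, role: str, perm: str) -> None:
        for group in self.exclusive:        # a permission goes to only one role of the set
            if role in group and any(perm in self.pa[r] for r in group - {role}):
                raise ConstraintViolation(f"{perm}: already granted to a conflicting role")
        self.pa[role].add(perm)

    # ---- RBAC0: a session activates a subset of the user's assigned roles ---
    def open_session(self, sid: str, user: str, roles: set[str]) -> None:
        if not roles <= self.ua[user]:
            raise ConstraintViolation(f"{user} is not assigned {roles - self.ua[user]}")
        self.sessions[sid] = (user, set(roles))

    def check(self, sid: str, perm: str) -> bool:
        _, active = self.sessions[sid]
        return any(perm in self.permissions_of(r) for r in active)


def demo() -> dict[str, bool]:
    """Figure 4.9 hierarchy for project 1, then one probe per constraint type."""
    r = RBAC()
    for senior, junior in [("Director", "Project lead 1"),
                           ("Project lead 1", "Production engineer 1"),
                           ("Project lead 1", "Quality engineer 1"),
                           ("Production engineer 1", "Engineer 1"),
                           ("Quality engineer 1", "Engineer 1"),
                           ("Engineer 1", "Engineering dept.")]:
        r.inherits(senior, junior)
    for role, perm in [("Engineering dept.", "read:wiki"), ("Engineer 1", "run:build"),
                       ("Production engineer 1", "deploy:prod"), ("Quality engineer 1", "sign:qa"),
                       ("Project lead 1", "approve:release"), ("Director", "approve:budget")]:
        r.assign_permission(role, perm)                       # constructed permissions
    r.prereq["Project lead 1"] = {"Production engineer 1", "Quality engineer 1"}
    r.max_users["Director"] = 1
    r.exclusive.append({"Production engineer 1", "Auditor"})  # separation of duties

    def violates(fn) -> bool:
        try:
            fn()
            return False
        except ConstraintViolation:
            return True

    out: dict[str, bool] = {}
    for role in ["Production engineer 1", "Quality engineer 1", "Project lead 1"]:
        r.assign_user("alice", role)
    r.open_session("s1", "alice", {"Project lead 1"})      # only one role activated
    out["lead_inherits_build"] = r.check("s1", "run:build")
    out["lead_has_release"] = r.check("s1", "approve:release")
    out["lead_lacks_budget"] = r.check("s1", "approve:budget")
    out["prereq_enforced"] = violates(lambda: r.assign_user("bob", "Project lead 1"))
    r.assign_user("carol", "Director")
    out["cardinality_enforced"] = violates(lambda: r.assign_user("dave", "Director"))
    out["exclusive_enforced"] = violates(lambda: r.assign_user("alice", "Auditor"))
    out["exclusive_perm_enforced"] = violates(lambda: r.assign_permission("Auditor", "deploy:prod"))
    return out
```

Note that the session activates only Project lead 1, yet run:build is still granted: inheritance is computed at decision time over the role hierarchy, which is what lets a senior role "implicitly include" a subordinate role's rights without copying them.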
Attribute-Based Access Control (ABAC)

• ABAC controls access based on attributes of the users, the


resources to be accessed, and current environmental conditions.

• Flexibility and expressive power

• Three key elements


• Attributes
• Architecture Model
• Policies

35

ABAC: Attributes
It defines specific aspects of the subject, object, environment conditions, and/or requested operations that are predefined or preassigned by an authority.

• Subject attributes: Define the identity and characteristics of the subject (e.g., the subject's identifier, name, organization, job titles...)

• Object attributes: Can be extracted from the metadata of the object and leveraged to make access control decisions (e.g. title, date, author of a Microsoft Word document)

• Environment attributes (ignored in most access control policies): Describe the operational, technical, and even situational environment or context in which the information access occurs; not associated with a particular subject nor an object/resource (e.g., current date and time, virus/hacker activities, and the network's security level)
ABAC: Logical Architecture

Textbook excerpt (Stallings, 4.6): that fully leverage the flexibility of ABAC.
ABAC Logical Architecture. Figure 4.10 illustrates in a logical architecture the essential components of an ABAC system. An access by a subject to an object proceeds according to the following steps:
1. A subject requests access to an object. This request is routed to an access control mechanism.
2. The access control mechanism is governed by a set of rules (2a) that are defined by a preconfigured access control policy. Based on these rules, the access control mechanism assesses the attributes of the subject (2b), object (2c), and current environmental conditions (2d) to determine authorization.

• Use four independent sources for the access control decision — powerful and flexible

• Complexity and Performance Tradeoff

[Figure 4.10 Simple ABAC Scenario: (1) the subject's request reaches the access control mechanism; the mechanism consults (2a) the rules of the access control policy, (2b) subject attributes (name, affiliation, clearance, etc.), (2c) object attributes (owner, type, classification, etc.) and (2d) environmental conditions; (3) the decision is enforced on the object.]
Figure 4.11 ACL and ABAC Trust Relationships (only the caption survived extraction)

ABAC: Policies

Textbook excerpt (Stallings, 4.6): We now define an ABAC policy model, based on the model presented in [YUAN05]. The following conventions are used:
1. S, O, and E are subjects, objects, and environments, respectively;
2. SAk (1 ≤ k ≤ K), OAm (1 ≤ m ≤ M), and EAn (1 ≤ n ≤ N) are the pre-defined attributes for subjects, objects, and environments, respectively;
3. ATTR(s), ATTR(o), and ATTR(e) are attribute assignment relations for subject s, object o, and environment e, respectively:
     ATTR(s) ⊆ SA1 × SA2 × ... × SAK
     ATTR(o) ⊆ OA1 × OA2 × ... × OAM
     ATTR(e) ⊆ EA1 × EA2 × ... × EAN
   We also use the function notation for the value assignment of individual attributes. For example:
     Role(s) = "Service Consumer"
     ServiceOwner(o) = "XYZ, Inc."
     CurrentDate(e) = "01-23-2005"
4. In the most general form, a Policy Rule, which decides on whether a subject s can access an object o in a particular environment e, is a Boolean function of the attributes of s, o, and e:
     Rule: can_access(s, o, e) ← f(ATTR(s), ATTR(o), ATTR(e))
   Given all the attribute assignments of s, o, and e, if the function's evaluation is true, then the access to the resource is granted; otherwise the access is denied.
5. A policy rule base or policy store may consist of a number of policy rules, covering many subjects and objects within a security domain. The access control decision process in essence amounts to the evaluation of applicable policy rules in the policy store.
ABAC: Example

Textbook excerpt (Stallings, 4.6): Now consider the example of an online entertainment store that streams movies to users for a flat monthly fee. We will use this example to contrast RBAC and ABAC approaches. The store must enforce the following access control policy based on the user's age and the movie's content rating:

• An online entertainment store enforces the following access control policy based on the user's age and the movie content rating:

  Movie Rating   Users Allowed Access
  R              Age 17 and older
  PG-13          Age 13 and older
  G              Everyone

- RBAC: Three roles (Adult, Juvenile, Child), three permissions (can view R-rated movies, can view PG-13-rated movies, and can view G-rated movies). User-to-role assignment and permission-to-role assignment are manual admin tasks.

- ABAC: Without explicitly defining roles! Whether a user u can access a movie m (in a security environment e which is ignored here) would be resolved by evaluating a policy rule such as the following:

    R1: can_access(u, m, e) ←
          (Age(u) ≥ 17 ∧ Rating(m) ∈ {R, PG-13, G}) ∨
          (Age(u) ≥ 13 ∧ Age(u) < 17 ∧ Rating(m) ∈ {PG-13, G}) ∨
          (Age(u) < 13 ∧ Rating(m) ∈ {G})

  where Age and Rating are the subject attribute and the object attribute, respectively.

Textbook excerpt (continued): In an RBAC model, every user would be assigned one of three roles: Adult, Juvenile, or Child, possibly during registration. There would be three permissions created: Can view R-rated movies, Can view PG-13-rated movies, and Can view G-rated movies. The Adult role gets assigned with all three permissions; the Juvenile role gets Can view PG-13-rated movies and Can view G-rated movies permissions, and the Child role gets the Can view G-rated movies permission only. Both the user-to-role assignment and the permission-to-role assignment are manual administrative tasks. The ABAC approach to this application does not need to explicitly define roles. Instead, whether a user u can access or view a movie m (in a security environment e which is ignored here) would be resolved by evaluating a policy rule such as R1 above. The advantage of the ABAC model shown here is that it eliminates the definition
ABAC: Example

Textbook excerpt (Stallings, 4.6): The advantage of ABAC is more clearly seen when we impose finer-grained policies. For example, suppose movies are classified as either New Release or Old Release, based on release date compared to the current date, and users are classified as Premium User and Regular User, based on the fee they pay. We would like to enforce a policy that only premium users can view new movies. For the RBAC model, we would have to double the number of roles, to distinguish each user by age and fee, and we would have to double the number of separate permissions as well.

In general, if there are K subject attributes and M object attributes, and if for each attribute, Range() denotes the range of possible values it can take, then the respective number of roles and permissions required for an RBAC model are:

    ∏_{k=1}^{K} |Range(SAk)|      and      ∏_{m=1}^{M} |Range(OAm)|

Thus we can see that as the number of attributes increases to accommodate finer-grained policies, the number of roles and permissions grows exponentially. In contrast, the ABAC model deals with additional attributes in an efficient way. For this example, the policy R1 defined previously still applies. We need two new rules:

    R2: can_access(u, m, e) ←
          (MembershipType(u) = Premium) ∨
          (MembershipType(u) = Regular ∧ MovieType(m) = OldRelease)

    R3: can_access(u, m, e) ← R1 ∧ R2

With the ABAC model, it is also easy to add environmental attributes. Suppose we wish to add a new policy rule that is expressed in words as follows: Regular users are allowed to view new releases in promotional periods. This would be difficult to express in an RBAC model. In an ABAC model, we only need add a conjunctive (AND) rule that checks to see the environmental attribute today's date falls in a promotional period.

The advantage of the ABAC model shown here is that it eliminates the definition and management of static roles, hence eliminating the ne
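An added worked example of the movie-store policy (written for these notes; not code from the textbook or the lecture). It encodes R1, R2 and R3 as Boolean functions of the subject, object and environment attributes, adds the promotional-period rule from the slide as an assumed extra clause (the exact form is my reading of "regular users may view new releases in promotional periods"), and computes the RBAC role and permission counts from the product-of-ranges formula. The attribute names (age, membership, rating, movie_type, today, promo_periods) and all sample users, movies and dates are constructed.

```python
"""ABAC policy rules for the movie-store example (R1, R2, R3 from the lecture)
plus the promotional-period environment rule and the role-count formula for the
equivalent RBAC model.  Constructed example for these lecture notes, not the
textbook's code; attribute names, the promo rule's form and all sample data are
assumptions."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from math import prod


@dataclass(frozen=True)
class User:                 # ATTR(u): subject attributes
    age: int
    membership: str         # "Premium" or "Regular"


@dataclass(frozen=True)
class Movie:                # ATTR(m): object attributes
    rating: str             # "R", "PG-13" or "G"
    movie_type: str         # "NewRelease" or "OldRelease"


@dataclass(frozen=True)
class Env:                  # ATTR(e): environment attributes
    today: date
    promo_periods: tuple[tuple[date, date], ...] = ()


def r1(u: User, m: Movie, e: Env) -> bool:
    """R1: age versus content rating; the environment is ignored here."""
    return ((u.age >= 17 and m.rating in {"R", "PG-13", "G"})
            or (13 <= u.age < 17 and m.rating in {"PG-13", "G"})
            or (u.age < 13 and m.rating in {"G"}))


def r2(u: User, m: Movie, e: Env) -> bool:
    """R2: premium users may view any release; regular users only old releases."""
    return (u.membership == "Premium"
            or (u.membership == "Regular" and m.movie_type == "OldRelease"))


def r3(u: User, m: Movie, e: Env) -> bool:
    """R3: both R1 and R2 must hold."""
    return r1(u, m, e) and r2(u, m, e)


def in_promo(e: Env) -> bool:
    """Environment attribute: does today's date fall inside a promotional period?"""
    return any(start <= e.today <= end for start, end in e.promo_periods)


def can_access(u: User, m: Movie, e: Env) -> bool:
    """R3, extended with the assumed promo rule: a regular user may also view a
    new release when R1 holds and the environment is in a promotional period."""
    return r3(u, m, e) or (r1(u, m, e) and u.membership == "Regular" and in_promo(e))


def rbac_roles_and_permissions(subject_ranges, object_ranges) -> tuple[int, int]:
    """Roles and permissions an RBAC model needs for the same policy: the product
    over attributes of |Range(attribute)|, as in the lecture's formula."""
    return prod(len(r) for r in subject_ranges), prod(len(r) for r in object_ranges)


def evaluate_examples() -> dict[str, object]:
    promo = Env(date(2024, 12, 20), promo_periods=((date(2024, 12, 15), date(2024, 12, 31)),))
    plain = Env(date(2024, 6, 1))                          # no promotion running
    adult_prem, adult_reg = User(30, "Premium"), User(30, "Regular")
    teen_reg, child_reg = User(15, "Regular"), User(10, "Regular")
    r_new, r_old, g_old = Movie("R", "NewRelease"), Movie("R", "OldRelease"), Movie("G", "OldRelease")
    roles, perms = rbac_roles_and_permissions(
        [{"Adult", "Juvenile", "Child"}, {"Premium", "Regular"}],    # age band, membership
        [{"R", "PG-13", "G"}, {"NewRelease", "OldRelease"}])         # rating, movie type
    return {
        "adult_premium_r_new": can_access(adult_prem, r_new, plain),          # True
        "adult_regular_r_new": can_access(adult_reg, r_new, plain),           # False: R2 fails
        "adult_regular_r_new_in_promo": can_access(adult_reg, r_new, promo),  # True: promo clause
        "adult_regular_r_old": can_access(adult_reg, r_old, plain),           # True
        "teen_regular_r_old": can_access(teen_reg, r_old, plain),             # False: R1 fails
        "child_regular_g_old": can_access(child_reg, g_old, plain),           # True
        "rbac_roles": roles,                                                  # 3 * 2 = 6
        "rbac_permissions": perms,                                            # 3 * 2 = 6
    }
```

The promo clause is deliberately still conjoined with R1: an environment attribute can relax the membership rule but must never override the age rule, which is the kind of ordering mistake that is easy to make once rules are composed.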
Summary
• Concept of Access Control
  • Definition
  • Access control in a broader context
  • Basic elements: object, subject, access right
• Access Control Policies
  • Discretionary access control (DAC)
    • Access matrix -> access control list/capability tickets
    • Model: protection state (extended access matrix)
  • Role-based access control (RBAC)
    • RBAC0, RBAC1 (hierarchies), RBAC2 (constraints)
  • Attribute-based access control (ABAC)
    • Subject/Object Attribute and Environment Attribute

Thank You

Quiz Time
• 15 minutes
COMPSCI4062&5063: Cyber Security Fundamentals
Topic 4: Cryptography I

Dongzhu Liu
Email: [email protected]
Office: SAWB 510 (b)
Overview

• Cryptography
  • Context
  • Ingredients
  • Classification
  • Attacks
• Symmetric Encryption: Block Cipher
  • DES/Triple DES (Feistel Cipher Structure)
  • AES
• Symmetric Encryption: Stream Cipher
  • RC4
• Cipher Block Modes of Operation

Reading: Chapter 20 in Book “Computer Security Principles and Practice (Third Edition)” by William Stallings and Lawrie Brown
Cryptography: Context
Cryptography: Ingredients

• Plaintext: the original message
• Encryption algorithm: substitutions/transformations on the plaintext
• Secret key: an input to the algorithm; the substitutions/transformations performed depend on the key
• Ciphertext: the algorithm's output, which depends on the plaintext and the secret key
• Decryption algorithm: the reverse of encryption

[Figure: Plaintext -> Encryption (with Key) -> Ciphertext -> Decryption (with Key) -> Plaintext]
Cryptography: Classification

• The type of operations used for transforming plaintext to ciphertext
  • Substitution: each element in the plaintext is mapped into another element
  • Transposition: elements in the plaintext are rearranged
  Fundamental requirement: no information is lost
• The way in which the plaintext is processed
  • Block cipher: processes the input one block of elements at a time
  • Stream cipher: processes the input elements continuously
• The number of keys used
  • Same key at sender and receiver — Symmetric Encryption
  • Different keys at sender and receiver — Asymmetric Encryption
Symmetric Encryption

• Communication overhead to share the key
• To receive information from multiple senders, either the one secret key is shared among all of them, or a different key is created for each sender.
Asymmetric Encryption

• The public key is freely available to anyone who is a sender
• Encryption by the public key can only be decrypted by the secret key
• What about encryption by the secret key?
  • Encryption by the secret key can be decrypted by anyone who has the public key (DON'T encrypt a message by the secret key)
Types of Attacks on Encrypted Messages

Table 20.1 Types of Attacks on Encrypted Messages (listed from easier to harder to defend against)

Type of Attack       Known to Cryptanalyst
Ciphertext only      • Encryption algorithm
                     • Ciphertext to be decoded
Known plaintext      • Encryption algorithm
                     • Ciphertext to be decoded
                     • One or more plaintext-ciphertext pairs formed with the secret key
Chosen plaintext     • Encryption algorithm
                     • Ciphertext to be decoded
                     • Plaintext message chosen by cryptanalyst, together with its corresponding ciphertext generated with the secret key
Chosen ciphertext    • Encryption algorithm
                     • Ciphertext to be decoded
                     • Purported ciphertext chosen by cryptanalyst, together with its corresponding decrypted plaintext generated with the secret key
Chosen text          • Encryption algorithm
                     • Ciphertext to be decoded
                     • Plaintext message chosen by cryptanalyst, together with its corresponding ciphertext generated with the secret key
                     • Purported ciphertext chosen by cryptanalyst, together with its corresponding decrypted plaintext generated with the secret key

Closely related to the known-plaintext attack is what might be referred to as a probable-word attack. If the opponent is working with the encryption of some general prose message, he or she may have little knowledge of what is in the message. However, if the opponent is after some very specific information, then parts of the
Types of Attacks on Encrypted Messages

• Ciphertext only attack
  • Encryption algorithm
  • Ciphertext to be decoded

How to decrypt the message?

Brute force approach: try all possible keys until an intelligible translation of the ciphertext into plaintext is obtained. Impractical if the key space is large!

• Computationally Secure
  • The cost of breaking the cipher exceeds the value of the encrypted information
  • The time required to break the cipher exceeds the useful lifetime of the information

Unfortunately, it is very difficult to estimate the amount of effort required to cryptanalyze ciphertext successfully.
Symmetric Encryption: Feistel Cipher Structure

• A structure for symmetric block encryption algorithms
• The plaintext block is divided into two halves, L0 and R0
• The two halves of the data pass through n rounds of processing and then combine to produce the ciphertext block
• The subkeys Ki are different from each other
• Each round applies a round function F to the right half of the data and then takes the XOR of the output of F and the left half of the data (substitution on the left half)

[Figure: Feistel cipher structure. Plaintext (2w bits) is split into L0 and R0 (w bits each). Round i computes F(Ri-1, Ki), XORs the result into Li-1, and the halves are swapped; after round n the final halves Ln+1 and Rn+1 form the ciphertext (2w bits).]
Symmetric Encryption: Design Features

• Block size: larger block sizes mean greater security but reduced encryption/decryption speed. A block size of 128 bits is a reasonable tradeoff and is nearly universal among recent block cipher designs.
• Key size: similar to block size; the most common key length is 128 bits.
• Number of rounds: a single round offers inadequate security, but multiple rounds offer increasing security. A typical size is 16 rounds.
• Subkey generation algorithm: greater complexity in this algorithm should lead to greater difficulty of cryptanalysis.
• Round function: similar to subkey generation.
• Fast software encryption/decryption: in many cases, encryption is embedded in applications or utility functions in such a way as to preclude a hardware implementation. Accordingly, the speed of execution of the algorithm becomes a concern.
• Ease of analysis: if the algorithm can be concisely and clearly explained, it is easier to analyze that algorithm for cryptanalytic vulnerabilities and therefore develop a higher level of assurance as to its strength.
Symmetric Encryption: DES

• Data Encryption Standard
• Symmetric block cipher
• Plaintext 64 bits; longer plaintexts are processed in 64-bit blocks
• Key 56 bits
• 16 rounds of processing
• 16 subkeys are generated from the original key

[Figure: DES follows the Feistel structure of the previous slide, with 16 rounds and subkeys K1, ..., K16.]

• Decryption DES
  • Use the ciphertext as input to the DES algorithm
  • Use the subkeys Ki in reverse order

[Figure: the same Feistel structure run with the ciphertext as input and the subkeys in the order Kn, ..., K1 recovers the plaintext.]
Symmetric Encryption: DES

• A simplified example for DES
  • Plaintext 8 bits
  • Ciphertext 8 bits
  • Key 10 bits
  • Rounds 2
  • Subkeys generated using permutations and left shifts
  • Encryption: initial permutation, round function, switch halves
  • Decryption: same as encryption, except round keys used in opposite order

• Key generation
  • Original key: 1 0 1 0 0 0 0 0 1 0
  • After P10: 1 0 0 0 0 0 1 1 0 0
  • Left 5: 1 0 0 0 0   Right 5: 0 1 1 0 0
  • LS1(left 5): 0 0 0 0 1   LS1(right 5): 1 1 0 0 0
  • Input P8: 0 0 0 0 1 1 1 0 0 0
  • K1: 1 0 1 0 0 1 0 0

LS1: circular left shift by 1 position
LS2: circular left shift by 2 positions

• Exercise: How to get K2?
  • LS1(left 5): 0 0 0 0 1   LS1(right 5): 1 1 0 0 0
  • LS2(left 5): 0 0 1 0 0   LS2(right 5): 0 0 0 1 1
  • Input P8: 0 0 1 0 0 0 0 0 1 1
  • K2: 0 1 0 0 0 0 1 1

• Encryption: plaintext 0 1 1 1 0 0 1 0
  • K1: 1 0 1 0 0 1 0 0   K2: 0 1 0 0 0 0 1 1
  • IP: 1 0 1 0 1 0 0 1
  • EP (of the right half 1 0 0 1): 1 1 0 0 0 0 1 1
  • XOR K1 (1 0 1 0 0 1 0 0): 0 1 1 0 0 1 1 1
  • Input S0: 0 1 1 0
  • S0: row index (1st, 4th digit) —> 00 and column index (2nd, 3rd digit) —> 11
  • Output S0: 10
  • Input S1: 0 1 1 1
  • Exercise: Output S1?
  • S1: row 01 and column 11
  • Output S1: 11
  • S0: 10   S1: 11
  • P4: 0 1 1 1
  • P4 XOR the left half of IP (1 0 1 0): 1 1 0 1
  • left: 1101   right: 1001
  • Swap: 1001 1101
  • Exercise: Output of round 2? (K2: 0 1 0 0 0 0 1 1)
  • Output f2: 1 1 1 0 1 1 0 1
  • Ciphertext: 0 1 1 1 0 1 1 1

• Decryption: ciphertext 0 1 1 1 0 1 1 1
  • K1: 10100100   K2: 01000011
  • Exercise: Can you recover the plaintext 0 1 1 1 0 0 1 0?
Symmetric Encryption: Triple DES

• 3DES uses three keys and three executions of the DES algorithm. The function follows an encrypt-decrypt-encrypt (EDE) sequence:

  C = E(K3, D(K2, E(K1, P)))

  where
  C = ciphertext
  P = plaintext
  E[K, X] = encryption of X using key K
  D[K, Y] = decryption of Y using key K

• Decryption is simply the same operation with the keys reversed:

  P = D(K1, E(K2, D(K3, C)))

[Figure 20.2 Triple DES. (a) Encryption: P -> E with K1 -> A -> D with K2 -> B -> E with K3 -> C. (b) Decryption: C -> D with K3 -> B -> E with K2 -> A -> D with K1 -> P.]

• Can triple DES reduce to single DES?
  • K1 = K2 = K3: C = E(K1, D(K1, E(K1, P))) = E[K1, P]

There is no cryptographic significance to the use of decryption for the second stage of 3DES encryption. Its only advantage is that it allows users of 3DES to decrypt data encrypted by users of the older single DES:

  C = E(K1, D(K1, E(K1, P))) = E[K1, P]

With three distinct keys, 3DES has an effective key length of 168 bits. FIPS 46-3 also allows for the use of two keys, with K1 = K3; this provides for a key length of 112 bits. FIPS 46-3 includes the following guidelines for 3DES:
• 3DES is the FIPS approved symmetric encryption algorithm of choice.
• The original DES, which uses a single 56-bit key, is permitted under the standard for legacy systems only. New procurements should support 3DES.
• Government organizations with legacy DES systems are encouraged to transition to 3DES.
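The brute-force remark on the ciphertext-only slide, the Feistel structure, the simplified DES walkthrough and the Triple DES question above can all be checked with one added Python example. It is not code from the slides or from Stallings: the permutation tables (P10, P8, IP, IP^-1, E/P, P4) and the two S-boxes are those of the standard S-DES teaching cipher, of which the slides print only the outputs, and `brute_force` and `ede` are this example's own helpers. Bit strings are handled as Python ints, with tables 1-indexed from the most significant bit as on the slides.

```python
"""Simplified DES (S-DES): a two-round Feistel cipher with a 10-bit key and an 8-bit block.

Added example (not from the slides or Stallings). Bit strings are Python ints; permutation
tables are 1-indexed from the most significant bit, matching the slide's notation."""

# Standard S-DES tables (the slides show only the values these produce).
P10 = (3, 5, 2, 7, 4, 10, 1, 9, 8, 6)
P8 = (6, 3, 7, 4, 8, 5, 10, 9)
IP = (2, 6, 3, 1, 4, 8, 5, 7)
IP_INV = (4, 1, 3, 5, 7, 2, 8, 6)
EP = (4, 1, 2, 3, 2, 3, 4, 1)
P4 = (2, 4, 3, 1)
S0 = ((1, 0, 3, 2), (3, 2, 1, 0), (0, 2, 1, 3), (3, 1, 3, 2))
S1 = ((0, 1, 2, 3), (2, 0, 1, 3), (3, 0, 1, 0), (2, 1, 0, 3))


def permute(bits: int, table: tuple, width: int) -> int:
    """Apply a 1-indexed permutation/expansion table to a width-bit value."""
    out = 0
    for pos in table:
        out = (out << 1) | ((bits >> (width - pos)) & 1)
    return out


def rotl(bits: int, n: int, width: int) -> int:
    """Circular left shift (the slide's LS1 / LS2)."""
    return ((bits << n) | (bits >> (width - n))) & ((1 << width) - 1)


def key_schedule(key10: int) -> tuple:
    """K1 = P8(LS1 of each 5-bit half of P10(key)); K2 = P8(LS2 of those halves)."""
    k = permute(key10, P10, 10)
    left, right = k >> 5, k & 0x1F
    left, right = rotl(left, 1, 5), rotl(right, 1, 5)
    k1 = permute((left << 5) | right, P8, 10)
    left, right = rotl(left, 2, 5), rotl(right, 2, 5)
    k2 = permute((left << 5) | right, P8, 10)
    return k1, k2


def sbox_lookup(box: tuple, nibble: int) -> int:
    """Row = 1st and 4th bits, column = 2nd and 3rd bits, as on the slide."""
    row = (((nibble >> 3) & 1) << 1) | (nibble & 1)
    col = (nibble >> 1) & 0b11
    return box[row][col]


def round_function(right4: int, subkey: int) -> int:
    """F(R, K): expand/permute R, XOR the subkey, S0 || S1, then P4."""
    x = permute(right4, EP, 4) ^ subkey
    s = (sbox_lookup(S0, x >> 4) << 2) | sbox_lookup(S1, x & 0xF)
    return permute(s, P4, 4)


def feistel(block8: int, subkeys: tuple) -> int:
    """Feistel network: L <- L XOR F(R, K) each round, halves swapped between rounds only."""
    state = permute(block8, IP, 8)
    left, right = state >> 4, state & 0xF
    for i, k in enumerate(subkeys):
        left ^= round_function(right, k)
        if i < len(subkeys) - 1:
            left, right = right, left
    return permute((left << 4) | right, IP_INV, 8)


def encrypt(key10: int, plaintext: int) -> int:
    k1, k2 = key_schedule(key10)
    return feistel(plaintext, (k1, k2))


def decrypt(key10: int, ciphertext: int) -> int:
    """The same network with the subkeys in reverse order."""
    k1, k2 = key_schedule(key10)
    return feistel(ciphertext, (k2, k1))


def brute_force(pairs) -> list:
    """Every 10-bit key consistent with the given (plaintext, ciphertext) pairs.

    1024 trials finish instantly: the slide's point that a small key space gives no security."""
    return [k for k in range(1 << 10)
            if all(encrypt(k, p) == c for p, c in pairs)]


def ede(k1: int, k2: int, k3: int, plaintext: int) -> int:
    """Triple encryption in EDE order; with k1 == k2 == k3 it collapses to a single encryption."""
    return encrypt(k3, decrypt(k2, encrypt(k1, plaintext)))


if __name__ == "__main__":
    key = 0b1010000010                       # the slide's 10-bit key
    k1, k2 = key_schedule(key)
    print(f"K1={k1:08b} K2={k2:08b}")
    c = encrypt(key, 0b01110010)
    print(f"ciphertext={c:08b} recovered={decrypt(key, c):08b}")
    print("keys consistent with one pair:", [f"{k:010b}" for k in brute_force([(0b01110010, c)])])
```

Run as a script it reproduces the slide's K1 = 10100100, K2 = 01000011 and ciphertext 01110111, and recovers the plaintext. Because the block is only 8 bits, more than one key usually matches a single plaintext/ciphertext pair; `brute_force` accepts a list of pairs so a second pair narrows the candidates, which is why key-space size, not block size alone, is what makes exhaustive search impractical for real ciphers.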

Symmetric Encryption: AES

• Advanced encryption standard (AES) [more secure and efficient]
• Block length 128 bits
• Key length can be 128, 192, or 256 bits
• Not a Feistel structure: processes the entire data block in parallel during each round using substitutions and permutation. [Feistel structure: half of the data block is used to modify the other half, and then the halves are swapped.]
• Key operations: substitute bytes, shift rows, mix columns, and add round key.
• All operations are reversible: for substitute bytes, shift rows and mix columns, an inverse function is used in the decryption; for add round key, the inverse is achieved by XORing the same round key to the block — A ⊕ A ⊕ B = B.
• It is easy to verify that decryption does recover the plaintext by reversible operations.

5. Only the Add Round Key stage makes use of the key. For this reason, the cipher begins and ends with an Add Round Key stage. Any other stage, applied at the beginning or end, is reversible without knowledge of the key and so would add no security.
6. The Add Round Key stage by itself would not be formidable. The other three stages together scramble the bits, but by themselves would provide no security because they do not use the key. We can view the cipher as alternating operations of XOR encryption (Add Round Key) of a block, followed by scrambling of the block (the other three stages), followed by XOR encryption, and so on. This scheme is both efficient and highly secure.
7. Each stage is easily reversible. For the Substitute Byte, Shift Row, and Mix Columns stages, an inverse function is used in the decryption algorithm. For the Add Round Key stage, the inverse is achieved by XORing the same round key to the block, using the result that A ⊕ A ⊕ B = B.
8. As with most block ciphers, the decryption algorithm makes use of the expanded key in reverse order. However, the decryption algorithm is not identical to the encryption algorithm. This is a consequence of the particular structure of AES.
Symmetric Encryption: AES

[Figure 20.3 AES Encryption and Decryption. (a) Encryption: Plaintext -> Add round key with key words [0, 3] -> Rounds 1 to 9, each consisting of Substitute bytes, Shift rows, Mix columns, Add round key (round 1 uses words [4, 7], round 9 uses words [36, 39]) -> Round 10: Substitute bytes, Shift rows, Add round key with words [40, 43] -> Ciphertext. The key is expanded (Expand key) into the 44 round-key words. (b) Decryption runs from Ciphertext back to Plaintext with the inverse stages (Inverse sub bytes, Inverse shift rows, Inverse mix cols, Add round key), taking the round keys in reverse order, round 10 first.]
Symmetric Encryption: AES

9. Once it is established that all four stages are reversible, it is easy to verify that decryption does recover the plaintext. Figure 20.3 lays out encryption and decryption going in opposite vertical directions. At each horizontal point (e.g., the dashed line in the figure), State is the same for both encryption and decryption.
10. The final round of both encryption and decryption consists of only three stages. Again, this is a consequence of the particular structure of AES and is required to make the cipher reversible.

Algorithm Details

We now look briefly at the principal elements of AES in more detail.

• Substitute Bytes Transformation
  • AES defines a 16 × 16 matrix of byte values, called an S-box
  • Leftmost 4 bits — row index, rightmost 4 bits — column index; look up the S-box for the 8-bit output

SUBSTITUTE BYTES TRANSFORMATION  The forward substitute byte transformation, called SubBytes, is a simple table lookup. AES defines a 16 × 16 matrix of byte values, called an S-box (Table 20.2a), that contains a permutation of all possible 256 8-bit values. Each individual byte of State is mapped into a new byte in the following way: the leftmost 4 bits of the byte are used as a row value and the rightmost 4 bits are used as a column value. These row and column values serve as indexes into the S-box to select a unique 8-bit output value. For example, the hexadecimal value {95} references row 9, column 5 of the S-box, which contains the value {2A}. Accordingly, the value {95} is mapped into the value {2A}.

The S-box is constructed using properties of finite fields. The topic of finite fields is beyond the scope of this book; it is discussed in detail in [STAL14a].

Table 20.2 AES S-Boxes
(a) S-box (row x = leftmost 4 bits, column y = rightmost 4 bits)

        y
x    0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
0   63 7C 77 7B F2 6B 6F C5 30 01 67 2B FE D7 AB 76
1   CA 82 C9 7D FA 59 47 F0 AD D4 A2 AF 9C A4 72 C0
2   B7 FD 93 26 36 3F F7 CC 34 A5 E5 F1 71 D8 31 15
3   04 C7 23 C3 18 96 05 9A 07 12 80 E2 EB 27 B2 75
4   09 83 2C 1A 1B 6E 5A A0 52 3B D6 B3 29 E3 2F 84
5   53 D1 00 ED 20 FC B1 5B 6A CB BE 39 4A 4C 58 CF
6   D0 EF AA FB 43 4D 33 85 45 F9 02 7F 50 3C 9F A8
7   51 A3 40 8F 92 9D 38 F5 BC B6 DA 21 10 FF F3 D2
8   CD 0C 13 EC 5F 97 44 17 C4 A7 7E 3D 64 5D 19 73
9   60 81 4F DC 22 2A 90 88 46 EE B8 14 DE 5E 0B DB
A   E0 32 3A 0A 49 06 24 5C C2 D3 AC 62 91 95 E4 79
B   E7 C8 37 6D 8D D5 4E A9 6C 56 F4 EA 65 7A AE 08
C   BA 78 25 2E 1C A6 B4 C6 E8 DD 74 1F 4B BD 8B 8A
D   70 3E B5 66 48 03 F6 0E 61 35 57 B9 86 C1 1D 9E
E   E1 F8 98 11 69 D9 8E 94 9B 1E 87 E9 CE 55 28 DF
F   8C A1 89 0D BF E6 42 68 41 99 2D 0F B0 54 BB 16

Here is an example of the SubBytes transformation:

  EA 04 65 85        87 F2 4D 97
  83 45 5D 96   ->   EC 6E 4C 90
  5C 33 98 B0        4A C3 46 E7
  F0 2D AD C5        8C D8 95 A6
Symmetric Encryption: AES

• Inverse Substitute Bytes Transformation
  • Inverse S-box
  • Low correlation between input bits and output bits
  • The output cannot be described as a simple mathematical function of the input

The inverse substitute byte transformation, called InvSubBytes, makes use of the inverse S-box shown in Table 20.2b. Note, for example, that the input {2A} produces the output {95}.

(b) Inverse S-box (row x = leftmost 4 bits, column y = rightmost 4 bits)

        y
x    0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
0   52 09 6A D5 30 36 A5 38 BF 40 A3 9E 81 F3 D7 FB
1   7C E3 39 82 9B 2F FF 87 34 8E 43 44 C4 DE E9 CB
2   54 7B 94 32 A6 C2 23 3D EE 4C 95 0B 42 FA C3 4E
3   08 2E A1 66 28 D9 24 B2 76 5B A2 49 6D 8B D1 25
4   72 F8 F6 64 86 68 98 16 D4 A4 5C CC 5D 65 B6 92
5   6C 70 48 50 FD ED B9 DA 5E 15 46 57 A7 8D 9D 84
6   90 D8 AB 00 8C BC D3 0A F7 E4 58 05 B8 B3 45 06
7   D0 2C 1E 8F CA 3F 0F 02 C1 AF BD 03 01 13 8A 6B
8   3A 91 11 41 4F 67 DC EA 97 F2 CF CE F0 B4 E6 73
9   96 AC 74 22 E7 AD 35 85 E2 F9 37 E8 1C 75 DF 6E
A   47 F1 1A 71 1D 29 C5 89 6F B7 62 0E AA 18 BE 1B
B   FC 56 3E 4B C6 D2 79 20 9A DB C0 FE 78 CD 5A F4
C   1F DD A8 33 88 07 C7 31 B1 12 10 59 27 80 EC 5F
D   60 51 7F A9 19 B5 4A 0D 2D E5 7A 9F 93 C9 9C EF
E   A0 E0 3B 4D AE 2A F5 B0 C8 EB BB 3C 83 53 99 61
F   17 2B 04 7E BA 77 D6 26 E1 69 14 63 55 21 0C 7D
Symmetric Encryption: AES

• Shift Row Transformation
  • First row of State is not altered
  • Second row: 1-byte circular left shift
  • Third row: 2-byte circular left shift
  • Fourth row: 3-byte circular left shift
• Inverse Shift Row Transformation
  • Circular shifts in the opposite direction

For the second row, a 1-byte circular left shift is performed. For the third row, a 2-byte circular left shift is performed. For the fourth row, a 3-byte circular left shift is performed. The following is an example of ShiftRows:

  87 F2 4D 97        87 F2 4D 97
  EC 6E 4C 90   ->   6E 4C 90 EC
  4A C3 46 E7        46 E7 4A C3
  8C D8 95 A6        A6 8C D8 95
Symmetric Encryption: AES

• Mix Column Transformation

The inverse shift row transformation, called InvShiftRows, performs the circular shifts in the opposite direction for each of the last three rows, with a 1-byte circular right shift for the second row, and so on.

The shift row transformation is more substantial than it may first appear. This is because the State, as well as the cipher input and output, is treated as an array of four 4-byte columns. Thus, on encryption, the first 4 bytes of the plaintext are copied to the first column of State, and so on. Further, as will be seen, the round key is applied to State column by column. Thus, a row shift moves an individual byte from one column to another, which is a linear distance of a multiple of 4 bytes. Also note that the transformation ensures that the 4 bytes of one column are spread out to four different columns.

MIX COLUMN TRANSFORMATION  The forward mix column transformation, called MixColumns, operates on each column individually. Each byte of a column is mapped into a new value that is a function of all 4 bytes in the column. The mapping makes use of equations over finite fields. The following is an example of MixColumns:

  87 F2 4D 97        47 40 A3 4C
  6E 4C 90 EC   ->   37 D4 70 9F
  46 E7 4A C3        94 E4 3A 42
  A6 8C D8 95        ED A5 A6 BC

The mapping is designed to provide a good mixing among the bytes of each column.
Symmetric Encryption: AES

• Mix Column Transformation

Example:

  87 F2 4D 97        47 40 A3 4C
  6E 4C 90 EC   ->   37 D4 70 9F
  46 E7 4A C3        94 E4 3A 42
  A6 8C D8 95        ED A5 A6 BC

Multiplication of a byte x by the MixColumns constants:
• 01 · x = x
• 02 · x: if the leftmost bit of x is 0, shift left by 1 (binary multiplication by 2); if the leftmost bit is 1, shift left by 1 and then XOR with 1B (0001 1011)
• 03 · x = (02 ⊕ 01) · x = (02 · x) ⊕ x

First byte of the first output column, (02 · 87) ⊕ (03 · 6E) ⊕ (01 · 46) ⊕ (01 · A6):
  87 = 1000 0111   02 · 87: 1) shift left by 1: 0000 1110   2) XOR with 1B: 0001 0101
  6E = 0110 1110   02 · 6E = 1101 1100   03 · 6E = (02 · 6E) XOR 6E = 1011 0010
  46 = 0100 0110   01 · 46 = 0100 0110
  A6 = 1010 0110   01 · A6 = 1010 0110
  XOR of the four results: 0100 0111 —> 47

The mapping is designed to provide a good mixing among the bytes of each column. The mix column transformation combined with the shift row transformation ensures that after a few rounds, all output bits depend on all input bits.

ADD ROUND KEY TRANSFORMATION  In the forward add round key transformation, called AddRoundKey, the 128 bits of State are bitwise XORed with the 128 bits of the round key. The operation is viewed as a column-wise operation between the four bytes of a State column and one word of the round key; it can also be viewed as a byte-level operation.
Symmetric Encryption: AES

• Add Round Key Transformation
• State XOR Round Key (element-wise)
• Inverse Add Round Key Transformation
• Identical to the forward, i.e., State XOR Round Key. XOR operation is its own inverse.

Example:
  47 40 A3 4C       AC 19 28 57       EB 59 8B 1B
  37 D4 70 9F   ⊕   77 FA D1 5C   =   40 2E A1 C3
  94 E4 3A 42       66 DC 29 00       F2 38 13 42
  ED A5 A6 BC       F3 21 41 6A       1E 84 E7 D2
     State             Key
  e.g., 40 ⊕ 19: 0100 0000 ⊕ 0001 1001 = 0101 1001 = 59

The first matrix is State, and the second matrix is the round key. The inverse add round key transformation is identical to the forward add round key transformation, because the XOR operation is its own inverse.

39

Symmetric Encryption: Stream Cipher

• Stream cipher processes the input elements continuously, producing output one element at a time, as it goes along.
• A key is input to a pseudorandom bit generator that produces a stream of numbers — key stream
• A key stream XOR plaintext stream (bitwise)
• Decryption requires the use of the same pseudorandom sequence

[Figure: (a) Block cipher encryption (electronic codebook mode): each plaintext block P1, P2, ..., Pn is encrypted with key K to C1, C2, ..., Cn and decrypted block by block with the same key. (b) Stream encryption: key k drives a pseudorandom byte generator (key stream generator); the plaintext byte stream M is XORed with the key stream to give the ciphertext byte stream C, and the same key stream recovers M.]

In this structure a key is input to a pseudorandom bit generator that produces a stream of 8-bit numbers that are apparently random. A pseudorandom stream is one that is unpredictable without knowledge of the input key and that has an apparently random character. The output of the generator, called a keystream, is combined one byte at a time with the plaintext stream using the bitwise exclusive-OR operation. For example, if the next byte generated by the generator is 01101100 and the next plaintext byte is 11001100, then the resulting ciphertext byte is:

    11001100 plaintext
  ⊕ 01101100 key stream
    10100000 ciphertext

Decryption requires the use of the same pseudorandom sequence:

    10100000 ciphertext
  ⊕ 01101100 key stream
    11001100 plaintext

With a properly designed pseudorandom number generator, a stream cipher can be as secure as a block cipher of comparable key length. The primary advantage of a stream cipher is that stream ciphers are almost always faster and use far less code than do block ciphers. The example in this section, RC4, can be implemented in just a few lines of code. Table 20.3 compares execution times of RC4 with three well-known symmetric block ciphers. The advantage of a block cipher is that you can reuse keys. However, if two plaintexts are encrypted with the same key using a stream cipher, then cryptanalysis is often quite simple [DAWS96]. If the two ciphertext streams are XORed together, the result is the XOR of the original plaintexts. If the plaintexts are text strings, credit card numbers, or other byte streams with known properties, then cryptanalysis may be successful.

40

Symmetric Encryption: Stream Cipher

• As secure as block cipher of comparable key length


• Faster and use far less code
• Reusing a key is a security issue (block ciphers can reuse keys)
• Example: if two plaintexts are encrypted with the same key using a stream
cipher, then the XOR of the two ciphertexts is the XOR of the original plaintexts

41

Symmetric Encryption: RC4

• Stream cipher
• A variable length key 1-256 bytes
• Use key to initialize state vector S (permutation)
• Once S vector is initialized, the input key is no longer used
• Key stream is generated from S (cycling, swapping… ) and XORed with the
plaintext for encryption

42
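As an added example (not code from the slides), the RC4 key-stream generator written from the description on this slide, used to encrypt and decrypt and to show the key-reuse issue from the stream-cipher slide; KEY, P1 and P2 are constructed demo values.

```python
# Added example (not code from the slides): RC4 written from the slide's
# description (the key initialises the permutation S; the key stream is
# generated by cycling through S and swapping) plus the key-reuse effect
# from the stream-cipher slide. KEY, P1 and P2 are constructed values.

def rc4_keystream(key):
    """Key scheduling: a 1-256 byte key initialises S; after that the key
    itself is no longer used. Then yield key-stream bytes indefinitely."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1-256 bytes")
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:                              # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]

def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def rc4_crypt(key, data):
    """Encrypt or decrypt: XOR the data with the key stream. The same
    call decrypts because XOR is its own inverse."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)

def byte_example():
    """The slide's single-byte example: 11001100 XOR 01101100 gives the
    ciphertext byte, and XOR with the same key-stream byte restores it."""
    p, k = 0b11001100, 0b01101100
    c = p ^ k
    return c, c ^ k

def keystream_reuse_leak(c1, c2):
    """Two ciphertexts under the same key stream: C1 XOR C2 = P1 XOR P2.
    The key stream cancels out, which is why a stream-cipher key is not
    reused (a block-cipher key can be)."""
    return xor_bytes(c1, c2)

KEY = b"constructed demo key"
P1 = b"meeting at 10:00"
P2 = b"meeting at 11:30"

def demo():
    """Round trip, the reuse leak, and what the leak gives away when one
    plaintext is a byte stream with known content."""
    c1, c2 = rc4_crypt(KEY, P1), rc4_crypt(KEY, P2)
    leak = keystream_reuse_leak(c1, c2)
    return (rc4_crypt(KEY, c1) == P1,
            leak == xor_bytes(P1, P2),
            xor_bytes(leak, P1) == P2)
```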

Cipher Block Modes of Operation

• DES/3DES: the block length is 64 bits

• How to tackle a longer plaintext?
• Break the plaintext into 64-bit blocks (padding the last block if necessary)

44

Cipher Block Modes of Operation

• Electronic Code book


• Description: Each block of 64 plaintext bits is encoded independently
using the same key.
• Typical Application: Secure transmission of single values (e.g., an
encryption key)

45

which the same plaintext block, if repeated, produces different ciphertext blocks.

Cipher Block Chaining Mode

Cipher Block Modes of Operation

• Cipher Block Chaining (CBC)

In the cipher block chaining (CBC) mode (Figure 20.6), the input to the encryption algorithm is the XOR of the current plaintext block and the preceding ciphertext block; the same key is used for each block. In effect, we have chained together the processing of the sequence of plaintext blocks. The input to the encryption function for each plaintext block bears no fixed relationship to the plaintext block. Therefore, repeating patterns of b bits are not exposed.

For decryption, each cipher block is passed through the decryption algorithm. The result is XORed with the preceding ciphertext block to produce the plaintext block. To see that this works, we can write

  Cj = E(K, [Cj-1 ⊕ Pj])

where E(K, X) is the encryption of plaintext X using key K, and ⊕ is the exclusive-OR operation. Then

  D(K, Cj) = D(K, E(K, [Cj-1 ⊕ Pj]))
  D(K, Cj) = Cj-1 ⊕ Pj
  Cj-1 ⊕ D(K, Cj) = Cj-1 ⊕ Cj-1 ⊕ Pj = Pj

To produce the first block of ciphertext, an initialization vector (IV) is XORed with the first block of plaintext. On decryption, the IV is XORed with the output of the decryption algorithm to recover the first block of plaintext:

  C1 = E(K, [IV ⊕ P1])

The IV must be known to both the sender and receiver. For maximum security, the IV should be protected as well as the key. One reason for protecting the IV is as follows: if an opponent is able to fool the receiver into using a different value for IV, then the opponent is able to invert selected bits in the first block of plaintext.

[Figure 20.6 Cipher Block Chaining (CBC) Mode. (a) Encryption: at Time = 1, 2, ..., N the blocks P1, P2, ..., PN are XORed with IV, C1, ..., CN-1 respectively and encrypted with K to give C1, C2, ..., CN. (b) Decryption: C1, ..., CN are decrypted with K and XORed with IV, C1, ..., CN-1 to recover P1, ..., PN.]

46

Cipher Block Modes of Operation

• Cipher Block Chaining (CBC)


• Initialization vector (IV) must be known to both the sender and receiver
• IV should be protected like the key: e.g., if an adversary changes bits in the IV,
then the plaintext in block 1 is changed.

• Typical application: General-purpose block-oriented transmission;
authentication

Cipher Block Modes of Operation

• Cipher Feedback (CFB)
• convert block cipher into a stream cipher

First, consider encryption. The input to the encryption function is a b-bit shift register that is initially set to some initialization vector (IV). The leftmost (most significant) s bits of the output of the encryption function are XORed with the first unit of plaintext P1 to produce the first unit of ciphertext C1, which is then transmitted. In addition, the contents of the shift register are shifted left by s bits and C1 is placed in the rightmost (least significant) s bits of the shift register. This process continues until all plaintext units have been encrypted.

For decryption, the same scheme is used, except that the received ciphertext unit is XORed with the output of the encryption function to produce the plaintext unit. Note that it is the encryption function that is used, not the decryption function. This is easily explained. Let Ss(X) be defined as the most significant s bits of X. Then

  C1 = P1 ⊕ Ss[E(K, IV)]

Therefore,

  P1 = C1 ⊕ Ss[E(K, IV)]

The same reasoning holds for subsequent steps in the process.

[Figure 20.7 s-bit Cipher Feedback (CFB) Mode. (a) Encryption and (b) Decryption: each stage holds a 64-bit shift register (b - s bits | s bits) seeded with IV, encrypts it with K, selects the leftmost s bits and discards the remaining b - s bits, XORs them with P1 ... PM (or C1 ... CM), and shifts the ciphertext unit into the register; CM-1 feeds the last stage.]

48

Cipher Block Modes of Operation


• Cipher Feedback (CFB)
• Decryption also uses the encryption function, not the decryption function

• Typical application: General-purpose stream-oriented transmission;
authentication

49

Cipher Block Modes of Operation

• Counter (CTR)
• Counter size = plaintext block size
• Counter is initialized to some value and then incremented by 1 for each
subsequent block

Counter Mode
Although interest in the counter mode (CTR) has increased recently, with applications to ATM (asynchronous transfer mode) network security and IPSec (IP security), this mode was proposed early on (e.g., [DIFF79]).

Figure 20.8 depicts the CTR mode. A counter equal to the plaintext block size is used. The only requirement stated in SP 800-38A is that the counter value must be different for each plaintext block that is encrypted. Typically, the counter is initialized to some value and then incremented by 1 for each subsequent block (modulo 2^b, where b is the block size). For encryption, the counter is encrypted and then XORed with the plaintext block to produce the ciphertext block; there is no

[Figure 20.8 Counter (CTR) Mode. (a) Encryption: Counter, Counter + 1, ..., Counter + N - 1 are each encrypted with K and XORed with P1, P2, ..., PN to give C1, C2, ..., CN. (b) Decryption: the same encrypted counters are XORed with C1, ..., CN to recover P1, ..., PN.]

50

Cipher Block Modes of Operation

• Counter (CTR)
• No chaining, so multiple blocks can be processed in parallel
• Unlike the chaining modes, where block i cannot be computed until the i-1 prior blocks are computed
• Only needs the encryption algorithm

• Typical application: General-purpose block-oriented transmission; useful
for high-speed requirements

51
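As an added example (not code from the slides or from Stallings), the four modes above implemented over a constructed toy 64-bit Feistel cipher so that the CBC, CFB and CTR equations, the ECB repetition problem and the CBC IV caveat can all be exercised; the Feistel round function, KEY, IV and MSG are assumptions chosen for the demo, not a real cipher.

```python
# Added example (not from the slides or Stallings): ECB, CBC, CFB and
# CTR implemented over a constructed toy 64-bit Feistel block cipher
# (SHA-256 as round function) so the modes' equations can be run
# offline. KEY, IV and MSG are constructed demo values.
import hashlib

BLOCK = 8                       # 64-bit blocks, as for DES/3DES

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, right, r):
    """Feistel round function: 32 bits from key, round number and half."""
    return hashlib.sha256(key + bytes([r]) + right).digest()[:4]

def encrypt_block(key, block, rounds=8):
    """Toy E(K, X): per round L <- R, R <- L XOR F(K, R); final swap."""
    left, right = block[:4], block[4:]
    for r in range(rounds):
        left, right = right, _xor(left, _f(key, right, r))
    return right + left

def decrypt_block(key, block, rounds=8):
    """Toy D(K, Y): the same rounds in reverse order undo the network."""
    left, right = block[:4], block[4:]
    for r in reversed(range(rounds)):
        left, right = right, _xor(left, _f(key, right, r))
    return right + left

def pad(data):
    """Pad the last block so every block is full (PKCS#7 style)."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data):
    return data[:-data[-1]]

def split(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, pt):
    """ECB: each block is encrypted independently with the same key."""
    return b"".join(encrypt_block(key, p) for p in split(pad(pt)))

def ecb_decrypt(key, ct):
    return unpad(b"".join(decrypt_block(key, c) for c in split(ct)))

def cbc_encrypt(key, iv, pt):
    """CBC: Cj = E(K, [Cj-1 XOR Pj]) with C0 = IV."""
    out, prev = [], iv
    for p in split(pad(pt)):
        prev = encrypt_block(key, _xor(prev, p))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    """CBC: Pj = Cj-1 XOR D(K, Cj); the IV enters P1 directly."""
    out, prev = [], iv
    for c in split(ct):
        out.append(_xor(prev, decrypt_block(key, c)))
        prev = c
    return unpad(b"".join(out))

def cfb_crypt(key, iv, data, s=1, decrypt=False):
    """s-byte CFB: unit XOR Ss[E(K, register)], then shift the ciphertext
    unit into the register. Both directions use only encrypt_block."""
    reg, out = iv, []
    for i in range(0, len(data), s):
        unit = data[i:i + s]
        result = _xor(unit, encrypt_block(key, reg)[:s])
        out.append(result)
        c = unit if decrypt else result    # ciphertext unit feeds back
        reg = (reg + c)[-BLOCK:]           # shift left by s, append C
    return b"".join(out)

def ctr_crypt(key, counter, data):
    """CTR: Cj = Pj XOR E(K, counter + j - 1) mod 2^b. Blocks are
    independent (parallelisable); decryption is the same call."""
    out, start = [], int.from_bytes(counter, "big")
    for j, p in enumerate(split(data)):
        ctr = ((start + j) % (1 << (8 * BLOCK))).to_bytes(BLOCK, "big")
        out.append(_xor(p, encrypt_block(key, ctr)))
    return b"".join(out)

KEY = b"constructed-key!"
IV = bytes(range(8))            # demo IV / initial counter value
MSG = b"temperature=21.5" * 2   # a repeated 16-byte pattern

def ecb_leaks_repeats():
    """ECB repeats ciphertext for repeated plaintext blocks; CBC does not."""
    ecb, cbc = ecb_encrypt(KEY, MSG), cbc_encrypt(KEY, IV, MSG)
    return ecb[:8] == ecb[16:24], cbc[:8] == cbc[16:24]

def cbc_iv_tamper():
    """Slide caveat: a changed IV changes the same bits of P1 on decrypt
    (here the low bit of byte 0, turning 't' into 'u')."""
    bad_iv = bytes([IV[0] ^ 0x01]) + IV[1:]
    return cbc_decrypt(KEY, bad_iv, cbc_encrypt(KEY, IV, MSG))
```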

Summary
• Cryptography
• Context, Ingredients, Classification, Attacks
• Symmetric Encryption: Block Cipher
• DES/Triple DES (Feistel Cipher Structure)
• AES
• Symmetric Encryption: Stream Cipher
• RC4
• Cipher Block Modes of Operation
• Electronic Code book (ECB)
• Cipher Block Chaining (CBC)
• Cipher Feedback (CFB)
• Counter (CTR)

52


Thank You
Quiz Time

• 15 minutes

54

COMPSCI4062&5063: Cyber Security Fundamentals
Topic 5: Cryptography II

Dr. Dongzhu Liu


Email: [email protected]
Office: SAWB 510 (b)

1


Overview

• Asymmetric Encryption
• Confidentiality vs. Authentication
• Requirements
• Algorithms
• RSA
• Diffie-Hellman Key Exchange

• Tutorial Questions

2

Asymmetric Encryption

[Figure 2.6a Encryption with public key: Bob takes Alice's public key PUa from his public key ring (Joy, Ted, Mike, Alice) and produces the transmitted ciphertext Y = E[PUa, X] with an encryption algorithm (e.g., RSA); Alice recovers the plaintext output with her private key PRa, X = D[PRa, Y].]

• User generates a pair of keys
• Places public key in accessible files, keeps the other key private
• Send a private message to “Alice” — encryption using Alice’s public key
• Only Alice can decrypt the message with her private key

3

Asymmetric Encryption

Confidentiality

[Figure 2.6a Encryption with public key, as on the previous slide: Bob sends Y = E[PUa, X] to Alice, who recovers X = D[PRa, Y] with her private key PRa.]

4
Asymmetric Encryption

Authentication

[Figure 2.6b Encryption with private key: Bob encrypts with his private key PRb, Y = E[PRb, X]; Alice takes Bob's public key PUb from her public key ring (Joy, Ted, Mike, Bob) and recovers X = D[PUb, Y].]

Figure 2.6 Public-Key Cryptography

• A user is able to recover the plaintext using Bob’s public key
• Only Bob encrypted the plaintext — authentication

confidentiality is provided depends on a number of factors, including the security of the algorithm, whether the private key is kept secure, and the security of any protocol of which the encryption function is a part.

The scheme of Figure 2.6b is directed toward providing authentication and/or data integrity. If a user is able to successfully recover the plaintext from Bob’s ciphertext using Bob’s public key, this indicates that only Bob could have encrypted the plaintext, thus providing authentication. Further, no one but Bob would be

5

Requirements for Public-Key Cryptography

The cryptosystem illustrated in Figure 2.6 depends on a cryptographic algorithm based on two related keys. Diffie and Hellman postulated this system without demonstrating that such algorithms exist. However, they did lay out the conditions that such algorithms must fulfill [DIFF76]:

1. It is computationally easy for a party B to generate a pair (public key PUb, private key PRb).
2. It is computationally easy for a sender A, knowing the public key and the message to be encrypted, M, to generate the corresponding ciphertext: C = E(PUb, M)
3. It is computationally easy for the receiver B to decrypt the resulting ciphertext using the private key to recover the original message: M = D(PRb, C) = D[PRb, E(PUb, M)]
4. It is computationally infeasible for an opponent, knowing the public key, PUb, to determine the private key, PRb.

Asymmetric Encryption: Conditions

• Computationally easy for a party B to generate a pair of keys
• Computationally easy for a sender A, knowing the public key and the plain text M, to generate the corresponding cipher-text C = E(PUb, M)
• Computationally easy for a receiver B to decrypt the ciphertext using the private key: M = D(PRb, C) = D[PRb, E(PUb, M)]

Table 2.3 Applications for Public-Key Cryptosystems

  Algorithm        Digital Signature   Symmetric Key Distribution   Encryption of Secret Keys
  RSA              Yes                 Yes                          Yes
  Diffie-Hellman   No                  Yes                          No
  DSS              Yes                 No                           No
  Elliptic Curve   Yes                 Yes                          Yes

6

Asymmetric Encryption: Conditions

• Computationally infeasible for an opponent, knowing the public key,
to determine the private key

• Computationally infeasible for an opponent, knowing the public key,
and a ciphertext, to recover the plaintext

• Either of the two related keys can be used for encryption, with the
other used for decryption

5. It is computationally infeasible for an opponent, knowing the public key, PUb, and a ciphertext, C, to recover the original message, M.

We can add a sixth requirement that, although useful, is not necessary for all public-key applications:

6. Either of the two related keys can be used for encryption, with the other used for decryption.

  M = D[PUb, E(PRb, M)] = D[PRb, E(PUb, M)]

7

Asymmetric Encryption Algorithms

In this subsection, we briefly mention the most widely used asymmetric encryption algorithms. Chapter 21 provides technical details.

RSA One of the first public-key schemes was developed in 1977 by Ron Rivest, Adi Shamir, and Len Adleman at MIT and first published in 1978 [RIVE78]. The RSA scheme has since reigned supreme as the most widely accepted and implemented approach to public-key encryption. RSA is a block cipher in which the plaintext and ciphertext are integers between 0 and n – 1 for some n.

In 1977, the three inventors of RSA dared Scientific American readers to decode a cipher they printed in Martin Gardner’s “Mathematical Games” column. They offered a $100 reward for the return of a plaintext sentence, an event they predicted

8
Algorithms: RSA

• Developed in 1977 by Ron Rivest, Adi Shamir, and Len Adleman


• Asymmetric encryption
• Block Cipher
• Application: Secure Sockets Layer (SSL), Transport Layer Security
(TLS)

We examine RSA plus some security considerations in this section.1

Algorithms: RSA

• Description of the Algorithm
• Encryption C = M^e mod n
• Decryption M = C^d mod n = (M^e)^d mod n = M^ed mod n
• Public key PU = {e, n} and private key PR = {d, n}
• Sender: e, n      Receiver: e, n, d
• Plaintext block M, ciphertext block C

Description of the Algorithm

One of the first public-key schemes was developed in 1977 by Ron Rivest, Adi Shamir, and Len Adleman at MIT and first published in 1978 [RIVE78]. The RSA scheme has since that time reigned supreme as the most widely accepted and implemented approach to public-key encryption. RSA is a block cipher in which the plaintext and ciphertext are integers between 0 and n - 1 for some n.

Encryption and decryption are of the following form, for some plaintext block M and ciphertext block C:

  C = M^e mod n
  M = C^d mod n = (M^e)^d mod n = M^ed mod n

Both sender and receiver must know the values of n and e, and only the receiver knows the value of d. This is a public-key encryption algorithm with a public key of PU = {e, n} and a private key of PR = {d, n}. For this algorithm to be satisfactory for public-key encryption, the following requirements must be met:

1. It is possible to find values of e, d, n such that M^ed mod n = M for all M < n.
2. It is relatively easy to calculate M^e and C^d for all values of M < n.
3. It is infeasible to determine d given e and n.

The first two requirements are easily met. The third requirement can be met for large values of e and n.

Algorithms: RSA

• Requirement 1. It is possible to find values of e, d, n such that M^ed mod n = M for all M < n.

More should be said about the first requirement. We need to find a relationship of the form

  M^ed mod n = M

The preceding relationship holds if e and d are multiplicative inverses modulo φ(n), where φ(n) is the Euler totient function. It is shown in Appendix B that for p, q prime, φ(pq) = (p - 1)(q - 1). φ(n), referred to as the Euler totient of n, is the number of positive integers less than n and relatively prime to n. The relationship between e and d can be expressed as

  ed mod φ(n) = 1

10

1 The section
This first twoholds
relationshipholdsholds
if
requirements
uses some and
if e
andand
elementaryare d are
d
are are
concepts multiplicative
multiplicative
multiplicative
easily frommet. The
number inverses
inverses
inverses
third
theory. modulo
modulo
modulo
requirement
For a review, can
see
f(n),
be
Appendix
f(n)
f(n),
, metB.
where isEuler
the Euler totient function. More
Itisisshownshould
shown in be said
Appendix aboutBB the
that first
for requirement
p, for
q p, p,
enverses
f(n)
f(n) ismodulo
isthe
for the
f(n)
largeEulervalues totient
totient
of e and function.
function.
n.
where f(n), is the Euler totient function. It
It is shown
ship of the form inin Appendix
Appendix B that
that for q q
prime,
e,f(f( pq) f( pq)
( p =
- p - 1)(q
(should
1)(q - - 1).
1). f(n), referred
referred toto as
as the
the Euler
Euler totient
totient of n,
of isn,the
is the
pendix pq)B
number
= =
that ( p
More
for -p,
ofofpositive
1)(q
q - be 1).
said about
f(n), referred
the first to as
requirement.the Euler
We
integers less than n and relatively prime to n. The relationship
need totient
to
M
find
ed
mod
of
a n, is
relation-
n = M
the
ber
ler totient
r of ship
ofpositive
positive
of n, the
is form
integers
the
integers less thanasn and
less and relatively
relativelyprime primetoton.n.The The relationship
relationship
between e and d can be expressed The
to n. The relationship ed preceding relationship holds if e and d are multipl
eene eand
en andddcan canbe beexpressed
expressed as as M mod n = M
ed mod wheref(n)f(n) = 1is the Euler totient function. It is shown
The preceding relationship ed holds
mod ifprime,
e andf(
f(n) = are
d pq)
1 multiplicative
= ( p - 1)(q -inverses1). f(n), modulo
referred to as
f(n),
ed modnumber
where f(n) is the Euler totient function.
f(n) = of
1is shownintegers
It positive in Appendix
less than B nthat
andfor p, q
relatively
1 prime,
This section uses = ( p - 1)(q
pq) elementary
f(some - 1).
concepts frombetween
f(n),
number e and dFor
referred
theory. can
to aas be
theexpressed
review, Euler as B. of n, is the
totient
see Appendix
number of positive integers less than 11 n and relatively prime to n. The relationship

o requirements are easily met. The third requirement can be met


eand
fetwo n.
requirements
and n. are easily met. The third requirement can be met
d be said about
sbeof esaid
about the
and n. first requirement.
the first requirement.We Weneed
needtotofind
find a relation-
a relation-
Algorithms:
ould RSA
be said about the first requirement. We need to find a relation-
m
ed
• M
Preliminary ed
ed modnnn= ==
mod
M mod MMM
ationship
ationship
relationship
680 CHAPTERholds
holds
holds
211.if and
ee and
/ifPUBLIC-KEY are
anddddare
and are
are multiplicative
multiplicative
multiplicative
multiplicative
CRYPTOGRAPHY inverses inverses
inverses
inverses
AND modulo
MESSAGE mod modulo
modulo
f(n), f(n),
AUTHENTICATION f(n),
ethe
EulerEuler
Euler totient function.
totient
totient function. ItIt
function. Itis isshown
is shown
shownin Appendix
ininAppendix
AppendixB thatBfor p, qforfor
Bthat
that p, p,
q q
p -1)(q
(p=p (-- This is-equivalent
1)(q - 1). f(n),
1). f(n),toreferred
saying to as the Euler totient of n, is the
referred to asasthe Euler totient ofof is the
n, n,
1)(q - 1). referred
sitive integers less than n and relatively
to prime
ed mod
the Euler totient
f(n)to=n.1 The relationship
is the
ve integers
ed integers less
less
can be expressed as
than n and
and relatively
relatively prime
prime to
- 1ton. The
n. The relationship
relationship
d mod f(n) = e
ananbe beexpressed
expressed as as
That is, e anded dmod f(n) = 1 inverses mod f(n). According to the rules of
are multiplicative
ed mod
modular arithmetic, this =
is true 1
only
1 ifand
d (and therefore = is1 relatively prime to
(n), e) e)
<latexit sha1_base64="N1YLLJ/XhfLExEfBTviAiXTaIws=">AAACL3icbVDLSgMxFM3UV62vqks3wSK0IGVGiroRioK4rGAf0Cklk8m0oUlmSDJCGeaP3Pgr3Ygo4ta/MJ12oW1vCJyccy4393gRo0rb9ruVW1vf2NzKbxd2dvf2D4qHRy0VxhKTJg5ZKDseUoRRQZqaakY6kSSIe4y0vdHdVG8/E6loKJ70OCI9jgaCBhQjbah+8T5xJYcD7Kew7EZDWhaVc79y40DompOJSPgwnb3hCjeZuvvFkl21s4LLwJmDEphXo1+cuH6IY06Exgwp1XXsSPcSJDXFjKQFN1YkQniEBqRroECcqF6S7ZvCM8P4MAiluULDjP3bkSCu1Jh7xsmRHqpFbUqu0rqxDq57CRVRrInAs0FBzKAO4TQ86FNJsGZjAxCW1PwV4iGSCGsTccGE4CyuvAxaF1Xnslp7rJXqt/M48uAEnIIycMAVqIMH0ABNgMELmIAP8Gm9Wm/Wl/U9s+asec8x+FfWzy9da6Rf</latexit>

gcd(f(n)
(n), d) = gcd(
ed mod
f(n). Equivalently, f(n) == 11; that is, the greatest common divisor of f(n)
gcd(f(n),d)
and d is 1.
some elementary concepts from number theory. For a review, see Appendix B.
Figure 21.5 summarizes the RSA algorithm. Begin by selecting two prime
numbers,
me elementary p and from
concepts q, andnumber
calculating theirFor
theory. product n, which
a review, see isAppendix
the modulus B. for encryp-
e elementary concepts
tion and fromNext,
decryption. number theory.
we need For a review,
the quantity see Appendix
f(n). Then B. e that
select an integer
is relatively prime to f(n) [i.e., the greatest common divisor of e and f(n) is 1].
Finally, calculate d as the multiplicative inverse of e, modulo f(n). It can be shown
that d and e have the desired properties.
Suppose that user Acommon
has published
divisoritsexamples:
public key gcd(12,
and that13) user
=B 1 wishes to
<latexit sha1_base64="wWHItR9loavLfta72aZ+eZYB1W0=">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</latexit>

greatest
send the message M to A. Then B calculates C = Me (mod n) and transmits C. On <latexit sha1_base64="y53hTSet6M37076aT7YD/6nzo/8=">AAAB+nicbVDLSgMxFM3UV62vqS7dBItQQcpMKdWNUHTjsoJ9QDuUTCbThiaZIckoZeynuHGhiFu/xJ1/Y9rOQlsPXDiccy/33uPHjCrtON9Wbm19Y3Mrv13Y2d3bP7CLh20VJRKTFo5YJLs+UoRRQVqaaka6sSSI+4x0/PHNzO88EKloJO71JCYeR0NBQ4qRNtLALqZ9yeEQB9OyWz2vn13VB3bJqThzwFXiZqQEMjQH9lc/iHDCidCYIaV6rhNrL0VSU8zItNBPFIkRHqMh6RkqECfKS+enT+GpUQIYRtKU0HCu/p5IEVdqwn3TyZEeqWVvJv7n9RIdXnopFXGiicCLRWHCoI7gLAcYUEmwZhNDEJbU3ArxCEmEtUmrYEJwl19eJe1qxa1Xane1UuM6iyMPjsEJKAMXXIAGuAVN0AIYPIJn8ArerCfrxXq3PhatOSubOQJ/YH3+AM1Rkmg=</latexit>

receipt of this ciphertext, user A decrypts by calculating gcd(12,


M = C d6) = 6n).
(mod
An example, from [SING99], is shown in Figure 21.6. For 12)
this example, the
<latexit sha1_base64="Uree8TyEH+yF7NJV3q1aFglUr7Q=">AAAB+3icbVDLSsNAFJ3UV62vWJduBotQQUpSiroRim5cVrAPaEOZTCbt0JlJmJmIJeRX3LhQxK0/4s6/cdpmoa0HLhzOuZd77/FjRpV2nG+rsLa+sblV3C7t7O7tH9iH5Y6KEolJG0cskj0fKcKoIG1NNSO9WBLEfUa6/uR25ncfiVQ0Eg96GhOPo5GgIcVIG2lol9OB5HCEg6zqNs7d+tl1fWhXnJozB1wlbk4qIEdraH8NgggnnAiNGVKq7zqx9lIkNcWMZKVBokiM8ASNSN9QgThRXjq/PYOnRglgGElTQsO5+nsiRVypKfdNJ0d6rJa9mfif1090eOWlVMSJJgIvFoUJgzqCsyBgQCXBmk0NQVhScyvEYyQR1iaukgnBXX55lXTqNfei1rhvVJo3eRxFcAxOQBW44BI0wR1ogTbA4Ak8g1fwZmXWi/VufSxaC1Y+cwT+wPr8ATirkp0=</latexit>

gcd(14, =2
keys were generated as follows: 12

The third requirement can be met

Algorithms:
ement. We need to find aRSA
relation-

M • Preliminary
multiplicative inverses modulo
2. f(n), is the Euler totient function.
shown in Appendix B that for p, q
to as the Euler totient of n, is the
atively prime to n. The relationship <latexit sha1_base64="O7pERFAvnKet03n6uJebwQWm9pA=">AAAB/HicbVDLSgMxFM3UV62v0S7dBIswXVhmpKgboejGZQX7gHYomTRtQzOZNMkIw1B/xY0LRdz6Ie78G9N2Ftp64F4O59xLbk4gGFXadb+t3Nr6xuZWfruws7u3f2AfHjVVFEtMGjhikWwHSBFGOWloqhlpC0lQGDDSCsa3M7/1SKSiEX/QiSB+iIacDihG2kg9u9gVI+qISfnaEWde2ZmY1rNLbsWdA64SLyMlkKHes7+6/QjHIeEaM6RUx3OF9lMkNcWMTAvdWBGB8BgNScdQjkKi/HR+/BSeGqUPB5E0xTWcq783UhQqlYSBmQyRHqllbyb+53ViPbjyU8pFrAnHi4cGMYM6grMkYJ9KgjVLDEFYUnMrxCMkEdYmr4IJwVv+8ippnle8i0r1vlqq3WRx5MExOAEO8MAlqIE7UAcNgEECnsEreLOerBfr3fpYjOasbKcI/sD6/AGBd5K9</latexit>

For p, q prime, n=pq, (pq) = (p 1)(q 1)

= 1
<latexit sha1_base64="zkMELAPnXmiyaghS5NZH228fiAk=">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</latexit>

(n) is the number of positive integers less than n and relatively prime to n.

heory. For a review, see Appendix B.

13
2. Calculate n = pq = 17 * 11 = 187.
3. Calculate f(n) RSA
Algorithms: = (p - 1)(q - 1) = 16 * 10 = 160.

Algorithms: RSA

• Key generation

Key Generation
Select p, q                      p and q both prime, p ≠ q
Calculate n = p * q
Calculate φ(n) = (p - 1)(q - 1)
Select integer e                 gcd(φ(n), e) = 1; 1 < e < φ(n)
Calculate d                      de mod φ(n) = 1
Public key                       KU = {e, n}
Private key                      KR = {d, n}

Example:
p = 2, q = 7
n = 14
φ(n) = 6
e = 5
d = 11, d = 17, ... (multiple choices)
Algorithms: RSA

• Key generation

Example: de mod φ(n) = 1, with e = 5 and φ(n) = 6:

5d mod 6 = 1

Use the extended Euclidean algorithm to express 1 as an integer combination of 5 and 6:

6 = 1(5) + 1
Therefore 1 = 6 - 1(5)

This gives us:
5d mod 6 = [6 - 1(5)] mod 6
→ 5d ≡ -1(5) (mod 6), so d ≡ -1 (mod 6)
d = -1 + 6N for any integer N (e.g., d = 5, 11, 17)
Algorithms: RSA

• Encryption

Encryption
Plaintext:    M < n
Ciphertext:   C = M^e (mod n)

Example: n = 14, e = 5, M = 2
Ciphertext: C = 2^5 mod 14 = 32 mod 14 = 4

• Decryption

Decryption
Ciphertext:   C
Plaintext:    M = C^d (mod n)

Figure 21.5 The RSA Algorithm

Example: d = 17, n = 14, C = 4
M = 4^17 mod 14 = 2
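The key generation, encryption and decryption steps of Figure 21.5, run end to end on the slides' toy parameters (p = 2, q = 7, e = 5), as an added example; this is not code from the slides or from Stallings' text, and the function names are mine. It computes d with the extended Euclidean algorithm exactly as the slide does by hand, checks the gcd condition on e, and verifies requirement 1 (every block M < n survives the round trip). Numbers this small are for hand-checking only; real RSA uses primes of 1024+ bits and padding such as OAEP, neither of which is shown here.

```python
# Added worked example (not part of the original slides or Stallings' text):
# RSA key generation, encryption and decryption as laid out in Figure 21.5,
# run on the toy parameters used in the slides (p = 2, q = 7, e = 5).
# Tiny numbers so every step can be checked by hand; real RSA needs
# primes of 1024+ bits and padding (e.g. OAEP), neither of which is shown.
from math import gcd


def extended_gcd(a, b):
    """Extended Euclid: return (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x1, y1 = extended_gcd(b, a % b)
    return g, y1, x1 - (a // b) * y1


def mod_inverse(e, phi):
    """Smallest positive d with e*d mod phi == 1 (requires gcd(e, phi) == 1)."""
    g, x, _ = extended_gcd(e, phi)
    if g != 1:
        raise ValueError(f"e={e} has no inverse mod {phi}: gcd={g}")
    return x % phi            # e=5, phi=6: x=-1, so d=5 (the slide's -1 + 6N with N=1)


def is_valid_public_exponent(e, phi):
    """Figure 21.5 condition on e: 1 < e < phi(n) and gcd(phi(n), e) == 1."""
    return 1 < e < phi and gcd(phi, e) == 1


def rsa_keygen(p, q, e):
    """Key generation: returns public key (e, n) and private key (d, n)."""
    if p == q:
        raise ValueError("p and q must be distinct primes")
    n = p * q
    phi = (p - 1) * (q - 1)                 # Euler totient of n = pq
    if not is_valid_public_exponent(e, phi):
        raise ValueError(f"e={e} rejected: need 1 < e < {phi} and gcd({phi}, e) == 1")
    return (e, n), (mod_inverse(e, phi), n)


def rsa_encrypt(m, pub):
    """C = M^e mod n for a plaintext block 0 <= M < n."""
    e, n = pub
    if not 0 <= m < n:
        raise ValueError("plaintext block must satisfy 0 <= M < n")
    return pow(m, e, n)


def rsa_decrypt(c, priv):
    """M = C^d mod n."""
    d, n = priv
    return pow(c, d, n)


def roundtrip_all_blocks(p, q, e):
    """Requirement 1 from the slides: M^(ed) mod n == M for every block M < n."""
    pub, priv = rsa_keygen(p, q, e)
    return all(rsa_decrypt(rsa_encrypt(m, pub), priv) == m for m in range(pub[1]))


if __name__ == "__main__":
    pub, priv = rsa_keygen(2, 7, 5)
    print("public", pub, "private", priv)           # public (5, 14) private (5, 14)
    c = rsa_encrypt(2, pub)
    print("C =", c, "-> M =", rsa_decrypt(c, priv))  # C = 4 -> M = 2
    # every d = -1 + 6N decrypts, as the slide derives; the slide picked 17
    print([pow(c, d, 14) for d in (5, 11, 17)])      # [2, 2, 2]
    print(is_valid_public_exponent(3, 6))            # False: gcd(6, 3) = 3
```

Note what the toy parameters reveal: with φ(n) = 6 and e = 5, the smallest inverse is d = 5, so the private exponent equals the public one (the slide's d = 17 is the same residue class, 17 mod 6 = 5). That is one reason such small moduli carry no security, quite apart from the fact that n = 14 can be factored by inspection, which is exactly what requirement 3 forbids for real key sizes.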
Algorithms: Diffie-Hellman Key Exchange

• Purpose: Two users exchange a secret key securely that can then be used for subsequent encryption of messages.

Alice                                                      Bob
Alice and Bob share a prime q and c, such that             Alice and Bob share a prime q and c, such that
c < q and c is a primitive root of q                       c < q and c is a primitive root of q
Alice generates a private key XA such that XA < q          Bob generates a private key XB such that XB < q
Alice calculates a public key YA = c^XA mod q              Bob calculates a public key YB = c^XB mod q
                          YA ----->            <----- YB
Alice receives Bob's public key YB in plaintext            Bob receives Alice's public key YA in plaintext
Alice calculates shared secret key K = (YB)^XA mod q       Bob calculates shared secret key K = (YA)^XB mod q
                          (e.g., for a symmetric cipher)

Figure 21.8 Diffie-Hellman Key Exchange

As an example of another use of the Diffie-Hellman algorithm, suppose that in a group of users (e.g., all users on a LAN), each generates a long-lasting private key and calculates a public key. These public values, together with global public values for q and α, are stored in some central directory. At any time, user B can access user A's public value, calculate a secret key, and use that to send an encrypted message to user A. If the central directory is trusted, then this form of communication provides both confidentiality and a degree of authentication. Because only A and B can determine the key, no other user can read the message (confidentiality). User A knows that only user B could have created a message using this key (authentication). However, the technique does not protect against replay attacks.
Algorithms: Diffie-Hellman Key Exchange

Global Public Elements
q        prime number
c        c < q and c a primitive root of q

User A Key Generation
Select private XA        XA < q
Calculate public YA      YA = c^XA mod q

User B Key Generation
Select private XB        XB < q
Calculate public YB      YB = c^XB mod q

Generation of Secret Key by User A
K = (YB)^XA mod q

Generation of Secret Key by User B
K = (YA)^XB mod q

Figure 21.7 The Diffie-Hellman Key Exchange Algorithm

Example: q = 13, α = 2 (α is the primitive root, written c in Figure 21.7)

2 is a primitive root of 13: its powers mod 13 run through every value from 1 to q - 1.
2^0 mod 13 = 1        2^7 mod 13 = 11
2^1 mod 13 = 2        2^8 mod 13 = 9
2^2 mod 13 = 4        2^9 mod 13 = 5
2^3 mod 13 = 8        2^10 mod 13 = 10
2^4 mod 13 = 3        2^11 mod 13 = 7
2^5 mod 13 = 6        2^12 mod 13 = 1
2^6 mod 13 = 12

2 is not a primitive root of 7: its powers mod 7 only ever reach 1, 2 and 4.
2^0 mod 7 = 1
2^1 mod 7 = 2
2^2 mod 7 = 4
2^3 mod 7 = 1
2^4 mod 7 = 2
2^5 mod 7 = 4
2^6 mod 7 = 1
Algorithms: Diffie-Hellman Key Exchange

Example: q = 13, α = 2

User A: XA = 3 → YA = 2^3 mod 13 = 8
User B: XB = 5 → YB = 2^5 mod 13 = 6
Algorithms: Diffie-Hellman Key Exchange

Example: q = 13, α = 2

User A: XA = 3 → YA = 2^3 mod 13 = 8
User B: XB = 5 → YB = 2^5 mod 13 = 6

Generation of secret key by User A: K = (YB)^XA mod q = 6^3 mod 13 = 8
Generation of secret key by User B: K = (YA)^XB mod q = 8^5 mod 13 = 8

The security of the Diffie-Hellman key exchange lies in the fact that, while it is relatively easy to calculate exponentials modulo a prime, it is very difficult to calculate discrete logarithms. For large primes, the latter task is considered infeasible.

Here is an example. Key exchange is based on the use of the prime number q = 353 and a primitive root of 353, in this case α = 3. A and B select secret keys XA = 97 and XB = 233, respectively. Each computes its public key:

A computes YA = 3^97 mod 353 = 40.
B computes YB = 3^233 mod 353 = 248.
Algorithms: Diffie-Hellman Key Exchange

• Public: q = 13, α = 2, YA = 8, YB = 6
• User A knows: q = 13, α = 2, XA = 3, YA = 8, YB = 6
• User B knows: q = 13, α = 2, XB = 5, YB = 6, YA = 8

K = (YB)^XA mod q = (YA)^XB mod q

How to get K with the public information?

Attack example: find XA or XB by solving the discrete logarithm

2^x mod 13 = 8   or   2^x mod 13 = 6   (brute-force approach: try x = 1, 2, ..., q - 1)

The problem becomes impractical with larger numbers!
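The exchange of Figures 21.7 and 21.8 computed for both parties, the primitive-root check behind the tables for q = 13 and q = 7, the brute-force discrete-log attack just described, and a simulation of the man-in-the-middle attack that the following slide introduces, all as one added example; this is not code from the slides or from Stallings' text. The parameters q = 13, c = 2, XA = 3, XB = 5 and the q = 353 pair are the ones on the slides; the attacker's private keys XD1 = 7 and XD2 = 11 are constructed here, and the function names are mine. Real deployments use groups of 2048 bits or more, or elliptic curves, which is what turns the brute-force loop below from twelve trials into an infeasible search.

```python
# Added worked example (not part of the original slides or Stallings' text):
# the Diffie-Hellman exchange of Figures 21.7/21.8 computed for both parties,
# the primitive-root check behind the slides' tables for q = 13 and q = 7,
# the brute-force discrete-log attack from the slides, and a simulation of the
# man-in-the-middle attack that the following slide introduces. Parameters
# (q = 13, c = 2) are the slides'; real deployments use >= 2048-bit groups.


def is_primitive_root(c, q):
    """True iff c^1, ..., c^(q-1) mod q run through every value 1..q-1 (q prime)."""
    return len({pow(c, k, q) for k in range(1, q)}) == q - 1


def dh_public(c, q, x):
    """Y = c^X mod q, the only value a party puts on the wire."""
    return pow(c, x, q)


def dh_shared(peer_public, x, q):
    """K = (Y_peer)^X mod q, computed independently by each side."""
    return pow(peer_public, x, q)


def dh_exchange(c, q, x_a, x_b):
    """Honest run. Returns (YA, YB, K as Alice sees it, K as Bob sees it)."""
    y_a, y_b = dh_public(c, q, x_a), dh_public(c, q, x_b)
    return y_a, y_b, dh_shared(y_b, x_a, q), dh_shared(y_a, x_b, q)


def brute_force_dlog(c, y, q):
    """Solve c^x mod q == y by trying every x in 1..q-1 (feasible only for tiny q)."""
    for x in range(1, q):
        if pow(c, x, q) == y:
            return x
    return None                     # no solution: y is not a power of c mod q


def eavesdropper_key(c, q, y_a, y_b):
    """Passive attacker with only the public values: recover XA, then K = YB^XA mod q."""
    x_a = brute_force_dlog(c, y_a, q)
    return None if x_a is None else dh_shared(y_b, x_a, q)


def mitm_attack(c, q, x_a, x_b, x_d1, x_d2):
    """Active attacker Darth with private keys XD1, XD2 sits between Alice and Bob.
    Bob receives YD1 in place of YA and Alice receives YD2 in place of YB.
    Returns (K_alice, K_bob, K_darth_with_alice, K_darth_with_bob)."""
    y_a, y_b = dh_public(c, q, x_a), dh_public(c, q, x_b)
    y_d1, y_d2 = dh_public(c, q, x_d1), dh_public(c, q, x_d2)
    k_bob = dh_shared(y_d1, x_b, q)          # Bob believes he shares this with Alice
    k_alice = dh_shared(y_d2, x_a, q)        # Alice believes she shares this with Bob
    k_darth_bob = dh_shared(y_b, x_d1, q)    # equals k_bob
    k_darth_alice = dh_shared(y_a, x_d2, q)  # equals k_alice
    return k_alice, k_bob, k_darth_alice, k_darth_bob


if __name__ == "__main__":
    q, c = 13, 2
    print(is_primitive_root(2, 13), is_primitive_root(2, 7))      # True False
    print(dh_exchange(c, q, 3, 5))                                # (8, 6, 8, 8)
    print(brute_force_dlog(c, 8, q), brute_force_dlog(c, 6, q))   # 3 5
    print(eavesdropper_key(c, q, 8, 6))                           # 8
    print(mitm_attack(c, q, 3, 5, 7, 11))                         # (5, 7, 5, 7)
    print(dh_exchange(3, 353, 97, 233))                           # (40, 248, 160, 160)
```

Two things to read off the output. The passive attack succeeds here only because q = 13 makes the discrete log a twelve-entry table lookup; the same loop against a 2048-bit q never finishes, which is the slide's point. The man-in-the-middle run ends with Alice and Bob holding different keys (5 and 7) while Darth holds both, and neither party can tell from the protocol alone: nothing in Figures 21.7 and 21.8 authenticates YA or YB, which is why the excerpt above conditions its authentication claim on a trusted directory.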

Algorithms: Diffie-Hellman Key Exchange

As an example of another use of the Diffie-Hellman algorithm, suppose that in a group of users (e.g., all users on a LAN), each generates a long-lasting private key and calculates a public key. These public values, together with global public values for q and a, are stored in some central directory. At any time, user B can access user A's public value, calculate a secret key, and use that to send an encrypted message to user A. If the central directory is trusted, then this form of communication provides both confidentiality and a degree of authentication. Because only A and B can determine the key, no other user can read the message (confidentiality). User A knows that only user B could have created a message using this key (authentication). However, the technique does not protect against replay attacks.

• Man-in-the-middle attack

MAN-IN-THE-MIDDLE ATTACK The protocol depicted in Figure 21.8 is insecure against a man-in-the-middle attack. Suppose Alice and Bob wish to exchange keys, and Darth is the adversary. The attack proceeds as follows:

1. Darth prepares for the attack by generating two random private keys XD1 and XD2 and then computing the corresponding public keys YD1 and YD2.
2. Alice transmits YA to Bob.
3. Darth intercepts YA and transmits YD1 to Bob. Darth also calculates K2 = (YA)^XD2 mod q.
4. Bob receives YD1 and calculates K1 = (YD1)^XB mod q.
5. Bob transmits YB to Alice.
6. Darth intercepts YB and transmits YD2 to Alice. Darth calculates K1 = (YB)^XD1 mod q.
7. Alice receives YD2 and calculates K2 = (YD2)^XA mod q.

At this point, Bob and Alice think that they share a secret key, but instead Bob and Darth share secret key K1 and Alice and Darth share secret key K2. All future communication between Bob and Alice is compromised in the following way:

1. Alice sends an encrypted message M: E(K2, M).
2. Darth intercepts the encrypted message and decrypts it, to recover M.
3. Darth sends Bob E(K1, M) or E(K1, M'), where M' is any message. In the first case, Darth simply wants to eavesdrop on the communication without altering it. In the second case, Darth wants to modify the message going to Bob.

Figure 21.8 Diffie-Hellman Key Exchange (CHAPTER 21 / PUBLIC-KEY CRYPTOGRAPHY AND MESSAGE AUTHENTICATION, p. 688):

Alice and Bob share a prime q and c, such that c < q and c is a primitive root of q.
Alice generates a private key XA such that XA < q.          Bob generates a private key XB such that XB < q.
Alice calculates a public key YA = c^XA mod q.              Bob calculates a public key YB = c^XB mod q.
Alice receives Bob's public key YB in plaintext.            Bob receives Alice's public key YA in plaintext.
Alice calculates shared secret key K = (YB)^XA mod q.       Bob calculates shared secret key K = (YA)^XB mod q.

23

Algorithms: Diffie-Hellman Key Exchange

Figure 21.8 annotated with the attack: the adversary sits between Alice and Bob. Bob and the adversary share K1; Alice and the adversary share K2. The adversary intercepts E(K2, M), decrypts it with K2 and recovers M, then sends Bob E(K1, M) or E(K1, M').

The key exchange protocol is vulnerable to such an attack because it does not authenticate the participants. This vulnerability can be overcome with the use of digital signatures and public-key certificates; these topics are explored later in this chapter and in Chapter 2.

Other Public-Key Cryptography Algorithms
Two other public-key algorithms have found commercial acceptance: DSS and elliptic-curve cryptography.

Figure 21.8 Diffie-Hellman Key Exchange

24
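The exchange of Figure 21.8 and the seven attack steps above, simulated in Python as an added example (this is not code from the slides or the textbook). The parameters q = 353, c = 3 and the private keys XA = 97, XB = 233 are small constructed values so every number can be followed by hand; the adversary keys XD1 = 7, XD2 = 11 are likewise constructed. The last part shows the mitigation the slide names: a keyed HMAC tag over each public value, with a key the adversary does not hold, stands in for the digital signature or certificate, and the receiver's check rejects the substituted public value.

```python
"""Diffie-Hellman (Figure 21.8) and the man-in-the-middle sequence from the
slide, simulated with toy parameters.  Added example, not code from the
slides or the textbook.  q, c and all private keys below are constructed
values small enough to follow by hand; real deployments use parameters of
2048 bits or more."""
import hashlib
import hmac

Q = 353   # constructed prime
C = 3     # 3 is a primitive root of 353


def public_key(x, q=Q, c=C):
    """Y = c^X mod q (Alice: YA from XA, Bob: YB from XB)."""
    return pow(c, x, q)


def shared_key(y_other, x_own, q=Q):
    """K = (Y_other)^X_own mod q."""
    return pow(y_other, x_own, q)


def honest_exchange(xa, xb):
    """Figure 21.8 with nobody in the middle: both sides compute the same K."""
    ya, yb = public_key(xa), public_key(xb)
    return shared_key(yb, xa), shared_key(ya, xb)


def mitm_exchange(xa, xb, xd1, xd2):
    """Steps 1-7 of the attack: Darth substitutes YD1 for YA and YD2 for YB."""
    yd1, yd2 = public_key(xd1), public_key(xd2)   # step 1
    ya = public_key(xa)                            # step 2: Alice sends YA
    k2_darth = shared_key(ya, xd2)                 # step 3: Darth keeps YA, forwards YD1
    k1_bob = shared_key(yd1, xb)                   # step 4: Bob keys on YD1
    yb = public_key(xb)                            # step 5: Bob sends YB
    k1_darth = shared_key(yb, xd1)                 # step 6: Darth keeps YB, forwards YD2
    k2_alice = shared_key(yd2, xa)                 # step 7: Alice keys on YD2
    return {"K1_bob": k1_bob, "K1_darth": k1_darth,
            "K2_alice": k2_alice, "K2_darth": k2_darth}


# --- Mitigation: authenticate the public values ---------------------------
# The slide notes the protocol fails because it does not authenticate the
# participants.  A keyed MAC over the public value stands in here for the
# digital signature / certificate the text recommends; AUTH_KEY is a
# constructed secret that Alice and Bob hold and Darth does not.
AUTH_KEY = b"constructed-alice-bob-auth-key"


def tag_public_value(y, key=AUTH_KEY):
    return hmac.new(key, str(y).encode(), hashlib.sha256).digest()


def accept_public_value(y, tag, key=AUTH_KEY):
    """Receiver's check before it computes K from y."""
    return hmac.compare_digest(tag_public_value(y, key), tag)


def substitution_detected(xa, xd1):
    """Alice sends (YA, tag).  Darth can replace YA with YD1 but, lacking
    AUTH_KEY, can only forward Alice's tag; Bob's check then fails."""
    ya = public_key(xa)
    tag = tag_public_value(ya)
    yd1 = public_key(xd1)
    return not accept_public_value(yd1, tag)


if __name__ == "__main__":
    print("honest K (Alice, Bob):", honest_exchange(97, 233))
    print("under attack:", mitm_exchange(97, 233, 7, 11))
    print("substitution detected with tags:", substitution_detected(97, 7))
```

With these values the honest run gives K = 160 on both sides, while under attack Bob's key equals Darth's K1 and Alice's key equals Darth's K2, and the two differ, which is exactly the state the slide describes. The HMAC part is a simplification: it needs a shared secret in advance, which is why the text points to signatures and certificates for the general case.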
Asymmetric Encryption

• Is public-key encryption more secure than symmetric encryption?

25
Asymmetric Encryption

• Is public-key encryption more secure than symmetric encryption?


• No
• Security of encryption depends on
• The length of the key
• The computational work involved in breaking a cipher

26

Asymmetric Encryption

• Is symmetric encryption outdated?

27
Asymmetric Encryption

• Is symmetric encryption outdated?


• No — symmetric encryption uses less computational overhead
• Examples: AES is used to encrypt data at rest and in transit, e.g., SSDs,
Google Cloud.

28

Asymmetric Encryption

• Is public key distribution trivial?


• No — need a central agent and protocols

29


Tutorial Question 1

Problem 1. For any block cipher, the fact that it is a nonlinear function is crucial to its security. To see this, suppose that we have a linear block cipher EL that encrypts 128-bit blocks of plaintext into 128-bit blocks of ciphertext. Let EL(k, m) denote the encryption of a 128-bit message m under a key k (the actual bit length of k is irrelevant). Thus

$$EL(k, [m_1 \oplus m_2]) = EL(k, m_1) \oplus EL(k, m_2) \quad \text{for all 128-bit patterns } m_1, m_2 \qquad (1)$$

Describe how, with 128 chosen ciphertexts, an adversary can decrypt any ciphertext without knowledge of the secret key k. (A "chosen ciphertext" means that an adversary has the ability to choose a ciphertext and then obtain its decryption. Here, you have 128 plaintext/ciphertext pairs to work with and you have the ability to choose the value of the ciphertexts.)

Solution: For 1 ≤ i ≤ 128, take ci ∈ {0, 1}^128 to be the string containing a 1 in position i and zeros elsewhere. Obtain the decryption of these 128 ciphertexts. Let m1, m2, ..., m128 be the corresponding plaintexts. Now, given any ciphertext c which does not consist of all zeros, there is a unique nonempty subset of the ci which we can XOR together to obtain c. Let I(c) ⊆ {1, 2, ..., 128} denote this subset. Observe

$$c = \bigoplus_{i \in I(c)} c_i = \bigoplus_{i \in I(c)} E(m_i) = E\left(\bigoplus_{i \in I(c)} m_i\right) \qquad (2)$$

Thus, we obtain the plaintext of c by computing ⊕_{i∈I(c)} mi. Let 0 be the all-zero string. Note that 0 = 0 ⊕ 0. From this we obtain E(0) = E(0 ⊕ 0) = E(0) ⊕ E(0) = 0. Thus, the plaintext of c = 0 is m = 0. Hence we can decrypt every c ∈ {0, 1}^128.

Chosen ciphertext: Paired plaintext
c1 = [1, 0, 0, ..., 0]  m1
c2 = [0, 1, 0, ..., 0]  m2
...
c128 = [0, 0, 0, ..., 1]  m128
Any non-zero string (ciphertext) can be represented by using XOR of ci.

30

Tutorial Question 1
Example: [1, 0, 1, ..., 0] = c1 ⊕ c3, with plaintext m1 ⊕ m3.

31

Tutorial Question 1
For the all-zero string, EL[k, 0] = 0. Why? Suppose EL[k, 0] = 1; then we have the following contradiction. Set the plaintexts as m1 = m2 = 0, so m1 ⊕ m2 = 0 and
EL[k, m1 ⊕ m2] = 1 ≠ EL[k, m1] ⊕ EL[k, m2].

32
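The attack in the solution, run end to end in Python as an added example (not from the tutorial sheet). The cipher EL is constructed for illustration: a secret bit permutation composed with a prefix-XOR, both GF(2)-linear, so it satisfies equation (1) exactly. `decrypt` plays the decryption oracle; `build_decryptor` asks it for the 128 unit-vector ciphertexts once and afterwards decrypts anything, including c = 0, without the key.

```python
"""Chosen-ciphertext attack on a linear block cipher (Tutorial Question 1).
Added example; the cipher EL below is constructed for illustration and is
not from the tutorial.  It is a secret bit permutation composed with a
prefix-XOR, both GF(2)-linear, so EL(k, m1 ^ m2) == EL(k, m1) ^ EL(k, m2)
holds exactly as in equation (1)."""
import random

N = 128                 # block size in bits
MASK = (1 << N) - 1


def keygen(seed):
    """The key k is a secret permutation of the 128 bit positions."""
    rng = random.Random(seed)   # seeded only so the example is reproducible
    perm = list(range(N))
    rng.shuffle(perm)
    return perm


def _permute_bits(x, perm):
    """Move bit i of x to position perm[i]."""
    out = 0
    for i in range(N):
        if (x >> i) & 1:
            out |= 1 << perm[i]
    return out


def encrypt(perm, m):
    """EL(k, m): c_i = m_i ^ m_{i-1} (prefix XOR), then permute positions."""
    return _permute_bits((m ^ (m << 1)) & MASK, perm)


def decrypt(perm, c):
    """Inverse of encrypt; this is the decryption oracle the adversary queries."""
    inv = [0] * N
    for i, p in enumerate(perm):
        inv[p] = i
    y = _permute_bits(c, inv)
    m, prev = 0, 0
    for i in range(N):
        bit = ((y >> i) & 1) ^ prev    # m_i = y_i ^ m_{i-1}
        m |= bit << i
        prev = bit
    return m


def build_decryptor(oracle):
    """The tutorial's attack: query the 128 unit-vector ciphertexts c_i once,
    then decrypt any c as the XOR of the m_i for i in I(c).  The returned
    function never sees the key."""
    table = [oracle(1 << i) for i in range(N)]     # m_i = D(k, c_i)

    def decrypt_any(c):
        m = 0
        for i in range(N):
            if (c >> i) & 1:                       # i in I(c)
                m ^= table[i]
        return m                                   # c == 0 gives m == 0
    return decrypt_any


def is_linear(perm, m1, m2):
    """Check equation (1) for one pair of blocks."""
    return encrypt(perm, m1 ^ m2) == encrypt(perm, m1) ^ encrypt(perm, m2)
```

Any cipher for which `is_linear` always holds falls to the same 128 queries, whatever the key length; that is the point of the problem, and why real block ciphers put nonlinear S-boxes in every round.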
Tutorial Question 2

COMPSCI 4062 & 5063 Cyber Security Fundamentals [2022-2023]

Problem 2. What RC4 key value will leave S unchanged during initialization? That is, after the initial permutation of S, the entries of S will be equal to the values from 0 through 255 in ascending order.

Solution: Use a key of length 256 bytes. The first two bytes are zero; that is K[0] = K[1] = 0. Thereafter, we have: K[2] = 255; K[3] = 254; ... K[255] = 2. Because the only operation on S is a swap, the only effect is a permutation. S still contains all the numbers from 0 through 255.

To make it simple, we use a key of length 256, so T is a copy of K (key). Design T[i] (= K[i]) such that j = i for i = 0 to 255.

Initialization of S (from the textbook): To begin, the entries of S are set equal to the values from 0 through 255 in ascending order; that is, S[0] = 0, S[1] = 1, ..., S[255] = 255. A temporary vector, T, is also created. If the length of the key K is 256 bytes, then K is transferred to T. Otherwise, for a key of length keylen bytes, the first keylen elements of T are copied from K and then K is repeated as many times as necessary to fill out T. These preliminary operations can be summarized as follows:

/* Initialization */
for i = 0 to 255 do
    S[i] = i;
    T[i] = K[i mod keylen];

Next we use T to produce the initial permutation of S. This involves starting with S[0] and going through to S[255], and, for each S[i], swapping S[i] with another byte in S according to a scheme dictated by T[i]:

/* Initial Permutation of S */
j = 0;
for i = 0 to 255 do
    j = (j + S[i] + T[i]) mod 256;
    Swap (S[i], S[j]);

Because the only operation on S is a swap, the only effect is a permutation. S still contains all the numbers from 0 through 255.

33

Tutorial Question 3

RC4 (from the textbook): the state is a random permutation. Analysis shows that the period of the cipher is overwhelmingly likely to be greater than 10^100 [ROBS95]. Eight to sixteen machine operations are required per output byte, and the cipher can be expected to run very quickly in software. RC4 is used in the SSL/TLS (Secure Sockets Layer/Transport Layer Security) standards that have been defined for communication between Web browsers and servers. It is also used in the WEP (Wired Equivalent Privacy) protocol and the newer WiFi Protected Access (WPA) protocol that are part of the IEEE wireless LAN standard. RC4 was kept as a trade secret by RSA Security. In 1994, the RC4 algorithm was anonymously posted on the Internet on the anonymous remailers list.

The RC4 algorithm is remarkably simple and quite easy to explain. A variable-length key of from 1 to 256 bytes (8 to 2048 bits) is used to initialize a 256-byte state vector S, with elements S[0], S[1], ..., S[255]. At all times, S contains a permutation of all 8-bit numbers from 0 through 255. For encryption and decryption, a byte k (see Figure 2.3b) is generated from S by selecting one of the 255 entries in a systematic fashion. As each value of k is generated, the entries in S are once again permuted.

Problem 3. RC4 has a secret internal state which is a permutation of all the possible values of the vector S and the two indices i and j.
(a) Using a straightforward scheme to store the internal state, how many bits are used?
(b) Suppose we think of it from the point of view of how much information is represented by the state. In that case, we need to determine how many different states there are, then take the log to the base 2 to find out how many bits of information this represents. Using this approach, how many bits would be needed to represent the state?

Solution:
(a) Simply store i, j, and S, which requires 8 + 8 + (256 × 8) = 2064 bits. (i and j use 8 bits each; S[0], S[1], ..., S[255] use 8 × 256 bits.)
(b) The number of states is [256! × 256^2] ≈ 2^1700. Therefore, 1700 bits are required.

(b) Initialization of 0-255 —> with256!


S[0] andSwap
going 256*256
through to S[255],
log 2 (256!
and, for
⇥S[i],
each
256 ) ⇡ 1700
swapping S[i] with anot
to fill out T. These preliminary operations can be summarized as
Problem 4. Suppose an error occurs byte in a according
in S block of tociphertext
a scheme on transmission
dictated by T[i]: using Cipher Block
Chaining (CBC). What effect is produced on the recovered
/* Initialization */
plaintext
/* Initial blocks? of S */
Permutation
for i = 0 to 255 do j = 0;
i = 0 to 255 do
for ***
*** END
S[i] =i;
j = (j + S[i] + T[i]) mod 256;
T[i] = K[i mod keylen]; Swap (S[i], S[j]);
use T to produce the initial permutation of S. This involves
Because the starting
only operation on S is a swap, the only effect is a permutat
going through to S[255], and, for each S[i], swapping S[i] withallanother
S still contains the numbers from 0 through 255.
34
rding to a scheme dictated by T[i]:
Solution:
which the same plaintext block, if repeated, produces different ciphertext blocks.
(a) Simply store i, j, and S, which requires 8 + 8 + (256 ⇥ 8) = 2064 bits
(b) The numberCipher Block
of states Chaining
is [256! ⇥ 256 Mode
2
] ⇡ 21700 . Therefore, 1700 bits are required.
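As an added example (editor's code, not part of the lecture notes or of the textbook), the two RC4 loops above together with the stream-generation step are written out in Python, and the two bit counts asked for in Problem 3 are computed rather than quoted. The key and plaintext values are constructed test inputs; the temporary vector T of the notes is folded into the key index (K[i mod keylen]), which gives the same permutation.

```python
import math


def rc4_ksa(key: bytes) -> list:
    """Key-scheduling: S = [0..255], then one pass of swaps driven by the key.
    Same as the two loops in the notes; T[i] = K[i mod keylen] is inlined."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    s = list(range(256))                     # /* Initialization */  S[i] = i
    j = 0
    for i in range(256):                     # /* Initial Permutation of S */
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]              # Swap(S[i], S[j]): S stays a permutation
    return s


def rc4_keystream(s: list, n: int) -> bytes:
    """Stream generation: every step swaps two entries of S and emits one byte k.
    Mutates s; the secret state is (S, i, j), which is what Problem 3 counts."""
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt: XOR with the keystream is its own inverse."""
    ks = rc4_keystream(rc4_ksa(key), len(data))
    return bytes(d ^ k for d, k in zip(data, ks))


def is_permutation(s: list) -> bool:
    """The invariant the notes stress: S always holds each of 0..255 exactly once."""
    return sorted(s) == list(range(256))


def state_bits_straightforward() -> int:
    """Part (a): store i, j and the 256 entries of S, 8 bits each."""
    return 8 + 8 + 256 * 8


def state_bits_information() -> float:
    """Part (b): log2 of the number of distinct states, 256! * 256^2
    (math.log2 accepts the exact big integer, so no float overflow)."""
    return math.log2(math.factorial(256) * 256 ** 2)


if __name__ == "__main__":
    key, plaintext = b"Key", b"Plaintext"          # constructed test values
    ct = rc4_crypt(key, plaintext)
    print(ct.hex(), rc4_crypt(key, ct))
    print(state_bits_straightforward(), round(state_bits_information()))
```

The gap between the two answers (2064 bits stored versus about 1700 bits of information) is exactly the redundancy of storing a permutation as 256 separate bytes; the straightforward encoding can represent many byte vectors that are not permutations.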
Tutorial Question 4

Cipher Block Chaining Mode

CBC is a technique in which the same plaintext block, if repeated, produces different ciphertext blocks. In the cipher block chaining (CBC) mode (Figure 20.6), the input to the encryption algorithm is the XOR of the current plaintext block and the preceding ciphertext block; the same key is used for each block. In effect, we have chained together the processing of the sequence of plaintext blocks. The input to the encryption function for each plaintext block bears no fixed relationship to the plaintext block. Therefore, repeating patterns of b bits are not exposed.

[Figure 20.6 Cipher Block Chaining (CBC) Mode. (a) Encryption: at Time = 1, 2, ..., N the plaintext blocks P1, P2, ..., PN are each XORed with the preceding ciphertext block (the IV for P1) and encrypted under K to give C1, C2, ..., CN. (b) Decryption: each Cj is decrypted under K and XORed with Cj-1 (the IV for C1) to recover Pj.]

For decryption, each cipher block is passed through the decryption algorithm. The result is XORed with the preceding ciphertext block to produce the plaintext block. To see that this works, we can write

    Cj = E(K, [Cj-1 ⊕ Pj])

where E(K, X) is the encryption of plaintext X using key K, and ⊕ is the exclusive-OR operation. Then

    D(K, Cj) = D(K, E(K, [Cj-1 ⊕ Pj]))
    D(K, Cj) = Cj-1 ⊕ Pj
    Cj-1 ⊕ D(K, Cj) = Cj-1 ⊕ Cj-1 ⊕ Pj = Pj

which verifies Figure 20.6b.

To produce the first block of ciphertext, an initialization vector (IV) is XORed with the first block of plaintext. On decryption, the IV is XORed with the output of the decryption algorithm to recover the first block of plaintext.

The IV must be known to both the sender and receiver. For maximum security, the IV should be protected as well as the key. This could be done by sending
the IV in protected form. One reason for protecting the IV is as follows: If an opponent is able to fool the receiver into using a different value for IV, then the opponent is able to invert selected bits in the first block of plaintext. To see this,

    C1 = E(K, [IV ⊕ P1])
    P1 = IV ⊕ D(K, C1)

Now use the notation that X[j] denotes the jth bit of the b-bit quantity X. Then

    P1[i] = IV[i] ⊕ D(K, C1)[i]

Problem 4. Suppose an error occurs in a block of ciphertext on transmission using Cipher Block Chaining (CBC). What effect is produced on the recovered plaintext blocks?

Solution: If an error occurs in transmission of ciphertext block Ci, then this error propagates to the recovered plaintext blocks Pi and Pi+1.
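As an added example (editor's code, not from the notes), the CBC chaining equations above are implemented over a small Feistel block cipher built from SHA-256, so that the file runs offline with no crypto library. The block cipher is a stand-in for AES (any keyed permutation gives the same CBC behaviour); the key, IV and plaintext blocks are constructed values. The last two functions reproduce the two points the text makes: a transmission error in Ci damages Pi and Pi+1 only, and altering IV[i] inverts exactly P1[i].

```python
import hashlib

BLOCK = 16           # block size in bytes; the Feistel halves are 8 bytes each
ROUNDS = 8


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    """Round function: keyed hash of one half, truncated to 8 bytes."""
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """E(K, X): balanced Feistel network, hence a keyed permutation of the block."""
    left, right = block[:8], block[8:]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _f(key, rnd, right))
    return right + left


def block_decrypt(key: bytes, block: bytes) -> bytes:
    """D(K, Y): the same rounds in reverse order undo the encryption."""
    left, right = block[:8], block[8:]
    for rnd in reversed(range(ROUNDS)):
        left, right = right, _xor(left, _f(key, rnd, right))
    return right + left


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """C_j = E(K, C_{j-1} XOR P_j) with C_0 = IV; plaintext must be block-aligned."""
    if len(plaintext) % BLOCK:
        raise ValueError("plaintext must be a multiple of the block size")
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, _xor(prev, plaintext[i:i + BLOCK]))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """P_j = C_{j-1} XOR D(K, C_j): each block depends on itself and its predecessor only."""
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        out.append(_xor(prev, block_decrypt(key, c)))
        prev = c
    return b"".join(out)


def flip_bit(data: bytes, bit: int) -> bytes:
    """Simulate a one-bit transmission error (or deliberate alteration)."""
    b = bytearray(data)
    b[bit // 8] ^= 1 << (bit % 8)
    return bytes(b)


def diff_blocks(expected: bytes, recovered: bytes) -> dict:
    """Map block index -> XOR difference for every block that did not decrypt correctly."""
    diffs = {}
    for j in range(len(expected) // BLOCK):
        e = expected[j * BLOCK:(j + 1) * BLOCK]
        r = recovered[j * BLOCK:(j + 1) * BLOCK]
        if e != r:
            diffs[j] = _xor(e, r)
    return diffs


def ciphertext_error(key, iv, ciphertext, plaintext, bit):
    """Problem 4: an error in C_i garbles P_i and flips the same bit of P_{i+1}; nothing else."""
    return diff_blocks(plaintext, cbc_decrypt(key, iv, flip_bit(ciphertext, bit)))


def iv_tamper(key, iv, ciphertext, plaintext, bit):
    """The IV point in the text: changing IV[i] inverts exactly P1[i]."""
    return diff_blocks(plaintext, cbc_decrypt(key, flip_bit(iv, bit), ciphertext))
```

Calling ciphertext_error on a four-block message with a bit flipped in the second ciphertext block returns differences for blocks 1 and 2 only, and the block 2 difference is a single bit; iv_tamper returns a single-bit difference in block 0 and nothing else. The second result is why the IV needs integrity protection even though it need not be secret from the receiver.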
Thank You
Quiz Time

• 15 minutes

37
COMPSCI4062&5063: Cyber Security Fundamentals
Topic 6: Network Security

Dr. Dongzhu Liu


Email: [email protected]
Office: SAWB 510 (b)


Overview

• Internet Security
• Secure Sockets Layers (SSL) / Transport Layer Security (TLS)

• Wireless Network Security


• Wireless Networks Threats
• Wireless Security Measures
• IEEE 802.11 Wireless LAN
• IEEE 802.11i Wireless LAN Security

Transport Layer Security (TLS): Architecture

• TLS is designed to make use of TCP to provide a reliable end-to-end secure service.
• Two layers
• Record protocol
• Handshake, Change Cipher Spec, Alert Protocols

One of the most widely used security services is the Secure Sockets Layer (SSL) and the follow-on Internet standard known as Transport Layer Security (TLS), the latter defined in RFC 4346. TLS has largely supplanted earlier SSL implementations. TLS is a general-purpose service implemented as a set of protocols that rely on TCP. At this level, there are two implementation choices. For full generality, TLS could be provided as part of the underlying protocol suite and therefore be transparent to applications. Alternatively, TLS can be embedded in specific packages. For example, most browsers come equipped with SSL, and most Web servers have implemented the protocol.

TLS Architecture
TLS is designed to make use of TCP to provide a reliable end-to-end secure service. TLS is not a single protocol but rather two layers of protocols, as illustrated in Figure 22.4.
The Record Protocol provides basic security services to various higher-layer protocols. In particular, the Hypertext Transfer Protocol (HTTP), which provides the transfer service for Web client/server interaction, can operate on top of TLS.

[Figure 22.4 SSL/TLS Protocol Stack: the Handshake Protocol, Change Cipher Spec Protocol, Alert Protocol, Heartbeat Protocol and HTTP run over the Record Protocol, which runs over TCP, which runs over IP]

Transport Layer Security (TLS): Two Concepts

• TLS connection
• A transport that provides a suitable type of service
• peer-to-peer relationship
• transient, associated with one session
• TLS session
• An association between a client and a server
• Created by the Handshake Protocol
• Define a set of cryptographic security parameters
• Security parameters can be shared among multiple connections
• Avoid negotiation of new security parameters for each connection


Transport Layer Security (TLS): Protocols

• Record Protocol
[Figure 22.5 TLS Record Protocol Operation: on the sending side, application data (an upper layer message) is fragmented, optionally compressed, a message authentication code is added, the result is encrypted, and a TLS record header carrying the version and length fields is appended before the record is passed to TCP; the receiver reverses the steps (decrypt, verify the MAC, decompress, reassemble) and delivers the received data to higher-level users]
Transport Layer Security (TLS): Protocols

• Change Cipher Spec Protocol


• This protocol consists of a single message — a single byte with the value 1.
• Purpose: cause the pending state to be copied into the current state, which
updates the cipher suite to be used on this connection.

Transport Layer Security (TLS): Protocols

• Alert Protocol
• Purpose: Convey TLS-related alerts to the peer entity
• Each message in this protocol consists of two bytes
• First byte: severity of the message (“warning” or “fatal”) — if “fatal”, TLS
immediately terminates the connection. Other connections on the same
session may continue, but no new connections on this session may be
established.
• Second byte: specific alert

Fatal alert example: an incorrect message authentication code

Nonfatal alert example: close_notify message — notifies the recipient that the sender will not
send any more messages on this connection.


Transport Layer Security (TLS): Protocols

• Handshake Protocol
• Allows the server and client to authenticate each other
• Negotiate an encryption and MAC algorithm and cryptographic keys to be
used to protect data sent in a TLS record
• This protocol is used before any application data are transmitted

Transport Layer Security (TLS): Protocols


• Handshake Protocol

Phase 1
- Initiate a logical connection
- Establish the security capabilities
- Client_hello
  Highest TLS version
  Random structure (for key exchange)
  Session ID (nonzero value for updating the parameters of an existing connection or initiating a new connection on this session; zero value for establishing a new connection on a new session)
  CipherSuite (cryptographic algorithms)
  Compression method
- Server_hello (same parameters as client_hello)

[Handshake Protocol figure, client on the left, server on the right, time running downwards:
 Phase 1: client_hello (client to server), server_hello (server to client). Establish security capabilities, including protocol version, session ID, cipher suite, compression method, and initial random numbers.
 Phase 2: certificate, server_key_exchange, certificate_request, server_hello_done (server to client). Server may send certificate, key exchange, and request certificate. Server signals end of hello message phase.
 Phase 3: certificate, client_key_exchange, certificate_verify (client to server). Client sends certificate if requested. Client sends key exchange. Client may send certificate verification.
 Phase 4: change_cipher_spec, finished (client to server); change_cipher_spec, finished (server to client). Change cipher suite and finish handshake protocol.
 Note: Shaded transfers are optional or situation-dependent messages that are not always sent.]
Transport Layer Security (TLS): Protocols
• Handshake Protocol

Phase 2
- Passing a certificate to the client
- Additional key information (public-key encryption)
- Request for certificate from the client
- server_hello_done message, wait for a client response

[Handshake Protocol figure, repeated from the previous slide]
Transport Layer Security (TLS): Protocols
• Handshake Protocol

Phase 3
- Verify the certificate
- Check server_hello parameters
- If all is satisfactory, the client sends messages back to the server

[Handshake Protocol figure, repeated from the previous slide]
Transport Layer Security (TLS): Protocols
• Handshake Protocol

Phase 4
Client:
- Sends a change_cipher_spec message and copies the pending CipherSpec into the current CipherSpec (Change Cipher Spec Protocol)
- Sends the finished message under the new algorithms, keys, and secrets — key exchange and authentication processes were successful
Server: change_cipher_spec, sends finished message
Complete Handshake

[Handshake Protocol figure, repeated from the previous slide]
Transport Layer Security (TLS): Protocols

• Heartbeat Protocol
Heartbeat is a periodic signal generated by hardware or software to indicate normal operation or to synchronize other parts of a system.
• runs on top of the TLS record protocol
• message types: heartbeat_request & heartbeat_response
• established during Handshake Protocol Phase 1
• Purpose: 1) recipient is still alive 2) avoids closure by a firewall that does not tolerate idle connections

[Figure 22.4 SSL/TLS Protocol Stack, repeated: Handshake, Change Cipher Spec, Alert and Heartbeat Protocols and HTTP over the Record Protocol, over TCP, over IP]
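As an added example (editor's code, not from the notes, RFC 4346 or any TLS library), the following Python parses one TLS record and the small message bodies described on the preceding slides: the one-byte Change Cipher Spec message, the two-byte Alert (severity, description), the Handshake message header, and the Heartbeat message. The numeric content-type, alert and handshake codes are the standard TLS values and the heartbeat layout is the one from RFC 6520; the sample records are constructed in the file. The parser does what a record layer must do before handing data upwards: check that the declared lengths fit inside what was actually received.

```python
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake",
                 23: "application_data", 24: "heartbeat"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message",
                      20: "bad_record_mac", 40: "handshake_failure"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello", 11: "certificate",
                   12: "server_key_exchange", 13: "certificate_request",
                   14: "server_hello_done", 15: "certificate_verify",
                   16: "client_key_exchange", 20: "finished"}
HEARTBEAT_TYPES = {1: "heartbeat_request", 2: "heartbeat_response"}
VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}


def build_record(ctype: int, version: int, body: bytes) -> bytes:
    """Record header: 1-byte content type, 2-byte version, 2-byte length."""
    return struct.pack("!BHH", ctype, version, len(body)) + body


def parse_record(data: bytes) -> dict:
    """Split one record and decode its body; ValueError on any framing fault."""
    if len(data) < 5:
        raise ValueError("record header truncated")
    ctype, version, length = struct.unpack("!BHH", data[:5])
    body = data[5:5 + length]
    if len(body) != length:
        raise ValueError("record body shorter than declared length")
    if ctype not in CONTENT_TYPES:
        raise ValueError("unknown content type %d" % ctype)
    rec = {"type": CONTENT_TYPES[ctype],
           "version": VERSIONS.get(version, hex(version)), "length": length}
    rec.update(_parse_body(ctype, body))
    return rec


def _parse_body(ctype: int, body: bytes) -> dict:
    if ctype == 20:                      # Change Cipher Spec: one byte, value 1
        if body != b"\x01":
            raise ValueError("malformed change_cipher_spec")
        return {"message": "change_cipher_spec"}
    if ctype == 21:                      # Alert: severity byte, then specific alert
        if len(body) != 2:
            raise ValueError("malformed alert")
        level, desc = body
        return {"level": ALERT_LEVELS.get(level, level),
                "description": ALERT_DESCRIPTIONS.get(desc, desc),
                "connection_must_close": level == 2}   # fatal: connection ends
    if ctype == 22:                      # Handshake: msg type, 3-byte length, body
        if len(body) < 4:
            raise ValueError("handshake header truncated")
        hlen = int.from_bytes(body[1:4], "big")
        if len(body) - 4 < hlen:
            raise ValueError("handshake message truncated")
        return {"handshake": HANDSHAKE_TYPES.get(body[0], body[0]),
                "handshake_length": hlen}
    if ctype == 24:                      # Heartbeat: type, 2-byte payload_length, payload, padding
        if len(body) < 3:
            raise ValueError("heartbeat header truncated")
        plen = int.from_bytes(body[1:3], "big")
        # RFC 6520: the payload plus at least 16 bytes of padding must fit in
        # the record; a receiver silently discards a message that fails this.
        if plen + 3 + 16 > len(body):
            raise ValueError("heartbeat payload_length exceeds record")
        return {"heartbeat": HEARTBEAT_TYPES.get(body[0], body[0]),
                "payload": body[3:3 + plen]}
    return {"application_data": len(body)}


def is_valid_record(data: bytes) -> bool:
    """True when the record parses cleanly; what a monitor would log on."""
    try:
        parse_record(data)
        return True
    except ValueError:
        return False
```

A fatal bad_record_mac alert, for instance, is the record 15 03 03 00 02 02 14 and parses to level "fatal", description "bad_record_mac", connection_must_close True; a close_notify warning (01 00) parses with connection_must_close False, matching the two alert examples on the slide.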

Transport Layer Security (TLS): Attack

• SSL/TLS Exhaustion DDoS Attack


• Targets the SSL handshake protocol
• Sends worthless data to a target SSL server
• Extra workload to process garbage data as a legitimate handshake
• Firewalls don't help in this case because they are usually not capable of
differentiating between valid and invalid SSL handshake packets

14

Wireless Security

• All security threats and countermeasures discussed in wired networks
• Unique aspects in the wireless environment —> higher risk
• Channel: broadcast communication —> eavesdropping, jamming
• Resources: smartphones and tablets have sophisticated operating systems but limited memory and processing resources to counter threats —> DoS, malware
• Accessibility: some wireless devices may be left unattended in remote and/or hostile location (e.g., sensors and robots) —> physical attacks
• Mobility —> accidental association, malicious association

[Figure 24.1 Wireless Networking Components: endpoint, wireless medium, access point]

• Accidental association: Company wireless LANs or wireless access points to wired LANs in close proximity (e.g., in the same or neighboring buildings) may create overlapping transmission ranges. A user intending to connect to one LAN may unintentionally lock on to a wireless access point from a neighboring network. Although the security breach is accidental, it nevertheless exposes resources of one LAN to the accidental user.
• Malicious association: In this situation, a wireless device is configured to appear to be a legitimate access point, enabling the operator to steal passwords from legitimate users and then penetrate a wired network through a legitimate wireless access point.
• Ad hoc networks: These are peer-to-peer networks between wireless computers with no access point between them. Such networks can pose a security threat due to a lack of a central point of control.
• Nontraditional networks: Nontraditional networks and links, such as personal network Bluetooth devices, barcode readers, and handheld PDAs pose a security risk both in terms of eavesdropping and spoofing.
• Identity theft (MAC spoofing): This occurs when an attacker is able to eavesdrop on network traffic and identify the MAC address of a computer with network privileges.
• Man-in-the middle attacks: This type of attack is described in Chapter 21 in the context of the Diffie-Hellman key exchange protocol. In a broader sense, this attack involves persuading a user and an access point to believe that they are talking to each other when in fact the communication is going through an intermediate attacking device.


Wireless Network Threats

• Accidental association
• Malicious association
• Ad hoc networks
• Nontraditional networks
• Man-in-the middle attacks
• Denial of service (DoS)
•…

16

Wireless Network Threats

• Accidental association: A user intending to connect to one LAN may


unintentionally lock on to a wireless access point from a neighboring
network — exposes resources of one LAN to the accidental users

17
Wireless Network Threats

• Malicious association: a wireless device is configured to appear to be
a legitimate access point, enabling the operator to steal passwords
from legitimate users and then penetrate a wired network through a
legitimate wireless access point.

Wireless Network Threats

• Ad hoc networks: peer-to-peer networks between wireless devices


with no access point between them. This can pose a security threat
due to a lack of a central point of control.

19
Wireless Network Threats

• Nontraditional networks: personal network Bluetooth devices, barcode
readers, and handheld PDAs pose a security risk both in terms of
eavesdropping and spoofing.

Wireless Network Threats

• Man-in-the middle attacks: In a broader sense, this attack involves


persuading a user and an access point to believe that they are talking
to each other when in fact the communication is going through an
intermediate attacking device. Wireless networks are particularly
vulnerable to such attacks.

21

Wireless Network Threats

• Denial of service (DoS): an attacker continually bombards a


wireless access point with various protocol messages designed to
consume system resources. The wireless environment lends itself
to this type of attack, because it is so easy for the attacker to direct
multiple wireless messages at the target.

22
Wireless Security Measures

• Secure wireless transmissions


• Signal-hiding techniques: make it more difficult for an attacker to locate
their wireless access points (e.g., reducing signal strength, directional
antennas, signal-shielding …)

• Encryption

Wireless Security Measures

• Secure wireless networks


• Use encryption for router-to-router traffic
• Use anti-virus and anti-spyware software, and a firewall
• Turn off identifier broadcasting: Wireless routers are typically configured to
broadcast an identifying signal so that any device within range can learn
of the router’s existence. If a network is configured so that authorized
devices know the identity of routers, this capability can be disabled, so as
to thwart attackers.
• Change the identifier on your router from the default
• Change your router’s pre-set password for administration
• Allow only specific computers to access your wireless network

Wireless Security Measures

• Secure wireless access points


• IEEE 802.1X standard for port-based access control
• Provides an authentication mechanism for devices wishing to attach to a
LAN or wireless network
• The use of 802.1X can prevent rogue access points and other
unauthorized devices from becoming insecure backdoors

25

IEEE 802.11 Wireless LAN

• IEEE 802 is a committee that has developed standards for a wide


range of local area networks (LANs)

• In 1990, IEEE 802 Committee formed a new working group, IEEE


802.11, with a charter to develop a protocol and transmission
specifications for wireless LANs (WLANs).


IEEE 802.11 Protocol Architecture

• Layered Protocol Stack


[Figure 24.3 IEEE 802.11 Protocol Stack]

Layer                    General IEEE 802 functions                                   Specific IEEE 802.11 functions
Logical Link Control     Flow control; Error control
Medium Access Control    Assemble data into frame; Addressing; Error detection;       Reliable data delivery; Wireless access control protocols
                         Medium access
Physical                 Encoding/decoding of signals; Bit transmission/reception;    Frequency band definition; Wireless signal encoding;
                         Transmission medium                                          Antenna characteristics

IEEE 802.11 Protocol Architecture

• Physical layer
• Signal encoding/decoding
• Bit transmission/reception
• Speci cation of the transmission medium
• For IEEE 802.11: frequency bands and antenna characteristics

[Figure 24.3 IEEE 802.11 Protocol Stack, repeated]


IEEE 802.11 Protocol Architecture

• Medium access control: receives data from a higher-layer
protocol, typically the logical link control (LLC) layer, in the form of
a block of data — MAC service data unit (MSDU). In general, the
MAC layer performs the following functions:
• On transmission, assemble data into a frame — MAC protocol data unit
(MPDU) with address and error-detection fields.
• On reception, disassemble frame, and perform address recognition and
error detection.
• Govern access to the LAN transmission medium.

[Figure 24.3 IEEE 802.11 Protocol Stack, repeated]


IEEE 802.11 Protocol Architecture

• Medium access control


• MAC protocol data unit (MPDU)

[Figure 24.4 General IEEE 802 MPDU Format: MAC header (MAC Control, Destination MAC Address, Source MAC Address), then the MAC Service Data Unit (MSDU), then the MAC trailer (CRC)]

• MAC control: This field contains any protocol control information needed for the functioning of the MAC protocol, e.g., a priority level could be indicated here.
• Destination MAC Address: The destination physical address on the LAN for this MPDU.
• Source MAC Address: The source physical address on the LAN for this MPDU.
• MAC Service Data Unit: The data from the next higher layer.
• CRC: The cyclic redundancy check field, also known as the Frame Check Sequence (FCS) field. This is an error-detecting code, such as that which is used in other data-link control protocols. The CRC is calculated based on the bits in the entire MPDU.

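As an added example (editor's code, not from the notes or from the IEEE 802.11 standard), the general MPDU layout of Figure 24.4 is built and parsed in Python: a MAC control field, destination and source MAC addresses, the MSDU, and a CRC trailer, with the receive side doing the two MAC-layer jobs named above, error detection and address recognition. Assumptions not fixed by the figure: the control field is taken as 16 bits, the CRC is CRC-32 (the FCS used by IEEE 802 LANs), and the addresses and MSDU are constructed sample values. A real 802.11 frame carries more address fields than this general format.

```python
import struct
import zlib

# MAC control (16 bits, assumed width), destination MAC, source MAC
HDR = struct.Struct("!H6s6s")
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def bytes_to_mac(b: bytes) -> str:
    return ":".join("%02x" % x for x in b)


def build_mpdu(control: int, dst: str, src: str, msdu: bytes) -> bytes:
    """Transmit side: header + MSDU, then the CRC over everything before it."""
    body = HDR.pack(control, mac_to_bytes(dst), mac_to_bytes(src)) + msdu
    return body + struct.pack("!I", zlib.crc32(body) & 0xFFFFFFFF)


def crc_ok(frame: bytes) -> bool:
    """Error detection: recompute the CRC over header + MSDU and compare with the trailer."""
    if len(frame) < HDR.size + 4:
        return False
    body, fcs = frame[:-4], struct.unpack("!I", frame[-4:])[0]
    return (zlib.crc32(body) & 0xFFFFFFFF) == fcs


def parse_mpdu(frame: bytes) -> dict:
    """Receive side: a frame that fails the CRC is discarded (as the notes say
    the MAC layer does); otherwise the fields are pulled out for the LLC layer."""
    if not crc_ok(frame):
        raise ValueError("CRC mismatch: frame discarded")
    control, dst, src = HDR.unpack(frame[:HDR.size])
    return {"control": control, "dst": bytes_to_mac(dst),
            "src": bytes_to_mac(src), "msdu": frame[HDR.size:-4]}


def addressed_to_me(frame: bytes, my_mac: str) -> bool:
    """Address recognition: accept frames for this station or for broadcast.
    Note the source address is not authenticated by anything in the frame; this is
    why filtering on MAC addresses alone does not stop MAC spoofing."""
    dst = parse_mpdu(frame)["dst"]
    return dst in (my_mac.lower(), BROADCAST)


def corrupt(frame: bytes, byte_index: int) -> bytes:
    """Simulate a single-bit error on the medium."""
    b = bytearray(frame)
    b[byte_index] ^= 0x01
    return bytes(b)
```

Building a frame from 02:00:00:00:00:02 to 02:00:00:00:00:01 carrying the MSDU "hello" and flipping one bit of it makes crc_ok return False, so parse_mpdu raises and the frame never reaches the LLC layer; the unaltered frame parses, and addressed_to_me accepts it only at the destination station or for the broadcast address.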
IEEE 802.11 Protocol Architecture

• Logical link control (LLC)


• MAC layer is responsible for detecting errors and discarding any frames
that contain errors.
• The LLC layer optionally keeps track of which frames have been
successfully received and retransmits unsuccessful frames.
[Figure 24.3 IEEE 802.11 Protocol Stack, repeated]


IEEE 802.11 Network Architectural Model

• Smallest building block: basic service set (BSS)


• BSS may be isolated or connect to a backbone distributed system
through an access point (AP)
• Client stations do not communicate directly, but use AP as a relay: MAC
frame is first sent from original station to AP and then from AP to the
destination station.

[Figure 24.5 IEEE 802.11 Extended Service Set: two Basic Service Sets (BSS), one served by AP 1 with STA 1, STA 2, STA 3 and STA 4, the other served by AP 2 with STA 6, STA 7 and STA 8; both access points connect to the Distribution System]


IEEE 802.11 Network Architectural Model

• Smallest building block: basic service set (BSS)


• BSS = cell; DS can be a switch, a wired network, or a wireless network
• Independent BSS: ad hoc network, mobile stations communicate directly
with one another and no AP is involved.
• A single station could participate in more than one BSS
• Dynamic association; stations may turn off, go in/out of range.

[Figure 24.5 IEEE 802.11 Extended Service Set, repeated]


IEEE 802.11 Services

• The service provider can be either the station or the DS.


• (De)authentication, privacy for control access and confidentiality
• Other services for supporting delivery

Table 24.2 IEEE 802.11 Services
Service           Provider              Used to support
Association       Distribution system   MSDU delivery
Authentication    Station               LAN access and security
Deauthentication  Station               LAN access and security
Disassociation    Distribution system   MSDU delivery
Distribution      Distribution system   MSDU delivery
Integration       Distribution system   MSDU delivery
MSDU delivery     Station               MSDU delivery
Privacy           Station               LAN access and security
Reassociation     Distribution system   MSDU delivery


IEEE 802.11 Services

• Distribution and Integration


• Distribution is the primary service used by stations to exchange MAC
protocol data units (MPDUs) when the MPDUs must traverse the
distributed system (DS) to get from a station in one basic service set
(BSS) to a station in another BSS. [e.g., STA 2 —> STA 7]

[Figure 24.5 IEEE 802.11 Extended Service Set, repeated: STA 2 is in the BSS of AP 1 and STA 7 in the BSS of AP 2, so an MPDU between them crosses the Distribution System]


IEEE 802.11 Services

• Distribution and Integration


• The integration service enables transfer of data between a station on an
IEEE 802.11 LAN and a station on an integrated IEEE 802.x LAN.
• “Integrated” refers to a wired LAN that is physically connected to the DS
and whose stations may be logically connected to an IEEE 802.11 LAN
via the integration service.
[Figure 24.5 IEEE 802.11 Extended Service Set, repeated]


IEEE 802.11 Services

• Association-Related Services
Before the distribution service can deliver data or accept data from a station,
that station must be associated.
• Transition Types
• No transition: A station is either stationary or moves within the range of a single BSS
• BSS transition: A station moves from one BSS to another BSS within the same ESS
• ESS transition: A station moves from a BSS in one ESS to a BSS within another ESS (802.11 cannot be guaranteed, disruption is likely to occur)

[Figure 24.5 IEEE 802.11 Extended Service Set, repeated: two Basic Service Sets, each with its access point (AP 1, AP 2), joined by the Distribution System]

The BSS generally corresponds to what is referred to as a cell in the literature. The DS can be a switch, a wired network, or a wireless network.
When all the stations in the BSS are mobile stations that communicate directly with one another (not using an AP) the BSS is called an independent BSS (IBSS). An IBSS is typically an ad hoc network. In an IBSS, the stations all communicate directly, and no AP is involved.

IEEE 802.11 Services

• Association-Related Services
The distribution system needs to know the identity of the AP to which the message
should be delivered in order for that message to reach the destination station.
— A station must maintain an association with the AP within its current BSS.

• Association: Establishes an initial association between a station and an
AP. The AP can then communicate this information to other APs within the
ESS to facilitate routing and delivery of addressed frames.
• Reassociation: Enables an established association to be transferred from
one AP to another, allowing a mobile station to move from one BSS to
another.
• Disassociation: A notification from either a station or an AP that an
existing association is terminated. A station should give this notification
before leaving an ESS or shutting down.

IEEE 802.11i Wireless LAN Security

• The 802.11i standard is referred to as Robust Security Network (RSN)

• IEEE 802.11i security is concerned only with secure communication between a station and its access point, i.e. within each BSS.

39

IEEE 802.11i Operation

[Figure 24.7 IEEE 802.11i Phases of Operation: participants Station (STA), Access Point (AP), Authentication Server (AS) and End Station]

Phase 1 - Discovery
Phase 2 - Authentication
Phase 3 - Key Management: the AP and the STA perform several operations that cause cryptographic keys to be generated and placed on the AP and the STA. Frames are exchanged between the AP and STA only.
Phase 4 - Protected Data Transfer: frames are exchanged between the STA and the end station through the AP. As denoted by the shading and the encryption module icon, secure data transfer occurs between the STA and the AP only; security is not provided end-to-end.
Phase 5 - Connection Termination

Figure 24.7 IEEE 802.11i Phases of Operation

40
IEEE 802.11i Operation

• Phase 1 Discovery

• An AP uses messages called Beacons and Probe Responses to advertise its IEEE 802.11i security policy.

• The STA identifies an AP for a WLAN with which it wishes to communicate.

• The STA associates with the AP, which it uses to select the cipher suite and authentication mechanism when the Beacons and Probe Responses present a choice.

41

IEEE 802.11i Operation

• Phase 2 Authentication

• STA and AS prove their identities to each other.

• The AP blocks non-authentication traffic between the STA and AS until the authentication transaction is successful.
• The AP does not participate in the authentication transaction other than forwarding traffic between the STA and AS.

42

IEEE 802.11i Operation

• Phase 3 Key Management

• The AP and the STA perform several operations that cause cryptographic
keys to be generated and placed on the AP and the STA.
• Frames are exchanged between the AP and STA only.

43

IEEE 802.11i Operation

• Phase 4 Protected data transfer

• Frames are exchanged between the STA and the end station through the
AP.
• Secure data transfer occurs between the STA and the AP only; security is
not provided end-to-end.

44

IEEE 802.11i Operation

• Phase 5 Connection termination

• The AP and STA exchange frames.


• The secure connection is torn down and the connection is restored to the
original state.

45
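A toy walk-through of the five phases, added here as an example (not from the lecture notes or from any 802.11 implementation): cipher-suite selection from a Beacon, a keyed-hash proof standing in for the STA/AS authentication, a key derived on both ends, and a protected frame that the AP verifies and then forwards unprotected, which is the sense in which security is not end-to-end. Suite names, the shared secret and the frame contents are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed toy model of the five IEEE 802.11i phases (added example, not
# from the lecture notes). Assumptions: cipher suites are plain strings,
# "authentication" is a keyed-hash proof of a secret the STA shares with the
# AS, and a protected frame is payload + HMAC tag under a per-association key.
# Real 802.11i uses RSN information elements, EAP/802.1X and CCMP/TKIP.

AP_POLICY = {"pairwise": ["CCMP", "TKIP"], "akm": ["802.1X", "PSK"]}
STA_CAPABILITIES = {"pairwise": ["CCMP"], "akm": ["802.1X"]}


def choose_suite(beacon, capabilities):
    """Phase 1 on the STA: pick the first advertised suite it also supports."""
    chosen = {}
    for field in ("pairwise", "akm"):
        common = [s for s in beacon[field] if s in capabilities[field]]
        if not common:
            raise ValueError(f"no common {field} suite with this AP")
        chosen[field] = common[0]
    return chosen


def derive_key(shared_secret, anonce, snonce):
    """Phase 3: both ends compute the same key; the key never crosses the air."""
    return hmac.new(shared_secret, b"PTK" + anonce + snonce, hashlib.sha256).digest()


def mic(key, payload):
    """Integrity tag for a protected frame (toy stand-in for CCMP)."""
    return hmac.new(key, payload, hashlib.sha256).digest()


class AccessPoint:
    """Per-STA security state; forwards verified payloads to a wired end station."""

    def __init__(self, policy, as_secret):
        self.policy = policy            # advertised in Beacons / Probe Responses
        self.as_secret = as_secret      # the AS's copy of the STA's secret
        self.authenticated = False
        self.session_key = None
        self.end_station_inbox = []     # what the end station actually receives

    def beacon(self):
        return {k: list(v) for k, v in self.policy.items()}

    def authenticate(self, sta_id, challenge, proof):
        """Phase 2: the AP only relays; the AS (modelled inline) checks the proof."""
        expected = hmac.new(self.as_secret, sta_id.encode() + challenge,
                            hashlib.sha256).digest()
        self.authenticated = hmac.compare_digest(proof, expected)
        return self.authenticated

    def key_management(self, anonce, snonce):
        if not self.authenticated:
            raise PermissionError("key management before authentication")
        self.session_key = derive_key(self.as_secret, anonce, snonce)

    def receive(self, frame):
        """Phase 4: verify the STA's tag, then forward the bare payload onward.
        Protection ends here: the end station gets no tag and holds no key."""
        if self.session_key is None:
            return False                # non-authentication traffic is blocked
        payload, tag = frame[:-32], frame[-32:]
        if not hmac.compare_digest(tag, mic(self.session_key, payload)):
            return False                # altered or foreign frame is dropped
        self.end_station_inbox.append(payload)
        return True

    def terminate(self):
        """Phase 5: tear the secure connection down."""
        self.session_key = None
        self.authenticated = False


def run_association(sta_secret, as_secret, tamper=False):
    """Drive one STA through all five phases; return (suite, end-station inbox)."""
    ap = AccessPoint(AP_POLICY, as_secret)
    suite = choose_suite(ap.beacon(), STA_CAPABILITIES)
    challenge = secrets.token_bytes(16)
    proof = hmac.new(sta_secret, b"sta-1" + challenge, hashlib.sha256).digest()
    if not ap.authenticate("sta-1", challenge, proof):
        return suite, ap.end_station_inbox
    anonce, snonce = secrets.token_bytes(32), secrets.token_bytes(32)
    ap.key_management(anonce, snonce)
    sta_key = derive_key(sta_secret, anonce, snonce)
    payload = b"GET /balance"           # constructed sample data frame
    frame = payload + mic(sta_key, payload)
    if tamper:                          # on-air modification of the payload
        frame = b"GET /transfer" + frame[-32:]
    ap.receive(frame)
    ap.terminate()
    ap.receive(payload + mic(sta_key, payload))   # rejected after termination
    return suite, ap.end_station_inbox


if __name__ == "__main__":
    print(run_association(b"shared-secret", b"shared-secret"))
```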

Summary

• SSL/TLS
• Protocol Architecture
• Connection & Session
• Protocols
• Attack

• Wireless Network Security


• Wireless environment —> higher security risk
• Wireless Security Measures
• IEEE 802.11 Wireless LAN: protocols, network model, services
• IEEE 802.11i Wireless LAN Security: operations

46

Thank You
Quiz Time

• 15 minutes

48
COMPSCI4062/COMPSCI5063
Cyber Security Fundamentals
(CSF)

1
[Figure: Identity (a user, an application) → Identification & Authentication → Access Control → System/network resources]
2
Identity, Identification and
Authentication
• Definitions
– Identity
• Representation of an entity inside a computer system
• It often implies the use of a unique name for an entity
❖ A person’s identity can change or be falsified, e.g., a last name
– Identification
• The claim of a user or an application that is using/running in the system
• This could be achieved by a user ID, process ID, a smart card or anything else that may uniquely identify a subject or a person.
❖ The ID or smart card could be stolen
– Authentication
• The process of verifying/proving the identity of an entity

3
Identity
• Purposes
– For access control
– For accountability
• Logging & Auditing
• Identities in a security system
– A data file (an object in general)
• File name: for the human being
• File descriptor: for a process
• File allocation table entry: for the kernel (MS-DOS and
Windows 9x OS)
• A user
– Any name comprised of an arbitrary number of
alphanumeric characters
• May be constrained in some ways, e.g., name + organization
4
Groups and Roles
• An identity may refer to an entity that is
comprised of a group of entities
– A convenient way of performing access control and
other security functions to a set of entities at the same
time
– Models of groups
• Static: alias to a set of entities
• Dynamic: construct for grouping a set of entities
• An identity may refer to a role
• To tie entities together
• To represent rights or security functions to which entities are
assigned or entitled 5
Identity and Certificate
• Certificate issued by a certificate authority (CA)
• CA acts as a trusted 3rd party
– Class 1
• Authentication of an e-mail address or web application
– Class 2
• Verification of real name and address through an online database – online purchasing
– Class 3
• Background check by an investigative service – a higher level of assurance
– Example: Certificate Authority Security Council (CASC), founded in 2013 – dedicated to addressing industry issues and educating the public on internet security.
6
Trust of Identity
• Trust of a certificate
– Depending on the trustworthiness of the certificate
authority (CA)
– Depending on the level of trust indicated by the CA
• High: a passport
• Low: an unsworn statement
– It’s all relative
• The point
– Identity has the trust issue
– Certificate also has the trust issue

7
Authentication
• Purpose
– To verify that a stated identity really belongs to the right
entity
• Methods
– What the entity knows – knowledge-based authentication
• Password, PIN, DoB, mother’s maiden name, etc
– What the entity has – token-based authentication
• Badge, ID card, key, etc.
– What the entity is – Biometric authentication
• Fingerprints, personal characteristics, gait and motion
biometrics, etc.
– Where the entity is
• Specific terminal, special access device, etc

8
Authentication Components
• For creating and storing authentication information
– Authentication information: A
• For an entity to prove its identity
– Complementary information: C
• For a system to store authentication information along with the corresponding identity
• For a system to verify authentication information
– Complementary functions: F
• For a system to generate the complementary information from the authentication information
• For f ∈ F, f: A → C

[Figure: Identification & Authentication module taking A and storing C = f(A)]
9
Authentication Components
• For performing authentication
– Authentication functions: L
• For the system to verify an identity
• For l ∈ L, l: A × C → {true, false}
• For managing authentication information
– For an entity to create or to alter the authentication and the corresponding complementary information

[Figure: Identification & Authentication module computing l(A, C) → {true, false} from A and C]
10
Passwords
• Purpose
– To use information that an entity knows to verify that
a stated identity really belongs to the entity
• Authentication method
– What an entity knows
• Password protection
– Passwords are not allowed to be transmitted without proper protection
– For f ∈ F, f: A → C uses a one-way hash function

11
Password Attacks-Dictionary Attack
• Dictionary attack
– Most passwords are not random sequences of
characters and numbers, but instead are combinations
of “normal” words, proper names, acronyms, etc.
• E.g., “Betty23” or “ChocolateFrog”
– In a dictionary attack a list of possible passwords is used
in order to break into an account
• The list might contain common words, names, acronyms,
common passwords, etc.
• This vastly reduces the search space

12
Password Attacks-
Brute-Force Attacks
• Brute-force attacks (exhaustive attacks) involve trying every possible combination of characters until the correct password is found
• The time required to crack a password depends upon the length of the password
– e.g., if a password is between 1 and 8 characters long, and is comprised of upper or lower case letters (52), numbers (10), or special characters (32 on an English keyboard), then there are $\sum_{i=1}^{8} 94^i \approx 6.1 \times 10^{15}$ possible passwords
– If the password is exactly 8 characters long, then there are $94^8$ possible passwords ($\sum_{i=1}^{7} 94^i$ fewer possible passwords)
– Making password standards public can be a security risk
– Making a password standards public can be a security risk

13
Counter-Measures to Password
Guessing
• Goal
– To maximize the amount of time consumed before the
password is correctly guessed
• Calculation
– P: probability of correctly guessing a password in a specified period of time, e.g., 0.5
➢ In a number of time units
– G: number of password guesses that can be carried out in one time unit
– T: number of time units for the calculation
– N: total number of possible passwords
– Anderson’s Formula: $P \geq TG/N$ or $N \geq TG/P$

14
An Example of Password Guessing
• The objective
– To determine the minimum length of password in a system
• Parameters
– A = 96 characters
– G = $10^4$ per second
– P = 0.5
– T = 365 days = $365 \times 24 \times 60 \times 60$ seconds = $31.536 \times 10^{6}$ seconds
• Assumptions
– The length of time required to try out each password is constant
– All passwords are equally likely to be selected
• The result
– $N \geq TG/P = 6.31 \times 10^{11}$
– $N = \sum_{i=1}^{S} 96^i \geq 6.31 \times 10^{11} \Rightarrow S \geq 6$
15
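The two calculations above worked in code (added example, not from the notes): the brute-force search space over a 94-character alphabet and Anderson's formula with the slide's parameters A = 96, G = 10^4 guesses per second, P = 0.5 and T = one year in seconds.

```python
# Added worked calculation (not from the notes): the brute-force search space
# and Anderson's formula N >= TG/P with the notes' own parameters
# (A = 96, G = 10^4 guesses per second, P = 0.5, T = one year in seconds).


def password_space(alphabet_size: int, min_len: int, max_len: int) -> int:
    """Number of passwords of length min_len..max_len: the sum of A^i."""
    return sum(alphabet_size ** i for i in range(min_len, max_len + 1))


def required_passwords(g: float, t: float, p: float) -> float:
    """Anderson's formula rearranged: N >= TG/P."""
    return t * g / p


def minimum_length(alphabet_size: int, g: float, t: float, p: float) -> int:
    """Smallest S with sum_{i=1}^{S} A^i >= TG/P."""
    needed = required_passwords(g, t, p)
    s = 1
    while password_space(alphabet_size, 1, s) < needed:
        s += 1
    return s


def guess_probability(alphabet_size: int, max_len: int, g: float, t: float) -> float:
    """The other direction: P >= TG/N, capped at 1 (the attacker can try them all)."""
    return min(1.0, t * g / password_space(alphabet_size, 1, max_len))


ONE_YEAR = 365 * 24 * 60 * 60   # T = 31.536 x 10^6 seconds

if __name__ == "__main__":
    print(f"{password_space(94, 1, 8):.2e}")          # lengths 1-8, about 6.1e15
    print(minimum_length(96, 1e4, ONE_YEAR, 0.5))     # minimum length S = 6
```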
Password Selection
• Theorem
– When the selection of a password from a set of
possible passwords is equally probable, the expected
time that is needed for guessing a password is the
longest
• Strong passwords
– At least one digit
– At least one letter (upper and lower)
– At least one special character, e.g., punctuation,
control character
16
Methods against Password Guessing
• Exponential back-off
– Wait for $t^{n-1}$ seconds before the next log-in when the $n$-th authentication attempt fails
• t is a system parameter
• Disconnection
– Disconnect after a specified number of failed attempts
• Disabling
– Disable after a specified number of failed attempts
• Jailing (Honey pot)
– Fool the attacker, then record all the activities that the
attacker conducts
17
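Added example, not from the notes: the components A, C = f(A) and l(A, C) from the Authentication Components slides, with f realised as a salted one-way hash, together with the exponential back-off and disabling measures listed above. PBKDF2-HMAC-SHA256, the work factor, t = 2 and the five-failure threshold are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Added example (not from the lecture notes): the components A, C = f(A) and
# l(A, C) -> {true, false} with f a salted one-way hash, plus the exponential
# back-off and disabling counter-measures. Assumptions: f is PBKDF2-HMAC-SHA256
# with a 16-byte random salt per identity (constructed work factor), t = 2,
# and an identity is disabled after 5 failed attempts.

ITERATIONS = 50_000     # constructed work factor for f
BACKOFF_T = 2           # t in the notes: wait t**(n-1) seconds after the n-th failure
MAX_FAILURES = 5        # constructed threshold for disabling


def f(a: str, salt: bytes) -> bytes:
    """Complementary function f in F: A -> C, one-way (A cannot be recovered from C)."""
    return hashlib.pbkdf2_hmac("sha256", a.encode(), salt, ITERATIONS)


def l(a: str, c: bytes, salt: bytes) -> bool:
    """Authentication function l in L: (A, C) -> {true, false}, constant-time compare."""
    return hmac.compare_digest(f(a, salt), c)


class PasswordStore:
    """Keeps (identity -> salt, C, failure count); A itself is never stored."""

    def __init__(self):
        self.records = {}

    def register(self, identity: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.records[identity] = {"salt": salt, "c": f(password, salt),
                                  "failures": 0, "disabled": False}

    def backoff_seconds(self, identity: str) -> int:
        """Exponential back-off: t**(n-1) seconds once n attempts have failed."""
        n = self.records[identity]["failures"]
        return 0 if n == 0 else BACKOFF_T ** (n - 1)

    def login(self, identity: str, password: str) -> bool:
        rec = self.records.get(identity)
        if rec is None:
            f(password, b"dummy-salt-16byt")   # same cost for unknown identities
            return False
        if rec["disabled"]:
            return False
        if l(password, rec["c"], rec["salt"]):
            rec["failures"] = 0
            return True
        rec["failures"] += 1
        if rec["failures"] >= MAX_FAILURES:
            rec["disabled"] = True            # "disabling" after repeated failures
        return False
```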
Biometrics
• Purpose
– The use of automated measurement of biological or
behavioural features to characterize and hence,
identify an entity
• Methods (requires special sensors)
– Fingerprints
– Voice recognition
– Eyes
– Faces
– Keystrokes (pressure, interval, duration, position, etc.)
– Gaits and motion biometrics
18
Strong authentication

• Authentication mechanisms utilize one or more of the following to establish a user’s identity:
– What the entity knows – knowledge-based authentication
• Password, PIN, DoB, mother’s maiden name, etc
– What the entity has – token-based authentication
• Badge, ID card, key, etc.
– What the entity is – Biometric authentication
• Fingerprints, personal characteristics, gait and motion biometrics,
etc.
– Where the entity is
• Specific terminal, special access device, etc
• Combining two or more of these authentication mechanisms strengthens the authentication process

19
Kerberos Authentication
• Foundation
– Needham-Schroeder protocol plus the Denning and Sacco modification
• Kerberos application scenario
– A system consists of a central authentication server AS, a ticket-granting server TGS and one or more application servers $S_1, \dots, S_n$
– AS authenticates a user to the Kerberos system
– TGS issues tickets to the user to authenticate to the application servers
– $S_1, S_2, \dots, S_n$ can be accessed by the user by presenting tickets issued by TGS

[Figure: User; Authentication service (AS); Ticket-granting service (TGS); Application services $S_1, S_2, \dots, S_n$]
20
Components of the Kerberos
Protocol
• Secret key based cryptography
• The authentication server AS shares a secret key with each and every user and with the ticket-granting server TGS
– Question: how to achieve the above?
• The ticket-granting server TGS shares a secret key with each of the application servers $S_1, \dots, S_n$

21
Components of the Kerberos
Protocol
• Ticket
– $T_{Alice,Server} = \{\, Alice \,\|\, \text{Alice's address} \,\|\, \text{valid time} \,\|\, K_{Alice,Server} \,\}\, K_{Server}$
❖ $K_{Alice,Server}$ is the session key generated by the server that created the ticket, to be shared between “Alice” and “Server” so as to access “Server”
❖ $K_{Server}$ is the secret key that “Server” shares with the server that created the ticket
– To be presented by Alice to Server for access
• Authenticator
– $A_{Alice,Server} = \{\, Alice \,\|\, t \,\|\, K_a \,\}\, K_{Alice,Server}$
❖ $K_{Alice,Server}$ is the session key that is shared between “Alice” and “Server” so as to access “Server”
❖ $t$ is the timestamp when the authenticator is created
❖ $K_a$ is an alternative session key
– To prove to Server that Alice has the session key
22
The Kerberos Protocol
[Figure: message flow between Alice, AS, TGS and S]
1. Alice → AS: $Alice \,\|\, TGS$
2. AS → Alice: $\{K_{Alice,TGS}\}\, K_{Alice} \,\|\, T_{Alice,TGS}$
3. Alice → TGS: $S \,\|\, A_{Alice,TGS} \,\|\, T_{Alice,TGS}$
4. TGS → Alice: $Alice \,\|\, \{K_{Alice,S}\}\, K_{Alice,TGS} \,\|\, T_{Alice,S}$
5. Alice → S: $A_{Alice,S} \,\|\, T_{Alice,S}$
23
The Kerberos Protocol

• Kerberos protocol messages are protected against eavesdropping and replay attacks.
24
*This figure is from a website
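The five messages above simulated in one process, added here as an example (not from the notes and not from any Kerberos implementation). Assumptions: a toy encrypt-then-MAC cipher (HMAC-SHA256 keystream plus tag) stands in for the secret-key cryptography, tickets and authenticators are JSON, session keys travel as hex strings, and Alice's address and password are constructed.

```python
import hashlib
import hmac
import json
import secrets
import time

# Added example (not from the notes): the Kerberos exchange with a toy cipher.
# Assumptions: encrypt-then-MAC with an HMAC-SHA256 keystream, JSON tickets,
# session keys as hex strings, constructed address "10.0.0.5" for Alice.


def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key, message):
    """{message}K: XOR with a keyed stream, then an HMAC tag over nonce+body."""
    plain = json.dumps(message).encode()
    nonce = secrets.token_bytes(16)
    body = bytes(p ^ k for p, k in zip(plain, _keystream(key, nonce, len(plain))))
    return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()


def decrypt(key, blob):
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body)))))


def make_ticket(target_key, client, address, lifetime=3600):
    """T_client,target = {client || address || valid time || K_client,target} K_target."""
    session_key = secrets.token_hex(16)
    ticket = encrypt(target_key, {"client": client, "address": address,
                                  "valid_until": time.time() + lifetime,
                                  "session_key": session_key})
    return session_key, ticket


def make_authenticator(client, session_key):
    """A_client,target = {client || t || K_a} K_client,target."""
    return encrypt(bytes.fromhex(session_key),
                   {"client": client, "t": time.time(), "K_a": secrets.token_hex(8)})


def check_ticket(server_key, ticket, authenticator, seen, skew=300):
    """TGS and S do the same: open T with their own key, then A with the key in T."""
    t = decrypt(server_key, ticket)
    if time.time() > t["valid_until"]:
        raise PermissionError("ticket expired")
    a = decrypt(bytes.fromhex(t["session_key"]), authenticator)
    if a["client"] != t["client"] or abs(time.time() - a["t"]) > skew:
        raise PermissionError("authenticator does not match ticket or is stale")
    if (a["client"], a["t"], a["K_a"]) in seen:
        raise PermissionError("replayed authenticator")
    seen.add((a["client"], a["t"], a["K_a"]))   # replay protection via timestamps
    return t


def is_accepted(server_key, ticket, authenticator, seen):
    try:
        check_ticket(server_key, ticket, authenticator, seen)
        return True
    except (ValueError, PermissionError, KeyError):
        return False


def run_protocol():
    """Messages 1-5; returns what Alice holds for S plus S's key and replay state."""
    k_alice = hashlib.sha256(b"constructed-alice-password").digest()  # shared with AS
    k_tgs, k_s = secrets.token_bytes(32), secrets.token_bytes(32)
    seen_tgs, seen_s = set(), set()
    # 1. Alice -> AS: Alice || TGS      2. AS -> Alice: {K_Alice,TGS}K_Alice || T_Alice,TGS
    k_alice_tgs, t_alice_tgs = make_ticket(k_tgs, "Alice", "10.0.0.5")
    msg2 = (encrypt(k_alice, {"session_key": k_alice_tgs}), t_alice_tgs)
    k_alice_tgs = decrypt(k_alice, msg2[0])["session_key"]   # only Alice can open this
    # 3. Alice -> TGS: S || A_Alice,TGS || T_Alice,TGS
    msg3 = ("S", make_authenticator("Alice", k_alice_tgs), t_alice_tgs)
    t = check_ticket(k_tgs, msg3[2], msg3[1], seen_tgs)
    # 4. TGS -> Alice: Alice || {K_Alice,S}K_Alice,TGS || T_Alice,S
    k_alice_s, t_alice_s = make_ticket(k_s, t["client"], t["address"])
    msg4 = ("Alice", encrypt(bytes.fromhex(k_alice_tgs), {"session_key": k_alice_s}), t_alice_s)
    k_alice_s = decrypt(bytes.fromhex(k_alice_tgs), msg4[1])["session_key"]
    # 5. Alice -> S: A_Alice,S || T_Alice,S
    msg5 = (make_authenticator("Alice", k_alice_s), t_alice_s)
    check_ticket(k_s, msg5[1], msg5[0], seen_s)
    return {"session_key": k_alice_s, "ticket": t_alice_s, "k_s": k_s,
            "seen": seen_s, "msg5": msg5}
```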
Significance of Kerberos

• Single sign-on
– User only needs to log in once with the Authentication Server (AS)
❖ Result: a ticket-granting ticket is issued to the user to access the Ticket-Granting Server (TGS)
– TGS issues tickets to the user to access the application servers
❖ Result: logging in to the application servers is transparent to the user
• Widely used in financial systems and large-scale
e-commerce applications

25
Summary

• Identity
• Identification
• Authentication
• Passwords and password attacks
– Challenge and response
– Biometrics
– The Kerberos protocol
• Reference book: Introduction to Computer
Security by Matt Bishop, 2004

26
Lab report

• Lab work and report instruction

• Moodle group (COMPSCI5063)


• Moodle group (COMPSCI4062)

• Lab 1 example

27
COMPSCI4062/COMPSCI5063
Cyber Security Fundamentals
(CSF)
Lecture 8
Web application security

1
Web Application
• Web Application
– an application program that is stored on a remote
server and delivered over the internet through a
browser interface
– Interactive
– Examples?
• Webpage
– A document which can be displayed in a web browser
such as Firefox, Google Chrome, Microsoft Edge, or
Apple Safari
2
Web Applications
• The HTTP protocol
– HTTP is the carrier protocol which allows our browsers
and applications to receive content such as HTML ("Hyper
Text Markup Language"), CSS ("Cascading Style Sheets"),
images and videos from a server

• FTP: a standard communication protocol used for the transfer of computer files from a server to a client on a computer
– does not encrypt its traffic; all transmissions are in clear text, and usernames, passwords, commands and data can be read by anyone able to perform packet capture (sniffing) on the network

3
A secure protocol
• HTTPS: An extension of HTTP. It uses encryption for
the secure communication over a computer
network
– The HTTP protocol does not support encryption for data-in-
transit, hence a wrapper around HTTP is added for encryption
support. This is indicated with a S following HTTP, i.e. HTTPS
– The encryption used to be SSL ("Secure Sockets Layer"), but
has since been deprecated. Instead TLS ("Transport Layer
Security") is typically used to enforce encryption
– All major web browsers today will show a lock icon in the URL address bar if HTTPS is used
– A warning will be displayed if TLS/SSL connections are compromised
4
Web Applications
• URLs, Query Parameters and Scheme
– To access a web application, we use a URL
– e.g., https://moodle.gla.ac.uk/course/view.php?id=343
– https://moodle.gla.ac.uk/course/view.php?id=343&n
otifyeditingon=1

5
• Sessions & State

A session cookie contains a random identifier (key) used to index the server's session cache.

6
Web Application Attacks

* https://lab.wallarm.com/owasp-top-10-2021-proposal-based-on-a-statistical-data/ 7
Three main web application
vulnerabilities
• SQL Injection
– Browser sends malicious input to server
– Bad input checking leads to malicious SQL query
• CSRF-Cross-site request Forgery
– Bad web site sends browser request to good web
site, using credentials of an innocent victim
• XSS - Cross-site scripting
– Bad web site sends innocent victim a script that
steals information from an honest web site

8
Three main web application
vulnerabilities
• SQL Injection – uses SQL to change the meaning of a database command
– Browser sends malicious input to server
– Bad input checking leads to malicious SQL query
• CSRF – Cross-site request forgery – leverages the user’s session at the victim server
– Bad web site sends browser request to good web site, using credentials of an innocent victim
• XSS – Cross-site scripting – injects a malicious script into a trusted context
– Bad web site sends innocent victim a script that steals information from an honest web site
9
SQL injection
1. Hacker identifies a vulnerable, SQL-driven website and injects a malicious SQL query via input data (website input fields)
2. The malicious SQL query is validated and the command is executed by the database
3. Hacker is granted access to view and alter records or potentially act as database administrator

[Figure: Hacker → Website Input Fields → Database]

10
Command Injection

• Attack goal: execute arbitrary code on the server
• Example: Code injection using system()
– Normal: PHP server-side code for sending email
$email = $_POST["email"];
$subject = $_POST["subject"];
system("mail $email -s $subject < /tmp/joinmynetwork");
– Attacker can post
http://yourdomain.com/mail.php?
[email protected] &
subject=foo < /usr/passwd; ls
11
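The mail command from the PHP snippet above built the unsafe way (one string handed to a shell) and the safe way (an argument vector plus input validation), as an added example that is not from the notes. The command is never run; a Python child process reports the argument vector it would receive. The address, the message file path and the validation regex are constructed for the example.

```python
import json
import re
import shlex
import subprocess
import sys

# Added example (not from the notes): unsafe vs. safe construction of the
# slide's mail command. Assumptions: the address regex, MESSAGE_FILE and the
# sample address are constructed; nothing is actually mailed.

MESSAGE_FILE = "/tmp/joinmynetwork"
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def unsafe_command(email, subject):
    """Equivalent of system("mail $email -s $subject < file"): raw interpolation,
    so a ';' or '<' in either value is interpreted by the shell."""
    return f"mail {email} -s {subject} < {MESSAGE_FILE}"


def safe_argv(email, subject):
    """Validate the address; the subject stays ONE argument whatever it contains."""
    if not EMAIL_RE.fullmatch(email):
        raise ValueError("rejected e-mail address")
    return ["mail", email, "-s", subject]


def safe_command(email, subject):
    """If a shell string is unavoidable, quote every argument individually."""
    return shlex.join(safe_argv(email, subject)) + " < " + shlex.quote(MESSAGE_FILE)


def argv_received(argv):
    """Run a child WITHOUT a shell and return the exact argv it was given."""
    probe = [sys.executable, "-c", "import json, sys; print(json.dumps(sys.argv[1:]))"]
    done = subprocess.run(probe + argv, capture_output=True, text=True, check=True)
    return json.loads(done.stdout)


if __name__ == "__main__":
    subject = "foo < /usr/passwd; ls"                 # the slide's subject value
    print(unsafe_command("user@example.com", subject))
    print(safe_command("user@example.com", subject))
    print(argv_received(safe_argv("user@example.com", subject)))
```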
• PHP ("PHP: Hypertext Preprocessor") is a widely-used, open source scripting language. PHP scripts are executed on the server.
• Different from HTML
– PHP is a scripting language | HTML is a markup
language.
– PHP code is executed on the server | HTML code
is parsed by the client browser.
– PHP creates dynamic web pages | HTML creates
static web pages.
– PHP can access a database | Database cannot
be accessed using HTML
12
Database queries with PHP
• Sample PHP

$recipient = $_POST['recipient'];
$sql = "SELECT PersonID FROM Person WHERE Username='$recipient'";
$rs = $db->executeQuery($sql);

• Problem
– What if ‘recipient’ is a malicious string that changes the meaning of the query?

13
Normal Query

[Figure: the user enters a username and password in the web browser (client); the web server runs SELECT * FROM Users WHERE user='me' AND pwd='1234' against the database]

14
• Bad input
– Suppose user = "' or 1=1 -- " (URL encoded)
– Then the script does:
ok = execute(SELECT … WHERE user = '' or 1=1 -- …)
– The “--” causes the rest of the line to be ignored
– Now the login always succeeds
15
CardSystem Attack

• CardSystems
– Credit card payment processing company
– SQL injection attack in June 2005
– Put out of business
• The Attack
– 263,000 credit card numbers stolen from database
– Credit card numbers stored unencrypted
– 43 million credit card numbers exposed

16
Preventing SQL Injection

• Never build SQL commands yourself!
– Use parameterized/prepared SQL
– Use an Object Relational Mapping (ORM) framework
• Provides a layer of abstraction between the application code and the database
• Allows developers to interact with the database using high-level object-oriented code instead of raw SQL queries

17
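The login query from the slides built by string interpolation next to its parameterized form, run against an in-memory SQLite table, as an added example (not from the notes). The two rows are constructed; the input "' or 1=1 -- " is the one from the "Bad input" slide.

```python
import sqlite3

# Added example (not from the notes): the slides' login query built by string
# interpolation next to its parameterized form, run against an in-memory
# SQLite table with two constructed rows.


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Users (user TEXT, pwd TEXT)")
    db.executemany("INSERT INTO Users VALUES (?, ?)",
                   [("me", "1234"), ("admin", "constructed-secret")])
    return db


def build_query(user, pwd):
    """Exactly what the vulnerable script sends: user input spliced into SQL text."""
    return f"SELECT * FROM Users WHERE user='{user}' AND pwd='{pwd}'"


def login_vulnerable(db, user, pwd):
    """True when ANY row matches: the query text itself is under attacker control,
    and after '--' the pwd check has become a comment."""
    return db.execute(build_query(user, pwd)).fetchone() is not None


def login_parameterized(db, user, pwd):
    """Same query, but the values are bound separately and can never become SQL."""
    row = db.execute("SELECT * FROM Users WHERE user=? AND pwd=?", (user, pwd)).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    print(build_query("' or 1=1 -- ", "x"))              # shows -- swallowing AND pwd=...
    print(login_vulnerable(db, "' or 1=1 -- ", "x"))     # True
    print(login_parameterized(db, "' or 1=1 -- ", "x"))  # False
```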
Cross Site Request Forgery
• Cross-site request forgery (also known as
XSRF or CSRF) is an attack against web-
hosted apps
• Web browsers send some types of
authentication tokens automatically with
every request to a website.
• Also known as a one-click attack or session
riding because the attack takes advantage
of the user's previously authenticated
session.
18
Recall: Session using cookies
[Figure: Browser → Server: POST /login.cgi; Server → Browser: Set-cookie: authenticator; Browser → Server: GET … cookie: authenticator; Server → Browser: Response]

Vulnerabilities? 19
CSRF

1: A user signs into www.good-banking-site.example.com using their authentication credentials

2: The server authenticates the user and issues a response that includes an authentication cookie

3: The user visits a malicious site (e.g. www.bad-crook-site.example.com) which contains an HTML form similar to this

4: Hacker sends a forged request disguised as legitimate communication from the bank

5: The forged request is executed by the bank using the previously assigned validation token (authentication cookie)

[Figure: the forged request flows from the malicious website to the bank]
20
HTML form

Notice that the form's action posts to the vulnerable site, not to the malicious site. This is the "cross-site" part of CSRF.

21
CSRF defense

• Do not click malicious links
– Be able to identify a malicious link
– Especially an HTTP URL
– Using HTTPS is more secure
• Use a CSRF session token
– The token needs to be unique per user session and should be a large random value to make it difficult to guess.

22
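A CSRF token that is unique per user session and large and random, issued with the session and required in every state-changing POST, as an added example (not from the notes). The browser attaches the session cookie to any request, including one forged from another site, but the other site cannot read the token out of the bank's page, so its request fails the check. The store, the form and the handler are constructed stand-ins for a web framework.

```python
import hmac
import secrets

# Added example (not from the notes): per-session CSRF token. Assumptions: a
# dict stands in for the server's session cache, cookies and form fields are
# plain dicts, and the handler returns an HTTP status code.


class SessionStore:
    def __init__(self):
        self.sessions = {}

    def log_in(self, user):
        """Step 2 of the scenario: issue the session cookie AND a token bound to it."""
        sid = secrets.token_urlsafe(32)      # goes into the cookie
        token = secrets.token_urlsafe(32)    # goes into the bank's own forms only
        self.sessions[sid] = {"user": user, "csrf": token}
        return sid, token

    def lookup(self, cookies):
        return self.sessions.get(cookies.get("session"))


def transfer_form(token):
    """The bank's own form carries the token as a hidden field."""
    return ('<form method="POST" action="/transfer">'
            f'<input type="hidden" name="csrf" value="{token}">'
            '<input name="to"><input name="amount"></form>')


def handle_transfer(store, cookies, form):
    """Server side of POST /transfer: session cookie AND matching token required."""
    session = store.lookup(cookies)
    if session is None:
        return 401, "no valid session"
    if not hmac.compare_digest(form.get("csrf", ""), session["csrf"]):
        return 403, "missing or wrong CSRF token"   # a forged cross-site POST ends here
    return 200, f"transfer by {session['user']} accepted"


if __name__ == "__main__":
    store = SessionStore()
    sid, token = store.log_in("alice")
    cookies = {"session": sid}                      # sent automatically by the browser
    print(handle_transfer(store, cookies, {"csrf": token, "to": "bob", "amount": "10"}))
    print(handle_transfer(store, cookies, {"to": "bob", "amount": "10"}))   # 403
```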
Cross Site Scripting (XSS)

• An XSS vulnerability is present when an attacker can inject scripting code into pages generated by a web application

23
Three main web site vulnerabilities
• SQL Injection – attacker’s malicious code executed on the victim server
– Browser sends malicious input to server
– Bad input checking leads to malicious SQL query
• CSRF – Cross-site request forgery – attacker site forges a request from the victim browser to the victim server
– Bad web site sends browser request to good web site, using credentials of an innocent victim
• XSS – Cross-site scripting – attacker’s malicious code executed in the victim browser
– Bad web site sends innocent victim a script that steals information from an honest web site
24
Cross-site scripting (XSS)

[Figure: Attacker, Victim user, Victim server]
1. Attacker sends a script-injected link to the victim (e.g., email scam)
2. Victim clicks on the link and requests the legitimate website
3. Victim’s browser loads the legitimate site, but also executes the malicious script
4. The script sends valuable data to the attacker
25
Two different XSS attacks
• Reflected XSS (“type 1”)
– The attacker script is reflected back to the user as
part of a page from the victim site

• Stored XSS (“type 2”)


– The attacker is able to inject malicious code into a
web application that is stored permanently on the
server, such as in a database. This code is then
served to users who view the affected page.

26
Reflected XSS attack

[Figure: Attacker, Victim user, Victim server]
1. Attacker sends a script-injected link to the victim (e.g., email scam)
2. Victim clicks on the link and requests the legitimate website
3. Victim’s browser loads the legitimate site, but also executes the malicious script
4. The script sends valuable data to the attacker
27
Stored XSS attack

[Figure: Attacker, Victim user, Victim server]
1. Attacker injects a malicious script; the server stores the bad stuff
2. Victim requests content
3. Victim receives and executes the malicious script
4. The script sends valuable data to the attacker
28
XSS defenses
• Proxy-based: analyze the HTTP traffic exchanged
between user’s web browser and the target web
server by scanning for special HTML characters and
encoding them before executing the page on the
user’s web browser
• Application level firewall: analyze browsed HTML pages for hyperlinks that might lead to leakage of sensitive information
• Auditing system: monitor execution of JavaScript
code and compare the operations against high level
policies to detect malicious behaviour
29
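The "encode special HTML characters" defence applied at the point where attacker-controlled text is written into a page, for both the reflected case (a search term echoed back) and the stored case (comments kept in a list standing in for the database), as an added example that is not from the notes. The page templates and the comment board are constructed.

```python
import html

# Added example (not from the notes): output encoding against reflected and
# stored XSS. Assumptions: two constructed page templates; a list stands in
# for the database that holds stored comments.


def render_search_unsafe(term):
    """Reflected: the term goes into the page exactly as received."""
    return f"<h1>Results for: {term}</h1>"


def render_search_encoded(term):
    """Reflected, defended: <, >, &, and quotes become entities, never markup."""
    return f"<h1>Results for: {html.escape(term, quote=True)}</h1>"


class CommentBoard:
    """Stored case: input is kept verbatim; encoding happens at output time, so
    every view of the page is protected, not just the one that accepted it."""

    def __init__(self):
        self.comments = []

    def post(self, author, text):
        self.comments.append((author, text))

    def render(self, encode=True):
        items = []
        for author, text in self.comments:
            if encode:
                author = html.escape(author, quote=True)
                text = html.escape(text, quote=True)
            items.append(f"<li><b>{author}</b>: {text}</li>")
        return "<ul>" + "".join(items) + "</ul>"


def has_script_tag(page):
    """Crude audit used below: does the page contain an executable tag?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    sample = "<script>alert(1)</script>"     # constructed, harmless test string
    print(render_search_unsafe(sample))
    print(render_search_encoded(sample))
```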
• Reference Book:
Andrew Hoffman, Web Application Security,
O’Reilly, 2020

30
COMPSCI4062/COMPSCI5063
Cyber Security Fundamentals
(CSF)
Lecture 9
Digital Forensics

1
Digital Forensics

• A digital investigation that focuses on a digital device
– Computer
– Router
– Switch
– Cell-phone
– SIM-card
– ….

2
• Focuses on a digital device involved in an incident
or crime
– Computer intrusion
– Generic criminal activity
• Perpetrator uses internet to gather information used in the
perpetration of a crime
– Digital device is an instrument of a crime
• Perpetrator uses cell-phone to set-off a bomb
• Email scams
• Internet auction fraud
• Computer is used for intrusion of another system
3
Digital Forensics
• Digital Investigation has different goals
– Prevention of further intrusions
❖ Goal is to reconstruct the modus operandi of the intruder to predict and prevent further intrusions
– Assessment of damage
❖ Goal is to certify the system for safe use
– Reconstruction of an incident
❖ For criminal proceedings
❖ For organization-internal proceedings

4
• Process where we develop and test hypotheses
that answer questions about digital events
– We can use an adaptation of the scientific method
where we establish hypotheses based on findings
and then (if possible) test our hypotheses against
findings resulting from additional investigations

5
• Evidence
• Procedural notion
• That on what our findings are based
• Legal notion
• Defined by the “rules of evidence”
• Differ by legislation
• “hear-say” is procedurally evidence, but excluded
(under many circumstances) as legal evidence

6
Types of digital forensics
• Computer Forensics
• Network Forensics
• Mobile Forensics
• Forensic Data Analysis (FDA)
7
• Digital Forensics is a procedure of acquiring and
processing data found in digital devices. Digital
Forensics was used as a synonym of computer
forensics in early years but now there are different
categories depending on the type of the digital
evidence and procedures.
• Computer Forensics is the procedure of acquiring
a snapshot of the internal state of a computer
system (cloning the hard drive/memory) and
moving on in analysing the acquired copy.
8
• Network forensics focuses on the communication aspect of the device and captures the traffic as data for further analysis; it helps in intrusion detection.
• Mobile Forensics represents the practices employed for recovering data from a mobile device.
• Forensic data analysis is another branch which focuses on structured data analysis relevant to financial crimes.
• Most of the time these practices are used in digital crime investigations and the goal is to lead to a successful prosecution
9
Who should know about digital
forensics
• Those involved in legal proceedings that might
use digital evidence
– Judges, prosecutors, attorneys, law enforcement,
expert witnesses
• Those involved in systems administration
– Systems administrators, network administrators,
security officers
– Those writing procedures
– Managers

10
Is computer Forensics Important?

• Need to know how to recover data
• What if you work as an investigator in law enforcement?
• Be able to discover malicious activities
11
Computer Forensics Steps

1. Seizure

2. Acquisition

3. Analysis: Physical searching + whitelist + registry examination + browser analysis + timeline reconstruction

4. Reporting

12
Note
• Upon arriving at a crime scene a forensic investigator should
be cautious. The forensic investigator must search the crime
scene extensively, label and register in a formal form all the
hardware equipment found and place them safely in antistatic
bags. The hard drive must be removed if a desktop is
discovered powered off and placed in a safe box. If a desktop
is powered on an investigator needs to decide if he/she will
proceed with a live forensics procedure.

• All these steps will be analysed in the following slides.


• Taking pictures and screenshots for supporting evidence is
essential in the investigation.
13
Step 1: Seizure (1/2)

• Purpose: prevent digital devices being used and data getting changed
• Inspection of equipment – labelling – registry – bagging – BIOS time (F10) & hard drive details
• Be prepared for a tower bomb or even USBs hidden inside a plug
• Equipment is on; what now?
Should the investigator turn off the found computer in the scene?
14
Step 1: Seizure (2/2)

15
• Note
– Getting the time from BIOS is important as if this is
set wrongly some evidence might be pointing us in
the wrong direction.
– A registry table example

16
Step 2: Acquisition

• Creating a digital forensic copy! A forensic copy can have different types of format but we will just concentrate on the raw format. Use of write blockers is important!
• Bit-by-bit copy of the data using a tool like Data Duplication or FTK Imager to create a forensic image of the device

17
Step 2: Acquisition

18
• After the seizure has taken place the forensic
investigator will take the hard drive or laptop and
generate a clone copy of its content.
• For this clone a specific hash value will be
generated and kept safely; in this way the forensic
examiner will ensure that while analysing the data
he\she will not make any changes in the copy and
use it as a proof that can be presented in court.
• It is a good practice for an investigator to work on a
second copy; so if anything goes wrong he/she
does not have to re-do this step.
19
• Tools (e.g., FTK Imager) can be used to acquire a copy of a forensic image.
• There are different types of format; the raw format is a bit-by-bit copy often accompanied with metadata of the suspect drive.
• Write blockers ensure that nothing can be written on the suspect drive, which helps in eliminating the possibility of contaminating evidence
20
Step 3: Analysis – Physical
Searching (1/3)
• Creating a case using Autopsy
✓ First thing is to make a hash check
✓ String commands, indexing, grep search via index & foremost, file carving
✓ Use of foremost for extracting all the files
✓ Foremost is a command-line tool to recover deleted files from disk images

21
Step 3: Analysis – Physical
Searching (2/3)

22
23
24
25
26
Notes
• In the analysis step the forensics investigator
searches for evidence in the acquired copy. There
are multiple searching techniques that can be
employed that will result in different types of
information.
• List of users, emails, documents, and pictures are
some of the files that can be fully recovered and
examined.
• Always make a hash comparison to ensure your
copy has not been compromised in any way. A good
tool that can be used for loading an image and
moving into the analysis is called Autopsy. 27
Notes
• There are different commands that can be used when searching for evidence in a forensic copy. Keyword searching is a bit like Google searching. Depending on what type of investigation you have, different relevant words can be “good” candidates.
• The grep command is used for specific files that you want to be extracted. Foremost is one of the most useful ones as it can extract from our copy all the recovered data and separate them into different folders depending on their file type; one for .doc, .pdf etc.
• Metacam is specifically used for getting into the .jpeg directory. As you dig deeper you might find information also about the type of the camera that was used to take these photos
28
Step 3: Analysis – Whitelist
Production
• Creation of Windows XP image (qemu) containing known “good” hashes for filtering
➢ Use of md5deep for creating lists
➢ Use of cut and grep commands for comparing the lists

29
Notes

• Depending on the suspect’s operating system, in this case Windows XP, you will have to load and create a good hashing list (whitelist) and then compare it with the list that you can extract from your forensic copy

30
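The two hash steps of the analysis phase in plain Python, as an added example that is neither from the notes nor md5deep itself: verifying that the working copy of an image still matches the recorded hash, and filtering a suspect file tree against a whitelist of known-good hashes. A temporary directory tree with constructed contents stands in for the real image and the clean reference image.

```python
import hashlib
import hmac
import os
import tempfile

# Added example (not from the notes, not md5deep): image hash verification and
# whitelist filtering. Assumptions: constructed temporary files stand in for
# the forensic image and for the clean Windows XP reference tree.


def hash_file(path, algorithm="sha256"):
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):   # streamed: images are large
            h.update(chunk)
    return h.hexdigest()


def image_unchanged(image_path, recorded_hash, algorithm="sha256"):
    """Hash comparison before and after analysis: the working copy must match."""
    return hmac.compare_digest(hash_file(image_path, algorithm), recorded_hash)


def hash_tree(root, algorithm="md5"):
    """md5deep-style listing: relative path -> hash for every file under root."""
    listing = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            listing[rel] = hash_file(full, algorithm)
    return listing


def unknown_files(suspect_listing, whitelist_listing):
    """Files whose hash is absent from the known-good set (the cut/grep step)."""
    known = set(whitelist_listing.values())
    return sorted(p for p, digest in suspect_listing.items() if digest not in known)


def demo():
    """Clean tree vs. suspect tree with one altered and one added file."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, suspect = os.path.join(tmp, "clean"), os.path.join(tmp, "suspect")
        for root in (clean, suspect):
            os.makedirs(os.path.join(root, "WINDOWS"))
            for name, body in (("notepad.exe", b"constructed known-good 1"),
                               ("calc.exe", b"constructed known-good 2")):
                with open(os.path.join(root, "WINDOWS", name), "wb") as fh:
                    fh.write(body)
        with open(os.path.join(suspect, "WINDOWS", "calc.exe"), "wb") as fh:
            fh.write(b"constructed ALTERED binary")       # same name, different hash
        with open(os.path.join(suspect, "secret.txt"), "wb") as fh:
            fh.write(b"constructed user file")            # not in the whitelist
        image = os.path.join(tmp, "disk.raw")
        with open(image, "wb") as fh:
            fh.write(b"constructed raw image bytes")
        recorded = hash_file(image)                       # kept with the evidence
        before = image_unchanged(image, recorded)
        with open(image, "ab") as fh:
            fh.write(b"!")                                # simulate accidental change
        after = image_unchanged(image, recorded)
        return {"image_ok_before": before, "image_ok_after": after,
                "unknown": unknown_files(hash_tree(suspect), hash_tree(clean))}


if __name__ == "__main__":
    print(demo())
```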
Step 3: Analysis - Registry
Examination (1/2)
• Identifying the users and all the installed
applications and devices on the suspect OS

✓ Copy the registry files from the suspect image file

✓ Use of regviewer for the registry examination

31
Step 3: Analysis - Registry
Examination (2/2)
• User Activity Tracking

• Malware Analysis

• Network Activity Analysis

• Recovery of Deleted Data

• User Authentication Analysis

32
Note

• You have to examine all the registry files in order to identify all the users and the applications which were part of the system. RegViewer is a tool that will help you examine registry files and it gives the data in a structured

33
Step 3: Analysis - Browser Analysis
(1/2)

• Analysis of browser activities
➢ Use of Autopsy for discovering the browser files and also the history index.dat file from the browser
➢ Analysis of bookmarks and recent items

34
Step 3: Analysis - Browser Analysis
(2/2)

35
• Notice that the suspect has installed a
windows update and has been accessing some
photos saved on their device

36
Step 3: Analysis & Reconstruction
• Creation of an .fls file (the output of The Sleuth Kit's fls tool) and use of Zeitline for examining all the events
• Creation of the events' timeline by using Zeitline
• Filtering and digging further

Notes
• Identifying who the current user was at a given time is really important, as this can be used as evidence.
• Establishing a timeline is therefore one of the most crucial parts of the investigation.
Step 4: Report
• Job description and instructions
• Description of recovered/examined items
• Analysis of methodology
• Production list and associated description

Note
• Once the analysis is complete the forensic investigator needs to prepare a report with all the findings and be ready to testify in court if required. The report should be extensive, containing a register of the evidence, and must not be biased by any personal opinion.
• The report should follow a specific structure, every item of evidence should be referenced, and the findings should be presented without personal opinions creeping in.
Interesting hot topics
• Main "Computer crime" acts?
• Is there any difference between England's and Scotland's legislation?
• What is a Trojan defense?
• What if someone used your wireless broadband for illegal activities?
Summary
• Discussed different types of Digital Forensics
• Demonstrated the different steps in Computer Forensics
• Explained different techniques and tools for recovering evidence
Fundamentals of
Bitcoin & Blockchain

Nguyen Truong
[email protected]

Good morning everyone,

I'm Nguyen Truong, a lecturer in cyber-security at the University of Glasgow, United Kingdom.
Today, I would like to give you a talk about the Fundamentals of Bitcoin and Blockchain!
I hope you all enjoy the talk and grasp some basic concepts and knowledge about Bitcoin and Blockchain technology.
A bit about myself

• Hanoi University of Science and Technology, Vietnam (BSc)
• Pohang University of Science and Technology, South Korea (MSc)
• DASAN Networks Corporation, South Korea (Software Engineer)
• Liverpool John Moores University, Ph.D (2015-2018)
• Imperial College London, Research Associate (2018-2022)
• University of Glasgow, Lecturer (2022-onward)

Firstly, I would like to introduce myself a bit. My name is Nguyen Truong. I did my bachelor's at Hanoi University of Science and Technology in Vietnam and my master's at Pohang University of Science and Technology in South Korea. I graduated with a PhD from Liverpool John Moores University in Liverpool in 2018 and after that (October 2018) I went to Imperial College London to work as a Research Associate/Fellow at the Data Science Institute, Department of Computing. I joined the University of Glasgow as an assistant professor in February this year.
I also have some industry experience, as I worked as a Software Engineer for a networking/communications corporation in Seoul, Korea for 3 years, programming wireless communication protocols (IEEE 802.11ac) for their wireless routers.
Outline

I. Concept of Bitcoin
II. Cryptography in Bitcoin
III. Bitcoin Protocol & Blockchain Technology
1. Bitcoin Addresses
2. Bitcoin Distributed Ledger: a Blockchain
3. Transactions in Bitcoin and Blockchain
4. Consensus Mechanism: Proof-of-Work
IV. Research on Bitcoin Security & Privacy
V. Q&A Section

Right, let's get to the outline of the lecture, which consists of five parts:

In the first part, I briefly introduce the concept of Bitcoin and cryptocurrencies in comparison with the traditional banking system.

The next section reminds you of the basic background and cryptographic techniques used in Bitcoin, including public-key cryptography, digital signatures, hash functions, and data structures.

The third section, which is the most important knowledge to be delivered in this seminar, presents how Bitcoin works and introduces the underlying technology behind Bitcoin, called Blockchain. This section is quite long and consists of the four parts listed above: Bitcoin addresses, the distributed ledger (a blockchain), transactions, and the Proof-of-Work consensus mechanism.

The fourth section opens up some ongoing research directions related to security and privacy in Bitcoin.

The last section is dedicated to the Q&A.
I. Concept of Bitcoin

Here we come to the first part of the talk, where I would like to give you some basic concepts about Bitcoin.
Bitcoin vs Traditional (centralised) Banking system

Ok, before going further to answer the question of what Bitcoin IS, we need to understand the concept of cryptocurrencies and the decentralised payment/banking system.

Let's take a look at the history and innovation of payment systems throughout the years.

To record balances and payments we have a LEDGER, which contains information about transactions (payment from A to B) and the balance sheet (how much money A and B have).

It starts with a balance sheet from Mesopotamia written on a stone, the ancient accounting system of Babylon around 2040 BC (this stone is now in the Louvre museum, France).

After that, we have the various centralised banking systems, including American Express, Bank of America, HSBC, VISA and Mastercard.
In 1983, we have the "electronic cash" system proposed by Chaum, which is the initial idea of a cryptocurrency.

The main difference between the electronic cash proposed by Chaum and a cryptocurrency is that the electronic cash system is privacy-preserving banking but not decentralised: it still relies on a centralised bank to operate.

And then we come to the introduction of Bitcoin in 2008, which is the most famous and successful instance of a cryptocurrency, followed by many other cryptocurrencies such as Ethereum or ZCash.
David Chaum and E-Cash

➢ Prevent double-spending
➢ Blind Signature: to provide anonymity
➢ Various practical issues:
▪ Need for trusted central party
▪ Computationally expensive
▪ Etc.

Chaum published the idea of anonymous electronic money in a 1983 paper;[1] eCash software on the user's local computer stored money in a digital format, cryptographically signed by a bank. The user could spend the digital money at any shop accepting eCash, without having to open an account with the vendor first or transmit credit card numbers. Security was ensured by public key digital signature schemes.

In the electronic cash system, Chaum proposed RSA blind signatures to ensure unlinkability between the withdrawal and the spending transactions. Depending on the payment transactions, one distinguishes between on-line and off-line electronic cash: if the payee has to contact a third party (e.g., the bank or the credit-card company acting as an acquirer) before accepting a payment, the system is called an on-line system.[2] In 1990, Chaum together with Moni Naor proposed the first off-line e-cash system, which was also based on blind signatures.[3]

However, the electronic cash system proposed by Chaum has various practical issues, including the need for a trusted central party and being computationally expensive.
Ideas of Cryptocurrencies

➢ They don't have a central authority.
▪ They use a peer-to-peer system with all peers equal.
➢ This requires enough of the peers to agree on which transactions have happened.
▪ A ledger that can't be altered.
▪ How are disagreements resolved?
➢ They also need techniques to prevent forgery and double spending.
➢ They should also prevent a denial-of-service attack
▪ So that someone is not prevented from spending their money.

This brings us to the initial idea of a cryptocurrency. A "perfect" cryptocurrency should have the features listed above: no central authority, agreement among equal peers on a ledger that cannot be altered, a way to resolve disagreements, protection against forgery and double spending, and resistance to denial of service so that nobody can be stopped from spending their money.
Protocol Consideration

➢ Consumer:
▪ Privacy; Security; Protection; Regulation
➢ Business:
▪ Availability of anonymity; Cost and ease of acquisition; Availability; Risk of fraud; Liability for fraud.
➢ Financial And Government:
▪ Consumer protection; Financial loss; Privacy vs fighting crime; Federal Reserve regulation of the money.
➢ Technical Challenges:
▪ Anonymous spending; Privacy; Preventing fraud, like double spending; Cost effective

Some considerations should be taken into account when designing and developing a digital cash payment system, from the perspectives listed above: the consumer, businesses, the financial sector and government, and the technical challenges.
What is Bitcoin?

• A distributed, decentralized digital currency system
• Effectively "a bank" run by an "ad-hoc (peer-to-peer) network"
• Digital checks
• A distributed transaction log
• Nodes running the Bitcoin protocol (lightweight and full nodes)
• Released by Satoshi Nakamoto in 2008

So, as the most successful instance of a cryptocurrency, what is Bitcoin?

I believe most of you have heard about Bitcoin and cryptocurrency.

- It is a distributed, decentralized digital currency system.
- Effectively a bank run by an ad-hoc (peer-to-peer) network, with no need to rely on any centralized party.
- Released by Satoshi Nakamoto in 2008.

Note that Satoshi Nakamoto is the pseudonymous person or group of people believed to have invented Bitcoin.

It seems a simple definition of Bitcoin, right?!

But the related concepts and underlying background knowledge are quite complicated, ranging from cryptographic techniques, networking and distributed systems, and electronic cash systems to a new consensus mechanism, Proof-of-Work, and other factors like the incentive scheme.

I'm going to introduce this underlying knowledge about Bitcoin and blockchain technology right now.

Let's go through it step by step.
Bitcoin vs Traditional (centralised) Banking system

• Centralised ledger:
  • Identity: sort-code/account number
  • Authentication: physical bank card, internet/mobile banking account
  • Transactions: verified and recorded (on to the ledger) by a commercial & central bank
• Distributed Ledger:
  • Identity: public-key (e.g., Bitcoin Address = hash of hash of public-key)
  • Authentication: digital signature
  • Transactions: verified and recorded (onto the distributed ledger, i.e., the Bitcoin blockchain) by participants in the network.

So, let's see what the main differences are between the traditional centralised payment system (central bank or financial service provider) and a decentralised payment system (e.g., Bitcoin).
We consider three main features: 1- identity, 2- authentication, and 3- transactions.
A centralised banking system maintains a ledger to record all transactions and the balance sheet:
- Identity is your sort code and account number.
- To authenticate the user, it is either a physical bank card with PIN or internet/mobile banking, authorised by the banking system.
- How about the transaction: let's say Alice transfers 1 USD/1 BTC to Bob:
  - Record the transaction, then update the balances:
    - Alice's balance is reduced by 1
    - Bob's balance is increased by 1

How about in a decentralised payment system like Bitcoin?

We have a new type of LEDGER called a Distributed Ledger, which every node in the Bitcoin network can retrieve and store. In this decentralised payment system:

- Identity: public-key (e.g., Bitcoin Address = hash of hash of public-key)
- Authentication: using an (elliptic curve) digital signature
- Transactions: verified and recorded (onto the distributed ledger, i.e., the Bitcoin blockchain) by participants in the network.
Bitcoin vs Traditional (centralised) Banking system

[Figure: a centralised ledger compared with the Bitcoin distributed ledger, a chain of blocks (blockchain)]

Look at these two figures: we can see the comparison between a centralised ledger and the Bitcoin ledger.

The Bitcoin distributed ledger is composed of a chain of blocks in which the current block is linked to the previous block using the hash of the previous block header, as you can see in the figure.
That is where the term blockchain comes from.
Blockchain is the underlying technology of Bitcoin.

We will go into detail on how Bitcoin and blockchain technology work in the next few slides.
II. Cryptography and Data Structure in Bitcoin

Before going into the details of Bitcoin and the underlying blockchain technology in Bitcoin, I would like to remind you of some of the crypto techniques used in the Bitcoin system.
Blockchain Technology

➢ Blockchain is the technology behind Bitcoin
▪ Understanding the Bitcoin protocol is understanding Blockchain
➢ Blockchain underpins Bitcoin, but Blockchain goes further than Bitcoin alone

https://bitsonblocks.net/2015/09/09/a-gentle-introduction-to-blockchain-technology/

CRYPTOGRAPHY AND SECURE DEVELOPMENT
DR. NGUYEN TRUONG: [email protected]

Unravelling what the blockchain is, how it works, and what its benefits are is pretty difficult. It took me many weeks to get only a rough idea of what is going on.
Public-key Crypto

• Key pair: public-key and private-key
• In Bitcoin: Elliptic Curve Secp256k1

In Bitcoin, public-key crypto, in particular the elliptic curve called Secp256k1, is used. The curve equation is y^2 = x^3 + 7 over a 256-bit prime field.

It is used for two purposes: 1) generating identities in the Bitcoin system and 2) digital signatures for verifying transactions in the Bitcoin system.

Basically, Secp256k1 is used to generate a key pair (public key and private key) for each user of the Bitcoin system. The private key is a random 256-bit number drawn from a cryptographically secure pseudo-random generator, and the public key is the corresponding point on the Secp256k1 curve (the curve's generator point multiplied by the private key). A weak or reused random number here leaks the private key, so the quality of the generator is part of the security of the wallet.

Ok, how about digital signatures? Next slide.
Public-key Crypto: Digital Signatures

• First, create a message digest using a cryptographic hash
• Then, sign the message digest with your private key (for RSA this is often described as "encrypting the digest with the private key"; ECDSA is a signing operation over the curve, not an encryption)

→ In Bitcoin the Elliptic Curve Digital Signature Algorithm (ECDSA, Secp256k1) with the cryptographic hash SHA256 is used for authentication/transaction verification
Authentication
Integrity
Non-repudiation

The Elliptic Curve Digital Signature Algorithm, or ECDSA, is a cryptographic algorithm used by Bitcoin to ensure that funds can only be spent by their rightful owners (authentication/transaction verification). It depends on the curve and the hash function used; for Bitcoin these are Secp256k1 and SHA256 respectively.

Basically, in order to create a digital signature of a message, we first create a message digest using a cryptographic hash function (SHA256). Secondly, we sign the message digest with the private key, as you can see in the figure on the right; anyone holding the public key can then verify the signature. ECDSA ensures the authentication, integrity, and non-repudiation of a message.
Cryptographic Hash Functions

• Consistent (deterministic): hash(X) always yields the same result
• Pre-image Resistance (One-way): for any given Y in the output space, hard to find X s.t. H(X) = Y
• Second Pre-image Resistance: for a given message X, it is hard to find Y s.t. X ≠ Y and H(X) = H(Y)
• Collision resistance: hard to find any pair X ≠ Y such that H(X) = H(Y) (the attacker is free to choose both)

[Figure: message of arbitrary length → Hash Fn → fixed-size hash]

So, what is a cryptographic hash function?

- A hash function is any function that can be used to map data of arbitrary size to fixed-size values. The values returned by a hash function are called hash values, hash codes, digests, or simply hashes.
- A cryptographic hash function must have the properties listed above: consistent, pre-image resistant, second pre-image resistant and collision resistant. Note that collision resistance is the strongest of the three: in a second pre-image attack the first message is fixed, whereas in a collision attack the attacker chooses both messages, which is why a 256-bit hash such as SHA256 offers about 128 bits of collision resistance (the birthday bound) but 256 bits against pre-images.
Linked List and Blockchain

➢ A linked list is a basic data structure where a series of data blocks are linked together.
➢ Each block contains the ID (pointer) of the next one in the chain.
➢ It is possible to get to all of the blocks if we start with a pointer to the first block in the list.

➢ If each block also contains a hash of the previous block, then it is called a chain of blocks. The Bitcoin ledger is stored in a chain of blocks, or Blockchain.
➢ It is not possible to insert a block in the middle of the list.
▪ One of the hashes would disagree.

In Bitcoin, the LEDGER is stored in a chain of blocks, which is a special type of linked list data structure; hence the name Blockchain. Because every block commits to the hash of its predecessor, inserting or altering a block in the middle changes that block's hash, so the "hash of previous block" stored in its successor no longer matches; the tampering is detected unless every later block is rewritten as well.

[Figure: Simplified Bitcoin Block Chain. Three consecutive blocks; each has a Block Header containing the Hash of the Previous Block Header and a Merkle Root, followed by the Block Transactions]

Here are the figures of a linked list and of a blockchain, a special type of linked list.
Data Structure: Binary and Merkle Tree

➢ A binary tree is like a linked list, but each block has pointers to two other blocks.
➢ In a sorted binary tree, the left and right linked blocks are in sorted order.
▪ Left before, right after.
➢ It is possible to find a block, or prove that a block is not in a sorted tree, much quicker than with a linked list.
▪ Not all the blocks need to be checked.
➢ Each block in a binary tree can also contain the hashes of the two linked blocks. It is then called a Merkle tree.
▪ It is impossible to insert a block in the middle of the tree afterwards without changing every hash on the path up to the root.

In each block, many transactions are recorded. These transactions are committed to using a Merkle tree data structure. Before going to the Merkle tree, I would like to remind you a bit about binary trees (see the bullets above).

So what is a Merkle tree? Each node in the binary tree contains the hashes of its two children, and the leaves are the hashes of the transactions. Changing any leaf changes its parent's hash and so on up to the root, so the root is a compact commitment to the whole set of transactions.

[Figure: a Merkle tree over transactions Tx0, Tx1, Tx2 and Tx3, as stored in one Bitcoin block]

Here is the figure illustrating the Merkle tree data structure, and how the transactions Tx0, Tx1, Tx2 and Tx3 are stored in a Merkle tree in one Bitcoin block (right-hand side figure).
Note that the root of the Merkle tree is put in the block header.
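The Merkle tree mechanics described above, as an added worked example (illustrative code, not code from the lecture): it builds a Bitcoin-style Merkle root over constructed transaction ids with double SHA-256, produces the inclusion proof that a lightweight client needs for a single transaction, and shows that altering one transaction changes the root. The transaction contents are made up; real txids are the double SHA-256 of the serialized transaction.

```python
import hashlib


def dsha256(data: bytes) -> bytes:
    """Bitcoin's SHA-256d: SHA-256 applied twice."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def merkle_root(txids: list[bytes]) -> bytes:
    """Root of a Bitcoin-style Merkle tree over transaction ids (internal byte
    order). Pairs are concatenated and double-hashed; a level with an odd
    number of hashes duplicates its last hash before pairing."""
    if not txids:
        raise ValueError("a block always has at least the coinbase transaction")
    level = list(txids)
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [dsha256(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]


def merkle_proof(txids: list[bytes], index: int) -> list[tuple[bytes, bool]]:
    """Sibling hashes needed to recompute the root from txids[index]; the flag
    says whether the sibling sits to the right of the running hash."""
    proof = []
    level = list(txids)
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        sibling = index ^ 1
        proof.append((level[sibling], sibling > index))
        level = [dsha256(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
        index //= 2
    return proof


def verify_proof(txid: bytes, proof: list[tuple[bytes, bool]], root: bytes) -> bool:
    """What a lightweight (SPV) client does: rebuild the path to the root from
    one txid and log2(n) sibling hashes, without downloading the whole block."""
    h = txid
    for sibling, sibling_is_right in proof:
        h = dsha256(h + sibling) if sibling_is_right else dsha256(sibling + h)
    return h == root


# Constructed transactions; real txids are the SHA-256d of the serialized tx.
TXS = [b"coinbase", b"Alice->Bob 0.25", b"Alice->Eve 0.5", b"Carol->Dave 1.0"]
TXIDS = [dsha256(tx) for tx in TXS]

if __name__ == "__main__":
    root = merkle_root(TXIDS)
    proof = merkle_proof(TXIDS, 2)
    print("root:", root.hex())
    print("Tx2 is in the block:", verify_proof(TXIDS[2], proof, root))
    # Change one transaction: every hash on its path, and therefore the root, changes.
    tampered = TXIDS[:2] + [dsha256(b"Alice->Eve 5.0")] + TXIDS[3:]
    print("tampered root equals original:", merkle_root(tampered) == root)
```

One caveat worth knowing: because an odd level duplicates its last hash, the lists [a, b, c] and [a, b, c, c] produce the same root. Bitcoin Core therefore rejects blocks containing duplicate transactions (CVE-2012-2459); any validator that reimplements this tree must do the same, or a block could be made to fail validation on some nodes and pass on others.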
Back to Bitcoin

[Figure: the actors in the Bitcoin system: Miner, P2P Network, Developer]

• How to perform secure decentralized payments in Bitcoin?
• How to exchange privacy-preserving payments?
• How to make decentralized systems efficient?

Ok, let's assume that we have grasped the necessary knowledge about the cryptographic techniques used in Bitcoin. Now we are going back to Bitcoin.

To enable Bitcoin, we have to answer three general questions:

• How to perform secure decentralized payments in Bitcoin?
  • How to operate the digital currency system in a secure and decentralized manner?
  • Digital currency systems were introduced in the 1980s (David Chaum's anonymous cryptographic electronic cash (micropayment) system of 1983, for instance, based on RSA blind signatures); however they never took off, perhaps because they depended on large banks and were not really decentralised. How does Bitcoin overcome such challenges?

• How to exchange privacy-preserving payments?
  • How to make sure of the privacy of the payment?

• How to make decentralized systems efficient?
  • Increase the throughput: Bitcoin handles roughly 7-8 transactions per second, and a transaction takes from about 15 minutes to 2 hours to be considered permanently confirmed.

To do so, the Bitcoin protocol is introduced:

I'm going to present the details of the Bitcoin protocol in the next section.
III. Bitcoin Protocol

1. Bitcoin Addresses
2. Bitcoin Distributed Ledger: Bitcoin Blockchain
3. Transactions
4. Consensus Mechanism: Proof-of-Work

The Bitcoin protocol is covered in these four main aspects.

Let's go one by one.
BTC Addresses: Identity

• Identity: each user owns a private/public key pair
• Address is generated from the user's public-key:
  • Unique identifier
  • Hash of hash of a public key
• F.Y.I: Total supply is capped at 21M BTC
  • 1 Satoshi = 10^-8 Bitcoin

1EGam2BeXd8sgphB44mEYqnDyDszw4YTEr
3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy

The first important thing is the identities in the Bitcoin system, called Bitcoin addresses.
As I mentioned in the previous slide, each user has a public and private key pair.
The Bitcoin address is generated using the hash of the hash of the user's public key (two hash operations for better security).
This address is then used in transactions to exchange bitcoin and is written onto the distributed ledger (i.e., the Bitcoin blockchain).
In detail, for the classic pay-to-public-key-hash (P2PKH) address: compute RIPEMD-160(SHA-256(public key)), prepend a version byte (0x00 on mainnet), append a 4-byte checksum (the first four bytes of SHA-256(SHA-256(version || hash))), and Base58-encode the result. The leading 0x00 byte is what makes these addresses start with "1".

Examples of Bitcoin addresses: 1EGam2BeXd8sgphB44mEYqnDyDszw4YTEr (a P2PKH address, starting with "1") and 3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy (a pay-to-script-hash address, starting with "3", where the hash is of a redeem script rather than of a public key).
Bitcoin Ledger: a Blockchain

• Remind:
  • Bitcoin distributed ledger is a chain of blocks (i.e., Bitcoin blockchain)
  • Each block contains Header and Transactions
  • Nodes in the Bitcoin network are expected to store exactly the same ledger (i.e., blockchain) → reach consensus

We have identity in the ledger; now let's see how the Bitcoin ledger is constituted:

The Bitcoin distributed ledger is a chain of blocks (i.e., the Bitcoin blockchain).
Each block contains a header and transactions.
Nodes in the Bitcoin network are expected to store exactly the same blockchain. In other words, we expect all the nodes in the Bitcoin network to reach consensus about the ledger.
Bitcoin Block

• Each block contains Header and Transactions
• Header: serialized in the 80-byte format
  • Version
  • Prev. Block Header Hash
    • This ensures no previous block can be changed without also changing this block's header.
  • Merkle Root hash
  • Time
  • Bits (the encoded target that the block hash must not exceed)
  • Nonce

https://bitcoin.org/en/developer-reference#block-headers

Here is the detailed structure of the block: each block contains a header and transactions.

Header: serialized in the 80-byte format, it contains the following information:

- Version (4 bytes)
- Prev. Hash (32 bytes): a SHA256(SHA256()) hash, in internal byte order, of the previous block's header. This ensures no previous block can be changed without also changing this block's header.
- Merkle Root hash (32 bytes)
- Time (4 bytes)
- Bits (4 bytes): the target threshold in compact form
- Nonce (4 bytes): an arbitrary number miners change to modify the header hash in order to produce a hash less than or equal to the target threshold
Transactions in Bitcoin

• Transactions:
  • Data Type: Merkle Tree
  • Root hash of the Merkle Tree is written in the header
  • If any transaction is modified, then the root hash changes
  → resulting in a change of the hash of the block header.

And here is how transactions are stored in the block:

It leverages a data structure called a Merkle tree.
A hash tree or Merkle tree is a tree in which every "leaf" (node) is labelled with the cryptographic hash of a data block, and every node that is not a leaf is labelled with the cryptographic hash of the labels of its child nodes.
A hash tree allows efficient and secure verification of the contents of a large data structure. A hash tree is a generalization of a hash list and a hash chain.

- The root hash of the Merkle tree is written in the header.
- If any transaction is modified, then the root hash changes, resulting in a change of the hash of the block header.
Transactions in Bitcoin

• Transaction:
  • Alice transfers 0.25 BTC to Bob

[Figure: a transaction from Alice's wallet (@Alice) to Bob's wallet (@Bob)]

Ok, we understand the content of a block in the Bitcoin ledger.

It contains a "header" and "a number of transactions" structured using a Merkle tree.

So what is a transaction? It is a transfer of bitcoin value (e.g., from Alice to Bob) that is broadcast to the network and then collected and stored into blocks.
For instance: a transaction records the transfer of 0.25 BTC from Alice to Bob.
In the transaction, two types of information need to be specified: the input (which specifies where Alice's balance comes from) and the output (the movement from Alice's balance to Bob's balance).
Transaction in Bitcoin

• Transaction data type: "Input", "Output" and other parameters
• The input of a transaction is an output of another transaction.
  • Alice needs to claim she has 1 BTC by showing that the output of another transaction (which is 1 BTC) belongs to her.
  • To do that, Alice uses her private key to generate her digital signature.
• Outputs: define conditions using a scripting system
  • The conditions must be satisfied in order to spend the output in the next transactions

Content of a Bitcoin transaction with 1 input and 2 outputs; transaction verification uses a scripting system:

  {"hash":"7c4025...",
   "ver":1,
   "vin_sz":1,
   "vout_sz":2,
   "lock_time":0,
   "size":224,
   "in":[                                                                       <- Tx Input
     {"prev_out":
        {"hash":"2007ae...",
         "n":0},
      "scriptSig":"304502... 042b2d..."}],
   "out":[                                                                      <- Tx Outputs
     {"value":"0.25",
      "scriptPubKey":"OP_DUP OP_HASH160 a7db6f OP_EQUALVERIFY OP_CHECKSIG"},    <- Condition to Bob
     {"value":"0.75",
      "scriptPubKey":"OP_DUP OP_HASH160 34sa6f OP_EQUALVERIFY OP_CHECKSIG"}]}   <- Condition to Alice

Here is the detailed structure of a Bitcoin transaction:

The scriptPubKey of each output defines the conditions which must be satisfied to spend that output.

The input of the transaction is an output of another transaction: Alice needs to claim she has 1 BTC by showing that the output of another transaction (which is 1 BTC) belongs to her. To do that, Alice uses her private key to generate her digital signature, which goes into the scriptSig of the input.
Outputs define spending conditions using a scripting system; the conditions must be satisfied in order to spend the output in a later transaction. Here 0.25 BTC is locked to Bob's public-key hash and the remaining 0.75 BTC is returned to Alice as change.
Bitcoin Scripting System

➢ Stack-based programming language
➢ If it evaluates to true → the Bitcoin transaction is valid
➢ Many opcodes defined
➢ Execution time is critical to prevent DoS attacks: Script has no loops and is not Turing-complete, so the cost of validating a transaction is bounded
Example Script
https://developer.bitcoin.org/reference/transactions.html

<signature><publicKey> OP_CHECKSIG

Constants are pushed onto the stack; operations are executed on stack values.

To verify a transaction (inputs and outputs), a scripting system is defined in Bitcoin, consisting of various opcodes. The unlocking script (scriptSig) of the input runs first and pushes its constants, here the signature and the public key; then the locking script (scriptPubKey) of the output being spent runs on the same stack. If the script finishes without any operation failing and leaves true on top of the stack, the transaction is valid.
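A minimal interpreter for the scripts on the two slides above, added here as an example (not part of the lecture material). It evaluates <sig> <pubKey> followed by OP_DUP OP_HASH160 <pubKeyHash> OP_EQUALVERIFY OP_CHECKSIG on one stack as described, but substitutes a hash-based Lamport one-time signature for ECDSA inside OP_CHECKSIG because the Python standard library has no secp256k1; that substitution is an assumption of this example, not Bitcoin's behaviour. The keys and the "transaction" bytes are constructed. OP_HASH160 relies on hashlib providing RIPEMD-160.

```python
import hashlib


def hash160(data: bytes) -> bytes:
    """OP_HASH160 = RIPEMD-160(SHA-256(x)). Needs an OpenSSL that exposes RIPEMD-160
    to hashlib (absent from the default provider only in OpenSSL 3.0.0-3.0.6)."""
    return hashlib.new("ripemd160", hashlib.sha256(data).digest()).digest()


# Stand-in signature scheme. Bitcoin uses ECDSA over secp256k1, which the standard
# library lacks, so OP_CHECKSIG below verifies Lamport one-time signatures: hash
# based and genuinely public-key, but NOT what Bitcoin does. Script semantics are unchanged.
def lamport_keygen(seed: bytes):
    """256 pairs of 32-byte secrets (derived from a seed for a reproducible demo);
    the public key is the concatenated hashes of all 512 secrets."""
    priv = [[hashlib.sha256(seed + bytes([i, b])).digest() for b in (0, 1)] for i in range(256)]
    pub = b"".join(hashlib.sha256(s).digest() for pair in priv for s in pair)
    return priv, pub


def lamport_sign(priv, msg: bytes) -> bytes:
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return b"".join(priv[i][(h >> (255 - i)) & 1] for i in range(256))


def lamport_verify(sig: bytes, pub: bytes, msg: bytes) -> bool:
    if len(sig) != 256 * 32 or len(pub) != 512 * 32:
        return False
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    for i in range(256):
        bit = (h >> (255 - i)) & 1
        expected = pub[64 * i + 32 * bit: 64 * i + 32 * bit + 32]
        if hashlib.sha256(sig[32 * i: 32 * i + 32]).digest() != expected:
            return False
    return True


TRUE, FALSE = b"\x01", b""


def run_script(items, msg: bytes, checksig=lamport_verify) -> bool:
    """Execute scriptSig followed by scriptPubKey on one stack. bytes items are
    pushed; str items are opcodes. Succeeds iff no VERIFY fails and the top of
    the stack is truthy. A stack underflow is a failed script, not a crash."""
    stack: list[bytes] = []
    try:
        for item in items:
            if isinstance(item, bytes):
                stack.append(item)
            elif item == "OP_DUP":
                stack.append(stack[-1])
            elif item == "OP_HASH160":
                stack.append(hash160(stack.pop()))
            elif item == "OP_EQUALVERIFY":
                if stack.pop() != stack.pop():
                    return False
            elif item == "OP_CHECKSIG":
                pub, sig = stack.pop(), stack.pop()
                stack.append(TRUE if checksig(sig, pub, msg) else FALSE)
            else:
                raise ValueError(f"unsupported opcode {item}")
    except IndexError:
        return False
    return bool(stack) and stack[-1] not in (FALSE, b"\x00")


def p2pkh_script_pubkey(pub: bytes) -> list:
    """The locking script from the slide: OP_DUP OP_HASH160 <pubKeyHash> OP_EQUALVERIFY OP_CHECKSIG."""
    return ["OP_DUP", "OP_HASH160", hash160(pub), "OP_EQUALVERIFY", "OP_CHECKSIG"]


def spend(locking_script: list, priv, pub: bytes, spending_tx: bytes) -> bool:
    """Build scriptSig = <sig> <pubKey> for spending_tx and run it against the locking script."""
    return run_script([lamport_sign(priv, spending_tx), pub] + locking_script, spending_tx)


if __name__ == "__main__":
    bob_priv, bob_pub = lamport_keygen(b"bob-demo-seed")     # constructed keys
    eve_priv, eve_pub = lamport_keygen(b"eve-demo-seed")
    lock = p2pkh_script_pubkey(bob_pub)                       # an output paying Bob
    tx = b"spend 0.25 BTC output to Carol"                    # stands in for the tx digest
    print("Bob spends:", spend(lock, bob_priv, bob_pub, tx))                 # True
    print("Eve spends:", spend(lock, eve_priv, eve_pub, tx))                 # False at OP_EQUALVERIFY
    print("Bob's signature over another tx:",
          run_script([lamport_sign(bob_priv, b"other"), bob_pub] + lock, tx))   # False at OP_CHECKSIG
```

The two failure paths are the ones that matter in practice: a public key whose HASH160 does not match the output fails at OP_EQUALVERIFY before any signature is examined, and a valid key with a signature over different transaction bytes fails at OP_CHECKSIG. Bitcoin's real OP_CHECKSIG hashes the spending transaction (with the SIGHASH type) and verifies an ECDSA signature over secp256k1 against that digest; swapping lamport_verify for such a verifier is the only change needed.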
Transactions in Bitcoin

[Figure: Transaction 1 spends Alice's 1 BTC output into 0.25 BTC to Bob and 0.75 BTC back to Alice; Transaction 2 spends Alice's 0.75 BTC output into 0.5 BTC to Eve and 0.25 BTC back to Alice]
https://developer.bitcoin.org/reference/transactions.html

Another example: after transaction 1, Alice wants to transfer 0.5 BTC to Eve (transaction 2).
She claims the 0.75 BTC output of transaction 1 as the input of transaction 2, and so on. Each output can be spent only once; trying to spend the same output in two transactions is exactly the double spend that the network has to reject.

Ok, now we understand the whole structure of a block in the Bitcoin blockchain (the ledger).
Remind: a header (containing the hash of the previous block's header) and a number of transactions, which are structured using a Merkle tree.

Now let's move on to how a new block is appended to the ledger → this is called the consensus mechanism/consensus algorithm/consensus protocol.
Consensus Mechanism: Proof-of-Work

• Bitcoin is a "distributed ledger blockchain", therefore:
  • Information added to the ledger must be accurate and honest
  • The entire network agrees with the ledger's content
• A mechanism for all nodes in the Bitcoin network to cooperate and reach a common opinion (consensus):
  • Reach agreement on adding blocks to the blockchain
  • Transactions are verified
  • Content of the block is not falsified
  • Approved by all the nodes in the blockchain network
  • "Longest chain wins" rule
  • Keep all nodes in the network synchronized
  • When a new block is propagated, all nodes must validate the block and its transactions by verifying the signatures provided in the transactions

Probably many of you have heard the term Proof-of-Work in Bitcoin. Let's see what it is.

Because Bitcoin is a distributed ledger, the information added to it must be accurate and honest and the entire network must agree on its content. A consensus mechanism lets all nodes cooperate and reach a common opinion: agreement on which blocks are added, with their transactions verified and their content not falsified, under the "longest chain wins" rule that keeps all nodes synchronized. When a new block is propagated, every node validates the block and its transactions, including the signatures provided in the transactions, before accepting it.
Consensus Mechanism: Proof-of-Work

• Nonce?
  • Number only used once
  • Some nodes in the Bitcoin network try to find a nonce N such that the block header hash is at or below the target:
  → this process is known as "mining", and the nodes are "miners"

Hold on, we understand all of the information in a Bitcoin BLOCK except the term NONCE.
A nonce is an abbreviation for "number only used once".

The "nonce" in a Bitcoin block is a 32-bit (4-byte) field whose value is adjusted by miners so that the hash of the block will be less than or equal to the current target of the network.

Any change to the block data (such as the nonce) will make the block hash completely different.
Since it is believed infeasible to predict which combination of bits will result in the right hash, many different nonce values are tried, and the hash is recomputed for each value until a hash less than or equal to the current target of the network is found.

The target required is also represented as the difficulty, where a higher difficulty represents a lower target. As this iterative calculation requires time and resources, the presentation of the block with the correct nonce value constitutes proof of work.
Consensus Mechanism: Proof-of-Work

Hash(Hash(B3)|txs|N) < target = 0x000**

Hash(Block_3 | merkle_root | 0xbeed) = 0x03ef..

Hash(Block_3 | merkle_root | 0xbeee) = 0x12ef..

Hash(Block_3 | merkle_root | 0xbeef) = 0x000f..

This miner successfully find the Nonce, as a result


correctly form a new block. He claims his work by
broadcasting this block to the network
The verification is easy. But Proof-of-Work is hard.

 Proof-of-work:
 Pick a nouce such that H(prev hash, nounce,
Tx) < E. E is a variable that the system
specifies. Basically, this amounts to finding a
hash value whose leading bits are zero.
 There is no way to bypass/short cut the
calculation. Only try all possibilities to find
the nonce.
 The work required is exponential in the
number of zero bits required.

33
An example here: we try out values of the nonce
N to satisfy Hash(Hash(B3)|txs|N) < target
= 0x000**

The last value of the nonce, 0xbeef, produces the
hash 0x000f.., which satisfies the inequality;
in other words, we successfully mine a block.

• The property of the proof-of-work consensus
mechanism is that verification is easy, but
the proof of work itself is hard.
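As an added illustration (not code from the course notes), the toy miner below performs the search the last two slides describe: it packs a previous-block hash, a Merkle root and a 32-bit nonce, double-SHA-256 hashes them, and increments the nonce until the hash falls below a target with a chosen number of leading zero bits. The two header fields are constructed sample values, and the target is expressed as a count of zero bits rather than in Bitcoin's compact encoding; both are assumptions made for the example.

```python
import hashlib
import time

# Constructed sample header fields (not real Bitcoin data): stand-ins for
# Hash(B3) and the Merkle root of the transaction list shown on the slide.
PREV_HASH = hashlib.sha256(b"block 3").hexdigest()
MERKLE_ROOT = hashlib.sha256(b"txs").hexdigest()


def block_hash(prev_hash: str, merkle_root: str, nonce: int) -> int:
    """Double SHA-256 of prev_hash | merkle_root | nonce, returned as an integer.

    Mirrors the slide's Hash(Hash(B3) | txs | N). The nonce is packed as the
    32-bit little-endian field used in a real block header.
    """
    data = (bytes.fromhex(prev_hash)
            + bytes.fromhex(merkle_root)
            + nonce.to_bytes(4, "little"))
    digest = hashlib.sha256(hashlib.sha256(data).digest()).digest()
    return int.from_bytes(digest, "big")


def target_from_zero_bits(zero_bits: int) -> int:
    """Target below which every hash starts with `zero_bits` zero bits.

    A higher difficulty means more required zero bits and hence a lower target.
    """
    return 1 << (256 - zero_bits)


def mine(prev_hash: str, merkle_root: str, target: int):
    """Proof of work: try nonces 0, 1, 2, ... until hash < target.

    There is no shortcut; every candidate costs one hash evaluation.
    Returns (nonce, hash, attempts).
    """
    for nonce in range(1 << 32):
        h = block_hash(prev_hash, merkle_root, nonce)
        if h < target:
            return nonce, h, nonce + 1
    # A real miner would now change other header fields (extra nonce in the
    # coinbase, timestamp) and keep searching.
    raise RuntimeError("32-bit nonce space exhausted without a solution")


def verify(prev_hash: str, merkle_root: str, nonce: int, target: int) -> bool:
    """Verification is a single hash computation, however long mining took."""
    return block_hash(prev_hash, merkle_root, nonce) < target


if __name__ == "__main__":
    # Each extra zero bit roughly doubles the expected number of attempts.
    for bits in (8, 12, 16):
        target = target_from_zero_bits(bits)
        t0 = time.perf_counter()
        nonce, h, attempts = mine(PREV_HASH, MERKLE_ROOT, target)
        elapsed = time.perf_counter() - t0
        print(f"{bits:2d} zero bits: nonce={nonce:#x} attempts={attempts:6d} "
              f"time={elapsed:.3f}s hash={h:064x}")
        assert verify(PREV_HASH, MERKLE_ROOT, nonce, target)
```

Running the script shows the asymmetry the slide states: the attempt count grows roughly as 2^bits, while `verify` always costs one hash.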

Proof-of-Work:
Update Rule and Forks

• What happens if some miners
successfully calculate “Nonce”
and broadcast their own new
block to the network
• Network partition
• Fork
• Soft-fork: temporary
• Hard-fork: permanent
• Update Rule:
• Longest chain wins

[Figure: successful miners A, B and C and nodes X and Y; the chains diverge at Block 4 / Block 4’ and both nodes converge again on Block 4’’]

What happens if some miners successfully calculate “Nonce” and broadcast
their own new block to the network at roughly the same time?

This usually happens because it is a huge network with lots of miners, and the
broadcast of a new block takes time to reach all nodes in the network.
Let us consider two miners, A and B, that both successfully find the nonce to
produce a new block (note that their lists of transactions might be different) and
broadcast their new blocks to the network.

Consider node X and node Y in the network. X receives the new block from miner A
first; consequently, when it receives the new block from miner B, it will discard this
block.
On the other hand, node Y receives the block from B first, and thus discards the block
broadcast from A.
This will create two different blockchains in the network, called forks.

34
Proof-of-Work:
Update Rule and Fork

Eventually all the nodes will have the same blockchain (the longest one).

So at this point in time, there are two blockchains in the network. That’s alright, don’t
worry.
Let us consider the next block: for instance, miner C computes the nonce for the next
block (look at the figure on the previous slide).
The current blockchain at miner C contains the block from miner A, so miner C
mines on top of that blockchain.
Then, when it broadcasts its new block to the whole network, node Y, for instance, sees
this blockchain from miner C and switches to it, as the blockchain
from miner C is longer than its current one.
In other words, the previous block from miner B is discarded; such a block is called an
orphan block.

→ Eventually all the nodes will have the same blockchain (the longest one)
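An added simulation (not from the course notes) of the scenario on this and the previous slide: nodes X and Y hear Block 4 and Block 4’ in different orders, then miner C extends A's block and both nodes converge on the longest chain, leaving B's block orphaned. The `Node` and `Block` classes and the block names are assumptions made for the illustration. One detail goes slightly beyond the notes' "discard" wording: a node keeps the competing block as a side branch, because otherwise it could not attach miner C's block when that branch turns out to be the longer one.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Block:
    name: str
    parent: Optional[str]  # name of the previous block; None for the chain start
    miner: str


class Node:
    """Simplified full node: remembers every block it has seen and follows
    the longest chain, which is the update rule on the slide."""

    def __init__(self, name: str, start: Block) -> None:
        self.name = name
        self.blocks: Dict[str, Block] = {start.name: start}
        self.tip = start.name

    def height(self, name: str) -> int:
        h, b = 0, self.blocks[name]
        while b.parent is not None:
            b, h = self.blocks[b.parent], h + 1
        return h

    def receive(self, block: Block) -> str:
        if block.name in self.blocks:
            return "already known"
        if block.parent not in self.blocks:
            return "parent unknown"           # cannot be attached yet
        self.blocks[block.name] = block
        if self.height(block.name) > self.height(self.tip):
            self.tip = block.name             # strictly longer chain: switch
            return f"new tip {block.name}"
        # Same length: keep the first-seen tip, but remember the competitor,
        # because a later block may extend it and make that branch longer.
        return f"kept {self.tip}, stored {block.name} as side branch"

    def chain(self) -> List[str]:
        out, b = [], self.blocks[self.tip]
        while True:
            out.append(b.name)
            if b.parent is None:
                return out[::-1]
            b = self.blocks[b.parent]


def simulate_fork() -> tuple:
    """Returns (chains during the fork, chains after miner C resolves it)."""
    start = Block("Block 3", None, "-")
    x, y = Node("X", start), Node("Y", start)

    block4_a = Block("Block 4", "Block 3", "A")    # mined by A
    block4_b = Block("Block 4'", "Block 3", "B")   # mined by B at about the same time

    x.receive(block4_a)                            # X hears A first ...
    x.receive(block4_b)
    y.receive(block4_b)                            # ... Y hears B first
    y.receive(block4_a)
    during_fork = (x.chain(), y.chain())

    block5_c = Block("Block 5", "Block 4", "C")    # C builds on A's block
    x.receive(block5_c)
    y.receive(block5_c)
    after_resolve = (x.chain(), y.chain())         # Block 4' is now orphaned
    return during_fork, after_resolve


if __name__ == "__main__":
    during, after = simulate_fork()
    print("during fork:", during)
    print("after Block 5:", after)
```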

35
IV. Research on Bitcoin Security &
Privacy

36
Security in Bitcoin

• Authentication → Public Key Crypto: Digital Signatures
• Am I paying the right person? Not some other impersonator?
• Availability → Broadcast messages to the P2P network
• Can I make a transaction anytime I want?
• Integrity → Digital Signatures and Cryptographic Hash
• Is the coin double-spent?
• Can an attacker reverse or change transactions?
• Confidentiality → Pseudonymity
• Are my transactions private? Anonymous?

Ok, basically we understand the Bitcoin protocol.
Now let’s consider some security challenges in Bitcoin.


37
The first two challenges are nicely solved by using public-key cryptography / peer-to-peer
network protocols, as mentioned in the previous slides.

We are now considering the integrity and the confidentiality security aspects:
Why Proof-of-Work?

• Why do we need to use an extremely
resource-intensive computation for
“Nonce”?
• F.Y.I: Bitcoin currently consumes around 110
Terawatt Hours per year — 0.55% of global
electricity production* (2021)
• From CPU to GPU to ASICs
• Integrity: To prevent transaction
alteration/reversal and double-spending.
• Intuitively, to change/reverse a Tx, a
malicious miner needs to re-compute the
nonce for several blocks while racing
with other honest miners for new
blocks → nearly impossible

*https://ccaf.io/cbeci/index

The question here is:

Why do we need to use an extremely resource-intensive computation for “Nonce”? →
It is for Bitcoin integrity:
Integrity: To prevent transaction alteration/reversal and double-spending.
Intuitively, to change/reverse a Tx, a malicious miner needs to re-compute the
nonce for several blocks while racing with other honest miners for new blocks
→ nearly impossible

According to the Cambridge Center for Alternative Finance (CCAF), Bitcoin currently
consumes around 110 Terawatt Hours per year — 0.55% of global electricity
production, or roughly equivalent to the annual energy draw of small countries like
Malaysia or Sweden.

Bitcoin has set a new hashrate record of just shy of 150 exa-hashes per second
— 150 with 18 zeroes. This is coming less than 10 days before the 2020 bitcoin
halving.

The effects of the hashrate surge are already evident, with block explorers
registering 16 blocks mined in one hour just days ago.
This is way above the six blocks per hour on average the network is used to.

38
Bitcoin Security: Double-spend

• Attacker executes a transaction paying the victim V; the attack is carried out before payment.
• Secretly mining, using the block that includes this last transaction.
• Wait for the transaction sending the money to the victim V to receive enough
confirming blocks
→ Victim V hands over his goods, sure that the money is finally appropriated to him.
• Continue to mine the secret alternative branch until it becomes longer than the public one, after
which it is broadcast to the network
→ Since the new branch is longer than all others known, it will be considered valid,
and the BTC transfer to the victim V will be replaced by sending coins to the attacker.

[Figure: the attacker’s secret branch alongside the public branch containing the payment to Victim V]

The double-spending problem is the successful use of the same funds twice.

Here is the strategy for an attacker performing a double-spend attack:

The attacker makes a transaction transferring its money to victim V. It also mines a
new block containing this transaction.
This new block is then appended to the blockchain, and victim V sees the block
has been confirmed → the victim will hand over his goods, for instance a Tesla
car!!!
Immediately after receiving the goods, the attacker makes another transaction with
its money to another attacker account, mines a block containing this transaction,
as well as another block after this block (another fork).
Then it broadcasts this new fork to the network. As the blockchain in this fork is
longer than the first one (the one victim V confirmed), the first one, which contains
the transaction to victim V, will be discarded. → The first transaction to V is
invalidated, and the attacker successfully carries out a double-spend.

39
Bitcoin Security: Double-spend

• Double-spend attack: a race between


attackers (malicious miners) and honest
miners.
• Basically, to be successful in the double-
spend attack, the attackers need to control
> 50% computation power of the whole
Bitcoin network (i.e., 51% attack)
• This is practically impossible.
• Mining Pools:
• Probability of finding a block alone is
very small
• Unite in Mining pools
• Payout is done proportional to the work
• What if the mining pools collude and
carry out double-spend attack?

Double-spending of Bitcoin is not possible, as Bitcoin is protected against the
double-spending problem thanks to the proof-of-work and the verification of
each transaction added to the blockchain, which ensures that the funds contained
in a transaction cannot have been previously spent.
This is because:
• Double-spend attack: a race between attackers (malicious miners) and honest
miners.
• Basically, to be successful in the double-spend attack, the attackers need to control
> 50% of the computation power of the whole Bitcoin network (i.e., a 51% attack).
This is practically impossible.
However, we have the concept of a mining pool, because the probability of finding a
block alone is very small.
Thus, miners unite in mining pools, and the payout is done proportionally to the
work.
What if the mining pools collude and carry out a double-spend attack?
As you can see, ~65% of the hash-rate is divided among 5 mining pools alone!
Theoretically speaking, these big mining pools can simply team up with each
other and launch a 51% attack on the bitcoin network.

40
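The race between an attacker and honest miners described on this and the previous slide was quantified in the Bitcoin whitepaper (Nakamoto, 2008, section 11): with an attacker holding a fraction q of the hash power and the victim waiting for z confirmations, the attacker's chance of ever catching up is P = 1 − Σ_{k=0}^{z} (λ^k e^{−λ} / k!) · (1 − (q/p)^{z−k}), where p = 1 − q and λ = z·q/p. The code below is an added example, not part of the notes; it evaluates that formula and turns it into the defender's question of how many confirmations to wait for a given risk tolerance. The values of q, z and the 0.1 % threshold are inputs chosen for the illustration.

```python
import math


def attacker_success_probability(q: float, z: int) -> float:
    """Probability that an attacker with hash-power share q ever overtakes the
    honest chain after the victim has seen z confirmations (Nakamoto, 2008, s.11).

    p = 1 - q is the honest share. While the honest network mines z blocks the
    attacker's progress is Poisson with mean lambda = z*q/p; from k blocks the
    attacker still has a gambler's-ruin chance (q/p)**(z-k) of catching up.
    """
    if not 0.0 <= q < 1.0:
        raise ValueError("q must be a fraction in [0, 1)")
    p = 1.0 - q
    if q >= p:                 # 50 % or more of the hash power: the 51% attack
        return 1.0
    lam = z * q / p
    caught_up = 0.0
    for k in range(z + 1):
        poisson = math.exp(-lam) * lam ** k / math.factorial(k)
        caught_up += poisson * (1.0 - (q / p) ** (z - k))
    return 1.0 - caught_up


def confirmations_needed(q: float, max_risk: float = 0.001) -> int:
    """Smallest number of confirmations that keeps the attacker's success
    probability at or below max_risk for a given hash-power share q."""
    z = 0
    while attacker_success_probability(q, z) > max_risk:
        z += 1
        if z > 10_000:
            raise ValueError("no safe confirmation count for this q")
    return z


if __name__ == "__main__":
    for q in (0.10, 0.30, 0.45):
        print(f"attacker share q={q:.2f}: wait {confirmations_needed(q)} confirmations")
    for z in range(7):
        print(f"q=0.10, z={z}: P={attacker_success_probability(0.10, z):.7f}")
```

The output reproduces the whitepaper's table: at q = 0.1 a single confirmation still leaves the attacker about a 20 % chance, six confirmations bring it below 0.03 %, and at q = 0.3 the same 0.1 % risk needs 24 confirmations. For q ≥ 0.5 the probability is 1 regardless of z, which is the 51% attack on the slide.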
Bitcoin Privacy: Pseudonymity

• Bitcoin is pseudo-anonymous due to its BTC
addresses
• What’s wrong?
• Alice’s BTC relate to each other due to the
definition of transactions
• Combined with other side-information or
low-layer network information (e.g., IP
addresses) in the Bitcoin network
• There is a chance of figuring out the real
identity of BTC owners.
• Solutions:
• Mixer, CoinJoin, k-anonymity Privacy, N-
anonymity Privacy, Zero-Knowledge-Proof

• We’re also looking at another security aspect of Bitcoin, which is Confidentiality.
• Basically, bitcoin users don’t want to reveal their activities in the Bitcoin
network. Obviously, because the bitcoin ledger contains all transactions, balances, etc.

Here we have:
• Bitcoin is pseudo-anonymous due to its BTC addresses (like a random string of
characters)
But what’s wrong? Remember the transactions from Alice to Bob, and Alice to
Eve:
Alice’s BTC relate to each other due to the definition of transactions.
Combined with other side-information or low-layer network information (e.g.,
IP addresses) in the Bitcoin network, there is a chance of figuring out the
real identity of BTC owners.
Some solutions have been proposed, such as
Mixer, CoinJoin, k-anonymity Privacy, N-anonymity Privacy, Zero-Knowledge-Proof.
However, there is always a trade-off between privacy and performance. It is
still an ongoing research topic.

This is the end of the talk. Thank you for listening.

41
Thank you for listening

#UofGWorldChangers
@UofGlasgow

42
DayOfWeek, DayOfMonth Month 2XXX
XX.XX am/pm XX.XX am/pm
(2 hours)

DEGREES OF MSci, MEng, BEng, BSc, MA and MA (Social Sciences)

CYBER SECURITY FUNDAMENTALS (M/H)


COMPSCI5063/4062

Answer all 8 questions

This examination paper is open book and is worth a total of 60 marks.

Note: the questions without answers are from tutorials and quizzes.
The answers can be found in the Moodle page (tutorials and quizzes)
1. This part consists of 10 multiple-choice questions. A correct answer to the question is
worth 1.5 marks, an incorrect answer will result in -0.5 mark, and no answer will result in
0 marks. Only one answer is correct. [15]
(a) Which of the following is not the purpose of user authentication?
(A) access control
(B) accountability
(C) confidentiality
(D) availability
(b) Which is not the purpose of Man-in-the-middle attack?
(A) render a service inaccessible
(B) manipulate transmitted content
(C) collect information
(D) collect personal data
(c) From the technical side, which of the following is the most reasonable way to recognise a
phishing email?
(A) Checking the sender name appears in the email
(B) Clicking the link in the email content
(C) Replying to the email to confirm information
(D) Checking the contents of the email in a sandbox environment
(d) Which is the most important for the Acquisition step in computer forensics?
(A) Shut down the computer in the scene
(B) Using specific devices (e.g. write blockers) to save the raw data
(C) Save the data in a personal device
(D) Save in a format that is easy to analyse
(e) What do SQL injection and cross-site request forgery have in common?
(A) attack via SQL code
(B) attackers can edit the data saved in the server
(C) attackers can change the information shown in the website
(D) attack via sending a malicious link to the user
(f) For basic elements of access control, which of the following can be an object?
(A) Records
(B) Directory trees
(C) Mailboxes
(D) All of the above
(g) Which of the following are ignored in most access control policies?

1 CONTINUED OVERLEAF
(A) Subject attributes
(B) Object attributes
(C) Environment attributes
(D) None of the above
(h) Which of the cipher block modes supports processing multiple blocks in parallel?
(A) Cipher Block Chaining
(B) Cipher Feedback
(C) Counter
(D) None of the above
(i) In RSA, we have p=7, q=2, e=5, which of the following can be a value of d?
(A) 3
(B) 19
(C) 11
(D) None of the above
(j) What protocol is NOT a part of SSL/TLS?
(A) Handshake protocol
(B) Change cipher spec protocol
(C) Record protocol
(D) Heartbeat protocol
2. Assume a system with N job positions. For job position i, the number of individual users
in that position is Ui and the number of permissions required for the job position is Pi.
(a) For a traditional discretionary access control (DAC) scheme, how many relationships
between users and permissions must be defined? [2]
(b) For a role-based access control (RBAC) scheme, how many relationships between users
and permissions must be defined? [2]
3. (a) Briefly explain the difference between cross-site request forgery and cross-site scripting.
Focus on the difference in 1) where the vulnerability comes from and 2) the consequence if the
attack happens. [6]
(b) List the possible methods to prevent the above attacks and explain why (list two methods
for each attack). [4]
Q3: This assesses the two attacks in the web application.
4. Explain how user authentication works. List the three main types of user authentication. [6]
The answers can be found in Lecture 8
Q4: This assesses user authentication. The answer can be found in Lecture 7
5. In IEEE 802.11, open system authentication simply consists of two communications. An
authentication is requested by the client, which contains the station ID (typically the MAC
address). This is followed by an authentication response from the AP/router containing a
success or failure message. An example of when a failure may occur is if the client’s MAC
address is explicitly excluded in the AP/router configuration.

(a) What are the benefits of this authentication scheme? [2]
(b) What are the security vulnerabilities of this authentication scheme? [2]

6. For WEP, data integrity and data confidentiality are achieved using the RC4 stream
encryption algorithm. The transmitter of a MAC protocol data unit (MPDU) performs the
following steps, referred to as encapsulation:
1. The transmitter selects an initial vector (IV) value.
2. The IV value is concatenated with the WEP key shared by transmitter and receiver to
form the seed, or key input, to RC4.
3. A 32-bit cyclic redundancy check (CRC) is computed over all the bits of the MAC data
field and appended to the data field. The CRC is a common error-detection code used in
data link control protocols. In this case, the CRC serves as an integrity check value (ICV).
4. The result of step 3 is encrypted using RC4 to form the ciphertext block.
5. The plaintext IV is prepended to the ciphertext block to form the encapsulated MPDU
for transmission.
(a) Draw a block diagram that illustrates the encapsulation process. [3]
(b) Describe the steps at the receiver end to recover the plaintext and perform the integrity
check. [3]
(c) Draw a block diagram that illustrates part b. [3]
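As an added illustration for Question 6 (not part of the paper or its answer key), the code below implements the five encapsulation steps exactly as stated and the receiver-side reversal, using a textbook RC4 and the CRC-32 from `zlib`. The 40-bit key, the 24-bit IV and the frame payload are constructed sample values, and the ICV is encoded little-endian, an assumption the question leaves open. WEP's use of a linear CRC under a stream cipher is one of the reasons the protocol is deprecated; the decapsulation below only shows what the receiver checks.

```python
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key scheduling (KSA) followed by keystream generation (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                          # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                       # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encapsulate(wep_key: bytes, iv: bytes, data: bytes) -> bytes:
    """Transmitter side, following the five steps in the question."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")          # step 1: caller picks the IV
    seed = iv + wep_key                                 # step 2: IV || shared key
    icv = zlib.crc32(data).to_bytes(4, "little")        # step 3: CRC-32 as the ICV
    plaintext = data + icv
    keystream = rc4_keystream(seed, len(plaintext))
    ciphertext = xor_bytes(plaintext, keystream)        # step 4: RC4 encryption
    return iv + ciphertext                              # step 5: IV sent in the clear


def wep_decapsulate(wep_key: bytes, mpdu: bytes):
    """Receiver side: rebuild the seed from the plaintext IV, decrypt, check the ICV.
    Returns (data, icv_ok); a frame with a failed ICV must be discarded."""
    iv, ciphertext = mpdu[:3], mpdu[3:]
    seed = iv + wep_key
    plaintext = xor_bytes(ciphertext, rc4_keystream(seed, len(ciphertext)))
    data, icv = plaintext[:-4], plaintext[-4:]
    icv_ok = zlib.crc32(data).to_bytes(4, "little") == icv
    return data, icv_ok


if __name__ == "__main__":
    # Constructed sample key, IV and payload (not real network data).
    key = bytes.fromhex("0102030405")
    iv = bytes.fromhex("000102")
    frame = wep_encapsulate(key, iv, b"constructed sample frame")
    print("encapsulated MPDU:", frame.hex())
    print("receiver recovers:", wep_decapsulate(key, frame))
```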

7. Perform encryption and decryption using the RSA algorithm for the following
(a) p = 3; q = 11; e = 7; M = 5. [2]
(b) p = 5; q = 11; e = 3; M = 9. [3]
(c) p = 17; q = 31; e = 7; M = 2. [3]

8. For any block cipher, the fact that it is a nonlinear function is crucial to its security. To
see this, suppose that we have a linear block cipher EL that encrypts 128-bit blocks of
plaintext into 128-bit blocks of ciphertext. Let EL(k, m) denote the encryption of a 128-bit
message m under a key k (the actual bit length of k is irrelevant). Thus

EL(k, [m1 ⊕ m2]) = EL(k, m1) ⊕ EL(k, m2) for all 128-bit patterns m1, m2

Describe how, with 128 chosen ciphertexts, an adversary can decrypt any ciphertext
without knowledge of the secret key k. (A “chosen ciphertext” means that an adversary has
the ability to choose a ciphertext and then obtain its decryption. Here, you have 128
plaintext/ciphertext pairs to work with and you have the ability to choose the value of the
ciphertexts.) [4]

3 END OF QUESTION PAPER
