Security 6

Slides 1-2 (title and outline)
❚ Security Issues
❚ Cryptography and Cryptanalysis
❚ Basic Encryption Techniques
❚ Secret Key and Public Key Cryptosystems
❚ Digital Signatures
❚ Authentication

Slide 3 (participants)
❚ Alice: first participant
❚ Bob: second participant
❚ Carol: participant in three- and four-party protocols
❚ Dave: participant in four-party protocols

Slide 4
❚ Security on open networks: Alice wants to send a private message to Bob over a public network
❙ What if someone intercepts and reads this message? (Confidentiality);
❙ What if someone intercepts and alters this message? (Integrity);
❙ What if someone pretending to be Alice forges a message and sends it to Bob? (Authentication);
❙ What if Alice denies sending the message? (Non-repudiation of origin, Digital Signature);
❙ What if Bob denies the receipt of the message? (Non-repudiation of the destination).
❚ What if Bob wants to provide access to selected individuals only? (Access Control).

Slide 5
❚ A tool for confidentiality, integrity, authentication, non-repudiation, and digital signatures.
❚ Cryptography: the science of encryption (the good guys).
❚ Cryptanalysis: analysis of cryptographic algorithms (the bad guys).
❚ Cryptosystems:
❙ Secret Key (also known as single key, symmetric key)
❘ existing for more than 1000 years.
❙ Public Key (also known as two key, asymmetric key)
❘ since 1974;
❘ both secret key and public key systems are in use and competing with each other.

Slide 6 (secret key cryptosystem, diagram)
A: Plain Text M -> Encryption Algorithm (Key = K) -> Cipher Text C
C travels over the Insecure Channel
B: Cipher Text C -> Decryption Algorithm (Key = K) -> Plain Text M
The key K reaches both A and B over a Secure Channel.
C = E(K,M)
M = D(K,C)
where
K = key
E = Encryption Algorithm
D = Decryption Algorithm
M = Plaintext Message
C = Ciphertext Message
Slide 7
● Uses:
– Solves confidentiality and integrity problems
– Can be used for Authentication
– Can be used to securely store information on insecure media
– Integrity check
● Disadvantages:
– Key Distribution Problem: How to get the key to Alice and Bob? and to others?
– If everyone knows the Key, it is no longer a secret

Slide 8
❚ Objective of the cryptanalyst is to discover K (the real objective is to discover M).
❚ Cryptanalyst is assumed to know E and D.
❚ Four Scenarios:
❙ Ciphertext only: Cryptanalyst knows only ciphertext.
❙ Known Plaintext: Cryptanalyst knows some plaintext-ciphertext pairs.
❙ Chosen Plaintext: Cryptanalyst knows some plaintext-ciphertext pairs for plaintext of the cryptanalyst's choice.
❙ Chosen Ciphertext: Cryptanalyst knows some plaintext-ciphertext pairs for ciphertext of the cryptanalyst's choice.

Slide 9
❚ Substitution
Example table: ABCDEFGHIJKL.... is replaced by FPAQFZYTLWXM
❙ Simple Alphabetic Substitution
❘ Example: Caesar ciphers;
❘ Huge key space: 26! (approximately 10^26);
❘ Trivially broken for known plaintext attack;
❘ Easily broken for ciphertext only attack (for natural language plaintext);
❘ Multiple encipherment does not help.
❙ Combinations and iterations of substitution and permutation

Slide 10
❙ Permutation
Example: positions 1 2 3 4 are rearranged to 3 1 4 2
❘ Key space: N! for a block size of N;
❘ Trivially broken for known plaintext attack;
❘ Easily broken for ciphertext only attack (for natural language plaintext).
❙ Multiple encipherment does not help
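As an added illustration (not from the slides) of two claims above, that a simple substitution is trivially broken by known plaintext and that multiple encipherment does not help, the following Python sketch recovers a substitution key from a plaintext/ciphertext crib and shows that two substitutions composed are just one substitution. Key generation, the crib text and the helper names are all constructed here.

```python
import random
import string

ALPHABET = string.ascii_uppercase

def make_key(rng: random.Random) -> dict:
    """Simple alphabetic substitution key: one of the 26! permutations of A..Z."""
    letters = list(ALPHABET)
    rng.shuffle(letters)
    return dict(zip(ALPHABET, letters))

def encipher(text: str, key: dict) -> str:
    """Replace each letter by its image; non-letters pass through unchanged."""
    return "".join(key.get(ch, ch) for ch in text.upper())

def compose(first: dict, second: dict) -> dict:
    """Enciphering with `first` and then `second` is itself one substitution key,
    which is why multiple encipherment does not enlarge the effective key space."""
    return {p: second[first[p]] for p in ALPHABET}

def recover_key(plaintext: str, ciphertext: str) -> dict:
    """Known-plaintext attack: each (plain, cipher) letter pair fixes one key entry,
    so a crib that covers the alphabet yields the whole key with no search at all."""
    partial = {}
    for p, c in zip(plaintext.upper(), ciphertext):
        if p not in ALPHABET:
            continue
        if partial.get(p, c) != c:
            raise ValueError("pair is not consistent with a single substitution")
        partial[p] = c
    return partial

def decipher_with_partial(ciphertext: str, partial_key: dict) -> str:
    """Decipher with whatever key entries are known; '?' marks letters not yet recovered."""
    inverse = {c: p for p, c in partial_key.items()}
    return "".join(inverse.get(ch, "?") if ch in ALPHABET else ch for ch in ciphertext)
```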

Slide 11 (product ciphers)
❚ Substitution followed by permutation followed by substitution followed by permutation ....
❚ Best known examples:
❙ DES (Data Encryption Standard);
❙ SKIPJACK.
❚ Mathematics to design a strong product cipher is classified.
❚ Breakable by exhaustive search of key space for known plaintext, chosen plaintext, chosen ciphertext.
❚ Thus, security is based on computational complexity of computing the key.

Slide 12 (DES)
❚ DES is a product cipher with 56 bit key and 64 bit block size for plaintext and ciphertext.
❚ Developed by IBM and adopted by NIST (1977) with NSA approval for unclassified information (such as EFT).
❚ Efficient to implement in hardware, but relatively slow if implemented in software.
❚ Encryption and Decryption algorithms are public, but the design principles are classified.
❚ The size of the key (56-bits) is one of the most controversial aspects of DES.
Slide 13 (DES)
❚ Algorithm:
❙ initial permutation;
❙ the 56 bit key is used to generate sixteen 48-bit keys;
❙ 16 rounds of substitution and permutation are performed;
❙ swap left and right halves;
❙ final permutation.

Slide 14 (one DES round, diagram)
Encryption: 64-bit input, split into 32-bit Ln and 32-bit Rn; Rn and the round key Kn enter the Mangler Function; its output is combined (+) with Ln; the resulting 32-bit Ln+1 and 32-bit Rn+1 form the 64-bit output.
Decryption: the same round structure run in the opposite direction, from the 64-bit output (32-bit Ln+1, 32-bit Rn+1) through the Mangler Function with Kn and (+) back to 32-bit Ln, 32-bit Rn and the 64-bit input.

Slide 15 (DES history and attacks)
❚ 1977: approved as a Federal standard with 5 year cycle of re-certification;
❚ 1987: reluctantly re-approved for 5 years;
❚ 1992: reaffirmed by NIST.
❚ DES known plaintext attack
❙ 56-bit key can be broken in 2^55 = 3.6*10^6 trials.
❙ Responding to RSA's Challenge, in June 1997, hackers led by Rocke Verser of Loveland, CO, broke DES in 5 months by distributing code breaking software over the Internet and making use of idle moments of computers.
❙ Triple DES.

Slide 16 (exhaustive key search, time required)
Key size:        56 bits          76 bits (3.8*10^22 trials)   46 bits (3.5*10^13 trials)
trials/second    Time required    Time required                Time required
1                10^9 years       10^15 years                  10^6 years
10^3             10^6 years       10^12 years                  10^3 years
10^6             10^3 years       10^9 years                   1 year
10^9             1 year           10^6 years                   10 hours
10^12            10 hours         10^3 years                   40 seconds

B @A @ ’Ž”> ¿ € DA?AA — AA Az @


A
< @ @A.  =?AA?@v› ¿À—  ž
❚ H[i.Rl/˜(0¨srX/UVª«­i ¬ [9;(0s/ ❚ Responding to a challenge from RSA Data Security Inc.,
❙ ©
K% ¯
° % (-:ƒ+"  ±²X1,(-6)"  ³
³8(K%
6.1
 ³
DES was broken in 22 + .. Hours (Feb 1999).

❙ ®
❚ Jan, 1997, NIST initiated the development of AES

❙ ´
*
: +87K +,/[-,% K³,¯
:0:ƒ%ƒ9;(0818 © 4o30:
µeK°:ƒ$
" ¯­1,:ƒ" ¯ ❙ Features

❚ Rpqdr·¶8R_OQI=M#_\ OeN Y_\=b pa\ OQ\d5_J*M PXW0OsN Y_¸rVb Z*YM#N Os]*no¹


❘ unclassified, royalty-free algorithms;

❙ ©
/˜(0/jº,»
ª^¬
 @9Q(e/ ❘ support 128-bit block sizes and 128-, 192-, and

2❙ ¼ 7(5+j$8/8(¯^ +68:ƒ+8Q$
+,6£8 :ƒ+@°j 81j³
$
¬"  6o9Q(0 256- bit key sizes.

6)%  ³8 :3*% K³


1,e½K/
$86.1[/o +@818(~4
4*¾³0% : :06£:ƒ" ❚ Apr 1999, selected five candidate algorithms.
❚ May 2000, will propose AES.
❚ Summer 2001, the standard will be completed.

17 18

3
Slide 19 (secret key cryptosystems)
❚ Confidentiality depends only on the secrecy of the key.
❚ Attacker is assumed to know E and D.
❚ Uses:
❙ Solves confidentiality and integrity problems;
❙ Can be used for Authentication;
❙ Can be used to securely store information on insecure media;
❙ Integrity check.
❚ Disadvantages:
❙ do not scale well:
❘ With N parties we need to generate and distribute N*(N-1)/2 keys.
❙ Key Distribution Problem: How to get the key to Alice and Bob? and to others?
❙ If everyone knows the Key, it is no longer a secret.

Slide 20 (key distribution)
❚ Long-term keys
❙ prolonged use increases exposure.
❚ Session keys
❙ short-term keys communicated by means of
❘ long-term secret keys;
❘ public key technology.
❚ Public Key Cryptosystem
❙ solves the problem of key distribution provided a reliable channel for communication of public keys can be implemented.

Slide 21 (public key cryptosystem, diagram)
A: Plaintext -> Encryption Algorithm (B's Public Key) -> Ciphertext
B: Ciphertext -> Decryption Algorithm (B's Private Key) -> Plaintext
B's public key reaches A over a Reliable Channel.
C = E(KE-B,M)
M = D(KD-B,C)
where
KE-B = Public (encryption) key of B, known to all
KD-B = Private (decryption) key of B, known only to B
E = Encryption Algorithm
D = Decryption Algorithm
M = Plaintext Message
C = Ciphertext Message
Security is based on infeasibility of computing B's private key, given the knowledge of
– B's public key
– chosen plaintext
– chosen ciphertext

Slide 22
❚ A brief history
❙ Concept conceived by Diffie and Hellman in 1976.
❙ Rivest, Shamir and Adleman (RSA) were first to describe a public key system in 1978.
❙ Merkle and Hellman published a different solution, later in 1978.
❙ Many proposals have been broken (including the 1978 Merkle-Hellman proposal broken by Shamir).
❚ Current systems
❙ RSA;
❙ Diffie-Hellman;
❙ El Gamal

< ŽÃ Az A¸ AG @u ›ƒA @œ˜Až ¤  ¿


❚ public key KE is (n,e)
❚ Solves the key distribution problem provided there ❚ private key KD is (n,d)
is a reliable channel for communication of public
keys. ❚ n is a 200 digit number
❚ Requires reliable dissemination of one public ❚ C = Me mod n; M = Cd mod n
key/party. ❚ Generation of public and private keys
❚ Scales well for large scale systems. ❙ choose 2 large (100 digit) prime numbers p and q;
❚ Confidentiality based on infeasibility of computing ❙ compute n = p*q;
B’s private key from B’s public key. ❙ choose e relatively prime to (p-1)*(q-1);
❚ Key sizes are large (512 bits and more) to make this ❙ Compute d such that e*d = 1 mod (p-1)*(q-1);
computation infeasible ❘ If factorization of n into p*q is known, this is easy
to do otherwise, it is very hard to do.
23 24

4
Slide 25 (RSA example)
❚ Example:
❙ d = 3
❙ e = 7
❙ n = 10
❙ Let M = 2
❙ C = 2^7 mod 10 = 128 mod 10 = 8
❙ M = 8^3 mod 10 = 512 mod 10 = 2
❙ This works for any M
❚ How hard is it to compute d given (e,n)?
❙ We do not know. But it is no harder than factoring n into p*q.
❙ Thus, security of RSA is no better than the complexity of the factoring problem.

Slide 26 (RSA vs. DES)
❚ Fastest implementations of RSA can encrypt kilobits/sec;
❚ Fastest implementations of DES can encrypt megabits/sec;
❚ This thousand-fold difference in speed is likely to remain independent of technological advances;
❚ It is often proposed that RSA be used for secure exchange of DES keys;
❚ Key size of RSA is selected by the user;
❙ many implementations choose n to be 154 digits (512 bits) so the key (n,e) is 1024 bits;
❙ key size of DES is 64 bits (56 bits plus 8 parity bits);
❚ Key size should be chosen conservatively;
❙ at present it appears that 130 digit numbers can be factored in several months using a lot of idle workstations.

Slide 27 (digital signatures with RSA)
❚ RSA has an important property not shared by other public key systems
❙ encryption and decryption are commutative;
❘ encryption followed by decryption yields the original message: (M^e mod n)^d mod n = M;
❘ Decryption followed by encryption yields the original message: (M^d mod n)^e mod n = M
❚ Any cryptosystem which preserves message length will have this commutative property.

Slide 28 (signature and encryption with RSA, diagram)
Signature: A: Plaintext -> Decryption Algorithm (A's Private Key) -> Ciphertext; B: Ciphertext -> Encryption Algorithm (A's Public Key) -> Plaintext. A's public key reaches B over a Reliable Channel.
Encryption: A: Plaintext -> Encryption Algorithm (B's Public Key) -> Ciphertext; B: Ciphertext -> Decryption Algorithm (B's Private Key) -> Plaintext. B's public key reaches A over a Reliable Channel.
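The RSA key generation of slide 24, the worked numbers of slide 25 and the commutativity of slide 27 in one added Python example (mine, not the lecture's code). It uses the slide's toy values d = 3, e = 7, n = 10 (p = 2, q = 5) and a second constructed key pair (p = 11, q = 13) so that the sign-then-encrypt flow of the later diagram can be run end to end; the helper names are my own.

```python
from math import gcd

def rsa_keygen(p: int, q: int, e: int) -> tuple:
    """Slide 24: n = p*q, e relatively prime to (p-1)*(q-1), d with e*d = 1 mod (p-1)*(q-1)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to (p-1)*(q-1)")
    d = pow(e, -1, phi)          # easy only because p and q, the factorization of n, are known
    return (n, e), (n, d)        # public key KE = (n,e), private key KD = (n,d)

def rsa_apply(x: int, key: tuple) -> int:
    """x^exponent mod n; x must be a number in [0, n) to be recoverable."""
    n, exponent = key
    if not 0 <= x < n:
        raise ValueError("value must be an integer in [0, n)")
    return pow(x, exponent, n)

def encrypt(m: int, public_key: tuple) -> int:
    return rsa_apply(m, public_key)       # C = M^e mod n

def decrypt(c: int, private_key: tuple) -> int:
    return rsa_apply(c, private_key)      # M = C^d mod n

def sign(m: int, private_key: tuple) -> int:
    return rsa_apply(m, private_key)      # slide 27: "decryption" applied first

def verify(s: int, public_key: tuple) -> int:
    return rsa_apply(s, public_key)       # "encryption" then recovers M

def sign_then_encrypt(m: int, sender_private: tuple, receiver_public: tuple) -> int:
    """Sender side of the signature-first flow. Constructed requirement: the sender's n
    must not exceed the receiver's n, or the signed value does not fit the receiver's key."""
    return encrypt(sign(m, sender_private), receiver_public)

def decrypt_then_verify(c: int, receiver_private: tuple, sender_public: tuple) -> int:
    """Receiver side: strip B's encryption, then check A's signature by recovering M."""
    return verify(decrypt(c, receiver_private), sender_public)
```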

Slide 29 (signature followed by encryption, diagram)
A: Plain Text -> D (A's Private Key) -> Signed Plain Text -> E (B's Public Key) -> Encrypted Signed Plain Text
B: Encrypted Signed Plain Text -> D (B's Private Key) -> Signed Plain Text -> E (A's Public Key) -> Plain Text

Slide 30
❚ In general, non-repudiation requires a notarized signature, involving a third party in addition to A and B.
❚ In large systems this can involve hierarchies of notarization.
❚ We could do the encryption first followed by the signature. Signature first has the advantage that the signature can be verified by parties other than B.
❚ We could use DES for encryption
Slide 31 (Diffie-Hellman key exchange)
❚ System-wide constants for all principals
❙ p prime number;
❙ g integer.
❚ A chooses random SA, sends TA = g^SA mod p to B.
❚ B chooses random SB, sends TB = g^SB mod p to A.
❚ A computes K = TB^SA mod p = g^(SB*SA) mod p.
❚ B computes K = TA^SB mod p = g^(SA*SB) mod p.
❚ Requires no prior communication between A and B.
❚ Security depends on the difficulty of computing x given y = g^x mod p. This is the discrete logarithm problem, which has similar but not identical complexity to factorization.
❚ Susceptible to the bucket-brigade (intruder-in-the-middle) attack: A shares K1 with C and C shares K2 with B (diagram: A --K1-- C --K2-- B).

Slide 32 (hash functions)
❚ Also known as message digest or message authentication codes
❚ H(M) = m
❙ H is the one-way function, i.e., easy to compute but difficult to invert;
❙ M is a long message (say 1 megabyte);
❙ m is a short (say 128 bit) digest.
❚ Authenticity of a message can be checked by computing H(M) = m, and comparing with the transmitted m.
❚ This requires that the digest m be either
❙ transmitted over a more secure channel than M, e.g., M is a disk transmitted by mail, m is transmitted via phone, or
❙ digitally signed, which may be easier than signing M.
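The exchange of slide 31 as an added Python example (not from the slides), together with a model of the bucket-brigade case it warns about. The constants p = 23 and g = 5 are constructed toy values, far too small for real use; they only keep the arithmetic visible. The point of the second function is that A and B end up with different keys yet nothing in the exchange tells them so, which is what an authenticated channel for the T values (for example certificates, slide 44) adds.

```python
import secrets

# Toy system-wide constants (constructed): p prime, g integer, as on the slide.
P, G = 23, 5

def public_value(secret: int, p: int = P, g: int = G) -> int:
    """T = g^S mod p: the value a principal sends over the network."""
    return pow(g, secret, p)

def shared_key(their_public: int, my_secret: int, p: int = P) -> int:
    """K = T^S mod p; both sides reach g^(SA*SB) mod p."""
    return pow(their_public, my_secret, p)

def honest_exchange(s_a: int, s_b: int) -> tuple:
    """A and B exchange TA and TB; each computes K, and the two results agree."""
    t_a, t_b = public_value(s_a), public_value(s_b)
    return shared_key(t_b, s_a), shared_key(t_a, s_b)

def bucket_brigade(s_a: int, s_b: int, s_c: int) -> dict:
    """Intruder C replaces each T in transit with its own TC: A shares K1 with C and
    B shares K2 with C. The T values carry no proof of origin, so A and B cannot
    tell this run from an honest one without an authenticated channel."""
    t_a, t_b, t_c = public_value(s_a), public_value(s_b), public_value(s_c)
    return {
        "A": shared_key(t_c, s_a),          # A believes TC came from B
        "B": shared_key(t_c, s_b),          # B believes TC came from A
        "C_with_A": shared_key(t_a, s_c),   # K1
        "C_with_B": shared_key(t_b, s_c),   # K2
    }

if __name__ == "__main__":
    s_a = secrets.randbelow(P - 3) + 2      # random secret exponent in [2, p-2]
    s_b = secrets.randbelow(P - 3) + 2
    print("honest exchange:", honest_exchange(s_a, s_b))
    print("relayed by C:", bucket_brigade(s_a, s_b, secrets.randbelow(P - 3) + 2))
```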

BÆ,FŠ?€ ¦ ?A> ‘ AA =



›5A @œ˜ž ¿  @ 
? @.
❚ Weak hash function ❚ Authentication is a process of reliably verifying the
❙ given M and H(M) it should be difficult to find M' such that identity of a person or a computer system.
H(M') = H(M)
❚ Approaches
❚ Strong hash function ❙ password-based;
❙ it should be difficult to find any two M1 and M2 such that ❙ address-based;
H(M1) = H(M2);
❙ Cryptographic.
❙ for a n bit digest birthday attack will allow M1, M2 to be
found in 2(n/2) operation; ❚ Commercial system: Kerberos
❙ strong hash function should have 128 bits.

33 34
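An added Python example (not from the slides) that makes the 2^(n/2) versus 2^n distinction of slide 33 observable. The "hash" is a constructed toy: the leading n bits of SHA-256, with n small enough that both searches finish in well under a second; the slide's 128-bit recommendation corresponds to 2^64 collision work, which is what the last function reports.

```python
import hashlib

def digest_bits(msg: bytes, n_bits: int) -> int:
    """Constructed toy n-bit hash: the leading n bits of SHA-256."""
    full = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return full >> (256 - n_bits)

def find_collision(n_bits: int) -> tuple:
    """Strong-hash requirement: any M1 != M2 with H(M1) = H(M2). Hashing fresh messages
    and remembering every digest finds a pair after about 2^(n/2) tries (birthday bound)."""
    seen = {}
    tries = 0
    while True:
        m = b"msg-%d" % tries
        tries += 1
        h = digest_bits(m, n_bits)
        if h in seen:
            return seen[h], m, tries
        seen[h] = m

def find_second_preimage(target: bytes, n_bits: int) -> tuple:
    """Weak-hash requirement: given M and H(M), find M' != M with the same digest.
    There is no birthday shortcut here, so this costs about 2^n tries."""
    want = digest_bits(target, n_bits)
    tries = 0
    while True:
        m = b"alt-%d" % tries           # a different prefix guarantees M' != M
        tries += 1
        if digest_bits(m, n_bits) == want:
            return m, tries

def expected_work(n_bits: int) -> tuple:
    """(collision, second preimage) work from the slide: 2^(n/2) and 2^n."""
    return 2 ** (n_bits // 2), 2 ** n_bits
```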

Slide 35 (password-based authentication)
❚ Authentication is done by sending a password to the server and the server verifying the password.
❚ Problem: eavesdropping.
❚ Typically the passwords are stored in an encrypted form
❙ either within the server;
❘ How can the key be kept secret?
❙ at an authentication storage node such as Sun's Network Information Service (NIS).
❚ On-line as well as off-line password guessing attacks are possible.

Slide 36 (address-based authentication)
❚ Not based on passwords
❚ Rather, identification is based on the network address of the source.
❚ If a user who has an account on A requests access to system B
❙ B maintains a list of addresses of all machines
❘ if B has A's address, then access is granted;
❘ requires users to have the same login name on all systems;
❘ in UNIX /etc/hosts.equiv file.
❙ B maintains <address, remote account name, local account name>
❘ a request from A is honored if the user local account name is authorized to do the request;
❘ in UNIX, .rhosts file which a user can create.
Slide 37 (address-based authentication, continued)
❚ Is safe from eavesdropping (thus more secure than password based) but is vulnerable to other attacks;
❙ what if someone gains access to system A;
❙ network address impersonation.

Slide 38 (cryptographic authentication)
❚ Secret key cryptography
❙ Alice and Bob verify each other's identity
❘ r is a key.
A -> B: rA (challenge)
B -> A: rA encrypted with KAB
B -> A: rB (challenge)
A -> B: rB encrypted with KAB

Slide 39 (cryptographic authentication, continued)
❚ Public key cryptography
❙ Alice verifies Bob's identity:
A -> B: r encrypted with eB
B decrypts with dB
B -> A: r
❙ Bob verifies Alice's identity:
B -> A: r
A -> B: r encrypted with dA
B decrypts with eA

Slide 40
❚ Reflection attack (secret key)
A -> B: "I'm Alice", rA
B -> A: rB, rA encrypted with KAB
A -> B: rB encrypted with KAB
❙ Use different keys for authenticating Alice and Bob,
❙ Use different challenges for the initiator and responder.
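The mutual challenge/response of slide 38 with the two remedies of slide 40 built in, as an added Python example (mine, not the lecture's). Assumptions: "r encrypted with KAB" is modelled by a keyed one-way function (HMAC-SHA256) rather than a block cipher, there is one key per direction, and the `Party` class and its method names are my own.

```python
import hmac
import hashlib
import secrets

def respond(key: bytes, challenge: bytes) -> bytes:
    """Stand-in for 'r encrypted with KAB': a keyed function the peer cannot compute without the key."""
    return hmac.new(key, challenge, hashlib.sha256).digest()

class Party:
    """One principal. Two guards from slide 40: a different key per direction, and a
    party never answers a challenge it issued itself."""
    def __init__(self, key_to_prove_ourselves: bytes, key_peer_proves_with: bytes):
        self.k_prove = key_to_prove_ourselves   # used when we answer the peer's challenge
        self.k_expect = key_peer_proves_with    # used to check the peer's answer to ours
        self.open_challenges = set()

    def new_challenge(self) -> bytes:
        r = secrets.token_bytes(16)             # fresh random challenge, usable once
        self.open_challenges.add(r)
        return r

    def answer(self, challenge: bytes) -> bytes:
        if challenge in self.open_challenges:   # reflection guard: never echo our own challenge
            raise ValueError("refusing to answer a challenge we issued")
        return respond(self.k_prove, challenge)

    def check(self, challenge: bytes, response: bytes) -> bool:
        if challenge not in self.open_challenges:   # unknown or already used: treat as replay
            return False
        self.open_challenges.discard(challenge)
        return hmac.compare_digest(respond(self.k_expect, challenge), response)

def mutual_auth(alice: Party, bob: Party) -> tuple:
    """Honest run of slide 38: each side challenges the other and checks the reply."""
    r_a = alice.new_challenge()
    bob_is_genuine = alice.check(r_a, bob.answer(r_a))
    r_b = bob.new_challenge()
    alice_is_genuine = bob.check(r_b, alice.answer(r_b))
    return bob_is_genuine, alice_is_genuine

def reflection_attempt(bob: Party) -> bool:
    """Slide 40's scenario: Bob's own challenge is returned to him in a second session
    so that he computes the answer. With the guards above this never authenticates."""
    r_b = bob.new_challenge()
    try:
        echoed = bob.answer(r_b)
    except ValueError:
        return False
    return bob.check(r_b, echoed)   # not reached with the guard; would fail anyway: wrong key
```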

Slide 41
❚ A -> B: "I'm Alice" encrypted with KAB, timestamped
B -> A: Reply encrypted with KAB, timestamp+1
❚ Public key
A -> B: "I'm Alice", encrypt r1 with eB
B -> A: r1, encrypt r2 with eA
A -> B: r2

Slide 42 (key distribution center)
❚ KDC (Key Distribution Center)
❙ With secret key cryptographic authentication each node needs to know n-1 keys if there are n nodes;
❙ Alternatively, all keys are stored at a single place, KDC;
❙ If A wants to talk to B,
❘ A first talks to KDC securely since A and KDC share a key and asks for B's key;
❘ KDC authenticates A, generates a key KAB common to A and B, sends it to A by encrypting it with A's key, sends the same to B by encrypting with B's key (ticket).
Slide 43
❚ KDC continued
❙ Disadvantages:
❘ If KDC is compromised, all the network resources are vulnerable;
❘ Failure of KDC stalls everything in the network;
❘ KDC might be a performance bottleneck;
❘ multiple KDCs can alleviate the last two problems.

Slide 44 (certification authority)
❚ Certification Authority
❙ public key equivalent of KDC;
❙ generates signed messages called certificates for each node (X.509 specifies the standard);
❙ unlike KDC
❘ CA need not be on-line;
❘ not security-sensitive;
❘ network will not crash if CA crashes (but creating a new user could be a problem);
❘ does not cause performance bottleneck;
❘ thus multiple CAs are not required.

Slide 45
❚ CA continued
❙ Disadvantage:
❘ certificate revocation is not trivial;
❘ periodically posts a certificate revocation list (CRL) (specified in X.509);
❘ applications or users need to verify (1) if a node has a signed, unexpired CA and is not included in CRL

Slide 46 (access control, diagram)
❚ Access matrix: principals, resources, and a subset of generic access rights, or operations

 
Slide 47
❚ Provide content-based authorization
❚ Provide secure payment mechanism with low overhead for EC materials
❚ Provide mechanisms to allow anonymous access to fee-based EC
❚ Provide mechanisms to audit access of EC objects while upholding confidentiality
❚ Support copyright protection and copy prevention
