Chapter 2

Cryptographic Tools
 Symmetric Encryption
• The universal technique for providing confidentiality for
transmitted or stored data
• Also referred to as conventional encryption or single-key
encryption

• Two requirements for secure use:

• Need a strong encryption algorithm
• Sender and receiver must have obtained copies
of the secret key in a secure fashion and must
keep the key secure
 Attacking Symmetric
Encryption
Cryptanalytic Attacks Brute-Force Attack
 Rely on:  Try all possible keys on some
 Nature of the algorithm ciphertext until an intelligible
 Some knowledge of the general translation into plaintext is obtained
characteristics of the plaintext  On average half of all possible keys
must be tried to achieve success
 Some sample plaintext-ciphertext
pairs
 Exploits the characteristics of the
algorithm to attempt to deduce a
specific plaintext or the key being
used
 If successful all future and past
messages encrypted with that key are
compromised
 Table 2.1

Comparison of Three Popular Symmetric

Encryption Algorithms
Data Encryption Standard
(DES)
The most widely used encryption scheme
FIPS PUB 46
Referred to as the Data Encryption Algorithm (DEA)
Uses 64 bit plaintext block and 56 bit key to produce a 64
bit ciphertext block

Strength concerns:
Concerns about algorithm
DES is the most studied encryption algorithm in existence
Use of 56-bit key
Electronic Frontier Foundation (EFF) announced in July
1998 that it had broken a DES encryption
 Table 2.2

Average Time Required for Exhaustive Key Search

 Triple DES (3DES)
 Repeats basic DES algorithm three times using either two or
three unique keys
 First standardized for use in financial applications in ANSI
standard X9.17 in 1985
 Attractions:
 168-bit key length overcomes the vulnerability to brute-force attack of
DES
 Underlying encryption algorithm is the same as in DES
 Drawbacks:
 Algorithm is sluggish in software
 Uses a 64-bit block size
 Advanced Encryption
Standard (AES)
NIST called for
Needed a Selected
proposals for a
replacement for Rijndael in
new AES in
3DES November 2001
1997
Should have a security
strength equal to or better
than 3DES

Significantly improved
3DES was not efficiency
Published as
reasonable for
long term use FIPS 197
Symmetric block cipher

128 bit data and

128/192/256 bit keys
Practical Security Issues
 Typically symmetric encryption is applied to a unit of data
larger than a single 64-bit or 128-bit block
 Electronic codebook (ECB) mode is the simplest approach to
multiple-block encryption
 Each block of plaintext is encrypted using the same key
 Cryptanalysts may be able to exploit regularities in the plaintext

 Modes of operation
 Alternative techniques developed to increase the security of symmetric
block encryption for large sequences
 Overcomes the weaknesses of ECB
 Block & Stream Ciphers
Block Cipher

• Processes the input one block of elements at a time

• Produces an output block for each input block
• Can reuse keys
• More common

Stream Cipher
• Processes the input elements continuously
• Produces output one element at a time
• Primary advantage is that they are almost always faster and use far less
code
• Encrypts plaintext one byte at a time
• Pseudorandom stream is one that is unpredictable without knowledge of
the input key
Message Authentication

Protects against
active attacks

Verifies received • Contents have not been altered

• From authentic source
message is authentic • Timely and in correct sequence

Can use
• Only sender & receiver share a
conventional key
encryption
Hash Function Requirements
Can be applied to a block of data of any size

Produces a fixed-length output

H(x) is relatively easy to compute for any given x

One-way or pre-image resistant

• Computationally infeasible to find x such that H(x) = h

Computationally infeasible to find y ≠ x such that H(y) = H(x)

Collision resistant or strong collision resistance

• Computationally infeasible to find any pair (x,y) such that H(x) = H(y)
Security of Hash Functions
SHA most widely
There are two used hash algorithm
Additional secure
approaches to
hash function
attacking a secure
applications:
hash function:

Cryptanalysis Passwords
• Exploit logical weaknesses in • Hash of a password is stored
the algorithm by an operating system

Brute-force attack Intrusion detection

• Strength of hash function • Store H(F) for each file on a
depends solely on the length system and secure the hash
of the hash code produced by values
the algorithm
Public-Key Encryption Structure

Asymmetric
• Uses two
Publicly separate keys Some form of
proposed by Based on • Public key and protocol is
Diffie and mathematical private key needed for
Hellman in functions • Public key is
distribution
1976 made public for
others to use
 Plaintext
 Readable message or data that is fed into the algorithm as input
 Encryption algorithm
 Performs transformations on the plaintext
 Public and private key
 Pair of keys, one for encryption, one for decryption
 Ciphertext
 Scrambled message produced as output
 Decryption key
 Produces the original plaintext
 User encrypts data using his or her own
private key

 Anyone who knows the corresponding

public key will be able to decrypt the
message
 Table 2.3

Applications for Public-Key Cryptosystems

Requirements for Public-Key
Cryptosystems
Computationally easy to
create key pairs

Computationally easy
Useful if either key can for sender knowing
be used for each role public key to encrypt
messages

Computationally Computationally easy

infeasible for opponent for receiver knowing
to otherwise recover private key to decrypt
original message ciphertext

Computationally
infeasible for opponent to
determine private key
from public key
 Asymmetric Encryption
Algorithms
RSA (Rivest, Most widely accepted and
Block cipher in which the
Shamir, Developed in 1977 implemented approach to
public-key encryption
plaintext and ciphertext are
integers between 0 and n-1 for

Adleman) some n.

Diffie-Hellman Enables two users to securely

reach agreement about a
key exchange shared secret that can be used
as a secret key for subsequent
Limited to the exchange of the
keys

algorithm symmetric encryption of

messages

Digital
Signature Provides only a digital
signature function with SHA-1
Cannot be used for encryption
or key exchange

Standard (DSS)

Elliptic curve
cryptography Security like RSA, but with
much smaller keys

(ECC)
 Digital Signatures
 Used for authenticating both source and data integrity
 Created by encrypting hash code with private key
 Does not provide confidentiality
 Even in the case of complete encryption
 Message is safe from alteration but not eavesdropping
 Digital
Envelopes
 Protects a message without
needing to first arrange for
sender and receiver to have
the same secret key

 Equates to the same thing

as a sealed envelope
containing an unsigned
letter
Random  Keys for public-key
Numbers algorithms
 Stream key for symmetric
stream cipher
 Symmetric key for use as a
temporary session key or in
creating a digital envelope
Uses include
generation of:  Handshaking to prevent
replay attacks
 Random Number
Requirements
Randomness In applications such as reciprocal
 Criteria: authentication and session key generation
 Uniform distribution the successive members of the sequence
 Frequency of occurrence of each
are unpredictable
of the numbers should be
approximately the same
 Independence  Each number is statistically
 No one value in the sequence independent of other numbers in
can be inferred from the others the sequence
 Opponent should not be able to
predict future elements of the
sequence on the basis of earlier
elements
 Random versus
Pseudorandom
Cryptographic applications typically make use of algorithmic
techniques for random number generation
• Algorithms are deterministic and therefore produce sequences of numbers that are not
statistically random

Pseudorandom numbers are:

• Sequences produced by an algorithms that satisfy statistical randomness tests
• Likely to be predictable

True random number generator (TRNG):

• Uses a nondeterministic source to produce randomness
• Most operate by measuring unpredictable natural processes
• e.g. radiation, gas discharge, leaky capacitors
• Increasingly provided on modern processors
 Practical Application:
Encryption of Stored Data
Common to encrypt transmitted data

Much less common for stored data

There is often little protection
beyond domain authentication
and operating system access
controls
Approaches to encrypt stored data:
Data are archived for indefinite
periods
Use a commercially
Library based tape Background laptop/PC
available encryption Back-end appliance
encryption data encryption
package such as PGP
Even though erased, until disk sectors
are reused data are recoverable
 Summary
• Confidentiality with
symmetric encryption • Public-key encryption
 Symmetric encryption  Structure
 Applications for public-key
 Symmetric block encryption cryptosystems
algorithms  Requirements for public-key
 Stream ciphers cryptography
 Asymmetric encryption
• Message authentication algorithms
and hash functions • Digital signatures and
 Authentication using symmetric
encryption
key management
 Digital signature
 Message authentication without
 Public-key certificates
message encryption  Symmetric key exchange using
 Secure hash functions public-key encryption
 Other applications of hash functions  Digital envelopes

• Random and
pseudorandom numbers
 The use of random numbers
 Random versus pseudorandom