Introduction to Network Security Gerald A. Marin These slides are provided solely for the use of FIT students taking this course in Network Security. No further copies are permitted Some materials are permitted for classroom use permitted. by other authors, who retain all copyrights. In particular, a number of slides in this section represent copyright protected material t i l that th t accompanies i the th text t t Computer C t Networking N t ki by b J. F. Kurose and K. W. Ross; they are used with the authors’ permission. Network Security

1-1

Organ zat on Organization What is network security? Principles of cryptography Security Requirements: Confidentiality, Confidentiality

authentication, … Key Distribution and certification Access control: firewalls Attacks and counter measures

Network Security

1-2

What iss network security? secur ty? Confidentiality: y only y sender, intended receiver should “understand” message contents sender encrypts message receiver decrypts message Authentication: sender, receiver want to confirm identity of each other Message Integrity: sender, receiver want to ensure message not altered (in transit, or afterwards) without detection Access Control and Availability: services must be accessible and available to intended users Non-repudiation: sender should not be able to disavow later. Network Security

1-3

Friends and enemies: Alice,, Bob,, Trudy y well-known in network security world Bob, Bob Alice (lovers!) want to communicate “securely” securely Trudy (intruder) may intercept, delete, add messages

Alice

data

channel secure sender

Bob

data, control messages

secure receiver rece ver

data

T d Trudy Network Security

1-4

Who m might ght Bob, Al Alice ce be? … well,,

real-life f Bobs and Alices!

Web browser/server for electronic

transactions (e.g., on-line purchases) on-line banking client/server DNS servers routers exchanging routing table updates other examples?

Network Security

1-5

There are bad g guys y (and ( girls) g ) out there! Q: What can a “bad guy” do? A: a lot! eavesdrop:

intercept messages actively y insert messages g into connection impersonation: can fake (spoof) source address in packet (or any field in packet) hijacking: “take take over over” ongoing connection by removing sender or receiver, inserting himself in place denial d i l off service i : preventt service i f from b being i used by others (e.g., by overloading resources)

more on this later …… Network Security

1-6

Organ zat on Organization What is network security? Principles of cryptography Security Requirements Key Distribution and certification Access Acc ss control: c nt l: firewalls fi lls Attacks and counter measures Security S it in i many llayers

Network Security

1-7

The language g g of f cryptography yp g p y Alice’s K encryption A key plaintext

encryption yp algorithm

Bob’s K decryption B key ciphertext p

decryption yp plaintext pla ntext algorithm

Symmetric key crypto: sender, receiver keys identical

Asymmetric key crypto: keys NOT identical. Public key crypto: encryption key public, decryption key Public-key secret (private) Network Security

1-8

Symmetric ymm key y cryptography yp g p y substitution cipher: substituting one thing for another

monoalphabetic l h b ti cipher: i h substitute b tit t one lletter tt f for another th

plaintext:

abcdefghijklmnopqrstuvwxyz

ciphertext:

mnbvcxzasdfghjklpoiuytrewq

E E.g.:

Plaintext: bob. i love you. alice ciphertext: nkn. s gktc wky. mgsbc

Q: How hard to break this simple cipher?: brute force (how hard?) other? h ? Network Security

1-9

Symmetric ymm key y cryptography yp g p y KA-B A B

KA-B p a nt t plaintext message, m

encryption yp ciphertext p algorithm K (m) A-B

decryption yp plaintext p algorithm m=K

A-B

( KA-B(m) )

symmetric key crypto: Bob and Alice share know same (symmetric) key: K A-B e.g., e key ke is knowing kn in substituti substitution np pattern ttern in m mono n alphabetic substitution cipher Q: how do Bob and Alice agree on key value? Network Security

1-10

Block C Cipher pher The idea of a block cipher is fundamental to the study of cyptography. h A block cipher is a function that encrypts fix-sized blocks. Today block ciphers commonly encrypt blocks of f 128 bits. bits They Th are said s id to t take t k 128 bits of f “pl plain in text” and produce 128 bits of “cipher text.” This is done using a secret key and a public algorithm. Plain text

E(K,p) or EK(p)

Cipher text

D(K,c) K is said to be a “symmetric” secret key. Network Security

1-11

3-bit 3 b t Example With 3 bits only 23 messages are possible. Notice that there are 23! ( 8!)) possible (or p permutations p of 23 messages. g Each ppermutation can be thought of as a "lookup table" that represents an encryption of the possible messages through a reordering. For example: 101 ⎫ 000 ⎫ 110 ⎪⎪ 001 ⎪⎪ 111 ⎪ 010 ⎪ ⎪ ⎪ 000 ⎪ 011 ⎪ ⎬ ⎬ becomes 001 ⎪ 100 ⎪ 010 ⎪ 101 ⎪ ⎪ ⎪ 011 ⎪ 110 ⎪ 100 ⎪⎭ 111 ⎪⎭

“Lookup table” represents one encryption (possible reordering) of all possible messages. messages A particular lookup table corresponds to one particular secret key. Thus, we need 16 bits to represent all 8!=40,320 possible poss ble keys. Network Security

1-12

An “Ideal” Cipher p Two commanders have eight possible messages to

send. Message 000 is “do send do not attack attack” while 001 is “attack at 1am,” message 002 is “attack at 2am,”…etc. Each has a code book that lists 8! = 40,320 40 320 “lookup lookup tables” generated randomly. All officers have a copy of this book. (Represents the algorithm.) Just J t before b f they th go to t their th i respective ti commands d they are directed to use table number 12,123 by the crypto staff. (Represents the secret key.) The ideal cipher represents the best that can be done. Namely, we choose one lookup table randomly y from all possible p lookup p tables. Network Security

1-13

Huge Lookup Tables If we think of a block cipher as a lookup table

(corresponding to a key), the size of real tables is a problem. For 32-bit blocks a table would be 16 gigabytes. F r For For F r 64 64-bit bit blocks bl cks a table w would uld be 150 million milli n terabytes. For 128-bit blocks a table would be 5 × 1039 bytes. Thus, real codes use encryption algorithms plus a key to generate ciphertext from plaintext directly. y.

Note that this approach may NOT produce an ideal cypher.

Network Security

1-14

Brute Force Example I created a message g using g the following g letters:

acelps. I have used a substitution code to encrypt it (again based only on the 6 letters above). Any spaces have been ignored, that is, no space becomes nospace. Th encrypted The t d text t t is i lcapclscaec. l l Find the key and break the code! Due 1/20/09 present his/her solution and and each student will p turn in a report with code.

How many possible messages are there? How many y possible p keys y are there?

Network Security

1-15

Kerckhoffs’ Principle Kerckhoffs Pr nc ple Security depends only on the secrecy of

the Key and not on the secrecy of algorithms. Algorithms

hard to change and built into system hardware/software Algorithms Al ith d don’t ’t change h f for llong periods i d Someone may obtain physical access to a laptop that contains the algorithms Algorithms SHOULD be published so that other experts can check them for vulnerabilities. Network Security

1-16

Cipher C pher Attacks Ciphertext-only attack: trying to decrypt a message when

all you know is the ciphertext. This is the most difficult case. case Known plaintext attack: trying to decrypt a message when you know both the plaintext and the ciphertext (by prior example or autoreply). autoreply) Chosen plaintext attack: now you get to specify specially prepared plaintexts for which you will then see the ciphertexts.

Offline: prepare plaintexts all ahead of time Online: prepare next plaintext after receiving ciphertexts from previous submissions.

Chosen Ch s n ciph ciphertext t xt attack: tt ck: Receive R c i the th ciphertext ciph t xt

corresponding to your chosen plaintext AND receive the plaintext corresponding to your chosen ciphertext.

Network Security

1-17

Birthday Attack (ciphertext attack example)

Named after the “birthday paradox.” If you have

23 p people p in a room,, then the probability p y that two of them have the same birthday is greater than 0.5.

Useful approximation approximation: for large n the probability of generating a duplicate (also called the probability of a collision) is close to 0.5 after approximately n attempts.

Birthday attack: If keys are being generated

randomly, then a key collision will occur relatively soon.

Determine this has happened (see a ciphertext of header twice implies same key). Insert previous message ciphertext into current message and d it will ill b be accepted t db because th the keys k match. t h Network Security

1-18

Meet-in-Middle Attack (K (Known plaintext l i t t example) l ) Suppose pp we know a header or any y other part p of a

message always sent from Alice to Bob. Suppose further they use a 64-bit key. (Brute force attack requires q evaluating g 264 = 1.845 × 1019 keys.) y ) 32 Generate 2 keys randomly and encode the header with each of the keys (produce table). Watch for the encoded header in each message. message It will likely occur during during first 232 = 4.295 ×109 transactions. Usually applied to all authentication messages sent by Alice. Alice When encoded header occurs we look to see which key we used to generate it. Network Security

1-19

“Distinguishing” D st ngu sh ng Attack Many types of attacks: …decrypt only a specific message …reveal partial information about a message …other vulnerabilities?

G Given ven many kinds k nds of attacks crypto analysts

generally defend against a “distinguishing attack.” A distinguishing attack is an attack that detects a non-trivial difference between the ideal cipher and the actual cipher.

Encryption and decryption available for comparisons between ideal and actual. actual Free to choose any key. More about “non-trivial” later.

Network Security 1-20

Conventional Encryption Principles An encryption yp scheme has five f ingredients: g Plaintext Encryption algorithm Secret Key Ciphertext Decryption algorithm (perhaps different key) Security depends on the secrecy of the key, not

the secrecy of the algorithm In modern encryption encryp/decrypt is done with a block cipher – an encryption function for fixsized blocks. Network Security

1-21

Cryptography Classified along three independent

dimensions: The

type yp of operations p used for transforming g plaintext to ciphertext The number of keys used • symmetric (single (sin le key) • asymmetric (two-keys, or public-key encryption) The

way y in which the plaintext p is processed p

Network Security 1-22

Average time required for exhaustive h ti key k search h Key Size ((bits))

Number of Alternative Keys y

Time required at 106 Decryption/µs yp µ

32

232 = 4.3 x 109

2.15 milliseconds

56

256 = 7.2 x 1016

10 hours

128

2128 = 3 3.4 4 x 1038

5 4 x 1018 years 5.4

168

2168 = 3.7 x 1050

5.9 x 1030 years Network Security 1-23

Feistel Cipher Structure Virtually y all conventional block encryption yp

algorithms, including DES have a structure first described by Horst Feistel of IBM in 1973. Feistel ciphers are a special class of iterated block ciphers where the ciphertext is calculated from the plaintext by repeated application of the same transformation or “round” round function. function In a Feistel cipher, the text being encrypted is split into two halves. The round function f is applied to one half using a subkey and the output of f is exclusive exclusiveored with the other half. The two halves are then swapped. Each round follows the same pattern except for the last round where there is no swap swap. Network Security 1-24

Feistel Fe stel Structure (Continued) (Cont nued) A nice feature of a Feistel cipher is that

encryption and decryption are structurally identical identical, though the subkeys used during encryption at each round are taken in reverse order during decryption.

Network Security 1-25

Feistel Cipher Structure The realization of a Feistel Network

depends on the choice of the following parameters and design features:

Block size: larger block sizes mean greater security Key Size: larger key size means greater security Number of rounds: multiple rounds offer increasing security y Subkey generation algorithm: greater complexity will lead to greater difficulty of cryptanalysis. Fast software encryption/decryption: the speed of execution of the algorithm becomes a concern

Network Security 1-26

Network Security 1-27

Conventional Encryption Al Algorithms ith Data Encryption yp Standard (DES) ( ) WAS the most widely used encryption scheme (now vulnerable). DES is a block cipher. cipher The plaintext is processed in 64-bit blocks. The key is 56-bits in length Making M ki DES more secure: use three keys sequentially (3-DES) on each datum use cipher-block chaining The algorithm is referred to as the Data Encryption Algorithm (DEA).

Network Security 1-28

Symmetric key crypto: DES DES operation initial p permutation 16 identical “rounds” of function application, each using different 48 bits of key final permutation p

Network Security 1-29

Initial In t al Permutat Permutation on The 64 bits of the input block to be enciphered are first subjected to the following permutation, called the initial permutation IP:

L1

R1

58 50 42 34 26 18 10 60 52 44 36 28 20 12 62 54 46 38 30 22 14 64 56 48 40 32 24 16 57 49 41 33 25 17 9 59 51 43 35 27 19 11 61 53 45 37 29 21 13 63 55 47 39 31 23 15

2 4 6 8 1 3 5 7 Network Security 1-30

DES The overall processing at each iteration: Li =

Rii-11 Ri = Li-1 ⊕F(Ri-1, Ki) (XOR addition) Function F to be described. Ki is a ”subkey” formed as a permuted subset of the original 64-bit key.

Left L ft and d Right Ri ht are th then swapped s d for f next xt

iteration. It remains only to understand key generation and the function F (”mangler”) . Network Security

1-31

Key Generation Generat on Steps

Circular left shift.

Network Security 1-32

Permuted choice 1 is determined by the following table: C0

D0

57 49 41 33 25 17 9 1 58 50 42 34 26 18 10 2 59 51 43 35 27 19 11 3 60 52 44 36 63 55 47 39 31 23 15 7 62 54 46 38 30 22 14 6 61 53 45 37 29

21 13 5 28 20 12 4 Note that bits 8, 16, …64 are not used; they are reserved for use as parity bits. The key is actually 56-bits. BUT Permuted Choice 2 from previous slide actually selects 48 of these bits at each step. Network Security 1-33

Shift Sh ft Schedule Iteration Number Number of Left Shifts

1 2 3 4 5 6 7 8 9 1 1 1 1 1 1 1 0 1 2 3 4 5 6 1 1 2 2 2 2 2 2 1 2 2 2 2 2 2 1

Network Security 1-34

Permuted Cho Choice ce 2 14 17 11 24 1 5 3 28 15 6 21 10 23 19 12 4 26 8 16 7 27 20 13 2 41 52 31 37 47 55 30 40 51 45 33 48 44 49 39 56 34 53 46 42 50 36 29 32

48 bit subkey.

This completes the subkey generation description. Network Security 1-35

Network Security 1-36

E-Table (E E (Expands p 32 bits to 48))

32 bit ((right) g )

32 1 2 3 4 5 4 5 6 7 8 9 8 9 10 11 12 13 48 bits out 12 13 14 15 16 17 16 17 18 19 20 21 20 21 22 23 24 25 24 25 26 27 28 29 28 29 30 31 32 1

Network Security 1-37

DES Round n, Encryption 64-bit input from last round 32-bit Ln

32-bit Rn Mangler

0 such that a | k and b | k . Example: lcm(12,16) = 48. It is well known that gcd(a, b) × lcm(a, b) = ab. Network Security 1-92

Euclid’s Eucl d s gcd Algor Algorithm thm Given two non-negative integers, the notation (a, b) implies that 0 ≤ a < b. ( x, y ) ← ( a , b ) While x > 0 ( x, y ) ← ( y mod x, x) gcd(a, b) ← y. Example: (21,30) → (9,21) → (3,9) → (0,3) ⇒ gcd(21,30) = 3. Definition: If gcd(a, b) = 1, then a and b are said to be relatively prime. Network Security 1-93

Extended Eucl Euclid d Algor Algorithm thm It is well known that there exist integers x and y such that gcd((a, b) = ax + byy. In the pprevious example, g p we want 3 = gcd(21,30) = 21x + 30 y. If we write down our intermediate steps, 1. 30 = 1× 21 + 9 2. 21 = 2 × 9 + 3 3. 9 = 3 × 3 + 0, which implies gcd(21,30) = 3. From step 2 we have 3 = 21 − 2 × 9. We use step 1 to substitute for the 9. This yields 3 = 21 − 2 × (30 − 1× 21) = 3 × 21 − 2 × 30. Th 3 = 3 × 21 − 2 × 30. Thus, 30 The Th extended-gcd t d d d algorithm l ith produ d ces the th two sought integers x and y. This, in turn, will enable division modulo a specified value, value which is a critical step in the RSA algorithm. algorithm Network Security 1-94

RSA: Choos RSA Choosing ng keys 1. Choose two large prime numbers p, q. ( (e.g., 2000 2000+ bi bits f for their h i product) d ) I used the small primes approach to find p = 39607 and q = 78517. 2. Compute n = pq, z = (p-1)(q-1)

n = 3109822819 Z = 3109704696

Network Security 1-95

RSA Keys Cont Continued nued 3. Choose e (with e

1-1

Organ zat on Organization What is network security? Principles of cryptography Security Requirements: Confidentiality, Confidentiality

authentication, … Key Distribution and certification Access control: firewalls Attacks and counter measures

Network Security

1-2

What iss network security? secur ty? Confidentiality: y only y sender, intended receiver should “understand” message contents sender encrypts message receiver decrypts message Authentication: sender, receiver want to confirm identity of each other Message Integrity: sender, receiver want to ensure message not altered (in transit, or afterwards) without detection Access Control and Availability: services must be accessible and available to intended users Non-repudiation: sender should not be able to disavow later. Network Security

1-3

Friends and enemies: Alice,, Bob,, Trudy y well-known in network security world Bob, Bob Alice (lovers!) want to communicate “securely” securely Trudy (intruder) may intercept, delete, add messages

Alice

data

channel secure sender

Bob

data, control messages

secure receiver rece ver

data

T d Trudy Network Security

1-4

Who m might ght Bob, Al Alice ce be? … well,,

real-life f Bobs and Alices!

Web browser/server for electronic

transactions (e.g., on-line purchases) on-line banking client/server DNS servers routers exchanging routing table updates other examples?

Network Security

1-5

There are bad g guys y (and ( girls) g ) out there! Q: What can a “bad guy” do? A: a lot! eavesdrop:

intercept messages actively y insert messages g into connection impersonation: can fake (spoof) source address in packet (or any field in packet) hijacking: “take take over over” ongoing connection by removing sender or receiver, inserting himself in place denial d i l off service i : preventt service i f from b being i used by others (e.g., by overloading resources)

more on this later …… Network Security

1-6

Organ zat on Organization What is network security? Principles of cryptography Security Requirements Key Distribution and certification Access Acc ss control: c nt l: firewalls fi lls Attacks and counter measures Security S it in i many llayers

Network Security

1-7

The language g g of f cryptography yp g p y Alice’s K encryption A key plaintext

encryption yp algorithm

Bob’s K decryption B key ciphertext p

decryption yp plaintext pla ntext algorithm

Symmetric key crypto: sender, receiver keys identical

Asymmetric key crypto: keys NOT identical. Public key crypto: encryption key public, decryption key Public-key secret (private) Network Security

1-8

Symmetric ymm key y cryptography yp g p y substitution cipher: substituting one thing for another

monoalphabetic l h b ti cipher: i h substitute b tit t one lletter tt f for another th

plaintext:

abcdefghijklmnopqrstuvwxyz

ciphertext:

mnbvcxzasdfghjklpoiuytrewq

E E.g.:

Plaintext: bob. i love you. alice ciphertext: nkn. s gktc wky. mgsbc

Q: How hard to break this simple cipher?: brute force (how hard?) other? h ? Network Security

1-9

Symmetric ymm key y cryptography yp g p y KA-B A B

KA-B p a nt t plaintext message, m

encryption yp ciphertext p algorithm K (m) A-B

decryption yp plaintext p algorithm m=K

A-B

( KA-B(m) )

symmetric key crypto: Bob and Alice share know same (symmetric) key: K A-B e.g., e key ke is knowing kn in substituti substitution np pattern ttern in m mono n alphabetic substitution cipher Q: how do Bob and Alice agree on key value? Network Security

1-10

Block C Cipher pher The idea of a block cipher is fundamental to the study of cyptography. h A block cipher is a function that encrypts fix-sized blocks. Today block ciphers commonly encrypt blocks of f 128 bits. bits They Th are said s id to t take t k 128 bits of f “pl plain in text” and produce 128 bits of “cipher text.” This is done using a secret key and a public algorithm. Plain text

E(K,p) or EK(p)

Cipher text

D(K,c) K is said to be a “symmetric” secret key. Network Security

1-11

3-bit 3 b t Example With 3 bits only 23 messages are possible. Notice that there are 23! ( 8!)) possible (or p permutations p of 23 messages. g Each ppermutation can be thought of as a "lookup table" that represents an encryption of the possible messages through a reordering. For example: 101 ⎫ 000 ⎫ 110 ⎪⎪ 001 ⎪⎪ 111 ⎪ 010 ⎪ ⎪ ⎪ 000 ⎪ 011 ⎪ ⎬ ⎬ becomes 001 ⎪ 100 ⎪ 010 ⎪ 101 ⎪ ⎪ ⎪ 011 ⎪ 110 ⎪ 100 ⎪⎭ 111 ⎪⎭

“Lookup table” represents one encryption (possible reordering) of all possible messages. messages A particular lookup table corresponds to one particular secret key. Thus, we need 16 bits to represent all 8!=40,320 possible poss ble keys. Network Security

1-12

An “Ideal” Cipher p Two commanders have eight possible messages to

send. Message 000 is “do send do not attack attack” while 001 is “attack at 1am,” message 002 is “attack at 2am,”…etc. Each has a code book that lists 8! = 40,320 40 320 “lookup lookup tables” generated randomly. All officers have a copy of this book. (Represents the algorithm.) Just J t before b f they th go to t their th i respective ti commands d they are directed to use table number 12,123 by the crypto staff. (Represents the secret key.) The ideal cipher represents the best that can be done. Namely, we choose one lookup table randomly y from all possible p lookup p tables. Network Security

1-13

Huge Lookup Tables If we think of a block cipher as a lookup table

(corresponding to a key), the size of real tables is a problem. For 32-bit blocks a table would be 16 gigabytes. F r For For F r 64 64-bit bit blocks bl cks a table w would uld be 150 million milli n terabytes. For 128-bit blocks a table would be 5 × 1039 bytes. Thus, real codes use encryption algorithms plus a key to generate ciphertext from plaintext directly. y.

Note that this approach may NOT produce an ideal cypher.

Network Security

1-14

Brute Force Example I created a message g using g the following g letters:

acelps. I have used a substitution code to encrypt it (again based only on the 6 letters above). Any spaces have been ignored, that is, no space becomes nospace. Th encrypted The t d text t t is i lcapclscaec. l l Find the key and break the code! Due 1/20/09 present his/her solution and and each student will p turn in a report with code.

How many possible messages are there? How many y possible p keys y are there?

Network Security

1-15

Kerckhoffs’ Principle Kerckhoffs Pr nc ple Security depends only on the secrecy of

the Key and not on the secrecy of algorithms. Algorithms

hard to change and built into system hardware/software Algorithms Al ith d don’t ’t change h f for llong periods i d Someone may obtain physical access to a laptop that contains the algorithms Algorithms SHOULD be published so that other experts can check them for vulnerabilities. Network Security

1-16

Cipher C pher Attacks Ciphertext-only attack: trying to decrypt a message when

all you know is the ciphertext. This is the most difficult case. case Known plaintext attack: trying to decrypt a message when you know both the plaintext and the ciphertext (by prior example or autoreply). autoreply) Chosen plaintext attack: now you get to specify specially prepared plaintexts for which you will then see the ciphertexts.

Offline: prepare plaintexts all ahead of time Online: prepare next plaintext after receiving ciphertexts from previous submissions.

Chosen Ch s n ciph ciphertext t xt attack: tt ck: Receive R c i the th ciphertext ciph t xt

corresponding to your chosen plaintext AND receive the plaintext corresponding to your chosen ciphertext.

Network Security

1-17

Birthday Attack (ciphertext attack example)

Named after the “birthday paradox.” If you have

23 p people p in a room,, then the probability p y that two of them have the same birthday is greater than 0.5.

Useful approximation approximation: for large n the probability of generating a duplicate (also called the probability of a collision) is close to 0.5 after approximately n attempts.

Birthday attack: If keys are being generated

randomly, then a key collision will occur relatively soon.

Determine this has happened (see a ciphertext of header twice implies same key). Insert previous message ciphertext into current message and d it will ill b be accepted t db because th the keys k match. t h Network Security

1-18

Meet-in-Middle Attack (K (Known plaintext l i t t example) l ) Suppose pp we know a header or any y other part p of a

message always sent from Alice to Bob. Suppose further they use a 64-bit key. (Brute force attack requires q evaluating g 264 = 1.845 × 1019 keys.) y ) 32 Generate 2 keys randomly and encode the header with each of the keys (produce table). Watch for the encoded header in each message. message It will likely occur during during first 232 = 4.295 ×109 transactions. Usually applied to all authentication messages sent by Alice. Alice When encoded header occurs we look to see which key we used to generate it. Network Security

1-19

“Distinguishing” D st ngu sh ng Attack Many types of attacks: …decrypt only a specific message …reveal partial information about a message …other vulnerabilities?

G Given ven many kinds k nds of attacks crypto analysts

generally defend against a “distinguishing attack.” A distinguishing attack is an attack that detects a non-trivial difference between the ideal cipher and the actual cipher.

Encryption and decryption available for comparisons between ideal and actual. actual Free to choose any key. More about “non-trivial” later.

Network Security 1-20

Conventional Encryption Principles An encryption yp scheme has five f ingredients: g Plaintext Encryption algorithm Secret Key Ciphertext Decryption algorithm (perhaps different key) Security depends on the secrecy of the key, not

the secrecy of the algorithm In modern encryption encryp/decrypt is done with a block cipher – an encryption function for fixsized blocks. Network Security

1-21

Cryptography Classified along three independent

dimensions: The

type yp of operations p used for transforming g plaintext to ciphertext The number of keys used • symmetric (single (sin le key) • asymmetric (two-keys, or public-key encryption) The

way y in which the plaintext p is processed p

Network Security 1-22

Average time required for exhaustive h ti key k search h Key Size ((bits))

Number of Alternative Keys y

Time required at 106 Decryption/µs yp µ

32

232 = 4.3 x 109

2.15 milliseconds

56

256 = 7.2 x 1016

10 hours

128

2128 = 3 3.4 4 x 1038

5 4 x 1018 years 5.4

168

2168 = 3.7 x 1050

5.9 x 1030 years Network Security 1-23

Feistel Cipher Structure Virtually y all conventional block encryption yp

algorithms, including DES have a structure first described by Horst Feistel of IBM in 1973. Feistel ciphers are a special class of iterated block ciphers where the ciphertext is calculated from the plaintext by repeated application of the same transformation or “round” round function. function In a Feistel cipher, the text being encrypted is split into two halves. The round function f is applied to one half using a subkey and the output of f is exclusive exclusiveored with the other half. The two halves are then swapped. Each round follows the same pattern except for the last round where there is no swap swap. Network Security 1-24

Feistel Fe stel Structure (Continued) (Cont nued) A nice feature of a Feistel cipher is that

encryption and decryption are structurally identical identical, though the subkeys used during encryption at each round are taken in reverse order during decryption.

Network Security 1-25

Feistel Cipher Structure The realization of a Feistel Network

depends on the choice of the following parameters and design features:

Block size: larger block sizes mean greater security Key Size: larger key size means greater security Number of rounds: multiple rounds offer increasing security y Subkey generation algorithm: greater complexity will lead to greater difficulty of cryptanalysis. Fast software encryption/decryption: the speed of execution of the algorithm becomes a concern

Network Security 1-26

Network Security 1-27

Conventional Encryption Al Algorithms ith Data Encryption yp Standard (DES) ( ) WAS the most widely used encryption scheme (now vulnerable). DES is a block cipher. cipher The plaintext is processed in 64-bit blocks. The key is 56-bits in length Making M ki DES more secure: use three keys sequentially (3-DES) on each datum use cipher-block chaining The algorithm is referred to as the Data Encryption Algorithm (DEA).

Network Security 1-28

Symmetric key crypto: DES DES operation initial p permutation 16 identical “rounds” of function application, each using different 48 bits of key final permutation p

Network Security 1-29

Initial In t al Permutat Permutation on The 64 bits of the input block to be enciphered are first subjected to the following permutation, called the initial permutation IP:

L1

R1

58 50 42 34 26 18 10 60 52 44 36 28 20 12 62 54 46 38 30 22 14 64 56 48 40 32 24 16 57 49 41 33 25 17 9 59 51 43 35 27 19 11 61 53 45 37 29 21 13 63 55 47 39 31 23 15

2 4 6 8 1 3 5 7 Network Security 1-30

DES The overall processing at each iteration: Li =

Rii-11 Ri = Li-1 ⊕F(Ri-1, Ki) (XOR addition) Function F to be described. Ki is a ”subkey” formed as a permuted subset of the original 64-bit key.

Left L ft and d Right Ri ht are th then swapped s d for f next xt

iteration. It remains only to understand key generation and the function F (”mangler”) . Network Security

1-31

Key Generation Generat on Steps

Circular left shift.

Network Security 1-32

Permuted choice 1 is determined by the following table: C0

D0

57 49 41 33 25 17 9 1 58 50 42 34 26 18 10 2 59 51 43 35 27 19 11 3 60 52 44 36 63 55 47 39 31 23 15 7 62 54 46 38 30 22 14 6 61 53 45 37 29

21 13 5 28 20 12 4 Note that bits 8, 16, …64 are not used; they are reserved for use as parity bits. The key is actually 56-bits. BUT Permuted Choice 2 from previous slide actually selects 48 of these bits at each step. Network Security 1-33

Shift Sh ft Schedule Iteration Number Number of Left Shifts

1 2 3 4 5 6 7 8 9 1 1 1 1 1 1 1 0 1 2 3 4 5 6 1 1 2 2 2 2 2 2 1 2 2 2 2 2 2 1

Network Security 1-34

Permuted Cho Choice ce 2 14 17 11 24 1 5 3 28 15 6 21 10 23 19 12 4 26 8 16 7 27 20 13 2 41 52 31 37 47 55 30 40 51 45 33 48 44 49 39 56 34 53 46 42 50 36 29 32

48 bit subkey.

This completes the subkey generation description. Network Security 1-35

Network Security 1-36

E-Table (E E (Expands p 32 bits to 48))

32 bit ((right) g )

32 1 2 3 4 5 4 5 6 7 8 9 8 9 10 11 12 13 48 bits out 12 13 14 15 16 17 16 17 18 19 20 21 20 21 22 23 24 25 24 25 26 27 28 29 28 29 30 31 32 1

Network Security 1-37

DES Round n, Encryption 64-bit input from last round 32-bit Ln

32-bit Rn Mangler

0 such that a | k and b | k . Example: lcm(12,16) = 48. It is well known that gcd(a, b) × lcm(a, b) = ab. Network Security 1-92

Euclid’s Eucl d s gcd Algor Algorithm thm Given two non-negative integers, the notation (a, b) implies that 0 ≤ a < b. ( x, y ) ← ( a , b ) While x > 0 ( x, y ) ← ( y mod x, x) gcd(a, b) ← y. Example: (21,30) → (9,21) → (3,9) → (0,3) ⇒ gcd(21,30) = 3. Definition: If gcd(a, b) = 1, then a and b are said to be relatively prime. Network Security 1-93

Extended Eucl Euclid d Algor Algorithm thm It is well known that there exist integers x and y such that gcd((a, b) = ax + byy. In the pprevious example, g p we want 3 = gcd(21,30) = 21x + 30 y. If we write down our intermediate steps, 1. 30 = 1× 21 + 9 2. 21 = 2 × 9 + 3 3. 9 = 3 × 3 + 0, which implies gcd(21,30) = 3. From step 2 we have 3 = 21 − 2 × 9. We use step 1 to substitute for the 9. This yields 3 = 21 − 2 × (30 − 1× 21) = 3 × 21 − 2 × 30. Th 3 = 3 × 21 − 2 × 30. Thus, 30 The Th extended-gcd t d d d algorithm l ith produ d ces the th two sought integers x and y. This, in turn, will enable division modulo a specified value, value which is a critical step in the RSA algorithm. algorithm Network Security 1-94

RSA: Choos RSA Choosing ng keys 1. Choose two large prime numbers p, q. ( (e.g., 2000 2000+ bi bits f for their h i product) d ) I used the small primes approach to find p = 39607 and q = 78517. 2. Compute n = pq, z = (p-1)(q-1)

n = 3109822819 Z = 3109704696

Network Security 1-95

RSA Keys Cont Continued nued 3. Choose e (with e