Chapter 2

Cryptographic Tools
 Outline
• Confidentiality with symmetric encryption
• Public key encryption
• Message authentication and hash function
• Digital signature and key management
• Random and pseudorandom numbers
• Practical application
 Confidentiality with
symmetric encryption
Symmetric Encryption
• The universal technique for providing
confidentiality for transmitted or stored data
• Also referred to as conventional encryption or
single-key encryption

• Two requirements for secure use:

• Need a strong encryption algorithm
• Sender and receiver must have obtained copies
of the secret key in a secure fashion
and must keep the key secure
 Attacking Symmetric
Encryption
Cryptanalytic Attacks Brute-Force Attack
 Rely on:
 Try all possible keys on some
 Nature of the algorithm
cipher text until an
 Some knowledge of the general intelligible translation into
characteristics of the plaintext plaintext is obtained
 Some sample plaintext-ciphertext  On average half of all
pairs possible keys must be tried to
 Exploits the characteristics of the achieve success

algorithm to attempt to deduce a

specific plaintext or the key
being used
 If successful all future and past
messages encrypted with that
key are compromised
 Table 2.1

Comparison of Three Popular

Symmetric Encryption Algorithms
Data Encryption Standard
(DES)
The most widely used encryption
scheme
FIPS PUB 46
Referred to as the Data Encryption
Algorithm (DEA)
Uses 64 bit plaintext block and 56 bit key
to produce a 64 bit ciphertext block

Strength concerns:
Concerns about algorithm
DES is the most studied encryption
algorithm in existence
Use of 56-bit key
Electronic Frontier Foundation (EFF)
announced in July 1998 that it had broken
a DES encryption
 Table 2.2

Average Time Required for Exhaustive Key

Search
 Triple DES (3DES)
 Repeats basic DES algorithm three times using
either two or three unique keys
 First standardized for use in financial applications
in ANSI standard X9.17 in 1985
 Attractions:
 168-bit key length overcomes the vulnerability to brute-
force attack of DES
 Underlying encryption algorithm is the same as in DES
 Drawbacks:
 Algorithm is sluggish in software
 Uses a 64-bit block size
 Advanced Encryption
Standard (AES)
NIST called Selected
Needed a
for proposals Rijndael in
replacement
for a new AES November
for 3DES
in 1997 2001
Should have a
security strength
equal to or better
than 3DES

Significantly
3DES was not improved efficiency
Published as
reasonable for
long term use FIPS 197
Symmetric block
cipher

128 bit data and

128/192/256 bit keys
 Practical Security
Issues
 Typically symmetric encryption is applied to a unit
of data larger than a single 64-bit or 128-bit block
 Electronic codebook (ECB) mode is the simplest
approach to multiple-block encryption
 Each block of plaintext is encrypted using the same key
 Cryptanalysts may be able to exploit regularities in the
plaintext
 Modes of operation
 Alternative
techniques developed to increase the security
of symmetric block encryption for large sequences
 Overcomes the weaknesses of ECB
 Block & Stream
Ciphers
Block
Cipher
• Processes the input one block of elements at a time
• Produces an output block for each input block
• Can reuse keys
• More common

Stream
Cipher
• Processes the input elements continuously
• Produces output one element at a time
• Primary advantage is that they are almost always faster
and use far less code
• Encrypts plaintext one byte at a time
• Pseudorandom stream is one that is unpredictable
without knowledge of the input key
Public key encryption
 Public-Key Encryption
Structure

Asymmetri
c
Publicly • Uses two Some form
proposed Based on separate of protocol
by Diffie mathemati keys is needed
and cal • Public key for
Hellman in functions and private distributio
1976 key n
• Public key
is made
public for
others to
use
 Plaintext
 Readable message or data that is fed into the algorithm as input
 Encryption algorithm
 Performs transformations on the plaintext
 Public and private key
 Pair of keys, one for encryption, one for decryption
 Ciphertext
 Scrambled message produced as output
 Decryption key
 Produces the original plaintext
 User encrypts data using his or
her own private key
 Anyone who knows the
corresponding public key will be
able to decrypt the message
 Table 2.3

Applications for Public-Key

Cryptosystems
Requirements for Public-Key
Cryptosystems
Computationally
easy to create key
pairs

Computationally
Useful if either easy for sender
key can be used knowing public key
for each role to encrypt messages

Computationally
infeasible for Computationally easy
opponent to for receiver knowing
otherwise private key to
recover original decrypt ciphertext
message
Computationally
infeasible for opponent
to determine private key
from public key
 Asymmetric Encryption
Algorithms
RSA (Rivest, Most widely accepted
Block cipher in which
the plaintext and
Shamir, Developed in 1977
and implemented
approach to public-key
ciphertext are integers
between 0 and n-1 for
Adleman) encryption
some n.

Diffie- Enables two users to

securely reach
Hellman key agreement about a
shared secret that can Limited to the

exchange be used as a secret key

for subsequent
exchange of the keys

symmetric encryption
algorithm of messages

Digital
Signature Provides only a digital
signature function with
Cannot be used for
encryption or key
Standard SHA-1 exchange

(DSS)

Elliptic curve
cryptography Security like RSA, but
with much smaller keys

(ECC)
Message authentication
and hash function
 Message
Authentication

Protects against
active attacks
• Contents have not been
Verifies received altered
message is • From authentic source
• Timely and in correct
authentic sequence

Can use
• Only sender & receiver
conventional share a key
encryption
 Hash Function
Requirements
Can be applied to a block of data of any size

Produces a fixed-length output

H(x) is relatively easy to compute for any given x

One-way or pre-image resistant

• Computationally infeasible to find x such that H(x) = h

Computationally infeasible to find y ≠ x such that H(y) = H(x)

Collision resistant or strong collision resistance

• Computationally infeasible to find any pair (x,y) such that H(x) = H(y)
 Security of Hash
Functions
There are two
SHA most widely Additional secure
approaches to
used hash hash function
attacking a secure
algorithm applications:
hash function:

Cryptanalysis Passwords
• Exploit logical • Hash of a password is
weaknesses in the stored by an operating
algorithm system

Brute-force attack Intrusion detection

• Strength of hash • Store H(F) for each file
function depends solely on a system and secure
on the length of the the hash values
hash code produced by
the algorithm
Digital signature and
key management
 Digital Signatures
 Used for authenticating both source and data
integrity
 Created by encrypting hash code with private key
 Does not provide confidentiality
 Even in the case of complete encryption
 Message is safe from alteration but not
eavesdropping
Digital
Envelop
es
 Protects a message
without needing to
first arrange for
sender and receiver
to have the same
secret key

 Equates to the same

thing as a sealed
envelope containing
an unsigned letter
 Random and
pseudorandom numbers
Random  Keys for public-key

Numbers algorithms
 Stream key for symmetric
stream cipher
 Symmetric key for use as
a temporary session key
or in creating a digital
envelope
Uses include  Handshaking to prevent
generation of: replay attacks
 Session key
 Random Number
Requirements
Randomness Unpredictability
 Criteria:  Opponent should not
 Uniform distribution be able to predict
 Frequency of occurrence

of each of the numbers

future elements of
should be approximately the sequence on the
the same
 Independence
basis of earlier
 No one value in the elements
sequence can be inferred
from the others
 Random versus
Pseudorandom
Cryptographic applications typically make use of
algorithmic techniques for random number
generation
• Algorithms are deterministic and therefore produce sequences of
numbers that are not statistically random

Pseudorandom numbers are:

• Sequences produced that satisfy statistical randomness tests
• Likely to be predictable

True random number generator (TRNG):

• Uses a nondeterministic source to produce randomness
• Most operate by measuring unpredictable natural processes
• e.g. radiation, gas discharge, leaky capacitors
• Increasingly provided on modern processors
Practical Application:
Encryption of Stored
Data
 Practical Application:
Encryption of Stored Data
Common to encrypt transmitted data

Much less common for stored data

There is often little
protection beyond
domain authentication

Approaches to encrypt stored

and operating system
access controls

Data are archived for

data:
indefinite periods

Use a commercially Background

Library based tape
available encryption Back-end appliance laptop/PC data
encryption
Even though erased, package encryption
until disk sectors are
reused data are
recoverable
 Summary
• Confidentiality with
symmetric encryption • Public-key


Symmetric encryption
Symmetric block encryption
encryption
 Structure
algorithms
 Applications for public-
 Stream ciphers
key cryptosystems
• Message authentication  Requirements for public-
key cryptography
and hash functions  Asymmetric encryption
 Authentication using symmetric algorithms
encryption
 Message authentication without • Digital signatures
message encryption and key
 Secure hash functions
 Other applications of hash
management
functions  Digital signature
 Public-key certificates
• Random and  Symmetric key exchange
pseudorandom numbers using public-key
 encryption
The use of random numbers
 Digital envelopes
 Random versus pseudorandom