Exam questions
1. Describe the basic concepts of cryptanalysis. What science is
connected with cryptanalysis? Explain the main terms of this science.
Cryptanalysis (from the Greek kryptós, "hidden", and analýein, "to loosen"
or "to untie") is the study of analyzing information systems in order to study
the hidden aspects of the systems. [1] Cryptanalysis is used to breach
cryptographic security systems and gain access to the contents of encrypted
messages, even if the cryptographic key is unknown.
As the other side of cryptography, it is used to break codes by finding weaknesses
within them. In addition to being used by hackers with bad intentions, this
discipline is also often used by the military. It is also appropriately used by
designers of encryption systems to find, and subsequently correct, any weaknesses
that may exist in the system under design.
There are several types of attacks that a cryptanalyst may use to break a code,
depending on how much information he or she has. A ciphertext-only attack is one
where the analyst has a piece of ciphertext (text that has already been encrypted),
with no plaintext (unencrypted text). This is probably the most difficult type of
cryptanalysis, and calls for a bit of guesswork. In a known-plaintext attack, the
analyst has both a piece of ciphertext and the corresponding piece of plaintext.
Other types of attacks may involve trying to derive a key through trickery or theft,
such as in the "man-in-the-middle" attack. In this method, the cryptanalyst places a
piece of surveillance software in between two parties that communicate. When the
parties' keys are exchanged for secure communication, they exchange their keys
with the attacker instead of each other.
The ultimate goal of the cryptanalyst is to derive the key so that all ciphertext can
be easily deciphered. A brute-force attack is one way of doing so. In this type of
attack, the cryptanalyst tries every possible combination until the correct key is
identified. Although using longer keys makes the derivation less statistically likely
to be successful, faster computers continue to make brute-force attacks feasible.
Networking a set of computers together in a grid combines their strength, and their
cumulative power can be used to break long keys. The longest keys used, 128-bit
keys, remain the strongest, and are less likely to be subject to this type of attack.
At its core, cryptanalysis is a science of mathematics, probability, and fast
computers. Cryptanalysts also usually require some persistence, intuition,
guesswork and some general knowledge of the target. The field also has an
interesting historical element; the famous Enigma machine, used by the Germans
3. Analyze how a brute-force attack works. List the advantages and
disadvantages of a brute-force attack. Give an example.
In computer science, brute-force search or exhaustive search, also known
as generate and test, is a very general problem-solving technique that
consists of systematically enumerating all possible candidates for the
solution and checking whether each candidate satisfies the problem's
statement.
A brute-force algorithm to find the divisors of a natural number n would
enumerate all integers from 1 to the square root of n, and check whether
each of them divides n without remainder. A brute-force approach for the
eight queens puzzle would examine all possible arrangements of 8 pieces on
the 64-square chessboard, and, for each arrangement, check whether each
(queen) piece can attack any other.
While a brute-force search is simple to implement, and will always find a
solution if it exists, its cost is proportional to the number of candidate solutions
which in many practical problems tends to grow very quickly as the size of
the problem increases. Therefore, brute-force search is typically used when the
problem size is limited, or when there are problem-specific heuristics that can
be used to reduce the set of candidate solutions to a manageable size. The
method is also used when the simplicity of implementation is more important
than speed.
This is the case, for example, in critical applications where any errors in the
algorithm would have very serious consequences; or when using a computer
to prove a mathematical theorem. Brute-force search is also useful as a
baseline method when benchmarking other algorithms or metaheuristics.
Indeed, brute-force search can be viewed as the simplest metaheuristic.
Brute-force search should not be confused with backtracking, where large
sets of solutions can be discarded without being explicitly enumerated (as in
the textbook computer solution to the eight queens problem above). The
brute-force method for finding an item in a table (namely, check all entries
of the table sequentially) is called linear search.
The most obvious advantage is that your chance of actually finding the
password is quite high since the attack uses so many possible answers.
Another advantage is that it is a fairly simplistic attack that doesn't require a
lot of work to set up or initiate.
4. Describe types of attack and classify them. Which attack is most stable in
cryptanalysis, in your opinion?
5. Today DES is considered vulnerable to brute-force attacks due to larger
computer power. Why was 3DES introduced, and not 2DES, to prevent
brute-force attacks?
The Data Encryption Standard (DES) is an outdated symmetric-key method
of data encryption.
DES works by using the same key to encrypt and decrypt a message, so both
the sender and the receiver must know and use the same private key. Once
the go-to, symmetric-key algorithm for the encryption of electronic data,
DES has been superseded by the more secure Advanced Encryption
Standard (AES) algorithm.
In cryptography, Triple DES (3DES) is the common name for the Triple Data
Encryption Algorithm (TDEA or Triple DEA) symmetric-key block cipher,
which applies the Data Encryption Standard (DES) cipher algorithm three times to
each data block.
The original DES cipher's key size of 56 bits was generally sufficient when that
algorithm was designed, but the availability of increasing computational power
made brute-force attacks feasible. Triple DES provides a relatively simple method
of increasing the key size of DES to protect against such attacks, without the need
to design a completely new block cipher algorithm.
Double DES is not safe; therefore 3DES is used.
6. Specify the main concepts of the Differential analysis.
9. Write the possibility of Differential analysis for AES
10. Define the basic concept of differential cryptanalysis and write the
possibility of Differential analysis for GOST 28147-89
11. Explain how you can use Differential Cryptanalysis for a Multi-Round
Cipher in cryptanalysis.
Multi-round: this is the same as DES.
12.Describe the basic concepts of the Linear analysis.
Linear cryptanalysis was proposed by Mitsuru Matsui in 1993 and was first
applied to DES and FEAL. It is a known-plaintext attack: the analyst looks for
a linear relation between bits of the plaintext, the ciphertext and the key
that holds with probability P ≠ 1/2 over the plaintext/ciphertext pairs:
P[i1] ⊕ P[i2] ⊕ ... ⊕ P[ia] ⊕ C[j1] ⊕ C[j2] ⊕ ... ⊕ C[jb] = K[k1] ⊕ K[k2] ⊕ ... ⊕ K[kc]   (1)
where P[n], C[n], K[n] denote the n-th bit of the plaintext, the ciphertext and
the key. Given N known plaintext/ciphertext pairs, let T be the number of pairs
for which the left-hand side of (1) equals 0. If T > N/2, conclude that
K[k1] ⊕ K[k2] ⊕ ... ⊕ K[kc] = 0 (when P > 1/2) or 1 (when P < 1/2); if T < N/2,
conclude the opposite. Each such relation thus reveals one bit of information
about the key (the parity of the key bits on the right-hand side of (1)).
14. Define the basic concept of linear analysis and write the possibility of
Linear analysis for AES
The Advanced Encryption Standard (AES), also known as Rijndael (pronounced
[rindal]) [1], is a symmetric block cipher with a 128-bit block and key sizes
of 128, 192 or 256 bits, adopted as the AES encryption standard. The U.S.
National Institute of Standards and Technology (NIST) published the AES
specification in 2001, after a selection process with 15 candidate
algorithms, and AES became effective as a standard in 2002. [2][3]
Intel added hardware support for AES to its x86 processors starting with the
Intel Core i7-980X Extreme Edition and then the Sandy Bridge family.
16. Analyze the important steps of S-box design and explain the main
purpose of the S-box
In cryptography, an S-box (substitution-box) is a basic component
of symmetric key algorithms which performs substitution. In block ciphers,
they are typically used to obscure the relationship between the key and
the ciphertext. In general, an S-box takes some number of input bits, m,
and transforms them into some number of output bits, n, where n is not
necessarily equal to m. [1] An m×n S-box can be implemented as a lookup
table with 2^m words of n bits each. Fixed tables are normally used, as in
the Data Encryption Standard (DES), but in some ciphers the tables are
generated dynamically from the key (e.g. the Blowfish and the Twofish
encryption algorithms).
17. Explain the main purpose of S box and analyze the design of S box for
DES
The Data Encryption Standard (DES) is an outdated symmetric-key method
of data encryption.
DES works by using the same key to encrypt and decrypt a message, so
both the sender and the receiver must know and use the same private key.
Once the go-to, symmetric-key algorithm for the encryption of electronic
data, DES has been superseded by the more secure Advanced Encryption
Standard (AES) algorithm.
Originally designed by researchers at IBM in the early 1970s, DES was
adopted by the U.S. government
In DES, each S-box takes a 6-bit input and produces a 4-bit output; the eight
S-boxes together map the 48-bit expanded half-block to 32 bits.
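As an added example (not from the original notes), the following Python code analyses the first DES S-box, S1, the way a designer checks an S-box for questions 6, 12, 16 and 17: it builds the difference distribution table used by differential cryptanalysis and the linear approximation table used by linear cryptanalysis, and reports the best differential and the largest linear bias. The S1 table is the one from the DES standard; the helper names are my own.

```python
# Added example (not part of the original notes): analysing a DES S-box the way
# a designer checks it, with a difference distribution table (DDT) and a linear
# approximation table (LAT). DES_S1 is the first S-box of the DES standard;
# every other number is computed from it. Helper names are my own.

# DES S1 in the FIPS 46 layout: four rows of sixteen 4-bit outputs.
DES_S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]


def des_sbox(table, x):
    """Map a 6-bit input to a 4-bit output: the outer bits (b5, b0) select
    the row, the inner four bits (b4..b1) select the column."""
    row = (((x >> 5) & 1) << 1) | (x & 1)
    col = (x >> 1) & 0xF
    return table[row][col]


def s1(x):
    return des_sbox(DES_S1, x)


def rows_are_permutations(table):
    """Design criterion: each row is a bijection on 4 bits, so every output
    value occurs once per row and four times over all 64 inputs."""
    return all(sorted(row) == list(range(16)) for row in table)


def difference_distribution_table(sbox, in_bits=6, out_bits=4):
    """ddt[dx][dy] = number of inputs x with sbox(x) ^ sbox(x ^ dx) == dy.
    Each row sums to 2^in_bits; entries are even because x and x^dx pair up."""
    n_in, n_out = 1 << in_bits, 1 << out_bits
    ddt = [[0] * n_out for _ in range(n_in)]
    for dx in range(n_in):
        for x in range(n_in):
            ddt[dx][sbox(x) ^ sbox(x ^ dx)] += 1
    return ddt


def parity(v):
    return bin(v).count("1") & 1


def linear_approximation_table(sbox, in_bits=6, out_bits=4):
    """lat[a][b] = #{x : a.x == b.sbox(x)} - 2^(in_bits - 1), with '.' the
    GF(2) inner product. The bias of the approximation a.x = b.S(x) is
    lat[a][b] / 2^in_bits; any non-zero bias is what linear cryptanalysis
    exploits, so a designer wants these entries small."""
    n_in, n_out = 1 << in_bits, 1 << out_bits
    lat = [[0] * n_out for _ in range(n_in)]
    for a in range(n_in):
        for b in range(n_out):
            agree = sum(1 for x in range(n_in)
                        if parity(a & x) == parity(b & sbox(x)))
            lat[a][b] = agree - n_in // 2
    return lat


def best_differential(ddt):
    """Most likely non-trivial differential (dx != 0): (dx, dy, probability)."""
    n_in = len(ddt)
    count, dx, dy = max((ddt[dx][dy], dx, dy)
                        for dx in range(1, n_in) for dy in range(len(ddt[dx])))
    return dx, dy, count / n_in


def best_linear_approximation(lat):
    """Largest |bias| over non-trivial masks (a != 0, b != 0): (a, b, bias)."""
    n_in = len(lat)
    _, a, b = max((abs(lat[a][b]), a, b)
                  for a in range(1, n_in) for b in range(1, len(lat[a])))
    return a, b, lat[a][b] / n_in


def analyse_des_s1():
    ddt = difference_distribution_table(s1)
    lat = linear_approximation_table(s1)
    return {
        "bijective_rows": rows_are_permutations(DES_S1),
        "best_differential": best_differential(ddt),
        "best_linear": best_linear_approximation(lat),
    }


if __name__ == "__main__":
    report = analyse_des_s1()
    dx, dy, p = report["best_differential"]
    a, b, bias = report["best_linear"]
    print(f"rows bijective: {report['bijective_rows']}")
    print(f"best differential: {dx:#04x} -> {dy:#03x}, probability {p}")
    print(f"best linear approximation: masks {a:#04x}/{b:#03x}, bias {bias:+.4f}")
```

The same two tables can be computed for any other S-box (a 4×4 GOST S-box, or the AES S-box with in_bits=out_bits=8) by passing a different lookup function and sizes.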
18. Describe the main purpose of the S-box and analyze the design of the S-box for
AES.
The Advanced Encryption Standard (AES) is a symmetric-key block
cipher algorithm and U.S. government standard for secure and
classified data encryption and decryption.
19. Analyze the design of the S-box for GOST and write a short history of
GOST: who wrote it and where it was developed
Block cipher GOST [5, 12] is a Feistel cipher with 32 rounds. Its block size
is 64 bits, and key-size is 256 bits. It is a Soviet and Russian
government standard symmetric key block cipher. Also based on this
block cipher is the GOST hash function.
The subkeys are chosen in a pre-specified order. The key schedule is very
simple: break the 256-bit key into eight 32-bit subkeys, and each subkey is
used four times in the algorithm; the first 24 rounds use the key words in
order, the last 8 rounds use them in reverse order.
The S-boxes accept a four-bit input and produce a four-bit output. The S-box
substitution in the round function consists of eight 4×4 S-boxes. The
S-boxes are implementation-dependent: parties that want to secure their
communications using GOST must be using the same S-boxes. For extra
security, the S-boxes can be kept secret. In the original standard where
GOST was specified, no S-boxes were given, but they were to be supplied
somehow. This led to speculation that organizations the government
wished to spy on were given weak S-boxes. One GOST chip manufacturer
reported that he generated S-boxes himself using a pseudorandom number
generator.
20. Describe the basic concepts of the Boomerang attack.
In cryptography, the boomerang attack is a method for the cryptanalysis of
block ciphers based on differential cryptanalysis. The attack was published
in 1999 by David Wagner, who used it to break the COCONUT98 cipher.
The boomerang attack has allowed new avenues of attack for many
ciphers previously deemed safe from differential cryptanalysis.
Refinements on the boomerang attack have been published: the amplified
boomerang attack, then the rectangle attack.
25. Describe the basic concepts of Slide attacks, and analyze the
importance of the number of rounds
AES can be broken when it is only nine rounds, but the full strength cipher
still stands unbroken.
27. Describe the basic concepts of Impossible Differential Cryptanalysis
In cryptography, impossible differential cryptanalysis is a form
of differential cryptanalysis for block ciphers. While ordinary
differential cryptanalysis tracks differences that propagate through the
cipher with greater than expected probability, impossible differential
cryptanalysis exploits differences that are impossible (having
probability 0) at some intermediate state of the cipher algorithm.
Biham, Biryukov and Shamir also presented a relatively efficient
specialized method for finding impossible differentials that they called
a miss-in-the-middle attack. This consists of finding "two events with
probability one, whose conditions cannot be met together."
In normal differential analysis, we try to find a differential
characteristic that holds true with some high probability. If this
characteristic holds from the plaintext to the input of the last round, we
can have a go at some straightforward key recovery. If you need a
refresher, I recommend checking out my page on the differential
cryptanalysis of FEAL-4. Impossible differentials are a natural idea:
instead of looking for high-probability differentials, we look for those
that never happen. This gives information about intermediate states in
the cipher that differ from a random permutation. Exploiting these
weaknesses can enable us to recover the key with less work than
exhaustive search.
28. Specify the main idea of the Meet-(miss)-in-the-middle attacks. Analysis
of double and triple encryptions.
encryption layer, the attacker could possibly decrypt all the remaining
layers, assuming the same key is used for all layers.
To prevent that risk, one can use keys that are statistically independent for
each layer.
Double-DES is two successive DES instances, while Triple-DES is three
successive DES instances.
We use 3DES and not 2DES because 2DES does not yield the security
increase that you would believe. Namely, 2DES uses 112 key bits (two 56-bit
DES keys) but offers a security level of about 2^57, not 2^112, because of a
"meet-in-the-middle attack" (not to be confused with "man-in-the-middle",
a completely different concept).
Similarly, 3DES uses 168 key bits, but offers "only" 2^112 security (which is
quite sufficient in practice). This also explains why 3DES is sometimes
used with a 112-bit key (the third DES key is a copy of the first): going to
168 bits does not actually make things more secure.
This can be summarized as: we use n-DES because a simple DES is too
weak (a 56-bit key can be brute-forced by a determined attacker), but in
order to really improve security, we must go to n ≥ 3. Of course, every
additional DES implies some computational overhead (simple DES is
already quite slow in software, 3DES thrice as much).
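An added example (not from the original notes) of the meet-in-the-middle attack on double encryption described above, using a constructed toy Feistel cipher with 16-bit keys so that it runs in seconds; the cipher, key schedule, secret keys and plaintexts are all made up for the demonstration. The work count it returns is the reason 2DES gives about 2^57 rather than 2^112 security.

```python
# Added example (not part of the original notes): meet-in-the-middle against
# double encryption with a constructed toy cipher (16-bit key, 32-bit block,
# 4-round Feistel). Double encryption has 2^32 key pairs, yet the attack
# recovers both keys with about 2 * 2^16 cipher operations plus a table.

MASK16 = 0xFFFF


def round_function(r, rk):
    """Constructed 16-bit round function: add the round key, rotate, mix."""
    f = (r + rk) & MASK16
    f = ((f << 5) | (f >> 11)) & MASK16
    return f ^ (f >> 3)


def round_keys(key16):
    """Constructed key schedule: four distinct 16-bit round keys."""
    return [(key16 + i * 0x9E37) & MASK16 for i in range(4)]


def toy_encrypt(key16, block32):
    l, r = block32 >> 16, block32 & MASK16
    for rk in round_keys(key16):
        l, r = r, l ^ round_function(r, rk)
    return (l << 16) | r


def toy_decrypt(key16, block32):
    l, r = block32 >> 16, block32 & MASK16
    for rk in reversed(round_keys(key16)):
        l, r = r ^ round_function(l, rk), l
    return (l << 16) | r


def double_encrypt(k1, k2, block32):
    return toy_encrypt(k2, toy_encrypt(k1, block32))


def meet_in_the_middle(pairs):
    """pairs: (plaintext, ciphertext) tuples under the same unknown (k1, k2).
    Returns the surviving (k1, k2) candidates and the number of cipher
    operations spent, to compare with 2^32 for naive exhaustive search."""
    p0, c0 = pairs[0]
    # Forward half: E_k1(p0) for every k1, stored in a lookup table.
    table = {}
    for k1 in range(1 << 16):
        table.setdefault(toy_encrypt(k1, p0), []).append(k1)
    # Backward half: D_k2(c0) for every k2; a hit means E_k1(p0) == D_k2(c0).
    candidates = []
    for k2 in range(1 << 16):
        for k1 in table.get(toy_decrypt(k2, c0), []):
            candidates.append((k1, k2))
    # One pair leaves about one false match on average; more pairs remove them.
    for p, c in pairs[1:]:
        candidates = [(k1, k2) for k1, k2 in candidates
                      if double_encrypt(k1, k2, p) == c]
    work = 2 * (1 << 16)
    return candidates, work


# Constructed secret keys and known plaintexts for the demonstration.
SECRET_K1, SECRET_K2 = 0x1234, 0xBEEF
PLAINTEXTS = [0xDEADBEEF, 0x01234567]


def demo():
    pairs = [(p, double_encrypt(SECRET_K1, SECRET_K2, p)) for p in PLAINTEXTS]
    return meet_in_the_middle(pairs)


if __name__ == "__main__":
    found, work = demo()
    print(f"recovered key pairs: {[(hex(a), hex(b)) for a, b in found]}")
    print(f"cipher operations: {work} (2^{work.bit_length() - 1}) vs 2^32 brute force")
```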
29.Analyze the main concepts of the Algebraic attack
Algebraic attacks are a class of techniques which rely for their success on
some block cipher exhibiting a high degree of mathematical structure.
An algebraic attack is a method of cryptanalysis against a cipher. It
involves:
The attacker can choose which algebraic system to use; for example,
against one cipher he might treat the text as a vector of bits and use
Boolean algebra, while for another he might choose to treat it as a vector of
bytes and use arithmetic modulo 2^8.
What makes these attacks impractical is a combination of the sheer size of
the system of equations and the nonlinearity in the relations involved. In any
algebra, solving a system of linear equations is more or less
straightforward provided there are more equations than variables. However,
31. Determine the main ideas of attacks on stream ciphers, and write which simple
operation is used here
A stream cipher is a symmetric key cipher where plaintext digits are combined
with a pseudorandom cipher digit stream (keystream). Stream ciphers, where
plaintext bits are combined with a cipher bit stream by an exclusive-or operation
(xor), can be very secure if used properly. However, they are vulnerable to attack if
certain precautions are not followed:
- keys must never be used twice
- valid decryption should never be relied on to indicate authenticity
Stream ciphers are vulnerable to attack if the same key is used twice (depth of two)
or more.
Say we send messages A and B of the same length, both encrypted using same
key, K. The stream cipher produces a string of bits C(K) the same length as the
messages. The encrypted versions of the messages then are:
E(A) = A xor C
E(B) = B xor C
where xor is performed bit by bit. Say an adversary has intercepted E(A) and E(B).
He can easily compute:
E(A) xor E(B)
However, xor is commutative and has the property that X xor X = 0 (self-inverse)
so:
E(A) xor E(B) = (A xor C) xor (B xor C) = A xor B xor C xor C = A xor B
If one message is longer than the other, our adversary just truncates the longer
message to the size of the shorter and his attack will only reveal that portion of the
longer message. In other words, if anyone intercepts two messages encrypted with
the same key, they can recover A xor B, which is a form of running key cipher.
Even if neither message is known, as long as both messages are in a natural
language, such a cipher can often be broken by paper-and-pencil methods. If one
message is known, the solution is trivial.
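An added example (not from the original notes) of the keystream-reuse attack just described and of the authenticity caveat listed above: the keystream generator (SHA-256 in counter mode), keys and messages are constructed for the demonstration, and the MAC at the end shows the precaution the text says a stream cipher must be paired with.

```python
# Added example (not part of the original notes): what E(A) xor E(B) = A xor B
# means in practice when a stream-cipher key is reused, and why "it decrypted
# fine" is not authenticity. The keystream is a constructed stand-in
# (SHA-256 in counter mode), not any particular cipher.
import hashlib
import hmac


def keystream(key, length):
    """Constructed keystream C(K): concatenated SHA-256(key || counter) blocks."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key, message):
    """E(M) = M xor C(K), the model used in the text above."""
    return xor_bytes(message, keystream(key, len(message)))


def leak_from_reuse(ct_a, ct_b):
    """E(A) xor E(B) = A xor B on the common prefix: the keystream cancels,
    so an eavesdropper learns A xor B without the key (the longer message is
    truncated to the shorter one, as the text says)."""
    n = min(len(ct_a), len(ct_b))
    return xor_bytes(ct_a[:n], ct_b[:n])


def recover_from_known(ct_a, ct_b, known_a):
    """If message A is known, B = (A xor B) xor A on the overlapping prefix."""
    a_xor_b = leak_from_reuse(ct_a, ct_b)
    return xor_bytes(a_xor_b, known_a[:len(a_xor_b)])


def flip_plaintext_bit(ciphertext, byte_index, bit):
    """Why valid decryption is not authenticity: flipping one ciphertext bit
    flips the same plaintext bit, and the result still decrypts 'fine'."""
    ct = bytearray(ciphertext)
    ct[byte_index] ^= 1 << bit
    return bytes(ct)


def tag(mac_key, ciphertext):
    """The precaution: authenticate the ciphertext with a MAC (encrypt-then-MAC)."""
    return hmac.new(mac_key, ciphertext, hashlib.sha256).digest()


def verify(mac_key, ciphertext, expected_tag):
    return hmac.compare_digest(tag(mac_key, ciphertext), expected_tag)


# Constructed demonstration values.
KEY = b"constructed-32-byte-demo-key-00!"
MAC_KEY = b"constructed-mac-key"
MSG_A = b"TRANSFER 100 TO ACCOUNT 4711"
MSG_B = b"MEETING MOVED TO 09:30 ROOM 2"


def demo():
    ct_a, ct_b = encrypt(KEY, MSG_A), encrypt(KEY, MSG_B)   # same key twice
    forged = flip_plaintext_bit(ct_a, 9, 1)                  # '1' -> '3' in "100"
    t = tag(MAC_KEY, ct_a)
    return {
        "a_xor_b": leak_from_reuse(ct_a, ct_b),
        "recovered_b": recover_from_known(ct_a, ct_b, MSG_A),
        "forged_plaintext": encrypt(KEY, forged),
        "forgery_detected": not verify(MAC_KEY, forged, t),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```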
32. Describe the basic concepts of attacks on hash functions, and write any types of
hash functions in cryptography which you know
A cryptographic hash function is a hash function which takes an input (or
'message') and returns a fixed-size alphanumeric string, which is called the hash
value (sometimes called a message digest, a digital fingerprint, a digest or
a checksum).
The ideal cryptographic hash function has four main properties:
Pre-image resistance
Given a hash h it should be difficult to find any message m such that h =
hash(m). This concept is related to that of one-way function. Functions that
lack this property are vulnerable to preimage attacks.
Collision resistance
large hash values. For example SHA-1, one of the most widely used cryptographic
hash functions, generates 160-bit values.
The security of the MD5 hash function is severely compromised. A collision
attack exists that can find collisions within seconds on a computer with a 2.6 GHz
Pentium 4 processor (complexity of 2^24.1).
In April 2009, a preimage attack against MD5 was published that breaks
MD5's preimage resistance. This attack is only theoretical, with a computational
complexity of 2^123.4 for a full preimage.
36. Explain the main terms of hash functions and analyze what kinds of attack on
SHA-1 and SHA-2 you know
In cryptography, SHA-1 is a cryptographic hash function designed by the United
States National Security Agency and is a U.S. Federal Information Processing
Standard. In February 2005, an attack was announced that can find collisions in the
full version of SHA-1, requiring fewer than 2^69 operations.
SHA-2 is a set of cryptographic hash functions designed by the NSA. In 2005,
security flaws were identified in SHA-1, namely that a mathematical weakness
might exist, indicating that a stronger hash function would be desirable. [6] Although
SHA-2 bears some similarity to the SHA-1 algorithm, these attacks have not been
successfully extended to SHA-2.
Currently, the best public attacks break preimage resistance for 52 rounds of SHA-256
or 57 rounds of SHA-512, and collision resistance for 46 rounds of SHA-256, as
shown in the table below.
Published in | Year | Method | Attack | Variant | Rounds | Complexity
New Collision attacks Against Up To 24-step SHA-2 [25] | 2008 | Deterministic | Collision | SHA-256 | 24/64 | 2^28.5
 | | | | SHA-512 | 24/80 | 2^32.5
(publication and year not legible on the page) | | Meet-in-the-middle | Preimage | SHA-256 | 42/64 | 2^251.7
 | | | | SHA-256 | 43/64 | 2^254.9
 | | | | SHA-512 | 42/80 | 2^502.3
 | | | | SHA-512 | 46/80 | 2^511.5
Advanced meet-in-the-middle preimage attacks [27] | 2010 | Meet-in-the-middle | Preimage | SHA-256 | 42/64 | 2^248.4
 | | | | SHA-512 | 42/80 | 2^494.6
Higher-Order Differential Attack on Reduced SHA-256 [2] | 2011 | Differential | Pseudo-collision | SHA-256 | 46/64 | 2^178
 | | | | SHA-256 | 46/64 | 2^46
Bicliques for Preimages: Attacks on Skein-512 and the SHA-2 family [1] | 2011 | Biclique | Preimage | SHA-256 | 45/64 | 2^255.5
 | | | | SHA-512 | 50/80 | 2^511.5
 | | | Pseudo-preimage | SHA-256 | 52/64 | 2^255
 | | | | SHA-512 | 57/80 | 2^511
Improving Local Collisions: New Attacks on Reduced SHA-256 [28] | 2013 | Differential | Collision | SHA-256 | 31/64 | 2^65.5
 | | | Pseudo-collision | SHA-256 | 38/64 | 2^37
Branching Heuristics in Differential Collision Search with Applications to SHA-512 [29] | 2014 | Heuristic differential | Pseudo-collision | SHA-512 | 38/80 | 2^40.5
the message space is small, then one could simply try to encrypt every
possible message block, until a match is found with one of the
ciphertext blocks. In practice this would be an insurmountable task
because the block sizes are quite large.
GUESSING D
Another possible attack is a known ciphertext attack. This time the
attacker knows both the plaintext and ciphertext (they simply have to
encrypt something). They then try to crack the key to discover the
private exponent, d. This might involve trying every possible key in the
system on the ciphertext until it returns to the original plaintext.
Once d has been discovered it is easy to find the factors of n (for
example use the algorithm in chapter 8 of The Handbook of Applied
Cryptography). Then the system has been broken completely and all
further ciphertexts can be decrypted.
The problem with this attack is that it is slow. There are an enormous
number of possible values of d to try. This method is a factorizing algorithm as it
allows us to factor n. Since factorizing is an intractable problem we
know this is very difficult. This method is not the fastest way to
factorize n. Therefore one is advised to focus effort on using a more
efficient algorithm specifically designed to factor n. This advice was
given in the original paper.
CYCLE ATTACK
This attack is very similar to the last. The idea is that we encrypt the
ciphertext repeatedly, counting the iterations, until the original text
appears. This number of re-cycles will decrypt any ciphertext. Again
this method is very slow and for a large key it is not a practical attack. A
generalisation of the attack allows the modulus to be factored and it
works faster the majority of the time. But even this will still have
difficulty when a large key is used. Also the use of so-called strong primes aids
the security.
The bottom line is that the generalized form of the cipher attack is
another factoring algorithm. It is not efficient, and therefore the attack is
not good enough compared with modern factoring algorithms (e.g.
Number Field Sieve).
I noticed an improvement on this algorithm. The suggested way is to use
the public exponent of the public key to re-encrypt the text. However
any exponent should work so long as it is coprime to (p-1).(q-1) (where p, q
are factors of the modulus). So I suggest using an
exponent such as 2^16 + 1. This number has only two 1s in its binary
representation. Using binary fast exponentiation, we use only 16
modular squarings and 1 modular multiplication. This is likely to be
faster than the actual public exponent. The trouble is that we cannot be
sure that it is coprime to (p-1).(q-1). In practice, many RSA systems
use 2^16 + 1 as the encrypting exponent for its speed.
COMMON MODULUS
One of the early weaknesses found was in a system of RSA where the
users within an organization would share the public modulus. That is to
say, the administration would choose the public modulus securely and
generate pairs of encryption and decryption exponents (public and
private keys) and distribute them all the employees/users. The reason for
doing this is to make it convenient to manage and to write software for.
However, Simmons shows how this would allow any eavesdropper to
view any messages encrypted with two keys; for example when a memo
is sent to several employees. DeLaurentis went further to demonstrate
how the system was at even more risk from insiders, who could break
the system completely, allowing them to view all messages and sign
with anybody's key.
FAULTY ENCRYPTION
Joye and Quisquater showed how to capitalise on the common modulus
weakness due to a transient error when transmitting the public key.
Consider the situation where an attacker, Malory, has access to the
communication channel used by Alice and Bob. In other words, Malory
can listen to anything that is transmitted, and can also change what is
transmitted. Alice wishes to talk privately to Bob, but does not know his
public key. She requests by sending an email, to which Bob replies. But
during transmission, Malory is able to see the public key and decides to
flip a single bit in the public exponent of Bob, changing (e,n) to (e',n).
When Alice receives the faulty key, she encrypts the prepared message
and sends it to Bob (Malory also gets it). But of course, Bob cannot
decrypt it because the wrong key was used. So he lets Alice know and
they agree to try again, starting with Bob re-sending his public key. This
time Malory does not interfere. Alice sends the message again, this time
encrypted with the correct public key.
Malory now has two ciphertexts, one encrypted with the faulty exponent
and one with the correct one. She also knows both these exponents and
the public modulus. Therefore she can now apply the common modulus
attack to retrieve Alice's message, assuming that Alice was foolish
enough to encrypt exactly the same message the second time.
A demonstration of the Common Modulus attack and the Faulty
Encryption attack can be found in this Mathematica notebook.
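An added example (not from the original notes) of the common-modulus attack and of the faulty-key scenario above, in Python: the modulus, exponents and message are constructed for the demonstration (two Mersenne primes are used only so that the example needs no key generation), and the function names are my own.

```python
# Added example (not part of the original notes): the common-modulus attack
# (Simmons) applied to the Joye-Quisquater faulty-key scenario above. Malory
# recovers Alice's message from the two ciphertexts, the two exponents and the
# shared modulus alone; no private key is involved anywhere.
from math import gcd

P = (1 << 89) - 1           # constructed: Mersenne primes keep the example
Q = (1 << 107) - 1          # self-contained (no key generation needed)
N = P * Q
E = 65537                   # Bob's real public exponent
E_FAULTY = E ^ (1 << 1)     # one bit flipped in transit: 65539


def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def rsa_encrypt(message_int, e, n):
    return pow(message_int, e, n)


def common_modulus_recover(c1, e1, c2, e2, n):
    """Same message m under (e1, n) and (e2, n) with gcd(e1, e2) == 1:
    find a*e1 + b*e2 == 1, then c1^a * c2^b == m^(a*e1 + b*e2) == m (mod n).
    One of a, b is negative, so that ciphertext is inverted modulo n first."""
    g, a, b = egcd(e1, e2)
    if g != 1:
        raise ValueError("exponents must be coprime for this attack")
    if a < 0:
        c1, a = pow(c1, -1, n), -a      # needs gcd(c1, n) == 1
    if b < 0:
        c2, b = pow(c2, -1, n), -b
    return (pow(c1, a, n) * pow(c2, b, n)) % n


def faulty_key_scenario(message):
    """Alice encrypts the same message first under the corrupted key (e', n)
    and then, after the retry, under the correct (e, n). Malory, who saw both
    ciphertexts and both exponents, recovers the message from them."""
    m = int.from_bytes(message, "big")
    assert m < N and gcd(m, N) == 1
    c_faulty = rsa_encrypt(m, E_FAULTY, N)
    c_correct = rsa_encrypt(m, E, N)
    recovered = common_modulus_recover(c_faulty, E_FAULTY, c_correct, E, N)
    return recovered.to_bytes(len(message), "big")


if __name__ == "__main__":
    msg = b"same message, resent"
    print(faulty_key_scenario(msg) == msg)
```

The two defensive takeaways: never issue keys that share a modulus, and encrypt with randomized padding such as OAEP so that a retransmission never encrypts the same value under a second exponent.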
LOW EXPONENT
attacks. Both differential and linear cryptanalysis arose out of studies on the DES design. Today,
there is a palette of attack techniques against which a block cipher must be secure, in addition to
being robust against brute force attacks.
A block cipher consists of two paired algorithms, one for encryption, E, and the other for
decryption, D. [4] Both algorithms accept two inputs: an input block of size n bits and a key of
size k bits; and both yield an n-bit output block. The decryption algorithm D is defined to be
the inverse function of encryption, i.e., D = E^-1. More formally, [5][6] a block cipher is specified by an
encryption function
which takes as input a key K of bit length k, called the key size, and a bit string P of length n,
called the block size, and returns a string C of n bits. P is called the plaintext, and C is termed
the ciphertext. For each K, the function E_K(P) is required to be an invertible mapping on {0,1}^n.
The inverse for E is defined as a function
For example, a block cipher encryption algorithm might take a 128-bit block of plaintext as input, and
output a corresponding 128-bit block of ciphertext. The exact transformation is controlled using a
second input, the secret key. Decryption is similar: the decryption algorithm takes, in this example,
a 128-bit block of ciphertext together with the secret key, and yields the original 128-bit block of
plaintext. [7]
For each key K, EK is a permutation (a bijective mapping) over the set of input blocks. Each key
selects one permutation from the possible set of
.[8]
is based on the Rijndael cipher by Daemen and Vincent Rijmen, who submitted a proposal to NIST
during the AES selection process. [6]
For AES, NIST selected three members of the Rijndael family, each with a block size of 128 bits, but
three different key lengths: 128, 192 and 256 bits.
AES became effective as a federal government standard on May 26, 2002 after approval by
the Secretary of Commerce. AES is included in the ISO/IEC 18033-3 standard. AES is available in
many different encryption packages, and is the first publicly accessible and open cipher approved by
the National Security Agency (NSA) for top secret information when used in an NSA approved
cryptographic module (see Security of AES, below).
AES has a fairly simple algebraic description. [15] In 2002, a theoretical attack, termed the "XSL
attack", was announced by Nicolas Courtois and Josef Pieprzyk, purporting to show a weakness in
the AES algorithm due to its simple description. [16] Since then, other papers have shown that the
attack as originally presented is unworkable; see XSL attack on block ciphers.
During the AES process, developers of competing algorithms wrote of Rijndael, "...we are concerned
about [its] use...in security-critical applications." [17] However, in October 2000 at the end of the AES
selection process, Bruce Schneier, a developer of the competing algorithm Twofish, wrote that while
he thought successful academic attacks on Rijndael would be developed someday, he does not
"believe that anyone will ever discover an attack that will allow someone to read Rijndael traffic." [18]
On July 1, 2009, Bruce Schneier blogged [19] about a related-key attack on the 192-bit and 256-bit
versions of AES, discovered by Alex Biryukov and Dmitry Khovratovich, [20] which exploits AES's
somewhat simple key schedule and has a complexity of 2^119. In December 2009 it was improved to
2^99.5. This is a follow-up to an attack discovered earlier in 2009 by Alex Biryukov, Dmitry Khovratovich,
and Ivica Nikolić, with a complexity of 2^96 for one out of every 2^35 keys. [21]
Another attack was blogged by Bruce Schneier [22] on July 30, 2009 and released as a preprint [23] on
August 3, 2009. This new attack, by Alex Biryukov, Orr Dunkelman, Nathan Keller, Dmitry
Khovratovich, and Adi Shamir, is against AES-256 that uses only two related keys and 2^39 time to
recover the complete 256-bit key of a 9-round version, or 2^45 time for a 10-round version with a
stronger type of related subkey attack, or 2^70 time for an 11-round version. 256-bit AES uses 14
rounds, so these attacks aren't effective against full AES.
Side-channel attacks do not attack the underlying cipher, and thus are not related to security in that
context. They rather attack implementations of the cipher on systems which inadvertently leak data.
There are several such known attacks on certain implementations of AES.
In April 2005, D.J. Bernstein announced a cache-timing attack that he used to break a custom server
that used OpenSSL's AES encryption. [27] The attack required over 200 million chosen plaintexts. [28]
The custom server was designed to give out as much timing information as possible (the server
reports back the number of machine cycles taken by the encryption operation); however, as
Bernstein pointed out, "reducing the precision of the server's timestamps, or eliminating them from
the server's responses, does not stop the attack: the client simply uses round-trip timings based on
its local clock, and compensates for the increased noise by averaging over a larger number of
samples."[27]
In October 2005, Dag Arne Osvik, Adi Shamir and Eran Tromer presented a paper demonstrating
several cache-timing attacks against AES. [29] One attack was able to obtain an entire AES key after
only 800 operations triggering encryptions, in a total of 65 milliseconds. This attack requires the
attacker to be able to run programs on the same system or platform that is performing AES.
3DES is ubiquitous: most systems, libraries, and protocols include support for it.
Advantages of AES over 3DES:
AES supports larger key sizes than 3DES's 112 or 168 bits.
AES's 128-bit block size makes it less open to attacks via the birthday problem than
3DES with its 64-bit block size.
AES is required by the latest U.S. and international standards.
43. Analyze the main requirements for a modern cipher, and list the ciphers which you
know in cryptography
Most modern ciphers can be categorized in several ways
By whether they work on blocks of symbols usually of a fixed size (block ciphers), or on a
continuous stream of symbols (stream ciphers).
By whether the same key is used for both encryption and decryption (symmetric key
algorithms), or if a different key is used for each (asymmetric key algorithms). If the algorithm is
symmetric, the key must be known to the recipient and sender and to no one else. If the
algorithm is an asymmetric one, the enciphering key is different from, but closely related to, the
deciphering key. If one key cannot be deduced from the other, the asymmetric key algorithm has
the public/private key property and one of the keys may be made public without loss of
confidentiality.
Modern encryption methods can be divided by two criteria: by type of key used, and by type of input
data.
By type of key used ciphers are divided into:
symmetric key algorithms (Private-key cryptography), where the same key is used for
encryption and decryption, and
asymmetric key algorithms (Public-key cryptography), where two different keys are used for
encryption and decryption.
In a symmetric key algorithm (e.g., DES and AES), the sender and receiver must have a shared key
set up in advance and kept secret from all other parties; the sender uses this key for encryption, and
the receiver uses the same key for decryption. The Feistel cipher uses a combination of substitution
and transposition techniques. Most block cipher algorithms are based on this structure. In an
asymmetric key algorithm (e.g., RSA), there are two separate keys: a public key is published and
enables any sender to perform encryption, while a private key is kept secret by the receiver and
enables only him to perform correct decryption.
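As an added illustration of the Feistel structure mentioned above (example code written for these notes, not taken from any cipher specification or library), here is a toy 64-bit Feistel network in Python. The round function, the constant multiplier, the round count and the key schedule are arbitrary choices made for the demonstration and give no security; the point is that the round function combines substitution-style and transposition-style mixing, is never inverted, and that decryption is the same loop with the subkeys applied in reverse order.

```python
"""Toy Feistel network (added illustration; not a real cipher and not from the notes).

The round function F mixes the right half with a subkey and never has to be
inverted; decryption is the encryption loop with the subkeys reversed.
Constants, round count and key schedule are arbitrary demo choices.
"""
import struct

MASK32 = 0xFFFFFFFF
ROUNDS = 16
BLOCK_BYTES = 8   # 64-bit block split into two 32-bit halves


def _rotl32(x: int, n: int) -> int:
    """Rotate a 32-bit word left by n bits."""
    n %= 32
    return ((x << n) | (x >> (32 - n))) & MASK32


def round_function(right: int, subkey: int) -> int:
    """Non-invertible mixing of the right half with a subkey (demo choice)."""
    x = (right ^ subkey) & MASK32
    x = (x * 0x9E3779B1) & MASK32          # multiply: substitution-like confusion
    return _rotl32(x, 13) ^ (x >> 7)        # rotate/shift: transposition-like diffusion


def key_schedule(key: bytes) -> list:
    """Derive ROUNDS 32-bit subkeys from a 16-byte key (toy schedule)."""
    if len(key) != 16:
        raise ValueError("toy cipher expects a 16-byte key")
    words = struct.unpack(">4I", key)
    return [_rotl32(words[i % 4] ^ ((i + 1) * 0x9E3779B9 & MASK32), i)
            for i in range(ROUNDS)]


def _feistel(block: bytes, subkeys) -> bytes:
    """One pass of the Feistel loop; the same pass with reversed keys inverts it."""
    if len(block) != BLOCK_BYTES:
        raise ValueError("block must be 8 bytes")
    left, right = struct.unpack(">2I", block)
    for k in subkeys:
        # L_{i+1} = R_i ; R_{i+1} = L_i XOR F(R_i, k_i)
        left, right = right, left ^ round_function(right, k)
    # Undo the final swap so that the same function, run with reversed
    # subkeys, maps the ciphertext back to the plaintext.
    return struct.pack(">2I", right, left)


def encrypt_block(block: bytes, key: bytes) -> bytes:
    return _feistel(block, key_schedule(key))


def decrypt_block(block: bytes, key: bytes) -> bytes:
    return _feistel(block, key_schedule(key)[::-1])


if __name__ == "__main__":
    demo_key = bytes(range(16))          # constructed demo key, not secret
    plaintext = b"exam-q43"              # exactly one 8-byte block
    ciphertext = encrypt_block(plaintext, demo_key)
    print(ciphertext.hex(), decrypt_block(ciphertext, demo_key))
```

Running the file encrypts one constructed block and decrypts it back; feeding the subkeys in the original order to the decryptor, or using a different key, breaks the round trip, which is exactly the property the Feistel design guarantees for any choice of round function.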
Ciphers can be distinguished into two types by the type of input data:
DIFFERENTIAL CRYPTANALYSIS
46.
47. Describe the basic concepts of the frequency attack; analyze who first used the frequency attack in history
Encrypted text is sometimes produced by replacing one letter by another. To start deciphering the encryption it is useful to get a frequency count of all the letters. The most frequent letter may represent the most common letter in English, E, followed by T, A, O and I, whereas the least frequent are Q, Z and X. Common percentages in standard English, ranked in order, are:
e 12.7    m 2.4
t 9.1     w 2.4
a 8.2     f 2.2
o 7.5     y 2.0
i 7.0     g 2.0
n 6.7     p 1.9
s 6.3     b 1.5
h 6.1     v 1.0
r 6.0     k 0.8
d 4.3     x 0.2
l 4.0     j 0.2
u 2.8     q 0.1
c 2.8     z 0.1
of Latin and Italian text.[5] Arabic Letter Frequency and a detailed study
of letter and word frequency analysis of the entire book of Qur'an are
provided by Intellaren Articles.[6]
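An added example of the frequency attack this question asks about, written for these notes (not code from the original source): it scores each of the 26 possible shifts of a monoalphabetic shift cipher against the English letter percentages in the table above with a chi-squared statistic and picks the shift that brings the letter counts closest to English. The plaintext (the opening of A Tale of Two Cities) and the shift used are constructed inputs for the demonstration; the attack assumes the underlying language is English.

```python
"""Frequency attack on a shift (Caesar) cipher (added example; not code from the notes).

For each candidate shift, undo it and measure how far the letter counts are
from the English profile above with a chi-squared statistic; the smallest
score is the best guess.  Plaintext and shift are constructed for the demo.
"""
from collections import Counter
import string

# English letter percentages, as given in the table above.
ENGLISH_FREQ = {
    "e": 12.7, "t": 9.1, "a": 8.2, "o": 7.5, "i": 7.0, "n": 6.7, "s": 6.3,
    "h": 6.1, "r": 6.0, "d": 4.3, "l": 4.0, "u": 2.8, "c": 2.8, "m": 2.4,
    "w": 2.4, "f": 2.2, "y": 2.0, "g": 2.0, "p": 1.9, "b": 1.5, "v": 1.0,
    "k": 0.8, "x": 0.2, "j": 0.2, "q": 0.1, "z": 0.1,
}

# Constructed sample plaintext (opening of A Tale of Two Cities).
PLAINTEXT = ("it was the best of times it was the worst of times it was the age "
             "of wisdom it was the age of foolishness it was the epoch of belief "
             "it was the epoch of incredulity it was the season of light it was "
             "the season of darkness")


def shift_text(text: str, shift: int) -> str:
    """Shift every ASCII letter by `shift` places (a negative shift undoes a positive one)."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def letter_counts(text: str) -> Counter:
    """Count a-z only, case-insensitively; punctuation and spaces are ignored."""
    return Counter(ch for ch in text.lower() if ch in string.ascii_lowercase)


def ranked_letters(text: str) -> list:
    """Letters of the text from most to least frequent: the analyst's first step."""
    return [letter for letter, _ in letter_counts(text).most_common()]


def chi_squared(text: str) -> float:
    """Distance between the text's letter counts and the English profile (lower is closer)."""
    counts = letter_counts(text)
    n = sum(counts.values())
    if n == 0:
        return float("inf")
    score = 0.0
    for letter, percent in ENGLISH_FREQ.items():
        expected = n * percent / 100.0
        score += (counts[letter] - expected) ** 2 / expected
    return score


def recover_shift(ciphertext: str) -> int:
    """Return the shift whose removal makes the text look most like English."""
    scores = {s: chi_squared(shift_text(ciphertext, -s)) for s in range(26)}
    return min(scores, key=scores.get)


if __name__ == "__main__":
    demo_shift = 7                                   # constructed, unknown to the analyst
    ciphertext = shift_text(PLAINTEXT, demo_shift)
    guess = recover_shift(ciphertext)
    print("most frequent ciphertext letters:", ranked_letters(ciphertext)[:5])
    print("recovered shift:", guess)
    print(shift_text(ciphertext, -guess))
```

The ranked-letter step alone already points at the answer (the ciphertext's most frequent letters are the images of E, T and S), and the chi-squared score turns that observation into an automatic decision; the same scoring generalizes to any substitution whose candidate keys can be enumerated.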
48. Avalanche effect is a desirable property in cipher systems. Describe what this effect is
In cryptography, the avalanche effect refers to a desirable property of cryptographic algorithms, typically block ciphers and cryptographic hash functions. The avalanche effect is evident if, when an input is changed slightly (for example, flipping a single bit), the output changes significantly (e.g., half the output bits flip). In the case of high-quality block ciphers, such a small change in either the key or the plaintext should cause a drastic change in the ciphertext. The actual term was first used by Horst Feistel,[1] although the concept dates back to at least Shannon's diffusion.
The SHA-1 hash function exhibits a good avalanche effect. When a single bit is changed, the hash sum becomes completely different.
If a block cipher or cryptographic hash function does not exhibit the avalanche effect to a significant degree, then it has poor randomization, and thus a cryptanalyst can make predictions about the input, being given only the output. This may be sufficient to partially or completely break the algorithm. Thus, the avalanche effect is a desirable condition from the point of view of the designer of the cryptographic algorithm or device.
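An added example measuring the avalanche effect described above (example code for these notes, not from the original source). It flips each bit of a constructed message in turn and counts how many digest bits change for SHA-1 and SHA-256 from the standard library, and does the same for a plain additive checksum, constructed here only to show what poor avalanche looks like.

```python
"""Measuring the avalanche effect (added example; not code from the notes).

For every single-bit flip of a fixed input, count how many output bits change.
SHA-1 and SHA-256 flip about half of their output bits; a byte-sum checksum,
constructed here only as a poor-avalanche contrast, flips just a few.
"""
import hashlib

# Constructed sample message for the measurement.
SAMPLE = b"avalanche demo: one flipped input bit should change about half the output bits"


def sha1_digest(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def sha256_digest(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def additive_checksum(data: bytes) -> bytes:
    """Weak 32-bit checksum (sum of bytes): a flipped input bit moves the sum by 2^j."""
    return (sum(data) & 0xFFFFFFFF).to_bytes(4, "big")


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Return a copy of data with one bit inverted."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def hamming_distance(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def avalanche_ratio(func, data: bytes) -> float:
    """Average fraction of output bits that change per single input-bit flip (ideal: 0.5)."""
    base = func(data)
    out_bits = len(base) * 8
    in_bits = len(data) * 8
    changed = sum(hamming_distance(base, func(flip_bit(data, i))) for i in range(in_bits))
    return changed / (in_bits * out_bits)


def worst_case_bits_changed(func, data: bytes) -> int:
    """Fewest output bits changed by any single input-bit flip (0 would mean a flip went unnoticed)."""
    base = func(data)
    return min(hamming_distance(base, func(flip_bit(data, i))) for i in range(len(data) * 8))


if __name__ == "__main__":
    for name, func in [("SHA-1", sha1_digest), ("SHA-256", sha256_digest),
                       ("byte-sum checksum", additive_checksum)]:
        print(f"{name:18s} avalanche ratio {avalanche_ratio(func, SAMPLE):.3f}, "
              f"worst case {worst_case_bits_changed(func, SAMPLE)} bit(s) changed")
```

The ratio is what the definition above calls "half the output bits flip"; the worst-case figure matters just as much to a designer, because a single input flip that changes only one output bit is what lets an analyst relate inputs to outputs.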
A cryptographic hash function is a hash function which is considered practically impossible to invert, that is, to recreate the input data from its hash value alone. These one-way hash functions have been called "the workhorses of modern cryptography".[1] The input data is often called the message, and the hash value is often called the message digest or simply the digest.
The ideal cryptographic hash function has four main properties:
VERIFICATION
such typically use
SECURITY
A generalization some make from Kerckhoffs's principle is: "The fewer and simpler the secrets that one must keep to ensure system security, the easier it is to maintain system security." Bruce Schneier ties it in with a belief that all security systems must be designed to fail as gracefully as possible:
complex that it is useless for
6 and 11 quest
57. What is the probability of finding a collision for an ideal 60-bit hash function? What is the main reason for this probability?
Great, so this magic expression serves as our probability that all values are unique. Subtract it from one, and you have the probability of a hash collision:
1 - e^(-k(k-1)/(2N))
Here is a graph for N = 2^32. This illustrates the probability of collision when using 32-bit hash values. It's worth noting that a 50% chance of collision occurs when the number of hashes is 77163.
Every hash function with more inputs than outputs will necessarily have collisions.[1]:136 Consider a hash function such as SHA-256 that produces 256 bits of output from an arbitrarily large input. Since it must generate one of 2^256 outputs for each member of a much larger set of inputs, the pigeonhole principle guarantees that some inputs will hash to the same output. Collision resistance doesn't mean that no collisions exist; simply that they are hard to find.[1]:143
as some hard mathematical problem (such as integer