Professional Documents
Culture Documents
Symmetric Encryption
Chapter 2
Cryptographic Tools
1
Cryptanalytic Attacks
Transmitted
ciphertext
Y = E[K, X]
Plaintext
input
Attacking Symmetric
Encryption
Encryption algorithm
(e.g., DES)
Rely on:
X = D[K, Y]
Decryption algorithm
(reverse of encryption
algorithm)
Plaintext
output
Brute-Force Attack
Try all possible keys on some
ciphertext until an intelligible
translation into plaintext is
obtained
1/19/2016
Table 2.1
DES
Triple DES
AES
64
64
128
64
64
128
56
112 or 168
Strength concerns*:
Table 2.2
Key size
(bits)
56
128
168
Cipher
DES
AES
Triple DES
Number of
Alternative
Keys
1 hour
192
AES
256
AES
Attractions:
168-bit key length overcomes the vulnerability to brute-force
attack of DES
Underlying encryption algorithm is the same as in DES
Drawbacks:
Algorithm is sluggish in software
was designed for mid-70s hardware implementation, and
does not produce efficient software code
Uses a 64-bit block size
8
1/19/2016
Advanced Encryption
Standard (AES)
Needed a
replacement for
3DES
Selected
Rijndael in
November 2001
Significantly improved
efficiency
Modes of operation
Published as
FIPS 197
Decryption
Encryption
P1
P2
Encrypt
b
C2
Cn
C1
C2
Cn
b
Decrypt
b
P1
Encrypt
b
C1
Pn
b
Encrypt
b
Decrypt
b
Decrypt
b
P2
Block Cipher
Pn
Key
K
Key
K
Pseudorandom byte
generator
(key stream generator)
Pseudorandom byte
generator
(key stream generator)
k
Plaintext
byte stream
M
ENCRYPTION
10
Stream Cipher
Processes the input elements continuously
Produces output one element at a time
Encrypts plaintext one byte at a time
Pseudorandom stream is one that is unpredictable without
knowledge of the input key
Primary advantage is that they are almost always faster
and use far less code
kk
Ciphertext
byte stream
C
DECRYPTION
Plaintext
byte stream
M
12
1/19/2016
Message
Message Authentication
K
Protects against
active attacks
Compare
MAC
algorithm
MAC
K
13
14
Message
Destination B
Message
Message
Source A
Compare
Message
Message
Message
PRa
PUa
Compare
Message
Message
Can use
conventional
encryption
Message
Verifies received
message is
authentic
MAC
algorithm
Transmit
Compare
15
16
1/19/2016
Cryptanalysis
Passwords
Exploit logical
weaknesses in the
algorithm
Hash of a password is
stored by an operating
system
Brute-force attack
Intrusion detection
17
18
Asymmetric
Publicly
proposed by
Diffie and
Hellman in
1976
Based on
mathematical
functions
Uses two
separate keys
Public key
and private
key
Public key is
made public
for others to
use
Some form of
protocol is
needed for
distribution
Plaintext
Encryption algorithm
Ciphertext
Decryption key
19
20
**
1/19/2016
Bobs's
public key
ring
Joy
Ted
Alice
Mike
PUa
Alice's public
key
X=
D[PRa, Y]
Transmitted
ciphertext
Y = E[PUa, X]
Plaintext
input
Encryption algorithm
(e.g., RSA)
Decryption algorithm
Bob
Plaintext
output
Alice
Alice's
public key
ring
Joy
PRb
PUb
Bob's private
key
Bob's public
key
X=
D[PUb, Y]
Transmitted
ciphertext
Table 2.3
Ted
Bob
Mike
Y = E[PRb, X]
Plaintext
input
Encryption algorithm
(e.g., RSA)
Bob
Decryption algorithm
Plaintext
output
Algorithm
Digital Signature
Symmetric Key
Distribution
Encryption of
Secret Keys
Alice
private key
RSA
Yes
Yes
Yes
Diffie-Hellman
No
Yes
No
DSS
Yes
No
No
Elliptic Curve
Yes
Yes
Yes
21
Computationally easy
to create key pairs
Computationally
easy for sender
knowing public key
to encrypt messages
Computationally
infeasible for
opponent to
otherwise recover
original message
Computationally
easy for receiver
knowing private key
to decrypt
ciphertext
Computationally
infeasible for
opponent to
determine private key
from public key
23
22
RSA (Rivest,
Shamir,
Adleman)
Developed in 1977
Diffie-Hellman
key exchange
algorithm
Digital
Signature
Standard (DSS)
Elliptic curve
cryptography
(ECC)
24
1/19/2016
Digital Signatures
Unsigned certificate:
contains user ID,
user's public key,
as well as information
concerning the CA
CA
information
Generate hash
code of unsigned
certificate
Bob's ID
information
Bob's public key
D
Signed certificate
Decrypt signature
with CA's public key
to recover hash code
Create signed
digital certificate
Use certificate to
verify Bob's public key
Message
Random
Numbers
E
Encrypted
message
Random
symmetric
key
Digital
envelope
26
Encrypted
symmetric
key
Receiver's
public
key
D
Encrypted
message
Protects a message
without needing to
first arrange for sender
and receiver to have
the same secret key
thing as a sealed
envelope containing
an unsigned letter
Digital
envelope
Message
Random
symmetric
key
D
Encrypted
symmetric
key
Receiver's
private
key
Uses include
generation of:
27
Handshaking to prevent
replay attacks
Session key
28
1/19/2016
Random versus
Pseudorandom
Random Number
Requirements
Randomness
Unpredictability
Cryptographic applications typically make use of
algorithmic techniques for random number generation
Criteria:
Uniform distribution
Frequency of occurrence
of each of the numbers
should be approximately
the same
Independence
No one value in the
sequence can be inferred
from the others
Each number is
statistically independent
of other numbers in the
sequence
29
Practical Application:
Encryption of Stored Data
Summary
Confidentiality with
symmetric encryption
Back-end appliance
Authentication using
symmetric encryption
Message authentication
without message encryption
Secure hash functions
Other applications of hash
functions
Random and
pseudorandom
numbers
Symmetric encryption
Symmetric block encryption
algorithms
Stream ciphers
Message
authentication and
hash functions
30
Background laptop/PC
data encryption
31
Public-key
encryption
Structure
Applications for publickey cryptosystems
Requirements for publickey cryptography
Asymmetric encryption
algorithms
Digital signatures
and key
management
Digital signature
Public-key certificates
Symmetric key exchange
using public-key
encryption
Digital envelopes
32