Title: Why Computer Security
1Why Computer Security
- The past decade has seen an explosion in the
concern for the security of information - Malicious codes (viruses, worms, etc.) caused
over 28 billion in economic losses in 2003, and
will grow to over 75 billion by 2007 - Security specialists markets are expanding !
- Full-time information security professionals
will rise almost 14 per year around the world,
going past 2.1 million in 2008 (IDC report)
2Why Computer Security (contd)
- Internet attacks are increasing in frequency,
severity and sophistication - Denial of service (DoS) attacks
- Cost 1.2 billion in 2000
- 1999 CSI/FBI survey 32 of respondents detected
DoS attacks directed to their systems - Thousands of attacks per week in 2001
- Yahoo, Amazon, eBay, Microsoft, White House,
etc., attacked
3Why Computer Security (contd)
- Virus and worms faster and powerful
- Melissa, Nimda, Code Red, Code Red II, Slammer
- Cause over 28 billion in economic losses in
2003, growing to over 75 billion in economic
losses by 2007. - Code Red (2001) 13 hours infected gt360K machines
- 2.4 billion loss - Slammer (2003) 15 minutes infected gt 75K
machines - 1 billion loss - Spams, phishing
- New Internet security landscape emerging BOTNETS
!
4Outline
- History of Security and Definitions
- Overview of Cryptography
- Symmetric Cipher
- Classical Symmetric Cipher
- Modern Symmetric Ciphers (DES and AES)
- Asymmetric Cipher
- One-way Hash Functions and Message Digest
5The History of Computing
- For a long time, security was largely ignored in
the community - The computer industry was in survival mode,
struggling to overcome technological and economic
hurdles - As a result, a lot of comers were cut and many
compromises made - There was lots of theory, and even examples of
systems built with very good security, but were
largely ignored or unsuccessful - E.g., ADA language vs. C (powerful and easy to
use)
6Computing Today is Very Different
- Computers today are far from survival mode
- Performance is abundant and the cost is very
cheap - As a result, computers now ubiquitous at every
facet of society - Internet
- Computers are all connected and interdependent
- This codependency magnifies the effects of any
failures
7Biological Analogy
- Computing today is very homogeneous.
- A single architecture and a handful of OS
dominates - In biology, homogeneous populations are in danger
- A single disease or virus can wipe them out
overnight because they all share the same
weakness - The disease only needs a vector to travel among
hosts - Computers are like the animals, the Internet
provides the vector. - It is like having only one kind of cow in the
world, and having them drink from one single pool
of water!
8The Spread of Sapphire/Slammer Worms
9The Flash Worm
- Slammer worm infected 75,000 machines in lt15
minutes - A properly designed worm, flash worm, can take
less than 1 second to compromise 1 million
vulnerable machines in the Internet - The Top Speed of Flash Worms. S. Staniford, D.
Moore, V. Paxson and N. Weaver, ACM WORM Workshop
2004. - Exploit many vectors such as P2P file sharing,
intelligent scanning, hitlists, etc.
10The Definition of Computer Security
- Security is a state of well-being of information
and infrastructures in which the possibility of
successful yet undetected theft, tampering, and
disruption of information and services is kept
low or tolerable - Security rests on confidentiality, authenticity,
integrity, and availability
11The Basic Components
- Confidentiality is the concealment of information
or resources. - E.g., only sender, intended receiver should
understand message contents - Authenticity is the identification and assurance
of the origin of information. - Integrity refers to the trustworthiness of data
or resources in terms of preventing improper and
unauthorized changes. - Availability refers to the ability to use the
information or resource desired.
12Security Threats and Attacks
- A threat/vulnerability is a potential violation
of security. - Flaws in design, implementation, and operation.
- An attack is any action that violates security.
- Active adversary
- An attack has an implicit concept of intent
- Router mis-configuration or server crash can also
cause loss of availability, but they are not
attacks
13Friends and enemies Alice, Bob, Trudy
- well-known in network security world
- Bob, Alice (lovers!) want to communicate
securely - Trudy (intruder) may intercept, delete, add
messages
Alice
Bob
data, control messages
channel
secure sender
secure receiver
data
data
Trudy
14Eavesdropping - Message Interception (Attack on
Confidentiality)
- Unauthorized access to information
- Packet sniffers and wiretappers
- Illicit copying of files and programs
B
A
Eavesdropper
15Integrity Attack - Tampering With Messages
- Stop the flow of the message
- Delay and optionally modify the message
- Release the message again
B
A
Perpetrator
16Authenticity Attack - Fabrication
- Unauthorized assumption of others identity
- Generate and distribute objects under this
identity
B
A
Masquerader from A
17Attack on Availability
- Destroy hardware (cutting fiber) or software
- Modify software in a subtle way (alias commands)
- Corrupt packets in transit
- Blatant denial of service (DoS)
- Crashing the server
- Overwhelm the server (use up its resource)
18Classify Security Attacks as
- Passive attacks - eavesdropping on, or monitoring
of, transmissions to - obtain message contents, or
- monitor traffic flows
- Active attacks modification of data stream to
- masquerade of one entity as some other
- replay previous messages
- modify messages in transit
- denial of service
19Outline
- Overview of Cryptography
- Symmetric Cipher
- Classical Symmetric Cipher
- Modern Symmetric Ciphers (DES and AES)
- Asymmetric Cipher
- One-way Hash Functions and Message Digest
20Basic Terminology
- plaintext - the original message
- ciphertext - the coded message
- cipher - algorithm for transforming plaintext to
ciphertext - key - info used in cipher known only to
sender/receiver - encipher (encrypt) - converting plaintext to
ciphertext - decipher (decrypt) - recovering ciphertext from
plaintext - cryptography - study of encryption
principles/methods - cryptanalysis (codebreaking) - the study of
principles/ methods of deciphering ciphertext
without knowing key - cryptology - the field of both cryptography and
cryptanalysis
21Classification of Cryptography
- Number of keys used
- Hash functions no key
- Secret key cryptography one key
- Public key cryptography two keys - public,
private - Type of encryption operations used
- substitution / transposition / product
- Way in which plaintext is processed
- block / stream
22Secret Key vs. Secret Algorithm
- Secret algorithm additional hurdle
- Hard to keep secret if used widely
- Reverse engineering, social engineering
- Commercial published
- Wide review, trust
- Military avoid giving enemy good ideas
23Unconditional vs. Computational Security
- Unconditional security
- No matter how much computer power is available,
the cipher cannot be broken - The ciphertext provides insufficient information
to uniquely determine the corresponding plaintext
- Only one-time pad scheme qualifies
- Computational security
- The cost of breaking the cipher exceeds the value
of the encrypted info - The time required to break the cipher exceeds the
useful lifetime of the info
24Brute Force Search
- Always possible to simply try every key
- Most basic attack, proportional to key size
- Assume either know / recognise plaintext
Key Size (bits) Number of Alternative Keys Time required at 1 decryption/µs Time required at 106 decryptions/µs
32 232 4.3 ? 109 231 µs 35.8 minutes 2.15 milliseconds
56 256 7.2 ? 1016 255 µs 1142 years 10.01 hours
128 2128 3.4 ? 1038 2127 µs 5.4 ? 1024 years 5.4 ? 1018 years
168 2168 3.7 ? 1050 2167 µs 5.9 ? 1036 years 5.9 ? 1030 years
26 characters (permutation) 26! 4 ? 1026 2 ? 1026 µs 6.4 ? 1012 years 6.4 ? 106 years
25Outline
- Overview of Cryptography
- Classical Symmetric Cipher
- Substitution Cipher
- Transposition Cipher
- Modern Symmetric Ciphers (DES and AES)
- Asymmetric Cipher
- One-way Hash Functions and Message Digest
26Symmetric Cipher Model
27Requirements
- Two requirements for secure use of symmetric
encryption - a strong encryption algorithm
- a secret key known only to sender / receiver
- Y EK(X)
- X DK(Y)
- Assume encryption algorithm is known
- Implies a secure channel to distribute key
28Classical Substitution Ciphers
- Letters of plaintext are replaced by other
letters or by numbers or symbols - Plaintext is viewed as a sequence of bits, then
substitution replaces plaintext bit patterns with
ciphertext bit patterns
29Caesar Cipher
- Earliest known substitution cipher
- Replaces each letter by 3rd letter on
- Example
- meet me after the toga party
- PHHW PH DIWHU WKH WRJD SDUWB
30Caesar Cipher
- Define transformation as
- a b c d e f g h i j k l m n o p q r s t u v w x y
z - D E F G H I J K L M N O P Q R S T U V W X Y Z A B
C - Mathematically give each letter a number
- a b c d e f g h i j k l m
- 0 1 2 3 4 5 6 7 8 9 10 11 12
- n o p q r s t u v w x y Z
- 13 14 15 16 17 18 19 20 21 22 23 24 25
- Then have Caesar cipher as
- C E(p) (p k) mod (26)
- p D(C) (C k) mod (26)
31Cryptanalysis of Caesar Cipher
- Only have 25 possible ciphers
- A maps to B,..Z
- Given ciphertext, just try all shifts of letters
- Do need to recognize when have plaintext
- E.g., break ciphertext "GCUA VQ DTGCM
- How to make it harder?
32Monoalphabetic Cipher
- Rather than just shifting the alphabet
- Could shuffle (jumble) the letters arbitrarily
- Each plaintext letter maps to a different random
ciphertext letter - Key is 26 letters long
- Plain abcdefghijklmnopqrstuvwxyz
- Cipher DKVQFIBJWPESCXHTMYAUOLRGZN
- Plaintext ifwewishtoreplaceletters
- Ciphertext WIRFRWAJUHYFTSDVFSFUUFYA
33Monoalphabetic Cipher Security
- Now have a total of 26! 4 x 1026 keys
- Is that secure?
- Problem is language characteristics
- Human languages are redundant
- Letters are not equally commonly used
34English Letter Frequencies
Note that all human languages have varying letter
frequencies, though the number of letters and
their frequencies varies.
35Example Cryptanalysis
- Given ciphertext
- UZQSOVUOHXMOPVGPOZPEVSGZWSZOPFPESXUDBMETSXAIZ
- VUEPHZHMDZSHZOWSFPAPPDTSVPQUZWYMXUZUHSX
- EPYEPOPDZSZUFPOMBZWPFUPZHMDJUDTMOHMQ
- Count relative letter frequencies (see text)
- Guess P Z are e and t
- Guess ZW is th and hence ZWP is the
- Proceeding with trial and error finally get
- it was disclosed yesterday that several informal
but - direct contacts have been made with political
- representatives of the viet cong in moscow
36Transposition Ciphers
- Now consider classical transposition or
permutation ciphers - These hide the message by rearranging the letter
order, without altering the actual letters used - Any shortcut for breaking it?
- Can recognise these since have the same frequency
distribution as the original text
37Rail Fence Cipher
- Write message letters out diagonally over a
number of rows - Then read off cipher row by row
- E.g., write message out as
- m e m a t r h t g p r y
- e t e f e t e o a a t
- Giving ciphertext
- MEMATRHTGPRYETEFETEOAAT
38Product Ciphers
- Ciphers using substitutions or transpositions are
not secure because of language characteristics - Hence consider using several ciphers in
succession to make harder, but - Two substitutions make another substitution
- Two transpositions make a more complex
transposition - But a substitution followed by a transposition
makes a new much harder cipher - This is bridge from classical to modern ciphers
39Rotor Machines
- Before modern ciphers, rotor machines were most
common complex ciphers in use - Widely used in WW2
- German Enigma, Allied Hagelin, Japanese Purple
- Implemented a very complex, varying substitution
cipher
40Outline
- Overview of Cryptography
- Classical Symmetric Cipher
- Modern Symmetric Ciphers (DES/AES)
- Asymmetric Cipher
- One-way Hash Functions and Message Digest
41Block vs Stream Ciphers
- Block ciphers process messages in into blocks,
each of which is then en/decrypted - Like a substitution on very big characters
- 64-bits or more
- Stream ciphers process messages a bit or byte at
a time when en/decrypting - Many current ciphers are block ciphers, one of
the most widely used types of cryptographic
algorithms
42Block Cipher Principles
- Most symmetric block ciphers are based on a
Feistel Cipher Structure - Block ciphers look like an extremely large
substitution - Would need table of 264 entries for a 64-bit
block - Instead create from smaller building blocks
- Using idea of a product cipher
43Ideal Block Cipher
44Substitution-Permutation Ciphers
- Substitution-permutation (S-P) networks Shannon,
1949 - modern substitution-transposition product cipher
- These form the basis of modern block ciphers
- S-P networks are based on the two primitive
cryptographic operations - substitution (S-box)
- permutation (P-box)
- provide confusion and diffusion of message
45Feistel Cipher Structure
- Feistel cipher implements Shannons S-P network
concept - based on invertible product cipher
- Process through multiple rounds which
- partitions input block into two halves
- perform a substitution on left data half
- based on round function of right half subkey
- then have permutation swapping halves
46Feistel Cipher Structure
47Feistel Cipher Decryption
48DES (Data Encryption Standard)
- Published in 1977, standardized in 1979.
- Key 64 bit quantity8-bit parity56-bit key
- Every 8th bit is a parity bit.
- 64 bit input, 64 bit output.
64 bit M
64 bit C
DES Encryption
56 bits
49DES Top View
56-bit Key
64-bit Input
48-bit K1
Generate keys
Permutation
Initial Permutation
48-bit K1
Round 1
48-bit K2
Round 2
...
48-bit K16
Round 16
Swap 32-bit halves
Swap
Final Permutation
Permutation
64-bit Output
50DES Summary
- Simple, easy to implement
- Hardware/gigabits/second, software/megabits/second
- 56-bit key DES may be acceptable for non-critical
applications but triple DES (DES3) should be
secure for most applications today - Supports several operation modes (ECB CBC, OFB,
CFB) for different applications
51Avalanche Effect
- Key desirable property of encryption alg
- Where a change of one input or key bit results in
changing more than half output bits - DES exhibits strong avalanche
52Strength of DES Key Size
- 56-bit keys have 256 7.2 x 1016 values
- Brute force search looks hard
- Recent advances have shown is possible
- in 1997 on a huge cluster of computers over the
Internet in a few months - in 1998 on dedicated hardware called DES
cracker by EFF in a few days (220,000) - in 1999 above combined in 22hrs!
- Still must be able to recognize plaintext
- No big flaw for DES algorithms
53DES Replacement
- Triple-DES (3DES)
- 168-bit key, no brute force attacks
- Underlying encryption algorithm the same, no
effective analytic attacks - Drawbacks
- Performance no efficient software codes for
DES/3DES - Efficiency/security bigger block size desirable
- Advanced Encryption Standards (AES)
- US NIST issued call for ciphers in 1997
- Rijndael was selected as the AES in Oct-2000
54AES
- Private key symmetric block cipher
- 128-bit data, 128/192/256-bit keys
- Stronger faster than Triple-DES
- Provide full specification design details
- Evaluation criteria
- Security effort to practically cryptanalysis
- Cost computational efficiency and memory
requirement - Algorithm implementation characteristics
flexibility to apps, hardware/software
suitability, simplicity
55AES Shortlist
- After testing and evaluation, shortlist in
Aug-99 - MARS (IBM) - complex, fast, high security margin
- RC6 (USA) - v. simple, v. fast, low security
margin - Rijndael (Belgium) - clean, fast, good security
margin - Serpent (Euro) - slow, clean, v. high security
margin - Twofish (USA) - complex, v. fast, high security
margin - Then subject to further analysis comment
56Outlines
- Symmetric Cipher
- Classical Symmetric Cipher
- Modern Symmetric Ciphers (DES and AES)
- Asymmetric Cipher
- One-way Hash Functions and Message Digest
57Private-Key Cryptography
- Private/secret/single key cryptography uses one
key - Shared by both sender and receiver
- If this key is disclosed communications are
compromised - Also is symmetric, parties are equal
- Hence does not protect sender from receiver
forging a message claiming is sent by sender
58Public-Key Cryptography
- Probably most significant advance in the 3000
year history of cryptography - Uses two keys a public a private key
- Asymmetric since parties are not equal
- Uses clever application of number theoretic
concepts to function - Complements rather than replaces private key
crypto
59Public-Key Cryptography
- Public-key/two-key/asymmetric cryptography
involves the use of two keys - a public-key, which may be known by anybody, and
can be used to encrypt messages, and verify
signatures - a private-key, known only to the recipient, used
to decrypt messages, and sign (create) signatures - Asymmetric because
- those who encrypt messages or verify signatures
cannot decrypt messages or create signatures
60Public-Key Cryptography
61Public-Key Characteristics
- Public-Key algorithms rely on two keys with the
characteristics that it is - computationally infeasible to find decryption key
knowing only algorithm encryption key - computationally easy to en/decrypt messages when
the relevant (en/decrypt) key is known - either of the two related keys can be used for
encryption, with the other used for decryption
(in some schemes) - Analogy to delivery w/ a padlocked box
62Public-Key Cryptosystems
- Two major applications
- encryption/decryption (provide secrecy)
- digital signatures (provide authentication)
63RSA (Rivest, Shamir, Adleman)
- The most popular one.
- Support both public key encryption and digital
signature. - Assumption/theoretical basis
- Factoring a big number is hard.
- Variable key length (usually 512 bits).
- Variable plaintext block size.
- Plaintext must be smaller than the key.
- Ciphertext block size is the same as the key
length.
64What Is RSA?
- To generate key pair
- Pick large primes (gt 256 bits each) p and q
- Let n pq, keep your p and q to yourself!
- For public key, choose e that is relatively
prime to ø(n) (p-1)(q-1), let pub lte,ngt - For private key, find d that is the
multiplicative inverse of e mod ø(n), i.e., ed
1 mod ø(n), let priv ltd,ngt
65RSA Example
- Select primes p17 q11
- Compute n pq 1711187
- Compute ø(n)(p1)(q-1)1610160
- Select e gcd(e,160)1 choose e7
- Determine d de1 mod 160 and d lt 160 Value is
d23 since 237161 101601 - Publish public key KU7,187
- Keep secret private key KR23,17,11
66How Does RSA Work?
- Given pub lte, ngt and priv ltd, ngt
- encryption c me mod n, m lt n
- decryption m cd mod n
- signature s md mod n, m lt n
- verification m se mod n
- given message M 88 (nb. 88lt187)
- encryption
- C 887 mod 187 11
- decryption
- M 1123 mod 187 88
67Is RSA Secure?
- Factoring 512-bit number is very hard!
- But if you can factor big number n then given
public key lte,ngt, you can find d, hence the
private key by - Knowing factors p, q, such that, n pq
- Then ø(n) (p-1)(q-1)
- Then d such that ed 1 mod ø(n)
- Threat
- Moores law
- Refinement of factorizing algorithms
- For the near future, a key of 1024 or 2048 bits
needed
68Symmetric (DES) vs. Public Key (RSA)
- Exponentiation of RSA is expensive !
- AES and DES are much faster
- 100 times faster in software
- 1,000 to 10,000 times faster in hardware
- RSA often used in combination in AES and DES
- Pass the session key with RSA
69Outline
- History of Security and Definitions
- Overview of Cryptography
- Symmetric Cipher
- Classical Symmetric Cipher
- Modern Symmetric Ciphers (DES and AES)
- Asymmetric Cipher
- One-way Hash Functions and Message Digest
70Confidentiality gt Authenticity ?
- Symmetric cipher ?
- Shared key problem
- Plaintext has to be intelligible/understandable
- Asymmetric cipher?
- Too expensive
- Plaintext has to be intelligible/understandable
- Desirable to cipher on a much smaller size of
data which uniquely represents the long message
71Hash Functions
- Condenses arbitrary message to fixed size
- h H(M)
- Usually assume that the hash function is public
and not keyed - Hash used to detect changes to message
- Can use in various ways with message
- Most often to create a digital signature
72Hash Functions Digital Signatures
73Requirements for Hash Functions
- Can be applied to any sized message M
- Produces fixed-length output h
- Is easy to compute hH(M) for any message M
- Given h is infeasible to find x s.t. H(x)h
- One-way property
- Given x is infeasible to find y s.t. H(y)H(x)
- Weak collision resistance
- Is infeasible to find any x,y s.t. H(y)H(x)
- Strong collision resistance
74Birthday Problem
- How many people do you need so that the
probability of having two of them share the same
birthday is gt 50 ? - Random sample of n birthdays (input) taken from k
(365, output) - kn total number of possibilities
- (k)nk(k-1)(k-n1) possibilities without
duplicate birthday - Probability of no repetition
- p (k)n/kn ? 1 - n(n-1)/2k
- For k366, minimum n 23
- n(n-1)/2 pairs, each pair has a probability 1/k
of having the same output - n(n-1)/2k gt 50 ? ngtk1/2
75How Many Bits for Hash?
- m bits, takes 2m/2 to find two with the same hash
- 64 bits, takes 232 messages to search (doable)
- Need at least 128 bits
76Using Hash for Authentication
- Assuming share a key KAB
- Alice to Bob challenge rA
- Bob to Alice MD(KABrA)
- Bob to Alice rB
- Alice to Bob MD(KABrB)
- Only need to compare MD results
77General Structure of Secure Hash Code
- Iterative compression function
- Each f is collision-resistant, so is the
resulting hashing
78MD5 Message Digest Version 5
input Message
Output 128 bits Digest
- Until recently the most widely used hash
algorithm - in recent times have both brute-force
cryptanalytic concerns - Specified as Internet standard RFC1321
79MD5 Overview
80MD5 Overview
- Pad message so its length is 448 mod 512
- Append a 64-bit original length value to message
- Initialise 4-word (128-bit) MD buffer (A,B,C,D)
- Process message in 16-word (512-bit) blocks
- Using 4 rounds of 16 bit operations on message
block buffer - Add output to buffer input to form new buffer
value - Output hash value is the final buffer value
81Processing of Block mi - 4 Passes
mi
MDi
ABCDfF(ABCD,mi,T1..16)
A
C
D
B
ABCDfG(ABCD,mi,T17..32)
ABCDfH(ABCD,mi,T33..48)
ABCDfI(ABCD,mi,T49..64)
MD i1
82Secure Hash Algorithm
- Developed by NIST, specified in the Secure Hash
Standard (SHS, FIPS Pub 180), 1993 - SHA is specified as the hash algorithm in the
Digital Signature Standard (DSS), NIST
83General Logic
- Input message must be lt 264 bits
- not really a problem
- Message is processed in 512-bit blocks
sequentially - Message digest is 160 bits
- SHA design is similar to MD5, a little slower,
but a lot stronger
84SHA-1 verses MD5
- Brute force attack is harder (160 vs 128 bits for
MD5) - A little slower than MD5 (80 vs 64 steps)
- Both work well on a 32-bit architecture
- Both designed as simple and compact for
implementation - Cryptanalytic attacks
- MD4/5 vulnerability discovered since its design
- SHA-1 no until recent 2005 results raised
concerns on its use in future applications
85Revised Secure Hash Standard
- NIST have issued a revision FIPS 180-2 in 2002
- Adds 3 additional hash algorithms
- SHA-256, SHA-384, SHA-512
- Collectively called SHA-2
- Designed for compatibility with increased
security provided by the AES cipher - Structure detail are similar to SHA-1
- Hence analysis should be similar, but security
levels are rather higher
86Backup Slides
87Cryptanalysis Scheme
- Ciphertext only
- Exhaustive search until recognizable plaintext
- Need enough ciphertext
- Known plaintext
- Secret may be revealed (by spy, time), thus
ltciphertext, plaintextgt pair is obtained - Great for monoalphabetic ciphers
- Chosen plaintext
- Choose text, get encrypted
- Pick patterns to reveal the structure of the key
88One-Time Pad
- If a truly random key as long as the message is
used, the cipher will be secure - One-Time pad - E.g., a random sequence of 0s and 1s XORed to
plaintext, no repetition of keys - Unbreakable since ciphertext bears no statistical
relationship to the plaintext - For any plaintext, it needs a random key of the
same length - Hard to generate large amount of keys
- Have problem of safe distribution of key
89Confusion and Diffusion
- Cipher needs to completely obscure statistical
properties of original message - A one-time pad does this
- More practically Shannon suggested S-P networks
to obtain - Diffusion dissipates statistical structure of
plaintext over bulk of ciphertext - Confusion makes relationship between ciphertext
and key as complex as possible
90Bit Permutation (1-to-1)
1 2 3 4 32
.
0 0 1 0 1
Input
1 bit
..
Output
1 0 1 1 1
22 6 13 32 3
91Per-Round Key Generation
Initial Permutation of DES key
C i-1
D i-1
28 bits
28 bits
Circular Left Shift
Circular Left Shift
One round
Round 1,2,9,16 single shift Others two bits
Permutation with Discard
48 bits Ki
C i
D i
28 bits
28 bits
92A DES Round
32 bits Ln
32 bits Rn
E
One Round Encryption
48 bits
Mangler Function
48 bits Ki
S-Boxes
P
32 bits
32 bits Ln1
32 bits Rn1
93Mangler Function
The permutation produces spread among the
chunks/S-boxes!
94Bits Expansion (1-to-m)
1 2 3 4 5 32
.
Input
0 0 1 0 1 1
Output
..
1 0 0 1 0 1 0 1
1 0
1 2 3 4 5 6 7 8
48
95S-Box (Substitute and Shrink)
- 48 bits gt 32 bits. (86 gt 84)
- 2 bits used to select amongst 4 substitutions for
the rest of the 4-bit quantity
96S-Box Examples
Each row and column contain different numbers.
0 1 2 3 4 5
6 7 8 9. 15
0 14 4 13 1 2
15 11 8 3
1 0 15 7 4 14
2 13 1 10
2 4 1 14 8 13
6 2 11 15
3 15 12 8 2 4
9 1 7 5
Example input 100110 output ???
97Padding Twist
- Given original message M, add padding bits 10
such that resulting length is 64 bits less than a
multiple of 512 bits. - Append (original length in bits mod 264),
represented in 64 bits to the padded message - Final message is chopped 512 bits a block
98Why Does RSA Work?
- Given pub lte, ngt and priv ltd, ngt
- n pq, ø(n) (p-1)(q-1)
- ed 1 mod ø(n)
- xe?d x mod n
- encryption c me mod n
- decryption m cd mod n me?d mod n m mod n
m (since m lt n) - digital signature (similar)
99Using Hash to Encrypt
- One-time pad with KAB
- Compute bit streams using MD, and K
- b1MD(KAB), biMD(KABbi-1),
- ? with message blocks
- Is this a real one-time pad ?
- Add a random 64 bit number (aka IV)
b1MD(KABIV), biMD(KABbi-1),
100MD5 Process
- As many stages as the number of 512-bit blocks in
the final padded message - Digest 4 32-bit words MDABCD
- Every message block contains 16 32-bit words
m0m1m2m15 - Digest MD0 initialized to A01234567,B89abcdef,C
fedcba98, D76543210 - Every stage consists of 4 passes over the message
block, each modifying MD - Each block 4 rounds, each round 16 steps
101Different Passes...
- Each step i (1 lt i lt 64)
- Input
- mi a 32-bit word from the message
- With different shift every round
- Ti int(232 abs(sin(i)))
- Provided a randomized set of 32-bit patterns,
which eliminate any regularities in the input
data - ABCD current MD
- Output
- ABCD new MD
102MD5 Compression Function
- Each round has 16 steps of the form
- a b((ag(b,c,d)XkTi)ltltlts)
- a,b,c,d refer to the 4 words of the buffer, but
used in varying permutations - note this updates 1 word only of the buffer
- after 16 steps each word is updated 4 times
- where g(b,c,d) is a different nonlinear function
in each round (F,G,H,I)
103MD5 Compression Function
104Functions and Random Numbers
- F(x,y,z) (x?y)?(x ? z)
- selection function
- G(x,y,z) (x ? z) ?(y ? z)
- H(x,y,z) x?y? z
- I(x,y,z) y?(x ? z)
105Basic Steps for SHA-1
- Step1 Padding
- Step2 Appending length as 64 bit unsigned
- Step3 Initialize MD buffer 5 32-bit words
- Store in big endian format, most significant bit
in low address - ABCDE
- A 67452301
- B efcdab89
- C 98badcfe
- D 10325476
- E c3d2e1f0
106Basic Steps...
- Step 4 the 80-step processing of 512-bit blocks
4 rounds, 20 steps each. - Each step t (0 lt t lt 79)
- Input
- Wt a 32-bit word from the message
- Kt a constant.
- ABCDE current MD.
- Output
- ABCDE new MD.