Crypto

Confidentiality, Integrity &
Authentication
Confidentiality - Symmetric Key Encryption

Data Integrity – MD-5, SHA and HMAC
Public/Private Key mechanism - RSA
Digital Certificate
DH algorithm
CN8816: Network Security 1

1. Symmetric Key Algorithm
 Encryption
 Confidentiality - Keeping information out of the hands of
unauthorized users
 Technique: Data Encryption
Confidentiality, Integrity
and Authentication CN8816: Network Security 2
 Symmetric Key encryption

 encryption and decryption use the same key
 Data Encryption Standard (DES) - 1977
 Advanced Encryption Standard (AES) - 2001
Plain Text Encryption Cipertext Decryption Plain Text

P C P
Ks Ks
Same key
 Electronic Codebook (ECB) Mode

 The plain text is divided into a number blocks with fixed size
 DES – block size = 64 bits
 AES – block size = 128 bits
 Each block is encrypted and decrypted independently
Plain text with padding

B1 … Bn … BN
Ks En Ks En Ks En
C1 … Cn … CN
 DES Algorithm
 Data is divided into 64-bit blocks
 Basic operation:
KN+1
+ F( )
 Both encryption and decryption processes consist of 16 rounds
of basic operation
 Encryption and decryption have the same structure
Key Permutation Input

Key expansion
k1/k16
Basic Operation 1
…
k16/k1
…
Basic Operation 16
Left Right
Inverse Permutation Output

 DES3
 Cascading three DES blocks to support a longer key length
 Supports key lengths of 56, 112, and 168
key1 key2 key3
plaintext DES DES DES ciphertext

Encryp. Decryp. Encryp.
 Cipher block chaining (CBC) mode
Initial Vector
(IV)
 AES
 Use the concept of multiplicative inversion
-1
 P(x)*P (x) = 1
 Basic 8-bit multiplication operation:
8 4 3
 ( P(x) * Q(x) ) mod ( x +x +x +x+1)
8 4 3
 x +x +x +x+1 is an irreducible polynomial
 With the defined multiplication operation, all the 8-bit
numbers, except zero, have their own inverses

7 3 2
 Example: the inverse of x +x +x +1 is x, for
7 3 2 8 4 3
(x +x +x +1)*x mod ( x +x +x +x+1) = 1
 AES consists of N rounds of basic operation
 N= 10, 12, or 14 for the key size of 128, 192, or 256, respectively
k0
+ Input
Key expansion
k1
Key Basic Operation 1
…
…
K(N-1)
Basic Operation N-1
KN
Sub-byte and shift row Output
 AES
 Basic operation
 SubByte Processing
 From Pi,j , find Inv(Pi,j)
 Pi,j Inv(Pi,j ) Mod (x +x +x +x+1) = 1
8 4 3
 Inv(Pi,j) is then multiplied with a fixed 8x8 binary matrix and then
added with a fixed binary vector
Si,j = B1 Inv(Pi,j) + B2
c0 1 0 0 0 1 1 1 1 b0 1
c1 1 1 0 0 0 1 1 1 b1 1
c2 1 1 1 0 0 0 1 1 b2 0
c3 = 1 1 1 1 0 0 0 1 b3 + 0
c4 1 1 1 1 1 0 0 0 b4 0
c5 0 1 1 1 1 1 0 0 b5 1
c6 0 0 1 1 1 1 1 0 b6 1
c7 0 0 0 1 1 1 1 1 b7 0
 ShiftRow
R0 R1 R2 R3
S0,0 S0,1 S0,2 S0,3 S0,0 S0,1 S0,2 S0,3
S1,0 S1,1 S1,2 S1,3 S1,1 S1,2 S1,3 S1,0
S2,0 S2,1 S2,2 S2,3 S2,2 S2,3 S2,0 S2,1
S3,0 S3,1 S3,2 S3,3 S3,3 S3,0 S3,1 S3,2
R0 (x) = S3,3 x3 + S2,2 x2 + S1,1 x + S0,0

R1 (x) = S3,0 x3 + S2,3 x2 + S1,2 x + S0,1
R2 (x) = S3,1 x3 + S2,0 x2 + S1,3 x + S0,2
R3 (x) = S3,2 x3 + S2,1 x2 + S1,0 x + S0,3
 MaxColumns transform
 Zi = a(x) × Ri(x) (mod) x4 + 1
 a(x) = {03}x
3 + {01}x2 + {01}x + {02}
 Zi = A Ri
02 03 01 01
 A=
01 02 03 01
01 01 02 03
03 01 01 02
 The product of the multiplication of the two coefficients is still
limited to the finite field of 8 bits
 Applying modular operation with the modulus of
x8 + x4 + x3 + x + 1
 AddRoundKey Transformation
Round Key
Z0,0 Z0,1 Z0,2 Z0,3 K0,0 K0,1 K0,2 K0,3
Z1,0 Z1,1 Z1,2 Z1,3 K1,0 K1,1 K1,2 K1,3

Xor
Z2,0 Z2,1 Z2,2 Z2,3 K2,0 K2,1 K2,2 K2,3
Z3,0 Z3,1 Z3,2 Z3,3 K3,0 K3,1 K3,2 K3,3
E0,0 E0,1 E0,2 E0,3
E1,0 E1,1 E1,2 E1,3

Encrypted output
E2,0 E2,1 E2,2 E2,3
E3,0 E3,1 E3,2 E3,3

2. Data Integrity
 Message Digest
 The digest is the hash function of a message
 A small change of the message will completely change the
hash value
Data: 1001011010… Hash 01101110
Data: 1001010010… Hash 11011001
2. Data Integrity
 Hash algorithms
 MD-5: 512-bit block, 128-bit hash
 Secure Hash Algorithm (SHA)
 SHA-1: 512-bit block, 160-bit hash
2. Data Integrity
 SHA-512
 Message Padding
 The padding includes the padding and length fields
 The length field holds the value of the message length
 The padding field contains the bit pattern 100…00
Padding 128
Message 100…00 Length
Integer multiple of 1024-bit blocks
2. Data Integrity
 Processing overview
M1 M2 … Mi … MN
Expansion Expansion Expansion Expansion
W0…W79 W0…W79 W0…W79 W0…W79

a=H0(0)
… Hashing Hashing Hashing Hashing HASH
h=H7(0) H0(N)|| … ||H7(N)
a=H0(1) a=H0(i-1) a=H0(N-1)
… … …
h=H7(1) h=H7(i-1) h=H7(N-1)
2. Data Integrity
 Keyed Hashing for Message Authentication (HMAC)

 Provides data integrity between two security entities sharing
the secret key
 Keyed hash = Hash(K+opad, Hash(K+ipad, text))
 K = Concatenation(Key, (M-Key_size) of zeros)
 ipad = 00110110 (Ox36) repeated M times
 opad = 01011100 (Ox5C) repeated M times
 M = Hash function message block size (in bytes)
 The hash function can be either MD5 or SHA
3. Private/Public Key Mechanism
 Public/Private Key – RSA and ECC (Elliptic Curve

Cryptography)
 Consists of a private key and a public key pair
 Public key can be known by the public
 RSA algorithm:
 Select two large prime numbers, P and Q
 Select an odd number E such that E and (P-1)(Q-1) are relative
prime
 Find a number D, which is the multiplicative inverse of E, such
that
 DE modulo (P-1)(Q-1) = 1
 Public key = (E, PQ)
Private key = (D, PQ)
 Encrytion/Decryption:
E
 Cipher Text (C) = M mod PQ
D ED
 Origin Text (M) = C mod PQ = M mod PQ
 RSAES-OAEP algorithm
 Provides integrity check to counter the chosen cipher
attack
L Hash
hash padding Ox01 secret
seed MGF O
+
Public_key
O
+ MGF
cipher
Ox00 masked seed Masked Data Block Encryption
text
 Session Key Encryption Application

 Second message authenticates Bob
 Third message authenticates Alice
1. Eb(A, Na)
2. Ea(Na, Nb, Ks)

3. Ks(Nb)
Data encrypted with Ks
Eb = encryption using Bob’s public key

Ea = encryption using Alice’s public key
Ks = session key
 Digital Signature Application
 Private/public key pair and hash function
 A public key is used to verify the digital signature
 Example: PGP (Pretty Good Privacy)

6. verify the
1. signed with the 5. decrypted with signature using
sender’s private key the session key the sender’s
public key
2. encrypted with
the session key
3. encrypted with the

4. decrypted with the
recipient’s public key
recipient’s private key
4. Digital Certificate
 Digital Certificate provides a more scalable

authentication approach
 The certificate is issued and signed by the certificate authority
(CA)
Certificate
Verification of the
certificate
 Signing of the certificate
 Verification of the certificate
Equal?
 CA Hierarchical structure
 the root CA delegates the certification authority to the
intermediate CA
 Public Key Infrastructure (PKI)

 To enable secure, convenient, and efficient acquisition of public
keys using digital certificate
 PKI architecture model:
User
Cert/CRL retrieval
Cert/CRL Repository
End entity
Cert pub. registration
Regist. Auth. revocation
Cert/CRL pub.
CA
CRL pub. cross
CRL issuer certification
Management CA
5. DH Algorithm
 Diffie-Hellman Key Exchange

 Used to generate a common secret (symmetric) key
Alice generates a large Bob generates a large

random number x random number y
gx mod n
gy mod n
key = gxy mod n
5. DH Algorithm
 DH exchange is susceptible to the man-in-the-middle attack
 Peers must require authentication
ga mod n ga’ mod n

Alice Trudy Bob
gb mod n
gb’ mod n
gab’ mod n gab’ mod n

ga’b mod n ga’b mod n
Trudy can intercept the messages
exchanged between Alice and Bob

Crypto

Uploaded by

Copyright:

Available Formats

Crypto

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Crypto

Uploaded by

Copyright:

Available Formats

Confidentiality, Integrity &

Confidentiality - Symmetric Key Encryption

Public/Private Key mechanism - RSA

CN8816: Network Security 1

 Symmetric Key encryption

Plain Text Encryption Cipertext Decryption Plain Text

 Electronic Codebook (ECB) Mode

Plain text with padding

Key Permutation Input

Inverse Permutation Output

key1 key2 key3

plaintext DES DES DES ciphertext

 Cipher block chaining (CBC) mode

 With the defined multiplication operation, all the 8-bit

numbers, except zero, have their own inverses

S1,0 S1,1 S1,2 S1,3 S1,1 S1,2 S1,3 S1,0

S2,0 S2,1 S2,2 S2,3 S2,2 S2,3 S2,0 S2,1

S3,0 S3,1 S3,2 S3,3 S3,3 S3,0 S3,1 S3,2

R0 (x) = S3,3 x3 + S2,2 x2 + S1,1 x + S0,0

Z1,0 Z1,1 Z1,2 Z1,3 K1,0 K1,1 K1,2 K1,3

Z3,0 Z3,1 Z3,2 Z3,3 K3,0 K3,1 K3,2 K3,3

E0,0 E0,1 E0,2 E0,3

E1,0 E1,1 E1,2 E1,3

E3,0 E3,1 E3,2 E3,3

Data: 1001011010… Hash 01101110

Data: 1001010010… Hash 11011001

 The padding field contains the bit pattern 100…00

Integer multiple of 1024-bit blocks

Expansion Expansion Expansion Expansion

W0…W79 W0…W79 W0…W79 W0…W79

 Keyed Hashing for Message Authentication (HMAC)

 Public/Private Key – RSA and ECC (Elliptic Curve

hash padding Ox01 secret

 Session Key Encryption Application

2. Ea(Na, Nb, Ks)

Eb = encryption using Bob’s public key

 Example: PGP (Pretty Good Privacy)

3. encrypted with the

 Digital Certificate provides a more scalable

 Signing of the certificate

 Verification of the certificate

 Public Key Infrastructure (PKI)

 Diffie-Hellman Key Exchange

Alice generates a large Bob generates a large

key = gxy mod n

ga mod n ga’ mod n

gab’ mod n gab’ mod n

You might also like