Symmetric and Symmetric and Asymmetric CiphersAsymmetric Ciphers

Symmetric EncryptionSymmetric Encryption

or conventional / or conventional / private-keyprivate-key / single-key / single-key sender and recipient share a common keysender and recipient share a common key all classical encryption algorithms are all classical encryption algorithms are

private-keyprivate-key was only type prior to invention of public-was only type prior to invention of public-

key in 1970’skey in 1970’s and by far most widely usedand by far most widely used

Some Basic TerminologySome Basic Terminology

plaintextplaintext - original message - original message ciphertextciphertext - coded message - coded message ciphercipher - algorithm for transforming plaintext to ciphertext - algorithm for transforming plaintext to ciphertext keykey - info used in cipher known only to sender/receiver - info used in cipher known only to sender/receiver encipher (encrypt)encipher (encrypt) - converting plaintext to ciphertext - converting plaintext to ciphertext decipher (decrypt)decipher (decrypt) - recovering ciphertext from plaintext - recovering ciphertext from plaintext cryptographycryptography - study of encryption principles/methods - study of encryption principles/methods cryptanalysis (codebreaking)cryptanalysis (codebreaking) - study of principles/ - study of principles/

methods of deciphering ciphertext methods of deciphering ciphertext withoutwithout knowing key knowing key cryptologycryptology - field of both cryptography and cryptanalysis - field of both cryptography and cryptanalysis

Symmetric Cipher ModelSymmetric Cipher Model

RequirementsRequirements

two requirements for secure use of two requirements for secure use of symmetric encryption:symmetric encryption: a strong encryption algorithma strong encryption algorithm a secret key known only to sender / receivera secret key known only to sender / receiver

mathematically have:mathematically have:Y Y = E= EKK((XX))

X X = D= DKK((YY)) assume encryption algorithm is knownassume encryption algorithm is known implies a secure channel to distribute keyimplies a secure channel to distribute key

CryptographyCryptography

characterize cryptographic system by:characterize cryptographic system by: type of encryption operations usedtype of encryption operations used

• substitution / transposition / productsubstitution / transposition / product number of keys usednumber of keys used

• single-key or private / two-key or publicsingle-key or private / two-key or public way in which plaintext is processedway in which plaintext is processed

• block / streamblock / stream

CryptanalysisCryptanalysis

objective to recover key not just messageobjective to recover key not just message general approaches:general approaches:

cryptanalytic attackcryptanalytic attack brute-force attackbrute-force attack

More DefinitionsMore Definitions unconditional securityunconditional security

no matter how much computer power or time no matter how much computer power or time is available, the cipher cannot be broken is available, the cipher cannot be broken since the ciphertext provides insufficient since the ciphertext provides insufficient information to uniquely determine the information to uniquely determine the corresponding plaintext corresponding plaintext

computational securitycomputational security given limited computing resources (eg time given limited computing resources (eg time

needed for calculations is greater than age of needed for calculations is greater than age of universe), the cipher cannot be broken universe), the cipher cannot be broken

Brute Force SearchBrute Force Search

always possible to simply try every key always possible to simply try every key most basic attack, proportional to key size most basic attack, proportional to key size assume either know / recognise plaintextassume either know / recognise plaintext

Key Size (bits) Number of Alternative Keys

Time required at 1 decryption/µs

Time required at 106 decryptions/µs

32 232 = 4.3 109 231 µs = 35.8 minutes 2.15 milliseconds

56 256 = 7.2 1016 255 µs = 1142 years 10.01 hours

128 2128 = 3.4 1038 2127 µs = 5.4 1024 years 5.4 1018 years

168 2168 = 3.7 1050 2167 µs = 5.9 1036 years 5.9 1030 years

26 characters (permutation)

26! = 4 1026 2 1026 µs = 6.4 1012 years 6.4 106 years

Confidentiality using Symmetric Confidentiality using Symmetric EncryptionEncryption

traditionally symmetric encryption is used traditionally symmetric encryption is used to provide message confidentialityto provide message confidentiality

Placement of EncryptionPlacement of Encryption

have two major placement alternativeshave two major placement alternatives link encryptionlink encryption

encryption occurs independently on every linkencryption occurs independently on every link implies we must decrypt traffic between linksimplies we must decrypt traffic between links requires many devices, but paired keysrequires many devices, but paired keys

end-to-end encryptionend-to-end encryption encryption occurs between original source encryption occurs between original source

and final destinationand final destination needs devices at each end with shared keysneeds devices at each end with shared keys

Placement of EncryptionPlacement of Encryption

Placement of EncryptionPlacement of Encryption

when using end-to-end encryption must when using end-to-end encryption must leave headers in clearleave headers in clear so network can correctly route informationso network can correctly route information

hence although contents protected, traffic hence although contents protected, traffic pattern flows are notpattern flows are not

ideally want both at onceideally want both at once end-to-end protects data contents over entire end-to-end protects data contents over entire

path and provides authenticationpath and provides authentication link protects traffic flows from monitoringlink protects traffic flows from monitoring

Traffic AnalysisTraffic Analysis

is monitoring of communications flows is monitoring of communications flows between partiesbetween parties useful both in military & commercial spheresuseful both in military & commercial spheres can also be used to create a covert channelcan also be used to create a covert channel

link encryption obscures header detailslink encryption obscures header details but overall traffic volumes in networks and at but overall traffic volumes in networks and at

end-points is still visibleend-points is still visible traffic padding can further obscure flowstraffic padding can further obscure flows

but at cost of continuous trafficbut at cost of continuous traffic

Key DistributionKey Distribution

symmetric schemes require both parties to symmetric schemes require both parties to share a common secret keyshare a common secret key

issue is how to securely distribute this keyissue is how to securely distribute this key often secure system failure due to a break often secure system failure due to a break

in the key distribution scheme in the key distribution scheme

Key DistributionKey Distribution

given parties A and B have various given parties A and B have various key key distributiondistribution alternatives: alternatives:

1.1. A can select key and physically deliver to BA can select key and physically deliver to B

2.2. third party can select & deliver key to A & Bthird party can select & deliver key to A & B

3.3. if A & B have communicated previously can if A & B have communicated previously can use previous key to encrypt a new keyuse previous key to encrypt a new key

4.4. if A & B have secure communications with a if A & B have secure communications with a third party C, C can relay key between A & Bthird party C, C can relay key between A & B

Private-Key CryptographyPrivate-Key Cryptography

traditional traditional private/secret/single keyprivate/secret/single key cryptography uses cryptography uses oneone key key

shared by both sender and receiver shared by both sender and receiver if this key is disclosed communications are if this key is disclosed communications are

compromised compromised also is also is symmetricsymmetric, parties are equal , parties are equal hence does not protect sender from hence does not protect sender from

receiver forging a message & claiming is receiver forging a message & claiming is sent by sender sent by sender

Public-Key CryptographyPublic-Key Cryptography

probably most significant advance in the probably most significant advance in the 3000 year history of cryptography 3000 year history of cryptography

uses uses twotwo keys – a public & a private key keys – a public & a private key asymmetricasymmetric since parties are since parties are notnot equal equal uses clever application of number uses clever application of number

theoretic concepts to functiontheoretic concepts to function complements complements rather thanrather than replaces private replaces private

key cryptokey crypto

Why Public-Key Why Public-Key Cryptography?Cryptography?

developed to address two key issues:developed to address two key issues: key distributionkey distribution – how to have secure – how to have secure

communications in general without having to communications in general without having to trust a KDC with your keytrust a KDC with your key

digital signaturesdigital signatures – how to verify a message – how to verify a message comes intact from the claimed sendercomes intact from the claimed sender

public invention due to Whitfield Diffie & public invention due to Whitfield Diffie & Martin Hellman at Stanford Uni in 1976Martin Hellman at Stanford Uni in 1976 known earlier in classified communityknown earlier in classified community

Public-Key CryptographyPublic-Key Cryptography

public-key/two-key/asymmetricpublic-key/two-key/asymmetric cryptography cryptography involves the use of involves the use of twotwo keys: keys: a a public-keypublic-key, which may be known by anybody, and , which may be known by anybody, and

can be used to can be used to encrypt messagesencrypt messages, and , and verify verify signaturessignatures

a a private-keyprivate-key, known only to the recipient, used to , known only to the recipient, used to decrypt messagesdecrypt messages, and , and signsign (create) (create) signatures signatures

is is asymmetricasymmetric because because those who encrypt messages or verify signatures those who encrypt messages or verify signatures

cannotcannot decrypt messages or create signatures decrypt messages or create signatures

Public-Key CryptographyPublic-Key Cryptography

Public-Key CharacteristicsPublic-Key Characteristics

Public-Key algorithms rely on two keys where:Public-Key algorithms rely on two keys where: it is computationally infeasible to find decryption key it is computationally infeasible to find decryption key

knowing only algorithm & encryption keyknowing only algorithm & encryption key it is computationally easy to en/decrypt messages it is computationally easy to en/decrypt messages

when the relevant (en/decryption) key is knownwhen the relevant (en/decryption) key is known either of the two related keys can be used for either of the two related keys can be used for

encryption, with the other used for decryption (for encryption, with the other used for decryption (for some algorithms)some algorithms)

Public-Key CryptosystemsPublic-Key Cryptosystems

Public-Key ApplicationsPublic-Key Applications

can classify uses into 3 categories:can classify uses into 3 categories: encryption/decryptionencryption/decryption (provide secrecy) (provide secrecy) digital signaturesdigital signatures (provide authentication) (provide authentication) key exchangekey exchange (of session keys) (of session keys)

some algorithms are suitable for all uses, some algorithms are suitable for all uses, others are specific to oneothers are specific to one

Security of Public Key SchemesSecurity of Public Key Schemes like private key schemes brute force like private key schemes brute force exhaustive exhaustive

searchsearch attack is always theoretically possible attack is always theoretically possible but keys used are too large (>512bits) but keys used are too large (>512bits) security relies on a security relies on a large enoughlarge enough difference in difference in

difficulty between difficulty between easyeasy (en/decrypt) and (en/decrypt) and hardhard (cryptanalyse) problems(cryptanalyse) problems

more generally the more generally the hardhard problem is known, but problem is known, but is made hard enough to be impractical to break is made hard enough to be impractical to break

requires the use of requires the use of very large numbersvery large numbers hence is hence is slowslow compared to private key schemes compared to private key schemes

Message AuthenticationMessage Authentication

message authentication is concerned with: message authentication is concerned with: protecting the integrity of a message protecting the integrity of a message validating identity of originator validating identity of originator non-repudiation of origin (dispute resolution)non-repudiation of origin (dispute resolution)

will consider the security requirementswill consider the security requirements then three alternative functions used:then three alternative functions used:

message encryptionmessage encryption message authentication code (MAC)message authentication code (MAC) hash functionhash function

Message EncryptionMessage Encryption

message encryption by itself also provides message encryption by itself also provides a measure of authenticationa measure of authentication

if symmetric encryption is used then:if symmetric encryption is used then: receiver knows sender must have created it receiver knows sender must have created it

since only sender and receiver know key usedsince only sender and receiver know key used content cannot bee alteredcontent cannot bee altered if message has if message has suitable structure, redundancy suitable structure, redundancy

or a checksum to detect any changesor a checksum to detect any changes

Message EncryptionMessage Encryption

if public-key encryption is used:if public-key encryption is used: encryption provides no confidence of senderencryption provides no confidence of sender since anyone potentially knows public-keysince anyone potentially knows public-key however if however if

• sender sender signssigns message using their private-key, message using their private-key, then encrypts with recipients public key, we have then encrypts with recipients public key, we have both secrecy and authenticationboth secrecy and authentication

again need to recognize corrupted messagesagain need to recognize corrupted messages but at cost of two public-key uses on messagebut at cost of two public-key uses on message

Message Authentication Code Message Authentication Code (MAC)(MAC)

generated by an algorithm that creates a generated by an algorithm that creates a small fixed-sized blocksmall fixed-sized block depending on both message and some keydepending on both message and some key like encryption though need not be reversiblelike encryption though need not be reversible

appended to message as a appended to message as a signaturesignature receiver performs same computation on receiver performs same computation on

message and checks it matches the MACmessage and checks it matches the MAC provides assurance that message is provides assurance that message is

unaltered and comes from senderunaltered and comes from sender

Message Authentication CodeMessage Authentication Code

Message Authentication Message Authentication CodesCodes

as shown the MAC provides authenticationas shown the MAC provides authentication can also use encryption for secrecycan also use encryption for secrecy

generally uses separate keys for eachgenerally uses separate keys for each can compute MAC either before or after encryptioncan compute MAC either before or after encryption is generally regarded as better done beforeis generally regarded as better done before

why use a MAC?why use a MAC? sometimes only authentication is neededsometimes only authentication is needed sometimes we need authentication to persist longer sometimes we need authentication to persist longer

than the encryption (eg. archival use)than the encryption (eg. archival use) note that a MAC is not a digital signaturenote that a MAC is not a digital signature

Digital SignaturesDigital Signatures

have looked at have looked at message authentication message authentication but does not address issues of lack of trustbut does not address issues of lack of trust

digital signatures provide the ability to: digital signatures provide the ability to: verify author, date & time of signatureverify author, date & time of signature authenticate message contents authenticate message contents be verified by third parties to resolve disputesbe verified by third parties to resolve disputes

hence include authentication function with hence include authentication function with additional capabilitiesadditional capabilities

Digital Signature PropertiesDigital Signature Properties

must depend on the message signedmust depend on the message signed must use information unique to sendermust use information unique to sender

to prevent both forgery and denialto prevent both forgery and denial

must be relatively easy to producemust be relatively easy to produce must be relatively easy to recognize & verifymust be relatively easy to recognize & verify be computationally infeasible to forge be computationally infeasible to forge

with new message for existing digital signaturewith new message for existing digital signature with fraudulent digital signature for given messagewith fraudulent digital signature for given message

be practical save digital signature in storagebe practical save digital signature in storage

Direct Digital SignaturesDirect Digital Signatures

involve only sender & receiverinvolve only sender & receiver assumed receiver has sender’s public-keyassumed receiver has sender’s public-key digital signature made by sender signing digital signature made by sender signing

entire message or hash with private-keyentire message or hash with private-key can encrypt using receivers public-keycan encrypt using receivers public-key important that sign first then encrypt important that sign first then encrypt

message & signaturemessage & signature security depends on sender’s private-keysecurity depends on sender’s private-key

Arbitrated Digital SignaturesArbitrated Digital Signatures

involves use of arbiter Ainvolves use of arbiter A validates any signed messagevalidates any signed message then dated and sent to recipientthen dated and sent to recipient

requires suitable level of trust in arbiterrequires suitable level of trust in arbiter can be implemented with either private or can be implemented with either private or

public-key algorithmspublic-key algorithms arbiter may or may not see messagearbiter may or may not see message

Authentication ProtocolsAuthentication Protocols

used to convince parties of each others used to convince parties of each others identity and to exchange session keysidentity and to exchange session keys

may be one-way or mutualmay be one-way or mutual key issues arekey issues are

confidentiality – to protect session keysconfidentiality – to protect session keys timeliness – to prevent replay attackstimeliness – to prevent replay attacks

published protocols are often found to published protocols are often found to have flaws and need to be modifiedhave flaws and need to be modified