Information Protection, Reliability

and Cryptography
Basics of Information Security
Professor dr.sc.ing. Viktor Gopejenko
Department of Computer Technologies and Natural Sciences
ISMA University of Applied Science, Riga, Latvia
 Lecture 2
Cryptographic Tools
 Learning Objectives

 The basic operations of symmetric block encryption algorithms

 Compare and contrast block encryption and stream encryption

 Secure hash function for message authentication

 The basic operations of asymmetric block encryption algorithms

 An overview of the digital signature mechanism and the concept

of digital envelopes

 The significance of random and pseudorandom numbers in

cryptography
 Detailed Content:

 Confidentiality with Symmetric Encryption

 Message Authentication and Hash Functions

 Public-Key Encryption

 Digital Signatures and Key Management

 Random and Pseudorandom Numbers

 Practical Application: Encryption of Stored Data

 Symmetric Encryption

 the universal technique for providing confidentiality for

transmitted or stored data

 also referred to as conventional encryption or single-key

encryption

 two requirements for secure use:

 need a strong encryption algorithm
 sender and receiver must have obtained copies
of the secret key in a secure fashion and must
keep the key secure
Simplified Model of Symmetric Encryption
 Attacking Symmetric
Encryption
Cryptanalytic Attacks Brute-Force Attack
 rely on:  try all possible keys on some
 nature of the algorithm ciphertext until an intelligible
 some knowledge of the translation into plaintext is
general characteristics of the obtained
plaintext  on average half of all possible
 some sample plaintext- keys must be tried to achieve
ciphertext pairs success
 exploits the characteristics of the
algorithm to attempt to deduce a
specific plaintext or the key being
used
 if successful all future and past
messages encrypted with that
key are compromised
Average Time Required for Exhaustive Key Search
Comparison of Three Popular Symmetric
Encryption Algorithms
Data Encryption Standard
(DES)
the most widely used encryption
scheme
• FIPS PUB 46
• referred to as the Data Encryption Algorithm
(DEA)
• uses 64 bit plaintext block and 56 bit key to
produce a 64 bit ciphertext block

strength concerns:
• concerns about algorithm
• DES is the most studied encryption algorithm in
existence
• use of 56-bit key
• Electronic Frontier Foundation (EFF) announced in
July 1998 that it had broken a DES encryption
Time to Break a Code (assuming 106 decryptions/ms) The graph
assumes that a symmetric encryption algorithm is attacked using
a brute-force approach of trying all possible keys
 Triple DES (3DES)
 repeats basic DES algorithm three times using either two or
three unique keys
 first standardized for use in financial applications in ANSI
standard X9.17 in 1985
 attractions:
 168-bit key length overcomes the vulnerability to brute-force
attack of DES
 underlying encryption algorithm is the same as in DES

 drawbacks:
 algorithm is sluggish in software
 uses a 64-bit block size
 Advanced Encryption Standard
(AES)
needed a NIST called for selected
replacement for proposals for a Rijndael in
3DES new AES in 1997 November 2001
should have a security
strength equal to or better
than 3DES

significantly improved
3DES was not efficiency
published as FIPS
reasonable for
197
long term use
symmetric block cipher

128 bit data and

128/192/256 bit keys
 Practical Security Issues

 typically symmetric encryption is applied to a unit of data

larger than a single 64-bit or 128-bit block

 electronic codebook (ECB) mode is the simplest approach

to multiple-block encryption
 each block of plaintext is encrypted using the same key
 cryptanalysts may be able to exploit regularities in the plaintext

 modes of operation
 alternative techniques developed to increase the security of
symmetric block encryption for large sequences
 overcomes the weaknesses of ECB
Block Cipher
Encryption

Stream
Encryption Types of Symmetric Encryption
 Block & Stream Ciphers
Block Cipher

• processes the input one block of elements at a time

• produces an output block for each input block
• can reuse keys
• more common

Stream Cipher
• processes the input elements continuously
• produces output one element at a time
• primary advantage is that they are almost always faster and use far
less code
• encrypts plaintext one byte at a time
• pseudorandom stream is one that is unpredictable without knowledge
of the input key
Message Authentication

protects against
active attacks

verifies received • contents have not been altered

message is • from authentic source
• timely and in correct sequence
authentic
can use
• only sender & receiver share a
conventional key
encryption
Message Authentication Codes

Message Authentication Using a Massage Authentication Code (MAC).

The MAC is a function of an input message and a secret key.
 Secure Hash
Functions

Block Diagram of Secure Hash Function; h = H(M)

 Message
Authentication
Using a
One-Way
Hash Function

Message Authentication Using a One-Way Hash Function.

The hash function maps a message into a relatively small, fixed-size block.
 Hash Function Requirements
 can be applied to a block of data of any size
 produces a fixed-length output
 H(x) is relatively easy to compute for any given x
 one-way or pre-image resistant
 computationally infeasible to find x such that H(x) = h

 second pre-image resistant or weak collision resistant

 computationally infeasible to find y ≠ x such that
H(y) = H(x)
 collision resistant or strong collision resistance
 computationally infeasible to find any pair (x, y) such that
H(x) = H(y)
 Security of Hash Functions
 there are two approaches to attacking a secure hash
function:
 cryptanalysis
 exploit logical weaknesses in the algorithm
 brute-force attack
 strength of hash function depends solely on the length of the hash code
produced by the algorithm

 SHA most widely used hash algorithm

 additional secure hash function applications:
 passwords
 hash of a password is stored by an operating system
 intrusion detection
 store H(F) for each file on a system and secure the hash values
 asymmetric
publicly • uses two
separate keys some form of
proposed by based on
• public key and protocol is
Diffie and mathematical private key needed for
Hellman in functions • public key is distribution
1976 made public
for others to
use
  plaintext
 readable message or
data that is fed into
the algorithm as
input
 encryption algorithm
 performs
transformations on
the plaintext
 public and private key
 pair of keys, one for
encryption, one for
decryption
 ciphertext
 scrambled message
***directed toward providing confidentiality produced as output
 decryption algorithm
 produces the original
plaintext
  user encrypts data
using his or her own
private key

 anyone who knows the

corresponding public
key will be able to
decrypt the message

***directed toward providing authentication

Applications for Public-Key Cryptosystems
 computationally easy
to create key pairs

computationally easy
useful if either key for sender knowing
can be used for each public key to encrypt
role messages

computationally
computationally easy
infeasible for
for receiver knowing
opponent to
private key to decrypt
otherwise recover
ciphertext
original message
computationally
infeasible for opponent
to determine private
key from public key
 RSA (Rivest, most widely accepted and
block cipher in which the
plaintext and ciphertext
Shamir, developed in 1977 implemented approach to
public-key encryption
are integers between 0 and
n-1 for some n.
Adleman)

Diffie-Hellman enables two users to

securely reach agreement
about a shared secret that limited to the exchange of
key exchange can be used as a secret key the keys
for subsequent symmetric
algorithm encryption of messages

Digital provides only a digital cannot be used for

Signature signature function with
SHA-1
encryption or key
exchange
Standard (DSS)

Elliptic curve
security like RSA, but with
cryptography much smaller keys

(ECC)
 Digital Signatures

 used for authenticating both source and data integrity

 created by encrypting hash code with private key

 does not provide confidentiality

 even in the case of complete encryption
 message is safe from alteration but not eavesdropping
Public-Key Certificate Use
 Digital
Envelopes
 protects a message
without needing to first
arrange for sender and
receiver to have the
same secret key

***equates to the same thing as

a sealed envelope
containing an unsigned
letter

Digital Envelopes
Random  keys for public-key
algorithms
Numbers  stream key for
symmetric stream
cipher
 symmetric key for use
as a temporary
session key or in
creating a digital
envelope
 handshaking to
Uses include prevent replay attacks
 session key
generation of:
Random Number Requirements
Randomness Unpredictability
 criteria:  each number is statistically
 uniform distribution independent of other numbers
 frequency of occurrence of in the sequence
each of the numbers  opponent should not be able
should be approximately
to predict future elements of
the same
the sequence on the basis of
 independence
earlier elements
 no one value in the
sequence can be inferred
from the others
Random versus Pseudorandom
 cryptographic applications typically make use of algorithmic
techniques for random number generation
 algorithms are deterministic and therefore produce sequences of
numbers that are not statistically random

 pseudorandom numbers are:

 sequences produced that satisfy statistical randomness tests
 likely to be predictable

 true random number generator (TRNG):

 uses a nondeterministic source to produce randomness
 most operate by measuring unpredictable natural processes
 e.g. radiation, gas discharge, leaky capacitors
 increasingly provided on modern processors
 Practical Application:
Encryption of Stored Data

common to encrypt transmitted data

much less common for stored data

there is often little protection
beyond domain
authentication and operating
system access controls
approaches to encrypt stored data:
data are archived for
indefinite periods
use a commercially
library based tape background laptop/PC
available encryption back-end appliance
encryption data encryption
even though erased, until package
disk sectors are reused data
are recoverable
 Summary
 symmetric encryption
 digital signatures
 conventional or single-key only type
used prior to public-key  hash code is encrypted with private
key
 five parts: plaintext, encryption
algorithm, secret key, ciphertext, and
decryption algorithm  digital envelopes
 two attacks: cryptanalysis and brute  protects a message without needing
force to first arrange for sender and
 most commonly used algorithms are receiver to have the same secret key
block ciphers (DES, triple DES, AES)
 random numbers
 hash functions  requirements: randomness and
 message authentication unpredictability
 creation of digital signatures  validation: uniform distribution,
independence
 pseudorandom numbers
 public-key encryption
 based on mathematical functions
 asymmetric
 six ingredients: plaintext, encryption
algorithm, public and private key,
ciphertext, and decryption algorithm