Professional Documents
Culture Documents
CHAPTER 2
Cryptographic Techniques
Faculty of Information & Communication Technology
Cryptography
Cryptology: This is the study of techniques for ensuring the
secrecy and/or authenticity of information. The two main
branches of cryptology are
o Cryptography: which is the study of the design of such
techniques; and
o Cryptanalysis: which deals with the defeating such
techniques, to recover information, or forging information
that will be accepted as authentic.
Systems Security
BIC3263
Security services
Security services: The assurance that the communicating entity
is the one that it claims to be.
The primary security services are divided into five categories,
although some of these services are interrelated.
-Confidentiality
-Integrity
-Non-repudiation
-Authentication
-Authorization /Access control
Privacy/Confidentiality: When a message is sent electronically,
the sender and receiver may desire that the message remain
confidential, and thus not be read by any other parties.
Systems Security
BIC3263
Security services
Integrity: The assurance that data received are exactly as sent by
an authorized entity (i.e., contain no modification, insertion, deletion,
or replay).
Nonrepudiation: Nonrepudiation prevents either sender or receiver
from denying a transmitted message. Thus, when a message is sent,
the receiver can prove that the alleged sender in fact sent the
message. Similarly, when a message is received, the sender can
prove that the alleged receiver in fact received the message.
Authentication: When an electronic message is received by a user
or a system, the identity of the sender need to be verified
(authenticated) in order to determine if the sender is who they claim
to be.
Access control: Limiting access to data and system only to
authorized users is the objective of access controls in order to gain
entry into the desired part of the system.
Systems Security
BIC3263
Security services
The five security services:
Security Issue
Security objective
Security Techniques
Confidentiality
Privacy of message
Encryption
Message Integrity
Deleting message
Tampering
Hashing (Digest)
Authentication
Origin verification
Digital signatures
Challenger response
Passwords
Biometric devices
Non-repudiation
Bi-directional hashing
Digital signatures
Transaction certificates
Time stamps
Confirmation services
Access
controls/Authorization
Firewalls
Passwords
Biometric devices
Systems Security
BIC3263
Systems Security
BIC3263
BIC3263
Systems Security
BIC3263
BIC3263
Symmetric encryption
Symmetric encryption implies that both parties to a
communication must first possess a copy of a single secret key,
as shown below. The most widely used algorithm in this
category was, until recently, the Data Encryption Standard
(DES).
Systems Security
BIC3263
10
Symmetric encryption
Systems Security
BIC3263
11
Symmetric encryption
Systems Security
BIC3263
12
Systems Security
BIC3263
13
BIC3263
14
Systems Security
BIC3263
15
Systems Security
BIC3263
16
Systems Security
BIC3263
17
Triple DES
Triple DES is a more secure alternative to DES and is appealing in
that it requires no new algorithms or hardware over and above
conventional
DES.
Figure below shows three 56-bit DES keys being used as input to
an
array of three DES chips (or software blocks).
The pattern used for the encryption step is encrypt-decrypt-encrypt
(EDE) with a DED pattern being used to reverse the process. Using
these combinations allows us to be backwardly compatible with the
single version of the DES algorithm.
In one variation of Triple DES, K1 is set to be equal to K3, giving a
112-bit key length. The latter mode is sometimes referred to as 2
key Triple DES ,as opposed to 3 key Triple DES when K1, K2, and K3
are distinct, yielding a total key length of 168 bits.
Systems Security
BIC3263
18
Triple DES
The Triple DES algorithm.
Its greatest appeal will be for the very large number of financial
institutions that have an installed base of equipment with DES hardware.
However, software implementations of Triple DES are slow in comparison,
as we have to compute three DES functions. Also, Triple DES uses the
same 64-bit block size as DES, which is considered to be weak.
Systems Security
BIC3263
19
BIC3263
20
Rijndael
Rijndael, had been selected as the proposed AES invented by
Vincent Rijmen and Joan Daeman
No patenting allowed
Round block cipher of similar structure to DES but faster, more
secure
Rijndael is a symmetric block cipher with variable key and block
sizes of 128, 192, and 256 bits.
However, since most of the cryptanalytic study during the
standards process focused on the 128-bit block size, this will be
the preferred block size included in the standard.
Rijndael has considerable speed improvements over DES in
both hardware and software implementations.
Systems Security
BIC3263
21
Rijndael
The cipher consists of between 10 or 14 rounds (Nr), depending
on the key length (Nk) and the block length (Nb). A plaintext
block X undergoes n rounds of operations to produce an output
block Y.
Each operation is based on the value of the nth round key.
The round keys are derived from the cipher key by first
expanding the key and then selecting parts of the expanded
key for each round.
Figure below shows an overview of the process.
Systems Security
BIC3263
22
Rijndael
Overall structure of Rijndael cipher.
Systems Security
BIC3263
23
BIC3263
24
RC5,RC6
The penultimate algorithm in the series is RC5 , which is a totally
parameterized system.
Among the items that may be changed are the block size, the key
length, and the number of rounds.
The basic algorithm is a block cipher, but stream versions are also
defined.
RC6 is the most recent block cipher designed by Ronald Rivest and
was among the five finalist candidate algorithms for the AES.
The main goal for the inventors was to meet the requirements for the
AES.
RC6 is based on RC5 and, like RC5, it is a parameterized algorithm in
which the block size, key size, and number of rounds are variable.
The upper limit to the key size for RC6 is 2,040 bits.
Systems Security
BIC3263
25
BIC3263
26
Systems Security
BIC3263
27
Systems Security
BIC3263
28
Systems Security
BIC3263
29
Systems Security
BIC3263
30
MD5 Algorithm
The MD5 algorithm is one of a series (including MD2 and
MD4) of
message digest algorithms developed by Ron Rivest.
It involves appending a length field to a message and padding it
up to a multiple of 512-bit blocks.
Each of these 512-bit blocks is then fed through a four-round
process involving rotation and a range of Boolean operations
producing a
chaining value that is input into the processing of the next 512-bit
block.
The hashed output is the 128-bit chaining value produced in
processing
the last block of the message.
Systems Security
BIC3263
31
Systems Security
BIC3263
32
Kerberos
Kerberos protocol, which provides message authentication and
confidentiality facilities for communicating parties and is used
as the basis for a number of payment systems.
It is based on the trusted third-party model presented by
Needham and Schroeder .
The Kerberos authentication service was developed at the
Massachusetts Institute of Technology (MIT) for Project Athena
and the following discussion is based on version 5 of the
protocol.
Kerberos allows a client to prove its identity to a third-party
server without sending any sensitive information across the
network and also encrypts the channel between the two.
Systems Security
BIC3263
33