cse 331: introduction to networks and security fall 2001 instructor: carl a. gunter slide set 6
Introduction to Security
Goals: Availability, Integrity, Confidentiality
Targets: Hardware, Software, Data
Controls: Physical security, Limited interface, Identification and authorization, Encryption
Analysis of costs and benefits
Progress and Risk
Security-critical considerations: Credit card purchases on the web; Voting on the web; Banking on the web; Mobile agents and active networks
Safety and security considerations: Military systems, e.g. Star Wars; Actuators on public networks
Security Requirements
Banking
Government
Public Telecommunications Carriers
Corporate / Private Networks
Electronic Commerce
Banking
Electronic Funds Transfer (EFT): Prosecution of fraud problematic; Financial system overall at risk
Automated Teller Machine (ATM)
Automatic Teller Machines
Goals
Availability: Provide automated teller operations 24x7 in convenient locations
Integrity: Authorized users only, transactional guarantees
Confidentiality: Private communication with branches or center
Vulnerabilities and controls
Risk analysis and liabilities
Government
National security of course, but also “Unclassified but sensitive information” must not be disclosed. Example: social security web page
Electronic signatures approved for government contractors
Public Telecom Carriers
Operations, Administration, Maintenance, and Provisioning (OAM&P)
Customer network management complexities
Theft by hackers
Unauthorized eavesdropping
Availability is a key concern
Significant insider risks
Corporate Private Networks
Completely private networks are becoming a thing of the past because of telecommuting.
Protection of proprietary information of course, but also concerns like privacy in the health care industry.
Foreign government threat?
Electronic Commerce
Electronic Data Interchange (EDI)
Electronic contracts need to be binding
ABA Resolution: “recognize that information in electronic form, where appropriate, may be considered to satisfy legal requirements regarding a writing or signature to the same extent as information on paper or in other conventional forms, when appropriate security techniques, practices, and procedures have been adopted.”
Vera Buys a Lathe
Vera, owner of Vera’s Manufacturing, shops for a lathe on the internet using WWW.
She finds the desired product from Danielle’s Machine Makers and makes the order using a web form provided by Danielle’s.
Danielle’s confirms that the order really comes from Vera’s manufacturing.
Vera Pays for the Lathe
She sends her credit card number, suitably encrypted.
She sends an EDI payment order remittance advice transaction set instructing Vera’s bank to credit Danielle’s bank account.
She uses an online payment mechanism like a credit-card based payment protocol or electronic check.
The lathe is delivered through the usual distribution channels.
Inter-Corporate Trading
Danielle’s Machine Makers is a medium-sized company in Canada with long-established requirements for high-grade steel which it buys from Steelcorp.
Steelcorp aims to reduce costs of customer transactions by using secure messaging with its regular customers.
Origin and confidentiality of all correspondence must be ensured.
Nola’s Electronic Market
Nola is an entrepreneurial small businessperson who works from her home basement.
She buys items from suppliers willing to do business wholly electronically and sells them through a WWW storefront.
Effective marketing of the web page and very low overhead provide Nola’s competitive edge.
Legal Support
Mostly by analogy with other commerce rules, but there are challenges.
How to satisfy traditional legal requirements for reduction of agreements to signed writings.
How to apply rules of evidence. Interpreting, adapting, and complying with existing legal standards for electronic transactions.
Safety and Security
Many things in common and some major differences.
Some similarities aid understanding of both.
System vs. Environment. Accident, breach. Hazard, vulnerability.
Accident and Security Breach
Accident: Loss of life; Injury; Damage to property
Security Breach: Secret is revealed; Service is disabled; Data is altered; Messages are fabricated
Accident Definition
An accident is an undesired and unplanned (but not necessarily unexpected) event that results in (at least) a specified level of harm.
Define breach similarly. A security threat is a possible form of breach.
Hazards and Vulnerabilities
Hazard: No fire alarms; No fire extinguishers; Rags close to furnace
Vulnerability: Password too short; Secret sent in plaintext over public network; Files not write protected
Hazard Definition
A hazard is a state or set of conditions of a system that, together with other conditions in the environment of the system, will lead inevitably to an accident.
Define security vulnerability similarly.
Other Terms
Asset: object of value. Exposure: threat to an asset. Attack: effort by an agent to exploit a vulnerability and create a breach.
Threats to Hardware
Interruption: crash, performance degradation
Interception: theft
Modification: tapping
Fabrication: spoofed devices
Threats to Software Code
Interruption: deletion, reset protection
Interception: theft
Modification: Trojan horse, logic bomb, virus, back door, information leak
Fabrication: spoofing software distribution on the web
Threats to Software Processes
Interruption: bad inputs
Interception: attacks on agents
Modification: of exploited data
Fabrication: service spoofing (man-in-the-middle)
Threats to Data
Interruption: deletion, perceived integrity violation
Interception: eavesdropping, snooping memory
Modification: alteration of important information
Fabrication: spoofing web pages
Principles of Security
Easiest Penetration: An intruder must be expected to use any available means of penetration.
Adequate Protection: Computer items must be protected only until they lose their value. They must be protected to a degree consistent with their value.
Effectiveness: Controls must be used to be effective. They must be efficient, easy to use, and appropriate.
Breakdown of S/W Controls
Program controls as exercised by the programmer as dictated by the programming language or programming environment
Operating system controls
Development process controls
Basic Encryption
Monoalphabetic substitution ciphers
Polyalphabetic substitution ciphers
Transposition ciphers
Other hiding techniques
Stream versus block ciphers
What Can O Do to a Message?
Block it (availability)
Intercept it (confidentiality)
Modify it (integrity)
Fabricate another (integrity)
Terminology
Encryption / Decryption
Encode / Decode
Plaintext / Ciphertext
Cryptography: hidden writing. Cryptanalysis: uncovering what is hidden.
Keyless Encryption
C = E(P) and P = D(C); P = D(E(P)). Transmit E(P); receiver applies D.
Select D and E so that:
Without knowing D or E it is hard to discover P from E(P).
It is feasible to know and apply D and E.
Caesar Cipher (Original)
E(p) = p + 3 (mod 26)
D(p) = p - 3 (mod 26)
Easy to recall and calculate D and E. Create a table:
T R E A T Y I M P O S S I B L E
w u h d w b l p s r v v l e o h
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
d e f g h i j k l m n o p q r s t u v w x y z a b c
Encryption Strategy: Confusion
The Caesar cipher confuses the letters of the alphabet, causing the result to look like gibberish.
As we applied it in the previous example, a space is interpreted as a space, providing no confusion.
Note: changing one letter of plaintext changes exactly one letter of ciphertext.
Algorithm vs. Key
Moreover: It is hard to keep D and E secret if they are much used, and cryptanalysis is possible.
To address the first of these problems assume: algorithm is known, but key is not known.
Encryption with a Key
Symmetric key: C = E(K, P), P = D(K, C), P = D(K, E(K, P))
Asymmetric key: C = E(Kpublic, P), P = D(Kprivate, C), P = D(Kprivate, E(Kpublic, P))
Permutation
Generalize Caesar cipher to allow other ways to permute the alphabet.
What is now called a Caesar cipher is any choice of an offset: () = (n + ) (mod 26). The number n is the key.
Generalize further: use any permutation as a key.
To encode, apply the key to each letter.
To decode, apply the inverse of the key to each letter.
Sample Permutations
Example: a passphrase like “this is a long key” can be a key.
Example: take every third letter.
() = (3 * ) (mod 26)
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
t h i s a l o n g k e y b c d f j m p q r u v w x z
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
a d g j m p s v y b e h k n q t w z c f i l o r u x
Cryptanalysis of Monoalphabetic Ciphers
There are 26! permutation keys, so it is not feasible to try all possible keys.
Mapping a space to itself is a big clue: try to guess short words.
Look for common English repeated letters like a “ss” or “oo”
Exploit frequency information
wklv phvvdjh lv qrw wrr kdug wr euhdn
T--- ------- -- -OT TOO ---- TO -----
Sample Ciphertext
hqfubswlrq lv d phdqv rl dwwdlqlqj vhfxuh frpsxwdwlrq ryhu lqvhfxuh fkdqqhov eb xvlqj hqfubswlrq zh glvjxlvh wkh phvvdjh vr wkdw hyhq li wkh wudqvplvvlrq lv glyhuwhg wkh phvvdjh zloo qrw eh uhyhdohg
Caesar Cipher Example
hqfubswlrq lv d phdqv rl dwwdlqlqj vhfxuh frpsxwdwlrq ryhu lqvhfxuh fkdqqhov eb xvlqj hqfubswlrq zh glvjxlvh wkh phvvdjh vr wkdw hyhq li wkh wudqvplvvlrq lv glyhuwhg wkh phvvdjh zloo qrw eh uhyhdohg
ENCRYPTION IS A MEANS OF ATTAINING SECURE COMMUNICATION OVER INSECURE CHANNELS BY USING ENCRYPTION WE DISGUISE THE MESSAGE SO THAT EVEN IF THE TRANSMISSION IS DIVERTED THE MESSAGE WILL NOT BE REVEALED
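Added example in Python, not code from the slides: monoalphabetic substitution treated as a permutation of the alphabet. It covers the Caesar shift (key n = 3), the passphrase key “this is a long key” from the Sample Permutations slide, and the letter-frequency count with which cryptanalysis of such ciphers begins. The sample ciphertext is the one on the slide above; everything else is constructed here.

```python
# Added example, not code from the slides: monoalphabetic substitution as a
# permutation of the alphabet. Covers the Caesar shift (key n = 3 on the slides),
# the passphrase key "this is a long key" from the Sample Permutations slide, and
# the letter-frequency count that cryptanalysis of such ciphers begins with.
from collections import Counter
import string

ALPHABET = string.ascii_lowercase


def caesar_key(n):
    """Permutation for a Caesar shift of n: letter i maps to letter (i + n) mod 26."""
    n %= 26
    return ALPHABET[n:] + ALPHABET[:n]


def passphrase_key(phrase):
    """Permutation from a passphrase: its letters in order of first appearance,
    followed by the unused letters of the alphabet in alphabetical order."""
    seen = []
    for ch in phrase.lower():
        if ch in ALPHABET and ch not in seen:
            seen.append(ch)
    rest = [ch for ch in ALPHABET if ch not in seen]
    return "".join(seen + rest)


def encrypt(plaintext, key):
    """Apply the permutation letter by letter. Spaces and punctuation pass
    through unchanged, which is the clue the Confusion slide warns about."""
    return plaintext.lower().translate(str.maketrans(ALPHABET, key))


def decrypt(ciphertext, key):
    """Apply the inverse permutation letter by letter."""
    return ciphertext.lower().translate(str.maketrans(key, ALPHABET))


def letter_frequencies(text):
    """Count letters only. The most frequent ciphertext letters are the first
    candidates for the most frequent English letters (e, t, a, o, ...)."""
    return Counter(ch for ch in text.lower() if ch in ALPHABET)


# The Sample Ciphertext slide (Caesar shift 3), copied from the page.
SAMPLE = ("hqfubswlrq lv d phdqv rl dwwdlqlqj vhfxuh frpsxwdwlrq ryhu lqvhfxuh "
          "fkdqqhov eb xvlqj hqfubswlrq zh glvjxlvh wkh phvvdjh vr wkdw hyhq li "
          "wkh wudqvplvvlrq lv glyhuwhg wkh phvvdjh zloo qrw eh uhyhdohg")

if __name__ == "__main__":
    print(encrypt("treaty impossible", caesar_key(3)))
    print(passphrase_key("this is a long key"))
    print(decrypt(SAMPLE, caesar_key(3)))
    print(letter_frequencies(SAMPLE).most_common(5))
```

Decrypting the sample shows the most frequent ciphertext letter is “h”, the image of “e”, exactly the handle frequency analysis uses; note also that the ciphertext on the slide reads “computation” and “rl” where the slide’s plaintext line reads “communication” and “of”.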
Polyalphabetic Cipher
To beat frequency analysis we need to break the connection between frequently occurring ciphertext letters and frequently occurring plaintext letters.
This could be done by varying the translation of letters.
Consider using one translation for letters in even positions and a different one for letters in odd positions.
Two Table Cipher
First Table
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
a d g j n o s v y b e h k n q t w z c f i l o r u x
Second Table
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
n s x c h m r w b g l q v a f k p u z e j o t y d i
Example Translation
TREAT YIMPO SSIBL E
fumnf dyvtv czysh h
Vigenere Tableaux
The distribution can be further flattened by picking complementary permutations.
Another approach: use more tables. A Vigenere tableau is a collection of 26 permutations.
Sample Encryption Using a Vigenere Tableau
Encrypt: but soft, what light through yonder window breaks? using keyword juliet
julie tjuli etjul ietju lietj uliet julie tjuli e
BUTSO FTWHA TLIGH TTHRO UGHYO NDERW INDOW BREAK S
koeas ycqsi ...
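Added example in Python, not code from the slides: Vigenere encryption with a repeating keyword, where each keyword letter selects one row of the tableau (one Caesar alphabet). It reproduces the “juliet” example above and shows the one-time-pad case of the next slide: the same rule with a random key at least as long as the message. The keyword handling (letters only, lowercase) is an assumption made here to match the slide’s layout.

```python
# Added example, not code from the slides: Vigenere encryption with a repeating
# keyword. Each keyword letter selects one row of the tableau (one Caesar
# alphabet); with "juliet" this reproduces the slide's "koeas ycqsi ...".
import secrets
import string

ALPHABET = string.ascii_lowercase


def letters_only(text):
    """Drop spaces and punctuation, as the slide does before encrypting."""
    return "".join(ch for ch in text.lower() if ch in ALPHABET)


def vigenere(text, keyword, decrypt=False):
    """Shift the i-th letter by the (i mod len(keyword))-th keyword letter;
    subtract instead of add to decrypt. text must already be letters only."""
    out = []
    for i, ch in enumerate(text):
        shift = ALPHABET.index(keyword[i % len(keyword)])
        if decrypt:
            shift = -shift
        out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
    return "".join(out)


def key_row(text, keyword):
    """The keyword written out under the message, the slide's top line."""
    return "".join(keyword[i % len(keyword)] for i in range(len(text)))


def grouped(text, size=5):
    """Groups of five, as the slide prints plaintext and ciphertext."""
    return " ".join(text[i:i + size] for i in range(0, len(text), size))


def one_time_pad_key(length):
    """A random key as long as the message, drawn from a CSPRNG and never
    reused: with such a key the same vigenere() rule is the one-time pad."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    plain = letters_only("but soft, what light through yonder window breaks?")
    print(grouped(key_row(plain, "juliet")))
    print(grouped(plain.upper()))
    print(grouped(vigenere(plain, "juliet")))        # koeas ycqsi ...
    pad = one_time_pad_key(len(plain))
    print(grouped(vigenere(plain, pad)))
```

With a six-letter keyword every sixth letter is enciphered with the same Caesar alphabet, so frequency analysis works again on each of the six subsequences; the pad key removes that structure because no alphabet is reused.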
One-Time Pad
Using a Vigenere tableau with more keys than letters in the message would defeat the techniques we have discussed.
Indeed, this is an unbreakable code. Its disadvantage is the long keys required.
History of the One Time Pad
G. Vernam patented an idea for telegraph encryption in 1919. This was based on punched tape from a teletype. 32 alphabets were used in no regular pattern.
W. Kunze, R. Schauffler, and E. Langlotz developed an approach to German diplomatic correspondence circa 1921-1923 from which the name “one time pad” derives.
Pads of 50 numbered sheets were used, with 48 five-digit groups on each. No sheets were used twice; they were destroyed after use.
Long Random Sequences
Middle digits from numbers in a phone book
Book of prose? Danger: frequency analysis possible!
Pseudo-random number generators
Linear congruential random number generator: seed r(0), constants a, b, n; r(i+1) = (a * r(i) + b) mod n
Probable word attack: solve a family of equations
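Added example in Python, not code from the slides: a linear congruential generator used as a keystream, and the probable-word attack the slide names. Three known plaintext bytes expose three consecutive outputs r(1), r(2), r(3), and the two congruences r(2) = a*r(1) + b and r(3) = a*r(2) + b determine a and b whenever r(2) - r(1) is invertible mod n. The seed, constants and message are constructed for illustration; the point is that an LCG cannot serve as a cipher keystream.

```python
# Added example, not code from the slides: a linear congruential generator used
# as a keystream (plaintext XOR generator output), and the probable-word attack
# the slide mentions: three known plaintext bytes give three consecutive outputs,
# which fix a and b by solving two linear congruences. Seed and constants below
# are constructed for illustration.


def lcg_outputs(seed, a, b, n, count):
    """r(i+1) = (a*r(i) + b) mod n; return r(1), ..., r(count)."""
    out, r = [], seed
    for _ in range(count):
        r = (a * r + b) % n
        out.append(r)
    return out


def stream_xor(data, seed, a, b, n=256):
    """XOR each byte with the next generator output (n = 256 keeps outputs in a
    byte). XOR is its own inverse, so the same call decrypts."""
    return bytes(x ^ k for x, k in zip(data, lcg_outputs(seed, a, b, n, len(data))))


def recover_constants(r1, r2, r3, n):
    """From r2 = a*r1 + b and r3 = a*r2 + b (mod n): subtracting gives
    a*(r2 - r1) = r3 - r2 (mod n), solvable when r2 - r1 has an inverse mod n.
    Returns (a, b), or None when it does not (e.g. even difference, even n)."""
    diff = (r2 - r1) % n
    try:
        inv = pow(diff, -1, n)       # modular inverse; ValueError if none
    except ValueError:
        return None
    a = (r3 - r2) * inv % n
    b = (r2 - a * r1) % n
    return a, b


def recover_plaintext(ciphertext, known_prefix, n=256):
    """Probable-word attack: known_prefix is plaintext the analyst can guess
    (a header, a greeting). Its first three bytes expose r(1..3), from which the
    rest of the keystream is regenerated. Returns None if a, b cannot be solved."""
    if len(known_prefix) < 3:
        raise ValueError("need at least three known plaintext bytes")
    r = [c ^ p for c, p in zip(ciphertext[:3], known_prefix[:3])]
    consts = recover_constants(r[0], r[1], r[2], n)
    if consts is None:
        return None
    a, b = consts
    stream = r + lcg_outputs(r[2], a, b, n, len(ciphertext) - 3)
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


if __name__ == "__main__":
    ct = stream_xor(b"the lathe ships friday", seed=42, a=21, b=11)
    print(ct.hex())
    print(recover_plaintext(ct, b"the"))     # b'the lathe ships friday'
```

The modulus is assumed known here (a fixed byte-sized n); when the difference is not invertible the function returns None rather than guessing, and a second pair of outputs would be needed.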
Transpositions (Permutations)
The order of the letters can be altered.
Columnar transposition example
Memory issues.
SMALL EXAMPLE
S M A
L L E
X A M
P L E
slxpm lalae me
Larger Example
THIS IS A MESSAGE TO SHOW HOW A COLUMNAR TRANSPOSITION WORKS
This is encoded using 5 columns and 10 rows.
T H I S I
S A M E S
S A G E T
O S H O W
H O W A C
O L U M N
A R T R A
N S P O S
I T I O N
W O R K S
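Added example in Python, not code from the slides: columnar transposition with a fixed number of columns, reproducing the 3-column SMALL EXAMPLE and the 5-column larger example above, together with the decryption the slides leave implicit (the first len mod columns columns are one letter longer than the rest).

```python
# Added example, not code from the slides: columnar transposition with a fixed
# number of columns, reproducing the 3-column SMALL EXAMPLE and the 5-column
# "THIS IS A MESSAGE ..." example, plus the matching decryption.


def columnar_encrypt(plaintext, columns):
    """Write the letters row by row into `columns` columns, read them out
    column by column. Only letters are kept, as on the slides."""
    letters = "".join(ch for ch in plaintext.upper() if ch.isalpha())
    rows = [letters[i:i + columns] for i in range(0, len(letters), columns)]
    # a short final row simply contributes to the first few columns only
    return "".join(row[c] for c in range(columns) for row in rows if c < len(row))


def columnar_decrypt(ciphertext, columns):
    """Undo the read-out: the first (len mod columns) columns are one letter
    longer than the rest; cut the ciphertext into columns of those lengths and
    read across the rows."""
    full, extra = divmod(len(ciphertext), columns)
    lengths = [full + (1 if c < extra else 0) for c in range(columns)]
    cols, pos = [], 0
    for length in lengths:
        cols.append(ciphertext[pos:pos + length])
        pos += length
    num_rows = full + (1 if extra else 0)
    return "".join(cols[c][r] for r in range(num_rows) for c in range(columns)
                   if r < lengths[c])


def grouped(text, size=5):
    """Groups of five, as the slides print ciphertext."""
    return " ".join(text[i:i + size] for i in range(0, len(text), size))


SMALL = "SMALL EXAMPLE"
LARGE = "THIS IS A MESSAGE TO SHOW HOW A COLUMNAR TRANSPOSITION WORKS"

if __name__ == "__main__":
    print(grouped(columnar_encrypt(SMALL, 3).lower()))   # slxpm lalae me
    print(grouped(columnar_encrypt(LARGE, 5)))
    print(columnar_decrypt(columnar_encrypt(LARGE, 5), 5))
```

The “memory issues” bullet is visible in the code: the whole message must be held before the first ciphertext letter can be produced, which is why the later slides file columnar transposition under block rather than stream ciphers.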
Other Encryption Ideas
Open code. Steganography. Fractionated Morse Code. Foreign languages.
1918 eight Choctaws in Company D, 141st Infantry.
50,000 Navaho speakers in WWII. Only 18 non-Navahos could speak it.
Stream and Block Ciphers
Stream ciphers convert one symbol of plaintext immediately into a symbol of ciphertext. Examples: polyalphabetic substitution ciphers and Fractionated Morse, but not columnar transposition.
Advantages and Disadvantages
Advantages: Speed; Low error propagation
Disadvantages: Low diffusion; Susceptibility to attacks on integrity
Block Ciphers
Block ciphers encrypt a group of plaintext symbols as one block. Columnar transposition is an example.
Advantages and Disadvantages
Advantages: Diffusion; Immunity to insertions
Disadvantages: Slowness; Error propagation
Confusion and Diffusion
Confusion: difficulty in determining how a change in the plaintext will affect the ciphertext.
Diffusion: spreading of the effect of a change in the plaintext to many parts of the ciphertext.
Attacks on Encryption
Ciphertext only
Known (or probable) plaintext
Chosen plaintext: chosen sample of encrypted plaintext
Adaptive chosen plaintext: ability to gain new chosen samples of encrypted plaintext based on existing samples
Chosen or adaptive chosen ciphertext: temporary access to decryption
Encryption with a Key (Revision)
Symmetric key: C = E(K, P), P = D(K, C), P = D(K, E(K, P))
Asymmetric key: C = E(Kpublic, P), P = D(Kprivate, C), P = D(Kprivate, E(Kpublic, P))
Definitions
Trusted Third Party (TTP)
Unconditionally trusted: TTP must be trusted completely
Functionally trusted: TTP must be trusted for availability and integrity.
Advantages of Symmetric
Efficient encryption
Relatively short keys
Useful as primitives for various functions (pseudorandom number generators, hash functions, etc.)
Good composition properties
Extensive history
Disadvantages of Symmetric
Key must remain secret at both ends.
Many key pairs must be managed in a large network. May require unconditionally trusted TTP.
Keys must be changed frequently.
Large keys or TTP required for public verification function of digital signatures.
Advantages of Asymmetric
Only the private key must be kept secret.
Key management requires only a functionally trusted TTP.
Long-lived keys.
Efficient digital signatures with relatively small keys for public verification function.
Disadvantage of Asymmetric
Lower throughput for encryption.
Large key sizes.
Security based on presumed complexity of a small collection of number-theoretic problems.
Limited history.
Roundup Comparison
Asymmetric (public) key cryptography facilitates efficient digital signatures and key management.
Symmetric (shared secret) key cryptography provides efficient encryption.
Modern Cryptography
Diffie Hellman
RSA
Hash algorithms
DES
Clipper key escrow
Modes of operation
Digital signatures
Public Key Cryptography
Some number theory. Diffie-Hellman key exchange. Some more number theory. RSA public keys.
Establishing a Shared Secret
Suppose Alice has an authenticated channel for communicating with Bob.
Alice and Bob wish to use this channel to establish a shared secret.
However, Eve is able to learn everything sent over the channel.
If Alice and Bob have no other channel to use, can they establish a shared secret that Eve does not know?
General Strategy
Alice and Bob exchange information, each keeping a secret to themselves.
The secrets that they keep allow them to compute a shared secret.
Since Eve lacks either of these secrets she is unable to compute the shared secret.
Some Number Theory
Non-negative numbers: 0,1,2,3,… (Whole) numbers: 1,2,3,…
Division Algorithm: For any numbers a,b, there are unique numbers q,r such that 0<=r<b and a = q*b+r.
Write a mod b for r. Write a ≡ b (mod c) if a mod c = b mod c.
Some More Number Theory
Write a|b if there is a number k such that a*k = b. This is the same as saying a 0 (mod b).
A number p is prime if it is neither 0 nor 1 and is divisible only by 1 and itself.
Notation for exponential: 2**5=32. Modular exponentiation: 3**3 ≡ 2 (mod 5).
Primitive Roots
A primitive root of a prime p is a number such that {**1 mod p, …, **(p-1) mod p} = {1, …, p-1}.
Example: 2 is not a primitive root of 7, but 3 is a primitive root of 7.
Diffie-Hellman Key Exchange
Alice and Bob agree on a shared basis.
Alice selects a private key XA < q and calculates a public key YA from it using q and .
Bob does the same to get XB and YB. Alice and Bob exchange their public keys (which are now known to Eve), but keep their private keys.
Diffie-Hellman, continued
Alice knows XA, YA, and YB. Bob knows XB, YB, and YA. Eve knows YA and YB.
Alice combines XA with YB to get S, the shared secret.
Bob combines XB with YA to get S, the (same) shared secret.
Eve tries to get S from YA and YB, but gives up in disgust.
What Must Alice and Bob Do?
Select and share the public information: Select a prime number q and a primitive root of this prime.
Compute the private and public keys.
Alice chooses XA < q at random and takes YA to be **XA mod q.
Bob chooses XB < q at random and takes YB to be **XB mod q.
They use their respective information to calculate the shared secret: YB**XA ≡ S ≡ YA**XB (mod q).
Realization of the Approach
What must not be possible: use the public information and public keys to compute the shared secret.
Strategy: calculations by Alice and Bob involve modular exponentiation. The obvious calculation by Eve involves discrete logarithms.
Example
Alice and Bob agree that q=71 and =7.
Alice selects a private key XA=5 and calculates a public key YA ≡ 7**5 ≡ 51 (mod 71). She sends this to Bob.
Bob selects a private key XB=12 and calculates a public key YB ≡ 7**12 ≡ 4 (mod 71). He sends this to Alice.
Alice calculates the shared secret S ≡ YB**XA ≡ 4**5 ≡ 30 (mod 71).
Bob calculates the shared secret S ≡ YA**XB ≡ 51**12 ≡ 30 (mod 71).
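Added example in Python, not code from the slides: the Diffie-Hellman exchange of the preceding slides, with the primitive-root test of the Primitive Roots slide and the q=71, root 7, XA=5, XB=12 numbers of the Example slide. The brute-force discrete logarithm at the end is what Eve is reduced to; it is trivial for q=71 and is exactly the step that large q makes infeasible. pow(base, exp, mod) is Python's built-in modular exponentiation.

```python
# Added example, not code from the slides: Diffie-Hellman over a small prime,
# with the primitive-root test of the Primitive Roots slide and the q=71,
# alpha=7, XA=5, XB=12 numbers of the Example slide. pow(base, exp, mod) is
# Python's built-in modular exponentiation.
import secrets


def is_primitive_root(alpha, p):
    """alpha is a primitive root of prime p if alpha**1, ..., alpha**(p-1) mod p
    run through every value 1, ..., p-1 (the slide's definition, checked
    directly; fine for small p, far too slow for real sizes)."""
    return {pow(alpha, k, p) for k in range(1, p)} == set(range(1, p))


def random_private(q):
    """A private exponent X with 1 <= X < q-1, drawn from a CSPRNG."""
    return 1 + secrets.randbelow(q - 2)


def public_key(alpha, x, q):
    """Y = alpha**X mod q."""
    return pow(alpha, x, q)


def shared_secret(their_public, my_private, q):
    """S = Y_other**X_mine mod q; both sides obtain alpha**(XA*XB) mod q."""
    return pow(their_public, my_private, q)


def dh_exchange(q, alpha, xa, xb):
    """Run the whole exchange with given private keys; returns (YA, YB, S)."""
    ya = public_key(alpha, xa, q)   # what Alice sends (Eve sees it)
    yb = public_key(alpha, xb, q)   # what Bob sends (Eve sees it)
    s_alice = shared_secret(yb, xa, q)
    s_bob = shared_secret(ya, xb, q)
    if s_alice != s_bob:
        raise RuntimeError("shared secrets disagree")
    return ya, yb, s_alice


def discrete_log_by_trial(alpha, y, q):
    """Eve's obvious route: find X with alpha**X = y mod q by trying every X.
    Trivial for q=71; this loop is what a 2048-bit q makes infeasible."""
    for x in range(1, q):
        if pow(alpha, x, q) == y:
            return x
    return None


if __name__ == "__main__":
    print(is_primitive_root(2, 7), is_primitive_root(3, 7))   # False True
    print(dh_exchange(71, 7, 5, 12))                           # (51, 4, 30)
    xa, xb = random_private(71), random_private(71)
    print(dh_exchange(71, 7, xa, xb))
```

Correctness is the slide's "immediate consequence of modular arithmetic": (alpha**XB)**XA and (alpha**XA)**XB are both alpha**(XA*XB) mod q. Because 7 is a primitive root of 71, the discrete logarithm of each public key is unique, which is why the trial search returns exactly 5 and 12.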
Why Does it Work?
Security is provided by the difficulty of calculating discrete logarithms.
Feasibility is provided by: The ability to find large primes. The ability to find primitive roots for large primes. The ability to do efficient modular arithmetic.
Correctness is an immediate consequence of basic facts about modular arithmetic.
More Number Theory Again
Given non-negative numbers a,b, their greatest common divisor gcd(a,b) is the largest number d such that d|a and d|b.
If gcd(a,b)=1 then a and b are said to be relatively prime.
Theorem: If gcd(a,b)=1 then there is a number k such that a*k ≡ 1 (mod b).
Proposition: If p|(a*b) then p|a or p|b.
RSA Public Keys
Named for Ron Rivest, Adi Shamir, and Len Adleman, published in 1978.
Most widely known and used public key system.
No shared secret is required.
Key Generation
Pick large random primes p,q. Let p*q = n and =(p-1)(q-1).
Choose a random number e such that: 1<e< and gcd(e, )=1.
Calculate the unique number d such that 1<d< and d*e ≡ 1 (mod ).
The public key is {e,n} and the private key is {d,n}.
Encryption and Decryption
Encryption: Suppose we are given a message m represented as a number such that 1<=m<n. The ciphertext is c where 0<=c<n and c ≡ m**e (mod n).
Decryption: Given c and the private key {d,n}, calculate c**d ≡ (m**e)**d ≡ m**(d*e) ≡ m (mod n).
Why Does it Work?
It is secure because it is difficult to find or d using only e and n. Finding d is equivalent in difficulty to factoring n as p*q.
It is feasible to encrypt and decrypt because: It is possible to find large primes. It is possible to find relatively prime numbers and their inverses. Modular exponentiation is feasible.
Why Does it Work? continued
Theorem (Fermat): If p is a prime and gcd(m,p)=1 then m**(p-1) ≡ 1 (mod p).
Lemma 1: If p,q are distinct primes and a ≡ b (mod p) and a ≡ b (mod q) then a ≡ b (mod p*q).
Lemma 2: For the RSA numbers e,d,p,q, we have m**(e*d) ≡ m (mod p) and m**(e*d) ≡ m (mod q). Proof.
Corollary: m**(d*e) ≡ m (mod p*q). (That is, decrypting the ciphertext yields the plaintext modulo p*q).
Large Primes
Not feasible to check for divisors. Fermat test is effective: look for numbers p that satisfy the Fermat theorem for enough values a<p.
Theorem: If p is prime, then 1 and –1 are the only values of x that solve the equation x**2 ≡ 1 (mod p).
Miller Rabin algorithm looks for solutions to this equation.
Euclid’s Algorithm
Finding relative primes cannot be done by enumerating all divisors.
Euclid’s Algorithm: If a,b are non-negative numbers and b>0, then gcd(a,b)=gcd(b, a mod b).
Since a mod b is less than a, this terminates if repeatedly applied. It also terminates quickly.
Extended Euclid Algorithm keeps some additional information so that if the result is 1, then the additional information includes the inverse of a.
Modular Exponentiation
Calculating m**e is infeasible if m and e are large.
Fortunately we want m**e (mod n). Even if n is large, this is not difficult. Basic facts:
a*b (mod n) = [(a (mod n))*(b (mod n))] (mod n)
a**(b*c) = (a**b)**c. Trick using squares reduces multiplications needed.
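Added example in Python, not code from the slides: RSA key generation, encryption and decryption (Key Generation and Encryption and Decryption slides) built from the three tools the Large Primes, Euclid's Algorithm and Modular Exponentiation slides describe: the Fermat and Miller-Rabin tests, the extended Euclid algorithm for the inverse of e, and square-and-multiply exponentiation. The primes 61 and 53 and the exponent 17 are chosen small so that every number can be checked by hand; the Carmichael number 561 shows why the Fermat test alone is not enough.

```python
# Added example, not code from the slides: RSA key generation, encryption and
# decryption built from the tools the preceding slides name: Euclid's algorithm
# (extended, to get d from e), square-and-multiply modular exponentiation, and
# the Fermat and Miller-Rabin primality tests. Primes 61 and 53 are small enough
# to check by hand; random_prime() shows how real-sized primes are drawn.
import secrets


def gcd(a, b):
    """Euclid: gcd(a, b) = gcd(b, a mod b) until the remainder is 0."""
    while b:
        a, b = b, a % b
    return a


def extended_gcd(a, b):
    """Return (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    x0, x1, y0, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def mod_inverse(a, n):
    """The k with a*k = 1 (mod n); exists exactly when gcd(a, n) = 1."""
    g, x, _ = extended_gcd(a, n)
    if g != 1:
        raise ValueError("no inverse: gcd(a, n) != 1")
    return x % n


def mod_pow(base, exp, n):
    """Square-and-multiply: one squaring per bit of exp plus one multiplication
    per 1-bit, every product reduced mod n so the numbers never grow."""
    result, base = 1, base % n
    while exp:
        if exp & 1:
            result = result * base % n
        base = base * base % n
        exp >>= 1
    return result


def fermat_test(n, bases=(2, 3, 5)):
    """Passes if a**(n-1) = 1 (mod n) for every base coprime to n. Carmichael
    numbers such as 561 pass for every coprime base, so this is not enough."""
    return n > 1 and all(mod_pow(a, n - 1, n) == 1 for a in bases if a % n)


def miller_rabin(n, bases=(2, 3, 5, 7, 11, 13, 17)):
    """Write n-1 = 2**s * d with d odd. For prime n the sequence a**d,
    a**(2d), ..., a**(2**(s-1) d) is 1 from the start or reaches -1, because
    +1 and -1 are the only square roots of 1 modulo a prime."""
    if n < 2:
        return False
    for p in bases:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in bases:
        x = mod_pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    """Draw odd candidates with the top bit set until Miller-Rabin accepts one."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if miller_rabin(cand):
            return cand


def rsa_keygen(p, q, e=None):
    """Public key (e, n), private key (d, n) with n = p*q, phi = (p-1)(q-1)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if e is None:
        e = 3
        while gcd(e, phi) != 1:
            e += 2
    return (e, n), (mod_inverse(e, phi), n)


def rsa_encrypt(m, public):
    e, n = public
    return mod_pow(m, e, n)          # c = m**e mod n


def rsa_decrypt(c, private):
    d, n = private
    return mod_pow(c, d, n)          # m = c**d mod n


if __name__ == "__main__":
    pub, priv = rsa_keygen(61, 53, e=17)
    print(pub, priv)                 # (17, 3233) (2753, 3233)
    print(rsa_encrypt(65, pub), rsa_decrypt(rsa_encrypt(65, pub), priv))
```

The fixed base list makes miller_rabin deterministic for the sizes used here; for keys of real size the bases are drawn at random and the error probability falls by a factor of four per round.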
Hash Algorithms
Reduce a message of variable size to a small digest of fixed size.
The probability that a randomly chosen message maps to an n-bit hash should ideally be 2**-n.
Example: The NIST Secure Hash Algorithm takes a message of less than 2**64 bits and produces a digest of 160 bits.
Uses for Hashing Algorithms
Hash functions without secret keys are used: To condense a message for digital signature. To check the integrity of an input if the hash has been previously recorded. Such functions are called Modification Detection Codes (MDC’s).
Hash functions that use secret keys are called Message Authentication Codes (MAC’s). They are used for data origin authentication.
Properties of MDC’s
Hash functions h for cryptographic use as MDC’s fall in one or both of the following classes.
Collision Resistant Hash Function (CRHF): It should be computationally infeasible to find two distinct inputs that hash to a common value (i.e. h(x) = h(y)).
One Way Hash Function (OWHF): Given a specific hash value y, it should be computationally infeasible to find an input x such that h(x)=y.
Secure Hash Algorithm
Pad message so it can be divided into 512-bit blocks, including a 64 bit value giving the length of the original message.
Process each block as 16 32-bit words called W(t) for t from 0 to 15.
Expand from these 16 words to 80 words by defining as follows for each t from 16 to 79: W(t) := W(t-3) ⊕ W(t-8) ⊕ W(t-14) ⊕ W(t-16)
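Added example in Python, not code from the slides: the padding and the 16-to-80-word message schedule described on this slide, completed into the SHA-1 compression function so the result can be checked against the standard library. The slide's W(t) rule is a plain XOR (the original 1993 SHA); SHA-1 as implemented here additionally rotates each expanded word left by one bit, and schedule() takes rotate=False to reproduce the slide's rule exactly.

```python
# Added example, not code from the slides: the padding and 16-to-80-word message
# schedule described above, completed into the SHA-1 compression function so the
# result can be checked against hashlib. The slide's W(t) rule is a plain XOR
# (the original SHA); SHA-1 additionally rotates each expanded word left by 1.
import hashlib
import struct

BLOCK = 64          # 512-bit block
MASK = 0xFFFFFFFF


def pad_message(msg):
    """Append a single 1 bit (byte 0x80), zero bits, and the 64-bit big-endian
    length of the original message in bits, up to a multiple of 512 bits."""
    padded = msg + b"\x80"
    padded += b"\x00" * ((56 - len(padded)) % BLOCK)
    return padded + struct.pack(">Q", 8 * len(msg))


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def schedule(block, rotate=True):
    """W(0..15) are the block's 16 big-endian 32-bit words; W(16..79) are
    W(t-3) xor W(t-8) xor W(t-14) xor W(t-16), rotated left by 1 in SHA-1."""
    w = list(struct.unpack(">16I", block))
    for t in range(16, 80):
        x = w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16]
        if rotate:
            x = _rotl(x, 1)
        w.append(x)
    return w


def sha1(msg):
    """SHA-1 (FIPS 180-1): 80 rounds per block over five 32-bit chaining words."""
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0]
    padded = pad_message(msg)
    for start in range(0, len(padded), BLOCK):
        w = schedule(padded[start:start + BLOCK])
        a, b, c, d, e = h
        for t in range(80):
            if t < 20:
                f, k = (b & c) | (~b & d), 0x5A827999
            elif t < 40:
                f, k = b ^ c ^ d, 0x6ED9EBA1
            elif t < 60:
                f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
            else:
                f, k = b ^ c ^ d, 0xCA62C1D6
            temp = (_rotl(a, 5) + (f & MASK) + e + k + w[t]) & MASK
            a, b, c, d, e = temp, a, _rotl(b, 30), c, d
        h = [(x + y) & MASK for x, y in zip(h, (a, b, c, d, e))]
    return struct.pack(">5I", *h)


def matches_hashlib(msg):
    """Cross-check against the standard library implementation."""
    return sha1(msg) == hashlib.sha1(msg).digest()


if __name__ == "__main__":
    print(sha1(b"abc").hex())          # a9993e364706816aba3e25717850c26c9cd0d89d
    print(matches_hashlib(b"x" * 1000))
```

The length field in the padding is what the slide's "64 bit value giving the length of the original message" refers to: it bounds messages to under 2**64 bits and ensures that messages of different lengths never pad to the same block sequence.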
NBS Requirements for DES
Provide a high level of security.
Completely specified and easy to understand.
Security must not depend on secrecy of the algorithm.
Available to all users.
Adaptable for diverse applications.
Economical to implement in electronic devices.
Efficient to use.
Able to be validated.
Exportable.
DES History
Based on Lucifer algorithm of IBM. Algorithm developed by IBM for NBS became known as the Digital Encryption Standard.
Assistance provided by NSA.
Official name in the US: Data Encryption Algorithm (DEA). Official name internationally: Data Encryption Algorithm-1 (DEA-1).
DES Characterized
Substitution-Permutation (SP) Network
Iterated block cipher: sequential repetition of round function
Feistel cipher: iterated cipher on halved inputs combined at each round in a specific way
Summary
64 bit keys with each 8th bit designated as a parity bit, thus 56 significant bits
Rotations and choice permutations on original key are used to create 16 subkeys K(I), each 48 bits
f(I)(R(I-1)) = g(R(I-1), K(I))
g(R(I-1), K(I)) = P( S(E(R(I-1)) ⊕ K(I)) )
E is an expansion permutation, S is a substitution, and P is a permutation
Subkeys
Start with the 56 significant bits of the key, divide into two 28 bit halves.
Apply left circular shift to each half using the following table to indicate how much to shift
Subkeys continued
After the shifts, concatenate the two 28 bit vectors and use the following table to select 48 of these bits
Expansion Permutation E
E is applied to 32 bit vector R(I-1) to obtain a 48 bit vector. It is defined by the following table
“S Box” Substitutions S
S is applied to the result of exclusive or combination of the expansion of R(I-1) and the subkey K(I). It is essentially a substitution cipher on 6 bit words, mapping them to 4 bit words, defined by the table on the slide after next.
S Boxes Continued
Use the first and last bit of the 6 bit block to determine the value for the row, and use the middle 4 bits to determine the value for the column.
Example: 011011 for box 4. Outer bits 01 yield 1. Inner bits 1101 yield 13. Result is 10 (decimal) or 1010 (binary).
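Added example in Python, not code from the slides: the row/column addressing of a DES S-box applied to the slide's input 011011. The S-box table itself is "on the slide after next", which is not part of this page; the S-box 4 table below is copied from the DES standard (FIPS 46), not from the page, and the slide's worked example (row 1, column 13, result 10) serves as the check on it.

```python
# Added example, not from the slides: row/column addressing of a DES S-box.
# S4 is the fourth S-box of the DES standard (FIPS 46), reproduced here from the
# standard because the slide carrying the tables is not on this page.
S4 = [
    [7, 13, 14, 3, 0, 6, 9, 10, 1, 2, 8, 5, 11, 12, 4, 15],
    [13, 8, 11, 5, 6, 15, 0, 3, 4, 7, 2, 12, 1, 10, 14, 9],
    [10, 6, 9, 0, 12, 11, 7, 13, 15, 1, 3, 14, 5, 2, 8, 4],
    [3, 15, 0, 6, 10, 1, 13, 8, 9, 4, 5, 11, 12, 7, 2, 14],
]


def sbox_lookup(box, six_bits):
    """Row = the outer bits (first and last) read as a 2-bit number,
    column = the middle four bits. six_bits may be a '011011' string or an int."""
    if isinstance(six_bits, str):
        six_bits = int(six_bits, 2)
    row = ((six_bits >> 5) & 1) << 1 | (six_bits & 1)
    col = (six_bits >> 1) & 0xF
    return box[row][col]


def rows_are_permutations(box):
    """Each row maps the 16 column values onto all 16 outputs exactly once, so
    within a row the S-box is a substitution cipher on 4-bit words."""
    return all(sorted(row) == list(range(16)) for row in box)


def min_output_change_for_one_input_bit(box):
    """A DES design rule: flipping one input bit changes at least two output
    bits. Returns the minimum number of changed output bits over all 64 inputs
    and all six single-bit flips (this is the per-S-box source of diffusion)."""
    best = 4
    for x in range(64):
        for bit in range(6):
            diff = sbox_lookup(box, x) ^ sbox_lookup(box, x ^ (1 << bit))
            best = min(best, bin(diff).count("1"))
    return best


if __name__ == "__main__":
    value = sbox_lookup(S4, "011011")
    print(f"S4(011011) = {value} (decimal) = {value:04b} (binary)")
    print(rows_are_permutations(S4), min_output_change_for_one_input_bit(S4))
```

The same lookup is applied to each of the eight 6-bit groups of E(R(I-1)) ⊕ K(I) with its own box, giving the 8 x 4 = 32 bits that P then permutes.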
End-of-Round Permutation P
After applying the S box substitutions a permutation is made using the following table
Diagram of the DES round function (figure; only its labels survive): R(I-1) (32 bits) enters the expansion E (48 bits); the result is combined by exclusive or with K(I) (48 bits); the 48 bits pass through the substitutions S1 S2 S3 S4 S5 S6 S7 S8 (8 x 6 bits in, 8 x 4 bits out, 32 bits in all); the permutation P yields the 32-bit result g(R(I-1), K(I)) = P(S(E(R(I-1)) ⊕ K(I))).
DES Properties
Each bit of the ciphertext depends on all bits of the key and all bits of the plaintext.
There is no statistical relationship evident between plaintext and ciphertext.
Altering any single plaintext or key bit alters each ciphertext bit with probability 1/2.
Altering a ciphertext bit results in an unpredictable change to the recovered plaintext.
Weak and Semi-Weak Keys
A weak key is a key K such that E(K,E(K,x)) = x for all x. That is, E(K,-) is an involution.
DES has 4 weak keys.
A pair of DES keys K and L is semi-weak if E(K,E(L,x)) = x. That is, encryption for K acts like decryption for L.
DES has 6 semi-weak key pairs. These arise when the subkeys K(1) to K(16) correspond to L(16) to L(1).
Security and Law Enforcement
Wire taps by law enforcement agencies are allowed when approved by court.
Can a wire tap succeed against a triple-DES encoded conversation?
Aims of key escrow: Provide strong symmetric key security; Provide for wire taps on encrypted communications.
NSA Clipper Program
Key split into two parts, held by two government agencies.
Law enforcement officials with good cause can obtain a court order and get the two key halves.
Encryption algorithm classified. NSA to provide only hardware embodiments of the algorithm.
Keys and Fields
Skipjack algorithm: 80 bit keys encrypting 64 bit blocks in 32 rounds.
D(K,E(K,M)) = M as usual
Law Enforcement Agents’ Field (LEAF): E(f, E(u,k)&n&a) where
f is an 80-bit key for Clipper chips
n is a 30-bit identifier for the unit
a is an escrow authenticator
u is an 80-bit unit-specific key
k is an 80-bit session key
Who Knows What
Known to law enforcement agencies: The key f.
Split between two government agencies: The key u.
Indexed by each agency: The identifier n.
“Wire Tapping” Protocol
Intercept communication
Determine that encoding uses Clipper
Decrypt E(f, E(u,k)&n&a) to get n
Deliver n and court order to escrow agencies
Get the two halves of u
Use u to decrypt E(u,k) to get k
Use k to decrypt session
Capstone
Clipper chip: implements encryption and appending of LEAF.
Capstone cryptographic device: performs basic algorithm together with key exchange, hashing, and digital signature authentication.
Capstone also known as Tessera. Clipper program also known as Mosaic.
Panel Conclusions about Clipper
There is no significant risk that Skipjack will be broken by exhaustive search in the next 30 to 40 years.
There is no significant risk that Skipjack will be broken through a shortcut method of attack.
The strength of Skipjack encryption does not depend on the secrecy of the algorithm.
Revision on Cryptography
Public (Asymmetric) Key Systems: Diffie-Hellman, RSA
Hash Functions (Collision Resistant, One Way): SHA-1
Secret (Symmetric) Key Systems: DES
Modes of Operation
Electronic codebook (ECB) mode. Cipher block chaining (CBC) mode. Cipher feedback (CFB) mode. Output feedback (OFB) mode.
For details, see 7.2.2 in: Handbook of Applied Cryptography, AJ Menezes, PC van Oorschot, and SA Vanstone, 1996.
Electronic Codebook (ECB)
Encrypt each block individually.
Properties:
Identical plaintext blocks yield identical ciphertext.
Order matters, but each successive block can be enciphered without regard to previous blocks.
Bit errors affect only the block in which they occur.
Cipher Block Chaining (CBC)
Take an exclusive or of each plaintext block with the previous ciphertext block before encrypting.
Properties:
Depends on initialization vector (IV).
Ciphertext depends on all previous plaintext blocks.
Bit errors in ciphertext propagate to two blocks. (“Self-synchronizing.”)
Cipher Feedback (CFB)
Encrypt blocks to produce encrypted plaintext of shorter length by using a shift register.
Properties:
Depends on initialization vector (IV).
Ciphertext depends on all previous plaintext blocks.
Self-synchronizing: bit errors in ciphertext propagate to a limited number of blocks.
Output Feedback (OFB)
Like CFB, but not using the enciphered text in creating the key stream.
Properties:
Like CFB, but the key stream is independent of the input plaintext and can therefore be pre-computed.
Digital Signatures
Notation for Symmetric Keys
E(K,P) encrypt plaintext P using key K
D(K,C) decrypt ciphertext C using key K
Notation for Asymmetric key pair A
EA(P) encrypt P (using public part of A)
DA(C) decrypt C (using private part of A)
Digital signature
DA(P) sign P (using private part of A)
EA(DA(P)) = P verify the signature on P (using the public part of A).
Formal Definition of Signature
Cryptography: Theory and Practice, Douglas R. Stinson,CRC Press, 1995.
Data Authentication Algorithm
To create a Message Authentication Code (MAC), use DES and CBC.
Let D1, D2, …, Dn be 64 bit blocks of the message, padded with zeros. Use an IV of zeros. O1 = E(K, D1), O2 = E(K, D2 ⊕ O1), …, On = E(K, Dn ⊕ O(n-1)).
On is the Data Authentication Code (DAC).
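Added example in Python, not code from the slides or from any standard: a toy 64-bit Feistel block cipher (four rounds, SHA-256 as the round function, for illustration only) used to show the ECB and CBC modes of the Modes of Operation slides and the CBC-based Data Authentication Code of this slide. The key, IV and messages are constructed values; the repeated-block count and the error-propagation function make the properties listed on the ECB and CBC slides observable.

```python
# Added example, not code from the slides or from any standard: a toy 64-bit
# Feistel cipher (4 rounds, SHA-256 as round function, for illustration only,
# not for real use) used to show the ECB and CBC modes and the CBC-based Data
# Authentication Code. Key, IV and messages below are constructed values.
import hashlib

BLOCK = 8
ROUNDS = 4


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key, i, half):
    """Round function F(R, K(i)): keyed hash of the right half, 4 bytes."""
    return hashlib.sha256(key + bytes([i]) + half).digest()[:BLOCK // 2]


def block_encrypt(key, block):
    left, right = block[:4], block[4:]
    for i in range(ROUNDS):            # L(i) = R(i-1); R(i) = L(i-1) xor F(R(i-1), K(i))
        left, right = right, _xor(left, _f(key, i, right))
    return left + right


def block_decrypt(key, block):
    left, right = block[:4], block[4:]
    for i in reversed(range(ROUNDS)):  # undo the rounds in reverse order
        left, right = _xor(right, _f(key, i, left)), left
    return left + right


def _chunks(data):
    if len(data) % BLOCK:
        raise ValueError("pad to a multiple of the block size first")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def pad_zero(data):
    return data + b"\x00" * (-len(data) % BLOCK)


def ecb_encrypt(key, data):
    return b"".join(block_encrypt(key, b) for b in _chunks(data))


def cbc_encrypt(key, iv, data):
    out, prev = [], iv
    for b in _chunks(data):
        prev = block_encrypt(key, _xor(b, prev))   # C(i) = E(K, P(i) xor C(i-1))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, data):
    out, prev = [], iv
    for c in _chunks(data):
        out.append(_xor(block_decrypt(key, c), prev))   # P(i) = D(K, C(i)) xor C(i-1)
        prev = c
    return b"".join(out)


def dac(key, message):
    """Data Authentication Code: CBC over the zero-padded message with a zero
    IV; the last ciphertext block O(n) is the code."""
    return cbc_encrypt(key, bytes(BLOCK), pad_zero(message))[-BLOCK:]


def repeated_blocks(ciphertext):
    """Number of ciphertext blocks identical to an earlier block. ECB leaks
    repeated plaintext blocks this way; CBC does not."""
    seen, hits = set(), 0
    for c in _chunks(ciphertext):
        hits += c in seen
        seen.add(c)
    return hits


def cbc_error_propagation(key, iv, plaintext, block_index, bit=0):
    """Flip one ciphertext bit in the given block, decrypt, and return the
    indices of plaintext blocks that came out wrong: that block (garbled) and
    the next one (one flipped bit), the CBC slide's "two blocks"."""
    ct = bytearray(cbc_encrypt(key, iv, plaintext))
    ct[block_index * BLOCK] ^= 1 << bit
    recovered = cbc_decrypt(key, iv, bytes(ct))
    return [i for i, (p, r) in enumerate(zip(_chunks(plaintext), _chunks(recovered)))
            if p != r]


KEY = b"constructed-key!"                        # constructed 16-byte key
IV = b"\x01\x02\x03\x04\x05\x06\x07\x08"         # constructed IV
MESSAGE = pad_zero(b"SAMEDATASAMEDATApayload for CBC test")   # 5 blocks

if __name__ == "__main__":
    print("ECB repeated blocks:", repeated_blocks(ecb_encrypt(KEY, MESSAGE)))
    print("CBC repeated blocks:", repeated_blocks(cbc_encrypt(KEY, IV, MESSAGE)))
    print("CBC blocks damaged by one flipped bit in block 1:",
          cbc_error_propagation(KEY, IV, MESSAGE, 1))
    print("DAC:", dac(KEY, b"pay Danielle 100").hex())
```

Because the DAC is the last CBC block under a secret key, changing any message block changes every later ciphertext block and hence the code; zero padding means a message and the same message with trailing zero bytes share a code, which is why practical CBC-MACs fix the length or pad unambiguously.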
Internet MAC
Modular use of cryptographic hash function for MAC.
Use existing kinds of hash functions.
Avoid significant degradation in performance of hashing.
Well-understood cryptographic analysis.