network security unit 2
TRANSCRIPT
NETWORK SECURITY
Unit-2
Outline
• Conventional encryption principles
• Conventional encryption algorithms
• Cipher block modes of operation
• Location of encryption devices
• Key distribution
• Approaches to message authentication
• Secure hash functions and HMAC
CONVENTIONAL ENCRYPTION PRINCIPLES
SIMPLIFIED MODEL OF CONVENTIONAL ENCRYPTION
[Figure: simplified model of conventional encryption. Plaintext and the secret key are fed into the encryption algorithm to produce ciphertext; the decryption algorithm takes the ciphertext and the same secret key and recovers the plaintext. The key is shared by the sender and receiver only.]
Security depends on the secrecy of the key, not the secrecy of the algorithm (Kerckhoffs's principle): the algorithm is assumed to be public, so the key is the only thing that has to be protected.
Cryptography
Classified along three independent dimensions:
– The type of operations used for transforming plaintext to cipher text
– The number of keys used
• symmetric (single key)
• asymmetric (two-keys, or public-key encryption)
– The way in which the plaintext is processed
Cryptanalysis: the process of discovering the key or the plaintext. It is assumed that the encryption algorithm is known to the cryptanalyst; only the key is secret.
Types of attacks (in increasing order of what the cryptanalyst knows):
1. Ciphertext only
2. Known plaintext
3. Chosen plaintext
4. Chosen ciphertext
5. Chosen text
Type of attack       Information known to the cryptanalyst
Ciphertext only      Encryption algorithm; ciphertext to be decoded.
Known plaintext      Encryption algorithm; ciphertext to be decoded; one or more plaintext-ciphertext pairs formed with the secret key.
Chosen plaintext     Encryption algorithm; ciphertext to be decoded; plaintext messages chosen by the cryptanalyst, together with their corresponding ciphertext.
Chosen ciphertext    Encryption algorithm; ciphertext to be decoded; purported ciphertext chosen by the cryptanalyst, together with its corresponding decrypted plaintext.
Chosen text          Both chosen plaintext and chosen ciphertext.
Average time required for exhaustive key search (on average half the key space must be tried)
Key size (bits)   Number of alternative keys      Time required at 10^6 decryptions/µs
32                2^32  = 4.3 × 10^9              2.15 milliseconds
56                2^56  = 7.2 × 10^16             10 hours
128               2^128 = 3.4 × 10^38             5.4 × 10^18 years
168               2^168 = 3.7 × 10^50             5.9 × 10^30 years
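The table above is just one formula applied to four key sizes: the expected work is half the key space, divided by the attacker's trial rate. The following added example (not part of the slides) computes it so the rows can be reproduced or re-run for a different attacker speed; the 365-day year and the unit thresholds in `human_time` are assumptions made here.

```python
# Added example (not from the slides): expected exhaustive-key-search time
# for a k-bit key, assuming on average half the key space must be tried.
# 10^6 decryptions per microsecond (= 10^12 per second) is the rate the
# table above assumes.

SECONDS_PER_YEAR = 365 * 24 * 3600  # assumption: 365-day year


def average_search_seconds(key_bits: int, decryptions_per_us: float) -> float:
    """Expected seconds to find the key by brute force: (key space / 2) / rate."""
    keyspace = 2 ** key_bits
    rate_per_second = decryptions_per_us * 1_000_000
    return (keyspace / 2) / rate_per_second


def human_time(seconds: float) -> str:
    """Render seconds in the unit the table uses (milliseconds, hours or years)."""
    if seconds < 1:
        return f"{seconds * 1000:.2f} milliseconds"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / 3600:.1f} hours"
    return f"{seconds / SECONDS_PER_YEAR:.1e} years"


def search_table(rate_per_us: float = 1e6, key_sizes=(32, 56, 128, 168)):
    """Rebuild the slide's table as (key bits, number of keys, average time) rows."""
    return [(k, 2 ** k, human_time(average_search_seconds(k, rate_per_us)))
            for k in key_sizes]


if __name__ == "__main__":
    for bits, keys, time_needed in search_table():
        print(f"{bits:>4} bits  {keys:.1e} keys  {time_needed}")
```

Note that doubling the attacker's speed only removes one bit from the key: the defence is key length, which is why the 56-bit column reads in hours and the 128-bit column in multiples of the age of the universe.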
Feistel Cipher Structure
Virtually all conventional block encryption algorithms, including DES, have a structure first described by Horst Feistel of IBM in 1973.
[Figure: Feistel network. A 2w-bit plaintext block is split into halves L0 and R0. In each round the left half is XORed with F(right half, subkey Ki) and the halves are swapped; the subkeys K1, K2, ... are produced by the subkey generation algorithm from the key; the output of the last round is the ciphertext. Decryption runs the same network with the subkeys applied in reverse order, so F itself need not be invertible.]
The strength of a Feistel network depends on the choice of the following parameters and design features:
• Block size
• Key size
• Number of rounds
• Subkey generation algorithm
• Round function F
Conventional Encryption Algorithms
• DES
• Triple DES
• IDEA
• Blowfish
• CAST-128
Data Encryption Standard (DES)
Adopted in 1977 by the National Bureau of Standards (now NIST). Based on a cipher (Lucifer) developed earlier by IBM for Lloyd's of London for cash transfer.
DES uses the Feistel cipher structure with 16 rounds of processing.
DES is a block cipher: the plaintext is processed in 64-bit blocks, and the key is 56 bits in length (a 64-bit key is supplied, but 8 of its bits are parity bits).
Phase 1
• Initial permutation (IP) that rearranges the bits of the 64-bit block
Phase 2
• 16 iterations (rounds) of the same function, each using its own 48-bit subkey derived from the 56-bit key
Phase 3
• Swap of the two 32-bit halves to produce the pre-output, followed by the inverse initial permutation (IP^-1), which yields the 64-bit ciphertext
DES Cracker
DES was broken in practice in 1998 by the Electronic Frontier Foundation (EFF), which built a purpose-built key-search machine:
1998 – DES cracker machine built
– cost = $250,000
– attack length = about 3 days (56 hours) to search the 56-bit key space
In 1999 the same machine, working together with distributed.net, recovered a DES key in under a day. The lesson is the one the key-search table makes: a 56-bit key is too short for a determined attacker.
[Figure: time to break a code, as a function of key length]
Triple DES
Uses three keys and three executions of the DES algorithm in encrypt-decrypt-encrypt (EDE) order.
• Nominal key length of 168 bits with three independent keys (112 bits in the two-key variant, where K1 = K3). Meet-in-the-middle attacks reduce the effective security of three-key triple DES to about 112 bits.
• With K1 = K2 = K3 the middle decryption cancels the first encryption and triple DES reduces to single DES; this backward compatibility is why EDE was chosen over EEE.
C = E_K3[D_K2[E_K1[P]]]
P = D_K1[E_K2[D_K3[C]]]
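The Feistel structure described above and the EDE construction of triple DES are easiest to see in code. The following is an added example, not code from the slides: a toy Feistel network (64-bit block, 16 rounds, a made-up SHA-256-based round function and subkey schedule, none of which is DES) used to show that decryption is the same network with the subkeys reversed, and that E_K3[D_K2[E_K1[P]]] collapses to single encryption under K3 when K1 = K2.

```python
# Added example (not from the slides): a toy Feistel network and the EDE
# triple construction on top of it. The round function F, the subkey
# schedule and the key format are stand-ins chosen here; this is NOT DES.
import hashlib
import struct

ROUNDS = 16


def round_function(right: int, subkey: bytes) -> int:
    """F(R, K_i): keyed, non-invertible mixing of a 32-bit half (assumption: SHA-256 based)."""
    digest = hashlib.sha256(subkey + right.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:4], "big")


def subkeys(key: bytes, rounds: int = ROUNDS) -> list:
    """Toy subkey generation algorithm: derive K_1..K_n from the master key."""
    return [hashlib.sha256(key + bytes([i])).digest()[:8] for i in range(rounds)]


def feistel(block: bytes, keys: list) -> bytes:
    """Run the Feistel network over one 64-bit block with the subkeys in the given order.

    Round i: L_i = R_{i-1}; R_i = L_{i-1} XOR F(R_{i-1}, K_i).
    The final swap is undone on output, so the same code with the subkey
    order reversed is the decryption.
    """
    left, right = struct.unpack(">II", block)
    for k in keys:
        left, right = right, left ^ round_function(right, k)
    return struct.pack(">II", right, left)  # undo the last swap


def encrypt(block: bytes, key: bytes) -> bytes:
    return feistel(block, subkeys(key))


def decrypt(block: bytes, key: bytes) -> bytes:
    """Decryption = same network, subkeys applied in reverse order."""
    return feistel(block, subkeys(key)[::-1])


def tdes_encrypt(block: bytes, k1: bytes, k2: bytes, k3: bytes) -> bytes:
    """C = E_K3[D_K2[E_K1[P]]] (encrypt-decrypt-encrypt)."""
    return encrypt(decrypt(encrypt(block, k1), k2), k3)


def tdes_decrypt(block: bytes, k1: bytes, k2: bytes, k3: bytes) -> bytes:
    """P = D_K1[E_K2[D_K3[C]]]."""
    return decrypt(encrypt(decrypt(block, k3), k2), k1)


if __name__ == "__main__":
    p = b"8bytes!!"                                    # constructed 64-bit block
    k1, k2, k3 = b"key-one", b"key-two", b"key-three"  # constructed keys
    c = tdes_encrypt(p, k1, k2, k3)
    assert tdes_decrypt(c, k1, k2, k3) == p
    # K1 == K2: the middle D_K2 cancels E_K1, leaving single encryption under K3.
    assert tdes_encrypt(p, k1, k1, k3) == encrypt(p, k3)
    print("round trip ok; EDE with K1 == K2 equals single encryption under K3")
```

The point of the structure is visible in `feistel`: `round_function` is never inverted, only recomputed, which is why any keyed function works as F and why the same routine serves for both directions.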
Conventional Encryption Algorithms
Algorithm   Key size (bits)   Number of rounds   Mathematical operations                         Applications
DES         56                16                 XOR, fixed S-boxes                              SET, Kerberos
TDEA        112 or 168        48                 XOR, fixed S-boxes                              PGP, S/MIME
IDEA        128               8                  XOR, addition, multiplication                   PGP
Blowfish    32 to 448         16                 XOR, addition, key-dependent S-boxes
CAST-128    40 to 128         16                 Addition, subtraction, XOR, rotation, S-boxes   PGP
Electronic Code Book (ECB) Mode
• The message is broken into independent blocks, each of which is encrypted separately.
• Each block is a value that is substituted, like a codebook entry, hence the name.
• Each block is independent of all the others: under a given key the same plaintext block always produces the same ciphertext block, so patterns in the plaintext show through in the ciphertext. ECB is therefore suitable only for short, random data such as a single key, not for messages.
Cipher Feedback (CFB) Mode
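The two modes side by side, as an added example that is not part of the slides. In CFB the ciphertext of the previous block is encrypted and XORed into the next plaintext block, C_i = P_i XOR E_K(C_{i-1}) with C_0 = IV, so the block cipher is only ever run in the encryption direction; because of that, a keyed pseudorandom function built from SHA-256 (an assumption made here, not a real block cipher) is enough to run CFB end to end. For ECB only encryption is shown, which is all the pattern-leak demonstration needs.

```python
# Added example (not from the slides): ECB versus CFB over the same 8-byte
# block function. block_encrypt is a SHA-256 based PRF standing in for E_K;
# the key, IV and message below are constructed for the demonstration.
import hashlib
import os

BLOCK = 8


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for E_K on one 8-byte block (SHA-256 based PRF, not a real cipher)."""
    assert len(block) == BLOCK
    return hashlib.sha256(b"E" + key + block).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pad(data: bytes) -> bytes:
    """PKCS#7-style padding so ECB sees a whole number of blocks."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    """ECB: every block is encrypted on its own, like a codebook lookup."""
    data = pad(data)
    return b"".join(block_encrypt(key, data[i:i + BLOCK])
                    for i in range(0, len(data), BLOCK))


def cfb_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """CFB: C_i = P_i XOR E_K(C_{i-1}), C_0 = IV. A short final block needs no padding."""
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        chunk = data[i:i + BLOCK]
        c = xor(chunk, block_encrypt(key, prev)[:len(chunk)])
        out.append(c)
        prev = c            # the ciphertext block is what feeds back
    return b"".join(out)


def cfb_decrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """CFB decryption: P_i = C_i XOR E_K(C_{i-1}); the cipher still runs forward only."""
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        chunk = data[i:i + BLOCK]
        out.append(xor(chunk, block_encrypt(key, prev)[:len(chunk)]))
        prev = chunk
    return b"".join(out)


def repeated_blocks(ciphertext: bytes) -> int:
    """Number of ciphertext blocks that duplicate an earlier one (a pattern leak)."""
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    return len(blocks) - len(set(blocks))


if __name__ == "__main__":
    key = b"demo-key"
    msg = b"ATTACK!!" * 4 + b"RETREAT!"   # constructed: four identical 8-byte blocks
    iv = os.urandom(BLOCK)                # CFB needs a fresh, unpredictable IV per message
    print("ECB repeated blocks:", repeated_blocks(ecb_encrypt(key, msg)))      # 3
    cfb = cfb_encrypt(key, iv, msg)
    print("CFB repeated blocks:", repeated_blocks(cfb))                        # 0
    assert cfb_decrypt(key, iv, cfb) == msg
```

Reusing an IV with CFB leaks the XOR of the first blocks of two messages, so the IV must be fresh for every message even though it need not be secret.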
Location of Encryption Devices
• Link encryption:
– An encryption device is needed at each end of every link, so a lot of devices are required
– High level of security: headers and payload are both encrypted while on the link
– Each packet must be decrypted at every switch, because the switch needs the header to route it, so the data is exposed inside every switch
• End-to-end encryption:
– The source encrypts and the receiver decrypts
– Payload encrypted
– Header in the clear, so the switches can route the packet but traffic patterns are visible
• High security: both link and end-to-end encryption are needed
Key Distribution
1. A key could be selected by A and physically
delivered to B.
2. A third party could select the key and physically
deliver it to A and B.
3. If A and B have previously used a key, one
party could transmit the new key to the other,
encrypted using the old key.
4. If A and B each have an encrypted connection
to a third party C, C could deliver a key on the
encrypted links to A and B.
Key Distribution
• Session key:
– Data encrypted with a one-time session key. At the conclusion of the session the key is destroyed
• Permanent key:
– Used between entities for the purpose of distributing session keys
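Option 4 above, with the session-key and permanent-key roles made explicit, as an added example that is not part of the slides: a key distribution centre C shares a permanent key with A and with B, mints a one-time session key, and delivers it over the two encrypted links. The link cipher is a stand-in built from SHA-256 (keystream) and HMAC-SHA256 (integrity tag); the message layout, the principal names and the `KDC` class are assumptions made for this example.

```python
# Added example (not from the slides): session-key distribution through a
# KDC over links protected by permanent keys. seal/unseal are a stand-in
# encrypt-then-MAC scheme assumed here; the names A, B, C are illustrative.
import hashlib
import hmac
import os

TAG_LEN = 32
NONCE_LEN = 16
KEY_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """`length` bytes of keystream from key and nonce (assumption: SHA-256 in counter mode)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under a shared key: nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Check the tag, then decrypt. Raises ValueError if `key` did not seal this blob."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad tag: wrong key or tampered message")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class KDC:
    """C: holds every principal's permanent key and mints one-time session keys."""

    def __init__(self, permanent_keys: dict):
        self.permanent_keys = permanent_keys

    def issue_session_key(self, requester: str, peer: str):
        """Return (blob for requester, blob for peer); each carries Ks and the other party's name."""
        ks = os.urandom(KEY_LEN)                               # one-time session key
        for_requester = seal(self.permanent_keys[requester], ks + peer.encode())
        for_peer = seal(self.permanent_keys[peer], ks + requester.encode())
        return for_requester, for_peer


def establish_session(kdc: KDC, a: str, ka: bytes, b: str, kb: bytes) -> bool:
    """A asks C for a key for B, forwards B's copy, and both use Ks for this session only."""
    for_a, for_b = kdc.issue_session_key(a, b)
    payload_a = unseal(ka, for_a)          # A opens its copy with its permanent key
    payload_b = unseal(kb, for_b)          # B opens the forwarded copy with its own
    ks_a, peer_a = payload_a[:KEY_LEN], payload_a[KEY_LEN:]
    ks_b, peer_b = payload_b[:KEY_LEN], payload_b[KEY_LEN:]
    if ks_a != ks_b or peer_a != b.encode() or peer_b != a.encode():
        return False
    # Session traffic is protected only by Ks, never by the permanent keys ...
    data = unseal(ks_b, seal(ks_a, b"message for this session only"))
    del ks_a, ks_b                         # ... and Ks is discarded when the session ends
    return data == b"message for this session only"


if __name__ == "__main__":
    keys = {"A": os.urandom(KEY_LEN), "B": os.urandom(KEY_LEN)}   # permanent keys
    print("session established:", establish_session(KDC(keys), "A", keys["A"], "B", keys["B"]))
```

The permanent keys are only ever used to wrap session keys, so the amount of ciphertext an attacker can collect under them stays small; a real protocol also binds a nonce or timestamp into each ticket so that an old ticket cannot be replayed.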
Authentication
Requirements: the receiver must be able to verify that
1. the message came from the apparent source or author,
2. the contents have not been altered, and
3. sometimes, that it was sent at a certain time or in a certain sequence.
This is protection against active attacks (falsification of data and transactions).
Approaches to Message Authentication
• Authentication using conventional encryption: only the sender and receiver share the key, so a message that decrypts to meaningful plaintext must have come from the sender.
• Message authentication without message encryption: an authentication tag is generated and appended to each message; the message itself is sent in the clear.
– Message Authentication Code (MAC): calculate the tag as a function of the message and a secret key, MAC = F(K, M). The receiver recomputes F(K, M) and compares it with the received tag.
– One-way hash function: the tag is a hash of the message. Since anyone can compute a hash, the tag must be protected, for example by encrypting it or by hashing a shared secret together with the message, which is the idea behind HMAC.
Secure Hash Functions
Properties of a hash function H:
1. H can be applied to a block of data of any size.
2. H produces a fixed-length output.
3. H(x) is easy to compute for any given x.
4. For any given hash value h, it is computationally infeasible to find x such that H(x) = h (one-way property, preimage resistance).
5. For any given block x, it is computationally infeasible to find y ≠ x with H(y) = H(x) (weak collision resistance, second-preimage resistance).
6. It is computationally infeasible to find any pair (x, y) such that H(x) = H(y) (strong collision resistance).
[Figure: message digest generation using SHA]
[Figure: processing of a single 512-bit block]
Other Secure Hash Functions
                           SHA-1                 MD5                   RIPEMD-160
Digest length              160 bits              128 bits              160 bits
Basic unit of processing   512 bits              512 bits              512 bits
Number of steps            80 (4 rounds of 20)   64 (4 rounds of 16)   160 (5 paired rounds of 16)
Maximum message size       2^64 - 1 bits         unlimited             2^64 - 1 bits
Note: practical collisions have since been found for both MD5 (2004) and SHA-1 (2017), so neither satisfies property 6 any more; they must not be used where collision resistance matters (signatures, certificates), and new designs use SHA-2 or SHA-3.
HMAC
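HMAC is the MAC = F(K, M) construction built from an unkeyed hash: HMAC(K, M) = H((K' XOR opad) || H((K' XOR ipad) || M)), where K' is the key padded with zeros to the hash's block size (the "basic unit of processing" column above) and ipad/opad are the fixed bytes 0x36 and 0x5C. The following added example, not code from the slides, implements that definition (RFC 2104), checks it against Python's `hmac` module, and shows the verify step rejecting a tampered message; the key and messages are constructed here.

```python
# Added example (not from the slides): HMAC from its definition, checked
# against the standard library, plus MAC verification. Key and messages are
# constructed for the demonstration.
import hashlib
import hmac

IPAD = 0x36
OPAD = 0x5C


def hmac_from_definition(key: bytes, message: bytes, hash_fn=hashlib.sha256) -> bytes:
    """HMAC(K, M) = H((K' XOR opad) || H((K' XOR ipad) || M))."""
    block_size = hash_fn().block_size          # 64 bytes for SHA-256
    if len(key) > block_size:                  # a key longer than one block is hashed first
        key = hash_fn(key).digest()
    key = key.ljust(block_size, b"\x00")       # then zero-padded to one block: K'
    inner = hash_fn(bytes(k ^ IPAD for k in key) + message).digest()
    return hash_fn(bytes(k ^ OPAD for k in key) + inner).digest()


def tag(key: bytes, message: bytes) -> bytes:
    """MAC = F(K, M): the authentication tag appended to a message sent in the clear."""
    return hmac_from_definition(key, message)


def verify(key: bytes, message: bytes, received_tag: bytes) -> bool:
    """Recompute the tag and compare in constant time so timing does not leak a match."""
    return hmac.compare_digest(tag(key, message), received_tag)


def matches_stdlib(key: bytes, message: bytes) -> bool:
    """Cross-check the hand-written construction against hmac.new."""
    return hmac_from_definition(key, message) == hmac.new(key, message, hashlib.sha256).digest()


def unkeyed_digest(message: bytes) -> bytes:
    return hashlib.sha256(message).digest()


def unkeyed_check(message: bytes, digest: bytes) -> bool:
    """An unkeyed hash is NOT a MAC: anyone can recompute it for an altered message."""
    return unkeyed_digest(message) == digest


if __name__ == "__main__":
    k = b"shared-secret"
    m = b"transfer 100 to account 42"
    t = tag(k, m)
    print("matches hmac module:", matches_stdlib(k, m))
    print("genuine message verifies:", verify(k, m, t))
    forged = b"transfer 900 to account 42"
    print("forged message verifies under HMAC:", verify(k, forged, t))
    print("forged message passes an unkeyed hash check:",
          unkeyed_check(forged, unkeyed_digest(forged)))
```

The nested structure matters: H(K || M) with a Merkle-Damgård hash such as MD5 or SHA-1 lets an attacker extend M without knowing K (a length-extension attack), whereas the outer hash over (K' XOR opad) in HMAC closes that door.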
ANY QUERIES