Selected Topics of Applied Cryptography                                                Hofbauer, Stütz




            Selected Topics of Applied
                  Cryptography
                             Ciphers Used in the OpenSSH Tool
                                           Mathematisches Seminar SS/2003



                                          Hofbauer Heinz           Stütz Thomas
                                   hhofbaue@cosy.sbg.ac.at    tstuetz@cosy.sbg.ac.at







                                          Introduction to Cryptography

• governments, military, espionage

• secure internal communication

• World War 2 : Enigma

• 20 years of public research

• wide range of state of the art cryptographic implementations for normal citizens

• Cryptography, What for?
    −    access control
    −    data security
    −    privacy
    −    digital signature
    −    ...





                                          Overview of our Presentation

• Terminology

• Asymmetric Ciphers
    −    Introduction
    −    Classification
    −    Diffie-Hellman
    −    ElGamal
    −    RSA

• Symmetric Ciphers
    −    Introduction
    −    Binary Basics
    −    DES
    −    Modes of Operation

• Usage of Ciphers in OpenSSH





                                          Terminology

• Cipher

• Ciphertext, Plaintext

• Sender, Receiver

• Cryptography, Cryptanalysis, Cryptology

• Symmetric, Asymmetric Ciphers

• Public Key

• Key, Key Space







                               Introduction to Public Key algorithms
Consist of

• a function e_PK to encrypt

• a function d_K to decrypt

• a public key PK

• a private key K

The functions and the public key can be made public; the security does not depend on
keeping them secret.

• For a plaintext M the ciphertext C = e_PK(M) is calculated.

• To obtain the original message from the ciphertext, M = d_K(C) is computed.

• The Concept of a One Way Function
     There must not be a simple way to deduce M or K from C, PK and the two
     functions.




                                          Classification by Usage

There are, generally speaking, three classic types of usage for a public key algorithm.


• Encryption/Decryption
     This is what one would expect: public key algorithms are used to encode
     and decode data.

• Digital Signature
     Signatures are used to securely bind a file to its owner.

    − sign function for a person T: s_T
    − verification function for T: v_T

• Key Exchange
     This is a major topic since asymmetric ciphers are quite slow, while symmetric
     ciphers do not have these complexity and time limitations. Therefore it is useful
     to use a public key system for key exchange.







                                          Classification by Problem

• incomplete list

• every computationally hard problem (e.g. every NP-complete problem) could be used
     for a public key system

• many constraints

• property of a one way function to some degree
     This means that the computational effort for encryption is quite small, while
     decryption without the private key is nearly impossible.

• secure implementation







                                    Classification by Problem (Con’t)

• Knapsack

• Discrete Logarithm

• Factoring

• Square Roots Modulo n

• Elliptic Curve Cryptosystems







                                                    Knapsack

For a given set of values {M_1, . . ., M_n} and a number S the knapsack problem consists
of solving the following equation:

                                          S = b_1 M_1 + b_2 M_2 + . . . + b_n M_n

The values of the b_i can either be 0 or 1. The time needed to solve this equation
seems to grow exponentially with n, the number of values (there are 2^n possible
solutions, which can be assumed to be the worst case).

                      Plaintext:           1    1     1     0      0       1     0      0
                      Knapsack:            1    3     5     7     17      20   113    257
                      Ciphertext:          1   +3    +5    +0     +0     +20    +0   +0 = 29







                                          Diffie-Hellman

Diffie-Hellman is a key exchange algorithm; it can neither encrypt nor decrypt data.


• Discrete Logarithm in a finite Field
    − Finite Field
      For a prime p the finite field mod p consists of the set of residues
      1, ..., p − 1.
    − Primitive
      A number q is called primitive in the finite field mod p if and only if for
      each b in 1, . . . , p − 1 there exists some a such that b ≡ q^a mod p.







                        A Step by Step Description of Diffie-Hellman

Consider two persons, let us name them Heinz and Franz, who want to securely
exchange a key.


1. They have to agree on a large prime number p and a number g, such that g is
   primitive mod p. Those two numbers can be said to be the public key. It is no risk
   to transfer them over an insecure channel.

2. Heinz chooses a random large integer x and sends Franz

                                          X = g^x   mod p


3. Franz also chooses a random large integer y and sends Heinz

                                          Y = g^y   mod p







                   A Step by Step Description of Diffie-Hellman (Con’t)

4. Heinz now computes
                                          k = Y^x     mod p

5. Franz computes
                                          k' = X^y     mod p

k and k' are both equal to g^{xy} mod p. Nobody can compute their value unless he/she
computes the discrete logarithm of X = g^x or Y = g^y. This is considered to be a hard
computational problem.







                                          An Illustrated Example
                                [figure not reproduced in this text]







                              A Simple Mathematica Implementation

<< NumberTheory`NumberTheoryFunctions`

(* Prime n and g are chosen such that g is primitive modulo n *)

agree[i_] := {Prime[i], PrimitiveRoot[Prime[i]]}

(* Heinz's secret exponent is Prime[x]; he sends X = g^Prime[x] mod n together with n *)
heinzX[{n_, g_}, x_] := {Mod[g^Prime[x], n], n}

(* Franz's secret exponent is Prime[y]; he sends Y = g^Prime[y] mod n together with n *)
franzY[{n_, g_}, y_] := {Mod[g^Prime[y], n], n}

(* Heinz computes the shared key from Franz's Y: k = Y^Prime[x] mod n *)
heinzKey[{franzsY_, n_}, x_] := Mod[franzsY^Prime[x], n]

(* Franz computes the shared key from Heinz's X: k' = X^Prime[y] mod n *)
franzKey[{heinzsX_, n_}, y_] := Mod[heinzsX^Prime[y], n]
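The step-by-step exchange between Heinz and Franz and the Mathematica implementation above, as a Python counterpart added here (not the authors' code). The prime p = 467, the primitive root g = 2 and the exponents 127 and 213 are constructed toy values; a real exchange uses a prime of at least 2048 bits, and the exhaustive discrete-log search at the end only works at this toy size, which is the point it makes.

```python
"""Diffie-Hellman key exchange following the slides' five steps (added example)."""
import secrets


def prime_factors(n):
    """Distinct prime factors of n by trial division (sufficient for toy sizes)."""
    factors, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            factors.add(d)
            n //= d
        d += 1
    if n > 1:
        factors.add(n)
    return factors


def is_primitive(g, p):
    """g is primitive mod p iff g^((p-1)/q) != 1 (mod p) for every prime q dividing p-1.
    This is equivalent to the slides' definition: every b in 1..p-1 is some power of g."""
    return all(pow(g, (p - 1) // q, p) != 1 for q in prime_factors(p - 1))


def dh_exchange(p, g, x=None, y=None):
    """Steps 1-5. x and y are Heinz's and Franz's secret exponents (random if omitted).
    Returns the two public values X, Y and both sides' computed keys k, k'."""
    if not is_primitive(g, p):                      # step 1: g must be primitive mod p
        raise ValueError("g must be primitive mod p")
    x = x if x is not None else secrets.randbelow(p - 3) + 2
    y = y if y is not None else secrets.randbelow(p - 3) + 2
    X = pow(g, x, p)                                # step 2: Heinz sends X = g^x mod p
    Y = pow(g, y, p)                                # step 3: Franz sends Y = g^y mod p
    k_heinz = pow(Y, x, p)                          # step 4: k  = Y^x mod p
    k_franz = pow(X, y, p)                          # step 5: k' = X^y mod p
    return X, Y, k_heinz, k_franz


def discrete_log_search(X, g, p):
    """Toy-size check only: finds x with g^x = X (mod p) by trying every exponent.
    It costs up to p-1 multiplications, which is exactly why p must be large."""
    v = 1
    for x in range(p - 1):
        if v == X:
            return x
        v = v * g % p
    return None


if __name__ == "__main__":
    p, g = 467, 2                                   # constructed toy parameters
    X, Y, k, k2 = dh_exchange(p, g, x=127, y=213)
    print(f"X={X} Y={Y} k={k} k'={k2} equal={k == k2}")
    print(f"recovered x from X at this toy size: {discrete_log_search(X, g, p)}")
```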







                                          ElGamal

The ElGamal scheme is based on the computation of the discrete logarithm. It was
proposed in 1985 by Taher ElGamal. It can be used for both digital signatures and
encryption. A variant of this scheme is DSA (Digital Signature Algorithm), used in the
Digital Signature Standard (DSS), which was proposed by NIST (National Institute of
Standards and Technology). This means that DSA is used for digital signatures in
federal systems in the United States. It seems that this standard is more or less a
patchwork of other cryptosystems (including ElGamal, RSA, Diffie-Hellman, ...).
Three patent holders claim that DSA infringes their patents: Diffie-Hellman,
Merkle-Hellman and Schnorr. Therefore it makes more sense to explain the algorithms
the standard is based on than the standard itself.
Diffie-Hellman is an algorithm which can only be used to securely generate/exchange
keys.







                                          ElGamal (Con’t)

• Digital Signature
    − not to encrypt messages
    − to certify that they are from a distinct person T
    − everyone who wants to sign a message needs his own signature function
      s_T
    − other people have to verify the signature of T and therefore need a
      verification function v_T
    − private key for signing
    − public key for verification







                                          ElGamal, Key Generation

• Choose a prime p and two numbers g and x (both less than p).

• Compute y ≡ g^x mod p

• Now you can make (y, g, p) public. The private key is x.

After generating the keys, a message m can be signed.







                                          ElGamal, Digital Signature

• In order to do so you randomly choose an integer k such that k and p − 1 are
     relatively prime.

• Compute
                                                  a ≡ g^k     mod p
     and
                                             b ≡ k^{-1}(m − xa)   mod (p − 1).

The signature is the pair (a, b); k and x are secret. The verification is done through


                                               y^a a^b ≡ g^m     mod p







                                          Encryption with ElGamal

For encryption with ElGamal you have to generate the keys as described for the digital
signature with ElGamal.


• Choose a random number k, which is relatively prime to p − 1.

• Compute
                                                 a ≡ g^k      mod p
                                                 b ≡ y^k M    mod p

• a and b are the ciphertext, which has double the size of the original message.


To decrypt you have to use your private key x and calculate:

                                              M ≡ b / a^x      mod p
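The key generation, signature, verification, encryption and decryption formulas of the ElGamal slides as Python functions, added here as an example (not the authors' code). The parameters p = 467, g = 2, x = 127 and k = 213 are constructed toy values (2 is primitive mod 467); verify additionally checks 1 ≤ a < p, a standard check from the literature that the slides do not mention.

```python
"""ElGamal signature and encryption exactly as on the slides (added example)."""
from math import gcd
import secrets


def keygen(p, g, x=None):
    """Public key (y, g, p) with y = g^x mod p; private key x (random if omitted)."""
    x = x if x is not None else secrets.randbelow(p - 2) + 1
    return (pow(g, x, p), g, p), x


def random_k(p):
    """Random k with gcd(k, p - 1) = 1, required by both signing and encryption
    (signing needs k^-1 mod p-1, and k must never be reused or revealed)."""
    while True:
        k = secrets.randbelow(p - 2) + 1
        if gcd(k, p - 1) == 1:
            return k


def sign(m, pub, x, k=None):
    """Signature (a, b): a = g^k mod p, b = k^-1 (m - x a) mod (p - 1)."""
    _, g, p = pub
    k = k if k is not None else random_k(p)
    a = pow(g, k, p)
    b = (pow(k, -1, p - 1) * (m - x * a)) % (p - 1)
    return a, b


def verify(m, sig, pub):
    """Accept iff y^a a^b == g^m (mod p); a outside 1..p-1 is rejected outright."""
    y, g, p = pub
    a, b = sig
    if not 1 <= a < p:
        return False
    return (pow(y, a, p) * pow(a, b, p)) % p == pow(g, m, p)


def encrypt(M, pub, k=None):
    """Ciphertext (a, b): a = g^k mod p, b = y^k M mod p, twice the size of M."""
    y, g, p = pub
    k = k if k is not None else random_k(p)
    return pow(g, k, p), (pow(y, k, p) * M) % p


def decrypt(ct, pub, x):
    """M = b / a^x mod p, i.e. b times the modular inverse of a^x."""
    _, _, p = pub
    a, b = ct
    return (b * pow(pow(a, x, p), -1, p)) % p


if __name__ == "__main__":
    pub, x = keygen(467, 2, x=127)            # constructed toy key, y = 132
    sig = sign(100, pub, x, k=213)
    print("signature:", sig, "verifies:", verify(100, sig, pub))
    ct = encrypt(100, pub, k=213)
    print("ciphertext:", ct, "decrypts to:", decrypt(ct, pub, x))
```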







                                      ElGamal - Illustrated Examples
                                [figures not reproduced in this text]







                                            RSA

• named after the three inventors, Ron Rivest, Adi Shamir, and Leonard Adleman.

• RSA gets its security from the difficulty of factoring large numbers.

• Mathematical Background

• Euler's ϕ function
  ϕ(n) is the number of elements in the reduced set of residues mod n. In other
  words, ϕ(n) is the number of positive integers less than n relatively prime to n.







                                           RSA (Con’t)

• Fermat's little theorem
     If p is prime and x is not of the form x = k · p for any integer k, then:

                                          x^{p−1} ≡ 1      mod p.


• Euler's generalization of Fermat's little theorem
     If the greatest common divisor of two numbers x and n is one, in short
     gcd(x, n) = 1, then
                                          x^{ϕ(n)} ≡ 1     mod n







                   A Step by Step Description of the RSA Algorithm

1. Randomly choose two large prime numbers p and q, with p ≠ q.

2. Compute the product: n = pq.

3. Choose a number e, the encryption key, such that e and ϕ(n) = (p − 1)(q − 1) are
   relatively prime and e ≤ n.

4. Compute the decryption key d, using the extended Euclidean algorithm, such that

                                           ed ≡ 1    mod (p − 1)(q − 1)
     or
                                          d ≡ e^{-1}   mod ((p − 1)(q − 1))







                                               RSA (Con’t)
5. Note that d and n are also relatively prime. The public key consists of the numbers e and
   n. d is the private key. The prime numbers p, q are no longer needed, but should not
   be revealed since the security of the process is based on their secrecy.

6. Divide the plaintext's numerical representation into blocks m_i smaller than n.

7. To encrypt the whole plaintext, encrypt all blocks m_i. This is done quite simply by:

                                              c_i ≡ m_i^e       mod n

     where c_i is the encrypted message block m_i.

8. To decrypt a message, take each block c_i and compute:

                                                      m_i = c_i^d

     since
                 c_i^d = (m_i^e)^d = m_i^{ed} = m_i^{kϕ(n)+1} = m_i · m_i^{kϕ(n)} = m_i · 1 = m_i

     all modulo n.
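The eight RSA steps above in Python, added here as an example (not the authors' code): d is computed with the extended Euclidean algorithm, the plaintext is cut into blocks so that every m_i < n, and the blocks are encrypted and decrypted one by one. The primes p = 1009, q = 1013, the exponent e = 65537 and the sample message are constructed toy values; real keys use primes of about 1024 bits each and pad every block, which is left out here.

```python
"""Textbook RSA following the slides' steps 1-8 (added example)."""


def egcd(a, b):
    """Extended Euclidean algorithm: returns (g, s, t) with a*s + b*t = g = gcd(a, b)."""
    s0, s1, t0, t1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        s0, s1 = s1, s0 - q * s1
        t0, t1 = t1, t0 - q * t1
    return a, s0, t0


def modinv(e, m):
    """e^-1 mod m; fails if e and m are not relatively prime (step 3's condition)."""
    g, s, _ = egcd(e, m)
    if g != 1:
        raise ValueError("e and phi(n) must be relatively prime")
    return s % m


def keygen(p, q, e):
    """Steps 1-5: n = pq, phi(n) = (p-1)(q-1), d = e^-1 mod phi(n).
    Returns the public key (e, n) and the private key d."""
    if p == q:
        raise ValueError("p and q must be distinct primes")
    n, phi = p * q, (p - 1) * (q - 1)
    if not 1 < e <= n:
        raise ValueError("e must lie between 1 and n")
    d = modinv(e, phi)
    return (e, n), d


def to_blocks(data, n):
    """Step 6: split the bytes into blocks m_i < n. Each block holds `size` bytes,
    chosen so that 256^size <= n; returns (blocks, size)."""
    size = (n.bit_length() - 1) // 8
    if size == 0:
        raise ValueError("n is too small to hold even one byte per block")
    blocks = [int.from_bytes(data[i:i + size], "big") for i in range(0, len(data), size)]
    return blocks, size


def from_blocks(blocks, size, length):
    """Inverse of to_blocks; `length` tells how many bytes the last block really held,
    since a short final block re-expands with leading zero bytes."""
    if not blocks:
        return b""
    raw = b"".join(b.to_bytes(size, "big") for b in blocks)
    rem = length - (len(blocks) - 1) * size
    return raw[:-size] + raw[-size:][size - rem:]


def encrypt_blocks(blocks, pub):
    """Step 7: c_i = m_i^e mod n."""
    e, n = pub
    return [pow(m, e, n) for m in blocks]


def decrypt_blocks(cipher_blocks, n, d):
    """Step 8: m_i = c_i^d mod n."""
    return [pow(c, d, n) for c in cipher_blocks]


if __name__ == "__main__":
    pub, d = keygen(1009, 1013, 65537)                 # constructed toy key
    msg = b"Hofbauer, Stuetz SS/2003"                  # constructed sample message
    blocks, size = to_blocks(msg, pub[1])
    ct = encrypt_blocks(blocks, pub)
    print("e, n, d:", pub, d)
    print("blocks:", blocks, "->", ct)
    print("decrypted:", from_blocks(decrypt_blocks(ct, pub[1], d), size, len(msg)))
```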




                                 Symmetric Block Cipher - Overview

• Basics
    − XOR
    − left-shift, rotational left-shift

• Feistel networks

• DES
    − f-function
    − key-function

• Modes of Operation
    −    ECB
    −    CBC
    −    CFB
    −    OFB






                                                   Basics - XOR

Most ciphers today operate on a binary representation of the plaintext denoted by the
alphabet Σ = {0, 1}; letters from this alphabet are called binary digits or bits.



The map ⊕ : Σ × Σ → Σ, (a, b) → a ⊕ b is called XOR and ⊕ is defined as follows:


                                                       ⊕     0       1
                                                       0     0       1
                                                       1     1       0



Let A, B ∈ Σ^n where A = (a_1, . . . , a_n) and B = (b_1, . . . , b_n) with
∀ j ∈ {1, . . . , n} : a_j, b_j ∈ Σ; then

                                          ⊕ : Σ^n × Σ^n → Σ^n
                                              (A, B) → (a_1 ⊕ b_1, . . . , a_n ⊕ b_n).





                                           Basics - (cyclic) left-shift
Let A ∈ Σ^n; then << : Σ^n × N → Σ^n, (A, x) → A · 2^x mod 2^n. The map << is called left
shift, and for A << x we usually say an x-bit left shift of A.

Example: A = 01001011, n = 8 and x = 2; then:

                                          A << 2 = 01001011 << 2
                                                 = 01001011 · 2^2          mod 2^8
                                                 = 01 00101100            mod 2^8
                                                 = 00101100



If the bits which are shifted out to the left, 01 in the above example, are added to A
after the left shift is complete, the operation is called cyclic or rotational left shift and
is denoted by <<<.

Example: From the above example:

                  A <<< 2 = (A << 2) + ⌊A · 2^{x−n}⌋ = 00101100 + 01 = 00101101




                                            Basics - Concatenation



Let A ∈ Σ^n and B ∈ Σ^m where A = (a_1, . . . , a_n) and B = (b_1, . . . , b_m) with ∀i : a_i, b_i ∈ Σ;
then by concatenating A and B we mean

                                          ◦ : Σ^n × Σ^m → Σ^{n+m}
                                              (A, B) → (a_1, . . . , a_n, b_1, . . . , b_m)

A ◦ B is also often written (AB) or even (A, B).

Example: A = 010 and B = 110; then

                                               A ◦ B = (AB) = 010110







                                          Feistel Networks 1



Feistel networks date back to the early 1970s and were created by H. Feistel. Many
modern block ciphers utilize Feistel networks and are often referred to as Feistel ciphers.
The list of block ciphers which use a Feistel network includes, but is not limited to:


     − DES
     − Lucifer
     − Blowfish
     − GOST
     − FEAL
     − LOKI


We will in the following describe so-called balanced Feistel networks, where the
plaintext is split into two halves of equal length. Note that there are also unbalanced
Feistel networks where the two halves need not be of equal size.






                                           Feistel Networks 2

[Figure: 16-round Feistel network. The plaintext is split into L0 and R0; round i
(i = 1, ..., 15) computes L_i = R_{i−1} and R_i = L_{i−1} XOR f(K_i, R_{i−1}); the last
round is drawn without the swap, L16 = L15 XOR f(K16, R15) and R16 = R15, and
(L16, R16) is the ciphertext.]

The scheme for a 16-round Feistel network is illustrated in the figure.

Note that the number of iterations in a Feistel network is not fixed. In the following
we will describe the encryption and decryption for n-round Feistel networks.

A plaintext block of length n (where n must be even) is split into two halves (L0 and R0)
of length n/2.







                                           Feistel Networks 3

[Figure: the same 16-round Feistel network as on the previous slide.]

The encryption is defined as an iterative process:

                                 L_i = R_{i−1}
                                 R_i = L_{i−1} ⊕ f(R_{i−1}, K_i)

To form the ciphertext, the output of the Feistel network is swapped and concatenated:

                                             C = (R_n L_n)

Clearly the security of the Feistel cipher depends on the security of the function f. The
iteration, however, increases the security of f.







                                           Feistel Networks 4

[Figure: the same 16-round Feistel network as on the previous slides.]

Decryption works exactly like encryption; it is, however, necessary to reverse the key
order. So when decrypting, K1 becomes Kn from encryption. Note that f doesn't need to be
invertible; it is sufficient that the keys can be reproduced and be brought into reverse
order.
Basically the last step of encryption is reversed by the first step of decryption:

                                       L_1 = R_0 = L_n = R_{n−1}
                                       R_1 = L_0 ⊕ f(R_0, K_1)
                                           = (L_{n−1} ⊕ f(R_{n−1}, K_n)) ⊕ f(R_{n−1}, K_n)
                                           = L_{n−1}
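The n-round balanced Feistel network of the last three slides in Python, added here as an example (not the authors' code): one routine runs the network and, fed the round keys in reverse order, decrypts. The 64-bit block size, the round function f and the key schedule are constructed toys; f is deliberately many-to-one (squaring mod 2^32 maps v and −v to the same value), so it has no inverse, which the decryption does not need.

```python
"""Balanced Feistel network: L_i = R_{i-1}, R_i = L_{i-1} XOR f(R_{i-1}, K_i),
ciphertext C = (R_n L_n); decryption = same network with reversed keys (added example)."""

HALF_BITS = 32
MASK = (1 << HALF_BITS) - 1
KEY_MASK = (1 << 64) - 1


def f(r, k):
    """Constructed toy round function. Squaring mod 2^32 is not injective
    (v and 2^32 - v collide), so f cannot be inverted; the network works anyway."""
    v = (r ^ k) & MASK
    v = (v * v + 0x9E3779B9) & MASK
    return (v ^ (v >> 11)) & MASK


def key_schedule(master_key, rounds):
    """Constructed toy schedule: K_1..K_n from a 64-bit master key by rotation.
    Only property needed by the slides: the keys can be reproduced in any order."""
    keys, k = [], master_key & KEY_MASK
    for i in range(1, rounds + 1):
        k = ((k << 13) | (k >> 51)) & KEY_MASK       # 64-bit rotate left by 13
        keys.append((k ^ (i * 0x5851F42D)) & MASK)
    return keys


def feistel(block, round_keys):
    """Run the rounds in the given key order on a 64-bit block and return the
    swapped, concatenated output (R_n L_n). Serves encryption and decryption."""
    L, R = (block >> HALF_BITS) & MASK, block & MASK
    for K in round_keys:
        L, R = R, L ^ f(R, K)
    return (R << HALF_BITS) | L


def encrypt(block, master_key, rounds=16):
    return feistel(block, key_schedule(master_key, rounds))


def decrypt(block, master_key, rounds=16):
    # Same network; K_1 of decryption is K_n of encryption, as on the slide.
    return feistel(block, key_schedule(master_key, rounds)[::-1])


if __name__ == "__main__":
    blk, key = 0x0123456789ABCDEF, 0xDEADBEEFCAFEBABE   # constructed sample values
    ct = encrypt(blk, key)
    print(f"plaintext  {blk:016x}\nciphertext {ct:016x}\ndecrypted  {decrypt(ct, key):016x}")
```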







                                                   DES

[Figure: plaintext → IP → 16-round Feistel network → IP^{-1} → ciphertext]

The key size is 56 bit and the block size is 64 bit.

DES uses a 16-round Feistel network with an initial and terminal permutation. The
terminal permutation is the inverse of the initial permutation, such that the basic way
decryption works remains the same as with Feistel networks.

To fully understand DES it is thus sufficient to look at:

• key-function

• f-function







                                                  DES - key function 1

[Figure: key schedule. Key → PC1 → (C0, D0); in every round i the two halves are
rotated (Left Shift_i) to give (C_i, D_i), and PC2 applied to (C_i D_i) yields the round
key K_i, for i = 1, ..., 16.]

DES uses a 56 bit key which is brought to 64 bits by adding a parity bit after every 7
key bits.

The 64 bit key is run through a permutation and selection box (PC1). This box skips the
parity bits and permutes the 56 key bits.

The 56 permuted key bits are split into two equal sized parts C0 and D0, each containing
28 bits. C0 is the first 28 bits of PC1(K) and D0 is the remaining 28 bits.




  Previous Page                                             Quit         Full Screen                       Next Page
                                                  DES - key function 2

[Figure: the same key schedule diagram as on the previous slide]

The 16 round keys K1 through K16 are generated by the following iteration:

1. Ci = Ci−1 <<< LSi
2. Di = Di−1 <<< LSi
3. Ki = PC2(CiDi)

where 1 ≤ i ≤ 16, LSi is the left shift amount for this round, and PC2 is another selection and permutation box, which selects and permutes 48 bits from the 56 bits of (CiDi).
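The rotation part of this iteration, as an added example that is not from the slides: the C/D halves are rotated with the standard DES shift amounts LSi (not listed on the slides), while PC1 and PC2 are left out, so no round keys are produced. It also checks one consequence of the schedule: the shifts sum to 28, so C16 = C0 and D16 = D0.

```python
# Added example (not from the slides): the C/D rotation step of the DES
# key schedule. LS_i are the standard DES shift amounts; PC1 and PC2 are
# omitted here, so the 48-bit round keys K_i are not produced.
LS = [1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1]
MASK28 = (1 << 28) - 1


def rotl28(x: int, n: int) -> int:
    """Rotate a 28-bit value left by n bits (the <<< on the slide)."""
    x &= MASK28
    return ((x << n) | (x >> (28 - n))) & MASK28


def concat_halves(c: int, d: int) -> int:
    """The 56-bit value (C_i D_i) that PC2 would select 48 bits from."""
    return ((c & MASK28) << 28) | (d & MASK28)


def half_schedule(c0: int, d0: int):
    """Return [(C1, D1), ..., (C16, D16)] from the halves C0, D0 of PC1(K)."""
    halves, c, d = [], c0, d0
    for ls in LS:             # round i uses shift amount LS_i
        c = rotl28(c, ls)     # C_i = C_{i-1} <<< LS_i
        d = rotl28(d, ls)     # D_i = D_{i-1} <<< LS_i
        halves.append((c, d))
    return halves


def total_shift() -> int:
    """Sum of all 16 shift amounts; equals 28, one full rotation."""
    return sum(LS)


if __name__ == "__main__":
    c0, d0 = 0x0F0CCAA, 0x05547F8   # constructed 28-bit sample halves
    sched = half_schedule(c0, d0)
    # After 16 rounds the halves are back where they started, which is why
    # DES decryption can run the same schedule with right rotations.
    assert sched[-1] == (c0, d0)
    print(hex(concat_halves(*sched[0])))
```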
                                                  DES - f-function 1

[Figure: the f-function; R -> E -> E(R), XOR with K gives B1..B8, S-boxes S1..S8 give C1..C8, then P yields f(R,K)]

The round key for DES is of size 48 bits, but the R from the Feistel network is only 32 bits, since the block size of DES is 64 bits.

So we first bring R up to the same size as the key K. To do this we use the E box (E for expansion). The E box duplicates certain bits and permutes them.

Since E(R) and K are of equal size we can calculate

                                                            B = E(R) ⊕ K
                                                  DES - f-function 2

[Figure: the same f-function diagram as on the previous slide]

B is split up into 8 blocks B1, . . . , B8, each 6 bits in size.

Each Bi is run through a corresponding S-box (S for substitution), which generates Ci, 4 bits in size.

The transformation is a lookup in the S-box, taking the first and the last bit of Bi as row index and bits 2 through 5 as column index.

The looked-up number is in the range 0 to 15, which can be represented by 4 bits and directly corresponds to Ci.
                     DES - f-function 3 - Example of an S-Box lookup

[Figure: the 6-bit block B1B2B3B4B5B6 is split into the outer bits B1B6 (row index) and the inner bits B2B3B4B5 (column index) for the S-box lookup]

Let us try to transform B1 = 010110₂ into C1. The first and the last bit of B1 are both zero, so the row index is 0. The column index is generated by bits 2 through 5, which are 1011₂ = 11₁₀. When we look up the element at column 11 of row 0 we get 12, which in binary yields C1 = 1100₂.

                                                S-box 1
         0   1   2   3   4   5   6   7   8   9  10  11  12  13  14  15
   0    14   4  13   1   2  15  11   8   3  10   6  12   5   9   0   7
   1     0  15   7   4  14   2  13   1  10   6  12  11   9   5   3   8
   2     4   1  14   8  13   6   2  11  15  12   9   7   3  10   5   0
   3    15  12   8   2   4   9   1   7   5  11   3  14  10   0   6  13
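The lookup described above, as an added example that is not from the slides: it uses S-box 1 from the table, the helper names are my own, and it also counts how many 6-bit inputs share each 4-bit output, which is the lossiness of the S-box step.

```python
# Added example (not from the slides): the DES S-box lookup described on
# the slide, using S-box 1 from the table. The other seven S-boxes are not
# reproduced here, so only the B1 -> C1 step is demonstrated.
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]


def sbox_lookup(sbox, b: int) -> int:
    """Map a 6-bit block B_i to the 4-bit C_i via the given S-box."""
    if not 0 <= b < 64:
        raise ValueError("S-box input must be 6 bits")
    row = ((b >> 5) & 1) << 1 | (b & 1)   # first and last bit -> row index
    col = (b >> 1) & 0xF                  # bits 2 through 5 -> column index
    return sbox[row][col]


def split_6bit_blocks(b48: int):
    """Split the 48-bit B = E(R) xor K into B1..B8 (B1 = most significant)."""
    return [(b48 >> (6 * (7 - i))) & 0x3F for i in range(8)]


def preimage_counts(sbox):
    """Number of 6-bit inputs mapping to each 4-bit output: the lookup is lossy."""
    counts = [0] * 16
    for b in range(64):
        counts[sbox_lookup(sbox, b)] += 1
    return counts


if __name__ == "__main__":
    c1 = sbox_lookup(S1, 0b010110)   # the slide's example B1
    print(f"C1 = {c1} = {c1:04b}")    # 12 = 1100
    print(preimage_counts(S1))        # every output value has 4 preimages
```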
                                                  DES - f-function 4

[Figure: the same f-function diagram as on the previous slides]

The concatenation S = C1, . . . , C8 is 32 bits in length, since the S-box lookup is lossy (6 bits in, 4 bits out).

The output S is permuted via the P-box and the output is

                                                            f (R, K) = P(S)

As can be seen clearly, f (R, K) is irreversible.
                                          Modes of Operation - ECB

                                          ECB - Electronic Codebook Mode

• Plaintext is expanded with random bits to be of size k ∗ 64 bits.

• Plaintext is split into blocks 64 bits in length.

• The ciphertext is produced by encoding each plaintext block and concatenating the ciphertext blocks.

Clearly this is a naive method. There is no position dependent information.
                                          Modes of Operation - CBC

                                          CBC - Cipher Block Chaining Mode

• Plaintext is expanded with random bits to be of size k ∗ 64 bits.

• Plaintext is split into blocks m1, . . . , mu each 64 bits in length.

• Encryption for 1 ≤ i ≤ u is ci = Ek (ci−1 ⊕ mi).

− c0 is set to some initial vector IV.

• Decryption for 1 ≤ i ≤ u is mi = ci−1 ⊕ Dk (ci).

− Clearly c0 must be set to the same IV used for encryption.

Through the use of the previous ciphertext block CBC gains position dependent encoding.
                                          Modes of Operation - CFB

                                          CFB - Cipher Feedback Mode

• Allows for smaller block sizes than would be allowed by the underlying block cipher.

• Fills a different role than ECB and CBC.

• The costly part of the decoding function can be calculated one step ahead.

Since CFB supports smaller blocks than the block cipher, we have to choose an r with 1 ≤ r ≤ n, where n is the block size of the cipher in use. The plaintext is split up into m1, . . . , mu, each a block of size r. Since the block cipher cannot encrypt blocks of size r, it encrypts n-bit blocks Ii, and those outputs are used to encrypt the plaintext.
                                          Modes of Operation - CFB 2

I1 is set to some initial vector IV and then encryption for blocks 1 ≤ j ≤ u works like this:

            1. O j = Ek (I j )
            2. set x j to the first r bits of O j
            3. c j = m j ⊕ x j
            4. for j < u generate I j+1 = (I j << r) + c j

Decryption works likewise, again with I1 = IV and for 1 ≤ j ≤ u:

            1. O j = Ek (I j )
            2. set x j to the first r bits of O j
            3. m j = c j ⊕ x j
            4. for j < u generate I j+1 = (I j << r) + c j
                                          Modes of Operation - OFB

                                           OFB - Output Feedback Mode

• Similar to CFB in its operation.

• Uses the Ek (Ii) for feedback instead of the ci.

• The costly part of the decoding function can be fully calculated ahead.

Like CFB we have to choose an r with 1 ≤ r ≤ n, where n is the block size of the cipher in use. The plaintext is split up into m1, . . . , mu, each a block of size r. Since the block cipher cannot encrypt blocks of size r, it encrypts n-bit blocks Ii, and those outputs are used to encrypt the plaintext.
                                          Modes of Operation - OFB 2

I1 is set to some initial vector IV and then encryption for blocks 1 ≤ j ≤ u works like this:

            1. O j = Ek (I j )
            2. set x j to the first r bits of O j
            3. c j = m j ⊕ x j
            4. I j+1 = O j for j < u

Decryption works likewise, again with I1 = IV and for 1 ≤ j ≤ u:

            1. O j = Ek (I j )
            2. set x j to the first r bits of O j
            3. m j = c j ⊕ x j
            4. I j+1 = O j for j < u
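The CBC, CFB and OFB procedures from the preceding slides written out as an added example that is not from the slides. Since the slides give no DES implementation, Ek and Dk are a stand-in 4-round Feistel cipher with a SHA-256 based round function (assumed here so the code runs offline; it is not DES), and the sample key, IV and blocks are constructed.

```python
# Added example (not from the slides): CBC, CFB and OFB as given above.
# E/D are a stand-in 64-bit Feistel cipher with a SHA-256 round function,
# assumed here so the code runs offline; it is NOT DES and not secure.
import hashlib

BLOCK, M64 = 64, (1 << 64) - 1

def _f(k: bytes, r: int, i: int) -> int:
    h = hashlib.sha256(k + bytes([i]) + r.to_bytes(4, "big")).digest()
    return int.from_bytes(h[:4], "big")

def E(k: bytes, x: int) -> int:            # stand-in for E_k on a 64-bit block
    l, r = x >> 32, x & 0xFFFFFFFF
    for i in range(4):
        l, r = r, l ^ _f(k, r, i)
    return (l << 32) | r

def D(k: bytes, x: int) -> int:            # inverse of E (rounds run backwards)
    l, r = x >> 32, x & 0xFFFFFFFF
    for i in reversed(range(4)):
        l, r = r ^ _f(k, l, i), l
    return (l << 32) | r

def cbc_encrypt(k, iv, blocks):
    out, prev = [], iv                     # c_0 = IV
    for m in blocks:
        prev = E(k, prev ^ m)              # c_i = E_k(c_{i-1} xor m_i)
        out.append(prev)
    return out

def cbc_decrypt(k, iv, blocks):
    out, prev = [], iv
    for c in blocks:
        out.append(prev ^ D(k, c))         # m_i = c_{i-1} xor D_k(c_i)
        prev = c
    return out

def cfb(k, iv, segs, r, decrypt=False):
    """r-bit CFB; one routine for both directions, only E_k is needed."""
    out, I = [], iv                        # I_1 = IV
    for s in segs:
        x = E(k, I) >> (BLOCK - r)         # 1./2. first r bits of O_j = E_k(I_j)
        y = s ^ x                          # 3. c_j = m_j xor x_j (or the reverse)
        out.append(y)
        c = s if decrypt else y            # the ciphertext segment is fed back
        I = ((I << r) | c) & M64           # 4. I_{j+1} = (I_j << r) + c_j
    return out

def ofb(k, iv, segs, r):
    """r-bit OFB; feeds back the full output O_j, so the keystream is plaintext independent."""
    out, I = [], iv
    for s in segs:
        O = E(k, I)                        # 1. O_j = E_k(I_j), computable in advance
        out.append(s ^ (O >> (BLOCK - r))) # 2./3. c_j = m_j xor first r bits of O_j
        I = O                              # 4. I_{j+1} = O_j
    return out

if __name__ == "__main__":
    k, iv = b"constructed-key", 0x0123456789ABCDEF       # constructed values
    msg = [0x6162636465666768] * 2                         # two equal blocks
    ct = cbc_encrypt(k, iv, msg)
    assert ct[0] != ct[1] and cbc_decrypt(k, iv, ct) == msg  # ECB would repeat
    segs = [0x41, 0x42, 0x43]                              # r = 8 bit segments
    assert cfb(k, iv, cfb(k, iv, segs, 8), 8, decrypt=True) == segs
    assert ofb(k, iv, ofb(k, iv, segs, 8), 8) == segs
```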
                                   Application: OpenSSH, Browser, ...

                                  How SSH negotiates an encrypted session

• The server has a 1024 bit public/private key pair.

• On connection the server sends the client its public key.

• The client checks if the key has changed.

• The client generates a random 256 bit key and encrypts it with the server's public key.

• The client sends the encrypted key to the server.

• The server decrypts the key.

• Since both now have the same key, the communication switches to a symmetric cipher.
                                            Fini