# Selected Topics of Applied Cryptography

Ciphers Used in the OpenSSH Tool

Mathematisches Seminar SS/2003

Heinz Hofbauer (hhofbaue@cosy.sbg.ac.at), Thomas Stütz (tstuetz@cosy.sbg.ac.at)
## Introduction to Cryptography

• governments, military, espionage

• secure internal communication

• World War 2 : Enigma

• 20 years of public research

• wide range of state of the art cryptographic implementations for normal citizens

• Cryptography, What for?
−    access control
−    data security
−    privacy
−    digital signature
−    ...

## Overview of our Presentation

• Terminology

• Asymmetric Ciphers
−    Introduction
−    Classification
−    Diffie-Hellman
−    ElGamal
−    RSA

• Symmetric Ciphers
−    Introduction
−    Binary Basics
−    DES
−    Modes of Operation

• Usage of Ciphers in OpenSSH

## Terminology

• Cipher

• Ciphertext, Plaintext

• Cryptography, Cryptoanalysis, Cryptology

• Symmetric, Asymmetric Ciphers

• Public Key

• Key, Key Space

## Introduction to Public Key algorithms

Consist of

• a function e_PK to encrypt

• a function d_K to decrypt

• a public key PK

• a private key K

The functions and the public key can be made public; the security does not depend on this fact.

• For a plaintext M the output of the function e_PK(M) = C is calculated.

• To obtain the original message from the ciphertext, d_K(C) = M is computed.

• The Concept of a One Way Function
There must not be a simple way to deduce M or K from C, PK and the two functions.

## Classification by Usage

There are, generally speaking, three classic types of usage for a public key algorithm.

• Encryption/Decryption
This is what one would expect, that public key algorithms are used to encode and decode data.

• Digital Signature
Digital signatures are used to securely identify a file with an owner.

− sign function for a person T: s_T
− verification function for T: v_T

• Key Exchange
This is a major topic since asymmetric ciphers are quite slow, while symmetric ciphers do not have this complexity and time limitation. Therefore it is useful to use a public key system for key exchange.

## Classification by Problem

• incomplete list

• every computationally hard problem (e.g. every NP-complete problem) could be used for a public key system

• many constraints

• property of a one way function to some degree
This means that the computational effort for encryption is quite small, while reversing it without the private key is nearly impossible.

• secure implementation

## Classification by Problem (Cont'd)

• Knapsack

• Discrete Logarithm

• Factoring

• Square Roots Modulo n

• Elliptic Curve Cryptosystems

## Knapsack

For a given set of values {M_1, . . . , M_n} and a number S the Knapsack problem consists of solving the following equation:

S = b_1 M_1 + b_2 M_2 + . . . + b_n M_n

The values of the b_i can either be 0 or 1. The time needed to solve this equation seems to grow exponentially with n, the number of values (all possible solutions are 2^n, which can be assumed to be the worst case).

| Plaintext | 1 | 1 | 1 | 0 | 0 | 1 | 0 | 0 |
|---|---|---|---|---|---|---|---|---|
| Knapsack | 1 | 3 | 5 | 7 | 17 | 20 | 113 | 257 |
| Ciphertext | 1 | +3 | +5 | +0 | +0 | +20 | +0 | +0 |

Ciphertext = 1 + 3 + 5 + 20 = 29
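The following Python program is an added example, not code from the slides: it encodes a plaintext bit block with the knapsack sequence from the table above and then recovers candidate plaintexts by the only method available without a trapdoor, enumerating all 2^n bit vectors. The sequence and bit block are the slide's own values; the function names are this example's. Running it also shows that with this particular sequence the sum 29 has a second solution (5 + 7 + 17), which is why a usable knapsack system needs a sequence with extra structure that makes the solution unique.

```python
from itertools import product

# Constructed example values taken from the slide: the knapsack sequence and
# the plaintext bit block that sums to 29.
KNAPSACK = [1, 3, 5, 7, 17, 20, 113, 257]
PLAINTEXT_BITS = [1, 1, 1, 0, 0, 1, 0, 0]


def knapsack_encrypt(bits, knapsack):
    """S = b_1*M_1 + ... + b_n*M_n for one block of n plaintext bits."""
    if len(bits) != len(knapsack):
        raise ValueError("one plaintext bit per knapsack value is required")
    if any(b not in (0, 1) for b in bits):
        raise ValueError("plaintext bits must be 0 or 1")
    return sum(b * m for b, m in zip(bits, knapsack))


def knapsack_solve_bruteforce(s, knapsack):
    """Every 0/1 vector b with sum(b_i * M_i) == s.

    This exhaustive search over all 2**n bit vectors is what the slide means by
    the problem growing exponentially with n. For a general sequence the
    solution need not be unique, so all matching vectors are returned.
    """
    return [list(bits) for bits in product((0, 1), repeat=len(knapsack))
            if sum(b * m for b, m in zip(bits, knapsack)) == s]


def search_space_size(knapsack):
    """Number of candidate bit vectors the brute-force solver has to examine."""
    return 2 ** len(knapsack)


if __name__ == "__main__":
    s = knapsack_encrypt(PLAINTEXT_BITS, KNAPSACK)
    print("ciphertext S =", s)
    for candidate in knapsack_solve_bruteforce(s, KNAPSACK):
        print("candidate plaintext:", candidate)
    print("bit vectors examined:", search_space_size(KNAPSACK))
```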

## Diffie-Hellman

A key exchange algorithm; it can neither encrypt nor decrypt data.

• Discrete Logarithm in a finite Field
− Finite Field
For a prime p the finite field mod p consists of the set of residues 1, ..., p − 1.
− Primitive
A number q is called primitive in the finite field mod p, if and only if for each b in 1, . . . , p − 1, there exists some a, such that b ≡ q^a mod p.

## A Step by Step Description of Diffie-Hellman

Consider two persons, let us name them Heinz and Franz, who want to securely exchange a key.

1. They have to agree on a large prime number p and a number g, such that g is primitive mod p. Those two numbers can be said to be the public key. It is no risk to transfer them over an insecure channel.

2. Heinz chooses a random large integer x and sends Franz

X = g^x mod p

3. Franz also chooses a random large integer y and sends Heinz

Y = g^y mod p

## A Step by Step Description of Diffie-Hellman (Cont'd)

4. Heinz now computes

k = Y^x mod p

5. Franz computes

k' = X^y mod p

k and k' are equal to g^{xy} mod p. Nobody can compute their value unless he/she computes the discrete logarithm of X = g^x or Y = g^y. This is considered to be a hard computational issue.
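The five steps above, carried out in Python as an added example (not the authors' Mathematica code, which follows on a later slide): the primitive-root test implements the definition from the Diffie-Hellman slide by brute force, which is only sensible for the small demonstration primes used here. Function names and the sample parameters are this example's own.

```python
import secrets


def is_primitive_root(g, p):
    """g is primitive mod p iff g^a for a = 1..p-1 yields every residue 1..p-1
    (the definition on the Diffie-Hellman slide). Brute force, for small demo
    primes only; for real sizes one checks g^((p-1)/q) != 1 for each prime q
    dividing p-1 instead of enumerating all powers."""
    if not 1 <= g < p:
        return False
    return {pow(g, a, p) for a in range(1, p)} == set(range(1, p))


def public_value(g, secret, p):
    """Steps 2 and 3: X = g^x mod p (or Y = g^y mod p), sent over the open channel."""
    return pow(g, secret, p)


def shared_key(peer_public, secret, p):
    """Steps 4 and 5: k = Y^x mod p on one side, k' = X^y mod p on the other."""
    return pow(peer_public, secret, p)


def dh_exchange(p, g, x, y):
    """Run the exchange with given secrets; returns (X, Y, k, k')."""
    if not is_primitive_root(g, p):
        raise ValueError("g must be primitive mod p")
    X, Y = public_value(g, x, p), public_value(g, y, p)
    return X, Y, shared_key(Y, x, p), shared_key(X, y, p)


def dh_exchange_random(p, g):
    """Same exchange with fresh random secrets, as the two parties would do."""
    x = secrets.randbelow(p - 2) + 1
    y = secrets.randbelow(p - 2) + 1
    return dh_exchange(p, g, x, y)


if __name__ == "__main__":
    # Constructed small parameters: p = 23, g = 5 (5 is primitive mod 23).
    X, Y, k, k_prime = dh_exchange(23, 5, 6, 15)
    print(f"X = {X}, Y = {Y}, Heinz: k = {k}, Franz: k' = {k_prime}")
```

Only X, Y, p and g ever cross the channel; an observer who wants k has to solve for x or y, the discrete logarithm the slide refers to.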

## An Illustrated Example

[Figure]

## A Simple Mathematica Implementation

```mathematica
<< NumberTheory`NumberTheoryFunctions`

(* Prime n and g are chosen, such that g is primitive modulo n *)

agree[i_] := {Prime[i], PrimitiveRoot[Prime[i]]}

(* The secret exponents are the x-th and y-th prime numbers *)

heinzX[{n_, g_}, x_] := {Mod[g^Prime[x], n], n}

franzY[{n_, g_}, y_] := {Mod[g^Prime[y], n], n}

heinzKey[{franzY_, n_}, x_] := Mod[franzY^Prime[x], n]

franzKey[{heinzX_, n_}, y_] := Mod[heinzX^Prime[y], n]
```

## ElGamal

The ElGamal scheme is based on the computation of the discrete logarithm. It was proposed in 1985 by Taher ElGamal. It can be used for both digital signatures and encryption. A variant of this scheme is DSA, used in the digital signature standard (DSS). DSA (Digital Signature Algorithm) was proposed by the NIST (National Institute of Standards and Technology). This means that DSA is used for digital signatures in Federal Systems in the United States. It seems that this standard is more or less a patchwork of other cryptosystems (including ElGamal, RSA, Diffie-Hellman, ...). Three patent holders claim that the DSA infringes their patents: Diffie-Hellman, Merkle-Hellman and Schnorr. Therefore it does not make sense to explain the standard, but the algorithms it is based on.

Diffie-Hellman is an algorithm which can just be used to securely generate/exchange keys.

## ElGamal (Cont'd)

• Digital Signature
• not used to encrypt messages
• used to certify that they are from a distinct person T
• everyone who wants to sign a message needs his own signature function s_T
• other people have to verify the signature of T and therefore need a verification function v_T
• private key for signing
• public key for verification

## ElGamal, Key Generation

• Choose a prime p and two numbers g and x (both less than p).

• Compute y ≡ g^x mod p

• Now you can make (y, g, p) public. The private key is x.

After generating the keys, a message m can be signed.

## ElGamal, Digital Signature

• In order to do so you randomly choose an integer k such that k and p − 1 are relatively prime.

• Compute
a ≡ g^k mod p
and
b ≡ k^{−1}(m − xa) mod (p − 1).

The signature is the pair (a, b); k and x are secret. The verification is done through

y^a a^b ≡ g^m mod p

## Encryption with ElGamal

For encryption with ElGamal you have to generate the keys as described in Digital Signature with ElGamal.

• Choose a random number k, which is relatively prime to p − 1.

• Compute
a ≡ g^k mod p
b ≡ y^k M mod p

• a and b are the cipher text, which has double the size of the original message.

To decrypt you have to use your private key x and calculate:

M ≡ b/a^x mod p
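Key generation, signing, verification, encryption and decryption from the three ElGamal slides above, written out in Python as an added example (not code from the slides). The sample parameters p = 467, g = 2, x = 127, m = 100, k = 213 are constructed for the demonstration; the division b/a^x on the last slide is carried out as multiplication by the modular inverse of a^x.

```python
import secrets
from math import gcd


def elgamal_keygen(p, g, x):
    """Key generation slide: y = g^x mod p; public key (y, g, p), private key x."""
    if not (1 < g < p and 0 < x < p):
        raise ValueError("g and x must be less than p")
    return (pow(g, x, p), g, p), x


def random_k(p):
    """Random k with gcd(k, p - 1) = 1, needed for both signing and encryption."""
    while True:
        k = secrets.randbelow(p - 2) + 1
        if gcd(k, p - 1) == 1:
            return k


def elgamal_sign(m, private_x, public, k=None):
    """a = g^k mod p, b = k^-1 (m - x a) mod (p - 1); the signature is (a, b)."""
    y, g, p = public
    k = random_k(p) if k is None else k
    if gcd(k, p - 1) != 1:
        raise ValueError("k must be relatively prime to p - 1")
    a = pow(g, k, p)
    b = (pow(k, -1, p - 1) * (m - private_x * a)) % (p - 1)
    return a, b


def elgamal_verify(m, signature, public):
    """Check y^a a^b = g^m mod p. The range check on a is not on the slide; a
    verifier needs it so that values outside 1..p-1 are never accepted."""
    y, g, p = public
    a, b = signature
    if not 0 < a < p:
        return False
    return (pow(y, a, p) * pow(a, b, p)) % p == pow(g, m, p)


def elgamal_encrypt(M, public, k=None):
    """a = g^k mod p, b = y^k M mod p; the ciphertext (a, b) is twice the size of M."""
    y, g, p = public
    if not 0 <= M < p:
        raise ValueError("message block must be smaller than p")
    k = random_k(p) if k is None else k
    return pow(g, k, p), (pow(y, k, p) * M) % p


def elgamal_decrypt(ciphertext, private_x, public):
    """M = b / a^x mod p, the division done as multiplication by the inverse of a^x."""
    _, _, p = public
    a, b = ciphertext
    return (b * pow(pow(a, private_x, p), -1, p)) % p


if __name__ == "__main__":
    public, x = elgamal_keygen(467, 2, 127)     # constructed demo key
    sig = elgamal_sign(100, x, public, k=213)
    print("signature:", sig, "valid:", elgamal_verify(100, sig, public))
    ct = elgamal_encrypt(100, public)
    print("ciphertext:", ct, "decrypts to:", elgamal_decrypt(ct, x, public))
```

Signing and encryption both draw a fresh k each time; reusing k across two signatures lets anyone solve for x from the two b values, so the random choice on the slide is a requirement, not a convenience.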

## ElGamal - Illustrated Examples

[Figure]

## RSA

• named after the three inventors, Ron Rivest, Adi Shamir, and Leonard Adleman.

• RSA gets its security from the difficulty of factoring large numbers.

• Mathematical Background

• Euler's ϕ function
ϕ(n) is the number of elements in the reduced set of residues mod n. In other words ϕ(n) is the number of positive integers less than n relatively prime to n.

## RSA (Cont'd)

• Fermat's little theorem
If p is prime and x is not of the form x = k·p for any integer k, then:

x^{p−1} ≡ 1 mod p.

• Euler's generalization of Fermat's little theorem
If the greatest common divisor of two numbers x and n is one, in short terms gcd(x, n) = 1, then

x^{ϕ(n)} ≡ 1 mod n

## A Step by Step Description of the RSA Algorithm

1. Randomly choose two large prime numbers p and q, with p ≠ q.

2. Compute the product: n = pq.

3. Choose a number e, the encryption key, such that e and ϕ(n) = (p − 1)(q − 1) are relatively prime and e ≤ n.

4. Compute the decryption key d, using the extended Euclidean algorithm, such that

ed ≡ 1 mod (p − 1)(q − 1)
or
d ≡ e^{−1} mod ((p − 1)(q − 1))

## RSA (Cont'd)

5. Note that d and n are also relatively prime. The public key consists of the numbers e and n. d is the private key. The prime numbers p, q are no longer needed, but should not be revealed since the security of the process is based on their indeterminacy.

6. Divide the plain text's numerical representation into blocks m_i smaller than n.

7. To encrypt the whole plain text, encrypt all blocks m_i. This is done quite simply by:

c_i ≡ m_i^e mod n

where c_i is the encrypted message block m_i.

8. To decrypt a message, take each block c_i and compute:

m_i = c_i^d

since

c_i^d = (m_i^e)^d = m_i^{ed} = m_i^{kϕ(n)+1} = m_i · m_i^{kϕ(n)} = m_i · 1 = m_i

all modulo n.
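Steps 1 to 8 in Python, as an added example rather than code from the slides: the extended Euclidean algorithm of step 4 produces d, a brute-force ϕ(n) checks Euler's theorem from the previous slides, and steps 6 to 8 split a byte string into blocks smaller than n. The primes p = 61, q = 53 and e = 17 are constructed demonstration values; function names are this example's own. As on the slide, this is textbook RSA without padding: raw blocks reveal when two blocks are equal and can be multiplied together by anyone, so real systems pad every block (OAEP) before exponentiating.

```python
from math import gcd


def egcd(a, b):
    """Extended Euclidean algorithm: returns (g, s, t) with s*a + t*b = g = gcd(a, b)."""
    s0, s1, t0, t1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        s0, s1 = s1, s0 - q * s1
        t0, t1 = t1, t0 - q * t1
    return a, s0, t0


def modinv(e, m):
    g, s, _ = egcd(e, m)
    if g != 1:
        raise ValueError("e and phi(n) must be relatively prime")
    return s % m


def euler_phi_bruteforce(n):
    """phi(n) counted directly from the definition on the RSA slide (small n only)."""
    return sum(1 for x in range(1, n) if gcd(x, n) == 1)


def rsa_keygen(p, q, e):
    """Steps 1-5: n = pq, phi = (p-1)(q-1), d = e^-1 mod phi. Returns ((e, n), d)."""
    if p == q:
        raise ValueError("p and q must be different primes")
    n, phi = p * q, (p - 1) * (q - 1)
    if not 1 < e <= n or gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to phi(n)")
    return (e, n), modinv(e, phi)


def block_size_bytes(n):
    """Largest k such that every k-byte block value (< 256**k) is smaller than n (step 6)."""
    if n < 256:
        raise ValueError("modulus too small to hold even one byte")
    k = 1
    while 256 ** (k + 1) <= n:
        k += 1
    return k


def rsa_encrypt_block(m, public):
    e, n = public
    if not 0 <= m < n:
        raise ValueError("block must be smaller than n")
    return pow(m, e, n)              # c_i = m_i^e mod n


def rsa_decrypt_block(c, private_d, n):
    return pow(c, private_d, n)      # m_i = c_i^d mod n


def rsa_encrypt_bytes(data, public):
    """Steps 6-7: split the message into blocks smaller than n and encrypt each."""
    e, n = public
    k = block_size_bytes(n)
    return [pow(int.from_bytes(data[i:i + k], "big"), e, n)
            for i in range(0, len(data), k)]


def rsa_decrypt_bytes(blocks, private_d, n, length):
    """Step 8 for every block; `length` restores the size of a short final block."""
    k = block_size_bytes(n)
    out = bytearray()
    for i, c in enumerate(blocks):
        size = k if i < len(blocks) - 1 else length - k * i
        out += pow(c, private_d, n).to_bytes(size, "big")
    return bytes(out)


if __name__ == "__main__":
    public, d = rsa_keygen(61, 53, 17)          # constructed demo primes
    print("public key (e, n):", public, "private d:", d)
    msg = b"hello, world"                       # constructed sample input
    blocks = rsa_encrypt_bytes(msg, public)
    print("cipher blocks:", blocks)
    print("decrypted:", rsa_decrypt_bytes(blocks, d, public[1], len(msg)))
```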

## Symmetric Block Cipher - Overview

• Basics
− XOR
− left-shift, rotational left-shift

• Feistel networks

• DES
− f-function
− key-function

• Modes of Operation
−    ECB
−    CBC
−    CFB
−    OFB

## Basics - XOR

Most ciphers today operate on a binary representation of the plaintext denoted by the alphabet Σ = {0, 1}; letters from this alphabet are called binary digits or bits.

The map ⊕ : Σ × Σ → Σ, (a, b) → a ⊕ b is called XOR and ⊕ is defined as follows:

| ⊕ | 0 | 1 |
|---|---|---|
| 0 | 0 | 1 |
| 1 | 1 | 0 |

Let A, B ∈ Σ^n where A = (a_1, . . . , a_n) and B = (b_1, . . . , b_n) with ∀ j ∈ {1, . . . , n} : a_j, b_j ∈ Σ, then

⊕ : Σ^n × Σ^n → Σ^n
(A, B) → (a_1 ⊕ b_1, . . . , a_n ⊕ b_n).

## Basics - (cyclic) left-shift

Let A ∈ Σ^n, then << : Σ^n × N → Σ^n, (A, x) → A ∗ 2^x mod 2^n. The map << is called left shift and for A << x we usually say an x-bit left shift of A.

Example: A = 01001011, n = 8 and x = 2, then:

A << 2 = 01001011 << 2
= 01001011 ∗ 2^2 mod 2^8
= 01 00101100 mod 2^8
= 00101100

If the bits which are shifted out to the left, 01 in the above example, are added to A after the left shift is complete, the operation is called cyclic or rotational left shift and is denoted by <<<.

Example: From the above example:

A <<< 2 = (A << 2) + A ∗ 2^{x−n} = 00101100 + 01 = 00101101

## Basics - Concatenation

Let A ∈ Σ^n and B ∈ Σ^m where A = (a_1, . . . , a_n) and B = (b_1, . . . , b_m) with ∀i : a_i, b_i ∈ Σ, then by concatenating A and B we mean

◦ : Σ^n × Σ^m → Σ^{n+m}
(A, B) → (a_1, . . . , a_n, b_1, . . . , b_m)

A ◦ B is also often written (AB) or even (A, B).

Example: A = 010 and B = 110, then

A ◦ B = (AB) = 010110
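The three Basics slides (XOR, left shift and rotational left shift, concatenation) as one added Python example that is not part of the slides. Bit strings are kept as Python strings of "0" and "1" so that the results can be compared with the slides' worked values; the rotation is computed with the slide's own formula, (A << x) + A ∗ 2^{x−n}, where the second term is the integer formed by the bits shifted out.

```python
def _check_bits(s):
    if not s or set(s) - {"0", "1"}:
        raise ValueError("expected a non-empty string over the alphabet {0, 1}")


def xor_bits(a, b):
    """Componentwise XOR of two bit strings of equal length n (the map on Σ^n × Σ^n)."""
    _check_bits(a)
    _check_bits(b)
    if len(a) != len(b):
        raise ValueError("XOR needs operands of equal length")
    return "".join("1" if x != y else "0" for x, y in zip(a, b))


def left_shift(a, x):
    """A << x = A * 2^x mod 2^n: bits leaving on the left are lost, zeros enter on the right."""
    _check_bits(a)
    n = len(a)
    return format((int(a, 2) << x) % (1 << n), f"0{n}b")


def rotate_left(a, x):
    """A <<< x as on the slide: (A << x) + A * 2^(x-n), the second term being the
    integer made of the x bits shifted out (A >> (n - x))."""
    _check_bits(a)
    n = len(a)
    x %= n                              # rotating by n leaves A unchanged
    v = int(a, 2)
    shifted_out = v >> (n - x)
    return format(((v << x) % (1 << n)) + shifted_out, f"0{n}b")


def concat(a, b):
    """A ∘ B: the n bits of A followed by the m bits of B."""
    _check_bits(a)
    _check_bits(b)
    return a + b


if __name__ == "__main__":
    A = "01001011"                       # the slide's example value
    print("A << 2  =", left_shift(A, 2))
    print("A <<< 2 =", rotate_left(A, 2))
    print("010 ∘ 110 =", concat("010", "110"))
    print("A XOR A =", xor_bits(A, A))
```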

## Feistel Networks 1

Feistel networks date back to the early 1970s and were created by H. Feistel. Many
modern block ciphers utilize feistel networks and are often referred to as feistel ciphers.
The list of block ciphers which use a feistel network includes, but is not limited to:

− DES
− Lucifer
− Blowﬁsh
− GOST
− FEAL
− LOKI

We will in the following describe so called balanced feistel networks, where the
plaintext is split into two halves of equal length. Note that there are also unbalanced
feistel networks where the two halves need not be of equal size.

## Feistel Networks 2

[Figure: 16-round feistel network. Plaintext → (L_0, R_0); L_1 = R_0, R_1 = L_0 ⊕ f(K_1, R_0); L_2 = R_1, R_2 = L_1 ⊕ f(K_2, R_1); …; L_15 = R_14, R_15 = L_14 ⊕ f(K_15, R_14); L_16 = L_15 ⊕ f(K_16, R_15), R_16 = R_15 → Ciphertext]

The scheme for a 16-round feistel network is illustrated in the figure.

Note that the number of iterations in a feistel network is not fixed. In the following we will describe the encryption and decryption for n-round feistel networks.

A plaintext-block of length n (where n must be even) is split into two halves (L_0 and R_0) of length n/2.
## Feistel Networks 3

(Same figure as Feistel Networks 2.)

The encryption is defined as an iterative process:

L_i = R_{i−1}
R_i = L_{i−1} ⊕ f(R_{i−1}, K_i)

To form the ciphertext, the output of the feistel network is swapped and concatenated:

C = (R_n L_n)

Clearly the security of the feistel cipher depends on the security of the function f. The iteration however increases the security of f.

## Feistel Networks 4

(Same figure as Feistel Networks 2.)

Decryption functions exactly like encryption; it is however necessary to reverse the key order. So when decrypting, K_1 becomes K_n from encryption. Note that f doesn't need to be invertible; it is sufficient that the keys can be reproduced and brought into reverse order.

Basically the last step of encryption is reversed by the first step of decryption. Writing L'_i, R'_i for the decryption rounds, which start from (L'_0, R'_0) = (R_n, L_n) and use K_n first:

L'_1 = R'_0 = L_n = R_{n−1}
R'_1 = L'_0 ⊕ f(R'_0, K_n)
    = (L_{n−1} ⊕ f(R_{n−1}, K_n)) ⊕ f(R_{n−1}, K_n)
    = L_{n−1}
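A balanced feistel network in Python, added here as an example (it is not code from the slides) of the encryption rule, the swap-and-concatenate output C = (R_n L_n), and decryption by the same network with the round keys reversed. The round function and key schedule are constructed for the example; the round function deliberately discards information, to make the point that f need not be invertible.

```python
MASK32 = 0xFFFFFFFF
MASK64 = 0xFFFFFFFFFFFFFFFF


def round_function(r, k):
    """Toy f(R, K) on a 32-bit half-block and 32-bit round key.

    Constructed for this example and deliberately not invertible (the final
    shift-xor loses information), which a feistel network tolerates because f
    is only ever XORed in, never inverted. It offers no security on its own.
    """
    v = (r ^ k) & MASK32
    v = (v * 0x9E3779B1 + 0x7F4A7C15) & MASK32
    return v ^ (v >> 15)


def key_schedule(key64, rounds):
    """Round keys K_1..K_n derived from a 64-bit key (constructed schedule)."""
    keys = []
    for i in range(1, rounds + 1):
        rot = (i * 5) % 64
        rotated = ((key64 << rot) | (key64 >> (64 - rot))) & MASK64
        keys.append((rotated ^ (rotated >> 32) ^ (i * 0x9E3779B9)) & MASK32)
    return keys


def feistel_rounds(block64, round_keys):
    """Apply L_i = R_{i-1}, R_i = L_{i-1} XOR f(R_{i-1}, K_i) for each key in order,
    then return the swapped concatenation C = (R_n L_n) as on the slide."""
    if not 0 <= block64 < (1 << 64):
        raise ValueError("block must fit in 64 bits")
    left, right = block64 >> 32, block64 & MASK32
    for k in round_keys:
        left, right = right, left ^ round_function(right, k)
    return (right << 32) | left


def feistel_encrypt(block64, key64, rounds=16):
    return feistel_rounds(block64, key_schedule(key64, rounds))


def feistel_decrypt(block64, key64, rounds=16):
    """Same network, round keys in reverse order: K_n is used first."""
    return feistel_rounds(block64, key_schedule(key64, rounds)[::-1])


if __name__ == "__main__":
    key = 0x0123456789ABCDEF            # constructed demo key
    m = 0x0011223344556677              # constructed demo block
    c = feistel_encrypt(m, key)
    print(f"plaintext  {m:016x}")
    print(f"ciphertext {c:016x}")
    print(f"decrypted  {feistel_decrypt(c, key):016x}")
```

Because the output half-blocks are swapped, decryption is literally the same loop: feeding C = (R_n L_n) back in with K_n first regenerates (R_{n−1} L_{n−1}), and after n rounds the swap returns (L_0 R_0).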

## DES

[Figure: plaintext → IP → feistel network → IP^{−1} → ciphertext]

The keysize is 56, and the blocksize is 64 bit.

DES uses a 16-round feistel network with an initial and terminal permutation. The terminal permutation is the reverse of the initial permutation such that the basic way how decryption works remains the same as with feistel networks.

To totally understand DES it is thus sufficient to look at:

• key-function

• f-function

## DES - key function 1

[Figure: Key → PC1 → (C_0, D_0); Left Shift 1 → (C_1, D_1) → PC2 → K_1; Left Shift 2 → (C_2, D_2) → PC2 → K_2; …; Left Shift 16 → (C_16, D_16) → PC2 → K_16]

DES uses a 56 bit key which is brought to 64 bits by adding a parity bit after every 7 key-bits.

The 64 bit key is run through a permutation and selection box (PC1). This box skips the parity bits and permutates the 56 key bits.

The 56 permuted key bits are split into two equal sized parts C_0 and D_0 each containing 28 bits. C_0 are the first 28 bits of PC1(K) and D_0 are the remaining 28 bits.

## DES - key function 2

(Same figure as key function 1.)

The 16 round keys K_1 through K_16 are generated by the following iteration:

1. C_i = C_{i−1} <<< LS_i
2. D_i = D_{i−1} <<< LS_i
3. K_i = PC2(C_i D_i)

Where 1 ≤ i ≤ 16, LS_i is the left shift amount for this round and PC2 is another selection and permutation box, which selects and permutates 48 bits from the 56 bits which are (C_i D_i).

## DES - f-function 1

[Figure: R, K → E → E(R) ⊕ K = B → (B_1 … B_8) → (S_1 … S_8) → (C_1 … C_8) → P → f(R, K)]

The round key for DES is of size 48, but the R from the feistel network is only 32 bit, since the blocksize of DES is 64 bit.

So we first bring R up to the same size as the key K. To do this we use the E box (E for expansion). The E box duplicates certain bits and permutes them.

Since E(R) and K are of equal size we can calculate

B = E(R) ⊕ K

## DES - f-function 2

(Same figure as f-function 1.)

B is split up into 8 blocks B_1, . . . , B_8 each 6 bit in size.

Each B_i is run through a corresponding S-box (S for substitution) which generates C_i, which is 4 bits in size.

The transformation is a lookup in the S-box by taking the first and the last bit of B_i as index for the rows and the bits 2 through 5 as column index. The looked up number is in the range from 0 to 15 which can be represented by 4 bit and directly corresponds to C_i.

## DES - f-function 3 - Example of an S-Box lookup

[Figure: B_i = B1 B2 B3 B4 B5 B6; the row index is formed from B1 B6, the column index from B2 B3 B4 B5, and both index the S-box]

Let us try to transform B_1 = 010110_2 into C_1. The first and the last bit of B_1 are both zero, so the row index is 0. The column index is generated by bits 2 through 5 which are 1011_2 = 11_10. When we look up the element with index 11 of the zero-row we get 12, which when represented in binary yields C_1 = 1100_2.

S-box 1:

| row | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 0 | 14 | 4 | 13 | 1 | 2 | 15 | 11 | 8 | 3 | 10 | 6 | 12 | 5 | 9 | 0 | 7 |
| 1 | 0 | 15 | 7 | 4 | 14 | 2 | 13 | 1 | 10 | 6 | 12 | 11 | 9 | 5 | 3 | 8 |
| 2 | 4 | 1 | 14 | 8 | 13 | 6 | 2 | 11 | 15 | 12 | 9 | 7 | 3 | 10 | 5 | 0 |
| 3 | 15 | 12 | 8 | 2 | 4 | 9 | 1 | 7 | 5 | 11 | 3 | 14 | 10 | 0 | 6 | 13 |

## DES - f-function 4

(Same figure as f-function 1.)

The concatenation S = C_1 … C_8 is already 32 bits in length since the S-box lookup is lossy.

The output S is permuted via the P-box and the output is

f(R, K) = P(S)

As can be seen clearly f(R, K) is irreversible.
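The DES key function (key function slides 1 and 2) and the S-box lookup (f-function slides 2 and 3) in Python, as an added example that is not code from the slides. S-box 1 is the table printed on the S-box slide; PC1, PC2 and the per-round left-shift amounts are the tables of the DES standard (FIPS 46), which the slides name but do not print, and the 64-bit test key is a constructed value. Only the first S-box is included, so this is the key schedule plus one S-box step, not a complete DES.

```python
# DES tables from the standard (FIPS 46). PC1/PC2 entries are 1-based input bit
# positions; PC1 omits bits 8, 16, ..., 64, the parity bits.
PC1 = [57, 49, 41, 33, 25, 17, 9,
       1, 58, 50, 42, 34, 26, 18,
       10, 2, 59, 51, 43, 35, 27,
       19, 11, 3, 60, 52, 44, 36,
       63, 55, 47, 39, 31, 23, 15,
       7, 62, 54, 46, 38, 30, 22,
       14, 6, 61, 53, 45, 37, 29,
       21, 13, 5, 28, 20, 12, 4]
PC2 = [14, 17, 11, 24, 1, 5,
       3, 28, 15, 6, 21, 10,
       23, 19, 12, 4, 26, 8,
       16, 7, 27, 20, 13, 2,
       41, 52, 31, 37, 47, 55,
       30, 40, 51, 45, 33, 48,
       44, 49, 39, 56, 34, 53,
       46, 42, 50, 36, 29, 32]
LEFT_SHIFTS = [1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1]   # LS_1 .. LS_16
# S-box 1 as printed on the slide: 4 rows of 16 entries.
S1 = [[14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
      [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
      [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
      [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13]]


def to_bits(value, width):
    """Bit list with the standard's bit 1 (most significant) first."""
    return [(value >> (width - 1 - i)) & 1 for i in range(width)]


def from_bits(bits):
    value = 0
    for b in bits:
        value = (value << 1) | b
    return value


def select(bits, table):
    """Selection/permutation box: output bit j is input bit table[j] (1-based)."""
    return [bits[pos - 1] for pos in table]


def rotl_bits(bits, amount):
    """Cyclic left shift (<<<) of a bit list."""
    return bits[amount:] + bits[:amount]


def des_round_keys(key64):
    """Key function: C_i = C_{i-1} <<< LS_i, D_i = D_{i-1} <<< LS_i, K_i = PC2(C_i D_i)."""
    if not 0 <= key64 < (1 << 64):
        raise ValueError("key must be a 64-bit integer (56 key bits + 8 parity bits)")
    cd = select(to_bits(key64, 64), PC1)       # parity bits dropped, 56 bits remain
    c, d = cd[:28], cd[28:]                    # C_0 and D_0
    keys = []
    for ls in LEFT_SHIFTS:
        c, d = rotl_bits(c, ls), rotl_bits(d, ls)
        keys.append(from_bits(select(c + d, PC2)))   # 48-bit round key
    return keys


def sbox_lookup(sbox, b6):
    """Row from the outer bits (b1 b6), column from the middle bits (b2..b5)."""
    if not 0 <= b6 < 64:
        raise ValueError("S-box input is 6 bits")
    bits = to_bits(b6, 6)
    row = (bits[0] << 1) | bits[5]
    col = from_bits(bits[1:5])
    return sbox[row][col]


if __name__ == "__main__":
    for i, k in enumerate(des_round_keys(0x133457799BBCDFF1), 1):   # constructed key
        print(f"K{i:<2} = {k:012x}")
    print("S1(010110) =", sbox_lookup(S1, 0b010110))               # 12, as on the slide
```

The shift amounts add up to 28, so after the sixteenth round C_16 = C_0 and D_16 = D_0; that is what lets decryption regenerate the same keys and run them in reverse order, as the feistel slides require.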

## Modes of Operation - ECB

ECB - Electronic Codebook Mode

• Plaintext is expanded with random bits to be of size k ∗ 64 bits.

• Plaintext is split into blocks 64 bits in length.

• The ciphertext is produced by encoding each plaintext block and concatenating the ciphertext blocks.

Clearly this is a naive method. There is no position dependent information.

## Modes of Operation - CBC

CBC - Cipherblock Chaining Mode

• Plaintext is expanded with random bits to be of size k ∗ 64 bits.

• Plaintext is split into blocks m_1, . . . , m_u each 64 bits in length.

• Encryption for 1 ≤ i ≤ u is c_i = E_k(c_{i−1} ⊕ m_i).

− c_0 is set to some initial vector IV.

• Decryption for 1 ≤ i ≤ u is m_i = c_{i−1} ⊕ D_k(c_i).

− Clearly c_0 must be set to the same IV used for encryption.

Through the use of the previous ciphertext block CBC gains position dependent encoding.

## Modes of Operation - CFB

CFB - Cipherblock Feedback Mode

• Allows for smaller blocksizes than would be allowed by the underlying block cipher.

• Fills a different role than ECB and CBC.

• The costly part of the decoding function can be calculated one step ahead.

Since CFB does support smaller blocks than the block cipher, we have to choose an r with 1 ≤ r ≤ n where n is the block size of the cipher in use. The plaintext is split up into m_1, . . . , m_u, each a block of size r. Since the block cipher cannot encode blocks of size r, it encodes blocks I_i and those blocks are used to encrypt the plaintext.

## Modes of Operation - CFB 2

I_1 is set to some initial vector IV and then encryption for blocks 1 ≤ j ≤ u works like this:

1. O_j = E_k(I_j)
2. set x_j to the first r bits of O_j
3. c_j = m_j ⊕ x_j
4. for j < u generate I_{j+1} = (I_j << r) + c_j

Decoding is likewise, again I_1 = IV and for 1 ≤ j ≤ u:

1. O_j = E_k(I_j)
2. set x_j to the first r bits of O_j
3. m_j = c_j ⊕ x_j
4. for j < u generate I_{j+1} = (I_j << r) + c_j

## Modes of Operation - OFB

OFB - Output Feedback Mode

• Similar to CFB in its operation.

• Uses E_k(I_i) for feedback instead of the c_i.

• The costly part of the decoding function can be fully calculated ahead.

Like CFB we have to choose an r with 1 ≤ r ≤ n where n is the block size of the cipher in use. The plaintext is split up into m_1, . . . , m_u, each a block of size r. Since the block cipher cannot encode blocks of size r, it encodes blocks I_i and those blocks are used to encrypt the plaintext.

## Modes of Operation - OFB 2

I_1 is set to some initial vector IV and then encryption for blocks 1 ≤ j ≤ u works like this:

1. O_j = E_k(I_j)
2. set x_j to the first r bits of O_j
3. c_j = m_j ⊕ x_j
4. I_{j+1} = O_j for j < u

Decoding is likewise, again I_1 = IV and for 1 ≤ j ≤ u:

1. O_j = E_k(I_j)
2. set x_j to the first r bits of O_j
3. m_j = c_j ⊕ x_j
4. I_{j+1} = O_j for j < u
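The four modes from the ECB, CBC, CFB and OFB slides in one added Python example (not code from the slides), built around a constructed, invertible toy block cipher that stands in for DES so the program runs offline; the toy cipher has no security of its own, only the mode logic is the point. The ECB check in the usage shows the weakness the ECB slide names: a repeated plaintext block produces a repeated ciphertext block, which CBC, CFB and OFB avoid. The r-bit feedback register update follows the CFB 2 slide literally, I_{j+1} = (I_j << r) + c_j with the shift taken mod 2^n.

```python
import os

BLOCK_BITS = 64
MASK = (1 << BLOCK_BITS) - 1
_K_MIX = 0x9E3779B97F4A7C15


def _rotl(v, s):
    return ((v << s) | (v >> (BLOCK_BITS - s))) & MASK


def toy_block_encrypt(k, x):
    """Constructed, invertible toy E_k on 64-bit blocks (a DES stand-in; not secure)."""
    return _rotl((x ^ k) & MASK, 13) ^ ((k * _K_MIX) & MASK)


def toy_block_decrypt(k, y):
    """D_k, the inverse of toy_block_encrypt."""
    return _rotl(y ^ ((k * _K_MIX) & MASK), BLOCK_BITS - 13) ^ k


def pad_random(data, block_bytes=BLOCK_BITS // 8):
    """Expand the plaintext with random bits to a multiple of the block size, as the
    ECB/CBC slides describe. The caller has to keep the original length: random
    padding cannot be recognised on its own after decryption."""
    return data + os.urandom((-len(data)) % block_bytes)


def split_blocks(data, bits):
    nbytes = bits // 8
    if bits % 8 or len(data) % nbytes:
        raise ValueError(f"data must be a whole number of {bits}-bit blocks")
    return [int.from_bytes(data[i:i + nbytes], "big") for i in range(0, len(data), nbytes)]


def join_blocks(blocks, bits):
    return b"".join(b.to_bytes(bits // 8, "big") for b in blocks)


def ecb_encrypt(k, data):
    return join_blocks([toy_block_encrypt(k, m) for m in split_blocks(data, BLOCK_BITS)], BLOCK_BITS)


def ecb_decrypt(k, data):
    return join_blocks([toy_block_decrypt(k, c) for c in split_blocks(data, BLOCK_BITS)], BLOCK_BITS)


def cbc_encrypt(k, iv, data):
    out, prev = [], iv                               # c_0 = IV
    for m in split_blocks(data, BLOCK_BITS):
        prev = toy_block_encrypt(k, prev ^ m)        # c_i = E_k(c_{i-1} XOR m_i)
        out.append(prev)
    return join_blocks(out, BLOCK_BITS)


def cbc_decrypt(k, iv, data):
    out, prev = [], iv
    for c in split_blocks(data, BLOCK_BITS):
        out.append(prev ^ toy_block_decrypt(k, c))   # m_i = c_{i-1} XOR D_k(c_i)
        prev = c
    return join_blocks(out, BLOCK_BITS)


def cfb_crypt(k, iv, data, r, decrypt=False):
    """r-bit CFB (r a multiple of 8, 8 <= r <= 64): O_j = E_k(I_j), x_j = first r bits of
    O_j, output = input XOR x_j, I_{j+1} = (I_j << r) + c_j. Encryption and decryption
    differ only in which side's block is the ciphertext that gets fed back."""
    if not 8 <= r <= BLOCK_BITS:
        raise ValueError("r must lie between 8 and the block size")
    out, reg = [], iv                                # I_1 = IV
    for blk in split_blocks(data, r):
        x = toy_block_encrypt(k, reg) >> (BLOCK_BITS - r)
        y = blk ^ x
        c = blk if decrypt else y
        reg = ((reg << r) | c) & MASK                # (I_j << r) + c_j, mod 2^n
        out.append(y)
    return join_blocks(out, r)


def ofb_crypt(k, iv, data, r):
    """r-bit OFB: like CFB but I_{j+1} = O_j, so the key stream never depends on the
    data and can be computed entirely ahead of time. Self-inverse."""
    if not 8 <= r <= BLOCK_BITS:
        raise ValueError("r must lie between 8 and the block size")
    out, reg = [], iv
    for blk in split_blocks(data, r):
        reg = toy_block_encrypt(k, reg)              # O_j, which is also I_{j+1}
        out.append(blk ^ (reg >> (BLOCK_BITS - r)))
    return join_blocks(out, r)


if __name__ == "__main__":
    K, IV = 0x0123456789ABCDEF, 0xFEDCBA9876543210   # constructed key and IV
    msg = b"ATTACK AT DAWN! " * 2                    # constructed: blocks 1,2 repeat as 3,4
    e = ecb_encrypt(K, msg)
    print("ECB repeats:", e[:16] == e[16:32])        # True: position-independent
    c = cbc_encrypt(K, IV, msg)
    print("CBC repeats:", c[:16] == c[16:32])        # False: chained to the previous block
    print("CFB-8 round trip:", cfb_crypt(K, IV, cfb_crypt(K, IV, b"hello", 8), 8, decrypt=True))
```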

## Application: OpenSSH, Browser, ...

How SSH negotiates an encrypted session

• The server has a 1024-bit public/private key pair.

• On connection the server sends the client its public key.

• The client checks if the key has changed.

• The client generates a random 256 bit key and encrypts it with the server's public key.

• The client sends the encrypted key to the server.

• The server decrypts the key.

• Since both now have the same key, the communication switches to a symmetric cipher.
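The seven steps above, modelled in Python as an added example that is not OpenSSH's code and not code from the slides. The client keeps a known_hosts store and refuses to continue when a host presents a key whose fingerprint differs from the remembered one, which is the "checks if the key has changed" step and the one that catches a substituted server key; the session key is transported with textbook RSA, as the slide describes, with a locally generated server key pair of the stated size. Class and function names, the fingerprint format and the Miller-Rabin prime generation are this example's own assumptions.

```python
import hashlib
import secrets


def is_probable_prime(n, rounds=20):
    """Miller-Rabin primality test; adequate for generating demo keys."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def make_host_keypair(bits=1024):
    """Server RSA pair of the stated size; e = 65537, d = e^-1 mod phi(n)."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:              # e is prime, so this is gcd(e, phi) == 1
            return (e, p * q), pow(e, -1, phi)


def fingerprint(public):
    e, n = public
    return hashlib.sha256(f"{e}:{n}".encode()).hexdigest()


class Client:
    """Keeps a known_hosts store keyed by host name (assumed layout)."""

    def __init__(self, known_hosts=None):
        self.known_hosts = dict(known_hosts or {})

    def check_host_key(self, host, public):
        fp = fingerprint(public)
        remembered = self.known_hosts.get(host)
        if remembered is None:
            self.known_hosts[host] = fp          # first contact: remember the key
            return "new"
        if remembered != fp:
            raise RuntimeError(f"host key for {host} changed: refusing to continue")
        return "known"

    def make_session_key(self, public):
        e, n = public
        key = secrets.randbits(256)              # random 256-bit symmetric key
        if key >= n:
            raise ValueError("server modulus too small for the session key")
        return key, pow(key, e, n)               # textbook RSA, no padding: demo only


class Server:
    def __init__(self, public, private_d):
        self.public = public
        self.e, self.n = public
        self.d = private_d

    def accept_session_key(self, encrypted_key):
        return pow(encrypted_key, self.d, self.n)


def negotiate(client, server, host):
    """The exchange from the slide; returns (host-key status, client's key, server's key)."""
    status = client.check_host_key(host, server.public)       # server sends key, client checks it
    key, encrypted = client.make_session_key(server.public)   # client encrypts a fresh key
    return status, key, server.accept_session_key(encrypted)  # server decrypts; both share it


if __name__ == "__main__":
    server = Server(*make_host_keypair(1024))
    client = Client()
    print(negotiate(client, server, "host.example")[0])        # "new" on first contact
    print(negotiate(client, server, "host.example")[0])        # "known" afterwards
```

A first contact can only be remembered, not verified, so the store is only as trustworthy as that first connection; from then on a changed fingerprint is treated as an error rather than silently accepted.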

## Fini