Computer Security lecture notes

Copyright © 2004 Mark Dermot Ryan
The University of Birmingham
Permission is granted to copy, distribute and/or modify this document
(except where stated) under the terms of the GNU Free Documentation License,

Symmetric-key cryptography

In symmetric-key cryptography, we encode our plain text by mangling it with a secret key. Decryption requires knowledge of the same key, and reverses the mangling.

ciphertext = encrypt( plaintext, key )

plaintext = decrypt( ciphertext, key )

Symmetric key cryptography is useful if you want to encrypt files on your computer, and you intend to decrypt them yourself. (But if you intend to send them to someone else to be decrypted, then you have a "key distribution problem".) In security, we assume the encryption algorithms that we have chosen to use are publically known; only the key is secret to the participants. Slogan: "obscurity is no security".

Caesar cipher

The key is a number between 1 and 25. Define code('a')=0, code('b')=1, ..., code('z')=25.

encryption(c, key) = code^-1( code(c)+key mod 26 )

Pros: simple.
Cons: crap.

Compression-then-substitution

Compress the text first (in an attempt to avoid the frequency-of-letters attack), and then do a substitution such as: 'a' goes to 'x', '¶' goes to 'Æ', etc. This map will be the key.
Pros: still simple, but much better.
Cons: may be some regularity in compressor output (header info, etc) which would aid cryptanalysis.

Symmetric key encryption: simplified DES

S-DES is a simplified version of the well-known DES (Data Encryption Standard) algorithm (see [2]). It closely resembles the real thing, with smaller parameters, to facilitate operation by hand for pedagogical purposes. It was designed by Edward Schaefer as a teaching tool to understand DES. S-DES (and DES) are examples of a block cipher: the plain text is split into blocks of a certain size, in this case 8 bits.

plaintext = b₁b₂b₃b₄b₅b₆b₇b₈
key = k₁k₂k₃k₄k₅k₆k₇k₈k₉k₁₀

Subkey generation

First, produce two subkeys K₁ and K₂:

K₁ = P8(LS(P10(key)))
K₂ = P8(LS(LS(P10(key))))

where P10(k₁k₂k₃k₄k₅k₆k₇k₈k₉k₁₀) = k₃k₅k₂k₇k₄k₁₀k₁k₉k₈k₆.

It's convenient to write such bit substitution operators in this notation:

P10

10 bits to 10 bits

10 bits to 8 bits

LS ("left shift")

10 bits to 10 bits

Encryption

The cipher text is defined from the plain text using the two subkeys K₁ and K₂.

ciphertext = IP^-1( f_K₂( SW( f_K₁( IP( plaintext ) ) ) ) )

where:

IP ("initial permutation")

8 bits to 8 bits

IP^-1

8 bits to 8 bits

SW ("switch")

8 bits to 8 bits

and f_K( ) is computed as follows. We write exclusive-or (XOR) as +.

f_K( L, R ) = ( L + F_K(R) , R )

F_K(R) = P4 ( S0( lhs( EP(R)+K )) , S1( rhs(EP(R)+K )) )

EP ("expansion/permutation")

4 bits to 8 bits

4 bits to 4 bits

lhs

8 bits to 4 bits

rhs

8 bits to 4 bits

S0(b₁b₂b₃b₄) = the [ b₁b₄ , b₂b₃ ] cell from the "S-box" S0 below, and similarly for S1.

	0	1	2	3
0	1	0	3	2
1	3	2	1	0
2	0	2	1	3
3	3	1	0	3

	0	1	2	3
0	0	1	2	3
1	2	0	1	3
2	3	0	1	0
3	2	1	0	3

Decryption

Decryption is a similar process.

plaintext = IP^-1( f_K₁( SW( f_K₂( IP( ciphertext ) ) ) ) )

Diagrams showing operation

These diagrams are reproduced from William Stallings' excellent book, Cryptography and Network Security [2]. These diagrams are copyright 2003 by Pearson Education Inc., and are not covered by the Gnu Free Documentation License which covers the other parts of this document.

Relation with DES

SDES is a simplification of a real algorithm. DES operates on 64 bit blocks, and uses a key of 56 bits, from which sixteen 48-bit subkeys are generated. There is an initial permutation (IP) of 56 bits followed by a sequence of shifts and permutations of 48 bits. F acts on 32 bits.

ciphertext = IP^-1( f_K₁₆( SW( f_K₁₅( . . . ( SW( f_K₁(IP( plaintext ) ) ) ). . . ) ) ) )

Analysis of DES and SDES

The key question about the design of (S)DES is: why? What motivated the design choices? The munging of the bits appears to be so complicated that it has so far proved impossible to do a systematic cryptanalysis. For example, a known-plaintext attack (in which we attempt to calculate a key, given ciphertext and plaintext) involves solving 8 nonlinear equations in 10 unknowns in the case of SDES, which is hard, and many more equations in more unknowns for full DES.

A brute force attack remains the most promising approach. For SDES, it is trivial; there are only 1024 keys. For DES it is much harder; there are 7 × 10¹⁶ keys. This would take over 2000 years if you checked each key in one microsecond. Michael Wiener designed a DES cracker with millions of specialised chips on specialised boards and racks [1, p.153]. He concluded in 1995 that for $1 million, a machine could be built that would crack a 56-bit DES key in 7 hours. Schneier estimates that this would be doable for $100,000 in 2000, so we might extrapolate to $10,000 in 2005. For these reasons, algorithms based on 56-bit keys, like DES, are no longer thought secure. Schneier: "insist on at least 112 bit keys."

Cracking DES "This book describes a machine which we actually built to crack DES. ... We have donated our design to the public domain, so it is not proprietary. ... We have published its details so that other scientists and engineers can review, reproduce, and build on our work. There can be no more doubt. DES is not secure." Basic statistics: 1998, < $250,000, cracked a key in 3 days.

Other symmetric key algorithms

3DES (which is DES then inverse-DES then DES again, with different keys)
IDEA, rated by Schneier as the best one partly because of its "impressive theoretical foundations" [sic]. It mixes XOR, addition modulo 2¹⁶, and multiplication modulo 2¹⁶-1, and is based on a 128-bit key.
Blowfish, invented by Schneier to be fast, compact, easy to implement, and to have variable key length (up to 448 bits),

Stream ciphers

Stream ciphers encrypt streams, e.g. a byte at a time, in cases that you can't wait for an entire block of text before starting the encyption. Typically, a stream is generated from the key, and the plaintext is XOR'd with the stream. Like a one-time pad generated on the fly.

Block ciphers can be used in different modes:
ECB (Electronic codebook mode) - the regular usage, but vulnerable to block replays
CBC (Cipher block chaining mode) - each block XOR'd with previous block; helps overcome replay attack
CFB (Cipher feedback mode) - makes a block cipher into a stream cipher, by maintaining a queue block (initialised to some initial value).
OFB (Output feedback mode) - same idea as CFB, different detail.

RC4 is a variable-key-size stream cipher developed in 1987 by Rivest. For seven years it was proprietary, but anonymously posted on the internet in 1994. It works in OFB: the keystream is independent of the plaintext. It maintains a vector S[0]...S[255], whose entries are a permutation of the numbers 0...255. The following algo encrypts a stream:

    // initialise S
    for i = 0 ... 255
        S[i] = i
    for i = 0 ... 255 {
        j = (j + S[i] + key[i mod key_length]) mod 256
        swap (S[i],S[j])
        }

    i = 0
    j = 0
    while (still some bytes left to encrypt/decrypt) {
        i = (i + 1) mod 256
        j = (j + S[i]) mod 256
        swap(S[i],S[j])
        k = S[(S[i] + S[j]) mod 256]
        output k XOR next_byte_of_input
        }

References

[1] Bruce Schneier, Applied Cryptography. Second Edition, J. Wiley and Sons, 1996.
[2] William Stallings, Cryptography and Network Security, Principles and Practice, Prentice Hall, 1999. Third Edition, 2003.
[3] The University of British Columbia Theoretical Physics department has a web page on cryptography, with lots of interesting remarks and links.