CS 758 D.R. Stinson

CS 758: Cryptography / Network Security

• offered in the Fall Semester, 2003, by Doug Stinson

• my office: DC 3122

• my email address: dstinson@uwaterloo.ca

• my web page:

http://cacr.math.uwaterloo.ca/~dstinson/index.html

provides a link to the course web page

• lectures: Mondays and Wednesdays from 2:30 PM - 4:00 PM inE2 1303

Sept. 8, 2003 1

CS 758 D.R. Stinson

Objectives/Prerequisites

• basic cryptography concerns secure communication betweentwo parties, while in this course we are interested incryptographic protocols in multiuser/network context

• there is no overlap with

– C&O 685 (Mathematics of Public-Key Cryptography), orwith

– ECE 720 (Cryptographic Computations), or with

– ECE 710 (Sequence Design and Cryptography)

• prerequisites: a previous course in cryptography (e.g. C&O487, Applied Cryptography) is helpful but not required

• background: basic complexity theory, elementary numbertheory, algebra (finite groups, finite fields, linear algebra),probability (random variables), combinatorics

Sept. 8, 2003 2

CS 758 D.R. Stinson

Course Requirements

• students’ grades will be based on assignments (4 or 5, about70%) and a project (about 30%)

• the project will be a written project, possibly with a partner

• the project will involve

– preparing a report on a recent research paper on a topicrelated to the course material, or

– implementing and analyzing one or more protocols on atopic related to the course material

Sept. 8, 2003 3

CS 758 D.R. Stinson

Course Outline

• Review of cryptographic primitives and their applications toinformation security, and notions of cryptographic security.Discussion of public-key encryption, secret-key encryption,message authentication, signature schemes, and hash functions.

• Techniques for entity authentication. Passwords,challenge-response, identification schemes (e.g., Fiat-Shamir,Guillou-Quisquater), general techniques for zero-knowledgeproofs for NP-complete languages.

• Protocols for key establishment, transport, agreement andmaintenance. Online key distibution using a trusted server(Kerberos). Public-key techniques, including Diffie-Hellmankey agreement, man-in-the-middle attacks, STS and forwardsecrecy. Unconditionally secure key distribution, including theBlom scheme and combinatorial key distribution patterns.

Sept. 8, 2003 4

CS 758 D.R. Stinson

Course Outline (cont.)

• Cryptography in a multi-user setting. Secret sharing schemes(including Shamir threshold schemes and schemes for generalaccess structures). Conference key distribution and broadcastencryption. Copyright protection techniques and tracingschemes.

• Public-key infrastructure. Models for managing public keysand certificates (X.509 certificates, certification authorities,trust models, certificate verification and revocation, etc.).Applications, including PGP, SSL and IPsec.

Sept. 8, 2003 5

CS 758 D.R. Stinson

Goals of Cryptography

confidentiality

Confidentiality (or secrecy) means that data cannot beunderstood by an unauthorized party.

data integrity

Data integrity means that data cannot be modified by anunauthorized party.

data origin authentication

Data origin authentication is achieved when it can be verifiedthat data was transmitted by a particular source.

entity authentication

Entity authentication (or identification) refers to theverification of the identity of a person, computer or otherdevice.

Sept. 8, 2003 6

CS 758 D.R. Stinson

Goals of Cryptography (cont.)

non-repudiation

Non-repudiation occurs when it is impossible for someone todeny having transmitted a message that, in fact, they didtransmit.

access control

Access control refers to the restriction of electronic or physicalaccess to authorized parties.

anonymity

Anonymity refers to the anonymous transmission of data, sothat the origin cannot be determined.

Sept. 8, 2003 7

CS 758 D.R. Stinson

Cryptographic Tools

encryption schemes

Encryption schemes are used to achieve confidentiality.

signature schemes

Signature schemes are used to “sign” data. A signature helpsto ensure data integrity and data origin authentication, and itcan also provide non-repudiation.

message authentication codes

A message authentication code provides data integrity.

cryptographic hash functions

A hash function is used to provide random, unpredictableredundancy in data.

Sept. 8, 2003 8

CS 758 D.R. Stinson

Cryptographic Tools (cont.)

key agreement protocols

A key agreement protocol is used to establish a common secretkey known to two or more specified parties. Usually this key isto be subsequently used for another cryptographic purposesuch as symmetric-key encryption or message authentication.

identification schemes

An identification scheme provides entity authentication.

pseudorandom number generators

Pseudorandom number generators expand a small, trulyrandom, seed into a long string of bits that cannot bedistinguished from random bits. Pseudorandom numbergenerators are used in many cryptographic contexts, forexample, in the generation of keys.

Sept. 8, 2003 9

CS 758 D.R. Stinson

Tools and their Usage of Keys

A short summary of cryptographic tools and their usage of keys isprovided in the following table. An “X” indicates that the givenalgorithm and key combination is feasible.

keys

scheme public/private? secret? no key?

encryption scheme X X

signature scheme X

MAC X

hash function X

key agreement scheme X X

identification scheme X X

Sept. 8, 2003 10

CS 758 D.R. Stinson

Secure Socket Layer

client server

I’m Alice−−−−−−−−−−−−−−−−→

I’m Bob, Inc.←−−−−−−−−−−−−−−−−

PK , sigCA(PK )←−−−−−−−−−−−−−−−−verify PK

generate MSy = ePK (MS )−−−−−−−−−−−−−−−−→

MS = dPK (y)

K1, K2 = h(MS ) K1, K2 = h(MS )

Sept. 8, 2003 11

CS 758 D.R. Stinson

Cryptosystem

A cryptosystem is a five-tuple (P, C, K, E, D), where the followingconditions are satisfied:

1. P is a finite set of possible plaintexts

2. C is a finite set of possible ciphertexts

3. K, the keyspace, is a finite set of possible keys

4. For each K ∈ K, there is an encryption rule eK ∈ E and acorresponding decryption rule dK ∈ D. Each eK : P→ C anddK : C→ P are functions such that dK(eK(x)) = x for everyplaintext element x ∈ P.

Sept. 8, 2003 12

CS 758 D.R. Stinson

Public-key vs Secret-key Cryptosystems

• in a secret-key cryptosystem, K is known to both Alice andBob:

Alice Bob

K K

y = eK(x)y−−−−−−−−−−−−−−−−→ x = dK(y)

• in a public-key cryptosystem, K is known only to Bob and eK

is public:

Alice Bob

ek K

y = eK(x)y−−−−−−−−−−−−−−−−→ x = dK(y)

Sept. 8, 2003 13

CS 758 D.R. Stinson

A Substitution-Permutation Network

K1

K2

K3

K4

K5

u1

1v

w 1

u2

v 2

w 2

u3

v 3

w

u4

v 4

S1

2

S2

2

S3

2 S3

4S1

3

S1

4S

4

2 S4

3 S4

4

S2

1 S2

3 S2

4

S1

1 S1

4S1

3

S3

3

3

y

x

Sept. 8, 2003 14

CS 758 D.R. Stinson

The Advanced Encryption Standard (AES)

AES has a block length of 128 bits, and it supports key lengths of128, 192 and 256 bits. The number of rounds, Nr, depends on thekey length: Nr = 10 if the key length is 128 bits; Nr = 12 if the keylength is 192 bits; and Nr = 14 if the key length is 256 bits.

1. Given a plaintext x, initialize State to be x and performAddRoundKey, which x-ors the RoundKey with State.

2. For each of the first Nr− 1 rounds, perform a substitutionoperation called SubBytes on State using an S-box; perform apermutation ShiftRows on State; perform an operationMixColumns on State; and perform AddRoundKey.

3. Perform SubBytes; perform ShiftRows; and performAddRoundKey.

4. Define the ciphertext y to be State.

Sept. 8, 2003 15

CS 758 D.R. Stinson

AES States

All operations in AES are byte-oriented operations, and allvariables used are considered to be formed from an appropriatenumber of bytes. The plaintext x consists of 16 bytes, denotedx0, . . . , x15. State is represented as a four by four array of bytes,initialized as follows:

s0,0 s0,1 s0,2 s0,3

s1,0 s1,1 s1,2 s1,3

s2,0 s2,1 s2,2 s2,3

s3,0 s3,1 s3,2 s3,3

←−

x0 x4 x8 x12

x1 x5 x9 x13

x2 x6 x10 x14

x3 x7 x11 x15

Sept. 8, 2003 16

CS 758 D.R. Stinson

The Finite Field F256

The operation SubBytes performs a substitution on each byte ofState independently, which involves operations in the finite field

F28 = Z2[x]/(x8 + x4 + x3 + x + 1).

Let BinaryToField convert a byte to a field element; and letFieldToBinary perform the inverse conversion. This conversionis done in the obvious way: the field element

7∑

i=0

aixi

corresponds to the byte

a7a6a5a4a3a2a1a0,

where ai ∈ Z2 for 0 ≤ i ≤ 7.

Sept. 8, 2003 17

CS 758 D.R. Stinson

SubBytes

Algorithm: SubBytes(a7a6a5a4a3a2a1a0)

external FieldInv,BinaryToField,FieldToBinary

z ← BinaryToField(a7a6a5a4a3a2a1a0)

if z �= 0

then z ← FieldInv(z)

(a7a6a5a4a3a2a1a0)← FieldToBinary(z)

(c7c6c5c4c3c2c1c0)← (01100011)

for i← 0 to 7

do bi ← (ai + ai+4 + ai+5 + ai+6 + ai+7 + ci) mod 2

return b7b6b5b4b3b2b1b0

Sept. 8, 2003 18

CS 758 D.R. Stinson

ShiftRows

The operation ShiftRows acts on State as shown in the followingdiagram:

s0,0 s0,1 s0,2 s0,3

s1,0 s1,1 s1,2 s1,3

s2,0 s2,1 s2,2 s2,3

s3,0 s3,1 s3,2 s3,3

←

s0,0 s0,1 s0,2 s0,3

s1,1 s1,2 s1,3 s1,0

s2,2 s2,3 s2,0 s2,1

s3,3 s3,0 s3,1 s3,2

Sept. 8, 2003 19

CS 758 D.R. Stinson

MixColumns

Algorithm: MixColumn(c)

external FieldMult,BinaryToField,FieldToBinary

for i← 0 to 3

do ti ← BinaryToField(si,c)

u0 ← FieldMult(x, t0)⊕ FieldMult(x + 1, t1)⊕ t2 ⊕ t3

u1 ← FieldMult(x, t1)⊕ FieldMult(x + 1, t2)⊕ t3 ⊕ t0

u2 ← FieldMult(x, t2)⊕ FieldMult(x + 1, t3)⊕ t0 ⊕ t1

u3 ← FieldMult(x, t3)⊕ FieldMult(x + 1, t0)⊕ t1 ⊕ t2

for i← 0 to 3

do si,c ← FieldToBinary(ui)

Sept. 8, 2003 20

CS 758 D.R. Stinson

Modes of Operation

• ECB (electronic code book) mode corresponds to the naive useof a block cipher: given a sequence x1x2 · · · of plaintext blocks(each consisting of 128 bits, in the case of the AES), each xi isencrypted with the same key K, producing a string ofciphertext blocks, y1y2 · · · .• In CBC (cipher block chaining) mode, each ciphertext block yi

is x-ored with the next plaintext block, xi+1, before beingencrypted with the key K. More formally, we start with aninitialization vector, denoted by IV, and define y0 = IV. Thenwe construct y1, y2, . . . , using the rule

yi = eK(yi−1 ⊕ xi),

i ≥ 1.

Sept. 8, 2003 21

CS 758 D.R. Stinson

CBC Mode

0IV = y +

Ke

+

Ke

0IV = y + +

x2

y

1x

2

K Kd d

1

1y

decrypt

encrypt

2

21y y

x x

Sept. 8, 2003 22

CS 758 D.R. Stinson

The RSA Public-key Cryptosystem

Let n = pq, where p and q are large primes. Let P = C = Zn, anddefine

K = {(n, p, q, a, b) : ab ≡ 1 (mod φ(n))}.For K = (n, p, q, a, b), define

eK(x) = xb mod n

anddK(y) = ya mod n

(x, y ∈ Zn). The values n and b comprise the public key, and thevalues p, q and a form the private key.

Sept. 8, 2003 23

CS 758 D.R. Stinson

A Toy Example

• suppose Bob chooses primes p = 101 and q = 113

• then n = 11413 and φ(n) = 100× 112 = 11200

• suppose Bob chooses public encryption exponent b = 3533

• then his private decryption exponent isa = b−1 mod 11200 = 6597

• suppose Alice wants to encrypt the plaintext x = 9726

• she will compute

y = 97263533 mod 11413 = 5761

and send y to Bob

• when Bob receives the ciphertext y = 5761, he computes

x = 57616597 mod 11413 = 9726.

Sept. 8, 2003 24

CS 758 D.R. Stinson

The Rabin Cryptosystem

Let n = pq, where p and q are primes. Let P = C = Zn∗, and define

K = {(n, p, q)}.For K = (n, p, q), define

eK(x) = x2 mod n

anddK(y) =

√y mod n.

The value n is the public key, while p and q are the private key.

Note: there are four square roots of y modulo n.

Sept. 8, 2003 25

CS 758 D.R. Stinson

A Toy Example

• suppose Bob chooses primes p = 7 and q = 11

• then the encryption function is

eK(x) = x2 mod 77

and the decryption function is

dK(y) =√

y mod 77

• suppose Alice encrypts the plaintext x = 32 to send to Bob

• the ciphertext is y = 322 mod 77 = 23

• the four square roots of 23 modulo 77 are ±10,±32 mod 77

• the four possible plaintexts are x = 10, 32, 45 and 67

Sept. 8, 2003 26