OVERVIEW OF ENCRYPTION

AUTHOR DETAILS:CHANDRASEKHAR NAIDU MUTTINENIMail: chandu.saraswathi@gmail.comBlog: https://techpresentations.wordpress.com/ https://hack8d.wordpress.com/

Agenda• Cryptology and its History• Types of Ciphers• What is Encryption and types of Encryption• Types of Encryption Algorithms

• Symmetric and Asymmetric Algorithms• Choosing Encryption algorithms• Complexity Comparison• Hashing explained• Key management• TLS Model• Advanced Encryption System (AES-256) explained• Queries

Cryptology

- Symbiotic relation between each disciplines- Each makes the other one better- Each tries to be ahead of the other every time- World war II is the best example. Winning side was more successful in

breaking the codes than the losing side.- One cannot prove that an algorithm is secure. But they can prove it is

not vulnerable to the known attacks- All algorithms are vulnerable to brute-force attack. If every possible key

is tried, one of the keys has to work.

Cryptology

Cryptography Cryptanalysis

History of Cryptography

- Around 5000 years ago, Cryptography was widely used in diplomatic and Military circles

- Messengers from kings court takes encrypted messages to other courts- Caeser cipher is a simple substitution cipher used to secure military

communications- Thomas Jefferson invented a encryption system when he was serving US during

1790

History of Cryptography (contd.)

- Arthur Scherbius invented ‘Enigma’ machine and sold it to Germany.- Britishers cracked German Enigma machine resulting in significant advantages for

the allies in World war II- British arguably invented first computer ‘Colossus’ to break the encryption that was

used by Enigma machine.

Ciphers - Cipher – Algorithm used to encrypt or decrypt information. - Substitution Cipher

- Substitutes on letter to another- Ciphertext depends on the key- Also called as Caesar cipher- Vulnerable to frequency analysis

6

Ciphers (contd.)

- Polyalphabetic ciphers - Counters the early frequency analysis vulnerability - Still vulnerable to frequency analysis - Vigenere cipher is best example (‘Baise Vigenere is a French Cryptographer) - Lets see how it works

- Transposition: Permutation. - No letters are replaced, they are just rearranged or permuted - If key is to reverse the letters “ATTACK AT DAWN” is transported as “NWADTAKCATTA”. - Rail Fence cipher is good example of Transposition ciphers - DES, 3DES still uses transposition as part of their algorithm

Ciphers (contd.)

Ciphers (Contd.)

- Vernam Cipher- Applying XOR for the plain text with the random key- Most important in the history of Cryptography- RC4 uses OTP (One time pad)

OTP (XOR)

Encryption• Encryption is a process of disguising a message in a way as to hide its original contents• Decryption reverses the process• To maintain the confidentiality of the message being transmitted

Encryption (Contd.)

• Old encryption is based on the secrecy of the algorithm used• Modern encryption uses public domain algorithms. • Security of the information lies in the secrecy of the keys not on the algorithm• Encryption involves at all layers of OSI Network model.• Encryption is the key to setup VPN (Virtual Private Network)

Cryptanalysis- Breaking of codes to obtain the meaning of encrypted data

• Brute-Force attack: Trying every possible key for decryption. On average this succeeds about 50% of the way through the key space.

• Linear and Differential Cryptanalysis• Ciphertext-only: Access to cipher texts of several plain texts encrypted using same

key. • Known Plaintext: Access to plain text, Cipher text and algorithm. Ultimately uses

brute-force attacks by assuming the key space. • Choosen Plaintext: Attacker can choose the plain text and observe the cipher text. • Side Channel Attacks – Attacks based on studying and measuring the actual

implementation of the code.• Power Attacks – Watches power consumption by CPU or memory. Pipelining helps• Timing Attacks – Watches movement of data in and out of the CPU or memory

Encryption Algorithms• A good encryption algorithm (Cipher) has the following features

- Resist cryptographic attacks - Supports variable and long key lengths - Create an avalanche effects - Do not have import and export restrictions

Encryption Algorithms (Contd.)

• Two classes of algorithms based on the usage of keys - Symmetric encryption algorithms - Asymmetric encryption algorithms

Symmetric Encryption Algorithms• Encryption and Decryption keys are same• Security rests in the secrecy of the key• Also called as the Secret-Key encryption algorithm• Typical key length ranges from 40 to 256 bits• DES – 56 bit keys• 3DES – 112 or 168 bit keys• AES – 128, 192 or 256 keys• IDEA – 128 bit keys• RC Series (RC2, RC4, RC5, RC6) – 128, 192 or 256 keys• Blowfish – 32 to 448 bit keys

Symmetric Encryption Algorithms (Contd.)

• Techniques: Block ciphers, Stream Ciphers, Message Authentication Codes (MACs)

• Symmetric algorithms are quite fast in encryption.• Used for bulk data protection• On the other hand, Key management is a challenge.

Symmetric Encryption Algorithms

(Contd.)

• Block ciphers - Converts fixed length block of plaintext into same length Cipher text - It refers to how much data can be encrypted at one time - Usually the block size is 128 bits. DES has a block size of 64 bits - Performs padding if data is less than one full block

Ex:• DES/3DES (CBC or ECB modes)• AES• IDEA• Blowfish• RSA

Symmetric Encryption Algorithms (Contd.)

• Stream ciphers - Operates on smaller units of plain text. - Transformation depends on when they are encountered during encryption - Much faster in operation - No padding of bits

Ex:

• DES/3DES (OFB or CFB modes)• RC4• SEAL (Software encryption algorithm)

Asymmetric Encryption Algorithms• Also called as Public key algorithms• Key length ranges from 512 to 4096 bits.• Involves complex mathematical calculations to derive the key set• The decryption key cannot in any reasonable amount of time be calculated using

the encryption key• Can be up to 1000 times slower than the symmetric algorithms• Used for Low volume cryptographic mechanisms such as digital signatures and key

exchange• The key management is simpler compared to Symmetric algorithms• Rivest, Shamir and Adleman (RSA) algorithm• Diffe-Hellman (DH) Algorithm

Choosing Encryption Algorithms• Algorithm is trusted by cryptographic community• It should adequately protects Brute-force attacks• Throughput and Latency • 3DES: Considered most trustworthy but not so efficient• AES: High throughput and Low latency environments. More efficient.• RSA and DH: Considered trustworthy Asymmetric algorithms

Comparing complexity • In symmetric algorithms, each additional bit doubles the difficulty in finding the key• In asymmetric algorithms, each additional bit nominally increases the difficulty in

finding the key• An 80-bit symmetric key is considered equal to 1024 asymmetric key RSA• An 128-bit symmetric key is considered equal to 3027 asymmetric key RSA

Hashing• Method for Data Integrity assurance• Based on one way mathematical functions• Easy to compute but harder to reverse• Ex: Grinding coffee. Easy to grind but it is near to impossible to put all the tiny pieces to

rebuild original beans• Digest or Fingerprint• Similar to CRC (Cyclic Redundancy Checksum)

Key Management• Key Generation : Automated random number generators• Key Verification: Finding weak keys• Key Storage: Storing in memory• Key Exchange: Securely over an untrusted medium• Key Revocation and Destruction: Erasing after usage/ after a security breach

• Key Space: Set of all possible key values. Key with n bits produces 2^n keys• Weak keys for DES:

• Strength of protection depends on the Length of key. This needs to be selected wisely

TLS/SSL explained• Provides secure communication over internet/intranet• Originally developed by Netscape • Universally accepted by the WWW community (e-mail to e-commerce)• TLS 1.0 still used even with the advent of TLS 3.0• It uses variety of encryption algorithms: Symmetric, Asymmetric, Hashing• VPNs from contractor PC to company network

Data Encryption Standard (DES)

• Operates in Block/Stream mode and encrypts data in 64-bit blocks• DES key is always 56 bits long. The remaining 8 bits are used for parity

ECB and CBC explained• ECB (Electronic Code Book) : Same plain text -> Same Cipher text• CBC (Cipher Block Chaining) : Same plain text -> Different Cipher text.• Here Plain text XOR’ed with previous cipher text before encryption.• First block is XOR’ed with a IV (Initialization Vector) • It still cannot help against sophisticated crypt analysis attack

ECB Mode CBC Mode

3DES (Triple DES)• The technique of applying DES 3 times in a row to a plain text is called 3DES• It uses a method called 3DES – EDE (Encrypt – Decrypt – Encrypt)• Message is encrypted using first 56-bit key ‘k1’ then is decrypted using second 56-bit key ‘k2’ and then

is encrypted using third 56-bit key ‘k3’• Message is decrypted using third 56-bit key ‘k3’ then is encrypted using second 56-bit key ‘k2’ and

then is decrypted using first 56-bit key ‘k1’• Encrypting data three times using 56-bit keys is equals to encrypting with a 58-bit key. So we use 3DES-

EDE here.

Advanced Encryption Standard (AES)• AES is an encryption specification of NIST, US.• Uses Rijndael algorithm which has variable block length and key length.• Credits to Vincent Rijmen and Joan Daemen• Key length is much stronger than DES• More efficient algorithm • Suitable for high throughput and low latency environments• Stronger than 3DES in 192 or 256 bit key lengths• Relatively young algorithm• AES standard is a variant of Rijndael where the block size is restricted to 128 bits

AES explained• AES has a fixed block size of 128 bits called a state

Ex input string: “ABCDEFGHIJKLMNOP”

A E I M 41 45 49 4DB F J N 42 46 4A 4EC G K O 43 47 4B 4FD H L P 44 48 4C 50

ASCII

AES explained (Contd.)

• AES key is either 128 bits, 192 bits or 256 bits

128 bits (4 words):

11223344556677889900AABBCCDDEEFF

11 22 33 4455 66 77 8899 00 AA BBCC DD EE FF

AES explained (Contd.)

• AddRoundKey : Addition is XOR

41 45 49 4D42 46 4A 4E43 47 4B 4F44 48 4C 50

11 22 33 4455 66 77 8899 00 AA BBCC DD EE FF

41 11 45 55 49 99 4D CC42 22 46 66 4A 00 4E DD 43 33 47 77 4B AA 4F EE44 44 48 88 4C BB 50 FF

50 10 D0 8160 20 4A 9370 30 E1 A100 C0 F7 AF

StateExpanded Key

w[0] w[4]

After AddRoundKey

XOR’ed

AES explained (Contd.)

• SubBytes is the SBOX for AES• This make AES a non-linear cryptographic system.• For every value of b there is a unique value for b’x

– It is faster to use a substitution table (and easier).

x is the inverse value of the byte b

1 0 0 0 1 1 1 11 1 0 0 0 1 1 11 1 1 0 0 0 1 11 1 1 1 0 0 0 11 1 1 1 1 0 0 00 1 1 1 1 1 0 00 0 1 1 1 1 1 00 0 0 1 1 1 1 1

11000110

x0

x1

x2

x3

x4

x5

x6

x7

+=

b'0b'1b'2b'3b'4b'5b'6b'7

0 1 2 3 4 5 6 7 8 9 a b c d e f0 63 7c 77 7b f2 6b 6f c5 30 1 67 2b fe d7 ab 761 ca 82 c9 7d fa 59 47 f0 ad d4 a2 af 9c a4 72 c02 b7 fd 93 26 36 3f f7 cc 34 a5 e5 f1 71 d8 31 153 4 c7 23 c3 18 96 5 9a 7 12 80 e2 eb 27 b2 754 9 83 2c 1a 1b 6e 5a a0 52 3b d6 b3 29 e3 2f 845 53 d1 0 ed 20 fc b1 5b 6a cb be 39 4a 4c 58 cf6 d0 ef aa fb 43 4d 33 85 45 f9 2 7f 50 3c 9f a87 51 a3 40 8f 92 9d 38 f5 bc b6 da 21 10 ff f3 d28 cd 0c 13 ec 5f 97 44 17 c4 a7 7e 3d 64 5d 19 739 60 81 4f dc 22 2a 90 88 46 ee b8 14 de 5e 0b dba e0 32 3a 0a 49 6 24 5c c2 d3 ac 62 91 95 e4 79b e7 c8 37 6d 8d d5 4e a9 6c 56 f4 ea 65 7a ae 8c ba 78 25 2e 1c a6 b4 c6 e8 dd 74 1f 4b bd 8b 8ad 70 3e b5 66 48 3 f6 0e 61 35 57 b9 86 c1 1d 9ee e1 f8 98 11 69 d9 8e 94 9b 1e 87 e9 ce 55 28 dff 8c a1 89 0d bf e6 42 68 41 99 2d 0f b0 54 bb 16

Y

X

AES explained (Contd.)

Rijndael’s SBOX:

AES explained (Contd.)

50 10 D0 8160 20 4A 9370 30 E1 A100 C0 F7 AF

Sbox( 50 ) Sbox( 10 ) Sbox( D0 ) Sbox( 81 )Sbox( 60 ) Sbox( 20 ) Sbox( 4A ) Sbox( 93 )Sbox( 70 ) Sbox( 30 ) Sbox( E1 ) Sbox( A1 )Sbox( 00 ) Sbox( C0 ) Sbox( F7 ) Sbox( AF )

53 CA 70 0CD0 B7 D6 DC51 04 F8 3263 BA 68 79

State

State after SubBytes

• ShiftRows

AES explained (Contd.)

53 CA 70 0CD0 B7 D6 DC51 04 F8 3263 BA 68 79

53 CA 70 0CB7 D6 DC D0F8 32 51 0479 63 BA 68

Simple routine which performs a left shift rows 1, 2 and 3 by 1, 2 and 3 bytes respectively

Before Shift Rows After Shift Rows

02 03 01 01

01 02 03 01

01 01 02 03

03 01 01 02

a0

a1

a2

a3

a’0

a’1

a’2

a’3

=

a’0 = 2a0 3a1 a2 a3

a’1 = a0 2a1 3a2 a3

a’2 = a0 a1 2a2 3a3

a’3 = 3a0 a1 a2 2a3

MixColumns: With ShiftRows, this provides Diffusion

AES explained (Contd.)

MixColumns :

Input String Key Output String (HEX)

ABCDEFGHIJKLMNOP 11223344556677889900AABBCCDDEEFF BC4784A37D6F46452656B993D53393F5

ABCDEFGHIJKLMNOP 01223344556677889900AABBCCDDEEFF 855866490543FDF6504FC84088FEDCA0

ABCDEFFHIJKLMNOP 11223344556677889900AABBCCDDEEFF 372CCA446C0D391C4381392344630EE1

Input String(HEX) Key Output String (HEX)

00000000000000000000000000000000 00000000000000000000000000000000 66E94BD4EF8A2C3B884CFA59CA342B2E

00000000000000000000000000000000 00000000000000000000000000000001 0545AAD56DA2A97C3663D1432A3D1C84

00000000000000000000000000000001 00000000000000000000000000000001 A17E9F69E4F25A8B8620B4AF78EEFD6F

Encryption Examples:

AES explained (Contd.)

AES 256 CBC explained

AddRoundKey

SubBytes

ShiftRows

MixColumns

AddRoundKey

SubBytes

ShiftRows

AddRoundKey

1st Round

Repeat Nr -1 Round

Last Round

AddRoundKey

InvShiftRows

InvSubBytes

AddRoundKey

InvMixColumns

InvShiftRows

InvSubBytes

AddRoundKey

1st Round

Repeat Nr -1 Round

Last Round

PlainText Cipher Text

CipherText Plain Text

Encryption Decryption

RoundKey*RoundKey

RoundKey

RoundKey

RoundKey*

RoundKey*

Hashing Message Digest 5 (MD5) with 128-bit digestsSecure Hash Algorithm 1 (SHA-1) with 160-bit digests

Hashing HMACs Keyed MD5, based on the MD5 hashing algorithmKeyed SHA-1, based on the SHA-1 hashing algorithm

Thank You. For any queries, please find contact details below:

• CHANDRASEKHAR NAIDU MUTTINENI• Mail: chandu.saraswathi@gmail.com• Blog: https://techpresentations.wordpress.com/• https://hack8d.wordpress.com/