Download Symmetric Encryption Techniques in Cryptography and more Cheat Sheet Network security in PDF only on Docsity!
Module – 1 Classical Encryption Techniques Basics
- Plain text – original message
- Cipher text – coded message
- Encryption/Enciphering - Process convert from plain text to cipher text
- Decryption/Deciphering – Process convert from cipher text to plain text
- Cryptography – Area of study about encryption schemes
- Cryptanalysis – Techniques used for deciphering a message without any knowledge of the enciphering detail./breaking the code
- Cryptology = cryptography + cryptanalysis Symmetric Cipher Model Figure Simplified Model of Symmetric Encryption A symmetric encryption scheme has five ingredients:
- Plaintext: This is the original intelligible message or data that is fed into the algorithm as input.
- Encryption algorithm: The encryption algorithm performs various substitutions and transformations on the plaintext.
- Secret key: The secret key is also input to the encryption algorithm. The key is a value independent of the plaintext and of the algorithm. The algorithm will produce a different output depending on the specific key being used at the time. The exact substitutions and transformations performed by the algorithm depend on the key.
- Ciphertext: This is the scrambled message produced as output. It depends on the plaintext and the secret key. For a given message, two different keys will produce two different ciphertexts. The ciphertext is an apparently random stream of data and, as it stands, is unintelligible.
- Decryption algorithm: This is essentially the encryption algorithm run in reverse. It takes the ciphertext and the secret key and produces the original plaintext.
Cryptanalyst X ^ K ^ Message source
X X
Y = E(K, X) Destination K Secure channel Key source Decryption algorithm Encryption algorithm There are two requirements for secure use of conventional encryption:
1. A strong encryption algorithm i.e an opponent who knows the algorithm and has access to one or more cipher texts would be unable to decipher the cipher text or figure out the key. The opponent should be unable to decrypt cipher text or discover the key even if he or she is in possession of a number of cipher texts together with the plaintext that produced each cipher text. 2. Sender and receiver must have obtained copies of the secret key in a secure fashion and must keep the key secure. Let us take a closer look at the essential elements of a symmetric encryption scheme A source produces a message in plaintext, X = [ X 1, X 2, ......., XM ]. The M elements of X are letters in some finite alphabet. Alphabet usually consisted of the 26 capital letters. Binary alphabet {0, 1} is used. For encryption, a key of the form K = [ K 1, K 2, ....., KJ ] is generated. If the key is generated at the message source, then it must also be provided to the destination by means of some secure channel. Alternatively, a third party could generate the key and securely deliver it to both source and destination. With the message X and the encryption key K as input, the encryption algorithm forms the ciphertext Y = [ Y 1, Y 2, ...., YN ]. This can be written as Y = E( K , X ) This notation indicates that Y is produced by using encryption algorithm E as a function of the plaintext X , with the specific function determined by the value of the key K. The intended receiver, in possession of the key, is able to invert the transformation: X = D( K , Y ) An opponent, observing Y but not having access to K or X , may attempt to recover X or K or both X and K. It is assumed that the opponent knows the encryption (E) and decryption (D) algorithms. If the opponent is interested in only this particular message, then the focus of the effort is to recover X by generating a plaintext estimate X ^. Often, however, the opponent is interested in being able to read future messages as well, in which case an attempt is made to recover K by generating an estimate K^.
format always begins with the same pattern, or there may be a standardized header or banner to an electronic funds transfer message, and so on. All these are examples of known plaintext. With this knowledge, the analyst may be able to deduce the key on the basis of the way in which the known plaintext is transformed. Closely related to the known-plaintext attack is what might be referred to as a probable-word attack. If the opponent is working with the encryption of some general prose message, he or she may have little knowledge of what is in the message. However, if the opponent is after some very specific information, then parts of the message may be known. For example, if an entire accounting file is being transmitted, the opponent may know the placement of certain key words in the header of the file. As another example, the source code for a program developed by Corporation X might include a copyright statement in some standardized position. If the analyst is able somehow to get the source system to insert into the system a message chosen by the analyst, then a chosen-plaintext attack is possible. An example of this strategy is differential cryptanalysis; In general, if the analyst is able to choose the messages to encrypt, the analyst may deliberately pick patterns that can be expected to reveal the structure of the key. two other types of attack: chosen ciphertext and chosen text. These are less commonly employed as cryptanalytic techniques but are nevertheless possible avenues of attack. Only relatively weak algorithms fail to withstand a ciphertext-only attack. Generally, an encryption algorithm is designed to withstand a known-plaintext attack Table 1.1 Types of Attacks on Encrypted Messages Type of Attack Known to Cryptanalyst Ciphertext Only • Encryption algorithm
- Ciphertext Known Plaintext
- Encryption algorithm
- Ciphertext
- One or more plaintext–ciphertext pairs formed with the secret key Chosen Plaintext
- Encryption algorithm
- Ciphertext
- Plaintext message chosen by cryptanalyst, together with its corresponding ciphertext generated with the secret key Chosen Ciphertext
- Encryption algorithm
- Ciphertext
- Ciphertext chosen by cryptanalyst, together with its corresponding decrypted plaintext generated with the secret key Chosen Text •^ Encryption^ algorithm
- Ciphertext
- Plaintext message chosen by cryptanalyst, together with its corresponding ciphertext generated with the secret key
- Ciphertext chosen by cryptanalyst, together with its corresponding decrypted plaintext generated with the secret key
An encryption scheme is unconditionally secure if the ciphertext generated by the scheme does not contain enough information to determine uniquely the corresponding plaintext, no matter how much ciphertext is available. That is, no matter how much time an opponent has, it is impossible for him or her to decrypt the ciphertext simply because the required information is not there. With the exception of a scheme known as the one-time pad, there is no encryption algorithm that is unconditionally secure. Therefore, all that the users of an encryption algorithm can strive for is an algorithm that meets one or both of the following criteria:
- The cost of breaking the cipher exceeds the value of the encrypted information.
- The time required to break the cipher exceeds the useful lifetime of the information. An encryption scheme is said to be computationally secure if either of the foregoing two criteria are met. Unfortunately, it is very difficult to estimate the amount of effort required to cryptanalyze ciphertext successfully. All forms of cryptanalysis for symmetric encryption schemes are designed to exploit the fact that traces of structure or pattern in the plaintext may survive encryption and be discernible in the ciphertext. A brute-force attack involves trying every possible key until an intelligible translation of the ciphertext into plaintext is obtained. On average, half of all possible keys must be tried to achieve success. That is, if there are X different keys, on average an attacker would discover the actual key after X /2 tries. It is important to note that there is more to a brute-force attack than simply running through all possible keys. Unless known plaintext is provided, the analyst must be able to recognize plaintext as plaintext. If the message is just plain text in English, then the result pops out easily, although the task of recognizing English would have to be automated. If the text message has been compressed before encryption, then recognition is more difficult. And if the message is some more general type of data, such as a numerical file, and this has been compressed, the problem becomes even more difficult to automate. Thus, to supplement the brute-force approach, some degree of knowledge about the expected plaintext is needed, and some means of automatically distinguishing plaintext from garble is also needed.
Substitution Techniques
A substitution technique is one in which the letters of plaintext are replaced by other letters or by numbers or symbols.1 If the plaintext is viewed as a sequence of bits, then substitution involves replacing plaintext bit patterns with ciphertext bit patterns.
Caesar Cipher
The earliest known, and the simplest, use of a substitution cipher was by Julius Caesar. The Caesar cipher involves replacing each letter of the alphabet with the letter standing three places further down the alphabet. For example, plain: meet me after the toga party cipher: PHHW PH DIWHU WKH WRJD SDUWB Note that the alphabet is wrapped around, so that the letter following Z is A. define the transformation by listing all possibilities, as follows: plain: a b c d e f g h i j k l m n o p q r s t u v w x y z cipher: D E F G H I J K L M N O P Q R S T U V W X Y Z A B C Let us assign a numerical equivalent to each letter: a b c d e f g h i j k l m 0 1 2 3 4 5 6 7 8 9 10 11 12
Figure Brute-Force Cryptanalysis of Caesar Cipher With only 25 possible keys, the Caesar cipher is far from secure.
Mono alphabetic Cipher
A permutation of a finite set of elements S is an ordered sequence of all the elements of S , with each element appearing exactly once. For example, if S = {a, b, c}, there are six permutations of S : abc, acb, bac, bca, cab, cba In general, there are n! permutations of a set of n elements, because the first element can be chosen in one of n ways, the second in n - 1 ways, the third in n – 2 ways, and so on. In Caesar cipher: plain: a b c d e f g h i j k l m n o p q r s t u v w x y z cipher: D E F G H I J K L M N O P Q R S T U V W X Y Z A B C If, instead, the “cipher” line can be any permutation of the 26 alphabetic characters, then there are 26! or greater than 4 * 10^26 possible keys. a single cipher alphabet (mapping from plain alphabet to cipher alphabet) is used per message.
The cryptanalyst knows the nature of the plaintext (e.g., non compressed English text), then the analyst can exploit the regularities of the language The ciphertext to be solved is UZQSOVUOHXMOPVGPOZPEVSGZWSZOPFPESXUDBMETXAIZ VUEPHzHMDZSHZOWSFPAPPDTSVPQUZWYMXUZUHSX EPYEPOPDZSZUFPOMBZWPFUPZHMDJUDTMOHMQ First step, the relative frequency of the letters can be determined and compared to a standard frequency distribution for English, If the message were long enough, this technique alone might be sufficient, but because this is a relatively short message. relative frequencies of the letters in the ciphertext (in percentages) are as follows: P 13.33 H 5.83 F 3.33 B 1.67 C 0. Z 11.67 D 5.00 W 3.33 G 1.67 K 0. S 8.33 E 5.00 Q 2.50 Y 1.67 L 0. U 8.33 V 4.17 T 2.50 I 0.83 N 0. O 7.50 X 4.17 A 1.67 J 0.83 R 0. M 6. Cipher letters P and Z are the equivalents of plain letters e and t, but it is not certain which is which. The letters S, U, O, M, and H are all of relatively high frequency and probably correspond to plain letters from the set {a, h, i, n, o, r, s}. The letters with the lowest frequencies (namely, A, B, G, Y, I, J) are likely included in the set {b, j, k, q, v, x, z}. A powerful tool is to look at the frequency of two-letter combinations, known as digrams. A table similar to Figure 2.5 could be drawn up showing the relative frequency of digrams. The most common such digram is th. In our ciphertext, the most common digram is ZW, which appears three times. So we make the correspondence of Z with t and W with h. Then, by our earlier hypothesis, we can equate P with e. Now notice that the sequence ZWP appears in the ciphertext, and we can translate that sequence as “the.” This is the most frequent trigram (three-letter combination) in English, which seems to indicate that we are on the right track. Next, notice the sequence ZWSZ in the first line. We do not know that these four letters form a complete word, but if they do, it is of the form th_t. If so, S equates with a.
The Playfair algorithm is based on the use of a 5 * 5 matrix of letters constructed using a keyword. In this case, the keyword is monarchy. M O N A R C H Y B D E F G I/J K L P Q S T U V W X Z The matrix is constructed by filling in the letters of the keyword (minus duplicates) from left to right and from top to bottom, and then filling in the remainder of the matrix with the remaining letters inalphabetic order. The letters I and J count as one letter. Plaintext is encrypted two letters at a time, according to the following rules:
1. Repeating plaintext letters that are in the same pair are separated with a filler letter, such as x, so that balloon would be treated as ba lx lo on. 2. Two plaintext letters that fall in the same row of the matrix are each replaced by the letter to the right, with the first element of the row circularly following the last. For example, ar is encrypted as RM. 3. Two plaintext letters that fall in the same column are each replaced by the letter beneath, with the top element of the column circularly following the last. For example, mu is encrypted as CM. 4. Otherwise, each plaintext letter in a pair is replaced by the letter that lies in its own row and the column occupied by the other plaintext letter. Thus, hs becomes BP and ea becomes IM (or JM, as the encipherer wishes). The Playfair cipher is a great advance over simple monoalphabetic ciphers. For one thing, whereas there are only 26 letters, there are 26 * 26 = 676 digrams, so that identification of individual digrams is more difficult. Furthermore, the relative frequencies of individual letters exhibit a much greater range than that of digrams, making frequency analysis much more difficult. For these reasons, the Playfair cipher was for a long time considered .It was used as the standard field system by the British Army in World War I and still enjoyed considerable use by the U.S. Army and other Allied forces during World War II. https://www.geeksforgeeks.org/playfair-cipher-with-examples/ The Playfair Cipher Encryption Algorithm: The Algorithm consists of 2 steps:
- Generate the key Square(5×5): The key square is a 5×5 grid of alphabets that acts as the key for encrypting the plaintext. Each of the 25 alphabets must be unique and one letter of the alphabet (usually J) is omitted from the table (as the table can hold only 25 alphabets). If the plaintext contains J, then it is replaced by I. The initial alphabets in the key square are the unique alphabets of the key in the order in which they appear followed by the remaining letters of the alphabet in order.
- Algorithm to encrypt the plain text: The plaintext is split into pairs of two letters (digraphs). If there is an odd number of letters, a Z is added to the last letter. For example: PlainText : "instruments" After Split: 'in' 'st' 'ru' 'me' 'nt' 'sz' 1. Pair cannot be made with same letter. Break the letter in single and add a bogus letter to the previous letter. Plain Text: “hello” After Split: ‘he’ ‘lx’ ‘lo’ Here ‘x’ is the bogus letter. 2. If the letter is standing alone in the process of pairing, then add an extra bogus letter with the alone letter Plain Text: “helloe” AfterSplit: ‘he’ ‘lx’ ‘lo’ ‘ez’ Here ‘z’ is the bogus letter. Rules for Encryption: If both the letters are in the same column : Take the letter below each one (going back to the top if at the bottom). For example: Diagraph: "me" Encrypted Text: cl Encryption: m -> c e -> l If both the letters are in the same row : Take the letter to the right of each one (going back to the leftmost if at the rightmost position). For example: Diagraph: "st" Encrypted Text: tl Encryption: s -> t t -> l
A = A -1mod 26 = AA -1= mod 26 = Determinant of A is = (5x3)-(8x17)=-121 mod 26 = 9 9 -1mod 26 = 3,because 9 * 3 = 27 mod 26 = The Hill Algorithm This encryption algorithm takes m successive plaintext letters and substitutes for them m ciphertext letters. The substitution is determined by m linear equations in which each character is assigned a numerical value (a = 0, b = 1, c, z = 25). For m = 3, the system can be described as c 1 = ( k 11 p 1 + k 21 p 2 + k 31 p 3) mod 26 c 2 = ( k 12 p 1 + k 22 p 2 + k 32 p 3) mod 26 c 3 = ( k 13 p 1 + k 23 p 2 + k 33 p 3) mod 26 This can be expressed in terms of row vectors and matrices: ( c 1 c 2 c 3) = ( p 1 p 2 p 3) k 11 k 12 k 13 k 21 k 22 k 23 mod 26 k 31 k 32 k 33 or C = PK mod 26 where C and P are row vectors of length 3 representing the plaintext and ciphertext, and K is a 3 * 3 matrix representing the encryption key. Operations are performed mod 26. For example, consider the plaintext “paymoremoney” and use the encryption key K = 17 17 5 21 18 21 2 2 19 The first three letters of the plaintext are represented by the vector (15 0 24). Then(15 0 24) K = (303 303 531) mod 26 = (17 17 11) = RRL. Continuing in this fashion, the ciphertext for the entire plaintext is RRLMWBKASPDH. Decryption requires using the inverse of the matrix K. Compute det K = 23, and therefore, (det K )-1mod 26 = 17. compute the inverse as 4 9 15 K -1= 15 17 6 24 0 17 K K-1^ KK-1^ = I 17 17 5 4 9 15 443 442 442 1 0 0 21 18 21 15 17 6 858 495 780 mod 26= 0 1 0 2 2 19 24 0 17 494 52 365 0 0 1 the Hill system can be expressed as C = E( K , P ) = PK mod 26 P = D( K , C ) = CK -1 mod 26 = PKK -1 = P The strength of the Hill cipher is that it completely hides single-letter frequencies. Indeed, with Hill, the use of a larger matrix hides more frequency information. Thus, a 3 * 3 Hill cipher hides not only single-letter but also two-letter frequency information.Hill cipher is strong against a ciphertext-only attack, it is easily broken with a known plaintext attack. Consider another example.
Suppose that the plaintext “hillcipher” is encrypted using a 2 * 2 Hill cipher to yield the ciphertext HCRZSSXNSP. (7 8) K mod 26 = (7 2); (11 11) K mod 26 = (17 25); and so on. Using the first two plaintext–ciphertext pairs, we have 7 2 7 8 17 25 11 11 K mod 26 The inverse of X can be computed: 7 8-1 = 25 22 1 23 11 11 K = 25 22 7 2 = 549 600 mod 26 3 2 1 23 17 25 398 577 = 8 5 This result is verified by testing the remaining plaintext–ciphertext pairs
Polyalphabetic Ciphers
Another improve on the simple monoalphabetic technique is to use different monoalphabetic substitutions as one proceeds through the plaintext message. The general name for this approach is polyalphabetic substitution cipher. All these techniques have the following features in common:
- A set of related monoalphabetic substitution rules is used.
- A key determines which particular rule is chosen for a given transformation. Vigenère Cipher The best known, and one of the simplest, polyalphabetic ciphers is the Vigenère cipher. In this scheme, the set of related mono alphabetic substitution rules consists of the 26 Caesar ciphers with shifts of 0 through 25. Each cipher is denoted by a key letter, which is the ciphertext letter that substitutes for the plaintext letter a. Thus, a Caesar cipher with a shift of 3 is denoted by the key value
The Vigenère cipher is expressed in the following manner. Assume a sequence of plaintext letters P = p 0 , p 1 , p 2 , …….., pn-1 and a key consisting of the sequence of letters K = k 0 , k 1 , k 2 , ……, km-1, where typically m < n. The sequence of ciphertext letters C = C 0 , C 1 , C 2 , …….., Cn-1 is calculated as follows: C = C 0 , C 1 , C 2 , ….., Cn-1 = E(K, P) = E[(k 0 , k 1 , k 2 , ……., km-1), (p 0 , p 1 , p 2 , …., pn-1)] = (p 0 + k 0 )mod 26, (p 1 + k 1 )mod 26, …….., (pm-1 + km-1)mod 26, (pm + k 0 )mod 26, (pm+1 + k 1 )mod 26, c, (p2m-1 + km-1)mod 26, …… Thus, the first letter of the key is added to the first letter of the plaintext, mod 26, the second letters are added, and so on through the first m letters of the plaintext. For the next m letters of the plaintext, the key letters are repeated. This processcontinues until all of the plaintext sequence is encrypted. A general equation of the encryption process is Ci = (pi + kimod m) mod 26 Similarly, decryption is pi = (Ci - kimod m) mod 26 To encrypt a message, a key is needed that is as long as the message. Usually, the key is a repeating keyword. For example, if the keyword is deceptive, The message “we are discovered save yourself” is encrypted as key:deceptivedeceptivedeceptive plaintext: wearediscoveredsaveyourself ciphertext: ZICVTWQNGRZGVTWAVZHCQYGLMGJ key 3 4 2 4 15 19 8 21 4 3 4 2 4 15 plaintext 22 4 0 17 4 3 8 18 2 14 21 4 17 4 ciphertext 25 8 2 21 19 22 16 13 6 17 25 6 21 19
Eventhisschemeisvulnerabletocryptanalysis.Becausethekeyandtheplaintextsharethesamefrequenc y distribution of letters, a statistical technique can be applied. Vernam Cipher Figure 2.7 Vernam Cipher His system works on binary data (bits) rather than letters. The system can be expressed succinctly as follows (Figure): ci= pi⊕ki where pi = ith binary digit of plaintext ki = ith binary digit of key ci = ith binary digit of ciphertext ⊕ = exclusive-or (XOR) operation Thus, the ciphertext is generated by performing the bitwise XOR of the plaintext and the key. Because of the properties of the XOR, decryption simply involves the same bitwise operation: p (^) i = ci ⊕ki. The essence of this technique is the means of construction of the key. Vernam proposed the use of a running loop of tape that eventually repeated the key, so that in fact the system worked with a very long but repeating keyword. Although such a scheme, with a long key, presents formidable
cryptanalytic difficulties, it can be broken with sufficient ciphertext, the use of known or probable plaintext sequences, or both
One-Time Pad
An Army Signal Corp officer, Joseph Mauborgne, proposed an improvement to the Vernam cipher that yields the ultimate in security. Mauborgne suggested using a random key that is as long as the message, so that the key need not be repeated. In addition, the key is to be used to encrypt and decrypt a single message, and then is discarded. Each new message requires a new key of the same length as the new message. Such a scheme, known as a one-time pad, is unbreakable. It produces random output that bears no statistical relationship to the plaintext. Because the ciphertext contains no information whatsoever about the plaintext, there is simply no way to break the code. Anexampleshouldillustrateourpoint.SupposethatweareusingaVigenère scheme with 27 characters in which the twenty-seventh character is thespace character, but with a one-time key that is as long as the message. Considertheciphertext ANKYODKYUREPFJBYOJDSPLREyIUNOFDOIUERFPLUYTS Wenowshowtwodifferentdecryptionsusingtwodifferentkeys: ciphertext:ANKYODKYUREPFJByOJDSPLREYIUNOFDOIUERFPLUYTS key: pxlmvmsydofuyrvzwctnlebnecvgdupahfzzlmnyih plaintext:mrmustardwiththecandlestickinthehall ciphertext:ANKYODKYUREPFJBYOJDSPLREYIUNOFDOIUERFPLUYTS key: pftgpmiydgaxgoufhklllmhsqdqogtewbqfgyovuhwt plaintext:missscarletwiththeknifeinthelibrary Suppose that a cryptanalyst had managed to find these two keys. Two posssibleplaintextsareproduced.Howisthecryptanalysttodecidewhichisthecorrectdecryption (i.e., which is the correct key)? If the actual key were produced in a trulyrandomfashion,thenthecryptanalystcannotsaythatoneofthesetwokeysismorelikelythanthe other.Thus,thereisnowaytodecidewhichkeyiscorrectandthere-forewhichplaintextiscorrect. Infact,givenanyplaintextofequallengthtotheciphertext,thereisakeythatproduces that plaintext. Therefore, if you did an exhaustive search of all possiblekeys, you would end up with many legible plaintexts, with no way of knowing whichthe intended plaintext was.Therefore,thecodeisunbreakable. The security of the one-time pad is entirely due to the randomness of the key. If the stream of characters that constitute the key is truly random, then the stream of characters that constitute the ciphertext will be truly random. Thus, there are no patterns or regularities that a cryptanalyst can use to attack the ciphertext. In theory, we need look no further for a cipher. The one-time pad offers complete security but, in practice, has two fundamental difficulties:
Motivation for the Feistel Cipher structure
A block cipher operates on a plaintext block of n bits to produce a ciphertext block of n bits. There are 2n^ possible different plaintext blocks and, for the encryption to be reversible (i.e., for decryption to be possible), each must produce a unique ciphertext block. Such a transformation is called reversible, or non singular. The following examples illustrate non singular and singular transformations for n = 2. In the latter case, a ciphertext of 01 could have been produced by one of two plaintext blocks. So reversible mappings, the number of different transformations is 2n!. Figure 3.2 illustrates the logic of a general substitution cipher for n = 4. A 4-bit input produces one of 16 possible input states, which is mapped by the substitution cipher into a unique one of 16 possible output states, each of which is represented by 4 cipher text bits. The encryption and
decryption mappings can be defined by a tabulation, as shown in Table 3.1. This is the most general form of block cipher and can be used to define any reversible mapping between plaintext and ciphertext. Figure 3.2 General n-bit-n-bit Block Substitution (shown with n = 4) Table 3.1 Encryption and Decryption Tables for Substitution Cipher of Figure 3. Feistel refers to this as the ideal block cipher , because it allows for the maximum number of possible encryption mappings from the plaintext block [FEIS75]. But there is a practical problem with the ideal block cipher. If a small block size, such as n = 4, is used, then the system is equivalent to a classical substitution cipher. Such systems, as we have seen, are vulnerable to a statistical analysis of the plaintext. This weakness is not inherent in the use of a substitution cipher but rather results from the use of a small block size. If n is sufficiently large and an arbitrary reversible substitution between plaintext and ciphertext is allowed, then the statistical characteristics of the source plaintext are masked to such an extent that this type of cryptanalysis is infeasible. An arbitrary reversible substitution cipher (the ideal block cipher) for a large block size is not practical, however, from an implementation and performance point of view. For such a transformation, the mapping itself constitutes the key. Consider again Table 3.1, which defines one
