# Notes

## Information Security

Information security means protecting *information* and *information systems* form unauthorized access, use, disclosure, disruption, modification, or destruction.

**Computer Security**: deals with the prevention and detection of unauthorized actions by users of a computer system.*Authorization*is central to definition. Sensible only relative to a*security policy*which states who (or what) may perform which actions.**Network Security**: consists of the provisions made in an underlying computer network infrastructure, policies adopted by the network administrator in order to protect the network and network-accessible resources from unauthorized access.**Information Security**: is even more general: it deals with information independently from computer systems. Remember that information is more abstract than data. Data conveys information, but information can be found without revealing underlying data.

### e-Hermitism vs e-Society

The only secure computer is one that is switched off, unplugged in a block of concrete etc.. But, we want and have an e-society where information is shared. **Is your data worth protecting?**.

## Agents (a.k.a Principals)

**Honest Agents/Principals**:

- Alice
- Bob
- Carol

**Dishonest Agents/Principals (Adversaries/Attackers)**:

- Eve (Only eavesdrops)
- Charlie
- Mallory
- Zoe

**Trusted and/or Neutral**:

- Simon (Trusted Server)
- Trent (Trusted Server)
- Peggy (Prover and Verifier)
- Victor (Prover and Verifier)

## Confidentiality, Privacy, Anonymity, Integrity

**Confidentiality**: Information is not learned by unauthorized principals.**Privacy**: You choose what you let other people know. Confidentiality of information that you don’t want to share.**Anonymity**: A condition in which your true identity is not known. Confidentiality of your identity.**Anonymity Set**: You can be anonymous in a group if your actions cannot be distinguished from anyone else in the group. This is known as an anonymity set.**Integrity**: Information has not been maliciously altered.**Availability**: Data or services can be accessed in a reliable and timely way.**Accountability**: Actions can be traced to responsible principals.**Non-repudiation**: Actions done cannot be denied by the principal.**Authentication**: Principals or data origin can be identified accurately.

## Security as risk minimisation

### Common Criteria

- Classification depicts fundamental concepts and interrelationships.
- Policy (here implicit) defines authorized actions on assets. i.e. what constitutes abuse.
- Security concerns the protection of
**assets**from**threats**. Threats are the potential for abuse of assets. - Owners value their assets and want to protect them.
**Threat agents**also value assets and seek to abuse them. **Owners**analyse threats to determine which ones apply. These are the**risks**that can be cost. This helps the selection of**countermeasures**, which reduce the**vulnerabilities**.- Vulnerabilities may remain leaving some residual risk; owners seek to minimise that risk, within other constraints (feasibility, expense).

Note: The above common criteria regards threats related to both malicious and accidental human activities. Usually we focus on malicious activity.

## Basic concepts

**Cryptology**: The study of secret writing.**Steganography**: The science of hiding messages in other messages.**Cryptography**: The science of secret writing.**Cryptanalysis**: The science of recovering the plaintext from a ciphertext without the key.

### A general model for (network) security

A *message* is to be transferred *from one principal to another* across a network. The two principals must cooperate for the exchange to take place. A logical *information channel* is established by defining a route through the network from source to destination and by the principals use of communication protocols e.g. TCP/IP.

A *trusted third-party* may be needed to achieve secure transmission.

The general model shows 4 basic tasks:

- Design an algorithm for performing security-related transformation. The algorithm should be such that an opponent cannot defeat its purpose.
- Generate the secret information to be used with the algorithm.
- Develop methods for the distribution and sharing of the secret information.
- Specify a protocol to be used by the two principals that makes use of the security algorithm and the secret information to achieve a particular security service.

#### Terminology

Word | Meaning |
---|---|

plaintext | Text that can be read and understood. |

Encryption | Transformation (function) that takes an input (commonly plaintext) and a key that generates a ciphertext. |

ciphertext | Transformed (scrambled) text that needs to be processed/decrypted to be understood. |

Decryption | Transformation (function) that takes an input (commonly ciphertext) and a key the generates a plaintext. |

Cipher | A function/algorithm for performing encryption/decryption. |

### Kerckhoff’s “La Cryptographie Militaire”

**Security depends only on secrecy of the key, not on the algorithm**

### A Mathematical Formalisation

Symbol | Meaning |
---|---|

The alphabet, a finite set. | |

The message space. is a plaintext (message). | |

The ciphertext space, whose alphabet may differ from | |

denotes the key space of keys. |

- Each determines a bijective function from to , denoted by . is the
*encryption function*or (*transformation*). We will write , which is the same as . - For each , denotes a bijection from to . is the
*decryption function*. - Applying (or ) is called
*encryption*(or*decryption*).

### Requirements for Symmetric-key Encryption

An encryption scheme and is *symmetric-key* if for each associated pair it is computationally “easy” to determine knowing only and to determine from . In practice .

The sender and recipient share a common-key.

**Requirements**:

- A strong encryption algorithm.

- Minimum: An attacker should be unable to decipher the ciphertext or key given the algorithm and one or more ciphertexts.
- Stronger: An attacker should be unable to decipher ciphertext or key given a collection of ciphertexts and their corresponding plaintexts.

- Sender and received must obtain copies of the secret key in a secure fashion and must keep the key secure.

- Anyone who knows the key can decrypt all communication using that key.

Because we only need to keep the key secret and the algorithm can be public, this makes symmetric encryption feasible for widespread use.

### 3 Characteristics of a Cryptographic System

- Type of operations used to transform plaintext into ciphertext. All encryption algorithms are based on two general principles:

**Substitution**: Each element in plaintext is mapped to another element.**Transposition**: Elements in the plaintext are rearranged.

Most systems involve multiple stages of substitutions and transpositions. 2. Number of keys used.

- Symmetric: 1 key shared.
- Asymmetric: 2 key-pairs.

- Way in which plaintext is processed.

**Block cipher**: Process input one block at a time, producing an output block for each input block.**Stream cipher**: Process input continuously producing one output element at a time as input comes in. The block length is 1.

## Cryptanalysis and Brute-forcing

**Cryptanalysis**: Attacks rely on the nature of the algorithm plus perhaps some knowledge on general characteristics of the plaintext. Exploits the the characteristics of the algorithm to attempt to deduce a specific plaintext or key.

**Brute-force attack**: Attacker tries every possible key on a piece of ciphertext until an intelligible translation into plaintext is obtained. On average, half of the key-space must be tried.

### Model of Attack (Not many marks)

- Input: Whatever the adversary knows from the beginning. e.g. public key, distribution of plaintexts etc.
- Oracle: Models the information an adversary can obtain during an attack. Different kinds of information characterize different types of attacks.
- Output: Whatever the adversary wants to compute, e.g. secret key, partial information of plaintext.

## Types of Attack

Type of Attack | Known to Cryptanalyst |
---|---|

ciphertext Only | - Encryption Algorithm - ciphertext |

Known plaintext | - Encryption Algorithm - ciphertext - One or more plaintext-ciphertext pairs formed with the secret key |

Chosen Plaintext | - Encryption Algorithm - Ciphertext - Plaintext chosen by the Cryptanalyst together with its corresponding ciphertext. |

Chosen Ciphertext | - Encryption Algorithm - Ciphertext - Ciphertext chosen by the Cryptanalyst together with its corresponding plaintext. |

Chosen Text | - Encryption Algorithm - Ciphertext - Both plaintext/ciphertext chosen by the Cryptanalyst together with its corresponding ciphertext/plaintext. |

### Classification of Security

#### Unconditional Security

Algorithm is secure even if attacker has unbounded computing power since the ciphertext provides insufficient information to uniquely discover the corresponding plaintext.

- Security is measured using
*information theory*. - With exception of one-time pad, there is no unconditionally secure encryption algorithm.
- Hence, strive for algorithm that meets one or both of (Algorithm is
**computationally secure**if either of these are met):- Cost of breaking cipher exceeds value of encrypted information.
- Time required to break cipher exceeds useful lifetime of information.

#### Conditional Security

System can be broken in principle, but this requires more computing power than a realistic attacker would have.

- Security is measured using
*complexity theory*.

## Substitution Techniques

*A substitution technique is one in which the letters of plaintext are replaced by other letters or numbers or symbols.* If the plaintext is viewed as a sequence of bits, then substitution involves replacing plaintext bit patterns with ciphertext bit patterns.

### Mono-alphabetic substitution ciphers

A single cipher alphabet (mapping from plain alphabet to cipher alphabet) is used per message.

#### Caesar Cipher

Earliest known, simplest, substitution cipher (used by Julius Caesar). Used by shifting characters in the plaintext a specified amount of characters in the alphabet such that:

Where is the message and is a secret number, decryption is simple done with:

##### Brute-forcing

Brute-forcing this cipher is very easy as we can just try all possible 25 keys. This is possible as:

- The encryption/decryption algorithms are known.
- There are only 25 keys to try.
- The language of the plaintext is known and easily recognizable.

Brute-forcing is normally impractical if:

- the algorithm employs a large key space
- the language of the plaintext is unknown
- The output is compressed/abbreviated

#### Security of Mono-alphabetic substitution ciphers

Key spaces are huge ( possible keys). However it is easy to crack using frequency analysis. The ciphertext still holds some information about the structure of the plaintext.

We can count the occurrences of a single cipher-character and make reasonable assumptions about what that character could mean in the plaintext.

### Homophonic substitution ciphers

A solution to the aforementioned frequency analysis is to use a homophonic cipher where each character in the plaintext alphabet can be mapped to multiple characters in the ciphertext alphabet. This results in more work decryption.

#### Security of Homophonic substitution ciphers

Unfortunately cryptanalysis is still straightforward with homophones as we can use digram frequencies to analyse multi-letter patterns which still survive in the ciphertext.

To lessen the extent of the structure of plaintext making its way into the plaintext, we can:

- encrypt multiple letters of plaintext (Playfair Cipher)
- Use multiple cipher alphabets (Polyalphabetic substitution - Viginere cipher)

## Playfair Cipher

- Uses a matrix of letters constructed using a keyword. e.g. if
`MONARCHY`

is the keyword we have:

**The plaintext is encrypted two letters at a time**:

- If a pair is a repeated letter, insert filler like
`X`

(e.g.`BALLOON`

`BA LX LO ON`

). Add an`X`

at the end if necessary. - If both letters fall in the same row, replace each with the letter letter to the right, wrapping back to start from end (e.g.
`AR`

is encrypted as`RM`

). - If both letters fall in the same column, replace each with the letter below it, wrapping top to bottom (e.g.
`MU`

is encrypted as`CM`

). - Otherwise each letter is replaced by the letter in the same row and inthe column of the other letter of the pair. (e.g.
`HS`

becomes`BP`

,`EA`

becomes`IM`

or`JM`

).

### Security of the Playfair cipher

- Much improved over mono-alphabetic: digrams vs letters.
- Would need a entry frequency table analyse and correspondingly more ciphertext.

However, breaking this cipher is still relatively easy:

- It still leaves much of the structure of the plaintext language intact.
- A few hundred letters of the ciphertext is generally sufficient enough to break the cipher.

## Polyalphabetic Substitution Ciphers

Use different mono-alphabetic substitutions as one proceeds through the plaintext message. The best known is the Viginere cipher.

### Vigenere cipher

- Use of a Vigenere
*tableau*. - The key has to be as long as the message (usually a repeating word).
- The key makes up the mod value in the caesar cipher for each character.

e.g.:

```
1key: deceptivedeceptivedeceptive
2plaintext: wearediscoveredsaveyourself
3ciphertext: ZICVTWQNGRZGVTWAVZHCQYGLMGJ
```

Expressed numerically:

Key | 3 | 4 | 2 | 4 | 15 | 19 | 8 | 21 | 4 | 3 | 4 | 2 | 4 | 15 |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|

Plaintext | 22 | 4 | 0 | 17 | 4 | 3 | 8 | 18 | 2 | 14 | 21 | 4 | 17 | 4 |

Ciphertext | 25 | 8 | 2 | 21 | 19 | 22 | 16 | 13 | 6 | 17 | 25 | 6 | 21 | 19 |

**Strength**: multiple ciphertext letters for each plaintext letter, one for each unique letter of the keyword, therefore letter frequency information is obscured.- However not all knowlege of the plaintext structure is lost. (See
`VTW`

has been repeated when matchings in the key and plaintext are repeated). It is better than Playfair though.

### Vernam Cipher (XOR)

Properties of XOR:

so that:

XOR can be used as a polyalphabetic cipher:

#### Usage

The binary digit of the plaintext is XOR’d with the keystream to produce a ciphertext, .

This is difficult to break if the key is long, but is still breakable with a sufficient amount of ciphertext as we can use known/probable plaintext sequences.

### Perfect Secrecy (Maybe)

*Needs externally sourced work**

Before a ciphertext is intercepted, an attacker can only guess what the message is. Once the message is intercepted, the attacker could guess the key, but as there are the same amount of keys as messages; the attacker may as well just guess the message. The attacker has gained no more knowledge after intercepting the message.

#### One Time pad

Use a truly random key that is as long as the message, so that the key need not be repeated and, used to encrypt and decrypt a single message and then discarded.

- Each new message requires a new key of same length as .
- Produces random output with no statistical relation to plaintext.
**Unbreakable**: contains no information whatsoever about .

One-time pad is the only cryptosystem that exhibits *perfect secrecy*.

**Difficult in practice**:

- Making large quantities of random keys.
- Key distribution and protection, where for every message to be sent, a key of equal length is needed by both sender and receiver.

Hence the one-time pad is limited in utility but useful for low-bandwidth channels requiring very high security. (Moscow-Washington communication was previously secured this way).

## Transposition Ciphers

Perform some sort of permutation on the plaintext letters. Works on blocks of letters of the plaintext.

### Rail-fence cipher

Plaintext is written down as a sequence of diagonals and then read off as a sequence of rows.

e.g. with rail fence of depth 2:

```
1plaintext: meet me after the toga party
2
3m e m a t r h t g p r y
4 e t e f e t e o a a t
5
6ciphertext: mematrhtgpryetefeteoaat
```

### Rotating(turning) grilles

Uses a mask “grille” with pre-cut holes.

Encoder writes plaintext in holes, removes masks then fills the remainder with blind, filler text so that it appears as an innocuous message.

Decrypter must possess an identical mask (or know the spacing that created it).

This is an example of Steganography but provides basis for transposition.

### Multi-stage transposition cipher

**Write the message in a rectangle, row-by-row, and read the message off column by column, but permute the order of the columns**

e.g. with key `4312567`

:

```
1Key: 4 3 1 2 5 6 7
2Plaintext: a t t a c k p
3 o s t p o n e
4 d u n t i l t
5 w o a m x y z
6Ciphertext: ttnaaptmtsuoaodwcoixknlypetz
```

This can be made significantly more secure by performing more than one round of transposition. e.g.

```
1Key: 4 3 1 2 5 6 7
2Plaintext: t t n a a p t
3 m t s u o a o
4 d w c o i x k
5 n l y p e t z
6Ciphertext: nscyauopttwltmdnaoiepaxttokz
```

- Multiple stages of encryption can produce an algorithm that is significantly more difficult to cryptanalyze.

## Steganography

Is all about concealing the existence of a message.

e.g.:

- Invisible ink
- pin punctures
- arrangement of words and letters (more complex anagrams)
- least significant bits of pixels in an image

#### Disadvantages with respect to encryption

- Requires a lot of overhead to hide a message.
- Once the system is discovered, it becomes worthless.

#### Advantages with respect to encryption

- Can be employed by parties with something to lose (that they are actually communicating in secret) should the fact of their secret communication be discovered.
- Encryption flags traffic as secret/important and may identify the sender/receiver as someone with something to hide.

## Composite (Product) ciphers

Substitution and transposition ciphers can be combined together to be more secure than single/multiple iterations of the same transposition/substitution cipher. MIX THEM UP.

**Execution of 2 or more simple ciphers in sequence so that the result (product) is cryptographically stronger than any of the component ciphers.**

### Feistel cipher

Many symmetric block encryptions in current use are based on a structure called **Feistel block cipher**.

The Feistel cipher alternates between substitutions (s-box) and transpositions(permutation (p-box)).

**Design features/parameters**:

- Block size:
- Larger means greater security but decreased en/decryption speed. Traditionally 64-bit offers a reasonable trade-off but the new AES standard uses a 128-bit block size.
- Greater security achieved by greater diffusion.

- Key Size:
- Larger increases security but
*may*reduce en/decryption speed. - Greater security.

#### Block Cipher

Encrypts -bit plaintext into -bit ciphertext.

- There are possible different plaintext blocks.
- If limited to reversible mappings, different transormations.
- The encryption must be reversible (for decryption to be possible).

e.g. for . ciphertext `01`

could come from plaintext `10`

or `11`

. It is a bijective mapping, i.e. we can go from and .

##### Problems of Block cipher

- A small block size is equivalent to classical substitution ciphers and thus easily attackable.
- A large block size is impractical for performance.

Feistel suggests an invertible product cipher. i.e. approximation to ideal block cipher for large , built out of easily recognizable components.

### 4 Rules to Remember

- (meaning that and ).
- Encryption: and .
- Decryption: and .
- There is a swap at the end of encryption and at the start of decryption (, , , )

2 and 3 can be determined from the fiestel diagrams.

### DES

- Block size: 64 bits

#### S-boxes and P-boxes

**S-boxes**:*confuse*input bits.**P-boxes**:*diffuse*bits across S-box inputs.

- Partition block into two halves.
- Process through multiple (16) rounds which:

- Perform a substitution on the left data half (based on round function of right half and subkey).
- then a permutation swapping halves.

#### DES Keys

If a 64-bit DES key is divided into 8 bytes, then sum of the 8 bits in each byte is odd.

This means that only 56 bits are needed because 7 of the 8 bits are used to determine the 8th bit in each byte. This also allows transmission errors of 1 bit can be spotted.

### DES Security

#### Meet-in-the-Middle attack (2DES)

Given a known Plaintext and Ciphertext, we can find all possible encryptions of the Plaintext encrypted by (). We can store these sorted in a table. We can then find all possible decryptions () of the Ciphertext decrypted by and look for a match. Each hit would be a candidate solution which can be validated with another plain/cipher pair. And this effort will succeed on operations, even though we have 2 56-bit keys (112-bits).

#### 3DES

Uses 3 stages of encryption with 2 keys .

- Encrypt ()
- Decrypt ()
- Encrypt ()

Maintains compatibility with standard DES (). And there is no practical attack. A brute force search takes operations.

3DES is not compatible with 2DES but is compatible with DES as

## Block/Stream Cipher modes of operation

We pad blocks with `0`

s!

Stream ciphers can be more desirable than block ciphers as the ciphertext will be the same length as the plaintext.

### ECB (Block)

Each block (64-bits) is encoded independently using the same key.

Is ideal for short amounts of data such as encryption keys.

### CBC (Block)

The input to the encryption algorithm is: previous 64 bits of ciphertext XOR next 64 bits of plaintext.

Is ideal for encrypting messages longer than bits.

**Encryption**:

**Decryption**:

**Proof of correctness**:

Via Encryption:

Via Decryption:

### CFB (Stream)

Input is processed bits at a time. Previous ciphertext is used as input to the encryption algorithm which produces pseudorandom output. This is XORed with the next plaintext to produce the next unit of output.

**Encryption**

**Decryption**

### OFB (Stream)

Similar to CFB, except that the input is the previous ciphertext and full blocks are used.

## Public Key Cryptography

Let and form an encryption scheme. Given transformation pairs and , it is infeasible to find an such that . This implies that it is infeasible to also determine from , hence is a trap-door one-way function with as the trap-door. can be public information.

It has 3 main uses:

- Encryption/Decryption
- Digital Signatures
- Key Exchange: exchanging a symmetric(session) key.

### Comparison with Symmetric-key encryption

**Symmetric-key**

```
1Needed to work:
21. The same algorithm with the same key is used for encryption/decryption.
32. The sender and received must share the algorithm and key.
4
5Needed for security:
61. The key must be kept secret.
72. It must be impossible (or at least impractical) to decipher a message if no other information is available.
83. Knowledge of the algorithm and having ciphertext samples must be insufficient to determine the key.
```

**Asymmetric-key**

```
1Needed to work:
21. One algorithm used for encryption/decryption with pair of keys. One for encryption and one for decryption.
32. The sender and receiver must each have a unique key-pair.
4
5Needed for security:
61. One of the two keys must be kept secret.
72. It must be impossible or at least impractical to decipher a message if no further information is available.
83. Knowledge of the algorithm plus one of the keys and ciphertext samples must be insufficient to determine the other key.
```

### Requirements for Public-key Cryptography

- It is computationally easy for any principal to generate a pair (public key , private key ).
- It is computationally easy for sender , knowing and , to generate .
- It is computationally easy for receiver to decrypt using to recover : .
- It is computationally infeasible for an adversary:

- Knowing to determine .
- Knowing and to recover .

- It is useful for the keys to be applicable in any order: .

### Functions

#### One-way function

A function is a **one-way function**, if is *easy* compute for all , but is *hard* or *infeasible* to compute.

e.g:

- square root
- modular cube root

#### Trapdoor one-way function

A **trapdoor one-way function** is a one-way function where, given extra information , it is feasible to find, for an where . Hence a trapdoor one-way functions holds:

- is easy if and are known.
- is easy if and are known.
- is infeasible if is known but is not.

### Number Theory

#### Prime Factorisation

When we **factor** a number, we write it as a product of other numbers. Multiplying numbers is easy, but **factoring** them is currently hard. **prime factorisation** is writing a number as a product of prime numbers.

#### Relatively Prime Numbers and Greatest Common Divisor (gcd)

Two natural numbers are **relatively prime** if they have no **common** factors apart from 1. i.e. Their *Greatest Common Divisor* is 1. .

e.g. and are relatively prime:

- Factors of :
- Factors of :

#### Euclid’s Algorithm and Extended Euclid’s Algorithm

##### Euclid’s Algorithm

Based on the theorem: for any positive integers and .

```
1Euclid(a, b):
2 if b == 0:
3 return a
4 else:
5 return Euclid(b, a % b)
```

##### Extended Euclid’s Algorithm

We use extended euclid’s algorithm to compute integer coefficients such that .

```
1Extended-Euclid(a, b):
2 if b == 0:
3 return (a, 1, 0)
4 else:
5 (d', x', y') = Extended-Euclid(b, a % b)
6 (d, x, y) = (d', y', x' - ([a/b] * y'))
7 return (d, x, y)
```

**Quotient**: . The result without remainder. e.g. because goes into once remainder .

First 3 columns for finding (Greatest Common Divisor). Last 3 columns for Extended Euclid’s Algorithm.

**REMEMBER** (going backwards):

#### Modular Arithmetic

**Remainder**: Modulo gives us the remainder. .

**Congruent modulo**: are congruent modulo if . This is written as .

#### Fermat’s Little Theorem

For a given and , if they are:

- relatively prime.
- is prime.

then .

**Proof**:

- Consider the set of positive integers less than .
- Multiply each element by to get the set .
- Observe that none of the elements in are because does not divide .
- No two of the integers in are equal:

- Assume that for .
- and are relatively prime so we can eliminate from both sides and obtain . This is impossible as we assumed that and are both positive integers less than , with .

- From this, we know that the elements of are all positive integers with no two elements equal.
- Hence, consists of the set of integers in some order.
- Multiplying the numbers in both sets, and taking the result yields:

- As is prime, is relatively prime to ; so cancelling the yields as desired.

#### Euler’s Totient Function and Euler’s Theorem

**Properties**:

- .
- if is prime.
- if and are prime and .

**Euler’s Theorem**: for all such that .

### RSA

- (relative prime)
- (calculate using Extended Euclid’s algorithm)

and are public. is secret.

**Encryption**: .

**Decryption**: .

#### Requirements

- It is possible to find values of such that for all .
- It is relatively easy to calculate and for all values of .
- It is infeasible to determine given and .

**Example**:

Consider the primes and . Calculate and

For this we should know:

Explain which of the values or is usable as a public key for this given .

We have to choose an where and .

Let’s try first.

As we can see, . Let’s try just to show the difference.

As we can see, , therefore is **NOT** suitable. is suitable.

Use the Extended Euclid’s algorithm to calculate with the you have chosen.

We find our by finding the top value of in our previous table. We use the following rules (going backwards)

We get , therefore .

Encrypt and then decrypt the resulting ciphertext.

We use .

**Decryption**:

Using .

#### Correctness of RSA

We must show that exists such that

It can be shown that the above equation holds if and are multiplicative inverses :

This is true only if and are relatively prime to .

### Diffie-Hellman

Based on discrete-logarithms where it is difficult to calculate an such that . Advantageous over RSA because the key, , is never transmitted, it is calculated by both parties.

**Remember**:

where:

- is each principal’s randomly generated number.
- and are public.
- is the computed key for
*Alice*and*Bob*.

*Alice*generates and calculates and sends it to*Bob*.*Bob*generates and calculates and sends it to*Alice*.*Bob*also calculates .*Alice*calculates .

#### Man-in-the-middle attack

As the keys are **unauthenticated**, the Diffie-Hellman key exchange is vulnerable to a Man-in-the-middle attack.

An attacker, can intercept and forward messages so that shares a key with and shares a key with .

- prepares to randomly generated private keys and . They also calculate the corresponding public keys and .
- generates and transmits to .
- intercepts and transmits to . calculates as the key to share with .
- receives , generates and calculates .
- transmits to .
- intercepts and transmits to . calculates .
- receives and calculates .

Now we end up with shared secret keys and .

#### Group Diffie-Hellman

- Alice, Bob and Carol all generate their random large private integer , , respectively and calculate their public integer .
- Each agent sends another agent’s public integer raised with their private key to another agent (in a circular chain).

- Alice sends Carol’s public integer raised with her private integer () to Bob.
- Bob sends Alice’s public integer raised with his private integer () to Carol.
- Carol sends Bob’s public integer raised with her private integer () to Alice.

- Each agent calculates the shared key by raising what they receivied with their private integer.

- Alice calculates .
- Bob calculates .
- Carol calculates .

#### El-Gamal variant of Diffie-Hellman

El Gamal is a sped up version of DH where agent , can respond to with an encrypted message. In the following protocol:

- . calculates and sends it to .
- . calculates
**AND**computes the shared key and uses it to encrypt a message . - calculates to get the shared key .

### Massey-Omura scheme

Both attach locks to messages (from everyday Cryptography).

## Message Integrity & Cryptographic hashes

### Hash vs Cryptographic Hash functions

#### Hash functions

A **hash function** has the properties:

*Compression*: maps an input of arbitrary bit length to an output of fixed bit length .- Polynomial time computable.

#### Cryptographic Hash functions

is a **cryptographic** hash function if it is **additionally**:

- One-way (preimage resistant)
- Either:

- 2nd-preimage resistant. It is infeasible to find a second input that has the same output as another input.
- Collision resistant.

## Message Authentication

a.k.a *data-origin authentication*, different to *entity authentication*.

Prevents an adversary from changing who appears to have sent the message.

*Message authentication* implies *message integrity*

**2 options**:

- MACs (without non-repudiation)
- Digital Signatures (includes non-repudiation)

### Message Authentication Codes (MACs)

A MAC algorithm is a family of hash functions parameterised by a secret key . The must be **computation-resistant** (given zero or more MAC pairs (, )), it is infeasible to compute (, ) for any new input .

Alice and Bob can share a secret-key that they both use to generate a hash of the message. Alice sends the message along with the hash to Bob, and Bob can hash the message and compare his result with the hash that Alice sent. An attacker Charlie cannot alter the message as he does not know the secret .

MACs do not offer non-repudiation as anyone with the key can generate MACs for arbitrary messages.

### Digital Signatures

Use asymmetric cryptography to prove *data origin*. This can be based on reversible(Encryption/Decryption is the same function) public-key cryptosystems (such as RSA).

**Forgery**

An attacker can select a random signature from the signature space and find the corresponding message. The entity didn’t sign this message, but will be able to find messages that they do not want signed. Digital Signatures are only considered secure when the message space is sufficiently small.

## Authentication Protocols

### Needham-Schroeder (NSPK)

is a nonce (a random number used only once).

#### Man-in-the-middle attack on Needham-Schroeder

An attacker can perform the protocol with both and and forward the response. i.e. he plays the game with both principals at the same time copying their moves. The problem is that in step 2, only sends . This doesn’t tie his nonce to a name and so anyone can take it. The solution is for to send .

### Kerberos

Is a protocol for authentication in open distributed environments.

**Requirements**:

- Secure: An eavesdropper should not be able to impersonate users.
- Reliable: Lots of services rely on Kerberos for access control, therefore it must highly reliable.
- Transparent: Users should only need a single password to obtain access to services. (Singe sign-on)
- Scalable: The system should be able to scale to support large amounts of users.

#### Steps

**KAS**: Kerberos Authentication Server.

**TGS**: Ticket Granting Server.

- User logs onto workstation and requests service on host.
- KAS verifies user’s access rights in database, creates ticket-granting ticket and session key. Results are encrypted using key derived from user’s password.
- Workstation prompts user for password and uses password to decrypt incoming message, then sends ticket and authenticator that contains user’s name, network address and time to TGS.
- TGS decrypts ticket and authenticator, verifies request, then creates ticket for requested server.
- Workstation sends ticket and authenticator to server.
- Server verifies that ticket and authenticator match, then grants access to service. If mutual authentication is required, server returns an authenticator.

#### Limitations of Kerberos 4

- Encryption is not needed, but an attacker can flood the KAS with requests.
- Double encryption is redundant.
- Relies on uncompromised and synchronised clocks. If a host is compromised, then the clock can be adjusted and replay attacks are easy.

## Passwords

**Authentication**: The verification of identity of a person or system. Methods for authentication are usually:

*something you have*: e.g. an entrycard*something you know*: e.g. a password*something you are*: e.g. fingerprint, signature

**Strong authentication**: Cryptographic challenge-response protocols. One entity *proves* its identity to another entity by demonstrating knowledge of a secret known to be associated with that entity without revealing the secret itself to the verifier.

**Weak authentication**: Conventional password schemes.

### PIN numbers

Fixed (time-invariant) passwords. Used in conjunction with *something you have*.

### Multi Factor Authentication (MFA)

The user has to successfully present authentication factors from at least 2 of the 3 aforementioned categories (*something you have*, *something you know*, *something you are*).

### One-time passwords

Fixed password schemes are vulnerable to replay attacks via eavesdropping. A partial solution is to use **one-time passwords**, where each password is only used/accepted once.

**Variations**:

: User and system use a set of secret passwords which are only valid once.**Shared lists**: Initially only a secret password is shared, then during authentication, the user sends a new encrypted password.**Sequentially updated one-time passwords**.**One-time password sequences based on a one-way function**

### Fiat-Shamir ZKP

**Principals**:

- Prover Peggy
- Verifier Victor
- Trusted Third Party Trent

**Setup**:

- Trent chooses large primes and calculates .
- is public, whereas are secret.
- Peggy chooses a secret such that and calculates . is kept private and is public.

Peggy aims to convince Victor that she knows without telling Victor what is.

**Verification**:

- Peggy chooses a random number
, such that . Peggy calculates the**commitment**, and sends it to Victor.**witness** - Victor sends the
, to Peggy where is either or .**challenge** - Peggy calculates the
, to show that she knows her private key .**response** - Victor calculate and . If these values are congruent, then Peggy knows the value of or she has calculated the value through dishonest means.

These 4 steps constitute a * round* which is repeated several times with different random

*, where Peggy must pass each round to be verified.*

**challenges**## Security Protocols

A **protocol** consists of a set of rules (conventions) that determine the exchange of messages between two or more principles. In short, a **distributed algorithm** with emphasis on communication.

**Security** (or cryptographic) protocols use cryptographic mechanisms to achieve security objectives.

## Social Engineering

The weakest link in a secure system is usually the human being.

## Revision lecture

### Exam

4 questions. Must answer first question, pick 2 of the other 3 questions.

- Proof of theorems.

### Lecture 1

- Terminology
- Define security properties (what is confidentiality, integrity etc.) + Draw a diagram. What is an attack/defence?
- Privacy & Anonymity, Anonymity set.
- Know what is risk minimisation. Not expected to reproduce diagram.
- Don’t need to know about OWASP

### Lecture 2

- Encryption/Decryption with simple ciphers
- Terminology. e.g. what is the difference between asymmetric and symmetric encryption. Must know slide 20, 21, 22.
- Requirements for symmetric encryption.
- What is a substitution, transposition, reversability.
- Difference between block and stream-ciphers
- Model of Attack (41 - not many marks)
- Types of attack (43)
- Caesar Cipher (a=0, z=25)
- No brute-forcing of ciphertexts. But may be given a cipher and asked for its characteristics.
- Mono-alphabetic and Homophonic cipher definitions.
- Playfair, Vigenere (No questions on ciphers from coursework! :D), security and pitfalls.
- Vernam (XOR)
- Perfect secrecy (maybe)
- One-time pad. Definition. Think about one-time pad, Reasoning on whether some keys are good keys (based on properties.)
- Transposition ciphers (substitution, rail-fence). No rotating grilles (how does it work).
- A more complex transposition cipher (115) and multi-stage.
- Steganography definition.
- Fiestel!
- Reversible/Irreversible mapping.
- Draw picture! for corresponding rounds. Show that proofs (142).
**Will come up.** - No hexadecimal or carrying out complete encryption.

- DES!
- Setup (64-bit + structure of key)
- Overall scheme (157)
- The DES property for DES keys (158). Given a key, is it a valid DES key? with justification.
- Know how to use the tables. P-boxes, S-boxes.
- Security of DES and Triple DES. (Meet-in-the-Middle attack), to what extent.

- No AES! :D How many bits does it use?
- Block/Stream Cipher modes of operation (everything). Try remembering the picture in order to determine the definition. Diagrams!
- ECB
- CBC
- CFB
- OFB

### Lecture 3

- Key distribution, to what extend public key is a solution.
- Public key formalisation.
- Comparison of public/symmetric.
- Requirements for public key cryptography.
- One-way function definitions, examples.
- Definitions for number theory.
- Euclids and Extended euclids. Check . Write out algorithm (function).
- Modular arithmetic
- Fermat’s little theorem proof.
- Euler’s totient definition.
- RSA properties, correctness, ingredients.
- Diffie-Hellman, Discrete logarithms, protocol for DH. Both Man-in-the-middle attack.
- El-Gamal
- Massey-Omura definition
- Hash function definitions (complete - 102)
- MACs and Digital Signatures definitions. No construction of MACs. How to use them.
- No appendix

### Lecture 4

- Needham-Schroeder
- Man-in-the-middle attack
- Solution properties
- Kerberos in detail.
- 6 messages.

### Lecture 5

- Properties of Passwords, Definitions. MFA.
- Fiat-Shamir algorithm (No other ZKP)
- No Malware viruses etc. and Firewalls