Computer Security:

Principles and
Practice
Fourth Edition, Global Edition

By: William Stallings and Lawrie Brown

Chapter 3
Cryptographic Tools
 Introduction
• Provide four types of protection to messages
o Confidentiality
o Authentication
o Message integrity
o Anti-reply protection
• Classified along three independent dimensions:
o The type of operations used for transforming plaintext to
ciphertext
o The number of keys used
• Symmetric (single key)
• Asymmetric (two-keys, or public-key encryption)
o The way in which the plaintext is processed
 Cryptographic Tools
• Secret-Key Encryption / Symmetric
Encryption
• Hash Functions
• Public-Key Encryption / Asymmetric
Encryption
• Digital Signatures
• Pseudorandom Numbers
Symmetric Encryption
• The technique for providing confidentiality for
transmitted or stored data
• Also referred to as conventional encryption or
single-key encryption

• Two requirements for secure use:

• Need a strong encryption algorithm
• Sender and receiver must have obtained copies
of the secret key in a secure fashion
and must keep the key secure
Symmetric Encryption
• Classical Symmetric Key Encryption
o Substitution Ciphers
o Transposition Ciphers
• Modern Symmetric Key Encryption
• Block Cipher
• Stream Cipher
Block & Stream Ciphers
Block
Cipher
• Processes the input one block of bytes at a time
• Produces an output block for each input block
• Can reuse keys
• More common

Stream
Cipher
• Processes the input bytes continuously
• Produces output one byte at a time
• Primary advantage is that they are almost always faster
and use far less code
• Encrypts plaintext one byte at a time
• Pseudorandom stream is one that is unpredictable
without knowledge of the input key
 Practical Security
Issues
 Typically symmetric encryption is applied to a unit
of data larger than a single 64-bit or 128-bit block
 Electronic codebook (ECB) mode is the simplest
approach to multiple-block encryption
 Each block of plaintext is encrypted using the same key
 Cryptanalysts may be able to exploit regularities in the
plaintext
 Modes of operation
 Alternative
techniques developed to increase the security
of symmetric block encryption for large sequences
 Overcomes the weaknesses of ECB
ECB Mode
 CBC Block

https://github.com/abid134/Sample.git
 Confusion and
Diffusion
• Confusion means that each binary digit (bit) of the
ciphertext should depend on several parts of the key,
obscuring the connections between the two.

• The property of confusion hides the relationship between

the ciphertext and the key.

• This property makes it difficult to find the key from the

ciphertext and if a single bit in a key is changed, the
calculation of the values of most or all of the bits in the
ciphertext will be affected.
 Confusion and
Diffusion
• Diffusion means that if we change a single bit of the
plaintext, then (statistically) half of the bits in the ciphertext
should change, and similarly, if we change one bit of the
ciphertext, then approximately one half of the plaintext bits
should change.

• The idea of diffusion is to hide the relationship between the

ciphertext and the plain text.
 Attacking Symmetric
Encryption
Cryptanalytic Attacks Brute-Force Attacks
 Rely on:
 Try all possible keys on some
 Nature of the algorithm ciphertext until an intelligible
 Some knowledge of the translation into plaintext is
general characteristics of the obtained
plaintext  On average half of all

possible keys must be tried to
Some sample plaintext- achieve success
ciphertext pairs
 Exploits the characteristics of
the algorithm to attempt to
deduce a specific plaintext or
the key being used
 If successful all future and past
messages encrypted with that
key are compromised
3.2.1 Continued

Table 3.1 Frequency of characters in English

Table 3.2 Frequency of diagrams and trigrams

3.16
 Table 2.1

Comparison of Three Popular

Symmetric Encryption Algorithms
Data Encryption Standard
(DES)
Until recently was the most widely used
encryption scheme

Referred to as the Data Encryption

Algorithm (DEA)
Uses 64 bit plaintext block and 56 bit key to
produce a 64 bit ciphertext block

Strength concerns:
Concerns about the algorithm itself
DES is the most studied encryption
algorithm in existence
Concerns about the use of a 56-bit key
The speed of commercial off-the-shelf
processors makes this key length woefully
inadequate
 Table 2.2

Average Time Required for Exhaustive Key

Search
 Triple DES (3DES)
 Repeats basic DES algorithm three times using
either two or three unique keys
 Attractions:
 168-bit key length overcomes the vulnerability to brute-
force attack of DES
 Underlying encryption algorithm is the same as in DES
 Drawbacks:
 Algorithm is slow in software
Advanced Encryption
Standard (AES)
NIST called Selected
Needed a
for proposals Rijndael in
replacement
for a new AES November
for 3DES
in 1997 2001
Should have a
security strength
equal to or better
than 3DES

Significantly
3DES was not improved efficiency
Published as
reasonable for
long term use FIPS 197
Symmetric block
cipher

128 bit data and

128/192/256 bit keys
DES
3DES
AES
Stream Cipher RC4
 Message
Authentication

Protects against
active attacks
• Contents have not been
Verifies received altered
message is • From authentic source
• Timely and in correct
authentic sequence

Can use
• Only sender and receiver
conventional share a key
encryption
 Message
Authentication
• The following methods are used for Message
Authentication without encryption:
 1) MESSAGE AUTHENTICATION CODE
 https://xorbin.com/tools/sha1-hash-calculator
 2) ONE-WAY HASH FUNCTION
 https://cryptotools.net/hmac
 Latest Algorithms
• Message Authentication Code (MAC):
o HMAC (Hash-based Message Authentication Code)
o CBC-MAC (Cipher Block Chaining Message Authentication Code)
o CMAC (Cipher-based Message Authentication Code)

• One-Way Hash Function:

o MD5 (Message Digest Algorithm 5)
o SHA-1 (Secure Hash Algorithm 1)
o SHA-256, SHA-384, SHA-512 (Secure Hash Algorithm 2, with different
output sizes)
o BLAKE2 (a high-performance hash function)
 Message Authentication
Without Confidentiality
• Message encryption by itself does not provide a
secure form of authentication
• It is possible to combine authentication and
confidentiality in a single algorithm by encrypting
a message plus its authentication tag
• Typically message authentication is provided as a
separate function from message encryption
• Situations in which message authentication
without confidentiality may be preferable include:
• Thus, there is a place for both authentication and
encryption in meeting security requirements
Message Authentication
Code (MAC)
 Continued…
 One authentication technique involves the use of a secret key
to generate a small block of data, known as a message
authentication code (MAC), that is appended to the message.
 This technique assumes that two communicating parties, say A
and B, share a common secret key KAB.
 When A has a message to send to B, it calculates the message
authentication code as a function of the message and the key:
MACM = F(KAB,M).
 The message plus code are transmitted to the intended
recipient.
 The recipient performs the same calculation on the received
message, using the same secret key, to generate a new
message authentication code.
 The received code is compared to the calculated code. If we
assume that only the receiver and the sender know the identity
of the secret key.
 ONE WAY HASH FUNCTIONS
• Cryptographic hashes are used to verify
and ensure data integrity.
• Hashing is based on a one-way
mathematical function that is relatively
easy to compute, but significantly harder
to reverse.
• A hash function takes a variable block of
binary data, called the message, and
produces a fixed-length, condensed
representation, called the hash.
• The resulting hash is also sometimes
called the message digest, digest, or
digital fingerprint.
• With hash functions, it is computationally
infeasible for two different sets of data to
come up with the same hash output.
• Every time the data is changed or
altered, the hash value also changes.
 Properties of hash function

Can be applied to a block of data of any size

Produces a fixed-length output

H(x) is relatively easy to compute for any given x

One-way or pre-image resistant

• Computationally infeasible to find x such that H(x) = h

Computationally infeasible to find y ≠ x such that H(y) = H(x)

Collision resistant or strong collision resistance

• Computationally infeasible to find any pair (x,y) such that H(x) = H(y)
 Security of Hash
Functions
There are two
SHA most widely Additional secure
approaches to
used hash hash function
attacking a secure
algorithm applications:
hash function:

Cryptanalysis SHA-1 Passwords

• Exploit logical • Hash of a password is
weaknesses in the SHA-256 stored by an operating
algorithm SHA-384 system

SHA-512

Brute-force attack Intrusion detection

• Strength of hash • Store H(F) for each file
function depends solely on a system and secure
on the length of the the hash values
hash code produced by
the algorithm
 Public-Key Encryption
Structure

Asymmetri
c
Publicly • Uses two Some form
proposed Based on separate of protocol
by Diffie mathemati keys is needed
and cal • Public key for
Hellman in functions and private distributio
1976 key n
• Public key
is made
public for
others to
use
 Plaintext
 Readable message or data that is fed into the algorithm as input
 Encryption algorithm
 Performs transformations on the plaintext
 Public and private key
 Pair of keys, one for encryption, one for decryption
 Ciphertext
 Scrambled message produced as output
 Decryption key
 Produces the original plaintext
 User encrypts data using his or
her own private key
 Anyone who knows the
corresponding public key will be
able to decrypt the message
 Table 2.3

Applications for Public-Key

Cryptosystems
Requirements for Public-Key
Cryptosystems
Computationally
easy to create key
pairs

Either of the two Computationally

related keys can be easy for sender
used for encryption, knowing public key
with the other used to encrypt
for decryption messages

Computationally
Computationally infeasible for
easy for receiver
an opponent, knowing the
knowing private key
public key, and the cipher text
to decrypt
to recover the original message
ciphertext
Computationally
infeasible for
opponent to
determine private
key from public key
 Asymmetric Encryption
Algorithms
RSA (Rivest, Most widely accepted
Block cipher in which
the plaintext and
Shamir, Developed in 1977
and implemented
approach to public-key
ciphertext are integers
between 0 and n-1 for
Adleman) encryption
some n.

Diffie- Enables two users to

securely reach
Hellman key agreement about a
shared secret that can Limited to the

exchange be used as a secret key

for subsequent
exchange of the keys

symmetric encryption
algorithm of messages

Digital
Signature Provides only a digital
signature function with
Cannot be used for
encryption or key
Standard SHA-1 exchange

(DSS)

Elliptic curve
cryptography Security like RSA, but
with much smaller keys

(ECC)
RSA
 Digital Signatures
 NIST FIPS PUB 186-4 defines a digital signature as:
”The result of a cryptographic transformation of data that,
when properly implemented, provides a mechanism for
verifying origin authentication, data integrity and
signatory non-repudiation.”
 Thus, a digital signature is a data-dependent bit pattern,
generated by an agent as a function of a file, message, or other
form of data block
 FIPS 186-4 specifies the use of one of three digital signature
algorithms:
 Digital Signature Algorithm (DSA)
 RSA Digital Signature Algorithm
 Elliptic Curve Digital Signature Algorithm (ECDSA)
Random  Keys for public-key
Numbers algorithms
 Stream key for
symmetric stream
Uses include cipher
generation of:  Symmetric key for use
as a temporary session
key or in creating a
digital envelope
 To prevent replay
 Random Number
Requirements
 Uniform distribution Unpredictability
 Frequency of occurrence  Opponent should not be able
of each of the numbers to predict future elements of
should be approximately the sequence on the basis of
the same earlier elements
 Independence Repeatability
 Each random number  It should be deterministic.
generated should be
The sequence of pseudo-
statistically independent
random numbers should be
of previous or subsequent
repeatable given the same
numbers
initial state or seed value.
 Summary
• Confidentiality with
symmetric encryption • Public-key encryption
 Symmetric encryption  Structure
 Symmetric block encryption  Applications for public-key
algorithms cryptosystems
 Stream ciphers  Requirements for public-key
• Message authentication cryptography
 Asymmetric encryption
and hash functions algorithms
 Authentication using symmetric
encryption
• Digital signatures and
 Message authentication without key management
message encryption  Digital signature
 Secure hash functions  Public-key certificates
 Other applications of hash  Symmetric key exchange using
functions public-key encryption
 Digital envelopes
• Random and
• Practical Application:
pseudorandom numbers Encryption of Stored
 The use of random numbers
 Random versus pseudorandom
Data