NC7201 Communication. Dr.G.A.Sathish Kumar Professor EC

Transcription

1 NC7201 Communication Network Security Dr.G.A.Sathish Kumar Professor EC

2 Advanced Encryption Standard "It seems very simple." "It is very simple. But if you don't know what the key is it's virtually indecipherable." Talking to Strange Men, Ruth Rendell

3 Origins clear a replacement for DES was needed have theoretical attacks that can break it have demonstrated exhaustive key search attacks can use Triple-DES but slow, has small blocks US NIST issued call for ciphers in candidates accepted in Jun 98 5 were shortlisted in Aug-99 Rijndael was selected as the AES in Oct-2000 issued as FIPS PUB 197 standard in Nov-2001

4 The AES Cipher -Rijndael designed by Rijmen-Daemen in Belgium has 128/192/256 bit keys, 128 bit data an iterative rather than feistel cipher processes data as block of 4 columns of 4 bytes operates on entire data block in every round designed to be: resistant against known attacks speed and code compactness on many CPUs design simplicity

5 AES Encryption Process

6 AES Structure datablockof4columnsof4bytesisstate keyisexpandedtoarrayofwords has 9/11/13 rounds in which state undergoes: bytesubstitution(1s-boxusedoneverybyte) shift rows(permute bytes between groups/columns) mix columns(subs using matrix multiply of groups) addroundkey(xorstatewithkeymaterial) viewasalternatingxorkey&scrambledatabytes initial XOR key material& incomplete last round with fast XOR& table lookup implementation

7 AES Structure

8 Some Comments on AES 1. an iterative rather than feistel cipher 2. key expanded into array of 32-bit words 1. four words form round key in each round 3. 4 different stages are used as shown 4. has a simple structure 5. only AddRoundKey uses key 6. AddRoundKey a form of Vernam cipher 7. each stage is easily reversible 8. decryption uses keys in reverse order 9. decryption does recover plaintext 10.final round has only 3 stages

9 Substitute Bytes asimplesubstitutionofeachbyte uses one table of 16x16 bytes containing a permutation of all bit values eachbyteofstateisreplacedbybyteindexedbyrow (left 4-bits)& column(right 4-bits) eg.byte{95}isreplacedbybyteinrow9column5 whichhasvalue{2a} S-box constructed using defined transformation of valuesingf(2 8 ) designedtoberesistanttoallknownattacks

10 Substitute Bytes

11 Substitute Bytes Example

12 Shift Rows a circular byte shift in each each 1 st row is unchanged 2 nd row does 1 byte circular shift to left 3rd row does 2 byte circular shift to left 4th row does 3 byte circular shift to left decrypt inverts using shifts to right since state is processed by columns, this step permutes bytes between the columns

13 Shift Rows

14 Mix Columns each column is processed separately each byte is replaced by a value dependent on all 4 bytes in the column 8 effectively a matrix multiplication in GF(2 8 ) using prime poly m(x) =x 8 +x 4 +x 3 +x+1

15 Mix Columns

16 Mix Columns Example

17 AES Arithmetic uses arithmetic in the finite field GF(2 8 ) with irreducible polynomial m(x) = x 8 + x 4 + x 3 + x + 1 which is ( ) or {11b} e.g. {02} {87} mod {11b} = ( ) mod {11b} = ( ) xor ( ) = ( )

18 Mix Columns can express each colas 4 equations to derive each new byte in col decryption requires use of inverse matrix with larger coefficients, hence a little harder have an alternate characterisation each column a 4-term polynomial with coefficients in GF(2 8 ) and polynomials multiplied modulo (x 4 +1) coefficients based on linear code with maximal distance between codewords

19 Add Round Key XOR state with 128-bits of the round key again processed by column (though effectively a series of byte operations) inverse for decryption identical since XOR own inverse, with reversed keys designed to be as simple as possible a form of Vernam cipher on expanded key requires other stages for complexity / security

20 Add Round Key

21 AES Round

22 AES Key Expansion takes 128-bit (16-byte) key and expands into array of 44/52/60 32-bit words startbycopyingkeyintofirst4words then loop creating words that depend on valuesinprevious&4placesback in3of4casesjustxorthesetogether 1 st word in 4 has rotate + S-box + XOR round constantonprevious,beforexor4 th back

23 AES Key Expansion

24 Key Expansion Rationale designed to resist known attacks design criteria included knowing part key insufficient to find many more invertible transformation fastonwiderangeofcpu s use round constants to break symmetry diffusekeybitsintoroundkeys enough non-linearity to hinder analysis simplicity of description

25 AES Example Key Expansion

26 AES Example Encryption

27 AES Example Avalanche

28 AES Decryption AES decryption is not identical to encryption since steps done in reverse but can define an equivalent inverse cipher with steps as for encryption butusinginversesofeachstep with a different key schedule works since result is unchanged when swap byte substitution& shift rows swapmixcolumns&add(tweaked)roundkey

29 AES Decryption

30 Implementation Aspects can efficiently implement on 8-bit CPU byte substitution works on bytes using a table of 256 entries shiftrowsissimplebyteshift addroundkeyworksonbytexor s mix columns requires matrix multiply in GF(2 8 ) which works on byte values, can be simplified to usetablelookups&bytexor s

31 Implementation Aspects can efficiently implement on 32-bit CPU redefine steps to use 32-bit words can precompute 4 tables of 256-words theneachcolumnineachroundcanbecomputed using4tablelookups+4xors atacostof4kbtostoretables designers believe this very efficient implementation was a key factor in its selection as the AES cipher

32 Multiple Encryption & DES clearareplacementfordeswasneeded theoretical attacks that can break it demonstrated exhaustive key search attacks AESisanewcipheralternative prior to this alternative was to use multiple encryption with DES implementations Triple-DES is the chosen form

33 Double-DES? could use 2 DES encrypts on each block C = E K2 (E K1 (P)) issue of reduction to single stage and have meet-in-the-middle attack works whenever use a cipher twice since X = E K1 (P) = D K2 (C) attack by encrypting P with all keys and store then decrypt C with keys and match X value can show takes O(2 56 )steps

34 Triple-DES with Two-Keys hence must use 3 encryptions would seem to need 3 distinct keys but can use 2 keys with E-D-E sequence C = E K1 (D K2 (E K1 (P))) nb encrypt & decrypt equivalent in security if K1=K2then can work with single DES standardized in ANSI X9.17 & ISO8732 no current known practical attacks several proposed impractical attacks might become basis of future attacks

35 Triple-DES with Three-Keys although are no practical attacks on two-key Triple-DES have some indications can use Triple-DES with Three-Keys to avoid even these C = E K3 (D K2 (E K1 (P))) has been adopted by some Internet applications, eg PGP, S/MIME

36 Blowfish a symmetric block cipher designed by Bruce Schneier in 1993/94 characteristics fast implementation on 32-bit CPUs compactinuseofmemory simple structure eases analysis/ implemention variable security by varying key size has been implemented in various products

37 Blowfish Key Schedule uses a 32 to 448 bit key used to generate bit subkeysstored in K-array K j four 8x32 S-boxes stored in S i,j key schedule consists of: initialize P-array and then 4 S-boxes using pi XOR P-array with key bits (reuse as needed) loop repeatedly encrypting data using current P & S and replace successive pairs of P then S values requires 521 encryptions, hence slow in rekeying

38 Blowfish Encryption uses two primitives: addition & XOR data is divided into two 32-bit halves L 0 & R 0 for i = 1 to 16 do R i = L i-1 XOR P i ; L i = F[R i ] XOR R i-1 ; L 17 = R 16 XOR P 18 ; R 17 = L 16 XOR i 17 ; where F[a,b,c,d] = ((S 1,a + S 2,b ) XOR S 3,c ) + S 4,a

39 Discussion key dependent S-boxes and subkeys, generated using cipher itself, makes analysis very difficult changing both halves in each round increases security provided key is large enough, brute-force key search is not practical, especially given the high key schedule cost

40 RC5 a proprietary cipher owned by RSADSI designed by Ronald Rivest (of RSA fame) used in various RSADSI products can vary key size / data size / no rounds very clean and simple design easy implementation on various CPUs yet still regarded as secure

41 RC5 Ciphers RC5 is a family of ciphers RC5-w/r/b w = word size in bits (16/32/64) nb data=2w r = number of rounds (0..255) b = number of bytes in key (0..255) nominal version is RC5-32/12/16 ie 32-bit words so encrypts 64-bit data blocks using 12 rounds with 16 bytes (128-bit) secret key

42 RC5 Key Expansion RC5 uses 2r+2 subkey words(w-bits) subkeys are stored in array S[i], i=0..t-1 thenthekeyscheduleconsistsof initializing S to a fixed pseudorandom value, based onconstantseandphi the byte key is copied (little-endian) into a c-word array L amixing operation then combines L and S to form thefinalsarray

43 RC5 Encryption split input into two halves A & B L 0 = A + S[0]; R 0 = B + S[1]; for i = 1 to r do L i = ((L i-1 XOR R i-1 ) <<< R i-1 ) + S[2 x i]; R i = ((R i-1 XOR L i ) <<< L i ) + S[2 x i + 1]; each round is like 2 DES rounds note rotation is main source of non-linearity need reasonable number of rounds (eg 12-16)

44 RC5 Modes RFC2040defines4modesusedbyRC5 RC5BlockCipher,isECBmode RC5-CBC,isCBCmode RC5-CBC-PAD, is CBC with padding by bytes with value being the number of padding bytes RC5-CTS, a variant of CBC which is the same size as the original message, uses ciphertext stealing to keep size same as original

45 Stream Ciphers processmessagebitbybit(asastream) have a pseudo random keystream combined(xor) with plaintext bit by bit randomness of stream key completely destroys statistically properties in message C i = M i XOR StreamKey i but must never reuse stream key otherwise can recover messages(cf book cipher)

46 Stream Cipher Structure

47 Stream Cipher Properties some design considerations are: long period with no repetitions statistically random depends on large enough key large linear complexity properly designed, can be as secure as a block cipher with same size key but usually simpler& faster

48 RC4 aproprietarycipherownedbyrsadsi another Ron Rivest design, simple but effective variable key size, byte-oriented stream cipher widely used(web SSL/TLS, wireless WEP/WPA) key forms random permutation of all 8-bit values uses that permutation to scramble input info processedabyteatatime

49 RC4 Key Schedule starts with an array S of numbers: use key to well and truly shuffle S forms internal stateof the cipher for i = 0 to 255 do S[i] = i T[i] = K[i mod keylen]) j = 0 for i = 0 to 255 do j = (j + S[i] + T[i]) (mod 256) swap (S[i], S[j])

50 RC4 Encryption encryption continues shuffling array values sum of shuffled pair selects"stream key" value from permutation XOR S[t] with next byte of message to en/decrypt i = j = 0 for each message byte M i i = (i + 1) (mod 256) j = (j + S[i]) (mod 256) swap(s[i], S[j]) t = (S[i] + S[j]) (mod 256) C i = M i XOR S[t]

51 RC4 Overview

52 RC4 Security claimed secure against known attacks have some analyses, none practical result is very non-linear sincerc4isastreamcipher,mustneverreuse akey have a concern with WEP, but due to key handling rather than RC4 itself

53 Motivation and outline symmetric encryption is used to provide message confidentiality Q: Where to put the encryption mechanism? How to distribute the secret key? Placement of encryption function Traffic confidentiality Key distribution

54 Confidentiality using Symmetric Encryption Whatto encrypt and wherethe encryption function should be located (4) Monitor traffic consider typical scenario: (2) dial-in, then intrude (3) Tap into wire (1) Eavesdropping by members

55 Typical scenario and attacks consider typical scenario workstations on LANs access other workstations & servers on LAN LANs interconnected using switches/routers with external lines or radio/satellite links consider attacks and placement in this scenario snooping from another workstation usedial-intolanorservertosnoop useexternalrouterlinktoenter&snoop monitor and/or modify traffic one external links

56 Confidentiality using Symmetric Encryption traditionally symmetric encryption is used to provide message confidentiality consider typical scenario workstations on LANs access other workstations & servers onlan LANs interconnected using switches/routers with external lines or radio/satellite links consider attacks and placement in this scenario snooping from another workstation usedial-intolanorservertosnoop useexternalrouterlinktoenter&snoop monitor and/or modify traffic one external links

57 Confidentiality using Symmetric Encryption have two major placement alternatives link encryption encryption occurs independently on every link implies must decrypt traffic between links requires many devices, but paired keys end-to-end encryption encryption occurs between original source and final destination needdevicesateachendwithsharedkeys

58 Confidentiality using Symmetric Encryption Which part to encrypt in a PSN Packet switching network traditionally symmetric encryption is used to provide message confidentiality Vulnerable points: snooping, monitoring or modifying by using another workstation dial-intolanorserverorexternalrouter by physically taping line in wiring closet end-to-end encryption (shared keys): protects data between source and destination, needs devices at each end. link encryption, (paired keys): protects traffic monitoring, is considered over every link, requires many devices, End[Link[]Link]End

59 Confidentiality using Symmetric Encryption Which part to encrypt in a PSN Packet switching network PSN

60 Confidentiality using Symmetric Encryption have two major placement alternatives linkencryption encryption occurs independently on every link implies must decrypt traffic between links requires many devices, but paired keys end-to-endencryption encryption occurs between original source and final destination needdevicesateachendwithsharedkeys

61 Placement of encryption have two major placement alternatives link encryption encryption occurs independently on every link implies must decrypt traffic between links requiresmanydevices,butpairedkeysforalllinks end-to-end encryption encryption occurs between original source and final destination needdevicesateachendwithsharedkeys

62 Placement of encryption (cont.) One key for each link One shared key

63 Problems with routing In a packet-switching network, we need packet header to route packets Link encryption: so packet must be decrypted before routing Vulnerable at each switch node End-to-end encryption: must leave headers in clear, so network can correctly route information hence although contents protected, traffic pattern is not protected ideallywantbothatonce end-to-end protects data contents over entire path and provides authentication link protects traffic flows from monitoring

64 Placement of Encryption can place encryption function at various layers in OSI Reference Model linkencryptionoccursatlayers1or2 end-to-endcanoccuratlayers3,4,6,7 as move higher less information is encrypted but it is more secure though more complex with more entities and keys

65 Placement of encryptionover OSI model can place encryption function at various layers in OSI Reference Model

66 OSI model and packetization Application level encryption TCP level encryption Link level encryption

67 Placement of encryptionover OSI model (cont.)

68 Placement of Encryption in the various levels of OSI Encapsulation Model (b) TCP Layer level (c) Link Layer Level

69 Traffic Analysis when using end-to-end encryption must leave headers in clear so network can correctly route information hence although contents protected, traffic pattern flows are not ideallywantbothatonce end-to-end protects data contents over entire path and provides authentication link protects traffic flows from monitoring

70 Traffic Analysis is monitoring of communications flows between parties useful both in military& commercial spheres canalsobeusedtocreateacovertchannel link encryption obscures header details butoveralltrafficvolumesinnetworksandatendpoints is still visible traffic padding can further obscure flows butatcostofcontinuoustraffic

71 Traffic Analysis In packet-switching network, the packet header cannot be encrypted Traffic analysis is monitoring of communications flows between parties Ex.knowwhoistalkingtowhominmilitaryusage Traffic analysis reveals Identities of partners How frequently the partners are communicating Message pattern, message length, quantity of messages,

72 Defense against traffic analysis link encryption obscures header details but overall traffic volumesin networks and at endpoints is still visible Traffic padding

73 Traffic monitoring The purpose of monitoring military& commercial can also be used to create a covert channel ifcontrolled Link encryption obscures headerdetails But overall traffic volumes in networks and at end- points will still bevisible Traffic padding can further obscure flows butat cost of continuoustraffic..

74 Key Distribution symmetric schemes require both parties to share a common secret key issue is how to securely distribute this key often secure system failure due to a break in often secure system failure due to a break in the key distribution scheme

75 How to distribute key symmetric schemes require to share a common secret key often secure system failure due to a break in the key distribution scheme given parties A and B have various key distribution alternatives: 1. PhysicallydeliveryfromAtoB 2. Third party can issue & deliver key to A & B, if A & B have secure communicationswithathirdpartyc,ccanrelaykeybetweena&b DistributionofKeyisbasedonaHierarchy,atleasttwolevelsof keys are used temporary key referred as session key used for the duration of a logical connection between users for one logical session then discarded masterkey usedtoencryptsessionkeys sharedbyuser&keydistributioncenter

76 Key Distribution given parties A and B have various key distribution alternatives: 1.AcanselectkeyandphysicallydelivertoB 2.thirdpartycanselect&deliverkeytoA&B 3.if A & B have communicated previously can use previous keytoencryptanewkey 4.if A & B have secure communications with a third party C, CcanrelaykeybetweenA&B

77 Key Distribution Scenario Assume that user A wishes to establish a logical connection with B and requires a one-time session key to protect the data transmitted over the logical connection tob.ahas hasamaster key, K a, known only to itself and the KDC; similarly, B shares the masterkeyk b with the KDC. Thefollowing steps occur:

78 a.aissues a requesttothe the KDC for a session keytob including the identity of A and B and a unique session identifier, N 1, valid for this transaction, nonce: a timestamp, a counter, orarandomrandom number; differs with each request. I.e. to prevent masquerading, suppose something like, a random number. a. b.thekdc sresponsetoa:k A Thus,onlyAcandecrypt themessage.one-timesessionkey,k S,tobeusedfor thesession.itemsfora:theoriginalmessagesothat,a can verify the original request not altered before reception by the KDC. Thenonce, so that this isnot areplay of some previous request. Items for B: The one time session key K S and ID SA (e.g., its network address), both encrypted with K B (the master key that thekdcshareswithb).

79 Key Distribution Issues hierarchies of KDC s required for large networks, but must trust each other session key lifetimes should be limited for greater security use of automatic key distribution on behalf of users, but must trust system use of decentralized key distribution controlling purposes keys are used for

80 Key Management and Distribution No Singhalese, whether man or woman, would venture out of the house without a bunch of keys in his hand, for without such a talisman he would fear that some devil might take advantage of his weak state to slip into his body. The Golden Bough, Sir James George Frazer

81 Key Management and Distribution topics of cryptographic key management / key distribution are complex cryptographic, protocol, & management issues symmetric schemes require both parties to share a common secret key public key schemes require parties to acquire valid public keys have concerns with doing both

82 Key Distribution symmetric schemes require both parties to share a common secret key issue is how to securely distribute this key whilst protecting it from others frequent key changes can be desirable often secure system failure due to a break in the key distribution scheme

83 Key Distribution given parties A and B have various key distribution alternatives: 1. AcanselectkeyandphysicallydelivertoB 2. thirdpartycanselect&deliverkeytoa&b 3. if A & B have communicated previously can use previouskeytoencryptanewkey 4. if A & B have secure communications with a thirdpartyc,ccanrelaykeybetweena&b

84 Key Distribution Task

85 Key Hierarchy typically have a hierarchy of keys session key temporary key used for encryption of data between users for one logical session then discarded master key used to encrypt session keys shared by user & key distribution center

86 Key Hierarchy

87 Key Distribution Scenario

88 Key Distribution Issues hierarchies of KDC s required for large networks, but must trust each other session key lifetimes should be limited for greater security use of automatic key distribution on behalf of users, but must trust system use of decentralized key distribution controlling key usage

89 Symmetric Key Distribution Using Public Keys public key cryptosystems are inefficient so almost never use for direct data encryption rather use to encrypt secret keys for distribution

90 Simple Secret Key Distribution Merkle proposed this very simple scheme allows secure communications no keys before/after exist

91 Man-in-the-Middle Attack this very simple scheme is vulnerable to an active man-in-the-middle attack

92 Secret Key Distribution with Confidentiality and Authentication

93 Hybrid Key Distribution retain use of private-key KDC shares secret master key with each user distributes session key using master key public-key used to distribute master keys especially useful with widely distributed users rationale performance backward compatibility

94 Distribution of Public Keys can be considered as using one of: public announcement publicly available directory public-key authority public-key certificates

95 Public Announcement users distribute public keys to recipients or broadcast to community at large eg. append PGP keys to messages or post to news groups or list major weakness is forgery anyone can create a key claiming to be someone else and broadcast it until forgery is discovered can masquerade as claimed user

96 Publicly Available Directory can obtain greater security by registering keys with a public directory directory must be trusted with properties: contains {name,public-key} entries participants register securely with directory participants can replace key at any time directory is periodically published directory can be accessed electronically still vulnerable to tampering or forgery

97 Public-Key Authority improve security by tightening control over distribution of keys from directory has properties of directory and requires users to know public key for the directory then users interact with directory to obtain any desired public key securely does require real-time access to directory when keys are needed may be vulnerable to tampering

98 Public-Key Authority

99 Public-Key Certificates certificates allow key exchange without realtime access to public-key authority a certificate binds identity to public key usually with other info such as period of validity, rights of use etc with all contents signed by a trusted Public- Key or Certificate Authority (CA) can be verified by anyone who knows the public-key authorities public-key

100 Public-Key Certificates

101 X.509 Authentication Service part of CCITT X.500 directory service standards distributed servers maintaining user info database defines framework for authentication services directory may store public-key certificates with public key of user signed by certification authority also defines authentication protocols uses public-key crypto & digital signatures algorithms not standardised, but RSA recommended X.509 certificates are widely used have 3 versions

102 X.509 Certificate Use

103 X.509 Certificates issued by a Certification Authority (CA), containing: version V (1, 2, or 3) serial number SN (unique within CA) identifying certificate signature algorithm identifier AI issuer X.500 name CA) period of validity TA (from -to dates) subject X.500 name A (name of owner) subject public-key info Ap (algorithm, parameters, key) issuer unique identifier (v2+) subject unique identifier (v2+) extension fields (v3) signature (of hash of all fields in certificate) notation CA<<A>> denotes certificate for A signed by CA

104 X.509 Certificates

105 Obtaining a Certificate any user with access to CA can get any certificate from it only the CA can modify a certificate because cannot be forged, certificates can be placed in a public directory

106 CA Hierarchy if both users share a common CA then they are assumed to know its public key otherwise CA's must form a hierarchy use certificates linking members of hierarchy to validate other CA's each CA has certificates for clients (forward) and parent (backward) each client trusts parents certificates enable verification of any certificate from one CA by users of all other CAs in hierarchy

107 CA Hierarchy Use

108 Certificate Revocation certificates have a period of validity may need to revoke before expiry, eg: 1. user's private key is compromised 2. user is no longer certified by this CA 3. CA's certificate is compromised CA s maintain list of revoked certificates the Certificate Revocation List (CRL) users should check certificates with CA s CRL

109 X.509 Version 3 has been recognised that additional information is needed in a certificate /url, policy details, usage constraints rather than explicitly naming new fields defined a general extension method extensions consist of: extension identifier criticality indicator extension value

110 Certificate Extensions key and policy information convey info about subject & issuer keys, plus indicators of certificate policy certificate subject and issuer attributes support alternative names, in alternative formats for certificate subject and/or issuer certificate path constraints allow constraints on use of certificates by other CA s

111 Public Key Infrastructure

112 PKIX Management functions: registration initialization certification key pair recovery key pair update revocation request cross certification protocols: CMP, CMC

113 Stream Ciphers and Random Number Generation The comparatively late rise of the theory of probability shows how hard it is to grasp, and the many paradoxes show clearly that we, as humans, lack a well grounded intuition in this matter. In probability theory there is a great deal of art in setting up the model, in solving the problem, and in applying the results back to the real world actions that will follow. The Art of Probability, Richard Hamming

114 Random Numbers many uses of random numbersin cryptography nonces in authentication protocols to prevent replay session keys public key generation keystream for a one-time pad in all cases its critical that these values be statistically random, uniform distribution, independent unpredictability of future values from previous values true random numbers provide this care needed with generated random numbers

115 Pseudorandom Number Generators (PRNGs) often use deterministic algorithmic techniques to create random numbers although are not truly random can pass many tests of randomness known as pseudorandom numbers created by Pseudorandom Number Generators (PRNGs)

116 Random & Pseudorandom Number Generators

117 PRNG Requirements randomness uniformity, scalability, consistency unpredictability forward & backward unpredictability use same tests to check characteristics of the seed secure if known adversary can determine output so must be random or pseudorandom number

118 Linear Congruential Generator common iterative technique using: X n+1 = (ax n + c) mod m given suitable values of parameters can produce a long random-like sequence suitable criteria to have are: function generates a full-period generated sequence should appear random efficient implementation with 32-bit arithmetic note that an attacker can reconstruct sequence given a small number of values have possibilities for making this harder

119 Blum Blum Shub Generator based on public key algorithms use least significant bit from iterative equation: x i = x i-12 mod n where n=p.q, and primes p,q=3 mod 4 unpredictable, passes next-bit test security rests on difficulty of factoring N is unpredictable given any run of bits slow, since very large numbers must be used too slow for cipher use, good for key generation

120 Using Block Ciphers as PRNGs for cryptographic applications, can use a block cipher to generate random numbers often for creating session keys from master key CTR X i = E K [V i ] OFB X i = E K [X i-1 ]

121 ANSI X9.17 PRG

122 Stream Ciphers process message bit by bit (as a stream) have a pseudo random keystream combined (XOR) with plaintext bit by bit randomness of stream keycompletely destroys statistically properties in message C i = M i XOR StreamKey i but must never reuse stream key otherwise can recover messages (cf book cipher)

123 Stream Cipher Structure

124 Stream Cipher Properties some design considerations are: long period with no repetitions statistically random depends on large enough key large linear complexity properly designed, can be as secure as a block cipher with same size key but usually simpler & faster

125 Natural Random Noise best source is natural randomness in real world find a regular but random event and monitor do generally need special h/w to do this eg. radiation counters, radio noise, audio noise, thermal noise in diodes, leaky capacitors, mercury discharge tubes etc starting to see such h/w in new CPU's problems of biasor uneven distribution in signal have to compensate for this when sample, often by passing bits through a hash function best to only use a few noisiest bits from each sample RFC4086 recommends using multiple sources + hash

126 Published Sources a few published collections of random numbers Rand Co, in 1955, published 1 million numbers generated using an electronic roulette wheel has been used in some cipher designs cf Khafre earlier Tippett in 1927 published a collection issues are that: these are limited too well-known for most uses

127 Summary have considered: the AES selection process the details of Rijndael the AES cipher looked at the steps in each round the key expansion implementation aspects

128 Summary Multiple Encryption & Triple-DES Modes of Operation ECB, CBC, CFB, OFB, CTR, XTS-AES

129 Summary have considered: some other modern symmetric block ciphers Triple-DES Blowfish RC5 briefly introduced stream ciphers RC4