Data Security B. R. Chandavarkar Asst. Prof., CSE Dept., NITK, - - PowerPoint PPT Presentation

Data Security

• B. R. Chandavarkar
• Asst. Prof., CSE Dept.,

NITK, Surathkal. brcnitk@gmail.com brc.nitk.ac.in

Contents

Data Security Introduction Transposition Techniques Substitution Techniques Classification Data Encryption Standard (DES) Advanced Encryption Standard (AES) Symmetric Crypto System Asymmetric Crypto System RSA LINUX Implementation MATLAB Implementation OpenSSL SSL/TLS

5 2 6 8 3 9 1 10 4 12 13 14 11

Advanced DES

7

Introduction

• Data is the raw form of information stored as columns and rows in
• ur databases, network servers and personal computers. This may

be a wide range of information from personal files and intellectual property to market analytics and details intended to top secret. Data could be anything of interest that can be read or otherwise interpreted in human form.

• Data security is the practice of keeping data protected from

corruption and unauthorized access. The focus behind data security is to ensure privacy while protecting personal or corporate data. - www.spamlaws.com

• Data security refers to protective digital privacy measures that

are applied to prevent unauthorized access to computers, databases and websites. Data security also protects data from

• corruption. Data security is the main priority for organizations of

every size and genre. Data security is also known as information security (IS) or computer security. – www.techopedia.com

Terminologies

• Plaintext - An original message.
• Ciphertext - Coded message.
• Enciphering (Encryption) - The process of converting from

plaintext to ciphertext.

• Deciphering (Decryption) - Restoring the plaintext from the

ciphertext.

• Cryptography - The many schemes used for encryption

constitute the area of study known as cryptography.

• Cryptographic system (Cipher) - Such a scheme is known as

a cryptographic system or a cipher.

• Cryptanalysis (Breaking the Code) - Techniques used for

deciphering a message without any knowledge of the enciphering details.

• Cryptology - The areas of cryptography and cryptanalysis

together are called cryptology.

Back

Characteristic of Cryptographic Systems

• 1. The type of operations used for transforming plaintext to

ciphertext. All encryption algorithms are based on two general principles: substitution, in which each element in the plaintext is mapped into another element, and transposition, in which elements in the plaintext are rearranged. Most systems, referred to as product systems, involve multiple stages of substitutions and transpositions.

• 2. The number of keys used.
• If both sender and receiver use the same key, the system is referred

to as symmetric (single-key, secret-key,

• r

conventional encryption).

• If the sender and receiver use different keys, the system is referred

to as asymmetric (two-key, or public-key encryption).

• 3. The way in which the plaintext is processed.
• A block cipher processes the input one block of elements at a

time, producing an output block for each input block.

• A stream cipher processes the input elements continuously,

producing output one element at a time, as it goes along.

Back

Substitution Techniques

• 1. Caesar Cipher
• Encryption: C = E(k, p) = (p + k) mod 26
• Decryption: p = D(k, C) = (C - k) mod 26
• 2. Monoalphabetic Cipher
• Uses permutation of plain text characters
• 3. Playfair Cipher
• Uses 5 X 5 matrix of keys
• 4. Hill Cipher
• Uses linear equations
• 5. Polyalphabetic Ciphers
• Vigenère Cipher
• Encryption: Ci = (Pi + Ki mod m) mod 26, Decryption: Pi = (Ci - Ki mod m) mod 26
• Vernam Cipher
• Encryption / Decryption: X-OR of Pi and Ki
• 6. One-Time Pad

Plaintext h (7) e (4) l (11) l (11) o (14) g (6)

• (14) o (14)

d (3) Key 3 3 3 3 3 3 3 3 3

• 1. Caesar Cipher

Plaintext H E L L O G O O D

• 2. Monoalphabetic Cipher

A B C D E F G H I J K L M N O P R T W X A D E G L O S Y B N (a) Key (b) Example Ciphertext k h

• p

m r r j Ciphertext E X S S N D N N W

Plaintext S E C U R I T Y D C

• 3. Playfair Cipher

Plaintext

p (15) a (0) y (24) m (12)

• (14)

r (17) e (4) m (12)

• (14)
• 4. Hill Cipher

(a) Key (c) Example Ciphertext L I / J E M A K Q D C H Ciphertext r r l m w b k a s M O N A R C H Y B D E F G I/J K L P Q S T U V W X Z (a) Key (b) Example 17 17 5 21 18 21 2 2 19 4 9 15 15 17 6 24 17 (b) Inverse Key

Plaintext h (7) e (4) l (11) l (11) o (14) g (6)

• (14) o (14)

d (3) Key d (3) a (0) t (19) a (0) d (3) a (0) t (19) a (0) d (3)

• 5. Polyalphabetic Cipher – Vigenere Cipher

Plaintext H E L L O G O O D Key S E C U R I T Y D

• 6. One-Time Pad

Ciphertext k e e l r g h

• g

Ciphertext ? ? ? ? ? ? ? ? ? Plaintext 1 1 1 1 1 Key Stream 1 1 1 1 1 Ciphertext 1 1 1 1 1 1

• 5. Polyalphabetic Cipher – Vernam Cipher

Back

Encryption Decryption Cipher Text Plain Text Plain Text Cipher Text Secrete Key Secrete Key User A (Sender) User B (Receiver) Symmetric (Private) Key Encryption Back

Data Encryption Standard (DES)

History

• In the late 1960s, IBM set up a research project in computer

cryptography led by Horst Feistel. The project concluded in 1971 with the development of an algorithm with the designation LUCIFER, which was sold to Lloyd's of London for use in a cash-dispensing system, also developed by IBM.

• LUCIFER is a Feistel block cipher that operates on blocks of 64 bits,

using a key size of 128 bits.

• Because of the promising results produced by the LUCIFER project, IBM

embarked on an effort to develop a marketable commercial encryption product that ideally could be implemented on a single chip. The effort was headed by Walter Tuchman and Carl Meyer, and it involved not only IBM researchers but also outside consultants and technical advice from NSA.

• The outcome of this effort was a refined version of LUCIFER that was

more resistant to cryptanalysis but that had a reduced key size of 56 bits, to fit on a single chip.

• The most widely used encryption scheme is based on the Data

Encryption Standard (DES) adopted in 1977 by the National Bureau of Standards (NBS), now the National Institute of Standards and Technology (NIST), as Federal Information Processing Standard 46 (FIPS PUB 46). The algorithm itself is referred to as the Data Encryption Algorithm (DEA).

• DES Characteristics:
• Plaintext and Ciphertext – 64-bit block
• Key – 56-bit
• Product cipher with 16 rounds
• Follows Feistel cipher structure

Feistel Cipher

Initial Permutation Round 1 Round 2 Round 16 32-bit Swap Inverse Initial Permutation

64-bit 64-bit 64-bit 64-bit 64-bit

64-bit Plain Text 64-bit Cipher Text Permuted Choice 1 Left Circular Shift Left Circular Shift Left Circular Shift Permuted Choice 2

56-bit 56-bit 56-bit

Permuted Choice 2 Permuted Choice 2

48-bit 48-bit 48-bit 56-bit 56-bit 56-bit

Key Generation Encryption 64-bit Key

K2 K1 K16

DES- Encryption

Back

Initial Permutation Inverse of Initial Permutation Back

Expansion / Permutation (E-Table) Substitution / Choice (S-Box) Permutation 32-bit Input 32-bit Input 32-bit Input 32-bit Input 48-bit Key

32-bit 48-bit 32-bit 48-bit 48-bit 32-bit 32-bit

Round Back

Expansion / Permutation (E-Table) Back

32-bit Permutation 32-bit Sub Key 48-bit 48-bit 32-bit Data Round Expansion S1 6-bit 4-bit S2 6-bit 4-bit S3 6-bit 4-bit S4 6-bit 4-bit S5 6-bit 4-bit S6 6-bit 4-bit S7 6-bit 4-bit S8 6-bit 4-bit 32-bit 48-bit Substitution (S-Box) Back

S-Box

Back

Permutation

Back

Permuted Choice 1 Left Circular Shift Left Circular Shift Left Circular Shift Permuted Choice 2 Permuted Choice 2 Permuted Choice 2

48-bit 48-bit 48-bit 56-bit 56-bit 56-bit

Key Generation

K2 K1 K16

64-bit Key

56-bit 56-bit 28-bit 28-bit 28-bit 28-bit 28-bit 28-bit 56-bit 56-bit

Back

Before Permutation Choice - 1 Permutation Choice - 1 Permutation Choice - 2 Schedule of Left Shifts Back

Encryption Encryption K1 K2 P C

Double DES

Decryption Decryption K2 K1 C P (a) Encryption (b) Decryption

Encryption Decryption K1 K2 P C

Triple DES with Two Keys

(a) Encryption (b) Decryption Encryption K1 Decryption Encryption K1 K2 C P Decryption K1

Encryption Decryption K1 K2 P C

Triple DES with Three Keys

(a) Encryption (b) Decryption Encryption K3 Decryption Encryption K3 K2 C P Decryption K1 Back

Advanced Encryption Standard (AES)

• The Advanced Encryption Standard (AES) was published by

the National Institute of Standards and Technology (NIST) in 2001. AES is a symmetric block cipher that is intended to replace DES as the approved standard for a wide range of applications.

• Compared to public-key ciphers such as RSA, the structure
• f AES and most symmetric ciphers is quite complex.
• AES takes a plaintext block size of 128 bits, or 16 bytes. The

key length can be 16, 24, or 32 bytes (128, 192, or 256 bits). The algorithm is referred to as AES-128, AES-192, or AES- 256, depending on the key length.

• The cipher consists of N rounds, where the number of rounds

depends on the key length: 10 rounds for a 16-byte key, 12 rounds for a 24-byte key, and 14 rounds for a 32-byte key.

AES Parameters

AES-128 AES-192 AES-256 Key Size (w/B/b) 4/16/128 6/24/192 8/32/256 Block Size (w/B/b) 4/16/128 4/16/128 4/16/128

• Nos. of Rounds

10 12 14 Round Key Size (w/B/b) 4/16/128 4/16/128 4/16/128 Expanded Key Size (W/B) 44/176 52/208 60/240

AES Encryption and Decryption

Encryption Decryption

S-Box (Encryption)

S-Box (Decryption)

Mix Columns

AES Key Generation

Modes of Operation

• What if the block of plaintext to be encrypted is greater than

b-bits ?

• A mode of operation is a technique for enhancing the effect of

a cryptographic algorithm or adapting the algorithm for an application, such as applying a block cipher to a sequence of data blocks or a data stream.

• These modes are intended for use with any symmetric block

cipher, including triple DES and AES.

• Examples:

1. Electronic Code Book (ECB) 2. Cipher Block Chaining (CBC) Mode 3. Cipher Feedback (CFB) Mode 4. Output Feedback (OFB) Mode 5. Counter (CTR) Mode

Coverts Block Cipher into Stream Cipher

Modes of Operation

Encrypt

56-bit 64-bit 64-bit

P1 C1 K Encrypt

56-bit 64-bit 64-bit

P2 C2 K Encrypt

56-bit 64-bit 64-bit

Pn Cn K Decrypt

56-bit 64-bit 64-bit

C1 P1 K Decrypt

56-bit 64-bit 64-bit

C2 P2 K Decrypt

56-bit 64-bit 64-bit

Cn Pn K

• 1. Electronic Codebook (ECB) Mode

(a) (b) Decryption Encryption

Encrypt

56-bit 64-bit 64-bit

P1 C1 K Encrypt

56-bit 64-bit 64-bit

P2 C2 K Encrypt

56-bit 64-bit 64-bit

Pn Cn K Decrypt

56-bit 64-bit 64-bit

C1 P1 K Decrypt

56-bit 64-bit 64-bit

C2 P2 K Decrypt

56-bit 64-bit 64-bit

Cn Pn K

• 2. Cipher Block Chaining (CBC) Mode

IV IV (a) (b) Decryption Encryption Back

Encryption Decryption Cipher Text Plain Text Plain Text Cipher Text Receiver Public Key Receiver Private Key User A (Sender) User B (Receiver)

Asymmetric (Public) Key Encryption

Entities:

• Public-key and Private-key with every user.
• Encryption – Using public-key of receiver
• Decryption – Using private-key of receiver

Public-Key Cryptosystem

• Public-key algorithms are based on mathematical functions rather than
• n substitution and permutation.
• Public-key cryptography is asymmetric, involving the use of two separate

keys, in contrast to symmetric encryption, which uses only one key.

• We can classify the use of public-key cryptosystems into three categories:
• Encryption/decryption: The sender encrypts a message with the

recipient’s public key.

• Digital signature: The sender “signs” a message with its private
• key. Signing is achieved by a cryptographic algorithm applied to the

message or to a small block of data that is a function of the message.

• Key exchange: Two sides cooperate to exchange a session key.

Several different approaches are possible, involving the private key(s)

• f one or both parties.

Algorithm Enc /Dec Digital Sign. Key Exchange RSA Yes Yes Yes Elliptic-Curve Yes Yes Yes Diffie-Hellman No No Yes DSS No Yes No Back

Rivest-Shamir-Adleman (RSA)

• The scheme developed in 1978 by Rivest, Shamir, and Adleman makes

use of an expression with exponentials.

• The RSA scheme is a block cipher in which the plaintext and ciphertext

are integers between 0 and n-1 for some n.

• A typical size for n is 1024 bits, or 309 decimal digits. That is, n is less

than 21024.

• Plaintext is encrypted in blocks, with each block having a binary value

less than some number n. That is, the block size must be less than or equal to log2(n);

Step 1: Select two primes p1 and q1 (p1 ≠ q1) Step 2: Calculate n1 = p1 X q1 Step 3: Calculate Ø (n1) = (p1-1)(q1-1) Step 4: Select integer e1 [gcd (Ø (n1), e1) = 1 and 1 < e1 < Ø (n1)] Step 5: Calculate d1 ≡ e1-1 (mod Ø (n1)) Step 1: Select two primes p2 and q2 (p2 ≠ q2) Step 2: Calculate n2 = p2 X q2 Step 3: Calculate Ø (n2) = (p2-1)(q2-1) Step 4: Select integer e2 [gcd (Ø (n2), e2) = 1 and 1 < e2 < Ø (n2)] Step 5: Calculate d2 ≡ e2-1 (mod Ø (n2)) User A User B (e1, n1) (e2, n2) C = Me2 (mod n2) M = Cd2 (mod n2) M M C C

Rivest-Shamir-Adleman (RSA)

RSA Example

Back