
Security Attacks

Passive Attacks

Passive attacks are in the nature of eavesdropping on, or monitoring of, transmissions. The goal of the opponent is to obtain information that is being transmitted. Two types of passive attacks are release of message contents and traffic analysis.

The release of message contents is easily understood (Figure 1.3a). A telephone conversation, an electronic mail message, and a transferred file may contain sensitive or confidential information. We would like to prevent an opponent from learning the contents of these transmissions.

A second type of passive attack, traffic analysis, is subtler (Figure 1.3b). Suppose that we had a way of masking the contents of messages or other information traffic so that opponents, even if they captured the message, could not extract the information from the message. The common technique for masking contents is encryption. If we had encryption protection in place, an opponent might still be able to observe the pattern of these messages.

Active Attacks

Active attacks fall into four categories: masquerade, replay, modification of messages, and denial of service.

A masquerade takes place when one entity pretends to be a different entity (Figure 1.4a). A masquerade attack usually includes one of the other forms of active attack. For example, authentication sequences can be captured and replayed after a valid authentication sequence has taken place, thus enabling an authorized entity with few privileges to obtain extra privileges by impersonating an entity that has those privileges.

Replay involves the passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect.

Modification of messages simply means that some portion of a legitimate message is altered, or that messages are delayed or reordered, to produce an unauthorized effect.
accounts" is modified to mean "Allow Fred Brown to read confidential file accounts."

Denial of service prevents or inhibits the normal use or management of communications facilities (Figure 1.4d). This attack may have a specific target; for example, an entity may suppress all messages directed to a particular destination (e.g., the security audit service). Another form of service denial is the disruption of an entire network, either by disabling the network or by overloading it with messages so as to degrade performance.

Symmetric Cipher Model

A symmetric encryption scheme has five ingredients (Figure 2.1):

Plaintext: This is the original intelligible message or data that is fed into the algorithm as input.
Encryption algorithm: The encryption algorithm performs various substitutions and transformations on the plaintext.
Secret key: The secret key is also input to the encryption algorithm. The key is a value independent of the plaintext and of the algorithm. The algorithm will produce a different output depending on the specific key being used at the time. The exact substitutions and transformations performed by the algorithm depend on the key.
Ciphertext: This is the scrambled message produced as output. It depends on the plaintext and the secret key. For a given message, two different keys will produce two different ciphertexts. The ciphertext is an apparently random stream of data and, as it stands, is unintelligible.
Decryption algorithm: This is essentially the encryption algorithm run in reverse. It takes the ciphertext and the secret key and produces the original plaintext.

Substitution Techniques

In this section and the next, we examine a sampling of what might be called classical encryption techniques. A study of these techniques enables us to illustrate the basic approaches to symmetric encryption used today and the types of cryptanalytic attacks that must be anticipated. The two basic building blocks of all encryption techniques are substitution and transposition. We examine these in the next two sections. Finally, we discuss a system that combines both substitution and transposition.

A substitution technique is one in which the letters of plaintext are replaced by other letters or by numbers or symbols. If the plaintext is viewed as a sequence of bits, then substitution involves replacing plaintext bit patterns with ciphertext bit patterns.

Transposition Techniques

All the techniques examined so far involve the substitution of a ciphertext symbol for a plaintext symbol. A very different kind of mapping is achieved by performing some sort of permutation on the plaintext letters. This technique is referred to as a transposition cipher. The simplest such cipher is the rail fence technique, in which the plaintext is written down as a sequence of diagonals and then read off as a sequence of rows. For example, to encipher the message "meet me after the toga party" with a rail fence of depth 2, we write the following:

The Data Encryption Standard

The algorithm transforms a 64-bit input in a series of steps into a 64-bit output. The same steps, with the same key, are used to reverse the encryption. The overall scheme for DES encryption is illustrated in Figure 3.4. As with any encryption scheme, there are two inputs to the encryption function: the plaintext to be encrypted and the key. In this case, the plaintext must be 64 bits in length and the key is 56 bits in length.

Initial Permutation

The initial permutation and its inverse are defined by tables, as shown in Tables 3.2a and 3.2b, respectively. The tables are to be interpreted as follows. The input to a table consists of 64 bits numbered from 1 to 64. The 64 entries in the permutation table contain a permutation of the numbers from 1 to 64. Each entry in the permutation table indicates the position of a numbered input bit in the output, which also consists of 64 bits.

The Avalanche Effect

A desirable property of any encryption algorithm is that a small change in either the plaintext or the key should produce a significant change in the ciphertext. In particular, a change in one bit of the plaintext or one bit of the key should produce a change in many bits of the ciphertext.
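The depth-2 rail fence example from the transposition section, as an added Python example that is not part of the original notes: it generalises the cipher to any number of rails and includes the decryption side. Spaces are dropped and letters lower-cased before enciphering, as in the textbook example.

```python
def _rail_pattern(length: int, depth: int) -> list:
    """Rail index visited by each successive letter as the text zig-zags
    down and back up the rails: 0, 1, ..., depth-1, depth-2, ..., 0, 1, ..."""
    pattern, row, step = [], 0, 1
    for _ in range(length):
        pattern.append(row)
        if row == 0:
            step = 1
        elif row == depth - 1:
            step = -1
        row += step
    return pattern


def rail_fence_encrypt(plaintext: str, depth: int) -> str:
    """Write the letters along diagonals over `depth` rails, then read the rails off row by row."""
    letters = plaintext.replace(" ", "").lower()
    if depth < 2:
        return letters  # a single rail is the identity transposition
    rails = [[] for _ in range(depth)]
    for ch, row in zip(letters, _rail_pattern(len(letters), depth)):
        rails[row].append(ch)
    return "".join("".join(rail) for rail in rails)


def rail_fence_decrypt(ciphertext: str, depth: int) -> str:
    """Recompute the zig-zag, cut the ciphertext into the rails' lengths, then replay the pattern."""
    if depth < 2:
        return ciphertext
    pattern = _rail_pattern(len(ciphertext), depth)
    rails, pos = [], 0
    for row in range(depth):
        count = pattern.count(row)          # how many letters landed on this rail
        rails.append(list(ciphertext[pos:pos + count]))
        pos += count
    # The i-th plaintext letter is the next unused letter of rail pattern[i]
    return "".join(rails[row].pop(0) for row in pattern)


if __name__ == "__main__":
    c = rail_fence_encrypt("meet me after the toga party", 2)
    print(c, rail_fence_decrypt(c, 2))
```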
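The table-driven permutation described under Initial Permutation, as an added Python example (not the page's own code): the DES IP table from FIPS 46 is entered, the inverse table (IP^-1) is derived from it rather than typed in, and the two are shown to cancel. The 64-bit sample block is a constructed value.

```python
# DES initial permutation IP (FIPS 46, the page's Table 3.2a). Entry i (1-based) names the
# input bit that lands in output position i; bits are numbered 1..64 from the leftmost bit.
IP = [
    58, 50, 42, 34, 26, 18, 10, 2,
    60, 52, 44, 36, 28, 20, 12, 4,
    62, 54, 46, 38, 30, 22, 14, 6,
    64, 56, 48, 40, 32, 24, 16, 8,
    57, 49, 41, 33, 25, 17, 9, 1,
    59, 51, 43, 35, 27, 19, 11, 3,
    61, 53, 45, 37, 29, 21, 13, 5,
    63, 55, 47, 39, 31, 23, 15, 7,
]


def permute(block: int, table: list, width: int = 64) -> int:
    """Apply a DES-style permutation table to a `width`-bit block held in an int."""
    out = 0
    for out_pos, in_pos in enumerate(table, start=1):
        bit = (block >> (width - in_pos)) & 1   # fetch input bit number in_pos
        out |= bit << (width - out_pos)         # place it at output position out_pos
    return out


def invert_table(table: list) -> list:
    """Derive the inverse table (IP^-1, Table 3.2b): if output i takes input j,
    the inverse must send its input i back to output j."""
    inverse = [0] * len(table)
    for out_pos, in_pos in enumerate(table, start=1):
        inverse[in_pos - 1] = out_pos
    return inverse


IP_INV = invert_table(IP)


def round_trips(block: int) -> bool:
    """IP^-1(IP(x)) == x for a 64-bit block."""
    return permute(permute(block, IP), IP_INV) == block


if __name__ == "__main__":
    sample = 0x0123456789ABCDEF  # constructed sample block
    print(hex(permute(sample, IP)), round_trips(sample))
```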
If the change in the ciphertext were small, this might provide a way to reduce the size of the plaintext or key space to be searched.

AES

The input to the encryption and decryption algorithms is a single 128-bit block. In FIPS PUB 197, this block is depicted as a square matrix of bytes. This block is copied into the State array, which is modified at each stage of encryption or decryption. After the final stage, State is copied to an output matrix. These operations are depicted in Figure 5.2a. Similarly, the 128-bit key is depicted as a square matrix of bytes. This key is then expanded into an array of key schedule words; each word is four bytes and the total key schedule is 44 words for the 128-bit key.

Four different stages are used, one of permutation and three of substitution:

Substitute bytes: Uses an S-box to perform a byte-by-byte substitution of the block.
ShiftRows: A simple permutation.
MixColumns: A substitution that makes use of arithmetic over GF(2^8).
AddRoundKey: A simple bitwise XOR of the current block with a portion of the expanded key.

Authentication Requirements

1. Disclosure: Release of message contents to any person or process not possessing the appropriate cryptographic key.
2. Traffic analysis: Discovery of the pattern of traffic between parties. In a connection-oriented application, the frequency and duration of connections could be determined. In either a connection-oriented or connectionless environment, the number and length of messages between parties could be determined.
3. Masquerade: Insertion of messages into the network from a fraudulent source. This includes the creation of messages by an opponent that are purported to come from an authorized entity. Also included are fraudulent acknowledgments of message receipt or nonreceipt by someone other than the message recipient.
4. Content modification: Changes to the contents of a message, including insertion, deletion, transposition, and modification.
5. Sequence modification: Any modification to a sequence of messages between parties, including insertion, deletion, and reordering.
6. Timing modification: Delay or replay of messages. In a connection-oriented application, an entire session or sequence of messages could be a replay of some previous valid session, or individual messages in the sequence could be delayed or replayed. In a connectionless application, an individual message (e.g., datagram) could be delayed or replayed.
7. Source repudiation: Denial of transmission of message by source.
8. Destination repudiation: Denial of receipt of message by destination.

Authentication Functions

Any message authentication or digital signature mechanism has two levels of functionality. At the lower level, there must be some sort of function that produces an authenticator: a value to be used to authenticate a message. This lower-level function is then used as a primitive in a higher-level authentication protocol that enables a receiver to verify the authenticity of a message. This section is concerned with the types of functions that may be used to produce an authenticator. These may be grouped into three classes, as follows:

Message encryption: The ciphertext of the entire message serves as its authenticator.
Message authentication code (MAC): A function of the message and a secret key that produces a fixed-length value that serves as the authenticator.
Hash function: A function that maps a message of any length into a fixed-length hash value, which serves as the authenticator.

Message Encryption

Message encryption by itself can provide a measure of authentication. The analysis differs for symmetric and public-key encryption schemes.

Symmetric Encryption

Consider the straightforward use of symmetric encryption (Figure 11.1a). A message M transmitted from source A to destination B is encrypted using a secret key K shared by A and B. If no other party knows the key, then confidentiality is provided: no other party can recover the plaintext of the message.

Message Authentication Codes

A MAC, also known as a cryptographic checksum, is generated by a function C of the form

MAC = C(K, M)

where M is a variable-length message, K is a secret key shared only by sender and receiver, and C(K, M) is the fixed-length authenticator. The MAC is appended to the message at the source at a time when the message is assumed or known to be correct. The receiver authenticates that message by recomputing the MAC.
Requirements for MACs

When an entire message is encrypted for confidentiality, using either symmetric or asymmetric encryption, the security of the scheme generally depends on the bit length of the key. Barring some weakness in the algorithm, the opponent must resort to a brute-force attack using all possible keys. On average, such an attack will require 2^(k-1) attempts for a k-bit key. In particular, for a ciphertext-only attack, the opponent, given ciphertext C, would perform P_i = D(K_i, C) for all possible key values K_i until a P_i was produced that matched the form of acceptable plaintext.

Message Authentication Code Based on DES

The Data Authentication Algorithm, based on DES, has been one of the most widely used MACs for a number of years. The algorithm is both a FIPS publication (FIPS PUB 113) and an ANSI standard (X9.17). However, as we discuss in Chapter 12, security weaknesses in this algorithm have been discovered and it is being replaced by newer and stronger algorithms.

Hash Functions

A hash value h is generated by a function H of the form h = H(M), where M is a variable-length message and H(M) is the fixed-length hash value. The hash value is appended to the message at the source at a time when the message is assumed or known to be correct. The receiver authenticates that message by recomputing the hash value. Because the hash function itself is not considered to be secret, some means is required to protect the hash value.

Requirements for a Hash Function

1. H can be applied to a block of data of any size.
2. H produces a fixed-length output.
3. H(x) is relatively easy to compute for any given x, making both hardware and software implementations practical.
4. For any given value h, it is computationally infeasible to find x such that H(x) = h. This is sometimes referred to in the literature as the one-way property.
5. For any given block x, it is computationally infeasible to find y ≠ x such that H(y) = H(x). This is sometimes referred to as weak collision resistance.
6. It is computationally infeasible to find any pair (x, y) such that H(x) = H(y). This is sometimes referred to as strong collision resistance.
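The point that an unprotected hash value authenticates nothing, contrasted with a MAC C(K, M), as an added Python example that is not from the notes: HMAC-SHA256 is assumed as the concrete MAC function (the notes' DAA is not used), and the key and messages are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample values. A real key K must come from a CSPRNG (e.g. os.urandom(32)).
KEY_K = b"constructed-shared-secret-key"
MESSAGE_M = b"transfer 100 to account 7"
ALTERED_M = b"transfer 900 to account 7"


def unkeyed_hash(message: bytes) -> bytes:
    """h = H(M): a hash value with nothing protecting it. H is public."""
    return hashlib.sha256(message).digest()


def verify_unkeyed(message: bytes, h: bytes) -> bool:
    return hmac.compare_digest(unkeyed_hash(message), h)


def mac(key: bytes, message: bytes) -> bytes:
    """MAC = C(K, M), instantiated here with HMAC-SHA256 (assumption)."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_mac(key: bytes, message: bytes, tag: bytes) -> bool:
    # compare_digest avoids leaking the position of a mismatch through timing
    return hmac.compare_digest(mac(key, message), tag)


def unkeyed_hash_is_forgeable() -> bool:
    """Without a key, whoever alters M can recompute H(M'); the receiver's
    check passes, so an appended hash alone gives no authentication."""
    return verify_unkeyed(ALTERED_M, unkeyed_hash(ALTERED_M))


def mac_detects_substitution() -> bool:
    """With a MAC, the original tag verifies, but an altered message fails under
    the original tag and under a tag computed with a guessed key."""
    tag = mac(KEY_K, MESSAGE_M)
    guessed = mac(b"constructed-wrong-key", ALTERED_M)
    return (verify_mac(KEY_K, MESSAGE_M, tag)
            and not verify_mac(KEY_K, ALTERED_M, tag)
            and not verify_mac(KEY_K, ALTERED_M, guessed))


if __name__ == "__main__":
    print("unkeyed hash accepts altered message:", unkeyed_hash_is_forgeable())
    print("MAC rejects altered message:", mac_detects_substitution())
```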

Birthday Attacks

Suppose that a 64-bit hash code is used. One might think that this is quite secure. For example, if an encrypted hash code C is transmitted with the corresponding unencrypted message M (Figure 11.5b or 11.5c), then an opponent would need to find an M' such that H(M') = H(M) to substitute another message and fool the receiver.

The source, A, is prepared to "sign" a message by appending the appropriate m-bit hash code and encrypting that hash code with A's private key (Figure 11.5c).

1. The opponent generates 2^(m/2) variations on the message, all of which convey essentially the same meaning. The opponent prepares an equal number of messages, all of which are variations on the fraudulent message to be substituted for the real one.
2. The two sets of messages are compared to find a pair of messages that produces the same hash code. The probability of success, by the birthday paradox, is greater than 0.5. If no match is found, additional valid and fraudulent messages are generated until a match is made.
3. The opponent offers the valid variation to A for signature. This signature can then be attached to the fraudulent variation for transmission to the intended recipient. Because the two variations have the same hash code, they will produce the same signature; the opponent is assured of success even though the encryption key is not known.

Block Chaining Techniques

A number of proposals have been made for hash functions based on using a cipher block chaining technique, but without the secret key. One of the first such proposals was that of Rabin [RABI78]. Divide a message M into fixed-size blocks M_1, M_2, ..., M_N and use a symmetric encryption system such as DES to compute the hash code G as follows:

H_0 = initial value
H_i = E(M_i, H_{i-1})
G = H_N
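Why an m-bit hash code resists collisions with only about 2^(m/2) work, measured rather than stated, as an added Python example that is not from the notes: H is assumed to be SHA-256 truncated to m bits, the message variations are constructed counter-numbered strings, and the search runs on a small m so it finishes instantly. The same formula applied to m = 64 gives the roughly 2^32 figure that makes the 64-bit code in the section above inadequate.

```python
import hashlib
import math


def truncated_hash(message: bytes, m: int) -> int:
    """An m-bit hash code: the leading m bits of SHA-256 (assumption for H)."""
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return digest >> (256 - m)


def expected_trials(m: int) -> float:
    """Birthday paradox: about sqrt(pi/2 * 2^m) random messages are needed before
    two share an m-bit code, i.e. on the order of 2^(m/2) rather than 2^m."""
    return math.sqrt(math.pi / 2 * 2 ** m)


def find_collision(m: int, limit: int):
    """Hash constructed message variations until two share an m-bit code.
    Returns (msg_a, msg_b, trials) or None if `limit` messages gave no collision.
    Keeping every code seen so far is what turns 2^m work into 2^(m/2)."""
    seen = {}
    for i in range(limit):
        msg = b"constructed message variation %d" % i
        code = truncated_hash(msg, m)
        if code in seen:
            return seen[code], msg, i + 1
        seen[code] = msg
    return None


if __name__ == "__main__":
    m = 24
    result = find_collision(m, 1 << 15)
    if result:
        a, b, trials = result
        print("collision after", trials, "trials; expected about", round(expected_trials(m)))
    print("64-bit code: about 2^%.1f trials" % math.log2(expected_trials(64)))
```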
