
Deterministic Encryption
  Same input, same output every time
Probabilistic Encryption
  Same input but different output every time
Diffusion
  Operation to spread the influence of 1 plaintext symbol over many ciphertext symbols, in order to hide statistical properties
Confusion
  Operations to obscure in a complex way the relationship between the key and the ciphertext, to thwart key discovery attempts
Transposition
Substitution

Ciphertext only attack
  Known: only a set of ciphertext encrypted using the same key and algorithm
  Attempt: discover certain plaintext properties (content statistics)
Known plaintext attack
  Known: n < || possible p-c pairs
  Attempt: deduce k, or discover a computationally feasible procedure to produce additional pairs
Chosen plaintext attack
  Known: selected set of plaintext to get the corresponding ciphertext
  Attempt: deduce hidden k, or discover a computationally feasible procedure to produce additional pairs
  Adaptive attack: choose subsequent plaintexts based on earlier p-c pairs and properties of the cipher, such that it may reveal the structure of hidden k
Chosen ciphertext attack
  Known: selected set of ciphertext to get the corresponding plaintext
  Attempt: deduce hidden k, or discover a computationally feasible procedure to produce additional pairs
  Adaptive attack: choose subsequent ciphertexts based on earlier p-c pairs and properties of the cipher, such that it may reveal the structure of hidden k
Chosen text attack
  Known: selected set of plaintext/ciphertext to get the corresponding ciphertext/plaintext
  Attempt: deduce hidden k, or discover a computationally feasible procedure to produce additional pairs
  Adaptive attack: choose subsequent texts based on earlier p-c pairs and properties of the cipher, such that it may reveal the structure of hidden k

Mode of Operation
  1. Electronic Code Book (ECB)
  2. Cipher Block Chaining (CBC)
  3. Cipher Feedback (CFB)
  4. Output Feedback (OFB)
  5. Counter (CTR)

Crypto Algorithm
  1. DES
     o 64 bits input, output and key
     o Permutation and non-linear substitution
     o Structure such that some bits can be dropped yet it can be recovered
     o Why triple DES instead of double DES?
  2. AES
     o 128 bits input and output, 128/192/256 bits key
     o Non-linearity comes from the multiplicative inverse
     o How does matrix multiplication help you in diffusion?
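To make the deterministic/probabilistic distinction and the ECB and CBC modes concrete, here is an added Python example that is not part of the notes. It uses a constructed 8-round Feistel toy cipher with an HMAC round function as a stand-in for DES/AES (it is not DES, and it is not a cipher to deploy); the mode logic on top of it is the real ECB and CBC construction. All function names (toy_encrypt_block, ecb_encrypt, cbc_encrypt, distinct_blocks) are the example's own.

```python
import hashlib
import hmac
import os

BLOCK = 8   # toy 64-bit block, the same block size as DES (constructed stand-in, not DES)
ROUNDS = 8


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_function(key: bytes, half: bytes, r: int) -> bytes:
    # Keyed round function (confusion): HMAC-SHA256 truncated to half a block.
    return hmac.new(key, bytes([r]) + half, hashlib.sha256).digest()[: BLOCK // 2]


def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    # Feistel structure: invertible as a whole even though the round function is not.
    left, right = block[: BLOCK // 2], block[BLOCK // 2:]
    for r in range(ROUNDS):
        left, right = right, _xor(left, _round_function(key, right, r))
    return left + right


def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    left, right = block[: BLOCK // 2], block[BLOCK // 2:]
    for r in reversed(range(ROUNDS)):
        left, right = _xor(right, _round_function(key, left, r)), left
    return left + right


def pad(m: bytes) -> bytes:
    # PKCS#7-style padding up to a whole number of blocks.
    n = BLOCK - len(m) % BLOCK
    return m + bytes([n]) * n


def unpad(m: bytes) -> bytes:
    return m[: -m[-1]]


def _blocks(data: bytes):
    return [data[i: i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, m: bytes) -> bytes:
    # ECB: each block encrypted independently, so equal plaintext blocks give equal ciphertext blocks
    # and the same message always gives the same ciphertext (deterministic).
    return b"".join(toy_encrypt_block(key, blk) for blk in _blocks(pad(m)))


def ecb_decrypt(key: bytes, c: bytes) -> bytes:
    return unpad(b"".join(toy_decrypt_block(key, blk) for blk in _blocks(c)))


def cbc_encrypt(key: bytes, m: bytes, iv=None) -> bytes:
    # CBC: each plaintext block is XORed with the previous ciphertext block (the IV for the first);
    # a fresh random IV per message makes the whole ciphertext differ on every call (probabilistic).
    prev = os.urandom(BLOCK) if iv is None else iv
    out = [prev]
    for blk in _blocks(pad(m)):
        prev = toy_encrypt_block(key, _xor(blk, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, c: bytes) -> bytes:
    iv, body = c[:BLOCK], c[BLOCK:]
    prev, out = iv, []
    for blk in _blocks(body):
        out.append(_xor(toy_decrypt_block(key, blk), prev))
        prev = blk
    return unpad(b"".join(out))


def distinct_blocks(c: bytes, skip_iv: bool = False):
    """(distinct ciphertext blocks, total blocks): repeated blocks are the ECB pattern leak."""
    blks = _blocks(c[BLOCK:] if skip_iv else c)
    return len(set(blks)), len(blks)


if __name__ == "__main__":
    key, msg = b"0123456789abcdef", b"ATTACKAT" * 6   # constructed sample input
    print("ECB distinct/total:", distinct_blocks(ecb_encrypt(key, msg)))
    print("CBC distinct/total:", distinct_blocks(cbc_encrypt(key, msg), skip_iv=True))
```

With six identical plaintext blocks, ECB produces only two distinct ciphertext blocks (the repeated one and the padding block), while CBC with a random IV produces seven different ones and a different ciphertext on every run.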

Stream cipher
  1. Asynchronous
     Each key-stream unit is a function of a fixed number of previous ciphertext units
  2. Synchronous
     Message text does not affect key-stream generation
Characteristics of the key stream
  1. Randomness
     Destroys the statistical properties of the message
  2. Unpredictability
     Cannot predict the next bits and cannot compute the previous bits
Properties of a cryptographically secure random number generator

RSA
  Square and Multiply
  Miller-Rabin
  Chinese Remainder Theorem
Diffie-Hellman (discrete log based)
ElGamal encryption and decryption
  Which one is the public key, which is the private key, which is the message?
  What is the purpose of the random integer i?
  What happens if i repeats?
  What happens if i is an easy-to-guess value?
Shared Secret System
  Split the secret into a few pieces such that even one carrying a piece will not have more information than anybody else
  How to recover the secret (Exam)
  no GF2^
Hash
  Characteristics/Requirements/Properties of a hash function (Pg7 of C9)
  Probability of match (pg10 of C9)
  Birthday attack using the Birthday paradox (Exam)
Extended Euclid's Algorithm
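The shared secret system above, as an added Python example that is not from the notes: Shamir's threshold scheme over a prime field (prime-field arithmetic rather than GF(2^n)), with recovery by Lagrange interpolation at x = 0. The modulus P is a constructed choice and the function names are the example's own.

```python
import random

P = (1 << 127) - 1   # constructed choice: a Mersenne prime as the field modulus


def split_secret(secret: int, k: int, n: int, rng=random.SystemRandom()):
    """n shares (x, f(x)) of a random degree k-1 polynomial with f(0) = secret.

    Any k shares determine f and hence the secret; k-1 or fewer are consistent with
    every possible secret, so a single holder learns nothing more than anybody else."""
    if not 1 <= k <= n < P:
        raise ValueError("need 1 <= k <= n")
    coeffs = [secret % P] + [rng.randrange(P) for _ in range(k - 1)]

    def f(x: int) -> int:
        return sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P

    return [(x, f(x)) for x in range(1, n + 1)]


def recover_secret(shares) -> int:
    """Lagrange interpolation at x = 0 over GF(P): f(0) = sum_i y_i * prod_{j != i} (0 - x_j) / (x_i - x_j)."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, P - 2, P)) % P   # Fermat inverse of den
    return secret


if __name__ == "__main__":
    shares = split_secret(123456789, k=3, n=5)   # constructed sample secret
    print(recover_secret(shares[:3]), recover_secret(shares[2:]))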
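The probability-of-match and birthday-paradox items above, as an added Python example (not from the notes): the exact collision probability for n draws from N values, the usual approximation, and the number of draws needed to reach a target probability. Function names are the example's own.

```python
import math


def collision_probability(n: int, N: int) -> float:
    """Exact P(at least two of n uniform draws from N values coincide) = 1 - prod_{i<n} (N - i)/N."""
    if n > N:
        return 1.0
    p_none = 1.0
    for i in range(n):
        p_none *= (N - i) / N
    return 1.0 - p_none


def collision_probability_approx(n: int, N: int) -> float:
    """Standard approximation 1 - exp(-n(n-1) / 2N)."""
    return 1.0 - math.exp(-n * (n - 1) / (2.0 * N))


def draws_for_probability(N: int, target: float = 0.5) -> int:
    """Smallest n with collision_probability(n, N) >= target (incremental; fine for moderate N)."""
    n, p_none = 0, 1.0
    while 1.0 - p_none < target:
        p_none *= (N - n) / N
        n += 1
    return n


def draws_for_half_estimate(bits: int) -> float:
    """~ sqrt(2 ln 2 * 2^bits): a 50% collision on a bits-bit hash needs about 2^(bits/2) outputs."""
    return math.sqrt(2 * math.log(2) * 2 ** bits)


if __name__ == "__main__":
    print("23 people, 365 days:", round(collision_probability(23, 365), 4))
    print("draws for 50% on a 32-bit hash:", draws_for_probability(2 ** 32))
```

The same calculation explains why a hash's collision resistance is about half its output length: the draws needed for a 50% collision grow with the square root of the output space.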

What to achieve with the use of cryptographic algorithms in a cryptographic protocol
  1. Message Confidentiality
     Preventing attackers from eavesdropping on the content of a message
  2. Message Integrity
     Detecting attackers modifying a message
  3. Message Authentication
     Detecting attackers spoofing a message
  4. Entity Authentication
     Detecting attackers masquerading as an authorised user
  5. Non-repudiation
     Preventing the originator from denying having sent the message

Perfectly Secure Cipher
  1. |K| >= |M|
  2. Key cannot be reused
Computationally Secure Cipher
  1. |K| < |M|
  2. Key can be reused
  3. U = H(K) / D, where H(K) is the entropy and D is the redundancy
  4. If D -> 0 and U -> infinity, it can never be broken
  5. If N < U, it may not be broken
  6. If N > U, |K| must be large enough to withstand a brute force attack

Challenge of Distributing a Secret Key
  A secure channel is needed
Public Key Cryptography (Asymmetric Cryptography)
  RSA & DSA
  No harder than factoring
  No need for a secure channel to distribute, as knowing the public key will not compromise the private key
Challenge of Distributing a Public Key
  Trust of the public key
Digital Signature (Trusted Third Party, TTP, to certify public keys)
  1. Public Key Infrastructure (PKI)
     a. Used in SSL/TLS
     b. Certification Authority (CA): companies set up as TTP
     c. Public key certified by the CA before distributing
  2. Concept of Web-Of-Trust
     a. Used in PGP
     b. Anyone can act as TTP to certify a public key by signing over it using their own private key
     c. We decide ourselves who to trust in this world, since a CA may not be fully trustable
  3. Key Continuity Management (KCM)
     a. Used in SSH
     b. Simply trust a public key that has been used before, without the need for a signature
     c. Simply leaves the most difficult question to the user: how to trust a new public key
  4. Identity-Based Cryptography (IBC)
     a. Identity is used as the public key, so there is no requirement to bind the public key to the user
     b. Requires a fully trusted TTP to operate as Key Generation Centre (KGC), generating all private keys using a master key, to prevent people from generating the private keys of others
     c. KGC can read all encrypted messages of users

Quantum Key Distribution
  Eavesdropper can be detected => no need for a secure channel for key distribution
  Based on photon (light) polarization states: rectilinear & diagonal bases
  Distribute secret keys over an insecure channel
  Use the secret keys as a one-time pad to encrypt the message
BB84 QKD
  1. Sender randomly chooses a basis for each bit
  2. Recipient randomly chooses a basis to receive each bit
  3. Verify their bases publicly
  4. Bits corresponding to matching bases form the key bits
  5. Discard the others
  6. Verify some key bits to detect the presence of Eve
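The six BB84 steps above as one added classical simulation in Python (not from the notes): photon measurement is modelled as "same basis reproduces the bit, other basis gives a random bit", the parties sift on matching bases, and a sample of the sifted bits is compared to estimate the error rate, which is how the presence of an eavesdropper shows up. Function names and the 25% check fraction are the example's own choices.

```python
import secrets


def random_bits(n: int):
    return [secrets.randbelow(2) for _ in range(n)]


def measure(bit: int, sent_basis: int, recv_basis: int) -> int:
    """Classical stand-in for a photon measurement: the same basis reproduces the bit,
    the other basis yields a uniformly random outcome."""
    return bit if sent_basis == recv_basis else secrets.randbelow(2)


def bb84(n: int, eve: bool = False, check_fraction: float = 0.25):
    """Run BB84 over n photons; returns (error rate on the check bits, key_a, key_b)."""
    a_bits, a_bases = random_bits(n), random_bits(n)   # 1. sender: a random bit and basis per photon
    b_bases = random_bits(n)                            # 2. recipient: a random basis per photon
    b_bits = []
    for bit, a_basis, b_basis in zip(a_bits, a_bases, b_bases):
        if eve:
            # An interceptor who measures and re-sends cannot know the basis, so about a
            # quarter of the sifted bits end up wrong: this is what step 6 detects.
            e_basis = secrets.randbelow(2)
            bit, a_basis = measure(bit, a_basis, e_basis), e_basis
        b_bits.append(measure(bit, a_basis, b_basis))
    # 3-5. bases are compared publicly; only positions with matching bases are kept
    sifted = [i for i in range(n) if a_bases[i] == b_bases[i]]
    # 6. a sample of the sifted bits is revealed and compared; any mismatch means disturbance
    k = max(1, int(len(sifted) * check_fraction))
    check, keep = sifted[:k], sifted[k:]
    errors = sum(a_bits[i] != b_bits[i] for i in check)
    return errors / k, [a_bits[i] for i in keep], [b_bits[i] for i in keep]


if __name__ == "__main__":
    for eve in (False, True):
        rate, key_a, key_b = bb84(4000, eve=eve)
        print(f"eve={eve}: error rate {rate:.3f}, key bits {len(key_a)}, keys agree {key_a == key_b}")
```

Without interference the check bits match exactly and the remaining bits are identical on both sides; with an interceptor the observed error rate sits near 25%, so the parties discard the key rather than use it as a one-time pad.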

Secret Key Cipher: Ek(M)
  Confidentiality & Message Authentication
MAC: M || Ck(M)
  Message Authentication & Integrity
MAC followed by encryption: Ek2(M || Ck1(M))
Encryption followed by MAC: Ek2(M) || Ck1(Ek2(M))
  Confidentiality & Message Authentication & Integrity
Public Key Cipher for Encryption: Eku(M)
  Confidentiality
  Used to encrypt the secret key: Ek(M) || Eku(K)
Public Key Cryptography to generate a signature: M || Skr(H(M))
  Message Authentication & Integrity & Non-repudiation
Signature followed by Encryption: Ek(M || Skr(H(M))) || Eku(k)
  Confidentiality & Integrity & Message Authentication & Non-repudiation

Authentication Protocol
  To detect a masquerading attack, i.e. to verify that a person is really who he claims to be
  Unilateral Authentication (Client/Server authentication)
  Mutual Authentication
  1. Basic Password Authentication: id || pw
     Vulnerable to eavesdropping attack
  2. Hashed Password Authentication: id || H(pw)
     Vulnerable to replay attack
  3. One-time password generated by a hash chain (P99 = H^99(pw))
     Vulnerable to pre-play attack (the user, without knowing, sends P(i-1) to a MITM, and the MITM uses it)
Challenge-Response Authentication Protocol
  To achieve freshness, generate a nonce (new challenge)
  HTTP-NTLM: (Ns, Nc || RESPc || IDc)
     Vulnerable to dictionary attack, as RESPc depends on the unknown password
  Secret Key Encryption Authentication: Ek() prevents dictionary attack
  MAC Authentication: MACk()
  Digital Signature: SIGNkr() prevents cloning attack
  1. A -> B: Na
  2. B -> A: Ek(IDa || Na || Nb)   // B is authenticated: other than A, B is the only one that can compute Ek(Na)
  3. A -> B: Ek(Nb || Na)          // A is authenticated: other than B, A is the only one that can compute Ek(Nb)
  Nonce prevents replay attack (replay or pre-play)
  ID of the recipient inside the encryption prevents reflection attack
  Nb in 2 can be outside; Na in 3 can be omitted
  Still vulnerable to relay attack
Needham-Schroeder Public Key Authentication: Eku()
  1. A -> B: Ekub(Na || IDa)
  2. B -> A: Ekua(Na || Nb || IDb)   // B is authenticated, as only B can decrypt Ekub(Na || IDa)
  3. A -> B: Ekub(Nb)                // A is authenticated, as only A can decrypt Ekua(Na || Nb || IDb)
  Nonce prevents replay attack (replay or pre-play)
  ID of the sender in 1: B knows which public key to use
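The hash-chain one-time password scheme above (P99 = H^99(pw)), as an added Python example that is not from the notes: the server stores only the last accepted value P_i and accepts a candidate x only if H(x) = P_i, which is why an eavesdropped value cannot be replayed. SHA-256 is used as H, and the class and function names are the example's own; the pre-play weakness the notes describe is untouched by this check, since the server cannot tell who relayed a valid value.

```python
import hashlib
import hmac

CHAIN_LENGTH = 99   # the notes' P99 = H^99(pw)


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def hash_chain(pw: bytes, n: int) -> bytes:
    """P_n = H^n(pw): apply H n times to the password."""
    value = pw
    for _ in range(n):
        value = H(value)
    return value


class OTPVerifier:
    """Server side. Stores only P_i, never the password; on success P_{i-1} replaces P_i."""

    def __init__(self, user: str, p_n: bytes, n: int):
        self.user, self.current, self.remaining = user, p_n, n

    def verify(self, user: str, candidate: bytes) -> bool:
        if user != self.user or self.remaining == 0:
            return False   # unknown user, or chain exhausted (user must re-enrol)
        if not hmac.compare_digest(H(candidate), self.current):
            return False   # wrong value, replayed value, or out-of-order value
        self.current, self.remaining = candidate, self.remaining - 1
        return True


def enrol(user: str, pw: bytes) -> OTPVerifier:
    """Registration: the server receives P_99 only."""
    return OTPVerifier(user, hash_chain(pw, CHAIN_LENGTH), CHAIN_LENGTH)


def client_password(pw: bytes, login_number: int) -> bytes:
    """The login_number-th login (1-based) sends P_{99 - login_number}."""
    return hash_chain(pw, CHAIN_LENGTH - login_number)


if __name__ == "__main__":
    pw = b"constructed-demo-password"   # constructed sample input
    server = enrol("alice", pw)
    first = client_password(pw, 1)
    print("login 1:", server.verify("alice", first))
    print("replay of login 1:", server.verify("alice", first))
    print("login 2:", server.verify("alice", client_password(pw, 2)))
```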
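The three-message nonce-based mutual authentication above, as an added Python example that is not from the notes. Because the standard library has no block cipher, it uses the notes' MAC variant (MACk()) with HMAC-SHA256 in place of Ek(): each side proves knowledge of k over the other side's fresh nonce, the recipient's ID is bound inside the tag (the notes' anti-reflection measure), and answered challenges are remembered so a replayed challenge is refused. The class, method names and message layout are the example's own.

```python
import hashlib
import hmac
import os


class Party:
    """One principal holding the shared key k."""

    def __init__(self, ident: bytes, key: bytes):
        self.id, self.key = ident, key
        self.seen = set()     # challenges already answered: a repeat is refused (replay)
        self.pending = {}     # my outstanding challenges -> the peer they were sent to

    def mac(self, *parts: bytes) -> bytes:
        return hmac.new(self.key, b"|".join(parts), hashlib.sha256).digest()

    # Message 1, A -> B: IDa || Na
    def start(self, peer_id: bytes):
        na = os.urandom(16)
        self.pending[na] = peer_id
        return self.id, na

    # Message 2, B -> A: Nb || MACk(IDa || Na || Nb); the recipient's ID is inside the tag
    def respond(self, peer_id: bytes, na: bytes):
        if na in self.seen:
            raise ValueError("replayed challenge")
        self.seen.add(na)
        nb = os.urandom(16)
        self.pending[nb] = peer_id
        return nb, self.mac(peer_id, na, nb)

    # A checks message 2 (B answered A's fresh nonce under k) and builds message 3: MACk(IDb || Nb || Na)
    def finish(self, peer_id: bytes, na: bytes, nb: bytes, tag: bytes) -> bytes:
        if self.pending.pop(na, None) != peer_id:
            raise ValueError("unknown or stale challenge")
        if not hmac.compare_digest(tag, self.mac(self.id, na, nb)):
            raise ValueError("bad response: peer does not hold k")
        return self.mac(peer_id, nb, na)

    # B checks message 3 (A answered B's fresh nonce under k)
    def verify_final(self, peer_id: bytes, nb: bytes, na: bytes, tag: bytes) -> bool:
        if self.pending.pop(nb, None) != peer_id:
            raise ValueError("unknown or stale challenge")
        return hmac.compare_digest(tag, self.mac(self.id, nb, na))


def run_mutual_auth(a: Party, b: Party) -> bool:
    ida, na = a.start(b.id)                  # 1. A -> B: Na
    nb, tag2 = b.respond(ida, na)            # 2. B -> A: Nb || MACk(IDa || Na || Nb)
    tag3 = a.finish(b.id, na, nb, tag2)      # 3. A -> B: MACk(IDb || Nb || Na)
    return b.verify_final(ida, nb, na, tag3)


if __name__ == "__main__":
    k = b"constructed-shared-key"   # constructed sample key
    print("A <-> B:", run_mutual_auth(Party(b"A", k), Party(b"B", k)))
```

As the notes say, nonces and bound identities stop replay, pre-play and reflection, but a relay attack, where a live session is forwarded in real time, is not detected by this exchange.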

  ID of the sender in 2 prevents interleaving attack

Authentication Key Establishment Protocol (AKE)
  Perfect Forward Secrecy
    Compromise of the long-term key will not compromise past short-term session keys
  Resistance to Known Key Attack
    Compromise of past session keys will not compromise future session keys or result in an impersonation attack in future
  Decentralized vs Centralized
    1. Both parties interact directly to establish the session key
    2. One party interacts with the KDC/KTC to establish the session key
  Key Transport Protocol vs Key Agreement/Exchange Protocol
    1. One party generates the session key and securely transfers it to the other party
    2. Both parties contribute some key material which is jointly used to derive the session key
  Key Confirmation
    1. A -> B: Esk(Na)
    2. B -> A: Esk(f(Na))   // f(Na) can simply be Na - 1
MS-CHAPv2
  Vulnerable to dictionary attack
  If the dictionary attack is successful, the session key can also
Needham-Schroeder Secret Key Protocol
  1. A -> T: IDa || IDb || Na
  2. T -> A: Eka[Na || IDb || SKab || Ekb(IDa || SKab)]
  3. A -> B: Ekb(IDa || SKab)
  Ekb(IDa || SKab) is vulnerable to known key attack
  Add a timestamp (T) inside Eka[..] of 2 and Ekb(IDa || SKab) of 2 => prevents known key attack
  Secret key is derived from the password by flattening & folding => vulnerable to dictionary attack
  Dictionary attack is successful => no perfect forward secrecy
Needham-Schroeder Public Key Protocol
  1. A -> B: Ekub(Na || IDa)
  2. B -> A: Ekua(Na || Nb || IDb)
  3. A -> B: Ekub(Nb)
  SK = H(Na || Nb)
  Compromise of kua and kub => no perfect forward secrecy
Diffie-Hellman Key Exchange (DH-KE)
  1. A -> B: p || g || Ew(g^a MOD p)
  2. B -> A: Ew(g^b MOD p)
  SK = g^ab MOD p
  No authentication => vulnerable to MITM attack
  Ew() => Encrypted Key Exchange (EKE)
    Vulnerable if all stored passwords are recovered
  Skr() => Signature-based DH-KE
    Vulnerable to identity misbinding (key share attack)
  Secure Remote Password (SRP)
    User cannot identify the authentic website correctly => phishing attack
    2FA is for authenticating the user, so it is not a solution
    EV Cert still relies on the user to identify the website correctly, but can they?
    Potential Solution
      Password remains safe even when wrongly going to phishing websites
      Integrate SRP into SSL/TLS
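The Diffie-Hellman exchange above (SK derived from g^ab MOD p) followed by the key confirmation step from the AKE section, as an added Python example that is not from the notes. The group parameters P and G are a constructed toy choice (2^127 - 1 is prime but is not a standardised safe-prime group); Esk(Na) / Esk(f(Na)) are stood in by HMAC tags under the derived SK, since the standard library has no block cipher. As the notes state, the exchange itself is unauthenticated: confirmation only shows both sides hold the same SK, not who the peer is.

```python
import hashlib
import hmac
import secrets

# Constructed toy group, for illustration only; real deployments use RFC 3526 / RFC 7919
# groups or elliptic-curve DH.
P = (1 << 127) - 1
G = 3


def dh_keypair():
    """Private exponent a and public value g^a mod p."""
    a = secrets.randbelow(P - 2) + 1
    return a, pow(G, a, P)


def dh_shared(priv: int, peer_pub: int) -> int:
    """g^ab mod p, after rejecting degenerate public values (0, 1, p-1) that force a trivial secret."""
    if not 1 < peer_pub < P - 1:
        raise ValueError("invalid peer public value")
    return pow(peer_pub, priv, P)


def derive_sk(shared: int) -> bytes:
    """SK = H(g^ab mod p): hash the group element rather than using it raw as a key."""
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def confirm_tag(sk: bytes, ident: bytes, nonce: bytes) -> bytes:
    """Key confirmation tag over (identity, nonce) under SK; stands in for Esk(Na) / Esk(f(Na))."""
    return hmac.new(sk, ident + nonce, hashlib.sha256).digest()


def run_exchange() -> bool:
    a, pub_a = dh_keypair()                 # 1. A -> B: p || g || g^a mod p
    b, pub_b = dh_keypair()                 # 2. B -> A: g^b mod p
    sk_a = derive_sk(dh_shared(a, pub_b))   # A computes (g^b)^a
    sk_b = derive_sk(dh_shared(b, pub_a))   # B computes (g^a)^b
    na = secrets.token_bytes(16)
    tag_a = confirm_tag(sk_a, b"A", na)     # A -> B: Na || tag over Na under SK
    ok_b = hmac.compare_digest(tag_a, confirm_tag(sk_b, b"A", na))
    tag_b = confirm_tag(sk_b, b"B", na)     # B -> A: tag over f(Na) (here: the same nonce, B's identity)
    ok_a = hmac.compare_digest(tag_b, confirm_tag(sk_a, b"B", na))
    return ok_a and ok_b


if __name__ == "__main__":
    print("key confirmed on both sides:", run_exchange())
```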
