Key concepts

For over twenty years, information security has held confidentiality, integrity and availability (known as the CIA triad) to be the core principles of information security.[citation needed] There is continuous debate about extending this classic trio.[citation needed] Other principles such as Accountability[2] have sometimes been proposed for addition it has been pointed out[citation needed] that issues such as Non-Repudiation do not fit well within the three core concepts, and as regulation of computer systems has increased (particularly amongst the Western nations) Legality is becoming a key consideration for practical security installations.[citation needed] In 1992 and revised in 2002 the OECD's Guidelines for the Security of Information Systems and Networks[3] proposed the nine generally accepted principles: Awareness, Responsibility, Response, Ethics, Democracy, Risk Assessment, Security Design and Implementation, Security Management, and Reassessment. Building upon those, in 2004 the NIST's Engineering Principles for Information Technology Security[4] proposed 33 principles. From each of these derived guidelines and practices. In 2002, Donn Parker proposed an alternative model for the classic CIA triad that he called the six atomic elements of information. The elements are confidentiality, possession, integrity, authenticity, availability, and utility. The merits of the Parkerian hexad are a subject of debate amongst security professionals.[citation
needed]

[edit]Confidentiality Confidentiality is the term used to prevent the disclosure of information to unauthorized individuals or systems. For example, a credit cardtransaction on the Internet requires the credit card number to be transmitted from the buyer to the merchant and from the merchant to atransaction processing network. The system attempts to enforce confidentiality by encrypting the card number during transmission, by limiting the places where it might appear (in databases, log files, backups, printed receipts, and so on), and by restricting access to the places where it is stored. If an unauthorized party obtains the card number in any way, a breach of confidentiality has occurred. Breaches of confidentiality take many forms. Permitting someone to look over your shoulder at your computer screen while you have confidential data displayed on it could be a breach of confidentiality. If a laptop computer containing sensitive information about a company's employees is stolen or sold, it could result in a breach of confidentiality. Giving out confidential information over the telephone is a breach of confidentiality if the caller is not authorized to have the information. Confidentiality is necessary (but not sufficient) for maintaining the privacy of the people whose personal information a system holds.[citation needed] [edit]Integrity In information security, integrity means that data cannot be modified undetectably.[citation needed] This is not the same thing as referential integrity in databases, although it can be viewed as a special case of Consistency as understood in the classic ACID model of transaction processing. Integrity is violated when a message is actively modified in transit. Information security systems typically provide message integrity in addition to data confidentiality. [edit]Availability

For any information system to serve its purpose, the information must be available when it is needed. This means that the computing systems used to store and process the information, the security controls used to protect it, and the communication channels used to access it must be functioning correctly. High availability systems aim to remain available at all times, preventing service disruptions due to power outages, hardware failures, and system upgrades. Ensuring availability also involves preventing denial-ofservice attacks. [edit]Authenticity In computing, e-Business, and information security, it is necessary to ensure that the data, transactions, communications or documents (electronic or physical) are genuine. It is also important for authenticity to validate that both parties involved are who they claim they are. [edit]Non-repudiation In law, non-repudiation implies one's intention to fulfill their obligations to a contract. It also implies that one party of a transaction cannot deny having received a transaction nor can the other party deny having sent a transaction. Electronic commerce uses technology such as digital signatures and public key encryption to establish authenticity and non-repudiation

DiffieHellman key exchange (DH)[nb 1] is a specific method of exchanging keys. It is one of the earliest practical examples of key exchange implemented within the field of cryptography. The DiffieHellman key exchange method allows two parties that have no prior knowledge of each other to jointly establish a shared secret key over an insecure communications channel. This key can then be used to encrypt subsequent communications using a symmetric key cipher. The scheme was first published by Whitfield Diffie and Martin Hellman in 1976, although it later emerged that it had been separately invented a few years earlier within GCHQ, the British signals intelligence agency, by Malcolm J. Williamson but was kept classified. In 2002, Hellman suggested the algorithm be called DiffieHellmanMerkle key exchange in recognition of Ralph Merkle's contribution to the invention ofpublic-key cryptography (Hellman, 2002). Although DiffieHellman key agreement itself is an anonymous (non-authenticated) key-agreement protocol, it provides the basis for a variety of authenticated protocols, and is used to provide perfect forward secrecy in Transport Layer Security's ephemeral modes (referred to as EDH or DHE depending on the cipher suite).
Contents
[hide]

1 History of the protocol 2 Description

2.1 Chart

3 Operation with more than two parties 4 Security 5 Other uses

5.1 Password-authenticated key agreement

5.2 Public Key

6 See also 7 Notes 8 References 9 External links

[edit]History

of the protocol

The DiffieHellman key agreement was invented in 1976 during a collaboration between Whitfield Diffie and Martin Hellman and was the first practical method for establishing a shared secret over an unprotected communications channel. Ralph Merkle's work on public key distribution was an influence. John Gill suggested application of the discrete logarithm problem. It had first been invented by Malcolm Williamson of GCHQ in the UK some years previously, but GCHQ chose not to make it public until 1997, by which time it had no influence on research in academia. The method was followed shortly afterwards by RSA, another implementation of public key cryptography using asymmetric algorithms. In 2002, Martin Hellman wrote: The system...has since become known as DiffieHellman key exchange. While that system was first described in a paper by Diffie and me, it is a public key distribution system, a concept developed by Merkle, and hence should be called 'DiffieHellmanMerkle key exchange' if names are to be associated with it. I hope this small pulpit might help in that endeavor to recognize Merkle's equal contribution to the invention of public key cryptography. [1] U.S. Patent 4,200,770, now expired, describes the algorithm and credits Hellman, Diffie, and Merkle as inventors. [edit]Description DiffieHellman establishes a shared secret that can be used for secret communications by exchanging data over a public network. The following diagram illustrates the general idea of the key exchange:

Here is an explanation which includes the encryption's mathematics:

The simplest, and original, implementation of the protocol uses the multiplicative group of integers modulo p, where p is prime and g isprimitive root mod p. Here is an example of the protocol, with nonsecret values in blue, and secret values in boldface red: Alice Bob

Secr et

Public

Calculates Sends Calculates

Public

Secr et

p, g

p,g

p, g, A

ga mod p =A

p, g

p, g, A

gb mod p p, g, A, =B B

a, s

p, g, A, Ba mod p B =s

Ab mod p p, g, A, b, s =s B

1. Alice and Bob agree to use a prime number p=23 and base g=5. 2. Alice chooses a secret integer a=6, then sends Bob A = ga mod p
A = 56 mod 23 A = 15,625 mod 23 A=8

3. Bob chooses a secret integer b=15, then sends Alice B = gb mod p

B = 515 mod 23 B = 30,517,578,125 mod 23 B = 19

4. Alice computes s = B a mod p

s = 196 mod 23 s = 47,045,881 mod 23 s=2

5. Bob computes s = A b mod p

s = 815 mod 23 s = 35,184,372,088,832 mod 23

s=2

6. Alice and Bob now share a secret: s = 2. This is because 6*15 is the same as 15*6. So
somebody who had known both these private integers might also have calculated s as follows:

s = 56*15 mod 23 s = 515*6 mod 23 s = 590 mod 23 s = 807,793,566,946,316,088,741,610,050,849,573,099,185,363,389,551,639,556,884,765, 625 mod 23

s=2

Both Alice and Bob have arrived at the same value, because (ga)b and (gb)a are equal mod p. Note that only a, b and gab = gba mod p are kept secret. All the other values p, g, ga mod p, and gb mod p are sent in the clear. Once Alice and Bob compute the shared secret they can use it as an encryption key, known only to them, for sending messages across the same open communications channel. Of course, much larger values of a, b, and p would be needed to make this example secure, since it is easy to try all the possible values of gab mod 23. There are only 23 possible integers as the result of mod 23. If p were a prime of at least 300 digits, and a and b were at least 100 digits long, then even the best algorithms known today could not find a given only g, p, gb mod p and ga mod p, even using all of mankind's computing power. The problem is known as the discrete logarithm problem. Note that g need not be large at all, and in practice is usually either 2 or 5. Here's a more general description of the protocol:

1. Alice and Bob agree on a finite cyclic group G and a generating element g in G. (This is usually
done long before the rest of the protocol; g is assumed to be known by all attackers.) We will write the group G multiplicatively.

2. Alice picks a random natural number a and sends ga to Bob. 3. Bob picks a random natural number b and sends gb to Alice. 4. Alice computes (gb)a. 5. Bob computes (ga)b.
Both Alice and Bob are now in possession of the group element gab, which can serve as the shared secret key. The values of (gb)a and (ga)bare the same because groups are power associative. (See also exponentiation.) In order to decrypt a message m, sent as mgab, Bob (or Alice) must first compute (gab)-1, as follows: Bob knows |G|, b, and ga. A result from group theory establishes that from the construction of G, x|G| = 1 for all x in G. Bob then calculates (ga)|G|-b = ga(|G|-b) = ga|G|-ab = ga|G|g-ab = (g|G|)ag-ab=1ag-ab=g-ab=(gab)-1. When Alice sends Bob the encrypted message, mgab, Bob applies (gab)-1 and recovers mgab(gab)-1 = m(1) = m.

[edit]Chart Here is a chart to help simplify who knows what. (Eve is an eavesdroppershe watches what is sent between Alice and Bob, but she does not alter the contents of their communications.)

Let s = shared secret key. s = 2 Let g = public base. g = 5 Let p = public (prime) number. p = 23 Let a = Alice's private key. a = 6 Let A = Alice's public key. A = ga mod p = 8 Let b = Bob's private key. b = 15 Let B = Bob's public key. B = gb mod p = 19 Alice Bob Eve

knows

doesn 't know

knows

doesn 't know

knows

doesn 't know

p = 23

b=?

p = 23

a=?

p = 23

a=?

base g = 5

base g = 5

base g = 5

b=?

a=6

b = 15

s=?

A = 56 mod 23 = 8

B = 515 mod 23 = 19

A = 5a mod 23 = 8

B = 5b mod 23 = 19

A = 5a mod 23 = 8

B = 5b mod 23 = 19

s = 196 mod 23 = 2

s = 815 mod 23 = 2

s = 19a mod 23

s = 8b mod 23 = 2

s = 19a mod 23 = 2

s = 8b mod 23

s = 196 mod 23 = 8b mod 23

s = 815 mod 23 = 19a mod 23

s = 19a mod 23 = 8b mod 23

s=2

s=2

Note: It should be difficult for Alice to solve for Bob's private key or for Bob to solve for Alice's private key. If it is not difficult for Alice to solve for Bob's private key (or vice versa), Eve may simply substitute her own private / public key pair, plug Bob's public key into her private key, produce a fake shared secret key, and solve for Bob's private key (and use that to solve for the shared secret key. Eve may attempt to choose a public / private key pair that will make it easy for her to solve for Bob's private key). A demonstration of Diffie-Hellman (using numbers too small for practical use) is given here

Man-in-the-middle attack
From Wikipedia, the free encyclopedia

Not to be confused with Meet-in-the-middle attack. In cryptography and computer security, the man-in-the-middle attack (often abbreviated MITM)[1] is a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker. The attacker must be able to intercept all messages going between the two victims and inject new ones, which is straightforward in many circumstances (for example, an attacker within reception range of an unencrypted Wi-Fi wireless access point, can insert himself as a man-in-the-middle).[citation needed] A man-in-the-middle attack can succeed only when the attacker can impersonate each endpoint to the satisfaction of the otherit is an attack on mutual authentication. Most cryptographic protocols include some form of endpoint authentication specifically to prevent MITM attacks. For example, SSL authenticates the server using a mutually trusted certification authority.[citation needed]
Contents
[hide]

1 Need for additional transfer over a secure channel 2 Example of an attack 3 Defenses against the attack 4 Forensic analysis of MITM attacks

5 Quantum cryptography 6 Beyond cryptography 7 Implementations 8 See also 9 References 10 External links

[edit]Need

for additional transfer over a secure channel

With the exception of Interlock Protocol, all cryptographic systems that are secure against MITM attacks require an additional exchange or transmission of information over some kind of secure channel. Many key agreement methods have been developed, with different security requirements for the secure channel.[citation
needed]

[edit]Example

of an attack

Illustration of man-in-the-middle attack.

Suppose Alice wishes to communicate with Bob. Meanwhile, Mallory wishes to intercept the conversation to eavesdrop and possibly deliver a false message to Bob. First, Alice asks Bob for his public key. If Bob sends his public key to Alice, but Mallory is able to intercept it, a man-in-the-middle attack can begin. Mallory sends a forged message to Alice that claims to be from Bob, but instead includes Mallory's public key. Alice, believing this public key to be Bob's, encrypts her message with Mallory's key and sends the enciphered message back to Bob. Mallory again intercepts, deciphers the message using her private key, possibly alters it if she wants, and re-enciphers it using the public key Bob originally sent to Alice. When Bob receives the newly enciphered message, he believes it came from Alice.

1. Alice sends a message to Bob, which is intercepted by Mallory:

Alice "Hi Bob, it's Alice. Give me your key"-->

Mallory

Bob

2. Mallory relays this message to Bob; Bob cannot tell it is not really from Alice:

Alice

Mallory "Hi Bob, it's Alice. Give me your key"-->

Bob

3. Bob responds with his encryption key:

Alice

Mallory

<--[Bob's_key] Bob

4. Mallory replaces Bob's key with her own, and relays this to Alice, claiming that it is Bob's key:

Alice

<--[Mallory's_key] Mallory

Bob

5. Alice encrypts a message with what she believes to be Bob's key, thinking that only Bob can read it:

Alice "Meet me at the bus stop!"[encrypted with Mallory's key]--> Mallory Bob

6. However, because it was actually encrypted with Mallory's key, Mallory can decrypt it, read it, modify it (if desired), re-encrypt with Bob's key, and forward it to Bob:

Alice

Mallory "Meet me in the windowless van at 22nd Ave!"[encrypted Bob

with Bob's key]-->

7. Bob thinks that this message is a secure communication from Alice. This example shows the need for Alice and Bob to have some way to ensure that they are truly using each other's public keys, rather than the public key of an attacker. Otherwise, such attacks are generally possible, in principle, against any message sent using public-key technology. Fortunately, there are a variety of techniques that help defend against MITM attacks.

The MD5 Message-Digest Algorithm is a widely used cryptographic hash function that produces a 128bit (16-byte) hash value. Specified in RFC 1321, MD5 has been employed in a wide variety of security applications, and is also commonly used to check data integrity. MD5 was designed by Ron Rivest in 1991 to replace an earlier hash function, MD4. An MD5 hash is typically expressed as a 32digit hexadecimal number. However, it has since been shown that MD5 is not collision resistant;[3] as such, MD5 is not suitable for applications like SSL certificates or digital signatures that rely on this property. In 1996, a flaw was found with the design of MD5, and while it was not a clearly fatal weakness, cryptographers began recommending the use of other algorithms, such as SHA-1 - which has since been found also to be vulnerable. In 2004, more serious flaws were discovered in MD5, making further use of the algorithm for security purposes questionable - specifically, a group of researchers described how to create a pair of files that share the same MD5 checksum.[4][5]Further advances were made in breaking MD5 in 2005, 2006, and 2007.[6] In December 2008, a group of researchers used this technique to fake SSL certificate validity.[7][8], and US-CERT now says that MD5 "should be considered cryptographically broken and unsuitable for further use."[9]and most U.S. government applications now require the SHA-2 family of hash functions.[10]
Contents
[hide]

1 History and cryptanalysis 2 Security

2.1 Collision vulnerabilities

2.2 Preimage vulnerability

2.3 Other vulnerabilities

3 Applications 4 Algorithm

4.1 Pseudocode

5 MD5 hashes 6 See also 7 Notes 8 References

9 External links

[edit]History

and cryptanalysis

MD5 is one in a series of message digest algorithms designed by Professor Ronald Rivest of MIT (Rivest, 1994). When analytic work indicated that MD5's predecessor MD4 was likely to be insecure, MD5 was designed in 1991 to be a secure replacement. (Weaknesses were indeed later found in MD4 by Hans Dobbertin.) In 1993, Den Boer and Bosselaers gave an early, although limited, result of finding a "pseudo-collision" of the MD5 compression function; that is, two different initialization vectors which produce an identical digest. In 1996, Dobbertin announced a collision of the compression function of MD5 (Dobbertin, 1996). While this was not an attack on the full MD5 hash function, it was close enough for cryptographers to recommend switching to a replacement, such as SHA-1 or RIPEMD-160. The size of the hash128 bitsis small enough to contemplate a birthday attack. MD5CRK was a distributed project started in March 2004 with the aim of demonstrating that MD5 is practically insecure by finding a collision using a birthday attack. MD5CRK ended shortly after 17 August 2004, when collisions for the full MD5 were announced by Xiaoyun Wang, Dengguo Feng, Xuejia Lai, and Hongbo Yu.[4][5][11] Their analytical attack was reported to take only one hour on an IBM p690 cluster. On 1 March 2005, Arjen Lenstra, Xiaoyun Wang, and Benne de Weger demonstrated[12] construction of two X.509 certificates with different public keys and the same MD5 hash, a demonstrably practical collision. The construction included private keys for both public keys. A few days later, Vlastimil Klima described[13] an improved algorithm, able to construct MD5 collisions in a few hours on a single notebook computer. On 18 March 2006, Klima published an algorithm[14] that can find a collision within one minute on a single notebook computer, using a method he calls tunneling. In 2009, the United States Cyber Command used an MD5 hash of their mission statement as a part of their official emblem.[15] On December 24, 2010, Tao Xie and Dengguo Feng announced the first published single-block MD5 collision (two 64-byte messages with the same MD5 hash given in Little endian notation).[16] Previous collision discoveries relied on multi-block attacks. For "security reasons", Xie and Feng did not disclose the new attack method. They have issued a challenge to the cryptographic community, offering a US$ 10,000 reward to the first finder of a different 64-byte collision before January 1, 2013. In 2011 an informational RFC was approved to update the security considerations in RFC 1321 (MD5) and RFC 2104 (HMAC-MD5). [17] [edit]Security The security of the MD5 hash function is severely compromised. A collision attack exists that can find collisions within seconds on a computer with a 2.6Ghz Pentium4 processor (complexity of 224.1). [18] Further, there is also a chosen-prefix collision attack that can produce a collision for two chosen arbitrarily different inputs within hours, using off-the-shelf computing hardware (complexity 239).[19] The

ability to find collisions has been greatly aided by the use of off-the-shelf GPUs. On an NVIDIA GeForce 8400GS graphics processor, 16-18 million hashes per second can be computed. An NVIDIA GeForce 8800 Ultra can calculate more than 200 million hashes per second.[20] These hash and collision attacks have been demonstrated in the public in various situations, including colliding document files[21][22] anddigital certificates.[7] [edit]Collision

vulnerabilities

Further information: Collision attack In 1996, collisions were found in the compression function of MD5, and Hans Dobbertin wrote in the RSA Laboratories technical newsletter, "The presented attack does not yet threaten practical applications of MD5, but it comes rather close ... in the future MD5 should no longer be implemented...where a collisionresistant hash function is required."[23] In 2005, researchers were able to create pairs of PostScript documents[24] and X.509 certificates[25] with the same hash. Later that year, MD5's designer Ron Rivest wrote, "md5 and sha1 are both clearly broken (in terms of collision-resistance)."[26] On 30 December 2008, a group of researchers announced at the 25th Chaos Communication Congress how they had used MD5 collisions to create an intermediate certificate authority certificate which appeared to be legitimate when checked via its MD5 hash.[7] The researchers used a cluster of Sony Playstation 3s at the EPFL in Lausanne, Switzerland[27] to change a normal SSL certificate issued by RapidSSL into a working CA certificate for that issuer, which could then be used to create other certificates that would appear to be legitimate and issued by RapidSSL. VeriSign, the issuers of RapidSSL certificates, said they stopped issuing new certificates using MD5 as their checksum algorithm for RapidSSL once the vulnerability was announced.[28] Although Verisign declined to revoke existing certificates signed using MD5, their response was considered adequate by the authors of the exploit (Alexander Sotirov, Marc Stevens, Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik, and Benne de Weger).[7] Bruce Schneier wrote of the attack that "[w]e already knew that MD5 is a broken hash function" and that "no one should be using MD5 anymore."[29] The SSL researchers wrote, "Our desired impact is that Certification Authorities will stop using MD5 in issuing new certificates. We also hope that use of MD5 in other applications will be reconsidered as well."[7] MD5 uses the MerkleDamgrd construction, so if two prefixes with the same hash can be constructed, a common suffix can be added to both to make the collision more likely to be accepted as valid data by the application using it. Furthermore, current collision-finding techniques allow to specify an arbitrary prefix: an attacker can create two colliding files that both begin with the same content. All the attacker needs to generate two colliding files is a template file with a 128-byte block of data, aligned on a 64-byte boundary that can be changed freely by the collision-finding algorithm. An example MD5 collision, with the two messages differing in 6 bits, is: d131dd02c5e6eec4 693d9a0698aff95c 2fcab58712467eab 4004583eb8fb7f89 55ad340609f4b302 83e488832571415a 085125e8f7cdc99f d91dbdf280373c5b d8823e3156348f5b ae6dacd436c919c6 dd53e2b487da03fd 02396306d248cda0 e99f33420f577ee8 ce54b67080a80d1e c69821bcb6a88393 96f9652b6ff72a70

d131dd02c5e6eec4 693d9a0698aff95c 2fcab50712467eab 4004583eb8fb7f89 55ad340609f4b302 83e4888325f1415a 085125e8f7cdc99f d91dbd7280373c5b d8823e3156348f5b ae6dacd436c919c6 dd53e23487da03fd 02396306d248cda0 e99f33420f577ee8 ce54b67080280d1e c69821bcb6a88393 96f965ab6ff72a70 Both produce the MD5 hash 79054025255fb1a26e4bc422aef54eb4.[30] [edit]Preimage

vulnerability

In April 2009, a preimage attack against MD5 was published that breaks MD5's preimage resistance. This attack is only theoretical, with a computational complexity of 2123.4 for full preimage.[31][32] [edit]Other

vulnerabilities

Main article: rainbow table A number of projects have published MD5 rainbow tables online, that can be used to reverse many MD5 hashes into strings that collide with the original input, usually for the purposes of password cracking. The use of MD5 in some websites' URLs means that search engines such as Google can also sometimes function as a limited tool for reverse lookup of MD5 hashes.[33] Both these techniques are rendered ineffective by the use of a sufficiently long salt. [edit]Applications MD5 digests have been widely used in the software world to provide some assurance that a transferred file has arrived intact. For example, file servers often provide a pre-computed MD5 (known as Md5sum) checksum for the files, so that a user can compare the checksum of the downloaded file to it. Unix-based operating systems include MD5 sum utilities in their distribution packages, whereas Windows users use third-party applications. However, now that it is easy to generate MD5 collisions, it is possible for the person who created the file to create a second file with the same checksum, so this technique cannot protect against some forms of malicious tampering. Also, in some cases the checksum cannot be trusted (for example, if it was obtained over the same channel as the downloaded file), in which case MD5 can only provide error-checking functionality: it will recognize a corrupt or incomplete download, which becomes more likely when downloading larger files. MD5 was widely used to store passwords.[34][35] Sound uses of MD5 include UUID (also known as GUID) version 3 specified in RFC 4122,CRAM specified in RFC 2195, and the IETF NomCom lottery specified in RFC 3797. MD5 and other hash functions are also used in the field of electronic discovery, in order to provide a unique identifier for each document that is exchanged during the legal discovery process. This method can be used to replace the Bates stamp numbering system that has been used for decades during the exchange of paper documents.

[edit]Algorithm

Figure 1. One MD5 operation. MD5 consists of 64 of these operations, grouped in four rounds of 16 operations. F is a nonlinear function; one function is used in each round. Midenotes a 32-bit block of the message input, and Ki denotes a 32bit constant, different for each operation. addition modulo 2 .
32 s

denotes a left bit rotation by s places; s varies for each operation.

denotes

MD5 processes a variable-length message into a fixed-length output of 128 bits. The input message is broken up into chunks of 512-bit blocks (sixteen 32-bit little endianintegers); the message is padded so that its length is divisible by 512. The padding works as follows: first a single bit, 1, is appended to the end of the message. This is followed by as many zeros as are required to bring the length of the message up to 64 bits fewer than a multiple of 512. The remaining bits are filled up with a 64-bit little endian integer representing the length of the original message, in bits. The main MD5 algorithm operates on a 128-bit state, divided into four 32-bit words, denoted A, B, C and D. These are initialized to certain fixed constants. The main algorithm then operates on each 512-bit message block in turn, each block modifying the state. The processing of a message block consists of four similar stages, termed rounds; each round is composed of 16 similar operations based on a non-linear function F, modular addition, and left rotation. Figure 1 illustrates one operation within a round. There are four possible functions F; a different one is used in each round:

denote the XOR, AND, OR and NOT operations respectively.

he Data Encryption Standard (DES, /diis/ or /dz/) is a block cipher that uses shared secret encryption. It was selected by the National Bureau of Standardsas an official Federal Information Processing Standard (FIPS) for the United Statesin 1976 and which has subsequently enjoyed widespread use internationally. It is based on a symmetric-key algorithm that uses a 56-bit key. The algorithm was initially controversial because of classified design elements, a relatively short key length, and suspicions about a National Security Agency (NSA) backdoor. DES consequently came under intense academic scrutiny which motivated the modern understanding of block ciphers and their cryptanalysis. DES is now considered to be insecure for many applications. This is chiefly due to the 56-bit key size being too small; in January, 1999, distributed.net and theElectronic Frontier Foundation collaborated to publicly break a DES key in 22 hours and 15 minutes (see chronology). There are also some analytical results which demonstrate theoretical weaknesses in the cipher, although they are infeasible to mount in practice. The algorithm is believed to be practically secure in the form ofTriple DES, although there are theoretical attacks. In recent years, the cipher has been superseded by the Advanced Encryption Standard (AES). Furthermore, DES has been withdrawn as a standard by the National Institute of Standards and Technology (formerly the National Bureau of Standards). In some documentation, a distinction is made between DES as a standard and DES the algorithm which is referred to as the DEA (the Data Encryption Algorithm).
Contents
[hide]

1 History of DES

1.1 NSA's involvement in the design

1.2 The algorithm as a standard

1.3 Chronology

2 Replacement algorithms

3 Description

3.1 Overall structure 3.2 The Feistel (F) function

3.3 Key schedule

4 Security and cryptanalysis

4.1 Brute force attack 4.2 Attacks faster than brute-force

4.3 Minor cryptanalytic properties

5 See also 6 Notes 7 References 8 External links

[edit]History

of DES

The origins of DES go back to the early 1970s. In 1972, after concluding a study on the US government's computer security needs, the US standards body NBS (National Bureau of Standards) now named NIST (National Institute of Standards and Technology) identified a need for a governmentwide standard for encrypting unclassified, sensitive information.[1] Accordingly, on 15 May 1973, after consulting with the NSA, NBS solicited proposals for a cipher that would meet rigorous design criteria. None of the submissions, however, turned out to be suitable. A second request was issued on 27 August 1974. This time, IBM submitted a candidate which was deemed acceptable a cipher developed during the period 19731974 based on an earlier algorithm, Horst Feistel's Lucifer cipher. The team at IBM involved in cipher design and analysis included Feistel, Walter Tuchman, Don Coppersmith, Alan Konheim, Carl Meyer, Mike Matyas, Roy Adler, Edna Grossman, Bill Notz, Lynn Smith, and Bryant Tuckerman. [edit]NSA's

involvement in the design

On 17 March 1975, the proposed DES was published in the Federal Register. Public comments were requested, and in the following year two open workshops were held to discuss the proposed standard. There was some criticism from various parties, including from public-key cryptography pioneers Martin Hellman and Whitfield Diffie, citing a shortened key length and the mysterious "S-boxes" as evidence of improper interference from the NSA. The suspicion was that the algorithm had been covertly weakened by the intelligence agency so that they but no-one else could easily read encrypted messages. [2] Alan Konheim (one of the designers of DES) commented, "We sent the S-boxes off to Washington.

They came back and were all different."[3] The United States Senate Select Committee on Intelligence reviewed the NSA's actions to determine whether there had been any improper involvement. In the unclassified summary of their findings, published in 1978, the Committee wrote: In the development of DES, NSA convinced IBM that a reduced key size was sufficient; indirectly assisted in the development of the S-box structures; and certified that the final DES algorithm was, to the best of their knowledge, free from any statistical or mathematical weakness.[4] However, it also found that NSA did not tamper with the design of the algorithm in any way. IBM invented and designed the algorithm, made all pertinent decisions regarding it, and concurred that the agreed upon key size was more than adequate for all commercial applications for which the DES was intended.[5] Another member of the DES team, Walter Tuchman, stated "We developed the DES algorithm entirely within IBM using IBMers. The NSA did not dictate a single wire!"[6] In contrast, a declassified NSA book on cryptologic history states: In 1973 NBS solicited private industry for a data encryption standard (DES). The first offerings were disappointing, so NSA began working on its own algorithm. Then Howard Rosenblum, deputy director for research and engineering, discovered that Walter Tuchman of IBM was working on a modification to Lucifer for general use. NSA gave Tuchman a clearance and brought him in to work jointly with the Agency on his Lucifer modification."[7] and NSA worked closely with IBM to strengthen the algorithm against all except brute force attacks and to strengthen substitution tables, called S-boxes. Conversely, NSA tried to convince IBM to reduce the length of the key from 64 to 48 bits. Ultimately they compromised on a 56-bit key.[8] Some of the suspicions about hidden weaknesses in the S-boxes were allayed in 1990, with the independent discovery and open publication by Eli Biham and Adi Shamir of differential cryptanalysis, a general method for breaking block ciphers. The S-boxes of DES were much more resistant to the attack than if they had been chosen at random, strongly suggesting that IBM knew about the technique in the 1970s. This was indeed the case; in 1994, Don Coppersmith published some of the original design criteria for the S-boxes.[9] According to Steven Levy, IBM Watson researchers discovered differential cryptanalytic attacks in 1974 and were asked by the NSA to keep the technique secret.[10]Coppersmith explains IBM's secrecy decision by saying, "that was because [differential cryptanalysis] can be a very powerful tool, used against many schemes, and there was concern that such information in the public domain could adversely affect national security." Levy quotes Walter Tuchman: "[t]hey asked us to stamp all our documents confidential... We actually put a number on each one and locked them up in safes, because they were considered U.S. government classified. They said do it. So I did it".[10] Bruce Schneier observed that "It took the academic community two decades to figure out that the NSA 'tweaks' actually improved the security of DES."[11] [edit]The

algorithm as a standard

Despite the criticisms, DES was approved as a federal standard in November 1976, and published on 15 January 1977 as FIPS PUB 46, authorized for use on all unclassified data. It was subsequently reaffirmed as the standard in 1983, 1988 (revised as FIPS-46-1), 1993 (FIPS-46-2), and again in 1999 (FIPS-46-3),

the latter prescribing "Triple DES" (see below). On 26 May 2002, DES was finally superseded by the Advanced Encryption Standard (AES), following a public competition. On 19 May 2005, FIPS 46-3 was officially withdrawn, but NIST has approved Triple DES through the year 2030 for sensitive government information.[12] The algorithm is also specified in ANSI X3.92,[13] NIST SP 800-67[12] and ISO/IEC 18033-3[14] (as a component of TDEA). Another theoretical attack, linear cryptanalysis, was published in 1994, but it was a brute force attack in 1998 that demonstrated that DES could be attacked very practically, and highlighted the need for a replacement algorithm. These and other methods of cryptanalysis are discussed in more detail later in this article. The introduction of DES is considered to have been a catalyst for the academic study of cryptography, particularly of methods to crack block ciphers. According to a NIST retrospective about DES, The DES can be said to have "jump started" the nonmilitary study and development of encryption algorithms. In the 1970s there were very few cryptographers, except for those in military or intelligence organizations, and little academic study of cryptography. There are now many active academic cryptologists, mathematics departments with strong programs in cryptography, and commercial information security companies and consultants. A generation of cryptanalysts has cut its teeth analyzing (that is trying to "crack") the DES algorithm. In the words of cryptographer Bruce Schneier,[15] "DES did more to galvanize the field of cryptanalysis than anything else. Now there was an algorithm to study." An astonishing share of the open literature in cryptography in the 1970s and 1980s dealt with the DES, and the DES is the standard against which every symmetric key algorithm since has been compared

Vigenre cipher
From Wikipedia, the free encyclopedia

The Vigenre cipher is named for Blaise de Vigenre (pictured), although Giovan Battista Bellaso had invented the cipher earlier. Vigenre did invent a strongerautokey cipher.

A reproduction of the Confederacy's cipher disk on display at the National Cryptologic Museum

The Vigenre cipher is a method of encrypting alphabetic text by using a series of differentCaesar ciphers based on the letters of a keyword. It is a simple form of polyalphabetic substitution. The Vigenre (French pronunciation: [vin]) cipher has been reinvented many times. The method was originally described by Giovan Battista Bellaso in his 1553 book La cifra del. Sig. Giovan Battista Bellaso; however, the scheme was later misattributed to Blaise de Vigenre in the 19th century, and is now widely known as the "Vigenre cipher". This cipher is well known because while it is easy to understand and implement, it often appears to beginners to be unbreakable; this earned it the description le chiffre indchiffrable (French for 'the indecipherable

cipher'). Consequently, many people have tried to implement encryption schemes that are essentially Vigenre ciphers, only to have them broken.[1]
Contents
[hide]

1 History 2 Description 3 Algebraic description 4 Cryptanalysis

4.1 Kasisk i examinati on

4.2 Fried man test

4.3 Frequ ency analysis

4.4 Key eliminatio n

5 Variants 6 See also 7 References 8 Sources 9 External links

9.1 Article s

9.2 Progra mming

[edit]History
The first well documented description of a polyalphabetic cipher was formulated by Leon Battista Alberti around 1467 and used a metal cipher disc to switch between cipher alphabets. Alberti's system only switched alphabets after several words, and switches were indicated by writing the letter of the corresponding alphabet in the ciphertext. Later, in 1508, Johannes Trithemius, in his work Poligraphia, invented the tabula recta, a critical component of the Vigenre cipher. The Trithemius cipher, however, only provided a progressive, rigid and predictable system for switching between cipher alphabets. What is now known as the Vigenre cipher was originally described by Giovan Battista Bellaso in his 1553 book La cifra del. Sig. Giovan Battista Bellaso. He built upon the tabula recta of Trithemius, but added a repeating "countersign" (a key) to switch cipher alphabets every letter. Whereas Alberti and Trithemius used a fixed pattern of substitutions, Bellaso's scheme meant the pattern of substitutions could be easy changed simply by selecting a new key. Keys were typically single words or short phrases, known to both parties in advance, or transmitted "out of band" along with the message. Bellaso's method thus required strong security for only the key. As it is relatively easy to secure a short key phrase, say by a previous private conversation, Bellaso's system was considerably more secure. Blaise de Vigenre published his description of a similar but stronger autokey cipher before the court of Henry III of France, in 1586. Later, in the 19th century, the invention of Bellaso's cipher was misattributed to Vigenre. David Kahn in his book The Codebreakers lamented the misattribution by saying that history had "ignored this important contribution and instead named a regressive and elementary cipher for him [Vigenre] though he had nothing to do with it".[2] The Vigenre cipher gained a reputation for being exceptionally strong. Noted author and mathematician Charles Lutwidge Dodgson (Lewis Carroll) called the Vigenre cipher unbreakable in his 1868 piece "The Alphabet Cipher" in a children's magazine. In 1917, Scientific American described the Vigenre cipher as "impossible of translation".[3] This reputation was not deserved. Charles Babbage was known to have broken a variant of the cipher as early as 1854; however, he didn't publish his work.[4] Kasiski entirely broke the cipher and published the technique in the 19th century. Even before this, though, some skilled cryptanalysts could occasionally break the cipher in the 16th century.[2]

Cryptographic slide rule used as a calculation aid by the Swiss Army between 1914 and 1940.

The Vigenre cipher is simple enough to be a field cipher if it is used in conjunction with cipher disks.
[5]

The Confederate States of America, for example, used a brass cipher disk to implement the Vigenre cipher

during the American Civil War. The Confederacy's messages were far from secret and the Union regularly cracked their messages. Throughout the war, the Confederate leadership primarily relied upon three key phrases, "Manchester Bluff", "Complete Victory" and, as the war came to a close, "Come Retribution".[6] Gilbert Vernam tried to repair the broken cipher (creating the Vernam-Vigenre cipher in 1918), but, no matter what he did, the cipher was still vulnerable to cryptanalysis. Vernam's work, however, eventually led to the onetime pad, a provably unbreakable cipher.

[edit]Description

The Vigenre square or Vigenre table, also known as the tabula recta, can be used for encryption and decryption.

In a Caesar cipher, each letter of the alphabet is shifted along some number of places; for example, in a Caesar cipher of shift 3, A would become D, B would become E, Ywould become B and so on. The Vigenre cipher consists of several Caesar ciphers in sequence with different shift values. To encrypt, a table of alphabets can be used, termed a tabula recta, Vigenre square, or Vigenre table. It consists of the alphabet written out 26 times in different rows, each alphabet shifted cyclically to the left

compared to the previous alphabet, corresponding to the 26 possible Caesar ciphers. At different points in the encryption process, the cipher uses a different alphabet from one of the rows. The alphabet used at each point depends on a repeating keyword. For example, suppose that the plaintext to be encrypted is:

attackatdawn
The person sending the message chooses a keyword and repeats it until it matches the length of the plaintext, for example, the keyword "LEMON":

LEMONLEMONLE
Each row starts with a key letter. The remainder of the row holds the letters A to Z (in shifted order). Although there are 26 key rows shown, you will only use as many keys (different alphabets) as there are unique letters in the key string, here just 5 keys, {L, E, M, O, N}. For successive letters of the message, we are going to take successive letters of the key string, and encipher each message letter using its corresponding key row. Choose the next letter of the key, go along that row to find the column heading that matches the message character; the letter at the intersection of [key-row, msgcol] is the enciphered letter. For example, the first letter of the plaintext, A, is paired with L, the first letter of the key. So use row L and column A of the Vigenre square, namely L. Similarly, for the second letter of the plaintext, the second letter of the key is used; the letter at row E and column T is X. The rest of the plaintext is enciphered in a similar fashion:

Plaintext: attackatdawn Key: LEMONLEMONLE

Cipherte LXFOPVEFRNHR xt:

Decryption is performed by going to the row in the table corresponding to the key, finding the position of the ciphertext letter in this row, and then using the column's label as the plaintext. For example, in row L (from LEMON), the ciphertext L appears in column A, which is the first plaintext letter. Next we go to row E (from LEMON), locate the ciphertext X which is found in column T, thus T is the second plaintext letter.

[edit]Algebraic

description

Vigenre can also be viewed algebraically. If the letters AZ are taken to be the numbers 025, and addition is performed modulo 26, then Vigenre encryption E using the key K can be written,

and decryption D using the key K, , whereas and is the message, is the used key. with key letter the calculation is the ciphertext

Thus using the previous example, to encrypt would result in .

Therefore to decrypt in .

with key letter

the calculation would result

[edit]Cryptanalysis

The Vigenre cipher masks the characteristic letter frequencies of English plaintexts, but some patterns remain.

The idea behind the Vigenre cipher, like all polyalphabetic ciphers, is to disguise plaintext letter frequencies, which interferes with a straightforward application of frequency analysis. For instance, if P is the most frequent letter in a ciphertext whose plaintext is in English, one might suspect that P corresponds to E, because E is the most frequently used letter in English. However, using the Vigenre cipher, E can be enciphered as different ciphertext letters at different points in the message, thus defeating simple frequency analysis. The primary weakness of the Vigenre cipher is the repeating nature of its key. If a cryptanalyst correctly guesses the key's length, then the cipher text can be treated as interwoven Caesar ciphers, which individually are easily broken. The Kasiski and Friedman tests can help determine the key length.

[edit]Kasiski

examination

For more details on this topic, see Kasiski examination. In 1863 Friedrich Kasiski was the first to publish a successful general attack on the Vigenre cipher. Earlier attacks relied on knowledge of the plaintext, or use of a recognizable word as a key. Kasiski's method had no such dependencies. Kasiski was the first to publish an account of the attack, but it's clear that there were others who were aware of it. In 1854, Charles Babbage was goaded into breaking the Vigenre cipher when John Hall Brock Thwaites submitted a "new" cipher to the Journal of the Society of the Arts. When Babbage showed that Thwaites' cipher was essentially just another recreation of the Vigenre cipher, Thwaites challenged Babbage to break his cipher encoded twice, with keys of different length. Babbage succeeded in decrypting a sample, which turned out to be the poem "The Vision of Sin", by Alfred Tennyson, encrypted according to the keyword "Emily", the first name of Tennyson's wife. Babbage never explained the method he used. Studies of Babbage's notes reveal that he had used the method later published by Kasiski, and suggest that he had been using the method as early as 1846.[7] The Kasiski examination, also called the Kasiski test, takes advantage of the fact that repeated words may, by chance, sometimes be encrypted using the same key letters, leading to repeated groups in the ciphertext. For example, Consider the following encryption using the keyword ABCD:

Key: Plaintext:

ABCDABCDABCDABCDABCDABCDABCD CRYPTOISSHORTFORCRYPTOGRAPHY

Ciphertext: CSASTPKVSIQUTGQUCSASTPIUAQJB
There is an easily seen repetition in the ciphertext, and the Kasiski test will be effective. Here the distance between the repetitions ofCSASTP is 16. Assuming that the repeated segments represent the same plaintext segments, this implies that the key is 16, 8, 4, 2, or 1 characters long. (All factors of the distance are possible key lengths a key of length one is just a simple shift cipher, where cryptanalysis is much easier.) Since key lengths 2 and 1 are unrealistically short, one only needs to try lengths 16, 8, or 4. Longer messages make the test more accurate because they usually contain more repeated ciphertext segments. The following ciphertext has two segments that are repeated:

Ciphertext: VHVSSPQUCEMRVBVBBBVHVSURQGIBDUGRNICJQUCERVUAXSSR
The distance between the repetitions of VHVS is 18. Assuming that the repeated segments represent the same plaintext segments, this implies that the key is 18, 9, 6, 3, 2, or 1 characters long. The distance between the repetitions of QUCE is 30 characters. This means that the key length could be 30, 15, 10, 6, 5, 3, 2, or 1 characters long. By taking the intersection of these sets one could safely conclude that the most likely key length is 6, since 3, 2, and 1 are unrealistically short.

[edit]Friedman

test

The Friedman test (sometimes known as the kappa test) was invented during the 1920s by William F. Friedman. Friedman used the index of coincidence, which measures the unevenness of the cipher letter frequencies to break the cipher. By knowing the probability p that any two randomly chosen sourcelanguage letters are the same (around 0.067 for monocase English) and the probability of a coincidence for a uniform random selection from the alphabet r (1/26 = 0.0385 for English), the key length can be estimated as:

from the observed coincidence rate

where c is the size of the alphabet (26 for English), N is the length of the text, and n1 through nc are the observed ciphertext letter frequencies, as integers. This is, however, only an approximation whose accuracy increases with the size of the text. It would in practice be necessary to try various key lengths close to the estimate.[8] A better approach for repeating-key ciphers is to copy the ciphertext into rows of a matrix having as many columns as an assumed key length, then compute the average index of coincidence with each column considered separately; when this is done for each possible key length, the highest average I.C. then corresponds to the most likely key length.[9] Such tests may be supplemented by information from the Kasiski examination.

[edit]Frequency

analysis

Once the length of the key is known, the ciphertext can be rewritten into that many columns, with each column corresponding to a single letter of the key. Each column consists of plaintext that has been encrypted by a single Caesar cipher; the Caesar key (shift) is just the letter of the Vigenre key that was used for that column. Using methods similar to those used to break the Caesar cipher, the letters in the ciphertext can be discovered. An improvement to the Kasiski examination, known as Kerckhoffs' method, matches each column's letter frequencies to shifted plaintext frequencies to discover the key letter (Caesar shift) for that column. Once every letter in the key is known, the cryptanalyst can simply decrypt the ciphertext and reveal the plaintext.[10] Kerckhoffs' method is not applicable when the Vigenre table has been scrambled, rather than using normal alphabetic sequences, although Kasiski

examination and coincidence tests can still be used to determine key length in that case.

[edit]Key

elimination

The Vigenre cipher function is essentially modulo arithmetic, and thus commutative. So if the key length is known (or guessed) then subtracting the cipher text from itself, offset by the key length will produce the cipher text encrypted with itself. If any words in the cipher text are known or can be guessed, then the plain text and also the key, will be revealed. This is useful if the key is an obscure sequence of letters because the plain text will generally be ordinary words. Key elimination is useful for making short versions of the plain text.

[edit]Variants
The running key variant of the Vigenre cipher was also considered unbreakable at one time. This version uses as the key a block of text as long as the plaintext. Since the key is as long as the message the Friedman and Kasiski tests no longer work (the key is not repeated). In 1920, Friedman was the first to discover this variant's weaknesses. The problem with the running key Vigenre cipher is that the cryptanalyst has statistical information about the key (assuming that the block of text is in a known language) and that information will be reflected in the ciphertext. If using a key which is truly random, is at least as long as the encrypted message and is used only once, the Vigenre cipher is theoretically unbreakable. However, in this case it is the key, not the cipher, which provides cryptographic strength and such systems are properly referred to collectively as one-time pad systems, irrespective of which ciphers are employed. Vigenre actually invented a stronger cipher: an autokey cipher. The name "Vigenre cipher" became associated with a simpler polyalphabetic cipher instead. In fact, the two ciphers were often confused, and both were sometimes called "le chiffre indchiffrable". Babbage actually broke the much stronger autokey cipher, while

Kasiski is generally credited with the first published solution to the fixed-key polyalphabetic ciphers. A simple variant is to encrypt using the Vigenre decryption method, and decrypt using Vigenre encryption. This method is sometimes referred to as "Variant Beaufort". This is different from the Beaufort cipher, created by Sir Francis Beaufort, which nonetheless is similar to Vigenre but uses a slightly modified enciphering mechanism and tableau. The Beaufort cipher is a reciprocal cipher. Despite the Vigenre cipher's apparent strength it never became widely used throughout Europe. The Gronsfeld cipher is a variant created by Count Gronsfeld which is identical to the Vigenre cipher, except that it uses just 10 different cipher alphabets (corresponding to the digits 0 to 9). The Gronsfeld cipher is strengthened because its key is not a word, but it is weakened because it has just 10 cipher alphabets. Gronsfeld's cipher did become widely used throughout Germany and Europe, despite its weaknesses.