Information security: principles and practice / Mark Stamp. — 2nd ed. Includes bibliographical references and index.


Modern symmetric ciphers can be subdivided into stream ciphers and block ciphers. A block cipher is, in a sense, the generalization of a codebook: for a fixed key, the cipher behaves as a fixed codebook, and when the key changes, a different codebook is selected.

While stream ciphers dominated in the post-World War II era, today block ciphers are the kings of symmetric key crypto—with a few notable exceptions. For example, if the input changes in one or more bits, the output should change in about half of its bits. By Kerckhoffs' Principle, we assume that Trudy the cryptanalyst has complete knowledge of the inner workings of the algorithm. Another basic assumption is that Trudy has access to the ciphertext—otherwise, why bother to encrypt?

If Trudy only knows the algorithms and the ciphertext, then she must conduct a ciphertext-only attack. A more favorable situation for Trudy is a known plaintext attack: Trudy might know some of the plaintext and observe the corresponding ciphertext. These matched plaintext-ciphertext pairs might provide information about the key. If all of the plaintext were known, there would be little point in recovering the key.

For example, many kinds of data include stereotypical headers—e-mail being a good example. If such data is encrypted, the attacker can likely guess some of the plaintext and view the corresponding ciphertext. Often, Trudy can actually choose the plaintext to be encrypted and see the corresponding ciphertext. Not surprisingly, this goes by the name of chosen plaintext attack. How is it possible for Trudy to choose the plaintext? For example, Alice might forget to log out of her computer when she takes her lunch break.

Trudy could then encrypt some selected messages before Alice returns. Potentially more advantageous for the attacker is an adaptively chosen plaintext attack. In this scenario, Trudy chooses the plaintext, views the resulting ciphertext, and chooses the next plaintext based on the observed ciphertext.

In a related key attack, the idea is to look for a weakness in the system when the keys are related in some special way. There are other types of attacks that cryptographers occasionally worry about— mostly when they feel the need to publish another academic paper. In any case, a cipher can only be considered secure if no successful attack is known. Finally, there is one particular attack scenario that only applies to public key cryptography.

Since the encryption key is public, Trudy can encrypt each candidate plaintext herself; if one of the results matches the ciphertext, then the message has been broken. This is known as a forward search. The forward search attack implies that in public key crypto, we must also ensure that the size of the plaintext message space is large enough that the attacker cannot simply encrypt all possible plaintext messages. We also discussed some elementary aspects of cryptanalysis. The following chapters cover public key cryptography, hash functions, and cryptanalysis. Cryptography will appear again in later parts of the book.

In particular, cryptography is a crucial ingredient in the chapters on security protocols. Give your answer in years. How does the Vigenere cipher work?

Give an example. Use your knowledge of the statistical attack on the simple substitution cipher to devise an attack on the Vigenere cipher.

Note that the same permutation was used for all three sentences. The weak ciphers of the election of used a partial codebook and a permutation of the words. Design a more secure version of this cipher. Discuss a classic cipher that employs only confusion and also discuss a classic cipher that employs only diffusion. Which cipher discussed in this chapter employs both confusion and diffusion? Decrypt the simple substitution example in ciphertext 2.

Decrypt the ciphertext that appears in the Alice in Wonderland quote at the beginning of the chapter. Decrypt the following message that was encrypted using a simple substitution cipher: Write a program to help an analyst decrypt a simple substitution cipher. Your program should take the ciphertext as input, compute letter frequency counts, and display these for the analyst. Extend the program developed in Problem 11 so that it initially tries to decrypt the message.

Here is one sensible way to proceed. Use the computed letter frequencies and the known frequencies of English for an initial guess at the key. Iterate this process until the score does not improve for an entire pass through the alphabet.

At this point you will pass your putative decryption to the analyst. In order to aid the analyst in the manual phase, your program should maintain all of the functionality of the program for Problem 11. This message was encrypted with a double transposition using a matrix of 7 rows and 10 columns.
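The analyst helper that Problem 11 describes, written here as an added example rather than the book's own code: it computes the letter frequency counts of a ciphertext, builds the initial key guess by matching the ciphertext letters, in frequency order, to the standard English frequency order (assumed here as ETAOINSHRDLCUMWFGYPBVKJXQZ), and applies a putative key so the analyst can inspect the result.

```python
# Added example (not the book's code): frequency counts and an initial key
# guess for a simple substitution cipher, as described in Problems 11 and 12.
from collections import Counter
import string

# English letters from most to least frequent (assumed standard ordering).
ENGLISH_BY_FREQUENCY = "ETAOINSHRDLCUMWFGYPBVKJXQZ"


def letter_frequencies(ciphertext):
    """Return {letter: count} over A..Z; any other character is ignored."""
    counts = Counter(c for c in ciphertext.upper() if c in string.ascii_uppercase)
    return {letter: counts.get(letter, 0) for letter in string.ascii_uppercase}


def initial_key_guess(ciphertext):
    """Map the most frequent ciphertext letter to E, the next to T, and so on.
    Ties are broken alphabetically so that the guess is deterministic."""
    freqs = letter_frequencies(ciphertext)
    ranked = sorted(string.ascii_uppercase, key=lambda c: (-freqs[c], c))
    return dict(zip(ranked, ENGLISH_BY_FREQUENCY))


def apply_key(ciphertext, key):
    """Decrypt with a ciphertext-letter -> plaintext-letter map; spaces and
    punctuation pass through unchanged so the analyst sees word boundaries."""
    return "".join(key.get(c, c) for c in ciphertext.upper())


def frequency_report(ciphertext):
    """The table the analyst sees: letters sorted by count, most frequent first."""
    freqs = letter_frequencies(ciphertext)
    return sorted(freqs.items(), key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    # Constructed sample ciphertext for a quick look at the output.
    sample = "XYXXZ XQX"
    for letter, count in frequency_report(sample)[:5]:
        print(letter, count)
    print(apply_key(sample, initial_key_guess(sample)))
```

The rank-based guess is only a starting point; the iterative swap-and-score loop the problem asks for needs a better fitness measure than single-letter ranks (for instance digram statistics), since by construction the initial guess already matches the single-letter ranking exactly.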

Using the letter encodings in Table 2. Find possible plaintexts for each message and the corresponding one-time pad. Suppose that you have a message consisting of bits. Design a method that will extend a key that is 64 bits long into a string of bits.

Then these bits will be XORed with the message, just like a one-time pad. Is the resulting cipher as secure as a one-time pad? Is it possible for any such cipher to be as secure as a one-time pad? Design a computerized version of a codebook cipher.

Your cipher should include many possible codebooks, with the key used to determine the codebook that will be employed to encrypt or decrypt a particular message. In the text, we described how a forward search attack can work against a public key cryptosystem.

You condense it with locusts and tape: Still keeping one principal object in view— To preserve its symmetrical shape.

Stream ciphers are like a one-time pad, except that we trade provable security for a relatively small and manageable key.

Block ciphers are based on the concept of a codebook, where the key determines the codebook. Internally, block ciphers employ both confusion and diffusion. Our goal in this section is to introduce symmetric key ciphers and gain some understanding of their inner workings and their uses. The use of the keystream is identical to the use of the key in a one-time pad cipher. To decrypt with a stream cipher, the same keystream is generated and XORed with the ciphertext.

Provided that both the sender and receiver have the same stream cipher algorithm and that both know the key K, this system is a practical generalization of the one-time pad—although not provably secure in the sense of the one-time pad. This algorithm has an algebraic description, but it also can be illustrated via a relatively simple picture. Register X holds 19 bits, which we label x0, x1, …, x18.

The register Y holds 22 bits y0, y1, …, y21. Not coincidentally, the key K is 64 bits. But before we can describe the keystream, we need to discuss the registers X, Y, and Z in more detail. Then the registers X, Y, and Z step according to the following rules: Also, the number of keystream bits that can be generated from a single 64-bit key is virtually unlimited—though eventually the keystream will repeat. These systems were once the kings of symmetric key crypto, but in recent years the block cipher has clearly taken over that title.
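The shift register cipher sketched above (A5/1) as a runnable added example; this is not the book's code. The excerpt gives the sizes of X and Y and the 64-bit key; the 23-bit Z register, the tap positions, the clocking bits x8, y10, z10 and the output bit x18 XOR y21 XOR z22 are the published cipher's values and are assumed here, and so is the key loading (the key bits are simply placed into the three registers, whereas the real cipher also mixes in a frame number). The function registers_after returns what the later problem asks to print, the contents of X, Y and Z after a given number of keystream bits.

```python
# Added example (not the book's code): A5/1 keystream generation with
# majority-vote clocking. Register sizes 19/22/23 and the tap positions are
# those of the published cipher; key loading is a simplification.

def maj(x, y, z):
    """Majority function: 1 when at least two of the three bits are 1."""
    return (x & y) | (x & z) | (y & z)


def load_registers(key):
    """Split a 64-bit integer key into X (19 bits), Y (22 bits), Z (23 bits).
    Assumption of this example: bit i of the key goes to position i."""
    bits = [(key >> i) & 1 for i in range(64)]
    return bits[:19], bits[19:41], bits[41:64]


def step(x, y, z):
    """One clock: compute m = maj(x8, y10, z10), step each register whose
    clocking bit agrees with m (new bit enters at index 0), then output
    x18 XOR y21 XOR z22. The registers are modified in place."""
    m = maj(x[8], y[10], z[10])
    if x[8] == m:
        t = x[13] ^ x[16] ^ x[17] ^ x[18]
        x[:] = [t] + x[:-1]
    if y[10] == m:
        t = y[20] ^ y[21]
        y[:] = [t] + y[:-1]
    if z[10] == m:
        t = z[7] ^ z[20] ^ z[21] ^ z[22]
        z[:] = [t] + z[:-1]
    return x[18] ^ y[21] ^ z[22]


def keystream(key, nbits):
    """Generate nbits keystream bits from a 64-bit key."""
    x, y, z = load_registers(key)
    return [step(x, y, z) for _ in range(nbits)]


def registers_after(key, nbits):
    """Contents of X, Y and Z after nbits keystream bits have been produced."""
    x, y, z = load_registers(key)
    for _ in range(nbits):
        step(x, y, z)
    return x, y, z


def crypt(data, key):
    """Encrypt or decrypt bytes: XOR the data bits (MSB first) with the keystream.
    Since XOR is its own inverse, the same call decrypts."""
    bits = [(b >> i) & 1 for b in data for i in range(7, -1, -1)]
    out = [p ^ k for p, k in zip(bits, keystream(key, len(bits)))]
    return bytes(int("".join(map(str, out[i:i + 8])), 2)
                 for i in range(0, len(out), 8))


if __name__ == "__main__":
    key = 0x0123456789ABCDEF  # constructed key
    print(keystream(key, 32))
    print(registers_after(key, 32))
```

Two properties worth checking against this code: an all-zero register state produces an all-zero keystream (every tap XOR is 0 and the majority is 0), which is why a real deployment never loads the registers with zeros, and the keystream for a given key is fixed, so reusing a key with the same loading across two messages is the same mistake as reusing a one-time pad.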

Historically, shift register based stream ciphers were needed in order to keep pace with bit streams such as audio that are produced at a relatively high data rate.

In the past, software-based crypto could not generate bits fast enough for such applications. Today, however, there are few applications for which software-based crypto is not appropriate. This is one of the primary reasons why block ciphers are on the ascendancy. The RC4 algorithm is remarkably simple, because it is essentially just a lookup table containing a permutation of the byte values.

The entire RC4 algorithm is byte based. RC4 initialization. Pseudo-code for the initialization of the permutation S appears in Table 3. One interesting feature of RC4 is that the key can be of any length from 0 to bytes. The key is only used to initialize the permutation S. After the initialization phase, each keystream byte is generated according to the algorithm in Table 3. This could be implemented by adding extra steps to the initialization phase, where each additional step generates—and discards—a keystream byte following the algorithm in Table 3.

RC4 is used in many applications, including SSL. There seems to have been little effort to develop new stream ciphers in recent years. Although this may be a slight exaggeration, it is clear that block ciphers are in the ascendancy today. Table 3. RC4 keystream byte. The ciphertext is obtained from the plaintext by iterating a function F over some number of rounds. The function F , which depends on the output of the previous round and the key K, is known as a round function, not because of its shape, but because it is applied at each round.

The subkey is derived from the key K according to a key schedule algorithm. The beauty of a Feistel cipher is that we can decrypt, regardless of the particular round function F. To do so, we simply solve equations 3.

Any round function F will work in a Feistel cipher, provided that the output of F produces the correct number of bits. In particular, there is no requirement that the function F be invertible. However, a Feistel cipher will not be secure for every possible F.

They came back and were all different. By the mid s, it was clear even to U.

At the time, the computer revolution was underway, and the amount—and sensitivity—of digital data was rapidly increasing. The upshot was that businesses had no way to judge the merits of a crypto product and the quality of most such products was very poor. The winning submission would become a U. At this point, NBS had a problem. Nevertheless, this suspicion tainted DES from its inception. Lucifer eventually became DES, but not before a few subtle—and a few not so subtle—changes were made.

The most obvious change was that the key length had been reduced from bits to 64 bits. However, 8 of the 64 key bits were discarded, so the actual key length is a mere 56 bits. By this measure, DES is times easier to break than Lucifer! Understandably, the suspicion was that NSA had had a hand in this. However, subsequent cryptanalysis of the DES algorithm has revealed attacks that require slightly less work than trying keys.

As a result, DES is probably about as strong with a key of 56 bits as it would have been with the longer key. The subtle changes to Lucifer involved the substitution boxes, or S-boxes, which are described below. These changes in particular fueled the suspicion of a backdoor. The DES S-boxes are one of its most important security features.

The S-boxes, taken together, map 48 bits to 32 bits. The same S-boxes are used at each round of DES. Since DES is a Feistel cipher, encryption follows the formulas given in equations 3. A single round of DES is illustrated in the wiring diagram in Figure 3. As required by equation 3. One round of DES. The expansion permutation expands its input from 32 to 48 bits, and the 48 bit subkey is XORed with the result.

The S-boxes then compress these 48 bits down to 32 bits before the result is passed through the P-box. The P-box output is then XORed with the old left half to obtain the new right half. In fact, some of these operations are of no security benefit whatsoever, and, when these are stripped away, the algorithm is even simpler.

The 48-bit result of the DES expansion permutation consists of the bits

31  0  1  2  3  4  3  4  5  6  7  8
 7  8  9 10 11 12 11 12 13 14 15 16
15 16 17 18 19 20 19 20 21 22 23 24
23 24 25 26 27 28 27 28 29 30 31  0

where the 32-bit input is, according to our convention, numbered as

 0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31

We give S-box number 1 below, where the input to the S-box is denoted b0 b1 b2 b3 b4 b5.

It was apparently hoped that DES would remain a hardware-only algorithm. Predictably, the DES S-boxes became public knowledge almost immediately. This is a somewhat convoluted process, but the ultimate result is simply that 48 of the 56 bits of key are selected at each round. The DES key schedule algorithm for generating the bit subkey Ki for round i can now be described as in Table 3.

For completeness, there are two other features of DES that we must mention. Also, when encrypting, the halves are swapped after the last round, so the actual ciphertext is (R16, L16) instead of (L16, R16). A few words on the security of DES may be useful. First, mathematicians are very good at solving linear equations, and the only part of DES that is not linear is the S-boxes.

As a result, the S-boxes are crucial to the security of DES. DES key schedule algorithm. All of this will become much clearer after we discuss linear and differential cryptanalysis in a later chapter. For more details on the design of DES, see []. Today, DES is vulnerable simply because the key is too small, not because of any noteworthy shortcut attack.

Although some attacks have been developed that, in theory, require slightly less work than an exhaustive key search, all practical DES crackers built to date simply try all keys until they stumble across the correct one. The inescapable conclusion is that the designers of DES knew what they were doing.

Then we discuss one truly simple block cipher in more detail. But before that, we need some notation. Let P be a block of plaintext, K a key, and C the corresponding block of ciphertext. It turns out that there is a clever way to use DES with a larger key length. The obvious approach, double DES (encrypting twice with two different keys), is not it: double DES is vulnerable to the meet-in-the-middle attack described next. This attack is a chosen plaintext attack. We select a particular plaintext P and obtain the corresponding ciphertext C.

First we precompute a table, with one entry for each possible key value K, containing the pairs (E(P, K), K). This attack on double DES requires that we pre-compute and store an enormous table.

But the table computation is one-time work, so if we use this table many times (by attacking double DES many times), the work for computing the table can be amortized over the number of attacks. This has the same expected work as an exhaustive key search attack on single DES. At least we can say that a meet-in-the-middle attack on triple DES similar to the attack on double DES is impractical, since the table pre-computation is infeasible—or the per attack work is infeasible if we reduce the table to a practical size.
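An added example serving two of the passages above, the Feistel construction (decryption works for any round function F, even a non-invertible one) and the meet-in-the-middle attack on double encryption. This is not the book's code: the cipher is a toy Feistel with a 16-bit block, a 12-bit key, four rounds, a truncated-hash round function and an arbitrary key schedule, all chosen for this example so that the whole key space can be enumerated in well under a second. With two keys the double cipher has 2^24 key pairs, yet the attack tries only 2 times 2^12 single-cipher keys plus a handful of checks on extra known pairs to discard false matches.

```python
# Added example (not the book's code): a toy Feistel cipher and the
# meet-in-the-middle attack on double encryption with it.
import hashlib

ROUNDS = 4
KEY_BITS = 12          # toy size so the attack runs instantly; DES has 56


def round_function(right, subkey):
    """8-bit round function. A truncated hash is not invertible, which is
    allowed: Feistel decryption never needs F^-1, only F itself."""
    digest = hashlib.sha256(bytes([right, subkey & 0xFF, subkey >> 8])).digest()
    return digest[0]


def subkeys(key):
    """Toy key schedule (an assumption of this example): one 16-bit subkey per round."""
    return [(key + i * 0x1F1F) & 0xFFFF for i in range(ROUNDS)]


def feistel_encrypt(block, key):
    """L_i = R_{i-1};  R_i = L_{i-1} XOR F(R_{i-1}, K_i); block is 16 bits."""
    left, right = block >> 8, block & 0xFF
    for k in subkeys(key):
        left, right = right, left ^ round_function(right, k)
    return (left << 8) | right


def feistel_decrypt(block, key):
    """Run the rounds backwards: R_{i-1} = L_i;  L_{i-1} = R_i XOR F(L_i, K_i)."""
    left, right = block >> 8, block & 0xFF
    for k in reversed(subkeys(key)):
        left, right = right ^ round_function(left, k), left
    return (left << 8) | right


def double_encrypt(block, k1, k2):
    """Double encryption C = E(E(P, K1), K2), the construction the attack targets."""
    return feistel_encrypt(feistel_encrypt(block, k1), k2)


def meet_in_the_middle(pairs):
    """Given known (P, C) pairs of the double cipher, return every (K1, K2)
    consistent with all of them. The first pair builds a table of
    E(P, K1) for all K1 and probes it with D(C, K2) for all K2; the remaining
    pairs weed out the false matches that a short block makes common."""
    p0, c0 = pairs[0]
    table = {}
    for k1 in range(1 << KEY_BITS):
        table.setdefault(feistel_encrypt(p0, k1), []).append(k1)
    found = []
    for k2 in range(1 << KEY_BITS):
        for k1 in table.get(feistel_decrypt(c0, k2), []):
            if all(double_encrypt(p, k1, k2) == c for p, c in pairs[1:]):
                found.append((k1, k2))
    return found


if __name__ == "__main__":
    k1, k2 = 0x123, 0xABC                      # constructed secret keys
    known = [(p, double_encrypt(p, k1, k2)) for p in (0x0000, 0x1234, 0xBEEF)]
    print(meet_in_the_middle(known))           # [(291, 2748)]
```

The lesson carries over unchanged to DES: doubling the key length by encrypting twice buys roughly one extra bit of security against this attack, at the cost of a table with one entry per key, which is exactly why the text turns to triple DES next.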

Surprisingly, the answer is backwards compatibility with single DES. Triple DES is popular today. The crucial problem with DES is that the key length of 56 bits is susceptible to an exhaustive key search.

See [] for information on the AES competition and [54] for the details on the Rijndael algorithm. As a result, there are no plausible claims of a backdoor having been inserted into AES. In fact, AES is highly regarded in the cryptographic community. The major implication of this is that, in order to decrypt, the AES operations must be invertible. No crypto algorithm in history has received as much scrutiny in as short of a period of time as the AES.

See [5, ] for more information on the Rijndael algorithm. Some of the pertinent facts of AES are as follows. Three key lengths are available independent of selected block length: The result is the array of bij as illustrated below: The ByteSub lookup table appears in Table 3. Note that ShiftRow is inverted by simply shifting in the opposite direction. TABLE 3. AES ByteSub. The overall operation is nonlinear but invertible, and, as with ByteSub, it serves a similar purpose as the DES S-boxes.

The AddRoundKey operation is straightforward. Similar to DES, a key schedule algorithm is used to generate a subkey for each round. As a result, the entire algorithm is invertible, and consequently AES can decrypt as well as encrypt. Each of these has some particular noteworthy design feature.
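To make the invertibility requirement concrete, here are the MixColumn and ShiftRow operations of AES with their inverses, as an added example that is not the book's code. MixColumn multiplies each column of the state by a fixed 4x4 matrix over GF(2^8) with the AES reduction polynomial x^8 + x^4 + x^3 + x + 1; the inverse uses the matrix with entries 14, 11, 13, 9. The state is held as 16 bytes in column-major order, as in the standard.

```python
# Added example (not the book's code): AES MixColumn / InvMixColumn and
# ShiftRow / InvShiftRow, showing that each AES layer is invertible.

def xtime(a):
    """Multiply a byte by x (that is, by 2) in GF(2^8), reducing by x^8+x^4+x^3+x+1."""
    a <<= 1
    if a & 0x100:
        a ^= 0x11B
    return a & 0xFF


def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) by shift-and-add (Russian peasant)."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a = xtime(a)
        b >>= 1
    return result


MIX = ((2, 3, 1, 1), (1, 2, 3, 1), (1, 1, 2, 3), (3, 1, 1, 2))
INV_MIX = ((14, 11, 13, 9), (9, 14, 11, 13), (13, 9, 14, 11), (11, 13, 9, 14))


def mix_column(col, matrix=MIX):
    """Multiply one 4-byte column by the MixColumn matrix over GF(2^8)."""
    return [gf_mul(row[0], col[0]) ^ gf_mul(row[1], col[1])
            ^ gf_mul(row[2], col[2]) ^ gf_mul(row[3], col[3]) for row in matrix]


def inv_mix_column(col):
    return mix_column(col, INV_MIX)


def mix_columns(state, matrix=MIX):
    """Apply mix_column to each of the four columns of a 16-byte state."""
    out = []
    for c in range(4):
        out += mix_column(state[4 * c:4 * c + 4], matrix)
    return out


def inv_mix_columns(state):
    return mix_columns(state, INV_MIX)


def shift_rows(state):
    """Row r of the 4x4 state rotates left by r positions; index = 4*column + row."""
    return [state[((c + r) % 4) * 4 + r] for c in range(4) for r in range(4)]


def inv_shift_rows(state):
    """Rotate row r right by r positions, undoing shift_rows."""
    return [state[((c - r) % 4) * 4 + r] for c in range(4) for r in range(4)]


if __name__ == "__main__":
    # Constructed column; the result matches the column example in FIPS 197.
    print([hex(b) for b in mix_column([0xDB, 0x13, 0x53, 0x45])])  # 8e 4d a1 bc
```

Note that MixColumn is linear over GF(2^8), which is why its inverse is again a matrix multiplication; the nonlinearity of AES comes from ByteSub, just as the nonlinearity of DES comes from its S-boxes.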

Massey, one of the great—though lesser-known—cryptographers of modern times. The most innovative feature of IDEA is its use of mixed mode arithmetic. The algorithm combines addition modulo 2 (XOR) with addition modulo and the Lai-Massey multiplication, which is almost multiplication modulo . These operations together produce the necessary nonlinearity, and as a result no explicit S-box is required.

See [] for more details on the design of IDEA. Schneier is a well-known cryptographer and a good writer on all things security related. RC6 is due to Ron Rivest, whose crypto accomplishments are truly remarkable, including the public key system RSA and the previously mentioned RC4 stream cipher, as well as one of the most popular hash functions, MD5. The unusual aspect of RC6 is its use of data-dependent rotations []. It is highly unusual to rely on the data as an essential part of the operation of a crypto algorithm.

These three ciphers illustrate some of the many variations that have been used in the quest for the ideal balance between security and performance in block cipher design. In a later chapter we discuss linear and differential cryptanalysis, which makes the trade-offs inherent in block cipher design clearer.

TEA nicely illustrates that such is not necessarily the case. TEA uses a bit block length and a bit key. The algorithm assumes a computing architecture with bit words, so all mathematical operations are implicitly modulo In block cipher design, there is a trade-off between the complexity of each round and the number of rounds required. Ciphers such as DES try to strike a balance between these two, while AES reduces the number of rounds but has a more complex round function.

TEA, on the other hand, uses a very simple round function; however, as a consequence, the number of rounds must be large to achieve a high level of security.

Pseudo-code for TEA encryption—assuming 32 rounds are used—appears in Table 3. TEA encryption. The TEA decryption algorithm, assuming 32 rounds, appears in Table 3. If a cryptanalyst knows that two TEA messages are encrypted with keys that are related to each other in a special way, then the plaintext can be recovered.

This is a low-probability attack that in most circumstances can probably be ignored. Using a block cipher is also easy, as long as you have exactly one block to encrypt.

But how should multiple blocks be encrypted with a block cipher? And how should a partial block be encrypted? It turns out that the answers are not as simple as it might seem. Suppose we have multiple plaintext blocks P0, P1, P2, …. Following the codebook idea, the obvious thing to do is to use a block cipher in so-called electronic codebook, or ECB, mode.

TEA decryption. This approach works, but there are some security problems with ECB mode. Although this may seem innocent enough, there are cases where the attacker will know part of the plaintext, and any match with a known block reveals another block. Massey [] gives a dramatic illustration of this weakness of ECB mode.

We give a similar example in Figure 3. While every block of the right-hand image in Figure 3. Fortunately, there are several solutions to this weakness of ECB mode.

In CBC mode, the ciphertext from a block is used to obscure the plaintext of the next block before it is encrypted. Figure 3. Alice and ECB mode. Since the ciphertext is not secret and since the IV plays the role of a ciphertext block, it need not be secret either.

But the IV should be randomly selected. A possible concern with CBC mode is the effect of errors. When the ciphertext is transmitted, garbles might occur—a 0 could become a 1 or vice versa.

If a single Figure 3. Alice prefers CBC mode. Fortunately, this is not the case. Suppose the ciphertext block Ci is garbled to, say, G. The fact that a single-bit error causes two entire blocks to be garbled could be a serious concern in high error rate environments such as wireless. Stream ciphers do not have this problem—a single garbled ciphertext bit results in a single garbled plaintext bit—and that is one reason why stream ciphers are sometimes preferred in wireless applications.

Another concern with a block cipher is a cut-and-paste attack. You might think that CBC mode would eliminate the cut-and-paste attack. This is explored further in the problems in Section 3. It is also possible to use a block cipher to generate a keystream, which can then be used just like a stream cipher keystream. CTR mode is often selected when random access is required. However, random access is also straightforward with CBC mode. There are many other block cipher modes; see [] for descriptions of the more common ones.

For example, suppose that you electronically transfer funds from one account to another. This is where integrity comes into the picture. Here we show that block ciphers can also be used to provide data integrity.

Encryption with any cipher—from the one-time pad to block ciphers, in any of their modes—does not protect the data from malicious or inadvertent changes. If Trudy manipulates the ciphertext say, by a cut-and-paste attack or if garbles occur in transmission, the integrity of the data has been destroyed. We want to be able to automatically detect when the received data is not the same as the sent data.

If there is any difference, the receiver knows that the data or MAC has changed; however, if there is no difference, then the data is almost certainly correct. Why does the MAC work? Any change to a plaintext block propagates through the subsequent blocks to the computed MAC. Recall that with CBC encryption, a change in a ciphertext block only affects two of the recovered plaintext blocks.

In contrast, the example above shows that any change in the plaintext affects all subsequent blocks in CBC encryption. This is the crucial property that enables a MAC to provide integrity. This cannot provide any additional security. This topic is explored in more detail in the problems at the end of the chapter. There are two distinct types of symmetric ciphers: stream ciphers and block ciphers. Stream ciphers generalize the one-time pad, where provable security is traded for practicality.
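One added example, not the book's code, that serves the TEA, block cipher mode and MAC passages above. TEA (64-bit block, 128-bit key, 32 rounds, all arithmetic modulo 2^32) is the block cipher; on top of it the example builds ECB and CBC modes, shows the ECB weakness that identical plaintext blocks give identical ciphertext blocks, measures the CBC error propagation described above (a single garbled ciphertext bit destroys one recovered block and flips exactly one bit of the next), and builds a CBC-MAC that lets the receiver detect a cut-and-paste rearrangement of ciphertext blocks. The keys, IV and messages are constructed for the demonstration, and only whole blocks are handled.

```python
# Added example (not the book's code): TEA, ECB/CBC modes, CBC error
# propagation and a CBC-MAC, all on the same cipher.
import struct

DELTA = 0x9E3779B9
MASK = 0xFFFFFFFF


def tea_encrypt_block(block, key, rounds=32):
    """Encrypt one 8-byte block with a 16-byte key; 32-bit arithmetic throughout."""
    y, z = struct.unpack(">II", block)
    k = struct.unpack(">IIII", key)
    total = 0
    for _ in range(rounds):
        total = (total + DELTA) & MASK
        y = (y + ((((z << 4) & MASK) + k[0]) ^ (z + total) ^ ((z >> 5) + k[1]))) & MASK
        z = (z + ((((y << 4) & MASK) + k[2]) ^ (y + total) ^ ((y >> 5) + k[3]))) & MASK
    return struct.pack(">II", y, z)


def tea_decrypt_block(block, key, rounds=32):
    """Undo the rounds in reverse order, starting from the final round sum."""
    y, z = struct.unpack(">II", block)
    k = struct.unpack(">IIII", key)
    total = (DELTA * rounds) & MASK
    for _ in range(rounds):
        z = (z - ((((y << 4) & MASK) + k[2]) ^ (y + total) ^ ((y >> 5) + k[3]))) & MASK
        y = (y - ((((z << 4) & MASK) + k[0]) ^ (z + total) ^ ((z >> 5) + k[1]))) & MASK
        total = (total - DELTA) & MASK
    return struct.pack(">II", y, z)


def xor(a, b):
    return bytes(p ^ q for p, q in zip(a, b))


def blocks(data):
    """Split into 8-byte blocks (the examples use whole blocks only)."""
    return [data[i:i + 8] for i in range(0, len(data), 8)]


def ecb_encrypt(plaintext, key):
    """ECB: C_i = E(P_i, K); a pure codebook, so equal blocks encrypt alike."""
    return b"".join(tea_encrypt_block(b, key) for b in blocks(plaintext))


def cbc_encrypt(plaintext, key, iv):
    """CBC: C_i = E(P_i XOR C_{i-1}, K) with C_{-1} = IV."""
    prev, out = iv, []
    for b in blocks(plaintext):
        prev = tea_encrypt_block(xor(b, prev), key)
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(ciphertext, key, iv):
    """CBC: P_i = D(C_i, K) XOR C_{i-1}; each block depends on two ciphertext blocks."""
    prev, out = iv, []
    for c in blocks(ciphertext):
        out.append(xor(tea_decrypt_block(c, key), prev))
        prev = c
    return b"".join(out)


def cbc_mac(plaintext, key, iv):
    """CBC-MAC as in the text: CBC-encrypt and keep only the final block."""
    return cbc_encrypt(plaintext, key, iv)[-8:]


def repeats_visible(key, iv):
    """(ECB shows repeated blocks?, CBC shows repeated blocks?) for a repeated message."""
    msg = b"SAMEBLOK" * 3
    ecb, cbc = blocks(ecb_encrypt(msg, key)), blocks(cbc_encrypt(msg, key, iv))
    return len(set(ecb)) == 1, len(set(cbc)) == 1


def cbc_error_propagation(key, iv):
    """Flip one bit inside ciphertext block 1 of 4 and count, per recovered block,
    how many bits differ from the original plaintext."""
    pt = bytes(range(32))
    ct = bytearray(cbc_encrypt(pt, key, iv))
    ct[12] ^= 0x01                       # a single-bit transmission garble
    recovered = cbc_decrypt(bytes(ct), key, iv)
    return [sum(bin(a ^ b).count("1") for a, b in zip(p, r))
            for p, r in zip(blocks(pt), blocks(recovered))]


def cut_and_paste_detected(key_enc, key_mac, iv):
    """Sender sends CBC ciphertext plus a CBC-MAC of the plaintext under a second key.
    If blocks 1 and 2 of the ciphertext are swapped in transit, the MAC the
    receiver recomputes over the decrypted data no longer matches the one sent."""
    pt = bytes(range(32))
    ct = blocks(cbc_encrypt(pt, key_enc, iv))
    mac = cbc_mac(pt, key_mac, iv)
    tampered = b"".join([ct[0], ct[2], ct[1], ct[3]])
    received = cbc_decrypt(tampered, key_enc, iv)
    return cbc_mac(received, key_mac, iv) != mac
```

Two points the numbers make visible: ECB leaks equality of blocks while CBC with a fresh random IV does not, and under CBC a garble in C_i ruins P_i entirely but touches P_{i+1} in exactly the garbled bit positions and leaves every later block intact, which is the two-block effect the text describes.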

We then considered various modes of using block ciphers. We also showed that block ciphers can be used for data integrity. On the one hand, we can encrypt data that is to be transmitted over an insecure channel. On the other hand, we might encrypt data that is stored on an insecure media, such as a computer hard drive.

Symmetric key crypto—in the form of a MAC—can also be used to ensure data integrity. Chapter 6, which deals with advanced cryptanalysis, is highly recommended for anyone who wants to gain a deeper understanding of block cipher design principles. Make a table that contains the number of subkeys in which each bit ki is used. Can you design a DES key schedule algorithm in which each key bit is used an equal number of times?

Decrypt the resulting ciphertext to obtain the original plaintext. Then encrypt and decrypt the message Four score and seven years ago our fathers brought forth on this continent, a new nation, conceived in Liberty, and dedicated to the proposition that all men are created equal.

In each case, use the key given above. Draw diagrams to illustrate encryption and decryption in CBC mode. Is this secure? If so, why? If not, describe an attack. AES consists of four functions in three layers. Which of the functions are primarily for confusion and which are primarily for diffusion? Which of the layers are for confusion and which are for diffusion?

Justify your answers. Implement the RC4 algorithm. Suppose the key consists of the following seven bytes: List the permutation S after the initialization phase. List the permutation S after generating bytes of the keystream.

Write the truth table for this function and derive the boolean function that is equivalent to maj(x, y, z). Print the contents of X, Y and Z after the 32 keystream bits have been generated. What is a Feistel Cipher? What is the corresponding decryption rule? Give two security disadvantages to this mode compared with CBC mode. A stream cipher can be viewed as a generalization of a one-time pad.

Recall that the one-time pad is provably secure. For any stream cipher, why must the keystream eventually repeat? For DES, how many bits are in the key, how many bits are in a plaintext block, how many bits are in each subkey, how many rounds, and how many S-boxes? What is the purpose of this swap? The swap serves no security purpose. Recall the attack on double DES discussed in the text. An IV need not be secret, but does it need to be random?

Are there any security disadvantages or advantages if IVs are selected in sequence instead of being generated at random? Suppose that ciphertext blocks C0 , C1 , C2 ,. Show that a cut-and-paste attack is possible; that is, show that it is possible to rearrange the blocks so that some of the blocks decrypt correctly, even though they are not in the correct order. Explain how to do random access on data encrypted using CBC mode. CTR mode generates a keystream using a block cipher.

Give another method for using a block cipher as a stream cipher. Does your method support random access? The ciphertext and the MAC are sent to the recipient. Show that the recipient will detect a cut-and-paste attack. Mimic the meet-in-the-middle attack for double DES discussed in the book. Give two ways to encrypt a partial block using a block cipher. Discuss any possible security concerns of your two methods. What is the ciphertext C if the round function is a.

Let X be data. Suppose that the ciphertext in equation 3. If Trudy believes ECB mode is used and tries the same cut-and-paste attack, which blocks decrypt correctly?

View the encrypted image. Suppose that Alice and Bob always choose the same IV. Discuss one security problem this creates if CBC mode is used. Discuss one security problem this creates if CTR mode is used. What are the security advantages and disadvantages of this approach compared with using a random IV? Give a diagram analogous to that in Figure 3. She then sends the plaintext and the corresponding MAC to Bob.

If Trudy alters one block of plaintext before Bob receives it, what is the probability that Bob does not detect the change? She then sends the IV and ciphertext to Bob. Upon receiving the ciphertext, Bob plans to verify the integrity as follows.

Will Bob detect that the data lacks integrity? Suppose that Trudy is able to change any of the ciphertext blocks before they are received by Bob. Bob attempts to verify the integrity of the data by decrypting using key K2 and then computing a MAC using key K1 on the putative plaintext. Suppose that Alice and Bob only share a single symmetric key K. Does this create any security problem?

In symmetric key cryptography, the same key is used to both encrypt and decrypt. In public key cryptography, one key is used to encrypt and a different key is used to decrypt. As a result, the encryption key can be made public. This solves one of the most vexing problems of symmetric key crypto, namely, how to securely distribute the symmetric key. Public key crypto is a relative newcomer, having been invented by cryptographers working for GCHQ (the British equivalent of NSA) in the late s and early s and, independently, by academic researchers shortly thereafter [].

The government cryptographers clearly did not grasp the full potential of their discovery, and it lay […]. The ultimate effect has been nothing short of a revolution in cryptography. There are nowhere near the number of public key cryptosystems as there are symmetric ciphers, since public key systems are based on very special mathematical structures, whereas just about anyone can design a plausible symmetric cipher.

The purpose of the trap door is to ensure that an attacker cannot use the public information to recover the secret information. A warning on notation is required. In symmetric key crypto, the plaintext is P and the ciphertext is C. But in public key crypto, tradition has it that we encrypt a message M, although, strangely, the result is still ciphertext C.

Below, we follow this tradition. To do public key crypto, Bob must have a key pair consisting of a public key and a private key. You might reasonably wonder what possible use this could be. In fact, this is one of the most useful features of public key crypto.

A digital signature is like a handwritten signature—only more so. Only Bob, the holder of the private key, can digitally sign, just as only Bob can write his handwritten signature. But a digital signature forgery can be detected by anyone.

While ECC is not a cryptosystem per se, it does offer a different mathematical realm in which to do the math that arises in many public key systems. If you have not yet done so, this would be a good place to review the information on modular arithmetic found in the Appendix. Shortly thereafter, the Merkle-Hellman knapsack cryptosystem was proposed by—believe it or not—Merkle and Hellman. He wrote a groundbreaking paper [] that also foreshadowed public key cryptography. The Merkle-Hellman knapsack cryptosystem is based on a problem that is known to be NP-complete [88].

This seems to make it an ideal candidate for a secure public key cryptosystem. The knapsack problem can be stated as follows. Given a set of n weights W0, W1, ... Although the general knapsack problem is known to be NP-complete, there is a special case that can be solved in linear time. A superincreasing knapsack is similar to the general knapsack except that, when the weights are arranged from least to greatest, each weight is greater than the sum of all previous weights. For example, 3, 6, 11, 25, 46, 95, , 4.

Solving a superincreasing knapsack problem is easy. Suppose we are given the set of weights in equation 4. Nevertheless, the cryptosystem is universally known as the knapsack. Generate a superincreasing knapsack. Convert the superincreasing knapsack into a general knapsack. The public key is the general knapsack. The private key is the superincreasing knapsack together with the conversion factors. To convert the superincreasing knapsack into a general knapsack, we choose a multiplier m and a modulus n so that m and n are relatively prime and n is greater than the sum of all elements in the superincreasing knapsack.

Then the general knapsack is computed from the superincreasing knapsack by modular multiplication: The resulting general knapsack is 82, , , 83, , , 10, , which appears to be a general non-superincreasing knapsack.

The public key is the general knapsack Public key: The private key is the superincreasing knapsack together with the modular inverse of the conversion factor m, that is, Private key: Then she uses the 1 bits to select the elements of the general knapsack that are summed to give the ciphertext.

Only elementary properties of modular arithmetic are required to verify that the decryption formula works. Proving that the decryption formula works in general is equally straightforward.
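The knapsack key generation, encryption and decryption steps described above, carried through as an added example (this is not the book's code). The superincreasing knapsack, the multiplier m and the modulus n are constructed values chosen for this illustration; the solver for the superincreasing case is the linear-time scan from the largest weight down.

```python
# Merkle-Hellman knapsack key generation, encryption and decryption, as an
# added example (not the book's code). The superincreasing knapsack, multiplier
# m and modulus n below are constructed values chosen for this illustration.
from math import gcd

def is_superincreasing(weights):
    """Each weight must exceed the sum of all weights before it."""
    total = 0
    for w in weights:
        if w <= total:
            return False
        total += w
    return True

def solve_superincreasing(weights, target):
    """Linear-time solution: scan from the largest weight down, taking each
    weight that still fits. Returns the selection bits in weight order."""
    bits = [0] * len(weights)
    for i in range(len(weights) - 1, -1, -1):
        if weights[i] <= target:
            bits[i] = 1
            target -= weights[i]
    if target != 0:
        raise ValueError("target is not a sum of the given weights")
    return bits

def make_general_knapsack(private, m, n):
    """Trapdoor conversion: multiply each weight by m modulo n."""
    if gcd(m, n) != 1 or n <= sum(private):
        raise ValueError("need gcd(m, n) == 1 and n > sum of the weights")
    return [(w * m) % n for w in private]

def encrypt(public, bits):
    """Sum the public weights selected by the 1 bits of the plaintext."""
    return sum(w for w, b in zip(public, bits) if b)

def decrypt(private, m, n, ciphertext):
    """Multiply by m^-1 mod n, then solve the easy superincreasing knapsack."""
    m_inv = pow(m, -1, n)                       # modular inverse, Python 3.8+
    return solve_superincreasing(private, (ciphertext * m_inv) % n)

# Constructed private knapsack and conversion factors.
PRIVATE = [2, 3, 7, 14, 30, 57, 120, 251]
M, N = 41, 491
PUBLIC = make_general_knapsack(PRIVATE, M, N)   # [82, 123, 287, 83, 248, 373, 10, 471]

def roundtrip(plaintext_bits):
    bits = [int(c) for c in plaintext_bits]
    c = encrypt(PUBLIC, bits)
    return c, "".join(str(b) for b in decrypt(PRIVATE, M, N, c))
```

Note that the public knapsack is deliberately not superincreasing, which is what hides the easy structure from anyone holding only the public key.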

The trapdoor in the knapsack occurs when we convert the superincreasing knapsack into the general knapsack using modular arithmetic. The conversion factors are unavailable to an attacker. Unfortunately, this clever knapsack public key cryptosystem is insecure. It was broken by Shamir in using an Apple II computer []. Much research has been done on the knapsack problem since the Merkle-Hellman knapsack was broken. For more information on the knapsack cryptosystem, see [65, , ].

In fact, Rivest and Shamir are two of the giants of modern crypto. That is, factoring is not known to be NP-complete. Denote this inverse of e by d. Now forget the factors p and q. The number N is the modulus, whereas e is the encryption exponent and d is the decryption exponent. The RSA key pair consists of Public key: N, e and Private key: In RSA, encryption and decryption are accomplished via modular exponentiation.

Assume for a moment that it does work. In other words, factoring the modulus breaks RSA. However, it is not known whether factoring is the only way to break RSA. Why does RSA work? Now we have all of the necessary pieces of the puzzle to verify that RSA decryption works.

We have Public key: One such trick is the method of repeated squaring for modular exponentiation. Suppose we want to compute In a secure implementation of RSA, the modulus N is at least bits. Fortunately, the method of repeated squaring allows us to compute such an exponentiation without creating extremely large numbers at any intermediate step.

Repeated squaring works by building up the exponent e one bit at a time. At each step we double the current exponent and if the binary expansion of e has a 1 in the corresponding position, we also add one to the exponent. How can we double and add one to an exponent? Using basic properties of modular arithmetic, we can reduce each of the intermediate results by the modulus, thereby avoiding any extremely large numbers. An example should clarify the process.

Consider again First, note that the exponent 20 is in binary. Compare this to equation 4. As far as anyone knows, this does not weaken RSA in any way. The decryption exponents (the private keys) of different users will be different, provided different p and q are chosen for each key pair. With this choice of e, each public key encryption only requires two multiplications.

However, the private key operations remain expensive since there is no special structure for d. This is often desirable since all of the encryption may be done by a central server, while the decryption is effectively distributed among the clients. Of course, if the server needs to sign, then a small e does not reduce its workload. In any case, it would certainly be a bad idea to choose the same d for all users.

With this e, each encryption requires only 17 steps of the repeated squaring algorithm.
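RSA key generation and the repeated squaring method described above, as an added example (not the book's code). The primes, the exponent and the message are small constructed values so that every intermediate result can be checked by hand; the step counter shows why a small public exponent makes encryption cheap while leaving decryption expensive.

```python
# RSA key generation and the repeated squaring method described above, as an
# added example (not the book's code). The primes, exponent and message are
# small constructed values so every intermediate result can be checked by hand.
from math import gcd

def mod_exp(base, exponent, modulus):
    """Repeated squaring: build the exponent one bit at a time, most
    significant bit first. Squaring doubles the exponent built so far;
    multiplying by `base` adds one when the next bit is 1. Every
    intermediate value is reduced mod `modulus`, so nothing grows large."""
    result = 1
    for bit in bin(exponent)[2:]:
        result = (result * result) % modulus
        if bit == "1":
            result = (result * base) % modulus
    return result

def rsa_keygen(p, q, e):
    """Return ((N, e), (N, d)) with d the inverse of e mod (p-1)(q-1)."""
    N, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to (p-1)(q-1)")
    return (N, e), (N, pow(e, -1, phi))   # pow(e, -1, phi): Python 3.8+

def rsa_encrypt(public, message):
    N, e = public
    return mod_exp(message, e, N)

def rsa_decrypt(private, ciphertext):
    N, d = private
    return mod_exp(ciphertext, d, N)

def squaring_steps(exponent):
    """Multiplications mod N for an exponent: one squaring per bit after the
    leading 1, plus one extra multiply for each further 1 bit."""
    bits = bin(exponent)[2:]
    return (len(bits) - 1) + (bits.count("1") - 1)

# Constructed key: p = 11, q = 3, e = 3 gives N = 33 and d = 7.
PUBLIC, PRIVATE = rsa_keygen(11, 3, 3)

if __name__ == "__main__":
    print(mod_exp(5, 20, 35))                             # 25
    print(rsa_decrypt(PRIVATE, rsa_encrypt(PUBLIC, 15)))  # 15
```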

This is no mean feat, since the key establishment problem is one of the fundamental pitfalls to symmetric key cryptography. The mathematical setup for DH is relatively simple. The values p and the generator g are public. Now for the key exchange, Alice generates her secret exponent a and Bob generates his secret exponent b. Alice sends g^a mod p to Bob and Bob sends g^b mod p to Alice. A DH key exchange is illustrated in Figure 4.

An attacker Trudy can see g^a mod p and g^b mod p, and it seems that Trudy is tantalizingly close to knowing the secret g^ab mod p. But as far as is known, the only way to break DH is to solve the discrete log problem. The DH algorithm is susceptible to a man-in-the-middle, or MiM, attack.

Trudy simply establishes a shared secret, say, g^at mod p with Alice, and another shared secret g^bt mod p with Bob, as illustrated in Figure 4. Neither Alice nor Bob has any clue that anything is amiss, yet Trudy is able to read and change any messages passing between Alice and Bob.

The MiM attack in Figure 4. How can we prevent this MiM attack? There are several possibilities, including 1. Figure 4. Instead, elliptic curves simply provide another way to perform the complex mathematical operations required in public key cryptography.
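The DH exchange and the MiM situation just described, as an added example (not the book's code): the honest run gives Alice and Bob the same key, while the intercepted run shows each of them sharing a key with Trudy instead of with each other, which is why the exchanged values need to be authenticated. p, g and all exponents are small constructed values.

```python
# Diffie-Hellman key exchange and the man-in-the-middle problem just described,
# as an added example (not the book's code). p, g and all exponents are small
# constructed values; real deployments use large primes and large exponents.

def dh_public(g, secret, p):
    """What each party sends: g^secret mod p."""
    return pow(g, secret, p)

def dh_shared(received, secret, p):
    """Raise the value received from the other party to our own secret."""
    return pow(received, secret, p)

def honest_exchange(p, g, a, b):
    """Alice (secret a) and Bob (secret b) both arrive at g^(ab) mod p."""
    g_a, g_b = dh_public(g, a, p), dh_public(g, b, p)
    return dh_shared(g_b, a, p), dh_shared(g_a, b, p)

def mim_exchange(p, g, a, b, t):
    """Trudy (secret t) replaces both transmitted values with g^t mod p.
    Alice ends up sharing g^(at) with Trudy and Bob shares g^(bt) with
    Trudy, while Alice and Bob hold different keys and cannot tell."""
    g_t = dh_public(g, t, p)
    alice_key = dh_shared(g_t, a, p)              # Alice believes this came from Bob
    bob_key = dh_shared(g_t, b, p)                # Bob believes this came from Alice
    trudy_with_alice = dh_shared(dh_public(g, a, p), t, p)
    trudy_with_bob = dh_shared(dh_public(g, b, p), t, p)
    return alice_key, bob_key, trudy_with_alice, trudy_with_bob

# Constructed parameters: 23 is prime and 5 generates the multiplicative group mod 23.
P, G = 23, 5
A, B, T = 6, 15, 9

if __name__ == "__main__":
    print(honest_exchange(P, G, A, B))   # (2, 2)
    print(mim_exchange(P, G, A, B, T))   # (9, 10, 9, 10)
```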

The advantage of elliptic curve cryptography (ECC) is that fewer bits are needed for the same level of security as in the non-elliptic curve case. On the down side, elliptic curves are more complex, and, as a result, mathematics on elliptic curves is somewhat more expensive.

But overall, elliptic curves appear to offer a computational advantage. For this reason, ECC is particularly popular in resource-constrained environments such as handheld devices. An elliptic curve E is the graph of a function of the form E: The graph of a typical elliptic curve appears in Figure 4. To add the points P1 and P2 , a line is drawn through the two points. This line Figure 4. An elliptic curve. For cryptography, we require a discrete set of points. Doing so, we obtain the results in Table 4.

Then the points on the elliptic curve in equation 4. Note that 2, 0 is also on the curve in equation 4. Addition on an elliptic curve mod p. The public information consists of a curve and a point on the curve. Next, we can select any point x, y and determine b so that this point lies on the resulting curve. Now the public information is Public: Alice sends this result to Bob. Actually, for a given number of bits, the elliptic curve version is harder to break, which allows for the use of smaller values for an equivalent level of security.
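Point addition on an elliptic curve mod p, scalar multiplication and the elliptic curve Diffie-Hellman exchange described above, as an added example (not the book's code). The curve y^2 = x^3 + x + 1 mod 5, the base point (0, 1) and the secrets are constructed for this illustration; the curve is chosen to be nonsingular, so its points together with the point at infinity form a group (here of order 9).

```python
# Elliptic curve point arithmetic mod p and an EC Diffie-Hellman exchange, as an
# added example (not the book's code); curve and secrets are constructed values.
INF = None                            # the point at infinity (group identity)

def inv(x, p):
    return pow(x % p, -1, p)          # modular inverse, Python 3.8+

def on_curve(pt, a, b, p):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + a * x + b)) % p == 0

def add(p1, p2, a, p):
    """Chord-and-tangent addition, every intermediate value reduced mod p."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % p == 0:
        return INF                    # P + (-P): the line through them is vertical
    if p1 == p2:
        m = (3 * x1 * x1 + a) * inv(2 * y1, p) % p   # tangent slope
    else:
        m = (y2 - y1) * inv(x2 - x1, p) % p          # chord slope
    x3 = (m * m - x1 - x2) % p
    return (x3, (m * (x1 - x3) - y1) % p)

def mul(k, pt, a, p):
    """k*P by double-and-add, the curve analogue of repeated squaring."""
    result = INF
    for bit in bin(k)[2:]:
        result = add(result, result, a, p)
        if bit == "1":
            result = add(result, pt, a, p)
    return result

def points(a, b, p):
    """All finite points on the curve, found by testing every (x, y) mod p."""
    return [(x, y) for x in range(p) for y in range(p) if on_curve((x, y), a, b, p)]

def ecdh(a, p, base, alice_secret, bob_secret):
    """Alice publishes alice_secret*G, Bob bob_secret*G; both reach the same multiple of G."""
    A, B = mul(alice_secret, base, a, p), mul(bob_secret, base, a, p)
    return mul(alice_secret, B, a, p), mul(bob_secret, A, a, p)

# Constructed curve y^2 = x^3 + x + 1 mod 5 with base point G; it is
# nonsingular (4a^3 + 27b^2 = 31 != 0 mod 5) and has 9 points including INF.
CURVE_A, CURVE_B, PRIME, G = 1, 1, 5, (0, 1)
```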

All is not lost for Trudy. There are many good sources of information on elliptic curves. See [] for a readable treatment and [28] for more of the mathematical details. Since public key crypto uses two keys per user, adapting the notation that we used for symmetric key crypto would be awkward. In addition, a digital signature is an encryption with the private key, but the same operation is a decryption when applied to ciphertext.

Never forget that the public key is public. On the other hand, the private key is private, so only Alice has access to her private key. The implication is that anyone can encrypt a message for Alice, but only Alice can decrypt the ciphertext. In terms of signing, only Alice can sign M, but, since the public key is public, anyone can verify the signature. It also includes integrity, where public key signing plays the role of a symmetric key MAC. But public key crypto offers two major advantages over symmetric key crypto.

The second major advantage is that digital signatures offer not only integrity but also non-repudiation. Is there any way that we can get the best of both worlds? The answer is an emphatic yes.

The way to achieve this highly desirable result is with a hybrid cryptosystem, where public key crypto is used to establish a symmetric key, and the resulting symmetric key is then used to encrypt the data. A hybrid cryptosystem is illustrated in Figure 4. The hybrid cryptosystem in Figure 4. Recall that, with symmetric key crypto, a MAC provides for integrity.

Public key signatures provide integrity, but they also provide Figure 4. Hybrid cryptosystem. Suppose Alice orders shares of stock from her favorite stockbroker, Bob.

At this point Alice claims that she did not place the order, that is, she repudiates the transaction. Can Bob prove that Alice placed the order?

No, he cannot. Since Bob also knows the symmetric key KAB , he could have forged the message in which Alice placed the order. Now consider the same scenario, but with Alice using a digital signature in place of the MAC computation.

As with the MAC computation, the signature provides integrity. Now suppose that Alice tries to repudiate the transaction. Can Bob prove that the order came from Alice? Yes he can, since only Alice has access to her private key. Digital signatures therefore provide integrity and non-repudiation.

Can the order possibly matter? First, suppose that Alice and Bob are romantically involved. Pitfall of sign and encrypt. Bob then sends this message to Charlie, as illustrated in Figure 4. Alice, having learned her lesson from this bitter experience, vows to never sign and encrypt again.

Some time later, after Alice and Bob have resolved their earlier dispute, Alice develops a great new theory that she wants to send to Bob. Charlie has heard that Alice is working on a great new theory, and he suspects that this particular encrypted and signed message has something to do with it.

This scenario is illustrated in Figure 4. When Alice learns that Charlie has taken credit for her great new theory, she swears never to encrypt and sign again!

What is the problem here? Pitfall of encrypt and sign. The problem in this case is that Charlie does not understand public key crypto. In this case, it is Bob who does not understand the limitations of public key crypto. In public key crypto, anyone can do the public key operations. That is, anyone can encrypt a message and anyone can verify a signature.

For a discussion of some of the risks inherent in PKI, see [73]. That someone else could then have acted electronically, at least as Microsoft. To summarize, any PKI must deal with the following issues: A basic issue in public key cryptography is determining whose signature you are willing to trust. There are several possible trust models that can be employed. Perhaps the most obvious trust model is the monopoly model, where one universally trusted organization is the CA for the known universe.

This approach is naturally favored by whoever happens to be the biggest commercial CA at the time (currently, VeriSign). Some have suggested that the government should play the role of the monopoly CA. One major drawback to the monopoly model is that it creates a very big target for attack. The oligarchy model is one step away from the monopoly model. In this model, there are multiple trusted CAs.

The security-conscious user is free to decide which of the oligarchy CAs he is willing to trust and which he is not. At the opposite extreme from the monopoly model is the anarchy model. Should you then trust Frank? This is clearly beyond the patience of the average user, who is likely to simply trust anybody or nobody in order to avoid headaches like this. The fact that there is no agreed-upon trust model is itself one of the major problems with PKI.