Cybersecurity Research Paper on
Encryption Algorithms
By
Shubam Gupta
Rohit Dumbre
Sapna Bhat
Ming Zhou
Alexander Progacki
International Data Encryption Algorithm (IDEA)
By Rohit Dumbre
Introduction:
In cryptography, the International Data Encryption Algorithm (IDEA), originally called Improved Proposed
Encryption Standard (IPES), is a symmetric-key block cipher designed by James Massey of ETH Zurich and Xuejia
Lai and was first described in 1991. The algorithm was intended as a replacement for the Data Encryption
Standard (DES). IDEA is a minor revision of an earlier cipher, Proposed Encryption Standard (PES).
The cipher was designed under a research contract with the Hasler Foundation, which became part of Ascom-Tech AG.
The cipher was patented in a number of countries but was freely available for non-commercial use. The name "IDEA"
is also a trademark. The last patents expired in 2012, and IDEA is now patent-free and thus completely free for all uses.
IDEA was used in Pretty Good Privacy (PGP) v2.0, and was incorporated after the original cipher used in
v1.0, BassOmatic, was found to be insecure.[4]
IDEA is an optional algorithm in the OpenPGP standard.
Operation:
IDEA operates on 64-bit blocks using a 128-bit key and consists of a series of eight identical
transformations (a round) and an output transformation (the half-round). The procedures for encryption and
decryption are similar. IDEA derives much of its security from interleaving operations from different groups
(modular addition and multiplication, and bitwise eXclusive OR (XOR)), which are algebraically "incompatible"
in some sense. In more detail, these operators, which all deal with 16-bit quantities, are:
Bitwise eXclusive OR (denoted with a blue circled plus ⊕).
Addition modulo 2^16 (denoted with a green boxed plus ⊞).
Multiplication modulo 2^16+1, where the all-zero word (0x0000) in inputs is interpreted as 2^16 and 2^16
in output is interpreted as the all-zero word (0x0000) (denoted by a red circled dot ⊙).
After the eight rounds comes a final "half round", the output transformation described below (the swap of the
middle two values cancels out the swap at the end of the last round, so that there is no net swap):
Let the four quarters of the plaintext be called A, B, C, and D, and the 52 subkeys called K(1) through K(52).
Before round 1, or as the first part of it, the following is done:
Multiply A by K(1). Add K(2) to B. Add K(3) to C. Multiply D by K(4).
Round 1 proper consists of the following:
Calculate A xor C (call it E) and B xor D (call it F).
Multiply E by K(5). Add the new value of E to F.
Multiply the new value of F by K(6). Add the result, which is also the new value of F, to E.
Change both A and C by XORing the current value of F with each of them; change both B and D by XORing the current
value of E with each of them.
Swap B and C.
Repeat all of this eight times, or seven more times, using K(7) through K(12) the second time, up to K(43) through
K(48) the eighth time. Note that the swap of B and C is not performed after round 8.
Then multiply A by K(49). Add K(50) to B. Add K(51) to C. Multiply D by K(52).
Decryption:
How can the round in IDEA be reversed, since all four quarters of the block are changed at the same time, based on a
function of all four of their old values? The trick is that A xor C isn't changed when both A and C are
XORed with the same value, because that value cancels out, no matter what it might be. The same applies to B xor
D. And since the values used are functions of (A xor C) and (B xor D), they are still available.
This cross-footed round, rather than a Feistel round, is the most striking distinguishing factor of IDEA, although its use
of multiplication, addition, and XOR to avoid the use of S-boxes is also important.
For decryption, the subkeys are modified. Those that are added are replaced by their two's complement. Those that are multiplied in are replaced by their
multiplicative inverse, modulo 65,537, in IDEA notation when used to change blocks directly, but those used to calculate
the cross-footed F-functions are not changed. Keys XORed in would not need to be changed, but there aren't any such
keys in IDEA. Due to the placement of the swap, the first four keys for decryption are moved somewhat differently than
the other keys used for the same operation between rounds.
The decryption key schedule is:
The first four subkeys for decryption are:
KD(1) = 1/K(49)
KD(2) = -K(50)
KD(3) = -K(51)
KD(4) = 1/K(52)
and they do not quite follow the same pattern as the remaining subkeys which follow.
The following is repeated eight times, adding 6 to every decryption key's index and subtracting 6 from every encryption
key's index:
KD(5) = K(47)
KD(6) = K(48)
KD(7) = 1/K(43)
KD(8) = -K(45)
KD(9) = -K(44)
KD(10) = 1/K(46)
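The round function and both key schedules described above, worked through in Python as an added example (this is not code from the paper). The encryption key schedule (take the eight 16-bit words of the key, rotate the key left by 25 bits, take eight more, until 52 subkeys are collected) is not described in the text; it is the schedule from the IDEA specification. The decryption subkeys follow the KD pattern listed above, with one point worth checking: the output transformation is not preceded by a swap, so its additive keys are -K(2) and -K(3) in that order, not the swapped order the in-round pattern uses. The weak_key_fix flag applies the 0x0DAE subkey XOR proposed in the weak-keys discussion further down; the key/plaintext pair in the usage code is the test vector from the IDEA specification, and the function names are chosen here.

```python
"""IDEA block cipher from the round description above (added example, not the paper's code)."""

MASK16 = 0xFFFF
MUL_MOD = 0x10001                      # 2^16 + 1, a prime, so every nonzero word has an inverse

def mul(a: int, b: int) -> int:
    """Multiplication modulo 2^16+1; the all-zero word stands for 2^16 on input and output."""
    a = a or 0x10000
    b = b or 0x10000
    r = (a * b) % MUL_MOD
    return 0 if r == 0x10000 else r

def add(a: int, b: int) -> int:
    """Addition modulo 2^16."""
    return (a + b) & MASK16

def mul_inv(k: int) -> int:
    """Inverse modulo 65537 (Fermat's little theorem); 0 (= 2^16 = -1) is its own inverse."""
    return 0 if k == 0 else pow(k, MUL_MOD - 2, MUL_MOD)

def add_inv(k: int) -> int:
    """Two's complement, the inverse of addition modulo 2^16."""
    return (-k) & MASK16

def encrypt_subkeys(key: bytes, weak_key_fix: bool = False) -> list:
    """K(1)..K(52): the eight 16-bit words of the key, then rotate the key left by 25 bits
    and take eight more, until 52 are collected (schedule from the IDEA specification,
    not described in the text above).  weak_key_fix XORs each subkey with 0x0DAE."""
    if len(key) != 16:
        raise ValueError("IDEA uses a 128-bit key")
    k = int.from_bytes(key, "big")
    subkeys = []
    while len(subkeys) < 52:
        subkeys += [(k >> (112 - 16 * i)) & MASK16 for i in range(8)]
        k = ((k << 25) | (k >> 103)) & ((1 << 128) - 1)
    subkeys = subkeys[:52]
    return [s ^ 0x0DAE for s in subkeys] if weak_key_fix else subkeys

def decrypt_subkeys(K: list) -> list:
    """KD(1)..KD(52) from K (0-indexed here, so K[48] is the text's K(49))."""
    KD = [mul_inv(K[48]), add_inv(K[49]), add_inv(K[50]), mul_inv(K[51]), K[46], K[47]]
    for r in range(1, 8):
        base = 48 - 6 * r
        # the B/C swap at the end of the preceding round exchanges the two additive keys
        KD += [mul_inv(K[base]), add_inv(K[base + 2]), add_inv(K[base + 1]),
               mul_inv(K[base + 3]), K[base - 2], K[base - 1]]
    # the output transformation is not preceded by a swap, so K(2) and K(3) keep their order
    KD += [mul_inv(K[0]), add_inv(K[1]), add_inv(K[2]), mul_inv(K[3])]
    return KD

def crypt_block(block: bytes, K: list) -> bytes:
    """One 64-bit block through eight rounds plus the output transformation."""
    a, b, c, d = (int.from_bytes(block[i:i + 2], "big") for i in range(0, 8, 2))
    for r in range(8):
        k1, k2, k3, k4, k5, k6 = K[6 * r:6 * r + 6]
        a, b, c, d = mul(a, k1), add(b, k2), add(c, k3), mul(d, k4)
        e, f = a ^ c, b ^ d                 # E = A xor C, F = B xor D
        e = mul(e, k5)
        f = mul(add(e, f), k6)
        e = add(e, f)
        a, b, c, d = a ^ f, b ^ e, c ^ f, d ^ e
        if r < 7:                           # no swap after round 8
            b, c = c, b
    a, b, c, d = mul(a, K[48]), add(b, K[49]), add(c, K[50]), mul(d, K[51])
    return b"".join(x.to_bytes(2, "big") for x in (a, b, c, d))

def encrypt_block(block: bytes, key: bytes, weak_key_fix: bool = False) -> bytes:
    return crypt_block(block, encrypt_subkeys(key, weak_key_fix))

def decrypt_block(block: bytes, key: bytes, weak_key_fix: bool = False) -> bytes:
    return crypt_block(block, decrypt_subkeys(encrypt_subkeys(key, weak_key_fix)))

if __name__ == "__main__":
    # Test vector from the IDEA specification: expected ciphertext 11fbed2b01986de5
    key = bytes.fromhex("00010002000300040005000600070008")
    ct = encrypt_block(bytes.fromhex("0000000100020003"), key)
    print(ct.hex(), decrypt_block(ct, key).hex())
```

Because decryption reuses crypt_block unchanged, the only thing that distinguishes it from encryption is decrypt_subkeys; a wrong ordering of the two additive keys in any group shows up immediately as a failed round trip, which is the quickest check on a hand-derived schedule.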
Security:
The designers analysed IDEA to measure its strength against differential cryptanalysis and concluded that it is immune
under certain assumptions. No successful linear or algebraic weaknesses have been reported. As of 2007, the best attack
which applied to all keys could break IDEA reduced to 6 rounds (the full IDEA cipher uses 8.5 rounds). Note that a
"break" is any attack which requires less than 2^128 operations; the 6-round attack requires 2^64 known plaintexts and
2^126.8 operations.
Bruce Schneier thought highly of IDEA in 1996, writing, "In my opinion, it is the best and most secure block algorithm
available to the public at this time." (Applied Cryptography, 2nd ed.) However, by 1999 he was no longer recommending
IDEA due to the availability of faster algorithms, some progress in its cryptanalysis, and the issue of patents.
In 2011 full 8.5-round IDEA was broken using a meet-in-the-middle attack. Independently in 2012, full 8.5-round IDEA
was broken using a narrow-bicliques attack, with a reduction of cryptographic strength of about two bits, similar to the
effect of the previous bicliques attack on AES.
Weak keys:
The very simple key schedule makes IDEA subject to a class of weak keys; some keys containing a large number of 0
bits produce weak encryption. These are of little concern in practice, being sufficiently rare that they are unnecessary
to avoid explicitly when generating keys randomly. A simple fix was proposed: exclusive-ORing each subkey with a
16-bit constant, such as 0x0DAE.
Larger classes of weak keys were found in 2002.
This is still of negligible probability to be a concern to a randomly chosen key, and some of the problems are fixed by
the constant XOR proposed earlier, but the paper is not certain if all of them are. A more comprehensive redesign of the
IDEA key schedule may be desirable.
RSA Algorithm
Ming Zhou
CS 573
My final project is about the RSA algorithm. RSA is an algorithm for securing data transmission; it is short for the
initials of the surnames of the people who published it. The concept was proposed in Diffie and Hellman (1976),
"New Directions in Cryptography", and public-key encryption was proposed in 1970 by James Ellis. It is an
asymmetric algorithm (different keys for encryption and decryption) based on the difficulty of factoring the
product of two large prime numbers.
RSA derives its security from the difficulty of factoring large integers that are the product of two large prime
numbers. Multiplying these two numbers is easy, but determining the original prime numbers from the product
(factoring) is considered infeasible due to the time it would take even using today's supercomputers.
The public and private key-generation algorithm is the most complex part of RSA cryptography. Two large
prime numbers, p and q, are generated using the Rabin-Miller primality test algorithm. A modulus n is
calculated by multiplying p and q. This number is used by both the public and private keys and provides the
link between them. Its length, usually expressed in bits, is called the key length. The public key consists of the
modulus n and a public exponent, e, which is normally set to 65537, as it is a prime number that is not too
large. The value e does not have to be a secretly selected prime number, as the public key is shared with
everyone. The private key consists of the modulus n and the private exponent d, which is calculated using the
Extended Euclidean algorithm to find the multiplicative inverse with respect to the totient of n.
What are the steps for doing the RSA algorithm for encryption and decryption? First, we need to do the key
generation. We select 2 large prime numbers of about the same size, p and q; typically, the range of q and p
is between 512 and 2048 bits, and the reason for that is security. In that range the security can be
guaranteed. After that we need to compute n = p*q and ϕ(n) = (q-1)(p-1). After that we select e, 1 < e < ϕ(n),
s.t. gcd(e, ϕ(n)) = 1. The final step is to compute d, 1 < d < ϕ(n), s.t. ed ≡ 1 (mod ϕ(n)). The public key is the pair of
e and n, and the private key is d. Based on the public key and private key we can do the encryption and
decryption of our data.
Here is a simple example of how the algorithm works. Alice generates her RSA keys by selecting two
primes: p = 11 and q = 13. The modulus n = p*q = 143. The totient of n is ϕ(n) = (p−1)x(q−1) = 120. She chooses 7 for
her RSA public key e and calculates her RSA private key using the Extended Euclidean Algorithm, which gives
her 103. Bob wants to send Alice an encrypted message M, so he obtains her RSA public key (n, e), which in
this example is (143, 7). His plaintext message is just the number 9 and is encrypted into ciphertext C as
follows: M^e mod n = 9^7 mod 143 = 48 = C. When Alice receives Bob's message she decrypts it by using her
RSA private key (d, n) as follows: C^d mod n = 48^103 mod 143 = 9 = M. To use RSA keys to digitally sign a
message, Alice would create a hash or message digest of her message to Bob, encrypt the hash value with her
RSA private key and add it to the message. Bob can then verify that the message has been sent by Alice and
has not been altered by decrypting the hash value with her public key. If this value matches the hash of the
original message, then only Alice could have sent it (authentication and non-repudiation) and the message is
exactly as she wrote it (integrity). Alice could, of course, encrypt her message with Bob's RSA public key
(confidentiality) before sending it to Bob. A digital certificate contains information that identifies the
certificate's owner and also contains the owner's public key. Certificates are signed by the certificate authority
that issues them, and can simplify the process of obtaining public keys and verifying the owner.
Here is a real-world example. Let us encrypt the message "attack at dawn".
First, we need to transfer this message into a form a computer can read and compute on: it is a string, so we need
to transfer it to an integer to compute with. We can represent every letter by its number as an ASCII character. It is
easy to transfer, and it is 1976620216402300889624482718775150. After that we need to pick our p and q; as
I said, the sizes of q and p should be the same but not that close. Here I use the Rabin-Miller primality test to
pick them. What is the Rabin-Miller primality test? Let n > 1 be odd with n - 1 = 2^k m with m odd. Choose a
random integer a, 1 < a < n - 1. Compute b0 ≡ a^m (mod n); if b0 ≡ ±1 (mod n), then stop and n is probably prime,
otherwise let b1 ≡ b0^2 (mod n). If b1 ≡ 1 (mod n), then n is composite and gcd(b0 - 1, n) is a nontrivial factor
of n; else if b1 ≡ -1 (mod n), stop and n is probably prime; otherwise let b2 ≡ b1^2 (mod n). If b2 ≡ 1 (mod n),
then n is composite; else if b2 ≡ -1 (mod n), stop and n is probably prime. Continue in this way until stopping
or reaching b_{k-1}. If b_{k-1} ≢ -1 (mod n), then n is composite.
These numbers are q and p. q is
121310724392112718973236715316124404284724276337014109256345493123019643730420856193241
97365322416866541017057361365214171711713797974299334871062829803541
and p is
120275242554787488859562207937345121287333878036820754336538999839551798509887978998691
46900809131611153346817050832096022160146366346391812470987105415233.
And then we compute n = pq and ϕ(n) = (q-1)(p-1), and pick e (the public key) as 65537, which has a gcd of 1 with
ϕ(n), and compute d (the private key). Based on the keys we can do the encryption.
Encryption:
350521113386730266902124239370533285118807608115799816206428023466858106231098502359430
490809733862411137840407947041939782153784997654130836464387847409523069325349451950801
838615742252262188798272324539128205968864403775360824656817500744174591514854074458625
11023472235560823053497791518928820272257787786
Decryption:
35052111338673026690212423937053328511880760811579981620642802346685810623109
850235943049080973386241113784040794704193978215378499765413083646438784740952306932534
945195080183861574225226218879827232453912820596886440377536082465681750074417459151485
407445862511023472235560823053497791518928820272257787786 mod n
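The key-generation steps, the toy example with p = 11 and q = 13, and the Rabin-Miller test and message encoding of the real-world example above, worked through in Python as an added example (not code from the paper). The 512-bit primes it draws are constructed from a fixed seed rather than the p and q printed above, the Extended Euclidean routine is written out rather than taken from a library, and the function names are chosen here.

```python
"""Textbook RSA with the Rabin-Miller test, following the steps above (added example)."""
import random
from math import gcd
from typing import Optional, Tuple

def rabin_miller(n: int, rounds: int = 20, rng: Optional[random.Random] = None) -> bool:
    """Write n-1 = 2^k * m with m odd, pick a random a with 1 < a < n-1, set
    b0 = a^m mod n and square it up to k-1 times, exactly as described above."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    rng = rng or random.Random()
    k, m = 0, n - 1
    while m % 2 == 0:
        k, m = k + 1, m // 2
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        b = pow(a, m, n)
        if b in (1, n - 1):
            continue                 # b0 = +-1: n is probably prime for this witness
        for _ in range(k - 1):
            b = pow(b, 2, n)
            if b == 1:
                return False         # b_i = 1 with b_{i-1} != +-1: n is composite
            if b == n - 1:
                break                # b_i = -1: probably prime for this witness
        else:
            return False             # reached b_{k-1} without hitting -1: composite
    return True

def mod_inverse(a: int, m: int) -> int:
    """Extended Euclidean algorithm: the d with a*d = 1 (mod m)."""
    old_r, r, old_s, s = a, m, 1, 0
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    if old_r != 1:
        raise ValueError("a has no inverse modulo m")
    return old_s % m

def keygen(p: int, q: int, e: int = 65537) -> Tuple[int, int, int]:
    """n = p*q, phi(n) = (p-1)(q-1), e coprime to phi(n), d = e^-1 mod phi(n)."""
    if p == q or not (rabin_miller(p) and rabin_miller(q)):
        raise ValueError("p and q must be distinct primes")
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    return n, e, mod_inverse(e, phi)

def encrypt(m: int, n: int, e: int) -> int:
    return pow(m, e, n)                       # C = M^e mod n

def decrypt(c: int, n: int, d: int) -> int:
    return pow(c, d, n)                       # M = C^d mod n

def text_to_int(s: str) -> int:
    """The ASCII bytes of the message read as one big-endian integer."""
    return int.from_bytes(s.encode("ascii"), "big")

def int_to_text(x: int) -> str:
    return x.to_bytes((x.bit_length() + 7) // 8, "big").decode("ascii")

def random_prime(bits: int, rng: random.Random) -> int:
    """Draw odd candidates with the top bit set until Rabin-Miller accepts one."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if rabin_miller(cand, rng=rng):
            return cand

def generate_keypair(bits: int, rng: random.Random, e: int = 65537) -> Tuple[int, int, int]:
    """Two fresh primes of `bits` bits each; retry if e happens to divide phi(n)."""
    while True:
        p, q = random_prime(bits, rng), random_prime(bits, rng)
        if p != q and gcd(e, (p - 1) * (q - 1)) == 1:
            return keygen(p, q, e)

def demo() -> Tuple[int, int, str]:
    """Alice's toy keys (p=11, q=13, e=7) and a 512-bit-prime run on "attack at dawn"."""
    n, e, d = keygen(11, 13, e=7)             # n=143, d=103
    c = encrypt(9, n, e)                      # 48
    m = decrypt(c, n, d)                      # 9
    # Constructed key pair with a fixed seed (not the primes printed in the text).
    n2, e2, d2 = generate_keypair(512, random.Random(2016))
    msg = text_to_int("attack at dawn")       # 1976620216402300889624482718775150
    return c, m, int_to_text(decrypt(encrypt(msg, n2, e2), n2, d2))
```

This is textbook RSA with no padding, which is what the paper walks through; the same `pow` calls are the core of real implementations, but production code adds OAEP or PSS padding around the integer and never encrypts a raw message integer this way.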
A more concerning side is the security. As discussed, the security of RSA relies on the computational
difficulty of factoring large integers. As computing power increases and more efficient factoring algorithms
are discovered, the ability to factor larger and larger numbers also increases. Encryption strength is directly
tied to key size, and doubling key length delivers an exponential increase in strength, although it does impair
performance. RSA keys are typically 1024 or 2048 bits long, but experts believe that 1024-bit keys could be
broken in the near future, which is why government and industry are moving to a minimum key length of
2048 bits. Barring an unforeseen breakthrough in quantum computing, it should be many years before longer
keys are required, but elliptic curve cryptography is gaining favor with many security experts as an alternative
to RSA for implementing public-key cryptography. It can create faster, smaller and more efficient
cryptographic keys. Much of today's hardware and software is ECC-ready and its popularity is likely to grow
as it can deliver equivalent security with lower computing power and battery resource usage, making it more
suitable for mobile apps than RSA. Finally, a team of researchers which included Adi Shamir, a co-inventor of
RSA, has successfully determined a 4096-bit RSA key using acoustic cryptanalysis; however, any encryption
algorithm is vulnerable to this type of attack. (http://searchsecurity.techtarget.com/definition/RSA)
Finally I want to say what I have learnt from this class. Before I took this course I barely knew any cybersecurity
application in my life. What really impressed me is when I took the lecture and heard about RSA SecurID. After
I learnt the knowledge of that, the first thing that came to my mind is a real application I use every day. It is called
QQ security login. Every time you try to log in to the QQ application from the PC, you need a temporary
passcode, so you need to check out the digits on the application and put them in. I want to say that
the knowledge is very practical and I already can apply it in my life.
CS 573 A – Cybersecurity (Spring 2016)
Hash Based Message Authentication Code
Compiled by: SAPNA BHAT – 10404894 (Group 4)
Introduction
In cryptography, a keyed-hash message authentication code (HMAC) is a specific type of message
authentication code (MAC) involving a cryptographic hash function (hence the 'H') in combination with a
secret cryptographic key. As with any MAC, it may be used to simultaneously verify both the data integrity and
the authentication of a message. Any cryptographic hash function, such as MD5 or SHA-1, may be used in the
calculation of an HMAC; the resulting MAC algorithm is termed HMAC-MD5 or HMAC-SHA1 accordingly. The
cryptographic strength of the HMAC depends upon the cryptographic strength of the underlying hash function,
the size of its hash output, and on the size and quality of the key.
An iterative hash function breaks up a message into blocks of a fixed size and iterates over them with a
compression function. For example, MD5 and SHA-1 operate on 512-bit blocks. The size of the output of HMAC
is the same as that of the underlying hash function (128 or 160 bits in the case of MD5 or SHA-1, respectively),
although it can be truncated if desired.
The definition and analysis of the HMAC construction was first published in 1996 by Mihir Bellare, Ran Canetti,
and Hugo Krawczyk, who also wrote RFC 2104. This paper also defined a variant called NMAC that is rarely, if
ever, used. FIPS PUB 198 generalizes and standardizes the use of HMACs. HMAC-SHA1 and HMAC-MD5 are
used within the IPsec and TLS protocols.
Definition
This definition is taken from RFC 2104:
where
H is a cryptographic hash function,
K is the secret key,
m is the message to be authenticated,
K' is another secret key, derived from the original key K (by padding K to the right with extra zeroes to
the input block size of the hash function, or by hashing K if it is longer than that block size),
|| denotes concatenation,
⊕ denotes exclusive or (XOR),
opad is the outer padding (0x5c5c5c…5c5c, one-block-long hexadecimal constant),
and ipad is the inner padding (0x363636…3636, one-block-long hexadecimal constant).
Design principles
The design of the HMAC specification was motivated by the existence of attacks on more trivial mechanisms for
combining a key with a hash function. For example, one might assume the same security that HMAC provides
could be achieved with MAC = H(key ∥ message). However, this method suffers from a serious flaw: with most
hash functions, it is easy to append data to the message without knowing the key and obtain another valid MAC
("length-extension attack"). The alternative, appending the key using MAC = H(message ∥ key), suffers from the
problem that an attacker who can find a collision in the (unkeyed) hash function has a collision in the MAC (as
two messages m1 and m2 yielding the same hash will provide the same start condition to the hash function
before the appended key is hashed, hence the final hash will be the same). Using
MAC = H(key ∥ message ∥ key) is better, but various security papers have suggested vulnerabilities with this approach,
even when two different keys are used.
No known extension attacks have been found against the current HMAC specification, which is defined as
H(key ∥ H(key ∥ message)), because the outer application of the hash function masks the intermediate result of
the internal hash. The values of ipad and opad are not critical to the security of the algorithm, but were defined
in such a way as to have a large Hamming distance from each other, so the inner and outer keys will have
fewer bits in common. The security reduction of HMAC does require them to be different in at least one bit.
The Keccak hash function, that was selected by NIST as the SHA-3 competition winner, doesn't need this
nested approach and can be used to generate a MAC by simply prepending the key to the message, as it is not
susceptible to length-extension-attacks.
Security
The cryptographic strength of the HMAC depends upon the size of the secret key that is used. The most
common attack against HMACs is brute force to uncover the secret key. HMACs are substantially less affected
by collisions than their underlying hashing algorithms alone. Therefore, HMAC-MD5 does not suffer from the
same weaknesses that have been found in MD5.
In 2006, Jongsung Kim, Alex Biryukov, Bart Preneel, and Seokhie Hong showed how to distinguish HMAC with
reduced versions of MD5 and SHA-1 or full versions of HAVAL, MD4, and SHA-0 from a random function or
HMAC with a random function. Differential distinguishers allow an attacker to devise a forgery attack on HMAC.
Furthermore, differential and rectangle distinguishers can lead to second-preimage attacks. HMAC with the full
version of MD4 can be forged with this knowledge. These attacks do not contradict the security proof of HMAC,
but provide insight into HMAC based on existing cryptographic hash functions.
In 2009, Xiaoyun Wang et al. presented a distinguishing attack on HMAC-MD5 without using related keys. It can
distinguish an instantiation of HMAC with MD5 from an instantiation with a random function with 2^97 queries
with probability 0.87.
In 2011 an informational RFC 6151 was approved to update the security considerations in MD5 and HMAC-
MD5. For HMAC-MD5 the RFC summarizes that - although the security of the MD5 hash function itself is
severely compromised - the currently known "attacks on HMAC-MD5 do not seem to indicate a practical
vulnerability when used as a message authentication code."
In improperly secured systems a timing attack can be performed to find out an HMAC digit by digit.
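The definition above (the K' derivation, ipad and opad, the nested hash), a cross-check against a standard implementation, and the constant-time comparison that answers the timing-attack note, worked through in Python as an added example (not code from the paper or from RFC 2104). The formula it implements, HMAC(K, m) = H((K' ⊕ opad) ∥ H((K' ⊕ ipad) ∥ m)), is the RFC 2104 definition that the page's figure does not reproduce; the MD5 test case (key 0x0b repeated 16 times, data "Hi There") is the first test vector in RFC 2104, and the function names are chosen here.

```python
"""HMAC from the RFC 2104 definition, compared with the standard library (added example)."""
import hashlib
import hmac as stdlib_hmac

IPAD_BYTE, OPAD_BYTE = 0x36, 0x5C          # the 0x3636...36 and 0x5c5c...5c constants

def derive_k_prime(key: bytes, hash_name: str) -> bytes:
    """K': hash the key if it is longer than the block size, then pad with zeros to one block."""
    block_size = hashlib.new(hash_name).block_size      # 64 bytes for MD5, SHA-1, SHA-256
    if len(key) > block_size:
        key = hashlib.new(hash_name, key).digest()
    return key.ljust(block_size, b"\x00")

def hmac_from_definition(key: bytes, message: bytes, hash_name: str = "sha1") -> bytes:
    """HMAC(K, m) = H((K' xor opad) || H((K' xor ipad) || m))."""
    k_prime = derive_k_prime(key, hash_name)
    inner_key = bytes(b ^ IPAD_BYTE for b in k_prime)
    outer_key = bytes(b ^ OPAD_BYTE for b in k_prime)
    inner = hashlib.new(hash_name, inner_key + message).digest()
    return hashlib.new(hash_name, outer_key + inner).digest()

def matches_stdlib(key: bytes, message: bytes, hash_name: str = "sha1") -> bool:
    """Cross-check against hmac.new, which implements the same RFC."""
    ours = hmac_from_definition(key, message, hash_name)
    return ours == stdlib_hmac.new(key, message, hash_name).digest()

def verify(key: bytes, message: bytes, tag: bytes, hash_name: str = "sha1") -> bool:
    """Constant-time tag check.  A plain `==` on bytes stops at the first differing byte, and
    that timing difference is what lets an attacker recover a tag byte by byte; compare_digest
    runs in time independent of where the inputs differ."""
    expected = hmac_from_definition(key, message, hash_name)
    return stdlib_hmac.compare_digest(expected, tag)

def rfc2104_vector() -> str:
    """Test case 1 from RFC 2104: key = 0x0b * 16, data = "Hi There", HMAC-MD5."""
    return hmac_from_definition(b"\x0b" * 16, b"Hi There", "md5").hex()
```

Note that the inner and outer keys are both derived from the same K', differing only by the XOR constants, which is exactly why the specification wants ipad and opad far apart in Hamming distance.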
References
https://en.wikipedia.org/wiki/Hash-based_message_authentication_code
https://www.ietf.org/rfc/rfc2104.txt
BLOWFISH
by Alex Rogacki
Blowfish is a cipher designed in 1993 by Bruce Schneier as a replacement for the aging DES encryption
algorithm. Like DES, Blowfish is a symmetric-key block cipher, meaning it uses the same key to encrypt and
decrypt, and it cuts up the plaintext it intends to encrypt into blocks and encrypts them individually. Unlike
other algorithms at the time, which were patented by companies or governments, Blowfish was released
into the public domain, in hopes that it would allow people to use encryption without having to deal with
the legal battles that would ensue from the patents on other algorithms. The algorithm has yet to be
broken.
The cipher itself is fairly fast, but there is some overhead from processing the key. Blowfish
generates the functions it uses for encryption based on the key it is given. Generating the tables from the
key requires the same amount of time as processing four kilobytes of text, which is slow compared to
other similar algorithms. While not an incredibly large problem, this prevents the use of the algorithm on
embedded systems, and some models of smartcards. The algorithm also has a known weakness when
utilizing a specific set of weak keys, and it is not recommended for use on large files, such as ones larger
than 4 gigabytes, due to the small block size compared to more modern algorithms. However, its
weaknesses can be eliminated by using longer keys, as the algorithm has a maximum key size of 448 bits.
Twofish is the successor to Blowfish. Similarly, it is a symmetric-key block cipher, this time using a
block size of 128 bits, and allowing a key of up to 256 bits. Twofish was designed by the same man as its
predecessor, Bruce Schneier, and was one of the five finalists to be selected for standardization as the
Advanced Encryption Standard. Much like Blowfish, the algorithm generated its S-boxes based on the key
it was given. More specifically, Twofish would split the key in half, using the first half to generate the S-box
functions and the second half to encrypt the plain text. It has been suggested that splitting the key in this
manner could lead to exploits or methods of breaking the cipher, but no such method has surfaced.
Most conversations about Twofish result in comparisons with the other AES finalists. While Twofish
proved to be a very secure algorithm, it lost to the AES winner, Rijndael, in two categories. Following in the
footsteps of Blowfish, Twofish had a complicated key-preparation algorithm. This led to the cipher running
slower than some others when using key sizes smaller than 256 bits. The relative complexity of the
algorithm also, like Blowfish, made the algorithm run slowly when implemented into hardware, and when
put on smartcards. While Twofish was considered more secure than Rijndael, these speed issues are what
led to Rijndael being selected over it.
The other AES finalist that was ranked higher than Twofish was an algorithm called Serpent.
Serpent was slower than both Rijndael and Twofish by far, even though the designers built the system to
maximize parallelism as much as possible. It was ranked highly because it employed 32 rounds of
encryption, meaning the data was encrypted 32 times, which, while making it the slowest algorithm, gave
it the highest margin of safety with Twofish coming in just behind it. It was not selected to be the
Advanced Encryption Standard for the same reason as Twofish, however, as it was a slow algorithm, and
could not efficiently be implemented on low end systems, smartcards, or be easily given hardware
acceleration.
Like Blowfish, Twofish was not patented, and one of its implementations was placed into public
domain, so it could be used by anyone who needed it. Twofish has also had two possible attacks proposed
against it. In 1999, an impossible differential attack was put forth, which broke six of the cipher’s sixteen
rounds of encryption. In 2000, a truncated differential analysis was proposed that could substantially
reduce the effort required to break the full sixteen encryption rounds of the cipher. While the first
proposed attack does present a weakness, it is not enough to break the algorithm as a whole. The second,
however, was merely presented as a theoretical attack and, as of yet, no successful attempt has been
made to break the cipher using this method. Despite the fact that Twofish remains unbroken and is a
perfectly good algorithm for use on modern-day computers, it has seen substantially less use than
Rijndael, due to the latter's status as the Advanced Encryption Standard, and than its predecessor Blowfish,
likely because of how long Blowfish has been available.