Security - Telenor
$L_i = R_{i-1}, \quad R_i = L_{i-1} \oplus F(R_{i-1}, K_i)$ (4)

where $K_i$ is the round key of round $i$. DES is an example of a Feistel cipher.
3.3.5 Round Keys (Key Scheduling)

In the round function, the output of the last round is mixed with the current round key. Typically, these entities are approximately equal in length, i.e. equal to the block length. The encryption key must therefore be expanded (typically r-fold). Ideally, all round-key bits should depend on all encryption key bits to maintain maximal entropy. The expansion of the encryption key into round keys is known as key scheduling.
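The round equation (4) and the key expansion above, as an added example that is not part of the article: a toy Feistel network whose round function F and key schedule are constructed placeholders (not DES), showing that decryption is the same network run with the round keys in reverse order.

```python
# Added example (not from the article): a toy Feistel network implementing
# equation (4) literally, plus a toy key schedule. F and the schedule are
# constructed placeholders, NOT DES; what the example shows is structural:
# decryption is the same network run with the round keys in reverse order.
HALF_BITS = 32
MASK = (1 << HALF_BITS) - 1
KEY_BITS = 64


def F(right: int, round_key: int) -> int:
    """Toy round function: XOR in the round key, multiply-add, rotate."""
    x = (right ^ round_key) & MASK
    x = (x * 0x9E3779B1 + 0x7F4A7C15) & MASK
    return ((x << 7) | (x >> (HALF_BITS - 7))) & MASK


def key_schedule(master_key: int, rounds: int) -> list:
    """Expand a 64-bit key r-fold into 32-bit round keys (toy schedule).

    Each round key is a rotation of the whole master key folded onto the
    half-block width, so every round-key bit depends on master-key bits.
    """
    keys = []
    for i in range(rounds):
        s = (5 * i) % KEY_BITS
        rot = ((master_key << s) | (master_key >> (KEY_BITS - s))) & ((1 << KEY_BITS) - 1)
        keys.append((rot ^ (rot >> HALF_BITS) ^ (0x5A5A5A5A * (i + 1))) & MASK)
    return keys


def feistel(block: int, round_keys: list) -> int:
    """Run L_i = R_{i-1}, R_i = L_{i-1} xor F(R_{i-1}, K_i) for each key."""
    L, R = block >> HALF_BITS, block & MASK
    for K in round_keys:
        L, R = R, L ^ F(R, K)
    # Undo the last swap so the same function inverts itself with reversed keys.
    return (R << HALF_BITS) | L


def encrypt(block: int, master_key: int, rounds: int = 16) -> int:
    return feistel(block, key_schedule(master_key, rounds))


def decrypt(block: int, master_key: int, rounds: int = 16) -> int:
    return feistel(block, key_schedule(master_key, rounds)[::-1])
```

Because F is never inverted, any F (even a one-way one) yields an invertible cipher; that is the property the Feistel structure buys.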
3.3.6 S-boxes

An m × n substitution box or S-box is a mapping that takes an m-bit input and returns an n-bit output. A one-to-one n × n S-box is a permutation. S is non-linear if, for some two inputs a and b with a ≠ b, S(a) ⊕ S(b) is not equal to S(a ⊕ b). S-boxes are typically used to provide non-linearity (often they are the only non-linear operations in an encryption algorithm), and are thus very important. A number of criteria for the selection (generation) and testing of S-boxes have been proposed, e.g. the strict avalanche criterion (SAC), which states that flipping one input bit should cause a change in (on average) 50 % of the output bits.
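The three S-box properties just named, checked in code as an added example that is not part of the article. SAMPLE_SBOX is a 4 × 4 permutation (the PRESENT cipher's S-box, reproduced from memory; treat it as a constructed sample), and the identity mapping serves as the linear counter-example.

```python
# Added example (not from the article): checks for the S-box properties named
# above: one-to-one (permutation), non-linearity in the sense S(a)^S(b) !=
# S(a^b), and the strict avalanche criterion (SAC). SAMPLE_SBOX is a 4x4
# permutation (the PRESENT cipher's S-box, reproduced from memory; treat it as
# a constructed sample). The identity mapping is the linear counter-example.
SAMPLE_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
               0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
IDENTITY_SBOX = list(range(16))

def is_permutation(sbox):
    """A one-to-one n x n S-box takes every output value exactly once."""
    return sorted(sbox) == list(range(len(sbox)))

def linearity_failures(sbox):
    """Pairs (a, b), a != b, with S(a)^S(b) != S(a^b); empty means linear."""
    size = len(sbox)
    return [(a, b) for a in range(size) for b in range(size)
            if a != b and sbox[a] ^ sbox[b] != sbox[a ^ b]]

def sac_table(sbox, n_in, n_out):
    """table[i][j]: fraction of inputs for which flipping input bit i flips
    output bit j. SAC demands exactly 0.5 in every cell."""
    table = []
    for i in range(n_in):
        flips = [0] * n_out
        for x in range(1 << n_in):
            delta = sbox[x] ^ sbox[x ^ (1 << i)]   # output difference
            for j in range(n_out):
                flips[j] += (delta >> j) & 1
        table.append([f / (1 << n_in) for f in flips])
    return table

def avalanche_fraction(sbox, n_in, n_out):
    """Average fraction of output bits changed by a single input-bit flip."""
    table = sac_table(sbox, n_in, n_out)
    return sum(map(sum, table)) / (n_in * n_out)

def satisfies_sac(sbox, n_in, n_out):
    return all(p == 0.5 for row in sac_table(sbox, n_in, n_out) for p in row)
```

For the identity mapping every single-bit input flip changes exactly one of four output bits (an avalanche fraction of 0.25), which is why it fails the SAC; a small 4-bit S-box rarely meets the strict 0.5-everywhere criterion either, and designers read the whole table rather than a pass/fail flag.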
S-boxes are generally visualized and implemented as look-up tables, but some may additionally be computed arithmetically. Smart-card implementations of look-up tables are vulnerable to power attacks (attacks that measure the power consumption of the chip while it performs encryption). Countermeasures to power attacks include duplicating the look-up tables in RAM; thus large S-boxes are more difficult to protect than small ones. If an S-box can be implemented arithmetically, protection against power attacks becomes much easier.
3.4 Public Keys

In 1976, Diffie, Merkle, and Hellman described the principles of asymmetric or public key cryptography. The principle is to use different keys for encryption and decryption, thereby avoiding some key management problems. In addition, asymmetric cryptography offers the ability to make digital signatures, with approximately the same features as ordinary hand-written signatures. It has turned out that researchers at the British Communications-Electronics Security Group (CESG) discovered these principles as early as 1970; see [2]. This work was, however, not made available to the non-governmental crypto-community until 1997.

Telektronikk 3.2000
In a traditional (symmetric) cipher, the sender and the receiver must have access to a common, secret key. This key must be distributed in a secure way before the communication takes place. In an asymmetric cipher, each user has a private and a public key. Asymmetric ciphers are therefore often called public key ciphers. In principle there is a distinction here, as it is conceivable to have an asymmetric cipher without public keys. The distinction is, however, somewhat academic, and no secret-key asymmetric cipher has been published, so we will treat these as synonyms. The private key is only known to the user (it is called "private" rather than "secret" in order to avoid confusion with symmetric ciphers), while the public key is broadcast to all parties the user wants to communicate securely with.
A message that is encrypted with a public key can only be decrypted with the corresponding private key, and vice versa. Knowledge of a public key shall not make it possible to reconstruct the corresponding private key.
3.4.1 Usage

Assume that Alice wants to send a confidential message to Bob. Alice encrypts the message with Bob's public key. Now only somebody who has access to Bob's private key (presumably only Bob) can decrypt and read the message.

Assume on the other hand that Alice does not care about secrecy, but she wants every reader of the message to be sure that Alice is the source. She then encrypts the message with her own private key. Now everybody with knowledge of Alice's public key can read the message. In addition, since the message can be decrypted with Alice's public key, only Alice can have encrypted it. This is a kind of electronic signature.

Alice can combine these features by first encrypting the message with her own private key, and then encrypting the result with Bob's public key. Now only Bob can decrypt and read the message, and he can be convinced that Alice is the source.
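The three usages above, plus the hash-then-sign variant the text goes on to describe, carried out in code as an added example that is not part of the article. It uses textbook (unpadded) RSA built from Mersenne primes, so that "encrypting with the private key" is literally the operation performed; the identities, primes and messages are constructed for the example.

```python
# Added example (not from the article): the three usages in 3.4.1 and the
# hash-then-sign variant, done with textbook (unpadded) RSA so that "encrypt
# with the private key" is literally what happens. Real systems add padding
# (OAEP for encryption, PSS for signatures) on top of this primitive.
import hashlib
E = 65537  # public exponent, shared by all parties

def make_keypair(p, q):
    """Textbook RSA: public key (n, e), private key (n, d), e*d = 1 mod phi."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def apply_key(key, value):
    """The RSA trapdoor permutation; the same operation serves either key."""
    n, exp = key
    assert 0 <= value < n, "value must be smaller than the modulus"
    return pow(value, exp, n)

def to_int(data):
    return int.from_bytes(data, "big")
def to_bytes(value):  # drops leading zero bytes; fine for the sample messages
    return value.to_bytes((value.bit_length() + 7) // 8, "big")

# Constructed identities on Mersenne primes: (M127, M521) for Alice,
# (M107, M607) for Bob, so no primality testing is needed here.
ALICE_PUB, ALICE_PRIV = make_keypair((1 << 127) - 1, (1 << 521) - 1)
BOB_PUB, BOB_PRIV = make_keypair((1 << 107) - 1, (1 << 607) - 1)

def confidential(msg):
    """Secrecy only: Bob's public key; only Bob's private key opens it."""
    return apply_key(BOB_PUB, to_int(msg))

def signed_open(msg):
    """Origin only: Alice's private key; anyone reads it with her public key."""
    return apply_key(ALICE_PRIV, to_int(msg))

def signed_and_confidential(msg):
    """Both: Alice's private key first, then Bob's (larger-modulus) public key."""
    return apply_key(BOB_PUB, apply_key(ALICE_PRIV, to_int(msg)))

def bob_opens(ciphertext):
    """Bob's private key, then Alice's public key: readable and attributable."""
    return to_bytes(apply_key(ALICE_PUB, apply_key(BOB_PRIV, ciphertext)))

def hash_and_sign(msg):
    """Efficient variant: sign SHA-256 of the message, send it beside the message."""
    return apply_key(ALICE_PRIV, to_int(hashlib.sha256(msg).digest()))

def verify_hash_signature(msg, sig):
    return apply_key(ALICE_PUB, sig) == to_int(hashlib.sha256(msg).digest())
```

Note the ordering constraint in the combined case: the value produced under Alice's modulus must be smaller than Bob's modulus, which is why Bob's key pair is built from the larger primes.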
Asymmetric ciphers are typically much slower than symmetric ones. Hybrid systems are common, where messages are encrypted with a symmetric cipher, while the (symmetric) key(s) are protected with an asymmetric cipher. An efficient variation of the digital signature above is to generate a hash value (or checksum) of the message, encrypt it with one's private key and send it together with the message. A recipient can