2 Basic Security Concepts
2.2 BASIC CONCEPTS
2.2.2 Cryptographic Primitives
Cryptographic systems based on the use of keys can be thought of as analogous to combination locks. They involve both an algorithm and a secret value. The secret value is the key (analogous to the number that opens the combination lock) and this must be protected from adversaries. The cryptographic algorithm can be considered to be analogous to the working of the combination lock. The design of the algorithm is expected to be known widely. In fact, making the design of the algorithm public can lead to analysis of its weaknesses by the community. The security of the system should only depend on the secrecy of the key, and an adversary who desires to break the cryptographic system has to determine the key used to secure communications.
A basic approach that can be taken by the adversary is to try every key and see which breaks the system based on some information about the system. For example, if packets between two nodes are encrypted, then the adversary might have an idea as to the protocol being used, such as TCP or UDP. By trying every possible key to decrypt the packets, the adversary will come up with random strings. Only a few such strings will fit the format associated with a packet belonging to the protocol. More information about the data, such as the identity of the parties communicating or the port numbers being used for the communication, could be used to increase the probability of determining the right key being used. Such an approach is easy to pursue in wireless systems given the susceptibility of wireless links to eavesdropping, making all traffic going over the network available to the adversaries.
It is obvious that the effort required for such an attack to be successful grows exponentially with the length of the key. An 8 bit key length implies that there are 2^8 different keys possible while an 80 bit key length implies that there are 2^80 different keys possible. This is similar to the case of combination locks. Even here, longer combinations take longer to break than shorter combinations, assuming that all possible keys can be tried. However, we cannot conclude that longer key length always translates into better security for the system. In some cases, there can be other vulnerabilities in the system, including the encryption algorithm, that the adversary could take advantage of. For example, it has been shown that the security of WEP (the typical protocol used for securing 802.11b) can be broken irrespective of the size of the key used [8].
Hence, while key size is important, the evaluation of cryptographic primitives cannot be done solely based on the size of the keys. Other factors which are used to evaluate the various cryptographic primitives include:
. level of security;
. functionality;
. methods of operation;
. ease of implementation;
. performance.
The level of security afforded could be related to cost. A higher level of security could result in the system being secure even against well-funded adversaries. Note, though, that the level of security itself is a qualitative measure. The functionality would be related to the attributes that can be achieved using the proposed primitive. For example, nonrepudiation would need the use of concepts from asymmetric key cryptography.
The method of operation could also be different in order to achieve different functionality. For example, asymmetric key algorithms would require different modes when used to ensure confidentiality and nonrepudiation. Ease of implementation is another important factor. Performance also needs to be considered, especially in ad hoc networks given the resource constraints in such networks. It is well known that message digests, which we explain later, need the least amount of resources in terms of memory and computation power, while asymmetric key operations are the most expensive.
2.2.2.1 Attacks in Cryptographic Systems An adversary in any system protected by cryptographic primitives can have several objectives. For example, the adversary might aim for the total break whereby he/she obtains the secret keys being used to secure communication. A weaker objective of the adversary could be to obtain the ability to decrypt a ciphertext for which he/she has not seen the plaintext.[1] A still weaker objective could be to be able to distinguish between the encryptions of two plaintexts that the adversary has not seen before. A cryptosystem that does not permit distinguishability of ciphertexts is said to be semantically secure.
Given these goals of the adversary, there can be several types of attacks. Note that we consider generic attacks here instead of specific attacks (such as wormhole or sybil). An assumption here is that the adversary has access to all data transmitted over the ciphertext channel. In addition, we assume that the adversary knows all details of the encryption function except the secret keys. With these standard assumptions we can have the following types of generic attacks:
. ciphertext only;
. known plaintext;
. chosen plaintext;
. chosen ciphertext.
In case of the ciphertext only attack, the adversary possesses one or more strings of ciphertext. No additional information is available to the attacker. This is an easy attack to implement based on the standard assumptions for a wireless network. In such a case, the adversary has to search through all the possible keys to decrypt the ciphertext. Therefore, it is essential that the adversary be able to recognize when he/she has succeeded. This could be based on information about the plaintext that the adversary has. For example, if the adversary is aware of the protocol whose packets are being encrypted, he/she could look for decryptions that fit the structure of the expected packets. This, however, could lead to more than one candidate key. To further narrow down the list, the intruder might need to make use of more ciphertext values.
The goal of the adversary when trying to attack such systems will be to devise mechanisms where the plaintext can be recovered from the ciphertext without any knowledge of the keys being used. As explained earlier, one possible way to achieve this objective is to try all possible keys by exhaustive search. If the key space is large enough then this approach might become impractical. In fact, the designer of the system should aim towards making this brute-force approach the best approach to break the system. If such a brute force approach is impractical, it will guarantee the security of the system.
[1] Ciphertext is the encrypted version of the plaintext that a node is trying to transmit.
In a known plaintext attack, the adversary is assumed to have knowledge of one or more pairs of plaintext and ciphertext. These pairs could then be used to determine the key or determine the plaintext values corresponding to other ciphertext values. In case of a chosen plaintext attack, ciphertext corresponding to the plaintext chosen by the adversary is assumed available. A slight variation of this is the adaptive chosen plaintext attack where the adversary can choose the plaintext messages depending on the previous pairs of plaintext and ciphertext messages. Under the chosen ciphertext attack, adversaries are allowed access to plaintext – ciphertext pairs for some number of ciphertext messages of their choice. An adversary could then use this information to recover the key or the plaintext corresponding to some new ciphertext. Note that the ability of the attacker keeps increasing as the number of pairs available increases.
Given the several types of generic attacks on cryptographic systems, it is necessary to be able to determine the strength of these attacks. This can be done by looking at three aspects, namely data complexity, storage complexity, and processing complexity. Data complexity is given by the expected number of input data units required by the adversary to achieve his objective. These input data units could just be ciphertext or could be pairs of ciphertext and plaintext messages, depending on the type of attack. Storage complexity corresponds to the expected number of storage units required in order for the adversary to meet his objective. Finally, processing complexity is the expected number of operations required to process input data so as to meet the adversary’s objective. The complexity of the attack then depends on the weakest of these three components.
Having discussed the generic attacks on cryptographic systems, we next focus on the cryptographic primitives used.
2.2.2.2 Symmetric Cryptography The working of a symmetric key cryptographic operation is shown in Figure 2.1. The plaintext messages are encrypted at the sender using the encryption key E. The resulting ciphertext can then be transmitted over the channel (wireless or wireline or a combination). Intruders are assumed to have access to the ciphertext on the channel as shown in the figure. Passive intruders can just record the ciphertext while active intruders can attempt to modify it. The ciphertext then reaches the receiver where it is decrypted using the decryption key D as shown. The decryption results in recovery of the original plaintext assuming that the ciphertext has not been modified in transit by an active intruder. Typically both the E and the D keys are the same and this common key is called the shared key. Such symmetric key schemes can be used to achieve confidentiality, integrity, and authentication. A basic requirement for the symmetric key scheme is that the parties involved in the communication share a common key. This implies that the shared key must be distributed over a secure communication channel as shown in Figure 2.2. This is related to the problem of key distribution and is a major problem, especially in wireless ad hoc networks. We will address the problem of key management in more detail in Chapter 3. A question might arise, however: why not use the same secure channel used to transmit the secret keys to also transmit the data? This may not be possible, either because of bandwidth limitations on such channels or because such channels may not be available when data has to be transmitted.
Symmetric key algorithms are of two types, namely block ciphers and stream ciphers. Block ciphers work on blocks of data at a time. All of the bits constituting a block have to be available before the block can be processed. Thus, block ciphers can be viewed as functions that map an n-bit plaintext to an n-bit ciphertext. The function must be a one-to-one function in order to allow for unique decryption. The right size of block lengths is important from a security, performance, and complexity point of view. Short block lengths can possibly help the adversary construct the decryption table containing the plaintext – ciphertext pairs easily. Long block lengths can be inconvenient due to the complexity of performing the computations for encrypting and decrypting the data and also because of the performance penalties associated with such computations. The normally used block lengths are 64 or 128 bits. This is the most widely used type of cryptographic algorithm.
Stream ciphers work on a bit or byte of the message at a time. Thus, the data is processed as a “stream.” Given the small size of the block (a bit or byte), stream ciphers might be inefficient. These are faster than block ciphers in hardware and require less complex circuitry. Many stream ciphers are proprietary and confidential.
We next look at block ciphers in more detail. There are two types of classical (traditional) block ciphers: (1) substitution cipher; and (2) transposition cipher. A substitution cipher makes the relationship between the key and the ciphertext as complex as possible. This is the property of confusion. Here the core idea is to replace symbols with other symbols or groups of symbols. A simple example of a substitution cipher is the Caesar cipher. In this case, every letter of the plaintext might be substituted with a different letter three away from the original letter to obtain the ciphertext. Other schemes, such as monoalphabetic substitution, polyalphabetic substitution, homophonic substitution, exist. Interested readers could look at [7] for details.
Figure 2.2. Model of a symmetric key encryption system.
A transposition cipher (also called permutation cipher) spreads redundancy in plaintext over the ciphertext. This is the property of diffusion. More precisely, diffusion dissipates the statistical structure of the plaintext over the bulk of the ciphertext. As a result, a change in a single bit of plaintext can result in changes to multiple ciphertext bits. In other words, the effect of a change in the plaintext is spread to many parts of the ciphertext. Classical transposition ciphers obtain the ciphertext from the plaintext by rearranging the order of letters. The actual letters used in the ciphertext are not altered from the plaintext.
A problem with both substitution and transposition ciphers is that they are not strong enough by themselves. Therefore, in order to create harder ciphering algorithms, researchers did consider the use of several ciphers in succession. However, two substitutions in succession only produce another (more complex) substitution. Similarly, two transpositions only produce another (more complex) transposition. On the other hand it was observed that combining both these types of ciphers (substitution followed by a transposition or vice versa) could lead to stronger symmetric key algorithms. Such hybrid ciphers are called product ciphers.
Product ciphers represent advancement over classical symmetric key cryptography and are considered to be the bridge from classical to modern symmetric ciphers. The basic idea behind product ciphers is to build a complex cipher by composing several simple operations. Each operation by itself offers insufficient protection while the combined operations offer complementary protection. Several modern symmetric ciphers such as data encryption standard (DES) and advanced encryption standard (AES) are product ciphers.
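The following is an added example (not from the book) that puts the classical ciphers above into code: a Caesar substitution, a columnar transposition, and their product. It lets the reader check the claims made above, namely that a substitution followed by a substitution is just another substitution, that a pure transposition leaves the set of letters unchanged, and that only the product changes both the letters and their positions. The key "KEY" and the shift of 3 are arbitrary choices for the demonstration.

```python
# Added example (not from the book): classical substitution (Caesar), columnar
# transposition and their product cipher, to show confusion, diffusion and why
# only the combination of the two is stronger than either alone.
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def caesar(text, shift):
    """Substitution: each letter is replaced by the one `shift` places later.
    Non-letters pass through unchanged. A negative shift decrypts."""
    return "".join(ALPHABET[(ALPHABET.index(c) + shift) % 26] if c in ALPHABET else c
                   for c in text)


def pad(text, n, filler="X"):
    """Pad so the length is a multiple of the transposition width n."""
    return text + filler * (-len(text) % n)


def columnar_transpose(text, key):
    """Transposition: write the text row by row under the key letters, then read
    the columns out in alphabetical order of the key. Letters are only moved."""
    ncols = len(key)
    assert len(text) % ncols == 0, "pad the text first"
    order = sorted(range(ncols), key=lambda i: key[i])
    return "".join(text[c::ncols] for c in order)


def columnar_untranspose(text, key):
    """Inverse of columnar_transpose: put each column back, then read row-wise."""
    ncols = len(key)
    nrows = len(text) // ncols
    order = sorted(range(ncols), key=lambda i: key[i])
    cols = [""] * ncols
    for k, c in enumerate(order):
        cols[c] = text[k * nrows:(k + 1) * nrows]
    return "".join(cols[c][r] for r in range(nrows) for c in range(ncols))


def product_encrypt(text, shift, key):
    """Product cipher: substitution (confusion) followed by transposition (diffusion)."""
    return columnar_transpose(caesar(pad(text, len(key)), shift), key)


def product_decrypt(ciphertext, shift, key):
    """Undo the product cipher: untranspose first, then shift back."""
    return caesar(columnar_untranspose(ciphertext, key), -shift)


def same_letters(a, b):
    """True when b is merely a rearrangement of a (what a pure transposition leaves)."""
    return sorted(a) == sorted(b)


if __name__ == "__main__":
    pt = "ATTACK AT DAWN"                                   # constructed sample text
    print(caesar(pt, 3))                                    # substitution only
    print(columnar_transpose(pad(pt, 3), "KEY"))            # transposition only
    print(product_encrypt(pt, 3, "KEY"))                    # product of both
    # Two substitutions collapse into one substitution (shift 3 then 5 == shift 8)
    print(caesar(caesar(pt, 3), 5) == caesar(pt, 8))
```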
The current state of the art block cipher is AES. The other algorithm that was widely used but whose use is now deprecated is DES. DES was adopted in 1977 by what is now the National Institute of Standards and Technology (NIST). Originally, this was developed as the Lucifer cipher by a team from IBM led by Feistel. Lucifer used 64 bit data blocks with 128 bit keys. This algorithm was then redeveloped as a commercial cipher with input from the National Security Agency (NSA) and others. The revised Lucifer cipher was eventually accepted as DES. DES encrypts data in block sizes of 64 bits while using a 56 bit key. The 56 bit key is expanded to 64 bits using 8 parity bits. DES is efficient to implement in hardware and is relatively slow if implemented in software. DES has seen considerable controversy over its security. There was speculation that the reason for the short key was to have weak security. This could allow NSA to break the key. Additionally, the design criteria were also classified, strengthening the speculation. Subsequent events and public analysis show in fact that the design was appropriate. DES had come to be widely used, especially in financial applications.
Encryption in DES is done over 16 stages (rounds) with each round being functionally equivalent. Each round has eight fixed carefully selected substitution mappings and also a permutation function. Each round also makes use of a 48 bit subkey. These subkeys are generated from the initial 64 bit key. The structure of DES corresponds to a Feistel cipher [7]. DES has many desirable properties. Each bit of the ciphertext depends on all bits of the key and all bits of the plaintext. Further, there is no statistical relationship evident between plaintext and ciphertext. Altering any single plaintext or key bit alters each ciphertext bit with a 50 percent probability. Altering a ciphertext bit results in an unpredictable change to the recovered plaintext. This makes attempts by the adversary to “home-in” by guessing keys impossible. However, brute force approaches to break DES are now practical. During 1997, it would take a few months to break DES using the brute force approach, while in 1999, an attempt to do so succeeded in 22 hours. In addition several theoretical attacks that can break DES have also been demonstrated. Thus, a replacement for DES was needed.
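The following is an added example (not from the book, and not DES) of the Feistel structure that DES is built on: 16 rounds, a subkey per round derived from a 64-bit master key, and a round function applied to one half and XORed into the other. The round function and key schedule here are simple stand-ins chosen for illustration; the point it demonstrates is that decryption is the same routine run with the subkeys in reverse order, and that this works even though the round function itself is not invertible. The avalanche helper measures how many ciphertext bits change per flipped plaintext bit, the property the text quotes as 50 percent for DES.

```python
# Added example (not from the book): a toy 64-bit, 16-round Feistel network with
# the same overall structure as DES. The round function F and the key schedule are
# deliberately simple stand-ins, NOT the DES ones, so this cipher is for study only.
MASK32 = 0xFFFFFFFF
MASK64 = 0xFFFFFFFFFFFFFFFF
ROUNDS = 16


def rotl32(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def key_schedule(key64):
    """One 32-bit subkey per round from a 64-bit master key (toy schedule:
    rotate the key and fold its halves; DES instead selects 48 of 56 key bits)."""
    subkeys, k = [], key64 & MASK64
    for r in range(ROUNDS):
        k = ((k << 7) | (k >> 57)) & MASK64             # rotate the 64-bit key
        subkeys.append(((k >> 32) ^ k ^ (r * 0x9E3779B1)) & MASK32)
    return subkeys


def round_function(right, subkey):
    """Toy F: mixes the right half with the subkey. It is not injective (the
    x ^ rotl(x) step loses information), yet decryption still works below,
    which is exactly what the Feistel construction buys."""
    x = (right + subkey) & MASK32
    x ^= rotl32(x, 13)
    x = (x * 0x5BD1E995) & MASK32
    x ^= x >> 15
    return x


def feistel(block64, subkeys):
    """Run the rounds with the given subkey order; final swap makes the routine
    self-inverse when called again with the subkeys reversed."""
    left, right = block64 >> 32, block64 & MASK32
    for sk in subkeys:
        left, right = right, left ^ round_function(right, sk)
    return (right << 32) | left


def encrypt_block(block64, key64):
    return feistel(block64, key_schedule(key64))


def decrypt_block(block64, key64):
    return feistel(block64, key_schedule(key64)[::-1])   # same rounds, reversed keys


def hamming(a, b):
    return bin(a ^ b).count("1")


def avalanche(block64, key64):
    """Average number of the 64 ciphertext bits that change when a single
    plaintext bit is flipped (DES: about 32, i.e. 50 percent)."""
    base = encrypt_block(block64, key64)
    total = sum(hamming(base, encrypt_block(block64 ^ (1 << i), key64)) for i in range(64))
    return total / 64


if __name__ == "__main__":
    pt, key = 0x0123456789ABCDEF, 0x133457799BBCDFF1     # constructed sample values
    ct = encrypt_block(pt, key)
    print(hex(ct), hex(decrypt_block(ct, key)) == hex(pt), avalanche(pt, key))
```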
This replacement is the AES algorithm, which was selected in October 2000. AES has been designed to be resistant to known attacks and exhibits simplicity of design. Originally called Rijndael, this was issued as a Federal Information Processing Standards (FIPS) standard in November 2001. AES uses three different key sizes, namely 128, 192, and 256 bits. The block size is 128 bits. It treats data in four groups of four bytes, each called the state. AES has been designed to have one of 9, 11, or 13 rounds. In each round the state undergoes four operations, namely byte substitution, shifting of rows, mixing of columns and XORing with the subkey of the round. All operations can be combined into XOR and table lookups. Hence these are very fast and efficient.
DES and AES are not the only block ciphers widely considered. In fact, there are several others, such as Triple-DES, Blowfish, IDEA etc. No block cipher is ideally suited for all applications. There are several factors that go into the selection of a cryptographic algorithm for a given scenario. These include the desirable key size, block size, complexity of cryptographic mapping, tolerance to error, and the estimated security level. As explained earlier, longer key sizes are desirable but this imposes additional costs associated with generation, transmission, and storage. An interesting technique used by block ciphers such as Khufu and stream ciphers such as SEAL is to make the task of changing cipher keys computationally expensive while allowing encryption to remain relatively efficient. Larger block size is desirable but might be more costly to implement. It might also affect performance, say by requiring padding. Complexity of cryptographic mapping affects implementation and development costs as well as the real-time performance. In fact some ciphers are more efficient when implemented in hardware and other ciphers are more efficient when implemented in software. The effects of corrupt ciphertext during decryption indicate the error propagation characteristics of the cipher. This is also an important factor to consider given the lossy wireless links in an ad hoc environment. The estimated security level of a cipher can be assumed to be proportional to the amount of expert cryptanalysis withstood.
2.2.2.3 Asymmetric Encryption Asymmetric encryption represents a very significant advance in the three thousand year history of cryptography. We have seen earlier that conventional symmetric key cryptography uses one key that is shared by both the sender and