
Design a method that will extend a key that is 64 bits long into a string of bits. Does your method support random access? Stimson ended the U. Show that the recipient will detect a cut-and-paste attack. Public Key Notation. These messages dealt with the most sensitive spy operations of the time.

Uses of Hash Functions. Other Crypto-Related Topics 5. Linear and Differential Cryptanalysis. Lattice Reduction and the Knapsack. Authentication Methods. Something You Have. Two-Factor Authentication. Single Sign-On and Web Cookies. Access Control Matrix.

Multilevel Security Models. Multilateral Security. Covert Channel. Inference Control. Simple Security Protocols. Authentication Protocols.

Authentication and TCP. Zero Knowledge Proofs. The Best Authentication Protocol? Digital Signature. Symmetric Key. Public Key Encryption. Math Essentials. DES S-Boxes. One of my goals in writing this book was to illuminate some of those black boxes that are so popular in information security books today.

As a result, I sometimes ignore details that I deem irrelevant to the topic at hand. Another goal of mine was to present the topic in a lively and interesting way.

Some security textbooks offer a large dollop of dry useless theory. Reading one of these books is about as exciting as reading a calculus textbook.

Other security books offer nothing but a collection of apparently unrelated facts, giving the impression that security is not really a coherent subject at all. Then there are books that present the topic as a collection of high-level managerial platitudes. Finally, some security books focus on the human factors in security. While it is certainly critical to understand the role that human nature plays in security, I would argue that a security engineer must have a solid understanding of the inherent strengths and weaknesses of the technology before the human factors can be fully appreciated.

My goal is to cover each topic in just enough detail so that a reader can appreciate the basic security issue at hand and to avoid getting bogged down in trivia. In particular, the mathematical formalism has been kept to a bare minimum; the Appendix contains a review of all necessary math topics. Despite this self-imposed limitation, this book contains more substantive cryptography than most other security books.

Networking basics arise in a few sections. The schedule that I generally follow in my undergraduate security class appears in the table below. This schedule allows ample time to cover a few of the optional topics.

Chapter                        Hours
1. Introduction                1
2. Classic Cryptography        3
3. Symmetric Key Crypto        4
4. Public Key Crypto           4
5. Hash Functions              3
6. Advanced Cryptanalysis      0
7. Authentication              4
8. Authorization               2
9. Authentication Protocols    4
Real-World Protocols           4
Software Flaws and Malware     4
Insecurity in Software         4

Comments: Sections 2. Section 3. Omit 4. Cover 5. The remainder of 5. Omit entire chapter. Cover all. Cover 8. Sections 8. Sections 9. Sections

Recommended to cover part of Then cover only the bare minimum of crypto and software topics. Although Chapter 6 is somewhat more technical than other chapters, it provides a solid introduction to cryptanalysis, a topic that is usually not treated in any substantive way, even in crypto books.

To stay within the time constraints, you can de-emphasize the software topics. In any incarnation, a security course based on this book is an ideal venue for individual or group projects. The annotated bibliography provides an excellent starting point to search for suitable projects.

In addition, many topics and problems lend themselves well to class discussions or in-class assignments (see, for example, Problem 13 in Chapter 10 or Problem 11 in Chapter ). In addition, a solutions manual is available to instructors (sorry, students) from the publisher. The Math Essentials of Appendix A-2 are required in various places. Elementary modular arithmetic A Permutations A The elementary linear algebra in A Appendix A-3 is only used as a reference for problems in Chapter 3.

Just as any large and complex piece of software must have bugs, this book inevitably has errors. I will try to maintain a reasonably up-to-date errata on the textbook website. Also, I would appreciate a copy of any software that you develop that is related to the topics in this book. Applets that illustrate algorithms and protocols would be especially nice. My work experience includes seven years at the National Security Agency followed by two years at a Silicon Valley startup company where I helped design and develop a digital rights management security product.

This real-world work was sandwiched between academic jobs. While in academia, my research interests have included a wide variety of security topics. With my return to academia in , I quickly realized that none of the available security textbooks had much connection with the real world.

I can say that many of my former students who are now at leading Silicon Valley companies tell me that the information they learned in my course has proved useful in the real world. I do have a life outside of information security.

I also spend too much time watching cartoons. Another favorite activity of mine is complaining about the absurd price of housing in the San Francisco Bay Area. I want to thank my thesis advisor, Clyde F. Martin for introducing me to this fascinating subject. In my seven years at NSA, I learned more about security than I could have learned in a lifetime anywhere else. Unfortunately, the people who taught me so much must remain anonymous.

At my ill-fated startup company, MediaSnap, Inc. In spite of these pressures, we produced a high-quality digital rights management product that was far ahead of its time. I want to thank all at MediaSnap, and especially Joe Pasqua and Paul Clarke, for giving me the chance to work on such a fascinating and challenging project. Richard Low, a colleague here at SJSU, provided helpful feedback on an early version of the manuscript.

David Blockus deserves special mention for giving me detailed comments on each chapter at a particularly critical juncture in the writing of this book. I want to thank all of the people at Wiley who applied their vast expertise to make the book writing process as painless as possible. Trudy is a generic bad guy who is trying to attack the system in some way.

Some authors employ a team of bad guys where the name implies the particular nefarious activity. Trudy will be our all-purpose bad guy.

Alice, Bob, Trudy and the rest of the gang need not be humans. For example, one possible scenario would be that Alice is a laptop, Bob a server, and Trudy a human. Information has integrity if unauthorized writing is prohibited. Denial of service, or DoS, attacks are a relatively recent concern. Such attacks try to reduce access to information. As a result of the rise in DoS attacks, data availability has become a fundamental issue in information security.

Bob might then take his business elsewhere. Although these two authentication problems look similar on the surface, under the surface they are completely different. Authentication over a network is open to many kinds of attacks. The messages sent over a network can be viewed by Trudy. To make matters worse, Trudy can not only intercept messages, she can alter messages and insert messages of her own making. She can also replay old messages in an effort to, say, convince AOB that she is really Bob.

Authentication in such a situation requires careful attention to the protocols that are used. Cryptography also has an important role to play in security protocols. Enforcing such restrictions is the domain of authorization. Note that authorization places restrictions on the actions of authenticated users. Modern software systems tend to be large, complex, and rife with bugs.

How can AOB be sure that its software is behaving correctly? On the other hand, some software is written with the intent of doing evil. Such malicious software, or malware, includes the all-too-familiar computer viruses and worms that plague the Internet today. What can Trudy do to increase the nastiness of such pests?

Bob also has many software concerns. For example, when Bob enters his password on his computer, how does he know that his password has not been captured and sent to Trudy? If Bob conducts a transaction at www.

Operating systems are themselves large and complex pieces of software. OSs also enforce much of the security in any system, so some knowledge of OSs is necessary in order to more fully appreciate the challenges of information security. What is the system supposed to do? How does it do it? Does it really work? I believe this is appropriate, since the strengths, weaknesses, and inherent limitations of the mechanisms directly affect all of the other critical aspects of security.

In other words, without a reasonable understanding of the mechanisms, it is not possible to have an informed discussion of any of the other three issues. These classic systems illustrate fundamental principles that are employed in modern digital cipher systems, but in a more user-friendly format. Hash functions are used in many different contexts in information security. Some of these uses are quite surprising and not always intuitive. In fact, weak passwords present a major security weakness in most systems.

The alternatives to passwords include biometrics and smartcards. Authorization deals with restrictions placed on authenticated users. Authorization leads naturally to a few relatively specialized topics.

If both types of information are on a single system, how can we enforce such restrictions? The idea behind such modeling is to lay out the essential security requirements of a system.

If so, the system would automatically inherit all of the security properties that are known to hold for such a model. Multilevel security also provides an opportunity to discuss covert channels and inference control. Covert channels are unintended channels of communication. Such channels are common and create potential security problems.

Inference control attempts to limit the information that can unintentionally leak out of a database due to legitimate user queries. Regardless of the type of access control employed, attacks are bound to occur.

An intrusion detection system (IDS) is designed to detect attacks in progress. Many examples will be provided, each of which illustrates a particular security pitfall. Cryptography will prove useful in authentication protocols. Hash functions also have an important role to play in security protocols. This nicely illustrates the challenges inherent in developing security protocols. These attacks include various combinations of attacks on the protocol itself, as well as the underlying cryptography.

This is a huge topic, and we can only cover selected issues. We then consider the requirements of a so-called trusted OS. A trusted OS provides strong assurances that the OS is performing properly. After this background, we consider a recent attempt by Microsoft to implement a trusted OS for the PC platform.

This discussion further illustrates the challenges inherent in implementing security in software. For example, suppose that Bob wants to purchase an item from Amazon. Various access control issues arise in such a transaction (Part II), and all of these security mechanisms are enforced in software (Part IV).

To take just one more example, a great deal of security today rests on passwords. Users want to choose easy to remember passwords, but this makes it easier for Trudy to guess passwords—as discussed in Chapter 7.

An obvious solution is to assign strong passwords to users. However, this is almost certain to result in passwords written on post-it notes and posted in prominent locations, making the system less secure than if users were allowed to choose their own relatively weak passwords.

My goal is to present just enough of the theory so that the reader can grasp the fundamental principles.

The problem is expecting otherwise and thinking that having problems is a problem. (Rubin)

1. Give an example where availability is the overriding concern. RFID tags are extremely small devices capable of broadcasting a number over the air that can be read by a nearby sensor.

It is predicted that RFID tags will soon be found in all sorts of products, including paper money, clothing items, and so on. Discuss some privacy and other security concerns that this might raise.

Discuss an example where privacy is required. Read the article [] on Byzantine failure. Describe the problem and explain why the problem cannot occur if there are four generals, only one of which is a traitor.

Why is this problem relevant to information security? These characters, as any one might readily guess, form a cipher—that is to say, they convey a meaning.

This chapter will lay the foundation for the remaining crypto chapters, which, in turn, underpin much of the remainder of the book. Crypto as a black box. A handful of special topics are also covered. The precise meaning should be clear from context. The original data is known as plaintext, and the result of encryption is ciphertext. We decrypt the ciphertext to recover the original plaintext.

In public key crypto, the encryption key is appropriately known as the public key, whereas the decryption key, which must remain secret, is the private key. In symmetric key crypto, the key is known as a symmetric key.

A fundamental tenet of cryptography is that the inner workings of the cryptosystem are completely known to the attacker, Trudy, and the only secret is a key. What is the point of Kerckhoffs Principle? Reverse engineering efforts can easily recover algorithms from software, and algorithms embedded in tamper-resistant hardware are susceptible to similar attacks. And even more to the point, secret crypto-algorithms have a long history of failing to be secure once the algorithm has been exposed to public scrutiny—see [23] for a timely example.

For these reasons, the cryptographic community will not accept an algorithm as secure until it has withstood extensive analyses by many cryptographers over an extended period of time.

In other contexts, Kerckhoffs Principle is taken to mean that the security design itself is open. Although Kerckhoffs Principle in both forms is widely accepted in principle, there are many real-world temptations to violate this fundamental tenet, almost invariably with disastrous consequences for security.

Although the history of crypto is a fascinating topic [], the purpose of this material is simply to provide an elementary introduction to some of the crucial concepts that arise in modern cryptography. First on our agenda is the simple substitution, which is one of the oldest cipher systems—dating back at least 2, years—and one that is ideal for illustrating basic attacks.

We then turn our attention to a double transposition cipher, which includes important concepts that are used in modern ciphers. Finally, we consider the only practical cryptosystem that is provably secure—the one-time pad. Using the key of 3, we can encrypt the plaintext message fourscoreandsevenyearsago by looking up each letter in the plaintext row and substituting the corresponding letter in the ciphertext row, or by simply replacing each letter by the letter that is three positions ahead of it in the alphabet.

To decrypt, we simply look up the ciphertext letter in the ciphertext row and replace it with the corresponding letter in the plaintext row, or simply shift each ciphertext letter backward by three. Then she can try each of the 26 possible keys, decrypting the message with each putative key and checking whether the resulting putative plaintext looks like sensible plaintext.

The brute force approach of trying all possible keys until we stumble across the correct one is known as an exhaustive key search.

How large of a keyspace is large enough? Extrapolating this to a state-of-the-art PC with a single 4 GHz processor, Trudy could test fewer than keys per second on one such machine.

The simple substitution cipher need not be limited to shifting by n. With our superfast computer that tests keys per second, a keyspace of size would take more than millennia to exhaust. Does this mean that a simple substitution cipher is secure?

The answer is no, as the attack described in the next section illustrates. Assuming the underlying message is English, Trudy can make use of the English letter frequency counts in Figure 2. English letter frequency counts. This attack also shows that cipher designers must guard against clever attacks. But how can we protect against all such attacks, since clever new attacks are developed all the time?
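The exhaustive key search and the letter-frequency attack described above, as an added example that is not part of the original text: all 26 shift keys are tried on the chapter's fourscoreandsevenyearsago example (key 3), and each putative plaintext is scored against English letter frequencies with a chi-squared distance, so the analyst's "does this look like English?" check becomes a number. The frequency table is a standard published approximation, assumed here rather than copied from the chapter's Figure 2.

```python
"""Shift cipher: exhaustive key search ranked by English letter frequencies."""
from collections import Counter
import string

ALPHABET = string.ascii_lowercase

# Approximate English letter frequencies in percent (standard values,
# assumed for this example; not the figure from the chapter).
ENGLISH_FREQ = {
    "a": 8.2, "b": 1.5, "c": 2.8, "d": 4.3, "e": 12.7, "f": 2.2, "g": 2.0,
    "h": 6.1, "i": 7.0, "j": 0.15, "k": 0.8, "l": 4.0, "m": 2.4, "n": 6.7,
    "o": 7.5, "p": 1.9, "q": 0.1, "r": 6.0, "s": 6.3, "t": 9.1, "u": 2.8,
    "v": 1.0, "w": 2.4, "x": 0.15, "y": 2.0, "z": 0.07,
}


def shift_encrypt(plaintext: str, key: int) -> str:
    """Replace each letter by the letter `key` positions ahead (mod 26)."""
    return "".join(ALPHABET[(ALPHABET.index(c) + key) % 26] for c in plaintext)


def shift_decrypt(ciphertext: str, key: int) -> str:
    """Shift each letter backward by `key`; the modulus handles the wrap."""
    return shift_encrypt(ciphertext, -key)


def letter_counts(text: str) -> Counter:
    """The raw letter frequency counts an analyst computes first."""
    return Counter(c for c in text if c in ALPHABET)


def chi_squared(text: str) -> float:
    """Distance between observed counts and English expectations.

    Lower is more English-like. Returns +inf for an empty text so that an
    empty candidate never wins the search.
    """
    counts = letter_counts(text)
    n = sum(counts.values())
    if n == 0:
        return float("inf")
    score = 0.0
    for letter in ALPHABET:
        expected = ENGLISH_FREQ[letter] / 100.0 * n
        score += (counts[letter] - expected) ** 2 / expected
    return score


def exhaustive_key_search(ciphertext: str):
    """Try every one of the 26 keys; return (best_key, putative_plaintext).

    The keyspace is tiny, so the only work is deciding which of the 26
    candidates is sensible plaintext, which the frequency score automates.
    """
    scored = [(chi_squared(shift_decrypt(ciphertext, k)), k) for k in range(26)]
    _, best_key = min(scored)
    return best_key, shift_decrypt(ciphertext, best_key)


if __name__ == "__main__":
    ct = shift_encrypt("fourscoreandsevenyearsago", 3)
    print(ct)
    print(exhaustive_key_search(ct))
```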

As a result, a cipher can only be considered secure as long as no attack against it has yet been found. Ideally, we would like to have mathematical proof that there is no feasible attack on the system. Lacking a proof of the strength of a cipher, we could require that the best-known attack on the system is impractical. Ciphertext frequency counts. Both factors are necessary. The recipient who knows the key can simply put the ciphertext into the appropriate sized matrix and undo the permutations to recover the plaintext.

For example, to decrypt ciphertext 2. Then the columns are numbered as 4, 2, 1, 3 and rearranged to 1, 2, 3, 4. Unlike a simple substitution, the double transposition does nothing to disguise the letters that appear in the message. Abbreviated Alphabet. The double transposition is not a trivial cipher to break. Our alphabet and the corresponding binary representation of letters are given in Table 2.
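The double transposition just described, as an added example that is not the chapter's own worked ciphertext: the plaintext fills a matrix row by row, the rows and then the columns are permuted, and decryption applies the inverse permutations, which is exactly the "label the ciphertext columns 4, 2, 1, 3 and rearrange them to 1, 2, 3, 4" step in the text. The 3 x 4 message, the row permutation and the column key 4, 2, 1, 3 (written 0-based below) are constructed for this example.

```python
"""Double transposition cipher with explicit inverse permutations."""


def permute(items, perm):
    """Reorder so that output[i] = items[perm[i]] (perm is 0-based)."""
    if sorted(perm) != list(range(len(items))):
        raise ValueError("perm must be a permutation of 0..len(items)-1")
    return [items[p] for p in perm]


def inverse_permutation(perm):
    """The permutation that undoes `perm`: inv[perm[i]] = i."""
    inv = [0] * len(perm)
    for i, p in enumerate(perm):
        inv[p] = i
    return inv


def _to_matrix(text, rows, cols):
    if len(text) != rows * cols:
        raise ValueError("text must fill the %dx%d matrix exactly" % (rows, cols))
    return [list(text[i * cols:(i + 1) * cols]) for i in range(rows)]


def double_transposition_encrypt(plaintext, row_perm, col_perm):
    """Write plaintext into a matrix, permute rows then columns, read out."""
    matrix = _to_matrix(plaintext, len(row_perm), len(col_perm))
    matrix = permute(matrix, row_perm)                 # reorder whole rows
    matrix = [permute(row, col_perm) for row in matrix]  # reorder columns
    return "".join("".join(row) for row in matrix)


def double_transposition_decrypt(ciphertext, row_perm, col_perm):
    """Undo the column permutation, then the row permutation."""
    matrix = _to_matrix(ciphertext, len(row_perm), len(col_perm))
    col_inv = inverse_permutation(col_perm)
    row_inv = inverse_permutation(row_perm)
    matrix = [permute(row, col_inv) for row in matrix]
    matrix = permute(matrix, row_inv)
    return "".join("".join(row) for row in matrix)


def same_letters(a, b):
    """A transposition only moves letters; the letter counts never change."""
    return sorted(a) == sorted(b)


# Constructed example: 3 rows x 4 columns, column key 4,2,1,3 as 0-based.
ROW_PERM = [2, 0, 1]
COL_PERM = [3, 1, 0, 2]

if __name__ == "__main__":
    ct = double_transposition_encrypt("attackatdawn", ROW_PERM, COL_PERM)
    print(ct, double_transposition_decrypt(ct, ROW_PERM, COL_PERM))
```

Because the letters themselves survive unchanged, a frequency count of the ciphertext matches English exactly, which is how an analyst recognises a transposition in the first place.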

It is important to note that the mapping between letters and bits is not secret.

Suppose a spy named Alice wants to encrypt the plaintext message heilhitler using a one-time pad. The one-time pad requires a key consisting of a randomly selected string of bits that is the same length as the message. The key is then XORed with the plaintext to yield the ciphertext. A fancier way to say this is that we add the plaintext and key bits modulo 2. Suppose the spy Alice has the key which is of the proper length to encrypt the message above. Then to encrypt, Alice computes plaintext: First, suppose that Alice has an enemy, Charlie, within her spy organization.

Suppose that Alice is captured by her enemies, who have also intercepted the ciphertext. The captors are eager to read the message, and Alice is encouraged to provide the key for this super-secret message.

Alice claims that she is actually a double-agent and to prove it she claims that the key is If the key is chosen at random, then an attacker who sees the ciphertext has no information about the message other than its length. And since we could pad the message with any number of random letters before encryption, the length is of no use either. So the ciphertext provides no information at all about the plaintext. This is the sense in which the one-time pad is provably secure.

Of course, this assumes that the cipher is used correctly. The pad, or key, must be chosen at random, used only once, and must be known only by the sender and receiver. However, there is one serious drawback to the one-time pad: If we can securely transmit the pad, why not simply transmit the plaintext by the same means and do away with the encryption? However, for modern high data-rate systems, a one-time pad cipher is totally impractical.

Why is it that the one-time pad can only be used once? In the cryptanalysis business, this is known as a depth. This cannot be good for anyone except for Trudy, the cryptanalyst. Using the same bit encoding as in Table 2. Then P1: But far more devastating is the fact that Trudy can now guess a putative message P1 and check her results using P2.
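The one-time pad mechanics from the last few paragraphs, as an added example that is not the chapter's own bit-table computation: encryption is XOR with a same-length random pad, a captured Alice can name a key that decrypts the ciphertext to any message she likes (perfect secrecy), and two messages encrypted under the same pad form a depth in which the pad cancels, so a guessed P1 yields P2 at once. Letters are encoded as ASCII bytes rather than the chapter's Table 2 bit codes, and the pad bytes and the second message killhitler are constructed for this example.

```python
"""One-time pad: XOR encryption, deniability, and the cost of a depth."""
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR of two equal-length byte strings (addition modulo 2)."""
    if len(a) != len(b):
        raise ValueError("one-time pad key must match the message length")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(plaintext: bytes, pad: bytes) -> bytes:
    return xor_bytes(plaintext, pad)


def otp_decrypt(ciphertext: bytes, pad: bytes) -> bytes:
    return xor_bytes(ciphertext, pad)  # XOR is its own inverse


def fresh_pad(length: int) -> bytes:
    """A correct pad: uniformly random bits, generated fresh for one message."""
    return secrets.token_bytes(length)


def deniable_key(ciphertext: bytes, claimed_plaintext: bytes) -> bytes:
    """Every same-length plaintext is consistent with the ciphertext under
    some key, which is why Alice can hand her captors a fake key and why
    the ciphertext alone carries no information about the message."""
    return xor_bytes(ciphertext, claimed_plaintext)


def depth_xor(c1: bytes, c2: bytes) -> bytes:
    """Two ciphertexts under one pad: c1 ^ c2 == p1 ^ p2, the pad is gone."""
    return xor_bytes(c1, c2)


def recover_from_depth(c1: bytes, c2: bytes, guessed_p1: bytes) -> bytes:
    """If the guess for p1 is right, p2 follows with no key needed at all."""
    return xor_bytes(depth_xor(c1, c2), guessed_p1)


# Constructed values: a 10-byte pad and two 10-letter messages.
PAD = bytes.fromhex("3a9c51e7042bd8f16c07")
P1 = b"heilhitler"
P2 = b"killhitler"

if __name__ == "__main__":
    c1 = otp_encrypt(P1, PAD)
    print(otp_decrypt(c1, PAD))
    print(otp_decrypt(c1, deniable_key(c1, b"notabadguy")))
    c2 = otp_encrypt(P2, PAD)          # the reuse that creates a depth
    print(recover_from_depth(c1, c2, P1))
```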

In the s and s, Soviet spies entering the United States brought one-time pad keys with them. The spies used these keys to encrypt important messages, which were then sent back to Moscow.

These messages dealt with the most sensitive spy operations of the time. Yesterday he learned that they had dismissed him from his work. His active work in progressive organizations in the past was cause of his dismissal. They meet once a month for the payment of dues. CHESTER is interested in whether we are satisfied with the collaboration and whether there are not any misunderstandings. The Soviet spies were well trained and never reused the key, yet many of the intercepted ciphertext messages were eventually decrypted by American cryptanalysts.

How can that be, given that the one-time pad is provably secure? As a result, many messages were in depth, which enabled the cryptanalysis of these messages. This message refers to David Greenglass and his wife Ruth. Table 2. The codebook in Table 2. A codebook is a substitution cipher, but the substitutions are far from simple, since substitutions are for entire words—or even phrases.

The codebook illustrated in Table 2. Excerpt from a German codebook. Ciphertext The ciphertext message, as shown in Figure 2. At the time, the British and French were at war with Germany and its allies, but the United States was neutral [].

The Russians had recovered a damaged version of the German codebook, and the partial codebook had been passed on to the British. Through painstaking analyses, the

Figure 2. The Zimmermann telegram.

The British were initially hesitant to release the Zimmermann telegram since they feared that the Germans would realize that their cipher was broken and, presumably, stop using it. However, in sifting through other cabled messages that had been sent at about the same time as the Zimmermann telegram, British analysts found that a variant of the telegram had been sent unencrypted.

The version of the Zimmermann telegram that the British subsequently released closely matched the unencrypted version of the telegram. Modern block ciphers use complex algorithms to generate ciphertext from plaintext and vice versa but at a higher level, a block cipher can be viewed as a codebook, where each key determines a distinct codebook.

The contestants in the election were Republican Rutherford B. Hayes and Democrat Samuel J. Tilden. Tilden had obtained a slight plurality of the popular vote, but it is the electoral college that determines the presidency.

In the electoral college, each state sends a delegation and the entire delegation is supposed to vote for the candidate who received the largest number of votes in that particular state though there is no legal requirement for a delegate to vote for a particular candidate, and on rare occasion a delegate will vote for another candidate.

In , the electoral college delegations of four states were in dispute, and these held the balance. A commission of 15 members was appointed to determine which state delegations were legitimate—and thus determine the presidency. The commission decided that all four states should go to Hayes and he became president of the United States. One of the ciphers used was a partial codebook together with a transposition on the words.

Table 2. Election of codebook.

Plaintext      Ciphertext
Greenbacks     Copenhagen
Hayes          Greece
votes          Rochester
Tilden         Russia
telegram       Warsaw
...            ...

A snippet of the codebook appears in Table 2. The permutation used for a message of 10 words was 9, 3, 6, 1, 10, 5, 2, 7, 4, 8. Situation unchanged. They are all idiots. The cryptanalysis of this weak cipher was relatively easy to accomplish [93]. Since a permutation of a given length was used repeatedly, many messages of particular length were in depth—with respect to permutation as well as the codebook.

The analyst had to be clever enough to consider the possibility that all messages of a given length were using the same permutation, but, with this insight, the permutations were easily recovered. The codebook was then deduced from context and also with the aid of some unencrypted messages that provided clues as to the substance of the ciphertext messages. And what did these decrypted messages reveal?

By any measure, this cipher was poorly designed and weak. In this case, each time a permutation was reused, it gave the cryptanalyst more information that could be collated to recover the permutation. In modern cipher systems, we try to limit the use of a single key so that we do not allow a cryptanalyst to accumulate too much information about a particular key—and to limit the damage if a key is discovered.

Late in the 20th century, cryptography became a critical technology for commercial and business communications as well. In this section, we mention a few other historical highlights from the past century. In , Secretary of State Henry L. Stimson ended the U. This would prove to be a costly mistake in the run up to the Japanese attack on Pearl Harbor.

Shortly after the attack of December 7, , the United States restarted its cryptanalytic program in earnest. This cipher was broken by American cryptanalysts before the attack on Pearl Harbor, but the intelligence gained (code named Magic) provided no clear indication of the impending attack [61]. It is often claimed that the ULTRA intelligence was so valuable that in November of , Churchill decided not to inform the British city of Coventry of an impending attack by the German Luftwaffe, since the primary source of information on the attack came from Enigma decrypts [].

Churchill was supposedly concerned that a warning might tip off the Germans that their cipher had been broken. The Enigma was initially broken by the Poles. After the fall of Poland, the Polish cryptanalysts escaped to France. Shortly thereafter, France fell to the Nazis and the Polish cryptanalysts escaped to England, where they provided their knowledge to British cryptanalysts.

Remarkably, the Polish cryptanalysts were not allowed to continue their work on the Enigma. A picture of the Enigma appears in Figure 2. Confusion is designed to obscure the relationship between the plaintext and ciphertext, while diffusion is supposed to spread the plaintext statistics through the ciphertext. A simple substitution cipher and a one-time pad employ only confusion, whereas a double transposition is a diffusion-only cipher.

Figure 2. The Enigma cipher (Courtesy of T. Perera and the Enigma Museum).

In subsequent chapters, it will become clear how crucial these concepts are to modern block cipher design. Until recently, cryptography remained primarily the domain of governments. That changed dramatically in the s, primarily due to the computer revolution, which led to the need to protect large amounts of electronic data. By the mids, even the U. After DES, academic interest in cryptography grew rapidly.

Public key cryptography was discovered (or, more precisely, rediscovered) shortly after the arrival of DES. In the s, the Clipper Chip and the development of a replacement for the aging DES were two of the many crypto highlights. While the distinction between public keys and symmetric keys might seem minor, it turns out that public key crypto can do some useful things that are impossible to achieve with symmetric ciphers.

In public key cryptography, the encryption keys can be made public. If, for example, you post your public key on the Internet, anyone with an Internet connection can encrypt a message for you, without any prior arrangement regarding the key.

This is in stark contrast to a symmetric cipher, where the participants must agree on a key in advance. Prior to the adoption of public key crypto, secure delivery of symmetric keys was the Achilles heel of modern cryptography. A spectacular case of a failed symmetric key distribution system can be seen in the exploits of the Walker family spy ring. The Walker family sold cryptographic keys used by the U. Since the public key is public, anyone can decrypt this message.

However, it can be used as a digital form of a handwritten signature—anyone can read the signature, but only the signer could have created the signature. Anything we can do with a symmetric cipher we can also accomplish with a public key cryptosystem.

Public key crypto also enables us to do things that cannot be accomplished with a symmetric cipher. So why not use public key crypto for everything? The primary reason is speed. Symmetric key crypto is orders of magnitude faster than public key crypto. As a result, symmetric key crypto is used to encrypt the vast majority of data today. Yet public key crypto has a critical role to play in modern information security.

Each of the classic ciphers discussed above is a symmetric cipher. Modern symmetric ciphers can be subdivided into stream ciphers and block ciphers.

A block cipher is, in a sense, the generalization of a codebook. Conversely, when the key changes, a different codebook is selected. While stream ciphers dominated in the post-World War II era, today block ciphers are the kings of symmetric key crypto—with a few notable exceptions. For example, if the input changes in one or more bits, the output should change in about half of its bits. By Kerckhoffs Principle, we assume that Trudy the cryptanalyst has complete knowledge of the inner workings of the algorithm.

Another basic assumption is that Trudy has access to the ciphertext—otherwise, why bother to encrypt? If Trudy only knows the algorithms and the ciphertext, then she must conduct a ciphertext-only attack.

That is, Trudy might know some of the plaintext and observe the corresponding ciphertext. These matched plaintext-ciphertext pairs might provide information about the key. If all of the plaintext were known, there would be little point in recovering the key. For example, many kinds of data include stereotypical headers—e-mail being a good example. If such data is encrypted, the attacker can likely guess some of the plaintext and view the corresponding ciphertext.

Often, Trudy can actually choose the plaintext to be encrypted and see the corresponding ciphertext. Not surprisingly, this goes by the name of chosen plaintext attack. How is it possible for Trudy to choose the plaintext? For example, Alice might forget to log out of her computer when she takes her lunch break. Trudy could then encrypt some selected messages before Alice returns. Potentially more advantageous for the attacker is an adaptively chosen plaintext attack.

In this scenario, Trudy chooses the plaintext, views the resulting ciphertext, and chooses the next plaintext based on the observed ciphertext. The idea here is to look for a weakness in the system when the keys are related in some special way. There are other types of attacks that cryptographers occasionally worry about—mostly when they feel the need to publish another academic paper.

In any case, a cipher can only be considered secure if no successful attack is known. Finally, there is one particular attack scenario that only applies to public key cryptography.

If either matches the ciphertext, then the message has been broken. This is known as a forward search. The forward search attack implies that in public key crypto, we must also ensure that the size of the plaintext message space is large enough that the attacker cannot simply encrypt all possible plaintext messages.

We also discussed some elementary aspects of cryptanalysis. The following chapters cover public key cryptography, hash functions, and cryptanalysis.

Cryptography will appear again in later parts of the book. In particular, cryptography is a crucial ingredient in the chapters on security protocols. Give your answer in years. How does the Vigenere cipher work? Give an example. Use your knowledge of the statistical attack on the simple substitution cipher to devise an attack on the Vigenere cipher. Note that the same permutation was used for all three sentences.

The weak ciphers of the election of used a partial codebook and a permutation of the words. Design a more secure version of this cipher. Discuss a classic cipher that employs only confusion and also discuss a classic cipher that employs only diffusion. Which cipher discussed in this chapter employs both confusion and diffusion?

Decrypt the simple substitution example in ciphertext 2. Decrypt the ciphertext that appears in the Alice in Wonderland quote at the beginning of the chapter. Decrypt the following message that was encrypted using a simple substitution cipher: Write a program to help an analyst decrypt a simple substitution cipher. Your program should take the ciphertext as input, compute letter frequency counts, and display these for the analyst.

Extend the program developed in Problem 11 so that it initially tries to decrypt the message. Here is one sensible way to proceed. Use the computed letter frequencies and the known frequencies of English for an initial guess at the key. Iterate this process until the score does not improve for an entire pass through the alphabet. At this point you will pass your putative decryption to the analyst. In order to aid the analyst in the manual phase, your program should maintain all of the functionality of the program for Problem This message was encrypted with a double transposition using a matrix of 7 rows and 10 columns.

Using the letter encodings in Table 2. Find possible plaintexts for each message and the corresponding one-time pad. Suppose that you have a message consisting of bits. Design a method that will extend a key that is 64 bits long into a string of bits. These bits will then be XORed with the message, just like a one-time pad. Is the resulting cipher as secure as a one-time pad?

Is it possible for any such cipher to be as secure as a one-time pad? Design a computerized version of a codebook cipher. Your cipher should include many possible codebooks, with the key used to determine the codebook that will be employed to encrypt or decrypt a particular message. In the text, we described how a forward search attack can work against a public key cryptosystem.

You condense it with locusts and tape: Still keeping one principal object in view—To preserve its symmetrical shape. Stream ciphers are like a one-time pad, except that we trade provable security for a relatively small and manageable key. Block ciphers are based on the concept of a codebook, where the key determines the codebook. Internally, block ciphers employ both confusion and diffusion. Our goal in this section is to introduce symmetric key ciphers and gain some understanding of their inner workings and their uses.

The use of the keystream is identical to the use of the key in a one-time pad cipher. To decrypt with a stream cipher, the same keystream is generated and XORed with the ciphertext. Provided that both the sender and receiver have the same stream cipher algorithm and that both know the key K, this system is a practical generalization of the one-time pad—although not provably secure in the sense of the one-time pad.

This algorithm has an algebraic description, but it also can be illustrated via a relatively simple picture. Register X holds 19 bits, which we label x0, x1, …. The register Y holds 22 bits y0, y1, …. Not coincidentally, the key K is 64 bits. But before we can describe the keystream, we need to discuss the registers X, Y, and Z in more detail. Then the registers X, Y, and Z step according to the following rules: Also, the number of keystream bits that can be generated from a single bit key is virtually unlimited—though eventually the keystream will repeat.

These systems were once the kings of symmetric key crypto, but in recent years the block cipher has clearly taken over that title. Historically, shift-register-based stream ciphers were needed in order to keep pace with bit streams such as audio that are produced at a relatively high data rate.

In the past, software-based crypto could not generate bits fast enough for such applications. Today, however, there are few applications for which software-based crypto is not appropriate.

This is one of the primary reasons why block ciphers are on the ascendancy. The RC4 algorithm is remarkably simple, because it is essentially just a lookup table containing a permutation of the byte values. The entire RC4 algorithm is byte based. RC4 initialization. Pseudo-code for the initialization of the permutation S appears in Table 3. One interesting feature of RC4 is that the key can be of any length from 0 to bytes.

The key is only used to initialize the permutation S. After the initialization phase, each keystream byte is generated according to the algorithm in Table 3.

This could be implemented by adding extra steps to the initialization phase, where each additional step generates—and discards—a keystream byte following the algorithm in Table 3. RC4 is used in many applications, including SSL. There seems to have been little effort to develop new stream ciphers in recent years.
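As an added example (not the book's own code), here is a byte-oriented RC4 in Python following the description above: the permutation S is built from the key, one keystream byte is produced per step, and a caller-chosen `discard` count throws away an initial run of keystream bytes as the text suggests. The key-length limit of 1 to 256 bytes is this implementation's choice, and the key/plaintext values used are constructed test data.

```python
# Added example, not the book's code: RC4 as described in the text. RC4 is
# obsolete and shown for study only; do not use it to protect real data.

def rc4_ksa(key: bytes) -> list[int]:
    """Key-scheduling algorithm: build the 256-byte permutation S from the key.

    This implementation accepts keys of 1 to 256 bytes (an implementation
    choice here); the key is used only to initialise S, never afterwards.
    """
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_keystream(key: bytes, discard: int = 0):
    """Yield keystream bytes, throwing away the first `discard` of them.

    Discarding an initial run of keystream is the mitigation the text
    mentions for the statistical bias in RC4's early output; `discard` is
    a caller-chosen count, not a value from the book.
    """
    s = rc4_ksa(key)
    i = j = 0
    produced = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        k = s[(s[i] + s[j]) & 0xFF]
        if produced >= discard:
            yield k
        produced += 1


def rc4_crypt(key: bytes, data: bytes, discard: int = 0) -> bytes:
    """Encrypt or decrypt (same operation): XOR data with the keystream."""
    ks = rc4_keystream(key, discard)
    return bytes(b ^ next(ks) for b in data)


if __name__ == "__main__":
    # Constructed demonstration values.
    ct = rc4_crypt(b"Key", b"Plaintext")
    print(ct.hex())                                  # bbf316e8d940af0ad3
    assert rc4_crypt(b"Key", ct) == b"Plaintext"     # decryption is the same XOR
```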

Although this may be a slight exaggeration, it is clear that block ciphers are in the ascendancy today. TABLE 3. RC4 keystream byte. The ciphertext is obtained from the plaintext by iterating a function F over some number of rounds. The function F, which depends on the output of the previous round and the key K, is known as a round function, not because of its shape, but because it is applied at each round.

The subkey is derived from the key K according to a key schedule algorithm. The beauty of a Feistel cipher is that we can decrypt, regardless of the particular round function F. To do so, we simply solve equations 3. Any round function F will work in a Feistel cipher, provided that the output of F produces the correct number of bits.

In particular, there is no requirement that the function F be invertible. However, a Feistel cipher will not be secure for every possible F. They came back and were all different. By the mid s, it was clear even to U. At the time, the computer revolution was underway, and the amount—and sensitivity—of digital data was rapidly increasing.

The upshot was that businesses had no way to judge the merits of a crypto product and the quality of most such products was very poor. The winning submission would become a U. At this point, NBS had a problem.

Nevertheless, this suspicion tainted DES from its inception. Lucifer eventually became DES, but not before a few subtle—and a few not so subtle—changes were made. The most obvious change was that the key length had been reduced from bits to 64 bits. However, 8 of the 64 key bits were discarded, so the actual key length is a mere 56 bits. By this measure, DES is times easier to break than Lucifer!

Understandably, the suspicion was that NSA had had a hand in this. However, subsequent cryptanalysis of the DES algorithm has revealed attacks that require slightly less work than trying keys.

As a result, DES is probably about as strong with a key of 56 bits as it would have been with the longer key. The subtle changes to Lucifer involved the substitution boxes, or S-boxes, which are described below. These changes in particular fueled the suspicion of a backdoor. The DES S-boxes are one of its most important security features. The S-boxes, taken together, map 48 bits to 32 bits. The same S-boxes are used at each round of DES.

Since DES is a Feistel cipher, encryption follows the formulas given in equations 3. A single round of DES is illustrated in the wiring diagram in Figure 3. As required by equation 3. One round of DES. The expansion permutation expands its input from 32 to 48 bits, and the 48-bit subkey is XORed with the result. The S-boxes then compress these 48 bits down to 32 bits before the result is passed through the P-box.

The P-box output is then XORed with the old left half to obtain the new right half. In fact, some of these operations are of no security benefit whatsoever, and, when these are stripped away, the algorithm is even simpler. The 48-bit result of the DES expansion permutation consists of the bits

31  0  1  2  3  4  3  4  5  6  7  8
 7  8  9 10 11 12 11 12 13 14 15 16
15 16 17 18 19 20 19 20 21 22 23 24
23 24 25 26 27 28 27 28 29 30 31  0

where the 32-bit input is, according to our convention, numbered as

 0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31

We give S-box number 1 below, where the input to the S-box is denoted b0 b1 b2 b3 b4 b5.

It was apparently hoped that DES would remain a hardware-only algorithm. Predictably, the DES S-boxes became public knowledge almost immediately. This is a somewhat convoluted process, but the ultimate result is simply that 48 of the 56 bits of key are selected at each round.

The DES key schedule algorithm for generating the 48-bit subkey Ki for round i can now be described as in Table 3. For completeness, there are two other features of DES that we must mention. Also, when encrypting, the halves are swapped after the last round, so the actual ciphertext is R16, L16 instead of L16, R16. A few words on the security of DES may be useful.

First, mathematicians are very good at solving linear equations, and the only part of DES that is not linear is the S-boxes. As a result, the S-boxes are crucial to the security of DES. DES key schedule algorithm. All of this will become much clearer after we discuss linear and differential cryptanalysis in a later chapter. For more details on the design of DES, see [].

Today, DES is vulnerable simply because the key is too small, not because of any noteworthy shortcut attack. Although some attacks have been developed that, in theory, require slightly less work than an exhaustive key search, all practical DES crackers built to date simply try all keys until they stumble across the correct one. The inescapable conclusion is that the designers of DES knew what they were doing.

Then we discuss one truly simple block cipher in more detail. But before that, we need some notation. Let P be a block of plaintext, K a key, and C the corresponding block of ciphertext. It turns out that there is a clever way to use DES with a larger key length. This attack is a chosen plaintext attack. We select a particular plaintext P and obtain the corresponding ciphertext C. First we precompute a table of size containing the pairs (E(P, K), K) for all possible key values K.

This attack on double DES requires that we pre-compute and store an enormous table of elements. But the table computation is one-time work, so if we use this table many times by attacking double DES many times the work for computing the table can be amortized over the number of attacks.

This has an expected work of , just as in an exhaustive key search attack on single DES. At least we can say that a meet-in-the-middle attack similar to the attack on double DES is impractical since the table pre-computation is infeasible—or the per attack work is infeasible if we reduce the table to a practical size. Surprisingly, the answer is backwards compatibility with single DES.
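The following added example (not the book's code) ties together two passages above: the Feistel construction, where decryption works for any round function F even a non-invertible one, and the meet-in-the-middle attack on double encryption. The cipher is a constructed toy (16-bit block, 8-bit key, 4 rounds, a made-up key schedule) so that the full attack runs instantly; the keys and plaintexts are constructed values.

```python
# Added example, not the book's code: a toy Feistel cipher with a deliberately
# non-invertible round function, and the meet-in-the-middle attack on double
# encryption described in the text. Constructed toy sizes (16-bit block, 8-bit
# key) make the attack run instantly; they provide no real security.

ROUNDS = 4

def round_function(half: int, subkey: int) -> int:
    """F: 8 bits -> 8 bits. Squaring mod 256 is not injective, so F is not
    invertible, yet decryption below still works, as the text explains."""
    t = half ^ subkey
    return (t * t + 0x5A) & 0xFF

def key_schedule(key: int) -> list[int]:
    """Toy key schedule: one 8-bit subkey per round (constructed, not DES's)."""
    return [(key * 0x9D + i * 0x3D) & 0xFF for i in range(ROUNDS)]

def feistel(block: int, subkeys: list[int]) -> int:
    """L_i = R_{i-1}, R_i = L_{i-1} xor F(R_{i-1}, K_i), then swap the halves,
    so decryption is the same routine with the subkeys in reverse order."""
    left, right = block >> 8, block & 0xFF
    for k in subkeys:
        left, right = right, left ^ round_function(right, k)
    return (right << 8) | left

def encrypt(block: int, key: int) -> int:
    return feistel(block, key_schedule(key))

def decrypt(block: int, key: int) -> int:
    return feistel(block, key_schedule(key)[::-1])

def double_encrypt(block: int, k1: int, k2: int) -> int:
    """C = E(E(P, K1), K2), the double-DES construction the text analyses."""
    return encrypt(encrypt(block, k1), k2)

def meet_in_the_middle(pairs: list[tuple[int, int]]) -> list[tuple[int, int]]:
    """Recover (K1, K2) from chosen plaintext/ciphertext pairs.

    Table E(P, K1) -> K1 for all 2^8 values of K1 (the one-time precomputation
    the text mentions), then for each K2 look up D(C, K2): about 2 * 2^8
    trials instead of 2^16. Extra pairs weed out false matches.
    """
    p0, c0 = pairs[0]
    table: dict[int, list[int]] = {}
    for k1 in range(256):
        table.setdefault(encrypt(p0, k1), []).append(k1)
    found = []
    for k2 in range(256):
        for k1 in table.get(decrypt(c0, k2), []):
            if all(double_encrypt(p, k1, k2) == c for p, c in pairs[1:]):
                found.append((k1, k2))
    return found

if __name__ == "__main__":
    # Constructed keys; the attacker sees only the pairs, not K1 and K2.
    K1, K2 = 0x3C, 0xA7
    pairs = [(p, double_encrypt(p, K1, K2)) for p in (0x1234, 0xBEEF, 0x0042)]
    print(meet_in_the_middle(pairs))   # includes (60, 167), i.e. (0x3C, 0xA7)
```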

Triple DES is popular today. The crucial problem with DES is that the key length of 56 bits is susceptible to an exhaustive key search. If you're interested in creating a cost-saving package for your students, contact your Pearson rep.

William Stallings authored 18 textbooks, and, counting revised editions, a total of 70 books on various aspects of these subjects. He has 11 times received the award for the best Computer Science textbook of the year from the Text and Academic Authors Association. In over 30 years in the field, he has been a technical contributor, technical manager, and an executive with several.

Currently he is an independent consultant whose clients have included computer and networking manufacturers and customers, software development firms, and leading-edge government research institutions. This site provides documents and links on a variety of subjects of general interest to computer science students and professionals.

He is a member of the editorial board of Cryptologia, a scholarly journal devoted to all aspects of cryptology. His articles appear regularly at http: His professional interests include communications and computer systems security and cryptography, including research on pseudo-anonymous communication, authentication, security and trust issues in Web environments, the design of secure remote code execution environments using the functional language Erlang, and on the design and implementation of the LOKI family of block ciphers.

During his career, he has presented courses on cryptography, cybersecurity, data communications, data structures, and programming in Java to both undergraduate and postgraduate students. Cloth Bound with Access Card. The work is protected by local and international copyright laws and is provided solely for the use of instructors in teaching their courses and assessing student learning.

Principles and Practice, 4th Edition.

William Stallings Lawrie Brown. The content in the book is unified by four basic themes. Although the scope of this book is broad, there are a number of basic principles that appear repeatedly as themes and that unify this field, for example, authentication and access control. The book highlights these principles and examines their application in specific areas of computer security. Design approaches: The book examines alternative approaches to meeting specific computer security requirements.

Standards have come to assume an increasingly important, indeed dominant, role in this field. An understanding of the current status and future direction of technology requires a comprehensive discussion of the related standards.

Real-world examples:

Engaging features that enhance learning

Hands-on projects reinforce concepts from the textbook

Hacking exercises: Two projects that enable students to gain an understanding of the issues in intrusion detection and prevention.

Laboratory exercises: A series of projects that involve programming and experimenting with concepts from the book. Security education SEED projects: The SEED projects are a set of hands-on exercises, or labs, covering a wide range of security topics. Research projects: A series of research assignments that instruct the student to research a particular topic on the Internet and write a report.

Programming projects: A series of programming projects that cover a broad range of topics and that can be implemented in any suitable language on any platform.

Practical security assessments: A set of exercises to examine current infrastructure and practices of an existing organization.

Firewall projects: A portable network firewall visualization simulator is provided, together with exercises for teaching the fundamentals of firewalls.

Case studies: A set of real-world case studies, including learning objectives, case description, and a series of case discussion questions. A list of papers that can be assigned for reading and writing a report, plus suggested assignment wording. Writing assignments: A list of writing assignments to facilitate learning the material.

Webcasts for teaching computer security: A catalog of webcast sites that can be used to enhance the course. Case studies and examples provide real-world context for the text material. Numerous homework problems cover a wide range of difficulty along with numerous review questions.

An Instructor's Manual contains solutions to all problems and questions. Extensive use of figures and tables clarifies concepts.

List of key words, recommended reading list, and recommended Web sites at the end of each chapter. List of acronyms on back endpaper.

Companion website at www. To limit the size and cost of the book, some chapters of the book are provided in PDF format.