
Crypto Lab – Secret-Key Encryption (Part 1)


Written by Vortana Say · 4 min read

Here is the main page of the project: http://www.cis.syr.edu/~wedu/seed/Labs_12.04/Crypto/Crypto_Encryption/

Here is the detailed description of the project: http://www.cis.syr.edu/~wedu/seed/Labs_12.04/Crypto/Crypto_Encryption/Crypto_Encryption.pdf

The learning objective of this lab is for students to become familiar with the concepts of secret-key encryption. After finishing the lab, students should have gained first-hand experience with encryption algorithms, encryption modes, paddings, and initialization vectors (IV). Moreover, students will be able to use tools and write programs to encrypt and decrypt messages.

1. Lab Environment

According to the lab instructions, we need to install OpenSSL and GHex inside our Ubuntu virtual machine. Fortunately, the SEEDLab virtual machine that we installed already had the prerequisite software for this lab. If you missed the part about installing the lab environment for the SEED Lab project, you can refer to this post.

1.1.  OpenSSL

Secure Sockets Layer (SSL) is an application-level protocol which was developed by the Netscape Corporation for the purpose of transmitting sensitive information, such as Credit Card details, via the Internet (obiwanbd, 2014).

OpenSSL is a robust, commercial-grade implementation of SSL tools, and related general purpose library based upon SSLeay, developed by Eric A. Young and Tim J. Hudson (obiwanbd, 2014).

First, I use the cd (change directory) command to go to the openssl directory, which in SEEDUbuntu is /home/seed/openssl-1.0.1/. I then need to use sudo in front of these commands because only the root user can run them; otherwise I get Permission denied.

As can be seen, “unable to create Makefile.new:Permission denied” happened when I tried to run ./config without being the root user. After that, I used sudo ./config to run the command as the root user and then entered the password of the root user.
I could then execute the rest of the commands:

  • sudo make
  • sudo make test
  • sudo make install

1.2.  GHex

In this lab, we need to be able to view and modify files in binary format. Our VM has GHex, a hex editor for GNOME, installed. It allows the user to load data from any file and to view and edit it in either hex or ASCII. GHex was already installed in SEEDUbuntu.

A hex editor shows each byte as a two-digit hexadecimal value, which gives a simple grid that can be easily navigated, something that would be harder with 3-digit decimal numbers. These tools can be very powerful, but it is also easy to corrupt binary files, so please use them with care.

2.  Encryption using different ciphers and modes

The algorithm names seem to follow the pattern:
(Algorithm name)-(key size)-(encryption mode)
Note: If the key size is omitted, there is only one key size for that algorithm.

  • Algorithm name: Sometimes a number is included in the algorithm name to distinguish the version of the algorithm; for instance, RC2 and RC4.
  • Key size: The key size is given in bits. The longer the key, the stronger the encryption, but the slower the operation.
  • Encryption mode: There are five main encryption modes that are widely used with block ciphers: Electronic Codebook (ECB), Cipher Block Chaining (CBC), Cipher Feedback (CFB), Output Feedback (OFB), and Counter (CTR).

There are several encryption algorithms in OpenSSL, as shown in the image below.

To implement the encryption methods, I created a plain text file in /home/seed/Desktop/lab1_crypto/task1. The content of the file is “My name is Vortana SAY”.

  • For cipher and mode: -aes-128-cbc
    • Encryption

As can be seen, cipher_aes_128_cbc.bin is the encrypted version of the plain.txt file produced by OpenSSL. When I try to open cipher_aes_128_cbc.bin with a normal text editor, it shows the error above because this is a binary file and contains hex values; that is why I use GHex, a hex editor, to open it.

In /home/seed/Desktop/lab1_crypto/task1, I used the ghex editor as follows to open cipher_aes_128_cbc.bin:

    • Decryption

  • For cipher and mode: -aes-256-cfb
    • Encryption

    • Decryption

  • For cipher and mode: -bf-ecb
    • Encryption

    • Decryption
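The encrypt and decrypt steps for two of the cipher names above, as an added example (not the commands from the original post): it round-trips a constructed plain.txt with `openssl enc` and reports the plaintext and ciphertext sizes. The key, IV, working directory and output file names are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example. Key and IV are constructed demo values, not secrets to reuse.
KEY128=00112233445566778899aabbccddeeff
KEY256=${KEY128}${KEY128}
IV=0102030405060708090a0b0c0d0e0f10

WORK=$(mktemp -d)
printf 'My name is Vortana SAY' > "$WORK/plain.txt"   # 22 bytes, no newline

# roundtrip CIPHER KEYHEX: encrypt plain.txt, decrypt it again, and print
# "<plaintext bytes> <ciphertext bytes> <ok|mismatch>".
roundtrip() {
    cipher=$1; key=$2
    enc="$WORK/cipher_$cipher.bin"; dec="$WORK/plain_$cipher.txt"
    openssl enc "-$cipher" -e -K "$key" -iv "$IV" -in "$WORK/plain.txt" -out "$enc" || return 1
    openssl enc "-$cipher" -d -K "$key" -iv "$IV" -in "$enc" -out "$dec" || return 1
    if cmp -s "$WORK/plain.txt" "$dec"; then result=ok; else result=mismatch; fi
    echo "$(wc -c < "$WORK/plain.txt" | tr -d ' ') $(wc -c < "$enc" | tr -d ' ') $result"
}

# CBC pads the 22-byte message to two 16-byte blocks; CFB works as a stream
# and keeps the length. bf-ecb takes the same form without -iv; on
# OpenSSL 3.x Blowfish is only available through the legacy provider.
echo "aes-128-cbc: $(roundtrip aes-128-cbc "$KEY128")"
echo "aes-256-cfb: $(roundtrip aes-256-cfb "$KEY256")"
```
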

3.  Encryption mode – ECB vs. CBC

Encryption – ECB

The Electronic Codebook (ECB) mode is a confidentiality mode in which the message is divided into blocks and each block is encrypted separately. The ECB mode is defined as follows (Evans, Bond, & Bement, 2001):

In ECB encryption, the forward cipher function is applied directly and independently to each block of the plaintext. The resulting sequence of output blocks is the cipher text.

In ECB decryption, the inverse cipher function is applied directly and independently to each block of the cipher text. The resulting sequence of output blocks is the plaintext.

With ECB, if the same b-bit block of plaintext appears more than once in the message, it always produces the same cipher text. Because of this, for lengthy messages, the ECB mode may not be secure.

The figure below shows both the encryption and decryption processes of ECB (Block cipher mode of operation, 2015).

I use the image provided by the website of the lab, pic_original.bmp. I then encrypted the image using the electronic codebook encryption mode.

When I try to view the encrypted image with image-viewing software, it shows the error “BMP image has bogus header data”. In a .bmp file, the first 54 bytes contain the header information about the picture, so I have to set them correctly for the encrypted file to be treated as a legitimate .bmp file. I use the ghex editor tool to change those 54 bytes.

I opened the two image files, pic_original.bmp and cipher_pic_aes_128_ecb.bmp, with ghex. The selected areas in pic_original.bmp are the 54 byte values that we need to put in the header of cipher_pic_aes_128_ecb.bmp; I also drew a rectangle around the 54 bytes that need to change.

Here are the bytes that I changed:

After changing the header of cipher_pic_aes_128_ecb.bmp, I can view this file with image software.

Encryption – CBC

The Cipher Block Chaining (CBC) mode is a confidentiality mode whose encryption process features the combining (“chaining”) of the plaintext blocks with the previous ciphertext blocks. The CBC mode requires an IV to combine with the first plaintext block. The IV need not be secret, but it must be unpredictable. The CBC mode is defined as follows (Evans, Bond, & Bement, 2001):

In CBC mode, each block of plaintext is XORed with the previous cipher text block before being encrypted. This way, each cipher text block depends on all plaintext blocks processed up to that point. To make each message unique, an initialization vector must be used in the first block.

The figure below shows both the encryption and decryption processes of CBC (Block cipher mode of operation, 2015).

I encrypted pic_original.bmp with the CBC encryption mode.

In order to be able to view the image, I have to change the 54 bytes header of the encrypted image, cipher_pic_aes_128_cbc.bmp.

Here are the contents of both files after I changed the header bytes of the encrypted image.

Here is the encrypted image as shown by the image viewer.

Observation

The disadvantage of ECB is that identical plaintext blocks are encrypted into identical ciphertext blocks, so data patterns are not well hidden and confidentiality is not provided. CBC, on the other hand, is more secure because each plaintext block is XORed with the previous ciphertext block before it is encrypted.

Here is a brief description of each encryption mode (William & Brown, 2012):

In this part, we mainly discussed the different encryption methods. In part 2, I am going to discuss the next tasks: Encryption Mode – Corrupted Cipher Text, Padding, and Programming using the Crypto Library.
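The ECB and CBC runs described above, scripted as an added example (not the author's commands or files): it builds a constructed stand-in for pic_original.bmp, encrypts it with aes-128-ecb and aes-128-cbc, puts the 54-byte header back with head and tail instead of GHex, and counts distinct 16-byte blocks. The key, IV, file names and image contents are assumptions.

```shell
#!/bin/sh
# Added example. Key, IV and the "image" are constructed demo values.
KEY=00112233445566778899aabbccddeeff
IV=0102030405060708090a0b0c0d0e0f10
HDR=54    # BMP header length used in the post

# make_bmp FILE: stand-in for pic_original.bmp, a 54-byte header followed by
# 64 identical 16-byte runs (a flat-colour area of the picture).
make_bmp() {
    {
        printf 'BM constructed header 0123456789 abcdefghijklmnopqrstuvwxyz' | head -c "$HDR"
        i=0
        while [ "$i" -lt 64 ]; do printf 'AAAAAAAAAAAAAAAA'; i=$((i + 1)); done
    } > "$1"
}

# encrypt_view MODE SRC OUT: encrypt SRC with aes-128-MODE, then restore SRC's
# first 54 bytes so OUT opens in an image viewer (the GHex step, scripted).
encrypt_view() {
    mode=$1; src=$2; out=$3
    if [ "$mode" = ecb ]; then   # ECB takes no IV
        openssl enc -aes-128-ecb -e -K "$KEY" -in "$src" -out "$out.raw" || return 1
    else
        openssl enc "-aes-128-$mode" -e -K "$KEY" -iv "$IV" -in "$src" -out "$out.raw" || return 1
    fi
    { head -c "$HDR" "$src"; tail -c +"$((HDR + 1))" "$out.raw"; } > "$out"
    rm -f "$out.raw"
}

# block_stats FILE: print "<total> <distinct>" counts of 16-byte blocks.
block_stats() {
    total=$(od -An -v -tx1 "$1" | wc -l | tr -d ' ')
    distinct=$(od -An -v -tx1 "$1" | sort -u | wc -l | tr -d ' ')
    echo "$total $distinct"
}

WORK=$(mktemp -d)
make_bmp "$WORK/pic.bmp"
encrypt_view ecb "$WORK/pic.bmp" "$WORK/cipher_ecb.bmp"
encrypt_view cbc "$WORK/pic.bmp" "$WORK/cipher_cbc.bmp"
echo "ECB total/distinct blocks: $(block_stats "$WORK/cipher_ecb.bmp")"   # repeats survive
echo "CBC total/distinct blocks: $(block_stats "$WORK/cipher_cbc.bmp")"   # every block differs
```

With this input the ECB file has 68 blocks of which only 6 are distinct, while all 68 CBC blocks differ: the repeated pixel run shows up as a repeated ciphertext block under ECB and disappears under CBC.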