Security and Cryptography (CSS 322)

Assignment 1

Due: 23 December 2008, 5pm

This assignment involves developing and using ciphers using PHP. I have a brief overview of using PHP which should be sufficient to get users new to PHP started.

Tasks

Task 1

Implement and test either Simplified DES (SDES) or Simplified AES (SAES). You do not get to choose which one - the allocation to each student is here. You must provide an encrypt and decrypt function following the example for SAES (for SDES, replace SAES with SDES and change the lengths):

/**
 * Encryption with Simplified AES
 * @param String $plaintext Plaintext to be encrypted. 16 bits.
 * @param String $key Key to use for encryption. 16 bits.
 * @return String Ciphertext produced by encryption. 16 bits.
 */
function SAES_Encrypt ($plaintext, $key)

/**
 * Decryption with Simplified AES
 * @param String $ciphertext Ciphertext to be decrypted. 16 bits.
 * @param String $key Key to use for decryption. 16 bits.
 * @return String Plaintext produced by decryption. 16 bits. 
 */
function SAES_Decrypt ($ciphertext, $key)

Task 2

Implement Electronic Code Book (ECB) mode of operation, as well as either: Cipher Block Chaining (CBC) mode or Counter (CTR) mode (again, the allocation is here). Combine the two modes of operation into a generic encrypt and decrypt function following the example:

/**
 * Generic encryption
 * @param String $plaintext Plaintext to be encrypted
 * @param String $key Key to use for encryption. Must be correct length for the selected cipher
 * @param String $cipher Abbreviation of the cipher to use. 'SDES' or 'SAES'
 * @param String $mode Abbreviation of the block mode to use. 'ECB', 'CBC' or 'CTR'
 * @return String The ciphertext produced from the encryption
 */
function Crypto_Encrypt ($plaintext, $key, $cipher, $mode)

/**
 * Generic decryption
 * @param String $ciphertext Ciphertext to be decrypted
 * @param String $key Key to use for decryption. Must be correct length for the selected cipher
 * @param String $cipher Abbreviation of the cipher to use. See the source for list of ciphers available
 * @param String $mode Abbreviation of the block mode to use. See the source for list of modes available
 * @return String The plaintext produced from the decryption
 */
function Crypto_Decrypt ($ciphertext, $key, $cipher, $mode)

Task 3

Implement a converter from 7-bit ASCII characters to binary strings (and the inverse operation). The functions must be of the format:

/**
 * Converts an ASCII string into its binary equivalent, that is
 * 7-bits for each character
 * @param String $ascii text or words
 * @return String binary representation of input text or words
 */
function Crypto_ASCII2BinString ($ascii)

/**
 * Converts binary data into ASCII (7-bit) text
 * @param String $bin binary representation of text
 * @return String text 
 */
function Crypto_BinString2ASCII ($bin)

Task 4

Implement a brute force attack on the key so that the most likely plaintext(s) for a given ciphertext is produced. You may assume the attacker knows the cipher and mode of operation being used. The function must be of the format:

/**
 * Key brute force attack
 * @param String $ciphertext Ciphertext available to attacker
 * @param String $cipher Abbreviation of the cipher to use. See the source for list of ciphers available
 * @param String $mode Abbreviation of the block mode to use. See the source for list of modes available
 * @return ????
 */
function Crypto_KeyBruteForce ($ciphertext, $cipher, $mode)

Example

Selected example PHP code and results from executing the code are shown below.

echo "Task 1: single-block encryption/decryption using SDES\n";
$plaintext = '01110010';
$key = '1010000010';
$ciphertext = SDES_Encrypt($plaintext,$key);
echo $ciphertext . "\n";
$newplaintext = SDES_Decrypt($ciphertext,$key);
echo $newplaintext . "\n";
echo $plaintext . "\n\n";

echo "Task 2: generic encryption/decryption using SAES and ECB mode\n";
$plaintext = '11010111001010001101011100101000';
$key = '0100101011110101';
$ciphertext = Crypto_Encrypt($plaintext,$key,'SAES','ECB');
echo $ciphertext . "\n";
$newplaintext = Crypto_Decrypt($ciphertext,$key,'SAES','ECB');
echo $newplaintext . "\n";
echo $plaintext . "\n\n";

echo "Task 3: encryption/decryption of ASCII text\n";
$ciphertext = Crypto_Encrypt(Crypto_ASCII2BinString ('steve'),$key,'SAES','CTR');
echo $ciphertext . "\n";
echo Crypto_BinString2ASCII($ciphertext) . "\n";
$newplaintext = Crypto_Decrypt($ciphertext,$key,'SAES','CTR');
echo $newplaintext . "\n";
echo Crypto_BinString2ASCII($newplaintext) . "\n";
echo "steve\n\n";

echo "Task 4: brute force attack\n";
echo "??? the output is for you to decide\n";

sgordon@ginger:~/svn/Steve/Courses/CSS322/Assessment$ php crypto.php
Task 1: single-block encryption/decryption using SDES
01110111
01110010
01110010

Task 2: generic encryption/decryption using SAES and ECB mode
00100100111011000010010011101100
11010111001010001101011100101000
11010111001010001101011100101000

Task 3: encryption/decryption of ASCII text
101101010110001011101101110101110111001010111101
ZX]];J=
111001111101001100101111011011001010000000000000
steve~~
steve

Task 4: brute force attack
??? the output is for you to decide

Requirements

Correctness and Clarity

The primary requirement for you implementation is that it is correct. That is, the implemention must produce the correct results. A secondary (but much less important) requirement is clarity of the implementation. If you implement the algorithms correctly, and your code is clear, then you will receive full marks for the implementation. You are not required to optimise for performance.

ASCII characters in plaintext

When converting text to binary (and vice versa), you can assume that the plaintext to be encrypted will be English and that it will only contain the ASCII characters from 32 (SPACE) to 122 ('z'). If the ciphertext contains characters outside of this range (that is, 0 to 31 and 123 to 127) then you should replace the character with character 126 ('~') in the resulting plaintext.

Padding

Pad any values with binary 0's when necessary.

Initial values

Any initial values (e.g. Initialisation Vector, Counter) can be 0. Although your algorithm must be able to work with other values, my tests will assume you use the value of 0.

Assessment

Each task will be assessed on correctness and clarity. Marks will also be given for the overall quality of the design/implementation. Bonus marks may be given for exceptional solutions.

Item	Correctness	Clarity
Task 1	25	10
Task 2	20	5
Task 3	5	-
Task 4	15	5
Overall	15

Submission

You must submit the source code in electronic form (email as an attachment).

1. You must submit via email to steve@siit.tu.ac.th
2. The subject of your email must be: CSS322 Assignment 1 ID where you replace ID with your ID number.
3. To the email, you must attach two PHP files:
   1. All of your functions in a file named IDcrypto.php, e.g. 4922123456crypto.php. See the example.
   2. Any test code in a file named IDtest.php, e.g. 4922123456test.php. You can the crypto file in the test file. See the example.
4. Do NOT zip/rar or process the file in any way.
5. For each Task, your source code must include the exact same function names/definitions as given in the above Task descriptions. In summary, the functions are:
   

   function SAES_Encrypt ($plaintext, $key)
   function SAES_Decrypt ($ciphertext, $key)
   function Crypto_Encrypt ($plaintext, $key, $cipher, $mode)
   function Crypto_Decrypt ($ciphertext, $key, $cipher, $mode)
   function Crypto_ASCII2BinString ($ascii)
   function Crypto_BinString2ASCII ($bin)
   function Crypto_KeyBruteForce ($ciphertext, $cipher, $mode) 
   

   The above functions may (and should) call other functions. Include all functions in your source code.
6. The output of the functions is defined in the Task descriptions. In all cases except Crypto_KeyBruteForce(), the function returns a String. Your submitted functions in the file IDcrypto.php MUST NOT echo any output to the screen. The exception is Crypto_KeyBruteForce(), which should echo the results of the brute force attack to the screen (in the format that you choose).
7. The file IDtest.php may contain echo statements (that is, output to the screen).
8. Your source code should not include anything related to HTML!
9. When I test your code I will create my own test.php file and use your functions (in the file IDcrypto.php).
10. I may not use your IDtest.php file. The main reason for submitting ithis file is in case your functions do not do as I expect (maybe your tests will give me insight into what is wrong). If all of your functions in IDcrypto.php work correctly, then I will not be concerned with the contents of your IDtest.php file.
11. Each function must include comments at the start explaining your approach to the design/implementation. It is important that you state any assumptions. The description of the Crypto_KeyBruteForce() function is essential - you must explain any input parameters, the approach you take and the output

Hints

These hints are only guidelines, not requirements. You do not have to follow them (and there may be better approaches than what I suggest).

Binary Numbers and Arrays

The ciphers operate on fixed length binary numbers. Although there are several ways to implement the cipher operations, I implemented using Arrays, where each element is a bit. Then I wrote functions that operate on Arrays of bits (I also refer to them as Binary Arrays). For example, Crypto_XOR($a, $b) takes two equal length Arrays and returns an Array contain the binary XOR of the inputs.

Arrays and Strings

If you do implement the operations on Arrays of bits, then you first have to convert a String (e.g. '1010') into an Array. the function str_split() is useful for this. The inverse operation can be performed using implode().

Galois Fields (SAES Only)

The GF multiplication may be implemented using a lookup table. You don't have to implement the mathematics behind the GF operations.

No Need for Error Checks

You can assume the users will enter the correct length keys and data, and use the operations correctly. You do not need to perform extensive error checking.

Function Names

I used the naming scheme of Crypto_OPERATION for generic cryptographic operations, SDES_OPERATION for SDES specific operations and SAES_OPERATION for SAES specific operations. The SDES/SAES operations generally following the names of operations used in lectures. You don't have to use this scheme, but at least should consider a naming scheme to assist with the clarity of the implementation.

Brute Force

Simply trying all keys and printing out all possible plaintexts is not a good solution. You should try to select the most likely plaintext (or perhaps give a ranking of possible plaintext).

Further hints may be posted to the mailing list. If you have questions, please email direct to me (not to the mail list). If I think the my response is useful for the entire class, I will reply via the mail list.

Task Allocation

Return to: CSS322 Home | Course List | Steven Gordon's Home | SIIT