Lecture 4 more cryptography - PowerPoint PPT Presentation

Slides: 43
Provided by: martin159
Transcript and Presenter's Notes


1
Lecture 4 - more cryptography
  • We will cover
  • entropy as a measure of uncertainty
  • block and stream ciphers
  • perfect secrecy
  • the role and importance of keys
  • one way functions and their use
  • digital signatures
  • types of cryptographic attacks
  • Reading - Pfleeger, chapter 2

2
Entropy and information
  • fundamental concepts here are entropy and
    information (in a technical sense)
  • entropy is a measure of uncertainty and
    information is a measure of how much an event
    reduces uncertainty
  • basically we have a number of possible
    alternative events only one of which has happened
    or can happen - the uncertainty is our lack of
    knowledge (information) about which alternative
    event has or will happen

3
  • our uncertainty is at its greatest for a given
    set of alternatives when all the alternatives are
    equally likely (given our knowledge) i.e. we have
    not got a clue as to what is more likely to
    happen - for a normal coin, it is equally likely
    that it would give a head or a tail if it was
    tossed, but a coin that you knew had been
    interfered with may give one side more frequently
    than the other - my degree of uncertainty with an
    unbiased coin is greater than with a biased coin.
    The uncertainty can be seen as inversely
    proportional to the probability of guessing the
    outcome correctly from your current knowledge

4
  • when the degree of uncertainty is measured it is
    normally called entropy
  • Entropy is measured in bits - 2 (2^1) equally
    likely alternatives give an entropy of 1 bit
    (and a probability of a correct guess of
    1/2 = 1/2^1), 4 (2^2) equally likely alternatives
    give an entropy of 2 bits (and a probability of a
    correct guess of 1/4 = 1/2^2), etc.
  • in general m equally likely alternatives give an
    entropy of n bits where m = 2^n - this is true even
    if m is not an integer power of 2 i.e. n can be
    fractional and you can measure entropy in
    fractions of a bit

5
  • for equally likely alternatives - entropy = log2 m;
    log is the inverse of raising to a power, so
    log2 m = n because 2^n = m - this is often called
    information because it is a measure of how much
    uncertainty reduces when we find out which event
    happened
  • since m = 1/(probability of any one of the m
    alternatives) then log2 m = log2 1/(prob. of m)
  • given that log2 1/n = - log2 n (whatever n is),
    then log2 1/(prob. of m) = - log2 (prob. of m)
  • so entropy (information) of an individual event
    = - log2 (probability of event)
  • this generalisation enables us to measure the
    entropy of a stream of events e.g. occurrence of
    symbols where the events are not all equally
    likely to happen

6
  • the following equation gives the mean entropy of
    the event sequence
  • mean entropy = - sum over all events (prob of ith
    event × log2 prob of ith event)
  • this gives you a reasonable measure of the
    uncertainty over the sequence of events (in our
    case a sequence of symbols)
  • the information that you obtain about the actual
    occurrence of an event reduces your uncertainty
    (i.e. entropy) about what event will happen to 0
    (you know what happened and there is no
    uncertainty) - information is therefore sometimes
    also called negentropy (negative entropy)
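
The formulas of the last three slides carried through in code, as an added example that is not part of the lecture: entropy of m equally likely alternatives (including the fractional case), the information of a single event, and the mean entropy of a symbol sequence with probabilities estimated from observed frequencies. The sample sequences are constructed.

```python
import math
from collections import Counter


def entropy_equally_likely(m):
    """Entropy in bits of m equally likely alternatives: log2(m).
    m need not be a power of two, so the result may be fractional."""
    if m < 1:
        raise ValueError("need at least one alternative")
    return math.log2(m)


def event_information(p):
    """Information (entropy) carried by one event of probability p: -log2(p)."""
    if not 0 < p <= 1:
        raise ValueError("probability must lie in (0, 1]")
    return -math.log2(p)


def mean_entropy(symbols):
    """Mean entropy per symbol of a sequence, -sum(p_i * log2(p_i)),
    with p_i estimated from how often each symbol occurs in the sequence."""
    counts = Counter(symbols)
    total = len(symbols)
    if total == 0:
        raise ValueError("an empty sequence has no entropy")
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


if __name__ == "__main__":
    print(entropy_equally_likely(2))    # fair coin: 1.0 bit
    print(entropy_equally_likely(10))   # not a power of 2: about 3.32 bits
    print(event_information(1 / 4))     # 2.0 bits
    # constructed symbol streams: records of coin tosses
    print(mean_entropy("HTHTHTHTHT"))   # unbiased coin: 1.0 bit per toss
    print(mean_entropy("HHHHHHHHHT"))   # biased coin: about 0.47 bits per toss
    print(mean_entropy("AAAAAAAA"))     # only one outcome possible: 0 bits
```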

7
Stream and block ciphers
  • 2 general ways of organising ciphers - stream
    ciphers and block ciphers
  • They both divide the plaintext message into
    blocks of symbols (although it could be a block
    of size 1) and use a key value in an encryption
    algorithm to produce the ciphertext for each
    block in turn
  • A Block cipher uses the same key value as the
    parameter to the encryption algorithm for all the
    blocks of the plaintext (of course it may use
    different keys for different plaintexts). Thus
  • ciphertext block_i = encryption(key, plaintext_i)

8
  • A Stream cipher effectively uses a keystream
    generator to generate a sequence of key values
    k1, k2, ..., ki, ..., kn where the ith key value is
    used as a parameter in the encryption of the ith
    block of plaintext symbols
  • ciphertext block_i = encryption(key_i, plaintext_i)
  • The sequence of key values generated by the
    keystream generator may repeat after some given
    number of key values (in which case it is called
    periodic) or it may never repeat (in which case
    it is called aperiodic)

9
  • Ideally the sequence of key values in the
    keystream should be random - this is not in
    practice achievable as the key generator must use
    an algorithm to produce the keystream - hence it
    is pseudo-random
  • where the sequence of key values generated is
    dependent only on the starting key value (called
    the Seed), then it is called a synchronous stream
    cipher
  • where the sequence of key values is also
    dependent upon previous plaintext blocks or
    ciphertext blocks as well as the seed, then it is
    called a non-synchronous stream cipher

10
  • in some books you will mistakenly find block
    ciphers defined as ciphers that operate on fixed
    sized blocks and stream ciphers defined as
    ciphers that operate on one symbol at a time; as
    we have seen, this is technically wrong.
  • They are often defined in this way, because
    typically the size of a unit that is operated on
    in a stream cipher is small - 1 bit or 8 bits (1
    byte) - whereas the unit size for block ciphers
    is typically 64 bits or 128 bits. However, this
    is not essential - a stream cipher can operate on
    64 bits just as well as on 8 bits.

11
  • Stream ciphers tend to operate on small blocks of
    data (1-8 bits) because the security in the
    system comes from the generation of an
    appropriate keystream sequence. The encryption
    operation can then be very simple e.g. in many
    applications the key values in the keystream are
    simply XORed with the bits of the plaintext
    message to produce the ciphertext message.
    Fundamentally it is an n-gram substitution where
    the size of n is equal to the period of
    repetition of the keystream sequence - and the
    period size may, depending on the key generator
    used, be thousands to many billions in length.

12
  • On the other hand with block ciphers the security
    comes from the use of a more complex series of
    encryption operations (permutations and
    substitutions) using a relatively small single
    key value (e.g. 64 bits, 128 bits, etc.)
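
The two organisations of slides 7 to 12 as code, an added example that is not part of the lecture: a block-cipher organisation that applies the same key to every block, a synchronous keystream whose values depend only on the seed, and a non-synchronous keystream that also depends on the previous ciphertext byte. The per-block transform is XOR and the keystream generator is a toy linear congruential generator (both assumptions chosen so the keystream period is small enough to measure); neither is a secure cipher.

```python
def xor_bytes(a, b):
    """Bytewise XOR of two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


# Toy keystream generator: a linear congruential generator mod 256.
# Assumption for illustration only; it is not a secure generator.
A, C, MOD = 5, 1, 256


def next_key_value(x):
    return (A * x + C) % MOD


def synchronous_keystream(seed, length):
    """Synchronous stream cipher keystream: k1, k2, ... depend only on the seed."""
    x, out = seed % MOD, bytearray()
    for _ in range(length):
        x = next_key_value(x)
        out.append(x)
    return bytes(out)


def keystream_period(seed):
    """Count key values until the keystream repeats: its period."""
    first = next_key_value(seed % MOD)
    x, n = first, 1
    while True:
        x = next_key_value(x)
        if x == first:
            return n
        n += 1


def stream_encrypt(seed, plaintext):
    """ciphertext_i = encryption(key_i, plaintext_i); here key_i XOR plaintext_i."""
    return xor_bytes(synchronous_keystream(seed, len(plaintext)), plaintext)


stream_decrypt = stream_encrypt  # XOR is its own inverse


def self_sync_crypt(seed, data, decrypt=False):
    """Non-synchronous stream cipher: key_i depends on the seed AND on the
    previous ciphertext byte, so the keystream depends on the data too."""
    prev, out = seed % MOD, bytearray()
    for byte in data:
        k = next_key_value(prev)
        other = k ^ byte
        out.append(other)
        prev = byte if decrypt else other   # feedback is always the ciphertext byte
    return bytes(out)


def block_encrypt(key, plaintext):
    """Block cipher organisation: ciphertext_i = encryption(key, plaintext_i)
    with the SAME key for every block; the block size is len(key)."""
    bs = len(key)
    if len(plaintext) % bs:
        raise ValueError("plaintext must be a whole number of blocks")
    return b"".join(xor_bytes(key, plaintext[i:i + bs])
                    for i in range(0, len(plaintext), bs))


if __name__ == "__main__":
    msg = b"ABCDABCD"  # constructed: two identical 4-byte blocks
    c_block = block_encrypt(b"KEYS", msg)
    print(c_block[:4] == c_block[4:])    # True: same key, same block, same output
    c_stream = stream_encrypt(9, msg)
    print(c_stream[:4] == c_stream[4:])  # False: the key value changes per block
    print(keystream_period(9))           # 256: the toy keystream is periodic
    print(stream_decrypt(9, c_stream) == msg)
    print(self_sync_crypt(9, self_sync_crypt(9, msg), decrypt=True) == msg)
```

Equal plaintext blocks giving equal ciphertext blocks is a direct consequence of the single-key organisation, which is why real block ciphers are run in modes that chain or vary the input between blocks.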

13
Perfect Secrecy
  • An ideal cryptographic system should be one in
    which the ciphertext gives the cryptanalyst no
    information that will help him/her in identifying
    the original plaintext.
  • the ciphertext must not give any information i.e.
    reduce the uncertainty of the probability of the
    occurrence of various plaintexts
  • a cryptographic system that provides this
    property is said to provide perfect secrecy

14
  • to achieve perfect secrecy each individual symbol
    replacement mapping must be independent of every
    other individual symbol replacement mapping
  • 2 events are independent if the probability of
    event A given the occurrence of event B is the
    same as the probability of event A alone e.g. the
    probability of getting a head on the next toss
    of a coin is the same whether you have just got a
    head or a tail, whereas the probability of the
    next card drawn from a pack of cards having a
    particular value is dependent upon the values of
    any cards that have already been drawn from the
    pack (assuming the cards are not replaced)

15
  • the sequence of key values defines the sequence
    of symbol replacement mappings used, thus for the
    sequence of symbol replacement mappings to be
    independent the sequence of key values must also
    be independent events i.e. they must be random.
    This implies
  • 1. the sequence of key values must not be
    periodic i.e. The sequence must not repeat - it
    would not be random if it did
  • 2. such a cipher cannot be a block cipher where
    the same key is used in the transformation of
    each block, it must be a stream cipher
  • 3. the key value sequence must be as long as the
    plaintext message itself i.e. Keystream length is
    not fixed

16
  • point 3 in turn implies that there will be as many
    key value sequences as possible plaintexts and any
    given ciphertext may have been produced by any of
    the key value sequences from some possible
    plaintext message of the same length. This means
    that, from a knowledge of the ciphertext alone,
    every plaintext is just as likely as any other.
  • However a BIG problem - the requirement that the
    key be as long as the plaintext message and the
    requirement that the key be kept secret makes the
    perfectly secret cipher system impractical in
    most circumstances.

17
One Time Pad
  • One-time pad is the name given to a cryptographic
    system that has perfect secrecy
  • it is one-time because the sequence of key values
    that is used is destroyed after one use (a
    one-time use). This is an important requirement
    for a one-time pad encryption. If the pad
    (sequence of key values) were to be used more than
    once, then it would become a periodic (repeating)
    key sequence and would thus lose the
    characteristics of perfect secrecy.

18
Vernam cipher
  • The Vernam cipher is an example of a one-time pad.
    It produces ciphertext by simply XORing plaintext
    with a non-repeating sequence of random numbers
    that forms the key.
  • XOR is a simple reversible operation and provides
    powerful encryption when used with a one-time
    pad, however if used with a periodic key sequence
    it becomes a particularly weak form of encryption
    (see handout on problems with XOR)
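
The one-time pad and Vernam slides as an added example that is not part of the lecture. The pad is drawn from the operating system's random source (os.urandom standing in for true randomness, an assumption), handed out exactly once and then destroyed, and two checks illustrate the slides: for a given ciphertext, any plaintext of the same length is consistent with some pad, and reusing a pad makes the pad cancel out, leaking the XOR of the two plaintexts, which is the loss of perfect secrecy the handout refers to. The messages are constructed.

```python
import os


def xor_bytes(a, b):
    """Bytewise XOR; the pad must be exactly as long as the message."""
    if len(a) != len(b):
        raise ValueError("pad and message must have the same length")
    return bytes(x ^ y for x, y in zip(a, b))


class OneTimePad:
    """Key material that can be taken exactly once and is then destroyed."""

    def __init__(self, length):
        self._pad = bytearray(os.urandom(length))  # assumption: OS randomness
        self._used = False

    def take(self):
        if self._used:
            raise RuntimeError("pad already used; reuse makes the key periodic")
        self._used = True
        pad = bytes(self._pad)
        for i in range(len(self._pad)):   # destroy the copy we hold
            self._pad[i] = 0
        return pad


def vernam_encrypt(pad, plaintext):
    return xor_bytes(pad, plaintext)


def vernam_decrypt(pad, ciphertext):
    return xor_bytes(pad, ciphertext)


def pad_explaining(ciphertext, candidate_plaintext):
    """Perfect secrecy: for ANY plaintext of the right length there is a pad
    that would have produced this ciphertext, so the ciphertext alone cannot
    favour one plaintext over another."""
    return xor_bytes(ciphertext, candidate_plaintext)


def reuse_leak(c1, c2):
    """If one pad encrypted both messages the pad cancels: c1 XOR c2 equals
    p1 XOR p2, so the ciphertexts now carry information about the plaintexts."""
    return xor_bytes(c1, c2)


def demo():
    m1, m2 = b"meet me at nine", b"pay the invoice"   # constructed messages
    pad = OneTimePad(len(m1)).take()
    c1 = vernam_encrypt(pad, m1)
    assert vernam_decrypt(pad, c1) == m1
    # every candidate of the same length is explained by some pad
    other = pad_explaining(c1, m2)
    assert vernam_decrypt(other, c1) == m2
    # misuse: the same pad used twice leaks m1 XOR m2
    c2 = vernam_encrypt(pad, m2)
    assert reuse_leak(c1, c2) == xor_bytes(m1, m2)
    return True


if __name__ == "__main__":
    print(demo())
```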

19
Role of the key
  • Throughout the following discussion we are
    looking at keys that are of a fixed size (not the
    variable sized keys required in perfect secrecy)
  • the role of the key parameter in substitutions
    and permutations is
  • 1. to determine exactly how symbols are
    substituted for by other symbols (i.e. which of
    many different mappings to use at a given
    location in the plaintext)
  • 2. to determine exactly how symbols are permuted
    (i.e. what exact rule is going to be used to
    perform the re-ordering or mixing up of the
    symbols)

20
  • encryption and decryption algorithms map from a
    <key, symbol string> pair to a symbol string
  • one-to-one mapping i.e. one <key, symbol string>
    pair will be associated by the algorithm with one
    output symbol string i.e. only one output symbol
    string is consistent with the proper execution of
    the algorithm
  • for encryption the input symbol string is the
    plaintext message to be encrypted, while for
    decryption the input symbol string is the
    ciphertext

21
  • However, without the key the algorithm ceases to
    be one-to-one but becomes one-to-many - this
    means that in the absence of a key the encryption
    and decryption algorithms associate with each
    plaintext (for encryption) and ciphertext (for
    decryption) a large number of possible output
    symbol strings i.e. a large number of output
    symbol strings would be consistent with the
    proper execution of the algorithm.
  • In general there are as many output symbol
    strings for a given input symbol string for a
    given algorithm as there are possible keys

22
  • so in decryption without a key the given
    ciphertext would be consistent with as many
    possible candidate plaintexts as there are
    possible keys
  • thus the number of possible keys is very
    important
  • one way of attempting to decrypt a ciphertext
    when you don't have the key is to guess the key
    used - you systematically search through all the
    possible keys and try each one in turn until you
    recover the plaintext - called a brute force
    search

23
  • you would need to know which algorithm to use -
    in practice this is not often difficult because
    the standard algorithms are in the public domain
    and there are not that many of them - some people
    advertise how secure their systems are by telling
    everyone which algorithm they use (so you can be
    impressed) - it is safest to assume that any
    attacker knows which algorithm you are using
  • to defeat a brute force search you need to have a
    large number of possible keys to search through
    - the number of alternatives to try is called the
    search space - so we must have such a large
    search space that it is infeasible to do the
    search

24
  • the number of possible keys is related to the
    size of the key value that can be used as a
    parameter to the algorithm - because we are
    working with digital keys that have a given
    number of bits and thus the number of possible
    keys is fixed by the size in bits of the key
    value that can be used as a parameter to the
    algorithm
  • number of possible values that can be represented
    in n bits is 2^n - thus the larger the size of the
    key value in bits the larger the number of
    possible keys
  • size of the key - example - a 40 bit key can have
    2^40 ≈ one trillion possible keys

25
  • for a search to be infeasible means that the
    resources needed to search through enough keys so
    that you have a 50% chance of finding the correct
    key are so large that it is impractical - normally
    the resource constraint that is quoted is that of
    time e.g. it would take a machine that could test
    1000 billion (1 trillion) keys per second approx.
    2^39 seconds, approx. 1.5 billion years, to have a
    50% chance of finding the correct key when the
    key size is 80 bits

26
  • of course note
  • improvements in technology in general lead to a
    doubling in processing power in computers of a
    given cost every 1½ years
  • the increasing use of distributed systems of
    computers can of course also greatly increase the
    effective computing power available
  • But still the difficulty of guessing the correct
    keys looks practically insurmountable - hurrah
    for the keys!

27
  • BUT - these results are true for random keys
    only i.e. where the choice of key value made by a
    user is random and thus the entropy for the key
    is maximum (all n-bit keys are equally likely) -
    giving n bits of entropy (uncertainty as to which
    key is correct and which one to guess)
  • However, many keys are not random, because the
    choice of key value on many systems is related to
    a choice of a password or pass-phrase chosen by a
    user that is then converted into a key value -
    e.g. a 10 character password may be converted to
    an 80 bit key value

28
  • BUT such passwords/pass phrases are usually not
    random - they are often intelligible English -
    thus not all keys are equally likely - entropy is
    less than maximum
  • passwords typically have an actual entropy value
    of 4 bits per character, thus our 80 bit key will
    have an effective entropy of 40 bits and not 80
    bits - this means that on average it would take a
    machine that could only test 1 billion keys per
    second about 8 minutes to find the correct key
    50% of the time

29
  • somebody should tell Microsoft this since they
    often base their 128 bit key encryption
    (wonderful huge key) on the user's normal password
    (dismal - any key cracking software would try
    names of people/places (including uncommon ones)
    very early on, including versions with 0, 1, 2, 3,
    etc. after them and 0s substituted for o's and 1s
    for i's etc. - all the common tricks) - about as
    secure as a baby's bottom's tendency to be dry!
  • So it is best to use keys generated from some
    random number generator, but if you have to use a
    password or pass-phrase try to make it both
    memorable (for you) and obscure!

30
  • thus another way to find a key is to use
    heuristic search on the set of possible keys
    (again assuming we know the algorithm) -
    heuristic search means that you search
    systematically using clues and information you
    have available to reduce the entropy of the key
    you are trying to find and reduce the size of the
    search space - you try those keys that are more
    likely first, less likely next, etc.
  • Attacks based on checking all the words that
    occur in a dictionary are called dictionary
    attacks and succeed more often than is comfortable

31
Recognising plaintext
  • how does an attacker recognise the output symbol
    string from decryption as the plaintext that was
    encrypted rather than other text that could have
    been encrypted but was not
  • this is easy because most decryptions with the
    wrong key do not exhibit the structure of the
    appropriate type of plaintext e.g. the decrypted
    output looks nothing like English

32
  • this is because the number of possible strings of
    characters that are valid English is very very
    small compared to the number of possible
    non-English combinations of letter values
  • the larger the text being decrypted the smaller
    the probability of finding a valid English text
    by chance i.e. for a given ciphertext the
    probability that more than one of the possible
    keys will map onto something meaningful is very
    (very!) small. Note - as we have seen this is
    not true of systems with perfect secrecy

33
one way or hash functions
  • one way or hash functions map some text onto
    something that is normally called a hash value or
    a message digest
  • strictly speaking a one way function is something
    that maps an input onto an output, but there does
    not exist a way of reversing the process to
    reconstitute the original input from the output
    directly - the best you can do is simply input
    values, calculate the output and keep a record of
    the <input, output> pair for later reference

34
  • this is different from encryption where the
    decryption algorithm with the correct key allows
    the original plaintext to be computed from the
    ciphertext
  • in practice functions where it is very difficult
    to invert the computation (rather than
    impossible) are used
  • hash value = hash_function(input text)
  • a pseudo-random function is usually used for a
    hash function

35
  • a pseudo random function is one that is not
    actually random in that its output is the result
    of an algorithm, but the output it produces is
    indistinguishable from a true mathematical random
    function according to various statistical tests
    that can be run on its output - it looks random
    and hence the output does not contain any useful
    information about the input - you cannot make
    predictions about the input from your knowledge
    of the output

36
Uses of one way functions
  • one way functions are used to provide
    authentication of identities and messages
  • in password verification systems - user inputs
    password, one way function is applied to
    password to give hash value, the hash value is
    then compared with a stored password hash value
    for that user - thus the system can verify
    whether the password is correct, but without
    needing to store the actual password on the
    system. The original password cannot be recovered
    from the hash value (because it is one way).

37
  • in message authentication - you want to be sure
    that the message has not been tampered with, so
    the sender performs hash(message the sender sent)
    to give a hash value which is encrypted along with
    the rest of the message, the recipient then
    decrypts the message (including the hash value),
    the recipient then performs hash(message the
    receiver decrypted) to get a hash value - if the
    hash value is the same as the hash value sent with
    the message then the message has not been tampered
    with - because if the message the receiver
    received was different from that the sender sent
    or if the hash value had been changed then the
    computed hash value would be different from that
    sent
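
The two uses just described, as an added example that is not part of the lecture: password verification that stores only a salted one-way hash, and a message digest appended by the sender and recomputed by the receiver. PBKDF2-HMAC-SHA256 and SHA-256 from Python's hashlib are assumed as the one-way functions, and the salt and constant-time comparison go a little beyond the slide; the encryption of message-plus-digest that the slide describes is assumed to happen outside this code. The password and message are constructed.

```python
import hashlib
import hmac
import os

DIGEST_LEN = 32  # SHA-256 output size in bytes


def make_password_record(password, iterations=200_000):
    """Store salt, iteration count and hash: never the password itself.
    The random salt means two users with equal passwords get different records."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify_password(record, attempt):
    """Recompute the one-way function on the attempt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])


def attach_digest(message):
    """Sender side: message || hash(message). The slide then encrypts this whole
    unit; without that protection anyone could recompute a matching hash."""
    return message + hashlib.sha256(message).digest()


def check_digest(received):
    """Receiver side: split off the digest, recompute over the body, compare.
    Returns the body if intact, None if the body or the digest was altered."""
    if len(received) < DIGEST_LEN:
        return None
    body, sent = received[:-DIGEST_LEN], received[-DIGEST_LEN:]
    if hmac.compare_digest(hashlib.sha256(body).digest(), sent):
        return body
    return None


if __name__ == "__main__":
    rec = make_password_record("correct horse")      # constructed password
    print(verify_password(rec, "correct horse"))     # True
    print(verify_password(rec, "correct hors"))      # False
    unit = attach_digest(b"transfer 100 to account 42")  # constructed message
    print(check_digest(unit))                        # the body, intact
    print(check_digest(unit.replace(b"100", b"900")))  # None: digest no longer matches
```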

38
Digital signatures
  • you can use an asymmetric key system in which the
    encryption (locking) key is private and the
    decryption (unlocking) key is public - this
    would seem to be the opposite of security - all
    could read the messages you encrypted
  • however, it provides a mechanism for
    authenticating that a message came from the
    source that claimed to have sent it - like a real
    signature it is meant to authenticate the source
    of the item as coming from the right person
  • a hash function is used to produce a
    representation of the message (the message
    digest)

39
  • this is encrypted using the sender's private key
    and accompanies the full message (possibly
    encrypted but not necessarily)
  • Once received, if the whole message was encrypted
    then it will first have to be decrypted; then
  • the recipient can use the public key of the
    sender to decrypt the message-digest, then apply
    the hash function to the message and if the
    message digest it produces matches the actual
    message digest value that was decrypted along
    with the message then the message can only have
    come from the person who holds the private key
    that belongs to the public key you used to
    decrypt the signature - the sender
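
The sign-with-private-key, verify-with-public-key flow of the last two slides as an added example that is not part of the lecture. It uses textbook RSA with two small well-known primes and reduces the SHA-256 digest modulo n; both are assumptions made so the code is self-contained, and neither the key size nor the bare modular reduction is acceptable in a real signature scheme, which uses large keys and a padding standard. The message is constructed.

```python
import hashlib

# Toy RSA key pair (assumption for the demo: these primes are far too small
# for real use, and real schemes pad the digest rather than reducing it mod n).
P, Q = 1000000007, 998244353
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+)
PUBLIC_KEY = (N, E)
PRIVATE_KEY = (N, D)


def message_digest(message):
    """The hash function gives a fixed-size representation of the message."""
    return hashlib.sha256(message).digest()


def digest_as_int(digest, n):
    """Map the 256-bit digest into [0, n) so it can be exponentiated mod n."""
    return int.from_bytes(digest, "big") % n


def sign(private_key, message):
    """'Encrypt' the digest with the private (locking) key: the signature."""
    n, d = private_key
    return pow(digest_as_int(message_digest(message), n), d, n)


def verify(public_key, message, signature):
    """'Decrypt' the signature with the public (unlocking) key and compare it
    with a freshly computed digest of the received message."""
    n, e = public_key
    if not 0 <= signature < n:
        return False
    return pow(signature, e, n) == digest_as_int(message_digest(message), n)


if __name__ == "__main__":
    msg = b"pay 100 to account 42"             # constructed message
    sig = sign(PRIVATE_KEY, msg)
    print(verify(PUBLIC_KEY, msg, sig))         # True: from the private-key holder
    print(verify(PUBLIC_KEY, msg + b"0", sig))  # False: message altered in transit
    print(verify(PUBLIC_KEY, msg, sig + 1))     # False: signature altered
```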

40
types of cryptographic attack
  • 3 types of attack in general
  • 1. ciphertext only attacks - the attacker only
    has the ciphertext available to determine the key
    - the brute force and heuristic searches we have
    considered previously are examples of ciphertext
    only attacks

41
  • 2. known-plaintext attacks - the attacker has
    both the ciphertext and the plaintext (if you
    have the plaintext why bother to find the key? -
    because there may be other messages that could be
    decrypted once you have the key) - an example of
    having a known plaintext is knowing that you have
    a Word document - the headers (first few hundred
    bytes) of Word documents are fixed and known -
    this provides the cracker with more information,
    greatly reducing the entropy of the key used

42
  • 3. Chosen-plaintext attack - the attacker can
    choose which plaintext is to be encrypted - this
    provides even more information than a
    known-plaintext attack, so that the entropy of the
    key can be further reduced