Michigan State University - PowerPoint PPT Presentation

1 / 75
About This Presentation
Title:

Michigan State University

Description:

Birthday Theorem ... birthday paradox : the probability ... Backwards compatibility with DES... Michigan State University. Computer Science and Engineering ... – PowerPoint PPT presentation

Number of Views:152
Avg rating:3.0/5.0
Slides: 76
Provided by: richard139
Category:

less

Transcript and Presenter's Notes

Title: Michigan State University


1
Chapter 5 Cryptography
  • CSE 825

2
  • Cryptography, as covered in the text, seems worth
    spending some class time on

3
  • Egyptians used cryptography 4000 years ago.

4
Monoalphabetic Substitution Cipher
  • Julius Caesar (50 BC) used it.
  • abcdefghijklmnopqrstuvwxyz
  • SECURITYABDFGHJKLMNOPQVWXZ
  • What is?
  • YRFFJ VJMFU
  • Computers can determine key in 150 words.
  • Humans do better.

5
  • Given a sufficiently large encoded message, it
    can readily be "cracked" by comparing the
    frequency of letter occurrences in the coded
    message with the frequency of letter occurrences
    in the language used for the message.
  • Graph of letter frequencies the English language

6
Improvements
  • Stream cipher
  • encryption rule depends on the plaintext symbols
    position in the stream of plaintext symbols
  • Block cipher
  • encrypt several plaintext symbols at once in a
    block

7
Stream
  • As the name implies, you generate a long stream
    of ciphertext from a shorter key.

8
Vigenère Stream Cipher
  • 16th-century
  • polyalphabetic cipher based on using successively
    shifted alphabet.

9
  • Method 1
  • Using key LUCKY to encode first two letters
    CO
  • Select rows LU
  • Select cols CO
  • Result is NI

10
Method 2 Use key LUCKY to select rows in
order Then use only those rows for the table
(next slide)
11
Method 2 (cont) Key LUCKY is in the repeated
rows Use plaintext for column and then use rows
one at a time (next slide)
12
To encode the first letter C we use the row of
the code indicated by the arrow and the column
indicated by the arrow Hence the letter N is
substituted for C.
The next letter to be encoded is O. We now use
the second shifted alphabet from the code table
and the column headed by the letter O.
13
Note that the letter I in the message corresponds
to four different letters in the encoded message
(i.e. a stream cipher). Also in the encoded
message the letter E was substituted for two
different letters of the original message. Such
many-to-one substitutions make letter frequency
counting much more difficult.
14
  • The text describes the same process
    mathematically and much more simply
  • C P K mod 26
  • Where
  • P alphabetic position of plaintext character
  • K alphabetic position of key character
  • C alphabetic position of cipher character

15
Cracking the Vigenere Cipher
  • For 300 years the Vigenere cipher was considered
    to be practically unbreakable.
  • Then in 1863 a Prussian military officer noticed
    that given a long enough piece of ciphertext,
    repeated patterns appear at multiples of the
    keyword length.
  • A letter frequency analysis could be then be
    applied (see text for example).

16
One-Time Pad
  • Since repetition is a weakness, one solution is
    for the key sequence to be as long as the
    plaintext and to never repeat.
  • The one-time pad (WWI) can provide that.
  • Encryption/Decryption is simply an XOR of the
    plaintext stream with the keystream.

17
Perfect Secrecy
  • A cipher has perfect secrecy
  • if and only if there are as many possible keys
    as possible plaintexts, and if every key is
    equally likely.
  • The one-time pad is the only one which provides
    perfect secrecy (Shannon).

18
Expansion
  • Key distribution is expensive for one-time pads
  • so
  • it is more common for stream ciphers to use a
    suitable pseudorandom number generator to
    expand a short key into a long keystream.

19
Text Themes
  • Repetition is badany repetition provides
    sufficient clues for cracking.
  • Also, how you use a cipher is as important as
    the quality of the cipher itself, e.g. if you
    use it in a way that allows repetition, you
    lose.

20
Block vs. stream ciphers
  • Block cipher encrypts and decrypts one block at
    a time
  • Stream cipher encrypts and decrypts one
    character (or even a bit) at a time.

21
Block Cipher
  • Divide input bit stream into n-bit sections,
    encrypt only that section, no
    dependency/history between sections

Courtesy Andreas Steffen
  • In a good block cipher, each output bit is a
    function of all n input bits and all k key bits

22
Stream Cipher
  • Stream ciphers
  • Rather than divide bit stream into discrete
    blocks, as block ciphers do, XOR each bit of
    your plaintext continuous stream with a bit from
    a pseudo-random sequence
  • At receiver, use same symmetric key, XOR again
    to extract plaintext

23
Diffusion and confusion(Claude Shannon)
  • Diffusion change a character of the plaintext,
    and several characters of the ciphertext should
    change. The statistical characteristics of
    letters in the plaintext are diffused over many
    letters in the ciphertext. Result much more
    ciphertext is needed to do a meaningful
    statistical attack.
  • Confusion the key does not relate in a simple
    way to the ciphertext. Each character of the
    ciphertext should depend on many parts of the
    key. The key cannot be solved piece by piece.

24
  • Vigenères allowed letter frequency analysis
  • Block ciphers flatten that distribution

25
Playfair (simple block cipher)
  • Block 5x5 grid of letters without J
  • Algorithm
  • If two letters are in the same row or column,
    replace by succeeding letters.
  • Otherwise, the two letters stand at two of the
    corners of a rectangle replace with letters at
    other two corners

26
Playfair
  • Invented around 1854 by Sir Charles Wheatstone
  • Keyword playfair
  • Plaintext meet at the schoolhouse
  • Plaintext1 me et at th es
  • ch ox ol ho us ex
  • Ciphertext eg mn fq qm kn bk sv vr gq xn ku

27
Analysis
  • Playfair allows one character change in input to
    change one character in output.
  • We want small changes in input to diffuse
    completely through the output.
  • Playfair has a block length of two.
  • DES, a modern block cipher, has a block length of
    64
  • DESs replacement, AES, has a block length of 128.

28
Random Function Desirable Characteristics
  • One-way functionsTrivial example is sum the
    sum of two numbers tells you nothing about the
    two numbers.
  • Output will not provide any information about any
    part of the input.
  • Hard to find collisionsM1 ? M2 with h(M1)
    h(M2)

29
Birthday Theorem
  • How many people do you invite to your party so
    that two will have the same birthday (with high
    probability)? v365
  • You need vN to have a high probability of a
    collision.

30
Birthday Attack
  • A birthday attack is a name used to refer to a
    class of brute-force attacks.
  • birthday paradox the probability that two or
    more people in a group of 23 share the same
    birthday is greater than ½
  • General formulation
  • function f() whose output is uniformly
    distributed over domain
  • On repeated random inputs n n1, n2, , .., nk
  • Pr(ni nj) 1.2k1/2, for some 1
  • E.g., 1.2(3651/2) 23
  • Q Why is resilience to birthday attacks
    important?

31
Feistel Cipher
  • 1950s IBM
  • On team that developed DES
  • He used multiple rounds of permutation blocks
    which were reversible.
  • Notation ?(f1 , f2 , f3 ) represents three
    Feistel cipher rounds

32
Luby-Rackoff(proof of Felstel Ciphers)
  • If fi were random functions,then ?(f1 , f2 , f3
    ) was indistinguishable from a random permutation
    under chosen plain text attack.
  • (chosen plain text attack opponent chooses some
    number of plain text inputs and sees the
    corresponding ciphertext outputs.)

33
Luby-Rackoff(proof of Felstel Ciphers)
  • If fi were random functions, ?(f1 , f2 , f3 ,
    f4 ) was indistinguishable under chosen
    plaintext/ciphertext attack,i.e. it was a
    pseudorandom permutation
  • That is, four rounds of Feistel are enough
  • (chosen plaintext/ciphertext attack can choose
    either plaintext or ciphertext and see
    corresponding result.)

34
How Feistel Cipher Scheme works
  • All conventional encryption schemes have the
    same structure
  • The input to the encryption algorithm are a
    plaintext block of length 2w bits and a key K.
  • The plaintext block is divided into two halves
    Li and Ri
  • The two halves pass through n rounds of
    processing and then combine to produce the
    ciphertext block

35
How Feistel Cipher Scheme works
  • 5. Each Round i has inputs Li-1 and Ri-1,
    derived from the previous round, as well as a
    unique subkey Ki generated by a sub-key
    generation algorithm
  • 6. All rounds have the same structure which
    involves substitution (mapping) and transposition
    (rearrangement of data) using a round function
    F and subkey Ki

36
(No Transcript)
37
Decryption with the Feistel Cipher Structure
  • Decryption with Feistel cipher is the same as
    the encryption process
  • The rule is to use the ciphertext as input to
    the same encryption algorithm but use the
    subkeys Ki in reverse order. That is, use kn in
    R1, Kn-1 in R2 and so on until k1 is used in Rn.
    The output will be the plaintext.
  • The advantage of this scheme is that we use the
    same algorithm for both encryption and
    decryption

38
Feistel Cipher Structure
  • Virtually all conventional block encryption
    algorithms, including data encryption standard
    (DES) have the same structure, first described
    by Horst Feistel of IBM in 1973
  • The realization or development of a Fesitel
    encryption scheme depends on the choice of the
    following parameters and design features (see
    next slide)

39
Feistel Cipher Structure
  • Block size larger block sizes mean greater
    security but slower processing
  • Key Size larger key size means greater security
    but slower processing
  • Number of rounds multiple rounds offer
    increasing security but slower processing
  • Subkey generation algorithm greater complexity
    will lead to greater difficulty of cryptanalysis.
  • Round Function greater complexity will lead to
    greater difficulty of cryptanalysis.

40
A Brief History of DES
  • In 1974, IBM proposed "Lucifer", an encryption
    algorithm using 64-bit keys.
  • Two years later (1977), NBS (now NIST) in
    consultation with NSA made a modified version of
    that algorithm into a standard.

41
A Brief History of DES
42
  • DES was the most widely-used block cipher in the
    80s and 90s. (e.g. Funds transfer security in
    banks)

43
DES
  • Consists of several phases
  • An initial permutation (IP)
  • Key transformation
  • 16 rounds of
  • Expansion permutation of input(Avalanche Effect)
  • Expands 32 bits to 48 bits, thus a single bit
    affects 2 substitutions. Dependency of output
    bits on input bits spread faster
  • S-box substitution (confusion)
  • P-box permutation (diffusion)
  • A final permutation (IP-1)

44
DES Algorithm
45
PeDEStrian attacks
  • Obvious attack guess the key. 256 keys
  • Complementation Property 255 keys
  • 1 million per second 1100 years
  • Store EK(P1) for all K 512 petabytes

46
DEStroying Security
  • Differential Cryptanalysis (1990) (in text)
  • Say you know plaintext, ciphertext pairs
  • Difference dP P1 ? P2, dC C1 ? C2
  • Distribution of dCs given dP may reveal key
  • Need lots of pairs to get lots of good dPs
  • Look at pairs, build up key in pieces
  • Could find some bits, brute-force for rest

47
DEServing of Praise
  • Against 8-round DES, attack requires
  • 214 16,384 chosen plaintexts, or
  • 238 known plaintext-ciphertext pairs
  • Against 16-round DES, attack requires
  • 247 chosen plaintexts, or
  • Roughly 255.1 known plaintext-ciphertext pairs
  • Differential cryptanalysis not effective
  • Designers knew about it

48
DESperate measures
  • Linear cryptanalysis (in text)
  • Look at algorithm structure find places where,
    if you XOR plaintext and ciphertext bits
    together, you get key bits
  • S-boxes not linear, but can approximate
  • Need 243 known pairs best known attack
  • DES apparently not optimized against this
  • Still, not an easy-to-mount attack

49
Characteristics of DES
  • Dependence All output bits depend on all input
    bits.
  • Avalanche effect a small alternation of the
    plaintext results in a large change of the
    ciphertext. A small change in the key results in
    a large change in the ciphertext.
  • Small space (4) of weak keys. A pair of keys is
    weak if after two subsequent encipherments with
    the keys, we get the original plaintext.
  • 12 semi-weak keys (the inverse of the key is
    another key).
  • Complimentarity
  • DESk(P)C ? DESco(k)(co(P))co(C)

50
Cracking DES
  • In the summer of 1998, the Electronic Frontier
    Foundation (EFF) built a DES cracker machine at a
    cost of 250,000
  • It had 1536 chips, worked at a rate of 88 billion
    keys per second, and was able to break a DES
    encrypted message in 56 hours
  • One year later, with the cracker working in
    tandem with 100,000 PCs over the Internet, a DES
    encrypted message was cracked in only 22 hours.
    They were testing 245 billion keys per second.

51
DES Problem
  • Key is too short (56 bits).
  • A linear attack requiring 242 known texts exists,
    but from a practical standpoint even 240 known
    texts is impractical.

52
3DES
  • One common way to make DES more secure today is
    to encrypt three times using DES.
  • triple-DES (3DES).
  • 3DES is extremely slow, so a better algorithm
    was needed.
  • Provides us with a key space of 2112 keys

53
Triple DES (3-DES)
  • The keyspace of DES is too small
  • 3-DES was designed to use the widely installed
    base of DES
  • Why not just use DES twice?
  • Subject to meet-in-the-middle attack
  • A known plaintext attack is one order of
    magnitude harder in double DES than single DES
  • Alright, how about using 3 keys?
  • Key space unwieldy?
  • Backwards compatibility with DES

54
The Advanced Encryption Standard (AES)
  • Although Triple DES can solve the key length
    problem, it has a slow operation and a short
    block length (64 bit)
  • NIST worked with the cryptographic community to
    develop the Advanced Encryption Standard (AES)
  • AES has a block length of 128 bits supporting
    key sizes of 128, 192 and 256 bits
  • Rijndael developed by Daemen and Rijmen from
    Belgium, was selected to be the AES
  • The effect date of AES was May 26, 2002
  • NIST anticipates that AES will be in use for
    20-30 years
  • NIST plans to formally reevaluate AES every 5
    years and make the needed maintenance

55
AES Requirements
  • Motivation
  • To replace DES with a single block encryption
    algorithm with a strength equal to or better than
    3DES and with significantly improved efficiency
  • Minimum Acceptability Requirements
  • implement symmetric (private) key cryptography
  • be a block cipher
  • work on 128-bit blocks with three key sizes
    128, 192, 256 bits

56
AES Evaluation Criteria
57
Block Cipher Design
  • General Design Principles
  • Confusion
  • obscure relationship among key, plaintext and
    ciphertext
  • Diffusion
  • every bit of plaintext influences each bit of
    ciphertext
  • Iteration
  • thorough mixing of bits
  • Related balance, non-linearity,
    correlation-immunity

58
Rijndael Encryption Algo
  • Rijndael(State, Key)
  • KeyExpansion( Key, ExpandedKey )
  • AddRoundKey( State, ExpandedKey )
  • for (i1 i
  • Round(State, ExpandedKey4)
  • FinalRound(State,ExpandedKey4X10)
  • Round(State, RoundKey)
  • ByteSub(State)
  • ShiftRow(State)
  • MixColumn(State)
  • AddRoundKey(State, RoundKey)
  • State -- array of 4 words(each 32 bits) of a
    block
  • No. of Rounds -- 10 rounds for key-block
    combination of 128-128 bits
  • KeyExpansion -- consists of XOR of keywords(each
    3bits),
  • S-box lookups, intra-word byte rotation
  • AddRoundKey -- bitwise-XOR with keywords for
    whitening
  • FinalRound -- similar to Round except without
    MixColumn

59
Rijndael Key and State Bytes
Key and State bytes are arranged in rectangular
arrays.
Variable Key size 16, 24 or 32 bytes
Variable State size 16, 24 or 32 bytes
60
Round Function ByteSub
  • ByteSub acts on individual bytes of the State.
  • Purpose (high) non-linearity
  • Note only 1 S-box (8 bits x 8 bits)
  • ByteSub is a non-linear byte substitution
  • constructed by the composition of two
    transformations
  • Take multiplicative inverse in GF(28) (00
    mapped to itself)
  • Apply an affine ( over GF(2) ) transformation
    8F a i,j ? A6

61
Round Function ShiftRow
no shift
cyclic shift by 3
cyclic shift by 2
cyclic shift by 1
ShiftRow operates on the rows of the
State. Purpose inter-column diffusion
62
Round Function MixColumn
MixColumn operates on the columns of the State.
The columns of the State are considered as
polynomials over GF(28) and multiplied module
x41 with a fixed polynomial c(x) c(x) 03x3
01x2 01x 02 MixColumn is implemented using
operations of XOR, conditional bit-shifts. Purpos
e inter-byte diffusion within columns (based on
ECC theory) Together with ShiftRow, it ensures
that after a few rounds,all output bits depend on
all input bits. Coefficients of the matrix were
also chosen for efficient implementation.
63
Round Function AddRoundKey
?

In AddRoundKey, the Round Key is bitwise XORed to
the State. Purpose makes round function
key-dependent Key-XORing with plaintext or
ciphertext is sometimes called whitening. This
is a cheap way of adding to the security of the
cipher by preventing the collection of
plaintext-ciphertext pairs.
64
  • Play animation here

65
Why Rijndael was selected
  • When considered together, Rijndaels combination
    of security, performance, efficiency, ease of
    implementation, and flexibility makes it an
    appropriate selection for the AES. Specifically,
    Rijndael appears to be consistently a very good
    performer in both hardware and software across a
    wide range of computing environments regardless
    of its use in feedback or non-feedback modes.
    NIST fact sheet
  • It was my favourite of the algorithms a clean
    and succinct description, good reasons for its
    design parameters, efficient implementations.
    S. Landau, senior staff engineer, Sun
    Microsystems
  • Symmetric and parallel structure
  • affords flexibility in implementation
  • not allowed effective cryptanalytic attacks
  • Well adapted to modern processors
  • Pentium
  • RISC and parallel processors
  • Suitable for smart cards
  • Flexible in dedicated hardware -- Daemen
    Rijmen

66
After the selection
  • AES FIPS(Federal Information Processing
    Standards) by NIST became official in November
    2001.
  • Cryptanalytic attacks on AES?
  • mid-2002 Coutois and Peiprzyk claimed XSL
    technique using one or two known plaintext for a
    2100-ish attack against AES and 2200-ish attack
    against Serpent attack based on the complexity
    of the non-linear components
  • 2002 Fuller and Millan, showed AESs 8x8-bit
    S-box is really 8x1 bit S-box
  • 2002 Filiol claimed some biases in Boolean
    functions of AES
  • Crypto2002 Murply and Robshaw showed all of AES
    can be expressed in a single field allowed a
    representation with nice properties which make it
    easier to cryptanalyze
  • (Basically, these are theoretical attacks, but
    worrisome if they are improved.)
  • IETF protocols
  • most that use encryption are naturally AES
    ready
  • AES phased in over next 2 or 3 years from year
    2000
  • DES will remain for backwards compatibility till
    2003

67
Finally
  • a standard for cryptographic algorithms to
    protect international commerce and communications
  • Everything in the cipher world from now on will
    be measured, quantified, and compared to AES.
    Be it speed, strength, block size, key size,
    number of rounds, and so on it will be relative
    to the AES. It is the yardstick! --Raif S.
    Naffah, senior software engineer, Forge Research
  • openness about the design
  • strong endorsement of the public-sector
    cryptographic expertise

68
Levels of security
  • An encryption scheme is unconditionally secure if
    the ciphertext generated by the scheme does not
    contain enough information to determine uniquely
    the corresponding plaintext.
  • An encryption scheme is computationally secure
    if the cost of breaking the cipher exceeds the
    value of the encrypted information or the time
    requited to break the cipher exceeds the lifetime
    of the information.

69
Average time needed to break a secret key
cryptosystem
70
Public Key Cryptography
  • Public Key cryptography
  • Each key pair consists of a public and private
    component k (public key), k- (private key)
  • D( E(p, k), k- ) p
  • D( E(p, k-), k ) p
  • Public keys are distributed (typically) through
    public key certificates
  • Anyone can communicate secretly with you, if
    they have your certificate
  • E.g., SSL-base web commerce

71
RSA (Rivest, Shamir, Adelman)
  • A dominant public key algorithm
  • The algorithm itself is conceptually simple
  • Why it is secure is very deep (number thoery)
  • Use properties of exponentiation modulo a product
    of large primes
  • "A method for obtaining Digital Signatures and
    Public Key Cryptosystems, Communications of the
    ACM, Feb., 1978 21(2) pages 120-126.

72
RSA Key Generation
  • Pick two large primes p and q
  • Calculate n pq
  • Pick e such that it is relatively prime to phi(n)
    (q-1)(p-1) Eulers Totient Function
  • d e-1 mod phi(n) or
  • de mod phi(n) 1
  • p3, q11
  • n 311 33
  • phi(n) (210) 20
  • e 7 GCD(20,7) 1 Euclids Algorithm
  • d 7-1 mod 20
  • d7 mod 20 1
  • d 3

To Crack factor n into p q
73
RSA Encryption/Decryption
  • Public key k is e,n and private key k- is
    d,n
  • Encryption and Decryption
  • E(k,P) ciphertext plaintexte mod n
  • D(k-,C) plaintext ciphertextd mod n
  • Example
  • Public key (7,33), Private Key (3,33)
  • Data 4 (encoding of actual data)
  • E(7,33,4) 47 mod 33 16384 mod 33 16
  • D(3,33,16) 163 mod 33 4096 mod 33 4

74
Encryption using private key
  • Encryption and Decryption
  • E(k-,P) ciphertext plaintextd mod n
  • D(k,C) plaintext ciphertexte mod n
  • E.g.,
  • E(3,45,4) 43 mod 33 64 mod 33 31
  • D(7,45,19) 317 mod 33 27,512,614,111 mod 33
    4
  • Q Why encrypt with private key?

75
The symmetric/asymmetric key tradeoff
  • Symmetric (shared) key systems
  • Efficient (Many MB/sec throughput)
  • Difficult key management
  • Kerberos
  • Key agreement protocols
  • Asymmetric (public) key systems
  • Slow algorithms (so far )
  • Easy key management
  • PKI - public key infrastructures
  • Webs of trust (PGP)
Write a Comment
User Comments (0)
About PowerShow.com