Information Security Management Cryptography - PowerPoint PPT Presentation

About This Presentation
Title:

Information Security Management Cryptography

Description:

Computer Science. Basic Terminology. plaintext - the original message ... implies a secure channel to distribute key. Fall, 2005. CPSC499 Information Security ... – PowerPoint PPT presentation

Slides: 79
Provided by: onewe

Transcript and Presenter's Notes


1
Information Security Management-- Cryptography
2
Summary
  • Symmetric Encryption
  • Public Encryption
  • Digital Signature
  • Key Distribution

3
Basic Terminology
  • plaintext - the original message
  • ciphertext - the coded message
  • cipher - algorithm for transforming plaintext to
    ciphertext
  • key - info used in cipher known only to
    sender/receiver
  • encipher (encrypt) - converting plaintext to
    ciphertext
  • decipher (decrypt) - recovering plaintext from
    ciphertext
  • cryptography - study of encryption
    principles/methods
  • cryptanalysis (codebreaking) - the study of
    principles/ methods of deciphering ciphertext
    without knowing key
  • cryptology - the field of both cryptography and
    cryptanalysis

4
The language of cryptography
[Figure: plaintext → encryption algorithm (Alice's encryption key) → ciphertext → decryption algorithm (Bob's decryption key) → plaintext]
  • symmetric key crypto: sender, receiver keys
    identical
  • public-key crypto: encryption key public,
    decryption key secret (private)

5
Symmetric Encryption
  • or conventional / secret-key / single-key
  • sender and recipient share a common key
  • all classical encryption algorithms are
    private-key
  • was only type prior to invention of public-key in
    1970s

6
Symmetric Cipher Model
7
Symmetric Key Cryptography
[Figure: plaintext message, m → encryption algorithm → ciphertext KA-B(m) → decryption algorithm → plaintext]
  • symmetric key crypto: Bob and Alice share (know) the
    same (symmetric) key: KA-B
  • e.g., key is knowing substitution pattern in mono
    alphabetic substitution cipher

8
Requirements
  • two requirements for secure use of symmetric
    encryption
  • a strong encryption algorithm
  • a secret key known only to sender / receiver
  • Y = E_K(X)
  • X = D_K(Y)
  • assume encryption algorithm is known
  • implies a secure channel to distribute key

9
Cryptography
  • can characterize by
  • type of encryption operations used
  • substitution / transposition / product
  • number of keys used
  • single-key or private / two-key or public
  • way in which plaintext is processed
  • block / stream

10
More Definitions
  • unconditional security
  • no matter how much computer power is available,
    the cipher cannot be broken since the ciphertext
    provides insufficient information to uniquely
    determine the corresponding plaintext
  • computational security
  • given limited computing resources (eg time needed
    for calculations is greater than age of
    universe), the cipher cannot be broken

11
Classical Substitution Ciphers
  • where letters of plaintext are replaced by other
    letters or by numbers or symbols
  • or if plaintext is viewed as a sequence of bits,
    then substitution involves replacing plaintext
    bit patterns with ciphertext bit patterns

12
Caesar Cipher
  • earliest known substitution cipher
  • by Julius Caesar
  • first attested use in military affairs
  • replaces each letter by 3rd letter later
  • example
  • meet me after the toga party
  • PHHW PH DIWHU WKH WRJD SDUWB

13
Caesar Cipher
  • can define transformation as
      a b c d e f g h i j k l m n o p q r s t u v w x y z
      D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
  • mathematically give each letter a number
      a  b  c  d  e  f  g  h  i  j  k  l  m
      0  1  2  3  4  5  6  7  8  9  10 11 12
      n  o  p  q  r  s  t  u  v  w  x  y  z
      13 14 15 16 17 18 19 20 21 22 23 24 25
  • then have Caesar cipher as
      C = E(p) = (p + k) mod 26
      p = D(C) = (C - k) mod 26

14
Cryptanalysis of Caesar Cipher
  • only have 26 possible ciphers
  • A maps to A,B,..Z
  • could simply try each in turn
  • a brute force search
  • given ciphertext, just try all shifts of letters
  • do need to recognize when have plaintext
  • eg. break ciphertext "ERE L ORYH BRX DOLFH"
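
Added example (not part of the original slides): the Caesar cipher of slides 12-13 and the brute force search of slide 14, including the step of recognising when a candidate is plaintext. The word list is a small constructed stand-in for a dictionary, and the function names are chosen for this example.

```python
import string

ALPHABET = string.ascii_uppercase

# Constructed mini word list used to recognise English plaintext. A real tool
# would load a full dictionary or score letter frequencies instead.
COMMON_WORDS = {"A", "I", "ME", "TO", "OF", "IN", "THE", "AND", "YOU",
                "LOVE", "MEET", "AFTER", "PARTY"}


def shift(text, k):
    """Apply C = (p + k) mod 26 to each letter; other characters pass through."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + k) % 26])
        else:
            out.append(ch)
    return "".join(out)


def encrypt(plaintext, k=3):
    return shift(plaintext, k)


def decrypt(ciphertext, k=3):
    return shift(ciphertext, -k)


def brute_force(ciphertext):
    """Try all 26 keys and return (key, plaintext) for the candidate that
    contains the most recognised words."""
    best = (-1, None, None)
    for k in range(26):
        guess = decrypt(ciphertext, k)
        hits = sum(word in COMMON_WORDS for word in guess.split())
        if hits > best[0]:
            best = (hits, k, guess)
    return best[1], best[2]


if __name__ == "__main__":
    print(encrypt("meet me after the toga party"))
    print(brute_force("ERE L ORYH BRX DOLFH"))
```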

15
Symmetric Encryption Example-- Substitution
[Figure: plaintext message, m → encryption algorithm → ciphertext KA-B(m) → decryption algorithm → plaintext]
  • Plaintext
  • KA-B
  • Ciphertext
  • Encryption algorithm
  • Decryption algorithm

16
Monoalphabetic Ciphers
  • Cipher line can be any permutation of the 26
    alphabetic char
  • Statistical analysis
  • Letters e and t are the most frequent
    occurring letters
  • Two and three letter occurrences of letters
    appear quite often together, like "the", "in"
  • Guess the appearance of the words

17
Types of Cryptanalytic Attacks
  • ciphertext only
  • only know algorithm / ciphertext, statistical,
    can identify plaintext
  • known plaintext
  • know/suspect plaintext & ciphertext to attack
    cipher
  • chosen plaintext
  • select plaintext and obtain ciphertext to attack
    cipher

18
Brute Force Search
  • always possible to simply try every key
  • most basic attack, proportional to key size
  • assume either know / recognise plaintext

19
Chosen-Plaintext Attack
Crook 1 changes his PIN to a number of his choice
repeat for any PIN value
20
Polyalphabetic encryption
  • monoalphabetic ciphers Caesar cipher.
  • Two Caesar ciphers (k=5, k=19)
  • Repeating pattern: c1, c2, c2, c1, c2

21
Transposition Ciphers
  • now consider classical transposition or
    permutation ciphers
  • these hide the message by rearranging the letter
    order
  • without altering the actual letters used
  • can recognise these since have the same frequency
    distribution as the original text

22
Rail Fence cipher
  • write message letters out diagonally over a
    number of rows
  • then read off cipher row by row
  • eg. write message out as
  • m e m a t r h t g p r y
  • e t e f e t e o a a t
  • giving ciphertext
  • MEMATRHTGPRYETEFETEOAAT

23
Row Transposition Ciphers
  • a more complex scheme
  • write letters of message out in rows over a
    specified number of columns
  • then reorder the columns according to some key
    before reading off the rows
  • Key:        4 3 1 2 5 6 7
  • Plaintext:  a t t a c k p
                o s t p o n e
                d u n t i l t
                w o a m x y z
  • Ciphertext: TTNAAPTMTSUOAODWCOIXKNLYPETZ

24
Product Ciphers
  • ciphers using substitutions or transpositions are
    not secure because of language characteristics
  • hence consider using several ciphers in
    succession to make harder, but
  • two substitutions make a more complex
    substitution
  • two transpositions make more complex
    transposition
  • but a substitution followed by a transposition
    makes a new much harder cipher
  • this is bridge from classical to modern ciphers

25
Simple Idea One-Time Pad
[Figure: plaintext 10111101 ⊕ key 00110010 = ciphertext 10001111; ciphertext 10001111 ⊕ key 00110010 = plaintext 10111101]
Key is a never-repeating bit sequence as long as
plaintext
Encrypt by bitwise XOR of plaintext and key:
ciphertext = plaintext ⊕ key
Decrypt by bitwise XOR of ciphertext and key:
ciphertext ⊕ key = (plaintext ⊕ key) ⊕ key =
plaintext ⊕ (key ⊕ key) = plaintext
Cipher achieves perfect secrecy if and only if
there are as many possible keys as possible
plaintexts, and every key is equally likely
(Claude Shannon's result)
26
Advantages of One-Time Pad
  • Easy to compute
  • Encryption and decryption are the same operation
  • Bitwise XOR is very cheap to compute
  • As secure as possible
  • Given a ciphertext, all plaintexts are equally
    likely, regardless of attacker's computational
    resources
  • as long as the key sequence is truly random
  • True randomness is expensive to obtain in large
    quantities
  • as long as each key is same length as plaintext
  • But how does the sender communicate the key to
    receiver?

27
Problems with One-Time Pad
  • Key must be as long as plaintext
  • Impractical in most realistic scenarios
  • Still used for diplomatic and intelligence
    traffic
  • Does not guarantee integrity
  • One-time pad only guarantees confidentiality
  • Attacker cannot recover plaintext, but can easily
    change it to something else
  • Insecure if keys are reused
  • Attacker can obtain XOR of plaintexts
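
Added example (not part of the original slides): the two one-time pad problems listed above, shown on constructed messages. Reusing a pad makes the key cancel out of the XOR of two ciphertexts, and a ciphertext can be changed to decrypt to a chosen text without knowing the key. Function names and sample messages are chosen for this example.

```python
import secrets


def xor_bytes(a, b):
    """Bitwise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("a one-time pad key must be exactly as long as the message")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(plaintext, pad):
    return xor_bytes(plaintext, pad)


# Decryption is the same operation: (p XOR k) XOR k = p.
otp_decrypt = otp_encrypt


def reused_pad_leak(c1, c2):
    """With one pad used twice, c1 XOR c2 = p1 XOR p2: the key drops out."""
    return xor_bytes(c1, c2)


def recover_second_message(c1, c2, known_p1):
    """Anyone who knows or guesses p1 gets p2 from the two ciphertexts alone."""
    return xor_bytes(reused_pad_leak(c1, c2), known_p1)


def rewrite_in_transit(ciphertext, old, new, offset):
    """No integrity: XOR (old XOR new) into the ciphertext at `offset` and the
    receiver decrypts `new` where the sender wrote `old`. The key is not used."""
    delta = xor_bytes(old, new)
    patched = bytearray(ciphertext)
    for i, d in enumerate(delta):
        patched[offset + i] ^= d
    return bytes(patched)


if __name__ == "__main__":
    # Constructed sample messages of equal length.
    m1, m2 = b"MEET AT NOON", b"MEET AT FIVE"
    pad = secrets.token_bytes(len(m1))
    c1, c2 = otp_encrypt(m1, pad), otp_encrypt(m2, pad)   # pad reused: the mistake
    print(recover_second_message(c1, c2, m1))
    print(otp_decrypt(rewrite_in_transit(c1, b"NOON", b"FIVE", 8), pad))
```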

28
Modern Block Ciphers
  • will now look at modern block ciphers
  • one of the most widely used types of
    cryptographic algorithms
  • provide secrecy and/or authentication services
  • in particular will introduce DES (Data Encryption
    Standard)

29
Block vs Stream Ciphers
  • block ciphers process messages into blocks, each
    of which is then en/decrypted
  • like a substitution on very big characters
  • 64-bits or more
  • stream ciphers process messages a bit or byte at
    a time when en/decrypting
  • many current ciphers are block ciphers
  • hence are focus of course

30
Block Ciphers
  • Operates on a single chunk (block) of plaintext
  • For example, 64 bits for DES
  • Same key is reused for each block (can use short
    keys)
  • Result should look like a random permutation
  • As if plaintext bits were randomly shuffled
  • Only computational guarantee of secrecy
  • Not impossible to break, just very expensive
  • If there is no efficient algorithm (unproven
    assumption!), then can only break by brute-force,
    try-every-possible-key search
  • Time/cost of breaking the cipher exceeds the
    value and/or useful lifetime of protected
    information

31
Permutation
[Figure: a permutation box mapping positions 1-4 to new positions]
CODE becomes DCEO
  • For N-bit input, N! possible permutations
  • Idea: split plaintext into blocks, for each block
    use secret key to pick a permutation, rinse and
    repeat
  • Without the key, permutation should look random

32
Block Cipher Operation (Simplified)
[Figure: a block of plaintext and the key feed successive rows of S-boxes]
Add some secret key bits to provide confusion
Each S-box permutes its input bits in a
random-looking way to provide diffusion
(spread plaintext bits throughout ciphertext)
Procedure must be reversible (for decryption)
33
Block Cipher Principles
  • needed since must be able to decrypt ciphertext
    to recover messages efficiently
  • block ciphers look like an extremely large
    substitution
  • instead create from smaller building blocks
  • using idea of a product cipher

34
Claude Shannon and Substitution-Permutation
Ciphers
  • in 1949 Claude Shannon introduced idea of
    substitution-permutation (S-P) networks
  • modern substitution-transposition product cipher
  • these form the basis of modern block ciphers
  • S-P networks are based on the two primitive
    cryptographic operations we have seen before
  • substitution (S-box)
  • permutation (P-box)
  • provide confusion and diffusion of message

35
Confusion and Diffusion
  • cipher needs to completely obscure statistical
    properties of original message
  • a one-time pad does this
  • more practically Shannon suggested combining
    elements to obtain
  • diffusion dissipates statistical structure of
    plaintext over bulk of ciphertext
  • confusion makes relationship between ciphertext
    and key as complex as possible

36
Data Encryption Standard (DES)
  • most widely used block cipher in world
  • adopted in 1977 by NBS (now NIST
    http://www.itl.nist.gov/fipspubs/fip46-2.htm )
  • encrypts 64-bit data using 56-bit key
  • has widespread use
  • has been considerable controversy over its
    security

37
DES History
  • IBM developed Lucifer cipher
  • by team led by Feistel
  • used 64-bit data blocks with 128-bit key
  • then redeveloped as a commercial cipher with
    input from NSA and others
  • in 1973 NBS issued request for proposals for a
    national cipher standard
  • IBM submitted their revised Lucifer which was
    eventually accepted as the DES

38
DES Encryption
39
Strength of DES Key Size
  • 56-bit keys have 2^56 = 7.2 x 10^16 values
  • brute force search looks hard
  • recent advances have shown is possible
  • in 1997 on Internet in a few months
  • in 1998 on dedicated h/w (EFF) in a few days
  • in 1999 above combined in 22hrs!
  • still must be able to recognize plaintext

40
Design Principles
  • block size
  • increasing size improves security, but slows
    cipher
  • key size
  • increasing size improves security, makes
    exhaustive key searching harder, but may slow
    cipher
  • number of rounds
  • increasing number improves security, but slows
    cipher
  • subkey generation
  • greater complexity can make analysis harder, but
    slows cipher
  • round function
  • greater complexity can make analysis harder, but
    slows cipher
  • fast software en/decryption & ease of analysis
  • are more recent concerns for practical use and
    testing

41
Confidentiality using Symmetric Encryption
  • have two major placement alternatives
  • link encryption
  • encryption occurs independently on every link
  • implies must decrypt traffic between links
  • end-to-end encryption
  • encryption occurs between original source and
    final destination
  • need devices at each end with shared keys

42
Placement of Encryption
  • can place encryption function at various layers
    in OSI Reference Model
  • link encryption occurs at layers 1 or 2
  • end-to-end can occur at layers 3, 4, 6, 7
  • as move higher less information is encrypted but
    it is more secure though more complex with more
    entities and keys

43
Summary
  • Symmetric encryption
  • Public encryption
  • Digital Signature
  • Key distribution

44
Private-Key Cryptography
  • traditional private/secret/single key
    cryptography uses one key
  • shared by both sender and receiver
  • if this key is disclosed communications are
    compromised
  • also is symmetric, parties are equal
  • hence does not protect sender from receiver
    forging a message claiming is sent by sender

45
Public-Key Cryptography
  • probably most significant advance in the 3000
    year history of cryptography
  • uses two keys - a public & a private key
  • asymmetric since parties are not equal
  • uses clever application of number theoretic
    concepts to function
  • complements rather than replaces private key
    crypto

46
Public-Key Cryptography
  • public-key/two-key/asymmetric cryptography
    involves the use of two keys
  • a public-key, which may be known by anybody, and
    can be used to encrypt messages, and verify
    signatures
  • a private-key, known only to the recipient, used
    to decrypt messages, and sign (create) signatures
  • is asymmetric because
  • those who encrypt messages or verify signatures
    cannot decrypt messages or create signatures

47
Public-Key Cryptography
48
Public-Key Characteristics
  • Public-Key algorithms rely on two keys with the
    characteristics that it is
  • computationally infeasible to find decryption key
    knowing only algorithm & encryption key
  • computationally easy to en/decrypt messages when
    the relevant (en/decrypt) key is known
  • either of the two related keys can be used for
    encryption, with the other used for decryption
    (in some schemes)

49
Public-Key Cryptosystems
50
Public-Key Applications
  • can classify uses into 3 categories
  • encryption/decryption (provide secrecy)
  • digital signatures (provide authentication)
  • key exchange (of session keys)
  • some algorithms are suitable for all uses, others
    are specific to one

51
Security of Public Key Schemes
  • like private key schemes brute force exhaustive
    search attack is always theoretically possible
  • but keys used are too large (>512 bits)
  • security relies on a large enough difference in
    difficulty between easy (en/decrypt) and hard
    (cryptanalysis) problems
  • more generally the hard problem is known, it's
    just made too hard to do in practise
  • requires the use of very large numbers
  • hence is slow compared to secret key schemes

52
Public key encryption algorithms
Requirements
  • need K_B^+( ) and K_B^-( ) such that
  • given public key K_B^+, it should be impossible to
    compute private key K_B^-
RSA: Rivest, Shamir, Adleman algorithm
53
RSA Choosing keys
1. Choose two large prime numbers p, q.
(e.g., 1024 bits each)
2. Compute n = pq, z = (p-1)(q-1)
3. Choose e (with e < n) that has no common
factors with z. (e, z are relatively prime).
4. Choose d such that ed-1 is exactly divisible
by z. (in other words: ed mod z = 1 ).
5. Public key is (n,e). Private key is (n,d).
54
RSA Encryption, decryption
0. Given (n,e) and (n,d) as computed above
2. To decrypt received bit pattern, c, compute
c^d mod n
(i.e., remainder when c^d is divided by n)
Magic happens!
55
RSA example
Bob chooses p=5, q=7. Then n=35, z=24.
e=5 (so e, z relatively prime). d=29 (so ed-1
exactly divisible by z).

encrypt:  letter   m    m^e       c = m^e mod n
          l        12   1524832   17

decrypt:  c    c^d                                    m = c^d mod n   letter
          17   481968572106750915091411825223071697   12              l
56
RSA Why is that
Useful number theory result: If p, q prime and n =
pq, then
(using number theory result above)
(since we chose ed to be divisible by (p-1)(q-1)
with remainder 1 )
57
RSA another important property
The following property will be very useful later
use public key first, followed by private key
use private key first, followed by public key
Result is the same!
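
Added example (not part of the original slides): the key-choice steps, encryption and decryption with Bob's numbers (p=5, q=7, e=5, d=29, m=12), a check of the "either order" property for every message value, and a last function showing why primes this small give no protection. Function names are chosen for this example; real RSA uses large primes and padding, which this sketch omits.

```python
from math import gcd


def make_keys(p, q, e, d=None):
    """Steps 2-5 of 'Choosing keys'. If d is omitted, use the smallest valid d."""
    n, z = p * q, (p - 1) * (q - 1)
    if not 1 < e < n or gcd(e, z) != 1:
        raise ValueError("e must be < n and relatively prime to z")
    if d is None:
        d = pow(e, -1, z)              # modular inverse, Python 3.8+
    elif (e * d - 1) % z != 0:
        raise ValueError("ed - 1 must be exactly divisible by z")
    return (n, e), (n, d)


def apply_key(key, value):
    """value^exponent mod n: one operation for encrypt, decrypt, sign, verify."""
    n, exponent = key
    if not 0 <= value < n:
        raise ValueError("value must be in the range 0..n-1")
    return pow(value, exponent, n)


def order_does_not_matter(public, private):
    """Public-then-private and private-then-public both return m, for all m."""
    n = public[0]
    return all(
        apply_key(private, apply_key(public, m)) == m
        and apply_key(public, apply_key(private, m)) == m
        for m in range(n)
    )


def recover_private_exponent(public):
    """With a toy modulus, trial division finds p and q, and the key-choice
    arithmetic then yields a working d from the public key alone."""
    n, e = public
    p = next(f for f in range(2, n) if n % f == 0)
    z = (p - 1) * (n // p - 1)
    return pow(e, -1, z)


if __name__ == "__main__":
    public, private = make_keys(5, 7, 5, d=29)   # Bob's numbers from the slide
    c = apply_key(public, 12)                    # letter 'l' encoded as m = 12
    print("ciphertext:", c, "decrypted:", apply_key(private, c))
    print("order property holds:", order_does_not_matter(public, private))
    print("d recovered from (n, e):", recover_private_exponent(public))
```

The recovered exponent is 5 rather than 29; both satisfy ed mod z = 1, so either one decrypts.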
58
Summary
  • Symmetric encryption
  • Public encryption
  • Digital Signature
  • Key distribution

59
Digital Signatures
  • Cryptographic technique analogous to hand-written
    signatures.
  • sender (Bob) digitally signs document,
    establishing he is document owner/creator.
  • verifiable, nonforgeable: recipient (Alice) can
    prove to someone that Bob, and no one else
    (including Alice), must have signed document

60
Digital Signatures
  • Simple digital signature for message m
  • Bob signs m by encrypting with his private key
    K_B^-, creating signed message, K_B^-(m)

[Figure: Bob's message, m ("Dear Alice Oh, how I have missed you. I think of you all the time! (blah blah blah) Bob") and Bob's private key K_B^- go into the public key encryption algorithm, giving K_B^-(m): Bob's message, m, signed (encrypted) with his private key]
61
Digital Signatures (more)
  • Suppose Alice receives msg m, digital signature
    K_B^-(m)
  • Alice verifies m signed by Bob by applying Bob's
    public key K_B^+ to K_B^-(m) then checks
    K_B^+(K_B^-(m)) = m.
  • If K_B^+(K_B^-(m)) = m, whoever signed m must have
    used Bob's private key.
  • Alice thus verifies that
  • Bob signed m.
  • No one else signed m.
  • Bob signed m and not m'.
  • Non-repudiation
  • Alice can take m, and signature K_B^-(m) to court
    and prove that Bob signed m.

62
Internet checksum: poor crypto hash function
  • Internet checksum has some properties of hash
    function
  • produces fixed length digest (16-bit sum) of
    message
  • is many-to-one

But given message with given hash value, it is
easy to find another message with same hash
value

message     ASCII format        message     ASCII format
I O U 9     49 4F 55 39         I O U 1     49 4F 55 31
0 0 . 1     30 30 2E 31         0 0 . 9     30 30 2E 39
9 B O B     39 42 D2 42         9 B O B     39 42 D2 42
            B2 C1 D2 AC                     B2 C1 D2 AC

different messages but identical checksums!
63
Message Digests
  • Computationally expensive to public-key-encrypt
    long messages
  • Goal: fixed-length, easy-to-compute digital
    fingerprint
  • apply hash function H to m, get fixed size
    message digest, H(m).
  • Hash function properties
  • many-to-1
  • produces fixed-size msg digest (fingerprint)
  • given message digest x, computationally
    infeasible to find m such that x = H(m)
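
Added example (not part of the original slides): the checksum collision from slide 62 next to a cryptographic message digest as described on slide 63. The checksum here is the slide's simplified sum of 4-byte words, not the real 16-bit Internet checksum of RFC 1071; SHA-256 is used as the hash function H, a choice made for this example, and the function names are hypothetical.

```python
import hashlib


def word_sum(message, word_size=4):
    """Add the message as big-endian words, discarding any carry out of the
    top byte. Short final words are zero-padded."""
    data = message + b"\x00" * (-len(message) % word_size)
    total = sum(int.from_bytes(data[i:i + word_size], "big")
                for i in range(0, len(data), word_size))
    return total % (1 << (8 * word_size))


def same_sum_variant(message, i, j, delta, word_size=4):
    """Build a different message with the same word_sum: add `delta` to byte i
    and subtract it from byte j, where both bytes sit in the same column of
    their words, so the column total is unchanged."""
    if i % word_size != j % word_size:
        raise ValueError("bytes i and j must be in the same word column")
    out = bytearray(message)
    if not (0 <= out[i] + delta <= 255 and 0 <= out[j] - delta <= 255):
        raise ValueError("delta would overflow a byte")
    out[i] += delta
    out[j] -= delta
    return bytes(out)


def sha256_hex(message):
    return hashlib.sha256(message).hexdigest()


if __name__ == "__main__":
    original = b"IOU100.99BOB"
    # Turn the '1' at index 3 into '9' (+8) and the '9' at index 7 into '1' (-8).
    altered = same_sum_variant(original, 3, 7, 8)
    for msg in (original, altered):
        print(msg, format(word_sum(msg), "08X"), sha256_hex(msg)[:16])
```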

64
Digital signature = signed message digest
  • Bob sends digitally signed message
  • Alice verifies signature and integrity of
    digitally signed message

[Figure labels: H(m), Bob's private key, Bob's public key, equal?]
65
Digital Envelopes-- Symmetric & Asymmetric
  • Generate a secret key (session key) at random.
  • Encrypt the message using the session key and
    symmetric algorithm.
  • Encrypt the session key with the recipient's
    public key. This becomes the digital envelope.
  • Send the encrypted message and the digital
    envelope to the recipient.

66
Summary
  • Symmetric encryption
  • Public encryption
  • Digital Signature
  • Key distribution

67
Key Distribution
  • symmetric schemes require both parties to share a
    common secret key
  • issue is how to securely distribute this key
  • often secure system failure due to a break in the
    key distribution scheme

68
Key Distribution
  • given parties A and B have various key
    distribution alternatives
  • A can select key and physically deliver to B
  • third party can select & deliver key to A & B
  • if A & B have communicated previously can use
    previous key to encrypt a new key
  • if A & B have secure communications with a third
    party C, C can relay key between A & B

69
Trusted Intermediaries
  • Symmetric key problem
  • How do two entities establish shared secret key
    over network?
  • Solution
  • trusted key distribution center (KDC) acting as
    intermediary between entities
  • Public key problem
  • When Alice obtains Bob's public key (from web
    site, e-mail, diskette), how does she know it is
    Bob's public key, not Trudy's?
  • Solution
  • trusted certification authority (CA)

70
Key Distribution Center (KDC)
  • Alice, Bob need shared symmetric key.
  • KDC server shares different secret key with each
    registered user (many users)
  • Alice, Bob know own symmetric keys, KA-KDC, KB-KDC,
    for communicating with KDC.

KDC
71
Key Distribution Center (KDC)
Q: How does KDC allow Bob, Alice to determine
shared symmetric secret key to communicate with
each other?
[Figure: message exchange]
  Alice to KDC: KA-KDC(A,B)
  KDC generates R1
  KDC to Alice: KA-KDC(R1, KB-KDC(A,R1) )
  Alice knows R1
  Alice to Bob: KB-KDC(A,R1)
  Bob knows to use R1 to communicate with Alice
Alice and Bob communicate using R1 as session
key for shared symmetric encryption
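
Added example (not part of the original slides): the three KDC messages above as running code, showing that Alice and Bob end up with the same R1 and that Alice carries Bob's ticket KB-KDC(A,R1) without being able to open it. The seal/unseal pair is a stand-in cipher built from SHA-256 and HMAC so the example needs only the standard library; it and all names here are assumptions of this example, not what a real KDC uses.

```python
import hashlib
import hmac
import json
import secrets


def keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def subkeys(key):
    # Separate keys for encryption and for the integrity tag.
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()


def seal(key, fields):
    """Stand-in for the slide's K(...): encrypt a dict and append an HMAC tag."""
    enc_key, mac_key = subkeys(key)
    data, nonce = json.dumps(fields).encode(), secrets.token_bytes(16)
    body = bytes(a ^ b for a, b in zip(data, keystream(enc_key, nonce, len(data))))
    tag = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    return (nonce + body + tag).hex()


def unseal(key, blob_hex):
    enc_key, mac_key = subkeys(key)
    blob = bytes.fromhex(blob_hex)
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or modified message")
    data = bytes(a ^ b for a, b in zip(body, keystream(enc_key, nonce, len(body))))
    return json.loads(data)


def can_open(key, blob_hex):
    try:
        unseal(key, blob_hex)
        return True
    except ValueError:
        return False


class KDC:
    def __init__(self):
        self.keys = {}                       # one long-term key per registered user

    def register(self, name):
        self.keys[name] = secrets.token_bytes(32)
        return self.keys[name]

    def request_session(self, sender, sealed_request):
        request = unseal(self.keys[sender], sealed_request)      # KA-KDC(A,B)
        if request["from"] != sender:
            raise ValueError("request does not match sender")
        r1 = secrets.token_hex(16)                               # KDC generates R1
        ticket = seal(self.keys[request["to"]], {"from": sender, "key": r1})
        return seal(self.keys[sender], {"key": r1, "ticket": ticket})


def run_exchange():
    kdc = KDC()
    ka, kb = kdc.register("A"), kdc.register("B")
    reply = unseal(ka, kdc.request_session("A", seal(ka, {"from": "A", "to": "B"})))
    bob_view = unseal(kb, reply["ticket"])                       # Alice forwards the ticket
    return {"alice_r1": reply["key"], "bob_r1": bob_view["key"],
            "peer_seen_by_bob": bob_view["from"], "ticket": reply["ticket"],
            "kb": kb, "alice_can_open_ticket": can_open(ka, reply["ticket"])}
```
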
72
Key Management (public)
  • public-key encryption helps address key
    distribution problems
  • have two aspects of this
  • distribution of public keys
  • use of public-key encryption to distribute secret
    keys

73
Distribution of Public Keys
  • can be considered as using one of
  • Public announcement
  • Publicly available directory
  • Public-key authority
  • Public-key certificates

74
Public Announcement
  • users distribute public keys to recipients or
    broadcast to community at large
  • eg. append PGP keys to email messages or post to
    news groups or email list
  • major weakness is forgery
  • anyone can create a key claiming to be someone
    else and broadcast it
  • until forgery is discovered can masquerade as
    claimed user

75
Certification Authorities
  • Certification authority (CA) binds public key to
    particular entity, E.
  • E (person, router) registers its public key with
    CA.
  • E provides proof of identity to CA.
  • CA creates certificate binding E to its public
    key.
  • certificate containing E's public key digitally
    signed by CA: CA says "this is E's public key"

[Figure: Bob's public key and Bob's identifying information are signed with the CA private key, giving the certificate for Bob's public key, signed by CA]
76
Certification Authorities
  • When Alice wants Bob's public key
  • gets Bob's certificate (Bob or elsewhere).
  • apply CA's public key to Bob's certificate, get
    Bob's public key

[Figure labels: Bob's public key, CA public key]

77
A certificate contains
  • Serial number (unique to issuer)
  • info about certificate owner, including algorithm
    and key value itself (not shown)
  • info about certificate issuer
  • valid dates
  • digital signature by issuer

78
Summary
  • Symmetric encryption
  • Public encryption
  • Digital Signature
  • Key distribution