Chapter 8 Cryptography Part C - PowerPoint PPT Presentation

Slides: 64
Provided by: matt293
Transcript and Presenter's Notes

1
Chapter 8 Cryptography (Part C)
  • Hybrid Encryption methods
  • Message integrity
  • PKI
  • Cryptanalysis

2
Hybrid cryptosystem
  • In a hybrid system, an asymmetric algorithm and a
    symmetric algorithm are used in a complementary
    manner
  • An asymmetric algorithm creates keys that are
    used for automated key distribution.
  • A symmetric algorithm creates keys that are used
    for encrypting bulk data

3
  • Q1: Why do we use the asymmetric key on the
    symmetric key and the symmetric key on the
    message?
  • Q2: Can you write the hybrid encryption/decryption
    process with formulas?

4
Session key in hybrid cryptosystem
  • Review: In proper implementations, we should be
    encrypting data with session keys
  • A session key is good only for that one session
  • A session key should be generated as the
    symmetric key in hybrid cryptosystems
  • Hybrid cryptosystem is implemented in many
    applications (in later sections)

5
Index
  • Hybrid Encryption methods
  • Message integrity
  • PKI
  • Cryptanalysis

6
Message integrity
  • Parity bits and cyclic redundancy check (CRC)
    functions have been used in protocols to detect
    modifications in streams of bits as they are
    passed from one computer to another
  • These can usually only detect unintentional
    modifications.
  • Q1: What is a parity bit?
  • Q2: What is CRC?
  • These measures cannot prevent intentional
    modifications.
  • An attacker can intercept data, alter it,
    calculate new parity bits or a new CRC, and
    retransmit the modified data.
  • The solution:

7
One-way Hash
  • A one-way hash is a function that takes a
    variable-length string and produces a fixed-length
    hash value.
  • The function is run in only one direction.
  • The hash value is also called a message digest or
    fingerprint.
  • The hashing one-way function takes place without
    the use of any keys.

8
One-way Hash
  • How does one-way hash work?

9
Message authentication code (MAC)
  • A plain hash cannot protect message integrity.
  • We need to use message authentication code (MAC),
    a.k.a. message integrity code (MIC)
  • A symmetric key is involved in MAC
  • Two basic types of MACs:
  • Hash MAC (HMAC)
  • CBC-MAC

10
Message authentication code (MAC)
  • The use of the symmetric key ensures that the
    only person who can verify the integrity of the
    message is the person who has a copy of this key.
  • No one else can verify the data's integrity
  • Any modifications would be detected by the
    receiver.
  • If someone were to make a change to the data, he
    could not generate the MAC value the receiver
    would be looking for.
  • MAC provides a form of authentication. It
    provides data origin authentication.

11
Hash MAC (HMAC)
  • The only difference between HMAC and a plain
    hash function is that the message is concatenated
    with a symmetric key before being put through
    a hashing function
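
As an added illustration of slides 9 to 11 (not from the original presentation): the RFC 2104 HMAC construction written from hashlib and checked against Python's hmac module, next to a tamper scenario showing why a plain hash can be recomputed by anyone who changes the message while a MAC cannot. Standardized HMAC is this nested keyed construction rather than a single hash over key and message; the key and messages below are constructed sample values.

```python
import hashlib
import hmac

BLOCK_SIZE = 64  # SHA-256 block size in bytes; RFC 2104 pads the key to this


def hmac_sha256_rfc2104(key: bytes, message: bytes) -> bytes:
    """HMAC as defined in RFC 2104: H((K ^ opad) || H((K ^ ipad) || m)).
    Keys longer than one block are hashed first, then zero-padded."""
    if len(key) > BLOCK_SIZE:
        key = hashlib.sha256(key).digest()
    key = key.ljust(BLOCK_SIZE, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha256(ipad + message).digest()
    return hashlib.sha256(opad + inner).digest()


def matches_stdlib(key: bytes, message: bytes) -> bool:
    """Cross-check the hand-written construction against Python's hmac module."""
    expected = hmac.new(key, message, hashlib.sha256).digest()
    return hmac.compare_digest(hmac_sha256_rfc2104(key, message), expected)


def plain_digest(message: bytes) -> bytes:
    return hashlib.sha256(message).digest()


def verify_plain_digest(message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(plain_digest(message), tag)


def verify_mac(key: bytes, message: bytes, tag: bytes) -> bool:
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(hmac_sha256_rfc2104(key, message), tag)


def tamper_scenario(key: bytes):
    """Return (plain_hash_accepted, mac_accepted) after an in-transit change.

    The sender tags the original message both ways. Someone without the key
    then alters the message: a plain hash can simply be recomputed over the
    new text, but the MAC tag still belongs to the original message."""
    original = b"transfer 100 to account 42"   # constructed sample message
    tampered = b"transfer 900 to account 42"
    mac_tag = hmac_sha256_rfc2104(key, original)
    forged_hash = plain_digest(tampered)        # recomputed without any key
    plain_accepted = verify_plain_digest(tampered, forged_hash)
    mac_accepted = verify_mac(key, tampered, mac_tag)
    return plain_accepted, mac_accepted
```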

12
CBC-MAC
  • In CBC mode, the sender encrypts the message with
    a symmetric block cipher. The output of the final
    block of ciphertext is used as the MAC, which is
    attached to the plaintext message and sent.
  • The receiver receives the plaintext message and
    encrypts it with the same symmetric block cipher
    in CBC mode and calculates an independent MAC
    value.
  • CBC-MAC does not use a hashing algorithm.

[Diagram: CBC-MAC chaining of the message blocks, starting from the IV]
13
Various Hashing Algorithms
  • MD2 is a one-way hash function designed by Ron
    Rivest that creates a 128-bit message digest
    value; it is much slower than the others in the
    MD family
  • MD4 is used for high-speed computation
  • MD5 is the newer version of the MD4 algorithm, more
    complex and harder to break
  • SHA was designed by NIST and the NSA and is the
    successor to MD5; it produces a 160-bit hash value,
    which is then input into an asymmetric algorithm
    that computes the signature for a message.
  • SHA-1 and SHA-2 (SHA-256, SHA-384, and SHA-512).
  • SHA-1 is employed in several widely used security
    applications and protocols: TLS and SSL, PGP,
    SSH, S/MIME, and IPsec.

14
Characteristics of good hash functions
  • A good hash function:
  • should be computed over the entire message.
  • should be a one-way function so that messages are
    not disclosed by their values.
  • given a message and its hash value, computing
    another message with the same hash value should
    be impossible.
  • should be resistant to birthday attacks (details
    next)

15
Attack Against One-Way Hash Functions
  • If the hash algorithm produces the same hash
    value for two distinctly different messages, this
    is called a collision.
  • An attacker can attempt to force a collision,
    which is referred to as a birthday attack.
  • Birthday paradox
  • Q: How many people must be in the same room for
    the probability to be more than 50% that at least
    two of them have the same birthday?

16
Birthday paradox
  • Birthday paradox
  • Given a group of 23 (or more) randomly chosen
    people, the probability is more than 50% that at
    least two of them will have the same birthday.
  • For 60 or more people, the probability is greater
    than 99%, although it cannot actually be 100%
    unless there are at least 366 people

17
Birthday paradox
  • Q: What is the implication of the birthday paradox
    for hash functions?

18
Birthday attack
  • The main way that an attacker can find a message
    matching a specific hash value is through a
    brute-force attack. Why?
  • If an attacker finds two messages with the same
    hash value, it is equivalent to finding two
    people with the same birthday.
  • The birthday attack is a type of brute-force attack.
  • Based on the birthday paradox, if the output of a
    hashing algorithm is n bits, finding two messages
    that hash to the same value requires checking
    only about 2^(n/2) messages.
  • E.g., SHA-1 generates a 160-bit hash value. The
    attacker needs approximately 2^80 computations to
    find a collision.
  • A larger hash value is less vulnerable to
    brute-force attack.
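
Added example (not part of the slides): the birthday-paradox probability from slides 15 and 16, and a generic birthday search run against a 24-bit truncation of SHA-256 to show that a collision turns up after on the order of 2^(n/2) = 2^12 trials rather than 2^24. The truncation width and the counter-style messages are constructed for the demonstration.

```python
import hashlib


def birthday_collision_probability(k: int, d: int = 365) -> float:
    """Probability that at least two of k draws from d equally likely values
    coincide: 1 - (d/d)((d-1)/d)...((d-k+1)/d)."""
    if k > d:
        return 1.0  # pigeonhole: more draws than values
    p_all_distinct = 1.0
    for i in range(k):
        p_all_distinct *= (d - i) / d
    return 1.0 - p_all_distinct


def expected_trials(n_bits: int) -> float:
    """Rule of thumb from the slide: about 2^(n/2) messages for an n-bit hash."""
    return 2 ** (n_bits / 2)


def truncated_hash(message: bytes, n_bits: int) -> int:
    """Top n_bits of SHA-256, standing in for a short-output hash function."""
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return digest >> (256 - n_bits)


def find_collision(n_bits: int, max_trials: int = 1 << 20):
    """Generic birthday search: hash constructed messages msg-1, msg-2, ...
    and remember each value seen. Returns (trials, message_a, message_b) for
    the first pair with equal truncated hash, or None if the budget runs out."""
    seen = {}
    for trial in range(1, max_trials + 1):
        msg = b"msg-%d" % trial
        h = truncated_hash(msg, n_bits)
        if h in seen:
            return trial, seen[h], msg
        seen[h] = msg
    return None
```

The same arithmetic is why SHA-1's 160-bit output never offered more than about 80 bits of collision resistance; practical SHA-1 collisions were demonstrated in 2017.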

19
Digital Signatures
  • Only using a hash function isn't enough for
    integrity.
  • The solution: encrypt the hash value with the
    sender's private key, giving a digital signature.

20
Digital Signatures
  • The hashing function ensures the integrity of the
    message
  • The signing of the hash value provides
    authentication and nonrepudiation.
  • Digital signature standard
  • In 1991, NIST proposed a federal standard called
    the Digital Signature Standard (DSS).
  • RSA and DSA are the best known and most widely
    used digital signature algorithms.
  • Q: How to provide confidentiality,
    authentication, nonrepudiation, and integrity,
    all at once?

21
Digital Signature
  • A construct that authenticates the origin and
    contents of a message in a manner provable to a
    disinterested third party (a judge)
  • Sender cannot deny having sent the message (the
    service is nonrepudiation)
  • Limited to technical proofs
  • Inability to deny one's cryptographic key was
    used to sign
  • One could claim the cryptographic key was stolen
    or compromised
  • Legal proofs, etc., are probably required; not
    dealt with here

22
Is this a digital signature ?
  • Classical: Alice, Bob share key k
  • Alice sends m || {m}_k to Bob
  • Is this a digital signature?
  • NO!
  • A third party cannot determine whether Alice or
    Bob generated the message

23
Classical Digital Signatures (details are not
required)
  • Requires a trusted third party
  • Alice, Bob each share keys with trusted party
    Cathy
  • To resolve a dispute, the judge gets {m}_kAlice and
    {m}_kBob, and has Cathy decipher them; if the
    messages match, the contract was signed.

[Diagram: Alice sends {m}_kAlice to Bob; Bob forwards {m}_kAlice to Cathy; Cathy returns {m}_kBob to Bob]
24
Public Key Digital Signatures
25
Public Key Digital Signatures
  • Alice's keys are d_Alice (private) and e_Alice
    (public)
  • Alice sends Bob
  • m || {H(m)}_dAlice
  • In case of dispute, the judge computes
  • {{H(m)}_dAlice}_eAlice
  • and if it equals H(m), Alice signed the message
  • She's the only one who knows d_Alice!

26
Index
  • Hybrid Encryption methods
  • Message integrity
  • PKI
  • Cryptanalysis

27
PKI
  • PKI is an ISO authentication framework that uses
    public key cryptography and the X.509 standard.
  • This framework enables authentication to happen
    across different networks and the Internet.
  • Particular protocols and algorithms are not
    specified
  • PKI is a hybrid system of symmetric and
    asymmetric key algorithms
  • PKI vs. public-key cryptography
  • Public-key cryptography is one piece in PKI
  • PKI contains many other pieces:
  • identify users
  • create and distribute certificates, maintain and
    revoke certificates
  • distribute and maintain encryption keys
  • enable all technologies to communicate and work
    together

28
PKI
  • PKI supplies the following security services:
  • Confidentiality
  • Access control
  • Integrity
  • Authentication
  • Nonrepudiation
  • PKI is made up of many different parts:
  • Certificate authorities (CA)
  • Registration authorities (RA)
  • Digital Certificates
  • Keys
  • Users

29
Digital certificate
  • Each entity who wants to participate in a PKI
    requires a digital certificate
  • A digital certificate is a credential that
    contains the public key for that individual along
    with other identifying information.
  • It is created and signed (digital signature) by a
    CA based on the X.509 standard, which dictates the
    different fields used in the certificate and the
    valid values that can populate those fields

30
Digital certificate revocation
  • Q: Why do we revoke digital certificates?
  • Two approaches:
  • CRL
  • A certificate revocation list (CRL) is a list of
    certificates (their serial numbers) which have
    been revoked and are no longer valid
  • A CRL is always issued by the CA which issued the
    corresponding certificates.
  • The CRL is maintained and updated periodically.
  • Problems with CRL:
  • The CRL must be checked whenever one wants to rely
    on a certificate
  • DoS against the PKI
  • OCSP
  • An alternative to using CRLs which is especially
    useful for software clients is the Online
    Certificate Status Protocol (OCSP).
  • OCSP has the primary benefit of requiring less
    network bandwidth and thus enabling real-time and
    near real-time status checks for high-volume or
    high-value operations.

31
CA
  • A CA is a trusted organization (or server) that
    maintains and issues digital certificates.
  • The CA can be internal to an organization
  • Other CAs are organizations dedicated to this
    type of service, and other individuals and
    companies pay them to supply it.
  • Some well-known CAs are Entrust and VeriSign.
  • Different CAs can establish trust via a root CA
    or cross certification

32
RA
  • The registration authority (RA) performs the
    certificate registration duties:
  • establishes and confirms the identity of an
    individual
  • initiates the certification process with a CA on
    behalf of an end user
  • performs certificate life-cycle management
    functions.
  • The RA cannot issue certificates, but can act as
    a broker between the user and the CA.

33
PKI Structure
34
PKI Process: obtain a digital certificate
  • Alice generates a key pair, sends her public
    key and identifying information to the RA, and
    requests a digital certificate
  • After verifying Alice's ID, the RA sends a
    certificate request to the CA.
  • The CA creates a certificate with Alice's public
    key and identity information embedded. The
    certificate is stored in a public directory and
    also sent to Alice

35
PKI Process: use a digital certificate
  • Alice wants to have a secure communication with
    Bob (they haven't talked before)
  • Alice requests Bob's public key from a public
    directory.
  • The directory sends Bob's digital certificate to
    Alice. Alice verifies Bob's certificate. How?
  • Alice extracts Bob's public key, and uses this
    key to encrypt a session key.
  • Alice sends the encrypted session key and her
    certificate to Bob.
  • Q: Why does Bob need Alice's certificate, given
    he already has a session key encrypted by his
    public key?
  • Bob verifies Alice's certificate. How?
  • Alice and Bob use the session key to encrypt
    their messages.

36
Index
  • Hybrid Encryption methods
  • Message integrity
  • PKI
  • Cryptanalysis

37
Passive attacks vs. Active attacks
  • Passive attacks
  • Eavesdropping and sniffing data as it passes over
    a network
  • The attacker is not affecting the protocol,
    algorithm, key, message, or any part of the
    encryption system
  • Hard to detect; in most cases methods are put in
    place to try to prevent them rather than detect
    and stop them
  • Usually used to gain information prior to
    carrying out an active attack
  • Active attacks
  • Altering messages, modifying system files, and
    masquerading as another individual

38
Scenarios for cryptanalysis
  • Cryptanalysis can be performed under a number of
    assumptions about how much can be observed or
    found out about the system under attack
  • Ciphertext-Only Attack
  • Easy to get ciphertext by sniffing traffic
  • Very difficult to figure out the key
  • Known-Plaintext Attack
  • The attacker has a few pairs of plaintext and
    ciphertext
  • Chosen-Plaintext Attack
  • The attacker can choose the plaintext and get the
    corresponding ciphertexts
  • Chosen-Ciphertext Attack
  • The attacker can choose the ciphertext and get
    the corresponding decrypted plaintext

39
Cryptanalysis
  • Cryptanalysis is the study of methods for
    obtaining the meaning of encrypted information.
  • Typically, cryptanalysis involves finding the
    secret key
  • Cryptanalysis has coevolved together with
    cryptography. New ciphers are designed to replace
    old broken designs, and new cryptanalytic
    techniques invented to crack the improved
    schemes.
  • Frequency analysis is the basic tool for breaking
    classical ciphers.
  • In natural languages, certain letters of the
    alphabet appear more frequently than others
  • E.g., in English, "E" is likely to be the most
    common letter in any given sample of text.
    Similarly, the digraph "TH" is the most likely
    pair of letters.

40
Cryptanalysis
  • Asymmetric cryptography relies on "hard"
    mathematical problems as its basis.
  • If an improved algorithm can be found to solve
    the problem, then the system is weakened.
  • E.g., RSA security
  • In 1980, factoring a 50-digit number needed 10^12
    computer operations. By 1984, factoring
    algorithms had advanced: a 75-digit number could be
    factored in the same number of operations.
  • Advances in computing technology mean that the
    operations can be performed much faster.
  • By the start of the 21st century, 150-digit
    numbers were no longer considered a large enough
    key size for RSA.

41
Two attacks on block ciphers
  • Differential cryptanalysis
  • Eli Biham and Adi Shamir discovered differential
    cryptanalysis in the 1980s.
  • Tracing differences through the network of
    transformations, discovering where the cipher
    exhibits non-random behavior, and exploiting such
    properties to recover the key.
  • The basic method uses pairs of plaintext related
    by a constant difference -- a type of
    chosen-plaintext attack.
  • The attacker then computes the differences of the
    corresponding ciphertexts, to detect statistical
    patterns in their distribution.
  • New designs are expected to be resistant to
    Differential cryptanalysis.
  • AES has been proven secure against the attack.

42
Two attacks on block ciphers (details are not
required)
  • Linear cryptanalysis was discovered in 1992
  • The attacker carries out a known-plaintext attack
    on several different messages encrypted with the
    same key.
  • Attacker identifies specific output combinations
    and assigns probability values to different keys
    until one shows a continual pattern of having the
    highest probability.
  • The attack on DES is not generally practical,
    requiring 2^43 known plaintexts.

43
Side Channel Attacks
  • A side channel attack is any attack based on
    information gained from the physical
    implementation of a cryptosystem, rather than on
    theoretical weaknesses in the algorithms (the
    domain of cryptanalysis)
  • Examples: power consumption, radiation emissions,
    and the time it takes for certain types of data
    processing

44
Replay Attack
  • In a replay attack, an attacker captures some type
    of data and resubmits it in the hope of fooling
    the receiving device into thinking it is
    legitimate information.
  • Timestamps and sequence numbers are two
    countermeasures to replay attacks: they keep
    packets fresh

45
Attacking the Substitution Cipher
  • Exhaustive search
  • If the key space is small enough, try all
    possible keys until you find the right one
  • e.g. Caesar cipher has 26 possible keys, what is
    the expected number of trials?
  • Statistical analysis
  • Compare to 1-gram model of English

46
Statistical Attack (details are not required)
  • Ciphertext is KHOOR ZRUOG
  • Compute frequency of each letter in ciphertext
  • G 0.1, H 0.1, K 0.1, O 0.3,
    R 0.2, U 0.1, Z 0.1
  • Apply 1-gram model of English

47
Character Frequencies (1-gram model of English)
(details are not required)
48
Statistical Analysis (details are not required)
  • f(c): frequency of character c in ciphertext
  • p(x): frequency of character x in English
  • φ(i): correlation of frequency of letters in
    ciphertext with corresponding letters in English,
    assuming key is i
  • $\varphi(i) = \sum_{c=0}^{25} f(c)\,p(c - i)$
  • $\varphi(i) = 0.1\,p(6-i) + 0.1\,p(7-i) + 0.1\,p(10-i)
    + 0.3\,p(14-i) + 0.2\,p(17-i) + 0.1\,p(20-i)
    + 0.1\,p(25-i)$

49
Correlation φ(i) for 0 ≤ i ≤ 25 (details are
not required)
50
The Result of Statistical Analysis (details are
not required)
  • Most probable keys, based on φ:
  • i = 6, φ(i) = 0.0660
  • plaintext EBIIL TLOLA
  • i = 10, φ(i) = 0.0635
  • plaintext AXEEH PHKEW
  • i = 3, φ(i) = 0.0575
  • plaintext HELLO WORLD
  • i = 14, φ(i) = 0.0535
  • plaintext WTAAD LDGAS
  • The only English phrase is for i = 3. That's the key
    (3 or D)

51
Attacking the Vigenère Cipher (details are not
required)
  • Vigenère ciphers were regarded by many as
    practically unbreakable for 300 years.
  • In 1863, a Prussian major named Kasiski proposed
    a method for breaking it.
  • This method was not in fact invented by Kasiski
    but instead by Charles Babbage; its attribution
    to Kasiski is a common misconception. Babbage's
    discovery was used to aid English military
    campaigns, and was not published until several
    years later; as a result, credit for the
    development was instead given to Friedrich
    Kasiski, who made the same discovery some years
    after Babbage.

52
The Target Cipher
  • Establish period n
  • Break cipher into n parts, each part being
    enciphered using the same key letter
  • Solve each part, leveraging one part from another
  • We want to break this cipher:
  • ADQYS MIUSB OXKKT MIBHK IZOOO
  • EQOOG IFBAG KAUMF VVTAA CIDTW
  • MOCIO EQOOG BMBFV ZGGWP CIEKQ
  • HSNEW VECNE DLAAV RWKXS VNSVP
  • HCEUT QOIOF MEGJS WTPCH AJMOC
  • HIUIX

53
Step 1. Establish Period n (details are not
required)
  • Repetitions in the ciphertext occur when
    characters of the key appear over the same
    characters in the plaintext
  • e.g.
  • Key    VIGVIGVIGVIGVIGV
  • plain  THEBOYHASTHEBALL
  • cipher OPKWWECIYOPKWIRG
  • Note the key and plaintext line up over the
    repetitions (underlined on the original slide).

54
Repetitions in this cipher (details are not
required)
55
Estimate of Period n (details are not required)
  • OEQOOG is probably not a coincidence
  • It's too long for that
  • Period may be 1, 2, 3, 5, 6, 10, 15, or 30 (the
    divisors of 30, the distance between its two
    occurrences)
  • Some others have 2 in their factors, many have 3
    in their factors
  • Estimate period as 2 × 3 = 6

56
Check Period n (details are not required)
  • Index of coincidence (IC) is the probability that
    two randomly chosen letters from the ciphertext
    will be the same
  • $IC = \frac{1}{n(n-1)} \sum_{i=0}^{25} F_i (F_i - 1)$
  • n is the length of the ciphertext
  • $F_i$ is the number of times character i occurs in
    the ciphertext
  • Tabulated IC for different periods
    period 1: 0.066   period 3: 0.047   period  5: 0.044
    period 2: 0.052   period 4: 0.045   period 10: 0.041
    large period: 0.038

57
Check Period n by Computing IC (details are not
required)
  • Here, IC = 0.043
  • Indicates a key length of slightly more than 5
  • A statistical measure, so it can be in error, but
    it agrees with the previous estimate (which was 6)

58
Break cipher into n parts (details are not
required)
  • alphabet 1: AIKHOIATTOBGEEERNEOSAI
  • alphabet 2: DUKKEFUAWEMGKWDWSUFWJU
  • alphabet 3: QSTIQBMAMQBWQVLKVTMTMI
  • alphabet 4: YBMZOAFCOOFPHEAXPQEPOX
  • alphabet 5: SOIOOGVICOVCSVASHOGCC
  • alphabet 6: MXBOGKVDIGZINNVVCIJHH
  • ICs (1: 0.069, 2: 0.078, 3: 0.078, 4: 0.056,
    5: 0.124, 6: 0.043) indicate all alphabets have
    period 1
  • Exceptions are 4 and 6; assume the statistics are off
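
Added example (not from the slides) covering the steps of slides 52 to 58 on the target cipher: Kasiski repetitions and their distances, the index of coincidence against the slide's table, and the per-alphabet ICs after splitting by the estimated period. The encryption helper only reproduces the VIG check from slide 53; the ciphertext is the one on the "Target Cipher" slide with spaces removed.

```python
from collections import Counter
from itertools import combinations

# Ciphertext from the "Target Cipher" slide, spaces removed (130 letters).
CIPHERTEXT = ("ADQYSMIUSBOXKKTMIBHKIZOOOEQOOGIFBAGKAUMFVVTAACIDTW"
              "MOCIOEQOOGBMBFVZGGWPCIEKQHSNEWVECNEDLAAVRWKXSVNSVP"
              "HCEUTQOIOFMEGJSWTPCHAJMOCHIUIX")

# IC-versus-period table from the "Check Period n" slide.
TABULATED_IC = {1: 0.066, 2: 0.052, 3: 0.047, 4: 0.045, 5: 0.044, 10: 0.041}


def vigenere_encrypt(plain: str, key: str) -> str:
    """Shift each plaintext letter by the corresponding (repeating) key letter."""
    return "".join(chr((ord(p) - 65 + ord(key[i % len(key)]) - 65) % 26 + 65)
                   for i, p in enumerate(plain))


def kasiski_repeats(text: str, length: int = 3):
    """Map each repeated substring of the given length to the distances
    between its occurrences; the period should divide most of them."""
    positions = {}
    for i in range(len(text) - length + 1):
        positions.setdefault(text[i:i + length], []).append(i)
    return {s: [b - a for a, b in combinations(p, 2)]
            for s, p in positions.items() if len(p) > 1}


def index_of_coincidence(text: str) -> float:
    """IC = sum F_i (F_i - 1) / (n (n - 1)) over the 26 letter counts."""
    n = len(text)
    return sum(f * (f - 1) for f in Counter(text).values()) / (n * (n - 1))


def closest_tabulated_period(ic: float) -> int:
    """Nearest period in the slide's table to the measured IC."""
    return min(TABULATED_IC, key=lambda p: abs(TABULATED_IC[p] - ic))


def split_alphabets(text: str, period: int):
    """Letters enciphered with the same key letter: every period-th letter."""
    return [text[i::period] for i in range(period)]


def alphabet_ics(text: str, period: int):
    """IC of each sub-alphabet; values near 0.066 mean a single Caesar shift."""
    return [round(index_of_coincidence(a), 3) for a in split_alphabets(text, period)]
```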

59
Solve each part (1) Frequency Examination
(details are not required)
  •      ABCDEFGHIJKLMNOPQRSTUVWXYZ
  •   1  31004011301001300112000000
  •   2  10022210013010000010404000
  •   3  12000000201140004013021000
  •   4  21102201000010431000000211
  •   5  10500021200000500030020000
  •   6  01110022311012100000030101
  • Unshifted alphabet frequencies
         HMMMHMMHHMMMMHHMLHHHMLLLLL

60
Solve each part (2) (details are not required)
  • First matches characteristics of unshifted
    alphabet
  • Third matches if I → A
  • Sixth matches if V → A
  • Substitute into ciphertext (substitutions were
    shown in bold on the slide)
  • ADIYS RIUKB OCKKL MIGHK AZOTO EIOOL IFTAG PAUEF
    VATAS CIITW EOCNO EIOOL BMTFV EGGOP CNEKIHSSEW
    NECSE DDAAA RWCXS ANSNP HHEUL QONOF EEGOS WLPCM
    AJEOC MIUAX

61
Solve each part (3) (details are not required)
  • AJE in last line suggests ARE, meaning second
    alphabet maps A into S
  • ALIYS RICKB OCKSL MIGHS AZOTO
  • MIOOL INTAG PACEF VATIS CIITE
  • EOCNO MIOOL BUTFV EGOOP CNESI
  • HSSEE NECSE LDAAA RECXS ANANP
  • HHECL QONON EEGOS ELPCM AREOC
  • MICAX

62
Solve each part (4) (details are not required)
  • MICAX in last line suggests mical (a common
    ending for an adjective), meaning fourth alphabet
    maps O into A
  • ALIMS RICKP OCKSL AIGHS ANOTO MICOL INTOG PACET
    VATIS QIITE ECCNO MICOL BUTTV EGOOD CNESI VSSEE
    NSCSE LDOAA RECLS ANAND HHECL EONON ESGOS ELDCM
    ARECC MICAL

63
Got It! (details are not required)
  • QI means that U maps into I, as Q is always
    followed by U
  • ALIME RICKP ACKSL AUGHS ANATO MICAL INTOS PACET
    HATIS QUITE ECONO MICAL BUTTH EGOOD ONESI VESEE
    NSOSE LDOMA RECLE ANAND THECL EANON ESSOS ELDOM
    ARECO MICAL