Title: CSCE 790 Lecture 4 Cryptography
CSCE 790 Lecture 4: Cryptography
Reading Assignment
- Reading assignments for January 25
  - Required
    - Oppliger Ch 5.1, 5.2, 5.3
  - Recommended
    - NIST Cryptographic Toolkit (http://csrc.nist.gov/encryption)
- Reading assignments for January 29
  - Required
    - Oppliger Ch 5.4, 5.5, 5.6, 5.7, 5.8
Insecure communications
Figure: a confidential message sent from Sender to Recipient over an insecure channel.
Secure communications
Figure: the same exchange (Sender, insecure channel, Recipient), now keeping the message confidential.
Terminology
- Plaintext, cleartext: an unhidden message
- Encryption: transforming a message to hide its meaning
- Ciphertext, cyphertext: an encrypted message
- Cipher: cryptographic algorithm. Mathematical function used for encryption (encryption algorithm) and decryption (decryption algorithm).
- Decryption: recovering plaintext from ciphertext
- Cryptography: art and science of keeping messages secure
- Cryptanalysis: art and science of breaking ciphertext
- Cryptology: study of both cryptography and cryptanalysis
Cryptosystem requirements
- Enciphering and deciphering algorithms must be efficient for all keys
  - Coding and decoding at the time of transmission → may be a bottleneck
- System must be easy to use
  - Ease of finding a key with an invertible transformation
- Security should depend on the secrecy of the keys, not on the secrecy of the algorithms
- Algorithms must be inherently strong, i.e., encryption cannot be broken by simply knowing the method of encryption
What makes a good cryptosystem?
- "A good cryptosystem is one whose security does not depend upon the secrecy of the algorithm. This is why cryptographers are so unhappy about NSA's refusal to release details of SkipJack (Clipper)." - From Schneier
- "Good cryptographers rely on peer review to separate the good algorithms from the bad."
Breakable vs. Practically Breakable
- Unconditionally secure: impossible to decrypt. No amount of ciphertext will enable a cryptanalyst to obtain the plaintext, without restrictions on technology
- Computationally secure: an algorithm that is not breakable in practice, based on the worst-case scenario (the best known methods) and current technology
- Breakable: all algorithms (except the one-time pad) are theoretically breakable
Cryptanalysis
- Cryptanalyst's goal
  - Break message
  - Break key
  - Break algorithm
Security requirements
- Computationally infeasible to systematically determine the deciphering transformation for a given cipher, even if the corresponding plaintext is known
  - Prevents decoding additional ciphertexts
- Computationally infeasible to systematically determine the plaintext for a given cipher
  - Prevents decoding the given ciphertext
Authenticity requirements
- Computationally infeasible to systematically determine the enciphering transformation for a given cipher, even if the corresponding plaintext is known
  - Prevents creating false ciphertext
- Computationally infeasible to find ciphertext such that it deciphers into a valid plaintext
  - Prevents cipher substitution
Taxonomy of Attacks
- Ciphertext-only attack: attacker has ciphertext for messages encrypted with E.
- Known plaintext attack: attacker additionally knows the plaintext of the messages.
- Chosen plaintext attack: attacker can select the encrypted plaintext for at least some messages.
- Chosen ciphertext attack: attacker can obtain decrypted (plaintext) versions of selected ciphertext.
Cryptosystems
- Conventional (symmetric-key) cryptosystem
- Public-key (asymmetric-key) cryptosystem
- Quantum cryptosystem
- Hash functions
Conventional (Secret Key) Cryptosystem
Figure: Sender encrypts plaintext M under key K, C = E(K, M); ciphertext C crosses the insecure channel; Recipient decrypts, M = D(K, C). Both copies of K come from a key source over a secure channel.
Secret Key Cryptosystem Vulnerabilities (1)
- Passive attacker (eavesdropper)
  - Obtain and/or guess key and cryptosystem, use these to decrypt messages
  - Capture text in transit and try a ciphertext-only attack to obtain plaintext.
Secret Key Cryptosystem Vulnerabilities (2)
- Active attacker
  - Break communication channel (denial of service)
  - Obtain and/or guess key and cryptosystem and use these to send false messages
Inherent Weaknesses of Symmetric Cryptography
- Key distribution must be done secretly (difficult when parties are geographically distant, or don't know each other)
- Need a key for each pair of users
  - n users need n(n-1)/2 keys
- If the secret key (and cryptosystem) is compromised, the adversary will be able to decrypt all traffic and produce fake messages
Classical Encryption Techniques
- Steganography
- Substitution
- Permutation
- Combinations and iterations of these
Steganography
- Conceals the existence of a secret message
- Needs
  - Carrier medium: text, picture, etc.
  - Encoding schema: defines how to insert the message into the carrier medium
- Not efficient: good for small messages only
Steganography Examples
- Before computers
  - Character markings: selected letters of printed or typewritten text are overwritten in pencil
  - Invisible ink: not visible until some chemical reactions take place
  - Pin punctures: tiny punctures on selected letters
- Computer aided
  - Modification of a digital carrier, e.g., digital image, sound, etc.
  - Supported by secret key
  - Digital watermarking
Substitution Techniques
- Simple substitution
- Monoalphabetic cipher
- Multiple letter encryption
- Polyalphabetic cipher
Simple Substitution: Caesar Cipher
- C = E(K, M), e.g., C = (M + n) mod 26
  - plaintext alphabet: A B C D E ...
  - ciphertext alphabet: the same letters shifted by n (for n = 2: A → C, B → D, C → E, ...)
  - e.g., M = CAB
  - C = ECD
- Advantages: simple to implement
- Disadvantages: easy to break (25 possibilities for the English alphabet)
Monoalphabetic Substitution
- Arbitrary substitution for each plaintext symbol, e.g.,
  - C → E, A → C, B → D
  - M = CAB
  - C = ECD
- Advantages: large key space (26!)
- Disadvantages: trivially broken by a known plaintext attack
Multiple-Letter Encryption
- Playfair (Sir Charles Wheatstone, 1854)
  - Plaintext is encrypted as 2-letter blocks to create 2-letter cipher blocks
  - Secret key is written into a 5x5 matrix, which is filled up with the remaining alphabet (I/J together)
  - Repeating plaintext letters are separated by a filler (e.g., by X)
  - Encoding
    - Letters in the same row are substituted with their neighbors on the right
    - Letters in the same column are substituted with their neighbors underneath
    - Otherwise each letter is replaced with the letter in its row and in the column of the other letter
Multiple-Letter Encryption
- M = AR → C = RM
- M = MU → C = CM
- M = HS → C = BP
Polyalphabetic Substitution
- A set of related monoalphabetic substitution rules is used
- A key determines which particular rule is chosen for a given transformation
- Example: Vigenère cipher, based on 26 Caesar ciphers
- Advantages: there are multiple ciphertexts for a plaintext letter
- Disadvantages: the periodic nature of the key makes it breakable with statistical cryptanalysis
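As an added example (not from the lecture) covering both the Caesar slide and this one: a Caesar shift over A-Z, the 25-candidate brute force that makes it weak, and a Vigenère built from the same shifts, where the key word (LEMON, my choice) moves the shift per position so that one plaintext letter takes several ciphertext letters.

```python
# Added example (not from the lecture): Caesar and Vigenere over A-Z.
# Caesar: C = (M + n) mod 26 with one shift for the whole message.
# Vigenere: the i-th key letter chooses the shift for the i-th plaintext letter,
# so the same plaintext letter can be mapped to several ciphertext letters.
import string

ALPHABET = string.ascii_uppercase

def caesar(text, shift):
    """Shift every letter of an A-Z string by `shift` positions (mod 26)."""
    return "".join(ALPHABET[(ALPHABET.index(c) + shift) % 26] for c in text)

def caesar_brute_force(ciphertext):
    """All 25 candidate plaintexts: the whole key space, tried in one call."""
    return {n: caesar(ciphertext, -n) for n in range(1, 26)}

def vigenere(text, key, decrypt=False):
    """Apply the shift of key[i mod len(key)] to text[i]; the key repeats."""
    out = []
    for i, c in enumerate(text):
        shift = ALPHABET.index(key[i % len(key)])
        out.append(caesar(c, -shift if decrypt else shift))
    return "".join(out)

def ciphertext_images(plaintext, ciphertext, letter):
    """Distinct ciphertext letters that one plaintext letter was mapped to."""
    return sorted({c for p, c in zip(plaintext, ciphertext) if p == letter})

if __name__ == "__main__":
    print(caesar("CAB", 2))                              # ECD, as on the Caesar slide
    print(caesar_brute_force("ECD")[2])                  # CAB
    ct = vigenere("ATTACKATDAWN", "LEMON")               # constructed message
    print(ct)                                            # LXFOPVEFRNHR
    print(ciphertext_images("ATTACKATDAWN", ct, "A"))    # ['E', 'L', 'N', 'O']
```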
One-Time Pad
- Perfect Secrecy!
- Large, non-repeating set of keys
- Key is larger than the message
- Advantages immune to most attacks
- Disadvantages
- Need total synchronization
- Need very long, non-repeating key
- Key cannot be reused
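As an added example (not from the lecture), a byte-wise one-time pad showing the two properties listed above: every plaintext of the right length is consistent with a given ciphertext, which is why it is perfectly secret, and reusing the pad cancels it out and leaks the XOR of the two messages. The messages are constructed for the example.

```python
# Added example (not from the lecture): a one-time pad over bytes. XOR is its
# own inverse, so one function both encrypts and decrypts. consistent_key shows
# why the ciphertext alone reveals nothing; reuse_leak shows why the pad must
# never be reused.
import secrets

def otp_keygen(length):
    """Fresh random pad, at least as long as the message it will protect."""
    return secrets.token_bytes(length)

def otp_xor(data, key):
    """Encrypt or decrypt: byte-wise XOR of data with the pad."""
    if len(key) < len(data):
        raise ValueError("pad must be at least as long as the message")
    return bytes(d ^ k for d, k in zip(data, key))

def consistent_key(candidate_plaintext, ciphertext):
    """The pad that would turn this candidate into the observed ciphertext.
    One exists for every candidate of the same length, so the ciphertext
    alone gives no information about which plaintext was sent."""
    return otp_xor(candidate_plaintext, ciphertext)

def reuse_leak(c1, c2):
    """With a shared pad, c1 XOR c2 == m1 XOR m2: the pad cancels, no key needed."""
    return otp_xor(c1, c2)
```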
Transposition
- Letters of the message are rearranged
  - Breaks patterns
- e.g., columnar transposition
  - Plaintext: this is a test
    t h i s
    i s a t
    e s t !
  - Read off by columns: tiehssiatst!
- Advantages: easy to implement
- Disadvantages
  - Easy to recognize: same letter frequency as the original plaintext
  - Trivially broken by a known plaintext attack
  - Easily broken by a ciphertext-only attack
  - Multiple encipherment does not help
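As an added example (not from the lecture), the columnar transposition of the slide's "this is a test" into four columns, its inverse, and a histogram check that shows the "easy to recognize" disadvantage: the ciphertext has exactly the plaintext's letter frequencies.

```python
# Added example (not from the lecture): columnar transposition. The text is
# written row by row into a grid of `width` columns and read off column by
# column; decryption reverses the reading order. Spaces are dropped and the
# last row is padded with "!" as on the slide.
from collections import Counter

def columnar_encrypt(plaintext, width, pad="!"):
    text = plaintext.replace(" ", "")
    if len(text) % width:
        text += pad * (width - len(text) % width)
    rows = [text[i:i + width] for i in range(0, len(text), width)]
    return "".join(row[c] for c in range(width) for row in rows)

def columnar_decrypt(ciphertext, width):
    """Consecutive chunks of the ciphertext are the grid's columns; rebuild the rows."""
    height = len(ciphertext) // width
    cols = [ciphertext[i:i + height] for i in range(0, len(ciphertext), height)]
    return "".join(cols[c][r] for r in range(height) for c in range(width))

def same_histogram(a, b):
    """Transposition only reorders symbols, so the frequency counts are unchanged."""
    return Counter(a) == Counter(b)
```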
Product Ciphers
- Substitution followed by permutation, followed by substitution, followed by permutation
- One encryption applied to the result of the other: E_n(E_{n-1}(...(E_1(M))...))
- Broken for
  - Chosen plaintext
Data Encryption Standard
- Mathematics to design strong product ciphers is classified
- Breakable by exhaustive search for known plaintext, chosen plaintext and chosen ciphertext attacks
- Security: computational complexity of computing the key under the above scenarios
Data Encryption Standard (DES)
- DES is a product cipher
- 56-bit key size
- 64-bit block size for plaintext and ciphertext
- Developed by IBM and adopted by NIST with NSA approval
- Encryption and decryption algorithms are public, but the design principles are classified
DES Controversies
- Key size: 56 bits, on the threshold of allowing an exhaustive-search known plaintext attack
- Built-in trapdoor allegations
  - The US Senate Select Committee on Intelligence exonerated NSA from tampering with the design of DES in any way
DES Multiple Encryption
- Group: multiple encryptions are equivalent to a single encryption
- 1992: proven that DES is not a group
DES Multiple Encryption
Figure: double encryption. Plaintext P is encrypted under K1 to the intermediate ciphertext E_K1(P), then under K2 to the ciphertext E_K2(E_K1(P)).
- Known-plaintext meet-in-the-middle attack: effective key size 57 bits
DES Multiple Encryption
Figure: encrypt-decrypt-encrypt. P → E_K1(P) → D_K2(E_K1(P)) → E_K1(D_K2(E_K1(P))), using keys K1, K2, K1.
- Tuchman: avoids the meet-in-the-middle attack
- If K1 = K2: single encryption
DES Multiple Encryption
- Tuchman's technique is part of the NIST standard
- Can be broken in 2^56 operations if one has 2^56 chosen plaintext blocks (Merkle, Hellman 1981)
- Could use distinct K1, K2, K3 to avoid this attack
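As an added example (not from the lecture) of the meet-in-the-middle argument on slide 34: double encryption with two 16-bit keys on a toy 16-bit block cipher of my own construction (not DES) is recovered with roughly 2 * 2^16 cipher operations and a table, instead of the 2^32 key pairs a brute-force search would try. The known plaintext/ciphertext pairs are constructed inside the test.

```python
# Added example (not from the lecture): known-plaintext meet-in-the-middle on
# double encryption, using a toy 16-bit block cipher with 16-bit keys (my
# construction, NOT DES). Brute force over (K1, K2) would try 2^32 key pairs;
# the attack does about 2 * 2^16 cipher operations plus a lookup table, which
# is why doubling the key adds only one bit of effective key size.
MASK = 0xFFFF
INV3 = pow(3, -1, 1 << 16)            # 3 is odd, so it is invertible mod 2^16

def toy_encrypt(k, p):
    """Toy block cipher: XOR the key in, multiply by 3, add the key (all mod 2^16)."""
    return ((p ^ k) * 3 + k) & MASK

def toy_decrypt(k, c):
    """Inverse of toy_encrypt: undo the add, the multiply, then the XOR."""
    return (((c - k) * INV3) & MASK) ^ k

def double_encrypt(k1, k2, p):
    return toy_encrypt(k2, toy_encrypt(k1, p))

def meet_in_the_middle(pairs):
    """pairs: known (plaintext, ciphertext) under double encryption, keys unknown.
    Tabulate E_K1(P0) for every K1, then for every K2 look up D_K2(C0): each
    match is a candidate (K1, K2), confirmed against the remaining known pairs."""
    p0, c0 = pairs[0]
    middle = {}                                    # E_K1(P0) -> [K1, ...]
    for k1 in range(1 << 16):
        middle.setdefault(toy_encrypt(k1, p0), []).append(k1)
    survivors = []
    for k2 in range(1 << 16):
        for k1 in middle.get(toy_decrypt(k2, c0), ()):
            if all(double_encrypt(k1, k2, p) == c for p, c in pairs[1:]):
                survivors.append((k1, k2))
    return survivors
```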
DES Algorithm
Figure: DES block diagram.
- Data path: 64-bit plaintext → initial permutation → iterations 1 to 16 → 32-bit swap → inverse initial permutation → 64-bit ciphertext
- Key schedule: 56-bit key → permuted choice 1 → for each iteration: left circular shift, then permuted choice 2 gives the subkey K1, K2, ..., K16
DES Cycle
Figure: one DES round on the 32-bit halves L_{i-1} and R_{i-1}. R_{i-1} goes through the expansion permutation (32 → 48 bits), is XORed with the 48-bit permuted key, and the result is reduced back to 32 bits and XORed with L_{i-1} to form R_i (R_{i-1} becomes L_i).
Modes of DES
- ECB: Electronic Code Book
- CBC: Cipher Block Chaining
- CFB: Cipher FeedBack
- OFB: Output FeedBack
- Part of NIST standard
ECB Mode
Figure: each 64-bit data block is encrypted (E) and decrypted (D) independently under the 56-bit key.
- Good for small messages
- Identical data blocks will be identically encrypted
CBC Mode
Figure: each 64-bit data block is XORed with the previous 64-bit ciphertext block before encryption (E) under the 56-bit key; decryption (D) XORs the previous ciphertext block back in.
- C_n = E_K(C_{n-1} ⊕ P_n)
- Needs an initialization vector
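As an added example (not from the lecture or any DES implementation), the DES round structure of slide 38 and the ECB and CBC modes above, built on a 4-round Feistel toy cipher whose round function and key schedule are SHA-256 based (my choice so that nothing beyond the standard library is needed; it is not DES and gives no real security). Three equal plaintext blocks repeat in the ECB ciphertext and do not repeat under CBC.

```python
# Added example (not from the lecture): Feistel toy cipher with the DES round
# structure, plus ECB and CBC modes built on it. The round function f and the
# key schedule are SHA-256 based (my choice, no crypto library); this is NOT DES.
import hashlib

ROUNDS = 4

def round_keys(key):
    """ROUNDS 8-byte subkeys K_i derived from the key (stand-in for DES's key schedule)."""
    return [hashlib.sha256(key + bytes([i])).digest()[:8] for i in range(ROUNDS)]
def f(right, k):
    """Round function f(R_{i-1}, K_i): 4-byte half in, 4-byte mixed value out."""
    return hashlib.sha256(k + right).digest()[:4]
def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def feistel(block, keys):
    """Per round: L_i = R_{i-1}, R_i = L_{i-1} XOR f(R_{i-1}, K_i); then the final swap.
    Decryption is the same pass with the subkeys in reverse order."""
    left, right = block[:4], block[4:]
    for k in keys:
        left, right = right, xor(left, f(right, k))
    return right + left

def encrypt_block(key, block):
    return feistel(block, round_keys(key))
def decrypt_block(key, block):
    return feistel(block, round_keys(key)[::-1])

def ecb_encrypt(key, data):
    """ECB: each 8-byte block on its own, so equal plaintext blocks give equal ciphertext."""
    return b"".join(encrypt_block(key, data[i:i + 8]) for i in range(0, len(data), 8))

def cbc_encrypt(key, iv, data):
    """CBC: C_n = E_K(C_{n-1} XOR P_n) with C_0 = IV (the slide's formula)."""
    out, prev = [], iv
    for i in range(0, len(data), 8):
        prev = encrypt_block(key, xor(prev, data[i:i + 8]))
        out.append(prev)
    return b"".join(out)
def cbc_decrypt(key, iv, data):
    out, prev = [], iv
    for i in range(0, len(data), 8):
        block = data[i:i + 8]
        out.append(xor(decrypt_block(key, block), prev))
        prev = block
    return b"".join(out)

def repeated_blocks(data):
    """How many 8-byte ciphertext blocks duplicate an earlier one (ECB's leak)."""
    blocks = [data[i:i + 8] for i in range(0, len(data), 8)]
    return len(blocks) - len(set(blocks))
```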
CFB Mode
Figure: a shift register of 8 blocks of 8 bits is encrypted under the 56-bit key; 8 bits of the output are combined with 8 bits of plaintext to give 8 bits of ciphertext, which is shifted (left shift) into the register on both the E and the D side.
- Needs an initialization vector
- Advantage: can encipher one character at a time
- Error propagation: current transfer and the next 8 characters
OFB Mode
Figure: as in CFB, a shift register of 8 blocks of 8 bits is encrypted under the 56-bit key and 8 bits of the output are combined with 8 bits of plaintext, but it is those 8 output bits, not the ciphertext, that are shifted (left shift) back into the register.
- Needs an initialization vector
- Advantage: can encipher one character at a time
- Error propagation: current transfer only
Advanced Encryption Standard (AES)
- Adopted by NIST to replace DES
- January 2, 1997: NIST announces the initiation of an effort to develop the AES (62 FR 93)
- Based on the Rijndael algorithm
International Data Encryption Algorithm (IDEA)
- Designed by X. Lai and J. Massey, Swiss Federal Institute of Technology, 1990
- 64-bit block cipher
- Key size: 128 bits
- Used by Pretty Good Privacy (PGP) to encrypt electronic mail
Design Principles
- Cryptographic strength
  - Block size: deter statistical analysis, but keep encryption easy to implement
  - Key length: prevent exhaustive key search
  - Confusion: ciphertext should depend on the plaintext and key in a complicated way
  - Diffusion: each plaintext bit should influence every ciphertext bit, to prevent statistical analysis
Other Secret Key Algorithms
- DESX: modification of DES
- Blowfish: fast, compact and simple block cipher. Variable key length up to 448 bits
- RC2: block cipher. Variable key length up to 2048 bits
- RC4: stream cipher. Variable key length up to 448 bits
- RC5: block cipher. Allows user-defined key length, data block size, and number of encryption rounds.
Hash Functions
- Hash function h maps an input x of arbitrary length to a fixed-length output h(x) (compression)
- Given h and x, h(x) is easy to compute (ease of computation)
Hash functions
- Preimage resistant (one-way): if for all specified outputs, it is computationally infeasible to find any input that hashes to that output
- Second-preimage resistant (weak collision resistant): if it is computationally infeasible to find any second input which has the same output as any specified input
- Collision resistant (strong collision resistant): if it is computationally infeasible to find any two distinct inputs that have the same output
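As an added example (not from the lecture) of why the three properties differ in strength, the searches are run against SHA-256 deliberately truncated to 24 bits (my choice, so they finish in a moment): a collision between any two inputs turns up after roughly 2^12 hashes by the birthday bound, while a preimage or second preimage of a given output is expected to cost about 2^24, which is why a search with a small budget normally comes back empty.

```python
# Added example (not from the lecture): the resistance properties as search
# costs on a truncated hash (top 24 bits of SHA-256, my choice). Collisions
# between ANY two inputs appear after ~2^(BITS/2) hashes (birthday bound);
# a (second) preimage of a GIVEN output needs ~2^BITS hashes.
import hashlib

BITS = 24

def h(data):
    """Truncated hash: the top BITS bits of SHA-256(data), as an integer."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - BITS)

def find_collision():
    """Hash successive counters until an output repeats.
    Returns (x, y, hashes_done) with x != y and h(x) == h(y)."""
    seen = {}                    # output -> first input that produced it
    i = 0
    while True:
        x = str(i).encode()
        v = h(x)
        if v in seen:
            return seen[v], x, i + 1
        seen[v] = x
        i += 1

def find_preimage(target, budget):
    """Try up to `budget` inputs for one hashing to `target`; None if the budget
    runs out. Inputs carry a prefix so they never overlap find_collision's."""
    for i in range(budget):
        x = b"pre-" + str(i).encode()
        if h(x) == target:
            return x
    return None

def birthday_bound():
    """Expected order of work for a collision; a preimage needs ~2 ** BITS."""
    return 2 ** (BITS // 2)
```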
Hash Functions
- Message digest
  - Used for authenticity and integrity purposes
- Algorithms
  - SHA-1, MD2, MD4, MD5
MD5 Message Digest Algorithm
- Input of arbitrary length
- Output: 128 bits
- Block size: 512 bits
MD5 Processing
- Append padding bits so that length ≡ 448 mod 512 (padded message is 64 bits less than an integer multiple of 512)
- Append length: a 64-bit representation of the length of the original message (before the padding) → total length of message = k·512 bits
- Initialize MD buffer: a 128-bit buffer holds intermediate and final results (4 32-bit registers, A B C D)
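As an added example (not from the lecture), the first two steps above as code: a 1 bit then zeros up to 448 mod 512, then the 64-bit length. The edge case worth seeing is a message that is already 448 bits long, which gets a whole extra 512-bit block. MD5 stores the length little-endian; SHA-1 (slide 55) uses the same scheme big-endian, so both are covered.

```python
# Added example (not from the lecture): Merkle-Damgard padding as used by MD5.
# Append one 1 bit (the byte 0x80), then 0 bits until length == 448 mod 512,
# then the original length in bits as a 64-bit integer. MD5 writes that length
# little-endian, SHA-1 big-endian; the rest of the rule is identical.
def md_pad(message, byteorder="little"):
    """Return message + padding; the result is always a whole number of 64-byte blocks."""
    bit_length = len(message) * 8
    padded = message + b"\x80"
    while len(padded) % 64 != 56:          # 56 bytes == 448 bits
        padded += b"\x00"
    return padded + bit_length.to_bytes(8, byteorder)

def md5_pad(message):
    return md_pad(message, "little")

def sha1_pad(message):
    return md_pad(message, "big")

def block_count(padded):
    """Number of 512-bit blocks the compression function will process."""
    return len(padded) // 64
```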
MD5 Processing
- Process message in 512-bit blocks
  - 4 rounds of processing
  - Similar structure but different logical function
  - Each round takes the 512-bit input and the values of ABCD and modifies ABCD
- Output from the last stage is a 128-bit digest
Strength of MD5
- Every bit of plaintext influences every bit of the hash code
- Complex repetition of the basic functions → unlikely that two random messages would have similar regularities
- MD5 is as strong as possible for a 128-bit digest (Rivest's conjecture)
  - Hasn't been disproved yet
Secure Hash Algorithm
- SHA was developed by the National Institute of Standards and Technology
- 1993: published as Federal Information Processing Standard (FIPS PUB 180)
- Input: maximum length 2^64 bits
- Output: 160-bit digest
- Block size: 512 bits
MD5 vs. SHA
- Very similar
- Security: SHA's digest is 32 bits longer → without algorithmic flaws, SHA is more secure
- Speed: SHA has more steps and produces a 160-bit buffer → SHA slower
- Simplicity and compactness: MD5 has more internal steps with varying buffer modification → SHA is simpler