Real scripts – backgrounder 3
- Polyalphabetic encipherment
- XOR as a cipher
- RSA algorithm
David Morgan
XOR as a cipher
Bit element encipherment
• elements are 0 and 1
• use modulo-2 arithmetic
Example:
message stream:       1 0 0 0 1 1 0 1 1 1 0 0
key stream:           1 1 1 0 0 1 1 0 1 1 1 0
resulting ciphertext: 0 1 1 0 1 0 1 1 0 0 1 0
XOR - frequent appearances
XOR is often the operation when the data is binary
http://en.wikipedia.org/wiki/XOR_cipher
Binary XOR operation
XORing with 1:
1 XOR 1 is 0
0 XOR 1 is 1
XORing with 0:
1 XOR 0 is 1
0 XOR 0 is 0
• XORing a bit with 1 inverts it
• XORing a bit with 0 leaves it alone
XOR is mod2 addition
XORing with 1:
1 XOR 1 is 0
0 XOR 1 is 1
XORing with 0:
1 XOR 0 is 1
0 XOR 0 is 0
adding 1 mod2:
1 + 1 = 0 (binary 10 with the carry dropped)
0 + 1 = 1
adding 0 mod2:
1 + 0 = 1
0 + 0 = 0
same thing
XOR twice with same bit leaves input as is
XORing twice with 1:
1 XOR 1 is 0, then 0 XOR 1 is 1
0 XOR 1 is 1, then 1 XOR 1 is 0
XORing twice with 0:
1 XOR 0 is 1, then 1 XOR 0 is 1
0 XOR 0 is 0, then 0 XOR 0 is 0
• by inverting twice (if XORing with 1)
  – changes it, changes it back, or
• by inverting never (if XORing with 0)
or: ( A XOR B ) XOR B = A
double XOR = alteration & restoration
input:        11000000 10101000 00000100 00000001
XOR with:     10111110 01001010 10111001 00001101
result:       01111110 11100010 10111101 00001100

above result: 01111110 11100010 10111101 00001100
again with:   10111110 01001010 10111001 00001101
above input:  11000000 10101000 00000100 00000001
XOR becomes a symmetric stream cipher
plaintext:  11000000 10101000 00000100 00000001
key:        10111110 01001010 10111001 00001101
ciphertext: 01111110 11100010 10111101 00001100

ciphertext: 01111110 11100010 10111101 00001100
same key:   10111110 01001010 10111001 00001101
plaintext:  11000000 10101000 00000100 00000001
XOR operation
• XORing key with plaintext yields ciphertext (that’s called encryption)
• XORing key with ciphertext yields plaintext (that’s called decryption)
and also
• XORing plaintext and ciphertext yields key
If key is random, so is ciphertext
plaintextA: 11000000 10101000 00000100 00000001
keyA:       10111110 01001010 10111001 00001101
ciphertext: 01111110 11100010 10111101 00001100

plaintextB: 01010110 11101010 00100001 01101001
keyB:       00101000 00001000 10011100 01100101
ciphertext: 01111110 11100010 10111101 00001100
The (single) ciphertext shown is representative of both plaintexts, given the
corresponding key. A key can be constructed to convert any plaintext to this same
ciphertext. The attacker must ask which key was actually used in order to arrive at the
actual plaintext. If the key is produced randomly, he has no basis for choosing any
particular key, and therefore none for choosing the actual one.
For unbreakability
• keystream must be as long as the plaintext
• keystream elements must be random
• same keystream must never be re-used
  – possession of 2 ciphertexts from same keystream facilitates recovering it
• same keystream must be shared by encryptor and decryptor
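The XOR properties from the slides above, run on the slides' own four-byte values, as an added example that is not part of the original slides. The helper names and the two sample messages are constructed for illustration; the last function shows what leaks when one keystream is used for two messages.

```python
import secrets

def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR (mod-2 addition) of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("keystream must be exactly as long as the data")
    return bytes(x ^ y for x, y in zip(a, b))

def from_bits(text: str) -> bytes:
    """Parse space-separated 8-bit groups as written on the slides."""
    return bytes(int(group, 2) for group in text.split())

# Values copied from the slides.
PLAINTEXT_A = from_bits("11000000 10101000 00000100 00000001")
KEY_A = from_bits("10111110 01001010 10111001 00001101")
PLAINTEXT_B = from_bits("01010110 11101010 00100001 01101001")
CIPHERTEXT = xor_bytes(PLAINTEXT_A, KEY_A)

def key_mapping_to(plaintext: bytes, ciphertext: bytes) -> bytes:
    """Plaintext XOR ciphertext yields the key that links the two."""
    return xor_bytes(plaintext, ciphertext)

# Constructed sample messages of equal length (not from the slides).
MSG_1 = b"PAY ALICE 100"
MSG_2 = b"PAY BOB 99999"

def reuse_leak(p1: bytes, p2: bytes):
    """Encrypt two messages under ONE random keystream and show the leak."""
    keystream = secrets.token_bytes(len(p1))
    c1, c2 = xor_bytes(p1, keystream), xor_bytes(p2, keystream)
    # The keystream cancels out: c1 XOR c2 equals p1 XOR p2.
    combined = xor_bytes(c1, c2)
    # Anyone who knows p1 gets the keystream, and with it p2.
    recovered_keystream = xor_bytes(c1, p1)
    return combined, xor_bytes(c2, recovered_keystream)

if __name__ == "__main__":
    print("ciphertext  :", " ".join(f"{b:08b}" for b in CIPHERTEXT))
    print("decrypts    :", xor_bytes(CIPHERTEXT, KEY_A) == PLAINTEXT_A)
    key_b = key_mapping_to(PLAINTEXT_B, CIPHERTEXT)
    print("keyB        :", " ".join(f"{b:08b}" for b in key_b))
    combined, recovered = reuse_leak(MSG_1, MSG_2)
    print("c1^c2==p1^p2:", combined == xor_bytes(MSG_1, MSG_2))
    print("p2 recovered:", recovered)
```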
One-time pad
• this technique is called “one-time pad” (sometimes one-time tape or one-time key)
  – random keystreams were written on paper pads
  – each sheet to be used, torn off, and destroyed
  – paper tapes were used later
• it is the only unbreakable cipher
• unless misused
  – Soviet codes broken due to pad/keystream re-use (Venona project)
http://users.telenet.be/d.rijmenants/en/onetimepad.htm
XOR based one-time pad
• XOR needs a random stream producer
• rc4 is (nearly) that
rc4 – a stream cipher
rc4 serves as a keystream machine, an endless font of utility data
"RC4 generates a pseudorandom stream of bits (a keystream). As with any
stream cipher, these can be used for encryption by combining it with the plaintext"
http://en.wikipedia.org/wiki/Rc4
How to achieve keystream sharing
• physically secure hand delivery
• rc4 keystream reproducible on demand with a given key
  – don’t share the keystream, share the key that produces it
  – shifts (and reduces) the keystream distribution problem to a key distribution problem
Polyalphabetic encipherment
Demo – trying to thwart frequency analysis
• plain text exhibits letter frequency patterns
• monoalphabetic substitution preserves patterns
• polyalphabetic substitution destroys them
Occurrence of English letters
Occurrence of letters: Gettysburg address
http://www.mtholyoke.edu/courses/quenell/s2002/crypto/js/count.html
Occurrence of letters: Gettysburg address thru (monoalphabetic) Caesar cipher
Letters changed but statistical pattern preserved
Occurrence of letters: Gettysburg address thru differently sequenced* monoalphabetic cipher
*the substitution mapping, unlike that of Caesar cipher, doesn’t preserve the letters in the same sequence as that of the alphabet. They’re all there, but in reassigned positions. This mapping was: bdfhjlnprtvxzacegikmoqsuwy; e became j, t became m, etc. (seen in both the mapping and the chart)
  A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
A A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
B B C D E F G H I J K L M N O P Q R S T U V W X Y Z A
C C D E F G H I J K L M N O P Q R S T U V W X Y Z A B
D D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
E E F G H I J K L M N O P Q R S T U V W X Y Z A B C D
F F G H I J K L M N O P Q R S T U V W X Y Z A B C D E
G G H I J K L M N O P Q R S T U V W X Y Z A B C D E F
H H I J K L M N O P Q R S T U V W X Y Z A B C D E F G
I I J K L M N O P Q R S T U V W X Y Z A B C D E F G H
J J K L M N O P Q R S T U V W X Y Z A B C D E F G H I
K K L M N O P Q R S T U V W X Y Z A B C D E F G H I J
L L M N O P Q R S T U V W X Y Z A B C D E F G H I J K
M M N O P Q R S T U V W X Y Z A B C D E F G H I J K L
N N O P Q R S T U V W X Y Z A B C D E F G H I J K L M
O O P Q R S T U V W X Y Z A B C D E F G H I J K L M N
P P Q R S T U V W X Y Z A B C D E F G H I J K L M N O
Q Q R S T U V W X Y Z A B C D E F G H I J K L M N O P
R R S T U V W X Y Z A B C D E F G H I J K L M N O P Q
S S T U V W X Y Z A B C D E F G H I J K L M N O P Q R
T T U V W X Y Z A B C D E F G H I J K L M N O P Q R S
U U V W X Y Z A B C D E F G H I J K L M N O P Q R S T
V V W X Y Z A B C D E F G H I J K L M N O P Q R S T U
W W X Y Z A B C D E F G H I J K L M N O P Q R S T U V
X X Y Z A B C D E F G H I J K L M N O P Q R S T U V W
Y Y Z A B C D E F G H I J K L M N O P Q R S T U V W X
Z Z A B C D E F G H I J K L M N O P Q R S T U V W X Y
Polyalphabetic* ciphering: Vigenere table, mod26 arithmetic helper
*use many alphabets--different ones for determining what to substitute for each letter in the plaintext. Without resequencing letters, there are 25 other alphabets readily available.
How many alphabets exist, altogether, if we do allow resequencing?
26*25*24*… = 26! = 4.03 x 10^26
encrypt - take plaintext letter in the column header, key letter in row header. Ciphertext letter at intersection.
decrypt - take key letter in the row header, find ciphertext letter in that row. Plaintext letter at that column's header.
Occurrence of letters: Gettysburg address thru polyalphabetic ciphers
Letters changed and statistical pattern destroyed
Each time you remap a letter:
• shift mapping alphabet fwd 1 letter, or
• shift mapping alphabet back 1 letter, or
• randomly generate a whole new one
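The table lookup and the frequency claim from the slides above, as an added example that is not part of the original slides: Vigenere encipherment as mod-26 addition, with a Caesar cipher as the one-letter-key special case. The sample text, the key and all function names are constructed for illustration.

```python
from collections import Counter
from string import ascii_uppercase as ALPHABET

def letters(text: str) -> str:
    """Keep only A-Z, upper-cased, matching the table's alphabet."""
    return "".join(ch for ch in text.upper() if ch in ALPHABET)

def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Row = key letter, column = plaintext letter: c = (p + k) mod 26."""
    key = letters(key)
    if not key:
        raise ValueError("key must contain at least one letter")
    sign = -1 if decrypt else 1
    out = []
    for i, ch in enumerate(letters(text)):
        shift = ALPHABET.index(key[i % len(key)])
        out.append(ALPHABET[(ALPHABET.index(ch) + sign * shift) % 26])
    return "".join(out)

def caesar(text: str, shift: int) -> str:
    """Monoalphabetic case: every letter uses the same table row."""
    return vigenere(text, ALPHABET[shift % 26])

def profile(text: str) -> list:
    """Letter counts sorted high to low: the shape frequency analysis sees."""
    return sorted(Counter(letters(text)).values(), reverse=True)

def images(plain: str, cipher: str, letter: str) -> set:
    """Every ciphertext letter that stood in for one plaintext letter."""
    return {c for p, c in zip(letters(plain), cipher) if p == letter}

# Constructed sample text and key (not from the slides).
SAMPLE, KEY = "ATTACKATDAWN", "LEMON"

if __name__ == "__main__":
    mono, poly = caesar(SAMPLE, 3), vigenere(SAMPLE, KEY)
    for name, text in (("plain", SAMPLE), ("caesar", mono), ("vigenere", poly)):
        print(f"{name:9}{text}  counts={profile(text)}")
    print("A became (caesar):  ", sorted(images(SAMPLE, mono, "A")))
    print("A became (vigenere):", sorted(images(SAMPLE, poly, "A")))
    print("round trip:", vigenere(poly, KEY, decrypt=True) == SAMPLE)
```

The Caesar output keeps the plaintext's count profile exactly, while under the five-letter key the four occurrences of A become four different ciphertext letters.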
RSA
Several algorithms with “public-key properties”
• RSA: Rivest, Shamir, Adleman; MIT
• ElGamal: Taher ElGamal, Netscape
• DSA: NSA, NIST
RSA key generation steps
1. choose 2 primes (call them p, q)
2. multiply them (call product n)
3. multiply their “predecessors” (p-1,q-1) (call product φ)
4. pick some integer (call it e)
   – between 1 and φ (exclusive)
   – sharing no prime factor with φ
5. find the integer (there’s only one), call it d, that
   – times e divided by φ leaves 1
then your keys are:
   – public: e together with n (e is for “encryption”)
   – private: d together with n (d is for “decryption”)
Encrypting with public key {e,n} ( c = m^e mod n )
1. choose a cleartext message (call it m)
   – in the form of a number less than n
2. raise it to power e
3. divide that by n (call remainder c)
then your ciphertext result is c
Decrypting with private key {d,n} ( m = c^d mod n )
1. take ciphertext c
2. raise it to power d
3. divide that by n (call remainder r)
then your recovered result is r
   – r is identically the original cleartext message m
How will we do keygen step 4?
1. choose 2 primes (easy)
2. multiply them (easy)
3. multiply their “predecessors” (p-1,q-1) (easy)
4. pick some integer e (not easy)
   – between 1 and φ (exclusive)
   – sharing no prime factor with φ
5. find the integer d (there’s only one) that (not easy)
   – times e divided by φ leaves 1
then your keys are:
   – public: e together with n (e is for “encryption”)
   – private: d together with n (d is for “decryption”)
Numbers sans common prime factor
• numbers whose gcd* is 1 will do
• find x such that gcd(x, φ)=1
• how do we find gcd of 2 numbers
  – Euclid’s algorithm
*greatest common divisor
How will we do keygen step 5?
1. choose 2 primes (easy)
2. multiply them (easy)
3. multiply their “predecessors” (p-1,q-1) (easy)
4. pick some integer e (not easy)
   – between 1 and φ (exclusive)
   – sharing no prime factor with φ
5. find the integer d (there’s only one) that (not easy)
   – times e divided by φ leaves 1
then your keys are:
   – public: e together with n (e is for “encryption”)
   – private: d together with n (d is for “decryption”)
Successively test candidates
• multiply each integer, from 1, by e
• divide by φ
• check if remainder is 1
• keep going till you find the one that is
RSA key generation example
1. choose 2 primes: p=5 q=11
2. multiply them: n=55
3. multiply their “predecessors” (p-1,q-1): φ=40
4. pick some integer: e=3
   – between 1 and φ (exclusive)
   – sharing no prime factor with φ
5. find the integer (there’s only one) that: d=27
   – times e divided by φ leaves 1
then your keys are:
   – public: e together with n: 3, 55
   – private: d together with n: 27, 55
Encrypting with public key {e,n} ( c = m^e mod n )
e = 3
n = 55
1. choose a cleartext message: m=7
   – in the form of a number less than n
2. raise it to power e: 7^3 = 343
3. divide that by n: 343 = 55x6+13
then your ciphertext result is c: c=13
Decrypting with private key {d,n} ( m = c^d mod n )
1. take ciphertext c: 13
2. raise it to power d: 13^27 = 1192533292512492016559195008117
3. divide that by n: 1192533292512492016559195008117 = 55 x 2497646399408352339319763167 + 7
then your recovered result is r: r=7
   – r is identically the original cleartext message m
d = 27
n = 55
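The key generation, encryption and decryption steps above, as an added example that is not part of the original slides: step 4 uses Euclid's algorithm and step 5 the successive testing the slides describe. Function names are constructed, and choosing the smallest valid e is an assumption of this example; the sizes are toy sizes for following the arithmetic by hand.

```python
def gcd(a: int, b: int) -> int:
    """Euclid's algorithm: replace (a, b) by (b, a mod b) until b is 0."""
    while b:
        a, b = b, a % b
    return a

def pick_e(phi: int) -> int:
    """Step 4: smallest e between 1 and phi sharing no prime factor with phi."""
    for e in range(2, phi):
        if gcd(e, phi) == 1:
            return e
    raise ValueError("no valid e for this phi")

def find_d(e: int, phi: int) -> int:
    """Step 5: test 1, 2, 3, ... until d times e leaves remainder 1 mod phi."""
    for d in range(1, phi):
        if (d * e) % phi == 1:
            return d
    raise ValueError("e has no inverse modulo phi")

def keygen(p: int, q: int):
    """Steps 1-5 for two given primes; returns (public, private)."""
    n, phi = p * q, (p - 1) * (q - 1)
    e = pick_e(phi)
    d = find_d(e, phi)
    return (e, n), (d, n)

def encrypt(m: int, public) -> int:
    """c = m^e mod n; the message must be a number less than n."""
    e, n = public
    if not 0 <= m < n:
        raise ValueError("message must be a number less than n")
    return pow(m, e, n)  # modular exponentiation, no huge intermediate value

def decrypt(c: int, private) -> int:
    """r = c^d mod n."""
    d, n = private
    return pow(c, d, n)

if __name__ == "__main__":
    public, private = keygen(5, 11)   # the slides' p and q
    c = encrypt(7, public)            # the slides' m
    print("public", public, "private", private)
    print("c =", c, " r =", decrypt(c, private))
```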
How to encrypt messages?
• RSA doesn’t encrypt “messages”
• only individual numbers
• but all digital data is numeric
• so split arbitrary data into “small-enough” bit blocks, then treat them individually
• how?
  – any way it can be done, doesn’t matter in theory
  – up to you
Blocking data - possibility 1
• RED APPLE = 826968326580807669
• use 3-decimal-digit blocks
• separately encrypt: 826 968 326 580 807 669
• be prepared for maximum ~ 999
• minimum φ 1000, eg p=31 q=37
Blocking data - possibility 2
• ABC = 01000001 01000010 01000011
• use 12-bit blocksize
• separately encrypt: 010000010100 001001000011
• be prepared for maximum – 4096
• minimum φ 4097, eg p=67 q=71
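Both blocking possibilities above, as an added example that is not part of the original slides: data is cut into numeric blocks, each block is checked against n and encrypted on its own. The exponents e=7 and e=13, the zero-padding of the last bit block and all function names are assumptions of this example; the primes are the slides'.

```python
def make_key(p: int, q: int, e: int):
    """Key pair for given primes and e; d is the inverse of e modulo phi."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)  # 3-argument pow with -1: Python 3.8+

def decimal_blocks(text: str, width: int = 3) -> list:
    """Possibility 1: join decimal character codes, cut every `width` digits."""
    digits = "".join(str(ord(ch)) for ch in text)
    if len(digits) % width:
        raise ValueError("digit string does not fill whole blocks")
    return [int(digits[i:i + width]) for i in range(0, len(digits), width)]

def bit_blocks(data: bytes, width: int = 12) -> list:
    """Possibility 2: join the bytes' bits, cut every `width` bits."""
    bits = "".join(f"{byte:08b}" for byte in data)
    bits += "0" * (-len(bits) % width)  # zero-pad the last block (assumption)
    return [int(bits[i:i + width], 2) for i in range(0, len(bits), width)]

def bits_to_bytes(blocks: list, length: int, width: int = 12) -> bytes:
    """Undo bit_blocks; `length` is the original byte count, so padding drops."""
    bits = "".join(f"{block:0{width}b}" for block in blocks)
    return bytes(int(bits[i:i + 8], 2) for i in range(0, 8 * length, 8))

def encrypt_blocks(blocks: list, public) -> list:
    """Encrypt each block separately; every block must be less than n."""
    e, n = public
    for m in blocks:
        if not 0 <= m < n:
            raise ValueError(f"block {m} does not fit under n={n}")
    return [pow(m, e, n) for m in blocks]

def decrypt_blocks(blocks: list, private) -> list:
    """Decrypt each block separately."""
    d, n = private
    return [pow(c, d, n) for c in blocks]

if __name__ == "__main__":
    pub1, priv1 = make_key(31, 37, 7)    # slides' primes for possibility 1
    blocks1 = decimal_blocks("RED APPLE")
    print(blocks1, decrypt_blocks(encrypt_blocks(blocks1, pub1), priv1))
    pub2, priv2 = make_key(67, 71, 13)   # slides' primes for possibility 2
    cipher2 = encrypt_blocks(bit_blocks(b"ABC"), pub2)
    print(cipher2, bits_to_bytes(decrypt_blocks(cipher2, priv2), 3))
```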
Some considerations
• RSA “key size” – refers to n
• p and q should be about equal length
• but not extremely close (eg avoid successive primes)
• larger key, slower operation
  – double n → pubkey ops 2x slower, privkey 4x
  – e can stay fixed while n rises, but d up proportionately
• practical keylengths, 1024 or 2048 bits
• RSA and DES per-keylength security comparisons: apples and oranges
http://www.emc.com/emc-plus/rsa-labs/standards-initiatives/how-large-a-key-should-be-used.htm
Info sources - RSA
• RSA and “A Miniature RSA Example”
  http://www.informit.com/articles/article.aspx?p=102212&seqNum=4
• “Exploring RSA Encryption,” Linux Journal
  http://www.linuxjournal.com/article/6695