COSC 4607: Computer Security Lecture 9 Cryptography

Page 1: COSC 4607: Computer Security Lecture 9 Cryptography

COSC 4607: Computer Security
Lecture 9
Cryptography

Page 2: COSC 4607: Computer Security Lecture 9 Cryptography

Contents
• Basic concepts
• Cipher Schemes
• Data Encryption Standard-DES
• Public Key Systems-RSA
• Digital Signature
• Cryptography Analysis

Page 3: COSC 4607: Computer Security Lecture 9 Cryptography

Some basic definitions
• Cryptography: the study of mathematical techniques related to information security that have the following objectives:
  - Authentication: corroboration of the identity of an entity.
  - Confidentiality: ensuring information is accessible only by authorized persons.
  - Data integrity: ensuring information has not been altered by unauthorized or unknown means.
  - Non-repudiation: preventing the denial of previous commitments or actions.

Page 4: COSC 4607: Computer Security Lecture 9 Cryptography

Definitions
• Cryptography is one tool (not the only) useful for providing security services such as:
  - Authorization: conveyance of official sanction to do or be something to another entity.
  - Access Control: restricting access to resources to privileged entities.
  - Availability: ensuring a system is available to authorized entities when needed.
  - Anonymity: concealing the identity of an entity involved in some process.
  - Certification: endorsement of information by a trusted entity.
  - Revocation: retraction of certification or authorization.

Page 5: COSC 4607: Computer Security Lecture 9 Cryptography

Cryptography
• The most widely used tool for securing information and services is cryptography.
• Cryptography relies on ciphers: mathematical functions used for encryption and decryption of a message.
  - Encryption: the process of disguising a message in such a way as to hide its substance.
  - Ciphertext: an encrypted message.
  - Decryption: the process of returning an encrypted message back into plaintext.

Plaintext -> [Encryption] -> Ciphertext -> [Decryption] -> Original Plaintext

Page 6: COSC 4607: Computer Security Lecture 9 Cryptography

Ciphers
• The security of a cipher may rest in the secrecy of its restricted algorithm.
  - Whenever a user leaves a group, the algorithm must change.
  - Can't be scrutinized by people smarter than you.
  - Unfortunately, secrecy is a popular approach.
• Modern cryptography relies on keys, a selected value from a large set (a keyspace), e.g., a 1024-bit number. 2^1024 values!
  - Security is based on secrecy of the key, not the details of the algorithm.
  - Change of authorized participants requires only a change in key.

Page 7: COSC 4607: Computer Security Lecture 9 Cryptography

Ciphers
For some message M, let's denote the encryption of that message into cipher text as

    {M}K_ab = C

K_ab is the key shared by participants A and B. The decryption into plain text is written as

    {C}K_ab = M

Notice,

    {{M}K_ab}K_ab = M    symmetric key algorithms.

Some algorithms use different keys for each operation:

    {{M}K+}K- = M    public-key algorithms.

Page 8: COSC 4607: Computer Security Lecture 9 Cryptography

Example Ciphers
• Shift cipher: each plaintext character is replaced by a character k to the right. (When k=3, it's a Caesar cipher).
  - "Watch out for Brutus!" => "Jngpu bhg sbe Oehghf!" (k = 13)
  - Only 25 choices! Not hard to break by brute force.
• Substitution Cipher: each character in plaintext is replaced by a corresponding character of ciphertext.
  - E.g., cryptograms in newspapers.

    plaintext code:  a b c d e f g h i j k l m n o p q r s t u v w x y z
    ciphertext code: m n b v c x z a s d f g h j k l p o i u y t r e w q

  - (26!) Possible pairs. Is it really that hard to break?

Page 9: COSC 4607: Computer Security Lecture 9 Cryptography
Page 10: COSC 4607: Computer Security Lecture 9 Cryptography
Page 11: COSC 4607: Computer Security Lecture 9 Cryptography

• Give a serial number to each letter in the key (from a to z)
• Arrange the message based on the key positions
• Form the ciphered text by taking the letters by columns, with the column numbers going from small to large.

Page 12: COSC 4607: Computer Security Lecture 9 Cryptography

Playfair Cipher
• Firstly, the sender and receiver must agree on a keyword. In this example, the keyword is Wheatstone's name, CHARLES. The letters of the alphabet are written in a square, as shown, beginning with the keyword and with I-J combined into one element.
• Break the message into pairs of letters (digraphs). The two letters in a digraph must be different, so an X has been added to split the double M in 'hammersmith'.

Page 13: COSC 4607: Computer Security Lecture 9 Cryptography

Playfair Cipher
• Encryption depends on the type of digraph. The digraphs fall into one of three categories:
  - If both letters are in the same row, then they are replaced by the letters to the immediate right of each one; 'mi' becomes 'NK'. If a letter is at the end of a row, it is replaced by the letter at the beginning; 'ni' becomes 'GK'.
  - If both letters are in the same column, then they are replaced by the letter immediately beneath each one; 'ge' becomes 'OG'. If a letter is at the bottom of a column, it is replaced by the letter at the top; 've' becomes 'CG'.
  - If the digraph letters are neither in the same row nor the same column, the rule differs. To encipher the first letter, look along its row until you reach the column containing the second letter; the letter at this intersection replaces the first letter. To encipher the second letter, look along its row until you reach the column containing the first letter; the letter at the intersection replaces the second letter. Hence, 'me' becomes 'GD'.

http://www.simonsingh.net/The_Black_Chamber/playfaircipher.htm
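The three digraph rules above, as an added example that is not part of the lecture: it builds the square for the keyword CHARLES and reproduces the slide's digraphs. The function names, the padding of an odd final letter with X, and the use of Q as filler next to an X are assumptions of this sketch.

```python
import string

def build_square(keyword):
    """Return the 5x5 Playfair square as 25 letters in row order (I and J share a cell)."""
    square = []
    for ch in (keyword + string.ascii_uppercase).upper():
        ch = "I" if ch == "J" else ch
        if ch in string.ascii_uppercase and ch not in square:
            square.append(ch)
    return square

def to_digraphs(message):
    """Split a message into letter pairs; a doubled letter is split with a filler X."""
    letters = ["I" if c == "J" else c
               for c in message.upper() if c in string.ascii_uppercase]
    pairs, i = [], 0
    while i < len(letters):
        a = letters[i]
        b = letters[i + 1] if i + 1 < len(letters) else None
        if b is None or a == b:
            # Assumption: pad an odd final letter too, and use Q when the letter is X itself.
            pairs.append((a, "Q" if a == "X" else "X"))
            i += 1
        else:
            pairs.append((a, b))
            i += 2
    return pairs

def _transform_pair(square, a, b, step):
    """Apply the row / column / rectangle rule; step=+1 encrypts, step=-1 decrypts."""
    ra, ca = divmod(square.index(a), 5)
    rb, cb = divmod(square.index(b), 5)
    if ra == rb:   # same row: move along the row, wrapping at the end
        return square[ra * 5 + (ca + step) % 5] + square[rb * 5 + (cb + step) % 5]
    if ca == cb:   # same column: move along the column, wrapping at the bottom
        return square[((ra + step) % 5) * 5 + ca] + square[((rb + step) % 5) * 5 + cb]
    # neither: keep each letter's row, take the other letter's column
    return square[ra * 5 + cb] + square[rb * 5 + ca]

def encrypt(keyword, message):
    square = build_square(keyword)
    return "".join(_transform_pair(square, a, b, 1) for a, b in to_digraphs(message))

def decrypt(keyword, ciphertext):
    square = build_square(keyword)
    pairs = zip(ciphertext[0::2], ciphertext[1::2])
    return "".join(_transform_pair(square, a, b, -1) for a, b in pairs)

if __name__ == "__main__":
    sq = build_square("CHARLES")
    for row in range(5):
        print(" ".join(sq[row * 5:row * 5 + 5]))
    for pair in ("mi", "ni", "ge", "ve", "me"):
        print(pair, "->", encrypt("CHARLES", pair))
    print(encrypt("CHARLES", "hammersmith"))
```

Decryption leaves the filler X in place ('HAMXMERSMITH'); the receiver removes it by reading the text.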

Page 14: COSC 4607: Computer Security Lecture 9 Cryptography

Hashes
• Hashes are going to be a tool we use primarily for authentication.
• While related, these are not the same hashes you would use as the function in a hash table.
• They have stricter requirements.

Page 15: COSC 4607: Computer Security Lecture 9 Cryptography

Hash Functions
• A hash H is a one-way function that operates on arbitrary-length message m, and returns a fixed-length value h.

    h = H(m)

  - Given a message m, it is easy to compute H(m)
  - Given h, it is hard to compute m such that H(m) = h.
  - Given specific m, it is hard to find another message m', such that H(m) = H(m').
  - Given a large set of messages M, it's difficult to find any pair (m_i, m_j) that hash to the same value.
• Hashes provide a fingerprint of m.

Page 16: COSC 4607: Computer Security Lecture 9 Cryptography

Modular Arithmetic
• a ≡ b mod m if and only if a - b = λ*m
• (a mod m) + (b mod m) ≡ (a + b) mod m
• (a mod m) * (b mod m) ≡ (a * b) mod m
• Multiplicative order modulo
  - Let p be a prime and a an arbitrary integer. The multiplicative order of a modulo p is the smallest positive integer n so that a^n ≡ 1 mod p.
  - For example, if p = 3, a = 5, then n = 2

Page 17: COSC 4607: Computer Security Lecture 9 Cryptography

Modular Arithmetic
• Fermat's Little Theorem: For every a ≢ 0 mod p, p prime, we have a^(p-1) ≡ 1 mod p
• Discrete logarithm problem (DLP): Given a prime modulus p, the basis a, and the value y = a^x mod p, find the discrete logarithm x of y
• n-th root problem: given integers m, n, a find an integer b = a^n mod m
• Factorization: given an integer n, find its prime factors.

Page 18: COSC 4607: Computer Security Lecture 9 Cryptography

Common Tools
• The most common cryptographic tools are
• Symmetric key ciphers
  - DES, 3DES, AES, Blowfish, Twofish, IDEA
  - Fast and simple (based on addition, masks, and shifts)
  - One key shared and kept secret
  - Typical key lengths are 40, 128, 256, 512
• Asymmetric key ciphers
  - RSA, El Gamal
  - two keys
  - Slow, but versatile (usually requires exponentiation)
  - Typical key lengths are 512, 1024, 2048

Page 19: COSC 4607: Computer Security Lecture 9 Cryptography

Encryption, Decryption, and Key Generation
• Encryption Algorithm: E(K_E, M) => C
• Decryption Algorithm: D(K_D, C) => M
• Key-pair: (K_E, K_D)
• Correctness: D(K_D, E(K_E, M)) = M

Page 20: COSC 4607: Computer Security Lecture 9 Cryptography

Key Symmetry
• Symmetric key system: private-key system
  - K_E = K_D, or
  - K_D can be easily computed from K_E
• Asymmetrical: public-key system
  - It is hard to compute K_D from K_E

Page 21: COSC 4607: Computer Security Lecture 9 Cryptography

Symmetric Key System
• X-OR Scheme
  - K_E = K_D = (k_1 k_2 ... k_L)
  - M = (m_1 m_2 ... m_L)
• Encryption:
    E(K_E, M) = (c_1 c_2 ... c_L), where c_i = k_i xor m_i
• Decryption:
    D(K_E, C) = (k_1 xor c_1  k_2 xor c_2 ... k_L xor c_L) = M

Page 22: COSC 4607: Computer Security Lecture 9 Cryptography

Security
• Key generation: choose K_E uniformly at random
  - Implying C is uniformly at random
• Strength: Implying perfect security or unconditional security
• Weakness: it can only be used once (one-time pad)
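Why the X-OR scheme's key can only be used once, as an added example that is not part of the lecture: two ciphertexts under the same key XOR to m_1 xor m_2, so the key drops out. The `KeyPad` class, the function names and the two sample messages are constructed for this sketch.

```python
import secrets

def xor_bytes(a, b):
    """Bytewise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("key and message must have the same length L")
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key, message):
    """E(K_E, M): c_i = k_i xor m_i."""
    return xor_bytes(key, message)

def decrypt(key, ciphertext):
    """D(K_E, C): m_i = k_i xor c_i (the same operation as encryption)."""
    return xor_bytes(key, ciphertext)

class KeyPad:
    """A pad of uniformly random key bytes that hands out each byte at most once."""

    def __init__(self, length):
        self._pad = secrets.token_bytes(length)
        self._used = 0

    def take(self, n):
        if self._used + n > len(self._pad):
            raise RuntimeError("pad exhausted: refusing to reuse key material")
        key = self._pad[self._used:self._used + n]
        self._used += n
        return key

def reuse_leak(c1, c2):
    """What two ciphertexts under the SAME key reveal: c1 xor c2 = m1 xor m2."""
    return xor_bytes(c1, c2)

def demo_reuse():
    """Encrypt two constructed 16-byte messages under one key and show the leak."""
    m1 = b"ATTACK AT DAWN!!"
    m2 = b"RETREAT AT NOON!"
    key = secrets.token_bytes(len(m1))
    c1, c2 = encrypt(key, m1), encrypt(key, m2)
    leak = reuse_leak(c1, c2)
    # Anyone who knows (or guesses) m1 recovers m2 without ever seeing the key.
    recovered_m2 = xor_bytes(leak, m1)
    return leak == xor_bytes(m1, m2), recovered_m2

if __name__ == "__main__":
    print(demo_reuse())
    pad = KeyPad(32)
    k1, k2 = pad.take(16), pad.take(16)   # a fresh key per message
    print(decrypt(k1, encrypt(k1, b"ATTACK AT DAWN!!")))
```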

Page 23: COSC 4607: Computer Security Lecture 9 Cryptography

Data Encryption Standard
• DES is a symmetric block cipher algorithm
• DES was developed in the 1970s
• Based on IBM Lucifer cipher
• U.S. government standard
• DES development was controversial
  - NSA was secretly involved
  - Design process not open
  - Key length was reduced
  - Subtle changes to Lucifer algorithm

Page 24: COSC 4607: Computer Security Lecture 9 Cryptography

DES
• DES is a Feistel cipher
• 64 bit block length
• 56 bit key length
• 16 rounds
• 48 bits of key used each round (subkey)
• Each round is very simple
• Security depends primarily on "S-boxes"
• Each S-box maps 6 bits to 4 bits

Page 25: COSC 4607: Computer Security Lecture 9 Cryptography

DES round

Page 26: COSC 4607: Computer Security Lecture 9 Cryptography

DES Expansion Permutation
• Input 32 bits

     0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
    16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31

• Output 48 bits

    31  0  1  2  3  4  3  4  5  6  7  8
     7  8  9 10 11 12 11 12 13 14 15 16
    15 16 17 18 19 20 19 20 21 22 23 24
    23 24 25 26 27 28 27 28 29 30 31  0

Page 27: COSC 4607: Computer Security Lecture 9 Cryptography

DES S-box
• 8 "substitution boxes" or S-boxes
• Each S-box maps 6 bits to 4 bits
• S-box 1 (rows: input bits (0,5); columns: input bits (1,2,3,4))

       | 0000 0001 0010 0011 0100 0101 0110 0111 1000 1001 1010 1011 1100 1101 1110 1111
    ---+--------------------------------------------------------------------------------
    00 | 1110 0100 1101 0001 0010 1111 1011 1000 0011 1010 0110 1100 0101 1001 0000 0111
    01 | 0000 1111 0111 0100 1110 0010 1101 0001 1010 0110 1100 1011 1001 0101 0011 1000
    10 | 0100 0001 1110 1000 1101 0110 0010 1011 1111 1100 1001 0111 0011 1010 0101 0000
    11 | 1111 1100 1000 0010 0100 1001 0001 0111 0101 1011 0011 1110 1010 0000 0110 1101

Page 28: COSC 4607: Computer Security Lecture 9 Cryptography

DES P-box
• Input 32 bits

     0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
    16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31

• Output 32 bits

    15  6 19 20 28 11 27 16  0 14 22 25  4 17 30  9
     1  7 23 13 31 26  2  8 18 12 29  5 21 10  3 24

Page 29: COSC 4607: Computer Security Lecture 9 Cryptography

DES subkey
• 56 bit DES key, 0,1,2,…,55
• Left half bits, LK

    49 42 35 28 21 14  7
     0 50 43 36 29 22 15
     8  1 51 44 37 30 23
    16  9  2 52 45 38 31

• Right half bits, RK

    55 48 41 34 27 20 13
     6 54 47 40 33 26 19
    12  5 53 46 39 32 25
    18 11  4 24 17 10  3

Page 30: COSC 4607: Computer Security Lecture 9 Cryptography

DES subkey
• For rounds i=1,2,...,n
  - Let LK = (LK circular shift left by r_i)
  - Let RK = (RK circular shift left by r_i)
  - Left half of subkey SK_i consists of LK bits

    13 16 10 23  0  4  2 27 14  5 20  9
    22 18 11  3 25  7 15  6 26 19 12  1

  - Right half of subkey SK_i consists of RK bits

    12 23  2  8 18 26  1 11 22 16  4 19
    15 20 10 27  5 24 17 13 21  7  0  3

Page 31: COSC 4607: Computer Security Lecture 9 Cryptography

DES subkey
• For rounds 1,2,9 and 16 the shift r_i is 1, and in all other rounds r_i is 2
• Bits 8,17,21,24 of LK are omitted each round
• Bits 6,9,14,25 of RK are omitted each round
• The function that yields the 48 bit SK_i is known as the compression permutation

Page 32: COSC 4607: Computer Security Lecture 9 Cryptography

DES
• An initial perm P before round 1
• A final permutation (inverse of P) is applied to (R_16, L_16) to yield cipher text
• Security of DES depends on S-boxes
  - Everything else in DES is linear
• 30 years of intense analysis has revealed no "back door"
• Attacks today use exhaustive key search
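The expansion permutation and S-box 1 tables from the slides, applied in code as an added example that is not part of the lecture. It shows which input bits the expansion sends to two S-boxes, and checks the claim above that the expansion is linear under XOR while S-box 1 is not. Function names are illustrative.

```python
# Tables copied from the slides; bit positions are 0-based, as on the slides.
E = [31, 0, 1, 2, 3, 4, 3, 4, 5, 6, 7, 8,
     7, 8, 9, 10, 11, 12, 11, 12, 13, 14, 15, 16,
     15, 16, 17, 18, 19, 20, 19, 20, 21, 22, 23, 24,
     23, 24, 25, 26, 27, 28, 27, 28, 29, 30, 31, 0]

S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]

def xor_bits(a, b):
    return [x ^ y for x, y in zip(a, b)]

def expand(bits32):
    """Expansion permutation: 32 input bits (list of 0/1) -> 48 output bits."""
    if len(bits32) != 32:
        raise ValueError("expected 32 bits")
    return [bits32[i] for i in E]

def sbox1(bits6):
    """S-box 1: row from input bits (0,5), column from bits (1,2,3,4); returns 4 bits."""
    row = bits6[0] * 2 + bits6[5]
    col = bits6[1] * 8 + bits6[2] * 4 + bits6[3] * 2 + bits6[4]
    value = S1[row][col]
    return [(value >> shift) & 1 for shift in (3, 2, 1, 0)]

def sboxes_fed_by(input_bit):
    """S-box numbers (1..8) whose 6-bit input contains this input bit after expansion."""
    return sorted({pos // 6 + 1 for pos, src in enumerate(E) if src == input_bit})

def expansion_is_linear(a, b):
    """expand(a xor b) == expand(a) xor expand(b) holds for any bit selection table."""
    return expand(xor_bits(a, b)) == xor_bits(expand(a), expand(b))

def sbox1_linearity_violations():
    """Count 6-bit pairs (a, b) with S1(a xor b) != S1(a) xor S1(b) xor S1(0)."""
    def bits(n):
        return [(n >> s) & 1 for s in (5, 4, 3, 2, 1, 0)]
    zero = sbox1(bits(0))
    count = 0
    for a in range(64):
        for b in range(64):
            lhs = sbox1(bits(a ^ b))
            rhs = xor_bits(xor_bits(sbox1(bits(a)), sbox1(bits(b))), zero)
            if lhs != rhs:
                count += 1
    return count

if __name__ == "__main__":
    print("S1(011011) =", sbox1([0, 1, 1, 0, 1, 1]))
    shared = [b for b in range(32) if len(sboxes_fed_by(b)) == 2]
    print("input bits feeding two S-boxes:", shared)
    print("non-affine pairs in S-box 1:", sbox1_linearity_violations(), "of", 64 * 64)
```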

Page 33: COSC 4607: Computer Security Lecture 9 Cryptography

Weakness of Symmetric Key System
• Key exchange must be supported securely
• Key maintenance is expensive: imagine there are n users, then we need n(n-1)/2 keys, one for each pair
• When a new user is joining the club, everyone is involved in key generation

Page 34: COSC 4607: Computer Security Lecture 9 Cryptography

Public-Key Systems
• Public-key for encryption
• Private-key for decryption
• Requirement:
  - Efficient encryption and decryption with keys
  - Without the private key, it is hard to obtain the plain-text from the cipher-text
  - Computationally hard to obtain one key from the other

Page 35: COSC 4607: Computer Security Lecture 9 Cryptography

Key Generation for RSA
• Choose two large random primes p, q and
  - A private decryption exponent d with gcd(d, p-1) = 1 and gcd(d, q-1) = 1
  - A public encryption key consisting of n = pq
  - And an exponent e with e*d ≡ 1 mod lcm(p-1, q-1)

Page 36: COSC 4607: Computer Security Lecture 9 Cryptography

RSA: Encryption/Decryption
• Encryption
    M = E(m) = m^e mod n
• Decryption
    D(M) = M^d = m^(e*d) mod n = m mod n

Page 37: COSC 4607: Computer Security Lecture 9 Cryptography

RSA Algorithm (1)
To find a key pair e, d:
1. Choose two large prime numbers, P and Q (each greater than 10^100), and form:
     N = P * Q
     Z = (P–1) * (Q–1)
2. For d choose any number that is relatively prime with Z (that is, such that d has no common factors with Z).
   We illustrate the computations involved using small integer values for P and Q:
     P = 13, Q = 17 –> N = 221, Z = 192
     d = 5
3. To find e solve the equation:
     e x d = 1 mod Z
   That is, e x d is the smallest element divisible by d in the series Z+1, 2Z+1, 3Z+1, ... .
     e x d = 1 mod 192 = 1, 193, 385, ...
     385 is divisible by d
     e = 385/5 = 77

Page 38: COSC 4607: Computer Security Lecture 9 Cryptography

RSA Algorithm (2)
• To encrypt text using the RSA method, the plaintext is divided into equal blocks of length k bits where 2^k < N (that is, such that the numerical value of a block is always less than N; in practical applications, k is usually in the range 512 to 1024).
• k = 7, since 2^7 = 128
• The function for encrypting a single block of plaintext M is:
• E'(e, N, M) = M^e mod N
• for a message M, the ciphertext is M^77 mod 221
• The function for decrypting a block of encrypted text c to produce the original plaintext block is:
• D'(d, N, c) = c^d mod N

Page 39: COSC 4607: Computer Security Lecture 9 Cryptography

RSA Algorithm (3)
• Rivest, Shamir and Adleman proved that E' and D' are mutual inverses (that is, E'(D'(x)) = D'(E'(x)) = x) for all values of P in the range 0 ≤ P ≤ N.
• The two parameters e, N can be regarded as a key for the encryption function, and similarly d, N represent a key for the decryption function.
• So we can write Ke = <e, N> and Kd = <d, N>, and we get the encryption function:
• E(Ke, M) = {M}K (the notation here indicating that the encrypted message can be decrypted only by the holder of the private key Kd) and D(Kd, {M}K) = M.

Page 40: COSC 4607: Computer Security Lecture 9 Cryptography

Digital Signatures
• Real signatures provide a number of features
  - Authentic: Signature provides authenticity for a document
  - Unforgeable: Signatures are "hard" to forge
  - Non-repudiable: Signatures can't be repudiated. The signers cannot credibly deny that the document was signed by them.
  - Unalterable: Signatures cannot be altered or erased.
  - Non-reusable: Signatures, as parts of the document, aren't reusable.
• In reality there are ways around all of these for real signatures.

Page 41: COSC 4607: Computer Security Lecture 9 Cryptography

Signing with Hash Functions
1. Alice produces a one-way hash of the document.
     A: h = H(D)
2. Alice encrypts the hash
     A: {h}K_A-
3. Alice sends the document and the signed hash to Bob.
     A->B: D, {h}K_A-
4. Bob verifies by producing the same hash and decrypting the hash Alice sent.

Page 42: COSC 4607: Computer Security Lecture 9 Cryptography

Signing Documents with Private Keys
1. Alice encrypts the hash of the document with her private key.
2. Alice sends the document plus hash to Bob.
3. Bob hashes the document and compares the result to what he decrypted, thereby verifying the signature.
   - The sig is authentic (the hashes match)
   - The sig is unforgeable (as long as no one has the private key but Alice)
   - The sig is not reusable (it's a function of the document)
   - The signed doc is unalterable (the hashes wouldn't match)
   - The document can't be repudiated.
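The key pair worked out in RSA Algorithm (1) to (3) and the sign-then-verify steps above, as an added example that is not part of the lecture. Assumptions of this sketch: SHA-256 stands in for H, the hash is reduced mod N so that it fits the toy modulus 221 (which makes collisions trivial), each ASCII character is one 7-bit block, and all function names are illustrative.

```python
import hashlib
from math import gcd

def find_e_by_series(d, z):
    """The slide's method: smallest element of Z+1, 2Z+1, 3Z+1, ... divisible by d."""
    k = 1
    while (k * z + 1) % d != 0:
        k += 1
    return (k * z + 1) // d

def make_keypair(p, q, d):
    """Return (Ke, Kd) = (<e, N>, <d, N>) for primes p, q and a chosen d."""
    n, z = p * q, (p - 1) * (q - 1)
    if gcd(d, z) != 1:
        raise ValueError("d must be relatively prime to Z")
    # For d > 1 this is the modular inverse of d, i.e. pow(d, -1, z) in Python 3.8+.
    e = find_e_by_series(d, z)
    return (e, n), (d, n)

def block_bits(n):
    """Largest block length k with 2**k < N."""
    return (n - 1).bit_length() - 1

def encrypt_text(public, text):
    """E'(e, N, M) = M^e mod N, one character per block."""
    e, n = public
    limit = 1 << block_bits(n)
    blocks = [ord(ch) for ch in text]
    if any(m >= limit for m in blocks):
        raise ValueError("character does not fit in a k-bit block")
    # Without padding, equal blocks give equal ciphertexts: per-character RSA
    # is just a substitution cipher, so real systems pad and randomise blocks.
    return [pow(m, e, n) for m in blocks]

def decrypt_text(private, blocks):
    """D'(d, N, c) = c^d mod N."""
    d, n = private
    return "".join(chr(pow(c, d, n)) for c in blocks)

def digest(document, n):
    """h = H(D), reduced mod N only so that it fits the toy modulus."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big") % n

def sign(private, document):
    """Alice: {h}K_A-, the hash 'encrypted' with the private exponent."""
    d, n = private
    return pow(digest(document, n), d, n)

def verify(public, document, signature):
    """Bob: recompute h from the document and compare with the decrypted signature."""
    e, n = public
    return pow(signature, e, n) == digest(document, n)

if __name__ == "__main__":
    ke, kd = make_keypair(13, 17, 5)
    print("Ke =", ke, "Kd =", kd, "k =", block_bits(ke[1]))
    c = encrypt_text(ke, "Watch out for Brutus!")
    print(c)
    print(decrypt_text(kd, c))
    doc = b"constructed sample document"
    sig = sign(kd, doc)
    print("signature", sig, "verifies:", verify(ke, doc, sig))
```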

Page 43: COSC 4607: Computer Security Lecture 9 Cryptography

Digital signatures with public keys
[Figure]
Signing: M -> H(M) -> h (128 bits) -> E(Kpri, h) -> {h}Kpri; the signed doc is M together with {h}Kpri.
Verifying: {h}Kpri -> D(Kpub, {h}) -> h'; M -> H(doc) -> h; check h = h'?

Page 44: COSC 4607: Computer Security Lecture 9 Cryptography

Low-cost signatures with a shared secret key
[Figure]
Signing: M, K -> H(M+K) -> h; the signed doc is M together with h.
Verifying: M, K -> H(M+K) -> h'; check h = h'?

Page 45: COSC 4607: Computer Security Lecture 9 Cryptography

What can the hacker do?
• He/She has to break almost all the 2^20 messages to decrypt (expected 2^19) of them
• Cryptanalysis is the science of recovering the plaintext of a message without access to the key.
  - Doesn't have to discover the key necessarily.
  - The loss of a key without cryptanalysis is called a compromise.

Page 46: COSC 4607: Computer Security Lecture 9 Cryptography

Cryptanalysis -- Attacks
• Ciphertext-only attack
  - Learning from samples of ciphertexts
  - Given: C_1 = E_K(M_1), C_2 = E_K(M_2), …, C_i = E_K(M_i)
  - Deduce either M_1, M_2, …, M_i, or k, or infer M_(i+1) from C_(i+1)
• Known-plaintext attack
  - Learning from samples of ciphertext-plaintext pairs
  - Given: M_1, C_1 = E_K(M_1); M_2, C_2 = E_K(M_2); …; M_i, C_i = E_K(M_i)
  - Deduce either k or infer M_(i+1) from C_(i+1)

Page 47: COSC 4607: Computer Security Lecture 9 Cryptography

Cryptanalysis -- Attacks
• Chosen-plaintext attack
  - Learning from samples of ciphertext-plaintext pairs where the hacker chooses the plaintext
  - Given: M_1, C_1 = E_K(M_1); M_2, C_2 = E_K(M_2); …; M_i, C_i = E_K(M_i)
  - Deduce either k or infer M_(i+1) from C_(i+1)
• Chosen-ciphertext attack
  - Learning from samples of ciphertext-plaintext pairs where the hacker chooses the ciphertext
  - Given: M_1, C_1 = E_K(M_1); M_2, C_2 = E_K(M_2); …; M_i, C_i = E_K(M_i)
  - Deduce k
• Rubbery-attack
  - Well….
  - Threats, blackmails, torture, pay-offs.

Page 48: COSC 4607: Computer Security Lecture 9 Cryptography

Compromising Security
• Totally break: e.g., obtain the decryption key
• Global deduction: find an alternative way to decryption
• Instance (local) deduction: find the plaintext of the intercepted ciphertext
• Information deduction: some information about the plaintext or the key

Page 49: COSC 4607: Computer Security Lecture 9 Cryptography

Cryptanalysis
• Ideally, the attacker has to use brute force in an exhaustive search of the key-space.
• It is the complexity of launching the attack that secures us:
  - Data complexity: a large number of expected inputs (e.g., ciphertext)
  - Storage complexity: a large amount of storage units required.
  - Processing complexity: a large number of operations required.

Page 50: COSC 4607: Computer Security Lecture 9 Cryptography

Cryptanalysis
• A simple substitution cipher over a natural language can be easy.
  - "Don't attack. We aren't ready."
  - "Vkj'u muumbf. Rc mocj'u ocmvw."
• With 26! tries, you will definitely get a pattern to decrypt.

Page 51: COSC 4607: Computer Security Lecture 9 Cryptography

Summary
• Basic concepts
• Cipher Schemes
• Data Encryption Standard-DES
• Public Key Systems-RSA
• Digital Signature
• Cryptography Analysis