Cryptography

1

History – Of Cryptography

Pen and Paper Cryptography 2000 B.C. – 1750 AD Examples: Caesar Vigenère

Mechanical cipher machines 1750- 1950 Confederate Army’s Cipher Disk Japanese Red and Purple Machines German Enigma

Modern Computer Cryptography DES, Rijndael / AES, RSA, ECC, Chameleon,

2

Crypto Vocabulary

Plaintext – A message in its natural format readable by an attacker

Ciphertext – Message altered to be unreadable by anyone except the intended recipients

Key – Sequence that controls the operation and behavior of the cryptographic algorithm

Keyspace – Total number of possible values of keys in a crypto algorithm

3

Crypto Vocabulary 2

Initialization Vector – Random values used with ciphers to ensure no patterns are created during encryption

Cryptosystem – The combination of algorithm, key, and key management functions used to perform cryptographic operations

4

Cryptosystem Services

ConfidentialityIntegrityAuthenticityNonrepudiationAccess Control

5

Types of Cryptography

Asymmetric, and Symmetric

Stream-based Ciphers Mixes plaintext with key stream Good for real-time services

Block Ciphers Substitution and transposition

6

Encryption Systems

Substitution Cipher Convert one letter to another Cryptoquip

Transposition Cipher Change position of letter in text Word Jumble

Monoalphabetic Cipher Caesar

7

Encryption Systems

Polyalphabetic Cipher VigenèreModular Mathematics Running Key CipherOne-time Pads Randomly generated keys

8

Steganography

Hiding a message within another medium, such as an imageExample Modify color map of JPEG image Image of Snowden’s GirlfriendLindsey Mills that contains encodedInformation that is still unknown

9

Cryptographic Methods

Symmetric Same key for encryption and decryption Key distribution problem

Asymmetric Mathematically related key pairs for

encryption and decryption Public and private keys

10

Cryptographic Methods

Hybrid Combines strengths of both methods Asymmetric distributes symmetric key

Also known as a session key Symmetric provides bulk encryption Example:

SSL negotiates a hybrid method

11

Attributes of Strong Encryption

Confusion Change key values each round Performed through substitution Complicates plaintext/key relationship

Diffusion Change location of plaintext in ciphertext Done through transposition

12

Symmetric Algorithms

DES3DESAES (ECB, CBC, TXC,)RC4, RC5IDEABlowfish, TwoFishChameleon

13

Symmetric Encryption

14

E, D: cipher k: secret key (e.g., 128 bits)m, c: plaintext, ciphertext n: nonce (aka IV)

Alice

Em, n E(k,m,n)=c

Bob

Dc, n D(k,c,n)=m

k k

15

First example: One Time Pad (single use key)

Vernam (1917)

Shannon ‘49: OTP is “secure” against ciphertext-only attacks

0 1 0 1 1 1 0 0 01Key:

1 1 0 0 0 1 1 0 00Plaintext:

1 0 0 1 1 0 1 0 01Ciphertext:

16

Stream ciphers (single use key)

Problem: OTP key is as long the messageSolution: Pseudo random key -- stream ciphers

Stream ciphers: RC4 (113MB/sec) , SEAL (293MB/sec)

key

PRBG

message

ciphertext

c PRBG(k) m

Dangers in using stream ciphers

One time key !! “Two time pad” is insecure:

C1 m1 PRBG(k)

C2 m2 PRBG(k)

Eavesdropper does:

C1 C2 m1 m2

Enough redundant information in English that:

m1 m2 m1 , m2

Symmetric encryption: nonce (IV)

18

E, D: cipher k: secret key (e.g., 128 bits)m, c: plaintext, ciphertext n: nonce (aka IV)

Alice

Em, n E(k,m,n)=c

Bob

Dc, n D(k,c,n)=m

k k

nonce

Use Cases

Single use key: (one time key) Key is only used to encrypt one message

encrypted email: new key generated for every email No need for nonce (set to 0)

Multi use key: Key used to encrypt multiple messages

SSL: same key used to encrypt many packets Need either unique nonce or random nonce

Multi use key, but all plaintexts are distinct: Can eliminate nonce (use 0) using special mode (SIV)

19

Block ciphers: crypto work horse

E, D CT Block

n Bits

PT Block

n Bits

Key k Bits

Canonical examples:

1. 3DES: n= 64 bits, k = 168 bits

2. AES: n=128 bits, k = 128, 192, 256 bits

IV handled as part of PT block

21

Building a block cipher

Input: (m, k)Repeat simple mixing operation several times DES: Repeat 16 times:

AES-128: Mixing step repeated 10 times

Difficult to design: must resist subtle attacks differential attacks, linear attacks, brute-force,

…

mL mR

mR mLF(k,mR)

Block Ciphers Built by Iteration

R(k,m): round function for DES (n=16), for AES (n=10)

key k

key expansion

k1 k2 k3 kn

R(k

1, )

R(k

2, )

R(k

3, )

R(k

n, )

m c

23

Incorrect use of block ciphers

Electronic Code Book (ECB):

Problem: if m1=m2 then c1=c2

PT:

CT:

m1 m2

c1 c2

AES

24

AES

AES

26

Chameleon

27

Asymmetric Algorithms

Diffie-HellmanRSAElliptic Curve Cryptography (ECC)

28

Complexity Classes

Answer in polynomial space may need exhaustive search

If yes, can guess and check in polynomial time

Answer in polynomial time, with high probability

Answer in polynomial time compute answer directly

P

BPP

NP

PSpace

easy

hard

Example: RSA

Arithmetic modulo pq Generate secret primes p, q Generate secret numbers a, b with xab x mod pq

Public encryption key n, a Encrypt(n, a, x) = xa mod n

Private decryption key n, b Decrypt(n, b, y) = yb mod n

Main properties This appears to be a “trapdoor permutation” Cannot compute b from n,a

Apparently, need to factor n = pq

n

Why RSA works (quick sketch)

Let p, q be two distinct primes and let n=p*q Encryption, decryption based on group Zn

* For n=p*q, order (n) = (p-1)*(q-1)

Proof: (p-1)*(q-1) = p*q - p - q + 1

Key pair: a, b with ab 1 mod (n) Encrypt(x) = xa mod n Decrypt(y) = yb mod n Since ab 1 mod (n), have xab x mod n

Proof: if gcd(x,n) = 1, then by general group theory, otherwise use “Chinese remainder theorem”.

Textbook RSA is insecure

What if message is from a small set (yes/no)? Can build table

What if I want to outbid you in secret auction? I take your encrypted bid c and submit c (101/100)e mod n

What if there’s some protocol in which I can learn other message decryptions?

OAEP [BR94, Shoup ’01]

Preprocess message for RSA

If RSA is trapdoor permutation, then this is chosen-ciphertext secure (if H,G “random oracles”)

In practice: use SHA-1 or MD5 for H and G

H+

G +

Plaintext to encrypt with RSA

rand.Message 01 00..0

Check padon decryption.Reject CT if invalid.

{0,1}n-1

Digital Signatures

Public-key encryption Alice publishes encryption key Anyone can send encrypted message Only Alice can decrypt messages with this key

Digital signature scheme Alice publishes key for verifying signatures Anyone can check a message signed by Alice Only Alice can send signed messages

Properties of signatures

Functions to sign and verify Sign(Key-1, message)

Verify(Key, x, m) =

Resists forgery Cannot compute Sign(Key-1, m) from m and Key Resists existential forgery:

given Key, cannot produce Sign(Key-1, m) for any random or arbitrary m

true if x = Sign(Key-1, m)false otherwise

RSA Signature Scheme

Publish decryption instead of encryption key Alice publishes decryption key Anyone can decrypt a message encrypted by Alice Only Alice can send encrypt messages

In more detail, Alice generates primes p, q and key pair a, b Sign(x) = xa mod n Verify(y) = yb mod n Since ab 1 mod (n), have xab x mod n

Generally, sign hash of message instead of full plaintext

Public-Key Infrastructure (PKI)

Anyone can send Bob a secret message Provided they know Bob’s public key

How do we know a key belongs to Bob? If imposter substitutes another key, can read Bob’s mail

One solution: PKI Trusted root authority (VeriSign, IBM, United Nations)

Everyone must know the verification key of root authority Check your browser; there are hundreds!!

Root authority can sign certificates Certificates identify others, including other authorities Leads to certificate chains

Public-Key Infrastructure

Certificate Authority

Client Server

Known public signature verification key Ka

Sign(Ka-1, Ks), Sign(Ks, msg)

CertificateSign(Ka-1, Ks)Ks

Server certificate can be verified by any client that has CA key Ka

Certificate authority is “off line”

Ka

Hashing Algorithms

MD5 Computes 128-bit hash value Widely used for file integrity checking

SHA-1 Computes 160-bit hash value NIST approved message digest algorithm

SHA-256

39

Birthday Attack

Collisions Two messages with the same hash value

Based on the “birthday paradox”Hash algorithms should be resistant to this attack

40

Message Authentication Codes

Small block of data generated with a secret key and appended to a messageHMAC (RFC 2104) Uses hash instead of cipher for speed Used in SSL/TLS and IPSec

41

Digital Signatures

Hash of message encrypted with private key

Digital Signature Standard (DSS)• DSA/RSA/ECD-SA plus SHA

DSS provides• Sender authentication• Verification of message integrity• Nonrepudiation

42

Encryption Management

Key Distribution Center (KDC) Uses master keys to issue session keys Example: Kerberos

ANSI X9.17 Used by financial institutions Hierarchical set of keys Higher levels used to distribute lower

43

Public Key Infrastructure

All components needed to enable secure communication Policies and Procedures Keys and Algorithms Software and Data Formats

Assures identity to usersProvides key management features

44

PKI Components

Digital Certificates• Contains identity and verification info

Certificate Authorities• Trusted entity that issues certificates

Registration Authorities• Verifies identity for certificate requests

Certificate Revocation List (CRL)

45

PKI Cross Certification

Process to establish a trust relationship between CAs

Allows each CA to validate certificates issued by the other CA

Used in large organizations or business partnerships

46

Cryptanalysis

The study of methods to break cryptosystems

Often targeted at obtaining a keyAttacks may be passive or active

47

Cryptanalysis

Kerckhoff’s Principle The only secrecy involved with a

cryptosystem should be the key

Cryptosystem Strength How hard is it to determine the secret

associated with the system?

48

Cryptanalysis Attacks

Brute force Trying all key values in the keyspace

Frequency Analysis Guess values based on frequency of

occurrence

Dictionary Attack Find plaintext based on common words

49

Cryptanalysis Attacks (statistical)

WORD COUNT PERCENT bar graph

the 53.10 B 7.14% the

of 30.97 B 4.16% ofand 22.63 B 3.04%

and to 19.35 B 2.60% to in 16.89 B 2.27% ina 15.31 B 2.06% a is 8.38 B 1.13% is that 8.00 B 1.08%

that for 6.55 B 0.88% for

50

LET COUNT PERCENT bar graphE 445.2 B 12.49% ET 330.5 B 9.28% TA 286.5 B 8.04% AO 272.3 B 7.64% OI 269.7 B 7.57% IN 257.8 B 7.23% NS 232.1 B 6.51% SR 223.8 B 6.28% RH 180.1 B 5.05% HL 145.0 B 4.07% LD 136.0 B 3.82% DC 119.2 B 3.34% CU 97.3 B 2.73% UM 89.5 B 2.51% MF 85.6 B 2.40% FP 76.1 B 2.14% P

Cryptanalysis Attacks

Replay Attack Repeating previous known values

Factoring Attacks Find keys through prime factorization

Ciphertext-OnlyKnown Plaintext

Format or content of plaintext available

51

Cryptanalysis Attacks

Chosen Plaintext Attack can encrypt chosen plaintext

Chosen Ciphertext Decrypt known ciphertext to discover key

Differential Power Analysis Side Channel Attack Identify algorithm and key length

52

Cryptanalysis Attacks

Social Engineering Humans are the weakest link

RNG Attack Predict IV used by an algorithm

Temporary Files May contain plaintext

53

E-mail Security Protocols

Privacy Enhanced Email (PEM)Pretty Good Privacy (PGP)

Based on a distributed trust model Each user generates a key pair

S/MIME Requires public key infrastructure Supported by most e-mail clients

54

Network Security

Link Encryption Encrypt traffic headers + data Transparent to users

End-to-End Encryption Encrypts application layer data only Network devices need not be aware

55

Network Security

SSL/TLS• Supports mutual authentication• Secures a number of popular network

services

IPSec• Security extensions for TCP/IP protocols• Supports encryption and authentication• Used for VPNs

56

Questions?

57