Cryptology Josef Zelenka University of Hradec Kralove The Czech Republic

Page 1

Cryptology

Josef Zelenka

University of Hradec Kralove

The Czech Republic

Page 2

Cryptology – basic terms

• cryptology - the science that includes both cryptography and cryptanalysis, and is sometimes said to include steganography

• cryptography - the transformation of ordinary text (plaintext, message, cleartext) into coded form (ciphertext) by encryption and the transformation of ciphertext into plaintext by decryption. Cryptography can be used to support digital signatures, key management or key exchange, and data and communications privacy

• cryptanalysis - the analysis of a cryptographic system and/or its inputs and outputs to derive confidential variables and/or sensitive data including plaintext

Page 3

• plaintext (message) – original text which is not encrypted; shortly P or M (in schemes, formulas)

• ciphertext – encrypted plaintext; shortly C

• sender - entity in a bilateral communication which is the legitimate transmitter of information

• receiver - entity in a bilateral communication which is the intended recipient of information

• adversary - entity in a bilateral communication which is neither the sender nor the receiver, and which tries to defeat the information security service being provided between the sender and receiver. Various other synonymous names: enemy, attacker, opponent, tapper, eavesdropper, intruder, and interloper.

Page 4

Comments on the history of cryptology

• very long history – more than 4,000 years

• ancient Egypt, India (Kámasútra), Sumer – changes of letters, steganography (hiding of messages)

• ancient Greece – steganography, transposition ciphers, codes (difference between code and cipher)

• ancient Rome – Caesar cipher, encrypted communication with troops

• from 855 – description and theory of „classical“ cryptosystems

• from 1500 Europe the centre of cryptology development

• World War I and II – cryptology „writes history“ (battle of Midway – breaking the Japanese Purple code; breaking the German Enigma – battle against German submarines)

• war Israel – Egypt

• nowadays – e-business, diplomacy, banks, armies …

Page 5

From - to | Characteristic

ancient times - 15th century | Codes, simple („classic“) ciphers, hidden messages

15th century – beginning of the 20th century | Advanced simple ciphers, cryptanalysis of simple ciphers, basis of cryptology theory

20th century | Complex theory, development of mechanical and electronic ciphering machines, modern symmetric and new asymmetric cryptology, cryptographic protocols, massive application of cryptology as one of the „building stones“ of modern society

21st century | Alternative computers, quantum cryptology?, probabilistic cryptology

Page 6

Information security - targets

• privacy (confidentiality) - keeping information secret from all but those who are authorized to see it. There are numerous approaches to providing confidentiality, ranging from physical protection to mathematical algorithms which render data unintelligible.

• data integrity - ensuring information has not been altered by unauthorized or unknown means. To assure data integrity, one must have the ability to detect data manipulation by unauthorized parties. Data manipulation includes such things as insertion, deletion, and substitution.

• non-repudiation - preventing the denial of previous commitments or actions

• authorization - conveyance, to another entity, of official sanction to do or be something. Two major classes: entity authentication and data origin authentication.

Page 7

• cryptographic algorithm - an algorithm that employs the science of cryptography, including encryption algorithms, cryptographic hash algorithms, digital signature algorithms, and key agreement algorithms

• cryptographic key - usually shortened to just „key“. An input parameter that varies the transformation performed by a cryptographic algorithm.

• cryptographic system - a set of cryptographic algorithms together with the key management processes that support use of the algorithms in some application context

• block cipher - encryption scheme which breaks up the plaintext messages to be transmitted into strings (called blocks) of a fixed length t over an alphabet A, and encrypts one block at a time

Page 8

• a hash function is a computationally efficient function mapping binary strings of arbitrary length to binary strings of some fixed length, called hash-values.

• a cryptographic protocol (protocol) is a distributed algorithm defined by a sequence of steps precisely specifying the actions required of two or more entities to achieve a specific security objective.

• key management is the set of processes and mechanisms which support key establishment and the maintenance of ongoing keying relationships between parties, including replacing older keys with new keys as necessary.

Page 9

Cryptology – basic principles

Page 10

Kerckhoffs’ desiderata, a set of requirements for cipher systems (1883)

• the system should be, if not theoretically unbreakable, unbreakable in practice;

• compromise of the system details should not inconvenience the correspondents;

• the key should be rememberable without notes and easily changed;

• the cryptogram should be transmissible by telegraph;

• the encryption apparatus should be portable and operable by a single person;

• the system should be easy, requiring neither the knowledge of a long list of rules nor mental strain.

Page 11

block cipher – usually several rounds

• advantages – high level of diffusion (each ciphertext symbol depends on many plaintext symbols), low propensity to unauthorised modification and misuse (it is difficult to find the structure of the plaintext; for example what the heading of the message was), security can often be managed by lengthening the block and the key

• disadvantages – delay during encryption, error propagation (typically the whole block is affected, or with feedback modes a longer part of the message), usually slower than stream ciphers, usually more complicated implementation

Page 12

stream cipher – a symbol of plaintext is immediately changed into a symbol of ciphertext; the ciphertext symbol depends on the given plaintext symbol, the key and the algorithm, and through feedback on other previous symbols and/or input vectors

• advantages – speed, errors don't propagate

• disadvantages – low level of diffusion, propensity to modification and misuse (for example an account number – although it was not deciphered, it can be attached to another message)

Page 13

Cryptology – „classic“ ciphers

• the substitution ciphers (stream, symmetric)

• the transposition ciphers (block)

Page 14

The substitution ciphers

• block/stream ciphers which replace symbols (or groups of symbols) by other symbols or groups of symbols

• simple substitution cipher (mono-alphabetic substitution cipher) – the same substitution of one letter by another letter throughout the message

– N! is the key space, where N is the number of letters in the alphabet; a brute force attack is difficult/impossible; for 26 letters it is 26! ≈ 4·10^26 keys; if you examine 1,000,000 keys per second you still need 1.27·10^13 years – the age of the universe is approx. 1.5·10^10 years

– it is insecure – the distribution of letters in the ciphertext is the same as in the plaintext (in the given language) – cryptanalysis can combine frequency analysis of the ciphertext (see Fig. 1, Fig. 2 and Fig. 3) with ad hoc methods

– there are possibilities to strengthen the algorithm - homophonic substitution cipher, polyalphabetic substitution cipher

Page 15

Fig. 1 Frequency distribution of letters in the Czech and English languages /5/ (bar chart: x axis letters A–Z, y axis frequency in % from 0 to 14; series Czech and English)

Page 16

Fig. 2 Frequency distribution of letters in chosen languages /5/ (bar chart: x axis letters A–Z, y axis frequency in % from 0 to 20; series Czech, Slovak, English, German, French, Italian, Spanish, Portuguese)

Page 17

Fig. 3 Frequency distribution of letters in the Czech language /5/ (bar chart: letters ordered by decreasing frequency E A O I N S T R V L U D K M C P Z Y H J B F G X Q W; y axis frequency in % from 0 to 12)

Page 18

The substitution ciphers – the trivial shift cipher/Caesar cipher

• alphabetic shift through k characters for some fixed k

• key space only n, where n is the number of letters of the alphabet

• cryptanalysis is trivial:

– brute force attack

– frequency analysis – find the most frequent letter
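An added example (not from the slides) of the shift cipher and the two trivial cryptanalyses named above, in Python. The English letter-frequency table, the sample message and the known word used by the brute-force search are assumptions constructed for the demonstration.

```python
# Added example (not from the slides): the shift (Caesar) cipher and its two
# trivial cryptanalyses: brute force over the n = 26 keys, and frequency analysis.
from collections import Counter
import string

ALPHABET = string.ascii_uppercase
N = len(ALPHABET)          # the key space of the shift cipher is only n = 26

# Approximate relative frequencies (percent) of A..Z in English text; textbook
# values, an assumption of this example.
ENGLISH_FREQ = [8.2, 1.5, 2.8, 4.3, 12.7, 2.2, 2.0, 6.1, 7.0, 0.15, 0.77, 4.0, 2.4,
                6.7, 7.5, 1.9, 0.095, 6.0, 6.3, 9.1, 2.8, 0.98, 2.4, 0.15, 2.0, 0.074]


def shift_encrypt(plaintext: str, k: int) -> str:
    """Replace each letter by the letter k positions later in the alphabet (mod 26);
    non-letters are copied unchanged."""
    out = []
    for ch in plaintext.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + k) % N])
        else:
            out.append(ch)
    return "".join(out)


def shift_decrypt(ciphertext: str, k: int) -> str:
    return shift_encrypt(ciphertext, -k)


def chi_squared(text: str) -> float:
    """Distance between the letter distribution of `text` and English; the smaller
    the value, the more the text looks like English."""
    letters = [c for c in text.upper() if c in ALPHABET]
    counts = Counter(letters)
    total = len(letters)
    score = 0.0
    for i, ch in enumerate(ALPHABET):
        expected = ENGLISH_FREQ[i] / 100 * total
        observed = counts.get(ch, 0)
        score += (observed - expected) ** 2 / expected
    return score


def recover_key_frequency(ciphertext: str) -> int:
    """Frequency analysis: the key is the shift whose decryption has the most
    English-looking letter distribution (the slide's 'most frequent letter'
    heuristic, scored over the whole alphabet)."""
    return min(range(N), key=lambda k: chi_squared(shift_decrypt(ciphertext, k)))


def recover_key_bruteforce(ciphertext: str, known_word: str) -> list:
    """Brute force: try all 26 keys and keep those whose decryption contains a
    word the analyst expects in the plaintext."""
    return [k for k in range(N) if known_word.upper() in shift_decrypt(ciphertext, k)]


# Constructed sample message and key for the demonstration.
SAMPLE_PLAINTEXT = ("ATTACK AT DAWN IS THE MESSAGE THAT THE SENDER TRANSMITS "
                    "TO THE RECEIVER OVER THE INSECURE CHANNEL")
SAMPLE_KEY = 7
SAMPLE_CIPHERTEXT = shift_encrypt(SAMPLE_PLAINTEXT, SAMPLE_KEY)

if __name__ == "__main__":
    print(SAMPLE_CIPHERTEXT)
    print("frequency analysis ->", recover_key_frequency(SAMPLE_CIPHERTEXT))
    print("brute force with crib ->", recover_key_bruteforce(SAMPLE_CIPHERTEXT, "MESSAGE"))
```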

Page 19

The substitution ciphers - polygram substitution

• groups of characters are substituted by other groups of characters

• e.g. sequences of two plaintext characters (digrams) may be replaced by other digrams. In the same way sequences of three plaintext characters (trigrams) can be replaced by other trigrams, or more generally n-grams.

• In full digram substitution over an alphabet of 26 characters, the key may be any of the 26^2 digrams, arranged in a table with row and column indices corresponding to the first and second characters in the digram, and the table entries being the ciphertext digrams substituted for the plaintext pairs. There are then (26^2)! keys.

Page 20

The substitution ciphers - polyalphabetic cipher

• variants of the polyalphabetic cipher were used through the centuries including World War II (for example the legendary Enigma)

• examples of variants:

– Vigenère cipher

– Polyalphabetic cipher machines and rotors

• flatter distribution of letters using polyalphabetic cipher is clear from Fig. 4

Page 21

Fig. 4 Flatter distribution of letters using a polyalphabetic cipher /7/ (bar chart: x axis letters A–Z, y axis frequency of occurrence from 0 to 0.07)

Page 22

The substitution ciphers - homophonic substitution cipher

• the algorithm substitutes one letter by another letter, but for frequent letters the substituted letter is randomly chosen from a set of two, three or more letters

• as a result there is a „flatter“ distribution of letter frequencies and frequency analysis is difficult

• examples – E as a most frequent letter (e.g. English, Czech) is substituted by four letters, A by three letters etc.

Page 23

The substitution ciphers - Vernam Cipher

• synonyms: a one-time system or a one-time pad

• the Vernam cipher over the binary alphabet is defined by c_i = m_i ⊕ k_i for i = 1, 2, 3, …, where m_1, m_2, m_3, … are the plaintext digits, k_1, k_2, k_3, … (the keystream) are the key digits, c_1, c_2, c_3, … are the ciphertext digits, and ⊕ is the XOR function (bitwise addition modulo 2). Decryption is defined by m_i = c_i ⊕ k_i. If the keystream digits are generated independently and randomly, the Vernam cipher is called a one-time pad, and is unconditionally secure against a ciphertext-only attack.

• Conditions of safety:

– the key can be used only one time

– the key is the same length as the message

– the key must be delivered through a secret channel

– the key is destroyed after usage

– the key must be a sequence of random digits generated in natural processes, not generated via pseudorandom generators

Page 24

Scheme of the binary Vernam cipher (diagram): plaintext → XOR (ciphering) → ciphertext → XOR (deciphering) → plaintext; the same key stream of random numbers enters both XOR operations

Page 25

The substitution ciphers - Vernam Cipher

• characteristics of synchronous stream ciphers:

– synchronization requirements

– no error propagation – a ciphertext digit that is modified (but not deleted) during transmission does not affect the decryption of other ciphertext digits

– sensitivity to active attacks – there must be control mechanisms for message change (for example a hash of the message)
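An added example, not from the slides, of the binary Vernam cipher of slides 23 to 25: encryption and decryption as XOR, the absence of error propagation (which is also why an active attacker can flip chosen plaintext bits, hence the need for an integrity check), and what an eavesdropper obtains when the single-use condition is violated. os.urandom stands in for the slide's natural randomness source; the sample key and messages are constructed.

```python
# Added example (not from the slides): the binary Vernam cipher c_i = m_i XOR k_i
# and the properties the slides attach to it.
import os


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bitwise addition modulo 2 of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("the Vernam key must be exactly as long as the message")
    return bytes(x ^ y for x, y in zip(a, b))


def generate_key(length: int) -> bytes:
    """A fresh one-time key.  os.urandom draws on the operating system's entropy
    pool; it stands in here for the slide's 'natural process' source."""
    return os.urandom(length)


def vernam_encrypt(message: bytes, key: bytes) -> bytes:
    return xor_bytes(message, key)


def vernam_decrypt(ciphertext: bytes, key: bytes) -> bytes:
    return xor_bytes(ciphertext, key)      # decryption is the same operation


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Simulate a one-bit transmission error (or an active modification)."""
    out = bytearray(data)
    out[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(out)


def bits_changed(a: bytes, b: bytes) -> int:
    """Number of bit positions in which two equal-length byte strings differ."""
    return sum(bin(x).count("1") for x in xor_bytes(a, b))


def error_propagation_demo(message: bytes, key: bytes, bit_index: int) -> int:
    """How many plaintext bits change when one ciphertext bit is flipped.
    For the Vernam cipher the answer is always 1: no error propagation, but
    also no protection against modification, so a hash/MAC must be added."""
    c = vernam_encrypt(message, key)
    damaged = vernam_decrypt(flip_bit(c, bit_index), key)
    return bits_changed(message, damaged)


def key_reuse_leak(m1: bytes, m2: bytes, key: bytes) -> bytes:
    """What an eavesdropper holding two ciphertexts made with the same key can
    compute without the key: c1 XOR c2 = m1 XOR m2 (the key cancels out).
    Zero bytes in the result reveal positions where the two messages agree."""
    c1 = vernam_encrypt(m1, key)
    c2 = vernam_encrypt(m2, key)
    return xor_bytes(c1, c2)


# Constructed sample values for the demonstration (16 bytes each).
SAMPLE_KEY = bytes(range(1, 17))
SAMPLE_M1 = b"ATTACK AT DAWN!!"
SAMPLE_M2 = b"RETREAT AT NOON!"

if __name__ == "__main__":
    print(vernam_encrypt(SAMPLE_M1, SAMPLE_KEY).hex())
    print("plaintext bits changed by one flipped ciphertext bit:",
          error_propagation_demo(SAMPLE_M1, SAMPLE_KEY, 5))
    print("m1 XOR m2 recovered from key reuse:",
          key_reuse_leak(SAMPLE_M1, SAMPLE_M2, SAMPLE_KEY).hex())
```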

Page 26

The Symmetric Cryptology

Page 27

The chosen symmetric algorithms

Name | Typical characteristics

IDEA (International Data Encryption Algorithm) | key 128 b, block 64 b, patented, part of PGP, good diffusion, safety, high speed

DES (Data Encryption Standard) | key 64 b (but only 56 b used for ciphering), block 64 b, based on Feistel networks, from 1977 the American standard for symmetric encryption, in 2000 replaced by AES

3DES (Triple DES) | key 112 or 168 b, block 64 b, strengthened variant of DES (DES used three times: first and third step ciphering, second deciphering)

Page 28

The chosen symmetric algorithms

Name | Typical characteristics

Blowfish | key from 32 to 448 b, block 64 b, author Schneier 1993, based on Feistel networks

FEAL (Fast Data Encryption Algorithm) | key 64 b, block 64 b, created in Japan (Nippon Telegraph and Telephone Corporation) 1986, based on Feistel networks, was enhanced through more rounds

GOST 28147-89 (Gosudarstvěnnyj standart) | key 256 b, block 64 b, 32 rounds, from 1989 Russian cryptographic standard for the state administration, based on Feistel networks

Other symmetric algorithms: SAFER, RC5, LOKI’89, CAST, 3-WAY, SHARK, SKIPJACK, RC2…

Page 29

DES – the basic characteristics

• based on Feistel networks – scheme

• operation (see scheme on next page) – substitution in S-boxes (mixture of the right side and subkeys), generation of a different subkey for every round, permutation, mixture of left and right side

• only 56 b long key (exhaustive search takes approx. hours), role of NIST

• well defined S-boxes – safety against linear and differential cryptanalysis

• 25 years used as a standard for non-high-secret data

• existence of weak keys and semi-weak keys

– a DES weak key is a key K such that E_K(E_K(x)) = x for all x

– a pair of DES semi-weak keys is a pair (K1, K2) with E_K1(E_K2(x)) = x

Page 30

DES – the function of the right side

Page 31

3DES (scheme): plaintext → DES (K1) → DES^-1 (K2) → DES (K3) → ciphertext

Page 32

The new cryptographic standard - AES (Rijndael) /4/

Authors: Vincent Rijmen – COSIC Belgium; Joan Daemen – Proton World Belgium

The reasons: DES is not safe and is breakable in real time; 3DES – safe but slow

The beginning of Rijndael – the end of 1996; 1997 – the first attempts of AES

NIST - National Institute of Standards and Technology (1998 - 15 algorithms, 1999 - 5 algorithms); FIPS - Federal Information Processing Standard; AES – Advanced Encryption Standard (October 2000 Rijndael chosen)

Page 33

Rijndael - AES

Key and block size can be 128 b, 192 b, or 256 b (16 B, 24 B, or 32 B)

Page 34

Rijndael - AES

The number of rounds depends on the key and block size and can be 10, 12 or 14 – see table below

Nb …. number of bytes of the data block
Nk …. number of bytes of the key

Page 35

Rijndael - AES

Keys

New key for each round: a special expansion procedure creates a big key from which the round keys are generated. Its length is: block size * (number of rounds + 1)

Example: for a 128 b block and 10 rounds it is 1408 b of key data

The big key is divided into the round keys in this way: first key – first N bits, second key – next N bits, etc.

Page 36

Rijndael - AES

The algorithm

10, 12, or 14 rounds. Encryption and decryption have 4 byte-oriented transformation steps (procedures).

ciphering:
ByteSub – nonlinearity
ShiftRow – intracolumn dispersion
MixColumn – intercolumn dispersion
Round key addition – addition of round key

deciphering:
Round key addition – addition of round key
InvMixColumn - intercolumn dispersion
InvShiftRow - intracolumn dispersion
InvByteSub – non-linearity

Page 37

Rijndael - AES

ByteSub

ByteSub transformation has two steps:
• multiplicative inversion
• affine transformation

Bytes are transformed via an S-box, which is the only one for the algorithm. As a result there is high non-linearity in the block.

Page 38

Rijndael - AES

ShiftRow – this function moves the rows of the matrix to different positions

Nb | C1 | C2 | C3
4 | 1 | 2 | 3
6 | 1 | 2 | 3
8 | 1 | 3 | 4

Nb – size of the data block
C1, C2, C3 – shift of the 1st, 2nd and 3rd row (counted from 0)

Page 39

Rijndael - AES

MixColumn

Columns are multiplied by the polynomial ‘03’·x^3 + ‘01’·x^2 + ‘01’·x + ‘02’ and reduced modulo x^4 + 1

As a result there is high intercolumn dispersion in the block.
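An added example (not from the slides nor the Rijndael reference code) implementing ShiftRow with the C1, C2, C3 table of slide 38 and MixColumn/InvMixColumn of slide 39 over GF(2^8). It takes Nb as the number of 32-bit columns of the state (4, 6 or 8 for 128-, 192- and 256-bit blocks), as the Rijndael specification does; the state values used are constructed.

```python
# Added example (not from the slides or the Rijndael reference code): the
# ShiftRow and MixColumn steps of Rijndael on a state of 4 rows x Nb columns.
from typing import List

State = List[List[int]]    # 4 rows, each a list of Nb byte values

# Row offsets C1, C2, C3 for rows 1..3 from the slide 38 table (row 0 is not shifted).
SHIFT_OFFSETS = {4: (1, 2, 3), 6: (1, 2, 3), 8: (1, 3, 4)}


def gf_mul(a: int, b: int) -> int:
    """Multiply two bytes as polynomials over GF(2), reduced by the Rijndael
    polynomial x^8 + x^4 + x^3 + x + 1 (0x11B)."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return result & 0xFF


def shift_rows(state: State) -> State:
    """ShiftRow: rotate row r to the left by C_r positions."""
    offsets = (0,) + SHIFT_OFFSETS[len(state[0])]
    return [row[c:] + row[:c] for row, c in zip(state, offsets)]


def inv_shift_rows(state: State) -> State:
    """InvShiftRow: rotate row r to the right by C_r positions."""
    offsets = (0,) + SHIFT_OFFSETS[len(state[0])]
    return [row[-c:] + row[:-c] if c else list(row) for row, c in zip(state, offsets)]


def mix_column(col: List[int], coeffs=(0x02, 0x03, 0x01, 0x01)) -> List[int]:
    """Multiply the column, read as a polynomial with coefficients in GF(2^8),
    by '03'x^3 + '01'x^2 + '01'x + '02' modulo x^4 + 1.  Modulo x^4 + 1 that
    product is the circulant matrix written out below; its first row is
    c0..c3 = '02','03','01','01'."""
    c0, c1, c2, c3 = coeffs
    b0, b1, b2, b3 = col
    return [
        gf_mul(c0, b0) ^ gf_mul(c1, b1) ^ gf_mul(c2, b2) ^ gf_mul(c3, b3),
        gf_mul(c3, b0) ^ gf_mul(c0, b1) ^ gf_mul(c1, b2) ^ gf_mul(c2, b3),
        gf_mul(c2, b0) ^ gf_mul(c3, b1) ^ gf_mul(c0, b2) ^ gf_mul(c1, b3),
        gf_mul(c1, b0) ^ gf_mul(c2, b1) ^ gf_mul(c3, b2) ^ gf_mul(c0, b3),
    ]


def inv_mix_column(col: List[int]) -> List[int]:
    """InvMixColumn: multiply by the inverse polynomial
    '0B'x^3 + '0D'x^2 + '09'x + '0E' modulo x^4 + 1."""
    return mix_column(col, (0x0E, 0x0B, 0x0D, 0x09))


def mix_columns(state: State, inverse: bool = False) -> State:
    """Apply (Inv)MixColumn to every column of the state."""
    nb = len(state[0])
    fn = inv_mix_column if inverse else mix_column
    cols = [fn([state[r][j] for r in range(4)]) for j in range(nb)]
    return [[cols[j][r] for j in range(nb)] for r in range(4)]


if __name__ == "__main__":
    # Constructed 4 x 4 state: byte value = 4*row + column.
    state = [[4 * r + j for j in range(4)] for r in range(4)]
    print("ShiftRow:", shift_rows(state))
    print("MixColumn of db 13 53 45:", [hex(b) for b in mix_column([0xDB, 0x13, 0x53, 0x45])])
```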

Page 40

Rijndael - AES

The round key addition

Here the dependence of the round function on the round key originates. Only the XOR operation is used.

Page 41

Rijndael - AES

Safety: the algorithm will be tested every 5 years

Its structure eliminates weak keys.

It is safe against linear and differential cryptanalysis and the other known cryptanalytic attacks, including brute force attack.

Speed: 128 b key and 128 b block of data, Pentium 200 MHz, implementation in Visual C++ - 70 Mb/s

Page 42

Advantages of the symmetric-key cryptography

• can be designed to have high rates of data throughput - some hardware implementations achieve encryption rates of hundreds of megabytes per second, while software implementations may attain throughput rates in the megabytes per second

• keys for symmetric-key ciphers are relatively short

• can be composed to produce stronger ciphers. Simple transformations which are easy to analyse can be used to construct strong product ciphers.

• have an extensive history

Page 43

Disadvantages of the symmetric-key cryptography

• in a bilateral communication, the key must remain secret at both ends

• in a large network, there are many key pairs to be managed

• In a bilateral communication between entities A and B, sound cryptographic practice dictates that the key be changed frequently, and perhaps for each communication session.

Page 44

Asymmetric cryptography

Page 45

Basic commentaries

• Definition: an encryption scheme is asymmetric if there are at least two keys, one for encryption and a second one for decryption

• asymmetric cryptography is not the same as public-key cryptography

• Definition: public-key cryptography is an encryption scheme where there are at least two keys, one for encryption and a second one for decryption (secret key), and at the same time the key for encryption (public key) can be published

• the basic principle of public-key cryptography: one public and one private key, often authenticity connected with the public key (role of CA – certification authority)

• public-key encryption is most commonly used in practice:

– for the transport of keys subsequently used for bulk data encryption by symmetric algorithms and other applications including data integrity and authentication

– for encrypting small data items such as credit card numbers and PINs

– to provide authentication guarantees in entity authentication (digital signatures)

• scheme of an asymmetric cryptosystem

Page 46

Basis of safety

Basic question: is it possible to compute the secret key from the public key? Different safety bases for different algorithms; some classes of problems have similar computational difficulty (for example the integer factorisation problem and the discrete logarithm problem)

– the integer factorisation problem
– the discrete logarithm problem
– the generalized discrete logarithm problem
– the subset sum problem
– the linear code decoding problem

Most often discussed is the integer factorisation problem (RSA, Rabin, Blum-Goldwasser probabilistic)

Page 47

The chosen algorithms

RSA (Rivest – Shamir – Adleman) | most used cipher in the field of digital signatures and hybrid cryptology, simple algorithm, but relatively slow (high exponents, modular arithmetic)

ECDSA | digital signatures, based on elliptic curves (shorter keys)

D-H (Diffie – Hellman) | key exchange

ElGamal | ciphering; safety - the discrete logarithm problem, Diffie-Hellman problem

Page 48

The chosen algorithms

DSA (Digital Signature Algorithm) | digital signatures; safety - the discrete logarithm problem

Rabin | encryption; safety - the integer factorisation problem

Page 49

Mathematical principles - primality

• number of primes up to n: approximately N = n/ln(n)

• primality testing vs. factoring - the problem of deciding whether an integer is composite or prime seems to be, in general, much easier than the factoring problem

• the probabilistic primality tests

– Fermat’s test (if n is a prime and a is any integer, 1 ≤ a ≤ n-1, then a^(n-1) ≡ 1 (mod n); an a with a^(n-1) ≢ 1 (mod n) is called a Fermat witness for n; problem - Carmichael numbers)

– Carmichael numbers: n is a composite integer such that a^(n-1) ≡ 1 (mod n) for all integers a which satisfy gcd(a, n) = 1

– Solovay-Strassen test

– Miller-Rabin test
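An added example, not from the slides: Fermat's test, the Carmichael number 561 = 3·11·17 that passes it for every coprime base, the Miller-Rabin test which does not have that blind spot, and a check of the n/ln(n) estimate against an exact count. All values are computed in the code; the 20-round default and the seed parameter are choices of this example.

```python
# Added example (not from the slides): Fermat's test, Carmichael numbers,
# the Miller-Rabin test, and the n/ln(n) estimate of the number of primes.
import math
import random


def count_primes(n: int) -> int:
    """Exact number of primes <= n (sieve of Eratosthenes)."""
    sieve = bytearray([1]) * (n + 1)
    sieve[0:2] = b"\x00\x00"
    for i in range(2, math.isqrt(n) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(sieve[i * i::i]))
    return sum(sieve)


def approx_prime_count(n: int) -> float:
    """The slide's estimate N = n / ln(n)."""
    return n / math.log(n)


def is_fermat_witness(a: int, n: int) -> bool:
    """a is a Fermat witness for n if a^(n-1) != 1 (mod n); n is then composite."""
    return pow(a, n - 1, n) != 1


def fermat_test(n: int, bases) -> bool:
    """'Probably prime' if no given base is a Fermat witness.  A Carmichael
    number passes for every base coprime to it, so the verdict can be wrong."""
    if n < 4:
        return n in (2, 3)
    return not any(is_fermat_witness(a, n) for a in bases)


def is_carmichael(n: int) -> bool:
    """Composite n with a^(n-1) == 1 (mod n) for every a coprime to n
    (checked exhaustively, so only for small n)."""
    if n < 3 or n % 2 == 0:
        return False
    if all(n % d for d in range(3, math.isqrt(n) + 1, 2)):
        return False                      # n is actually prime
    return all(pow(a, n - 1, n) == 1
               for a in range(2, n) if math.gcd(a, n) == 1)


def miller_rabin(n: int, rounds: int = 20, seed=None) -> bool:
    """Write n-1 = 2^s * d with d odd.  A base a proves n composite unless
    a^d == 1 or a^(2^r * d) == -1 (mod n) for some 0 <= r < s.  Every odd
    composite n, Carmichael numbers included, survives a random base with
    probability at most 1/4, so `rounds` bases give error at most 4^-rounds."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    rng = random.Random(seed)             # seed only to make runs reproducible
    s, d = 0, n - 1
    while d % 2 == 0:
        s += 1
        d //= 2
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                  # a is a strong witness: n is composite
    return True


if __name__ == "__main__":
    print("primes <= 1000:", count_primes(1000), "estimate:", round(approx_prime_count(1000), 2))
    print("Fermat test on 561 with bases 2,5,7,10:", fermat_test(561, [2, 5, 7, 10]))
    print("561 is Carmichael:", is_carmichael(561))
    print("Miller-Rabin on 561:", miller_rabin(561, seed=1))
```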

Page 50

RSA

• nowadays the standard for asymmetric cryptology

• digital signatures and hybrid cryptology

• encryption is slow – safety is based on the difficulty of the integer factorisation problem when the integer has more than 200 decimal digits, and this order can have exponents in integer modular exponentiation:

C = M^e mod n

Page 51

RSA

Encryption and decryption: B encrypts a message m for A, which A decrypts

Encryption – B should do the following:
(a) Obtain A’s authentic public key (n, e).
(b) Represent the message as an integer m in the interval [0, n - 1].
(c) Compute c = m^e mod n.
(d) Send the ciphertext c to A.

Decryption – to recover plaintext m from c, A should do the following:
(a) Use the private key d to recover m = c^d mod n.

Page 52

RSA

Key generation for RSA public-key encryption:

• generate two large random (and distinct) primes p and q, each roughly the same size

• compute n = pq and φ = (p - 1)(q - 1)

• select a random integer e, 1 < e < φ, such that gcd(e, φ) = 1

• use the extended Euclidean algorithm to compute the unique integer d, 1 < d < φ, such that ed ≡ 1 (mod φ)

• public key is (n, e); private key is d

Page 53

RSA

Definition: the integers e and d in RSA key generation are called the encryption exponent and the decryption exponent, respectively, while n is called the modulus

Safety

The problem of computing the RSA decryption exponent d from the public key (n; e), and the problem of factoring n, are computationally equivalent.

Page 54

RSA – security problems

• small encryption exponent e

• small decryption exponent d

• common modulus attack (knowledge of any (e_i, d_i) pair allows the factorisation of the modulus n)

How to choose p and q

• 1024-bit or larger moduli should be used

• p and q should be about the same bit length, and sufficiently large. For example, if a 1024-bit modulus n is to be used, then each of p and q should be about 512 bits in length.

• the difference (p − q) should not be too small. If (p − q) is small, then p ≈ q and hence p ≈ sqrt(n). Thus, n could be factored efficiently simply by trial division by all odd integers close to sqrt(n). If p and q are chosen at random, then p − q will be appropriately large with overwhelming probability.

• use strong primes???
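An added example, not from the slides, covering RSA key generation with the extended Euclidean algorithm (slide 52), encryption and decryption (slide 51), and a key-generation check motivated by the (p − q) point above: trial division by the odd integers just below sqrt(n), which a key generator can run to reject primes that are too close. The toy primes 1000003, 1000033 and 1299709 are constructed for the demonstration and are far below the 512-bit sizes the slide calls for.

```python
# Added example (not from the slides): RSA key generation, encryption/decryption,
# and the close-primes check from the "how to choose p and q" slide.
import math


def extended_gcd(a: int, b: int):
    """Return (g, x, y) with g = gcd(a, b) and a*x + b*y = g."""
    old_r, r = a, b
    old_x, x = 1, 0
    old_y, y = 0, 1
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_x, x = x, old_x - q * x
        old_y, y = y, old_y - q * y
    return old_r, old_x, old_y


def mod_inverse(e: int, phi: int) -> int:
    """The unique d with 1 < d < phi and e*d == 1 (mod phi)."""
    g, x, _ = extended_gcd(e, phi)
    if g != 1:
        raise ValueError("e and phi are not coprime; choose another e")
    return x % phi


def rsa_keygen(p: int, q: int, e: int = 65537):
    """Slide 52: n = p*q, phi = (p-1)(q-1), d = e^-1 mod phi.
    Returns ((n, e), d): the public key and the private exponent.
    p and q are passed in here; a real generator produces them at random."""
    if p == q:
        raise ValueError("p and q must be distinct primes")
    n = p * q
    phi = (p - 1) * (q - 1)
    if not 1 < e < phi or math.gcd(e, phi) != 1:
        raise ValueError("e must satisfy 1 < e < phi and gcd(e, phi) = 1")
    return (n, e), mod_inverse(e, phi)


def rsa_encrypt(public_key, m: int) -> int:
    """Slide 51 step (c): c = m^e mod n, for m in [0, n-1]."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n-1]")
    return pow(m, e, n)


def rsa_decrypt(n: int, d: int, c: int) -> int:
    """Slide 51 decryption: m = c^d mod n."""
    return pow(c, d, n)


def close_factor_check(n: int, max_steps: int = 10_000):
    """Trial-divide n by the odd integers just below sqrt(n).  Returns the factor
    found, meaning p and q were too close and the key must be rejected, or None
    if no factor shows up within max_steps candidates."""
    candidate = math.isqrt(n)
    if candidate % 2 == 0:
        candidate -= 1
    for _ in range(max_steps):
        if candidate < 3:
            break
        if n % candidate == 0:
            return candidate
        candidate -= 2
    return None


if __name__ == "__main__":
    # Constructed toy primes: 1000003 and 1000033 are far too close together.
    (n, e), d = rsa_keygen(1000003, 1000033)
    c = rsa_encrypt((n, e), 123456789)
    print("n =", n, "d =", d, "roundtrip ok:", rsa_decrypt(n, d, c) == 123456789)
    print("factor near sqrt(n):", close_factor_check(n))
    (n2, _), _ = rsa_keygen(1000003, 1299709)
    print("well-separated primes, factor found:", close_factor_check(n2, max_steps=1000))
```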

Page 55

RSA – security problems

The strong primes:

A prime p is said to be a strong prime if the following three conditions are fulfilled:

• p - 1 has a large prime factor, denoted r;

• p + 1 has a large prime factor;

• r - 1 has a large prime factor

• there is no special reason for requiring the use of strong primes in RSA key generation

Page 56

Advantages of the asymmetric-key cryptography

• Only the private key must be kept secret (authenticity of public keys must, however, be guaranteed).

• Depending on the mode of usage, a private key/public key pair may remain unchanged for considerable periods of time, e.g., many sessions (even several years).

• Many public-key schemes yield relatively efficient digital signature mechanisms.

• In a large network, the number of keys necessary may be considerably smaller than in the symmetric-key scenario.

Page 57

Disadvantages of the asymmetric-key cryptography

• Throughput rates for the most popular public-key encryption methods are several orders of magnitude slower than the best known symmetric-key schemes.

• Key sizes are typically much larger than those required for symmetric-key encryption

• No public-key scheme has been proven to be secure (the same can be said for block ciphers). The most effective public-key encryption schemes found to date have their security based on the presumed difficulty of a small set of number-theoretic problems.

• Public-key cryptography does not have as extensive a history as symmetric-key encryption, being discovered only in the mid 1970s.

Page 58

Hybrid cryptology

• suitable combination of the advantages of symmetric and asymmetric cryptology

• scheme of a hybrid cryptosystem

• solves problems: speed of algorithms, key management, authorisation of communicating parties, level of safety, digital signatures (a data string which associates a message (in digital form) with some originating entity)

• detailed scheme

Page 59

Steganography

Page 60

Principles /6/ (diagram): the message and a cover are combined under a secret key into a stego-object; the stego-object passes the warden WENDY; the recipient uses the secret key to extract the message from the stego-object

Page 61

Examples /8/

Secret message M1

• „Steganography is the art and science of communicating in a way which hides the existence of the communication. In contrast to cryptography, where the “enemy” is allowed to detect, intercept and modify messages without being able to violate certain security premises guaranteed by a cryptosystem, the goal of steganography is to hide messages inside other “harm-less” messages in a way that does not allow any “enemy” to even detect that there is a second secret message present [Markus Kuhn 1995].“

• Secret picture M2

Page 62

Examples /8/

Cover picture C1

Cover picture C2

Page 63

Examples /8/

M1 + C1

M2 + C2

Page 64

Examples – linguistic steganography /9/

• News Eight Weather: Tonight increasing snow. Unexpected precipitation smothers eastern towns. Be extremely cautious and use snowtires especially heading east. The highways are knowingly slippery. Highway evacuation is suspected. Police report emergency situations in downtown ending near Tuesday.

• first letters hide message: Newt is upset because he thinks he is President

Page 65

Examples – linguistic steganography

Tourism is a complex social phenomenon, intertwined across many fields and from many points of view, without any firmly definable boundaries, which is the synergistic sum of all phenomena, relations and impacts in a space-time context connected with the growing mobility of people motivated by satisfying their needs in the areas of leisure, recreation, travel, learning, social, cultural and other areas. The phenomenal content of tourism consists above all of the aggregate activities of tourism participants, the processes connected with building and operating facilities that provide services for tourism participants, activities connected with developing and protecting resources for tourism, the sum of political and public-administration activities (tourism policy, promotion and regulation, international cooperation etc.) and at the same time the reaction of the local community and local ecosystems (feedback) to the activities listed

Page 66

Examples – linguistic steganography


(The same text set in Times New Roman as the basic font, with CG Times used for the letters that carry the message; the hidden message is „vesmír se rozpíná“ – „the universe is expanding“.)

Page 67

Marking – properties

A robust marking system has the following properties:
• Marks should not degrade the perceived quality of the work
• Detecting the presence and/or value of a mark should require knowledge of a secret
• If multiple marks are inserted in a single object, then they should not interfere with each other; moreover, if different copies of an object are distributed with different marks, then different users should not be able to process their copies in order to generate a new copy that identifies none of them
• The mark should survive all attacks that do not degrade the work's perceived quality, including re-sampling, re-quantisation, compression and especially combinations of these

Page 68

Cryptanalysis

Page 69

Cryptanalysis is much easier when /5, 7/:

1. There is a priori knowledge about the plaintext – for example the language in which the message could be written
2. There is redundant information in the plaintext – for example the structure of words, diacritics, the natural redundancy of the language itself
3. The cryptographic system is known – for example the length and structure of the keys, the dependence of the ciphering time on the key length, the way of deriving the private key from the public key
4. There is a failure in the cryptographic protocol – for example signing a message without hashing it first, reusing a one-time key in the Vernam cipher, reusing the same modulus with different exponents in RSA
5. Other specific knowledge is available – for example access to the RSA public key enables a specific form of brute force attack: generating possible plaintexts, encrypting them and comparing the result with the given ciphertext

Page 70

The basic cryptanalytic attacks
• A ciphertext-only attack – the adversary (or cryptanalyst) tries to deduce the decryption key or plaintext by only observing ciphertext. Any encryption scheme vulnerable to this type of attack is considered to be completely insecure.
• A known-plaintext attack – the adversary has a quantity of plaintext and corresponding ciphertext.
• A chosen-plaintext attack – the adversary chooses plaintext and is then given corresponding ciphertext. Subsequently, the adversary uses any information deduced in order to recover plaintext corresponding to previously unseen ciphertext.
• special types:
– rubber-hose cryptanalysis
– corruption cryptanalysis

Page 71

Cryptanalysis and the key space

• An encryption scheme can be broken by trying all possible keys to see which one the communicating parties are using (assuming that the class of encryption functions is public knowledge). This is called an exhaustive search of the key space. It follows then that the number of keys (i.e. the size of the key space) should be large enough to make this approach computationally infeasible. It is the objective of a designer of an encryption scheme that this be the best approach to break the system.

Page 72

Cryptanalysis of the classical ciphers

• language statistics
• method of Kasiski – determines the number of monoalphabetic substitutions used in a polyalphabetic substitution; the number of characters between the beginnings of repeated ciphertext segments is a multiple of the keyword length
• index of coincidence – an alternative to Kasiski's method

Page 73

Cryptanalysis of the classical ciphers

language   index of coincidence   language   index of coincidence
English    0.066895               Dutch      0.079805
Danish     0.070731               German     0.076667
Finnish    0.073796               Italian    0.073294
French     0.074604               Russian    0.056074
Spanish    0.076613               Slovak     0.06027

Index of coincidence of the chosen languages /7/

Page 74

Cryptanalysis of the classical ciphers

Index of coincidence as a function of the key length /7/ (starting from the Slovak value 0.06027 for key length 1; the right-hand columns continue with key lengths 11–20)

key length   I(C)·100000   key length   I(C)·100000
1            6027          11           4044
2            4936          12           4028
3            4573          13           4014
4            4391          14           4002
5            4282          15           3991
6            4295          16           3982
7            4157          17           3974
8            4119          18           3967
9            4088          19           3961
10           4064          20           3955
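The two key-length tests of slides 72–74, worked in code as an added example (this is not code from the slides or their author): a constructed English cover text is encrypted with a Vigenère keyword of length 5, then the Kasiski test over repeated trigrams and the average index of coincidence per column each recover the key length. The block also reproduces the table above from the formula IC(L) = IC_lang/L + (1 − 1/L)/26, an assumption about how the table was computed that matches the tabulated values to within rounding (the entry for key length 6 is the one exception). The plaintext, the keyword CRYPT and every function name are this example's own.

```python
# Added example (not from the slides): Kasiski test and index of coincidence
# against a Vigenere ciphertext.  Plaintext, keyword and all names are
# constructed for this demonstration.
from collections import Counter
from typing import Dict, List

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def vigenere_encrypt(plaintext: str, key: str) -> str:
    """Polyalphabetic substitution: letter i is Caesar-shifted by key[i mod len(key)]."""
    letters = [c for c in plaintext.upper() if c in ALPHABET]
    return "".join(
        ALPHABET[(ALPHABET.index(c) + ALPHABET.index(key[i % len(key)])) % 26]
        for i, c in enumerate(letters)
    )


def index_of_coincidence(text: str) -> float:
    """IC = sum f_i (f_i - 1) / (N (N - 1)): probability that two letters drawn
    from the text are equal.  A monoalphabetic ciphertext keeps the language's
    IC (0.0669 for English in the slide's table); a flat distribution gives 1/26."""
    n = len(text)
    if n < 2:
        return 0.0
    return sum(f * (f - 1) for f in Counter(text).values()) / (n * (n - 1))


def expected_ic(key_length: int, language_ic: float, alphabet_size: int = 26) -> float:
    """Expected IC of a polyalphabetic ciphertext: two letters share a key letter
    with probability 1/L (then they collide with the language's IC), otherwise
    they collide like unrelated letters (1/alphabet).  Reproduces the slide's
    key-length table for Slovak (0.06027)."""
    return language_ic / key_length + (1 - 1 / key_length) / alphabet_size


def average_column_ic(ciphertext: str, period: int) -> float:
    """Split the ciphertext into `period` columns (one per key letter) and average
    their ICs; at the true key length every column is monoalphabetic."""
    columns = [ciphertext[i::period] for i in range(period)]
    return sum(index_of_coincidence(col) for col in columns) / period


def period_by_ic(ciphertext: str, max_period: int = 20, threshold: float = 0.053) -> int:
    """Smallest period whose columns look monoalphabetic.  The threshold sits
    midway between the flat value 1/26 = 0.038 and English (0.0669); multiples
    of the true length also pass, so the smallest passing period is reported."""
    for period in range(1, max_period + 1):
        if average_column_ic(ciphertext, period) >= threshold:
            return period
    return 0  # nothing looked monoalphabetic (e.g. a one-time key)


def kasiski_distances(ciphertext: str, n: int = 3) -> List[int]:
    """Distances between every pair of occurrences of each repeated n-gram."""
    positions: Dict[str, List[int]] = {}
    for i in range(len(ciphertext) - n + 1):
        positions.setdefault(ciphertext[i:i + n], []).append(i)
    distances = []
    for occ in positions.values():
        for a in range(len(occ)):
            for b in range(a + 1, len(occ)):
                distances.append(occ[b] - occ[a])
    return distances


def kasiski_key_length(ciphertext: str, max_length: int = 20) -> int:
    """Score each candidate length by how many repeat distances it divides.
    Every divisor of the true length scores as high as the length itself, so
    the largest candidate within 10 % of the best score is reported."""
    distances = kasiski_distances(ciphertext)
    scores = {L: sum(1 for d in distances if d % L == 0) for L in range(2, max_length + 1)}
    best = max(scores.values())
    return max(L for L, score in scores.items() if score >= 0.9 * best)


# Constructed, deliberately repetitive English cover text (spaces are dropped).
PLAINTEXT = (
    "THE INDEX OF COINCIDENCE OF ENGLISH TEXT IS ABOUT SIXTY SEVEN THOUSANDTHS AND "
    "THE INDEX OF RANDOM TEXT IS ABOUT THIRTY EIGHT THOUSANDTHS THE KASISKI METHOD "
    "LOOKS FOR REPEATED SEGMENTS IN THE CIPHERTEXT AND THE DISTANCE BETWEEN THE "
    "REPEATED SEGMENTS IS A MULTIPLE OF THE KEYWORD LENGTH THE ANALYST THEN SPLITS "
    "THE CIPHERTEXT INTO COLUMNS AND ATTACKS EACH COLUMN AS A SIMPLE CAESAR SHIFT "
    "WITH THE FREQUENCY ANALYSIS OF THE LETTERS THE METHOD WORKS BECAUSE THE SAME "
    "PLAINTEXT WORD ENCRYPTED UNDER THE SAME PART OF THE KEYWORD PRODUCES THE SAME "
    "CIPHERTEXT AND THE SAME WORD REPEATS VERY OFTEN IN THE NATURAL LANGUAGE THE "
    "LONGER THE MESSAGE THE MORE REPEATED SEGMENTS THE ANALYST WILL FIND AND THE "
    "MORE RELIABLE THE ESTIMATE OF THE KEYWORD LENGTH WILL BE THE SECURITY OF THE "
    "CIPHER THEREFORE DEPENDS ON THE LENGTH OF THE KEYWORD AND ON THE LENGTH OF THE "
    "MESSAGE A LONG RANDOM KEY THAT IS NEVER REPEATED TURNS THE VIGENERE CIPHER INTO "
    "THE VERNAM CIPHER AND THEN NEITHER THE KASISKI METHOD NOR THE INDEX OF "
    "COINCIDENCE CAN RECOVER THE LENGTH OF THE KEY BECAUSE THE COLUMNS ARE NO "
    "LONGER MONOALPHABETIC THE DEFENDER SHOULD THEREFORE NEVER REUSE A SHORT KEY"
)
KEY = "CRYPT"  # constructed keyword of prime length 5
CIPHERTEXT = vigenere_encrypt(PLAINTEXT, KEY)

if __name__ == "__main__":
    for L in (1, 2, 3, 4, 5, 10):
        print(f"period {L:2d}: average column IC = {average_column_ic(CIPHERTEXT, L):.4f}")
    print("Kasiski estimate:", kasiski_key_length(CIPHERTEXT))
    print("IC estimate:", period_by_ic(CIPHERTEXT))
```

Both estimators are heuristics with known blind spots, and the code handles them explicitly: divisors of the true length score as well as the length itself in the Kasiski count (so the largest well-supported candidate is taken), while multiples of the true length also pass the IC test (so the smallest passing period is taken); running both and checking that they agree is the usual practice.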

Page 75

Brute force attack

• The only attack that works against high quality algorithms
• Can be supported by other techniques which reduce the key space (differential cryptanalysis, linear cryptanalysis, timing attack, meet-in-the-middle attack etc.)
• The best known form is the attack trying all keys from the key space (a variant of the attack against the key space), but there are many other variants, not only against the key space but against other characteristics of the algorithms:
– an attack generating the ciphertexts of possible texts and comparing the given ciphertext with the database of generated ciphertexts (mainly against public key cryptography and hash functions)
– factorisation of the modulus – attack against the key in RSA
– finding the discrete logarithm
• What to do against the brute force attack:
– long key
– long block (against the accompanying methods)
– random numbers as part of the block
– analyse the progress in alternative computing
– publish the algorithms

Page 76

Brute force attack

• New possible techniques, methods:
– Quantum computers
– DNA computers
– Different versions of parallel computing (partly only ideas):
• Biological computer
• Chinese lottery
• Users of the internet
• Computer viruses

Page 77

Brute force attack – quantum computers

• The most progressive technology (high speed, new concept of computing) but…
• High technological difficulties – low temperatures, high stability of the laser pulses, errors and their detection etc.
• Last year – factorisation of the number 15

[Figure: scheme of a quantum computation – initial conditions, development in time, detection of the final state]

Page 78

Attacks against protocols (Menezes et al.)
• known-key attack. In this attack an adversary obtains some keys used previously and then uses this information to determine new keys.
• replay. In this attack an adversary records a communication session and replays the entire session, or a portion thereof, at some later point in time.

• impersonation. Here an adversary assumes the identity of one of the legitimate parties in a network.

• dictionary. This is usually an attack against passwords. Typically, a password is stored in a computer file as the image of an unkeyed hash function. When a user logs on and enters a password, it is hashed and the image is compared to the stored value. An adversary can take a list of probable passwords, hash all entries in this list, and then compare this to the list of true encrypted passwords with the hope of finding matches.

• forward search. This attack is similar in spirit to the dictionary attack and is used to decrypt messages.
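The dictionary attack described above, worked as an added Python example (not code from the slides or their author) together with the countermeasure it motivates. The weak format is exactly the one the slide describes, a bare image of an unkeyed hash; the hardened form adds a random per-user salt and an iterated hash (PBKDF2-HMAC-SHA256 from the standard library). The wordlist, the password file, the user names and all function names are constructed for this example.

```python
# Added example (not from the slides): why a list of probable passwords breaks
# unsalted password images, and how a salted, iterated hash defeats the
# precomputed list.  Every password, salt and name here is constructed.
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

# Constructed "probable password" list the adversary hashes in advance.
WORDLIST = ["password", "123456", "letmein", "qwerty", "hradec", "cryptology"]


def unsalted_hash(password: str) -> str:
    """The storage format the slide describes: the bare image of an unkeyed hash."""
    return hashlib.sha256(password.encode()).hexdigest()


def precompute_dictionary(words: List[str]) -> Dict[str, str]:
    """One hash per candidate word.  Because the function is unkeyed and unsalted,
    the same table serves against every user and every password file."""
    return {unsalted_hash(w): w for w in words}


def dictionary_attack(stored: Dict[str, str], table: Dict[str, str]) -> Dict[str, str]:
    """Compare stored images with the precomputed list; returns user -> password hits."""
    return {user: table[h] for user, h in stored.items() if h in table}


def salted_hash(password: str, salt: bytes, iterations: int = 200_000) -> str:
    """Countermeasure: a random per-user salt makes a shared table useless, and
    the iteration count makes each guess cost the adversary as much as it costs
    the verifier.  Record format: salt$iterations$derived-key (all hex/decimal)."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{salt.hex()}${iterations}${dk.hex()}"


def verify_salted(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    salt_hex, iterations, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


# Constructed password file in the weak format: user -> sha256(password).
WEAK_FILE = {
    "alice": unsalted_hash("letmein"),
    "bob": unsalted_hash("correct horse battery staple"),
}


def demo_weak() -> Dict[str, str]:
    """The precomputed table immediately exposes alice's password; bob's long
    passphrase is simply not in the list."""
    return dictionary_attack(WEAK_FILE, precompute_dictionary(WORDLIST))


def demo_salted() -> Tuple[bool, bool]:
    """alice's same password stored salted: the precomputed table finds nothing,
    yet the legitimate login still verifies.  Returns (found_by_table, login_ok)."""
    record = salted_hash("letmein", os.urandom(16))
    table = precompute_dictionary(WORDLIST)
    found = record.split("$")[2] in table
    return found, verify_salted("letmein", record)


if __name__ == "__main__":
    print("weak file, hits:", demo_weak())
    print("salted file (found by table, login ok):", demo_salted())
```

Salting does not stop an adversary from hashing the wordlist again for one particular user; it only removes the reuse of one table across users, which is why the iteration count (or a memory-hard function) is the other half of the countermeasure.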

Page 79

Case study: Attacks against a protocol for RSA
• Alice has a ciphertext $C$, where $C \equiv M^e \pmod n$, and wishes to read it; she is looking for the plaintext as the result of $M \equiv C^d \pmod n$. What Alice knows: the public key $e$, the modulus $n$, $C$
• She chooses a random number $r$, $r < n$, and computes $x$, $y$ and $t$:
$x \equiv r^e \pmod n$, $y \equiv x \cdot C \pmod n$, $t \equiv r^{-1} \pmod n$
• If $x \equiv r^e \pmod n$, then $r \equiv x^d \pmod n$. Now she sends $y$ to be signed with the secret key and receives back $u \equiv y^d \pmod n$
• Alice computes
$t \cdot u \equiv r^{-1} \cdot y^d \equiv r^{-1} \cdot x^d \cdot C^d \equiv r^{-1} \cdot r \cdot C^d \equiv C^d \equiv M \pmod n$
• and although she does not know the secret key she can read the message
• Conclusion:
• the cryptographic protocol has the same importance as the message
• never sign an unknown message without using a hash function

Page 80

Case study: Attacks against a protocol for RSA

• common modulus $n$
• $c_1 \equiv m^{e_1} \pmod n$
• $c_2 \equiv m^{e_2} \pmod n$
• Alice knows $n$, $e_1$, $e_2$, $c_1$, $c_2$ (the modulus, the two public keys and the same message unsuitably encrypted under both)
• since $\gcd(e_1, e_2) = 1$ (by definition – their relation to $(p-1)(q-1)$), she can find $r$ and $s$ such that $r e_1 + s e_2 = 1$; choose $r < 0$
• compute
$(c_1^{-1})^{-r} \cdot c_2^{s} \equiv (m^{e_1})^{r} \cdot m^{e_2 s} \equiv m^{r e_1 + s e_2} \equiv m \pmod n$
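Both case studies (the blinded-signature attack of the previous slide and the common-modulus attack of this one) worked with toy numbers in Python, as an added example that is not code from the slides or their author. The key p = 61, q = 53, e = 17, d = 2753 and the second exponent 7 are constructed for illustration and far too small for real use; function names are this example's own. The naive signing oracle applies d to whatever it is given, which is exactly the protocol failure; hashed_sign shows the countermeasure the case study draws as its conclusion.

```python
# Added example (not from the slides): the two RSA protocol failures of the
# case study, worked with a toy key.  All parameters are constructed.
import hashlib
from typing import Callable, Tuple

P, Q = 61, 53
N = P * Q                 # 3233, the (shared) modulus
PHI = (P - 1) * (Q - 1)   # 3120
E, D = 17, 2753           # 17 * 2753 = 46801 = 15 * 3120 + 1
E2 = 7                    # second public exponent for the same modulus; gcd(E, E2) = 1


def egcd(a: int, b: int) -> Tuple[int, int, int]:
    """Extended Euclid: returns (g, r, s) with r*a + s*b = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, r, s = egcd(b, a % b)
    return g, s, r - (a // b) * s


def naive_sign(y: int) -> int:
    """Signing oracle of slide 79: applies d to the value it is handed, no hashing."""
    return pow(y, D, N)


def digest_of(y: int) -> int:
    """SHA-256 of y reduced mod n: toy stand-in for 'hash, then sign'."""
    nbytes = (N.bit_length() + 7) // 8
    return int.from_bytes(hashlib.sha256(y.to_bytes(nbytes, "big")).digest(), "big") % N


def hashed_sign(y: int) -> int:
    """Countermeasure: sign only the digest, so the reply is digest(y)^d and has
    no algebraic relation to y^d that the unblinding step could exploit."""
    return pow(digest_of(y), D, N)


def blinding_attack(c: int, r: int, sign: Callable[[int], int]) -> int:
    """Slide 79: x = r^e, y = x*c, u = sign(y); with u = y^d, r^-1 * u = c^d = m."""
    x = pow(r, E, N)
    y = (x * c) % N
    u = sign(y)
    t = pow(r, -1, N)     # r^-1 mod n (Python 3.8+)
    return (t * u) % N


def common_modulus_attack(c1: int, c2: int, e1: int, e2: int, n: int) -> int:
    """Slide 80: find r*e1 + s*e2 = 1, then m = c1^r * c2^s mod n.  A negative
    exponent is applied to the modular inverse of that ciphertext."""
    g, r, s = egcd(e1, e2)
    if g != 1:
        raise ValueError("public exponents must be coprime")

    def power(c: int, k: int) -> int:
        return pow(c, k, n) if k >= 0 else pow(pow(c, -1, n), -k, n)

    return (power(c1, r) * power(c2, s)) % n


def demo() -> Tuple[int, int]:
    """Returns (plaintext read via the naive oracle, plaintext read via the
    common modulus); both equal the original message 65 without using d."""
    m = 65
    c = pow(m, E, N)
    via_oracle = blinding_attack(c, 5, naive_sign)
    via_common_modulus = common_modulus_attack(c, pow(m, E2, N), E, E2, N)
    return via_oracle, via_common_modulus


if __name__ == "__main__":
    print("original message: 65, recovered:", demo())
    # With the hashed oracle the unblinded value is digest(y)^d * r^-1, not m.
    print("unblinding a hashed signature gives:", blinding_attack(pow(65, E, N), 5, hashed_sign))
```

The first attack needs nothing but a signer that raises arbitrary values to d, which is why the page's rule is to sign only a hash of the message; the second has no protocol-level fix, the only defence is never to share a modulus between key pairs.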

Page 81

Conclusion
• nowadays cryptology offers a large number of cryptographic tools; these tools can be combined and optimally chosen according to the targets
• symmetric and asymmetric cryptology have their typical advantages; the advantages can be combined in hybrid cryptology
• the cryptographic protocol has the same importance for the safety of a cryptosystem as the cryptographic algorithm
• the role of modern cryptology is not only the privacy (hiding) of messages but also ensuring data integrity (hash function), non-repudiation (digital signature) and authorization (digital signature, hash function)
• cryptology is a basis of e-business
• a cryptosystem is only as strong (safe) as its weakest element (cryptographic algorithm, key management, cryptographic protocol)
• cryptology can be a strong security service

Page 82

Cryptology

1. Which method can you effectively use for cryptanalysis of the Caesar cipher?
– the frequency analysis of letters
– ad hoc method
– combination of ad hoc method and the frequency analysis of letters
– brute force attack

2. Which method can you effectively use for cryptanalysis of a monoalphabetic cipher?
– the frequency analysis of letters
– ad hoc method
– combination of ad hoc method and the frequency analysis of letters
– brute force attack

3. What is the basis of the security of RSA?
– obscurity of the algorithm
– difficulty of factorisation of a large integer
– good secrecy of the key

Page 83

Cryptology
4. Which methods (in principle) of proving primality are used in cryptology?
– probability testing
– dividing by primes up to sqrt(n)
– frequency analysis
– Kasiski method
5. Can you use frequency analysis for cryptanalysis of modern encryption algorithms?
6. What is the advantage of combining steganography and cryptology?
7. Does a theoretically unbreakable encryption algorithm exist?
8. What kind of use does the hash function have in cryptology?
9. What is the difference between an electronic and a digital signature?

Page 84

Cryptology
10. Can you compare the role of biometry and cryptology in the process of entity authorisation?
11. Why do you use a hash function in the cryptographic protocol for digital signature?
12. What is the difference between a one-way function and a pseudo-one-way function?
13. Which knowledge can you use in an attack against „classic“ cryptosystems?
14. Which knowledge can you use in an attack against modern cryptosystems?
15. What is the common brute force attack against symmetric cryptosystems and asymmetric cryptosystems?
16. What is a „dictionary attack“? Can you describe its forms? What kind of countermeasures can you take?
17. What are the problems of frequency analysis of ciphertext?
18. Can the techniques of „classic“ cryptographic algorithms be used nowadays?

Page 85

Cryptology
19. What is the most important property of the Vernam cipher?
20. Why is the problem of factorising integers discussed so frequently?
21. What does legislation say about the digital signature?

Page 86

Literature, information resources

1. Kahn, D.: The Codebreakers
2. Menezes, A. J., van Oorschot, P. C., Vanstone, S. A.: Handbook of Applied Cryptography, CRC Press 1996
3. Schneier, B.: Applied Cryptography, Second Edition: protocols, algorithms, and source code in C, John Wiley & Sons, 1996
4. Daemen, J., Rijmen, V.: The Rijndael Block Cipher, AES Proposal, 2000
5. Zelenka, J. et al.: Ochrana dat. Kryptologie. Gaudeamus, Hradec Králové 2003
6. Simmons, G. J.: The Prisoners' Problem and the Subliminal Channel, in Advances in Cryptology, Proceedings of Crypto '83, Plenum Press, 1984, pp. 51-67
7. Grošek, O., Porubský, Š.: Šifrovanie, Grada 1992, ISBN 80-85424-62-2
8. Johnson, Neil F.: Steganography [online], 2000 [cited 2002-02-26], www.jjtc.com/stegdoc/
9. Petitcolas, Fabien A. P.: History of Steganography [online], [cited 2002-02-26], <www.cl.cam.ac.uk/~fapp2/steganography/history.html>