CSC 382: Computer SecuritySlide #1 CSC 382: Computer Security Classical Cryptography

CSC 382: Computer Security Slide #1

CSC 382: Computer Security

Classical Cryptography


Overview

1. Modular Arithmetic Review

2. What is Cryptography?

3. Transposition Ciphers

4. Substition Ciphers1. Cæsar cipher

2. Vigènere cipher

5. Cryptanalysis: frequency analysis

6. Block Ciphers

7. DES


Modular Arithmetic

Congruence– a = b (mod N) iff a = b + kn– Equivalently, a = b (mod N) iff N / (a – b)– ex: 37=27 mod 10

b is the residue of a, modulo N– Ints 0..N-1 are complete set of residues mod N


Laws of Modular Arithmetic

1. (a + b) mod N = (a mod N + b mod N) mod N

2. (a - b) mod N = (a mod N - b mod N) mod N

3. ab mod N = (a mod N)(b mod N) mod N

4. a(b+c) mod N = ((ab mod N)+(ac mod N)) mod N


What is Cryptography?

Cryptography: The art and science of keeping messages secure.

Cryptanalysis: the art and science of decrypting messages.

Cryptology: cryptography + cryptanalysis


Terminology

• Plaintext: message to be encrypted. Also called cleartext.

• Encryption: altering a message to keep its contents secret.

• Ciphertext: encrypted message.

Plaintext

Ciphertext

EncryptionProcedure


History of CryptographyEgyptian hieroglyphics ~ 2000 B.C.E.

– Cryptic tomb enscriptions for regality.

Spartan skytale cipher ~ 500 B.C.E.– Wrapped thin sheet of papyrus around staff.– Messages written down length of staff.– Decrypted by wrapped around = diameter staff.

Cæsar cipher ~ 50 B.C.E.– Simple alphabetic substitution cipher.

al-Kindi ~ 850 C.E.– Cryptanalysis using letter frequencies.


History of CryptographyAlberti’s polyalphabetic cipher 1467Decryption of Zimmerman telegram 1917

– Leads US into World War I

Japanese Purple Machine cracked 1937– US breaks rotor machine for highest secrets.

German Enigma machine cracked 1933-45– Initially broken by Polish mathematician

Rejewski– Variants broken at Bletchley Park in UK– Colossus, world’s 1st electronic computer.


Cryptosystem Formal Definition

5-tuple (E, D, M, K, C)– M set of plaintexts– K set of keys– C set of ciphertexts– E set of encryption functions e: M K C– D set of decryption functions d: C K M


Example: Cæsar cipher

Letter shifting cipher (A=>D, B=>E, C=>F, …)

5-tuple– M = { all sequences of letters }

– K = { i | i is an integer and 0 ≤ i ≤ 25 }

– E = { Ek | k K and for all letters m,

Ek(m) = (m + k) mod 26 }

– D = { Dk | k K and for all letters c,

Dk(c) = (26 + c – k) mod 26 }

– C = M

History: Cæsar’s key was 3.


Example: Cæsar cipher

• Plaintext is HELLO WORLD• Change each letter to the third letter

following it (X goes to A, Y to B, Z to C)– Key is 3, usually written as letter ‘D’

• Ciphertext is KHOOR ZRUOG


A Transposition Cipher

Rearrange letters in plaintext.

Example: Rail-Fence Cipher– Plaintext is HELLO WORLD– Rearrange as

H L O O L

E L W R D– Ciphertext is HLOOL ELWRD


Cryptosystem Security Dependencies

1. Quality of shared encryption algorithm E2. Secrecy of key K


Cryptanalysis

Goals– Decrypt a given message.– Recover encryption key.

Adversarial models vary based on– Type of information available to adversary– Interaction with cryptosystem.


Cryptanalysis Adversarial Models

1. ciphertext only: adversary has only ciphertext; goal is to find plaintext, possibly key.

2. known plaintext: adversary has ciphertext, corresponding plaintext; goal is to find key.

3. chosen plaintext: adversary may supply plaintexts and obtain corresponding ciphertext; goal is to find key.


Classical Cryptography

Sender & receiver share common key– Keys may be the same, or trivial to derive from

one another.– Sometimes called symmetric cryptography.


Substitution Ciphers

Substitute plaintext chars for ciphered chars.– Simple: Always use same substitution function.– Polyalphabetic: Use different substitution

functions based on position in message.


Cryptanalysis of Cæsar Cipher

Exhaustive search– If the key space is small enough, try all possible

keys until you find the right one.– Cæsar cipher has 26 possible keys.


General Simple Substitution Cipher

Key Space: All permutations of alphabet.

Encryption:– Replace each plaintext letter x with K(x)

Decryption:– Replace each ciphertext letter y with K-1(y)

Example: A B C D E F G H I J K L M N O P Q R S T U V W X Y ZK= F U B A R D H G J I L K N M P O S Q Z W X Y V T C E

CRYPTO BQCOWP


General Substitution Cryptanalysis

Exhaustive search impossible– Key space size is 26! =~ 4 x 1026– Historically thought to be unbreakable.– Yet people solve them as newspaper puzzles

every day…

Solution: frequency analysis.

Lesson: A large key space is necessary but not sufficient for security of a cryptosystem.


Cryptanalysis: Frequency Analysis

Languages have different frequencies of– letters– digrams (groups of 2 letters)– trigrams (groups of 3 letters)– etc.

Simple substitution ciphers preservefrequency distributions.


English Letter Frequencies


Additional Frequency Features

1. Digram frequencies– Common digraphs: EN, RE, ER, NT, TH

2. Trigram frequencies– Common trigrams: THE, ING, THA, ENT

3. Vowels other than E rarely followed by another vowel.

4. The letter Q is followed only by U.

5. Many others.


Countering Frequency Analysis

Nulls– Insert additional symbols (numbers) which have no

meaning in random places.

Idiosyncratic spellings– Hacker speak: www.google.com/intl/xx-hacker

Homophonic substitution– Each letter has multiple substitutions.

These techniques increase difficulty of frequency analysis but don’t make it impossible.


Countering Frequency Analysis

Primary weakness of simple substition:– Each ciphertext letter corresponds to only one

letter of plaintext.

Solution: polyalphabetic substitution– Use multiple cipher alphabets.– Switch between cipher alphabets from character

to character in the plaintext.


Letter Frequency Distributions


Vigènere Cipher

Use phrase instead of letter as key.Example:

– Message THE BOY HAS THE BALL– Key VIG– Encipher using Cæsar cipher for each letter:

key VIGVIGVIGVIGVIGVplain THEBOYHASTHEBALLcipher OPKWWECIYOPKWIRG

Key space size is 26m.


Relevant Parts of Tableau

G I VA G I VB H J WE L M ZH N P CL R T GO U W JS Y A NT Z B OY E H T

Tableau shown has relevant rows, columns only.

Example encipherments:1. key V, letter T: follow V

column down to T row (giving “O”)

2. Key I, letter H: follow I column down to H row (giving “P”)


Useful Terms

period: length of key– In earlier example, period is 3

tableau: table used to encipher and decipher– Vigènere cipher has key letters on top, plaintext

letters on the left.


Simple Attacks

1. Chosen Plaintext– Choose plaintext of all a’s.– If long enough, it will be encrypted to the

key.

2. Dictionary Attack– Guess key from dictionary and try decryption.

3. Brute Force– Try every possible key in turn.– Is there a ciphertext only attack that’s faster?


Vigènere Cryptanalysis

1. Find key length (period).2. Break message into n parts, each part being

enciphered using the same key letter.3. Use frequency analysis to solve resulting

simple substition ciphers.



Kaskski Test• Conjunction of key repetition with repeated

portion of plaintext produces repeated ciphertext.• Example:


Key and plaintext line up over the repetitions.

• Distance between reptitions is 9– Repeated phrase “OPK” at 1st and 10th positions.– Period is a multiple of 9 (1, 3 or 9.)


Example Vigènere Ciphertext

ADQYS MIUSB OXKKT MIBHK IZOOOEQOOG IFBAG KAUMF VVTAA CIDTWMOCIO EQOOG BMBFV ZGGWP CIEKQHSNEW VECNE DLAAV RWKXS VNSVPHCEUT QOIOF MEGJS WTPCH AJMOCHIUIX


Repetitions in ExampleLetters Start End Distance Factors

MI 5 15 10 2, 5

OO 22 27 5 5

OEQOOG 24 54 30 2, 3, 5

FV 39 63 24 2, 2, 2, 3

AA 43 87 44 2, 2, 11

MOC 50 122 72 2, 2, 2, 3, 3

QO 56 105 49 7, 7

PC 69 117 48 2, 2, 2, 2, 3

NE 77 83 6 2, 3

SV 94 97 3 3

CH 118 124 6 2, 3


Estimate of Period

• OEQOOG is probably not a coincidence– Two character repetitions may be chance.– Period may be 1, 2, 3, 5, 6, 10, 15, or 30

• Most others (7/10) have 2 in their factors

• Almost as many (6/10) have 3 in their factors.

• Begin with period of 2 3 = 6.


Letter Coincidence

• Coincidence: Picking two letters at random from a message that are identical.

• Probability of picking two a’s– Let there be n letters in the ciphertext.

– Let there be na a’s in the ciphertext.

– The probability of selecting two a’s at random

n

n

n

n

a a

1

1


Index of Coincidence

Probability of chosing two identical letters

Coincidence probabilities for two letters:– English plaintext: 0.0667– Random English letters: 1/26 0.0385

n

n

n

n

n

n

n

n

n

n

n

n

a a b b z z1

1

1

1

1

1. . .


English Letter Frequencies

a 0.080 h 0.060 n 0.070 t 0.090

b 0.015 i 0.065 o 0.080 u 0.030

c 0.030 j 0.005 p 0.020 v 0.010

d 0.040 k 0.005 q 0.002 w 0.015

e 0.130 l 0.035 r 0.065 x 0.005

f 0.020 m 0.030 s 0.060 y 0.020

g 0.015 z 0.002


Coincidence Counting

Simple Language: f(A)=0.75, f(B)=0.25

Simple Cipher: Swap A’s and B’s

AA .5625

BB .0625

AB .1875

BA .1875

AA .1875

BB .1875

AB .5625

BA .0625

Plaintext Plaintext/Ciphertext


Friedman Test

Expected IC– Random: 0.0385– Plaintext: 0.0667

0.0385

Expected IC by period– 2: 0.052– 3: 0.047– 4: 0.045– 5: 0.044– 10: 0.041

0.0667

Index of CoincidenceShorter Key

Longer Key


Compute I.C. for Example

For our ciphertext, IC = 0.043– Indicates a key of slightly more than 5.– A statistical measure, so it can be in error, but it

agrees with the previous estimate (6).If the key has m characters, then every mth

character is enciphered with the same shift.– The string of letters won’t be recognizable.– But its letter frequencies should be the same as

English as it’s a monoalphabetic ciphertext.


Splitting Into Alphabets

Alphabet ICAIKHOIATTOBGEEERNEOSAI 0.069DUKKEFUAWEMGKWDWSUFWJU 0.078QSTIQBMAMQBWQVLKVTMTMI 0.078YBMZOAFCOOFPHEAXPQEPOX 0.056SOIOOGVICOVCSVASHOGCC 0.124MXBOGKVDIGZINNVVCIJHH 0.043

Divide cipher into 6 (period) alphabets.

IC indicates single alphabet, except #4 and #6.


Frequency ExaminationABCDEFGHIJKLMNOPQRSTUVWXYZ

1 310040113010013001120000002 100222100130100000104040003 120000002011400040130210004 211022010000104310000002115 105000212000005000300200006 01110022311012100000030101

HMMMHMMHHMMMMHHMLHHHMLLLLLUnshifted frequencies (H high, M medium, L low)


Begin Decryption• First matches characteristics of unshifted alphabet• Third matches if I shifted to A• Sixth matches if V shifted to A• Substitute into ciphertext (bold are substitutions)ADIYS RIUKB OCKKL MIGHK AZOTO EIOOL IFTAG PAUEF VATAS CIITW EOCNO EIOOL BMTFV EGGOP CNEKIHSSEW NECSE DDAAA RWCXS ANSNPHHEUL QONOF EEGOS WLPCM AJEOC MIUAX


Look For Clues

AJE in last line suggests “are”, meaning second alphabet maps A into S:

ALIYS RICKB OCKSL MIGHS AZOTOMIOOL INTAG PACEF VATIS CIITEEOCNO MIOOL BUTFV EGOOP CNESIHSSEE NECSE LDAAA RECXS ANANPHHECL QONON EEGOS ELPCM AREOCMICAX


Next Alphabet

MICAX in last line suggests “mical” (a common ending for an adjective), meaning fourth alphabet maps O into A:

ALIMS RICKP OCKSL AIGHS ANOTO MICOL INTOG PACET VATIS QIITE ECCNO MICOL BUTTV EGOOD CNESI VSSEE NSCSE LDOAA RECLS ANAND HHECL EONON ESGOS ELDCM ARECC MICAL


Got It!

QI means that U maps into I, as Q is always followed by U:

ALIME RICKP ACKSL AUGHS ANATO MICAL INTOS PACET HATIS QUITE ECONO MICAL BUTTH EGOOD ONESI VESEE NSOSE LDOMA RECLE ANAND THECL EANON ESSOS ELDOM ARECO MICAL


Countering Frequency Analaysis

• Observation: If Vigènere key is very long, frequency analysis won’t work.

• Problem: Long keys are hard to remember.

• Solution: Use multiple encryptions.– Encrypting with a key m and key n is same as

encryption by key whose length is least common multiple of m and n.

– If m and n are relatively prime, then the least common multiple is mn.


Rotor Machines

Use multiple rounds of Vigènere substitution.– Machine contains multiple cylinders.– Each cylinder has 26 states (ciphers).– Cylinders rotate to change states on different

schedules.– m-cylinder machine has 26m substitution ciphers.


Enigma Machine

• 3 rotors: 17576 substitutions.

• 3 rotors can be used in any order: 6 combinations.

• Plug board: 6 pairs of letters can be swapped.

• Total keys ~ 1016


Perfect Security: The One-Time Pad

• A Vigenère cipher with a random key at least as long as the message.

• Provably unbreakable.• Example ciphertext: DXQR. • Equally likely to correspond to

– plaintext DOIT (key AJIY)

– plaintext DONT (key AJDY)

– and any other 4 letters.


One-Time Pad

• Warning: keys must be random, or you can attack the cipher by trying to regenerate the key.

• Approximations, such as using computer pseudorandom number generators to generate keys, are not random.


Block Ciphers

• Encrypt groups (blocks) of chars at once.

• Improvement over single char substitution– Cryptanalysis must use digraph frequencies for

two-char blocks.– Longer blocks are more difficult to analyze.– Modern ciphers are block ciphers.

• Example: Playfair Cipher, 1854


Playfair Cipher

Create 5x5 table – Fill in spaces with

letters of key, dropping duplicate letters.

– Fill remaining spaces with unused letters of alphabet in order

• Drop Q … or

• I = J

P L A Y F

I|J R E X M

B C D G H

K N O Q S

T U V W Z


Playfair Cipher

Encryption Algorithm1. If letters of pair are identical (or only one

letter remains), add an “X” after first letter.

2. If two letters are in same row or column, replace them with the succeeding letters.

3. Otherwise, two letters form a rectangle, and we replace them with letters on the same row respectively at the other pair of corners.


Playfair Cipher Example

Plaintext is HELLO WORLD– Pair HE is rectangle, replace with DM– Pair LX (X inserted) is rectangle, YR– Pair LO is rectangle, replace with AN– Pair WO is rectangle, replace with VQ– Pair RL is in column, replace with CR– Pair DX is rectangle, replace with GE

Ciphertext is DMYRANVQCRGE


Transposition Cipher Cryptanalysis

Anagramming– If

• 1-gram frequencies match English frequencies,

• but other n-gram frequencies do not,

– then, message likely ciphered via transposition.– Rearrange letters to form n-grams with highest

frequencies.


Cryptanalysis Example

Ciphertext: HLOOLELWRDFrequencies of 2-grams beginning with H

– HE 0.0305– HO 0.0043– HL, HW, HR, HD < 0.0010

Frequencies of 2-grams ending in H– WH 0.0026– EH, LH, OH, RH, DH ≤ 0.0002

Implies E follows H


Cryptanalysis Example

Arrange so the H and E are adjacentHELLOWORLD

Read across, then down, to recover plaintext.


Shannon Criteria

1. Kerchoff’s Principle– The only secret should be the key.– Cipher should be secure if mechanism known

but not the key.

2. Incorporate both confusion + diffusion– Confusion: hide local patterns of language.– Diffusion: hide large-scale patterns by mixing

different parts of plaintext.


SP-Networks

Combine Substitution+Permutation (transposition)– Confusion: adding unknown key values will confuse

attacker about value of plaintext symbol.

– Diffusion: Transposing text to ensure nothing is left in its original position.

Designing for Security– Block Size

– Number of Rounds

• Each input bit is XOR of several output bits from previous round.

– Choice of S-boxes


Overview of the DES

1. Block cipher: encrypts blocks of 64 bits– 56-bit key + 8 parity bits

2. Product cipher– substitution + transposition

3. 16 rounds (iterations) of encryption– Round key generated from user key

– Each round is a Feistel network.


Feistel Network• Start: string of 2n bits• Group into two halves, L and R, each a vector of n bits.• Let f be any function that

– Accepts inputs of n bits.– Produces output of n bits.

• Feistel network Ff is

F L R L f R Rf ( , ) ( ( ) , ) • Ff is its own inverse

F F L R F L f R R

L f R f R R

L R

f f f( ( , )) ( ( ) , )

( ( ) ( ) , )

( , )


Generation of Round Keys

key

PC-1

C0 D0

LSH LSH

D1

PC-2 K1

K16LSH LSH

C1

PC-2

Drop parity bits, reducing effective key size to 56 bits.

Permute and extract 48 bits for round key.


Encipherment

input

IP

L0 R0

f K1

L1 = R0 R1 = L0 f(R0, K1)

R16 = L15 f (R15, K16) L16 = R15

IPŠ1

output

Split 64-bit block

L0=init left half

R0=init right half

Encrypt with

f=round fn

K1=round 1 key

Join L + R halves

L16=round 16 left half

R16=round 16 right half


The f Function

RiŠ1 (32 bits)

E

RiŠ1 (32 bits)

Ki (48 bits)

S1 S2 S3 S4 S5 S6 S7 S8

6 bits into each

P

32 bits

4 bits out of each

Each round has effect:Li = Ri-1 Ri = Li-1 f(Ri-1, Ki)


Controversy

Considered too weak– Diffie, Hellman said in a few years technology

would allow DES to be broken in days (1976).• EFF built “Deep Crack” in 1998 for $100,000.

• Brute forced DES in 56 hours.

– Design decisions not public• NSA involved in weakening cipher.

• 128-bit key reduced to 56 bits.

• S-boxes may have backdoors.


Undesirable Properties• 4 weak keys

– They are their own inverses.

• 12 semi-weak keys– Each has another semi-weak key as inverse.

• Complementation property– DESk(m) = c DESk´(m´) = c´

• S-boxes exhibit irregular properties– Distribution of odd, even numbers non-random.– Outputs of fourth box depends on input to third box.


Differential Cryptanalysis• A chosen ciphertext attack

– Biham and Shamir (1990)– Examines pairs of plaintext with particular diffs.– Requires 247 plaintext, ciphertext pairs.– Only 214 pairs required with 8 round DES.

• Revealed several properties– S-box designed to resist differential cryptanalysis.– IBM revealed knowledge of technique at design time.

• Linear cryptanalysis improves result– Linear approximation of DES.– Requires 243 plaintext, ciphertext pairs.– DES not designed to resist this technique.


DES Modes

• Electronic Code Book Mode (ECB)– Encipher each block independently. Insecure.

• Cipher Block Chaining Mode (CBC)– XOR each block with previous ciphertext block.– Requires an initialization vector for the first one.

• Triple DES: Encrypt-Decrypt-Encrypt Mode (3 keys: k, k´, k´´)– c = DESk(DESk´

–1(DESk’’(m)))– Double-encryption vulnerable to meet-in-middle

attack, reducing difficulty from 2112 to 257.


CBC Mode Encryption

init. vector m1

DES

c1

m2

DES

c2

sent sent

…

…

…


CBC Mode Decryption

init. vector c1

DES

m1

…

…

…

c2

DES

m2


Self-Healing Property• Plaintext “heals” after 2 blocks.

– i.e., if ciphertext altered, error propagated 2 blocks.

• Initial message– 3231343336353837 3231343336353837 3231343336353837 3231343336353837

• Received as (underlined 4c should be 4b)– ef7c4cb2b4ce6f3b f6266e3a97af0e2c 746ab9a6308f4256 33e60b451b09603d

• Which decrypts to– efca61e19f4836f1 3231333336353837 3231343336353837 3231343336353837


Current Status of DES

• Design for computer system, associated software that could break any DES-enciphered message in a few days published in 1998.

• Several challenges to break DES messages solved using distributed computing.

• NIST selected Rijndael as Advanced Encryption Standard, successor to DES.– 128-bit block product cipher.

– Designed to withstand attacks that succeeded on DES.

– Keys: 128, 192, or 256 bits.


Key Points

1. Cryptography is the art of securing messages.2. Types of ciphers

1. Substitition2. Transposition (permutation)3. Product

3. Cryptanalysis1. Language features can be used to break ciphers.2. Frequency analysis: Kaski test, Index of Coincidence.

4. Block ciphers1. DES


References1. Matt Bishop, Introduction to Computer Security, Addison-Wesley,

2005.2. Paul Garrett, Making, Breaking Codes: An Introduction to Cryptology,

Prentice Hall, 2001.3. David Kahn, The Codebreakers, MacMillan, 1967.4. Wenbo Mao, Modern Cryptography: Theory and Practice, Prentice

Hall, 2004.5. Alfred J. Menezes, Paul C. van Oorschot and Scott A. Vanstone,

Handbook of Applied Cryptography, http://www.cacr.math.uwaterloo.ca/hac/, CRC Press, 1996.

6. NIST, FIPS Publication 46-3: Data Encryption Standard (DES), 1999, http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdf

7. Bruce Schneier, Applied Cryptography, 2nd edition, Wiley, 1996.8. US Government Dept of the Army, FM 34-40-2 FIELD MANUAL,

1990, http://www.umich.edu/~umich/fm-34-40-2/9. John Viega and Gary McGraw, Building Secure Software, Addison-

Wesley, 2002.

http://www.cacr.math.uwaterloo.ca/hac/authors/ajm.html

http://www.cacr.math.uwaterloo.ca/hac/authors/pvo.html

http://www.cacr.math.uwaterloo.ca/hac/authors/sav.html

http://www.cacr.math.uwaterloo.ca/hac/

Documents

CSC 382: Computer SecuritySlide #1 CSC 382: Computer Security Classical Cryptography