Upload
karsen
View
21
Download
0
Tags:
Embed Size (px)
DESCRIPTION
Lecture 5: Enigma Concluded. David Evans http://www.cs.virginia.edu/evans. Bletchley Park (June 2004). CS588: Security and Privacy University of Virginia Computer Science. L Rotor 1. N Rotor 3. R Reflector. B Plugboard. M Rotor 2. Plaintext. Ciphertext. - PowerPoint PPT Presentation
Citation preview
David Evanshttp://www.cs.virginia.edu/evans
CS588: Security and PrivacyUniversity of VirginiaComputer Science
Lecture 5: Enigma Concluded
Bletchley Park (June 2004)
3 February 2005 University of Virginia CS 588 2
Last Time: Added Plugboard
Plaintext
B
Plugboard
L
Rotor1
M
Rotor2
N
Rotor3
R
ReflectorCiphertext
6 plugs: (26*25)/2 * (24*23)/2 * … * (16*15/2) / 6! = 1011 times more keys
3 February 2005 University of Virginia CS 588 3Poster in RAF Museum
3 February 2005 University of Virginia CS 588 4
Operation
• Day key (distributed in code book)• Each message begins with message
key (“randomly” chosen by sender) encoded using day key
• Message key sent twice to check• After receiving message key, re-orient
rotors according to key
3 February 2005 University of Virginia CS 588 5
Letter PermutationsSymmetry of Enigma:
if Epos (x) = y we know Epos (y) = xGiven message openingsDMQ VBM E1(m1) = D E4(m1) = V E1oE4(D) = VVON PUY => E1(D) = m1
PUC FMQ => E4 (E1 (D)) = V With enough message openings, we can build complete cycles for each position pair:
E1oE4 = (DVPFKXGZYO) (EIJMUNQLHT) (BC) (RW) (A) (S)Note: Cycles must come in pairs of equal length
3 February 2005 University of Virginia CS 588 6
Composing Involutions• E1 and E2 are involutions (x y y x)• Without loss of generality, we can write:
E1 contains (a1a2) (a3a4) … (a2k-1a2k) E2 contains (a2a3) (a4a5) … (a2ka1) E1 E2
a1 a2 a2 x = a3 or x = a1
a3 a4 a4 x = a5 or x = a1Why can’tx be a2 or a3?
3 February 2005 University of Virginia CS 588 7
Rejewski’s TheoremE1 contains (a1a2) (a3a4) … (a2k-1a2k)
E4 contains (a2a3) (a4a5) … (a2ka1)
E1E4 contains (a1a3a5…a2k-1)
(a2ka2k-2… a4a2)• The composition of two involutions consists of
pairs of cycles of the same length• For cycles of length n, there are n possible
factorizations
3 February 2005 University of Virginia CS 588 8
Factoring PermutationsE1E4 = (DVPFKXGZYO) (EIJMUNQLHT) (BC) (RW)
(A) (S)
(A) (S) = (AS) o (SA) (BC) (RW) = (BR)(CW) o (BW)(CR) or = (BW)(RC) o (WC) (BR)(DVPFKXGZYO) (EIJMUNQLHT)
= (DE)(VI)… or (DI)(VJ) … or (DJ)(VM) … … (DT)(VE) 10 possibilities
3 February 2005 University of Virginia CS 588 9
How many factorizations?(DVPFKXGZYO) (EIJMUNQLHT)
D a2
E1 E2
a2 VV a4 a4 P
Once we guess a2 everything else must follow!So, only n possible factorizations for an n-letter cycle
Total to try = 2 * 10 = 20
E2E5 and E3E6 likely to have about 20 to try also
About 203 (8000) factorizations to try
(still too many in pre-computer days)
3 February 2005 University of Virginia CS 588 10
Luckily…• Operators picked message keys
(“cillies”)– Identical letters– Easy to type (e.g., QWE)
• If we can guess P1 = P2 = P3 (or known relationships) can reduce number of possible factorizations
• If we’re lucky – this leads to E1 …E6
3 February 2005 University of Virginia CS 588 11
Solving?
E1 = B-1L-1Q LB
E2 = B-1L-2QL2B
E3 = B-1L-3QL3B
E4 = B-1L-4QL4B
E5 = B-1L-5QL5B
E6 = B-1L-6QL6B
6 equations, 3 unknowns
Not known to be efficiently solvable
3 February 2005 University of Virginia CS 588 12
Solving?E1 = B-1L-1Q LB
BE1B-1 = L-1Q L
6 equations, 2 unknowns – solvable
Often, know plugboard settings (didn’t change frequently)
6 possible arrangements of 3 rotors, 263 starting locations= 105,456 possibilitiesPoles spent a year building a catalog of cycle structurescovering all of them (until Nov 1937): 20 mins to breakThen Germans changed reflector and they had to start over.
3 February 2005 University of Virginia CS 588 13
1939• Early 1939 – Germany changes scamblers and
adds extra plugboard cables, stop double-transmissions– Poland unable to cryptanalyze
• 25 July 1939 – Rejewski invites French and British cryptographers– Gives England replica Enigma machine constructed
from plans, cryptanalysis• 1 Sept 1939 – Germany invades Poland, WWII
starts
3 February 2005 University of Virginia CS 588 14
Bletchley Park• Alan Turing leads British effort to crack
Enigma• Use cribs (“WETTER” transmitted every day
at 6am) to find structure of plugboard settings• Built “bombes” to automate testing• 10,000 people worked at Bletchley Park on
breaking Enigma (100,000 for Manhattan Project)
3 February 2005 University of Virginia CS 588 15
Alan Turing’s “Bombe”
Steps through all possible rotor positions (263), testing for probable plaintext; couldn’t search all plugboard settings (> 1012); take advantage of loops in cribs
3 February 2005 University of Virginia CS 588 16
Enigma Cryptanalysis• Relied on combination of sheer brilliance,
mathematics, espionage, operator errors, and hard work
• Huge impact on WWII– Britain knew where German U-boats were– Advance notice of bombing raids– But...keeping code break secret more important
than short-term uses• The Coventry bombing story isn’t true, but decoy scouts is
3 February 2005 University of Virginia CS 588 17
Projects• Start thinking about projects and forming
teams• Prefer teams of 3 people
– In rare circumstances will allow solo projects• Preliminary Proposals due Feb 15
– List of team members• Use web forum to discuss project ideas, find interested
teammates– Either:
• Short blurbs for at least 3 project ideas• A description of a project idea with some background,
convincing argument it will be possible and interesting
3 February 2005 University of Virginia CS 588 18
Project Option 1: Research• Research Projects
– Identify an interesting problem related to cryptography/security
• Devise an approach for solving it– Analyze security of some system
• GET PERMISSION FIRST!• Doesn’t need to be limited to purely
computational systems
3 February 2005 University of Virginia CS 588 19
Project Option 2: “Outreach”• Do something relevant to this course that
is beneficial to the larger community. Examples include: – Develop and teach a course for K-12 students
that uses cryptography to make math interesting
– Produce something that conveys important security principles to the general public
• Movie screening at end of class today
3 February 2005 University of Virginia CS 588 20
Which should you do?
• Grad student, grad-school bound 3rd or 4th year: research project that integrates with your main research
• 3rd/4th year looking for a job: something you can talk about on job interviews
• 4th year with a job: outreach project• 4th year who doesn’t want a job
3 February 2005 University of Virginia CS 588 21
Modern Symmetric Ciphers
A billion billion is a large number, but it's not that large a number.— Whitfield Diffie
3 February 2005 University of Virginia CS 588 22
Goals of Cipher:Diffusion and Confusion
• Claude Shannon [1945]• Diffussion:
– Small change in plaintext, changes lots of ciphertext– Statistical properties of plaintext hidden in ciphertext
• Confusion:– Statistical relationship between key and ciphertext as
complex as possible• So, need to design functions that produce output
that is diffuse and confused
3 February 2005 University of Virginia CS 588 23
Block Ciphers
• Stream Ciphers– Encrypts small (bit or byte) units one at a time
• Block Ciphers– Encrypts large chunks (64 bits) at once
• Ciphers we have seen so far: – Changing one letter of message only changes one
letter of ciphertext– There were classical ciphers that had some
diffusion: Vigenère autokey, Hill cipher (2-letter chunks)
3 February 2005 University of Virginia CS 588 24
Ideal Block Cipher• 64 bit blocks• 264 possible plaintext blocks, must have at
least 264 corresponding ciphertext blocks – There are 264! possible mappings
• Why not just create a random mapping?– Need a 264 * 64-bit table 1021 bits – $14 quadrillion– Need to distribute new table if compromised
• Approximate ideal random mapping using components controlled by a key
3 February 2005 University of Virginia CS 588 25
Feistel Cipher StructurePlaintext
Rou
nd
L0 R0
F
K1
L1 R1
L0 = left half of plaintextR0 = right half of plaintext
Li = Ri - 1 Ri = Li - 1 F (Ri - 1, Ki )
C = Rn || Ln
n is number of rounds (undo last permutation)
Sub
stitu
tion
Per
mut
atio
n
3 February 2005 University of Virginia CS 588 26
One Round Feistel
E (L0 || R0):
L1 = R0
R1 = L0 F (R0, K1))
C = R1 || L1 = L0 F (R0, K1)) || R0
Li = Ri - 1
Ri = Li - 1 F (Ri - 1, Ki )
3 February 2005 University of Virginia CS 588 27
DecryptionCiphertext
LD0RD0
F
Kn
L1 R1
LD0 = left half of ciphertextRD0 = right half of ciphertext
LDi = RDi - 1 RDi = LDi - 1
F (RDi - 1, Kn – i + 1)
P = RDn || LDn
n is number of rounds
Sub
stitu
tion
Per
mut
atio
n
3 February 2005 University of Virginia CS 588 28
Decryption
D (L0 F (R0, K1)) || R0)LD0 = L0 F (R0, K1) RD0 = R0
LD1 = R0
RD1 = LD0 F (RD0, K1)= L0 F (R0, K1) F (RD0, K1)) = L0
P = RD1 || LD1 = L0 || R0 Yippee!
LDi = RDi - 1
RDi = LDi - 1 F (RDi - 1, Kn – i + 1)
3 February 2005 University of Virginia CS 588 29
Multiple Rounds• The entire round is a function:
fK (L || R) = R || L F (R, K)) swap (L || R) = R || L
• E = swap ° swap ° fKr ° swap ° fKr-1
°
... ° fK2 ° swap ° fK1
• D = fK1 ° swap ° fK2
° ... °
fKr-1 ° swap ° fKr ° swap ° swap
3 February 2005 University of Virginia CS 588 30
Decryption
swap (fK (swap (fK (L || R))= swap (fK (swap (R || L F (R, K))))
= swap (fK (L F (R, K) || R))
= swap (R || (L F (R, K)) F (R, K))= swap (R || L) = L || R
So swap ° fK its own inverse!
3 February 2005 University of Virginia CS 588 31
F
• What are the requirements on F?– For decryption to work: none!– For security:
• Hide patterns in plaintext• Hide patterns in key• Coming up with a good F is hard
3 February 2005 University of Virginia CS 588 32
Charge• Start to think of interesting project ideas• Post on discussion forum, find
teammates• Next time:
– DES: a Feistel cipher– Breaking DES (including Girish Ratanpal)
• Movie (if you can stay, otherwise it is on the web)