Spring 2010© 2000-2010, Richard A. Stanley
ECE578 #1
ECE578: Cryptography
1. Introduction
Professor Richard A. Stanley, P.E.
Organizational Details
• Prof. Stanley contact information
– Office: Atwater-Kent 303, WPI campus (but rarely there)
– Hours: by appointment before class, here
– Phone: (508) 269-6482
– Email: [email protected]
Administrivia
• Class will normally meet 5:00 - 9:00 PM every Monday here and at the remote locations. Please be on time.
• Class will end promptly; I am unable to stay after 9:00. If we need to meet, please come before class or schedule another meeting time.
• We will hold 10 classes, including exams; cancellations will be announced in advance (except weather)
• We will take a break approximately halfway through the class
Course Text
• Douglas Stinson, Cryptography: Theory and Practice, Third Edition (Discrete Mathematics and Its Applications). Chapman & Hall/CRC, 2002.
• Additional material will be in the form of handouts
Course Web Page
• http://ece.wpi.edu/courses/ee578/
• Slides will be posted to the page before class, barring any unfortunate problems
Policies
• Homework is due at the class following the one in which it is assigned. It will be accepted--with a one grade penalty--up to the second class after that in which it is assigned, but not after that, except in truly emergency situations. By definition, emergencies do not occur regularly.
• There is a difference between working in teams and submitting the same work. If work is a team product, it must be clearly labeled as such.
Elements of the Course
• Assignments: There will be weekly assignments, which will be graded
• Presentation: At the end of the course, student teams will present a report prepared on a cryptography-related subject. The presentation should be well-prepared and should give an overview of a special topic in cryptography (e.g. eCash, wireless security, SSL, biometric authentication systems etc.).
• Examinations: There will be a written examination that will cover all topics discussed in class. The questions will range from mild to hard.
Research Projects
• Teams of 3-5 individuals per project
• Research a cryptographically-related topic
• Prepare a report on the research
• Present findings
– Note: a presentation is not the report copied into PowerPoint
Grading
• Grade components
– Course exams (35%)
– Homework (20%)
– Class participation (10%)
– Course project (35%)
Syllabus
• Basic Definitions and Terminology
• Stream Ciphers
• Block Ciphers
• DES and AES
• Modes of Operation
• Public Key Cryptography
• RSA
• Elliptic Curve Cryptosystems
• Public Key Infrastructure
• Certificates
• Applications
Encryption
• A means for rendering plain language text (cleartext) into recoverable gibberish (ciphertext)
– Classical usage since antiquity
• We will see that cryptographic techniques are also useful for providing other assurances as to message security
– e.g., authentication
Encryption Primer
• Cryptography = “secret writing”
– From the Greek, kryptos graphos
• Input = plaintext
• Output = ciphertext
• Ciphertext = plaintext + key (in general)
– Intention is that the ciphertext be unintelligible to an eavesdropper
• Two basic types of cipher
– Symmetric
– Asymmetric
Problem Areas
• Languages have well-known statistics
– E.g., “e” is most common letter in English
– This can be exploited for cryptanalysis
• The only way to achieve true security is to make the ciphertext appear as random as possible
Relative Frequencies of Letters in English Language Text
Generic Cryptosystem
[Figure: block diagram with the labels Cryptographic System, Plaintext, Ciphertext, Key]
Objective: Make the ciphertext as random as possible
Types of Cryptosystems
• Symmetric key
– Used since times B.C.E. to today
– Also called private key, which has become confusing
• Asymmetric key
– Invented in 1976
– Also called public key systems
• Hybrid Systems
The Players
• Alice: commonly used to denote the sender of cryptographic traffic
• Bob: commonly used to indicate the recipient of that traffic
• Eve: an eavesdropper
• Oscar: a generalized “bad guy”
Symmetric Key Cryptosystems
• Problem Statement: Alice and Bob want to communicate over an unsecured channel (e.g., computer network, satellite link). They want to prevent Oscar (the bad guy) from listening.
• Solution: Use of symmetric cryptosystems (these have been around since ancient times) such that if Oscar reads the encrypted version y of the message x over the unsecured channel, he will not be able to understand its content because x is what really was sent.
Enigma
Perhaps the most famous cipher machine in history.
This is an early model. Later versions had as many as five rotors.
Enigma was a tactical machine--designed for battlefield use.
Even today, Enigma would provide decent security…IF no errors occurred on the part of the operators.
Sigaba
Similar in theory to Enigma.
Designed for strategic (fixed station) use; note direct punching of teletypewriter paper tape for transmission.
Cryptanalysis
• The science of recovering the plaintext x from the ciphertext y without the knowledge of the key (Oscar's job)
• Rules of the game:
– Oscar knows the cryptosystem (encryption and decryption algorithms)
– Oscar does not know the key
• Example: JN-25
Kerckhoffs’ Principle
• Secrecy must reside solely in the key
– It is assumed that the attacker knows the complete details of the cryptographic algorithm and implementation
– A. Kerckhoffs was a 19th century Dutch cryptographer
• Ergo, security by obscurity doesn’t work!
Attacks Against Cryptosystems
• Ciphertext-only attack
– Oscar's knowledge: some $y_1 = e_k(x_1)$, $y_2 = e_k(x_2)$, ...
– Oscar's goal: obtain $x_1, x_2, \ldots$ or the key $k$
• Known plaintext attack
– Oscar's knowledge: some pairs $(x_1, y_1 = e_k(x_1))$, $(x_2, y_2 = e_k(x_2))$, ...
– Oscar's goal: obtain the key $k$
More Cryptosystem Attacks
• Chosen plaintext attack
– Oscar's knowledge: some pairs $(x_1, y_1 = e_k(x_1))$, $(x_2, y_2 = e_k(x_2))$, ... of which he can choose $x_1, x_2, \ldots$
– Oscar's goal: obtain the key $k$
• Chosen ciphertext attack
– Oscar's knowledge: some pairs $(x_1, y_1 = e_k(x_1))$, $(x_2, y_2 = e_k(x_2))$, ... of which he can choose $y_1, y_2, \ldots$
– Oscar's goal: obtain the key $k$
How to Achieve Good Cryptography?
• Well-reviewed algorithms
– So weaknesses cannot “hide” until after implementation
• Excellent key generation & management
– To maintain secrecy of the key
• Algorithms that are sufficiently complex so as to not permit feasible exhaustive attacks
Some Number Theory
r is sometimes also called the residue
Example: 12 mod 9 = 3
or 12 ≡ 3 mod 9
Attacks on Shift Cipher
• Ciphertext-only: Try all possible keys ($|K| = 26$). This is known as a “brute force attack” or “exhaustive search”
– Secure cryptosystems require a sufficiently large key space. Minimum requirement today is $|K| > 2^{80}$; however, for long-term security, $|K| \geq 2^{100}$ is recommended.
• Since the same cleartext maps to the same ciphertext, it can also easily be attacked with letter-frequency analysis.
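Both attacks on the shift cipher fit in one routine: exhaust the 26 keys and let letter statistics pick the winner. This is an added example, not part of the original slides; the frequency table is approximate and the sample sentence, key and function names are constructed for illustration.

```python
from collections import Counter
from string import ascii_lowercase

# Approximate relative letter frequencies (%) in English text, a..z.
FREQ = dict(zip(ascii_lowercase, [
    8.17, 1.49, 2.78, 4.25, 12.70, 2.23, 2.02, 6.09, 6.97, 0.15, 0.77, 4.03, 2.41,
    6.75, 7.51, 1.93, 0.10, 5.99, 6.33, 9.06, 2.76, 0.98, 2.36, 0.15, 1.97, 0.07]))

def shift(text, k):
    """Shift cipher: each letter x becomes (x + k) mod 26; other characters pass through."""
    return "".join(
        chr((ord(ch) - 97 + k) % 26 + 97) if ch in ascii_lowercase else ch
        for ch in text.lower())

def chi_squared(text):
    """Distance between the letter counts of `text` and English expectations (lower is closer)."""
    letters = [ch for ch in text if ch in ascii_lowercase]
    counts, n = Counter(letters), len(letters)
    if n == 0:
        return float("inf")  # nothing to score
    return sum((counts[ch] - n * f / 100) ** 2 / (n * f / 100) for ch, f in FREQ.items())

def break_shift(ciphertext):
    """Ciphertext-only attack: try all 26 keys and keep the most English-looking decryption."""
    key = min(range(26), key=lambda k: chi_squared(shift(ciphertext, -k)))
    return key, shift(ciphertext, -key)

# Constructed sample: a sentence from these slides, enciphered with key 11.
PLAINTEXT = ("the only way to achieve true security is to make "
             "the ciphertext appear as random as possible")
CIPHERTEXT = shift(PLAINTEXT, 11)

if __name__ == "__main__":
    print(CIPHERTEXT)
    print(break_shift(CIPHERTEXT))
```

The key space is so small that the scoring step only saves a human from reading 26 candidate decryptions; a large key space removes the exhaustive search but not the frequency leak.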
Vernam’s First Patent for a Stream Cipher Machine
Security
• A cryptosystem is unconditionally secure if it cannot be broken even with infinite computational resources.
• This is a very stringent test of security, and one not often met.
Substitution Ciphers
• Similar to shift cipher, except the substitution need not be regular
– e.g. A=Q, B=Z, C=A, etc.
• Book ciphers fall into this category
• Is the probability of appearance of all symbols in the ciphertext equal?
Vigenère Cipher
• Polyalphabetic substitution cipher
• Invented by Bellaso; attributed to Blaise Vigenère
• In French, “le chiffre indéchiffrable,” but it is quite breakable
Source: Wikipedia
One-Time Pad Ciphers
The One-Time Pad is unconditionally secure if the keys are used only once.
Why Use Anything Except One-time Pads?
• Speed of encipherment
• Letters vs. numbers
• Logistics
• Usability
• Error rates
OTP Encryption
• Only ONE provably secure cryptosystem
– One-time pad
– Secure even if pad or operator captured
– BUT…errors can lead to decryption
– http://www.cia.gov/csi/books/venona/preface.htm
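Why "used only once" carries the whole security claim, shown as an added example that is not part of the original slides. It assumes the XOR (Vernam) form of the pad on bytes; the messages and function names are constructed for illustration.

```python
import secrets

def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))

def new_pad(n: int) -> bytes:
    """Fresh pad from the OS CSPRNG (stand-in here for a true random source)."""
    return secrets.token_bytes(n)

def otp(message: bytes, pad: bytes) -> bytes:
    """Encrypt or decrypt: XOR with a pad exactly as long as the message."""
    return xor_bytes(message, pad)

def pad_explaining(ciphertext: bytes, candidate: bytes) -> bytes:
    """With a pad used once, EVERY same-length plaintext is consistent with the
    ciphertext: this returns the pad that would 'decrypt' it to `candidate`."""
    return xor_bytes(ciphertext, candidate)

def reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """Two ciphertexts under the SAME pad: the pad cancels, leaving m1 XOR m2."""
    return xor_bytes(c1, c2)

def recover_second(c1: bytes, c2: bytes, known_m1: bytes) -> bytes:
    """Pad reuse plus one known plaintext yields the other message, with no key search."""
    return xor_bytes(reuse_leak(c1, c2), known_m1)

# Constructed sample messages, both 24 bytes long.
M1 = b"MEET AT THE NORTH BRIDGE"
M2 = b"SEND SUPPLIES BY FRIDAY."

def demo():
    pad = new_pad(len(M1))
    c1, c2 = otp(M1, pad), otp(M2, pad)   # operator error: same pad used twice
    return {
        "any_plaintext_fits": otp(c1, pad_explaining(c1, M2)) == M2,
        "pad_cancels": reuse_leak(c1, c2) == xor_bytes(M1, M2),
        "second_recovered": recover_second(c1, c2, M1) == M2,
    }

if __name__ == "__main__":
    print(demo())
```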
Key Characteristics
• Plaintext is a function with known statistics that are non-random
• Ideally, we want a keystream that is completely random
• Why?
Random Keys
• It is mathematically impossible to create purely random outputs from deterministic processes, e.g., computer programs
• Obtaining random numbers is not easy
– Radioactive decay
– Shot noise
– ...etc.
• Key is critical to security (Kerckhoffs)
Cryptographically Secure PRNG
A pseudo random generator (key stream generator) is cryptographically secure if it is unpredictable. That is, given the first n output bits of the generator, it is computationally infeasible to compute the bits n+1, n+2, ...
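What failing this definition looks like, as an added example that is not part of the original slides: a linear congruential generator whose next output follows from three observed ones, next to a keystream drawn from the operating system's CSPRNG. The generator class, its sample parameters and the function names are constructed for illustration; the modulus is assumed public.

```python
import secrets

M = 2**32  # modulus, assumed known to the observer

class LCG:
    """x_{n+1} = (a*x_n + c) mod M. Statistically plausible output, NOT cryptographically secure."""
    def __init__(self, a, c, seed):
        self.a, self.c, self.x = a, c, seed % M

    def next(self):
        self.x = (self.a * self.x + self.c) % M
        return self.x

def recover_lcg(x0, x1, x2):
    """Recover the secret (a, c) from three consecutive outputs.
    Uses x2 - x1 = a*(x1 - x0) mod M; needs (x1 - x0) invertible mod M, which
    always holds when a and c are odd because the outputs then alternate parity."""
    d = (x1 - x0) % M
    a = ((x2 - x1) * pow(d, -1, M)) % M   # raises ValueError if d is even
    c = (x1 - a * x0) % M
    return a, c

def predict_next(outputs):
    """Given at least three consecutive outputs, compute the next one."""
    a, c = recover_lcg(*outputs[-3:])
    return (a * outputs[-1] + c) % M

def secure_keystream(n):
    """Keystream bytes from the OS CSPRNG; no comparable shortcut is known for these."""
    return secrets.token_bytes(n)

def demo():
    # Sample parameters (both odd); the seed is secret and random.
    gen = LCG(a=1664525, c=1013904223, seed=secrets.randbits(32))
    seen = [gen.next() for _ in range(3)]
    return predict_next(seen) == gen.next()

if __name__ == "__main__":
    print("LCG output predicted:", demo())
    print("CSPRNG keystream:", secure_keystream(8).hex())
```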
Summary
• Cryptology is the science that deals with making and breaking codes for secure communications
• Cryptographic techniques are critical to modern secure communications
• Understanding the underlying mathematics is crucial to proper employment of the systems