Introduction to Computer Security: Symmetric Cryptography

Pavel Laskov, Wilhelm Schickard Institute for Computer Science

Secret communication

[Figure: Alice encrypts the plaintext "I love you" with the key "unitue" into the ciphertext "C ywoy cih"; Bob decrypts the ciphertext with the key "unitue" and recovers the plaintext "I love you".]

Cryptography and security objectives

Which security objectives are addressed by cryptography?

- Confidentiality: symmetric cryptography, asymmetric cryptography
- Integrity: hashing
- Authentication and non-repudiation: digital signatures

Symmetric cryptography

[Figure: Alice encrypts the plaintext "I love you" into the ciphertext "C ywoy cih" and Bob decrypts it back to "I love you"; both sides use the shared key "unitue". A further label reads "any valid key".]

Early permutation cipher: scytale

Encryption: Wrap a parchment strip over a wooden rod of a fixed diameter and write letters along the rod.

Decryption: Wrap a received strip over a wooden rod of the same diameter and read off the text.

Example: troopsheadingnorthsendmorefood → thgsr renee oaonf odrdo pitmo snhod

A general permutation cipher shuffles the order of characters in each block of fixed width according to a fixed permutation.

Monoalphabetic substitution cipher: Caesar

Encryption: Replace each letter with the one three positions to the right in the alphabet.

Decryption: Replace each letter with the one three positions to the left in the alphabet.

Example:

HABES OPINIONIS MEAE TESTIMONIUM

MDEHV RSNQNRQNV PHDH XHVXNPRQNZP

A general monoalphabetic substitution cipher is implemented by some fixed one-to-one mapping between input and output alphabets.

Frequency attacks

Manual attack against arbitrary substitution:

- Compute frequencies of all letters in ciphertext.
- Guess the key as the best match between sorted letters in ciphertext and in the language.
- Adjust the guess if decryption doesn’t make sense.

[Figure: bar chart of relative letter frequencies for the letters a to z; vertical axis from 0 to 0.14.]

Automatic attack against shift ciphers:

- For English language, the quantity $\sum_i p_i^2$ is equal to 0.065.
- For all shifts j, compute the quantity $I_j = \sum_i p_i q_{i+j}$ and choose as the key the shift j for which $I_j$ is the closest to 0.065.
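
The automatic attack above, as an added example that is not part of the original slides. It assumes p_i is the relative frequency of letter i in English (a commonly cited table) and q_i its relative frequency in the ciphertext, with i + j reduced mod 26; the sample text and all function names are constructed for illustration.

```python
import string

# English letter frequencies p_a..p_z in percent (commonly cited table; assumption).
ENGLISH_PCT = [8.167, 1.492, 2.782, 4.253, 12.702, 2.228, 2.015, 6.094, 6.966,
               0.153, 0.772, 4.025, 2.406, 6.749, 7.507, 1.929, 0.095, 5.987,
               6.327, 9.056, 2.758, 0.978, 2.360, 0.150, 1.974, 0.074]
P = [x / 100 for x in ENGLISH_PCT]
TARGET = 0.065  # value of sum_i p_i^2 quoted on the slide

# Constructed sample plaintext; only letters are shifted.
SAMPLE = ("the security of a cryptographic system must not depend on the secrecy "
          "of its method the key space should be reasonably large the notion of "
          "security must be clearly defined security proofs must be based on clear "
          "assumptions these assumptions should be realistic and as minimal as possible")

def shift_encrypt(text, key):
    """Shift every letter `key` positions to the right; a negative key decrypts."""
    a = string.ascii_lowercase
    return "".join(a[(a.index(ch) + key) % 26] if ch in a else ch
                   for ch in text.lower())

def ciphertext_freqs(ciphertext):
    """Relative frequencies q_0..q_25 of the letters in the ciphertext."""
    letters = [ch for ch in ciphertext.lower() if ch in string.ascii_lowercase]
    return [letters.count(ch) / len(letters) for ch in string.ascii_lowercase]

def scores(ciphertext):
    """I_j = sum_i p_i * q_(i+j) for every candidate shift j."""
    q = ciphertext_freqs(ciphertext)
    return [sum(P[i] * q[(i + j) % 26] for i in range(26)) for j in range(26)]

def recover_shift(ciphertext):
    """Pick the shift j whose I_j lies closest to 0.065."""
    I = scores(ciphertext)
    return min(range(26), key=lambda j: abs(I[j] - TARGET))

if __name__ == "__main__":
    c = shift_encrypt(SAMPLE, 3)
    k = recover_shift(c)
    print(k, shift_encrypt(c, -k)[:40])
```

Only the correct shift lines the ciphertext histogram up with the English one, so its score lands near 0.065 while the others stay well below; on very short ciphertexts the margin shrinks and the guess can fail.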

Polyalphabetic substitution cipher: Vigenere

Encryption:

- Write the key over a message, repeating as necessary.
- Substitute each letter with the one from an appropriate column in the Vigenere tableau.

Decryption: Same as encryption, use a row instead of a column.

Example:

unitueun
iloveyou

→ cywoycih

Kasiski’s attack against Vigenere

- Identify repeating patterns of letters of size 2 or 3 in the ciphertext.
- If the distance between some of these repeated patterns is divisible by l, then the key is likely to have length l.
- Proceed with the frequency attack for each relative position in the key.

Plaintext:  the man and the woman retrieved the letter from the post

Key:        bea dsb ead sbe adsbe adsbeadsb ead sbeads bead sbe adsb

Ciphertext: VMF QTP FOH MJJ XSFCS SIMTNFZXF YIS EIYUIK HWPQ MJJ QSLV
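
The first two steps of Kasiski's attack, run on the ciphertext from the slide, as an added example that is not part of the original slides. The function names and the cut-off `max_len` are assumptions made for illustration; the last helper splits the ciphertext into the per-position groups to which the frequency attack would then be applied.

```python
from collections import defaultdict

# Ciphertext as given on the slide (the key "bea dsb ..." has length 5).
CIPHERTEXT = "VMF QTP FOH MJJ XSFCS SIMTNFZXF YIS EIYUIK HWPQ MJJ QSLV"

def letters_only(text):
    return "".join(ch for ch in text.upper() if ch.isalpha())

def repeated_patterns(ciphertext, size=3):
    """Map every pattern of `size` letters that occurs more than once to its positions."""
    text = letters_only(ciphertext)
    positions = defaultdict(list)
    for i in range(len(text) - size + 1):
        positions[text[i:i + size]].append(i)
    return {p: pos for p, pos in positions.items() if len(pos) > 1}

def distances(repeats):
    """Distances between consecutive occurrences of each repeated pattern."""
    return [b - a for pos in repeats.values() for a, b in zip(pos, pos[1:])]

def candidate_key_lengths(ciphertext, sizes=(2, 3), max_len=20):
    """Key lengths l dividing at least one distance, most-supported first."""
    dists = [d for s in sizes for d in distances(repeated_patterns(ciphertext, s))]
    votes = {l: sum(d % l == 0 for d in dists) for l in range(2, max_len + 1)}
    return sorted((l for l, v in votes.items() if v), key=lambda l: -votes[l])

def columns(ciphertext, key_len):
    """Letters encrypted under the same key position; each group is a shift cipher."""
    text = letters_only(ciphertext)
    return [text[r::key_len] for r in range(key_len)]

if __name__ == "__main__":
    print(repeated_patterns(CIPHERTEXT))      # repeated trigrams and positions
    print(candidate_key_lengths(CIPHERTEXT))  # includes the true length 5
    print(columns(CIPHERTEXT, 5))
```

A single repetition only narrows the key length to the divisors of its distance; longer ciphertexts yield several distances whose common divisors single out the length.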

Polyalphabetic substitution: Enigma

Operating principle: electromechanical varying map substitution

Main components:

- 3–5 rotors with pre-defined connectivity
- inter-rotor rings: mapping between letters and connections
- letter swap by jumper cables

Key definition: rotor types, ring positions, jumper settings

Day (Tag)   Reflector (UKW)   Rotor order (Walzenlage)   Ring settings (Ringstellung)   Plug connections (Steckerverbindungen)
31          B                 I IV III                   16 26 08                       AD CN ET FL GI JV KZ PU QY WX
30          B                 II V I                     18 24 11                       BN DZ EP FX GT HW IY OU QV RS
29          B                 III I IV                   01 17 22                       AH BL CX DI ER FK GU NP OQ TY

Broken by Polish and British cryptanalysts using special computing devices (bombas)

Lessons from historic cryptography

- Kerckhoffs’ principle (1883): The security of a cryptographic system must not depend on the secrecy of its method.
- The key space should be reasonably large (very large for modern computing power!).
- The notion of security must be clearly defined.
- Security proofs must be based on clear assumptions; these assumptions should be realistic and as minimal as possible.

Perfect secrecy

A cryptosystem is called perfect if for any probability distribution over the message space M, every message m ∈ M and every ciphertext c ∈ C,

Pr[M = m | C = c] = Pr[M = m]

For a perfect cryptosystem,

Pr[C = c | M = m] = Pr[C = c]

For a perfect cryptosystem, any two messages m1 and m2 are indistinguishable:

Pr[C = c | M = m1] = Pr[C = c | M = m2]

Vernam cipher

Encryption:

- Generate a random key of length l from a uniform distribution.
- Add a key to a message using modular arithmetic.

Decryption: Subtract a key from a message using modular arithmetic.

Example:

      7 (H)    4 (E)   11 (L)   11 (L)   14 (O)   message
+    23 (X)   12 (M)    2 (C)   10 (K)   11 (L)   key
=    30       16       13       21       25       message + key
=     4 (E)   16 (Q)   13 (N)   21 (V)   25 (Z)   mod 26

Perfect secrecy of the Vernam cipher

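For the Vernam cipher,

$$\Pr[C = c \mid M = m] = \Pr[M \oplus K = c \mid M = m] = \Pr[m \oplus K = c] = \Pr[K = m \oplus c] = 2^{-l}$$

Furthermore, using the Bayes formula (B.f.), we obtain:

$$\Pr[M = m_0 \mid C = c] \overset{\text{B.f.}}{=} \frac{\Pr[C = c \mid M = m_0] \cdot \Pr[M = m_0]}{\sum_{m \in M} \Pr[C = c \mid M = m] \cdot \Pr[M = m]} = \frac{2^{-l} \cdot \Pr[M = m_0]}{\sum_{m \in M} 2^{-l} \cdot \Pr[M = m]} = \Pr[M = m_0]$$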

Limitations of perfect ciphers

- The key must be at least as long as the message.
- No key must be used more than once:

  (m1 ⊕ k) ⊕ (m2 ⊕ k) = m1 ⊕ m2

- Necessary and sufficient condition for perfect secrecy (Shannon):
  - Every key k is chosen with equal probability 1/|K|.
  - The mapping $M \xrightarrow{K} C$ is surjective.
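
An exhaustive check of both points for 3-bit messages, as an added example that is not part of the original slides: the Bayes computation from the proof above with exact fractions, followed by what key reuse hands to an eavesdropper. The prior and all names are constructed for illustration.

```python
from fractions import Fraction
from itertools import product

L = 3                 # message, key and ciphertext length in bits
SPACE = range(2 ** L)

# Constructed, deliberately non-uniform prior Pr[M = m] over all 3-bit messages.
PRIOR = {m: Fraction(w, 36) for m, w in zip(SPACE, [8, 7, 6, 5, 4, 3, 2, 1])}

def likelihood(c, m):
    """Pr[C = c | M = m] for a uniformly chosen key: count keys with m XOR k == c."""
    return Fraction(sum(1 for k in SPACE if m ^ k == c), 2 ** L)

def posterior(m0, c, prior=PRIOR):
    """Pr[M = m0 | C = c] via the Bayes formula."""
    numerator = likelihood(c, m0) * prior[m0]
    denominator = sum(likelihood(c, m) * prior[m] for m in SPACE)
    return numerator / denominator

def is_perfect(prior=PRIOR):
    """Perfect secrecy: seeing c never changes the probability of any message."""
    return all(posterior(m, c, prior) == prior[m]
               for m, c in product(SPACE, SPACE))

def reuse_leak(m1, m2, k):
    """XOR of two ciphertexts produced with the same key; the key cancels out."""
    return (m1 ^ k) ^ (m2 ^ k)

def pairs_consistent_with(c1, c2):
    """Message pairs still possible for an eavesdropper who knows the key was reused."""
    return [(m1, m2) for m1, m2 in product(SPACE, SPACE) if m1 ^ m2 == c1 ^ c2]

if __name__ == "__main__":
    print(is_perfect())                          # one-time use: nothing is learned
    k = 0b011
    c1, c2 = 0b101 ^ k, 0b110 ^ k                # same key used twice
    print(len(pairs_consistent_with(c1, c2)), "of", len(SPACE) ** 2, "pairs remain")
```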

From perfection to security in practice

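How can sufficiently long random keys be generated and transmitted in practice?

Block ciphers: use fixed length keys for fixed length messages.

[Figure: the message M is split into Block 1, Block 2, ..., Block N; each block goes through E under the key K to give the corresponding block of the ciphertext C.]

Stream ciphers: use fixed length keys for generation of variable length keys.

[Figure: a PRNG driven by the key K generates the key stream; the message stream M, the key stream and the ciphertext stream C are shown in parallel.]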

Feistel cipher: S and P boxes

S-box

- Complex substitution controlled by a key
- Secure if enough internal states
- Unrealizable for a large number of states

P-box

- Block-wise permutation of digits
- Simple transformation with maximal entropy
- Insecure against a “tickling attack”

Feistel network

- Revival of the idea of a product cipher
- Strong polyalphabetic substitution via multiple rounds
- Follows theoretical principles of Shannon

A practical Feistel cipher

A multiple-round scheme with separate keys

Encryption:

$$L_{i+1} = R_i, \qquad R_{i+1} = L_i \oplus f(K_i, R_i)$$

Decryption: reverse the key order

$$L_{i+1} = R_i, \qquad R_{i+1} = L_i \oplus f(K_{n-i}, R_i)$$

3 rounds suffice to achieve a pseudorandom permutation
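
The round equations above on a 64-bit block, as an added example that is not part of the original slides. The round function `f` (truncated SHA-256), the three round keys and all names are assumptions made for illustration; swapping the halves after the last round is what lets the same routine decrypt when the keys are supplied in reverse order.

```python
import hashlib

MASK32 = 0xFFFFFFFF

def f(key: bytes, right: int) -> int:
    """Hypothetical round function: SHA-256(key || R) cut to 32 bits.
    It is not invertible, and the network never needs to invert it."""
    digest = hashlib.sha256(key + right.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:4], "big")

def run_rounds(left: int, right: int, keys):
    """Apply L_{i+1} = R_i, R_{i+1} = L_i XOR f(K_i, R_i) once per round key."""
    for k in keys:
        left, right = right, left ^ f(k, right)
    return left, right

def encrypt(block: int, keys) -> int:
    left, right = block >> 32, block & MASK32
    left, right = run_rounds(left, right, keys)
    return (right << 32) | left          # swap the halves after the last round

def decrypt(block: int, keys) -> int:
    """Same network, round keys in reverse order."""
    return encrypt(block, list(reversed(keys)))

if __name__ == "__main__":
    keys = [b"round-key-1", b"round-key-2", b"round-key-3"]   # constructed keys
    plaintext = 0x0123456789ABCDEF
    ciphertext = encrypt(plaintext, keys)
    print(hex(ciphertext), hex(decrypt(ciphertext, keys)))
```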

DES: Digital Encryption Standard

- Adopted in 1977 after two rounds of proposals
- Won by IBM’s Lucifer cipher based on Feistel’s design
- Key length reduced by NIST from 128 bits to 56 bits
- Subject to extensive cryptanalysis research in the 1990s
- Broken by specialized hardware crackers in 1997–1999 (fastest result: 22 hours 15 minutes by Deep Crack)
- Still widely used in practice (as 3DES)
- Replaced by Advanced Encryption Standard (AES) in 2000

DES overview

[Figure: DES overview. Data path: 64 bit plaintext, Initial Permutation, Iteration 1, Iteration 2, ..., Iteration 16, 32 bit Swap, Inverse Initial Permutation, 64 bit ciphertext. Key path: 56 bit key, Permuted Choice 1, then for each iteration a Left Circular Shift followed by Permuted Choice 2, which yields the round keys K1, K2, ..., K16.]

DES round structure

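[Figure: DES round structure. Data to be encrypted: the 32 bit halves L(i-1) and R(i-1) pass through Expansion Permutation (48 bits), addition (+) of the 48 bit round key Ki, S-Box: Choice Substitution (32 bits), Permutation (32 bits) and a second addition (+) to give Li and Ri. Key used for encryption: the 28 bit halves C(i-1) and D(i-1) each pass through a Left Shift to give Ci and Di, and Permutation Contraction (Perm. Choice 2) produces Ki.]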

AES: Advanced Encryption Standard

- Developed by Belgian cryptographers Daemen and Rijmen.
- Won a public competition in 2000.
- Uses elegant polynomial algebra for mixing transformations.
- Variable key lengths (128, 192, 256 bits)
- Variable block sizes (128, 192, 256 bits)
- Best performance for its security strength.

Other symmetric ciphers

Block ciphers

Algorithm   Key size     Block size   Rounds       Applications
3DES        112/168      64           48           Finance, PGP, S/MIME
IDEA        128          64           8            PGP
Blowfish    up to 448    64           16           Various software
RC5         up to 2048   64           up to 255    Various software

Stream ciphers

Algorithm   Key size   IV    State   Applications
A5/2        54         114   64      GSM
RC4         40-256     8     2064    WEP, WPA, SSL, SSH, Kerberos, etc.

Summary of symmetric cryptography

- Provides (with some exceptions) a reliable means for enforcing confidentiality
- Highly efficient
- Key distribution is a major problem!

Next lecture

- Key distribution protocols
- Asymmetric cryptography