1 / 32

David Evans http://www.cs.virginia.edu/evans

Lecture 5: Enigma Concluded. David Evans http://www.cs.virginia.edu/evans. Bletchley Park (June 2004). CS588: Security and Privacy University of Virginia Computer Science. L Rotor 1. N Rotor 3. R Reflector. B Plugboard. M Rotor 2. Plaintext. Ciphertext.

kellan
Download Presentation

David Evans http://www.cs.virginia.edu/evans

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Lecture 5: Enigma Concluded David Evans http://www.cs.virginia.edu/evans Bletchley Park (June 2004) CS588: Security and Privacy University of Virginia Computer Science

  2. L Rotor 1 N Rotor 3 R Reflector B Plugboard M Rotor 2 Plaintext Ciphertext Last Time: Added Plugboard 6 plugs: (26*25)/2 * (24*23)/2 * … * (16*15/2) / 6! = 1011 times more keys University of Virginia CS 588

  3. Poster in RAF Museum University of Virginia CS 588

  4. Operation • Day key (distributed in code book) • Each message begins with message key (“randomly” chosen by sender) encoded using day key • Message key sent twice to check • After receiving message key, re-orient rotors according to key University of Virginia CS 588

  5. Letter Permutations Symmetry of Enigma: if Epos (x) = y we know Epos (y) = x Given message openings DMQ VBM E1(m1) = D E4(m1) = VE1oE4(D) = V VON PUY => E1(D) = m1 PUC FMQ => E4 (E1 (D)) = V With enough message openings, we can build complete cycles for each position pair: E1oE4 = (DVPFKXGZYO) (EIJMUNQLHT) (BC) (RW) (A) (S) Note: Cycles must come in pairs of equal length University of Virginia CS 588

  6. Composing Involutions • E1 and E2 are involutions (x  y  y  x) • Without loss of generality, we can write: E1 contains (a1a2) (a3a4) … (a2k-1a2k) E2 contains (a2a3) (a4a5) … (a2ka1) E1 E2 a1  a2 a2 x = a3 orx = a1 a3  a4 a4 x = a5 orx = a1 Why can’t x be a2 or a3? University of Virginia CS 588

  7. Rejewski’s Theorem E1 contains (a1a2) (a3a4) … (a2k-1a2k) E4 contains (a2a3) (a4a5) … (a2ka1) E1E4 contains (a1a3a5…a2k-1) (a2ka2k-2… a4a2) • The composition of two involutions consists of pairs of cycles of the same length • For cycles of length n, there are n possible factorizations University of Virginia CS 588

  8. Factoring Permutations E1E4 = (DVPFKXGZYO) (EIJMUNQLHT) (BC) (RW) (A) (S) (A) (S) = (AS) o (SA) (BC) (RW) = (BR)(CW) o (BW)(CR) or = (BW)(RC) o (WC) (BR) (DVPFKXGZYO) (EIJMUNQLHT) = (DE)(VI)… or (DI)(VJ) … or (DJ)(VM) … … (DT)(VE) 10 possibilities University of Virginia CS 588

  9. How many factorizations? E1 E2 (DVPFKXGZYO) (EIJMUNQLHT) D  a2 a2 V V  a4 a4 P • Once we guess a2 everything else must follow! • So, only n possible factorizations for an n-letter cycle • Total to try = 2 * 10 = 20 • E2E5 andE3E6 likely to have about 20 to try also • About 203 (8000) factorizations to try (still too many in pre-computer days) University of Virginia CS 588

  10. Luckily… • Operators picked message keys (“cillies”) • Identical letters • Easy to type (e.g., QWE) • If we can guess P1 =P2 =P3(or known relationships) can reduce number of possible factorizations • If we’re lucky – this leads to E1 …E6 University of Virginia CS 588

  11. Solving? E1 = B-1L-1QLB E2 = B-1L-2QL2B E3 = B-1L-3QL3B E4 = B-1L-4QL4B E5 = B-1L-5QL5B E6 = B-1L-6QL6B 6 equations, 3 unknowns Not known to be efficiently solvable University of Virginia CS 588

  12. Solving? Often, know plugboard settings (didn’t change frequently) E1 = B-1L-1QLB BE1B-1 = L-1QL 6 equations, 2 unknowns – solvable 6 possible arrangements of 3 rotors, 263 starting locations = 105,456 possibilities Poles spent a year building a catalog of cycle structures covering all of them (until Nov 1937): 20 mins to break Then Germans changed reflector and they had to start over. University of Virginia CS 588

  13. 1939 • Early 1939 – Germany changes scamblers and adds extra plugboard cables, stop double-transmissions • Poland unable to cryptanalyze • 25 July 1939 – Rejewski invites French and British cryptographers • Gives England replica Enigma machine constructed from plans, cryptanalysis • 1 Sept 1939 – Germany invades Poland, WWII starts University of Virginia CS 588

  14. Bletchley Park • Alan Turing leads British effort to crack Enigma • Use cribs (“WETTER” transmitted every day at 6am) to find structure of plugboard settings • Built “bombes” to automate testing • 10,000 people worked at Bletchley Park on breaking Enigma (100,000 for Manhattan Project) University of Virginia CS 588

  15. Alan Turing’s “Bombe” Steps through all possible rotor positions (263), testing for probable plaintext; couldn’t search all plugboard settings (> 1012); take advantage of loops in cribs University of Virginia CS 588

  16. Enigma Cryptanalysis • Relied on combination of sheer brilliance, mathematics, espionage, operator errors, and hard work • Huge impact on WWII • Britain knew where German U-boats were • Advance notice of bombing raids • But...keeping code break secret more important than short-term uses • The Coventry bombing story isn’t true, but decoy scouts is University of Virginia CS 588

  17. Projects • Start thinking about projects and forming teams • Prefer teams of 3 people • In rare circumstances will allow solo projects • Preliminary Proposals due Feb 15 • List of team members • Use web forum to discuss project ideas, find interested teammates • Either: • Short blurbs for at least 3 project ideas • A description of a project idea with some background, convincing argument it will be possible and interesting University of Virginia CS 588

  18. Project Option 1: Research • Research Projects • Identify an interesting problem related to cryptography/security • Devise an approach for solving it • Analyze security of some system • GET PERMISSION FIRST! • Doesn’t need to be limited to purely computational systems University of Virginia CS 588

  19. Project Option 2: “Outreach” • Do something relevant to this course that is beneficial to the larger community. Examples include: • Develop and teach a course for K-12 students that uses cryptography to make math interesting • Produce something that conveys important security principles to the general public • Movie screening at end of class today University of Virginia CS 588

  20. Which should you do? • Grad student, grad-school bound 3rd or 4th year: research project that integrates with your main research • 3rd/4th year looking for a job: something you can talk about on job interviews • 4th year with a job: outreach project • 4th year who doesn’t want a job University of Virginia CS 588

  21. Modern Symmetric Ciphers • A billion billion is a large number, but it's not that large a number.— Whitfield Diffie University of Virginia CS 588

  22. Goals of Cipher:Diffusion and Confusion • Claude Shannon [1945] • Diffussion: • Small change in plaintext, changes lots of ciphertext • Statistical properties of plaintext hidden in ciphertext • Confusion: • Statistical relationship between key and ciphertext as complex as possible • So, need to design functions that produce output that is diffuse and confused University of Virginia CS 588

  23. Block Ciphers • Stream Ciphers • Encrypts small (bit or byte) units one at a time • Block Ciphers • Encrypts large chunks (64 bits) at once • Ciphers we have seen so far: • Changing one letter of message only changes one letter of ciphertext • There were classical ciphers that had some diffusion: Vigenère autokey, Hill cipher (2-letter chunks) University of Virginia CS 588

  24. Ideal Block Cipher • 64 bit blocks • 264 possible plaintext blocks, must have at least 264 corresponding ciphertext blocks • There are 264! possible mappings • Why not just create a random mapping? • Need a 264 * 64-bit table  1021 bits • $14 quadrillion • Need to distribute new table if compromised • Approximate ideal random mapping using components controlled by a key University of Virginia CS 588

  25. Feistel Cipher Structure Plaintext L0 = left half of plaintext R0 = right half of plaintext Li = Ri - 1 Ri = Li - 1 F (Ri - 1, Ki ) C = Rn || Ln n is number of rounds (undo last permutation) R0 L0 K1  Substitution F Round Permutation L1 R1 University of Virginia CS 588

  26. One Round Feistel Li = Ri - 1 Ri = Li - 1 F (Ri - 1, Ki ) E (L0 || R0): L1 = R0 R1 = L0 F (R0, K1)) C = R1 ||L1 = L0 F (R0, K1)) || R0 University of Virginia CS 588

  27. Decryption Ciphertext LD0 = left half of ciphertext RD0 = right half of ciphertext LDi = RDi - 1 RDi = LDi - 1  F (RDi - 1, Kn – i + 1) P = RDn || LDn n is number of rounds RD0 LD0 Kn  Substitution F Permutation L1 R1 University of Virginia CS 588

  28. LDi = RDi - 1 RDi = LDi - 1 F (RDi - 1, Kn – i + 1) Decryption D (L0 F (R0, K1)) || R0) LD0 = L0 F (R0, K1) RD0 = R0 LD1 = R0 RD1 = LD0  F (RD0, K1) = L0 F (R0, K1) F (RD0, K1)) = L0 P = RD1 || LD1 = L0 || R0 Yippee! University of Virginia CS 588

  29. Multiple Rounds • The entire round is a function: fK (L || R) = R|| L  F (R, K)) swap (L || R) = R || L • E = swap ° swap ° fKr° swap ° fKr-1 ° ... ° fK2° swap ° fK1 • D = fK1° swap ° fK2° ... ° fKr-1 ° swap ° fKr° swap ° swap University of Virginia CS 588

  30. Decryption swap (fK (swap (fK (L || R)) = swap (fK (swap (R|| L  F (R, K)))) = swap (fK (L  F (R, K) || R)) = swap (R || (L  F (R, K))  F (R, K)) = swap (R || L) = L || R Soswap ° fKits own inverse! University of Virginia CS 588

  31. F • What are the requirements on F? • For decryption to work: none! • For security: • Hide patterns in plaintext • Hide patterns in key • Coming up with a good F is hard University of Virginia CS 588

  32. Charge • Start to think of interesting project ideas • Post on discussion forum, find teammates • Next time: • DES: a Feistel cipher • Breaking DES (including Girish Ratanpal) • Movie (if you can stay, otherwise it is on the web) University of Virginia CS 588

More Related