Lecture 4: Crypto • SYCS 653 – Fall 2009 • Wayne Patterson
What is Cryptography • Cryptography is the science, or art, of secret writing. The word itself is derived from the Greek krypto (hidden) and graphia (something which is written), i.e. cryptography is the making of codes • Cryptanalysis – the breaking of codes • Cryptology – the study combining both
How to Speak Crypto • A cipher or cryptosystem is used to encrypt the plaintext • The result of encryption is ciphertext • We decrypt ciphertext to recover plaintext • A key is used to configure a cryptosystem • A symmetric key cryptosystem uses the same key to encrypt as to decrypt • A public key cryptosystem uses a public key to encrypt and a private key to decrypt (or, for signatures, the private key to sign and the public key to verify)
Crypto • Basic assumption • The system is completely known to the attacker • Only the key is secret • Also known as Kerckhoffs’s Principle • Crypto algorithms are not secret • Why do we make this assumption? • Experience has shown that secret algorithms are weak when exposed • Secret algorithms never remain secret • Better to find weaknesses beforehand
Crypto as Black Box • [Figure: plaintext → encrypt (key) → ciphertext → decrypt (key) → plaintext] • A generic use of crypto
Simple Substitution • Plaintext: fourscoreandsevenyearsago • Key: shift each letter forward by 3 (a→D, b→E, …, w→Z, x→A, y→B, z→C) • Ciphertext: IRXUVFRUHDQGVHYHQBHDUVDJR • Shift by 3 is “Caesar’s cipher”
Caesar’s Cipher Decryption • Suppose we know a Caesar’s cipher (shift by 3) is being used • Ciphertext: VSRQJHEREVTXDUHSDQWU • Shift each letter back by 3 • Plaintext: spongebobsquarepants
Not-so-Simple Substitution • Shift by n for some n ∈ {0, 1, 2, …, 25} • Then the key is n • Example: key = 7 maps a→H, b→I, …, s→Z, t→A, …, z→G
Cryptanalysis • Cryptography is a two-way street. For every ingenious attempt to discover ways of hiding information, usually equally ingenious solutions are found to uncover this hidden information. Indeed, usually the same scientists are concerned both with devising cryptosystems and cryptanalytic attacks.
Cryptanalysis I: Try Them All • A simple substitution (shift by n) is used • But the key is unknown • Given ciphertext: CSYEVIXIVQMREXIH • How to find the key? • Only 26 possible keys, so try them all! • Exhaustive key search • Solution: key = 4 (plaintext: youareterminated)
Did We Get the Right One? • One might ask the question: just because we intercept some text and, through exhaustive search, discover a message, how do we know whether this is the proper decryption? In other words, how do we know that we have computed t_k^{-1}(t_k(m)) = m, rather than some t_{k′}^{-1}(t_k(m)) = m′ under a wrong key k′ that also happens to read sensibly?
Exercise • Find two strings of the greatest length which make sense in English and which are related by a Caesar shift. (Example: t_4(CAP) = GET. Thus t_1(BZO) = CAP and t_5(BZO) = GET. Ignore blanks.)
The Caesar shift is not a very secure method of message transmission. But it will serve to illustrate some points and to define some terms.
General Form of a “Cryptosystem” • A “cryptosystem” consists of: • Messages, or cleartext, M • Ciphers, or ciphertext, C • A large set of invertible transformations from messages to ciphers, k1, …, kn • Each transformation is called a “key”; “invertible” means there is a way of going backwards from ciphers to messages.
The Model for a Cryptographic System • A general cryptographic system, or cryptosystem, can be defined as an ordered quadruple, or 4-tuple, « K, M, C, T », where the elements of the 4-tuple are defined as follows.
Let Σ be a finite set of symbols, to be called an alphabet. For example, one might use { A, B, …, Z }, or { α, β, γ, δ, …, ω }, or { 0, 1 }. Σ* is the set of all strings over the alphabet Σ. We will say that a space is some subset S ⊆ Σ*.
Key Space and Ciphertext Space • K, the keyspace of a cryptosystem, is a space over some alphabet Σ. • M, the message space, is a space over another alphabet, Σ′. • C, the ciphertext space, is a space over a third alphabet, Σ″. • Finally, T is a transformation T : K × M → C such that each restriction t_k : M → C, defined by t_k(m) = T(k, m), is invertible (that is, there exists a transformation t_k^{-1} : C → M such that t_k^{-1}(t_k(m)) = m for all m ∈ M, and t_k(t_k^{-1}(c)) = c for all c ∈ C).
Same Alphabets • Of course, in the above definition, it is possible that the alphabets may be the same (Σ = Σ′ = Σ″); indeed the message space and the ciphertext space may be the same (M = C). In the case of the Caesar shift, the 4-tuple is « K_26, M_Roman, M_Roman, T_26 ».
Caesar Cipher Key Space • The key space K_26 = { 0, 1, 2, …, 25 } gives the number of increments applied to each letter of the message before coding; the message space and ciphertext space consist of arbitrary strings over the Roman alphabet (or strings of length 5 if each block is considered a single message). Finally, the transformation t_i is defined letter by letter as t_i(m) = (m + i) mod 26, where each letter is identified with its number 0 ↔ A, 1 ↔ B, …, 25 ↔ Z.
Working Assumption • Part of the assumption about a cryptosystem is that the sender of a message, the receiver of a message, and a potential interceptor of a message as well, all know what system is being used. In addition, after the sender encrypts a message (i.e. chooses a value k ∈ K and applies t_k to the message m) and sends it, the receiver must know how to compute the inverse t_k^{-1} and apply it to t_k(m) to recover m = t_k^{-1}(t_k(m)).
A Basic Principle • FOR A CRYPTOSYSTEM TO BE SUCCESSFUL, THE KEY SPACE MUST HAVE CARDINALITY LARGE ENOUGH FOR AN EXHAUSTIVE KEY SEARCH ATTACK TO BE COMPUTATIONALLY INFEASIBLE.
A general transposition cryptosystem, « K, M_Roman, M_Roman, T », is based on the following. Let N be a set of n objects, perhaps the first n natural numbers. Let K be the set of all permutations π on N; therefore a key value will be some permutation of the first n numbers.
Position not Symbol • The encryption maps blocks of n letters to blocks of n letters. The i-th character of the message text is written to the π(i)-th position in the cipher text, where π ∈ K is the key permutation. As an example, if n = 6 and π maps (1 2 3 4 5 6) to (5 3 2 4 6 1), i.e. π(1) = 5, π(2) = 3, π(3) = 2, π(4) = 4, π(5) = 6, π(6) = 1, then the message “HOWARD” is encrypted as “DWOAHR”.
Will This Beat Exhaustive Search? • In this case, the size of the key space is n!, the number of permutations of n things. n does not have to be very large for n! searches to be infeasible, even with the fastest computers and the highest degree of parallelism.
Exercise: • Suppose that we can perform one search every microsecond of a key space based on the permutations of 100 objects. How many minutes of computing time will an exhaustive search take?
Columnar Transposition • One method, known as columnar transposition, essentially uses a permutation generated by matrix transposition followed by a column permutation. If the key is the permutation π mapping (1 2 3 4) to (4 1 3 2), then 16-character blocks are written, in row-major order, into a 4-by-4 matrix. For “PLAY IT AGAIN, SAMMY”:
P L A Y
I T A G
A I N S
A M M Y
Columnar Transposition • The block is then sent in column-major order, reading the columns in the order given by the permutation (column 4, then 1, 3, 2), to give the ciphertext: YGSY PIAA AANM LTIM. Consequently, a cryptanalyst knowing that this method was being used would not have to search through the 16! ≈ 2 × 10^13 permutations of 16 letters, but rather the 4! = 24 permutations of four things (columns).
Substitution Cryptosystems • The other type of cryptosystem, the substitution cryptosystem is based on permutations of the underlying alphabet of M. The Caesar shift is essentially a simple version of this approach.
Even-less-Simple Substitution • Key is some permutation of the 26 letters • Need not be a shift • For example, a → Q, b → G, c → Z, … (any bijection of the alphabet) • Then there are 26! > 2^88 possible keys!
Cryptanalysis II: Be Clever • We know that a simple substitution is used • But not necessarily a shift by n • Can we find the key given ciphertext: PBFPVYFBQXZTYFPBFEQJHDXXQVAPTPQJKTOYQWIPBVWLXTOXBTFXQWAXBVCXQWAXFQJVWLEQNTOZQGGQLFXQWAKVWLXQWAEBIPBFXFQVXGTVJVWLBTPQWAEBFPBFHCVLXBQUFEVWLXGDPEQVPQGVPPBFTIXPFHXZHVFAGFOTHFEFBQUFTDHZBQPOTHXTYFTODXQHFTDPTOGHFQPBQWAQJJTODXQHFOQPWTBDHHIXQVAPBFZQHCFWPFHPBFIPBQWKFABVYYDZBOTHPBQPQJTQOTOGHFQAPBFEQJHDXXQVAVXEBQPEFZBVFOJIWFFACFCCFHQWAUVWFLQHGFXVAFXQHFUFHILTTAVWAFFAWTEVOITDHFHFQAITIXPFHXAFQHEFZQWGFLVWPTOFFA
Cryptanalysis II • Can’t try all 2^88 simple substitution keys • Can we be more clever? • English letter frequency counts…
The keyword mixed alphabet cryptosystem uses as the key space Kkeyword, the set of all words, with duplicate letters removed, in the English language. Indeed, the requirement for words to be English words (in addition to being Xenophobic) is imposed only because the distribution of the keyword is made simpler if it is a word rather than an arbitrary character string. The messenger, having ridden from Lexington to Valley Forge in half a day, was exhausted, out of breath, and indeed near death as he approached General Washington to tell him the secret key for the cipher system: "XRUTGDKWQFP", he panted, then expired. Did he say "XRUTGDKWQFP" or "XRUTGDKWQFT" ? puzzled General Washington.
Keyword Mixed Alphabet • The method itself uses the keyword to define a mapping or permutation of the message space alphabet, S. The alphabet is written in normal order; and under it is written a permuted alphabet: the letters of the keyword followed by the remaining letters of the alphabet. Keyword: FACETIOUSLY
Keyword Mixed Alphabet • Plain alphabet: ABCDE FGHIJ KLMNO PQRST UVWXY Z • Permuted alphabet: FACET IOUSL YBDGH JKMNP QRVWX Z • The encryption maps each letter of the message text to a letter of cipher text according to the permutation defined above. Thus, “MAY THE FORCE BE WITH YOU” becomes “DFX PUT IHMCT AT VSPU XHQ”, or more likely, “DFXPU TIHMC TATVS PUXHQ”.
Vigenère Cipher • The Vigenère cipher was a widely-used cryptosystem dating back to the 16th century, using a keyword combined with a Caesar shift. If the keyword is “FACETIOUSLY”, as before, the encryption will use 11 different Caesar shifts periodically. (Each letter determines a Caesar shift, or modular addition. Suppose that 0 ↔ A, 1 ↔ B, …, 25 ↔ Z, as usual. Then the first letter to be encoded uses the shift corresponding to F, the second to A, the third to C, and so on until the cycle repeats:
Vigenère Cipher • Choose a key word, perhaps: “FACETIOUSLY” • Clear text: “IT’S A LONG WAY TO TIPPERARY …” • Key: “FAC E TIOU SLY FA CETIOUSLY” • Cipher text (with A = 0, …, Z = 25 and each cipher letter = plain letter + key letter mod 26, as on the previous slide): “NTU E EWBA OLW YO VMIXSLSCW”
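The periodic Caesar shifts described above, written out as code, with the two observations a cryptanalyst uses against them: every 11th letter is enciphered with the same shift, so the ciphertext splits into 11 independent Caesar columns, and a single period of known plaintext gives the whole keyword. This is an added example, not code from the lecture; it follows the slide’s A = 0 convention.

```python
# Added example, not code from the lecture.  Vigenère as periodic Caesar
# shifts, with A = 0, ..., Z = 25 and ciphertext = plaintext + key (mod 26),
# the convention the slide states.
from string import ascii_uppercase as ALPHA


def letters_only(text: str) -> str:
    return "".join(c for c in text.upper() if c.isalpha())


def vigenere_encrypt(plaintext: str, keyword: str) -> str:
    key = letters_only(keyword)
    out = []
    for i, c in enumerate(letters_only(plaintext)):
        shift = ALPHA.index(key[i % len(key)])  # key letter i (mod period)
        out.append(ALPHA[(ALPHA.index(c) + shift) % 26])
    return "".join(out)


def vigenere_decrypt(ciphertext: str, keyword: str) -> str:
    key = letters_only(keyword)
    out = []
    for i, c in enumerate(letters_only(ciphertext)):
        shift = ALPHA.index(key[i % len(key)])
        out.append(ALPHA[(ALPHA.index(c) - shift) % 26])
    return "".join(out)


def caesar_columns(ciphertext: str, period: int) -> list:
    """Positions i, i+period, i+2*period, ... all use the same key letter, so
    each column is a plain Caesar cipher and can be attacked on its own
    (frequency counts per column, as for the single-shift cipher)."""
    ct = letters_only(ciphertext)
    return [ct[i::period] for i in range(period)]


def recover_keyword(plaintext: str, ciphertext: str, period: int) -> str:
    """Known-plaintext attack: the key letter at position i is c_i - p_i (mod 26).
    One period's worth of matching plaintext and ciphertext yields the keyword."""
    pt, ct = letters_only(plaintext), letters_only(ciphertext)
    return "".join(ALPHA[(ALPHA.index(ct[i]) - ALPHA.index(pt[i])) % 26]
                   for i in range(period))


if __name__ == "__main__":
    ct = vigenere_encrypt("IT'S A LONG WAY TO TIPPERARY", "FACETIOUSLY")
    print(ct)                                                  # NTUEEWBAOLWYOVMIXSLSCW
    print(vigenere_decrypt(ct, "FACETIOUSLY"))                 # ITSALONGWAYTOTIPPERARY
    print(recover_keyword("ITSALONGWAYTOTIPPERARY", ct, 11))   # FACETIOUSLY
    print(caesar_columns(ct, 11))
```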
Cryptanalysis II • Ciphertext: PBFPVYFBQXZTYFPBFEQJHDXXQVAPTPQJKTOYQWIPBVWLXTOXBTFXQWAXBVCXQWAXFQJVWLEQNTOZQGGQLFXQWAKVWLXQWAEBIPBFXFQVXGTVJVWLBTPQWAEBFPBFHCVLXBQUFEVWLXGDPEQVPQGVPPBFTIXPFHXZHVFAGFOTHFEFBQUFTDHZBQPOTHXTYFTODXQHFTDPTOGHFQPBQWAQJJTODXQHFOQPWTBDHHIXQVAPBFZQHCFWPFHPBFIPBQWKFABVYYDZBOTHPBQPQJTQOTOGHFQAPBFEQJHDXXQVAVXEBQPEFZBVFOJIWFFACFCCFHQWAUVWFLQHGFXVAFXQHFUFHILTTAVWAFFAWTEVOITDHFHFQAITIXPFHXAFQHEFZQWGFLVWPTOFFA • Decrypt this message using info below Ciphertext frequency counts:
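The keyword mixed alphabet of the earlier slides and the opening moves of the frequency attack on the ciphertext above, as an added example (not code from the lecture): build the permuted alphabet from a keyword, count ciphertext letters, and apply a partial key so the unresolved positions stay visible while the analyst guesses the next letters. The ciphertext is the one printed on the slide; the three-letter partial key used at the end is a guess derived from its most frequent letters, not something the slide states.

```python
# Added example, not code from the lecture.  The keyword mixed alphabet and
# the first steps of a frequency attack on the slide's ciphertext.
from collections import Counter
from string import ascii_uppercase as ALPHA

# Ciphertext exactly as printed on the slide (a simple substitution, not a shift).
SLIDE_CIPHERTEXT = (
    "PBFPVYFBQXZTYFPBFEQJHDXXQVAPTPQJKTOYQWIPBVWLXTOXBTFXQWAXBVCX"
    "QWAXFQJVWLEQNTOZQGGQLFXQWAKVWLXQWAEBIPBFXFQVXGTVJVWLBTPQWAEB"
    "FPBFHCVLXBQUFEVWLXGDPEQVPQGVPPBFTIXPFHXZHVFAGFOTHFEFBQUFTDHZ"
    "BQPOTHXTYFTODXQHFTDPTOGHFQPBQWAQJJTODXQHFOQPWTBDHHIXQVAPBFZQ"
    "HCFWPFHPBFIPBQWKFABVYYDZBOTHPBQPQJTQOTOGHFQAPBFEQJHDXXQVAVXE"
    "BQPEFZBVFOJIWFFACFCCFHQWAUVWFLQHGFXVAFXQHFUFHILTTAVWAFFAWTEV"
    "OITDHFHFQAITIXPFHXAFQHEFZQWGFLVWPTOFFA"
)


def keyword_alphabet(keyword: str) -> str:
    """Keyword with duplicate letters removed, then the unused letters in order."""
    seen = []
    for c in keyword.upper() + ALPHA:
        if c.isalpha() and c not in seen:
            seen.append(c)
    return "".join(seen)


def mixed_encrypt(plaintext: str, keyword: str, group: int = 5) -> str:
    """Plain alphabet letter i -> permuted alphabet letter i; output in 5-letter groups."""
    table = dict(zip(ALPHA, keyword_alphabet(keyword)))
    ct = "".join(table[c] for c in plaintext.upper() if c.isalpha())
    return " ".join(ct[i:i + group] for i in range(0, len(ct), group))


def mixed_decrypt(ciphertext: str, keyword: str) -> str:
    table = dict(zip(keyword_alphabet(keyword), ALPHA))
    return "".join(table[c] for c in ciphertext.upper() if c.isalpha())


def frequency_table(ciphertext: str) -> list:
    """(letter, count) pairs, most common first: the starting point of 'be clever'."""
    return Counter(c for c in ciphertext if c.isalpha()).most_common()


def partial_decrypt(ciphertext: str, guesses: dict) -> str:
    """Apply a partial key; unresolved ciphertext letters show as '.' so the
    analyst can read off the next guess (e.g. 'the' from a frequent trigram)."""
    return "".join(guesses.get(c, ".") for c in ciphertext)


if __name__ == "__main__":
    print(keyword_alphabet("FACETIOUSLY"))                       # FACETIOUSLYBDGHJKMNPQRVWXZ
    print(mixed_encrypt("MAY THE FORCE BE WITH YOU", "FACETIOUSLY"))  # DFXPU TIHMC TATVS PUXHQ
    print(frequency_table(SLIDE_CIPHERTEXT)[:6])
    # Guess: most frequent cipher letter F is e, then P is t, and the frequent
    # trigram PBF reads as "the", which gives B = h.
    print(partial_decrypt(SLIDE_CIPHERTEXT, {"F": "e", "P": "t", "B": "h"})[:40])
```

Each confirmed letter reveals partial words, and those suggest further letters; the attack converges long before all 26 letters are known, which is the point of the 2^88 versus 26 comparison.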
Cryptanalysis: Terminology • A cryptosystem is secure if the best known attack is to try all keys • A cryptosystem is insecure if any shortcut attack is known • By this definition, an insecure system might be harder to break than a secure system!
Double Transposition • Plaintext: attackxatxdawn, written row by row into a 5-by-3 matrix (padded with x to fill the last cell) • Permute rows and columns • Ciphertext: xtawxnattxadakc • Key: matrix size and the permutations (3,5,1,4,2) of the rows and (1,3,2) of the columns
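The three transposition ciphers of these slides (the block permutation applied to “HOWARD”, the square columnar transposition of “PLAY IT AGAIN, SAMMY”, and the double transposition just above) in one added example, not code from the lecture, together with the arithmetic for the 100-object exercise. The permutation conventions are the ones each slide describes: for the block cipher, character i moves to position π(i); for double transposition, new row r is old row given by the row permutation, and likewise for columns.

```python
# Added example, not code from the lecture.  The three transposition ciphers
# from the slides: a block permutation, the square columnar transposition, and
# double transposition on a rows-by-cols matrix.
from math import factorial


def letters_only(text: str) -> str:
    return "".join(c for c in text if c.isalpha())


def permute_block(block: str, pi) -> str:
    """Character i of the block (1-indexed) is written to position pi[i-1]."""
    out = [""] * len(block)
    for i, c in enumerate(block):
        out[pi[i] - 1] = c
    return "".join(out)


def unpermute_block(block: str, pi) -> str:
    """Inverse: plaintext position i came from ciphertext position pi[i-1]."""
    return "".join(block[pi[i] - 1] for i in range(len(block)))


def to_matrix(text: str, rows: int, cols: int, pad: str):
    """Row-major fill; trailing cells are padded so the matrix is full."""
    text = text.ljust(rows * cols, pad)
    return [list(text[r * cols:(r + 1) * cols]) for r in range(rows)]


def columnar_encrypt(plaintext: str, col_order) -> str:
    """Square variant from the slide: n*n-letter blocks, read out column by
    column in the order col_order (1-indexed columns)."""
    n = len(col_order)
    text = letters_only(plaintext.upper())
    groups = []
    for start in range(0, len(text), n * n):
        m = to_matrix(text[start:start + n * n], n, n, "X")
        for col in col_order:
            groups.append("".join(m[r][col - 1] for r in range(n)))
    return " ".join(groups)


def double_transposition_encrypt(plaintext: str, row_perm, col_perm, pad: str = "x") -> str:
    """New row r is old row row_perm[r]; new column c is old column col_perm[c]."""
    rows, cols = len(row_perm), len(col_perm)
    m = to_matrix(plaintext, rows, cols, pad)
    return "".join(m[row_perm[r] - 1][col_perm[c] - 1]
                   for r in range(rows) for c in range(cols))


def double_transposition_decrypt(ciphertext: str, row_perm, col_perm) -> str:
    rows, cols = len(row_perm), len(col_perm)
    m = [[""] * cols for _ in range(rows)]
    for r in range(rows):
        for c in range(cols):
            m[row_perm[r] - 1][col_perm[c] - 1] = ciphertext[r * cols + c]
    return "".join("".join(row) for row in m)


def exhaustive_search_minutes(n: int, trials_per_second: float = 1e6) -> float:
    """Exercise from the slide: time to try every permutation of n objects
    at the given rate."""
    return factorial(n) / trials_per_second / 60


if __name__ == "__main__":
    print(permute_block("HOWARD", (5, 3, 2, 4, 6, 1)))                 # DWOAHR
    print(columnar_encrypt("PLAY IT AGAIN, SAMMY", (4, 1, 3, 2)))       # YGSY PIAA AANM LTIM
    ct = double_transposition_encrypt("attackxatxdawn", (3, 5, 1, 4, 2), (1, 3, 2))
    print(ct)                                                           # xtawxnattxadakc
    print(double_transposition_decrypt(ct, (3, 5, 1, 4, 2), (1, 3, 2)))  # attackxatxdawnx
    print(f"{exhaustive_search_minutes(100):.3g} minutes")
```

Note what the columnar structure does to the key space: the 16 positions could in principle be scrambled 16! ways, but only 4! of those are reachable, and the double transposition above is likewise limited to 5!·3! = 720 keys, so exhaustive search against either is immediate; padding also leaks the message length up to the block size.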
One-time Pad Encryption • Letter codes: e=000 h=001 i=010 k=011 l=100 r=101 s=110 t=111 • Encryption: Plaintext ⊕ Key = Ciphertext (bitwise XOR) • Plaintext: • Key: • Ciphertext:
One-time Pad Decryption • Letter codes: e=000 h=001 i=010 k=011 l=100 r=101 s=110 t=111 • Decryption: Ciphertext ⊕ Key = Plaintext • Ciphertext: • Key: • Plaintext:
One-time Pad • Double agent claims sender used “key”: • Ciphertext: • “Key”: • “Plaintext”: • Letter codes: e=000 h=001 i=010 k=011 l=100 r=101 s=110 t=111
One-time Pad • Sender is captured and claims the key is: • Ciphertext: • “Key”: • “Plaintext”: • Letter codes: e=000 h=001 i=010 k=011 l=100 r=101 s=110 t=111
One-time Pad Summary • Provably secure, when used correctly • Ciphertext provides no info about plaintext • All plaintexts are equally likely • Pad must be random, used only once • Pad is known only by sender and receiver • Pad is same size as message • No assurance of message integrity • Why not distribute message the same way as the pad?
Real-world One-time Pad • Project VENONA • Soviet spy messages from U.S. in 1940’s • Nuclear espionage, etc. • Thousands of messages • Spy carried one-time pad into U.S. • Spy used pad to encrypt secret messages • Repeats within the “one-time” pads made cryptanalysis possible
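The one-time pad over the slides’ 3-bit alphabet, as an added example (not code from the lecture): encryption and decryption by XOR, the deniability shown on the “double agent” and “captured sender” slides (for any claimed plaintext there is a “key” that produces it from the ciphertext), and the failure mode behind VENONA, where a pad used twice cancels out and leaks the XOR of the two plaintexts. The messages and the fixed pad are constructed for the demonstration; a real pad comes from the random source and is never reused.

```python
# Added example, not code from the lecture.  One-time pad over the slide's
# 3-bit alphabet: encryption, decryption, the "any plaintext is equally
# likely" deniability of the last two slides, and the two-time-pad leak.
import secrets

CODE = {"e": "000", "h": "001", "i": "010", "k": "011",
        "l": "100", "r": "101", "s": "110", "t": "111"}
DECODE = {bits: letter for letter, bits in CODE.items()}


def encode(text: str) -> str:
    """Letters of the 8-letter alphabet to their 3-bit codes."""
    return "".join(CODE[c] for c in text)


def decode(bits: str) -> str:
    return "".join(DECODE[bits[i:i + 3]] for i in range(0, len(bits), 3))


def xor(a: str, b: str) -> str:
    return "".join("1" if x != y else "0" for x, y in zip(a, b))


def random_pad(nbits: int) -> str:
    """A fresh, uniformly random pad from the OS CSPRNG; use it once only."""
    return format(secrets.randbits(nbits), f"0{nbits}b")


def otp_encrypt(plaintext: str, pad: str) -> str:
    bits = encode(plaintext)
    if len(pad) < len(bits):
        raise ValueError("pad must be at least as long as the message")
    return xor(bits, pad[:len(bits)])


def otp_decrypt(ciphertext: str, pad: str) -> str:
    return decode(xor(ciphertext, pad[:len(ciphertext)]))


def forge_pad(ciphertext: str, claimed_plaintext: str) -> str:
    """For any claimed plaintext of the right length there is a 'key' that
    decrypts the ciphertext to it: key = ciphertext XOR claimed plaintext.
    The ciphertext alone therefore says nothing about the real plaintext."""
    return xor(ciphertext, encode(claimed_plaintext))


def two_time_pad_leak(c1: str, c2: str) -> str:
    """If one pad encrypts two messages, c1 XOR c2 = p1 XOR p2: the pad cancels
    and the attacker is left with a relation between the plaintexts only."""
    return xor(c1, c2)


if __name__ == "__main__":
    # Constructed 24-bit pad for the demonstration; use random_pad() in practice.
    PAD = "110101001110010100011011"
    ct = otp_encrypt("strike", PAD)
    print(ct, otp_decrypt(ct, PAD))                     # 000010100100001100 strike
    fake = forge_pad(ct, "settle")
    print(fake, otp_decrypt(ct, fake))                  # a different "key" giving settle
    c2 = otp_encrypt("settle", PAD)                     # pad reused: VENONA's mistake
    print(two_time_pad_leak(ct, c2) == xor(encode("strike"), encode("settle")))  # True
```

The forged pad is exactly as plausible as the real one, which is the deniability the slides illustrate and also the reason the pad gives no integrity: an attacker who knows (or guesses) the plaintext can flip chosen bits of the ciphertext to flip the same bits of the decryption.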
VENONA Decrypt (1944) [C% Ruth] learned that her husband [v] was called up by the army but he was not sent to the front. He is a mechanical engineer and is now working at the ENORMOUS [ENORMOZ] [vi] plant in SANTA FE, New Mexico. [45 groups unrecoverable] detain VOLOK [vii] who is working in a plant on ENORMOUS. He is a FELLOWCOUNTRYMAN [ZEMLYaK] [viii]. Yesterday he learned that they had dismissed him from his work. His active work in progressive organizations in the past was cause of his dismissal. In the FELLOWCOUNTRYMAN line LIBERAL is in touch with CHESTER [ix]. They meet once a month for the payment of dues. CHESTER is interested in whether we are satisfied with the collaboration and whether there are not any misunderstandings. He does not inquire about specific items of work [KONKRETNAYa RABOTA]. In as much as CHESTER knows about the role of LIBERAL's group we beg consent to ask C. through LIBERAL about leads from among people who are working on ENOURMOUS and in other technical fields. • “Ruth” == Ruth Greenglass • “Liberal” == Julius Rosenberg • “Enormous” == the atomic bomb
Codebook • Literally, a book filled with “codewords” • Zimmermann Telegram encrypted via codebook • Sample entries: Februar 13605 • fest 13732 • finanzielle 13850 • folgender 13918 • Frieden 17142 • Friedenschluss 17149 • … • Modern block ciphers are codebooks! • More on this later…
Zimmermann Telegram • One of the most famous codebook ciphers ever • Led to US entry into WWI • Ciphertext shown here…
Zimmermann Telegram Decrypted • British had recovered a partial codebook • Able to fill in the missing parts