280 likes | 605 Views
Introduction to Cryptography and Security Mechanisms: Unit 5 Theoretical v Practical Security. Dr Keith Martin McCrea 349 01784 443099 keith.martin@rhul.ac.uk. Learning Outcomes. Explain the concept of perfect secrecy Recognise that there exists “unbreakable” ciphers
E N D
Introduction to Cryptography and Security Mechanisms:Unit 5Theoretical v Practical Security Dr Keith Martin McCrea 349 01784 443099 keith.martin@rhul.ac.uk
Learning Outcomes • Explain the concept of perfect secrecy • Recognise that there exists “unbreakable” ciphers • Appreciate the limitations of theoretical security • Identify some of the issues involved in assessing practical security • Recognise that there are two significantly different levels of computational complexity • Formulate a notion of practical security
Sections • Perfect secrecy • Practical security
An “attack” on the plaintext We have seen that there is one attack that can always be launched against a cipher system to obtain the decryption key – an exhaustive key search. There is however another “attack” that can always be launched against a cipher system that does not involve trying to obtain the decryption key. What is it?
Perfect secrecy A cipher system is said to offer perfect secrecy if, on seeing the ciphertext the interceptor gets no extra informationabout the plaintext than he had before the ciphertext was observed. In a cipher system with perfect secrecy the interceptor is “forced” to guess the plaintext. Note however that there may be practical attacks that are better than guessing the plaintext.
Simple one-time pad Consider a simple scenario where there are only two possible plaintexts: BUY and SELL Why is the simple substitution cipher a bad choice in this case?
Simple one-time pad Key k1 Ek1(BUY) = 0 Ek1(SELL) = 1 Key k2 Ek2(BUY) = 1 Ek2(SELL) = 0 Each key must be equally likely to be chosen
One-time pad There are many different versions and ways of describing the perfectly secure cipher system most often described as the one-time pad. However these all have the same three essential properties: • The number of possible keys is equal to the number of possible plaintexts • The key is selected at random from the choice of all possible keys • Any key should only be used once
One-time pad Why is the one-time pad “one-time”? (In other words, why must the key only be used once?) The one-time pad is important to understand. Make sure that you attempt Exercises 2 and 3 for this unit.
One-time pad questions • What should be done with a one-time pad key after it has been used to encrypt a plaintext? • How can random keys of the length required by the one-time pad be generated in practice? • In what type of situations is the one-time pad practical to use?
Stream ciphers Although the one-time pad is rather impractical to implement in most real systems, its desirable security properties make it attractive to “simulate”. Stream ciphers attempt to simulate the one-time pad by using short keys to generate longer keys that can then be used in a one-time pad encryption.
More wise words A theoretically secure cipher system may not be secure in practice A theoretically breakable cipher system may be secure in practice
Cover time • How do we formulate a notion of practical security? • The cover timeof a plaintext is the length of time for which the plaintext must be kept secret. • Clearly the cover time of different data items is likely to vary considerably: • Cover time for a daily password might simply be twenty-four hours. • Cover time for some stored government records could be one hundred years.
Cover time A good design principle is thus: Ensure that no known attacks on the cipher system can be conducted in less than the cover time of the plaintext. Given that there might be attacks that you don’t know about, take some time to write down a strategy for trying to minimise your exposure to the risks of unknown attacks. What kind of things should you do? What procedures might you put in place?
The challenge of cryptography If we are going to have to use a cipher system that is theoretically breakable, the challenge of cryptography is to design cipher systems that appear to require longer than any required cover time to break. Cryptographers normally design cipher systems that are theoretically breakable, but where the theoretical break is based on overcoming a problem that is perceived to be hardto solve. So what does it mean for a problem to be hard?
Complexity • The complexity of an algorithm gives, for each possible “length of input” to the algorithm, the maximum “time” that might be needed to run the algorithm for that “length of input”. • The “length of input” is usually measured in terms of the number of bits of input. • The “time” is usually measured in terms of the number of basic computer operations (such as adding two bits) that it takes to run the algorithm. This time is usually an approximation, and is not an attempt to measure the number of operations precisely.
Complexity is a polynomial in n (of the form nr) Computers can “easily” run algorithms that run in polynomial time As n increases, the length of time necessary to run the algorithm increases “steadily” Complexity is exponential in n (of the form r n) Computer have “difficulty” running algorithms that run in exponential time As n increases, the length of time necessary to run the algorithm increases “dramatically” Polynomial v Exponential time
Polynomial v Exponential time Is multiplication always efficient to compute? Is an exhaustive search always difficult to conduct? What about Moore’s Law? Find out what the latest version of Moore’s Law is – how much faster will computer processors be in 2010?
Real computational time First make an estimate of your computer speed (number of operations per second). Then real time to run algorithm on an n-bit input is: • Time complexity function evaluated at n ________________________________ secs Computer speed
Example real time computation Exhaustive search has complexity 2n. Thus if our computer is capable of processing one million operations per second then an exhaustive search for a 30-bit key will take: 230 __ seconds 106 Since 230 is approximately 109, the real time search will take approximately 103 = 1000 seconds, in other words approximately 17 minutes.
Polynomial v Exponential time Note the dramatic difference in rate of increase:
Limitations of complexity theory Establishing the complexity of any known attacks on a cipher system is important and useful, but brings no guarantees of practical security: • There may be unknown theoretical attacks • The key space may not be as big as you think • Complexity only gives you the general case • Memory / processing tradeoffs • Key management problems
Related exercises Practice some real computational time calculations by conducting Exercise 4 for this unit. Discover why the size of a key space can be deceiving by conducting Exercise 6 for this unit.
Defining practical security • Assessing the likely computing power of an adversary • Determining the complexity of known attacks • Evaluating the effectiveness of the key management processes • Forming a notion of what levels of risk to accept Defining practical security (of a cipher system) is extremely difficult and it could be argued that this whole MSc programme is all about training you to try to form your own notions about the meaning of practical security. For a cipher system, issues that it involves include:
Summary • The one-time pad is effectively the only example of a perfectly secure (unbreakable) cipher. • It is impossible to guarantee the security of a cipher system. Even if it is theoretically secure, it may be insecure in practice. • It can be quite acceptable in practice to use cipher systems that are theoretically breakable. • Every attempt should be made to formulate a notion of practical security for a given environment. This will inevitably involve tradeoffs, estimates and evaluations of what levels of risk to accept. Formulating this notion will be difficult. • Regardless of whether a cipher system offers theoretical or practical security, the most likely way in which it will be “broken” is through bad key management processes.