560 likes | 749 Views
Computer Systems Security Cryptography Topic 3 Sources: Pfleeger Chapter 10. Agenda. Details of AES Public Key Encryption Systems Merkle-Helman Knapsacks Encryption RSA Encryption Other Aspects of Cryptography and conclusion. Where we left off last week ….
E N D
Computer Systems SecurityCryptography Topic 3Sources: Pfleeger Chapter 10 CSS_PS6.ppt
Agenda • Details of AES • Public Key Encryption Systems • Merkle-Helman Knapsacks Encryption • RSA Encryption • Other Aspects of Cryptography and conclusion CSS_PS6.ppt
Where we left off last week … • Introduced AES. The characteristics are: • Symmetric key • Operates on data blocks of 128 bits • Key sizes of 128, 192, and 256 bits • Rijndael Algorithm • Structure of AES • 128-bit block of AES presented as a 4 by 4 matrix, called the state. • Present the state as the matrix s[0,0]..s[3,3]. • Fill the state matrix from input in columns. • Rijindael performs some of the operations in columns, and some in rows. CSS_PS6.ppt
AES – Rijndael Basic Steps The four steps are as follows: • Byte Substitution: Non-linear function for confusion • S-box used on every byte. S[i,j] becomes s’[i,j]. This is carried out through a substitution table • Shift Rows: Linear mixing function for diffusion • Rows ofS are permutated by left circular shift • The firsti elements of rowi are shifted around to the end • Mix columns: Transformation on columns of S under which the 4 elements of each column are multiplied by a polynomial • Defusing each element of the column over all these four elements • Shifting left and XOR bits • Effect: matrix multiplication • Add Round Key: incorporates key and creates confusion • Derive unique key and add to each column • All operations can be combined into XOR and table look-ups • This is a very efficient and fast method CSS_PS6.ppt
AES: Byte Substitution Step • Uses a conventional substitution box • See next slide. • This table is set up so that each byte b is replaced by the byte which is the result of two mathematical functions: • Let b-1 be is the multiplicative inverse of b in GF(28); • 0, having no multiplicative inverse, is represented by 0. (using inverses ensures that each value appears exactly only once in the table) • Exclusive OR b-1 with 99 [= hexadecimal 63 = 0110 0011] (Adding 63 helps break up patterns) • Leaving the mathematics alone we suffice to using the substitution table in next slide CSS_PS6.ppt
RSA: Byte Substitution Table (Source: Pfleeger) CSS_PS6.ppt
RSA: Byte Substitution Table Byte 20 is replaced by B7, In row 2, column 0. CSS_PS6.ppt
RSA: Shift Row Step • AES specifies 128-bit blocks i.e. 16 bytes. But Rijndael also defines 192-bit (24 bytes), and 256-bit (32 bytes) blocks. • Now Assume a block is composed of 16 (or 24 or 32) bytes numbered (from left, or most significant, to right) 1 to 16 (or 24 or 32). • In the shift row, the numbered bytes are shifted to the positions as shown in Table shown in the next slide. CSS_PS6.ppt
RSA: Shift Row 128-,192-, and 256-bit block sizes • For 128- and 192-bit blocks, row i is rotated left (i–1) bytes Example of 128-bit block CSS_PS6.ppt
RSA: Shift Row 192-bit block sizes CSS_PS6.ppt
RSA: Shit Row - 256-bit block sizes • for 256-byte blocks, rows 3 and 4 are shifted an extra byte. CSS_PS6.ppt
RSA – Mix Column Stage • Each column (as shown in shift rows) is “multiplied” by the matrix: • So that CSS_PS6.ppt
RSA – Mix Column Stage • Note that this “multiplication” " is carried out on bytes by logical operations. • so multiplying the column by 1 means leaving it unchanged, multiplying by 2 (binary 10) means shifting each byte left one bit, and multiplying by 3 (binary 11) means shifting left one bit and adding (exclusive ORing) the original unshifted value. • See example in next slide. CSS_PS6.ppt
RSA – Mix Column Stage • For example, • S’1,1= S0,1 XOR (2 . S1,1) XOR (3 . S2,1) XOR S3,1 • Note that multiplication is (“.”) and addition is (XOR) and should be performed according to rules of Galios Field which are not covered in Pfleeger. • Results longer than 8 bits are reduced by computing mod P for the generating polynomial P of the Rijndael algorithm; • For example 100011011 is subtracted (XORed) from the result until the result has at most eight significant bits. CSS_PS6.ppt
RSA – Add Subkey • This step adds (exclusive OR) a subkey (variation of the key) with the result so far. • The subkey is generated as follows: • The first key is the key itself. • The second key is changed 4-byte word by word. • The first word is rotated one byte left, then transformed by the substitution of the byte substitution step, then added (exclusive ORed) with a constant. • The rest of the words in that subkey are produced by the exclusive OR of the first word with the corresponding word from the previous key. CSS_PS6.ppt
RSA – Add Subkey • For example, if key variation k1 is w1w2w3w4 (four 32-bit words, or 128 bits), then • k2 is w1'(w2 XOR w1')(w3 XOR w1')(w4 XOR w1') where w1' is w1 rotated left 1 byte, substituted, and exclusive ORed with a constant. CSS_PS6.ppt
AES – putting it all together(source: Pfleeger) • Summary of the four steps. • Notice that in the Mix Columns step the algorithm takes a "right turn," changing from a row (word) orientation to a column structure. CSS_PS6.ppt
Cryptanalysis of the AES • Rijndael has been subjected to extensive cryptanalysis by professional community and so far, no major problems have been noticed. • At the moment, the AES is a very good replacement for the DES. • The regularity of patterns result in good diffusion, • in that small changes in the input have a widespread effect. • However, it might give some clue to an attacker, although that is unlikely! • In future we can anticipate that mathematicians to explore this algorithm and its core area. CSS_PS6.ppt
Public Key Encryption Systems • Proposed in 1976 by Diffie and Hellman: • Each user will need a key that does not have to be kept secret. • The public nature of the key would not hider system's secrecy. • The public key transformation is a one-way encryption with a secret (private) way to decrypt. CSS_PS6.ppt
Characteristicsof Public Key Systems • This is an asymmetric method of encryption system, each user has two keys: a public key and a private key. • The user may publish the public key freely. The keys operate as inverses. Let kPRIV be a user's private key, and let kPUB be the corresponding public key. Then, P= D(KPRIV, E(KPUB,P) CSS_PS6.ppt
Characteristicsof Public Key Systems • … P= D(KPRIV , E(KPUB , P) • So a user can decode with a private key what someone else has encrypted with the corresponding public key. • Also, with the second public key encryption algorithm, P= D(KPUB , E(KPRIV , P) • So a user can encrypt a message with a private key and the message can be decrypted only with the corresponding public key. • These two properties show that public and private keys can be applied in either order. CSS_PS6.ppt
Characteristicsof Public Key Systems • In the literature there is three major types of public key systems: • Merkle–Hellman knapsacks, • RSA encryption, and • El Gamal applied to digital signatures. • We will examine the first two in some detail. CSS_PS6.ppt
Merkle–Hellman Knapsacks • Encryption algorithm based on the knapsack problem described earlier. • The knapsack problem involves a set of positive integers and a target total, with the goal of finding a subset of the integers that sum to the target. • The knapsack problem is NP-complete. CSS_PS6.ppt
Merkle–Hellman Knapsacks • The idea is to encode a binary message as a solution to a knapsack problem, reducing the ciphertext to the target sum obtained by adding terms corresponding to 1s in the plaintext. • Blocks of plaintext will be converted to a knapsack sum by adding into the sum those terms that match with 1 bits in the plaintext. • See example in next slide. CSS_PS6.ppt
Merkle–Hellman Knapsacks(source: Pfleeger) CSS_PS6.ppt
Merkle–Hellman Knapsacks • Before giving the details of the algorithm we define two types of knapsack: • General Knapsacks (hard knapsack) • Superincreasing knapsacks (simple knapsack) CSS_PS6.ppt
General Knapsacks • The knapsack problem examines a sequence a1, a2, …, an of integers and a target sum, T. • The problem is to find a vector of 0s and 1s such that the sum of the integers associated with 1s equals T. • That is, given S = [a1,a2, …, an], and T, find a vector V of 0s and 1s such that: * vi = T CSS_PS6.ppt
Superincreasing knapsacks • Places an additional restriction on the problem: The integers of S must form a superincreasing sequence, • each integer is greater than the sum of all preceding integers. • So, every integer ak would be of the form: CSS_PS6.ppt
Superincreasing knapsacks • The solution is easy to find. • Start with T. Compare the largest integer in S to it. If this integer is larger than T, it is not in the sum, so the corresponding position in V will be 0. • If the largest integer is less than or equal to T, that integer is in the sum, so the corresponding position in V will be 1 and reduce T by the integer. • Repeat for all remaining integers in S. • An example solving a simple knapsack for targets 96 and 95 is shown in next slide. CSS_PS6.ppt
Example of Superincreasing knapsacks Consider the list of integers [17,38,73,4,11,1] The corresponding vector V =(1,0,1,0,1,1) • Solution of a simple knapsack for targets 96 and 95. Source: Pfleeger CSS_PS6.ppt
The Knapsack Problem as a Public Key Cryptographic Algorithm • Each user has a public key, which can be distributed to anyone, and a private key, which is kept secret. • The public key is the set of integers of a (regular/hard) knapsack problem • The private key is a corresponding superincreasing knapsack. • Merkle and Hellman designed a technique for converting a superincreasing knapsack into a regular one. • This was done by changing the numbers in a non-obvious but reversible way. CSS_PS6.ppt
Merkle–Hellman Encryption algorithmTransforming a Superincreasing Knapsack • The encryption transforms a superincreasing knapsack into a (hard) knapsack. Here we learn just how to do that. • First we pick a superincreasing sequence S of m integers. • To do this, first choose an initial (small) integer. Choose the next integer to be larger than the first. Then select an integer larger than the sum of the first two. Continue this process by choosing new integers larger than the sum of all integers already chosen. • For example, CSS_PS6.ppt
Merkle–Hellman Encryption algorithmTransforming a Superincreasing Knapsack Forms such a simple knapsack sequence CSS_PS6.ppt
Merkle–Hellman Encryption algorithmTransforming a Superincreasing Knapsack • After choosing a simple knapsack S = [s1, s2,…,sm], we choose a multiplier wand a modulus n. • The modulus should be a number greater than the sum of all si. • The multiplier should have no common factors with the modulus. • To guarantee this property we can choose a modulus that is a prime number:- • no number smaller than it will have any common factors with it. CSS_PS6.ppt
Merkle–Hellman Encryption algorithmTransforming a Superincreasing Knapsack • Finally, we replace every integer si in the simple knapsack with the term • hi = w * si mod n • Then, H = [h1, h2,..., hm] is a hard knapsack. Both the hard and simple knapsacks will be used in the encryption. CSS_PS6.ppt
Merkle–Hellman Encryption Transformation Example • Example; • Start with the superincreasing knapsack • S = [1, 2, 4, 9] and transform it by multiplying by w and reducing mod n where w = 15 and n = 17: 1 * 15 = 15 mod 17 = 15 2 * 15 = 30 mod 17 = 13 4 * 15 = 60 mod 17 = 9 9 * 15 = 135 mod 17 = 16 The hard knapsack will be H= [15, 13,9,16] CSS_PS6.ppt
Merkle–Hellman Encryption • The plaintext message P can be formed as a binary sequence say: P = [p1, p2,..., pk]. • Divide the message into blocks of m bits, P0 = [pl, p2,..., pm], P1 = [pm+1,..., p2m], and so on. (m is the number of terms in the simple or hard knapsack) • To encipher message P we need a sequence of targets where, • each target is the sum of a combination of the terms of the hard knapsack H. • The selected terms are those corresponding to 1 bits in Piso that Piserves as a selection vector for the elements of H. • Each term of the ciphertext is: • Pi * H, the target derived using block Pi as the selection vector. CSS_PS6.ppt
Merkle–Hellman EncryptionAn Example • Consider the knapsacks S = [1, 2, 4, 9] and H = [15, 13, 9, 16] of previous example with w = 15, n = 17, and m = 4. The public key (knapsack) is H, while S is kept secret. • The message P = 0100101110100101 is encoded with public knapsack H = [15, 13, 9,16] as follows. P = 0100 1011 1010 0101 [0, 1, 0, 0] * [15, 13, 9, 16] = 13 [1, 0, 1, 1] * [15, 13, 9, 16] = 40 [1, 0, 1, 0] * [15, 13, 9, 16] = 24 [0, 1, 0, 1] * [15, 13, 9, 16] = 29 So The message is encrypted as the integers 13, 40, 24, 29, using the public knapsack H = [15, 13, 9, 16]. CSS_PS6.ppt
Knapsack Decryption Algorithm • The recipient knows the simple knapsack and the values of w and n that transformed it to a hard public knapsack. • It determines the value w–1 so that w * w–1 = 1 mod n. In our example, 15–1 mod 17 is 8, • since 15 * 8 mod 17 = 120 mod 17 = [(17 * 7) + 1] mod 17 = 1. • Remember that H is the hard knapsack derived from the simple knapsack S. H is obtained from S by H= w * S mod n CSS_PS6.ppt
Knapsack Decryption Algorithm • Also the ciphertext message produced by the encryption algorithm is: C = H * P = w * S * P mod n • To decipher, multiply C by w–1, since w-1 * C = w-1 * H * P = w-1 * w * S * P mod n= S * P mod n CSS_PS6.ppt
Knapsack Decryption Algorithm • Now the recipient would solve the simple knapsack problem with • knapsack S and target w–1 * Cifor each ciphertext integer Ci. • Since w–1 * Ci = S * P mod n, the solution for target w–1 * Ci is plaintext block Pi , which is the message originally encrypted. QED CSS_PS6.ppt
Example of Decryption • Remember the simple knapsack example was • S = [1, 2, 4, 9], with w = 15 and n = 17. The transmitted messages were 13, 40, 24, and 29. • To decipher, these messages are multiplied by 8 mod 17 since 8 is 15–1 mod 17. • Then we can easily solve the simple knapsacks, as follows: CSS_PS6.ppt
Example of Decryption S = [1, 2, 4, 9], with w = 15 and n = 17. 13 * 8 = 104 mod 17 = 2 = [0,1,0,0]*[1,2,4,9] 40 * 8 = 320 mod 17 = 14 = [1011]= [1,0,1,1] * [1,2,4,9] 24 * 8 = 192 mod 17 = 5 = [1010]= [1,0,1,0] * [1,2,4,9] 29 * 8 = 232 mod 17 =11 = [0101] [0,1,0,1] * [1,2,4,9] The recovered message is thus 0100101110100101 CSS_PS6.ppt
Case study • Investigat the cryptoanalysis of the knapsack algorithms and, • Weaknesses of the Merkle–Hellman Encryption Algorithm. CSS_PS6.ppt
Rivest–Shamir–Adelman (RSA) Encryption • Introduced in 1978 by Rivest, Shamir, and Adelman based on an underlying hard problem. • The RSA algorithm incorporates results from number theory, combined with the difficulty of determining the prime factors of a target. • RSA also operates with arithmetic mod n. CSS_PS6.ppt
RSA Basics • Two interchangeable keys, d and e, are used for decryption and encryption. • The plaintext block P is encrypted as Pe mod n. • The decrypting key d is carefully chosen so that (Pe)d mod n = P. • So, the receiver who knows d can simply compute (Pe)d mod n = P and recovers P without having to factor Pe. CSS_PS6.ppt
RSA Basics • The encryption algorithm is based on the underlying problem of factoring large numbers. • The factorization problem is not believed to be NP-complete; • the fastest known algorithm is exponential in time. CSS_PS6.ppt
Detailed Description of the RSA Algorithm • The RSA algorithm uses two keys, d and e, which work in pairs, for decryption and encryption, respectively. • A plaintext message P is encrypted to ciphertext C by C = Pe mod n • The plaintext is recovered by P = Cd mod n CSS_PS6.ppt
Detailed Description of the RSA Algorithm • Modular arithmetic is symmetric, so encryption and decryption are mutual inverses and commutative. Therefore, P = Cd mod n = (Pe)d mod n = (Pd)emod n • This means that we can apply the encrypting transformation and then the decrypting one, or the decrypting one followed by the encrypting one. CSS_PS6.ppt
RSA: Key Choice • The encryption key consists of the pair of integers (e, n), and the decryption key is (d, n). • This requires to find a very large value for n, a product of two primes p and q. • Both p and q should be large themselves. Typically, about 100 digits each. CSS_PS6.ppt