
Cryptography

Learn about the requirements for digital signatures, how to implement them using RSA and ElGamal algorithms, and the security of DES encryption.

soriab

Presentation Transcript


  1. Cryptography Lecture 12: Digital Signatures Piotr Faliszewski

  2. Digital Signatures • Requirements for digital signatures • tied to the signer • tied to the message! • easily verified • difficult to forge

  3. RSA Digital Signature
     • Signing document m
       • p, q – two large primes
       • $n = pq$
       • e – an exponent s.t. $\gcd(e, \varphi(n)) = 1$
       • $ed \equiv 1 \pmod{\varphi(n)}$
       • $y = m^d \pmod n$ → the signature!
       • (m, y) – the signed document
     • Observation
       • Signing is encrypting with keys reversed!
     • Verification
       • compute $y^e \pmod n$ → should obtain m

  4. Forging Signatures
     • Reusing a signature?
       • (m, y) – a signed document
       • $m_1$ – a different document
       • $m_1^e \not\equiv y \pmod n$ → can't use signature y
     • Different approach
       • choose y
       • let $m = y^e \pmod n$
       • (m, y) → validly signed document
       • ... but m will be all garbage

  5. Signing without Reading
     • Scenario
       • Bob wants Alice to sign a document
       • Bob does not want Alice to read it
       • Is it possible?

  6. Signing without Reading
     • Scenario
       • Bob wants Alice to sign a document
       • Bob does not want Alice to read it
       • Is it possible?
     • RSA implementation
       • Alice: chooses p, q, e, d; n, e → public
       • Bob: random k (mod n), $\gcd(k, n) = 1$; m – message to sign; $t = m \cdot k^e \pmod n$
       • Alice: signs t as $s = t^d \pmod n$
       • Bob: computes s/k; this is signed m
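The RSA slides above (signing, the "choose y first" forgery, and signing without reading) worked through in code. This is an added example, not part of the lecture; the primes, exponent, message and blinding value are constructed toy values, and the function names are hypothetical.

```python
from math import gcd

# Constructed toy parameters (far too small for real use).
p, q = 1009, 1013
n, phi = p * q, (p - 1) * (q - 1)
e = 17
d = pow(e, -1, phi)              # e*d = 1 (mod phi(n))

def sign(m):
    """Alice: y = m^d mod n."""
    return pow(m, d, n)

def verify(m, y):
    """Anyone: y^e mod n should give back m."""
    return pow(y, e, n) == m % n

def forge(y):
    """Slide 4: pick y first, derive m = y^e. The pair verifies,
    but the forger has no control over what m says."""
    return pow(y, e, n), y

def blind(m, k):
    """Bob: t = m * k^e mod n, with gcd(k, n) = 1."""
    if gcd(k, n) != 1:
        raise ValueError("k must be invertible mod n")
    return (m * pow(k, e, n)) % n

def unblind(s, k):
    """Bob: s / k mod n."""
    return (s * pow(k, -1, n)) % n

def blind_signature(m, k):
    t = blind(m, k)              # Alice only ever sees t, never m
    s = sign(t)                  # s = t^d = m^d * k^(ed) = m^d * k (mod n)
    return unblind(s, k)         # m^d, an ordinary signature on m
```

The forgery verifies because textbook RSA signs the raw message; signing a hash of the message instead leaves the forger with a value whose preimage they cannot choose.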

  7. ElGamal Digital Signatures
     • Signing document m
     • Setup
       • p – a large prime
       • α – primitive root mod p
       • a – secret value
       • $\beta = \alpha^a \pmod p$
     • Signing process
       • Choose random k, $\gcd(k, p-1) = 1$
       • $r = \alpha^k \pmod p$
       • $s = (m - ar)k^{-1} \pmod p$
       • Signature = (r, s)
     • Verification
       • Accept if: $\alpha^m \equiv \beta^r r^s \pmod p$
     • Why does it work?
       • $\beta^r \equiv \alpha^{ar} \pmod p$
       • $r^s \equiv \alpha^{k(m-ar)k^{-1}} \equiv \alpha^{m-ar} \pmod p$
       • $\alpha^m \equiv \beta^r r^s \pmod p$
     • Properties
       • Multiple signatures per document
       • Safe if discrete logarithm is hard
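The ElGamal scheme from the slide above as runnable code, including the "multiple signatures per document" property. This is an added example, not part of the lecture; p, α, a, the message and both k values are constructed toy values. Here s is reduced modulo p − 1, the modulus under which k is invertible (gcd(k, p − 1) = 1) and under which exponents of α wrap around.

```python
from math import gcd

# Constructed toy parameters; real use needs a large prime p.
p, alpha = 467, 2                # 2 is a primitive root mod 467
a = 127                          # signer's secret value
beta = pow(alpha, a, p)          # public: beta = alpha^a mod p

def sign(m, k):
    """Return (r, s) for message m using per-signature random k."""
    if gcd(k, p - 1) != 1:
        raise ValueError("k must be invertible mod p-1")
    r = pow(alpha, k, p)
    s = ((m - a * r) * pow(k, -1, p - 1)) % (p - 1)
    return r, s

def verify(m, sig):
    """Accept if alpha^m == beta^r * r^s (mod p)."""
    r, s = sig
    if not 0 < r < p:            # reject out-of-range r before doing any math
        return False
    return pow(alpha, m, p) == (pow(beta, r, p) * pow(r, s, p)) % p

def two_signatures(m):
    """Same document, two different k: two different valid signatures."""
    return sign(m, 213), sign(m, 131)
```

Each signature needs a fresh k: two signatures that share the same k give an observer two equations in the two unknowns a and k.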

  8. Cryptography Lecture 12: DES Piotr Faliszewski

  9. What is DES?
     • symmetric-key cipher for private/commercial use
     • developed at IBM
       • Lucifer algorithm – by Horst Feistel
       • DES is an adaptation of the Lucifer algorithm
     • executes a series of stages of
       • permutation
       • substitution
     • NBS = NIST
       • NBS – National Bureau of Standards
       • NIST – National Institute of Standards and Technology
     • DES – Data Encryption Standard

  10. Requirements for DES
      • High level of security
      • Public and easy to understand
        • Follow Kerckhoffs's principle (security in the key)
      • Available to everyone
      • Adaptable to multiple applications
      • Cheap to implement in hardware
      • Efficient to use
      • Exportable

  11. History of DES
      • 1972 – NBS's call for proposals
      • 1974 – second call for proposals
      • 1976 – DES approved as standard
      • 1983 – DES reaffirmed for the first time
      • 1988 – DES reaffirmed for the second time
      • 1990 – rediscovery of differential cryptanalysis
      • 1993 – DES reaffirmed for the third time
      • 1997 – DES challenge – first public breaking of DES
      • 1998 – EFF's DES Cracker breaks DES in 56 hours
      • 1999 – DES Cracker + distributed.net break DES in 22 hours and 15 minutes
      • 1999 – DES reaffirmed for the third time (Triple DES required)
      • 2005 – NIST withdraws DES
      • 2007 – $10000 computer capable of breaking DES in about a week

  12. DES Key
      • DES key
        • 64 bits, 8 of which are parity
          • 8, 16, 24, ...
          • every 8 bits of the key have an odd number of ones in binary
        • parity bits dropped
        • 56 bits important for the key
      • [Figure: key bit positions 8, 16, 24, 32, 40, 48, 56, 64]

  13. Basic Operation of DES
      • [Diagram: plaintext (64 bits) and key → DES → ciphertext (64 bits)]
      • 16 rounds of permutation and substitution (decryption almost identical)

  14. DES Operation – Agenda • Encryption and decryption • Feistel function • S-boxes • Key schedule

  15. DES Encryption
      • M – 64 bits of plaintext
      • K – the 56 bit key
      • $K_1, \ldots, K_{16}$ – derived from K
      • IP – initial permutation
      • $FP = IP^{-1}$ – final permutation
      • F – Feistel function
      • Initial permutation
        • no cryptographic purpose
        • eased implementation of DES in hardware in the 70s
      • Feistel function
        • recombines the bits of the message
      • Key schedule ($K_1, \ldots, K_{16}$)
        • simply determined from K

  16. DES Encryption
      • M – 64 bits of plaintext
      • K – the 56 bit key
      • $K_1, \ldots, K_{16}$ – derived from K
      • IP – initial permutation
      • $FP = IP^{-1}$ – final permutation
      • F – Feistel function
      • Algorithm
        • $M_0 = IP(M)$, $L_0R_0 = M_0$
        • For $1 \le i \le 16$: $L_i = R_{i-1}$, $R_i = L_{i-1} \oplus f(R_{i-1}, K_i)$
        • $c = IP^{-1}(R_{16}L_{16})$
      • Initial permutation
        • no cryptographic purpose
        • eased implementation of DES in hardware in the 70s
      • Feistel function
        • recombines the bits of the message
      • Key schedule ($K_1, \ldots, K_{16}$)
        • simply determined from K

  17. DES Encryption
      • M – 64 bits of plaintext
      • K – the 56 bit key
      • $K_1, \ldots, K_{16}$ – derived from K
      • IP – initial permutation
      • $FP = IP^{-1}$ – final permutation
      • F – Feistel function
      • Algorithm
        • $M_0 = IP(M)$, $L_0R_0 = M_0$
        • For $1 \le i \le 16$: $L_i = R_{i-1}$, $R_i = L_{i-1} \oplus f(R_{i-1}, K_i)$
        • $c = IP^{-1}(R_{16}L_{16})$

  18. DES Decryption
      • How to decrypt?
      • Algorithm
        • $M_0 = IP(M)$, $L_0R_0 = M_0$
        • For $1 \le i \le 16$: $L_i = R_{i-1}$, $R_i = L_{i-1} \oplus f(R_{i-1}, K_i)$
        • $c = IP^{-1}(R_{16}L_{16})$

  19. DES Decryption
      • How to decrypt?
        • Run again, keys backwards!
      • Algorithm
        • $M_0 = IP(M)$, $L_0R_0 = M_0$
        • For $1 \le i \le 16$: $L_i = R_{i-1}$, $R_i = L_{i-1} \oplus f(R_{i-1}, K_i)$
        • $c = IP^{-1}(R_{16}L_{16})$

  20. DES Decryption
      • Algorithm
        • $M_0 = IP(M)$, $L_0R_0 = M_0$
        • For $1 \le i \le 16$: $L_i = R_{i-1}$, $R_i = L_{i-1} \oplus f(R_{i-1}, K_i)$
        • $c = IP^{-1}(R_{16}L_{16})$
      • Inverting one round
        • $R_{i-1} = L_i$
        • $L_{i-1} = R_i \oplus f(L_i, K_i)$
      • Roles of L and R are exchanged!
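The "run again, keys backwards" property of the decryption slides, shown on a 16-round Feistel network with the slides' round equations. This is an added example, not part of the lecture: the round function is a hash-based stand-in rather than the DES f, the subkeys are constructed, and IP and its inverse are left out because they cancel.

```python
import hashlib

def f(half, subkey):
    """Stand-in round function (NOT the DES f). It is not invertible,
    and it does not need to be: the Feistel structure is what inverts."""
    digest = hashlib.sha256(half.to_bytes(4, "big") + subkey).digest()
    return int.from_bytes(digest[:4], "big")

def feistel(block, subkeys):
    """L_i = R_{i-1}, R_i = L_{i-1} xor f(R_{i-1}, K_i); output R16 || L16."""
    left, right = block >> 32, block & 0xFFFFFFFF
    for k in subkeys:
        left, right = right, left ^ f(right, k)
    return (right << 32) | left          # final swap of the two halves

# Constructed 48-bit subkeys K1..K16 (a real key schedule derives them from K).
SUBKEYS = [bytes([i]) * 6 for i in range(1, 17)]

def encrypt(m):
    return feistel(m, SUBKEYS)

def decrypt(c):
    # Same routine, subkeys in reverse order K16..K1. After the final swap
    # the halves enter as (R16, L16), so each round computes
    # R_{i-1} = L_i and L_{i-1} = R_i xor f(L_i, K_i).
    return feistel(c, SUBKEYS[::-1])
```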

  21. DES Operation – Agenda • Encryption and decryption • Feistel function • S-boxes • Key schedule

  22. Feistel Function
      • Input
        • half-block – 32 bits of data to encrypt
        • subkey – 48 bits ($K_i$)
      • Operation
        • Expand 32 bits of input into 48 bits (permute & duplicate)
        • XOR with the key
        • Apply S-boxes
        • Apply permutation P
      • confusion and diffusion

  23. Feistel Function
      • Input
        • 48 bits from key and expanded input
        • these bits form 8 blocks of 6 bits each
      • S-boxes
        • Input: 6 bits
        • Output: 4 bits
        • highly nonlinear
        • specified by a table

  24. DES Operation – Agenda • Encryption and decryption • Feistel function • S-boxes • Key schedule

  25. Operation of an S-box
      • S-box table
        • 14 4 13 1 2 15 11 8 3 10 6 12 5 9 0 7
        • 0 15 7 4 14 2 13 1 10 6 12 11 9 5 3 8
        • 4 1 14 8 13 6 2 11 15 12 9 7 3 10 5 0
        • 15 12 8 2 4 9 1 7 5 11 3 14 10 0 6 13

  26. Operation of an S-box
      • Input bits: b1 b2 b3 b4 b5 b6 = 0 1 1 0 0 1
      • S-box table
        • 14 4 13 1 2 15 11 8 3 10 6 12 5 9 0 7
        • 0 15 7 4 14 2 13 1 10 6 12 11 9 5 3 8
        • 4 1 14 8 13 6 2 11 15 12 9 7 3 10 5 0
        • 15 12 8 2 4 9 1 7 5 11 3 14 10 0 6 13

  27. Operation of an S-box
      • Input bits: b1 b2 b3 b4 b5 b6 = 0 1 1 0 0 1
      • Column: b2b3b4b5
      • Row: b1b6
      • S-box table
        • 14 4 13 1 2 15 11 8 3 10 6 12 5 9 0 7
        • 0 15 7 4 14 2 13 1 10 6 12 11 9 5 3 8
        • 4 1 14 8 13 6 2 11 15 12 9 7 3 10 5 0
        • 15 12 8 2 4 9 1 7 5 11 3 14 10 0 6 13

  28. Operation of an S-box
      • Input bits: b1 b2 b3 b4 b5 b6 = 0 1 1 0 0 1
      • Column: $b_2b_3b_4b_5 = (1100)_2 = 12$
      • Row: b1b6 = 0 1
      • S-box table
        • 14 4 13 1 2 15 11 8 3 10 6 12 5 9 0 7
        • 0 15 7 4 14 2 13 1 10 6 12 11 9 5 3 8
        • 4 1 14 8 13 6 2 11 15 12 9 7 3 10 5 0
        • 15 12 8 2 4 9 1 7 5 11 3 14 10 0 6 13

  29. Operation of an S-box
      • Input bits: b1 b2 b3 b4 b5 b6 = 0 1 1 0 0 1
      • Column: $b_2b_3b_4b_5 = (1100)_2 = 12$
      • Row: b1b6 = 0 1
      • S-box table
        • 14 4 13 1 2 15 11 8 3 10 6 12 5 9 0 7
        • 0 15 7 4 14 2 13 1 10 6 12 11 9 5 3 8
        • 4 1 14 8 13 6 2 11 15 12 9 7 3 10 5 0
        • 15 12 8 2 4 9 1 7 5 11 3 14 10 0 6 13
      • Output = 9 = $(1001)_2$

  30. Design of S-boxes?
      • How were the S-boxes designed?
        • No apparent structure
        • Magic? Random choice?
        • Is there a trap door in the S-boxes?

  31. Design of S-boxes?
      • How were the S-boxes designed?
        • No apparent structure
        • Magic? Random choice?
        • Is there a trap door in the S-boxes?
      • In the 70s it took months to find the S-boxes automatically
      • IBM published some criteria in the early 90s
        • 6 inputs/4 outputs – largest doable on one chip in 1974
        • outputs are not linear functions of the inputs
        • each row contains all numbers between 0 and 15
        • If two inputs vary by 1 bit then output varies by 2 bits
        • ...
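The S-box lookup from the "Operation of an S-box" slides, together with a check of the three testable design criteria listed above, run against the table shown on those slides. This is an added example, not part of the lecture; the function names are hypothetical, and the one-bit criterion is checked as "at least 2 output bits change".

```python
# The table from the slides, one list per row.
S_BOX = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]

def sbox(x):
    """x holds the 6 input bits b1..b6 (b1 most significant).
    Row is b1b6, column is b2b3b4b5."""
    row = ((x >> 4) & 0b10) | (x & 1)
    col = (x >> 1) & 0b1111
    return S_BOX[row][col]

def rows_are_permutations():
    """Criterion: each row contains all numbers between 0 and 15."""
    return all(sorted(row) == list(range(16)) for row in S_BOX)

def min_change_for_one_bit_flip():
    """Criterion: smallest number of output bits that change when
    exactly one input bit is flipped, over all 64 inputs."""
    return min(bin(sbox(x) ^ sbox(x ^ (1 << i))).count("1")
               for x in range(64) for i in range(6))

def affine_output_bits():
    """Criterion: outputs are not linear functions of the inputs.
    Returns the output bit positions that ARE affine over GF(2)."""
    def bit_of(x, j):
        return (sbox(x) >> j) & 1
    def predicted(x, j):         # value an affine function would take at x
        v = bit_of(0, j)
        for i in range(6):
            if (x >> i) & 1:
                v ^= bit_of(1 << i, j) ^ bit_of(0, j)
        return v
    return [j for j in range(4)
            if all(predicted(x, j) == bit_of(x, j) for x in range(64))]
```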

  32. DES Operation – Agenda • Encryption and decryption • Feistel function • S-boxes • Key schedule

  33. Key Schedule
      • PC1 – permuted choice 1 – drop the parity bit + permutation
      • Remaining 56 bits split into 28 bit halves
      • PC2 – select 24 bits from the right and 24 bits from the left
      • <<< – rotations to the left (at each level by either 1 or 2 positions – altogether full rotation is done – rotate right for decryption)
      • each key bit used in about 14 of 16 iterations

  34. Security of DES
      • Key size
        • 56 bit seems too short!
        • brute-force attack is feasible
      • Attacks on DES
        • distributed computing
        • special purpose architecture
        • programmable logic arrays
      • 1997 DES challenge
        • $10,000 to a person who breaks a certain DES encrypted message
        • won by Rocke Verser
          • distributed program over the internet
          • shared the prize with the owner of the computer that found the key
        • the message was: "Strong cryptography makes the world a safer place"

  35. Security of DES
      • Electronic Frontier Foundation's DES Cracker
        • special purpose computer for cracking DES
        • cost of about $250,000
      • Architecture
        • large number (≈1500) of 40MHz chips testing keys
        • if a key is interesting → send to the main machine for testing
        • key is interesting if it decrypts first 128 bits to reasonable characters
      • Performance
        • Breaks DES in 4.5 days on the average!!

  36. Extending DES Security
      • Notation
        • $A_k(m)$ – affine cipher with key k
        • $R_k(m)$ – RSA cipher with key k
        • $E_k(m)$ – DES cipher with key k
      • Encrypting multiple times
        • $A_{k_1}(A_{k_2}(m)) = A_{k_3}(m)$ for some $k_3$
        • $R_{k_1}(R_{k_2}(m)) = R_{k_3}(m)$ for some $k_3$

  37. Extending DES Security
      • Notation
        • $A_k(m)$ – affine cipher with key k
        • $R_k(m)$ – RSA cipher with key k
        • $E_k(m)$ – DES cipher with key k
      • Encrypting multiple times
        • $A_{k_1}(A_{k_2}(m)) = A_{k_3}(m)$ for some $k_3$
        • $R_{k_1}(R_{k_2}(m)) = R_{k_3}(m)$ for some $k_3$
      • Not true for DES!
        • applying DES twice does not yield a DES cipher with a different key!

  38. Extending DES
      • Triple DES
        • choose three keys $k_1, k_2, k_3$
        • Encryption: $c = E_{k_1}(D_{k_2}(E_{k_3}(m)))$
      • Questions
        • why use EDE rather than EEE?
        • why three keys not two?

  39. Extending DES
      • Triple DES
        • choose three keys $k_1, k_2, k_3$
        • Encryption: $c = E_{k_1}(D_{k_2}(E_{k_3}(m)))$
      • Questions
        • why use EDE rather than EEE?
        • why three keys not two?
      • Some answers
        • Triple DES reduces to DES if $k_1 = k_2 = k_3$
        • Using three keys gives the effect of.... ... 112 bits of encryption only!
        • Two keys would not increase the strength at all!
        • Meet-in-the-middle attack!

  40. Meet in the Middle Attack
      • "Double-DES"
        • Keys: $k_1, k_2$
        • $c = E_{k_1}(E_{k_2}(m))$
      • Seems secure?
        • two keys of 56 bits each
        • 112 bits altogether...

  41. Meet in the Middle Attack
      • "Double-DES"
        • Keys: $k_1, k_2$
        • $c = E_{k_1}(E_{k_2}(m))$
      • Seems secure?
        • two keys of 56 bits each
        • 112 bits altogether...
      • Meet-in-the-middle Attack
        • Given a pair (m, c) of plaintext and ciphertext for "Double-DES"
        • Prepare lists
          • $x_i = D_{k_i}(c)$, for all keys $k_i$
          • $y_i = E_{k_i}(m)$, for all keys $k_i$
        • Find a match:
          • If $x_i = y_j$ then we found both keys! (or a small set of candidates)
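Why two keys do not give twice the key length: the two-list construction from the slide above, run on a toy cipher so the work can be counted. This is an added example, not part of the lecture; the 16-bit block cipher with a 10-bit key is a constructed stand-in for DES, and all names and constants are hypothetical.

```python
MASK = 0xFFFF
MUL = 0x9E37                         # odd, so invertible mod 2^16
MUL_INV = pow(MUL, -1, 1 << 16)
KEYS = range(1 << 10)                # toy 10-bit key space (DES: 2^56)

def E(k, x):
    """Toy 16-bit block cipher (NOT DES): xor key, multiply, rotate left 5."""
    x = ((x ^ ((k * 0x41) & MASK)) * MUL) & MASK
    return ((x << 5) | (x >> 11)) & MASK

def D(k, y):
    y = ((y >> 5) | (y << 11)) & MASK            # rotate right 5
    return ((y * MUL_INV) & MASK) ^ ((k * 0x41) & MASK)

def double_encrypt(k1, k2, m):
    return E(k1, E(k2, m))                       # c = E_k1(E_k2(m))

def meet_in_the_middle(pairs):
    """Return all (k1, k2) consistent with the known (m, c) pairs.
    Cost: 2 * |KEYS| cipher calls plus a table, not |KEYS|^2."""
    (m, c), rest = pairs[0], pairs[1:]
    middle = {}
    for k2 in KEYS:                              # list y = E_k2(m)
        middle.setdefault(E(k2, m), []).append(k2)
    found = []
    for k1 in KEYS:                              # list x = D_k1(c)
        for k2 in middle.get(D(k1, c), []):      # x == y: candidate pair
            if all(double_encrypt(k1, k2, mm) == cc for mm, cc in rest):
                found.append((k1, k2))
    return found
```

With 56-bit keys the same construction costs about 2 · 2^56 cipher operations plus storage for one list, which is the reason the slides count Triple DES at 112 bits rather than 168.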

  42. Extending DES
      • Triple DES
        • security of 112 key bits
        • 3x the runtime of regular DES!
      • DESX
        • $c = k_1 \oplus E_{k_2}(m \oplus k_3)$
        • DESX not as good as Triple DES ...
        • ... but still much better than DES
        • as fast as DES
        • X in DESX stands for XOR

  43. Modes of Operation
      • How to use DES to encode a stream of data?
      • Typical data:
        • Stream of characters (8 characters per block)
      • Some requirements
        • security
        • encoding symbol by symbol (not block by block)
        • Errors should not propagate
      • Modes of operation
        • Electronic Codebook
        • Cipher Block Chaining
        • Cipher Feedback
        • Output Feedback
        • Counter

  44. Electronic Codebook (ECB)
      • Idea:
        • $P = [P_1, \ldots, P_L]$, $C = [C_1, \ldots, C_L]$
        • Plaintext of 64-bit blocks
        • Ciphertext: Each block encoded separately
        • $C_j = E_k(P_j)$
      • Properties:
        • A single error in encoding damages the whole block of data
        • Same blocks of plaintext are encoded to same blocks of ciphertext
          • can build a codebook...
          • ... and read messages without knowing the key

  45. Cipher Block Chaining (CBC)
      • Idea: Use previous blocks for encryption
        • $P = [P_1, \ldots, P_L]$, $C = [C_1, \ldots, C_L]$
        • $C_j = E_k(P_j \oplus C_{j-1})$
      • How to choose $C_0$?
        • Fixed value? then the same message looks identical!
        • Choose randomly...
        • ... and send in the open text!
      • Problems:
        • Transmission error still destroys the whole block
        • Have to cipher block by block

  46. Cipher Feedback (CFB)
      • Idea: try to encode character by character
        • Instead of using DES to encode the message...
        • ... use "one-time pad" with DES generated pseudorandom bits
      • Notation
        • L8 – left 8 bits
        • R56 – right 56 bits
      • Encryption
        • $P = [P_1, \ldots, P_L]$ → plaintext characters
        • $O_j = L_8(E_k(X_j))$
        • $C_j = P_j \oplus O_j$
        • $X_{j+1} = R_{56}(X_j) \,\|\, C_j$
      • Problems
        • Transmission errors still damage 64 bits of data

  47. Output Feedback (OFB)
      • Idea
        • transmission error for one character should damage only one character
        • $O_j = L_8(E_k(X_j))$
        • $X_{j+1} = R_{56}(X_j) \,\|\, O_j$
        • $C_j = P_j \oplus O_j$
      • Performance
        • $O_j$'s – generated without plaintext!
        • Errors in transmission affect only erroneous symbols!

  48. Counter (CTR)
      • Idea
        • Make $X_j$'s computable in parallel
        • $X_j = X_{j-1} + 1$
        • $O_j = L_8(E_k(X_j))$
        • $C_j = P_j \oplus O_j$
      • Advantage:
        • Can cipher the whole stream of data in parallel
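The error-propagation claims on the CFB and OFB slides, measured by flipping one bit of one ciphertext character and counting the damaged plaintext characters. This is an added example, not part of the lecture: E is a keyed-hash stand-in for $E_k$ (these modes only use the forward direction), and the key, the all-zero initial register and the helper names are constructed assumptions.

```python
import hashlib

KEY = b"constructed-key"

def E(x):
    """Stand-in for E_k on a 64-bit block (keyed hash, NOT DES)."""
    return hashlib.sha256(KEY + x).digest()[:8]

def cfb(data, x, decrypt=False):
    out = bytearray()
    for byte in data:
        o = E(x)[0]                        # O_j = L8(E_k(X_j))
        res = byte ^ o                     # C_j = P_j xor O_j (or the reverse)
        c = byte if decrypt else res       # the ciphertext byte is fed back
        x = x[1:] + bytes([c])             # X_{j+1} = R56(X_j) || C_j
        out.append(res)
    return bytes(out)

def ofb(data, x):
    out = bytearray()
    for byte in data:
        o = E(x)[0]                        # O_j = L8(E_k(X_j))
        x = x[1:] + bytes([o])             # X_{j+1} = R56(X_j) || O_j
        out.append(byte ^ o)
    return bytes(out)                      # same routine encrypts and decrypts

def damaged(decrypt_fn, ciphertext, plaintext, j):
    """Flip one bit of ciphertext character j; list the wrong output positions."""
    bad = bytearray(ciphertext)
    bad[j] ^= 0x01
    got = decrypt_fn(bytes(bad))
    return [i for i, (a, b) in enumerate(zip(got, plaintext)) if a != b]

IV = bytes(8)                              # constructed initial register X_1
PT = b"Strong cryptography makes the world a safer place"

def cfb_damage(j):
    return damaged(lambda c: cfb(c, IV, decrypt=True), cfb(PT, IV), PT, j)

def ofb_damage(j):
    return damaged(lambda c: ofb(c, IV), ofb(PT, IV), PT, j)
```

In CFB the bad character stays in the 64-bit register for the next eight steps, so damage is confined to positions j through j+8; in OFB the keystream never depends on the ciphertext, so only position j is affected.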
