2. Encryption and Decryption
Sujeet Shenoi
Center for Information Security, Department of Computer Science
University of Tulsa, Tulsa, OK 74104
sujeet@utulsa.edu
2. Encryption & Decryption
Message
• Sender, Receiver, Transmission Medium
• Plaintext (P), Ciphertext (C)
• Interceptor/Intruder
  • Block message (Interruption)
  • Access message (Interception)
  • Modify message (Modification)
  • Fabricate message (Fabrication)
Fundamentals
Cryptography
• Using encryption to conceal plaintext
Cryptanalysis
• Unauthorized "code breaking"
Cryptology
• Cryptography and Cryptanalysis
Fundamentals (contd.)
Cryptanalysis
• Ciphertext Only Attack (only ciphertext is known)
• Known Plaintext Attack (full plaintext is known)
• Probable Plaintext Attack (some plaintext is known)
• Chosen Plaintext Attack (sender's process is known)
• Chosen Ciphertext Attack (algorithm and ciphertext are known)
Basic Encryption/Decryption
Key-Based Ciphers
• Provide more security (than Keyless Ciphers)
• Encryption Key (KE); Decryption Key (KD)
• C = { P }KE
• P = { C }KD = { { P }KE }KD
• Symmetric Encryption: KE = KD
• Asymmetric Encryption: KE ≠ KD
Basic Cipher Types
• Substitution Ciphers
  • Replace each character of the plaintext with another character
• Transposition Ciphers
  • Scramble or shuffle the plaintext characters
Substitution Ciphers
Monoalphabetic Ciphers
• A single alphabet is used for substitution
• Caesar Cipher
  • Plaintext Alphabet:  A B C D E F … U V W X Y Z
  • Ciphertext Alphabet: d e f g h i … x y z a b c
  • Plaintext:  WEATT ACKAT DAWNX
  • Ciphertext: zhdww dfndw gdzqa
Monoalphabetic Ciphers
• Key-Based Cipher (key letters first, then the unused letters in order)
  • Plaintext Alphabet:  A B C D E F G H I … U V W X Y Z
  • Ciphertext Alphabet: k e y a b c d f g … t u v w x z
• Substitution Cipher (letter at position i maps to position (3*i) mod 26, with A = 0)
  • Plaintext Alphabet:  A B C D E F G H I … U V W X Y Z
  • Ciphertext Alphabet: a d g j m p s v y … i l o r u x
Monoalphabetic Ciphers (contd.)
Breaking Monoalphabetic Ciphers
• Frequency Distributions
  • Each language has a characteristic distribution
  • Index of Coincidence (English IC = 0.068)
  • Computers make code breaking trivial
• Solution: "Flatten Frequency Distributions"
  • Polyalphabetic Ciphers (multiple alphabets)
Polyalphabetic Ciphers
• Multiple alphabets flatten distributions
• 26! possible alphabets
  #Alphabets:  1      2      3      4      5      10     Large
  IC:          0.068  0.052  0.047  0.044  0.044  0.041  0.038
• Example (each letter is enciphered with the alphabet numbered beneath it)
  T H I S I S A T E S T X X X X
  1 2 3 1 2 3 1 2 3 1 2 3 1 2 3
  • Choose alphabets 1, 2, 3 so that the frequencies are flat
Polyalphabetic Ciphers (contd.)
Vigenère Cipher
• Polyalphabetic cipher based on the Vigenère Tableau
• 26 possible alphabets, each "keyed" by a letter
• Example
  • Key:        j u l i e t j u l i e t
  • Plaintext:  B U T S O F T W H A T L
  • Ciphertext: k o e a s y c q s i …
Polyalphabetic Ciphers (contd.)
Breaking Polyalphabetic Ciphers: Kasiski's Method
  K: dicke nsdic kensd icken sdick ensdi ckens dicke
  P: ITWAS THEBE STOFT IMESI TWAST HEWOR STOFT IMESI      (position 20)
  K: nsdic kensd icken sdick ensdi ckens dicke nsdic
  P: TWAST HEAGE OFWIS DOMIT WASTH EAGEO FFOOL ISHNE
  K: kensd icken sdick ensdi ckens dicke nsdic kensd
  P: SSITW ASTHE EPOCH OFBEL IEFIT WASTH EEPOC HOFIN      (positions 83 and 104)
• The plaintext ITWASTHE at positions 20, 83 and 104 falls under the same key letters, so the ciphertext repeats there
• 83: dist 63; factors: 3, 7, 9, 21, 63
• 104: dist 21; factors: 3, 7, 21
• The key length (7) divides every such distance
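An added example (not from the slides) that runs the Vigenère cipher, the index of coincidence and Kasiski's method on the slide's own "dickens" example; the plaintext and key are the slide's, the function names are assumptions.

```python
from collections import defaultdict
from functools import reduce
from math import gcd

# Constructed from the slide: plaintext of the Kasiski example and its key
KEY = "dickens"
PLAINTEXT = ("ITWASTHEBESTOFTIMESITWASTHEWORSTOFTIMESITWASTHEAGEOFWISDOM"
             "ITWASTHEAGEOFFOOLISHNESSITWASTHEEPOCHOFBELIEFITWASTHEEPOCHOFIN")

def vigenere(text, key, decrypt=False):
    """Shift letter i by key letter (i mod len(key)): the tableau as arithmetic mod 26."""
    out = []
    for i, ch in enumerate(text.upper()):
        k = ord(key[i % len(key)].upper()) - 65
        out.append(chr((ord(ch) - 65 + (-k if decrypt else k)) % 26 + 65))
    return "".join(out)

def index_of_coincidence(text):
    """Probability that two letters drawn at random from text are equal (English ~0.068)."""
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return sum(c * (c - 1) for c in counts.values()) / (n * (n - 1))

def kasiski_repeats(ciphertext, n):
    """{n-gram: [1-indexed positions]} for every n-gram that occurs more than once."""
    seen = defaultdict(list)
    for i in range(len(ciphertext) - n + 1):
        seen[ciphertext[i:i + n]].append(i + 1)
    return {g: p for g, p in seen.items() if len(p) > 1}

def key_length_candidates(repeats):
    """gcd of the distances between consecutive occurrences and its divisors > 1:
    the key length divides every distance between aligned repeats."""
    dists = [b - a for pos in repeats.values() for a, b in zip(pos, pos[1:])]
    g = reduce(gcd, dists)
    return g, [d for d in range(2, g + 1) if g % d == 0]

if __name__ == "__main__":
    ct = vigenere(PLAINTEXT, KEY)
    print(kasiski_repeats(ct, 8), key_length_candidates(kasiski_repeats(ct, 8)))
```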
Perfect Substitution Ciphers
Infinite non-repeating sequences of alphabets (immunity to Kasiski's Method)
• One-Time Pad
• Long Random Number Sequences
• Vernam Cipher (punched paper tape)
• Long Sequences (e.g., from a Telephone Book)
Perfect Ciphers (contd.)
• Dual Message Entrapment
  • Key:     disre gardt hisme ssage
  • Message: THISM ESSAG EISCR UCIAL
Transposition Ciphers
Columnar Transposition
• Example (c = 10; plaintext written row by row)
  T H I S I S A M E S
  S A G E T O S H O W
  H O W A T R A N S P
  O S I T I O N C I P
  H E R W O R K S X X
• Ciphertext (read column by column): TSHOHHAOSEIGWIRSEATWITTIOSORORASANKMHNCSEOSIXSWPPX
Transposition Ciphers (contd.)
Breaking Transposition Ciphers
• Common Digrams and Trigrams
  • Digrams: EN, RE, ER, NT, TH, ON, IN, TE, AN, OR
  • Trigrams: ENT, ION, AND, ING, IVE, TIO, FOR, OUR, THI, ONE
• Sliding Window Technique (try column lengths 3, 4, 5, …)
  TSH OHH AOSEIGWIRSEATWITTIOSORORASANKMHNCSEOSIXSWPPX
  TSHO HHAO SEIGWIRSEATWITTIOSORORASANKMHNCSEOSIXSWPPX
  TSHOH HAOSE IGWIRSEATWITTIOSORORASANKMHNCSEOSIXSWPPX
Transposition Ciphers
Double Columnar Transposition
• Example (c1 = 10; c2 = 15)
• Ciphertext (First Transposition), written into 15 columns and padded with EAOXYQSRDX:
  T S H O H H A O S E I G W I R
  S E A T W I T T I O S O R O R
  A S A N K M H N C S E O S I X
  S W P P X E A O X Y Q S R D X
• Ciphertext (Second Transposition): TSASSESWHAAPOTNPHWKXHIMEATHAOTNOSICXEOSYISEQGOOSWRSRIOIDRRXX
Transposition Ciphers (contd.)
Breaking Double Transposition Ciphers
• Relationship between plaintext/ciphertext characters (first grid: c1 columns, r1 rows; second grid: c2 columns, r2 rows)
  • p_i = c1_j where j = r1*[(i-1) mod c1] + ⌊(i-1)/c1⌋ + 1
  • c1_i = c2_j where j = r2*[(i-1) mod c2] + ⌊(i-1)/c2⌋ + 1
• Use digrams and trigrams to compute the parameters (c1, r1, c2, r2)
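An added example (not from the slides) implementing single and double columnar transposition and the position formula above, checked against the slide's c = 10 / c2 = 15 example; the function names and the explicit pad argument are assumptions.

```python
def columnar_encrypt(text, c, pad="X"):
    """Write text row by row into c columns (padding the last row), read it column by column."""
    need = -len(text) % c
    text += (pad * need)[:need]
    rows = [text[i:i + c] for i in range(0, len(text), c)]
    return "".join(row[j] for j in range(c) for row in rows)

def columnar_decrypt(ct, c):
    """Inverse: the ciphertext holds c columns of r = len(ct)/c characters each."""
    r = len(ct) // c
    cols = [ct[j * r:(j + 1) * r] for j in range(c)]
    return "".join(cols[j][i] for i in range(r) for j in range(c))

def double_columnar_encrypt(text, c1, c2, pad1="X", pad2="X"):
    """Transpose twice; the slide pads the second grid with EAOXYQSRDX rather than X."""
    return columnar_encrypt(columnar_encrypt(text, c1, pad1), c2, pad2)

def cipher_position(i, c, r):
    """1-indexed ciphertext position of plaintext character i in a c-column, r-row grid:
    the p_i / c1_i relationship on the slide."""
    return r * ((i - 1) % c) + (i - 1) // c + 1

# Constructed from the slide's example
PLAINTEXT = "THISISAMESSAGETOSHOWHOWATRANSPOSITIONCIPHERWORKSXX"

if __name__ == "__main__":
    c1 = columnar_encrypt(PLAINTEXT, 10)
    print(c1)
    print(double_columnar_encrypt(PLAINTEXT, 10, 15, pad2="EAOXYQSRDX"))
```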
Stream vs. Block Ciphers
Stream Ciphers (convert p_i → c_i)
• Substitution Ciphers
• High Speed of Transformation
• Low Error Propagation
• Low Diffusion; High Confusion
• Susceptibility to Malicious Insertions
Block Ciphers (convert P → C)
• Transposition Ciphers
• Low Speed of Transformation
• High Error Propagation
• High Diffusion; Low Confusion
• Immunity to Malicious Insertions
Shannon Characteristics
Characteristics of "Good Ciphers" (1949)
• The amount of secrecy needed should determine the amount of effort needed for encryption and decryption (Principle of Timeliness)
• Keys and the enciphering algorithm should be free from complexity
• The implementation should be as simple as possible
• Errors should not propagate and corrupt the message
• Ciphertext Size ≤ Plaintext Size (the enciphered text should be no larger than the original)
3. Secure Encryption Systems
Sujeet Shenoi
Center for Information Security, Department of Computer Science
University of Tulsa, Tulsa, OK 74104
sujeet@utulsa.edu
3. Secure Encryption Systems
• Modern techniques are based on "Hard Problems" (NP-Complete Problems)
• Involve heuristic search (2^n possibilities)
• Satisfiability
  • Pick v1, v2, v3: Boolean such that (v1) ∧ (v2 ∨ v3) ∧ (¬v3 ∨ ¬v1) is True
• Knapsack
  • Pick v1, v2, v3 ∈ {0,1} such that v1*a1 + v2*a2 + v3*a3 = T (Target sum)
Classes P, NP and EXP
Class P
  Set of problems whose solutions run in time bounded by "polynomial functions" of the size of the problems
Class NP
  Set of problems whose solutions run in time bounded by polynomial functions of the size of the problems "assuming the ability to guess perfectly"
Class EXP
  Set of problems whose solutions run in time bounded by "exponential functions" of the size of the problems
Classes P, NP and EXP (contd.)
Fundamental Result: P ⊆ NP ⊆ EXP
Is P ≠ NP or P = NP? Not known!
Some Comments
• An NP-Complete problem does not guarantee that there is no solution easier than exponential
• Every NP-Complete problem has a solution that runs in time proportional to 2^n; feasible if n is small
• Non-determinism can be modeled by "threads"
• Interceptors may use other information to simplify the task of breaking the encryption
Secret and Public Key Algorithms
Secret Key Algorithms (Symmetric)
• One key for encryption and decryption (KE = KD = K)
• C = { P }K and P = { C }K
• One key per channel (#keys = n*(n-1)/2 for n users)
Public Key Algorithms (Asymmetric)
• Separate keys for encryption and decryption (KE ≠ KD)
• C = { P }KE and P = { C }KD
• C = { P }KD and P = { C }KE
• Two keys per user (#keys = 2*n)
Public Key Algorithms
Public Key Algorithms (Asymmetric)
• Key Pair: (KApriv, KApub)
  • KApriv: Private Key; KApub: Public Key
  • KApriv is kept secret by A
  • KApub is distributed widely by A
• A → Receiver: C = { P }KApriv (and P = { C }KApub)
• Sender → A: C = { P }KApub (and P = { C }KApriv)
RSA (Public Key) Algorithm
Rivest-Shamir-Adleman (1978)
• Based on factoring large numbers (200 digits)
• Best (known) factorization algorithm is exponential
• Encryption key: (e, n); Decryption key: (d, n)
  • C = P^e mod n; P = C^d mod n
  • C = P^d mod n; P = C^e mod n
• RSA Mathematics
  • n = p*q (p, q: 100-digit prime numbers) (n: 200 digits or 512 bits; 1024 bits max)
  • d = e^-1 mod φ(n) (e: relatively prime to φ(n) = (p-1)*(q-1))
Cryptographic Hash Algorithms
• A hash function (f) produces a "digest" of data/message
• S → R: m, f(m)
• R: computes f(m) and compares it with the f(m) received
• Difficult to "invert," i.e., to change m and still produce a matching f(m)
• XOR of all bits: 10101010 00101111 → 1 (Prob = 1/2)
• XOR of bytes: 10101010 ⊕ 00101111 = 10000101 (Prob = 1/2^8)
• Most digests are between 100 and 1,000 bits
Secure Hash Algorithm (SHA)
• Designed for the Digital Signature Algorithm (DSA)
• NIST (1992-1995)
• Input: up to 2^64 bits; Digest: 160 bits
• Operations: XOR, + mod 2^32, left circular shift(n, v)
• Algorithm: Non-linear function that interweaves bits
  • Pad message to a multiple of 512 bits (msg ‖ 1 ‖ 0…0 ‖ <64-bit length>) (512 bits = 16 32-bit words: W0 … W15)
  • Expand to 80 words: W0 … W79
  • Initialize 5 32-bit pattern constants: H0^(0) … H5^(0)
  • Perform the 80-step, 4-round diffusion algorithm: digest = H0^(80) … H5^(80)
MD4 and MD5 Algorithms
• MD4 (Rivest, 1991-92)
  • Exceptionally fast, less secure
  • 16-word block (512 bits)
  • 48-step, 3-round diffusion algorithm
  • 4 pattern constants (128 bits)
• MD5 (Rivest, 1992)
  • Slower, more secure
  • 16-word block (512 bits)
  • 64-step, 4-round diffusion algorithm
  • 4 pattern constants (128 bits)
Digital Signature Algorithms
• El Gamal Algorithm (1984)
  • Pick p: prime; a < p and x < p; (p-1) must have a large prime factor q
  • Compute: y = a^x mod p
  • Private key: x; Public key: y (and p, a)
• Message Signing (m: message)
  • Pick k: 0 < k < p-1 (relatively prime to p-1)
  • Compute: r = a^k mod p
  • Compute: s = k^-1 * (m – x*r) mod (p-1)   (k * k^-1 ≡ 1 mod (p-1))
  • Message Signature: r & s
• Signature Verification
  • Compute: y^r * r^s mod p
  • Compute: a^m mod p
  • Check: y^r * r^s mod p = a^m mod p
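An added example (not from the slides) that carries the RSA key arithmetic from the RSA slide and the El Gamal signing and verification steps above through in code with the slides' symbols (p, q, e, d, n; p, a, x, y, k, r, s); the function names are assumptions, and the small primes are for illustration only.

```python
import secrets
from math import gcd

def rsa_keygen(p, q, e=65537):
    """RSA from the slide: n = p*q, d = e^-1 mod phi(n); e must be coprime to phi(n)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to phi(n)")
    return (e, n), (pow(e, -1, phi), n)        # (public key (e, n), private key (d, n))

def rsa_apply(m, key):
    """C = P^e mod n with the public key, P = C^d mod n with the private key;
    the same operation with the keys swapped signs and verifies."""
    exp, n = key
    return pow(m, exp, n)

def elgamal_keygen(p, a):
    """Private key x, public key y = a^x mod p (p prime and base a are public)."""
    x = secrets.randbelow(p - 2) + 1           # 1 <= x < p-1
    return x, pow(a, x, p)

def elgamal_sign(m, x, p, a, k=None):
    """r = a^k mod p, s = k^-1 * (m - x*r) mod (p-1). k must be fresh for every
    signature and relatively prime to p-1 so that k^-1 mod (p-1) exists."""
    while k is None or gcd(k, p - 1) != 1:
        k = secrets.randbelow(p - 2) + 1
    r = pow(a, k, p)
    s = (pow(k, -1, p - 1) * (m - x * r)) % (p - 1)
    return r, s

def elgamal_verify(m, r, s, y, p, a):
    """Accept iff 0 < r < p and y^r * r^s == a^m (mod p); the range check on r is
    a standard verifier-side safeguard, not on the slide."""
    if not 0 < r < p:
        return False
    return (pow(y, r, p) * pow(r, s, p)) % p == pow(a, m, p)
```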
Digital Signature Algorithm (DSA)
• DSA (NIST, 1994)
  • El Gamal Algorithm with restrictions
  • Pick p: prime; a < p and x < p; (p-1) must have a large prime factor q
  • New condition: 2^511 < p < 2^512 (p: 170 digits long)
  • New condition: 2^159 < q < 2^160
  • Compute: y = a^x mod p
  • Private key: x; Public key: y (and p, a)
• Message Signing (H(m) instead of m)
  • Pick k: 0 < k < p-1 (relatively prime to p-1)
  • Compute: r = a^k mod q
  • Compute: s = k^-1 * (H(m) – x*r) mod q   (k * k^-1 ≡ 1 mod (p-1))
  • Message Signature: r & s
• DSA is easier to break than the El Gamal Digital Signature Algorithm
Secret Key Algorithms
• Data Encryption Standard (DES)
• Escrowed Encryption Standard (EES): Skipjack
• Advanced Encryption Standard (AES)
Secret Key Algorithms (Symmetric)
• Single Key for the A-B Channel: (KAB)
• KAB: Secret (known only to A and B)
• A → B: C = { P }KAB (and P = { C }KAB)
• B → A: C = { P }KAB (and P = { C }KAB)
Data Encryption Standard (DES)
• NIST (1977)
• Developed for use by the general public
• Accepted as a cryptographic standard worldwide
• Hardware and software implementations
• Algorithm
  • Complex combination of substitution and transposition (Product Cipher)
  • 64-bit plaintext blocks; 56-bit keys
  • 16-round algorithm
  • Same algorithm for encryption and decryption
DES Algorithm (contd.)
Algorithm Description
• Initial Permutation
• 16 Cycles (with Key Transformation)
• Inverse Initial Permutation
Cycle Description
• Split into Left and Right Halves: 32 bits each
• Expansion Permutation: 32 bits → 48 bits (Right Half only)
• XOR with Transformed Key: 48 bits (Right Half only)
• S-Box (Substitution Choice): 48 bits → 32 bits (Right Half only)
• P-Box (Permutation): 32 bits (Right Half only)
• XOR with Original Left Half: 32 bits (Right Half only)
• Concatenation of Original Right Half and the new Right Half
DES Algorithm (contd.)
Brute Force Attack
• 2^56 key possibilities
  • 1 key/100 ms: 228 million years
  • 1 key/μs: 2,280 years
  • 10^6 chips: 20 hours (Diffie-Hellman, 1977)
An EFF team broke DES (January 1999)
• Time: 22 hours and 15 minutes
• "Deep Crack" supercomputer and 100,000 PCs
• 256 billion keys/second
NSA will not recertify DES
Escrowed Encryption Std. (EES)
• Developed by NSA (1980s) to allow "legal" wiretapping
• AT&T encrypted telephone devices (1993)
  • Analog → Digital → Encrypt … Decrypt → Digital → Analog
• A unique key was generated for each session and transmitted
• Unit keys would be split into halves and kept by different escrow agencies
• Law enforcement agents would need court orders to obtain the key halves (using information in the LEAF)
• Sealed encryption device
Clipper Chip
• Skipjack (algorithm)
• Clipper (chip implementing Skipjack and LEAF)
• MOSAIC (program)
• Capstone (cryptographic device with key exchange)
• Tessera (Capstone chip)
• Fortezza (Capstone chip)
• Escrowed Encryption Standard (EES)
Clipper (contd.)
Clipper Message Format (• denotes concatenation)
• S → R: { M }k • { { k }u • { n, a } }f
• LEAF: { { k }u • { n, a } }f
• M: 64-bit block
• k: 80-bit session key (randomly generated and transmitted)
• u: 80-bit unit key (unique to the Clipper unit; held in escrow)
• n: 30-bit unit ID (unique to the Clipper unit)
• a: Escrow authenticator
• f: 80-bit law enforcement key (common to the Clipper family)
Skipjack Algorithm (contd.)
Algorithm Description
• 32 Cycles (with 80-bit Key)
• Cycle Description
  • Rule A (8 Steps) {Decryption: Rule B^-1 (8 Steps)}
  • Rule B (8 Steps) {Decryption: Rule A^-1 (8 Steps)}
  • Rule A (8 Steps) {Decryption: Rule B^-1 (8 Steps)}
  • Rule B (8 Steps) {Decryption: Rule A^-1 (8 Steps)}
• Gk Permutation {Decryption: [Gk]^-1} (4-round Feistel structure)
• F Table (Fixed-byte substitution table)
Skipjack Algorithm (contd.)
Expected to be 36 years before the cost of breaking Skipjack equals the cost of breaking DES today
• Skipjack was classified until 1998
• Abruptly declassified
• Problems still exist
  • Once the unit key (u) is known, all past, present and future transmissions are compromised
  • Knowing the unit key (u) makes it possible to fabricate messages
Advanced Encryption Std. (AES)
Rijndael Algorithm (Daemen and Rijmen, 2000)
• Will become a federal standard by June 2001
• Features
  • A system breaking DES in 1 second would take 149 trillion years to break a 128-bit AES key (smallest key size)
  • Very good performance in hardware and software
  • Wide range of computing environments
  • Variable block and key lengths, and number of cycles
  • Simplicity, low memory requirements, sound design
  • Suitable for ATM, HDTV, B-ISDN, voice, satellite (> 1 Gbit/sec requires dedicated hardware)
AES (contd.)
Design Rationale
• Resistance to all known attacks
• Speed, code compactness, wide range of platforms (including smartcard applications)
• Design Simplicity
• Variable Block (Nb) and Key (Nk) sizes (in 4-byte words); number of rounds Nr:
           Nb = 4    Nb = 6    Nb = 8
  Nk = 4:  Nr = 10   Nr = 12   Nr = 14
  Nk = 6:  Nr = 12   Nr = 12   Nr = 14
  Nk = 8:  Nr = 14   Nr = 14   Nr = 14
AES (contd.)
Details of the AES Algorithm
• Most ciphers use a Feistel structure (some of the bits in intermediate states are simply transposed)
• AES uses three distinct invertible uniform transformations (layers)
  • Linear mixing layer (high diffusion)
  • Parallel S-boxes (nonlinearity)
  • Key addition
• AES Algorithm
  • ByteSub
  • ShiftRow
  • MixColumn (not used in the last round)
  • AddRoundKey (XOR of key to state)
Pretty Good Privacy (PGP)
Hybrid Algorithm (Zimmermann, 1995)
• RSA (keys up to 2,047 bits) for key management
• IDEA for data encryption
  • 64-bit plaintext blocks; 128-bit keys; 8 rounds
  • XOR; + (mod 2^16); * (mod 2^16 + 1) S-Box
• MD5 as a one-way hash function
• The user's private key is encrypted using a hashed pass phrase
• Only after the recipient decrypts the message is it known who signed the message
• Web of Trust (no key certification authority)