Cryptography

Cryptography CS 110 Fall 2005

From last class… • Instant messanger systems • Unsafe links on AIM profiles • Requests from “buddies” to open messages containing pictures

Security problems of interest Policies: • confidentiality - protect info content from unwarranted observation • integrity - protect info accuracy • availability - ensure information delivery • authentication - assure identity of user (sender) • non-repudiation - protect from deniability • access control - control access to info/resources Problems that arise in implementation:

Attacks • interception - of information-traffic, breaches confidentiality • interruption - of service, availability • modification - of information, i.e. loss of integrity • fabrication - of information, destroys authenticity

Response? • identify key assets • evaluate threat posed to assets • implement suitable countermeasures • manage implementation • cryptography is a key technology • Note – not a “perimeter defense” technology

What’s cryptography • cryptography is the study of secret (crypto-) writing (-graphy) • concerned with developing algorithms to: • conceal the content of a message from all except the sender & recipient (secrecy or confidentiality) • verify the correctness of a message or its sender to the recipient (integrity & authentication)

A few terms • cryptography • the art or science of transforming an intelligible message into one that is unintelligible, and then transforming that message back to original form • plaintext • the original intelligible message • ciphertext • the transformed message

A few terms • key • critical (secret) information used in the cipher & known only to the sender & receiver • Symmetric – shared • Asymmetric – public/private

Transformations • code • an algorithm for transforming an intelligible message into an unintelligible message using a code-book • encryption • applying a mathematical function mapping plaintext to ciphertext using the specified key: C = EK(P)

A few terms • cryptanalysis (codebreaking) • the study of methods for transforming an unintelligible message back into an intelligible message without knowledge of the key

Steganography • embed message in innocuous setting My Special Friend, Our speaker today in class today is exciting, & I know that the next speaker is even better. I need to report to you that next class is the mid-term exam. Well, there is only one mid-term! YEAH!!! Well that is it for now. ………...

Two crypto techniques Permutation Substitution

“Staff” cipher • an early Greek transposition cipher: • cut a narrow strip of paper long enough to write message • wind it around a staff so that adjacent edges abut • write message horizontally down the shaft with a character on each wrapping • unwind • Result: long sequence of seemingly random letters

The ole alternation trick write message letters on alternate rows read off cipher by row Plain = “I CAME I SAW I CONQUERED” Plain: I A E S W C N U E C M I A I O Q R D Cipher: IAESW CNUE CMIAI OQRD

The ole structured patterns trick write message letters as a matrix read off cipher by some pattern Plain: I C A M E I S A W I C O N Q U E R D A B Cipher: diagonals, concentric circle, in and out, etc

The ole mirror trick write the message backwards Plain: I CAME I SAW I CONQUERED Cipher: DEREU QNOCI WASIE MACI ………and speaking of J. Caesar

Two crypto techniques Permutation Substitution

Caesar cipher - substitution cipher • Julius Caesar invented to transmit military information -- 2000 years ago • Map each letter to another -- fixed offset -- called the translation alphabet Alphabets: Plain: A B C D E F G H I J K L M N O P Q R S T U Cipher: E F G H I J K L M N O P Q R S T U V W X Y CipherText: W TI G M E P W T I E O I V G S Q M R K

Caesar cipher - substitution cipher • Julius Caesar invented to transmit military information -- 2000 years ago • Map each letter to another -- fixed offset -- called the translation alphabet Alphabets: Plain: A B C D E F G H I J K L M N O P Q R S T U Cipher: E F G H I J K L M N O P Q R S T U V W X Y CipherText: W TI G M E P W T I E O I V G S Q M R K P = S P E C I A L S P EA K E R C O M I N G

Cryptanalysis – break Caesar cipher • check out brute force cryptanalysis of a Caesar cipher • What is the Key? • What is the Key size?

Mono-alphabetic Substitution • Use any permutation of the 26 alphabetic characters • 26! (i.e. 4 x 1026) possible keys • Non-trivial number of options • But, regularities of the language give clues • English, German, Hebrew, Russian – have different characteristics in terms of letter usage

Language regularities • can base cryptanalysis on frequency of letter occurrence • E is most frequent, then • T, R, I, N, O, A, S, then ….. • rarely are J, K, Q X Z used • E is 25 times more frequent than Q • Strategy (for a “long enough” message) is to guess at letter value based on frequency of appearance in ciphertext

Language regularities - example Ceasar (Mono alphabetic substitution) Alphabets: Plain: A B C D E F G H I J K L M N O P Q R S T U Cipher: E F G H I J K L M N O P Q R S T U V W X Y CipherText: W TI GM E P W T I E O I V G S Q M R K P = S P E C I A L S P EA K E R C O M I N G P = S P E C I A L S P EA K E R C O M I N G

Data Encryption Standard (DES) • Developed by IBM in 1970s • Sold to Lloyds of London • US Nat’l Bureau of Standards requested a national cipher standard • National Security Administration (NSA) worked with IBM to refine it • Adopted in 1977 by Nat’l Bureau of Standards

Key Property • Avalanche • Small change in plaintext or in key produces significant change in cipertext • Change one bit of plaintext and about half the ciphertext bits will change

DES Status • No weak points have surfaced • DES is widely used • 1994, Nat’l Institute of Standards and Technology reaffirmed its use for federal use • Recommended for all but “classified”

DES key length • Increased computing has made a 56-bit key susceptible to exhaustive key search • 1997 – a few months were needed by a large network (70,000) of computers to break DES. $10,000 prize claimed • 1998 – Electronic Frontier Foundation broke DES in a few days • 1999 – A break accomplished in 22 hours • DES with larger keys is still used and it works well

Public Key Encryption • Alice wishes to communicate a secret message to Bob • Bob will then reply

Symmetric Key System • Alice and Bob have common knowledge of a single key • Alice puts message in box and locks with a padlock for which she has a key • She sends the box to Bob in regular mail • Bob has identical copy of Alice’s key and uses it to open the box • He uses same padlock for sending his response back to Alice

Symmetric Key Risks • How are the keys distributed? • Through mail? • Stolen/copied in the mail? • If key is stolen/copied, all communications are (unknowingly) compromised • All participants must synchronize and get a new key

Asymmetric Public Key • Bob and Alice have separate padlocks • Alice asks Bob to send his open padlock to her through regular mail • Alice uses Bob’s lock to secure the box containing her message and she mails it to Bob • Upon receiving the box, Bob uses his key to unlock it

Advantages of Asymmetric Public Key • No need to send keys to one another • Third party cannot copy key while in transit • One stolen key only compromises part of the communication

Public-key Encryption • It’s annoying for Bob to send his padlock to Alice • Instead, Bob sends instructions for how Alice can build a padlock that will only be open-able by Bob • Note these instructions cannot give away secret of Bob’s key

Public-key Encryption • Alice has two keys (strings of letters) • Public key that she freely shares with the world • Private key that only she knows • Messages encrypted with Alice’s public key are only decipherable by Alice’s private key

Public-key Encryption • Alice can send message encrypted using her private key • Bob can decode message using Alice’s public key • Bob is assured message he reads was authored by Alice

Is Public Key Crypto Secure? • A 128 bit key would be a number between 1 and 340,282,366,920,938,000,000,000,000,000,000,000,000 • How many prime numbers are between 1 and this number? • approximately n / ln(n) which is about 2^128 / ln( 2^128 ) = 3,835,341,275,459,350,000,000,000,000,000,000,000 • How long would it take to find all of these prime numbers if you could calculate one trillion of these numbers per second? • More than 121,617,874,031,562,000 years (i.e., about 10 million times longer than the universe has existed so far.) • Reference: http://www.livinginternet.com/?i/is_crypt_pkc_inv.htm • Answer – Yes, but know its limitations (e.g. plaintext attacks, block sizes, etc.)

Weakness of Public-key System • Man-in-the-middle Attack • Communication of Alice’s public key is intercepted and changed to a new public key that matches interceptors private key • Interceptor decodes the message to read it and re-encodes it using Alice’s public key before sending on to her Trusted key distribution

Trusted Key Distribution • Companies exist to manage key distribution • Microsoft “offered” to do this with a system called Passport • Business model… Microsoft creates a standard for secure communication and sets prices at monopolist levels

Trusted Key Distribution • US Government • Do you trust them? • They are very interested in having the power to control keys so they can listen to any message

Trusted Key Distribution • RSA: Rivest, Shamir, Adelman • Verisign • PGP: Pretty Good Privacy

RSA inventors offered $100 reward for finding a plaintext sentence enciphered via RSA public key had 129 decimal digits (~ 428 bits) RSA predicted 40 quadrillion years was needed 1994 -- a group claimed the prize after 8 months of work (1600 computers used) Breaking RSA

Security and the Web • HTTPS • Uses port 443 (not 80) • Security protocol is determined by your browser and the server • Online vendors may establish contract with Verisign to handle security • A form of public-key encryption secures the transaction

Review • Adware • Viruses • Worms

Review • Email Spoofing • falsified sender • Email Phishing • obfuscate HTML to trick you into submitting private info through deceptive web pages

Review • Openness in desktop computers • You permit lots of programs to read/write data to your hard drive and memory • Computer “listens” for packets on many ports of its internet connection • http, itunes, email, IM, homeDir, … • Programs that monitor the ports for packets are supposed to be failsafe • Flaws are discovered and exploited

November 8, 2005 Three image-rendering flaws in the Windows OS could put millions of Internet-connected users at risk of PC takeover attacks. The flaws could be exploited by any software that displays images, including … Outlook, Word, and Internet Explorer. http://www.eweek.com/article2/0,1895,1883850,00.asp

November 8, 2005 The bugs are considered particularly dangerous because users could be at risk merely by browsing to a malicious rigged site with rigged image files, or by displaying images in the preview pane of an e-mail program

November 8, 2005 Any program that renders WMF or EMF images on the affected systems could be vulnerable to this attack. An attacker who successfully exploits this vulnerability can take complete control of an affected system

Cryptography

Cryptography

Presentation Transcript

Cryptography

Cryptography

Cryptography

Cryptography

Cryptography

CRYPTOGRAPHY

Cryptography

Cryptography

CRYPTOGRAPHY

Cryptography

Cryptography

Cryptography

Cryptography

Cryptography

Cryptography

Cryptography

Cryptography

Cryptography

Cryptography

Cryptography

Cryptography