Chapter 3
Cryptography – Algorithms and Protocols
Stallings Chp. 2,19,20, App. A,B
Prof. Ehud Gudes Security Ch3

Definitions
• Cryptography is the study of message concealment.
• Cryptanalysis is the study of how to discover the encrypted message.
• Cryptanalysis is difficult and requires good mathematical knowledge, so you don’t see many hackers trying to break codes. The equivalent to hackers are now scientists employed by a government or organized crime.

Cryptography Value
• Authentication – can authenticate the identity of users, transactions, and systems.
• Protection of messages – can protect the secrecy of a message and prevent illegal modification. Cannot protect against destruction of the message.
• Protection of software and data – can protect their confidentiality, although it cannot prevent their destruction. For example: passwords can be encrypted.

Cryptography Value II
• Digital signatures – can authenticate the origin of a message
• Non-repudiation – A user that signed or otherwise authenticated a document using cryptography cannot deny having signed it.

Notation
• M, P - Messages - Plain text, clear text.
• C - Cipher text.
• K - Key.
• E - the encryption function: C=Ek(M)
• D - the decryption function: M=Dk’(C)
• For any key pair K,K’ and for any message M: M=Dk’(Ek(M))

Cryptography – the Process
Classification
• Number of keys used: symmetric (one key) and asymmetric (encryption and decryption keys, these are the public-key systems). Neither approach is the best for all cases.
• Type of encrypting operations: Symmetric systems use substitution and transposition stages. Substitutions just replace a bit or character with another. Transpositions rearrange bits or characters in the data. Product ciphers are combinations of substitutions and transpositions. Public key systems are based on invertible mathematical functions.

Classification II
• The way the plaintext is encrypted: block and stream ciphers. In a block cipher a block of data is transformed, using a key, into a block of ciphertext.
• In a stream cipher a stream of key bits is used to encode a stream of data one bit or character at a time. Block ciphers are more appropriate for use within computers, while stream ciphers are seen mostly in communications.

Main Principle of Cryptography
The secret is in the KEY, not in the Algorithm!!

Attacks
• Ciphertext only
• Known plaintext
• Chosen plaintext
• Chosen ciphertext
• Chosen text

Types of Attacks on Cryptographic Algorithms
Attacks are classified by the information available to the attacker. We assume that the attacker has access to the algorithm and, in addition, knows its internal structure.
• Cipher text only attack
  • The attacker holds a set of encrypted messages.
  • Goal: find the corresponding plaintext messages and/or the encryption key.
  • Assumption: a statistical characterization of the messages exists.

Types of Attacks on Cryptographic Algorithms (continued)
• Known plain text attack
  • The attacker holds a set of pairs (P,C).
  • Goal: find the encryption key.
  • Example: exhaustive search.
• Chosen plain text attack
  • The attacker chooses the set of messages {P} and obtains the corresponding encrypted messages {C}.
  • Goal: find the encryption key.
  • Example: differential cryptanalysis.

Types of Attacks on Cryptographic Algorithms (continued)
• Adaptive chosen plain text attack.
  • The attacker builds the set of pairs (P,C) gradually. He can choose the next message P based on the results of the previous encryptions.
  • Goal: find the encryption key.

Caesar Cipher
The rule: Ci = E(pi) = pi + 3
A full translation chart of the Caesar cipher is shown here.
Plaintext   A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
Ciphertext  d e f g h i j k l m n o p q r s t u v w x y z a b c
Using this encryption, the message
TREATY IMPOSSIBLE
would be encoded as:
T R E A T Y   I M P O S S I B L E
w u h d w b   l p s r v v l e o h

Table of Letter Frequencies
Table 2-1 Letter Frequency Distributions in English and Pascal

         English            Pascal
Letter   Count   Percent    Count   Percent
a        3312     7.49       664     4.70
b         573     1.29       197     1.39
c        1568     3.54       878     6.22
d        1602     3.62       511     3.61
e        6192    14.00      1921    13.60
f         966     2.18       504     3.57
g         769     1.74       294     2.08
h        1869     4.22       478     3.39
i        2943     6.65      1215     8.60
j         119     0.27         6     0.04
k         206     0.47        87     0.61
l        1579     3.57       722     5.11
m        1500     3.39       270     1.91
n        2982     6.74      1157     8.19
o        3261     7.37       835     5.91
p        1074     2.43       340     2.41
q         116     0.26        12     0.08
r        2716     6.14      1147     8.12
s        3072     6.95       594     4.21
t        4358     9.85      1311     9.28
u        1329     3.00       377     2.66
v         512     1.16       127     0.89
w         748     1.69       193     1.36
x         123     0.28       139     0.98
y         727     1.64       137     0.96
z          16     0.04         5     0.03

Monoalphabetic Cipher
Take for example the key: SHARON
A B C D E F G H I J K L M N O P Q R S T
S H A R O N B C D E F G I J K L M P Q S

Counts and relative frequencies of letters in the cipher
Table 2-3 shows the counts and relative frequencies of letters in the cipher examined in the previous section (in [P]):
Wklv phvvdjh lv qrw wrr kdug wr euhdn

Table 2-3 Frequencies of Letters in wklv… Cipher

Letter   Count   Percent
w        4       13.33
k        2        6.66
l        2        6.66
v        4       13.33
p        1        3.33
h        3       10.00
d        3       10.00
j        1        3.33
q        1        3.33
r        4       13.33
e        1        3.33
u        2        6.66
g        1        3.33
n        1        3.33

Monoalphabetic cipher – Example for Cryptanalysis
QMC MEPQJOY JH QMC GAQEJGAD PCTROEQY ANCGTY EP PMOJRICI EG PCTOCTY CUCG EQP SRINCQ EP TDAPPEHECI
The simplest effective attack on a monoalphabetic cipher is the use of frequencies in natural languages: single letters, bigrams/trigrams, small words, end/beginning of words, etc. We’ll only consider English here. We’ll use some empirical facts about single-letter frequencies, as well as knowledge about common English words. Again, the most common single letters in English are e and t, with all others considerably less frequent. Thus, to attack a cryptogram, first do an accounting of the most common letters in the ciphertext. For example in:
QCIV XY KEO JLYYW JBRO XN KEO JKGOOK. TOK SO KX KEO AELGAE XY KBSO. KEO NBJE CGO MLSDBYT CYR KEO AXKKXY BJ EBTE. XLG JKCKO NCBG BJ KEO HOJK JKCKO NCBG.
We find, ranked by order of frequency of appearance, K-15, O-13, E-9, B-7, J-7, C-6, X-6, Y-6, G-5, L-3, N-3, A-2, S-2, T-2, R-1.7 with D, H, I, M, Q, V, W occurring much less often

Monoalphabetic cipher – Example for Cryptanalysis (Cont.)
Thus, we would imagine that ‘K’ is either ‘e’ or ‘t’, and perhaps ‘O’ is the other of the two. Trying first K=e and O=t, we have (in part)
QCIV XY eEt JLYYW JBRt XN eEt JeGtte. Tte St eX eEt AELGAE XY…
The ‘Tte’ in the second sentence immediately raises a problem: it seems unlikely that ‘T’ can be anything that would make this a word that could begin a sentence. So try K=t and O=e instead:
QCIV XY tEe JLYYW JBRe XN tEe JtGeet. Tet Se tX tEe AELGAE XY tBSe. tEe NBJE CGe MLSDBYT CYR tEe AXttXY BJ EBTE. XLG JtCte NCBG BJ tEe HeJt JtCte NCBG
The ‘tEe’ suggests E=h, the ‘tX’ suggests X=o, and then ‘XY’ suggests Y=n. This gives:
QCIV on the JLnnW JBRe oN the JtGeet. Tet Se to the AhLGAh on tBSe. the NBJh CGe MLSDBnT CnR the Aotton BJ hBTh. oLG JtCte NCBG BJ the HeJt JtCte NCBG.

Monoalphabetic cipher – Example for Cryptanalysis (Cont.)
The ‘Tet Se to the’ suggests ‘get me to the’, so T=g and S=m, and ‘JtGeet’ could be ‘street’, so J=s, G=r:
QCIV on the sLnnW sBRe oN the street. get me to the AhLrAh on tBme. the NBsh Cre MLmDBng CnR the Aotton Bs hBgh. oLr stCte NCBr Bs the Hest stCte NCBr.
The ending on ‘MLmDBng’, and also ‘Bs hBgh’, suggest B=i. Also the ‘oLr’ suggests L=u. Rewrite:
QCIV on the sunnW siRe oN the street. Get me to the AhurAh on time. the Nish Cre MumDing CnR the Aotton is high. our stCte NCir is the Hest stCte NCir.
Then ‘sunnW siRe oN’ suggests W=y, R=d, and N=f:
QCIV on the sunny side of the street. get me to the AhurAh on time. the fish Cre

Poly-alphabetic Cipher – using Vigenère Table
letter (B) is converted to the ciphertext letter in row 1 (B), column 9 (j), in this tableau. The letter in that position is k. The encryption of this message starts as shown below.
julie tjuli etjul ietju lietj uliet julie tjuli
BUTSO FTWHA TLIGH TTHRO UGHYO NDERW INDOW BREAK
koeas ycqsi …
With a six-letter keyword such as juliet this algorithm effectively spreads the effect of the frequency of each letter onto six others, which flattens the distribution substantially. Long keywords can be used, but a keyword of length three usually suffices to smooth out the distribution

Polyalphabetic cipher – finding the key length
The Dickens It was the best of times… example has much repetition so it demonstrates this argument quickly. Suppose the keyword is dickens.
dicke nsdic kensd icken sdick ensdi ckens dicke
ITWAS THEBE STOFT IMESI TWAST HEWOR STOFT IMESI
nsdic kensd icken sdick ensdi ckens dicke nsdic
TWAST HEAGE OFWIS DOMIT WASTH EAGEO FFOOL ISHNE
kensd icken sdick ensdi ckens dicke nsdic kensd
SSITW ASTHE EPOCH OFBEL IEFIT WASTH EEPOC HOFIN
The phrase IT WAS THE is enciphered with keyword nsdicken once in the first line and twice in the third line. These three cases all appear as identical 8-character patterns in the ciphertext.

Kasiski Method – Finding the Key Length in Poly-Alphabetic Ciphers

Starting Position   Distance from Previous   Factors
20
83                  63 (83-20)               3, 7, 9, 21, 63
104                 21 (104-83)              3, 7, 21

From this short example, we may guess that a keyword of 21 is improbable. Thus the key length is probably either 3 or 7. With more repeats you could reduce the number of possibilities for key length. Let us continue with the key length possibilities of 3 and 7.
For the Kasiski method, the steps are
1. Identify repeated patterns of three or more characters.
2. For each pattern write down the position at which each instance of the pattern begins.
3. Compute the difference between the starting points of successive instances.
4. Determine all factors of each difference.
5. If a polyalphabetic substitution cipher was used, the key length will be one of the factors that appears often in step 4.
6. Once the key length is known, use mono-alphabetic techniques

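Steps 1 to 5 above, run on the Dickens passage enciphered with the keyword dickens, as an added Python example that is not part of the original slides. The function names are assumptions, and the plaintext is the slide's passage retyped as constructed input.

```python
from collections import Counter, defaultdict

# Constructed input: the Dickens passage from the slide, spaces removed.
PLAINTEXT = ("ITWASTHEBESTOFTIMESITWASTHEWORSTOFTIMESITWASTHEAGEOFWISDOM"
             "ITWASTHEAGEOFFOOLISHNESSITWASTHEEPOCHOFBELIEFITWASTHEEPOCHOFIN")
KEYWORD = "dickens"

def vigenere_encrypt(plaintext, keyword):
    """c_i = p_i + k_(i mod len(keyword)) mod 26, with A = 0."""
    out = []
    for i, ch in enumerate(plaintext.upper()):
        shift = ord(keyword[i % len(keyword)].upper()) - 65
        out.append(chr((ord(ch) - 65 + shift) % 26 + 65))
    return "".join(out)

def repeated_patterns(ciphertext, length):
    """Steps 1-2: map each repeated pattern to its 1-based start positions."""
    seen = defaultdict(list)
    for i in range(len(ciphertext) - length + 1):
        seen[ciphertext[i:i + length]].append(i + 1)
    return {p: pos for p, pos in seen.items() if len(pos) > 1}

def factors(n):
    """Step 4: all factors of n greater than 1."""
    return [f for f in range(2, n + 1) if n % f == 0]

def key_length_votes(ciphertext, min_len=3):
    """Steps 3-5: count how often each factor divides a gap between repeats."""
    votes = Counter()
    for positions in repeated_patterns(ciphertext, min_len).values():
        for prev, cur in zip(positions, positions[1:]):
            votes.update(factors(cur - prev))
    return votes

if __name__ == "__main__":
    ct = vigenere_encrypt(PLAINTEXT, KEYWORD)
    # Each 8-character repeat with its positions and successive distances.
    for pattern, pos in repeated_patterns(ct, 8).items():
        print(pattern, pos, [b - a for a, b in zip(pos, pos[1:])])
    # Factors that divide the most gaps are the key-length candidates.
    print(key_length_votes(ct).most_common(5))
```
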
VERNAM Cipher
Vernam Cipher
For example, the binary number
101101100101011100101101011100101
can be encoded with the random binary stream
101111011110110101100100100110001
to produce the following ciphertext
000010111011101001001001111010100

Vernam Cipher - Cryptanalysis
The problem with this form of random number generator is its dependability. Because each number depends only on the previous number, you can determine constants by solving a series of equations.
r1 = a * r0 + b mod n
r2 = a * r1 + b mod n
r3 = a * r2 + b mod n
An interceptor who has r0, r1, r2 and r3 can solve for a, b, and n. An interceptor can get r0, r1, r2 and r3 by a probable word attack. With a Vernam cipher, each ciphertext letter comes from the formula
ci = ri + pi mod n
If an interceptor of the ciphertext guesses that the message starts with MEMO (M = 12, E = 4, O = 14), the interceptor can try to substitute probable values of pi and solve for values of ri.

Vernam Cipher (Cont.) r0 = c0 – 12 mod n r1 = c1 – 4 mod n r2 = c2 – 12 mod n r3 = c3 – 14 mod nWith these values of r0 to r3, the interceptor may be able to solve the three equations for a, b, and n. Given those, the interceptor can generate the full sequence of random numbers and obtain plaintext directly. Prof. Ehud Gudes Security Ch3
Vernam Cipher – a weakness
• If we know both a message M and the cipher C, we would like the computation K = f(M,C) to be difficult
• In Vernam f is very easy: it’s also an XOR!

Pseudorandom versus Random Numbers
• often use algorithmic technique to create pseudorandom numbers
  • which satisfy statistical randomness tests
  • but likely to be predictable
• true random number generators use a nondeterministic source
  • e.g. radiation, gas discharge, leaky capacitors
  • increasingly provided on modern processors

Permutation Cipher
As an example, you would write the plaintext message as:
T H I S I
S A M E S
S A G E T
O S H O W
H O W A C
O L U M N
A R T R A
N S P O S
I T I O N
W O R K S
The resulting ciphertext would then be read as
tssoh oaniw haaso lrsto imghw utpir seeoa mrook istwc nasns

Finding the Column Positions in Permutation Cipher
Improvement - The empty holes method
[Figure: the ciphertext columns “t s s o h o a n i w” and “h a a s o l r s t o” shown at successive relative offsets]

Product Ciphers
1. Although substitution ciphers and permutation ciphers alone are quite easy to break, their combination is quite a strong cipher!
2. This was the basis of most classical ciphers like the Enigma machine of World War II (see book by Sing…)
3. It’s also the basis for the DES cipher

Shannon’s Principles for a Good Cipher
1. The amount of secrecy needed should determine the labor required for encryption/decryption.
2. The keys and ciphering algorithm should be “free” from complexity.
3. The implementation of the cipher algorithm should be simple and effective.
4. Errors in ciphering should not propagate to the entire message.
5. The size of the enciphered text should not be much larger than the size of the clear text.

Shannon’s Theory
Shannon’s Theory
A system has perfect secrecy if, by intercepting the ciphertext, nothing can be learned about the original message, i.e.
H(M|C) = H(M)
A Perfect Cipher

Shannon’s Theory (1949)
Confusion – a complex functional relationship between the Key, Plain-text and Cipher-text.
Diffusion – Information from one plain bit is diffused over all bits of the cipher (block).

Unicity Distance Key equivocation Hc(K) = P(c) Pc(K) log2 Pc(K) – prob. of K given C. Hc(K) = H(K) means the cipher is (theoretically) breakable Unicity Distance = where D is the Language Redundancy – the number of characters required to break the cipher (theoretically)
Perfect Cipher
Let M={M1,M2,…,Mn} be the set of all possible messages, and C={C1,C2,…,Cn} the set of all the corresponding encrypted messages. A cipher is perfect if for every i,j
p(Mi|Cj)=p(Mi)
• Knowing the ciphertext adds no knowledge about the original text
• A perfect cipher is immune to Known Cipher text attacks

It can be proved that in a perfect cipher the number of keys is greater than or equal to the number of messages.
• The only perfect cipher is the One-Time Pad: every message is encrypted with a different random key
• The message is encrypted by XORing it with the key

An encryption algorithm is said to be Unconditionally Secure if, given infinite resources and an infinite number of pairs of plaintext and encrypted messages, it is not possible, given the encryption of the next message, to find the plaintext message that corresponds to it.
• The one-time pad is the only encryption algorithm that is Unconditionally Secure

Computational Security
• An encryption algorithm is called Computationally secure if in practice it is very hard to recover the original text given the ciphertext
• Since the only perfect encryption algorithm is the One-time pad, any encryption algorithm can be broken given a sufficient amount of computing power and time
• For all known cryptographic algorithms, no lower bounds are known on the number of operations required to break them

The Strength of an Encryption Algorithm (Shannon)
• The work factor of an encryption algorithm is the time required to break it: finding a message or finding the key given the Cipher text
• The work factor is measured in the time and money that must be invested in breaking the algorithm
• In practice, the work factor is the measure of the strength of an encryption algorithm

Stream and block Ciphers
• Encryption functions take inputs of fixed length
• To encrypt a message M whose length exceeds the input length of the encryption function, M is divided into blocks whose length equals the input length of the encryption function (padding is applied if necessary). Each block is encrypted separately
• We distinguish between two kinds of ciphers: Block ciphers and Stream ciphers

Block Ciphers
• Let M be the input message, M=M1M2…Mn
• Encryption is performed by Ci=Ek(Mi…)
• Every block is encrypted in the same way, using the same key.
• In the general case, the input may be a function of all the preceding blocks in the message, but the key stays fixed.
• The input block length must be large enough that an Exhaustive search cannot be carried out

Stream ciphers
• The encryption (and decryption) key changes. Encryption is performed with a Key stream
• The key stream may be a function of the preceding blocks, of the block number, and of an input key
• Stream ciphers usually operate on blocks of small length (single bits or bytes).
• In some stream ciphers, encryption is done by XORing the input message with the Key stream

Block Ciphers versus Stream ciphers
• As noted, stream ciphers often work on small units of input. This makes them better suited to implementation in hardware than in software
• Block ciphers usually work on input units that are multiples of 32 bits (a word)
• Stream ciphers are usually faster than block ciphers.
• Today, block ciphers are more widely used

ECB - Electronic Code Book
[Diagram: message blocks M0, M1, ..., Mn each pass through ENC with key K, giving C0, C1, ..., Cn]

CBC - Cipher Block Chaining
[Diagram: an IV and message blocks M0, M1, ..., Mn pass through ENC with key K, giving C0, C1, ..., Cn]