590 likes | 823 Views
Cryptography. History – Of Cryptography. Pen and Paper Cryptography 2000 B.C. – 1750 AD Examples: Caesar Vigenère Mechanical cipher machines 1750- 1950 Confederate Army ’ s Cipher Disk Japanese Red and Purple Machines German Enigma Modern Computer Cryptography
E N D
History – Of Cryptography • Pen and Paper Cryptography 2000 B.C. – 1750 AD • Examples: Caesar Vigenère • Mechanical cipher machines 1750- 1950 • Confederate Army’s Cipher Disk • Japanese Red and Purple Machines • German Enigma • Modern Computer Cryptography • DES, Rijndael / AES, RSA, ECC, Chameleon,
Crypto Vocabulary Plaintext – A message in its natural format readable by an attacker Ciphertext – Message altered to be unreadable by anyone except the intended recipients Key – Sequence that controls the operation and behavior of the cryptographic algorithm Keyspace– Total number of possible values of keys in a crypto algorithm
Crypto Vocabulary 2 Initialization Vector – Random values used with ciphers to ensure no patterns are created during encryption Cryptosystem – The combination of algorithm, key, and key management functions used to perform cryptographic operations
Cryptosystem Services • Confidentiality • Integrity • Authenticity • Nonrepudiation • Access Control
Types of Cryptography • Asymmetric, and Symmetric • Stream-based Ciphers • Mixes plaintext with key stream • Good for real-time services • Block Ciphers • Substitution and transposition
Encryption Systems • Substitution Cipher • Convert one letter to another • Cryptoquip • Transposition Cipher • Change position of letter in text • Word Jumble • Monoalphabetic Cipher • Caesar
Encryption Systems Polyalphabetic Cipher Vigenère Modular Mathematics Running Key Cipher One-time Pads Randomly generated keys 8
Steganography • Hiding a message within another medium, such as an image • Example • Modify color map of JPEG image • Image of Snowden’s Girlfriend Lindsey Mills that contains encoded Information that is still unknown
Cryptographic Methods • Symmetric • Same key for encryption and decryption • Key distribution problem • Asymmetric • Mathematically related key pairs for encryption and decryption • Public and private keys
Cryptographic Methods • Hybrid • Combines strengths of both methods • Asymmetric distributes symmetric key • Also known as a session key • Symmetric provides bulk encryption • Example: • SSL negotiates a hybrid method
Attributes of Strong Encryption • Confusion • Change key values each round • Performed through substitution • Complicates plaintext/key relationship • Diffusion • Change location of plaintext in ciphertext • Done through transposition
Symmetric Algorithms • DES • 3DES • AES (ECB, CBC, TXC,) • RC4, RC5 • IDEA • Blowfish, TwoFish • Chameleon
E, D: cipher k: secret key (e.g., 128 bits) m, c: plaintext, ciphertextn: nonce (aka IV) Symmetric Encryption Alice Bob m, n D(k,c,n)=m E c, n D E(k,m,n)=c k k
0 1 1 1 1 0 0 0 0 1 0 1 0 1 1 1 0 1 0 1 1 0 0 0 0 1 1 0 0 0 First example: One Time Pad (single use key) • Vernam (1917) • Shannon ‘49: • OTP is “secure” against ciphertext-only attacks Key: Plaintext: Ciphertext:
Stream ciphers (single use key) Problem: OTP key is as long the message Solution: Pseudo random key -- stream ciphers Stream ciphers: RC4 (113MB/sec) , SEAL (293MB/sec) key c PRBG(k) m PRBG message ciphertext
One time key !! “Two time pad” is insecure: C1 m1 PRBG(k) C2 m2 PRBG(k) Eavesdropper does: C1 C2 m1 m2 Enough redundant information in English that: m1 m2 m1 , m2 Dangers in using stream ciphers
E, D: cipher k: secret key (e.g., 128 bits) m, c: plaintext, ciphertext n: nonce (aka IV) Symmetric encryption: nonce (IV) nonce Alice Bob m, n D(k,c,n)=m E c, n D E(k,m,n)=c k k
Use Cases • Single use key: (one time key) • Key is only used to encrypt one message • encrypted email: new key generated for every email • No need for nonce (set to 0) • Multi use key: • Key used to encrypt multiple messages • SSL: same key used to encrypt many packets • Need either unique nonce or random nonce • Multi use key, but all plaintexts are distinct: • Can eliminate nonce (use 0) using special mode (SIV)
Block ciphers: crypto work horse n Bits n Bits E, D PT Block CT Block Key k Bits • Canonical examples: • 3DES: n= 64 bits, k = 168 bits • AES: n=128 bits, k = 128, 192, 256 bits • IV handled as part of PT block
mL mR mR mLF(k,mR) Building a block cipher Input: (m, k) Repeat simple mixing operation several times DES: Repeat 16 times: AES-128: Mixing step repeated 10 times Difficult to design: must resist subtle attacks differential attacks, linear attacks, brute-force, …
Block Ciphers Built by Iteration key k R(k,m): round function for DES (n=16), for AES (n=10) key expansion k1 k2 k3 kn m c R(k1, ) R(k2, ) R(k3, ) R(kn, )
Incorrect use of block ciphers • Electronic Code Book (ECB): • Problem: • if m1=m2 then c1=c2 PT: m1 m2 c2 c1 CT:
Asymmetric Algorithms • Diffie-Hellman • RSA • Elliptic Curve Cryptography (ECC)
Answer in polynomial space may need exhaustive search If yes, can guess and check in polynomial time Answer in polynomial time, with high probability Answer in polynomial time compute answer directly Complexity Classes hard PSpace NP BPP P easy
Example: RSA • Arithmetic modulo pq • Generate secret primes p, q • Generate secret numbers a, b with xab x mod pq • Public encryption key n, a • Encrypt(n, a, x) = xa mod n • Private decryption key n, b • Decrypt(n, b, y) = yb mod n • Main properties • This appears to be a “trapdoor permutation” • Cannot compute b from n,a • Apparently, need to factor n = pq n
Why RSA works (quick sketch) • Let p, q be two distinct primes and let n=p*q • Encryption, decryption based on group Zn* • For n=p*q, order (n) = (p-1)*(q-1) • Proof: (p-1)*(q-1) = p*q - p - q + 1 • Key pair: a, b with ab 1 mod (n) • Encrypt(x) = xa mod n • Decrypt(y) = yb mod n • Since ab 1 mod (n), have xab x mod n • Proof: if gcd(x,n) = 1, then by general group theory, otherwise use “Chinese remainder theorem”.
Textbook RSA is insecure • What if message is from a small set (yes/no)? • Can build table • What if I want to outbid you in secret auction? • I take your encrypted bid c and submit c (101/100)e mod n • What if there’s some protocol in which I can learn other message decryptions?
00..0 01 Message rand. H + G + Plaintext to encrypt with RSA OAEP [BR94, Shoup ’01] Preprocess message for RSA • If RSA is trapdoor permutation, then this is chosen-ciphertext secure (if H,G “random oracles”) • In practice: use SHA-1 or MD5 for H and G Check padon decryption.Reject CT if invalid. {0,1}n-1
Digital Signatures • Public-key encryption • Alice publishes encryption key • Anyone can send encrypted message • Only Alice can decrypt messages with this key • Digital signature scheme • Alice publishes key for verifying signatures • Anyone can check a message signed by Alice • Only Alice can send signed messages
Properties of signatures • Functions to sign and verify • Sign(Key-1, message) • Verify(Key, x, m) = • Resists forgery • Cannot compute Sign(Key-1, m) from m and Key • Resists existential forgery: given Key, cannot produce Sign(Key-1, m) for any random or arbitrary m • true if x = Sign(Key-1, m) • false otherwise
RSA Signature Scheme • Publish decryption instead of encryption key • Alice publishes decryption key • Anyone can decrypt a message encrypted by Alice • Only Alice can send encrypt messages • In more detail, • Alice generates primes p, q and key pair a, b • Sign(x) = xa mod n • Verify(y) = yb mod n • Since ab 1 mod (n), have xab x mod n Generally, sign hash of message instead of full plaintext
Public-Key Infrastructure (PKI) • Anyone can send Bob a secret message • Provided they know Bob’s public key • How do we know a key belongs to Bob? • If imposter substitutes another key, can read Bob’s mail • One solution: PKI • Trusted root authority (VeriSign, IBM, United Nations) • Everyone must know the verification key of root authority • Check your browser; there are hundreds!! • Root authority can sign certificates • Certificates identify others, including other authorities • Leads to certificate chains
Public-Key Infrastructure Known public signature verification key Ka Certificate Authority Certificate Sign(Ka-1, Ks) Ka Ks Sign(Ka-1, Ks), Sign(Ks, msg) Client Server Server certificate can be verified by any client that has CA key Ka Certificate authority is “off line”
Hashing Algorithms • MD5 • Computes 128-bit hash value • Widely used for file integrity checking • SHA-1 • Computes 160-bit hash value • NIST approved message digest algorithm • SHA-256
Birthday Attack • Collisions • Two messages with the same hash value • Based on the “birthday paradox” • Hash algorithms should be resistant to this attack
Message Authentication Codes • Small block of data generated with a secret key and appended to a message • HMAC (RFC 2104) • Uses hash instead of cipher for speed • Used in SSL/TLS and IPSec
Digital Signatures • Hash of message encrypted with private key • Digital Signature Standard (DSS) • DSA/RSA/ECD-SA plus SHA • DSS provides • Sender authentication • Verification of message integrity • Nonrepudiation
Encryption Management • Key Distribution Center (KDC) • Uses master keys to issue session keys • Example: Kerberos • ANSI X9.17 • Used by financial institutions • Hierarchical set of keys • Higher levels used to distribute lower
Public Key Infrastructure • All components needed to enable secure communication • Policies and Procedures • Keys and Algorithms • Software and Data Formats • Assures identity to users • Provides key management features
PKI Components • Digital Certificates • Contains identity and verification info • Certificate Authorities • Trusted entity that issues certificates • Registration Authorities • Verifies identity for certificate requests • Certificate Revocation List (CRL)
PKI Cross Certification • Process to establish a trust relationship between CAs • Allows each CA to validate certificates issued by the other CA • Used in large organizations or business partnerships
Cryptanalysis • The study of methods to break cryptosystems • Often targeted at obtaining a key • Attacks may be passive or active
Cryptanalysis • Kerckhoff’s Principle • The only secrecy involved with a cryptosystem should be the key • Cryptosystem Strength • How hard is it to determine the secret associated with the system?
Cryptanalysis Attacks • Brute force • Trying all key values in the keyspace • Frequency Analysis • Guess values based on frequency of occurrence • Dictionary Attack • Find plaintext based on common words
Cryptanalysis Attacks (statistical) • WORD COUNT PERCENT bar graph • the 53.10 B 7.14% the • of 30.97 B 4.16% of • and 22.63 B 3.04% and • to 19.35 B 2.60% to • in 16.89 B 2.27% in • a 15.31 B 2.06% a • is 8.38 B 1.13% is • that 8.00 B 1.08% that • for 6.55 B 0.88% for LET COUNT PERCENT bar graph E 445.2 B 12.49% E T 330.5 B 9.28% T A 286.5 B 8.04% A O 272.3 B 7.64% O I 269.7 B 7.57% I N 257.8 B 7.23% N S 232.1 B 6.51% S R 223.8 B 6.28% R H 180.1 B 5.05% H L 145.0 B 4.07% L D 136.0 B 3.82% D C 119.2 B 3.34% C U 97.3 B 2.73% U M 89.5 B 2.51% M F 85.6 B 2.40% F P 76.1 B 2.14% P