Computer Security: Cryptography – an introduction
Encryption
[Figure: plaintext x → encryption (key $K_E$) → ciphertext y → decryption (key $K_D$) → original plaintext x; an eavesdropper sits on the channel.]
Encryption
A cryptosystem involves
• an encryption algorithm E, and
• a decryption algorithm D.
Both algorithms make use of a key. Let $K_E$ be the encryption key and $K_D$ the decryption key. For symmetric cryptosystems the same key is used for both encryption and decryption: $K_E = K_D$.
Encryption
If P is the plaintext message and C the ciphertext, then for symmetric cryptosystems: $C = E(K, P)$ and $P = D(K, E(K, P)) = D(K, C)$.
For an asymmetric cryptosystem: $C = E(K_E, P)$ and $P = D(K_D, E(K_E, P)) = D(K_D, C)$.
Kerckhoffs’ assumption
The adversary knows all details of the encrypting function except the secret key.
Symmetric key encryption
There are two types of cipher systems:
• Stream ciphers,
• Block ciphers.
Stream ciphers
[Figure: encryption under key $K_E$ turns the plaintext stream x = ISSOPMI into the ciphertext stream y = wdhuvad.]
Block ciphers
[Figure: encryption under key $K_E$ turns the plaintext blocks x = XNE OIG TPH YRK … into the ciphertext blocks y = wdm hut vap dgd …]
Block ciphers: An overview of the DES Algorithm
DES is an iterated block cipher with
• 16 rounds,
• block length 64 bits and
• key length 56 bits.
Iterating Block ciphers
1. Iterated block cipher: random (binary) key K → round keys $K_1, \ldots, K_{Nr}$.
2. Round function g: $w_r = g(w_{r-1}, K_r)$, where $w_{r-1}$ is the previous state.
Iterated cipher …
Encryption operation:
$w_0 \leftarrow x$ (x = plaintext)
$w_1 = g(w_0, K_1)$,
$w_2 = g(w_1, K_2)$,
…
$w_{Nr} = g(w_{Nr-1}, K_{Nr})$,
$y \leftarrow w_{Nr}$ (y = ciphertext)
Iterated cipher …
For decryption we must have: $g(\cdot, K)$ must be invertible for all K.
Then decryption is the reverse of encryption (bottom-up).
Data Encryption Standard
DES is a special type of iterated cipher called a Feistel cipher.
• Block length 64 bits
• Key length 56 bits
• Ciphertext length 64 bits
DES
The round function is: $g([L_{i-1}, R_{i-1}], K_i) = (L_i, R_i)$, where $L_i = R_{i-1}$ and $R_i = L_{i-1} \oplus f(R_{i-1}, K_i)$.
Inner function f
Combine 32 bit input and 48 bit key into 32 bit output:
• Expand 32 bit input to 48 bits
• XOR the 48 bit key with the expanded 48 bit input
• Apply the S-boxes to the 48 bit input to produce 32 bit output
• Permute the resulting 32 bits
S Boxes
• There are 8 different S-boxes, 1 for each chunk
• S-box process maps 6 bit input to 4 bit output
• S box performs substitution on 4 bits
• There are 8 possible substitutions in each S box
• Inner 4 bits are fed into an S box
• Outer 2 bits determine which substitution is used
Decrypting DES
• DES (and all Feistel structures) is reversible through a “reverse” encryption because:
• No input data is mangled and passed to the output
• The properties of XOR
• S-boxes are not reversible (and don't need to be)
• Everything needed (except the key) to produce the input to the (n-1)th step is available from the output of the nth step.
• The input to the nth step is the output of the (n-1)th step.
• Work backwards to step 1.
Attacks on DES
• Brute force
• Linear Cryptanalysis -- Known plaintext attack
• Differential cryptanalysis
• Chosen plaintext attack
• Modify plaintext bits, observe change in ciphertext
No dramatic improvement on brute force
Countering Attacks
• Large keyspace combats brute force attack
• Triple DES (say EDE mode, with usually 2 keys)
• Use AES
Modes of operation
Four basic modes of operation are available for block ciphers:
• Electronic codebook mode: ECB
• Cipher block chaining mode: CBC
• Cipher feedback mode: CFB
• Output feedback mode: OFB
Electronic Codebook mode, ECB
Each plaintext block $x_i$ is encrypted with the same key K: $y_i = e_K(x_i)$. So, the naïve use of a block cipher.
ECB
[Figure: ECB mode, each plaintext block x1 … x4 passes through its own DES box to give y1 … y4.]
Cipher Block Chaining mode, CBC
Each cipher block $y_{i-1}$ is XOR-ed with the next plaintext block $x_i$ before being encrypted to get the next ciphertext block $y_i$: $y_i = e_K(y_{i-1} \oplus x_i)$. The chain is initialized with an initialization vector $y_0 = IV$ whose length is the block size.
CBC
[Figure: CBC mode, showing IV, XOR (+), DES boxes, plaintext blocks x1 … x4 and ciphertext blocks y1 … y4.]
Cipher and Output feedback modes (CFB & OFB)
CFB: $z_0 = IV$ and recursively $z_i = e_K(y_{i-1})$ and $y_i = x_i \oplus z_i$
OFB: $z_0 = IV$ and recursively $z_i = e_K(z_{i-1})$ and $y_i = x_i \oplus z_i$
CFB mode
[Figure: CFB mode, showing IV, encryption $e_K$, XOR (+), plaintext blocks x1, x2 and ciphertext blocks y1, y2.]
OFB mode
[Figure: OFB mode, showing IV, encryption $e_K$, XOR (+), plaintext blocks x1, x2 and ciphertext blocks y1, y2.]
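The Feistel reversibility argument from the DES slides and the ECB and CBC definitions above, combined in one added example that is not part of the original slides. It uses a toy 64-bit Feistel cipher (not DES; the SHA-256-based round function `f` and key schedule `round_keys` are assumptions for illustration) whose round function is not invertible, yet decryption works by running the same network with the round keys reversed.

```python
import hashlib

BLOCK = 8  # bytes: a 64-bit block as in DES (this toy cipher is NOT DES)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def f(right, k):
    # Round function: a truncated hash, deliberately not invertible.
    return hashlib.sha256(k + right).digest()[:BLOCK // 2]

def round_keys(key, rounds=16):
    # Constructed key schedule (an assumption): one derived key per round.
    return [hashlib.sha256(key + bytes([i])).digest() for i in range(rounds)]

def feistel(block, keys):
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for k in keys:          # L_i = R_{i-1}, R_i = L_{i-1} XOR f(R_{i-1}, K_i)
        left, right = right, xor(left, f(right, k))
    return right + left     # final swap lets the same code decrypt

def encrypt_block(block, key):
    return feistel(block, round_keys(key))

def decrypt_block(block, key):
    return feistel(block, round_keys(key)[::-1])  # same network, keys reversed

def split(data):
    if len(data) % BLOCK:
        raise ValueError("example handles whole blocks only (no padding)")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(pt, key):
    return [encrypt_block(x, key) for x in split(pt)]   # y_i = e_K(x_i)

def cbc_encrypt(pt, key, iv):
    out, prev = [], iv
    for x in split(pt):
        prev = encrypt_block(xor(prev, x), key)         # y_i = e_K(y_{i-1} XOR x_i)
        out.append(prev)
    return out

def cbc_decrypt(blocks, key, iv):
    out, prev = [], iv
    for y in blocks:
        out.append(xor(decrypt_block(y, key), prev))    # x_i = d_K(y_i) XOR y_{i-1}
        prev = y
    return b"".join(out)
```

With a plaintext whose first two blocks are equal, `ecb_encrypt` returns two equal ciphertext blocks while `cbc_encrypt` does not, which is why ECB leaks the structure of the plaintext.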
Double & Triple DES
Double DES: $C = E(k_2, E(k_1, m))$
Triple DES: $C = E(k_1, D(k_2, E(k_1, m)))$
AES
Block length 128 bits. Key lengths 128 (or 192 or 256).
The AES is an iterated cipher with Nr = 10 (or 12 or 14).
In each round we have:
• Subkey mixing: State ← Roundkey XOR State
• A substitution: SubBytes(State)
• A permutation: ShiftRows(State) & MixColumns(State)
One time pad
This is a binary stream cipher whose key stream is a random stream. This cipher has perfect secrecy.
One time pad
The One-Time-Pad is a stream cipher for which the plaintext $x \in \mathcal{P}$, ciphertext $y \in \mathcal{C}$ and key $K \in \mathcal{K}$ are all binary n-tuples: $\mathcal{P} = \mathcal{C} = \mathcal{K} = \{0,1\}^n$ and $e_K(x) = (x_1 + K_1, \ldots, x_n + K_n) \bmod 2$.
Decryption is identical to encryption: $d_K(y) = (y_1 + K_1, \ldots, y_n + K_n) \bmod 2$.
Public Key Cryptography
Alice and Bob want to exchange a private key in public.
Public Key Cryptography: The Diffie-Hellman protocol
Alice → Bob: $g^a \bmod p$
Bob → Alice: $g^b \bmod p$
where p is a prime and g a number which has order p-1.
The private key is: $g^{ab} \bmod p$
Public Key Cryptography: Encryption schemes
Let
• $\mathcal{P}$ be the set of all plaintext messages
• $\mathcal{C}$ be the set of ciphertexts
• $\mathcal{K}$ be the set of all keys
The RSA cryptosystem
Let $n = pq$, where p and q are primes. Let $\mathcal{P} = \mathcal{C} = \{1, 2, \ldots, n\}$, and define $\mathcal{K} = \{(n,p,q,e,d) : ed = 1 \bmod \phi(n)\}$, where $\phi(n) = (p-1)(q-1)$.
For each key $K = (n,p,q,e,d)$, define $c = e_K(m) = m^e \bmod n$ and $d_K(c) = c^d \bmod n$, where $1 \le m, c \le n$.
Public key = (n, e), Private key (n, d).
Check
We have: $ed = 1 \bmod \phi(n)$, so $ed = 1 + t\phi(n)$. Therefore,
$d_K(e_K(m)) = (m^e)^d = m^{ed} = m^{t\phi(n)+1} = (m^{\phi(n)})^t m = 1 \cdot m = m \bmod n$
Example
$p = 101$, $q = 113$, $n = 11413$. $\phi(n) = 100 \times 112 = 11200 = 2^6 \cdot 5^2 \cdot 7$.
For encryption use $e = 3533$. Then $d = e^{-1} \bmod 11200 = 6597$.
Bob publishes: n = 11413, e = 3533.
Suppose Alice wants to encrypt: 9726. She computes $9726^{3533} \bmod 11413 = 5761$.
To decrypt it Bob computes: $5761^{6597} \bmod 11413 = 9726$.
Security of RSA
• Relation to factoring. Recovering the plaintext m from an RSA ciphertext c is easy if factoring is possible.
• The RSA problem. Given (n, e) and c, compute m such that $m^e = c \bmod n$.
Public Key Cryptography: Signature schemes
Let
• $\mathcal{P}$ be the set of all messages
• $\mathcal{S}$ be the set of signatures
• $\mathcal{K}$ be the set of all keys
The RSA digital signature
Let $n = pq$, where p and q are primes. Let $\mathcal{P} = \mathcal{S} = \{1, 2, \ldots, n\}$, and define $\mathcal{K} = \{(n,p,q,e,d) : ed = 1 \bmod \phi(n)\}$.
For each key $K = (n,p,q,e,d)$, define $sig_K(m) = m^d \bmod n$ and $ver_K(m, y) = \text{true} \Leftrightarrow y^e = m \bmod n$, where $m, y \in \mathbb{Z}_n$.
Public key = (n, e), Private key (n, d).
The ElGamal signature scheme
Let p be a prime and g an integer of order p-1. Let $\mathcal{P} = \{0, 1, \ldots, p-1\}$, $\mathcal{A} = \{0, 1, \ldots, p-1\} \times \{0, 1, \ldots, p-1\}$ and $\mathcal{K} = \{(p, g, a, y_a) : y_a = g^a \bmod p\}$.
• The values $p, g, y_a$ are the public key.
• a is the private key.
The ElGamal signature scheme
• Signing
Let m, $0 \le m \le p-1$, be a message. For a key $K = (p, g, a, y_a)$ with $y_a = g^a \bmod p$, and a secret random number k, $0 \le k \le p-1$, such that $\gcd(k, p-1) = 1$, define $sig_K(m, k) = (r, s)$, where
• $r = g^k \bmod p$
• $s = (m - ar)k^{-1} \bmod (p-1)$
• Verification
$ver_K(m, (r, s)) = \text{true} \Leftrightarrow y_a^r \cdot r^s = g^m \bmod p$.
Toy example
Let p = 467, g = 2, a = 127, message m = 100. Choose k = 213. Then $k^{-1} \bmod 466 = 431$.
The signature is:
• $r = 2^{213} \bmod 467 = 29$
• $s = (m - ar)k^{-1} \bmod (p-1) = (100 - 127 \times 29) \cdot 431 \bmod 466 = 51$
Verification: $2^{100} \stackrel{?}{=} 132^{29} \cdot 29^{51} \bmod 467$
The security of the ElGamal signature
• If the Discrete Logarithm problem can be solved then ElGamal signatures can be forged.
• The converse may not be true.
• The exponent k
• must be private
• must not be used twice
• is best chosen at random.
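The signing and verification equations and the rules for k above, as an added example that is not part of the original slides. It uses the toy values p = 467, g = 2, a = 127 from the slides; the range check in `verify` and the helper `reused_k`, which flags signatures sharing an r value (equal r means equal k), are additions assumed here.

```python
import secrets
from math import gcd

# Toy parameters from the slide's example (far too small for real use).
P, G, A = 467, 2, 127
Y = pow(G, A, P)                      # public value y_a = g^a mod p

def sign(m, k=None, p=P, g=G, a=A):
    """Return the ElGamal signature (r, s) of m; draws a fresh k if none is given."""
    if k is None:
        while True:
            k = secrets.randbelow(p - 2) + 1      # random k with 1 <= k <= p-2
            if gcd(k, p - 1) == 1:
                break
    elif gcd(k, p - 1) != 1:
        raise ValueError("k must be invertible modulo p-1")
    r = pow(g, k, p)
    s = (m - a * r) * pow(k, -1, p - 1) % (p - 1)
    return r, s

def verify(m, sig, p=P, g=G, y=Y):
    """Check y^r * r^s = g^m mod p."""
    r, s = sig
    if not (1 <= r <= p - 1 and 0 <= s <= p - 2):
        return False                  # range check (added hardening, not on the slide)
    return pow(y, r, p) * pow(r, s, p) % p == pow(g, m, p)

def reused_k(signatures):
    """Return the r values seen in more than one signature (same r => same k)."""
    seen, dup = set(), set()
    for r, _ in signatures:
        (dup if r in seen else seen).add(r)
    return dup
```

Passing `k` explicitly exists only to reproduce the slide's numbers; a signer should let `sign` draw k itself.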
The Digital Signature Algorithm
Let p be an L-bit prime, $512 \le L \le 1024$ and $L \equiv 0 \bmod 64$, let q be a 160-bit prime that divides p-1 and let ∈ $\mathbb{Z}_p^*$ be a q-th root of 1 modulo p. Let $\mathcal{P} = \mathbb{Z}_{p-1}$, $\mathcal{A} = \mathbb{Z}_q \times \mathbb{Z}_q$ and $\mathcal{K}$ = {(p,q,,x,y): y = x mod p }.
• The values ,y are the public key.
• x is the private key.