Applied Cryptology – The Science of Secrecy
Dr. Victor Ralevich, Sheridan Institute
Credit for some of the slides goes to Dr. Richard J. Spillman
Basic Terminology
Encryption (encryption key):
– Plaintext → Ciphertext
Decryption (decryption key):
– Ciphertext → Plaintext
Cipher = Encryption algorithm
Cryptology
Cryptology is the science of building and analyzing encryption-decryption methods.
[Diagram: CRYPTOLOGY branches into CRYPTOGRAPHY and CRYPTANALYSIS]
Fundamental Principle of Cryptology
A Good Cipher
The strength of the system should not lie in the secrecy of the algorithms.
The strength of the system should only depend on the secrecy of the key.
Cipher Evaluation
We can never be sure that a cipher is secure.
The best way to gain some confidence in a new cipher is to allow the security community to test it.
Cipher Classification
[Diagram: classification tree]
Ciphers: Public Key, Symmetric Key, Unkeyed
– Public Key: ID, Signature, Public Key
– Unkeyed: Hash, One Way, Random
– Symmetric Key: Symmetric, MAC, Signature, Random
– Symmetric: Block, Stream, Classical
– Classical: Transposition, Substitution
Classical Ciphers
Further subdivisions:
[Diagram: the Classical branch of the tree (Block, Stream, Classical, ...)]
– Classical: Transposition, Substitution
– Substitution: polyalphabetic, monoalphabetic
Monoalphabetic: each plaintext character is always substituted by the same other character.
Polyalphabetic: each plaintext character is substituted by different characters dependent on the key used for encryption.
Substitution Ciphers
General substitution algorithm permits the cipher alphabet to be any rearrangement of the plain alphabet.
That gives
26! = 403,291,461,126,605,635,584,000,000
possible keys from which to choose.
Frequency Analysis
Every letter of a given language has characteristics of its own such as:
– Frequency of occurrence
– Relation to the other letters
– Position within words
These and other similar characteristics are used to break monoalphabetic substitution ciphers by letter frequency analysis
Letter Frequency in English Language
In order: ETAONIRSHDLUCMPFYWGBVJKQXZ
Four vowels A, E, I, O and four consonants N, R, S, T form 2/3 of the normal English plain text.
[Bar chart: relative frequency of each letter, vertical axis from 0.000 to 0.140; bar labels below]
E 0.127   T 0.091   A 0.082   O 0.075   I 0.070   N 0.067   S 0.063
H 0.061   R 0.060   D 0.043   L 0.040   C 0.028   U 0.028   M 0.024
W 0.023   F 0.022   G 0.020   Y 0.020   P 0.019   B 0.015   V 0.010
K 0.008   J 0.002   Q 0.001   X 0.001   Z 0.001
Word of Advice
Note: Longer texts are more likely to follow the standard frequencies, but it is not always the case.
In 1969, the French author Georges Perec wrote “La Disparition”, a 200-page novel that did not use words that contain the letter “E”.
Gilbert Adair translated the novel into English respecting the same restriction.
See also the similar book “Gadsby”, a story of over 50,000 words without using the letter “E”, by Ernest Vincent Wright.
Polyalphabetic Ciphers
Vigenère’s cipher
Vigenère Cipher
Vigenère’s most important work was his “Traicté des Chiffres” (“A Treatise on Secret Writing”) published in 1586.
Vigenère’s cipher is resistant to letter frequency analysis.
Vigenère Operation
A keyword is selected and it is repeatedly written above the plaintext
– EXAMPLE: using the keyword “hold”
KEY:        H O L D H O L D H O L D H O L D H O
plaintext:  T H I S I S T H E P L A I N T E X T
    a b c d e f g h i . . .
a   a b c d e f g h i . . .
b   b c d e f g h i j . . .
c   c d e f g h i j k . . .
d   d e f g h i j k l . . .
e   e f g h i j k l m . . .
f   f g h i j k l m n . . .
g   g h i j k l m n o . . .
h   h i j k l m n o p . . .
i   i j k l m n o p q . . .
j   j k l m n o p q r . . .
k   k l m n o p q r s . . .
l   l m n o p q r s t . . .
m   m n o p q r s t u . . .
n   n o p q r s t u v . . .
o   o p q r s t u v w . . .
p   p q r s t u v w x . . .
q   q r s t u v w x y . . .
r   r s t u v w x y z . . .
s   s t u v w x y z a . . .
t   t u v w x y z a b . . .
u   u v w x y z a b c . . .
ciphertext: A V T V Q G E K L D W D Q B E H E H
Breaking Vigenère’s Cipher
In 1863, a Polish Infantry officer, Friedrich W. Kasiski, published a short book which changed the nature of cryptography. He noticed that:
The conjunction of a repeated portion of the key with a repetition in the plaintext produces a repetition in the ciphertext.
So, the size of the keyword can be determined by the nature of repeated ciphertext character strings.
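
Kasiski's observation, as an added example that is not part of the original slides: the code enciphers a constructed sample plaintext with the keyword “hold” from the slide above, then lists the repeated ciphertext trigrams and the keyword lengths that their spacing allows. The function names and the sample plaintext are assumptions made for illustration.

```python
from collections import defaultdict
from functools import reduce
from math import gcd


def vigenere_encrypt(plaintext: str, keyword: str) -> str:
    """Shift each letter by the keyword letter written above it (A=0 ... Z=25)."""
    letters = [c for c in plaintext.upper() if "A" <= c <= "Z"]
    shifts = [ord(k) - 65 for k in keyword.upper()]
    return "".join(
        chr((ord(c) - 65 + shifts[i % len(shifts)]) % 26 + 65)
        for i, c in enumerate(letters)
    )


def repeat_distances(ciphertext: str, n: int = 3) -> dict:
    """Map every n-gram seen more than once to the gaps between its occurrences."""
    seen = defaultdict(list)
    for i in range(len(ciphertext) - n + 1):
        seen[ciphertext[i:i + n]].append(i)
    return {
        gram: [b - a for a, b in zip(pos, pos[1:])]
        for gram, pos in seen.items()
        if len(pos) > 1
    }


def candidate_key_lengths(ciphertext: str, n: int = 3) -> list:
    """Kasiski: the keyword length divides the gcd of the repeat distances."""
    gaps = [d for ds in repeat_distances(ciphertext, n).values() for d in ds]
    if not gaps:
        return []
    g = reduce(gcd, gaps)
    return [k for k in range(2, g + 1) if g % k == 0]


# Constructed sample: the word CRYPTO occurs twice, 16 letters apart.
PLAINTEXT = "CRYPTO IS SHORT FOR CRYPTOGRAPHY"
KEYWORD = "hold"  # keyword used on the slide
CIPHERTEXT = vigenere_encrypt(PLAINTEXT, KEYWORD)

if __name__ == "__main__":
    print("ciphertext:      ", CIPHERTEXT)
    print("repeated trigrams:", repeat_distances(CIPHERTEXT))
    print("possible lengths: ", candidate_key_lengths(CIPHERTEXT))
```

On longer ciphertexts accidental repeats also occur, so in practice the most common factor of the distances is taken rather than a strict gcd.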
Shannon Criteria
Claude Shannon (in the late 1940s) defined additional design criteria for ciphers:
– Confusion – cipher should hide local patterns in language from an attacker.
– Diffusion – cipher should mix around different parts of the plaintext, so that nothing is left in its original position.
Security Requirements
Confidentiality – Protection from disclosure to unauthorised persons
Integrity – Maintaining data consistency
Authentication – Assurance of identity of person or originator of data
Non-repudiation – Originator of communications can’t deny it later
Binary Numbers
Data in computer systems is stored, processed, and transmitted in binary form (as 0’s and 1’s)
All numerical values are represented and manipulated as binary numbers
decimal  binary
0        0
1        1
2        10
3        11
4        100
5        101
6        110
7        111
8        1000
9        1001
Characters
There is no natural way to express characters (as there is with numbers) so computer manufacturers have developed standard codes such as ASCII and UNICODE.
ASCII assigns 8 bits per character: 2^8 = 226 characters
UNICODE assigns 16 bits per character: 2^16 = 65536 different characters
Symmetric Key Ciphers
– Stream Ciphers
– Block Ciphers
Symmetric Ciphers
[Diagram: Encryption → Transmission → Decryption]
Symmetric Encryption Scheme
The same key is used for both encryption and decryption.
Bit Level Ciphers
Using computers, ciphers are implemented at the bit level. We can now substitute or transpose 0’s and 1’s
The problem is, how can we seem to randomly change bits and yet still be able to recover the plaintext?
To do this we use the exclusive-OR (XOR) binary function
XOR Function
[Diagram: XOR gate with inputs A and B and output F]
A  B  F
0  0  0
0  1  1
1  0  1
1  1  0
A will be the plaintext and B the key
Simple Stream Cipher
[Diagram: plaintext XOR key stream → ciphertext; ciphertext XOR key stream → plaintext]
Some Stream Ciphers
– RC4
– Pike
– SOBER-128
– SEAL (Software-Optimized Encryption Algorithm)
– Turing
– A5/1 and A5/2
Block Cipher
Today’s most widely used ciphers
– Define a block of computer bits which represent several characters
– Encipher the complete block at one time
[Diagram: Block of Bits → Algorithm (with KEY) → Block of Bits]
Electronic Code Book
Simplest mode of operation
– each block is enciphered into a ciphertext block using one key
[Diagram: M1 → Ek → C1, M2 → Ek → C2, ..., Mm → Ek → Cm, every stage using the same Key]
Problem: if Mi = Mj then Ci = Cj
Cipher Block Chaining
The input to each block stage is the current block XOR-ed with the previous stage cipher block
[Diagram: M1 → Ek → C1, M2 → Ek → C2, ..., Mm → Ek → Cm, every stage using the same Key, each cipher block feeding the next stage]
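
The ECB problem and the CBC remedy, as an added example that is not part of the original slides. The block cipher Ek is a toy 4-round Feistel network built on SHA-256, an assumption standing in for a real cipher such as AES; the key, the message and the initial block `IV` that is XOR-ed into the first stage are constructed sample values.

```python
import hashlib

BLOCK = 16  # block size in bytes


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, half: bytes, rnd: int) -> bytes:
    # Keyed round function of the toy cipher (illustrative, not a real cipher).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]


def ek(key: bytes, block: bytes) -> bytes:
    """Toy Ek: 4-round Feistel network over one 16-byte block."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, xor(left, _round(key, right, rnd))
    return left + right


def dk(key: bytes, block: bytes) -> bytes:
    """Inverse of ek: undo the rounds in reverse order."""
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = xor(right, _round(key, left, rnd)), left
    return left + right


def ecb_encrypt(key: bytes, blocks: list) -> list:
    return [ek(key, m) for m in blocks]  # each Mi enciphered on its own


def cbc_encrypt(key: bytes, iv: bytes, blocks: list) -> list:
    out, prev = [], iv
    for m in blocks:
        prev = ek(key, xor(m, prev))  # current block XOR previous cipher block
        out.append(prev)
    return out


def cbc_decrypt(key: bytes, iv: bytes, blocks: list) -> list:
    out, prev = [], iv
    for c in blocks:
        out.append(xor(dk(key, c), prev))
        prev = c
    return out


def repeated(blocks: list) -> int:
    """Number of cipher blocks that duplicate an earlier block."""
    return len(blocks) - len(set(blocks))


KEY = b"constructed-key"      # constructed sample key
IV = bytes(range(BLOCK))      # fixed here for reproducibility; random per message in practice
M = [b"ATTACK AT DAWN".ljust(BLOCK, b"."),   # M1
     b"HOLD POSITION".ljust(BLOCK, b"."),    # M2
     b"ATTACK AT DAWN".ljust(BLOCK, b".")]   # M3 = M1
ECB = ecb_encrypt(KEY, M)
CBC = cbc_encrypt(KEY, IV, M)

if __name__ == "__main__":
    print("ECB repeated blocks:", repeated(ECB))  # M1 = M3 shows through
    print("CBC repeated blocks:", repeated(CBC))
    print("CBC round trip ok:  ", cbc_decrypt(KEY, IV, CBC) == M)
```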
Some Block Ciphers
– AES
– DES (obsolete)
– IDEA
– Blowfish
– Skipjack
– RC5
– RC6
– Twofish
Cipher Classification
[Diagram: classification tree]
Ciphers: Asymmetric Key, Symmetric Key, Unkeyed
– Asymmetric Key: ID, Signature, Public Key
Asymmetric ciphers have two different keys: one to encipher and one to decipher
Public Key Ciphers
They are usually based on number theory rather than substitution or permutation operations
There are two different keys:
– one for encryption, and
– one for decryption
Knowing one key cannot compromise the other
Public Key Transaction
Asymmetric algorithms use matched public/private key pairs
RSA
Named after researchers at MIT who developed the cipher:
Rivest – Shamir – Adleman Cipher (1978)
RSA Key Generation
1. Select two 100 digit (or more) prime numbers, p and q
2. Multiply them to obtain n = p∙q
3. Select another number d such that gcd(d, (p-1)∙(q-1)) = 1 (relatively prime)
4. Find integer e such that: e∙d ≡ 1 mod ((p-1)∙(q-1))
5. Pair (e, n) is public key, and pair (d, n) is private key.
RSA Encryption
Divide the message into blocks M all of the same size x. The bit string M can be viewed as an x digit binary number.
Calculate ciphertext as:
C ≡ M^e mod n
Remember (e, n) is public key (so anyone can do this)
RSA Decryption
To obtain plaintext from ciphertext calculate:
C^d = (M^e)^d ≡ M^1 mod n
Remember d is private and remains private.
To find d you must discover p and q but the only way to do that is to factor n
Aside: Characters to Numbers
Process: to translate a collection of characters to a number
– convert the characters to ASCII
– treat the ASCII code like a binary number and convert it to decimal
Example: “it” → 0110100101110100 = 2^14 + 2^13 + 2^11 + 2^8 + 2^6 + 2^5 + 2^4 + 2^2 = 26996
Aside: Numbers to Characters
Process: to translate a number to a collection of characters
– convert the number to binary
– treat the binary number like an ASCII code
Example: 26995 → 0110100101110011 → “is”
RSA Example
Select p and q to be two digit primes: p = 41, q = 53
Then n = p*q = 2173 and (p-1)*(q-1) = 40*52 = 2080
Select any d between 54 and 2079 which does not share any factors with 2080, say d = 623
Now, compute e so that e∙d = 1 mod 2080
It turns out that e = 207 works since 207*623 = 128961 which when divided by 2080 leaves a remainder of 1
Message
Now we need to divide the message into blocks of bits
– RULE: find the highest power of 2 less than n
– In our case, n = 2173 and 2^11 = 2048 but 2^12 = 4096
– So, divide the plaintext into blocks of 11 bits
Encrypt the message “JABBERWOCKY”
01011010 01000001 01000010 01000010 01000101 01010010 01010111 01001111 01000011 01001011 01011001
Blocks
The 11 bit blocks and their decimal equivalent are:
binary       decimal
01011010010  722
00001010000  80
10010000100  1156
10001010101  1109
00100101011  299
10100111101  1341
00001101001  105
01101011001  857
This represents the 8 message blocks, m1 through m8, which will be transformed into 8 ciphertext blocks c1 through c8
Ciphertext
Public key is (e, n) = (207, 2173) and the ciphertext is generated by:
722^207 = 1794 = c1 mod 2173
80^207 = 1963 = c2 mod 2173
1156^207 = 1150 = c3 mod 2173
1109^207 = 702 = c4 mod 2173
299^207 = 145 = c5 mod 2173
1341^207 = 593 = c6 mod 2173
105^207 = 2013 = c7 mod 2173
857^207 = 1861 = c8 mod 2173
So the transmitted message is 1794 1963 1150 702 145 593 2013 1861
Decipher
To decipher the message use private key (d, n) = (623, 2173):
1794^623 = 722 = m1 mod 2173
1963^623 = 80 = m2 mod 2173
1150^623 = 1156 = m3 mod 2173
702^623 = 1109 = m4 mod 2173
145^623 = 299 = m5 mod 2173
593^623 = 1341 = m6 mod 2173
2013^623 = 105 = m7 mod 2173
1861^623 = 857 = m8 mod 2173
Convert these numbers back to binary, the binary back to characters and the plaintext message reappears
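
The worked RSA example, carried out in code as an added example that is not part of the original slides: key generation from the slide's p, q and d, 11-bit blocking of the bit string shown on the Message slide, encryption and decryption. It goes one step beyond the slides by factoring n with trial division, which shows why two-digit primes give no protection; all function names are assumptions made for illustration.

```python
from math import gcd, isqrt


def modinv(a, m):
    """Extended Euclid: the x in [0, m) with a*x = 1 (mod m)."""
    old_r, r, old_s, s = a, m, 1, 0
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    if old_r != 1:
        raise ValueError("a and m are not relatively prime")
    return old_s % m


def keygen(p, q, d):
    """Key generation steps 2-5: returns (public, private) = ((e, n), (d, n))."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(d, phi) != 1:
        raise ValueError("d shares a factor with (p-1)(q-1)")
    return (modinv(d, phi), n), (d, n)


def block_size(n):
    """Exponent of the highest power of 2 below n (n is odd, so never equal)."""
    return n.bit_length() - 1


def to_blocks(bits, size):
    if len(bits) % size:
        raise ValueError("bit string must be a multiple of the block size")
    return [int(bits[i:i + size], 2) for i in range(0, len(bits), size)]


def from_blocks(blocks, size):
    return "".join(format(b, "0{}b".format(size)) for b in blocks)


def apply_key(blocks, key):
    """C = M^e mod n with the public key, M = C^d mod n with the private key."""
    exponent, n = key
    return [pow(b, exponent, n) for b in blocks]


def private_from_public(public):
    """Factor n by trial division and rebuild d; instant for a 4-digit n."""
    e, n = public
    p = next(f for f in range(3, isqrt(n) + 1, 2) if n % f == 0)
    return modinv(e, (p - 1) * (n // p - 1)), n


# The 88 bits printed on the Message slide, with the spaces removed.
BITS = "".join(("01011010 01000001 01000010 01000010 01000101 01010010 "
                "01010111 01001111 01000011 01001011 01011001").split())
PUBLIC, PRIVATE = keygen(41, 53, 623)   # p, q, d from the RSA Example slide
SIZE = block_size(PUBLIC[1])
BLOCKS = to_blocks(BITS, SIZE)
CIPHER = apply_key(BLOCKS, PUBLIC)
PLAIN = apply_key(CIPHER, PRIVATE)

if __name__ == "__main__":
    print("public", PUBLIC, "private", PRIVATE, "block bits", SIZE)
    print("m:", BLOCKS)
    print("c:", CIPHER)
    print("round trip ok:", from_blocks(PLAIN, SIZE) == BITS)
    print("private key recovered by factoring n:", private_from_public(PUBLIC))
```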
RSA Performance
Key generation is slow
Ciphertext generation is about 1000 times slower than AES (standard for symmetric block cipher)
Often, RSA is used to protect session keys which are used with AES
Symmetric Session Key
[Diagram: Sender and Recipient]
Factoring Algorithm
Strength of RSA is entirely based on difficulty of prime factoring of large integers.
PROBLEM: How to decompose a large integer into its prime factors? For example:
7105593510097261
The largest known prime number today is 7,816,230 digit Mersenne prime 2^25964951 – 1
RSA Challenge
In December 1977, the challenge was given to break RSA-129 where:
n (RSA-129) = 1 1438 1625 7578 8886 7669 2357 7997 6146 6120 1021 8296 7212 4236 2562 5618 4293 5706 9352 4573 3897 8305 9712 3563 9587 0505 8989 0751 4759 9290 0268 7954 3541
e = 9007
The best known algorithm at the time would have required 40,000 trillion years if multiplications of 129 digit numbers could run as fast as 1 ns
Challenge Met
It only took 17 years
Derek Atkins (April 1994) announced that:
RSA-129 = 3490 5295 1084 7650 9491 4784 9619 9038 9813
3417 7646 3849 3387 8439 9082 0577 * 3 2769 1329 9326 6709
5499 6198 8190 8344 6141 3177 6429 6799 2942 5397 9828 8533
Process
When: August 1993 - 1 April 1994, 8 months
Who: D. Atkins, M. Graff, A. K. Lenstra, P. Leyland
– + 600 volunteers from the entire world
How: 1600 computers
– from Cray C90, through 16 MHz PC, to fax machines
Now, RSA-155 has been broken as well, so the new standard for keys is 231 digits
Other Public Key Systems
ElGamal Cipher – It relies on the difficulty of solving the discrete logarithm problem
b = a^x mod p,
by finding integer x if p is prime, a and b are integers.
Elliptic Curve Cipher
Further Readings
Richard J. Spillman “Classical and Contemporary Cryptology”, Prentice Hall, 2005
Richard J. Spillman – Lecture notes for Cryptology course, Pacific Lutheran University
Bruce Schneier “Applied Cryptography”, J.Wiley&Sons, 1996
Simon Singh “Code Book”, Anchor, 2000
Prime Pages (http://www.utm.edu/research/primes/)
And many more ….