Computer Security: Basic Crypto
Introduction
Cryptosystem: (E,D,M,K,C)
• M is the set of plaintexts
• K the set of keys
• C the set of ciphertexts
• E: M K C the set of enciphering functions
• D: C K M the set of deciphering functions
Introduction
• Shift Cipher: $M = C = K = Z_{26}$, with
-- $e_K(x) = x + K \bmod 26$
-- $d_K(y) = y - K \bmod 26$
where x, y are in $Z_{26}$
• Substitution Cipher: $P = C = Z_{26}$, with K the set of permutations on $Z_{26}$ and
-- e(x) = (x)
-- d(y) = -1(y).
Cryptosystems
Block ciphers
The Shift Cipher and Substitution Cipher are block ciphers: successive plaintext elements (blocks) are encrypted using the same key. We now consider some other block ciphers.
• The Affine Cipher is a special case of the Substitution Cipher with
-- $e_K(x) = ax + b \bmod 26$
-- $d_K(y) = a^{-1}y - a^{-1}b \bmod 26$
where a, b, x, y are in $Z_{26}$ and a is invertible.
Block ciphers
The Vigenere Cipher is polyalphabetic.
Let m > 1
• $M = C = K = (Z_{26})^m$
• For a key $K = (k_1, \ldots, k_m)$
-- $e_K(x_1, \ldots, x_m) = (x_1 + k_1, \ldots, x_m + k_m)$
-- $d_K(y_1, \ldots, y_m) = (y_1 - k_1, \ldots, y_m - k_m)$
where all operations are in $Z_{26}$.
Block ciphers
The Hill Cipher is also polyalphabetic. Let m > 1
• $M = C = (Z_{26})^m$, K is the set of all m by m invertible matrices over $(Z_{26})^m$
• For a key K
-- $e_K(x) = xK$
-- $d_K(y) = yK^{-1}$
with all operations in $Z_{26}$.
Block ciphers
The Permutation Cipher. Let m > 1
$M = C = (Z_{26})^m$,
K is the set of all permutations of {1,…,m}.
• For a key (permutation)
• -- e(x1,…, xm) = (x(1),…, xm))
-- d(y1,…, ym) = (y(1),…, y(1))
where (1) is the inverse of
Stream Ciphers
The ciphers considered so far are block ciphers.
Another type of cryptosystem is the stream cipher.
Stream Ciphers
• A synchronous stream cipher is a tuple (E,D,M,C,K,L) with a function g such that:
• M, C, K, E, D are as before.
• L is the keystream alphabet
• g is the keystream generator: it takes as input a key K and outputs an infinite string
$z_1, z_2, \ldots$
called the keystream, where the $z_i$ are in L.
• For each $z_i$ in L there is an encryption rule $e_z$ in E, and a decryption rule $d_z$ in D such that:
$d_z(e_z(x)) = x$ for all plaintexts x in M.
Stream Ciphers
The Linear Feedback Shift Register or LFSR. The keystream is computed as follows:
Let $(k_1, k_2, \ldots, k_m)$ be the initialized key vector at time t. At the next time unit the key vector is updated as follows:
-- $k_1$ is tapped as the next keystream bit
-- $k_2, \ldots, k_m$ are each shifted one place to the left
-- the “new” value of $k_m$ is computed by
$$k_{m+1} = \sum_{j=0}^{m-1} c_j k_{j+1}$$
Stream Ciphers
Let $x_1, x_2, \ldots$ be the plaintext (a binary string).
Then the ciphertext is:
$y_1, y_2, \ldots$
where $y_i = x_i + k_i$, for i = 1, 2, …, and the sum is bitwise xor.
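The LFSR update rule and the bitwise-xor encryption from the slides above, as an added example that is not part of the original slides. The key vector, feedback constants and plaintext bits are constructed sample values, and the function names are chosen here for illustration.

```python
from itertools import islice

def step(state, taps):
    """One clock tick: output k1, shift left, append the feedback bit.

    taps = (c0, ..., c_{m-1}); the new bit is sum_j c_j * k_{j+1} mod 2.
    """
    new_bit = sum(c & k for c, k in zip(taps, state)) % 2
    return state[0], state[1:] + (new_bit,)

def keystream(key, taps):
    """Yield the keystream bits for the initial key vector (k1, ..., km)."""
    state = tuple(key)
    if len(state) != len(taps) or not any(state):
        raise ValueError("key and taps need equal length and a non-zero key")
    while True:
        bit, state = step(state, taps)
        yield bit

def xor_bits(bits, key, taps):
    """y_i = x_i XOR k_i; calling it again on y with the same key decrypts."""
    return [b ^ k for b, k in zip(bits, keystream(key, taps))]

def period(key, taps):
    """Ticks until the register returns to its start state, or None if it never does."""
    state = start = tuple(key)
    for ticks in range(1, 2 ** len(start) + 1):
        _, state = step(state, taps)
        if state == start:
            return ticks
    return None

# Constructed sample: m = 4, feedback k5 = k1 + k2 (mod 2), key (1, 0, 0, 0).
KEY, TAPS = (1, 0, 0, 0), (1, 1, 0, 0)
PLAIN = [0, 1, 1, 0, 1, 0, 0, 1, 1, 1]          # constructed plaintext bits

if __name__ == "__main__":
    cipher = xor_bits(PLAIN, KEY, TAPS)
    print("keystream :", list(islice(keystream(KEY, TAPS), 16)))
    print("ciphertext:", cipher)
    print("decrypted :", xor_bits(cipher, KEY, TAPS))
    print("period    :", period(KEY, TAPS), "of at most", 2 ** len(KEY) - 1)
    # Known plaintext XOR ciphertext gives the keystream bits back directly.
    print("x XOR y   :", [x ^ y for x, y in zip(PLAIN, cipher)])
```

The keystream repeats after 15 bits, the maximum for a 4-bit register, which is why a short LFSR on its own gives no protection once any plaintext is known.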
Cryptanalysis
Attacks on Cryptosystems
• Ciphertext only attack: the opponent possesses a string of ciphertexts: y1, y2, …
• Known plaintext attack: the opponent possesses a string of plaintexts x1, x2, … and the corresponding string of ciphertexts: y1, y2, …
Attacks on Cryptosystems
• Chosen plaintext attack: the opponent can choose a string of plaintexts x1, x2, … and obtain the corresponding string of ciphertexts: y1, y2, …
• Chosen ciphertext attack: the opponent can choose a string of ciphertexts: y1, y2, … and construct the corresponding string of plaintexts x1, x2, …
Cryptanalysis
• Cryptanalysis of the shift cipher and substitution cipher: Ciphertext attack -- use statistical properties of the language
• Cryptanalysis of the affine and Vigenere cipher: Ciphertext attack -- use statistical properties of the language
• Attacks on the affine and Vigenere cipher: Ciphertext attack -- use statistical properties of the language
Cryptanalysis
• Cryptanalysis of the Hill cipher: Known plaintext attack
• Cryptanalysis of the LFSR stream cipher: Known plaintext attack
One time pad
This is a binary stream cipher whose key stream is a random stream.
This cipher has perfect secrecy.
Security
• Computational security
Computationally hard to break: requires super-polynomial computations (in the length of the ciphertext)
• Provable security
Security is reduced to a well studied problem thought to be hard, e.g. factorization.
• Unconditional security
No bound on computation: cannot be broken even with infinite power/space. Only way to break is by “lucky” guessing.
Some Probability Theory
• The random variables X,Y are independent if:
Pr[x,y] = Pr[x] . Pr[y], for all x,y in X
In general,
Pr[x,y] = Pr[x|y] . Pr[y]
= Pr[y|x] . Pr[x], for all x,y in X
Some Probability Theory
• Bayes’ Law:
$$\Pr[x|y] = \frac{\Pr[y|x] \cdot \Pr[x]}{\Pr[y]} \quad \text{for all } x, y \text{ in } X$$
• Corollary:
X,Y are independent random variables (r.v.) iff
Pr[x|y] = Pr[x] for all x,y in X
Perfect secrecy
• A cryptosystem is perfectly secure if :
Pr[x|y] = Pr[x],
for all x in M and y in C
Perfect secrecy
Theorem
Let |K|=|C|=|M| for a cryptosystem. We have perfect secrecy iff:
• Every key is used with equal probability $\frac{1}{|K|}$,
• For each x in P and y in C there is a unique key K in K that encrypts x to y
One time pad
We have $K = C = M = Z_2^n$.
Also given: $x = x_1, \ldots, x_n$ and $y = y_1, \ldots, y_n$,
the key $K = K_1, \ldots, K_n$ is unique because K = x+y mod 2
Finally all keys are chosen equiprobably. Therefore, the one time pad has perfect secrecy.
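Bayes' law from the probability slides applied to the perfect-secrecy definition, as an added example that is not part of the original slides. It computes Pr[x|y] exactly for a 2-bit one time pad and for two variants that break the theorem's conditions; all distributions and function names are constructed for illustration.

```python
from fractions import Fraction as F
from itertools import product

def posterior(pr_x, pr_k, encrypt):
    """Return ({(x, y): Pr[x|y]}, {y: Pr[y]}) using Bayes' law:
    Pr[x|y] = Pr[y|x] * Pr[x] / Pr[y]."""
    pr_y_given_x = {}
    for x, k in product(pr_x, pr_k):            # Pr[y|x] = sum of Pr[k] with e_k(x) = y
        pair = (x, encrypt(x, k))
        pr_y_given_x[pair] = pr_y_given_x.get(pair, 0) + pr_k[k]
    pr_y = {}
    for (x, y), p in pr_y_given_x.items():      # Pr[y] = sum_x Pr[y|x] * Pr[x]
        pr_y[y] = pr_y.get(y, 0) + p * pr_x[x]
    post = {(x, y): pr_y_given_x.get((x, y), 0) * pr_x[x] / pr_y[y]
            for x, y in product(pr_x, pr_y)}
    return post, pr_y

def perfectly_secret(pr_x, pr_k, encrypt):
    """True iff Pr[x|y] == Pr[x] for every plaintext x and every possible y."""
    post, _ = posterior(pr_x, pr_k, encrypt)
    return all(p == pr_x[x] for (x, _y), p in post.items())

def pad(x, k):
    return x ^ k               # one time pad on 2-bit values: y = x + K mod 2, bitwise

def reused_bit(x, k):
    return x ^ (0b11 * k)      # a single key bit masks both message bits

# Constructed inputs: 2-bit messages 0..3 with a skewed plaintext distribution.
PR_X = {0: F(1, 2), 1: F(1, 4), 2: F(1, 8), 3: F(1, 8)}
UNIFORM_KEY = {k: F(1, 4) for k in range(4)}              # every key equally likely
BIASED_KEY = {0: F(1, 2), 1: F(1, 6), 2: F(1, 6), 3: F(1, 6)}
ONE_BIT_KEY = {0: F(1, 2), 1: F(1, 2)}                    # fewer keys than messages

if __name__ == "__main__":
    print("uniform pad   :", perfectly_secret(PR_X, UNIFORM_KEY, pad))
    print("biased keys   :", perfectly_secret(PR_X, BIASED_KEY, pad))
    print("key bit reused:", perfectly_secret(PR_X, ONE_BIT_KEY, reused_bit))
    print("Pr[x=0|y=0], biased keys:", posterior(PR_X, BIASED_KEY, pad)[0][(0, 0)])
```

Only the first case satisfies both conditions of the theorem; with biased keys the observer's belief that x = 0 rises from 1/2 to 3/4 after seeing y = 0.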
Kerckhoffs’ assumption
The adversary knows all details of the encrypting function except the secret key
DES
DES is a Feistel cipher.
Block length 64 bits (effectively 56)
Key length 56 bits
Ciphertext length 64 bits
DES
It has a round function g for which:
$g([L_{i-1}, R_{i-1}], K_i) = (L_i, R_i)$,
where
$L_i = R_{i-1}$ and $R_i = L_{i-1} \text{ XOR } f(R_{i-1}, K_i)$.
DES round encryption
DES inner function
DES computation path
Attacks on DES
• Brute force
• Linear Cryptanalysis -- Known plaintext attack
• Differential cryptanalysis
– Chosen plaintext attack
– Modify plaintext bits, observe change in ciphertext
No dramatic improvement on brute force
Countering Attacks
• Large keyspace combats brute force attack
• Triple DES (say EDE mode, 2 or 3 keys)
• Use AES
AES
Block length 128 bits.
Key lengths 128 (or 192 or 256).
The AES is an iterated cipher with Nr=10 (or 12 or 14)
In each round we have:
• Subkey mixing
• A substitution
• A permutation
Modes of operation
Four basic modes of operation are available for block ciphers:
• Electronic codebook mode: ECB
• Cipher block chaining mode: CBC
• Cipher feedback mode: CFB
• Output feedback mode: OFB
Electronic Codebook mode, ECB
Each plaintext $x_i$ is encrypted with the same key K:
$y_i = e_K(x_i)$.
So, the naïve use of a block cipher.
ECB
[Figure: ECB mode. Plaintext blocks x1, x2, x3, x4 are each encrypted with DES to give ciphertext blocks y1, y2, y3, y4.]
Cipher Block Chaining mode, CBC
Each cipher block $y_{i-1}$ is xor-ed with the next plaintext $x_i$:
$y_i = e_K(y_{i-1} \text{ XOR } x_i)$
before being encrypted to get the next ciphertext $y_i$.
The chain is initialized with an initialization vector: $y_0 = IV$
whose length is the block size.
CBC
[Figure: CBC mode. IV and plaintext blocks x1, x2, x3, x4 are combined (+) and encrypted with DES to give ciphertext blocks y1, y2, y3, y4.]
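The Feistel round from the DES slide together with the ECB and CBC modes above, as an added example that is not part of the original slides. The round function f and the key schedule are SHA-256 stand-ins rather than DES, and KEY, IV and MSG are constructed sample values.

```python
import hashlib

ROUNDS, HALF, BLOCK = 8, 4, 8        # toy sizes: 8 rounds, two 32-bit halves

def xor(a, b):
    return bytes(p ^ q for p, q in zip(a, b))

def f(right, subkey):                # stand-in round function, NOT the DES f
    return hashlib.sha256(subkey + right).digest()[:HALF]

def subkeys(key):                    # stand-in key schedule K_1 .. K_ROUNDS
    return [hashlib.sha256(key + bytes([i])).digest() for i in range(ROUNDS)]

def encrypt_block(block, key):
    left, right = block[:HALF], block[HALF:]
    for k in subkeys(key):           # L_i = R_{i-1}, R_i = L_{i-1} XOR f(R_{i-1}, K_i)
        left, right = right, xor(left, f(right, k))
    return left + right

def decrypt_block(block, key):
    left, right = block[:HALF], block[HALF:]
    for k in reversed(subkeys(key)): # R_{i-1} = L_i, L_{i-1} = R_i XOR f(L_i, K_i)
        left, right = xor(right, f(left, k)), left
    return left + right

def split(data):
    if len(data) % BLOCK:
        raise ValueError("data must be a whole number of 8-byte blocks")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(data, key):          # y_i = e_K(x_i)
    return b"".join(encrypt_block(x, key) for x in split(data))

def cbc_encrypt(data, key, iv):      # y_0 = IV, y_i = e_K(y_{i-1} XOR x_i)
    ys = [iv]
    for x in split(data):
        ys.append(encrypt_block(xor(ys[-1], x), key))
    return b"".join(ys[1:])

def cbc_decrypt(data, key, iv):      # x_i = d_K(y_i) XOR y_{i-1}
    ys = [iv] + split(data)
    return b"".join(xor(decrypt_block(y, key), prev) for prev, y in zip(ys, ys[1:]))

# Constructed sample: the first two plaintext blocks are identical.
KEY, IV = b"demo key", bytes(range(BLOCK))
MSG = b"SAMEBLOK" * 2 + b"LASTBLOK"

if __name__ == "__main__":
    print("ECB:", [y.hex() for y in split(ecb_encrypt(MSG, KEY))])
    print("CBC:", [y.hex() for y in split(cbc_encrypt(MSG, KEY, IV))])
```

The two equal plaintext blocks produce two equal ciphertext blocks under ECB and two different ones under CBC; decryption works for any f because each Feistel round is undone by xor-ing the same f output again.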
Cipher and Output feedback modes (CFB & OFB)
CFB: $z_0 = IV$ and recursively:
$z_i = e_K(y_{i-1})$ and $y_i = x_i \text{ XOR } z_i$
OFB: $z_0 = IV$ and recursively:
$z_i = e_K(z_{i-1})$ and $y_i = x_i \text{ XOR } z_i$
CFB mode
[Figure: CFB mode, with IV, eK, plaintext blocks x1, x2 and ciphertext blocks y1, y2.]
OFB mode
[Figure: OFB mode, with IV, eK, plaintext blocks x1, x2 and ciphertext blocks y1, y2.]
Public Key Cryptography
Alice and Bob want to exchange a private key in public.
Public Key Cryptography
[Figure: Alice and Bob exchange $g^a \bmod p$ and $g^b \bmod p$.]
The private key is: $g^{ab} \bmod p$
where p is a prime and g is a generator of $Z_p$
The RSA cryptosystem
Let n = pq, where p and q are primes.
Let M = C = Zn, and let a,b be such that ab = 1 mod (n).
Define
$e_K(x) = x^b \bmod n$ and $d_K(y) = y^a \bmod n$,
where (x,y) Zn.
Public key = (n,b), Private key (n,a).
Check
We have: ed = 1 mod (n), so ed = 1 + t(n).
Therefore, dK(eK(m)) = (me)d = med = m
t(n)+1
= (m(n)) t m = 1.m = m mod n
Example
p = 101, q = 113, n = 11413.
(n) = 100x112 = 11200 = $2^6 \cdot 5^2 \cdot 7$
For encryption use e = 3533.
Then $d = e^{-1} \bmod 11200 = 6597$.
Bob publishes: n = 11413, e = 3533.
Suppose Alice wants to encrypt: 9726.
She computes $9726^{3533} \bmod 11413 = 5761$
To decrypt it Bob computes: $5761^{6597} \bmod 11413 = 9726$
Security of RSA
1. Relation to factoring. Recovering the plaintext m from an RSA ciphertext c is easy if factoring is possible.
2. The RSA problem. Given (n,e) and c, compute: m such that $m^e = c \bmod n$
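The RSA definition, the worked example with p = 101 and q = 113, and the relation to factoring, carried through in code as an added example that is not part of the original slides. The function names are chosen here; the private exponent is derived as the inverse of e modulo (p-1)(q-1), which equals the 11200 used in the example.

```python
def egcd(a, b):
    """Extended Euclid: return (g, s, t) with s*a + t*b == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, s, t = egcd(b, a % b)
    return g, t, s - (a // b) * t

def make_keys(p, q, e):
    """Return ((n, e), (n, d)) with e*d = 1 mod (p-1)(q-1)."""
    n, phi = p * q, (p - 1) * (q - 1)
    g, d, _ = egcd(e, phi)
    if g != 1:
        raise ValueError("e has no inverse modulo (p-1)(q-1)")
    return (n, e), (n, d % phi)

def encrypt(pub, x):
    n, e = pub
    return pow(x, e, n)

def decrypt(priv, y):
    n, d = priv
    return pow(y, d, n)

def factor_small(n):
    """Trial division; only feasible because the sample modulus is tiny."""
    p = 2
    while p * p <= n:
        if n % p == 0:
            return p, n // p
        p += 1
    raise ValueError("n is prime")

def private_key_from_public(pub):
    """Relation to factoring: whoever factors n can rebuild the private key."""
    n, e = pub
    p, q = factor_small(n)
    return make_keys(p, q, e)[1]

# Values from the worked example on the page.
PUB, PRIV = make_keys(101, 113, 3533)

if __name__ == "__main__":
    y = encrypt(PUB, 9726)
    print("d =", PRIV[1], " ciphertext =", y, " decrypted =", decrypt(PRIV, y))
    print("rebuilt from n alone:", private_key_from_public(PUB) == PRIV)
```

The 14-bit modulus factors instantly, so the published key gives no protection here; the security of a real key rests on n being too large to factor.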
The Rabin cryptosystem
Let n = pq, p,q primes with p,q 3 mod 4. Let P = C = Zn*
and define K = {(n,p,q)}.
For K = (n,p,q) define $e_K(x) = x^2 \bmod n$
dK(y) = mod n
The value of n is the public key, while p,q are the private key.
y
The RSA digital signature scheme
Let n = pq, where p and q are primes.
Let P = A = Zn , and define
e,d such that ed = 1 mod (n).
Define
$\mathrm{sig}_K(m) = m^d \bmod n$
and verK(m,y) = true y = me mod n,
where (m,y) Zn.
Public key = (n,e), Private key (n,d).
The Digital Signature Algorithm
Let p be an L-bit prime, 512 L 1024 and L 0 mod 64, let q be a 160-bit prime that divides p-1 and let Zp * be a q-th root of 1 modulo p.
Let M = Zp-1, A = Zq x Zq and K = {(x,y): y = x modp }.
• The public key is p,q,,y.
• The private key is (p,q,), x.
The Digital Signature scheme
• Signing
Let m Zp-1 be a message.
For public key is p,g,,y, with y = x mod p, and secret random number k Zp-1, define: sigK(m,k) = (s,t), where
– s = (k mod p) mod q
– t = (SHA1(m)+xs)k-1mod q
• Verification
Let
– e1 = SHA-1(m) t-1 mod q
– e2 = st-1 mod q
verK(m,(s,t)) = true (e1 ye2 mod p) mod q = s.