cryptographic techniques - national taiwan universityipr/ipr2005/data...cryptographic techniques...
TRANSCRIPT
Cryptographic Techniques
Information Technologies for IPR Protections
2003/11/12 R107, CSIE Building
C. H. HUANG IN CML 2
Outline
ØData securityØ Cryptography basicsØ Cryptographic systemsØDESØ RSA
C. H. HUANG IN CML 3
Cryptography
Ø Cryptography is the science of secret writing.– A cipher is a secret method of writing, where by
plaintext (cleartext) is transformed into a ciphertext. – The process of transforming plaintext into ciphertext is
called encipherment or encryption. – The reverse process of transforming ciphertext into
plaintext is called decipherment or decryption. – Encryption and decryption are controlled by
cryptographic keys.
C. H. HUANG IN CML 4
Secret Writing
Encryption
Decryption
Plaintext CiphertextKey
C. H. HUANG IN CML 5
Attacks against Ciphers
Ø Cryptanalysis is the science and study of methods of breaking ciphers.
Ø A cipher is breakable if it is possible to determine the plaintext or key from the ciphertext, or to determine the key from plaintext-ciphertext pairs.
Ø Attacks– Ciphertext-only attack– Known-plaintext attack– Chosen-plaintext attack
C. H. HUANG IN CML 6
Cryptographic Systems
Ø A cryptographic system has five components:– A plaintext message space, M– A ciphertext message space, C– A key space, K– A familiy of enciphering transformations
Ek:MàC– A family of deciphering transformations
Dk:CàM
C. H. HUANG IN CML 7
Cryptographic Systems (cont.)
M Ek C Dk Mplaintext plaintextciphertext
Dk(Ek(m))=m ,for a key k
Ø Cryptosystem requirements:– Efficient enciphering/deciphering– Systems must be easy to use– The security of the system depends only on the
keys, not the secrecy of E or D
C. H. HUANG IN CML 8
Secure Cipher
ØUnconditionally secure– A cipher is unconditionally secure if no matter
how much ciphertext is intercepted, there is not enough information in the ciphertext to determine the plaintext uniquely.
Ø Computationally secure– A cipher is computationally infeasible to break.
C. H. HUANG IN CML 9
Secrecy Requirements
Ø It should be computationally infeasible to systematically determine the deciphering transformation Dk from intercepted c, even if corresponding m is known.
Ø It should be computationally infeasible to systematically determine m from intercepted c.
Ek C Dk MM
Mdisallowed
protected
C. H. HUANG IN CML 10
Authenticity requirements
Ø It should be computationally infeasible to systematically determine the enciphering transformation given c, even if corresponding m is known.
Ø It should be computationally infeasible to systematically find c’ such that Dk(c’) is a valid plaintext in M.
Ek C Dk MM
Mdisallowed
protected
C. H. HUANG IN CML 11
Key-distribution cryptosystem
• Encrypting &decrypting are closely tied together.• The sender and the receiver must agree on the use of a
common key before any message transmission takes place.• A safe communication channel must exist between sender and
receiver
Message Source
PEncryption
CDecryption
PReceiver
Secure key transmission
C. H. HUANG IN CML 12
Public-key Cryptosystem
In a public key cryptosystem, each participant is assigned a pair of inverse keys E and D.
Ø Different functions are used for enciphering and deciphering, one of the two keys can be made public, provided that it is impossible to generate one key from the other.
Ø E can be made public, but D is kept secret.Ø The normal key transmission between senders and receivers can be
replaced by an open directory of enciphering keys, containing the keys E for all participants.
Message Source
PEncryption
CDecryption
PReceiver
Key source 1Ek
Key source 2Dk
C. H. HUANG IN CML 13
Using Public-Key Cryptosystem to Transfer Messages SecretlyØ When a person A wishes to send a message to a
person B, the receiver’s enciphering key EB is used to generate the ciphertext EB(m). Since the key EBis freely available, anyone can then encipher a message destined for B. However, only the receivers B with access to the decipher key DB can regenerate the original text by performing the inverse transform DB(EB(m)).
C. H. HUANG IN CML 14
Digital Signature
Ø Guaranteeing authenticity.Ø Let B be the recipient of a message m signed by
A. Then A’s signature must satisfy:1. B must be able to able to validate A’s signature on m.2. It must be impossible to forge A’s signature3. If A disavow signing a message, a third party must
be able to resolve the distribute.
C. H. HUANG IN CML 15
Using Public-key Systems to Implement Digital Signatures 1. A signs m by computing c=DA(m)2. B validates A’s signature by checking
EA(c) =m3. A dispute can be judged by checking
whether EA(c) restores M in the same ways as B.
Ø Requirements:– Dk(Ek(m))=Ek(Dk(m))=m
C. H. HUANG IN CML 16
Secrecy and Authenticity in A Public-Key System
Ø EA(DB(C))=EA(DB(EB(DA(M))))=EA(DA(M))=M
DA(m)=S EB(S)=C DB(C)=S EA(S)=mm m
Transformations applied by sender
Transformations applied by receiver
C. H. HUANG IN CML 17
Reference
Ø Cryptography and Data Security, D. Elizabeth and R. Denning, Purdue University, 1998
Ø FAQ about Today’s Cryptography, RSA Laboratory, (found in www.rsa.com)
Ø The reference listed in course handout.
C. H. HUANG IN CML 18
Conventional CryptosystemsØUsing substitution transform and
permutation transform– Substitution Ciphers– Running Key Ciphers– Transposition Ciphers
(Permutation ciphers)– Stream Ciphers
C. H. HUANG IN CML 19
Substitution Ciphers
Ø Replace bits, characters, or blocks of characters with substitutes.– Example: Caesar cipherØwhich shift each letter in the English forward by K
positions (shifts past Z cycle back to A)
ØA simple substitution cipher is easy to solve by performing a frequency analysis.
C. H. HUANG IN CML 20
Running Key Ciphers
Ø The security of a substitution cipher generally increases with the key length. In a running key cipher, the key length is equal to the plaintext message.(not using a fixed key alphabet) – E.g. use the text in a book as the key sequence.
Ø The cipher may be breakable by Friedman’s method based on the observation that both plaintext and key letters are high frequency ones in natural language.
C. H. HUANG IN CML 21
Permutation Ciphers
Ø Rearrange bits or characters in the data.
Ø What is the key?Ø Attacks: frequency analysis of characters.
INFORMATION TECHNIQUES FOR IPR
I R I T N E RN O M T O E H I U S O I R
F A N C Q F P
IRITNERNOMTOEHIUSOIRFANCQFP
C. H. HUANG IN CML 22
Product Cipher
Ø A product cipher is the composition of functions F1,…,Ft, where each Fi may be a substitution or permutation.
Ø Examples of product ciphers – DES
P P
S
S
S
C. H. HUANG IN CML 23
Data Encryption Standard (DES)
Ø The National Bureau of Standards announced DES to be used in unclassified U.S. Government applications.
ØDES enciphers 64-bit blocks with a 56-bit key.
C. H. HUANG IN CML 24
DES
Ø An input block T is first transposed under an initial permutation IP, giving T0=IP(T).– E.g. t1t2…t64èt58t50…t7
Ø Then T0 is passed through 16 iterations of function f.
Ø Finally, it is transposed under the inverse permutation IP-1 to give the final result.
C. H. HUANG IN CML 25
DES (cont.)
Ø Let Ti denote the result of the ith iteration, and let Li and Ri denote the left and right halves of Ti. Then
Li=Ri-1Ri=Li-1⊕ f(Ri-1, Ki)
where ⊕ is the exclusive-or operation and K is a 48-bit key.
Ø After the last iteration, the left and right halves are not changed , but instead passed to IP-1.
C. H. HUANG IN CML 26
DES (cont.)
Ø Calculate the function F(Ri-1, Ki):1. Using bit-selection Table E to expand 32-bit Ri-1 to a
48-bit block E(Ri-1). (Similar to permutation)2. Calculate the exclusive-or of E(Ri-1) and Ki. Then
break the result into 8 6-bit blocks B1, …, B8. 3. Use each 6-bit Bj b1b2b3b4b5b6 as input to a selection
(substitution ) and return a 4-bit block Sj(Bj). b1b6àrow b2b3b4b5àcolumn
C. H. HUANG IN CML 27
DES (cont.)
Ø Key calculation– Each iteration i uses a different 48-bit key Ki derived
from the initial key K, which is input as a 64-bit block with 8 parity bits in positions 8, 16, …, 64.
– PC-1 discards the parity bits and transposes the remaining 56-bit bits to obtain PC-1(K).
– PC-1(K) is then split to C and D of 28-bits each, and circular shifted by LS. Ci=LSi(Ci-1), Di=LSi (Di-1)
– Ki=PC-2(CiDi).
C. H. HUANG IN CML 28
DES (cont.)
ØDeciphering – The same algorithm is used, except that the
order of key for each iteration is reversed. E.g. K16 is used in 1st iteration, K15 is used in 2nd
iteration….
C. H. HUANG IN CML 29
Disputes about DES
Ø 56-bit key length should be doubled?– A special purpose machine containing a million LSI
chips could try 256 keys in 1 day. The cost of this machine is about $ 20 million. Amortized over 5 years, the cost per day would be $10,000.
– The same level of security could be obtained using multiple encryption scheme.
Ø The S-box may have hidden trapdoors.– The analysis is still classified.
C. H. HUANG IN CML 30
Stream Ciphers
Ø A random number generator (typically LFSR) may be used to generate a stream of key characters, each character of the key being added to a character of the input stream to produce an output character.
⊕ Cipher stream
Message stream
Key stream⊕
Shift register
C. H. HUANG IN CML 31
Cipher Based on Computationally Difficult ProblemsØ One-way function: C=f(P)
– exponentiation and logarithm– multiplication/factoring – review of number theory
Ø NP-complete problems– A systematic deterministic solution is likely to require
exponential time in the number of inputs.
f: computationally simple
f-1:computationally difficult except in special cases when supplementary information (keys) is available
P C
C. H. HUANG IN CML 32
Diffie Hellman’s public-key cryptosystem Ø Each user i in the system has a pair of keys Xi and
Yi, whereYi=αXi mod q , 1≦Xi≦q-1, 1≦α≦q-1, q: prime number
Xi is kept secret, but Yi is made public.Ø Sender i generates the key
Kij= YjXi mod q = αXiXj mod q
from receiver j’s public key Yj and his own private key Xi.
Ø Receiver j obtains Kij similarly from Yi and Xj.
C. H. HUANG IN CML 33
Security of Diffie Hellman’sSystemØ To generate the key Kij, one of the private
keys Xi or Xj must be known.Ø To generate the Kij from Yi and Yj, a form
of logarithm below must be computed:Kij=Yi
(log Yj) mod q which is computationally difficult.
C. H. HUANG IN CML 34
The RSA Algorithm
Ø Each user selects two large prime numbers P and Q at random, and multiplies them to obtain N=P•Q. – N should be about 200 digits long and can be
made public – P and Q are kept secret.
C. H. HUANG IN CML 35
The RSA Algorithm (cont.)
ØUsing P and Q, the user computes the Euler totient function Φ(N), representing the number of positive integers relatively prime to N.–Φ(N)=Φ(P)Φ(Q) = (P-1) (Q-1)
Ø The user then chooses a quantity E less than N and relatively prime to Φ(N). The quantity E is made public.
C. H. HUANG IN CML 36
The RSA Algorithm (cont.)
Ø Given a message M to be enciphered, M is broken down into a sequence of quantities M1, M2, …, Mp, where each component Mi is represented by an integer between 0 and N-1. The enciphering is now done separately on each block Mi using the public information E and N to generate a cryptogram Ci as – Ci=Mi
E mod N – at most 2.Log2(N) multiplications are required
C. H. HUANG IN CML 37
The RSA Algorithm (cont.)
ØUsing the secret informationΦ(N), the user can easily compute a quantity D such that E.D=1 modΦ(N) (deciphering key). I– E.D=1 modΦ(N)=KΦ(N)+1– D=KΦ(N)+1/E.
C. H. HUANG IN CML 38
The RSA Algorithm (cont.)
Ø By Fermat’s theorem: MΦ(N)mod N =1 mod N, or MKΦ(N)+1 mod N =M mod N.
ØDeciphering procedure:Ci
D mod N = Mi
ED mod N = Mi
KΦ(N)+1 mod N = Mi mod N = Mi
C. H. HUANG IN CML 39
Using RSA
Ø Suppose user A want to send a message m to user B. User A creates the ciphertext c by c = mE mod N, where E and N are user B’s public key.
Ø User A sends c to user B.Ø User B decrypts c by calculate m = cD mod N. The
relation bewteen D and E ensures that B correctly recovers m.
Ø Since only B knows D, only B can decrypt the message.
C. H. HUANG IN CML 40
Attacks against RSA
ØAttacks to recover all messages for a given key – Factor the public modulus N to P and Q.With
P,Q, and E, the attacker can easily compute D. ØAttacks to recover a message
– Guessed-plaintext attacks.– This attacks can be defeated by appending
random bits.
C. H. HUANG IN CML 41
Security of RSA
Ø The size of a key in the RSA algorithm typically refers to the size of the modulus N. The two primes P and Q should be roughly equal length.
Ø The longer the key size, the greater the security, but also the slower the RSA algorithm.
Ø The 512-bit RSA-155 was factored in seven month during 1999.
Ø The RSA lab currently recommends key sizes of 1024 bits for corporate use.