introduction to cryptography and security mechanisms: unit 5 theoretical v practical security dr...

Introduction to Cryptography and Security Mechanisms:

Unit 5

Theoretical v Practical Security

Dr Keith Martin

McCrea 349 01784 443099

[email protected]

Introduction to Cryptography and Security Mechanisms 2005

2

Learning Outcomes

• Explain the concept of perfect secrecy• Recognise that there exists “unbreakable”

ciphers• Appreciate the limitations of theoretical

security• Identify some of the issues involved in

assessing practical security• Recognise that there are two significantly

different levels of computational complexity• Formulate a notion of practical security


3

Sections

1. Perfect secrecy

2. Practical security

1. Perfect secrecy


5

An “attack” on the plaintext

We have seen that there is one attack that can always be launched against a cipher system to obtain the decryption key – an exhaustive key search.

There is however another “attack” that can always be launched against a cipher system that does not involve trying to obtain the decryption key.

What is it?


6

Perfect secrecy

A cipher system is said to offer perfect secrecy if, on seeing the ciphertext the interceptor gets no extra information about the plaintext than he had before the ciphertext was observed.

In a cipher system with perfect secrecy the interceptor is “forced” to guess the plaintext.

Note however that there may be practical attacks that are better than guessing the plaintext.


7

Simple one-time pad

Consider a simple scenario where there are only two possible plaintexts: BUY and SELL

Why is the simple substitution cipher a bad choice in this case?


8

Simple one-time pad

Key k1Ek1(BUY) = 0 Ek1(SELL) = 1

Key k2Ek2(BUY) = 1 Ek2(SELL) = 0

Each key must be equally likely to be chosen


9

One-time pad

• The number of possible keys is equal to the number of possible plaintexts

• The key is selected at random from the choice of all possible keys

• Any key should only be used once

There are many different versions and ways of describing the perfectly secure cipher system most often described as the one-time pad. However these all have the same three essential properties:


10

One-time pad

Why is the one-time pad “one-time”?

(In other words, why must the key only be used once?)

The one-time pad is important to understand. Make sure that you attempt Exercises 2 and 3 for this unit.


11

One-time pad questions

1. What should be done with a one-time pad key after it has been used to encrypt a plaintext?

2. How can random keys of the length required by the one-time pad be generated in practice?

3. In what type of situations is the one-time pad practical to use?


12

Stream ciphers

Although the one-time pad is rather impractical to implement in most real systems, its desirable security properties make it attractive to “simulate”.

Stream ciphers attempt to simulate the one-time pad by using short keys to generate longer keys that can then be used in a one-time pad encryption.

2. Practical security


14

More wise words

A theoretically secure cipher system may not be secure in practice

A theoretically breakable cipher system may be secure in practice


15

Cover time

How do we formulate a notion of practical security?

The cover time of a plaintext is the length of time for which the plaintext must be kept secret.

Clearly the cover time of different data items is likely to vary considerably:

Cover time for a daily password might simply be twenty-four hours.

Cover time for some stored government records could be one hundred years.


16

Cover time

Ensure that no known attacks on the cipher system can be conducted in less than the cover time of the plaintext.

A good design principle is thus:

Given that there might be attacks that you don’t know about, take some time to write down a strategy for trying to minimise your exposure to the risks of unknown attacks.

What kind of things should you do?

What procedures might you put in place?


17

The challenge of cryptography

If we are going to have to use a cipher system that is theoretically breakable, the challenge of cryptography is to design cipher systems that appear to require longer than any required cover time to break.

Cryptographers normally design cipher systems that are theoretically breakable, but where the theoretical break is based on overcoming a problem that is perceived to be hard to solve.

So what does it mean for a problem to be hard?


18

Complexity

• The complexity of an algorithm gives, for each possible “length of input” to the algorithm, the maximum “time” that might be needed to run the algorithm for that “length of input”.

• The “length of input” is usually measured in terms of the number of bits of input.

• The “time” is usually measured in terms of the number of basic computer operations (such as adding two bits) that it takes to run the algorithm. This time is usually an approximation, and is not an attempt to measure the number of operations precisely.


19

ComplexityOperation Complexity Comments

Addition of two n-bit numbers

n Essentially one addition for every bit in the lengths of the inputs.

Multiplication of two n-bit numbers

n2 Computer multiply in a similar way to “long multiplication” – essentially n additions.

Raising a number to an n-bit power

n3 Repeated Squares:

n operations, each either a squaring or a multiplication.

Exhaustive key search for n-bit key

2n Trying out every n-bit key.


20

Polynomial v Exponential time

• Complexity is a polynomial in n (of the form nr)

• Computers can “easily” run algorithms that run in polynomial time

• As n increases, the length of time necessary to run the algorithm increases “steadily”

• Complexity is exponential in n (of the form r n)

• Computer have “difficulty” running algorithms that run in exponential time

• As n increases, the length of time necessary to run the algorithm increases “dramatically”


21


Is multiplication always efficient to compute?

Is an exhaustive search always difficult to conduct?

What about Moore’s Law?

Find out what the latest version of Moore’s Law is – how much faster will computer processors be in 2010?


22

Real computational time

First make an estimate of your computer speed (number of operations per second).

Then real time to run algorithm on an n-bit input is:

Time complexity function evaluated at n ________________________________ secs

Computer speed


23

Example real time computation

Exhaustive search has complexity 2n.

Thus if our computer is capable of processing one million operations per second then an exhaustive search for a 30-bit key will take:

230

__ seconds

106

Since 230 is approximately 109, the real time search will take approximately

103 = 1000 seconds,

in other words approximately 17 minutes.


24


Complexity n=10 n=30 n=50

n 0.00001 secs

0.00003 secs

0.00005 secs

n3 0.001 secs 0.027 secs 0.125 secs

2n 0.001 secs 17.9 mins 37.7 years

3n 0.059 secs 6.5 years 200 000 000 centuries

Note the dramatic difference in rate of increase:


25

Limitations of complexity theory

• There may be unknown theoretical attacks• The key space may not be as big as you think• Complexity only gives you the general case• Memory / processing tradeoffs• Key management problems

Establishing the complexity of any known attacks on a cipher system is important and useful, but brings no guarantees of practical security:


26

Related exercises

Practice some real computational time calculations by conducting Exercise 4 for this unit.

Discover why the size of a key space can be deceiving by conducting Exercise 6 for this unit.


27

Defining practical security

• Assessing the likely computing power of an adversary• Determining the complexity of known attacks• Evaluating the effectiveness of the key management

processes• Forming a notion of what levels of risk to accept

Defining practical security (of a cipher system) is extremely difficult and it could be argued that this whole MSc programme is all about training you to try to form your own notions about the meaning of practical security.

For a cipher system, issues that it involves include:


28

Summary• The one-time pad is effectively the only example of a

perfectly secure (unbreakable) cipher.• It is impossible to guarantee the security of a cipher

system. Even if it is theoretically secure, it may be insecure in practice.

• It can be quite acceptable in practice to use cipher systems that are theoretically breakable.

• Every attempt should be made to formulate a notion of practical security for a given environment. This will inevitably involve tradeoffs, estimates and evaluations of what levels of risk to accept. Formulating this notion will be difficult.

• Regardless of whether a cipher system offers theoretical or practical security, the most likely way in which it will be “broken” is through bad key management processes.

introduction to cryptography and security mechanisms: unit 5 theoretical v practical security dr...

Documents

security mechanisms

onetime pad onetime

pad practical

onetime pad questions

perfect secrecy slide

decryption key

concept of perfect secrecy

key k2e k2 buy