Jan/Feb 2002 Cryptography 1
Cryptography: Mathematical Foundations, Algorithms, and Protocols
Klaus Köhler
Munich University of Applied Sciences
Fachhochschule München
E-Mail: [email protected]
Home Page: http://www.cs.fhm.de/~koehler
pgp key fingerprint: 8F 2A 16 D9 6A BF 2B F6 77 C2 39 82 1F D3 69 F4
X.509 Certificate: http://www.trustcenter.de/cgi-bin/Search.cgi
Klaus Köhler Cryptography 2
Contents
• Requirements of IT-Security
• Overview of Symmetric and Asymmetric Ciphers
• Classical Ciphers
• Stream Ciphers
• Block Ciphers
• Asymmetric Ciphers
• Random Number Generators
• Prime Number Generators
• Hash Functions
with mathematical foundations interspersed
Not contained: Information Theory, Cryptanalysis
Secure Transport (diagram)
Traditional mail: a letter from K. Köhler, FHM, Munich, 2002-1-26, to Crypto&Co., Random Road 13, with the order "1 Cryptoboard 4711 € 249,-; 1 Card Reader 4712 € 49,-", signed K. Köhler; letter box, sender, time stamp, signature.
E-mail: confidentiality, privacy and secrecy rest on a one-way trapdoor function (with key).
Traditional mail: security measures bound to the physical medium.
E-mail: security measures bound to the message.
Goals of Cryptography
• Privacy, Secrecy, Confidentiality: only the intended receiver shall be able to read the data. (envelope)
• Integrity: the receiver can check whether the transmitted data have been modified. (untampered envelope)
• Authenticity: the receiver can check that the data were generated by the sender. (known handwriting, style, voice)
• Liability (Non-repudiation): the receiver can prove that the data came from the sender. (signature)
Goals of IT-Security (Jerome Saltzer and Michael Schroeder)
• Privacy. A socially defined ability of an individual or organization to determine whether, when, and to whom personal or organizational information is to be released.
• Security. Techniques that control who may use or modify the computer or the information within it.
• Protection. The security techniques that control the access of executing programs to stored information.
• Integrity. Techniques that control the reliability of information storage and computing service despite accidental failure of individual components and programs.
• Reliability. A system is reliable if failures do not seriously impair its satisfactory operation.
Symmetric Encryption Model (diagram)
Alice (source, sender) encrypts the plaintext X with key K to the ciphertext Y; Bob (drain, receiver) decrypts Y with the same key K; a key generator supplies K to both. The opponent sees Y and uses cryptanalysis to obtain X or K.
• passive cryptanalyst Eve: eavesdropper
• active cryptanalyst Mallet: malicious attacker
• ciphertext-only attack: determine plaintext or key from ciphertext
• known plaintext attack: determine key from a plaintext/ciphertext pair
• chosen plaintext attack: determine key from chosen plaintext/ciphertext pairs
Key Distribution in Symmetric Systems
Key Distribution Problem: An authentic shared secret key must be exchanged prior to usage; spontaneous communication is impossible.
n(n-1) keys for n participants, most of which are never used: only suited for small groups.
Solution: Active trust center (key distribution center)
(diagram) The trusted party Trent keeps a key directory (name, key: Alice 4711, Bob \8%ö, ...). He sends E_KAlice(Ksession) to the sender Alice and E_KBob(Ksession) to the receiver Bob; Alice then sends E_Ksession(msg) to Bob.
Only one key for each participant exchanged with Trent. Problem: the key directory must be secret and authentic.
Symmetric Encryption with Key Distribution (diagram)
As in the symmetric encryption model, but the key generator is a trust center that certifies the session key: Alice (source, sender) encrypts the plaintext X to the ciphertext Y with the session key K, Bob (drain, receiver) decrypts with the same session key K.
Asymmetric Encryption Model (diagram)
Symmetric system: Alice encrypts X with key K to Y, Bob decrypts Y with the same key K.
Asymmetric system: Alice encrypts with K = PubKey(Bob), Bob decrypts with K' = PrivKey(Bob).
K = public key of the receiver, K' = private (secret) key of the receiver. K' cannot be determined from K (within a limited time span). K must be authentic, i.e. belong to the receiver.
Key Distribution in Asymmetric Systems
Key Distribution Problem: The sender has to know the public key of the receiver. The receiver's public key must be authentic.
Solution: Passive trust center (like a telephone book)
Only one public key for each participant is sent to Trent. Problem: the public directory must be authentic.
(diagram) Public directory Trent (name, pubkey: Alice 4711, Bob \8%ö, ...). Alice obtains KBob = \8%ö, authentic (notification), and sends cipher = E_KBob(msg); Bob, holding the private key K'Bob, computes msg = D_K'Bob(cipher).
Authentication in Symmetric Systems
Prerequisite: Sender and receiver share a secret key.
Message redundant: like encryption. Alice sends cipher = E_K(msg); Bob computes D_K(cipher) and checks: sensible?
Message not redundant, e.g. a compressed file: insert redundancy. Alice sends (msg, cipher); Bob checks msg = D_K(cipher)?
Problems:
1. Alice and Bob must trust each other, as both can generate the same messages: no proof of origin, no non-repudiation, no liability.
2. Twice as much data transferred.
Solutions:
1. Complicated protocol involving a trusted arbiter.
2. Replace the cipher with sighash = E_K(H(msg)), using a hash function H that compresses msg to a short, fixed-length fingerprint H(msg). Alice sends (msg, sighash); Bob checks H(msg) = D_K(sighash)?
Authentication in Asymmetric Systems
With trusted party (authentic public directory), e.g. S/MIME, X.509: public directory Trent (name, pubkey: Alice 4711, Bob \8%ö, ...); KAlice = 4711 is authentic, Alice holds the private key K'Alice.
Digital Signature:
• message redundant: Alice sends sigmsg = D_K'Alice(msg); Bob computes msg = E_KAlice(sigmsg) and checks: sensible?
• not redundant: Alice sends (msg, sighash) with sighash = D_K'Alice(H(msg)); Bob checks H(msg) = E_KAlice(sighash)?
Proof of origin established, since only Alice could create sigmsg or sighash.
Without trusted party, e.g. Pretty Good Privacy (pgp): the trusted third party Trent is replaced by a web of trust = closed group of people who sign the public keys of friends.
Confidentiality and Digital Signature (diagram)
Asymmetric system with an opponent performing cryptanalysis on Y and a trust center that certifies the keys.
Confidentiality: K = PubKey(Bob), K' = PrivKey(Bob).
Digital Signature: K = PrivKey(Alice), K' = PubKey(Alice). The plaintext X is hashed to the fingerprint H(X), the fingerprint is signed, and the receiver recomputes H(X) and compares it with the fingerprint recovered from the digital signature (OK: yes/no).
Combination of Confidentiality and Authentication in Asymmetric Systems
With trusted party (authentic public directory): public directory Trent (name, pubkey: Alice 4711, Bob \8%ö, ...); KAlice = 4711 and KBob = \8%ö are authentic; Alice holds K'Alice, Bob holds K'Bob.
• not redundant: Alice sends (cipher, sighash) with cipher = E_KBob(msg) and sighash = D_K'Alice(H(msg)); Bob computes msg = D_K'Bob(cipher) and checks H(msg) = E_KAlice(sighash)?
• redundant msg: Alice sends ciphsigmsg = E_KBob(D_K'Alice(msg)); Bob computes msg = E_KAlice(D_K'Bob(ciphsigmsg)) and checks: sensible?
Combination of Symmetric and Asymmetric Systems
Symmetric crypto systems
• are about 1000 times faster than asymmetric ones,
• suffer from key distribution problems,
• are less suited for authentication, in particular digital signatures.
Use symmetric systems for bulk data encryption with session keys.
Use asymmetric systems for key distribution, e.g. session key agreement or encryption, and for digital signatures.
Hashing is even faster than symmetric encryption: apply hash functions before digitally signing a message.
Cryptographic Building Blocks
• Symmetric Ciphers (bulk data encryption)
  – Block ciphers
  – Stream ciphers
• Asymmetric Ciphers
  – encryption of small quantities, e.g. symmetric keys (confidentiality)
  – digital signatures
• Random Generators
  – Key generation (asymmetric, symmetric)
  – Authentication, e.g. challenges and nonces
• Prime Number Generators (for asymmetric ciphers)
• Hash Functions
  – fixed, e.g. MD5, SHA-1, RIPE-MD
  – keyed (often a combination of block and stream ciphers)
Classical Ciphers, Taxonomy
Transposition: Permutation of character positions (Skytala)
Substitution: Replacement of syntactic units (characters, blocks)
• Monographic: Replacement of single characters
  – Monoalphabetic (simple substitution): Deterministic replacement (additive, multiplicative, affine)
  – Homophone: Probabilistic replacement
  – Polyalphabetic: Position determines substitution (Vigenère Cipher)
  – Stream Cipher: Position (and state) determines substitution (Vernam Cipher)
• Polygraphic Substitution: Replacement of character sequences (Hill Cipher)
  – Block Cipher: Deterministic replacement of (fixed length) blocks
(The slide shows this as a tree: Transposition | Substitution, the latter split into monographic (monoalphabetic: additive, multiplicative, affine; homophone; polyalphabetic; stream cipher) and polygraphic (block cipher).)
Transposition Ciphers
Skytala:
• wind a parchment tape around a roll
• write the plaintext in a row and read it column by column, i.e. unwind the tape
• key k = |rows| = diameter
Example on the slide: the plaintext THE SKYTALA OF SPARTA written in the rows THE / SKY / TAL / AOF / SPA / RTA and read column by column gives the tape TSTASR HKAOPT EYLFAA.
Transposition Cipher = block cipher E_K: X^m -> X^m, E_K(a_0 ... a_(m-1)) = a_π(0) ... a_π(m-1)
Plaintext = ciphertext alphabet = X (block size m = matrix size = whole text)
Permutation π ∈ S_m of the positions {0,...,m-1}
• Positions of letters changed: the ciphertext contains the same letters with the same frequencies
• Bigrams, e.g. "th", are separated by k letters (distance = key)
Diffusion = breaking local dependencies
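The Skytala as a columnar transposition, as an added example that is not part of the lecture's code: it writes the plaintext into k rows, reads the columns as the tape, and decrypts by rebuilding the grid. It reproduces the slide's example (plaintext THE SKYTALA OF SPARTA, six rows, tape TSTASR HKAOPT EYLFAA), handles a ragged last row, and checks the two properties stated above: the letters and their frequencies are unchanged, and neighbouring plaintext letters end up k positions apart on the tape.

```python
# Added example (not the lecture's own code): the Skytala as a columnar
# transposition with key k = number of rows, handling a ragged last row.

def skytala_encrypt(plaintext, k):
    """Write the text row by row into k rows, then read it column by column
    (unwinding the tape)."""
    cols = -(-len(plaintext) // k)                       # ceil(len / k)
    rows = [plaintext[i * cols:(i + 1) * cols] for i in range(k)]
    return "".join(row[c] for c in range(cols) for row in rows if c < len(row))

def skytala_decrypt(ciphertext, k):
    """Rebuild the grid column by column, then read it row by row."""
    length = len(ciphertext)
    cols = -(-length // k)
    row_len = [max(0, min(cols, length - i * cols)) for i in range(k)]
    grid = [[""] * n for n in row_len]
    chars = iter(ciphertext)
    for c in range(cols):
        for i in range(k):
            if c < row_len[i]:
                grid[i][c] = next(chars)
    return "".join("".join(row) for row in grid)

def same_letters(plaintext, ciphertext):
    """A transposition keeps every letter and its frequency; only positions move."""
    return sorted(plaintext) == sorted(ciphertext)

def neighbour_distance(plaintext, k, j):
    """Distance on the tape between plaintext letters j and j+1 of the same
    (full) row: it equals the key k, which a bigram analysis would reveal."""
    cols = -(-len(plaintext) // k)
    assert (j + 1) % cols != 0, "j and j+1 must lie in the same row"
    pos = lambda idx: (idx % cols) * k + idx // cols     # grid -> tape position
    return pos(j + 1) - pos(j)

if __name__ == "__main__":
    tape = skytala_encrypt("THESKYTALAOFSPARTA", 6)
    print(tape, skytala_decrypt(tape, 6))
```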
Additive Substitution Ciphers
Caesar Cipher:
• Replace each letter by the letter k=3 positions away in the alphabet: A->D, B->E, ..., W->Z, X->A, Y->B, Z->C
• Example: SECRET -> VHFUHW
Additive Cipher E_k: X -> X, E_k(a) = (a + k) mod n (with encoding A->0, B->1, ...)
Plaintext = ciphertext alphabet = X = {0,...,n-1}
Key k ∈ Z_n = {0,...,n-1}: the small key space enables a brute force attack
Properties
• Replace letters (not positions): plaintext letters appear with the same frequencies as their substitutes in the ciphertext; plaintext pairs (bigrams), triples, etc. appear with the same frequencies as their corresponding substitutes in the ciphertext
• Example (ciphertext frequencies): H: 2, U: 1, ... probably E->H, k=3
Multiplicative Substitution Ciphers
Multiplicative Cipher E_k: X -> X, E_k(a) = a·k mod n; plaintext = ciphertext alphabet = X = {0,...,n-1}
Not all keys k ∈ {0,...,n-1} are valid, since E_k must be invertible (injective).
Example: X = {0,...,25}, n=26, k=13:
• A->0: E_k(0) = 0·13 mod 26 = 0 -> A
• C->2: E_k(2) = 2·13 mod 26 = 0 -> A; not injective, decryption impossible
Proposition:
E_k: X -> X, E_k(a) = a·k mod n is invertible iff n and k are relatively prime, i.e. gcd(n,k) = 1.
The inverse key k^-1 mod n can be determined by the extended Euclidean algorithm.
Example: n=26
• encryption k = 9: SECRET = 18 4 2 17 4 19 -> 6 10 18 23 10 15 = GKSXKP
• decryption k^-1 = 3, since 9·3 mod 26 = 1
Excursion: Modular Arithmetic
Z_n = {0,1,...,n-1} with addition a+b := (a+b) mod n is a commutative group, i.e. the following axioms hold for all a,b,c ∈ Z_n:
– a+b ∈ Z_n (closed)
– (a+b)+c = a+(b+c) (associative)
– a+b = b+a (commutative)
– 0+a = a (neutral element)
– (n-a)+a = 0 (inverse element: n-a is inverse to a)
Z_n = {0,1,...,n-1} with multiplication a·b := (a·b) mod n is a commutative semigroup with neutral element, i.e. the following axioms hold for all a,b,c ∈ Z_n:
– a·b ∈ Z_n (closed)
– (a·b)·c = a·(b·c) (associative)
– a·b = b·a (commutative)
– 1·a = a (neutral element)
The inverse element need not exist, e.g. 2 ∈ Z_26 is not invertible, but 9 is: 9^-1 = 3 because 9·3 = 27 mod 26 = 1 = neutral element.
Excursion: Modular Arithmetic, cont.
Definition: a, b are called relatively prime if gcd(a,b) = 1.
Euclidean Algorithm (for determining the greatest common divisor)
• Idea: gcd(a,b) = gcd(b,a-b) and hence gcd(a,b) = gcd(b, a mod b); apply this transformation iteratively until b=0, obtaining gcd(a,0) = a
• Example: gcd(26,9) = gcd(9, 26 mod 9) = gcd(9,8) = gcd(8, 9 mod 8) = gcd(8,1) = gcd(1, 8 mod 1) = gcd(1,0) = 1

    int gcd(int a, int b) { // Euclidean Algorithm for integers
        int g = a, q = b, r;
        while (q != 0) { // Invariant: gcd(a,b) = gcd(g,q) && q != 0; Variant: |q|
            r = g % q;   // gcd(a,b) = gcd(g,q) = gcd(q,g%q) = gcd(q,r)
            g = q;       // |r| < |q| = |g|
            q = r;       // gcd(a,b) = gcd(g,q), |q| < |q_old|
        } // q = 0 and gcd(a,b) = gcd(g,q), i.e. gcd(a,b) = gcd(g,0) = g
        return g;
    }
Excursion: Modular Arithmetic, cont.
Proposition: gcd(a,b) can be expressed as a linear combination of a and b:
for all integers a, b there exist integers a', b' such that gcd(a,b) = a'·a + b'·b
Extended Euclidean Algorithm (for determining the linear coefficients)
• Idea: Start the Euclidean Algorithm with a = g = 1·a + 0·b, b = q = 0·a + 1·b and apply the Euclidean transformations of g and q to the corresponding coefficients as well.
• Example: gcd(9,26)
Excursion: Extended Euclidean Algorithm

    int gcdExt(int a, int b, int& ga, int& gb) {
        int g, q, qa, qb, d, r, ra, rb;  // auxiliary variables
        g = a; ga = 1; gb = 0;           // g = ga * a + gb * b
        q = b; qa = 0; qb = 1;           // q = qa * a + qb * b
        while (q != 0) { // Variant: |q|
            // Invariant: g = ga * a + gb * b
            //            q = qa * a + qb * b
            //            q != 0 and gcd(a,b) = gcd(g,q)
            d = g / q; r = g % q;                // r = remainder of division of g by q = g - d * q
                                                 // gcd(a,b) = gcd(g,q) = gcd(q,g%q) = gcd(q,r)
            ra = ga - d * qa; rb = gb - d * qb;  // r = ra * a + rb * b
            g = q; ga = qa; gb = qb;             // g = ga * a + gb * b
            q = r;                               // gcd(a,b) = gcd(g,q)
            qa = ra; qb = rb;                    // q = qa * a + qb * b
        } // q = 0 and gcd(a,b) = gcd(g,q), g = ga * a + gb * b
          // i.e. gcd(a,b) = gcd(g,0) = g = ga * a + gb * b
        return g;
    }
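The additive and multiplicative ciphers of the previous slides together with the extended Euclidean algorithm, as an added example that is not part of the lecture's code: it generalises both to the affine substitution E(a) = (mult·a + add) mod 26, derives the decryption key mult^-1 from the same loop as gcdExt above, rejects non-injective keys such as 13, and reproduces the slides' SECRET -> VHFUHW (k = 3) and SECRET -> GKSXKP (k = 9). The function names and the ALPHABET constant are this example's own.

```python
# Added example (not the lecture's own code): additive, multiplicative and affine
# substitution on Z_26 with the key inverse from the extended Euclidean algorithm.
# Reproduces the slides' SECRET -> VHFUHW (k = 3) and SECRET -> GKSXKP (k = 9).

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
N = len(ALPHABET)          # n = 26, encoding A -> 0, B -> 1, ...

def gcd_ext(a, b):
    """Extended Euclidean algorithm: returns (g, a', b') with
    g = gcd(a, b) = a' * a + b' * b (same loop as the slides' gcdExt)."""
    g, ga, gb = a, 1, 0    # g = ga * a + gb * b
    q, qa, qb = b, 0, 1    # q = qa * a + qb * b
    while q != 0:
        d, r = divmod(g, q)                     # r = g - d * q
        ra, rb = ga - d * qa, gb - d * qb       # r = ra * a + rb * b
        g, ga, gb = q, qa, qb
        q, qa, qb = r, ra, rb
    return g, ga, gb

def mod_inverse(k, n):
    """k^-1 mod n, which exists iff gcd(k, n) = 1."""
    g, k_inv, _ = gcd_ext(k, n)
    if g != 1:
        raise ValueError(f"{k} is not invertible modulo {n} (gcd = {g})")
    return k_inv % n

def affine_encrypt(text, mult=1, add=0):
    """E(a) = (mult * a + add) mod n. mult = 1 gives the additive (Caesar)
    cipher, add = 0 the multiplicative cipher; mult must be a valid key."""
    mod_inverse(mult, N)           # rejects non-injective keys such as 13
    return "".join(ALPHABET[(mult * ALPHABET.index(c) + add) % N] for c in text)

def affine_decrypt(text, mult=1, add=0):
    """D(b) = mult^-1 * (b - add) mod n."""
    inv = mod_inverse(mult, N)
    return "".join(ALPHABET[inv * (ALPHABET.index(c) - add) % N] for c in text)

def letter_frequencies(text):
    """Substitution preserves frequencies, so the most frequent ciphertext letter
    is the image of the most frequent plaintext letter (H: 2 in VHFUHW)."""
    counts = {}
    for c in text:
        counts[c] = counts.get(c, 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])))

if __name__ == "__main__":
    print(affine_encrypt("SECRET", add=3))     # Caesar, k = 3
    print(affine_encrypt("SECRET", mult=9))    # multiplicative, k = 9
    print(mod_inverse(9, N))                   # 3, since 9 * 3 = 27 = 1 mod 26
```

Python's `%` always returns a non-negative residue, so the subtraction in affine_decrypt needs no extra correction; in C the same expression would need `((x % n) + n) % n`.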
Excursion: Modular Arithmetic, cont.
Corollary 1
• a ∈ Z_n := {0,1,...,n-1} with multiplication modulo n is invertible iff a and n are relatively prime, i.e. gcd(a,n) = 1
• a^-1 can be determined by the extended Euclidean algorithm
Corollary 2
Z_n* := {a ∈ Z_n | a invertible} = {a ∈ Z_n | gcd(a,n) = 1} with multiplication modulo n is a group. Z_n* = Z_n \ {0} = {1,...,n-1} iff n is prime.
Euler's Totient Function
• For n ∈ N, Euler's phi function φ(n) counts the natural numbers i < n relatively prime to n: φ(n) = |{i | 0 < i < n, gcd(i,n) = 1}|. φ(n) gives the number of invertible elements of Z_n: φ(n) = |Z_n*|
• n = p prime: φ(p) = p-1
• n = p^2, p prime: φ(p^2) = p(p-1)
• n = pq, p,q prime, p ≠ q: φ(pq) = (p-1)(q-1)
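Corollary 2 and the totient formulas checked by enumeration, as an added example that is not part of the lecture's code: it computes Z_n* and φ(n) straight from the definition on the slide, verifies closure and inverses in Z_n* (using Python's built-in modular inverse pow(a, -1, n) rather than the extended Euclidean algorithm), and confirms that Z_n* = Z_n \ {0} exactly for prime n. The helper names are this example's own; the primes used are small constructed values.

```python
# Added example (not the lecture's own code): Euler's totient by the definition
# phi(n) = |{i | 0 < i < n, gcd(i,n) = 1}|, the unit group Z_n*, and the three
# formulas for phi(p), phi(p^2) and phi(p*q) checked on small constructed primes.
from math import gcd

def units(n):
    """Z_n* = {a in Z_n | gcd(a, n) = 1}: exactly the invertible elements."""
    return [a for a in range(1, n) if gcd(a, n) == 1]

def phi(n):
    """Euler's totient: phi(n) = |Z_n*|."""
    return len(units(n))

def is_prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

def is_multiplicative_group(n):
    """Closure and existence of inverses in Z_n* under multiplication mod n
    (Corollary 2); pow(a, -1, n) is Python's modular inverse."""
    u = units(n)
    members = set(u)
    closed = all((a * b) % n in members for a in u for b in u)
    inverses = all((a * pow(a, -1, n)) % n == 1 for a in u)
    return closed and inverses

def units_are_all_nonzero(n):
    """Z_n* = Z_n \\ {0} holds exactly when n is prime."""
    return units(n) == list(range(1, n))

def totient_formulas_hold(p, q):
    """phi(p) = p-1, phi(p^2) = p(p-1), phi(pq) = (p-1)(q-1) for primes p != q."""
    assert is_prime(p) and is_prime(q) and p != q
    return (phi(p) == p - 1 and phi(p * p) == p * (p - 1)
            and phi(p * q) == (p - 1) * (q - 1))

if __name__ == "__main__":
    print(units(26), phi(26))          # 12 invertible elements; 2 and 13 are missing
```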
Excursion: Rings and Fields
Z is a commutative ring, i.e. the following axioms hold for all a,b,c ∈ Z:
– Z is a commutative group with respect to addition
– Z is a commutative semigroup with respect to multiplication
– (a+b)·c = a·c + b·c (distributive)
Z_n = {0,1,...,n-1} with modular addition and multiplication is a commutative ring, too.
Z is a Euclidean ring, i.e. division is almost possible: for all a,b ∈ Z, a ≠ 0, there exist q,r ∈ Z such that b = q·a + r and r = 0 or |r| < |a|.
Z_n is not Euclidean.
• For primes p, Z_p is a Galois field, i.e.
  – Z_p is a commutative ring with respect to addition and multiplication
  – Z_p* = Z_p \ {0} = {1,...,p-1} is a group with respect to multiplication
(If n = p·q is not prime, p ≠ 1 and q ≠ 1 are not invertible, since p·q = n = 0 ∈ Z_n.)
Z is not a field, since the only multiplicatively invertible elements of Z are 1 and -1.
Excursion: Rings and Fields, cont.
Definition of substructures: U < S
A subset U of an algebraic structure (group / ring / field) S is called a substructure (subgroup / subring / subfield) if it is a group / ring / field with respect to the operations of the superstructure S.
Examples of substructures
• Subgroup: 2Z < Z with respect to addition. The multiplicative group Z_5* = {1,2,3,4} has the subgroups {1}, {1,4}, Z_5*.
• Subring: 2Z < Z with respect to addition and multiplication. The ring Z_6 = {0,1,2,3,4,5} has the proper subrings {0}, {0,3}, {0,2,4}.
• Subfield: … < … with respect to addition and multiplication
Order of structures: |U| divides |S|
• The number of elements of an algebraic structure S is called its order |S|.
• The order of a substructure U of a finite algebraic structure S is a divisor of the order of S: |U| | |S|
Excursion: Rings and Fields, cont.
Construction of finite fields (Galois fields)
The field Z_p was constructed from the Euclidean ring Z, addition + and multiplication · being defined modulo a prime p.
Theorem: Let R be a Euclidean ring and p ∈ R a prime element (p is not invertible and has no proper divisors). Then R with addition + and multiplication · modulo p is a field R/p·R. (Abbreviation: Z_p := Z/p·Z)
Proof parallels the proof of Z_p being a field.
Corollary
• Let F be a field and p(x) a prime (irreducible) polynomial of the ring of polynomials F[x]. Then F[x]/p(x)·F[x] is a field. In particular Z_q[x]/p(x)·Z_q[x] is a field if q is prime in Z and p(x) is prime in Z_q[x].
Proof: Polynomial division in F[x] yields a residue of smaller degree. Hence F[x] is Euclidean. Inverse elements are determined by the extended Euclidean algorithm.
Excursion: Rings and Fields, cont.
Example
• q = 2 is prime and p(x) = x^3 + x^2 + 1 ∈ Z_2[x] is irreducible. Therefore Z_2[x]/p(x)·Z_2[x] is a field.
• Elements can be reduced modulo p(x): 8 polynomials of degree < 3: 0, 1, x, x+1, x^2, x^2+1, x^2+x, x^2+x+1
• Powers of x: x, x^2, x^3 = x^2+1, x^4 = x^2+x+1, x^5 = x+1, x^6 = x^2+x, x^7 = 1. The multiplicative group of Z_2[x]/p(x)·Z_2[x] is generated by x.
Excursion: Rings and Fields, cont.
Theorem
1. The only finite fields (up to isomorphism) are Z_q and Z_q[x]/p(x)·Z_q[x], where q is prime in Z and p(x) is prime in Z_q[x].
2. The multiplicative group of a finite field is cyclic, i.e. generated by a primitive element.
3. The prime field Z_q is a subfield of Z_q[x]/p(x)·Z_q[x].
4. Z_q[x]/p(x)·Z_q[x] is a vector space over its prime field Z_q.
5. Z_q[x]/p(x)·Z_q[x] has q^n elements, n = degree(p(x)): |Z_q[x]/p(x)·Z_q[x]| = q^n.
6. For every prime q and every degree n there exist irreducible polynomials p(x) in Z_q[x].
7. For every prime power q^n there is exactly one field with q^n elements (up to isomorphism).
Proof: For 1, 2, and 6 see any algebra book. The other proofs are left as exercises.
Stream Ciphers
• Properties
  – Encryption unit = bit, character, or block
  – Encryption of one unit can influence the following unit
• Simplest Model: independent encryption
  – Vernam Cipher = One-time Pad
    • Encryption unit = 1 bit
    • Substitution = XOR with running key k_i
    • Unbreakable (absolutely secure) for a real random generator
    • Key length ≥ plaintext length
    • Secret key transmitted in advance
(diagram: plaintext X -> substitution E_i -> ciphertext Y; the running key generator, driven by a trigger, supplies k_i)
Stream Ciphers, cont.
• Practically Used Model (RC4, OFB Mode of Block Ciphers)
  – Pseudo-random Generator
  (diagram: key K and a trigger drive a state S with a transition function; the state yields the running key k_i; plaintext X -> substitution E_i -> ciphertext Y)
• General Model (CBC, CFB Modes of Block Ciphers)
  – Substitution depends on key, position, and previous encryption
  (diagram: as above, but the state transition also takes the previous ciphertext as input)
Symmetric Block Ciphers
Design Principles
• Desirable properties:
  – confusion: hide statistical particularities; goal: equally distributed ciphertext (for each key)
  – diffusion: break up local dependencies; goal: completeness (every ciphertext bit depends on each plaintext bit)
  – avalanche effect: a 1-bit change in the plaintext swaps half of the ciphertext bits
  – non-linearity: no ciphertext bit is linearly dependent on the plaintext
• Block length: big -> equal distribution, but long delay and more waste
• Key length: big -> more security, but big effort (time and space)
• Encryption/Decryption similarity: (almost) the same algorithm for encryption and decryption
Symmetric Block Ciphers, cont.
Efficiency
• lookup table: efficient (time) but too big (space)
• pure calculation: inefficient (time) but small (space)
• compromise: combine efficient building blocks that operate on smaller partial blocks
Building blocks
• (involutary) permutations of positions (transpositions) (diffusion)
• (involutary) substitutions (confusion)
• (incompatible) group operations
Resulting cipher: (cascaded) product cipher with several rounds (IDEA)
(diagram: the key-schedule algorithm derives the round keys KS1, KS2, ..., KSr from K; the plaintext x passes an initial permutation IP, the round functions IS_KS1(x), IS_KS2(y1), ..., IS_KSr(y_(r-1)) interleaved with the key groups KG1, KG2, ..., KGr, KG(r+1), and a final permutation IP to give y)
Advanced Encryption Standard (AES)
History
• 1997: The National Institute of Standards and Technology (NIST) called for a successor of DES. The proposed AES algorithms should be
  – unclassified,
  – publicly disclosed,
  – available royalty-free, worldwide.
  The algorithm must implement symmetric key cryptography as a block cipher and (at a minimum) support block sizes of 128 bits and key sizes of 128, 192, and 256 bits.
• 1998: NIST announced a group of fifteen AES candidate algorithms
• 1999: NIST selected five algorithms after in-depth analysis of the candidate algorithms conducted by the global cryptographic community: MARS (IBM), RC6 (RSA), Twofish (Counterpane), Rijndael, Serpent
• 2000: NIST proposed Rijndael for the AES
• 2001: approval of the Federal Information Processing Standard (FIPS) for the Advanced Encryption Standard
Rijndael (V. Rijmen, J. Daemen, University of Leuven)
Features
• Key length Nk and block length Nb: 32·N bits, N = 4,...,8 (128, 160, 192, 224, 256 bits), independently chosen
• Block represented as state S = 4×Nb-byte matrix
• r = max(Nb,Nk)+6 rounds
• Rounds transform the state S through
  – ByteSub: parallel byte operations: confusion by non-linear substitution
  – ShiftRow: parallel row operations: diffusion through a linear operation
  – MixColumn: parallel column operations: diffusion through a linear operation
  – AddRoundKey: matrix operation (XOR with key): dependency on the key
(diagram: the key-schedule algorithm derives the round keys K0, K1, ..., K(r-1), Kr from K; the plaintext x is XORed with K0, passes r-1 rounds of ByteSub, ShiftRow, MixColumn, AddRoundKey and a final round of ByteSub, ShiftRow, AddRoundKey with Kr, giving y)
Rijndael, cont.
E/D-Similarity: the same algorithm serves for decryption, only with modified round keys
• MixColumn and AddRoundKey almost commute: applying M^-1 to the state and then XORing Ki is the same mapping as XORing M^-1(Ki) and then applying M^-1, so the inverse round can keep the order of the forward round if the reverse key-schedule algorithm supplies Kr, M^-1(K(r-1)), ..., M^-1(K1), K0 instead of the original round keys.
• ByteSub and ShiftRow commute, so inv. BS and inv. SR may be applied in either order.
(diagrams: decryption of y applies inv. BS, inv. SR, inv. MC with the round keys in reverse order, Kr first, K0 last, and recovers x)
Basic Rijndael Operations
AddRoundKey
• XOR of state S and round key Ki
ShiftRow
• row 1 fixed
• rows 2-4 cyclically shifted by 1 to 4 positions, depending on the block length Nb
ByteSub
• combination of
  – an affine mapping of the vector space GF(2^8) over its prime field GF(2) = Z_2
  – the inverse mapping in the field GF(2^8)
MixColumn
• linear transformation of the vector space GF(2^8)^4 induced by a polynomial multiplication
Rijndael Key Scheduling
Purpose: derive the round keys from the cipher key
• r+1 keys K0, ..., Kr for r rounds necessary: (r+1)·Nb 32-bit words
• the cipher key is expanded to an "expanded key" of that size (or more)
• recursion formula (for Nk ≤ 6, slightly different for Nk > 6; ⊕ = XOR):
  – W_i = W_(i-Nk) ⊕ W_(i-1) if Nk is no divisor of i
  – W_i = W_(i-Nk) ⊕ BS(SR(W_(i-1))) ⊕ RC[i/Nk] if Nk is a divisor of i
  BS = ByteSub, SR = ShiftRow by 1 byte, RC[j] = (x^(j-1), 00_16, 00_16, 00_16) with x^(j-1) in GF(2^8), i.e. calculated modulo p(x) = x^8+x^4+x^3+x+1
• round keys are taken from the expanded key in the order of the rounds:
  W0 W1 ... W(Nk-1) | WNk W(Nk+1) ... W(2Nk-1) | ... | ... W(n-1)
(diagram: as on the Rijndael slide, the key-schedule algorithm supplies K0, K1, ..., K(r-1), Kr to the rounds)
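The finite-field material of the excursion (slide 29's field Z_2[x]/(x^3+x^2+1)), the ByteSub construction (GF(2^8) inverse plus affine map) and the key-schedule recursion above, in one added example that is not part of the lecture's code. The GF(2^n) routines are written for a general irreducible polynomial so the same gf_mul serves both the 3-bit example and AES; the affine map is written in its rotate-and-XOR form from FIPS-197, and the key expansion is checked against the FIPS-197 Appendix A.1 test key 2b7e1516 28aed2a6 abf71588 09cf4f3c (a published test vector, not a secret). All function names are this example's own.

```python
# Added example (not the lecture's own code): arithmetic in GF(2^n) = Z_2[x]/p(x),
# the slide-29 field Z_2[x]/(x^3+x^2+1), the Rijndael ByteSub mapping built from
# the GF(2^8) inverse plus the affine map, and the AES key expansion with round
# constants RC[j] = (x^(j-1), 00, 00, 00). Checked against FIPS-197 Appendix A.1.

def gf_mul(a, b, poly, n):
    """Multiply a and b (bit i = coefficient of x^i) modulo the irreducible
    polynomial poly of degree n over Z_2 (poly includes the x^n term)."""
    result = 0
    for _ in range(n):
        if b & 1:
            result ^= a
        b >>= 1
        a <<= 1
        if a & (1 << n):          # degree reached n: reduce by poly
            a ^= poly
    return result

def gf_pow(a, k, poly, n):
    """Square-and-multiply in the field, the same loop as the slides' power()."""
    z = 1
    while k > 0:
        if k % 2 == 0:
            k //= 2
            a = gf_mul(a, a, poly, n)
        else:
            k -= 1
            z = gf_mul(z, a, poly, n)
    return z

def powers_of_x(poly, n):
    """x, x^2, x^3, ... until x^k = 1; a list of 2^n - 1 distinct values means
    x generates the multiplicative group (slide 29: x^7 = 1)."""
    out, v = [], 1
    while True:
        v = gf_mul(v, 0b10, poly, n)        # multiply by x
        out.append(v)
        if v == 1:
            return out

AES_POLY = 0b1_0001_1011          # x^8 + x^4 + x^3 + x + 1

def gf8_inverse(b):
    """Inverse in GF(2^8): b^254 = b^-1 because the group has order 255; 0 -> 0."""
    return gf_pow(b, 254, AES_POLY, 8) if b else 0

def byte_sub(b):
    """ByteSub = GF(2^8) inverse followed by the affine map over GF(2),
    y = x ^ rot1(x) ^ rot2(x) ^ rot3(x) ^ rot4(x) ^ 0x63 (the FIPS-197 S-box)."""
    x = gf8_inverse(b)
    rot = lambda v, s: ((v << s) | (v >> (8 - s))) & 0xFF
    return x ^ rot(x, 1) ^ rot(x, 2) ^ rot(x, 3) ^ rot(x, 4) ^ 0x63

def sub_word(w):
    return int.from_bytes(bytes(byte_sub(c) for c in w.to_bytes(4, "big")), "big")

def expand_key(key, nb=4):
    """W_i = W_{i-Nk} ^ W_{i-1}, except every Nk-th word, where W_{i-1} is first
    rotated by one byte (SR), sent through ByteSub (BS) and XORed with RC[i/Nk];
    for Nk > 6 an extra SubWord is applied at i mod Nk = 4 (FIPS-197 5.2)."""
    nk = len(key) // 4
    nr = max(nb, nk) + 6                                  # r = max(Nb, Nk) + 6
    w = [int.from_bytes(key[4 * i:4 * i + 4], "big") for i in range(nk)]
    for i in range(nk, nb * (nr + 1)):
        t = w[i - 1]
        if i % nk == 0:
            t = ((t << 8) & 0xFFFFFFFF) | (t >> 24)           # ShiftRow by 1 byte
            t = sub_word(t)                                    # ByteSub
            t ^= gf_pow(0b10, i // nk - 1, AES_POLY, 8) << 24  # RC[i/Nk] = x^(i/Nk-1)
        elif nk > 6 and i % nk == 4:
            t = sub_word(t)
        w.append(w[i - nk] ^ t)
    return w

def round_keys(key, nb=4):
    """Round key K_r = words W_{r*Nb} .. W_{r*Nb+Nb-1} of the expanded key."""
    w = expand_key(key, nb)
    return [w[r * nb:(r + 1) * nb] for r in range(len(w) // nb)]

FIPS_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # FIPS-197 A.1 key

if __name__ == "__main__":
    print([bin(v) for v in powers_of_x(0b1101, 3)])   # x^1 .. x^7 in Z_2[x]/(x^3+x^2+1)
    print([f"{w:08x}" for w in expand_key(FIPS_KEY)[:8]])
```

Computing the inverse as b^254 is deliberately slow but needs no table; a real implementation precomputes the 256-entry S-box once, which is what the "lookup table versus pure calculation" compromise on the block-cipher efficiency slide refers to.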
Block Cipher Modes of Operation
Problem: The plaintext is usually longer than the block size: cut the plaintext into slices (blocks) and pad the last incomplete block.
Electronic Codebook (ECB) (no stream cipher): independent encryption of each block with the same key
• Codebook attack (passive): identical blocks are encrypted identically
• Replay attack (active): insert/delete/replace blocks by preceding ones
Combine block ciphers with stream ciphers: Stream Cipher Modes (CBC, CFB, OFB) = stream cipher with a block as encryption unit
(diagram: key K and a state S with a transition function drive the block cipher E_i; plaintext X -> block cipher E_i -> ciphertext Y)
Block Cipher Modes of Operation
Assessment Criteria
1. Propagation of transmission errors (changed bits)
2. Synchronisation errors (deleted or inserted bits)
3. Code expansion
4. Effective key size
5. Cryptanalysis, security
6. Application areas
7. Effective encryption rate (compared with ECB)
Electronic Codebook (ECB)
Assessment
1. Propagation of transmission errors (changed bits): whole block corrupted, succeeding blocks unchanged
2. Synchronisation errors (deleted or inserted bits): all succeeding blocks corrupted
3. Code expansion: last block expansion due to padding can be avoided (ciphertext stealing)
4. Effective key size: = key size
5. Cryptanalysis, security: poor security, codebook analysis for redundant plaintexts (e.g. English)
6. Application areas: random access of single blocks, e.g. databases
7. Effective encryption rate (compared with ECB): 1
Cipher Block Chaining (CBC)
Construction
• XOR of plaintext block with preceding ciphertext block
• Initialisation vector IV needed for the first encryption
• IV not secret, but randomly chosen to hide patterns at the beginning of the plaintext
• IV transmitted as first block
Encryption: y_i = E_K(x_i ⊕ y_(i-1)) (diagram: x_i, the register holding y_(i-1), and key K feed the block cipher)
Decryption: x_i = D_K(y_i) ⊕ y_(i-1) (diagram: y_i is decrypted with K and XORed with the register holding y_(i-1))
Cipher Block Chaining (CBC), cont.
Assessment
1. Propagation of transmission errors (changed bits): the block and the next block corrupted, succeeding blocks unchanged
2. Synchronisation errors (deleted or inserted bits): all succeeding blocks corrupted
3. Code expansion: last block expansion due to padding can be avoided (ciphertext stealing)
4. Effective key size: = key size
5. Cryptanalysis, security: plaintext patterns hidden, no codebook analysis, no statistical analysis
6. Application areas: encryption of long texts (archives) when random access is not essential; cope with synchronisation errors through transmission protocols
7. Effective encryption rate (compared with ECB): 1
Output Feedback (OFB)
Construction
• Block cipher as running key generator for a stream cipher
• Initialisation vector IV needed for RKG initialisation
• IV not secret, but randomly chosen to generate different random streams for the same key
• Part or whole of the state register (block) used for encryption. Average period: 2^(n-1) for m = n and 2^(n/2) for m < n
(diagram: a shift register holds the state s_i of n bits; E_K(s_i) is computed with key K; m of its n bits form the running key k_i, y_i = x_i ⊕ k_i, and these m output bits are shifted back into the register; encryption = decryption)
Output Feedback (OFB), cont.
Assessment
1. Propagation of transmission errors (changed bits): no error propagation at all
2. Synchronisation errors (deleted or inserted bits): all succeeding blocks corrupted
3. Code expansion: none
4. Effective key size: = key size
5. Cryptanalysis, security: plaintext patterns hidden, no codebook analysis, no statistical analysis; the short period 2^(n/2) is sometimes insufficient; no error propagation: active manipulations may remain undetected
6. Application areas: online transactions without delay or error propagation; cope with manipulation problems through error detecting protocols
7. Effective encryption rate (compared with ECB): m/n if only m bits out of n (= block length) are used for encryption
(diagram as on the previous slide)
Cipher Feedback (CFB)
Construction
• Feed back the ciphertext instead of the random stream of OFB
• Initialisation vector IV needed
• IV not secret, but randomly chosen to generate different random streams for the same key
• Part or whole of the state register (block) used for encryption
(diagrams: encryption: shift register s_i, E_K(s_i) computed with key K, m of n bits form k_i, y_i = x_i ⊕ k_i, and the m ciphertext bits are shifted into the register; decryption: the same register is fed with the received ciphertext bits, x_i = y_i ⊕ k_i)
Cipher Feedback (CFB), cont.
Evaluation
1. Propagation of transmission errors (changed bits): affected block and n/m-1 succeeding blocks (of length m) corrupted
2. Synchronisation errors (deleted or inserted bits): erroneous blocks as long as the shift register is corrupted; completely self-synchronising for m=1
3. Code expansion: none
4. Effective key size: = key size
5. Cryptanalysis, security: plaintext patterns hidden, no codebook analysis, no statistical analysis; error propagation: active manipulations can be detected
6. Application areas: online transactions without delay but with detection of manipulations
7. Effective encryption rate (compared with ECB): m/n if only m bits out of n (= block length) are used for encryption
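The four modes side by side, as an added example that is not part of the lecture's code: ECB, CBC, OFB and CFB (with m = n, i.e. a whole block per step) are built over a constructed toy Feistel block cipher, and two of the assessment criteria above are made measurable: whether two identical plaintext blocks produce identical ciphertext blocks (criterion 5, codebook analysis) and which plaintext blocks change when a single ciphertext bit is flipped (criterion 1). The toy cipher, key, IV and message are constructed for the example; the function names are this example's own.

```python
# Added example (not the lecture's own code): ECB, CBC, OFB and CFB (m = n) over a
# constructed toy block cipher, comparing codebook leakage and the propagation of
# a single flipped ciphertext bit, i.e. assessment criteria 1 and 5 of the slides.
import hashlib

BLOCK = 16

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def toy_encrypt(key, block):
    """Constructed 4-round Feistel cipher on 16-byte blocks: a stand-in for a
    real block cipher so that the modes below are runnable; not for real use."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:8]
        left, right = right, _xor(left, f)
    return left + right

def toy_decrypt(key, block):
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        f = hashlib.sha256(key + bytes([rnd]) + left).digest()[:8]
        left, right = _xor(right, f), left
    return left + right

def blocks(data):
    assert len(data) % BLOCK == 0, "pad the last block first"
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, iv, pt):              # iv unused: every block independent
    return b"".join(toy_encrypt(key, b) for b in blocks(pt))

def ecb_decrypt(key, iv, ct):
    return b"".join(toy_decrypt(key, c) for c in blocks(ct))

def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for b in blocks(pt):
        prev = toy_encrypt(key, _xor(b, prev))       # y_i = E_K(x_i xor y_{i-1})
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for c in blocks(ct):
        out.append(_xor(toy_decrypt(key, c), prev))  # x_i = D_K(y_i) xor y_{i-1}
        prev = c
    return b"".join(out)

def ofb_crypt(key, iv, data):
    """OFB: the block cipher is a running-key generator; encryption = decryption."""
    out, s = [], iv
    for b in blocks(data):
        s = toy_encrypt(key, s)                # state depends only on key and IV
        out.append(_xor(b, s))
    return b"".join(out)

def cfb_encrypt(key, iv, pt):
    out, s = [], iv
    for b in blocks(pt):
        s = _xor(b, toy_encrypt(key, s))       # the ciphertext block is fed back
        out.append(s)
    return b"".join(out)

def cfb_decrypt(key, iv, ct):
    out, s = [], iv
    for c in blocks(ct):
        out.append(_xor(c, toy_encrypt(key, s)))
        s = c
    return b"".join(out)

MODES = {"ECB": (ecb_encrypt, ecb_decrypt), "CBC": (cbc_encrypt, cbc_decrypt),
         "OFB": (ofb_crypt, ofb_crypt), "CFB": (cfb_encrypt, cfb_decrypt)}

def corrupted_blocks(mode, key, iv, pt, flip_block=1):
    """Flip bit 0 of ciphertext block flip_block and return the indices of the
    plaintext blocks that now decrypt differently (criterion 1)."""
    enc, dec = MODES[mode]
    ct = bytearray(enc(key, iv, pt))
    ct[flip_block * BLOCK] ^= 0x01
    bad = dec(key, iv, bytes(ct))
    return [i for i, (a, b) in enumerate(zip(blocks(pt), blocks(bad))) if a != b]

def assess(key, iv, pt):
    """Round trip, codebook leakage (pt blocks 0 and 1 are identical) and
    error propagation for every mode."""
    result = {}
    for mode, (enc, dec) in MODES.items():
        ct = enc(key, iv, pt)
        assert dec(key, iv, ct) == pt
        result[mode] = {"repeat_visible": blocks(ct)[0] == blocks(ct)[1],
                        "corrupted": corrupted_blocks(mode, key, iv, pt)}
    return result

# Constructed sample input: two identical blocks followed by two distinct ones.
SAMPLE_KEY = b"constructed-key!"
SAMPLE_IV = bytes(range(BLOCK))
SAMPLE_PT = b"SAME BLOCK 16B!!" * 2 + b"different block." + b"last block here."

if __name__ == "__main__":
    for mode, r in assess(SAMPLE_KEY, SAMPLE_IV, SAMPLE_PT).items():
        print(mode, r)
```

Only ECB shows the repeated block; CBC and CFB corrupt the flipped block and the one after it, OFB touches exactly the flipped bit, and ECB only the flipped block. In OFB the flipped bit survives decryption unchanged, which is the slide's point that, without error propagation, manipulations go unnoticed unless an error-detecting protocol (today: a MAC or an authenticated mode) sits on top.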
Asymmetric Ciphers
(diagram: Alice (source, sender) encrypts the plaintext X with key K to the ciphertext Y; Bob (drain, receiver) decrypts with key K'; the key generator supplies the pair K, K')
Encryption E_K(X) is a one-way function with trapdoor K': neither the inverse key K' nor the plaintext X can be derived from K and the ciphertext Y = E_K(X) (with limited resources).
Practically used one-way trapdoor functions:
• Diffie-Hellman-Pohlig one-way trapdoor function: f: Z_p* -> Z_p*, y = f(x) = a^x mod p, with a large prime number p and fixed a. Inverse function: x = f^-1(y) = log_a(y) mod p (discrete logarithm)
• RSA one-way trapdoor function: f: Z_n -> Z_n, y = f(x) = x^e mod n, with n = p·q, p,q prime, gcd(e, φ(n)) = 1. Inverse function: x = f^-1(y) = y^d mod n, e·d = 1 mod φ(n) (factoring n)
Diffie-Hellman one-way function
f: Z_p* -> Z_p*, y = f(k) = a^k mod p, with a large prime number p and fixed a
• Fast computation with the Square-and-Multiply algorithm
• Idea: k = (b_(n-1),...,b_1,b_0)_2 = b_(n-1)·2^(n-1) + ... + b_1·2 + b_0 (binary representation), hence
  a^k = a^(b_0) · (a^2)^(b_1) · (a^(2^2))^(b_2) · ... · (a^(2^(n-1)))^(b_(n-1))
• Algorithm: Iteratively apply the formula
  a^k = a · a^(k-1) for k odd
  a^k = (a^2)^(k div 2) for k even
• Example:
  a^13 = a·a^12 = a·(a^2)^6 = a·((a^2)^2)^3 = a·a1^3 with a1 := (a^2)^2
       = a·a1·a1^2 = a·a1·(a1^2)^1 = a·a1·a2^1 with a2 := a1^2
       = a·a1·a2·a2^0
  z := 1; z := z·a; z := z·a1; z := z·a2
Square-and-Multiply

    /** Square-and-multiply algorithm for integral power calculation a^k, k>=0 */
    long power(long a, int k) {  // a and z from any multiplicative group
        long z = 1;              // power = z * a^k
        while (k > 0) {          // Variant: k
            // Invariant: power = z * a^k
            if (k % 2 == 0) {    // k is even
                k /= 2; a *= a;  // power = z * a^k
            } else {             // k is odd
                k--; z *= a;     // power = z * a^k
            }
        }
        return z;                // k = 0 ==> power = z * a^k = z
    }

• Time complexity: O(log(k)) for worst case and best case
  – k even (bit = 0): 1 mult = square (a *= a), 1 shift (k /= 2), k halved
  – k odd (bit = 1): 1 mult (z *= a), 1 bit and (k--), k becomes even
  – loop: 1 step for each bit = 1, plus 1 step for each bit: max 2·log2(k) steps
• Space complexity: O(1) = constant, independent of k
Diffie-Hellman Public Key-Distribution System
Establish a shared secret (e.g. a symmetric key) using insecure communication channels. Solves the key distribution problem for symmetric keys. No public key cryptosystem!
Protocol: Agree upon a common large prime p and a primitive element g of Z_p*.
Each member A chooses a private random number x_A and sends y_A = g^(x_A) as public information to a (passive) trust center.
From the public key y_B = g^(x_B) of the partner B calculate the shared secret K := y_B^(x_A) = (g^(x_B))^(x_A) = (g^(x_A))^(x_B) = y_A^(x_B).
(diagram: Alice and Bob register y_A = g^(x_A) and y_B = g^(x_B) with Trent; 1. Alice fetches y_B, 2. K = y_B^(x_A), 3. Alice sends Y = E_K(M), 4. Bob fetches y_A, 5. K = y_A^(x_B), M = D_K(Y))
ElGamal Crypto System
Based on Diffie-Hellman. Different algorithms for encryption and digital signatures. Encryption for confidentiality is an asynchronous (non-interactive) variant of Diffie-Hellman; digital signatures are somewhat more complicated.
Encryption Protocol: As in the Diffie-Hellman protocol, except that the receiver need not consult the trust center, because the sender sends his "public key" $y_A = g^{x_A}$ along with the encrypted message $E_K(M) = K \cdot M \bmod p$. The exponent $x_A$ must be a fresh random number for every message: reusing it for two messages $M$ and $M'$ gives the same $K$, so $Y'/Y = M'/M$ reveals $M'$ to anyone who knows $M$.
Diffie-Hellman (figure on the slide, as on the previous slide): $y_A = g^{x_A}$ and $y_B = g^{x_B}$ are both registered with Trent.
1. Alice fetches $y_B$ from Trent.
2. Alice computes $K = y_B^{x_A}$ and $Y = E_K(M)$.
3. Alice sends $Y$ to Bob.
4. Bob fetches $y_A$ from Trent.
5. Bob computes $K = y_A^{x_B}$ and $M = D_K(Y)$.
ElGamal (figure on the slide): only $y_B = g^{x_B}$ is registered with Trent; $y_A = g^{x_A}$ is generated by Alice for this message.
1. Alice fetches $y_B$ from Trent.
2. Alice computes $K = y_B^{x_A}$ and $Y = E_K(M) = K \cdot M \bmod p$.
3. Alice sends $y_A \mid Y$ to Bob.
4. Bob computes $K = y_A^{x_B}$ and $M = D_K(Y) = Y \cdot y_A^{-x_B} \bmod p$.
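Added example (not lecture code) covering both figures above: Diffie-Hellman key agreement between Alice and Bob, and ElGamal encryption where Alice's per-message $y_A$ travels with the ciphertext. The group is an assumed toy safe prime $p = 2q + 1$ with the generator found by the safe-prime test $g^2 \neq 1$, $g^q \neq 1$; real deployments use standardised groups of at least 2048 bits. The range check on received public values is the practitioner's guard against a peer sending $1$ or $p - 1$ to force $K$ into a two-element set.

```python
"""Diffie-Hellman key agreement and ElGamal encryption in Z_p^*, following
the two protocol figures on the slides."""
import secrets

P = 2027                       # assumed toy safe prime: Q = (P-1)/2 = 1013 is prime too
Q = (P - 1) // 2


def find_generator(p, q):
    """Smallest primitive element g of Z_p^* for a safe prime p = 2q + 1:
    g generates the whole group iff g^2 != 1 and g^q != 1 (mod p)."""
    for g in range(2, p - 1):
        if pow(g, 2, p) != 1 and pow(g, q, p) != 1:
            return g
    raise ValueError("no generator found: p is not a safe prime")


G = find_generator(P, Q)


def check_public_value(y, p=P):
    """Reject y outside [2, p-2]. For a safe prime this excludes 1 and p-1,
    the only elements of small order, so a peer cannot force K into {1, p-1}."""
    if not 2 <= y <= p - 2:
        raise ValueError("public value out of range")
    return y


def keypair(p=P, g=G):
    """Private exponent x in [2, q-1] (so that y = g^x is never 1 or p-1)
    and public value y = g^x mod p."""
    x = secrets.randbelow((p - 1) // 2 - 2) + 2
    return x, pow(g, x, p)


def dh_shared_secret(x_own, y_peer, p=P):
    """K = y_peer^x_own mod p (steps 2 and 5 of the Diffie-Hellman figure)."""
    return pow(check_public_value(y_peer, p), x_own, p)


def elgamal_encrypt(m, y_b, p=P, g=G):
    """Alice: fresh x_A for every message, sends (y_A, Y) with Y = K*M mod p."""
    if not 1 <= m < p:
        raise ValueError("message must be encoded as 1 <= M < p")
    x_a, y_a = keypair(p, g)
    k = dh_shared_secret(x_a, y_b, p)
    return y_a, k * m % p


def elgamal_decrypt(y_a, y_cipher, x_b, p=P):
    """Bob: K = y_A^x_B, M = Y * K^-1 = Y * y_A^(-x_B) mod p."""
    k = dh_shared_secret(x_b, y_a, p)
    return y_cipher * pow(k, -1, p) % p


if __name__ == "__main__":
    x_a, y_a = keypair()
    x_b, y_b = keypair()
    print(dh_shared_secret(x_a, y_b) == dh_shared_secret(x_b, y_a))   # True
    y_a1, y = elgamal_encrypt(1234, y_b)
    print(elgamal_decrypt(y_a1, y, x_b))                               # 1234
```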
Digital Signature Algorithm (DSA)
Based on ElGamal signatures. More efficient than ElGamal signatures because
• operations are performed in a smaller subgroup of prime order $q$ (time complexity)
• only $2 \cdot 160$ bit for a digital signature (space complexity)
Hash function SHA-1 used (160 bit). No legal or patent restrictions. Used in PGP (version 6 and beyond).
Elliptic Curve Cryptography (ECC)
Based on ElGamal. ElGamal uses only the multiplicative group $\mathbb{Z}_p^*$; any group will do if multiplication is fast (and therefore raising to the $n$th power, too) and the inverse operation (logarithm) is hard.
ECC needs smaller keys (160 bit) than RSA (1024 bit). ECC is best suited for smart cards.
Elliptic curves are the points $P = (x, y) \in \mathbb{Z}_p \times \mathbb{Z}_p$ with
$y^2 = x^3 + ax + b$, $4a^3 + 27b^2 \neq 0 \pmod p$ (with suitable $a, b \in \mathbb{Z}_p$),
together with a neutral element $\mathcal{O}$ (the point at infinity, not representable as a point $(x, y)$); the inverse element of $P = (x, y)$ is $P^{-1} = (x, p - y)$.
The group operation (written multiplicatively on this slide; usually written as point addition $P_1 + P_2$) is defined by $P_3 = P_1 \circ P_2 = (x_3, y_3)$ with
$x_3 = r^2 - x_1 - x_2 \bmod p$, $y_3 = r(x_1 - x_3) - y_1 \bmod p$, where
$r = \dfrac{y_2 - y_1}{x_2 - x_1}$ for $P_1 \neq P_2$ (if $x_1 = x_2$ then $P_2 = P_1^{-1}$ and $P_3 = \mathcal{O}$),
$r = \dfrac{3x_1^2 + a}{2y_1}$ for $P_1 = P_2$ (if $y_1 = 0$ then $P_3 = \mathcal{O}$).
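Added example (not lecture code): the group operation above on a small curve, the $k$-fold operation by double-and-add (square-and-multiply in additive notation), and EC Diffie-Hellman on top of it. The curve $y^2 = x^3 + 2x + 2$ over $\mathbb{Z}_{17}$ with base point $(5, 1)$ of order 19 is an assumed toy parameter set chosen so results can be checked by hand; real use requires a standardised curve. The `on_curve` check before every scalar multiplication is the practitioner's guard against invalid-curve inputs.

```python
"""Elliptic-curve group operations over Z_p and EC Diffie-Hellman.
Points are tuples (x, y); the neutral element O is represented by None."""
import secrets

P, A, B = 17, 2, 2                  # assumed toy curve y^2 = x^3 + 2x + 2 mod 17
G = (5, 1)                          # base point
ORDER = 19                          # number of curve points including O (prime)


def on_curve(pt):
    """Reject points that do not satisfy the curve equation: a scalar
    multiplication on such a point happens in a different, possibly weak group."""
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P == 0


def neg(pt):
    """P^-1 = (x, p - y)."""
    if pt is None:
        return None
    x, y = pt
    return (x, (-y) % P)


def add(p1, p2):
    """Group operation P3 = P1 o P2 with the slide's formulas."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:      # P2 = P1^-1 (covers y1 = 0 when doubling)
        return None
    if p1 == p2:
        r = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        r = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (r * r - x1 - x2) % P
    y3 = (r * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k, pt):
    """k-fold group operation by double-and-add."""
    if not on_curve(pt):
        raise ValueError("point is not on the curve")
    result = None
    while k > 0:
        if k & 1:
            result = add(result, pt)
        pt = add(pt, pt)
        k >>= 1
    return result


def keypair():
    """Private scalar x in [1, ORDER-1] and public point x*G."""
    x = secrets.randbelow(ORDER - 1) + 1
    return x, scalar_mult(x, G)


def ecdh_shared(x_own, y_peer):
    return scalar_mult(x_own, y_peer)


if __name__ == "__main__":
    print(add(G, G))                         # (6, 3)
    print(scalar_mult(ORDER, G))             # None: the neutral element O
    xa, ya = keypair()
    xb, yb = keypair()
    print(ecdh_shared(xa, yb) == ecdh_shared(xb, ya))   # True
```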
RSA Public Key Cryptosystem
Confidentiality. Authenticity including digital signatures.
Key generation for messages encoded as natural numbers $M < m = 2^l$
Each member: Secretly choose two large primes $p$ and $q$ and calculate $n := pq > m$ (public).
Choose $e < \varphi(n) = (p-1) \cdot (q-1)$ so that $\gcd(e, \varphi(n)) = 1$, e.g. $e = 3$ or $e = 2^{16} + 1$.
Determine $d < \varphi(n)$ so that $ed \equiv 1 \pmod{\varphi(n)}$ (extended Euclidean algorithm).
$(n, e)$ is the public key, $d$ is the private key.
Encrypt message $M$: $E_e(M) = M^e \bmod n$, $e$ = receiver's public key
Decrypt message $C = E_e(M)$: $D_d(C) = C^d \bmod n$, $d$ = receiver's private key
Sign message $M$: $D_d(M) = M^d \bmod n$, $d$ = sender's private key
Verify signature $S = D_d(M)$: $E_e(S) = S^e \bmod n$, $e$ = sender's public key; accept if the result equals $M$
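Added example (not lecture code): the key generation above from two given primes, with the extended Euclidean algorithm for $d$, followed by encrypt/decrypt and sign/verify. The primes $2^{31} - 1$ and $2^{61} - 1$ are assumed toy values (both Mersenne primes) so the run is reproducible; they are far too small for real keys. The block is textbook RSA exactly as on the slide, i.e. without padding, and `malleable` shows the consequence: $E(M_1) \cdot E(M_2) = E(M_1 \cdot M_2)$, which is why real implementations pad (OAEP for encryption, PSS for signatures).

```python
"""Textbook RSA: key generation from two given primes, encrypt/decrypt,
sign/verify, and the multiplicative malleability of the unpadded scheme."""


def egcd(a, b):
    """Extended Euclidean algorithm: (g, u, v) with u*a + v*b = g = gcd(a, b)."""
    u0, v0, u1, v1 = 1, 0, 0, 1
    while b:
        qt, a, b = a // b, b, a % b
        u0, u1 = u1, u0 - qt * u1
        v0, v1 = v1, v0 - qt * v1
    return a, u0, v0


def keygen(p, q, e=65537):
    """Public key (n, e), private key d with e*d = 1 mod phi(n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    g, u, _ = egcd(e, phi)
    if g != 1:
        raise ValueError("e must be coprime to phi(n)")
    return (n, e), u % phi


def encrypt(m, pub):
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must satisfy 0 <= M < n")
    return pow(m, e, n)


def decrypt(c, d, n):
    return pow(c, d, n)


def sign(m, d, n):
    return pow(m, d, n)


def verify(m, s, pub):
    n, e = pub
    return pow(s, e, n) == m % n


def malleable(m1, m2, pub):
    """E(M1) * E(M2) = E(M1 * M2) mod n: anyone can turn two ciphertexts (or
    two signatures) into a valid third one. Padding removes this structure."""
    n, _ = pub
    return encrypt(m1, pub) * encrypt(m2, pub) % n == encrypt(m1 * m2 % n, pub)


P_DEMO, Q_DEMO = 2**31 - 1, 2**61 - 1     # assumed toy primes (Mersenne primes)

if __name__ == "__main__":
    pub, d = keygen(P_DEMO, Q_DEMO)
    n, _ = pub
    m = int.from_bytes(b"Order 4711", "big")   # constructed 80-bit message < n
    print(decrypt(encrypt(m, pub), d, n) == m)  # True
    print(verify(m, sign(m, d, n), pub))       # True
    print(malleable(12345, 67890, pub))        # True: textbook RSA is malleable
```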
Security of RSA
Known-Plaintext Attack = Chosen-Plaintext Attack (the encryption key is public, so an attacker can always produce plaintext/ciphertext pairs himself):
Determination of the private key $d$ from a plaintext $M = C^d \bmod n$ and its ciphertext $C = E_e(M)$ is a discrete logarithm problem.
Ciphertext-only Attacks
Message-dependent attacks:
Deriving $M$ from $e$, $n$ and $C = E_e(M) = M^e \bmod n$ is tantamount to determining the $e$th root modulo $n$ (the "RSA problem"). No method is known that is easier than factoring $n$; equivalence to factoring is assumed, not proved.
Deriving $d$ from $e$, $n$ and $C = E_e(M) = M^e \bmod n$ seems to be just as hard as the message-independent attack.
Message-independent attack: Deriving $d$ from $e$ and $n$ is equivalent to factoring $n$ (whoever knows $d$ can factor $n$). Factoring a large composite number $n = p \cdot q$ is a classical hard problem.
Best (known) algorithms (general number field sieve) have time complexity
$O\left(e^{(1.923 + o(1)) \cdot \sqrt[3]{\ln n} \cdot \sqrt[3]{(\ln \ln n)^2}}\right)$
Security of RSA and Diffie-Hellman
[Figure: assumed security of RSA with respect to key length]
Random Number Generators
• Use
  – Key generation (asymmetric, symmetric)
  – Authentication, e.g. challenge and response
  – Nonces in key distribution schemes to prevent replay attacks
• Requirements
  – Randomness:
    • Uniform distribution of the values in the sequence (single numbers and subsequences of any length)
    • Independence of the sequence values from each other
  – Unpredictability of successive members of the sequence
Types of Random Number Generators
• Physical noise generators (stochastic)
  – ionising radiation events
  – leaky capacitors
• Pseudorandom Number Generators (deterministic)
  – linear congruential method (easy to break): $s_i = c \cdot s_{i-1} + d \bmod p$, $p$ prime
  – linear feedback shift registers (good statistics, easy to break): $s_j = -c_1 s_{j-1} - c_2 s_{j-2} - \ldots - c_l s_{j-l} \bmod p$
  – nonlinear feedback shift registers (still insecure): filters, stop-and-go generators
• Cryptographic Random Number Generators
  – block cipher based (good statistics, secure, complex)
  – based on public key cryptography (equally secure)
Linear Congruential Method
$s_i = c \cdot s_{i-1} + d \bmod p$, $p$ prime
• $c = 1$: $s_i = s_{i-1} + d \bmod p$, a linear sequence, predictable
• $d = 0$: $s_i = c \cdot s_{i-1} \bmod p$, $s_0 \neq 0$,
  $c$ primitive, i.e. $\langle c \rangle := \{1, c, c^2, c^3, \ldots, c^{p-2}\} = \mathbb{Z}_p^* = \{1, 2, \ldots, p-1\}$
  $\{s_0, s_1 = c \cdot s_0, s_2 = c^2 \cdot s_0, \ldots, s_{p-2} = c^{p-2} \cdot s_0\} = \langle c \rangle \cdot s_0 = \mathbb{Z}_p^*$
Examples:
$p = 2^3 - 1 = 7$, $c = 2$: $\langle c \rangle = \{1, 2, 4\}$, not primitive
$c = 5$: $\langle c \rangle = \{1, 5, 4, 6, 2, 3\}$, primitive (one of the $\varphi(\varphi(p)) = 2$ primitive elements)
$s_0 = 2$: $\langle c \rangle \cdot s_0 = \{2, 3, 1, 5, 4, 6\} = \mathbb{Z}_7^*$, "random"
$p = 2^{31} - 1$ is prime, $c = 7^5$ is primitive: used on the IBM 360
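Added example (not lecture code) for the slide's two claims, that $c = 5$ runs through all of $\mathbb{Z}_7^*$ and that the method is easy to break: the generator with the slide's parameters, a period check, and the recovery of $c$ and $d$ from three consecutive outputs when $p$ is known (two equations $s_2 = c s_1 + d$, $s_3 = c s_2 + d$ in two unknowns). The seed and increment used to break the IBM 360 generator are constructed values.

```python
"""Linear congruential generator s_i = c*s_{i-1} + d mod p, and its break from
three consecutive outputs."""

P = 2**31 - 1          # slide: prime modulus of the IBM 360 generator
C = 7**5               # slide: primitive element mod P


def lcg(seed, count, c=C, d=0, p=P):
    """The first `count` outputs s_1..s_count after s_0 = seed."""
    out, s = [], seed % p
    for _ in range(count):
        s = (c * s + d) % p
        out.append(s)
    return out


def period(seed, c=C, d=0, p=P):
    """Cycle length reached from seed. The map s -> c*s + d is a bijection
    mod a prime p (c != 0), so every seed lies on a cycle. Toy p only."""
    s = (c * seed + d) % p
    n = 1
    while s != seed % p:
        s = (c * s + d) % p
        n += 1
    return n


def recover_params(s1, s2, s3, p=P):
    """From three consecutive outputs solve s2 = c*s1 + d, s3 = c*s2 + d:
    c = (s3 - s2) / (s2 - s1) mod p, d = s2 - c*s1 mod p."""
    if (s2 - s1) % p == 0:
        raise ValueError("need s1 != s2 (generator sits at its fixed point)")
    c = (s3 - s2) * pow(s2 - s1, -1, p) % p
    d = (s2 - c * s1) % p
    return c, d


def predict_next(s_last, c, d, p=P):
    return (c * s_last + d) % p


if __name__ == "__main__":
    # slide example: p = 7, c = 5, s0 = 2 runs through all of Z_7^*
    print(lcg(2, 6, c=5, d=0, p=7))          # [3, 1, 5, 4, 6, 2]
    print(period(2, c=5, d=0, p=7))          # 6
    # break the IBM 360 generator from three outputs (constructed seed and d)
    s = lcg(123456789, 4, d=987654321)
    c, d = recover_params(s[0], s[1], s[2])
    print((c, d) == (C, 987654321), predict_next(s[2], c, d) == s[3])   # True True
```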
Linear Feedback Shift Registers
$s_j = -c_1 s_{j-1} - c_2 s_{j-2} - \ldots - c_l s_{j-l} \bmod p$, $p$ prime
• maximum period $p^l - 1$ $\Leftrightarrow$ $c(x) = x^l + c_1 x^{l-1} + \ldots + c_l$ is primitive, i.e. the multiplicative group of the Galois field $\mathbb{Z}_p[x] / c(x)\mathbb{Z}_p[x]$ is generated by the coset of $x$
• Example: $p = 2$, $c(x) = x^3 + x^2 + 1$ is irreducible and primitive:
  $\langle x \rangle = \{x, x^2, x^3 = x^2 + 1, x^4 = x^2 + x + 1, x^5 = x + 1, x^6 = x^2 + x, x^7 = 1\}$, generated sequence with period $2^3 - 1 = 7$: $1011100\ldots$
• can be broken if a subsequence of $2 \cdot l$ elements is known: the $l$ unknown coefficients $c_1, \ldots, c_l$ then follow from $l$ linear equations over $\mathbb{Z}_p$
[Figure: shift register with cells $s_{j-l}, s_{j-l+1}, \ldots, s_{j-2}, s_{j-1}$; feedback taps $-c_l, -c_{l-1}, \ldots, -c_2, -c_1$ are summed into the new element $s_j$; output sequence $s_0, s_1, \ldots$]
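Added example (not lecture code): an LFSR over $\mathbb{Z}_p$ with the slide's recurrence, its period, and the break from $2l$ consecutive outputs by Gaussian elimination mod $p$. The tap convention is an assumption: with $c = (c_1, c_2, c_3) = (0, 1, 1)$, i.e. $s_j = s_{j-2} + s_{j-3}$ over $\mathbb{Z}_2$, the register reproduces the slide's sequence $1011100\ldots$ from the initial state $1, 0, 1$ (this is the slide's polynomial with the coefficient order reversed; $x^3 + x^2 + 1$ and its reciprocal $x^3 + x + 1$ are both primitive, so both give period 7). A second register over $\mathbb{Z}_7$ shows that the break is not specific to $p = 2$.

```python
"""Linear feedback shift register over Z_p and its break from 2*l outputs.
Convention: s_j = -(c[0]*s_{j-1} + ... + c[l-1]*s_{j-l}) mod p."""


def lfsr(init, c, count, p=2):
    """`count` sequence elements, starting with the l initial values in `init`."""
    s = list(init)
    l = len(c)
    while len(s) < count:
        s.append((-sum(c[i] * s[-1 - i] for i in range(l))) % p)
    return s[:count]


def period(init, c, p=2):
    """Number of steps until the register state returns to `init`."""
    l = len(c)
    state = list(init)
    n = 0
    while True:
        nxt = (-sum(c[i] * state[-1 - i] for i in range(l))) % p
        state = state[1:] + [nxt]
        n += 1
        if state == list(init):
            return n


def solve_mod_p(matrix, rhs, p):
    """Gauss-Jordan elimination over Z_p for a square system A*x = b."""
    n = len(rhs)
    m = [row[:] + [b] for row, b in zip(matrix, rhs)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if m[r][col] % p), None)
        if pivot is None:
            raise ValueError("singular system: these outputs do not determine the taps")
        m[col], m[pivot] = m[pivot], m[col]
        inv = pow(m[col][col], -1, p)
        m[col] = [v * inv % p for v in m[col]]
        for r in range(n):
            if r != col and m[r][col]:
                f = m[r][col]
                m[r] = [(a - f * b) % p for a, b in zip(m[r], m[col])]
    return [row[n] for row in m]


def recover_taps(s, l, p=2):
    """From 2*l consecutive outputs s[0..2l-1] recover c[0..l-1] by solving
    sum_i c[i] * s[j-1-i] = -s[j] (mod p) for j = l .. 2l-1."""
    if len(s) < 2 * l:
        raise ValueError("need 2*l outputs")
    rows = [[s[j - 1 - i] % p for i in range(l)] for j in range(l, 2 * l)]
    rhs = [(-s[j]) % p for j in range(l, 2 * l)]
    return solve_mod_p(rows, rhs, p)


if __name__ == "__main__":
    taps = (0, 1, 1)          # assumed tap order reproducing the slide's 1011100...
    seq = lfsr((1, 0, 1), taps, 14)
    print("".join(map(str, seq)), "period", period((1, 0, 1), taps))
    print(recover_taps(seq[:6], 3) == list(taps))      # True: broken from 2*l = 6 bits
    s7 = lfsr((1, 2), (3, 5), 10, p=7)                 # constructed register over Z_7
    print(recover_taps(s7[:4], 2, p=7))                # [3, 5]
```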
Cryptographic Random Number Generators
• Cyclic Encryption (Counter Encryption) [figure on the slide]: a counter $c$ is incremented by 1 in every step and encrypted under a fixed key: $s_i = E_k(c)$
• Output Feedback [figure on the slide]: a shift register (cells $1, \ldots, m, \ldots, n$) holds the previous output of $E_K$, which is encrypted under the key $K$ again; each $s_i$ is taken from the output of $E_K$
Cryptographic Random Number Generators, cont.
• ANSI X9.17 Pseudorandom Number Generator [figure on the slide: three EDE boxes (triple DES encrypt-decrypt-encrypt) under one key; inputs Date/Time$_i$ and Seed$_i$; outputs $s_i$ and Seed$_{i+1}$]. In formulas (the standard's definition, not shown on the slide):
  $T_i = EDE_K(\text{Date/Time}_i)$, $s_i = EDE_K(T_i \oplus \text{Seed}_i)$, $\text{Seed}_{i+1} = EDE_K(T_i \oplus s_i)$
Prime Number Generators
Prime number tests
deterministic: assure primality, but time consuming, e.g. factoring
probabilistic: assure primality with a given probability (almost 1)
Algorithm (probabilistic):
  repeat n times (certainty $1 - 2^{-n}$):
    test with a random witness whether p may be prime
    return false if p is definitely not prime
  return true
p prime: a single test (witness) never fails (never signals "not prime")
p composite: a witness signals "not prime" with probability > 0.5
There are about $n / \ln(n)$ prime numbers $< n$, so $P(n \text{ is prime}) \approx 1 / \ln(n)$ for a randomly chosen $n$: only few tries are necessary to catch a prime.
Algorithm:
  repeat until p is prime:
    choose a random number p of appropriate size
    test if p is prime
Prime Number Tests
Lehmann (Fermat form)
$p$ prime $\Rightarrow$ $\mathbb{Z}_p$ is a field, $\varphi(p) = |\mathbb{Z}_p^*| = p - 1$ $\Rightarrow$ $a^{p-1} \bmod p = 1$ for $a \neq 0$
$p$ composite $\Rightarrow$ $a^{p-1} \bmod p$ need not be 1 for $a \neq 0$, but $P(a \mid a^{p-1} \bmod p \neq 1) \geq 0.5$ for $p$ composite
(Caveat: this bound fails for the Carmichael numbers, e.g. $561 = 3 \cdot 11 \cdot 17$, where $a^{p-1} \equiv 1$ for every $a$ coprime to $p$. Lehmann's own test checks $a^{(p-1)/2} \equiv \pm 1$; Rabin-Miller below has no such exceptions.)
Algorithm: choose a random number $a < p$; return $a^{p-1} \bmod p == 1$
Rabin-Miller
$p$ odd prime $\Rightarrow$ $p - 1$ can easily be decomposed: $p - 1 = 2^b \cdot m$, $m$ odd
$1 = a^{p-1} \bmod p$, $a^{p-1} = (a^m)^{2^b} = (\cdots((a^m)^2)^2\cdots)^2 \bmod p$
Idea: use Lehmann's test, but avoid calculating $a^{p-1}$ if already $(a^m)^{2^i} \bmod p = 1$. In addition, in a field the only square roots of 1 are $\pm 1$: if some $(a^m)^{2^i} \neq \pm 1$ squares to 1, $p$ is composite. (The slide's loop stops only at $z = 1$ and thus accepts exactly what the Fermat test accepts; the stronger condition below also requires the value before the first 1 to be $-1$, which rules out the Carmichael numbers.)
Algorithm: choose a random number $a$, $1 < a < p - 1$
  $z = a^m \bmod p$; $i = 0$
  if $z = 1$ or $z = p - 1$: $p$ may be prime
  while $i < b - 1$ (invariant: $a^{p-1} = z^{2^{b-i}}$):
    $z = z^2 \bmod p$; $i = i + 1$
    if $z = p - 1$: $p$ may be prime
    if $z = 1$: $p$ is not prime (a nontrivial square root of 1 was found)
  $p$ is not prime
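Added example (not lecture code) covering the generator on the previous slide and both tests on this one: the Fermat form of the slide's Lehmann test, a Rabin-Miller witness function following the algorithm above, the repeat-with-random-witnesses wrapper with a small trial-division filter in front, and a random prime generator that loops until a candidate passes. `carmichael_demo` shows the caveat: 561 passes the Fermat test for every coprime base and is still rejected by Rabin-Miller. Bit sizes and the set of small primes in the filter are assumptions for the example.

```python
"""Fermat test, Rabin-Miller test and a random prime generator built on it."""
import secrets


def _gcd(a, b):
    while b:
        a, b = b, a % b
    return a


def fermat_test(p, rounds=20):
    """The slide's Lehmann (Fermat) test with random bases: False only if p
    is definitely composite. Carmichael numbers fool it for every coprime base."""
    if p < 4:
        return p in (2, 3)
    return all(pow(secrets.randbelow(p - 3) + 2, p - 1, p) == 1 for _ in range(rounds))


def rabin_miller_witness(a, p):
    """True if base a proves p composite (p odd, p > 3, 1 < a < p-1)."""
    m, b = p - 1, 0
    while m % 2 == 0:              # p - 1 = 2^b * m, m odd
        m //= 2
        b += 1
    z = pow(a, m, p)
    if z == 1 or z == p - 1:
        return False               # p may be prime
    for _ in range(b - 1):         # invariant: a^(p-1) = z^(2^(b-i))
        z = z * z % p
        if z == p - 1:
            return False           # p may be prime
        if z == 1:
            return True            # nontrivial square root of 1: composite
    return True                    # a^(p-1) != 1, or 1 reached without passing -1


def is_probable_prime(p, rounds=40):
    """Repeat the witness test; a composite survives with probability <= 4^-rounds."""
    if p < 2:
        return False
    for q in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):   # cheap filter
        if p % q == 0:
            return p == q
    for _ in range(rounds):
        a = secrets.randbelow(p - 3) + 2        # witness candidate in [2, p-2]
        if rabin_miller_witness(a, p):
            return False
    return True


def random_prime(bits, rounds=40):
    """Repeat until p is prime: random odd p with the top bit set, so the
    result has exactly `bits` bits. About ln(2^bits)/2 odd candidates needed."""
    while True:
        p = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(p, rounds):
            return p


def carmichael_demo(p=561):
    """(every coprime base passes Fermat, Rabin-Miller verdict) for p."""
    fermat_ok = all(pow(a, p - 1, p) == 1 for a in range(2, p - 1) if _gcd(a, p) == 1)
    return fermat_ok, is_probable_prime(p)


if __name__ == "__main__":
    print(carmichael_demo())                 # (True, False)
    p = random_prime(512)                    # assumed size for the demo
    print(p.bit_length(), is_probable_prime(p))
```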
Hash Functions
Requirements
Compression: map an arbitrary-length input $m$ to a fixed-length output $h = H(m)$ that should depend on every input bit (typical length: 128 or 160 bit)
Equal distribution of the hash values
Avalanche effect: one bit change in the message flips half of the hash value bits (on average).
One-way: Given $m$, it is easy to compute $h = H(m)$. Given $h$, it is hard to compute an $m'$ such that $H(m') = h$.
Collision-resistant (stronger requirement than one-way): it is hard to find two different messages $m$ and $m'$ such that $H(m) = H(m')$.
Examples: MD5 (128 bit), SHA-1 (160 bit). (Both have since been shown not to be collision-resistant; SHA-2 or SHA-3 should be used today.)
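Added example (not lecture code): measuring the avalanche effect claimed above. Every single bit of a constructed message is flipped in turn and the Hamming distance between the original and the modified digest is recorded; for a good hash the distances cluster around half the digest length. The hash functions come from `hashlib`; the message is an assumption for the example.

```python
"""Avalanche measurement: flip one message bit, count changed digest bits."""
import hashlib


def hamming_distance(a, b):
    """Number of differing bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def flip_bit(msg, bit):
    out = bytearray(msg)
    out[bit // 8] ^= 1 << (bit % 8)
    return bytes(out)


def avalanche(algorithm, msg):
    """(min, mean, max) of changed digest bits over all single-bit flips of
    msg, plus the digest length in bits."""
    def h(m):
        return hashlib.new(algorithm, m).digest()
    base = h(msg)
    dists = [hamming_distance(base, h(flip_bit(msg, i))) for i in range(8 * len(msg))]
    return min(dists), sum(dists) / len(dists), max(dists), 8 * len(base)


if __name__ == "__main__":
    msg = b"1 Cryptoboard 4711 EUR 249,-"    # constructed sample message
    for alg in ("md5", "sha1", "sha256"):
        lo, mean, hi, n = avalanche(alg, msg)
        print(f"{alg}: {n} bits, changed min {lo} mean {mean:.1f} max {hi}")
```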
Hash Functions, cont.
Compression principle: Cut the message $M$ into fixed-length blocks $M_i$ and apply a one-way (compression) function $f$ $n$ times:
$h_{i+1} = f(M_i, h_i)$ [figure on the slide: $M_i$ and $h_i$ enter $f$, $h_{i+1}$ leaves]
with a fixed initial value $h_0$; the message length is appended to the last, padded block (MD strengthening). The last $h_i$ is the hash value of the entire message.
Hypothesis: The (iterated) variable-length hash function is secure if the fixed-length one-way function $f$ is secure. (Merkle and Damgård proved this for collision resistance; for the other properties it remains a hypothesis.)
One-way function: several rounds with non-linear operations.
Message Authentication Code (MAC)
Key-dependent one-way hash function, often in combination with symmetric encryption.
Message Authentication: authentication of files between users; proof that a file has not been changed, for example by a virus.
Example [figure on the slide: CBC-MAC with DES. Block 1, Block 2, Block 3, ..., Block k of the message are chained through DES under the key $K$ (each block is XORed with the previous DES output before encryption); the last DES output is the MAC]
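Added example (not lecture code): the chaining in the figure above, together with the forgery that makes raw CBC-MAC unsafe for messages of varying length. The standard library has no DES, so the per-block function $E_K$ is an assumed stand-in, a keyed pseudorandom function built from HMAC-SHA256 truncated to the 64-bit DES block size; CBC-MAC only ever encrypts, so a PRF is sufficient to show the chaining and the attack. Key and messages are constructed values.

```python
"""CBC-MAC as in the slide's figure, the length-extension style forgery on
raw CBC-MAC, and a length-prefixed variant that resists it."""
import hashlib
import hmac

BLOCK = 8          # DES block size in bytes


def e_k(key, block):
    """Stand-in for DES_K(block): a 64-bit keyed pseudorandom function."""
    assert len(block) == BLOCK
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def cbc_mac(key, msg):
    """Zero IV, zero padding to a block multiple, MAC = last block output.
    Note the padding ambiguity: 'abc' and 'abc\\x00' get the same MAC."""
    msg = msg + b"\x00" * (-len(msg) % BLOCK)
    state = bytes(BLOCK)
    for i in range(0, len(msg), BLOCK):
        state = e_k(key, xor(state, msg[i:i + BLOCK]))
    return state


def forge(m1, tag1):
    """Given a one-block m1 with tag t1 = E_K(m1), the two-block message
    m1 || (m1 XOR t1) has the same tag: E_K((m1 XOR t1) XOR t1) = E_K(m1).
    No key is needed."""
    assert len(m1) == BLOCK
    return m1 + xor(m1, tag1)


def cbc_mac_len_prefixed(key, msg):
    """Prefix-free encoding: the message length goes into the first block,
    so messages of different length never share a chaining prefix. (CMAC and
    EMAC are the standardised fixes.)"""
    return cbc_mac(key, len(msg).to_bytes(BLOCK, "big") + msg)


if __name__ == "__main__":
    key = b"constructed-key!"
    m1 = b"PAY 100 "                    # exactly one DES block (constructed)
    t1 = cbc_mac(key, m1)
    m2 = forge(m1, t1)
    print(cbc_mac(key, m2) == t1)       # True: the forged message verifies
    print(cbc_mac_len_prefixed(key, m2) == cbc_mac_len_prefixed(key, m1))   # False
```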