r r r cse870: advanced software engineering: cheng (sp 2003)1 outline brief review mainstream...

CSE870: Advanced Software Engineering: Cheng (Sp 2003)

1

R

R

ROutline

• Brief review• Mainstream crypto-algorithms

– Symmetric encryption algorithms• DES

– Asymmetric encryption algorithms• RSA• Merkle-Hellman

• Other crypto-related techniques– Digital signature– Digital certificate


2

R

R

RAcknowledgements

• Charles Pfleedger

• E. Spafford

• William A. Stein

• FOLDOC

• Sunit Chauhan

• Jim Xu, et al.

• Shawn Hillis


3

R

R

RBrief Review

• Basic Concepts– Encryption– Crypto-system– Symmetric / asymmetric encryption– Cryptographer / crypto-analyst– Crypto-analysis– Breakability


4

R

R

RBrief Review – cont’d

• Stream ciphers– Substitution-based ciphers

• Mono-alphabetic ciphers: Caesar cipher• Poly-alphabetic ciphers: multiple alphabets

– Strengths• Simple• Fast• Low error propagation rate

– Weaknesses• Sustainable to frequency-based attacks• Sustainable to pattern-based attacks


5

R

R

RBrief Review – cont’d

• Block ciphers– Transposition

• Columnar transposition• Double transposition• Fractionated transposition

– Strengths• Good diffusion, immune to pattern-based attacks

– Weaknesses• Slow• Error propagation rate


6

R

R

RSecure Encryption Systems

• Weaknesses of stream and block ciphers– Can be manually broken, although tedious

• We will introduce– some “hard” encryption algorithms– Review 3 key, important encryption algs

• DES, RSA, M-H

– Look at cryptography related techniques


7

R

R

RSym vs Asym Encryption Algorithms

• Symmetric encryption algorithm– Encryption key == decryption key– DES

• Asymmetric algorithms– Encryption key != decryption key– Basis of public-key encryption algorithms– RSA, M-H, …


8

R

R

RData Encryption Standard (DES)

• Based on Shannon’s theory of information secrecy– Confusion: info is changed so that output bits have no obvious

relation to input bits– Diffusion: spread the effect of one plaintext bits to other cipher-text

bits.

• History of DES– Developed by US govt for general public use (by National Institute

of Standards and Technologies)– Milestones: 1972(CFP) - 1975(IBM) – 1976(NIST) – 2001(AES)

– Cracked in 1999• 56-bit key, Cracked in 22 hours 15 min (1999)

– Extensions of DES• Triple-DES, length of key extends to 56*3• AES, 128, 192, or 256-bit key (2001)


9

R

R

RDES – cont’d

• Overview of DES– Repeats 16 cycles of

• substitution, for confusion• transposition, for diffusion

– Splits data block into 2 pieces:• Scrambles each half independently• Combines key with one half

– (key is transformed during each cycle)

• Swap 2 halves• Repeat 16 times.


10

R

R

RDES – cont’d

• Overview of DES – cont’d

Plaintext(64bits)initialphase

left

rightfunctionfunction

FF

inverseinitialphase

Cipher-text

16x

transposition substitution

[Shawn Hillis]


11

R

R

RDES – cont’d

[NPS.Navy]


12

R

R

ROne Cycle in DES

Left Half Right Half

New Left Half(Old Right Half)

New Right Half

++

Key shifted

Permuted Key

Permuted Data

[Pfleeger97]


13

R

R

RDES – cont’d

• Evaluation– Strengths include

• fast• simple• standard

– Weaknesses include• weak keys, length of key is only 56bit• number of iterations, only 16• NSA involvement, trapdoor?


14

R

R

RPublic Key Systems (PKS)

• Traditional key system (symmetric enc system):– Need a key for every pair of users– N*(N-1)/2 keys, grows exponentially with users– Each user has to keep track of many keys

• Public key systems (asymmetric enc system)– Each user only has 2 keys: public and private key

• M=D(kPRIV,E(kPUB,M))

– Solid mathematical basis: one way functions: • E: M x Ke -> C and D=E-1: C x Kd -> M• Easy for Kd-holders to compute D, while difficult for others

– May publish the public key freely• others can ally encrypt mesgs for A with A’s public key


15

R

R

RSome “Hard” theories

• Computational complexity– Is number of steps or arithmetic operations required to

solve a computational problem– Polynomial time– NP, Non-deterministic polynomial time– NP-hard– NP-complete

• Satisfaction problem• Hamilton’s problem

– Cryptographers try to • find encryption algorithms that would require NP-complete

algorithms to decrypt


16

R

R

RSome “Hard” theories – cont’d

• Basic number theory:– Prime factorization

• Primes– 1|p, p|p, no other factors

• Euclid’s algorithm• The unsolved prime factorization problem problem

– Is there an algorithm which can factor any k-digit number n so quickly that it’s running time is bound by a polynomial function of k

– Modular Arithmetic• a = b mod N iff N|(a-b)

– Inverses[William A. Stein]


17

R

R

RExample PKS

• Rivest-Shamir-Adelman (RSA):– Based on number theory– Suspected to be NP-complete, not proven

• Merkle-Hellman:– Based on knapsack problem– Proven to be NP-complete


18

R

R

RRSA

• The most widely used enc and auth algorithm– In IE, Netscape, Notes, SSH Secure Shell,

Quicken, etc.

• Proposed in 1977 by – Ronald L. Rivest, MIT, now in MIT– Adi Shamir, MIT, now in Weizmann Institute– Leonard Adleman, MIT, now in USC

• Now owned by RSA Security


19

R

R

RRSA – cont’d

• Based on prime factorization problem• How RSA works

– Create public/private keys• Pick large prime numbers p and q, let n=p*q• Let

– all the numbers that is co-prime with n form a group, and the size of that group is (p-1)(q-1)

• Select e, s.t. • Solve equation, get d, • Public key is (n,e), private key is (n,d)

[William A. Stein]


20

R

R

RRSA – cont’d

• How RSA works – cont’d– Encrypt/decrypt messages

• Encode a phrase into a number– state = 19 + 20*27 + 1*272 + 20*273 + 5*274

• E(x) = xe (mod n)• D(x) = xd (mod n)

– Preposition: n,d,e are integers, n is square-free, for each p|n, p-1|de-1, then, for all a, ade = a mod n

– D(E(m)) = (me mod n)d mod n = med mod n = m mod n = m

[William A. Stein]


21

R

R

RRSA – cont’d

• Example – Let p=17, q=19, n = 323– – Let e = 95– Solve 95*x=1 mod 288, d=191

• E(m) = m95 mod n• D(c) = c191 mod n

– Suppose we have string “x”, which is 24• E(“x”) = E(24) = 2495 mod 323 = 294• D(294) = 294191 mod 323 = 24 = “x”

[William A. Stein]


22

R

R

RRSA – cont’d

• Why is it hard to break RSA?– Keep secret, if you wanna get d, you have to

factorized n into p and q

• RSA challenge– http://www.rsasecurity.com/rsalabs

/challenges/factoring/numbers.html – 8 challenges– Problem: 576 – 2048 digits– Prizes: 10k to 200k dollars

[William A. Stein]


23

R

R

RRSA – cont’d

• Evaluation– Strengths

• Algorithm is simple and easy to implement• Supported by RSA Security

– Weaknesses • Problem not yet proved to be NP-Complete• Slower than DES


24

R

R

RMerkle-Hellman

• Knapsack problem: – Set of positive integers– Target sum– Find subset of integers that equal the target– Proven to be NP-complete.

• Encode binary mesg as soln to knapsack problem– Plaintext: 0’s and 1’s– By adding terms corresponding to 1s in plaintext,

we can reduce cipher-text to target sum


25

R

R

RMerkle-Hellman – cont’d

• Super-increasing sequence: – Each integer is greater than sum of all preceding integers

– ak > j=1

k-1aj

– Solution of super-increasing knapsack (e.g., simple knapsack) is easy to find, and unique

• Convert simple knapsack into Hard knapsack– Pick super-increasing sequence S of m integers

• S = [s1, s2,.., sm]

• Choose multiplier w and modulus n, n > j=1

m-1si

• Choose n to be prime

• Replace every sj in simple knapsack with term:– hi= w* si mod n

– Hard knapsack: H = [h1, h2,.., hm]


26

R

R

RMerkle-Hellman - cont’d

• Merkle-Hellman is Public key cryptosystem– Each user has public key:

• Set of integers of a knapsack problem

– Each user has private key• Set of integers for corresponding superincreasing

knapsack

• Contribution: design of technique to convert super-increasing knapsack into a regular one.– Change numbers in non-obvious, reversible way.


27

R

R


• Encryption alg starts with binary message– P = [p1, p2,.., pk]

• Divide message into blocks of m bits, – P0 = [p1, p2,.., pm], P1 = [p1, p2,.., p2m],

– Value of m is number of terms in simple or hard knapsack

• Encipherment of message P is sequence of targets

– Each target is sum of some of the terms of the hard knapsack H

– Terms selected correspond to 1 bits in Pi,

– Pi serves as selection vector for elts of H

– Each term of ciphertext is Pi * H


28

R

R


• Decryption:– Legitimate recipient knows simple knapsack and values of

w and n– H = w * S mod n– C = H * P = w* S* P mod n

• To decipher, multiply C by w-1

– w-1 * C = w-1 * H * P = w-1 * w * S * P = S * P mod n

• Weaknesses:– How easy is it to determine w or n from H?


29

R

R

RMerkle-Hellman – cont’d

• Example– S= [1,2,4,9]; H= [15,13,9,16], – w= 15, n= 17, m = 4; hi= w* si mod n

– P = 0100101110100101– Encode with H as follows:

• P = 0100 1011 1010 0101• [0,1,0,0] * [15,13,9,16] = 13• [1,0,1,1] * [15,13,9,16] = 40• [1,0,1,0] * [15,13,9,16] = 24• [0,1,0,1] * [15,13,9,16] = 29

– Encrypted message as integers: 13,40,24,29,• Public knapsack H = [15,13,9,16]


30

R

R

REvaluation of PKS

• Strengths– Harder to break– Easier to manage keys

• Weaknesses– Slower– Dependent upon NP-computational theory


31

R

R

RCrypto-related Techniques

• Digital signatures

• Digital certificates


32

R

R

RDigital Signatures

• Digital signature proves integrity of message – by signing the message using PK techniques

• How digital signatures work?– The sender

• sends M, S=E(hash(M), private)• Message digest functions

– MD2, MD4, and MD5 from RSA Security– SHA and SHA-1 from US government

– The receiver • compares E(S, public) with hash(M)• M is considered genuine if they match

[Jim Xu, et al.]


33

R

R

RDigital Signatures – cont’d

• Assumption: – it is very rare that two different messages

have the same digest


34

R

R

RDigital Certificates

• Digital certificates are– frameworks for identification information,

and bind identities with public keys

• Digital certificates provide foundation for– identification– authentication– non-repudiation

[Sunit Chauhan][Sunit Chauhan]


35

R

R

RDigital Certificates – cont’d

• How digital certificates work?– Let a third party, trusted by both sender

and receiver, prove the binding of sender and its public key.

– Need a hierarchy of trusted certificate authorities (CAs)

• Everybody trust root CA• Root CA prove the trustworthiness of a

hierarchy of other CAs


36

R

R

RDigital Certificates – cont’d

• Example digital certificate– X509 v3 certificate format

• Version

• Certificate Serial Number

• Signature Algorithm Identifier

• Issuer Name

• Validity Period

• Subject Name

• Subject Public Key Information

• Optional Fields

[Chauhan]


37

R

R

RSummary

• Symmetric-key encryption algorithms– DES

• Public-key encryption algorithms– RSA, Merkel-Hellman

• PKS based techniques– Digital signature– Digital certificate

r r r cse870: advanced software engineering: cheng (sp 2003)1 outline brief review mainstream...

Documents