- 97 Views
- Uploaded on
- Presentation posted in: General

COSC 4607: Computer Security Lecture 9

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Cryptography

- Basic concepts
- Cipher Schemes
- Data Encryption Standard-DES
- Public Key Systems-RSA
- Digital Signature
- Cryptography Analysis

- Cryptography: the study of mathematical techniques related to information security that have the following objectives:
- Authentication: corroboration of the identity of an entity.
- Confidentiality: ensuring information is accessible only by authorized persons.
- Data integrity: ensuring information has not been altered by unauthorized or unknown means.
- Non-repudiation: preventing the denial of previous commitments or actions.

- Cryptography is one tool (not the only) useful for providing security servicessuch as:
- Authorization: conveyance of official sanction to do or be something to another entity.
- AccessControl: restricting access to resources to privileged entities.
- Availability: ensuring a system is available to authorized entities when needed.
- Anonymity: concealing the identity of an entity involved in some process
- Certification: endorsement of information by a trusted entity.
- Revocation: retraction of certification or authorization

Original

Plaintext

Plaintext

Ciphertext

Encryption

Decryption

- The most widely used tool for securing information and services is cryptography.
- Cryptography relies on ciphers: mathematical functions used for encryption and decryption of a message.
- Encryption: the process of disguising a message in such a way as to hide its substance.
- Ciphertext: an encrypted message
- Decryption: the process of returning an encrypted message back into plaintext.

- The security of a cipher may rest in the secrecy of its restrictedalgorithm .
- Whenever a users leaves a group, the algorithm must change.
- Can’t be scrutinized by people smarter than you.
- Unfortunately, secrecy is a popular approach.

- Modern cryptography relies on keys, a selected value from a large set (a keyspace), e.g., a 1024-bit number. 21024 values!
- Security is based on secrecy of the key, not the details of the algorithm.
- Change of authorized participants requires only a change in key.

For some message M, let’s denote the encryption of that message into cipher text as

{M}Kab = C

Kab is the key shared by participants A and B. The decryption into plain text is written as

{C}Kab = M

Notice,

{{M}Kab}Kab = Msymmetric key algorithms.

Some algorithms use different keys for each operation:

{{M}K+}K- = Mpublic-key algorithms.

- Shift cipher: each plaintext character is replaced by a character k to the right. (When k=3, it’s a Caesar cipher).
- “Watch out for Brutus!” => “Jngpu bhg sbe Oehghf!”(k = 13)
- Only 25 choices! Not hard to break by brute force.

- Substitution Cipher: each character in plaintext is replaced by a corresponding character of ciphertext.
- E.g., cryptograms in newspapers.
plaintext code: a b c d e f g h i j k l m n o p q r s t u v w x y z

ciphertext code: m n b v c x z a s d f g h j k l p o i u y t r e w q

- E.g., cryptograms in newspapers.
- (26!) Possible pairs.
- Is it really that hard to break?

- Give a serial number to each letter in the key (from a to z)
- Arrange the message based on the key positions
- For the ciphered text by get letters by columns with numbers from small to large.

- Firstly, the sender and receiver must agree on a keyword. In this example, the keyword is Wheatstone's name, CHARLES. The letters of the alphabet are written in a square, as shown, beginning with the keyword and with I-J combined into one element.
- Break the message into pairs of letters-diagraph. The two letters in a digraph must be different, so an X has been added to split the double M in 'hammersmith'.

- Encryption depends on the type of digraph. The digraphs fall into one of three categories
- If both letters are in the same row, then they are replaced by the letters to the immediate right of each one; 'mi' becomes 'NK'. If a letter is at the end of a row , it is replaced by the letter at the beginning; 'ni' becomes 'GK'.
- If both letters are in the same column, then they are replaced by the letter immediately beneath each one; 'ge' becomes 'OG'. If a is at the bottom of a column, it is replaced by the letter at the top; 've' becomes 'CG'.
- If the digraph letters are neither in the same row nor the same column, the rule differs. To encipher the first letter, look along its row until you reach the column containing the second letter; the letter at this intersection replaces the first letter. To encipher the second letter, look along its row until you reach the column containing the first letter; the letter at the intersection replaces the second letter. Hence, 'me' becomes 'GD'.

http://www.simonsingh.net/The_Black_Chamber/playfaircipher.htm

- Hashes are going to be a tool we use primarily for authentication.
- While related, these are not the same hashes you would use as the function in a hash table.
- They have stricter requirements.

- A hash H is a one-way function that operates on arbitrary-length message m, and returns a fixed-length value h.
h=H(m)

- Given a message m, it is easy to compute H(m)
- Given h, it is hard to compute m such that H(m)=h.
- Given specific m, it is hard to find another message m’, such that H(m)=H(m’).
- Given a large set of messages M, it’s difficult to find any pair (mi,mj) that hash to the same value.
- Hashes provide a fingerprint of m.

- a = b mod m if only if a-b =λ*m
- (a mod m)+(b mod m) = (a+b) mod m
- (a mod m)*(b mod m) = (a*b) mod m

- Multiplicative order modulo
- Let p be a prime and a an arbitrary integer. The multiplicative order modulo of a modulo p is the smallest integer n so that an= 1 mod p.
- For example, if p = 3, a = 5, then n = 2

- Fermat’s Little Theorem:
- For every a = 0 mod p, p prime, we have
- ap-1 = 1 mode p

- Discrete logarithm problem (DLP):
- Given a prime modulus p, the basis a, and the value y = ax mod p, find the discrete logarithm x of y
- n-th root problem: given integers m, n, a find an integer b=an mod m
- Factorization: given an integer n, find its prime factors.

- The most common cryptographic tools are
- Symmetric key ciphers
- DES, 3DES, AES, Blowfish, Twofish, IDEA
- Fast and simple (based on addition, masks, and shifts)
- One key shared and kept secret
- Typical key lengths are 40, 128, 256, 512

- Asymmetric key ciphers
- RSA, El Gamal
- two keys
- Slow, but versatile (usually requires exponentiation)
- Typical key lengths are 512, 1024, 2048

- Symmetric key ciphers

- Encryption Algorithm: E(KE,M) => C
- Decryption Algorithm: D(KD,C) => M
- Key-pair: (KE, KD)
- Correctness:D(KD, E(KE,M) ) = M

- Symmetric key system: private-key system
- KE = KD or
- KD be easily computed from KE

- Asymmetrical: public-key system
- It is hard to compute KD from KE

- X-OR Scheme
- KE = KD = ( k1 k2 ...kL)
- M= ( m1 m2 ...mL)
- Encryption: E(KE,M) = ( c1 c2 ...cL), where ci = ki xor mi
- Decryption:
D(KE,C) = (ki xor c1 k2 xorc2 ... kL xorcL) =M

- Key generation: choose KE uniformly at random
- Implying C is uniformly at random
- Strength: Implying perfect security or unconditional security
- Weakness:
- it can only be used once (one-time pad)

- DES is a symmetric block cipher algorithm
- DES was developed in 1970’s
- Based on IBM Lucifer cipher
- U.S. government standard
- DES development was controversial
- NSA was secretly involved
- Design process not open
- Key length was reduced
- Subtle changes to Lucifer algorithm

- DES is a Feistel cipher
- 64 bit block length
- 56 bit key length
- 16 rounds
- 48 bits of key used each round (subkey)
- Each round is very simple
- Security depends primarily on “S-boxes”
- Each S-boxes maps 6 bits to 4 bits

- Input 32 bits
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31

- Output 48 bits
31 0 1 2 3 4 3 4 5 6 7 8

7 8 9 10 11 12 11 12 13 14 15 16

15 16 17 18 19 20 19 20 21 22 23 24

23 24 25 26 27 28 27 28 29 30 31 0

- 8 “substitution boxes” or S-boxes
- Each S-box maps 6 bits to 4 bits
- S-box 1
input bits (0,5)

input bits (1,2,3,4)

| 0000 0001 0010 0011 0100 0101 0110 0111 1000 1001 1010 1011 1100 1101 1110 1111

------------------------------------------------------------------------------------

00 | 1110 0100 1101 0001 0010 1111 1011 1000 0011 1010 0110 1100 0101 1001 0000 0111

01 | 0000 1111 0111 0100 1110 0010 1101 0001 1010 0110 1100 1011 1001 0101 0011 1000

10 | 0100 0001 1110 1000 1101 0110 0010 1011 1111 1100 1001 0111 0011 1010 0101 0000

11 | 1111 1100 1000 0010 0100 1001 0001 0111 0101 1011 0011 1110 1010 0000 0110 1101

- Input 32 bits
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31

- Output 32 bits
15 6 19 20 28 11 27 16 0 14 22 25 4 17 30 9

1 7 23 13 31 26 2 8 18 12 29 5 21 10 3 24

- 56 bit DES key, 0,1,2,…,55
- Left half bits, LK
49 42 35 28 21 14 7

0 50 43 36 29 22 15

8 1 51 44 37 30 23

16 9 2 52 45 38 31

- Right half bits, RK
55 48 41 34 27 20 13

6 54 47 40 33 26 19

12 5 53 46 39 32 25

18 11 4 24 17 10 3

- For rounds i=1,2,...,n
- Let LK = (LK circular shift left by ri)
- Let RK = (RK circular shift left by ri)
- Left half of subkey SKi consists of LK bits
13 16 10 23 0 4 2 27 14 5 20 9

22 18 11 3 25 7 15 6 26 19 12 1

- Right half of subkey SKi consists of RK bits
12 23 2 8 18 26 1 11 22 16 4 19

15 20 10 27 5 24 17 13 21 7 0 3

- For rounds 1,2,9 and 16 the shift ri is 1, and in all other rounds ri is 2
- Bits 8,17,21,24 of LK are omitted each round
- Bits 6,9,14,25 of RK are omitted each round
- The function that yields the 48 bit SKi is known as the compression permutation

- An initial perm P before round 1
- A final permutation (inverse of P) is applied to (R16,L16) to yield cipher text
- Security if DES depends on S-boxes
- Everything else in DES is linear

- 30 years of intense analysis has revealed no “back door”
- Attacks today use exhaustive key search

- Key exchange must be supported securely
- Key maintenance is expensive: imagine there are n users, then we need n(n-1)/2 keys, one for each pair
- When a new user is joining the club, everyone is involved in key generation

- Public-key for encryption
- Private-key for decryption
- Requirement:
- Efficient encryption and decryption with keys
- Without private, it is hard to obtain the plain-text from the cipher-text
- Computational hard to obtain the key from each other

- Choose two large random primes p , q and
- A private decryption exponent d with
- gcd(d, p-1)=1 and gcd(d, q-1) =1

- A public encryption key consisting n = pq
- And an exponent e with
- e*d = 1 mod lcm (p-1, q-1)

- Encryption
- M=E(m) = me mod n

- Decryption
- D(M) =Md = me*d mod n = m mod n

To find a key pair e, d:

1. Choose two large prime numbers, P and Q (each greater than 10100), and form:

N = P * Q

Z = (P–1) *(Q–1)

2. For d choose any number that is relatively prime with Z (that is, such that d has no common factors with Z).

We illustrate the computations involved using small integer values for P and Q:

P = 13, Q = 17 –> N = 221, Z = 192

d = 5

3.To find e solve the equation:

e x d = 1 mod Z

That is, e x d is the smallest element divisible by d in the series Z+1, 2Z+1, 3Z+1, ... .

e * d = 1 mod 192 = 1, 193, 385, ...

385 is divisible by d

e = 385/5 = 77

- To encrypt text using the RSA method, the plaintext is divided into equal blocks of length k bits where 2k < N (that is, such that the numerical value of a block is always less than N; in practical applications, k is usually in the range 512 to 1024).
- k = 7, since 27 = 128
- The function for encrypting a single block of plaintext M is:
- E'(e, N, M) = Me mod N
- for a message M, the ciphertext is M77 mod 221
- The function for decrypting a block of encrypted text c to produce the original plaintext block is:
- D'(d, N, c) = cd mod N

- Rivest, Shamir and Adelman proved that E' and D' are mutual inverses (that is, E'(D'(x)) = D'(E'(x)) = x) for all values of P in the range 0 ≤ P ≤ N.
- The two parameters e, N can be regarded as a key for the encryption function, and similarly d, N represent a key for the decryption function.
- So we can write Ke= <e, N> and Kd = <d, N>, and we get the encryption function:
- E(Ke, M) ={M}K (the notation here indicating that the encrypted message can be decrypted only by the holder of the private key Kd) and D(Kd, ={M}K ) = M.

- Real signatures provide a number of features
- Authentic: Signature provides authenticity for a documents
- Unforgeable: Signatures are “hard” to forge
- Non-repudiable:
- Signatures can’t be repudiated. The signers cannot credibly deny that the document was signed by them.

- Unalterable: Signatures are unalterable or erasable.
- Non-reusable: Signatures, as parts of the document, aren’t reusable.

- In reality there are ways around all of these for real signatures.

1. Alice produces a one-way has of the document.

A: h=H(D)

2. Alice encrypts the hash

A: {h}KA-

3. Alice sends the document and the signed hash to Bob.

A->B: D, {h}KA-

4. Bob verifies by producing the same hash and decrypting the hash Alice sent.

1. Alice encrypts the hash of the document with her private key.

2. Alice sends the document plus hash to Bob.

3. Bob hashes the document and compares the result to what he decrypted, thereby verifying the signature.

- The sig is authentic (the hashes match)

- The sig is unforgeable (as long as no one has the private key but Alice)

- The sig is not reusable (it’s a function of the document)

- The signed doc is unalterable (the hashes wouldn’t match)

- The document can’t be repudiated.

- He/She has to break almost all the 220 messages to decrypt (expected 219) of them
- Cryptoanalysis is the science of recovering the plaintext of a message without access to the key.
- Doesn’t have to discover the key necessarily.
- The loss of a key without cryptoanalysis is called a compromise.

- Ciphertext-only attack
- Learning from samples of Ciphertexts
- Given: C1 = EK(M1) , C2 = EK(M2) ,…, Ci= EK(Mi)
- Deduce either M1, M2,…,Mi, or k or infer Mi+1 from Ci+1

- Known-plaintext attack
- Learning from samples of Ciphertext-plaintext pairs
- Given: M1 C1 = EK(M1) , M2 C2 = EK(M2),…, Mi Ci= EK(Mi)
- Deduce either k or infer Mi+1 from Ci+1

- Chosen-plaintext attack
- Learning from samples of Ciphertext-plaintext pairs where the hacker chooses the plaintext
- Given: M1 C1 = EK(M1) , M2 C2 = EK(M2),…, Mi Ci= EK(Mi)
- Deduce either k or infer Mi+1 from Ci+1

- Chosen-ciphertext attack
- Learning from samples of Ciphertext-plaintext pairs where the hacker chooses the ciphertext
- Given: M1 C1 = EK(M1) , M2 C2 = EK(M2),…, Mi Ci= EK(Mi)
- Deduce k

- Rubbery-attack
- Well….
- Threats, blackmails, torture, pay-offs.

- Totally break: e.g., obtain the decryption key
- Global deduction: find an alternative way to decryption
- Instance (local) deduction: find the plaintext of the intercepted ciphertext
- Information deduction: some information about the plaintext or the key

- Ideally, the attacker has to use brute force in an exhaustivesearch of the key-space.
- It is the complexity of launching the attack that secures us:
- Data complexity: a large number of expected inputs (e.g., ciphertext)
- Storage complexity: a large amount of storage units required.
- Processing complexity: a large number of operations required.

- A simple substitution cipher over a natural language can be easy.
- “Don’t attack. We aren’t ready.”
- “Vkj’u muumbf. Rc mocj’u ocmvw.”

- With 26! tries, you will definitely get a pattern to decrypt.

- Basic concepts
- Cipher Schemes
- Data Encryption Standard-DES
- Public Key Systems-RSA
- Digital Signature
- Cryptography Analysis