Language Studies and Academics

Cryptography and System Security Michael Pramateftakis Room Z940 Tel: (089-289)23622 E-Mail: pramateftakis@ei.tum.de

Organisatorisches • Vorlesung: Do., 12:30-14:00, N1170 • Übung: Do., 14:00-14:45, N1170 • Skript und Folien auf Englisch • Vorlesung, Diskussion und Prüfung auf Deutsch. Hinweis: Ab 3.5.2004 neue Vorlesung (WA) “Applied IT-Security” Mo. 14:00-15:30, Hörsaal 0999, Vorl. auf Englisch in Zusammenarbeit mit der Fraunhofer Gesellschaft (Dr. Stephan Spitz)

Lecture Overview • Motivation • Security Services and Mechanisms • Cryptographic Mechanisms • Discrete Algebra • Cryptographic Algorithms • Cryptographic Protocols • Security and the Internet • Smartcards and Security Applications

1. Motivation Why cryptography?

Business offers, contacts Internet Money, Payments Payment Browsing, Orders… Attacker Exemplary Scenario Other companies Bank Internet users Company Network

Further catchwords • Hackers, Crackers, Script kiddies etc. • Denial of Service • Address spoofing • Connection hijacking • Firewall, NAT, Intrusion detection • Spam • E-mail fakingetc., etc., …

2. Security Services and Mechanisms Cryptography’s most basic terms and definitions

Basic terms • Security Services • Security Mechanisms • Cryptographic algorithms

Security Services • Security services describe what a user requires from a security system: • Confidentiality (or Nondisclosure of Information) • Authentication • Verifiability and Nonrepudiation • Anonymity • Access Control Security services remedy threats.

Security Mechanisms and Algorithms • Security Mechanisms:The technical and procedural means used to implement security services.(e.g. encryption provides confidentiality.) • Algorithms:Concrete implementations of security mechanisms.(e.g. DES implements encryption)

Relations • Services, mechanisms and algorithms are related to one another. • The relation is formally defined in the OSI security architecture. • Security systems are designed and parameterized based on these relations. Services, Mechanisms and Algorithms are very basic and important terms!Distinguish between them correctly!

3. Cryptographic Mechanisms Mechanism Details

Symmetric Encryption k k c f f-1 m m Decryption m= f-1(k,c) Encryption c= f(k,m) Secure Environment Secure Environment m: Plaintext message c: Cipher k: Key f: Encryption Function f-1: Decryption Function (Inverse of f) • Symmetric = Same key for encryption and decryption. • Key is secret, secure environment needed at sender and receiver.

Symmetric Encryption Different kinds of symmetric encryption schemes: • Characterwise with a key.<Output char.> = f (k,<Input char.>) • Blockwise with a key.<Output block> = f (k,<Input block>) • Symbolwise/bitwise with sequence of keysk: k1,k2,k3,… • Blockwise with block chaining.

Perfect Security Prerequisites for perfect security: • Unlimited key length. • Truly random key sequence. • One-time pad. • |K| >= |C| >= |M| Every message can be mapped to every cipher with a different key! Thus, for a given cipher, every possible message is equiprobable, since a proper key can always be constructed! An attacker cannot make any assumptions about the message.

Perfect Security c1 k1 c2 c3 m3 c4 k5 c5 C |M|=|C|=|K| Keys equiprobable Messages equiprobable M

Asymmetric Encryption d e c f f m m Decryption m= fd(c) Public Encryption c= fe(m) Secure Environment m: Plaintext message c: Cipher e: Encryption Key d: Decryption Key f: Asymmetric Function • Asymmetric = Different keys for encryption and decryption. • Only decryptionkey is secret, secure environment needed only at receiver side.

Asymmetric Encryption • Sender encrypts with receiver’s public key. • Receiver decrypts with his own private key. Thus, everybody can send encrypted messages to the receiver without needing to exchange a secret.

Digital Signature • Creator of message signs with own private key. • Everybody can verify the signature with the creator’s public key. • The correspondence of the creator’s person to the respective public key must be reliably known. • Signed messages are not encrypted.

4. Discrete Algebra Basics of modulo-arithmetics

Discrete Algebra Chapter Overview: • Definition of modulo-n arithmetics • Groups, Rings and Fields, Galois field • Multiplicative-inverse elements in mod n • Powers in mod n, related theorems • Chinese remainder theorem • Discrete logarithms

Groups An algebra on a finite or infinite set of elements satisfying the following axioms: • The sum of 2 arbitrary elements a+b is defined and is an element of this set. • The sum is associative: (a+b)+c=a+(b+c) • A null-element 0 exists, such that for any element a holds a+0=a • Every element a has an additive-inverse element a-1 such that a+a-1=0 is called a Group. Addition and subtraction are defined for groups.

Rings If all preceding axioms hold, plus: • The sum is commutative: a+b=b+a • The product of 2 arbitrary elements a·b is defined and is an element of this set. • The product is associative: (a·b)·c=a·(b·c) • The distributive law holds: a·(b+c)=a·b+a·c we have a Ring. Multiplication is defined for a ring along addition and subtraction.

Fields If all preceding axioms hold, plus: • The product is commutative: a·b=b·a • There is an one-element 1, such that a·1=a holds for every element a • Every element a≠0 has a multiplicative inverse element a-1, such that a·a-1=1 we have a Field. Division is defined for a field along multiplication, addition and subtraction.

Arithmetics mod n • For arithmetics modulo-n axioms 1 to 10 are valid. • For arithmetics modulo-p, where p is a prime number, axioms 1 to 11 are valid. We’ll show that every element a[0,n-1] can be replaced by any element of the same remainder class Ra. When the axioms are proven, the calculus rules of algebra apply.

Multiplicative-inverse elements • In modulo-n arithmetics, an element a≠0 with hcd(n,a)=1 has a multiplicative inverse element a-1. • One way to find it would be a search of 1·a,2·a,3·a,… which is not practical for large modules. • Another way is through the fact that hcd(n,a)=1=a·n+b·aThe above mod n yields 1=b·a mod n and thus a-1=b

Euler’s f-function The f-function for a natural number n is defined as: The quantity of numbers less than n, that are relatively prime to n f(n)=| {z[1,n-1] where hcd(n,z)=1} | Since for a prime number p all numbers z<p are relatively prime to it: f(p)=p-1

Euler’s f-function In the case where n=p·q, p≠q prime: f(p·q)=(p-1)·(q-1) because: f(p·q)=[p·q-1]-(p-1)-(q-1)= f(p·q)=(p-1)·(q-1) All possible numbers Multiples of q Multiples of p

Euler’s theorem af(n)≡1 (mod n) for a|hcd(n,a)=1 This is formula (4.4.2) since f(p)=p-1. The relation is also called “Small theorem of Fermat” ap-1≡1 (mod p), for a[1,p-1]

RSA Generalization (RSA: Rivest, Shamir, Adleman, inventors of the RSA algorithm) Take Euler’s theorem, exponentiate with iN and multiply with a: • af(n)≡1 (mod n) • (af(n))i≡1i ai·f(n)≡1 (mod n) • ai·f(n)+1≡a valid for a[0,n-1] with n=p or n=p·q, p≠q

5. Cryptographic Algorithms Symmetric and asymmetric encryption algorithms

Chapter Overview • DES • DES-based MAC • DES-based cryptohash-function • AES • IDEA • Block operation modes • RSA • El Gamal methods • Certificates

DES DES history: • Developed by IBM • Published in 1974 • ‘National Bureau of Standards’, today NIST, recognizes DES as a standard in 1977 • ‘American National Standards Institute’ recognizes DES as standard (ANSI X3.92) in 1981

DES DES attributes: • Symmetric algorithm • Block cipher: Message blocks of 64 bits. Encryption to cipher blocks of 64 bits. • Key of 64 bits. Significant key length is 56 bits, with 8 parity bits. |K|=256 64 bits mi 64 bits mi DES DES-1 Key k 64(56) bits Encryption Decryption 64 bits ci 64 bits ci

AES Encryption round Data block di-1: 128 bits/16 bytes AES key: 128/192/256 bits Transformations based on byte-operations - Substitution -Permutation - Intermix Round key derivation from AES key 10/12/14 depending on key size Data block di: 128 bits/16 bytes • No transformation box in initial round • No intermix for last round

AES Encryption round Transformations: • Substitution • Each byte is replaced by its multiplicative inverse value. • Bytes are used to represent polynomials of grade less than 8, due to modular reduction with an irreducible polynomial of grade 8. • Bytes are interpreted as elements of a finite field. Addition and multiplication are defined, but are not the same with the ones used for numbers. • Permutation • Interchange of byte positions. • Intermix • Matrix multiplication of bytes in the internal ‘State’.

AES Encryption round Key derivation: With keylength 128 bits, each round requires 128 bits. The key is split into 4 words of 4 bytes each. wi=wi-1 XOR wi-4 When i mod 4=0, key transformation (KT) is applied. KT involves byte shifts, substitutions and the addition of a ‘round constant’, powers of 2 in the GF(28). KT … w0 w1 w2 w3 w4 w5 w6 w7 Key for round 1 AES key =key for round 0

c1 m1 m2 c2 BA BA BA-1 BA-1 k k k k m1 c2 m2 c1 Block operation modes Electronic Codebook (ECB) ci=BA(mi), mi=BA-1(ci) Receiver: Decryption Sender: Encryption … … … … Time

Block operation modes Properties of ECB • Every block is independent of other blocks. • Same plaintext is encrypted to same ciphertext. • Error propagation: If an error occurs in a cipher block, only the respective plaintext block is affected. • Synchronization: If the receiver cannot synchronize block boundaries, decryption is impossible.

m1 BA k c1 Block operation modes Cipher Block Chaining (CBC) ci=BA(mici-1), mi=BA-1(ci)ci-1, c0=IV Receiver: Decryption Sender: Encryption m1 … c1 c2 … IV BA-1 BA-1 k k BA k IV … m1 m2 … c1

Block operation modes Properties of CBC • The initialization vector IV must be specified. It must not be secret. • A cipher block depends on IV and all plaintext blocks before it. Identical plaintexts are encrypted to different ciphertexts. • The sequence of the blocks is significant. If the sequence changes, the cipher changes. • Identical plaintext sequences are encrypted to identical cipher sequences, so different IVs should be used. • Error propagation: If an error occurs in a cipher block, this and the next plaintext block cannot be decrypted. • Synchronization: If synchronization is regained at this cipher block, the next plaintext block and all following ones can be decrypted.

BA BA k k Block operation modes Cipher Feedback (CFB) ci=BA(ci-1)mi, mi=BA(ci-1)ci, c0=IV Receiver: Decryption Sender: Encryption ci-1 ci-1 ci mi mi ci Similar properties to CBC. Messages shorter than blocksize possible.

BA BA k k Block operation modes Output Feedback (OFB) zi=BA(zi-1), ci=zimi, mi=zici, z0=IV Receiver: Decryption Sender: Encryption zi-1 mi zi-1 ci ci mi Shorter messages than blocksize possible

Block operation modes OFB properties • State sequence zi does not depend on the plaintext. • Corresponds to encryption with pseudonoise, with a random number generator with nonlinear feedback. • Error propagation: none. • Synchronization: If block boundary synchronization is lost, the system must be resynchronized.

RSA Creating an RSA key pair: We will work in arithmetics modulo n, with: n=p·q, p≠q prime f(n)=(p-1)·(q-1) We select one of the keys randomly, e.g. e, with the following restrictions: 1<e<f(n) and hcd(e,f(n))=1 The other key is the multiplicative inverse of e modulo f(n): e·d≡1 mod f(n)

RSA • A’s public key is thus: eA,n • A’s secret key is: dA The prime factors of n cannot be found out. (Difficult task of factorization) Euler’s theorem (ai·f(n)+1) mod n=a yields with e·d≡1 mod f(n): (me·d) mod n=m for 0≤m<n as i·f(n)+1≡1 mod f(n) as well. so, you encrypt a message by raising to one key (here e) and decrypt by raising to the other (here d), modulo n.

RSA Thus, the following formulas apply: Encryption: c=(me) mod n Decryption: (cd) mod n=(me)d mod n=m Signature: s=(md) mod n Verification: (se) mod n=(md)e mod n=m The operations are computationally intensive. (e.g. 1000 times slower than IDEA)

RSA Applications of RSA: • Digital signature on message hash-values. • Transmission of symmetric session keys in hybrid cryptography systems. Due to high complexity, RSA is not useful for bulk data encryption.

Chinese Remainder Theorem The Chinese remainder theorem calculates a number x mod n=p·q, when the remainders of x modulo p and modulo q are known. Known: (x mod p) and (x mod q) Result: (x mod n) with n=p·q

Chinese Remainder Theorem The hcd of two natural numbers p and q with no common factors can be written as: hcd(p,q)=1=s·p+t·q where s and t can be calculated with the extended Euclidean algorithm. With a=x mod p and b=x mod q known, we can deduce x=(b·s·p+a·t·q) mod n=p·q See proof in script, p.38.

Language Studies and Academics

Language Studies and Academics

Presentation Transcript

Academics and Athletics

Morpheme studies and scond language acquisition

Poetry Studies Figurative Language

Academics

TIME MANAGEMENT and ACADEMICS

ENGLISH Language Studies

Korean Language Studies: Motivation and Attrition

Academics

CISR Academics and Research

Academics:

Academics

Content-Based Language and Culture Studies

ACADEMICS

Academics

Academics:

The Language of Studies

Improving Academics through Language Acquisition

Academics

Arabic Language Studies

Academics and Student Success

Social Studies and English Language Learners

Policymakers, Academics, and Practitioners