By **lanza**

## PowerPoint Slideshow about ' Spoiler Warning' - lanza


Presentation Transcript

Spoiler Warning

- After listening to this talk, you may become disappointed with this book!
- Much of the book’s content is about cryptography, but the parts about modern cryptography are often inaccurate

Build Your Own Cryptosystem

- Have you heard about any cryptosystem?
- Have you tried to design your own encryption algorithm?
- Some software companies do this
- But this is in fact very insecure
- A cryptosystem can have many hidden flaws!

A simple cryptosystem I used in F.1

- Substitute English letters with numbers
- 01..26 <-> A..Z
- 00 <-> Space
- 27..99 <-> Nothing, added to confuse the eavesdropper
- This is a kind of monoalphabetic substitution cipher
- Example
- HELLO WORLD
- 08 05 48 37 36 12 12 15 00 23 61 15 18 12 04 95
- Problems?
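The scheme above as an added Python sketch (not part of the original slides): it shows that the 27..99 decoys can be stripped without any secret, and that the letter-frequency profile survives encryption. The function names, the `null_rate` parameter and the sample message are assumptions made for the illustration.

```python
import random
from collections import Counter

def encode(text, rng, null_rate=0.4):
    """A..Z -> 01..26, space -> 00, with random decoys drawn from 27..99."""
    out = []
    for ch in text.upper():
        if ch != " " and not "A" <= ch <= "Z":
            raise ValueError("only letters and spaces are representable")
        while rng.random() < null_rate:           # sprinkle decoy numbers
            out.append(rng.randint(27, 99))
        out.append(0 if ch == " " else ord(ch) - ord("A") + 1)
    return out

def strip_nulls(codes):
    """No secret needed: decoys sit in a range real symbols never use."""
    return [c for c in codes if c <= 26]

def decode(codes):
    return "".join(" " if c == 0 else chr(c + ord("A") - 1)
                   for c in strip_nulls(codes))

def frequency_profile(codes):
    """Sorted symbol counts after stripping decoys."""
    return sorted(Counter(strip_nulls(codes)).values(), reverse=True)

# Ciphertext from the slide
SLIDE = [8, 5, 48, 37, 36, 12, 12, 15, 0, 23, 61, 15, 18, 12, 4, 95]

if __name__ == "__main__":
    print(decode(SLIDE))
    msg = "ATTACK AT DAWN"                        # constructed sample
    for seed in (1, 2):
        codes = encode(msg, random.Random(seed))
        print(len(codes), decode(codes), frequency_profile(codes))
```

Two encodings of the same message differ in length and decoy placement, yet both decode identically and expose the same symbol counts, which is what frequency analysis needs.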

Classical Ciphers

- Monoalphabetic Substitution Cipher
- Example : Caesar, simple substitution
- Substitutes every letter with a fixed letter
- Very vulnerable to frequency analysis

Classical Ciphers

- Polyalphabetic Substitution Cipher
- Example : Vigenere Cipher, Enigma
- Substitution depends on position
- Vulnerable to frequency analysis on collections of letters

Classical Ciphers

- Transposition Cipher
- Example : Columnar transposition
- Moves the position of letters around
- Again vulnerable to frequency analysis

Classical Ciphers

- Hill Cipher
- Based on matrix multiplication
- Vulnerable to known plaintext attack

Modern Cryptography

- Cryptosystem
- Key generation (a cryptosystem without a key is useless)
- Encryption
- Decryption
- Confusing Words
- Cryptography is the study of cryptosystems and their applications
- “Cipher” usually means the same thing as “Cryptosystem”
- Plaintext / cleartext means un-encrypted data
- Ciphertext / crypto-text means encrypted data

Symmetric Ciphers (Private Key Cryptosystems)

- Most famous : DES (Data Encryption Standard)
- 64 bit Key (56 bit for encryption, 8 bit for error check)
- In Digital Fortress, the brute force code breaking machine TRANSLTR can break DES in 10 minutes
- However this is totally useless, because if we encrypt the data with 3 keys consecutively (this is called 3DES), it would take 2^(56x2) x 10 minutes to break!
- New algorithm : AES (Advanced Encryption Standard)
- 128, 192 or 256 bit Key
- Widely used
- Main problem with symmetric ciphers
- Key Distribution

Asymmetric Cipher (Public Key Cryptosystem)

- Most famous : RSA
- A little number theory
- n = p*q (p and q are large primes)
- Choose e, d such that e*d = 1 (mod φ(n))
- Encryption and Decryption
- Public key is (n,e)
- Private key is (n,d)
- C = M^e
- M = C^d
- To break RSA we need to factorize n
- Current fastest algorithm : Number Field Sieve

Why still use symmetric ciphers?

- Symmetric ciphers are much faster than asymmetric ones
- At least 100x
- Key length of symmetric ciphers can be much shorter than asymmetric ciphers
- A 128-bit AES key is roughly as strong as a 2048-bit RSA key
- Use asymmetric cipher to encrypt the keys of symmetric cipher!
- Other well known algorithms
- Symmetric : RC5, IDEA, Blowfish, …
- Asymmetric : ElGamal, Elliptic Curve Cryptography (ECC), XTR, …

The One Time Pad

- One Time Pad is the only form of “Perfectly Secure” cryptosystem
- Length of Key must be at least length of Message
- Vernam Cipher
- Use bitwise XOR
- Sometimes used by governments to transfer keys to embassies
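An added Python sketch of the Vernam construction (not from the original slides) that enforces the key-length rule and shows what "perfectly secure" means in practice: for any ciphertext there is a key that decrypts it to any other message of the same length. The function names and both sample messages are constructed for the illustration.

```python
import secrets

def xor_bytes(a, b):
    # Bitwise XOR of two byte strings, truncated to the shorter one
    return bytes(x ^ y for x, y in zip(a, b))

def otp_encrypt(message, key):
    if len(key) < len(message):
        raise ValueError("key must be at least as long as the message")
    return xor_bytes(message, key)

# XOR is its own inverse, so decryption is the same operation
otp_decrypt = otp_encrypt

def key_explaining(ciphertext, candidate):
    """Return the key under which `ciphertext` decrypts to `candidate`."""
    if len(candidate) != len(ciphertext):
        raise ValueError("candidate must match the ciphertext length")
    return xor_bytes(ciphertext, candidate)

if __name__ == "__main__":
    message = b"MEET AT NOON"                  # constructed sample
    key = secrets.token_bytes(len(message))    # fresh random pad
    ct = otp_encrypt(message, key)
    print(otp_decrypt(ct, key))

    # The same ciphertext is equally consistent with a different plaintext
    other = b"STAY AT HOME"                    # constructed sample
    other_key = key_explaining(ct, other)
    print(otp_decrypt(ct, other_key))
```

Because every same-length plaintext has a matching key, the ciphertext alone tells an eavesdropper nothing except the message length.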

Digital Signatures

- Many asymmetric encryption/decryption schemes are just mathematical functions, so we can reverse the order
- Dec(Enc(X)) = Enc(Dec(X)) = X
- Therefore we can use them for “digital signature”
- Example : RSA
- If we send M to somebody, we also send s = M^d
- The other party can check M has not been altered by verifying s^e = M

Public Key Infrastructure

- Certificate Authorities (CA)
- Store your public key on their servers and verify its authenticity
- Hierarchy of Trust
- Example scenario
- When you send a message, you also send a certificate as well as a signature made with your private key
- When the other party receives the message, it first goes to the CA which issued your cert to verify it
- Then it uses your public key listed in the cert to verify the message

The Real World

- What I told you is INSECURE !
- Dolev-Yao Threat Model
- Attackers control the whole network
- Attackers can intercept, duplicate, replay, modify, or forge any message, but
- Attackers cannot find the plaintext from a ciphertext without the key, and
- Attackers cannot find the private key from a public key
- Recall the BT incident
- 90% of what the Customs did (mainly eavesdropping) can be done by everyone on the Internet

Attack on RSA

- Scenario
- I eavesdropped an RSA-encrypted message for you (M^e, where e is your public key)
- I ask you to forward this message to someone else, but I lie to you that this is an unencrypted message
- I also remind you to sign the message before forwarding
- In fact, the other person is myself
- Signature of M^e = (M^e)^d = M^(ed) = M !
- In this scenario you acted as a “Decryption Oracle” and provided “Oracle Services” to me, the attacker

Attack on RSA

- A fix?
- Check every message to see if it is actually encrypted
- This is useless
- Another scenario
- When I eavesdropped M^e, I compute M^e X^e = (MX)^e, where X is an integer I chose
- I send (MX)^e to you and ask you to sign it. When you try to decrypt it you get MX, which looks innocuous
- Feeling safe, you sign it, and send MX back to me
- I can compute MX X^(-1) to get M (taking multiplicative inverse is easy)
- This is called the “Chosen Ciphertext Attack”

Attack on RSA

- A real solution is to apply cryptographic hash function before signing
- Properties of cryptographic hash function
- One way
- Non-linear
- Collision free
- However, many other attacks are possible
- Now, formal methods are used to model the attacks
- A “really secure” version of RSA is the RSA-OAEP
- Much research is ongoing

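The RSA arithmetic from the earlier slides, the two signing scenarios and the hash-before-sign fix, worked through in Python with a toy key as an added example (not part of the original slides). The primes 61 and 53, the exponent 17, the plaintext 65 and all function names are constructed for the illustration, and the modulus is far too small for real use.

```python
import hashlib
from math import gcd

# Toy key (constructed, far too small for real use): n = p*q, e*d = 1 mod phi(n)
P, Q, E = 61, 53, 17
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (needs Python 3.8+)

def encrypt(m):
    return pow(m, E, N)              # C = M^e

def raw_sign(m):
    return pow(m, D, N)              # s = M^d, the same operation as decryption

def verify_raw(m, s):
    return pow(s, E, N) == m % N     # s^e = M

def digest(m):
    # SHA-256 reduced mod n only so that it fits the toy modulus
    h = hashlib.sha256(str(m).encode()).digest()
    return int.from_bytes(h, "big") % N

def hashed_sign(m):
    return raw_sign(digest(m))       # sign H(M), never M itself

def verify_hashed(m, s):
    return pow(s, E, N) == digest(m)

def unblind(c, x, signer):
    """Second scenario: have (MX)^e signed, then multiply by X^(-1)."""
    if gcd(x, N) != 1:
        raise ValueError("x must be invertible mod n")
    s = signer(c * pow(x, E, N) % N)
    return s * pow(x, -1, N) % N

if __name__ == "__main__":
    M = 65                            # constructed plaintext
    c = encrypt(M)
    print("raw signature of ciphertext:", raw_sign(c))        # equals M
    print("blinded, raw signer:", unblind(c, 7, raw_sign))    # equals M
    print("blinded, hashed signer:", unblind(c, 7, hashed_sign))
    print("hashed signature verifies:", verify_hashed(M, hashed_sign(M)))
```

With the raw signer both scenarios hand back the plaintext; once the signer hashes first, the value it exponentiates is no longer a multiple of M, so unblinding yields an unrelated number while honest verification still succeeds.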
Links

- Cryptography A-Z
- http://www.ssh.com/support/cryptography/index.html
- Handbook of Applied Cryptography
- http://www.cacr.math.uwaterloo.ca/hac/
- Wikipedia
- http://www.wikipedia.org/
