ISA 562 Information Security Theory & Practice

ISA 562 Information Security Theory & Practice Cryptography Chapter 9 of Bishop’s Book

Overview • Background • Secret Key Cryptography • Caesar cipher • Vigenère cipher

Cryptography • Cryptology means hidden writing • Comes from the Greek words  (hidden or secret) and  (writing) • A mechanism for • Confidentiality • Integrity (authentication, non-repudiation) • In the face of • passive, and • active attacks

Terminology • Encryption: the process of coding a message to conceal its meaning • Decryption: The process of transforming an encrypted message into the original form • Often we use encode or encipher instead of encrypt, and decode or decipher instead of decrypt • Plaintext or Cleartext: A message in its original form • Ciphertext:A message in the encrypted form • Cryptography: The practice (or art) of using encryption to conceal text • Cryptosystem: A system for encryption and decryption • Cryptographer: Invents encryption algorithms (“Good Guys”) • Cryptanalyst:Attempts to break encryption algorithms (“Bad Guys”)

Cryptosystems SECRET KEY Symmetric Key Single Key Conventional PUBLIC KEY Asymmetric Key Two Keys

Secret Key Cryptosystem Plain- text Plain- text Ciphertext Encryption Algorithm Decryption Algorithm INSECURE CHANNEL A B K K SECURE CHANNEL Secret Key shared by A and B

Public Key Cryptosystem Plain- text Plain- text Ciphertext Encryption Algorithm Decryption Algorithm INSECURE CHANNEL A B B's Public Key B's Private Key RELIABLE CHANNEL B's Public Key

Notation for a Cryptosystem • Quintuple (E, D, M, K, C) • M set of plaintexts • K set of keys • C set of ciphertexts • E set of encryption functions e: M KC • c = e(k,m) • D set of decryption functions d: C KM • m = d(k’,c) • Is k=k’? • Who keeps k and k’?

Example • Example: Caesar cipher • M= { all sequences of letters } • K = { i | i is an integer and 0 ≤ i ≤ 25 } • E = { Ek | kK, where Ek(m) = (m + k) mod 26 for any letter m} • E0 (a) = a, E2 (b) = ?, E2 (y) = ? • D = { Dk | kK, where Dk(c) = (26 + c–k) mod 26 for any letter c} • D0 (a) = a, D2 (b) = ?, D2 (y) = ? • C = M m c k

Cryptanalysis • Adversary ’sgoal is to break the cryptosystem • Knows e and dbut not k • Knows how the lock works, but don’t’ know the combination • Break the cryptosystem = get the key • Real objective might be to discover the plaintext message, but this is generally assumed to be equivalent to discovering the key • Unlock the cabinet (and use the remote control)

Cryptanalysis (Cont’d) • Types of attacks: • ciphertext only: adversary has only ciphertext • The enemy intercepted encrypted messages • known plaintext: adversary has some plaintext-ciphertext pairs • The enemy later learned the content of those messages • chosen plaintext: adversary has plaintext-ciphertext pairs for plaintext of the cryptanalyst's choice • A spy submit fake messages for encryption • chosen ciphertext: adversary has plaintext-ciphertext pairs for ciphertext of the cryptanalyst's choice • A spy submit fake encrypted messages for decryption

Basis for Attacks • Mathematical attacks • Based on analysis of underlying mathematics • Statistical attacks • Natural language contains particular distribution of letters, pairs of letters (digrams), triplets of letters (trigrams), etc. ,in a natural language • Called models of the language • In English, ‘e’ appears the most frequently (65 times more frequently than the least frequent ‘z’ and ‘q’) • In this handout: ‘e’ 1769, ‘z’ 27, ‘q’ 68 • Encryption may not fully destroy the distribution, so observe the ciphertext for related properties

Secret Key Cryptography • Sender, receiver share common key • Keys may be the same, or trivial to derive from one another • Also called symmetric key cryptography • Two basic types • Transposition ciphers • Substitution ciphers • Combinations are called product ciphers

Transposition Cipher • Rearrange letters in plaintext to produce ciphertext • Example (Rail-Fence Cipher) • Plaintext is HELLO WORLD • Rearrange as HLOOL ELWRD • Ciphertext is HLOOL ELWRD • Permutation • Does not alter frequency of single characters • Called a 1-gram

Attacking the Transposition Cipher • Anagramming • If 1-grams of ciphertext match English frequencies, but other n-grams (that is, frequency of n-tuple of characters) do not, probably transposition • Rearrange letters to form n-grams with highest frequencies HELLO WORLD HLOOL ELWRD HLOOL ELWRD Permutations do not change frequency of single characters, but do change frequency of pairs of characters

Example • Ciphertext: HLOOLELWRD • In English, frequencies of 2-grams starting w/ H • HE0.0305 the winner! • HO 0.0043 • HL, HW, HR, HD < 0.0010 • Frequencies of 2-grams ending in H • WH 0.0026 • EH, LH, OH, RH, DH ≤ 0.0002 • Implies E follows H

Example • Arrange so the H and E are adjacent HE LL OW OR LD • Read off across, then down, to get original plaintext HLOOL ELWRD

KHOOR ZRUOG HELLO WORLD Substitution Ciphers - Caesar cipher • Change characters in plaintext to produce ciphertext • Example (Caesar cipher) • Plaintext is HELLO WORLD • Change each letter to the third letter following it (X goes to A, Y to B, Z to C) • Key is 3, usually written as letter ‘D’ • Ciphertext is KHOOR ZRUOG

Attacking the Caesar Cipher • Exhaustive search • If the key space is small enough, try all possible keys until you find the right one • Caesar cipher has 26 possible keys • Statistical analysis • The right key should let decrypted message match the 1-gram model of English

Statistical Attack on Caesar Cipher • 1-grams of the ciphertext KHOOR ZRUOG g 0.1 h 0.1 k 0.1 o 0.3 r 0.2 u 0.1 z 0.1 • 1-grams of English p: • Question: how to choose the right key such thatthe two 1-grams match the best?

Correlation of Frequency • ‘Match the best’ means… • The right key 0i 25 should maximize (i) = 0.1•p (6 –i) + 0.1 •p (7 –i) + 0.1 •p (10 –i) + 0.3 •p (14 –i) + 0.2 •p (17 –i) + 0.1 •p (20 –i) + 0.1 •p (25 –i) • 0.3 •p ( 14 –i ) (k) is maximum iff the two sides match (having similar relative percentage)  frequency of ‘o’ in ciphertext frequency of decrypted ‘o’ in english

(i) for 0 ≤ i ≤ 25

Who is the Winner? • Most probable keys, based on : • i = 6, (i) = 0.0660 • plaintext EBIIL TLOLA • i = 10, (i) = 0.0635 • plaintext AXEEH PHKEW • i = 3, (i) = 0.0575 • plaintext HELLO WORLD • i = 14, (i) = 0.0535 • plaintext WTAAD LDGAS • Only English phrase is for i = 3 • That’s the key • Why ranked #3?

Caesar Cipher’s Problem • Key is too short • Can be found by exhaustive search (13 tries) • Statistical frequencies not concealed well • 1-grams are not changed (only shifted) • So make key longer • Use a sequence as key: k1 k2 k3… kn(key space 26n) • Conceal statistical frequencies through diffusion • Use ki to encrypt the ith letter of plaintext • Statistical patterns average out

Vigenère Cipher • Example • Message THE BOY HAS THE BALL • Key VIG repeating • Period of the key is 3 • Encipher using Caesar cipher for each letter: key VIGVIGVIGVIGVIGV plain THEBOYHASTHEBALL Cipher OPKWWECIYOPKWIRG

G I V A G I V B H J W E L M Z H N P C L R T G O U W J S Y A N T Z B O Y E H T Tableau shown has relevant rows, columns only (full version: Figure 9-3 in textbook) Relevant Parts of Tableau key plaintext key VIGVIGVIGVIGVIGV plain THEBOYHASTHEBALL Cipher OPKWWECIYOPKWIRG

Attacking the Cipher • Approach • Establish period; call it n • Break message into n parts, each part being enciphered using the same key letter • Solve each part • We will show each step keyVIGVIGVIGVIGVIGV plain THEBOYHASTHEBALL CipherOPKWWECIYOPKWIRG

The Target Cipher • We want to break this cipher: ADQYS MIUSB OXKKT MIBHK IZOOO EQOOG IFBAG KAUMF VVTAA CIDTW MOCIO EQOOG BMBFV ZGGWP CIEKQ HSNEW VECNE DLAAV RWKXS VNSVP HCEUT QOIOF MEGJS WTPCH AJMOC HIUIX

First Tool: Kaskski’s Method • Kaskski: if characters of the key appear over the same characters in the plaintext, repetitions in the ciphertext will occur key VIGVIGVIGVIGVIGV plain THEBOYHASTHEBALL cipher OPKWWECIYOPKWIRG • Distance between repetitions is 9, so the period must be a factor of 9 (that is, 1, 3, or 9) • Will the ciphertext contain the same repetition in the following two cases? key VIGVIGVIGVIGVIGVI plain THEBOOYHASTHEBALL key VIGJVIGJVIGJVIGJ plain THEBOYHASTHEBALL

Repetitions in Example

Estimate of Period • The longest repetition OEQOOG is probably not a coincidence • Distance is 30 • The second longest is MOC • Distance is 72 • GCD of 30 and 72 is 6 • Others • (7/10) have 2 in their factors • (6/10) have 3 in their factors • 6 is a probable period

Second Tool: Index of Coincidence • Index of coincidence (IC) • The probability that any two randomly chosen letters from ciphertext are the same • A measure of variation in frequencies of letters • IC of aaaaaaaabc (> or <) IC of aabcdefghi ? • This variation depends on the period of key • Longer key tends to average out statistical patterns that exist in English (and thus in plaintext) • Known result of period - IC 1 - 0.066 3 - 0.047 5 - 0.044 2 - 0.052 4 - 0.045 10 - 0.041 larger- 0.038

Compute IC of Our Ciphertext • IC =0≤i≤25 (Fi (Fi– 1)) (n (n– 1)) • where n is length of ciphertext and Fi the number of times character i occurs in ciphertext • aaaaa aaabb • Here, IC = 0.043 • Indicates a period of slightly more than 5 • Agrees with the previous estimate 6 • Step 1 done; now we have the key period

Splitting Into Alphabets alphabet 1: AIKHOIATTOBGEEERNEOSAI IC 0.069 alphabet 2: DUKKEFUAWEMGKWDWSUFWJU IC 0.078 alphabet 3: QSTIQBMAMQBWQVLKVTMTMI IC 0.078 alphabet 4: YBMZOAFCOOFPHEAXPQEPOX IC 0.056 alphabet 5: SOIOOGVICOVCSVASHOGCC IC 0.124 alphabet 6: MXBOGKVDIGZINNVVCIJHH IC 0.043 • 1,2,3,5 indicate period 1 • 4 and 6 don’t (well, statistics) • Step 2 done; now we are dealing with 6 Caesar ciphers! ADQYS MIUSB OXKKT MIBHKIZOOO EQOOG IFBAG KAUMF VVTAA CIDTW MOCIO EQOOG BMBFV ZGGWP CIEKQ HSNEW VECNE DLAAV RWKXS VNSVP HCEUT QOIOF MEGJS WTPCH AJMOC HIUIX

Frequency Examination ABCDEFGHIJKLMNOPQRSTUVWXYZ 131004011301001300112000000 2 10022210013010000010404000 3 12000000201140004013021000 4 21102201000010431000000211 5 10500021200000500030020000 6 01110022311012100000030101 • Letter frequencies in English HMMMHMMHHMMMMHHMLHHHMLLLLL • #1 matches – the key is a (H high, M medium, L low)

Begin Decryption • #3 matches if I shifted to A • #6 matches if V shifted to A • Substitute into ciphertext (bold are substitutions) ADIYS RIUKB OCKKL MIGHK AZOTO EIOOL IFTAG PAUEF VATAS CIITW EOCNO EIOOL BMTFV EGGOP CNEKI HSSEW NECSE DDAAA RWCXS ANSNP HHEUL QONOF EEGOS WLPCM AJEOC MIUAX

Look For Clues • AJE in last line suggests “are”, meaning #2 key is s : ALIYS RICKB OCKSL MIGHS AZOTO MIOOL INTAG PACEF VATIS CIITE EOCNO MIOOL BUTFV EGOOP CNESI HSSEE NECSE LDAAA RECXS ANANP HHECL QONON EEGOS ELPCM AREOC MICAX

Next Alphabet • MICAX in last line suggests “mical” (a common ending for an adjective), meaning #2 key is O : ALIMS RICKP OCKSL AIGHS ANOTO MICOL INTOG PACET VATIS QIITE ECCNO MICOL BUTTV EGOOD CNESI VSSEE NSCSE LDOAA RECLS ANAND HHECL EONON ESGOS ELDCM ARECC MICAL

Got It! • QI means that U maps into I, as Q is always followed by U: ALIME RICKP ACKSL AUGHS ANATO MICAL INTOS PACET HATIS QUITE ECONO MICAL BUTTH EGOOD ONESI VESEE NSOSE LDOMA RECLE ANAND THECL EANON ESSOS ELDOM ARECO MICAL A LIMERICK PACKS LAUGHS ANATOMICAL INTO SPACE THAT IS QUITE ECONOMICAL BUT THE GOOD ONES IVE SEEN SO SELDOM ARE CLEAN AND THE CLEAN ONES SO SELDOM ARE COMICAL

One-Time Pad • A Vigenère cipher with a random key at least as long as the message • Perfectly secure (textbook 32.3.3) • Why? Look at ciphertext DXQR. Equally likely to correspond to plaintext DOIT (key AJIY) and to plaintext DONT (key AJDY) and any other 4 letters • Impractical • Remember the key must be transmitted via a secure channel

Key Points • Two basic types of ciphers • Transposition ciphers and substitution ciphers • Product ciphers combine them • Caesar cipher uses one key • Vigenère cipher uses a sequence of keys • Cryptanalysis • Exhaustive search • Statistical analysis

ISA 562 Information System Security Stream Cipher and Block Cipher

Overview • Problems with naive use of ciphers • Stream Cipher • Block cipher • DES

Naive Use of Cipher • Just encrypt each message (if message is too long, divide it into blocks and encrypt each block) and transmit the ciphertext’ • What can go wrong?

Attack #1: Forward Search • Set of all possible messages is small • {buy, sell} • Public key cryptosystem used • Encryption key is public • Idea: precompute all (message, ciphertext) pairs • (buy, cbuy ), (sell, csell) • When ciphertext csell is intercepted, the adversary knows the message is sell even without decryption • Digitized sound • Seems like far too many possible plaintexts (232) • Redundancy in human speech reduces this to 100,000 (≈ 217) • This is small enough to worry about

Attack #2: Misordered Blocks • Alice sends Bob message • Message LIVE is too long to be encrypted, so divide into blocks and encrypt each letter • Plaintext 11 08 21 04 and Ciphertext is 44 57 21 16 • A man-in-the-middle Eve intercepts the ciphertext • Rearranges blocks to be 16 21 57 44 • Bob gets modified ciphertext and deciphers it • He sees EVIL

Attack #3: Statistical Regularities • Encrypting repeated plaintext with the same key produces the same ciphertext • Recall the Kasiski method

ISA 562 Information Security Theory & Practice