Security in Computing Chapter 2, Elementary Cryptography

Summary created by Kirk Scott

1. Notation
• S = Sender
• R = Recipient or Receiver
• T = Transmission Medium
• O = Outsider, possibly an Interceptor or Intruder
2. Possible Attacks on Messages in Transition
• A. Block the message
• R does not receive it
• This violates availability
• B. Intercept the message
• If it is readable, this violates confidentiality
• Even if unreadable, knowing that a message was sent may be of value

C. Modify the message

• Intercept, modify, and retransmit
• This violates integrity
• D. Fabricate a message
• Send a message to R that appears to come from S
• This violates integrity
3. Terminology
• Encryption = encoding = enciphering = converting plaintext to ciphertext = scrambling the contents of a message so it can only be read by the intended recipient
• Decryption = decoding = deciphering = converting ciphertext to plaintext
• A rational scheme for encryption and decryption is known as a cryptosystem
4. More Notation
• A plaintext sequence of characters can be represented in this way:
• P = <p1, p2, …, pn>
• Ciphertext can be represented in this way:
• C = < c1, c2, …, cn>
• Encoding and decoding can be represented as functions E() and D()
5. Relationships in a Cryptosystem
• Encryption: C = E(P)
• Decryption: P = D(C)
• A successful cryptosystem has this property:
• P = D(E(P))
6. Encryption Algorithms
• An encryption algorithm is a set of rules for converting plaintext to ciphertext
• Algorithms commonly come in families
• A slight variation in the use of the rules yields a different encryption
7. Keys
• In certain cryptosystems the variation between different applications of an algorithm is embodied in keys
• A key, K, identifies or characterizes a particular variation on an algorithm
• This is the notation for encrypting with a key, where E() represents the algorithm overall:
• C = E(K, P)
• If encryption is done with a key, decryption will also be done with a key:
• P = D(K, C)
8. Symmetric and Asymmetric Keys
• Symmetric: The key for encryption and decryption are the same:
• P = D(K, E(K, P))
• Asymmetric: The key for encryption and decryption are different:
• P = D(KD, E(KE, P))
• Both kinds of systems will eventually be discussed in depth
9. Keys or No Keys
• Keyless cryptosystems are possible
• A system with a key makes multiple encryptions of plaintext possible
• It makes the code breaker’s task more difficult
• Figure out the algorithm
• Also figure out the key
• Even if the algorithm is known, it’s still necessary to figure out the key
10. Cryptology/Cryptography
• Cryptology = research and study of codes
• Cryptography = use and application of codes
• Cryptographer = (authorized) user of codes
• Cryptanalyst = breaker of codes
11. Functions of Cryptanalysis
• Break a single message
• Deduce a key for an algorithm
• Deduce an algorithm
• Signals intelligence: Infer meaning from message traffic without decryption
• Find weaknesses in the use of a cryptosystem
• Find weaknesses in a cryptosystem in the absence of intercepted messages
12. Sources for Cryptanalysis
• Intercepted plaintext
• Intercepted ciphertext or suspected ciphertext
• Properties of human languages
• Mathematical and statistical tools
• Known algorithms
• Intuition, ingenuity, perseverance, luck
• All approaches, licit and illicit, are open to the attacker
13. Breakable Encryption
• A code may be theoretically breakable through brute force
• Even given all possible decryptions, it would still be necessary to pick the right one
• The real problem is not having the computing resources to afford a brute force solution
• On the other hand, computing resources are getting cheaper and cheaper
• The real opportunity comes from applying strategies better than brute force
14. Numeric Representations of the Alphabet
• A = 0, B = 1, …, Z = 25
• Starting with zero makes it possible to work in modular fashion
• Simple codes can be based on + and –
• If the result goes below 0 or above 25, modular arithmetic rolls over or wraps around
15. Two Simple Example Techniques of Encryption
• Substitution: Exchange one letter for another
• This embodies the idea of confusion
• One thing stands for another
• Transposition: Rearrange the letters in a message
• This embodies the idea of diffusion
• Parts of the original message are spread throughout the encrypted message

These two techniques alone are too weak for commercial use

• They are of historical interest
• They are also useful for learning the concepts without getting bogged down in heavy math
16. Simple Substitution
• This may be called a mono-alphabetic cipher
• Example: Caesar’s Cipher:
• A  d, B  e, …, Z  c
• ci = E(pi) = (pi + 3) mod 26
• Example:
• TREATY IMPOSSIBLE  wuhdwblpsrvvleoh
18. Aspects of Caesar’s Cipher
• Easy to use
• No need for written instructions
• In a world where most were illiterate anyway, it was reasonably secure
• On the other hand, it is also quite weak
19. Cryptanalysis of Caesar’s Cipher
• Spaces between words are preserved
• Plaintext letters always map to the same ciphertext letters
• As a consequence, regularly occurring sequences of letters in plaintext will recur as ciphertext sequences (prefixes, suffixes, etc.)
• In the small example given, the appearance of the double letters SS/vv illustrates the idea
20. A Cryptanalysis Example
• wklv phvvdjh lv qrw wrr kdug wr euhdn
• This is based on a 27 letter alphabet with the space included
• Furthermore, the space hasn’t been encrypted (or “it codes to itself”)
• This opens up lots of cryptanalytic possibilities

The number of short words in English is small

• For example, am, is, to, be, he, we, and, are, you, she, …
• Approach: Substitute whole short words, then do the same letter substitutions elsewhere to see what you get

wrr is a strong clue because it contains a double letter, and wr only reinforces this

• Small words fitting the wrr pattern include see, too, add, odd, off, …
• You also need one where the first two letters make a smaller word
• Too and to are probably more common

This is an educated guessing game

• Trying too and to gives:
• wklv phvvdjh lv qrw wrr kdug wr euhdn
• T--- ------- -- -OT TOO ---- TO -----
• Now consider lv which is a short word in its own right and also ends wklv
• Is and this are reasonable guesses
• At some point either the message or the transformation will become obvious…
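The Caesar shift and the guessing game above, as an added example in Python (not code from the slides or the textbook): a partial cipher-to-plain map is applied to the ciphertext to give the dash view, short cipher words are matched by their letter-repetition pattern against a small constructed word list, and the guesses are checked against all 26 possible shifts.

```python
# Added example: Caesar shift and the partial-substitution guessing game.
# The word list is constructed for this illustration, not a real dictionary.
import string

ALPHABET = string.ascii_uppercase  # A = 0, B = 1, ..., Z = 25

def caesar(text, shift=3):
    """c_i = (p_i + shift) mod 26; spaces and punctuation pass through unchanged.
    Ciphertext is written in lower case, as on the slides."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26].lower())
        else:
            out.append(ch)
    return "".join(out)

def caesar_decrypt(ciphertext, shift=3):
    """Shift back by the same amount; plaintext is written in upper case."""
    return caesar(ciphertext, -shift).upper()

def partial_decrypt(ciphertext, guesses):
    """Apply a partial cipher->plain letter map; unresolved letters show as '-'.
    This produces the dash view used on the slide."""
    return "".join(" " if ch == " " else guesses.get(ch, "-") for ch in ciphertext)

def word_pattern(word):
    """Letter-repetition pattern of a word: 'wrr' and 'too' both give (0, 1, 1)."""
    seen = {}
    return tuple(seen.setdefault(ch, len(seen)) for ch in word.lower())

SHORT_WORDS = ["am", "is", "to", "be", "he", "we", "and", "are", "you", "she",
               "see", "too", "add", "odd", "off", "the", "this"]  # constructed

def candidates(cipher_word, words=SHORT_WORDS):
    """Words whose repetition pattern matches the cipher word (wrr -> see, too, ...)."""
    return [w for w in words if word_pattern(w) == word_pattern(cipher_word)]

def shifts_consistent_with(guesses):
    """Caesar shifts that agree with every guessed cipher->plain pair.
    A single surviving shift means the guesses have pinned down the key."""
    return [s for s in range(26)
            if all(caesar(plain, s) == cipher for cipher, plain in guesses.items())]

if __name__ == "__main__":
    ct = "wklv phvvdjh lv qrw wrr kdug wr euhdn"   # the slide's ciphertext
    guesses = {"w": "T", "r": "O"}                # from guessing wrr = too, wr = to
    print(partial_decrypt(ct, guesses))
    print(candidates("wrr"), shifts_consistent_with(guesses))
    print(caesar_decrypt(ct, shifts_consistent_with(guesses)[0]))
```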
21. Permutations of the Alphabet
• The alphabet can be rearranged in less obvious ways than shifting 3 to the right
• In general a permutation is any reordering of the elements of a set
• Given a set, {1, 2, 3, 4, 5, 6, 7, 8, 9, 10}
• A permutation can be represented:
• Π1 = {1, 3, 5, 7, 9, 10, 8, 6, 4, 2}
• For an individual element:
• Π1(3) = 5
22. Keys, Permutations, and Substitution Ciphers
• Any permutation of the alphabet can be used as a substitution cipher
• A key can be the basis for coming up with a substitution
• Let the key be “word”
• Here is a way of using it to determine a code:
• ABCDEFGHIJKLMNOPQRSTUVWXYZ
• wordabcefghijklmnpqstuvxyz
• At the end, letters “substitute” for themselves
• The letters at the end of the alphabet are uncommon
• Still, this is weak

The book suggests an alternative of counting by 3:

• ABCDEFGHIJKLMNOPQRSTUVWXYZ
• You could probably come up with a mathematical expression for this
• It works because 3 and 26 are relatively prime, so counting by 3 visits every letter exactly once
23. The Complexity of Substitution
• All simple substitutions are equivalent to table look up
• For practical purposes, the time to look up each letter is constant
• For a message of length n, both encryption and decryption are O(n)
• Low order of complexity is a sign of a weak algorithm
• If a key is involved, the encryption may be strong
• The point is that the security of the encryption now depends largely on the key and not the algorithm
24. Cryptanalysis of Substitution Ciphers
• Superficially, substitution ciphers appear to be based on a hard problem
• There are 26! permutations of the English alphabet
• Trying all by brute force would be daunting

If encryption was done by mono-alphabetic substitution, letter frequency analysis breaks the code

• The cryptanalyst is not restricted to solving the underlying hard problem
• Consider the program LetterCount.java, given with the first assignment
• Empirically determine letter frequencies in English text and see what frequencies occur in ciphertext
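As an added example (not code from the slides, the textbook or LetterCount.java), the keyword alphabet from slide 22, the count-by-3 alphabet with its relatively-prime check, the O(n) table lookup, and the letter-frequency comparison that shows why a mono-alphabetic substitution only relabels the histogram. The sample sentence is constructed.

```python
# Added example: keyword and count-by-3 substitution alphabets, and the letter
# frequency comparison that breaks any mono-alphabetic substitution.
import string
from collections import Counter
from math import gcd

ALPHABET = string.ascii_uppercase

def keyword_alphabet(key):
    """Key letters first (repeats dropped), then the unused letters in order."""
    seen = []
    for ch in key.upper() + ALPHABET:
        if ch not in seen:
            seen.append(ch)
    return "".join(seen).lower()

def valid_step(step):
    """Counting by `step` visits every letter exactly once iff gcd(step, 26) == 1."""
    return gcd(step, 26) == 1

def step_alphabet(step):
    """Start at a and take every step-th letter, wrapping mod 26.
    The cipher letter for plaintext index i is (step * i) mod 26."""
    if not valid_step(step):
        raise ValueError(f"step {step} shares a factor with 26, so letters collide")
    return "".join(ALPHABET[(step * i) % 26] for i in range(26)).lower()

def substitute(text, cipher_alphabet):
    """Mono-alphabetic substitution: plaintext letter i -> cipher_alphabet[i]."""
    return text.upper().translate(str.maketrans(ALPHABET, cipher_alphabet.lower()))

def unsubstitute(ciphertext, cipher_alphabet):
    """Decryption is the same table lookup in reverse: still O(n)."""
    return ciphertext.lower().translate(str.maketrans(cipher_alphabet.lower(), ALPHABET))

def letter_frequencies(text):
    """Relative frequency of each letter (the LetterCount idea); non-letters ignored."""
    letters = [ch for ch in text.upper() if ch in ALPHABET]
    counts = Counter(letters)
    return {ch: counts[ch] / len(letters) for ch in ALPHABET}

def same_histogram(plaintext, ciphertext):
    """A substitution only relabels letters, so the sorted frequency values match."""
    p = sorted(letter_frequencies(plaintext).values())
    c = sorted(letter_frequencies(ciphertext).values())
    return p == c

if __name__ == "__main__":
    sample = "THE QUICK BROWN FOX JUMPS OVER THE LAZY DOG AND THEN SLEEPS"  # constructed
    for alpha in (keyword_alphabet("word"), step_alphabet(3)):
        ct = substitute(sample, alpha)
        print(alpha, ct, same_histogram(sample, ct))
```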
25. The Cryptographer’s Dilemma
• Encryption is not random
• In order to encrypt and decrypt, there has to be a pattern which authorized users know
• It’s the pattern which gives clues to the cryptanalyst
• The contest between cryptographers and cryptanalysts is never-ending

• 1. If a message is short enough, it will not include sufficient traces of the pattern for analysis
• Suppose you simply intercept a message consisting of 6 characters
• What could it be?
• You need context to even hazard a guess

2. In the cryptographic arms race, you can essentially assume that anything encrypted is breakable

• The question is, will it be breakable before the data loses its value
• This is the principle of adequate protection applied to thinking about how strongly to encrypt something
26. Vernam Ciphers
• A diagram of the Vernam process is shown on the following overhead
• Note that the diagram shows XOR as the transformation

The book chooses to illustrate the idea behind Vernam with an example based on addition and modular arithmetic rather than XOR

• Letters of plaintext are represented by numbers
• Then a sequence of 2 digit random numbers is considered
• The random numbers are added to the plaintext, mod 26

The idea is that this is a system where the algorithm is extremely simple

• Security depends on the secrecy and randomness of the key
• The problem with this illustration is that it’s not clear how you decrypt
• It does not appear to me that this is true:
• p = (((p + n) mod 26) + n) mod 26

XOR actually makes a better example

• Let the letters and random numbers be represented in binary
• If p is the plaintext and q is the random number key:
• E(p) = c = p XOR q
• D(c) = c XOR q = (p XOR q) XOR q = p
• In other words, applying XOR q twice returns you to p
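The two Vernam illustrations above as an added example (not code from the slides or the textbook): mod-26 addition with decryption by subtraction, which shows why adding the key a second time does not recover the plaintext, and the XOR form, where the same operation both encrypts and decrypts. The key numbers and key bytes are constructed.

```python
# Added example: Vernam encryption with the slide's mod-26 addition and with XOR.
# The key numbers and byte keys below are constructed for the illustration.
import secrets

def _val(ch):
    return ord(ch.upper()) - ord("A")

def vernam_mod26_encrypt(plaintext, key_numbers):
    """Add a random number to each letter value, mod 26 (the textbook's illustration)."""
    if len(key_numbers) < len(plaintext):
        raise ValueError("key must be at least as long as the plaintext")
    return "".join(chr((_val(p) + k) % 26 + ord("a"))
                   for p, k in zip(plaintext, key_numbers))

def vernam_mod26_decrypt(ciphertext, key_numbers):
    """Decrypt by subtracting the same numbers mod 26; adding them a second
    time (as the slide's formula would) does not return the plaintext."""
    return "".join(chr((_val(c) - k) % 26 + ord("A"))
                   for c, k in zip(ciphertext, key_numbers))

def vernam_xor(data: bytes, key: bytes) -> bytes:
    """c = p XOR q; applying the same key again gives (p XOR q) XOR q = p."""
    if len(key) < len(data):
        raise ValueError("key must be at least as long as the data")
    return bytes(d ^ k for d, k in zip(data, key))

def fresh_key(nbytes):
    """A one-time key: unpredictable bytes, never reused for another message."""
    return secrets.token_bytes(nbytes)

if __name__ == "__main__":
    numbers = [23, 95, 7, 60, 41, 88]           # constructed 'random' two-digit numbers
    ct = vernam_mod26_encrypt("VERNAM", numbers)
    print(ct, vernam_mod26_decrypt(ct, numbers), vernam_mod26_encrypt(ct, numbers))
    k = fresh_key(8)
    c = vernam_xor(b"MACHINES", k)
    print(c.hex(), vernam_xor(c, k))
```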
27. Vigenere Tables
• A Vigenere table is shown on the overhead following the next one
• Across the top the columns are labeled with small letters
• This can be interpreted as key look up
• Down the side the rows are labeled with big letters
• This can be interpreted as plaintext look up

At the right-most edge there is a column labeled π

• This tells you that each row in the table is one of 26 permutations of the alphabet
• Encryption using a Vigenere table involves substitution
• This is poly-alphabetic substitution (not mono-alphabetic)
28. Vigenere Example
• Key:
• iamiexistthatiscert
• Message:
• MACHINESCANNOTTHINK
• Encryption of first letter, for example:
• Look up intersection of row M, column i, getting u

The complete encryption is:

• uaopmkmkvtunhbljmed
• Substitution has occurred, but substitution was done on each letter from a potentially different permutation of the alphabet, depending on what the corresponding key value was.
29. Cryptanalysis of the Example
• The original message is English and has corresponding letter frequencies
• In this example the key is also English and will have corresponding letter frequencies
• A, E, O, and T make up 40% of English text
• The probability that both the plaintext and the key come from this set:
• 0.4 × 0.4 = 0.16

A, E, O, T, N, and I make up 50% of English text

• The probability that both the plaintext and the key come from this set:
• 0.5 × 0.5 = 0.25
• A Vigenere table is shown on the following overhead with the intersections of the rows and columns for these letters circled

Consider any one ciphertext letter

• If it appears in the intersection of one of the highlighted rows and columns, there is a high probability that the ciphertext letter was produced by that plaintext/key pair
• This observation alone won’t crack the code, but it tilts the odds in the cryptanalyst’s favor

Randomly guessing plaintext key pairs would have this kind of probability:

• 1/26 × 1/26 = 1/676 ≈ 0.001479
• Letter pair by letter pair it isn’t necessarily clear which would be the plaintext and which would be the key
• Even in a final decryption, which would be the message, “iam…” or “machines…”?
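The Vigenère example of slide 28 and the frequency observation of slide 29 as an added example (not code from the slides or the textbook): the table lookup is computed as (p + k) mod 26, and for any ciphertext letter the plaintext/key pairs drawn from the common-letter set that could have produced it are listed, which is what the circled intersections show. The common-letter sets are the ones the slides give.

```python
# Added example: Vigenere encryption as table lookup, decryption, and the
# high-frequency-letter observation used in the cryptanalysis slides.
import string

A = string.ascii_uppercase

def vigenere_encrypt(message, key):
    """Row = plaintext letter, column = key letter; the entry is (p + k) mod 26.
    The slides use a key as long as the message; a shorter key would repeat."""
    if len(key) < len(message):
        raise ValueError("key must cover the whole message")
    return "".join(A[(A.index(p) + A.index(k)) % 26].lower()
                   for p, k in zip(message.upper(), key.upper()))

def vigenere_decrypt(ciphertext, key):
    """Undo the lookup: p = (c - k) mod 26."""
    return "".join(A[(A.index(c) - A.index(k)) % 26]
                   for c, k in zip(ciphertext.upper(), key.upper()))

COMMON4 = "AEOT"    # about 40% of English text (slide 29)
COMMON6 = "AEOTNI"  # about 50%

def likely_pairs(cipher_letter, common=COMMON6):
    """(plaintext, key) pairs drawn from the common set that produce this letter.
    These are the circled intersections in the table; an empty list means the
    letter came from at least one uncommon letter."""
    c = A.index(cipher_letter.upper())
    return sorted((p, k) for p in common for k in common
                  if (A.index(p) + A.index(k)) % 26 == c)

def common_pair_positions(message, key, common=COMMON6):
    """Positions where both the plaintext and the key letter come from the common set."""
    return [i for i, (p, k) in enumerate(zip(message.upper(), key.upper()))
            if p in common and k in common]

if __name__ == "__main__":
    key, msg = "iamiexistthatiscert", "MACHINESCANNOTTHINK"
    ct = vigenere_encrypt(msg, key)
    print(ct, vigenere_decrypt(ct, key))
    for ch in ct:
        print(ch, likely_pairs(ch))
    print(common_pair_positions(msg, key))
```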
30. Strengthening Such a Code
• Never repeat or recycle the key
• Do not use text, books, poems, etc. as the key
• Use values without a pattern
• Example: Use middle digits of telephone numbers starting at an agreed upon place in the book
• Use random numbers generated by a computer
• One-time pad: this term refers to printed sequences of random numbers distributed as keys to senders and receivers
• As they are used, they are destroyed
• Without other clues, the ciphertext itself is virtually unbreakable
• Attacks will come on the key distribution and storage system
32. Transpositions = Permutations of Messages (Not Permutations of the Alphabet)
• Substitution is a confusion based technique
• Transposition is a diffusion based technique
• The contents of the original message are dispersed throughout the encrypted message
33. Columnar Transposition (Row-Column Transposition)
• Arrange the plaintext in rows of fixed length
• Read it back in columns
• If you don’t completely fill the matrix, pad the last row with X’s
• An example is shown on the following overhead

• THISI
• SAMES
• SAGET
• OSHOW
• HOWAC
• OLUMN
• ARTRA
• NSPOS
• ITION
• WORKS
• Becomes:
• tssohoaniwhaasolrstoimghwutpirseeoamrookistwcnasns
34. Encipherment/Decipherment Complexity
• Note, this is about authorized users, not cryptanalysis
• There is a constant time for each character
• There is also a space cost
• You have to hold the whole message before encrypting or decrypting
• This implies a delay before encrypting and decrypting
• Not practical for long, time-sensitive messages
35. Cryptanalysis of a Transposition Cipher
• If you believe you have a complete message
• If you suspect it’s a row-column transposition
• You can try all different possible row/column sizes and see which one gives a decryption
• Note that if you do a letter frequency analysis and it agrees with English text, this is a sign that you’re dealing with a technique like transposition, not substitution

If the message is large

• Or if computing resources are limited
• You can do a piecemeal attack using digram/trigram analysis
• Digram and trigram are just fancy words for sequences of two and three letters

In any language, including English, some sequences are common and some are rare

• Let the following be given:
• ABS
• URD
• LYX
• aulbrysdx

To check whether there were two columns:

• c0, c2 = AL (OK)
• c0, c2, c4 = ALR (OK--already)
• c2, c4, c6 = LRS (Maybe not)
• To check whether there were three columns:
• c0, c3 = AB (OK)
• c0, c3, c6 = ABS (OK)
• Etc.—They’ll all be OK…
• A large proportion of common to rare “grams” is a sign you’re on the right track
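The columnar transposition of slide 33 and the column-count check of slide 35 as an added example (not code from the slides or the textbook): encryption pads the last row with X and reads down the columns, the inverse read reconstructs the rows for a hypothesised number of columns, and a digram score over the result says which hypothesis looks like English. Note that plaintext neighbours sit one column length apart in the ciphertext, which for the 3×3 ABS/URD/LYX grid is the c0, c3, c6 check on the slide. The digram list is a constructed sample of common English pairs.

```python
# Added example: columnar (row-column) transposition with X padding, the
# inverse read, and the digram check for guessing the number of columns.
# The digram list is a constructed sample of common English pairs.
from math import ceil

COMMON_DIGRAMS = {"TH", "HE", "IN", "ER", "AN", "RE", "ON", "AT", "EN", "ND",
                  "TI", "ES", "OR", "TE", "OF", "ED", "IS", "IT", "AL", "AR",
                  "ST", "TO", "NT", "NG", "SE", "HA", "AS", "OU", "IO", "LE"}

def columnar_encrypt(plaintext, ncols, pad="X"):
    """Write the letters in rows of ncols, pad the last row, read down the columns."""
    letters = "".join(ch for ch in plaintext.upper() if ch.isalpha())
    nrows = ceil(len(letters) / ncols)
    letters = letters.ljust(nrows * ncols, pad)
    rows = [letters[r * ncols:(r + 1) * ncols] for r in range(nrows)]
    return "".join(rows[r][c] for c in range(ncols) for r in range(nrows)).lower()

def columnar_rows(ciphertext, ncols):
    """Undo the column read for a hypothesised ncols (grid assumed full).
    Plaintext neighbours sit nrows apart in the ciphertext: for the 3x3
    slide example that is c0, c3, c6 = ABS."""
    if len(ciphertext) % ncols:
        raise ValueError("length is not a multiple of ncols; grid would not be full")
    nrows = len(ciphertext) // ncols
    cols = [ciphertext[c * nrows:(c + 1) * nrows] for c in range(ncols)]
    return ["".join(cols[c][r] for c in range(ncols)).upper() for r in range(nrows)]

def columnar_decrypt(ciphertext, ncols):
    return "".join(columnar_rows(ciphertext, ncols))

def digram_score(text):
    """How many adjacent letter pairs are common English digrams."""
    text = text.upper()
    return sum(1 for i in range(len(text) - 1) if text[i:i + 2] in COMMON_DIGRAMS)

def rank_column_counts(ciphertext, max_cols=10):
    """Score every column count that fits; the English-like one scores highest."""
    scores = {k: digram_score(columnar_decrypt(ciphertext, k))
              for k in range(2, max_cols + 1) if len(ciphertext) % k == 0}
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    ct = columnar_encrypt("THIS IS A MESSAGE TO SHOW HOW A COLUMNAR TRANSPOSITION WORKS", 5)
    print(ct)
    print(rank_column_counts(ct))
    print(columnar_rows("aulbrysdx", 3))
```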
36. Combinations of Encryption Approaches
• Substitution and Transposition can be mixed, for example
• A product cipher can be represented in this way:
• E2(E1(P, K1), K2)
• A product, or composition of ciphers may be more secure
• If algorithms are composed without understanding, the result may be weaker
37. Shannon’s Characteristics of Good Ciphers
• 1. Effort to use should be proportional to strength
• 2. Algorithm and keys should be free of extraneous complexities
• 3. Implementation and use should be as simple as possible
• 4. Errors in ciphering should not propagate and corrupt what follows
• 5. The size of the encryption should be no greater than the original
• They still have general validity
• However, computers have effectively obviated some of them
38. Properties of Trustworthy Encryption Systems
• This topic refers to commercially viable systems, not hand-based systems
• Based on sound, established mathematics and solid principles
• Analyzed by competent experts and verified by them
• Stood the test of time
39. Stream Ciphers
• Mono-alphabetic substitution illustrated the concept
• Transformation of plaintext accomplished one symbol at a time with key algorithm
• One slip can mess up what follows, but finding the problem in a stream is doable
• Low to no diffusion
• Susceptible to insertion and modification
40. Block Ciphers
• Row-column transposition illustrated the concept
• Encryption/decryption performed on a set of symbols, producing another set
• High diffusion—throughout block
• Immunity to insertion
• Delay/slowness in encryption and decryption
• One error may make a whole block garbage
41. Source Information for Cryptanalysis
• The cryptanalyst may have this information:
• Ciphertext (only)
• Full plaintext (plus matching ciphertext)
• Partial or possible plaintext (plus ciphertext)
• The algorithm
42. Given Ciphertext
• This is what the foregoing examples were about
• The analysis is based on:
• Probabilities
• Distributions
• Characteristics discernible in the ciphertext
• Publicly available knowledge
43. Ultimate Task, Given Plaintext and Ciphertext
• For some C = E(P)
• Find E()
• Or, for some C = E(P, K)
• Find K
44. Given Full Plaintext and Ciphertext
• Under these conditions there is no message to decrypt
• The goal is to find the algorithm or key
• Given the algorithm, a key may be breakable by brute force, testing all possibilities
• With no additional knowledge, deducing the algorithm may depend on informed trial and error
45. Given Partial or Probable Plaintext and Ciphertext
• This is like a ciphertext-only attack, only with a headstart
• You rely on educated guesses, probabilities, distributions, etc.
• Hopefully you arrive at a full message decryption
• Then you can think about trying to determine the algorithm or key that produced it
46. Given Ciphertext of any Selected Plaintext
• If an organization has been infiltrated, it may be possible to insert messages and intercept the encryptions
• This is the most powerful attack possible on algorithms
• It allows the analyst to test hypotheses about them
• This approach depends on a pre-existing attack that allows insertion—as opposed to an attack that obtained algorithms and keys outright
47. Cryptographic Weaknesses
• Human beings are faulty, or at least they have predictable characteristics which can be exploited
• Likewise for software…
• Likewise for hardware…
48. Current Commercial Algorithms
• These systems are supposed to measure up to a level of trustworthiness appropriate to modern commercial transactions
• DES = Data Encryption Standard
• AES = Advanced Encryption Standard
• It may be argued that AES does not yet meet criterion 3, the test of time, since it’s the newest
49. Symmetric and Asymmetric Encryption Systems
• AES and DES are symmetric
• Secure communication is supported by a single, shared, private key for each pair of users
• RSA is asymmetric
• Each user has two keys, one public and one private
• The public key is shared with any other user who wants to send a secure message to that user
• The differences in keys determines how each kind of system is applied
50. DES Background
• NBS Specifications:
• Highly secure
• Clearly specified/easy to understand
• Publishable/open algorithm/validatable
• Available to all users
• Economical hardware implementation
• Efficient to use
• Exportable

Didn’t quite meet all of their requirements

• System developed by IBM (initially proprietary and not)
• Verified/modified(?) by the NSA
• Adopted as a standard in 1976

This information comes from the Wikipedia article on differential cryptanalysis.

• It explains a little bit about the relationship between academic research on cryptography, commercial research, and the NSA.
• “The discovery of differential cryptanalysis is generally attributed to Eli Biham and Adi Shamir in the late 1980s, who published a number of attacks against various block ciphers and hash functions, including a theoretical weakness in the Data Encryption Standard (DES). It was noted by Biham and Shamir that DES is surprisingly resistant to differential cryptanalysis, in the sense that even small modifications to the algorithm would make it much more susceptible.[1]”

“In 1994, a member of the original IBM DES team, Don Coppersmith, published a paper stating that differential cryptanalysis was known to IBM as early as 1974, and that defending against differential cryptanalysis had been a design goal.[2] According to author Steven Levy, IBM had discovered differential cryptanalysis on its own, and the NSA was apparently well aware of the technique.[3] IBM kept some secrets, as Coppersmith explains: "After discussions with NSA, it was decided that disclosure of the design considerations would reveal the technique of differential cryptanalysis, a powerful technique that could be used against many ciphers. This in turn would weaken the competitive advantage the United States enjoyed over other countries in the field of cryptography."[2] Within IBM, differential cryptanalysis was known as the "T-attack"[2] or "Tickle attack".[4]”

51. DES Algorithm
• 64 bit blocks
• Suited to 64 bit architecture
• 64 bit key with 56 effective bits
• 16 cycles of substitution and transposition
• I.e., both confusion and diffusion in blocks
• Implemented using standard arithmetic/logic/shift operations
52. Security of DES
• Growth in computing power now makes testing 2^56 possible keys feasible
• This still takes money and time
• Some features were never revealed or inferred through independent research
• Never was fully trusted for fear of an NSA trapdoor
53. Increasing the Security of DES
• DES wasn’t developed with the ability to increase its security with longer keys
• Double DES = E(k2, E(k1, m))
• It has been shown that for doubling the encryption/decryption effort in this way, you only double the cryptanalysis cost
• In other words, the effective key length only grows to 57

Triple DES = E(k3, D(k2, E(k1, m)))

• Note: This is the presentation in the 3rd edition
• The textual explanation seems to imply that the 3rd edition was correct and the 4th edition contains a false modification
• At the expense of tripling the encryption/decryption cost, the cost of cryptanalysis is increased by a factor of 2^56

In other words, the effective key length is doubled to 112

• This is significant, but multiple encryption is not as convenient as a system that simply has a longer key
• The book presents a third option that results in an effective key length of 80
• The details aren’t important
54. AES Background
• The NIST solicited replacements for DES with these characteristics:
• Unclassified/publicly disclosed
• Royalty-free worldwide
• Symmetric block cipher for 128 bits
• Usable with 128, 192, and 256 bit keys

After evaluation, the Rijndael algorithm was chosen

• It was created by two Dutchmen and openly published
• Not the least of its advantages was reduced fear of a government trapdoor
55. AES Algorithm
• 10, 12, or 14 cycles for keys of 128, 192, and 256 bits, respectively
• Cycles include substitution and transposition
• Operations include byte substitution, row shift, column mixing, XOR, and adding subkeys
• Message bits are diffused throughout the block
• Adding subkeys means that key bits are also diffused throughout the block
56. Security of AES
• Extensively studied and tested
• Less real world experience
• Little chance of trapdoors
• No flaws found yet
• Number of cycles and length of keys can be increased
• On the other hand, the day will come when cryptanalysis forces it to be replaced
57. Keys in Symmetric Systems
• Support authentication of sender
• Support secure communication
• One secret key shared by every pair of users
• n(n – 1) / 2 keys to fully interconnect n users
• Key proliferation and distribution are challenges
• Keeping multiple distributed keys secret is an additional aspect of proliferation
58. Public Key Encryption
• The challenges of symmetric encryption motivate asymmetric encryption
• A system can be devised with a public key and a private key (see ch. 12)
• In notation:
• P = D(kpriv, E(kpub, P))
• P = D(kpub, E(kpriv, P))
• Decryption is done with the private key
• For authentication, encryption is done with the private key
• Decryption is done with the public key
59. Advantages of Public Key Systems
• Each user has only one public and one private key
• That means 2n keys to fully interconnect n users
• Proliferation problems are reduced
• Each user only has to keep one key secret
• Distribution of public keys is simply not a problem
60. Comparison of Symmetric and Asymmetric Encryption
• Symmetric is fast, on the order of 10,000 times faster than asymmetric
• Therefore, symmetric is the workhorse
• Symmetric keys have to be distributed “out of band”
• Asymmetric is the ideal tool for distributing symmetric keys
• Asymmetric is convenient for mass messages to multiple receivers and for authentication
61. RSA Encryption
• This brief preview is just to establish that asymmetric systems are possible and do exist
• Let e, d, and n be numeric values
• e = encryption key, d = decryption key
• C = P^e mod n
• P = C^d mod n = (P^e)^d mod n

In simplistic terms:

• P = C^(1/e) = (P^e)^(1/e)
• Because the arithmetic is done mod n, finding the decryption key, d, is not as simple as just finding 1/e
• Ultimately this is based on finding the prime factors of a (large) number
• This will be covered in chapter 12
62. The Uses of Encryption
• 1. Secrecy or confidentiality of message/data
• 2. Integrity of message/data
• 3. Key exchange
• 4. Authentication/digital signatures/security certificates
63. Message Integrity—Cryptographic Hashing
• Hash function  checksum or message digest
• I.e., h(P)  hash value
• H() has to have this characteristic:
• Change one bit in P and h(P) is changed
• The idea is this:
• Whoever holds the hash algorithm/key has the unique ability to produce h(P)
• If someone a fake Pfake, h(P) won’t match and they won’t have the ability to create the matching h(Pfake)
• Only an authorized user, whether sender or receiver, can create or verify a hash
• A hashing scheme will be more secure if the algorithm is effectively non-invertible
• This eliminate inversion as an angle of attack
64. How Hashing is Used
• The sender hashes a message/data
• The hash is posted with the message
• The receiver hashes the message and compares with the received hash
• If the computed hash doesn’t agree with the posted one, the message has been altered or damaged (or, possibly the posted hash has been altered or damaged)
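The hash-and-post procedure above as an added example (not code from the slides or the textbook), using a keyed hash (HMAC-SHA256) so that only holders of the key can produce or verify h(P): it shows the one-bit-change property, the receiver's recomputation and comparison, and the contrast with an unkeyed digest that anyone who alters P can simply recompute. The key and message are constructed.

```python
# Added example: the hash-and-post procedure with a keyed hash (HMAC-SHA256),
# so only key holders can produce or verify h(P). Key and message are constructed.
import hashlib
import hmac

def keyed_hash(key: bytes, message: bytes) -> str:
    """h(P) as on the slides: whoever holds the key has the ability to produce it."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()

def post(key: bytes, message: bytes):
    """Sender side: the hash travels with the message."""
    return message, keyed_hash(key, message)

def verify(key: bytes, message: bytes, posted_hash: str) -> bool:
    """Receiver side: recompute and compare in constant time."""
    return hmac.compare_digest(keyed_hash(key, message), posted_hash)

def flip_bit(message: bytes, bit: int) -> bytes:
    """Damage exactly one bit (transmission error or tampering)."""
    data = bytearray(message)
    data[bit // 8] ^= 1 << (bit % 8)
    return bytes(data)

def differing_bits(hex_a: str, hex_b: str) -> int:
    """Hamming distance between two hex digests: a one-bit change in P
    changes roughly half of the digest bits."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")

def unkeyed_hash(message: bytes) -> str:
    """Plain SHA-256 without a key: anyone who alters P can also recompute it,
    so it detects damage but not a deliberate substitution of both P and h(P)."""
    return hashlib.sha256(message).hexdigest()

if __name__ == "__main__":
    key = b"shared-secret-key-example"       # constructed
    msg, tag = post(key, b"TRANSFER 100 TO ACCOUNT 42")
    damaged = flip_bit(msg, 5)
    print(verify(key, msg, tag), verify(key, damaged, tag))
    print(differing_bits(tag, keyed_hash(key, damaged)))
    forged = b"TRANSFER 999 TO ACCOUNT 42"
    print(unkeyed_hash(forged) == unkeyed_hash(forged), verify(key, forged, tag))
```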
65. Integrity Verification
• For comparison, checksums are a simple form of integrity verification
• They would not be secure
• XOR’ing repeated message blocks would be another simple integrity checking scheme
• Posting an encryption with corresponding plaintext would effectively be a hash, but it’s not desirable to hand P and C both to attackers
66. Commercial Hash Functions
• MD4, MD5 (MD = Message Digest)
• Created by RSA (Rivest, Shamir, Adleman)
• Convert any msg to 128 bit digest
• SHA/SHS (Secure Hash Algorithm/Standard)
• Converts any msg to 160 bit digest
67. Attacking Hashes
• If msgs of any length generate fixed length hashes shorter than the msgs:
• Then >1 message can generate the same hash
• This means a different message could be posted with the hash of the original message and no problem would be detected
• This may or may not be useful to an attacker
• A complete attack would allow the attacker to generate correct hashes for arbitrary messages
68. Key Exchange
• The basic problem is setting up secure exchange between two parties who don’t know each other face-to-face
• The goal is to exchange a private symmetric key between them
• This problem has two components:
• Making sure the key is secure
• Authenticating the sender of the key

Let the symmetric key be represented as K

• Let R and S both have public and private asymmetric keys, kPUB-R, kPRIV-R, kPUB-S, kPRIV-S
• Let S be the party who will be sending K to R
• S should send this:
• E(kPUB-R, E(kPRIV-S, K))
• The outer transformation provides security
• The inner transformation authenticates S
69. Diffie-Hellman Key Exchange
• The bottom line: Don’t worry about the details of this
• The book mentions it without giving a full explanation
• It is essentially based on the same idea as RSA encryption, powers and modular arithmetic
• That will be covered in ch. 12
• If, ultimately, you understand key exchange using public key encryption, you’ve learned enough
70. Characteristics of Digital Signatures
• The book uses a paper (monetary) check as a reality check on signatures
• A signature/signed document should:
• Be authenticable/not be forgeable/not be repudiatable
• Not be alterable
• Not be reusable
71. Notation for Digital Signatures
• P = Person who signs
• R = Receiver of signed item
• M = Message, signed item
• S(P, M) is the signature of P on M
• [M, S(P, M)] is the unique, unreproducible pair created when P signs M
• It is important to note that the signature is unique to the message—it’s bound to the message
72. Characteristics of Signed Documents Using Notation
• This is the pair: [M, S(P, M)]
• Authentic/not forgeable/not repudiatable: R can verify that P was the only possible source of the pair
• Not alterable: After sending or posting, neither P, nor R, nor an outside interceptor can change the pair without detection
• Not reusable: If the pair is presented a second time, R can immediately detect this
• Whether a key is public or private is indicated by the transformation, E() or D()
• Let U = the User
• Let M = the Message
• Privacy transformation: Use of public key by other user to send to U will be shown with E():
• E(M, Ku)
• Authentication transformation: Use of private key by U to send to others will be shown with D():
• D(M, Ku)
74. Using Public Keys for Digital Signatures
• This is a straightforward use of public keys for authentication
• As presented, it also relies on the idea that the encryption of a message is itself a kind of hash of the message
• This is the message/signature pair that S would produce:
• [M, D(M, Ks)]
75. Characteristics—Authentic
• [M, D(M, Ks)]
• Authentic/not forgeable/not repudiatable:
• Only S can produce this
• R can verify by applying E(D(M, Ks), Ks) to acquire M
• Note that R should save a copy for non-repudiation purposes
76. Characteristics—Not Alterable
• [M, D(M, Ks)]
• If M (or D(M, Ks)) is altered, E(D(M, Ks), Ks) will not give back M
• Again, note that this assumes that the system hasn’t been broken
• A successful attack on the system would allow fake M and the correct, corresponding D(M, Ks)
77. Characteristics—Not Reusable
• [M, D(M, Ks)]
• This characteristic is not based on the protocol directly
• Just like with monetary checks, every transaction, M, should be numbered internally
• Each numbered transaction should be honored only once
• An attacker could alter the transaction number in M, but could not produce the matching D(M, Ks) for resubmission
• Like for non-repudiation, R should save a copy of all honored transactions
78. Trust in Digital Environments
• An authentication transformation makes it possible to distribute a symmetric key, for example
• The antecedent question is how you verify the identity of/put trust in a party who wants to exchange keys
• Trust is transferred or transmitted when a known, trusted party vouches for another party
• Vouching sets up chains or hierarchies of trust
• Hierarchies of trust may be parallel to hierarchies of management in organizations
• Through a chain of contacts in the organization, one party can trust another who is n steps removed
• Authentication is applied at each step
• The result is a sequence of authentications
79. Digital Certificates
• Note: This idea will be presented in a somewhat simplified form, with a note on reality at the end
• The idea will initially be explained in terms of key distribution only
• The reality is that keys should be distributed along with the identities of the key holders
• In practice, certificates are made more secure by hashing their contents, binding the key and the identity together
• Let X post a public key on a secure, trusted system available to other members of the hierarchy
• Let X retain the matching private key
• Let Y be one step removed in the hierarchy, but personally known and trusted by X
• X transmits trust to Y by performing and posting this transformation: D(KX PRIV, KY PUB)
• KX PRIV is the key used in the transformation
• KY PUB is the message
• Anyone with access to X’s public key can apply E(KX PUB, D(KX PRIV, KY PUB)) and obtain Y’s public key
• D(KX PRIV, KY PUB) is Y’s certificate
• Y vouches for Z by performing this transformation: D(KY PRIV, KZ PUB)
• This is not Z’s full certificate
• A complete certificate reaches all the way to a commonly trusted individual
• A certificate consists of a full chain of individual “vouchers” that reaches the top of the hierarchy
• In this case, Z’s certificate would be:
• D(KX PRIV, KY PUB) + D(KY PRIV, KZ PUB)
• With access to KX PUB, it’s possible to evaluate the first half of the certificate, obtaining KY PUB, and then the second half, obtaining KZ PUB
80. Identities and Hashing in Certificates
• A public key is not so useful if you don’t know who it belongs to, so an identity has to be distributed with a key
• The message body, M, of a certificate, should contain both.
• For Z, for example, the last part of the certificate should contain:
• M = Z’s id + KZ PUB
• The transformation is D(KY PRIV, Z’s id + KZ PUB)
• There is a cryptographic weakness here
• An attacker may be able to separate the two parts of the message at the plus sign, substituting a fake id or a fake key
• A more secure certificate would bind the id and its key together
• Hashing can be used to bind things together
• At the lowest level, the message or contents of Z’s certificate become:
• [Z’s id + KZ PUB, hash(Z’s id + KZ PUB)]
• Checking against the hash will protect against changes in the id or the key
• Then applying Y’s vouching transformation, the lowest level of Z’s certificate is:
• D{KY PRIV, [Z’s id + KZ PUB, hash(Z’s id + KZ PUB)]}
• Under this scheme, Y’s certificate is:
• D{KX PRIV, [Y’s id + KY PUB, hash(Y’s id + KY PUB)]}
• Thus, Z’s complete certificate is the sequence, or chain:
• D{KX PRIV, [Y’s id + KY PUB, hash(Y’s id + KY PUB)]} + D{KY PRIV, [Z’s id + KZ PUB, hash(Z’s id + KZ PUB)]}
• In summary, for every user:
• The individual parts of the certificate bind id and public key together
• Each individual part is authenticated by the next individual part
• The different parts, or sub-certificates, are independent and do not have to be bound by hashing
• The chain ultimately has to reach an agreed upon source of trust
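The certificate chain of slides 79 and 80, together with the D()/E() signing and checking of slides 74 through 76, as an added example that is not from the slides. It uses textbook RSA on constructed, insecure Mersenne-prime keys, signs the hash of [id + K PUB] rather than the pair itself (hash-then-sign, the usual realization of the slides’ scheme), and writes the key first in D() and E() as the certificate slides do.

```python
import hashlib

def keypair(p, q, e=65537):
    """Textbook RSA from two constructed primes: returns ((e, n), (d, n)) = (public, private)."""
    n, d = p * q, pow(e, -1, (p - 1) * (q - 1))
    return (e, n), (d, n)

def D(priv, m):
    """Authentication transformation with the private key (key first, as on the certificate slides)."""
    d, n = priv
    return pow(m, d, n)

def E(pub, c):
    """Privacy transformation with the public key; E(K PUB, D(K PRIV, m)) gives back m."""
    e, n = pub
    return pow(c, e, n)

def h(body, n):
    """hash(id + K PUB), reduced below the signer's modulus so it can be passed to D()."""
    return int.from_bytes(hashlib.sha256(body).digest(), "big") % n

def body_of(ident, pub):
    """M = id + K PUB; the hash over both is what binds them together."""
    return f"{ident}|{pub[0]}:{pub[1]}".encode()

def vouch(issuer_priv, ident, pub):
    """One link of the chain: the issuer's D() over the hash of [id + K PUB]."""
    body = body_of(ident, pub)
    return body, D(issuer_priv, h(body, issuer_priv[1]))

def verify_chain(root_pub, chain):
    """Walk from the commonly trusted root, checking each link with the key recovered
    from the previous one. Returns (id, pub) of the final subject, or None on failure."""
    cur, ident = root_pub, None
    for body, sig in chain:
        if E(cur, sig) != h(body, cur[1]):
            return None                       # altered id/key, or not signed by the expected issuer
        ident, key = body.decode().split("|")
        cur = tuple(int(v) for v in key.split(":"))
    return ident, cur

# Constructed hierarchy: X is the trusted root, vouches for Y, who vouches for Z.
X_PUB, X_PRIV = keypair(2**89 - 1, 2**31 - 1)
Y_PUB, Y_PRIV = keypair(2**107 - 1, 2**61 - 1)
Z_PUB, _ = keypair(2**127 - 1, 2**13 - 1)
Z_CERT = [vouch(X_PRIV, "Y", Y_PUB), vouch(Y_PRIV, "Z", Z_PUB)]

def tampered_cert():
    """Same signatures, but the subject id in the last link is swapped for "Mallory"."""
    body, sig = Z_CERT[1]
    return [Z_CERT[0], (body.replace(b"Z|", b"Mallory|"), sig)]
```

Verifying Z_CERT from X_PUB yields Z’s id and public key; the tampered chain, or the same chain checked against a different root, is rejected at the first link that fails E(K PUB, sig) == hash.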
81. Trust Outside of a Hierarchy
• An organization can build a trust hierarchy different from the management hierarchy
• For example, there may be one security officer responsible for issuing one-level certificates to all employees
• The Internet overall does not have just one root
• There are multiple (typically national) trusted, top-level certificate issuing bodies
• Trust still propagates through chains of certificates
• Digital security relies on mutual trust of a common authority
82. What Do Trust and Certificates Accomplish?
• This is just a reminder, but it’s useful in case you’ve lost sight of the forest for the trees
• Aside from the abstraction, trust, what is concretely being transmitted by certificates?
• The message contains an id and a public key
• A public key is being distributed
• Knowing who the key belongs to—priceless
• This is what is being securely accomplished