## CHAPTER 3: CLASSIC CRYPTOGRAPHY


Motivation: Information in any form (written, typed, or electronic) is subject to disclosure, modification, and/or misuse since it is readily human readable.

Need: Methods for providing secret communication to protect information in any state (during processing, while stored, or in transit). This also implies the need to be able to recover and read secret communications.

The means to do this: Cryptology, from the Greek Crypto meaning secret or hidden, and ology meaning doctrine, theory, or science.

Cryptology & Classic Cryptography

**Cryptology**

Two major subdivisions: Cryptography & Cryptanalysis

- Cryptography - communications in the presence of adversaries. Study of methods that transform ordinary text (plaintext) into unreadable ciphertext. Ciphertext is unreadable as long as an adversary cannot invert (recover) the encoded information.
- Cryptanalysis - methods of recovering plaintext from ciphertext. Study of methods that reveal and recover ciphertext and/or methods to forge ciphertext so it appears to be authentic.

**Conventional Cryptology**

[Figure: a source sends plaintext message X ("Now is the time for all ... country") through the encryption algorithm, producing ciphertext Y; the decryption algorithm at the destination recovers plaintext message X. A key source supplies key K to both ends over a secure distribution channel. A cryptanalyst forms the estimates X' and K'.]

**Conventional Cryptography - Ground Rules**

Important assumptions about the cryptographic environment:

1. The adversary has full access to the ciphertext.
2. The adversary has full knowledge of the encryption algorithm.
3. The secret key is distributed over a secure channel and is unavailable to the attacker.
4. The plaintext message is composed of random characters.
5. The key is composed of random characters.

NOTE: Any of these can fail and make the job harder, or easier, but these rules form the basis for modern cryptography.

**Conventional Cryptography - Ground Rules**

- Access to ciphertext & knowledge of algorithm are based on many years of real experience - can't be avoided.
- If the secret key is not protected all is lost, since the adversary has the same information as the legitimate receiver.
- Randomizing the plaintext is non-obvious since any message contains structure. The trouble is, it is the structure that makes the encrypted message recoverable if the encryption does not randomize the plaintext as part of the process.
- Randomizing the key is more obvious, since non-random keys reduce the key space and give clues to key recovery.

**Methods for Information Hiding - 3 Main Forms**

- Steganography - literally meaning covered writing; depends on hiding the very existence of a secret message from an adversary.
- Cryptography - using an algorithm and key to transform a message into an unreadable form that can only be inverted by using the same key and algorithm run backwards.
- Chaffing & winnowing - sending a message composed of valid and invalid parts to confuse the adversary regarding the true and false content of the message.

It is also possible (as usual) to combine methods.

**Steganography - Classical**

Hides the fact of a message using a secret algorithm. Knowing the algorithm typically breaks the secret.

Examples:

- Greeks used wax covered tablets, hidden tattoos
- Microdots, the size of a period, hidden in a letter
- Invisible ink, revealed by chemicals or intense light
- Selected characters (e.g., first letter of each word, or letters that had been perforated by a pin)

Primary problem is algorithmic secrecy. Is seeing renewed interest in electronic systems.

**Steganography - Modern**

Types:

- Injection – message is embedded in another message
- Substitution – message replaces existing information

Examples:

- Injection based on file contents that are usually ignored when displayed, such as hidden fields in html pages.
- Substitution of the least significant bit of every pixel in a complex graphics image. At 2048 x 2048 x 24 bits (x, y, and color), using 1 bit of the 24 affords a 4.19 Mbit or 524 kByte message space in each image.
- Use options field in IP header to carry message w/o options set. Requires special, but not difficult, programming and may have high overhead.

Many, many possibilities – limited only by creativity!

**Steganography - Tools**

- S-tools – Embeds data in lsb of bmp files
  ftp://idea.sec.dsi.unimi.it/pub/security/crypt/code/s-tools4.zip
  http://members.tripod.com/steganography/stego/software.html
- MP3 stego – hides messages in mpeg files
- S-Mail – hides messages in exe and dll files
- Invisible secrets – hides messages in banner ads on web sites
- Stash – hides messages in several image types

Detectors:

- Normal bmp files have few duplicate colors. A bmp with an embedded message has many. Search for duplicates or near duplicates.
- Use file size signatures in well-known exe, dll files.

Reported as being used by Al Qaida (also has been denied)!

**Cryptography**

Uses 3 finite sets: plaintext space $P$, ciphertext space $C$, and key space $K$ (set implies a finite space), and two functions, encryption $e \in E$ and decryption $d \in D$, such that:

- For each $k \in K$ there is an encryption rule $e_k \in E$ such that $e_k : P \to C$, or $C = e_k(P)$, and
- for each $k \in K$ there is a decryption rule $d_k \in D$ such that $d_k : C \to P$, or $P = d_k(C)$.

$e_k$ and $d_k$ are inverses of each other for all $p \in P$ and $k \in K$, such that $d_k(e_k(p)) = p$ for every plaintext element $p \in P$.

**Chaffing & Winnowing**

- Recent concept developed by Ron Rivest (RSA fame).
- Concept is to construct a group of messages, some true, some false.
- Each group (block) has an appended code that authenticates the message. True messages have correct authenticating codes, false messages have incorrect authenticating codes.
- Authenticators are based on a shared secret, and as long as the shared secret is protected an adversary cannot detect the true from the false messages.
- Has high overhead, but does not encrypt the message so is not subject to federal export control restrictions.

**Cryptography - Rich and Lengthy History**

- 1900 BC - Non-standard Egyptian hieroglyphs
- 1700 BC - Clay of Phaistos still unrecovered
- 600 BC - Book of Jeremiah encoded
- 60 BC - Caesar used encryption for government communication
- 790 AD - First writing (known only by reference, never found)
- 1200 AD - Roger Bacon describes several methods
- 1518 AD - First printed book on cryptography
- 1861 AD - 1st U.S. patent issued
- 1927 AD - Used during prohibition by criminals
- 1942 AD - Used to read axis messages (Germany/Japan)
- 1976 AD - Public Key Cryptography invented (Diffie/Hellman)
- 1977 AD - RSA public key algorithm reduced to practice

**Classical Cryptography**

Three major classes:

- Substitution - Plaintext symbols are replaced with ciphertext letters, numbers, or symbols using a substitution algorithm.
- Transposition - Letters of the plaintext are permuted (re-arranged) without losing their identity using a permutation algorithm.
- Product - Uses alternate steps of substitution and transposition.

**Substitution Ciphers**

- Monoalphabetic - Each symbol of the plaintext alphabet is mapped into a ciphertext symbol.
  Example - Caesar
- Homophonic - Plaintext symbols are mapped into one of several possible ciphertext symbols (or reverse).
  Example - Playfair
- Polyalphabetic - Symbols of the plaintext alphabet are mapped into symbols of the ciphertext space as in the mono case, but the substitution changes with the ciphertext (non-constant substitution).
  Example - Vigenère, Vernam
- Polygram - Symbol groups in plaintext are substituted for symbol groups in ciphertext.
  Example – Hill Cipher

**Monoalphabetic Ciphers**

Substitution Ciphers: The keyspace is the set of all permutations on {0, 1, 2, …, 25}. For a given , E(x1x2, ….xn) = (x1)(x2) ….. (xn), and D(y1y2…..yn) = -1(y1) -1(y2)….. -1(yn)

Example: Caesar Cipher - a simple shift cipher

$C = E(P) = (P + k) \bmod 26$

where C = ciphertext symbol and P = plaintext symbol, for some key 0 < k < 26.

**Caesar Cipher**

The symbol:key relationship must be defined:

| A | B | C | D | E | F | G | H | I | J | K | L | M |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 |

| N | O | P | Q | R | S | T | U | V | W | X | Y | Z |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 |

Suppose K = 11, message is wewillmeetatmidnight

| Text | 22 | 4 | 22 | 8 | 11 | 11 | 12 | 4 | 4 | 19 | 0 | 19 | 12 | 8 | 3 | 13 | 8 | 6 | 7 | 19 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Add 11 | 7 | 15 | 7 | 19 | 22 | 22 | 23 | 15 | 15 | 4 | 11 | 4 | 23 | 19 | 14 | 24 | 19 | 17 | 18 | 4 |
| Cipher | H | P | H | T | W | W | X | P | P | E | L | E | X | T | O | Y | T | R | S | E |

**Monoalphabetic Ciphers**

Graphically, the Caesar cipher, for k = 3 is:

[Figure: the letters A to Z arranged around a wheel.]

**Monoalphabetic Ciphers**

Decryption: $P = D(C) = (C - k) \bmod 26$

Easily broken. Since the shift k is the key, there are only 26 possible keys and each one could be tried.

Example:

- Plaintext is: we will attack at dawn through the left flank
- Ciphertext: zh zloo dwwdfn dw gdzq wkurxk wkh ohiw iodqn

**Brute Force Decryption**

| Key try | Message produced |
|---|---|
| 1 | gy yknn cvvcem cv feyp vtqwj vjg nghv hncpm |
| 2 | xf xjmm buubdl bu edxo uispvi uif mfgu gmbol |
| 3 | we will attack at dawn through the left flank |
| 4 | ……… |
| 5 | …… |
| … | |
| 25 | ai ampp exxego ex hear xlvvsyl xli pijx jpero |

This has been reduced by brute force.
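
The exhaustive key search from the table above, as an added example that is not part of the original slides: it tries all 26 shifts and ranks the trial decryptions by chi-squared distance from English letter frequencies, so the readable row sorts first. The frequency table is a commonly published approximation and the function names are illustrative assumptions.

```python
import string
from collections import Counter

# Approximate relative frequencies of letters in English text, in percent
# (a commonly published table; an assumption of this example, not slide data).
ENGLISH_FREQ = {
    "a": 8.167, "b": 1.492, "c": 2.782, "d": 4.253, "e": 12.702, "f": 2.228,
    "g": 2.015, "h": 6.094, "i": 6.966, "j": 0.153, "k": 0.772, "l": 4.025,
    "m": 2.406, "n": 6.749, "o": 7.507, "p": 1.929, "q": 0.095, "r": 5.987,
    "s": 6.327, "t": 9.056, "u": 2.758, "v": 0.978, "w": 2.360, "x": 0.150,
    "y": 1.974, "z": 0.074,
}


def shift_text(text, k):
    """Shift every letter by k positions mod 26 (A=0 ... Z=25); keep the rest."""
    out = []
    for ch in text.lower():
        if ch in string.ascii_lowercase:
            out.append(chr((ord(ch) - ord("a") + k) % 26 + ord("a")))
        else:
            out.append(ch)  # spaces and punctuation pass through unchanged
    return "".join(out)


def caesar_encrypt(plaintext, k):
    """C = (P + k) mod 26."""
    return shift_text(plaintext, k)


def caesar_decrypt(ciphertext, k):
    """P = (C - k) mod 26."""
    return shift_text(ciphertext, -k)


def chi_squared(text):
    """Distance between the letter counts of text and English expectations."""
    letters = [c for c in text.lower() if c in string.ascii_lowercase]
    n = len(letters)
    if n == 0:
        return float("inf")  # nothing to score
    counts = Counter(letters)
    return sum(
        (counts[letter] - n * pct / 100) ** 2 / (n * pct / 100)
        for letter, pct in ENGLISH_FREQ.items()
    )


def brute_force(ciphertext):
    """Try every key; return (score, key, candidate) tuples, best first."""
    trials = []
    for k in range(26):
        candidate = caesar_decrypt(ciphertext, k)
        trials.append((chi_squared(candidate), k, candidate))
    return sorted(trials)


if __name__ == "__main__":
    # The slide's K = 11 example, then the k = 3 message recovered blind.
    print(caesar_encrypt("wewillmeetatmidnight", 11).upper())
    ciphertext = caesar_encrypt("we will attack at dawn through the left flank", 3)
    for score, key, candidate in brute_force(ciphertext)[:3]:
        print(f"key={key:2d}  chi2={score:8.1f}  {candidate}")
```

On short messages the chi-squared ranking can misfire, so the top few candidates are worth reading rather than only the first.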

We might try a more sophisticated route by knowing the frequency of occurrence of letters in the English alphabet (if we know the message is in English). E is the most common character in frequency of appearance in the English language.

**Frequency of Occurrence**

Common libraries exist for single, double, triple, etc. occurrences in a particular language. Simplifies the guesswork.

**Early Substitution Ciphers**

- Atbash - Used by the Hebrews ~500 B.C. in the Bible (Jeremiah 25). Substitutes by position: first letter for last, second for next-to-last (A-Z, B-Y, etc.).
- Polybius Checkerboard ~205-123 B.C. substitutes numbers for letters. R = 42, T = 44

**Monoalphabetic Ciphers - More**

- Playfair - Charles Wheatstone 1854. Multiple letter encryption mapping multiple letters into a single cipher character. Masks the symbol frequency better than simpler ciphers. Used by British in WWI and to some extent in WWII.
- Hill - Lester Hill 1929. Multiple letter substitution like Playfair, but substitutions are designed to further mask statistics (flatten) in the original text. By this time, they are getting much better.

**Polyalphabetic Ciphers**

Instead of a fixed substitution, the encrypting alphabet is changed as symbols are encrypted. The key may be in the form of a numeric matrix or a text passphrase. For each symbol in the plaintext, the corresponding symbol in the matrix or passphrase is used to determine the shift that is used to determine the cipher character.

Vigenère cipher function: $f(a) = (a + k_i) \bmod n$

See Stallings, pages 40-43.

**Vigenère Autokey Ciphers**

In the autokey method, a priming key is used to initiate the encryption. The key may be a single letter or a text passphrase.
For each symbol in the plaintext, the corresponding symbol in the column of the tableau is used to locate the letter in the row labeled by the key to determine the cipher character.

- Plaintext: ALL THE FINE YOUNG CANNIBALS
- Key: KAL LTH EFIN EYOUN GCANNIBALS
- Cipher: KLW EAL………

In this case the priming key is K.

**Transposition Ciphers**

Rearrange the plaintext to form the ciphertext without substituting symbols. Instead, it simply moves them (transposes). Classically done using a geometric figure as a template (e.g., rail fence, 2-D rectangle, 3-D cube, etc.).

Rail fence: Text = meet me for the drop at noon tomorrow

    m e m f r h d o a n o t m r o
     e t e o t e r p t o n o o r w

Easy to see, but with complex figures and multi-level encryption the statistics of the plaintext message are better masked.

**Product Ciphers**

Combination of substitution and transposition - German ADFGX cipher used in WW1 (2 step process).

Step 1 is a transpose of one plaintext character into a limited set of two-character symbols as follows (the inner matrix can be changed):

|   | A | D | F | G | X |
|---|---|---|---|---|---|
| A | n | b | x | r | u |
| D | q | o | k | d | v |
| F | a | h | s | g | f |
| G | m | z | c | l | t |
| X | e | i | p | j | w |

Example message: forced to retreat ten km to abbeville few casualties

f = FX; o = DD; r = AG; c = GF; e = XA

**Product Ciphers – ADFGX (contd.)**

Step 2 = transposition using a sequence of numbers between 1 & 20 arranged in scrambled order (with order of the numbers changed as often as needed). A typical transposition key would be:

| 8 | 9 | 14 | 7 | 19 | 13 | 16 | 1 | 15 | 6 | 3 | 10 | 17 | 2 | 20 | 5 | 11 | 18 | 4 | 12 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| F | X | D | D | A | G | G | F | X | A | D | G | G | X | D | D | A | G | X | A |
| G | X | A | G | X | A | F | A | G | X | G | X | X | A | A | A | D | F | G | A |
| G | X | D | D | F | A | A | D | A | D | X | A | D | X | X | D | G | G | G | G |
| X | A | F | X | X | A | X | X | G | F | F | A | F | F | A | X | F | A | G | G |
| G | X | X | D | X | A | F | F |   |   |   |   |   |   |   |   |   |   |   |   |

The substituted message is read into the transpose matrix in order.
The entry above is for the message: “forced to retreat ten km to abbeville few casualties”

**Product Ciphers - ADFGX (contd)**

The output is taken a column at a time from the transpose matrix in numeric order (i.e., 1, 2, 3, etc.) and blocked in five character groups. For the message on the previous slide (forced to retreat ten km to abbeville few casualties):

FADXF XAXFD GFXFG GGDAD XAXDF DGDXD FGGXG XXXAX GXAAA DGFAA GGGAA AADAD FXXGA GGFAX FGXDF GFGAA XFXXD AXA

The code is not very strong. It took a Frenchman 3.5 months to break the code. Later the code was changed and it only took 24 hours to break it again.

**Cipher Machines**

Jefferson Cylinder - 1790, Wheatstone Disk - 1817, Enigma - 1930’s.

Rotor machines with multiple cylindrical rotors, each with 26 input lines, and 26 output lines. Each input line is connected to an output line producing a simple substitution cipher (e.g., a in, t out). For each input character typed, the rotor advances. This is a polyalphabetic cipher with a repeating cycle of 26. Easy to break.

Now make the output of each stage the input to the next stage, up to n stages. Initial rotor positions are randomly selected. As each stage cycles through 26 positions, the next stage cycles by one position. A 2-stage, 26 character system presents 26 x 26 = 676 combos before repeating.

**Cipher Machines**

Add enough stages and the problem is very difficult. For example:

| Number of Stages (N) | Repetition Frequency (Characters) |
|---|---|
| 1 | $26^1$ = 26 |
| 2 | $26^2$ = 676 |
| 3 | $26^3$ = 17,576 |
| 4 | $26^4$ = 456,976 |
| 5 | $26^5$ = 11,881,376 |

The German Enigma machine of WWII was a 3/4 rotor machine. Today, rotor machines have been replaced with electronic devices.

**The Enigma Machine**

First developed in 1923 as a commercial product. Attracted the attention of the German military and was withdrawn from the commercial marketplace and further improved.
The user types a message on a keyboard. Each letter is passed to a series of rotors that scramble the input and produce a different character as output. The output lights a lamp on an indicator panel. This character is read by the operator and sent out in Morse code. For a diagram see the next page.

[Figure: Enigma signal path, with labels for the keyboard, the scrambler (moving rotors), the reflector, and the lamp board.]

**The Enigma Scrambler Unit**

Original design used three rotors without the reflector rotor. Input was applied on the left and output came out on the right. To decrypt, the input and outputs had to be reversed - bad idea! The reflector rotor was added to avoid this problem. Now it could operate in encrypt or decrypt mode without changing anything.

- Keyboard - 26 letters
- Lamp Board - 26 indicator lamps
- Scrambler - 3 rotating wheels on a common shaft
- Plugboard (not shown) - 5-13 single letter plug (cable) exchanges

**The Rotors**

Each rotor = 26 rotating positions, one per character. Each position indicated one character and characters were printed on an external ring mounted on the circumference of the rotor. All three rotors could be independently positioned by the operator (i.e., 26 x 26 x 26 possible initial conditions).

[Figure: three rotors, each showing a run of letters on its external ring.]

**The Rotors**

The three rotors were called the fast, medium, and slow rotors in accordance with their speed of advancement. Used because:

- The initial setting alone was not secure. The initial setting would only implement a variable Caesar shift cipher, and determining the shift for an initial setting would be simple since the encrypted letter frequency would quickly reveal the plaintext.
- To secure the method, each time a key was pressed, the first rotor advanced one position. This caused the encryption to vary with each key stroke.
- After the first rotor got to a certain position, it would cause the middle rotor to advance one position. This was due to a notch/pin that could be moved to vary when the rotor advanced.

**Rotor Advancement**

After the second rotor advanced by 26 positions, the third rotor advanced one position. However, the mechanics were such that the advance of the slow rotor also caused an advance of the middle rotor.

Without this feature a total of $26^3$ = 17,576 characters were possible before repeating. This feature caused the rotor to skip a position for every step of the slow rotor, reducing the combination by 676 (26 x 26) due to lost positions.

This led to some strange rotor advance mechanics designed to further confuse the cryptographers.

**Rotor External Ring Settings**

It was also possible to move the external ring settings on each rotor. To set the ring, the rotor was removed, adjusted, and re-inserted. This altered the position of the notch/pin so the advancement character was altered.

There were two final complications:

1. The position of the rotors could be changed so there could be six (6) different rotor orderings: (1,2,3), (1,3,2), (2,3,1), (2,1,3), (3,2,1), and (3,1,2).
2. The operator could choose 3 rotors to use from 5 available: (1,2,3), (1,2,4), (1,2,5), (2,3,4), (2,3,5), (3,4,5), (1,3,4), (1,3,5), (2,4,5), (1,4,5).

So, we have 17,576 x 6 x 10 initial positions = 1,054,560 x 676 possible initial ring positions = 712,882,560 possible states!

**First Problems with Enigma**

In 1928, the Germans sent an Enigma machine to their Warsaw legation by ordinary freight. When they discovered the error, they made urgent enquiries of the Polish Customs Service, which tipped off the Poles. The Poles sequestered the machine over a weekend for a full examination and then delivered it on Monday.
While the design of any system typically assumes knowledge of the algorithm (in this case a mechanical/electrical one), the design was secret, and revealing information about the basic mechanism clearly jump started the effort to break the code. Not enough for a complete break, but certainly helpful.

**Enigma Strengths and Weaknesses**

Strength = large number of initial settings. Each setting produced a different encryption and the encryption of a particular letter varied with each input character.

However, it did have weaknesses:

1. No character could encrypt to itself (because of the mechanical design).
2. Set-up was by reference to a daily code book, distributed monthly.
3. One element was supposed to be altered for each message sent (only the morning initialization is the same at all sites). After the 1st message the starting positions are changed.
4. This procedure, called the “Indicator System”, enabled the receiving operator to know how to set up his system to decode a specific message.

**Indicator Procedure**

The procedure called for the sending operator to randomly select three rotor positions (say, A, S, G). Then he would set the machine to the daily settings from the code book and transmit three chosen letters twice to indicate to the receiver the per message rotor settings.

The repetition was intended to reduce errors, but was a weakness as it allowed the cryptographers to work out the daily initial settings.

The Poles knew that three letters would be sent twice, in each case with the machine in the initialized state. They simply looked for two letter pairs that enciphered to the same ciphertext in the two messages. These were called females and disclosed the initial setup for the day.

**Breaking the Code**

By observing many females over the day, the per message settings could be determined.
They did this by examining the ciphertext by manipulating a stack of perforated sheets on a back-lit glass table looking for matches, where the perforations were related to possible per message rotor settings.

They built an electromechanical machine to automate the process, called a “bomba”, which could search through the rotor settings to obtain a match. Six machines could be used, one for each possible rotor order.

All of this was passed on to the British at Bletchley Park, who had far more resources to attack the problem. The Poles didn’t have the resources to deal with the four or five rotor machines.

**Breaking an Encrypted Message**

Objective: Recover plaintext messages or forge messages that appear to be authentic.

Methods include:

- Algorithmic attacks: Invert the cipher text without the key.
- Key attacks: Determine the key structure and/or do an exhaustive search of the key space to recover the key.
- Analyze ciphertext by statistical and other means in order to recover the plaintext.

Algorithmic and key attacks are deferred for now and we discuss cryptanalysis methods.

**Cryptanalysis Methods (Codebreaking)**

- Ciphertext: Adversary knows the encryption algorithm and has access to only the ciphertext to be decoded.
- Known Plaintext: Algorithm and ciphertext are known and adversary has one, or more, plaintext/ciphertext pairs available.
- Chosen Plaintext: Algorithm and ciphertext are known. Adversary has chosen a plaintext and has the ciphertext from the chosen plaintext encrypted with the secret key.
- Chosen Ciphertext: Algorithm and ciphertext are known. Adversary has a chosen ciphertext along with the corresponding plaintext decoded by the secret key.

**Ciphertext Only**

Most difficult to break. Can use brute force on key search, but large key-spaces (i.e., long keys) make this intractable.

Most common approach is to use statistical analysis on the ciphertext.
Difficulty is then based on how well the encryption removes the statistics of the underlying message.

**Known Plaintext**

If the analyst knows something about the contents being encrypted, like the language (clues to structure) or type of file (pdf, Excel, Java source listing, “C” executable), then we know that all have specific formats that tend to appear in specific locations.

Given the ciphertext and this knowledge, the analyst will attempt to recover the key from knowledge about part of the message. Generally, this is still a trial and error process and compute intensive.

**Chosen Plaintext**

Depends on the analyst being able to get the sender to encode plaintext selected entirely, or in part, by the analyst. If this is possible, the analyst will choose a plaintext to be encrypted. It should be carefully selected to provide a full symbol set or specific patterns of characters that may reveal the structure of the key.

This is like black box engineering, where it is well established that if you know the input, output and algorithm, you can determine the remaining variable – the encrypting key.

**Chosen Ciphertext**

Not widely used because there is no obvious way to select the ciphertext being produced by a target system. Still, it is a theoretical method of attack because it can be studied in the lab.

Strong algorithms and keys will readily withstand ciphertext only attacks. Strong algorithms are designed to withstand known plaintext attacks.

**Breaking the Vigenère Cipher**

    WUBEFIQLZURMVOFEHMYMWT
    IXCGTMPIFKRZUPMVOIRQMM
    WOZMPULMBNYVQQQMVMVJLE
    YMHFEFNZPSDLPPSDLPEVQM
    WCXYMDAVQEEFIQCAYTQOWC
    XYMWMSEMEFCFWYEYQETRLI
    QYCGMTWCWFBSMYFPLRXTQY
    EEXMRULUKSGWFPTLRQAERL
    UVPMVYQYCXTWFQLMTELSFJ
    PQEHMOZCIWCIWFPZZSLMAEZ
    IQVLQMZVPPXAWCSMZMORVG
    VVQSZETRLQZPBJAZVQIYXE
    WWOICCGDWHQMMVOWSGNTJP
    FPPAYBIYBJUTWRLQKLLLMD
    PYVACDCFQNZPIFPPKSDVPT
    IDGXMQQVEBMQALKEZMGCVK
    UZKIZBZLIUAMMVZ

The unknown message, no knowledge of the key or the plaintext.

**Background**

Vigenère uses a priming key with three possibilities:

- Autokeying = One character priming key, then use the plaintext for the rest of the key.
- Priming word = Select a word to be used as the key and use it in repetition (e.g., GEORGEGEORGEGEORGE) for the length of the message.
- Priming text = Selected text (e.g., book) or a random string as long as the message.

Consider the second case – a fixed length priming word.

**Step-by-step breakage - 1**

Step 1: Look for long repeating sequences + shifts:

- EFIQ, line 1 & 5, 95 letter shift.
- PSDLP, occurs twice in line 4, 5 letter shift.
- WCXYM, line 5 & 5-6, 20 letter shift.
- ETRL, line 6 & 12, 120 letter shift.

Step 2: Find factors (neglect 1 as a factor):

- Factors of 95 = 5, 19
- Factors of 5 = 5
- Factors of 20 = 2, 4, 5, 10, 20
- Factors of 120 = 2, 3, 4, 5, 6, 8, 10, 15, 20
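
Steps 1 and 2 above as an added example (not code from the original slides): `repeat_distances` finds repeated sequences and the shifts between them, and `factor_votes` goes one step past the slide by counting how many shifts each candidate key length divides. The sample plaintext and the key LEMON are constructed for illustration; the four shifts are the ones listed in Step 1.

```python
from collections import defaultdict
from functools import reduce
from math import gcd

# Shifts reported in Step 1 of the slide.
PAGE_SHIFTS = {"EFIQ": 95, "PSDLP": 5, "WCXYM": 20, "ETRL": 120}

# Constructed sample: "THEENEMY" recurs 20 letters apart, a multiple of the
# key length, so both copies meet the same key letters.
SAMPLE_PLAINTEXT = "THEENEMYMOVESATNIGHTTHEENEMYRESTSATNOON"
SAMPLE_KEY = "LEMON"


def vigenere_encrypt(plaintext, key):
    """Repeating priming-word Vigenère over A-Z (upper-case letters only)."""
    return "".join(
        chr((ord(p) - 65 + ord(key[i % len(key)]) - 65) % 26 + 65)
        for i, p in enumerate(plaintext)
    )


def repeat_distances(ciphertext, length=4):
    """Step 1: map each repeated sequence to the shifts between its occurrences."""
    positions = defaultdict(list)
    for i in range(len(ciphertext) - length + 1):
        positions[ciphertext[i:i + length]].append(i)
    return {
        gram: [b - a for a, b in zip(pos, pos[1:])]
        for gram, pos in positions.items()
        if len(pos) > 1
    }


def factor_votes(distances, max_len=20):
    """Step 2: for each key length 2..max_len, count the shifts it divides."""
    votes = {
        f: sum(1 for d in distances if d % f == 0)
        for f in range(2, max_len + 1)
    }
    # Most votes first; ties broken by the smaller factor.
    return sorted(votes.items(), key=lambda kv: (-kv[1], kv[0]))


def common_factors(distances):
    """Factors (1 neglected) that divide every shift: divisors of their gcd."""
    if not distances:
        return []
    g = reduce(gcd, distances)
    return [f for f in range(2, g + 1) if g % f == 0]


if __name__ == "__main__":
    ciphertext = vigenere_encrypt(SAMPLE_PLAINTEXT, SAMPLE_KEY)
    print("sample ciphertext:", ciphertext)
    for gram, shifts in repeat_distances(ciphertext).items():
        print(f"  {gram} repeats at shift(s) {shifts}")

    shifts = list(PAGE_SHIFTS.values())
    print("votes for the slide's shifts:", factor_votes(shifts)[:5])
    print("factors common to all shifts:", common_factors(shifts))
```

A repeat can also arise by chance at a shift unrelated to the key, which is why the vote count is more robust than insisting on a factor shared by every shift.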