Lecture 13 Secure Multimedia Coding (I)

Transcription

1 Shujun LI (李树钧): INF Multimedia Coding Lecture 13 Secure Multimedia Coding (I) July 15, 2009

2 Outline Coding for Security: Cryptology Fundamentals Symmetric/Private-Key Ciphers Cryptographic Hash Functions Asymmetric/Public-Key Ciphers 1

3 Fundamentals

4 Cryptology Cryptology = Cryptography + Cryptanalysis Cryptography = The art of designing cryptosystems Cryptanalysis = The art of analyzing (often breaking) cryptosystems Cryptosystems = Ciphers + Cryptographic hash functions + Digital signatures + Security protocols + Cryptography Cryptology, Cryptosystems Ciphers (in many scenarios) 3

5 Models of evaluating security Unconditional security Complexity-theoretical security Provable security Computable/Practical security The minimal computational effort (time and space) an attacker needs to break a cryptosystem Often related to mathematical hard problems 4

6 Ciphers Cipher = Encipher + Decipher An encipher encodes/encrypts a message P (called plaintext) into another message C (called ciphertext), under the control of an encryption key K E. A decipher decodes/decrypts a ciphertext C back into a plaintext P (in most case =P), under the control of a decryption key K D. Plaintext P Encipher Encryption Key K E Ciphertext C Decryption Key K D Decipher Recovered Plaintext P 5

7 Kerckhoffs principle (1883) Kerckhoffs principle/assumption/law/axiom A cipher should be secure even if everything about the cryptosystem, except the key, is public knowledge. Spies, reverse engineering, = The security of a cipher should depend only on the key, but not on the secrecy of any other part of the system. = Shannon s maxim: The enemy knows the system. 6

8 Cryptanalysis of ciphers Ciphertext-only attack The attacker can see C only: C P and/or K D and/or K E? Known-plaintext attack The attacker can see/guess P and C: (P,C) K D and/or K E? Chosen-plaintext attack The attacker has temporary access to the encipher, so that he can choose P and see C: (P,C) K E and perhaps then K D? Chosen-ciphertext attack The attacker has temporary access to the decipher, so that he can choose C and see P : (P,C) K D and perhaps then K E? Related-key attack The attacker can see the encryption results of several related keys. 7

9 More types of cryptanalysis Brute-force attack Exhaustively search for the key in the key space Side-channel attack Try to break a cryptosystem based on information gained from physical implementation of the system Social engineering attack Try to get the key from the owner by deception Black-bag cryptanalysis Try to steal the key from the owner (e.g., via a keylogger) Rubber-hose cryptanalysis Get the key from the owner by force 8

10 Two important cryptanalytic techniques Differential cryptanalysis Given two different inputs of a cryptosystem, P 1 and P 2, the attacker tries to (partially) break the key by exploiting the relationship between Diff(C 1,C 2 ) and Diff(P 1,P 2 ), where Diff= or modular subtraction in most scenarios. Linear cryptanalysis Given an input of a cryptosystem, P, the attacker tries to (partially) break some key bits by exploiting the linear relationship between different bits in P, C and K. 9

11 Ciphers Formal definitions as codes Plaintext: P=(P 1 Pm), where Pi P Ciphertext: C={C 1 Cm}, where Ci C=B* (B={0,1} in most cases) Encryption: C=E(P, K E )={E i (P i, K E )} Decryption: P =D(C, K D )={D i (C i, K D )} Classification K D K E (often K D =K E )? Symmetric/Private-key ciphers ( ) vs. Asymmetric/Public-key ciphers (PKC) ( ) i j E i =E j? Block ciphers (Yes) vs. Stream ciphers (No) P 1 =P 2 E(P 1, K E )=E(P 2, K E ) with probability 1? Deterministic ciphers (Yes) vs. Probabilistic ciphers (No) 10

12 Symmetric vs. Asymmetric ciphers Symmetric/Private-key ciphers: The key has to be shared between the encipher and the decipher. A key distribution problem exists: n users need C(n,2)=n(n-1)/2 keys and those keys have to be distributed to users in advance. Asymmetric/Publick-key ciphers: The encryption key K E is published somewhere, but the decryption key K D is kept secret. No key distribution problem: n users need 2n keys n public keys for encryption and n private keys for decryption. 11

13 Symmetric/Private-Key Ciphers

14 Stream ciphers How to make E i time-varying? A pseudorandom number (bit) generator (PRNG/PRBG) is needed to produce a key-stream {k 1 k m } from the encryption key K E. Then, C i =f(p i,k i ), where f is often bitwise XOR operation P i k i, or modular addition (P i +k i ) mod 2 n. Types of stream ciphers Synchronous Stream Ciphers (SSC): K E {k 1 k m } Self-Synchronous Stream Ciphers (SSSC): (C i-l C i-1,k E ) k i One-Time Pad (OTP): {k 1 k m } is the encryption/decryption key and used only once. If {k 1 k m } is perfectly random, the stream cipher provide perfect secrecy in the sense that no additional information about P is leaked from C. (Shannon, 1949) 13

15 Block ciphers How is encryption achieved? The same encryption function E i is applied to each n-bit block of P. n-bit block ciphers Types of block ciphers Substitution ciphers: each block is substituted by another one. Transposition ciphers: the positions of plaintext blocks/bits are permuted. Product ciphers: combination of different simpler ciphers Most modern ciphers are product ciphers. Modes of operation Running in certain mode of operation, a block cipher can work exactly like a stream cipher. 14

16 Confusion and diffusion (Shannon, 1949) Confusion: The relationship between P/K E and C should be as complex as possible. Ideally, for any P and any K E, the statistics of C is/looks the same. = Good pseudorandomness of C for any P/K E Ergodicity of chaotic systems? Diffusion: The dependence of C on P/K E should be very complex. Strict avalanche criterion (SAC): One bit changes in P/K E, each bit in C changes with probability ½. Sensitivity to initial condition/control parameter of chaotic systems? 15

17 Block cipher design: SPN SPN = SP network = n rounds of Substitution + Permutation + Substitution-box (S-box) Confusion w.r.t plaintext Permutation-box (P-box) Diffusion w.r.t plaintext Confusion/Diffusion w.r.t. key Multiple rounds Confusion & diffusion 16

18 Block cipher design: Feistel network A Feistel network/cipher = n rounds of and a round function F. P i =(L i (0),R i (0)), P i =(L i (n+1),r i (n+1)) K E =K D {K(0),,K(n)} Encryption: L i (j+1)=r i (j), R i (j+1)=l i (j) F(R i (j),k(j)) Decryption: R i (j)=l i (j+1), L i (j)=r i (j+1) F(L i (j+1),k(j)) The same structure for encryption/decryption 17

19 Block ciphers: Modes of operation Electronic codebook (ECB) Encryption: C i =E i (P i, K E ) Decryption: P i =D i (C i, K D ) Cipher-block chaining (CBC) Encryption: C i =E i (P i C i-1, K E ), C 0 =IV (Initial Vector) Decryption: P i =D i (C i, K D ) C i-1, C 0 =IV Propagating/Plaintext cipher-block chaining (PCBC) Encryption: C i =E i (P i C i-1 P i-1, K E ), P 0 C 0 =IV Decryption: P i =D i (C i, K D ) C i-1 P i-1, P 0 C 0 =IV 18

20 Block ciphers Stream ciphers Cipher feedback (CFB) Encryption: C i =E i (C i-1, K E ) P i, C 0 =IV Decryption: P i =E i (C i-1, K D ) C i, C 0 =IV Output feedback (OFB) Internal state: O i =E i (O i-1, K E ), O 0 =IV Encryption: C i =O i P i Decryption: P i =O i C i Counter (CTR) = OFB when O i is replaced by a random number (a counter) 19

21 Some classical ciphers Vernam cipher Stream ciphers Encryption: C i =P i k i Caesar cipher Substitution ciphers Encryption: C i =(P i +K) mod 26, where P i, C i, K { A =0,, Z =25} Vigenère cipher Polyalphabetic ciphers Encryption: C i =(P i +K i ) mod 26, where P i, C i, K i { A =0,, Z =25} Example: {K i }=konstanzkonstanzkonstanz Scytale/Skytale cipher Transposition ciphers Encryption: {P 1,,P m } {P i(1),,p i(m) } 20

22 Some modern block ciphers DES (Data Encryption Standard, NIST, 1977-) 64-bit 16-round Feistel cipher with 56-bit key AES (Advanced Encryption Standard, NIST, 2001-) / Rijndael 128-bit 10/12/14-round SPN cipher with 128/192/256-bit key IDEA (International Data Encryption Algorithm, Xuejia Lai and James Massey, 1991) 64-bit 8.5-round SPN cipher with 128-bit key Blowfish (Bruce Schneier, 1993) 64-bit 16-round Feistel cipher with 33~448-bit key Twofish (Bruce Schneier, 1998) = 128-bit 16-round Feistel cipher with 128/192/256-bit key Serpent (Ross Anderson, Eli Biham, Lars Knudsen, 1998) 128-bit 32-round SPN with 128/192/256-bit key 21

23 An visual demonstration of 128-bit AES Developed by Enrique Zabala as part of the CrypTool project 22

24 LSFR-based stream ciphers (PRNGs) LFSR = Linear Feedback Shift Register Non-linear combining functions Clock-controlled generators Nonlinear filter generators 23

25 More stream ciphers (PSNRs) NLFSR = Nonlinear feedback shift register SEAL (Software-optimized Encryption Algorithm, Phillip Rogaway and Don Coppersmith, 1993/1997) Based on a cryptographic hash function. The key K + a 32-bit number n A pseudorandom number k(n) RC4 = Rivest Cipher 4 = Ron s Code 4 (Ron Rivest, 1987, initially a trade secret, revealed in 1994) A permutation of and two pointers Key-stream estream ciphers (2008) 24

26 Cryptographic Hash Functions

27 Cryptographic hash functions An unkeyed hash function h maps a message of any size to an output of a fixed size. Input: x=(x 1 xm), where xi X Output: y=h(x) B n, where n is an integer Hashing Lossy compression Types of cryptographic hash functions Modification detection codes (MDCs) Unkeyed hash functions Message authentication codes (MACs) Keyed hash functions: h(x) h(x,k) 26

28 Security of cryptographic hash functions Security against preimage attack Given any hash value y, it is computationally infeasible to find x such that h(x)=y. Complexity = O(2 n ). Security against 2 nd -preimage attack Given any message x, it is computationally infeasible to find x such that h(x ) =h(x). Complexity = O(2 n ). Security against collision/birthday attack It is computationally infeasible to find any two messages x and x such that h(x ) =h(x). Complexity = O(2 n/2 ). Security against MAC forgery Given a number of MAC-pairs (x,h(x,k)), it is computationally infeasible to find a new pair (x,h(x,k). Complexity = O(2 n ). 27

29 Applications of hash functions Message integrity verification / Error detection (MDC) Message authentication (MAC) One-way function used in digital certificates and security protocols (MDC/MAC) Password storing (MDC) A password P is stored on the server as its hash value h(p) or its salted hash value h(p Salt). An attacker who has read access to the server cannot get P from the hash value ( security against preimage attack) or another P with the same hash value ( security against 2 nd - preimage attack). 28

30 How to build hash functions? Merkle-Damgård construction (1979, 1989) All popular hash functions follow this construction. 1-bit + 0-bits + Message Length 29

31 Some MDCs and their applications MD5 = Message-Digest algorithm 5 (Ron Rivest, 1991; IETF RFC 1321, 1992) 128-bit hash function 2 64 is not enough against brute-force collusion attack nowadays Collusion reported by Xiaoyun Wang et al. in Collusions of real documents and digital certificates were found afterwards. MD5 has been broken in terms of collusion resistance! SHA (Secure Hash Algorithm) family SHA-0 (FIPS PUB 180 Secure Hash Standard, 1993) and SHA-1 (FIPS PUB 180-1, 1995): 160-bit hash function SHA-2 (FIPS PUB 180-2, 2000/2002/2004) SHA-256 (truncated version SHA-224), SHA-512 (truncated edition SHA-384) SHA-3 (in development, 2012?) 30

32 Shujun LI (李树钧): INF Multimedia Coding Asymmetric/Public-Key Cryptography

33 Public-key cryptography (PKC) Public-key encryption (ciphers) Encryption: C=E(P,K E ), where K E is public Decryption: P=D(C,K D ), where K D is private Digital signatures Signing: (P, S=E(h(P),K S )), where K S is private Verification: check if h(p)=d(s,k V ), where K V is public 32

34 Special attacks to PKC Chosen-plaintext attacks are always possible! The encryption key K E is public. A new attack: K E K D. Impersonation attack An attacker may impersonate a user by distributing a wrong public-key. A reliable public-key distribution scheme is needed. 33

35 How to construct public-key ciphers? One-way functions A function f that is easy to compute in one direction, but hard from the opposite direction. Trapdoor (one-way) functions A function f that is one-way without the knowledge of some trapdoor information. Trapdoor functions can be constructed on mathematically hard problems. Two mathematically hard problems Prime factorization: n=pq p and q (which are large primes) Discrete logarithm problem: g x x (over a finite cyclic group) 34

36 RSA Public-key cipher Named after Ron Rivest, Adi Shamir and Leonard Adleman (1978) Key generation (Alice) Choose two distinct primes p and q Compute n=pq and φ=(p-1)(q-1) Select a random positive integer e<φ, such that gcd(e,φ)=1 Compute the inverse of e mod φ, i.e., another integer d such that de 1 (mod φ). K E =(n,e), K D =d and publish K E Encryption (Bob) C=(P e mod n), where P, C {0,,n-1} Decryption (Alice) P=(C d mod n)=(p de mod n) 35

37 Security of RSA The RSA problem (corresponding to ciphertext-only attack) (n=pq,e) and C P such that P e C (mod n) It is believed that the RSA problem is as hard as the prime factorization problem The trapdoor information is p and q. The prime factorization problem n=pq p and q φ=(p-1)(q-1) d (Bob can do the same thing exactly as Alice did, if he gets the values of p and q) The trapdoor information is p and q. 36

38 References

39 References of Further Reading A. Menezes, P. van Oorschot, and S. Vanstone, Handbook of Applied Cryptography, CRC Press, 1996, fulltext of all chapters are available at Bruce Schneier, Applied Cryptography, Second Edition: Protocols, Algorthms, and Source Code in C, 2nd Edition, John Wiley & Sons, Inc., 1996 National Technical Information Service (NTIS), Specification for the Advanced Encryption Standard (AES), Federal Information Processing Standards Publication (FIPS PUB) 197, 2001, available online at pdf 38