Chapter 30 Cryptography 30.1

Transcription

1 Chapter 30 Cryptography 30.1 Copyright The McGraw-Hill Companies, Inc. Permission required for reproduction or display.

2 30-1 INTRODUCTION Let us introduce the issues involved in cryptography. First, we need to define some terms; then we give some taxonomies. Topics discussed in this section: Definitions Two Categories 30.2

3 Need for Security Some people who cause security problems and why.

4 Network security problems can be divided roughly into four closely intertwined areas: secrecy, authentication, Non-repudiation, and integrity control. Secrecy: Confidentiality, keeping information out of hands of unauthorized users. Authentication: Determine whom you are talking to before revealing sensitive information. Non-repudiation: Deals with signatures. How would u prove that customer placed an order. What if he deny later? Integrity Control: Finally, how can you be sure that a message you received was really the one sent and not something that a malicious adversary modified at transit? Cryptography comes from the Greek words for ''secret writing.' Encryption + Decryption = Cryptography. Types: Cipher : cipher is a character-for-character or bit-for-bit transformation, without regard to the linguistic structure of the message. Code : a code replaces one word with another word or symbol. Used with U.S. Armed forces during World War II in Pacific against Japan. U.S broke Japanese code but the Japanese never broke Navajo code(cipher and Code) which played a crucial role in American victories in Pacific. Four group of people contributed to cryptography: the military, the diplomatic corps, diarists, and lovers.

5 The messages to be encrypted, known as the plaintext, are transformed by a function that is parameterized by a key. The output of the encryption process, known as the cipher-text, is then transmitted, often by messenger or radio. We assume that the enemy, or intruder, hears and accurately copies down the complete ciphertext. But, he does not know what the decryption key is and so cannot decrypt the ciphertext easily. Intruder is needed to break this code. The art of breaking ciphers, called cryptanalysis, and the art devising them (cryptography) is collectively known as cryptology. What is the relation between plaintext, ciphertext, and keys? See next fig. We will use C = E K (P) to mean that the encryption of the plaintext P using key K gives the ciphertext C. Similarly, P = D K (C) represents the decryption of C to get the plaintext again. D k (E k (P)) = P Secrecy lies exclusively in the keys is called Kerckhoff's principle, named after the Flemish military cryptographer Auguste Kerckhoff who first stated it in 1883 (Kerckhoff, 1883). Kerckhoff's principle: All algorithms must be public; only the keys are secret. Trying to keep the algorithm secret is known in the trade as security by obscurity. The longer the key, the higher the work factor the cryptanalyst has to deal with. Newspaper cryptograms could be broken trivially if the cryptanalyst were allowed to ask such questions as: What is the encryption of ABCDEFGHIJKL? Encryption Methods: Substitution Ciphers Transposition Ciphers

6 Figure 30.1 Cryptography components Sender Receiver Plaintext Cipher text Encryption Decryption 30.6

7 30.7 Figure 30.2 Categories of cryptography

8 30.8 Figure 30.3 Symmetric-key cryptography

9 Note In symmetric-key cryptography, the same key is used by the sender (for encryption) and the receiver (for decryption). The key is shared. 30.9

10 Figure 30.4 Asymmetric-key cryptography 30.10

11 Figure 30.5 Keys used in cryptography 30.11

12 Figure 30.6 Comparison between two categories of cryptography 30.12

13 30-2 SYMMETRIC-KEY CRYPTOGRAPHY Symmetric-key cryptography started thousands of years ago when people needed to exchange secrets (for example, in a war). We still mainly use symmetric-key cryptography in our network security. Topics discussed in this section: Traditional Ciphers Simple Modern Ciphers Modern Round Ciphers Mode of Operation 30.13

14 Figure 30.7 Traditional ciphers 30.14

15 Encryption Model The encryption model (for a symmetrickey cipher).

16 Substitution Cipher In a substitution cipher each letter or group of letters is replaced by another letter or group of letters to disguise it. Caesar Ciphers: One of the oldest known ciphers is the Caesar cipher, attributed to Julius Caesar. In this method, a becomes D, b becomes E, c becomes F,..., and z becomes C. For example, attack becomes DWWDFN. Plaintext will be given in lower case letters, and ciphertext in upper case letters. Caesar cipher allows the ciphertext alphabet to be shifted by k letters, instead of always 3. In this case k becomes a key to the general method of circularly shifted alphabets. Disadvantage: Can t fool everyone. Easy to convert to plaintext. Predictable key.

17 Note A substitution cipher replaces one symbol with another

18 Example 30.1 The following shows a plaintext and its corresponding ciphertext. Is the cipher monoalphabetic? Key = +3 Solution The cipher is probably monoalphabetic because both occurrences of L s are encrypted as O s

19 Mono-alphabetic substitution: The next improvement is to have each of the symbols in the plaintext, say, the 26 letters for simplicity, map onto some other letter. For example, plaintext: a b c d e f g h i j k l m n o p q r s t u v w x y z ciphertext: Q W E R T Y U I O P A S D F G H J K L Z X C V B N M The general system of symbol-for-symbol substitution is called a monoalphabetic substitution key being the 26-letter string corresponding to the full alphabet. attack would be transformed into the ciphertext QZZQEA. 26! = 4 x possible keys can be used. Even at 1 nsec per solution, a computer would take years to try all the keys. Disadvantage: How to carry 26 lettered key? CD? Written? How? Risky. Predicting is possible. e is the most common letter, followed by t, o, a, n, i, etc. The most common two-letter combinations, or digrams, are th, in, er, re, and an. The most common three-letter combinations, or trigrams, are the, ing, and, and Ion. Conclusion? If thyt stands for that, means a has code Y. substitution of Y to a would predict many digraphs and trigraphs such as awz stands for and. Cryptanalyst would try hard, he can predict the key.

20 Example 30.2 The following shows a plaintext and its corresponding ciphertext. Is the cipher monoalphabetic? Solution The cipher is not monoalphabetic because each occurrence of L is encrypted by a different character. The first L is encrypted as N; the second as Z

21 Note The shift cipher is sometimes referred to as the Caesar cipher

22 Example 30.3 Use the shift cipher with key = 15 to encrypt the message HELLO. Solution We encrypt one character at a time. Each character is shifted 15 characters down. Letter H is encrypted to W. Letter E is encrypted to T. The first L is encrypted to A. The second L is also encrypted to A. And O is encrypted to D. The cipher text is WTAAD

23 Example 30.4 Use the shift cipher with key = 15 to decrypt the message WTAAD. Solution We decrypt one character at a time. Each character is shifted 15 characters up. Letter W is decrypted to H. Letter T is decrypted to E. The first A is decrypted to L. The second A is decrypted to L. And, finally, D is decrypted to O. The plaintext is HELLO

24 Note A transposition cipher reorders (permutes) symbols in a block of symbols

25 Transposition Ciphers A transposition cipher.

26 Transposition cipher reorder the letters but do not disguise them. The cipher is keyed by a word or phrase not containing any repeated letters. In this example, MEGABUCK is the key. The purpose of the key is to number the columns. Plaintext is written horizontally, in rows, padded to fill the matrix if need be. The ciphertext is read out by columns, starting with the column whose key letter is the lowest. Every letter represents itself, keeping the frequency distribution intact. How to break the cipher as cryptanalyst? Suppose million dollars occurs somewhere in message. Observes digrams MO, IL, LL, LA, IR by wrapping around. For k columns, k(k-1) columns can be examined. Advantage: tough to determine the column sequence.

27 Figure 30.8 Transposition cipher 30.27

28 Example 30.5 Encrypt the message HELLO MY DEAR, using the key shown in Figure Solution We first remove the spaces in the message. We then divide the text into blocks of four characters. We add a bogus character Z at the end of the third block. The result is HELL OMYD EARZ. We create a three-block ciphertext ELHLMDOYAZER

29 Example 30.6 Using Example 30.5, decrypt the message ELHLMDOYAZER. Solution The result is HELL OMYD EARZ. After removing the bogus character and combining the characters, we get the original message HELLO MY DEAR

30 Figure 30.9 XOR cipher 30.30

31 Figure Rotation cipher 30.31

32 Figure S-box 30.32

33 Figure P-boxes: straight, expansion, and compression 30.33

34 Product Ciphers Basic elements of product ciphers. (a) P- box. (b) S-box. (c) Product.

35 S-Box: a 3-bit plaintext is entered and a 3-bit ciphertext is output. The 3-bit input selects one of the eight lines exiting from the first stage and sets it to 1. The second stage is a P-box. The third stage encodes the selected input line in binary again is input then output would be Product Cipher: Powerful tool in which p-box and s-box is cascaded forming whole series of boxes to form a product cipher. 12 input lines in p-box = 4096 crossed wires are needed in middle stage. Input is broken into 3 bits, each substituted independently. K bit input to produce k bit output, k is 64 to 256. Less general, more powerful, becoming complicated function.

36 Figure DES 30.36

37 Figure One round in DES ciphers 30.37

38 Figure DES function 30.38

39 DES (Data Encryption Standard), was widely adopted by the industry for use in security products. DES procedure: Enciphering a 64-bit data block and a 56-bit key Step 1: Stage 1: An initial transposition (permutation) Step 2: Iteration 1 to 16: rounds of a complex key dependent calculation. Step 3: Stage second last : 32 bit exchange of leftmost 32 bits with rightmost 32 bits. Step 4: Stage last : A final transposition, obtained by just reversing the obtained transposition. Output: 64 bit ciphertext. Iteration 1 to 16 procedure: Each stage takes two 32-bit inputs and produces two 32-bit outputs. Each of 16 iterations uses different key. The left output is simply a copy of the right input. The right output is the bitwise XOR of the left input and a function of the right input and the key for this stage, K i. All the complexity lies in this function. Whitening: Technique used to make DES sronger. XORing random 64bit key with each plaintext block before feeding it into DES. And then again XORing a second 64 bit key with resulting ciphertext before transmitting it. It can be removed easily by running reverse operation. It adds more bits to the key length. Time consuming. In 1977, standford cryptography researchers Diffie and Hellman designed a machine that breaks DES within 1 day.

40 Figure Triple DES 30.40

41 Triple DES (a) Triple encryption using DES. (b) Decryption. IBM realized that DES key length was too short and developed: : triple DES. Here, 2 keys, 3 stages Procedure: Step 1: the plaintext is encrypted using DES in the usual way with K 1. Step 2: DES is run in decryption mode, using K 2 as the key. Step 3: Finally, another DES encryption is done with K 1. Why 2 keys are used instead of 3? Another key would just add overhead for little benefit. So 2 keys are enough. Why EDE instead of EEE? Backward compatibility with single encryption decryption algorithm by just replacing k1 = k2.

42 AES The Advanced Encryption Standard DES began approaching the end of its useful life, even with triple DES. NIST (National Institute of Standards and Technology), the agency of the U.S. Dept. of Commerce charged with approving standards for the U.S. Federal Government, decided that the government needed a new cryptographic standard for unclassified use as there were problems with DES to be standardized. They conducted a conference which had following rules for computing cryptography algorithm: Rules for AES proposals: 1. The algorithm must be a symmetric block cipher. 2. The full design must be public. 3. Key lengths of 128, 192, and 256 bits supported. 4. Both software and hardware implementations required 5. The algorithm must be public or licensed on nondiscriminatory terms. Out of 16 proposals, 5 were sort listed and 1 was awarded as the best solution/ algorithm so far provided. Name: Rijndael (from: Joan Daelmen and Vincent Rijnmen, 86 votes). Let us see that in detail.

43 30.43 Table 30.1 AES configuration

44 Note AES has three different configurations with respect to the number of rounds and key size

45 Figure AES 30.45

46 Figure Structure of each round 30.46

47 Step 1: does a byte-for-byte substitution on state. Each byte in turn is used as an index into an S-box to replace its value by the contents of that S-box entry. This step is a straight mono-alphabetic substitution cipher. Unlike DES, which has multiple S-boxes, Rijndael has only one S- box. Step 2: rotates each of the four rows to the left. Row 0 is rotated 0 bytes (i.e., not changed), row 1 is rotated 1 byte, row 2 is rotated 2 bytes, and row 3 is rotated 3 bytes. This step diffuses the contents of the current data around the block, analogous to the permutations. Step 3: mixes up each column independently of the other ones. The mixing is done using matrix multiplication in which the new column is the product of the old column and a constant matrix, with the multiplication done using the finite Galois field, GF(2 8 ). Step 4: XORs the key for this round into the state array. Decryption? Decryption can be done just by running the algorithm backward. However, there is also a trick available in which decryption can be done by running the encryption algorithm, using different tables. Advantages: Great speed Great security Good software implementation on 2GHz machine, achieve 700Mbps encryption rate and encrypt over 100 MPEG-2 videos in real time. Hardware implementation is also faster.

48 Figure Modes of operation for block ciphers 30.48

49 Figure ECB mode 30.49

50 Electronic Code Book Mode Step 1: Break it up into consecutive 8 byte (64 bits) blocks. Step 2: Encrypt them one after another with the same key. Step 3: Last piece of plaintext is padded out to 64bits, if need be. Also called ECB mode. Intruder Enjoys by: making a copy of the 12th ciphertext block (which contains Kim's bonus) and use it to replace the 4th ciphertext block (which contains Leslie's bonus) even without knowing what the 12th block says.

51 Figure CBC mode 30.51

52 Cipher Block Chaining Mode Cipher block chaining. (a) Encryption. (b) Decryption. Overcome the disadvantage of ECB mode. Each plaintext block is XORed with previous ciphertext block before being encrypted. Step 1: The first block is XORed with a randomly chosen IV (Initialization Vector), which is transmitted (in plaintext) along with the ciphertext. C 0 = E(P 0 XOR IV) Step 2: Then we compute C 1 = E(P 1 XOR C 0 ), and so on. Decryption? also uses XOR to reverse the process, with P 0 = IV XOR D(C 0 ), and so on. Advantage: Same plaintext block will not result in the same ciphertext block, making cryptanalysis more difficult. Disadvantage: Have to wait until an entire 64-bit block to arrive before decryption can begin.

53 Figure CFB mode 30.53

54 Cipher Feedback Mode (a) Encryption. (b) Decryption. Overcome the disadvantage of Cipher Block Chaining Mode. Use Triple(DES), Only 128 bit shift register is used. Step 1: The leftmost byte of that ciphertext is extracted and XORed with P 10. Step 2: That byte is transmitted on the transmission line. Step 3: In addition, the shift register is shifted left 8 bits, causing C 2 to fall off the left end, and C 10 is inserted in the position just vacated at the right end by C 9. Need: initialization vector to start the ball rolling. Decryption? Decryption with cipher feedback mode just does the same thing as encryption. (not decryption). Disadvantage? One bit transmission error may exist. if one bit of the ciphertext is accidentally inverted during transmission, the 8 bytes that are decrypted while the bad byte is in the shift register will be corrupted.

55 Figure OFB mode 30.55

56 Stream Cipher Mode / OFB A stream cipher. (a) Encryption. (b) Decryption. Overcome the disadvantage of 1 bit error. Step 1: It works by encrypting an initialization vector, using a key to get an output block. Step 2: The output block is then encrypted, using the key to get a second output block. Step 3: This block is then encrypted to get a third block, and so on. Step 4: The (arbitrarily large) sequence of output blocks, called the key stream, is treated like a one-time pad and XORed with the plaintext to get the ciphertext. Note: IV is used only on the first step. Key-stream is independent of the data, so it can be computed in advance, if need be, and It is completely insensitive to transmission errors. Decryption? Decryption occurs by generating the same keystream at the receiving side. Disadvantage: Never to use same (key,iv) pair twice otherwise may result to keystream reuse attack. Decrypting all the blocks ahead of it, an expensive proposition.

57 30-3 ASYMMETRIC-KEY CRYPTOGRAPHY An asymmetric-key (or public-key) cipher uses two keys: one private and one public. We discuss two algorithms: RSA and Diffie-Hellman. Topics discussed in this section: RSA Diffie-Hellman 30.57

58 PUBLIC KEY ALGORITHM: RSA RSA Rivest Shamir Adelman Used for both, Encryption and Signing. Has long keys. i.e1024 bits which makes is secure. Key advantage: difficulty of factoring large integers. General Algorithm: 1. Generate two large random prime numbers, pand q, equal in size such that n=pq and φ= (p-1)(q-1). 2. Compute n= pq and φ= (p-1)(q-1) 3. Choose an integer e such that 1 < e <φ gcd(e,φ) = Compute secret exponent d, 1 < d < φsuch that ed=1(mod φ). 5. The public key is (n,e) and private key (n,d). Keep secret p, q, φ. Note: n is modulus e is public exponent or encryption. d is secret exponent of decryption.

59

60 RSA An example of the RSA algorithm.

61 Figure RSA 30.61

62 Note In RSA, e and n are announced to the public; d and F are kept secret

63

64 Example: Keys for a plaintext input of M = 88. Encryption: To calculate C = 88 7 mod 187: 88 7 mod 187 = [(88 4 mod 187) (88 2 mod 187) (88 1 mod 187)] mod mod 187 = mod 187 = 7744 mod 187 = mod 187= 59,969,536 mod 187 = mod 187 = ( ) mod 187 =894,432 mod 187 = 11

65 Example of RSA Algorithm

66 Decryption: M =11 23 mod 187: mod 187 = [(11 1 mod 187) (11 2 mod 187) (11 4 mod 187) (11 8 mod 187) (11 8 mod 187)] mod mod 187 = mod 187 = mod 187 = 14,641 mod 187 = mod 187 = 214,358,881 mod 187 = mod 187 = ( ) mod 187 = 79,720,245 mod 187 = 88

67 Limitations of RSA: To defeat the RSA algorithm: Use bruteforce approach, i.e try all possible private keys. The larger the number of bits in e and d, the more secure the algorithm. Because the calculations involved (both in key generation and in encryption/decryption) are complex, the larger the size of the key, the slower the system will run.

68 Diffie-Hellman The first published public-key algorithm. Purpose: Exchange a secret key securely. (Also limitation). Algorithm depends for its effectiveness on the difficulty of computing discrete logarithms.

69 There are two publicly known numbers: a prime number q and an integer α that is (alpha) α primitive root of q. Suppose the users A and B wish to exchange a key. User A selects a random integer X A < q and computes Y A = a XA mod q. B independently selects a random integer X B < q and computes Y B = a XB mod q. Each side keeps the X value private and makes the Y value available publicly to the other side. User A computes the key as K = (Y A ) X B mod q. And user B computes the key as K = (Y B ) X A mod q. = (a X B mod q) X A mod q = (a X B) X A mod q = a X B X A mod q = (a X A) X B mod q = (a X A mod q) X B mod q K = (Y A ) X B mod q The result is that the two sides have exchanged a secret value.

70

71 As X A and X B are private, an adversary only has the following ingredients to work with: q,,y A, and Y B. Thus, the adversary is forced to take a discrete logarithm to determine the key. To determine the private key of user B, an adversary must compute X B = dlog α,q (Y B ). Security lies with calculation of discrete logarithms. Lets take one example supporting the algorithm.

72

73 Example: The prime number q = 353 and a primitive root of q = 353, in this case α = 3. A and B select secret keys X A =97 and X B =233, respectively. Each computes its public key: A computes Y A = 3 97 mod 353 = 40. B computes Y B =3 233 mod 353 = 248. After they exchange public keys, each can compute the common secret key: A computes K =(Y B ) mod 353= mod 353= 160. B computes K =(Y A ) mod 353= mod 353= 160. We assume an attacker would have available the following information: q = 353; α = 3; Y A = 40; Y B = 248. In this simple example, it would be possible to determine the secret key 160 by brute force. The brute-force approach is to calculate powers of 3 modulo 353, stopping when the result equals either 40 or 248. The desired answer is reached with the exponent value of 97, which provides 3 97 mod 353= 40. With larger numbers, the problem becomes impractical.

74 Limitations of Diffie-Hellman The technique does not protect against replay attacks. Man-In-The-Middle-Attack: 1. Darth generating two private keys X D1 and X D2, and then computing the corresponding public keys Y D1 and Y D2. 2. Alice transmites Y A to Bob. 3. Darth intercepts Y A and transmits Y D1 to Bob. Darth also calculates K2 = (Y A ) X D2 mod q. 4. Bob receives Y D1 and calculates K1 = (Y D1 ) X B mod q. 5. Bob transmits Y B to Alice. 6. Darth intercepts Y B and transmits Y D2 to Alice. Darth calculates K1 = (Y B ) X D1 mod q. 7. Alice receives Y D2 and calculates K 2 = (Y D2 ) X A mod q. At this point, Bob and Alice think that they share a secret key. But actually situation is different. Darth simply wants to eavesdrop. Or modify the message going to Bob.

75 Note The symmetric (shared) key in the Diffie-Hellman protocol is K = g xy mod p

76 Example Let us give a trivial example to make the procedure clear. Our example uses small numbers, but note that in a real situation, the numbers are very large. Assume g = 7 and p = 23. The steps are as follows: 1. Alice chooses x = 3 and calculates R 1 = 7 3 mod 23 = Bob chooses y = 6 and calculates R 2 = 7 6 mod 23 = Alice sends the number 21 to Bob. 4. Bob sends the number 4 to Alice. 5. Alice calculates the symmetric key K = 4 3 mod 23 = Bob calculates the symmetric key K = 21 6 mod 23 = 18. The value of K is the same for both Alice and Bob; g xy mod p = 7 18 mod 23 =

77 Figure Diffie-Hellman idea 30.77

78 Figure Man-in-the-middle attack 30.78