Chapter 3. Cryptography. Information Security/System Security p. 33/617

Transcription

1 Chapter 3 Cryptography Information Security/System Security p. 33/617

2 Introduction A very important tool for security is cryptography Cryptography is the (art and) science of keeping information secure This is usually done by encoding it Cryptanalysis is the (art and) science of breaking a code Cryptology is the branch of math needed for cryptography and cryptanalysis Information Security/System Security p. 34/617

3 Introduction (2) One way to do it: Information Security/System Security p. 35/617

4 Introduction (3) Cryptography can help in providing: Confidentiality: only authorized persons are allowed to decode a message Authentication: receiver of a message (e.g. a password) should be able to ascertain its origin Integrity: receiver of a message should be able to verify that it hasn t been modified Non-repudiation: a sender shouldn t be able to falsely deny that they sent a message We re talking about messages here, but the principles can be applied to any information Information Security/System Security p. 36/617

5 Basic Definitions The original message is plaintext (sometimes also called cleartext Disguising the content of a message is called encryption This results in ciphertext, the encrypted message Turning ciphertext back into plaintext is called decryption Plaintext Encryption Ciphertext Decryption Original Plaintext Information Security/System Security p. 37/617

6 Basic Definitions (2) Plaintext is denoted by P or M (for message) It s a stream of bits, intended for transmission or storage, e.g. a textfile a bitmap digitized audio data digital video data Ciphertext is denoted by C and is also binary data Can be the same size as M Can be larger Can be smaller (if combining encryption with compression) Information Security/System Security p. 38/617

7 Basic Definitions (3) The encryption function E operates on M to produce C: E(M) = C The decryption function D operates on C to produce M: D(C) = M As the whole point encrypting and then decrypting is to recover the original message, the following has to be true: D(E(M)) = M Information Security/System Security p. 39/617

8 Algorithms A cryptographic algorithm (also called a cipher) is the mathematical function used for encryption and decryption Usually there are two functions, one for encryption and one for decryption If security is based on keeping the algorithm secret, then it s a restricted algorithm Restricted algorithms are not a good idea: Every time a user leaves a group, the algorithm has to be changed A group must develop their own algorithm; if they don t have the expertise, then it will be subpar Information Security/System Security p. 40/617

9 Algorithms and Keys Modern algorithms use a key, denoted by K A key is taken from a large range of possible values, the keyspace used as additional input for the en-/decryption function to do the en-/decrypting Encryption Key Decryption Key Plaintext Encryption Ciphertext Decryption Original Plaintext Information Security/System Security p. 41/617

10 Algorithms and Keys (2) So, the following holds: E KE (M) = C D KD (C) = M D KD (E KE (M)) = M The key used for encryption, K E, can be the same as the key used for decryption, K D, or the keys can be calculated from each other If this is the case, we have a symmetric algorithm Otherwise, it s an asymmetric algorithm Information Security/System Security p. 42/617

11 Algorithms and Keys (3) The security is based in the key, not in the details of the algorithm (Kerckhoffs s principle) This has several advantages: The algorithms can be published and analyzed by experts for possible flaws Software for the algorithm can be mass-produced Even if an eavesdropper knows the algorithm, without the key messages cannot be read An algorithm together with all possible plaintexts, ciphertexts, and keys is called a cryptosystem Information Security/System Security p. 43/617

12 Symmetric Algorithms Symmetric algorithms are sometimes also called conventional algorithms Secret-key or single-key algorithm means that encryption and decryption keys are identical Anyone who has the key can decrypt a message However, before two persons/systems can communicate, they need to agree on a key Information Security/System Security p. 44/617

13 Asymmetric Algorithms Asymmetric algorithms are also often called public-key algorithms The key used for encrypting messages is the public key The key used for decrypting messages is the private key The public key can be published, so that anyone can encrypt messages to a person/system The private key is only known to the receiver This only works if the private key cannot be calculated from the public key (in any reasonable time) Information Security/System Security p. 45/617

14 Asymmetric Algorithms (2) Asymmetric algorithms work similar to padlocks: You distribute open padlocks (for which only you have a key) Anyone sending you a message puts it into a box and snaps the padlock shut (encryption using public key) Only you can unlock the padlock using the key (decryption using private key) Information Security/System Security p. 46/617

15 Encryption Techniques There are different techniques for actually doing the encryption We are going to have a look at the most important ones: Substitution ciphers Transposition ciphers Stream ciphers Block ciphers Information Security/System Security p. 47/617

16 Substitution Ciphers In a substitution cipher each character in the plaintext is substituted for another character One of the earliest techniques to be used in the famous Caesar cipher In the Caesar cipher each character is shifted (by three characters in the original cipher) Information Security/System Security p. 48/617

17 Monoalphabetic Substitution Ciphers Caesar cipher is a special case of a simple substitution cipher (or monoalphabetic cipher) Instead of just shifting characters, the alphabet can be mapped to a (random) permutation: Information Security/System Security p. 49/617

18 Monoalphabetic Substitution Ciphers (2) Monoalphabetic ciphers are not very secure and can be easily broken by statistical means: Different characters have typical frequencies in languages There have been various attempts at making substitutions more secure Information Security/System Security p. 50/617

19 Homophonic Substitution Ciphers Homophonic substitution ciphers try to obscure the frequencies by mapping a character to more than one code For example, A could correspond to 5, 13, 25, or 56; while for B this could be 7, 19, 32, or 42 While this makes analysis a bit harder, it doesn t hide all statistical properties With the help of a computer can usually be broken in a few seconds Information Security/System Security p. 51/617

20 Polygram Substitution Cipher Instead of encoding single characters, a polygram substitution cipher encrypts groups of letters For example, ABA could correspond to RTQ, while ABB could correspond to SLL The example above uses 3-grams (groups of 3 letters); can be generalized to n-grams Still not a very secure way of encrypting data: This hides the frequencies of individual letters However, natural languages also show typical frequencies for n-grams (although the curve is flattened) Information Security/System Security p. 52/617

21 Polyalphabetic Substitution Cipher A polyalphabetic substitution cipher uses multiple simple substitution ciphers The particular one used changes with the position of each character of the plaintext There are multiple one-letter keys The first key encrypts the first letter of the plaintext, the second key encrypts the second letter of the plaintext, and so on After all keys are used, you start over with the first key The number of keys determines the period of the cipher Information Security/System Security p. 53/617

22 Polyalphabetic Substitution Cipher (2) An early example is the Vigenère cipher Adds a key repeatedly into the plaintext using numerical codes: A=0, B=1,..., Z=25 This is done modulo 26, i.e. if the result is greater than 26, then we divide the result by 26 and take the remainder C = M +K mod 26 For example, P(15) + U(20) = 35 mod 26 = 9 Information Security/System Security p. 54/617

23 Polyalphabetic Substitution Cipher (3) Unfortunately, the Vigenère cipher is also not very secure Code can be broken by analyzing the period Looking at the example from previous slide, we notice that KIOV is repeated after 9 letters, NU after 6 letters As 3 is a common divisor of 6 and 9, this is a hint that the period could be 3 Knowing which letters were encoded with the same key allows the application of frequency methods again Information Security/System Security p. 55/617

24 Rotor Machines In the 1920s, mechanical encryption devices were developed (to automate the process) Basically, these machines implemented a complex Vigenère cipher A rotor is a mechanical wheel wired to perform a general substitution A rotor machine has a keyboard and a series or rotors, where the the output pins of one rotor are connected to the input of another For example, in a 4-rotor machine, the 1st rotor might substitute A F, the 2nd F Y, the 3rd Y E, the 4th E C; so the final output for A is C After each output, some of the rotors shift Information Security/System Security p. 56/617

25 Rotor Machines (2) Combination of several rotors and shifting of rotors leads to a period of 26 n (where n is the number of rotors) A long period makes it harder to break the code The best-known rotor machine is the Enigma (pictured on the right) Information Security/System Security p. 57/617

26 Transposition Ciphers Substitution ciphers on their own are usually not very secure That is why they are combined with transposition ciphers Transposition ciphers on their own are also not very secure In a transposition cipher the symbols of the plaintext remain the same, but their order is changed Information Security/System Security p. 58/617

27 Transposition Ciphers (2) A skytale is an early version (ancient Greece): Information Security/System Security p. 59/617

28 Simple Columnar Transposition Cipher In a simple columnar transposition cipher the plaintext is written horizontally onto a piece of graph paper of fixed width while the ciphertext is read off vertically W E A R E D I S C O V E R E D F L E E A T O N C E WIREEESEAACDTROFOEVLNDEEC Information Security/System Security p. 60/617

29 Double Columnar Transposition A simple columnar transposition can be broken by trying out different width/column lengths Putting the ciphertext through a second transposition enhances security In contrast to a simple substitution cipher, where a second application does not increase security Information Security/System Security p. 61/617

30 Stream Ciphers/Block Ciphers In symmetric algorithms we also distinguish between stream ciphers and block ciphers Stream ciphers operate on the plaintext a single bit (or single character) at a time Simple substitution cipher is an example Block ciphers operate on groups of bits (or groups of characters) An example of an early block cipher is Playfair Information Security/System Security p. 62/617

31 Playfair Place the alphabet in a 5x5 grid, permuted by the keyword (omitting the letter J; J=I) Then divide the plaintext into pairs of letters preventing double letters in a pair (by separating them with an x ) adding a z to the last pair (if necessary) Information Security/System Security p. 63/617

32 Playfair (2) For example, Lord Granville s letter becomes lo rd gr an vi lx le sl et te rz Then encrypt text pair by pair Replace two letters in the same row or column by succeeding letters, e.g. am LE Otherwise the two letters are in opposite corners of a rectangle, replace them with letters in the other corners, e.g. lo MT Information Security/System Security p. 64/617

33 Modern Algorithms So far we have covered algorithms that are more of historical interest Good for explaining basic cryptographic concepts with easy-to-understand algorithms None of these algorithms should be used today (they can all be broken easily) We will now turn to more modern algorithms (which are still relevant today) First we introduce some more concepts Information Security/System Security p. 65/617

34 Confusion and Diffusion In the 1940s Claude Shannon suggested that strong ciphers can be built by combining substitution and transposition This relies on the principles of confusion and diffusion Confusion adds an unknown key value to confuse an attacker about the true value of a plaintext symbol Diffusion spreads the plaintext information through the ciphertext Information Security/System Security p. 66/617

35 SP-Networks Early (modern) block ciphers used simple networks combining substitution and permutation circuits These networks are called substitution-permutation networks (or SP networks) Let s have a look at a simple SP network operating on 16-bit blocks Information Security/System Security p. 67/617

36 SP-Networks (2) A substitution box (S-box) is basically a look-up table containing some permutation of the numbers 0 to 15: Information Security/System Security p. 68/617

37 SP-Networks (3) The mapping used for the S-boxes needs to be one-to-one (so decryption is possible) The output of S-boxes is shuffled with a permutation network before being fed into the next layer of S-boxes Each layer is also called a round One question remains: how do you add a key? Information Security/System Security p. 69/617

38 SP-Networks (4) After each round you add (part of) the key via an XOR (exclusive-or) function Information Security/System Security p. 70/617

39 Using an SP Network Why use an SP network? Why not do a direct mapping from 16-bit code to 16-bit code? This would need 2 20 bits of memory ( bits) Using the 4-bit S-boxes needs 64 bits (2 4 4 bits) While a 16-bit mapping could be stored in memory, 16-bit block ciphers are far from secure In order to get a decent level of security, you need ciphers with a block size of at least 64, 128, or even more bits bits 100 million Terabytes Information Security/System Security p. 71/617

40 Using an SP Network (2) Main reason to use an SP network: saves space However, in order to make an SP network block cipher secure, the following conditions have to be met: The block size needs to be large enough We need to have enough rounds The S-boxes need to be chosen carefully Information Security/System Security p. 72/617

41 Block Size The smaller the block size, the more vulnerable a block cipher is to attacks If an attacker can obtain (or guess) some plaintext messages, they can create a dictionary With a dictionary any message encrypted with a certain key can then be decrypted The smaller the block size, the easier it is to complete such a dictionary Information Security/System Security p. 73/617

42 Number of Rounds Good ciphers exhibit the avalanche effect This means that a slight change in the input (e.g. toggling one bit) has a major impact on the output Ideally you want to create a lot of diffusion, i.e. spread the information trough the whole ciphertext Having just one or two rounds is not adequate, a slight change in the input will only have a minor impact on the output The exact number of rounds that are needed also depends on how quickly an SP network diffuses the data Information Security/System Security p. 74/617

43 Choice of S-Boxes S-boxes need to add enough randomness to be effective Let s look at an example of an S-box with 3 input and 3 output bits: The most significant bit passes unchanged through the S-box This would be a bad choice for an S-box Information Security/System Security p. 75/617

44 Concrete Algorithms We ll now have a look at algorithms based on SP networks These algorithms are still in use (or have been used until recently) Data Encryption Standard (DES) Advanced Encryption Standard (AES) Information Security/System Security p. 76/617

45 Data Encryption Standard Data Encryption Standard (DES) is a well-known block cipher The original algorithm encrypts the plaintext in 64-bit blocks using a 64-bit key The key is actually 56 bits, every 8th bit is used for parity The fundamental building block of DES is a substitution followed by a permutation on a 32-bit block DES uses an SP network on half of the block at a given time DES has 16 rounds, applying the same technique on a plaintext block 16 times Information Security/System Security p. 77/617

46 Data Encryption Standard (2) First step is an initial permutation of the plaintext Then there are 16 rounds of identical operations: A block is broken up into a left and a right half In function f, the data is combined with the (current round) key and then run through an SP network After the 16th round, there is a final permutation Information Security/System Security p. 78/617

47 Data Encryption Standard (3) The function f is also called the Feistel function (named after its inventor) At first glance this might look overly complicated What s the advantage of all this criss-crossing? Actually, it s a very clever scheme allowing to use the same network for encryption and decryption The only difference is that during decryption the round keys are applied in inverse order Information Security/System Security p. 79/617

48 Data Encryption Standard (4) DES was a certified standard for more than 20 years However, there have been a couple of successful attacks on DES Deep Crack ($250,000 custom-built machine) breaks a DES key in 22 hours and 15 minutes (1999) COPACOBANA ($10,000 custom-built machine) breaks DES in 9 days (2006) DES has been replaced by the Advanced Encryption Standard (AES) AES uses a more sophisticated substitution/permutation algorithm on a 4x4 matrix of bytes Information Security/System Security p. 80/617

49 Advanced Encryption Standard Each input byte is sent through an S-box Then the rows of the matrix are shifted In a more complicated process the values in each column of the matrix are mixed In a final step the current round key is added This constitutes one round in AES Information Security/System Security p. 81/617

50 Advanced Encryption Standard (2) As we have 16 input bytes, AES has a block size of 16 8 = 128 bits. AES can be used with different key sizes: 128, 192, or 256 bits Depending on the key size there are 10, 12, or 14 rounds, respectively AES became a certified standard in 2002 It is the first published algorithm approved by the NSA for top secret documents (using 256-bit keys) We will move away from SP networks now and look at other types of algorithms Information Security/System Security p. 82/617

51 The Perfect Encryption Algorithm There is an unbreakable encryption scheme, it s called a one-time pad It s basically a Vigenère cipher with a truly random, non-repeating key Encryption is done by adding plaintext letter and a one-time pad key character modulo 26 Each key letter is used exactly once and for only one message The sender encrypts the message and then destroys the used part of the key The receiver (who needs an identical pad) follows the same procedure for decryption Information Security/System Security p. 83/617

52 One-Time Pads Here is an example of a one-time pad (using numbers): Information Security/System Security p. 84/617

53 One-Time Pads (2) The crucial point is having a truly random sequence of key characters This makes statistical analysis impossible, every potential message has the same probability Information Security/System Security p. 85/617

54 One-Time Pads (3) Generating truly random numbers is harder than it looks: Most algorithms generate pseudo-random numbers Better results can be achieved by integrating random events into the algorithm, e.g. mouse movements, disk operations, arrival times of network packets Another problem is exchanging the key between sender and receiver Information Security/System Security p. 86/617

55 RSA Public-Key Algorithm RSA is a very popular and secure encryption algorithm RSA stands for the names of the inventors: Rivest, Shamir, Adleman Has a public and a private key (asymmetric algorithm) The public and private key are functions of a pair of large prime numbers Information Security/System Security p. 87/617

56 Determining the Keys Select two large prime numbers p and q at random Compute their product n = p q Compute Euler totient f = (p 1)(q 1) (Randomly) choose an encryption key e such that e and f are coprime, i.e. they have no factors in common Another way of formulating this: the greatest common divisor (gcd) of e and f is 1 Compute the decryption key d such that e d = 1 mod f, i.e. e d divided by f leaves remainder 1 The public key consists of e and n The private key consists of d and n Information Security/System Security p. 88/617

57 Determining the Keys (2) Let s do an example: Choose p = 47 and q = 71 n = pq = 3337 f = (p 1)(q 1) = 3220 A valid value for e is 79 Can be checked by using the Euclidean algorithm d = 1019, as ( ) mod 3220 = 1 Can be computed using the extended Euclidean algorithm Now that we have the keys, what do we do with them? First step: destroy p and q, otherwise your private key is insecure Information Security/System Security p. 89/617

58 Encrypting/Decrypting a Message Encrypting a message is done by exponentiating the message M with e (modulo n): C = M e mod n Decrypting a ciphertext is done by exponentiating it with d (modulo n): Example: M = C d mod n mod 3337 = mod 3337 = 53 Caveat: M and n have to be coprime; if message is too large, split it up into blocks (you re safe if M < p and M < q) Information Security/System Security p. 90/617

59 Encrypting/Decrypting a Message (2) Why does this work? Number theory! Euler showed in 1736 that if M and n are coprime, then M f = 1 mod n Furthermore, M f+s = M s mod n, i.e. exponent can be taken modulo f So, encrypting and then decrypting by computing (M e ) d mod n yields M 1 mod n, which is M Remember that ed = 1 mod f Information Security/System Security p. 91/617

60 Security Now we know that RSA will reconstruct the original message again Why is it secure? Can t someone figure out d given n and e? This involves integer factoring, i.e. figuring out the factors p and q of n The prime numbers p and q used in RSA are really big, so that n is sufficiently large Using a size of around 300 bits for n can be factored in a few hours on a PC A size of 2048 bits for n is probably safe in the near future The fastest algorithm for integer factoring has a run-time exponential in the size of the input Information Security/System Security p. 92/617

61 Prime Factors: Other Uses Information Security/System Security p. 93/617

62 What Now? O.k., RSA is secure, but we are left with two problems: If integer factoring is so difficult, how do we figure out p and q, which have to be prime? If the numbers involved are so huge, how do we encrypt and decrypt efficiently? Computing mod doesn t look easy Information Security/System Security p. 94/617

63 Determining Prime Numbers Factoring numbers is difficult, however, testing a number for primality is easier There are quick probabilistic tests: Take a whole range of numbers x Test whether a x 1 = 1 mod x for different values of a If x is a prime, then this holds for all a Repeating this for several values of a gives a high probability for having found a prime There are also deterministic tests, e.g. APR (Adleman, Pomerance, Rumely) These tests are usually very complicated to implement Information Security/System Security p. 95/617

64 Efficient Exponentiation This still leaves us with the problem of determining M e mod n and C d mod n efficiently As e and d are usually huge numbers, you don t want to do a brute-force computation: That means multiplying M e times with itself and then taking it modulo n Don t try to do this with your calculator We can use a technique called repeated squaring to cut down on the number of multiplications Information Security/System Security p. 96/617

65 Repeated Squaring Assume we want to compute x 59 It s not too hard to compute the following series of numbers: x 2, x 4, x 8, x 16, x 32,... Multiplying x with itself gives you x 2 multiplied with itself gives you x 4 multiplied with itself gives you x 8, and so on Incidentally, the exponents for the numbers we can compute quickly are all powers of 2 We can use the binary representation of the exponent and multiply all the numbers that are present in the binary representation: 59 = = x 59 = x 32 x 16 x 8 x 2 x 1 Information Security/System Security p. 97/617

66 Modular Exponentiation Repeated Squaring reduces the number of multiplications tremendously However, the numbers can still become very big Math comes to the rescue again: we can take modulo n after each multiplication For example, if we want to compute 2 40 mod 100, then 40 = , so 2 40 = = 256 = 56 mod = = 3136 = 36 mod = = 1296 = 96 mod = = 5376 = 76 mod 100 Information Security/System Security p. 98/617

67 Some Additional Stuff on RSA While the techniques mentioned above make RSA usable in practice, it s still slower than DES or AES The prime numbers p and q should not be too close : p q should not be less than 2n 1 4 The private key needs to be large enough : d should be greater than n 1 4/3 The public key can be small, but then extra care has to be taken when encrypting messages: In order to compensate, message has to be made larger by padding it Information Security/System Security p. 99/617

68 Summary This represents only a small glimpse into the world of cryptography There are countless other cryptosystems out there: Anubis, Grand Cru, Khufu, Serpent, Twofish, just to name a few Going deeper into this would involve some very sophisticated math RSA is one of the simpler algorithms in terms of understandability Information Security/System Security p. 100/617