Lecture IV : Cryptography, Fundamentals

Transcription

1 Lecture IV : Cryptography, Fundamentals Internet Security: Principles & Practices John K. Zao, PhD (Harvard) SMIEEE Computer Science Department, National Chiao Tung University Spring 2012

2 Basic Principles Kerckhoff s Principle: Internet Security - Cryptography Basics 2 A cryptosystem should be secure even if everything about the system, except the key, is public knowledge. Shannon's Maxim: Your enemy knows your system!

3 Internet Security - Cryptography Basics 3 Outlines Basic Concepts Information Theoretic Cryptography Computational Difficult Cryptography One Way Functions One Way Trapdoor Functions Cyptanalytic Attacks Mathematical Foundation Modular Arithmetic Finite Fields Computationally Hard Problems

4 Internet Security - Cryptography Basics 4 Information Theoretic Cryptography Basic Cryptography Tenet Proper application of cryptography should make it infeasible for cryptanalysis to infer plaintext and/or crypto-keys using ciphertext, known-plaintext or chosen-plaintext attacks What does it mean by infeasible? What does it mean by infer? Information Theoretic Cryptography [Shannon 1949] Infeasible means Mathematically impossible (regardless of available resources) Cryptanalyst does not have enough information to decipher Infer means Obtaining partial/probabilistic information about plaintext

5 Internet Security - Cryptography Basics 5 Computational Difficult Cryptography Foundation of Modern Cryptography Infeasible means Computationally infeasible with existing technology & available resources Cryptanalyst does have enough information to decipher, but may not have time, machines or energy to crack the codes Infer means Obtaining partial/probabilistic information about plaintext Computationally difficult cryptosystems are based upon One-Way Functions One-Way Functions are functions that are easy to evaluate but hard to invert x f(x)

6 Internet Security - Cryptography Basics 6 Outlines Basic Concepts Information Theoretic Cryptography Computational Difficult Cryptography One Way Functions One Way Trapdoor Functions Cyptanalytic Attacks Mathematical Foundation Modular Arithmetic Finite Fields Computationally Hard Problems

7 7 One-Way Function Spring 2012 Internet Security - Cryptography Basics Definition : A one-to-one mapping x S, y S y = f (x) of which Forward Mapping f is computationally feasible Inverse Mapping f -1 is computationally infeasible Characteristics : Cryptographically Strong / Secure Inverse Infeasibility f -1 is computationally infeasible Collision Improbability Example : Given a, b S, P ( f (a) = f (b) ) #(S)/2 Modular Exponentiation Message Digest (Cryptographically Strong Hashing)

8 8 Spring 2012 One-Way Trapdoor Function Internet Security - Cryptography Basics Definition : A one-to-one parameterized mapping x S, y S y = f k (x) of which Question : Forward Mapping f k is computationally feasible if k is known Inverse Mapping f k -1 is Computationally infeasible if k is unknown, but Computationally feasible if k is known Does such function ever exist? Diffie and Hellman thought so! Diffie, W. and Hellman, M.E., New Directions in Cryptography, IEEE Transaction on Information Theory 22(6): , 1976.

9 Internet Security - Cryptography Basics 9 Outlines Basic Concepts Information Theoretic Cryptography Computational Difficult Cryptography One Way Functions One Way Trapdoor Functions Cyptanalytic Attacks Mathematical Foundation Modular Arithmetic Finite Fields Computationally Hard Problems

10 Attack Models When performing cryptanalytic attacks, we have to determine adversary s capability (Attack Model) and define a successful attack (Goal Model). Ciphertext-Only Attack (COA) Attackers have access only to a set of ciphertexts Known-Plaintext Attack (KPA) Attackers have samples of both the plaintext, and its encrypted version (ciphertext) Chosen-Plaintext Attack (CPA) Attackers have the capability to choose arbitrary plaintexts to be encrypted and obtain the corresponding ciphertexts Chosen-Ciphertext Attack (CCA) Internet Security - Cryptography Basics 10 Attackers have the capability to choose a ciphertext and obtaining its decryption under an unknown key

11 Internet Security - Cryptography Basics 11 Attack Goals Corresponding plaintext is deduced Part of plaintext or the whole plaintext of target ciphertext Unintended ciphertext/plaintext is generated One or more valid ciphertext/plaintext pair Users private keys are found Attackers can do anything. Also known as total break.

12 Example: Caesar Cipher Ciphertext-Only Attack (COA) Attacker gains one ciphertext. He can tries all 26 possible key (shift amount) to see if meaningful plaintext appears. Known-Plaintext Attack (KPA) Attacker gains several plaintext/ciphertext pair. He could easily find which one letter maps to the other. Chosen-Plaintext Attack (CPA) Attacker chooses one letter to be encrypted and retrieve the ciphertext. He could deduce the key from the ciphertext. Chosen-Ciphertext Attack (CCA) Work basically the same way since the operation is symmetric. Internet Security - Cryptography Basics 12

13 Ciphertext Attack Concept Internet Security - Cryptography Basics 13 Attempts to discover cipher key(s) or plaintext(s) from known ciphertext(s) Most common cipher attacks Definition Given ciphertext of N unknown plaintext under same unknown key c i = E k (m i ), i = [ 1..N ] Discover or infer key k or some subset(s) of plaintext { m i } Example Mono-alphabetic Cipher : encipher English text by mapping the alphabets to a chosen permutation { a, b, c, x, y, z } { e, r, p, h, g, m } Relatively difficult to break based on exhaustive key search (26! 1) Easy to break based on letter frequencies of English alphabets

14 Known Plaintext Attack Concept Internet Security - Cryptography Basics 14 Attempts to discover cipher key(s) or new plaintext(s) from known plaintext and ciphertext pairs Definition Given N pairs of known plaintext and ciphertext under same unknown key ( m i, c i = E k (m i ) ), i = [ 1..N ] Discover or infer key k or some new ciphertext-plaintext pair Example k or ( c N+1, m N+1 ) Key or plaintext discovery from special control messages Mono-alphabetic Cipher : Easy to break if known plaintext-ciphertext pairs contain all alphabets

15 Chosen Plaintext Attacks Concept Internet Security - Cryptography Basics 15 Attempts to discover cipher key(s) or new plaintext(s) from knowing corresponding plaintexts of chosen ciphertexts Definition Given ciphertext of N chosen plaintext under same unknown key ( m i (chosen), c i = E k (m i ) ), i = [ 1..N ] Discover or infer key k or some new ciphertext-plaintext pair Example ( c N+1, m N+1 ) Mono-alphabetic Cipher : Easy to break by having the corresponding ciphertext of plaintext abcd xyz or any sub-string of 25 alphabets Challenge-Response Attacks SSL Million Message Attack

16 Internet Security - Cryptography Basics 16 Outlines Basic Concepts Cyptanalytic Attacks Information Theoretic Crypto Computational Difficult Crypto One Way Functions One Way Trapdoor Functions Mathematical Foundation Modular Arithmetic Finite Fields Computationally Hard Problems

17 17 Spring 2012 Internet Security - Cryptography Basics Wonderful World of Modular Arithmetic Integers : = { -2, -1, 0, 1, 2, } Addition (+) Identity : z, 0 z + 0 = z Inverse : z, -z z + (-z) = 0 Multiplication (x) Identity : z, 1 z x 1 = z Inverse :? is a (commutative) ring

18 18 Spring 2012 Internet Security - Cryptography Basics Modular Arithmetic Addition (+) a, b, n ( a + b ) mod n remainder ( a + b ) n Ex: ( ) mod 10 = 1

19 Modular Arithmetic Multiplication ( ) Internet Security - Cryptography Basics 19 a, b, n ( a b ) mod n remainder ( a b ) n Ex: ( 2 7 ) mod 10 = 4

20 Internet Security - Cryptography Basics 20 Outlines Basic Concepts Cyptanalytic Attacks Information Theoretic Crypto Computational Difficult Crypto One Way Functions One Way Trapdoor Functions Mathematical Foundation Modular Arithmetic Finite Fields Computationally Hard Problems

21 21 Finite Fields Spring 2012 Internet Security - Cryptography Basics Addition (+) Identity : z p, 0 p ( z + 0 ) mod p = z Inverse : z p, -z p z + (-z) = 0 Multiplication ( ) Identity : z p, 1 p z 1 = z Inverse : z p, z -1 p z z -1 = 0

22 22 Spring 2012 Internet Security - Cryptography Basics Finite Field, p Integer Prime-Modulo Sets : p = { 0, 1, 2, p-1 } Addition (+) Identity : z p, 0 p ( z + 0 ) mod p = z Inverse : z p, -z p z + (-z) = 0 Ex: ( ) mod 5 = 0 Multiplication ( ) Identity : z p, 1 p z 1 = z Inverse : z p, z -1 p z z -1 = 1 Ex: ( 3 2 ) mod 5 = 1! p is a FINITE FIELD

23 Internet Security - Cryptography Basics 23 Outlines Basic Concepts Cyptanalytic Attacks Information Theoretic Crypto Computational Difficult Crypto One Way Functions One Way Trapdoor Functions Mathematical Foundation Modular Arithmetic Finite Fields Computationally Hard Problems

24 Internet Security - Cryptography Basics 24 Hard Problem : Discrete Logarithm Modular Exponentiation (x y ) Definition : x, y, n x y mod p remainder ( x y ) n How about Inverse? z p, p is prime, Is there y p x y mod p = z? y is known as log x z (mod p) Discrete Logarithm Inverse of Modular Exponentiation Like factoring problem, discrete logarithm problem (DLP) is believed to be difficult. Thus, modular exponentiation is regarded as a one-way function, and used as the basis of several public-key cryptosystems. Yet, nobody admitted to have proven that DLP cannot be solved quickly.

25 Internet Security Cryptography Basics 25 Discrete Logarithm, Properties NOT all columns contain unique results! ONLY those share no common factor with n = 10 contain unique results. α x mod n α x+n mod n α x mod n = α x+κφ(n) mod n

26 NP-Intermediate Problems Internet Security - Cryptography Basics 26 It s a problem in NP but not known to be in P or NP-complete If P NP then there exist problems in NP that are neither P nor NPcomplete. These problems are called NP-intermediate problems. - Ladner Examples: Graph Isomorphism Discrete Logarithm Integer Factorization

27 Best Algorithms Internet Security - Cryptography Basics 27 Both integer factoring and discrete logarithm can be solved by sub-exponential algorithms Integer Factoring General_number_field_sieve: L n [1/3, (64/9) 1/3 ]= L n [1/3, ] Special_number_field_sieve: L n [1/3, (32/9) 1/3 ]=L n [1/3, ] Discrete Logarithms Index_calculus_algorithm: L 2 m[1/3,c] 0<c<1.587 for F * 2m, let n=2m