Cryptography Symmetric Encryption Class 2 Stallings: Ch 3 & 6 Stallings: Ch 4 CEN-5079: 18.January.2018 1
Symmetric Cryptosystems Encryption Key Decryption Key Plaintext Plaintext Encryption Algorithm = Decryption Algorithm CEN-5079: 18.January.2018 2
Outline Encryption Techniques Classical Techniques Modern Times: DES CEN-5079: 18.January.2018 3
Classic Techniques Substitution Ciphers Cesar Cipher Monoalphabetic Ciphers Polyalphabetic Ciphers Vigenere Vernam One Time Pad Transposition Ciphers Product Ciphers CEN-5079: 18.January.2018 4
Classic Substitution Techniques Letters of plaintext are replaced by other letters or by numbers or symbols If plaintext is viewed as a sequence of bits Replace plaintext bits with ciphertext bits CEN-5079: 18.January.2018 5
Caesar Cipher Earliest known substitution cipher By Julius Caesar First attested use in military affairs Example: meet me after the toga party PHHW PH DIWHU WKH WRJD SDUWB Guess how? Replaces each letter by 3rd letter on CEN-5079: 18.January.2018 6
Caesar Cipher (cont d) Define transformation as: a b c d e f g h i j k l m n o p q r s t u v w x y z D E F G H I J K L M N O P Q R S T U V W X Y Z A B C Give each letter a number a b c d e f g h i j k l m n o p q r s t u v w x y z 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 Math -- Caesar cipher is: c = E(k, p) = (p + k) mod (26) p = D(k, c) = (c k) mod (26) CEN-5079: 18.January.2018 7
Cryptanalysis of Caesar Cipher Only have 25 possible ciphers A maps to B,C,.., Z Brute force search Given ciphertext, just try all shifts of letters Do need to recognize when have plaintext E.g. break ciphertext QIIX QI MR QMEQM CEN-5079: 18.January.2018 8
Monoalphabetic Cipher Shuffle the letters arbitrarily Random permutation how many in total? Each plaintext letter maps to a different random ciphertext letter Key is 26 letters long Example: Plain: abcdefghijklmnopqrstuvwxyz Cipher: DKVQFIBJWPESCXHTMYAUOLRGZN Plaintext: ifwewishtoreplaceletters Ciphertext: WIRFRWAJUHYFTSDVFSFUUFYA CEN-5079: 18.January.2018 9
Monoalphabetic Cipher Security Key space increases from 25 (Caesar) to 26! = 4 x 10 26 (English) http://www.simonsingh.net/the_black_chamb er/generalsubstitutionwithmenu.html With so many keys, might think is secure But would be WRONG Problem is language characteristics CEN-5079: 18.January.2018 10
Language and Cryptanalysis Letters are not equally used In English E is by far the most common letter Other letters like Z,J,K,Q,X are fairly rare Build digrams Trigrams CEN-5079: 18.January.2018 11
Use In Cryptanalysis Monoalphabetic substitution ciphers do not change relative letter frequencies Discovered by Arabian scientists in 9 th century 1. Calculate letter frequencies for ciphertext 2. Compare counts against known values peaks at: A-E-I triple, NO pair, RST triple valeys at: JK, X-Z CEN-5079: 18.January.2018 12
Playfair Cipher Not even the large number of keys in a monoalphabetic cipher provides security Idea: encrypt multiple letters at a time Example: the Playfair Cipher Invented by Charles Wheatstone in 1854, but named after his friend Baron Playfair CEN-5079: 18.January.2018 13
Playfair Key Matrix 5X5 matrix of letters based on a keyword Fill in letters of keyword (without duplicates) Fill rest of matrix with other letters Example: using the keyword MONARCHY M O N A R C H Y B D E F G I/J K L P Q S T U V W X Z CEN-5079: 18.January.2018 14
Encrypting and Decrypting Plaintext is encrypted two letters at a time 1. If a pair is a repeated letter, insert filler like 'X 2. If both letters fall in the same row, replace each with letter to right (wrapping back to start from end) 3. If both letters fall in the same column, replace each with the letter below it (wrapping to top from bottom) 4. Otherwise each letter is replaced by the letter in the same row and in the column of the other letter of the pair CEN-5079: 18.January.2018 15
Security of Palyfair Security much improved over monoalphabetic Since we have 26 x 26 = 676 digrams Would need a 676 entry frequency table to analyse Versus 26 for a monoalphabetic And correspondingly more ciphertext Was widely used for many years E.g. by US & British military in WW1 It can be broken, given a few hundred letters Since still has much of plaintext structure CEN-5079: 18.January.2018 16
Classic Techniques Substitution Ciphers Cesar Cipher Monoalphabetic Ciphers Polyalphabetic Ciphers Vigenere Vernam One Time Pad Transposition Ciphers Product Ciphers CEN-5079: 18.January.2018 17
Polyalphabetic Ciphers Improve security using multiple cipher alphabets Flatten frequency distribution Use key to select which alphabet is used for each letter of the message Use each alphabet in turn Repeat from start after end of key is reached CEN-5079: 18.January.2018 18
Vigenere Ciphers Simplest polyalphabetic substitution cipher Effectively multiple Caesar ciphers Key is multiple letters long K = k 1 k 2... k m i th letter of key specifies i th alphabet to use Key k 1..k m C 1 =(P 1 +k 1 ) mod 26 Plaintext P 1, P 2...P n Succession of Caesar ciphers Ciphertext C 1, C 2...C n C m =(P m +k m ) mod 26 C m+1 =(P m+1 +k 1 ) mod 26 CEN-5079: 18.January.2018 19
Example: Vigenere Cipher Write the plaintext out Write the keyword repeated above it Use each key letter as a Caesar cipher key Encrypt the corresponding plaintext letter key #: 342415198214342415198214342415198214 key: deceptivedeceptivedeceptive plaintext: wearediscoveredsaveyourself ciphertext:zicvtwqngrzgvtwavzhcqyglmgj CEN-5079: 18.January.2018 20
Security of Vigenere Cipher Have multiple ciphertext letters for each plaintext letter Hence letter frequencies are obscured But not totally lost! CEN-5079: 18.January.2018 21
Kasiski Method Repetitions in ciphertext give clues to period Find same plaintext an exact period apart Which results in the same ciphertext key: deceptivedeceptivedeceptive plaintext: wearediscoveredsaveyourself ciphertext:zicvtwqngrzgvtwavzhcqyglmgj Suggests key size of 3 or 9 Then attack each monoalphabetic cipher individually using same techniques as before CEN-5079: 18.January.2018 22
Vernam Cipher Ultimate defense is to use a key as long as the plaintext With no statistical relationship to it Invented by AT&T engineer Gilbert Vernam in 1918 Originally proposed using a very long but eventually repeating key CEN-5079: 18.January.2018 23
Vernam Cipher Generalization of Vigenere Represent messages in binary format E.g., ASCII (google it): A = 10 (decimal) = 1010 (binary) Key has the same length as the cipertext key stream generator key stream generator Key Plaintext k i Ciphertext Key k i Plaintext P i C i Encryption Decryption P i CEN-5079: 18.January.2018 24
One Time Pad Vernam: the key was very long, but Repeatable One Time Pad: Generalization of Vernam The key is used ONLY ONCE! The only Perfect security cryptosystem Problems: Production of many random keys Distribution of random keys as long as the message CEN-5079: 18.January.2018 25
Classic Techniques Substitution Ciphers Cesar Cipher Monoalphabetic Ciphers Polyalphabetic Ciphers Vigenere Vernam One Time Pad Transposition Ciphers Product Ciphers CEN-5079: 18.January.2018 26
Transposition Ciphers Transposition or permutation ciphers Rearrange the letter order Without altering the actual letters used Easily recognizable Have the same frequency distribution as the original text CEN-5079: 18.January.2018 27
Rail Fence Cipher Write message letters over a number of rows Then read off cipher by column Example: write message out as: m e m a t r h t g p r y e t e f e t e o a a t Resulting ciphertext MEMATRHTGPRYETEFETEOAAT CEN-5079: 18.January.2018 28
Row Transposition Ciphers Write letters of message out in rows over a specified number of columns Then reorder the columns according to some key before reading off the rows Key: 4 3 1 2 5 6 7 a t t a c k p o s t p o n e d u n t i l t w o a m x y z Ciphertext: TTNAAPTMTSUOAODWCOIXKNLYPETZ CEN-5079: 18.January.2018 29
Product Ciphers Ciphers using substitutions or transpositions are not secure because of language characteristics Use several ciphers in succession to make harder: Two substitutions make a more complex substitution Two transpositions make more complex transposition Product cipher: a substitution followed by a transposition makes a new much harder cipher This is bridge from classical to modern ciphers CEN-5079: 18.January.2018 30
Rotor Machines Before modern ciphers, rotor machines were most common complex ciphers in use Widely used in WW II German Enigma, Allied Hagelin, Japanese Purple Implemented a very complex, varying substitution cipher Used a series of cylinders, each giving one substitution, which rotated and changed after each letter was encrypted With 3 cylinders have 26 3 =17576 alphabets CEN-5079: 18.January.2018 31
Hagelin Rotor Machine CEN-5079: 18.January.2018 32
Enigma Rotor Machine CEN-5079: 18.January.2018 33
Symmetric Ciphers Stream Ciphers Block Ciphers CEN-5079: 18.January.2018 34
Stream Ciphers Encrypt one bit (byte) at a time Example: Vigenere, Vernam Length of key = length of (clear/cipher) text Hard to share between sender and receiver Key (K) Bit-stream generator Bit-stream generator Key (K) Key k i Key k i Plaintext Ciphertext Plaintext P i C i P i Plaintext Plaintext CEN-5079: 18.January.2018 35
Block Ciphers Encrypt one block of text at a time 64-128 bit long Encryption key = Decryption key Shared by sender and receiver 64 bits Key (K) 64 bits Plaintext Encryption Algorithm Ciphertext CEN-5079: 18.January.2018 36
Block Cipher Principles n bit input to n bit output 2 n possible inputs Each must produce a unique ciphertext Otherwise encryption is not reversible No decryption possible CEN-5079: 18.January.2018 37
Ideal Block Cipher Need 2 n table to encrypt! CEN-5079: 18.January.2018 38
Data Encryption Standard (DES) Most widely used block cipher in world Adopted in 1977 by NBS (now NIST) As FIPS PUB 46 Encrypts 64-bit data using 56-bit key Has seen considerable controversy over its security CEN-5079: 18.January.2018 39
DES History IBM developed Lucifer cipher Team led by Feistel in late 60 s Used 64-bit data blocks with 128-bit key Redeveloped as a commercial cipher with input from NSA and others 1973: National Bureau of Standards (NBS) issued request for proposals for a national cipher standard IBM submitted their revised Lucifer which was eventually accepted as the DES CEN-5079: 18.January.2018 40
DES Controversy DES standard is public Considerable controversy over design Choice of 56-bit key (vs Lucifer 128-bit) Design criteria were classified Subsequent events and public analysis show in fact design was appropriate Use of DES has flourished Especially in financial applications Still standardised for legacy application use Replaced by AES CEN-5079: 18.January.2018 41
DES Encryption CEN-5079: 18.January.2018 42
Initial Permutation (IP) First step of the data computation IP reorders the input data bits Even bits to LH half, odd bits to RH half Quite regular in structure (easy in h/w) Example: IP(675a6967 5e5a6b5a) = (ffb2194d 004df6fb) CEN-5079: 18.January.2018 43
DES Round Structure Uses two 32-bit L & R halves Feistel cipher: L i = R i 1 R i = L i 1 F(R i 1, K i ) CEN-5079: 18.January.2018 44
Feistel Cipher Introduced by Horst Feistel 16 + 1 rounds Plaintext LE 0 RE 0 What is F? F K 1 LE 1 =RE 0 RE 1 L i = R i 1 R i = L i 1 F(R i 1, K i ) CEN-5079: 18.January.2018 45
Feistel Cipher Structure CEN-5079: 18.January.2018 46
DES Structure: Function F F takes 32-bit R half and 48-bit subkey: Expands R to 48-bits using perm E Adds to subkey using XOR 8 S-boxes to get 32-bit result Finally permutes using 32-bit perm P CEN-5079: 18.January.2018 47
Symmetric Key Crypto Symmetric Ciphers Multiple Encryption Modes of Operation CEN-5079: 18.January.2018 48
Multiple Encryption and DES Uses 56-bit keys to encrypt 64 bit blocks Differential cryptanalysis O(2 47 ) encryptions Linear cryptanalysis O(2 43 ) encryptions Can we make DES withstand attacks without changing its structure? Yes! CEN-5079: 18.January.2018 49
Double DES 2 DES with keys K 1 and K 2 : C = E K2 (E K1 (P)) K 1 K 2 P DES Encrypt X DES Encrypt C K2 K 1 DES Decrypt DES Decrypt C X P CEN-5079: 18.January.2018 50
2 DES: Meet-in-the-Middle 2 DES uses two keys: 56+56=112 bits Is the strength 2 56 of DES? NO!!!! Given P and C Encrypt P for all possible 2 56 values of K 1 Store in table T: pairs (K 1, E K1 (P)) Decrypt C for all possible 2 56 values of K 2 Search D K2 (C) in table T Success when E K1 (P) = D K2 (C) Attack takes O(2 56 ) steps similar to DES CEN-5079: 18.January.2018 51
Triple DES: Two Keys Must use 3 encryptions But can use 2 keys with E-D-E sequence C = E K1 (D K2 (E K1 (P))) If K 1 =K 2 then equivalent with single DES Standardized in ANSI X9.17 & ISO8732 No current known practical attacks Several proposed impractical attacks might become basis of future attacks CEN-5079: 18.January.2018 52
Triple DES: Three Keys Can use Triple-DES with Three-Keys to avoid even these C = E K3 (D K2 (E K1 (P))) Has been adopted by some Internet applications PGP, S/MIME CEN-5079: 18.January.2018 53
Symmetric Key Crypto Symmetric Ciphers Multiple Encryption Modes of Operation CEN-5079: 18.January.2018 54
Modes of Operation Block ciphers encrypt fixed size blocks DES encrypts 64-bit blocks with 56-bit key Need to encrypt and decrypt arbitrary amounts of data in practice NIST SP 800-38A defines 5 modes Electronic Code Book: ECB Cipher Block Chaining: CBC Cipher Feedback: CFB Output Feedback: OFB Counter Mode: CTR Can be used with any block cipher CEN-5079: 18.January.2018 55
Electronic Code Book (ECB) Split message into blocks of length b (e.g., 64 bits) Use the same key to encrypt each block Each block is mapped into a unique value like a codebook P 1 P s K DES Encrypt (s blocks) K DES Encrypt C 1 C s CEN-5079: 18.January.2018 56
ECB Decryption C 1 C s K DES Decrypt K (s blocks) DES Decrypt P 1 P s Weakness due to independent encryptions Same bit repeated each b positions Main use is sending a few blocks of data E.g., shared keys CEN-5079: 18.January.2018 57
Cipher Block Chaining (CBC) Use Initial Vector (IV) to start process Chain current cipher block into next encryption IV P 1 P 2 (s blocks) K DES Encrypt K DES Encrypt C 1 C 2 C 1 CEN-5079: 18.January.2018 58
CBC: Decryption C 1 C 2 C 1 (s blocks) K DES Decrypt K DES Decrypt IV P 1 P 2 CEN-5079: 18.January.2018 59
CBC Discussion Padding: Message length may not be divisible by b End of message must handle a possible last short block Random padding May require an extra entire block over those in message Need Initialization Vector (IV) Must be known to sender & receiver May be sent encrypted in ECB mode before rest of message CEN-5079: 18.January.2018 60
Stream Modes of Operation Block modes (ECB,CBC) encrypt entire block May need to operate on smaller units: Why? Real time data Convert block cipher into stream cipher Cipher feedback (CFB) mode Output feedback (OFB) mode Counter (CTR) mode CEN-5079: 18.January.2018 61
Cipher Feedback Mode (CFB) Message is treated as a stream of bits Take s bits at a time; s<b K IV (b bits) DES Encrypt K IV Shift s bits DES Encrypt (so on) s bits Discard s bits Discard P 1 (s) P 2 (s) C 1 C 2 CEN-5079: 18.January.2018 62
More on CFB Decryption similar Appropriate when data arrives in bits/bytes CEN-5079: 18.January.2018 63
Counter Mode (CTR) b is block size Counter 1 Counter 2 K Encrypt K Encrypt (so on) P 1 (b) P 2 (b) C 1 Counter 2 = Counter 1 +1,.., Counter n = Counter n-1 + 1 C 2 CEN-5079: 18.January.2018 64
CTR (cont d) The initial Counter 1 is random Decryption is identical to encryption Counter 1 must be known Counters should not be reused This includes across multiple messages CEN-5079: 18.January.2018 65
CTR Advantages Hardware/software efficient Can process blocks in parallel Preprocessing Precompute encryptions of counters Random access Can encrypt/decrypt any block CEN-5079: 18.January.2018 66
CTR Advantages (cont d) Provable security At least as secure as the other modes Simplicity Encryption = Decryption CEN-5079: 18.January.2018 67
Summary Symmetric Ciphers Multiple Encryption Cipher Modes of Operation CEN-5079: 18.January.2018 68