B) Symmetric Ciphers. B.a) Fundamentals B.b) Block Ciphers B.c) Stream Ciphers

Similar documents
Goals of Modern Cryptography

Private-Key Encryption

COMP4109 : Applied Cryptography

ISA 562: Information Security, Theory and Practice. Lecture 1

Foundations of Cryptology

Lecture IV : Cryptography, Fundamentals

Introduction. CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell

Computer Security CS 526

Information Security CS526

2 What does it mean that a crypto system is secure?

Cryptosystems. Truong Tuan Anh CSE-HCMUT

Lecture 02: Historical Encryption Schemes. Lecture 02: Historical Encryption Schemes

Chapter 3 Traditional Symmetric-Key Ciphers 3.1

CPSC 467: Cryptography and Computer Security

Classical Encryption Techniques. CSS 322 Security and Cryptography

Lecture 15: Public Key Encryption: I

CSC 474/574 Information Systems Security

Secret Key Algorithms (DES) Foundations of Cryptography - Secret Key pp. 1 / 34

Classical Encryption Techniques

Great Theoretical Ideas in Computer Science. Lecture 27: Cryptography

Syrvey on block ciphers

Introduction to Cryptography CS 136 Computer Security Peter Reiher October 9, 2014

Introduction to Cryptology. Lecture 2

Lecture 1: Perfect Security

Basic Concepts and Definitions. CSC/ECE 574 Computer and Network Security. Outline

Traditional Symmetric-Key Ciphers. A Biswas, IT, BESU Shibpur

1-7 Attacks on Cryptosystems

Secret Key Algorithms (DES)

Outline Basics of Data Encryption CS 239 Computer Security January 24, 2005

Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 24

Cryptography. Historical Encoding. Encryption Media. Intro to Encryption 8/24/2010. COMP620 Information Privacy & Security 1

CSCI 454/554 Computer and Network Security. Topic 2. Introduction to Cryptography

Cryptanalysis. Ed Crowley

Information Security CS526

CPSC 467b: Cryptography and Computer Security

RSA (material drawn from Avi Kak Lecture 12, Lecture Notes on "Computer and Network Security" Used in asymmetric crypto.

2/7/2013. CS 472 Network and System Security. Mohammad Almalag Lecture 2 January 22, Introduction To Cryptography

Applied Cryptography and Computer Security CSE 664 Spring 2018

Cryptography ThreeB. Ed Crowley. Fall 08

Understanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl

1 One-Time Pad. 1.1 One-Time Pad Definition

Outline. Cryptography. Encryption/Decryption. Basic Concepts and Definitions. Cryptography vs. Steganography. Cryptography: the art of secret writing

Cryptographic Primitives A brief introduction. Ragesh Jaiswal CSE, IIT Delhi

File and Disk Encryption

Math236 Discrete Maths with Applications

Block ciphers. CS 161: Computer Security Prof. Raluca Ada Popa. February 26, 2016

CPSC 467: Cryptography and Computer Security

Computational Security, Stream and Block Cipher Functions

Channel Coding and Cryptography Part II: Introduction to Cryptography

Cryptography CS 555. Topic 11: Encryption Modes and CCA Security. CS555 Spring 2012/Topic 11 1

CSC 474/574 Information Systems Security

Stream Ciphers. Çetin Kaya Koç Winter / 13

Modern Cryptography Activity 1: Caesar Ciphers

Elliptic Curve Cryptography

Understanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl

Cryptography. Dr. Michael Schneider Chapter 10: Pseudorandom Bit Generators and Stream Ciphers

Lecture 2. Cryptography: History + Simple Encryption,Methods & Preliminaries. Cryptography can be used at different levels

Cryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng

Block ciphers, stream ciphers

9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers

Introduction to Cryptology Dr. Sugata Gangopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Roorkee

Block Ciphers and Data Encryption Standard. CSS Security and Cryptography

Cryptography and Network Security 2. Symmetric Ciphers. Lectured by Nguyễn Đức Thái

Classical Cryptography

Cryptography. Lecture 03

CIS 4360 Introduction to Computer Security Fall WITH ANSWERS in bold. First Midterm

Cryptography. Summer Term 2010

Classical Cryptography. Thierry Sans

Introduction to Modern Cryptography. Lecture 2. Symmetric Encryption: Stream & Block Ciphers

Symmetric Key Algorithms. Definition. A symmetric key algorithm is an encryption algorithm where the same key is used for encrypting and decrypting.

CPSC 467b: Cryptography and Computer Security

CHAPTER 1 INTRODUCTION TO CRYPTOGRAPHY. Badran Awad Computer Department Palestine Technical college

Stream Ciphers. Koç ( ucsb ccs 130h explore crypto fall / 13

Elastic Block Ciphers: Method, Security and Instantiations

Cryptography Introduction to Computer Security. Chapter 8

Introduction to Cryptography and Security Mechanisms: Unit 5. Public-Key Encryption

CRYPTOLOGY KEY MANAGEMENT CRYPTOGRAPHY CRYPTANALYSIS. Cryptanalytic. Brute-Force. Ciphertext-only Known-plaintext Chosen-plaintext Chosen-ciphertext

Cryptography CS 555. Topic 8: Modes of Encryption, The Penguin and CCA security

Data Encryption Standard (DES)

2 Secure Communication in Private Key Setting

CPSC 467b: Cryptography and Computer Security

10.1 Introduction 10.2 Asymmetric-Key Cryptography Asymmetric-Key Cryptography 10.3 RSA Cryptosystem

A Chosen-key Distinguishing Attack on Phelix

Chapter 2: Classical Encryption Techniques

Practical Aspects of Modern Cryptography

Secret Key Cryptography

RSA. Public Key CryptoSystem

1 Achieving IND-CPA security

Multi-Level Encryption using SDES Key Generation Technique with Genetic Algorithm

CPSC 467: Cryptography and Computer Security

Differential Cryptanalysis

10/3/2017. Cryptography and Network Security. Sixth Edition by William Stallings

page 1 Introduction to Cryptography Benny Pinkas Lecture 3 November 18, 2008 Introduction to Cryptography, Benny Pinkas

EE 595 (PMP) Introduction to Security and Privacy Homework 1 Solutions

Information Systems Security

CHAPTER 6. SYMMETRIC CIPHERS C = E(K2, E(K1, P))

Introduction to Cryptography and Security Mechanisms. Abdul Hameed

A New Symmetric Key Algorithm for Modern Cryptography Rupesh Kumar 1 Sanjay Patel 2 Purushottam Patel 3 Rakesh Patel 4

Security Models: Proofs, Protocols and Certification

ENEE 457: Computer Systems Security 09/12/16. Lecture 4 Symmetric Key Encryption II: Security Definitions and Practical Constructions

Transcription:

1 B) Symmetric Ciphers B.a) Fundamentals B.b) Block Ciphers B.c) Stream Ciphers

B.a) Fundamentals 2

B.1 Definition 3 A mapping Enc: P K C for which ϕ k := Enc(,k): P C is bijective for each k K is called an encryption algorithm. The sets P, K and C are called P : plaintext space K : key space C : ciphertext space

B.1 (continued) 4 The mapping Enc(, ) induces a set {ϕ k : P C k K } of K bijections. Its elements are called encryption transformations. Consequently, there exists a further set of K bijections {ψ h : C P h K } with the property that for each k K there exists a unique h K so that the composition ψ h ϕ k equals the identity mapping on P. That is, ψ h (ϕ k (p)) = p for each p P. These bijections are called decryption transformations. For any fixed k K and any c C there exists a unique p P with Enc(p,k) = c. We define Dec(c,k):= p and call Dec(, ) the decryption algorithm. Alternatively, Dec may be denoted by Enc -1.

B.1 (continued) 5 The 5-tuple (P,K,C,{ϕ k : P C k K }, {ψ h : C P h K }) is called an encryption scheme (resp., a cipher).

B.3 Remark 6 In Definition B.1 more generality can be obtained if ϕ k := Enc(,k): P C is merely assumed to be injective for each k K, i.e. bijective onto its image ϕ k (P). An encryption algorithm Enc(, ) can alternatively be represented by the set of encryption transformations. Some authors denote the sets ( {ϕ k : P C k K }, {ψ h : C P h K }) an encryption scheme (resp., a cipher).

B.4 Definition 7 An encryption algorithm is called symmetric if decryption is computationally easy provided that the encryption key is known. In the notion of encryption and decryption transformations this is equivalent to saying that it is computationally easy to compute h = h(k) from k. Note: Otherwise we speak of asymmetric algorithms or public key cryptography ( Chapter C).

B.5 Example 8 Cesar s cipher: P = C = {A,B,,Z} K = {0,1,,25} shift the plaintext alphabet P cyclically by k positions to the left, substitute the plaintext letter by the ciphertext letter at the corresponding position. Note: Cesar s cipher is symmetric. Decrypting merely demands the rotation of the ciphertext alphabet by k positions to the right.

B.6 Definition 9 An adversary (attacker, enemy, eavesdropper) tries to defeat an information security service; e.g. he may try to find a key to decrypt a secret message. A passive adversary is an adversary who is capable only of reading information from an unsecured channel. An active adversary may also transmit, alter or delete information on an unsecured channel.

B.7 Typical Goals of a Potential Adversary 10 Find the decryption key k To given ciphertexts c 1,c 2,,c N find the corresponding plaintexts p 1,p 2,,p N. To given plaintexts p 1,p 2,,p N find the corresponding ciphertexts c 1,c 2,,c N. Note: For symmetric ciphers the first goal implies the second and the third. Depending on the concrete situation the second goal may be easier to achieve than the first.

B.8 Attacking Cesar s cipher 11 The adversary decrypts given ciphertext c 1,c 2,,c N with all 26 admissible keys. One key yields meaningful plaintext. This is the searched key. (The other keys give meaningless plaintexts.) Note: a) Because of its small key space it is very easy to break Cesar s cipher.

B.9 An Improved Variant of Cesar s Cipher 12 P = C = {A,B,,Z} K = {π π : P C is bijective} Enc(p, π):= π(p) Note: a) K = 26! 2 88 b) It is not practically feasible to check key by key. Question: Does this mean that the improved variant of Cesar s cipher is secure?

B.10 Attacking the Improved Variant of Cesar s Cipher 13 Unless it is very short the most frequent letter in a typical English text is E. Substitute the letter that occurs most frequently in the encrypted message by plaintext E. This reduces the size of the remaining key space by factor 26 from 26! to 25! Continue the attack. Try to substitute further (frequently occurring) letters of the encrypted message by probable plaintext letters If these substitutions were correct the attacker knows a fragment of the plaintext message. It should be possible to guess its complement, which is still unknown. Details: Blackboard Exercise: Perform this attack practically

B.11 Generic Design Criteria 14 The attacks from B.8 and B.10 suggest the following requirements: a) The key space K should be so large that an exhaustive key search (i.e. checking all keys) is not practically feasible ( B.8, attacking Cesar s cipher) b) The encryption algorithm shall not allow attacks that are essentially faster than exhaustive key search ( B.10, attacking an improved variant of Cesar s cipher) Note: It is easy to guarantee Requirement a) but usually it is much more difficult to decide whether b) is fulfilled. The assessment whether b) is fulfilled may vary in the course of the time ( new attacks)

B.12 Affine Encryption (I) 15 Identify {A,B,,Z} with the set Z 26 :={0,1,,25}. More precisely, identify the letter A with 0, the letter B with 1,, and Z with 25. Equip Z 26 with the addition and multiplication modulo 26. Then Z 26 is a ring. Select an integer m 1. Definition: GL(m,26) denotes the group of all (m m)-matrices over Z 26 Remark: M GL(m,26) iff (det(m) (mod 26)) Z 26 * iff gcd(det(m),26) = 1

B.12 Affine Encryption (II) 16 Substitute each letter of the plaintext by the respective element in Z 26 and group the plaintext into non-overlapping blocks of m consecutive numbers. Encryption of a block p: Enc(p,(A(k 1 ),k 2 )) := A(k 1 )p + k 2 (mod 26), i.e. P = C = Z 26 m K = GL(m,26) Z 26 m Decryption: Dec(c, (A(k 1 ),k 2 )) = A(k 1 ) -1 (c - k 2 ) (mod 26) Question: Is the affine cipher secure?

B.13 Attacking the Affine Cipher 17 Assumption: The attacker knows (plaintext, ciphertext) pairs (p 1,c 1 ),, (p m+1,c m+1 ) Goal: Find the key (A(k 1 ),k 2 ) Fact: If the column vectors p 1 -p m+1,,p m -p m+1 Z 26m form a matrix in GL(m,26) the key is uniquely determined. (Otherwise the attacker needs further (plaintext, ciphertext) pairs.) The attack requires the inversion of one matrix and one matrix multiplication in GL(m,26). Details: Blackboard

B.14 Types of Attacks (characterization with regard to the attacker s knowledge / abilities) 18 General assumption: The attacker knows the encryption algorithm. a) ciphertext-only attack: The attacker only knows some ciphertext. Example: B.8 (attacking Cesar s cipher), B.10 (attacking the improved variant of Cesar s cipher) b) known plaintext attack: The attacker knows some corresponding (plaintext, ciphertext) pairs (p 1,c 1 ),, (p N,c N ). Example: B.13 (attacking the affine cipher)

19 B.14 (continued) c) chosen plaintext attack: similar to a known plaintext attack but the attacker is able to select plaintexts p 1,p 2,, p N. A chosen-plaintext attack is called adaptive if the choice of p k+1 depends on (p 1,c 1 ),, (p k,c k ) for k = 1,2,, N-1. d) chosen ciphertext attack: pendant to a chosen plaintext attack where the attacker is able to select the ciphertext

20 B.15 Remark a) Ciphertext-only attacks are usually only successful against very weak ciphers, due to inappropriate conditions of use, security flaws in protocols etc. b) To perform a chosen plaintext attack (resp. a chosen ciphertext attack) the adversary must have access to the encryption device (e.g., a smart card or a server) at least for a period of time and the ability / permission to use it.

21 B.16 Unconditional Security An encryption algorithm Enc: P K C is said to be unconditionally secure (resp., perfectly secure) if the knowledge of the ciphertext gives an adversary with unlimited computational power no additional information on the plaintext. Note: This means Prob(plaintext=p ciphertext=c) = Prob(plaintext=p) for all (p,c) P C

B.17 Remark 22 Unconditional security is an very strong requirement. All the widespread algorithms are not unconditionally secure (cf. B.23)

23 B.18 Computational Security An encryption algorithm Enc: P K C is said to be computationally secure (resp., practically secure) if an attacker is not even able to perform the best currently known attack with non-negligible success probability since the perceived level of computation required to defeat it exceeds, by a comfortable security margin, the computational resources of the hypothesized adversary. Note: The statement may be restricted (e.g.: is computationally secure against known plaintext attacks ).

B.19 Further Notions of Security 24 complexity-based security provable security (cf. the Handbook of Applied Cryptography, for instance)

25 B.20 Remark a) The characterization of computational security is not precise in a mathematical sense. b) Problem / Difficulty: Designers and evaluators of encryption algorithms may overlook effective attacks. c) The assessment whether an encryption algorithm is viewed to be computationally secure usually changes in the course of the time.

26 B.20 (continued) d) Ideally, new algorithms should be evaluated by a large number of experts. At least all known types of attacks should be considered. e) Sometimes the resistance of an encryption algorithm against specific types of attacks can be proven in a strict sense.

B.21 Composition of Ciphers 27 Assume that Enc 1 : P K C and Enc 2 : C K* C* are encryption algorithms. The composition Enc 2 Enc 1 : P (K K*) C* is also an encryption algorithm. Notation: Enc 2 Enc 1 (p,(k,k*)) := Enc 2 (Enc 1 (p,k)),k*) Remark: In general, the composition Enc 2 Enc 1 is stronger than Enc 1 and Enc 2, respectively. Exercise: Show that the strength of the composition of two Cesar s ciphers, resp. of two improved Cesar s ciphers, does not exceed the strength of one cipher of the respective type.

B.22 Remark 28 When composing encryption algorithms one usually performs three instead of two consecutive encryptions. The reason will be explained in Section B.b.

B.23 One-time pad 29 plaintext p 1,p 2,,p N P = {0,1} key bits k 1,k 2,,k N {0,1}, i.e. K = {0,1} N Assumption / Mathematical model: The key bits k 1,k 2, are viewed as values that are taken on by independent random variables that are uniformly distributed on {0,1}. (The key bits might be generated by tossing a fair coin, for instance.)

30 B.23 (continued) Encryption: c j = p j k j (= p j + k j (mod 2)) for j=1,2,,n Decryption: p j = c j k j for j=1,2,,n Security: The knowledge of the ciphertext (c 1,c 2,,c N ) {0,1} N does not give any additional information on the corresponding plaintext: In fact, all keys are equally likely and to each plaintext p 1,p 2,,p N there exists exactly one key k {0,1} N with Dec(c 1,c 2,,c N, k ) = p 1, p 2,,p N. The one-time pad cipher is unconditionally secure against decryption attacks.

B.23 (continued) 31 Disadvantages / Problems: The key is as long as the plaintext. The key must not be used twice ( Exercises). Consistency demands unconditional secure key exchange (e.g. by a trustworthy courier). At least for open networks this is very inconvenient.

32 B.23 (continued) Note: The one-time pad does not ensure data integrity against active adversaries. Altering particular ciphertext bits results in wrong plaintext bits at these positions after decryption. If the attacker knows the structure of the plaintext (e.g., a bank transfer) he may alter particular bits hoping that these changes give a meaningful plaintext (e.g. another valid target account number). Example: Exercise

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback