Fundamentals
Assoc. Prof. Catalin Boja, Ph.D.
IT&C Security Master
catalin.boja@ie.ase.ro
www.ism.ase.ro
Course organization
• Activities: Course 70% + Laboratory 30%
• Language: English
Concepts
• Cryptography – the science of secret writing; the science of information security
• Cryptanalysis – the science of “breaking” ciphertexts without knowing the cipher key
• Cryptology – the mathematical field that studies the mathematical foundations of cryptography
Figure: encryption/decryption model
  Encryption and decryption functions (encipher/decipher): E( ) with the encryption key Ke, D( ) with the decryption key Kd
  C = E_Ke(M) – M (clear text / plaintext message) is encrypted into C (encrypted message – ciphertext), which is sent over the communication channel
  M = D_Kd(C) – the receiver decrypts C back into M
Figure: classification of cryptographic systems – Cryptographic System; Symmetric (DES, AES); Asymmetric (RSA); Transposition; Hash functions; Complex computational / Product; Stream ciphers; Block ciphers
Figure: Alice and Bob communicating over the Internet / communication channel
2009-2018 © ism.ase.ro Catalin Boja
Vulnerabilities
Active attacks (figures: Alice and Bob over the Internet / communication channel, with the attacker in between)
  - sending a message under another identity
  - replay: resending messages captured in an earlier session
  - tampering (Man-in-the-middle): modifying messages and resending them
Figure: Alice (source) and Bob (destination) with a trusted party – M is encrypted into C, C crosses the communication channel, and C is decrypted back into M
XOR logical function
• XOR function (exclusive or) – one of the most used functions in cryptographic systems
• Available in programming languages like C, C++ and Java, represented by the ^ operator
• Implements mod 2 addition

X   Y   X ⊕ Y
0   0   0
0   1   1
1   0   1
1   1   0
Figure: the source turns M into C using the key K; C travels over the public channel to the destination, which recovers M; K itself is delivered over a secure channel
a ≡ b (mod n)
Source: [7]
• Primality tests
• Factoring a composite number into primes
Entropy
• Measured by H = \sum_{i=1}^{n} p_i \log_2 \frac{1}{p_i}
P vs NP
Is P = NP?
Is NP = co-NP?
Figure: a random hardware/software event feeds a Random Number Generator, which in turn feeds a Pseudo-Random Number Generator
//C/C++
//prints 52 4 26 66 26 62 2 76 67 66.
//(the exact sequence depends on the C library's rand() implementation)
#include <stdio.h>
#include <stdlib.h>
int main(void) {
    srand(12366);                 // fixed seed: the same sequence on every run
    for (int i = 0; i < 10; i++) {
        int r = rand() % 100;     // rand() is a statistical, not a cryptographic, generator
        printf("%d ", r);
    }
    return 0;
}
Linear congruential generator
Recurrence relation: X_{n+1} = (a·X_n + c) mod m, giving the sequence {X_n}
Magic numbers: the constants a, c, m, chosen to obtain a maximal period generator
m          a
2^31       65539
2^31-1     16807
2^31-249   40692
2^31-1     48271
2^31-1     62089911
2^32       69069
2^48       31167285
2^64       6364136223846793005
[Knuth]
Overflow at   a       c        m
2^31          8121    28411    134456
2^31          4561    51349    243000
2^31          7141    54773    259200
2^32          9301    49297    233280
2^32          4096    150889   714025
2^33          2416    374441   1771875
2^34          17221   107839   510300
[3]
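The recurrence and the parameter tables above, worked through in code. This is an added example, not code from the course: it implements the generic LCG, measures the period of small parameter sets, and reproduces the Park-Miller generator (m = 2^31-1, a = 16807) from the first table, whose published self-test value from seed 1 is X(10000) = 1043618065.

```c
#include <stdint.h>
#include <stdio.h>

/* Linear congruential generator X(n+1) = (a*X(n) + c) mod m. The state is
   kept in 64-bit arithmetic so a*X(n) cannot overflow for 32-bit moduli. */
typedef struct { uint64_t a, c, m, x; } lcg_t;

static void lcg_seed(lcg_t *g, uint64_t a, uint64_t c, uint64_t m, uint64_t seed) {
    g->a = a; g->c = c; g->m = m; g->x = seed % m;
}

static uint64_t lcg_next(lcg_t *g) {
    g->x = (g->a * g->x + g->c) % g->m;
    return g->x;
}

/* Steps until the start state recurs (m + 1 if it never does). A maximal
   period generator returns m, or m - 1 when c == 0 and m is prime. */
static uint64_t lcg_period(uint64_t a, uint64_t c, uint64_t m, uint64_t seed) {
    lcg_t g; lcg_seed(&g, a, c, m, seed);
    uint64_t start = g.x, n = 0;
    do { lcg_next(&g); n++; } while (g.x != start && n <= m);
    return n;
}

/* n-th output of the Park-Miller generator (m = 2^31 - 1, a = 16807, c = 0)
   started from seed 1; the published check value is X(10000) = 1043618065. */
static uint64_t park_miller_nth(int n) {
    lcg_t g; lcg_seed(&g, 16807, 0, 2147483647ULL, 1);
    uint64_t x = 0;
    for (int i = 0; i < n; i++) x = lcg_next(&g);
    return x;
}

int main(void) {
    printf("Park-Miller: %llu %llu %llu ... X(10000) = %llu\n",
           (unsigned long long)park_miller_nth(1), (unsigned long long)park_miller_nth(2),
           (unsigned long long)park_miller_nth(3), (unsigned long long)park_miller_nth(10000));
    /* a = 5, c = 3, m = 16 satisfies the Hull-Dobell conditions: full period 16 */
    printf("period(a=5,c=3,m=16) = %llu\n", (unsigned long long)lcg_period(5, 3, 16, 0));
    /* a = 2, c = 0, m = 7: 2 is not a primitive root mod 7, so the period is only 3 */
    printf("period(a=2,c=0,m=7)  = %llu\n", (unsigned long long)lcg_period(2, 0, 7, 1));
    return 0;
}
```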
r'_n = t_1*r_1 + … + t_n*r_n
Linear feedback shift register generator - LFSR
Pseudo-Random Number Generator - PRNG
LFSR characteristics:
• simple feedback sequence
• an n-bit LFSR can have 2^n-1 internal states (depending on the tap sequence – a maximal period LFSR): the polynomial formed by the tap sequence plus the constant 1 must be a primitive polynomial mod 2 (ex. x^10 + x^3 + 1)
• stream ciphers have been built on LFSRs (ex. A5 for GSM) because they can be easily implemented in hardware
4-bit LFSR
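A 4-bit LFSR as in the figure, as an added example that is not part of the course material. It implements a Fibonacci LFSR for any feedback polynomial and counts the period, which shows the primitive-polynomial condition from the slide: x^4 + x^3 + 1 visits all 2^4-1 = 15 non-zero states, the non-primitive x^4 + x^2 + 1 = (x^2 + x + 1)^2 collapses to 6, and the slide's x^10 + x^3 + 1 reaches the full 1023.

```c
#include <stdint.h>
#include <stdio.h>

/* Fibonacci LFSR. poly is the feedback polynomial as a bit mask (bit i set
   means an x^i term, including x^n and the constant 1); n is the width. */
typedef struct { uint32_t state, taps; int n; } lfsr_t;

static void lfsr_init(lfsr_t *r, uint32_t poly, int n, uint32_t seed) {
    r->taps = 0;
    /* a term x^i taps the bit that is i positions away from the output end */
    for (int i = 1; i <= n; i++)
        if (poly & (1u << i)) r->taps |= 1u << (n - i);
    r->n = n;
    r->state = seed & ((1u << n) - 1);   /* the seed must be non-zero */
}

/* One shift: emit the low bit, feed the parity of the tapped bits in at the top. */
static int lfsr_step(lfsr_t *r) {
    int out = r->state & 1, fb = 0;
    for (uint32_t v = r->state & r->taps; v; v &= v - 1) fb ^= 1;
    r->state = (r->state >> 1) | ((uint32_t)fb << (r->n - 1));
    return out;
}

/* Steps until the initial state recurs: a maximal period LFSR (primitive
   feedback polynomial) returns 2^n - 1 from any non-zero seed. */
static uint32_t lfsr_period(uint32_t poly, int n, uint32_t seed) {
    lfsr_t r; lfsr_init(&r, poly, n, seed);
    uint32_t start = r.state, steps = 0;
    do { lfsr_step(&r); steps++; } while (r.state != start && steps < (1u << n));
    return steps;
}

int main(void) {
    printf("x^4+x^3+1  period: %u\n", lfsr_period(0x19, 4, 1));   /* 15 */
    printf("x^4+x^2+1  period: %u\n", lfsr_period(0x15, 4, 1));   /* 6  */
    printf("x^10+x^3+1 period: %u\n", lfsr_period(0x409, 10, 1)); /* 1023 */
    lfsr_t r; lfsr_init(&r, 0x19, 4, 1);
    printf("keystream bits: ");
    for (int i = 0; i < 15; i++) printf("%d", lfsr_step(&r));
    printf("\n");
    return 0;
}
```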
Figure: ANSI X9.17 PRNG – a 64-bit seed S_i and a counter (C+1) pass through EDE blocks (triple-DES encrypt-decrypt-encrypt) that produce the random output R_i and the next value V_{i+1}
Blum Blum Shub Generator – BBS
• One of the most used generators
• Highly secure – its security relies on the factorization problem
• Generates pseudo-random values of any length
• A cryptographically secure pseudorandom bit generator (CSPRBG) – it passes the next-bit test
[Microsoft]
Collisions exist, but they are difficult to find
http://en.wikipedia.org/wiki/Sponge_function
Sponge function
• The state memory is divided into two sections, R of size r bits and C of size c = b - r bits. The parameter r is called the bitrate and c the capacity.
• The padding function appends enough bits to the input string so that the length of the padded input is a whole multiple of the bitrate r. The padded input can thus be broken into r-bit blocks.
Figure: iterated hash construction – the state words A, B, C, D go through round 1, round 2, round 3, round 4 and are added (+) to the input state to produce the hash
Figure: one round step – the state words A, B, C, D are updated with a nonlinear function F, a message word M_j, a constant t_i and a left rotation by k bits (<<< k)
SHA-2 family (source: http://en.wikipedia.org/wiki/SHA-3)
Algorithm     Output (bits)  Internal state  Block (bits)  Max message  Rounds  Collision security (bits)
SHA-384       384            512 (8×64)      1024          2^128 − 1    80      192
SHA-512       512            512 (8×64)      1024          2^128 − 1    80      256
SHA-512/224   224            512 (8×64)      1024          2^128 − 1    80      112
SHA-512/256   256            512 (8×64)      1024          2^128 − 1    80      128
SHA-3
• a subset of the cryptographic primitive
family Keccak
• On October 2, 2012, Keccak was selected as the
winner of the NIST hash function competition
• is not meant to replace SHA-2, as no significant
attack on SHA-2 has been demonstrated
• may make it useful for so-called “embedded” or
smart devices
• SHA-3 uses the sponge construction
SHA-3 family – internal state 1600 bits (5×5×64), block size = rate r, 24 rounds, operations and, xor, not, rot, no maximum message size (∞)
Algorithm   Output (bits)   Rate r (bits)  Collision security (bits)
SHA3-224    224             1152           112
SHA3-256    256             1088           128
SHA3-384    384             832            192
SHA3-512    512             576            256
SHAKE128    d (arbitrary)   1344           min(d/2, 128)
SHAKE256    d (arbitrary)   1088           min(d/2, 256)
http://en.wikipedia.org/wiki/SHA-3
Figure: dictionary attack – the attacker tries candidate passwords against the accounts database (user + password) that Bob authenticates against
Figure: message authentication code – Alice (source) computes a tag over M and sends C+MAC across the communication channel; Bob (destination) recomputes the tag over M with the secret information used to verify the tag, which the attacker on the channel does not have
Figure: the user key is processed through a chain of functions F1, F2, …, Fn
http://en.wikipedia.org/wiki/Hash-based_message_authentication_code
where
H is a cryptographic hash function,
K is a secret key padded to the right with extra zeros to the input block size of the hash function, or the hash of the original key if it's longer than that block size,
m is the message to be authenticated,
| denotes concatenation, ⊕ denotes exclusive or (XOR),
opad is the outer padding (0x5c5c5c…5c5c, one-block-long hexadecimal constant),
and ipad is the inner padding (0x363636…3636, one-block-long hexadecimal constant).
Symmetric cryptographic systems
• the encryption key has the same value as the decryption one
• both source and destination know the key
Figure: Alice and Bob exchange messages over the Internet / communication channel
Transposition examples on the word CALCULATOR:
  written in two rows of five, CALCU / LATOR, and read column by column: CLAALTCOUR
  written as odd-position letters / even-position letters, CLUAO / ACLTR, and read row by row: CLUAOACLTR
Columnar transposition with the encryption key C A S A (column order 3 1 4 2):
  the plaintext CURS CRIPTOGRAFIE written under the key in rows of four and read out column by column in key order gives UROFSPRECCTARIGI
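The keyed columnar transposition from the slide, as an added example that is not part of the course material. Equal key letters are ranked left to right (so C A S A gives 3 1 4 2), the message length is assumed to be a multiple of the key length as on the slide, and the unkeyed CALCU / LATOR reading is the same cipher with a key whose letters are already in order.

```c
#include <stdio.h>
#include <string.h>

/* Fill order[] with the column indices in the order they are read out:
   alphabetical order of the key letters, ties resolved left to right. */
static void column_order(const char *key, int order[]) {
    int n = (int)strlen(key), used[64] = {0};
    for (int rank = 0; rank < n; rank++) {
        int best = -1;
        for (int j = 0; j < n; j++)
            if (!used[j] && (best < 0 || key[j] < key[best])) best = j;
        used[best] = 1;
        order[rank] = best;
    }
}

/* Write msg row by row under the key, read the columns in key order.
   out needs strlen(msg) + 1 bytes. */
static void transposition_encrypt(const char *key, const char *msg, char *out) {
    int cols = (int)strlen(key), rows = (int)strlen(msg) / cols, order[64], k = 0;
    column_order(key, order);
    for (int rank = 0; rank < cols; rank++)
        for (int r = 0; r < rows; r++)
            out[k++] = msg[r * cols + order[rank]];
    out[k] = '\0';
}

/* Decryption writes the ciphertext back into the columns in the same order. */
static void transposition_decrypt(const char *key, const char *ct, char *out) {
    int cols = (int)strlen(key), len = (int)strlen(ct), rows = len / cols, order[64], k = 0;
    column_order(key, order);
    for (int rank = 0; rank < cols; rank++)
        for (int r = 0; r < rows; r++)
            out[r * cols + order[rank]] = ct[k++];
    out[len] = '\0';
}

/* Returns 1 if msg encrypts to expect under key and decrypts back to msg. */
static int transposition_check(const char *key, const char *msg, const char *expect) {
    char ct[64], pt[64];
    transposition_encrypt(key, msg, ct);
    transposition_decrypt(key, ct, pt);
    return strcmp(ct, expect) == 0 && strcmp(pt, msg) == 0;
}

int main(void) {
    char ct[64];
    transposition_encrypt("CASA", "CURSCRIPTOGRAFIE", ct);
    printf("CURSCRIPTOGRAFIE -> %s\n", ct);            /* UROFSPRECCTARIGI */
    transposition_encrypt("ABCDE", "CALCULATOR", ct);  /* key already in order */
    printf("CALCULATOR -> %s\n", ct);                  /* CLAALTCOUR */
    return 0;
}
```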
Figure: monoalphabetic substitution – the alphabet ABC…XYZ is replaced by DEF…ABC (each letter shifted by 3), applied to the text CURS CRIPTOGRAFIE
Alphabet written in rows of five:
A B C D E
F G H I J
K L M N O
P Q R S T
U V W X Y
Z
Alphabet written in numbered rows:
1  A B C
2  D E F G H I J K
3  L M N O P Q R S T
4  U
5  V W X Y Z
6
Figure: simple S box – each input m1, m2, …, mn goes through a decimal/binary conversion, the S box, and a conversion back, producing the outputs c1, c2, …, cn
[7]
Product ciphers
• A product/generated algorithm (also called a product cipher) is a composition of t functions (ciphers) f1, f2, …, ft, where each fi can be a substitution or a permutation
• They are based on S-P box networks, the cryptogram being C = E_K(M) = S_t P_{t-1} … S_2 P_1 S_1(M), each S_i depending on a key k_i that is part of the cipher key K
[Source 7]
Claude Shannon and Substitution-Permutation Ciphers
• Claude Shannon introduced the idea of substitution-permutation (S-P) networks in a 1949 paper
• they form the basis of modern block ciphers
• S-P nets are based on the two primitive cryptographic operations seen before:
  – substitution (S-box)
  – permutation (P-box)
• they provide confusion & diffusion of message & key
Figure: Feistel network – one round takes (L_{i-1}, R_{i-1}) and the round key K and produces (L_i, R_i)
[Source 7 ]
Feistel Cipher Design Elements
• block size
• key size
• number of rounds
• subkey generation algorithm
• round function
• fast software en/decryption
• ease of analysis
Cipher types
• Cipher types:
  – block ciphering
  – stream ciphering
• They define ways of using symmetrical algorithms (which algorithm is used does not matter)
• They are simple because security is an attribute of the cipher and not of the way the ciphering scheme is applied
Figure: ECB – the plaintext (files, data structures or plaintexts) is split into 128-bit blocks B_i; each block goes through the symmetrical cryptographic system and the output block C_i is called ECB; the C_i form the encrypted texts
Figure: ECB – with an additional XOR of a block key K_i: C_i = Encryption(B_i XOR K_i)
Figure: the blocks M_1, M_2, …, M_{n-1}, M_n are each encrypted with the same key k into C_1, C_2, …, C_{n-1}, C_n
Block ciphering - Padding
• Bit padding – a single 1 bit is added, followed by the needed number of 0 bits
... | 1101 0100 0010 0010 1000 0000 |
is not reversible
https://en.wikipedia.org/wiki/Padding_(cryptography)
... | CC CC CC CC CC CC CC CC | CC CC 00 00 00 00 00 06 |
... | CC CC CC CC CC CC CC CC | CC CC 16 4F 5D A4 11 06 |
• PKCS7 - RFC 5652 - the value of each added byte is the number of bytes that are added
... | CC CC CC CC CC CC CC CC | CC CC 06 06 06 06 06 06 |
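PKCS7 padding and its removal, as an added example that is not part of the course material. It reproduces the slide's case (ten CC bytes padded to sixteen with six 06 bytes) and shows the two properties that make this scheme reversible where zero padding is not: a full block still gets a whole block of padding, and every pad byte is validated on removal.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* PKCS#7 (RFC 5652): append p bytes of value p, 1 <= p <= block size.
   buf must have room for len + block bytes; returns the padded length. */
static size_t pkcs7_pad(uint8_t *buf, size_t len, size_t block) {
    uint8_t p = (uint8_t)(block - (len % block));   /* 1..block, never 0 */
    memset(buf + len, p, p);
    return len + p;
}

/* Returns the unpadded length, or -1 for malformed padding. Every pad byte
   is checked, not only the last, and the loop does not exit early; a real
   decryptor must also report this failure no differently from any other
   decryption error, or it becomes a padding oracle. */
static long pkcs7_unpad(const uint8_t *buf, size_t len, size_t block) {
    if (len == 0 || len % block != 0) return -1;
    uint8_t p = buf[len - 1], bad = 0;
    if (p == 0 || p > block) return -1;
    for (size_t i = 0; i < p; i++) bad |= buf[len - 1 - i] ^ p;
    return bad ? -1 : (long)(len - p);
}

/* Self-check: the slide's 10 CC bytes with an 8-byte block become 16 bytes
   ending in six 06 bytes and unpad to 10; an altered pad byte is rejected;
   16 aligned bytes get a whole extra block of 08. Returns 1 if all hold. */
static int pkcs7_selfcheck(void) {
    uint8_t buf[32];
    memset(buf, 0xCC, 16);
    size_t n = pkcs7_pad(buf, 10, 8);
    if (n != 16 || buf[10] != 0x06 || buf[15] != 0x06) return 0;
    if (pkcs7_unpad(buf, n, 8) != 10) return 0;
    buf[12] = 0x05;                                 /* corrupt an inner pad byte */
    if (pkcs7_unpad(buf, n, 8) != -1) return 0;
    memset(buf, 0xCC, 16);
    n = pkcs7_pad(buf, 16, 8);
    return n == 24 && buf[23] == 0x08 && pkcs7_unpad(buf, n, 8) == 16;
}

int main(void) {
    uint8_t buf[16];
    memset(buf, 0xCC, 10);
    size_t n = pkcs7_pad(buf, 10, 8);
    for (size_t i = 0; i < n; i++) printf("%02X ", buf[i]);
    printf("\nunpadded length %ld, self-check %d\n", pkcs7_unpad(buf, n, 8), pkcs7_selfcheck());
    return 0;
}
```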
[3]
Figure: OFB (Output FeedBack) – the plaintext blocks B_i (files, data structures or plaintexts) are combined with the encrypted feedback value: C_i = B_i XOR E(R_i); the outputs C_i form the encrypted texts
Figure: CTR (Counter Mode) – the same combination, C_i = B_i XOR E(R_i), with R_i taken from a counter
Figure: sequential ciphering – a keystream generator on each side produces the same K_i; the sender combines the plaintext files with K_i into the ciphertext C_i, and the receiver combines C_i with K_i to recover the plaintext files
[Wiki]
Figure: stream cipher with an IV (the WEP scheme) – the message M and its checksum CRC(M) are encrypted with the keystream PRG(IV || K); K is the 104- or 40-bit key, the IV is 24 bits and increments for each message M
Complex ciphers (64-bit block ciphers, up to 1997):
• Lucifer (except 128 bits)
• DES – Data Encryption Standard
• IDEA – International Data Encryption Algorithm
• FEAL – Japanese Fast Data Encryption Algorithm
• LOKI – Australian symmetrical cipher
• RC2 – Rivest Cipher
IP – initial permutation (the output is split into L0 and R0):
58 50 42 34 26 18 10 2
60 52 44 36 28 20 12 4
62 54 46 38 30 22 14 6
64 56 48 40 32 24 16 8
57 49 41 33 25 17 9 1
59 51 43 35 27 19 11 3
61 53 45 37 29 21 13 5
63 55 47 39 31 23 15 7
Generic f function f(R,K)
E BIT-SELECTION TABLE (values in the figure)
P transformation:
16 7 20 21
29 12 28 17
1 15 23 26
5 18 31 10
2 8 24 14
32 27 3 9
19 13 30 6
22 11 4 25
DES
(Data Encryption Standard)
S-box lookup: input B – 6 bits – b1b2b3b4b5b6; output L – 4 bits – l1l2l3l4; L = S(B)
S1 (4-bit values v[i][j]):
14 4 13 1 2 15 11 8 3 10 6 12 5 9 0 7
0 15 7 4 14 2 13 1 10 6 12 11 9 5 3 8
4 1 14 8 13 6 2 11 15 12 9 7 3 10 5 0
15 12 8 2 4 9 1 7 5 11 3 14 10 0 6 13
L = v[i][j], where
i = (b1b6)_10 -> {0,1,2,3}
j = (b2b3b4b5)_10 -> {0, …, 15}
Boxes S DES.pdf
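The S1 lookup described above, as an added example that is not part of the course material: the table is typed in from the slide, the outer bits b1b6 select the row and the inner bits b2b3b4b5 the column, and a check confirms the property every DES S-box row has, namely that it is a permutation of 0..15.

```c
#include <stdio.h>
#include <stdint.h>

/* DES S-box S1 as printed on the slide: 4 rows x 16 columns of 4-bit values. */
static const uint8_t S1[4][16] = {
    {14, 4,13, 1, 2,15,11, 8, 3,10, 6,12, 5, 9, 0, 7},
    { 0,15, 7, 4,14, 2,13, 1,10, 6,12,11, 9, 5, 3, 8},
    { 4, 1,14, 8,13, 6, 2,11,15,12, 9, 7, 3,10, 5, 0},
    {15,12, 8, 2, 4, 9, 1, 7, 5,11, 3,14,10, 0, 6,13},
};

/* Substitute a 6-bit input b1..b6 (b1 is the most significant bit):
   row i = (b1b6) in decimal, column j = (b2b3b4b5) in decimal. */
static uint8_t sbox_lookup(const uint8_t box[4][16], uint8_t b) {
    b &= 0x3F;
    int row = (((b >> 5) & 1) << 1) | (b & 1);
    int col = (b >> 1) & 0xF;
    return box[row][col];
}

/* Each row of a DES S-box is a bijection on 4 bits: the 16 entries of a
   row are a permutation of 0..15. Returns 1 if that holds for box. */
static int sbox_rows_are_permutations(const uint8_t box[4][16]) {
    for (int r = 0; r < 4; r++) {
        int seen = 0;
        for (int c = 0; c < 16; c++) seen |= 1 << box[r][c];
        if (seen != 0xFFFF) return 0;
    }
    return 1;
}

int main(void) {
    uint8_t inputs[] = {0x00, 0x3F, 0x19};   /* 000000, 111111, 011001 */
    for (int i = 0; i < 3; i++)
        printf("S1(%02X) = %u\n", inputs[i], sbox_lookup(S1, inputs[i]));
    printf("rows are permutations: %d\n", sbox_rows_are_permutations(S1));
    return 0;
}
```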
16 keys of 48 bits
Key permutation producing the halves C0 and D0:
C0:
57 49 41 33 25 17 9
1 58 50 42 34 26 18
10 2 59 51 43 35 27
19 11 3 60 52 44 36
D0:
63 55 47 39 31 23 15
7 62 54 46 38 30 22
14 6 61 53 45 37 29
21 13 5 28 20 12 4
Selection of the 48 round-key bits:
14 17 11 24 1 5
3 28 15 6 21 10
23 19 12 4 26 8
16 7 27 20 13 2
41 52 31 37 47 55
30 40 51 45 33 48
44 49 39 56 34 53
46 42 50 36 29 32
IP-1 – inverse initial permutation (64 bits – cipher block):
40 8 48 16 56 24 64 32
39 7 47 15 55 23 63 31
38 6 46 14 54 22 62 30
37 5 45 13 53 21 61 29
36 4 44 12 52 20 60 28
35 3 43 11 51 19 59 27
34 2 42 10 50 18 58 26
33 1 41 9 49 17 57 25
Rijndael Round
AES – Rijndael (Advanced Encryption Standard)
Implementation:
• an initial round that applies the user's key (Round Key Addition)
• Nr-1 rounds (Nr is 10, 12 or 14 rounds depending on the key size)
• a final round
Figure: the state is a 4×Nb array of bytes a_{r,c}, filled column by column from the input bytes i = 0 … 4*Nb-1: a_{0,0} a_{1,0} a_{2,0} a_{3,0} a_{0,1} … a_{2,5} a_{3,5}
Key Expansion: the current key (4*Nb*8 bits) is expanded into the word array W[Nb*(Nr+1)]; Round Key Selection takes Nr + 1 round keys from it (number of keys = number of rounds + 1)
Figure: key management – key generation, key distribution, key storage
Asymmetric encryption systems
• 1976 – the idea of a public key encryption system, Diffie and Hellman (key distribution design)
• Probably the most significant advance in the 3000-year history of cryptography
• Use distinct keys for encryption and decryption (but dependent on each other)
• It is computationally infeasible to extract one key from the other
• One of the keys is made public, being available to everyone wishing to send an encrypted message
• The receiver, owning the 2nd key, can decrypt and use the message
• The public key technique is also used in digital (electronic) signatures
Figure: public key usage – confidentiality: A → B; authentication & confidentiality: A applies its own key and then B's, and B reverses with its own key and then A's
= M bmod n = M1 mod n = M
Figure: Alice encrypts M into C (ENCRYPTION), C crosses the Internet / communication channel, and Bob decrypts C back into M (DECRYPTION)
Key size                     Number of keys       Time at 1 decryption/µs         Time at 10^6 decryptions/µs
168 bits                     2^168 = 3.7·10^50    2^167 µs = 5.9·10^36 years      5.9·10^30 years
26 characters (permutation)  26! = 4·10^26        2·10^26 µs = 6.4·10^12 years    6.4·10^6 years
Source [7]
Don’t be naive.
Remember
Entropy ?
www.ism.ase.ro
https://www.betterbuys.com/estimating-password-cracking-times/
Cryptanalysis
Dictionary attack:
• the attacker uses a dictionary of common keys
• based on common names, places, famous people, cartoon characters, locations and names from movies, books, mythology, sports
• works better against a file of keys
• based on a preliminary analysis of the target
Most common 4-digit PINs:
Rank  PIN   Frequency
#1    1234  10.713%
#2    1111  6.016%
#3    0000  1.881%
#4    1212  1.197%
#5    7777  0.745%
#6    1004  0.616%
#7    2000  0.613%
#8    4444  0.526%
#9    2222  0.516%
http://www.datagenetics.com/blog/september32012/
Figure: letter frequency in the English language