
Goals of this lecture:

to introduce basic concepts & terminology of encryption to prepare us for studying modern cryptography

SCYTALE is an example of a really old tech that was used to cipher (encrypt) information.

The concept of operation is so simple: get a long strip of leather and wind it over a rod like the picture, write the clear data on the leather over the rod and then unwind it.

HELP ME I AM UNDER ATTACK will be "HENTEIDTLAEAPMRCMUAK", and it totally depends on the diameter of the rod, which is the key to decipher the message.

Plaintext: original message to be encrypted

Ciphertext: the encrypted message

Enciphering or encryption: the process of converting plaintext into ciphertext

Encryption algorithm: performs encryption

o Two inputs: a plaintext and a secret key


Deciphering or decryption: recovering plaintext from ciphertext

Decryption algorithm: performs decryption

o Two inputs: ciphertext and secret key

Secret key: same key used for encryption and decryption

o Also referred to as a symmetric key


Cipher or cryptographic system: a scheme for encryption and decryption

Cryptography: science of studying ciphers

Cryptanalysis: science of studying attacks against cryptographic systems

Cryptology: cryptography + cryptanalysis


Symmetric cipher: same key used for encryption and decryption

o Block cipher: encrypts a block of plaintext at a time (typically 64 or 128 bits)

o Stream cipher: encrypts data one bit or one byte at a time

Asymmetric cipher: different keys used for encryption and decryption

or conventional / secret-key / single-key

sender and recipient share a common key

all classical encryption algorithms are symmetric

The only type of ciphers prior to the invention of asymmetric-key ciphers in the 1970s

by far most widely used

Goal: Confidentiality

[Figure: Alice sends Bob the message “My account number is 485853 and my PIN is 4984”; Eve is listening on the channel]

Message “sent in clear”: Eve can overhear

Encryption: unintelligible to Eve; only Bob can decipher with his secret key (shared w/ Alice)

Notations mathematically:

Y = E_K(X) or Y = E(K, X)

X = D_K(Y) or X = D(K, Y)

X = plaintext
Y = ciphertext
K = secret key

E = encryption algorithm
D = decryption algorithm
D is the inverse of E

Both E and D are known to the public

[Figure: Alice encrypts M with E_K1(M) to produce C; Bob decrypts C with D_K2(C) to recover M]

M – message
K1 – encryption key
E_K1(M) – message M is encrypted using key K1
C – ciphertext
K2 – decryption key
D_K2(C) – ciphertext C is decrypted using key K2

If K1 = K2 this is symmetric (secret key) encryption

If K1 ≠ K2 this is asymmetric (public key) encryption

Alice encrypts (algorithm F) a message (m) with the same key (k) that Bob uses to decrypt.

Alice:
1. Construct m
2. Compute c = F(m, k)
3. Send c to Bob

Bob:
5. Compute d = F^-1(c, k)
6. m = d

Eve can see c, but cannot compute m because k is only known to Alice and Bob

Objective: to recover the plaintext of a ciphertext or, more typically, to recover the secret key.

Kerckhoffs’s principle: the adversary knows all details about a cryptosystem except the secret key.

Two general approaches:

o brute-force attack
o non-brute-force attack (cryptanalytic attack)

Try every key to decipher the ciphertext.

On average, need to try half of all possible keys

Time needed proportional to size of key space

Key Size (bits) | Number of Alternative Keys | Time required at 1 decryption/µs | Time required at 10^6 decryptions/µs
32 | 2^32 = 4.3 × 10^9 | 2^31 µs = 35.8 minutes | 2.15 milliseconds
56 | 2^56 = 7.2 × 10^16 | 2^55 µs = 1142 years | 10.01 hours
128 | 2^128 = 3.4 × 10^38 | 2^127 µs = 5.4 × 10^24 years | 5.4 × 10^18 years
168 | 2^168 = 3.7 × 10^50 | 2^167 µs = 5.9 × 10^36 years | 5.9 × 10^30 years
26 characters (permutation) | 26! = 4 × 10^26 | 2 × 10^26 µs = 6.4 × 10^12 years | 6.4 × 10^6 years

May be classified by how much information is needed by the attacker:

o Ciphertext-only attack
o Known-plaintext attack
o Chosen-plaintext attack
o Chosen-ciphertext attack

Given: a ciphertext c

Q: what is the plaintext m?

An encryption scheme is completely insecure if it cannot resist ciphertext-only attacks.

[Figure: Alice computes C = E_K(M) and sends C to Bob, who recovers M = D_K(C); Eve observes C]

Ciphertext-only attack:

Eve can gather and analyze C’s to learn K

How does Eve know she got the right key?

Eve has to have enough ciphertext

Given: (m_1, c_1), (m_2, c_2), …, (m_k, c_k) and a new ciphertext c.

Q: what is the plaintext of new ciphertext c?

Q: what is the secret key in use?

[Figure: Alice computes C = E_K(M) and sends C to Bob, who recovers M = D_K(C); Eve observes C and knows M]

Known-plaintext attack:

Eve can attempt to learn K by observing many ciphertexts C for known messages M

How does Eve obtain the plaintext?

Given: (m_1, c_1), (m_2, c_2), …, (m_k, c_k), where m_1, m_2, …, m_k are chosen by the adversary; and a new ciphertext c.

Q: what is the plaintext of c, or what is the secret key?

[Figure: Alice computes C = E_K(M) and sends C to Bob, who recovers M = D_K(C); Mallory supplies M and observes C]

Chosen-plaintext attack:

Mallory can feed chosen messages M into encryption algorithm and look at resulting ciphertexts C.

Learn either K or messages M that produce C.

Assumption is that extremely few messages M can produce same C.

In 1942, US Navy cryptanalysts discovered that Japan was planning an attack on “AF.”

They believed that “AF” means Midway island. Pentagon didn’t think so.

US forces in Midway sent a plain message that their freshwater supplies were low.

Shortly, US intercepted a Japanese ciphertext saying that “AF” was low on water.

This proved that “AF” is Midway.

Given: (m_1, c_1), (m_2, c_2), …, (m_k, c_k), where c_1, c_2, …, c_k are chosen by the adversary; and a new ciphertext c.

Q: what is the plaintext of c, or what is the secret key?

[Figure: Alice computes C = E_K(M) and sends C to Bob, who recovers M = D_K(C); Mallory sits between Alice and Bob]

Man-in-the-middle attack:

o Mallory can substitute messages
o Mallory can modify messages
  o So that they have different meaning
  o So that they are scrambled
o Mallory can drop messages
o Mallory can replay messages to Alice, Bob or the third party
[Figure: Alice computes C = E_K(M) and sends C to Bob, who recovers M = D_K(C); Eve observes C and tries keys k]

Brute-force attack:

Eve has caught a ciphertext and will try every possible key to try to decrypt it.

This can be made practically infeasible by choosing a large keyspace.

Plaintext is viewed as a sequence of elements (e.g., bits or characters)

Substitution cipher: replacing each element of the plaintext with another element.

Transposition (or permutation) cipher: rearranging the order of the elements of the plaintext.

Product cipher: using multiple stages of substitutions and transpositions

Substitution

o Goal: obscure relationship between plaintext and ciphertext
o Substitute parts of plaintext with parts of ciphertext

Transposition (shuffling)

o Goal: dissipate redundancy of the plaintext by spreading it over ciphertext
o This way changing one bit of plaintext affects many bits of the ciphertext (if we have rounds of encryption)

Earliest known substitution cipher

Invented by Julius Caesar

Each letter is replaced by the letter K positions further down the alphabet. (e.g. K=3)

Plain:  a b c d e f g h i j k l m n o p q r s t u v w x y z
Cipher: D E F G H I J K L M N O P Q R S T U V W X Y Z A B C

Example: ohio state → RKLR VWDWH

HELLO becomes KHOOR

Mathematically, map letters to numbers:

a, b, c, …, x, y, z
0, 1, 2, …, 23, 24, 25

Then the general Caesar cipher is:

c = E_K(p) = (p + k) mod 26
p = D_K(c) = (c − k) mod 26

Can be generalized with any alphabet.

Key space: {0, 1, …, 25}

Instead of using number k=3 we could use k ∈ [1,25]. k would be our key

How can we break this cipher?

o Vulnerable to brute-force attacks.

E.g., break ciphertext “UNOU YZGZK”

Need to recognize the plaintext when we have it

What if the plaintext is written in Swahili?

We can also choose a mapping for each letter (A to Z): for example, (H is A, E is M, L is K, O is Y).

This mapping would be our key. This is a monoalphabetic cipher.

o HELLO becomes AMKKY

Monoalphabetic: each character is replaced with another character

How can we break this cipher?

Frequency of symbols stays the same and can be used to break the cipher

Shuffle the letters and map each plaintext letter to a different random ciphertext letter:

Plain letters:  abcdefghijklmnopqrstuvwxyz
Cipher letters: DKVQFIBJWPESCXHTMYAUOLRGZN

Plaintext:  ifwewishtoreplaceletters
Ciphertext: WIRFRWAJUHYFTSDVFSFUUFYA

What does a key look like?

Now we have a total of 26! = 4 x 10^26 keys.

With so many keys, it is secure against brute-force attacks.

But not secure against some cryptanalytic attacks.

Problem is language characteristics.


Human languages are not random.

Letters are not equally frequently used.

In English, E is by far the most common letter, followed by T, R, N, I, O, A, S.

Other letters like Z, J, K, Q, X are fairly rare.

There are tables of single, double & triple letter frequencies for various languages

In decreasing order of frequency

Double letters: th he an in er re es on, …

Triple letters: the and ent ion tio for nde, …

Key concept:

o monoalphabetic substitution does not change relative letter frequencies

To attack, we

o calculate letter frequencies for ciphertext
o compare this distribution against the known one

Given ciphertext:

UZQSOVUOHXMOPVGPOZPEVSGZWSZOPFPESXUDBMETSXAIZ

VUEPHZHMDZSHZOWSFPAPPDTSVPQUZWYMXUZUHSX

EPYEPOPDZSZUFPOMBZWPFUPZHMDJUDTMOHMQ

Count relative letter frequencies (see next page)

Guess {P, Z} = {e, t}

Of double letters, ZW has highest frequency, so guess ZW = th and hence ZWP = the

Proceeding with trial and error finally get:

it was disclosed yesterday that several informal but direct contacts have been made with political representatives of the viet cong in moscow

P 13.33   H 5.83   F 3.33   B 1.67   C 0.00
Z 11.67   D 5.00   W 3.33   G 1.67   K 0.00
S  8.33   E 5.00   Q 2.50   Y 1.67   L 0.00
U  8.33   V 4.17   T 2.50   I 0.83   N 0.00
O  7.50   X 4.17   A 1.67   J 0.83   R 0.00
M  6.67

Not even the large number of keys in a monoalphabetic cipher provides security.

One approach to improving security is to encrypt multiple letters at a time.

The Playfair Cipher is the best known such cipher.

Invented by Charles Wheatstone in 1854, but named after his friend Baron Playfair.


Use a 5 x 5 matrix. Fill in letters of the key (w/o duplicates). Fill the rest of matrix with other letters. E.g., key = MONARCHY.

M O N A R
C H Y B D
E F G I/J K
L P Q S T
U V W X Z

Plaintext is encrypted two letters at a time.

1. If a pair is a repeated letter, insert filler like 'X'.

2. If both letters fall in the same row, replace each with the letter to its right (circularly).

3. If both letters fall in the same column, replace each with the letter below it (circularly).

4. Otherwise, each letter is replaced by the letter in the same row but in the column of the other letter of the pair.

Equivalent to a monoalphabetic cipher with an alphabet of 26 x 26 = 676 characters.

Security is much improved over the simple monoalphabetic cipher.

Was widely used for many decades

o e.g. by US & British military in WW1 and early WW2

Once thought to be unbreakable.

Actually, it can be broken, because it still leaves some structure of plaintext intact.


Keyword “Infosec”

I/J N F O S
E C A B D
G H K L M
P Q R T U
V W X Y Z

Rules recall:

o Group plaintext letters two at a time

o Separate repeating letters with an x

o Take a pair of letters from plaintext

o Plaintext letters in the same row are replaced by letters to the right (cyclic manner)

o Plaintext letters in the same column are replaced by letters below (cyclic manner)

o Plaintext letters in different row and column are replaced by the letter in the row corresponding to the column of the other letter and vice versa


E.g., Plaintext: “CRYPTO IS TOO EASY”

Keyword is “INFOSEC”

Grouped text: CR YP TO IS TO XO EA SY

Ciphertext: AQ VT YB NI YB YF CB OZ

To decrypt, the receiver reconstructs the 5 x 5 matrix using the keyword and then uses the same rules as for encryption
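An added example (not part of the original slides) that builds the 5 x 5 matrix from a keyword and applies the row, column and rectangle rules, checked against the CRYPTO IS TOO EASY example. It follows that example's convention of separating every doubled letter with X before grouping, which is why TOO becomes TO XO; the function names are assumptions of this example.

```python
def build_matrix(keyword):
    """5x5 Playfair square as a 25-letter string; J is merged into I."""
    seen = []
    for ch in keyword.upper() + "ABCDEFGHIKLMNOPQRSTUVWXYZ":
        ch = "I" if ch == "J" else ch
        if "A" <= ch <= "Z" and ch not in seen:
            seen.append(ch)
    return "".join(seen)


def make_pairs(plaintext, filler="X"):
    """Separate doubled letters with the filler, then group two at a time."""
    spaced = []
    for c in plaintext.upper():
        if not "A" <= c <= "Z":
            continue
        c = "I" if c == "J" else c
        if spaced and spaced[-1] == c:
            spaced.append(filler)
        spaced.append(c)
    if len(spaced) % 2:               # odd length: pad the last pair
        spaced.append(filler)
    return ["".join(spaced[i:i + 2]) for i in range(0, len(spaced), 2)]


def crypt_pair(matrix, pair, step):
    """step=+1 encrypts, step=-1 decrypts; rows and columns wrap around."""
    (ra, ca), (rb, cb) = (divmod(matrix.index(c), 5) for c in pair)
    if ra == rb:      # same row: move along the row
        return matrix[ra * 5 + (ca + step) % 5] + matrix[rb * 5 + (cb + step) % 5]
    if ca == cb:      # same column: move along the column
        return matrix[((ra + step) % 5) * 5 + ca] + matrix[((rb + step) % 5) * 5 + cb]
    # rectangle: keep the row, take the column of the other letter
    return matrix[ra * 5 + cb] + matrix[rb * 5 + ca]


def encrypt(keyword, plaintext):
    m = build_matrix(keyword)
    return " ".join(crypt_pair(m, p, +1) for p in make_pairs(plaintext))


def decrypt(keyword, ciphertext):
    m = build_matrix(keyword)
    letters = [c for c in ciphertext.upper() if "A" <= c <= "Z"]
    pairs = ["".join(letters[i:i + 2]) for i in range(0, len(letters), 2)]
    return " ".join(crypt_pair(m, p, -1) for p in pairs)


if __name__ == "__main__":
    print(encrypt("INFOSEC", "CRYPTO IS TOO EASY"))
```

Decryption returns the grouped text with the filler X still in place; removing it is left to the reader of the message.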

A sequence of monoalphabetic ciphers (M_1, M_2, M_3, …, M_k) is used in turn to encrypt letters.

A key determines which sequence of ciphers to use.

Each plaintext letter has multiple corresponding ciphertext letters.

This makes cryptanalysis harder since the letter frequency distribution will be flatter.

Simplest and most common polyalphabetic substitution cipher

Consider the set of all Caesar ciphers: { C_a, C_b, C_c, …, C_z }

Key: e.g. security

Encrypt each letter using C_s, C_e, C_c, C_u, C_r, C_i, C_t, C_y in turn.

Repeat from start after C_y.

Decryption simply works in reverse.

E.g., Message = SEE ME IN MALL

Take keyword as INFOSEC

Vigenère cipher works as follows:

S E E M E I N M A L L
I N F O S E C I N F O
---------------------
A R J A W M P U N Q Z

To decrypt, the receiver places the keyword characters below each ciphertext character

Using the table, choose the row corresponding to the keyword character and look for the ciphertext character in that row

Plaintext character is then at the top of that column


Decryption of ciphertext:

A R J A W M P U N Q Z
I N F O S E C I N F O
---------------------
S E E M E I N M A L L

Best feature is that same plaintext character is substituted by different ciphertext characters (i.e., polyalphabetic)

Keyword: deceptive

key:        deceptivedeceptivedeceptive
plaintext:  wearediscoveredsaveyourself
ciphertext: ZICVTWQNGRZGVTWAVZHCQYGLMGJ

There are multiple (how many?) ciphertext letters corresponding to each plaintext letter.

So, letter frequencies are obscured but not totally lost.

To break Vigenere cipher:

1. Try to guess the key length. How?

2. If key length is N, the cipher consists of N Caesar ciphers. Plaintext letters at positions k, N+k, 2N+k, 3N+k, etc., are encoded by the same cipher.

3. Attack each individual cipher as before.

Main idea: Plaintext words separated by multiples of the key length are encoded in the same way.

In our example, if plaintext = “…thexxxxxxthe…” then “the” will be encrypted to the same ciphertext words.

So look at the ciphertext for repeated patterns.

E.g. repeated “VTW” in the previous example suggests a key length of 3 or 9:

ciphertext: ZICVTWQNGRZGVTWAVZHCQYGLMGJ

Of course, the repetition could be a random fluke.
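The Vigenère examples and the key-length guess from repeated patterns, as an added example that is not part of the original lecture. It encrypts with the slide keywords, finds the repeated “VTW”, derives the candidate key lengths from the distance between the repeats, and splits the ciphertext into the per-key-letter Caesar ciphers; the function names are assumptions of this example.

```python
from collections import defaultdict
from functools import reduce
from math import gcd


def vigenere(text, key, decrypt=False):
    """Apply to each letter the Caesar cipher selected by the next key letter."""
    out, i = [], 0
    for ch in text.upper():
        if "A" <= ch <= "Z":
            shift = ord(key[i % len(key)].upper()) - 65
            if decrypt:
                shift = -shift
            out.append(chr((ord(ch) - 65 + shift) % 26 + 65))
            i += 1
    return "".join(out)


def repeated_sequences(ciphertext, length=3):
    """Map each repeated substring of the given length to its start positions."""
    positions = defaultdict(list)
    for i in range(len(ciphertext) - length + 1):
        positions[ciphertext[i:i + length]].append(i)
    return {seq: pos for seq, pos in positions.items() if len(pos) > 1}


def candidate_key_lengths(ciphertext, length=3):
    """Divisors (>1) of the gcd of the distances between repeats.

    A chance repetition can pull the gcd down to 1, giving no candidates.
    """
    distances = [b - a
                 for pos in repeated_sequences(ciphertext, length).values()
                 for a, b in zip(pos, pos[1:])]
    if not distances:
        return []
    g = reduce(gcd, distances)
    return [n for n in range(2, g + 1) if g % n == 0]


def split_columns(ciphertext, n):
    """Letters at positions k, N+k, 2N+k, ... form one Caesar cipher each."""
    return [ciphertext[k::n] for k in range(n)]


if __name__ == "__main__":
    ct = vigenere("wearediscoveredsaveyourself", "deceptive")
    print(ct, repeated_sequences(ct), candidate_key_lengths(ct))
    print(split_columns(ct, 9))
```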

Before modern ciphers, rotor machines were the most common complex ciphers in use.

Widely used in WW2.

Used a series of rotating cylinders.

Implemented a polyalphabetic substitution cipher of period K.

With 3 cylinders, K = 26^3 = 17,576.

With 5 cylinders, K = 26^5 = 12 x 10^6.

What is a key?

o If the adversary has a machine
o If the adversary doesn’t have a machine

Also called permutation ciphers.

Shuffle the plaintext, without altering the actual letters used.

Example: Row Transposition Ciphers

Plaintext is written row by row in a rectangle.

Ciphertext: write out the columns in an order specified by a key.

Key: 3 4 2 1 5 6 7

Plaintext:
a t t a c k p
o s t p o n e
d u n t i l t
w o a m x y z

Ciphertext: TTNAAPTMTSUOAODWCOIXKNLYPETZ
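The row transposition example above in code, as an added example that is not part of the original lecture. The key is read as the order in which the columns are written out (column 3 first, then 4, 2, 1, 5, 6, 7), which is the reading that reproduces the slide's ciphertext; the function names are assumptions of this example.

```python
def encrypt(plaintext, key):
    """Write the plaintext row by row under len(key) columns, then write out
    the columns in the order listed in key (1-based column numbers)."""
    cols = len(key)
    letters = [c for c in plaintext.upper() if "A" <= c <= "Z"]
    if len(letters) % cols:
        raise ValueError("pad the plaintext so that it fills the last row")
    return "".join("".join(letters[c - 1::cols]) for c in key)


def decrypt(ciphertext, key):
    """Refill the rectangle column by column in key order, then read the rows."""
    cols = len(key)
    if len(ciphertext) % cols:
        raise ValueError("ciphertext length is not a multiple of the key length")
    rows = len(ciphertext) // cols
    grid = [[""] * cols for _ in range(rows)]
    for n, c in enumerate(key):
        chunk = ciphertext[n * rows:(n + 1) * rows]
        for r, ch in enumerate(chunk):
            grid[r][c - 1] = ch
    return "".join("".join(row) for row in grid)


def same_letters(a, b):
    """A transposition only reorders: both texts contain the same letters."""
    return sorted(a.upper()) == sorted(b.upper())


if __name__ == "__main__":
    key = [3, 4, 2, 1, 5, 6, 7]
    ct = encrypt("attackpostponeduntiltwoamxyz", key)
    print(ct)
    print(decrypt(ct, key))
```

Because the letters themselves are unchanged, the single-letter frequencies of the ciphertext equal those of the plaintext, which is what `same_letters` checks.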

Uses a sequence of substitutions and transpositions

o Harder to break than just substitutions or transpositions

This is a bridge from classical to modern ciphers.

A cipher is unconditionally secure if it is secure no matter how many resources (time, space) the attacker has.

A cipher is computationally secure if the best algorithm for breaking it will require so many resources (e.g., 1000 years) that practically the cryptosystem is secure.

None of the ciphers we have examined is unconditionally secure.

Key = k_1 k_2 k_3 k_4 … (random, used one-time only)

Plaintext = m_1 m_2 m_3 m_4 …

Ciphertext = c_1 c_2 c_3 c_4 …

where c_i = m_i ⊕ k_i

Can be proved to be unconditionally secure.

Hide a message in another message. E.g., hide your plaintext in a graphic image

o Each pixel has 3 bytes specifying the RGB color
o The least significant bits of pixels can be changed w/o greatly affecting the image quality
o So can hide messages in these LSBs

Take a 640x480 (= 307,200) pixel image.

Using only 1 LSB, can hide 115,200 characters

Using 4 LSBs, can hide 460,800 characters.
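The capacity figures and the LSB idea above, as an added example that is not part of the original lecture. It works on a raw buffer of RGB bytes rather than an image file, uses one LSB per colour byte, and assumes 8-bit characters; the function names and the constructed cover buffer are assumptions of this example.

```python
def capacity_chars(width, height, lsbs_per_byte):
    """8-bit characters that fit when each of the 3 colour bytes of every
    pixel gives up `lsbs_per_byte` of its low bits."""
    return width * height * 3 * lsbs_per_byte // 8


def embed(pixels, message):
    """Hide the message bits in the least significant bit of each colour byte."""
    bits = [(byte >> (7 - i)) & 1 for byte in message for i in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("message too long for this image")
    out = bytearray(pixels)
    for n, bit in enumerate(bits):
        out[n] = (out[n] & 0xFE) | bit      # clear the LSB, then set it
    return bytes(out)


def extract(pixels, length):
    """Read `length` message bytes back out of the LSBs."""
    bits = [b & 1 for b in pixels[:length * 8]]
    return bytes(sum(bit << (7 - i) for i, bit in enumerate(bits[n:n + 8]))
                 for n in range(0, len(bits), 8))


def max_channel_change(original, modified):
    """Largest change to any colour byte; 1 means only LSBs were touched."""
    return max(abs(a - b) for a, b in zip(original, modified))


if __name__ == "__main__":
    cover = bytes(range(256)) * 3           # constructed 256-pixel RGB buffer
    secret = b"Pershing sails from NY June 1"
    stego = embed(cover, secret)
    print(capacity_chars(640, 480, 1), capacity_chars(640, 480, 4))
    print(extract(stego, len(secret)), max_channel_change(cover, stego))
```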

An actual message from a German spy

o read second letter in each word

“Apparently, neutral’s protest is thoroughly discounted and ignored. Isman hard hit. Blockade issue affect pretext for embargo on by-products, ejecting suets and vegetable oils.”

“Pershing Sails from NY June 1”

Have considered:

o classical cipher techniques and terminology
o monoalphabetic substitution ciphers
o cryptanalysis using letter frequencies
o Playfair cipher
o polyalphabetic ciphers
o transposition ciphers
o product ciphers and rotor machines
o steganography

50 B.C.: Julius Caesar uses cryptographic technique
400 A.D.: Kama Sutra in India mentions cryptographic techniques
1250: British monk Roger Bacon describes simple ciphers
1466: Leon Alberti develops a cipher disk
1861: Union forces use a cipher during Civil War

1914: World War I – British, French, and German forces use encryption technology
1917: William Friedman, Father of U.S. encryption efforts starts a school for teaching cryptanalysis in Illinois
1917: AT&T employee Gilbert Vernam invents polyalphabetic cipher
1919: Germans develop the Enigma machine for encryption

1937: Japanese design the Purple machine for encryption
1942: Navajo windtalkers help with secure communication during World War II
1948: Claude Shannon develops statistical methods for encryption/decryption
1976: IBM develops DES
1976: Diffie – Hellman develop public key / private key cryptography
1977: Rivest – Shamir – Adleman develop the RSA algorithm for public key / private key

Outline Syllabus

o Concept of Secure Computing, Domain of Protection, Social Engineering, Attacks and Defenses, Defining Security Policy, Classical Ciphers, Encryption and Decryption, Symmetric and Asymmetric Ciphers, Operating System Holes, Application Security (Web, e-mail, Databases), Viruses, Privacy, and Digital Rights Management, Intrusion Detection Systems, Secure Protocols, Security of Middleware, Software Protection, Web Security and Wireless Network Security.
