CS 4235 Information Security Crypto · Introduction to Cryptography. Building Blocks of Security...

Post on 22-May-2020


CS 4235 Information Security

Introduction to Cryptography

Building Blocks of Security

Elements
• Knowledge
– secrecy
• Trust
– authorization
• Capability
– Computing power
• Risk
– Loss/gain

Examples
• Cryptography
• Multi-level security
• Unix permissions
• Utility matrix

The Building Blocks are Related

Trust in Real Life: complex

Elements
• authentication
• content
• capability
• context
• service quality
– dependability
– privacy
– data integrity
– secrecy

Risk

How big should the lock be? Will bolt cutter be noticed?

Knowledge

• Secrets
• Information
• Probabilities
• Identity
• Communication
• Computation

Important Assumptions

• Messages and keys are all numbers
• Keys
– Secret knowledge
– Implies an exchange of information
– Large key space
– Hard to guess
– Key size is important
– May be several

A Cryptosystem

[Figure: Plaintext Message M → Ciphertext C → Transmitted (Noise) → Recovered Ciphertext C’ → Plaintext Message M’]

K and K’ are called Keys
E(K,M) = C
D(K’,C’) = M’

Security Properties

E(K,M) = C
D(K’,C’) = M’

• Secrecy: can M = M’ be determined from C = C’?
• Integrity: is M = M’?
• Authenticity: was C’ composed by T?

Threats to integrity:
1. Some physical process corrupts the channel
2. Some enemy corrupts the message

Questions:
1. What are threats to secrecy?
2. What are threats to authenticity?

A Trivial Example

101101 = K
110111 = M
011010 = C
101101 = K
110111 = M

Ciphers and Codes

• Codes
– Data compression
– Error correcting
– Hash
– Morse
– Phone book (spy)
• Ciphers
– One Time Pad
– Caesar (monoalphabetic)
– Polyalphabetic
– Rotor
– DES/AES
– Public Key

Theory of Perfect Secrecy

Intercepting C should give no information about M

Bayes’ Theorem

Perfect Secrecy means that C is statistically independent of M

Which means that you can’t guess the keys

Problems:
1. To have perfect secrecy, the number of keys must be at least as large as the number of messages. Why?
2. Can you have perfect secrecy with exactly as many keys and messages?

Information Theory Limits

• If the system is perfect, then the number of bits in the key must be at least as large as the number of bits in the message
• In a system with infinitely many messages, no finite key gives perfect security

The One-Time Pad

[Figure: a Random Key Source produces a1, a2, a3, …]

Message = M1M2 … Mk
Ciphertext = M1M2 … Mk ⊕ a1a2 … ak
Decrypt: C ⊕ a = M

Information Theoretically Secure Encryption
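The perfect-secrecy statements in the two preceding slides, and the one-time pad itself, can be checked by exhaustive enumeration over a toy message space. This is an added example, not part of the original slides; the 3-bit message size, the reduced key set and all function names are assumptions chosen for illustration.

```python
from collections import Counter
from fractions import Fraction

def encrypt(key: int, msg: int) -> int:
    """One-time pad on n-bit numbers: C = M xor K."""
    return msg ^ key

def ciphertext_dist(msg: int, keys: list[int]) -> dict[int, Fraction]:
    """P(C = c | M = msg) when the key is drawn uniformly from `keys`."""
    counts = Counter(encrypt(k, msg) for k in keys)
    return {c: Fraction(n, len(keys)) for c, n in counts.items()}

def perfectly_secret(messages: list[int], keys: list[int]) -> bool:
    """True iff P(C | M) is the same distribution for every message,
    i.e. C is statistically independent of M."""
    dists = [ciphertext_dist(m, keys) for m in messages]
    return all(d == dists[0] for d in dists)

def ruled_out(ciphertext: int, messages: list[int], keys: list[int]) -> list[int]:
    """Messages an eavesdropper can eliminate after seeing `ciphertext`:
    those that no key in the key space maps to it."""
    return [m for m in messages
            if all(encrypt(k, m) != ciphertext for k in keys)]

N_BITS = 3                                   # assumed toy size
MESSAGES = list(range(2 ** N_BITS))          # 8 possible messages
FULL_KEYS = list(range(2 ** N_BITS))         # as many keys as messages
SHORT_KEYS = [0b000, 0b011, 0b101, 0b110]    # constructed: fewer keys than messages

if __name__ == "__main__":
    # The slide's trivial example: K = 101101, M = 110111 gives C = 011010.
    print(format(encrypt(0b101101, 0b110111), "06b"))
    print("full key space  :", perfectly_secret(MESSAGES, FULL_KEYS))
    print("short key space :", perfectly_secret(MESSAGES, SHORT_KEYS))
    print("eliminated by C=000 with short keys:",
          ruled_out(0b000, MESSAGES, SHORT_KEYS))
```

With fewer keys than messages, every intercepted ciphertext eliminates some messages, which is the answer to Problem 1.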

Practical Approaches to OTP

• Vernam Cipher
• Entrust OTP Scratch Card
– server challenges A5, B7, C9, D8
– You must have the correct card to respond
• RSA Security SecurID
– Two-factor
– 1 seed per token
– Time synchronization
– User has 1 minute to authenticate himself and the correct passkey

Caesar Ciphers

Decimation

Cryptanalysis

How:
1. Search for low frequency digraphs, trigraphs
2. Search for high frequency digraphs, …
3. Use plaintext separation of digraphs to guess (c,x) pairs and check intervals

A Cryptanalyst’s Bag of Tricks

• Complete the plaintext
• Solve for standard alphabets by using frequency distributions
• Solve decimated alphabets by congruences
• Distinguish vowels from consonants
• Find pattern words
• Solve 5 letter groupings
• Recognize polyalphabetic ciphers and determine number of alphabets
– Solve individual alphabets
– Match alphabets
– Reduce to monoalphabet
• Use linear algebra for digraphic ciphers based on matrices
• Find probable words
• Find repetitions between messages
• Pay an insider $5,000,000 for the key

What makes a good encryption algorithm?

• The amount of work to encrypt and decrypt should be proportional to the amount of secrecy needed
• The system (keys and algorithms) should be free from unnecessary complexities and idiosyncrasies
• It should be simple to implement
• Enciphering errors should not propagate
• The ciphertext should be no larger than the plaintext
• You should not rely on keeping the algorithm secret

Security through obscurity is not permitted

What does it take to have commercial-grade encryption?

• The underlying mathematics should be sound
• Independent experts have analyzed the algorithms and can explain why they are strong
• It has withstood the test of time

The Data Encryption Standard (DES)

• Developed for the US Government
• Officially accepted as cryptographic standard in US and abroad
• Widely deployed in both hardware and software
• Adequacy called into question

Why a DES?

• General public not being served by secrecy of Departments of Defense and State
• Proliferation of methods made commerce difficult (2 users with different devices could not talk to each other)
• No independent verification of claims of cryptographic strength
• National Bureau of Standards

1972 NBS Call for Proposals

• Able to provide a high level of security
• Specified and easy to understand
• Should be publishable so that security does not depend on secrecy of the algorithm
• Available to all users
• Adaptable for any application
• Economical to implement
• Efficient to use
• Must be capable of being validated
• Exportable

There was a second call in August 1974

• Feistel (1974)
– IBM’s Lucifer
– Basic algorithm was already public
– Straightforward
– Used simple logical operations on small quantities of data
• Tuchman (1976)
– Data Encryption Algorithm
– Developed by NBS and IBM
– Analyzed by NSA (!!!!!!)
• NBS (1977)
– Approval and Implementation of the Standard

Security of DES

• What does it mean to crack DES?
– Recover the key from ciphertext
• Diffie and Hellman (1977)
– 56 bit key is too short
• Differential Cryptanalysis
– 1990 Biham and Shamir
– Changes to algorithm weaken it (means design is optimal?)
• (1997)
– 3,500 machines in parallel
– 4 months
• DES Cracker (1998)
– Special machine
– $100,000 and four days to recover key

Overview of DES

• Strength relies on two crypto building blocks
– Nonlinear substitution (S) functions to deter analysis: Confusion
– Permutations (P) to deter statistical attacks: Diffusion
• To the user DES looks like a 64-bit S-box
• Cascade S-P Boxes

[Figure: an S-box as a switch. Inputs x1, x2, x3, …, xn select one of the lines 0, 1, 2, …, 2^n-1; these are wired to output lines 0, 1, 2, …, 2^n-1, which drive outputs y1, y2, y3, …, y64. (2^n)! possible connections.]

How to build with less than 2^64 internal switches?

Why Nonlinearity?

• Example 1 – 2 short tape Vernam system
• Example 2 – Linear feedback shift register

Solve a boolean polynomial of degree d

What does it take to deter statistical attacks?

• Good random number generator
• Generate permutations of 0,…,63 with equal probability

The Algorithm

[Figure: DES block diagram. 64 bit input → Permutation → 16 Rounds of permutations and substitutions → Reverse Permutation → 64 bit output. Key K: 56 bit key, 8 check bits.]

1. Split Input
2. Operate on R with SP Network
3. Combine LR Pieces

[Figure: one round, with labels Li-1, Ri-1, f, Ki, S, P, +, Li, Ri.]

The Ki’s come from a Key Scheduler that Repeats the Design

1. Discards 8 bits and permutes according to tables
2. Split into 28 bit halves
3. Circular left shift 1 or 2 bits according to value of i
– i = 1, 2, 9, 16: shift 1 bit
– i = anything else: shift 2 bits
4. Discards 8 bits, permutes and outputs K1
5. Start next cycle of shifts and permutations

[Figure: key schedule. K → PC1 → C0, D0 → LS1, LS1 → C1, D1 → PC2 → K1; then LS2, LS2, and so on. Shown beside the round diagram (Li-1, Ri-1, f, Ki, +, Li, Ri).]

The S and P Boxes have a very specific design

• 8 distinct S-Boxes
– 6 bits of data replaced by 4 bits
– 48 bits divided into 8 six bit blocks
– The ith block is operated on by the ith S-box
• 3 P-Boxes
– Initial reorders the 64 bits
– After S-box substitution all 32 bits are permuted
– Final is the inverse of the initial permutation

Putting the Pieces together

Decryption

Forward / Backward

The same algorithm encrypts and decrypts!
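Why the same routine decrypts: in the split / operate-on-R / combine structure, running the rounds again with the round keys in reverse order undoes each round, whether or not f is invertible. This is an added example, not from the slides; the round function here is a SHA-256-based stand-in rather than DES's S and P boxes, and the sixteen round keys are constructed values.

```python
import hashlib

MASK32 = 0xFFFFFFFF

def f(right: int, round_key: bytes) -> int:
    """Stand-in round function (NOT the DES S/P network): the first 32 bits
    of SHA-256(round_key || R). It is not invertible, and never needs to be."""
    digest = hashlib.sha256(round_key + right.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:4], "big")

def feistel(block: int, round_keys: list[bytes]) -> int:
    """Run a 64-bit block through one Feistel round per round key."""
    left, right = block >> 32, block & MASK32           # 1. split input
    for key in round_keys:
        # 2. operate on R with f, 3. combine the halves:
        #    L_i = R_(i-1),  R_i = L_(i-1) xor f(R_(i-1), K_i)
        left, right = right, left ^ f(right, key)
    # Undo the last swap so the identical routine also decrypts.
    return (right << 32) | left

def encrypt(block: int, round_keys: list[bytes]) -> int:
    return feistel(block, round_keys)

def decrypt(block: int, round_keys: list[bytes]) -> int:
    # Same algorithm, round keys applied backward (K16 first, K1 last).
    return feistel(block, round_keys[::-1])

# Constructed sample data: 16 round keys and the message from the slides' example.
ROUND_KEYS = [bytes([i]) * 8 for i in range(1, 17)]
M = 0x1000000000000001

if __name__ == "__main__":
    c = encrypt(M, ROUND_KEYS)
    print(f"C            = {c:016X}")
    print(f"decrypt(C)   = {decrypt(c, ROUND_KEYS):016X}")
    # One flipped ciphertext bit no longer decrypts to M.
    print(f"decrypt(C')  = {decrypt(c ^ (1 << 60), ROUND_KEYS):016X}")
```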

Design Considerations

• Permutations give maximum mixing in the least number of rounds
• Number of gates in the final design of S-boxes is >> number of gates in random substitution circuit
• There is a mixing of plaintext with keys
• Increasing key uncertainty
• Additional mixing by L-R interchanges

Other indications of strength

• Intersymbol dependence: each bit of C is a complex function of all bits of K, M
– Beginning with round 5
• Complexity of f
• Multiple Rounds

Example

Let’s just change 1 bit (hex notation)

M = 1(0)^14 1
K = 3(0)^13
C = 958E6E627A05557B
C’ = 858E6E627A05557B

E^-1(K,C’) = 8D4893C2966CC21 ≠ M

Weak Keys

• Those that give K1 = K2 = … = K16
– It is sufficient that either the C or D registers are all 1 or all 0
– Also any keys for which
• E_K E_K(M) = M or
• D_K D_K(C) = C

Semi Weak Keys

• One register is of the form 010101… or 101010…
• The other register is one of the following
– 0000…
– 1111…
– 0101…
– 1010…
• Shifting alternating 0-1 produces the same results
• Property of a semi weak key K: there is a different K’ such that K’_i = K_(17-i)

In other words E_K E_K’(M) = M and E_K’ E_K(M) = M

There are other repeating patterns

C Register, and any of these
• 0011…0011
• 0110…0110
• 1001…1001
• 1100…1100

D Register patterns
• 00…00
• 0011…0011
• 0101…0101
• 0110…0110
• 1001…1001
• 1010…1010
• 1100…1100
• 11…11

Question:  How can these be used to compromise DES?

Is DES Secure?

• Design of Algorithm
– NSA Involvement
– Secrecy
– Existence of trapdoors?
• Number of Iterations?
• Key length?

Known Plaintext Attack

• Given: M, C, find K
• Brute force
– Generate keys K* until E(K*,M) = C
– 2^56 56-bit keys – takes too much time
– Diffie-Hellman Parallel processor – cost decrease due to Moore’s Law

Chosen Plaintext Attack

• Attacker inserts plaintext block of his choosing into encryption stream and observes the results
• Compute all 2^56 results of encrypting chosen plaintext under all possible keys and store in a table
• Recover key for random plaintext by inserting chosen plaintext and looking up result in table.

Differential Cryptanalysis

• Biham and Shamir (1990)

Strengthening DES

• Weakness of 56 bit keys
• Double DES: E(K1,E(K2,M))
– No better than one key: Merkle and Hellman 1981
• Triple DES: E(K3,E(K2,E(K1,M)))
– Equivalent to 128 bit keys
• AES
– Public
– Royalty-free license
– Symmetric for blocks of 128 bits
– Key sizes 128, 192, and 256 bits
– Rijndael: submitted 1998 (1 of 5 finalists)
– Adopted 2001