6/3/2015 Prof. Ehud Gudes Security Ch 3 1 Chapter 3 Cryptography – Algorithms and Protocols...
Date posted: 19-Dec-2015
04/18/23Prof. Ehud Gudes Security
Ch 3 1
Chapter 3
Cryptography – Algorithms and Protocols
Stallings Chp. 2,19,20, App. A,B
Definitions
• Cryptography is the study of message concealment.
• Cryptanalysis is the study of how to discover the encrypted message.
• Cryptanalysis is difficult and requires good mathematical knowledge, so you don’t see many hackers trying to break codes. The equivalents of hackers are now scientists employed by a government or organized crime.

Cryptography Value
• Authentication – can authenticate the identity of users, transactions, and systems.
• Protection of messages – can protect the secrecy of a message and prevent illegal modification. Cannot protect against destruction of the message.
• Protection of software and data – can protect their confidentiality, although it cannot prevent their destruction. For example: passwords can be encrypted.
Cryptography Value II
Digital signatures – can authenticate the origin of a message
Non-repudiation – A user that signed or otherwise authenticated a document using cryptography cannot deny having signed it.
Notation
M, P – messages (plaintext, cleartext).
C – ciphertext.
K – key.
E – the encryption function: C = E_K(M)
D – the decryption function: M = D_K'(C)
For any key pair K, K' and for any message M:
M = D_K'(E_K(M))
Cryptography – the Process
Classification
• Number of keys used: symmetric (one key) and asymmetric (encryption and decryption keys; these are the public-key systems). Neither approach is the best for all cases.
• Type of encrypting operations: symmetric systems use substitution and transposition stages. Substitutions just replace a bit or character with another. Transpositions rearrange bits or characters in the data. Product ciphers are combinations of substitutions and transpositions. Public-key systems are based on invertible mathematical functions.

Classification II
• The way the plaintext is encrypted: block and stream ciphers. In a block cipher a block of data is transformed, using a key, into a block of ciphertext.
• In a stream cipher a stream of key bits is used to encode a stream of data one bit or character at a time. Block ciphers are more appropriate for use within computers, while stream ciphers are seen mostly in communications.
Main Principle of Cryptography
The secret is in the KEY
Not in the Algorithm!!
Attacks
• Ciphertext only
• Known plaintext
• Chosen plaintext
• Chosen ciphertext
• Chosen text

Types of attacks on cryptographic algorithms
Attacks are classified by the information available to the attacker. Assume that the attacker has access to the algorithm and also knows its internal structure.
• Ciphertext-only attack. The attacker holds a set of encrypted messages. Goal: find the corresponding plaintext messages and/or the encryption key. Assumption: a statistical characterization of the messages exists.

Types of attacks on cryptographic algorithms (continued)
• Known-plaintext attack. The attacker holds a set of pairs (P, C). Goal: find the encryption key. Example: exhaustive search.
• Chosen-plaintext attack. The attacker chooses the set of messages {P} and receives the corresponding encrypted messages {C}. Goal: find the encryption key. Example: differential cryptanalysis.

Types of attacks on cryptographic algorithms (continued)
• Adaptive chosen-plaintext attack. The attacker builds the set of pairs (P, C) gradually: the next message P can be chosen based on the results of the previous encryptions. Goal: find the encryption key.
Caesar Cipher
The rule:
c_i = E(p_i) = p_i + 3
A full translation chart of the Caesar cipher is shown here.
Plaintext   A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
Ciphertext  d e f g h i j k l m n o p q r s t u v w x y z a b c
Using this encryption, the message
TREATY IMPOSSIBLE
would be encoded as:
T R E A T Y   I M P O S S I B L E
w u h d w b   l p s r v v l e o h

Table of Letter Frequencies
Table 2-1 Letter Frequency Distributions in English and Pascal
          English             Pascal
Letter    Count   Percent     Count   Percent
a         3312     7.49        664     4.70
b          573     1.29        197     1.39
c         1568     3.54        878     6.22
d         1602     3.62        511     3.61
e         6192    14.00       1921    13.60
f          966     2.18        504     3.57
g          769     1.74        294     2.08
h         1869     4.22        478     3.39
i         2943     6.65       1215     8.60
j          119     0.27          6     0.04
k          206     0.47         87     0.61
l         1579     3.57        722     5.11
m         1500     3.39        270     1.91
n         2982     6.74       1157     8.19
o         3261     7.37        835     5.91
p         1074     2.43        340     2.41
q          116     0.26         12     0.08
r         2716     6.14       1147     8.12
s         3072     6.95        594     4.21
t         4358     9.85       1311     9.28
u         1329     3.00        377     2.66
v          512     1.16        127     0.89
w          748     1.69        193     1.36
x          123     0.28        139     0.98
y          727     1.64        137     0.96
z           16     0.04          5     0.03
Monoalphabetic Cipher
Take for example the key: SHARON
Plaintext   A B C D E F G H I J K L M N O P Q R S T
Ciphertext  S H A R O N B C D E F G I J K L M P Q S
counts and relative frequencies of letters in the cipher
Table 2-3 shows the counts and relative frequencies of letters in the cipher examined in the previous section (in [P])
Wklv phvvdjh lv qrw wrr kdug wr euhdn
Table 2-3 Frequencies of Letters in wklv… Cipher
Letter  Count  Percent     Letter  Count  Percent
w       4      13.33       k       2       6.66
l       2       6.66       v       4      13.33
p       1       3.33       h       3      10.00
d       3      10.00       j       1       3.33
q       1       3.33       r       4      13.33
e       1       3.33       u       2       6.66
g       1       3.33       n       1       3.33
Monoalphabetic cipher – Example for Cryptanalysis
QMC MEPQJOY JH QMC GAQEJGAD PCTROEQY ANCGTY EP PMOJRICI EG PCTOCTY CUCG EQP SRINCQ EP TDAPPEHECI’
The simplest effective attack on a monoalphabetic cipher is the use of frequencies in natural languages: single letters, bigrams/trigrams, small words, end/beginning of words, etc.
We’ll only consider English here. We’ll use some empirical facts about single-letter frequencies, as well as knowledge about common English words. Again, the most common single letters in English are e and t, with all others considerably less frequent.
Thus, to attack a cryptogram, first do an accounting of the most common letters in the ciphertext. For example in:
QCIV XY KEO JLYYW JBRO XN KEO JKGOOK. TOK SO KX KEO AELGAE XY KBSO. KEO NBJE CGO MLSDBYT CYR KEO AXKKXY BJ EBTE. XLG JKCKO NCBG BJ KEO HOJK JKCKO NCBG.
We find, ranked by order of frequency of appearance:
K-15, O-13, E-9, B-7, J-7, C-6, X-6, Y-6, G-5, L-3, N-3, A-2, S-2, T-2, R-1.7
with D, H, I, M, Q, V, W occurring much less often.
Monoalphabetic cipher – Example for Cryptanalysis (Cont.)
Thus, we would imagine that ‘K’ is either ‘e’ or ‘t’, and perhaps ‘O’ is the other of the two. Trying first K=e and O=t, we have (in part)
QCIV XY eEt JLYYW JBRt XN eEt JeGtte. Tte St eX eEt AELGAE XY…
The ‘Tte’ in the second sentence immediately raises a problem: it seems unlikely that ‘T’ can be anything that would make this a word that could begin a sentence. So try K=t and O=e instead:
QCIV XY tEe JLYYW JBRe XN tEe JtGeet. Tet Se tX tEe AELGAE XY tBSe. tEe NBJE CGe MLSDBYT CYR tEe AXttXY BJ EBTE. XLG JtCte NCBG BJ tEe HeJt JtCte NCBG
The ‘tEe’ suggests E=h, the ‘tX’ suggests X=o, and then ‘XY’ suggests Y=n. This gives:
QCIV on the JLnnW JBRe oN the JtGeet. Tet Se to the AhLGAh on tBSe. the NBJh CGe MLSDBnT CnR the Aotton BJ hBTh. oLG JtCte NCBG BJ the HeJt JtCte NCBG.
Monoalphabetic cipher – Example for Cryptanalysis (Cont.)
The ‘Tet Se to the’ suggests ‘get me to the’, so T=g and S=m, and ‘JtGeet’ could be ‘street’, so J=s, G=r:
QCIV on the sLnnW sBRe oN the street. get me to the AhLrAh on tBme. the NBsh Cre MLmDBng CnR the Aotton Bs hBgh. oLr stCte NCBr Bs the Hest stCte NCBr.
The ending on ‘MLmDBng’, and also ‘Bs hBgh’, suggest B=i. Also the ‘oLr’ suggests L=u. Rewrite:
QCIV on the sunnW siRe oN the street. get me to the AhurAh on time. the Nish Cre MumDing CnR the Aotton is high. our stCte NCir is the Hest stCte NCir.
Then ‘sunnW siRe oN’ suggests W=y, R=d, and N=f:
QCIV on the sunny side of the street. get me to the AhurAh on time. the fish Cre

Vigenère Table
Poly-alphabetic Cipher – using Vigenère Table
letter (B) is converted to the ciphertext letter in row 1 (B), column 9 (j), in this tableau. The letter in that position is k. The encryption of this message starts as shown below.
julie tjuli etjul ietju lietj uliet julie tjuli
BUTSO FTWHA TLIGH TTHRO UGHYO NDERW INDOW BREAK
koeas ycqsi …
With a six-letter keyword such as juliet this algorithm effectively spreads the effect of the frequency of each letter onto six others, which flattens the distribution substantially. Long keywords can be used, but a keyword of length three usually suffices to smooth out the distribution.
Polyalphabetic cipher – finding the key length
The Dickens “It was the best of times…” example has much repetition, so it demonstrates this argument quickly. Suppose the keyword is dickens.
dicke nsdic kensd icken sdick ensdi ckens dicke
ITWAS THEBE STOFT IMESI TWAST HEWOR STOFT IMESI
nsdic kensd icken sdick ensdi ckens dicke nsdic
TWAST HEAGE OFWIS DOMIT WASTH EAGEO FFOOL ISHNE
kensd icken sdick ensdi ckens dicke nsdic kensd
SSITW ASTHE EPOCH OFBEL IEFIT WASTH EEPOC HOFIN
The phrase IT WAS THE is enciphered with keyword nsdicken once in the first line and twice in the third line. These three cases all appear as identical 8-character patterns in the ciphertext.
Kasiski Method – Finding the Key Length in Poly-Alphabetic Ciphers
Starting position   Distance from previous   Factors
20
83                  63 (83-20)               3, 7, 9, 21, 63
104                 21 (104-83)              3, 7, 21
From this short example, we may guess that a keyword of 21 is improbable. Thus the key length is probably either 3 or 7. With more repeats you could reduce the number of possibilities for key length. Let us continue with the key length possibilities of 3 and 7.
For the Kasiski method, the steps are:
1. Identify repeated patterns of three or more characters.
2. For each pattern write down the position at which each instance of the pattern begins.
3. Compute the difference between the starting points of successive instances.
4. Determine all factors of each difference.
5. If a polyalphabetic substitution cipher was used, the key length will be one of the factors that appears often in step 4.
6. Once the key length is known, use mono-alphabetic techniques.
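The steps above, run on the Dickens example with keyword dickens, as an added illustration that is not part of the original slides. The function names, the choice of 8-character patterns and the maximum key length of 20 are assumptions made for the example; positions are 1-based to match the table.

```python
from collections import Counter, defaultdict

# Plaintext groups copied from the Dickens slide; spaces are removed below.
PLAINTEXT = (
    "ITWAS THEBE STOFT IMESI TWAST HEWOR STOFT IMESI "
    "TWAST HEAGE OFWIS DOMIT WASTH EAGEO FFOOL ISHNE "
    "SSITW ASTHE EPOCH OFBEL IEFIT WASTH EEPOC HOFIN"
).replace(" ", "")
KEYWORD = "dickens"


def vigenere_encrypt(plaintext, keyword):
    """Tableau lookup: ciphertext = (plaintext letter + key letter) mod 26."""
    base = ord("A")
    out = []
    for i, ch in enumerate(plaintext.upper()):
        shift = ord(keyword[i % len(keyword)].upper()) - base
        out.append(chr((ord(ch) - base + shift) % 26 + base))
    return "".join(out)


def repeated_patterns(ciphertext, length):
    """Steps 1-2: map every repeated n-gram to its 1-based start positions."""
    seen = defaultdict(list)
    for i in range(len(ciphertext) - length + 1):
        seen[ciphertext[i:i + length]].append(i + 1)
    return {pat: pos for pat, pos in seen.items() if len(pos) > 1}


def factor_votes(repeats, max_key_len=20):
    """Steps 3-5: count how often each candidate length divides a distance."""
    votes = Counter()
    for positions in repeats.values():
        for prev, cur in zip(positions, positions[1:]):
            distance = cur - prev
            for f in range(2, max_key_len + 1):
                if distance % f == 0:
                    votes[f] += 1
    return votes


def split_by_key_position(ciphertext, key_len):
    """Step 6: each slice was enciphered with a single alphabet."""
    return [ciphertext[i::key_len] for i in range(key_len)]


if __name__ == "__main__":
    ct = vigenere_encrypt(PLAINTEXT, KEYWORD)
    repeats = repeated_patterns(ct, 8)
    for pattern, positions in sorted(repeats.items(), key=lambda kv: kv[1]):
        print(pattern, positions)
    print(factor_votes(repeats).most_common())
```

Only 3, 7 and 9 receive votes here, with 3 and 7 tied, which is the same ambiguity the slide reports; each candidate is then checked by running single-alphabet frequency analysis on the slices from `split_by_key_position`.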
VERNAM Cipher
For example, the binary number
101101100101011100101101011100101
can be encoded with the random binary stream
101111011110110101100100100110001
to produce the following ciphertext
000010111011101001001001111010100
Vernam Cipher - Cryptanalysis
The problem with this form of random number generator is its dependability. Because each number depends only on the previous number, you can determine constants by solving a series of equations.
r1 = a * r0 + b mod n
r2 = a * r1 + b mod n
r3 = a * r2 + b mod n
An interceptor who has r0, r1, r2 and r3 can resolve for a, b, and n.
An interceptor can get r0, r1, r2 and r3 by a probable word attack. With a Vernam cipher, each ciphertext letter comes from the formula
ci = ri + pi mod n
If an interceptor of the ciphertext guesses that the message starts with MEMO (M = 12, E = 4, O = 14), the interceptor can try to substitute probable values of pi and solve for values of ri.
Vernam Cipher (Cont.)
r0 = c0 – 12 mod n
r1 = c1 – 4 mod n
r2 = c2 – 12 mod n
r3 = c3 – 14 mod n
With these values of r0 to r3, the interceptor may be able to solve the three equations for a, b, and n. Given those, the interceptor can generate the full sequence of random numbers and obtain plaintext directly.
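An added illustration (not from the original slides) of why a keystream produced by this kind of generator gives no protection once a probable word is guessed, shown on a constructed message. It assumes the modulus n = 26 is known as the alphabet size; the generator constants a = 7, b = 3, the seed 10, the message and all function names are made up for the example.

```python
import string

ALPHABET = string.ascii_uppercase
N = len(ALPHABET)  # assumption: n is the alphabet size (26) and is known


def lcg_stream(a, b, seed, count, n=N):
    """r0 = seed, r(i+1) = a * r(i) + b mod n."""
    r, out = seed, []
    for _ in range(count):
        out.append(r)
        r = (a * r + b) % n
    return out


def encrypt(plaintext, stream, n=N):
    """c_i = r_i + p_i mod n."""
    return "".join(ALPHABET[(ALPHABET.index(p) + r) % n]
                   for p, r in zip(plaintext, stream))


def keystream_from_crib(ciphertext, crib, n=N):
    """r_i = c_i - p_i mod n for the guessed leading plaintext."""
    return [(ALPHABET.index(c) - ALPHABET.index(p)) % n
            for c, p in zip(ciphertext, crib)]


def solve_lcg(r, n=N):
    """Return every (a, b) consistent with the recovered r0, r1, r2, ..."""
    solutions = []
    for a in range(n):
        b = (r[1] - a * r[0]) % n          # forced by the first equation
        if all((a * r[i] + b) % n == r[i + 1] for i in range(len(r) - 1)):
            solutions.append((a, b))
    return solutions


def recover_plaintext(ciphertext, crib, n=N):
    """Regenerate the whole keystream for each candidate and decrypt."""
    r = keystream_from_crib(ciphertext, crib, n)
    results = []
    for a, b in solve_lcg(r, n):
        stream = lcg_stream(a, b, r[0], len(ciphertext), n)
        text = "".join(ALPHABET[(ALPHABET.index(c) - k) % n]
                       for c, k in zip(ciphertext, stream))
        results.append(((a, b), text))
    return results


# Constructed sample: the sender's secret generator and message.
MESSAGE = "MEMOTOALLSTAFF"
CIPHERTEXT = encrypt(MESSAGE, lcg_stream(a=7, b=3, seed=10, count=len(MESSAGE)))

if __name__ == "__main__":
    print(CIPHERTEXT)
    print(recover_plaintext(CIPHERTEXT, "MEMO"))
```

Four guessed letters are enough to pin down both constants here, which is the reason a keystream must come from a source whose future output cannot be computed from its past output.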
Vernam Cipher – a weakness
If we know both a message M and the ciphertext C, we would like the computation K = f(M, C) to be difficult.
In Vernam f is very easy; it’s also a XOR!

Pseudorandom versus Random Numbers
• often use algorithmic technique to create pseudorandom numbers
  – which satisfy statistical randomness tests
  – but likely to be predictable
• true random number generators use a nondeterministic source
  – e.g. radiation, gas discharge, leaky capacitors
  – increasingly provided on modern processors

Permutation Cipher
As an example, you would write the plaintext message as:
T H I S I
S A M E S
S A G E T
O S H O W
H O W A C
O L U M N
A R T R A
N S P O S
I T I O N
W O R K S
The resulting ciphertext would then be read as
tssoh oaniw haaso lrsto imghw utpir seeoa mrook istwc nasns
Finding the Column Positions in Permutation Cipher
[Figure: the ciphertext letters (t s s o h o a n i w h a a s o l r s t o …) written in columns, with copies of the stream shifted against each other to find where the columns line up.]
Improvement - The empty holes method
Product Ciphers
1. Although substitution ciphers and permutation ciphers alone are quite easy to break, their combination is quite a strong cipher!
2. This was the basis of most classical ciphers like the Enigma machine of World War II (see book by Sing…)
3. It’s also the basis for the DES cipher.
Shannon’s Principles for a Good Cipher
1. The amount of secrecy needed should determine the labor required for encryption/decryption.
2. The keys and ciphering algorithm should be “free” from complexity.
3. The implementation of the cipher algorithm should be simple and effective.
4. Errors in ciphering should not propagate to the entire message.
5. The size of the enciphered text should not be much larger than the size of the clear text.

Shannon’s Theory
A system has perfect secrecy if, by intercepting the ciphertext, nothing can be learned about the original message,
i.e. H(M|C) = H(M)
A Perfect Cipher

Shannon’s Theory (1949)
Confusion – a complex functional relationship between the Key, Plain-text and Cipher-text.
Diffusion – Information from one plain bit is diffused over all bits of the cipher (block).
Unicity Distance
Key equivocation:
$$H_C(K) = \sum_{c} P(c) \sum_{k} P_c(K) \log_2 \frac{1}{P_c(K)}$$
$P_c(K)$ – prob. of K given C.
$H_C(K) = H(K)$ means the cipher is (theoretically) breakable.
Unicity distance = $\frac{H(K)}{D}$, where D is the language redundancy – the number of characters required to break the cipher (theoretically).
Perfect cipher
• Let M = {M1, M2, …, Mn} be the set of all possible messages, and C = {C1, C2, …, Cn} the set of all the corresponding encrypted messages. A cipher is perfect if for all i, j:
  p(Mi|Cj) = p(Mi)
• Knowing the ciphertext adds no knowledge about the original text.
• A perfect cipher is immune to known ciphertext attacks.

• It can be proved that in a perfect cipher the number of keys is greater than or equal to the number of messages.
• The only perfect cipher is the one-time pad.
• Each message is encrypted with a different random key.
• The message is encrypted by XORing it with the key.

• An encryption algorithm is said to be unconditionally secure if, given infinite resources and an infinite number of pairs of plaintext and encrypted messages, it is not possible, given the encryption of the next message, to find the plaintext message that corresponds to it.
• The one-time pad is the only encryption algorithm that is unconditionally secure.

Computational Security
• An encryption algorithm is called computationally secure if in practice it is very hard to recover the original text given the ciphertext.
• Since the only perfect encryption algorithm is the one-time pad, any encryption algorithm can be broken given a sufficient amount of computing power and time.
• For all known cryptographic algorithms, no lower bounds are known on the number of operations required to break them.

The strength of an encryption algorithm (Shannon)
• The work factor of an encryption algorithm is the time required to break it: finding a message or finding the key given the ciphertext.
• The work factor is measured in the time and money that must be invested in breaking the algorithm.
• In practice, the work factor is the measure of the strength of an encryption algorithm.
Stream and block Ciphers
• Encryption functions take inputs of fixed length.
• To encrypt a message M whose length exceeds the input length of the encryption function, M is divided into blocks whose length equals the input length of the encryption function (padding is applied if necessary). Each block is encrypted separately.
• We distinguish between two kinds of ciphers: block ciphers and stream ciphers.

Block ciphers
• Let M be the input message, M = M1 M2 … Mn.
• Encryption is performed by Ci = Ek(Mi…).
• Every block is encrypted in the same way, using the same key.
• In the general case, the input can be a function of all the previous blocks in the message, but the key stays fixed.
• The input block length must be large enough that an exhaustive search cannot be carried out.

Stream ciphers
• The encryption (and decryption) key changes. Encryption is performed using a key stream.
• The key stream can be a function of the previous blocks, of the block number, and of an input key.
• Stream ciphers usually operate on blocks of small length (single bits or bytes).
• In some stream ciphers, encryption is done by XORing the input message with the key stream.

Block ciphers versus stream ciphers
• As we said, stream ciphers often work on small units of input. This makes them better suited to implementation in hardware than in software.
• Block ciphers usually work on input units that are multiples of 32 bits (a word).
• Stream ciphers are usually faster than block ciphers.
• Today, block ciphers are more widely used.
ECB – Electronic Code Book
[Figure: blocks M0, M1, …, Mn are each encrypted by ENC under the same key K, giving C0, C1, …, Cn.]

CBC – Cipher Block Chaining
[Figure: blocks M0, M1, …, Mn are encrypted by ENC under key K into C0, C1, …, Cn, with an IV at the first block.]

Cipher Feedback (CFB)
Advantages / Disadvantages of Block Cipher
Advantages:
• Higher diffusion
• Immunity to malicious insertions
• Same data, same cipher – good for retrieval
Disadvantages:
• Lower speed
• Higher error propagation (block boundary?)
• Same data, same cipher – discloses statistics
Advantages / Disadvantages of Stream Cipher
Advantages:
• High speed of encryption
• Low error propagation (on single bit/char)
Disadvantages:
• Low diffusion
• Susceptibility to malicious insertions

Examples of symmetric block ciphers
• DES
• IDEA
• RC5
• AES – Rijndael
The Data Encryption Standard
The DES is a product cipher consisting of a series of permutations and substitutions. More specifically, it is a block cipher with an initial permutation, 16 rounds of encryption, a 32-bit swap, and final permutation.
All books on cryptography and data security describe this algorithm in gory detail.
It uses a 56-bit key (+8 bits parity) and it has been implemented in hardware and software.
The controversy about the key length

The DES Cipher
DES – one iteration
Exhaustive Key Search
Symmetric Encryption Algorithms
DES
• The standard was developed by I.B.M. and adopted by NIST.
• Input block length: 64 bits.
• Key length: 64 bits, of which 8 bits are parity bits.
• July 1998: Deep Crack, a machine built specifically for this purpose, at a cost of $210,000. It found a key within 56 hours.

Double and triple encryption
• Double encryption:
  C = E_k1(E_k2(M))
  M = D_k2(D_k1(C))
• Double encryption is exposed to a man in the middle attack.
• Triple encryption:
  C = E_k1(D_k2(E_k3(M)))
  M = D_k3(E_k2(D_k1(C)))

Triple DES (3DES)
• first used in financial applications
• in DES FIPS PUB 46-3 standard of 1999
• uses three keys & three DES executions:
  C = E(K3, D(K2, E(K1, P)))
• decryption same with keys reversed
• use of decryption in second stage gives compatibility with original DES users
• effective 168-bit key length, slow, secure
• AES will eventually replace 3DES
IDEA – International Data Encryption Algorithm
• Developed (1992) by Massey and Lai.
• Input block length: 64 bits.
• Key length: 128 bits.
• Based on addition modulo 2^16 and multiplication modulo 2^16+1.
• Easy to implement in software.
• More widely accepted in Europe.

RC5
• Invented by Ron Rivest in 1995.
• Variable key length (between 0 and 2048 bits), variable block length, and variable number of rounds (between 0 and 255).
• Simple to implement: based on xor, addition, and rotate.

Advanced Encryption Standard (AES)
• needed a better replacement for DES
• NIST called for proposals in 1997
• selected Rijndael in Nov 2001
• published as FIPS 197
• symmetric block cipher
• uses 128 bit data & 128/192/256 bit keys
• now widely available commercially
The Advanced Encryption Standard
The AES (Rijndael) uses block and key sizes of 16, 24, or 32 bytes. It uses 10, 12, or 14 rounds.
Each round applies byte substitution, row shift, column mixing, and key addition. Bytes are transformed using invertible substitutions (to add nonlinearity).
Bytes in columns are linearly combined for diffusion. Row shifts provide diffusion over multiple rounds. Key addition makes the round function key dependent.

AES (Cont.)
• Byte substitution. Bytes are transformed using invertible substitutions (to add nonlinearity). The substitution table is based on inverses in a field of (256), which assures that each input byte is substituted into a unique output byte.
• Shift row. Each byte is shifted a number of bytes depending on its location in the block, and on the key length. Row shifts provide diffusion over multiple rounds. The tables for shift row are given.
• Mix column. This is the most complex operation. Bytes in columns are linearly combined for diffusion. Each column is multiplied by a matrix which represents a polynomial mod 256. That is, each column is considered as a polynomial:
  a_j(x) = a_0j x^3 + a_1j x^2 + a_2j x + a_3j
  multiplied modulo x^4 + 1 with a fixed polynomial:
  c(x) = ’03’ x^3 + ’01’ x^2 + ’01’ )
• Key addition. Key addition makes each round key dependent. Before the first round, the key is expanded into Nk bytes, where Nk is the size of the block times the number of rounds. Then in each round, the next required number of key bytes are extracted, shifted and XORed between them, resulting in great key diffusion.
Public Key Systems (PKS)
These algorithms use two keys, one of which is public and the other secret. The approach is based on the infeasibility of determining the decryption key given the algorithm and the public key.
Main advantage: to communicate privately among N users, you need 2N keys, instead of N(N-1)/2 keys with symmetric encryption.
Instead of permutations and substitutions these algorithms use properties of mathematical functions. In particular, they use the theory of NP functions, those for which there is no polynomial time algorithm.
Rivest, Shamir, and Adleman developed the so-called RSA cipher used in most current systems. This takes advantage of the difficulty of factoring a number into primes.
Public-key algorithms
• Diffie-Hellman (1974).
• The encryption key and the decryption key are different.
• Given the encryption key, it is hard to find the decryption key.
• The encryption key can be published (hence the name).
• The public key: the encryption key, Ke.
• The private key: the decryption key, Kd.

Public-key algorithms
• Examples: RSA (there are others).
• Convenient to use: no protocol is needed to agree on a shared key.
• Slow (usually used only to encrypt a key, not to encrypt data...).
• Exposed to the “man in the middle” attack.
• The problem: “whom to trust”.
• The solution: anyone who proves their identity.

The “man in the middle” attack
[Figure: Alice and Bob exchange “Hello, I am Alice” and “Hello, I am Bob”; with Matt in the middle, each greeting passes through Matt before it reaches the other side.]

The “man in the middle” attack
[Figure: the same exchange with keys. Alice sends “Hello, I am Alice” with KA and Bob sends “Hello, I am Bob” with KB; the copies relayed by Matt carry KA’ and KB’ instead.]
Solution - Certificates
Merkle-Hellman - The Encryption Technique
Public key is a beautiful idea – how to achieve it?
First attempt: the Merkle-Hellman encryption technique.
The public key is the set of integers of a knapsack (not a superincreasing knapsack); the private key is a corresponding superincreasing knapsack.
The contribution of Merkle and Hellman was the design of a technique for converting a superincreasing knapsack into a regular one. The trick is to change the numbers in a nonobvious but reversible way.

The Encryption Technique cont.
96: 73? Yes                  95: 73? Yes
96-73=23: 38? No             95-73=22: 38? No
23: 17? Yes                  22: 17? Yes
23-17=6: 11? No              22-17=5: 11? No
6: 4? Yes                    5: 4? Yes
6-4=2: 1? Yes                5-4=1: 1? Yes
2-1=1: No solution           1-1=0: Solution
Figure 3-6 Example of Solving a Simple Knapsack
Public Key Using the Knapsack Problem
1. Select a simple (super-increasing) knapsack S.
2. Convert the problem to a hard knapsack (select w and n relatively prime):
   H = w*S mod n
3. Encrypt: C = H*M mod n
   Since H is hard, C is hard to break.
4. Decrypt:
   C’ = w^-1 * C = w^-1 * w * S * M = S*M mod n
   Since S is simple, M can be computed easily!
Knapsack Example
1. Simple knapsack: S = (1,2,4,9)
2. w = 15, n = 17; 15 · 8 = 1 mod 17, so w^-1 = 8
   Hard knapsack: (15,13,9,16)
3. Message = 0100 1011 1010 0101
4. Encryption:
   P = 0100 1011 1010 0101
   [0,1,0,0]*[15,13,9,16] = 13
   [1,0,1,1]*[15,13,9,16] = 40
   [1,0,1,0]*[15,13,9,16] = 24
   [0,1,0,1]*[15,13,9,16] = 29
Knapsack Example cont.
5. Decryption:
   13 * 8 = 104 mod 17 = 2
   40 * 8 = 320 mod 17 = 14
   24 * 8 = 192 mod 17 = 5
   29 * 8 = 232 mod 17 = 11
   The recovered message is thus 0100101110100101
How?
C = S * M. Note: S is super-increasing!
C = 2, S = (1,2,4,9): M = (0,1,0,0)
C = 14, S = (1,2,4,9): M = (1,0,1,1)
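The knapsack example above and the Figure 3-6 trace, carried through in code as an added illustration that is not part of the original slides. S, w, n and the message come from the slides; the function names are made up for the example, and the check n > sum(S) is the standard condition for unique decryption rather than something stated on the slides.

```python
from math import gcd

S = (1, 2, 4, 9)    # private superincreasing knapsack (from the slide)
W, N = 15, 17       # multiplier w and modulus n (from the slide)


def is_superincreasing(seq):
    """Every element must exceed the sum of all elements before it."""
    total = 0
    for x in seq:
        if x <= total:
            return False
        total += x
    return True


def make_public_key(s, w, n):
    """H = w * S mod n, after checking that decryption will be unique."""
    if not is_superincreasing(s):
        raise ValueError("private knapsack must be superincreasing")
    if n <= sum(s) or gcd(w, n) != 1:
        raise ValueError("need n > sum(S) and gcd(w, n) = 1")
    return tuple(w * x % n for x in s)


def encrypt(bits, h):
    """Each block of len(h) bits becomes the sum of the selected H entries."""
    k = len(h)
    if len(bits) % k:
        raise ValueError("message length must be a multiple of len(H)")
    blocks = [bits[i:i + k] for i in range(0, len(bits), k)]
    return [sum(hi for b, hi in zip(block, h) if b == "1") for block in blocks]


def solve_superincreasing(target, s):
    """Greedy solve from the largest element down; None if no solution."""
    chosen = [0] * len(s)
    for i in range(len(s) - 1, -1, -1):
        if s[i] <= target:
            chosen[i] = 1
            target -= s[i]
    return chosen if target == 0 else None


def decrypt(cipher, s, w, n):
    """Multiply by w^-1 mod n, then solve the easy knapsack per block."""
    w_inv = pow(w, -1, n)               # 8 for w = 15, n = 17
    out = []
    for c in cipher:
        bits = solve_superincreasing(c * w_inv % n, s)
        if bits is None:
            raise ValueError("not a valid ciphertext block")
        out.append("".join(map(str, bits)))
    return "".join(out)


if __name__ == "__main__":
    H = make_public_key(S, W, N)
    C = encrypt("0100101110100101", H)
    print(H, C, decrypt(C, S, W, N))
    # The two traces of Figure 3-6, using the knapsack visible in the figure.
    print(solve_superincreasing(96, (1, 4, 11, 17, 38, 73)))
    print(solve_superincreasing(95, (1, 4, 11, 17, 38, 73)))
```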