Crypt Analysis

  • 8/4/2019 Crypt Analysis


    Cryptography and Steganography

    Dr. Abhijit Das

    Department of Computer Science and Engineering

    Indian Institute of Technology Kharagpur

    Kharagpur 721302 India


    Hash Functions


    Hash Functions: Introduction

    Input: A string (message) M of any length.

    Output: A string of a fixed length. The output is called the hash-value or the hash of M.

    The hash of a message is a short representative of the message.

    Easy to compute.

    Provide message compression.

    Alternate names: Message digest, digital fingerprint and imprint.

    May be used in conjunction with secret keys.


    Hash Functions: Classification

    Unkeyed hash function or modification detection code (MDC): used to preserve integrity of message, i.e., to detect modification of the message by an active adversary or by transmission errors.

    Keyed hash function or message authentication code (MAC): used to authenticate the source of a message (since secret keys are used to hash a message) in addition to preserving integrity of the message.


    Hash Functions: Desirable Properties

    Collision: A hash function H maps an infinite set to a finite set and so there must exist messages x and x' such that H(x) = H(x'). Such a pair (x, x') of messages is called a collision for H.

    First preimage resistance: Except for a few hash values y, it should be difficult to find a message x such that H(x) = y.

    Second preimage resistance: Given a message x, it should be difficult to find another message x' with the property that H(x) = H(x').

    Collision resistance: It should be difficult to find two messages x and x' with H(x) = H(x').


    Hash Functions: Design

    A compression function f maps strings of length m to strings of length n. Let r = m - n.

    Break the message M into blocks M_1, M_2, ..., M_l of length r.

    Start with an initial hash value H_0.

    For k = 1, 2, ..., l compute the next hash value H_{k+1} = f (H_k || M_k).

    Output H_{l+1} as the hash value H(M) of M.

    If f has the desirable properties, then H too has those.

    A symmetric cipher may be used for designing one-way compression functions. Example: f (M || K) = DES


    maps 120-bit strings to 64-bit strings.


    Hash Functions: Examples

    Custom-designed hash functions work based on the general principle described earlier.

    The MD family: MD2, MD4 and MD5 (128-bit hash).

    The SHA family: SHA-1 (160-bit), SHA-256 (256-bit), SHA-384 (384-bit) and SHA-512 (512-bit).

    RIPEMD-128 (128-bit), RIPEMD-160 (160-bit).


    Hash Functions: Examples

    HMAC (a keyed hash function)

    Notations:

    M = the message to be hashed

    H = an unkeyed hash function

    K = key for HMAC

    P, Q = short padding blocks (not secret).

    HMAC(M) = H (K || P || H (K || Q || M)).

    HMAC involves two calls of H.

    HMAC is efficient, since the outer call involves computation of hash of a short message.
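
    The nested construction above, written out for SHA-256 and checked against Python's standard hmac module. This is an added example, not part of the original slides. It follows the standardized HMAC (RFC 2104), which combines the key with the two pads by XOR rather than by concatenation; the function names are this example's own.

```python
import hashlib
import hmac

BLOCK = 64  # SHA-256 processes its input in 64-byte blocks


def hmac_sha256_manual(key: bytes, msg: bytes) -> bytes:
    """HMAC(M) = H(outer_key || H(inner_key || M)) as in RFC 2104."""
    if len(key) > BLOCK:                 # over-long keys are hashed first
        key = hashlib.sha256(key).digest()
    key = key.ljust(BLOCK, b"\x00")      # then zero-padded to one block
    inner_key = bytes(b ^ 0x36 for b in key)   # role of "K || Q" on the slide
    outer_key = bytes(b ^ 0x5C for b in key)   # role of "K || P" on the slide
    inner = hashlib.sha256(inner_key + msg).digest()   # long input: the message
    return hashlib.sha256(outer_key + inner).digest()  # short input: 64 + 32 bytes


def verify_tag(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Recompute the tag and compare in constant time."""
    return hmac.compare_digest(hmac_sha256_manual(key, msg), tag)


if __name__ == "__main__":
    key = b"constructed demo key"            # sample values made up for the example
    msg = b"transfer 100 to account 42"
    tag = hmac_sha256_manual(key, msg)
    print("matches hmac module:", tag == hmac.new(key, msg, hashlib.sha256).digest())
    print("tampered message accepted:", verify_tag(key, msg + b"0", tag))
```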


    Hash Function: Attacks

    Birthday attack: Let H be a hash function that produces n-bit hash values. If about 2^(n/2) random messages are hashed by H, then it is highly probable that we have found two messages x and x' satisfying H(x) = H(x').

    The bit-size n of hash values should be at least as large as 128. The values greater than or equal to 160 are recommended.

    Other attacks:

    Attacks on the compression function

    Chaining attacks

    Attacks on the underlying block cipher
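
    To make the 2^(n/2) bound concrete, the following added example (not from the original slides) builds an iterated hash from a compression function as on the "Design" slide and then runs a birthday search against it. The compression function is SHA-256 truncated to n = 24 bits, a deliberately tiny size chosen so the search finishes at once; the length padding and all names are assumptions of this example.

```python
import hashlib
from itertools import count

N_BYTES = 3   # n = 24-bit hash values (toy size, assumption of this example)
R_BYTES = 8   # r = 64-bit message blocks, so f takes m = n + r = 88 bits


def f(block: bytes) -> bytes:
    """Toy compression function: m-bit input -> n-bit output."""
    assert len(block) == N_BYTES + R_BYTES
    return hashlib.sha256(block).digest()[:N_BYTES]


def pad(msg: bytes) -> bytes:
    """Pad to a multiple of r: 0x80, zeros, then the message length (one block)."""
    padded = msg + b"\x80"
    padded += b"\x00" * (-len(padded) % R_BYTES)
    return padded + len(msg).to_bytes(R_BYTES, "big")


def iterated_hash(msg: bytes, h0: bytes = b"\x00" * N_BYTES) -> bytes:
    """Chain f over the blocks: next value = f(current value || block)."""
    h = h0
    data = pad(msg)
    for i in range(0, len(data), R_BYTES):
        h = f(h + data[i:i + R_BYTES])
    return h


def birthday_collision():
    """Hash distinct messages until two share a hash value.

    Returns (x, x_prime, number_of_messages_hashed).
    """
    seen = {}
    for i in count():
        msg = i.to_bytes(8, "big")
        digest = iterated_hash(msg)
        if digest in seen:
            return seen[digest], msg, i + 1
        seen[digest] = msg


if __name__ == "__main__":
    x, x_prime, trials = birthday_collision()
    print(f"collision after {trials} messages; 2^(n/2) = {2 ** (N_BYTES * 4)}")
    print(x.hex(), x_prime.hex(), iterated_hash(x).hex())
```

    The search ends after a number of messages on the order of 2^12, far below the 2^24 possible hash values, which is why n has to be chosen with n/2 bits of work in mind.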


    Digital Signatures


    Digital Signatures: Introduction

    Digital equivalent of hand-written signatures.

    Bind pieces of digital data with particular entities.

    Based on public-key technology.

    Signing: The signer uses his private key d to sign.

    Difficulty of forging: An entity without knowledge of this private key d cannot generate a valid signature on a new piece of data.

    Verifying: Anybody having access to the signer's public key e can verify the signature.

    Non-repudiation: An entity should not be allowed to deny valid signatures made by him.


    Digital Signatures: Classification

    Signature with appendix: A representative H(M) of the message M is computed. The signing transformation is applied on H(M). Verification requires the message M.

    Signature generation:

    m = H(M)

    s = f_s(m, d)

    Output the signed message (M, s).

    Signature verification:

    Compute m = H(M)

    Compute m' = f_v(s, e)

    If (m = m') output "signature verified"

    else output "signature not verified"


    Digital Signatures: Classification

    Signature with message recovery: The signing transformation is applied to the message itself. The verification transformation retrieves the message.

    Signature generation:

    Compute the signature s = f_s(M, d)

    Signature verification:

    Recover the message M = f_v(s, e)

    If M looks like a valid message, output "signature verified"

    else output "signature not verified"


    Digital Signatures: Classification

    Deterministic signatures: For a given message the same signature is generated on every occasion the signing algorithm is executed.

    Probabilistic signatures: On different runs of the signing algorithm different signatures are generated, even if the message remains the same.

    Probabilistic signatures offer better protection against some kinds of forgery.

    Deterministic signatures are of two types:

    Multiple-use signatures: Slow. Parameters are used multiple times.

    One-time signatures: Fast. Parameters are used only once.


    Digital Signatures: Examples

    RSA with appendix

    Parameter selection:

    Select two large primes p and q.

    Compute n = pq and φ(n) = (p - 1)(q - 1).

    Select a random integer e with gcd(e, φ(n)) = 1.

    Compute an integer d satisfying ed ≡ 1 (mod φ(n)).

    Publish (e, n) as the verification key.

    Keep d secret as the signing key.


    Digital Signatures: Examples

    Signature generation:

    Generate the short representative m = H(M) of M.

    Sign m as s = m^d (mod n).

    Output (M, s) as the signed message.

    Signature verification:

    Generate the short representative m = H(M) of M.

    Invert signature as m' = s^e (mod n).

    If (m = m'), output "signature verified", else output "signature not verified".

    Forging: If any key other than d is used to sign m, the equality m = m' will not be satisfied. So forging RSA signatures is as difficult as knowing d.


    Digital Signatures: Examples

    RSA with message recovery

    Parameter selection: Same as before.

    Signature generation:

    Compute s = M^d (mod n).

    Output the signature s.

    Signature verification:

    Compute M = s^e (mod n).

    If M is a valid message, output "signature verified", else output "signature not verified".

    Forging: If any key other than d is used to generate s, the recovered message M will almost certainly look like a meaningless sequence of symbols.


    Digital Signatures: Examples

    Rabin signature

    ElGamal signature

    Schnorr signature

    Nyberg-Rueppel signature

    Digital signature algorithm (DSA)

    Elliptic curve version of DSA (ECDSA)

    XTR signature


    . . .


    Digital Signatures: Blind Signatures

    The signer is not allowed to know the message to sign.

    Still his active participation is necessary for signing.

    Blind RSA signature:

    Parameter generation: As before.

    Signature generation:

    A generates a random integer k coprime to n.

    A blinds m as m* = m k^e (mod n).

    B signs s* = (m*)^d (mod n).

    A retrieves B's signature s = s* k^(-1) (mod n).

    Signature verification: As before.
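
    The RSA-with-appendix steps and the blind signature exchange between A and B, carried through with numbers. This is an added example, not part of the original slides: the primes are two small Mersenne primes picked for the example (far too small for real use), m = H(M) is SHA-256 reduced mod n with no padding scheme, and all function names are this example's own.

```python
import hashlib
import math
import secrets

# Parameter selection (toy values constructed for this example).
P = 2**61 - 1                      # prime p
Q = 2**89 - 1                      # prime q
N = P * Q                          # n = pq
PHI = (P - 1) * (Q - 1)            # phi(n) = (p - 1)(q - 1)
E = 65537                          # gcd(e, phi(n)) = 1
D = pow(E, -1, PHI)                # ed = 1 (mod phi(n)); D is the signing key


def H(message: bytes) -> int:
    """Short representative m = H(M), reduced mod n (assumption of this example)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message: bytes) -> int:
    """RSA with appendix: s = m^d (mod n)."""
    return pow(H(message), D, N)


def verify(message: bytes, s: int) -> bool:
    """Recompute m = H(M), invert the signature as m' = s^e, compare."""
    return pow(s, E, N) == H(message)


def blind(m: int):
    """A's step: pick k coprime to n and form m* = m k^e (mod n)."""
    while True:
        k = secrets.randbelow(N - 2) + 2
        if math.gcd(k, N) == 1:
            return (m * pow(k, E, N)) % N, k


def signer_sign_blinded(m_star: int) -> int:
    """B's step: s* = (m*)^d (mod n). B sees only m*, never m."""
    return pow(m_star, D, N)


def unblind(s_star: int, k: int) -> int:
    """A's step: s = s* k^(-1) (mod n), because (m k^e)^d = m^d k (mod n)."""
    return (s_star * pow(k, -1, N)) % N


def blind_signature(message: bytes):
    """Run the whole exchange; returns (s, m_star) so both views can be inspected."""
    m_star, k = blind(H(message))
    return unblind(signer_sign_blinded(m_star), k), m_star


if __name__ == "__main__":
    msg = b"constructed sample message"
    s, m_star = blind_signature(msg)
    print("unblinded signature equals direct signature:", s == sign(msg))
    print("verifies under (e, n):", verify(msg, s))
    print("B saw m itself:", m_star == H(msg))
```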


    Digital Signatures: Undeniable


    An active participation of the signer is necessary during signature verification.

    A signer is not allowed to deny a legitimate signature made by him.

    An undeniable signature comes with a denial or disavowal protocol that generates one of the following three outputs:

    Signature verified

    Signature forged

    The signer is trying to deny his signature by not properly participating in the protocol.


    Digital Signatures: Attacks

    Total break: An attacker knows the signing key or has a function that is equivalent to the signature generation transformation.

    Selective forgery: An attacker can generate signatures (without the participation of the legitimate signer) on a set of messages chosen by the attacker.

    Existential forgery: The attacker can generate signatures on certain messages over which the attacker has no control.


    Digital Signatures: Attacks

    Key-only attack: The attacker knows only the verification (public) key of the signer. This is the most difficult attack to mount.

    Known-message attack: The attacker knows some messages and the signatures of the signer on these messages.

    Chosen-message attack: This is similar to the known-message attack except that the messages for which the signatures are known are chosen by the attacker.

    Adaptive chosen-message attack: The messages to be signed are adaptively chosen by the attacker.


    Digital Certificates


    Digital Certificates: Introduction

    Bind public-keys to entities.

    Required to establish the authenticity of public keys.

    Guard against malicious public keys.

    Promote confidence in using others' public keys.

    Require a Certification Authority (CA) whom every entity over a network can believe. Typically, a government organization or a reputed company can be a CA.

    In case a certificate is compromised, one needs to revoke it.

    A revoked certificate cannot be used to establish the authenticity of a public key.


    Digital Certificates: Contents

    A digital certificate contains particulars about the entity whose public key is to be embedded in the certificate. It contains:

    Name, address and other personal details of the entity.

    The public key of the entity. The key pair may be generated by either the entity or the CA. If the CA generates the key pair, then the private key is handed over to the entity by trusted couriers.

    The certificate is digitally signed by the private key of the CA.

    If signatures are not forgeable, nobody other than the CA can generate a valid certificate for an entity.


    Digital Certificates: Revocation

    A certificate may become invalid due to several reasons:

    Expiry of the certificate

    Possible or suspected compromise of the entity's private key

    An invalid certificate is revoked by the CA.

    The CA maintains a list of revoked certificates, the Certificate Revocation List (CRL).

    An entity A willing to use B's public key looks up the certificate for B's public key. If the CA's signature is verified on this certificate and if the certificate is not found in the CRL, then A gains the desired confidence to use B's public key.


    Steganography: Introduction

    Literally means "covered writing" (Greek).

    Hiding messages in innocent media.

    May be used in conjunction with cryptography, i.e., the message may be encrypted before hiding.

    An encrypted message arouses suspicion during transmission. A hidden message is invisible and is not expected to arouse suspicion.

    Digital watermarking embeds copyright, ownership, license and similar information in a medium. It is different from steganography only in the intent of hiding. They share the same operational and functional behaviors.


    Steganography: History

    Shave the messenger's head, tattoo the secret message, allow hair to grow and then send the messenger. When the messenger reaches the destination, his head can be shaved once again in order to see the hidden message.

    A German spy sent this message during World War II:

    Apparently neutral's protest is thoroughly discounted and ignored. Isman hard hit. Blockade issue affects pretext for embargo on by-products, ejecting suets and vegetable oils.

    Extracting second letters from the words gives:

    Pershing sails from NY June I.


    Steganography: Terminology


    Cover-medium + embedded message + Stego-key = Stego-medium.

    Multimedia files are good covers for hiding messages:

    Images

    Sound files

    Binary files

    Text files

    We will concentrate on embedding messages in image files. The media are then called cover-image and stego-image.


    Steganography: Image Files

    Size of an image is determined by pixels. A pixel is an instance of color.

    A color can be specified by the primary components: Red, Green and Blue. Each component is represented by a byte (an 8-bit value between 0 and 255).

    Example: 00 00 00 is black, FF 00 00 is red, FF FF 00 is yellow, and FF FF FF is white.

    Each pixel can be represented by an 8-bit value (GIF) or a 24-bit value (JPEG, BMP).

    The image data is usually compressed.

    Lossless compression: The exact pixel values are stored.

    Lossy compression: Approximate pixel values are stored.


    Steganography: Image Files

    A GIF (Graphic Interchange Format) image is an 8-bit image file. Supports at most 256 colors per image.

    Color-map table: An index of 256 (or less) colors occurring in the image.

    Each pixel is represented by an 8-bit value which refers to the index of the color in the color-map table.

    A JPEG (Joint Photography Experts Group) image is a 24-bit image file that uses lossy compression based on the discrete cosine transform (DCT).

    Both GIF and JPEG formats use adaptations of the Lempel-Ziv (LZ) compression algorithm.


    Steganography: Methods

    Least significant bit (LSB) insertion: Modify the LSB of a pixel value based on the message to hide. Small changes in the pixel values cannot be noticed by human observers.

    Properties:

    Simple to implement.

    Compatible with lossless compression.

    Better adapted to 24-bit images.

    Often works well with gray-scale images.

    Causes expansion of the number of colors in an image.

    Extremely vulnerable to image manipulations.


    Steganography: Methods

    Masking and filtering: Marks the image in a non-detectable manner, for example, by increasing the intensity subtly at certain locations of the image. Typically noisy and busy areas of an image are chosen to hide the message.


    The hidden message is more integrated to the cover image.

    Robust against image manipulations like rotation, smoothing.

    Multiple insertion of the hidden message makes stego-images robust against cropping.

    Can withstand some amount of compression.


    Steganography: Methods

    Algorithms and transformation: These are the most sophisticated hiding mechanisms that use special algorithms to hide a message in an image. For example, the DCT algorithm may be exploited in order to hide a message in a JPEG file. The DCT uses floating-point calculations with rounding-off errors and so the compression is lossy. Suitably modifying the floating-point arithmetic may hide a message.


    Integrates the message in the image in the best way.

    Most robust against image manipulation.

    Compatible with lossy compression.


    Steganography: LSB Example

    Suppose we want to hide the letter C in a GIF image.

    The ASCII value of C is 67, i.e., 01000011.

    Suppose that the first eight pixels of the GIF image are:

    00110101 01001000 00101000 00110101

    00101111 00011100 01001000 01001000

    Modifying the LSBs corresponding to C gives:

    00110100 01001001 00101000 00110100

    00101110 00011100 01001001 01001001

    Changes in the index values (in the color-map table) may lead to easily detectable patterns in the image (for example, a red spot in the blue sky).

    More sophisticated algorithms smooth out the patterns.
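
    The worked example above as code, reproducing the slide's eight pixel values and generalizing to messages of any length that fit the cover. This is an added example, not part of the original slides; the function names are this example's own, and pixels are treated as a flat list of 8-bit values.

```python
def message_bits(message: bytes):
    """Bits of the message, most significant bit of each byte first."""
    return [(byte >> shift) & 1 for byte in message for shift in range(7, -1, -1)]


def embed(pixels, message: bytes):
    """Return a copy of pixels whose LSBs carry the message bits, one bit per pixel."""
    bits = message_bits(message)
    if len(bits) > len(pixels):
        raise ValueError("cover too small: need one pixel per message bit")
    stego = list(pixels)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit   # clear the LSB, then set it to the bit
    return stego


def extract(pixels, nbytes: int) -> bytes:
    """Read nbytes back from the LSBs of the first 8 * nbytes pixels."""
    out = bytearray()
    for i in range(nbytes):
        byte = 0
        for value in pixels[8 * i: 8 * i + 8]:
            byte = (byte << 1) | (value & 1)
        out.append(byte)
    return bytes(out)


# The first eight pixels from the slide.
COVER = [0b00110101, 0b01001000, 0b00101000, 0b00110101,
         0b00101111, 0b00011100, 0b01001000, 0b01001000]

if __name__ == "__main__":
    stego = embed(COVER, b"C")
    print(" ".join(f"{value:08b}" for value in stego))
    print("recovered:", extract(stego, 1))
    print("pixels changed:", sum(a != b for a, b in zip(COVER, stego)))
```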


    Steganography: Examples

    StegoDos: handles 8-bit images, uses LSB insertion.

    Hide and Seek: LSB-based.

    Hide4PGP: LSB-based.

    S-Tools: LSB-based.

    SysCop: LSB-based.

    White Noise Storm: LSB-based.

    Mandelsteg: hides messages in a fractal image.

    Jsteg-Jpeg: handles Jpeg images by manipulation of DCT coefficients.


    Steganography: Examples

    Text message to hide:

    Steganography is the art and science of communicating in a way which hides the existence of the communication. In contrast to cryptography, where the enemy is allowed to detect, intercept and modify messages without being able to violate certain security premises guaranteed by a cryptosystem, the goal of steganography is to hide messages inside other harmless messages in a way that does not allow any enemy to even detect that there is a second secret message present.

    [Figures: Cover image; Stego image produced by StegoDos]


    Steganography: Examples

    Image file to hide:

    Image of a major Soviet strategic bomber base


    Steganography: Examples

    Cover image:

    Pierre-Auguste Renoir's Le Moulin de la Galette.


    Steganography: Examples

    Stego-image produced by White Noise Storm:


    Steganography: Examples

    Stego-image produced by S-Tools:


    Steganography: Examples

    Watermarked image obtained by masking:


    Steganalysis: Introduction

    Steganalysis refers to the art of detecting and rendering useless covert messages.

    Classification:

    Stego-only attack: Only the stego-medium is available to the attacker.

    Known-cover attack: Both the original cover medium and the corresponding stego-medium are available.

    Known-message attack: The hidden message and the stego-medium are available.

    Chosen-message attack: Similar to the known-message attack except that the message(s) are chosen by the attacker.

    Adaptive chosen-message attack: Same as chosen-message attack, but the messages are chosen adaptively.


    Steganalysis: Detection of Hidden


    Looking for unusual features in a medium:

    May be done by a human observer. Example: Red dot in an immaculately blue sky. Another example of a stego-image produced by Hide and Seek is given below:

    Unusual features may be detected electronically. This is particularly needed, because our eyes (and ears) are insensitive to small variations. Examples: Slightly colored pixels in a gray-scale image, rapid change in pixel values in a small region.


    Steganalysis: Detection of Hidden


    Search for signatures of known steganographic software.

    Look for obvious and repetitive patterns.

    In a known-cover attack, one should compare the original cover medium with the stego medium.

    Image processing: Luminance defined as

    L = (0.299 x R) + (0.587 x G) + (0.114 x B)

    is a promising message detection parameter.


    Steganalysis: Detection of Hidden


    S-Tools handles 8-bit images by first reducing the number of colors in the original image to 32 and then applying LSB insertion. So many indexes of pixels differ only by one bit (the LSB). Therefore, the variance in colors produced by normal images is usually much larger than stego-images produced by S-Tools.

    Mandelsteg produces images with 256 palette entries with two entries for each of 128 different colors.

    Hide and Seek produces images whose 8-bit color values are multiples of 4. For example, the whitest color in a stego image from this software has the RGB value 252,252,252.
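
    The three tool signatures above turned into palette checks that a detector could run over the color-map table of an 8-bit image. This is an added example, not part of the original slides: the palettes are constructed test data, the function names are this example's own, and the S-Tools test (at most 32 colors remain once each component's LSB is masked off) is this example's reading of the slide's description rather than a published rule.

```python
from collections import Counter


def hide_and_seek_like(palette) -> bool:
    """Every 8-bit color component is a multiple of 4."""
    return bool(palette) and all(c % 4 == 0 for rgb in palette for c in rgb)


def mandelsteg_like(palette) -> bool:
    """256 palette entries made of 128 different colors, two entries each."""
    counts = Counter(palette)
    return len(palette) == 256 and len(counts) == 128 and set(counts.values()) == {2}


def s_tools_like(palette) -> bool:
    """Many colors that collapse to at most 32 once the LSBs are ignored."""
    distinct = set(palette)
    masked = {(r & 0xFE, g & 0xFE, b & 0xFE) for r, g, b in distinct}
    return len(masked) <= 32 < len(distinct)


def detect(palette):
    """Names of the signatures that match the palette (list of (R, G, B) tuples)."""
    checks = {
        "Hide and Seek": hide_and_seek_like,
        "Mandelsteg": mandelsteg_like,
        "S-Tools": s_tools_like,
    }
    return sorted(name for name, check in checks.items() if check(palette))


# Constructed palettes, one per case (not taken from real images).
NORMAL = [(i, (7 * i) % 256, (13 * i) % 256) for i in range(256)]
HIDE_AND_SEEK = [(4 * (i % 64), 4 * ((3 * i) % 64), 252 - 4 * (i % 64))
                 for i in range(256)]
MANDELSTEG = [(2 * i + 1, i, 255 - i) for i in range(128)] * 2
S_TOOLS = [variant
           for i in range(32)
           for variant in ((8 * i, 100, 50), (8 * i | 1, 100, 50),
                           (8 * i, 101, 50), (8 * i, 100, 51))]

if __name__ == "__main__":
    for name, palette in [("normal", NORMAL), ("hide-and-seek", HIDE_AND_SEEK),
                          ("mandelsteg", MANDELSTEG), ("s-tools", S_TOOLS)]:
        print(f"{name:14s} -> {detect(palette) or 'no signature'}")
```

    A match is a reason to look closer, not proof: a legitimately quantized image can also have a palette of multiples of 4.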


    Steganalysis: Destroying Hidden


    Once existence of a hidden message is detected, it is necessary to read it. This is not always easy, since the hidden message may be encrypted. The next best thing that an attacker can do is to destroy the message.

    Break the image I in two parts:

    I = v + t,

    where t is the threshold of human imperceptibility.

    Choose some t' in the region of human imperceptibility and modify the image as:

    I' = v + t'.

    I and I' look the same, but I' has the hidden message distorted beyond recovery possibilities.
