Introduction to Software Security Crypto Basicssecuresw.dankook.ac.kr/ISS18-1/ISS_2018_07_Crypto...

Seong-je Cho

Spring 2018

Computer Security & Operating Systems Lab, DKU

Introduction to Software Security

Crypto Basics(Chapter 2)

- 2 -

Sources / References

Textbook

M. T. Goodrich and R. Tamassia, Introduction to Computer Security, Pearson (Addison-Wesley)

Many photos in presentation licensed from google images or wikipedia

Please do not duplicate and distribute

Computer Security & OS Lab, DKU

- 3 -

Contents

How to speak crypto

Substitution Cipher

Transposition Cipher

One-Time Pad

Codebook Cipher

Crypto history

Taxonomy


- 4 -

Crypto

Cryptology The art and science of making and breaking “secret codes”

Cryptographymaking “secret codes”

Cryptosystem Pair of algorithms that take a key and convert plaintext to ciphertext and

back.

Cryptanalysis breaking “secret codes”

Crypto all of the above (and more)


Alice Bob

Eve

- 5 -

How to Speak Crypto

A cipher or cryptosystem is used to encrypt the plaintext

The result of encryption is ciphertext

We decrypt ciphertext to recover plaintext

A key is used to configure a cryptosystem

A symmetric key cryptosystem uses the same key to encrypt as to decrypt

A public key cryptosystem uses a public key to encrypt and a private key to decrypt (sign)


- 6 -

Symmetric key cryptosystem

DES (Data Encryption Standard)

AES (Advanced Encryption Standard)

SEED


http://en.wikipedia.org/wiki/File:Crypto.png

http://en.wikipedia.org/wiki/File:Crypto.png

http://images.yourdictionary.com/images/computer/XOR.GIF

http://images.yourdictionary.com/images/computer/XOR.GIF

- 7 -

Public key cryptosystem

Asymmetric key cryptosystem

RSA (Rivest, Sharmir, Adleman)

ECC (Elliptic Curve Cryptography)


- 8 -

Crypto

Basis assumption The system is completely known to the attacker

Only the key is secret

Also known as Kerckhoffs Principle Crypto algorithms are not secret

Why do we make this assumption? Experience has shown that secret algorithms are weak when exposed

Secret algorithms never remain secret

Better to find weaknesses beforehand


- 9 -

Crypto as Black Box


The message M is called the plaintext.

Alice will convert plaintext M to an encrypted form using anencryption algorithm E that outputs a ciphertext C for M.

encrypt decrypt

ciphertext

plaintext

sharedsecret

key

sharedsecret

key

CommunicationchannelSender Recipient

Attacker(eavesdropping)

plaintextplaintext

평문

Symmetric key cryptosystem

Substitution Cipher


- 11 -

Simple Substitution

Replace each letter with the one “three over” in the alphabet. Plain: meet me after the toga party

Key


Cipher: PHHW PH DIWHU WKH WRJD SDUWB

Another example

Plaintext: fourscoreandsevenyearsago

Ciphertext: IRXUVFRUHDAGVHYHABHDUVDIR

Shift by 3 is “Caesar’s cipher”

a b c d e f g h i j k l m n o p q r s t u v w x y z

D E F G H I J K L M N O P Q R S T U V W X Y Z A B C

Plaintext Ciphertext

- 12 -

Ceasar’s Cipher Decryption

Suppose we know a Ceasar’s cipher is being used

Ciphertext: VSRQJHEREVTXDUHSDQWU

Plaintext: spongebobsquarepants



D E F G H I J K L M N O P Q R S T U V W X Y Z A B C


- 13 -

Not-so-Simple Substitution

Shift by n for some n {0,1,2,…,25}

Then key is n

Example: key = 7



H I J K L M N O P Q R S T U V W X Y Z A B C D E F G


- 14 -

Cryptanalysis I: Try Them All

Given A simple substitution (shift by n) is used

But the key is unknown

Given ciphertext: meqefscerhcsyeviekmvp

How to find the key?

Exhaustive key search Only 26 possible keys try them all!

Solution: key = 4

IAMABOYANDYOUAREAGIRL


- 15 -

Cryptanalysis I: Try Them All

Brute-force cryptanalysis of Caesar cipher


- 16 -

Even-less-Simple Substitution

Key is some permutation of letters

Need not be a shift

For example

Then 26! > 288 possible keys! Dominates the art of secret writing

throughout the first millennium



J I C A X S E Y V D K W B Q T Z R H F M P N U L G O


- 17 -

Cryptanalysis II: Be Clever

We know that a simple substitution is used

But not necessarily a shift by n

Can we find the key given ciphertext:

PBFPVYFBQXZTYFPBFEQJHDXXQVAPTPQJKTOYQWIPBVWLXTOXBTFXQWAXBVCXQWAXFQJVWLEQNTOZQGGQLFXQWAKVWLXQWAEBIPBFXFQVXGTVJVWLBTPQWAEBFPBFHCVLXBQUFEVWLXGDPEQVPQGVPPBFTIXPFHXZHVFAGFOTHFEFBQUFTDHZBQPOTHXTYFTODXQHFTDPTOGHFQPBQWAQJJTODXQHFOQPWTBDHHIXQVAPBFZQHCFWPFHPBFIPBQWKFABVYYDZBOTHPBQPQJTQOTOGHFQAPBFEQJHDXXQVAVXEBQPEFZBVFOJIWFFACFCCFHQWAUVWFLQHGFXVAFXQHFUFHILTTAVWAFFAWTEVOITDHFHFQAITIXPFHXAFQHEFZQWGFLVWPTOFFA


- 18 -

Cryptanalysis II

Can’t try all 288 simple substitution keys

Can we be more clever?

English letter frequency counts…


0.00

0.02

0.04

0.06

0.08

0.10

0.12

0.14

A C E G I K M O Q S U W Y

- 19 -

Cryptanalysis II

Ciphertext

PBFPVYFBQXZTYFPBFEQJHDXXQVAPTPQJKTOYQWIPBVWLXTOXBTFXQWAXBVCXQWAXFQJVWLEQNTOZQGGQLFXQWAKVWLXQWAEBIPBFXFQVXGTVJVWLBTPQWAEBFPBFHCVLXBQUFEVWLXGDPEQVPQGVPPBFTIXPFHXZHVFAGFOTHFEFBQUFTDHZBQPOTHXTYFTODXQHFTDPTOGHFQPBQWAQJJTODXQHFOQPWTBDHHIXQVAPBFZQHCFWPFHPBFIPBQWKFABVYYDZBOTHPBQPQJTQOTOGHFQAPBFEQJHDXXQVAVXEBQPEFZBVFOJIWFFACFCCFHQWAUVWFLQHGFXVAFXQHFUFHILTTAVWAFFAWTEVOITDHFHFQAITIXPFHXAFQHEFZQWGFLVWPTOFFA

Decrypt this message using info below


A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

21 26 6 10 12 51 10 25 10 9 3 10 0 1 15 28 42 0 0 27 4 24 22 28 6 8

Ciphertext frequency counts:

- 20 -

Frequency analysis history

Discovered by the Arabs

Earliest known description of frequency analysis is in a book by the 9-century scientist al-Kindi

Rediscovered or introduced from the Arabs in Europe during the Renaissance

Frequency analysis made substitution cipher inscure.

Frequency Statistics of Language

In addition to the frequency info of single letters, the frequency info of two-letter (digram) or three-letter (trigram) combinations can be used for the cryptanalysis

Most frequent digrams TH, HE, IN, ER, RE, AN, ON, EN, AT

Most frequent trigrams THE, ING, AND, HER, ERE, ENT, THA, NTH, WAS, ETH, FOR, DTH


Cryptography

Monoalphabetic Substitution Ciphers

Further generalization of the Caesar cipher,Plain: ABCDEFGHIJKLMNOPQRSTUVWXYZ

Cipher: DEFGHIJKLMNOPQRSTUVWXYZABC

is obtained by allowing any permutation of 26 characters for the cipher

Key size = 26 Key space = 26! 4x1026

Unique mapping of plaintext alphabet to ciphertext alphabet Monoalphabetic

For a long time thought secure,

but easily breakable by frequency analysis attack

Computer Security & OS Lab. DKU

Cryptography

Vigenere Cipher

A method of encrypting alphabetic text by using a series of different Caesar ciphersbased on the letters of a keyword

Choose key word

Repeat key word to match character count to plaintext

Assign key word character to plaintext characters

Replace plaintext with shifted letter from character’s Vigenere Table row


https://en.wikipedia.org/wiki/Encryption

https://en.wikipedia.org/wiki/Alphabet

https://en.wikipedia.org/wiki/Caesar_cipher

Cryptography

Polyalphabetic System with Vigenere Table

1st i Z

2nd i T


Cryptography

Vigenère cipher

• Best-known polyalphabetic ciphers

• Each key letter determines one of 26 Caesar (shift) ciphers

• ci = E(pi) = pi + ki mod(key length)

• Example:

• Keyword is repeated to make a key as long as the plaintext

• Given a sufficient amount of ciphertext, common sequences are repeated, exposing the period (keyword length) Target of the cryptanalysis


Key: deceptivedeceptivedeceptive

Plaintext: wearediscoveredsaveyourself

Cipheretxt: ZICVTWQNGRZGVTWAVZHCQYGLMGJ

Cryptography


Key: deceptivedeceptivedeceptive


Cipheretxt: ZICVTWQNGRZGVTWAVZHCQYGLMGJ

Cryptography

Vigenère cipher

If the keyword length is N, then Vigenère cipher, in effect, consists of N monoalphabetic substitution ciphers

Improvement over the Playfair cipher, but language structure and frequency information still remain

Vigenère autokey system: after key is exhausted, use plaintext for running key (to eliminate the periodic nature)

Key and plaintext share the same frequency distribution of letters a statistical technique can be used for the cryptanalysis, (e.g., e enciphered with e would occur with a frequency of (0.1275)2 0.0163, t enciphered with t would occur with a frequency of (0.0925)2 0.0086, etc.)


Key: deceptivewearediscoveredsav


Cipheretxt: ZICVTWQNGKZEIIGASXSTSLVVWLA

Cryptography

Substitution Boxes

Vigenère cipher can be visualized using a two-dimensional table

● 1st letter in a pair would specify a row

● 2nd letter in a pair would specify a column

● Each entry would be the unique two-letter substitution to use for the pair

This substitution can also be done on binary numbers.

Such substitutions are usually described by substitution boxes, or S-boxes.


Transposition cipher,Hill cipher


Cryptography

Transposition Cipher

method of encryption by which the positions held by units of plaintext (which are commonly characters or groups of characters) are shifted according to a regular system, so that the ciphertext constitutes a permutation of the plaintext.

Hide the message by rearranging the letter order without altering the actual letters used

Rail Fence Cipher● Write message on alternate rows, and read off cipher row by row● Example (Two rails): Meet me after the toga party

● Example (Three rails) : 'WE ARE DISCOVERED. FLEE AT ONCE’


M e m a t r h t g p r y

e t e f e t e o a a tMEMATRHTGPRYETEFETEOAAT

W E C R L T E

E R D S O E E F E A O C

A I V D E N

WECRL TEERD SOEEF EAOCA IVDEN

http://en.wikipedia.org/wiki/Permutation

Cryptography

Transposition (Permutation) Techniques

Columnar Transposition Ciphers● Message is written in rectangle, row by row, but read off column by

column; The order of columns read off is the key● Example 1:

● Example 2:Ciphertext isEATI TNIH MEXN ETMG MEDT

Generalization: multiple transpositions


Key: 4 3 1 2 5 6 7

Plaintext: a t t a c k p

o s t p o n e

d u n t i l t

w o a m x y z

Ciphertext:TTNA APTM TSUO AODW COIXKNLYPETZ

Cryptography

Double Transposition


Plaintext: attackxatxdawn

Permute rowsand columns

Ciphertext: xtawxnattxadakc

Key: matrix size and permutations (3,5,1,4,2) and (1,3,2)

Cryptography

The Hill Cipher

Use of linear algebra

To encrypt a message, each block of n letters (considered as an n-component vector) is multiplied by an invertible n× n matrix, again modulus 26. ● The matrix used for encryption is the cipher key

● The key (or GYBNQKURP in letters) →

To decrypt the message, each block is multiplied by the inverse of the matrix used for encryption.● the inverse matrix of the key matrix (IFKVIVVMI in letters)


Source: http://en.wikipedia.org/wiki/Hill_cipher

http://en.wikipedia.org/wiki/Vector_space

http://en.wikipedia.org/wiki/Matrix_(mathematics)

http://en.wikipedia.org/wiki/Modular_arithmetic

Cryptography

The Hill Cipher

Key: GYBNQKURP in letters

Plaintext: ACT (A:0, C:2, T:19)

or Plaintext: CAT

Ciphertext of ‘ACT’ is (‘POH’), Ciphertext of ‘CAT’ is (‘FIN’)

Decryption


One-time Pad


- 35 -

One-time Pad Encryption

Assume that the (right) key was given to Alice


e=000 h=001 i=010 k=011 l=100 r=101 s=110 t=111

Encryption: Plaintext Key = Ciphertext

Ph e i l h i t l e r

001 000 010 100 001 010 111 100 000 101

K 111 101 110 101 111 100 000 101 110 000

C110 101 100 001 110 110 111 001 110 101

s r l h s s t h s r

- 36 -

One-time Pad Decryption

Assume that the (right) key was given to Bob


e=000 h=001 i=010 k=011 l=100 r=101 s=110 t=111

Decryption: Ciphertext Key = Plaintext

Cs r l h s s t h s r

110 101 100 001 110 110 111 001 110 101

K 111 101 110 101 111 100 000 101 110 000

P001 000 010 100 001 010 111 100 000 101

h e i l h i t l e r

- 37 -

One-time Pad (1st threat scenario)

Double agent, Charlie, claims that the key was 101 111 000 … (wrong key.)

Bob cannot understand the decrypted message, and contact to Alice.


Double agent claims sender used “key”:

e=000 h=001 i=010 k=011 l=100 r=101 s=110 t=111


110 101 100 001 110 110 111 001 110 101

K 101 111 000 101 111 100 000 101 110 000

P011 010 100 100 001 010 111 100 000 101

k i l l h i t l e r

- 38 -

One-time Pad (2nd threat scenario)

Assume that Alice is captured, but she is double agent and told the adversary the (wrong) key

The adversary didn’t know the fact and can release her.


Sender (Alice) is captured and claims the key is:


110 101 100 001 110 110 111 001 110 101

K 111 101 000 011 101 110 001 011 101 101

P001 000 100 010 011 000 110 010 011 000

h e l i k e s i k e

e=000 h=001 i=010 k=011 l=100 r=101 s=110 t=111

- 39 -

One-time Pad Summary

Provably secure, when used correctly Ciphertext provides no info about plaintext

All plaintexts are equally likely

Pad must be random, used only once

Pad is known only by sender and receiver

Pad is same size as message

No assurance of message integrity

Why not distribute message(plaintext) the same way as the pad(key)?


Others

(Codebook, Information theory …)


- 41 -

Codebook

Literally, a book filled with “codewords”

Zimmerman Telegram encrypted via codebookFebruar 13605

fest 13732

finanzielle 13850

folgender 13918

Frieden 17142

Friedenschluss 17149

: :

Modern block ciphers are codebooks!

More on this later…


http://library.thinkquest.org/28005/flashed/timemachine/courseofhistory/zimmerman.shtml?tqskip1=1&tqtime=1029

- 42 -

Early 20th Century

WWI Zimmerman Telegram

“Gentlemen do not read each other’s mail” Henry L. Stimson, Secretary of State, 1929

WWII golden age of cryptanalysis

Japanese Purple (codename MAGIC)

German Enigma (codename ULTRA)

Enigma Machine


• Encryption machine used by Germans in the WWII, relies on electricity

• Plug board: allowed for pairs of letters to be remapped before the encryption process started and after it ended.

• Light board

• Keyboard

• Set of rotors: user must select three rotors from a set of rotors to be used in the machine. A rotor contains one-to-one mappings of all the letters.

• Reflector (half rotor).

http://en.wikipedia.org/wiki/Magic_(cryptography)

http://en.wikipedia.org/wiki/Enigma_machine

- 43 -

Alan Turing


- 44 -

Post-WWII History

Claude Shannon father of the science of information theory

Computer revolution lots of data

Data Encryption Standard (DES), 70’s

Public Key cryptography, 70’s

CRYPTO conferences, 80’s

Advanced Encryption Standard (AES), 90’s

Crypto moved out of classified world


- 45 -

Claude Shannon

The founder of Information Theory 1949 paper: Comm. Thy. of Secrecy Systems

http://netlab.cs.ucla.edu/wiki/files/shannon1949.pdf

Confusion and diffusion Confusion obscure relationship between plaintext and ciphertextMaking the relationship between the ciphertext and the key as complex and

involved as possible

One aim is to make it very hard to find the key even if one has a large number of plaintext-ciphertext pairs produced with the same key

E.g.) simple substitution cipher

Diffusion spread plaintext statistics through the ciphertext Change of one character in the plaintext results in several characters changed in the

ciphertext

One-time pad only uses confusion, while double transposition only uses diffusion

Proved that one-time pad is secureComputer Security & OS Lab, DKU

http://en.wikipedia.org/wiki/Claude_Shannon

http://netlab.cs.ucla.edu/wiki/files/shannon1949.pdf

- 46 -

Taxonomy of Cryptography

Symmetric Key Same key for encryption as for decryption

Stream ciphers

Block ciphers

Public Key Two keys, one for encryption (public), and one for decryption (private)

Digital signatures nothing comparable in symmetric key crypto

Hash algorithms


- 47 -

Taxonomy of Cryptography


스트림 암호 블록 암호

RC4, LFSR AES, SEED

이산 대수 소인수 분해

공개키암호

DH, DSA RSA

현대 암호

대칭키 암호

해쉬 함수

SHA1,HAS-160

- 48 -

Summary, Q & A

Substitution ciphers

Mono-alphabetic (Basic unit is letters)

Poly-alphabetic (Basic unit is single letters)

Statistical Attacks

Numerous tests have failed to do statistical analysis of the ciphertext

Transposition ciphers

Hill cipher


Introduction to Software Security Crypto Basicssecuresw.dankook.ac.kr/ISS18-1/ISS_2018_07_Crypto...

Documents

Transcript of Introduction to Software Security Crypto Basicssecuresw.dankook.ac.kr/ISS18-1/ISS_2018_07_Crypto...