Wade Trappe

Transcript of Wade Trappe

  • Lecture Slides: CS4236 Principles & Practice of Computer Security
    http://www.comp.nus.edu.sg/~cs4236/

    Sandeep [email protected]

    Lecture Slides p.1

  • CS4236 Computer Security II. Textbook: Introduction to Cryptography with Coding Theory by Wade Trappe and Lawrence Washington.

    Chapters 1-8, 11-13, 17, or as much of them as possible. Remaining: System & Network Security.

    Useful if handy with Linux. Office Hours: Tue 5-6pm in S15#04-08.

    Grading policy: Marks for tutorials 10%. Each tutorial question will have marks. You must attempt enough questions to get at least 10 marks during the semester.

    CS4236 intro p.2

  • Caveats. I will not know all the answers. I hope not! It's unlikely that my lecture slides will be ready before the lecture. Mutual discussion is highly encouraged, blind copying is not. (Cheating | plagiarism) ⇒ F in class. Give me regular feedback about the speed and strenuousness of the class. Start looking for a paper to present.

    CS4236 intro p.3

  • Is Computer Security necessary? Adapted from [Kan01].

    Because a lot of money is handled by computers. Because a lot of important information is stored on and handled by computers.

    Would you want anyone to find your GPA, SAT, or GRE scores? How about your credit history, or your medical history?

    There needs to be a mechanism to control sharing of information. Because society is increasingly dependent on the correct operation of computers. See zdnet.

    Overview of Computer Security p.4

  • Examples of Security Problems. Adapted from [Kan01].

    The Internet Worm c1988 (buffer overflow). Spread over the Internet to many sites. Around 6000 sites were shut down to get rid of it.

    Virus Attacks. Denial of Service Attacks.

    Flooding of web servers with an enormous # of requests. Flooding networks en route to the target. Exploiting target TCP state machines. See Christoph Schuba's synkill paper.

    Overview of Computer Security p.5

  • Examples of Denial of Service (diagram)

    Bandwidth flood: YOU ↔ bottleneck link ↔ YAHOO WEB SERVER, with HEAVY SPOOFED TRAFFIC filling the bottleneck link.

    SYN flood: ATTACKER sends TCP SYN; TARGET allocates resources and replies TCP SYN+ACK; then the target waits... wait... wait.

    Overview of Computer Security p.6

  • Traditional elements of Information Security - goals in [Pfl96]

    Confidentiality [they want your data]. Assets of a computing system are accessible only to authorized parties. Includes reading, printing, or even testing for the existence of an object. Breach: interception.

    Integrity. Assets can be modified only by authorized parties. In security, usually distinct from structural integrity (well-formedness). Breach: modification, fabrication.

    Availability [they want your bandwidth, cpu, disk]. Assets are accessible to authorized parties. Breach: interruption.

    Overview of Computer Security p.7

  • Why is security hard?

    Adapted from [Kan01].

    Tradeoff between convenience and security, or performance and security. Wily human opponents seek to outwit us. Must assume that the opponent will attack the weakest point. Must get everything right; any mistake is an opportunity for the opponent. Bug-free software?

    Overview of Computer Security p.8

  • Design Principles for Secure Systems. From Saltzer and Schroeder [SS75].

    Economy of [protection] mechanism. Keep the design as simple and small as possible.
    Fail-safe defaults. Base access decisions on permission rather than exclusion.
    Complete mediation. Every access to every object must be checked for authorization.
    Open design. Security through obscurity is not.

    Overview of Computer Security p.9

  • Design Principles for Secure Systems. . .

    Separation of privileges. Two locks are better than one!
    Least privilege. Operate using the least privileges necessary to complete the job.
    Least common mechanism. Minimize the amount of mechanism common to more than one user and depended on by all users.
    Acceptability. Human interface should be easy to use.

    Overview of Computer Security p.10
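    The following toy reference monitor is an added example (not code from the slides or from Saltzer and Schroeder) showing three of the principles above in executable form: fail-safe defaults (an allow-list, so anything unlisted is denied), complete mediation (every access to the store goes through one check that also logs the decision) and least privilege (a task runs with only the role it needs). All subjects, objects and roles are constructed for the illustration.

```python
"""Toy reference monitor: fail-safe defaults, complete mediation and
least privilege (added example; names and policy are constructed)."""
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Subject:
    name: str
    roles: frozenset          # roles the principal currently holds

# Explicit allow-list of (role, object, action). Anything absent is denied:
# the decision is based on permission, not on exclusion.
POLICY = {
    ("auditor", "payroll.db", "read"),
    ("payroll", "payroll.db", "read"),
    ("payroll", "payroll.db", "write"),
}

@dataclass
class Monitor:
    log: list = field(default_factory=list)   # every decision is recorded

    def check(self, subject: Subject, obj: str, action: str) -> bool:
        allowed = any((r, obj, action) in POLICY for r in subject.roles)
        self.log.append((subject.name, obj, action, allowed))
        return allowed

    def access(self, subject: Subject, obj: str, action: str, store: dict):
        # Complete mediation: no code path touches `store` without check().
        if not self.check(subject, obj, action):
            raise PermissionError(f"{subject.name} may not {action} {obj}")
        if action == "read":
            return store.get(obj)
        store[obj] = f"written by {subject.name}"
        return store[obj]

def least_privilege(subject: Subject, needed_role: str) -> Subject:
    """Drop every role except the one the task needs."""
    return Subject(subject.name, frozenset({needed_role}) & subject.roles)

def demo() -> dict:
    store = {"payroll.db": "salaries"}
    mon = Monitor()
    alice = Subject("alice", frozenset({"auditor", "payroll"}))
    results = {"read": mon.access(alice, "payroll.db", "read", store)}
    # Run the audit task with only the auditor role: the write is refused.
    auditor = least_privilege(alice, "auditor")
    try:
        mon.access(auditor, "payroll.db", "write", store)
        results["write"] = True
    except PermissionError:
        results["write"] = False
    # Unknown object: no rule matches, so the fail-safe default is deny.
    results["other"] = mon.check(alice, "secrets.db", "read")
    results["decisions"] = len(mon.log)
    return results

if __name__ == "__main__":
    print(demo())
```

    The log is what makes "complete mediation" auditable: three accesses were attempted, three decisions were recorded, and the one refused write never reached the store.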

  • Design Principles for Secure Systems. . .

    Lessons: Blaine Burnham. Hear his keynote address at Usenix 2000 here.

    Security is not an add-on ("let's build it (get it to run) and add security later on"). Assurance matters. It takes a secret to keep a secret, i.e., good key management is really hard. There are no silver bullets. Security is a system property. Composing components, some of which purport to be secure, may not result in a secure system.

    Overview of Computer Security p.11

  • Buffer Overflow: Attack of the Decade

    Adapted from [Bon] and [CWP+99].

    Extremely common bug. 1997: 16/28 CERT advisories. 1998: 9/13 CERT advisories. 1999: 6/12 CERT advisories.

    Often leads to total compromise of host. Requires expertise and patience (until someone posts an exploit).

    CERT statistics can be found here.

    Overview of Computer Security p.12

  • Buffer Overflow Mechanism. Two steps:

    Inject suitable code in the program's address space. Get the program to jump to that code, with suitable parameters loaded into registers and memory.

    Overview of Computer Security p.13

  • Injecting code on Activation Record. Suppose a web server contains the function:


    Overview of Computer Security p.14

  • Injecting code on Activation Record. When the function is invoked, the stack looks like (lower address on the left, higher address on the right):

    buf[0..n] | frame ptr | ret addr | str

    buf and the frame ptr are callee constructed; the ret addr and str are caller constructed. strcpy overflows toward the ret addr.

    %ebp = frame pointer. %esp = stack pointer. %ebp+4 = return address. %ebp+8 = first argument to function. Caller pushes args in reverse order. Callee creates frame linkage.

    Overview of Computer Security p.15

  • Injecting code on Activation Record. What if str is 136 bytes? After strcpy, the stack looks like:

    buf overwritten straight through the frame ptr and ret addr and into str

    The basic problem is that strcpy doesn't do range checking.

    Overview of Computer Security p.16

  • Stack Smashing Attack. What if the buffer overflow results in the following stack state:

    buf = P | frame ptr (irrelevant) | ret addr → P

    P: execve("/bin/bash", char **argv, char **envp) properly constructed!

    See the Aleph One article for a step-by-step description.

    Overview of Computer Security p.17

  • Constructing call to execve. %eax contains the syscall number 11 (for execve). %ebx contains the 1st arg to the syscall, a pointer to the string "/bin/sh\0".

    %ecx contains the 2nd arg to the syscall (argv), which is a pointer to the first element of an array of (char *)s. The last element of the array is NULL.

    %ecx → [ pointer to "/bin/sh\0", 0 ]

    %edx contains the 3rd arg to the syscall (envp), which points to an array of ptrs that ends in NULL. So what if we had %edx point to a location that contained the NULL pointer (0)?

    Overview of Computer Security p.18

  • Constructing call to execve. . . So, it looks like

    x .. x+7: "/ b i n / s h \0"; at x+8: the word x (pointer to the string); after it: the word 0 (NULL)

    %ebx = x. %ecx = x + 8 (2-element array). %edx = x + 9 (1-element array). We can determine x dynamically.

    Overview of Computer Security p.19

  • Constructing overflow buffer

    noop                                  land anywhere in here
    noop
    jmp offset-to-call
    popl %esi                             %esi now contains addr of /bin/sh
    movl %esi,array-offset(%esi)          save addr of /bin/sh here
    movb $0x0,nullbyteoffset(%esi)        terminate /bin/sh with \0
    movl $0x0,null-offset(%esi)           /bin/sh\0 , addr , NULL
    movl $0xb,%eax                        11 for execve
    movl %esi,%ebx                        reg b = /bin/sh
    leal array-offset(%esi),%ecx          reg c = [addr of /bin/sh\0 , NULL]
    leal null-offset(%esi),%edx           reg d = NULL
    int $0x80                             trap to kernel
    movl $0x1, %eax                       exit(0) if execve failed
    movl $0x0, %ebx
    int $0x80
    call offset-to-popl                   save addr of /bin/sh on stack
    /bin/sh                               string goes here; not NULL terminated, else strcpy may stop

    Overview of Computer Security p.20

  • Stack Smashing Attack

    When func() returns, /bin/sh will read and write file descriptors 0 and 1. Often redirected to read from and write to a socket. Attack code runs on the stack. Unsafe libc calls: strcpy, strcat, gets (no range checking).

    Overview of Computer Security p.21

  • Exploiting buffer overflows

    If the web server calls func() with the given URL, then an attacker can create a 200 byte URL to obtain a shell on the web server! Some complications:

    Program P shouldn't contain the \0 character. Overflow shouldn't crash the program before func() returns.

    Recent buffer overflows of this type: Overflow in the MIME type field in MS Outlook. Overflow in ISAPI in IIS.

    Overview of Computer Security p.22

  • Java Crypto API. Based on JDK1.5

    Overview of Computer Security p.23

  • Some key-related classes in Java. java.security.Key: top-level interface for all opaque keys (symmetric and asymmetric).

    String getAlgorithm(): name of the algorithm of the key. byte[] getEncoded(): the raw bytes of the key in its primary encoding format. String getFormat(): the format of the encoded key, for e.g., PKCS#8, X.509.

    Subset of Java Crypto API p.24

  • Creating keys for symmetric ciphers

    javax.crypto.SecretKey is a sub-interface of Key and represents a secret (symmetric) key. Class SecretKeySpec implements SecretKey. To generate a DES key for the byte sequence 0x0102030405060708, use:


    Subset of Java Crypto API p.25

  • KeySpec

    java.security.spec.KeySpec: an interface that denotes the transparent (user-visible) representation of the key material that constitutes a key.

    Contains no methods or constants. Class SecretKeySpec implements KeySpec & SecretKey (more directly relevant for us).

    SecretKey is an interface that extends Key. So it can be used with Cipher. To generate a DES key for 0x0102030405060708, use:

    byte[] key = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08};
    SecretKey desKey = new SecretKeySpec(key, "DES");

    Subset of Java Crypto API p.26

  • Using IVs with symmetric ciphers

    javax.crypto.spec.IvParameterSpec: a class that specifies an IV. Implements AlgorithmParameterSpec.

    public IvParameterSpec(byte[] iv), for e.g., create an eight byte array, initialize it with the IV and create an IvParameterSpec. Can be used in Cipher.init(...) because it's an AlgorithmParameterSpec.

    Subset of Java Crypto API p.27

  • The Cipher class

    javax.crypto.Cipher: a class that provides the functionality of encryption and decryption (both symmetric and asymmetric).

    public static Cipher getInstance(String tx), where tx (the transformation) is "algorithm/mode/padding". A cipher can be initialized with

    cipher.init(Cipher.ENCRYPT_MODE, Key key, AlgorithmParameterSpec iv), or cipher.init(Cipher.ENCRYPT_MODE, Key key). The latter generates its own IV, which can be retrieved with cipher.getIV().

    Subset of Java Crypto API p.28

  • Cipher. . . To encrypt a byte stream, use

    byte[] encryptedBytes = cipher.update(buffer, 0, b_read);

    length(returned bytes) ≠ length(argument bytes): no semantics specified in the Java API. Must collect a block's worth of data.

    To end encryption, use byte[] encryptedBytes = cipher.doFinal();

    All outstanding bytes are returned. Padding is applied if specified.

    Subset of Java Crypto API p.29

  • Using Hashes

    To calculate the MD5 checksum of a byte stream, use

    Subset of Java Crypto API p.30

  • X.500 Names. Loosely, an X.500 name is hierarchical and consists of the following attributes:

    Country: SG. State or Province: Singapore. Locality: Clementi. Organization: National University of Singapore. Organizational Unit: School of Computing. Common Name: Sandeep Kumar. Email Address: [email protected].

    Subset of Java Crypto API p.31

  • Base 64 encoding

    Look here for more information. There must be other references.

    Encode a sequence of octets using the characters [A-Za-z0-9+/] to represent 6 bits each. Use the character = for trailing padding. 6 bits of input represented as one printable character of 8 bits ⇒ 33% expansion.

    Ex: 0x1F is Hw==. Is it?

    Subset of Java Crypto API p.32
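    To answer the slide's "Is it?", here is a Base64 encoder and decoder written directly from the rule above (added example, not code from the slides or the JDK): every 6-bit group becomes one character of [A-Za-z0-9+/], a short final group is zero-filled, and '=' pads to a multiple of four characters. The decoder rejects non-trailing padding. Function names are mine.

```python
"""Base64 from the slide's rule: 6 bits per character, '=' trailing pad
(added example; not the slides' or the JDK's implementation)."""
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
REVERSE = {c: i for i, c in enumerate(ALPHABET)}

def b64encode(data: bytes) -> str:
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        # Zero-fill a short final chunk up to 24 bits.
        bits = int.from_bytes(chunk, "big") << (8 * (3 - len(chunk)))
        chars = [ALPHABET[(bits >> s) & 0x3F] for s in (18, 12, 6, 0)]
        keep = len(chunk) + 1          # 1 byte -> 2 chars, 2 -> 3, 3 -> 4
        out.append("".join(chars[:keep]) + "=" * (4 - keep))
    return "".join(out)

def b64decode(text: str) -> bytes:
    if len(text) % 4:
        raise ValueError("length must be a multiple of 4")
    out = bytearray()
    for i in range(0, len(text), 4):
        quad = text[i:i + 4]
        pad = quad.count("=")
        if pad and not quad.endswith("=" * pad):
            raise ValueError("padding must be trailing")
        bits = 0
        for c in quad:
            bits = (bits << 6) | (0 if c == "=" else REVERSE[c])
        out += bits.to_bytes(3, "big")[:3 - pad]
    return bytes(out)

def expansion(n_bytes: int) -> float:
    """Encoded length divided by input length for n_bytes input bytes."""
    return len(b64encode(bytes(n_bytes))) / n_bytes
```

    0x1F = 00011111: the first six bits 000111 = 7 = 'H', the remaining two bits zero-filled give 110000 = 48 = 'w', and two '=' pad the group, so "Hw==" is right. For whole 3-byte groups the expansion is exactly 4/3.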

  • Classical Ciphers: Pre DES

    Subset of Java Crypto API p.33

  • Shannon's model of a secrecy system. Diagram as in [Sha49].

    Sender side: plaintext source → P → encrypter. Receiver side: decrypter → P → destination. C travels over the channel between them, where the enemy cryptanalyst observes it. The key source delivers K to both the encrypter and the decrypter over a secure channel.

    Classical Ciphers p.34

  • Shannon's model. . . Encryption encodes a message so its meaning is not obvious. For symmetric encryption P = D(K, E(K, P)). For asymmetric encryption P = D(K_D, E(K_E, P)). Security of a cryptosystem should rest entirely in the secrecy of the key, and not in the secrecy of the algorithm (Kerckhoffs).

    Classical Ciphers p.35

  • Types of attacks

    Cryptographers design their algorithms to resist the following increasingly aggressive attacks [Susan Landau].

    Ciphertext-only: adversary has access to encrypted comms. Known-plaintext: adversary has some (plaintext, ciphertext) pairs. Chosen-text: the adversary chooses

    the plaintext to be encrypted (chosen plaintext); the ciphertext to be decrypted (chosen ciphertext); the plaintext to be encrypted depending on ciphertext received from previous requests (adaptive chosen plaintext).

    Classical Ciphers p.36

  • Monoalphabetic Substitution Cipher. Shift cipher, for e.g., Caesar's cipher, is a very simple permutation, for e.g., rot13. An example is shift by 3.

    plaintext:  a b c d e f g h i j k l m n o p q r s t u v w x y z
    ciphertext: d e f g h i j k l m n o p q r s t u v w x y z a b c

    So the secret message "attack at dawn" is encrypted as

    a t t a c k a t d a w n
    d w w d f n d w g d z q

    Keyspace: 25. Can be broken using ciphertext only.

    Instructor note: might give a demo using vigenere-encrypt.cgi with the above as example.

    Classical Ciphers p.37

  • Affine Ciphers. A specific way to construct a permutation. Choose two integers, a multiplier and a shift, with gcd(multiplier, 26) = 1, and consider the ciphering function

    y = multiplier · x + shift (mod 26)

    Keyspace = 11 × 26. Easy to break with a ciphertext only attack.

    Classical Ciphers p.38
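    An added example (not code from the slides or the textbook) of the affine cipher and of the ciphertext-only attack the slide mentions: because the keyspace is so small, every key is tried and the candidate plaintexts are ranked by how well their letter counts fit English. It generalises the shift cipher (multiplier 1) of the previous slide. The symbols a and b for the multiplier and shift, the scoring function and the SAMPLE sentence are my constructions.

```python
"""Affine cipher y = a*x + b (mod 26) plus a brute-force, frequency-scored
ciphertext-only break (added example; names and SAMPLE are constructed)."""
from math import gcd
from string import ascii_lowercase as ABC

# Typical English letter frequencies in percent (standard published table).
ENGLISH = dict(zip(ABC, [8.2, 1.5, 2.8, 4.3, 12.7, 2.2, 2.0, 6.1, 7.0, 0.15,
                         0.77, 4.0, 2.4, 6.7, 7.5, 1.9, 0.095, 6.0, 6.3, 9.1,
                         2.8, 0.98, 2.4, 0.15, 2.0, 0.074]))
# Constructed English sample used to demonstrate the break.
SAMPLE = ("the enemy has been seen moving their forces to the east and we "
          "expect them to strike before the end of the night so every sentry "
          "must stay alert and report anything unusual at once")

def letters(text: str) -> str:
    return "".join(c for c in text.lower() if c in ABC)

def affine_encrypt(text: str, a: int, b: int) -> str:
    if gcd(a, 26) != 1:
        raise ValueError("a must be coprime to 26 or the map is not invertible")
    return "".join(ABC[(a * ABC.index(c) + b) % 26] for c in letters(text))

def affine_decrypt(text: str, a: int, b: int) -> str:
    a_inv = pow(a, -1, 26)                    # modular inverse (Python 3.8+)
    return "".join(ABC[(a_inv * (ABC.index(c) - b)) % 26] for c in letters(text))

def english_score(text: str) -> float:
    """Sum of frequency weights; English-like text scores highest."""
    return sum(ENGLISH[c] for c in text)

def break_affine(cipher: str):
    """Ciphertext-only attack: score all 12*26 keys, return (a, b, plaintext)."""
    best = None
    for a in (x for x in range(1, 26) if gcd(x, 26) == 1):
        for b in range(26):
            cand = affine_decrypt(cipher, a, b)
            s = english_score(cand)
            if best is None or s > best[0]:
                best = (s, a, b, cand)
    return best[1], best[2], best[3]
```

    The attack needs nothing but the ciphertext and a frequency table, which is why the slide rates the cipher as easy to break; the same exhaustive search is hopeless against a 26! keyspace, where frequency analysis has to be applied letter by letter instead.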

  • Monoalphabetic substitution cipher

    In general, the secret key is a table, a permutation π that maps each symbol of PT onto a symbol of CT, for e.g.,

    plaintext:  a b c d e f g h i j k l m n o p q r s t u v w x y z
    ciphertext: p a n d o r s b x c e f g h i j k l m q t u v w y z

    Keyspace: 26! (permutations). At 1 decrypt/s, requires 103 years to cycle through. Constructing an easy to remember permutation is simple with a keyword, such as pandorasbox above.

    Classical Ciphers p.39

  • Monoalphabetic substitution cipher. . .

    Unfortunately, one can use the frequency of English letters

    e 12.5%
    t 9.25%
    a 8.04%
    o 7.60%
    i 7.26%
    n 7.09%

    and pairs to break this cipher using a ciphertext only attack. Most common digram: th, most common trigram: the.

    Classical Ciphers p.40

  • Example of mono cryptanalysis

    Example from [Kip99]:
    ETNAN XFWN LYK Y RYETNA QF EBWKXF LTX KYQP ETQK YPHQWNQK RXA DXB KXF DXB PXFE LYKT DXBAKNMR LNMM KX DXBARNNE KCNMM MQUN TNMM QR QF VNP LQET Y ZQAM UNNI DXBAKTXNK XF

    Instructor note: set N = E as N is the most frequent letter; now search for "the": 3 times N is preceded by T, set T = H; 2 times TN is preceded by E, set E = T. Notice the lone Y, set Y = A. The first word could be "there", so set A = R. If A = R, then R ≠ R, maybe R = F. Try http://localhost/info/cgi-bin/mono.cgi for a demo.

    Unfortunately, same letters in plaintext encrypt to same letters in ciphertext.

    Classical Ciphers p.41
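    The counting steps of the instructor note, run on the [Kip99] ciphertext above, as an added example (not code from the slides): single-letter and n-gram counts, a check of the "N preceded by T" and "TN preceded by E" observations, and a partial decryption that shows undetermined cipher letters in lower case. The ciphertext is copied from the slide; the five substitutions are the ones the note derives.

```python
"""Frequency analysis and partial decryption of the slide's monoalphabetic
ciphertext (added example; KEY holds the guesses from the instructor note)."""
from collections import Counter

CIPHERTEXT = ("ETNAN XFWN LYK Y RYETNA QF EBWKXF LTX KYQP ETQK YPHQWNQK RXA "
              "DXB KXF DXB PXFE LYKT DXBAKNMR LNMM KX DXBARNNE KCNMM MQUN "
              "TNMM QR QF VNP LQET Y ZQAM UNNI DXBAKTXNK XF")

# Guesses from the slide: N->E (most frequent), T->H, E->T, Y->A, A->R.
KEY = {"N": "E", "T": "H", "E": "T", "Y": "A", "A": "R"}

def letter_counts(text: str) -> Counter:
    return Counter(c for c in text if c.isalpha())

def ngram_counts(text: str, n: int) -> Counter:
    """Counts of n-letter sequences inside words (digrams, trigrams, ...)."""
    out = Counter()
    for word in text.split():
        out.update(word[i:i + n] for i in range(len(word) - n + 1))
    return out

def most_frequent(text: str) -> str:
    return letter_counts(text).most_common(1)[0][0]

def preceded_by(text: str, target: str, prefix: str) -> int:
    """How often `prefix` immediately precedes `target` within a word."""
    return ngram_counts(text, len(prefix) + len(target))[prefix + target]

def partial_decrypt(text: str, key: dict) -> str:
    """Cipher letters with no guess yet are shown in lower case."""
    return "".join(key.get(c, c.lower()) if c.isalpha() else c for c in text)

if __name__ == "__main__":
    print(letter_counts(CIPHERTEXT).most_common(6))
    print(ngram_counts(CIPHERTEXT, 2).most_common(5))
    print(partial_decrypt(CIPHERTEXT, KEY))
```

    With only five guesses the first word already reads THERE, which is the kind of foothold that lets the rest of the key be filled in word by word; this is exactly the structure a one-time pad removes.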

  • Vigenère Cipher. Invented circa 1520. Applied arithmetic to ciphers.

    plaintext:  w h a t a n i c e d a y t o d a y
    key:        c r y p t o c r y p t o c r y p t
    ciphertext: y y y i t b . . .

    Use the Vigenère tableau to encrypt or decrypt messages. It's like n instances of Caesar's cipher. Or, it's addition modulo 26 where a = 0, . . . , z = 25.

    Keyspace: 26^n, n is the number of symbols in the key. It evens out the frequency disparity in the plaintext alphabet.

    Classical Ciphers p.42

  • Vigenère Cipher. . . Vigenère's tableau (part of)

        a b c d e f g h i j k l m n o p q r s t u v w x y z
    a   a b c d e f g h i j k l m n o p q r s t u v w x y z
    b   b c d e f g h i j k l m n o p q r s t u v w x y z a
    c   c d e f g h i j k l m n o p q r s t u v w x y z a b
    d   d e f g h i j k l m n o p q r s t u v w x y z a b c

    Classical Ciphers p.43

  • Cryptanalysis of Vigenère Cipher. . . Easy to break [Fri84, pg. 17], [Sta99, pg. 40], [Pfl96, pg. 35]:

    Find key length. Kasiski: identical sequences of plaintext at integral multiples of the keyword length ⇒ identical ciphertext sequences. Look for common factors.

    English uses several endings and beginnings disproportionately often. Words such as of, and, to etc. appear in high frequency.

    Classical Ciphers p.44

  • Cryptanalysis of Vigenère Cipher. . . Divide the ciphertext into key-length sized blocks. All elements corresponding to the same relative position within each block form a monoalphabetic cipher. Break each for every position of the block. Ciphertext-only attack.

    Classical Ciphers p.45

  • Cryptanalysis of Vigenère Cipher. . . Use the Index of Coincidence. It is defined as the probability that two randomly selected letters in a ciphertext are identical.

    IC = Σ_i C(n_i, 2) / (½ n(n − 1)) = Σ_i n_i(n_i − 1) / (n(n − 1))

    where n_i is the # of occurrences of symbol i, say a . . . z, and n is the total # of letters.

    Classical Ciphers p.46

  • Cryptanalysis of Vigenère Cipher. . .

    See [TW02, Section 2.3] for details. To compute |key|: what if we computed IC from the ciphertext sample c_1 . . . c_n by counting coincidences with the shifted ciphertext c_k . . . c_n c_1 . . . c_{k−1}? If k = |key|, then

    c_1, c_k are shifted by the same amount, as are c_2, c_{k+1} etc. So we should find the IC to be close to that of English! Because a monoalphabetic transformation doesn't change the IC.

    Classical Ciphers p.47

  • Index of Coincidence. . . Another interpretation of IC is that it's a measure of the variation between frequencies in a distribution [from the uniform] [Pfl96, Section 2.3]. If i represents a plaintext symbol, then

    Σ_i P_i = 1.

    Let's find the variation of a given distribution from a flat distribution P_i = 1/|Σ|.

    var = Σ_{i=a}^{z} (P_i − 1/26)² = Σ_{i=a}^{z} P_i² − 1/26

    Now,

    P_i² ≈ (n_i / n) · ((n_i − 1) / (n − 1)) ⇒ IC = var + const!

    Classical Ciphers p.48

  • Cryptanalysis of Vigenère Cipher. . . Example: Consider the ciphertext

    WSPGM HHEHM CMTGP NROVX WISCQ TXHKR VESQT IMMKW BMTKW CSTVL TGOPZ XGTQM CXHCX HSMGX WMNIA XPLVY GROWX LILNF
    JXTJI RIRVE XRTAX WETUS BITJM CKMCO TWSGR HIRGK PVDNI HWOHL DAIVX JVNUS JX

    Classical Ciphers p.49

  • Cryptanalysis of Vigenère Cipher. . . The counts of the various letters are:

    a  b  c  d  e  f  g  h  i   j  k  l  m   n  o  p  q  r
    3  2  7  2  4  1  8  9  10  5  5  5  11  5  5  5  3  8

    s  t   u  v  w  x   y  z
    8  12  2  8  9  13  1  1

    The total # of letters is 152. Thus

    IC = Σ_{i=0}^{25} n_i(n_i − 1) / (n(n − 1)) = (3·2 + 2·1 + … + 1·0 + 1·0) / (152·151) = 1048 / 22952 = .0457

    Classical Ciphers p.50

  • Index of Coincidence. . . IC is a predictor of key length when it is small. It cannot discriminate well for large key lengths. .038 ≈ 1/26, which is what we'd expect.

    keylen  1     2     3     4     5     10    large
    IC      .068  .052  .047  .044  .044  .041  .038

    Classical Ciphers p.51
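    An added example (not code from the slides or [TW02]) that ties the last several slides together: Vigenère as addition modulo 26, the index of coincidence computed exactly as in the formula, and the shifted-ciphertext coincidence count used to estimate the key length. SLIDE_CT is the 152-letter ciphertext from the example slide, so the IC it produces can be checked against the .0457 worked out above. The function names are mine.

```python
"""Vigenère, index of coincidence and the shifted-text key-length test,
written from the slides' formulas (added example; SLIDE_CT is the
slide's ciphertext, function names are constructed)."""
from collections import Counter
from string import ascii_lowercase as ABC

SLIDE_CT = ("WSPGM HHEHM CMTGP NROVX WISCQ TXHKR VESQT IMMKW BMTKW CSTVL TGOPZ "
            "XGTQM CXHCX HSMGX WMNIA XPLVY GROWX LILNF JXTJI RIRVE XRTAX WETUS "
            "BITJM CKMCO TWSGR HIRGK PVDNI HWOHL DAIVX JVNUS JX")

def letters(text: str) -> str:
    return "".join(c for c in text.lower() if c in ABC)

def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Addition modulo 26 with a = 0 ... z = 25; the key repeats."""
    pt, k = letters(text), letters(key)
    sign = -1 if decrypt else 1
    return "".join(ABC[(ABC.index(c) + sign * ABC.index(k[i % len(k)])) % 26]
                   for i, c in enumerate(pt))

def index_of_coincidence(text: str) -> float:
    """IC = sum_i n_i (n_i - 1) / (n (n - 1))."""
    t = letters(text)
    n = len(t)
    return sum(v * (v - 1) for v in Counter(t).values()) / (n * (n - 1))

def shifted_coincidence(text: str, k: int) -> float:
    """Fraction of positions j where c_j == c_{j+k} (cyclic shift by k).
    When k is a multiple of the key length both letters were shifted by
    the same key symbol, so the rate approaches English's ~.068."""
    t = letters(text)
    n = len(t)
    return sum(t[j] == t[(j + k) % n] for j in range(n)) / n

def coincidence_profile(text: str, max_shift: int = 10) -> dict:
    """Shift -> coincidence rate; peaks mark multiples of the key length."""
    return {k: round(shifted_coincidence(text, k), 4) for k in range(1, max_shift + 1)}

if __name__ == "__main__":
    print(vigenere("what a nice day today", "crypto"))
    print(round(index_of_coincidence(SLIDE_CT), 4))
    print(coincidence_profile(SLIDE_CT))
```

    Reading the profile: the shifts whose rate sits near .065 are the multiples of the key length, and the shifts near .038 are the rest; with a single short sample the two bands can overlap, which is the "cannot discriminate well" caveat of the IC slide.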

  • Permutation Cipher. Columnar transposition. Consider the plaintext howareyoutoday. Write this as two blocks of seven characters each

    h o w a r e y
    o u t o d a y

    The ciphertext is the plaintext read in column order. So the ciphertext is hoouwtaordeayy.

    Same letter frequencies as the original text. Can be broken using a form of frequency analysis. Can be broken with a KPA.

    Classical Ciphers p.52

  • Permutation Cipher. . . It's a permutation on the position of PT symbols in the corresponding CT. For e.g., HELLOWORD might be transformed into LWHOEROLD. An example permutation is

    π = ( 1 2 3 4 5 6 7 8 9 )
        ( 3 5 1 4 2 7 9 6 9 )

    Classical Ciphers p.53

  • Playfair cipher

    1854 by Sir Charles Wheatstone. 5 × 5 matrix of letters constructed using a keyword [Sta99]. In general, insert a filler letter such as i between successive identical letters to avoid needing to encrypt pairs such as tt.

    M O N A   R
    C H Y B   D
    E F G I/J K
    L P Q S   T
    U V W X   Z

    ATTACKATDAWN → RSSRDERSBRNY

    Classical Ciphers p.54

  • Playfair Cipher. . . Used by the British Army in WW I. Frequency analysis more difficult, but still susceptible to digram frequency analysis. Flatter distribution than plaintext, nevertheless plenty of structure.

    Both digrams re and er are common. So if the pairs IG & GI are common, e, i, r, g probably form the corners of a square, such as

    e i        e g
    g r   or   i r

    Last few rows of the matrix are predictable. Each plaintext letter encrypts to one of five ciphertext letters. h → {c, y, b, d, f} in the previous example.

    Classical Ciphers p.55
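    Playfair in code, as an added example (not from the slides or [Sta99]): the square is built from a keyword with J folded into I, the text is split into digrams with a filler between doubled letters, and each digram is handled by the three rules (same row, same column, rectangle). Run with the MONARCHY square it reproduces the slide's ATTACKATDAWN → RSSRDERSBRNY; the filler letter and function names are my choices.

```python
"""Playfair with keyword square, digram preparation, encryption and
decryption (added example; filler letter X is a constructed choice)."""
def build_square(keyword: str) -> list:
    seen, order = set(), []
    for c in (keyword + "ABCDEFGHIKLMNOPQRSTUVWXYZ").upper():
        c = "I" if c == "J" else c            # I and J share one cell
        if c.isalpha() and c not in seen:
            seen.add(c)
            order.append(c)
    return [order[i:i + 5] for i in range(0, 25, 5)]

def positions(square: list) -> dict:
    return {c: (r, col) for r, row in enumerate(square) for col, c in enumerate(row)}

def prepare(text: str, filler: str = "X") -> list:
    """Split into digrams; a filler separates doubled letters and pads an odd tail."""
    t = [("I" if c == "J" else c) for c in text.upper() if c.isalpha()]
    pairs, i = [], 0
    while i < len(t):
        a = t[i]
        f = "Q" if a == filler else filler     # never produce a doubled filler
        b = t[i + 1] if i + 1 < len(t) else f
        if a == b:
            pairs.append(a + f)
            i += 1
        else:
            pairs.append(a + b)
            i += 2
    return pairs

def playfair(text: str, keyword: str, decrypt: bool = False) -> str:
    sq = build_square(keyword)
    pos = positions(sq)
    step = -1 if decrypt else 1                # move left/up when decrypting
    out = []
    for a, b in prepare(text):
        (ra, ca), (rb, cb) = pos[a], pos[b]
        if ra == rb:                           # same row: letter to the right
            out.append(sq[ra][(ca + step) % 5] + sq[rb][(cb + step) % 5])
        elif ca == cb:                         # same column: letter below
            out.append(sq[(ra + step) % 5][ca] + sq[(rb + step) % 5][cb])
        else:                                  # rectangle: swap the columns
            out.append(sq[ra][cb] + sq[rb][ca])
    return "".join(out)

def images_of(letter: str, keyword: str) -> set:
    """The set of ciphertext letters a plaintext letter can become."""
    return {playfair(letter + other, keyword)[0]
            for other in "ABCDEFGHIKLMNOPQRSTUVWXYZ" if other != letter.upper()}
```

    images_of("h", "MONARCHY") returns exactly the five letters {C, Y, B, D, F} named on the slide, which is the structure digram analysis exploits: a plaintext letter never leaves its row and column in the square.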

  • Hill Cipher. Invented by Lester Hill in 1929. A block cipher.

    C = K P mod 26, 0 ≤ k_ij < 26. A ciphertext letter depends on multiple plaintext letters! Strong against ciphertext only attack, but easily broken under known plaintext attack, i.e., given a set of (P, C) pairs, solve for K. det(K) should be relatively prime to n in order for K to be invertible mod n. For a block size of 8, keyspace 26^64 > 2 × 10^90.

    Classical Ciphers p.56
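    The known-plaintext attack the slide describes, carried out for a 2 × 2 key as an added example (not code from the slides): two plaintext blocks form the columns of P, their ciphertext blocks the columns of C, and K = C · P⁻¹ (mod 26) whenever det P is coprime to 26. The key [[3, 3], [2, 5]] and the plaintext are constructed for the demonstration; the invertibility check is the slide's det condition.

```python
"""2x2 Hill cipher C = K P (mod 26) and key recovery from known plaintext
(added example; the key and sample text are constructed)."""
from math import gcd
from string import ascii_lowercase as ABC

def mat_inv_2x2(m, mod: int = 26):
    """Inverse of [[a,b],[c,d]] modulo `mod`, or None if det is not a unit."""
    (a, b), (c, d) = m
    det = (a * d - b * c) % mod
    if gcd(det, mod) != 1:
        return None                      # the slide's det condition fails
    inv = pow(det, -1, mod)
    return [[(d * inv) % mod, (-b * inv) % mod],
            [(-c * inv) % mod, (a * inv) % mod]]

def mat_mul(x, y, mod: int = 26):
    return [[sum(x[i][k] * y[k][j] for k in range(2)) % mod for j in range(2)]
            for i in range(2)]

def hill_encrypt(text: str, key) -> str:
    t = [ABC.index(c) for c in text.lower() if c in ABC]
    if len(t) % 2:
        t.append(ABC.index("x"))         # constructed padding letter
    out = []
    for i in range(0, len(t), 2):        # each block is a column vector
        for r in range(2):
            out.append(ABC[(key[r][0] * t[i] + key[r][1] * t[i + 1]) % 26])
    return "".join(out)

def hill_decrypt(text: str, key) -> str:
    inv = mat_inv_2x2(key)
    if inv is None:
        raise ValueError("key is not invertible mod 26")
    return hill_encrypt(text, inv)

def recover_key(plain: str, cipher: str):
    """Known-plaintext attack from the first two blocks: K = C P^-1."""
    p = [ABC.index(c) for c in plain[:4]]
    c = [ABC.index(x) for x in cipher[:4]]
    P = [[p[0], p[2]], [p[1], p[3]]]     # blocks are the columns
    C = [[c[0], c[2]], [c[1], c[3]]]
    P_inv = mat_inv_2x2(P)
    if P_inv is None:
        raise ValueError("these plaintext blocks do not determine K; use others")
    return mat_mul(C, P_inv)
```

    Four known letters are enough to recover a 2 × 2 key, and in general n² letters fix an n × n key, which is why the huge keyspace quoted on the slide buys nothing against an attacker who has plaintext.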

  • Perfect Substitution Cipher. Use an infinite nonrepeating sequence as key. Confounds both Kasiski and Index of Coincidence.

    One-time pad. However, there is need for synchronization between sender and receiver, and need for an unlimited number of keys.

    Long random number sequences. Can be used at bit level [Gilbert Vernam, 1918]. However, statistical pseudorandomness ⇏ unpredictability. Long sequences from books. Digits from the phone book (might have some non-uniformity).

    Classical Ciphers p.57

  • Linear Congruential Generator. A Linear Congruential Generator is of the form

    r_{i+1} = (a · r_i + b) mod n

    where a, b, n are constants. It's totally linear! For e.g., given the random sequence 958833456, 396607904, 2147285887 for n = 2^31 − 1, we have the equations

    396607904 ≡ a · 958833456 + b (mod 2147483647)
    2147285887 ≡ a · 396607904 + b (mod 2147483647)
    396805664 ≡ a · 562225552 (mod 2147483647)

    ⇒ a = 16807

    Classical Ciphers p.58
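    The subtraction on the slide, done in code as an added example (not the slides' code): from three consecutive outputs, r_1 − r_2 ≡ a (r_0 − r_1) gives a once the difference is inverted mod n, and then b follows from any one equation. The three outputs and the modulus are the slide's; the function names are mine. It recovers a = 16807 and, in this case, b = 0, after which every later output is predictable, which is the point of "it's totally linear".

```python
"""Recovering LCG constants from three consecutive outputs and predicting
the next one (added example; OUTPUTS and N come from the slide)."""
from math import gcd

N = 2**31 - 1
OUTPUTS = [958833456, 396607904, 2147285887]

def lcg(a: int, b: int, n: int, seed: int, count: int) -> list:
    out, r = [], seed
    for _ in range(count):
        r = (a * r + b) % n
        out.append(r)
    return out

def recover(r0: int, r1: int, r2: int, n: int):
    """Solve r1 = a r0 + b and r2 = a r1 + b (mod n) for (a, b).
    Subtracting gives (r1 - r2) = a (r0 - r1); divide when r0 - r1 is
    invertible mod n (always, for prime n and r0 != r1)."""
    diff = (r0 - r1) % n
    if gcd(diff, n) != 1:
        raise ValueError("r0 - r1 not invertible mod n; use other outputs")
    a = ((r1 - r2) * pow(diff, -1, n)) % n
    b = (r1 - a * r0) % n
    return a, b

def predict_next(outputs: list, n: int) -> int:
    a, b = recover(outputs[0], outputs[1], outputs[2], n)
    return (a * outputs[-1] + b) % n

if __name__ == "__main__":
    a, b = recover(*OUTPUTS, N)
    print(a, b, predict_next(OUTPUTS, N))
```

    Three outputs sufficed because n was known; with n unknown a few more outputs are needed, but the generator is still recoverable, so an LCG must never be used to produce keys or pads.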

  • Vernam Cipher. Gilbert Vernam, 1918. Choose a keyword as long as the plaintext with no statistical relationship to it [Sta99, pg. 40]. Works on bits.

    c_i = p_i ⊕ k_i

    One Time Pad (Joseph Mauborgne): Use a random key as long as the message, but only once!

    Classical Ciphers p.59

  • Rotor Machines

    Three rotors plus a reflector. After every letter was encrypted, the rotor turned like an odometer. Each letter is encrypted by effectively a new monoalphabetic substitution cipher.

    Classical Ciphers p.60

  • Knapsack Encryption. Given a set of integers a_1, a_2, . . . a_n, find whether a subset of them adds up to a given integer t. For example, for the set

    A = {4, 7, 33, 1, 12, 78, 11, 291}

    Is there a subset that adds up to 17? To 129? To encrypt text, say NUS IS GREAT, use the ASCII bit sequence of each character to select the set of numbers in the knapsack to add. So

    N = 0x4E = 01001110 = 7 + 12 + 78 + 11 = 108.
    U = 0x55 = 01010101 = 7 + 1 + 78 + 291 = 377.
    . . . and so on . . .

    Classical Ciphers p.61

  • Knapsack Encryption. . . Alternatively, the knapsack can have 16 numbers and you can encrypt two characters at a time. Suppose that

    A = {4, 7, 33, 1, 12, 78, 11, 291, 101, 29, 1101, 561, 487, 9826, 791, 893}

    Then you encrypt the message as

    NU SI SG RE AT

    The difficulty is that solving the general knapsack is as difficult for the recipient as it is for the enemy.

    Classical Ciphers p.62

  • Merkle-Hellman Knapsack Encryption

    Make the problem difficult for the enemy but easy for the recipient! A superincreasing knapsack is one in which the integers in the knapsack form a superincreasing sequence. That is

    a_k > Σ_{j=1}^{k−1} a_j

    Instructor note: give a demo of a superincreasing sequence using printSuperIncreasingSeq(superIncreasingSeq(7)). An example is the sequence

    A = {77, 105, 192, 392, 801, 1662, 3286, 6537}

    Classical Ciphers p.63

  • Merkle-Hellman Knapsack Encryption. . .

    Now supposing one were to ask if there's a subset of #s in the knapsack that add up to 2967, there's an easy way to find it! But the problem is that solving a superincreasing knapsack is as easy for the enemy as it is for the recipient! So we try to confound the enemy by transforming a superincreasing knapsack into a random one.

    Classical Ciphers p.64

  • En/decryption with MH Knapsacks

    Choose a prime m > Σ a_i. Choose a w relatively prime to m. Transform A into B such that b_i = w · a_i mod m. Let's say that m = 13917 for the example above and that w = 269. Then

    B = {6796, 411, 9897, 8029, 6714, 1734, 7163, 4911}

    To encode the character N, which is 01001110, we might do 411 + 6714 + 1734 + 7163 = 16022. To decode this number, the recipient does 269^{−1} · 16022 mod 13917 = 3725 · 16022 mod 13917 = 5854. Solving the superincreasing knapsack for 5854 gives the set 105 + 801 + 1662 + 3286!

    Classical Ciphers p.65
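    The whole Merkle-Hellman round trip of the last three slides, as an added example (not the slides' own code): the superincreasing check, the public key B = w·A mod m, encryption of the character N by a subset sum over B, and decryption by multiplying with w⁻¹ mod m and solving the easy (greedy) superincreasing knapsack. A, m and w are the slide's values; note that the code checks the two conditions the transform actually needs, m > Σ a_i and gcd(w, m) = 1, rather than primality of m.

```python
"""Merkle-Hellman knapsack with the slide's parameters (added example;
A, M and W are copied from the slides, function names are mine)."""
from math import gcd

A = [77, 105, 192, 392, 801, 1662, 3286, 6537]   # private, superincreasing
M, W = 13917, 269                                 # modulus and multiplier

def is_superincreasing(seq) -> bool:
    total = 0
    for a in seq:
        if a <= total:
            return False
        total += a
    return True

def public_key(private, m: int, w: int) -> list:
    # The transform is invertible when m exceeds the sum of the private
    # knapsack and w is coprime to m; the slide's m = 13917 satisfies both.
    if m <= sum(private) or gcd(w, m) != 1:
        raise ValueError("need m > sum(A) and gcd(w, m) == 1")
    return [(w * a) % m for a in private]

def bits(byte: int, width: int) -> list:
    """Most significant bit first, matching the slide's 01001110 for N."""
    return [(byte >> (width - 1 - i)) & 1 for i in range(width)]

def encrypt_byte(byte: int, pub) -> int:
    return sum(b for bit, b in zip(bits(byte, len(pub)), pub) if bit)

def solve_superincreasing(target: int, seq) -> list:
    """Greedy from the largest element; correct only for superincreasing seq."""
    chosen = [0] * len(seq)
    for i in range(len(seq) - 1, -1, -1):
        if seq[i] <= target:
            chosen[i] = 1
            target -= seq[i]
    if target != 0:
        raise ValueError("no subset sums to the target")
    return chosen

def decrypt_byte(cipher: int, private, m: int, w: int) -> int:
    s = (pow(w, -1, m) * cipher) % m         # undo the multiplier: w^-1 * c
    chosen = solve_superincreasing(s, private)
    return int("".join(map(str, chosen)), 2)
```

    The greedy solver is what makes the private knapsack "easy for the recipient"; run it directly on a ciphertext over B (a non-superincreasing set) and it fails, which is the asymmetry the scheme relies on.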

  • En/decryption with Knapsacks. . . Practical Implementation

    Generate random numbers 0 < r_i < 2^200 and choose

    a_i = 2^{200+i−1} + r_i

    Classical Ciphers p.66

  • Why is the Knapsack considered hard?

    The general knapsack problem is NP Complete!

    Classical Ciphers p.67

  • A primer on complexity theory

    f(n) is said to be O(g(n)) if ∃ c, n_0 such that f(n) ≤ c|g(n)| ∀ n ≥ n_0.

    Example: f(n) = 17n + 10 is O(n) because

    17n + 10 ≤ 18n for n_0 = 10.

    Instructor note: demo plot [n=1:100] 17*n+10, 18*n.

    Example: f(n) = a_t n^t + a_{t−1} n^{t−1} + ⋯ + a_0 is O(n^t).

    Classical Ciphers p.68

  • A little primer on complexity theory. . .

    The class P: problems that can be solved in time bounded by a polynomial function of the problem size. For example, sorting, finding the max of a set of numbers, multiplication, exponentiation. The class NP: problems that can be verified in polynomial time. For example, Hamiltonian cycle, CNF satisfiability. The class NP Complete: problems in NP to which every other problem in NP can be reduced in polynomial time. If an NP Complete problem yields a polynomial time solution, then P = NP. In some sense then, these are the hardest problems to solve in the class NP.

    We know that P ⊆ NP, that P ≠ EXP. But is P = NP?

    Classical Ciphers p.69

  • Lessons. Compress before you encrypt.

    Classical Ciphers p.70

  • Number Theory. Chapter 3 of textbook

    Classical Ciphers p.71

  • Modular Arithmetic. If a mod n = b, then a = c · n + b. When you reduce a number a modulo n you usually want 0 ≤ b < n. Division Principle [Bar02, pg. 61]: Let n be a positive integer and let a be any integer. Then there is exactly one pair of integers (c, b), 0 ≤ b < n, such that

    a = c · n + b

    Examples: 17 mod 5 = 2. 5 mod 17 = 5. −8 mod 3 = 1.

    Number Theory p.72

  • Modular Arithmetic. . . Some interesting properties of modular arithmetic:

    (a + b) mod n = (a mod n + b mod n) mod n
    (a · b) mod n = (a mod n · b mod n) mod n

    a^{−1} mod n ?= (a mod n)^{−1}

    which implies for example that

    (a · (b + c)) mod n
    = (a mod n · (b + c) mod n) mod n
    = (a mod n · (b mod n + c mod n) mod n) mod n

    Number Theory p.73

  • Modular Arithmetic. . . Example:

    (1234^103 · (1234^32 + 1004^245)) mod 7
    = 2^103 · (2^32 + 3^245) mod 7
    = 2^102 · 2 · (2^32 + 3^245) mod 7
    = (2^3)^34 · 2 · (2^32 + 3^245) mod 7
    = 8^34 · 2 · (2^32 + 3^245) mod 7
    = 1^34 · 2 · (2^32 + 3^245) mod 7
    = 2 · (4 + 5) mod 7
    = 2 · 2 mod 7
    = 4

    Number Theory p.74

  • Modular Arithmetic. . . Or, it is

    676427237703960480800617805514490628463396578265560602366454373169767529513846767463207919355956469397510085357406342926865506157985561680695208896384623297418220848803884955876363418030350483247250724631483325801396011637588071639599806167994193309583778563056012382635920726053970067991456773244997104100369413491102455032364389933341274984765464297162616658498629615474403373088517597556976620658033217438802808681826205865918668079145490647409345949063789681229965740727240610788809170465374269971438771754620002236124722436864506245588251677886076929770205524007172037257055742380864415433040887992580892514085538198662824039695765741786689601499720253798960729515852625876184645304451447920538193868342217303926500545181287079103392181283330834131979868926531264458479736358778622572499449415763943865945787807559542444116942358643003465906749115689733174380263588454966723817890990398474943100607903083886568549182736368333115158684387147293334739082872093966419871

    0347727796483110738685594792944199344858089699587734429853257643035321271289118720 mod 7 = 4

    Number Theory p.75

  • Modular Exponentiation

    Say you want to compute 6^469 mod 7. You could compute

    6 · 6 · 6 ⋯ (469 times)

    Or, observe that

    469 = 111010101_2 = 2^8 + 2^7 + 2^6 + 2^4 + 2^2 + 2^0

    That is

    6^469 = 6^{2^8} · 6^{2^7} · 6^{2^6} · 6^{2^4} · 6^{2^2} · 6^{2^0}

    Instructor note: so instead compute each term individually with one multiply each. That is, compute 6^2, 6^4, 6^8, 6^16, 6^32, 6^64, 6^128, 6^256 by repeated squaring.

    Number Theory p.76
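    Square-and-multiply, written from the decomposition above, as an added example (not the slides' code): the exponent is scanned bit by bit, the base is squared once per bit, and a multiply is done only for the set bits. A helper lists the powers of two the slide writes out for 469, and the last function re-does the earlier slide's (1234^103 · (1234^32 + 1004^245)) mod 7 without ever forming the thousand-digit number.

```python
"""Square-and-multiply modular exponentiation (added example; function
names are mine)."""
def modexp(base: int, exp: int, mod: int) -> int:
    """Right-to-left binary method: one squaring per exponent bit and one
    extra multiply per set bit, all reduced mod `mod`."""
    if mod == 1:
        return 0
    result, b = 1, base % mod
    while exp > 0:
        if exp & 1:                     # this bit of the exponent is set
            result = (result * b) % mod
        b = (b * b) % mod               # next term: base^(2^i) mod m
        exp >>= 1
    return result

def power_of_two_terms(exp: int) -> list:
    """Exponent as a sum of powers of two, e.g. 469 -> [8, 7, 6, 4, 2, 0]."""
    return [i for i in range(exp.bit_length() - 1, -1, -1) if (exp >> i) & 1]

def slide_reduction(mod: int = 7) -> int:
    """(1234^103 * (1234^32 + 1004^245)) mod 7, computed term by term."""
    return (modexp(1234, 103, mod)
            * (modexp(1234, 32, mod) + modexp(1004, 245, mod))) % mod

def multiplications(exp: int) -> int:
    """Squarings plus multiplies the method performs for this exponent."""
    return (exp.bit_length() - 1) + bin(exp).count("1")
```

    For 469 the method does 8 squarings and 6 multiplies instead of 468 multiplications, and the intermediate values never exceed the modulus; this cost model (linear in the bit length of the exponent) is what makes RSA-sized exponents practical.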

  • GCD. The GCD of two numbers a and b is the largest integer that divides both a and b.

    GCD(a, b) = GCD(b, a mod b)

    If d|a & d|b (LHS) then d|b & d|(a mod b) (RHS). I.e., all divisors of the LHS are also divisors of the RHS. Similarly, if d|b & d|(a mod b) ⇒ d|a.

    Instructor note: why doesn't GCD(a, b) = GCD(a, a mod b) work? Because you can't go in the reverse direction, i.e., d|a & d|(a mod b) ⇏ d|b. This is because if d|(a mod b) then d|(a − kb), but it may be that d|k instead of b.

    Number Theory p.77

  • GCD. . .

    Picture a as a bar split into two pieces: | a % b | k·b |, which together span | a |.

    Number Theory p.78

  • ax + by = d

    Theorem [TW02, Page 64].

    Let a and b be two integers, with at least one of a, b ≠ 0, and let d = gcd(a, b). Then ∃ integers x, y such that

    ax + by = d

    In particular, if a and b are relatively prime, then ∃ integers x, y such that

    ax + by = 1

    Proof: By induction on the GCD procedure.

    Number Theory p.79

  • Inverse. The inverse of an element x mod n is the element y s.t.

    xy ≡ 1 (mod n)

    Consider the set of numbers modulo 9. Not every number has an inverse modulo 9. In fact, only numbers coprime to 9 have inverses!

    Number Theory p.80

  • Inverse mod 9 (multiplication table)

    ×  0 1 2 3 4 5 6 7 8
    0  0 0 0 0 0 0 0 0 0
    1  0 1 2 3 4 5 6 7 8
    2  0 2 4 6 8 1 3 5 7
    3  0 3 6 0 3 6 0 3 6
    4  0 4 8 3 7 2 6 1 5
    5  0 5 1 6 2 7 3 8 4
    6  0 6 3 0 6 3 0 6 3
    7  0 7 5 3 1 8 6 4 2
    8  0 8 7 6 5 4 3 2 1

    Number Theory p.81

  • EGCD. The Extended Euclidean Algorithm EGCD(f, d) permits one to find d^{−1} (mod f) and f^{−1} (mod d) [provided that GCD(f, d) = 1] in addition to GCD(f, d). Start with the vectors

    (1, 0, f) & (0, 1, d)

    and reduce one vector with another by subtracting a multiple of one from the second until the result has the third component 1.

    Number Theory p.82

  • EGCD. . . Both vectors maintain the invariant

    f·x_1 + d·x_2 = x_3

    Eventually, you get an equation of the form

    f·x_1 + d·x_2 = 1

    This gives x_2 = d^{−1} (mod f) and x_1 = f^{−1} (mod d).

    Instructor note: show examples of GCD & EGCD using RSA.pm and /bin/perl/egcd.

    Number Theory p.83

  • Modular Division. Proposition [TW02, Page 68].

    Let a, b, c, n be integers with n ≠ 0 and with GCD(a, n) = 1. If ab ≡ ac (mod n) then

    b ≡ c (mod n)

    Example: 2 · 1 ≡ 2 · 4 (mod 6), but 1 ≢ 4 (mod 6). Solving ax ≡ c (mod n), GCD(a, n) = 1, is now easy.

    Number Theory p.84

  • Modular Division. . . In the equation ax ≡ b (mod n), what if GCD(a, n) = d > 1?

    If d ∤ b, there is no solution. Otherwise solve (a/d)x ≡ (b/d) (mod n/d). Let the solution be x_0. Then a·x_0 ≡ b (mod n). The solutions of ax ≡ b (mod n) are the unique values mod n that satisfy the equation above. The equation has d roots mod n,

    x_0, [x_0 + (n/d)], [x_0 + 2(n/d)], . . . , [x_0 + (d−1)(n/d)]

    Each is distinct mod n, but ≡ mod n/d.

    Number Theory p.85

  • Modular Division. . .

    Number line: 0, n/d, 2n/d, . . . , n. There's a solution 0 < x_0 < n/d for (a/d)x ≡ (b/d) (mod n/d). But if x_0 is a solution, then so is x_0 + k·n/d. But x_0 and x_0 + k·n/d are ≢ mod n for 0 < k < d.

    Number Theory p.86
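    An added example (not the slides' or RSA.pm code) covering the EGCD and Modular Division slides together: the extended Euclidean algorithm in exactly the vector form above, reducing (1, 0, f) and (0, 1, d) while keeping the invariant f·x_1 + d·x_2 = x_3, the modular inverse it yields (None when gcd ≠ 1, as for 3 mod 9), and a solver for ax ≡ b (mod n) that returns all d roots when d = gcd(a, n) divides b and nothing otherwise. Function names are my choices.

```python
"""Extended Euclid in the slides' vector form, modular inverses and the
d-root solver for a x = b (mod n) (added example; names are constructed)."""
def egcd(f: int, d: int):
    """Return (x1, x2, g) with f*x1 + d*x2 = g = gcd(f, d)."""
    u, v = (1, 0, f), (0, 1, d)          # each satisfies f*x1 + d*x2 = x3
    while v[2] != 0:
        q = u[2] // v[2]
        # Subtracting q times one vector from the other keeps the invariant.
        u, v = v, tuple(ui - q * vi for ui, vi in zip(u, v))
    return u

def modinv(x: int, n: int):
    """x^-1 mod n, or None when gcd(x, n) != 1 (no inverse exists)."""
    x1, x2, g = egcd(n, x)               # n*x1 + x*x2 = g
    return x2 % n if g == 1 else None

def solve_linear_congruence(a: int, b: int, n: int) -> list:
    """All solutions of a x = b (mod n): [] if gcd(a, n) does not divide b,
    otherwise the d = gcd(a, n) roots x0 + k*(n/d), k = 0 .. d-1."""
    _, _, d = egcd(a, n)
    if b % d != 0:
        return []
    a2, b2, n2 = a // d, b // d, n // d  # reduced equation, gcd(a2, n2) == 1
    x0 = (modinv(a2, n2) * b2) % n2      # unique mod n/d
    return [x0 + k * n2 for k in range(d)]

def invertible_mod(n: int) -> list:
    """Residues with an inverse mod n (exactly those coprime to n)."""
    return [x for x in range(n) if modinv(x, n) is not None]
```

    invertible_mod(9) returns 1, 2, 4, 5, 7, 8, the rows of the multiplication table above that contain a 1, and solve_linear_congruence(2, 4, 6) returns the two roots 2 and 5 that are distinct mod 6 but equal mod 3, matching the picture on the last slide.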

  • Primes. An integer a > 1 whose only divisors are the trivial divisors 1 and a is said to be a prime number [CLRS01]. Example: 2, 3, 5, 7, 11, 13, 17, 19, 23, 29, . . .

    If n is a composite integer, then n has a prime factor not exceeding √n.

    What this means is that in order to test a number n for primality, it's sufficient to try dividing it by all primes ≤ √n. There are infinitely many primes [Ros93, Theorem 1.17]. n! + 1 cannot have a prime divisor ≤ n.

    Number Theory p.87

  • Primes. . .

    π(n), the number of primes ≤ n, is ~ n/log n as n → ∞. Even though the # of primes is ∞, their density gets sparser and sparser as n → ∞. Approximately speaking, one would need to sample log n numbers to find a prime close to n.

    ▶ Use Gnuplot to plot [n=1:1000000] n/log(n), n to show how n/log(n) varies with n.

    Number Theory p.88

  • Primes. . .

    Consider finding all primes ≤ 25 using the sieve of Eratosthenes.

    1 2 3 4 5

    6 7 8 9 10

    11 12 13 14 15

    16 17 18 19 20

    21 22 23 24 25

    Number Theory p.89

  • Factorization

    Find a factor of n by successively dividing n by primes 2 . . . ⌊√n⌋. To find the factors of n, find x ≢ ±y (mod n) with x² ≡ y² (mod n) [TW02, Sec. 6.3]. Then gcd(x − y, n) gives a non-trivial factor of n. Pollard's p − 1 method: find a number x that's a multiple of p − 1, where p is a non-trivial factor of n. Then for a rel. prime to n (∴ also rel. prime to p),

    a^x ≡ 1 (mod p)

    so p divides a^x − 1, and gcd(a^x − 1, n) is a possible non-trivial factor of n. See [TW02, Sec. 6.4] for details.

    Number Theory p.90

  • Fermat's Theorem

    For prime p and integer b not divisible by p,

    b^(p−1) ≡ 1 (mod p)

    Consider P = 1b · 2b · 3b · · · (p − 2)b · (p − 1)b = b^(p−1) (p − 1)!. Now 1·b ≠ 2·b ≠ 3·b ≠ · · · ≠ (p − 1)·b (mod p) because the residue system mod p is a field and b has an inverse in it. Thus 1b, 2b, . . . merely enumerate the numbers 1 . . . (p − 1) in some order, so P ≡ (p − 1)! (mod p). Canceling out (p − 1)! from both sides [because (p − 1)! is coprime to p] of the equation we get b^(p−1) ≡ 1.

    Number Theoretic Theorems p.91

  • Using Fermats Theorem

    Consider the prime 17. Then 2^16 = 65536 ≡ 1 mod 17. 4^16 = 4294967296 ≡ 1 mod 17. 15^16 = 6568408355712890625 ≡ 1 mod 17.

    Let's try the same exercise with the prime 19. 2^18 = 262144 ≡ 1 mod 19. 4^18 = 68719476736 ≡ 1 mod 19. 15^18 = 1477891880035400390625 ≡ 1 mod 19.

    ▶ If x^(p−1) ≡ 1 mod p, then x · x^(p−2) ≡ 1 mod p. This means that x^(p−2) is the inverse of x mod p.

    Number Theoretic Theorems p.92

  • Euler's theorem

    It is a generalization of Fermat's theorem. Definition: φ(n) is the # of positive integers < n that are relatively prime to n. For e.g., φ(9) = #{1, 2, 4, 5, 7, 8} = 6 (3 and 6 are struck out of 1 . . . 8). If p is prime then φ(p) = (p − 1).

    Theorem: If GCD(x, n) = 1, then

    x^φ(n) ≡ 1 (mod n)

    Number Theoretic Theorems p.93

  • Euler's function

    φ(p^r) = p^r − p^(r−1). Numbers not relatively prime to p^r are p, 2p, . . . , p^r − p. That is p^(r−1) − 1 numbers. Therefore, the # of integers relatively prime to p^r is

    (p^r − 1) − (p^(r−1) − 1) = p^(r−1)(p − 1)

    If gcd(m, n) = 1 then

    φ(mn) = φ(m)φ(n)

    Follows from CRT. The pairs (x, y) with x among the φ(m) residues relatively prime to m and y among the φ(n) residues relatively prime to n are relatively prime to both m and n. Consider CRT^-1 of (x, y) to be a mod (mn). If gcd(a, mn) ≠ 1, let gcd(a, m) = d ≠ 1. Then d | a and d | m, so d | (a mod m).

    Number Theoretic Theorems p.94

  • Primitive Roots

    g is a primitive root of n if ord(g) = φ(n). Not all integers have primitive roots. Integers with primitive roots are of the form: 2, 4, p^k, 2p^k, p an odd prime. When p is a prime, a primitive root mod p is a number whose powers yield every nonzero number mod p.

    Number Theoretic Theorems p.95

  • Primitive Roots. . .

    Powers g^k mod 19 (rows: g = 1 . . . 18; columns: k = 0 . . . 18):

    g\k  0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16 17 18
     1   1  1  1  1  1  1  1  1  1  1  1  1  1  1  1  1  1  1  1
     2   1  2  4  8 16 13  7 14  9 18 17 15 11  3  6 12  5 10  1
     3   1  3  9  8  5 15  7  2  6 18 16 10 11 14  4 12 17 13  1
     4   1  4 16  7  9 17 11  6  5  1  4 16  7  9 17 11  6  5  1
     5   1  5  6 11 17  9  7 16  4  1  5  6 11 17  9  7 16  4  1
     6   1  6 17  7  4  5 11  9 16  1  6 17  7  4  5 11  9 16  1
     7   1  7 11  1  7 11  1  7 11  1  7 11  1  7 11  1  7 11  1
     8   1  8  7 18 11 12  1  8  7 18 11 12  1  8  7 18 11 12  1
     9   1  9  5  7  6 16 11  4 17  1  9  5  7  6 16 11  4 17  1
    10   1 10  5 12  6  3 11 15 17 18  9 14  7 13 16  8  4  2  1
    11   1 11  7  1 11  7  1 11  7  1 11  7  1 11  7  1 11  7  1
    12   1 12 11 18  7  8  1 12 11 18  7  8  1 12 11 18  7  8  1
    13   1 13 17 12  4 14 11 10 16 18  6  2  7 15  5  8  9  3  1
    14   1 14  6  8 17 10  7  3  4 18  5 13 11  2  9 12 16 15  1
    15   1 15 16 12  9  2 11 13  5 18  4  3  7 10 17  8  6 14  1
    16   1 16  9 11  5  4  7 17  6  1 16  9 11  5  4  7 17  6  1
    17   1 17  4 11 16  6  7  5  9  1 17  4 11 16  6  7  5  9  1
    18   1 18  1 18  1 18  1 18  1 18  1 18  1 18  1 18  1 18  1

    If g^x = y mod p then dlog_g y = x.

    Number Theoretic Theorems p.96

  • Primitive Roots. . .

    Let g be a primitive root for prime p [TW02, Sec. 3.7].

    If n is an integer, then g^n ≡ 1 (mod p) iff n ≡ 0 (mod p − 1).

    If j and k are integers, then g^j ≡ g^k (mod p) iff j ≡ k (mod p − 1).

    Number Theoretic Theorems p.97

  • CRT

    See [Knu98, Section 4.3.2].

    Alternative for doing arithmetic on large numbers. Have several moduli m1, m2, . . . , mr relatively prime in pairs and work on residues u mod mi instead of with u. Regard (u1, u2, . . . , ur) as a new type of internal representation for u. Disadvantage: Can't test for >, overflow, or do division.

    Number Theoretic Theorems p.98

  • CRT. . .

    Advantage: Parallelizes multiplication.

    (u1, u2, . . . , ur) + (v1, v2, . . . , vr) = ((u1 + v1) mod m1, . . . , (ur + vr) mod mr)   (1)
    (u1, u2, . . . , ur) − (v1, v2, . . . , vr) = ((u1 − v1) mod m1, . . . , (ur − vr) mod mr)   (2)
    (u1, u2, . . . , ur) × (v1, v2, . . . , vr) = ((u1 v1) mod m1, . . . , (ur vr) mod mr)       (3)

    You can see the above because

    uv mod mi = ((u mod mi)(v mod mi)) mod mi

    This means that the representation of u × v in the mi component should be (u mod mi) × (v mod mi).

    Number Theoretic Theorems p.99

  • CRT. . .

    Proof: Let m = m1 m2 · · · mr and let u1, u2, . . . , ur be integers. Then there is exactly one integer u such that

    0 ≤ u < m,  u ≡ uj (mod mj),  1 ≤ j ≤ r

    Let Mk = m/mk. Then GCD(Mk, mk) = 1. So Mk^-1 mod mk exists. Let this be yk. yk is small, with 0 < yk < mk. Then

    u = (u1 M1 y1 + u2 M2 y2 + · · · + ur Mr yr) mod m

    is the solution of the simultaneous congruences.

    Number Theoretic Theorems p.100

  • CRT Example

    Let m1 = 9, m2 = 10, m3 = 11. Then m = 990. Suppose you wanted to find 889^899 mod 990.

    Find the representation of 889 in the new system, which is (7, 9, 9). Now 889^899 = (7, 9, 9)^899 =

    (7^899 mod 9, 9^899 mod 10, 9^899 mod 11)

    That is = (4, 9, 5). Convert this back to the integer = 49.

    Number Theoretic Theorems p.101

  • Square roots mod p

    Theorem (Euler's criterion): a is a quadratic residue in Z*_p iff

    a^((p−1)/2) ≡ 1 (mod p)

    If a is a QR, then let a = b². Then a^((p−1)/2) = b^(p−1) ≡ 1. If a^((p−1)/2) ≡ 1, let a = g^i for a generator g. So g^(i(p−1)/2) ≡ 1. But g being a generator its ord is p − 1, so (p − 1) | i(p − 1)/2 ⇒ i is even ⇒ a is a QR.

    Number Theoretic Theorems p.102

  • Square roots mod p. . .

    Let p ≡ 3 (mod 4) be prime and let y be an integer. Let x ≡ y^((p+1)/4) (mod p). Then,

    If y has a square root mod p, then they are ±x. Otherwise, −y has a square root mod p, and then they are ±x.

    x⁴ ≡ y^(p+1) ≡ y² y^(p−1) ≡ y² (mod p). This means that x² ≡ +y or x² ≡ −y. So, at least one of ±y is a QR. But by Euler's criterion, only one of them can be, because (p − 1)/2 = (4k + 3 − 1)/2 = 2k + 1 is odd.

    Number Theoretic Theorems p.103

  • Square roots mod p. . .

    Example: Find √26055 mod the prime 34807. 34807 ≡ 3 (mod 4). 26055^((34807+1)/4) (mod 34807) = 33573.

    Example: Find all √1522756 mod 2325781. 2325781 = 523 · 4447. Both 523 and 4447 are ≡ 3 (mod 4). Use CRT to find the four solutions.

    Number Theoretic Theorems p.104
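An added example (not from the slides) covering the CRT slides and the square-root slides together: CRT reconstruction written exactly as the proof has it (u = Σ u_k M_k y_k mod m, with y_k = M_k^-1 mod m_k), the 889^899 mod 990 computation, Euler's criterion, and the y^((p+1)/4) root for p ≡ 3 (mod 4) combined with CRT to get all four roots modulo 523 · 4447. Function names are my own.

```python
# Added example: CRT, componentwise exponentiation, and square roots mod p and mod p*q.


def crt(residues, moduli):
    """Solve u = u_j (mod m_j) for pairwise coprime moduli; returns 0 <= u < m."""
    m = 1
    for mk in moduli:
        m *= mk
    u = 0
    for uk, mk in zip(residues, moduli):
        Mk = m // mk
        yk = pow(Mk, -1, mk)           # M_k^-1 mod m_k exists since gcd(M_k, m_k) = 1
        u += uk * Mk * yk
    return u % m


def crt_pow(base, exp, moduli):
    """base^exp in the residue representation, then converted back to an integer."""
    residues = [pow(base % mk, exp, mk) for mk in moduli]
    return residues, crt(residues, moduli)


def is_qr(a, p):
    """Euler's criterion: a^((p-1)/2) = 1 (mod p) iff a is a quadratic residue."""
    return pow(a, (p - 1) // 2, p) == 1


def sqrt_candidate(y, p):
    """x = y^((p+1)/4) mod p for p = 3 (mod 4); x^2 is y or -y mod p."""
    assert p % 4 == 3
    return pow(y, (p + 1) // 4, p)


def sqrt_mod_pq(y, p, q):
    """All four square roots of y modulo n = p*q, both primes = 3 (mod 4)."""
    if not (is_qr(y, p) and is_qr(y, q)):
        return []                      # y is not a square mod n
    rp, rq = sqrt_candidate(y, p), sqrt_candidate(y, q)
    # combine +-rp with +-rq through the CRT
    return sorted(crt([a, b], [p, q]) for a in (rp, p - rp) for b in (rq, q - rq))


if __name__ == "__main__":
    print(crt_pow(889, 899, [9, 10, 11]))          # ([4, 9, 5], 49)
    print(sqrt_candidate(26055, 34807))            # the slides' first example
    print(sqrt_mod_pq(1522756, 523, 4447))         # the slides' second example
```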

  • Finite Fields

    A field F (sometimes denoted by Fq) is a set of elements with two operations + and · satisfying:

    F is closed under + and ·, commutative w.r.t. + and ·, associative w.r.t. + and ·, and · distributes over +. 0 is the identity for +, 1 is the identity for ·. ∀a ∈ F, ∃ −a such that a + (−a) = 0. ∀a ≠ 0 ∈ F, ∃ a multiplicative inverse a^-1 ∈ F such that a · a^-1 = 1.

    For every power p^n of a prime, there is exactly one finite field with p^n elements, and these are the only finite fields.

    Number Theoretic Theorems p.105

  • The Ring of Polynomials Z2[X]

    This is the set of polynomials whose coefficients ∈ Z2, i.e., {0, 1}.

    x^6 + x^3 + 1 ↔ 01001001. Constants 0, 1. +, −, × are the same as with polynomials except that coefficients are added and multiplied in Z2. Division is possible with a remainder. For e.g.,

    (x^4 + x^3 + 1) / (x^2 + x + 1) = (q = x^2 + 1, r = x)

    Number Theoretic Theorems p.106

  • Irreducible polynomial

    Let F be a field. A nonconstant polynomial f(x) ∈ F[x] is said to be irreducible if f(x) cannot be expressed as a product of two polynomials of lower degree [Gal02, Pg. 295].

    f(x) = 2x² + 4 is irreducible over R but reducible over C. f(x) = x² + 1 is irreducible over Z3 but reducible over Z5: it factors into (x + 2)(x + 3).

    Number Theoretic Theorems p.107

  • Zp[X] mod (irreducible polynomial)

    Procedure for constructing a finite field with p^n elements.

    Zp[X] is the set of polynomials with coefficients mod p. Choose P(x) to be an irreducible polynomial mod p of degree n. Let GF(p^n) be Zp[X] mod P(x). Then GF(p^n) is a field with p^n elements. Using different irreducible polynomials generates isomorphic fields.

    Number Theoretic Theorems p.108

  • GF(2^8) and AES

    Convenient to represent a field element as a byte. The irreducible polynomial is x^8 + x^4 + x^3 + x + 1.

    Number Theoretic Theorems p.109

  • Examples

    Show that x^4 + x + 1 is irreducible in Z2[x].
    ▶ At least one factor is of degree ≤ 2. Possible choices are x² + x + 1, x² + 1, x + 1. None of them divide x^4 + x + 1.

    Show that x^16 ≡ x (mod x^4 + x + 1).

    Number Theoretic Theorems p.110
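An added example (not from the slides) for the Z2[X] slides, the GF(2^8) slide and the two exercises above: polynomials over Z2 stored as Python ints (bit i is the coefficient of x^i, so x^6 + x^3 + 1 is 0b01001001), with long division, the trial-division irreducibility check the slides describe, the x^16 ≡ x check, and multiplication and inversion in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1. Function names are my own.

```python
# Added example: arithmetic in Z2[x] and in the AES field GF(2^8).


def deg(a):
    """Degree of the polynomial a (deg(0) = -1)."""
    return a.bit_length() - 1


def poly_mul(a, b):
    """Carry-less multiplication: coefficients add in Z2, i.e. with xor."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r


def poly_divmod(a, b):
    """Long division in Z2[x]; returns (quotient, remainder)."""
    q = 0
    while a and deg(a) >= deg(b):
        shift = deg(a) - deg(b)
        q ^= 1 << shift
        a ^= b << shift                # subtracting is the same as adding in Z2
    return q, a


def poly_powmod(base, exp, mod):
    """base^exp reduced modulo the polynomial mod, by square-and-multiply."""
    result = 1
    while exp:
        if exp & 1:
            result = poly_divmod(poly_mul(result, base), mod)[1]
        base = poly_divmod(poly_mul(base, base), mod)[1]
        exp >>= 1
    return result


def is_irreducible(p):
    """Trial division by every polynomial of degree 1 .. deg(p)//2 (as the slides do)."""
    for d in range(1, deg(p) // 2 + 1):
        for f in range(1 << d, 1 << (d + 1)):      # every polynomial of degree d
            if poly_divmod(p, f)[1] == 0:
                return False
    return True


AES_POLY = 0b1_0001_1011                           # x^8 + x^4 + x^3 + x + 1


def gf256_mul(a, b):
    """Product of two bytes in GF(2^8) = Z2[x] mod (x^8 + x^4 + x^3 + x + 1)."""
    return poly_divmod(poly_mul(a, b), AES_POLY)[1]


def gf256_inv(a):
    """a^-1 = a^254, since a^255 = 1 for every nonzero a (Euler/Fermat in the field)."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^8)")
    return poly_powmod(a, 254, AES_POLY)


if __name__ == "__main__":
    print(poly_divmod(0b11001, 0b111))             # (x^4+x^3+1)/(x^2+x+1) -> (x^2+1, x)
    print(is_irreducible(0b10011))                 # x^4 + x + 1
    print(poly_powmod(0b10, 16, 0b10011) == 0b10)  # x^16 = x mod x^4 + x + 1
    print(hex(gf256_mul(0x57, 0x83)), hex(gf256_inv(0x53)))
```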

  • Ints mod p vs Poly mod irreducible

    Integers                  Zp[X]
    Prime number q            Irreducible P(X) of degree n
    Zq                        Zp[X] (mod P(X))
    Field with q elements     Field with p^n elements

    Number Theoretic Theorems p.111

  • Block & Stream Ciphers

    Chapter 4 of textbook

    Number Theoretic Theorems p.112

  • Block Ciphers

    A block cipher of block size b bits specifies a permutation on b-bit values for each key. DES is a 64-bit block cipher while AES is a 128-bit block cipher.

    [Figure: b bits of plaintext and a k-bit key enter the cipher; b bits of ciphertext leave it.]

    Block Ciphers & DES p.113

  • Block Ciphers. . .

    A b-bit block has 2^b plaintext and ciphertext blocks. This means there are (2^b)! permutations. Thus, a 64-bit block cipher with an 80-bit key is not an anomaly.

    Block Ciphers & DES p.114

  • DES History

    Described in FIPS 46-3.

    Late 60s: Feistel worked on block ciphers. 1972: NBS (NIST) issued RFP. 1974: IBM developed and submitted LUCIFER (64 bit block, 128 bit key). NSA fixed it (S-boxes). 1979: Adopted as a standard, accepted by the banking community. 1999: Broken in 22 hours using exhaustive key search.

    Block Ciphers & DES p.115

  • DES Properties

    Block size = 64 bits; key size = 56 bits. Software nightmare because of permutations and table lookups. Great for pipelining because each round can work on a different key. Key size too short: brute force search possible. Exhibits strong avalanche effect [Sta99, pg. 73]. Complementation property: DES_k'(X') = (DES_k(X))', where ' denotes bitwise complement.

    Block Ciphers & DES p.116

  • Block Ciphers DES

    [Figure: three-round Feistel network. Encryption (top to bottom): (L0, R0) → F with K0 → (L1, R1) → F with K1 → (L2, R2) → F with K2 → (L3, R3). Decryption feeds (R3, L3) into the same network with the keys in reverse order K2, K1, K0 and recovers (R0, L0).]

    Feed swapped from the bottom of the first

    Block Ciphers & DES p.117

  • Block Ciphers DES. . .

    Feistel Structure. Decryption essentially same as encryption. Inverts itself with a reversed key schedule.

    Block Ciphers & DES p.118

  • Block Ciphers DES. . .

    The initial permutation IP.

    58 50 42 34 26 18 10  2
    60 52 44 36 28 20 12  4
    62 54 46 38 30 22 14  6
    64 56 48 40 32 24 16  8
    57 49 41 33 25 17  9  1
    59 51 43 35 27 19 11  3
    61 53 45 37 29 21 13  5
    63 55 47 39 31 23 15  7

    Input bit 58 goes to output bit 1. Bits are numbered from the top-left (1) to the bottom-right (64). Table shows the sequence of connections of output bits after IP.

    Block Ciphers & DES p.119

  • Block Ciphers DES. . .

    IP^-1 is the inverse of IP. If bit x goes to bit y in IP, then bit y goes to bit x in IP^-1.

    Block Ciphers & DES p.120

  • Block Ciphers DES. . .

    The E bit selection table. Converts 32 → 48 bits.

    32  1  2  3  4  5
     4  5  6  7  8  9
     8  9 10 11 12 13
    12 13 14 15 16 17
    16 17 18 19 20 21
    20 21 22 23 24 25
    24 25 26 27 28 29
    28 29 30 31 32  1

    Divide input into groups of four (eight sets). Convert each group into six by borrowing from adjacent members. Bit 32 in the input becomes bit 1 in the output etc. Bits are numbered from the left (1) to the right (64).

    Block Ciphers & DES p.121

  • Block Ciphers DES. . .

    The S boxes (S1 shown).

    row   0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
     0   14  4 13  1  2 15 11  8  3 10  6 12  5  9  0  7
     1    0 15  7  4 14  2 13  1 10  6 12 11  9  5  3  8
     2    4  1 14  8 13  6  2 11 15 12  9  7  3 10  5  0
     3   15 12  8  2  4  9  1  7  5 11  3 14 10  0  6 13

    Take the first and last bit of the input as a two-bit binary number to index the row. Take the middle four bits as a binary number to index the column. Bits are numbered from the left (1) to the right (64).

    Block Ciphers & DES p.122

  • Block Ciphers DES. . .The key schedule.

    PC1 maps 64 bits → 56 bits. Bits 8, 16, 24, 32, 40, 48, 56, 64 are parity bits and are skipped. Bits are numbered from the left (1) to the right (64).

    PC2 maps 56 bits → 48 bits. It's the same at each step. Fixed left shifts at each step.

    Block Ciphers & DES p.123

  • Block Cipher Modes

    Used to encrypt something other than exactly a block size. Doesn't provide tamper resistance by itself.

    Block Ciphers & DES p.124

  • Block Cipher Modes ECB

    Ci = Ek(Mi). It's malleable, i.e., an active intruder can swap Ci and Cj or compose whole messages from parts of separate ones, as in for e.g., [Pfl96, Section 4.4]:

    Depositor   Account #   Amount
    24B         8B          8B

    ▶ And it's prone to dictionary attacks, i.e., Ci = Cj ⇒ Mi = Mj. In DES, there are 2^64 CTs, so by the birthday paradox there's a probability > .5 that 2^32 blocks of random CTs will result in a collision. This is = 8 · 2^32 bytes = 32GB of text.

    Block Ciphers & DES p.125

  • Block Cipher Modes CBC

    Ci = Ek(Mi ⊕ Ci−1). IV is secret because initial parts of the message may be known, such as e-mail headers etc., which would provide a (M, C) pair. A transmission error affects at most two plaintext blocks, the block containing the error and the following one. Decryption: Mi = Dk(Ci) ⊕ Ci−1.

    Block Ciphers & DES p.126

  • Block Cipher Modes OFB

    Ci = Pi ⊕ E^i_k(IV), i.e., the i-th keystream block is the IV encrypted i times over. Turns DES into a stream cipher-like mode. Both IV and K are secret. Nobody uses it because there are much faster stream ciphers. Transmission bit errors do not propagate.

    Block Ciphers & DES p.127

  • Block Cipher Modes CFB

    Ci = Pi ⊕ Ek(Ci−1). Also a stream mode of operation. Transmission error affects at most two plaintext blocks. Decryption: Pi = Ci ⊕ Dk(Ci−1).

    ▶ So it seems that a transmission error affects at most two plaintext blocks in this case as well because in order to decrypt Ci, one only needs Ci and Ci−1.

    Block Ciphers & DES p.128

  • DES Properties. . .

    ∃ keys k in DES such that DES_k(DES_k(m)) = m

    Or, keys k such that DES_k(m) = DES_k^-1(m). These are called weak keys. These are keys that generate a key schedule in which

    k1 = k2 = · · · = k16

    Block Ciphers & DES p.129

  • DES Properties. . .

    ∃ keys k, k' in DES such that ∀m, c = DES_k(m) ⇒ m = DES_k'(c)

    Or that DES_k'(DES_k(m)) = m [x5c, Q. 67]. These are called semi-weak keys. The key schedule for k' is the reverse of that of k.

    ▶ Show my m4 diagram of propagating L0, R0 to L16, R16.

    Block Ciphers & DES p.130

  • DES Properties. . .

    Weak keys in DES are [Pfl96, Table 3-10]:

    Left half   Right half   Weak Key Value
    zeros       zeros        0101010101010101
    ones        ones         FEFEFEFEFEFEFEFE
    zeros       ones         1F1F1F1F0E0E0E0E
    ones        zeros        E0E0E0E0F1F1F1F1

    Examples of semi-weak keys in DES are [Pfl96, Table 3-11]:

    (01FE01FE01FE01FE, FE01FE01FE01FE01)

    Block Ciphers & DES p.131

  • Avalanche Effect

    Δ in PT or Key → Δ in CT.
    ▶ Extra Credit: Study and present another block cipher and summarize it in a single page.

    Block Ciphers & DES p.132

  • Block Cipher Design Principles

    # of rounds: the more the better. Design of the F function (provides confusion). Key Scheduling.

    Block Cipher Design Principles p.133

  • Block Cipher Design Principles. . .

    Design of the F function in the context of Feistel ciphers.

    As non-linear as possible. Strict avalanche criterion: ∀i, j, any output bit j of an S-box should change with probability 1/2 when single input bit i is inverted. Or, a boolean expression involving any output bit involves all input bits. Bit independence criterion: ∀i, j, k, output bits j, k should change independently when any single input bit i is inverted.
    ▶ Approximately speaking, 00, 01, 10, 11 (1 = bit flip, 0 = no bit flip) should be equiprobable. For all inputs, create 2^(m−1) pairs, one in which input bit i = 0 and the other in which the input bit i = 1 . . . See [WT85] for more details.

    Block Cipher Design Principles p.134
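An added example (not from the slides) that measures the strict avalanche criterion above on the DES S-box S1 from the earlier slide, indexing rows and columns exactly as that slide describes: for each input bit i and output bit j it computes the fraction of the 64 inputs for which flipping i flips j, and it also reports the smallest number of output bits any single-input-bit flip changes. Function names are my own.

```python
# Added example: avalanche measurements on DES S-box S1.

S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]


def sbox(table, x):
    """6-bit input -> 4-bit output; bit 1 is the leftmost (most significant) bit."""
    row = (((x >> 5) & 1) << 1) | (x & 1)     # first and last input bit
    col = (x >> 1) & 0xF                       # middle four bits
    return table[row][col]


def avalanche_matrix(table):
    """P[i][j] = probability that flipping input bit i+1 flips output bit j+1.

    The strict avalanche criterion asks every entry to be close to 1/2.
    """
    counts = [[0] * 4 for _ in range(6)]
    for x in range(64):
        y = sbox(table, x)
        for i in range(6):
            diff = y ^ sbox(table, x ^ (1 << (5 - i)))   # flip input bit i+1
            for j in range(4):
                counts[i][j] += (diff >> (3 - j)) & 1    # did output bit j+1 flip?
    return [[c / 64 for c in row] for row in counts]


def min_output_change(table):
    """Fewest output bits that change over all inputs and all single-bit input flips."""
    best = 4
    for x in range(64):
        for i in range(6):
            d = sbox(table, x) ^ sbox(table, x ^ (1 << i))
            best = min(best, bin(d).count("1"))
    return best


if __name__ == "__main__":
    for i, row in enumerate(avalanche_matrix(S1), start=1):
        print(f"input bit {i}:", " ".join(f"{p:.3f}" for p in row))
    print("min output bits changed per single-bit flip:", min_output_change(S1))
```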

  • Attacks on Block Ciphers: Exhaustive Search

    Try all possible keys. 2^56 keys ≈ 10^19 keys.

    Cost                      Time
    1 DES encryption/s        > 1000 years
    Wiener $100K machine      35 hours
    Wiener $1M machine        3.5 hours = 210 mins
    Wiener $10M machine       21 mins

    Block Cipher Design Principles p.135

  • Attacks on Block Ciphers: Differential Cryptanalysis

    Biham & Shamir 1989. O(2^47) time and O(2^47) (M, C) pairs on DES. If the S-boxes were random, a differential cryptanalytic attack would require O(2^20) time and O(2^20) (M, C) pairs.

    Block Cipher Design Principles p.136

  • Attacks on Block Ciphers: Linear Cryptanalysis

    Breaks DES in O(2^43) time and O(2^43) randomly chosen (M, C) pairs [Mat93]. Essentially a known-plaintext attack.

    Block Cipher Design Principles p.137

  • Linear Cryptanalysis. . .

    Find effective linear expressions for DES of the form

    P[i1, i2, . . . , ia] ⊕ C[j1, j2, . . . , jb] = K[k1, k2, . . . , kc]

    that hold with probability p. |p − 1/2| represents the effectiveness of the equation. Guess that the equation holds with = if p > 1/2 and with ≠ otherwise. Can then determine one key bit K[k1, k2, . . . , kc] as follows:

    Evaluate P[i1, i2, . . . , ia] ⊕ C[j1, j2, . . . , jb] with N random samples. Let T of them evaluate to 0. If p > 1/2, guess K[k1, k2, . . . , kc] = ⌈T/N⌉. If p < 1/2, guess K[k1, k2, . . . , kc] ≠ ⌈T/N⌉.

    Block Cipher Design Principles p.138

  • Linear Cryptanalysis: Linear Approximation of S-boxes

    Given that for S5 (S box #5), the 4th input bit is related to the four output bits with probability 12/64, we can propagate this equation through a three round DES as follows (rounds 1 and 3) [Mat93]:

    [Figure: three-round DES with halves PH, PL → X1, X2, X3 → CH, CL, round functions F1, F2, F3 and round keys K1, K2, K3; the approximation uses input bit [15], output bits [7,18,24,29] and key bit [22] in rounds 1 and 3.]

    Block Cipher Design Principles p.139

  • Linear Cryptanalysis: Linear Approximation of S-boxes. . .

    X2[7, 18, 24, 29] ⊕ PH[7, 18, 24, 29] ⊕ PL[15] = K1[22]
    X2[7, 18, 24, 29] ⊕ CH[7, 18, 24, 29] ⊕ CL[15] = K3[22]

    Canceling X2[7, 18, 24, 29] we get^a

    PH[7, 18, 24, 29] ⊕ CH[7, 18, 24, 29] ⊕ PL[15] ⊕ CL[15] = K1[22] ⊕ K3[22]

    Extra Credit: Break 5-round DES as described in [Mat93].

    ^a Look at it this way: X1[15] ⊕ K1[22] = PH[7, 18, 24, 29] ⊕ X2[7, 18, 24, 29] and X3[15] ⊕ K3[22] = X2[7, 18, 24, 29] ⊕ CH[7, 18, 24, 29], where in the figure X1 = PL and X3 = CL.

    Block Cipher Design Principles p.140

  • DES Variants: Double-DES

    If Ek(M) is a symmetric cipher, then define

    DE_{k1,k2}(M) = E_{k1}(E_{k2}(M))

    Pictorially, it is M → E_{k2} → E_{k1} → C.

    Block Cipher Design Principles p.141

  • DES Variants: Double-DES. . .

    Susceptible to meet-in-the-middle attack. Given an (M, C) pair:

    Step 1: Build the following table (sorted on Ek(M)) for all keys k

    k1    E_{k1}(M)
    k2    E_{k2}(M)
    ...
    ki    E_{ki}(M)

    Step 2: ∀y, check if E_y^-1(C) is in the table for some key x. Then (x, y) encrypts M → C. For a k bit key, time ≈ 2^k + 2^k log 2^k ≈ k · 2^k. That is, given enough space, DE is only as secure as E.

    Block Cipher Design Principles p.142

  • DES Variants: Triple-DES

    If Ek(M) is a symmetric cipher, then define

    2KTE_{k1,k2} = E_{k1} ∘ D_{k2} ∘ E_{k1}

    Key length = 112 bits for DES. D_{k2} only for backward compatibility, could use E instead.

    Block Cipher Design Principles p.143

  • DES Variants: Triple-DES. . .

    Effective key length is k bits in a CCA/CPA.

    [Figure: two-key triple DES on the block P = 0: P → A (key K1) → X → B (key K2) → Y → C (key K1) → Z.]

    ▶ For all keys k compute D_{k2}(0) in a table T. Now, for each key k, find p = D_k(0). Do a CPA on p to find the corresponding z. From this (z, k) find y. See if y occurs in T. This is a possible pair of keys for T-DES.

    Except for an uncommon attack noted by Merkle, triple DES does yield the expected strength of 2^112 [P96, Section 4.5].

    Block Cipher Design Principles p.144

  • DES Variants: Triple-DES. . .

    Better to use three independent keys.

    TE_{k1,k2,k3} = E_{k1} ∘ D_{k2} ∘ E_{k3}

    Effective key length = 112 bits in a KPA (meet-in-the-middle).

    Block Cipher Design Principles p.145

  • DES Variants: DESX

    DESX: Actually a generic construction.

    E_{k1,k2,k3}(M) = k1 ⊕ DES_{k2}(M ⊕ k3)

    Invented by Ron Rivest around 1984. Intended to protect DES against exhaustive key search. Key-size for DESX = 2 · 64 + 56 = 184 bits. Effective key length = 64 + 56 − 1 = 119 bits [KR96]. DESX has hardly any computational overhead over ordinary DES.

    Block Cipher Design Principles p.146

  • DES Variants: DESX. . .

    DESX is secure against generic (black box) attacks such as exhaustive search [KR96]. DES_k(M ⊕ k') and DES_k(M) ⊕ k' are no good.
    ▶ To break the former assume that you have two pairs (m1, c1), (m2, c2). Now, for each k, (m1, c1) reveals a k' that can be verified with (m2, c2). So you just need to cycle through the space for k. The latter is simpler: given (m1, c1), (m2, c2), c1 ⊕ c2 = E_k(m1) ⊕ E_k(m2). So you again cycle through the space of k to satisfy one or more such relations.

    DESX assumes DES to be an ideal cipher, i.e., π1, π2, . . . , π_{2^|k|} are independent random permutations.

    Extra Credit: Read [KR96] and summarize in one page.

    Block Cipher Design Principles p.147

  • Stream Ciphers

    Let's approximate OTP with a pseudo-random OTP key. The pseudo-random generator seed is the key.

    Block Cipher Design Principles p.148

  • Stream Ciphers: LFSR

    [Figure: n-stage shift register with cells r_n . . . r_1 and feedback taps.]

    Goal: Choose taps and initial content so that the period is as long as possible. Hope for 2^n − 1 (exclude all 0s).

    Block Cipher Design Principles p.149

  • Stream Ciphers: LFSR. . .

    Pro: Very fast in hardware. Con: The linearity of the LFSR is its weakness. It can be broken with only 2n bits of known (plaintext, ciphertext).
    ▶ From this you can get 2n bits of key, say k1, . . . , k2n. Form and solve the following equations for the tap values ti:

    k_{n+1} = t_n k_n      + t_{n−1} k_{n−1}  + · · · + t_1 k_1
    k_{n+2} = t_n k_{n+1}  + t_{n−1} k_n      + · · · + t_1 k_2
      .
      .
      .
    k_{2n}  = t_n k_{2n−1} + t_{n−1} k_{2n−2} + · · · + t_1 k_n

    Block Cipher Design Principles p.150
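An added example (not from the slides) of the attack just sketched: generate keystream from an n-stage LFSR, then recover the taps t_1 . . . t_n from 2n known keystream bits by setting up the n equations above and solving them over GF(2) by Gaussian elimination. The recurrence direction and function names are my own; the sample taps are constructed.

```python
# Added example: recovering LFSR taps from 2n keystream bits.


def lfsr_stream(taps, state, nbits):
    """Keystream k_1, k_2, ... with k_{m+n} = t_n k_{m+n-1} + ... + t_1 k_m (xor).
    taps[i-1] = t_i; state = [k_1, ..., k_n] is the initial register content."""
    n = len(taps)
    k = list(state)
    while len(k) < nbits:
        new = 0
        for i in range(n):
            new ^= taps[i] & k[-n + i]
        k.append(new)
    return k[:nbits]


def solve_gf2(rows, rhs):
    """Gaussian elimination over GF(2).  rows: list of bit-lists, rhs: bits.
    Returns the unique solution, or None if the system is singular."""
    n = len(rows[0])
    aug = [row[:] + [b] for row, b in zip(rows, rhs)]
    pivots = []
    r = 0
    for c in range(n):
        piv = next((i for i in range(r, len(aug)) if aug[i][c]), None)
        if piv is None:
            continue                               # no pivot in this column
        aug[r], aug[piv] = aug[piv], aug[r]
        for i in range(len(aug)):
            if i != r and aug[i][c]:
                aug[i] = [a ^ b for a, b in zip(aug[i], aug[r])]
        pivots.append(c)
        r += 1
    if len(pivots) < n:
        return None                                # 2n bits did not pin the taps down
    x = [0] * n
    for i, c in enumerate(pivots):
        x[c] = aug[i][n]
    return x


def recover_taps(keystream, n):
    """Build the slides' n equations from k_1..k_2n and solve for [t_1, ..., t_n]."""
    assert len(keystream) >= 2 * n
    rows = [keystream[i:i + n] for i in range(n)]      # row i: k_{i+1} .. k_{i+n}
    rhs = [keystream[i + n] for i in range(n)]         # k_{n+i+1}
    return solve_gf2(rows, rhs)


if __name__ == "__main__":
    taps, seed = [1, 0, 0, 1], [1, 0, 0, 0]            # constructed 4-stage LFSR
    ks = lfsr_stream(taps, seed, 30)
    print("keystream:", "".join(map(str, ks)))
    print("recovered taps from the first 8 bits:", recover_taps(ks, 4))
```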

  • Stream Cipher: RC4

    Stream ciphers don't encrypt PT blocks directly. Invented in 1987 by Rivest. Reverse engineered and posted on the Cypherpunks mailing list in 1994.

    Seed: A permutation S of the sequence (0 . . . 255) and two numbers 0 ≤ i, j < 256. Derived from the input key.

    Block Cipher Design Principles p.151

  • Stream CipherRC4. . .

    do forever:
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        swap(S[i], S[j])          # update register state
        t = (S[i] + S[j]) % 256
        output S[t]

    Is it secure? Can't prove it. 1997: Run generator for 10^12 iterations. LSb of these 10^12 bytes has slightly more 1s than 0s.

    Block Cipher Design Principles p.152
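An added example (not from the slides) that runs the generator loop above in Python and XORs its output with the plaintext, as a stream cipher does. The slides only say the seed permutation is "derived from the input key"; the key-scheduling step used here is the published RC4 one (an assumption about what the slide leaves out), and the function names are my own.

```python
# Added example: the RC4 generator from the slide, plus the key schedule that seeds it.


def rc4_ksa(key):
    """Seed: a permutation S of 0..255 derived from the key (published RC4 KSA)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    return S


def rc4_keystream(S, n):
    """n output bytes of the generator loop exactly as written on the slide."""
    S = S[:]
    i = j = 0
    out = []
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]            # update register state
        t = (S[i] + S[j]) % 256
        out.append(S[t])
    return out


def rc4_crypt(key, data):
    """Encrypt or decrypt (same operation): data xor keystream."""
    ks = rc4_keystream(rc4_ksa(key), len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


if __name__ == "__main__":
    c = rc4_crypt(b"Key", b"Plaintext")
    print(c.hex())                                  # bbf316e8d940af0ad3
    print(rc4_crypt(b"Key", c))                     # b'Plaintext'
```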

  • Features of Rijndael

    Pronounced as Rhine-doll. Joan Daemen (of Proton World International) and Vincent Rijmen (of Katholieke Universiteit Leuven). Allows only 128, 192, and 256-bit key sizes (unlike the other candidates). Variable block length of 128, 192, or 256 bits. All nine combinations of key/block length possible. A block is the smallest data size the algorithm will encrypt. Vast speed improvement over DES in both hardware and software implementations.

    AES p.153

  • AES Transformations

    The round transformation of Rijndael does not have a Feistel structure.

    ByteSub is a non-linear byte substitution; the S-box is invertible. You take the multiplicative inverse of the byte in GF(2^8) and then apply an affine transformation in GF(2). ShiftRow is simple. In MixColumn, the columns of the state are considered as polynomials over GF(2^8) and multiplied with {03}x³ + {01}x² + {01}x + {02} modulo x⁴ + 1. The inverse of MixColumn is similar to MixColumn. RoundKey addition is a straightforward bitwise XOR with the key.

    AES p.154

  • Inverting AES

    Encryption, one row per round (I = identity):

        I      I      I       ARK
        BS     SR     MC      ARK
        ...
        BS     SR     MC      ARK
        BS     SR     I       ARK

    Its inverse, with the rounds and the steps within each round reversed:

        I      I      I       ARK^-1
        SR^-1  BS^-1  ARK^-1  MC^-1
        ...
        SR^-1  BS^-1  ARK^-1  MC^-1
        SR^-1  BS^-1  I       ARK^-1

    which, because BS and SR commute, equals

        I      I      I       ARK^-1
        BS^-1  SR^-1  ARK^-1  MC^-1
        ...
        BS^-1  SR^-1  ARK^-1  MC^-1
        BS^-1  SR^-1  I       ARK^-1

    AES p.155

  • Inverting AES. . .

    Each of BS, SR, MC, and ARK is invertible. BS and SR commute. (MC ∘ ARK) =

    [({03}x³ + {01}x² + {01}x + {02}) · (s0i x³ + s1i x² + s2i x + s3i)] ⊕ (k0i x³ + k1i x² + k2i x + k3i)

    If E_{4×4} = M_{4×4} S_{4×4} + K_{4×4}, then to invert E, we have

    M^-1_{4×4} E_{4×4} + M^-1_{4×4} K_{4×4} = S_{4×4}

    which is the same form as M S + K but with M' = M^-1 and K' = M^-1 K.

    AES p.156

  • RSA & Discrete Logs

    Chapters 6, 7 of textbook

    AES p.157

  • RSA

    By definition φ(n) is the number of integers 0 < x < n that are relatively prime to n. Consider

    n = p · q

    where p and q are distinct primes. Then

    φ(n) = (n − 1) − (p − 1) − (q − 1) = (p − 1)(q − 1)

    RSA p.158

  • RSA. . .

    Choose large primes p and q differing by a few digits. Say one of 75 digits, the other of 100 digits. Both (p − 1) and (q − 1) should contain a large prime factor. Compute n = p · q. It's hard to factor n. Choose e to be, say, 65537. Compute d ≡ e^-1 mod φ(n). Public key = (e, n). Private key = (d, n). Infeasible to get d given (e, n). For a given message m, its encryption is c = m^e mod n. And to decrypt a cipher text c, compute m = c^d mod n.

    (m^e)^d = m^(ed) ≡ m^(1 mod φ(n)) ≡ m.

    RSA p.159

  • An example of RSA

    Let p = 57748729314142811323 and q = 5295757044745316310341. Then,

    n = 305823240090462151745038276856407276791143

    φ(n) = 305823240090462151739684771082347817669480.

    Choose e = 65537, then d = e^-1 mod φ(n)

    = 59944845540718629190350345138224820571313

    Encode a message NUS as its binary encoding (for example) to get

    0x4e5553 = 5133651.

    RSA p.160

  • An example of RSA. . .

    To encrypt, find

    5133651^65537 mod 305823240090462151745038276856407276791143
    = 217657393729141588774828799917624500652607

    To decrypt, compute c^d to get the original message.

    217657393729141588774828799917624500652607^59944845540718629190350345138224820571313 mod n

    = run time error in bc
    = 5133651

    RSA p.161

  • Breaking RSA

    Brute force. Try all possible values of d. Given an (m, c) pair, find a d such that c^d = m. From this you might be able to factorize n [TW02, Exponent Factorization, Section 6.4]. Timing attacks. Do we need factorization to solve the RSA problem, which is finding the e-th root modulo n [MvOV96, Section 3.3]?

    RSA p.162

  • Breaking RSA. . .

    Mathematical attacks.

    Factor n. Find φ(n). But knowing φ(n) is equivalent to factoring n. Because n = pq, φ(n) = n − (p + q) + 1 and we have

    p + q = n + 1 − φ(n)
    p − q = √((p + q)² − 4n)

    This gives equations for p + q and p − q.

    ▶ Show [Sta99, Fig. 6.9] on MIPS years needed to factor large n.

    RSA p.163
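An added example (not from the slides) tying the RSA example slides to the equivalence just stated: key generation, encryption and decryption with the p, q and e from "An example of RSA" (Python's pow does the c^d mod n that bc could not), and then the recovery of p and q from n and φ(n) via p + q = n + 1 − φ(n) and p − q = √((p + q)² − 4n). Function names are my own.

```python
# Added example: RSA with the slides' parameters, and factoring n from phi(n).
from math import isqrt

# p, q and e as given on the "An example of RSA" slide
P = 57748729314142811323
Q = 5295757044745316310341
E = 65537


def rsa_keygen(p, q, e):
    """Return ((e, n), (d, n), phi(n)) with d = e^-1 mod phi(n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)                # raises ValueError if gcd(e, phi) != 1
    return (e, n), (d, n), phi


def rsa_encrypt(m, pub):
    e, n = pub
    return pow(m, e, n)                # c = m^e mod n


def rsa_decrypt(c, priv):
    d, n = priv
    return pow(c, d, n)                # m = c^d mod n


def factor_from_phi(n, phi):
    """Recover (p, q) from n and phi(n):
    p + q = n + 1 - phi(n),  p - q = sqrt((p + q)^2 - 4n).
    Returns the pair in ascending order, or None if phi is not phi(n)."""
    s = n + 1 - phi                    # p + q
    disc = s * s - 4 * n               # (p - q)^2
    if disc < 0:
        return None
    r = isqrt(disc)                    # p - q, taken positive
    if r * r != disc or (s + r) % 2:
        return None
    p, q = (s + r) // 2, (s - r) // 2
    return (min(p, q), max(p, q)) if p * q == n else None


if __name__ == "__main__":
    pub, priv, phi = rsa_keygen(P, Q, E)
    m = int.from_bytes(b"NUS", "big")          # 0x4e5553 = 5133651
    c = rsa_encrypt(m, pub)
    print("n =", pub[1])
    print("c =", c)
    print("decrypts correctly:", rsa_decrypt(c, priv) == m)
    print("factors recovered from phi(n):", factor_from_phi(pub[1], phi) == (P, Q))
```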

  • Timing analysis

    To compute a^x, use modular exponentiation: square and multiply (if the corresponding bit in the binary expansion of x is 1). Suppose you have correctly guessed the first (b − 1) least significant bits of the exponent. Now you want to guess the bth bit. Assume that the intermediate values for some a's are such that the multiply at the bth bit takes excessive time! Then

    bth bit = 1 ⇒ correlation between the bth bit multiplication time and remaining time needed.
    bth bit = 0 ⇒ no such correlation.

    RSA p.164

  • Primes and Factoring

    Go to this slide.

    RSA p.165

  • Miller-Rabin Primality Test

    Theorem: If p is an odd prime, then x² ≡ 1 mod p has only two solutions, namely x = 1 and x = −1. Proof: x² ≡ 1 mod p means that p | (x² − 1), or p | (x − 1)(x + 1). Because p is prime, it divides either (x − 1) or (x + 1). It cannot divide both because then it'd divide their difference, which is (x + 1) − (x − 1) = 2. Example: 5² mod 6 = 1 because 5² − 1 = (5 − 1)(5 + 1) is divisible by 2 · 3.

    RSA p.166

  • Miller-Rabin Primality Test. . .

    By Fermat's theorem, x^(p−1) ≡ 1 mod p if p is prime. So to test a number n for primality, try Fermat's for x = 2, 3, 4.

    Now, let n − 1 = 2^e · y. Find x^y. We ultimately want to find x^(y · 2^e). So, repeatedly square x^y but make sure that you never have z² = 1 when z ≠ ±1.

    Examples

    Is 125 prime? Let's try the Miller-Rabin test with base 2. (125 − 1) = 124 = 2² · 31. Now 2^31 = 23, 23² = 29, 29² = 91 (mod 125). So 125 simply fails the Fermat test and is not prime.
    Is 561 prime? Let's try again with base 2. (561 − 1) = 560 = 2⁴ · 35. Now 2^35 = 263, 263² = 166, 166² = 67, but 67² = 1 (mod 561)! So 561 fails the Miller-Rabin primality test because we get 67² ≡ 1 (mod 561) with 67 ≢ ±1, so 561 is not a prime.

    RSA p.167

  • Problems with RSA

    Problems with textbook RSA:

    Existential forgery. Blinding attack. Timing attack.

    Standard signatures use PKCS #1 to avoid these problems.

    Prime Generation for RSA

    Use the Miller-Rabin probabilistic test for primality testing. Choose primes to be strong primes.

    The number of primes ≤ n ≈ n/log n. Thus on the average one needs to test only log n/2 numbers to find a prime near n.

    RSA p.168

  • Discrete Logs

    Let Zp = {0, 1, . . . , p − 1}, p prime, and Z*p = {1, 2, . . . , p − 1}.

    For 0 < g < p let's study the sequence

    g¹, g², g³, . . .

    We know from Fermat's that g^(p−1) ≡ 1 (mod p).
    ▶ Show [Sta99, Table 7.6].

    Discrete Logs p.169

  • Discrete Logs. . .

    The sequence g¹, g², g³, . . . ends in 1. If the sequence ends in 1, it clearly repeats itself after that.
    ▶ If it does not, let g^m = g^x, g ≠ 1, 0 < m < x. Then g^m (g^(x−m) − 1) ≡ 0, which means that either p | (g^(x−m) − 1), or p | g^m. But p ∤ g^m because p ∤ g. So g^(x−m) ≡ 1 mod p, which is a contradiction.

    Z*p is a cyclic group. Not every element of Z*p is a generator. For e.g., the powers of 2 mod 7 = {1, 2, 4}. Logarithms are the inverse of exponentiation.

    Discrete Logs p.170

  • Discrete Logs. . .

    Reals                                 Z*p
    log_x 1 = 0                           log_g 1 (mod p) ≡ 0
    log_x x = 1                           log_g g (mod p) ≡ 1
    log_x(yz) = log_x y + log_x z         log_g(yz) (mod p) ≡ log_g y + log_g z (mod φ(p))
    log_x(y^r) = r log_x y                log_g(y^r) (mod p) ≡ r log_g y (mod φ(p))

    Discrete Logs p.171

  • Discrete Logs. . .

    See the primitive roots table to explain generators. g^x = y mod p ⇔ dlog_g y = x. Discrete logs can be used to implement bit commitment and key exchange.

    Discrete Logs p.172

  • El Gamal public key encryption

    From [TW02, Sec. 7.4]. Given p prime, α a generator of Z*p, a a private key, β = α^a a public key, and k a pseudorandom integer. To encrypt a message 0 < m < p,

    Compute r = α^k (mod p). Encryption of m, c =

    (r, β^k m).

    To decrypt c, compute (β^k m)/r^a. Given α^k, α^a, can you find α^ak without knowledge of a? Because if you can, then you can find r^a = α^ak.

    Discrete Logs p.173
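An added example (not from the slides) of the El Gamal exchange above over Z*_19 with α = 2, which the primitive-roots table earlier shows is a generator mod 19; the private key and nonce values are constructed, the notation (a, β, k, r) follows the slide, and the function names are my own.

```python
# Added example: El Gamal encryption and decryption over Z*_19.
import secrets


def elgamal_keygen(p, alpha, a):
    """Public key beta = alpha^a mod p for the private exponent a."""
    return pow(alpha, a, p)


def elgamal_encrypt(p, alpha, beta, m, k):
    """c = (r, beta^k * m mod p) with r = alpha^k, for 0 < m < p and a fresh k."""
    assert 0 < m < p
    r = pow(alpha, k, p)
    return r, pow(beta, k, p) * m % p


def elgamal_decrypt(p, a, c):
    """m = (beta^k m) / r^a, since r^a = alpha^(ak) = beta^k."""
    r, t = c
    r_a = pow(r, a, p)
    return t * pow(r_a, -1, p) % p


def elgamal_encrypt_random(p, alpha, beta, m):
    """Same as elgamal_encrypt with k drawn fresh from 1 .. p-2 (constructed helper)."""
    k = 1 + secrets.randbelow(p - 2)
    return elgamal_encrypt(p, alpha, beta, m, k)


if __name__ == "__main__":
    p, alpha, a = 19, 2, 5                 # constructed private key a
    beta = elgamal_keygen(p, alpha, a)     # 2^5 mod 19 = 13 (see the table)
    c = elgamal_encrypt(p, alpha, beta, 11, 7)
    print("beta =", beta, "c =", c, "m =", elgamal_decrypt(p, a, c))
```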

  • MACs and Hashes

    Discrete Logs p.174

  • Hash Functions

    A hash function accepts a variable-size message m asinput and produces a fixed-size hash code h(m), calledits message digest. It is a function of all the bits of themessage.

    Instead of signing and MACing messages, one can sign and MAC the hash of messages.

    Much faster for signatures.MACs no slower than hashes.

    Hash Functions p.175

  • Hash Functions. . .

    A hash function should be [Sta99, Sec 8.4]

    Relatively easy to compute. Pre-image resistant. Means a one-way hash, i.e., given y = h(x), can't [computationally] find x. Second pre-image resistant. Useful for virus protection. Given x, h(x), can't find x' such that h(x') = h(x). Collision resistant. Can't find arbitrary x, y such that h(x) = h(y) by just examining h.

    A simple hash function is the XOR of fixed sized message blocks. Useless for data security. Trivial to compute pre-image and second pre-image. By the birthday paradox, if the hash size is 64 bits, then time for collision ≈ 2^32 (small). Typical hash size ≥ 160 bits.

    Hash Functions p.176

  • Hash Functions. . .

    Examples: MD5, SHA-1. Almost all real-life hash functions are iterative: the Merkle-Damgård construction. CV0 is fixed and known for the hash function.

    [Figure: message blocks Y0, Y1, Y2 (b bits each) fed through the compression function; chaining variables CV0 → CV1 → CV2.]

    Hash Functions p.177

  • Generalized Birthday Attack
    Probability P(n, k) that there's a duplicate in k random selections from 1 . . . n [Sta99, Appendix 8A].

    P(n, k) = 1 − Pr[no duplicates in k selections]
            = 1 − n(n−1)···(n−k+1) / n^k
            = 1 − (1 − 1/n)(1 − 2/n)···(1 − (k−1)/n)
            ≈ 1 − e^{−1/n} e^{−2/n} ··· e^{−(k−1)/n}        (using 1 − x ≈ e^{−x})
            = 1 − e^{−k(k−1)/2n}

    For k ≈ sqrt(2 ln 2 · n) ≈ 1.18 sqrt(n), P(n, k) = 0.5. As k increases, the product e^{−1/n} ··· e^{−(k−1)/n} decreases because each factor is < 1, hence P(n, k) = 1 − product increases, which means that the probability of a collision increases.
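    The bound above carried through in code, as an added example that is not part of the original slides: the closed-form and exact P(n, k), the k at which P reaches 1/2, and a brute-force birthday search on a 32-bit truncation of SHA-256 (the slide's "64-bit hash, ~2^32 work" remark scaled down so that it runs in well under a second). The truncated hash and the "msg-i" inputs are constructions for this example.

```python
# Added example (not from the slides): the birthday bound P(n, k) from the
# slide, and a brute-force collision search on a 32-bit truncation of SHA-256
# (the "64-bit hash -> ~2^32 work" remark scaled down to 32 bits -> ~2^16 work).
import hashlib
import math

def p_collision(n, k):
    """Closed-form approximation from the slide: P(n, k) ≈ 1 - e^{-k(k-1)/2n}."""
    return 1.0 - math.exp(-k * (k - 1) / (2.0 * n))

def p_collision_exact(n, k):
    """Exact value 1 - n(n-1)...(n-k+1)/n^k, computed as a running product."""
    no_dup = 1.0
    for i in range(k):
        no_dup *= (n - i) / n
    return 1.0 - no_dup

def birthday_bound(n):
    """Number of samples k at which P(n, k) reaches 1/2: sqrt(2 ln 2 * n)."""
    return math.sqrt(2.0 * math.log(2.0) * n)

def truncated_hash(msg, nbits=32):
    """Model of a short hash: the first nbits of SHA-256, as an int."""
    nbytes = (nbits + 7) // 8
    digest = hashlib.sha256(msg).digest()[:nbytes]
    return int.from_bytes(digest, "big") >> (8 * nbytes - nbits)

def find_collision(nbits=32):
    """Generic birthday search: hash distinct constructed messages msg-0,
    msg-1, ... until two share a truncated digest. Returns (m1, m2, attempts)."""
    seen = {}
    i = 0
    while True:
        m = b"msg-%d" % i
        t = truncated_hash(m, nbits)
        if t in seen:
            return seen[t], m, i + 1
        seen[t] = m
        i += 1

if __name__ == "__main__":
    n = 2 ** 32
    print("k for P=1/2:", round(birthday_bound(n)))
    m1, m2, tries = find_collision(32)
    print("collision after", tries, "hashes:", m1, m2)
```

    The search needs memory for the ~sqrt(n) digests seen so far; real collision searches against wider hashes use cycle-finding (Floyd/van Oorschot-Wiener) to drop the table, but the number of hash evaluations stays at the birthday bound.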

    Hash Functions p.178

  • MACs
    A MAC h_k(m) takes a secret key k and a variable-size message m as input and produces a fixed-size code such that

    an attacker capable of a chosen message attack (obtaining h_k(m_i) for messages m_i of his choice) cannot do existential forgery, i.e., cannot construct a valid h_k(m) for any new m that he has not queried.

    MACs p.179

  • CBC-MAC
    See [Sta99, pg. 252]. The tail is needed to prevent existential forgery. Classic construction used in the banking industry. Its secret key is the pair (k, k').

    [Figure: message blocks M1, M2, ..., Mn; each block is XORed into the previous output and encrypted with E_k (CBC chaining, zero IV). The final CBC output is passed through E_k' (the tail, under the second key k') and then E_k again; the result is the MAC.]

    MACs p.180

  • MACs from CRHFs such as MD5 & SHA

    How about MAC_k(M) = h(k‖M)? Bad idea because of the Merkle-Damgård construction.

    Consider the message m, so that the hashed string is M = k‖m, padded to k‖m‖pad (pad depends only on the length of k‖m). From this, construct the message M' = m‖pad‖m'. This is hashed as k‖m‖pad‖m'‖pad2. Without knowledge of k, one can compute h(k‖M') = f*(h(k‖M), m'‖pad2): the known tag h(k‖M) is exactly the chaining variable after the block ending in pad, so the attacker continues the iteration over m'‖pad2. He only needs the length of k to compute pad. The result is a new message with a valid MAC, i.e., an existential forgery.

    How about MAC_k(M) = h(M‖k)? Bad idea. You can do a birthday attack (offline, no key needed) to get m ≠ m' such that the internal chaining values collide, H_i(m) = H_i(m'). Then h(m‖k) = h(m'‖k) for every k, so one queried tag for m is also valid for m': the collision is independent of k.
    How about MAC_k(M) = h(k‖M‖k)? The envelope method. No serious attacks known, but no analysis either.

    MACs p.181

  • MACs from CRHFs such as MD5 & SHA. . .

    HMAC [Sta99, pg. 294], [BCK96a] and [BCK96b]. Used in SSL, IPSec. The key k is padded with 0 bytes to the full compression function block size of h, usually 512 bits; call the padded key k0.

    HMAC_k(m) = h( (k0 ⊕ opad) ‖ h( (k0 ⊕ ipad) ‖ m ) )

    (k0 ⊕ ipad) and (k0 ⊕ opad) are of compression function block size (512 bits); the inner digest is 128/160 bits. ipad is the byte 0x36 repeated, opad the byte 0x5C repeated. Block size for MD5 = SHA-1 = 512 bits. Chaining variable size for MD5 = 128 bits, for SHA-1 = 160 bits.

    On a 200MHz Pentium, HMAC-MD5 clocked 28.5MB/s whileHMAC-SHA-1 clocked 15.25MB/s. CBC-MAC on the other hand,clocked 4.7MB/s and IDEA-MAC clocked 3MB/s.
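    The two previous slides in code, as an added example (not from the slides, [Sta99] or [BCK96a]): a from-scratch SHA-1 whose chaining value and "bytes already absorbed" can be set, used first to forge h(k‖M) by length extension without knowing k, and then to build HMAC-SHA-1 exactly as the formula above says and check it against Python's hmac module. The key and messages are constructed sample values; the attacker is assumed to know the key length, as the slide's argument requires.

```python
# Added example (not from the slides): a from-scratch SHA-1 with settable
# chaining value, used for (1) length extension against h(k||M) and
# (2) HMAC-SHA-1 per the slide's formula, checked against the hmac module.
import hashlib
import hmac
import struct

IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def sha1_pad(total_len):
    """Merkle-Damgard padding for a message of total_len bytes: 0x80, zeros to
    56 mod 64, then the 64-bit big-endian bit length."""
    return b"\x80" + b"\x00" * ((55 - total_len) % 64) + struct.pack(">Q", 8 * total_len)

def sha1(data, cv=IV, prefix_len=0):
    """SHA-1 of data, starting the iteration at chaining value cv and padding
    as if prefix_len bytes had already been absorbed (prefix_len % 64 == 0)."""
    h = list(cv)
    data = data + sha1_pad(prefix_len + len(data))
    for off in range(0, len(data), 64):
        w = list(struct.unpack(">16I", data[off:off + 64]))
        for i in range(16, 80):
            w.append(_rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
        a, b, c, d, e = h
        for i in range(80):
            if i < 20:
                f, k = (b & c) | (~b & d), 0x5A827999
            elif i < 40:
                f, k = b ^ c ^ d, 0x6ED9EBA1
            elif i < 60:
                f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
            else:
                f, k = b ^ c ^ d, 0xCA62C1D6
            t = (_rotl(a, 5) + f + e + k + w[i]) & 0xFFFFFFFF
            a, b, c, d, e = t, a, _rotl(b, 30), c, d
        h = [(x + y) & 0xFFFFFFFF for x, y in zip(h, (a, b, c, d, e))]
    return struct.pack(">5I", *h)

def mac_prefix(key, msg):
    """The broken construction MAC_k(M) = h(k || M)."""
    return sha1(key + msg)

def extend_prefix_mac(tag, msg, key_len, suffix):
    """Length extension: knowing only tag = h(k||msg) and len(k), produce
    msg' = msg||pad||suffix and a valid tag for it. The old tag is the chaining
    value after the block ending in pad, so the iteration just continues."""
    glue = sha1_pad(key_len + len(msg))
    forged_msg = msg + glue + suffix
    cv = struct.unpack(">5I", tag)
    forged_tag = sha1(suffix, cv=cv, prefix_len=key_len + len(msg) + len(glue))
    return forged_msg, forged_tag

def hmac_sha1(key, msg, block=64):
    """HMAC_k(m) = h((k0 ^ opad) || h((k0 ^ ipad) || m)), k0 = key zero-padded
    to the 64-byte block (a key longer than a block is first hashed)."""
    if len(key) > block:
        key = sha1(key)
    k0 = key.ljust(block, b"\x00")
    ipad = bytes(x ^ 0x36 for x in k0)
    opad = bytes(x ^ 0x5C for x in k0)
    return sha1(opad + sha1(ipad + msg))

if __name__ == "__main__":
    key = b"s3cret-key"                      # attacker knows only its length
    msg = b"amount=100&to=alice"
    fmsg, ftag = extend_prefix_mac(mac_prefix(key, msg), msg, len(key), b"&to=eve")
    print("prefix MAC forged:", mac_prefix(key, fmsg) == ftag)
    print("HMAC matches hmac module:", hmac_sha1(key, msg) == hmac.new(key, msg, "sha1").digest())
```

    The forged message carries the glue padding bytes in the middle; whether a real application accepts that depends on its parser, which is why length extension usually bites formats that tolerate junk (query strings, some binary protocols). HMAC's outer hash means the visible tag is never an internal chaining value, so the extension trick has nothing to continue from.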

    MACs p.182

  • Protocols
    Adapted from [Pfl96, Chapter 4].
    A protocol is an orderly sequence of steps two or more parties take to accomplish some task. A good protocol should be

    Established in advance.
    Mutually subscribed to.
    Unambiguous.
    Complete.

    For example, the "hello" protocol on phone connections.

    We are interested in protocols by which mutually suspicious parties can interact with each other and be convinced of fairness.
    Protocols help verify correctness of a process at a high level (modeling tool).

    Security Protocols p.183

  • Types of Protocols

    Arbitrated: a trusted third party is involved in the interaction. Problems:

    Finding a mutually trustworthy third party?
    Availability of the third party (may become a bottleneck).
    It shares secrets with the involved parties.

    Adjudicated: a disinterested third party can judge fairness after the fact, based on evidence.

    Detects failure only after the fact.
    Self-Enforcing: the protocol itself guarantees fairness. If either party cheats, it becomes evident to the other party.

    Security Protocols p.184

  • Key Exchange Protocols: NS
    Symmetric Key Exchange Using a Trusted Server. Authentication with key exchange as a side-effect.

    Say Pablo wants to communicate with Renee. S is the trusted server [NS78].

    Pablo and Renee each share a key with the server, say K_P and K_R. I_P is a nonce chosen by P.
    1. P → S: (P, R, I_P). P requests credentials to authenticate himself to R.
    2. S → P: E_KP(I_P, R, K_PR, E_KR(K_PR, P)). S returns the session key K_PR encrypted for P, together with a ticket E_KR(K_PR, P) encrypted for R. The nonce I_P ties this reply to P's request.
    3. P → R: E_KR(K_PR, P). P forwards the ticket.
    Security Protocols p.185

  • Key Exchange Protocols. . . NS
    Compromise of an old session key results in spoofing [DS81].
    The protocol fails to provide key freshness from the viewpoint of R [Seb], [Sma03, Section 6.2.3]: nothing in the ticket tells R when it was issued.
    Knowledge of an old K_PR allows message three (the ticket) to be replayed, thus permitting anyone to become P.
    Subject to dictionary attacks if long-term keys such as K_P are derived from weak passwords.

    Security Protocols p.186

  • Key Exchange Protocols. . . Kerberos

    From [Sma03, Section 6.2.5].

    [Figure: Alice, Bob and the TTP. Message 1 goes Alice → TTP, message 2 TTP → Alice, message 3 Alice → Bob, message 4 Bob → Alice.]

    1. A → TTP: A, B. No nonce: everyone is loosely time synchronized.
    2. TTP → A: {TS, L, K_ab, B, {TS, L, K_ab, A}_Kbs}_Kas
    3. A → B: {TS, L, K_ab, A}_Kbs, {A, T_A}_Kab
    4. B → A: {T_A + 1}_Kab
    (TS: timestamp of issue, L: lifetime of the ticket, T_A: Alice's current time.)

    Security Protocols p.187

  • Kerberos V4
    Adapted from [KPS95, Chapter 10] and [Sta99, Chapter 11].

    Based on work by Needham and Schroeder [NS78].
    KDC + library of subroutines used by distributed applications.
    Some modified ("kerberized") applications: telnet, BSD r-tools, NFS.
    The KDC shares a master key with each principal (each user and resource that will be using Kerberos).
    Bob knows that anyone who knows K_AB is acting on Alice's behalf.

    Security Protocols p.188

  • Kerberos V4. . .
    Alice logs in and gets a ticket-granting ticket (TGT) from the AS, to be used with the TGS.

    Alice → WS: password (the workstation transforms the password into a DES key K_A).
    WS → AS: AS_REQ, to get a TGT.
    AS → WS: AS_REP = K_A{S_A, TGT}, where S_A is the session key for talking to the TGS.

    Security Protocols p.189

  • Kerberos V4. . .
    Alice wants to talk to Bob.

    Alice's WS → TGS: TGS_REQ = TGT + Authenticator.
    Authenticator = S_A{TS} (timestamp within 5 minutes of the current time).
    TGT = K_KDC{Alice, S_A}.

    Security Protocols p.190

  • Kerberos V4. . .
    Alice establishes communication with Bob.

    Alice's WS → Bob: AP_REQ = Bob's ticket + Authenticator.
    Authenticator = K_AB{TS}.
    Bob's ticket = K_B{Alice, K_AB}.

    Security Protocols p.191

  • Kerberos Realms
    Hard for everyone to trust a single KDC.
    Divide the network into realms, each with its own KDC database.
    Principal = (NAME, INSTANCE, REALM), for e.g., (fileserv, jailbreak, R1). For humans, INSTANCE could be a role.

    Interrealm Authentication

    The KDC in realm B is registered as a principal in realm A (the two KDCs share a key), so a realm-A user can obtain a ticket for realm B's TGS.

    Security Protocols p.192

  • Key Exchange Protocols

    It's not a good idea to exchange too much information encrypted with a single key.

    Symmetric Key Exchange Without Server: send E_Kold(K_new) to the other party!

    Security Protocols p.193

  • Key Exchange Protocols. . .

    Asymmetric Key Exchange Without Server (P knows R's public key).

    Reduces the need for individual keys.
    Reduces the vulnerability of a central repository.
    P could send E_R(K_PR) directly to R.

    No authentication (anyone can encrypt to R's public key).
    No replay prevention.

    P could send E_R(D_P(K_PR)) to R, i.e., sign with P's private key, then encrypt to R. One message passes an authenticated, confidential key.

    Still no replay prevention. Have P decrypt a nonce (a challenge from R) with K_PR to avoid that.

    Security Protocols p.194

  • Key Exchange Protocols. . .

    Asymmetric Key Exchange With Server (P doesn't know R's public key).

    The server provides public keys for everyone.
    The exchange is as in the previous case.
    How do you ensure that the server has the right public key for everyone?

    In practice, the server issues certificates encoded in DER.
    Show: openssl x509 -inform der -in pub.der -text

    Security Protocols p.195

  • Encrypted Key Exchange [BM92]
    P_A is a randomly generated public key. Even if K_AB (the shared password) is weak, finding K in message two is hard: an offline guess at K_AB yields a candidate P_A, but without the matching private key the guess cannot be checked against message two. Messages 3-5 provide mutual authentication and freshness of this run of the protocol (C_A, C_B are fresh challenges).

    1. A → B: K_AB(P_A)
    2. B → A: K_AB(P_A(K))
    3. A → B: K(C_A)
    4. B → A: K(C_A‖C_B)
    5. A → B: K(C_B)

    Security Protocols p.196

  • Key Exchange in SSL

    C → S: supported cipher suites, 28B randomness r1
    S → C: chosen cipher suite, 28B randomness r2
    S → C: server certificate
    C → S: E_serverPubKey(client-selected 48B pre-master secret PMS)

    Both parties compute MS = h(PMS‖r1‖r2).
    Encryption and MAC keys are derived from MS.

    Does this protocol provide client authentication?
    Also see the SSL protocol.

    Security Protocols p.197

  • DH Key Exchange. . . unauthenticated

    Alice → Bob: g^a
    Bob → Alice: g^b

    Both Alice and Bob compute g^ab.
    g, p are known in advance.
    In practice, do this in a large prime-order subgroup of Z_p^*.
    Subject to a person-in-the-middle attack.

    Diffie-Hellman problem: given g^a, g^b, compute g^ab.
    Certainly no harder than DLog. Does DLog hard ⇒ DH secure? Open problem (strong evidence).

    Security Protocols p.198

  • DH. . . person-in-the-middle

    Alice → Eve: g^a      (intended for Bob, intercepted)
    Eve → Bob: g^p
    Bob → Eve: g^b        (intended for Alice, intercepted)
    Eve → Alice: g^q

    Alice believes she's talking to Bob because the messages make semantic sense. A simple challenge-response protocol from Alice to verify Bob succeeds, since Eve relays it. (The challenge should cover the DH parameters of the connection, i.e., bind the authentication to g^a and g^b.)
    Eve establishes the shared key g^aq with Alice, and g^pb with Bob.
    Eve deciphers (and can modify) every message between Alice and Bob.

    Security Protocols p.199

  • Diffie-Hellman in practice

    p = 1024-bit prime.
    g ∈ Z_p^*, an element of order q.
    q, a prime s.t. q | (p − 1) and q ≈ 2^160 (160 bits).

    Now a ∈ {0, 1, . . . , q − 1} and b ∈ {0, 1, . . . , q − 1}.
    Since q is 160 bits, computing g^a (mod p) by square-and-multiply needs about 160 squarings rather than 1024: roughly a six-fold improvement. A received value y should be checked to lie in the order-q subgroup (y^q ≡ 1 mod p), otherwise a peer can force the shared secret into a small subgroup.
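    The subgroup setup above together with the person-in-the-middle run from the previous slide, as an added example (not from the slides): parameter generation with q | p − 1 and g of order q, exponents below q, the subgroup check on received values, an honest exchange, and Eve's two sessions. Sizes are scaled down (p ≈ 64 bits, q ≈ 32 bits) so generation is instant; they are for illustration only, and the Miller-Rabin test and search loop are this example's own.

```python
# Added example (not from the slides): Diffie-Hellman in a prime-order
# subgroup of Z_p^* as the slide describes (q | p-1, g of order q, exponents
# below q), plus the person-in-the-middle run from the previous slide.
# Sizes are scaled down (p ~ 64 bits, q ~ 32 bits); illustration only.
import secrets

def is_probable_prime(n, rounds=16):
    """Miller-Rabin with random bases."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_params(qbits=32, pbits=64):
    """Return (p, q, g): q prime, p = 2*j*q + 1 prime, g of order q in Z_p^*."""
    while True:
        q = secrets.randbits(qbits) | (1 << (qbits - 1)) | 1
        if not is_probable_prime(q):
            continue
        for _ in range(4096):                          # search cofactors j
            jbits = pbits - qbits - 1
            j = secrets.randbits(jbits) | (1 << (jbits - 1)) | 1
            p = 2 * j * q + 1
            if p.bit_length() == pbits and is_probable_prime(p):
                while True:
                    h = 2 + secrets.randbelow(p - 3)
                    g = pow(h, (p - 1) // q, p)        # project h into the order-q subgroup
                    if g != 1:
                        return p, q, g

def in_subgroup(p, q, y):
    """Check a received public value: 1 < y < p and y^q == 1 (mod p)."""
    return 1 < y < p and pow(y, q, p) == 1

def keypair(p, q, g):
    x = 1 + secrets.randbelow(q - 1)                   # private exponent in [1, q-1]
    return x, pow(g, x, p)

def shared(p, q, their_public, my_private):
    if not in_subgroup(p, q, their_public):
        raise ValueError("public value outside the order-q subgroup")
    return pow(their_public, my_private, p)

def honest_run(p, q, g):
    """Alice -> Bob: g^a, Bob -> Alice: g^b; both compute g^ab."""
    a, A = keypair(p, q, g)
    b, B = keypair(p, q, g)
    return shared(p, q, B, a), shared(p, q, A, b)

def mitm_run(p, q, g):
    """Eve forwards g^pe to Bob instead of g^a and g^qe to Alice instead of
    g^b, ending with one key shared with Alice and another with Bob."""
    a, A = keypair(p, q, g)
    b, B = keypair(p, q, g)
    pe, Pe = keypair(p, q, g)                          # Eve's value toward Bob
    qe, Qe = keypair(p, q, g)                          # Eve's value toward Alice
    k_alice = shared(p, q, Qe, a)                      # Alice computes g^{a qe}
    k_bob = shared(p, q, Pe, b)                        # Bob computes g^{pe b}
    return k_alice, k_bob, shared(p, q, A, qe), shared(p, q, B, pe)
```

    The subgroup check is the part most often skipped in practice: without it, a peer sending an element of small order (p − 1, of order 2, is the simplest) confines the shared secret to a handful of values.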

    Security Protocols p.200

  • Digital Signatures

    Suppose you send e-mail to your bank to transfer $100 toTims account.

    Why should the bank believe the e-mail came fromyou [unaltered]?

    Authentication (which includes integrity).
    If the bank transferred the money, maybe you can disavow the e-mail.

    Non-repudiation.
    In case of dispute, can it be settled by a neutral third party?

    Signatures basically provide the non-repudiation that shared-key systems do not: with a MAC, the bank itself could have produced the tag.

    Security Protocols p.201

  • Digital Signatures with Symmetric Encryption

    With the aid of a trusted third party! A signature is the encryption of the message. E_KS is S's encryption key (shared with A), while E_KR is R's encryption key (shared with A). A is the trusted third party (arbiter).

    S → A: E_KS(M).
    A → R: E_KR(M, S, E_KS(M)).

    A says that S said M.

    Security Protocols p.202

  • Digital Signatures With Public Key Encryption

    S → R: D_S(M). Authentic but not private.
    S → R: E_R(D_S(M)).

    But what if R decrypts the outer layer and re-encrypts the inner message to create a new message E_U(D_S(M))?
    This would make it appear as if S sent a signed message to U! (The fix is to include the intended recipient's identity inside the signed data.)

    Security Protocols p.203

  • Digital Signatures With Public Key Encryption (El Gamal)

    From [TW02, Sec. 8.2].
    Prime p,
    generator α of Z_p^*, i.e., ord(α) = p − 1.
    Private key 1 ≤ a ≤ p − 2,
    public key β = α^a mod p,
    pseudo-random integer k with gcd(k, p − 1) = 1 (so that k^{-1} mod (p − 1) exists), r = α^k mod p.

    Signature on m: s = (m − a r) k^{-1} mod (p − 1).
    Computing s seems to require knowledge of a (private key) and k; recovering either from β or r requires the ability to compute discrete logs. The signature is the pair (r, s). Precomputing (k, r) pairs is possible and signature generation is then cheap! (k must be fresh and secret for every signature: two signatures with the same k, or a leaked k, give away a.)
    Security Protocols p.204

  • Digital Signatures With Public Key Encryption (El Gamal). . .

    Verification: α^m ≡ β^r r^s (mod p).
    Verification only requires (α, β, r, s), all of which are public.
    Verification requires exponentiation! To derive the verification equation from first principles, consider that

    s ≡ (m − a r) k^{-1} (mod p − 1)
    α^s ≡ α^{(m − a r) k^{-1}} (mod p)
    (α^s)^k ≡ (α^{(m − a r) k^{-1}})^k (mod p)
    (α^k)^s ≡ α^{m − a r} (mod p)
    r^s ≡ α^m α^{−a r} ≡ α^m β^{−r} (mod p)
    r^s β^r ≡ α^m (mod p)

    Look at [Sta99, pg. 229] for why we go from the first equality, which is mod (p − 1), to the second, which is mod p. It's because p − 1 = φ(p) = ord(α), so exponents of α may be reduced mod (p − 1).
    Security Protocols p.205

  • Digital Signatures With Public Key Encryption (El Gamal). . .

    For a forgery, Eve needs to compute (r, s) for a message m such that the verification equation

    α^m ≡ β^r r^s (mod p)
    is satisfied. Let's say she randomly chooses r = α^k. Then she needs

    s = log_r (α^m β^{−r})

    So, she must be able to compute discrete logs to the base r. If she chooses an r = α^k of small order (k not coprime to p − 1), then it's unclear whether a discrete log of α^m β^{−r} to the base r even exists, since r generates only a small subgroup.
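    The three El Gamal signature slides in code, as an added example (not from the slides or [TW02]): signing and verifying in the slide's symbols, the value a forger would have to take a discrete log of once r is fixed, and the k-reuse failure mentioned above, recovered by solving the two linear congruences mod p − 1 (the congruence solver is this example's own). p = 467, α = 2 are small illustrative parameters chosen for the example; real keys use a p of at least 2048 bits.

```python
# Added example (not from the slides): El Gamal signing and verification with
# the slide's symbols (p, alpha, a, beta, k, r, s), the forger's view, and
# key recovery from a reused k. p = 467, alpha = 2 are illustrative only.
import secrets
from math import gcd

def keygen(p, alpha):
    a = 1 + secrets.randbelow(p - 2)                 # 1 <= a <= p-2
    return a, pow(alpha, a, p)

def sign(p, alpha, a, m, k=None):
    """(r, s) with r = alpha^k, s = (m - a r) k^{-1} mod (p-1); k fresh and
    coprime to p-1 so that k^{-1} exists. k is a parameter only for the
    reuse demonstration; normally it is drawn here."""
    if k is None:
        while True:
            k = 1 + secrets.randbelow(p - 2)
            if gcd(k, p - 1) == 1:
                break
    r = pow(alpha, k, p)
    s = ((m - a * r) * pow(k, -1, p - 1)) % (p - 1)
    return r, s

def verify(p, alpha, beta, m, sig):
    """alpha^m == beta^r * r^s (mod p), plus the range check 0 < r < p."""
    r, s = sig
    if not 0 < r < p:
        return False
    return pow(alpha, m, p) == (pow(beta, r, p) * pow(r, s, p)) % p

def forger_target(p, alpha, beta, m, r):
    """With r fixed, Eve needs s with r^s == alpha^m * beta^{-r} (mod p):
    a discrete log of this value to the base r."""
    return (pow(alpha, m, p) * pow(pow(beta, r, p), -1, p)) % p

def _solve_linear(c, b, n):
    """All x in Z_n with c*x == b (mod n)."""
    d = gcd(c, n)
    if b % d:
        return []
    n2 = n // d
    x0 = (b // d) * pow(c // d, -1, n2) % n2
    return [x0 + i * n2 for i in range(d)]

def recover_key_from_k_reuse(p, alpha, beta, m1, sig1, m2, sig2):
    """Two signatures with the same k share r. From
    s1 - s2 == (m1 - m2) k^{-1} (mod p-1) solve for k (check alpha^k == r),
    then from s1 == (m1 - a r) k^{-1} solve for a (check alpha^a == beta)."""
    (r, s1), (r2, s2) = sig1, sig2
    assert r == r2, "same k implies same r"
    n = p - 1
    for k in _solve_linear((s1 - s2) % n, (m1 - m2) % n, n):
        if pow(alpha, k, p) != r:
            continue
        for a in _solve_linear(r % n, (m1 - s1 * k) % n, n):
            if pow(alpha, a, p) == beta:
                return a
    return None

if __name__ == "__main__":
    p, alpha = 467, 2
    a, beta = keygen(p, alpha)
    sig = sign(p, alpha, a, 100)
    print("verify:", verify(p, alpha, beta, 100, sig),
          "tampered:", verify(p, alpha, beta, 101, sig))
```

    The range check on r is not decoration: without it a verifier accepts r' = r + p·t, which changes β^r but not r mod p, a classic source of signature malleability in El Gamal-style schemes.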

    Security Protocols p.206

  • Digital Sig without Encryption
    Use a strong keyed hash function and a trusted third party. S uses a hash function f_s (only S and A know it) and R uses f_r (only R and A know it). Both share these functions with the arbiter A.

    S → A: (M, f_s(M))                          "S said M"
    A → R: (M, S, f_s(M), f_r(M, S))            "A says that S said M"

    e: M, S and f_s(M) are retained by R as evidence in case of a future dispute (A can recompute f_s(M) and confirm S's authorship).

    Security Protocols p.207

  • Key Escrow

    Provide strong security for communications while simul-taneously allowing authorized government access to par-ticular communications for law enforcement and nationalsecurity purposes [DS94].

    The EES uses SKIPJACK (64-bit block, 80-bit key)and a Law Enforcement Access Field (128-bitLEAF) transmitted with every message.Each Clipper chip has an 80-bit Device Unique key(KU ) and an 80-bit common Family Key (KF ).Key Exchange method unspecified. A session keyKS is somehow generated.

    Security Protocols p.208

  • Key Escrow. . .

    Encryption could be used to conceal criminal and terrorist activities.
    By rendering communications immune from lawful interception, encryption threatens law enforcement and public safety (the stated rationale).
    Components: a special tamper-resistant hardware encryption device (Clipper) and a Key Escrow System (KES).

    Security Protocols p.209

  • Key Escrow. . .

    The LEAF and IV are transmitted for synchronization and LEAF validation.
    Infeasible to deploy the system without transmitting a LEAF that passes validation [Bla94]; [Bla94] also shows that the 16-bit checksum lets a sender search for a bogus LEAF that passes the check in about 2^16 tries.
    The session key K_S is encrypted with the device-unique key K_U.
    The unit id identifies K_U (and hence which escrowed key components to request).
    The whole LEAF is encrypted under the family key K_F.
    The receiving chip is unable to extract K_S from the LEAF; it only validates it.

    LEAF = E_KF( E_KU(K_S) (80 bits) ‖ unit id (32 bits) ‖ checksum (16 bits) )
    Security Protocols p.210

  • Mental Poker
    A → B: E_KA(C1), . . . , E_KA(C52), the deck encrypted under A's key (e.g., C1 = Jack of Spades).
    B chooses five and sends them to A, re-encrypted under his own key: E_KB(E_KA(C_i)), . . . , E_KB(E_KA(C_m)).
    A unlocks the five that B has chosen,

    [D_KA(E_KB(E_KA(C_i))), . . . , D_KA(E_KB(E_KA(C_m)))]

    to yield
    [E_KB(C_i), . . . , E_KB(C_m)]

    and sends them back to B. B can now get C_i . . . C_m. This needs a commutative cipher: D_KA must strip A's layer from under B's.

    Security Protocols p.211

  • Mental Poker. . .
    To realize this scheme, one can use exponentiation modulo a prime p (keys α, β coprime to p − 1), which commutes:

    ((C_i^α)^β)^{α^{-1}} = C_i^β (mod p)

    Michael Goodrich has a written description of mental poker.
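    The deal from the previous slide driven by the commutative exponentiation cipher named here, as an added example (not from the slides): E_K(C) = C^K mod p with gcd(K, p − 1) = 1, A's layer removed from under B's, and B reading his cards. The deck is encoded as the integers 2..53 and p is a small illustrative prime; both are this example's choices.

```python
# Added example (not from the slides): the commutative exponentiation cipher
# E_K(C) = C^K mod p with gcd(K, p-1) = 1, driving the three-message deal of
# the previous slide. Deck = integers 2..53; p is a small illustrative prime.
import secrets
from math import gcd

def keygen(p):
    """Exponent key K coprime to p-1, paired with its inverse exponent."""
    while True:
        k = 2 + secrets.randbelow(p - 3)
        if gcd(k, p - 1) == 1:
            return k, pow(k, -1, p - 1)

def E(p, key, c):
    return pow(c, key[0], p)

def D(p, key, c):
    return pow(c, key[1], p)

def deal(p, deck, n_cards=5):
    """A encrypts and shuffles the deck, B picks n_cards and re-encrypts them,
    A strips her layer, B strips his. Returns (B's cards, what A handed back)."""
    ka, kb = keygen(p), keygen(p)
    # 1. A -> B: E_KA(C_1..C_52), shuffled so B cannot tell which is which
    a_layer = [E(p, ka, c) for c in deck]
    a_layer = sorted(a_layer, key=lambda _: secrets.randbits(32))
    # 2. B -> A: the chosen ones, each wrapped under B's key as well
    picked = a_layer[:n_cards]
    both = [E(p, kb, x) for x in picked]
    # 3. A -> B: A removes her layer (possible because E commutes)
    b_only = [D(p, ka, x) for x in both]
    # B removes his own layer and reads the cards
    cards = [D(p, kb, x) for x in b_only]
    return cards, b_only

def commutes(p, c):
    """((c^alpha)^beta)^(alpha^-1) == c^beta for random alpha, beta."""
    ka, kb = keygen(p), keygen(p)
    return D(p, ka, E(p, kb, E(p, ka, c))) == E(p, kb, c)
```

    Exponentiation leaks one thing the slide does not mention: whether a card is a quadratic residue mod p is preserved by raising to an odd power, so a cheater can partition the shuffled deck into two classes. A deployable version fixes that by encoding cards as residues only or by using a different commutative scheme.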

    Security Protocols p.212

  • Who will pay for dinner? Flipping a Coin.

    If it's heads, Pete will pay, if it's tails, Nancy pays. So Pete flips a coin in his office and tells Nancy the result over the phone! (Why should Nancy believe him?)

    Pete offers Nancy a choice of two.
    Nancy picks one but blinds it. She is committed to her choice when she sends her selection to Pete.
    Pete selects one of the above two blinded choices. Pete is committed to his choice when he sends his selection to Nancy.
    The toss outcome depends on whether both made the same or different selections.

    Security Protocols p.213

  • Who will pay for dinner?. . .

    Pete selects two public key pairs: (E_i, D_i), (E_j, D_j).
    Nancy chooses a key K_N for a symmetric algorithm S known to both.
    P → N: (E_i, E_j).
    N → P: E_h(K_N), with h picked at random from {i, j}.
    P guesses h and retrieves K_P = D_h(E_h(K_N)); K_P = K_N only if the guess was right.
    P → N: M = E_{K_P}("Pete will pay").
    If Nancy can read D_{K_N}(M), Pete pays, otherwise Nancy pays.

    Security Protocols p.214

  • Coin Flipping using Quadratic Residues

    From [Sch97, Section 19.3].
    A selects two large primes p, q and computes n = p · q.
    A sends n to B. [For p, q ≡ 3 (mod 4) there's a deterministic method to find square roots: z^{(p+1)/4} mod p is a square root of z mod p.]

    B picks a random x < n and computes z = x^2 mod n. B sends z to A.
    A computes the four square roots of z: ±x and ±y.
    Consider the pair (a, b), a = x mod p, b = x mod q. By the CRT, (a, b), (−a, b), (a, −b), (−a, −b) are the four square roots of z.

    A sends one of these four values, say w, to B. (A does not know which root is B's x.)
    B verifies that w^2 ≡ x^2 (mod n). If w ≡ ±x (mod n), A wins, otherwise B wins.

    Security Protocols p.215

  • Coin Flipping using Quadratic Residues. . .

    If B says he's won, why should A believe him? Because B can now factor n with knowledge of w and x, and can show A the factors:

    gcd(w + x, n) ∈ {p, q}

    If w^2 ≡ x^2 (mod n), then n | (w^2 − x^2) = (w − x)(w + x). For w ≢ ±x, n divides neither factor, so p divides one of (w − x), (w + x) and q divides the other.
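    The protocol of the last two slides as an added example (not from the slides or [Sch97]): root extraction for p, q ≡ 3 (mod 4), the four CRT-combined roots, and B factoring n whenever A's root is not ±x. The primes 1019 and 1031 and B's x are small constructed values chosen for the example, not secure sizes.

```python
# Added example (not from the slides): the quadratic-residue coin flip as the
# slides describe it, with the (p+1)/4 root extraction for p, q = 3 (mod 4),
# the four CRT-combined roots, and B's factoring of n when A's root is not
# +-x. The primes are small illustrative values, not secure sizes.
import secrets
from math import gcd

def sqrt_mod_prime_3mod4(z, p):
    """For p = 3 (mod 4) and z a quadratic residue, z^((p+1)/4) is a root."""
    assert p % 4 == 3
    r = pow(z, (p + 1) // 4, p)
    assert r * r % p == z % p, "z is not a quadratic residue mod p"
    return r

def crt(a, p, b, q):
    """x mod pq with x == a (mod p), x == b (mod q)."""
    return (a * q * pow(q, -1, p) + b * p * pow(p, -1, q)) % (p * q)

def four_roots(z, p, q):
    """The four square roots of z mod n = pq: CRT of (+-a, +-b)."""
    a, b = sqrt_mod_prime_3mod4(z, p), sqrt_mod_prime_3mod4(z, q)
    return sorted({crt(sa, p, sb, q) for sa in (a, p - a) for sb in (b, q - b)})

def factor_from_roots(w, x, n):
    """gcd(w + x, n) is a nontrivial factor whenever w != +-x but w^2 == x^2."""
    return gcd(w + x, n)

def coin_flip(p, q, x=None, choose=None):
    """One run: B picks x and sends z = x^2; A, who cannot tell which root is
    x, returns a root w. Returns (winner, w, factor_found_by_B). x and choose
    can be fixed to make a run reproducible."""
    n = p * q
    x = x if x is not None else 2 + secrets.randbelow(n - 3)     # B's secret
    z = x * x % n
    roots = four_roots(z, p, q)                                   # A's side
    w = roots[choose] if choose is not None else secrets.choice(roots)
    assert w * w % n == z                                         # B's check
    if w in (x, n - x):
        return "A", w, None
    f = factor_from_roots(w, x, n)
    assert 1 < f < n and n % f == 0
    return "B", w, f
```

    Two of the four roots let B factor and two do not, which is what makes the toss fair: A cannot bias it without knowing x, and B cannot claim a win without producing a factor.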

    Security Protocols p.216

  • Chaums Blind Signature

    Security Protocols p.217

  • Dining CryptographersA Flavor

    Security Protocols p.218

  • Zero KnowledgeA Flavor

    Use Nasir's slides (nasir-zk.ppt). [KPS02, Section 6.8] also has a treatment of ZK.

    Security Protocols p.219

  • Bit Commitment
    Adapted from [TW02, Section 7.3].

    Alice wants to make a private statement that, once made, cannot be changed.
    If computing discrete logs is hard, then Alice can commit to a message m by making public c = α^m mod p, where α is a generator of Z_p^*.
    The commitment c can later be opened and verified (Alice reveals m and anyone recomputes α^m); it is binding because m ↦ α^m is a 1:1 onto map on exponents mod (p − 1). It is hiding only for m drawn from a large set: a low-entropy m can be found by trying candidates.

    Security Protocols p.220

  • Winnowing & Chaffing

    Security Protocols p.221

  • How to leak a secret?

    Security Protocols p.222

  • Operating System Security

    Security Protocols p.223

  • Protection in General Purpose OSAdapted from [Pfl96, Chapter 6].

    Why protect the OS?Operating Systems support multiprogramming sotheyve developed ways to protect the computationof one user from inadvertent or maliciousinterference from another.

    OS Security p.224

  • Protection in General Purpose OS. . .
    Executives.

    Provided linkers and loaders for relocation.
    Provided easy access to compilers, assemblers.
    Provided automatic loading of subprograms from libraries.

    Monitors.
    Provide scheduling, sharing, and parallel use of resources: memory, I/O devices, sharable programs and data.
    Oversee all computing.

    OS Security p.225

  • Security Methods of OSesThe basis of protection is separation.

    Physical Separation. Poor resource utilization.Temporal Separation. Poor resource utilization.Logical Separation.Cryptographic Separation.

    OS Security p.226

  • Security Methods of OSes. . .Separation is only half the answer. The other half iscontrolled sharing.

    All or Nothing.Access control on objects.Capabilities.Partial use of objects.

    E.g., the ability to read but not print, as in Adobe Reader.
    Collect statistics from a database but not the actual records.

    What is the granularity of sharing?OS Security p.227

  • Protecting Memory

    Using a fixed fence with non-relocatable programs that know the fence value at compile time.

    Protection in only one direction: the OS below the fence is protected from the user, but users above it are not protected from each other. You can shoot yourself in the foot.
    Cannot sub-partition programs into a finer granularity of protection.

    OS Security p.228

  • Protecting Memory. . .

    Using variable sized fences with programscompiled starting at address 0.

    Programs not relocated, rather indirection usedwith the fence value stored in a register.Provides relocation and protection at the sametime.

    OS Security p.229

  • Protecting Memory. . .

    Base bounds registers.Provide both lower and upper bounds.Change it for every program at context switch.Use additional base bounds registers for finergranularity partitionsay code and data.

    OS Security p.230

  • Protecting MemorySegmentation

    Addresses are of the form seg #, offset.Segments can be separately relocated and protected.Each process would normally have its own segmenttable for address translation.Processes that want to share segments map them tothe same segment numbers in their segment table.

    OS Security p.231

  • Protecting MemorySegmentation. . .

    Pros and Cons:Fine granularity of protection, on a per-segmentbasis.Can lead to fragmentation of main memory.Requires compaction.Sharing requires same segment numbers in allsharing processes because of inter segmentreferences.

    OS Security p.232

  • Paging

    Addresses are of the form page #, offset.All pages are of the same size.

    OS Security p.233

  • Segmentation+PagingBreak a segment into pages.

    OS Security p.234

  • User AuthenticationThe process whereby a system is assured of the identityof the user involved in a protocol and that the user hasactually participated.

    Message authentication itself provides no timelinessguarantees w.r.t. when the message was created.User authentication is a real-time process.

    Adapted from [Den04, Week 4].

    OS Security p.235

  • Bases of User AuthenticationSomething the user knows, e.g., passwords, PINs.Something the user possesses, e.g., smart card,tokens.Something the user is (or how he behaves), knownas biometrics, or the measurement of somebiological property of the user, e.g., fingerprints.We are only concerned with password based userauthentication here.

    OS Security p.236

  • User Authentication. . .Alice Bob.

    Concerns: Eavesdropping, Exposing secrets onserver.Goal: No secrets on the server + foil eavesdropping.Methods: Passwords, One-Time Passwords,Challenge-Response protocols, Zero-Knowledgeauthentication.

    In typical environments, authentication has to becombined with session key exchange protocol (forencryption/authentication) to foil session hijacking.

    OS Security p.237

  • Passwords
    Used to authenticate people.
    Have low entropy (≈ 25 bits): 2^25 = 33554432, versus 255^8 = 17878103347812890625 possible 8-byte strings.

    Susceptible to eavesdropping, then replay to the server.
    A → B: pwd1, pwd2, . . . , pwdn (each password sent in the clear can be captured and replayed)

    OS Security p.238

  • Passwords. . .
    Never store passwords on the server.
    Store the password hash instead. The server doesn't need the ability to invert it. If this file is exposed, an adversary can mount a dictionary attack:

    for (every word w in dictionary) {
        compute h(w)
        look up h(w) in the stolen file
    }

    OS Security p.239

  • Passwords. . .

    Unix uses a modified DES algorithm with 12 bits of salt, a two-char string from the set [a-zA-Z0-9./]. It is used to perturb the algorithm in one of 4096 different ways. It encrypts the all-zero block 25 times with the password as key. The value stored in the password file is a series of 13 printable ASCII characters (the first two characters are the 12-bit salt itself and the remaining 11 characters encode the 64-bit encryption of 0). See crypt(3).

    Suppose 10M words in the dictionary and a 12-bit salt: then we have 10M × 4K = 40G encrypted passwords to precompute. Assuming an average length of 8 bytes gives 320GB.

    If one encryption is done in one µs, the whole salted dictionary can be encrypted in 40 × 10^9 × 10^{-6} = 4 × 10^4 s ≈ 11 hours, and only once; afterwards every stolen file is checked by lookup.

    OS Security p.240

  • Passwords: Salting
    Salt makes a precomputed dictionary attack harder. An attacker must hash every word in the dictionary 2^12 times, once per salt value; equivalently, a stolen file must be attacked once per user rather than once for all users. Logically, it looks like

    Alice   salt_a   h(P_a‖salt_a)
    Bob     salt_b   h(P_b‖salt_b)

    Secret salt. Store Alice | salt_a | h(P_a‖salt_a‖s_a), where s_a is a 4-bit secret salt that is not stored. To verify a user's password, the system tries all 2^4 values of s_a. The attacker's work goes up by 16 (and so does the legitimate verifier's, by at most 16, which is why it is kept small).
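    The cost arithmetic of the previous slide and the salting of this one, as an added example (not from the slides): a per-user-salted store attacked with a word list, the unsalted store for comparison (one shared table), and the secret-salt verification loop. SHA-256 stands in for crypt(3)'s DES-based hash; the word list, users and passwords are constructed sample data, and the 16-bit public salt is this example's choice (crypt(3) uses 12 bits).

```python
# Added example (not from the slides): per-user salt versus no salt against a
# dictionary attack, and the "secret salt" verification loop. SHA-256 stands
# in for crypt(3)'s DES-based hash; users and word list are sample data.
import hashlib
import secrets

WORDLIST = [b"password", b"letmein", b"hunter2", b"qwerty", b"dragon", b"s3cret"]

def h(*parts):
    return hashlib.sha256(b"".join(parts)).digest()

def unsalted_record(username, password):
    """Stored record without salt: (user, b"", h(password))."""
    return username, b"", h(password)

def make_record(username, password, secret_salt_bits=0):
    """Stored record: (user, public salt, hash). With secret_salt_bits > 0 a
    secret salt is mixed in but NOT stored; the verifier brute-forces it."""
    salt = secrets.token_bytes(2)                       # 16-bit public salt
    s = secrets.randbits(secret_salt_bits).to_bytes(1, "big") if secret_salt_bits else b""
    return username, salt, h(password, salt, s)

def verify(record, password, secret_salt_bits=0):
    """Try every value of the secret salt: 2^bits hashes for a legitimate login."""
    _, salt, digest = record
    for s in range(1 << secret_salt_bits):
        sb = s.to_bytes(1, "big") if secret_salt_bits else b""
        if h(password, salt, sb) == digest:
            return True
    return False

def attack_unsalted(records, wordlist):
    """No salt: hash each word once, look every user up in the one table.
    Returns (cracked users, number of hashes computed)."""
    table = {h(w): w for w in wordlist}
    return {u: table[d] for u, _, d in records if d in table}, len(wordlist)

def attack_salted(records, wordlist, secret_salt_bits=0):
    """Salt: no table can be shared; every (user, word, secret salt) costs a hash."""
    cracked, work = {}, 0
    for u, salt, d in records:
        for w in wordlist:
            for s in range(1 << secret_salt_bits):
                sb = s.to_bytes(1, "big") if secret_salt_bits else b""
                work += 1
                if h(w, salt, sb) == d:
                    cracked[u] = w
                    break
            if u in cracked:
                break
    return cracked, work
```

    The salt does not stop an attacker from trying a weak password against one user; it stops the 320GB table from paying off across every stolen file. Slowing the hash itself (crypt's 25 DES iterations then, bcrypt/scrypt/Argon2 now) is the complementary measure.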

    OS Security p.241

  • Biometrics

    OS Security p.242

  • One-Time PasswordsLamport hash (S/Key)