prev

next

of 58

View

22Download

4

Embed Size (px)

DESCRIPTION

Computer Security Cryptography –an introduction. Encryption. key K E key K D - PowerPoint PPT Presentation

Computer SecurityCryptography an introduction

Encryption

key KE key KD x plaintext y ciphertext original plaintext x . encryption decryption

Eavesdropper

EncryptionA cryptosystem involves an encryption algorithm E, and a a decryption algorithm DBoth algorithms make use of a key.Let KE be the encryption key and KD the decryption key. For symmetric cryptosystems the same key is used both encryption and decryption: KE = KD.

EncryptionIf P is the plaintext message, C the ciphertext, then for symmetric cryptosystems:

C = E (K,P) and P = D (K,E (K,P)) = D (K,C)

For an asymmetric cryptosystem

C = E (KE,P) and P = D (KD,E (KE,P)) = D (KD,C)

Kerchoffs assumptionThe adversary knows all details of the encrypting function except the secret key

Symmetric key encryptionThere are two types of cipher systems:Stream ciphers, Block ciphers.

Stream ciphers Encryption x = ISSOPMI y = wdhuvad

Key KE

Block ciphers Encryptionx = XNE OIG TPH YRK

y = . Key KE wdm . hut vap dgd

Block ciphersAn overview of the DES AlgorithmDES is an iterated block cipher with 16 rounds, block length 64 bits and key length 56 bits

Iterating Block ciphers1. Iterated block cipher Random (binary) key K round keys: K1,..., KNr, 2. Round function g w r = g(w r-1, K r), where w r-1 is the previous state

Iterated cipher Encryption operation:

w0 x (x = plaintext)

w1 = g(w0, K1),w2 = g(w1, K2),

wNr = g(wNr-1, KNr),

y wNr (y = ciphertext)

Iterated cipher For decryption we must have: g(.,K) must be invertible for all K

Then decryption is the reverse of encryption (bottom-up)

Data Encryption StandardDES is a special type of iterated cipher called a Feistel cipher.Block length 64 bitsKey length 56 bitsCiphertext length 64 bits

DES

The round function is:

g([Li-1,Ri-1 ]),Ki ) = (Li ,Ri),

where

Li = Ri-1 and Ri = Li-1 XOR f (Ri-1, Ki).

DES round encryption

DES inner function

DES computation path

A Round of DES32 bit Rn+164 bit output32 bit Ln+164 bit input32 bit Ln32 bit RnKn

Inner function fCombine 32 bit input and 48 bit key into 32 bit outputExpand 32 bit input to 48 bits XOR the 48 bit key with the expanded 48 bit inputApply the S-boxes to the 48 bit input to produce 32 bit outputPermute the resulting 32 bits

S BoxesThere are 8 different S-Boxes,1 for each chunkS-box process maps 6 bit input to 4 bit outputS box performs substitution on 4 bitsThere are 8 possible substitutions in each S boxInner 4 bits are fed into an S boxOuter 2 bits determine which substitution is used

DES: Initial and Final PermutationsThere is also an initial and a final permutation: the final permutation is the inverse of the initial permutation

Decrypting DESDES (and all Feistel structures) is reversible through a reverse encryption because:No input data is mangled and passed to the outputThe properties of XORS-boxes are not reversible (and don't need to be)Everything needed (except the key) to produce the input to the n-1th step is available from the output of the nthstep.4. The input to the nth step is the output of the n-1th step.5. Work backwards to step 1.

Encrypt round n Decrypt round n+132 bit Rn+164 bit input32 bit Ln+164 bit output32 bit Ln32 bit Rn Inner Function+Kn32 bit Rn+164 bit output32 bit Ln+164 bit input32 bit Ln32 bit RnInner Function+Kn

Attacks on DESBrute forceLinear Cryptanalysis -- Known plaintext attackDifferential cryptanalysisChosen plaintext attackModify plaintext bits, observe change in ciphertext

No dramatic improvement on brute force

Countering AttacksLarge keyspace combats brute force attackTriple DES (say EDE mode, with usually 2 keys)Use AES

Modes of operationFour basic modes of operation are available for block ciphers:Electronic codebook mode: ECBCipher block chaining mode: CBCCipher feedback mode: CFBOutput feedback mode: OFB

Electronic Codebook mode, ECBEach plaintext xi is encrypted with the same key K:

yi = eK(xi).

So, the nave use of a block cipher.

ECBx1x2x3x4y4y3y2y1DESDESDESDES

Cipher Block Chaining mode, CBCEach cipher block yi-1 is xor-ed with the next plaintext xi :

yi = eK(yi-1 XOR xi)before being encrypted to get the next plaintext yi.The chain is initialized with an initialization vector: y0 = IVwith length, the block size.

CBCx1++++IVx2x3x4y4y3y2y1DESDESDESDES

Cipher and Output feedback modes (CFB & OFB)CFBz0 = IV and recursively: zi = eK(yi-1) and yi = xi XOR zi

OFBz0 = IV and recursively: zi = eK(zi-1) and yi = xi XOR zi

CFB mode

IVeK

eK

y1 +x1eKx2y2 +

OFB mode

IVeK

eK

y1 +x1x2y2 +

Double & Triple DES Double: C = E(k2,E(k1,m) Triple: C = E(k1,D(k2,E(k1,m)

AESBlock length 128 bits.Key lengths 128 (or 192 or 256).The AES is an iterated cipher with Nr=10 (or 12 or 14)In each round we have: Subkey mixing: State Roundkey XOR StateA substitution: SubBytes(State)A permutation: ShiftRows(State) & MixColumns(State)

Asymmetric key encryptionPublic Key Cryptography

Public Key CryptographyAlice BobAlice and Bob want to exchange a private key in public.

Public Key CryptographyThe Diffie-Hellman protocolAlice ga mod p Bob gb mod p

The private key is: gab mod p where p is a prime and g is a generator of Zp

Finite FieldsTheoremIf p is a prime then Zp is a cyclic group.

The generator of Zp is called a primitive element modulo p

Public Key CryptographyEncryption schemesLet P be the set of all plaintext messages C be the set of ciphertextsK be the set of all keys

The RSA cryptosystemLet n = pq, where p and q are primes.Let P = C = Zn, and define K = {(n,p,q,e,d) : ed = 1 mod f(n) }.

For each key K = (n,p,q,e,d), define

c = eK(m) = me mod nand dK(c) = cd mod n,

where (m,c) e Zn.

Public key = (n,e), Private key (n,d).

CheckWe have: ed = 1 mod f(n), so ed = 1 + tf(n).Therefore, dK(eK(m)) = (me)d = med = m tf(n)+1 = (mf(n)) t m = 1.m = m mod n

Examplep = 101, q = 113, n = 11413.f (n) = 100x112 = 11200 = 26527For encryption use e = 3533.Then d = e-1 mod11200 = 6597.Bob publishes: n = 11413, e = 3533.Suppose Alice wants to encrypt: 9726.She computes 97263533 mod 11413 = 5761To decrypt it Bob computes: 57616597 mod 11413 = 9726

- ImplementationGenerate two large primes: p,qn pq and f (n)= (p-1)(q-1)Choose random e: with 1
Security of RSARelation to factoring. Recovering the plaintext m from an RSA ciphertext c iseasy if factoring is possible.

The RSA problem Given (n,e) and c, compute: m such that me = c mod n

The ElGamal encryption schemeLet p be a prime and g e Zp a primitive element.Let P = Zp-1, C = Zp-1 x Zp-1 and K = {(p,g,x,y): y = gx modp }.The values p,g,y are the public key.x is the private key.

The ElGamal encryption schemeEncryption Let m e Zp-1 be a message. For K = {(p,g,x,y): y = gx mod p }, and secret random number k e Zp-1, define: eK(m,k) = (s,t), where s = gk mod p t = m yk mod pDecryption For s,t e Zp-1, define: dK(s,t) = t (sx)-1mod p

The security of ElGamalThe Diffie-Hellman problem. Given a prime p,g e Zp-1, and x,y e Zp-1, find xlog gy mod p.

The security of the ElGamal encryption is reduced to the difficulty of breaking the Diffie-Hellman problem.

Digital Signatures

Public Key CryptographySignature schemesLet P be the set of all messages A be the set of signaturesK be the set of all ke