Course Info
• Instructor: Dr. Deng Pan
• Email: [email protected]
• Office hours:
  – Tuesday and Thursday, 10am-12PM, ECS-389
  – Or by appointment

Chapter 1 Introduction

Internet protocol stack
• application
  – supporting network applications
• transport
  – process-process data transfer
• network
  – routing of datagrams from source to destination
• link
  – data transfer between neighboring network elements
• physical
  – bits “on the wire”

Security related terminology
• Risk
• Threats
• Vulnerabilities
• Adversary
• Attacks
• Participants
• Trust
• Security Model

Chapter 3 Secret Key Cryptography

Secret Key Encryption
• or conventional / private-key / single-key
• sender and recipient share a common key
• all classical encryption algorithms are secret key based
• was only type prior to invention of public-key in 1970’s
Some Basic Terminology
• plaintext/cleartext - original message
• ciphertext - coded message
• cipher - algorithm for transforming plaintext to ciphertext
• key - info used in cipher known only to sender/receiver
• encipher (encrypt) - converting plaintext to ciphertext
• decipher (decrypt) - recovering plaintext from ciphertext
• cryptography - study of encryption principles/methods
• cryptanalysis (codebreaking) - study of principles/methods of deciphering ciphertext without knowing key

Symmetric Cipher Model

Requirements
• two requirements for secure use of symmetric encryption:
  – a strong encryption algorithm
  – a secret key known only to sender / receiver
• mathematically have:
  Y = E_K(X)
  X = D_K(Y)
• assume encryption algorithm is known

Cryptanalysis
• objective to recover key not just message
• general approaches:
  – cryptanalytic attack
  – brute-force attack

Brute Force Search
• always possible to simply try every key
• most basic attack, proportional to key size
• assume either know / recognise plaintext

Key Size (bits) | Number of Alternative Keys | Time required at 1 decryption/µs | Time required at 10^6 decryptions/µs
32 | 2^32 = 4.3 × 10^9 | 2^31 µs = 35.8 minutes | 2.15 milliseconds
56 | 2^56 = 7.2 × 10^16 | 2^55 µs = 1142 years | 10.01 hours
128 | 2^128 = 3.4 × 10^38 | 2^127 µs = 5.4 × 10^24 years | 5.4 × 10^18 years
168 | 2^168 = 3.7 × 10^50 | 2^167 µs = 5.9 × 10^36 years | 5.9 × 10^30 years
26 characters (permutation) | 26! = 4 × 10^26 | 2 × 10^26 µs = 6.4 × 10^12 years | 6.4 × 10^6 years
Classical Substitution Ciphers
• where letters of plaintext are replaced by other letters or by numbers or symbols
• or if plaintext is viewed as a sequence of bits, then substitution involves replacing plaintext bit patterns with ciphertext bit patterns

Caesar Cipher
• earliest known substitution cipher
• by Julius Caesar
• first attested use in military affairs
• replaces each letter by 3rd letter on
• example:
  PHHW PH DIWHU WKH WRJD SDUWB

Caesar Cipher
• can define transformation as:
  A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
  D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
• mathematically give each letter a number
  A  B  C  D  E  F  G  H  I  J  K  L  M  N  O  P  Q  R  S  T  U  V  W  X  Y  Z
  0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
• then have Caesar cipher as:
  c = E(p) = (p + k) mod (26)
  p = D(c) = (c - k) mod (26)

Cryptanalysis of Caesar Cipher
• only have 26 possible ciphers
  – A maps to A, B, .. Z
• could simply try each in turn
• a brute force search
• given ciphertext, just try all shifts of letters
• do need to recognize when have plaintext
• eg. break ciphertext "GCUAVQDTGCM"
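
The brute-force search described above, written out as an added example (not part of the original slides). The "recognize when have plaintext" step is automated here by scoring each candidate against approximate English letter frequencies; the frequency values and function names are assumptions of this sketch.

```python
import string

# Approximate English letter frequencies in percent, A..Z (assumed values).
FREQ = dict(zip(string.ascii_uppercase, [
    8.2, 1.5, 2.8, 4.3, 12.7, 2.2, 2.0, 6.1, 7.0, 0.15, 0.77, 4.0, 2.4,
    6.7, 7.5, 1.9, 0.095, 6.0, 6.3, 9.1, 2.8, 0.98, 2.4, 0.15, 2.0, 0.074]))

def shift(text, k):
    """Apply c = (p + k) mod 26 to an upper-case A-Z string (k may be negative)."""
    return "".join(chr((ord(ch) - 65 + k) % 26 + 65) for ch in text)

def score(text):
    """Sum of letter frequencies: higher means the text looks more like English."""
    return sum(FREQ[ch] for ch in text)

def break_caesar(ciphertext):
    """Try all 26 keys; return (score, key, plaintext) tuples, best guess first."""
    text = "".join(ch for ch in ciphertext.upper() if ch.isalpha())
    candidates = []
    for k in range(26):
        plain = shift(text, -k)          # p = (c - k) mod 26
        candidates.append((score(plain), k, plain))
    return sorted(candidates, reverse=True)

if __name__ == "__main__":
    # Both ciphertexts are the ones quoted on the slides.
    for ct in ("GCUAVQDTGCM", "PHHW PH DIWHU WKH WRJD SDUWB"):
        _, key, plain = break_caesar(ct)[0]
        print(ct, "-> key", key, "->", plain)
```

Very short ciphertexts can rank a wrong shift first, so the full sorted list is returned rather than only the top candidate.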
Monoalphabetic Cipher
• rather than just shifting the alphabet
• could shuffle (jumble) the letters arbitrarily
• each plaintext letter maps to a different random ciphertext letter
• hence key is 26 letters long
  Plain:  abcdefghijklmnopqrstuvwxyz
  Cipher: dkvqfibjwpescxhtmyauolrgzn

  Plaintext:  ifwewishtoreplaceletters
  Ciphertext: wirfrwajuhyftsdvfsfuufya

Monoalphabetic Cipher Security
• now have a total of
  – 26! = 4 x 10^26 keys
• with so many keys, might think is secure
• but would be wrong
• problem is language characteristics

Language Redundancy and Cryptanalysis
• human languages are redundant
• eg "th lrd s m shphrd shll nt wnt"
• letters are not equally commonly used
• in English E is by far the most common letter
  – followed by T, R, N, I, O, A, S
• other letters like Z, J, K, Q, X are fairly rare
• have tables of single, double & triple letter frequencies for various languages

English Letter Frequencies

Use in Cryptanalysis
• key concept - monoalphabetic substitution ciphers do not change relative letter frequencies
• calculate letter frequencies for ciphertext
• compare counts/plots against known values
• if caesar cipher look for common peaks/troughs
  – peaks at: A-E-I triple, NO pair, RST triple
  – troughs at: JK, X-Z
• for monoalphabetic must identify each letter
  – tables of common double/triple letters help

Example Cryptanalysis
• given ciphertext:
  UZQSOVUOHXMOPVGPOZPEVSGZWSZOPFPESXUDBMETSXAIZVUEPHZHMDZSHZOWSFPAPPDTSVPQUZWYMXUZUHSXEPYEPOPDZSZUFPOMBZWPFUPZHMDJUDTMOHMQ
• count relative letter frequencies (see text)
• guess P & Z are e & t
• guess ZW is th and hence ZWP is the
• proceeding with trial and error finally get:
  it was disclosed yesterday that several informal but direct contacts have been made with political representatives of the viet cong in moscow

Example
• A generalization of the Caesar cipher, known as the affine cipher, is as follows:
  C = E([a, b], p) = (ap + b) mod 26
• A ciphertext has been generated with an affine cipher. The most frequent letter of the ciphertext is ‘B’, and the second most frequent is ‘U’. Break the code.
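
One way to work the affine exercise above, as an added example that is not part of the original slides. It assumes the two most frequent ciphertext letters stand for E and T, the two most common English letters per the frequency slide, and solves the resulting pair of congruences for [a, b]; the function names are hypothetical.

```python
def modinv(a, m=26):
    """Multiplicative inverse of a modulo m, or None when gcd(a, m) != 1."""
    for x in range(1, m):
        if (a * x) % m == 1:
            return x
    return None

def recover_affine_key(p1, c1, p2, c2):
    """Solve a*p1 + b = c1 and a*p2 + b = c2 (mod 26) for the key [a, b]."""
    P1, C1, P2, C2 = (ord(ch) - 65 for ch in (p1, c1, p2, c2))
    inv = modinv((P1 - P2) % 26)
    if inv is None:
        raise ValueError("difference of the guessed plaintext letters is not invertible")
    a = ((C1 - C2) * inv) % 26          # subtracting the congruences removes b
    if modinv(a) is None:
        raise ValueError("a shares a factor with 26: the guess cannot be right")
    b = (C1 - a * P1) % 26
    return a, b

def affine_encrypt(plaintext, a, b):
    return "".join(chr((a * (ord(ch) - 65) + b) % 26 + 65) for ch in plaintext)

def affine_decrypt(ciphertext, a, b):
    inv = modinv(a)                      # p = a^-1 * (c - b) mod 26
    return "".join(chr(inv * (ord(ch) - 65 - b) % 26 + 65) for ch in ciphertext)

if __name__ == "__main__":
    # Guess from the exercise: E -> B and T -> U.
    a, b = recover_affine_key("E", "B", "T", "U")
    print("key [a, b] =", [a, b])        # 4a + b = 1 and 19a + b = 20 (mod 26)
    sample = affine_encrypt("THEMEETINGISATTEN", a, b)   # constructed sample text
    print(sample, "->", affine_decrypt(sample, a, b))
```

If the recovered key produces gibberish, the frequency guess was wrong and the next most likely letter pair is tried.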
Playfair Cipher
• not even the large number of keys in a monoalphabetic cipher provides security
• one approach to improving security was to encrypt multiple letters
• the Playfair Cipher is an example
• invented by Charles Wheatstone in 1854, but named after his friend Baron Playfair

Playfair Key Matrix
• a 5X5 matrix of letters based on a keyword
• fill in letters of keyword (sans duplicates)
• fill rest of matrix with other letters
• eg. using the keyword MONARCHY
  M  O  N  A   R
  C  H  Y  B   D
  E  F  G  I/J K
  L  P  Q  S   T
  U  V  W  X   Z

Encrypting and Decrypting
• plaintext is encrypted two letters at a time
  1. if a pair is a repeated letter, insert filler like 'X'
  2. if both letters fall in the same row, replace each with letter to right (wrapping back to start from end)
  3. if both letters fall in the same column, replace each with the letter below it (again wrapping to top from bottom)
  4. otherwise each letter is replaced by the letter in the same row and in the column of the other letter of the pair
Security of Playfair Cipher
• security much improved over monoalphabetic
• since have 26 x 26 = 676 digrams
• would need a 676 entry frequency table to analyse (versus 26 for a monoalphabetic)
• and correspondingly more ciphertext
• was widely used for many years
  – eg. by US & British military in WW1
• it can be broken, given a few hundred letters
• since still has much of plaintext structure

Polyalphabetic Ciphers
• polyalphabetic substitution ciphers
• improve security using multiple cipher alphabets
• make cryptanalysis harder with more alphabets to guess and flatter frequency distribution
• use a key to select which alphabet is used for each letter of the message
• use each alphabet in turn
• repeat from start after end of key is reached

Vigenère Cipher
• simplest polyalphabetic substitution cipher
• effectively multiple caesar ciphers
• key is multiple letters long K = k_1 k_2 ... k_d
• i-th letter specifies i-th alphabet to use
• use each alphabet in turn
• repeat from start after d letters in message
• decryption simply works in reverse

Example of Vigenère Cipher
• write the plaintext out
• write the keyword repeated above it
• use each key letter as a caesar cipher key
• encrypt the corresponding plaintext letter
• eg using keyword deceptive
  key:        deceptivedeceptivedeceptive
  plaintext:  wearediscoveredsaveyourself
  ciphertext: zicvtwqngrzgvtwavzhcqyglmgj

Security of Vigenère Ciphers
• have multiple ciphertext letters for each plaintext letter
• hence letter frequencies are obscured
• but not totally lost
• start with letter frequencies
  – see if look monoalphabetic or not
• if not, then need to determine number of alphabets, since then can attack each

Autokey Cipher
• ideally want a key as long as the message
• Vigenère proposed the autokey cipher
• with keyword is prefixed to message as key
• knowing keyword can recover the first few letters
• use these in turn on the rest of the message
• eg. given key deceptive
  key:        deceptivewearediscoveredsav
  plaintext:  wearediscoveredsaveyourself
  ciphertext: zicvtwqngkzeiigasxstslvvwla
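
The Vigenère and autokey examples above, reproduced in code as an added example that is not part of the original slides. It shows the one real difference between the two: autokey decryption has to feed each recovered plaintext letter back into the key stream. Function names are hypothetical; input is assumed to be lower-case a-z.

```python
A = ord("a")

def vigenere(text, keyword, decrypt=False):
    """Each key letter is a Caesar shift; the keyword repeats every len(keyword) letters."""
    sign = -1 if decrypt else 1
    return "".join(
        chr((ord(ch) - A + sign * (ord(keyword[i % len(keyword)]) - A)) % 26 + A)
        for i, ch in enumerate(text))

def autokey_stream(plaintext, keyword):
    """Key stream for autokey: the keyword followed by the plaintext itself."""
    return (keyword + plaintext)[:len(plaintext)]

def autokey_encrypt(plaintext, keyword):
    stream = autokey_stream(plaintext, keyword)
    return "".join(chr((ord(p) + ord(k) - 2 * A) % 26 + A)
                   for p, k in zip(plaintext, stream))

def autokey_decrypt(ciphertext, keyword):
    """The keyword recovers the first letters; those letters then extend the key."""
    stream, plain = list(keyword), []
    for i, c in enumerate(ciphertext):
        p = chr((ord(c) - ord(stream[i])) % 26 + A)
        plain.append(p)
        stream.append(p)        # recovered plaintext becomes later key material
    return "".join(plain)

if __name__ == "__main__":
    pt, kw = "wearediscoveredsaveyourself", "deceptive"   # values from the slides
    print(vigenere(pt, kw))
    print(autokey_stream(pt, kw))
    print(autokey_encrypt(pt, kw))
    print(autokey_decrypt(autokey_encrypt(pt, kw), kw))
```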
Transposition Ciphers
• now consider classical transposition or permutation ciphers
• these hide the message by rearranging the letter order
• without altering the actual letters used
• can recognise these since have the same frequency distribution as the original text

Rail Fence cipher
• write message letters out diagonally over a number of rows
• then read off cipher row by row
• eg. write message out as:
  m e m a t r h t g p r y
   e t e f e t e o a a t
• giving ciphertext
  MEMATRHTGPRYETEFETEOAAT

Row Transposition Ciphers
• a more complex transposition
• write letters of message out in rows over a specified number of columns
• then reorder the columns according to some key before reading off the rows
  Key:        3 4 2 1 5 6 7
  Plaintext:  a t t a c k p
              o s t p o n e
              d u n t i l t
              w o a m x y z
  Ciphertext: TTNAAPTMTSUOAODWCOIXKNLYPETZ

Product Ciphers
• ciphers using substitutions or transpositions are not secure because of language characteristics
• hence consider using several ciphers in succession to make harder, but:
  – two substitutions make a more complex substitution
  – two transpositions make more complex transposition
  – but a substitution followed by a transposition makes a new much harder cipher
• this is bridge from classical to modern ciphers

Example
Consider two Caesar ciphers:
  E(p) = (p + 3) mod (26)
  E’(p) = (p + 7) mod (26)
What is the composition of the two ciphers, i.e. E’(E(p))?
Modern Block Ciphers
• now look at modern block ciphers
• one of the most widely used types of cryptographic algorithms
• provide secrecy / authentication services
• focus on DES (Data Encryption Standard)
• to illustrate block cipher design principles

Block vs Stream Ciphers
• block ciphers process messages in blocks, each of which is then en/decrypted
• like a substitution on very big characters
  – 64-bits or more
• stream ciphers process messages a bit or byte at a time when en/decrypting
• many current ciphers are block ciphers

Data Encryption Standard (DES)
• most widely used block cipher in world
• encrypts 64-bit data using 56-bit key
• has widespread use
• has been considerable controversy over its security

DES Design Controversy
• although DES standard is public
• was considerable controversy over design
  – in choice of 56-bit key
  – and because design criteria were classified
• subsequent events and public analysis show in fact design was appropriate
• use of DES has flourished
  – especially in financial applications
  – still standardised for legacy application use

DES Overview

DES Overview
• Initial permutation
• 16 rounds
• 64-bit input
  – Each round produces a 64-bit output
• 56-bit initial key
  – generates sixteen 48-bit per-round keys
• Swap two halves after 16th round
• Final permutation

DES Overview
• Decryption works by essentially running DES backwards.
• Same operation, keys in opposite order
  – first use K16, the key you generated last

The Permutations of the Data
• Initial permutation (IP)
  – first step of the data computation
  – IP reorders the input data bits
  – quite regular in structure (easy in h/w)
• Final permutation (IP^-1)
  – Last step
  – Inverse of IP
Initial permutation (IP)
  58 50 42 34 26 18 10  2
  60 52 44 36 28 20 12  4
  62 54 46 38 30 22 14  6
  64 56 48 40 32 24 16  8
  57 49 41 33 25 17  9  1
  59 51 43 35 27 19 11  3
  61 53 45 37 29 21 13  5
  63 55 47 39 31 23 15  7
• Numbers in table specify bit numbers of input. Order of numbers in tables corresponds to output bit position.
• E.g.:
  – input bit 58 to output bit 1
  – input bit 50 to output bit 2

Final Permutation (IP^-1)
• Inverse of IP
  – IP^-1(IP(M)) = M
  40  8 48 16 56 24 64 32
  39  7 47 15 55 23 63 31
  38  6 46 14 54 22 62 30
  37  5 45 13 53 21 61 29
  36  4 44 12 52 20 60 28
  35  3 43 11 51 19 59 27
  34  2 42 10 50 18 58 26
  33  1 41  9 49 17 57 25

The Permutations of the Data
• Permutation not random
• Patterns of IP and IP^-1 (reversing the arrows)
  – bits of i-th octet get spread into (9-i)th bits of all octets
Generating the Per-Round Keys
• DES key looks like 64 bits long, but 8 bits are parity.
  – Number the bits from left to right as 1, 2, ... 64. Bits 8, 16, ... 64 are the parity bits.
• DES generates from the 64 bits initial key sixteen 48-bit keys, which are K1, K2, ... K16.

Initial Key Permutation
• Initial permutation on 56 useful bits of key, output divided into two 28-bit values: C0 and D0
• Notice that none of the parity bits (8, 16, ... 64) is used in C0 or D0.
  C0:
  57 49 41 33 25 17  9
   1 58 50 42 34 26 18
  10  2 59 51 43 35 27
  19 11  3 60 52 44 36
  D0:
  63 55 47 39 31 23 15
   7 62 54 46 38 30 22
  14  6 61 53 45 37 29
  21 13  5 28 20 12  4

Initial Key Permutation
• Permutation not random

Generating the Per-Round Keys
• 16 rounds: rotation followed by permutation
• Number of bits shifted
  – Single-bit rotate left in rounds 1, 2, 9, and 16
  – Two-bit rotate left in the other rounds

Left half of Ki
• Permutation of Ci produces left half of Ki
• Bits 9, 18, 22, and 25 discarded: 24 bits left
permutation to obtain the left half of Ki:
  14 17 11 24  1  5
   3 28 15  6 21 10
  23 19 12  4 26  8
  16  7 27 20 13  2

Right half of Ki
• Permutation of Di produces right half of Ki
• Bits 35, 38, 43, and 54 discarded
• Ki 48 bits long
permutation to obtain the right half of Ki:
  41 52 31 37 47 55
  30 40 51 45 33 48
  44 49 39 56 34 53
  46 42 50 36 29 32

Example
• What will be the round keys if the initial key is 00…00?
DES Round
• Each of the 16 rounds

DES Round
• 64-bit input divided into two 32-bit halves L_n and R_n.
• The round generates as output 32-bit quantities L_{n+1} and R_{n+1}.
  – L_{n+1} = R_n
  – R_{n+1} = L_n ⊕ mangler(R_n, K_n)
• The concatenation of L_{n+1} and R_{n+1} is the 64-bit output of the round.

DES Round
• For decryption, how to get L_n and R_n from L_{n+1} and R_{n+1}?
  – R_n = L_{n+1}
  – L_n = R_{n+1} ⊕ mangler(R_n, K_n)
• DES is reversible without constraining mangler function to be reversible, due to Feistel.
  – Decryption identical to encryption with 32-bit halves swapped. In other words, feeding R_{n+1}|L_{n+1} into round n produces R_n|L_n as output.
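
The round equations above in code, as an added example that is not part of the original slides. The mangler here is a stand-in (truncated SHA-256), deliberately not invertible and not the DES mangler; it is used only to show that decryption still works with the same round run under reversed keys. The round-key values are constructed for the demonstration.

```python
import hashlib

MASK32 = 0xFFFFFFFF

def mangler(r, k):
    """Stand-in round function: 32-bit R and 48-bit K in, 32 bits out, not invertible."""
    digest = hashlib.sha256(r.to_bytes(4, "big") + k.to_bytes(6, "big")).digest()
    return int.from_bytes(digest[:4], "big")

def feistel_round(l, r, k):
    """L_{n+1} = R_n and R_{n+1} = L_n xor mangler(R_n, K_n)."""
    return r, l ^ mangler(r, k)

def run_rounds(block, keys):
    """Apply one round per key, then swap the two halves after the last round."""
    l, r = block >> 32, block & MASK32
    for k in keys:
        l, r = feistel_round(l, r, k)
    return (r << 32) | l

def encrypt(block, keys):
    return run_rounds(block, keys)

def decrypt(block, keys):
    """Same operation, keys in opposite order."""
    return run_rounds(block, list(reversed(keys)))

if __name__ == "__main__":
    keys = [0x0F1571C947D9 + i for i in range(16)]   # constructed 48-bit round keys
    block = 0x02468ACEECA86420                        # plaintext from the DES Example slide
    ct = encrypt(block, keys)
    print(f"ciphertext {ct:016x}  decrypted {decrypt(ct, keys):016x}")
    # Single-round check: feeding R_{n+1}|L_{n+1} into round n gives R_n|L_n.
    l0, r0 = 0x01234567, 0x89ABCDEF
    l1, r1 = feistel_round(l0, r0, keys[0])
    print(feistel_round(r1, l1, keys[0]) == (r0, l0))
```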
Mangler Function
• Input: 32-bit R and 48-bit K
• First step: expand R to 48 bits
  – break R into eight 4-bit chunks
  – expand each chunk to 6 bits by taking adjacent bits and concatenating them to chunk

Mangler Function
• 48-bit K broken into eight 6-bit chunks.
• Chunk i of the expanded R is ⊕'d with chunk i of K to yield a 6-bit output.
• 6-bit output is fed into an S-box, a substitution which produces a 4-bit output.
  – inner 4 bits: row #
  – outer 2 bits: column #

S-box
• 8 S-boxes
  – The 4-bit output of each of the eight S-boxes is combined into 32 bits.
• Example: S-box 1

Example
• Find below the S-box S8 of DES. Supposing the input to S8 is 19, calculate the output.

Permutation of S-box Results
• 32-bit S-box results are then permuted.
• Interpretation of table
  – 1st bit of output of the permutation is the 16th input bit, the 2nd output bit is the 7th input bit, ... the 32nd output bit is the 25th input bit.

Strength of DES – Key Size
• 56-bit keys have 2^56 = 7.2 x 10^16 values
• brute force search looks hard
• recent advances have shown is possible
• must now consider alternatives to DES

DES Example
• Plaintext: 02468aceeca86420
• Key: 0f1571c947d9e859
• Ciphertext: da02ce3a89ecac3b

DES Example

Avalanche Effect in DES: Change in Plaintext

Avalanche Effect in DES: Change in Key (1f1571c947d9e859)

Example
• Assume that 0xFFFFFFFFFFFFFFFF is the initial DES key. Suppose that we know E_{0xFFFFFFFFFFFFFFFF}(0x0102030405060708) = 0x0101010101010101. Calculate E_{0xFFFFFFFFFFFFFFFF}(0x0101010101010101).
International Data Encryption Algorithm (IDEA)
• Developed by ETH Zurich
• Efficient in software
• Input: 64-bit plaintext, 128-bit key
• Similar to DES, IDEA has encryption and decryption identical except for key expansion.

Primitive Operations
• Each primitive operation in IDEA maps two 16-bit quantities into a 16-bit quantity.
• Three operations, all reversible
  – bitwise exclusive or ⊕
  – modified add +: throwing away carries, or addition mod 2^16
  – modified multiply: first calculating the 32-bit result, and then taking remainder divided by 2^16 + 1

Key Expansion
• 128-bit key to 52 16-bit keys, K1, K2, ... K52
• First 8 keys: starting from the left, chopping off 16 bits at a time

Key Expansion
• Next 8 keys: starting at bit 25, and wrapping around to the beginning when the end is reached

Key Expansion
• Next 8 keys are generated by offsetting 25 more bits, and so forth.
• Last offset starts at bit 23, and only 4 keys
  – 25*6 mod 128 = 22
• K50 and K51 are swapped

IDEA Round
• 17 rounds, odd and even rounds different

IDEA Round
• 64-bit data input: treated as four 16-bit quantities, Xa, Xb, Xc, and Xd, to yield new versions.
• Keys:
  – Odd rounds use 4 keys: Ka, Kb, Kc, and Kd
  – Even rounds use 2 keys: Ke and Kf

Odd Round
• Easily reversible in decryption
  – Same operation with multiplicative/additive inverses of keys

Even Round
• Even round is its own inverse, same keys for decryption

Inverse Keys for Decryption
• Same code can perform either encryption or decryption given different expanded keys
• In odd rounds, take inverses of encryption keys and use them in opposite order
  – E.g. encryption keys K49, K50, K51, and K52 corresponding to decryption keys K1, K2, K3, and K4
• In even rounds, same keys for encryption as decryption