Embed Size (px)
Citation preview
Introduction to Computer SecurityFoundations of Cryptography
Pavel LaskovWilhelm Schickard Institute for Computer Science
Secret communication
Encryption
Alice Bob
Decryption
key
unitue
plaintext
I love you
plaintext
I love you
ciphertext
C ywoy cih
key
unitue
Cryptography and security objectives
Which security objectives are addressed by cryptography?
Confidentialitysymmetric cryptographyasymmetric cryptography
Integrityhashing
Authentication and non-repudiationdigital signatures
Cryptography and security objectives
Which security objectives are addressed by cryptography?
Confidentialitysymmetric cryptographyasymmetric cryptography
Integrityhashing
Authentication and non-repudiationdigital signatures
Symmetric cryptography
Encryption
Alice Bob
Decryption
shared key
unitue
plaintext
I love you
plaintext
I love you
ciphertext
C ywoy cih
shared key
unitue
any valid key
Early permutation cipher: scytale
Encryption:Wrap a parchment strip over a woodenrod of a fixed diameter and write lettersalong the rod.
Decryption:Wrap a received strip over a wooden rodof the same diameter and read off thetext.
Example:troopsheadingnorthsendmorefood
−→ thgsr renee oaonf odrdo pitmo snhod
Monoalphabetic substitution cipher: Caesar
EncryptionReplace each letter with the one threepositions to the right in the alphabet.
DecryptionReplace each letter with the one threepositions to the left in the alphabet.
Example:
HABES OPINIONIS MEAE TESTIMONIUM
MDEHV RSNQNRQNV PHDH XHVXNPRQNZP
Polyalphabetic substitution cipher: Vigenere
EncryptionWrite the key over a message,repeating as necessary.Substitute each letter with the onefrom an appropriate column in theVigenere tableau.
DecryptionSame as encryption, use a rowinstead of a column.
Example:unitueuniloveyou
−→ cywoycih
Polyalphabetic substitution: Enigma
Operating principle: electromechanicalvarying map substitutionMain components:
3–5 rotors with pre-defined connectivityinter-rotor rings: mapping between letters andconnectionsletter swap by jumper cables
Key definition: rotor types, ring positions,jumper settingsTag UKW Walzenlage Ringstellung ---- Steckerverbindungen ----
31 B I IV III 16 26 08 AD CN ET FL GI JV KZ PU QY WX
30 B II V I 18 24 11 BN DZ EP FX GT HW IY OU QV RS
29 B III I IV 01 17 22 AH BL CX DI ER FK GU NP OQ TY
One-time pad ciphers
Encryption:Generate a random key sequence.Add a key to a message usingmodular arithmetic.
Decryption:Subtract a key from a message usingmodular arithmetic.
Example:7 (H) 4 (E) 11 (L) 11 (L) 14 (O) message
+ 23 (X) 12 (M) 2 (C) 10 (K) 11 (L) key
= 30 16 13 21 25 message + key
= 4 (E) 16 (Q) 13 (N) 21 (V) 25 (Z) mod 26
Feistel cipher: S and P boxes
S-boxComplex substitution controlled by a keySecure if enough internal statesUnrealizable for a large number of states
P-box
Block-wise permutation of digitsSimple transformation with maximalentropyInsecure against a “tickling attack”
Feistel network
Revival of the idea of a product cipherStrong polyalphabetic substitution via multiple roundsFollows theoretical principles of Shannon
A practical Feistel cipher
A multiple-round scheme withseparate keysEncryption:
Li+1 = Ri Ri+1 = Li ⊕ f (Ki, Ri)
Decryption: reverse the key order
Li+1 = Ri Ri+1 = Li⊕ f (Kn−i, Ri)
3 rounds suffice to achieve apseudorandom permutation
DES: Digital Encryption Standard
Adopted in 1977 after two rounds of proposalsWon by IBM’s Lucifer cipher based on Feistel’s designKey length reduced by NIST from 128 bits to 56 bitsSubject to extensive cryptanalysis research in 1990s’Broken by specialized hardware crackers in 1997–1999(fastest result: 22 hours 15 minutes by Deep Crack)Still widely used in practice (as 3DES)Replaced by Advanced Encryption Standard (AES) in 2000
DES overview
PermutedChoice 1
64 bit plaintext 56 bit key
InitialPermutation
Iteration 1PermutedChoice 2
Left CircularShift / 2
K1
Iteration 2PermutedChoice 2
Left CircularShift / 2
K2
Iteration 16PermutedChoice 2
Left CircularShift / 2
K16
32 bit Swap
Inverse InitialPermutation
64 bit ciphertext
...
DES round structure
Li-1 Ri-1
ExpansionPermutation
Ci-1 Di-1
Left Shift Left Shift
Permutation Contraction(Perm. Choice 2)+
4848 Ki
S-Box: Choice Substitution
Permutation
+
Li Ri Ci Di
48
32
32 bit 32 bit 28 bit 28 bit
32
Data to be encrypted Key used for encryption
Other symmetric ciphers
Block ciphersAlgorithm Key size Block size Rounds Applications3DES 112/168 64 48 Finance, PGP, S/MIMEAES 128/192/256 128 10/12/14 Repl. for DES/3DESIDEA 128 64 8 PGPBlowfish up to 448 64 16 Various softwareRC5 up to 2048 64 up to 255 Various software
Stream ciphersAlgorithm Key size IV State ApplicationsA5/2 54 114 64 GSMRC4 40-256 8 2064 WEP, WPA, SSL, SSH, Kerberos, etc.
Resume of symmetric cryptography
Provides (with some exceptions) a reliable means forenforcing confidentialityHighly efficientKey distribution is a major problem!
Asymmetric cryptography
Encryption
Alice Bob
Decryption
Bob’s public key
unitue
plaintext
I love you
plaintext
I love you
ciphertext
C ywoy cih
Bob’s private key
zxtr9y
specially generatedkeypair
Prime numbers
An integer p is a prime number if its only divisors are ±1 and±p.A positive integer c is said to be the greatest common divisorof a and b if
c is a divisor of a and of b;any divisor of a and of b is a divisor of c.
Integers a and b are said to be relatively prime if
gcd(a, b) = 1.
Euler’s totient function
A totient φ(n) of an integer n is the number of integers lessthan n that are relatively prime to n.Example:
φ(9) = 6 : {1, 2, 4, 5, 7, 8}
Two integers a and b are congruent modulo n, written asa ≡ b mod n, if
(a mod n) = (b mod n)
Euler’s Theorem: If a and n are relatively prime, then
aφ(n) ≡ 1 mod n.
RSA overview
Alice sends her love message to Bob via RSA:
Alice BobGenerate a keypair Ku / Kr
Send Ku to AliceEncrypt plaintext M with Ku
Send ciphertext C to BobDecrypt C with Kr
RSA key generation
Step ConditionSelect p, q p, q prime, p 6= qCompute n = p× qCompute φ(n) = (p− 1)(q− 1)Select 1 < e < φ(n) gcd(φ(n), e) = 1Compute d (de) mod φ(n) = 1 (∗)Public key Ku = {e, n}Private key Kr = {d, n}
RSA encryption and decryption
Encryption:
Plaintext: M < nCiphertext: C = Me mod n
Decryption:
Ciphertext: CPlaintext: M = Cd mod n
Correctness of RSA encryption
By the property (∗),
(de) mod φ(n) = 1 ⇒ ∃k : (de) = 1 + kφ(n).
Then,
M?≡ Cd mod n
≡ (Me)d mod n
≡ M(ed) mod n
≡ M1+kφ(n) mod n?≡ M mod n
Correctness of RSA encryption (ctd.)
For prime numbers p,
φ(p) = (p− 1).
By the key generation algorithm and the multiplicative property ofthe totient function,
φ(n) = φ(p) · φ(q) = (p− 1) · (q− 1).
By Euler’s Theorem, if p does not divide M,
M(p−1) = 1 mod p
and since (p− 1) divides φ(n)
M1+kφ(n) ≡ M mod p.
Similar argument holds for q and hence for n = pq.
What’s secret in RSA?
An attacker needs to know d to decrypt C.To find d, an attacker needs to solve (∗):
(de) mod φ(n) = 1.
For this, he needs to know φ(n).If p and q are known, then finding φ(n) is trivial:
φ(n) = (p− 1) · (q− 1)
However p and q are discarded during key generation.Factoring n into a product of two prime numbers is anintractable problem!Finding φ(n) directly is likewise intractable.
Other asymmetric ciphers
Algorithm E/D D.S. KEX HardnessRSA Yes Yes Yes FactorizationElGamal Yes No No DLPDSS No Yes No DLPDiffie-Hellmann No No Yes DLPElliptic curve Yes Yes Yes EC DLP
Summary
Cryptographic methods provide solutions for variousconfidentiality, integrity and authentication tasks.Symmetric cryptography is based on a single key that mustbe shared between the communication parties and keptsecret.Asymmetric cryptography is based two related keys; onlyone of them (private key) must be kept secret, the other one(public key) can be distributed over insecure media.
Next lecture
Cryptographic hash functionsDigital signatures
