Cryptography I David Basin Institut f ur Informatik - - PowerPoint PPT Presentation

cryptography i
SMART_READER_LITE
LIVE PREVIEW

Cryptography I David Basin Institut f ur Informatik - - PowerPoint PPT Presentation

Apr 25, 2023 135 likes •566 views

Cryptography I David Basin Institut f ur Informatik Albert-Ludwigs-Universit at Freiburg IT-Security: Theory and Practice (WS02) David Basin 1 Motivation then and now Three can keep a secret, if two of them are dead. Benjamin

slide-1
SLIDE 1

Cryptography I

David Basin

Institut f¨ ur Informatik Albert-Ludwigs-Universit¨ at Freiburg

IT-Security: Theory and Practice (WS02)

slide-2
SLIDE 2

David Basin 1

Motivation then and now

Three can keep a secret, if two of them are dead. — Benjamin Franklin We interact and transact by directing flocks of digital packets towards each

  • ther through cyberspace, carrying love notes, digital cash, and secret

corporate documents. Our personal and economic lives rely on our ability to let such ethereal carrier pigeons mediate at a distance what we used to do with face-to-face meetings, paper documents, and a firm handshake. How do we converse privately when every syllable is bounced off a satellite and smeared over an entire continent? How should a bank know that it really is Bill Gates requesting from his laptop in Fiji a transfer of $10,000,000,000 to another bank? Fortunately, the mathematics of cryptography can help. — Ron Rivest

IT-Security: Theory and Practice (WS02) 29.10.02

slide-3
SLIDE 3

David Basin 2

Road map

  • Basic concepts
  • A mathematical formalization
  • Symmetric-key encryption

IT-Security: Theory and Practice (WS02) 29.10.02

slide-4
SLIDE 4

David Basin 3

Network security model

Information Channel Message Information Secret Secret Information Message Principal Trusted Third Party Opponent Principal

Since information channel is untrusted, measures must be taken to ensure confidentiality (integrity, ...) of transactions.

IT-Security: Theory and Practice (WS02) 29.10.02

slide-5
SLIDE 5

David Basin 4

Security measures and mechanisms

  • Prevention: measures that hinder asset damage.

Real-world: build a castle with a moat and crocodiles. E-Commerce: encrypt your credit card number.

  • Detection: measures to detect when an asset has been damaged,

how it has been damaged, and who caused the damage. Real-world: install a closed-circuit television. E-Commerce: monthly statement of credit card transactions.

  • Reaction: take measures to recover your assets or rectify damages.

Real-world: call the police and pray. E-Commerce: block old card and request a new one.

IT-Security: Theory and Practice (WS02) 29.10.02

slide-6
SLIDE 6

David Basin 5

Information hiding

SECRET WRITING CRYPTOGRAPHY STEGANOGRAPHY

(hidden) (scrambled)

SUBSTITUTION TRANSPOSITION CODE

(replace words)

CIPHER

(replace letters)

  • Cryptology: the study of secret writing.
  • Steganography: the science of hiding messages in other messages.
  • Cryptography: the science of secret writing.

N.B. Terms like encrypt, encode, and encipher are often (loosely and wrongly) used interchangeably

IT-Security: Theory and Practice (WS02) 29.10.02

slide-7
SLIDE 7

David Basin 6

Cryptographic algorithms

  • General Schema: Ekey1(P) = C, Dkey2(C) = P

Encryption Decryption Plaintext Ciphertext Key1 Key2 Plain Text P C P

  • Security depends on secrecy of the key, not the algorithm
  • Symmetric algorithms

– Key1 = Key2, or are easily derived from each other.

  • Asymmetric or public key algorithms

– Different keys, which cannot be derived from each other. – Public key can be published without compromising private key.

IT-Security: Theory and Practice (WS02) 29.10.02

slide-8
SLIDE 8

David Basin 7

Other cryptographic primitives

  • A function f : X → Y is a one-way function, if f is “easy” to

compute for all x ∈ X , but f −1 is “hard” to compute “Easy” and “hard” with respect to complexity theory

  • A hash function is a one-way function that maps messages of

arbitrary length to a fixed size value (e.g., 128 bits)

  • We will see other cryptographic primitives later

Trapdoor functions, pseudo-random generators, . . .

IT-Security: Theory and Practice (WS02) 29.10.02

slide-9
SLIDE 9

David Basin 8

Goals for cryptographic algorithms

Encryption Decryption Plaintext Ciphertext Key1 Key2 Plain Text P C P

  • Encryption and decryption are easy if keys are known.
  • Keep plaintext (or keys) secret from attacker. I.e., it is hard to:

– get P from C without Key2. – get the keys even if given one or more pairs of C and corresponding P,

IT-Security: Theory and Practice (WS02) 29.10.02

slide-10
SLIDE 10

David Basin 9

Cryptanalysis

  • Cryptanalysis: science of recovering the plaintext from ciphertext

without the key.

  • Always assume attackers know the algorithms used!

– Worst-case analysis and realistic in open systems – Algorithms should be published to facilitate the evaluation of their security.

  • Contrast with security by obscurity.

Analogy: hide a letter under your mattress versus lock it in a safe, whose design has been published and whose locking mechanism has withstood attacks from the world’s best safecrackers.

IT-Security: Theory and Practice (WS02) 29.10.02

slide-11
SLIDE 11

David Basin 10

Kinds of attacks

Ciphertext only Given: C1 = EK(M1), . . . , Cn = EK(Mn) Deduce: M1, . . . , Mn or algorithm to compute Mn+1 from Cn+1 = EK(Mn+1) Known plaintext Given: M1, C1 = EK(M1), . . . , Mn, Cn = EK(Mn) Deduce: Inverse key or algorithm to compute Mn+1 from Cn+1 = EK(Mn+1) Chosen plaintext Same as above but cryptanalyst may choose M1, . . . , Mn. Adaptive chosen plaintext Cryptanalyst can not only choose plaintext, but he can modify the plaintext based on encryption results. Chosen ciphertext Cryptanalyst can chose different ciphertexts to be decrypted and gets access to the decrypted plaintext. Rubber-hose Cryptanalyst bribes or tortures someone until he gets the key!

IT-Security: Theory and Practice (WS02) 29.10.02

slide-12
SLIDE 12

David Basin 11

Road map

  • Basic concepts
  • A mathematical formalization
  • Symmetric key encryption

IT-Security: Theory and Practice (WS02) 29.10.02

slide-13
SLIDE 13

David Basin 12

Encryption/decryption

  • A, the alphabet, is a finite set.
  • M, the message space, is A∗, the finite strings over A.

M ∈ M is a plaintext (message).

  • C is the ciphertext space, whose alphabet may differ from M.
  • K denotes the key space of keys.
  • Each e ∈ K determines a bijective function from M to C, denoted

by Ee. Ee is the encryption function (or transformation).

  • For each d ∈ K, Dd denotes a bijection from C to M.

Dd is the decryption function.

  • Applying Ee (or Dd) is called encryption (or decryption).

IT-Security: Theory and Practice (WS02) 29.10.02

slide-14
SLIDE 14

David Basin 13

Encryption/decryption (cont.)

  • An encryption scheme (or cipher) consists of a set {Ee : e ∈ K}

and a corresponding set {De : e ∈ K} with the property that for each e ∈ K there is a unique d ∈ K such that Dd = E −1

e

; i.e., Dd(Ee(m)) = m for all m ∈ M .

  • The keys e and d above form a key pair, sometimes denoted by

(e, d). They can be identical.

  • To construct an encryption scheme requires fixing a message

space M, a ciphertext space C and a key space K, as well as encryption transformations {Ee : e ∈ K} and corresponding decryption transformations {Dd : d ∈ K}.

IT-Security: Theory and Practice (WS02) 29.10.02

slide-15
SLIDE 15

David Basin 14

Question — why bother with keys?

  • Formalization based on two parties exchanging a key pair (e, d) to

achieve confidentiality.

  • Why not just exchange encryption/decryption functions?

IT-Security: Theory and Practice (WS02) 29.10.02

slide-16
SLIDE 16

David Basin 14

Question — why bother with keys?

  • Formalization based on two parties exchanging a key pair (e, d) to

achieve confidentiality.

  • Why not just exchange encryption/decryption functions?
  • Answer: By exchanging key pairs, if some encryption/decryption

transformation is revealed, one doesn’t have to redesign entire

  • scheme. Just exchange new keys!
  • Analogy with combination lock: If your combination is

compromised, just change it, not the physical lock. However, if the lock design is compromised . . .

IT-Security: Theory and Practice (WS02) 29.10.02

slide-17
SLIDE 17

David Basin 15

An example

Let M = {m1, m2, m3} and C = {c1, c2, c3}. There are 3! = 6 bijections from M to C. The key space K = {1, 2, 3, 4, 5, 6} specifies these transformations.

E4 E1 E2 E3 E5 E6

m1 m2 m3 m1 m2 m3 m1 m2 m3 m1 m2 m3 m1 m2 m3 m1 m2 m3 c1 c2 c3 c1 c1 c1 c1 c1 c2 c2 c2 c2 c2 c3 c3 c3 c3 c3

Suppose Alice and Bob agree on the transformation E1. To encrypt m1, Alice computes E1(m1) = c3. Bob decrypts c3 by reversing the arrows on the diagram for E1 and observing that c3 points to m1.

IT-Security: Theory and Practice (WS02) 29.10.02

slide-18
SLIDE 18

David Basin 16

Road map

  • Basic concepts
  • A mathematical formalization
  • Symmetric-key encryption

Codes, substitution ciphers, transposition ciphers, one-time pads.

IT-Security: Theory and Practice (WS02) 29.10.02

slide-19
SLIDE 19

David Basin 17

Symmetric key encryption

  • Consider an encryption scheme {Ee : e ∈ K} and {Dd : d ∈ K}.

The scheme is symmetric-key if for each associated pair (e, d) it is computationally “easy” to determine d knowing only e and to determine e from d. In practice e = d.

  • Other terms: single-key, one-key, private-key, and conventional

encryption.

  • A block cipher is an encryption scheme that breaks up the

plaintext message into strings (blocks) of a fixed length t and encrypts one block at a time.

  • A stream cipher is one where the block-length is 1.
  • In contrast, codes work on words of varying length.

IT-Security: Theory and Practice (WS02) 29.10.02

slide-20
SLIDE 20

David Basin 18

Codes

  • Code: a string of symbols stands for a complete message.
  • Translation given by a ‘code-book’.

Word Code ... ... The 1701 secret 5603 mischiefs 4008 that 3790 I 2879 set 0524 ... ...

IT-Security: Theory and Practice (WS02) 29.10.02

slide-21
SLIDE 21

David Basin 18

Codes

  • Code: a string of symbols stands for a complete message.
  • Translation given by a ‘code-book’.

Word Code ... ... The 1701 secret 5603 mischiefs 4008 that 3790 I 2879 set 0524 ... ... 2327 6605 1702 9853 0001 0970 3190 8817 1320 0000 = 1701 5603 4008 3790 2879 0524 7946 = 2879 2870 6699 1702 3982 5550 8102 7354 0000 =

IT-Security: Theory and Practice (WS02) 29.10.02

slide-22
SLIDE 22

David Basin 18

Codes

  • Code: a string of symbols stands for a complete message.
  • Translation given by a ‘code-book’.

Word Code ... ... The 1701 secret 5603 mischiefs 4008 that 3790 I 2879 set 0524 ... ... 2327 6605 1702 9853 0001 0970 3190 8817 1320 0000 = I do the wrong, and first begin to brawl. 1701 5603 4008 3790 2879 0524 7946 = The secret mischiefs that I set abroach 2879 2870 6699 1702 3982 5550 8102 7354 0000 = I lay unto the grievous charge of others. (Richard III, Act I, Scene 3)

IT-Security: Theory and Practice (WS02) 29.10.02

slide-23
SLIDE 23

David Basin 19

Another Example

This year’s trial of the embassy bombings revealed that Bin Laden associates began to use encryption before 1998. Sometimes members of the Al-Qaida confederation have alternatively resorted to simple code words. For instance, “working” is said to mean Jihad, “tools” meant weapons, “potatos” meant grenades and “the director” was an alias for Bin Laden. Steganographic approaches were also used to communicate in at least three terrorist acts, including the 1998 embassy bombings in Kenya and Tanzania. Lisa Krieger, Mercury News, Oct 1. 2001

IT-Security: Theory and Practice (WS02) 29.10.02

slide-24
SLIDE 24

David Basin 20

Historical ciphers

  • Used 4000 years ago by Egyptians to encipher hieroglypics.
  • Ancient Hebrews enciphered certain words in the scriptures.
  • 2000 years ago Julius Ceasar used a simple substitution cipher.
  • Roger Bacon described several methods in 1200s.
  • Geoffrey Chaucer included several ciphers in his works
  • Leon Alberti devised a cipher wheel, and described the principles
  • f frequency analysis in the 1460s.

IT-Security: Theory and Practice (WS02) 29.10.02

slide-25
SLIDE 25

David Basin 21

Mono-alphabetic substitution ciphers

  • Let K be the set of all permutations on the alphabet A. Define

for each e ∈ K an encryption transformation Ee on strings m = m1m2 · · · mn ∈ M as Ee(m) = e(m1)e(m2) · · · e(mn) = c1c2 · · · cn = c

  • To decrypt c, compute the inverse permutation d = e−1 and

Dd(c) = d(c1)d(c2) · · · d(cn) = m

  • Ee is a simple substitution cipher or a mono-alphabetic

substitution cipher.

IT-Security: Theory and Practice (WS02) 29.10.02

slide-26
SLIDE 26

David Basin 22

Substitution cipher examples

  • KHOOR ZRUOG

IT-Security: Theory and Practice (WS02) 29.10.02

slide-27
SLIDE 27

David Basin 22

Substitution cipher examples

  • KHOOR ZRUOG = HELLO WORLD

Caesar cipher: each plaintext character is replaced by the character three to the right modulo 26.

IT-Security: Theory and Practice (WS02) 29.10.02

slide-28
SLIDE 28

David Basin 22

Substitution cipher examples

  • KHOOR ZRUOG = HELLO WORLD

Caesar cipher: each plaintext character is replaced by the character three to the right modulo 26.

  • Zl anzr vf Nqnz

IT-Security: Theory and Practice (WS02) 29.10.02

slide-29
SLIDE 29

David Basin 22

Substitution cipher examples

  • KHOOR ZRUOG = HELLO WORLD

Caesar cipher: each plaintext character is replaced by the character three to the right modulo 26.

  • Zl anzr vf Nqnz = My name is Adam

ROT13: shift each letter by 13 places. ‘A’ is replaced by ‘N’, ‘B’ by ‘O’, ...,

IT-Security: Theory and Practice (WS02) 29.10.02

slide-30
SLIDE 30

David Basin 22

Substitution cipher examples

  • KHOOR ZRUOG = HELLO WORLD

Caesar cipher: each plaintext character is replaced by the character three to the right modulo 26.

  • Zl anzr vf Nqnz = My name is Adam

ROT13: shift each letter by 13 places. ‘A’ is replaced by ‘N’, ‘B’ by ‘O’, ...,

  • 2-25-5 2-25-5

IT-Security: Theory and Practice (WS02) 29.10.02

slide-31
SLIDE 31

David Basin 22

Substitution cipher examples

  • KHOOR ZRUOG = HELLO WORLD

Caesar cipher: each plaintext character is replaced by the character three to the right modulo 26.

  • Zl anzr vf Nqnz = My name is Adam

ROT13: shift each letter by 13 places. ‘A’ is replaced by ‘N’, ‘B’ by ‘O’, ...,

  • 2-25-5 2-25-5 = BYE BYE

Alphanumeric: substitute numbers for letters. How hard are these to cryptanalyze? Caesar? General?

IT-Security: Theory and Practice (WS02) 29.10.02

slide-32
SLIDE 32

David Basin 23

(In)security of substitution ciphers

  • Key spaces are typically huge. 26 letters ❀ 26! possible keys.
  • Trivial to crack using frequence analysis (letters, digraphs, etc.).
  • Frequencies for English based on data-mining books/articles.

⇒ Serdhrapvrf sbe Ratyvfu onfrq ba qngn-zvavat obbxf/negvpyrf.

  • Easy to apply, except for short, atypical texts

From Zanzibar to Zambia and Zaire, ozone zones make zebras run zany zigzags. ⇒ More sophistication required to mask statistical regularities.

IT-Security: Theory and Practice (WS02) 29.10.02

slide-33
SLIDE 33

David Basin 24

Homophonic substitution ciphers

  • To each a ∈ A associate a set H (a) of strings of t symbols, where

H (a), a ∈ A are pairwise disjoint. A homophonic substitution cipher replaces each a with a randomly chosen string from H (a). To decrypt a string c of t symbols, one must determine an a ∈ A such that c ∈ H (a). The key for the cipher is the sets H (a).

  • Example: A = {a, b}, H (a) = {00, 10}, and H (b) = {01, 11}.

The plaintext ab encrypts to one of 0001, 0011, 1001, 1011.

  • Rational: makes frequency analysis more difficult.

Cost: data expansion and more work for decryption.

IT-Security: Theory and Practice (WS02) 29.10.02

slide-34
SLIDE 34

David Basin 25

Polyalphabetic substitution ciphers

  • Idea (Leon Alberti): conceal distribution using family of

mappings.

  • A polyalphabetic substitution cipher is a block cipher with block

length t over alphabet A where: – the key space K consists of all ordered sets of t permutations

  • ver A, (p1, p2, . . . , pt).

– Encryption of m = m1 · · · mt under key e = (p1, · · · , pt) is Ee(m) = p1(m1) · · · pt(mt). – Decryption key for e is d = (p−1

1 , · · · p−1 t

).

IT-Security: Theory and Practice (WS02) 29.10.02

slide-35
SLIDE 35

David Basin 26

Example: Vigen` ere ciphers

  • Key given by sequence of numbers e = e1, . . . , et, where

pi(a) = (a + ei) mod n defining a permutation on an alphabet of size n.

  • Example: English (n = 26), with k = 3,7,10

m = THI SCI PHE RIS CER TAI NLY NOT SEC URE then Ee(m) = WOS VJS SOO UPC FLB WHS QSI QVD VLM XYO

IT-Security: Theory and Practice (WS02) 29.10.02

slide-36
SLIDE 36

David Basin 27

Transposition ciphers

  • For block length t, let K be the set of permutations on {1, . . . , t}.

For each e ∈ K and m ∈ M Ee(m) = me(1)me(2) · · · me(t)

  • The set of all such transformations is called a transposition cipher.
  • To decrypt c = c1c2 · · · ct compute Dd(c) = cd(1)cd(2) · · · cd(t).
  • N.B.: cryptanalysis easy as frequencies (of letters) preserved.

IT-Security: Theory and Practice (WS02) 29.10.02

slide-37
SLIDE 37

David Basin 28

Transposition ciphers — example

  • C = Aduaenttlydhatoiekounletmtoihahvsekeeeleeyqonouv

IT-Security: Theory and Practice (WS02) 29.10.02

slide-38
SLIDE 38

David Basin 28

Transposition ciphers — example

  • C = Aduaenttlydhatoiekounletmtoihahvsekeeeleeyqonouv

A n d i n t h e e n d t h e l

  • v

e y

  • u

t a k e i s e q u a l t

  • t

h e l

  • v

e y

  • u

m a k e

IT-Security: Theory and Practice (WS02) 29.10.02

slide-39
SLIDE 39

David Basin 28

Transposition ciphers — example

  • C = Aduaenttlydhatoiekounletmtoihahvsekeeeleeyqonouv

A n d i n t h e e n d t h e l

  • v

e y

  • u

t a k e i s e q u a l t

  • t

h e l

  • v

e y

  • u

m a k e

  • Idea goes back to Greek Scytale: wrap belt spirally around baton

and write plaintext lengthwise on it.

IT-Security: Theory and Practice (WS02) 29.10.02

slide-40
SLIDE 40

David Basin 29

Composite ciphers

  • Ciphers based on just substitutions or transpositions are not secure
  • Ciphers can be combined. However . . .

– two substitutions are really only one more complex substitution, – two transpositions are really only one transposition, – but a substitution followed by a transposition makes a new harder cipher.

  • Product ciphers chain

substitution-transposition combinations.

  • Difficult to do by hand

❀ invention of cipher machines.

IT-Security: Theory and Practice (WS02) 29.10.02

slide-41
SLIDE 41

David Basin 30

One-time pads (Vernam cipher)

  • A one-time pad is a stream cipher defined on A = {0, 1}.

Message m1 · · · mn is encrypted by a binary key string k1 · · · kn. Ek1···kn(m1 · · · mn) = (m1 ⊕ k1) · · · (mn ⊕ kn) Dk1···kn(c1 · · · cn) = (c1 ⊕ k1) · · · (cn ⊕ kn)

  • Example: m = 010111, k = 110010, and c = 100101
  • Since every key sequence is equally likely, so is every plaintext!

Perfect (information theoretical) security, if key isn’t reused.

  • Until recently, communication between Moscow and Washington

was secured this way. Keys transported by trusted courier. Problematic to securely exchange and synchronize long keys.

IT-Security: Theory and Practice (WS02) 29.10.02

slide-42
SLIDE 42

David Basin 31

Bibliography

  • Bruce Schneier. Applied Cryptography. John Wiley & Sons, New

York, 1996.

  • Dieter Gollmann. Computer Security. Wiley, 2000.
  • Alfred J. Menezes, Paul C. van Oorschot, Scott A. Vanstone.

Handbook of Applied Cryptography. CRC Press, 1996. Available online at http://cacr.math.uwaterloo.ca/hac/

  • Arthur E. Hutt, Seymour Bosworth, Douglas B. Hoyt. Computer

Security Handbook. John Wiley & Sons, 1995.

IT-Security: Theory and Practice (WS02) 29.10.02