Introduction to Computer Security Foundations of Cryptography Pavel - - PowerPoint PPT Presentation

Introduction to Computer Security

Foundations of Cryptography

Pavel Laskov Wilhelm Schickard Institute for Computer Science

Secret communication

Encryption Alice Bob Decryption key unitue plaintext I love you plaintext I love you ciphertext C ywoy cih key unitue

Cryptography and security objectives

Which security objectives are addressed by cryptography?

Cryptography and security objectives

Which security objectives are addressed by cryptography? Confidentiality

symmetric cryptography asymmetric cryptography

Integrity

hashing

Authentication and non-repudiation

digital signatures

Symmetric cryptography

Encryption Alice Bob Decryption shared key unitue plaintext I love you plaintext I love you ciphertext C ywoy cih shared key unitue any valid key

Early permutation cipher: scytale

Encryption:

Wrap a parchment strip over a wooden rod of a fixed diameter and write letters along the rod.

Decryption:

Wrap a received strip over a wooden rod

• f the same diameter and read off the

text.

Example:

troops headin gnorth sendmo refood

− →

thgsr renee oaonf odrdo pitmo snhod

Monoalphabetic substitution cipher: Caesar

Encryption

Replace each letter with the one three positions to the right in the alphabet.

Decryption

Replace each letter with the one three positions to the left in the alphabet.

Example:

HABES OPINIONIS MEAE TESTIMONIUM MDEHV RSNQNRQNV PHDH XHVXNPRQNZP

Polyalphabetic substitution cipher: Vigen` ere

Encryption

Write the key over a message, repeating as necessary. Substitute each letter with the one from an appropriate column in the Vigen` ere tableau.

Decryption

Same as encryption, use a row instead of a column.

Example:

unitueun iloveyou

− →

cywoycih

Polyalphabetic substitution: Enigma

Operating principle: electromechanical varying map substitution Main components:

3–5 rotors with pre-defined connectivity inter-rotor rings: mapping between letters and connections letter swap by jumper cables

Key definition: rotor types, ring positions, jumper settings

Tag UKW Walzenlage Ringstellung ---- Steckerverbindungen ---- 31 B I IV III 16 26 08 AD CN ET FL GI JV KZ PU QY WX 30 B II V I 18 24 11 BN DZ EP FX GT HW IY OU QV RS 29 B III I IV 01 17 22 AH BL CX DI ER FK GU NP OQ TY

One-time pad ciphers

Encryption:

Generate a random key sequence. Add a key to a message using modular arithmetic.

Decryption:

Subtract a key from a message using modular arithmetic.

Example:

7 (H) 4 (E) 11 (L) 11 (L) 14 (O) message + 23 (X) 12 (M) 2 (C) 10 (K) 11 (L) key = 30 16 13 21 25 message + key = 4 (E) 16 (Q) 13 (N) 21 (V) 25 (Z) mod 26

Feistel cipher: S and P boxes

S-box

Complex substitution controlled by a key Secure if enough internal states Unrealizable for a large number of states

P-box

Block-wise permutation of digits Simple transformation with maximal entropy Insecure against a “tickling attack”

Feistel network

Revival of the idea of a product cipher Strong polyalphabetic substitution via multiple rounds Follows theoretical principles of Shannon

A practical Feistel cipher

A multiple-round scheme with separate keys Encryption: Li+1 = Ri Ri+1 = Li ⊕ f(Ki, Ri) Decryption: reverse the key order Li+1 = Ri Ri+1 = Li ⊕ f(Kn−i, Ri) 3 rounds suffice to achieve a pseudorandom permutation

DES: Digital Encryption Standard

Adopted in 1977 after two rounds of proposals Won by IBM’s Lucifer cipher based on Feistel’s design Key length reduced by NIST from 128 bits to 56 bits Subject to extensive cryptanalysis research in 1990s’ Broken by specialized hardware crackers in 1997–1999 (fastest result: 22 hours 15 minutes by Deep Crack) Still widely used in practice (as 3DES) Replaced by Advanced Encryption Standard (AES) in 2000

DES overview

Permuted Choice 1 64 bit plaintext 56 bit key Initial Permutation Iteration 1 Permuted Choice 2 Left Circular Shift / 2

K1

Iteration 2 Permuted Choice 2 Left Circular Shift / 2

K2

Iteration 16 Permuted Choice 2 Left Circular Shift / 2

K16

32 bit Swap Inverse Initial Permutation 64 bit ciphertext

...

DES round structure

Li-1 Ri-1

Expansion Permutation

Ci-1 Di-1 Left Shift Left Shift

Permutation Contraction (Perm. Choice 2)

+

48 48 Ki S-Box: Choice Substitution

Permutation

+

Li Ri Ci Di

48 32 32 bit 32 bit 28 bit 28 bit 32 Data to be encrypted Key used for encryption

Other symmetric ciphers

Block ciphers

Algorithm Key size Block size Rounds Applications 3DES 112/168 64 48 Finance, PGP , S/MIME AES 128/192/256 128 10/12/14

• Repl. for DES/3DES

IDEA 128 64 8 PGP Blowfish up to 448 64 16 Various software RC5 up to 2048 64 up to 255 Various software

Stream ciphers

Algorithm Key size IV State Applications A5/2 54 114 64 GSM RC4 40-256 8 2064 WEP , WPA, SSL, SSH, Kerberos, etc.

Resum´ e of symmetric cryptography

Provides (with some exceptions) a reliable means for enforcing confidentiality Highly efficient Key distribution is a major problem!

Asymmetric cryptography

Encryption Alice Bob Decryption Bob’s public key unitue plaintext I love you plaintext I love you ciphertext C ywoy cih Bob’s private key zxtr9y specially generated keypair

Prime numbers

An integer p is a prime number if its only divisors are ±1 and

±p.

A positive integer c is said to be the greatest common divisor

• f a and b if

c is a divisor of a and of b; any divisor of a and of b is a divisor of c.

Integers a and b are said to be relatively prime if gcd(a, b) = 1.

Euler’s totient function

A totient φ(n) of an integer n is the number of integers less than n that are relatively prime to n. Example: φ(9) = 6 :

{1, 2, 4, 5, 7, 8}

Two integers a and b are congruent modulo n, written as a ≡ b mod n, if

(a mod n) = (b mod n)

Euler’s Theorem: If a and n are relatively prime, then aφ(n) ≡ 1 mod n.

RSA overview

Alice sends her love message to Bob via RSA: Alice Bob Generate a keypair Ku / Kr Send Ku to Alice Encrypt plaintext M with Ku Send ciphertext C to Bob Decrypt C with Kr

RSA key generation

Step Condition Select p, q p, q prime, p = q Compute n = p × q Compute φ(n) = (p − 1)(q − 1) Select 1 < e < φ(n) gcd(φ(n), e) = 1 Compute d (de) mod φ(n) = 1 (∗) Public key Ku = {e, n} Private key Kr = {d, n}

RSA encryption and decryption

Encryption:

Plaintext: M < n Ciphertext: C = Me mod n

Decryption:

Ciphertext: C Plaintext: M = Cd mod n

Correctness of RSA encryption

By the property (∗),

(de) mod φ(n) = 1 ⇒ ∃k : (de) = 1 + kφ(n).

Then, M

?

≡ Cd mod n ≡ (Me)d mod n ≡ M(ed) mod n ≡ M1+kφ(n) mod n

?

≡ M mod n

Correctness of RSA encryption (ctd.)

For prime numbers p, φ(p) = (p − 1). By the key generation algorithm and the multiplicative property of the totient function, φ(n) = φ(p) · φ(q) = (p − 1) · (q − 1). By Euler’s Theorem, if p does not divide M, M(p−1) = 1 mod p and since (p − 1) divides φ(n) M1+kφ(n) ≡ M mod p. Similar argument holds for q and hence for n = pq.

What’s secret in RSA?

An attacker needs to know d to decrypt C. To find d, an attacker needs to solve (∗):

(de) mod φ(n) = 1.

For this, he needs to know φ(n). If p and q are known, then finding φ(n) is trivial: φ(n) = (p − 1) · (q − 1) However p and q are discarded during key generation. Factoring n into a product of two prime numbers is an intractable problem! Finding φ(n) directly is likewise intractable.

Other asymmetric ciphers

Algorithm E/D D.S. KEX Hardness RSA Yes Yes Yes Factorization ElGamal Yes No No DLP DSS No Yes No DLP Diffie-Hellmann No No Yes DLP Elliptic curve Yes Yes Yes EC DLP

Summary

Cryptographic methods provide solutions for various confidentiality, integrity and authentication tasks. Symmetric cryptography is based on a single key that must be shared between the communication parties and kept secret. Asymmetric cryptography is based two related keys; only

• ne of them (private key) must be kept secret, the other one

(public key) can be distributed over insecure media.

Next lecture

Cryptographic hash functions Digital signatures