Introduction to Computer Security Foundations of Cryptography Pavel - PowerPoint PPT Presentation

Introduction to Computer Security Foundations of Cryptography Pavel Laskov Wilhelm Schickard Institute for Computer Science

Secret communication key key unitue unitue Alice Bob plaintext ciphertext plaintext Encryption I love you C ywoy cih Decryption I love you

Cryptography and security objectives Which security objectives are addressed by cryptography?

Cryptography and security objectives Which security objectives are addressed by cryptography? Confidentiality symmetric cryptography asymmetric cryptography Integrity hashing Authentication and non-repudiation digital signatures

Symmetric cryptography any valid key shared key shared key unitue unitue Alice Bob plaintext ciphertext plaintext I love you Encryption C ywoy cih Decryption I love you

Early permutation cipher: scytale Encryption: Wrap a parchment strip over a wooden rod of a fixed diameter and write letters along the rod. Decryption: Wrap a received strip over a wooden rod of the same diameter and read off the text. Example: troops headin − → thgsr renee oaonf odrdo pitmo snhod gnorth sendmo refood

Monoalphabetic substitution cipher: Caesar Encryption Replace each letter with the one three positions to the right in the alphabet. Decryption Replace each letter with the one three positions to the left in the alphabet. Example: HABES OPINIONIS MEAE TESTIMONIUM MDEHV RSNQNRQNV PHDH XHVXNPRQNZP

Polyalphabetic substitution cipher: Vigen` ere Encryption Write the key over a message, repeating as necessary. Substitute each letter with the one from an appropriate column in the Vigen` ere tableau. Decryption Same as encryption, use a row instead of a column. Example: unitueun − → cywoycih iloveyou

Polyalphabetic substitution: Enigma Operating principle: electromechanical varying map substitution Main components: 3–5 rotors with pre-defined connectivity inter-rotor rings: mapping between letters and connections letter swap by jumper cables Key definition: rotor types, ring positions, jumper settings Tag UKW Walzenlage Ringstellung ---- Steckerverbindungen ---- 31 B I IV III 16 26 08 AD CN ET FL GI JV KZ PU QY WX 30 B II V I 18 24 11 BN DZ EP FX GT HW IY OU QV RS 29 B III I IV 01 17 22 AH BL CX DI ER FK GU NP OQ TY

One-time pad ciphers Encryption: Generate a random key sequence. Add a key to a message using modular arithmetic. Decryption: Subtract a key from a message using modular arithmetic. Example: 7 (H) 4 (E) 11 (L) 11 (L) 14 (O) message + 23 (X) 12 (M) 2 (C) 10 (K) 11 (L) key = 30 16 13 21 25 message + key = 4 (E) 16 (Q) 13 (N) 21 (V) 25 (Z) mod 26

Feistel cipher: S and P boxes S-box Complex substitution controlled by a key Secure if enough internal states Unrealizable for a large number of states P-box Block-wise permutation of digits Simple transformation with maximal entropy Insecure against a “tickling attack”

Feistel network Revival of the idea of a product cipher Strong polyalphabetic substitution via multiple rounds Follows theoretical principles of Shannon

A practical Feistel cipher A multiple-round scheme with separate keys Encryption: L i + 1 = R i R i + 1 = L i ⊕ f ( K i , R i ) Decryption: reverse the key order L i + 1 = R i R i + 1 = L i ⊕ f ( K n − i , R i ) 3 rounds suffice to achieve a pseudorandom permutation

DES: Digital Encryption Standard Adopted in 1977 after two rounds of proposals Won by IBM’s Lucifer cipher based on Feistel’s design Key length reduced by NIST from 128 bits to 56 bits Subject to extensive cryptanalysis research in 1990s’ Broken by specialized hardware crackers in 1997–1999 (fastest result: 22 hours 15 minutes by Deep Crack) Still widely used in practice (as 3DES) Replaced by Advanced Encryption Standard (AES) in 2000

DES overview 64 bit plaintext 56 bit key Initial Permuted Permutation Choice 1 K 1 Permuted Left Circular Iteration 1 Choice 2 Shift / 2 K 2 Permuted Left Circular Iteration 2 Choice 2 Shift / 2 ... K 16 Permuted Left Circular Iteration 16 Choice 2 Shift / 2 32 bit Swap Inverse Initial Permutation 64 bit ciphertext

DES round structure Data to be encrypted Key used for encryption 32 bit 32 bit 28 bit 28 bit L i-1 R i-1 C i-1 D i-1 Expansion Left Shift Left Shift Permutation 48 48 K i Permutation Contraction + (Perm. Choice 2) 48 S-Box: Choice Substitution 32 Permutation 32 + L i R i C i D i

Other symmetric ciphers Block ciphers Algorithm Key size Block size Rounds Applications 3DES 112/168 64 48 Finance, PGP , S/MIME AES 128/192/256 128 10/12/14 Repl. for DES/3DES IDEA 128 64 8 PGP Blowfish up to 448 64 16 Various software RC5 up to 2048 64 up to 255 Various software Stream ciphers Algorithm Key size IV State Applications A5/2 54 114 64 GSM RC4 40-256 8 2064 WEP , WPA, SSL, SSH, Kerberos, etc.

Resum´ e of symmetric cryptography Provides (with some exceptions) a reliable means for enforcing confidentiality Highly efficient Key distribution is a major problem!

Asymmetric cryptography specially generated keypair Bob’s public key Bob’s private key unitue zxtr9y Alice Bob plaintext ciphertext plaintext I love you Encryption C ywoy cih Decryption I love you

Prime numbers An integer p is a prime number if its only divisors are ± 1 and ± p . A positive integer c is said to be the greatest common divisor of a and b if c is a divisor of a and of b ; any divisor of a and of b is a divisor of c . Integers a and b are said to be relatively prime if gcd ( a , b ) = 1.

Euler’s totient function A totient φ ( n ) of an integer n is the number of integers less than n that are relatively prime to n . Example: φ ( 9 ) = 6 : { 1, 2, 4, 5, 7, 8 } Two integers a and b are congruent modulo n , written as a ≡ b mod n , if ( a mod n ) = ( b mod n ) Euler’s Theorem: If a and n are relatively prime, then a φ ( n ) ≡ 1 mod n .

RSA overview Alice sends her love message to Bob via RSA: Alice Bob Generate a keypair K u / K r Send K u to Alice Encrypt plaintext M with K u Send ciphertext C to Bob Decrypt C with K r

RSA key generation Step Condition p , q prime, p � = q Select p , q Compute n = p × q Compute φ ( n ) = ( p − 1 )( q − 1 ) Select 1 < e < φ ( n ) gcd ( φ ( n ) , e ) = 1 Compute d ( de ) mod φ ( n ) = 1 ( ∗ ) Public key K u = { e , n } Private key K r = { d , n }

RSA encryption and decryption Encryption: Plaintext: M < n C = M e mod n Ciphertext: Decryption: Ciphertext: C M = C d mod n Plaintext:

Correctness of RSA encryption By the property ( ∗ ), ( de ) mod φ ( n ) = 1 ⇒ ∃ k : ( de ) = 1 + k φ ( n ) . Then, ? ≡ C d mod n M ≡ ( M e ) d mod n ≡ M ( ed ) mod n ≡ M 1 + k φ ( n ) mod n ? ≡ M mod n

Correctness of RSA encryption (ctd.) For prime numbers p , φ ( p ) = ( p − 1 ) . By the key generation algorithm and the multiplicative property of the totient function, φ ( n ) = φ ( p ) · φ ( q ) = ( p − 1 ) · ( q − 1 ) . By Euler’s Theorem, if p does not divide M , M ( p − 1 ) = 1 mod p and since ( p − 1 ) divides φ ( n ) M 1 + k φ ( n ) ≡ M mod p . Similar argument holds for q and hence for n = pq .

What’s secret in RSA? An attacker needs to know d to decrypt C . To find d , an attacker needs to solve ( ∗ ): ( de ) mod φ ( n ) = 1. For this, he needs to know φ ( n ) . If p and q are known, then finding φ ( n ) is trivial: φ ( n ) = ( p − 1 ) · ( q − 1 ) However p and q are discarded during key generation. Factoring n into a product of two prime numbers is an intractable problem! Finding φ ( n ) directly is likewise intractable.

Other asymmetric ciphers Algorithm E/D D.S. KEX Hardness RSA Yes Yes Yes Factorization ElGamal Yes No No DLP DSS No Yes No DLP Diffie-Hellmann No No Yes DLP Elliptic curve Yes Yes Yes EC DLP

Summary Cryptographic methods provide solutions for various confidentiality, integrity and authentication tasks. Symmetric cryptography is based on a single key that must be shared between the communication parties and kept secret. Asymmetric cryptography is based two related keys; only one of them (private key) must be kept secret, the other one (public key) can be distributed over insecure media.

Next lecture Cryptographic hash functions Digital signatures