Bart Preneel September 2007 Cryptographic Algorithm Engineering and “Provable” Security Outline Cryptographic Algorithm Engineering and “Provable” Security • Crypto refresher – Basic concepts Foundations of Security Analysis and Design – one time pad – stream ciphers and block ciphers September 2007 – hash functions Slide credit: most of • Provable security for symmetric cryptology Prof. Bart Preneel the slides on – concepts provable security Katholieke Universiteit Leuven, Belgium – OTP have been created Bart.Preneel(at)esat.kuleuven.be – Merkle Damgard construction for hash functions by Dr. Gregory http://homes.esat.kuleuven.be/~preneel – CBC mode of a block cipher Neven • Limitations of provable security 1 2 Data confidentiality Entity authentication Eve Hello, I am Alice Alice Bob Bob Eve 3 4 Data authentication Non-repudiation (origin) Eve Alice I never sent this message Alice Bob Bob 5 6 1
Bart Preneel September 2007 Cryptographic Algorithm Engineering and “Provable” Security Non-repudiation (receipt) Denial of service Eve Alice r e v e n d I e v i e e g c a e s r s e m s i h t Bob Alice Bob 7 8 Definitions (ctd) Applying crypto: protocols (1) • Networking (communications security) data entities – key transport (email) – authenticated key agreement (SSL/TLS, SSH, GSM, 3GSM) Confidentiality encryption anonymity confidentiality – anonymous communication Integrity – robust networking (DNS, routing) data authentication identification Availability authentication • Computer security Authorisation – file and database encryption – code signing – attestation (TPM) Non-repudiation of origin, receipt – secure identification Don’t use the Contract signing word • Applications authentication – time-stamping and notarisation without defining it Notarisation and Timestamping – e-invoicing – e-cash – e-voting – e-auctions 9 10 Cryptology: basic principles Protocols (2) • privacy protecting biometry “you can trust it • privacy protecting data mining Eve Alice Bob • social and group crypto because you don’t • … have to” • multi-party computation CRY CRY Clear Clear %^C& %^C& PTO PTO @&^( @&^( text text BOX BOX 11 12 2
Bart Preneel September 2007 Cryptographic Algorithm Engineering and “Provable” Security Cryptographic algorithms Cryptography ≠ security • Manual systems (before 1920) • crypto is only a tiny piece of the security puzzle • Mechanical and electromechanical systems (1920-1960) – but an important one: if crypto breaks, implications can be dramatic • Electronic systems (1960s-present) • most systems break elsewhere – incorrect requirements or specifications – implementation errors – application level – social engineering 13 14 Cryptanalysis example: Old cipher systems (pre 1900) TIPGK RERCP JZJZJ WLE GVCTX EREPC WMWMW JYR • Caesar cipher: shift letters over k positions in UJQHL SFSDQ KAKAK XMF HWDUY FSFQD XNXNX KZS VKRIM TGTER LBLBL YNG IXEVZ GTGRE YOYOY LAT the alphabet (k is the secret key) WLSJN UHUFS MCMCM ZOH JYFWA HUHSF ZPZPZ MBU XDTKO VOVGT NDNDN API KZGXB IVITG AQAQA NCV THIS IS THE CAESAR CIPHER YNULP WKWHU OEOEO BQJ LAHYC JWJUH BRBRB ODW ZOVMQ XKXIV PFPFP CRK MBIZD KXKVI CSCSC PEX WKLV LV WKH FDHVDU FLSKHU APWNR YLYJW QGQGQ DSL NCJAE LYLWJ DTDTD QFY BQXOS ZMXKX RHRHR ETM ODKBF MZMXK EUEUE RGZ • Julius Caesar never changed his key (k=3). CRYPT ANALY SISIS FUN PELCG NANYL FVFVF SHA DSZQU BOBMZ TJTJT GVO QFMDH OBOZM GWGWG TIB ETARV CPCNA UKUKU HWP RGNEI PCPAN HXHXH UJC FUBSW DQDOB VLVLV IXQ SHOFJ QDQBO IYIYI VKD Plaintext? k = 17 15 16 Old cipher systems (pre 1900) (2) Security • there are n! different substitutions on an alphabet • Substitutions with n letters ! Easy to – ABCDEFGHIJKLMNOPQRSTUVWXYZ • there are n! different transpositions of n letters break using – MZNJSOAXFQGYKHLUCTDVWBIPER • n=26: n!=403291461126605635584000000 = 4 . 10 26 keys statistical techniques • trying all possibilities at 1 nanosecond per key • Transpositions requires.... 4.10 26 /(10 9 . 10 5 . 4 10 2 ) = 10 9 years TRANS ORI S POSIT NOTIT keys per days per seconds IONS OSANP second year per day 17 18 3
Bart Preneel September 2007 Cryptographic Algorithm Engineering and “Provable” Security Letter distributions Assumptions on Eve (the opponent) • Cryptology = cryptography + cryptanalysis 12 • Eve knows the algorithm, except for the 10 key (Kerckhoffs’s principle) • increasing capability of Eve: 8 – knows some information about the plaintext 6 (e.g., in English) – knows part of the plaintext 4 – can choose (part of) the plaintext and look at the ciphertext 2 – can choose (part of) the ciphertext and look at the 0 plaintext A B C D E F G H I … Y Z 19 20 The Rotor machines (WW II) Assumptions on Eve (the opponent) • A scheme is broken if Eve can deduce the key or obtain additional plaintext • Eve can always try all keys till “meaningful” plaintext appears: a brute force attack – solution: large key space • Eve will try to find shortcut attacks (faster than brute force) – history shows that designers are too optimistic about the security of their cryptosystems 21 22 Problem: what is this? Mechanical: Hagelin C38 • Cryptogram [=14 January 1961 11.00 h] • <AHQNE XVAZW IQFFR JENFV OUXBD LQWDB BXFRZ NJVYB QVGOZ KFYQV GEDBE HGMPS GAZJK RDJQC VJTEB XNZZH MEVGS ANLLB DQCGF PWCVR UOMWW LOGSO ZWVVV LDQNI YTZAA OIJDR UEAAV RWYXH PAWSV CHTYN HSUIY PKFPZ OSEAW SUZMY QDYEL FUVOA WLSSD ZVKPU ZSHKK PALWB SHXRR MLQOK AHQNE 11205 141100> 23 24 4
Bart Preneel September 2007 Cryptographic Algorithm Engineering and “Provable” Security The answer The answer (in readable form) • Plaintext [=14 January 1961 11.00 h] • Plaintext [=14 January 1961 11.00 h] • TRESECV. R V M PRINTEX. PRIMO • DOFGD VISWA WVISW JOSEP HWXXW RIEN ENVOYE RUSUR. POUVEZ TERTI OWMIS SIONW BOMBO KOWVO REGLER. SECUNDO REPRENDRE IRWTE LEXWC EWSUJ ETWAM BABEL DURGENCE PLAN BRAZZA VIS A GEWXX WJULE SWXXW BISEC TWTRE VIS JOSEP H. TERTIO MISSION SECVX XWRWV WMWPR INTEX WXXWP BOMBOKO VOIR TELEX CE SUJET RIMOW RIENW ENVOY EWRUS URWWX AMBABELGE. JULES. XWPOU VEZWR EGLER WXXWS ECUND Resume urgently plan Brazzaville OWREP RENDR EWDUR GENCE WPLAN w.r.t. P. Lumumba WBRAZ ZAWWC 25 26 Life cycle of a cryptographic algorithm “Broken” algorithms idea • FEAL mathematical analysis • DES publication • RC4 (WEP) public evaluation • E0 (Bluetooth) RIP OK • Keeloq hw/sw implementation • MAA (banking MAC) standardization • MD2, MD4, MD5, SHA-1 industrial products $$$ • … take out of service 27 28 Vernam scheme (1917) – one time pad Vernam scheme + Shannon (1948) • perfect secrecy: ciphertext gives opponent no • key is random string, as long as the plaintext additional information on the plaintext or • perfect security (even if opponent has infinite H(P|C)=H(P) computing power) but impractical • impractical: key is as long as the plaintext • but this is optimal: for perfect secrecy H(K) ≥ H(P) ⊕ ⊕ 10010 10010 11001 11001 C P P 01011 01011 29 30 5
Bart Preneel September 2007 Cryptographic Algorithm Engineering and “Provable” Security Vernam scheme: perfect secrecy Vernam scheme: Venona • general: C = (P + K) mod 26; P = (C - K) mod 26 • c 1 = p 1 + k – with C, P, K ∈ [0,25]; A=0, B=1, …, Z=25 • c 2 = p 2 + k • consider ciphertext C= XHGRQ • then c 1 – c 2 = p 1 – p 2 – with key AAAAA P = XHGRQ – with key VAYEK P = CHINA – with key EZANZ P = TIGER • a skilled cryptanalyst can recover p 1 and p 2 – … from p 1 – p 2 using the redundancy in the – with key ZZZZZ P = YIHSR language • conclusion: for every 5-character plaintext there is a 5-character key which maps the ciphertext to that plaintext 31 32 Example: c1 V c2 (not +) Vernam scheme • 0 + 1 = 1 1.2 • 1 + 0 = 1 1 0.8 0+1 • 0 + 0 = 0 0.6 1+0 0+0 0.4 • 1 + 1 = 0 1+1 0.2 0 -0.2 • identical mathematical symbols can result in different electrical signals 33 34 Three approaches in cryptography Model of a practical stream cipher • information theoretic security IV IV – ciphertext only – part of ciphertext only next next – noisy version of ciphertext state state function function • system-based or practical security – also known as “prayer theoretic” security output output • complexity theoretic security: function “looks” function model of computation, definition, proof random P P – variant: quantum cryptography C 35 36 6
Recommend
More recommend
