Privacy and Computer Science (ECI 2015) Day 1 - Introduction: why cryptography is not enough

SLIDE 1

Privacy and Computer Science (ECI 2015) Day 1 - Introduction why cryptography is not enough

  • F. Prost

Frederic.Prost@ens-lyon.fr

Ecole Normale Supérieure de Lyon

July 2015

  • F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Supérieure de Lyon) Privacy and Computer Science (ECI 2015) Day 1 - Introduction why cryptography is not enough July 2015 1 / 48

SLIDE 2

The Fall of Men and IT

SLIDE 3

Virtualization

Reality, virtual world and their interactions.

⇒ problems linked to hypostatic union, schism between the Oriental Orthodox Church and the rest of Christendom...

Very complex philosophical problem having huge repercussions: e.g. the world map.

SLIDE 8

Security: a Counter-Intuitive Science

  • Si vis pacem, para bellum (security in IT is very different from security in civil engineering). “Strategy: The Logic of War and Peace” (E.N. Luttwak).
    ⇒ Greek wiretapping scandal (2006).
  • It is against the nature of the engineer’s mind: Programming Satan’s Computer [Anderson and Needham, 1995]!
  • System complexity is the Achilles’ heel: e.g. password on mobile phones (with gyroscope sensors)...
  • Every security solution is a trade-off.

SLIDE 20

Potter vs Hacker: Harry’s War

Who
Tool     Magic wand           Computer, Internet
Method   Magic formula        Credit card number
Power    Experience/Mastery   Bank account
Vector   Goblin, dwarf        UPS/FedEx employee, drones?

I.T. is literally like magic: it possesses all its features.

SLIDE 21

A scientific Approach to Privacy and IT

It is not magic, it is computer science (and communications)! On top of that, privacy issues embrace almost every aspect of computer science, from deep theory to the smallest technical/material details.

The aim of the course is to give a broad overview of the scientific aspects of privacy in computer science.
⇒ It is an entry point to the subject.

Some basic definitions are still active objects of research: defining “Privacy” properly is not trivial.

SLIDE 22

Course’s Roadmap

1 Cryptography is not enough. Hard limits.
2 Privacy/Identity from a traditional cryptographic point of view. (Cryptography)
3 Non-interference and programming. (Programming Languages)
4 Zero-Knowledge proofs. (Mathematics)
5 Formal Approaches. (Logics)

SLIDE 23

Cryptography is not Enough

Plan

1 Cryptography is not Enough
    Enigma Cryptanalysis
    Naive Anonymization Just doesn’t Work

2 Information Theory
    Cryptology: [Shannon, 1949]
    Information theoretic studies of cryptosystems
    Entropy of passwords

3 Conclusion

SLIDE 30

Cryptography is not Enough: you can run but you can’t hide

The dreamt world of mathematicians vs. the harsh reality.

  • Implementation details do matter.
  • Usage protocol does matter.
  • Psychology does matter.
  • System complexity does matter.
  • Sheer luck can matter...

⇒ Empirical proof: Snowden’s revelations about NSA’s practices...

SLIDE 32

Cryptography is not Enough Enigma Cryptanalysis

Enigma Cryptanalysis

  • Real-life, extreme example of the difficulty of information security during WWII. Historians estimate the effect as a 1 to 2 year shortening of the war (literally millions of lives).
  • First mechanization of cryptanalysis: shift from linguistics to mathematics. First use of computers!
  • A. Turing, father of computer science, heavily involved.
  • Exemplary in the multiple ways used to break the “unbreakable”.
    ⇒ Think outside the box!

SLIDE 33

Enigma Machine

SLIDE 34

Permutations with Rotors Schematically

[Figure: rotor wiring drawn as a permutation of the letters A to F onto the letters A to F]

SLIDE 35

Enigma Schematically

[Figure: Enigma wiring drawn schematically on the letters A to F]

SLIDE 36

Protocol for the Use of Enigma

Book of keys:

Date   Rotor       Initialization   Plugboard
12     I II III    REZ              FD IZ LP MN TA SY
13     II V I      KXU              AN GZ ID LW MF UY
14     IV II III   WGT              ET IL MO NS WH BQ
15     II I V      AQR              UI YS AN MJ VB EH
...    ...         ...              ...

A key gives the initial configuration of the machine. Once the machine is set, the operator sent three letters in order to initiate a session key (to avoid repetitions). This group of three letters was repeated twice.

SLIDE 37

Some Numbers on Enigma

  • Each rotor is a permutation on 26: $26^3 = 17576$
  • 3 among 5 rotors: $5!/(3!\,2!) = 10$
  • Plugboard, 6 wires: $\prod_{k=0}^{5} \frac{(26-2k)!}{2 \times (26-4k)!} = 72282089880000$
  • Number of Enigma settings: $76 \times 10^{18}$
  • Age of the universe in seconds: $4.3 \times 10^{17}$

Enigma’s strength is due to the combination of avoiding repetitions (rotor mechanism) and a huge key space (plugboard). Even with a copy of the machine it is intractable.

SLIDE 43

Enigma Weaknesses

Internal weaknesses (algorithm weakness):

  • Only involutive substitutions are implemented: from $26! \simeq 403 \times 10^{24}$ to $533 \times 10^{12}$ (that is a $7.5 \times 10^{11}$ reduction!!).
  • Because of the reflector a letter can never be encoded by itself.
    ⇒ Sometimes, to test communication lines, the Germans sent large texts only made of “T’s”.
    ⇒ crib technique developed by Turing.

External weaknesses (protocol use):

  • The Germans forbade the use of the same rotor at the same place for two consecutive days.
  • Repetition of the session key at the start of the message.
  • Some messages had a predictable structure: typically the Luftwaffe’s 6:00 am meteorological messages.
  • Operator’s bias: always the same three settings (surname of his fiancée...)
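The two internal weaknesses above, as an added example that is not part of the original slides: a toy one-rotor machine with a reflector, showing that every key press is a fixed-point-free involution, that an all-T test message leaks itself, and how that property rules out crib positions. The rotor and reflector wiring and the message around the crib are constructed for this example (they are not historical tables or traffic).

```python
import string

ALPHA = string.ascii_uppercase
N = len(ALPHA)

# Toy wiring, constructed for this example (not historical rotor tables).
ROTOR = [(7 * i + 3) % N for i in range(N)]      # affine map: a permutation of 0..25
ROTOR_INV = [ROTOR.index(i) for i in range(N)]
REFLECTOR = [i ^ 1 for i in range(N)]            # swaps A-B, C-D, ...: no fixed point


def count_involutions(n):
    """Number of substitutions on n letters that are their own inverse."""
    a, b = 1, 1                                  # T(0), T(1)
    for k in range(2, n + 1):
        a, b = b, b + (k - 1) * a                # T(k) = T(k-1) + (k-1) * T(k-2)
    return b


def encipher_letter(c, pos):
    """One key press: rotor, reflector, rotor backwards, at rotor position pos."""
    x = (ALPHA.index(c) + pos) % N
    x = (ROTOR[x] - pos) % N
    x = REFLECTOR[x]                             # the reflector sends the signal back
    x = (x + pos) % N
    x = (ROTOR_INV[x] - pos) % N
    return ALPHA[x]


def encipher(text, start=0):
    """Encipher or decipher (same operation); the rotor steps before each letter."""
    return "".join(encipher_letter(c, (start + k + 1) % N)
                   for k, c in enumerate(text))


def crib_offsets(cipher, crib):
    """Offsets where the crib can sit: a letter is never enciphered to itself,
    so any offset where a crib letter meets the same cipher letter is ruled out."""
    width = len(crib)
    return [off for off in range(len(cipher) - width + 1)
            if all(p != c for p, c in zip(crib, cipher[off:off + width]))]


# Constructed traffic: the crib from the slides inside a longer made-up message.
CRIB = "WETTERUEBERSICHT"
PLAIN = "ANXALLEXSTATIONENX" + CRIB + "XNULLSECHSNULLNULL"
CIPHER = encipher(PLAIN, start=5)


def demo():
    """Return the surviving crib offsets and the encipherment of an all-T line test."""
    return crib_offsets(CIPHER, CRIB), encipher("T" * 60, start=5)


if __name__ == "__main__":
    offsets, line_test = demo()
    print("involutions on 26 letters:", count_involutions(26))
    print("true crib offset:", PLAIN.index(CRIB), "surviving offsets:", offsets)
    print("all-T test contains T:", "T" in line_test)
```

The true offset always survives the filter; how many false offsets remain depends on the traffic, which is why longer cribs were more useful.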

SLIDE 47

Marian Rejewski: First Attempts

  • Through espionage the French had a copy of the Enigma machine, given to the Poles (30’s).
  • Marian Rejewski was a young Polish mathematician who found a way to exploit the protocol weakness of the Germans (repetition of the session key).
    ⇒ The first and fourth letters are the same ones.
  • Using all the messages sent in one day it is easy to construct a corresponding alphabet like:

    First Letter    ABCDEFGHIJKLMNOPQRSTUVWXYZ
    Fourth Letter   XFEARBSLHQIGCVDZWKMNJUOYTP

  • This table is independent from the plugboard.

SLIDE 51

Rejewski’s cycles

Given a corresponding alphabet one can factor it into cycles. For instance in

    First Letter    ABCDEFGHIJKLMNOPQRSTUVWXYZ
    Fourth Letter   XFEARBSLHQIGCVDZWKMNJUOYTP

one can make the cycles

    A → X → Y → T → N → V → U → J → Q → W → O → D → A
    B → F → B
    C → E → R → K → I → H → L → G → S → M → C
    P → Z → P

It turns out that this decomposition in cycles is unique to the original setting of the rotors (like a DNA code for it).
⇒ Just make a big book with all combinations! ($26^3 \times 10$)

It is not over: the plugboard? (Easy to crack by hand. Can you find out how?)
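Rejewski's cycles worked through in code, as an added example that is not part of the original slides: it builds the first/fourth-letter table from doubled indicators, factors it into cycles, and checks that the cycle lengths survive a plugboard. The indicator list is constructed from the slide's table, and the plugboard pairs are the day-12 row of the book of keys shown earlier.

```python
import string

ALPHA = string.ascii_uppercase

# Correspondence table from the slide: first letter -> fourth letter.
FOURTH = "XFEARBSLHQIGCVDZWKMNJUOYTP"

# Constructed day of traffic: six-letter enciphered indicators whose letters
# 1 and 4 follow the slide's table; the other four letters are filler.
INDICATORS = [f"{a}QW{b}ER" for a, b in zip(ALPHA, FOURTH)] + ["AZZXZZ"]


def table_from_indicators(indicators):
    """Build the first->fourth letter map from a day's doubled indicators."""
    table = {}
    for ind in indicators:
        first, fourth = ind[0], ind[3]
        if table.setdefault(first, fourth) != fourth:
            raise ValueError(f"inconsistent traffic for first letter {first}")
    if len(table) != len(ALPHA):
        raise ValueError("not enough traffic: some first letters never seen")
    return table


def cycles(perm):
    """Factor a permutation (dict letter -> letter) into disjoint cycles."""
    seen, out = set(), []
    for start in sorted(perm):
        cyc, x = [], start
        while x not in seen:
            seen.add(x)
            cyc.append(x)
            x = perm[x]
        if cyc:
            out.append("".join(cyc))
    return out


def signature(perm):
    """Cycle lengths, longest first: the entry looked up in the 'big book'."""
    return tuple(sorted((len(c) for c in cycles(perm)), reverse=True))


def plugboard(pairs):
    """Involution that swaps each cabled pair and leaves other letters alone."""
    s = {c: c for c in ALPHA}
    for a, b in pairs.split():
        s[a], s[b] = b, a
    return s


def conjugate(perm, s):
    """Table seen on the wire when plugboard s wraps the rotor permutation.
    s is its own inverse, so the observed map is x -> s(perm(s(x)))."""
    return {x: s[perm[s[x]]] for x in ALPHA}


if __name__ == "__main__":
    table = table_from_indicators(INDICATORS)
    print(cycles(table), signature(table))
    plugged = conjugate(table, plugboard("FD IZ LP MN TA SY"))
    print(cycles(plugged), signature(plugged))
```

The letters inside the cycles change once the plugboard is applied, but the lengths do not, so the catalogue only has to cover rotor orders and positions.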

SLIDE 54

Cryptanalysis Automated: A. Turing at Bletchley Park

  • In May 1937 the Germans changed their protocols and Rejewski’s attack was no longer possible.
  • Turing noted a similarity between messages: clear text attack. Famous example: wetter in the message of the meteorological site. Called “cribs”, it can lead to an attack.

Suppose you know that the message starts with: WETTERUEBERSICHTNULLSECHSNULLNULL

Consider the ciphertext:

    W E T T E R U E B E R S I C H T
    E R G H W T S S K J F E G L A W

There is a cycle $W \xrightarrow{0} E \xrightarrow{1} R \xrightarrow{4} T \xrightarrow{16} W$

SLIDE 55

Cryptanalysis Bombe (schema)

How to automatically discover those cycles? We can try to work on 4 machines in parallel. By linking them together and setting them correctly, following the crib, we can close an electrical circuit:

SLIDE 56

Turing’s Cryptanalysis Bombe

SLIDE 60

Information War

  • War actions were made to make the Germans communicate.
    ⇒ indeed the Allies knew how geographic data were encoded (standard espionage).
  • The Allies knew where the U-boats were; they could have destroyed them all at once... but the Germans would have switched their cryptosystems. How to use the information?

SLIDE 66

Conclusion

The mathematics of the cryptosystem is just one parameter among others:
  • espionage,
  • protocol applications,
  • practical implementations,
  • sheer luck,...

No such thing as coincidence...


slide-67
SLIDE 67

Cryptography is not Enough Naive Anonymization Just doesn’t Work

Plan

1. Cryptography is not Enough
   • Enigma Cryptanalysis
   • Naive Anonymization Just doesn’t Work
2. Information Theory Cryptology: [Shannon, 1949]
   • Information theoretic studies of cryptosystems
   • Entropy of passwords
3. Conclusion

slide-69
SLIDE 69

Cryptography is not Enough Naive Anonymization Just doesn’t Work

Practical Case of de-Anonymization: Netflix

Striking results [Narayanan and Shmatikov, 2009].
Netflix publishes a subset of its customer data: the aim is to produce useful suggestions for pay-per-view movies.

Users     Movies/marks           Movies/marks hidden
456789    87/4, 998/2, 687/4     954/2, 486/4
654953    45/3, 743/3, 486/4     687/3, 45/4
...

Data are simply anonymized by replacing the real name with a random number.
Results: 99% correct de-anonymization for more than 8 marks (84% if one forgets about the date when the mark was set, if non-mainstream movies are seen).
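The weakness of replacing names by random numbers can be measured before a release. The following is an added example, not part of the original slides: for each pseudonymous record it computes the smallest anonymity set left when m of its (movie, mark) pairs are known, then shows the effect of suppressing rarely rated movies. The data set, the function names and the suppression threshold are assumptions made for the illustration.

```python
from itertools import combinations

# Constructed sample release (not Netflix data): pseudonym -> {movie_id: mark}.
# Names have been replaced by random numbers, as on the slide.
RELEASE = {
    456789: {1: 4, 2: 5, 3: 3, 101: 2},
    654953: {1: 4, 2: 5, 3: 3, 102: 5},
    111222: {1: 4, 2: 5, 3: 3},
    333444: {1: 4, 2: 5, 3: 3},
    555666: {1: 2, 2: 5, 3: 3, 103: 1},
    777888: {1: 2, 2: 5, 3: 3},
}


def anonymity_set(release, known):
    """Pseudonyms whose record contains every (movie, mark) pair in `known`."""
    return {uid for uid, marks in release.items()
            if all(marks.get(movie) == mark for movie, mark in known)}


def worst_case_k(release, m):
    """Smallest anonymity set per record when any m of its own pairs are known."""
    result = {}
    for uid, marks in release.items():
        pairs = sorted(marks.items())
        size = min(m, len(pairs))          # short records: use all their pairs
        result[uid] = min(len(anonymity_set(release, subset))
                          for subset in combinations(pairs, size))
    return result


def fraction_unique(release, m):
    """Share of records that some choice of m known pairs singles out (k = 1)."""
    ks = worst_case_k(release, m)
    return sum(1 for k in ks.values() if k == 1) / len(ks)


def suppress_rare(release, min_raters):
    """Mitigation sketch: drop every movie rated by fewer than `min_raters` users."""
    raters = {}
    for marks in release.values():
        for movie in marks:
            raters[movie] = raters.get(movie, 0) + 1
    return {uid: {mv: mk for mv, mk in marks.items() if raters[mv] >= min_raters}
            for uid, marks in release.items()}


if __name__ == "__main__":
    print("k per record, 1 known mark:", worst_case_k(RELEASE, 1))
    print("unique records:", fraction_unique(RELEASE, 1))
    coarse = suppress_rare(RELEASE, 2)
    print("after suppression:", worst_case_k(coarse, 1))
```

In this constructed data a single mark on a rarely rated movie isolates half of the records, which matches the slide's remark about non-mainstream movies; suppression raises the worst case to k = 2 at the cost of utility.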

slide-71
SLIDE 71

Cryptography is not Enough Naive Anonymization Just doesn’t Work

Social Data Anonymization: Dimensions and Principles

Problem more down to earth than non-interference:
  • Partial knowledge of the graph by the opponent.
  • Active attacker (embedding fake subgraphs to re-identify them).
  • Objects of interest vary from one data set to another.

Hence three important points to consider:
  1. Background knowledge: what does the opponent know? Model of the opponent.
  2. Privacy: what is attacked?
  3. Usage: how is the data going to be analyzed?

⟹ Anonymizing techniques

slide-75
SLIDE 75

Cryptography is not Enough Naive Anonymization Just doesn’t Work

Social Data Anonymization: Techniques

Two families:
  • Clustering: group together edges and nodes.
  • k-anonymity (and l-diversity): there should be at least k-1 other candidates with similar features.

Let us focus on the k-anonymity approach: the problem amounts to creating $G'$ such that $G' = G_1 \oplus G_2 \oplus \dots \oplus G_k$, where the $G_i$ are isomorphic graphs.
It is NP-hard to find graph transformations minimizing the editing distance between a graph and a k-isomorphic graph.
One attempt: select 1/k nodes randomly, create k clones, link the clones together, e.g. with categorical graph transformation approaches.

slide-78
SLIDE 78

Information Theory Cryptology: [Shannon, 1949]

IT and Privacy : Art or Science ?

Computer science: art or science? “The Art of Computer Programming”, D.E. Knuth.
Basic issue in privacy: how do you study the strength of a cryptosystem?
  • Computational security.
  • Provable security.
  • Unconditional security.

Which attacks are considered?
  • Cyphertext only? Plaintext attack? Partial plaintext? etc.

slide-81
SLIDE 81

Information Theory Cryptology: [Shannon, 1949]

Information Theory 101

First things first: What is information?
⟹ Ultimately it can be seen as the way to reduce uncertainty.
Pioneer work of C.E. Shannon:
  • “A Mathematical Theory of Communication”, The Bell System Technical Journal, vol. 27, 1948.
  • “Communication Theory of Secrecy Systems”, The Bell System Technical Journal, vol. 28, 1949.
It is a study of probability theory. More precisely, how a probability distribution is affected by some hypotheses.

slide-85
SLIDE 85

Information Theory Cryptology: [Shannon, 1949]

Discrete Probabilities

Discrete random variable: $X$
Probability distribution: $P$ s.t. $\sum_{i \in I} \Pr_P[X = x_i] = 1$
Joint probability: $\Pr_{P,Q}[X = x, Y = y]$
Conditional probability: $\Pr_{P,Q}[X = x \mid Y = y]$

$$\Pr_{P,Q}[x, y] = \Pr_{P,Q}[x \mid y]\,\Pr_Q[y] = \Pr_{Q,P}[y \mid x]\,\Pr_P[x]$$

Theorem (Bayes' theorem): if $\Pr_P[y] > 0$ then

$$\Pr_{P,Q}[x \mid y] = \frac{\Pr_P[x]\,\Pr_{Q,P}[y \mid x]}{\Pr_Q[y]}$$

slide-88
SLIDE 88

Information Theory Cryptology: [Shannon, 1949] Information theoretic studies of cryptosystems

Perfect Secrecy

How to prove unconditional strength for a cryptosystem?
Formal definition of a cryptosystem:

Definition (cryptosystem): $(T, C, K, E, \Delta)$ with:
  • $T$: clear Texts.
  • $C$: Cyphers.
  • $K$: Keys.
  • $\forall k \in K$ there is $e_k \in E$ and $d_k \in \Delta$ such that $e_k : T \to C$, $d_k : C \to T$ and $\forall x \in T$, one has $d_k(e_k(x)) = x$.

slide-92
SLIDE 92

Information Theory Cryptology: [Shannon, 1949] Information theoretic studies of cryptosystems

Secrecy and Probabilities

Plaintext: $X$ following $P$. Key: $K$ following equiprobable distribution.
Since the key is usually chosen before encryption, it is fair to assume $K$ and $X$ are independent random variables.
The probability of cyphertexts can be computed from $K$ and $X$:

$$C(K) = \{ e_K(x) \mid x \in T \}$$

$$\Pr_P[Y = y] = \sum_{\{K \mid y \in C(K)\}} \Pr_K[K = K]\,\Pr_P[x = d_K(y)]$$

$$\Pr_P[y = y \mid x = x] = \sum_{\{K \mid x = d_K(y)\}} \Pr_K[K = K]$$

By Bayes' theorem

$$\Pr_P[x = x \mid y = y] = \frac{\Pr_P[x = x] \times \sum_{\{K \mid x = d_K(y)\}} \Pr_K[K = K]}{\sum_{\{K \mid y \in C(K)\}} \Pr_K[K = K]\,\Pr_P[x = d_K(y)]}$$


slide-93
SLIDE 93

Information Theory Cryptology: [Shannon, 1949] Information theoretic studies of cryptosystems

Defining Perfect Secrecy

Definition (Perfect Secrecy): A cryptosystem has perfect secrecy if:

$$\Pr[x \mid y] = \Pr[x]$$

In other words, if the a posteriori probability that the plaintext is x, given the cypher y, is identical to the a priori probability that the plaintext is x.
One-time pad can be proven to achieve perfect secrecy.
Shannon’s perfect secrecy theorem: The cryptosystem has perfect secrecy if and only if
  • each key is used with equal probability $1/|K|$,
  • for every plaintext x and ciphertext y, there is a unique key k such that $e_k(x) = y$.

slide-96
SLIDE 96

Information Theory Cryptology: [Shannon, 1949] Information theoretic studies of cryptosystems

Entropy

What if the key is used for more than one encryption?
Entropy is a mathematical measure of information or uncertainty.
⟹ Computed as a function of the probability distribution.
Suppose $X$ follows $P$: what is learnt through experiments following $P$?
⟹ This is the entropy of $X$: $H(X)$.
Imagine a mind game: guess a word while its letters are given one by one.

slide-97
SLIDE 97

Information Theory Cryptology: [Shannon, 1949] Information theoretic studies of cryptosystems

Entropy definition

Definition (Entropy): Let $X$ follow $P$, then

$$H(X) = -\sum_{x \in X} \Pr_P[X = x] \log_2(\Pr_P[X = x])$$

The log is undefined for 0, but the limit is 0... so it is ok in the sum. The choice of the base of the log is arbitrary.
Many applications to cryptosystems, e.g.:

Theorem: Consider the cryptosystem $(T, C, K, E, \Delta)$:

$$H(K \mid C) = H(K) + H(P) - H(C)$$
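The perfect secrecy definition and the theorem above can both be checked by brute force on a small cryptosystem. The following is an added example, not part of the original slides: it builds the joint distribution of plaintext, key and ciphertext, applies Bayes' theorem to get Pr[x | y], and evaluates both sides of H(K | C) = H(K) + H(P) − H(C). The shift cipher over Z_3, the plaintext distribution, the biased key and the key-reuse variant are assumptions chosen for the illustration.

```python
from fractions import Fraction
from itertools import product
from math import isclose, log2


def joint(plain, keys, enc):
    """Pr[x, k, y] for independent plaintext X and key K, with y = e_k(x)."""
    return {(x, k, enc(k, x)): px * pk
            for (x, px), (k, pk) in product(plain.items(), keys.items())}


def marginal(dist, *positions):
    """Sum the joint distribution down to the chosen coordinates."""
    out = {}
    for event, p in dist.items():
        kept = tuple(event[i] for i in positions)
        out[kept] = out.get(kept, 0) + p
    return out


def posterior(dist):
    """Pr[x | y] by Bayes' theorem for every ciphertext y with Pr[y] > 0."""
    p_xy, p_y = marginal(dist, 0, 2), marginal(dist, 2)
    return {(x, y): p / p_y[(y,)] for (x, y), p in p_xy.items()}


def has_perfect_secrecy(plain, keys, enc):
    """True iff Pr[x | y] = Pr[x] for all x and all reachable y (exact test)."""
    dist = joint(plain, keys, enc)
    post = posterior(dist)
    return all(post.get((x, y), 0) == px
               for x, px in plain.items() for (y,) in marginal(dist, 2))


def entropy(dist):
    """H = -sum p log2 p; zero-probability events contribute 0 (the limit)."""
    return -sum(float(p) * log2(float(p)) for p in dist.values() if p > 0)


def key_equivocation(plain, keys, enc):
    """Return (H(K|C), H(K) + H(P) - H(C)); the theorem says they are equal."""
    dist = joint(plain, keys, enc)
    h_c = entropy(marginal(dist, 2))
    h_k_given_c = entropy(marginal(dist, 1, 2)) - h_c      # H(K,C) - H(C)
    return h_k_given_c, entropy(keys) + entropy(plain) - h_c


# Toy systems over Z_3 (assumptions of this example, not taken from the slides).
N = 3
PLAIN = {0: Fraction(1, 2), 1: Fraction(3, 10), 2: Fraction(1, 5)}
UNIFORM_KEY = {k: Fraction(1, N) for k in range(N)}
BIASED_KEY = {0: Fraction(1, 2), 1: Fraction(1, 4), 2: Fraction(1, 4)}
PLAIN_PAIRS = {(a, b): PLAIN[a] * PLAIN[b] for a in PLAIN for b in PLAIN}


def shift(k, x):
    """One symbol, one fresh key: a one-time pad over Z_3."""
    return (x + k) % N


def shift_reused(k, pair):
    """The same key applied to two symbols: the key is used twice."""
    return (shift(k, pair[0]), shift(k, pair[1]))


if __name__ == "__main__":
    for name, plain, keys, enc in [
        ("one-time pad", PLAIN, UNIFORM_KEY, shift),
        ("biased key", PLAIN, BIASED_KEY, shift),
        ("key reused", PLAIN_PAIRS, UNIFORM_KEY, shift_reused),
    ]:
        lhs, rhs = key_equivocation(plain, keys, enc)
        print(f"{name:13s} perfect={has_perfect_secrecy(plain, keys, enc)} "
              f"H(K|C)={lhs:.4f} H(K)+H(P)-H(C)={rhs:.4f}")
```

Only the first system has perfect secrecy; the theorem holds for all three, and reusing the key lowers H(K | C), which is the question the Entropy slide opens with.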

slide-100
SLIDE 100

Information Theory Cryptology: [Shannon, 1949] Entropy of passwords

How to Choose a Password ?

By far the most used technology of access control.
Problems linked to the number of passwords to manage (reuse?).
A lot of advice is available on how to build a “secure” password.
Information theory can help us to scientifically assess whether a password is good.
⟹ The problem is to find one that is not too short, but not too long and difficult to remember.
In real life:
  • Building of a dictionary by a scan of the hard drive (50% success rate).
  • Using a password manager is a good compromise.


slide-101
SLIDE 101

Information Theory Cryptology: [Shannon, 1949] Entropy of passwords

Brute Force Attack and the Age of the Universe

The problem is reduced to the exhaustive search. If you enumerate the possible passwords it amounts to checking integers.
Suppose you can check $10^{15}$ passwords per second. Suppose that Google or the NSA can devote 1000 computers to the search: $10^{18}$ passwords per second.
We have the following timetable:

size in bits    execution time
56              less than 1 sec
64              18 sec
128             1.07 × 10^13 years
256             3.65 × 10^51 years
512             4.25 × 10^128 years

For your information, the age of the universe is estimated at 13.7 × 10^9 years.

slide-104
SLIDE 104

Information Theory Cryptology: [Shannon, 1949] Entropy of passwords

Landauer’s Principle

What if the NSA has a super computer that is really, really fast?
It has to follow the laws of physics: the minimal energy expenditure at temperature T is given by

$$\Delta E \geq kT \log(2) \quad \text{where } k = 1.38 \times 10^{-23}\ \mathrm{J/K}$$

To enumerate all integers on 128 bits requires $10^{18}$ ≃ 30 gigaWatts/year, which is equivalent to 267 teraWatts/hour, roughly half the electrical power in France.
There is not enough energy in the visible space to enumerate all integers on 256 bits.
⟹ More than a hundred bits of entropy is overkill.


slide-105
SLIDE 105

Information Theory Cryptology: [Shannon, 1949] Entropy of passwords

Measuring the Strength of a Password

The idea is to measure the entropy associated to a password.
Under an equiprobable probability distribution, in a set of size n the entropy of an element picked is log(n).
With N symbols and a password of length L, there are $N^L$ possible passwords, hence $\log(N^L) = L \log(N)$.

Symbols                  Entropy per symbol
0-9                      3.32
0-9+’A’-’F’              4
’a’-’z’                  4.7
0-9+’a’-’z’              5.1
’A’-’Z’+’a’-’z’          5.7
0-9+’a’-’z’+’A’-’Z’      5.9
ASCII writable           6.56

Spanish dictionary size 100000, hence 16 entropy bits per word.
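The entropy table, the brute-force timetable and the Landauer bound from the preceding slides can be tied together in a few functions. The following is an added example, not part of the original slides: it computes how many symbols each alphabet needs to reach a target entropy, the exhaustive-search time at the slide's 10^18 guesses per second, and the energy lower bound. The alphabet sizes (95 for writable ASCII in particular), the 300 K temperature and the skewed distribution are assumptions of the example.

```python
from math import ceil, log, log2

BOLTZMANN = 1.38e-23          # J/K, the value of k given on the slide
GUESSES_PER_SECOND = 1e18     # the slide's 1000 machines at 10^15 each
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def shannon_entropy(probabilities):
    """H = -sum p log2 p in bits; terms with p = 0 contribute nothing."""
    return -sum(p * log2(p) for p in probabilities if p > 0)


def uniform_bits(symbols, length=1):
    """Entropy L * log2(N) of `length` symbols drawn uniformly from N."""
    return length * log2(symbols)


def min_length(symbols, target_bits):
    """Shortest uniformly random password reaching `target_bits` of entropy."""
    return ceil(target_bits / log2(symbols))


def exhaustive_search_seconds(bits, rate=GUESSES_PER_SECOND):
    """Time to enumerate all 2**bits candidates at `rate` guesses per second."""
    return 2 ** bits / rate


def landauer_joules(bits, temperature_kelvin=300.0):
    """Lower bound 2**bits * k * T * ln 2; 300 K is an assumption of this example."""
    return 2 ** bits * BOLTZMANN * temperature_kelvin * log(2)


ALPHABETS = {          # symbol sets from the slide's table; sizes are inferred
    "0-9": 10, "0-9+A-F": 16, "a-z": 26, "0-9+a-z": 36,
    "A-Z+a-z": 52, "0-9+a-z+A-Z": 62, "printable ASCII": 95,
    "word from a 100000-word dictionary": 100_000,
}


def length_table(target_bits=100):
    """Symbols (or words) needed per alphabet to reach `target_bits`."""
    return {name: min_length(n, target_bits) for name, n in ALPHABETS.items()}


# Constructed distribution: four candidate passwords, one strongly preferred.
# It shows why log2(n) is only an upper bound once the choice is not uniform.
SKEWED = [0.7, 0.1, 0.1, 0.1]

if __name__ == "__main__":
    for name, n in ALPHABETS.items():
        print(f"{name:36s} {uniform_bits(n):5.2f} bits/symbol, "
              f"{min_length(n, 100):3d} symbols for 100 bits")
    for bits in (56, 64, 128, 256, 512):
        years = exhaustive_search_seconds(bits) / SECONDS_PER_YEAR
        print(f"{bits:3d} bits: {years:.3g} years")
    print(f"Landauer bound, 128 bits: {landauer_joules(128):.3g} J")
    print(f"skewed choice among 4: {shannon_entropy(SKEWED):.2f} bits (uniform: 2)")
```

The L log(N) figure only applies when every symbol is drawn uniformly at random; the skewed case shows the entropy dropping below log2(n) as soon as some choices are more likely than others.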

slide-112
SLIDE 112

Conclusion

Conclusion

Privacy is complicated:
  • Philosophically/Conceptually.
  • Concretely.
  • Technologically.
  • Scientifically.

Security requires a proper mindset that is usually not the one developed in the usual curriculum.
Information theory is just one side of the story: how does it help to write a “safe” program?


slide-113
SLIDE 113

Conclusion

Bibliography I

Anderson, R. J. and Needham, R. M. (1995). Programming Satan’s computer. In Computer Science Today: Recent Trends and Developments, pages 426–440. Springer.
Anderson, R. (2008). Security Engineering: A Guide to Building Dependable Distributed Systems. Wiley.
Narayanan, A. and Shmatikov, V. (2009). De-anonymizing social networks. In 30th IEEE Symposium on Security and Privacy (S&P 2009), 17-20 May 2009, Oakland, California, USA, pages 173–187.


slide-114
SLIDE 114

Conclusion

Bibliography II

Schneier, B. (1996). Applied Cryptography: Protocols, Algorithms, and Source Code in C. Wiley.
Shannon, C. (1948). A mathematical theory of communication. Bell System Technical Journal, 27:379–423, 623–656.
Shannon, C. (1949). Communication theory of secrecy systems. Bell System Technical Journal, 28:656–715.
Singh, S. (2000). The Code Book: The Science of Secrecy from Ancient Egypt to Quantum Cryptography. Anchor.


slide-115
SLIDE 115

Conclusion

Bibliography III

Stinson, D. (2005). Cryptography: Theory and Practice. Chapman and Hall/CRC, third edition.
