2. Encryption and Decryption

Sujeet Shenoi

Center for Information Security

Department of Computer Science

University of Tulsa, Tulsa, OK 74104

[email protected]


Page 2: 2.  Encryption and Decryption

2. Encryption & Decryption

Message

• Sender, Receiver, Transmission Medium

• Plaintext (P), Ciphertext (C)

• Interceptor/Intruder

– Block message (Interruption)

– Access message (Interception)

– Modify message (Modification)

– Fabricate message (Fabrication)

Page 3: 2.  Encryption and Decryption

Fundamentals

Cryptography

• Using encryption to conceal plaintext

Cryptanalysis

• Unauthorized “code breaking”

Cryptology

• Cryptography and Cryptanalysis

Page 4: 2.  Encryption and Decryption

Fundamentals (contd.)

Cryptanalysis

• Ciphertext Only Attack (only ciphertext is known)

• Known Plaintext Attack (full plaintext is known)

• Probable Plaintext Attack (some plaintext is known)

• Chosen Plaintext Attack (sender’s process is known)

• Chosen Ciphertext Attack (algorithm and ciphertext are known)

Page 5: 2.  Encryption and Decryption

Basic Encryption/Decryption

Key-Based Ciphers

• Provide more security (than Keyless Ciphers)

• Encryption Key (K_E); Decryption Key (K_D)

• C = {P}_{K_E}

• P = {C}_{K_D} = {{P}_{K_E}}_{K_D}

• Symmetric Encryption: K_E = K_D

• Asymmetric Encryption: K_E ≠ K_D

Page 6: 2.  Encryption and Decryption

Basic Cipher Types

• Substitution Ciphers

– Replace each char of plaintext with another char

• Transposition Ciphers

– Scramble or shuffle plaintext characters

Page 7: 2.  Encryption and Decryption

Substitution Ciphers

Monoalphabetic Ciphers

• Single alphabet is used for substitution

• Caesar Cipher

– Plaintext Alphabet: A B C D E F … U V W X Y Z

– Ciphertext Alphabet: d e f g h i … x y z a b c

– Plaintext: WEATT ACKAT DAWNX

– Ciphertext: zhdww dfndw gdzqa

Page 8: 2.  Encryption and Decryption

Monoalphabetic Ciphers

• Key-Based Cipher

– Plaintext Alphabet: A B C D E F G H I … U V W X Y Z

– Ciphertext Alphabet: k e y a b c d f g … t u v w x z

• Substitution Cipher ( () = (3* ) mod 26 )

– Plaintext Alphabet: A B C D E F G H I … U V W X Y Z

– Ciphertext Alphabet: a d g j m p s v y … i l o r u x

Page 9: 2.  Encryption and Decryption

Monoalphabetic Ciphers (contd.)

Breaking Monoalphabetic Ciphers

• Frequency Distributions

– Each language has a characteristic distribution

– Index of Coincidence (English IC = 0.068)

– Computers make code breaking trivial

• Solution: “Flatten Frequency Distributions”

• Polyalphabetic Ciphers (multiple alphabets)
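
The three substitution alphabets from the slides (Caesar shift 3, keyword "key", multiply by 3 mod 26) and the reason frequency analysis works against all of them, as an added example that is not part of the original slides. The sample text and all function names are constructed for illustration.

```python
import string
from collections import Counter

UPPER = string.ascii_uppercase

def caesar_alphabet(shift=3):
    """Ciphertext alphabet for a Caesar shift (the slide uses a shift of 3)."""
    return "".join(UPPER[(i + shift) % 26] for i in range(26)).lower()

def keyword_alphabet(keyword):
    """Keyword letters first (duplicates dropped), then the unused letters in order."""
    return "".join(dict.fromkeys(keyword.upper() + UPPER)).lower()

def multiplicative_alphabet(m=3):
    """Letter number i (A=0) maps to letter (m * i) mod 26; m must be coprime to 26."""
    return "".join(UPPER[(m * i) % 26] for i in range(26)).lower()

def substitute(plaintext, cipher_alphabet):
    """Monoalphabetic substitution: upper-case plaintext in, lower-case ciphertext out."""
    return plaintext.upper().translate(str.maketrans(UPPER, cipher_alphabet))

def index_of_coincidence(text):
    """Probability that two letters drawn at random from the text are equal."""
    letters = [c for c in text.upper() if c in UPPER]
    n = len(letters)
    return sum(f * (f - 1) for f in Counter(letters).values()) / (n * (n - 1))

def frequency_profile(text):
    """Sorted letter counts: the shape of the distribution, ignoring letter identity."""
    counts = Counter(c for c in text.upper() if c in UPPER)
    return sorted(counts.values(), reverse=True)

# Constructed sample text; spaces pass through, only letters are substituted.
SAMPLE = "IT WAS THE BEST OF TIMES IT WAS THE WORST OF TIMES IT WAS THE AGE OF WISDOM"

if __name__ == "__main__":
    alphabets = {
        "caesar": caesar_alphabet(),
        "keyword": keyword_alphabet("key"),
        "multiplicative": multiplicative_alphabet(),
    }
    print("plaintext IC:", round(index_of_coincidence(SAMPLE), 4))
    for name, alphabet in alphabets.items():
        ciphertext = substitute(SAMPLE, alphabet)
        # Same IC and same profile every time: the cipher only relabels the letters.
        print(name, alphabet, round(index_of_coincidence(ciphertext), 4),
              frequency_profile(ciphertext)[:5])
```

Every monoalphabetic cipher leaves the index of coincidence and the sorted frequency profile unchanged, which is why a single alphabet cannot hide the language's characteristic distribution.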

Page 10: 2.  Encryption and Decryption

Polyalphabetic Ciphers

• Multiple alphabets flatten distributions

– 26! possible alphabets

#Alphabets: 1 2 3 4 5 10

IC: 0.068 0.052 0.047 0.044 0.044 0.041 0.038

• Example

– T H I S I S A T E S T X X X X

1 2 3 1 2 3 1 2 3 1 2 3 1 2 3

– Choose 1 2 3 so that frequencies are flat

Page 11: 2.  Encryption and Decryption

Polyalphabetic Ciphers (contd.)

Vigenere Cipher

• Polyalphabetic cipher based on Vigenere Tableau

• 26 possible alphabets, each “keyed” by a letter

• Example

– Key: j u l i e t j u l i e t

– Plaintext: B U T S O F T W H A T L

– Ciphertext: k o e a s y c q s i ….

Page 12: 2.  Encryption and Decryption

Polyalphabetic Ciphers (contd.)

Breaking Polyalphabetic Ciphers: Kasiski’s Method

• K: dicke nsdic kensd icken sdick ensdi ckens dicke

• P: ITWAS THEBE STOFT IMESI TWAST HEWOR STOFT IMESI

• K: nsdic kensd icken sdick ensdi ckens dicke nsdic

• P: TWAST HEAGE OFWIS DOMIT WASTH EAGEO FFOOL ISHNE

• K: kensd icken sdick ensdi ckens dicke nsdic kensd

• P: SSITW ASTHE EPOCH OFBEL IEFIT WASTH EEPOC HOFIN

• Repeat positions: 20; 83 (dist: 63; factors: 3, 7, 9, 21, 63); 104 (dist: 21; factors: 3, 7, 21)
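
The Vigenere example and Kasiski's method from the two slides above, carried through in code as an added example that is not part of the original slides. It uses the slides' keys ("juliet", "dickens") and plaintext; the function names and the choice of 8-letter segments are assumptions made for illustration.

```python
from collections import defaultdict
from functools import reduce
from math import gcd

def vigenere_encrypt(plaintext, key):
    """Add the key letter (A=0 ... Z=25) to each plaintext letter, mod 26."""
    out = []
    for i, ch in enumerate(plaintext.upper()):
        shift = ord(key[i % len(key)].upper()) - ord("A")
        out.append(chr((ord(ch) - ord("A") + shift) % 26 + ord("a")))
    return "".join(out)

def repeated_segments(ciphertext, length):
    """Map every segment of `length` seen more than once to its 1-based positions."""
    positions = defaultdict(list)
    for i in range(len(ciphertext) - length + 1):
        positions[ciphertext[i:i + length]].append(i + 1)
    return {seg: pos for seg, pos in positions.items() if len(pos) > 1}

def kasiski_candidates(ciphertext, length):
    """Return (distances between successive repeats, factors > 1 common to all)."""
    distances = sorted({b - a
                        for pos in repeated_segments(ciphertext, length).values()
                        for a, b in zip(pos, pos[1:])})
    if not distances:
        return [], []
    g = reduce(gcd, distances)
    return distances, [f for f in range(2, g + 1) if g % f == 0]

# Plaintext from the slide, with the 5-letter grouping removed.
PLAINTEXT = ("ITWASTHEBESTOFTIMESITWASTHEWORSTOFTIMESITWASTHEAGEOFWISDOM"
             "ITWASTHEAGEOFFOOLISHNESSITWASTHEEPOCHOFBELIEFITWASTHEEPOCHOFIN")
CIPHERTEXT = vigenere_encrypt(PLAINTEXT, "dickens")

if __name__ == "__main__":
    print(vigenere_encrypt("BUTSOFTWHATL", "juliet"))
    for segment, where in repeated_segments(CIPHERTEXT, 8).items():
        print(segment, where)
    # The key length is one of the common factors; "dickens" has 7 letters.
    print(kasiski_candidates(CIPHERTEXT, 8))
```

"ITWASTHE" occurs six times in the plaintext, but only the occurrences that line up with the same key letters (positions 20, 83 and 104) repeat in the ciphertext, so the distances are multiples of the key length.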

Page 13: 2.  Encryption and Decryption

Perfect Substitution Ciphers

Infinite non-repeating sequences of alphabets (Immunity to Kasiski’s Method)

• One-Time Pad

• Long Random Number Sequences

• Vernam Cipher (punched paper tape)

• Long Sequences (e.g., from Telephone Book)

Page 14: 2.  Encryption and Decryption

Perfect Ciphers (contd.)

• Dual Message Entrapment

– Key: disre gardt hisme ssage

– Message: THISM ESSAG EISCR UCIAL

Page 15: 2.  Encryption and Decryption

Transposition Ciphers

Columnar Transposition

• Example (c = 10)

T H I S I S A M E S

S A G E T O S H O W

H O W A T R A N S P

O S I T I O N C I P

H E R W O R K S X X

• Ciphertext

TSHOHHAOSEIGWIRSEATWITTIOSORORASANKMHNCSEOSIXSWPPX

Page 16: 2.  Encryption and Decryption

Transposition Ciphers (contd.)

Breaking Transposition Ciphers

• Common Digrams and Trigrams

• Digrams: EN, RE, ER, NT, TH, ON, IN, TE, AN, OR

• Trigrams: ENT, ION, AND, ING, IVE, TIO, FOR, OUR, THI, ONE

• Sliding Window Technique

TSH OHH AOSEIGWIRSEATWITTIOSORORASANKMHNCSEOSIXSWPPX

TSHO HHAO SEIGWIRSEATWITTIOSORORASANKMHNCSEOSIXSWPPX

TSHOH HAOSE IGWIRSEATWITTIOSORORASANKMHNCSEOSIXSWPPX

Page 17: 2.  Encryption and Decryption

Transposition Ciphers

Double Columnar Transposition

• Example (c1 = 10; c2 = 15)

• Ciphertext (First Transposition)

T S H O H H A O S E I G W I R

S E A T W I T T I O S O R O R

A S A N K M H N C S E O S I X

S W P P X E A O X Y Q S R D X

• Ciphertext (Second Transposition)

TSASSESWHAAPOTNPHWKXHIMEATHAOTNOSICXEOSYISEQGOOSWRSRIOIDRRXX

Page 18: 2.  Encryption and Decryption

Transposition Ciphers (contd.)

Breaking Double Transposition Ciphers

• Relationship between plaintext/ciphertext characters

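• p_i = c1_j, where j = r1*[(i-1) mod c1] + floor((i-1)/c1) + 1

• c1_i = c2_j, where j = r2*[(i-1) mod c2] + floor((i-1)/c2) + 1

(p_i: i-th plaintext character; c1_j, c2_j: j-th characters of the first and second ciphertexts; c1, c2: numbers of columns; r1, r2: numbers of rows)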

• Use digrams and trigrams to compute parameters (c1, r1, c2, r2)
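
The columnar and double columnar examples from the preceding slides, with the position relation above checked against them and the digram list used to recover the row count, as an added example that is not part of the original slides. The function names are assumptions; the plaintext, column counts, second-stage padding and digram list are copied from the slides.

```python
DIGRAMS = {"EN", "RE", "ER", "NT", "TH", "ON", "IN", "TE", "AN", "OR"}

def columnar_encrypt(text, cols, pad="X"):
    """Write the text row by row into `cols` columns, then read it column by column."""
    text += pad * (-len(text) % cols)
    return "".join(text[c::cols] for c in range(cols))

def columnar_decrypt(cipher, cols):
    """Inverse: each column holds len/cols characters, so step by the row count."""
    rows = len(cipher) // cols
    return "".join(cipher[r::rows] for r in range(rows))

def cipher_position(i, cols, rows):
    """1-based ciphertext position of plaintext character i (relation from the slide)."""
    return rows * ((i - 1) % cols) + (i - 1) // cols + 1

def mapping_holds(plain, cipher, cols):
    """Check p_i == c_j for every i, with j given by cipher_position()."""
    rows = len(cipher) // cols
    return all(plain[i - 1] == cipher[cipher_position(i, cols, rows) - 1]
               for i in range(1, len(plain) + 1))

def digram_score(cipher, rows):
    """Count common digrams formed by letters `rows` apart in the ciphertext."""
    return sum(cipher[i] + cipher[i + rows] in DIGRAMS
               for i in range(len(cipher) - rows))

def likely_rows(cipher):
    """Row count (a proper divisor of the length) with the best digram score."""
    candidates = [r for r in range(2, len(cipher)) if len(cipher) % r == 0]
    return max(candidates, key=lambda r: digram_score(cipher, r))

def double_decrypt(cipher, c1, c2, pad_len):
    """Undo the second transposition, drop its padding, undo the first."""
    first = columnar_decrypt(cipher, c2)
    return columnar_decrypt(first[:len(first) - pad_len], c1)

PLAIN = "THISISAMESSAGETOSHOWHOWATRANSPOSITIONCIPHERWORKS"
FIRST = columnar_encrypt(PLAIN, 10)                # c1 = 10, padded with XX
SLIDE_PAD = "EAOXYQSRDX"                           # filler used on the slide
SECOND = columnar_encrypt(FIRST + SLIDE_PAD, 15)   # c2 = 15

if __name__ == "__main__":
    print(FIRST)
    print(SECOND)
    print({r: digram_score(FIRST, r) for r in (2, 5, 10, 25)}, likely_rows(FIRST))
    print(double_decrypt(SECOND, 10, 15, len(SLIDE_PAD)))
```

Letters that were adjacent in a plaintext row end up exactly r positions apart in the ciphertext, so the row count that produces the most common digrams at that spacing exposes the grid dimensions.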

Page 19: 2.  Encryption and Decryption

Stream vs. Block Ciphers

Stream Ciphers (Convert p_i → c_i)

• Substitution Ciphers

– High Speed of Transformation

– Low Error Propagation

– Low Diffusion; High Confusion

– Susceptibility to Malicious Insertions

Block Ciphers (Convert P → C)

• Transposition Ciphers

– Low Speed of Transformation

– High Error Propagation

– High Diffusion; Low Confusion

– Immunity to Malicious Insertions

Page 20: 2.  Encryption and Decryption

Shannon Characteristics

Characteristics of “Good Ciphers” (1949)

• Amount of secrecy needed should determine the amount of effort needed for encryption and decryption (Principle of Timeliness)

• Keys and enciphering algorithm should be free from complexity

• Implementation should be as simple as possible

• Errors should not propagate and corrupt message

• Ciphertext Size Plaintext Size

Page 21: 2.  Encryption and Decryption

3. Secure Encryption Systems

Page 22: 2.  Encryption and Decryption

3. Secure Encryption Systems

• Modern techniques are based on “Hard Problems” (NP-Complete Problems)

• Involve heuristic search (2^n possibilities)

• Satisfiability

– Pick v1, v2, v3: Boolean such that (v1) (v2 v3) (¬ v3 ¬ v1) is True

• Knapsack

– Pick v1, v2, v3 in {0,1} such that v1*a1 + v2*a2 + v3*a3 = T (Target sum)

Page 23: 2.  Encryption and Decryption

Classes P, NP and EXP

Class P

Set of problems whose solutions run in time bounded by “polynomial functions” of the size of the problems

Class NP

Set of problems whose solutions run in time bounded by polynomial functions of the size of the problems “assuming the ability to guess perfectly”

Class EXP

Set of problems whose solutions run in time bounded by “exponential functions” of the size of the problems

Page 24: 2.  Encryption and Decryption

Classes P, NP and EXP (contd.)

Fundamental Result: P NP EXP

Is: P NP or P = NP ? Not known!

Some Comments

• NP-Complete problem does not guarantee that there is no solution easier than exponential

• Every NP-Complete problem has a solution that runs in time proportional to 2^n; feasible if n is small

• Non-determinism can be modeled by “threads”

• Interceptors may use other information to simplify the task of breaking the encryption

Page 25: 2.  Encryption and Decryption

Secret and Public Key Algorithms

Secret Key Algorithms (Symmetric)

• One key for encryption and decryption (K_E = K_D = K)

• C = {P}_K and P = {C}_K

• One key per channel (#keys = n*(n-1)/2)

Public Key Algorithms (Asymmetric)

• Separate keys for encryption and decryption (K_E ≠ K_D)

• C = {P}_{K_E} and P = {C}_{K_D}

• C = {P}_{K_D} and P = {C}_{K_E}

• Two keys per user (#keys = 2*n)

Page 26: 2.  Encryption and Decryption

Public Key Algorithms

Public Key Algorithms (Asymmetric)

• Key Pair: (K_A^priv, K_A^pub)

• K_A^priv: Private Key; K_A^pub: Public Key

• K_A^priv is kept secret by A

• K_A^pub is distributed widely by A

• A → Receiver: C = {P}_{K_A^priv} (and P = {C}_{K_A^pub})

• Sender → A: C = {P}_{K_A^pub} (and P = {C}_{K_A^priv})

Page 27: 2.  Encryption and Decryption

RSA (Public Key) Algorithm

Rivest-Shamir-Adleman (1978)

• Based on factoring large numbers (200 digits)

• Best factorization algorithm (known) is exponential

• Encryption key: (e, n); Decryption key: (d, n)

• C = P^e mod n; P = C^d mod n

• C = P^d mod n; P = C^e mod n

• RSA Mathematics

– n = p*q (p, q: 100 digit prime numbers) (n: 200 digits or 512 bits; 1024 bits max)

– d = e^-1 mod φ(n) (e: rel. prime to φ(n) = (p-1)*(q-1))
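
The RSA relations above worked through with toy numbers, covering both key directions from the public key slides and showing why the modulus must be too large to factor. This is an added example, not part of the original slides; p = 61, q = 53, e = 17 and the function names are constructed for illustration.

```python
from math import gcd, isqrt

def make_keypair(p, q, e):
    """Return ((e, n), (d, n)) with d = e^-1 mod phi(n), phi(n) = (p-1)*(q-1)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to phi(n)")
    return (e, n), (pow(e, -1, phi), n)

def apply_key(value, key):
    """value^exponent mod n; the same operation serves both keys."""
    exponent, n = key
    if not 0 <= value < n:
        raise ValueError("value must be in the range 0 .. n-1")
    return pow(value, exponent, n)

def private_from_public(public):
    """Rebuild (d, n) by factoring n with trial division.

    This finishes instantly only because the toy modulus is tiny; the security
    of RSA rests on this step being infeasible for a properly sized n.
    """
    e, n = public
    p = next(f for f in range(2, isqrt(n) + 1) if n % f == 0)
    q = n // p
    return pow(e, -1, (p - 1) * (q - 1)), n

# Constructed toy parameters; real primes are far larger.
PUBLIC, PRIVATE = make_keypair(61, 53, 17)

if __name__ == "__main__":
    message = 65
    # Confidentiality: encrypt with the public key, decrypt with the private key.
    c = apply_key(message, PUBLIC)
    print("C = P^e mod n:", c, "-> P = C^d mod n:", apply_key(c, PRIVATE))
    # Authentication: transform with the private key, check with the public key.
    s = apply_key(message, PRIVATE)
    print("C = P^d mod n:", s, "-> P = C^e mod n:", apply_key(s, PUBLIC))
    print("d recovered by factoring n:", private_from_public(PUBLIC))
```

Textbook RSA as shown here is deterministic and unpadded, so it illustrates the arithmetic only.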

Page 28: 2.  Encryption and Decryption

Cryptographic Hash Algorithms

• Hash function (f) produces “digest” of data/message

• S → R: m, f(m)

• R: computes f(m) & compares with f(m) received

• Difficult to “invert,” i.e., change m and f(m)

• XOR bits: 10101010 00101111 1 (Prob = 1/2)

• XOR bytes: 10101010 00101111 10000101 (Prob = 1/2^8)

• Most digests are between 100 and 1,000 bits

Page 29: 2.  Encryption and Decryption

Secure Hash Algorithm (SHA)

• Designed for Digital Signature Algorithm (DSA)

• NIST (1992-1995)

• Input: 2^64 bits; Digest: 160 bits

• Operations: XOR, + mod 2^32, left circular shift(n,v)

• Algorithm: Non-linear function that interweaves bits

– Pad message: Multiple of 512 bits (msg 1 0…0 <64-bit length>) (512 bits = 16 32-bit words: W0 … W15)

– Expand to 80 words: W0 … W79

– Initialize 5 32-bit pattern constants: H0^0 … H5^0

– Perform 80-step 4-round diffusion algorithm: digest = H0^80 … H5^80
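
The steps listed above (pad, split into sixteen 32-bit words, expand to 80 words, 80 steps in 4 rounds) written out for SHA-1 and checked against Python's hashlib. This is an added example, not part of the original slides; it follows the 1995 SHA-1 revision, whose word expansion includes a one-bit rotation, and the function names are assumptions.

```python
import hashlib
import struct

MASK = 0xFFFFFFFF

def rotl(v, n):
    """Left circular shift of the 32-bit word v by n bits."""
    return ((v << n) | (v >> (32 - n))) & MASK

def pad(message):
    """msg || 1 bit || 0...0 || 64-bit length, giving a multiple of 512 bits."""
    padded = message + b"\x80"
    padded += b"\x00" * (-(len(padded) + 8) % 64)
    return padded + struct.pack(">Q", len(message) * 8)

def sha1(message):
    """Return the 160-bit digest of `message` (bytes) as a hex string."""
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0]
    data = pad(message)
    for off in range(0, len(data), 64):
        w = list(struct.unpack(">16I", data[off:off + 64]))     # W0 .. W15
        for t in range(16, 80):                                  # W16 .. W79
            w.append(rotl(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], 1))
        a, b, c, d, e = h
        for t in range(80):                                      # 4 rounds of 20 steps
            if t < 20:
                f, k = (b & c) | (~b & d), 0x5A827999
            elif t < 40:
                f, k = b ^ c ^ d, 0x6ED9EBA1
            elif t < 60:
                f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
            else:
                f, k = b ^ c ^ d, 0xCA62C1D6
            temp = (rotl(a, 5) + f + e + k + w[t]) & MASK        # + mod 2^32
            a, b, c, d, e = temp, a, rotl(b, 30), c, d
        h = [(x + y) & MASK for x, y in zip(h, (a, b, c, d, e))]
    return struct.pack(">5I", *h).hex()

def agrees_with_hashlib(message):
    """Compare this implementation with the standard library's SHA-1."""
    return sha1(message) == hashlib.sha1(message).hexdigest()

if __name__ == "__main__":
    # Lengths 55, 56 and 64 bytes sit on either side of the padding boundary.
    for sample in (b"", b"abc", b"a" * 55, b"a" * 56, b"a" * 64):
        print(len(sample), len(pad(sample)), sha1(sample), agrees_with_hashlib(sample))
```

A 55-byte message still fits in one 512-bit block after padding, while a 56-byte message needs a second block because the 64-bit length field no longer fits.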

Page 30: 2.  Encryption and Decryption

MD4 and MD5 Algorithms

• MD4 (Rivest, 1991-92)

– Exceptionally fast, less secure

– 16-word block (512 bits)

– 48-step 3-round diffusion algorithm

– 4 pattern constants (128 bits)

• MD5 (Rivest, 1992)

– Slower, more secure

– 16-word block (512 bits)

– 64-step 4-round diffusion algorithm

– 4 pattern constants (128 bits)

Page 31: 2.  Encryption and Decryption

Digital Signature Algorithms

• El Gamal Algorithm (1984)

– Pick p: prime; a < p and x < p; (p-1) must have a large prime factor: q

– Compute: y = a^x mod p

– Private key: x; Public key: y (and p, a)

• Message Signing (m: message)

– Pick k: 0 < k < p-1 (relatively prime to p-1)

– Compute: r = a^k mod p

– Compute: s = k^-1*(m – x*r) mod (p-1) (k*k^-1 ≡ 1 mod (p-1))

– Message Signature: r & s

• Signature Verification

– Compute: y^r * r^s mod p

– Compute: a^m mod p

– Check: y^r * r^s mod p = a^m mod p
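
The El Gamal signing and verification steps above, run with small numbers so every intermediate value can be checked by hand. This is an added example, not part of the original slides; the parameters (p = 467, a = 2, x = 127, k = 213, m = 100) and function names are constructed, and the range check on r and s in verify() is an addition that the slide does not list.

```python
import secrets
from math import gcd

def public_value(p, a, x):
    """y = a^x mod p; x is the private key, y (with p and a) is public."""
    return pow(a, x, p)

def sign(m, p, a, x, k=None):
    """Return (r, s) with r = a^k mod p and s = k^-1 * (m - x*r) mod (p-1)."""
    if k is None:
        k = 0
        while gcd(k, p - 1) != 1:              # gcd(0, p-1) != 1, so this runs once at least
            k = secrets.randbelow(p - 2) + 1   # fresh random k in 1 .. p-2
    elif not (0 < k < p - 1 and gcd(k, p - 1) == 1):
        raise ValueError("k must satisfy 0 < k < p-1 and be relatively prime to p-1")
    r = pow(a, k, p)
    s = pow(k, -1, p - 1) * (m - x * r) % (p - 1)
    return r, s

def verify(m, r, s, p, a, y):
    """Accept when y^r * r^s mod p equals a^m mod p."""
    if not (0 < r < p and 0 <= s < p - 1):     # added check: reject out-of-range values
        return False
    return pow(y, r, p) * pow(r, s, p) % p == pow(a, m, p)

# Constructed toy parameters: p - 1 = 466 = 2 * 233, so q = 233 is its large prime factor.
P, A, X = 467, 2, 127
Y = public_value(P, A, X)

if __name__ == "__main__":
    r, s = sign(100, P, A, X, k=213)
    print("public y:", Y, "signature:", (r, s))
    print("both sides:", pow(Y, r, P) * pow(r, s, P) % P, pow(A, 100, P))
    print("valid:", verify(100, r, s, P, A, Y), "altered message:", verify(101, r, s, P, A, Y))
    print("random k:", verify(100, *sign(100, P, A, X), P, A, Y))
```

Verification works because x*r + k*s ≡ m mod (p-1), so y^r * r^s = a^(x*r + k*s) ≡ a^m mod p; a new k must be drawn for every message.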

Page 32: 2.  Encryption and Decryption

Digital Signature Algorithm (DSA)

• DSA (NIST, 1994)

– El Gamal Algorithm with restrictions

– Pick p: prime; a < p and x < p; (p-1) must have a large prime factor: q

– New condition: 2^511 < p < 2^512 (p: 170 digits long)

– New condition: 2^159 < q < 2^160

– Compute: y = a^x mod p

– Private key: x; Public key: y (and p, a)

• Message Signing (H(m) instead of m)

– Pick k: 0 < k < p-1 (relatively prime to p-1)

– Compute: r = a^k mod q

– Compute: s = k^-1*(H(m) – x*r) mod q (k*k^-1 ≡ 1 mod (p-1))

– Message Signature: r & s

– DSA is easier to break than the El Gamal Digital Signature Algorithm

Page 33: 2.  Encryption and Decryption

Secret Key Algorithms

• Data Encryption Standard (DES)

• Escrowed Encryption Standard (EES): Skipjack

• Advanced Encryption Standard (AES)

Secret Key Algorithms (Symmetric)

• Single Key for A-B Channel: (K_AB)

• K_AB: Secret (known only to A and B)

• A → B: C = {P}_{K_AB} (and P = {C}_{K_AB})

• B → A: C = {P}_{K_AB} (and P = {C}_{K_AB})

Page 34: 2.  Encryption and Decryption

Data Encryption Standard (DES)

• NIST (1977)

• Developed for use by the general public

• Accepted as a cryptographic standard worldwide

• Hardware and software implementations

• Algorithm

– Complex combination of substitution and transposition (Product Cipher)

– 64-bit plaintext blocks; 56-bit keys

– 16-round algorithm

– Same algorithm for encryption and decryption

Page 35: 2.  Encryption and Decryption

DES Algorithm (contd.)

Algorithm Description

• Initial Permutation

• 16 Cycles (with Key Transformation)

• Inverse Initial Permutation

• Cycle Description

– Split into Left and Right Halves: 32 bits each

– Expansion Permutation: 32 bits → 48 bits (Right Half only)

– XOR with Transformed Key: 48 bits (Right Half only)

– S-Box (Substitution Choice): 48 bits → 32 bits (Right Half only)

– P-Box (Permutation): 32 bits (Right Half only)

– XOR with Original Left Half: 32 bits (Right Half only)

– Concatenation of Original Right Half and Right Half

Page 36: 2.  Encryption and Decryption

DES Algorithm (contd.)

Brute Force Attack

– 2^56 key possibilities

– 1 key/100ms: 228 million years

– 1 key/ms: 2,280 years

– 10^6 chips: 20 hours (Diffie-Hellman, 1977)

An EFF Team broke DES (January 1999)

– Time: 22 hours and 15 minutes

– “Deep Crack” supercomputer and 100,000 PCs

– 256 billion keys/second

NSA will not recertify DES

Page 37: 2.  Encryption and Decryption

Escrowed Encryption Std. (EES)

• Developed by NSA (1980s) to allow “legal” wiretapping

• AT&T encrypted telephone devices (1993)

– Analog → Digital → Encrypt … Decrypt → Digital → Analog

– Unique key was generated for each session and transmitted

• Unit keys would be split into halves and kept by different escrow agencies

• Law enforcement agents would need court orders to obtain key halves (using information in LEAF)

• Sealed encryption device

Page 38: 2.  Encryption and Decryption

Clipper Chip

• Skipjack (algorithm)

• Clipper (chip implementing Skipjack and LEAF)

• MOSAIC (program)

• Capstone (cryptographic device with key exchange)

• Tessera (Capstone chip)

• Fortezza (Capstone chip)

• Escrowed Encryption Standard (EES)

Page 39: 2.  Encryption and Decryption

Clipper (contd.)

Clipper Message Format

• S → R: {M}_k • {{k}_u • {n, a}}_f

– LEAF: {{k}_u • {n, a}}_f

– M: 64-bit block

– k: 80-bit session key (randomly generated and transmitted)

– u: 80-bit unit key (unique to Clipper unit; held in escrow)

– n: 30-bit unit ID (unique to Clipper unit)

– a: Escrow authenticator

– f: 80-bit law enforcement key (common to Clipper family)

Page 40: 2.  Encryption and Decryption

Skipjack Algorithm (contd.)

Algorithm Description

• 32 Cycles (with 80-bit Key)

• Cycle Description

– Rule A (8 Steps) {Decryption: Rule B^-1 (8 Steps)}

– Rule B (8 Steps) {Decryption: Rule A^-1 (8 Steps)}

– Rule A (8 Steps) {Decryption: Rule B^-1 (8 Steps)}

– Rule B (8 Steps) {Decryption: Rule A^-1 (8 Steps)}

– Gk Permutation {Decryption: [Gk]^-1} (4-round Feistel structure)

– F Table (Fixed-byte substitution table)

Page 41: 2.  Encryption and Decryption

Skipjack Algorithm (contd.)

Expected to be 36 years before the cost of breaking Skipjack is equal to the cost of breaking DES today

• Skipjack was classified until 1998

• Abruptly declassified

• Problems still exist

– Once unit key (u) is known, all past, present and future transmissions are compromised

– Knowing the unit key (u) makes it possible to fabricate messages

Page 42: 2.  Encryption and Decryption

Advanced Encryption Std. (AES)

Rijndael Algorithm (Daemen and Rijmen, 2000)

• Will become a federal standard by June 2001

• Features

– A system breaking DES in 1 second would take 149 trillion years to break a 128-bit AES key (smallest key size)

– Very good performance in hardware and software

– Wide range of computing environments

– Variable block and key lengths, and number of cycles

– Simplicity, low memory requirements, sound design

– Suitable for ATM, HDTV, B-ISDN, voice, satellite (> 1 GBits/sec requires dedicated hardware)

Page 43: 2.  Encryption and Decryption

AES (contd.)

Design Rationale

• Resistance to all known attacks

• Speed, code compactness, wide range of platforms (including smartcard applications)

• Design Simplicity

• Variable Block (Nb) and Key (Nk) sizes (4-byte words)

          Nb = 4     Nb = 6     Nb = 8

Nk = 4:   Nr = 10    Nr = 12    Nr = 14

Nk = 6:   Nr = 12    Nr = 12    Nr = 14

Nk = 8:   Nr = 14    Nr = 14    Nr = 14

Page 44: 2.  Encryption and Decryption

AES (contd.)

Details of AES Algorithm

• Most ciphers use a Feistel structure (some of the bits in intermediate states are simply transposed)

• AES uses three distinct invertible uniform transformations (layers)

• AES Algorithm

– ByteSub: Linear mixing layer (high diffusion)

– ShiftRow: Parallel S-boxes (nonlinearity)

– MixColumn (not used in last round)

– AddRoundKey: (XOR of key to state)

Page 45: 2.  Encryption and Decryption

Pretty Good Privacy (PGP)

Hybrid Algorithm (Zimmermann, 1995)

• RSA (keys up to 2,047 bits) for key management

• IDEA for data encryption

– 64-bit plaintext blocks; 128-bit keys; 8 rounds

– XOR; + (mod 2^16); * (mod 2^16 + 1) S-Box

• MD5 as a one way hash function

– User’s private key is encrypted using a hashed pass phrase

• Only after the recipient decrypts the message is it known who signed the message

• Web of Trust (no key certification authority)