Algorithms and Data Structures - Cryptography - BFH-TI …hnr1/SWS/10Crypto.pdf · ·...
Cryptography Page 1
BFH-TI: Softwareschule Schweiz
Algorithms and Data Structures
Cryptography
Dr. Rolf Haenni
CAS SD01
Berner Fachhochschule Rolf Haenni
Technik und Informatik Algorithms and Data Structures
Outline
Introduction
Symmetric Cryptography
Asymmetric Cryptography
RSA
What is Cryptography?
- Traditionally, cryptography is the practice and study of hiding written information (not its existence)
  - Kryptos: hidden (Greek)
  - Graphein: write (Greek)
- On the other hand, cryptanalysis is the study of methods for obtaining the meaning of encrypted information
- Cryptology = cryptography + cryptanalysis
- Historically, cryptography was mainly motivated by military and diplomatic applications (dating back to the ancient Greeks)
- Today, cryptography is a broad branch of both mathematics and computer science and is widely applied in modern IT and communications technologies
Cryptographic Terminology
Alphabet: A set of characters, e.g. {A, ..., Z} or {0, 1}
Plaintext: The original message to be transmitted, represented as a string of characters from a given alphabet
Ciphertext: The message after making its content unreadable
Encryption: The process of producing ciphertext from plaintext
Decryption: The reverse process of producing plaintext from ciphertext
Cipher: A pair of algorithms for encryption and decryption
Key: A parameter that determines the functional output of a cipher (usually a string of 56–2048 random bits)
Cryptosystem: A system consisting of a cipher, a key generation algorithm, and other cryptographic primitives
Basic Communication Model
Entity: A person, organization, ..., which sends, receives, or manipulates information
Sender: The entity from which a transmitted message originates (often called Alice)
Recipient: The entity towards which a transmitted message is addressed (often called Bob)
Opponent: An entity which attacks the security of a transmitted message (often called Oscar or Eve)
Trusted Third Party: A neutral entity which appears to be trustworthy for both the sender and recipient
Channel: Medium for transmitting a message between the sender and recipient (insecure, secure, secured)
Basic Communication Model (cont.)
[Figure: Sender (plaintext, key) → ciphertext → Recipient (key, plaintext), with the Opponent between them]
Information Security
To protect sensitive information, the four principal goals to achieve are the following:
Confidentiality: The content of a message is not disclosed to unauthorized entities
Integrity: The content of a message cannot be modified by an unauthorized entity
Authenticity: The sender (and the recipient) are who they claim they are
Non-Repudiation: The sender (and the recipient) of a message cannot deny the transmission
Brute-Force Attack
- In a brute-force attack, the opponent tries all possible keys

Key Length   Number of Keys                      $10^6$ Keys/s               $10^6$ Keys/µs
16 bits      $2^{16} = 65536$                    32.7 ms                     32.7 µs
32 bits      $2^{32} = 4.3 * 10^{9}$             35.8 min.                   2.2 ms
56 bits      $2^{56} = 7.2 * 10^{16}$            1142 years                  10.1 hours
64 bits      $2^{64} = 1.8 * 10^{19}$            292353 years                107 days
128 bits     $2^{128} = 3.4 * 10^{38}$           $5.4 * 10^{24}$ years       $5.4 * 10^{18}$ years
256 bits     $2^{256} = 1.2 * 10^{77}$           $3.5 * 10^{63}$ years       $3.5 * 10^{57}$ years
512 bits     $2^{512} = 1.3 * 10^{154}$          $2.1 * 10^{142}$ years      $2.1 * 10^{136}$ years
1024 bits    $2^{1024} = 1.7 * 10^{308}$         $2.7 * 10^{296}$ years      $2.7 * 10^{290}$ years

- Number of particles in the universe: $4 * 10^{78}$ to $6 * 10^{79}$
- Age of the universe: $13.7 * 10^{9}$ years
Symmetric Cryptosystems
- In a symmetric cryptosystem, the sender and receiver share the same secret key k
- All classical ciphers (from the ancient Greeks until 1976) are symmetric
- The problem of using a symmetric cipher is to exchange the secret key
- Traditionally, secret keys were exchanged over secure channels, e.g. personally or by a trustworthy messenger
- In modern cryptography, secret keys are exchanged over secured channels (using asymmetric cryptosystems)
- A symmetric cryptosystem achieves confidentiality, integrity, and authenticity (but not non-repudiation)
AES
- AES (Advanced Encryption Standard) is the best symmetric cipher today
  - Winner of a world-wide competition in 2001
  - Successor of DES (Data Encryption Standard) since 2002
  - Key length: 128, 192, or 256 bits (DES: 56 bits)
  - Fast in both software and hardware
- AES is a block cipher (not a bit-by-bit stream cipher)
  - The bit string message is split into blocks of size n = 128 bits
  - In principle, each block is encrypted independently
  - To avoid equal ciphertext blocks, there are several modes of operation (ECB, CBC, CFB, etc.) to link the result from encrypting one block with the encryption of another
- AES performs a series of substitutions and permutations
Substitution Cipher
- A substitution cipher replaces each character (or a group of characters) of a plaintext block by another one
- Example: Caesar’s Cipher

  a  b  c  d  e  f  g  h  i  j  k  l  m  n  o  p  q  r  s  t  u  v  w  x  y  z
  ↓  ↓  ↓  ↓  ↓  ↓  ↓  ↓  ↓  ↓  ↓  ↓  ↓  ↓  ↓  ↓  ↓  ↓  ↓  ↓  ↓  ↓  ↓  ↓  ↓  ↓
  0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25

  - Plaintext: $m = [M_0 M_1 \cdots M_{n-1}]$, $M_i \in \{0, \ldots, 25\}$
  - Ciphertext: $c = [C_0 C_1 \cdots C_{n-1}]$, $C_i \in \{0, \ldots, 25\}$
  - Key: $k \in \{0, \ldots, 25\}$
  - Encryption: $C_i = E_k(M_i) = M_i + k \bmod 26$
  - Decryption: $M_i = D_k(C_i) = C_i - k \bmod 26$
- AES substitutes groups of 8 bits (1 byte)
Permutation Cipher
- A permutation cipher changes the order of the characters in the block
- Example: Shift Cipher
  - Each character in a plaintext block is shifted to the left by k positions (in a circular fashion)
  - Plaintext: $m = [M_0 M_1 \cdots M_{n-1}]$
  - Ciphertext: $c = [C_0 C_1 \cdots C_{n-1}]$
  - Key: $k \in \{0, \ldots, n-1\}$
  - Encryption: $c = E_k(m) = [M_{0+k \bmod n} \cdots M_{n-1+k \bmod n}]$
  - Decryption: $m = D_k(c) = [C_{0-k \bmod n} \cdots C_{n-1-k \bmod n}]$
- In AES, each 128-bit block is divided into 4 words of size 32, which are individually shifted to the left by 0, 8, 16, or 24 bits, respectively
Product Cipher
- If the amount of ciphertext is large enough, pure substitution or permutation ciphers are easy to decrypt with a frequency analysis (even if the key space is too large for a brute-force attack)
- The frequencies of the characters in the ciphertext are compared with their frequencies in plaintext samples
- To prevent a frequency analysis, substitutions (S-boxes) and permutations (P-boxes) are repeatedly applied in r rounds
- Such ciphers are called product ciphers or SP-networks
- AES has 10 rounds for 128-bit keys, 12 rounds for 192-bit keys, and 14 rounds for 256-bit keys
Frequency Analysis
Example: Frequencies of letters in plain English (in percent)

A    B    C    D    E     F    G    H    I    J    K    L    M
8.2  1.5  2.8  4.3  12.7  2.2  2.0  6.1  7.0  0.2  0.8  4.0  2.4

N    O    P    Q    R    S    T    U    V    W    X    Y    Z
6.7  7.5  1.9  0.1  6.0  6.3  9.1  2.8  1.0  2.4  0.2  2.0  0.1
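Added example (not part of the original slides): Caesar’s cipher from the substitution slide, with the key recovered from the ciphertext alone by comparing its letter counts with the English frequencies listed on this slide. The sample plaintext, the function names and the choice of a chi-squared score for the comparison are assumptions made for this illustration.

```python
from collections import Counter

# Letter frequencies in percent for A..Z, as read off the slide's chart.
ENGLISH = [8.2, 1.5, 2.8, 4.3, 12.7, 2.2, 2.0, 6.1, 7.0, 0.2, 0.8, 4.0, 2.4,
           6.7, 7.5, 1.9, 0.1, 6.0, 6.3, 9.1, 2.8, 1.0, 2.4, 0.2, 2.0, 0.1]

# Constructed sample plaintext (not from the slides).
SAMPLE = ("in a symmetric cryptosystem the sender and the receiver share the "
          "same secret key and the problem is to exchange that key over a "
          "secure channel before any message is sent")

def caesar(text, k):
    """C_i = M_i + k mod 26 on the letters a..z; other characters pass through.
    Decryption is the same call with -k."""
    out = []
    for ch in text.lower():
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - 97 + k) % 26 + 97))
        else:
            out.append(ch)
    return "".join(out)

def chi_squared(text):
    """Distance between the letter histogram of text and plain English."""
    letters = [ch for ch in text.lower() if "a" <= ch <= "z"]
    if not letters:
        raise ValueError("no letters to analyse")
    counts = Counter(letters)
    scale = len(letters) / sum(ENGLISH)
    score = 0.0
    for i, pct in enumerate(ENGLISH):
        expected = pct * scale
        score += (counts[chr(97 + i)] - expected) ** 2 / expected
    return score

def recover_key(ciphertext):
    """Decrypt under each of the 26 keys and keep the most English-looking one."""
    return min(range(26), key=lambda k: chi_squared(caesar(ciphertext, -k)))

if __name__ == "__main__":
    c = caesar(SAMPLE, 11)
    k = recover_key(c)
    print(k, caesar(c, -k) == SAMPLE)
```

The score needs enough ciphertext to be reliable, which matches the slide's condition that the amount of ciphertext be large enough.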
Asymmetric Cryptosystems
- In an asymmetric cryptosystem, each entity possesses two keys
  - Private key d (kept secret)
  - Public key e (distributed publicly)
- No secure channel is needed to distribute the public key!
- Alice encrypts the plaintext m with the public key $e_B$ of Bob: $c = E_{e_B}(m)$
- Bob uses his private key $d_B$ to decrypt the ciphertext c: $m = D_{d_B}(c) = D_{d_B}(E_{e_B}(m))$
- Asymmetric encryption achieves confidentiality only
Man-in-the-Middle Attack
- Asymmetric cryptosystems facilitate but do not entirely solve the key exchange problem
- The remaining problem is to know whether a given public key belongs to the entity who claims to own it
- An opponent can thus distribute faked public keys in the name of other entities
- In a Man-in-the-Middle Attack, the opponent Oscar sends faked public keys to Alice and Bob
  - Alice thinks Oscar is Bob and sends him an encrypted message
  - Oscar decrypts Alice’s message and sends it encrypted to Bob
  - Vice versa
- The key authentication problem is solved with certificates
Hybrid Cryptosystems
- All known asymmetric cryptosystems are relatively inefficient
- A hybrid cryptosystem combines the flexibility of asymmetric with the efficiency of symmetric cryptosystems
  - Alice encrypts m symmetrically with a secret key k
  - The secret key k is encrypted with Bob’s public key $e_B$
  - $E_k(m)$ and $E_{e_B}(k)$ are transmitted over an insecure channel
  - Bob uses his private key $d_B$ to decrypt $k = D_{d_B}(E_{e_B}(k))$
  - The secret key k is used to decrypt $m = D_k(E_k(m))$
- In other words, the secret key k is exchanged over a secured channel
- Most cryptographic applications today use hybrid systems
Hybrid Cryptosystem
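[Figure: Alice applies SE to m under k and $AE_{e_B}$ to k and concatenates (||) the two results; Bob applies $AD_{d_B}$ to obtain k and SD under k to obtain m]
- SE/SD: Symmetric encryption/decryption
- AE/AD: Asymmetric encryption/decryption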
Digital Signatures
- Asymmetric cryptosystems can also be used to generate digital signatures
  - Alice generates a hash code h = h(m) of the message m
  - h is encrypted with Alice’s private key $d_A$ to get $s = E_{d_A}(h)$
  - m together with its signature s is sent to Bob
  - Bob decrypts $h = D_{e_A}(s)$ with Alice’s public key $e_A$
  - Bob computes h(m) and compares it with h
- With digital signatures, we can achieve integrity, authenticity, and non-repudiation
- Combined with asymmetric encryption/decryption, all four security requirements are achieved
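Added example (not from the slides): the signing and verification steps above, with textbook RSA as the asymmetric cipher and SHA-256 as the hash function h, both of which are assumptions. The key pair is a constructed toy built from two known Mersenne primes, and the function names and sample messages are illustrative.

```python
import hashlib

# Constructed toy key pair for Alice (an assumption, not from the slides).
# Real keys use large random primes and a padded scheme such as RSA-PSS.
P, Q = 2**61 - 1, 2**89 - 1
N = P * Q
E_A = 65537                                  # Alice's public key e_A
D_A = pow(E_A, -1, (P - 1) * (Q - 1))        # Alice's private key d_A

def hash_code(message: bytes, n: int) -> int:
    """h(m): the SHA-256 digest as a number, reduced below N to fit one block."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message: bytes, d: int, n: int) -> int:
    """Alice: s = E_dA(h(m))."""
    return pow(hash_code(message, n), d, n)

def verify(message: bytes, s: int, e: int, n: int) -> bool:
    """Bob: recover h = D_eA(s) and compare it with his own h(m)."""
    return pow(s, e, n) == hash_code(message, n)

if __name__ == "__main__":
    m = b"transfer 10 CHF to Bob"            # constructed sample message
    s = sign(m, D_A, N)
    print(verify(m, s, E_A, N))                            # genuine message
    print(verify(b"transfer 9000 CHF to Bob", s, E_A, N))  # modified message
    print(verify(m, (s + 1) % N, E_A, N))                  # modified signature
```

Bob needs only $e_A$ and N to run `verify`, so the check says nothing unless he knows that this public key really is Alice's.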
Digital Signature
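[Figure: Alice computes h from m, applies $AE_{d_A}$ to h and sends the result together with m (||); Bob applies $AD_{e_A}$ to the signature, computes h from m and compares the two values (?=)]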
Hybrid Cryptosystem with Digital Signature
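[Figure: the hybrid cryptosystem and the digital signature combined. Labels on Alice's side: m, h, k, $AE_{d_A}$, SE, $AE_{e_B}$, ||; labels on Bob's side: $AD_{d_B}$, k, SD, m, h, $AD_{e_A}$, ?=]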
RSA
- The first asymmetric cryptosystem was discovered in 1977 by Rivest, Shamir, and Adleman (RSA)
- The method is based on number theory
  - Prime numbers: 2, 3, 5, 7, 11, 13, 17, ...
  - Greatest common divisor: gcd(x, y), e.g. gcd(14, 42) = 7
  - Euler function:

$$\varphi(x) = \begin{cases} 1, & \text{if } x = 1 \\ x - 1, & \text{if } x \text{ is prime} \\ (y - 1) * y^{z-1}, & \text{if } x = y^z \text{ and } y \text{ is prime} \\ \varphi(y) * \varphi(z), & \text{if } x = y * z \text{ and } \gcd(y, z) = 1 \end{cases}$$

x      1  2  3  4  5  6  7  8  9  10  11  12  13  14  ...
ϕ(x)   1  1  2  2  4  2  6  4  6   4  10   4  12   6  ...
RSA Key Generation
- Choose $N = p * q$, such that p and q are prime
- Compute $\varphi(N) = (p - 1)(q - 1)$
- Public key: choose $1 < e < \varphi(N)$ such that $\gcd(e, \varphi(N)) = 1$
- Private key: compute d such that $e * d \bmod \varphi(N) = 1$
  - Modular multiplicative inverse
- Example:
  - $p = 3$, $q = 11$
  - $N = 3 * 11 = 33$
  - $\varphi(33) = 2 * 10 = 20$
  - $e = 3$, which satisfies $\gcd(3, 20) = 1$
  - $d = 7$, which satisfies $3 * 7 \bmod 20 = 1$
RSA Encryption and Decryption
- Split plaintext into blocks m of length $n = \lfloor \log N \rfloor$ bits
- Interpret each block as a number $m < N$
- Encryption: $c = E_e(m) = m^e \bmod N$
- Decryption: $m = D_d(c) = c^d \bmod N$
- Proof ...
- Example: e = 3, d = 7, N = 33
  - $n = \lfloor \log 33 \rfloor = 5$
  - $m = [00110] = 6$
  - $c = 6^3 \bmod 33 = 216 \bmod 33 = 18 = [10010]$
  - $m = 18^7 \bmod 33 = 612'220'032 \bmod 33 = 6$
Attacking RSA
- To attack an RSA-encrypted ciphertext c, we need to infer d from e and N
- For this, we need to know $\varphi(N) = (p - 1)(q - 1)$
- For this, we need to infer p and q from $N = p * q$
- In other words, we need to recover the prime factors of N
  - Easy for small numbers
  - Difficult for large numbers
  - Practically impossible for very large numbers
- The RSA key length is usually 512, 1024, or 2048 bits
- The factorization problem is widely believed to be infeasible, but this is still unproven
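Added example (not from the slides): the inference chain above, from N to p and q to ϕ(N) to d, carried out on the slides' toy key e = 3, N = 33, to show that a small modulus protects nothing. Trial division as the factoring method and the function names are choices made for this illustration.

```python
from math import isqrt

def factor_modulus(n):
    """Recover p and q from N = p * q by trial division (about sqrt(N) steps)."""
    for p in range(2, isqrt(n) + 1):
        if n % p == 0:
            return p, n // p
    raise ValueError("N has no non-trivial factor")

def recover_private_key(e, n):
    """Follow the slide: N -> (p, q) -> phi(N) -> d."""
    p, q = factor_modulus(n)
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)          # modular multiplicative inverse of e

def trial_division_steps(bits):
    """Upper bound on loop iterations for a modulus of the given bit length."""
    return 2 ** (bits // 2)

if __name__ == "__main__":
    d = recover_private_key(3, 33)          # public key from the slides
    print(d, pow(18, d, 33))                # private key, then the plaintext of c = 18
    for bits in (512, 1024, 2048):          # key lengths named on the slide
        digits = len(str(trial_division_steps(bits))) - 1
        print(bits, "bits: about 10^%d steps" % digits)
```

General-purpose factoring algorithms are far faster than trial division, which is why 512-bit moduli are no longer considered safe even though the bound printed for them is astronomically large.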
RSA Algorithms
- To implement RSA, we need efficient algorithms to perform the following tasks with very large numbers:
  - Generate prime numbers at random (see §10.1.6)
  - Integer multiplication (see §10.4.4)
  - Greatest common divisor (see §10.1.2)
  - Modular multiplicative inverse (see §10.1.5)
  - Modular exponentiation (see §10.1.4)
- Prime numbers are generated by generating random numbers and testing them for primality
- The best known primality test runs in $O(\log^{6+\varepsilon} n)$ time, which is very slow if n is large (polynomial in the number of bits)
- There are various efficient probabilistic primality tests, which have error probabilities that converge quickly towards 0
Euclid’s Algorithm
- The greatest common divisor is efficiently computed by Euclid’s algorithm:

$$\gcd(x, y) = \begin{cases} x, & \text{if } y = 0 \\ \gcd(y, x \bmod y), & \text{otherwise} \end{cases}$$

- Example: $\gcd(108, 44) = \gcd(44, 20) = \gcd(20, 4) = \gcd(4, 0) = 4$
- Runs in $O(\log \max(x, y))$ time, i.e. linear in the number of bits
- There is a variation called binary Euclid’s algorithm, in which the modulo operator is replaced by divisions by 2 (right-shift)
- Another variation called extended Euclid’s algorithm computes modular multiplicative inverses
Repeated Squaring Algorithm
- The modular exponentiation is efficiently computed with the repeated squaring algorithm:

$$x^y \bmod n = \begin{cases} x, & \text{if } y = 1 \\ (x^{y/2} \bmod n)^2 \bmod n, & \text{if } y \text{ is even} \\ x * (x^{y-1} \bmod n) \bmod n, & \text{if } y \text{ is odd} \end{cases}$$

- Example:

$$\begin{aligned} 18^7 \bmod 33 &= 18 * (18^6 \bmod 33) \bmod 33 \\ &= 18 * ((18^3 \bmod 33)^2 \bmod 33) \bmod 33 \\ &= 18 * ((18 * (18^2 \bmod 33) \bmod 33)^2 \bmod 33) \bmod 33 \\ &= 18 * ((18 * ((18 \bmod 33)^2 \bmod 33) \bmod 33)^2 \bmod 33) \bmod 33 \\ &= \cdots = 6 \end{aligned}$$

- Runs in $O(\log y)$ time, i.e. linear in the number of bits