Applied Cryptography - L-Università ta' Malta (staff.um.edu.mt/mvel3/files/crypto/1_intro.pdf)
Applied Cryptography
CPS2323
CPS2323 2/35
Content
● Cryptography and its applications
● Ciphers
● Cipher Security
● The Random Oracle and the Ideal Cipher
● A look at Cryptanalysis
Applied cryptography (i)
● Then ...
Applied cryptography (ii)
● Now
Applied cryptography (iii)
● Cryptography
– The art and science of secret writing
– Creation of crypto primitives and proof models for cipher security
● Applied cryptography
– Application of primitives
– Computer security our main concern
– Its importance accentuated with the onset of cyberspace
● Aim of course
– Apply and compose existing crypto primitive implementations in a secure manner
– Only possible if these primitives are understood in depth
– Efficient and secure implementation
– Implementation-centric cryptanalysis
Applied cryptography (iv)
(Diagram: Applied Number Theory / Linear Algebra; Applied Computational Theory / Applied Information Theory; Cryptography; Applied Cryptography; Information Security: Confidentiality, Integrity, Authenticity)
Applied cryptography (v)
● Adversarial model
– Spoofing
– Tampering
– Repudiation
– Information Disclosure
– Denial of Service
– Elevation of Privilege
Ciphers (i)
● Cryptosystems
– Provide: CIA
– Make the system resilient to STRI(D)E
– Need to be secure!
out-of-band
Practicality issues, e.g. WiFi vs Webmail login
Ciphers (ii)
● Cryptosystem – 5-tuple
<X, Y, K, e(), d()>
where:
X = Plaintext/cleartext space
Y = Ciphertext space
K = Key space
e(): X, K → Y
d(): Y, K → X
Ciphers (iii)
● Taxonomy
(+ Hash functions)
Cipher Security (i)
● What does it mean for a cipher to be secure?
● Let's consider two classic substitution ciphers from hundreds of years ago
● Clearly both insecure
– Caesar/Shift Cipher
● from the hands of Caesar himself!
– Monoalphabetic substitution cipher
● from the Arab empire days
Cipher Security (ii)
● Shift cipher
– Rotate the letters of the alphabet (with wrap-around) by k positions
– Caesar used ROT3
– i.e. A → D, B → E, …, Y → B, Z → C
● begin the attack now
● →
● EHJLQWKHDWWDFNQRZ
Cipher Security (iii)
● Brute-force/Exhaustive Key Search Attack
– for a known plaintext/ciphertext pair
– Such a pair is highly likely to be available in network traffic and files, due to headers/protocols
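The shift cipher written out as the 5-tuple <X, Y, K, e(), d()> of the Ciphers (ii) slide, together with the exhaustive key search over all 26 keys that the slide above describes, as an added example (this is not code from the slides; the function names and the sample text are this example's own):

```python
# Added example (not from the CPS2323 slides): the shift cipher as the
# 5-tuple <X, Y, K, e(), d()> with X = Y = strings over A..Z and K = Z_26,
# plus the exhaustive key search the slides describe against one known
# plaintext/ciphertext pair. All inputs below are constructed for the demo.
import string

ALPHABET = string.ascii_uppercase
KEY_SPACE = range(26)          # K: every possible rotation, |K| = 26


def _clean(text: str) -> str:
    """Keep letters only, upper-cased (the slides drop spaces too)."""
    return "".join(c for c in text.upper() if c in ALPHABET)


def shift_encrypt(plaintext: str, k: int) -> str:
    """e(): rotate every letter k positions with wrap-around."""
    return "".join(ALPHABET[(ALPHABET.index(c) + k) % 26] for c in _clean(plaintext))


def shift_decrypt(ciphertext: str, k: int) -> str:
    """d(): the inverse rotation, so d(e(x, k), k) == x."""
    return shift_encrypt(ciphertext, -k % 26)


def exhaustive_key_search(known_plaintext: str, known_ciphertext: str) -> list:
    """Try every key in K and return the ones consistent with the known pair.

    A protocol header is the kind of known plaintext the slide mentions;
    with |K| = 26 the whole key space is exhausted instantly.
    """
    target = _clean(known_ciphertext)
    return [k for k in KEY_SPACE if shift_encrypt(known_plaintext, k) == target]


if __name__ == "__main__":
    ct = shift_encrypt("begin the attack now", 3)          # the slides' ROT3 example
    print(ct)                                               # EHJLQWKHDWWDFNQRZ
    print(exhaustive_key_search("begin the attack now", ct))  # [3]
```

The search returns a list rather than a single key so that a pair too short to pin the key down (or a pair that is not a shift-cipher pair at all) is visible as several or zero candidates instead of a wrong answer.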
Cipher Security (iv)
● Computational security
– Is the attack feasible?
– 2^80: benchmark for mid-term security (a couple of years)
● Moore's law
– Computing power doubles every 18 months for a constant cost
– i.e. for the same key space, the time taken halves over an 18-month period, or else the cost for the same attack is halved
● Therefore an attack could become feasible in terms of time/cost as time passes by
Cipher Security (v)
● Monoalphabetic substitution cipher
● Key: permutation of the alphabet
● Key space 26! ≈ 2^88 >> 2^80
● tell him about me● →
● GDOOKVCXEFLGCD
Cipher Security (vi)
● Shortcut attack: FEASIBLE
– Letter Frequency Analysis attack
– Exploits plaintext patterns retained inside the ciphertext
– ≈ 2^20 for a million chars (English)
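Why the monoalphabetic key space of 26! does not help: the ciphertext's letter histogram is the plaintext's histogram with the labels permuted, which is exactly the retained pattern the slide refers to. The following added example (not from the slides; the key, sample text and function names are constructed for this demonstration) encrypts under a permutation key and compares the two histograms with the labels stripped off:

```python
# Added example (not from the CPS2323 slides): a monoalphabetic substitution
# cipher keyed by a permutation of the alphabet, and a check that the
# ciphertext's letter histogram equals the plaintext's histogram once the
# letter labels are dropped. Key and sample text are constructed for the demo.
import string
from collections import Counter

ALPHABET = string.ascii_uppercase

# Constructed key: one permutation of the alphabet out of 26! ≈ 2^88.
KEY = "QWERTYUIOPASDFGHJKLZXCVBNM"


def _clean(text: str) -> str:
    """Keep letters only, upper-cased."""
    return "".join(c for c in text.upper() if c in ALPHABET)


def mono_encrypt(plaintext: str, key: str = KEY) -> str:
    """Substitute letter i of the alphabet by letter i of the key."""
    return _clean(plaintext).translate(str.maketrans(ALPHABET, key))


def mono_decrypt(ciphertext: str, key: str = KEY) -> str:
    """Apply the inverse permutation."""
    return ciphertext.translate(str.maketrans(key, ALPHABET))


def frequency_profile(text: str) -> list:
    """Letter counts sorted highest first, with the letter labels dropped."""
    return sorted(Counter(_clean(text)).values(), reverse=True)


def most_frequent_letter(text: str) -> str:
    return Counter(_clean(text)).most_common(1)[0][0]


def pattern_retained(plaintext: str, key: str = KEY) -> bool:
    """True iff the unlabeled histogram survives encryption unchanged."""
    return frequency_profile(plaintext) == frequency_profile(mono_encrypt(plaintext, key))


# Constructed English sample; 'e' is its most frequent letter.
SAMPLE = ("the quick brown fox jumps over the lazy dog and then the fox "
          "sees the dog sleep in the sun near the edge of the green field")

if __name__ == "__main__":
    ct = mono_encrypt(SAMPLE)
    print(ct)
    # The most frequent ciphertext letter is simply the image of 'E' under the key.
    print(most_frequent_letter(SAMPLE), "->", most_frequent_letter(ct))
    print(pattern_retained(SAMPLE))   # True
```

The histogram comparison is the whole point: whatever the key, the shape of the distribution is unchanged, so an attacker needs to guess only which ciphertext letter plays the role of the most common plaintext letter, not which of the 26! keys was used.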
Cipher Security (vii)
● (Computational) Security
– Best known attack is at least as hard as an infeasible brute-force attack on the key
● Known? How about unknown?
– Build ciphers that are difficult to analyze
– Cryptanalyze your own ciphers!
– Better still: Release its design and have it analyzed by peers
Cipher Security (viii)
● Kerckhoffs's principle
– A cryptosystem should be able to fall into the hands of the enemy without any consequence
– OR: The only secret component of a cryptosystem must be the key
– Principle of Open Design vs Security by Obscurity
● Reasons
– Peer review for shortcut attacks
– Ease of generating a new key vs a new cipher
– Difficulty of hiding a s/w implementation of a cipher
– Make Moore's law work for you by simply increasing the size of the key rather than redesigning your cipher
The Random Oracle (i)
● The ideal cipher is one that CANNOT be analyzed in any way
● A True Random Function → Truly Random Ciphertext
The Random Oracle (ii)
● What is a True Random Function?
x f(x)
0 45346
1 45
2 456457
3 23243
4 86
5 90
... ...
1. Table lookup
2. If not found → Dice roll
The Random Oracle (iii)
● In reality
– Cryptographically Strong Pseudo-Random Functions (CSPRF) are used
● Essentially – keyed functions
– Not due to lack of elves!
– But due to the need for determinism
– TRF → Keys though!
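The two slides above side by side in code, as an added example (not from the slides): a true random function built from exactly the two rules of the table slide (table lookup; if not found, dice roll), and a keyed pseudo-random function built from HMAC-SHA256 that two parties can evaluate identically without sharing any table. The class and function names and the demo key are this example's own assumptions.

```python
# Added example (not from the CPS2323 slides): a lazily sampled true random
# function (memoised dice rolls) next to a keyed PRF built from HMAC-SHA256.
# Names (RandomOracle, keyed_prf) and the demo key are constructed here.
import hashlib
import hmac
import secrets


class RandomOracle:
    """TRF over out_bits-bit outputs, sampled only when a new x is queried."""

    def __init__(self, out_bits: int = 32):
        self.out_bits = out_bits
        self.table = {}            # the growing x -> f(x) table of the slide

    def query(self, x: bytes) -> int:
        if x not in self.table:                                  # 1. table lookup
            self.table[x] = secrets.randbits(self.out_bits)      # 2. dice roll
        return self.table[x]


def keyed_prf(key: bytes, x: bytes, out_bits: int = 32) -> int:
    """Deterministic stand-in for the TRF: (key, x) always maps to the same value.

    The key replaces the table: anyone holding it recomputes f(x) on demand.
    """
    digest = hmac.new(key, x, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") >> (256 - out_bits)     # top out_bits bits


def oracle_is_consistent(oracle: RandomOracle, x: bytes) -> bool:
    """A function must answer the same query the same way every time."""
    return oracle.query(x) == oracle.query(x)


def prf_is_reproducible(key: bytes, x: bytes) -> bool:
    """Two independent evaluations under the same key agree."""
    return keyed_prf(key, x) == keyed_prf(key, x)


if __name__ == "__main__":
    f, g = RandomOracle(), RandomOracle()
    x = b"hello"
    print(f.query(x), f.query(x))              # same value twice: consistent
    print(f.query(x) == g.query(x))            # almost certainly False: two unrelated TRFs
    key = secrets.token_bytes(16)              # constructed demo key
    print(keyed_prf(key, x) == keyed_prf(key, x))  # True: determinism comes from the key
```

The contrast is the "keys though!" point of the slide: a second RandomOracle instance is a different function altogether, so two parties could never agree on f(x) without shipping the whole table, whereas a 16-byte key is enough to make keyed_prf reproducible anywhere.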
The Random Oracle (iv)
● Computational Security – a broader take
(Diagram: CSPRF, k, INFEASIBLE)
The Random Oracle (v)
● The best known algorithms ('distinguishers') to distinguish
– TRF vs PRF
– Random vs ciphertext
– Infeasible: Scales badly with respect to the size of some security parameter n, e.g. key size (actually the definition is much stricter – but suffices for the moment)
● What distinguishes random from non-random?
– PATTERNS!
– Patterns can be leveraged to make predictions
– Case in point: Mathematics!
● How hard is it?
– PRF space: vs TRF space:
● for wordsize = keysize = n
– Patterns in plaintext must be removed! e.g. letter frequency attack!
Cryptanalysis (i)
● Modular arithmetic
– Divide by modulus m and keep the remainder
– e.g.
● In general
where
Cryptanalysis (ii)
● Congruence relation: splitting into equivalence classes
…, -18, -9, 0, 9, 18, ...
…, -17, -8, 1, 10, 19, ...
…, -16, -7, 2, 11, 20, ...
…
Cryptanalysis (iii)
● Efficient implementation
– Apply the mod operator as early as possible in order to work with the smallest numbers possible
vs
Cryptanalysis (iv)
● Integer ring –
– E.g.
● "+":
● "x":
● for
– An algebraic structure based on modular arithmetic
Cryptanalysis (v)
● Properties
– Closed
– Associative and distributive operators
– Neutral element with respect to +
● XXX
– Neutral element with respect to x
● XXXX
– Additive inverse
● XXXX
– Multiplicative inverse
● XXX
● Given a, m are coprime, gcd(a,m)=1 i.e. for , 0^-1, 3^-1, 6^-1 do not exist
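The Cryptanalysis (ii) to (v) slides above, carried through in plain Python as an added example (not code from the slides; the function names are this example's own): the congruence classes listed on slide (ii), the "reduce as early as possible" rule of slide (iii) checked against the naive full product, the ring tables of slide (iv), and the multiplicative-inverse condition of slide (v), which for m = 9 leaves exactly 0, 3 and 6 without an inverse.

```python
# Added example (not from the CPS2323 slides): integer-ring arithmetic mod m
# in plain Python. Function names are this example's own; pow(a, -1, m)
# needs Python 3.8 or later.
from math import gcd


def congruence_class(r: int, m: int, span: int = 2) -> list:
    """Representatives of [r] mod m around zero: ..., r-2m, r-m, r, r+m, r+2m, ..."""
    return [r + i * m for i in range(-span, span + 1)]


def mulmod_reduce_early(factors, m: int) -> int:
    """Product of the factors mod m, reducing after every multiplication."""
    acc = 1
    for f in factors:
        acc = (acc * (f % m)) % m      # intermediate values never exceed (m-1)^2
    return acc


def mulmod_reduce_late(factors, m: int) -> int:
    """Same result, but the full (possibly huge) product is formed first."""
    prod = 1
    for f in factors:
        prod *= f
    return prod % m


def add_table(m: int) -> list:
    """Cayley table of '+' in Z_m; row a, column b holds (a + b) mod m."""
    return [[(a + b) % m for b in range(m)] for a in range(m)]


def mul_table(m: int) -> list:
    """Cayley table of 'x' in Z_m; row a, column b holds (a * b) mod m."""
    return [[(a * b) % m for b in range(m)] for a in range(m)]


def mul_inverse(a: int, m: int):
    """a^-1 mod m if gcd(a, m) == 1, otherwise None (no inverse exists)."""
    if gcd(a % m, m) != 1:
        return None
    return pow(a, -1, m)


def non_invertible(m: int) -> list:
    """Elements of Z_m that share a factor with m and so have no inverse."""
    return [a for a in range(m) if mul_inverse(a, m) is None]


if __name__ == "__main__":
    for r in range(3):
        print(congruence_class(r, 9))
    big = [12345, 67890, 13579]
    print(mulmod_reduce_early(big, 9) == mulmod_reduce_late(big, 9))   # True
    print(non_invertible(9))                                            # [0, 3, 6]
```

Reducing early matters beyond tidiness: in a fixed-width implementation the late-reduction product overflows long before the early-reduction one does, so the two functions only agree here because Python integers are unbounded.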
Cryptanalysis (vi)
● Caesar cipher
Cryptanalysis (vii)
● (Mathematical) Analytical attack
>>>Given: (hello, NKRRU), find k
Cryptanalysis (viii)
● Affine Cipher
Cryptanalysis (ix)
● Analytical attack
>>>Given: (hello, HVXXJ), find k
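Both analytical attacks above worked as arithmetic rather than search, as an added example (not code from the slides; function names are this example's own): one known letter pair fixes the shift key k = y - x mod 26, and two pairs of the affine cipher y = a·x + b mod 26 give a linear system whose difference a·(x1 - x2) = y1 - y2 is solved with a modular inverse.

```python
# Added example (not from the CPS2323 slides): recovering the key of the
# shift and affine ciphers algebraically from a known plaintext/ciphertext
# pair. Function names are this example's own; pow(x, -1, M) needs Python 3.8+.
from math import gcd

M = 26


def idx(c: str) -> int:
    """Letter -> position in Z_26 (A = 0)."""
    return ord(c.upper()) - ord("A")


def solve_shift_key(plaintext: str, ciphertext: str) -> int:
    """Every letter pair must agree on the same k, else this is not a shift pair."""
    ks = {(idx(y) - idx(x)) % M for x, y in zip(plaintext, ciphertext)}
    if len(ks) != 1:
        raise ValueError("pairs do not share a single shift")
    return ks.pop()


def solve_affine_key(plaintext: str, ciphertext: str) -> tuple:
    """Recover (a, b) of y = a*x + b mod 26 from two usable letter pairs.

    Subtracting the equations of two pairs gives a*(x1 - x2) = y1 - y2 mod 26,
    solvable whenever x1 - x2 is invertible mod 26. Returns the first
    solution found; affine_key_is_valid() reports whether a itself is invertible.
    """
    pairs = [(idx(x), idx(y)) for x, y in zip(plaintext, ciphertext)]
    for i in range(len(pairs)):
        for j in range(i + 1, len(pairs)):
            (x1, y1), (x2, y2) = pairs[i], pairs[j]
            dx = (x1 - x2) % M
            if gcd(dx, M) == 1:
                a = ((y1 - y2) * pow(dx, -1, M)) % M
                b = (y1 - a * x1) % M
                return a, b
    raise ValueError("no two letters with an invertible difference")


def affine_key_is_valid(a: int) -> bool:
    """An affine key decrypts uniquely only if gcd(a, 26) == 1."""
    return gcd(a, M) == 1


def affine_encrypt(plaintext: str, a: int, b: int) -> str:
    return "".join(chr((a * idx(c) + b) % M + ord("A")) for c in plaintext)


if __name__ == "__main__":
    print(solve_shift_key("hello", "NKRRU"))       # 6
    a, b = solve_affine_key("hello", "HVXXJ")
    print(a, b, affine_key_is_valid(a))            # 4 5 False
    print(affine_encrypt("hello", a, b))           # HVXXJ
```

For the slide's affine pair the recovered key is (a, b) = (4, 5), which does reproduce HVXXJ from hello, but gcd(4, 26) = 2, so that a is not invertible and the cipher cannot be decrypted uniquely; the validity check flags this, and the same solver on a proper key such as (5, 8) returns it unchanged.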
Cryptanalysis (x)
● Main point here
– If your cipher can be manipulated mathematically then definitely it does not look like a TRF!
● Paradox
– Asymmetric ciphers/public key ciphers are built on mathematical structures
– More on this later on in the course …
Cryptanalysis (xi)
● Taxonomy
CPS2323 Reading List
Textbook:
● Understanding Cryptography: A Textbook for Students and Practitioners. Christof Paar and Jan Pelzl. Publisher: Springer, 1st Edition, 2010, ISBN-10: 3642041000, ISBN-13: 9783642041006.
Supplementary reading:
● Applied Cryptography. Bruce Schneier. Publisher: Wiley, 2nd Edition, 1996, ISBN-10: 0471117099, ISBN-13: 9780471117094.
● Discrete and Combinatorial Mathematics: An Applied Introduction. Ralph P. Grimaldi. Publisher: Addison Wesley, 5th Edition, 2003, ISBN-10: 0201726343, ISBN-13: 9780201726343.
● GnuTLS Manual. http://www.gnutls.org/manual/gnutls.html
● Handbook of Applied Cryptography. Alfred Menezes, Paul van Oorschot, and Scott Vanstone. Publisher: CRC Press, 1996, ISBN-10: 0849385237, ISBN-13: 9780849385230.
● Introduction to Modern Cryptography, 2nd Edition. Publisher: Chapman and Hall/CRC Press, 2014, ISBN-10: 1466570261, ISBN-13: 9781466570269.