Cryptography 2


Transcript of Cryptography 2

Page 1: Cryptography 2

Cryptography 2

Substitution Transposition

Page 2: Cryptography 2

CSCE 522 - Farkas 2

Secret Key Cryptosystem

Sender: Plaintext → Encryption (key K) → Ciphertext → Decryption (key K) → Plaintext (Recipient)

C = E(K, M), M = D(K, C)

K needs secure channel

Page 3: Cryptography 2

Basic Encryption Techniques

• Substitution (confusion)
• Permutation (diffusion)
• Combinations and iterations of these

Page 4: Cryptography 2

Simple Alphabetic Substitution

Assign a new symbol to each plaintext symbol, randomly or by key, e.g.,

C → k, A → h, B → l

M = CAB

C = k h l

• Advantages: large key space (26!)
• Disadvantages: trivially broken by a known-plaintext attack; repeated patterns and letter frequency distributions are unchanged

How about multiple substitutions?

Page 5: Cryptography 2

Polyalphabetic Substitution

• Frequency distribution: reflects the distribution of the underlying alphabet; cryptanalysts find substitutions
  • E.g., English: e – 14%, t – 9.85%, a – 7.49%, o – 7.37%, …
• Need: flatten the distribution
  • E.g., combine high and low distributions:
    t → a (odd position), b (even position)
    x → a (even position), b (odd position)

Page 6: Cryptography 2

Vigenère Tableau

Use the Vigenère Tableau to encrypt
• Plaintext: HOPE YOU ARE HAVING FUN
• With key: I think this cipher is hard to break

Page 7: Cryptography 2

Cryptanalysis of Polyalphabetic Substitution

1. Determine the number of alphabets used
2. Solve each piece as monoalphabetic substitution.

Kasiski Method: uses regularity of English: letters, letter groupings, full words, e.g.,
• endings: -th, -ing, -ed, -ion, -ation, -tion, …
• beginnings: im-, in-, re-, un-, ...
• patterns: -eek-, -oot-, -our-, …
• words: of, end, to, with, are, is, …
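The two cryptanalysis steps above, as an added example that is not part of the original slides: a repeated word ("THE") that lines up with the same key letters produces a repeated ciphertext trigram, and the gaps between repeats expose the number of alphabets. The plaintext, the key LEMON and all function names are constructed for illustration.

```python
from collections import defaultdict
from functools import reduce
from math import gcd

A = ord("A")

def vigenere(text, key, decrypt=False):
    """Vigenere over A-Z: shift letter i by key letter i mod len(key)."""
    sign = -1 if decrypt else 1
    return "".join(
        chr((ord(c) - A + sign * (ord(key[i % len(key)]) - A)) % 26 + A)
        for i, c in enumerate(text)
    )

def repeat_distances(ct, n=3):
    """Map each repeated n-gram to the gaps between consecutive occurrences."""
    seen = defaultdict(list)
    for i in range(len(ct) - n + 1):
        seen[ct[i:i + n]].append(i)
    return {g: [b - a for a, b in zip(pos, pos[1:])]
            for g, pos in seen.items() if len(pos) > 1}

def kasiski_period(ct, n=3):
    """Step 1: gcd of all gaps; the key length divides it (0 = no repeats)."""
    gaps = [d for ds in repeat_distances(ct, n).values() for d in ds]
    return reduce(gcd, gaps, 0)

def split_alphabets(ct, period):
    """Step 2 input: group the letters enciphered with the same key letter."""
    return [ct[i::period] for i in range(period)]

# Constructed sample: THE occurs at offsets 0, 15 and 40 (all multiples of 5).
# SAFE occurs twice, 12 apart, so it does NOT repeat in the ciphertext.
PLAINTEXT = "THECODESARESAFETHEKEYISSAFELYHIDDENUNDERTHEROCK"
KEY = "LEMON"
CIPHERTEXT = vigenere(PLAINTEXT, KEY)

if __name__ == "__main__":
    print(CIPHERTEXT)
    print(repeat_distances(CIPHERTEXT))
    period = kasiski_period(CIPHERTEXT)
    print(period, split_alphabets(CIPHERTEXT, period))
```

On longer ciphertexts some trigrams repeat by chance and drag the gcd down to 1, so analysts usually count which factor divides the most gaps instead of taking a single gcd. Each group returned by `split_alphabets` is a monoalphabetic (shift) cipher and needs far more than 47 letters before frequency analysis works on it.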

Page 8: Cryptography 2

One-Time Pad

• Perfect secrecy!
• Large, non-repeating set of keys
• Key is larger than the message
• Advantages: immune to most attacks
• Disadvantages:
  • Need total synchronization
  • Need very long, non-repeating key
  • Key cannot be reused
  • Key management: printing, storing, accounting for

Recommend a practical approach for generating a large key

Page 9: Cryptography 2

Summary of Substitution

• Advantages:
  • Simple
  • Easy to encrypt
• Disadvantages:
  • Easy to break!!!

Page 10: Cryptography 2

Transposition

• Letters of the message are rearranged
• Break patterns, e.g., columnar transposition

Plaintext: this is a test

t h i s
i s a t
e s t !

Ciphertext: tiehssiatst!

• Advantages: easy to implement
• Disadvantages:
  • Trivially broken for known plaintext attack
  • Easily broken for cipher only attack

Page 11: Cryptography 2

Cryptanalysis

• Rearrange the letters
• Digrams, Trigrams, Patterns
• Frequent digrams: -re-, -th-, -en-, -ed-, …
• Cryptanalysis:
  1. Compute letter frequencies → subst. or perm.
  2. Compare strings of ciphertext to find reasonable patterns (e.g., digrams)
  3. Find digram frequencies

Page 12: Cryptography 2

Double Transposition

• Two columnar transpositions with different numbers of columns
  • First transposition: breaks up adjacent letters
  • Second transposition: breaks up short patterns

Page 13: Cryptography 2

Product Ciphers

• One encryption applied to the result of the other: E_n(E_{n-1}(…(E_1(M)))), e.g.,
  • Double transposition
  • Substitution followed by permutation, followed by substitution, followed by permutation…
• Broken for
  • Chosen plaintext

Page 14: Cryptography 2

Shannon’s Characteristics of “Good” Ciphers

• The amount of secrecy needed should determine the amount of labor appropriate for the encryption and decryption
• The set of keys and the enciphering algorithm should be free from complexity
• The implementation of the process should be simple and possible

Page 15: Cryptography 2

Shannon’s Characteristics of “Good” Ciphers (cont.)

• Errors in ciphering should not propagate and cause corruption of further information in the message
• The size of the enciphered text should be no larger than the original message

Page 16: Cryptography 2

Trustworthy Encryption Systems

• Based on sound mathematics
• Has been analyzed by experts
• Has stood the test of time

Examples: Data Encryption Standard (DES), Advanced Encryption Standard (AES), Rivest-Shamir-Adleman (RSA)

Page 17: Cryptography 2

Stream Ciphers

• Convert one symbol of plain text into a symbol of ciphertext based on the symbol (plain), key, and algorithm
• Advantages:
  • Speed of transformation
  • Low error propagation
• Disadvantages:
  • Low diffusion
  • Vulnerable to malicious insertion and modification

Page 18: Cryptography 2

Block Ciphers

• Encrypt a group of plaintext symbols as one block and produce a block of ciphertext
• Advantages:
  • Diffusion
  • Immunity to insertions
• Disadvantages:
  • Slowness of encryption
  • Error propagation

Page 19: Cryptography 2

Secret Key Cryptosystem Vulnerabilities (1)

Passive Attacker (Eavesdropper)
• Obtain and/or guess key and cryptosystem; use these to decrypt messages
• Capture text in transit and try a ciphertext-only attack to obtain plaintext.

Page 20: Cryptography 2

Secret Key Cryptosystem Vulnerabilities (2)

Active Attacker
• Break communication channel (denial of service)
• Obtain and/or guess key and cryptosystem and use these to send fake messages
• No third party authentication

Page 21: Cryptography 2

Inherent Weaknesses of Symmetric Cryptography

• Key distribution must be done secretly (difficult when parties are geographically distant, or don't know each other)
• Need a key for each pair of users
  • n users need n*(n-1)/2 keys
• If the secret key (and cryptosystem) is compromised, the adversary will be able to decrypt all traffic and produce fake messages

Page 22: Cryptography 2


Data Encryption Standards

DES

Page 23: Cryptography 2

Background and History

• Developed by the U.S. government
• Intended for general public
• 1970s: NBS (National Bureau of Standards), now named NIST (National Institute of Standards and Technology): need for standard for encrypting unclassified, sensitive information
• 1974: IBM’s candidate: Lucifer
• November 1976: DES was approved as a federal standard in

Page 24: Cryptography 2

DES Versions

• Jan. 15, 1977: DES was published as FIPS PUB 46 (Federal Information Processing Standard), authorized for use on all unclassified data
• 1988 (revised as FIPS-46-1) and 1993 (FIPS-46-2): DES is reaffirmed
• Jan. 1999: DES key is broken in 22 hours and 15 minutes
• 1999 (FIPS-46-3): DES, containing Triple DES, is reaffirmed
• Nov. 26, 2001: The Advanced Encryption Standard (AES) is published in FIPS 197
• May 26, 2002: The AES standard becomes effective
• May 19, 2005: FIPS 46-3 was officially withdrawn but Triple DES is approved by NIST until 2030 for sensitive government information

Page 25: Cryptography 2

Data Encryption Standard

• Mathematics to design strong product ciphers is classified
• Breakable by exhaustive search on 56-bit key size for known plaintext, chosen plaintext and chosen ciphertext attacks
• Security: computational complexity of computing the key under the above scenarios (22 hours)

Page 26: Cryptography 2

Data Encryption Standard

• DES is a product cipher
  • 56 bit key size
  • 64 bit block size for plaintext and cipher text
• Developed by IBM and adopted by NIST with NSA approval
• Encryption and decryption algorithms are public but the design principles are classified

Page 27: Cryptography 2


DES Controversies

Key size 56 bits – threshold of allowing exhaustive-search known plaintext attack

Built in trapdoor – allegations

The US Senate Select Committee of Intelligence exonerated NSA from tampering with the design of DES in any way

Page 28: Cryptography 2


DES Multiple Encryption

1992: proven that DES is not a group: multiple encryptions by DES are not equivalent to a single encryption

Page 29: Cryptography 2

DES Multiple Encryption: Double DES

P → Encryption (K1) → E_K1(P) (intermediate ciphertext) → Encryption (K2) → E_K2[E_K1(P)] (ciphertext)

• Known-plaintext: meet-in-the-middle attack
• Effective key size: 57 bit -- Why not 112?
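Why the effective key size is 57 and not 112 bits, as an added example that is not part of the original slides: with a known plaintext/ciphertext pair, every K1 is tried forward and every K2 backward, and the two sides meet at the intermediate ciphertext. The toy cipher below (12-bit key, 16-bit block) and all names are assumptions made so the search finishes instantly; it costs about 2·2^12 = 2^13 cipher operations instead of 2^24, just as double DES costs about 2·2^56 = 2^57 instead of 2^112.

```python
from collections import defaultdict

KEY_BITS, MASK, MUL = 12, 0xFFFF, 0x6B5D   # toy sizes: 12-bit key, 16-bit block
INV = pow(MUL, -1, 1 << 16)                # MUL is odd, so invertible mod 2^16
KEYS = 1 << KEY_BITS

def enc(k, x):
    """Toy keyed permutation standing in for single DES (not a real cipher)."""
    for r in range(3):
        x = ((x ^ (k * (2 * r + 1))) * MUL) & MASK
        x = ((x << 7) | (x >> 9)) & MASK   # rotate left by 7
    return x

def dec(k, y):
    """Inverse of enc: undo the rounds in reverse order."""
    for r in reversed(range(3)):
        y = ((y >> 7) | (y << 9)) & MASK   # rotate right by 7
        y = ((y * INV) & MASK) ^ (k * (2 * r + 1))
    return y

def double_enc(k1, k2, p):
    return enc(k2, enc(k1, p))             # P -> E_K1(P) -> E_K2[E_K1(P)]

def meet_in_the_middle(pairs):
    """Return (K1, K2) candidates consistent with all known (P, C) pairs."""
    (p0, c0), rest = pairs[0], pairs[1:]
    middle = defaultdict(list)
    for k1 in range(KEYS):                 # 2^12 encryptions from the plaintext side
        middle[enc(k1, p0)].append(k1)
    hits = []
    for k2 in range(KEYS):                 # 2^12 decryptions from the ciphertext side
        for k1 in middle.get(dec(k2, c0), ()):
            # extra known pairs weed out chance matches at the intermediate value
            if all(double_enc(k1, k2, p) == c for p, c in rest):
                hits.append((k1, k2))
    return hits

K1, K2 = 0xA5C, 0x3E7                      # constructed secret keys
PAIRS = [(p, double_enc(K1, K2, p)) for p in (0x1234, 0xBEEF, 0x0042)]

if __name__ == "__main__":
    print([(hex(a), hex(b)) for a, b in meet_in_the_middle(PAIRS)])
```

The price of the speed-up is memory: the table holds one entry per K1, which for real DES means 2^56 stored blocks.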

Page 30: Cryptography 2

DES Multiple Encryption: Triple DES

P → E (K1) → E_K1(P) → D (K2) → D_K2[E_K1(P)] → E (K1) → E_K1[D_K2[E_K1(P)]]

• Tuchman: avoid meet-in-the-middle attack
• If K1=K2: single encryption

Page 31: Cryptography 2


Triple DES

Tuchman’s technique is part of NIST standard

Can be broken in 2^56 operations if one has 2^56 chosen plaintext blocks (Merkle, Hellman 1981)

Could use distinct K1,K2,K3 to avoid this attack -- 2^112 bit key

Page 32: Cryptography 2

DES Algorithm (review)

[Figure: DES algorithm. Data path: 64 bit plaintext → initial permutation → iteration 1, iteration 2, … iteration 16 → 32 bit swap → inverse initial permutation → 64 bit ciphertext. Key path: 56 bit key → permuted choice → left circular shift and permuted choice for each iteration, giving K1, K2, … K16.]

Page 33: Cryptography 2

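DES Cycle (review)

[Figure: one DES cycle. Inputs L i-1 (= R i-2) and R i-1, 32 bits each. R i-1 passes through the expansion permutation (48 bits), is XORed (+) with the 48-bit permuted key, then goes through the S-box (32 bits) and the permutation (32 bits), and is XORed (+) with the 32-bit left half. Outputs: L i and R i.]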

Page 34: Cryptography 2


Modes of DES (review)

ECB – Electronic Code Book

CBC – Cipher Block Chaining

CFB – Cipher FeedBack

OFB – Output FeedBack

Part of NIST standard

Page 35: Cryptography 2

ECB Mode (review)

[Figure: 64 bit data → E (56 bit key) → D (56 bit key) → 64 bit data]

• Good for small messages
• Identical data block will be identically encrypted

Page 36: Cryptography 2

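CBC Mode (review)

[Figure: 64 bit data is XORed (+) with the 64 bit previous ciphertext block and encrypted (E, 56 bit key); the receiver decrypts (D, 56 bit key) and XORs (+) with the 64 bit previous ciphertext block to recover the 64 bit data. + = XOR]

• Need initialization vector
• C_n = E_k[C_{n-1} ⊕ P_n]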

Page 37: Cryptography 2

CFB Mode (review)

[Figure: CFB encryption (E) and decryption (D). Each side keeps 8, 8 bit blocks in a left-shift register under a 56 bit key; the 8 bit plain text is XORed (+) to give the 8 bit cipher text, which is XORed (+) back to 8 bit plain text at the receiver.]

• Needs initialization vector
• Adv: can encipher one character at a time
• Error propagation: current transf. + next 8 characters

Page 38: Cryptography 2

OFB Mode (review)

[Figure: OFB encryption (E) and decryption (D). Each side keeps 8, 8 bit blocks in a left-shift register under a 56 bit key; the 8 bit plain text is XORed (+) to give the 8 bit cipher text, which is XORed (+) back to 8 bit plain text at the receiver.]

• Needs initialization vector
• Adv: can encipher one character at a time
• Error propagation: current transfer only
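The error-propagation claims on the CFB and OFB slides, as an added example that is not part of the original slides: one ciphertext bit is flipped in transit and the damaged plaintext positions are listed for each mode. SHA-256 truncated to 8 bytes stands in for DES encryption (an assumption; both modes only run the cipher forward), and the key, IV and message are constructed.

```python
import hashlib

def E(key, block):
    # Stand-in for DES encryption of one 64-bit block (assumption: truncated
    # SHA-256). CFB and OFB never need the decryption direction.
    return hashlib.sha256(key + block).digest()[:8]

def cfb8(key, iv, data, decrypt=False):
    """8-bit CFB: the shift register is fed with ciphertext bytes."""
    sr, out = iv, bytearray()
    for b in data:
        o = b ^ E(key, sr)[0]
        out.append(o)
        sr = sr[1:] + bytes([b if decrypt else o])  # left shift, append C_i
    return bytes(out)

def ofb8(key, iv, data):
    """8-bit OFB: the shift register is fed with the cipher output itself."""
    sr, out = iv, bytearray()
    for b in data:
        ks = E(key, sr)[0]
        out.append(b ^ ks)
        sr = sr[1:] + bytes([ks])                   # left shift, append output
    return bytes(out)

def damaged_positions(plain, ct, decrypt, flip_at):
    """Flip one ciphertext bit and list the plaintext bytes that change."""
    bad_ct = ct[:flip_at] + bytes([ct[flip_at] ^ 0x01]) + ct[flip_at + 1:]
    return [i for i, (a, b) in enumerate(zip(plain, decrypt(bad_ct))) if a != b]

KEY, IV = b"constructed-key", bytes(8)              # constructed sample values
MSG = b"PAY 0000100 TO ACCOUNT 12345678"            # constructed sample message

def cfb_damage(flip_at=5):
    ct = cfb8(KEY, IV, MSG)
    return damaged_positions(MSG, ct, lambda c: cfb8(KEY, IV, c, True), flip_at)

def ofb_damage(flip_at=5):
    ct = ofb8(KEY, IV, MSG)
    return damaged_positions(MSG, ct, lambda c: ofb8(KEY, IV, c), flip_at)

if __name__ == "__main__":
    print("CFB:", cfb_damage())  # byte 5, then the 8 bytes decrypted while it is in the register
    print("OFB:", ofb_damage())  # byte 5 only
```

In OFB the flipped ciphertext bit flips exactly the same plaintext bit and nothing else, which is the "malicious modification" weakness listed for stream ciphers: the receiver cannot notice the change without a separate integrity check.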

Page 39: Cryptography 2

Advanced Encryption Standard (AES)

• Federal Information Processing Standard (FIPS) to be used by U.S. Government organizations
• Effective since May 26, 2002
• Replaces DES (triple DES remains)
• Rijndael ([Rhine Dhal]) algorithm (Joan Daemen and Vincent Rijmen)

Page 40: Cryptography 2

AES Origin

• Started in 1997 and lasted for several years
• Requirements specified by NIST:
  • Algorithm unclassified and publicly available
  • Available royalty free world wide
  • Symmetric key
  • Operates on data blocks of 128 bits
  • Key sizes of 128, 192, and 256 bits
  • Fast, secure, and portable
  • Active life of 20-30 years
  • Provides full specifications

Page 41: Cryptography 2

AES Finalists 1999:

Algorithm name | Complexity | Speed | Security margin
MARS (IBM - USA) | Complex | Fast | High
Serpent (Anderson, Biham, & Knudsen - U.K.) | Simple - clean | Slow | High
Rijndael (Joan Daemen/V. Rijmen – Belgium) | Simple - clean | Fast | Good
RC6 (RSA Data Security, Inc. - USA) | Very simple | Very fast | Low
Twofish (Bruce Schneier and others - USA) | Complex | Fast | High

Page 42: Cryptography 2

Rijndael Algorithm

• Chosen for: security, performance, efficiency, ease of implementation, and flexibility
• Block cipher (variable block and key length)
• Federal Information Processing Standard (FIPS)

Page 43: Cryptography 2

Rijndael

• Symmetric, block cipher
  • Key size: 128, 192, or 256 bits
  • Block size: 128
    • Processed as 4 groups of 4 bytes (state)
    • Operates on the entire block in every round
• Number of rounds depending on key size:
  • Key=128 → 9 rounds
  • Key=192 → 11 rounds
  • Key=256 → 13 rounds

Page 44: Cryptography 2

Rijndael – Basic Steps (review)

1. Byte Substitution: Non-linear function for confusion
   • S-box used on every byte (table look-up)
2. Shift Rows: Linear mixing function for diffusion
   • Permutes bytes between columns
   • Different for different block sizes (128, 192 same, 256 different)
3. Mix columns: Transformation -- diffusion
   • Shifting left and XOR bits
   • Effect: matrix multiplication
4. Add Round Key: incorporates key and creates confusion
   • XOR state with unique key

• All operations can be combined into XOR and table look-ups
• Very fast and efficient

Page 45: Cryptography 2

Strength of Algorithm

• New – little experimental results
• Cryptanalysis results
  • Few theoretical weaknesses
  • No real problem
• No relation to government agency: no allegations of tampering with code
• Has sound mathematical foundation

Page 46: Cryptography 2

AES Decryption

• Non-identical to encryption
• Steps done in reverse
• Different key schedule

Page 47: Cryptography 2

Key Distribution

Secret key methods

Page 48: Cryptography 2

Conventional Encryption

[Figure: Sender: Plaintext M → Encryption (K) → Ciphertext C → Decryption (K) → Plaintext M (Recipient). A key source supplies K over a secure channel.]

R knows that:
• Message was sent by S
• Message hasn’t been altered

Page 49: Cryptography 2

Summary: Secret-Key Encryption

• Single, secret key
• Key distribution problem of secret key systems
  • Establish key before communication
  • Need n(n-1)/2 keys with n different parties
• Do NOT provide electronic signatures (no third party authentication)
• Faster than public-key encryption

Page 50: Cryptography 2

Symmetric-Key Distribution without Server

• Change encryption key: E(Knew, K), where Knew is the session key, K is the master key

[Figure: Sender: New key → Encryption (K) → Ciphertext C → Decryption (K) → New key (Recipient)]

Page 51: Cryptography 2

Symmetric-Key Distribution with Server

1. Originator → Server: (O, R, IO)
2. Server → Originator: E((IO, R, KOR, E((KOR, O), KR)), KO)
3. Originator → Recipient: E((KOR, O), KR)

• Server: Knows KO and KR
• Originator: Decrypts with KO; Knows KOR; Does not know E((KOR, O), KR)
• Recipient: Decrypts with KR; Knows KOR

Page 52: Cryptography 2

Next class

Public Key Encryption