Cryptography 2
Substitution Transposition
CSCE 522 - Farkas 2
Secret Key Cryptosystem
Sender: Plaintext M → Encryption (key K) → Ciphertext C
Recipient: Ciphertext C → Decryption (key K) → Plaintext M
C = E(K, M)
M = D(K, C)
K needs secure channel
Basic Encryption Techniques
Substitution (confusion)
Permutation (diffusion)
Combinations and iterations of these
Simple Alphabetic Substitution
Assign a new symbol to each plaintext symbol, randomly or by key, e.g.,
C → k, A → h, B → l
M = CAB
C = khl
Advantages: large key space (26!)
Disadvantages: trivially broken by a known-plaintext attack; repeated patterns and letter frequency distributions are unchanged
How about multiple substitutions?
Polyalphabetic Substitution
Frequency distribution: reflects the distribution of the underlying alphabet, so cryptanalysts can find the substitutions
E.g., English: e – 14%, t – 9.85%, a – 7.49%, o – 7.37%, …
Need: flatten the distribution
E.g., combine high and low distributions:
  t → a (odd position), b (even position)
  x → a (even position), b (odd position)
Vigenere Tableau
Use the Vigenere Tableau to encrypt
Plaintext: HOPE YOU ARE HAVING FUN
With key: I think this cipher is hard to break
Cryptanalysis of Polyalphabetic Substitution
1. Determine the number of alphabets used
2. Solve each piece as monoalphabetic substitution.
Kasiski Method: uses the regularity of English: letters, letter groupings, full words, e.g.,
  endings: -th, -ing, -ed, -ion, -ation, -tion, …
  beginnings: im-, in-, re-, un-, ...
  patterns: -eek-, -oot-, -our-, …
  words: of, end, to, with, are, is, …
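The two steps above, carried out on a short Vigenere ciphertext. This is an added example, not code from the slides; the plaintext, the key ABCD and all function names are constructed for illustration.

```python
from collections import defaultdict
from functools import reduce
from math import gcd
import string

A = string.ascii_uppercase

def vigenere(text, key, decrypt=False):
    """Shift each letter by its key letter (one tableau row per key letter)."""
    letters = [c for c in text.upper() if c in A]
    sign = -1 if decrypt else 1
    return "".join(A[(A.index(c) + sign * A.index(key[i % len(key)])) % 26]
                   for i, c in enumerate(letters))

def repeat_distances(ciphertext, n=3):
    """Distances between consecutive occurrences of each repeated n-gram."""
    seen = defaultdict(list)
    for i in range(len(ciphertext) - n + 1):
        seen[ciphertext[i:i + n]].append(i)
    return [b - a for pos in seen.values() for a, b in zip(pos, pos[1:])]

def key_length_hint(ciphertext, n=3):
    """Step 1: the number of alphabets divides the gcd of the repeat distances.
    On long texts chance repeats occur, so tally common factors instead."""
    distances = repeat_distances(ciphertext, n)
    return reduce(gcd, distances) if distances else None

def split_alphabets(ciphertext, k):
    """Step 2: every k-th letter was enciphered with the same alphabet."""
    return [ciphertext[i::k] for i in range(k)]

# Constructed sample: the repeated word lines up with the key at offsets 0, 16, 28.
PLAINTEXT = "CRYPTO IS SHORT FOR CRYPTOGRAPHY CRYPTO IS FUN"
KEY = "ABCD"
CIPHERTEXT = vigenere(PLAINTEXT, KEY)

if __name__ == "__main__":
    print(CIPHERTEXT)
    print(sorted(set(repeat_distances(CIPHERTEXT))), key_length_hint(CIPHERTEXT))
    print(split_alphabets(CIPHERTEXT, key_length_hint(CIPHERTEXT)))
```

Each string returned by split_alphabets is a monoalphabetic substitution and can be attacked with ordinary letter frequencies.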
One-Time Pad
Perfect Secrecy!
Large, non-repeating set of keys
Key is larger than the message
Advantages: immune to most attacks
Disadvantages:
  Need total synchronization
  Need very long, non-repeating key
  Key cannot be reused
  Key management: printing, storing, accounting for
Recommend a practical approach for generating a large key
Summary of Substitution
Advantages:
  Simple
  Easy to encrypt
Disadvantages:
  Easy to break!!!
Transposition
Letters of the message are rearranged
Break patterns, e.g., columnar transposition
Plaintext: this is a test
  t h i s
  i s a t
  e s t !
Ciphertext: tiehssiatst!
Advantages: easy to implement
Disadvantages:
  Trivially broken for known plaintext attack
  Easily broken for cipher only attack
Cryptanalysis
Rearrange the letters
Digrams, Trigrams, Patterns
Frequent digrams: -re-, -th-, -en-, -ed-, …
Cryptanalysis:
1. Compute letter frequencies (subst. or perm.)
2. Compare strings of ciphertext to find reasonable patterns (e.g., digrams)
3. Find digram frequencies
Double Transposition
Two columnar transpositions with different numbers of columns
First transposition: breaks up adjacent letters
Second transposition: breaks up short patterns
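The columnar and double transposition slides as runnable code, using the slide's own message "thisisatest!". This is an added example, not code from the slides; the function names and the column counts 5 and 3 are assumptions chosen for illustration.

```python
from collections import Counter

def columnar_encrypt(text, cols):
    """Write the text row by row into `cols` columns, read it out column by column."""
    return "".join(text[c::cols] for c in range(cols))

def columnar_decrypt(cipher, cols):
    """Invert columnar_encrypt, including a ragged (unpadded) last row."""
    rows, extra = divmod(len(cipher), cols)
    plain = [""] * len(cipher)
    pos = 0
    for c in range(cols):
        for r in range(rows + (1 if c < extra else 0)):
            plain[r * cols + c] = cipher[pos]
            pos += 1
    return "".join(plain)

def double_transposition(text, cols1, cols2):
    """Second transposition applied to the output of the first."""
    return columnar_encrypt(columnar_encrypt(text, cols1), cols2)

def same_letter_counts(a, b):
    """Transposition only moves letters, so the frequency table is untouched."""
    return Counter(a) == Counter(b)

MESSAGE = "thisisatest!"          # the slide's 3 x 4 grid, '!' as padding

if __name__ == "__main__":
    once = columnar_encrypt(MESSAGE, 4)
    print(once, columnar_decrypt(once, 4))        # tiehssiatst! thisisatest!
    print(double_transposition(MESSAGE, 4, 5))    # tstii!eahtss
    print(double_transposition(MESSAGE, 4, 3))    # thisisatest!
```

The last line shows a pitfall: on a 12-letter message, 4 columns followed by 3 columns writes the grid and then reads its transpose back, so the "double" transposition returns the plaintext. The unchanged letter counts are what step 1 of the cryptanalysis uses to tell a permutation from a substitution.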
Product Ciphers
One encryption applied to the result of the other: E_n(E_{n-1}(…(E_1(M)))), e.g.,
  Double transposition
  Substitution followed by permutation, followed by substitution, followed by permutation…
Broken for chosen plaintext
Shannon’s Characteristics of “Good” Ciphers
The amount of secrecy needed should determine the amount of labor appropriate for the encryption and decryption
The set of keys and the enciphering algorithm should be free from complexity
The implementation of the process should be as simple as possible
Shannon’s Characteristics of “Good” Ciphers (cont.)
Errors in ciphering should not propagate and cause corruption of further information in the message
The size of the enciphered text should be no larger than the original message
Trustworthy Encryption Systems
Based on sound mathematics
Has been analyzed by experts
Has stood the test of time
Examples: Data Encryption Standard (DES), Advanced Encryption Standard (AES), Rivest-Shamir-Adleman (RSA)
Stream Ciphers
Convert one symbol of plaintext into a symbol of ciphertext based on the symbol (plain), key, and algorithm
Advantages:
  Speed of transformation
  Low error propagation
Disadvantages:
  Low diffusion
  Vulnerable to malicious insertion and modification
Block Ciphers
Encrypt a group of plaintext symbols as one block and produce a block of ciphertext
Advantages:
  Diffusion
  Immunity to insertions
Disadvantages:
  Slowness of encryption
  Error propagation
Secret Key Cryptosystem Vulnerabilities (1)
Passive Attacker (Eavesdropper)
  Obtain and/or guess key and cryptosystem, use these to decrypt messages
  Capture text in transit and try a ciphertext-only attack to obtain plaintext
Secret Key Cryptosystem Vulnerabilities (2)
Active Attacker
  Break communication channel (denial of service)
  Obtain and/or guess key and cryptosystem and use these to send fake messages
No third party authentication
Inherent Weaknesses of Symmetric Cryptography
Key distribution must be done secretly (difficult when parties are geographically distant, or don't know each other)
Need a key for each pair of users: n users need n*(n-1)/2 keys
If the secret key (and cryptosystem) is compromised, the adversary will be able to decrypt all traffic and produce fake messages
Data Encryption Standards
DES
Background and History
Developed by the U.S. government
Intended for general public
1970s: NBS (National Bureau of Standards), now named NIST (National Institute of Standards and Technology): need for standard for encrypting unclassified, sensitive information
1974: IBM’s candidate: Lucifer
November 1976: DES was approved as a federal standard in
DES Versions
Jan. 15, 1977: DES was published as FIPS PUB 46 (Federal Information Processing Standard), authorized for use on all unclassified data
1988 (revised as FIPS-46-1) and 1993 (FIPS-46-2): DES is reaffirmed
Jan. 1999: DES key is broken in 22 hours and 15 minutes
1999 (FIPS-46-3): DES, containing Triple DES, is reaffirmed
Nov. 26, 2001: The Advanced Encryption Standard (AES) is published in FIPS 197
May 26, 2002: The AES standard becomes effective
May 19, 2005: FIPS 46-3 was officially withdrawn but Triple DES is approved by NIST until 2030 for sensitive government information
Data Encryption Standard
Mathematics to design strong product ciphers is classified
Breakable by exhaustive search on 56-bit key size for known plaintext, chosen plaintext and chosen ciphertext attacks
Security: computational complexity of computing the key under the above scenarios (22 hours)
Data Encryption Standard
DES is a product cipher
  56 bit key size
  64 bit block size for plaintext and ciphertext
Developed by IBM and adopted by NIST with NSA approval
Encryption and decryption algorithms are public but the design principles are classified
DES Controversies
Key size 56 bits – threshold of allowing exhaustive-search known plaintext attack
Built in trapdoor – allegations
The US Senate Select Committee of Intelligence exonerated NSA from tampering with the design of DES in any way
DES Multiple Encryption
1992: proven that DES is not a group: multiple encryptions by DES are not equivalent to a single encryption
DES Multiple Encryption: Double DES
P → Encryption (K1) → intermediate ciphertext E_K1(P) → Encryption (K2) → ciphertext E_K2[E_K1(P)]
Known-plaintext: meet-in-the-middle attack
Effective key size: 57 bit -- Why not 112?
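Why doubling the key does not double the effective key size, shown with a scaled-down model: a 16-bit key stands in for the 56-bit DES key, so the meet-in-the-middle search costs 2^17 cipher operations instead of 2^32, mirroring 2^57 versus 2^112. This is an added example, not code from the slides; the toy Feistel cipher, keys and plaintexts are constructed and are not DES.

```python
MASK = 0xFFFF

def _f(half, key, rnd):
    """Toy round function (constructed for this example, not DES)."""
    x = (half ^ key ^ (rnd * 0x9E37)) & MASK
    x = (x * 0x2545 + 0x01B3) & MASK
    return x ^ (x >> 7)

def encrypt(key, block):
    """4-round Feistel: 32-bit block, 16-bit key."""
    l, r = block >> 16, block & MASK
    for rnd in range(4):
        l, r = r, l ^ _f(r, key, rnd)
    return (l << 16) | r

def decrypt(key, block):
    """Undo encrypt by running the rounds in reverse order."""
    l, r = block >> 16, block & MASK
    for rnd in reversed(range(4)):
        l, r = r ^ _f(l, key, rnd), l
    return (l << 16) | r

def meet_in_the_middle(pairs, key_bits=16):
    """Find (k1, k2) with C = E(k2, E(k1, P)) from known (P, C) pairs."""
    (p0, c0), rest = pairs[0], pairs[1:]
    ops, middle = 0, {}
    for k1 in range(1 << key_bits):          # forward: table of E(k1, P)
        middle.setdefault(encrypt(k1, p0), []).append(k1)
        ops += 1
    found = []
    for k2 in range(1 << key_bits):          # backward: D(k2, C), then look up
        ops += 1
        for k1 in middle.get(decrypt(k2, c0), []):
            # a second known pair weeds out chance matches in the middle
            if all(encrypt(k2, encrypt(k1, p)) == c for p, c in rest):
                found.append((k1, k2))
    return found, ops

# Constructed keys and known plaintexts.
K1, K2 = 0x3A7C, 0xC1D5
PAIRS = [(p, encrypt(K2, encrypt(K1, p))) for p in (0x01234567, 0x89ABCDEF)]
FOUND, OPS = meet_in_the_middle(PAIRS)

if __name__ == "__main__":
    print([(hex(a), hex(b)) for a, b in FOUND], OPS, "vs", 1 << 32)
```

The price of the shortcut is memory: the forward table holds one entry per candidate K1.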
DES Multiple Encryption: Triple DES
P → E (K1) → E_K1(P) → D (K2) → D_K2[E_K1(P)] → E (K1) → E_K1[D_K2[E_K1(P)]]
Tuchman: avoid meet-in-the-middle attack
If K1=K2: single encryption
Triple DES
Tuchman’s technique is part of NIST standard
Can be broken in 2^56 operations if one has 2^56 chosen plaintext blocks (Merkle, Hellman 1981)
Could use distinct K1,K2,K3 to avoid this attack -- 2^112 bit key
DES Algorithm (review)
[Figure: data path: 64 bit plaintext, initial permutation, iteration 1, iteration 2, …, iteration 16, 32 bit swap, inverse initial permutation, 64 bit ciphertext. Key path: 56 bit key, permuted choice, then for each iteration a left circular shift and permuted choice 1, 2, …, 16, producing K1, K2, …, K16.]
DES Cycle (review)
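[Figure: one DES cycle. Inputs L i-1 (= R i-2) and R i-1, 32 bits each. R i-1 passes through the expansion permutation (32 bits to 48 bits), is XORed (+) with the 48 bit permuted key, then goes through the S-box (48 bits to 32 bits) and a permutation; the 32 bit result is XORed (+) with L i-1. Outputs L i and R i.]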
Modes of DES (review)
ECB – Electronic Code Book
CBC – Cipher Block Chaining
CFB – Cipher FeedBack
OFB – Output FeedBack
Part of NIST standard
ECB Mode (review)
[Figure: 64 bit data → E (56 bit key) → D (56 bit key) → 64 bit data]
Good for small messages
Identical data block will be identically encrypted
CBC Mode (review)
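[Figure: 64 bit data is XORed (+) with the 64 bit previous ciphertext block and encrypted (E) under the 56 bit key; the recipient decrypts (D) under the 56 bit key and XORs (+) with the 64 bit previous ciphertext block to recover the 64 bit data]
+ = XOR
Need initialization vector
C_n = E_k[C_{n-1} ⊕ P_n]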
CFB Mode (review)
[Figure: on each side a register of 8, 8 bit blocks with left shift, the 56 bit key, box E (sender) and box D (recipient), and an XOR (+) between the 8 bit plain text and the 8 bit cipher text]
Needs initialization vector
Adv: can encipher one character at a time
Error propagation: current transf. + next 8 characters
OFB Mode (review)
[Figure: on each side a register of 8, 8 bit blocks with left shift, the 56 bit key, box E (sender) and box D (recipient), and an XOR (+) between the 8 bit plain text and the 8 bit cipher text]
Needs initialization vector
Adv: can encipher one character at a time
Error propagation: current transfer only
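The error-propagation claims on the CFB and OFB slides, checked by flipping one bit of ciphertext in transit. This is an added example, not code from the slides; it assumes 8-bit feedback into a 64-bit shift register as in the diagrams, and uses truncated SHA-256 as a stand-in for the DES box. Key, IV and message are constructed.

```python
import hashlib

def E(key, register):
    """Stand-in for the DES box (assumption: SHA-256 cut to 64 bits; the
    Python standard library has no DES). Both modes only ever run E forward."""
    return hashlib.sha256(key + register).digest()[:8]

def cfb8(key, iv, data, decrypt=False):
    reg, out = iv, bytearray()
    for byte in data:
        result = byte ^ E(key, reg)[0]            # leftmost 8 bits of E(register)
        out.append(result)
        cipher_byte = byte if decrypt else result
        reg = reg[1:] + bytes([cipher_byte])      # left shift, feed back ciphertext
    return bytes(out)

def ofb8(key, iv, data):
    """Encryption and decryption are the same operation in OFB."""
    reg, out = iv, bytearray()
    for byte in data:
        ks = E(key, reg)[0]
        out.append(byte ^ ks)
        reg = reg[1:] + bytes([ks])               # left shift, feed back E output
    return bytes(out)

def damaged(sent, received):
    """Positions where the recovered plaintext differs from what was sent."""
    return [i for i, (a, b) in enumerate(zip(sent, received)) if a != b]

def flip_bit(data, index):
    """Model a one-bit transmission error in byte `index`."""
    return data[:index] + bytes([data[index] ^ 0x01]) + data[index + 1:]

# Constructed key, IV and message.
KEY, IV = b"constructed key", bytes(8)
MSG = b"HOPE YOU ARE HAVING FUN WITH DES MODES"
CFB_DAMAGE = damaged(MSG, cfb8(KEY, IV, flip_bit(cfb8(KEY, IV, MSG), 5), decrypt=True))
OFB_DAMAGE = damaged(MSG, ofb8(KEY, IV, flip_bit(ofb8(KEY, IV, MSG), 5)))

if __name__ == "__main__":
    print("CFB damaged positions:", CFB_DAMAGE)   # 5 plus up to the next 8
    print("OFB damaged positions:", OFB_DAMAGE)   # 5 only
```

In CFB the damaged ciphertext byte sits in the receiver's register for the next 8 steps, which is why the damage extends that far and then stops. In OFB the register never sees ciphertext, so only the flipped position is affected.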
Advanced Encryption Standard (AES)
Federal Information Processing Standard (FIPS) to be used by U.S. Government organizations
Effective since May 26, 2002
Replaces DES (triple DES remains)
Rijndael ([Rhine Dhal]) algorithm (Joan Daemen and Vincent Rijmen)
AES Origin
Started in 1997 and lasted for several years
Requirements specified by NIST:
  Algorithm unclassified and publicly available
  Available royalty free world wide
  Symmetric key
  Operates on data blocks of 128 bits
  Key sizes of 128, 192, and 256 bits
  Fast, secure, and portable
  Active life of 20-30 years
  Provides full specifications
AES Finalists (1999):
Algorithm name | Complexity | Speed | Security margin
MARS (IBM - USA) | Complex | Fast | High
Serpent (Anderson, Biham, & Knudsen - U.K.) | Simple - clean | Slow | High
Rijndael (Joan Daemen/V. Rijmen - Belgium) | Simple - clean | Fast | Good
RC6 (RSA Data Security, Inc. - USA) | Very simple | Very fast | Low
Twofish (Bruce Schneier and others - USA) | Complex | Fast | High
Rijndael Algorithm
Chosen for: security, performance, efficiency, ease of implementation, and flexibility
Block cipher (variable block and key length)
Federal Information Processing Standard (FIPS)
Rijndael
Symmetric, block cipher
Key size: 128, 192, or 256 bits
Block size: 128
  Processed as 4 groups of 4 bytes (state)
  Operates on the entire block in every round
Number of rounds depending on key size:
  Key=128: 9 rounds
  Key=192: 11 rounds
  Key=256: 13 rounds
Rijndael – Basic Steps (review)
1. Byte Substitution: Non-linear function for confusion
  • S-box used on every byte (table look-up)
2. Shift Rows: Linear mixing function for diffusion
  • Permutes bytes between columns
  • Different for different block sizes (128, 192 same, 256 different)
3. Mix columns: Transformation -- diffusion
  • Shifting left and XOR bits
  • Effect: matrix multiplication
4. Add Round Key: incorporates key and creates confusion
  • XOR state with unique key
All operations can be combined into XOR and table look-ups
Very fast and efficient
Strength of Algorithm
New – little experimental results
Cryptanalysis results
  Few theoretical weaknesses
  No real problem
No relation to government agency: no allegations of tampering with code
Has sound mathematical foundation
AES Decryption
Non-identical to encryption
Steps done in reverse
Different key schedule
Key Distribution
Secret key methods
Conventional Encryption
[Figure: the Sender encrypts plaintext M under key K into ciphertext C; the Recipient decrypts C under K to recover plaintext M; the key source delivers K over a secure channel]
R knows that:
  • Message was sent by S
  • Message hasn’t been altered
Summary: Secret-Key Encryption
Single, secret key
Key distribution problem of secret key systems
  Establish key before communication
  Need n(n-1)/2 keys with n different parties
Do NOT provide electronic signatures (no third party authentication)
Faster than public-key encryption
Symmetric-Key Distribution without Server
Change encryption key: E(Knew, K), where Knew is the session key, K is the master key
[Figure: the Sender encrypts the new key under K into ciphertext C; the Recipient decrypts C under K to recover the new key]
Symmetric-Key Distribution with Server
Originator → Server: (O, R, I_O)
Server → Originator: E((I_O, R, K_OR, E((K_OR, O), K_R)), K_O)
Originator → Recipient: E((K_OR, O), K_R)
Server: knows K_O and K_R
Originator: decrypts with K_O; knows K_OR; does not know E((K_OR, O), K_R)
Recipient: decrypts with K_R; knows K_OR
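The three messages of the server-based exchange, run end to end. This is an added example, not code from the slides; seal/unseal are a stand-in for E(message, key) built from the Python standard library, I_O is treated as a fresh per-request identifier (an assumption), and all keys are constructed at run time.

```python
import hashlib, hmac, json, os

def seal(key, obj):
    """Stand-in for E(message, key): SHAKE-256 keystream plus HMAC tag
    (an assumption for this example, not the cipher from the slides)."""
    data, nonce = json.dumps(obj).encode(), os.urandom(16)
    stream = hashlib.shake_256(key + nonce).digest(len(data))
    body = bytes(a ^ b for a, b in zip(data, stream))
    return (nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()).hex()

def unseal(key, blob):
    """Inverse of seal; raises ValueError under the wrong key or after tampering."""
    raw = bytes.fromhex(blob)
    nonce, body, tag = raw[:16], raw[16:-32], raw[-32:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or altered message")
    stream = hashlib.shake_256(key + nonce).digest(len(body))
    return json.loads(bytes(a ^ b for a, b in zip(body, stream)))

def server_reply(master_keys, request):
    """Server knows K_O and K_R, picks K_OR, answers under K_O."""
    o, r, i_o = request
    k_or = os.urandom(16).hex()
    ticket = seal(master_keys[r], [k_or, o])               # E((K_OR, O), K_R)
    return seal(master_keys[o], [i_o, r, k_or, ticket])    # E((I_O, R, K_OR, ticket), K_O)

def run_exchange():
    keys = {"O": os.urandom(16), "R": os.urandom(16)}      # constructed master keys
    i_o = os.urandom(8).hex()                              # I_O, fresh per request
    reply = server_reply(keys, ("O", "R", i_o))            # message 1 and its answer
    got_i, got_r, k_or_at_o, ticket = unseal(keys["O"], reply)
    if (got_i, got_r) != (i_o, "R"):
        raise ValueError("reply does not match the request")
    try:
        unseal(keys["O"], ticket)                          # O lacks K_R
        o_opened_ticket = True
    except ValueError:
        o_opened_ticket = False
    k_or_at_r, sender = unseal(keys["R"], ticket)          # O forwards the ticket to R
    return k_or_at_o == k_or_at_r, sender, o_opened_ticket

if __name__ == "__main__":
    print(run_exchange())   # (True, 'O', False)
```

The result shows both parties holding the same K_OR, the Recipient learning from the ticket that the key is for talking to O, and the Originator unable to open the part sealed under K_R.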
Next class: Public Key Encryption