CSE 3043 Week 3 Lecture Cryptography Part 1
Transcript of CSE 3043 Week 3 Lecture Cryptography Part 1
-
8/4/2019 CSE 3043 Week 3 Lecture Cryptography Part 1
Goals of this lecture:
to introduce basic concepts & terminology of encryption
to prepare us for studying modern cryptography
-
SCYTALE is an example of a really old technology that was
The operation is so simple. Get a long strip of leather and wind it over a rod like the picture, write the clear data on the leather over the rod and then unwind it.
HELP ME I AM UNDER ATTACK will be "HENTEIDTLAEAPMRCMUAK", and it totally depends on
the message.
-
Plaintext: original message to be encrypted
Ciphertext: the encrypted message
converting plaintext into ciphertext
o Two inputs: a plaintext and a secret key
-
Deciphering or decryption: recovering plaintext from ciphertext
Decryption algorithm: performs decryption
and decryption
o Also referred to as a symmetric key
-
Cipher or cryptographic system: a scheme for encryption and decryption
Cryptography: science of studying ciphers
Cryptanalysis: science of studying attacks against cryptographic systems
Cryptology: cryptography + cryptanalysis
-
or conventional / secret-key / single-key
sender and recipient share a common key
all classical encryption algorithms are symmetric
the only type of ciphers prior to the invention of asymmetric-key ciphers in
by far most widely used
-
Goal: Confidentiality
Alice  Bob
My account number is 485853
Eve
Message sent in clear: Eve can overhear
Encryption unintelligible to Eve; only Bob
Alice)
-
Notations mathematically:
Y = E_K(X) or Y = E(K, X)
X = D_K(Y) or X = D(K, Y)
Y = ciphertext
K = secret key
E = encryption algorithm
D = decryption algorithm
D is the inverse of E
Both E and D are known to public
-
Alice: M -> E_K1(M) -> C -> D_K2(C) -> M: Bob (key K1 at Alice, key K2 at Bob)
M: message
E_K1(M): message M is encrypted using key K1
K2: decryption key
D_K2(C): ciphertext C is decrypted using key K2
If K1 = K2 this is symmetric (secret key) encryption
If K1 ≠ K2 this is asymmetric (public key) encryption
-
Alice encrypts (algorithm F) a message (m) with the same key (k) that Bob uses to decrypt.
Alice:
1. Construct m
2. Compute c = F(m,k)
3. Send c to Bob
Bob:
4. Receive c from Alice
5. Compute d = F^-1(c,k)
Eve can see c, but cannot compute m,
because k is only known to Alice and Bob
-
Objective: to recover the plaintext of a ciphertext or, more typically, to recover the secret key.
Kerckhoffs' principle: the adversary knows all details about a cryptosystem except.
Two general approaches:
o brute-force attack
o non-brute-force attack (cryptanalytic attack)
-
Try every key to decipher the ciphertext.
Time needed proportional to size of key space
Key size (bits) | Number of alternative keys | Time required at 1 decryption/µs | Time required at 10^6 decryptions/µs
32 | 2^32 = 4.3 × 10^9 | 2^31 µs = 35.8 minutes | 2.15 milliseconds
56 | 2^56 = ... × 10^16 | 2^55 µs = ... | ...
128 | 2^128 = 3.4 × 10^38 | 2^127 µs = 5.4 × 10^24 years | 5.4 × 10^18 years
168 | 2^168 = 3.7 × 10^50 | 2^167 µs = 5.9 × 10^36 years | 5.9 × 10^30 years
26 characters (permutation) | 26! = 4 × 10^26 | 2 × 10^26 µs = 6.4 × 10^12 years | 6.4 × 10^6 years
-
May be classified by how much information needed by the attacker:
o Ciphertext-only attack
o Known-plaintext attack
o Chosen-plaintext attack
o Chosen-ciphertext attack
-
Given: a ciphertext c
Q: what is the plaintext m?
An encryption scheme is completely insecure if it cannot resist ciphertext-only attacks.
-
Alice: M -> E_K(M) -> C -> D_K(C) -> M: Bob (K on both sides)
Eve
Ciphertext-only attack: Eve can gather and analyze Cs to learn K
How does Eve know she got the right key?
Eve has to have enough ciphertext
-
Given: (m1,c1), (m2,c2), ..., (mk,ck) and a new ciphertext c.
Q: what is the plaintext of new ciphertext c?
Q: what is the secret key in use?
-
Alice: M -> E_K(M) -> C -> D_K(C) -> M: Bob (K on both sides)
Eve
Known-plaintext attack: Eve can attempt to learn K by observing many
How does Eve obtain the plaintext?
-
Given: (m1,c1), (m2,c2), ..., (mk,ck), where m1, m2, ..., mk are chosen by the adversary; and a new ciphertext c.
Q: what is the plaintext of c, or what is the secret key?
-
Alice: M -> E_K(M) -> C -> D_K(C) -> M: Bob (K on both sides)
Mallory
Chosen-plaintext attack: Mallory can feed chosen messages M into encryption algorithm and look at resulting ciphertexts C. Learn either K or messages M that produce C. Assumption is that extremely few
-
In 1942, US Navy cryptanalysts discovered that Japan
They believed that AF means Midway island.
US forces in Midway sent a plain message that their
Shortly, US intercepted a Japanese ciphertext saying AF was low on water.
This proved that AF is Midway.
-
Given: (m1,c1), (m2,c2), ..., (mk,ck), where c1, c2, ..., ck are chosen by the adversary; and a new ciphertext c.
Q: what is the plaintext of c, or what is the
-
Alice: M -> E_K(M) -> C -> D_K(C) -> M: Bob (K on both sides)
Mallory
Man-in-the-middle attack:
o Mallory can substitute messages
o Mallory can modify messages
o So that they are scrambled
o Mallory can drop messages
o Mallory can replay messages to Alice, Bob or the third party
-
Alice: M -> E_K(M) -> C -> D_K(C) -> M: Bob (K on both sides)
Eve
Brute-force attack: Eve has caught a ciphertext and will try every possible key to try to decrypt it. This can be made infinitely hard by choosing a large keyspace.
-
Plaintext is viewed as a sequence of elements, e.g., bits or characters
Substitution cipher: replacing each element.
rearranging the order of the elements of the plaintext.
Product cipher: using multiple stages of substitutions and transpositions
-
Substitution
o Goal: obscure relationship between plaintext and ciphertext
o Substitute parts of plaintext with parts of ciphertext
Transposition
o Goal: dissipate redundancy of the plaintext by spreading it over ciphertext
many bits of the ciphertext (if we have rounds of encryption)
-
Earliest known substitution cipher
Invented by Julius Caesar
Each letter is replaced by the letter K positions further down the alphabet (e.g. K=3).
Plain:  a b c d e f g h i j k l m n o p q r s t u v w x y z
Cipher: D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
Example: ohio state -> RKLR VWDWH
HELLO becomes KHOOR
-
Mathematically, map letters to numbers:
a, b, c, ..., x, y, z -> 0, 1, 2, ..., 23, 24, 25
Then the general Caesar cipher is:
c = E_K(p) = (p + k) mod 26
p = D_K(c) = (c - k) mod 26
Can be generalized with any alphabet.
-
Key space: {0, 1, ..., 25}
Instead of using number K = 3 we could use k ∈ [1,25]. K would be our key
How can we break this cipher?
Vulnerable to brute-force attacks.
E.g., break ciphertext "UNOU YZGZK"
Need to recognize it when we have the plaintext
What if the plaintext is written in Swahili?
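The brute-force attack on the slide's ciphertext, with an automatic way to recognize the plaintext. This is an added example, not part of the lecture; the frequency table is an approximate English one and the function names are made up for the illustration.

```python
# Added example: brute-force all 26 Caesar keys and rank the candidate
# plaintexts by how English-like their letters are.
import string

# Approximate relative letter frequencies in English text, in percent.
ENGLISH_FREQ = {
    "A": 8.17, "B": 1.49, "C": 2.78, "D": 4.25, "E": 12.70, "F": 2.23,
    "G": 2.02, "H": 6.09, "I": 6.97, "J": 0.15, "K": 0.77, "L": 4.03,
    "M": 2.41, "N": 6.75, "O": 7.51, "P": 1.93, "Q": 0.10, "R": 5.99,
    "S": 6.33, "T": 9.06, "U": 2.76, "V": 0.98, "W": 2.36, "X": 0.15,
    "Y": 1.97, "Z": 0.07,
}

def caesar_decrypt(ciphertext, k):
    """Apply p = (c - k) mod 26 to letters; leave everything else alone."""
    out = []
    for ch in ciphertext.upper():
        if ch in string.ascii_uppercase:
            out.append(chr((ord(ch) - ord("A") - k) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)

def english_score(text):
    """Sum of English letter frequencies: higher means more English-like."""
    return sum(ENGLISH_FREQ.get(ch, 0.0) for ch in text)

def brute_force(ciphertext):
    """Return (score, key, candidate) for every key, best candidate first."""
    results = []
    for k in range(26):
        candidate = caesar_decrypt(ciphertext, k)
        results.append((english_score(candidate), k, candidate))
    return sorted(results, reverse=True)

if __name__ == "__main__":
    # Show the three most English-like decryptions of the slide's ciphertext.
    for score, k, text in brute_force("UNOU YZGZK")[:3]:
        print(f"k={k:2d}  score={score:6.2f}  {text}")
```

The scorer only recognizes English; a plaintext in another language needs that language's frequency table, which is the point of the Swahili question.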
-
We can also choose a mapping for each letter (A ... Z): for example,
(H is A, E is M, L is K, O is Y). This mapping would be our key.
This is monoalphabetic cipher.
o becomes
Monoalphabetic: each character is replaced with another character
How can we break this cipher?
Frequency of symbols stays the same and can be used to break the cipher
-
Shuffle the letters and map each plaintext letter to a different random ciphertext letter:
Plain letters:  abcdefghijklmnopqrstuvwxyz
Cipher letters: DKVQFIBJWPESCXHTMYAUOLRGZN
Plaintext:  ifwewishtoreplaceletters
Ciphertext: WIRFRWAJUHYFTSDVFSFUUFYA
-
= 26 .
With so many keys, it is secure against brute-force attacks.
But not secure against some cryptanalytic attacks.
Problem is language characteristics.
-
Human languages are not random.
Letters are not equally frequently used.
In English, E is by far the most common letter, followed by T, R, N, I, O, A, S.
Other letters like Z, J, K, Q, X are fairly rare.
There are tables of single, double & triple
letter frequencies for various languages
-
In decreasing order of frequency
Double letters:
th he an in er re es on,
Triple letters:
the and ent ion tio for nde,
-
Key concept:
o monoalphabetic substitution does not change relative letter frequencies
To attack, we
o compare this distribution against the known one
-
Given ciphertext:
UZQSOVUOHXMOPVGPOZPEVSGZWSZOPFPESXUDBMETSXAIZ
EPYEPOPDZSZUFPOMBZWPFUPZHMDJUDTMOHMQ
Count relative letter frequencies (see next
Guess {P, Z} = {e, t}
Of double letters, ZW has highest frequency, so guess ZW = th and hence ZWP = the
Proceeding with trial and error finally get:
it was disclosed yesterday that several informal but direct contacts have been made with political representatives of the viet cong in moscow
-
. . . . .
Z 11.67 D 5.00 W 3.33 G 1.67 K 0.00. . . . .
U 8.33 V 4.17 T 2.50 I 0.83 N 0.00
. . . . .
M 6.67
-
Not even the large number of keys in a monoalphabetic cipher provides security.
One approach to improving security is to encrypt multiple letters at a time.
The Playfair Cipher is the best known such cipher.
Invented by Charles Wheatstone in 1854, but named after his friend Baron Playfair.
-
.
Fill in letters of the key (w/o duplicates).
E.g., key = MONARCHY.
M O N A R
C H Y B D
E F G I/J K
L P Q S T
U V W X Z
-
Plaintext is encrypted two letters at a time.
1. If a pair is a repeated letter, insert filler like 'X'.
2. If both letters fall in the same row, replace each with the letter to its right (circularly).
3. If both letters fall in the same column, replace each with the letter below it (circularly).
4. Otherwise, each letter is replaced by the letter in the same row but in the column of the other letter.
-
Equivalent to a monoalphabetic cipher with an alphabet of x = characters.
Security is much improved over the simple monoalphabetic cipher.
Was widely used for many decades
o e.g. by US & British military in WW1 and early WW2
Once thought to be unbreakable.
Actually, it can be broken, because it still leaves some structure of plaintext intact.
-
Keyword: Infosec
I/J N F O S
E C A B D
G H K L M
P Q R T U
V W X Y Z
-
Rules recall:
o Group plaintext letters two at a time
o Separate repeating letters with an x
o Take a pair of letters from plaintext
o Plaintext letters in the same row are replaced by letters to the right (cyclic manner)
o Plaintext letters in the same column are replaced
o Plaintext letters in different row and column are
the column of the other letter and vice versa
-
E.g., Plaintext: CRYPTO IS TOO EASY
Keyword is INFOSEC
Grouped text: CR YP TO IS TO XO EA SY
Ciphertext: AQ VT YB NI YB YF CB OZ
To decrypt, the receiver reconstructs the 5 x 5 matrix using the keyword and then uses
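The Playfair rules and the INFOSEC example above, as runnable code. This is an added example, not part of the lecture; it follows the slides' convention of putting the filler X between any two repeated adjacent letters before pairing, and the function names are made up for the illustration.

```python
# Added example: Playfair as described in the slides (I/J share a cell,
# repeated adjacent letters are separated with the filler X).
ALPHABET = "ABCDEFGHIKLMNOPQRSTUVWXYZ"  # 25 letters, J folded into I

def build_square(keyword):
    """Keyword letters first (no duplicates), then the rest of the alphabet."""
    seen = []
    for ch in keyword.upper() + ALPHABET:
        ch = "I" if ch == "J" else ch
        if ch in ALPHABET and ch not in seen:
            seen.append(ch)
    return [seen[r * 5:r * 5 + 5] for r in range(5)]

def digraphs(plaintext, filler="X"):
    """Split into letter pairs, inserting the filler between repeated letters."""
    letters = []
    for ch in plaintext.upper():
        ch = "I" if ch == "J" else ch
        if ch not in ALPHABET:
            continue  # drop spaces and punctuation
        if letters and letters[-1] == ch:
            letters.append(filler)
        letters.append(ch)
    if len(letters) % 2:
        letters.append(filler)  # pad an odd-length message
    return ["".join(letters[i:i + 2]) for i in range(0, len(letters), 2)]

def transform_pair(square, pair, step):
    """step=+1 encrypts, step=-1 decrypts (row/column moves are circular)."""
    pos = {square[r][c]: (r, c) for r in range(5) for c in range(5)}
    (r1, c1), (r2, c2) = pos[pair[0]], pos[pair[1]]
    if r1 == r2:   # same row: move along the row
        return square[r1][(c1 + step) % 5] + square[r2][(c2 + step) % 5]
    if c1 == c2:   # same column: move along the column
        return square[(r1 + step) % 5][c1] + square[(r2 + step) % 5][c2]
    return square[r1][c2] + square[r2][c1]  # rectangle: swap the columns

def playfair_encrypt(plaintext, keyword):
    square = build_square(keyword)
    return " ".join(transform_pair(square, p, +1) for p in digraphs(plaintext))

def playfair_decrypt(ciphertext, keyword):
    square = build_square(keyword)
    letters = [ch for ch in ciphertext.upper() if ch in ALPHABET]
    pairs = ["".join(letters[i:i + 2]) for i in range(0, len(letters), 2)]
    return " ".join(transform_pair(square, p, -1) for p in pairs)

if __name__ == "__main__":
    print(playfair_encrypt("CRYPTO IS TOO EASY", "INFOSEC"))
    print(playfair_decrypt("AQ VT YB NI YB YF CB OZ", "INFOSEC"))
```

Decryption returns the grouped text with the filler still in place; the receiver removes the X by reading the result.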
-
A sequence of monoalphabetic ciphers (M1, M2, M3, ..., Mk) is used in turn to encrypt letters.
A key determines which sequence of ciphers to use.
corresponding ciphertext letters.
This makes cryptanalysis harder since the letter frequency distribution will be flatter.
-
Simplest and most common polyalphabetic substitution cipher
Consider the set of all Caesar ciphers:
{ Ca, Cb, Cc, ..., Cz }
Key: e.g. security
Encrypt each letter using Cs, Ce, Cc, Cu, Cr, Ci, Ct, Cy in turn.
y.
Decryption simply works in reverse.
-
E.g., Message = SEE ME IN MALL
Take keyword as INFOSEC
Vigenère cipher works as follows:
S E E M E I N M A L L
I N F O S E C I N F O
-------------------------------------
A R J A W M P U N Q Z
-
To decrypt, the receiver places the keyword characters below each ciphertext character
corresponding to the keyword character and look for the ciphertext character in that row
Plaintext character is then at the top of that
-
Decryption of ciphertext:
A R J A W M P U N Q Z
I N F O S E C I N F O
----------------------------------
S E E M E I N M A L L
Best feature is that same plaintext character is substituted by different ciphertext
-
Keyword: deceptive
key: deceptivedeceptivedeceptive
plaintext: wearediscoveredsaveyourself
ciphertext: ZICVTWQNGRZGVTWAVZHCQYGLMGJ
-
There are multiple (how many?) ciphertext letters.
So, letter frequencies are obscured but not totally lost.
To break Vigenère cipher:
2. If key length is N, the cipher consists of N Caesar ciphers. Plaintext letters at positions k, N+k, 2N+k, 3N+k, etc., are encoded by the same cipher.
3. Attack each individual cipher as before.
-
Main idea: Plaintext words separated by
same way. In our example, if plaintext =
to the same ciphertext words.
So look at the ciphertext for repeated patterns.
E.g. repeated "VTW" in the previous example suggests a key length of 3 or 9:
ciphertext: ZICVTWQNGRZGVTWAVZHCQYGLMGJ
Of course, the repetition could be a random fluke.
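The Vigenère examples from the earlier slides and the repeated-pattern key-length guess above, in one added example that is not part of the lecture. The function names and the `max_len` bound are assumptions made for the illustration.

```python
# Added example: Vigenere encryption/decryption and the repeated-pattern
# search used to guess the key length.
from collections import defaultdict

def vigenere(text, key, decrypt=False):
    """Shift each letter by the matching key letter; non-letters are dropped."""
    sign = -1 if decrypt else 1
    out = []
    i = 0  # index into the key, advanced once per letter processed
    for ch in text.upper():
        if not ("A" <= ch <= "Z"):
            continue
        k = ord(key[i % len(key)].upper()) - ord("A")
        out.append(chr((ord(ch) - ord("A") + sign * k) % 26 + ord("A")))
        i += 1
    return "".join(out)

def repeated_ngrams(ciphertext, n=3):
    """Map every n-gram that occurs more than once to its start positions."""
    positions = defaultdict(list)
    for i in range(len(ciphertext) - n + 1):
        positions[ciphertext[i:i + n]].append(i)
    return {gram: pos for gram, pos in positions.items() if len(pos) > 1}

def candidate_key_lengths(ciphertext, n=3, max_len=20):
    """Key lengths that divide the distance between repeats, most votes first."""
    votes = defaultdict(int)
    for pos in repeated_ngrams(ciphertext, n).values():
        for a, b in zip(pos, pos[1:]):
            distance = b - a
            for length in range(2, max_len + 1):
                if distance % length == 0:
                    votes[length] += 1
    return sorted(votes, key=lambda length: (-votes[length], length))

if __name__ == "__main__":
    ct = vigenere("wearediscoveredsaveyourself", "deceptive")
    print(ct)                         # the slide's ciphertext
    print(repeated_ngrams(ct))        # VTW repeats 9 positions apart
    print(candidate_key_lengths(ct))  # divisors of 9 within range
    print(vigenere("SEE ME IN MALL", "INFOSEC"))
```

With a ciphertext this short there is a single repeat, so the candidate list is only a hint; longer ciphertexts give several distances whose common divisors narrow the guess.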
-
Before modern ciphers, rotor machines were most common complex ciphers in use.
Widely used in WW2.
Use a series of rotating cylinders.
Implemented a polyalphabetic substitution cipher of period K.
With 3 cylinders, K = 26^3 = 17,576.
With 5 cylinders, K = 26^5 = 12 x 10^6.
What is a key?
o If the adversary has a machine
o If the adversary doesn't have a machine
-
Also called permutation ciphers.
Shuffle the plaintext, without altering the actual letters used.
Example: Row Transposition Ciphers
-
Plaintext is written row by row in a rectangle.
order specified by a key.
Key:       3 4 2 1 5 6 7
Plaintext: a t t a c k p
           o s t p o n e
           d u n t i l t
           w o a m x y z
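A row transposition with the key and plaintext from this slide, as an added example that is not part of the lecture. It assumes the key digits label the columns and the ciphertext is read off column by column in the order 1, 2, 3, ...; the function names are made up for the illustration.

```python
# Added example: row transposition cipher. Assumption: key[i] is the label
# of column i, and columns are read out in increasing label order.

def column_order(key):
    """Column indexes in the order they are read out (label 1 first)."""
    return sorted(range(len(key)), key=lambda c: key[c])

def transposition_encrypt(plaintext, key, pad="X"):
    letters = [ch for ch in plaintext.upper() if ch.isalpha()]
    cols = len(key)
    while len(letters) % cols:
        letters.append(pad)  # fill the last row of the rectangle
    rows = [letters[i:i + cols] for i in range(0, len(letters), cols)]
    return "".join(row[c] for c in column_order(key) for row in rows)

def transposition_decrypt(ciphertext, key):
    cols = len(key)
    nrows = len(ciphertext) // cols
    grid = [[""] * cols for _ in range(nrows)]
    stream = iter(ciphertext.upper())
    # Refill the columns in read-out order, then read the rows back.
    for c in column_order(key):
        for r in range(nrows):
            grid[r][c] = next(stream)
    return "".join("".join(row) for row in grid)

if __name__ == "__main__":
    key = [3, 4, 2, 1, 5, 6, 7]
    ct = transposition_encrypt("attack postponed until two am xyz", key)
    print(ct)
    print(transposition_decrypt(ct, key))
```

The letter frequencies of the ciphertext are exactly those of the plaintext, which is what distinguishes a pure transposition from a substitution.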
-
Uses a sequence of substitutions and transpositions
o Harder to break than just substitutions or transpositions
This is a bridge from classical to modern ciphers.
-
A cipher is unconditionally secure if it is
(time, space) the attacker has.
A cipher is computationally secure if the best algorithm for breaking it will require so much resources (e.g., years) that practically the cryptosystem is secure.
All the ciphers we have examined are notunconditionally secure.
-
Vernam's one-time pad cipher
Key = k1 k2 k3 k4 ... (random, used one-time only)
Plaintext = m1 m2 m3 m4 ...
Ciphertext = c1 c2 c3 c4 ...
where ci = mi XOR ki
Can be proved to be unconditionally secure.
-
Hide a message in another message.
E.g., hide your plaintext in a graphic image
o Each pixel has 3 bytes specifying the RGB color
o The least significant bits of pixels can be changed w/o greatly affecting the image quality
Advantage: hiding existence of messages
Drawback: high overhead
-
Take a 640x480 (= 307,200) pixel image.
Using 4 LSBs, can hide 460,800 characters.
-
An actual message from a German spy
discounted and ignored. Isman hard hit.
Blockade issue affect pretext for embargo on by products, ejecting suets and vegetable oils.
Pershing Sails from NY June 1
-
Have considered:
o classical cipher techniques and terminology
o cryptanalysis using letter frequencies
o polyalphabetic ciphers
o product ciphers and rotor machines
-
50 B.C. Julius Caesar uses cryptographic
400 A.D. Kama Sutra in India mentions cryptographic techniques
1250 British monk Roger Bacon describes simple ciphers
1466 Leon Alberti develops a cipher disk
Union forces use a cipher during Civil War
-
1914 World War I: British, French, and
technology
1917 William Friedman, Father of U.S. encryption efforts, starts a school for teaching cryptanalysis in
1917 AT&T employee Gilbert Vernam invents polyalphabetic cipher
Germans develop the Enigma machine for encryption
-
1937 Japanese design the Purple
1942 Navajo windtalkers help with secure communication during World War II
1948 Claude Shannon develops statistical methods for encryption/decryption
1976 Diffie and Hellman develop public key / private key cryptography
Rivest, Shamir, Adleman develop the RSA algorithm for public key / private key
-
Outline Syllabus
o Concept of Secure Computing, Domain of Protection, Social Engineering, Attacks and Defenses, Defining Security Policy, Classical Ciphers, Encryption and Decryption, Symmetric and Asymmetric Ciphers, Operating System
Databases), Viruses, Privacy, and Digital Rights Management, Intrusion Detection Systems, Secure
Protection, Web Security and Wireless Network Security.