CSE 3043 Week 3 Lecture Cryptography Part 1

8/4/2019 CSE 3043 Week 3 Lecture Cryptography Part 1

1/72

Goals of this lecture:

to introduce basic concepts & terminology ofencryption

to prepare us for studying modern cryptography


2/72

SCYTALESCYTALE , is an example for a really old tech that was, is an example for a really old tech that was

..operation is so simple . Get a long strip of leather andoperation is so simple . Get a long strip of leather andwind it over a rode like the picture , write the clear datawind it over a rode like the picture , write the clear dataon t e eat er over t e ro an t en unwin it .on t e eat er over t e ro an t en unwin it .

HELP ME I AM UNDER ATTACK will beHELP ME I AM UNDER ATTACK will be"HENTEIDTLAEAPMRCMUAK , and it totally depends onand it totally depends on

,,the message .the message .


3/72

Plaintext: original message to be encrypted

Ciphertext: the encrypted message

converting plaintext into ciphertext

oTwo inputs: a plaintext and a secret key

3


4/72

Deci herin or decr tion: recoverinplaintext from ciphertext

Decryption algorithm: performs decryption

and decryptionoAlso referred to as a s mmetric ke

4


5/72

Ci her or cr to ra hic s stem : a schemefor encryption and decryption

Cryptography: science of studying ciphers

Cryptanalysis: science of studying attacksaga ns cryp ograp c sys ems

Cryptology: cryptography + cryptanalysis

5


6/72


7/72

or conventional / secret-key / single-key

sender and recipient share a common keyall classical encryption algorithms are

symmetric

e on y type o c p ers pr or to t einvention of asymmetric-key ciphers in

by far most widely used

7


8/72

Goal: Confidentiality A ice B ob

My account number is 485853

Ev e

Message sent in clear: Eve can overhearEncryption unintelligible to Eve; only Bob

Alice)


9/72

Notations mathematically:E EEK E ,X= DK(Y) or X= D(K, Y)

Y= ciphertext

K= secret key

E = encryption algorithmD = decryption algorithm

s t e nverse o

Both E and D are known to ublic

9


10/72

Alice BobEK1(M)M DK2(C)

MC

K1 K2

M message

EK1(M) message M is encrypted using key K1

If K1=K2 this is

K2 decryption keyDK2(C) ciphertext C is decrypted using key K2

symmetr c(secret key) encryption

If K1K2 this is

asymmetric(public key) encryption


11/72

Alice encrypts (algorithm F) a message (m)with the same ke (k) that Bob uses todecrypt.

AliceB ob

1. Construct m

2. Compute c= F(m,k)

3. Send cto Bob 4. Receive cfrom Alice

5. Compute d=F-1(c,k)

Eve can see c, but cannot compute m.

because k is only known to Alice and Bob


12/72

Objective: to recover the plaintext of aciphertext or, more typica y, to recoverthe secret key.

Kerkhoffs principle: the adversary knows

all details about a cryptosystem except.

Two general approaches:obrute-force attackonon-brute-force attack (cryptanalytic attack)

12


13/72

Try every key to decipher the ciphertext.,

Time needed proportional to size ofkey space

ey ze s um er oAlternative Keys

me requ re adecryption/s

me requ re adecryptions/s

32 232 = 4.3 109 231 s = 35.8 minutes 2.15 milliseconds

56 16 55 . .

128 2128 = 3.4 1038 2127 s = 5.4 1024

years5.4 1018 years

168 2168 = 3.7 1050 2167 s = 5.9 1036 5.9 1030 ears

years

26 characters(permutation)

26! = 4 1026 2 1026 s = 6.4 1012

years6.4 106 years

13


14/72

Ma be classified b how much information

needed by the attacker:Ciphertext-only attackiphertext only attackoKnown-plaintext attack

Chosen-plaintext attackhosen plaintext attackoChosen-ciphertext attack

14


15/72

Given: a ciphertext cQ: what is the plaintext m?An encryption scheme is completely

insecure if it cannot resist ciphertext-onlya ac s.

15


16/72

Alice BobEK(M)M

DK(C)MC

K K

C h t t l tt kEve

Cyphertext-only attack:Eve can gather and analyze Cs to learn K

How does Eve know she ot the ri ht ke ?

Eve has to have enough ciphertext


17/72

Given: (m1,c1), (m2,c2), , (mk,ck) and a new

ciphertext c.Q: what is the plaintext of new ciphertext c? : w at s t e secret ey n use

17


18/72

Alice BobEK(M)M

DK(C)MC

K KEve

Known-plaintext attack:Eve can attempt to learn K by observing many

How does Eve obtain the plaintext?


19/72

1, 1 , 2, 2 , , k, k ,

m1, m2, , mk are chosen by the adversary;c c : what is the laintext of c or what is the

secret key?

19


20/72

Alice BobEK(M)M

DK(C)MC

K KMallory

Chosen-plaintext attack: Mallory can feed chosenmessages M into encryption algorithm and look at

resulting ciphertexts C. Learn either K or messages Mthat produce C. Assumption is that extremely few

.


21/72

In 1942, US Navy cryptanalysts discovered that Japan

They believed that AF means Midway island. .

US forces in Midway sent a plain message that their.Shortly, US intercepted a Japanese ciphertext saying

a was ow on wa er.

This proved that AF is Midway.21


22/72

Given: (m1,c1), (m2,c2), , (mk,ck), where c1,c

2, , c

kare chosen by the adversary; and a

new ciphertext c.

Q: what is the plaintext of c, or what is the

22


23/72

Alice BobEK(M)M

DK(C)MC

K K

Man-in-the-middle attack:Mallory

o Mallory can substitute messageso Mallory can modify messages

o So that they are scrambled

oMallory can drop messageso a ory can rep ay messages o ce, o or

the third party


24/72

Alice BobEK(M)M

DK(C)MC

K K

Brute-force attack:Eve

Brute-force attack:Eve has caught a ciphertext and will try every possiblekey to try to decrypt it.This can be made infinitely hard by choosing a largekeyspace.p


25/72

Plaintext is viewed as a sequence ofe ements e.g., ts or c aractersSubstitution cipher: replacing each

element.

rearranging the order of the elements ofthe plaintext.

Product cipher: using multiple stages ofsubstitutions and transpositions

25


26/72

Substitutiono oa : o scure re a ons p e ween

plaintext and ciphertextoSubstitute parts of plaintext with parts of

cip ertext

Transpositionransposition oGoal: dissipate redundancy of the plaintext by

spreading it over ciphertext

many bits of the ciphertext (if we have roundsof encryption)


27/72

Earliest known substitution cipher

Invented by Julius Caesar

Each letter is replaced by the letter K positions

further down the alphabet. (e.g. K=3)

Plain: a b c d e f g h i j k l m n o p q r s t u v w x y zCipher: D E F G H I K L M N O P Q R S T U V W X Y Z A B CExample: ohio state RKLR VWDWHHELLO KHOORHELLO ecomes KHOOR

27


28/72

Mathematically, map letters to numbers:

a, b, c, ..., x, y, z0, 1, 2, ..., 23, 24, 25

Then the general Caesar cipher is:c= K p = p+ mo

p= DK(c) = (c k) mod 26

Can be generalized with any alphabet.

28


29/72

Key space: {0, 1, ..., 25} nstea o us ng num er = we cou use

k[1,25]. Kwould be our key

How can we break this cipher?o

Vulnerable to brute-force attacks.

E.g., break ciphertext "UNOU YZGZK

Need to recognize it when have the plaintextWhat if the plaintext is written in Swahili?

29


30/72

e can a so c oose a mapp ng or eac e er(A ...Z) : for example,

(H is A, E is M, L is K, O is Y).This mapping would be our key.

This is monoalphabetic cipher.o ecomesMonoal habetic: each character is re laced

with another characterHow can we break this cipher? requency o sym o s stays t e same an

can be used to break the cipher


31/72

Shuffle the letters and map each plaintextetter to a i erent ran om cip ertext etter:

Plain letters: ab cd efghi jk lmno pq r s t uvw xyz

Cipher letters: DKVQFIBJWPESCXHTMYAUOLRGZN

Plaintext: ifwewishtore lacelettersCiphertext: WIRFRWAJUHYFTSDVFSFUUFYA

31


32/72

= 26 .

With so many keys, it is secure against- .

But not secure against some cryptanalytic

attac s.

Problem is language characteristics.

32


33/72

Human languages are not random.

Letters are not equally frequently used.

n ng s , s y ar e mos commonletter, followed by T, R, N, I, O, A, S.

Other letters like Z, J, K, Q, X are fairly rare.

There are tables of sin le, double & tri le

letter frequencies for various languages

33


34/72

34


35/72

In decreasing order of frequency

Double letters:

th he an in er re es on,

Triple letters:

the and ent ion tio for nde,

35


36/72

Key concept:omonoalphabetic substitution does not change

relative letter frequencies

To attack, weocompare this distribution against the known one

36


37/72

Given ciphertext:UZQSOVUOHXMOPVGPOZPEVSGZWSZOPFPESXUDBMETSXAIZ

EPYEPOPDZSZUFPOMBZWPFUPZHMDJUDTMOHMQ

Count relative letter frequencies (see next

Guess {P, Z} = {e, t}

Of double letters, ZW has highestrequency, so guess = an ence= the

Proceedin with trial and error finall et:it was disclosed yesterday that several informal butdirect contacts have been made with political

representatives of the viet cong in moscow

37


38/72

. . . . .

Z 11.67 D 5.00 W 3.33 G 1.67 K 0.00. . . . .

U 8.33 V 4.17 T 2.50 I 0.83 N 0.00

. . . . .

M 6.67

38


39/72

Not even the large number of keys in amonoal habetic ci her rovides securit .

One approach to improving security is toencr t multi le letters at a time.

The Playfair Cipher is the best known suchci her.

Invented by Charles Wheatstone in 1854,but named after his friend Baron Pla fair.

39


40/72

.

Fill in letters of the key (w/o duplicates)..

E.g., key = MONARCHY.

MM OO NN AA RR

EE FF GG I/JI/J KK

LL PP QQ SS TT

UU VV WW XX ZZ

40


41/72

Plaintext is encrypted two letters at a time.

1. If a pair is a repeated letter, insert filler like 'X.

. o e ers a n e same row, rep ace eacwith the letter to its right (circularly).

3. If both letters fall in the same column, replaceeach with the the letter below it (circularly).

4. Otherwise, each letter is replaced by the letter inthe same row but in the column of the other

.

41


42/72

Equivalent to a monoalphabetic cipher withan a p a et o x = c aracters.

Security is much improved over the simplemonoa p a et c c p er.

Was widely used for many decadesoeg. y US & Britis mi itary in WW1 an ear y WW2

Once thought to be unbreakable.

Actually, it can be broken, because it stillleaves some structure of plaintext intact.

42


43/72

Keyword Infosec

I / J N F O S

E C A B D

G H K L M

V W X Y Z

43


44/72

Rules recall:oGroup plaintext letters two at a time

oSeparate repeating letters with an x

oTa e a pair o etters rom p aintext

oPlaintext letters in the same row are replaced bye ers o e r g cyc c manner

oPlaintext letters in the same column are replaced

oPlaintext letters in different row and column are

44

the column of the other letter and vice versa


45/72

E.g., Plaintext: CRYPTO IS TOO EASY

Keyword is INFOSEC

Grouped text: CR YP TO IS TO XO EA SYCiphertext: AQ VT YB NI YB YF CB OZ

To decrypt, the receiver reconstructs the 5x 5 matrix using the keyword and then uses

45


46/72

A sequence of monoalphabetic ciphers (M1,M2, M3, ..., Mk) is used in turn to encrypt

letters.

ey eterm nes w c sequence ociphers to use.

corresponding ciphertext letters.

This makes cryptanalysis harder since theletter fre uenc distribution will be flatter.

46


47/72

Simplest and most common polyalphabeticsubstitution cipher

Consider the set of all Caesar ciphers:

{ Ca, Cb, Cc, ..., Cz }

Key: e.g. security

ncrypt eac etter us ng s, e, c, u, r,Ci, Ct, Cy in turn.

y.

Decryption simply works in reverse.

47


48/72


49/72

E.g., Message = SEE ME IN MALLTake keyword as INFOSECVigenre cipher works as follows:

S E E M E I N M A L L

I N F O S E C I N F O-------------------------------------

A R J A W M P U N Q Z

49


50/72

To decrypt, the receiver places the keywordc aracters e ow eac c p ertext c aracter

,corresponding to the keyword character and

look for the ciphertext character in that row

Plaintext character is then at the top of that

50


51/72

Decryption of ciphertext:

A R J A W M P U N Q Z

I N F O S E C I N F O

----------------------------------

S E E M E I N M A L LBest feature is that same plaintext character

is substituted by different ciphertext. .,

51


52/72

Keyword: deceptive

key: deceptivedeceptivedeceptive

plaintext: wearediscoveredsaveyourself

ciphertext: ZICVTWQNGRZGVTWAVZHCQYGLMGJ

52


53/72

There are multiple (how many?) ciphertext letters.

So, letter frequencies are obscured but not totallylost.

To break Vigenere cipher:

. .2. If key length is N, the cipher consists of N Caesar

ci hers. Plaintext letters at ositions k N+k

2N+k, 3N+k, etc., are encoded by the same cipher.

3. Attack each individual cipher as before.

53


54/72

Main idea: Plaintext words separated by

same way. In our example, if plaintext =

to the same ciphertext words.

So look at the ci hertext for re eated atterns.E.g. repeated VTW in the previous example

suggests a key length of 3 or 9:

c p ertext: ZICVTWQNGRZGVTWAVZHCQYGLMGJ

Of course, the repetition could be a randomfluke.

54


55/72

Before modern ciphers, rotor machines were mostcommon comp ex cip ers in use.

Widely used in WW2.

Use a series o rotating cy in ers.

Implemented a polyalphabetic substitution cipher of

eriod K.

With 3 cylinders, K = 263 =17,576.

With 5 c linders K = 265 =12 x 106.

What is a key?o If the adversary has a machineo e a versary oesn ave a mac ne

55


56/72

56


57/72

57


58/72

58


59/72

59


60/72

Also called permutation ciphers.Shuffle the plaintext, without altering theactual letters used.

Example: Row Transposition Ciphers

60


61/72

Plaintext is written row by row in arectangle.

order specified by a key.

a t t a c k p

Key: 3 4 2 1 5 6 7

Plaintext:

o s t p o n e

d u n t i l t

w o a m x y z

61


62/72

Uses a sequence ofsubstitutions andtranspositionsranspositionsoHarder to break than just substitutions or

trans ositions

This is a bridge from classical to modernciphers.

62


63/72

A cipher is unconditionally secure if it is

(time, space) the attacker has.

A cipher is computationally secure if thebest algorithm for breaking it will require somuc resources e.g., years t atpractically the cryptosystem is secure.

All the ciphers we have examined are notunconditionally secure.

63


64/72

Ke = random

Vernams one-time pad cip

used one-time onl

her

k k k k K

1 2 3 4Plaintext = m m m m K

1 2 3 4Ciphertext =

where

c c c c

c m k=

K

Can be proved to be unconditionally secur .e

64


65/72

Hide a messa e in another messa e.

E.g., hide your plaintext in a graphic imageoEach ixel has 3 b tes s ecif in the RGB coloroThe least significant bits of pixels can be changed

w/o greatly affecting the image quality

Advantage: hiding existence of messages

raw ac : g over ea

65


66/72

Take a 640x480 (=30,7200) pixel image. , ,

Using 4 LSBs, can hide 460,800 characters.

66


67/72

An actual message from a German spyo

discounted and ignored. Isman hard hit.

Blockade issue affect pretext for embargoon by products, ejecting suets andvegetable oils.

Pershing Sails from NY June 1

67


68/72

Have considered:

oclassical cipher techniques and terminology

ocryptanalysis using letter frequencies

opolyalphabetic ciphers

oproduct ciphers and rotor machines

o

68


69/72

50 B.C. Julius Caesar uses cryptographic

400 A.D. Kama Sutra in India mentionscr to ra hic techni ues1250 British monk Roger Bacon

describes simple ciphers1466 Leon Alberti develops a cipher

disk n on orces use a c p er ur ng

Civil War

69


70/72

1914 World War I British, French, and

technology

1917 William Friedman, Father of U.S.

encryption efforts starts a school

for teaching cryptanalysis in

1917 AT&T employee Gilbert Vernam

invents polyalphabetic cipher

ermans eve op e ng ma mac ne

for encryption

70


71/72

1937 Japanese design the Purple

1942 Navajo windtalkers help with secure

communication during World War II

1948 Claude Shannon develops statistical

methods for encryption/decryption

1976 Diffie Hellman develop public key /

private key cryptography

ves am r eman eve op e

RSA algorithm for public key / privatekey

71


72/72

Outline S llabusoConcept of Secure Computing, Domain of

Protection, Social Engineering, Attacks andDefenses Defining Security Policy Classicalefenses, Defining Security Policy, ClassicalCiphers, Encryption and Decryption, Symmetricand Asymmetric Ciphers, Operating System

-, , ,Databases), Viruses, Privacy, and Digital RightsManagement, Intrusion Detection Systems, Secure

, ,

Protection, Web Security and Wireless NetworkSecurity.

72

CSE 3043 Week 3 Lecture Cryptography Part 1

Documents

Transcript of CSE 3043 Week 3 Lecture Cryptography Part 1