Spoiler Warning

Brought to you by Max (ICQ:31252512 TEL:61337706) March 12, 2005 Modern Cryptography


Page 2

Spoiler Warning

• After listening to this talk, you may become disappointed with this book!

• Much of the book’s content is about cryptography, but the parts about modern cryptography are often inaccurate

Page 3

Build Your Own Cryptosystem

• Have you heard about any cryptosystem?
• Have you tried to design your own encryption algorithm?
• Some software companies do this
• But this is in fact very insecure

A cryptosystem can have many hidden flaws!

Page 4

A simple cryptosystem I used in F.1

• Substitute English letters with numbers
  • 01..26 <-> A..Z
  • 00 <-> Space
  • 27..99 <-> Nothing, added to confuse the eavesdropper
  • This is a kind of monoalphabetic substitution cipher

• Example
  • HELLO WORLD
  • 08 05 48 37 36 12 12 15 00 23 61 15 18 12 04 95

• Problems?

Page 5

Classical Ciphers

• Monoalphabetic Substitution Cipher
  • Example: Caesar, simple substitution

• Substitutes every letter with a fixed letter
• Very vulnerable to frequency analysis
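An added example, not part of the original slides: the F.1 scheme from Page 4 implemented in Python, with a frequency count showing why the 27..99 nulls do not hide anything. The sample plaintext, the `null_rate` parameter and the function names are assumptions made for this illustration. Because the nulls are spread over 73 values while each real letter always maps to the same code, the most frequent codes are still space, E and T.

```python
import random
from collections import Counter

# Constructed sample plaintext (not from the slides).
SAMPLE = ("THE SECRET MEETING IS AT THE OLD LIBRARY AFTER SCHOOL "
          "BRING THE NOTES AND TELL NO ONE ELSE ABOUT THE MEETING "
          "WE WILL SHARE THE REST OF THE PLAN WHEN EVERYONE IS THERE")

def encode(msg, rng, null_rate=0.3):
    """Page 4 scheme: A..Z -> 01..26, space -> 00, random 27..99 as nulls."""
    out = []
    for ch in msg:
        while rng.random() < null_rate:      # null_rate is an assumed parameter
            out.append(f"{rng.randint(27, 99):02d}")
        out.append("00" if ch == " " else f"{ord(ch) - 64:02d}")
    return " ".join(out)

def decode(cipher):
    """Receiver's view: drop the nulls (27..99), map the rest back."""
    vals = [int(c) for c in cipher.split()]
    return "".join(" " if v == 0 else chr(v + 64) for v in vals if v <= 26)

def top_codes(cipher, k=3):
    """Eavesdropper's view: the k most frequent two-digit codes."""
    return [code for code, _ in Counter(cipher.split()).most_common(k)]

if __name__ == "__main__":
    ct = encode(SAMPLE, random.Random(2005))
    print(ct[:60], "...")
    print("most frequent codes:", top_codes(ct))
```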

Page 6

Classical Ciphers

• Polyalphabetic Substitution Cipher
  • Example: Vigenere Cipher, Enigma

• Substitution depends on position
• Vulnerable to frequency analysis on collections of letters

Page 7

Classical Ciphers

• Transposition Cipher
  • Example: Columnar transposition

• Moves the position of letters around
• Again vulnerable to frequency analysis

Page 8

Classical Ciphers

• Hill Cipher
• Based on matrix multiplication
• Vulnerable to known plaintext attack

Page 9

Modern Cryptography

• Cryptosystem
  • Key generation (a cryptosystem without a key is useless)
  • Encryption
  • Decryption

• Confusing Words
  • Cryptography is the study of cryptosystems and their applications
  • “Cipher” usually means the same thing as “Cryptosystem”
  • Plaintext / cleartext means un-encrypted data
  • Ciphertext / crypto-text means encrypted data

Page 10

Symmetric Ciphers (Private Key Cryptosystems)

• Most famous: DES (Data Encryption Standard)
  • 64 bit Key (56 bit for encryption, 8 bit for error check)
  • In Digital Fortress, the brute force code breaking machine TRANSLTR can break DES in 10 minutes
  • However this is totally useless, because if we encrypt the data with 3 keys consecutively (this is called 3DES), it would take 2^(56x2) x 10 minutes to break!

• New algorithm: AES (Advanced Encryption Standard)
  • 128, 192 or 256 bit Key
  • Widely used

• Main problem with symmetric ciphers
  • Key Distribution

Page 11

Asymmetric Cipher (Public Key Cryptosystem)

• Most famous: RSA
• A little number theory
  • n = p*q (p and q are large primes)
  • Choose e, d such that e*d = 1 (mod (n))

• Encryption and Decryption
  • Public key is (n,e)
  • Private key is (n,d)
  • C = M^e
  • M = C^d

• To break RSA we need to factorize n
  • Current fastest algorithm: Number Field Sieve

Page 12

Why still use symmetric ciphers?

• Symmetric ciphers are much faster than asymmetric ones
  • At least 100x
• Key length of symmetric ciphers can be much shorter than asymmetric ciphers
  • AES key of 128 bit is roughly as strong as an RSA key of 2048 bit

• Use asymmetric cipher to encrypt the keys of symmetric cipher!

• Other well known algorithms
  • Symmetric: RC5, IDEA, BlowFish, …
  • Asymmetric: El-Gamal, Elliptic Curve Cryptography (ECC), XTR,

Page 13

The One Time Pad

• One Time Pad is the only form of “Perfectly Secure” cryptosystem

• Length of Key must be at least length of Message
• Vernam Cipher
  • Use bitwise XOR
• Sometimes used by governments to transfer keys to embassies

Page 14

Digital Signatures

• Many asymmetric encryption/decryption schemes are just mathematical functions, we can reverse the order
  • Dec(Enc(X)) = Enc(Dec(X)) = X
• Therefore we can use them for “digital signature”
  • Example: RSA
  • If we send M to somebody, we also send s = M^d
  • The other party can check M has not been altered by verifying s^e = M

Page 15

Public Key Infrastructure

• Certificate Authorities (CA)
  • Store your public key on their server and verify its authenticity

• Hierarchy of Trust
• Example scenario
  • When you send a message, you also send a certificate as well as a signature signed with your private key
  • When the other party receives the message, it first goes to the CA which issued your cert to verify it
  • Then it uses your public key listed in the cert to verify the message

Page 16

The Real World

• What I told you is INSECURE!
• Dolev-Yao Threat Model
  • Attackers control the whole network
  • Attackers can intercept, duplicate, replay, modify, or forge any message, but
  • Attackers cannot find the plaintext from a ciphertext without the key, and
  • Attackers cannot find the private key from a public key

• Recall the BT incident
  • 90% of what the Customs did (mainly eavesdropping) can be done by everyone on the Internet

Page 17

Attack on RSA

• Scenario
  • I eavesdropped an RSA-encrypted message for you (M^e, where e is your public key)
  • I ask you to forward this message to someone else, but I lie to you that this is an unencrypted message
  • I also remind you to sign the message before forwarding
  • In fact, the other person is myself
  • Signature of M^e = (M^e)^d = M^(ed) = M !

• In this scenario you acted as a “Decryption Oracle” and provided “Oracle Services” to me, the attacker

Page 18

Attack on RSA

• A fix?
  • Check every message to see if it is actually encrypted

• This is useless
• Another scenario
  • When I eavesdropped M^e, I compute M^e X^e = (MX)^e, where X is an integer I chose
  • I send (MX)^e to you and ask you to sign it. When you try to decrypt it you get MX, which looks innocuous
  • Feeling safe, you sign it, and send MX back to me
  • I can compute MX X^-1 to get M (taking multiplicative inverse is easy)
• This is called the “Chosen Ciphertext Attack”

Page 19

Attack on RSA

• A real solution is to apply cryptographic hash function before signing

• Properties of cryptographic hash function
  • One way
  • Non-linear
  • Collision free

• However, many other attacks are possible
  • Now, formal methods are used to model the attacks
  • A “really secure” version of RSA is the RSA-OAEP
  • Much research is ongoing
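An added example, not part of the original slides: the Page 17 and Page 18 scenarios and the Page 19 fix, run on a toy RSA key so the algebra can be checked. The key (two Mersenne primes with e = 65537), the message, the hash-to-integer encoding and all function names are assumptions for illustration; d is computed as the inverse of e modulo (p-1)(q-1), and a real deployment would use a padded signature scheme from a vetted library.

```python
import hashlib

# Toy key, constructed for illustration only (real moduli are 2048+ bits).
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))        # e*d = 1 mod (p-1)(q-1)

SECRET = int.from_bytes(b"PIN 4071", "big")   # constructed message M < N

def encrypt(m):
    return pow(m, E, N)                  # C = M^e

def sign_raw(x):
    return pow(x, D, N)                  # Page 14 signature: s = x^d

def h(x):
    # Hash reduced modulo N; a toy stand-in for a real padded encoding.
    digest = hashlib.sha256(x.to_bytes(16, "big")).digest()
    return int.from_bytes(digest, "big") % N

def sign_hashed(x):
    return pow(h(x), D, N)               # Page 19 fix: s = H(x)^d

def verify_hashed(x, s):
    return pow(s, E, N) == h(x)

def blinded_recovery(c, signer, x=7):
    """Page 18: ask for a signature on c * x^e, then multiply by x^-1."""
    reply = signer(c * pow(x, E, N) % N)
    return reply * pow(x, -1, N) % N

if __name__ == "__main__":
    c = encrypt(SECRET)
    print("raw signer leaks M directly:  ", sign_raw(c) == SECRET)
    print("raw signer leaks M if blinded:", blinded_recovery(c, sign_raw) == SECRET)
    print("hashed signer leaks M:        ", blinded_recovery(c, sign_hashed) == SECRET)
    print("hashed signature verifies:    ", verify_hashed(SECRET, sign_hashed(SECRET)))
```

With the raw signer both recoveries succeed; with the hashed signer the reply is H(c·x^e)^d, which has no multiplicative relation to M, while ordinary signatures still verify.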

Page 20

Links

• Cryptography A-Z http://www.ssh.com/support/cryptography/index.html

• Handbook of Applied Cryptography http://www.cacr.math.uwaterloo.ca/hac/

• Wikipedia http://www.wikipedia.org/