Post on 31-Jan-2016
2. Encryption and Decryption
The University of Tulsa
Sujeet Shenoi
Center for Information Security
Department of Computer Science, University of Tulsa, Tulsa, OK 74104
sujeet@utulsa.edu
2. Encryption & Decryption
Message
• Sender, Receiver, Transmission Medium
• Plaintext (P), Ciphertext (C)
• Interceptor/Intruder
– Block message (Interruption)
– Access message (Interception)
– Modify message (Modification)
– Fabricate message (Fabrication)
Fundamentals
Cryptography
• Using encryption to conceal plaintext
Cryptanalysis
• Unauthorized “code breaking”: recovering plaintext or keys without being given the key
Cryptology
• Cryptography and Cryptanalysis
Fundamentals (contd.)
Cryptanalysis (classified by what the attacker has to work with)
• Ciphertext-Only Attack (only ciphertext is available)
• Known-Plaintext Attack (some plaintext is available together with its ciphertext)
• Probable-Plaintext Attack (part of the plaintext is known or can be guessed, e.g. a standard header or greeting)
• Chosen-Plaintext Attack (the attacker can have plaintexts of his own choosing encrypted, i.e. has access to the sender’s encryption process)
• Chosen-Ciphertext Attack (the attacker can have ciphertexts of his own choosing decrypted and sees the resulting plaintext)
Basic Encryption/Decryption
Key-Based Ciphers
• Provide more security than keyless ciphers (the secret lies in the key, not in the algorithm)
• Encryption key (KE); decryption key (KD)
• C = {P}KE
• P = {C}KD = {{P}KE}KD
• Symmetric encryption: KE = KD
• Asymmetric encryption: KE ≠ KD
Basic Cipher Types
• Substitution Ciphers
  – Replace each character of the plaintext with another character
• Transposition Ciphers
  – Scramble or shuffle the plaintext characters (the characters themselves are unchanged)
Substitution Ciphers
Monoalphabetic Ciphers
• A single ciphertext alphabet is used for the substitution
• Caesar Cipher (shift of 3)
  – Plaintext alphabet:  A B C D E F … U V W X Y Z
  – Ciphertext alphabet: d e f g h i … x y z a b c
  – Plaintext:  WEATT ACKAT DAWNX
  – Ciphertext: zhdww dfndw gdzqa
Monoalphabetic Ciphers (contd.)
• Key-Based Cipher (keyword “key”, followed by the unused letters in order)
  – Plaintext alphabet:  A B C D E F G H I … U V W X Y Z
  – Ciphertext alphabet: k e y a b c d f g … t u v w x z
• Multiplicative Substitution Cipher: π(α) = (3·α) mod 26, with A = 0, B = 1, …, Z = 25 (the multiplier must be relatively prime to 26 for the map to be invertible)
  – Plaintext alphabet:  A B C D E F G H I … U V W X Y Z
  – Ciphertext alphabet: a d g j m p s v y … i l o r u x
Monoalphabetic Ciphers (contd.)
Breaking Monoalphabetic Ciphers
• Frequency Distributions
  – Each language has a characteristic letter-frequency distribution, and a monoalphabetic substitution only relabels it (the histogram is permuted, not flattened)
  – Index of Coincidence: the probability that two letters drawn from a text are the same (English IC ≈ 0.068; uniformly random letters 1/26 ≈ 0.038)
  – Computers make this kind of code breaking trivial
• Solution: “flatten the frequency distribution”
• Polyalphabetic Ciphers (multiple alphabets)
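Worked example (added for this edition; it is not code from the original slides). It builds the three monoalphabetic alphabets shown above (Caesar shift 3, keyword “key”, multiplication by 3 mod 26), reproduces the slide’s Caesar ciphertext, and then demonstrates the two facts the attack rests on: a substitution leaves the index of coincidence exactly unchanged, and matching the most frequent ciphertext letter to E recovers a Caesar shift. The sample sentence and all function names are ours.

```python
from collections import Counter
import string

ALPHABET = string.ascii_uppercase

def caesar_alphabet(shift: int) -> str:
    """Ciphertext alphabet for a Caesar shift (shift 3: A->d, B->e, ..., Z->c)."""
    return ALPHABET[shift:] + ALPHABET[:shift]

def keyword_alphabet(keyword: str) -> str:
    """Key-based alphabet: the keyword's distinct letters first, then the unused letters in order."""
    seen = []
    for ch in keyword.upper() + ALPHABET:
        if ch not in seen:
            seen.append(ch)
    return "".join(seen)

def affine_alphabet(mult: int) -> str:
    """Multiplicative alphabet pi(alpha) = mult*alpha mod 26; mult must be coprime to 26."""
    if mult % 2 == 0 or mult % 13 == 0:
        raise ValueError("multiplier must be relatively prime to 26 or the map is not invertible")
    return "".join(ALPHABET[(mult * i) % 26] for i in range(26))

def substitute(text: str, cipher_alphabet: str) -> str:
    """Monoalphabetic substitution; non-letters are dropped; ciphertext is lowercase as on the slides."""
    table = dict(zip(ALPHABET, cipher_alphabet))
    return "".join(table[ch] for ch in text.upper() if ch in table).lower()

def unsubstitute(ciphertext: str, cipher_alphabet: str) -> str:
    """Inverse substitution (the table is a bijection, so this is just the reverse lookup)."""
    table = dict(zip(cipher_alphabet, ALPHABET))
    return "".join(table[ch] for ch in ciphertext.upper() if ch in table)

def letter_counts(text: str) -> Counter:
    return Counter(ch for ch in text.upper() if ch in ALPHABET)

def index_of_coincidence(text: str) -> float:
    """Probability that two letters drawn from the text are equal: about 0.068 for English, 1/26 for flat text."""
    counts = letter_counts(text)
    n = sum(counts.values())
    return sum(c * (c - 1) for c in counts.values()) / (n * (n - 1))

def recover_caesar_shift(ciphertext: str) -> int:
    """Assume the most frequent ciphertext letter stands for E, the most common English letter."""
    top = letter_counts(ciphertext).most_common(1)[0][0]
    return (ALPHABET.index(top) - ALPHABET.index("E")) % 26

# Constructed sample sentence (not from the slides), E-heavy like ordinary English prose.
SAMPLE = "DEFEND THE EAST WALL OF THE CASTLE THE ENEMY ATTACKS AT DAWN WE NEED EVERY MAN TO BE READY"
```

The IC equality is exact, not approximate: the substitution permutes the counts, and the IC formula only sums over counts. That is why flattening needs more than one alphabet.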
Polyalphabetic Ciphers
• Multiple alphabets flatten the frequency distribution
  – 26! possible alphabets to choose from
  – The index of coincidence falls toward the flat value 1/26 ≈ 0.038 as more alphabets are used:
    # Alphabets:  1      2      3      4      5      10     many
    IC:           0.068  0.052  0.047  0.044  0.044  0.041  0.038
• Example
  – T H I S I S A T E S T X X X X
    1 2 3 1 2 3 1 2 3 1 2 3 1 2 3   (alphabet used at each position)
  – Choose alphabets 1, 2, 3 so that the combined letter frequencies are flat
Polyalphabetic Ciphers (contd.)
Vigenère Cipher
• Polyalphabetic cipher based on the Vigenère tableau
• 26 possible alphabets (the 26 Caesar shifts), each “keyed” by a letter; the key word selects the alphabet for each position
• Example
– Key: j u l i e t j u l i e t
– Plaintext: B U T S O F T W H A T L
– Ciphertext: k o e a s y c q s i ….
Polyalphabetic Ciphers (contd.)
Breaking Polyalphabetic Ciphers: Kasiski’s Method
• The same plaintext enciphered under the same key letters yields the same ciphertext, so the distances between repeated ciphertext fragments are multiples of the key length
• Key (K) “dickens” repeated under the plaintext (P):
  K: dicke nsdic kensd icken sdick ensdi ckens dicke
  P: ITWAS THEBE STOFT IMESI TWAST HEWOR STOFT IMESI
  K: nsdic kensd icken sdick ensdi ckens dicke nsdic
  P: TWAST HEAGE OFWIS DOMIT WASTH EAGEO FFOOL ISHNE
  K: kensd icken sdick ensdi ckens dicke nsdic kensd
  P: SSITW ASTHE EPOCH OFBEL IEFIT WASTH EEPOC HOFIN
• “ITW” falls under the key letters “nsd” at positions 20, 83 and 104, producing the same ciphertext trigram each time
  – 20 → 83: distance 63 (factors 3, 7, 9, 21, 63)
  – 83 → 104: distance 21 (factors 3, 7, 21)
  – Common factors 3, 7, 21; the key length is 7
Perfect Substitution Ciphers
Infinitely long, non-repeating sequences of alphabets (immune to Kasiski’s method, which needs a repeating key)
• One-Time Pad
• Long random number sequences
• Vernam cipher (key supplied on punched paper tape)
• Long sequences from a source such as a telephone book (an approximation only: a running key taken from a book is not random, and the security of a pad rests on the key being truly random and never reused)
Perfect Ciphers (contd.)
• Dual Message Entrapment: because a pad key is as long as the message, any ciphertext can be “decrypted” to any plaintext of the same length by a suitable key; a key that itself reads as an innocent message lets a coerced party hand over that reading instead of the real one
  – Key:     disre gardt hisme ssage
  – Message: THISM ESSAG EISCR UCIAL
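Worked example (added for this edition; not code from the original slides) covering the Vigenère slide, the Kasiski slide and the one-time-pad slides above. It enciphers the slide’s “juliet” example, runs Kasiski’s test on the Dickens passage under the key “dickens” and tallies which key lengths divide the repeat distances, and finally shows dual message entrapment: given a real pad ciphertext, it derives the decoy key that decrypts the same ciphertext to a harmless text. The decoy text and the function names are ours.

```python
from collections import defaultdict
from functools import reduce
from math import gcd
import string

ALPHABET = string.ascii_uppercase

def letters_only(text: str) -> str:
    return "".join(ch for ch in text.upper() if ch in ALPHABET)

def shift_letters(text: str, key: str, sign: int) -> str:
    """Add (sign=+1) or subtract (sign=-1) key letters mod 26; the key repeats if shorter than the text."""
    text, key = letters_only(text), letters_only(key)
    return "".join(
        ALPHABET[(ALPHABET.index(t) + sign * ALPHABET.index(key[i % len(key)])) % 26]
        for i, t in enumerate(text))

def vigenere_encrypt(plaintext: str, key: str) -> str:
    return shift_letters(plaintext, key, +1).lower()   # lowercase ciphertext, as on the slides

def vigenere_decrypt(ciphertext: str, key: str) -> str:
    return shift_letters(ciphertext, key, -1)

def kasiski_repeats(ciphertext: str, n: int = 3) -> dict:
    """0-based positions of every n-gram that occurs more than once in the ciphertext."""
    ct = letters_only(ciphertext)
    seen = defaultdict(list)
    for i in range(len(ct) - n + 1):
        seen[ct[i:i + n]].append(i)
    return {g: pos for g, pos in seen.items() if len(pos) > 1}

def kasiski_distances(ciphertext: str, n: int = 3) -> list:
    """Distances between consecutive occurrences of repeated n-grams. When a repeat comes from the
    same plaintext under the same key letters, the distance is a multiple of the key length."""
    return [b - a for pos in kasiski_repeats(ciphertext, n).values() for a, b in zip(pos, pos[1:])]

def factor_tally(distances, max_len: int = 20) -> dict:
    """How many distances each candidate key length divides; the true length and its divisors score highest."""
    return {f: sum(d % f == 0 for d in distances) for f in range(2, max_len + 1)}

def entrapment_key(ciphertext: str, desired_plaintext: str) -> str:
    """Dual message entrapment: the pad key (C - P mod 26) under which an existing ciphertext
    'decrypts' to any chosen text of the same length."""
    if len(letters_only(ciphertext)) != len(letters_only(desired_plaintext)):
        raise ValueError("the decoy plaintext must be exactly as long as the ciphertext")
    return shift_letters(ciphertext, desired_plaintext, -1).lower()

# The slide's plaintext (the opening of "A Tale of Two Cities", as far as the slide shows it).
DICKENS = ("ITWASTHEBESTOFTIMESITWASTHEWORSTOFTIMESI"
           "TWASTHEAGEOFWISDOMITWASTHEAGEOFFOOLISHNE"
           "SSITWASTHEEPOCHOFBELIEFITWASTHEEPOCHOFIN")
```

With a repeating key every repeat distance here is 63 or 21, so 3, 7 and 21 tie at the top of the tally and 7 is picked as the key length; with a pad key as long as the message there are no key repeats for Kasiski to find, which is exactly what makes the decoy key possible.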
Transposition Ciphers
Columnar Transposition
• Example (c = 10 columns; the plaintext is written row by row and padded with X)
  T H I S I S A M E S
  S A G E T O S H O W
  H O W A T R A N S P
  O S I T I O N C I P
  H E R W O R K S X X
• Ciphertext (read off column by column)
  TSHOHHAOSEIGWIRSEATWITTIOSORORASANKMHNCSEOSIXSWPPX
Transposition Ciphers (contd.)
Breaking Transposition Ciphers
• Letter frequencies are unchanged (only positions move), so the attack looks for common digrams and trigrams that reappear when the columns are realigned
• Digrams: EN, RE, ER, NT, TH, ON, IN, TE, AN, OR
• Trigrams: ENT, ION, AND, ING, IVE, TIO, FOR, OUR, THI, ONE
• Sliding Window Technique: guess the column length (number of rows), split the ciphertext into windows of that length and read across them
  TSH OHH AOSEIGWIRSEATWITTIOSORORASANKMHNCSEOSIXSWPPX    (3 rows?)
  TSHO HHAO SEIGWIRSEATWITTIOSORORASANKMHNCSEOSIXSWPPX    (4 rows?)
  TSHOH HAOSE IGWIRSEATWITTIOSORORASANKMHNCSEOSIXSWPPX    (5 rows: reading across the first two windows gives TH, SA, HO, OS, HE, all plausible English digrams)
Transposition Ciphers (contd.)
Double Columnar Transposition
• Example (c1 = 10; c2 = 15)
• Ciphertext of the first transposition (50 letters), written into 15 columns and padded with EAOXYQSRDX to fill the grid
  T S H O H H A O S E I G W I R
  S E A T W I T T I O S O R O R
  A S A N K M H N C S E O S I X
  S W P P X E A O X Y Q S R D X
• Ciphertext (second transposition)
  TSASSESWHAAPOTNPHWKXHIMEATHAOTNOSICXEOSYISEQGOOSWRSRIOIDRRXX
Transposition Ciphers (contd.)
Breaking Double Transposition Ciphers
• Relationship between plaintext and ciphertext positions (1-based indices; c columns, r rows, full grid)
• After the first transposition, plaintext character p_i sits at ciphertext position
  $p_i = c^{(1)}_{\,r_1 \cdot ((i-1) \bmod c_1) + \lfloor (i-1)/c_1 \rfloor + 1}$
• After the second transposition, first-stage character $c^{(1)}_i$ sits at
  $c^{(1)}_i = c^{(2)}_{\,r_2 \cdot ((i-1) \bmod c_2) + \lfloor (i-1)/c_2 \rfloor + 1}$
• Use digrams and trigrams to determine the parameters (c1, r1, c2, r2)
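Worked example (added for this edition; not code from the original slides) for the three transposition slides above. It reproduces both of the slide’s ciphertexts, inverts them, and checks the position formula $r\cdot((i-1) \bmod c) + \lfloor (i-1)/c \rfloor + 1$ for every character of both stages. The filler letters are the ones visible in the slide’s grids; the function names are ours.

```python
def columnar_encrypt(text: str, c: int, filler: str = "") -> str:
    """Write `text` row by row into c columns and read it off column by column.
    `filler` supplies the characters that complete an incomplete last row."""
    rows = -(-len(text) // c)                        # ceiling division
    need = rows * c - len(text)
    if need > len(filler):
        raise ValueError(f"{need} filler characters are needed to complete the grid")
    grid = text + filler[:need]
    return "".join(grid[r * c + col] for col in range(c) for r in range(rows))

def columnar_decrypt(ciphertext: str, c: int) -> str:
    """Inverse of columnar_encrypt for a full grid (padding is left in place)."""
    rows, rem = divmod(len(ciphertext), c)
    if rem:
        raise ValueError("ciphertext length must be a multiple of the column count")
    return "".join(ciphertext[col * rows + r] for r in range(rows) for col in range(c))

def ciphertext_index(i: int, c: int, r: int) -> int:
    """1-based ciphertext index holding plaintext character p_i after one full-grid transposition
    with c columns and r rows: r*((i-1) mod c) + floor((i-1)/c) + 1."""
    return r * ((i - 1) % c) + (i - 1) // c + 1

def double_transposition(plaintext: str, c1: int, c2: int, filler1: str = "", filler2: str = "") -> str:
    """Two columnar transpositions in sequence; the composed position map is the slide's second formula
    applied to the output of the first."""
    return columnar_encrypt(columnar_encrypt(plaintext, c1, filler1), c2, filler2)

# The slide's message (48 letters) and its two ciphertexts; XX pads the 5 x 10 grid.
PLAINTEXT = "THISISAMESSAGETOSHOWHOWATRANSPOSITIONCIPHERWORKS"
STAGE1 = "TSHOHHAOSEIGWIRSEATWITTIOSORORASANKMHNCSEOSIXSWPPX"
STAGE2 = "TSASSESWHAAPOTNPHWKXHIMEATHAOTNOSICXEOSYISEQGOOSWRSRIOIDRRXX"
```

Because both stages are pure position permutations, an attacker who recovers (c1, r1, c2, r2) from digram and trigram alignment inverts the whole cipher with `columnar_decrypt` twice and no key search at all.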
Stream vs. Block Ciphers
Stream Ciphers (convert p_i → c_i, one symbol at a time)
• Substitution ciphers are the classical example
  – High speed of transformation
  – Low error propagation
  – Low diffusion; high confusion
  – Susceptible to malicious insertions
Block Ciphers (convert a whole block P → C)
• Transposition ciphers are the classical example
  – Low speed of transformation
  – High error propagation
  – High diffusion; low confusion
  – Immune to malicious insertions
Shannon Characteristics
Characteristics of “Good Ciphers” (Shannon, 1949)
• The amount of secrecy needed should determine the amount of labor appropriate for encryption and decryption (Principle of Timeliness)
• The set of keys and the enciphering algorithm should be free from complexity
• The implementation should be as simple as possible
• Errors in ciphering should not propagate and corrupt the rest of the message
• The ciphertext should be no larger than the plaintext: |C| ≤ |P|
3. Secure Encryption Systems
• Modern techniques are based on “hard problems”: problems with no known polynomial-time solution (NP-complete problems such as satisfiability and knapsack are the textbook examples; the factoring and discrete-logarithm problems behind RSA, ElGamal and DSA are believed hard but are not known to be NP-complete)
• Brute-force solutions involve exhaustive search (2^n possibilities)
• Satisfiability
  – Pick v1, v2, v3: Boolean such that (v1) ∧ (v2 ∨ v3) ∧ (¬v3 ∨ ¬v1) is True
• Knapsack
  – Pick v1, v2, v3 ∈ {0, 1} such that v1·a1 + v2·a2 + v3·a3 = T (target sum)
Classes P, NP and EXP
Class P
Set of problems whose solutions run in time bounded by “polynomial functions” of the size of the problems
Class NP
Set of problems whose solutions run in time bounded by polynomial functions of the size of the problems “assuming the ability to guess perfectly”
Class EXP
Set of problems whose solutions run in time bounded by “exponential functions” of the size of the problems
Classes P, NP and EXP (contd.)
Fundamental Result: P ⊆ NP ⊆ EXP
Is P ⊊ NP or P = NP? Not known!
Some Comments
• Being NP-complete does not guarantee that a problem has no solution easier than exponential (only that a polynomial one would put P = NP)
• Every NP-complete problem has a solution that runs in time proportional to 2^n; feasible if n is small
• Non-determinism can be modeled by “threads” (trying all guesses in parallel)
• Non-determinism can be modeled by “threads”
• Interceptors may use other information to simplify the task of breaking the encryption
Secret and Public Key Algorithms
Secret Key Algorithms (Symmetric)
• One key for encryption and decryption (KE = KD = K)
• C = {P}K and P = {C}K
• One key per channel: for n users, #keys = n·(n−1)/2
Public Key Algorithms (Asymmetric)
• Separate keys for encryption and decryption (KE ≠ KD)
• C = {P}KE and P = {C}KD
• C = {P}KD and P = {C}KE (the reverse direction, used for signatures)
• Two keys per user: for n users, #keys = 2·n
Public Key Algorithms
Public Key Algorithms (Asymmetric)
• Key pair for user A: (KA_priv, KA_pub)
• KA_priv: private key, kept secret by A
• KA_pub: public key, distributed widely by A
• A → Receiver (signing direction): C = {P}KA_priv (and P = {C}KA_pub)
• Sender → A (confidentiality): C = {P}KA_pub (and P = {C}KA_priv)
RSA (Public Key) Algorithm
Rivest-Shamir-Adleman (1978)
• Based on the difficulty of factoring large numbers
• The best known factoring algorithms are super-polynomial in the size of n (sub-exponential, e.g. the number field sieve); no polynomial-time classical algorithm is known
• Encryption key: (e, n); Decryption key: (d, n)
• C = P^e mod n; P = C^d mod n
• C = P^d mod n; P = C^e mod n (signing direction)
• RSA Mathematics
  – n = p·q (p, q: large primes, e.g. 100 decimal digits each)
    (a 200-digit n is about 664 bits; the 512-bit and 1024-bit sizes quoted when these slides were written are now inadequate, 512-bit moduli have been factored, and 2048 bits is the current minimum)
  – d = e⁻¹ mod φ(n), with e relatively prime to φ(n) = (p−1)·(q−1)
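Worked example (added for this edition; not code from the original slides) of the RSA mathematics above with deliberately tiny, constructed parameters (p = 61, q = 53, e = 17). It computes d = e⁻¹ mod φ(n), runs both directions (encryption with (e, n), signing with (d, n)), and then does what an attacker does when n is small: factors n and rebuilds d. This is textbook RSA with no padding; real deployments need OAEP or PSS padding and a modulus of at least 2048 bits. Function names are ours.

```python
from math import gcd, isqrt

def rsa_keygen(p: int, q: int, e: int):
    """Textbook RSA: n = p*q, phi = (p-1)(q-1), d = e^-1 mod phi. Returns (public, private) as (exp, n)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to phi(n)")
    d = pow(e, -1, phi)                 # modular inverse (Python 3.8+)
    return (e, n), (d, n)

def rsa_apply(m: int, key) -> int:
    """C = P^e mod n with the public key; P = C^d mod n with the private key (the same call signs)."""
    exp, n = key
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, exp, n)

def recover_private_key(public_key):
    """Factor n by trial division and rebuild d. Feasible only because n is tiny here;
    for real moduli (2048 bits and up) factoring is far beyond any known algorithm."""
    e, n = public_key
    for p in range(2, isqrt(n) + 1):
        if n % p == 0:
            q = n // p
            return pow(e, -1, (p - 1) * (q - 1)), n
    raise ValueError("n has no non-trivial factor")

# Constructed toy parameters (not from the slides): two small primes and the usual small e.
TOY_P, TOY_Q, TOY_E = 61, 53, 17
```

The same `rsa_apply` serves both directions because encryption and signing differ only in which exponent is used; that symmetry is the C = P^d mod n bullet above.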
Cryptographic Hash Algorithms
• Hash function (f) produces a fixed-size “digest” of data/message
• S → R: m, f(m)
• R: computes f(m) and compares it with the f(m) received
• Must be difficult to “invert”: finding another m′ with f(m′) = f(m) (or any m from f(m) alone) must be infeasible
• Toy digests, and why they are not enough
  – XOR of all bits: 10101010 ⊕ 00101111 → 1 (a 1-bit parity digest; an accidental match has probability 1/2)
  – XOR of bytes: 10101010 ⊕ 00101111 = 10000101 (an 8-bit digest; accidental match probability 1/2^8)
  – Both are linear, so a deliberate forgery that keeps the digest is trivial
• Most digests are between 100 and 1,000 bits (128 to 512 bits in current algorithms)
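Worked example (added for this edition; not code from the original slides) of the two XOR digests above, using the slide’s own bytes 10101010 and 00101111, and of their failure mode: because XOR is linear, one appended byte makes any tampered message carry the original digest. The payment strings are constructed; the function names are ours.

```python
def xor_parity(data: bytes) -> int:
    """1-bit digest: XOR of every bit (the parity). Any change that flips an even number of bits is invisible."""
    return bin(int.from_bytes(data, "big")).count("1") & 1

def xor_bytes_digest(data: bytes) -> int:
    """8-bit digest: XOR of all bytes. A random change collides with probability 1/2^8."""
    digest = 0
    for b in data:
        digest ^= b
    return digest

def forge_same_digest(original: bytes, tampered: bytes) -> bytes:
    """Targeted forgery: append the one byte that cancels the digest difference.
    A cryptographic hash must make finding such an m' infeasible; a linear checksum cannot."""
    fix = xor_bytes_digest(original) ^ xor_bytes_digest(tampered)
    return tampered + bytes([fix])

# The slide's two sample bytes: 10101010 and 00101111.
SLIDE_BYTES = bytes([0b10101010, 0b00101111])
```

The 1-bit digest is the parity of the 8-bit one, so a forgery that fixes the byte digest also fixes the parity; stacking linear checks buys nothing against a deliberate attacker.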
Secure Hash Algorithm (SHA)
• Designed for use with the Digital Signature Algorithm (DSA)
• NIST (1992–1995); the 1995 revision is SHA-1 (FIPS 180-1), which is the algorithm described here
• Input: any message shorter than 2^64 bits; Digest: 160 bits
• Operations: XOR, addition mod 2^32, left circular shift S^n(v)
• Algorithm: non-linear function that interweaves bits
  – Pad the message to a multiple of 512 bits: msg ‖ 1 ‖ 0…0 ‖ <64-bit length>
    (each 512-bit block = 16 32-bit words: W0 … W15)
  – Expand each block to 80 words: W0 … W79
  – Initialize five 32-bit chaining constants: H0^(0) … H4^(0)
  – Perform the 80-step, 4-round diffusion algorithm on each block; digest = H0^(80) … H4^(80) after the last block
• Practical SHA-1 collisions were demonstrated in 2017; it is no longer acceptable for signatures
MD4 and MD5 Algorithms
• MD4 (Rivest, 1991–92)
  – Exceptionally fast, less secure
  – 16-word block (512 bits)
  – 48-step, 3-round diffusion algorithm
  – 4 chaining constants (128-bit digest)
• MD5 (Rivest, 1992)
  – Slower, more secure than MD4
  – 16-word block (512 bits)
  – 64-step, 4-round diffusion algorithm
  – 4 chaining constants (128-bit digest)
• Both are broken today: practical collisions exist for MD4 and for MD5 (since 2004), so neither should be used for signatures or integrity protection
Digital Signature Algorithms
• ElGamal Algorithm (1984)
  – Pick p: prime; a: a generator mod p; x < p (p−1 must have a large prime factor q)
  – Compute: y = a^x mod p
  – Private key: x; Public key: y (and p, a)
• Message Signing (m: message, 0 ≤ m < p−1)
  – Pick k: 0 < k < p−1, relatively prime to p−1 (secret and fresh for every message; a reused k leaks x)
  – Compute: r = a^k mod p
  – Compute: s = k⁻¹·(m − x·r) mod (p−1)   (k·k⁻¹ ≡ 1 mod (p−1))
  – Message Signature: (r, s)
• Signature Verification
  – Compute: y^r · r^s mod p
  – Compute: a^m mod p
  – Check: y^r · r^s ≡ a^m (mod p)
Digital Signature Algorithm (DSA)
• DSA (NIST, 1994): an ElGamal-style signature with restrictions
  – Pick p: prime; q: a prime factor of p−1; a: an element of order q mod p (a = h^((p−1)/q) mod p with a ≠ 1); private x < q
  – Condition (original standard): 2^511 < p < 2^512 (p about 155 decimal digits; later revisions allow p up to 1024 and then 3072 bits)
  – Condition: 2^159 < q < 2^160
  – Compute: y = a^x mod p
  – Private key: x; Public key: y (and p, q, a)
• Message Signing (H(m), a hash of the message, instead of m)
  – Pick k: 0 < k < q (secret, fresh for every message, never reused)
  – Compute: r = (a^k mod p) mod q
  – Compute: s = k⁻¹·(H(m) + x·r) mod q   (k·k⁻¹ ≡ 1 mod q)
  – Message Signature: (r, s), both non-zero
• Signature Verification: w = s⁻¹ mod q; accept iff ((a^(H(m)·w) · y^(r·w)) mod p) mod q = r
• A criticism at the time: with p fixed at 512 bits, DSA was considered easier to break than ElGamal signatures with larger moduli
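Worked example (added for this edition; not code from the original slides) of both signature schemes above with tiny constructed parameters: ElGamal over p = 23 with generator 5, and DSA over p = 23, q = 11 with a = 4 of order 11. Signing and verification follow the equations on the slides (DSA in its FIPS 186 form); `k` is passed in explicitly so the example is reproducible, which is exactly what must never be done in practice. Function names are ours.

```python
import hashlib
from math import gcd

# ---- ElGamal signatures: s = k^-1 (m - x r) mod (p-1), verify y^r r^s = a^m (mod p) ----
def elgamal_keygen(p: int, a: int, x: int):
    """p prime, a a generator mod p, x the private exponent; returns (public, private)."""
    return {"p": p, "a": a, "y": pow(a, x, p)}, x

def elgamal_sign(m: int, pub: dict, x: int, k: int):
    """k must be secret, fresh per message and invertible mod p-1; reusing k leaks x."""
    p, a = pub["p"], pub["a"]
    if not (0 < k < p - 1 and gcd(k, p - 1) == 1):
        raise ValueError("k must lie in (0, p-1) and be relatively prime to p-1")
    r = pow(a, k, p)
    s = (pow(k, -1, p - 1) * (m - x * r)) % (p - 1)
    return r, s

def elgamal_verify(m: int, sig, pub: dict) -> bool:
    p, a, y = pub["p"], pub["a"], pub["y"]
    r, s = sig
    return 0 < r < p and (pow(y, r, p) * pow(r, s, p)) % p == pow(a, m, p)

# ---- DSA (FIPS 186 form): work in the order-q subgroup, s = k^-1 (H(m) + x r) mod q ----
def dsa_params(p: int, q: int, h: int):
    """q must divide p-1; g = h^((p-1)/q) mod p then has order q (reject an h that gives g = 1)."""
    if (p - 1) % q:
        raise ValueError("q must divide p-1")
    g = pow(h, (p - 1) // q, p)
    if g == 1:
        raise ValueError("h yields g = 1; pick another h")
    return p, q, g

def dsa_public_key(params, x: int) -> int:
    p, q, g = params
    return pow(g, x, p)

def dsa_hash(msg: bytes, q: int) -> int:
    """DSA signs a hash of the message reduced into Z_q (SHA-256 here, purely for illustration)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % q

def dsa_sign(hm: int, params, x: int, k: int):
    p, q, g = params
    if not 0 < k < q:
        raise ValueError("k must lie in (0, q)")
    r = pow(g, k, p) % q
    s = (pow(k, -1, q) * (hm + x * r)) % q
    if r == 0 or s == 0:
        raise ValueError("degenerate signature; choose a new k")
    return r, s

def dsa_verify(hm: int, sig, params, y: int) -> bool:
    p, q, g = params
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    u1, u2 = (hm * w) % q, (r * w) % q
    return (pow(g, u1, p) * pow(y, u2, p) % p) % q == r
```

With parameters this small a forged signature can pass by chance (about 1 in q), which is why the standard insists on 160-bit and larger q; the structure, not the security, is what the toy numbers show.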
Secret Key Algorithms
• Data Encryption Standard (DES)
• Escrowed Encryption Standard (EES): Skipjack
• Advanced Encryption Standard (AES)
Secret Key Algorithms (Symmetric)
• Single key for the A–B channel: KAB
• KAB: secret (known only to A and B)
• A → B: C = {P}KAB (and P = {C}KAB)
• B → A: C = {P}KAB (and P = {C}KAB)
Data Encryption Standard (DES)
• NBS, now NIST (1977)
• Developed for use by the general public
• Accepted as a cryptographic standard worldwide
• Hardware and software implementations
• Algorithm
  – Complex combination of substitution and transposition (Product Cipher)
  – 64-bit plaintext blocks; 56-bit keys
  – 16-round algorithm
  – Same algorithm for encryption and decryption (only the order of the subkeys is reversed)
DES Algorithm (contd.)
Algorithm Description
• Initial Permutation
• 16 Cycles (each with its own 48-bit subkey produced by the Key Transformation)
• Inverse Initial Permutation
• Cycle Description
  – Split the 64-bit block into Left and Right halves: 32 bits each
  – Expansion Permutation of the Right half: 32 bits → 48 bits
  – XOR with the transformed key (subkey): 48 bits
  – S-Boxes (Substitution Choice): 48 bits → 32 bits
  – P-Box (Permutation): 32 bits
  – XOR the result with the original Left half: 32 bits
  – Next cycle: new Left = original Right; new Right = original Left ⊕ f(Right, subkey)
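Worked example (added for this edition; not code from the original slides, and not DES): a toy 64-bit Feistel network with the cycle shape described above (expansion, subkey XOR, S-box, P-box, XOR into the other half, swap). Its point is the last bullet of the previous slide: decryption is the same algorithm with the subkeys in reverse order, and this holds whatever the round function is, so it can be made as non-invertible as you like. The expansion, P-box and key schedule are simplified stand-ins; the S-box is row 0 of DES S1, used only because it is a convenient 4-bit permutation.

```python
MASK32 = 0xFFFFFFFF
MASK64 = 0xFFFFFFFFFFFFFFFF
# DES S-box S1, row 0, used here as a stand-in 4-bit substitution (a permutation of 0..15).
SBOX = [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7]

def round_function(right: int, subkey: int) -> int:
    """Toy f(R, K) with the DES cycle's shape: expansion, key XOR, S-box substitution, P-box permutation."""
    expanded = ((right << 16) | (right >> 16)) & MASK32   # stand-in for E (stays 32 bits; DES expands to 48)
    mixed = expanded ^ subkey                             # XOR with the round's subkey
    substituted = 0
    for nibble in range(8):                               # eight 4-bit S-box lookups (DES: eight 6-to-4-bit boxes)
        substituted |= SBOX[(mixed >> (4 * nibble)) & 0xF] << (4 * nibble)
    return ((substituted << 11) | (substituted >> 21)) & MASK32   # stand-in for the P-box

def key_schedule(key: int, rounds: int = 16) -> list:
    """Toy key transformation: rotate the 64-bit key and take 32 bits per round (DES: 56 to 48-bit selection)."""
    subkeys, k = [], key & MASK64
    for _ in range(rounds):
        k = ((k << 5) | (k >> 59)) & MASK64
        subkeys.append(k & MASK32)
    return subkeys

def feistel(block: int, subkeys: list) -> int:
    """The 16 cycles: L_{i+1} = R_i, R_{i+1} = L_i XOR f(R_i, K_i); halves are swapped once more at the end."""
    left, right = block >> 32, block & MASK32
    for sk in subkeys:
        left, right = right, left ^ round_function(right, sk)
    return (right << 32) | left

def encrypt(block: int, key: int) -> int:
    return feistel(block, key_schedule(key))

def decrypt(block: int, key: int) -> int:
    # Same algorithm as encryption; only the subkey order is reversed.
    return feistel(block, key_schedule(key)[::-1])
```

Each cycle only ever XORs f(R, K) into the other half, and XOR is its own inverse, so running the cycles backwards undoes them one by one; nothing in f needs to be invertible, which is what lets DES use 6-to-4-bit S-boxes.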
DES Algorithm (contd.)
Brute Force Attack
• 2^56 key possibilities (about 7.2 × 10^16)
• 1 key / 100 ms: about 228 million years
• 1 key / µs: about 2,280 years
• 10^6 chips in parallel: about 20 hours (Diffie-Hellman estimate, 1977)
An EFF team broke a DES key (January 1999)
• Time: 22 hours and 15 minutes
• “Deep Crack” special-purpose machine plus about 100,000 PCs
• About 256 billion keys/second
NSA will not recertify DES; with a 56-bit key it is no longer considered secure
Escrowed Encryption Std. (EES)
• Developed by NSA (1980s) to allow “legal” (court-authorized) wiretapping of encrypted traffic
• AT&T encrypted telephone devices (1993): Analog → Digital → Encrypt … Decrypt → Digital → Analog
  – A unique session key is generated for each call and transmitted (inside the LEAF, see below)
• Each device’s unit key is split into two halves kept by two different escrow agencies
• Law enforcement agents need a court order to obtain the key halves (the unit is identified by information in the LEAF)
• Sealed, tamper-resistant encryption device
Clipper Chip
• Skipjack (algorithm)
• Clipper (chip implementing Skipjack and LEAF)
• MOSAIC (program)
• Capstone (cryptographic device with key exchange)
• Tessera (Capstone chip)
• Fortezza (Capstone chip)
• Escrowed Encryption Standard (EES)
Clipper (contd.)
Clipper Message Format
• S → R: {M}k ‖ LEAF
  – LEAF (Law Enforcement Access Field): { {k}u ‖ n ‖ a }f
  – M: 64-bit block (Skipjack block size)
  – k: 80-bit session key (generated per session and carried, encrypted, in the LEAF)
  – u: 80-bit unit key (unique to the Clipper unit; held in escrow)
  – n: 32-bit unit ID (unique to the Clipper unit; tells law enforcement which escrowed key to request)
  – a: 16-bit escrow authenticator (checksum that lets the receiver reject a forged LEAF)
  – f: 80-bit family key (common to the whole Clipper family; held by law enforcement)
Skipjack Algorithm
Algorithm Description
• 64-bit blocks; 32 cycles (rounds) with an 80-bit key
• Cycle Description (decryption runs the inverse rules in reverse order)
  – Rule A (8 steps) {Decryption: Rule B⁻¹ (8 steps)}
  – Rule B (8 steps) {Decryption: Rule A⁻¹ (8 steps)}
  – Rule A (8 steps) {Decryption: Rule B⁻¹ (8 steps)}
  – Rule B (8 steps) {Decryption: Rule A⁻¹ (8 steps)}
  – G_k permutation {Decryption: G_k⁻¹}: a 4-round Feistel structure on 16-bit words, used inside each rule
  – F table: fixed byte substitution table used inside G
Skipjack Algorithm (contd.)
Expected to be 36 years before the cost of breaking Skipjack equals the cost of breaking DES today (1993 review panel estimate)
• Skipjack was classified until 1998
• Abruptly declassified
• Problems remain with the escrow design (independent of the cipher’s strength)
  – Once a unit key (u) is known, all past, present and future transmissions of that unit are compromised
  – Knowing the unit key (u) also makes it possible to fabricate messages that appear to come from that unit
Advanced Encryption Std. (AES)
Rijndael Algorithm (Daemen and Rijmen; selected by NIST in 2000)
• Expected, when these slides were written, to become a federal standard by June 2001 (published as FIPS 197 in November 2001)
• Features
  – A system breaking DES in 1 second would take 149 trillion years to break a 128-bit AES key (smallest key size)
  – Very good performance in hardware and software
  – Wide range of computing environments
  – Variable block and key lengths, and number of cycles
  – Simplicity, low memory requirements, sound design
  – Suitable for ATM, HDTV, B-ISDN, voice, satellite (> 1 Gbit/s requires dedicated hardware)
AES (contd.)
Design Rationale
• Resistance to all known attacks
• Speed, code compactness, wide range of platforms (including smartcard applications)
• Design Simplicity
• Variable Block (Nb) and Key (Nk) sizes, in 4-byte words; number of rounds Nr = max(Nb, Nk) + 6
            Nb = 4    Nb = 6    Nb = 8
  Nk = 4:   Nr = 10   Nr = 12   Nr = 14
  Nk = 6:   Nr = 12   Nr = 12   Nr = 14
  Nk = 8:   Nr = 14   Nr = 14   Nr = 14
  (FIPS 197 fixes Nb = 4, a 128-bit block, so AES-128/192/256 use Nr = 10/12/14)
AES (contd.)
Details of AES Algorithm
• Most ciphers use a Feistel structure (some of the bits in intermediate states are simply transposed each round)
• Rijndael instead applies distinct invertible uniform transformations (layers) to the whole state in every round
• AES round
  – ByteSub: parallel S-boxes applied to every byte (the nonlinear layer)
  – ShiftRow: cyclic shift of the state rows (byte transposition that spreads bytes across columns)
  – MixColumn: linear mixing within each column (the diffusion layer; omitted in the last round)
  – AddRoundKey: XOR of the round key into the state
Pretty Good Privacy (PGP)
Hybrid System (Zimmermann, 1995)
• RSA (keys up to 2,047 bits) for key management (the session key is encrypted to the recipient’s public key)
• IDEA for data encryption
  – 64-bit plaintext blocks; 128-bit keys; 8 rounds
  – Operations: XOR; addition mod 2^16; multiplication mod 2^16 + 1 (which serves as the S-box)
• MD5 as a one-way hash function
  – The user’s private key is stored encrypted under a key derived by hashing the pass phrase
• Only after the recipient decrypts the message is it known who signed it
• Web of Trust (no central key certification authority; users sign each other’s keys)