Computer Security Basic Crypto

Post on 04-Jan-2016


Introduction

Cryptosystem: (E, D, M, K, C), where
• M is the set of plaintexts
• K the set of keys
• C the set of ciphertexts
• E: M × K → C the set of enciphering functions
• D: C × K → M the set of deciphering functions

Introduction

• Shift Cipher: M = C = K = Z26, with
-- eK(x) = x + K mod 26
-- dK(y) = y – K mod 26
where x, y are in Z26.

• Substitution Cipher: P = C = Z26, with K the set of permutations on Z26 and, for a permutation π in K,
-- eπ(x) = π(x)
-- dπ(y) = π^-1(y).

Cryptosystems: Block ciphers

The Shift Cipher and Substitution Cipher are block ciphers: successive plaintext elements (blocks) are encrypted using the same key. We now consider some other block ciphers.

• The Affine Cipher is a special case of the Substitution Cipher, with
-- eK(x) = ax + b mod 26
-- dK(y) = a^-1 y – a^-1 b mod 26
where a, b, x, y are in Z26 and a is invertible mod 26.
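The three monoalphabetic ciphers above, as an added example that is not part of the slides. Letters are mapped to Z26 in the usual way (A = 0, …, Z = 25), non-letters are dropped (an assumption made here), and the affine cipher refuses any a that is not invertible mod 26, which is exactly the condition the slide states:

```python
# Added example (not from the slides): shift, substitution and affine ciphers over Z26.
from math import gcd
import string

ALPHABET = string.ascii_uppercase   # letter i of this string is the element i of Z26
N = 26

def to_z26(text):
    """Letters -> elements of Z26; non-letters are dropped (our assumption)."""
    return [ALPHABET.index(c) for c in text.upper() if c in ALPHABET]

def from_z26(xs):
    return "".join(ALPHABET[x % N] for x in xs)

# Shift cipher: e_K(x) = x + K mod 26, d_K(y) = y - K mod 26
def shift_encrypt(text, k):
    return from_z26((x + k) % N for x in to_z26(text))

def shift_decrypt(text, k):
    return from_z26((y - k) % N for y in to_z26(text))

# Substitution cipher: the key is a permutation pi of Z26, given as a list with pi[x] = pi(x)
def substitution_encrypt(text, pi):
    return from_z26(pi[x] for x in to_z26(text))

def substitution_decrypt(text, pi):
    pi_inv = [0] * N
    for x, px in enumerate(pi):      # pi_inv[pi(x)] = x
        pi_inv[px] = x
    return from_z26(pi_inv[y] for y in to_z26(text))

# Affine cipher: e_K(x) = a x + b mod 26; a must be invertible mod 26, i.e. gcd(a, 26) = 1
def affine_encrypt(text, a, b):
    if gcd(a, N) != 1:
        raise ValueError("a=%d is not invertible mod 26" % a)
    return from_z26((a * x + b) % N for x in to_z26(text))

def affine_decrypt(text, a, b):
    a_inv = pow(a, -1, N)            # modular inverse (Python 3.8+); raises if gcd(a, 26) != 1
    return from_z26((a_inv * (y - b)) % N for y in to_z26(text))

def affine_as_permutation(a, b):
    """The affine cipher is a substitution cipher whose key is this particular permutation."""
    return [(a * x + b) % N for x in range(N)]

if __name__ == "__main__":
    print(shift_encrypt("ATTACK AT DAWN", 3))          # DWWDFNDWGDZQ
    print(affine_encrypt("HELLO", 5, 8))               # RCLLA
    print(substitution_encrypt("HELLO", affine_as_permutation(5, 8)))  # RCLLA again
```

The last line makes the "special case" claim concrete: encrypting with the permutation x ↦ 5x + 8 gives the same ciphertext as the affine cipher with a = 5, b = 8.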

Block ciphers

The Vigenère Cipher is polyalphabetic. Let m > 1.

• M = C = K = (Z26)^m
• For a key K = (k1, …, km):
-- eK(x1, …, xm) = (x1 + k1, …, xm + km)
-- dK(y1, …, ym) = (y1 – k1, …, ym – km)
where all operations are in Z26.

Block ciphers

The Hill Cipher is also polyalphabetic. Let m > 1.

• M = C = (Z26)^m, K is the set of all m by m invertible matrices over Z26
• For a key K:
-- eK(x) = xK
-- dK(y) = yK^-1
with all operations in Z26.

Block ciphers

The Permutation Cipher. Let m > 1.

M = C = (Z26)^m,
K is the set of all permutations of {1, …, m}.

• For a key (permutation) π:
-- eπ(x1, …, xm) = (xπ(1), …, xπ(m))
-- dπ(y1, …, ym) = (yπ^-1(1), …, yπ^-1(m))
where π^-1 is the inverse of π.
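The Vigenère, Hill and permutation ciphers of the last three slides, as an added example that is not part of the slides. The Hill inverse is computed over Z26 through the adjugate, K^-1 = det(K)^-1 · adj(K), which works exactly when det(K) is invertible mod 26 (the condition for K to be a valid key); the permutation is given 0-based, and a short final block is padded with X, both conventions assumed here:

```python
# Added example (not from the slides): Vigenere, Hill and permutation ciphers over Z26, block length m.
import math
import string

N = 26
ALPHABET = string.ascii_uppercase

def to_z26(text):
    """Letters -> elements of Z26; non-letters are dropped (our assumption)."""
    return [ALPHABET.index(c) for c in text.upper() if c in ALPHABET]

def from_z26(xs):
    return "".join(ALPHABET[x % N] for x in xs)

def blocks(xs, m):
    """Cut into blocks of length m, padding the last block with X (a constructed convention)."""
    xs = list(xs) + [ALPHABET.index("X")] * (-len(xs) % m)
    return [xs[i:i + m] for i in range(0, len(xs), m)]

# Vigenere: e_K(x1..xm) = (x1 + k1, ..., xm + km); the key word simply repeats along the text
def vigenere(text, keyword, decrypt=False):
    k = to_z26(keyword)
    sign = -1 if decrypt else 1
    return from_z26((x + sign * k[i % len(k)]) % N for i, x in enumerate(to_z26(text)))

# Hill: e_K(x) = xK for an invertible m x m matrix K over Z26; d_K(y) = yK^-1
def minor(M, i, j):
    return [row[:j] + row[j + 1:] for r, row in enumerate(M) if r != i]

def det(M):
    """Determinant by Laplace expansion along the first row (fine for the small m used here)."""
    if len(M) == 1:
        return M[0][0]
    return sum((-1) ** j * M[0][j] * det(minor(M, 0, j)) for j in range(len(M)))

def mat_inv_mod(K):
    """K^-1 over Z26 via the adjugate: K^-1 = det(K)^-1 * adj(K); needs gcd(det K, 26) = 1."""
    m, dK = len(K), det(K) % N
    if math.gcd(dK, N) != 1:
        raise ValueError("matrix is not invertible over Z26, so it is not a valid Hill key")
    d_inv = pow(dK, -1, N)
    return [[(d_inv * (-1) ** (i + j) * det(minor(K, j, i))) % N for j in range(m)] for i in range(m)]

def hill(text, K, decrypt=False):
    M = mat_inv_mod(K) if decrypt else K
    m, out = len(K), []
    for x in blocks(to_z26(text), m):
        # row vector x times matrix M, entry by entry mod 26
        out.extend(sum(x[i] * M[i][j] for i in range(m)) % N for j in range(m))
    return from_z26(out)

# Permutation cipher: e_pi(x1..xm) = (x_pi(1), ..., x_pi(m)); pi is 0-based here
def permutation(text, pi, decrypt=False):
    m = len(pi)
    if decrypt:                       # d_pi uses the inverse permutation
        pi_inv = [0] * m
        for i, p in enumerate(pi):
            pi_inv[p] = i
        pi = pi_inv
    out = []
    for x in blocks(to_z26(text), m):
        out.extend(x[pi[i]] for i in range(m))
    return from_z26(out)

if __name__ == "__main__":
    K = [[11, 8], [3, 7]]                       # det = 53 = 1 mod 26, so K is invertible
    print(hill("july", K), hill(hill("july", K), K, decrypt=True))   # DELW JULY
    print(vigenere("thiscryptosystemisnotsecure", "CIPHER"))        # VPXZGIAXIVWPUBTTMJPWIZITWZT
    print(permutation("SHESEL", [2, 5, 0, 4, 1, 3]))                 # ELSEHS
```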

Stream Ciphers

The ciphers considered so far are block ciphers.

Another type of cryptosystem is the stream cipher.

Stream Ciphers

• A synchronous stream cipher is a tuple (E, D, M, C, K, L, g) such that:
• M, C, K, E, D are as before.
• L is the keystream alphabet.
• g is the keystream generator: it takes as input a key K and outputs an infinite string z1, z2, … called the keystream, where the zi are in L.
• For each z in L there is an encryption rule ez in E and a decryption rule dz in D such that dz(ez(x)) = x for all plaintexts x in M.

Stream Ciphers

The Linear Feedback Shift Register or LFSR. The keystream is computed as follows. Let (k1, k2, …, km) be the initialized key vector at time t. At the next time unit the key vector is updated as follows:
-- k1 is tapped as the next keystream bit
-- k2, …, km are each shifted one place to the left
-- the "new" value of km is computed by

km+1 = Σ_{j=0}^{m-1} cj · kj+1 (mod 2)

Stream Ciphers

Let x1, x2, … be the plaintext (a binary string). Then the ciphertext is y1, y2, … where yi = xi + ki for i = 1, 2, … and the sum is bitwise xor.
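The LFSR recurrence and the stream cipher built on it, as an added example that is not part of the slides. The register is the key vector (k1, …, km) and the tap vector (c0, …, cm-1) defines the feedback sum from the slide; the period function shows why the choice of taps matters (the 4-bit register with taps c = (1, 1, 0, 0) runs through all 15 nonzero states, while c = (1, 0, 0, 0) merely rotates the register). Byte packing and the sample plaintext are constructed for the example:

```python
# Added example (not from the slides): LFSR keystream generator and the binary stream cipher on top of it.
def lfsr_keystream(key, taps, n):
    """Generate n keystream bits.
    key  = (k1, ..., km): initial register contents (list of bits)
    taps = (c0, ..., c_{m-1}): k_{m+1} = sum_{j=0}^{m-1} c_j * k_{j+1}  (mod 2)
    """
    state, out = list(key), []
    assert len(taps) == len(state)
    for _ in range(n):
        out.append(state[0])                                 # k1 is tapped as the next keystream bit
        new = sum(c * k for c, k in zip(taps, state)) % 2    # feedback bit
        state = state[1:] + [new]                            # shift left, new value becomes km
    return out

def lfsr_period(key, taps):
    """Number of steps until the register returns to its initial state (at most 2^m - 1)."""
    state, m = list(key), len(key)
    start = tuple(state)
    for step in range(1, 2 ** m + 1):
        new = sum(c * k for c, k in zip(taps, state)) % 2
        state = state[1:] + [new]
        if tuple(state) == start:
            return step
    return None   # only reachable for the all-zero key, which never returns anywhere useful

def bits_of(data):
    """bytes -> list of bits, most significant bit first (constructed packing convention)."""
    return [(b >> i) & 1 for b in data for i in range(7, -1, -1)]

def bytes_of(bits):
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))

def lfsr_encrypt(data, key, taps):
    """y_i = x_i XOR k_i; decryption is the same call, since XOR with the keystream is an involution."""
    bits = bits_of(data)
    return bytes_of([x ^ z for x, z in zip(bits, lfsr_keystream(key, taps, len(bits)))])

if __name__ == "__main__":
    key, taps = [1, 0, 0, 0], [1, 1, 0, 0]     # k5 = k1 + k2 mod 2
    print(lfsr_keystream(key, taps, 16))       # [1,0,0,0,1,0,0,1,1,0,1,0,1,1,1,1]
    print(lfsr_period(key, taps), lfsr_period(key, [1, 0, 0, 0]))   # 15 4
    ct = lfsr_encrypt(b"hello", key, taps)
    print(ct, lfsr_encrypt(ct, key, taps))     # ciphertext, then b'hello' again
```

Because everything after the first m bits is determined linearly by the register, a keystream of period 15 repeats after 15 plaintext bits; the slide's later remark that the LFSR stream cipher falls to a known plaintext attack follows directly from this linearity.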

Cryptanalysis Attacks on Cryptosystems

• Ciphertext only attack: the opponent possesses a string of ciphertexts: y1, y2, …

• Known plaintext attack: the opponent possesses a string of plaintexts x1, x2, … and the corresponding string of ciphertexts: y1, y2, …

Attacks on Cryptosystems

• Chosen plaintext attack: the opponent can choose a string of plaintexts x1, x2, … and obtain the corresponding string of ciphertexts: y1, y2, …

• Chosen ciphertext attack: the opponent can choose a string of ciphertexts: y1, y2, … and construct the corresponding string of plaintexts x1, x2, …

Cryptanalysis

• Cryptanalysis of the shift cipher and substitution cipher: ciphertext-only attack -- use statistical properties of the language.

• Cryptanalysis of the affine and Vigenère cipher: ciphertext-only attack -- use statistical properties of the language.

Cryptanalysis

• Cryptanalysis of the Hill cipher: Known plaintext attack

• Cryptanalysis of the LFSR stream cipher: Known plaintext attack

One time pad

This is a binary stream cipher whose key stream is a random stream

This cipher has perfect secrecy

Security

• Computational security: computationally hard to break; requires super-polynomial computations (in the length of the ciphertext).

• Provable security: security is reduced to a well studied problem thought to be hard, e.g. factorization.

• Unconditional security: no bound on computation; cannot be broken even with infinite power/space. The only way to break it is by "lucky" guessing.

Some Probability Theory

• The random variables X, Y are independent if:

Pr[x, y] = Pr[x] · Pr[y], for all x in X and y in Y.

In general,

Pr[x, y] = Pr[x|y] · Pr[y] = Pr[y|x] · Pr[x], for all x in X and y in Y.

Some Probability Theory

• Bayes' Law:

Pr[x|y] = Pr[y|x] · Pr[x] / Pr[y], for all x in X and y in Y with Pr[y] > 0.

• Corollary:

X, Y are independent random variables (r.v.) iff Pr[x|y] = Pr[x] for all x in X and y in Y.

Perfect secrecy

• A cryptosystem is perfectly secure if :

Pr[x|y] = Pr[x],

for all x in M and y in C

Perfect secrecy

Theorem

Let |K| = |C| = |M| for a cryptosystem. We have perfect secrecy iff:

• Every key is used with equal probability 1/|K|,

• For each x in P and y in C there is a unique key K in K that encrypts x to y.

One time pad

We have K = C = M = (Z2)^n.

Also, given x = x1, …, xn and y = y1, …, yn, the key K = K1, …, Kn is unique because K = x + y mod 2.

Finally, all keys are chosen equiprobably. Therefore, the one time pad has perfect secrecy.
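The perfect secrecy definition and the theorem above can be checked mechanically for small systems, and the following added example (not part of the slides) does so by enumeration: it computes Pr[x|y] through Bayes' law from Pr[x, y] = Pr[x] · Pr[k] summed over the keys with e_k(x) = y, then tests whether Pr[x|y] = Pr[x] for every x and y. The alphabet Z5 instead of Z26, the skewed plaintext source and the biased key distribution are all constructed for the example. It goes one step beyond the slide by showing two ways perfect secrecy is lost: keys that are not equiprobable, and one key reused for two letters, which is the one time pad's "never reuse the pad" rule in miniature:

```python
# Added example (not from the slides): checking perfect secrecy, Pr[x|y] = Pr[x], by exhaustive enumeration.
from fractions import Fraction as F

N = 5   # constructed toy alphabet Z_5 in place of Z_26, so that the tables stay small

def shift(x, k):                  # one-letter shift cipher: M = C = K = Z_N
    return (x + k) % N

def shift_twice(x, k):            # a two-letter block encrypted under ONE shift key (key reuse)
    return ((x[0] + k) % N, (x[1] + k) % N)

def posterior(encrypt, pr_x, pr_k):
    """Return {(x, y): Pr[x|y]}, from Pr[x, y] = sum over keys k with e_k(x) = y of Pr[x] Pr[k]."""
    joint, pr_y = {}, {}
    for x, px in pr_x.items():
        for k, pk in pr_k.items():
            y = encrypt(x, k)
            joint[(x, y)] = joint.get((x, y), F(0)) + px * pk
            pr_y[y] = pr_y.get(y, F(0)) + px * pk
    return {xy: p / pr_y[xy[1]] for xy, p in joint.items()}   # Bayes: Pr[x|y] = Pr[x,y] / Pr[y]

def is_perfectly_secret(encrypt, pr_x, pr_k):
    """Perfect secrecy: Pr[x|y] = Pr[x] for every plaintext x and every ciphertext y that can occur."""
    post = posterior(encrypt, pr_x, pr_k)
    ciphertexts = {y for (_, y) in post}
    return all(post.get((x, y), F(0)) == pr_x[x] for x in pr_x for y in ciphertexts)

# Constructed distributions: a skewed plaintext source, uniform keys, biased keys, uniform letter pairs.
SKEWED_PLAINTEXT = {0: F(1, 2), 1: F(1, 4), 2: F(1, 8), 3: F(1, 16), 4: F(1, 16)}
UNIFORM_KEY = {k: F(1, N) for k in range(N)}
BIASED_KEY = {0: F(1, 2), 1: F(1, 8), 2: F(1, 8), 3: F(1, 8), 4: F(1, 8)}
UNIFORM_PAIRS = {(a, b): F(1, N * N) for a in range(N) for b in range(N)}

if __name__ == "__main__":
    print(is_perfectly_secret(shift, SKEWED_PLAINTEXT, UNIFORM_KEY))     # True: one letter, fresh uniform key
    print(is_perfectly_secret(shift, SKEWED_PLAINTEXT, BIASED_KEY))      # False: keys not equiprobable
    print(is_perfectly_secret(shift_twice, UNIFORM_PAIRS, UNIFORM_KEY))  # False: y1 - y2 reveals x1 - x2
    print(posterior(shift, SKEWED_PLAINTEXT, BIASED_KEY)[(0, 0)])        # 4/5, against Pr[x=0] = 1/2
```

The first case is the theorem's "iff" seen from the other side: |K| = |C| = |M|, each key equiprobable, and exactly one key maps a given x to a given y. In the third case the key space (5 keys) is smaller than the message space (25 pairs), so the theorem's hypothesis fails and the difference of the two ciphertext letters leaks the difference of the plaintext letters.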

Kerckhoffs' assumption

The adversary knows all details of the encrypting function except the secret key.

DES

DES is a Feistel cipher.
• Block length 64 bits (effectively 56)
• Key length 56 bits
• Ciphertext length 64 bits

DES

It has a round function g for which:

g((Li-1, Ri-1), Ki) = (Li, Ri),

where Li = Ri-1 and Ri = Li-1 XOR f(Ri-1, Ki).

[Figures from the slides: DES round encryption; DES inner function; DES computation path]

Attacks on DES

• Brute force
• Linear cryptanalysis -- known plaintext attack
• Differential cryptanalysis -- chosen plaintext attack: modify plaintext bits, observe the change in the ciphertext

No dramatic improvement on brute force.

Countering Attacks

• Large keyspace combats brute force attack
• Triple DES (say EDE mode, 2 or 3 keys)
• Use AES

AES

Block length 128 bits. Key lengths 128 (or 192 or 256). The AES is an iterated cipher with Nr = 10 (or 12 or 14). In each round we have:
• Subkey mixing
• A substitution
• A permutation

Modes of operation

Four basic modes of operation are available for block ciphers:
• Electronic codebook mode: ECB
• Cipher block chaining mode: CBC
• Cipher feedback mode: CFB
• Output feedback mode: OFB

Electronic Codebook mode, ECB

Each plaintext xi is encrypted with the same key K:

yi = eK(xi).

So, the naïve use of a block cipher.

[Figure: ECB mode -- x1, x2, x3, x4 each pass through DES under the same key K, giving y1, y2, y3, y4]

Cipher Block Chaining mode, CBC

Each cipher block yi-1 is xor-ed with the next plaintext xi:

yi = eK(yi-1 XOR xi)

before being encrypted to get the next ciphertext yi.

The chain is initialized with an initialization vector y0 = IV whose length is the block size.

[Figure: CBC mode -- IV is xor-ed into x1; each DES output yi is xor-ed into the next plaintext xi+1 before encryption, giving y1, y2, y3, y4]

Cipher and Output feedback modes (CFB & OFB)

CFB: z0 = IV and recursively zi = eK(yi-1) and yi = xi XOR zi.

OFB: z0 = IV and recursively zi = eK(zi-1) and yi = xi XOR zi.
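The four modes, as an added example that is not part of the slides. Instead of DES the block cipher eK is a constructed keyed bijection on single bytes (an affine map on the key-masked byte, chosen only so that its inverse dK is trivial); it has no security value and stands in for a real block cipher purely so the chaining logic is visible. The sample plaintext, key and IV are constructed as well. The example shows the property that makes ECB the "naïve" mode: equal plaintext blocks give equal ciphertext blocks under ECB but not under CBC, and it shows that CFB and OFB never call dK at all:

```python
# Added example (not from the slides): ECB, CBC, CFB and OFB over a toy one-byte block cipher.
TOY_INV5 = 205   # 5 * 205 = 1025 = 1 mod 256, so multiplication by 5 is invertible on a byte

def e(K, x):
    """Toy keyed bijection on one byte standing in for DES/AES (constructed, not a real cipher)."""
    return ((x ^ K) * 5 + 17) % 256

def d(K, y):
    return (((y - 17) * TOY_INV5) % 256) ^ K

def ecb_encrypt(K, xs):
    return [e(K, x) for x in xs]                     # y_i = e_K(x_i), every block independently

def ecb_decrypt(K, ys):
    return [d(K, y) for y in ys]

def cbc_encrypt(K, iv, xs):
    ys, prev = [], iv                                # y_0 = IV
    for x in xs:
        prev = e(K, prev ^ x)                        # y_i = e_K(y_{i-1} XOR x_i)
        ys.append(prev)
    return ys

def cbc_decrypt(K, iv, ys):
    xs, prev = [], iv
    for y in ys:
        xs.append(d(K, y) ^ prev)                    # x_i = d_K(y_i) XOR y_{i-1}
        prev = y
    return xs

def cfb_encrypt(K, iv, xs):
    ys, prev = [], iv                                # z_0 = IV
    for x in xs:
        prev = x ^ e(K, prev)                        # z_i = e_K(y_{i-1}); y_i = x_i XOR z_i
        ys.append(prev)
    return ys

def cfb_decrypt(K, iv, ys):
    xs, prev = [], iv
    for y in ys:
        xs.append(y ^ e(K, prev))                    # only e_K is needed, never d_K
        prev = y
    return xs

def ofb_keystream(K, iv, n):
    zs, z = [], iv
    for _ in range(n):
        z = e(K, z)                                  # z_i = e_K(z_{i-1}), independent of the data
        zs.append(z)
    return zs

def ofb_xor(K, iv, blocks):
    """OFB encryption and decryption are the same operation: XOR with the keystream."""
    return [b ^ z for b, z in zip(blocks, ofb_keystream(K, iv, len(blocks)))]

SAMPLE = [0x41, 0x42, 0x41, 0x42]    # constructed plaintext with a repeated block
KEY, IV = 0x5A, 0x10                 # constructed key and IV

def ecb_leaks_repeats(K=KEY, xs=SAMPLE):
    """True when ECB maps equal plaintext blocks to equal ciphertext blocks."""
    ys = ecb_encrypt(K, xs)
    return ys[0] == ys[2]

if __name__ == "__main__":
    print(ecb_encrypt(KEY, SAMPLE))          # [152, 137, 152, 137]: the repeat shows through
    print(cbc_encrypt(KEY, IV, SAMPLE))      # [72, ...]: blocks 1 and 3 differ
    print(cfb_decrypt(KEY, IV, cfb_encrypt(KEY, IV, SAMPLE)) == SAMPLE)
    print(ofb_xor(KEY, IV, ofb_xor(KEY, IV, SAMPLE)) == SAMPLE)
```

Two details worth noticing in the code: CBC decryption xors with the previous ciphertext block, so a damaged yi corrupts only xi and xi+1; and in OFB the keystream depends only on K and IV, so the same (K, IV) pair used twice turns the mode into the reused-key stream cipher of the earlier slides.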

[Figures: CFB mode and OFB mode -- IV feeds eK, whose output zi is xor-ed with xi to give yi; in CFB the next input to eK is yi, in OFB it is zi]

Public Key Cryptography

Alice and Bob want to exchange a private key in public.

Alice → Bob: g^a mod p
Bob → Alice: g^b mod p

The private key is g^ab mod p, where p is a prime and g is a generator of Zp.

The RSA cryptosystem

Let n = pq, where p and q are primes. Let M = C = Zn, and let a, b be such that ab = 1 mod φ(n).

Define

eK(x) = x^b mod n and dK(y) = y^a mod n,

where x, y are in Zn.

Public key = (n, b), private key = (n, a).

Check

(Writing e for the public exponent b and d for the private exponent a.) We have ed = 1 mod φ(n), so ed = 1 + tφ(n).

Therefore, dK(eK(m)) = (m^e)^d = m^ed = m^(tφ(n)+1) = (m^φ(n))^t · m = 1 · m = m mod n.

Example

p = 101, q = 113, n = 11413. φ(n) = 100 × 112 = 11200 = 2^6 · 5^2 · 7.
For encryption use e = 3533. Then d = e^-1 mod 11200 = 6597.
Bob publishes n = 11413, e = 3533.
Suppose Alice wants to encrypt 9726. She computes 9726^3533 mod 11413 = 5761.
To decrypt it Bob computes 5761^6597 mod 11413 = 9726.

Security of RSA

1. Relation to factoring: recovering the plaintext m from an RSA ciphertext c is easy if factoring is possible.

2. The RSA problem: given (n, e) and c, compute m such that m^e = c mod n.

The Rabin cryptosystem

Let n = pq, with p, q primes and p, q ≡ 3 mod 4. Let P = C = Zn* and define K = {(n, p, q)}.

For K = (n, p, q) define

eK(x) = x^2 mod n

dK(y) = √y mod n

The value of n is the public key, while p, q are the private key.
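Rabin decryption, as an added example that is not part of the slides. The condition p, q ≡ 3 mod 4 is what makes the square root easy for the key holder: modulo such a prime, y^((p+1)/4) is a square root of any quadratic residue y, and the Chinese remainder theorem combines the roots mod p and mod q into roots mod n. The example shows the point the slide's formula √y hides: there are four square roots, so the receiver needs some redundancy in the plaintext to know which one was sent. The toy primes 7 and 11 and the plaintext 20 are constructed for the example:

```python
# Added example (not from the slides): Rabin encryption and the four square roots produced on decryption.
def sqrt_mod_prime(y, p):
    """A square root of y mod p for p = 3 mod 4 (the case the slide requires): r = y^((p+1)/4)."""
    assert p % 4 == 3, "this shortcut needs p = 3 mod 4"
    r = pow(y, (p + 1) // 4, p)
    if (r * r) % p != y % p:
        raise ValueError("y is not a quadratic residue mod %d" % p)
    return r

def crt(rp, p, rq, q):
    """Combine x = rp mod p and x = rq mod q into the unique x mod pq (Chinese remainder theorem)."""
    return (rp + p * (((rq - rp) * pow(p, -1, q)) % q)) % (p * q)

def rabin_encrypt(x, n):
    return (x * x) % n                            # e_K(x) = x^2 mod n, public key n

def rabin_decrypt(y, p, q):
    """d_K(y) = sqrt(y) mod n: all four candidates, from +-rp mod p combined with +-rq mod q."""
    rp, rq = sqrt_mod_prime(y, p), sqrt_mod_prime(y, q)
    return sorted({crt(sp, p, sq, q) for sp in (rp, p - rp) for sq in (rq, q - rq)})

P, Q = 7, 11          # constructed toy primes, both = 3 mod 4; n = 77

if __name__ == "__main__":
    y = rabin_encrypt(20, P * Q)                  # 15
    print(y, rabin_decrypt(y, P, Q))              # 15 [13, 20, 57, 64]; all four square to 15 mod 77
```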

The RSA digital signature scheme

Let n = pq, where p and q are primes. Let P = A = Zn, and define e, d such that ed = 1 mod φ(n).

Define

sigK(m) = m^d mod n

and verK(m, y) = true ⇔ y = m^e mod n,

where m, y are in Zn.

Public key = (n, e), private key = (n, d).
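Textbook RSA encryption (the RSA cryptosystem, Check and Example slides) and the RSA signature scheme just above, as one added example that is not part of the slides, using the slides' own parameters p = 101, q = 113, e = 3533. Signing is decryption applied to the message and verification recomputes y^e mod n and compares it with m, which is the inverse of signing by the identity derived on the Check slide. The function private_exponent_from_factor makes the "relation to factoring" concrete: one factor of n gives φ(n) and therefore d immediately.

```python
# Added example (not from the slides): textbook RSA encryption and RSA signatures with the slides' numbers.
from math import gcd

def rsa_keypair(p, q, e):
    """Return (n, e, d) with e*d = 1 mod phi(n); d comes from phi(n), i.e. from the factors of n."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be invertible mod phi(n)")
    return n, e, pow(e, -1, phi)          # modular inverse (Python 3.8+)

def rsa_encrypt(m, n, e):
    return pow(m, e, n)                   # e_K(x) = x^e mod n, public key (n, e)

def rsa_decrypt(c, n, d):
    return pow(c, d, n)                   # d_K(y) = y^d mod n, private key (n, d)

def rsa_sign(m, n, d):
    return pow(m, d, n)                   # sig_K(m) = m^d mod n

def rsa_verify(m, y, n, e):
    return pow(y, e, n) == m % n          # accept iff y^e mod n gives back m

def private_exponent_from_factor(n, e, p):
    """'Relation to factoring': one factor p of n yields phi(n) and hence the private exponent d."""
    q = n // p
    assert p * q == n, "p does not divide n"
    return pow(e, -1, (p - 1) * (q - 1))

def decrypts_everything(n, e, d):
    """Exhaustively confirm the Check slide, m^(ed) = m mod n, for every m in Zn."""
    return all(pow(pow(m, e, n), d, n) == m for m in range(n))

if __name__ == "__main__":
    n, e, d = rsa_keypair(101, 113, 3533)
    print(n, d)                                    # 11413 6597
    c = rsa_encrypt(9726, n, e)
    print(c, rsa_decrypt(c, n, d))                 # 5761 9726
    y = rsa_sign(9726, n, d)
    print(rsa_verify(9726, y, n, e), rsa_verify(9727, y, n, e))   # True False
    print(private_exponent_from_factor(n, e, 101)) # 6597
```

Nothing here pads or hashes the message; that is the textbook scheme exactly as the slides state it, which is why the signature of a message is just its "decryption" and why m = 0 or m = 1 would produce the trivial signature 0 or 1.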

The Digital Signature Algorithm

Let p be an L-bit prime, 512 ≤ L ≤ 1024 and L ≡ 0 mod 64; let q be a 160-bit prime that divides p – 1, and let α in Zp* be a q-th root of 1 modulo p. Let M = Zp-1, A = Zq × Zq and K = {(x, y): y = α^x mod p}.

• The public key is p, q, α, y.
• The private key is (p, q, α), x.

The Digital Signature scheme

• Signing

Let m in Zp-1 be a message. For public key p, q, α, y, with y = α^x mod p, and secret random number k in Zp-1, define sigK(m, k) = (s, t), where

-- s = (α^k mod p) mod q
-- t = (SHA-1(m) + xs) k^-1 mod q

• Verification

Let
-- e1 = SHA-1(m) t^-1 mod q
-- e2 = s t^-1 mod q

verK(m, (s, t)) = true ⇔ (α^e1 y^e2 mod p) mod q = s.
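The DSA signing and verification formulas above, as an added example that is not part of the slides. The parameters p = 7879 and q = 101 (7879 – 1 = 78 · 101) are constructed toy values far below the 512 to 1024-bit range the slide prescribes, α is found as g^((p-1)/q) mod p for the first base g that does not give 1, SHA-1 is the hash the slide names and is reduced mod q (an assumption made here), and k is drawn fresh with the secrets module for every signature. Verification passes because (SHA-1(m) + xs) t^-1 = k mod q, so α^e1 y^e2 = α^k mod p, which is why α must have order exactly q:

```python
# Added example (not from the slides): DSA signing and verification with toy-size parameters.
import hashlib
import secrets

P, Q = 7879, 101          # constructed toy parameters with q | p - 1; real DSA uses far larger primes

def qth_root_of_unity(p, q):
    """alpha in Zp* of order q: alpha = g^((p-1)/q) mod p for the first g for which alpha != 1."""
    for g in range(2, p):
        alpha = pow(g, (p - 1) // q, p)
        if alpha != 1:
            return alpha
    raise ValueError("no element of order q found")

ALPHA = qth_root_of_unity(P, Q)

def h(m, q=Q):
    """SHA-1(m) as an integer reduced mod q (the reduction is our assumption)."""
    return int.from_bytes(hashlib.sha1(m).digest(), "big") % q

def keygen(p=P, q=Q, alpha=ALPHA):
    x = secrets.randbelow(q - 1) + 1               # private x in [1, q-1]
    return x, pow(alpha, x, p)                     # public y = alpha^x mod p

def sign(m, x, p=P, q=Q, alpha=ALPHA):
    while True:
        k = secrets.randbelow(q - 1) + 1           # fresh secret k for every signature
        s = pow(alpha, k, p) % q                   # s = (alpha^k mod p) mod q
        t = ((h(m, q) + x * s) * pow(k, -1, q)) % q   # t = (SHA-1(m) + x s) k^-1 mod q
        if s != 0 and t != 0:                      # retry on the degenerate cases
            return s, t

def verify(m, sig, y, p=P, q=Q, alpha=ALPHA):
    s, t = sig
    if not (0 < s < q and 0 < t < q):              # reject out-of-range values before inverting t
        return False
    t_inv = pow(t, -1, q)
    e1 = (h(m, q) * t_inv) % q                     # e1 = SHA-1(m) t^-1 mod q
    e2 = (s * t_inv) % q                           # e2 = s t^-1 mod q
    return (pow(alpha, e1, p) * pow(y, e2, p) % p) % q == s

if __name__ == "__main__":
    x, y = keygen()
    sig = sign(b"constructed message", x)
    print(ALPHA, sig)
    print(verify(b"constructed message", sig, y))  # True
    print(verify(b"tampered message", sig, y))     # False (except with probability about 1/q)
```

The range check in verify is the one step the slide's formula does not spell out: without it a signature with t = 0 would make t^-1 undefined, and s = 0 would let the left-hand side of the check be matched trivially.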