Computer SecuritySet of slides 2

Dr Alexei Vernitski

Cryptography

• Codes• Ciphers

(read more in the textbooks)

Example of code: Morse code

For discussion

• In what circumstances would one want to use Morse code?

• For example:– Is Morse code suitable for storing data?– Is Morse code suitable for protecting data

confidentiality?

Example of code: ASCII code97 is a98 is b99 is c

100 is d101 is e102 is f103 is g104 is h105 is i106 is j107 is k108 is l

109 is m

110 is n111 is o112 is p113 is q114 is r115 is s116 is t117 is u118 is v119 is w120 is x121 is y122 is z

Example of code: ASCII code1100001 is a1100010 is b1100011 is c1100100 is d1100101 is e1100110 is f1100111 is g1101000 is h1101001 is i1101010 is j1101011 is k1101100 is l

1101101 is m

1101110 is n1101111 is o1110000 is p1110001 is q1110010 is r1110011 is s1110100 is t1110101 is u1110110 is v1110111 is w1111000 is x1111001 is y1111010 is z

For discussion

• In what circumstances would one want to use ASCII code?

• For example:– Is ASCII code suitable for storing data?– Is ASCII code suitable for protecting data

confidentiality?

Encoding data in computers

• Characters are encoded as numbers• Numbers are encoded as binary numbers –

why? • Binary numbers are stored as sequences of bits• Memory for storing numbers is allocated in

blocks of a standard length, for example, 1 byte = 8 bits

• Each ASCII code is 7 bits• A byte contains 8 bits – why?

Example of cipher: Dorabella cipher

• This note was sent by the composer Elgar to his young friend Dora Penny

• It is still unknown what is written in the note

Cryptography

• Codes• Ciphers

Examples of codes:• Morse code• ASCII code

Example of cipher:• Dorabella cipher

Example: letter to John TrevanionWorthie Sir John:-

Hope, that is ye beste comfort of ye afflicted, cannot much, I fear me, help you now. That I would saye to you, is this only: if ever I may be able to requite that I do owe you, stand not upon asking me. 'Tis not much that I can do: but what I can do, bee ye verie sure I wille. I knowe that, if dethe comes, if ordinary men fear it, it frights not you, accounting it for a high honor, to have such a rewarde of your loyalty. Pray yet that you may be spared this soe bitter, cup. I fear not that you will grudge any sufferings; only if bie submission you can turn them away, 'tis the part of a wise man. Tell me, an if you can, to do for you anythinge that you wolde have done. The general goes back on Wednesday. Restinge your servant to command. - R.T.

Example: letter to John TrevanionWorthie Sir John:-

Hope, that is ye beste comfort of ye afflicted, cannot much, I fear me, help you now. That I would saye to you, is this only: if ever I may be able to requite that I do owe you, stand not upon asking me. 'Tis not much that I can do: but what I can do, bee ye verie sure I wille. I knowe that, if dethe comes, if ordinary men fear it, it frights not you, accounting it for a high honor, to have such a rewarde of your loyalty. Pray yet that you may be spared this soe bitter, cup. I fear not that you will grudge any sufferings; only if bie submission you can turn them away, 'tis the part of a wise man. Tell me, an if you can, to do for you anythinge that you wolde have done. The general goes back on Wednesday. Restinge your servant to command. - R.T.

Cryptography

• Cryptography• Steganography

Example of cryptography:• Dorabella cipher

Example of steganography:• John Trevanion’s letter

Digital steganography

• Information can be hidden in picture files or video files

• We shall look at one example:– 24-bit BMP file format

24-bit BMP file format

• Each pixel of the picture is defined individually by three bytes

• Each of the three bytes corresponds to one colour component of the pixel:– Red– Green– Blue

• Thus, the intensity of each of these three colours is in the range 0-255.

24-bit BMP file format

• I am showing you a very simple example (based on a black square)

• The code I used is taken from here:http://pseentertainmentcorp.com/smf/index.php?topic=2034.0

For discussion

• Suppose you plan to use steganography. • Would you also consider using cryptography in

combination with steganography?

Symmetric block ciphers

• Ciphers• Blocks• Keys• Attacks

(read more in the textbooks)(note that today we shall consider only very simple examples, not useful in practice)

Caesar cipher without key

• Today, in all examples, a block is a letter• Each block is encrypted separately, using

exactly the same algorithm• Encryption:

A → B → C → … → Y → Z → A• Decryption:

A → Z → Y → … → C → B → A

“Cipher” without key

Encryptionalgorithm

plaintext

ciphertext

Decryptionalgorithm

ciphertext

plaintext

Caesar cipher without key

• Encryption:A → B → C → … → Y → Z → A

• Decryption:A → Z → Y → … → C → B → A

• It is a block cipher (in this case, block=letter)

• Is this cipher secure?

Caesar cipher with key

• Key k is a number between 1 and 25• Encryption:

each letter is moved k positions to the right in the alphabet

• Decryption:each letter is moved k positions to the left in the alphabet

Cipher with key

Encryptionalgorithm

plaintext

ciphertext

Decryptionalgorithm

ciphertext

plaintext

key

key

Kerckhoffs's principle

• One must assume that everything about the cipher, including the encryption and decryption algorithms, are known to the attacker

• Only the key is not known to the attacker, and confidentiality must be based on this assumption

Symmetric cipher

• Both to encrypt and to decrypt you need a key, and this is the same key in both cases

• Such a cipher is called symmetric (the same key for both encryption and decryption)

• Most ciphers are symmetric

Attack

• The algorithm is known• Find the plaintext• Find the key

Caesar cipher with key: an attack

• Key k is a number between 1 and 25• Because there are not so many keys, we can

build a table of all possible keys, or simply try all possible keys one after another

• This attack is called exhaustive key search, or brute force attack

Substitution cipher

• A table of correspondences is prepared• Letters in the second row are placed in a random order• (Note that the table is not likely to be stored as a table

with two rows when you implement the cipher)

A B C … X Y ZK U D H M Y

Substitution cipher

• Encryption:find the letter in the first row and replace by the corresponding letter in the second row

• Decryption:find the letter in the second row and replace by the corresponding letter in the first row

A B C … X Y ZK U D H M Y

Substitution cipher: attack?

• Now, there are many keys• How many?• 26 25 24 … 2 1• This is what is denoted by 26!• We cannot use exhaustive key search

Substitution cipher: attack 1

• However, we have not so many blocks (26).• We can successfully use the known plaintext

attack• See a separate example

Substitution cipher: attack 2

• We can use frequency analysis• Example from E. A. Poe• Example from A. Conan Doyle• A more realistic example• Example: Dorabella cipher

Frequency analysis: example

• This is the substitution cipher from Edgar Allan Poe’s story ‘The Gold-Bug’ (1843).

• 53‡‡†305))6*;4826)4‡.)4‡);806*;48†8• “Now, in English, the letter which most

frequently occurs is e. Afterwards, the succession runs thus: a o i d h n r s t u y c f g l m w b k p q x z.”

• Then the character successfully decrypts the cipher

Frequency analysis: example

• This is the substitution cipher from Arthur Conan Doyle’s story ‘The Adventure of the Dancing Men’ (1903)

The Adventure of the Dancing Men

• Having once recognised, however, that the symbols stood for letters, and having applied the rules which guide us in all forms of secret writings, the solution was easy enough. The first message submitted to me was so short that it was impossible for me to do more than to say with some confidence that the symbol stood for E. As you are aware, E is the most common letter in the English alphabet, and it predominates to so marked an extent that even in a short sentence one would expect to find it most often. Out of fifteen symbols in the first message four were the same, so it was reasonable to set this down as E.

A more realistic example

• It is a truth universally acknowledged that a single man in possession of a good fortune, must be in want of a wife.

• ot os i trmtn mhoversiddc ipkhafdelwel tnit i sohwde yih oh gassessoah au i waal uartmhe ymst be oh fiht au i foue

• The second fragment is produced by applying a substitution cipher and then breaking it with frequency analysis

Frequency analysis

• Simple frequency analysis based only on frequency of individual letters is unlikely to be very successful

• It is possible to use more advanced statistical techniques to analyse the ciphertext, assuming we know the statistical properties of the plaintext

• Example of a more advanced solver• http://www.blisstonia.com/software/WebDecrypto/index.php

Dorabella cipher

Dorabella cipher

1, 12, 4, 0, 2, 7, 20, 0, 11, 22, 3, 16, 17, 5, 16, 6, 16, 16, 7, 12, 12, 16, 5, 20, 22, 23, 8, 3, 1520, 16, 20, 7, 20, 0, 11, 10, 0, 4, 16, 16, 4, 7, 8, 17, 20, 16, 3, 16, 7, 19, 15, 17, 5, 23, 11, 11, 23, 3, 154, 15, 7, 19, 15, 4, 5, 19, 18, 8, 15, 4, 16, 7, 19, 17, 15, 8, 0, 12, 8, 15, 7, 0, 8, 23, 0

Frequency of letters in English language

Symbol frequencies in Dorabella cipher and in an average English text

‘Decryption’ of Dorabella cipher

• This is an example of what a simple frequency analysis produces and a ‘decryption’:wlioytsodfheurepeetllersfmnha sestsodboieeitnusehetcaurmddmha iatcaircgnaietcuanolnatonmo

• More advanced versions of frequency analysis also cannot break Dorabella cipher

• Probably, in this cipher not only substitutions, but also permutations are used.

What we have considered today:Examples of ciphers

What we have considered today: Types of attack

Sample exam questions

• Explain briefly the difference between a code and a cipher. Give one example of a code and one example of a cipher, explaining briefly why these examples demonstrate well the difference between codes and ciphers.

Sample exam questions

• Describe an example of a technology which can be classified as steganography. Explain why you would classify it as steganography.

Sample exam questions

• Give a short definition of how the brute force attack works.

• Explain briefly why Caesar’s cipher can be attacked using the brute force attack, whereas the substitution cipher cannot.

• More generally, explain which types of ciphers are vulnerable to the brute force attack, and which are not.

Sample exam questions

• Explain why frequency analysis can be successfully used for attacking the substitution cipher.

• Suggest one parameter of a cipher which is likely to make it less vulnerable to frequency analysis.