CS682 – Advanced Security Topics - UCY

The Need for Cryptography
• People have always had secrets
• Ordinary applications are based on secrecy
  – e.g., elections (or e-voting)
• Machines need to verify information
  – detect errors
• Unforgeable information
  – ordinary signatures vs digital signatures
• Many new applications
  – From car keys to smart cards, and cell phones

Crypto Roadmap
• Basic Concepts
• Symmetric Ciphers
• Asymmetric Ciphers
• Cryptographic Hash Functions
• Digital Signatures
• Random Numbers

Basic Concepts
[Figure: a crypto system turns plain text into cipher text; diagram labels: Secret, Secret, Public, Public]

Security via Obscurity
• All crypto algorithms are assumed to be known
• Security is based on
  – Secrecy of the key
  – Hard to infer the plaintext via the ciphertext
• Cryptanalysis
  – Infer the plaintext from ciphertext without knowing the key

Simple Example
X → X + key (i.e., ‘a’ becomes ‘d’)
Plaintext: a simple message
Key: 3
Ciphertext: dcwlpsohcphwwdjh
Invented by Julius Caesar!
C = P + K mod 26 (assuming an alphabet of 26 letters!)

Monoalphabetic ciphers
• Assume an alphabet
  – abcdefghijklmnopqrstuvwxyz_
• Index the letters
  – a is 1, b is 2, c is 3, …, z is 26, _ is 27
• Select a key (secret), which shifts the order
  – Assuming the key is 3, then a is shifted three letters and becomes d, and z becomes b (wraps around the alphabet)

Multiple and Running Keys
• Vigenere Cipher
  – Polyalphabetic Substitution Ciphers
Key = r, u, n (three Caesar’s keys)
Plaintext:  tobeornottobethatisthequestion
Key:        runrunrunrunrunrunrunrunrunrun
Ciphertext: KIOVIEEIGKIOVNURNVJNUVKHVMGZIA

Secure Enough?

Frequency Analysis
• At the ciphertext: [figure: letter frequencies, not preserved]
• English text: [figure: letter frequencies, not preserved]
• Example [figure not preserved]
• Repeat [figure not preserved]

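Why the repeating key r, u, n is not secure enough, as an added example that is not part of the original slides: the repeated plaintext "tobe" meets the same key letters twice, so the ciphertext repeats too, and the spacing of the repeats exposes the key length (Kasiski's method, the step before per-column frequency analysis). The function names are hypothetical; the plaintext, key and ciphertext are the ones on the slide.

```python
from collections import defaultdict
from functools import reduce
from math import gcd

A = ord("a")


def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Shift every letter by the matching key letter: C = P + K mod 26."""
    sign = -1 if decrypt else 1
    out = []
    for i, ch in enumerate(text.lower()):
        shift = ord(key[i % len(key)]) - A
        out.append(chr((ord(ch) - A + sign * shift) % 26 + A))
    return "".join(out)


def repeated_ngrams(ciphertext: str, n: int = 3) -> dict:
    """Map every n-gram that occurs more than once to its start positions."""
    seen = defaultdict(list)
    for i in range(len(ciphertext) - n + 1):
        seen[ciphertext[i:i + n]].append(i)
    return {gram: pos for gram, pos in seen.items() if len(pos) > 1}


def kasiski_key_lengths(ciphertext: str, n: int = 3) -> list:
    """Candidate key lengths: divisors (>1) of the gcd of all repeat spacings."""
    spacings = [b - a
                for pos in repeated_ngrams(ciphertext, n).values()
                for a, b in zip(pos, pos[1:])]
    if not spacings:
        return []          # no repeats: the text is too short to say anything
    g = reduce(gcd, spacings)
    return [d for d in range(2, g + 1) if g % d == 0]


PLAIN = "tobeornottobethatisthequestion"   # plaintext from the slide
KEY = "run"                                # key from the slide
CIPHER = vigenere(PLAIN, KEY).upper()

if __name__ == "__main__":
    print("ciphertext      :", CIPHER)
    print("repeated 3-grams:", repeated_ngrams(CIPHER))
    print("key lengths     :", kasiski_key_lengths(CIPHER))
```

Once a candidate length is known, every len(key)-th letter was shifted by the same Caesar key, so each column can be attacked with ordinary letter-frequency analysis given enough ciphertext.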
One-Time Pad
• Pushing Vigenere to the extreme!
  – Size of key is size of plaintext
  – Avoid repeated patterns
Plain:  helpsnowden
Key:    jitwojsktuw
Cipher: qmelgwggwyj
Key integrity:
Cipher: qmelgwggwyj
Key:    kejhopsktuw
Plain:  givesnowden
Message integrity:
Key:    jitwojsktuw
Cipher: pqoagwggwyj
Plain:  givesnowden

One-Time Pad
Plain:  heilhitler
Key:    wclnbtdefj
Cipher: DGTYIBWPJA
Key integrity:
Cipher: DGTYIBWPJA
Key:    wggsbtdefj
Plain:  hanghitler
Message integrity:
Cipher: DCYTIBWPJA
Key:    wclnbtdefj
Plain:  hanghitler

One-time Pad
• Pros
  – Perfect secrecy
• Cons
  – Impractically long key
  – Key integrity: given a cipher, you can select another key that produces a different valid plaintext
  – Message integrity: given a key, you can select a ciphertext that produces the desired plaintext

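The two integrity problems listed above, worked through on the "helpsnowden" values from the earlier slide (an added example, not part of the original slides; function names are hypothetical). It shows that a one-time pad hides the message but does nothing to bind the ciphertext to one key or one plaintext.

```python
A = ord("a")


def _combine(x: str, y: str, sign: int) -> str:
    """Letter-wise x + sign*y mod 26; both strings must have equal length."""
    if len(x) != len(y):
        raise ValueError("one-time pad needs key and text of equal length")
    return "".join(chr((ord(a) - A + sign * (ord(b) - A)) % 26 + A)
                   for a, b in zip(x.lower(), y.lower()))


def otp_encrypt(plain: str, key: str) -> str:
    return _combine(plain, key, +1)          # C = P + K mod 26


def otp_decrypt(cipher: str, key: str) -> str:
    return _combine(cipher, key, -1)         # P = C - K mod 26


def key_explaining(cipher: str, claimed_plain: str) -> str:
    """Key integrity: K' = C - P' makes the same ciphertext decrypt to P'."""
    return _combine(cipher, claimed_plain, -1)


def rewrite_ciphertext(cipher: str, known_plain: str, wanted_plain: str) -> str:
    """Message integrity: C' = C + (P' - P), computed without the key."""
    delta = _combine(wanted_plain, known_plain, -1)
    return _combine(cipher, delta, +1)


PLAIN = "helpsnowden"      # values from the slide
KEY = "jitwojsktuw"
CIPHER = otp_encrypt(PLAIN, KEY)

if __name__ == "__main__":
    print("cipher:", CIPHER)

    # Same ciphertext, different key: a different but valid plaintext.
    other_key = key_explaining(CIPHER, "givesnowden")
    print("other key decrypts to:", otp_decrypt(CIPHER, other_key))

    # Same key, altered ciphertext: the receiver sees the altered message
    # and has no way to notice, because nothing authenticates the ciphertext.
    altered = rewrite_ciphertext(CIPHER, PLAIN, "givesnowden")
    print("altered cipher:", altered, "->", otp_decrypt(altered, KEY))

    # Perfect secrecy seen from the other side: every plaintext of the same
    # length is explained by some key, so the ciphertext alone rules out none.
    for guess in ("attackatten", "retreatnoww"):   # constructed guesses
        assert otp_decrypt(CIPHER, key_explaining(CIPHER, guess)) == guess
```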
Block Ciphers
• So far, we:
  – Treat the message as a one-dimensional stream
  – Use only substitution
  – We just shift letters (i.e., C = P + K mod 26)
• Block Ciphers
  – Split message into equally sized blocks
  – Encrypt each block

Playfair (rule 1)
P A L M E
R S T O N
B C D F G
H I K Q U
V W X Y Z
If two letters are in the same row (or column) they are replaced by the succeeding letters: am becomes LE

Playfair (rule 2)
Otherwise the two letters stand at two of the corners of the rectangle in the table, and we replace them with the letters at the other two corners of this rectangle: lo becomes MT

Playfair Algorithm
• Replace all j with i in plaintext
• Split plaintext in two-letter blocks
• Double letters are separated by x
• z is used (conditionally) for padding
• Apply Rule 1 and 2

Example
Lord Granville
lo rd gr an vi lx le sl et te rz
MT TB BN ES WH TL MR TA LN NL NV

SYMMETRIC CIPHERS

Hill Cipher
• Each letter is interpreted as a number (0-25)
• Message is written as a matrix
  – CAT becomes: $M = \begin{pmatrix} 2 \\ 0 \\ 19 \end{pmatrix}$
• For encryption
  – $C = KM$
  – $M = K^{-1} C$

Transposition
• Produces a new permutation of the message
• Does not change the statistics of the message
• Easiest way to implement it is by matrix multiplication
• Initial order: [1, 2, 3, 4, 5]
• If you want to produce [3, 1, 2, 5, 4] you need to multiply it using
  0 1 0 0 0
  0 0 1 0 0
  1 0 0 0 0
  0 0 0 0 1
  0 0 0 1 0

Basic Operations
• Substitution (αντικατάσταση)
  – Changes the statistics of the message by substituting letters with other letters
• Transposition (μετάθεση)
  – Reorders the letters of the message
• Both are linear operations (reversible)

Symmetric Ciphers
• Relatively fast
• One key encrypts and decrypts
• Block-based or Stream-based
• Several rounds
  – Substitutions and Transpositions
  – Not on letters, but on bits (or bytes)
• Major weakness
  – Key distribution

[Figure: Plain Text → Symmetric Cryptographic Encryption → Cipher Text → Symmetric Cryptographic Decryption → Plain Text]

Modern Symmetric Ciphers
• DES, 3DES, and AES
  – AES is the dominant one, today
• Based on
  – Substitutions and transpositions
• Very complex
• Type
  – Block
  – Stream

Block vs Stream
• Block cipher
  – A block of plaintext is treated as a whole and used to produce a block of ciphertext of equal length
  – Typically, a block size of 64 or 128 bits is used
• Stream cipher
  – Plaintext is treated as a data stream and one bit or one byte is processed at a time

Block cipher
• Plaintext of n bits produces a ciphertext of n bits
  – Block size: n bits
• Space of different plaintext blocks: 2^n
  – Each block must be unique

Reversibility
REVERSIBLE MAPPING        IRREVERSIBLE MAPPING
Plaintext  Ciphertext     Plaintext  Ciphertext
00         11             00         11
01         10             01         10
10         00             10         01
11         01             11         01

Ideal Substitution Cipher
Mapping: key 4 bits x 16 rows = 64 bits!

Problems
• Vulnerable to statistical attacks
  – Small blocks can take limited transformations
  – Large blocks (increase n) are impractical
• Key size: 4 bits x 16 rows
  – In general: n x 2^n
  – Approximate the ideal case
  – Example: 64-bit block requires a key of 64 x 2^64 = 10^21 bits (!!)

Practical Ciphers
• Goal
  – Approximate the ideal cipher
  – Reduce statistical properties between plaintext, ciphertext, and key(s)
• Combining Substitutions and Transpositions
  – Substitution: Each plaintext element or group of elements is uniquely replaced by a corresponding ciphertext element or group of elements
  – Transposition: A sequence of plaintext elements is replaced by a permutation of that sequence; no elements are added or deleted or replaced in the sequence, rather the order in which the elements appear in the sequence is changed

Information Theory Approach
• Confusion
  – Obscures the relationship between the plaintext and the ciphertext
  – The easiest way to do this is through substitution
• Diffusion
  – Reduces repeated plaintext patterns by spreading out the plaintext over the ciphertext
  – The easiest way to do this is through transposition

Realizing Substitution (S-box)
• Mapping 6 bits of input to 4 bits (taken from DES)
• Example: 011011
S-box (columns: middle 4 bits of input; rows: outer bits)
     0000 0001 0010 0011 0100 0101 0110 0111 1000 1001 1010 1011 1100 1101 1110 1111
00   0010 1100 0100 0001 0111 1010 1011 0110 1000 0101 0011 1111 1101 0000 1110 1001
01   1110 1011 0010 1100 0100 0111 1101 0001 0101 0000 1111 1010 0011 1001 1000 0110
10   0100 0010 0001 1011 1010 1101 0111 1000 1111 1001 1100 0101 0110 0011 0000 1110
11   1011 1000 1100 0111 0001 1110 0010 1101 0110 1111 0000 1001 1010 0100 0101 0011

Super Complicated!
http://www.moserware.com/2009/09/stick-figure-guide-to-advanced.html

Properties
• Block size:
  – Larger block sizes mean greater security but reduced encryption/decryption speed for a given algorithm
  – A block size of 64 bits is a reasonable tradeoff
  – AES uses a 128-bit block size
• Key size:
  – Larger key size means greater security but may decrease encryption/decryption speed
  – Key sizes of 64 bits or less are now widely considered to be inadequate, and 128 bits has become a common size
• Number of rounds:
  – Several rounds are involved
  – A typical size is 16 rounds
• Subkey generation algorithm:
  – Greater complexity in this algorithm should lead to greater difficulty of cryptanalysis

Extra (desired) properties
• Fast software encryption/decryption:
  – In many cases, encryption is embedded in applications or utility functions in such a way as to preclude a hardware implementation
• Ease of analysis:
  – There is great benefit in making the algorithm easy to analyze
  – It is easier to analyze that algorithm for cryptanalytic vulnerabilities and therefore develop a higher level of assurance as to its strength
  – DES, for example, does not have an easily analyzed functionality

Block modes
Mode | Description | Typical Application
Electronic Codebook (ECB) | Each block of 64 plaintext bits is encoded independently using the same key. | Secure transmission of single values (e.g., an encryption key)
Cipher Block Chaining (CBC) | The input to the encryption algorithm is the XOR of the next 64 bits of plaintext and the preceding 64 bits of ciphertext. | General-purpose block-oriented transmission; Authentication
And some more: PCBC, CFB, OFB, CTR

Block mode is important
[Figure: three images side by side: Original, ECB encryption, Non-ECB encryption]

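The same effect on bytes instead of an image, as an added example that is not part of the original slides: ECB maps equal plaintext blocks to equal ciphertext blocks, while CBC as described in the table does not. The 64-bit Feistel cipher built on SHA-256, the key, the IV and the sample record are constructed stand-ins for a real block cipher and real data.

```python
import hashlib

BLOCK = 8  # 64-bit blocks, as in the mode table above


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(half: bytes, key: bytes, rnd: int) -> bytes:
    """Toy round function: first 4 bytes of SHA-256(key || round || half)."""
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]


def encrypt_block(block: bytes, key: bytes, rounds: int = 8) -> bytes:
    """Feistel network: (L, R) -> (R, L xor F(R)), repeated per round."""
    left, right = block[:4], block[4:]
    for r in range(rounds):
        left, right = right, _xor(left, _round(right, key, r))
    return left + right


def decrypt_block(block: bytes, key: bytes, rounds: int = 8) -> bytes:
    left, right = block[:4], block[4:]
    for r in reversed(range(rounds)):
        left, right = _xor(right, _round(left, key, r)), left
    return left + right


def _blocks(data: bytes) -> list:
    if len(data) % BLOCK:
        raise ValueError("input must be a multiple of the block size")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(data: bytes, key: bytes) -> bytes:
    """Every block is encrypted independently with the same key."""
    return b"".join(encrypt_block(b, key) for b in _blocks(data))


def cbc_encrypt(data: bytes, key: bytes, iv: bytes) -> bytes:
    """Each plaintext block is XORed with the preceding ciphertext block."""
    prev, out = iv, []
    for b in _blocks(data):
        prev = encrypt_block(_xor(b, prev), key)
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(data: bytes, key: bytes, iv: bytes) -> bytes:
    prev, out = iv, []
    for c in _blocks(data):
        out.append(_xor(decrypt_block(c, key), prev))
        prev = c
    return b"".join(out)


def repeated_blocks(ciphertext: bytes) -> int:
    """How many ciphertext blocks duplicate an earlier block."""
    blocks = _blocks(ciphertext)
    return len(blocks) - len(set(blocks))


KEY = b"constructed-key"                 # constructed demo key
IV = bytes(range(BLOCK))                 # fixed only to keep the demo repeatable
SAMPLE = b"ACCOUNT=" * 4 + b"AMOUNT=1" + b"ACCOUNT="   # constructed record

if __name__ == "__main__":
    print("ECB duplicate blocks:", repeated_blocks(ecb_encrypt(SAMPLE, KEY)))
    print("CBC duplicate blocks:", repeated_blocks(cbc_encrypt(SAMPLE, KEY, IV)))
```

Counting duplicate blocks is also a quick check for ECB use when reviewing stored ciphertext: structured data encrypted with a chained mode should show none.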
Advanced Encryption Standard (AES)
• Subset of Rijndael
  – Developed in 1998 by two Belgian cryptographers, Joan Daemen and Vincent Rijmen
• Most widely used Symmetric Cipher today
• Block Size
  – 128 bits
• Key size
  – 128, 192, or 256 bits
• 10 rounds
• Round types
  – SubBytes, an S-box substitution step
  – ShiftRows, a permutation step
  – MixColumns, a matrix multiplication (like Hill cipher)
  – AddRoundKey, a XOR-based operation that produces a new key based on the initial one

AES S-box :-)
00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
00 63 7c 77 7b f2 6b 6f c5 30 01 67 2b fe d7 ab 76
10 ca 82 c9 7d fa 59 47 f0 ad d4 a2 af 9c a4 72 c0
20 b7 fd 93 26 36 3f f7 cc 34 a5 e5 f1 71 d8 31 15
30 04 c7 23 c3 18 96 05 9a 07 12 80 e2 eb 27 b2 75
40 09 83 2c 1a 1b 6e 5a a0 52 3b d6 b3 29 e3 2f 84
50 53 d1 00 ed 20 fc b1 5b 6a cb be 39 4a 4c 58 cf
60 d0 ef aa fb 43 4d 33 85 45 f9 02 7f 50 3c 9f a8
70 51 a3 40 8f 92 9d 38 f5 bc b6 da 21 10 ff f3 d2
80 cd 0c 13 ec 5f 97 44 17 c4 a7 7e 3d 64 5d 19 73
90 60 81 4f dc 22 2a 90 88 46 ee b8 14 de 5e 0b db
a0 e0 32 3a 0a 49 06 24 5c c2 d3 ac 62 91 95 e4 79
b0 e7 c8 37 6d 8d d5 4e a9 6c 56 f4 ea 65 7a ae 08
c0 ba 78 25 2e 1c a6 b4 c6 e8 dd 74 1f 4b bd 8b 8a
d0 70 3e b5 66 48 03 f6 0e 61 35 57 b9 86 c1 1d 9e
e0 e1 f8 98 11 69 d9 8e 94 9b 1e 87 e9 ce 55 28 df
f0 8c a1 89 0d bf e6 42 68 41 99 2d 0f b0 54 bb 16
The column is determined by the least significant 4 bits, and the row is determined by the other half (0x9a becomes 0xb8)

OpenSSL
• OpenSSL is an Open Source library for cryptographic operations
• Written in C, available in many languages
  – Java, Python, Ruby, etc.

STREAM CIPHERS

The need for randomness
• Replay attacks
  – Adding a random secret (nonce) helps against attackers that replay encrypted messages
• Session key generation
  – Session keys are cryptographic keys that have a short life
• Generation of keys for the RSA public-key encryption algorithm
  – RSA is based on selecting large prime numbers randomly
• Stream ciphers
  – Their security is entirely based on randomness

Randomness
• Uniform distribution
  – The distribution of bits in the sequence should be uniform
  – The frequency of occurrence of ones and zeros should be approximately equal
• Independence
  – No subsequence in the sequence can be inferred from the others
• Security requirement
  – Unpredictability

Random Generator Types
• True Random Number Generators (TRNGs)
• Pseudo-random Number Generators (PRNGs)
[Figure: TRNG: source of true randomness → convert to bits → random bits. PRNG: seed → algorithm → pseudo-random bits]

TRNGs
[figure not preserved]

PRNGs
r = f(seed);

Requirements
• Uniformity
  – Occurrence of a zero or one is equally likely
  – The expected number of zeros (or ones) is n/2, where n = the sequence length
• Scalability
  – Any test applicable to a sequence can also be applied to subsequences extracted at random
  – If a sequence is random, then any such extracted subsequence should also be random
• Consistency
  – The behavior of a generator must be consistent across starting values (seeds)

Tests
• Frequency test
  – Determine whether the number of ones and zeros in a sequence is approximately the same as would be expected for a truly random sequence
• Runs test
  – Determine whether the number of runs of ones and zeros of various lengths is as expected for a random sequence
• Maurer’s universal statistical test
  – Detect whether or not the sequence can be significantly compressed without loss of information
  – A significantly compressible sequence is considered to be non-random

Unpredictability
• Forward unpredictability
  – If the seed is unknown, the next output bit in the sequence should be unpredictable in spite of any knowledge of previous bits in the sequence
• Backward unpredictability
  – It should also not be feasible to determine the seed from knowledge of any generated values
  – No correlation between a seed and any value generated from that seed should be evident
  – Each element of the sequence should appear to be the outcome of an independent random event whose probability is 1/2

Seed
[Figure: source of true randomness → convert to bits → seed → algorithm → pseudo-random bits]

Cryptographic PRNGs
• Existing cryptographic algorithms
  – Stream ciphers
  – Asymmetric ciphers (RSA, compute primes)
• Hash functions
• Message Authentication Codes (MACs)

$X_{n+1} = (aX_n + c) \bmod m$
• $X_0$ is the seed (assume $X_0 = 1$)
• Selection of a, c, and m is critical
  – a = 7, c = 0, m = 32
    • 7, 17, 23, 1, 7, ...
  – a = 5
    • 5, 25, 29, 17, 21, 9, 13, 1, 5, ...
• In theory m should be very large (2^31)

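The generator above, checked against the frequency and runs tests from the "Tests" slide, as an added example that is not part of the original slides. The p-value formulas are the monobit and runs tests of NIST SP 800-22; the function names and the choice of 64 outputs at 5 bits each are assumptions of this example.

```python
from itertools import islice
from math import erfc, sqrt


def lcg(a: int, c: int, m: int, seed: int):
    """Yield X_1, X_2, ... with X_{n+1} = (a*X_n + c) mod m."""
    x = seed
    while True:
        x = (a * x + c) % m
        yield x


def period(a: int, c: int, m: int, seed: int) -> int:
    """Length of the cycle the generator ends up in."""
    seen, x, n = {}, seed, 0
    while x not in seen:
        seen[x] = n
        x = (a * x + c) % m
        n += 1
    return n - seen[x]


def to_bits(values, width: int) -> list:
    """Concatenate the values as fixed-width bit strings, MSB first."""
    return [(v >> i) & 1 for v in values for i in reversed(range(width))]


def frequency_test(bits: list) -> float:
    """Monobit test: p-value for 'ones and zeros are balanced'."""
    s = sum(1 if b else -1 for b in bits)
    return erfc(abs(s) / sqrt(2 * len(bits)))


def runs_test(bits: list) -> float:
    """Runs test: p-value for 'the number of runs is as expected'."""
    n = len(bits)
    pi = sum(bits) / n
    if abs(pi - 0.5) >= 2 / sqrt(n):     # frequency prerequisite not met
        return 0.0
    runs = 1 + sum(bits[i] != bits[i + 1] for i in range(n - 1))
    return erfc(abs(runs - 2 * n * pi * (1 - pi))
                / (2 * sqrt(2 * n) * pi * (1 - pi)))


def predict_next(previous: int, a: int, c: int, m: int) -> int:
    """With public a, c, m one output determines the next one."""
    return (a * previous + c) % m


def sample_bits(a: int = 5, c: int = 0, m: int = 32, seed: int = 1,
                count: int = 64) -> list:
    """Bits of the first `count` outputs (5 bits each for m = 32)."""
    return to_bits(islice(lcg(a, c, m, seed), count), 5)


if __name__ == "__main__":
    print("a=7:", list(islice(lcg(7, 0, 32, 1), 5)), "period", period(7, 0, 32, 1))
    print("a=5:", list(islice(lcg(5, 0, 32, 1), 9)), "period", period(5, 0, 32, 1))
    bits = sample_bits()
    print("frequency test p =", frequency_test(bits))   # balanced bits
    print("runs test p      =", runs_test(bits))        # below 0.01: rejected
    print("after 29 comes", predict_next(29, 5, 0, 32))
```

The a = 5 stream has exactly as many ones as zeros and still fails the runs test, and every output follows from the previous one; passing a single statistical test says nothing about unpredictability.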
StreamCiphers
66
⊕11001100 plaintext
01101100 key stream
10100000 ciphertext

[Figure: stream cipher. Encryption: Key/Seed → Pseudo-random Byte Generator (keystream); plaintext stream ⊕ keystream → ciphertext stream. Decryption: Key/Seed → Pseudo-random Byte Generator (keystream); ciphertext stream ⊕ keystream → plaintext stream]

RC4
• Designed by Ron Rivest in 1987
• Used today in TLS
  – TLS is the cipher suite behind HTTPS
• Used in WEP
  – Got broken
• There are concerns about the security of RC4
• Based on random permutations
• Period is believed to be greater than 10^100
• 8 to 16 machine operations are required per byte of the ciphertext

RC4 – Initialization

    /* Initialization */
    for i = 0 to 255 do
        S[i] = i;
        T[i] = K[i mod keylen];

    /* Initial Permutation of S */
    j = 0;
    for i = 0 to 255 do
        j = (j + S[i] + T[i]) mod 256;
        Swap (S[i], S[j]);

RC4 – Stream Generation

    i, j = 0;
    while (true)
        i = (i + 1) mod 256;
        j = (j + S[i]) mod 256;
        Swap (S[i], S[j]);
        t = (S[i] + S[j]) mod 256;
        k = S[t];

Encryption: XOR the next byte of plaintext with k
Decryption: XOR the next byte of ciphertext with k
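
The pseudocode from the two RC4 slides above as runnable Python (an added example, not part of the original slides). The test vectors named in the comments are widely published RC4 vectors rather than values from this deck, and `reuse_leak` with its sample messages is constructed here to show why the same key/seed must never generate the keystream for two messages.

```python
def rc4_ksa(key: bytes) -> list:
    """Initialization and initial permutation of S."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1 to 256 bytes")
    S = list(range(256))
    T = [key[i % len(key)] for i in range(256)]
    j = 0
    for i in range(256):
        j = (j + S[i] + T[i]) % 256
        S[i], S[j] = S[j], S[i]
    return S


def rc4_keystream(key: bytes):
    """Stream generation: yields one keystream byte k per step."""
    S = rc4_ksa(key)
    i = j = 0
    while True:
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) % 256]


def rc4(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt: XOR each data byte with the next keystream byte."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def reuse_leak(key: bytes, p1: bytes, p2: bytes) -> bytes:
    """XOR of two ciphertexts made with the same key.

    The keystream cancels out, so the result equals p1 XOR p2 and no longer
    depends on the key at all.
    """
    return xor_bytes(rc4(key, p1), rc4(key, p2))


if __name__ == "__main__":
    # Published vector: key "Key", plaintext "Plaintext"
    ct = rc4(b"Key", b"Plaintext")
    print(ct.hex())
    print(rc4(b"Key", ct))  # the same function decrypts

    # Constructed sample messages of equal length
    p1, p2 = b"transfer 100 EUR", b"transfer 999 USD"
    print(reuse_leak(b"Key", p1, p2) == xor_bytes(p1, p2))
```

RC4 is shown here for study only; RFC 7465 prohibits RC4 cipher suites in TLS.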

Additional Reading
On the Security of RC4 in TLS. Nadhem AlFardan, et al. In USENIX Security 2013. https://www.usenix.org/conference/usenixsecurity13/technical-sessions/paper/alFardan

Block cipher to Stream cipher
• Cipher-feedback mode (CFB)
  – C_i = E_K(C_{i-1}) ⊕ B_i
  – The encryption of a block, C_i, is the encryption of the previous block, C_{i-1}, XORed with the current plaintext block, B_i
• Reducing the block size
  – 1 byte (or less)
  – Block cipher behaves like a stream cipher
  – High overhead
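
A sketch of CFB in both sizes, added here and not part of the original slides. Python's standard library has no block cipher, so `CountingCipher` is an assumed stand-in for E_K built from truncated HMAC-SHA256 (not a real block cipher); that is enough because CFB only ever calls the encryption direction, and the call counter makes the "high overhead" of 1-byte segments visible.

```python
import hashlib
import hmac

BLOCK = 16  # bytes per block; the IV must have this length


class CountingCipher:
    """Stand-in for E_K (assumption): HMAC-SHA256 cut to one block, plus a counter."""

    def __init__(self, key: bytes):
        self.key = key
        self.calls = 0

    def encrypt_block(self, block: bytes) -> bytes:
        if len(block) != BLOCK:
            raise ValueError("input must be exactly one block")
        self.calls += 1
        return hmac.new(self.key, block, hashlib.sha256).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cfb_encrypt(E, iv: bytes, plaintext: bytes) -> bytes:
    """Full-block CFB: C_i = E_K(C_{i-1}) xor B_i, with C_0 = IV."""
    prev, out = iv, b""
    for off in range(0, len(plaintext), BLOCK):
        c = xor(E.encrypt_block(prev), plaintext[off:off + BLOCK])
        out += c
        prev = c
    return out


def cfb_decrypt(E, iv: bytes, ciphertext: bytes) -> bytes:
    """B_i = E_K(C_{i-1}) xor C_i. Decryption also calls E_K, never D_K."""
    prev, out = iv, b""
    for off in range(0, len(ciphertext), BLOCK):
        c = ciphertext[off:off + BLOCK]
        out += xor(E.encrypt_block(prev), c)
        prev = c
    return out


def cfb8(E, iv: bytes, data: bytes, decrypt: bool = False) -> bytes:
    """CFB with 1-byte segments: one full E_K call per byte of data."""
    reg, out = iv, bytearray()
    for byte in data:
        o = E.encrypt_block(reg)[0] ^ byte
        out.append(o)
        fed_back = byte if decrypt else o   # always the ciphertext byte
        reg = reg[1:] + bytes([fed_back])   # shift it into the register
    return bytes(out)


if __name__ == "__main__":
    key, iv = b"constructed key", bytes(range(BLOCK))  # constructed values
    msg = b"constructed sample plaintext" * 2
    full, byte_wise = CountingCipher(key), CountingCipher(key)
    ct = cfb_encrypt(full, iv, msg)
    ct8 = cfb8(byte_wise, iv, msg)
    print(len(msg), "bytes:", full.calls, "calls vs", byte_wise.calls, "calls")
    print(cfb_decrypt(CountingCipher(key), iv, ct) == msg,
          cfb8(CountingCipher(key), iv, ct8, decrypt=True) == msg)
```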

Cryptographic Attacks
• Ciphertext-only
  – Attacker has access to the ciphertext of one or more messages, all encrypted with the same key
• Known-plaintext
  – Attacker has access to one or more plaintext-ciphertext pairs, all encrypted with the same key
• Chosen-plaintext
  – Attacker can choose one or more plaintext messages and receive their ciphertext (either off-line or on-line)
• Chosen-ciphertext
  – Attacker can choose one or more ciphertext messages and receive their plaintext (either off-line or on-line)

ASYMMETRIC ENCRYPTION

Modular Arithmetic
(10 + 13) mod 12 = 23 mod 12 = 11 mod 12
Or, we could say: 11 and 23 are equivalent, modulo 12
Another way to write this: 10 + 13 ≡ 11 (mod 12)

Modular Arithmetic
a ≡ b (mod n) if a = b + kn, for some integer k
For the example: 23 ≡ 11 (mod 12), since 23 = 11 + 12, k = 1
Another example: 82 ≡ 2 (mod 20), since 82 = 2 + 4·20, k = 4

Modular Inverse
• The multiplicative inverse of 4 is 1/4, since 4 · 1/4 = 1
• In modular arithmetic
  4 · x ≡ 1 (mod 7), translates to 4 · x = 7 · k + 1, where both x and k are integers
• General form
  1 = (a · x) mod n
  a^-1 ≡ x (mod n)
• Not always solvable
  – The inverse of 5, modulo 14, is 3
  – 2 has no inverse modulo 14

Prime number
• An integer p > 1 is a prime number if and only if its only divisors are: 1, p (and –p)
• No other number evenly divides it
• Primes
  – 5, 7, 13, 19, 2521
• Non primes
  – 4, 8, 39, 125

Relative primes (co-primes)
• Two numbers are relative prime when they share no factors in common other than 1
• 15 and 28 are relative primes
• 15 and 27 are not relative primes
• 13 and 500 are relative primes

Euler’s Totient Function, φ(n)
• φ(n) is the number of positive integers less than n that are relative prime to n
• φ(1) is 1, by definition
• If n = pq, where p and q are primes
  – φ(n) = (p-1)(q-1)
  – Super important!

Recipe 1/3
• Suppose you want to encrypt the message: 2
  – Let’s say that A maps to 0, B maps to 1, and C maps to 2; you want to map C to another letter
• Pick two prime numbers
  – p = 2 and q = 7
• Multiply them
  – n = pq = 2·7 = 14

Recipe 2/3
• Calculate φ(n), or φ(14)
  – φ(n) = (p-1)(q-1) = (2-1)(7-1) = 6
• Pick a number that is relative prime to 6 and smaller than 6
  – e = 5
• Solve the equation x · 5 ≡ 1 (mod 6)
  – Find an integer x that, if multiplied with 5, gives the result 1 mod 6
  – x = 11, because 55 mod 6 = 1 mod 6
  – let’s call that d = 11

Recipe 3/3
• For encryption
  – 2^5 mod 14 = 32 mod 14 = 4 (so 2 becomes 4)
• For decryption
  – 4^11 mod 14 = 4194304 mod 14 = 2

What did just happen?
• We encrypted 2 to 4
• We decrypted 4 back to 2
• No substitution
• No transposition
• No single key

RSA

Properties
• 2 keys
  – Public Key (no secrecy)
  – Private Key (if stolen everything is lost)
• Easy algorithm, but hard to reverse
  – Computationally hard to infer p and q from n = pq
  – Computationally hard means solvable in non-polynomial time

RSA
• Encryption
  – C = M^e mod n
• Decryption
  – M = C^d mod n = (M^e mod n)^d = M^(ed) mod n
• Keys
  – Public Key = {e, n}
  – Private Key = {d, n}
  – ed ≡ 1 mod φ(n)

RSA Steps
• p, q, two prime numbers
  – Private
• n = pq
  – n can be public, but recall that it is hard to infer p and q by just knowing n
• e is relative prime to φ(n)
  – Public
  – Recall φ(n) = (p-1)(q-1)
• d from e, and φ(n)
  – Private
• ed ≡ 1 mod φ(n)
  – Can be computed since we know p and q

RSA example
1. Select p = 17 and q = 11
2. Then, n = pq = 17·11 = 187
3. φ(n) = (p-1)(q-1) = 16·10 = 160
4. Select e relatively prime to φ(n) = 160 and less than φ(n); e = 7
5. Determine d
   - de ≡ 1 (mod 160) and d < 160,
   - d = 23, because 23·7 = 161 = (1·160) + 1;
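
The modular inverse, totient, recipe and RSA example slides above can be checked end to end with the numbers they use. This is an added example, not part of the original slides; the function names are illustrative, and the sample message 88 for the p = 17, q = 11 key is a constructed value that does not appear in the deck.

```python
from math import gcd


def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    x0, y0, x1, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def modinv(a, n):
    """Smallest positive x with a*x ≡ 1 (mod n); raises if none exists."""
    g, x, _ = egcd(a % n, n)
    if g != 1:
        raise ValueError(f"{a} has no inverse modulo {n} (gcd is {g})")
    return x % n


def phi(n):
    """Euler's totient by direct count (only sensible for slide-sized n)."""
    return sum(1 for k in range(1, n + 1) if gcd(k, n) == 1)


def rsa_keypair(p, q, e):
    """Return ((e, n), (d, n)) with d the smallest solution of e*d ≡ 1 mod φ(n)."""
    n, totient = p * q, (p - 1) * (q - 1)
    if gcd(e, totient) != 1:
        raise ValueError("e must be relatively prime to phi(n)")
    return (e, n), (modinv(e, totient), n)


def rsa_apply(key, value):
    """C = M^e mod n with {e, n}; M = C^d mod n with {d, n}."""
    exponent, n = key
    if not 0 <= value < n:
        raise ValueError("value must be in the range [0, n)")
    return pow(value, exponent, n)


if __name__ == "__main__":
    print(modinv(4, 7), modinv(5, 14))          # 2 and 3
    try:
        modinv(2, 14)
    except ValueError as err:
        print(err)                              # 2 shares the factor 2 with 14

    # Recipe slides: p = 2, q = 7, e = 5. The slide picks d = 11; the
    # smallest solution is 5, and 11 ≡ 5 (mod 6), so both decrypt correctly.
    public, private = rsa_keypair(2, 7, 5)
    c = rsa_apply(public, 2)
    print(phi(14), private, c, rsa_apply((11, 14), c), rsa_apply(private, c))

    # RSA example slide: p = 17, q = 11, e = 7 gives d = 23.
    public, private = rsa_keypair(17, 11, 7)
    c = rsa_apply(public, 88)                   # 88 is a constructed message
    print(public, private, c, rsa_apply(private, c))
```

In the recipe the smallest d equals e, an artifact of φ(n) being only 6; with realistic primes the private exponent cannot be read off the public one.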

Computational Aspects
• RSA builds on exponents
• Intensive operation
• Side channels

CRYPTOGRAPHY AND APPLICATIONS

p (big random prime)
q (big random prime)
n = p · q; computing p and q from n requires super-polynomial time in the number of digits
Compute φ(n); φ(n) = (p-1)(q-1) only if n can be expressed as n = p · q, where p and q are primes
Select e which is relative prime to (p-1)(q-1)
Select d from d · e ≡ 1 mod (p-1)(q-1)
Private Key {e, n}
Public Key {d, n}
Both keys {e, n} and {d, n} are equivalent, any of them can be used as the private key and the other one as the public key

Recall Symmetric Ciphers
[Figure: Plain Text → Symmetric Cipher (Encryption) → Cipher Text → Symmetric Cipher (Decryption) → Plain Text]

Asymmetric Encryption Mode 1
[Figure: Plain Text → Asymmetric Cipher (Public Key) → Cipher Text → Asymmetric Cipher (Private Key) → Plain Text]

Asymmetric Encryption Mode 2
[Figure: Plain Text → Asymmetric Cipher (Private Key) → Cipher Text → Asymmetric Cipher (Public Key) → Plain Text]

RSA
[Figure: Plain Text → (plaintext)^e mod n, using e, n → Cipher Text → (ciphertext)^d mod n, using d, n → Plain Text]

Asymmetric Ciphers
• RSA
  – prime factorization
• ElGamal
  – Computing discrete logarithms
• Elliptic curves
  – More complicated, but smaller key sizes

Cryptographic Hash Functions
[Figure: message 1 (N bits) → Cryptographic Hash Function → Hash Value A (256 bits); message 2 (N bits) → Cryptographic Hash Function → Hash Value B (256 bits)]
Ideally: If message 1 and message 2 differ by one bit, then A and B differ in 50% of their bits

High-level Properties
• Complicated one-way functions
• One-way
  – Hard to compute the message by having just the hash value (or digest)
  – No cryptographic keys
  – Should not be confused with invertible functions (1-1)
• Collision
  – Find a message that cryptographically hashes to a given digest H

Requirements

| Requirement | Description |
|---|---|
| Variable input size | H can be applied to a block of data of any size |
| Fixed output size | H produces fixed-length output (called hash value or message digest) |
| Efficiency | H(x) is relatively easy to compute for any given x (in terms of both software/hardware implementations) |
| Preimage resistant (one-way property) | For any given hash value h, it is computationally infeasible to find y such that H(y) = h |
| Second preimage resistant (weak collision resistant) | For any given block x, it is computationally infeasible to find y ≠ x with H(y) = H(x) |
| Collision resistant (strong collision resistant) | It is computationally infeasible to find any pair (x, y) such that H(x) = H(y) |
| Pseudorandomness | Output of H meets standard tests for pseudorandomness |
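
Two of the properties above can be measured directly: the "50% of their bits" ideal from the hash function slide, and the gap between collision resistance and second preimage resistance. This is an added example, not part of the original slides; `short_hash` deliberately truncates SHA-256 to 16 bits (an assumption made so the searches finish instantly), and the sample messages are constructed.

```python
import hashlib


def bit_difference(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def avalanche(message: bytes) -> float:
    """Average fraction of SHA-256 output bits that change per flipped input bit."""
    base = hashlib.sha256(message).digest()
    nbits = len(message) * 8
    total = 0
    for pos in range(nbits):
        flipped = bytearray(message)
        flipped[pos // 8] ^= 1 << (pos % 8)      # flip exactly one input bit
        total += bit_difference(base, hashlib.sha256(bytes(flipped)).digest())
    return total / (nbits * 256)


def short_hash(data: bytes, nbytes: int = 2) -> bytes:
    """SHA-256 cut to nbytes: a deliberately weak H for the experiments."""
    return hashlib.sha256(data).digest()[:nbytes]


def find_collision(nbytes: int = 2):
    """Any pair x != y with H(x) == H(y). Returns (x, y, hashes computed)."""
    seen = {}
    counter = 0
    while True:
        x = str(counter).encode()
        h = short_hash(x, nbytes)
        counter += 1
        if h in seen:
            return seen[h], x, counter
        seen[h] = x


def find_second_preimage(target: bytes, nbytes: int = 2):
    """A y != target with H(y) == H(target). Returns (y, hashes computed)."""
    goal = short_hash(target, nbytes)
    counter = 0
    while True:
        y = b"candidate-" + str(counter).encode()
        counter += 1
        if y != target and short_hash(y, nbytes) == goal:
            return y, counter


if __name__ == "__main__":
    print("avalanche:", round(avalanche(b"constructed test message"), 4))
    x, y, tries = find_collision()
    print("collision after", tries, "hashes:", x, y)
    y2, tries2 = find_second_preimage(b"constructed target")
    print("second preimage after", tries2, "hashes:", y2)
```

For a 16-bit output a collision is expected after a few hundred hashes (about 2^8) and a second preimage after tens of thousands (about 2^16); at 256 bits the same gap is 2^128 versus 2^256, which is why digest length is a security parameter.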

Lifetimes of cryptographic hash functions
More: http://valerieaurora.org/hash.html
SHA256 is considered currently safe

Modern Applications
• Cipher suites
  – Transport Layer Security (TLS), encrypted sockets
• Symmetric Key distribution
• Digital Signatures
• Passwords

Symmetric Key Distribution
[Figure: Symmetric Key → (symmetric key)^d mod n, using d, n (public key) → Cipher Text → (symmetric key)^e mod n, using e, n → Symmetric Key]

The need for signatures
• Confidentiality is not always the key requirement for cryptography
• Communication between untrusted parties
  – Bob may forge a message and claim that it came from Alice
  – Bob can deny sending a message
• Example
  – An electronic funds transfer takes place, and the receiver increases the amount of funds transferred

Requirements
• The signature must be a bit pattern that depends on the message to be signed
• The signature must use some information unique to the sender, to prevent both forgery and denial
• It must be relatively easy to produce the digital signature
• It must be relatively easy to recognize and verify the digital signature
• It must be computationally infeasible to forge a digital signature, either by constructing a new message for an existing digital signature or by constructing a fraudulent digital signature for a given message
• It must be practical to retain a copy of the digital signature in storage

Digital Signing
[Figure: Document (Arbitrary Size); Cryptographic Hash Key (Fixed Size); Public-Key Cryptography (RSA) with Private Key; Message Signature; Signed Document (Arbitrary Size + signature)]

Verifying Digital Signatures
[Figure: Document (Arbitrary Size + signature); Message Signature; Public-Key Cryptography (RSA) with Public Key; Document Hash Key; Cryptographic Hash Function; Document Hash Key]

Passwords
• Services
  – Store cryptographic hashes of passwords
  – Passwords in plaintext are deleted
• Authentication
  – Services check only cryptographic hashes and not plaintext passwords
• Encrypting passwords is a bad idea
  – Attacker can leak the key
• Passwords are salted
  – Identical plaintext passwords produce different hash keys

Attacking Passwords
• Brute force
• Dictionary attacks
• Rainbow tables
  – Salt can make this extremely hard
• GPUs
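
How a service can store and check salted password hashes as the two slides above describe, written as an added example that is not part of the original slides. It substitutes PBKDF2-HMAC-SHA256 for a single hash call so that each guess is expensive, which is an assumption motivated by the GPU bullet; the iteration count, record layout, word list and function names are also assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000   # assumed work factor; tune it to the deployment hardware


def hash_password(password: str, iterations: int = ITERATIONS) -> dict:
    """Build the record a service stores instead of the plaintext password."""
    salt = os.urandom(16)                       # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify_password(password: str, record: dict) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])


def unsalted(password: str) -> str:
    """The weak alternative: one fixed, fast hash per password."""
    return hashlib.sha256(password.encode()).hexdigest()


def precomputed_table(words) -> dict:
    """A table of unsalted hashes, computed once and reusable for any database."""
    return {unsalted(w): w for w in words}


if __name__ == "__main__":
    words = ["123456", "letmein", "hunter2"]    # constructed sample word list
    table = precomputed_table(words)

    # Unsalted: two users with the same password share one hash, and the
    # precomputed table resolves it with a single lookup.
    print(unsalted("hunter2") == unsalted("hunter2"), table.get(unsalted("hunter2")))

    # Salted: the same password yields two unrelated records, and the table
    # built without the salt finds nothing.
    alice, bob = hash_password("hunter2"), hash_password("hunter2")
    print(alice["hash"] != bob["hash"], table.get(alice["hash"].hex()))
    print(verify_password("hunter2", alice), verify_password("hunter3", alice))
```

The salt is stored next to the hash and is not secret; its job is to force separate work for every record, while the iteration count sets how expensive each guess is.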

[Figure: Original File → Encrypted File with WannaCry Header. Keys: Attacker RSA Public Key (fixed), PuK; Computed RSA Public Key, Sub-PuK; Computed RSA Private Key, Sub-PrK; Computed AES Key (per file), EncK]
1. Encrypt file with EncK (per-file encryption)
2. Encrypt EncK with Sub-PuK and store it to WannaCry Header (per-host encryption)
3. Encrypt Sub-PrK with PuK and send it to attacker (attacker has a different decryption key per host)
Read more: WannaKey, https://github.com/aguinet/wannakey