Introduction to Software Security: Crypto Basics
Source: securesw.dankook.ac.kr/ISS19-1/ISS_2019_08_Crypto... (lecture slide transcript)
Seong-je Cho
Spring 2019
Computer Security & Operating Systems Lab, DKU
Introduction to Software Security
Crypto Basics (Chapter 2)
Sources / References
Textbook
M. T. Goodrich and R. Tamassia, Introduction to Computer Security, Pearson (Addison-Wesley)
Many photos in presentation licensed from google images or wikipedia
Please do not duplicate and distribute
Computer Security & OS Lab, DKU
Contents
How to speak crypto
Substitution Cipher
Transposition Cipher
One-Time Pad
Codebook Cipher
Crypto history
Taxonomy
Crypto
Cryptology: the art and science of making and breaking "secret codes"
Cryptography: making "secret codes"
Cryptosystem: a pair of algorithms that take a key and convert plaintext to ciphertext and back
Cryptanalysis: breaking "secret codes"
Crypto: all of the above (and more)
[Figure: Alice and Bob communicate; Eve eavesdrops]
How to Speak Crypto
A cipher or cryptosystem is used to encrypt the plaintext
The result of encryption is ciphertext
We decrypt ciphertext to recover plaintext
A key is used to configure a cryptosystem
A symmetric key cryptosystem uses the same key to encrypt as to decrypt
A public key cryptosystem uses a public key to encrypt and a private key to decrypt (and, for signatures, the private key to sign and the public key to verify)
Symmetric key cryptosystem
DES (Data Encryption Standard)
AES (Advanced Encryption Standard)
SEED
Public key cryptosystem
Asymmetric key cryptosystem
RSA (Rivest, Shamir, Adleman)
ECC (Elliptic Curve Cryptography)
Crypto
Basic assumption: the system is completely known to the attacker; only the key is secret
Also known as Kerckhoffs' principle: crypto algorithms are not secret (algorithms are open)
Why do we make this assumption? Experience has shown that secret algorithms are weak when exposed
Secret algorithms never remain secret
Better to find weaknesses beforehand
Crypto as Black Box
The message M is called the plaintext.
Alice converts plaintext M to an encrypted form using an encryption algorithm E that outputs a ciphertext C for M.
[Figure: symmetric key cryptosystem. The sender encrypts the plaintext with the shared secret key and sends the ciphertext over the communication channel; the recipient decrypts it with the same shared secret key; an attacker eavesdrops on the channel.]
Simple Substitution
Replace each letter with the one "three over" in the alphabet.
Plain: meet me after the toga party
Cipher: PHHW PH DIWHU WKH WRJD SDUWB
Another example
Plaintext: fourscore and seven years ago
Ciphertext: IRXUVFRUHDQGVHYHQBHDUVDJR
Shift by 3 is "Caesar's cipher"
Key:
Plaintext:  a b c d e f g h i j k l m n o p q r s t u v w x y z
Ciphertext: D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
Caesar's Cipher Decryption
Suppose we know a Caesar's cipher is being used
Ciphertext: VSRQJHEREVTXDUHSDQWU
Plaintext: spongebobsquarepants
Plaintext:  a b c d e f g h i j k l m n o p q r s t u v w x y z
Ciphertext: D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
Not-so-Simple Substitution
Shift by n for some n ∈ {0, 1, 2, ..., 25}
Then the key is n
Example: key = 7
Plaintext:  a b c d e f g h i j k l m n o p q r s t u v w x y z
Ciphertext: H I J K L M N O P Q R S T U V W X Y Z A B C D E F G
Cryptanalysis I: Try Them All
Given: a simple substitution (shift by n) is used, but the key is unknown
Given ciphertext: meqefscerhcsyeviekmvp
How to find the key?
Exhaustive key search: only 26 possible keys, so try them all!
Solution: key = 4
Plaintext: IAMABOYANDYOUAREAGIRL
Brute-force cryptanalysis of the Caesar cipher
[Figure: the ciphertext decrypted under all 26 possible shifts]
Even-less-Simple Substitution
Key is some permutation of the letters
Need not be a shift (just a one-to-one mapping)
For example:
Plaintext:  a b c d e f g h i j k l m n o p q r s t u v w x y z
Ciphertext: J I C A X S E Y V D K W B Q T Z R H F M P N U L G O
Then 26! > 2^88 possible keys!
Dominated the art of secret writing throughout the first millennium
Cryptanalysis II: Be Clever
We know that a simple substitution is used
But not necessarily a shift by n
Can we find the key given ciphertext:
PBFPVYFBQXZTYFPBFEQJHDXXQVAPTPQJKTOYQWIPBVWLXTOXBTFXQWAXBVCXQWAXFQJVWLEQNTOZQGGQLFXQWAKVWLXQWAEBIPBFXFQVXGTVJVWLBTPQWAEBFPBFHCVLXBQUFEVWLXGDPEQVPQGVPPBFTIXPFHXZHVFAGFOTHFEFBQUFTDHZBQPOTHXTYFTODXQHFTDPTOGHFQPBQWAQJJTODXQHFOQPWTBDHHIXQVAPBFZQHCFWPFHPBFIPBQWKFABVYYDZBOTHPBQPQJTQOTOGHFQAPBFEQJHDXXQVAVXEBQPEFZBVFOJIWFFACFCCFHQWAUVWFLQHGFXVAFXQHFUFHILTTAVWAFFAWTEVOITDHFHFQAITIXPFHXAFQHEFZQWGFLVWPTOFFA
Cryptanalysis II
Can't try all 2^88 simple substitution keys
Can we be more clever?
English letter frequency counts...
[Figure: bar chart of English letter frequencies, A to Z, relative frequency from 0.00 to 0.14]
Cryptanalysis II
Ciphertext: (the message above)
Decrypt this message using the info below
Ciphertext frequency counts:
A  B  C  D  E  F  G  H  I  J  K  L  M  N  O  P  Q  R  S  T  U  V  W  X  Y  Z
21 26  6 10 12 51 10 25 10  9  3 10  0  1 15 28 42  0  0 27  4 24 22 28  6  8
Frequency analysis history
Discovered by the Arabs: the earliest known description of frequency analysis is in a book by the 9th-century scientist al-Kindi
Rediscovered, or introduced from the Arabs, in Europe during the Renaissance
Frequency analysis made the substitution cipher insecure
Frequency Statistics of Language
In addition to the frequencies of single letters, the frequencies of two-letter (digram) and three-letter (trigram) combinations can be used in cryptanalysis
Most frequent digrams: TH, HE, IN, ER, RE, AN, ON, EN, AT
Most frequent trigrams: THE, ING, AND, HER, ERE, ENT, THA, NTH, WAS, ETH, FOR, DTH
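The frequency analysis of Cryptanalysis II, carried out on the slide's ciphertext, as an added example (not code from the original slides). It assumes the standard English letter-frequency order ETAOIN... as the reference; the ciphertext is the slide's own message, and the solved key is the one the crib rounds converge to.

```python
from collections import Counter

# The slide's ciphertext, split over several lines.
CIPHERTEXT = (
    "PBFPVYFBQXZTYFPBFEQJHDXXQVAPTPQJKTOYQWIPBVWLXTOXBTFXQWAXBVCXQWAXFQJVWLEQN"
    "TOZQGGQLFXQWAKVWLXQWAEBIPBFXFQVXGTVJVWLBTPQWAEBFPBFHCVLXBQUFEVWLXGDPEQVPQGVP"
    "PBFTIXPFHXZHVFAGFOTHFEFBQUFTDHZBQPOTHXTYFTODXQHFTDPTOGHFQPBQWAQJJTODXQHFOQP"
    "WTBDHHIXQVAPBFZQHCFWPFHPBFIPBQWKFABVYYDZBOTHPBQPQJTQOTOGHFQAPBFEQJHDXXQVAVX"
    "EBQPEFZBVFOJIWFFACFCCFHQWAUVWFLQHGFXVAFXQHFUFHILTTAVWAFFAWTEVOITDHFHFQAITIXPFHXAFQHEFZQWGFLVWPTOFFA"
)

# English letters in decreasing order of frequency (assumed reference order).
ENGLISH_ORDER = "ETAOINSHRDLCUMWFGYPBVKJXQZ"


def letter_counts(ct):
    """Single-letter counts, the table the slide gives (A 21, B 26, ..., F 51, ...)."""
    return Counter(c for c in ct.upper() if c.isalpha())


def ngram_counts(ct, n):
    """Counts of overlapping n-letter windows: digrams for n=2, trigrams for n=3."""
    ct = "".join(c for c in ct.upper() if c.isalpha())
    return Counter(ct[i:i + n] for i in range(len(ct) - n + 1))


def frequency_guess(ct):
    """First-cut key: pair ciphertext letters with English letters in frequency order.
    Only the top pair is reliable here (F -> e is right, Q is guessed as t but is really a)."""
    ranked = [c for c, _ in letter_counts(ct).most_common()]
    return dict(zip(ranked, ENGLISH_ORDER.lower()))


def crib(cipher_letters, plain_letters):
    """Key fragment from the guess that one ciphertext string is a given plaintext string
    (e.g. the most common trigram PBF is THE)."""
    return dict(zip(cipher_letters.upper(), plain_letters.lower()))


def apply_key(ct, key):
    """Decrypt with a (partial) key; unknown letters print as '_' so new cribs stand out."""
    return "".join(key.get(c, "_") for c in ct.upper())


# The key the crib rounds converge to (PBF=the, QWA=and, XQVA=said, ... ); only 23 of the
# 26 ciphertext letters occur, so M, R and S of the cipher alphabet stay unknown.
SOLVED_KEY = crib("PBFVYQXZTEJHDAKOWILCNGU", "theimascowlrudkfnygpxbv")

if __name__ == "__main__":
    print(letter_counts(CIPHERTEXT).most_common(6))
    print(ngram_counts(CIPHERTEXT, 2).most_common(5), ngram_counts(CIPHERTEXT, 3).most_common(5))
    print(apply_key(CIPHERTEXT, frequency_guess(CIPHERTEXT))[:40])   # mostly wrong past 'e'
    print(apply_key(CIPHERTEXT, crib("PBF", "the"))[:40])            # the t__e ha_ _o_e the ...
    print(apply_key(CIPHERTEXT, SOLVED_KEY))
```

The pure frequency-order guess is only a starting point: after the top one or two letters the ranks of English letters are too close together for a 400-letter sample, so the practical loop is letter counts, then digram and trigram cribs (THE, AND), then reading the partially decrypted text for words.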
Cryptography
Monoalphabetic Substitution Ciphers
A further generalization of the Caesar cipher (Plain: ABCDEFGHIJKLMNOPQRSTUVWXYZ, Cipher: DEFGHIJKLMNOPQRSTUVWXYZABC) is obtained by allowing any permutation of the 26 characters as the cipher alphabet
Key size = 26 letters; key space = 26! ≈ 4 x 10^26
A unique mapping of the plaintext alphabet to the ciphertext alphabet: monoalphabetic
For a long time thought secure, but easily breakable by a frequency analysis attack
Vigenere Cipher
A method of encrypting alphabetic text by using a series of different Caesar ciphers based on the letters of a keyword
Choose a key word
Repeat the key word to match the character count of the plaintext
Assign a key word character to each plaintext character
Replace each plaintext letter with the shifted letter from the row of the Vigenere table selected by its key character
Polyalphabetic System with Vigenere Table
[Figure: Vigenere table; the same plaintext letter i is encrypted differently under different key letters (1st i → Z, 2nd i → T)]
Vigenère cipher
• Best-known polyalphabetic cipher
• Each key letter determines one of 26 Caesar (shift) ciphers
• c_i = E(p_i) = (p_i + k_(i mod m)) mod 26, where m is the keyword length
• Example:
  Key:        deceptivedeceptivedeceptive
  Plaintext:  wearediscoveredsaveyourself
  Ciphertext: ZICVTWQNGRZGVTWAVZHCQYGLMGJ
• The keyword is repeated to make a key as long as the plaintext
• Given a sufficient amount of ciphertext, common plaintext sequences that happen to fall at the same key position are encrypted identically, so repeated ciphertext sequences expose the period (keyword length): the target of the cryptanalysis
Vigenère cipher
If the keyword length is N, then the Vigenère cipher, in effect, consists of N monoalphabetic substitution ciphers
An improvement over the Playfair cipher, but language structure and frequency information still remain
Vigenère autokey system: after the keyword is exhausted, use the plaintext itself as the running key (to eliminate the periodic nature)
Key and plaintext then share the same frequency distribution of letters, so a statistical technique can still be used for cryptanalysis (e.g., e enciphered with e would occur with frequency (0.1275)^2 ≈ 0.0163, t enciphered with t with frequency (0.0925)^2 ≈ 0.0086, etc.)
  Key:        deceptivewearediscoveredsav
  Plaintext:  wearediscoveredsaveyourself
  Ciphertext: ZICVTWQNGKZEIIGASXSTSLVVWLA
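The exhaustive shift search of Cryptanalysis I and the Vigenère period and key recovery described above, as an added example (not code from the original slides). It assumes a reference table of English letter frequencies, and it uses a public-domain passage (Lincoln's Gettysburg Address) as constructed sample plaintext, because the 27-letter slide example is too short for the statistics to settle; for period 1 the Vigenère solver is exactly the Caesar brute force.

```python
from collections import Counter

ALPHA = "abcdefghijklmnopqrstuvwxyz"

# Relative frequency (percent) of a..z in English text; assumed reference table.
ENGLISH_FREQ = [8.17, 1.49, 2.78, 4.25, 12.70, 2.23, 2.02, 6.09, 6.97, 0.15, 0.77, 4.03, 2.41,
                6.75, 7.51, 1.93, 0.10, 5.99, 6.33, 9.06, 2.76, 0.98, 2.36, 0.15, 1.97, 0.07]


def letters_only(text):
    """Drop spaces and punctuation and lower-case: the ciphers here act on a..z only."""
    return "".join(c for c in text.lower() if c in ALPHA)


def shift_text(text, k):
    """Shift every letter by k positions (k=3 is Caesar's cipher, k=-3 undoes it)."""
    return "".join(ALPHA[(ALPHA.index(c) + k) % 26] for c in letters_only(text))


def chi_squared(text):
    """Distance of the letter counts of text from English counts; smaller is more English-like."""
    text = letters_only(text)
    n, counts = len(text), Counter(text)
    return sum((counts[c] - n * f / 100) ** 2 / (n * f / 100) for c, f in zip(ALPHA, ENGLISH_FREQ))


def caesar_candidates(ciphertext):
    """Cryptanalysis I: try all 26 keys. Returns (key, plaintext) pairs, most English-like
    first. On ~20-letter inputs the ranking can be wrong, so a human still reads the list."""
    cands = [(k, shift_text(ciphertext, -k)) for k in range(26)]
    return sorted(cands, key=lambda kp: chi_squared(kp[1]))


def vigenere(text, key, decrypt=False, autokey=False):
    """c_i = (p_i + k_(i mod m)) mod 26 with the keyword repeated. With autokey=True the key
    stream is the keyword followed by the plaintext itself, so there is no period to find.
    Ciphertext is returned in upper case and plaintext in lower case, as on the slides."""
    text, key = letters_only(text), letters_only(key)
    stream, out = list(key), []
    for i, c in enumerate(text):
        k = ALPHA.index(stream[i] if autokey else key[i % len(key)])
        p = ALPHA[(ALPHA.index(c) - k) % 26] if decrypt else c   # plaintext letter at i
        out.append(p if decrypt else ALPHA[(ALPHA.index(c) + k) % 26])
        stream.append(p)                                           # extends the autokey stream
    return "".join(out) if decrypt else "".join(out).upper()


def index_of_coincidence(text):
    """Probability that two letters drawn from text coincide: ~0.066 for English, ~0.038 for uniform."""
    n = len(text)
    return sum(v * (v - 1) for v in Counter(text).values()) / (n * (n - 1)) if n > 1 else 0.0


def guess_period(ciphertext, max_period=12):
    """Split into columns text[i::L]; at the true period every column is one Caesar shift of
    English, so the average IoC jumps. Multiples of the period score high as well, so keep
    max_period below twice the key length you expect."""
    ct = letters_only(ciphertext)
    score = {L: sum(index_of_coincidence(ct[i::L]) for i in range(L)) / L
             for L in range(1, max_period + 1)}
    return max(score, key=score.get)


def recover_key(ciphertext, period):
    """Each column is a Caesar cipher: solve it with the shift search above."""
    ct = letters_only(ciphertext)
    return "".join(ALPHA[caesar_candidates(ct[i::period])[0][0]] for i in range(period))


# Constructed sample plaintext: a public-domain passage (Lincoln's Gettysburg Address).
SAMPLE_TEXT = (
    "Four score and seven years ago our fathers brought forth on this continent a new nation "
    "conceived in liberty and dedicated to the proposition that all men are created equal "
    "Now we are engaged in a great civil war testing whether that nation or any nation so "
    "conceived and so dedicated can long endure We are met on a great battlefield of that war "
    "We have come to dedicate a portion of that field as a final resting place for those who "
    "here gave their lives that that nation might live It is altogether fitting and proper that "
    "we should do this But in a larger sense we can not dedicate we can not consecrate we can "
    "not hallow this ground The brave men living and dead who struggled here have consecrated "
    "it far above our poor power to add or detract The world will little note nor long remember "
    "what we say here but it can never forget what they did here It is for us the living rather "
    "to be dedicated here to the unfinished work which they who fought here have thus far so "
    "nobly advanced It is rather for us to be here dedicated to the great task remaining before "
    "us that from these honored dead we take increased devotion to that cause for which they "
    "gave the last full measure of devotion that we here highly resolve that these dead shall "
    "not have died in vain that this nation under God shall have a new birth of freedom and "
    "that government of the people by the people for the people shall not perish from the earth"
)

if __name__ == "__main__":
    print(caesar_candidates("meqefscerhcsyeviekmvp")[:3])
    ct = vigenere(SAMPLE_TEXT, "deceptive")
    period = guess_period(ct)
    print("period", period, "key", recover_key(ct, period))
```

The autokey variant defeats the period search (there is no repetition to find) but not the statistical attack the slide describes: plaintext letters now key plaintext letters, and the product of two English distributions is still far from uniform.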
Substitution Boxes
The Vigenère cipher can be visualized using a two-dimensional table: the key letter selects a row, the plaintext letter a column, and the entry is the ciphertext letter
The same idea generalizes to substituting pairs of letters:
● the 1st letter in a pair specifies a row
● the 2nd letter in a pair specifies a column
● each entry is the unique two-letter substitution to use for the pair
This kind of substitution can also be done on binary numbers.
Such substitutions are usually described by substitution boxes, or S-boxes.
Transposition Cipher
A method of encryption by which the positions held by units of plaintext (commonly characters or groups of characters) are shifted according to a regular system, so that the ciphertext is a permutation of the plaintext.
Hides the message by rearranging the letter order without altering the actual letters used
Rail Fence Cipher
● Write the message in a zigzag over two or more rows ("rails"), and read off the ciphertext row by row
● Example (two rails): meet me after the toga party
  M e m a t r h t g p r y
   e t e f e t e o a a t
  Ciphertext: MEMATRHTGPRYETEFETEOAAT
● Example (three rails): 'WE ARE DISCOVERED. FLEE AT ONCE'
  W . . . E . . . C . . . R . . . L . . . T . . . E
  . E . R . D . S . O . E . E . F . E . A . O . C .
  . . A . . . I . . . V . . . D . . . E . . . N . .
  Ciphertext: WECRL TEERD SOEEF EAOCA IVDEN
Transposition (Permutation) Techniques
Columnar Transposition Ciphers
● The message is written into a rectangle row by row, but read off column by column; the order in which the columns are read off is the key
● Example 1:
  Key:        4 3 1 2 5 6 7
  Plaintext:  a t t a c k p
              o s t p o n e
              d u n t i l t
              w o a m x y z
  Ciphertext: TTNA APTM TSUO AODW COIX KNLY PETZ
● Example 2 (grid not reproduced): ciphertext is EATI TNIH MEXN ETMG MEDT
Generalization: multiple transpositions
Double Transposition
Plaintext: attackxatxdawn (padded with a final x to fill a 5-row by 3-column matrix)
Permute rows and columns
Ciphertext: xtawxnattxadakc
Key: matrix size (5 x 3) and the permutations (3,5,1,4,2) of the rows and (1,3,2) of the columns
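The three transpositions above (rail fence, columnar, double transposition) with their decryption, as an added example that is not code from the original slides. The key conventions are assumptions chosen to match the slides: the columnar key gives the 1-based read-out rank of each column, and the double-transposition key is a 1-based row permutation plus a 1-based column permutation applied to a matrix filled row by row.

```python
def letters(text):
    """Transpositions permute letters only; drop spaces and punctuation first."""
    return "".join(c for c in text if c.isalpha())


def zigzag(n, rails):
    """Row index of each of n letters written in a zigzag over `rails` rows."""
    rows, r, step = [], 0, 1
    for _ in range(n):
        rows.append(r)
        if rails > 1:
            step = 1 if r == 0 else -1 if r == rails - 1 else step
            r += step
    return rows


def rail_fence_encrypt(text, rails):
    text = letters(text)
    pattern = zigzag(len(text), rails)
    return "".join(c for k in range(rails) for c, r in zip(text, pattern) if r == k)


def rail_fence_decrypt(cipher, rails):
    pattern = zigzag(len(cipher), rails)
    it, rows = iter(cipher), {}
    for k in range(rails):   # ciphertext holds rail 0's letters, then rail 1's, and so on
        rows[k] = iter([next(it) for _ in range(pattern.count(k))])
    return "".join(next(rows[r]) for r in pattern)


def columnar_encrypt(text, key):
    """Write row by row into len(key) columns; key[j] is the 1-based rank of column j
    in the read-out order (slide: 4 3 1 2 5 6 7 reads column 3 first)."""
    text = letters(text)
    order = sorted(range(len(key)), key=lambda j: key[j])
    return "".join(text[j::len(key)] for j in order)


def columnar_decrypt(cipher, key):
    n, ncols = len(cipher), len(key)
    order = sorted(range(ncols), key=lambda j: key[j])
    length = [len(range(j, n, ncols)) for j in range(ncols)]   # last row may be short
    cols, pos = [""] * ncols, 0
    for j in order:
        cols[j], pos = cipher[pos:pos + length[j]], pos + length[j]
    return "".join(cols[j][i] for i in range(max(length)) for j in range(ncols) if i < length[j])


def invert(perm):
    inv = [0] * len(perm)
    for i, p in enumerate(perm):
        inv[p] = i
    return inv


def double_transposition(text, nrows, ncols, row_perm, col_perm, decrypt=False):
    """Fill an nrows x ncols matrix row by row, reorder rows then columns by the 1-based
    permutations, read out row by row. Decryption applies the inverse permutations."""
    if len(text) != nrows * ncols:
        raise ValueError("pad the text to fill the matrix exactly")
    rp = [p - 1 for p in row_perm]
    cp = [p - 1 for p in col_perm]
    if decrypt:
        rp, cp = invert(rp), invert(cp)
    m = [list(text[r * ncols:(r + 1) * ncols]) for r in range(nrows)]
    m = [m[rp[r]] for r in range(nrows)]
    m = [[row[cp[c]] for c in range(ncols)] for row in m]
    return "".join("".join(row) for row in m)


if __name__ == "__main__":
    print(rail_fence_encrypt("meet me after the toga party", 2))
    print(rail_fence_encrypt("WE ARE DISCOVERED. FLEE AT ONCE", 3))
    print(columnar_encrypt("attackpostponeduntiltwoamxyz", [4, 3, 1, 2, 5, 6, 7]))
    print(double_transposition("attackxatxdawnx", 5, 3, (3, 5, 1, 4, 2), (1, 3, 2)))
```

Transposition leaves the letter counts of the plaintext untouched, which is how it is recognised: a ciphertext whose single-letter frequencies already look like English but whose digrams do not is a transposition, and the matrix dimensions are then tried from the divisors of the length.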
The Hill Cipher
Use of linear algebra
To encrypt a message, each block of n letters (considered as an n-component vector) is multiplied by an invertible n x n matrix, again modulo 26.
● The matrix used for encryption is the cipher key
● The key (GYBNQKURP in letters, A = 0) → rows (6 24 1), (13 16 10), (20 17 15)
To decrypt the message, each block is multiplied by the inverse of the matrix used for encryption.
● The inverse of the key matrix (IFKVIVVMI in letters) → rows (8 5 10), (21 8 21), (21 12 8)
Source: http://en.wikipedia.org/wiki/Hill_cipher
The Hill Cipher
Key: GYBNQKURP in letters
Plaintext: ACT (A:0, C:2, T:19), or plaintext: CAT
Ciphertext of 'ACT' is 'POH'; ciphertext of 'CAT' is 'FIN'
Decryption: multiply each ciphertext block by the inverse key matrix (IFKVIVVMI)
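The Hill cipher with the slide's key, plus the inverse-matrix computation and the known-plaintext attack that its linearity invites, as an added example (not code from the original slides). The three known blocks used for the attack (ACT, DOG, ABC) are a constructed choice whose plaintext matrix happens to be invertible mod 26.

```python
ALPHA = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
MOD = 26


def to_matrix(letters, n):
    """Read n*n letters row by row into an n x n matrix with A=0 ... Z=25 (GYBNQKURP -> [[6,24,1],...])."""
    nums = [ALPHA.index(c) for c in letters.upper()]
    return [nums[i * n:(i + 1) * n] for i in range(n)]


def to_letters(m):
    return "".join(ALPHA[x % MOD] for row in m for x in row)


def minor(m, i, j):
    return [row[:j] + row[j + 1:] for k, row in enumerate(m) if k != i]


def det(m):
    """Laplace expansion along the first row; fine for the small n Hill ciphers use."""
    if len(m) == 1:
        return m[0][0]
    return sum((-1) ** j * m[0][j] * det(minor(m, 0, j)) for j in range(len(m)))


def inverse_mod26(m):
    """Adjugate method: inv = det^-1 * adj (mod 26). Plain Gaussian elimination mod 26 is not
    safe because 26 is composite (this key's first column is all even, yet the key is invertible)."""
    n = len(m)
    d = det(m) % MOD
    try:
        d_inv = pow(d, -1, MOD)   # Python 3.8+; raises ValueError when gcd(d, 26) != 1
    except ValueError:
        raise ValueError(f"det = {d} (mod 26) has no inverse: not a valid Hill key")
    adj = [[(-1) ** (i + j) * det(minor(m, j, i)) for j in range(n)] for i in range(n)]
    return [[(d_inv * adj[i][j]) % MOD for j in range(n)] for i in range(n)]


def matmul(a, b):
    return [[sum(a[i][k] * b[k][j] for k in range(len(b))) % MOD for j in range(len(b[0]))]
            for i in range(len(a))]


def hill(text, key):
    """Encrypt block by block, c = K * p (mod 26); pass the inverse key to decrypt."""
    n = len(key)
    text = text.upper()
    if len(text) % n:
        raise ValueError("pad the text to a multiple of the block size first")
    out = []
    for b in range(0, len(text), n):
        col = [[ALPHA.index(c)] for c in text[b:b + n]]
        out.extend(ALPHA[row[0]] for row in matmul(key, col))
    return "".join(out)


def recover_key(pairs):
    """Known-plaintext attack: the cipher is linear, so with n independent (plain, cipher)
    blocks as the columns of P and C we have C = K P and therefore K = C P^-1 (mod 26)."""
    n = len(pairs[0][0])
    P = [[ALPHA.index(p[i]) for p, _ in pairs] for i in range(n)]
    C = [[ALPHA.index(c[i]) for _, c in pairs] for i in range(n)]
    return matmul(C, inverse_mod26(P))


KEY = to_matrix("GYBNQKURP", 3)   # the slide's key
KEY_INV = inverse_mod26(KEY)      # reads IFKVIVVMI, as on the slide

if __name__ == "__main__":
    print(hill("ACT", KEY), hill("CAT", KEY), to_letters(KEY_INV))
    known = [(p, hill(p, KEY)) for p in ("ACT", "DOG", "ABC")]   # constructed known blocks
    print(to_letters(recover_key(known)))                          # GYBNQKURP
```

Three known blocks recover a 3 x 3 key outright; that is the practical lesson of the Hill cipher (and of any purely linear cipher), and the reason modern block ciphers put nonlinear S-boxes between their linear mixing layers.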
One-time Pad Encryption
Assume that the (right) key was given to Alice
e=000 h=001 i=010 k=011 l=100 r=101 s=110 t=111
Encryption: Plaintext ⊕ Key = Ciphertext
P:  h   e   i   l   h   i   t   l   e   r
    001 000 010 100 001 010 111 100 000 101
K:  111 101 110 101 111 100 000 101 110 000
C:  110 101 100 001 110 110 111 001 110 101
    s   r   l   h   s   s   t   h   s   r
One-time Pad Decryption
Assume that the (right) key was given to Bob
e=000 h=001 i=010 k=011 l=100 r=101 s=110 t=111
Decryption: Ciphertext ⊕ Key = Plaintext
C:  s   r   l   h   s   s   t   h   s   r
    110 101 100 001 110 110 111 001 110 101
K:  111 101 110 101 111 100 000 101 110 000
P:  001 000 010 100 001 010 111 100 000 101
    h   e   i   l   h   i   t   l   e   r
One-time Pad (1st threat scenario)
A double agent, Charlie, claims that the key was 101 111 000 ... (a wrong key).
Decrypting with it, Bob gets a different but plausible message and cannot tell which one is genuine without contacting Alice.
Double agent claims the sender used this "key":
e=000 h=001 i=010 k=011 l=100 r=101 s=110 t=111
C:  s   r   l   h   s   s   t   h   s   r
    110 101 100 001 110 110 111 001 110 101
K:  101 111 000 101 111 100 000 101 110 000
P:  011 010 100 100 001 010 111 100 000 101
    k   i   l   l   h   i   t   l   e   r
One-time Pad (2nd threat scenario)
Assume that Alice is captured, but she is a double agent and tells the adversary a (wrong) key.
The adversary does not know this, decrypts to a harmless message, and may release her.
Sender (Alice) is captured and claims the key is:
C:  s   r   l   h   s   s   t   h   s   r
    110 101 100 001 110 110 111 001 110 101
K:  111 101 000 011 101 110 001 011 101 101
P:  001 000 100 010 011 000 110 010 011 000
    h   e   l   i   k   e   s   i   k   e
e=000 h=001 i=010 k=011 l=100 r=101 s=110 t=111
One-time Pad Summary
Provably secure when used correctly: the ciphertext provides no information about the plaintext
All plaintexts are equally likely
Pad must be random and used only once
Pad is known only to sender and receiver
Pad is the same size as the message
No assurance of message integrity
Why not distribute the message (plaintext) the same way as the pad (key)?
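The one-time pad slides worked in code, as an added example that is not from the original slides: encryption and decryption with the slide's 3-bit alphabet and key, the key forging behind both threat scenarios ("all plaintexts are equally likely"), the malleability behind "no assurance of message integrity", and the leak behind "used only once". The functions and the fresh-pad generator are this example's own; a real pad would work on bytes in exactly the same way.

```python
import secrets

# The slide's 3-bit code for the eight letters it uses.
CODE = {"e": 0b000, "h": 0b001, "i": 0b010, "k": 0b011, "l": 0b100, "r": 0b101, "s": 0b110, "t": 0b111}
DECODE = {v: k for k, v in CODE.items()}


def encode(text):
    return [CODE[c] for c in text]


def decode(symbols):
    return "".join(DECODE[s] for s in symbols)


def parse_key(bits):
    """'111 101 110 ...' (slide notation) -> [7, 5, 6, ...]."""
    return [int(b, 2) for b in bits.split()]


def fmt(symbols):
    return " ".join(f"{s:03b}" for s in symbols)


def xor(a, b):
    if len(a) != len(b):
        raise ValueError("the pad must be exactly as long as the message")
    return [x ^ y for x, y in zip(a, b)]


def make_pad(n):
    """A fresh pad: one uniformly random 3-bit symbol per letter from the OS CSPRNG.
    A seeded PRNG such as random.getrandbits would be predictable and is not a pad."""
    return [secrets.randbelow(8) for _ in range(n)]


def otp_encrypt(plaintext, pad):
    return decode(xor(encode(plaintext), pad))   # ciphertext stays in the same alphabet


def otp_decrypt(ciphertext, pad):
    return decode(xor(encode(ciphertext), pad))


def forge_key(ciphertext, claimed_plaintext):
    """Both threat scenarios: for any same-length plaintext P' there is a pad K' = C xor P'
    under which the ciphertext 'decrypts' to P', so the ciphertext alone proves nothing."""
    return xor(encode(ciphertext), encode(claimed_plaintext))


def malleate(ciphertext, known_plaintext, wanted_plaintext):
    """No integrity: without the pad, flipping the bits where P and P' differ turns the
    ciphertext of P into a valid ciphertext of P' under the same pad (C' = C xor P xor P')."""
    delta = xor(encode(known_plaintext), encode(wanted_plaintext))
    return decode(xor(encode(ciphertext), delta))


def pad_reuse_leak(ciphertext1, ciphertext2):
    """Why 'used only once': C1 xor C2 = P1 xor P2; the pad cancels and an attacker can
    separate the two plaintexts by guessing words in either one."""
    return xor(encode(ciphertext1), encode(ciphertext2))


if __name__ == "__main__":
    pad = parse_key("111 101 110 101 111 100 000 101 110 000")   # the slide's key
    c = otp_encrypt("heilhitler", pad)
    print(c, otp_decrypt(c, pad))                                  # srlhssthsr heilhitler
    print(fmt(forge_key(c, "killhitler")))                         # the double agent's claimed key
    print(otp_decrypt(malleate(c, "heilhitler", "killhitler"), pad))
    fresh = make_pad(10)
    print(fmt(pad_reuse_leak(otp_encrypt("heilhitler", fresh), otp_encrypt("killhitler", fresh))))
```

The forged keys come out exactly as the two slides show: deniability is the flip side of perfect secrecy, and the same XOR that gives it also lets anyone who can guess the plaintext rewrite it, which is why a pad (or any stream cipher) needs a separate integrity check.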
Codebook
Literally, a book filled with "codewords"
The Zimmermann Telegram was encrypted via a codebook, e.g.:
  Februar        13605
  fest           13732
  finanzielle    13850
  folgender      13918
  Frieden        17142
  Friedenschluss 17149
  :              :
Modern block ciphers are codebooks!
Early 20th Century
WWI: Zimmermann Telegram
"Gentlemen do not read each other's mail" (Henry L. Stimson, Secretary of State, 1929)
WWII: golden age of cryptanalysis
Japanese Purple (codename MAGIC)
German Enigma (codename ULTRA)
Enigma Machine
• Electromechanical encryption machine used by the Germans in WWII
• Plug board: allowed pairs of letters to be swapped before the encryption process started and after it ended
• Light board
• Keyboard
• Set of rotors: the user selects three rotors from a larger set to be used in the machine; each rotor contains a one-to-one mapping of all the letters
• Reflector (half rotor)
Post-WWII History
Claude Shannon: father of the science of information theory
Computer revolution: lots of data
Data Encryption Standard (DES), 1970s
Public key cryptography, 1970s
CRYPTO conferences, 1980s
Advanced Encryption Standard (AES), 1990s
Crypto moved out of the classified world (crypto, previously hidden, came out into the open)
Claude Shannon
The founder of information theory; 1949 paper: "Communication Theory of Secrecy Systems"
http://netlab.cs.ucla.edu/wiki/files/shannon1949.pdf
Confusion and diffusion
Confusion: obscure the relationship between plaintext and ciphertext, i.e., make the relationship between the ciphertext and the key as complex and involved as possible
  One aim is to make it very hard to find the key even if one has a large number of plaintext-ciphertext pairs produced with the same key
  E.g., simple substitution cipher
Diffusion: spread plaintext statistics through the ciphertext; a change of one character in the plaintext results in several characters changed in the ciphertext
The one-time pad only uses confusion, while double transposition only uses diffusion
Shannon proved that the one-time pad is secure
Taxonomy of Cryptography
Symmetric Key: same key for encryption as for decryption
  Stream ciphers
  Block ciphers
Public Key: two keys, one for encryption (public) and one for decryption (private)
  Digital signatures: nothing comparable in symmetric key crypto
Hash algorithms
Taxonomy of Cryptography
[Figure: taxonomy of modern cryptography]
Modern cryptography
  Symmetric key ciphers
    Stream ciphers: RC4, LFSR
    Block ciphers: AES, SEED
  Public key ciphers
    Based on the discrete logarithm problem: DH, DSA
    Based on integer factorization: RSA
  Hash functions: SHA1, HAS-160