Lecture 13 Secure Multimedia Coding (I) - uni-konstanz.de
Shujun LI (李树钧): INF-10845-20091 Multimedia Coding
Lecture 13: Secure Multimedia Coding (I)
July 15, 2009
Outline
Coding for Security: Cryptology
• Fundamentals
• Symmetric/Private-Key Ciphers
• Cryptographic Hash Functions
• Asymmetric/Public-Key Ciphers
Fundamentals
Cryptology
Cryptology = Cryptography + Cryptanalysis
Cryptography = The art of designing cryptosystems
Cryptanalysis = The art of analyzing (often breaking) cryptosystems
Cryptosystems = Ciphers + Cryptographic hash functions + Digital signatures + Security protocols + …
Cryptography ≈ Cryptology, Cryptosystems ≈ Ciphers (in many scenarios)
Models of evaluating security
Unconditional security
Complexity-theoretical security
Provable security
Computable/Practical security
• The minimal computational effort (time and space) an attacker needs to break a cryptosystem
• Often related to mathematically hard problems
Ciphers
Cipher = Encipher + Decipher
• An encipher encodes/encrypts a message P (called plaintext) into another message C (called ciphertext), under the control of an encryption key KE.
• A decipher decodes/decrypts a ciphertext C back into a plaintext P’ (in most cases P’=P), under the control of a decryption key KD.
[Figure: Plaintext P → Encipher (Encryption Key KE) → Ciphertext C → Decipher (Decryption Key KD) → Recovered Plaintext P’]
Kerckhoffs’ principle (1883)
Kerckhoffs’ principle/assumption/law/axiom
• A cipher should be secure even if everything about the cryptosystem, except the key, is public knowledge. ⇐ Spies, reverse engineering, …
• = The security of a cipher should depend only on the key, but not on the secrecy of any other part of the system.
• = Shannon’s maxim: “The enemy knows the system.”
Cryptanalysis of ciphers
Ciphertext-only attack
• The attacker can see C only: C ⇒ P and/or KD and/or KE?
Known-plaintext attack
• The attacker can see/guess P and C: (P,C) ⇒ KD and/or KE?
Chosen-plaintext attack
• The attacker has temporary access to the encipher, so that he can choose P and see C: (P,C) ⇒ KE and perhaps then KD?
Chosen-ciphertext attack
• The attacker has temporary access to the decipher, so that he can choose C and see P’: (P’,C) ⇒ KD and perhaps then KE?
Related-key attack
• The attacker can see the encryption results of several related keys.
…
More types of cryptanalysis
Brute-force attack
• Exhaustively search for the key in the key space
Side-channel attack
• Try to break a cryptosystem based on information gained from the physical implementation of the system
Social engineering attack
• Try to get the key from the owner by deception
Black-bag cryptanalysis
• Try to steal the key from the owner (e.g., via a keylogger)
Rubber-hose cryptanalysis
• Get the key from the owner by force
Two important cryptanalytic techniques
Differential cryptanalysis
• Given two different inputs of a cryptosystem, P1 and P2, the attacker tries to (partially) break the key by exploiting the relationship between Diff(C1,C2) and Diff(P1,P2), where Diff=⊕ or modular subtraction in most scenarios.
Linear cryptanalysis
• Given an input of a cryptosystem, P, the attacker tries to (partially) break some key bits by exploiting the linear relationship between different bits in P, C and K.
Ciphers
Formal definitions as codes
• Plaintext: P=(P1…Pm), where Pi∈P
• Ciphertext: C=(C1…Cm), where Ci∈C=B* (B={0,1} in most cases)
• Encryption: C=E(P, KE)={Ei(Pi, KE)}
• Decryption: P’=D(C, KD)={Di(Ci, KD)}
Classification
• Can KD be derived from KE (often KD=KE)? ⇒ Symmetric/Private-key ciphers (Yes) vs. Asymmetric/Public-key ciphers (PKC) (No)
• i≠j ⇒ Ei=Ej? ⇒ Block ciphers (Yes) vs. Stream ciphers (No)
• P1=P2 ⇒ E(P1, KE)=E(P2, KE) with probability 1? ⇒ Deterministic ciphers (Yes) vs. Probabilistic ciphers (No)
Symmetric vs. Asymmetric ciphers
Symmetric/Private-key ciphers: The key has to be shared between the encipher and the decipher.
• ⇒ A key distribution problem exists: n users need C(n,2)=n(n-1)/2 keys and those keys have to be distributed to users in advance.
Asymmetric/Public-key ciphers: The encryption key KE is published somewhere, but the decryption key KD is kept secret.
• ⇒ No key distribution problem: n users need 2n keys – n public keys for encryption and n private keys for decryption.
Symmetric/Private-Key Ciphers
Stream ciphers
How to make Ei time-varying?
• A pseudorandom number (bit) generator (PRNG/PRBG) is needed to produce a key-stream {k1…km} from the encryption key KE.
• Then, Ci=f(Pi,ki), where f is often the bitwise XOR operation Pi⊕ki, or modular addition (Pi+ki) mod 2^n.
Types of stream ciphers
• Synchronous Stream Ciphers (SSC): KE ⇒ {k1…km}
• Self-Synchronous Stream Ciphers (SSSC): (Ci-L…Ci-1,KE) ⇒ ki
• One-Time Pad (OTP): {k1…km} is the encryption/decryption key and is used only once. ⇒ If {k1…km} is perfectly random, the stream cipher provides perfect secrecy in the sense that no additional information about P is leaked from C. (Shannon, 1949)
Block ciphers
How is encryption achieved?
• The same encryption function Ei is applied to each n-bit block of P. ⇒ n-bit block ciphers
Types of block ciphers
• Substitution ciphers: each block is substituted by another one.
• Transposition ciphers: the positions of plaintext blocks/bits are permuted.
• Product ciphers: combination of different simpler ciphers ⇒ Most modern ciphers are product ciphers.
Modes of operation
• Running in a certain mode of operation, a block cipher can work exactly like a stream cipher.
Confusion and diffusion (Shannon, 1949)
Confusion: The relationship between P/KE and C should be as complex as possible.
• ⇒ Ideally, for any P and any KE, the statistics of C are/look the same.
• = Good pseudorandomness of C for any P/KE
• ≈ Ergodicity of chaotic systems?
Diffusion: The dependence of C on P/KE should be very complex.
• ⇒ Strict avalanche criterion (SAC): when one bit changes in P/KE, each bit in C changes with probability ½.
• ≈ Sensitivity to initial condition/control parameter of chaotic systems?
Block cipher design: SPN
SPN = SP network = n rounds of Substitution + Permutation + ⊕
Substitution-box (S-box) ⇒ Confusion w.r.t. plaintext
Permutation-box (P-box) ⇒ Diffusion w.r.t. plaintext
⊕ ⇒ Confusion/Diffusion w.r.t. key
Multiple rounds ⇒ Confusion & diffusion
Block cipher design: Feistel network
A Feistel network/cipher = n rounds of ⊕ and a round function F.
Pi=(Li(0),Ri(0)), Ci=(Li(n+1),Ri(n+1))
KE=KD ⇒ {K(0),…,K(n)}
Encryption: Li(j+1)=Ri(j), Ri(j+1)=Li(j)⊕F(Ri(j),K(j))
Decryption: Ri(j)=Li(j+1), Li(j)=Ri(j+1)⊕F(Li(j+1),K(j))
⇒ The same structure for encryption/decryption
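The round equations above, as an added example that is not part of the lecture: a toy 4-round, 16-bit Feistel cipher in Python whose round function F, key schedule and key size are assumptions made here, not a real cipher. It shows that decryption is the same loop with the round keys reversed and that F is never inverted, so the structure is a bijection whatever F is.

```python
# Toy 4-round, 16-bit Feistel cipher (assumed design, not secure): the point is
# that decrypt() is the same round loop as encrypt() with the keys reversed,
# and that the round function F is never inverted.
MASK8 = 0xFF

def F(r, k):
    """Round function on an 8-bit half: multiply-add, then rotate (assumed toy F)."""
    return ((r * 0x6D + k) & MASK8) ^ ((r >> 3) | ((r << 5) & MASK8))

def round_keys(key32, rounds=4):
    """Assumed key schedule: K(j) is byte j of the 32-bit master key."""
    return [(key32 >> (8 * (j % 4))) & MASK8 for j in range(rounds)]

def feistel(block16, keys):
    """L(j+1)=R(j), R(j+1)=L(j) xor F(R(j),K(j)); a final swap makes the structure self-inverse."""
    L, R = block16 >> 8, block16 & MASK8
    for k in keys:
        L, R = R, L ^ F(R, k)
    return (R << 8) | L

def encrypt(block16, key32):
    return feistel(block16, round_keys(key32))

def decrypt(block16, key32):
    return feistel(block16, round_keys(key32)[::-1])   # same loop, reversed keys

def is_permutation(key32, limit=0x10000):
    """Every block round-trips and no two blocks collide: the cipher is a bijection on 16-bit blocks."""
    seen = set()
    for p in range(limit):
        c = encrypt(p, key32)
        if decrypt(c, key32) != p or c in seen:
            return False
        seen.add(c)
    return True

if __name__ == "__main__":
    key = 0xDEADBEEF        # constructed sample key
    c = encrypt(0x1234, key)
    print(hex(c), hex(decrypt(c, key)), is_permutation(key))
```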
Block ciphers: Modes of operation
Electronic codebook (ECB)
• Encryption: Ci=Ei(Pi, KE)
• Decryption: Pi=Di(Ci, KD)
Cipher-block chaining (CBC)
• Encryption: Ci=Ei(Pi⊕Ci-1, KE), C0=IV (Initial Vector)
• Decryption: Pi=Di(Ci, KD)⊕Ci-1, C0=IV
Propagating/Plaintext cipher-block chaining (PCBC)
• Encryption: Ci=Ei(Pi⊕Ci-1⊕Pi-1, KE), P0⊕C0=IV
• Decryption: Pi=Di(Ci, KD)⊕Ci-1⊕Pi-1, P0⊕C0=IV
Block ciphers ⇒ Stream ciphers
Cipher feedback (CFB)
• Encryption: Ci=Ei(Ci-1, KE)⊕Pi, C0=IV
• Decryption: Pi=Ei(Ci-1, KD)⊕Ci, C0=IV
Output feedback (OFB)
• Internal state: Oi=Ei(Oi-1, KE), O0=IV
• Encryption: Ci=Oi⊕Pi
• Decryption: Pi=Oi⊕Ci
Counter (CTR)
• = OFB when Oi is replaced by a random number (a counter)
Some classical ciphers
Vernam cipher ∈ Stream ciphers
• Encryption: Ci=Pi⊕ki
Caesar cipher ∈ Substitution ciphers
• Encryption: Ci=(Pi+K) mod 26, where Pi, Ci, K∈{‘A’=0,…,‘Z’=25}
Vigenère cipher ∈ Polyalphabetic ciphers
• Encryption: Ci=(Pi+Ki) mod 26, where Pi, Ci, Ki∈{‘A’=0,…,‘Z’=25}
• Example: {Ki}=konstanzkonstanzkonstanz…
Scytale/Skytale cipher ∈ Transposition ciphers
• Encryption: {P1,…,Pm} ⇒ {Pi(1),…,Pi(m)}
Some modern block ciphers
DES (Data Encryption Standard, NIST, 1977-)
• 64-bit 16-round Feistel cipher with 56-bit key
AES (Advanced Encryption Standard, NIST, 2001-) / Rijndael
• 128-bit 10/12/14-round SPN cipher with 128/192/256-bit key
IDEA (International Data Encryption Algorithm, Xuejia Lai and James Massey, 1991)
• 64-bit 8.5-round SPN cipher with 128-bit key
Blowfish (Bruce Schneier, 1993)
• 64-bit 16-round Feistel cipher with 33~448-bit key
• ⇒ Twofish (Bruce Schneier, 1998) = 128-bit 16-round Feistel cipher with 128/192/256-bit key
Serpent (Ross Anderson, Eli Biham, Lars Knudsen, 1998)
• 128-bit 32-round SPN with 128/192/256-bit key
A visual demonstration of 128-bit AES
Developed by Enrique Zabala as part of the CrypTool project
LFSR-based stream ciphers (PRNGs)
LFSR = Linear Feedback Shift Register
Non-linear combining functions
Clock-controlled generators
Nonlinear filter generators
More stream ciphers (PRNGs)
NLFSR = Nonlinear feedback shift register
SEAL (Software-optimized Encryption Algorithm, Phillip Rogaway and Don Coppersmith, 1993/1997)
• Based on a cryptographic hash function.
• The key K + a 32-bit number n ⇒ A pseudorandom number k(n)
RC4 = Rivest Cipher 4 = Ron’s Code 4 (Ron Rivest, 1987, initially a trade secret, revealed in 1994)
• A permutation of 0…255 and two pointers ⇒ Key-stream
eSTREAM ciphers (2008)
Cryptographic Hash Functions
Cryptographic hash functions
An unkeyed hash function h maps a message of any size to an output of a fixed size.
• Input: x=(x1…xm), where xi∈X
• Output: y=h(x)∈B^n, where n is an integer
• Hashing ∈ Lossy compression
Types of cryptographic hash functions
• Modification detection codes (MDCs) ∈ Unkeyed hash functions
• Message authentication codes (MACs) ∈ Keyed hash functions: h(x) ⇒ h(x,K)
Security of cryptographic hash functions
Security against preimage attack
• Given any hash value y, it is computationally infeasible to find x such that h(x)=y. ⇒ Complexity = O(2^n).
Security against 2nd-preimage attack
• Given any message x, it is computationally infeasible to find x’ such that h(x’)=h(x). ⇒ Complexity = O(2^n).
Security against collision/birthday attack
• It is computationally infeasible to find any two messages x and x’ such that h(x’)=h(x). ⇒ Complexity = O(2^(n/2)).
Security against MAC forgery
• Given a number of MAC-pairs (x,h(x,K)), it is computationally infeasible to find a new pair (x’,h(x’,K)). ⇒ Complexity = O(2^n).
Applications of hash functions
Message integrity verification / Error detection (MDC)
Message authentication (MAC)
One-way function used in digital certificates and security protocols (MDC/MAC)
Password storing (MDC)
• A password P is stored on the server as its hash value h(P) or its salted hash value h(P||Salt).
• ⇒ An attacker who has read access to the server cannot get P from the hash value (⇐ security against preimage attack) or another P’ with the same hash value (⇐ security against 2nd-preimage attack).
…
How to build hash functions?
Merkle-Damgård construction (1979, 1989)
• All popular hash functions follow this construction.
[Figure: Merkle-Damgård iteration; message padding = 1-bit + 0-bits + Message Length]
Some MDCs and their applications
MD5 = Message-Digest algorithm 5 (Ron Rivest, 1991; IETF RFC 1321, 1992)
• 128-bit hash function ⇒ 2^64 is not enough against brute-force collision attack nowadays
• Collision reported by Xiaoyun Wang et al. in 2004. ⇒ Collisions of real documents and digital certificates were found afterwards. ⇒ MD5 has been broken in terms of collision resistance!
SHA (Secure Hash Algorithm) family
• SHA-0 (FIPS PUB 180 “Secure Hash Standard”, 1993) and SHA-1 (FIPS PUB 180-1, 1995): 160-bit hash function
• SHA-2 (FIPS PUB 180-2, 2000/2002/2004) ⊃ SHA-256 (truncated version SHA-224), SHA-512 (truncated version SHA-384)
• SHA-3 (in development, 2012?)
Asymmetric/Public-Key Cryptography
Public-key cryptography (PKC)
Public-key encryption (ciphers)
• Encryption: C=E(P,KE), where KE is public
• Decryption: P=D(C,KD), where KD is private
Digital signatures
• Signing: (P, S=E(h(P),KS)), where KS is private
• Verification: check if h(P)=D(S,KV), where KV is public
Special attacks to PKC
Chosen-plaintext attacks are always possible! ⇐ The encryption key KE is public.
A new attack: KE ⇒ KD.
Impersonation attack
• An attacker may impersonate a user by distributing a wrong public-key.
• ⇒ A reliable public-key distribution scheme is needed.
How to construct public-key ciphers?
One-way functions
• A function f that is easy to compute in one direction, but hard from the opposite direction.
Trapdoor (one-way) functions
• A function f that is one-way without the knowledge of some “trapdoor” information.
• Trapdoor functions can be constructed on mathematically hard problems.
Two mathematically hard problems
• Prime factorization: n=pq ⇒ p and q (which are large primes)
• Discrete logarithm problem: g^x ⇒ x (over a finite cyclic group)
RSA Public-key cipher
Named after Ron Rivest, Adi Shamir and Leonard Adleman (1978)
Key generation (Alice)
• Choose two distinct primes p and q
• Compute n=pq and φ=(p-1)(q-1)
• Select a random positive integer e<φ, such that gcd(e,φ)=1
• Compute the inverse of e mod φ, i.e., another integer d such that de≡1 (mod φ).
• ⇒ KE=(n,e), KD=d and publish KE
Encryption (Bob)
• C=(P^e mod n), where P, C ∈ {0,…,n-1}
Decryption (Alice)
• P=(C^d mod n)=(P^de mod n)
Security of RSA
The RSA problem (corresponding to ciphertext-only attack)
• (n=pq,e) and C ⇒ P such that P^e≡C (mod n)
• It is believed that the RSA problem is as hard as the prime factorization problem
• The trapdoor information is p and q.
The prime factorization problem
• n=pq ⇒ p and q ⇒ φ=(p-1)(q-1) ⇒ d (Bob can do the same thing exactly as Alice did, if he gets the values of p and q)
• The trapdoor information is p and q.
References
References for Further Reading
A. Menezes, P. van Oorschot, and S. Vanstone, Handbook of Applied Cryptography, CRC Press, 1996; the full text of all chapters is available at www.cacr.math.uwaterloo.ca/hac
Bruce Schneier, Applied Cryptography, Second Edition: Protocols, Algorithms, and Source Code in C, John Wiley & Sons, Inc., 1996
National Technical Information Service (NTIS), Specification for the Advanced Encryption Standard (AES), Federal Information Processing Standards Publication (FIPS PUB) 197, 2001, available online at http://www.csrc.nist.gov/publications/fips/fips197/fips-197.pdf