Lecture 13 Secure Multimedia Coding (I) - uni-konstanz.de

Shujun LI (李树钧): INF-10845-20091 Multimedia Coding Lecture 13 Secure Multimedia Coding (I) July 15, 2009



Outline

Coding for Security: Cryptology
• Fundamentals
• Symmetric/Private-Key Ciphers
• Cryptographic Hash Functions
• Asymmetric/Public-Key Ciphers


Fundamentals


Cryptology

Cryptology = Cryptography + Cryptanalysis
Cryptography = The art of designing cryptosystems
Cryptanalysis = The art of analyzing (often breaking) cryptosystems
Cryptosystems = Ciphers + Cryptographic hash functions + Digital signatures + Security protocols + …

Cryptography ≈ Cryptology, Cryptosystems ≈ Ciphers (in many scenarios)


Models of evaluating security

Unconditional security
Complexity-theoretical security
Provable security
Computable/Practical security
• The minimal computational effort (time and space) an attacker needs to break a cryptosystem
• Often related to mathematically hard problems


Ciphers

Cipher = Encipher + Decipher
• An encipher encodes/encrypts a message P (called plaintext) into another message C (called ciphertext), under the control of an encryption key KE.
• A decipher decodes/decrypts a ciphertext C back into a plaintext P’ (in most cases P’ = P), under the control of a decryption key KD.

Figure: Plaintext P → Encipher (Encryption Key KE) → Ciphertext C → Decipher (Decryption Key KD) → Recovered Plaintext P’


Kerckhoffs’ principle (1883)

Kerckhoffs’ principle/assumption/law/axiom
• A cipher should be secure even if everything about the cryptosystem, except the key, is public knowledge. ⇐ Spies, reverse engineering, …
• = The security of a cipher should depend only on the key, but not on the secrecy of any other part of the system.
• = Shannon’s maxim: “The enemy knows the system.”


Cryptanalysis of ciphers

Ciphertext-only attack
• The attacker can see C only: C ⇒ P and/or KD and/or KE?
Known-plaintext attack
• The attacker can see/guess P and C: (P,C) ⇒ KD and/or KE?
Chosen-plaintext attack
• The attacker has temporary access to the encipher, so that he can choose P and see C: (P,C) ⇒ KE and perhaps then KD?
Chosen-ciphertext attack
• The attacker has temporary access to the decipher, so that he can choose C and see P’: (P’,C) ⇒ KD and perhaps then KE?
Related-key attack
• The attacker can see the encryption results of several related keys.


More types of cryptanalysis

Brute-force attack
• Exhaustively search for the key in the key space
Side-channel attack
• Try to break a cryptosystem based on information gained from the physical implementation of the system
Social engineering attack
• Try to get the key from the owner by deception
Black-bag cryptanalysis
• Try to steal the key from the owner (e.g., via a keylogger)
Rubber-hose cryptanalysis
• Get the key from the owner by force


Two important cryptanalytic techniques

Differential cryptanalysis
• Given two different inputs of a cryptosystem, P1 and P2, the attacker tries to (partially) break the key by exploiting the relationship between Diff(C1,C2) and Diff(P1,P2), where Diff = ⊕ or modular subtraction in most scenarios.
Linear cryptanalysis
• Given an input of a cryptosystem, P, the attacker tries to (partially) break some key bits by exploiting the linear relationship between different bits in P, C and K.


Ciphers

Formal definitions as codes
• Plaintext: P=(P1…Pm), where Pi∈P
• Ciphertext: C=(C1…Cm), where Ci∈C=B* (B={0,1} in most cases)
• Encryption: C=E(P, KE)={Ei(Pi, KE)}
• Decryption: P’=D(C, KD)={Di(Ci, KD)}

Classification
• Can KD be derived from KE (often KD=KE)? ⇒ Symmetric/Private-key ciphers (Yes) vs. Asymmetric/Public-key ciphers (PKC) (No)
• i≠j ⇒ Ei=Ej? ⇒ Block ciphers (Yes) vs. Stream ciphers (No)
• P1=P2 ⇒ E(P1, KE)=E(P2, KE) with probability 1? ⇒ Deterministic ciphers (Yes) vs. Probabilistic ciphers (No)


Symmetric vs. Asymmetric ciphers

Symmetric/Private-key ciphers: The key has to be shared between the encipher and the decipher.
• ⇒ A key distribution problem exists: n users need C(n,2)=n(n-1)/2 keys and those keys have to be distributed to users in advance.

Asymmetric/Public-key ciphers: The encryption key KE is published somewhere, but the decryption key KD is kept secret.
• ⇒ No key distribution problem: n users need 2n keys – n public keys for encryption and n private keys for decryption.


Symmetric/Private-Key Ciphers


Stream ciphers

How to make Ei time-varying?
• A pseudorandom number (bit) generator (PRNG/PRBG) is needed to produce a key-stream {k1…km} from the encryption key KE.
• Then, Ci=f(Pi,ki), where f is often the bitwise XOR operation Pi⊕ki, or modular addition (Pi+ki) mod 2^n.

Types of stream ciphers
• Synchronous Stream Ciphers (SSC): KE ⇒ {k1…km}
• Self-Synchronous Stream Ciphers (SSSC): (Ci-L…Ci-1,KE) ⇒ ki
• One-Time Pad (OTP): {k1…km} is the encryption/decryption key and is used only once. ⇒ If {k1…km} is perfectly random, the stream cipher provides perfect secrecy in the sense that no additional information about P is leaked from C. (Shannon, 1949)


Block ciphers

How is encryption achieved?
• The same encryption function Ei is applied to each n-bit block of P. ⇒ n-bit block ciphers

Types of block ciphers
• Substitution ciphers: each block is substituted by another one.
• Transposition ciphers: the positions of plaintext blocks/bits are permuted.
• Product ciphers: combination of different simpler ciphers ⇒ Most modern ciphers are product ciphers.

Modes of operation
• Running in a certain mode of operation, a block cipher can work exactly like a stream cipher.


Confusion and diffusion (Shannon, 1949)

Confusion: The relationship between P/KE and C should be as complex as possible.
• ⇒ Ideally, for any P and any KE, the statistics of C are/look the same.
• = Good pseudorandomness of C for any P/KE
• ≈ Ergodicity of chaotic systems?

Diffusion: The dependence of C on P/KE should be very complex.
• ⇒ Strict avalanche criterion (SAC): when one bit changes in P/KE, each bit in C changes with probability ½.
• ≈ Sensitivity to initial conditions/control parameters of chaotic systems?


Block cipher design: SPN

SPN = SP network = n rounds of Substitution + Permutation + ⊕
Substitution-box (S-box) ⇒ Confusion w.r.t. plaintext
Permutation-box (P-box) ⇒ Diffusion w.r.t. plaintext
⊕ ⇒ Confusion/Diffusion w.r.t. key
Multiple rounds ⇒ Confusion & diffusion


Block cipher design: Feistel network

A Feistel network/cipher = n rounds of ⊕ and a round function F.
Pi=(Li(0),Ri(0)), Ci=(Li(n+1),Ri(n+1))
KE=KD ⇒ {K(0),…,K(n)}
Encryption: Li(j+1)=Ri(j), Ri(j+1)=Li(j)⊕F(Ri(j),K(j))
Decryption: Ri(j)=Li(j+1), Li(j)=Ri(j+1)⊕F(Li(j+1),K(j))
⇒ The same structure for encryption/decryption
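Added example (not code from the lecture): a toy 64-bit Feistel cipher that implements the encryption and decryption equations above, and measures the strict avalanche criterion from the confusion/diffusion slide. The SHA-256-based round function F, the key schedule and the 8-round count are assumptions chosen for illustration.

```python
import hashlib
import struct

# Toy 64-bit Feistel cipher (32-bit halves) following the slide's equations.
# Constructed for illustration; the hash-based round function is an assumption.
ROUNDS = 8
MASK32 = 0xFFFFFFFF


def round_keys(key: bytes, rounds: int = ROUNDS) -> list:
    """Derive the round keys K(0)..K(n) from the shared master key KE=KD."""
    return [hashlib.sha256(key + bytes([j])).digest()[:4] for j in range(rounds)]


def F(right: int, k: bytes) -> int:
    """Round function F(R, K). It need not be invertible: decryption never inverts it."""
    digest = hashlib.sha256(struct.pack(">I", right) + k).digest()
    return struct.unpack(">I", digest[:4])[0]


def feistel_rounds(block: int, keys: list) -> int:
    """L(j+1)=R(j), R(j+1)=L(j) xor F(R(j),K(j)) for each key; the last swap is undone."""
    left, right = block >> 32, block & MASK32
    for k in keys:
        left, right = right, left ^ F(right, k)
    return (right << 32) | left


def encrypt(block: int, key: bytes) -> int:
    return feistel_rounds(block, round_keys(key))


def decrypt(block: int, key: bytes) -> int:
    """Same network, round keys in reverse order: the slide's decryption equations."""
    return feistel_rounds(block, round_keys(key)[::-1])


def avalanche_bits(block: int, key: bytes, bit: int) -> int:
    """Hamming distance between C and C' when one plaintext bit flips (SAC: about 32 of 64)."""
    return bin(encrypt(block, key) ^ encrypt(block ^ (1 << bit), key)).count("1")


if __name__ == "__main__":
    key, p = b"constructed-key", 0x0123456789ABCDEF
    c = encrypt(p, key)
    assert decrypt(c, key) == p
    print(hex(c), avalanche_bits(p, key, 0))
```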


Block ciphers: Modes of operation

Electronic codebook (ECB)
• Encryption: Ci=Ei(Pi, KE)
• Decryption: Pi=Di(Ci, KD)

Cipher-block chaining (CBC)
• Encryption: Ci=Ei(Pi⊕Ci-1, KE), C0=IV (Initial Vector)
• Decryption: Pi=Di(Ci, KD)⊕Ci-1, C0=IV

Propagating/Plaintext cipher-block chaining (PCBC)
• Encryption: Ci=Ei(Pi⊕Ci-1⊕Pi-1, KE), P0⊕C0=IV
• Decryption: Pi=Di(Ci, KD)⊕Ci-1⊕Pi-1, P0⊕C0=IV


Block ciphers ⇒ Stream ciphers

Cipher feedback (CFB)
• Encryption: Ci=Ei(Ci-1, KE)⊕Pi, C0=IV
• Decryption: Pi=Ei(Ci-1, KD)⊕Ci, C0=IV

Output feedback (OFB)
• Internal state: Oi=Ei(Oi-1, KE), O0=IV
• Encryption: Ci=Oi⊕Pi
• Decryption: Pi=Oi⊕Ci

Counter (CTR)
• = OFB when Oi is replaced by a random number (a counter)


Some classical ciphers

Vernam cipher ∈ Stream ciphers
• Encryption: Ci=Pi⊕ki

Caesar cipher ∈ Substitution ciphers
• Encryption: Ci=(Pi+K) mod 26, where Pi, Ci, K∈{‘A’=0,…,’Z’=25}

Vigenère cipher ∈ Polyalphabetic ciphers
• Encryption: Ci=(Pi+Ki) mod 26, where Pi, Ci, Ki∈{‘A’=0,…,’Z’=25}
• Example: {Ki}=konstanzkonstanzkonstanz…

Scytale/Skytale cipher ∈ Transposition ciphers
• Encryption: {P1,…,Pm} ⇒ {Pi(1),…,Pi(m)}


Some modern block ciphers

DES (Data Encryption Standard, NIST, 1977-)
• 64-bit 16-round Feistel cipher with 56-bit key
AES (Advanced Encryption Standard, NIST, 2001-) / Rijndael
• 128-bit 10/12/14-round SPN cipher with 128/192/256-bit key
IDEA (International Data Encryption Algorithm, Xuejia Lai and James Massey, 1991)
• 64-bit 8.5-round SPN cipher with 128-bit key
Blowfish (Bruce Schneier, 1993)
• 64-bit 16-round Feistel cipher with 33~448-bit key
• ⇒ Twofish (Bruce Schneier, 1998) = 128-bit 16-round Feistel cipher with 128/192/256-bit key
Serpent (Ross Anderson, Eli Biham, Lars Knudsen, 1998)
• 128-bit 32-round SPN with 128/192/256-bit key


A visual demonstration of 128-bit AES

Developed by Enrique Zabala as part of the CrypTool project


LFSR-based stream ciphers (PRNGs)

LFSR = Linear Feedback Shift Register

Non-linear combining functions
Clock-controlled generators
Nonlinear filter generators


More stream ciphers (PRNGs)

NLFSR = Nonlinear feedback shift register

SEAL (Software-optimized Encryption Algorithm, Phillip Rogaway and Don Coppersmith, 1993/1997)
• Based on a cryptographic hash function.
• The key K + a 32-bit number n ⇒ A pseudorandom number k(n)

RC4 = Rivest Cipher 4 = Ron’s Code 4 (Ron Rivest, 1987, initially a trade secret, revealed in 1994)
• A permutation of 0…255 and two pointers ⇒ Key-stream

eSTREAM ciphers (2008)


Cryptographic Hash Functions


Cryptographic hash functions

An unkeyed hash function h maps a message of any size to an output of a fixed size.
• Input: x=(x1…xm), where xi∈X
• Output: y=h(x)∈B^n, where n is an integer
• Hashing ∈ Lossy compression

Types of cryptographic hash functions
• Modification detection codes (MDCs) ∈ Unkeyed hash functions
• Message authentication codes (MACs) ∈ Keyed hash functions: h(x) ⇒ h(x,K)


Security of cryptographic hash functions

Security against preimage attack
• Given any hash value y, it is computationally infeasible to find x such that h(x)=y. ⇒ Complexity = O(2^n).

Security against 2nd-preimage attack
• Given any message x, it is computationally infeasible to find x’≠x such that h(x’)=h(x). ⇒ Complexity = O(2^n).

Security against collision/birthday attack
• It is computationally infeasible to find any two messages x≠x’ such that h(x’)=h(x). ⇒ Complexity = O(2^(n/2)).

Security against MAC forgery
• Given a number of MAC pairs (x,h(x,K)), it is computationally infeasible to find a new pair (x’,h(x’,K)). ⇒ Complexity = O(2^n).


Applications of hash functions

Message integrity verification / Error detection (MDC)
Message authentication (MAC)
One-way function used in digital certificates and security protocols (MDC/MAC)
Password storing (MDC)
• A password P is stored on the server as its hash value h(P) or its salted hash value h(P||Salt).
• ⇒ An attacker who has read access to the server cannot get P from the hash value (⇐ security against preimage attack) or another P’ with the same hash value (⇐ security against 2nd-preimage attack).
…


How to build hash functions?

Merkle-Damgård construction (1979, 1989)
• All popular hash functions follow this construction.

Figure: Merkle-Damgård chaining; the message is padded with a 1-bit, 0-bits and the message length before being split into blocks.


Some MDCs and their applications

MD5 = Message-Digest algorithm 5 (Ron Rivest, 1991; IETF RFC 1321, 1992)
• 128-bit hash function ⇒ 2^64 is not enough against brute-force collision attack nowadays
• Collision reported by Xiaoyun Wang et al. in 2004. ⇒ Collisions of real documents and digital certificates were found afterwards. ⇒ MD5 has been broken in terms of collision resistance!

SHA (Secure Hash Algorithm) family
• SHA-0 (FIPS PUB 180 “Secure Hash Standard”, 1993) and SHA-1 (FIPS PUB 180-1, 1995): 160-bit hash function
• SHA-2 (FIPS PUB 180-2, 2000/2002/2004) ⊃ SHA-256 (truncated version SHA-224), SHA-512 (truncated version SHA-384)
• SHA-3 (in development, 2012?)


Asymmetric/Public-Key Cryptography


Public-key cryptography (PKC)

Public-key encryption (ciphers)
• Encryption: C=E(P,KE), where KE is public
• Decryption: P=D(C,KD), where KD is private

Digital signatures
• Signing: (P, S=E(h(P),KS)), where KS is private
• Verification: check if h(P)=D(S,KV), where KV is public


Special attacks to PKC

Chosen-plaintext attacks are always possible! ⇐ The encryption key KE is public.
A new attack: KE ⇒ KD.
Impersonation attack
• An attacker may impersonate a user by distributing a wrong public key.
• ⇒ A reliable public-key distribution scheme is needed.


How to construct public-key ciphers?

One-way functions
• A function f that is easy to compute in one direction, but hard from the opposite direction.

Trapdoor (one-way) functions
• A function f that is one-way without the knowledge of some “trapdoor” information.
• Trapdoor functions can be constructed on mathematically hard problems.

Two mathematically hard problems
• Prime factorization: n=pq ⇒ p and q (which are large primes)
• Discrete logarithm problem: g^x ⇒ x (over a finite cyclic group)


RSA Public-key cipher

Named after Ron Rivest, Adi Shamir and Leonard Adleman (1978)

Key generation (Alice)
• Choose two distinct primes p and q
• Compute n=pq and φ=(p-1)(q-1)
• Select a random positive integer e<φ, such that gcd(e,φ)=1
• Compute the inverse of e mod φ, i.e., another integer d such that de≡1 (mod φ).
• ⇒ KE=(n,e), KD=d and publish KE

Encryption (Bob)
• C=(P^e mod n), where P, C ∈ {0,…,n-1}

Decryption (Alice)
• P=(C^d mod n)=(P^de mod n)


Security of RSA

The RSA problem (corresponding to ciphertext-only attack)
• (n=pq,e) and C ⇒ P such that P^e≡C (mod n)
• It is believed that the RSA problem is as hard as the prime factorization problem
• The trapdoor information is p and q.

The prime factorization problem
• n=pq ⇒ p and q ⇒ φ=(p-1)(q-1) ⇒ d (Bob can do the same thing exactly as Alice did, if he gets the values of p and q)
• The trapdoor information is p and q.


References


References of Further Reading

A. Menezes, P. van Oorschot, and S. Vanstone, Handbook of Applied Cryptography, CRC Press, 1996. Full text of all chapters is available at www.cacr.math.uwaterloo.ca/hac
Bruce Schneier, Applied Cryptography, Second Edition: Protocols, Algorithms, and Source Code in C, John Wiley & Sons, Inc., 1996
National Technical Information Service (NTIS), Specification for the Advanced Encryption Standard (AES), Federal Information Processing Standards Publication (FIPS PUB) 197, 2001, available online at http://www.csrc.nist.gov/publications/fips/fips197/fips-197.pdf