Cryptography I

Home , ROT13, Substitution cipher, Transposition cipher

David Basin Institut f¨urInformatik Albert-Ludwigs-Universit¨at Freiburg

IT-Security: Theory and Practice (WS02) David Basin 1 Motivation then and now

Three can keep a secret, if two of them are dead. — Benjamin Franklin

We interact and transact by directing flocks of digital packets towards each other through cyberspace, carrying love notes, digital cash, and secret corporate documents. Our personal and economic lives rely on our ability to let such ethereal carrier pigeons mediate at a distance what we used to do with face-to-face meetings, paper documents, and a firm handshake. How do we converse privately when every syllable is bounced off a satellite and smeared over an entire continent? How should a bank know that it really is Bill Gates requesting from his laptop in Fiji a transfer of $10,000,000,000 to another bank? Fortunately, the mathematics of cryptography can help. — Ron Rivest

IT-Security: Theory and Practice (WS02) 29.10.02 David Basin 2 Road map

• Basic concepts

• A mathematical formalization

• Symmetric-key encryption

IT-Security: Theory and Practice (WS02) 29.10.02 David Basin 3 Network security model

Trusted Third Party Principal Principal

Message Information Message Channel Secret Secret Information Information

Opponent

Since information channel is untrusted, measures must be taken to ensure conﬁdentiality (integrity, ...) of transactions.

IT-Security: Theory and Practice (WS02) 29.10.02 David Basin 4 Security measures and mechanisms

• Prevention: measures that hinder asset damage. Real-world: build a castle with a moat and crocodiles. E-Commerce: encrypt your credit card number.

• Detection: measures to detect when an asset has been damaged, how it has been damaged, and who caused the damage. Real-world: install a closed-circuit television. E-Commerce: monthly statement of credit card transactions.

• Reaction: take measures to recover your assets or rectify damages. Real-world: call the police and pray. E-Commerce: block old card and request a new one.

IT-Security: Theory and Practice (WS02) 29.10.02 David Basin 5 Information hiding

STEGANOGRAPHY SECRET (hidden) CODE WRITING SUBSTITUTION (replace words) CRYPTOGRAPHY CIPHER (scrambled) (replace letters) TRANSPOSITION

• Cryptology: the study of secret writing.

• Steganography: the science of hiding messages in other messages.

• Cryptography: the science of secret writing. N.B. Terms like encrypt, encode, and encipher are often (loosely and wrongly) used interchangeably

IT-Security: Theory and Practice (WS02) 29.10.02 David Basin 6 Cryptographic algorithms

• General Schema: Ekey1(P) = C , Dkey2(C ) = P Key1 Key2 Ciphertext Plaintext Plain Text Encryption Decryption P C P

• Security depends on secrecy of the key, not the algorithm

• Symmetric algorithms – Key1 = Key2, or are easily derived from each other.

• Asymmetric or public key algorithms – Diﬀerent keys, which cannot be derived from each other. – Public key can be published without compromising private key.

IT-Security: Theory and Practice (WS02) 29.10.02 David Basin 7 Other cryptographic primitives

• A function f : X → Y is a one-way function, if f is “easy” to compute for all x ∈ X , but f −1 is “hard” to compute “Easy” and “hard” with respect to complexity theory

• A hash function is a one-way function that maps messages of arbitrary length to a ﬁxed size value (e.g., 128 bits)

• We will see other cryptographic primitives later Trapdoor functions, pseudo-random generators, . . .

IT-Security: Theory and Practice (WS02) 29.10.02 David Basin 8 Goals for cryptographic algorithms

Key1 Key2 Ciphertext Plaintext Plain Text Encryption Decryption P C P

• Encryption and decryption are easy if keys are known.

• Keep plaintext (or keys) secret from attacker. I.e., it is hard to: – get P from C without Key2. – get the keys even if given one or more pairs of C and corresponding P,

IT-Security: Theory and Practice (WS02) 29.10.02 David Basin 9 Cryptanalysis

• Cryptanalysis: science of recovering the plaintext from ciphertext without the key.

• Always assume attackers know the algorithms used! – Worst-case analysis and realistic in open systems – Algorithms should be published to facilitate the evaluation of their security.

• Contrast with security by obscurity. Analogy: hide a letter under your mattress versus lock it in a safe, whose design has been published and whose locking mechanism has withstood attacks from the world’s best safecrackers.

IT-Security: Theory and Practice (WS02) 29.10.02 David Basin 10 Kinds of attacks

Ciphertext only Given: C1 = EK (M1),..., Cn = EK (Mn)

Deduce: M1,..., Mn or algorithm to compute Mn+1 from Cn+1 = EK (Mn+1)

Known plaintext Given: M1, C1 = EK (M1),..., Mn, Cn = EK (Mn)

Deduce: Inverse key or algorithm to compute Mn+1 from Cn+1 = EK (Mn+1)

Chosen plaintext Same as above but cryptanalyst may choose M1,..., Mn.

Adaptive chosen plaintext Cryptanalyst can not only choose plaintext, but he can modify the plaintext based on encryption results.

Chosen ciphertext Cryptanalyst can chose diﬀerent ciphertexts to be decrypted and gets access to the decrypted plaintext.

Rubber-hose Cryptanalyst bribes or tortures someone until he gets the key!

IT-Security: Theory and Practice (WS02) 29.10.02 David Basin 11 Road map

• Basic concepts

• A mathematical formalization

• Symmetric key encryption

IT-Security: Theory and Practice (WS02) 29.10.02 David Basin 12 Encryption/decryption

• A, the alphabet, is a ﬁnite set.

• M, the message space, is A∗, the ﬁnite strings over A. M ∈ M is a plaintext (message).

• C is the ciphertext space, whose alphabet may diﬀer from M.

• K denotes the key space of keys.

• Each e ∈ K determines a bijective function from M to C, denoted by Ee. Ee is the encryption function (or transformation).

• For each d ∈ K, Dd denotes a bijection from C to M. Dd is the decryption function.

• Applying Ee (or Dd ) is called encryption (or decryption).

IT-Security: Theory and Practice (WS02) 29.10.02 David Basin 13 Encryption/decryption (cont.)

• An encryption scheme (or cipher) consists of a set {Ee : e ∈ K} and a corresponding set {De : e ∈ K} with the property that for −1 each e ∈ K there is a unique d ∈ K such that Dd = Ee ; i.e.,

Dd (Ee(m)) = m for all m ∈ M .

• The keys e and d above form a key pair, sometimes denoted by (e, d). They can be identical.

• To construct an encryption scheme requires ﬁxing a message space M, a ciphertext space C and a key space K, as well as encryption transformations {Ee : e ∈ K} and corresponding decryption transformations {Dd : d ∈ K}.

IT-Security: Theory and Practice (WS02) 29.10.02 David Basin 14 Question — why bother with keys?

• Formalization based on two parties exchanging a key pair (e, d) to achieve conﬁdentiality.

• Why not just exchange encryption/decryption functions?

IT-Security: Theory and Practice (WS02) 29.10.02 David Basin 14 Question — why bother with keys?

• Formalization based on two parties exchanging a key pair (e, d) to achieve conﬁdentiality.

• Why not just exchange encryption/decryption functions?

• Answer: By exchanging key pairs, if some encryption/decryption transformation is revealed, one doesn’t have to redesign entire scheme. Just exchange new keys!

• Analogy with combination lock: If your combination is compromised, just change it, not the physical lock. However, if the lock design is compromised . . .

IT-Security: Theory and Practice (WS02) 29.10.02 David Basin 15 An example

Let M = {m1, m2, m3} and C = {c1, c2, c3}. There are 3! = 6 bijections from M to C. The key space K = {1, 2, 3, 4, 5, 6} speciﬁes these transformations.

E1 E2 E3 m1 c1 m1 c1 m1 c1 m2 c2 m2 c2 m2 c2 m3 c3 m3 c3 m3 c3

E4 E5 E6 m1 c1 m1 c1 m1 c1 m2 c2 m2 c2 m2 c2 m3 c3 m3 c3 m3 c3

Suppose Alice and Bob agree on the transformation E1. To encrypt m1, Alice computes E1(m1) = c3. Bob decrypts c3 by reversing the arrows on the diagram for E1 and observing that c3 points to m1.

IT-Security: Theory and Practice (WS02) 29.10.02 David Basin 16 Road map

• Basic concepts

• A mathematical formalization

• Symmetric-key encryption Codes, substitution ciphers, transposition ciphers, one-time pads.

IT-Security: Theory and Practice (WS02) 29.10.02 David Basin 17 Symmetric key encryption

• Consider an encryption scheme {Ee : e ∈ K} and {Dd : d ∈ K}. The scheme is symmetric-key if for each associated pair (e, d) it is computationally “easy” to determine d knowing only e and to determine e from d. In practice e = d. • Other terms: single-key, one-key, private-key, and conventional encryption. • A block cipher is an encryption scheme that breaks up the plaintext message into strings (blocks) of a ﬁxed length t and encrypts one block at a time. • A stream cipher is one where the block-length is 1. • In contrast, codes work on words of varying length.

IT-Security: Theory and Practice (WS02) 29.10.02 David Basin 18 Codes

• Code: a string of symbols stands for a complete message.

• Translation given by a ‘code-book’.

Word Code ...... The 1701 secret 5603 mischiefs 4008 that 3790 I 2879 set 0524 ......

IT-Security: Theory and Practice (WS02) 29.10.02 David Basin 18 Codes

• Code: a string of symbols stands for a complete message.

• Translation given by a ‘code-book’.

Word Code ...... The 1701 secret 5603 mischiefs 4008 that 3790 I 2879 set 0524 ......

2327 6605 1702 9853 0001 0970 3190 8817 1320 0000 = 1701 5603 4008 3790 2879 0524 7946 = 2879 2870 6699 1702 3982 5550 8102 7354 0000 =

IT-Security: Theory and Practice (WS02) 29.10.02 David Basin 18 Codes

• Code: a string of symbols stands for a complete message.

• Translation given by a ‘code-book’.

Word Code ...... The 1701 secret 5603 mischiefs 4008 that 3790 I 2879 set 0524 ......

2327 6605 1702 9853 0001 0970 3190 8817 1320 0000 = I do the wrong, and ﬁrst begin to brawl. 1701 5603 4008 3790 2879 0524 7946 = The secret mischiefs that I set abroach 2879 2870 6699 1702 3982 5550 8102 7354 0000 = I lay unto the grievous charge of others. (Richard III, Act I, Scene 3)

IT-Security: Theory and Practice (WS02) 29.10.02 David Basin 19 Another Example

This year’s trial of the embassy bombings revealed that Bin Laden associates began to use encryption before 1998. Sometimes members of the Al-Qaida confederation have alternatively resorted to simple code words. For instance, “working” is said to mean Jihad, “tools” meant weapons, “potatos” meant grenades and “the director” was an alias for Bin Laden. Steganographic approaches were also used to communicate in at least three terrorist acts, including the 1998 embassy bombings in Kenya and Tanzania. Lisa Krieger, Mercury News, Oct 1. 2001

IT-Security: Theory and Practice (WS02) 29.10.02 David Basin 20 Historical ciphers

• Used 4000 years ago by Egyptians to encipher hieroglypics.

• Ancient Hebrews enciphered certain words in the scriptures. • 2000 years ago Julius Ceasar used a simple substitution cipher. • Roger Bacon described several methods in 1200s. • Geoﬀrey Chaucer included several ciphers in his works • Leon Alberti devised a cipher wheel, and described the principles of frequency analysis in the 1460s. IT-Security: Theory and Practice (WS02) 29.10.02 David Basin 21 Mono-alphabetic substitution ciphers

• Let K be the set of all permutations on the alphabet A. Deﬁne for each e ∈ K an encryption transformation Ee on strings m = m1m2 ··· mn ∈ M as

Ee(m) = e(m1)e(m2) ··· e(mn) = c1c2 ··· cn = c

• To decrypt c, compute the inverse permutation d = e−1 and

Dd (c) = d(c1)d(c2) ··· d(cn) = m

• Ee is a simple substitution cipher or a mono-alphabetic substitution cipher.