Classical Cryptography
CSC 482/582: Computer Security
Topics
1. Modular Arithmetic Review 2. What is Cryptography? 3. History of Cryptography 4. Transposition Ciphers 5. Substitution Ciphers 1. Cæsar cipher 2. Vigènere cipher 6. Cryptanalysis: frequency analysis 7. Block Ciphers 8. DES
CSC 482/582: Computer Security
Modular Arithmetic Congruence a = b (mod N) iff a = b + kN Equivalently, a = b (mod N) iff N / (a – b) ex: 37=27 mod 10 b is the residue of a, modulo N Integers 0..N-1 are complete set of residues mod N
CSC 482/582: Computer Security
1 Laws of Modular Arithmetic
(a + b) mod N = (a mod N + b mod N) mod N
(a - b) mod N = (a mod N - b mod N) mod N
ab mod N = (a mod N)(b mod N) mod N
a(b+c) mod N = ((ab mod N) + (ac mod N)) mod N
CSC 482/582: Computer Security
What is Cryptography?
Cryptography: The art and science of keeping messages secure.
Cryptanalysis: the art and science of decrypting messages.
Cryptology: cryptography + cryptanalysis
CSC 482/582: Computer Security
Terminology Plaintext: message to be encrypted. Also called Plaintext cleartext.
Encryption: altering a Encryption message to keep its Procedure contents secret.
Ciphertext: encrypted message. Ciphertext
CSC 482/582: Computer Security
2 History of Cryptography Egyptian hieroglyphics ~ 2000 B.C.E. Cryptic tomb enscriptions for regality. Spartan skytale cipher ~ 500 B.C.E. Wrapped thin sheet of papyrus around staff. Messages written down length of staff. Decrypted by wrapped around = diameter staff. Cæsar cipher ~ 50 B.C.E. Simple alphabetic substitution cipher. al-Kindi ~ 850 C.E. Cryptanalysis using letter frequencies.
CSC 482/582: Computer Security
History of Cryptography Alberti’s polyalphabetic cipher 1467
Decryption of Zimmerman telegram 1917 Leads US into World War I Japanese Purple Machine cracked 1937 US breaks rotor machine for highest secrets. German Enigma machine cracked 1933-45 Initially broken by Polish mathematician Variants broken at Bletchley Park in UK Colossus, world’s 1st electronic computer. CSC 482/582: Computer Security
Rearrange letters in plaintext. Example: Rail-Fence Cipher Plaintext is HELLO WORLD
Rearrange as H L O O L
E L W R D
Ciphertext is HLOOL ELWRD
CSC 482/582: Computer Security
3 Cryptosystem Formal Definition 5-tuple (E, D, M, K, C) M set of plaintexts K set of keys C set of ciphertexts E set of encryption functions e: M K C D set of decryption functions d: C K M
CSC 482/582: Computer Security
Cæsar cipher Letter shifting cipher (A=>D, B=>E, C=>F, … 5-tuple M = { all sequences of letters } K = { i | i is an integer and 0 ≤ i ≤ 25 }
E = { Ek | k K and for all letters m,
Ek(m) = (m + k) mod 26 }
D = { Dk | k K and for all letters c,
Dk(c) = (26 + c – k) mod 26 } C = M History: Cæsar’s key was 3.
CSC 482/582: Computer Security
Cæsar cipher Plaintext is HELLO WORLD Change each letter to the third letter following it (X goes to A, Y to B, Z to C) Key is 3, usually written as letter ‘D’ Ciphertext is KHOOR ZRUOG
CSC 482/582: Computer Security
4 ROT 13
Cæsar cipher with key of 13 13 chosen since encryption and decryption are same operation Used to hide spoilers, punchlines, and offensive material online.
CSC 482/582: Computer Security
Kerckhoff’s Principle Security of cryptosystem should only depend on 1. Quality of shared encryption algorithm E 2. Secrecy of key K Security through obscurity tends to fail ex: DVD Content Scrambling System
CSC 482/582: Computer Security
Cryptanalysis Goals 1. Decrypt a given message. 2. Recover encryption key.
Adversarial models vary based on 1. Type of information available to adversary 2. Interaction with cryptosystem.
CSC 482/582: Computer Security
5 Cryptanalysis Adversarial Models ciphertext only: adversary has only ciphertext; goal is to find plaintext, possibly key. known plaintext: adversary has ciphertext, corresponding plaintext; goal is to find key. chosen plaintext: adversary may supply plaintexts and obtain corresponding ciphertext; goal is to find key.
CSC 482/582: Computer Security
Classical Cryptography Sender and receiver share common key Keys may be the same, or be trivial to derive from one another. Sometimes called symmetric cryptography.
CSC 482/582: Computer Security
Substitution Ciphers Substitute plaintext chars for ciphered chars. Simple: Always use same substitution function. Polyalphabetic: Use different substitution functions based on position in message.
CSC 482/582: Computer Security
6 Cryptanalysis of Cæsar Cipher
Exhaustive search If the key space is small enough, try all possible keys until you find the right one. Cæsar cipher has only 26 possible keys.
CSC 482/582: Computer Security
General Simple Substitution Cipher
Key Space: All permutations of alphabet. Encryption: Replace each plaintext letter x with K(x) Decryption: Replace each ciphertext letter y with K-1(y) Example: A B C D E F G H I J K L M N O P Q R S T U V W X Y Z K= F U B A R D H G J I L K N M P O S Q Z W X Y V T C E
CRYPTO BQCOWP
CSC 482/582: Computer Security
General Substitution Cryptanalysis
Exhaustive search impossible Key space size is 26! =~ 4 x 1026 Historically thought to be unbreakable.
CSC 482/582: Computer Security
7 Cryptanalysis: Frequency Analysis
Languages have different frequencies of letters digraphs (groups of 2 letters) trigraphs (groups of 3 letters) etc. Simple substitution ciphers preserve frequency distributions.
CSC 482/582: Computer Security
English Letter Frequencies
CSC 482/582: Computer Security
Additional Frequency Features
Digraph frequencies Common digraphs: EN, RE, ER, NT Vowels other than E rarely followed by another vowel. The letter Q is followed only by U. …
CSC 482/582: Computer Security
8 Countering Frequency Analysis Nulls Insert additional symbols (numbers) which have no meaning in random places. Idiosyncratic spellings n0rM4L s34rCh Hacker speak: www.google.com/webhp?hl=xx-hacker Homophonic substitution Each letter has multiple substitutions.
Techniques increase difficulty but don’t make impossible.
CSC 482/582: Computer Security
Countering Frequency Analysis
Primary weakness of simple substition: Each ciphertext letter corresponds to only one letter of plaintext. Solution: polyalphabetic substitution Use multiple cipher alphabets. Switch between cipher alphabets from character to character in the plaintext.
CSC 482/582: Computer Security
Letter Frequency Distributions
CSC 482/582: Computer Security
9 Vigènere Cipher Use phrase instead of letter as key. Example Message THE BOY HAS THE BALL Key VIG Encipher using Cæsar cipher for each letter: key VIGVIGVIGVIGVIGV plain THEBOYHASTHEBALL cipher OPKWWECIYOPKWIRG
Reproduction of CSA Cipher Disk CSC 482/582: Computer Security
Relevant Parts of Tableau
G I V Tableau shown only has A G I V relevant rows and columns. B H J W E L M Z Example encipherments: H N P C key V, letter T: follow V L R T G column down to T row O U W J (giving “O”) S Y A N Key I, letter H: follow I T Z B O column down to H row Y E H T (giving “P”)
CSC 482/582: Computer Security
Useful Terms period: length of key In earlier example, period is 3 tableau: table used to encipher and decipher Vigènere cipher has key letters on top, plaintext letters on the left.
CSC 482/582: Computer Security
10 Vigènere Cryptanalysis
1. Find key length (period), which we will call n. 2. Break message into n parts, each part being enciphered using the same key letter. 3. Use frequency analysis to solve resulting n simple substitution ciphers.
key VIGVIGVIGVIGVIGV plain THEBOYHASTHEBALL cipher OPKWWECIYOPKWIRG
CSC 482/582: Computer Security
Kasiski Test Conjunction of key repetition with repeated portion of plaintext produces repeated ciphertext.
Example: key VIGVIGVIGVIGVIGV plain THEBOYHASTHEBALL cipher OPKWWECIYOPKWIRG Key and plaintext line up over the repetitions.
Distance between repetitions is 9 Repeated phrase “OPK” at 1st and 10th positions. Period is a multiple of 9 (1, 3 or 9.)
CSC 482/582: Computer Security
Example Vigènere Ciphertext ADQYS MIUSB OXKKT MIBHK IZOOO EQOOG IFBAG KAUMF VVTAA CIDTW MOCIO EQOOG BMBFV ZGGWP CIEKQ HSNEW VECNE DLAAV RWKXS VNSVP HCEUT QOIOF MEGJS WTPCH AJMOC HIUIX
CSC 482/582: Computer Security
11 Repetitions in Example
Letters Start End Distance Factors MI 5 15 10 2, 5 OO 22 27 5 5 OEQOOG 24 54 30 2, 3, 5 FV 39 63 24 2, 2, 2, 3 AA 43 87 44 2, 2, 11 MOC 50 122 72 2, 2, 2, 3, 3 QO 56 105 49 7, 7 PC 69 117 48 2, 2, 2, 2, 3 NE 77 83 6 2, 3 SV 94 97 3 3 CH 118 124 6 2, 3
CSC 482/582: Computer Security
Estimate of Period
OEQOOG is probably not a coincidence Two character repetitions may be chance. Period may be 1, 2, 3, 5, 6, 10, 15, or 30 Most others (7/10) have 2 in their factors Almost as many (6/10) have 3 in their factors. Begin with period of 2 3 = 6.
CSC 482/582: Computer Security
Letter Coincidence
Coincidence: Picking two letters at random from a message that are identical. Procedure Place one text above other. Count coincidences. Coincidence probabilities for two letters: Random English letters: 1/26 0.0385 English plaintext: 0.0667
CSC 482/582: Computer Security
12 English Letter Frequencies
a 0.080 h 0.060 n 0.070 t 0.090 b 0.015 i 0.065 o 0.080 u 0.030 c 0.030 j 0.005 p 0.020 v 0.010 d 0.040 k 0.005 q 0.002 w 0.015 e 0.130 l 0.035 r 0.065 x 0.005 f 0.020 m 0.030 s 0.060 y 0.020 g 0.015 z 0.002
CSC 482/582: Computer Security
Index of Coincidence Probability that two randomly chosen letters of a ciphertext of N characters coincide.
Fi is frequency of cipher character number i N is the length of the ciphertext
1 25 IC F i ( F i 1)
N ( N 1) i 0
CSC 482/582: Computer Security
Index of Coincidence
Expected IC Expected IC by period Random: 0.0385 2: 0.052 Plaintext: 0.0667 3: 0.047 4: 0.045 5: 0.044 10: 0.041
Index of Coincidence Shorter Key
Longer Key 0.0385 0.0667
CSC 482/582: Computer Security
13 Compute IC for Example IC = Number of Coincidences/Number of Pairs
= ( 0≤i≤25 [ni (ni – 1)]) / (N (N – 1)) For our ciphertext, IC = 0.043 Indicates a key of slightly more than 5. A statistical measure, so it can be in error, but it agrees with the previous estimate (which was 6.)
CSC 482/582: Computer Security
Splitting Into Alphabets Divide cipher into 6 (period) alphabets. Alphabet IC AIKHOIATTOBGEEERNEOSAI 0.069 DUKKEFUAWEMGKWDWSUFWJU 0.078 QSTIQBMAMQBWQVLKVTMTMI 0.078 YBMZOAFCOOFPHEAXPQEPOX 0.056 SOIOOGVICOVCSVASHOGCC 0.124 MXBOGKVDIGZINNVVCIJHH 0.043
IC indicates single alphabet, except #4 and #6.
CSC 482/582: Computer Security
Frequency Examination ABCDEFGHIJKLMNOPQRSTUVWXYZ 1 31004011301001300112000000 2 10022210013010000010404000 3 12000000201140004013021000 4 21102201000010431000000211 5 10500021200000500030020000 6 01110022311012100000030101 HMMMHMMHHMMMMHHMLHHHMLLLLL
Unshifted frequencies (H high, M medium, L low)
CSC 482/582: Computer Security
14 Begin Decryption First matches characteristics of unshifted alphabet Third matches if I shifted to A Sixth matches if V shifted to A Substitute into ciphertext (bold are substitutions)
ADIYS RIUKB OCKKL MIGHK AZOTO EIOOL IFTAG PAUEF VATAS CIITW EOCNO EIOOL BMTFV EGGOP CNEKI HSSEW NECSE DDAAA RWCXS ANSNP HHEUL QONOF EEGOS WLPCM AJEOC MIUAX
CSC 482/582: Computer Security
Look For Clues AJE in last line suggests “are”, meaning second alphabet maps A into S:
ALIYS RICKB OCKSL MIGHS AZOTO MIOOL INTAG PACEF VATIS CIITE EOCNO MIOOL BUTFV EGOOP CNESI HSSEE NECSE LDAAA RECXS ANANP HHECL QONON EEGOS ELPCM AREOC MICAX
CSC 482/582: Computer Security
Next Alphabet MICAX in last line suggests “mical” (a common ending for an adjective), meaning fourth alphabet maps O into A:
ALIMS RICKP OCKSL AIGHS ANOTO MICOL INTOG PACET VATIS QIITE ECCNO MICOL BUTTV EGOOD CNESI VSSEE NSCSE LDOAA RECLS ANAND HHECL EONON ESGOS ELDCM ARECC MICAL
CSC 482/582: Computer Security
15 Got It!
QI means that U maps into I, as Q is always followed by U:
ALIME RICKP ACKSL AUGHS ANATO MICAL INTOS PACET HATIS QUITE ECONO MICAL BUTTH EGOOD ONESI VESEE NSOSE LDOMA RECLE ANAND THECL EANON ESSOS ELDOM ARECO MICAL
CSC 482/582: Computer Security
Rotor Machines
Observation: If Vigènere key is very long, frequency analysis won’t work. Implement: multiple rounds of Vigènere substitution. Machine contains multiple cylinders. Each cylinder has 26 states (ciphers.) Cylinders rotate to change states on different schedules. m-cylinder machine has 26m substitution ciphers.
CSC 482/582: Computer Security
Enigma Machine 3 rotors: 17576 substitutions. 3 rotors can be used in any order: 6 combinations. Some machines had up to 8 rotors Plug board: 6 pairs of letters can be swapped. Total keys ~ 1016
CSC 482/582: Computer Security
16 One-Time Pad A Vigenère cipher with a random key at least as long as the message. Provably unbreakable.
Example ciphertext: DXQR. Equally likely to correspond to plaintext DOIT (key AJIY) plaintext DONT (key AJDY) and any other 4 letters.
CSC 482/582: Computer Security
One-Time Pad Warning: keys must be random, or you can attack the cipher by trying to regenerate the key. Approximations, such as using pseudorandom number generators to generate keys, are not random.
CSC 482/582: Computer Security
Block Ciphers
Encrypt groups (blocks) of chars at once. Improvement over single char substitution Cryptanalysis must use digraph frequencies for two-char blocks. Longer blocks are more difficult to analyze. Modern ciphers are block ciphers. Example: Playfair Cipher, 1854
CSC 482/582: Computer Security
17 Playfair Cipher Create 5x5 table Fill in spaces with letters of key, dropping duplicate letters. Charles Wheatstone Fill remaining spaces P L A Y F with unused letters of alphabet in order I|J R E X M Drop Q … or B C D G H I = J K N O Q S T U V W Z
CSC 482/582: Computer Security
Playfair Cipher
Encryption Algorithm 1. If letters of pair are identical (or only one letter remains), add an “X” after first letter. 2. If two letters are in same row or column, replace them with the succeeding letters. 3. Otherwise, two letters form a rectangle, and we replace them with letters on the same row respectively at the other pair of corners.
CSC 482/582: Computer Security
Playfair Cipher Example Plaintext is HELLO WORLD Pair HE is rectangle, replace with DM Pair LX (X inserted) is rectangle, YR Pair LO is rectangle, replace with AN Pair WO is rectangle, replace with VQ Pair RL is in column, replace with CR Pair DX is rectangle, replace with GE Ciphertext is DMYRANVQCRGE P L A Y F I|J R E X M B C D G H K N O Q S
CSC 482/582: Computer Security T U V W Z
18 Transposition Cipher Cryptanalysis
Anagramming If 1-gram frequencies match English frequencies, but other n-gram frequencies do not, then, message likely ciphered via transposition. Rearrange letters to form n-grams with highest frequencies.
CSC 482/582: Computer Security
Cryptanalysis Example Ciphertext: HLOOLELWRD Frequencies of 2-grams beginning with H HE 0.0305 HO 0.0043 HL, HW, HR, HD < 0.0010 Frequencies of 2-grams ending in H WH 0.0026 EH, LH, OH, RH, DH ≤ 0.0002 Implies E follows H
CSC 482/582: Computer Security
Cryptanalysis Example Arrange so the H and E are adjacent HE LL OW OR LD Read across, then down, to recover plaintext.
CSC 482/582: Computer Security
19 SP-Networks Combine Substitution+Permutation (transposition) Confusion: adding unknown key values will confuse attacker about value of plaintext symbol. Diffusion: Spread plaintext data throughout ciphertext. Designing for Security Block Size Number of Rounds Each input bit is XOR of several output bits from previous round. Choice of S-boxes
CSC 482/582: Computer Security
Overview of the DES Block cipher: encrypts blocks of 64 bits 56-bit key + 8 parity bits Product cipher substitution + transposition 16 rounds (iterations) of encryption round key generated from user key
CSC 482/582: Computer Security
Encipherment
input Split 64-bit block
IP L0=init left half
R0=init right half L 0 R 0
f Encrypt with K 1 f=round fn L 1 = R 0 R 1 = L 0 f(R 0 , K 1) K1=round 1 key
L = R R 16 = L 15 • f (R 15 , K 16) 16 15 Join L + R halves L =round 16 left Š1 16 IP half
ou tput R16=round 16 right half
CSC 482/582: Computer Security
20 The f Function Each round has effect: Li = Ri-1 Ri = Li-1 f(Ri-1, Ki)
R (32 bits) iŠ1 K i (48 bits)
E
R (32 bits) iŠ1 6 bits into each
S1 S2 S3 S4 S5 S6 S7 S8
4 bits out of each
P
32 bits
CSC 482/582: Computer Security
Controversy
Considered too weak Diffie, Hellman said in a few years technology would allow DES to be broken in days (1976). EFF built “Deep Crack” in 1998 for $250,000. Brute forced DES in 56 hours. 2008 RIVYERA averages under 1 day, costs under $10,000. Design decisions not public NSA involved in weakening cipher. 128-bit key reduced to 56 bits. S-boxes may have backdoors.
CSC 482/582: Computer Security
Differential Cryptanalysis A chosen ciphertext attack Biham and Shamir (1990) Examines pairs of plaintext with particular diffs. Requires 247 plaintext, ciphertext pairs. Only 214 pairs required with 8 round DES. Revealed several properties S-box designed to resist differential cryptanalysis. IBM revealed knowledge of technique at design time. Linear cryptanalysis improves result Linear approximation of DES. Requires 243 plaintext, ciphertext pairs. DES not designed to resist this technique.
CSC 482/582: Computer Security
21 DES Modes
Electronic Code Book Mode (ECB) Encipher each block independently. 64-bit blocks = 8 characters will be repeated. Attacker can build dictionary of blocks. Cipher Block Chaining Mode (CBC) XOR each block with previous ciphertext block. Requires an initialization vector for the first one. Triple DES: Encrypt-Decrypt-Encrypt Mode (3 keys: k, k´, k´´) –1 c = DESk(DESk´ (DESk’’(m))) Middle decrypt allows backward compatibility if k=k´=k´´ Double-encryption vulnerable to meet-in-middle attack, reducing difficulty from 2112 to 257.
CSC 482/582: Computer Security
CBC Mode Encryption
init. vector m1 m2 …
DES DES …
c1 c2 …
sent sent
CSC 482/582: Computer Security
CBC Mode Decryption
init. vector c1 c2 …
DES DES …
m1 m2 …
CSC 482/582: Computer Security
22 Self-Healing Property Plaintext “heals” after 2 blocks. i.e., if ciphertextaltered, error propagated 2 blocks. Initial message 3231343336353837 3231343336353837 3231343336353837 3231343336353837 Received as (underlined 4c should be 4b) ef7c4cb2b4ce6f3b f6266e3a97af0e2c 746ab9a6308f4256 33e60b451b09603d Which decrypts to efca61e19f4836f1 3231333336353837 3231343336353837 3231343336353837
CSC 482/582: Computer Security
Current Status of DES Design for computer system, associated software that could break any DES-enciphered message in a few days published in 1998. Several challenges to break DES messages solved using distributed computing. NIST selected Rijndael as Advanced Encryption Standard, replacement to DES in October 2000. Rijndael winner of 3-year competition of 15 ciphers. DES too easily crackable. Triple DES too slow.
CSC 482/582: Computer Security
Advanced Encryption Standard Block size is 128 bits Variable key size 128, 192, and 256 bits 10, 12, and 14 rounds Known attacks Only vulnerable to attacks on a reduced # of rounds.
CSC 482/582: Computer Security
23 Key Points Cryptography is the art of securing messages. Types of ciphers Substitution (monoalphabeticand polyalphabetic) Transposition (permutation) Product Cryptanalysis Language features can be used to break ciphers. Frequency analysis: Kasiski test, Index of Coincidence. Block ciphers ECB mode insecure; need to use CBC for block ciphers DES obsolete due to small 56-bit keys. 3DES=112 bit key. AES current standard with 128, 192, and 256 bit keys.
CSC 482/582: Computer Security
References
1. Matt Bishop, Introduction to Computer Security, Addison-Wesley, 2005. 2. David Kahn, The Codebreakers, MacMillan, 1967. 3. Alfred J. Menezes, Paul C. van Oorschotand Scott A. Vanstone, Handbook of Applied Cryptography, http://www.cacr.math.uwaterloo.ca/hac/, CRC Press, 1996. 4. NIST, FIPS Publication 46-3: Data Encryption Standard (DES), 1999, http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdf 5. Bruce Schneier, Applied Cryptography, 2nd edition, Wiley, 1996. 6. US Government Dept of the Army, FM 34-40-2 FIELD MANUAL, 1990, http://www.umich.edu/~umich/fm-34-40-2/ 7. John Viegaand Gary McGraw, Building Secure Software, Addison- Wesley, 2002.
CSC 482/582: Computer Security
24