Cryptography The science and study of secret writings – Is a secret method of writing that transforms plaintext into • Comes in two flavors: Symmetric and The transformation is determined by a Asymmetric • Best for protection of “online” communications Cryptographic systems – One key • Good for archival data – Two key • So-so for electronic mail – Public key • Not good for active databases – Digital signatures

Cryptography CS177 2013 Cryptography CS177 2013 1 2

Terminology Communication Security • To lock (encipher): transforms into unintelligible form based on independent Secure communication should provide: data element called a key • Privacy • To unlock (decipher): transforms back into • Authentication intelligible form, again using a key • Integrity • Locked data is called ciphertext or black Anna Bruno • Nonrepudiation • Unlocked data is called plaintext, cleartext, or red • Keys are themselves data and can be locked Carlo and unlocked Cryptography CS177 2013 Cryptography CS177 2013 3 4

Cryptography General Observations

• Cryptography never solves a problem; it Enciphering transforms a security problem into a key Clear Cipher management problem • It takes a secret to keep a secret Text Text

Deciphering

Cryptography CS177 2013 Cryptography CS177 2013 5 6

1 Cryptographic System Crypto Systems Should () Guarantee Both – Secrecy • A plaintext message space M – Authenticity • A ciphertext message space C

• A key space K Secrecy requirements • A family of enciphering transformations 1. Should be computationally infeasible to systematically Ek: M  C determine Dk from c, even if corresponding m is known • A family of deciphering transformations 2. Should be computationally infeasible to determine m from Dk: C  M intercepted c

Cryptography CS177 2013 Cryptography CS177 2013 7 8

Crypto Systems Should Desirable Properties of Guarantee Both Crypto Systems – Secrecy

– Authenticity • Enciphering and deciphering must be efficient for all keys Authenticity requirements 1. Should be computationally infeasible to systematically • System must be easy to use determine Ek from c, even if corresponding m is known • The security of the system should depend on 2. Should be computationally infeasible to find c' such that the secrecy of the keys and not on the Dk(c') is valid plaintext in the set M secrecy of the algorithms E or D

Cryptography CS177 2013 Cryptography CS177 2013 9 10

Cryptanalysis (continued) • Cryptanalysis attempts to discover the key or the plaintext of an encrypted message – Assume analyst knows the algorithm but not the key • Types of attack (continued) • Types of attack: – Chosen plaintext – Ciphertext only • Given: M1, C1 = Ek(M1), M2, C2 = Ek(M2), ..., • Given: C1 = Ek(M1), C2 = Ek(M2), ..., Ci = Ek(Mi) Mi , Ci = Ek(Mi) where the attacker chooses M1, • Obtain: either M1,M2, ..., Mi or k M2 , ..., Mi – Known plaintext • Obtain: either k or an algorithm to obtain Mi+1, • Given: M1, C1 = Ek(M1), M2, C2 = Ek(M2), ..., Mi, from Ci+1 = Ek(Mi+1) Ci = Ek(Mi) • Obtain: either k or an algorithm to obtain Mi+1, from Ci+1 = Ek(Mi+1)

Cryptography CS177 2013 Cryptography CS177 2013 11 12

2 Basis for Attacks • Mathematical attacks – Based on analysis of underlying mathematics Rearranges bits or characters in the data – Simple transposition • Statistical attacks – Rail-fence cipher – Make assumptions about the distribution of letters, pairs of letters (digrams), triplets of letters – Columnar transposition (trigrams), etc. • Called models of the language – Examine ciphertext, correlate properties with the assumptions.

Cryptography CS177 2013 Cryptography CS177 2013 13 14

Simple Transposition Rail Fence • simply break message into blocks and permute each block using some scheme • Transposition depends on a figure • Eg. Blocks of five with key (25413) • In this case the figure is a rail fence (or – Consider picket fence) CMPS IS FUN FOR ALL CMPS IS FU N FOR ALL_ becomes M SCP SUFI RONF A L L • Figure could be a scene, such as a landscape or city skyline

Cryptography CS177 2013 Cryptography CS177 2013 15 16

Rail Fence Rail Fence

C F A C I N A

M S U R L M S S U F R L P I N O L P F O L S F

If key is 2-4-3-1 If key is 1-2-3

MSURLSFPINOLCFA CINAMSSUFRLPFOL

Cryptography CS177 2013 Cryptography CS177 2013 17 18

3 Mountain Scene Columnar Transposition

• Uses a two dimensional array M P

C S • Text is placed in rows • Columns are transposed • Columns are read out as ciphered text

• Key is the transposition of the columns – e.g., for 4x4 matrix key could be 2-4-3-1

Cryptography CS177 2013 Cryptography CS177 2013 19 20

Columnar Transposition Crypto Analysis

Example (4x4 matrix and key = 2-4-3-1) • Can detect transposition cipher by checking the character frequencies against the norm CMPS ISFU NFOR a 0.080 h 0.060 n 0.070 t 0.090 ALLb b 0.015 i 0.065 o 0.080 u 0.030 becomes c 0.030 j 0.005 p 0.020 v 0.010 d 0.040 k 0.005 q 0.002 w 0.015 MSFLSURbPFOLCINA e 0.130 l 0.035 r 0.065 x 0.005 What about (key = 1-2-3-4)? f 0.020 m 0.030 s 0.060 y 0.020 g 0.015 z 0.002

Cryptography CS177 2013 Cryptography CS177 2013 21 22

Crypto Analysis Substitution Ciphers

• Brute force by trying possible permutations and looking for readable text in the result • Simple substitution • Anagramming • Polyalphabetic – If 1-gram frequencies match English frequencies, • Running key but other n-gram frequencies do not, probably • Vernam transposition – Rearrange letters to form n-grams with highest frequencies

Cryptography CS177 2013 Cryptography CS177 2013 23 24

4 Alphabet Simple Substitution 0 – A 7 – H 14 – O 21 – V • is most common example of 1 – B 8 – I 15 – P 22 – W simple substitution – Julius used shift of 4 2 – C 9 – J 16 – Q 23 – X – Augustus used key of 3 3 – D 10 – K 17 – R 24 – Y • (letter value + key) mod 26 4 – E 11 – L 18 – S 25 – Z • Example (key = 3) 5 – F 12 – M 19 – T CMPS IS FUN FOR ALL 6 – G 13 – N 20 – U becomes FPSV LV IXQ IRU DOO

Cryptography CS177 2013 Cryptography CS177 2013 25 26

Attacking the Cipher Statistical Attack

• Exhaustive search • Compute frequency of each character in the – If the key space is small enough, try all possible ciphertext: keys until you find the right one D .067 F .067 I .133 L .067 – Caesar cipher has 26 possible keys O .133 P .067 Q .067 R .067 S .067 U .067 V .133 X .067 • Statistical analysis – Compare to 1-gram model of English • Apply 1-gram model of English – Frequency of characters (1-grams) in English is on next slide

Cryptography CS177 2013 Cryptography CS177 2013 27 28

Character Frequencies Statistical Analysis

a 0.080 h 0.060 n 0.070 t 0.090 • f(c) frequency of character c in ciphertext b 0.015 i 0.065 o 0.080 u 0.030 • (i) correlation of frequency of letters in ciphertext with corresponding letters in c 0.030 j 0.005 p 0.020 v 0.010 English, assuming key is i d 0.040 k 0.005 q 0.002 w 0.015 – (i) = 0 ≤ c ≤ 25 f(c)p(c – i) e 0.130 l 0.035 r 0.065 x 0.005 f 0.020 m 0.030 s 0.060 y 0.020 p(x) is frequency of character x in English g 0.015 z 0.002

Cryptography CS177 2013 Cryptography CS177 2013 29 30

5 Example Analysis from Text Statistical Analysis

• Caesar cipher (i) correlation of frequency of letters in – Plaintext is HELLO WORLD ciphertext with corresponding letters in English, assuming key is i – Key is 3 – (i) =  f(c)p(c – i) so here, – Ciphertext is KHOOR ZRUOG 0 ≤ c ≤ 25 (i) = 0.1p(6 – i) + 0.1p(7 – i) + 0.1p(10 – i) + 0.3p(14 – i) + 0.2p(17 – i) + 0.1p(20 – i) + 0.1p(25 • Frequency of each letter in ciphertext: – i)

G 0.1 H 0.1 K 0.1 O 0.3 • f(x) is frequency of character c in ciphertext R 0.2 U 0.1 Z 0.1 • p(x) is frequency of character x in English

Cryptography CS177 2013 Cryptography CS177 2013 31 32

Correlation: (i) for 0 ≤ i ≤ 25 The Result

i (i) i (i) i (i) i (i) • Most probable keys, based on : 0 0.0482 7 0.0442 13 0.0520 19 0.0315 – i = 6, (i) = 0.0660 • plaintext EBIIL TLOLA 1 0.0364 8 0.0202 14 0.0535 20 0.0302 – i = 10, (i) = 0.0635 2 0.0410 9 0.0267 15 0.0226 21 0.0517 • plaintext AXEEH PHKEW – i = 3, (i) = 0.0575 3 0.0575 10 0.0635 16 0.0322 22 0.0380 • plaintext HELLO WORLD 4 0.0252 11 0.0262 17 0.0392 23 0.0370 – i = 14, (i) = 0.0535 5 0.0190 12 0.0325 18 0.0299 24 0.0316 • plaintext WTAAD LDGAS • Only English phrase is for i = 3 6 0.0660 25 0.0430 – That’s the key (3 or ‘D’)

Cryptography CS177 2013 Cryptography CS177 2013 33 34

Caesar’s Problem Polyalphabetic Ciphers • Key is too short • Use multiple substitutions – Can be found by exhaustive search – Statistical frequencies not concealed well • Most are periodic • They look too much like regular English letters – These are essentially multiple Caesar ciphers • So make it longer • Instead of adding the same key each time, – Multiple letters in key each successive letter gets a different key – Idea is to smooth the statistical frequencies to added, but the keys repeat themselves make cryptanalysis harder • When period is 1, this is equivalent to simple substitution

Cryptography CS177 2013 Cryptography CS177 2013 35 36

6 Polyalphabetic Ciphers Attacking the Cipher

• Approach Example (key = SECUR) – Establish period; call it n CMPS IS FUN FOR ALL – Break message into n parts, each part being enciphered using the same key letter SECU RS ECU RSE CUR – Solve each part becomes • You can leverage one part from another UQRN ZK ….

Cryptography CS177 2013 Cryptography CS177 2013 37 38

Establish Period Sample Cipher from Bishop

• Kasiski: repetitions in the ciphertext occur when ADQYS MIUSB OXKKT MIBHK IZOOO characters of the key appear over the same EQOOG IFBAG KAUMF VVTAA CIDTW characters in the plaintext MOCIO EQOOG BMBFV ZGGWP CIEKQ • Example: key VIGVIGVIGVIGVIGV HSNEW VECNE DLAAV RWKXS VNSVP plain THEBOYHASTHEBALL HCEUT QOIOF MEGJS WTPCH AJMOC cipher OPKWWECIYOPKWIRG HIUIX Note the key and plaintext line up over the repetitions (underlined). As distance between repetitions is 9, the period is a factor of 9 (that is, 1, 3, or 9)

Cryptography CS177 2013 Cryptography CS177 2013 39 40

Repetitions in Example Estimate of Period

Letters Start Repeats Distance Factors • OEQOOG is probably not a coincidence MI 5 15 10 2, 5 OO 22 27 5 5 – It’s too long for that OEQOOG 24 54 30 2, 3, 5 – Period may be 1, 2, 3, 5, 6, 10, 15, or 30 FV 39 63 24 2, 2, 2, 3 AA 43 87 44 2, 2, 11 MOC 50 122 72 2, 2, 2, 3, 3 • Most others (8/11) have 2 in their factors QO 56 105 49 7, 7 • Almost as many (7/11) have 3 in their factors PC 69 117 48 2, 2, 2, 2, 3 NE 77 83 6 2, 3 • Six of eleven have 6 in their factors SV 94 97 3 3 CH 118 124 6 2, 3 • Begin with period of 2  3 = 6

Cryptography CS177 2013 Cryptography CS177 2013 41 42

7 (IC) Compute IC

• Index of coincidence is probability that two • Tabulated for different periods: randomly chosen letters from ciphertext will 1 0.066 3 0.047 5 0.044 be the same 2 0.052 4 0.045 10 0.041 Large 0.038

–1 IC = [n (n – 1)] 0≤i≤25 [Fi (Fi – 1)] • For sample cipher IC = 0.043 – where n is length of ciphertext and Fi the number – Indicates a key of slightly more than 5 of times character i occurs in ciphertext – A statistical measure, so it can be in error, but it agrees with the previous estimate (which was 6)

Cryptography CS177 2013 Cryptography CS177 2013 43 44

Splitting Into Alphabets Running Key Ciphers alphabet 1: AIKHOIATTOBGEEERNEOSAI alphabet 2: DUKKEFUAWEMGKWDWSUFWJU • Cipher has key as long as the text alphabet 3: QSTIQBMAMQBWQVLKVTMTMI • Since security of alphabet 4: YBMZOAFCOOFPHEAXPQEPOX increases with key length, this is more alphabet 5: SOIOOGVICOVCSVASHOGCC secure alphabet 6: MXBOGKVDIGZINNVVCIJHH • Uses nonrepeating text, such as a book – key specified by page and paragraph number Use same approach as for monoalphabet on each of the six alphabets

Cryptography CS177 2013 Cryptography CS177 2013 45 46

Consider Bishop Section 8.2.2.2 Vernam Cipher (p. 107) • Uses random characters as the key Example (key = The one time pad is …) • One time pads CMPS IS FUN FOR ALL – Provably unbreakable – Why? Look at ciphertext DXQR. Equally likely to THEO NE TIM EPA DIS correspond to plaintext DOIT (key AJIY) and to plaintext DONT (key AJDY) and any other 4 letters becomes • Warning: keys must be random, or you can VTTG VW YCZ …. attack the cipher by trying to regenerate the key – Approximations, such as using pseudorandom number generators to generate keys, are not random

Cryptography CS177 2013 Cryptography CS177 2013 47 48

8 Product Ciphers Conventional • One key • Compose substitution and transposition ciphers • Encipher and decipher with same key

– Lucifer Asymmetric Cryptosystems – DES – AES • Two keys • Encipher and decipher with different keys • Computationally infeasible to determine one key from the other

Cryptography CS177 2013 Cryptography CS177 2013 49 50

Public-key Cryptosystems Secrecy Assume Public Key for User K = Ek • Each user has both a public and a private key Assume Private Key for User K = Dk • Two users can communicate knowing only each other's public key PUBLIC PRIVATE M E D M • It must be computationally infeasible to B B determine a user's private key from their public key A B D B(EB (M))=M

Cryptography CS177 2013 Cryptography CS177 2013 51 52

Digital Signature A property private to a user that is used for For A to sign a message sent to B the signing messages following properties must be satisfied by A's signature: • B must be able to validate A's signature on the message • It must be impossible for anyone, including B, to forge A's signature • It must be possible for a judge or third party to settle a dispute between A and B

Cryptography CS177 2013 Cryptography CS177 2013 53 54

9 Authentication Secrecy and Authentication

Assume Public Key for User K = Ek Assume Public Key for User K = Ek Assume Private Key for User K = Dk Assume Private Key for User K = Dk

PRIVATE PUBLIC PRIVATE PUBLIC PRIVATE PUBLIC M D E D M D M A B B EA M A EA

A B A B E (D (M))=M D D A A EA( B(EB( A (M))))=M

Cryptography CS177 2013 Cryptography CS177 2013 55 56

Public Key Facts About Numbers

• Prime number p: – p is an integer Based on problems that are known to be hard – p  2 to solve – The only divisors of p are 1 and p • Examples – 2, 7, 19 are primes – -3, 0, 1, 6 are not primes Merkle-Hellman Knapsack • Prime decomposition of a positive integer n: e e RSA n = p1 1  …  pk k • Example: – 200 = 23  52 Fundamental Theorem of Arithmetic The prime decomposition of a positive integer is unique

Cryptography CS177 2013 Cryptography CS177 2013 57 Goodrich + Tamassia 58

Greatest Common Divisor Modular Arithmetic

• The greatest common divisor (GCD) of two positive integers a • Modulo operator for a positive integer n and b, denoted gcd(a, b), is the largest positive integer that r = a mod n divides both a and b equivalent to a = r + kn • The above definition is extended to arbitrary integers • Example: • Examples: 29 mod 13 = 3 13 mod 13 = 0 -1 mod 13 = 12 gcd(18, 30) = 6 gcd(0, 20) = 20 29 = 3 + 213 13 = 0 + 113 12 = -1 + 113 gcd(-21, 49) = 7 • Modulo and GCD: • Two integers a and b are said to be relatively prime if gcd(a, b) = gcd(b, a mod b) gcd(a, b) = 1 • Example: • Example: gcd(21, 12) = 3 gcd(12, 21 mod 12) = gcd(12, 9) = 3 – Integers 15 and 28 are relatively prime

Cryptography CS177 2013 Cryptography CS177 2013 Goodrich + Tamassia 59 Goodrich + Tamassia 60

10 Euclid’s GCD Algorithm Multiplicative Inverses (1)

• Euclid’s algorithm for Algorithm EuclidGCD(a, b) • The residues modulo a positive integer n are the set Input integers a and b computing the GCD Output gcd(a, b) Zn = {0, 1, 2, …, (n - 1)} repeatedly applies the • Let x and y be two elements of Zn such that formula if b = 0 xy mod n = 1 gcd(a, b) = gcd(b, a mod b) return a else We say that y is the multiplicative inverse of x in Z and we • Example n return EuclidGCD(b, a mod b) write y = x-1 – gcd(412, 260) = 4 • Example: a 412 260 152 108 44 20 4 – Multiplicative inverses of the residues modulo 11 b 260 152 108 44 20 4 0 x 0 1 2 3 4 5 6 7 8 9 10 x-1 1 6 4 3 9 2 8 7 5 10

Cryptography CS177 2013 Cryptography CS177 2013 Goodrich + Tamassia 61 Goodrich + Tamassia 62

Multiplicative Inverses (2) Merkle-Hellman Knapsack

Theorem

An element x of Zn has a multiplicative inverse if and only if x and n are relatively prime • Superincreasing sequence is a sequence of positive • Example integers where each element is greater than the sum – The elements of Z10 with a multiplicative inverse are 1, 3, 7, 9 of the previous elements Corollary

If is p is prime, every nonzero residue in Zp has a multiplicative inverse • Merkle-Hellman uses two knapsacks Theorem – Easy knapsack - superincreasing sequence A variation of Euclid’s GCD algorithm computes the multiplicative inverse – Hard knapsack - derived by modifying elements of the of an element x of Zn or determines that it does not exist easy one x 0 1 2 3 4 5 6 7 8 9 • Modification is such that any solution of one x-1 1 7 3 9 knapsack is a solution of the other

Cryptography CS177 2013 Cryptography CS177 2013 Goodrich + Tamassia 63 64

Merkle-Hellman Key Selection • Encryption • Choose superincreasing sequence S of m C = H*M integers

• Choose a modulus n greater than the sum of the elements of S • Decryption w-1*C = w-1*H*M • Choose multiplier w that is relatively prime = w-1*w*S*M to n = S*M • Construct H by replacing each integer in S by Hi = w*Si mod n Cryptography CS177 2013 Cryptography CS177 2013 65 66

11 Example Another Example

S = [1, 2, 4, 9] S = [47, 52, 112, 216, 436, 868, 1732, 3470, n = 17 6937,13876] w = 15 n = 27749 H = [15, 13, 9, 16] w = 113 H = [5311, 5876, 12656, 24408, 21519, 14837, 1473, 3624, 6909, 14044]

Cryptography CS177 2013 Cryptography CS177 2013 67 68

M = 0110110101 S = [47, 52, 112, 216, 436, 868, 1732, 3470, C = (0*5311 + 1*5876 + … +0*6909 +1*14044) 6937,13876] -1 = 72556 (w *C ) mod 27749 = M*S = 18814 w-1 = 7367 M =

(w-1*C ) mod 27749 = (7367*72556) mod 27749 = 18814 Cryptography CS177 2013 Cryptography CS177 2013 69 70

Conventional Wisdom Says

Real knapsacks should contain at least 250 items

Each item in the knapsack should have on the order of 200 bits in its binary representation

Cryptography CS177 2013 Cryptography CS177 2013 71 72

12 Knapsack with 100 numbers, largest ~1038 Sum: 63382538753555854942653739257859936077 N: 63382538753555854942653739257859936127

Cryptography CS177 2013 Cryptography CS177 2013 73 74

Fermat’s Little Theorem Totient Function

Theorem • The multiplicative group for Zn, denoted with Z*n, is Let p be a prime. For each nonzero residue x of Zp, we have the subset of elements of Zn relatively prime with n p - 1 x mod p = 1 • The totient function of n, denoted with f(n), is the • Example (p = 5): size of Z* 14 mod 5 = 1 24 mod 5 = 16 mod 5 = 1 n 34 mod 5 = 81 mod 5 = 1 44 mod 5 = 256 mod 5 = 1 • Example

Corollary Z*10 = { 1, 3, 7, 9 }

Let p be a prime. For each nonzero residue x of Zp, the f(10) = 4 multiplicative inverse of x is xp - 2 mod p Z*21 = {1, 2, 4, 5, 8, 10, 11, 13, 16, 17, 19, 20 } Proof f(21) = 12 x(xp - 2 mod p) mod p = xxp - 2 mod p = xp - 1 mod p = 1 • If p is prime, we have

Z*p = {1, 2, …, (p - 1)} f(p) = p - 1

Cryptography CS177 2013 Cryptography CS177 2013 Goodrich + Tamassia 75 Goodrich + Tamassia 76

Euler’s Theorem RSA Algorithm

Euler’s Theorem f(n) For each element x of Z*n, we have x mod n = 1 • Uses multiplication of large primes to produce keys • Example (n = 10) f(10) 4 3 mod 10 = 3 mod 10 = 81 mod 10 = 1 • Relies on the difficulty of factoring large 7f(10) mod 10 = 74 mod 10 = 2401 mod 10 = 1 9f(10) mod 10 = 94 mod 10 = 6561 mod 10 = 1 numbers for secrecy

Cryptography CS177 2013 Cryptography CS177 2013 Goodrich + Tamassia 77 78

13 RSA Key Selection • Encryption e – Select two large primes p and q C = M mod n – Compute n = p*q – Compute f(n) = (p-1)*(q-1) – Choose an integer e between 3 and f(n) that has • Decryption no common factor with f(n)

– Select an integer d such that d*e mod f(n) = 1 d – e,n are made public M = C mod n – p,q,d, f(n) are kept secret

Cryptography CS177 2013 Cryptography CS177 2013 79 80

Example Example

p = 5 p = 53 q = 7 q = 61 n = p*q = 5*7 = 35 n = p*q = 53*61 = 3233 (n) = (p-1)(q-1) = 4*6 = 24 (n) = (p-1)(q-1) = 52*60 = 3120 e = 11 e = 71 d = 11 d = 791

Cryptography CS177 2013 Cryptography CS177 2013 81 82

Security Algorithmic Issues • Security of RSA based on • In 2005, a team of researchers difficulty of factoring factored the RSA-640 challenge number using 30 2.2GHz CPU years • The implementation of the • Setup – Widely believed • In 2004, the prize for factoring RSA- RSA cryptosystem –Generation of random – Best known algorithm takes 2048 was $200,000 requires various numbers with a given number exponential time • Current practice is 2,048-bit keys of bits (to generate candidates • Estimated resources needed to factor algorithms • RSA Security factoring a number within one year p and q) challenge (discontinued) • Overall –Primality testing (to check that • In 1999, 512-bit challenge –Representation of integers of candidates p and q are prime) factored in 4 months using arbitrarily large size and –Computation of the GCD (to arithmetic operations on them 35.7 CPU-years Length PCs Memory verify that e and f(n) are – 160 175-400 MHz SGI and (bits) • Encryption relatively prime) –Computation of the Sun 430 1 128MB –Modular power – 8 250 MHz SGI Origin multiplicative inverse (to 760 215,000 4GB • Decryption – 120 300-450 MHz Pentium II compute d from e) 1,020 342106 170GB –Modular power – 4 500 MHz Digital/Compaq 1,620 1.61015 120TB

Cryptography Goodrich + Tamassia CS177 2013 Cryptography Goodrich + Tamassia CS177 2013 83 84

14 Product Ciphers Lucifer

• Compose substitution and transposition ciphers • Developed by IBM in 1974

– Lucifer • S Boxes - Nonlinear Substitution Boxes – DES – 4 – AES • P Boxes - Permutation Boxes – 128 • 128 bit key

Cryptography CS177 2013 Cryptography CS177 2013 85 86

DES - Data Encryption Standard Controversy

• Considered too weak • Enciphers 64-bit blocks – Diffie, Hellman said in a few years technology • Outputs 64 bits of ciphertext would allow DES to be broken in days • Uses 56-bit key • Design using 1999 technology published • Adapted by NBS(NIST) for unclassified US – Design decisions not public government applications • S-boxes may have backdoors • Initial and final permutation • 16 rounds (iterations) – S boxes and P boxes

Cryptography CS177 2013 Cryptography CS177 2013 87 88

Strength of DES Undesirable Properties • 4 weak keys • Undesirable properties – They are their own inverses • Special purpose machine attacks • 12 semi-weak keys • Double DES – Each has another semi-weak key as inverse • Triple DES • S-boxes exhibit irregular properties – Distribution of odd, even numbers non-random – Outputs of fourth box depends on input to third box

Cryptography CS177 2013 Cryptography CS177 2013 89 90

15 Electronic Frontier Foundation Double DES

• Built a special purpose machine • Encrypt (k1) Encrypt(k2) • Cost budget $210,000 • Susceptible to “meet-in-the-middle” attack – $80,000 design – Plaintext attack – $130,000 material – Reduces the number of keys to check from 112 57 • Crack DES key in 4.5 days 2 to 2 • Design and algorithms published in scannable form

Cryptography CS177 2013 Cryptography CS177 2013 91 92

Triple DES Advanced Encryption Standard (AES) • Encrypt(k1) Decrypt(k2) Encrypt(k3) • NIST initiated a competition for AES in 1999 • Rijndael was selected in October 2000 • By using same key for all three it is – Vincent Rijmen and Joan Daemen identical to DES • Became a Federal Information Processing • Having all three keys unique is referred to standard (PUB 197) in November 2001 as “triple key triple DES” • NSA approved for classified information in June 2003

Cryptography CS177 2013 Cryptography CS177 2013 93 94

AES AES Round Structure

• The 128-bit version of the AES encryption algorithm proceeds • Encrypts 128 word blocks in ten rounds. • Each round performs an • Various key lengths invertible transformation on a 128-bit array, called state. • 128 uses 10 rounds • The initial state X0 is the XOR • 192 uses 12 rounds of the plaintext P with the key K: • 256 uses 14 rounds • X0 = P XOR K. • Single S box - one byte in one byte out • Round i (i = 1, …, 10) receives state Xi-1 as input and produces state X . • P box based on square of bytes i • The ciphertext C is the output of the final round: C = X . • 16 bytes of key per round 10

Cryptography CS177 2013 Cryptography Goodrich + Tamassia CS177 2013 95 96

16 AES Rounds Structure of Each Round

• Each round is built from four basic steps: 1.SubBytes step: an S-box substitution step 2.ShiftRows step: a permutation step 3.MixColumns step: a matrix multiplication step 4.AddRoundKey step: an XOR step with a round key derived from the 128-bit encryption key

Cryptography CS177 2013 Cryptography CS177 2013 97 98

Changing Text to State SubBytes Substitution Step

Cryptography CS177 2013 Cryptography CS177 2013 99 100

Shift Rows Step Shift Rows Step

ShiftRows step: a permutation step • Row 1 no shift • Row 2 left shift 1 • Row 3 left shift 2 • Row 4 left shift 3

Cryptography CS177 2013 Cryptography CS177 2013 101 102

17 MixColumns Step MixColumns Step

MixColumns step: a matrix multiplication step Each column multiplied by known matrix

where 1 means no change 2 means shifting to the left 3 means shifting to the left and then peforming XOR with initial unshifted value Cryptography CS177 2013 Cryptography CS177 2013 103 104

AddRoundKey Step Round Subkeys

• Each byte of the state is combined with a byte • Each round key subkey is derived from the of the round subkey using the XOR operation main key using Rinjdael’s • Each subkey is the same size as the state • Subkey for each round plus one more

Cryptography CS177 2013 Cryptography CS177 2013 105 106

Block Ciphers Block Ciphers • Advantages – Only one execution of the encryption algorithm • Break message M into successive blocks per n characters M1, M2, ... – Errors in one ciphertext block have no effect on • Encipher each Mi with the same key k other blocks • Disadvantages Ek(M) = Ek(M1)Ek(M2) ... – More susceptible to cryptanalysis • Identical blocks of plaintext yield identical blocks of ciphertext • Vulnerable to ciphertext searching • More susceptible to replay Cryptography CS177 2013 Cryptography CS177 2013 107 108

18 Block Chaining Cipher Block Chaining • Exclusive ORs previous ciphertext block with • Inserts some bits of the previous ciphertext the current plaintext block then encrypts the block into unused portions of the current result plaintext block before encrypting it Ci = Ek(Mi  Ci-1) • Reduces the number of available message bits per block • Ci is functionally dependent on all previous blocks • Useful for checksumming and digital signatures

Cryptography CS177 2013 Cryptography CS177 2013 109 110

CBC Mode Decryption Cipher Feedback

• Part of previous ciphertext is shifted into a init. vector c1 c2 … shift register • Shift register is encrypted with the user’s DES DES … key and the result is XOR’d with the   plaintext block

m1 m2 …

Cryptography CS177 2013 Cryptography CS177 2013 111 112

One-way Hash Function Where to Encrypt and Decrypt

• Takes a variable length input and produces a Link encryption fixed length output – input is called the preimage End-to-End encryption – output is called the hash value or message digest • Transformation is irreversible • Called digest function, cryptographic checksum, message integrity check

Cryptography CS177 2013 Cryptography CS177 2013 113 114

19 Link Encryption End-to-End Encryption

• Enciphers and deciphers a message M at each • Encipher the message at the source and node between the source and destination decipher it at the destination

– Each host need only know the keys for its – User needs a separate key for each correspondent immediate neighbors – More susceptible to traffic flow analysis because – Data is exposed at each intermediate node the destination is always exposed

Cryptography CS177 2013 Cryptography CS177 2013 115 116

Two Approaches Can Be Combined

Source sends a message that is the encrypted version of the original message over link encrypted communication system

Cryptography CS177 2013 117

20