Confidential Channels, Encryption, and Ciphers
• Readings – Sections 2.1 – 2.4, 3.1 – 3.2
• Greek for “hidden writing” • “The art and science of keeping messages secure” • A field of study relating to the above • Note: Cryptology is often defined to include the fields of: –Cryptography –Cryptanalysis –Steganography
2 What is encryption?
• Encryption is used to achieve confidentiality • Alice and Bob, wish to communicate secretly. • Curious Carl wants to listen into their private 01001110… chat.
As root, try: tcpdump -a -s 0
3 Ciphers
• Plaintext • Ciphertext • Encipher: transform plaintext into ciphertext (encrypt) • Decipher: transform ciphertext into plaintext (decrypt) • Key: used in the transformation between plaintext and ciphertext. • Cipher: an encryption (and decryption) algorithm – Symmetric or secret key – Asymmetric or public/private key • Goal of good ciphers: make the ciphertext look like “random bits”
4 Ciphers
• Ciphers operate to “garble” their input to make it unintelligible. The output of a cipher (ciphertext) does not bear any clear relation to the input (clear- text or plaintext). – The earliest recorded example of the use of a cipher is by Julius Caesar to his generals: He would shift each letter to the third letter following it in the alphabet. • Example: Attack now Dwwdfn qrz • How can you cryptanalyze this cipher?
5 Generalizing the Caesar Cipher (a substitution cipher) • Caesar: given plaintext p, use s, where s = E(p + 3) mod 26 • Can obviously use s = E(p + k) mod 26 for arbitrary k. How many keys are there? • Mono-alphabetic cipher: use an arbitrary permutation of the 26 letters. – N! permutations or keys – Many more keys – how much harder to analyze?
6 Assumptions about cipher design
• The adversary knows the cipher algorithm. – also the design process, the implementation, etc. • To achieve secrecy, ciphers use keys. • A key is an auxiliary input to the algorithm that must be kept private. – Only the key value is private. It is assumed that the enemy knows how keys are generated.
7 Example: Vigenere cipher
Key VECTOR (21,4,2,19,14,17)
W E W I L L M E E T A T M I D N I G H T 22 4 22 8 11 11 12 4 4 19 0 19 12 8 3 13 8 6 7 19 21 4 2 19 14 17 21 4 2 19 14 17 21 4 2 19 14 17 21 4 17 8 24 1 25 2 7 8 6 12 14 10 7 12 5 6 22 23 2 23 R I Y B Z C H I G M O K H M F G W X C X
Courtesy of Giuseppe Ateniese Vigenere Cipher
• Normally the key of Vigenere cipher is given as a “keyword” instead of a vector of integer values, for example an English word or even a sentence – For example, if a keyword is “leg”, then the corresponding values of “leg” are repeated applied to plaintext to obtain ciphertext – Easy to remember
9 Breaking the Vigenere Cipher
• The probability distribution of characters
0.14 0.12 0.1 0.08 0.06 0.04 0.02 0 A C E G I K M O Q S U W Y
Courtesy of Giuseppe Ateniese Strategy for breaking this cipher
• We start with the above distribution of letters in the alphabet. Notice how the letter E is so more frequent than other characters that it can always be identified given enough ciphertext, if the cipher preserves character probabilities. • Moreover, it is not shown here, but E tends to appear in patterns, such as following H or preceding R. H, a common letter, tends to follow T. The letter I, also very frequent, tends to be followed by N, and so on. (digrams) • Suppose that the adversary guesses the key length to be equal to 4 in our Vigenere example. Will get each fourth character and create four collections:
11 Looking at the example again
K VECTOR (21,4,2,19,14,17)
W E W I L L M E E T A T M I D N I G H T 22 4 22 8 11 11 12 4 4 19 0 19 12 8 3 13 8 6 7 19 21 4 2 19 14 17 21 4 2 19 14 17 21 4 2 19 14 17 21 4 17 8 24 1 25 2 7 8 6 12 14 10 7 12 5 6 22 23 2 23 R I Y B Z C H I G M O K H M F G W X C X
12 Computing Distributions for various
• By computing the distribution of each fourth letter, and comparing with the distribution of English, the adversary can check if there is a match. • With enough ciphertext, the adversary will be able to find the key length when the distributions match. Here the adversary would find that the correct key length is six. • The adversary would collect every sixth letter and, given enough ciphertext, be able to determine which letter corresponds to „E‟ in each distribution. That determines the key character for the distribution, decrypting that collection.
14 Another Class of Ciphers: Transposition ciphers • Plaintext – attackatdawn • Cipher 3 1 4 2 - the key – Put plaintext in a n by m matrix (example 3 by 4) a t t a – Re-arrange the column according to the key. For c k a t example, put column 1 in original matrix to column 3 – Output letters vertically from d a w n top using key number order • Ciphertext – TKAATNACDTAW 15 Choosing a Cipher • Ciphers are vulnerable to many known analysis techniques, and one must count on new attacks being discovered • General advice: – Avoid proprietary commercial ciphers whose design has not been publicly scrutinized. – Do not develop your own if good alternatives exist: Adopt standards. • Why? Standardization process ensures that many experts have explored the cipher for weaknesses • Fundamental Tenet of Cryptography – If lots of smart people have failed to solve a problem, then it probably won’t be solved (soon)
16 General Encryption Schemes
17 Symmetric vs. Asymmetric
• If the encryption and decryption keys are equal, the scheme is said to be symmetric • If the encryption and decryption keys differ, and moreover the decryption key cannot be computed from knowledge of the algorithm and encryption key, the scheme is asymmetric • Note: “cannot be computed” really means “computationally infeasible”
18 Security of ciphers
From the Vigenere cipher to the Vernam one- time pad
19 Attacks on Encryption Schemes
• PASSIVE – Ciphertext only • Only the ciphertext is available. Use statistical methods and correlations – Known-plaintext • One or more pairs of (plaintext, ciphertext) available • Analyst could likely have this • ACTIVE – Chosen plaintext (CPA) • Adversary can obtain encrypted versions of (chosen) plaintext – Adaptive CPA • Can obtain encrypted versions based on analysis of previous versions – Chosen ciphertext (CCA1) • Given ciphertext, can get plaintext
– Adaptive CCA (CCA2) 20 Outcomes of Attacks (Goals)
• Total Break (key recovery) - most ambitious – This is the worst outcome possible • Recovery of plaintext - less ambitious – less bad an outcome • Distinguishability between two possible decryptions of a given ciphertext - even less ambitious – may even be willing to settle for this
Note: IND (indistinguishability) is used to denote “not distinguishability”
• Most stringent security: IND-CCA2
21 Perfect Cipher
• If the Vigenere cipher has key at least as long as the plaintext, is chosen at random, and used only once: – The scheme is called the Vernam One-Time Pad – It is provably unbreakable, even if the adversary has infinite computational power • Reasoning: Given some ciphertext, any message of the same size would encrypt to the observed ciphertext under some key.
22 One Time Pad
• Plaintext is xor'ed with a string of random bits • The result is a random bit string • Problems – Key must be same size as plaintext – Generating random bits
23 Example of a One-Time Key
• Plaintext: T E D
• ASCII of plaintext: 0101 0100 0100 0101 0100 0100
• Key (random): 0110 0110 0111 0011 0001 0010
• Ciphertext: 0011 0010 0011 0110 0101 0110
• ASCII of Ciphertext: 2 6 V
24 Perfect Secrecy
• Shannon proved that the only cipher that is secure against an all-powerful adversary – Has key length equal to, or larger than the message – The key is random – Used only once – As inefficient as the Vernam one-time pad
25 Modern Ciphers
• Operate on binary plaintext • Use binary keys of fixed length • Different types of ciphers: – Public key/asymmetric ciphers – Symmetric ciphers • Stream ciphers (RC4, A5/x, Helix, SEAL) • Block ciphers (Triple-DES, Blowfish, AES)
26 Modern Cipher Operations
• Two basic operations – Substitution: substitute a code symbol (for instance bit octets) for another. • Example: shifts (Vigenere cipher), xor • 10110111 11001010 – Permutation: transpose or reorder the symbols (bits) present in the code • 10110111 11111100 • Both steps are needed for security
27 Reading Assignments
• Sections 3.3, 4.1, 4.2 • Paper 2
28