ISA�562 Information�Security�Theory�&�Practice
Introduction�to�Cryptography
Agenda
• Basics�&�Definitions • Classical�Cryptography • Symmetric�(Secret�Key)�Cryptography • DES�(Data�Encryption�Standard) • Multiple�Encryptions • Modes�of�Block�Cipher�Operations� • Math�Essential • Asymmetric�(Public�Key)�Cryptography
2
1 Basics�&� Definitions
Security�Concepts�(I)
• Confidentiality – Prevent�information�from�being�exposed�to�unintended�party – Ex:�An�employee�should�not�come�to�know�the�salary�of�his� manager • Integrity – Assure�that�the�information�has�not�been�tempered – Ex:�An�employee�should�not�be�able�to�modify�the�employee's� own�salary • Identity – Assure�that�the�party�of�concern�is�authentic�� it�is�what�it�claims� to�be – Ex:�An�employee�should�be�able�to�uniquely�identify�and� authenticate�himself/herself
4
2 Security�Concepts�(II)
• Availability – Assure�that�unused�service�or�resource�is�available�to� legitimate�users – Ex:�Paychecks�should�be�printed�on�time�as�stipulated�by� law • Anonymity – Assure�that�the�identity�of�some�party�is�remain�anonymous – Ex:�The�manager�should�not�know�who�had�a�critical� review�of�him • Non�Repudiation – Assure�that�authenticated�party�has�indeed�done�something� that�cannot�be�denied – Ex:�Once�the�employee�has�cashed�his�paycheck,�he�can’t� deny�it. 5
Cryptography
• Crypt =�secret • Graph =�writing
• Cryptography is�the�science�/�art�of�transforming� meaningful�information�into�unintelligible�text� � Becoming�a�science�that�relies�on�mathematics� (number�theory,�algebra) • Cryptanalysis is�the�science�/�art�of�breaking� cryptographic�codes • Cryptology is�the�science�/�art�/�study�of�both� cryptography�and�cryptanalysis
6
3 Applications�of�Cryptography
• Assuring�document�integrity • Assuring�document�confidentiality • Authenticating�parties • Document�signature • Non�repudiation • Secure�transactions • Exchanging�keys • Sharing�Secrets • Digital�cash • Preserving�anonymity • Copyright�protection • More�.�.�.
7
Cryptographic�Services�(I)
Start�From�The�Basics
AB AB
C a)� Source�Integrity b)� Data�Confidentiality Normal�Flow Eavesdropping
AB AB
C C c)� Data�Integrity d)� Source Authentication Modification Fabrication
8
4 Cryptographic�Services�(II)
AB AB
C e)� Drop f)� Replay
AB
C g)� Denial�of�Service
9
Encryption/Decryption�Basic�Definitions
plaintext ciphertext plaintext encryption decryption
key key
• Plaintext: a�message�in�its�original�form • Ciphertext: a�message�in�the�transformed,�unrecognized�form • Encryption: the�process�that�transforms�a�plaintext�into�a�ciphertext • Decryption: the�process�that�transforms�a�ciphertext�to�the�corresponding� plaintext • Key: the�value�used�to�control�encryption/decryption.
10
5 Cryptanalytic�Attack�Definitions
• Known�Cipehrtext – Only�the�ciphertext is�known�to�attacker – Cryptanalysis�aims�at�revealing�the�plaintext�and/or�the�key • Known�Plaintext – Pairs�of�<�plaintext�,�ciphertext >�are�known�to�attacker – Cryptanalysis�aims�at�revealing�the�key – Relevant�when�plaintext�is�known�/�can�be�obtained • Chosen�Plaintext – Attacker�chooses�the�plaintext�and�receives�the�ciphertext – Cryptanalysis�aims�at�revealing�the�key – Relevant�when�attacker�can�“inject” plaintext�messages
11
Classical�Cryptography
6 A�little�History
• Cryptography�was�first�used�by�early�civilizations� (including�Egyptians,�Greeks,�Romans)�for�Secrecy� (Confidentiality )�… now�evolved�to�include� Integrity ,� Authentication� &� Authenticity ,�and�in�some�cases� Non�Repudiation . • Early�use�of�cryptography�consisted�of�encryption�by� substitution methods and/or� transposition methods – They�were�rather�simple�because�of�the�lack�of� sophisticated�computing�engines – Can�be�easily�attacked • Same�methods�are�in�use�today,�but�with�stronger�� properties�and�more�powerful�computing�engines
13
Substitution�Methods
• Methods�in�which�the�letters�of�the�alphabet�are�replaced�with� other�letters�/�numbers�/�symbols. • Examples: – Caesar�Cipher – fixed�permutation – Shift�Cipher – fixed�permutation – Mono�Alphabetic�Ciphers – one�of�many�permutations – Poly�Alphabetic�Ciphers – changing�permutations – Vig`enere Cipher – multiple�Mono�Alphabetic�Ciphers – *Running�Key�Cipher – Simple�yet�effective • Algorithm�is�known�– Key�is�“index” of�permutation,�but�not�for� *Running�Key�Cipher
14
7 Caesar�Cipher
• Named�after�Julius�Caesar,�who�supposedly�invented�it�himself • Cyclic�shift�of�the�26�letters�of�the�alphabet�by�3:
a�b�c�d�e�f�g�h�i�j�k�l�m�n�o�p�q�r�s�t�u�v�w�x�y�z D�E�F�G�H�I�J�K�L�M�N�O�P�Q�R�S�T�U�V�W�X�Y�Z�A�B�C • In�mathematical�terms: C�=�ENC(�P�)�=�P�+�3�(mod�26) • For�example:�GMU� → JPX • The�secrecy�is�in�the�algorithm�(!!!!) • There�is�one�key�(fixed�permutation) • Easy�to�break�(if�algorithm�is�known)
15
A�Shift�Cipher
• A�Shift�Cipher�is�similar�to�a�Caesar�Cipher,�but�there�is�a� cyclic�shift�of�the�26�letters�of�the�alphabet�by�key�K,�where� 0�≤ K�<�26. • In�mathematical�terms:
C�=�ENC K(�P�)�=�P�+�K�(mod�26) • Algorithm�is�known • There�are�26�different�keys • Easy�to�break�– check�which�of�26�possible�keys�returns�the� unintelligible�ciphertext to�a�meaningful�plaintext • Decipher�HAL�(the�computer�from�the�movie�2001:� A Space Odyssey )�using�a�shift�cipher�of�one. – So�the�shift�variable�n=1. • HAL� � ?
16
8 Mono�Alphabetic�Ciphers
• Generalization:�arbitrary�mapping�of�one�letter�to� another • One�of�N!�permutations�on�N�letters�of�the�alphabet • The�key�is�the�index�of�the�permutation • Algorithm�is�known�(mono�alphabetic�cipher) • Key�is�secret�(one�of�N!�options) • Example: – N�=�26�letters�of�the�English�alphabet – N!�=�26!�≈ 4�• 10 26 ≈ 288 permutations�or� 309 Septillion – ≈ 309,485,009,821,345,000,000,000,000�permutations • IS�IT�SECURE? 17
Not�with�Frequency�Analysis
• Cryptanalysis�formally�began�in�later�part�of�the�first� millennium�AD�in�the�Middle�East. • Frequency�analysis�is�the�study�of�the�frequency�of� occurrence�of�letters.�(statistics) • First�treatise�on�frequency�analysis�was�written�by� Ab‾uY‾us‾uf Ya‘q‾ub ibn Is�h‾aq ibn as�Sabb‾ah ibn ‘omr‾an ibn Isma‾il al�Kind‾i,�the�“philosopher� of�the�Arabs.”
18
9 Attacking�Mono�Alphabetic�Ciphers�(I)
• English�is�highly�redundant,�as�shown�in�the�next� slide,�it�has�a�non�uniform�distribution�of�letters. • Each�symbol�of�ciphertext depends�on�only�one� symbol�of�plaintext�and�one�value�of�the�permutation� key,�so�guessing�part�of�the�key�gives�part�of�the� plaintext. • Attack�proceeds�by�guessing�parts�of�key� corresponding�to�most�common�letters,�which�makes� it�possible�to�decipher�entire�message.
19
The�problem:�Letter�Frequencies�
20
10 Attacking�Mono�Alphabetic�Ciphers�(II)
• Appearance�frequency�of�letters�(in�long�enough�texts)�in�the� language�is�well�determined�as�shown�by�the�previous�slide. • Appearance�frequency�of�pairs�of�letters�in�the�language�is�well defined: th,�ee,�oo,�tt,�qu,�is,�ae,�.�.�. • Appearance�frequency�of�certain�words�in�the�language�is�well� defined�as�well: the�≈ 6.4%� a�≈ 2.1%� i�≈ 0.9% of�≈ 4.0%� in�≈ 1.8%� it�≈ 0.9% and�≈ 3.2%� that�≈ 1.2%� for�≈ 0.8% to�≈ 2.4%� is�≈ 1.0%� as�≈ 0.8%
21
Attacking�Mono�Alphabetic�Ciphers�(III)
• Using�the�appearance�frequencies�of�letters,�words,� and�pairs�of�letters�– accelerates�the�identification�of� certain�letter�substitutions�(which�are�part�of�the�key) • Identification�of�word�patterns,�vowels,�and� consonants�helps�in�finding�parts�of�the�text • The�identification�of�the�remaining�parts�of�the�key� now�reduces�the�search�space�dramatically�(from�N!) • Using�heuristics�and�associative�word�completions,� the�rest�of�the�key�can�be�easily�revealed
22
11 Summary�of�English�Language�Facts
1. most�common�letters:�E,�T,�A,�O,�I,�N,�S,�H. 2. more�than�half�of�all�words�end�in�E,�T,�D,�S. 3. Q�is�always�followed�by�U. 4. most�common�word:�“THE.” 5. most�common�doublets:�EE,�TT,�OO,�SS,�LL,�FF. 6. most�common�2�letter�combos:�HE,�RE,�AN,�TH,� ER,IN. 7. most�common�3�letter�combos:�ION,�AND,�ING,� THE,�ENT.
23
Possible�solutions
• You�can�try�not�to�use�redundant�letters,�like�the�letter� “e”,�as�was�done�by�a�French�writer�named�Georges� Perec in�1969.��He�published�a�300�page�novel� La Disparition (The�Disappearance).��It�was�translated� into�english by�Gilbert�Adair�and�is�called�“A�Void”. • Or�you�can�you�a�group�of�different�Mono�Alphabetic� Ciphers�at�different�parts�of�the�plaintext called� �Ploy�Alphabetic�Ciphers. • Or�you�can�group�the�plaintext�into�blocks�that�will� then�go�through�some�transformation.�
24
12 Poly�Alphabetic Ciphers
• Use�different�Mono�Alphabetic�Ciphers�at�different�parts�of�the� plaintext • Using�many�Mono�Alphabetic�Ciphers�will�more�or�less� equate�the�appearance�frequencies�of�letters • Well�designed,�and�sufficiently�long,�Poly�Alphabetic�Ciphers� can�be quite strong • A�common�scheme�to�build�a�Poly�Alphabetic�Cipher: – Use�a�collection�of�related�Mono�Alphabetic�Ciphers – Use�a�key�to�determine�which�one�of�the�Mono�Alphabetic� Ciphers�in�the�collection�to�use�at�each�stage
25
Vig`enere Cipher�(I)
• Blaise de�Vig`enere:�(1523)�Creates�the�Vig`enere cipher. • Thought�to�be�too�slow�and�cumbersome�for�warfare,�the� Vig`enere cipher�was�unused�almost�200�years. • Vig`enere Cipher�is�one�type�of� Poly-Alphabetic Cipher • The�collection�of�Mono�Alphabetic�Ciphers�consists�of�the�26� options�for�Caesar�Cipher�(with�K�=�0,�1,�2,�.�.�.,�25) • Each�of�the�26�Caesar�Ciphers�is�denoted�by�a�letter,�which�is� the�ciphertext letter�that�replaces�the�letter�‘a’ • In�practice: – A�table�of�26�rows�by�26�columns�is�built.�Row�i�in�the�table� contains�the�26�letters�of�the�alphabet�circularly�shifted�by�i. – A�keyword�is�used�(over�and�over�again)�to�select�which�of�the� mono�alphabetic�ciphers�to�use.�The�cipher�used�is�selected�by� the�current�letter�in�the�keyword.
26
13 Vig`enere Cipher�(II)
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
A A B C D E F G H I J K L M N O P Q R S T U V W X Y Z B B C D E F G H I J K L M N O P Q R S T U V W X Y Z A C C D E F G H I J K L M N O P Q R S T U V W X Y Z A B D D E F G H I J K L M N O P Q R S T U V W X Y Z A B C E E F G H I J K L M N O P Q R S T U V W X Y Z A B C D F F G H I J K L M N O P Q R S T U V W X Y Z A B C D E G G H I J K L M N O P Q R S T U V W X Y Z A B C D E F H H I J K L M N O P Q R S T U V W X Y Z A B C D E F G I I J K L M N O P Q R S T U V W X Y Z A B C D E F G H J J K L M N O P Q R S T U V W X Y Z A B C D E F G H I K K L M N O P Q R S T U V W X Y Z A B C D E F G H I J L L M N O P Q R S T U V W X Y Z A B C D E F G H I J K M M N O P Q R S T U V W X Y Z A B C D E F G H I J K L N N O P Q R S T U V W X Y Z A B C D E F G H I J K L M O O P Q R S T U V W X Y Z A B C D E F G H I J K L M N P P Q R S T U V W X Y Z A B C D E F G H I J K L M N O Q Q R S T U V W X Y Z A B C D E F G H I J K L M N O P R R S T U V W X Y Z A B C D E F G H I J K L M N O P Q S S T U V W X Y Z A B C D E F G H I J K L M N O P Q R T T U V W X Y Z A B C D E F G H I J K L M N O P Q R S U U V W X Y Z A B C D E F G H I J K L M N O P Q R S T V V W X Y Z A B C D E F G H I J K L M N O P Q R S T U W W X Y Z A B C D E F G H I J K L M N O P Q R S T U V X X Y Z A B C D E F G H I J K L M N O P Q R S T U V W Y Y Z A B C D E F G H I J K L M N O P Q R S T U V W X Z Z A B C D E F G H I J K L M N O P Q R S T U V W X Y
27
Class�Exercise�using�Vig`enere Cipher
• Keyword:������� GMU • Plaintext:�����SECURITY • Ciphertext:
28
14 Vig`enere Cipher�(III)
• The�strength�of�Vig`enere Cipher�is�based�on�the�fact� that�there�are�multiple�ciphertext letters�to�which�each� plaintext�letter�can�be�mapped • Question :� To�how�many�possible�ciphertext letters� can�a�single�plaintext�letter�be�mapped?
29
Attacking�Vig`enere Cipher
• Check�whether�the�cipher�is�Mono�Alphabetic – Check�whether�the�appearance�frequency�of�letters�in�the� ciphertext complies�with�that�of�a�Mono�Alphabetic�cipher • Determine�the�length�of�the�keyword – If�two�identical�sequences�of�plaintext�letters�occur�at�a�distance� that�is�an�integer�multiple�of�the�keyword�length�– than�the�two� corresponding�sequences�of�ciphertext letters�will�be�identical – Detect�identical�sequences�of�ciphertext letters – Conjecture�that�the�keyword�length�is�the�GCD�(greatest� common�divisor)�of�distances�between�identical�sequences�of� ciphertext • Neutralize�shifts�and�break�each�of�the�suspected�Mono� Alphabetic�Ciphers�independently
30
15 Running�Key�Cipher
• Doesn’t�use�mathematical�formulas,�instead�everyday� items. • For�example�a�set�of�books – Numbers�are�sent�representing�book�number,�page� number,�line�number,�and�word�number.�
31
Transposition�Methods
• Generalization:�Letters�are�rearranged�in�a�particular�fashion. • Plaintext�is�buffered�in�a�buffer�of�size�N�characters • Plaintext�is�scrambled�by�a�fixed�transposition�on�the�locations of� the�characters�in�the�buffer
• Algorithm�is�known • Key�is�the�indication�of�the�transposition�mapping
32
16 Spartan�Scytale
• Scytale (5fh�Century�BC)�– Uses�paper�or�leather�and�is�wrapped�around�rod� (cylinder).�The�text�is�written�along�the�length�of�the�scytale,�and�then�the�strip�is� unwounded.�The�result�is�a�long�meaningless�string.�
33
Rail�Fence�Cipher
• Method – Plaintext�is�written�down�as�a�sequence�of�diagonals� and�then�read�of�as�a�sequence�of�rows • Example: m�e�m�a�t�r�h�t�g�p�r�y e�t�e�f�e�t�e�o�a�a�t • Plaintext: – meet�me�after�the�toga�party
34
17 Row�Column�Cipher
• Plaintext�is�written�in�a�rectangle,�row�by�row,�and� ciphertext is�read�from�the�rectangle,�column�by� column,�in�a�permuted�column�order • � Example: Key:� 2�4�1�5�3 Plaintext:� a�t�t�a�c k�f�r�o�m e�a�s�t�a t�d�a�w�n • Ciphertext:� trsaaketcmantfadaotw
35
Attacking�Transposition�Methods
• A�pure�Transposition�Cipher�can�be�easily� recognized,�because�it�has�the�same�letter�appearance� frequencies�as�the�original�text • Appearance�frequencies�of�di�grams�or�tri�grams�may� also�be�useful�in�breaking�the�code� • Frequent�plaintext�words�(or�combinations�of�letters)� may�repeat�at�same�locations�in�many�buffers,�which� will�result�in�repetition�of�certain�letter�combinations� in�the�ciphertext • Key�can�be�determined�by�placing�the�ciphertext in�a� rectangle�and�playing�with�the�rows�and�the�columns
36
18 Rotor Machines (I)
• Rotor�Machines�combine�principles�of�Substitution� Methods and�Transposition�Methods • Rotor�Machines�produce�ciphers�that�are�very�difficult� to�break • Rotor�Machines�in�World�War�II: – “Enigma” used�by�the�German – “Purple” used�by�the�Japanese • The�breaking�of�both�Rotor�Machines�by�the�Allies� was�a�significant�factor�in�the�outcome�of�the�war
37
Rotor�Machine�Example
38
19 Concealment�Cipher
• Concealment�Cipher� – Is�a�message�within�a�message. – For�example�the�3 rd word�from�the�following�sentences� is�the�key:
GMU�students�take security�class�very�seriously. They�study�a good�eight�hours�a�day,�everyday. They�can�break many�of�the�classical�ciphers.
39
Symmetric�(Secret�Key)� Cryptography
20 Conditional�Cryptography
• Cryptographic�schemes,�for�which�we�do�not�have�a� mathematical�proof�that�they�are�100%�secure • An�opponent�can�break�the�scheme: – if�unlimited�text�is�available – if�unlimited�time�is�available – if�unlimited�computing�power�is�available • Strength�of�such�a�scheme�relies�on�the�assumption�that�the� opponent�does�not�have�sufficient�resources�(text,�time,� computers,�money,�etc.)�to�break�the�scheme • All�modern�practical�cryptographic�schemes�are�only� conditionally�secure
41
Xor Basics
42
21 Notations
• A�– Alice� (one�party) • B�– Bob� (another�party) • E�– Eve� (eavesdropper�/�attacker) • M�– Message� (plaintext,�sometimes�secret) • K�– Key� (highly�secret) • C�– Cipher� (ciphertext,�seen�by�attacker) • ENC�–Encryption� (secret�/�known) • DEC�– Decryption� (secret�/�known) • AUTH�– Authentication� (secret�/�known) • VER�– Verification� (secret�/�known)
43
Symmetric�Cryptography
• Same�key�is�used�on�both�sides • Algorithms�are�usually�similar�on�both�sides
44
22 Symmetric�Encryption
• A�encrypts�the�message�M�using�the�algorithm�ENC�with�the� key�K�to�obtain�the�cipher�C • B�decrypts�the�cipher�C�using�the�algorithm�DEC�with�the�key� K�to�obtain�the�message�M • Key�K�is�symmetric,�secret,�and�known�only�to�A�and�B
45
DES�(Data�Encryption�Standard)
23 DES�(Data�Encryption�Standard)�History
• In�1973,�NBS�(National�Bureau�of�Standards)�came� out�with�an�RFP�(Request�for�Proposals)�for�a� commercial�encryption�standard • IBM�proposed�its�strong�Lucifer�algorithm� (developed�by�Feistel and�others) • NSA�(National�Security�Agency)�requested�to�weaken� the�strength�of�Lucifer�(by�shortening�the�key) • NSA�also�made�changes�to�IBM’s�Lucifer�algorithm� • Data�Encryption�Standard�(DES)�accepted�in�1976� and�it�expired�22�years�later,�in�1998.
47
DES�Design�Criteria
• NBS�had�set�the�following�design�criteria�for�DES: – Algorithm�must�provide�high�level�of�security – Algorithm�must�be�completely�specified – Security�of�the�algorithm�must�reside�in�the�key – Algorithm�must�be�available�to�all�users – Algorithm�must�be�adaptable�for�use�in�diverse�applications – Algorithm�must�be�efficiently�implemented�in�hardware – Algorithm�must�be�efficient�to�use – Algorithm�must�be�able�to�be�validated – Algorithm�must�be�exportable
48
24 DES�
• DES�is�a�widely�used�method�of�data�encryption� using�a�(secret)�key�that�was�judged�so�difficult�to� break�by�the�U.S.�government�that�it�was�restricted� for�exportation�to�other�countries.� • There�are�72,000,000,000,000,000�(72�quadrillion)� or�more�possible�encryption�keys�that�can�be�used.� For�each�given�message,�the�key�is�chosen�at� random�from�among�this�enormous�number�of�keys.� • Like�other�private�key�cryptographic�methods,�both� the�sender�and�the�receiver�must�know�and�use�the� same�private�key.
49
DES�Structure
• Block�size�– 64�bits • Key�size�– 64�bit�quantity=(8�bit�parity)+(56�bit�key) – Every�8th�bit�is�a�parity�bit. – 16�round�keys�(48�bits)�derived�from�key�(56�bits) • 16�iterations�each�consisting�of�scrambling�the�round�block�(64�bits)�with� the�round�key�(48�bits) • 64�bit�input,�64�bit�output.
64�bit�M 64�bit�C DES Encryption
56�bits
50
25 Demo�Time
• The�Demo�is�a�summary�of�the�next� 15 slides.
51
DES�Overview 56�bit�Key 64�bit�Input Generate�keys Permutation Initial�Permutation 48�bit�K1 Round�1 48�bit�K2 Round�2 …... 48�bit�K16 Round�16
Swap Swap�32�bit�halves
Permutation Final�Permutation
64�bit�Output
52
26 Initial�and�Final�Permutations
• Initial�permutation�(IP) • View�the�input�as�M:�8� × 8�bit�matrix • Transform�M�into�M1�in�two�steps – Transpose�row�x�into�column�(9�x),�1 ≤x� ≤8�( equivalent� to�90º clockwise�turn�of�the�matrix ) – Apply�permutation�on�the�rows: • For�even�row�y,�it�becomes�row�y/2 • For�odd�row�y,�it�becomes�row�(5+y/2) • Note:�Final�permutation�FP�=�IP �1
53
Initial�Bit�Permutation�(1�to�1)
1����2�����3�����4 64 ……. Input: b1 b2 b3 b4 b64
1�bit
Output …….. b58 b50 b42 b34 b7 58����50���42���34� 7
54
27 Per�Round�Key�Generation
• Initial�Key�has�64�bits • Remove�Every�8 th bit:� – Remove�8,�16,�24,�32,�40,�48�(parity�check) • End�up�with�56�bits:� – Now�do�an�initial�permutation�of�the�56�bit�key: – First�half�(28�bits)�=�Co
– Second�half�(28�bits)�=�D 0
55
Per�Round�Key�Generation Initial�Permutation�of�DES�key
C� i�1 28�bitsD� i�1 28�bits
Circular�Left�Shift Circular�Left�Shift
Permutation Round�1,2,9,16: with�Discard single�L�shift Others:�two�R�bits 48 bits�Ki
C� i 28�bitsD� i 28�bits
56
28 Round�(i)
• 64�bit�input�broken�down�into�two�halfs
•Li and�Ri (32�bits�each) • Recursively�define:
•Li+1 =�Ri
•Rn+1 =�mangler(R n,k n)(+)L n
Pictorially�
57
A�DES�Round�(i)
32�bits� Li 32�bits� Ri
E
One�Round 48�bits Ki Encryption Mangler Function S�Boxes
P
32�bits
32�bits� Li+1 32�bits� Ri+1 58
29 Mangler Function
4 4 4 4 4 4 4 4 subkey 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6
+ + + + + + + +
S1 S2 S3 S4 S5 S6 S7 S8 The�permutation�produces� “spread” among�the� 4 4 4 4 4 4 4 4 chunks/S�boxes!
Permutation
59
Bits�Expansion�in�the�Mangler Function
1����2�����3�����4�����5 32 Input: 0����0�����1�����0�����1……. 1
Output
1�����0�����0�����1�����0�����1�����0�����1…….. 1�����0 1�����2�����3�����4�����5�����6�����7�����8���� 48
60
30 E�Box�of�DES
• How�is�the�E�Box�defined?
32 1������2������3������4���� 5 4 5������6������7������8 9 8 9������10����11����12���� 13 12 13����14����15����16 17 16 17����18����19����20 21 20 21����22����23����24 25 24 25����26����27����28 29 28 29����30����31����32 1
61
S�Box�(Substitute�and�Shrink)
• 48�bits�==>�32�bits.�(8*6�==>�8�*4) • 2�bits�used�to�select�amongst�4�permutations�for�the� rest�of�the�4�bit�quantity
2�bits I1 row I2 I3 O1 Si O2 I4 O3 I5 O4 an�integer�between 4�bits I6 0�and�15. column i =�1,…8.
62
31 S�Box�(Cont’d)
Each�row�and�column�contain�different�numbers.
0��������1���������2������� 3 4��������5�������6��������… 15
0������14�������4��������13������1���������2�������15�����11
1�������0��������15�������7�������4��������14�������2������13
2 4��������1��������14������8��������13�������6�������2
3������15������12��������8�������2��������4���������9�������1
Example:�input:� 10011 0 output:�???
63
DES�Standard
• Cipher�Iterative�Action • Key�Generation�Box – Input: 64�bits – Input: 56�bits – Key: 48 bits – Output: 48 bits – Output: 64�bits
One�round�(Total�16�rounds)
64
32 Feistel Cipher�Encryption
Ln Rn
mangler Kn
Ln+1 Rn+1
65
Feistel Cipher�Decryption
Ln Rn
mangler Kn
Ln+1 Rn+1
66
33 Important�Properties�of�DES�Round
• The�decryption�in�a�DES�round�does�NOT�require�the� mangler function�to�be�reversible! • The�decryption�of�64�bit�block�in�a�DES�round�is� equivalent�to�encryption�of�the�64�bit�block�(by� swapping�the�32�bit�halves)�with�the�same�key
67
Avalanche�Effect
• A�small�change�in�either�the�plaintext�or�the�key�should� produce�a�significant�change�in�the�ciphertext. • DES�has�a�strong�avalanche�effect. • Example – Plaintexts:�0X0000000000000000�and�0X8000000000000000 – Same�key:�0X016B24621C181C32 – 34�bits�difference�in�cipher�texts – Similar�result�with�same�plaintext�and�slightly�different�keys
68
34 Concerns�About�DES
• Key�space�problem:�56�bit�key�(2 56 ) – DESCHALL�recovered�RSA�challenge�I�key�on�June� 17,�1997�(6�month�into�the�contest) – $.25m�(total�cost),�July�15,�1998,�RSA�DES�challenge� II�key�recovered�in�56�hours – Presumably,�most�national�security�agencies�have�the� hardware�and�software�to�crack�DES�in�hours
69
DES�Summary
• Simple,�easy�to�implement: – Hardware/gigabits/second,�software/megabits/second • 56�bit�key�DES�maybe�acceptable�for�non�critical� applications�but�triple�DES�(3�DES)�should�be�secure� for�most�applications�today • Supports�several�operation�modes:�ECB�CBC,�OFB,� CFB
70
35 Rijndael Demo
Time�permitting
71
Multiple�Encryption
36 Multiple�Encryption
• Major�limitation�of�DES – Key�length�is�too�short�(56�bits). • Question:�Can�we�apply�DES�multiple�times�to� increase�the�strength�of�encryption? – Advantage:�preserve�the�existing�investment�in� software�and�equipment.
73
Double�DES�(I)
• Apply�two�iterations�of�DES�with�two�keys�K1�and� K2
• What�if�DES�has�a�structure�of�an�algebraic�group,� such�that�for�each�K1�and�K2�there�is�a�K3�with�the� property:
Ek2 (E k1 (P))�=�E k3 (P) • This�is�not�the�case�(proved�in�1992) • BUT�� is�the�security�level�O(2 112 )?
74
37 Double�DES�(II)
Meet�in�the�Middle�Attack: • For�given�M�and�C�– search�only�O(256)�pairs�of�keys�K1�and� K2�at�the�intermediate�point�I
56 • Encrypt�M�under�all�2 options�for�K 1 56 – Denote�the�results�by�X 1,�X 2,�.�.�.,�X 2 56 • Decrypt�C�under�all�2 options�for�K 2 56 – Denote�the�results�by�Y 1,�Y 2,�.�.�.,�Y 2
75
Double�DES�(III)
Meet�in�the�Middle�Attack�(continued): 56 • Sort�the�values�X 1,�X 2,�.�.�.,�X 2 56 • Sort�the�values�Y 1,�Y 2,�.�.�.,�Y 2 • Find�collisions�between�values�of�X i and�Yj – there� should�be�about�(2 112 /�2 64 )�=�2 48 such�collisions 48 • Mark�the�2 potential�candidates�for�key�pair�K 1 and� K2 • Take�another�pair�M’ and�C’,�and�repeat�the�above� test�with�the�new�pair�and�the�suspected�2 48 key�pairs • The�second�test�will�pin�down�the�correct�pair�K1�and� K2�(since�the�success�rate�will�be�(2 48 /�2 64)�=�2 �16 )
76
38 Double�DES�(IV)
Meet�in�the�Middle�Attack�(continued): • Time�requirement�of�attack�– for�encryptions,� decryptions,�sorting,�and�comparing: about�O(2 64 )�steps • Space�requirement�of�attack�– for�keeping�the� encryption�and�decryption�values: about�O(2 60 )�bytes • Although�attack�is�not�very�practical�– it�is� sufficiently�intriguing�to�consider�Double�DES�not� secure�enough
77
Triple�DES�(I)
• EEE�Mode:
– DES�Encrypt�Encrypt�Encrypt�with�three�keys�K 1,�K 2,�and�K 3
• Properties: – Three�keys�(168�bits) – Strength�about�O(2 110 )�against�Meet�in�the�Middle – Not�compatible�with�regular�DES
78
39 Triple�DES�(II)
• EDE�Mode:
– DES�Encrypt�Decrypt�Encrypt�with�two�keys�K 1,�&�K 2
• Properties: – Two�keys�(112�bits) – Strength�about�O(2 110 )�against�Meet�in�the�Middle
– Compatible�with�regular�DES�when�K 1=�K 2
79
E�D�E�vs E�E�E
• Why�E�D�E? – Initial�and�final�permutations�would�cancel�each�other� out�with�EEE�(minor�advantage�to�EDE) – EDE�compatible�with�single�DES�if�K1=K2=K3. – What’s�another�advantage?
80
40 E�D�E�vs E�E�E�� Solution
• Why�E�D�E? – Initial�and�final�permutations�would�cancel�each�other� out�with�EEE�(minor�advantage�to�EDE) – EDE�compatible�with�single�DES�if�K1=K2=K3. – What’s�another�advantage? • Only�2�different�Keys�needed�with�E�D�E
81
Triple�DES
Encryption P E D E C
K1 K2 K1 Decryption P D E D C
• Apply�DES�encryption/decryption�three�times. – With�two�keys�or�three�keys • Why�E�D�E? – Initial�and�final�permutations�would�cancel�each�other�out� with�EEE�(minor�advantage�to�EDE) – EDE�compatible�with�single�DES�if�K1=K2=K3. – What’s�another�advantage?
82
41 Triple�DES�Is�Not�Ideal...
• Efficiency�demands�schemes�with�longer�keys�to� begin�with! • Triple�DES�runs�one�third�as�fast�as�DES�on�the�same� platform • New�candidates�are�numerous�� RC5,�IDEA,�two�fish,� CAST,�etc • New�AES
83
Modes�of�Block�Cipher�Operations
42 Encrypting�a�Large�Message
• Modes�of�block�cipher�operations – ECB�(Electronic�Code�Book) – CBC�(Cipher�Block�Chaining�Mode) – OFB�(Output�Feedback�Mode) – CFB�(Cipher�Feedback�Mode)
85
Encrypting�Large�Messages
• The�basic�algorithms�encrypt�a�fixed�size�block • Obvious�solution�is�to�encrypt�a�block�at�a�time.�This� is�called�Electronic�Code�Book�(ECB) • Repeated�plaintext�blocks�yield�repeated�ciphertext blocks • Other�modes�“chain” to�avoid�this�(CBC,�CFB,�OFB) • Encryption�does�not�guarantee�integrity!
86
43 Electronic�Code�Book�(ECB)
• Divide�and�conquer�! • (M1�==�M3)�=>�(C1�==�C3) giving�some�information�to� eavesdroppers
87
ECB�Properties�(Cont’d)
Disadvantage:
• If�ci=cJ,�then�you�know�p i=pJ 1. Can�reorder�blocks 2. Can�substitute�(fabricated�information)�blocks�to� affect�plaintext • Salary�Example Advantage: • Advantage:�No�error�propagation. Two�serious�flaws,�one�advantage!
88
44 Example�of�ECB�Issue
89
Consider�this
M1 M2 M3 M4
r1 r2 r3 r4
E E E E
C1 C2 C3 C4 transmit�r1,�c1,�r2,�c2,�r3,�c3,�r4,�c4
90
45 Problems�with�previous�slide
• Need�to�send�twice�as�much�data • Can�still�rearrange�blocks • If�two�ciphertext blocks�are�equal,�you�know�XOR�of�two� plaintext�blocks�=�XOR�of�the�corresponding�two�random� numbers • CBC�generates�its�own�“random�numbers” by�using� previous�ciphertext block,�plus�one�additional�block�(the� “IV”,�initialization�vector)
91
Cipher�Block�Chaining�(CBC)
(M 1 ==�M 3)�very�unlikely�leads�to�(C 1 ==�C 3)
92
46 CBC�Decryption
93
CBC�Properties
• Chaining�dependency – Each�ciphertext�block�depends�on�all�preceding�plaintext�blocks
– To�change�a�particular�bit�in�m i� ,�change�the�corresponding�bit�in� ci�1.�The�side�effect�is�that�m i�1 will�be�garbled. • Error�propagation
– Each�error�in�cj affects�decipherment�of�mj and�m j+1 . • Error�recovery
– An�error�in�cj doesn’t�propagate�beyond�c j+1 . – Can�recover�from�loss�of�cipher�text�blocks.
94
47 Output�Feedback�Mode�(OFB)
95
OFB�Properties
• (OFB)�stream�generated: – IV�(transmitted�in�the�clear)
– pad 1=e(IV,�key)
– pad 2=e(pad 1,�key)
– pad i=e(pad i�1,key) • Chaining�dependencies – Key�stream�is�plaintext�independent – Allow�pre�computing�of�pseudo�random�stream�(One�Time�Pad);�XOR� can�be�implemented�very�efficiently • No�error�propagation�problem�as�in�CBC • What�if�ciphertext is�garbled�or�lost? – If�garbled,�only�those�plaintext�bits�are�garbled. – If�lost�or�duplicated,�you�lose�synchronization�so�everything�is lost.
96
48 Cipher�Feedback�Mode (CFB)
97
CFB�Properties
• Chaining�dependencies
– Ciphertext�block�cj depends�on�all�preceding� plaintext�blocks. • Error�propagation – Bit�error�in�one�ciphertext�block�affects�the�next� several�blocks • Error�recovery – Can�recover�from�bit�errors�after�several�blocks – Can�resynchronize�after�loss�of�blocks.
98
49 Math�Essentials
Beauty�of�Mathematics Demonstration Pick�a�number�from�10�to�99 At�the�2�digits,�for�example: If�you�chose�51,�you�would�add�5+1=6 Then�subtract�the�result�from�the�original�number So�51�6=45 (Demonstration�shown�in�class)
100
50 Prime�Numbers�(I)
x Percentage Percentage x/(ln x - 1) Percentage 1,000 168 16.8% 169 16.9% 10,000 1,229 12.3% 1,218 12.2% 100,000 9,592 9.6% 9,512 9.5% 1,000,000 78,498 7.8% 78,030 7.8% 10,000,000 664,579 6.6% 661,459 6.6% 100,000,000 5,761,455 5.8% 5,740,304 5.7% 1,000,000,000 50,847,534 5.1% 50,701,542 5.1% 10,000,000,000 455,052,511 4.6% 454,011,971 4.5% • Prime�numbers�“thin�out” as�the�numbers�get�larger • There�are�25�primes�<100,�so�density�is�1�in�4. • Ten�digit�number,�density�is�1�in�23. • Hundred�digit�number,�density�is�1�in�230.
101
Division�(I)
(also�called�counting�numbers)
102
51 Division�(II)
103
Division�(III)
104
52 Common�Divisors�(I)
105
Common�Divisors�(II)
in�Z
106
53 Euler’s�Totient Function�(I)
• Leonhard�Euler� – Swiss�mathematician�and�physicist – First�to�use�the�term�function. – Lived�in�the�1700’s
* • Totient function�ø(n):�|Zn | – number�of�integers�less�than� n and�relatively�prime�to� n – If� n is�prime,�ø(n)= n�1 – If� n=p∗q,�and� p, q are�primes,�ø(n)=( p�1)( q�1)� – If� p is�prime�and� k>0,�ø(pk)�=( p�1)� pk�1
107
Euler’s�Totient Function�(II)
• Examples: ø(7)=�7*(1�(1/7))=6��{1,2,3,4,5,6} Or�ø(7)�=7�1=6,�because�7�is�prime
ø(10)=�10*(1�(1/2)*(1�(1/5))=4��{1,3,7,9} ø(18)=�18*(1�(1/2)*(1�(1/3))=6��{1,5,7,11,13,17}
ø(21)=�21*(1�(1/3)*(1�(1/7))=12� {1,2,4,5,8,10,11,13,16,17,19,20} Or�ø(21)=�ø(3.7)=�ø(3).�ø(7)=��2.6�=�12
108
54 Motivation�1� Key�Distribution�Problem� • In�a�secret�key�cryptosystem,�the�secret�key�must�be� transmitted�via�a�secure�channel • Inconvenient – n�parties�want�to�communicate�with�each�other,�how�many�keys� total�keys�are�needed�and�how�many�other�keys�must�each�n� store?� n�entities�– There�will�be�n(n�1)�/�2�keys�total Each�entity�has�to�store�n�1�keys • Insecure – Is�the�secure�channel�really�secure?�
• Public�key�cryptosystem�solves�the�problem – Public�key�known�by�everyone�– telephone�directory – Privacy�key�is�never�transmitted
109
How�many�Symmetric�Keys�needed?
Administration�Problems: n Total Keys Keys Stored – Adding�new�entities 2 2 1 3 3 2
– Removing�existing�entities 4 6 3 – Changing�keys 5 10 4 6 15 5
7 21 6
8 28 7
9 36 8
10 45 9
11 55 10
12 66 11
13 78 12
14 91 13
15 105 14
110
55 Motivation�2� Digital�Signature • In�a�secret�key�cryptosystem,�authentication�and�non� repudiation�may�be�difficult • Authentication – You�must�share�a�secret�key�with�someone�in�order�to� verify�his�signature • Non�repudiation – “I�didn’t�sign�it.�You�did�since�you�also�have�the�key” • Public�key�cryptosystem�solves�the�problem – Verification�of�signature�needs�only�the�public�key – One�is�solely�responsible�for�his�private�key
111
Asymmetric�(Public�Key)� Cryptography
56 Public�Key�Algorithms
• Public�key�algorithms�covered�in�this�lecture: – RSA:�encryption�and�digital�signature – Diffie�Hellman:�key�exchange • Number�theory�underlies�most�of�public�key� algorithms.
113
Requirements�for�Public�Key�Algorithms
• It�is�computationally�easy�to� – generate�a�(public,�private)�key�pair. – to�generate�a�ciphertext�using�the�public�key. – to�decrypt�the�ciphertext�using�the�private�key. – to�sign�with�the�private�key. – to�verify�the�signature�with�the�public�key. • It�is�computationally�infeasible�to� – determine�the�private�key�from�the�public�key. – recover�the�message�from�the�ciphertext�and�the�public�key. – forge�a�signature.
114
57 The�Big�Picture
Plain- Plain- text Encryption Ciphertext Decryption text Algorithm INSECURE CHANNEL Algorithm AA BB B's Public Key B's Private Key
RE LIA BL E C HA NN EL B's Public Key 115
The�Basic�Idea
• Confidentiality: encipher�using�public�key,�decipher� using�private�key • Integrity/authentication: encipher�using�private�key,� decipher�using�public�key
Plain- Plain- text Encryption Ciphertext Decryption text Algorithm Algorithm ‘Signature’
B's Public Key B's Private Key B AA 116B
58 Public�Key�Model
117
Public�Key�Encryption�
118
59 Public�Key�Signatures
119
Use�of�Public�Key�Cryptosystems
• Encryption/decryption – The�sender�encrypts�a�message�with�the�receiver’s�public�key – Only�the�receiver�can�decrypt�the�message. • Digital�signature – The�sender�signs�a�message�with�its�private�key. – Authentication�and�non�repudiation • Key�exchange – Two�sides�cooperate�to�exchange�a�session�key. – Secret�key�cryptosystems�are�often�used�with�the�session�key.
120
60 Public�Key�Cryptanalysis�
• Brute�force�attack – Try�all�possible�keys • Derivation�of�private�key�from�public�key – Try�to�find�the�relationship�between�the�public�key�and�the� private�key�and�compute�the�private�key�from�the�public�one. • Probable�message�attack – The�public�key�is�known. – Encrypt�all�possible�messages – Try�to�find�a�match�between�the�ciphertext�and�one�of�the�above� encrypted�messages. – Example:�Prof.�sends�encrypted�messages�of�letter�grades�to�his� students�based�on�their�public�key.
121
History�of�Public�Key�Schemes�
• 1976�– Diffie &�Hellman�suggested�the�public�key�model�for� encryption�and�signatures • 1976�– Diffie &�Hellman�developed�public�key�protocol�for� key�exchange�based�on�Discrete�Log�Problem • 1977� Rivest,�Shamir,�Adelman developed�RSA�public�key� scheme�for�encryption�and�signatures�based�on�the�Number� Factoring�Problem • 1980’s� El�Gamal developed�public�key�protocols�for� encryption�and�signatures�based�on�Discrete�Log�Problem
122
61 Revolution�in�Cryptography
• Diffie &�Hellman�sought�to�solve�2�problems� – Find�a�secure�way�to�distribute�keys�in�the�public – Provide�digital�signature�for�document • Public�key�cryptography�is�based�on�rigorous� mathematical�theory,�rather�than�substitutions�and� permutations. • It�is�asymmetric�– requires�two�different�keys:�private� key�&�public�key
123
Diffie�Hellman Key�Exchange�(I)
• Published�in – W.�Diffie and�ME�Hellman,�" New�Directions�in�Cryptography ",� in�IEEE�Transactions�on�Information�Theory,�IT�22�no�6� (November�1976)�p.�644�654� • The�first�public�key�algorithm • Allows�two�users�to�agree�on�a�secret�key�over�public�channel • No�encryption,�decryption,�nor�authentication • What’s�involved? – p is�a�large�prime�number�(about�512�bits),� g < p and� g is�a� primitive�root�of� p. – p and g are�publicly�known
124
62 Diffie�Hellman Key�Exchange�(II)
125
Diffie�Hellman Key�Exchange�(III)
126
63 Diffie�Hellman Example
Alice�and�Bob�want�to�establish�a�shared�secret�key • Have�agree�on�the�value� n=353�(prime)�and� g=3 • Select�the�random�secret�values:
– Alice�chooses�Xa=97,�Bob�chooses�Xb=233 • Derive�the�public�keys: Xa 97 –Ta=� g mod� n =�3 mod�353�=�40�����(Alice’s) Xb 233 –Tb=� g mod� n =�3 mod�353�=�248��(Bob’s) • Derive�the�shared�secret�key Xa 97 – K�=�Tb mod� n =�248 mod�353�=�160���(Alice’s) Xb 233 – K�=�Ta mod� n =�40 mod�353�=�160���(Bob’s)
127
Diffie�Hellman Man�in�the�middle
128
64 Hard�Number�Theory�Problems
• T = gs mod� p – Given� T, g, p ,�it�is�computationally�infeasible�to� compute�the�value�of� s (discrete�logarithm) – This�is�the�basis�of�the�Diffie�Hellman,�El�Gamal,�and� DSS�Public�Key�Schemes. • Another�difficult�number�theory�problem;�It�is�trivial� to�compute�the�product�of�two�primes� p and� q to� obtain�n=pq;�But�it�is�difficult�to�factor�the�composite� number�n�into�its�two�prime�factors�p�and�q. – This�is�the�basis�of�the�RSA�Public�Key�scheme
129
Diffie�Hellman Scheme
• Security�factors – Discrete�logarithm�very�difficult. – Shared�key�(the�secret)�itself�never�transmitted. • Disadvantages: – Expensive�exponential�operation – Cannot�be�used�to�encrypt�anything. – No�authentication,�so�you�can�not�sign�anything.
130
65 Diffie�Hellman in�Phone�Book�Mode
• DH�is�subject�to�active�man�in�the�middle�attack�because� their�public�key�component�may�be�intercepted�and� substituted • Phone�book�mode�allows�everyone�to�generate�the�public� key�component�in�advance�and�publish�them�through�other� reliable�means • All�communicating�parties�agree�on�their�common�< g,� p> • Essential�requirement :�authenticity�of�the�public�key.
131
RSA�(Rivest,�Shamir,�Adleman)
• Published�in – R.�Rivest,�A.�Shamir,�and�L.�Adleman,�" A�Method�for�Obtaining� Digital�Signatures�and�Public�Key�Cryptosystems ",�CACM�21,� pp.�120��126,�Feb.�1978� – The�first�public�key�encryption�and�signature�system • Support�both�public�key�encryption�and�digital�signature. • Assumption/theoretical�basis: – Factorization�of�large�primes�is�hard. • Variable�key�length�(usually�1024�bits). • Variable�plaintext�block�size. – Plaintext�must�be�“smaller” than�the�key. – Ciphertext�block�size�is�the�same�as�the�key�length.
132
66 Number�Factoring
How�about�Tomorrow’s�computers?��
133
Quantum�Computing
• A�classical�computer�has�a�memory�made�up�of�bits,�where�each�bit�holds�either�a� one�or�a�zero.�The�device�computes�by�manipulating�those�bits,�i.e.�by�transporting� these�bits�from�memory�to�(possibly�a�suite�of)�logic�gates�and�back.�A�quantum� computer�maintains�a�set�of�qubits.�
• A�qubit can�hold�a�one,�or�a�zero,�or�a�superposition�of�these.�A�quantum�computer� operates�by�manipulating�those�qubits,�i.e.�by�transporting�these�bits�from�memory� to�(possibly�a�suite�of)�quantum�logic�gates�and�back.
• Qubits for�a�quantum�computer�can�be�implemented�using�particles�with�two�spin� states:�"up"�and�"down";�in�fact�any�system,�possessing�an�observable�quantity�A� which�is�conserved�under�time�evolution�and�such�that�A�has�at�least�two�discrete� and�sufficiently�spaced�consecutive�eigenvalues,�is�a�suitable�candidate�for� implementing�a�qubit.
Information�Source:�Wikipedia
134
67 The�RSA�Algorithm
• To�generate�key�pair: – Pick�large�primes� p and� q – Let� n =� p*q,�keep� p and� q to�yourself! – For�public�key,��choose� e that�is�relatively�prime�to� ø(n) =(p-1)(q-1). public�key�=�< e,n > – For�private�key,�find� d that�is�the�multiplicative�inverse� of� e mod� ø(n), i.e.,� e*d =�1�mod� ø(n) – Private�key�=�< d,n>.
135
How�Does�RSA�Work?
• Given�pubKey =�< e, n >�and�privKey =�< d, n > • Message�=�m – encryption:� c =� me mod� n,� m < n – decryption:� m =� cd mod� n – signature:� s =� md mod� n,� m <� n – verification:� m =� se mod� n
136
68 An�Example
• Choose� p =�7�and� q =�17. • Compute� n =� p*q= 119 . • Compute� φ(n)=( p�1)( q�1)=96. • Select� e =�5,�which�is�relatively�prime�to� φ(n). • Compute� d =�_77_ such�that� e*d=1�mod� φ(n). • Public�key:�<5,119> • Private�key:�<77,119> • Message�=�19 • Encryption:�19 5 mod�119�=�66 • Decryption:�66 77 mod�119�=�19.
137
Example:�Encryption
• p =�7,� q =�11,� n =�77 • Alice�chooses� e =�17,�making� d =�53 • Bob�wants�to�send�Alice�secret�message� HELLO (07 04 11 11 14) – 07 17 mod�77�=�28 – 04 17 mod�77�=�16 – 11 17 mod�77�=�44 – 11 17 mod�77�=�44 – 14 17 mod�77�=�42 • Bob�sends� 28 16 44 44 42
138
69 Example:�Decryption
• Alice�receives� 28 16 44 44 42 • Alice�uses�private�key,� d = 53 ,�to�decrypt�message: – 28 53 mod�77�=�07 – 16 53 mod�77�=�04 – 44 53 mod�77�=�11 – 44 53 mod�77�=�11 – 42 53 mod�77�=�14 • Alice�translates� 07 04 11 11 14 to� HELLO – No�one�else�could�read�it,�as�only�Alice�knows�her� private�key�and�that�is�needed�for�decryption
139
Digital�Signatures�in�RSA
• RSA�has�an�important�property,�not�shared�by�other� public�key�systems • Encryption�and�decryption�are�symmetric – Encryption�followed�by�decryption�yields�the�original� message – (M e mod n) d mod n = M – Decryption�followed�by�encryption� also yields�the� original�message – (Md mod n) e mod n = M – Because e and d are�symmetric�in e*d = 1 mod (p-1)*(q-1) 140
70 Digital�Signatures�in�RSA
Plaintext M’ Plaintext ? M Plaintext M M d mod n C e mod n Ciphertext C (signature)
A's Private Key d A's Public Key e
AA RELIABLE CHANNEL BB
141
Compared�To�Encryption�in�RSA
Plaintext Plaintext M M M e mod n C d mod n Ciphertext C AA BB
B's Public Key e B's Private Key d
RELIABLE CHANNEL
142
71 Signature�and�Encryption A B A Encrypted B Signed Signed Signed Plaintext Plaintext Plaintext Plain- Plain- text text D E D E
A's Private B's Public B's Private A's Public Key Key Key Key
143
Example:�Sign
• Take� p =�7,� q =�11,� n =�77� • Alice�chooses� e =�17,�making� d =�53 • Alice�wants�to�send�Bob�message�HELLO�(07�04�11� 11�14)�so�Bob�knows�it�is�from�Alice,�and�it�has�not� been�modified�in�transit – 07 53 mod�77�=�35 – 04 53 mod�77�=�09 – 11 53 mod�77�=�44 – 11 53 mod�77�=�44 – 14 53 mod�77�=�49 • Alice�sends�35�09�44�44�49
144
72 Example:�Verify
• Bob�receives�35�09�44�44�49 • Bob�uses�Alice’s�public�key,� e =�17,� n =�77,�to�decrypt� message: – 35 17 mod�77�=�07 – 09 17 mod�77�=�04 – 44 17 mod�77�=�11 – 44 17 mod�77�=�11 – 49 17 mod�77�=�14 • Bob�translates� 07 04 11 11 14 to� HELLO – (Assume)�only�Alice�has�her�private�key,�so�no�one�else�could� have�been�able�to�create�a�correct�signature – The�(deciphered)�signature�matches�the�transmitted�plaintext,�so the�plaintext�is�not�altered 145
Example:�Both
• Alice�wants�to�send�Bob�message�HELLO�both�enciphered�and� signed – Alice’s�keys:�public�(17,�77);�private:�53 – Bob’s�keys:�public:�(37,�77);�private:�13 • Alice�does�(does�she�encipher�first�or�sign�first?) – (07 53 mod�77) 37 mod�77�=�07 – (04 53 mod�77) 37 mod�77�=�37 – (11 53 mod�77) 37 mod�77�=�44 – (11 53 mod�77) 37 mod�77�=�44 – (14 53 mod�77) 37 mod�77�=�14 • Alice�sends�07�37�44�44�14 • What�would�Bob�do�upon�receiving�the�message?
146
73 Class�Exercise
1. Find�primes�p�and�q�so�that�12�bit�plaintext�blocks� could�be�encrypted�with�RSA. 2. Decrypt�the�ciphertext C=4�using�RSA�with�the� private�key�{d=7,�p=3,�q=7}
147
RSA�KEY�SIZE
• In�August�1999�a�group�using�300�workstations�and�PCs�was� able�to�factor�512�bit�number�in�7�months. • RSA�Laboratories�currently�recommends�key�sizes�of�1024� bits�for�corporate�use�and�2048�bits�for�extremely�valuable� keys�like�the�root�key�pair�used�by�a�certifying�authority� (rsasecurity.com) • What�does�an�RSA�155�number�look�like?
148
74 RSA�155�Number
10263959282974110577205419657399759007165678080380668 334193352190711307779� * 1066034883801684548209272203600187867920795857598929 22270608237193062808643.� = 10941738641570527421809707322040357612003732945449 20599091384213147634998428893478471799725789126733 24976257528997818337970765372440271467435315933543 33897�
149
Finding�Large�Prime�Numbers
• Good�news – Infinite�number�of�prime�numbers� ☺ • Bad�news – The�prime�number�ratio�decreases�as�the�prime�number�gets� big� � • Brute�force – Try�to�divide�n�by�2,…,n1/2 – Impractical�for�large�number!!! • No�known�practical�method�to�determine�if�a�given�large�number� is�prime� � • However�fast�probabilistic�primality test�exists. That�is,�determine�if�a�larger�number�is�likely�to�be�a�prime.
150
75 Finding�Large�Prime�Numbers�(Cont’d)
• Primality test – Randomly�pick�0< a 151 The�Security�of�RSA • Attacks�against�RSA – Brute�force:�Try�all�possible�private�keys • Can�be�defeated�by�using�a�large�key�space – Mathematical�attacks • Factor� n into� n=p*q. • Determine�ø(n)�directly:�equivalent�to�factoring� n. • Determine� d directly:�at�least�as�difficult�as�factoring� n.� 152 76 The�Security�of�RSA�(Cont’d) • Factoring�large�integer�is�very�hard! • But�if�you�can�factor�big�number� n then�given�public�key� 153 RSA�Versus�DES • Fastest�implementations�of�RSA�can�encrypt� kilobits/second • Fastest�implementations�of�DES�can�encrypt� megabits/second • It�is�often�proposed�that�RSA�be�used�for�secure� exchange�of�DES�keys • This�1000�fold�difference�in�speed�is�likely�to�remain� independent�of�technology�advances 154 77