SI4 – Advanced Networks: An Introduction to Computer Network Security

An Introduction to Applied

Dr. Quentin Jacquemart [email protected]

http://www.qj.be/teaching/

Outline

⇒ Introduction

• Classic Cryptography and

• Principles of Cryptography

• Symmetric Cryptography (aka. Secret-Key Cryptography)

• Asymmetric Cryptography (aka. Public-Key Cryptography)

• Hashes and Message Digests

• Conclusion

Slide 2: Introduction I

• Cryptography is at the crossroads of mathematics, electronics, and science

• The use of cryptography to provide confidentiality is self-evident

• But cryptography is a cornerstone of network security

• Cryptology is a (mathematical) discipline that includes

— cryptography: studies how to exchange confidential messages over an unsecured/untrusted channel

— cryptanalysis: studies how to extract meaning out of a confidential message, i.e. how to breach cryptography

Slide 3: Introduction II

• Plaintext: the message to be exchanged between Alice and Bob (P)

• Ciphering: a cryptographic function that encodes the plaintext into ciphertext (encrypt: E(·))

• Ciphertext: result of applying the cipher function to the plaintext (unreadable) (C)

• Deciphering: a cryptographic function that decodes the ciphertext into plaintext (decrypt: D(·))

• Key: a secret parameter given to the cryptographic functions (K)

Slide 4: Introduction III

[Figure: Alice feeds the plaintext P to the encryption algorithm E(·) and sends the ciphertext E(P) over the channel; Bob applies the decryption algorithm D(·) and recovers the plaintext P = D(E(P)); Trudy sits on the channel between Alice and Bob]

Slide 5: Outline

• Introduction

⇒ Classic Cryptography and Cryptanalysis

• Principles of Cryptography

• Symmetric Cryptography (aka. Secret-Key Cryptography)

• Asymmetric Cryptography (aka. Public-Key Cryptography)

• Hashes and Message Digests

• Conclusion

Slide 6: Caesar Cipher [Stallings 2013; Kurose et al. 2017]

plain:  a b c d e f g h i j k  l  m  n  o  p  q  r  s  t  u  v  w  x  y  z
        0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
cipher: d e f g h i j k l m n  o  p  q  r  s  t  u  v  w  x  y  z  a  b  c
        3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 0  1  2

plain:  bob, i love you. alice
cipher: ere, l oryh brx. dolfh

$c_i = E(p_i) = v(p_i) + k \bmod 26$ and $p_i = D(c_i) = v(c_i) - k \bmod 26$, with $k = 3$ for Caesar

Only 25 possible keys ⇒ Brute force attack is possible

Slide 7: Monoalphabetic Cipher [Kurose et al. 2017]

• 25 possible keys ⇒ Caesar cipher is far from secure

• Let’s increase the keyspace!

• Monoalphabetic substitution — uniquely replace one letter with another, without regular pattern

plain:  a b c d e f g h i j k l m n o p q r s t u v w x y z
cipher: m n b v c x z a s d f g h j k l p o i u y t r e w q

plain:  bob, i love you. alice
cipher: nkn, s gktc wky. mgsbc

• Keyspace: 26! substitutions possible ($26! \approx 2^{88}$)

• Spectrum too broad for brute force attack ⇒ job done?

Slide 8: Monoalphabetic Cipher: Cryptanalysis I [Stallings 2013]

Imagine you know the nature of the plaintext, e.g. uncompressed English

1. Compute the relative frequency of letters in the ciphertext

2. Compare with the standard distribution for English

[Figure 2.5 of Stallings: relative frequency (%) of letters in English text: E 12.702, T 9.056, A 8.167, O 7.507, I 6.996, N 6.749, S 6.327, H 6.094, R 5.987, D 4.253, L 4.025, C 2.782, U 2.758, M 2.406, W 2.360, F 2.228, G 2.015, Y 1.974, P 1.929, B 1.492, V 0.978, K 0.772, J 0.153, X 0.150, Q 0.095, Z 0.074]

So far, then, we have (ciphertext, with the letters recovered so far written beneath each line):

UZQSOVUOHXMOPVGPOZPEVSGZWSZOPFPESXUDBMETSXAIZ
t a e e te a that e e a a

VUEPHZHMDZSHZOWSFPAPPDTSVPQUZWYMXUZUHSX
e t ta t ha e ee a e th t a

EPYEPOPDZSZUFPOMBZWPFUPZHMDJUDTMOHMQ
e e e tat e the t

Only four letters have been identified, but already we have quite a bit of the message. Continued analysis of frequencies plus trial and error should easily yield a solution from this point. The complete plaintext, with spaces added between words, follows:

it was disclosed yesterday that several informal but direct contacts have been made with political representatives of the viet cong in moscow

⇒ The relative frequency of letters is sufficient to decrypt a long-enough (100's of characters) message

Slide 9: Monoalphabetic Cipher: Cryptanalysis II

If the ciphertext is not long enough:

1. Use bigram, trigram, quadgram, ..., and (short) word frequencies [Singh 2002]

Bigrams: th, er, on, an, re, he, in, ed, nd, ha, at, en, es, of, or, nt, ea, ti, to, it, st, io, le, is, ou, ar, as, de, rt, ve
Trigrams: the, and, tha, ent, ion, tio, for, nde, has, nce, edt, tis, oft, sth, men
Doubles: ss, ee, tt, ff, ll, mm, oo
First letters: t, o, a, w, b, c, d, s, f, m, r, h, i, y, e, g, l, n, p, u, j, k
Final letters: e, s, t, d, n, r, y, f, l, o, g, h, a, k, m, p, u, w
One-letter words: a, I
Two-letter words: of, to, in, it, is, be, as, at, so, we, he, by, or, on, do, if, me, my, up, an, go, no, us, am
...

2. Assign parts of the key according to these rules, and brute force the other positions

⇒ Monoalphabetic ciphers are easy to break: they reflect the same frequency data as the plaintext
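As an added example (not code from the slides): Caesar encryption with the 25-key brute force, and the letter-frequency ranking that starts the monoalphabetic attack, run on the slide's Caesar example and on the Stallings ciphertext above. The English letter order is that of Figure 2.5; the function names are this example's own.

```python
from collections import Counter

ALPHABET = "abcdefghijklmnopqrstuvwxyz"
# English letters ordered by decreasing frequency (Figure 2.5 of Stallings)
ENGLISH_BY_FREQUENCY = "etaoinshrdlcumwfgypbvkjxqz"

# Stallings' monoalphabetic ciphertext as shown on the slide (120 letters)
STALLINGS_CT = ("UZQSOVUOHXMOPVGPOZPEVSGZWSZOPFPESXUDBMETSXAIZ"
                "VUEPHZHMDZSHZOWSFPAPPDTSVPQUZWYMXUZUHSX"
                "EPYEPOPDZSZUFPOMBZWPFUPZHMDJUDTMOHMQ")


def caesar(text, k):
    """c_i = v(p_i) + k mod 26; punctuation and spaces pass through."""
    out = []
    for ch in text:
        if ch.isalpha():
            out.append(ALPHABET[(ALPHABET.index(ch.lower()) + k) % 26])
        else:
            out.append(ch)
    return "".join(out)


def caesar_brute_force(ciphertext):
    """Only 25 keys exist: return every candidate plaintext, keyed by k."""
    return {k: caesar(ciphertext, -k) for k in range(1, 26)}


def letter_frequencies(text):
    """Relative frequency (%) of each letter, most frequent first."""
    letters = [c for c in text.upper() if c.isalpha()]
    counts = Counter(letters)
    total = len(letters)
    return [(c, round(100 * n / total, 2)) for c, n in counts.most_common()]


def guess_substitutions(ciphertext, how_many=2):
    """Pair the most frequent ciphertext letters with the most frequent
    English letters: the first step of the statistical attack."""
    ranked = letter_frequencies(ciphertext)
    return {c: ENGLISH_BY_FREQUENCY[i] for i, (c, _) in enumerate(ranked[:how_many])}


def partial_decrypt(ciphertext, mapping):
    """Apply a partial key; letters not yet identified are shown as '_'."""
    return "".join(mapping.get(c, "_") if c.isalpha() else c
                   for c in ciphertext.upper())


if __name__ == "__main__":
    ct = caesar("bob, i love you. alice", 3)
    print(ct)                                    # ere, l oryh brx. dolfh
    for k, candidate in caesar_brute_force(ct).items():
        print(k, candidate)                      # only k = 3 reads as English
    print(letter_frequencies(STALLINGS_CT)[:4])  # P and Z dominate, like e and t
    print(partial_decrypt(STALLINGS_CT, guess_substitutions(STALLINGS_CT)))
```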

Slide 10: Vigenère Cipher [Stallings 2013]

Polyalphabetic substitution: hide the structure of the plaintext by using multiple monoalphabetic substitutions.

• We have the 26 Caesar ciphers

• We use one Caesar rule per plaintext character

• The order in which we use them is the key i.e. for a text of length n and a key of length m (m ≤ n):

$c_0 = p_0 + k_0 \bmod 26$
$c_1 = p_1 + k_1 \bmod 26$
$\ldots$
$c_{m-1} = p_{m-1} + k_{m-1} \bmod 26$
$c_m = p_m + k_0 \bmod 26$
$\ldots$
$c_{n-1} = p_{n-1} + k_{(n-1) \bmod m} \bmod 26$

Slide 11: Vigenère Cipher: Cryptanalysis I [Stallings 2013]

• Good at obscuring letter frequency information

• Some information from the plaintext still remains

[Figure 2.6 of Stallings: relative frequency of occurrence of letters, normalized to the most frequent letter, plotted against frequency-ranked letters (decreasing frequency), for plaintext, Playfair, Vigenère and a random polyalphabetic cipher]

Slide 12: Vigenère Cipher: Cryptanalysis II [Stallings 2013]

plain:  w e a r e d i s c o v e r e d s a v e y o u r s e l f
key:    d e c e p t i v e d e c e p t i v e d e c e p t i v e
cipher: z i c v t w q n g r z g v t w a v z h c q y g l m g j

1. Determine the key length

— based on sequence repetitions in the ciphertext

— here: displacement of 9 (the repeated sequence vtw) ⇒ key of length (1,) 3, or 9

— sequence repetitions are unavoidable with long ciphertexts

2. Attack the monoalphabetic substitutions individually

— here: key length = 9 ⇒ attack 9 separate Caesar ciphers, one for every 9th character

Slide 13: Vigenère Cipher with Auto Key [Stallings 2013]

Use non-repeating keyword, which is as long as message

plain:  w e a r e d i s c o v e r e d s a v e y o u r s e l f
key:    d e c e p t i v e w e a r e d i s c o v e r e d s a v
cipher: z i c v t w q n g k z e i i g a s x s t s l v v w l a

Still vulnerable to statistical analysis: key and plaintext exhibit same frequency distribution
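The two preceding slides (periodic Vigenère and its Kasiski-style key-length test, and the auto-key variant) as one added example, not code from the slides; the plaintext and keyword are the slides' own, the function names are this example's:

```python
from math import gcd

ALPHABET = "abcdefghijklmnopqrstuvwxyz"


def vigenere(text, key, decrypt=False):
    """c_i = p_i + k_(i mod m) mod 26 (minus for decryption); letters only."""
    out = []
    for i, ch in enumerate(text):
        k = ALPHABET.index(key[i % len(key)])
        shift = -k if decrypt else k
        out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
    return "".join(out)


def autokey_encrypt(plaintext, keyword):
    """Auto key: the running key is the keyword followed by the plaintext itself."""
    return vigenere(plaintext, keyword + plaintext)


def autokey_decrypt(ciphertext, keyword):
    """Each recovered plaintext letter extends the key for the letters that follow."""
    key, out = list(keyword), []
    for i, ch in enumerate(ciphertext):
        p = ALPHABET[(ALPHABET.index(ch) - ALPHABET.index(key[i])) % 26]
        out.append(p)
        key.append(p)
    return "".join(out)


def kasiski_displacements(ciphertext, n=3):
    """Distances between repeated n-grams; with a periodic key the key length
    divides them (on the slide, "vtw" repeats at a displacement of 9)."""
    first_seen, displacements = {}, {}
    for i in range(len(ciphertext) - n + 1):
        gram = ciphertext[i:i + n]
        if gram in first_seen:
            displacements.setdefault(gram, []).append(i - first_seen[gram])
        else:
            first_seen[gram] = i
    return displacements


def candidate_key_lengths(displacements):
    """Divisors of the gcd of all displacements: the possible key lengths."""
    g = 0
    for dists in displacements.values():
        for d in dists:
            g = gcd(g, d)
    return [m for m in range(1, g + 1) if g % m == 0]


def caesar_columns(ciphertext, m):
    """Every m-th letter was shifted by the same key letter: m Caesar ciphers."""
    return [ciphertext[i::m] for i in range(m)]


if __name__ == "__main__":
    pt, key = "wearediscoveredsaveyourself", "deceptive"
    ct = vigenere(pt, key)
    print(ct)                                   # zicvtwqngrzgvtwavzhcqyglmgj
    reps = kasiski_displacements(ct)
    print(reps, candidate_key_lengths(reps))    # {'vtw': [9]} [1, 3, 9]
    print(caesar_columns(ct, 9))                # column 0 = "zrh", Caesar key d
    print(autokey_encrypt(pt, key))             # zicvtwqngkzeiigasxstslvvwla
```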

Slide 14: Playfair Cipher [Stallings 2013]

• Multiple letter encryption: treat bigrams (or digrams) as single units

• Playfair relies on a 5 × 5 matrix, filled with the key (here "playfair", repetitions avoided) and then alphabetically, with i and j sharing one cell:

p l a y f
i r b c d
e g h k m
n o q s t
u v w x z

1. Encrypt the plaintext two letters at a time — split double letters in the same pair with 'x' (e.g. balloon → ba lx lo on)

2. Plaintext letters in the same row are encrypted by the letter one to the right (e.g. E(ay) = yf; E(st) = tn)

3. Plaintext letters in the same column are encrypted by the letter one beneath (e.g. E(pu) = ip; E(aq) = bw)

4. Else, replace each letter by the letter in its own row and in the column of the other letter (e.g. E(qu) = nw; E(ew) = hu)

Slide 15: Playfair Cipher: Cryptanalysis [Triguero et al. 2006]

• Keyspace

— 25 letters

— Shifts of rows and/or columns lead to the same ciphertext

⇒ There are $\frac{25!}{5^2} = 24!$ distinct keys ($\approx 2^{79}$)

• The ciphertext is composed of an independent set of bigrams

— Inverted letters result in inverted ciphered bigrams (e.g. E(es) = kn, E(se) = nk)

— Regardless of the key, there are only $A^2_{25} = \frac{25!}{(25-2)!} = 25 \times 24 = 600$ possible bigrams as output of Playfair

⇒ Statistical attack on bigrams
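The Playfair rules of the previous slide and the 600-output-bigram property of this one, as an added example (not code from the slides); the "playfair" key and the test pairs are the slides' own, the function names are this example's:

```python
import itertools

ALPHABET_NO_J = "abcdefghiklmnopqrstuvwxyz"   # i and j share one cell


def playfair_table(keyword):
    """5 x 5 table: keyword letters first (repetitions dropped), then the rest."""
    cells = []
    for ch in (keyword + ALPHABET_NO_J).lower():
        ch = "i" if ch == "j" else ch
        if ch.isalpha() and ch not in cells:
            cells.append(ch)
    return [cells[r * 5:(r + 1) * 5] for r in range(5)]


def _position(table, ch):
    for r, row in enumerate(table):
        if ch in row:
            return r, row.index(ch)
    raise ValueError(ch)


def playfair_digrams(plaintext):
    """Rule 1: split into pairs; a double letter in one pair is separated with 'x'."""
    letters = ["i" if c == "j" else c for c in plaintext.lower() if c.isalpha()]
    pairs, i = [], 0
    while i < len(letters):
        a = letters[i]
        b = letters[i + 1] if i + 1 < len(letters) else "x"
        if a == b:
            pairs.append(a + "x")
            i += 1
        else:
            pairs.append(a + b)
            i += 2
    return pairs


def playfair_pair(table, pair, direction=1):
    """Rules 2-4; direction=-1 decrypts (one to the left / one above)."""
    (r1, c1), (r2, c2) = _position(table, pair[0]), _position(table, pair[1])
    if r1 == r2:                                   # same row: shift right
        return table[r1][(c1 + direction) % 5] + table[r2][(c2 + direction) % 5]
    if c1 == c2:                                   # same column: shift down
        return table[(r1 + direction) % 5][c1] + table[(r2 + direction) % 5][c2]
    return table[r1][c2] + table[r2][c1]           # rectangle: swap the columns


def playfair_encrypt(plaintext, keyword):
    table = playfair_table(keyword)
    return "".join(playfair_pair(table, p) for p in playfair_digrams(plaintext))


def playfair_decrypt(ciphertext, keyword):
    table = playfair_table(keyword)
    pairs = [ciphertext[i:i + 2] for i in range(0, len(ciphertext), 2)]
    return "".join(playfair_pair(table, p, -1) for p in pairs)


def ciphertext_digram_count(keyword):
    """Whatever the key, only the 25 * 24 ordered pairs of distinct letters can
    come out (600 of the 676 digrams): what the bigram statistics exploit."""
    table = playfair_table(keyword)
    outputs = {playfair_pair(table, a + b)
               for a, b in itertools.permutations(ALPHABET_NO_J, 2)}
    return len(outputs)


if __name__ == "__main__":
    for row in playfair_table("playfair"):
        print(" ".join(row))
    print(playfair_digrams("balloon"))             # ['ba', 'lx', 'lo', 'on']
    print(playfair_encrypt("balloon", "playfair"))
    print(ciphertext_digram_count("playfair"))     # 600
```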

Slide 16: Hill Cipher [Stallings 2013]

Multiletter cipher based on modular linear algebra

$C = E(P, K) = PK \bmod 26$ and $P = D(C, K) = CK^{-1} \bmod 26$, where K is invertible modulo 26

For example, considering blocks of size 3 (i.e. the encryption of trigrams):

$$\begin{pmatrix} c_1 & c_2 & c_3 \end{pmatrix} = \begin{pmatrix} p_1 & p_2 & p_3 \end{pmatrix} \begin{pmatrix} k_{11} & k_{12} & k_{13} \\ k_{21} & k_{22} & k_{23} \\ k_{31} & k_{32} & k_{33} \end{pmatrix} \bmod 26$$

⇔

$$\begin{cases} c_1 = k_{11}p_1 + k_{21}p_2 + k_{31}p_3 \bmod 26 \\ c_2 = k_{12}p_1 + k_{22}p_2 + k_{32}p_3 \bmod 26 \\ c_3 = k_{13}p_1 + k_{23}p_2 + k_{33}p_3 \bmod 26 \end{cases}$$

Slide 17: Hill Cipher: Cryptanalysis [Stallings 2013]

• Like Playfair: hides single-letter frequencies, even though it is worse than Playfair for bigrams

• The larger the size of K, the more frequency information is hidden: a 3 × 3 K hides bigram information, etc.

• The cipher is easily broken with known-plaintext attacks. For an m × m cipher,

— if you know m plaintext-ciphertext pairs, each of length m

— you have an unknown m × m matrix K such that

$$C = PK \Leftrightarrow \begin{pmatrix} c_{11} & c_{12} & \cdots & c_{1m} \\ \vdots & \vdots & \ddots & \vdots \\ c_{m1} & c_{m2} & \cdots & c_{mm} \end{pmatrix} = \begin{pmatrix} p_{11} & p_{12} & \cdots & p_{1m} \\ \vdots & \vdots & \ddots & \vdots \\ p_{m1} & p_{m2} & \cdots & p_{mm} \end{pmatrix} K$$

and you need to invert P, so that $K = P^{-1}C$

— if $\det P = 0$, you need additional plaintext-ciphertext pairs

Slide 18: Breaking the Hill Cipher using Crib Dragging I [Lyons 2012]

• Imagine a 2 × 2 Hill cipher and the ciphertext

fupcmtgzkyukbqfjhuktzkkixtta

• We know "of the" is a part of the original message, so we slide it along the ciphertext bigrams:

fu pc mt gz ky uk bq fj hu kt zk ki xt ta
of th e
 o ft he
   of th e
    o ft he
      of th e
       o ft he
......

As an example, we consider the second line, i.e.

• the plaintext "ft" corresponds to the ciphertext "pc"

• the plaintext "he" corresponds to the ciphertext "mt"

Slide 19: Breaking the Hill Cipher using Crib Dragging II

$$\begin{pmatrix} p & c \\ m & t \end{pmatrix} = \begin{pmatrix} f & t \\ h & e \end{pmatrix} K \quad\Leftrightarrow\quad \begin{pmatrix} 15 & 2 \\ 12 & 19 \end{pmatrix} = \begin{pmatrix} 5 & 19 \\ 7 & 4 \end{pmatrix} K$$

and

$$K = P^{-1}C = \begin{pmatrix} 5 & 19 \\ 7 & 4 \end{pmatrix}^{-1} \begin{pmatrix} 15 & 2 \\ 12 & 19 \end{pmatrix}$$

Slide 20: Breaking the Hill Cipher using Crib Dragging III

$\det P = -113 \Rightarrow P$ is invertible; $\det P \bmod 26 = -9 \bmod 26 = 17$

$$P^{-1} \bmod 26 = \frac{1}{\det P}\,\Delta_P^{T} \bmod 26 = \frac{1}{17}\begin{pmatrix} (-1)^{1+1}\cdot 4 & (-1)^{1+2}\cdot 19 \\ (-1)^{2+1}\cdot 7 & (-1)^{2+2}\cdot 5 \end{pmatrix} \bmod 26 = \frac{1}{17}\begin{pmatrix} 4 & 7 \\ 19 & 5 \end{pmatrix} \bmod 26$$

Computing the modular inverse: $17x \bmod 26 = 1 \Rightarrow x = 23$; and

$$P^{-1} \bmod 26 = 23\begin{pmatrix} 4 & 7 \\ 19 & 5 \end{pmatrix} \bmod 26 = \begin{pmatrix} 92 & 161 \\ 437 & 115 \end{pmatrix} \bmod 26 = \begin{pmatrix} 14 & 5 \\ 21 & 11 \end{pmatrix}$$

Slide 21: Breaking the Hill Cipher using Crib Dragging IV

So, we have

$$K = P^{-1}C = \begin{pmatrix} 14 & 5 \\ 21 & 11 \end{pmatrix}\begin{pmatrix} 15 & 2 \\ 12 & 19 \end{pmatrix} \bmod 26 = \begin{pmatrix} 270 & 123 \\ 447 & 251 \end{pmatrix} \bmod 26 = \begin{pmatrix} 10 & 19 \\ 5 & 17 \end{pmatrix}$$

and the candidate key is "jftr". If we use the key "jftr" to decrypt the ciphertext, the result is

frfthezyssqyvfetlvbafvaconfz

So, the assumption about the pairs of ciphertext/plaintext was wrong.

Slide 22: Breaking the Hill Cipher using Crib Dragging V

If we apply the same method with the 18th line, we have

$$\begin{pmatrix} k & t \\ z & k \end{pmatrix} = \begin{pmatrix} f & t \\ h & e \end{pmatrix} K \quad\Leftrightarrow\quad \begin{pmatrix} 10 & 19 \\ 25 & 10 \end{pmatrix} = \begin{pmatrix} 5 & 19 \\ 7 & 4 \end{pmatrix} K$$

$$K = \begin{pmatrix} 5 & 19 \\ 7 & 4 \end{pmatrix}^{-1}\begin{pmatrix} 10 & 19 \\ 25 & 10 \end{pmatrix} \bmod 26 = \begin{pmatrix} 5 & 4 \\ 17 & 15 \end{pmatrix}$$

and the candidate key is “erdp”. Using this key, the decryption yields

defendtheeastwallofthecastle

and the cipher is broken.

Slide 23: One-Time Pad I [Stallings 2013]

• Use a random key, that is as long as the message ⇒ No need to repeat the key

— Key is unique to a single message, and then discarded

• Only cryptosystem that exhibits perfect secrecy: no matter how much ciphertext you have, you never get information about the plaintext

cipher: ankyodkyurepfjbyojdsplreyiunofdoiuerfpluyts
key:    pxlmvmsydofuyrvzwctnlebnecvgdupahfzzlmnyih
plain:  mr mustard with the candlestick in the hall

key:    pftgpmiydgaxgoufhklllmhsqdqogtewbqfgyovuhwt
plain:  miss scarlet with the knife in the library


Slide 25: Rotor Machines I

Rotor machines: ubiquitous ciphering mechanism during the 1920s-1980s

• A random sequence makes a polyalphabetic substitution unbreakable (see One-Time Pad, slide 23)

• Problem: long random sequences are impractical to use

• Solution: generate a long key from a simple pattern automatically

Slide 26: Rotor Machines II

• A rotor wires the electrical current from any of the 26 inputs to any of the 26 outputs (= a substitution cipher)

• The wiring between inputs and outputs can be changed depending on the rotor position

• A size-26 rotor is effectively a Vigenère cipher ⇒ easy to break

• Add a new rotor, which steps only when the first rotor has done a revolution

• Now you need 26 · 26 = 676 letters before repeating the substitution

• For three rotors, you need 26 · 26 · 26 = 17,576 letters

[Figure 2.8 of Stallings: three-rotor machine (fast, medium and slow rotors) with wiring represented by numbered contacts; (a) initial setting, (b) setting after one keystroke]

Slide 27: The Enigma Machine I [Rijmenants 2011]

• Keyboard: plaintext/ciphertext to convert

— involution (for ease of use)

— a keystroke steps the rotor by one position

• Lightboard: converted text

• 3 rotors in use — 8 distinct rotors available — window to show/set position

• 1 reflector in use — 2 distinct reflectors available

• 1 plugboard, up to 10 pairs connected

Slide 28: The Enigma Machine II [Rijmenants 2011]

• All machines need to be set up with identical settings

— Rotor selection and position on the shaft

— Relative position of the alphabet on the rotor

— Reflector selection

— Plugboard connections

— Starting position of the rotors

• We now call this a key distribution problem

— Starting position: chosen by the operator (now called an )

— Other settings distributed by sheets

Slide 29: The Enigma Machine III [Rijmenants 2011]

Slide 30: Enigma: Theoretical Strength – Plugboard I [Miller 1995]

• The plugboard has 26 sockets

• Swaps inputs to scramble the letters

Slide 31: Enigma: Theoretical Strength – Plugboard II [Miller 1995]

• Its security depends on

1. the number of cables/connections used (p)

2. the group of sockets selected to be plugged

3. the interconnections made

• Given p cables (0 ≤ p ≤ 13) there are

$$C^{26}_{2p} = \binom{26}{2p} = \frac{26!}{(2p)!\,(26-2p)!}$$

possible distinct selections of 2p sockets

Slide 32: Enigma: Theoretical Strength – Plugboard III [Miller 1995]

• Within each of these selections of 2p sockets:

— The end of the first cable can be plugged into 2p − 1 sockets

— The end of the second cable can be plugged into 2p − 3 sockets

— The total number of connections of p cables inside the 2p sockets is

$$(2p-1)(2p-3)\cdots(1) = (2p-1)!! = \frac{(2p)!}{2^p\,p!}$$

• The number of possible settings for the plugboard with p cables is

$$C^{26}_{2p}\,(2p-1)!! = \frac{26!}{(2p)!\,(26-2p)!}\cdot\frac{(2p)!}{2^p\,p!} = \frac{26!}{2^p\,(26-2p)!\,p!}$$

• The overall total number of plugboard settings is

$$\sum_{p=0}^{13} \frac{26!}{2^p\,(26-2p)!\,p!} > 532\cdot 10^{12}$$

Slide 33: Enigma: Theoretical Strength – Rotors [Rijmenants 2011]

• There are 26! possible rotors mapping 26 inputs to 26 outputs

• Any of these can be put on the shaft, that is

$$26!\,(26!-1)\,(26!-2)$$

possible orders

• Each rotor can be inserted in any of the 26 positions, that is

$$26^3 = 17{,}576$$

possible starting positions for the rotors

• Each rotor has a movable ring with a notch that pushes the next rotor after a revolution

• This means $26^2 = 676$ possible ring positions that affect the way rotors turn

Slide 34: Enigma: Theoretical Strength [Miller 1995]

• The reflector is similar to the plugboard

— Connects two inputs together to swap their signal

— Ensures one letter cannot be translated as itself

• There are $(26-1)!! = 25!! > 7\cdot 10^{12}$ possible reflectors

• The theoretical number of possible configurations for Enigma is

$$\left(\sum_{p=0}^{13} \frac{26!}{2^p\,(26-2p)!\,p!}\right)\cdot 26!\cdot(26!-1)\cdot(26!-2)\cdot 26^3\cdot 26^2\cdot 25!! > 3\cdot 10^{114}$$

The total number of atoms in the universe is about $10^{80}$

Slide 35: Enigma: Figuring out the Rotor Wirings I [Rijmenants 2011]

• The settings of the machine were valid for 1 day

• Before ciphering a message, the operator chooses a message key

— The position of the rotors to be used to decipher the message

• Using the start position of the code sheet:

1. Choose 3 letters (e.g. GHK)

2. Type them once (e.g. they are translated as XMC)

3. Type them once more (e.g. they are translated as FZQ)

4. Move the rotors to the key position (e.g. GHK)

5. Type the message

• Transmit the message starting with the key (e.g. XMCFZQ)

Slide 36: Enigma: Figuring out the Rotor Wirings II [Rijmenants 2011]

• French Intelligence got hold of a manual for Enigma

• Transmitted to the Polish Cipher Bureau in 1932

• Obvious relationship between the first 6 letters of any message!

G → X, H → M, K → C
G + 3 positions → F, H + 3 positions → Z, K + 3 positions → Q

• The rotor wirings were uncovered within weeks of message capture

• The German cryptologists realized this weakness only in 1940

Slide 37: Enigma: Practical Security [Rijmenants 2011; Miller 1995; Ratcliff 2003]

• The number of cables used was known to be p = 10, i.e. $> 50\cdot 10^{12}$ plugboard settings

• There were 5 rotors in use, therefore only 5 · 4 · 3 = 60 possible orders

• The number of possible initial positions remains $26^3 = 17{,}576$

• The number of possible ring settings remains $26^2 = 676$

• Only 1 reflector was (mostly) used

• The total key space for Enigma, as used by Nazi Germany, was around $1.07\cdot 10^{23}$, i.e. a 77-bit key
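The plugboard, rotor and reflector counts of slides 31 to 34 and the practical key space of this slide, computed exactly with integer arithmetic, as an added example (not code from the slides); the function names are this example's own:

```python
from math import comb, factorial


def odd_double_factorial(n):
    """n!! for odd n: n * (n-2) * ... * 1; (-1)!! = 1 by convention."""
    result = 1
    while n > 1:
        result *= n
        n -= 2
    return result


def plugboard_settings(p):
    """Settings with p cables: choose 2p of 26 sockets, then pair them up."""
    return comb(26, 2 * p) * odd_double_factorial(2 * p - 1)


def plugboard_settings_closed_form(p):
    """The slide's simplified form 26! / (2^p (26-2p)! p!); exact integer division."""
    return factorial(26) // (2 ** p * factorial(26 - 2 * p) * factorial(p))


def plugboard_total():
    """Sum over p = 0 .. 13 cables."""
    return sum(plugboard_settings(p) for p in range(14))


def reflector_count():
    """A reflector pairs all 26 contacts: (26-1)!! = 25!! wirings."""
    return odd_double_factorial(25)


def enigma_theoretical_key_space():
    """Every rotor wiring possible: plugboard * ordered choice of 3 rotors out of
    26! wirings * 26^3 start positions * 26^2 ring settings * reflectors."""
    rotors = factorial(26) * (factorial(26) - 1) * (factorial(26) - 2)
    return plugboard_total() * rotors * 26 ** 3 * 26 ** 2 * reflector_count()


def enigma_practical_key_space():
    """As operated: always 10 cables, 3 of 5 known rotors, 1 reflector."""
    return plugboard_settings(10) * (5 * 4 * 3) * 26 ** 3 * 26 ** 2


if __name__ == "__main__":
    print(f"plugboard, 10 cables : {plugboard_settings(10):,}")
    print(f"plugboard, any p     : {plugboard_total():,}")
    print(f"theoretical key space: {enigma_theoretical_key_space():.3e}")
    ks = enigma_practical_key_space()
    print(f"practical key space  : {ks:.3e} ({ks.bit_length()} bits)")
```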

Slide 38: Enigma: Attacking with Cribs

• Prototyped messages were exchanged every day

— e.g. every morning, 6AM, weather reports ⇒ "wetterbericht" would be included in the message

• Enigma does not encode a letter to itself, so the crib can only sit where none of its letters coincides with the ciphertext letter beneath it:

··· jxatqbggywcrybbqt ···
    wetterbericht
     wetterbericht
      wetterbericht
       wetterbericht

• The crib is used as input to a Bombe to automatically test all possible Enigma settings
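Crib placement as in the figure above, as an added example (not code from the slides): the ciphertext excerpt and the crib are the slide's, the functions are this example's own.

```python
def crib_conflicts(ciphertext, crib):
    """For every offset, the crib positions whose letter equals the ciphertext
    letter underneath; Enigma never maps a letter to itself, so any such
    position rules that offset out."""
    conflicts = {}
    for offset in range(len(ciphertext) - len(crib) + 1):
        window = ciphertext[offset:offset + len(crib)]
        conflicts[offset] = [i for i, (c, p) in enumerate(zip(window, crib)) if c == p]
    return conflicts


def crib_offsets(ciphertext, crib):
    """Offsets where the crib can sit: those with no letter coincidence."""
    return [off for off, bad in crib_conflicts(ciphertext, crib).items() if not bad]


if __name__ == "__main__":
    ct, crib = "jxatqbggywcrybbqt", "wetterbericht"     # excerpt from the slide
    print(ct)
    for off, bad in crib_conflicts(ct, crib).items():
        verdict = "possible" if not bad else "clash at " + str(bad)
        print(f"{' ' * off}{crib}  offset {off}: {verdict}")
    print(crib_offsets(ct, crib))                         # [2]
```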

Slide 39: The Turing/Welchman Bombe

• A logical, electromechanical machine used for systematic search

• Each 3-wheel column is effectively an Enigma machine

• Once a match is found, the machine stops

• The settings are tested on a real Enigma to see if the deciphered text is German

• One full run of all $26^3$ rotor positions would take 20 minutes

• 211 Bombes were built and used daily

Slide 40: Food for Thought

• The theoretical security provided by Enigma was excellent

• The operational security available was far less

— Pro: stealing an Enigma did not break the mechanism

— Con: a lot of it (rotor wiring) was security through obscurity, which cannot work (see Kerckhoffs' principles, slide 43)

• Proper design and use of cryptographic techniques is mandatory

Slide 41: Outline

• Introduction

• Classic Cryptography and Cryptanalysis

⇒ Principles of Cryptography

• Symmetric Cryptography (aka. Secret-Key Cryptography)

• Asymmetric Cryptography (aka. Public-Key Cryptography)

• Hashes and Message Digests

• Conclusion

Slide 42: Fundamental Tenet of Cryptography [Kaufman et al. 2002]

• Cryptographers invent clever methods to keep secrets

• Cryptanalysts use clever ways to discover these secrets

• The constant competition improves the global quality of encryption schemes

If lots of smart people have failed to solve a problem, then it probably won’t be solved (soon).

Slide 43: Kerckhoffs' Principles [Kerckhoffs 1883]

These are the requirements for a strong encryption system to be used within the military:

1. The system must be practically, if not mathematically, undecipherable;

2. It must not require secrecy, and it can be stolen by the enemy without causing trouble;

3a. It must be easy to communicate and retain the key without the aid of written notes;

3b. It must also be easy to change or modify the key at the discretion of the correspondents;

4. It ought to be compatible with telegraph communication;

5. It must be portable, and its use must not require more than one person;

6. It must be easy to use and must neither be stressful to use nor require the knowledge and compliance of a long series of rules.

Slide 44: How Secure? [Stallings 2013]

Unconditionally secure

• Ciphertext does not contain enough information to uniquely determine the plaintext

• Regardless of ciphertext length, or available time to break the cipher

• = One-Time Pad

Computationally secure

• Cost of breaking the cipher exceeds the value of the encrypted information

• Time required to break cipher exceeds useful lifetime of information

Slide 45: To Publish or not to Publish [Kaufman et al. 2002]

"Keeping a cryptographic algorithm as secret as possible will enhance its security." — Folk wisdom

• Bad guys will find out about the algorithm eventually anyway (e.g. Lorenz cipher, Purple cipher, etc.)

• Impossible to keep secret if the algorithm is to be widely used

• Publication gives valuable feedback and free consulting from knowledgeable people about possible weaknesses and shortcomings

N.B.:

• Kerckhoffs' principles ⇏ you should publish the algorithm

• Assume the enemy knows how the system works! i.e. even if the enemy knows the algorithm, the cipher must not be breached

• Not publishing = defense in depth (through obscurity)

Slide 46: Properties of Diffusion and Confusion [Shannon 1945]

A good ciphering system should frustrate statistical cryptanalysis. It should exhibit the properties of:

• diffusion: dissipate the statistical structure of the plaintext into long combinations of ciphered letters — the enemy would need to intercept a tremendous amount of ciphertext to reconstruct statistics

• confusion: make the relationship between the plaintext and the encryption key as complex as possible — denies the enemy the ability to reduce the space for an exhaustive key search

— e.g. ciphertext symbols should result from operations with multiple/all key symbols

Slide 47: The Avalanche Effect [Stallings 2013]

A small change in either the plaintext or the key yields a significant change in the ciphertext.

(This is a consequence of confusion)

Slide 48: Outline

• Introduction

• Classic Cryptography and Cryptanalysis

• Principles of Cryptography

⇒ Symmetric Cryptography (aka. Secret-Key Cryptography)

• Asymmetric Cryptography (aka. Public-Key Cryptography)

• Hashes and Message Digests

• Conclusion

Slide 49: Symmetric Cryptography: Introduction

• Symmetric cryptography (aka. secret-key cryptography, or conventional cryptography) is a class of cryptographic algorithms that rely on a single key for encryption and decryption

• The key is the secret, only known by the sender and receiver

• Fast implementations, both software and hardware

• Two types of algorithms: block ciphers, stream ciphers

Slide 50: The Data Encryption Standard (DES) [Kaufman et al. 2002]

• Also referred to as Data Encryption Algorithm (DEA)

• Published in 1977 by NIST — for commercial and unclassified government use!

• Based on IBM's cipher, and improved by NSA

— key reduced from 128 bits to 56 bits – 8 bits out of the 64 are parity checks and unused in the cipher!

— Improved resilience against differential cryptanalysis attacks

• Efficient to implement in hardware but relatively slow in software

• Elegant and understandable design

Slide 51: DES Overview I

[DES block diagram; figure based on [Kaufman et al. 2002]]

Slide 52: DES Overview II [Kaufman et al. 2002]

DES encrypts 64-bit blocks of plaintext, with a 56-bit key:

1. Initial Permutation: shuffle the input bits

2. Round-key Generation:

— The 56-bit key is used to generate 16 48-bit keys

— Each key is used once, in each of the 16 rounds

3. Rounds:

— Operate on the left and right halves independently (= Feistel structure)

— Composed of substitutions and permutations based on the round key

— 16 rounds, the output of a round used as input for the next round

4. Final Permutation: shuffle the bits of the 16th round's output

DES decryption works by running the algorithm backwards.

Slide 53: DES Round-Key Generation (Step 2) [Kaufman et al. 2002]

• Initial permutation

• Consider the left and right halves independently

• Shift 1 or 2 bits to the left (with wrap around)

• Use $C_i$ and $D_i$ as input for the next round

• Permute bits internally

• Reduce $C_i$ and $D_i$ from 28 bits to 24 bits

• $K_i$ is the concatenation of the two 24-bit halves

Slide 54: A DES Round (Step 3) [Kaufman et al. 2002]

• Break $R_n$ into 4-bit chunks

• Concatenate adjacent bits to the chunks ⇒ 8 chunks of 6 bits

• Substitute 6-bit chunks by 4-bit chunks ⇒ 8 chunks of 4 bits

(Decryption is the reverse operation)

Slide 55: What's so Special about DES? [Kaufman et al. 2002]

• DES appears quite simple in conception — shuffle bits, shuffle some more, and you have a cipher!

— It was proven that minor changes in the substitution make DES orders of magnitude less secure

• The design process for DES was not public — details chosen for strength? randomly? to hide an (exploitable) weakness?

— DES designers claim they knew about many attacks and

– made DES resilient against those attacks

– did not want to publicize the cryptanalytic attacks

Slide 56: DES Weaknesses [Kaufman et al. 2002]

• Complementation property — if $C = \mathrm{DES}(P, k)$, we have $\overline{C} = \mathrm{DES}(\overline{P}, \overline{k})$

• Weak and semi-weak keys

— Suspect keys when $C_0$ and $D_0$ (see slide 53) are either

– all zeros

– all ones

– alternating zeros/ones

– alternating ones/zeros

— 4 weak keys lead to $P = \mathrm{DES}(\mathrm{DES}(P, k), k)$

— 12 semi-weak keys that are inverses of one another

Slide 57: Attacks on DES I [Kaufman et al. 2002]

1. Brute force attacks: a keyspace of $2^{56}$ appeared weak from the start

— 1977: machine with 1E6 chips to break a key in 12h for US$20M (given a single plaintext-ciphertext pair)

— 1998: EFF DES cracker with 1850 CPUs breaks a key in 56h for US$250k

— 2006-2008: COPACOBANA FPGA-based machine breaks a key in under a day for around US$10k

— 2012: website crack.sh to break DES within 26 hours with FPGAs

Slide 58: Attacks on DES II [Stallings 2013]

2. Differential cryptanalysis: chosen plaintext attack

— Use messages with a known difference (e.g. $\Delta m = m_1 \oplus m_2$)

— Study the resulting difference produced by each round (e.g. $\Delta_{\mathrm{round}\,1}\, m = \mathrm{round}_1(m_1, k_1) \oplus \mathrm{round}_1(m_2, k_1)$)

— Find where the algorithm is predictable to deduce the result, and hence the round key

— The best differential attack on DES requires $2^{47}$ chosen plaintexts

3. Linear cryptanalysis: known plaintext attack

— Find linear approximations that model an encryption algorithm

— The best linear attack on DES requires $2^{43}$ known plaintext-ciphertext pairs

4. Davies' attack: known plaintext attack

Slide 59: DES: Encrypting Twice? [Kaufman et al. 2002; Stallings 2013]

• Encrypting twice with the same key, i.e. $C = \mathrm{DES}(\mathrm{DES}(P, k), k)$

— Keyspace is still $2^{56}$; the attacker only needs to decrypt twice ⇒ slows the attacker down a little bit, but also the users

• Encrypting twice with different keys, i.e. $C = \mathrm{DES}(\mathrm{DES}(P, k_1), k_2)$

— Appears more secure

— Assume you have pairs $m_1 \to c_1$, $m_2 \to c_2$, $m_3 \to c_3$

— You can build dictionaries A and B, each with $2^{56}$ elements, such that $A = \{\mathrm{DES}(m_1, k) \to k\}$ and $B = \{\mathrm{DES}^{-1}(c_1, k) \to k\}$ for all k

— Find matching elements R in A and B: $R = \mathrm{DES}(m_1, k_A) = \mathrm{DES}^{-1}(c_1, k_B)$, i.e. elements for which $c_1 = \mathrm{DES}(\mathrm{DES}(m_1, k_A), k_B)$

— Requires max. $2^{56}$ operations on each of A and B, i.e. max. $2\cdot 2^{56} = 2^{57}$

— The probability of a false positive is $1/2^{80}$ with three pairs
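The meet-in-the-middle attack above, run end to end as an added example (not code from the slides). DES is replaced by a constructed toy cipher with an 8-bit block and 8-bit key so that the dictionaries fit in memory; the S-box row, the key schedule and the secret keys are this example's own constructions.

```python
# Constructed toy block cipher: 8-bit block, 8-bit key (2^8 keys), so the
# dictionaries fit in memory; it stands in for DES (64-bit block, 2^56 keys).
SBOX = [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7]   # row 0 of DES S-box S1
INV_SBOX = [SBOX.index(i) for i in range(16)]
ROUNDS = 3


def _substitute(x, box):
    return (box[x >> 4] << 4) | box[x & 0xF]


def _rotate_left(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF


def toy_encrypt(m, k):
    """Three rounds of: xor round key, nibble substitution, 3-bit rotation."""
    x = m
    for r in range(ROUNDS):
        x ^= (k + r) & 0xFF                       # trivial constructed key schedule
        x = _rotate_left(_substitute(x, SBOX), 3)
    return x


def toy_decrypt(c, k):
    x = c
    for r in reversed(range(ROUNDS)):
        x = _substitute(_rotate_left(x, 5), INV_SBOX)   # rotate left 5 == right 3
        x ^= (k + r) & 0xFF
    return x


def double_encrypt(m, k1, k2):
    """C = E(E(P, k1), k2): the 'encrypting twice with different keys' scheme."""
    return toy_encrypt(toy_encrypt(m, k1), k2)


def meet_in_the_middle(pairs):
    """pairs: [(m1, c1), (m2, c2), ...] produced under the same (k1, k2).
    A = {E(m1, k) -> k} over all k; then every D(c1, k) is looked up in A.
    Cost: 2 * 2^8 cipher operations instead of 2^16 for brute force.
    Returns the (k1, k2) pairs consistent with all the given pairs."""
    m1, c1 = pairs[0]
    table_a = {}
    for k in range(256):
        table_a.setdefault(toy_encrypt(m1, k), []).append(k)
    candidates = []
    for k2 in range(256):
        middle = toy_decrypt(c1, k2)
        for k1 in table_a.get(middle, []):        # match R = E(m1, k1) = D(c1, k2)
            candidates.append((k1, k2))
    # Further pairs weed out the false positives the first pair lets through.
    for m, c in pairs[1:]:
        candidates = [(k1, k2) for k1, k2 in candidates
                      if double_encrypt(m, k1, k2) == c]
    return candidates


if __name__ == "__main__":
    k1, k2 = 0x3A, 0xC5                           # constructed secret keys
    pairs = [(m, double_encrypt(m, k1, k2)) for m in (0x12, 0x7B, 0xE0)]
    print(len(meet_in_the_middle(pairs[:1])))     # many survivors with one pair
    print(meet_in_the_middle(pairs))              # (0x3A, 0xC5) survives all three
```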

Slide 60: Triple Encryption DES I [Kaufman et al. 2002; Stallings 2013]

• DES can be made more secure with triple encryption

• Called Triple DES (3DES), or Triple DEA (TDEA)

• Method EDE: Encryption-Decryption-Encryption

— with two keys $k_1$ and $k_2$:

$$C = \mathrm{DES}\big(\mathrm{DES}^{-1}(\mathrm{DES}(P, k_1), k_2), k_1\big)$$

$$P = \mathrm{DES}^{-1}\big(\mathrm{DES}(\mathrm{DES}^{-1}(C, k_1), k_2), k_1\big)$$

— with three keys $k_1$, $k_2$, and $k_3$:

$$C = \mathrm{DES}\big(\mathrm{DES}^{-1}(\mathrm{DES}(P, k_1), k_2), k_3\big)$$

$$P = \mathrm{DES}^{-1}\big(\mathrm{DES}(\mathrm{DES}^{-1}(C, k_3), k_2), k_1\big)$$

Slide 61: Triple Encryption DES II

• Advantages:

— backward compatibility

— exponential pain for differential cryptanalysis

• Disadvantages: (very) slow

• Security:

— 3DES with two keys

– equivalent to a $2^{80}$ key [Barker et al. 2007] (for an attacker with $2^{40}$ known plaintext pairs)

– deprecated

— 3DES with three keys

– equivalent to a $2^{112}$ key (meet-in-the-middle attack)

– end of life

All block ciphers relying on 64-bit blocks can be broken with Sweet32 [Bhargavan et al. 2016]

Slide 62: Call for Ciphers: The AES Process

• In 1997, NIST started the process of replacing the aging DES

— Avoid DES mistakes (i.e. don’t choose a standard everyone is skeptical about)

— Open and transparent process over 3 years

— June 1998: 15 candidates, tested for security and software efficiency

— October 2000: 5 finalists, tested for security and hardware efficiency (MARS, RC6, Rijndael, , Twofish)

• The winner, Rijndael became the Advanced Encryption Standard

— 128-bit blocks (although Rijndael also supports 192-bit and 256-bit blocks)

— 128-bit, 192-bit, or 256-bit key (also known as AES-128/AES-192/AES-256) — 10, 12, or 14 rounds, depending on key length

AES Overview [Kaufman et al. 2002]

• The iterative process is done on the state matrix of octets (initial state is the plaintext, final state is the ciphertext)

• Rounds are composed of:
— octet-for-octet substitution
— row/column permutation (rearrangement)
— mathematical operations on columns using finite field arithmetic
— ⊕ with the round key (the only operation in "round 0")

Simplified AES I [Stallings 2013]

• Simplified AES (S-AES) is an algorithm used for teaching only
— Goal: understand the operations of AES with smaller parameters

• 16-bit blocks; 16-bit key; 3 rounds with 16-bit round keys k0, k1, k2

• Based on 4 operations:
1. Add key (AK(·))
2. Nibble substitution (NS(·))
3. Shift row (SR(·))
4. Mix column (MC(·))

Simplified AES II [Stallings 2013]

SAES(k) ≡ AK_{k2} ∘ SR ∘ NS ∘ AK_{k1} ∘ MC ∘ SR ∘ NS ∘ AK_{k0}
          |---- round 2 ----| |------ round 1 ------| |round 0|

(the rightmost function is applied first)

• Each function is applied to the 2 × 2 state matrix S:

  S = | S_{0,0}  S_{0,1} |      initially   S_init = | p0p1p2p3  p8p9p10p11   |
      | S_{1,0}  S_{1,1} |                           | p4p5p6p7  p12p13p14p15 |

where the S_{i,j} are nibbles and P = p0 p1 p2 ··· p15; each column of S is 1 octet

• Similarly, the key is a matrix of 2 columns of 1 octet each:

  K = | k0  k8  |
      | k1  k9  |
      | ..  ..  |
      | k7  k15 |

• Decryption applies the inverses in reverse order (note that there is one SR^{-1} per round):

SAES^{-1}(k) ≡ AK_{k0} ∘ NS^{-1} ∘ SR^{-1} ∘ MC^{-1} ∘ AK_{k1} ∘ NS^{-1} ∘ SR^{-1} ∘ AK_{k2}

Simplified AES: Add Key (Operation 1) [Stallings 2013]

Add Key AK(S, K) returns the bitwise XOR between S and K:

  AK(S, K) = S ⊕ K

e.g.

  | A 4 |     | 2 5 |     | 8 1 |
  | 7 9 |  ⊕  | D 5 |  =  | A C |  = S after AK

Add Key is its own inverse ⇒ AK^{-1} = AK

Simplified AES: Nibble Substitution (Op. 2) [Stallings 2013]

• The Nibble Substitution maps a 4-bit value to another 4-bit value
• For S-AES, the mapping is as follows (i = the leftmost two bits of the nibble, j = the rightmost two):

            j = 00   01   10   11
  i = 00      0x9  0x4  0xA  0xB
  i = 01      0xD  0x1  0x8  0x5
  i = 10      0x6  0x2  0x0  0x3
  i = 11      0xC  0xE  0xF  0x7

• For example:

  NS(S) = NS | 8 1 | = NS | 0b1000 0b0001 | = | 6 4 |
             | A C |      | 0b1010 0b1100 |   | 0 C |

• The mapping is a Nyberg S-box (built from inversion in GF(2^4)): well-chosen and justified, unlike the DES S-boxes
• NS^{-1} is done with the inverse mapping

Simplified AES: Shift Row (Operation 3) [Stallings 2013]

Shift Row performs a circular left shift on the rows of the state matrix (the first row is untouched), e.g.

  SR(S) = SR | 6 4 | = | 6 4 |
             | 0 C |   | C 0 |

The inverse function SR^{-1} is identical, because shifting a 2-element row once more brings it back to its original position

Simplified AES: Mix Column (Operation 4) [Stallings 2013]

Mix Column operates on each column of the state matrix individually (each output nibble depends on both nibbles of the column):

  MC(S) = | 1 4 | · S
          | 4 1 |

with the arithmetic performed in GF(2^4), with r(x) = x^4 + x + 1 as the reduction polynomial.

The inverse MC^{-1} is defined with the inverse matrix (still in GF(2^4)):

  MC^{-1}(S) = | 9 2 | · S
               | 2 9 |

Finite Field Arithmetic I [Stallings 2013]

• A field is a set with addition, subtraction, multiplication, division
— The result of an operation remains in the set

• A finite field contains a finite number of elements
— Example: the field Z_p = {0, 1, ..., p − 1} with arithmetic mod p (p prime)

• Encryption algorithm = operations on integers
— If one operation in the algorithm is a division, we need multiplicative inverses, i.e. for every a ≠ 0 an x such that ax = 1

• Implementation: work with n-bit words, i.e. on the range 0, ..., 2^n − 1

— Z_{2^n} is not a field (no multiplicative inverse for 2 in Z_{2^n}: there is no x such that 2x mod 2^n = 1)

⇒ Do the operations in a field that contains 2^n elements

Finite Field Arithmetic II

• The natural choice is a Galois Field, a finite field of order 2^n: GF(2^n)

• Defined as the set of polynomials of degree at most n − 1 with binary coefficients,

  a_{n−1} x^{n−1} + a_{n−2} x^{n−2} + ··· + a_1 x + a_0

  with multiplication reduced modulo an irreducible polynomial r(x) of degree n

• Arithmetic is done on the coefficients of the polynomial, represented as an n-bit integer

  a_{n−1} a_{n−2} ··· a_1 a_0

• Operations are implemented as XORs (addition) and SHIFTs (multiplication by x) ⇒ efficient in computation time and memory space
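The following Python program is an added worked example (not code from the lecture notes) that implements S-AES exactly as described on the Simplified AES slides above, with the GF(2^4) multiplication of Mix Column written out as the shift-and-XOR arithmetic of this slide; it also reproduces the intermediate states of the slides' AK → NS → SR example. The key expansion that derives k0, k1, k2 from the 16-bit key is not on the slides; the schedule used here is Stallings' S-AES one and is an assumption of the example.

```python
# Simplified AES (S-AES) as on the slides, with the GF(2^4) arithmetic of
# Mix Column written out.  Added example, not code from the lecture notes.
# Assumption: round keys k0, k1, k2 are derived with Stallings' S-AES key
# expansion (RotNib/SubNib, round constants 0x80 and 0x30), which the
# slides do not show.

# Nibble S-box from the slide, indexed by the nibble value (i = high 2 bits, j = low 2 bits)
SBOX = [0x9, 0x4, 0xA, 0xB,
        0xD, 0x1, 0x8, 0x5,
        0x6, 0x2, 0x0, 0x3,
        0xC, 0xE, 0xF, 0x7]
INV_SBOX = [SBOX.index(v) for v in range(16)]

R_X = 0b10011                # r(x) = x^4 + x + 1, the reduction polynomial of GF(2^4)
MIX = ((1, 4), (4, 1))       # Mix Column matrix
INV_MIX = ((9, 2), (2, 9))   # its inverse in GF(2^4)


def gf4_mul(a: int, b: int) -> int:
    """Multiply in GF(2^4): shift-and-xor, reducing by r(x) whenever degree 4 appears."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a <<= 1
        if a & 0x10:
            a ^= R_X
        b >>= 1
    return result & 0xF


# State is a 2x2 matrix of nibbles [[S00, S01], [S10, S11]]; the 16-bit block fills it
# column by column: S00 = p0..p3, S10 = p4..p7, S01 = p8..p11, S11 = p12..p15.
def to_state(block: int):
    return [[(block >> 12) & 0xF, (block >> 4) & 0xF],
            [(block >> 8) & 0xF, block & 0xF]]


def from_state(s) -> int:
    return (s[0][0] << 12) | (s[1][0] << 8) | (s[0][1] << 4) | s[1][1]


def add_key(s, round_key: int):          # AK: bitwise XOR with the round key (self-inverse)
    k = to_state(round_key)
    return [[s[r][c] ^ k[r][c] for c in range(2)] for r in range(2)]


def nibble_sub(s, box=SBOX):             # NS: apply the S-box (or its inverse) to every nibble
    return [[box[v] for v in row] for row in s]


def shift_row(s):                        # SR: row 0 untouched, row 1 rotated (self-inverse for 2 columns)
    return [s[0][:], [s[1][1], s[1][0]]]


def mix_column(s, m=MIX):                # MC: matrix product over GF(2^4), column by column
    return [[gf4_mul(m[r][0], s[0][c]) ^ gf4_mul(m[r][1], s[1][c]) for c in range(2)]
            for r in range(2)]


def _rot_nib(w: int) -> int:
    return ((w << 4) | (w >> 4)) & 0xFF


def _sub_nib(w: int) -> int:
    return (SBOX[w >> 4] << 4) | SBOX[w & 0xF]


def expand_key(key: int):
    """Stallings' S-AES key schedule: 16-bit key -> three 16-bit round keys (assumption, see above)."""
    w = [key >> 8, key & 0xFF]
    w.append(w[0] ^ 0x80 ^ _sub_nib(_rot_nib(w[1])))
    w.append(w[2] ^ w[1])
    w.append(w[2] ^ 0x30 ^ _sub_nib(_rot_nib(w[3])))
    w.append(w[4] ^ w[3])
    return [(w[0] << 8) | w[1], (w[2] << 8) | w[3], (w[4] << 8) | w[5]]


def saes_encrypt(plaintext: int, key: int) -> int:
    k0, k1, k2 = expand_key(key)
    s = add_key(to_state(plaintext), k0)                        # round 0
    s = add_key(mix_column(shift_row(nibble_sub(s))), k1)       # round 1
    s = add_key(shift_row(nibble_sub(s)), k2)                   # round 2 (no Mix Column)
    return from_state(s)


def saes_decrypt(ciphertext: int, key: int) -> int:
    k0, k1, k2 = expand_key(key)
    s = add_key(to_state(ciphertext), k2)
    s = add_key(nibble_sub(shift_row(s), INV_SBOX), k1)         # undo round 2
    s = nibble_sub(shift_row(mix_column(s, INV_MIX)), INV_SBOX)  # undo round 1
    return from_state(add_key(s, k0))                           # undo round 0


def slide_walkthrough():
    """Reproduce the intermediate states of the slides' example (AK, then NS, then SR)."""
    s = [[0xA, 0x4], [0x7, 0x9]]
    k = from_state([[0x2, 0x5], [0xD, 0x5]])
    after_ak = add_key(s, k)
    after_ns = nibble_sub(after_ak)
    after_sr = shift_row(after_ns)
    return after_ak, after_ns, after_sr
```

Because every step is invertible (AK and SR are their own inverses, NS and MC have explicit inverses), `saes_decrypt(saes_encrypt(p, k), k)` returns `p` for any 16-bit `p` and `k`; the same structure, with 4 × 4 octets and GF(2^8), is the real AES.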

Back to AES [Kaufman et al. 2002; Stallings 2013]

• The state matrix S is a 4 × 4 matrix of octets (1 column = 4 octets = 32 bits)

• The substitution box is a 16 × 16 array, indexed by the two 4-bit halves of each octet (row = high nibble, column = low nibble)

• Shift row rotates each row by a different amount: row i is rotated left by i octets

• Mix columns is done in GF(2^8) with r(x) = x^8 + x^4 + x^3 + x + 1

An AES Round [Stallings 2013]

(Figure 5.4 of [Stallings 2013], not reproduced here: one AES encryption round, State → SubBytes (16 S-box lookups) → ShiftRows → MixColumns (4 column operations) → AddRoundKey with r0 ... r15 → State. The final round omits MixColumns, and decryption runs the four inverse stages in the opposite order.)

AES Security

• The best attacks on AES only work in reduced settings that are not available in the real world:

— either with related keys (the attacker obtains encryptions under keys with a chosen relationship)

— or on a reduced number of rounds

• A very clever attack based on "meet-in-the-middle" (biclique cryptanalysis, 2011) breaks the full cipher about 4 times faster than brute force: about 2^126 operations for AES-128, which is still not practical

• Most often: side-channel attacks don't attack the cipher but the implementation that runs it (timing, cache, power consumption)

• The NSA itself approves AES for protecting classified information; there is no public evidence that anyone can break it

Encrypting a Large Message I [Kaufman et al. 2002; Stallings 2013]

• How to encrypt a message larger than one block?

• Mode of operation
— Enhances the effect of a cryptographic algorithm

— Adapts the algorithm to an application

• Many (secure and insecure) proposals and standards

• We review the ones used in network security

Electronic Code Book (ECB) I [Kaufman et al. 2002]

Simplest method: break the message into individual, independent blocks, c_i = E(p_i, K)

Electronic Code Book (ECB) II [Kaufman et al. 2002]

• Need to pad the message if its length is not a multiple of the block size

• Pros:
— Uses the cipher without overhead or additional complexity; blocks can be processed in parallel

• Cons:
— Identical blocks of plaintext yield identical blocks of ciphertext (patterns in the plaintext show through)

— Blocks within messages can be rearranged or repeated to modify the plaintext

ECB should not be used to encrypt messages longer than one block

Create a chain by using c_{i−1} as a random-looking value to ⊕ with p_i:

  c_i = E(p_i ⊕ c_{i−1}, K),    p_i = D(c_i, K) ⊕ c_{i−1}

Initialization Vector (IV) = the initial random value c_0 (does not need to be secret, but must be unpredictable and fresh for every message)

Decryption with the wrong IV yields gibberish (but only for the first block)

Cipher Block Chaining (CBC) II [Kaufman et al. 2002]

• Need to pad the message if its length is not a multiple of the block size

• Pros:
— Uses the cipher without overhead or additional complexity

— Identical blocks of plaintext lead to different blocks of ciphertext

— A difference in the plaintext affects the whole rest of the sequence

• Cons:
— If the IV is constant, differences between repeated messages can be detected

— Modifications to c_i have a predictable effect on p_{i+1} (a flipped bit in c_i flips the same bit in p_{i+1}) while p_i becomes garbage

— Rearrangement with known plaintext means an attacker can craft messages

— Without a MAC, a receiver that reports padding errors becomes a decryption oracle (padding oracle attacks)

Counter (CTR) I [Kaufman et al. 2002]

  c_i = p_i ⊕ E(IV + i, K)    (one keystream block per counter value)

Blocks are independent (like ECB); decryption recomputes the same keystream

GCM (Galois/Counter Mode) encrypts with CTR and adds an authentication tag computed over the ciphertext with multiplications in GF(2^128)

Counter (CTR) II [Kaufman et al. 2002]

• Pros:
— Identical blocks of plaintext lead to different blocks of ciphertext

— The one-time-pad-like keystream can be generated in advance, and blocks in parallel ⇒ extremely fast

— Changes to c_i only affect p_i (can also be a con. . . )

— No padding needed: can be adapted to any token size

Counter (CTR) III [Kaufman et al. 2002]

• Cons:
— Known plaintext attack:

  – The attacker can ⊕ c_i with p_i to obtain the pad value (the k leftmost bits of the keystream block t)

  – The attacker can then ⊕ its own plaintext with t and transmit it ⇒ essential that the IV be a nonce (never reused under the same key)

— Blocks are independent from one another (can also be a pro. . . )

Modes of Operation

• No mode is perfect: the application dictates which one to use

— Many more exist, including for specific applications (e.g. XTS for disk encryption)

• Generally: append a Message Authentication Code (MAC)

— Prevents tampering and reordering (i.e. provides integrity)

— The MAC is secured by a secret key (more on this later)

• Newer modes of operation (e.g. GCM) provide authentication along with encryption (authenticated encryption)

Generic Stream Encryption I [Stallings 2013]

Stream ciphers encrypt a plaintext stream one byte at a time (generally, one token at a time)

• A key is used as input to generate a (pseudo) random key stream

• The ciphertext stream is the ⊕ between the plaintext and the key stream

• Basic idea: the One-Time Pad (see slide 23), with the pad generated from a short key

Generic Stream Encryption II [Stallings 2013]

• Important design considerations:
— Large period for the key stream
  – The longer it takes the key stream to repeat, the harder the cryptanalysis (just like we saw with Vigenère's auto-key)
— The key stream should approximate true randomness
  – Approximately equal number of zeros and ones
  – If the key stream is made of bytes: equal probability on all 256 values
— Sufficiently long key (to avoid brute force on the key)

• Advantages compared to block ciphers:
— Stream ciphers are as secure as block ciphers (if properly designed)
— Stream ciphers run faster, and the code is (much) shorter

• Disadvantages compared to block ciphers:
— Never reuse a key (and nonce) with a stream cipher!!! (c1 ⊕ c2 = p1 ⊕ p2 makes cryptanalysis very easy)
— With a block cipher, the same key can be reused across messages (with a fresh IV)

Generic Stream Encryption III [Stallings 2013]

Never reuse the same key with stream ciphers
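The following Python program, an added example that is not taken from the lecture notes, implements ECB, CBC and CTR on top of a toy 64-bit block cipher (a 4-round Feistel network with a SHA-256 round function, standing in for DES/AES because Python's standard library has no block cipher) and demonstrates the failure modes discussed on the mode-of-operation slides and on this one: ECB pattern leakage, CBC bit flipping, and the keystream recovery and forgery that follow from reusing a CTR nonce or a stream-cipher key. The cipher, key, IV, nonce and messages are all constructed for the example.

```python
import hashlib

BLOCK = 8   # 64-bit blocks, the DES/3DES (Sweet32) block size


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    """Round function of the toy cipher: SHA-256(key || round || half), truncated to a half block."""
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy 64-bit block cipher: 4-round balanced Feistel network (stand-in for DES/AES)."""
    left, right = block[:4], block[4:]
    for rnd in range(4):
        left, right = right, xor(left, _f(key, rnd, right))
    return right + left


def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:4], block[4:]
    for rnd in reversed(range(4)):
        left, right = right, xor(left, _f(key, rnd, right))
    return right + left


def pad(msg: bytes) -> bytes:            # PKCS#7 padding up to a multiple of BLOCK
    n = BLOCK - len(msg) % BLOCK
    return msg + bytes([n]) * n


def unpad(msg: bytes) -> bytes:
    return msg[:-msg[-1]]


def ecb_encrypt(key: bytes, msg: bytes) -> bytes:   # c_i = E(p_i)
    msg = pad(msg)
    return b"".join(block_encrypt(key, msg[i:i + BLOCK]) for i in range(0, len(msg), BLOCK))


def cbc_encrypt(key: bytes, iv: bytes, msg: bytes) -> bytes:   # c_i = E(p_i xor c_{i-1}), c_0 = IV
    msg, prev, out = pad(msg), iv, []
    for i in range(0, len(msg), BLOCK):
        prev = block_encrypt(key, xor(msg[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:    # p_i = D(c_i) xor c_{i-1}
    prev, out = iv, []
    for i in range(0, len(ct), BLOCK):
        out.append(xor(block_decrypt(key, ct[i:i + BLOCK]), prev))
        prev = ct[i:i + BLOCK]
    return unpad(b"".join(out))


def ctr_crypt(key: bytes, nonce4: bytes, data: bytes) -> bytes:
    """CTR: keystream block i = E(nonce || i); the same call encrypts and decrypts."""
    stream = b"".join(block_encrypt(key, nonce4 + ctr.to_bytes(4, "big"))
                      for ctr in range(-(-len(data) // BLOCK)))
    return xor(data, stream)


def ecb_leaks_patterns(key: bytes) -> bool:
    """ECB: identical plaintext blocks give identical ciphertext blocks."""
    ct = ecb_encrypt(key, b"ATTACK!!" * 3)
    return ct[0:8] == ct[8:16] == ct[16:24]


def cbc_bit_flip(key: bytes, iv: bytes) -> bytes:
    """CBC malleability: flipping bits of c_1 flips the same bits of p_2 (and garbles p_1)."""
    ct = bytearray(cbc_encrypt(key, iv, b"amount=100000000"))   # blocks: "amount=1" | "00000000"
    ct[0] ^= ord("0") ^ ord("9")        # first byte of c_1 -> first byte of p_2 turns '0' into '9'
    return cbc_decrypt(key, iv, bytes(ct))[8:16]   # second block of the decryption; bytes 0..7 are garbage


def ctr_known_plaintext_forgery(key: bytes, nonce4: bytes) -> bytes:
    """CTR (or any stream cipher) with a reused nonce: one known pair (p, c) reveals the pad,
    so the attacker encrypts a message of its choosing without the key."""
    known_pt = b"transfer 10 EUR to alice"
    ct = ctr_crypt(key, nonce4, known_pt)
    pad_bits = xor(ct, known_pt)                         # keystream recovered
    forged_ct = xor(b"transfer 99 EUR to mallo", pad_bits)
    return ctr_crypt(key, nonce4, forged_ct)             # what the receiver decrypts


def keystream_reuse_leak(key: bytes, nonce4: bytes, p1: bytes, p2: bytes) -> bool:
    """Two messages under the same key/nonce: c1 xor c2 == p1 xor p2 (the two-time pad)."""
    return xor(ctr_crypt(key, nonce4, p1), ctr_crypt(key, nonce4, p2)) == xor(p1, p2)
```

None of the three attacks touches the cipher itself: they only exploit how the mode combines blocks, which is why a MAC over the ciphertext (next slides) is needed regardless of the cipher's strength.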

Available Stream Ciphers

• RC4, designed in 1987

— Very popular (WEP/WPA-TKIP WiFi, SSL/TLS) until practical attacks on its output biases in 2013
— Now considered completely unsafe (prohibited in TLS)
• eSTREAM project (2004–2008) to select/standardize new stream ciphers (portfolio includes e.g. Rabbit and Salsa20)
— Adoption rate of the portfolio is pretty low
• No single clear successor; in practice ChaCha20 (a Salsa20 variant, RFC 8439) fills the role, e.g. in TLS 1.3

Outline

• Introduction

• Classic Cryptography and Cryptanalysis

• Principles of Cryptography

• Symmetric Cryptography (aka. Secret-Key Cryptography)

⇒ Asymmetric Cryptography (aka. Public-Key Cryptography)

• Hashes and Message Digests

• Conclusion

Asymmetric Cryptography: Introduction [Kaufman et al. 2002]

• Asymmetric cryptography (aka. public-key cryptography) is a class of cryptographic algorithms that rely on two related keys for encryption and decryption
— The public key, K+, is known to everyone
— The private key, K−, is known to a single individual

• Based on mathematical functions (number theory) and not on permutations and substitutions

• They perform and provide different functions:
— Encryption and signatures: RSA and ECC
— Digital signatures only: DSS (built on ElGamal's signature scheme)
— Key exchange only: Diffie-Hellman
— Authentication only: Zero-Knowledge protocols

Asymmetric Cryptosystems I [Stallings 2013]

• Each user generates a pair of keys to be used for encryption and decryption

• Each user disseminates one of the keys, the public key

• The private key is kept private by each user

• If Alice wishes to send a message to Bob:

— C = E(P, K+_Bob);  P = D(C, K−_Bob)
— Only Bob can decrypt the message (because only he knows the private key)
— E(C, K+_Bob) = E(E(P, K+_Bob), K+_Bob) is gibberish: applying the public key twice does not undo anything

Asymmetric Cryptosystems II [Stallings 2013]

Consider the opposite situation:

• The transmitted ciphertext is C = E(P, K−_Alice)
• Bob can read the message: P = D(C, K+_Alice)

• Everyone can read the message C, because K+_Alice is Alice's public key
— But only Alice could have written the message C (and hence P)

— C = E(P, K−_Alice), with K−_Alice being Alice's private key

— This is a digital signature: it authenticates Alice as the author

Asymmetric Cryptosystems III [Stallings 2013]

Asymmetric algorithms rely on one key for encryption, and one related, but different key for decryption

Requirement: it is computationally infeasible to determine the decryption key given only knowledge of the cryptographic algorithm and the encryption key

Property exhibited by some algorithms (e.g. RSA): either of the two related keys can be used for encryption, the other is then used for decryption

The RSA Algorithm I [Kaufman et al. 2002; Stallings 2013]

• Introduced in 1977

• The most popular algorithm for asymmetric cryptography in use

• Based on exponentiation in modular arithmetic

• Feasibility deeply rooted in number theory

The RSA Algorithm II [Kaufman et al. 2002; Stallings 2013]

Encryption and decryption are done as follows:

  C = P^e mod n
  P = C^d mod n = (P^e)^d mod n = P^{ed} mod n

1. Senders (everyone) know n and e ⇒ public key K+ = {e, n}

2. The receiver alone knows n and d ⇒ private key K− = {d, n}

where P is a plaintext block of i bits, with 2^i < n ≤ 2^{i+1} (so that P < n)

Why does RSA work? [Kaufman et al. 2002; Stallings 2013; Kurose et al. 2017]

Can we find values d, e, n such that P^{ed} mod n = P for all P < n?

Result from Euler's theorem

If p and q are distinct primes, and n = pq, then

  x^y mod n = x^{y mod φ(n)} mod n

where φ(n) = (p − 1)(q − 1) is Euler's totient function (the identity holds for every x because n is a product of distinct primes)

The RSA equation works if

  ed mod φ(n) = 1

i.e. if d is the modular inverse of e mod φ(n)

The RSA Algorithm III [Kaufman et al. 2002; Stallings 2013]

The RSA algorithm works as follows:
1. Generate two (large, distinct) prime numbers p and q

2. Compute n = pq

3. Choose e such that 3 < e < φ(n), with gcd(e, φ(n)) = 1

4. Compute d such that ed ≡ 1 (mod φ(n)) (extended Euclidean algorithm)

5. Forget p and q (and φ(n)): anyone who learns them can recompute d

Why is RSA Secure? [Kaufman et al. 2002; Stallings 2013]

• RSA is considered computationally secure

• Factoring a big number (n) is hard, and the known methods (special and general number field sieve) are slow

• At the very least, n should be a 1024-bit integer
— n values of 2048 and 4096 bits are also in use
— 1024-bit moduli are no longer accepted by current key-management guidance (e.g. NIST SP 800-57): 2048 bits is the practical minimum today

(Figure 9.9 of [Stallings 2013], not reproduced here: MIPS-years needed to factor as a function of the modulus size in bits, general number field sieve versus special number field sieve)

An RSA Example I

Step 1: we choose p = 31 and q = 53 ⇒ n = 31 · 53 = 1643

Step 2: φ(n) = 30 · 52 = 1560

Step 3: we choose e = 11, which satisfies 3 < 11 < 1560 and gcd(11, 1560) = 1

Step 4: we solve 11d ≡ 1 (mod 1560) ⇔ d = 851 (check: 11 · 851 = 9361 = 6 · 1560 + 1)

Therefore, K+ = {11, 1643} and K− = {851, 1643}

An RSA Example II

So, we have K+ = {11, 1643} and K− = {851, 1643}. Let's encrypt ANEMONE.

Using alphabetical positions, we have 01 14 05 13 15 14 05
Let's use blocks of length 3 (every block is then < 1000 < n): 011 405 131 514 05
Add a leading zero so that all blocks are full (this also breaks the repeated NE pattern): 001 140 513 151 405

  Block   Encryption: C = P^11 mod 1643     Decryption: P = C^851 mod 1643
  001     001^11 mod 1643 = 0001             0001^851 mod 1643 = 001
  140     140^11 mod 1643 = 0109             0109^851 mod 1643 = 140
  513     513^11 mod 1643 = 0890             0890^851 mod 1643 = 513
  151     151^11 mod 1643 = 1453             1453^851 mod 1643 = 151
  405     405^11 mod 1643 = 0374             0374^851 mod 1643 = 405

Diffie-Hellman [Kaufman et al. 2002]

• Oldest asymmetric cryptosystem still in use (1976)

• Predates RSA

— less general (does neither encryption nor signatures)

— better performance for what it does

• Diffie-Hellman allows two parties to agree on a shared key, even though they can only exchange messages in public

• Many protocols still rely on Diffie-Hellman today (nowadays mostly in its elliptic-curve form, ECDH)

Often referred to as the Diffie-Hellman key exchange protocol

Diffie-Hellman Algorithm [Kaufman et al. 2002]

1. Let p be a large prime
2. Let g be an integer such that g < p, and g a primitive root of p (p and g can be public)
3. Each party chooses a large integer at random (at least 512 bits) and keeps it secret → S1 and S2
4. Each party computes g^{S_i}, i.e. T_i = g^{S_i} mod p
5. They exchange their T's
6. Each party raises the received T to its own secret number, i.e.

  T2^{S1} = (g^{S2})^{S1} = g^{S2 S1} mod p

  T1^{S2} = (g^{S1})^{S2} = g^{S1 S2} mod p

and g^{S1 S2} mod p is the shared key

Diffie-Hellman Key Exchange

(Figure: message flow of the Diffie-Hellman key exchange between the two parties; the diagram itself is not recoverable from the slide text)

Diffie-Hellman Security

• People who spy on the Diffie-Hellman exchange know

  p, g, T1, and T2

• To recover the shared secret, they must solve either

  S1 = log_g T1 (mod p)    or    S2 = log_g T2 (mod p)

(one of the two secrets is enough, since K = T2^{S1} = T1^{S2} mod p)

• It is considered infeasible to compute discrete logarithms modulo large primes

(We will later see that Diffie-Hellman is vulnerable to man-in-the-middle attacks, and how to prevent them)

Diffie-Hellman Example [Stallings 2013]

Let p = 353 and g = 3

Alice chooses S_A = 97 and computes T_A = 3^97 mod 353 = 40
Bob chooses S_B = 233 and computes T_B = 3^233 mod 353 = 248

They exchange T_A and T_B.

Alice computes K = (T_B)^{S_A} mod p = 248^97 mod 353 = 160
Bob computes K = (T_A)^{S_B} mod p = 40^233 mod 353 = 160

Eve, the eavesdropper, knows p = 353, g = 3, T_A = 40, and T_B = 248

To find K, she needs to discover S_A or S_B, i.e. solve for a or b in 3^a mod 353 = 40 or 3^b mod 353 = 248. For such small values she finds a = 97 after 97 trials (exhaustive search over the exponent)
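The exchange above in Python, as an added example that is not part of the lecture notes: the slides' numbers (p = 353, g = 3, S_A = 97, S_B = 233), the primitive-root check of step 2 of the algorithm, and Eve's exhaustive search for the exponent, which is feasible only because p is tiny.

```python
def dh_public(g: int, secret: int, p: int) -> int:
    """T_i = g^{S_i} mod p: what each party sends in the clear."""
    return pow(g, secret, p)


def dh_shared(peer_public: int, secret: int, p: int) -> int:
    """K = T_peer^{S_own} mod p = g^{S1 S2} mod p."""
    return pow(peer_public, secret, p)


def _prime_factors(n: int):
    factors, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            factors.add(d)
            n //= d
        d += 1
    if n > 1:
        factors.add(n)
    return factors


def is_primitive_root(g: int, p: int) -> bool:
    """g generates all of Z_p^* iff g^((p-1)/q) != 1 (mod p) for every prime q dividing p-1."""
    return 1 < g < p and all(pow(g, (p - 1) // q, p) != 1 for q in _prime_factors(p - 1))


def brute_force_dlog(g: int, target: int, p: int) -> int:
    """Eve's attack: try x = 1, 2, ... until g^x mod p == target and return that x
    (which is also the number of trials).  Linear in p: hopeless for a 2048-bit prime."""
    acc = 1
    for x in range(1, p):
        acc = (acc * g) % p
        if acc == target:
            return x
    raise ValueError("target is not a power of g modulo p")


def slide_example():
    """The slides' run: p = 353, g = 3, S_A = 97, S_B = 233."""
    p, g = 353, 3
    t_a, t_b = dh_public(g, 97, p), dh_public(g, 233, p)
    k_alice, k_bob = dh_shared(t_b, 97, p), dh_shared(t_a, 233, p)
    eve_s_a = brute_force_dlog(g, t_a, p)              # recovered from public values only
    return t_a, t_b, k_alice, k_bob, eve_s_a, dh_shared(t_b, eve_s_a, p)
```

Note that nothing in the exchange authenticates T_A or T_B: an active attacker who replaces them with her own values ends up sharing one key with Alice and another with Bob, which is the man-in-the-middle attack announced on the previous slide.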

Other Popular Asymmetric Cryptography Algorithms

• ElGamal: encryption and signatures built on the same discrete-logarithm problem as Diffie-Hellman

• DSS: a (not much loved) NIST signature standard based on ElGamal's signature scheme

• Elliptic Curve Cryptography
— Based on the points of an elliptic curve (not an ellipse, despite the name) y^2 + axy + by = x^3 + cx^2 + dx + e

— With the correct definition of point addition, you can move from point to point on the curve; the "discrete logarithm" is then the number of times a base point was added to itself

— Can be done modulo a prime p (curves over Z_p)

— Or in GF(2^n) arithmetic
— Advantage: the best known attacks on the elliptic-curve discrete logarithm are still fully exponential (no sub-exponential algorithm, unlike factoring and discrete logarithms mod p), hence much shorter keys for the same security

Symmetric and Asymmetric Cryptography [Stallings 2013]

• Asymmetric cryptography is just as secure as symmetric cryptography
— The private key needs to be (much) bigger to provide the same security level as a secret key
— Because the best attacks (factoring, discrete logarithms) are far cheaper than a brute force search of the key

• Asymmetric cryptography does not replace symmetric cryptography
— (Much) bigger overhead on encryption/decryption with asymmetric algorithms
— Both types of encryption have their specific and practical uses

Comparable key sizes (bits) for the same security level:

  Symmetric | ECC-based asymmetric | Modulus-based asymmetric (RSA, DH)
  ----------+----------------------+-----------------------------------
     56     |         112          |     512
     80     |         160          |    1024
    112     |         224          |    2048
    128     |         256          |    3072
    192     |         384          |    7680
    256     |         512          |   15360

Outline

• Introduction

• Classic Cryptography and Cryptanalysis

• Principles of Cryptography

• Symmetric Cryptography (aka. Secret-Key Cryptography)

• Asymmetric Cryptography (aka. Public-Key Cryptography)

⇒ Hashes and Message Digests

• Conclusion

Hash Functions: Introduction [Stallings 2013]

• A hash function maps a variable-length input of data into a fixed-size output value
— e.g. CRC, the function of the hash map ADT, . . .

— ≠ compression: the input cannot be recovered from the hash

• In other words: a hash (or digest) is a short summary of a large quantity of data

• Hash functions are the most versatile tool in cryptography (many purposes: integrity, authentication, signatures, . . . )

Secure Hash Functions I [Stallings 2013]

To be useful in cryptography, we need a secure hash function h = H(x). The general requirements are:
1. Variable input size: H can be applied to a block of data of any size

2. Fixed output size: H produces a fixed-length output (these two are standard requirements for any hash function)

3. Efficiency: H(x) is easy to compute for any x (software and hardware implementations should be practical)

4. One-way property (preimage resistance): for a given h, it is computationally infeasible to find a block x such that H(x) = h

Secure Hash Functions II [Stallings 2013]

5. Collision resistance:

(a) Second-preimage resistance: for any given block x, it is computationally infeasible to find y ≠ x such that H(x) = H(y)

(b) Collision resistance: it is computationally infeasible to find any pair x ≠ y such that H(x) = H(y)

6. Pseudorandomness: the output of H meets standard tests for pseudorandomness

Brute Force Attacks on Hash Functions [Stallings 2013]

• Enemy knows a hash value h and aims to find a block y that matches, i.e. h = H(y)

• Brute force:
— Take a random value as y

— Compute H(y)

— Repeat until H(y) = h (a match eventually occurs)

• For an m-bit hash value, it takes 2^{m−1} trials on average to find one y that generates h

Attacks on Collision Resistance I [Stallings 2013]

• Enemy wishes to find two data blocks x and y so that H(x) = H(y)

• This requires considerably less effort than a brute force preimage attack

• Explained by the birthday paradox (a well-known probability result)

The Birthday Paradox I

What is the probability that two random people have the same birthday in a group of k people?

• Probability is 100% if k = 366 (we ignore leap years)

• How many people for a probability of 50%?

• We solve this as a combinatorics problem: number of ways to arrange a set of n = 365 days into a sequence of length k

• Number of ways to arrange k elements (= the people) without repetition:

  A^k_365 = 365! / (365 − k)!

• Total possible arrangements of k elements, with repetition:

  B^k_365 = 365^k

The Birthday Paradox II

• Probability that nobody has the same birthday is

  P_none = A^k_365 / B^k_365 = 365! / ((365 − k)! · 365^k)

• Therefore, the probability that at least two people are born on the same day is

  P = 1 − P_none = 1 − 365! / ((365 − k)! · 365^k)

• P ≥ 0.5 for k = 23

⇒ There is a 50% chance that two people are born on the same day in a group of 23 people

Attacks on Collision Resistance II

Using similar reasoning:

• Given an n-bit hash value y, we need to generate about 2^{n−1} blocks p (on average) before finding one with

  H(p) = y    (preimage)

• For a given hash function H that produces an n-bit value, we only need to generate about 2^{n/2} distinct blocks before two of them, x and y, satisfy

  H(x) = H(y)    (collision, by the birthday paradox)
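Added example (not from the lecture notes): the birthday probability computed as on the previous two slides, and a birthday collision search against a deliberately weak digest (SHA-256 truncated to n bits, standing in for a short hash) next to a preimage search against the same digest, to show the 2^{n/2} versus 2^n effort. The candidate messages are constructed counters.

```python
import hashlib


def birthday_probability(k: int, days: int = 365) -> float:
    """P(at least two of k people share a birthday) = 1 - 365!/((365-k)! 365^k), as a running product."""
    p_none = 1.0
    for i in range(k):
        p_none *= (days - i) / days
    return 1.0 - p_none


def smallest_group(threshold: float = 0.5, days: int = 365) -> int:
    """Smallest k for which the probability reaches the threshold (23 for 50%)."""
    k = 1
    while birthday_probability(k, days) < threshold:
        k += 1
    return k


def truncated_hash(data: bytes, bits: int) -> int:
    """An n-bit hash: SHA-256 truncated to its leading `bits` bits (a deliberately weak digest)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - bits)


def find_preimage(target: int, bits: int):
    """Brute force: hash candidate blocks y until H(y) == target; about 2^bits trials expected."""
    trials = 0
    while True:
        trials += 1
        candidate = b"pre-" + str(trials).encode()
        if truncated_hash(candidate, bits) == target:
            return candidate, trials


def find_collision(bits: int):
    """Birthday attack: remember every digest seen; a repeat appears after about 2^(bits/2) trials."""
    seen = {}
    trials = 0
    while True:
        trials += 1
        candidate = b"col-" + str(trials).encode()
        h = truncated_hash(candidate, bits)
        if h in seen:
            return seen[h], candidate, trials
        seen[h] = candidate
```

A 32-bit collision and a 16-bit preimage cost roughly the same number of hash evaluations (around 2^16 each), which is exactly the factor of two in the exponent that the next slide summarizes; the same search against a full 256-bit digest would need about 2^128 memory entries and evaluations.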

Attacks on Collision Resistance III [Stallings 2013]

To summarize, for a hash code of length m bits, the level of effort required is proportional to:

— Preimage resistant: 2^m
— Second preimage resistant: 2^m
— Collision resistant: 2^{m/2}

Generating many variations of a document that convey the same meaning is not difficult (rewording, inserting invisible "space-backspace" pairs between words, . . . ): Figure 11.7 of [Stallings 2013] shows a recommendation letter that can be written in 2^38 semantically equivalent variations, which is what a birthday attack needs to find a colliding pair of letters.

Secure Hash Algorithm [Stallings 2013]

• SHA = Secure Hash Algorithm

• Cryptographically secure hash functions standardized by NIST
— SHA-0 (1993–1995): withdrawn

— SHA-1 (1995–2010): similar to MD5 in structure; collisions have been found in practice (2017), no longer acceptable for signatures

— SHA-2 (2002– ): ± SHA-1 with larger output and more rounds (SHA-224/256/384/512)

— SHA-3 (2015– ): Keccak, selected after a public competition; a different (sponge) construction

• We review SHA-512, a flavor of SHA-2
— Input: message M of length < 2^128 bits

— Output: 512-bit hash value

— Processed as 1024-bit blocks over 80 rounds

SHA-512: Overview [Stallings 2013]

Preprocessing:
1. Pad the message with the bits "1000000 ··· 0" until its length is ≡ 896 (mod 1024). Padding is always done, even if the length is already 896 mod 1024 (then a whole extra block is added)
2. Append the 128-bit value L = length of the original message in bits. The message to be processed is now a multiple of 1024 bits (896 + 128 = 1024)

Processing: successive processing of each 1024-bit block M_i
3. Processing of M_i is done on 8 64-bit words a, b, c, d, e, f, g, h

4. Each block M_i goes through 80 rounds. Its value gets mixed with the preceding 512-bit intermediate hash H_{i−1} = (a, b, c, d, e, f, g, h)_{i−1}, which depends on all blocks M_1, ..., M_{i−1}

5. The returned value is H_N = SHA512(Message); all additions are done mod 2^64

SHA-512: Processing of a Block [Stallings 2013]

• Processing is done on 8 64-bit registers: a, b, c, d, e, f, g, h
• Initial value of the registers = result from the previous block, or constants for H_0 when processing M_1

• K_t = additive round constants that eliminate patterns in the input (= diffusion)
• W_t = a 64-bit word derived from the input block M_i (one per round)

• At the end of the 80 rounds, addition mod 2^64 between the new registers and the registers from the previous block

A SHA-512 Round [Stallings 2013]

• 6 registers are simply moved, which results in a rotation of the register file (h = g; g = f; f = e; d = c; c = b; b = a)

• 2 registers (a and e) are generated by substitutions, computed from

— circular right rotations and right shifts by fixed amounts
— addition modulo 2^64
— ⊕, AND and NOT (the "choice" and "majority" functions)

• The 64-bit words W_t are generated from the block M_i processed in the current round
— the first 16 are the block itself, the remaining 64 are derived from them with the same kind of operations

Applications of Secure Hashes [Stallings 2013]

• Recall
— Mode of operation = techniques to transmit multiple blocks of ciphertext

— Some modes are subject to alteration/reordering

• Hash functions can prevent these attacks
— Keyed with a secret (i.e. used as a MAC), they provide authentication and integrity

Hash-Based Message Authentication Code (HMAC)

Alice wants to send the message P to Bob with authentication and data integrity

• Using a secure hash function H, Alice computes a = H({H(K), P}) (where K is the secret key she shares with Bob)

• She sends the message {P, a} to Bob

• Bob receives {P, a}

• Using the same hash function, Bob computes b = H({H(K), P})

• If b = a the message is authenticated
— Only someone who knows K (i.e. Alice or Bob) could have generated a

• Moreover P was not altered by a third party, since its value is verified by the hash function (= integrity)

Caveat: the construction above is a simplified "prefix" keyed hash, not HMAC itself. With a Merkle-Damgård hash such as SHA-512, a = H(H(K) ‖ P) exposes the internal state after P, so an attacker who knows P and a can compute a valid tag for P ‖ padding ‖ X without knowing K (length extension). The standardized HMAC (RFC 2104) uses two nested hashes, H((K ⊕ opad) ‖ H((K ⊕ ipad) ‖ P)), which closes this; the comparison b = a must also be done in constant time.
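Added example (not code from the lecture notes), serving both the SHA-512 overview (preprocessing/padding) and the HMAC slide: SHA-512 preprocessing written out, the slide's prefix construction H(H(K) ‖ P) next to standard HMAC-SHA512 from Python's hmac module, and the message layout an attacker would submit in a length-extension attack on the prefix construction. Keys and messages are constructed for the example.

```python
import hashlib
import hmac


def sha512_pad(message: bytes) -> bytes:
    """SHA-512 preprocessing: append the bit 1 (0x80), zeros until the length is 896 mod 1024 bits,
    then the 128-bit big-endian length of the original message.  Padding is always applied."""
    padded = message + b"\x80"
    while len(padded) % 128 != 112:              # 112 bytes = 896 bits
        padded += b"\x00"
    return padded + (len(message) * 8).to_bytes(16, "big")


def sha512_block_count(message: bytes) -> int:
    """Number of 1024-bit blocks the compression function will process."""
    return len(sha512_pad(message)) // 128


def prefix_mac(key: bytes, message: bytes) -> bytes:
    """The construction on the slide: H(H(K) || P).  The output is the hash's internal state after
    absorbing H(K) || P || padding, so it can be resumed by someone who does not know K."""
    return hashlib.sha512(hashlib.sha512(key).digest() + message).digest()


def extension_payload(message: bytes, extra: bytes, key_digest_len: int = 64) -> bytes:
    """What the attacker submits in a length-extension attack on prefix_mac: the original P, the
    padding SHA-512 itself inserted after H(K) || P (computable since len(H(K)) = 64 is known),
    then the attacker's suffix.  The matching tag is obtained by resuming the hash from the old tag."""
    prefix_len = key_digest_len + len(message)
    glue = sha512_pad(b"\x00" * prefix_len)[prefix_len:]
    return message + glue + extra


def hmac_tag(key: bytes, message: bytes) -> bytes:
    """Real HMAC: H((K xor opad) || H((K xor ipad) || P)); the outer hash hides the inner state."""
    return hmac.new(key, message, hashlib.sha512).digest()


def hmac_verify(key: bytes, message: bytes, tag: bytes) -> bool:
    """Constant-time comparison, so that the verification itself does not leak the tag byte by byte."""
    return hmac.compare_digest(hmac_tag(key, message), tag)
```

The 112-byte boundary is the edge case the overview slide warns about: a 112-byte message already has length 896 mod 1024, yet the mandatory 1 bit pushes it into a second block.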

Confidentiality and HMAC

For messages that also need to be confidential, the transmitted message can be

  E({P, H({H(K), P})}, K)

i.e. encrypt the message (together with its tag) using a symmetric cipher.

To be pedantic, it should be mode(E({P, H({H(K), P})}, K)), since a mode of operation for the (block) cipher must also be selected. . .

In practice, use two independent keys (one for the MAC, one for the cipher) rather than the same K for both, and prefer encrypt-then-MAC (the tag covers the ciphertext) over the MAC-then-encrypt order shown here: the receiver then rejects tampered ciphertext before decrypting it.

Digital Signatures [Stallings 2013]

• Digital signatures are similar to MACs
— They provide authentication, i.e. certify who a message's author is

— They provide integrity, i.e. that the message is a perfect copy of the original

• Contrary to MACs, digital signatures are based on asymmetric cryptography

— The private key is used to "encrypt" (sign) a digest of the message

• To sign a message P, Alice computes d = E(H(P), K−_Alice) (where E is an asymmetric encryption function)

• She transmits {P, d}

• Receivers can verify the message by computing h = H(P), and verifying that h = D(d, K+_Alice)
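Added example (not from the lecture notes) covering both the RSA worked example of the earlier slides (ANEMONE encrypted with p = 31, q = 53, e = 11) and the signature construction on this slide: key generation as in steps 1–5, the digit-block encoding, encryption/decryption, and sign/verify of a SHA-256 digest with the same toy key. Reducing the digest modulo a 1643-valued modulus is for illustration only, as the code notes; the message text is the slides' example.

```python
import hashlib
from math import gcd


def is_prime(n: int) -> bool:            # trial division: fine for textbook-sized primes
    if n < 2:
        return False
    return all(n % d for d in range(2, int(n ** 0.5) + 1))


def modinv(a: int, m: int) -> int:
    """a^{-1} mod m via the extended Euclidean algorithm (a and m must be coprime)."""
    old_r, r, old_s, s = a, m, 1, 0
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    if old_r != 1:
        raise ValueError("no inverse: gcd != 1")
    return old_s % m


def rsa_keygen(p: int, q: int, e: int):
    """Steps 1-5 of the slides; returns (public key, private key) as (exponent, n) pairs."""
    if not (is_prime(p) and is_prime(q) and p != q):
        raise ValueError("p and q must be distinct primes")
    n, phi = p * q, (p - 1) * (q - 1)
    if not (3 < e < phi and gcd(e, phi) == 1):
        raise ValueError("e must satisfy 3 < e < phi(n) and gcd(e, phi(n)) = 1")
    d = modinv(e, phi)
    return (e, n), (d, n)                 # p, q and phi(n) are forgotten from here on


def rsa_apply(x: int, key) -> int:       # C = P^e mod n  /  P = C^d mod n
    exp, n = key
    if not 0 <= x < n:
        raise ValueError("block must be smaller than n")
    return pow(x, exp, n)


def text_to_blocks(text: str, width: int = 3):
    """Letters -> two-digit alphabet positions, left-padded with zeros so every block has `width` digits."""
    digits = "".join(f"{ord(ch) - ord('A') + 1:02d}" for ch in text)
    digits = digits.zfill(-(-len(digits) // width) * width)
    return [int(digits[i:i + width]) for i in range(0, len(digits), width)]


def blocks_to_text(blocks, width: int = 3) -> str:
    digits = "".join(f"{b:0{width}d}" for b in blocks)
    if len(digits) % 2:                   # a single padding zero was added: drop it
        digits = digits[1:]
    pairs = [digits[i:i + 2] for i in range(0, len(digits), 2)]
    return "".join(chr(int(pr) + ord("A") - 1) for pr in pairs if pr != "00")   # "00" = padding


def _digest_mod_n(message: bytes, n: int) -> int:
    # Toy only: with n = 1643 there are just 1643 possible digests, so forging is trivial.
    # A real scheme uses n of at least 2048 bits and a padding scheme such as PSS around H(P).
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def rsa_sign(message: bytes, private_key) -> int:
    """d = E(H(P), K^-) on the slide: the digest raised to the private exponent."""
    d, n = private_key
    return pow(_digest_mod_n(message, n), d, n)


def rsa_verify(message: bytes, signature: int, public_key) -> bool:
    """Check H(P) == D(d, K^+)."""
    e, n = public_key
    return pow(signature, e, n) == _digest_mod_n(message, n)


def slide_example():
    pub, priv = rsa_keygen(31, 53, 11)                   # K+ = {11, 1643}, K- = {851, 1643}
    blocks = text_to_blocks("ANEMONE")                   # [1, 140, 513, 151, 405]
    cipher = [rsa_apply(b, pub) for b in blocks]
    plain = [rsa_apply(c, priv) for c in cipher]
    return pub, priv, blocks, cipher, blocks_to_text(plain)
```

Signing with the private exponent and verifying with the public one is the "opposite situation" of the Asymmetric Cryptosystems II slide; because x ↦ x^e mod n is a permutation of Z_n, any change to the signature value changes the recovered digest, so a modified signature never verifies.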

Confidentiality and Digital Signatures [Stallings 2013]

A common technique to ensure confidentiality between two parties along with a digital signature is to rely on symmetric encryption:

  E({P, E(H(P), K−_sender)}, K)

where K is a secret symmetric key shared between the sender and the receiver. The outer E(·) is a symmetric encryption cipher (e.g. AES). The inner E(·) is an asymmetric encryption cipher (e.g. RSA).

Outline

• Introduction

• Classic Cryptography and Cryptanalysis

• Principles of Cryptography

• Symmetric Cryptography (aka. Secret-Key Cryptography)

• Asymmetric Cryptography (aka. Public-Key Cryptography)

• Hashes and Message Digests

⇒ Conclusion

Conclusion: Symmetric Cryptography

• One secret key shared between two persons

• Encryption/Decryption per block (e.g. AES) or stream (e.g. Rabbit)

• Long messages rely on modes (e.g. CTR)

• Suited for sessions, data transfer, storage,...

Conclusion: Asymmetric Cryptography

• Two related keys are used — Public key, known by everyone

— Private key, secret to one person

• Private and public keys cancel each other out for encryption/decryption

• Orders of magnitude slower than symmetric cryptography

• Suited for key exchange (Diffie-Hellman), signatures (RSA), . . .

Conclusion: Hash Functions

• One-way functions that produce a fixed-size digest of input

• Used alongside symmetric and asymmetric cryptography to provide authentication and integrity

Bibliography I

[Barker et al. 2007] E. Barker, W. Barker, W. Burr, W. Polk, and M. Smid, “Recommendation for key management – part 1: General (revised)”, National Institute of Standards and Technology, NIST Special Publication 800-57 part 1, Mar. 2007. [Bhargavan et al. 2016] K. Bhargavan and G. Leurent, “On the practical (in-)security of 64-bit block ciphers: Collision attacks on http over tls and openvpn”, in 23rd ACM Conference on Computer and Communications Security, Oct. 2016. [Dong 2012] C. Dong, Math in network security: A crash course, https://www.doc.ic.ac.uk/∼mrh/330tutor/, Feb. 2012.

Bibliography II

[Kaufman et al. 2002] C. Kaufman, R. Perlman, and M. Speciner, Network Security: Private Communication in a Public World, 2nd ed. Prentice Hall Press, 2002. [Kerckhoffs 1883] A. Kerckhoffs, “La cryptographie militaire”, Journal des sciences militaires, vol. 9, pp. 5–38, Jan. 1883. [Kurose et al. 2017] J. F. Kurose and K. W. Ross, Computer Networking: A Top-Down Approach, 7th ed. Pearson, 2017. [Lyons 2012] J. Lyons, Cryptanalysis of the hill cipher, 2012. [Miller 1995] A. R. Miller, “The cryptographic mathematics of enigma”, Cryptologia, vol. 19, no. 1, pp. 65–80, 1995.

Bibliography III

[Ratcliff 2003] R. A. Ratcliff, “How statistics led the germans to believe enigma secure and why they were wrong: Neglecting the practical mathematics of cipher machines”, Cryptologia, vol. 27, no. 2, pp. 119–131, 2003. [Rijmenants 2011] D. Rijmenants, Technical details of the enigma machine, http://users.telenet.be/d.rijmenants/en/enigmatech.htm, 2011. [Shannon 1945] C. E. Shannon, “A mathematical theory of cryptography”, Bell Laboratories, Tech. Rep. MM 45-110-02, Sep. 1945. [Singh 2002] S. Singh, The black chamber – cipher hints and tips, https://www.simonsingh.net/The Black Chamber/hintsandtips.html, Sep. 2002.

Bibliography IV

[Stallings 2013] W. Stallings, Cryptography and Network Security: Principles and Practice, 6th ed. Prentice Hall Press, 2013. [Triguero et al. 2006] J. J. O. Triguero, M. A. L. Guerrero, and E. C. G. del Castillo Crespo, Introducci´ona la criptograf´ıa.Historia y actualidad. Ediciones de la Universidad de Castilla-La Mancha, 2006.
