SI4 – Advanced Networks: Introduction to Computer Network Security
An Introduction to Applied Cryptography
Dr. Quentin Jacquemart [email protected]
http://www.qj.be/teaching/
1 / 129 Outline
⇒ Introduction
• Classic Cryptography and Cryptanalysis
• Principles of Cryptography
• Symmetric Cryptography (aka. Secret-Key Cryptography)
• Asymmetric Cryptography (aka. Public-Key Cryptography)
• Hashes and Message Digests
• Conclusion
2 / 129 Introduction I
• Cryptography is at the crossroads of mathematics, electronics, and computer science
• The use of cryptography to provide confidentiality is self-evident
• But cryptography is a cornerstone of network security
• Cryptology is a (mathematical) discipline that includes
— cryptography: studies how to exchange confidential messages over an unsecured/untrusted channel
— cryptanalysis: studies how to extract meaning out of a confidential message, i.e. how to breach cryptography
3 / 129 Introduction II
• Plaintext: the message to be exchanged between Alice and Bob (P)
• Ciphering: a cryptographic function that encodes the plaintext into ciphertext (encrypt: E(·))
• Ciphertext: result of applying the cipher function to the plain text (unreadable) (C)
• Deciphering: a cryptographic function that decodes the ciphertext into plaintext (decrypt: D(·))
• Key: a secret parameter given to the cryptographic functions (K)
4 / 129 Introduction III
Figure: Alice turns the plaintext P into the ciphertext E(P) with the encryption algorithm E(·); Bob applies the decryption algorithm D(·) and recovers P = D(E(P)); Trudy observes the channel between them.
5 / 129 Outline
• Introduction
⇒ Classic Cryptography and Cryptanalysis
• Principles of Cryptography
• Symmetric Cryptography (aka. Secret-Key Cryptography)
• Asymmetric Cryptography (aka. Public-Key Cryptography)
• Hashes and Message Digests
• Conclusion
6 / 129 Caesar Cipher [Stallings 2013; Kurose et al. 2017]
plain:  a b c d e f g h i j k l m n o p q r s t u v w x y z
        0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
cipher: d e f g h i j k l m n o p q r s t u v w x y z a b c
        3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 0 1 2
plain:  bob, i love you. alice
cipher: ere, l oryh brx. dolfh
$c_i = E(p_i) = (v(p_i) + k) \bmod 26$, with $k = 3$ for Caesar
$p_i = D(c_i) = (v(c_i) - k) \bmod 26$
Only 25 possible keys ⇒ Brute force attack is possible
7 / 129 Monoalphabetic Cipher [Kurose et al. 2017]
• 25 possible keys ⇒ Caesar cipher is far from secure
• Let’s increase the keyspace!
• Monoalphabetic substitution — uniquely replace one letter with another, without regular pattern
plain:  a b c d e f g h i j k l m n o p q r s t u v w x y z
cipher: m n b v c x z a s d f g h j k l p o i u y t r e w q
plain:  bob, i love you. alice
cipher: nkn, sgktc wky. mgsbc
• Keyspace: 26! substitutions possible ($\approx 2^{88}$)
• Spectrum too broad for brute force attack ⇒ job done?
8 / 129 Monoalphabetic Cipher: Cryptanalysis I [Stallings 2013]
Imagine you know the nature of the plaintext, e.g. uncompressed English
1. Compute the relative frequency of letters in the ciphertext
2. Compare with the standard distribution for English
Figure 2.5 (Stallings 2013), Relative Frequency of Letters in English Text: relative frequency (%) of each letter A to Z; e is the most frequent letter (12.702 %), followed by t (9.056 %).
Stallings' worked example: substituting the four letters identified by frequency so far (P → e, Z → t, S → a, W → h) into the ciphertext gives (unknown letters shown as dots)
UZQSOVUOHXMOPVGPOZPEVSGZWSZOPFPESXUDBMETSXAIZ
.t.a........e..e.te..a.that.e.e.a.......a...t
VUEPHZHMDZSHZOWSFPAPPDTSVPQUZWYMXUZUHSX
...e.t...ta.t.ha.e.ee..a.e..th....t..a.
EPYEPOPDZSZUFPOMBZWPFUPZHMDJUDTMOHMQ
.e..e.e.tat..e...the..et............
Only four letters have been identified, but already we have quite a bit of the message. Continued analysis of frequencies plus trial and error should easily yield a solution from this point. The complete plaintext, with spaces added between words, follows:
it was disclosed yesterday that several informal but direct contacts have been made with political representatives of the viet cong in moscow
Monoalphabetic ciphers are easy to break because they reflect the frequency data of the original alphabet. A countermeasure is to provide multiple substitutes,
⇒ The relative frequency of letters is sufficient to decrypt long-enough ciphertexts (100's of characters)
9 / 129 Monoalphabetic Cipher: Cryptanalysis II
If the ciphertext is not long enough:
1. use bigram, trigram, quadgram, . . . , and (short) word frequencies [Singh 2002]
Bigrams: th, er, on, an, re, he, in, ed, nd, ha, at, en, es, of, or, nt, ea, ti, to, it, st, io, le, is, ou, ar, as, de, rt, ve
Trigrams: the, and, tha, ent, ion, tio, for, nde, has, nce, edt, tis, oft, sth, men
Doubles: ss, ee, tt, ff, ll, mm, oo
First letters: t, o, a, w, b, c, d, s, f, m, r, h, i, y, e, g, l, n, p, u, j, k
Final letters: e, s, t, d, n, r, y, f, l, o, g, h, a, k, m, p, u, w
One-letter words: a, I
Two-letter words: of, to, in, it, is, be, as, at, so, we, he, by, or, on, do, if, me, my, up, an, go, no, us, am
...
2. assign parts of the key according to these rules, and brute force the other positions
⇒ Monoalphabetic ciphers are easy to break: they reflect the same frequency data as the plaintext
10 / 129 Vigenère Cipher [Stallings 2013]
Polyalphabetic substitution: hide the structure of the plaintext by using multiple monoalphabetic substitutions.
• We have the 26 Caesar ciphers
• We use one Caesar rule per plaintext character
• The order in which we use them is the key i.e. for a text of length n and a key of length m (m ≤ n):
$c_0 = (p_0 + k_0) \bmod 26$
$c_1 = (p_1 + k_1) \bmod 26$
$\vdots$
$c_{m-1} = (p_{m-1} + k_{m-1}) \bmod 26$
$c_m = (p_m + k_0) \bmod 26$
$\vdots$
$c_{n-1} = (p_{n-1} + k_{(n-1) \bmod m}) \bmod 26$
11 / 129 Vigenère Cipher: Cryptanalysis I [Stallings 2013]
• Good at obscuring letter frequency information
• Some information from the plaintext still remains
Figure 2.6 (Stallings 2013), Relative Frequency of Occurrence of Letters: normalized relative frequency (each letter's count divided by the count of the most frequent letter, so e has relative frequency 1) plotted against the 26 letters ranked by decreasing frequency, for plaintext (which is also the curve of any monoalphabetic substitution cipher), Playfair, Vigenère, and a random polyalphabetic cipher.
12 / 129 Vigenère Cipher: Cryptanalysis II [Stallings 2013]
plain:  w e a r e d i s c o v e r e d s a v e y o u r s e l f
key:    d e c e p t i v e d e c e p t i v e d e c e p t i v e
cipher: z i c v t w q n g r z g v t w a v z h c q y g l m g j
1. Determine the key length
— based on sequence repetitions in the ciphertext
— here: displacement of 9 ⇒ key of length (1,) 3, or 9
— sequence repetitions are unavoidable with long ciphertexts
2. Attack the monoalphabetic substitutions individually
— here: key length = 9 ⇒ attack 9 separate Caesar ciphers, one for every 9th character
13 / 129 Vigenère Cipher with Auto Key [Stallings 2013]
Use non-repeating keyword, which is as long as message
plain:  w e a r e d i s c o v e r e d s a v e y o u r s e l f
key:    d e c e p t i v e w e a r e d i s c o v e r e d s a v
cipher: z i c v t w q n g k z e i i g a s x s t s l v v w l a
Still vulnerable to statistical analysis: key and plaintext exhibit same frequency distribution
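As an added example (not code from the slides), the following Python reproduces the two cryptanalysis steps on the slide's own ciphertext: Kasiski's repeated-sequence test to find candidate key lengths, then a split into columns that are each a Caesar cipher. The column solver uses the simple heuristic that the most frequent ciphertext letter in a column stands for plaintext e; the longer plaintext used in the test is constructed so that e is the most frequent letter of every column.

```python
from collections import Counter
from itertools import combinations
from math import gcd

ALPHABET = "abcdefghijklmnopqrstuvwxyz"

def vigenere(text, key, decrypt=False):
    """c_i = (p_i + k_{i mod m}) mod 26; the key letter is subtracted when decrypting."""
    letters = [ch for ch in text.lower() if ch in ALPHABET]
    out = []
    for i, ch in enumerate(letters):
        k = ALPHABET.index(key[i % len(key)])
        shift = -k if decrypt else k
        out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
    return "".join(out)

def kasiski_displacements(ciphertext, seq_len=3):
    """Distances between repeated sequences of seq_len letters (step 1 of the slide)."""
    positions = {}
    for i in range(len(ciphertext) - seq_len + 1):
        positions.setdefault(ciphertext[i:i + seq_len], []).append(i)
    return [b - a for pos in positions.values() for a, b in combinations(pos, 2)]

def candidate_key_lengths(displacements):
    """The key length divides every displacement, so try the divisors of their gcd."""
    g = 0
    for d in displacements:
        g = gcd(g, d)
    return [m for m in range(1, g + 1) if g % m == 0]

def columns(ciphertext, m):
    """Column i holds every m-th letter starting at i: one Caesar cipher per column."""
    return [ciphertext[i::m] for i in range(m)]

def guess_shift(column):
    """Frequency heuristic: assume the most frequent letter of the column is plaintext 'e'."""
    most_common = Counter(column).most_common(1)[0][0]
    return (ALPHABET.index(most_common) - ALPHABET.index("e")) % 26

def recover_key(ciphertext, m):
    """Step 2 of the slide: solve the m Caesar ciphers independently."""
    return "".join(ALPHABET[guess_shift(col)] for col in columns(ciphertext, m))

if __name__ == "__main__":
    ct = vigenere("wearediscoveredsaveyourself", "deceptive")
    disp = kasiski_displacements(ct)
    print(ct, disp, candidate_key_lengths(disp))   # 'vtw' repeats 9 letters apart
```

With only three letters per column, the slide's 27-letter example is too short for the frequency heuristic; the test uses a constructed 35-letter plaintext with a 3-letter key instead.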
14 / 129 Playfair Cipher [Stallings 2013]
• Multiple-letter encryption: treat bigrams (or digrams) as single units
• Playfair relies on a 5 × 5 matrix
p l a y f
i/j r b c d
e g h k m
n o q s t
u v w x z
Key: playfair, written first while avoiding repetitions; the remaining cells are filled alphabetically
1. Encrypt the plaintext two letters at a time
— Split double letters in the same pair with 'x' (e.g. balloon → ba lx lo on)
2. Plaintext letters in the same row are encrypted by the letter to the right (e.g. E(ay) = yf; E(st) = tn)
3. Plaintext letters in the same column are encrypted by the letter beneath (e.g. E(pu) = ip; E(aq) = bw)
4. Else, replace each letter by the one in its own row and the other letter's column (e.g. E(qu) = nw; E(ew) = hu)
15 / 129 Playfair Cipher: Cryptanalysis [Triguero et al. 2006]
• Keyspace
— 25 letters
— Shifts of rows and/or columns lead to the same ciphertext
⇒ There are $25!/5^2 = 24!$ distinct keys ($\approx 2^{79}$)
• The ciphertext is composed of an independent set of bigrams
— Inverted letters result in inverted ciphered bigrams (e.g. E(es) = kn, E(se) = nk)
— Regardless of the key, there are only $A^2_{25} = \frac{25!}{(25-2)!} = 25 \times 24 = 600$ possible bigrams as output of Playfair
⇒ Statistical attack on bigrams
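The following Python is an added example, not code from the slides: it builds the matrix for the key playfair, applies the three encryption rules (and their inverses), and enumerates all 25 × 24 ordered pairs of distinct letters to confirm that Playfair can only ever output 600 distinct bigrams, which is what makes the bigram statistics above attackable.

```python
from itertools import permutations

def playfair_matrix(key):
    """5x5 matrix: key letters first (no repeats), then the rest of the alphabet;
    i and j share one cell (j is written as i)."""
    cells = []
    for ch in key.lower().replace("j", "i") + "abcdefghiklmnopqrstuvwxyz":
        if ch.isalpha() and ch not in cells:
            cells.append(ch)
    return [cells[r * 5:r * 5 + 5] for r in range(5)]

def playfair_pair(matrix, a, b, decrypt=False):
    """Apply the three Playfair rules to one bigram (a, b) with a != b."""
    pos = {ch: (r, c) for r, row in enumerate(matrix) for c, ch in enumerate(row)}
    (ra, ca), (rb, cb) = pos[a], pos[b]
    step = -1 if decrypt else 1
    if ra == rb:                                  # same row: letter to the right
        return matrix[ra][(ca + step) % 5] + matrix[rb][(cb + step) % 5]
    if ca == cb:                                  # same column: letter beneath
        return matrix[(ra + step) % 5][ca] + matrix[(rb + step) % 5][cb]
    return matrix[ra][cb] + matrix[rb][ca]        # rectangle: own row, other column

def prepare(plaintext):
    """Split into bigrams; a doubled letter is separated with 'x' and an odd
    final letter is padded ('q' is used instead whenever the letter is 'x')."""
    letters = [c for c in plaintext.lower().replace("j", "i") if c.isalpha()]
    pairs, i = [], 0
    while i < len(letters):
        a = letters[i]
        filler = "x" if a != "x" else "q"
        b = letters[i + 1] if i + 1 < len(letters) else filler
        if a == b:
            pairs.append(a + filler)
            i += 1
        else:
            pairs.append(a + b)
            i += 2
    return pairs

def playfair(matrix, text, decrypt=False):
    pairs = [text[i:i + 2] for i in range(0, len(text), 2)] if decrypt else prepare(text)
    return "".join(playfair_pair(matrix, p[0], p[1], decrypt) for p in pairs)

def distinct_output_bigrams(matrix):
    """Encrypt every ordered pair of distinct letters and collect the outputs."""
    letters = [ch for row in matrix for ch in row]
    return {playfair_pair(matrix, a, b) for a, b in permutations(letters, 2)}

if __name__ == "__main__":
    M = playfair_matrix("playfair")
    print(playfair(M, "balloon"), len(distinct_output_bigrams(M)))
```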
16 / 129 Hill Cipher [Stallings 2013]
Multiletter cipher based on modular linear algebra
$C = E(P, K) = PK \bmod 26$, where $K$ is square
$P = D(C, K) = CK^{-1} \bmod 26$
For example, considering blocks of size 3 (i.e. the encryption of trigrams):
$$\begin{pmatrix} c_1 & c_2 & c_3 \end{pmatrix} = \begin{pmatrix} p_1 & p_2 & p_3 \end{pmatrix} \begin{pmatrix} k_{11} & k_{12} & k_{13} \\ k_{21} & k_{22} & k_{23} \\ k_{31} & k_{32} & k_{33} \end{pmatrix} \bmod 26$$
⇔
$c_1 = (k_{11} p_1 + k_{21} p_2 + k_{31} p_3) \bmod 26$
$c_2 = (k_{12} p_1 + k_{22} p_2 + k_{32} p_3) \bmod 26$
$c_3 = (k_{13} p_1 + k_{23} p_2 + k_{33} p_3) \bmod 26$
17 / 129 Hill Cipher: Cryptanalysis [Stallings 2013]
• Like Playfair, it hides single-letter frequencies, even though it is worse than Playfair for bigrams
• The larger the size of K, the more frequency information is hidden: a 3 × 3 K hides bigram information, etc.
• The cipher is easily broken with known-plaintext attacks. For an m × m cipher,
— if you know m plaintext-ciphertext pairs, each of length m
— you have an unknown m × m matrix K such that
$$C = PK \Leftrightarrow \begin{pmatrix} c_{11} & c_{12} & \cdots & c_{1m} \\ c_{21} & c_{22} & \cdots & c_{2m} \\ \vdots & \vdots & \ddots & \vdots \\ c_{m1} & c_{m2} & \cdots & c_{mm} \end{pmatrix} = \begin{pmatrix} p_{11} & p_{12} & \cdots & p_{1m} \\ p_{21} & p_{22} & \cdots & p_{2m} \\ \vdots & \vdots & \ddots & \vdots \\ p_{m1} & p_{m2} & \cdots & p_{mm} \end{pmatrix} K$$
and you need to invert P, so that $K = P^{-1}C$
— if P is not invertible modulo 26 (e.g. det P = 0), you need additional plaintext-ciphertext pairs
18 / 129 Breaking the Hill Cipher using Crib Dragging I [Lyons 2012]
• Imagine a 2 × 2 Hill cipher and the ciphertext
fupcmtgzkyukbqfjhuktzkkixtta
• We know "of the" is a part of the original message, so we slide it along the ciphert﻿ext pairs, one letter at a time:
fu pc mt gz ky uk bq fj hu kt zk ki xt ta
of th e
 o ft he
   of th e
    o ft he
......
As an example, we consider the second line, i.e.
• the plaintext "ft" corresponds to the ciphertext "pc"
• the plaintext "he" corresponds to the ciphertext "mt"
19 / 129 Breaking the Hill Cipher using Crib Dragging II
$$\begin{pmatrix} p & c \\ m & t \end{pmatrix} = \begin{pmatrix} f & t \\ h & e \end{pmatrix} K \Leftrightarrow \begin{pmatrix} 15 & 2 \\ 12 & 19 \end{pmatrix} = \begin{pmatrix} 5 & 19 \\ 7 & 4 \end{pmatrix} K$$
and
$$K = P^{-1}C = \begin{pmatrix} 5 & 19 \\ 7 & 4 \end{pmatrix}^{-1} \begin{pmatrix} 15 & 2 \\ 12 & 19 \end{pmatrix}$$
20 / 129 Breaking the Hill Cipher using Crib Dragging III
$\det P = -113 \Rightarrow P$ is invertible; $\det P \bmod 26 = -9 \bmod 26 = 17$
$$P^{-1} \bmod 26 = \frac{1}{\det P}\,\Delta_P^T \bmod 26 = \frac{1}{17} \begin{pmatrix} (-1)^{1+1} \cdot 4 & (-1)^{1+2} \cdot 19 \\ (-1)^{2+1} \cdot 7 & (-1)^{2+2} \cdot 5 \end{pmatrix} \bmod 26 = \frac{1}{17} \begin{pmatrix} 4 & 7 \\ 19 & 5 \end{pmatrix} \bmod 26$$
(where $\Delta_P^T$ is the transposed cofactor matrix of P)
Computing the modular inverse: $17x \bmod 26 = 1 \Rightarrow x = 23$; and
$$P^{-1} \bmod 26 = 23 \begin{pmatrix} 4 & 7 \\ 19 & 5 \end{pmatrix} \bmod 26 = \begin{pmatrix} 92 & 161 \\ 437 & 115 \end{pmatrix} \bmod 26 = \begin{pmatrix} 14 & 5 \\ 21 & 11 \end{pmatrix}$$
21 / 129 Breaking the Hill Cipher using Crib Dragging IV
So, we have
$$K = P^{-1}C = \begin{pmatrix} 14 & 5 \\ 21 & 11 \end{pmatrix} \begin{pmatrix} 15 & 2 \\ 12 & 19 \end{pmatrix} \bmod 26 = \begin{pmatrix} 270 & 123 \\ 447 & 251 \end{pmatrix} \bmod 26 = \begin{pmatrix} 10 & 19 \\ 5 & 17 \end{pmatrix}$$
and the candidate key is “jftr”. If we use the key “jftr” to decrypt the ciphertext, the result is
frfthezyssqyvfetlvbafvaconfz
So, the assumption about the pairs of ciphertext/plaintext was wrong.
22 / 129 Breaking the Hill Cipher using Crib Dragging V
If we apply the same method with the 18th line, we have
$$\begin{pmatrix} k & t \\ z & k \end{pmatrix} = \begin{pmatrix} f & t \\ h & e \end{pmatrix} K \Leftrightarrow \begin{pmatrix} 10 & 19 \\ 25 & 10 \end{pmatrix} = \begin{pmatrix} 5 & 19 \\ 7 & 4 \end{pmatrix} K$$
$$K = \begin{pmatrix} 5 & 19 \\ 7 & 4 \end{pmatrix}^{-1} \begin{pmatrix} 10 & 19 \\ 25 & 10 \end{pmatrix} \bmod 26 = \begin{pmatrix} 5 & 4 \\ 17 & 15 \end{pmatrix}$$
and the candidate key is “erdp”. Using this key, the decryption yields
defendtheeastwallofthecastle
and the cipher is broken.
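As an added example (not code from the slides or from Lyons), the following Python automates the crib dragging of slides 18 to 22: for every position of the crib it solves K = P⁻¹C modulo 26 from the two letter pairs the crib covers, and decrypts the whole ciphertext with the candidate key. Letters are numbered a = 0 .. z = 25 and a ciphertext pair is the plaintext row vector times K, exactly as in the slides; the second line yields the wrong candidate, the 18th the key that decrypts to "defendtheeastwallofthecastle".

```python
A = "abcdefghijklmnopqrstuvwxyz"
MOD = 26
# Ciphertext and crib from the slides ("of the" is known to be in the message).
CIPHERTEXT = "fupcmtgzkyukbqfjhuktzkkixtta"
CRIB = "ofthe"

def inv_mod(a, m=MOD):
    """Multiplicative inverse of a modulo m, or None if gcd(a, m) != 1."""
    a %= m
    for x in range(1, m):
        if (a * x) % m == 1:
            return x
    return None

def mat_inv_2x2(M):
    """Inverse of a 2x2 matrix modulo 26 via the adjugate (slide 20), or None."""
    (a, b), (c, d) = M
    det_inv = inv_mod(a * d - b * c)
    if det_inv is None:
        return None
    return [[(det_inv * d) % MOD, (det_inv * -b) % MOD],
            [(det_inv * -c) % MOD, (det_inv * a) % MOD]]

def mat_mul(X, Y):
    """2x2 matrix product modulo 26."""
    return [[sum(X[i][k] * Y[k][j] for k in range(2)) % MOD for j in range(2)]
            for i in range(2)]

def hill_apply(text, K):
    """Row-vector convention of the slides: each letter pair (p1 p2) becomes
    (p1 p2) K mod 26. Pass K to encrypt and K^-1 to decrypt."""
    out = []
    for i in range(0, len(text) - 1, 2):
        p = [A.index(text[i]), A.index(text[i + 1])]
        c = [(p[0] * K[0][j] + p[1] * K[1][j]) % MOD for j in range(2)]
        out.append(A[c[0]] + A[c[1]])
    return "".join(out)

def key_from_crib(ciphertext, crib, offset):
    """Place the crib at `offset`, take the first two letter pairs it fully covers,
    and solve K = P^-1 C; None if P is not invertible modulo 26."""
    pairs = [i for i in range(0, len(ciphertext) - 1, 2)
             if i >= offset and i + 1 <= offset + len(crib) - 1]
    if len(pairs) < 2:
        return None
    P = [[A.index(crib[i - offset]), A.index(crib[i + 1 - offset])] for i in pairs[:2]]
    C = [[A.index(ciphertext[i]), A.index(ciphertext[i + 1])] for i in pairs[:2]]
    P_inv = mat_inv_2x2(P)
    return None if P_inv is None else mat_mul(P_inv, C)

def crib_drag(ciphertext=CIPHERTEXT, crib=CRIB):
    """One entry per line of the crib-dragging table: (offset, candidate K, decryption).
    Offsets whose P or K is not invertible modulo 26 are skipped."""
    results = []
    for offset in range(len(ciphertext) - len(crib) + 1):
        K = key_from_crib(ciphertext, crib, offset)
        K_inv = mat_inv_2x2(K) if K is not None else None
        if K_inv is not None:
            results.append((offset, K, hill_apply(ciphertext, K_inv)))
    return results

if __name__ == "__main__":
    for offset, K, plaintext in crib_drag():
        print(f"line {offset + 1:2d}: K={K} -> {plaintext}")
```

Line n of the table on slide 18 corresponds to offset n − 1 here; picking the line whose decryption reads as English is still left to the analyst.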
23 / 129 One-Time Pad I [Stallings 2013]
• Use a random key that is as long as the message ⇒ no need to repeat the key
— The key is unique to a single message, and then discarded
• Only cryptosystem that exhibits perfect secrecy
No matter how much ciphertext you have, you never get information about the plaintext
cipher: ankyodkyurepfjbyojdsplreyiunofdoiuerfpluyts
key:    pxlmvmsydofuyrvzwctnlebnecvgdupahfzzlmnyih
plain:  mr mustard with the candlestick in the hall
key:    pftgpmiydgaxgoufhklllmhsqdqogtewbqfgyovuhwt
plain:  miss scarlet with the knife in the library
25 / 129 Rotor Machines I
• Rotor machine: ubiquitous ciphering mechanism during the 1920s-1980s
• A random sequence makes a polyalphabetic substitution unbreakable (see One-Time Pad, slide 23)
• Problem: long random sequences are impractical to use
• Solution: generate a long key from a simple pattern automatically
26 / 129 Rotor Machines II
• A rotor wires the electrical current from any of the 26 inputs to any of the 26 outputs (= a substitution cipher)
• The wiring between inputs and outputs can be changed depending on the rotor position
• A size-26 rotor is effectively a Vigenère cipher ⇒ easy to break
• Add a new rotor, stepped only when the first rotor has done a revolution
• Now you need 26 · 26 = 676 letters before repeating the substitution
• For three rotors, you need 26 · 26 · 26 = 17,576 letters
Figure 2.8 (Stallings 2013), Three-Rotor Machine with Wiring Represented by Numbered Contacts: fast, medium and slow rotors, (a) initial setting and (b) setting after one keystroke, in which the fast rotor has advanced by one position.
27 / 129 The Enigma Machine I [Rijmenants 2011]
• Keyboard: plaintext/ciphertext to convert
— involution (for ease of use)
— a stroke steps a rotor by one position
• Lightboard: converted text
• 3 rotors in use
— 8 distinct rotors available
— window to show/set position
• 1 reflector in use
— 2 distinct reflectors available
• 1 plugboard, up to 10 pairs connected
28 / 129 The Enigma Machine II [Rijmenants 2011]
• All machines need to be set up with identical settings
— Rotor selection and position on the shaft
— Relative position of the alphabet on the rotor
— Reflector selection
— Plugboard connections
— Starting position of the rotors
• We now call this a key distribution problem
— Starting position: chosen by the operator (now called an initialization vector)
— Other settings distributed by code sheets
29 / 129 The Enigma Machine III [Rijmenants 2011]
30 / 129 Enigma: Theoretical Strength – Plugboard I [Miller 1995]
• The plugboard has 26 sockets
• It swaps inputs to scramble the letters
31 / 129 Enigma: Theoretical Strength – Plugboard II [Miller 1995]
• Its security depends on
1. the number of cables/connections used (p)
2. the group of sockets selected to be plugged
3. the interconnections made
• Given p cables (0 ≤ p ≤ 13) there are
$$C^{26}_{2p} = \binom{26}{2p} = \frac{26!}{(2p)!\,(26-2p)!}$$
possible distinct selections of 2p sockets
32 / 129 Enigma: Theoretical Strength – Plugboard III [Miller 1995]
• Within each of these selections of 2p sockets:
— The end of the first cable can be plugged into 2p − 1 sockets
— The end of the second cable can be plugged into 2p − 3 sockets
— The total number of connections of p cables inside the 2p sockets is
$$(2p-1)(2p-3) \cdots (1) = (2p-1)!! = \frac{(2p)!}{2^p\,p!}$$
• The number of possible settings for the plugboard with p cables is
$$C^{26}_{2p}\,(2p-1)!! = \frac{26!}{(2p)!\,(26-2p)!} \cdot \frac{(2p)!}{2^p\,p!} = \frac{26!}{2^p\,(26-2p)!\,p!}$$
• The overall total number of plugboard settings is
$$\sum_{p=0}^{13} \frac{26!}{2^p\,(26-2p)!\,p!} > 532 \cdot 10^{12}$$
33 / 129 Enigma: Theoretical Strength – Rotors [Rijmenants 2011]
• There are 26! possible rotors mapping 26 inputs to 26 outputs
• Any of these can be put on the shaft, that is
$26!\,(26!-1)(26!-2)$
possible orders
• Each rotor can be inserted in any of the 26 positions, that is
$26^3 = 17{,}576$
possible starting positions for the rotors
• Each rotor has a movable ring with a notch that pushes the next rotor after a revolution
• This means $26^2 = 676$ possible ring positions that affect the way the rotors turn
34 / 129 Enigma: Theoretical Strength [Miller 1995]
• The reflector is similar to the plugboard
— Connects two inputs together to swap their signal
— Ensures one letter cannot be translated as itself
• There are $(26-1)!! = 25!! > 7 \cdot 10^{12}$ possible reflectors
• The theoretical number of possible configurations for Enigma is
$$\sum_{p=0}^{13} \frac{26!}{2^p\,(26-2p)!\,p!} \cdot 26!\,(26!-1)(26!-2) \cdot 26^3 \cdot 26^2 \cdot 25!! > 3 \cdot 10^{114}$$
The total number of atoms in the universe is about $10^{80}$
35 / 129 Enigma: Figuring out the Rotor Wirings I [Rijmenants 2011]
• The settings of the machine were valid for 1 day
• Before ciphering a message, the operator chooses a message key
— The position of the rotors to be used to decipher the message
• Using the start position of the code sheet:
1. Choose 3 letters (e.g. GHK)
2. Type them once (e.g. they are translated as XMC)
3. Type them once more (e.g. they are translated as FZQ)
4. Move the rotors to the key position (e.g. GHK)
5. Type the message
• Transmit the message starting with the key (e.g. XMCFZQ)
36 / 129 Enigma: Figuring out the Rotor Wirings II [Rijmenants 2011]
• French Intelligence got hold of a manual for Enigma
• Transmitted to the Polish Cipher Bureau in 1932
• Obvious relationship between the first 6 letters of any message!
G → X, H → M, K → C
G + 3 positions → F, H + 3 positions → Z, K + 3 positions → Q
• The rotor wirings were uncovered within weeks of message capture
• The German cryptologists realized this weakness only in 1940
37 / 129 Enigma: Practical Security [Rijmenants 2011; Miller 1995; Ratcliff 2003]
• The number of cables used was known to be p = 10, i.e. $> 50 \cdot 10^{12}$ plugboard settings
• There were 5 rotors in use, therefore only 5 · 4 · 3 = 60 possible orders
• The number of possible initial positions remains $26^3 = 17{,}576$
• The number of possible ring settings remains $26^2 = 676$
• Only 1 reflector was (mostly) used
• The total key space for Enigma, as used by Nazi Germany, was around $1.07 \cdot 10^{23}$, i.e. a 77-bit key
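As an added example (not code from the slides), the following Python evaluates the counts derived on slides 30 to 37 with exact integers: the plugboard formula (checking, for every p, that C(26, 2p) · (2p − 1)!! equals its simplified form), the reflector count, the theoretical configuration count, and the operational key space with its size in bits.

```python
from math import comb, factorial, log2

def double_factorial(n):
    """n!! for odd n: n (n-2) (n-4) ... 1, with (-1)!! = 1 by convention."""
    result = 1
    while n > 1:
        result *= n
        n -= 2
    return result

def plugboard_settings(p):
    """Plugboard settings with p cables: 26! / (2^p (26-2p)! p!) (slide 32)."""
    return factorial(26) // (2**p * factorial(26 - 2*p) * factorial(p))

def derivation_consistent():
    """C(26,2p) ways to pick the sockets times (2p-1)!! ways to pair them must
    equal the simplified formula for every 0 <= p <= 13."""
    return all(comb(26, 2*p) * double_factorial(2*p - 1) == plugboard_settings(p)
               for p in range(14))

def plugboard_total():
    """Sum over all possible numbers of cables (slide 32)."""
    return sum(plugboard_settings(p) for p in range(14))

def reflectors():
    """A reflector pairs all 26 contacts: (26-1)!! = 25!! possibilities (slide 34)."""
    return double_factorial(25)

def theoretical_keyspace():
    """Slide 34: any three of the 26! conceivable rotors, in any order."""
    f = factorial(26)
    rotor_orders = f * (f - 1) * (f - 2)
    return plugboard_total() * rotor_orders * 26**3 * 26**2 * reflectors()

def operational_keyspace():
    """Slide 37: p = 10 cables, 3 rotors chosen out of 5, a single reflector."""
    return plugboard_settings(10) * (5 * 4 * 3) * 26**3 * 26**2

def key_bits(n):
    """Equivalent key length in bits."""
    return log2(n)

if __name__ == "__main__":
    print(plugboard_settings(10), plugboard_total(), reflectors())
    print(theoretical_keyspace(), operational_keyspace(), key_bits(operational_keyspace()))
```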
38 / 129 Enigma: Attacking with Cribs
• Prototyped messages were exchanged every day
— e.g. every morning, 6AM, weather reports ⇒ "wetterbericht" would be included in the message
• Enigma does not encode a letter to itself, so the crib can only sit at positions where none of its letters coincides with the ciphertext letter above it:
··· jxatqbggywcrybbqt ···
wetterbericht
 wetterbericht
  wetterbericht
   wetterbericht
• The crib is used as input to a Bombe to automatically test all possible Enigma settings
39 / 129 The Turing/Welchman Bombe
• A logic, electromechanical machine used for systematic search
• Each 3-wheel column is effectively an Enigma machine
• Once a match is found, the machine stops
• The settings are tested on a real Enigma to see if the deciphered text is German
• One full run of all $26^3$ rotor positions would take 20 minutes
• 211 Bombes were built and used daily
40 / 129 Food for Thought
• The theoretical security provided by Enigma was excellent
• The operational security available was way less
— Pro: stealing an Enigma did not break the mechanism
— Con: a lot of it (rotor wiring) was security through obscurity, which cannot work (see Kerckhoffs' principles, slide 43)
• Proper design and use of cryptographic techniques is mandatory
41 / 129 Outline
• Introduction
• Classic Cryptography and Cryptanalysis
⇒ Principles of Cryptography
• Symmetric Cryptography (aka. Secret-Key Cryptography)
• Asymmetric Cryptography (aka. Public-Key Cryptography)
• Hashes and Message Digests
• Conclusion
42 / 129 Fundamental Tenet of Cryptography [Kaufman et al. 2002]
• Cryptographers invent clever methods to keep secrets
• Cryptanalysts use clever ways to discover these secrets
• The constant competition improves the global quality of encryption schemes
If lots of smart people have failed to solve a problem, then it probably won’t be solved (soon).
43 / 129 Kerckhoffs' Principles [Kerckhoffs 1883]
These are the requirements for a strong encryption system to be used within the military:
1. The system must be practically, if not mathematically, undecipherable;
2. It must not require secrecy, and it can be stolen by the enemy without causing trouble;
3a. It must be easy to communicate and retain the key without the aid of written notes;
3b. It must also be easy to change or modify the key at the discretion of the correspondents;
4. It ought to be compatible with telegraph communication;
5. It must be portable, and its use must not require more than one person;
6. It must be easy to use and must neither be stressful to use nor require the knowledge of and compliance with a long series of rules.
44 / 129 How Secure? [Stallings 2013]
Unconditionally secure
• The ciphertext does not contain enough information to uniquely determine the plaintext
• Regardless of the ciphertext length, or of the time available to break the cipher
• = One-Time Pad
Computationally secure
• The cost of breaking the cipher exceeds the value of the encrypted information
• The time required to break the cipher exceeds the useful lifetime of the information
45 / 129 To Publish or not to Publish [Kaufman et al. 2002]
Keeping a cryptographic algorithm as secret as possible will enhance its security. —Folk wisdom
• Bad guys will find out about the algorithm eventually anyway (e.g. Lorenz cipher, Purple cipher, etc.)
• Impossible to keep secret if the algorithm is to be widely used
• Publication gives valuable feedback and free consulting from knowledgeable people about possible weaknesses and shortcomings
N.B.:
• Kerckhoffs' principles ⇏ you should publish the algorithm
• Assume the enemy knows how the system works! i.e. even if the enemy knows the algorithm, the cipher will not be breached
• Not publishing = defense in depth (through obscurity)
46 / 129 Properties of Diffusion and Confusion [Shannon 1945]
A good ciphering system should frustrate statistical cryptanalysis. It should exhibit the properties of:
• diffusion: dissipate the statistical structure of the plaintext into long combinations of ciphered letters
— the enemy should have to intercept a tremendous amount of ciphertext to reconstruct statistics
• confusion: make the relationship between the plaintext and the encryption key as complex as possible
— prevents the enemy from reducing the space for an exhaustive key search
— e.g. ciphertext symbols should result from operations involving multiple/all key symbols
47 / 129 The Avalanche Effect [Stallings 2013]
A small change in either the plaintext or the key yields a significant change in the ciphertext.
(This is a consequence of confusion)
48 / 129 Outline
• Introduction
• Classic Cryptography and Cryptanalysis
• Principles of Cryptography
⇒ Symmetric Cryptography (aka. Secret-Key Cryptography)
• Asymmetric Cryptography (aka. Public-Key Cryptography)
• Hashes and Message Digests
• Conclusion
49 / 129 Symmetric Cryptography: Introduction
• Symmetric cryptography (aka. secret-key cryptography, or conventional cryptography) is a class of cryptographic algorithms that rely on a single key for encryption and decryption
• The key is the secret, only known by the sender and receiver
• Fast implementations, both software and hardware
• Two types of algorithms: block ciphers, stream ciphers