CS-630: Cyber and Network Security

Lecture # 2: Introduction to and Symmetric Ciphers (Stream Ciphers)
Prof. Dr. Sufian Hameed, Department of Computer Science, FAST-NUCES

Cryptography

Examples

Cryptosystem

Attacks against Cryptosystems

1.) Ciphertext-only: Attacker possesses a string y of the ciphertext.

2.) Known plaintext: Attacker possesses a string x of the plaintext and the corresponding ciphertext y. The problem now is to find the key which produces y from x.

3.) Chosen plaintext: Attacker has access to the encryption machinery. Hence he can choose a plaintext string x and construct the corresponding ciphertext string y.

4.) Chosen ciphertext: Attacker has access to the decryption machinery. Hence he can choose a ciphertext string y and construct the corresponding plaintext string x.

Security of Keys

Cryptography is everywhere

Secure communication:
• web traffic: HTTPS
• wireless traffic: 802.11i WPA2 (and WEP), GSM, Bluetooth
Encrypting files on disk:
• EFS (Encrypting File System)
• TrueCrypt (open-source disk encryption software)
Content protection:
• DVD --- Content Scramble System (CSS) is a Digital Rights Management (DRM) and encryption system employed on almost all commercially produced DVD-Video
  • Easy to break
• Blu-Ray --- Advanced Access Content System (AACS)
User authentication
… and much much more

Things to remember

Cryptography is:
• A tremendous tool
• The basis for many security mechanisms

Cryptography is not:
• The solution to all security problems
  • Software bugs
  • Social engineering attacks
• Reliable unless implemented and used properly
  • Wired Equivalent Privacy (WEP -- a good example of how not to use cryptography)
• Something you should try to invent yourself
  • many examples of broken ad-hoc designs
  • Proprietary ciphers, once re-engineered, are easily broken

History

David Kahn, “The Codebreakers” (1996)

Historical Cryptosystems

• Monoalphabetic cipher: Each alphabetic character is mapped onto a unique alphabetic character
  • Examples: Shift Cipher, Substitution Cipher, Affine Cipher

• Polyalphabetic cipher: Each alphabetic character is mapped onto various alphabetic characters
  • Examples: Vigenère Cipher, Hill Cipher, Permutation Cipher

Symmetric Cryptosystems

Formal Definition: A cryptosystem is defined over (K, M, C) and a pair of “efficient” algorithms (E, D) s.t. ∀ m ∈ M, k ∈ K: E(k, m) = c ∈ C and D(k, E(k, m)) = m

Efficient means runs in polynomial time

Shift Cipher

• Cipher in which each letter in the plaintext is replaced by a letter some fixed number of positions down the alphabet. Examples include the Caesar cipher and ROT13
• Caesar Cipher
  • Each letter is replaced with a fixed shift of 3 letters
Example of the Caesar cipher using left rotation of 3 places
Plain:  ABCDEFGHIJKLMNOPQRSTUVWXYZ
Cipher: DEFGHIJKLMNOPQRSTUVWXYZABC

Source: wikipedia

Shift Cipher (ROT13)

• ROT13
  • Each letter is replaced with a fixed shift of 13 letters
The transformation can be done as follows
Plain:  ABCDEFGHIJKLMNOPQRSTUVWXYZ
Cipher: NOPQRSTUVWXYZABCDEFGHIJKLM

Modular arithmetic representation:
• Encryption of a letter x by a shift n can be described mathematically as

  E_n(x) = (x + n) mod 26

• Decryption is performed in a similar manner

  D_n(x) = (x - n) mod 26

Key space is ridiculously small, very easy to break
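The shift cipher in code, as an added example that is not part of the lecture slides: encryption and decryption in the modular form E_n(x) = (x + n) mod 26, and an exhaustive search over all 26 keys to show why the key space is too small to protect anything. The mini word list used to score candidate plaintexts is a constructed heuristic.

```python
import string

ALPHABET = string.ascii_uppercase  # 26 letters; index = position 0..25

def shift_encrypt(plaintext: str, n: int) -> str:
    """E_n(x) = (x + n) mod 26 applied to each letter; other characters pass through."""
    out = []
    for ch in plaintext.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + n) % 26])
        else:
            out.append(ch)
    return "".join(out)

def shift_decrypt(ciphertext: str, n: int) -> str:
    """D_n(x) = (x - n) mod 26, i.e. encryption with the negated shift."""
    return shift_encrypt(ciphertext, -n)

# Constructed mini word list used to score candidate decryptions.
COMMON_WORDS = {"THE", "AND", "AT", "TO", "OF", "IS", "ME", "MEET", "ATTACK", "DAWN"}

def english_score(text: str) -> int:
    """Number of words found in the word list (a crude plaintext detector)."""
    return sum(1 for w in text.split() if w.strip(".,!?") in COMMON_WORDS)

def break_shift(ciphertext: str):
    """Exhaustive search: the whole key space is 26 shifts, so try every one
    and keep the shift whose decryption scores highest."""
    best_n = max(range(26), key=lambda n: english_score(shift_decrypt(ciphertext, n)))
    return best_n, shift_decrypt(ciphertext, best_n)

if __name__ == "__main__":
    c = shift_encrypt("attack at dawn", 3)
    print(c)                                                   # DWWDFN DW GDZQ
    print(shift_encrypt("HELLO", 13), shift_encrypt("URYYB", 13))  # URYYB HELLO (ROT13 is its own inverse)
    print(break_shift(c))                                      # (3, 'ATTACK AT DAWN')
```

Applying ROT13 twice returns the plaintext because 13 + 13 = 26 ≡ 0 (mod 26); the same modular arithmetic makes the 26-key exhaustive search instantaneous.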

Source: wikipedia

Substitution Cipher

Idea: use a permutation over the set of characters as the key, to get a more flexible scheme than the shift cipher

• Key space significantly larger
• Character frequencies are preserved

What is the size of the key space in the substitution cipher, assuming 26 letters?

Breaking Monoalphabetic Ciphers

Monoalphabetic ciphers preserve the frequency of alphabetic characters, pairs, etc. → Identify alphabetic characters by their frequency

Method to decipher natural languages:

1. Determine the frequency of alphabetic characters in the ciphertext
2. Identify alphabetic characters according to their frequency: e, n, i, s, r, a, t (in German: e, n, r, i, s, t, u, d, a, g, l, o, ...)
3. Determine the frequency of pairs
4. Identify e.g. th, he
5. Look at the identified text, re-substitute, guess, ...
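The five-step method above, carried out in code as an added example that is not from the slides: a substitution cipher under a constructed key, letter and pair (digram) frequencies of plaintext and ciphertext, and the rank-matching guess of step 2. The sample sentence and key are constructed; ENGLISH_ORDER is the standard published frequency ranking of English letters.

```python
from collections import Counter

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
# Expected English letter order, most to least frequent (standard published tables).
ENGLISH_ORDER = "ETAOINSHRDLCUMWFGYPBVKJXQZ"

def substitution_encrypt(plaintext: str, key: str) -> str:
    """key is a permutation of the 26 letters: plaintext letter ALPHABET[i] -> key[i]."""
    table = dict(zip(ALPHABET, key))
    return "".join(table.get(ch, ch) for ch in plaintext.upper())

def substitution_decrypt(ciphertext: str, key: str) -> str:
    inverse = dict(zip(key, ALPHABET))
    return "".join(inverse.get(ch, ch) for ch in ciphertext)

def letter_frequencies(text: str) -> dict:
    """Step 1: relative frequency of each letter (non-letters ignored)."""
    counts = Counter(ch for ch in text.upper() if ch in ALPHABET)
    total = sum(counts.values()) or 1
    return {ch: counts[ch] / total for ch in ALPHABET}

def rank_guess(ciphertext: str) -> dict:
    """Step 2: assume the i-th most frequent ciphertext letter is the i-th most
    frequent English letter. Returns a ciphertext -> plaintext mapping."""
    freqs = letter_frequencies(ciphertext)
    ranked = sorted(ALPHABET, key=lambda ch: -freqs[ch])
    return dict(zip(ranked, ENGLISH_ORDER))

def pair_frequencies(text: str, top: int = 5):
    """Step 3: most common letter pairs (digrams), e.g. TH and HE in English."""
    letters = [ch for ch in text.upper() if ch in ALPHABET]
    return Counter(a + b for a, b in zip(letters, letters[1:])).most_common(top)

def apply_mapping(ciphertext: str, mapping: dict) -> str:
    """Steps 4-5: substitute with the current guess and look at the result."""
    return "".join(mapping.get(ch, ch) for ch in ciphertext)

if __name__ == "__main__":
    key = "QWERTYUIOPASDFGHJKLZXCVBNM"                    # constructed permutation
    pt = "THE THIEF THOUGHT THAT THE THREE THINGS THERE WERE THEIRS"
    ct = substitution_encrypt(pt, key)
    print(ct)
    print(pair_frequencies(pt, 2), pair_frequencies(ct, 2))  # TH dominates both, relabelled
    print(apply_mapping(ct, rank_guess(ct)))                  # partial; refined by hand in step 5
```

On a sentence this short the rank guess already misfires (T, not E, is the most frequent letter of the sample), which is why step 5 is a manual loop of re-substituting and guessing; the digram counts, however, survive the cipher exactly, relabelled through the key.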

Breaking Monoalphabetic Ciphers

Vigenère Cipher

Popular polyalphabetic substitution cipher

• Known as “le chiffre indéchiffrable” (‘the indecipherable cipher’) ;-)
• Combination of simple substitution ciphers
• Rotations determined by a word (key)

Letter-to-number table:
A  B  C  D  E  F  G  H  I  J  K  L  M  N  O  P  Q  R  S  T  U  V  W  X  Y  Z
0  1  2  3  4  5  6  7  8  9  10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25

Breaking the Vigenère Cipher
• trivial if the period can be guessed
• Kasiski test
  • Repeated words may, by chance, sometimes be encrypted using the same key letters, leading to repeated groups in the ciphertext
  • Consider the following encryption using the keyword ABCD
    Key:        ABCD ABCD ABCD ABCD ABCD ABCD ABCD
    Plaintext:  CRYP TOIS SHOR TFOR CRYP TOGR APHY
    Ciphertext: CSAS TPKV SIQU TGQU CSAS TPIU AQJB
  • The repetition of CSASTP is at a distance of 16
  • Assuming that the repeated segments represent the same plaintext segments, this implies that the key is 16, 8, 4, 2, or 1 characters long
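Added example (not the slides' own code) reproducing the Kasiski test on the slide's ABCD keyword: Vigenère encryption with the A=0..Z=25 table, then the search for repeated ciphertext segments, the distances between their occurrences, and the candidate key lengths derived from them. It generalises the slide slightly by working from repeated trigrams and taking the gcd of all distances found.

```python
from collections import defaultdict
from functools import reduce
from math import gcd

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"

def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Shift each letter by the corresponding key letter (A=0..Z=25); the key
    repeats with period len(key). Non-letters are dropped."""
    letters = [ch for ch in text.upper() if ch in ALPHABET]
    out = []
    for i, ch in enumerate(letters):
        shift = ALPHABET.index(key[i % len(key)].upper())
        if decrypt:
            shift = -shift
        out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
    return "".join(out)

def repeated_segments(ciphertext: str, length: int = 3) -> dict:
    """Map each segment of `length` letters that occurs more than once to the
    list of positions where it starts."""
    positions = defaultdict(list)
    for i in range(len(ciphertext) - length + 1):
        positions[ciphertext[i:i + length]].append(i)
    return {seg: pos for seg, pos in positions.items() if len(pos) > 1}

def kasiski_distances(ciphertext: str, length: int = 3) -> list:
    """Distances between consecutive occurrences of every repeated segment."""
    dists = []
    for pos in repeated_segments(ciphertext, length).values():
        dists.extend(b - a for a, b in zip(pos, pos[1:]))
    return dists

def candidate_key_lengths(ciphertext: str, length: int = 3) -> list:
    """If the repeats are genuine, the key length divides every distance, so
    the candidates are the divisors of their gcd (largest first)."""
    dists = kasiski_distances(ciphertext, length)
    if not dists:
        return []
    g = reduce(gcd, dists)
    return [d for d in range(g, 0, -1) if g % d == 0]

if __name__ == "__main__":
    ct = vigenere("CRYPTOISSHORTFORCRYPTOGRAPHY", "ABCD")
    print(ct)                            # CSASTPKVSIQUTGQUCSASTPIUAQJB
    print(repeated_segments(ct, 6))      # {'CSASTP': [0, 16]}
    print(candidate_key_lengths(ct))     # [16, 8, 4, 2, 1]
```

Once a period p is fixed, every p-th ciphertext letter was produced by the same shift, so each of the p columns falls to the shift-cipher frequency analysis of the previous slides.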

Source: wikipedia

Rotor Machines (1870-1943)
• The Hebern Machine (single rotor)
• Easily broken (CT only) using letter frequency, digram frequency, trigram frequency

[Figure: single-rotor machine; plaintext letters A, B, C, ..., Z are mapped through the rotor wiring, and the rotor position is the key]

Rotor Machines (cont.)

Most famous: the Enigma (3-5 rotors)

With 4 rotors, #keys = 26^4 ≈ 2^18 (actually 2^36 due to the optional plugboard)

Turing Bombe

Must watch

“The Man Who Cracked Enigma”

One Time Pad, and Pseudorandom Generators

Symmetric Cryptosystems

Formal Definition: A cryptosystem is defined over (K, M, C) and a pair of “efficient” algorithms (E, D) s.t. ∀ m ∈ M, k ∈ K: E(k, m) = c ∈ C and D(k, E(k, m)) = m

Efficient means runs in polynomial time. E is often randomized. D is always deterministic.

One Time Pad (Vernam 1917)

One Time Pad has perfect secrecy (i.e. no CT-only attacks). Based on the simple XOR operation.
M = C = K = {0,1}^n
C := E(k, m) = k ⊕ m
D(k, c) = k ⊕ c
Example:
  msg: 0 1 1 0 1 1 1
  key: 1 0 1 1 0 1 0
  CT:  1 1 0 1 1 0 1
Indeed D(k, E(k, m)) = D(k, k ⊕ m) = k ⊕ (k ⊕ m) = (k ⊕ k) ⊕ m = 0 ⊕ m = m
One-time pad = XOR cipher with constraints:
• Key length equals message length
• Key bits are truly random (not pseudo-random)
• Key is used only once and destroyed

You are given a message (m) and its OTP encryption (c). Can you compute the OTP key from m and c?

• No, I cannot compute the key.
• Yes, the key is k = m ⊕ c
• I can only compute half the bits of the key.
• Yes, the key is k = m ⊕ m

The One Time Pad (Vernam 1917)

Very fast enc/dec !! … but long keys (as long as the plaintext)

Is the OTP secure? What is a secure cipher?

What is a secure cipher?

Attacker’s abilities: CT-only attack (for now)

Possible security requirements:
attempt #1: attacker cannot recover secret key

attempt #2: attacker cannot recover all of plaintext

Shannon’s idea: CT should reveal no “info” about PT

Information Theoretic Security

Def: A cipher (E, D) over (K, M, C) has perfect secrecy if

∀ m0, m1 ∈ M (|m0| = |m1|) and ∀ c ∈ C

Pr[ E(k, m0) = c ] = Pr[ E(k, m1) = c ] where k is chosen uniformly at random from K

• Given CT can’t tell if msg is m0 or m1 (for all m0, m1)
• Most powerful adversary learns nothing about PT from CT
• no CT-only attacks !!! (but other attacks possible)

The bad news …

• i.e. perfect secrecy ⇒ key-len ≥ msg-len
• Hard to use in practice !!!

One Time Pad in practice

• Intelligence and military services
  • Regular usage by KGB spies
  • Hotline between USA and USSR
• Major problems
  • Key exchange difficult
  • True randomness required
• Not very practical today
• Inspiration for other methods, e.g. stream ciphers

Stream Ciphers: making OTP practical

Idea: replace the “random” key by a “pseudorandom” key

PRG is a function G: {0,1}^s → {0,1}^n s.t. n >> s

PRG is efficiently computable by a deterministic algorithm

Stream Ciphers: making OTP practical

Key (K) is the seed used by G to generate the PRG output. Security: PRG must be unpredictable

Stream Ciphers
• Stream ciphers
  • Bit-wise encryption and decryption of data
  • Application of a pseudo-random number generator (PRG)
  • XOR operation on the pseudo-random keystream

• Security solely depends on the randomness of the PRG

Stream Ciphers

Stream ciphers cannot have perfect secrecy !!

• Need a different definition of security

• Security will depend on the specific PRG

PRG must be unpredictable

We say that G: K → {0,1}^n is predictable if:

Def: PRG is unpredictable if it is not predictable
∀i: no “eff” adv. can predict bit (i+1) for “non-neg” ε

Suppose G: K → {0,1}^n is such that for all k: XOR(G(k)) = 1

Is G predictable ??

• Yes, given the first bit I can predict the second
• No, G is unpredictable
• Yes, given the first (n-1) bits I can predict the nth bit
• It depends

Weak PRGs (do not use for crypto)

With an LCG, a small number of outputs can be used to predict the remaining bits

glibc random():

  r[i] ← ( r[i-3] + r[i-31] ) % 2^32
  output r[i] >> 1

Negligible and non-negligible

• In practice, for a concrete ε:
  • ε non-neg: ε ≥ 1/2^30 (likely to happen over 1GB of data)
  • ε negligible: ε ≤ 1/2^80 (won’t happen over the life of the key)
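Added example, not from the slides: the recurrence given above for glibc random() and a predictor that, from 31 consecutive outputs, narrows the next output to two values. The 31-word initial state is constructed directly rather than derived from glibc's real seeding routine, which the slide does not describe; the recurrence and the r[i] >> 1 output are as stated on the slide.

```python
MASK32 = (1 << 32) - 1
MASK31 = (1 << 31) - 1

def additive_feedback_outputs(initial_state, count):
    """initial_state: the 31 words r[0..30]. Returns `count` outputs r[i] >> 1
    for i = 31, 32, ..., using r[i] = (r[i-3] + r[i-31]) mod 2^32."""
    r = list(initial_state)
    outputs = []
    for i in range(31, 31 + count):
        r.append((r[i - 3] + r[i - 31]) & MASK32)
        outputs.append(r[i] >> 1)
    return outputs

def predict_next(outputs):
    """Given the outputs seen so far (at least 31), return the set of possible
    values of the next one. Writing r = 2*o + l (l is the dropped low bit):
    o[i] = (o[i-3] + o[i-31] + ((l[i-3] + l[i-31]) >> 1)) mod 2^31, and the
    carry term is 0 or 1, so the next output is one of just two values."""
    s = (outputs[-3] + outputs[-31]) & MASK31
    return {s, (s + 1) & MASK31}

def prediction_hit_rate(outputs):
    """Fraction of outputs (after the first 31) that lie in the predicted pair."""
    hits = sum(outputs[i] in predict_next(outputs[:i]) for i in range(31, len(outputs)))
    return hits / (len(outputs) - 31)

if __name__ == "__main__":
    # Constructed 31-word state (not glibc's seeding); any state shows the same weakness.
    state = [(i * 2654435761 + 12345) & MASK32 for i in range(31)]
    outs = additive_feedback_outputs(state, 200)
    print(outs[31], predict_next(outs[:31]))   # the real output is one of the two candidates
    print(prediction_hit_rate(outs))           # 1.0
```

An observer who sees 31 outputs therefore predicts every later output with probability at least 1/2, which is exactly the “predictable” case of the definition above: ε here is 1/2, not negligible.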

Attack: two time pad is insecure !!

Never use a stream cipher key more than once !!

C1 ← m1 ⊕ PRG(k)

C2 ← m2 ⊕ PRG(k)

Eavesdropper does:

C1 ⊕ C2 → m1 ⊕ m2

Enough redundancy in English and ASCII encoding that:

m1 ⊕ m2 → m1 , m2
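The two-time-pad attack above, together with the OTP quiz, as an added example that is not part of the lecture: XOR encryption and decryption, key recovery k = m ⊕ c from a known plaintext, the leak C1 ⊕ C2 = m1 ⊕ m2 when a key is reused, and crib dragging, the standard way the English/ASCII redundancy is used to separate m1 and m2. The messages and the crib are constructed.

```python
import secrets

def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bytewise XOR; the OTP requires key and message of equal length."""
    if len(a) != len(b):
        raise ValueError("one-time pad: key and message lengths differ")
    return bytes(x ^ y for x, y in zip(a, b))

def xor_bits(a: str, b: str) -> str:
    """The same operation on bit strings, matching the slide's 7-bit example."""
    return "".join(str(int(x) ^ int(y)) for x, y in zip(a, b))

def otp_keygen(n: int) -> bytes:
    return secrets.token_bytes(n)          # truly random, fresh for every message

def otp_encrypt(key: bytes, msg: bytes) -> bytes:
    return xor_bytes(key, msg)             # C := E(k, m) = k XOR m

def otp_decrypt(key: bytes, ct: bytes) -> bytes:
    return xor_bytes(key, ct)              # D(k, c) = k XOR c

def recover_key(msg: bytes, ct: bytes) -> bytes:
    return xor_bytes(msg, ct)              # quiz: k = m XOR c

def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    return xor_bytes(c1, c2)               # = m1 XOR m2, the shared key cancels

def crib_drag(leak: bytes, crib: bytes):
    """Slide a guessed fragment `crib` of one message over m1 XOR m2; wherever
    the guess is right, the other message's text appears at that offset."""
    return [(off, xor_bytes(leak[off:off + len(crib)], crib))
            for off in range(len(leak) - len(crib) + 1)]

def printable_offsets(leak: bytes, crib: bytes):
    """Offsets where crib dragging yields printable ASCII: the candidates worth keeping."""
    return [off for off, piece in crib_drag(leak, crib) if all(32 <= b < 127 for b in piece)]

if __name__ == "__main__":
    m1, m2 = b"attack at dawn", b"defend at dusk"      # constructed messages
    k = otp_keygen(len(m1))
    c1, c2 = otp_encrypt(k, m1), otp_encrypt(k, m2)    # same key twice: the mistake
    print(xor_bits("0110111", "1011010"))              # 1101101, as on the slide
    print(recover_key(m1, c1) == k)                    # True
    leak = two_time_pad_leak(c1, c2)
    print(printable_offsets(leak, b" at "))            # includes offset 6
```

The crib " at " placed at offset 6 reveals " at " in the other message as well, and each confirmed fragment extends the guess for both messages; nothing about the key is ever needed.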

Real world examples

• Project Venona (1941-1946)
  • Roll a dice and compute a pad. This seems boring, and they started using the same pads again and again. Soviet messages sent from 1941 to 1946: about 3000 messages decrypted.
• MS-PPTP (Windows NT):
  [Figure: client and server encrypt with the same key k in both directions]
  Need different keys for C→S and S→C

Real world examples

802.11b WEP:

[Figure: frame = IV || ( m || CRC(m) ) ⊕ PRG( IV || k ), with the key k shared by both sides]

Length of IV: 24 bits
• Repeated IV after 2^24 ≈ 16M frames
• On some 802.11 cards: IV resets to 0 after power cycle

Avoid related keys

802.11b WEP:

[Figure: frame = IV || ( m || CRC(m) ) ⊕ PRG( IV || k )]

key for frame #1: (1 || k)
key for frame #2: (2 || k)

A better construction

[Figure: k → PRG → a separate key for each frame]

now each frame has a pseudorandom key
⇒ better solution: use a stronger encryption method (as in WPA2)

Yet another example: disk encryption

Two time pad: summary

Never use a stream cipher key more than once !!
• Network traffic: negotiate a new key for every session (e.g. TLS)
• Disk encryption: typically do not use a stream cipher

Attack 2: No Integrity (OTP is malleable)

  enc (⊕k):  m  →  m ⊕ k
  attacker:  (m ⊕ k) ⊕ p
  dec (⊕k):  (m ⊕ k ⊕ p) ⊕ k  =  m ⊕ p

Modifications to ciphertext are undetected and have a predictable impact on the plaintext

Attack 2: No Integrity

  enc (⊕k):  “From: Bob”  →  ciphertext
  attacker:  ciphertext ⊕ p
  dec (⊕k):  “From: Eve”

Modifications to ciphertext are undetected and have a predictable impact on the plaintext
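The malleability attack on the slide, as an added example that is not the lecture's code: XORing the ciphertext with (known ⊕ desired) turns the decrypted “From: Bob” into “From: Eve” without any knowledge of the key. The second half shows the check that catches this, an HMAC over the ciphertext (encrypt-then-MAC); that fix is an assumption added here, since the slide only states the problem. Key and message bytes are constructed.

```python
import hashlib
import hmac

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def tamper(ciphertext: bytes, offset: int, known: bytes, desired: bytes) -> bytes:
    """Replace the plaintext `known` at `offset` with `desired` by XORing the
    ciphertext with p = known XOR desired. No key needed: for XOR-based
    encryption dec(c XOR p) = m XOR p."""
    p = xor_bytes(known, desired)
    head = ciphertext[:offset]
    body = ciphertext[offset:offset + len(p)]
    tail = ciphertext[offset + len(p):]
    return head + xor_bytes(body, p) + tail

def encrypt_then_mac(key_enc: bytes, key_mac: bytes, msg: bytes) -> bytes:
    """Assumed fix: append an HMAC-SHA256 tag over the ciphertext (encrypt-then-MAC)."""
    c = xor_bytes(key_enc, msg)
    return c + hmac.new(key_mac, c, hashlib.sha256).digest()

def decrypt_and_verify(key_enc: bytes, key_mac: bytes, blob: bytes):
    """Return the plaintext, or None if the ciphertext was modified in transit."""
    c, tag = blob[:-32], blob[-32:]
    expected = hmac.new(key_mac, c, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return xor_bytes(key_enc, c)

if __name__ == "__main__":
    key = bytes(range(50, 59))                       # constructed 9-byte pad
    c = xor_bytes(key, b"From: Bob")
    forged = tamper(c, 6, b"Bob", b"Eve")            # offset 6 is where "Bob" sits
    print(xor_bytes(key, forged))                    # b'From: Eve'
    mac_key = b"constructed-mac-key"
    blob = encrypt_then_mac(key, mac_key, b"From: Bob")
    print(decrypt_and_verify(key, mac_key, blob))                                  # b'From: Bob'
    print(decrypt_and_verify(key, mac_key, tamper(blob, 6, b"Bob", b"Eve")))       # None
```

The attacker only needs to know (or guess) what plaintext sits at the offset being rewritten, which headers such as “From:” make easy; a MAC keyed separately from the pad turns the same forgery into a detected failure.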

Real-world Stream Ciphers

RC4 Cipher

• Common stream cipher
• Developed by Ron Rivest for RSA Security
• Leaked to the public in 1994 (ARC4 = Alleged RC4)
• Key size (seed): 40 to 256 bits
• Some known weaknesses, e.g., in the WEP implementation

Old example (software): RC4 (1987)

[Figure: a 128-bit seed expands into a 2048-bit internal state; 1 byte of output per round]
• Used in HTTPS and WEP
• Weaknesses:
  1. Bias in initial output: Pr[ 2nd byte = 0 ] = 2/256
  2. Prob. of (0,0) is 1/256^2 + 1/256^3 (happens in GBs of data)
  3. Related key attacks

Old example (hardware): CSS (badly broken)

Linear feedback shift register (LFSR):
[Figure: shift register whose tapped bits are XORed and fed back into the first cell]

DVD encryption (CSS): 2 LFSRs
GSM encryption (A5/1,2): 3 LFSRs
Bluetooth (E0): 4 LFSRs
all broken

Old example (hardware): CSS (badly broken)

CSS: seed = 5 bytes = 40 bits

Cryptanalysis of CSS (2^17 time attack)

[Figure: a 17-bit LFSR and a 25-bit LFSR each emit 8 bits per step; the two bytes are combined by + (mod 256) into the keystream that encrypts the movie, whose first bytes ("CSS prefix") are known]

For all possible initial settings of the 17-bit LFSR do:
• Run the 17-bit LFSR to get 20 bytes of output
• Subtract from the CSS prefix ⇒ candidate 20 bytes of output of the 25-bit LFSR
• If consistent with the 25-bit LFSR, found the correct initial settings of both
• Using the key, generate the entire CSS output
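The 2^17 attack from the slide, as an added example that is neither the lecture's code nor the real CSS cipher: the feedback taps are constructed maximal-length trinomials and the two LFSR byte streams are combined by plain addition mod 256 as the slide draws it, so the numbers here do not apply to actual DVDs. What it does reproduce is the algorithm: enumerate every 17-bit setting, subtract its 20 output bytes from the known keystream prefix, and keep the setting whose remainder is consistent with a 25-bit LFSR.

```python
from typing import List, Optional, Tuple

# Fibonacci LFSR convention used throughout: bit 0 of the state is the output
# and the feedback bit enters at bit n-1. Taps {0, 3} give a_{t+n} = a_t XOR a_{t+3}
# (polynomial x^n + x^3 + 1), which is maximal-length for both n = 17 and n = 25.
# These taps are constructed for the example; they are not the real CSS taps.
TAP = 3

def lfsr_bits(n: int, state: int, count: int) -> Tuple[List[int], int]:
    """Clock an n-bit LFSR `count` times; return (output bits, final state)."""
    mask = (1 << n) - 1
    out = []
    for _ in range(count):
        out.append(state & 1)
        fb = (state ^ (state >> TAP)) & 1
        state = ((state >> 1) | (fb << (n - 1))) & mask
    return out, state

def bits_to_int(bits: List[int]) -> int:
    """Pack bits with the first bit as the least significant bit."""
    return sum(b << i for i, b in enumerate(bits))

def lfsr_bytes(n: int, state: int, nbytes: int) -> bytes:
    bits, _ = lfsr_bits(n, state, 8 * nbytes)
    return bits_to_int(bits).to_bytes(nbytes, "little")

def css_keystream(s17: int, s25: int, nbytes: int) -> bytes:
    """Keystream = LFSR17 bytes + LFSR25 bytes, byte-wise mod 256 (as on the slide)."""
    a, b = lfsr_bytes(17, s17, nbytes), lfsr_bytes(25, s25, nbytes)
    return bytes((x + y) & 0xFF for x, y in zip(a, b))

def consistent_with_lfsr(value: int, nbits: int, n: int) -> bool:
    """True iff the nbits low bits of `value` (bit t = a_t) obey a_{t+n} = a_t ^ a_{t+3}."""
    residual = (value >> n) ^ value ^ (value >> TAP)
    return residual & ((1 << (nbits - n)) - 1) == 0

def css_attack(prefix: bytes) -> Optional[Tuple[int, int]]:
    """prefix: the first 20 keystream bytes, known because the encrypted data
    starts with a fixed header. Tries all 2^17 - 1 non-zero 17-bit settings."""
    period = (1 << 17) - 1
    # A maximal-length LFSR walks through every non-zero state, so one run of
    # `period` bits from state 1 contains every candidate's output as a window.
    seq, final = lfsr_bits(17, 1, period)
    if final != 1:
        raise ValueError("feedback taps are not maximal-length for 17 bits")
    seq += lfsr_bits(17, 1, 8 * len(prefix))[0]        # the sequence wraps around
    # Eight byte views of the sequence, one per bit offset, so that the 20-byte
    # output of the state starting at bit s = 8*j + p is view[p][j:j+20].
    big = int("".join("1" if b else "0" for b in reversed(seq)), 2)
    nbytes = (len(seq) - 7) // 8
    view = [((big >> p) & ((1 << (8 * nbytes)) - 1)).to_bytes(nbytes, "little") for p in range(8)]
    p0, p1, p2, p3 = prefix[:4]
    for s in range(period):
        j, p = divmod(s, 8)
        w = view[p]
        # Subtract the guessed LFSR17 bytes from the prefix: candidate LFSR25 output.
        v = ((p0 - w[j]) & 0xFF) | (((p1 - w[j + 1]) & 0xFF) << 8) \
            | (((p2 - w[j + 2]) & 0xFF) << 16) | (((p3 - w[j + 3]) & 0xFF) << 24)
        if ((v >> 25) ^ v ^ (v >> TAP)) & 0x7F:          # 7-bit version of consistent_with_lfsr
            continue                                     # rejects ~127/128 of the guesses cheaply
        cand = bytes((prefix[k] - w[j + k]) & 0xFF for k in range(len(prefix)))
        full = int.from_bytes(cand, "little")
        if consistent_with_lfsr(full, 8 * len(prefix), 25):
            s17 = bits_to_int(seq[s:s + 17])
            s25 = full & ((1 << 25) - 1)                 # first 25 output bits = initial state
            return s17, s25
    return None

if __name__ == "__main__":
    s17, s25 = 0x1A2B5, 0x0F3C9A1                        # constructed secret settings
    ks = css_keystream(s17, s25, 20)
    print(css_attack(ks) == (s17, s25))                  # True
```

A 7-bit check on the first four candidate bytes discards almost every guess before the full 160-bit consistency test, so the whole 2^17 search finishes in a few seconds of CPython; a 40-bit seed that splits into two independent registers is only as strong as the larger one.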

Modern stream ciphers: eStream (2008)

PRG: {0,1}^s × R → {0,1}^n

Nonce: a non-repeating value for a given key.

E(k, m; r) = m ⊕ PRG(k; r)

The pair (k, r) is never used more than once.

eStream: Salsa20 (SW+HW)

Salsa20: {0,1}^128 or 256 × {0,1}^64 → {0,1}^n
Salsa20(k; r) := H(k, (r, 0)) || H(k, (r, 1)) || …
0, 1, … are counters that go from step to step

[Figure: the Salsa20 block: a 64-byte input made of the constants τ0, τ1, τ2, τ3, the 32-byte key k, the nonce r and the counter i; h (10 rounds) produces 64 bytes of output]
h: invertible function, designed to be fast on x86
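The eStream interface above, E(k, m; r) = m ⊕ PRG(k; r), with the keystream built block by block as H(k, (r, 0)) || H(k, (r, 1)) || …, as an added example that is not the lecture's code and is not Salsa20: the block function H is replaced by HMAC-SHA256 from the standard library (an assumption made so that it runs without extra packages; Salsa20's h has the same counter structure but is a different, much faster function). NonceGuard is an added illustration of enforcing that (k, r) is never reused on the sending side.

```python
import hashlib
import hmac

BLOCK_BYTES = 32   # one HMAC-SHA256 output per counter value

def prg(key: bytes, nonce: bytes, nbytes: int) -> bytes:
    """PRG(k; r) = H(k, (r, 0)) || H(k, (r, 1)) || ... truncated to nbytes,
    with H := HMAC-SHA256 standing in for the real block function."""
    out = bytearray()
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, nonce + counter.to_bytes(8, "little"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:nbytes])

def stream_encrypt(key: bytes, nonce: bytes, msg: bytes) -> bytes:
    """E(k, m; r) = m XOR PRG(k; r). Decryption is the same operation."""
    if len(nonce) != 8:
        raise ValueError("nonce must be 8 bytes (64-bit, as in Salsa20)")
    return bytes(m ^ k for m, k in zip(msg, prg(key, nonce, len(msg))))

stream_decrypt = stream_encrypt   # XOR is its own inverse

class NonceGuard:
    """Sender-side bookkeeping for 'the pair (k, r) is never used more than once':
    a counter nonce per key, plus a refusal to encrypt with a nonce already used."""

    def __init__(self, key: bytes):
        self.key, self.counter, self.used = key, 0, set()

    def next_nonce(self) -> bytes:
        r = self.counter.to_bytes(8, "little")
        self.counter += 1
        return r

    def is_fresh(self, nonce: bytes) -> bool:
        return nonce not in self.used

    def encrypt(self, msg: bytes, nonce: bytes = None) -> tuple:
        r = self.next_nonce() if nonce is None else nonce
        if not self.is_fresh(r):
            raise ValueError("nonce reuse with this key would produce a two-time pad")
        self.used.add(r)
        return r, stream_encrypt(self.key, r, msg)

if __name__ == "__main__":
    key = b"constructed-32-byte-key-00000000"   # constructed 32-byte key
    g = NonceGuard(key)
    r1, c1 = g.encrypt(b"first message")
    r2, c2 = g.encrypt(b"second message")
    print(stream_decrypt(key, r1, c1), r1 != r2)     # b'first message' True
    try:
        g.encrypt(b"again", nonce=r1)
    except ValueError as e:
        print(e)
```

A counter nonce never repeats within one key, which is the practical answer to the two-time-pad slides: each message gets its own keystream even though the key stays the same, and the receiver needs only (r, c) to decrypt.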

Is Salsa20 secure (unpredictable)?

• Unknown: no known provably secure PRGs
• In reality: no known attacks better than exhaustive search

Performance:

AMD Opteron, 2.2 GHz (Linux)

PRG                  Speed (MB/sec)
RC4                  126
Salsa20/12           643
eStream Sosemanuk    727

Acknowledgements

Material in this lecture is taken from the slides prepared by:
• Prof. Dr. Konrad Rieck (Uni-Göttingen)
• Prof. Dan Boneh (Stanford)