Outline Cryptography Encryption/Decryption

Home , Dictionary attack, Plaintext

Outline

■ Basic Crypto Concepts and Definitions

■ Some Early (Breakable) Cryptosystems

■ “Key” Issues CSCI 454/554 Computer and Network Security

Topic 2. Introduction to Cryptography

Cryptography

■ Cryptography: the art of secret writing

■ Converts data into unintelligible (random- looking) form

■ Must be reversible (can recover original data without loss or modification) Basic Concepts and Definitions ■ Not the same as compression

■ n bits in, n bits out

■ Can be combined with compression

■ What’s the right order?

3 4

Cryptography vs. Steganography Encryption/Decryption

■ Cryptography conceals the ■ Steganography (hiding contents of communication in plain sight) conceals plaintext ciphertext plaintext between two parties the very existence of encryption decryption ■ Anonymous communication communication conceals who is key key communicating ■ Examples?

■ Watermark ■ Plaintext: a message in its original form ■ Info leakage ■ Ciphertext: a message in the transformed, unrecognized ■ Kerckhoffs's principle ■ Security through form ■ A cryptosystem should be obscurity ■ Encryption: the process that transforms a plaintext into a secure even if everything ciphertext about the system, except ■ Defense in depth ■ Decryption: the process that transforms a ciphertext to ■ Open source software? the key, is public the corresponding plaintext knowledge ■ Key: the value used to control encryption/decryption. 5 6 Cryptanalysis Ciphertext Only Attacks

■ “code breaking”, “attacking the cipher” ■ Ex.: attacker can intercept encrypted

■ Difficulty depends on communications, nothing else

■ sophistication of the cipher ■ when is this realistic?

■ amount of information available to the ■ Breaking the cipher: analyze patterns in code breaker the ciphertext

■ Any cipher can be broken by exhaustive ■ provides clues about the encryption trials, but rarely practical method/key

■ When can you recognize if you have succeeded?

7 8

Known Plaintext Attacks Chosen Plaintext Attacks

■ Ex.: attacker intercepts encrypted text, but ■ Ex.: attacker can choose any plaintext also has access to some of the desired, and intercept the corresponding corresponding plaintext (definite ciphertext

advantage) ■ When is this realistic? ■ When is this realistic?

■ Requires plaintext-ciphertext pairs to ■ Choose exactly the messages that will recover the key, but the attacker cannot reveal the most about the cipher choose which particular pairs to access.

■ Makes some codes (e.g., mono- alphabetic ciphers) very easy to break

9 10

Chosen Ciphertext Attacks The “Weakest Link” in Security

■ Ex.: attacker can present any ciphertext ■ Cryptography is rarely the weakest link

desired to the cipher, and get the ■ Weaker links corresponding plaintext ■ Implementation of cipher ■ When is this realistic? ■ Distribution or protection of keys ■ Isn’t this the goal of cryptanalysis???

11 12 Perfectly Secure Ciphers Computationally Secure Ciphers

1. Ciphertext does not reveal any information 1. The cost of breaking the cipher quickly exceeds about which plaintexts are more likely to have the value of the encrypted information produced it and/or

■ i.e., the cipher is robust against chosen ciphertext 2. The time required to break the cipher exceeds attacks the useful lifetime of the information and ■ Under the assumption there is not a faster / cheaper way to break the cipher, waiting to be 2. Plaintext does not reveal any information about discovered which ciphertexts are more likely to be produced

■ i.e, the cipher is robust against chosen plaintext attacks

13 14

Secret Keys vs. Secret Algorithms Secret Keys vs. Secret Algorithms

■ Security by obscurity ■ Commercial world

■ We can achieve better security if we keep the ■ Published algorithms secret

■ Hard to keep secret if used widely ■ Wide review, trust

■ Reverse engineering, social engineering ■ Military

■ Keep algorithms secret ■ Publish the algorithms ■ Avoid giving enemy good ideas ■ Security of the algorithms depends on the secrecy of the keys ■ Military has access to the public domain

■ Less unknown vulnerability if all the smart (good) knowledge anyway. people in the world are examine the algorithms

15 16

Caesar Cipher

■ Replace each letter with the one 3 letters later in the alphabet

■ ex.: plaintext CAT ! ciphertext FDW

plaintext Some Early Ciphers alphabet A B C D E F G H I J K …

ciphertext A B C D E F G H I J K … alphabet

Trivial to break

17 18 “Captain Midnight Secret Decoder” Ring Mono-Alphabetic Ciphers

■ Replace each letter by one that is δ positions ■ Generalized substitution cipher: an arbitrary (but later, where is selectable (i.e., is the key) δ δ fixed) mapping of one letter to another ■ example: IBM ! HAL (for δ=25) 26 88 ■ 26! (≈ 4.0*10 ≈ 2 ) possibilities ■ Also trivial to break with modern computers (only ■ The key must specify which permutation; how 26 possibilities) many bits does that take? plaintext A B C D E F G H I J K … plaintext alphabet A B C D E F G H I J K … alphabet … … ciphertext A B C D E F G H I J K … alphabet ciphertext A B C D E F G H I J K … alphabet

19 20

Attacking Mono-Alphabetic Ciphers Attacking… (Cont’d)

■ If all words equally likely, probability of any one ■ Broken by statistical analysis of letter, word, and word would be quite low phrase frequencies of the language ■ how many words are there in the English language? ■ Frequency of single letters in English language, taken from a large corpus of text: ■ Actual frequencies of some words in English language:

21 22

(Tip: Counting Letter Frequencies) Vigenere Cipher

■ Program letter, written by TJ O’Connor ■ A set of mono-alphabetic substitution ■ Output for Declaration of Independence: rules (shift amounts) is used

■ the key determines what the sequence of rules is

■ also called a poly-alphabetic cipher

■ Ex.: key = (3 1 5)

■ i.e., substitute first letter in plaintext by letter+3, second letter by letter+1, third letter by letter+5

■ then repeat this cycle for each 3 letters 23 24 Vigenere… (Cont’d) Hill Ciphers

■ Ex.: plaintext = “BANDBAD” ■ Encrypts m letters of plaintext at each step plaintext message ■ i.e., plaintext is processed in blocks of size m B A N D B A D ■ Encryption of plaintext p to produce ciphertext c is accomplished by: c = Kp shift amount ■ the m×m matrix K is the key 3 1 5 3 1 5 3 ■ K’s determinant must be relatively prime to ciphertext message size of alphabet (26 for our example)

E B S G C F G ■ decryption is multiplication by inverse: p = K-1c Breaking the cipher: look for repeated patterns in the ■ remember: all arithmetic mod 26 ciphertext

25 26

Hill Cipher Example Hill… (Cont’d)

1 2 -1 21 2 ■ For m = 2, let K = , K = ■ Fairly strong for large m 3 5 3 25 ■ But, vulnerable to chosen plaintext attack A B X Y D G Plaintext p = ■ choose m plaintexts, generate 0 1 23 24 3 6 corresponding ciphertexts

(21*15+2*13) mod 26 ■ form a m x m matrix X from the (1*0+2*1) mod 26 plaintexts, and (3*23+5*24) mod 26 m x m matrix Y from the ciphertexts 2 5 19 7 15 13 (details omitted) Ciphertext c = -1 C F T H P N ■ can solve directly for K (i.e., K = Y X )

27 28

Permutation Ciphers Permutation… (Cont’d)

■ The previous codes are all based on ■ Permutation cipher ex. #1: substituting one symbol in the alphabet for ■ Permute each successive block of 5 letters in the another symbol in the alphabet message according to position offset <+1,+3,-2,0,-2>

■ Permutation cipher: permute (rearrange, plaintext message transpose) the letters in the message W H Y O W H Y C A N T I F L Y ■ the permutation can be fixed, or can change over the length of the message

Y W W O H C H N A Y F T Y L I ciphertext message

29 30 Permutation… (Cont’d) Permutation… (Cont’d)

■Permutation cipher ex. #2: ■ A longer example: plaintext = ■ arrange plaintext in blocks of n columns and m rows “ATTACK POSTPONED UNTIL TWO AM” ■ then permute columns in a block according to a key K n = 4 Key: 4 3 1 2 5 7 6 plaintext A T T A C K P Key (perm. of columns) ! 4 3 1 2 O S T P O N E Plaintext 1 2 3 4 symbol D U N T I L T 5 6 7 8 m = 3 positions W O A M X Y Z 9 10 11 12 ciphertext ciphertext sequence (by plaintext position) for one block 3 7 11 4 8 12 2 6 10 1 5 9 TTNA APTM TSUO AODW COIX PETZ KNLY

31 32

A Perfectly Secure Cipher: One-Time Pads OTP… (Cont’d)

■ According to a theorem by Shannon, a ■ Idea perfectly secure cipher requires: ■ generate a random bit string (the key) as long as the ■ a key length at least as long as the plaintext, and share with the other communicating message to be encrypted party ■ encryption: XOR this key with plaintext to get ■ the key can only be used once (i.e., for ciphertext

each message we need a new key) ■ decrypt: XOR same key with ciphertext to get plaintext plaintext ■ Very limited use due to need to negotiate plaintext ciphertext ⊕ ⊕ and distribute long, random keys for every message Key

33 34

OTP… (Cont’d)

plaintext 01011001 01000101 01010011 ⊕ = key (pad) 00010111 00001010 01110011 = ⊕ Some “Key” Issues ciphertext 01001110 01001111 00100000

■ Why can’t the key be reused?

35 36 Types of Cryptography Secret Key Cryptography

■ Number of keys

■ Hash functions: no key plaintext ciphertext plaintext ■ Secret key cryptography: one key encryption decryption

■ Public key cryptography: two keys - public, private key Same key key

■ The way in which the plaintext is processed ■ Same key is used for encryption and decryption ■ Stream cipher: encrypt input message one ■ Also known as symbol at a time ■ Symmetric cryptography ■ Block cipher: divide input message into blocks ■ Conventional cryptography of symbols, and processes the blocks in sequence

■ May require padding 37 38

Secret Key Cryptography (Cont’d) Secret Key Cryptography (Cont’d)

■ Basic technique ■ Ciphertext approximately the same length

■ Product cipher: as plaintext ■ ■ Multiple applications of interleaved Examples substitutions and permutations ■ Stream Cipher: RC4

■ Block Cipher: DES, IDEA, AES plaintext S P S P … S ciphertext

key

39 40

Applications of Secret Key Cryptography Public Key Cryptography (PKC)

■ Transmitting over an insecure channel plaintext ciphertext plaintext ■ Challenge: How to share the key? encryption decryption

■ Secure Storage on insecure media

■ Authentication Public key Private key

■ Challenge-response ■ Invented/published in 1975 ■ To prove the other party knows the secret key ■ A public/private key pair is used ■ Must be secure against chosen plaintext attack ■ Public key can be publicly known

■ Integrity check ■ Private key is kept secret by the owner of the key

■ Message Integrity Code (MIC) ■ Much slower than secret key cryptography

■ a.k.a. Message Authentication Code (MAC) ■ Also known as

■ Asymmetric cryptography

41 42 Public Key Cryptography (Cont’d) Applications of Public Key Cryptography

■ Data transmission: message Digital Yes/No Sign Verify signature ■ Alice encrypts ma using Bob’s public key eB, Bob decrypts ma using his private key dB. Private key Public key ■ Storage:

■ Can create a safety copy: using public key of trusted ■ Another mode: digital signature person.

■ Only the party with the private key can create a digital ■ Authentication: signature. ■ No need to store secrets, only need public keys. ■ The digital signature is verifiable by anyone who ■ Secret key cryptography: need to share secret key for knows the public key. every person to communicate with. ■ The signer cannot deny that he/she has done so.

■ The signature is created on a hash value of the message. 43 44

Applications of PKC (Cont’d) Hash Algorithms

■ Digital signatures

■ Sign hash H(m) with the private key Message of A fixed-length Hash H ■ Authorship arbitrary length short message

■ Integrity

■ Non-repudiation: can’t do with secret key ■ Also known as cryptography ■ Message digests ■ One-way transformations ■ Key exchange ■ One-way functions ■ Establish a common session key between two ■ Hash functions parties ■ Length of H(m) much shorter then length of m ■ Particularly for encrypting long messages ■ Usually fixed lengths: 128 or 160 bits

45 46

Hash Algorithms (Cont’d) Applications of Hash Functions

■ Desirable properties of hash functions ■ Primary application

■ Performance: Easy to compute H(m) ■ Generate/verify digital signatures

■ One-way property (Preimage resistance): Message H(m) Signature Given H(m) but not m, it’s difficult to find m. H Sign m Sig(H(m)) ■ Weak collision free (Second preimage

resistance): Given m1, it’s difficult to find m2 Private key such that H(m1) = H(m2). Message H(m) ■ Strong collision free (Collision Resistance): m H Verify Yes/No Computationally infeasible to find m1, m2 such Signature that H(m1) = H(m2) Sig(H(m)) Public key

47 48 Applications of Hash Functions (Cont’d) Applications of Hash Functions (Cont’d)

■ Password hashing ■ Message fingerprinting

■ Doesn’t need to know password to verify it ■ Verify whether some large data structures ■ Store H(password+salt) and salt, and compare (e.g., a program) has been modified it with the user-entered password ■ Keep a copy of the hash ■ Salt makes dictionary attack more difficult ■ At verification time, recompute the hash and ■ Message integrity compare ■ Agree on a secrete key k

■ Compute H(m|k) and send with m ■ Hashing program and the hash values must be ■ Doesn’t require encryption algorithm, so the protected separately from the large data technology is exportable structures

49 50

Summary

■ Cryptography is a fundamental, and most carefully studied, component of security

■ not usually the “weak link”

■ “Perfectly secure” ciphers are possible, but too expensive in practice

■ Early ciphers aren’t nearly strong enough

■ Key distribution and management is a challenge for any cipher