Classical Cryptography

CSC 482/582: Computer Security Topics

1. Modular Arithmetic Review 2. What is Cryptography? 3. Transposition Ciphers 4. Substitution Ciphers 1. Cæsar cipher 2. Vigènere cipher 5. Cryptanalysis: frequency analysis 6. Block Ciphers: AES and DES

CSC 482/582: Computer Security Modular Arithmetic Congruence  a = b (mod N) iff a = b + kN  ex: 37=27 mod 10 b is the residue of a, modulo N  Integers 0..N-1 are complete set of residues mod N

CSC 482/582: Computer Security Laws of Modular Arithmetic

(a + b) mod N = (a mod N + b mod N) mod N

(a - b) mod N = (a mod N - b mod N) mod N

ab mod N = (a mod N)(b mod N) mod N

a(b+c) mod N = ((ab mod N) + (ac mod N)) mod N

CSC 482/582: Computer Security What is Cryptography?

Cryptography: The art and science of keeping messages secure.

Cryptanalysis: the art and science of decrypting messages.

Cryptology: cryptography + cryptanalysis

CSC 482/582: Computer Security Terminology Plaintext: message P to be encrypted. Also called Plaintext cleartext.

Encryption: altering a Encryption message to keep its Procedure contents secret.

Ciphertext: encrypted message C. Ciphertext

CSC 482/582: Computer Security Early Cryptography Egyptian hieroglyphics ~ 2000 B.C.E.  Cryptic tomb inscriptions for regality. Spartan skytale cipher ~ 500 B.C.E.  Wrapped thin sheet of papyrus around staff.  Messages written down length of staff.  Decrypted by wrapped around = diameter staff. Cæsar cipher ~ 50 B.C.E.  Simple alphabetic substitution cipher. al-Kindi ~ 850 C.E.  Cryptanalysis using letter frequencies.

7 A Transposition Cipher

Rearrange letters in plaintext. Example: Rail-Fence Cipher Plaintext is HELLO WORLD

Rearrange as H L O O L

E L W R D

Ciphertext is HLOOL ELWRD

CSC 482/582: Computer Security Cryptosystem Formal Definition 5-tuple (E, D, M, K, C)  M set of plaintexts  K set of keys  C set of ciphertexts  E set of encryption functions e: M  K  C  D set of decryption functions d: C  K  M

CSC 482/582: Computer Security Cæsar cipher Letter shifting cipher (A=>D, B=>E, C=>F, … 5-tuple M = { all sequences of letters } K = { i | i is an integer and 0 ≤ i ≤ 25 }

E = { Ek | k  K and for all letters m,

Ek(m) = (m + k) mod 26 }

D = { Dk | k  K and for all letters c,

Dk(c) = (26 + c – k) mod 26 } C = M History: Cæsar’s key was 3.

CSC 482/582: Computer Security Cæsar cipher Plaintext is HELLO WORLD Change each letter to the third letter following it (X goes to A, Y to B, Z to C)  Key is 3, usually written as letter ‘D’ Ciphertext is KHOOR ZRUOG

CSC 482/582: Computer Security ROT 13

Cæsar cipher with key of 13 13 chosen since encryption and decryption are same operation Used to hide spoilers, punchlines, and offensive material online.

CSC 482/582: Computer Security Kerckhoff’s Principle Security of cryptosystem should only depend on 1. Quality of shared encryption algorithm E 2. Secrecy of key K Security through obscurity tends to fail ex: DVD Content Scrambling System

CSC 482/582: Computer Security Cryptanalysis Goals 1. Decrypt a given message. 2. Recover encryption key.

Threat models vary based on 1. Type of information available to adversary 2. Interaction with cryptosystem.

CSC 482/582: Computer Security Cryptanalysis Threat Models ciphertext only: adversary has only ciphertext; goal is to find plaintext, possibly key. known plaintext: adversary has ciphertext, corresponding plaintext; goal is to find key. chosen plaintext: adversary may supply plaintexts and obtain corresponding ciphertext; goal is to find key.

CSC 482/582: Computer Security Brute Force Attack Exhaustive search of keyspace by decrypting ciphertext C with all possible keys K.

 Must determine if DK(C) is a likely plaintext  Requires some knowledge of format (language, doc type) For N possible keys,  Worst case is N decryptions.  Mean case is N/2 decryptions. Example: DES has 56-bit keys  Average time to find key is 255 decryptions.

CSC 482/582: Computer Security Is 128 bits enough?

128-bit keyspace permits 2128 keys  340,282,366,920,938,463,463,374,607,431,768,211,456 or  3.4 x 1038 keys Cracking 1 trillion (1012) keys per second requires  3.4 x 1026 seconds or  1.08 x 1019 years Cracking 1 trillion keys per second on 1 billion CPUs  requires 1.08 x 1010 years = 10.8 billion years

CSC 482/582: Computer Security Classical Cryptography

Sender and receiver share common key  Keys may be the same, or be trivial to derive from one another.  Sometimes called symmetric cryptography.

P encrypt C decrypt P

K K

CSC 482/582: Computer Security Substitution Ciphers Substitute plaintext chars for ciphered chars. Simple: Always use same substitution function. Polyalphabetic: Use different substitution functions based on position in message.

CSC 482/582: Computer Security Cryptanalysis of Cæsar Cipher

Brute force attack sufficient: Decryption key Candidate  Since the keyspace is small (26-K) plaintext (26 possible keys), try all 0 exxegoexsrgi possible keys until you find 1 dwwdfndwrqfh the right one. 2 cvvcemcvqpeg 3 buubdlbupodf 4 attackatonce 5 zsszbjzsnmbd 6 yrryaiyrmlac ... 23 haahjrhavujl 24 gzzgiqgzutik 25 fyyfhpfytshj

CSC 482/582: Computer Security General Simple Substitution Cipher

Key Space: All permutations of alphabet (26! keys) Encryption: Replace each plaintext letter x with K(x) Decryption: Replace each ciphertext letter y with K-1(y) Example: A B C D E F G H I J K L M N O P Q R S T U V W X Y Z K= F U B A R D H G J I L K N M P O S Q Z W X Y V T C E

CRYPTO BQCOWP

CSC 482/582: Computer Security General Simple Substitution Cryptanalysis

Exhaustive search impossible  Key space size is 26! =~ 4 x 1026  Historically thought to be unbreakable. However, languages have different frequencies of  letters  digraphs (groups of 2 letters)  trigraphs (groups of 3 letters)  etc. Simple substitution ciphers preserve letter frequencies.

CSC 482/582: Computer Security English Letter Frequencies Additional Frequency Features

Digraph frequencies  Common digraphs: EN, RE, ER, NT Trigraph frequencies  Common trigraphs: THE, AND, ING  Digraph and trigraph tables can be found at http://www.sttmedia.com/syllablefrequency- english The letter Q is followed only by U. Countering Frequency Analysis Nulls  Insert additional symbols (numbers) which have no meaning in random places. Idiosyncratic spellings  n0rM4L s34rCh  Hacker speak: www.google.com/webhp?hl=xx-hacker Homophonic substitution  Each letter has multiple substitutions.

Techniques increase difficulty but don’t make impossible.

CSC 482/582: Computer Security Countering Frequency Analysis

Primary weakness of simple substitution:  Each ciphertext letter corresponds to only one letter of plaintext. Solution: polyalphabetic substitution  Use multiple cipher alphabets.  Switch between cipher alphabets from character to character in the plaintext.

CSC 482/582: Computer Security Letter Frequency Distributions

CSC 482/582: Computer Security Vigènere Cipher Use phrase instead of letter as key. Example  Message THE BOY HAS THE BALL  Key VIG  Encipher using Cæsar cipher for each letter: key VIGVIGVIGVIGVIGV plain THEBOYHASTHEBALL cipher OPKWWECIYOPKWIRG

Reproduction of CSA Cipher Disk CSC 482/582: Computer Security Relevant Parts of Tableau

G I V Tableau shown only has A G I V relevant rows and columns. B H J W E L M Z Example encipherments: H N P C  key V, letter T: follow V L R T G column down to T row O U W J (giving “O”) S Y A N  Key I, letter H: follow I T Z B O column down to H row Y E H T (giving “P”)

CSC 482/582: Computer Security Useful Terms period: length of key  In earlier example, period is 3 tableau: table used to encipher and decipher  Vigènere cipher has key letters on top, plaintext letters on the left.

CSC 482/582: Computer Security Vigènere Cryptanalysis

1. Find key length (period), which we will call n. 2. Break message into n parts, each part being enciphered using the same key letter. 3. Use frequency analysis to solve resulting n simple substitution ciphers.

key VIGVIGVIGVIGVIGV plain THEBOYHASTHEBALL cipher OPKWWECIYOPKWIRG

CSC 482/582: Computer Security Kasiski Test Conjunction of key repetition with repeated portion of plaintext produces repeated ciphertext.

Example: key VIGVIGVIGVIGVIGV plain THEBOYHASTHEBALL cipher OPKWWECIYOPKWIRG Key and plaintext line up over the repetitions.

Distance between repetitions is 9  Repeated phrase “OPK” at 1st and 10th positions.  Period is a multiple of 9 (1, 3 or 9.)

CSC 482/582: Computer Security Example Vigènere Ciphertext

ADQYS MIUSB OXKKT MIBHK IZOOO EQOOG IFBAG KAUMF VVTAA CIDTW MOCIO EQOOG BMBFV ZGGWP CIEKQ HSNEW VECNE DLAAV RWKXS VNSVP HCEUT QOIOF MEGJS WTPCH AJMOC HIUIX

CSC 482/582: Computer Security Repetitions in Example

Letters Start End Distance Factors MI 5 15 10 2, 5 OO 22 27 5 5 OEQOOG 24 54 30 2, 3, 5 FV 39 63 24 2, 2, 2, 3 AA 43 87 44 2, 2, 11 MOC 50 122 72 2, 2, 2, 3, 3 QO 56 105 49 7, 7 PC 69 117 48 2, 2, 2, 2, 3 NE 77 83 6 2, 3 SV 94 97 3 3 CH 118 124 6 2, 3

CSC 482/582: Computer Security Estimate of Period

OEQOOG is probably not a coincidence  Two character repetitions may be chance.  Period may be 1, 2, 3, 5, 6, 10, 15, or 30 Most others (7/10) have 2 in their factors Almost as many (6/10) have 3 in their factors. Begin with period of 2  3 = 6.

CSC 482/582: Computer Security Letter Coincidence

Coincidence: Picking two letters at random from a message that are identical. Procedure  Place one text above other.  Count coincidences. Coincidence probabilities for two letters:  Random English letters: 1/26 @ 0.0385  English plaintext: 0.0667

CSC 482/582: Computer Security English Letter Frequencies a 0.080 h 0.060 n 0.070 t 0.090 b 0.015 i 0.065 o 0.080 u 0.030 c 0.030 j 0.005 p 0.020 v 0.010 d 0.040 k 0.005 q 0.002 w 0.015 e 0.130 l 0.035 r 0.065 x 0.005 f 0.020 m 0.030 s 0.060 y 0.020 g 0.015 z 0.002

CSC 482/582: Computer Security Index of Coincidence Probability that two randomly chosen letters of a ciphertext of N characters coincide.

 ni is frequency of cipher character number i  N is the length of the ciphertext

1 25 IC   n i ( n i  1) N ( N  1) i  0 For our ciphertext, IC = 0.043 Indicates a key of slightly more than 5. A statistical measure, so it can be in error, but it agrees with the previous estimate (which was 6.)

CSC 482/582: Computer Security Index of Coincidence

Expected IC Expected IC by period Random: 0.0385 2: 0.052 Plaintext: 0.0667 3: 0.047 4: 0.045 5: 0.044 10: 0.041

Index of Coincidence Shorter Key

Longer Key 0.0385 0.0667

CSC 482/582: Computer Security Splitting Into Alphabets Divide cipher into 6 (period) alphabets. Alphabet IC AIKHOIATTOBGEEERNEOSAI 0.069 DUKKEFUAWEMGKWDWSUFWJU 0.078 QSTIQBMAMQBWQVLKVTMTMI 0.078 YBMZOAFCOOFPHEAXPQEPOX 0.056 SOIOOGVICOVCSVASHOGCC 0.124 MXBOGKVDIGZINNVVCIJHH 0.043

IC indicates single alphabet, except #4 and #6.

CSC 482/582: Computer Security Frequency Examination ABCDEFGHIJKLMNOPQRSTUVWXYZ 1 31004011301001300112000000 2 10022210013010000010404000 3 12000000201140004013021000 4 21102201000010431000000211 5 10500021200000500030020000 6 01110022311012100000030101 HMMMHMMHHMMMMHHMLHHHMLLLLL

Unshifted frequencies (H high, M medium, L low)

CSC 482/582: Computer Security Begin Decryption  First matches characteristics of unshifted alphabet  Third matches if I shifted to A  Sixth matches if V shifted to A  Substitute into ciphertext (bold are substitutions)

ADIYS RIUKB OCKKL MIGHK AZOTO EIOOL IFTAG PAUEF VATAS CIITW EOCNO EIOOL BMTFV EGGOP CNEKI HSSEW NECSE DDAAA RWCXS ANSNP HHEUL QONOF EEGOS WLPCM AJEOC MIUAX

CSC 482/582: Computer Security Look For Clues AJE in last line suggests “are”, meaning second alphabet maps A into S:

ALIYS RICKB OCKSL MIGHS AZOTO MIOOL INTAG PACEF VATIS CIITE EOCNO MIOOL BUTFV EGOOP CNESI HSSEE NECSE LDAAA RECXS ANANP HHECL QONON EEGOS ELPCM AREOC MICAX

CSC 482/582: Computer Security Next Alphabet MICAX in last line suggests “mical” (a common ending for an adjective), meaning fourth alphabet maps O into A:

ALIMS RICKP OCKSL AIGHS ANOTO MICOL INTOG PACET VATIS QIITE ECCNO MICOL BUTTV EGOOD CNESI VSSEE NSCSE LDOAA RECLS ANAND HHECL EONON ESGOS ELDCM ARECC MICAL

CSC 482/582: Computer Security Got It!

QI means that U maps into I, as Q is always followed by U:

ALIME RICKP ACKSL AUGHS ANATO MICAL INTOS PACET HATIS QUITE ECONO MICAL BUTTH EGOOD ONESI VESEE NSOSE LDOMA RECLE ANAND THECL EANON ESSOS ELDOM ARECO MICAL

CSC 482/582: Computer Security Rotor Machines (1920s-1970s)

Observation: If Vigènere key is very long, frequency analysis won’t work. Implement: multiple rounds of Vigènere substitution.  Machine contains multiple cylinders.  Each cylinder has 26 states (ciphers.)  Cylinders rotate to change states on different schedules.  m-cylinder machine has 26m substitution ciphers.

CSC 482/582: Computer Security Enigma Machine 3 rotors: 17576 substitutions. 3 rotors can be used in any order: 6 combinations. Some machines had up to 8 rotors Plug board: 6 pairs of letters can be swapped. Total keys ~ 1016

CSC 482/582: Computer Security The World Wars Decryption of Zimmerman telegram 1917  Leads US into World War I Japanese Purple Machine cracked 1937  US breaks rotor machine for highest secrets. German Enigma machine cracked 1933-45  Initially broken by Polish mathematician  Variants broken at Bletchley Park in UK  Colossus, world’s 1st electronic computer.

48 One-Time Pad  A Vigenère cipher with a random key at least as long as the message.  Provably unbreakable.

 Example ciphertext: DXQR.  Equally likely to correspond to  plaintext DOIT (key AJIY)  plaintext DONT (key AJDY)  and any other 4 letters.

CSC 482/582: Computer Security Binary One Time Pad

Encrypt a message M with pad P to produce ciphertext C = M ⊕ P where ⊕ is the exclusive OR operator. Decrypt a ciphertext C with the same pad P M = C ⊕ P We can prove this as follows: C ⊕ P = (M ⊕ P) ⊕ P = M ⊕ (P ⊕ P) associativity = M ⊕ 0 = M

CSC 482/582: Computer Security One Time Pad Problems

1. The one-time pad must be random. Software pseudo-random number generators are not random. Pad needs hardware randomness. 2. Transmission of long pads is difficult. The pad is just as long as all the messages you’ll ever send with it, so you’ve just moved the problem of transmitting secret messages to transmitting a secret pad. 3. Pad must always be kept secret. If pad is ever discovered, then attacker can decrypt old messages. Pads must be securely destroyed at end of use.

CSC 482/582: Computer Security Block Ciphers

Encrypt groups (blocks) of chars at once. Improvement over single char substitution  Cryptanalysis must use digraph frequencies for two-char blocks.  Longer blocks are more difficult to analyze.  Modern ciphers are block ciphers. Example: Playfair Cipher, 1854

CSC 482/582: Computer Security Playfair Cipher Create 5x5 table  Fill in spaces with letters of key, dropping duplicate letters. Charles Wheatstone  Fill remaining spaces P L A Y F with unused letters of alphabet in order I|J R E X M  Drop Q … or B C D G H  I = J K N O Q S T U V W Z

CSC 482/582: Computer Security Playfair Cipher

Encryption Algorithm 1. If letters of pair are identical (or only one letter remains), add an “X” after first letter. 2. If two letters are in same row or column, replace them with the succeeding letters. 3. Otherwise, two letters form a rectangle, and we replace them with letters on the same row respectively at the other pair of corners.

CSC 482/582: Computer Security Playfair Cipher Example Plaintext is HELLO WORLD  Pair HE is rectangle, replace with DM  Pair LX (X inserted) is rectangle, YR  Pair LO is rectangle, replace with AN  Pair WO is rectangle, replace with VQ  Pair RL is in column, replace with CR  Pair DX is rectangle, replace with GE Ciphertext is DMYRANVQCRGE P L A Y F I|J R E X M B C D G H K N O Q S T U V W Z CSC 482/582: Computer Security Transposition Cipher Cryptanalysis

Anagramming If 1-gram frequencies match English frequencies, but other n-gram frequencies do not, then, message likely ciphered via transposition. Rearrange letters to form n-grams with highest frequencies.

CSC 482/582: Computer Security Rail Fence Cipher Analysis Ciphertext: HLOOLELWRD Frequencies of 2-grams beginning with H  HE 0.0305  HO 0.0043  HL, HW, HR, HD < 0.0010 Frequencies of 2-grams ending in H  WH 0.0026  EH, LH, OH, RH, DH ≤ 0.0002 Implies E follows H

CSC 482/582: Computer Security Cryptanalysis Example Arrange so the H and E are adjacent HE LL OW OR LD Read across, then down, to recover plaintext.

CSC 482/582: Computer Security SP-Networks Combine Substitution+Permutation (transposition)  Confusion: adding unknown key values will confuse attacker about value of plaintext symbol.  Diffusion: Spread plaintext data throughout ciphertext. Designing for Security  Block Size  Number of Rounds  Each input bit is XOR of several output bits from previous round.  Choice of S-boxes

CSC 482/582: Computer Security Substitution Boxes

Substitution can be done using a matrix, which acts as a lookup table for substituting one set of bits with another. Such tables are called substitution boxes, or S-boxes. Overview of the DES Block cipher (64 bit blocks)  64-bit key is actually a  56-bit key + 8 parity bits Product cipher  substitution + transposition 16 rounds (iterations) of encryption  round key generated from user key

CSC 482/582: Computer Security Feistel Function (F)

CSC 482/582: Computer Security Controversy

Considered too weak Diffie, Hellman said in a few years technology would allow DES to be broken in days (1976).  EFF built “Deep Crack” in 1998 for $250,000.  Brute forced DES in 56 hours. Design decisions not public  NSA helped to design cipher:  128-bit key reduced to 56 bits.  Helped design S-boxes.

CSC 482/582: Computer Security Differential Cryptanalysis A chosen ciphertext attack  Biham and Shamir rediscovered in late 1980s  Examines pairs of plaintext with particular differences.  Requires 247 plaintext, ciphertext pairs.  Only 214 pairs required with 8 round DES. Revealed several properties  S-box designed to resist differential cryptanalysis.  IBM revealed knowledge of technique at design time. Linear cryptanalysis improves result  Linear approximation of DES.  Requires 243 plaintext, ciphertext pairs.  DES not designed to resist this technique.

CSC 482/582: Computer Security Electronic Code Book Mode Encrypt each block independently.

E(block) = Cblock each time block appears

Therefore attacker can build dictionary of blocks.

ECB encryption of bitmap hides colors but image is still discernible.

CSC 482/582: Computer Security Cipher Block Chaining Mode XOR each block with the previous ciphertext block. Random initialization vector (IV) used for 1st block.

CBC encryption of bitmap looks random.

CSC 482/582: Computer Security Cipher Block Chaining Mode

Formula for CBC encryption (i=1 is 1st block)

Formula for CBC decryption

CSC 482/582: Computer Security CBC Self-Healing Property Plaintext “heals” after 2 blocks. i.e., if ciphertext altered, error propagated 2 blocks. Initial message 3231343336353837 3231343336353837 3231343336353837 3231343336353837 Received as (underlined 4c should be 4b) ef7c4cb2b4ce6f3b f6266e3a97af0e2c 746ab9a6308f4256 33e60b451b09603d Which decrypts to efca61e19f4836f1 3231333336353837 3231343336353837 3231343336353837

CSC 482/582: Computer Security Triple DES Encrypt-Decrypt-Encrypt Mode (3 keys: k, k´, k´´) –1  c = DESk(DESk´ (DESk’’(m)))  Middle decrypt allows backward compatibility if all keys are equal: k = k´= k´´  Double-encryption vulnerable to meet-in-middle attack, reducing difficulty from 2112 to 257.

CSC 482/582: Computer Security DES is Insecure Brute force attacks can be completed in <1day  Distributed computing attacks.  RIVYERA FPGA-based parallel computer breaks DES in <1 day for a hardware cost of <$10,000. Linear cryptanalysis faster than brute force  Need 241 known plaintexts

CSC 482/582: Computer Security Advanced Encryption Standard (AES)

Winner of open NIST competition (1997-2000)  Rijndael, designed by Joan Daemen and Vincent Rijmen.  Published as FIPS 197 in November 2001. 128-bit block cipher  128-, 192-, or 256-bit keys.  10, 12, or 14 rounds, depending on key size. Replacement for DES  DES vulnerable to brute force attacks due to 56-bit keys.  Triple DES is very slow.

9/9/2014 Cryptography 71 AES Round Structure

 Round keys derived from user key using AES key schedule.  Each round transforms 128-bit

state, Xi in 4 steps: 1. SubBytes: S-box substitution. 2. ShiftRows: permutation. 3. MixColumns: matrix multiplication. 4. AddRoundKey: XOR with round key for this round.

CSC 482/582: Computer Security AES Round Steps

CSC 482/582: Computer Security AES Cryptanalysis

Biclique attack (2011)  Faster than brute force by a factor of 4  So can break AES-128 with 2126.1 operations. Related key attacks (2009)  Requires 299.5 operations to break AES-256  Requires 2176 operations to break AES-192  Due to weak key scheduling algorithm for AES-256  This means AES-128 is more secure than AES-256!

CSC 482/582: Computer Security Key Points Types of ciphers  Substitution (monoalphabetic and polyalphabetic)  Transposition (permutation)  Product (Substitution + Permutation) Cryptanalysis  Kerchoff’s principle  Brute force attack  One-time pad is provably secure  Frequency analysis: Kasiski test, Index of Coincidence. Block ciphers  ECB mode insecure; need to use CBC for block ciphers.  DES obsolete due to small 56-bit keys. 3DES=112 bit key.  AES current standard, best symmetric cipher is AES-128.

CSC 482/582: Computer Security References

1. Ross Anderson, Security Engineering, 2nd edition, Wiley, 2008. 2. Matt Bishop, Introduction to Computer Security, Addison-Wesley, 2005. 3. Neil Daswani et. al., Foundations of Security, Apress, 2007. 4. Goodrich and Tammasia, Introduction to Computer Security, Pearson, 2011. 5. David Kahn, The Codebreakers, MacMillan, 1967. 6. Alfred J. Menezes, Paul C. van Oorschot and Scott A. Vanstone, Handbook of Applied Cryptography, http://www.cacr.math.uwaterloo.ca/hac/, CRC Press, 1996. 7. NIST, FIPS Publication 46-3: Data Encryption Standard (DES), 1999, http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdf 8. Bruce Schneier, Applied Cryptography, 2nd edition, Wiley, 1996. 9. US Government Dept of the Army, FM 34-40-2 FIELD MANUAL, 1990, http://www.umich.edu/~umich/fm-34-40-2/

CSC 482/582: Computer Security