
An Introduction to

Edward J. Delp Purdue University School of Electrical and Computer Engineering Video and Image Processing Laboratory (VIPER) West Lafayette, Indiana

email: [email protected] http://www.ece.purdue.edu/~ace

EPICS Spring 2003 Slide 1

Course Goals

• Provide an introduction to modern cryptography and overview its use

Digital Communication System

Cryptography

• Analog Techniques

• Digital Techniques

Cryptography - History

• Very rich history
– Mary Queen of Scots
– WWII Admiral Yamamoto
– WWII Ultra (Enigma Machine)
• “Modern” Cryptography after World War II
– NSA
• Popular interest since about 1978

http://www.cybercrimes.net/Cryptography/Articles/Hebert.html
http://www.ics.uci.edu/~ics54/doc/security/pkhistory.html

Goals

• Privacy - protect information from unauthorized users

• Authentication - “are you who you say you are”

“Drivers” of Modern Cryptography

• Prime Number Generation – integer factorization

Why Is It Now Popular

• Driven by everything “digital”

• Most work to date devoted to text-based or character-based data

Export Controls

• The export of software and hardware is controlled by the US government
• Can cause a problem if encryption is included in a product and it is desired to sell it outside the US

http://www.rsasecurity.com/rsalabs/faq/6-4.html
http://www.bxa.doc.gov/Encryption/Default.htm

Cryptography

• Code - exploit the linguistic properties of a language

• Cipher - do not exploit linguistic properties

Cryptography

P - plaintext
C - ciphertext

Cryptography

• A special form of computation used to protect a plaintext message
• The “security” of the system is based on the difficulty of the “inverse” computation without special “side information” known as “keys”

Unbreakable Ciphers?

• Are there unbreakable ciphers?
– Shannon showed that “unbreakable” systems exist
– “one time pad” - form of a
• difficult to manage

http://www.ranum.com/pubs/otpfaq/

http://world.std.com/~franl/crypto/one-time-pad.html

Unbreakable Ciphers?

• certificational security
– secure because it has withstood the test of time in that no attacks have been successful
• provable security
– successfully attacking a provable system is identical to attacking a classically known “hard” problem

“A Note on the Security of the OAEP-Enhanced RSA Public- Encryption Scheme,” RSA Laboratories Bulletin Number 9, February 23, 1999.

• Used to break or attack cipher systems
• Attack can be brute force (exhaustive search on the keyspace)
• Exploit vulnerabilities in the cipher system or the way it is used
• “Black bag jobs”
• “rubber hose” techniques
• “purchase key” technique
• “dumpster diving”
• social engineering

Cryptanalysis

• Known plaintext
• Known ciphertext
• Chosen plaintext
• Cribbing
• Differential approaches
• Traffic flow analysis
• Exploit “poor” use of the encryption system

Cryptanalysis

• How do you know when you have been successful in your attack?
• Shannon showed this using the unicity distance:

$n = \frac{\log_2 K}{R_L \log_2 P}$

K - key space, P - plaintext (alphabet size), $R_L$ - redundancy in plaintext

Cryptanalysis

• Unicity distance indicates how much ciphertext is needed to ensure there is only one plaintext that corresponds to this ciphertext - “spurious keys”
• Example - simple letter substitution cipher

$P = 26$; $K = 26!$; $R_L = 0.75 \Rightarrow n = 25$

• hence given a ciphertext of 25 letters a unique decryption is possible

Why Use Encryption?

• Enhance ability to conduct global commerce
• Privacy
• Authentication

Cryptographic Systems

• Protocols describe how encryption system is used

• In many cases the security of the system is compromised by the protocol and NOT the encryption algorithm
– “man in the middle” attack

Types of Cryptographic Systems

$C = S(P)$, $S(\cdot)$ - encryption function
$P = H(C)$, $H(\cdot)$ - decryption function

Types of Cryptographic Systems

• Totally Secret
– Kerckhoffs' Principle - “The security of any cipher lies in the key and NOT in the algorithm.”
• Public Algorithm (Secret Key)
• Public Key System

Types of Cryptographic Systems

Totally secret systems - all aspects of the encryption/decryption are secret

Public Algorithm

• Algorithms are known but parameters (keys) are secret

$C = S_k(P)$
$P = H_k(C)$, $k$ - key

• Use same key for enciphering and deciphering
• Block Ciphers - DES, IDEA, , TEA
• Stream Ciphers
• Problem: key management

Public Key Cryptography

• Two keys: E ~ enciphering key, D ~ deciphering key

$C = S_E(P)$
$P = H_D(C)$

• Computationally infeasible to derive D from E
• Each user could publish E in a “public key directory”

Public Key Cryptography

• No problem with key distribution - really?
– fronting attacks
– “man in the middle” attack
• Authentication - use private deciphering key to encipher a message

Authentication

• Two keys: E ~ enciphering key, D ~ deciphering key

$C_a = S_D(P)$ - encipher with private key
$P = H_E(C_a)$ - decipher with public key

The message P has been “signed”

Public Key Cryptography

• Must protect public key directory
• Application of the use of signatures
• Certify the public key with a broker of trust (the US Post Office?!)

History of Public Key Cryptography

• Diffie, Hellman, and Merkle are credited with being the inventors of public key cryptography – W. Diffie and M.E. Hellman, “Privacy and Authentication: An Introduction to Cryptography,” Proceedings of the IEEE, Vol. 67, No. 3, March 1979, pp. 397-427.

• British claim they did it in 1970 (http://www.gchq.gov.uk/about/history.html)
• NSA claim they also invented it http://www.research.att.com/~smb/nsam-160/

Key Management

• Block Ciphers - how do you distribute keys
• Public Key - protect public key directory
• Political issue - key recovery

Clipper and Capstone

Escrowed Encryption Standard, also known as “CLIPPER,” is a cryptographic device intended to protect private communications while at the same time permitting government agents to obtain the "keys" upon presentation of "legal authorization." The "keys" would be held by two government "escrow agents" and would enable the government to access the encrypted private communication. (February 4, 1992)

Clipper would be used to encrypt voice transmissions; a similar device known as Capstone would be used to encrypt data. Both systems based on the algorithm.

http://www.eff.org/pub/Privacy/Clipper/

Encryption Systems

• Trapdoor Functions - easily computable functions with a computationally infeasible inverse (without use of special knowledge)

Public Key Systems

• Trapdoor-Knapsack System (Merkle and Hellman)

• Discrete Log (El Gamal)

• RSA (Rivest, Shamir, Adleman)

• Elliptic Curve Methods

Knapsack System

Subset Sum Problem:

Given positive integers a1, a2, …, an and positive integer c, determine the subset of the integers which sum to c.

“Hard Knapsack”

Assume the source produces binary words of n bits

$X = (x_1, x_2, \ldots, x_n)$, $x_i \in \{0, 1\}$

$A = (a_1, a_2, \ldots, a_n)$

$c = A \cdot X = \sum_{i=1}^{n} a_i x_i$

“Easy Knapsack”

$A' = (a_1', a_2', \ldots, a_n')$ with $a_i' > \sum_{j=1}^{i-1} a_j'$ (superincreasing)

$A' = (3, 5, 11, 20, 41, 83, 169, 340, 679, 1358)$

$c' = A' \cdot X$, $c' = 1260$

$a_{10}' = 1358 > c' \Rightarrow x_{10} = 0$

“Easy Knapsack”

$a_9' = 679 < c' \Rightarrow x_9 = 1$, $1260 - 679 = 581$

$a_8' = 340 < 581 \Rightarrow x_8 = 1$, $581 - 340 = 241$, and so on down to $a_1'$

$X = (0011101110)$

“Easy” Knapsack is too easy!

“Moderately” Hard Knapsack

Choose two large positive numbers w and m

$a_i = a_i' w \bmod m$

Example: $w = 764$, $m = 2731$

$a_4' = 20$

$a_4 = 20 \times 764 \bmod 2731 = 1625$

“Moderately” Hard Knapsack

A - public enciphering key; A', w, and m - private deciphering key

$c = A \cdot X$

$w^{-1} w \bmod m = 1$, $w^{-1} = 1605$

$c' = c\,w^{-1} \bmod m = \sum_{i} x_i a_i w^{-1} \bmod m$

$a_i w^{-1} \bmod m = a_i'$

c' ~ easy knapsack

Knapsack Attack

• Shamir proposed an interesting attack on the Knapsack system:
– A. Shamir and R.E. Zippel, "On the Security of the Merkle-Hellman Cryptographic System," IEEE Transactions on Information Theory, Vol. 26, No. 3, May 1980, pp. 339-340.
– A. Shamir, "A Polynomial-Time Algorithm for Breaking the Basic Merkle-Hellman ," IEEE Transactions on Information Theory, Vol. 30, No. 5, September 1984, pp. 699-704.
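The Merkle-Hellman construction from the preceding slides, worked through in code with the slides' own parameters (A', w = 764, m = 2731, X = 0011101110). This is an added example, not code from the course; the checks on w and m are the conditions the scheme needs and are not stated on the slides.

```python
# Merkle-Hellman trapdoor-knapsack with the slides' parameters.
# Added example (not from the course slides). Key values are the slides';
# the message bits are the slides' X = 0011101110.

EASY = (3, 5, 11, 20, 41, 83, 169, 340, 679, 1358)   # A' (superincreasing)
W, M = 764, 2731                                      # w and m from the slides


def is_superincreasing(a):
    """Each a'_i must exceed the sum of all earlier elements."""
    total = 0
    for ai in a:
        if ai <= total:
            return False
        total += ai
    return True


def make_public_key(easy, w, m):
    """Hard knapsack A: a_i = a'_i * w mod m.
    Requires gcd(w, m) = 1 (so w^-1 exists) and m > sum(A') (so c' is
    recovered exactly, not just mod m)."""
    if not is_superincreasing(easy) or m <= sum(easy):
        raise ValueError("A' must be superincreasing and m > sum(A')")
    pow(w, -1, m)                     # raises ValueError if w has no inverse mod m
    return tuple(ai * w % m for ai in easy)


def encrypt(public, bits):
    """c = A . X, with X a tuple of 0/1 message bits."""
    return sum(a * x for a, x in zip(public, bits))


def solve_easy(easy, c):
    """Greedy solution of the superincreasing knapsack, largest element first,
    exactly the x_10, x_9, x_8, ... walk shown on the 'Easy Knapsack' slides."""
    bits = [0] * len(easy)
    for i in range(len(easy) - 1, -1, -1):
        if easy[i] <= c:
            bits[i] = 1
            c -= easy[i]
    if c != 0:
        raise ValueError("no solution")
    return tuple(bits)


def decrypt(easy, w, m, c):
    """c' = c * w^-1 mod m turns the hard instance back into the easy one."""
    w_inv = pow(w, -1, m)             # 1605 for the slides' w and m
    return solve_easy(easy, c * w_inv % m)
```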

Block Ciphers

Encipher block of x bits using y bits of key to produce x bits of ciphertext

• Message extension
• Substitution cipher

• Think of substitution operation as a permutation
• $(2^x)!$ permutations
• Key requires $\log_2[(2^x)!]$ bits
– are all keys equally likely? ⇒ entropy of the key space

Block Ciphers Problems

• Vulnerable to statistical attacks

• Vulnerable to dictionary attacks

Triple Encryption

• Use block cipher three times
– Tuchman, W., “Hellman Presents No Shortcut Solutions to DES”, IEEE Spectrum, vol. 16 no. 7, July 1979, pp. 40-41.
• “Encrypt-Decrypt-Encrypt”
– use two or three keys
– see RFC 1851 http://www.landfield.com/rfcs/rfc1851.html

Block Ciphers

• Translation Cipher: $c = m + t_i$, $t_i$ - offset associated with the key
• Linear Cipher: $c = A_i m$, $A_i$ - matrix associated with the key
• Affine Cipher: $c = Am + t$

• Plaintext must be an even number of bits, 2n
• Plaintext, m, split into 2 halves $m = (m_0, m_1)$
• Key has subkeys $(k_1, k_2, \ldots, k_h)$
• Each subkey describes a transformation $f_{k_i}$ of n bits into n bits
• $f_{k_i}$ is a block cipher

Feistel Cipher

A message m is enciphered h times or h rounds

Round 1 ⇒ $u_0 = (m_0, m_1)$, $u_1 = (m_1, m_2)$, $m_2 = m_0 + f_{k_1}(m_1)$

Round 2 ⇒ $u_1 = (m_1, m_2)$, $u_2 = (m_2, m_3)$, $m_3 = m_1 + f_{k_2}(m_2)$

Feistel Cipher

Round i ⇒ $u_{i-1} = (m_{i-1}, m_i)$, $u_i = (m_i, m_{i+1})$, $m_{i+1} = m_{i-1} + f_{k_i}(m_i)$

Round h ⇒ $u_{h-1} = (m_{h-1}, m_h)$, $u_h = (m_h, m_{h+1})$

Output ciphertext $c = u_h$

Feistel Cipher

• Note: $m_{i+1} = m_{i-1} + f_{k_i}(m_i)$ can also be written as $m_{i-1} = m_{i+1} + f_{k_i}(m_i)$ (the + is bitwise addition mod 2, which is its own inverse)
• Hence - reverse halves of c and use as input to decipher c
• Exact same hardware used for both enciphering and deciphering, i.e. do not need $f_{k_i}^{-1}(\cdot)$
• in fact $f_{k_i}^{-1}(\cdot)$ need not exist!

DES 1977

• A Feistel cipher with subkeys that are a function of the round
• Based on the IBM cipher
• A US standard
• Several operational modes - block or feedback mode
• 64-bit plaintext
• 56-bit key
• 16 rounds

http://csrc.nist.gov/cryptval/des.htm
http://csrc.nist.gov/encryption/tkencryption.html

DES

• Input (L, R) (each 32 bits)
• nth round: input $L_{n-1} R_{n-1}$

$L_n = R_{n-1}$

$R_n = L_{n-1} + f(R_{n-1}, K_n)$

$K_n$ ~ 48 bits chosen from the 56-bit key

$K_n = KS(n, \mathrm{key})$

DES (block diagram slides)

• E maps 32-bit input → 48-bit output
• S boxes - 6 bits in / 4 bits out
– MSB and LSB of input form row index
– middle 4 bits form column index
– block ciphers (not affine)

Cracking DES

http://www.eff.org/descracker.html

DES “Hardware”

90 Billion keys/second - 4.5 days to break a 56 bit single DES key

DES Hacking

• In 1999, new hack broke it in 22 hours
– http://www.eff.org//Privacy/Crypto_misc/DESCracker/HTML/19990119_deschallenge3.html
• http://www.cryptography.com/resources/whitepapers/DES.html

DES

• Single DES may still have security for many applications
• Triple DES is very secure - no known attacks

AES

Advanced Encryption Standard - new standard to follow on to DES
– 128 bit input
– keys 128, 192, and 256 bits
– computational requirements

New algorithm announced on October 2, 2000. It is known as Rijndael.
http://csrc.nist.gov/encryption/aes/

AES Candidates

• Rijndael - http://www.esat.kuleuven.ac.be/~rijmen/rijndael/

• MARS - http://www.research.ibm.com/security/mars.html

• RC6 - http://www.rsasecurity.com/rsalabs/rc6/index.html

• - http://www.cl.cam.ac.uk/~rja14/serpent.html

• Twofish - http://www.counterpane.com/twofish.html

Rijndael

• Does not use the Feistel structure, instead “layers” are used
• Uses only simple whole byte operations
• Variable number of “rounds”
– 9 rounds if both the block and the key are 128 bits long
– 11 rounds if either the block or the key is 192 bits long, and neither of them is longer
– 13 rounds if either the block or the key is 256 bits long

Rijndael

• To encipher a block of data
– Add Round Key step (XORing a subkey with the block) by itself
– the number of rounds mentioned on previous slide, each consisting of
• Byte Sub
• Shift Row
• Mix Column
• Add Round Key
– the final round with the “Mix Column” step omitted

Rijndael (diagram slides)

Byte Sub

• Each byte encrypted by an S-box (256-entry substitution table)

Shift Row

For 128 bit input (bytes 1 to 16 are arranged as):

from:              to:
 1  5  9 13         1  5  9 13
 2  6 10 14         6 10 14  2
 3  7 11 15        11 15  3  7
 4  8 12 16        16  4  8 12

Shift Row

• Inputs that are 192 bits are shifted like this:

from:                    to:
 1  5  9 13 17 21         1  5  9 13 17 21
 2  6 10 14 18 22         6 10 14 18 22  2
 3  7 11 15 19 23        11 15 19 23  3  7
 4  8 12 16 20 24        16 20 24  4  8 12

Shift Row

• Inputs that are 256 bits are shifted as:

from:                          to:
 1  5  9 13 17 21 25 29         1  5  9 13 17 21 25 29
 2  6 10 14 18 22 26 30         6 10 14 18 22 26 30  2
 3  7 11 15 19 23 27 31        15 19 23 27 31  3  7 11
 4  8 12 16 20 24 28 32        20 24 28 32  4  8 12 16

Mix Column

• Matrix multiplication is performed: each column is multiplied by the matrix:

    | 2 3 1 1 |
    | 1 2 3 1 |
    | 1 1 2 3 |
    | 3 1 1 2 |

Add Round Key

• XORs the round key

Rijndael

• Hence Rijndael is:

ARK
BSB SR MC ARK
BSB SR MC ARK
...
BSB SR MC ARK
BSB SR ARK
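The three byte-level layers described above (Byte Sub, Shift Row, Mix Column) on one Rijndael state, as an added example that is not course code. The S-box is computed from its definition (inverse in GF(2^8) followed by the affine map) rather than re-typed; the byte numbering is the slides' column-major scheme (byte 1 = row 0 of column 0, byte 2 = row 1 of column 0, ...), and the Shift Row offsets are read off the three tables above.

```python
# Rijndael Byte Sub, Shift Row and Mix Column as described on the slides.
# Added example (not course code).  Nb = number of 4-byte columns: 4 (128-bit
# block), 6 (192) or 8 (256).  The state is a flat list in the slides' order.

def gf_mul(a, b):
    """Multiply in GF(2^8) modulo the Rijndael polynomial x^8+x^4+x^3+x+1 (0x11b)."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def gf_pow(x, e):
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, x)
        x = gf_mul(x, x)
        e >>= 1
    return r


def sbox(x):
    """Byte Sub: multiplicative inverse (0 -> 0, else x^254) then the affine map
    s = inv ^ rotl(inv,1) ^ rotl(inv,2) ^ rotl(inv,3) ^ rotl(inv,4) ^ 0x63."""
    inv = 0 if x == 0 else gf_pow(x, 254)
    s = inv
    for i in range(1, 5):
        s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
    return s ^ 0x63


def byte_sub(state):
    return [sbox(b) for b in state]


def shift_row(state, nb):
    """Row r of the state is rotated left by the per-row offsets shown on the
    slides: (0,1,2,3) for 128- and 192-bit blocks, (0,1,3,4) for 256-bit."""
    offsets = (0, 1, 2, 3) if nb in (4, 6) else (0, 1, 3, 4)
    out = list(state)
    for r in range(4):
        for c in range(nb):
            out[4 * c + r] = state[4 * ((c + offsets[r]) % nb) + r]
    return out


MIX = ((2, 3, 1, 1), (1, 2, 3, 1), (1, 1, 2, 3), (3, 1, 1, 2))


def mix_column(col):
    """Multiply one 4-byte column by the slides' matrix; products in GF(2^8),
    sums are XOR."""
    return [gf_mul(MIX[r][0], col[0]) ^ gf_mul(MIX[r][1], col[1])
            ^ gf_mul(MIX[r][2], col[2]) ^ gf_mul(MIX[r][3], col[3])
            for r in range(4)]


def mix_columns(state, nb):
    out = []
    for c in range(nb):
        out += mix_column(state[4 * c:4 * c + 4])
    return out


def round_layers(state, nb):
    """One full round minus Add Round Key: BSB, then SR, then MC."""
    return mix_columns(shift_row(byte_sub(state), nb), nb)
```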

Key Schedule

• For 128 and 192 bit keys
– original key, followed by stretches, each the length of the original key, consisting of four-byte words such that each word is the XOR of the preceding four-byte word and either the corresponding word in the previous stretch or a function of it
– for the first word in a stretch, the word is first rotated one byte to the left, then its bytes are transformed using the S-box from the Byte Sub step, and then a round-dependent constant is XORed to its first byte
• For 256 bit keys, in addition, the S-box from the Byte Sub step alone is applied to the word from the preceding stretch for the fifth word in a stretch

• Blowfish - http://www.counterpane.com/blowfish.html
– symmetric block cipher that can be used as a drop-in replacement for DES
– 64 bit block cipher with variable key length
– uses Feistel structure
• Blowfish has two steps
– key expansion - key as large as 448 bits converted to subkey array of 4168 bits
– encryption - 16 rounds of the Feistel structure
– four 32 bit S-boxes that have 256 entries

Blowfish - Block Diagram

Blowfish - F Function

Twofish

• Twofish - http://www.counterpane.com/twofish.html
• 128-bit block cipher
• 128-, 192-, or 256-bit key
• 16 round Feistel structure

Twofish - Block Diagram

Twofish - F Function

IDEA

International Data Encryption Algorithm (IDEA) proposed by Lai and Massey in 1990
– block cipher
– used in many applications as a replacement to DES
– used in PGP
– “seems” to be immune to differential attacks

IDEA is patented: http://www.ascom.ch/systec/idea.html

IDEA

• 64 bit input
• 128 bit key
• 8 rounds
• Combinations of:
– XOR
– additions, mod $2^{16}$
– multiplies, mod $2^{16} + 1$ (which is prime)

• Appears very secure, but still a new algorithm

IDEA

• X = plaintext
• Y = ciphertext
• Z = key
• ⊕ = XOR
• = ADD
• · = MULT

Skipjack

• Block cipher proposed by NSA as part of the Clipper Chip
– 64 bit input
– 80 bit key
– 32 rounds
– can be used in different modes

http://csrc.nist.gov/cryptval/des.htm

Tiny Encryption Algorithm (TEA)

• Tiny Encryption Algorithm (TEA) - http://www.vader.brad.ac.uk/tea/tea.shtml
– 64 bit block cipher using a 128-bit key
– uses Feistel structure with 8, 16, 32 rounds
• Computationally very efficient

• Assumed to be secure - no known attacks

RC5

• RC5 - http://www.rsasecurity.com/rsalabs/faq/3-6-4.html
– block size 32 bits, 64 bits (for use as a drop-in replacement for DES), and 128 bits
– number of rounds can range from 0 to 255
– the key can range from 0 bits to 2040 bits in size

Primitive Operations

A + B         Addition modulo $2^w$
A - B         Subtraction modulo $2^w$
A ⊕ B         Exclusive-Or
A <<< B       Rotate A left by amount in low-order lg(w) bits of B
A >>> B       Rotate A right, similarly
(A,B,C,D) = (B,C,D,A)   Parallel assignment
A x B         Multiplication modulo $2^w$

RC5

Two plaintext blocks A and B, r is the number of rounds. RC5 encryption inner loop:

    for i = 1 to r do {
        A = ((A ⊕ B) <<< B) + S[i]
        (A, B) = (B, A)
    }

S[i] is generated by the key

RC5 Key Expansion

• Input: array L[0 … c-1] of input key words
• Output: array S[0 … 43] of round key words
• Procedure:

    S[0] = 0xB7E15163
    for i = 1 to 43 do S[i] = S[i-1] + 0x9E3779B9
    A = B = i = j = 0
    for s = 1 to 132 do {
        A = S[i] = (S[i] + A + B) <<< 3
        B = L[j] = (L[j] + A + B) <<< (A + B)
        i = (i + 1) mod 44
        j = (j + 1) mod c
    }

RC6

• RC6-w/r/b parameters:
– Word size in bits: w (32) (lg(w) = 5)
– Number of rounds: r (20)
– Number of key bytes: b (16, 24, or 32)
• Key Expansion:
– Produces array S[0 … 2r + 3] of w-bit round keys.
• Encryption and Decryption:
– Input/Output in 32-bit registers A, B, C, D

RC6 Primitive Operations - the same as for RC5 (see the table above)

RC6 Encryption (Generic)

    B = B + S[0]
    D = D + S[1]
    for i = 1 to r do {
        t = (B x (2B + 1)) <<< lg(w)
        u = (D x (2D + 1)) <<< lg(w)
        A = ((A ⊕ t) <<< u) + S[2i]
        C = ((C ⊕ u) <<< t) + S[2i + 1]
        (A, B, C, D) = (B, C, D, A)
    }
    A = A + S[2r + 2]
    C = C + S[2r + 3]

One Round of RC6 (diagram: registers A, B, C, D; t and u from f and <<< 5; round keys S[2i], S[2i+1])

RC6 Encryption (for AES)

    B = B + S[0]
    D = D + S[1]
    for i = 1 to 20 do {
        t = (B x (2B + 1)) <<< 5
        u = (D x (2D + 1)) <<< 5
        A = ((A ⊕ t) <<< u) + S[2i]
        C = ((C ⊕ u) <<< t) + S[2i + 1]
        (A, B, C, D) = (B, C, D, A)
    }
    A = A + S[42]
    C = C + S[43]

RC6 Decryption (for AES)

    C = C - S[43]
    A = A - S[42]
    for i = 20 downto 1 do {
        (A, B, C, D) = (D, A, B, C)
        u = (D x (2D + 1)) <<< 5
        t = (B x (2B + 1)) <<< 5
        C = ((C - S[2i + 1]) >>> t) ⊕ u
        A = ((A - S[2i]) >>> u) ⊕ t
    }
    D = D - S[1]
    B = B - S[0]

Key Expansion (Same as RC5's) - the procedure is identical to the RC5 Key Expansion given above.

Public Key Cryptography

RSA (1978) Rivest, Shamir, and Adleman

Problem: factor a large integer into the product of two integers

RSA

• Public key: choose integers h and n
• Plaintext block: m
• Encipher: $c = m^h \bmod n$
• Decipher: $m = c^d \bmod n$
• h - public enciphering key (known)
• d - private deciphering key
• n - known

RSA

• Generate d and h - choose two prime numbers p and q such that $pq = n$
• p and q are secret
• Choose d such that $\mathrm{GCD}(d, f(n)) = 1$

$f(n) = (p-1)(q-1)$, $f(n)$ ~ Euler's Totient Function

RSA

Example: $p = 61$, $q = 53$, $n = 3233$, $f(n) = 3120$; choose $d = 37 \Rightarrow h = 253$, since $dh \equiv 1 \pmod{f(n)}$

RSA

• How to attack RSA
– factor n ⇒ p and q ⇒ d from h
– n ~ 300 digits
• ~ $1.5 \times 10^{29}$ operations to factor n
• 1 ms/operation ⇒ $4 \times 10^{15}$ years
– Determine f(n) ⇒ factor n
• Operational Protocol for RSA - plaintext protocol known as the Optimal Asymmetric Encryption Padding (OAEP)

M. Bellare and P. Rogaway, “Optimal Asymmetric Encryption - How to Encrypt with RSA,” Eurocrypt 1994, pp. 92-111.

Public Key Cryptography

Discrete Log Problem - El Gamal Cipher
• p - prime number
• $\alpha$ and $\beta$ integers
• Find a such that $\alpha^a = \beta \bmod p$

El Gamal Cipher

• Discrete Log Problem - $\alpha^a = \beta \bmod p$
– p, $\alpha$, and $\beta$ are the public key
– a is secret (deciphering key)
• Choose k
• x - plaintext

$y_1 = \alpha^k \bmod p$
$y_2 = x \beta^k \bmod p$

$c = (y_1, y_2)$

El Gamal Cipher

• Plaintext masked by $\beta^k$
• decryption - compute $\beta^k$ from $\alpha^k$ and then divide to obtain x

$x = y_2 (y_1^a)^{-1} \bmod p$
$y_1^a = (\alpha^k)^a \bmod p = \beta^k \bmod p$
$x = x \beta^k (\beta^k)^{-1} \bmod p$

• To attack the cipher must solve the discrete log problem for a

Diffie-Hellman

• Choose prime number n and integer g - can be made public
• User 1 ⇒ $A = g^x \bmod n$ (x random integer); send A to User 2
• User 2 ⇒ $B = g^y \bmod n$ (y random integer); send B to User 1
• User 1 ⇒ $k = B^x \bmod n$
• User 2 ⇒ $h = A^y \bmod n$
• $k = h = g^{xy}$, use as the key

illegal user knows: n, g, A, and B ⇒ to find key - solve the discrete log
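The El Gamal cipher and the Diffie-Hellman exchange of the preceding slides, worked on a toy prime so each value can be checked by hand. This is an added example, not course code; p = 23, α = g = 5 and all secret exponents are constructed values, and `discrete_log` is the brute-force search that is only feasible because p is tiny.

```python
# El Gamal and Diffie-Hellman in the slides' notation.  Added example (not
# course code); p, alpha and the exponents are constructed toy values.
P = 23          # prime p (called n on the Diffie-Hellman slide)
ALPHA = 5       # alpha (g): 5 has order 22 mod 23, so it generates Z_23^*


def elgamal_keygen(a):
    """Public key (p, alpha, beta = alpha^a mod p); a is the secret deciphering key."""
    return (P, ALPHA, pow(ALPHA, a, P)), a


def elgamal_encrypt(x, public, k):
    """c = (y1, y2): y1 = alpha^k, y2 = x * beta^k (mod p).  k must be fresh
    for every message, otherwise two ciphertexts share the mask beta^k."""
    p, alpha, beta = public
    return pow(alpha, k, p), x * pow(beta, k, p) % p


def elgamal_decrypt(c, a):
    """beta^k = y1^a, then x = y2 * (y1^a)^-1 mod p."""
    y1, y2 = c
    return y2 * pow(pow(y1, a, P), -1, P) % P


def dh_exchange(x, y):
    """User 1 holds x, User 2 holds y.  Returns (A, B, k, h): A and B travel
    over the wire; k and h are the keys each side derives and must agree."""
    A = pow(ALPHA, x, P)           # User 1 -> User 2
    B = pow(ALPHA, y, P)           # User 2 -> User 1
    k = pow(B, x, P)               # User 1: B^x = g^(xy)
    h = pow(A, y, P)               # User 2: A^y = g^(xy)
    return A, B, k, h


def discrete_log(beta, alpha=ALPHA, p=P):
    """Smallest a with alpha^a = beta mod p by exhaustive search: what the
    eavesdropper who sees only n, g, A and B must solve.  Only feasible here
    because p is tiny; for real parameters this is the hard problem."""
    for a in range(p - 1):
        if pow(alpha, a, p) == beta:
            return a
    return None
```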

Other Public Key Techniques

• Elliptic Curve Systems
• Cellular Automata
• DES Variants
• Ong-Schnorr-Shamir
• ESIGN

Elliptic Curve

• Elliptic Curve Systems - generalization of the discrete log problem and RSA systems to a Galois Field in which modular multiplication is replaced by the elliptic curve addition operation, for example:

$y^2 = x^3 + ax + b \pmod p$ (p is prime)

Find point solutions to the curve, (x, y) pairs
• PKCS #13: Elliptic Curve Cryptography Standard - http://www.rsasecurity.com/rsalabs/pkcs/pkcs-13/

http://world.std.com/~dpj/elliptic.html

Stream Ciphers

• Key generator - generate random sequence
– Can it really be random?
• Can produce “error resilient” cipher

Stream Cipher

• Another way to look at it:

$P_i$, $i = 1, 2, 3, \ldots$ plaintext

$R_i$, $i = 1, 2, 3, \ldots$ random numbers used as the key sequence

$C_i = P_i \oplus R_i$ ciphertext

Key Generator

• Shift Register sequence

• Linear Shift Register Sequence

LSR Sequences

$f(\cdot) = c_0 s_0 + c_1 s_1 + \cdots + c_{n-1} s_{n-1}$

$c_i$ ~ feedback coefficients

• Output is function of the $c_i$'s and the initial fill
• Output sequence is periodic, maximum period $2^n - 1$
• How do you choose the feedback coefficients?
– use m-sequences (nice correlation properties)
– also known as pseudo-random sequences

Linear Shift Register

• Not very secure
• know 2n bits ⇒ can obtain the entire $2^n - 1$ bits
• use non-linear sequences
• random number generation
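The linear shift register of the two slides above in code: the generator with feedback f(·) = c0 s0 + ... + c(n-1) s(n-1) over GF(2), a period check that separates an m-sequence (period 2^n - 1) from a poorer choice of taps, and the linear-algebra fact behind "know 2n bits ⇒ can obtain the entire sequence". This is an added example and not course code; the taps and initial fills are constructed (x^4 + x + 1 is a standard primitive polynomial).

```python
# Linear shift register keystream over GF(2), as on the 'LSR Sequences' slides.
# Added example (not course code); coefficient vectors and fills are constructed.
# Convention: state = (s_t, ..., s_{t+n-1}); each step outputs s_t and shifts in
# the feedback bit s_{t+n} = sum_i c_i s_{t+i} mod 2.

def lfsr_stream(coeffs, fill, length):
    """coeffs = (c_0..c_{n-1}), fill = initial register (s_0..s_{n-1})."""
    state = list(fill)
    out = []
    for _ in range(length):
        out.append(state[0])
        fb = sum(c & s for c, s in zip(coeffs, state)) & 1
        state = state[1:] + [fb]
    return out


def period(coeffs, fill):
    """Steps until the register returns to the initial fill; an m-sequence
    reaches the maximum 2^n - 1, other taps give a shorter period."""
    n = len(coeffs)
    state = list(fill)
    for steps in range(1, 2 ** n + 1):
        fb = sum(c & s for c, s in zip(coeffs, state)) & 1
        state = state[1:] + [fb]
        if state == list(fill):
            return steps
    return None


def recover_coeffs(bits, n):
    """Why 2n output bits suffice: s_{t+n} = sum_i c_i s_{t+i} for t = 0..n-1
    is an n x n linear system over GF(2) in the unknown c_i.  Gaussian
    elimination solves it; with the c_i and the first n bits the whole
    2^n - 1 bit period can be regenerated.  Returns None if the n equations
    are not independent."""
    rows = [bits[t:t + n] + [bits[t + n]] for t in range(n)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if rows[r][col]), None)
        if pivot is None:
            return None
        rows[col], rows[pivot] = rows[pivot], rows[col]
        for r in range(n):
            if r != col and rows[r][col]:
                rows[r] = [x ^ y for x, y in zip(rows[r], rows[col])]
    return tuple(row[n] for row in rows)
```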

RC4

• Stream cipher - $C_i = P_i \oplus R_i$

• To generate $R_i$: one 8x8 s-box of bytes $S_i$, $i = 0, 1, \ldots, 255$

    i = 0, j = 0
    i = (i + 1) mod 256
    j = (j + S_i) mod 256
    swap S_i and S_j
    t = (S_i + S_j) mod 256
    R = S_t

RC4

• Generation of the s-box - 8x8 matrix
– initially fill it with 0, 1, 2, …, 255
– take key and fill another array, repeat key to fill the entire array, call this $K_0, K_1, \ldots, K_{255}$

    for i = 0 to 255
        j = (j + S_i + K_i) mod 256
        swap S_i and S_j

RC4

• RSA claims that RC4 is immune to short cycles and other attacks and is very nonlinear
– it has been broken!
• can extend to larger s-box

• Lots of controversy when RC4 was leaked to the public
• RC4 used in Cellular Digital Packet Data (CDPD) and WEP

• See Airsnort - http://airsnort.shmoo.com/

Authentication Signature Schemes

• Who are you?
• Are you who you say you are?
• Signing a document

Signatures

• Digital Signatures vs. Conventional Signatures
• “Signing” a document
– Conventional Signature - physically part of the document
– Digital Signature - must have a “binding” operation to bind signature to message
• Verification
– Conventional - compare to other authentic document
– Digital - public algorithm, anyone can verify the signature

Signatures

• A copy of signed digital document is identical to the original • Problem with document reuse (time-stamping)

Signatures - RSA

M - message

$k_d$ - private deciphering key

$k_e$ - public enciphering key

$c = d_{k_d}(m)$
$m = e_{k_e}(c)$

c - signed message

Problems with forgery - use hash functions

Signature Algorithm

• Signing Algorithm $\mathrm{sig}_k(\cdot)$
• Verification Algorithm $\mathrm{ver}_k(\cdot)$
• El Gamal Signature Algorithm
• DSS (December 1, 1994)
• Difference in Encryption and Signature Systems
– Signature System must be stronger
– Problems with signing long messages

Signing and Encryption

• Always better to sign and then encrypt

m - plaintext
$s = d_{k_d}(m)$
$c = e_{k_e}(m, s)$
c - ciphertext

• Encrypt then sign:

$c' = e_{k_e}(m)$
$c = d_{k_d}(c')$

Another user could remove your signature and add their signature

Hash Functions

• Hash functions convert arbitrary-length binary strings to a fixed length output, H = H(P) • Useful properties: – trivial to produce H, given P – extremely difficult to obtain P from H

– very difficult to find two inputs, P1 and P2, that yield the same H (collision resistance)

Hash Functions

• Produce Message Digest by “hashing” the message
– check sum
– map large message into n bit hash
• Sign message digest
• MD4 Hash (Rivest 1990)
• MD5 Hash (Rivest 1991) 128 bit hash
• Secure Hash Standard (SHS) (May 11, 1993) 160 bit hash
– SHA-1
– http://csrc.nist.gov/cryptval/shs.html
– SHA-1 will be replaced - new hash to work better with AES

SHA-1

Time Stamps

• Time stamps use hash functions to verify a digital work's time of creation, ownership and content:
– When was this data created or last modified?
• Two procedures:
– certification - the author of the data can "sign" the record, or a user can fix data in time. The result is a certificate
– verification - any user can check data and its certificate to make sure it is correct
• Time stamping is a form of authentication and requires a “trusted” third party escrow agent
• http://www.surety.com/

Other Standards

• Digital Signature Standard

• Digital Time Stamp Standard

PGP

• Uses RSA, IDEA, and MD5 hash
• Message encrypted using IDEA
– 64 bit plaintext, 128 bit key
• RSA used to encrypt IDEA key
• Hash used for signing

http://www.pgp.com/

E-Commerce

• This almost always means selling and/or buying something using the Internet
– cryptography (be careful of US export laws)
– authentication (signing and time stamping)
• The key management problem - who is your trusted escrow agent (US government?)

Certificates and Digital I.D.

• Use to certify that your public key is correct - trusted third party signs your public key and issues a certificate or “digital I.D.”
• Used in
– web browsers
– secure email
– smart cards

Certification Authority (Trusted Agents)

• VeriSign - www.verisign.com
• Baltimore CyberTrust Solutions - http://www.baltimore.com/cybertrust/
• Entrust - www.entrust.com

All use the Public Key Infrastructure (PKI) http://csrc.nist.gov/pki/

Web Based Security

• Lots of potential problems using the web - it is easy to do something dumb!
– cgi scripts
– server side includes
– running the server as root
– TCP/IP problems (spoofing and packet flooding)

http://www.w3.org/Security/Faq/www-security-faq.html

Digital Millennium Copyright Act

Will it be illegal to remove security features from a data element?

http://lcweb.loc.gov/copyright/
http://www.dfc.org/

Reference Books

• D. R. Stinson, Cryptography: Theory and Practice, CRC Press, 2nd Edition.
• B. Schneier, Applied Cryptography, (2nd edition) Wiley, 1996.
• D. Kahn, The Codebreakers, Scribner, 1996.
• K. W. Dam and H. S. Lin, Cryptography's Role In Securing The Information Society, National Academy Press, 1996.

Web Resources

• RSA Security - http://www.rsa.com (RSA Labs - http://www.rsasecurity.com/rsalabs/index.html, excellent FAQ)
• International Association for Cryptologic Research http://www.swcp.com/~iacr
• Ron Rivest's Cryptography and Security Page http://theory.lcs.mit.edu/~rivest/crypto-security.html
• Dorothy Denning's Cryptography Project http://www.cosc.georgetown.edu/~denning/crypto
• ’s Counterpane http://www.counterpane.com/
• NIST's Cryptographic Toolkit http://csrc.nist.gov/encryption/