
Cryptography I

David Basin
Institut für Informatik
Albert-Ludwigs-Universität Freiburg

IT-Security: Theory and Practice (WS02), 29.10.02

Motivation then and now

Three can keep a secret, if two of them are dead.
— Benjamin Franklin

We interact and transact by directing flocks of digital packets towards each other through cyberspace, carrying love notes, digital cash, and secret corporate documents. Our personal and economic lives rely on our ability to let such ethereal carrier pigeons mediate at a distance what we used to do with face-to-face meetings, paper documents, and a firm handshake. How do we converse privately when every syllable is bounced off a satellite and smeared over an entire continent? How should a bank know that it really is Bill Gates requesting from his laptop in Fiji a transfer of $10,000,000,000 to another bank? Fortunately, the mathematics of cryptography can help.
— Ron Rivest

Road map

• Basic concepts
• A mathematical formalization
• Symmetric-key encryption

Network security model

[Figure: two principals exchange a message over an information channel, each holding secret information; a trusted third party and an opponent are also shown.]

Since the information channel is untrusted, measures must be taken to ensure confidentiality (integrity, ...) of transactions.

Security measures and mechanisms

• Prevention: measures that hinder asset damage.
  Real-world: build a castle with a moat and crocodiles.
  E-Commerce: encrypt your credit card number.
• Detection: measures to detect when an asset has been damaged, how it has been damaged, and who caused the damage.
  Real-world: install a closed-circuit television.
  E-Commerce: monthly statement of credit card transactions.
• Reaction: take measures to recover your assets or rectify damages.
  Real-world: call the police and pray.
  E-Commerce: block old card and request a new one.

Information hiding

SECRET WRITING
  STEGANOGRAPHY (hidden)
  CRYPTOGRAPHY (scrambled)
    SUBSTITUTION
      CODE (replace words)
      CIPHER (replace letters)
    TRANSPOSITION

• Cryptology: the study of secret writing.
• Steganography: the science of hiding messages in other messages.
• Cryptography: the science of secret writing.

N.B. Terms like encrypt, encode, and encipher are often (loosely and wrongly) used interchangeably.

Cryptographic algorithms

• General schema: $E_{\text{Key1}}(P) = C$, $D_{\text{Key2}}(C) = P$

  [Figure: Plaintext P → Encryption (Key1) → Ciphertext C → Decryption (Key2) → Plaintext P]

• Security depends on secrecy of the key, not the algorithm.
• Symmetric algorithms
  – Key1 = Key2, or are easily derived from each other.
• Asymmetric or public key algorithms
  – Different keys, which cannot be derived from each other.
  – Public key can be published without compromising private key.

Other cryptographic primitives

• A function $f : X \to Y$ is a one-way function if $f$ is “easy” to compute for all $x \in X$, but $f^{-1}$ is “hard” to compute.
  “Easy” and “hard” with respect to complexity theory.
• A hash function is a one-way function that maps messages of arbitrary length to a fixed size value (e.g., 128 bits).
• We will see other cryptographic primitives later:
  trapdoor functions, pseudo-random generators, ...

Goals for cryptographic algorithms

[Figure: Plaintext → Encryption (Key1) → Ciphertext → Decryption (Key2) → Plaintext]

• Encryption and decryption are easy if keys are known.
• Keep plaintext (or keys) secret from attacker. I.e., it is hard to:
  – get P from C without Key2.
  – get the keys even if given one or more pairs of C and corresponding P.

Cryptanalysis

• Cryptanalysis: science of recovering the plaintext from ciphertext without the key.
• Always assume attackers know the algorithms used!
  – Worst-case analysis and realistic in open systems.
  – Algorithms should be published to facilitate the evaluation of their security.
• Contrast with security by obscurity.
  Analogy: hide a letter under your mattress versus lock it in a safe, whose design has been published and whose locking mechanism has withstood attacks from the world’s best safecrackers.

Kinds of attacks

Ciphertext only
  Given: $C_1 = E_K(M_1), \ldots, C_n = E_K(M_n)$
  Deduce: $M_1, \ldots, M_n$ or algorithm to compute $M_{n+1}$ from $C_{n+1} = E_K(M_{n+1})$

Known plaintext
  Given: $M_1, C_1 = E_K(M_1), \ldots, M_n, C_n = E_K(M_n)$
  Deduce: Inverse key or algorithm to compute $M_{n+1}$ from $C_{n+1} = E_K(M_{n+1})$

Chosen plaintext
  Same as above but cryptanalyst may choose $M_1, \ldots, M_n$.

Adaptive chosen plaintext
  Cryptanalyst can not only choose plaintext, but he can modify the plaintext based on encryption results.

Chosen ciphertext
  Cryptanalyst can choose different ciphertexts to be decrypted and gets access to the decrypted plaintext.

Rubber-hose
  Cryptanalyst bribes or tortures someone until he gets the key!

Road map

• Basic concepts
• A mathematical formalization
• Symmetric key encryption

Encryption/decryption

• $\mathcal{A}$, the alphabet, is a finite set.
• $\mathcal{M}$, the message space, is $\mathcal{A}^*$, the finite strings over $\mathcal{A}$. $M \in \mathcal{M}$ is a plaintext (message).
• $\mathcal{C}$ is the ciphertext space, whose alphabet may differ from $\mathcal{M}$.
• $\mathcal{K}$ denotes the key space of keys.
• Each $e \in \mathcal{K}$ determines a bijective function from $\mathcal{M}$ to $\mathcal{C}$, denoted by $E_e$. $E_e$ is the encryption function (or transformation).
• For each $d \in \mathcal{K}$, $D_d$ denotes a bijection from $\mathcal{C}$ to $\mathcal{M}$. $D_d$ is the decryption function.
• Applying $E_e$ (or $D_d$) is called encryption (or decryption).

Encryption/decryption (cont.)

• An encryption scheme (or cipher) consists of a set $\{E_e : e \in \mathcal{K}\}$ and a corresponding set $\{D_e : e \in \mathcal{K}\}$ with the property that for each $e \in \mathcal{K}$ there is a unique $d \in \mathcal{K}$ such that $D_d = E_e^{-1}$; i.e., $D_d(E_e(m)) = m$ for all $m \in \mathcal{M}$.
• The keys $e$ and $d$ above form a key pair, sometimes denoted by $(e, d)$. They can be identical.
• To construct an encryption scheme requires fixing a message space $\mathcal{M}$, a ciphertext space $\mathcal{C}$ and a key space $\mathcal{K}$, as well as encryption transformations $\{E_e : e \in \mathcal{K}\}$ and corresponding decryption transformations $\{D_d : d \in \mathcal{K}\}$.

Question — why bother with keys?

• Formalization based on two parties exchanging a key pair $(e, d)$ to achieve confidentiality.
• Why not just exchange encryption/decryption functions?
• Answer: By exchanging key pairs, if some encryption/decryption transformation is revealed, one doesn’t have to redesign entire scheme. Just exchange new keys!
• Analogy with combination lock: If your combination is compromised, just change it, not the physical lock. However, if the lock design is compromised ...

An example

Let $\mathcal{M} = \{m_1, m_2, m_3\}$ and $\mathcal{C} = \{c_1, c_2, c_3\}$. There are 3! = 6 bijections from $\mathcal{M}$ to $\mathcal{C}$. The key space $\mathcal{K} = \{1, 2, 3, 4, 5, 6\}$ specifies these transformations.

[Figure: arrow diagrams of the six bijections $E_1, \ldots, E_6$, each mapping $m_1, m_2, m_3$ to $c_1, c_2, c_3$.]

Suppose Alice and Bob agree on the transformation $E_1$.
To encrypt $m_1$, Alice computes $E_1(m_1) = c_3$. Bob decrypts $c_3$ by reversing the arrows on the diagram for $E_1$ and observing that $c_3$ points to $m_1$.

Road map

• Basic concepts
• A mathematical formalization
• Symmetric-key encryption
  Codes, substitution ciphers, transposition ciphers, one-time pads.

Symmetric key encryption

• Consider an encryption scheme $\{E_e : e \in \mathcal{K}\}$ and $\{D_d : d \in \mathcal{K}\}$. The scheme is symmetric-key if for each associated pair $(e, d)$ it is computationally “easy” to determine $d$ knowing only $e$ and to determine $e$ from $d$. In practice $e = d$.
• Other terms: single-key, one-key, private-key, and conventional encryption.
• A block cipher is an encryption scheme that breaks up the plaintext message into strings (blocks) of a fixed length $t$ and encrypts one block at a time.
• A stream cipher is one where the block-length is 1.
• In contrast, codes work on words of varying length.

Codes

• Code: a string of symbols stands for a complete message.
• Translation given by a ‘code-book’.

  Word        Code
  ...         ...
  The         1701
  secret      5603
  mischiefs   4008
  that        3790
  I           2879
  set         0524
  ...         ...

  2327 6605 1702 9853 0001 0970 3190 8817 1320 0000 =
  1701 5603 4008 3790 2879 0524 7946 =
  2879 2870 6699 1702 3982 5550 8102 7354 0000 =
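
Returning to the three-message example from the formalization section: the sketch below is an added example, not part of the original slides. It builds all 3! = 6 bijections as a keyed scheme, checks the decryption property, and runs the known-plaintext analysis from "Kinds of attacks" against it. The function names, the key numbering (itertools order, which need not match the slide's E1..E6 diagram), and the second plaintext/ciphertext pair are assumptions made for illustration.

```python
from itertools import permutations

# Message and ciphertext spaces from the slide's example.
M = ("m1", "m2", "m3")
C = ("c1", "c2", "c3")

def build_scheme():
    """Return {key: (E, D)} with one key per bijection from M to C.

    Key numbers 1..6 follow itertools.permutations order (an assumption;
    they need not match the E1..E6 numbering of the slide's diagram).
    """
    scheme = {}
    for key, image in enumerate(permutations(C), start=1):
        E = dict(zip(M, image))           # encryption transformation E_e
        D = {c: m for m, c in E.items()}  # decryption D_d = inverse of E_e
        scheme[key] = (E, D)
    return scheme

def consistent_keys(scheme, known_pairs):
    """Known-plaintext analysis: keys with E(m) == c for every known pair."""
    return [k for k, (E, _) in scheme.items()
            if all(E[m] == c for m, c in known_pairs)]

def candidate_plaintexts(scheme, keys, c):
    """Plaintexts still possible for ciphertext c when the key is in `keys`."""
    return sorted({scheme[k][1][c] for k in keys})

if __name__ == "__main__":
    scheme = build_scheme()
    # Defining property from the slides: D_d(E_e(m)) = m for all m.
    assert all(D[E[m]] == m for E, D in scheme.values() for m in M)
    # Pair from the slide: m1 encrypts to c3. Second pair is constructed.
    one = consistent_keys(scheme, [("m1", "c3")])
    two = consistent_keys(scheme, [("m1", "c3"), ("m2", "c1")])
    print("keys in scheme:", len(scheme))
    print("keys consistent with one pair:", one)
    print("keys consistent with two pairs:", two)
    print("c1 could still be:", candidate_plaintexts(scheme, one, "c1"))
```

The scheme satisfies the formal definition, yet a single known pair cuts the key space from six keys to two and a second pair fixes the key, so it fails the goal that keys stay hidden even when pairs of C and P are known.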