preliminary Paper Script Information Systems Security 157.738 MSc CompSci Sebastian Link Version March 24, 2003 Massey University Department of Information Systems Private Bag 11222 Palmerston North New Zealand Plagiarism 2003 Since most of your marks will contribute towards your overall marks for the course we cannot accept work which has been written jointly with others unless it is an approved group activity. Similarly, if you include in your assignments material gained from other works in your sub- ject area it is absolutely imperative that you give due acknowledgment. Deliberately copying from printed work and passing it off as your own is cheating. Copyright 2003 Books, journals, computer software and other teaching materials made available by Massey University are for the student's own studies and copying or use of them for other purposes is an infringement of copyright. 3 Preface This lecture manual is intended to serve as an introduction to cryptography for graduate Information Systems students. It is self-contained, especially fundamental mathematical con- cepts are introduced in a way they will be needed to understand formally how and why particular cryptographic methods work. Therefore, students are not required to have a deep mathematical background. Unfortunately, proofs for theorems have been omitted in general, although the author tried to convey as much mathematical flavour as possible. The script covers a lot more than can be taught within a five day block course, where it is important that lectures and exercises alternate. Basically, greater extracts have been taken and adopted from Stinson's \Cryptography: The- ory and Practice" and from the \Handbook of Applied Cryptography". I am grateful for any kind of helpful suggestions and corrections. Table of Contents 1 The Significance of Cryptography 1 1.1 Introduction . 1 1.2 Information Security and Cryptography . 2 2 Simple Cryptosystems 6 2.1 Basics on Functions . 6 2.2 General Definitions . 8 2.3 Monoalphabetic Cryptosystems . 10 2.3.1 Modular Arithmetic - Part I . 11 2.3.2 The Shift Cipher . 13 2.3.3 Permutations . 15 2.3.4 The Substitution Cipher . 16 2.3.5 Modular Arithmetic - Part II . 17 2.3.6 The Affine Cipher . 20 2.4 Polyalphabetic Cryptosystems . 24 2.4.1 The Vigenere Cipher . 24 2.4.2 Matrices and determinants . 26 2.4.3 The Hill Cipher . 30 2.4.4 The Permutation Cipher . 32 2.5 Cryptanalysis . 34 2.5.1 Different Levels of Attack . 34 2.5.2 Cryptanalysis of the Affine Cipher . 35 2.5.3 Cryptanalysis of the Substitution Cipher . 37 2.5.4 Cryptanalysis of the Vigenere Cipher . 39 2.5.5 A known Plaintext Attack on the Hill Cipher . 44 3 Modern Block Ciphers 45 3.1 Introduction to block ciphers . 45 3.2 DES . 46 3.2.1 Introduction . 46 3.2.2 Product ciphers and Feistel ciphers . 46 3.2.3 The DES Algorithm . 47 3.2.4 Triple DES . 53 3.2.5 Security and Attacks on DES and Triple DES . 54 3.2.6 DES Modes of Operation . 55 3.3 FEAL . 56 ii 3.4 IDEA . 58 3.5 SAFER . 61 3.6 RC5 . 64 3.7 The Advanced Encryption Standard: Rijndael . 65 3.7.1 The Basic Algorithm . 66 3.7.2 The Layers . 67 3.7.3 Decryption . 70 3.7.4 Design Considerations . 72 4 The RSA System 73 4.1 Introduction to public-key cryptography . 73 4.2 More mathematical background . 77 4.2.1 Asymptotic notation . 77 4.2.2 The Euclidean Algorithm and its extension . 78 4.2.3 Algorithms in n . 79 4.2.4 The Chinese Remainder Theorem and the Gauss-Algorithm . 81 4.2.5 Some facts about groups . 83 4.3 The RSA Cryptosystem . 85 4.4 Probabilistic Primality Tests . 87 4.4.1 Fermat's test . 88 4.4.2 The Legendre and Jacobi symbols . 89 4.4.3 Solovay-Strassen Test . 92 4.4.4 Miller-Rabin Test . 93 4.4.5 A Comparison . 95 4.5 The Integer Factorization Problem . 96 4.5.1 Trial Division . 97 4.5.2 Pollard's ρ-method . 97 4.5.3 Pollard's p 1-method . 99 − 4.5.4 Elliptic curve factoring . 101 4.5.5 Quadratic sieve factoring . 101 4.6 Attacks on RSA . 103 4.6.1 Relation to factoring . 103 4.6.2 Small Encryption Exponent b . 104 4.6.3 Forward Search Attack . 105 4.6.4 Small Decryption Exponent a . 105 4.6.5 Multiplicative Properties . 106 4.6.6 Common modulus attack . 106 4.6.7 Cycling attacks . 107 4.6.8 Message Concealing . 107 4.7 RSA Encryption in Practice . 108 5 The ElGamal Cryptosystem 110 5.1 The ElGamal Cryptosystem and Discrete Logarithms . 110 5.2 Algorithms for the Discrete Log Problem . 113 5.2.1 The Baby-Step-Giant-Step Algorithm . 113 5.2.2 Pollard's ρ-algorithm for Discrete Logs . 114 5.2.3 The Pohlig-Hellman Algorithm . 116 iii 5.2.4 The Index Calculus Method . 118 A Cryptography Timeline 121 Chapter 1 The Significance of Cryptography 1.1 Introduction Cryptography has a long and fascinating history. The most complete non-technical account of the subject is Kahn's The Codebreakers. This book traces cryptography from its initial use by the Egyptians some 4000 years ago, to the twenties century where it played a crucial role in the outcome of both world wars. Completed in 1963, Kahn's book covers those aspects of the history which are most significant (up to that time) to the development of that subject. The predominant practitioniers of the art were associated with the military, the diplomatic service and government in general. Cryptography was used as a tool to protect national secrets and strategies. The proliferation of computers and communications systems in the 1960s brought with it a demand from the private sector for means to protect information in digital form and to provide security services. Beginning with the work of Feistel at IBM in the early 1970s and culminating in 1977 with the adoption as a U.S. Federal Information Processing Standard for encrypting unclassified information, DES, the Data Encryption Standard, is the most well-known cryptographic mechanism in history. It remains the standard means for securing electronic commerce for many financial institutions around the world. The most striking development in the history of cryptography came 1976 when Diffie and Hellman published New Directions in Cryptography. This paper introduced the revolutionary concept of public-key cryptography and also provided a new and ingenious method for key exchange, the security of which is based on the intractibility of the discrete logarithm problem. Although the authors had no practical realization scheme at the time, the idea was clear and it generated extensive interest and activity in the cryptographic community. In 1978 Rivest, Shamir and Adleman discovered the first practical public-key encryption and signature scheme, now referred to as RSA. The RSA scheme is based on another hard mathematical problem, the intractibility of factoring large integers. This application of a hard mathematical problem to cryptography revitalized efforts to find more efficent methods to factor. The 1980s saw major advances in this area but none which rendered the RSA system insecure. Another class of powerful and practical public-key schemes was found by ElGamal in 1985. These are also based on the discrete logarithm problem. One of the most significant contributions provided by public-key cryptography is the digital signature. In 1991 the first international standard for digital signatures (ISO/IEC 9797) was adopted. It is based on the RSA public-key scheme. In 1994 the U.S. Government adopted CHAPTER 1. THE SIGNIFICANCE OF CRYPTOGRAPHY 2 the Digital Signature Standard, a mechanism based on the ElGamal public-key scheme. The search for new-public schemes, improvements to existing cryptographic mechanisms, and proof of security continues at a rapid pace. Various standards and infrastructures involving cryptography are being put in place. Security products are being developed to address the security needs of an information intensive society. The purpose of this paper is to give an up-to-date treatise of the principles, techniques, and algorithms of interest in cryptographic practice. Emphasis has been placed on those aspects which are most practical and applied. The reader will be aware of the basic issues and encouraged to further studies in the fields of interest. Due to time restrictions and in view of the practical intention of this paper, most results will be stated without proofs. 1.2 Information Security and Cryptography The concept of information will be taken to be an understood quantity. To introduce cryp- tography, an understanding of issues related to information security in general is necessary. Information security manifests itself in many ways according to the situation and requirement. Regardless of who is involved, to one degree or another, all parties to a transaction must have confidence that certain objectives associated with information security have been met. Some of these objectives are listed in Table 1.1. privacy keeping information secret from all but those who or confidentiality are authorized to see it data integrity ensuring information has not been altered by unauthorized or unknown means entity authentication corroboration of the identity of an entity (e.g., a person, or identification a computer terminal, a credit card, etc.) message corroborating the source of information; also known as data authentication origin authentication signature a means to bind information to an entity authorization conveyance, to another entity, of official sanction to do or be something validation a means to provide timeliness of authorization to use or manipulate information or resources access control restricting access to resources to privileged entities certification endorsement of information by a trusted entity timestamping recording the time of creation or existence of information witnessing verifying the creation or existence of information by an entity other than the creator receipt acknowledgement that information has been received confirmation acknowledgement that services have been provided ownership a means to provide an entity with the legal right to use or transfer a resource to others anonymity concealing the identity of an entity involved in some process non-repudiation preventing the denial of previous commitments or actions revocation retraction of certification or authorization Table1.1.