IN2120 Information Security Cryptography Outline Terminology

IN2120 Information Security
Cryptography

Nils Gruschka
University of Oslo

Outline

  • What is cryptography?
  • Brief crypto history
  • Symmetric cryptography
  • Stream ciphers
  • Block ciphers
  • Hash functions
  • Asymmetric cryptography
  • Encryption
  • Diffie-Hellman key exchange
  • Digital signatures
  • Post-Quantum Crypto

Terminology

[Figure: Cryptology, with the branches Cryptography and Cryptanalysis.]

  • Cryptography is the science of secret writing with the goal of hiding the meaning of a message.
  • Cryptanalysis is the science of breaking cryptography.
  • Cryptology covers both cryptography and cryptanalysis.

What can cryptography do?

Crypto can provide the following security services:

  • Confidentiality: Makes data unreadable to entities who do not have the appropriate cryptographic keys, even if they have the data.
  • Data Integrity: Entities with the appropriate cryptographic keys can verify that data is correct and has not been altered, either deliberately or accidentally.
  • Authentication: Entities who communicate can be assured that the other user/entity or the sender of a message is what it claims to be.
  • Digital Signature and PKI (Public-Key Infrastructure): Strong proof of data origin which can be verified by 3rd parties. Scalable (to the whole Internet) distribution of cryptographic keys.

Taxonomy of cryptographic functions

[Figure: taxonomy tree. Labels: Cryptographic Functions; Hash Functions; Ciphers; Symmetric (one secret key used for both encryption and decryption), with Block and Stream below it; Asymmetric (public key used for encryption and private key used for decryption).]

Evolution of Ciphers

[Figure: timeline. Eras: Classical ciphers, Medieval ciphers, Pre-WW2 ciphers, WW2 ciphers, Pre-2000 ciphers, Post-2000 ciphers. Axis labels: BC, AD, 1799, 1800, 1939, 1940, 1975, 1976, 2000, 2001. Entries: Transposition (Scytale); Substitution (Caesar cipher); Poly-alphabetic (Vigenère, 1566); One-time pad (Vernam, 1916); Substitution + Transposition; Complex mechanics (Enigma); Info-theory (Shannon); SP-networks; DES (Feistel); Asymmetric crypto (Diffie, Hellman); AES (Rijmen & Daemen); Post-Quantum Asymmetric crypto.]

Terminology

  • Encryption: plaintext (cleartext) M is converted into a ciphertext C under the control of a key k. We write C = E(M, k).
  • Decryption with key k recovers the plaintext M from the ciphertext C. We write M = D(C, k).
  • Symmetric ciphers: the secret key is used for both encryption and decryption.
  • Asymmetric ciphers: Pair of private and public keys where it is computationally infeasible to derive the private decryption key from the corresponding public encryption key.

Symmetric cryptography (secret key)

[Figure: Alice and Bob each hold the secret key. Labels: Plaintext, Message, Algorithm (encryption), Ciphertext, Algorithm (decryption), Message, Plaintext; caption fragment "authorized to encrypt and decrypt".]

Strength of Ciphers

Factors for cryptographic strength:

  • Key size.
    Exhaustive key-search time depends on the key size. Typical key size for a symmetric cipher is 256 bit. Attacker must try $2^{256}/2$ keys on average to find the key, which would take millions of years, which is not practical. With N different keys, the key size is log2(N).
  • Algorithm strength.
    Key discovery by cryptanalysis can exploit statistical regularities in the ciphertext. To prevent cryptanalysis, the bit-patterns / characters in the ciphertext should have a uniform distribution, i.e. all bit-patterns / characters should be equally probable.

Historic ciphers, like the Caesar Cipher, are weak because they fail to hide statistical regularities in the ciphertext.

[Figures: Letter frequencies in English; Caesar Cipher (photo by Unknown Author, licensed under CC BY-SA).]

Claude Shannon (1916-2001)

The Father of Information Theory
MIT / Bell Labs

  • Information Theory
    Defined the binary digit (bit) as information unit.
    Defined information entropy to measure amount of information.
  • Cryptography
    Model of secrecy systems.
    Defined perfect secrecy.
    Principle of S-P encryption (substitution & permutation) to hide statistical regularities.

S-P Network

Removes statistical regularities in ciphertext

  • Substitutions & Permutations
    Substitute bits e.g. 0001 with 0110
    Permute parts e.g. part-1 to part-2
  • relationship between input and output
  • influences many output bits
  • Iterated S-P functions a specific number of times
  • Functions must be invertible

[Figure: plaintext passes through alternating layers of S boxes (S S ... S) and permutations (P), ending in ciphertext.]

AES - Advanced Encryption Standard

  • DES (Data Encryption Standard) from 1977 had a 56-bit key and a 64-bit block.
  • In the mid-1990s DES could be cracked with exhaustive key search.
  • In 1997, NIST announced an open competition for a new block cipher to replace DES.
  • Rijndael (designed by Vincent Rijmen and Joan Daemen from Belgium) was nominated as AES (Advanced Encryption Standard) in 2001.
  • AES has key sizes of 128, 192 or 256 bit and block size of 128 bit.

Block Cipher

[Figure: Plaintext blocks (n bits) and a Key enter the Block Cipher, which outputs Ciphertext blocks (n bits).]

Block Ciphers: Modes of Operation

Block ciphers can be used in different modes in order to provide specific security protection.

Common modes include:

  Insecure:
  • Electronic Code Book (ECB)

  Secure:
  • Cipher Block Chaining (CBC)
  • Output FeedBack (OFB)
  • Cipher FeedBack (CFB)
  • CounTeR Mode (CTR)

Electronic Code Book (ECB)

  • Simplest mode of operation
  • Plaintext data is divided into blocks M1, M2, ..., Mn
  • Each block is then processed separately
  • Plaintext block and key used as inputs to the encryption algorithm

[Figure: each plaintext block M1, M2, ..., Mn is encrypted with key K to give C1, C2, ..., Cn; each ciphertext block is decrypted with key K to give M1, M2, ..., Mn.]

Electronic Code Book (ECB-mode)

[Figure: the plaintext "THIS IS A SIMPLE PLAINTEXT MESSAGE." is split into three blocks, each passed through Encryption, giving the ciphertext "X&jÜ Ji8(clÄ+#/2Haq% 7Ö1k5a$jA~Kq1 ü".]

Vulnerability of ECB-mode

[Figure: the plaintext "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" is split into three blocks, each passed through Encryption, giving three identical ciphertext blocks: "Lo%91Pa*/qF8Ql0 Lo%91Pa*/qF8Ql0 Lo%91Pa*/qF8Ql0".]

CTR
Counter Mode

One-Time-Pad (Gilbert Vernam, 1917)

[Figure: Alice and Bob share the secret OTP key K = k1, k2, k3, ..., ki. Alice encrypts plaintext message M bitwise, $c_i = m_i \oplus k_i$ (bitwise XOR addition), and sends the ciphertext c1, c2, c3, ..., ci. Bob decrypts bitwise, $m_i = c_i \oplus k_i$, and recovers plaintext message M.]

  • Property of bitwise XOR addition: $k_i \oplus k_i = 0$ and $m_i = c_i \oplus k_i = m_i \oplus k_i \oplus k_i$
  • OTP offers perfect security assuming the OTP key is perfectly random, of same length as the message, and only used once

The perfect cipher: One-Time-Pad

  • Old version used a paper tape of random data
  • Modern versions can use DVDs with Gbytes of random data

Block Cipher vs. Stream Cipher

[Figure: Block cipher: Plaintext blocks (n bits) and a Key enter the Block Cipher, which outputs Ciphertext blocks (n bits). Stream cipher: a Key feeds the Key stream generator; the Key stream is combined with the Plaintext stream to give the Ciphertext stream.]

Note that the key stream repeats itself and is not totally random, hence a stream cipher is not a One-Time-Pad.

INTEGRITY CHECK FUNCTIONS

Hash Functions

  • Idea: characteristic for the large dataset or
  • (Extremely simple) example: take the last 4 digits of a credit card number

Image Source: https://www.syssolutionsllc.com/page/Addons/CreditCardHolderName

Hash functions (message digest functions)

Requirements for a one-way hash function h:

  1. Ease of computation: given x, it is easy to compute h(x).
  2. Compression: h maps inputs x of arbitrary bitlength to outputs h(x) of a fixed bitlength n.
  3. One-way: given a value y, it is computationally infeasible to find an input x so that h(x)=y.
  4. Collision resistance: it is computationally infeasible to find x and x', where x ≠ x', with h(x)=h(x') (note: two variants of this property).

Properties of hash functions

[Figure panels: Ease of computation; Pre-image resistance; Collisions exist but are hard to find; Weak collision resistance (2nd pre-image resistance); Strong collision resistance.]

Applications of hash functions

  • Comparing files
  • Protection of password
  • Authentication of SW distributions
  • Bitcoin
  • Generation of Message Authentication Codes (MAC)
  • Digital signatures
  • Pseudo number generation/Mask generation functions
  • Key derivation

Well-known hash functions

  • MD5 (1991): 128 bit digest. Relatively easy to break by finding collisions, due to short digest and poor design. Not to be used in new applications, but may be used in legacy applications.
  • SHA-1 (Secure Hash Algorithm): 160 bit digest. Designed by NSA in 1995 to operate with DSA (Digital Signature Standard). Attacks exist. Not recommended, but sometimes still in use.
  • SHA-2 designed by NSA in 2001 provides 224, 256, 384, and 512 bit digest. Considered secure. Replacement for SHA-1.
  • SHA-3: designed by Joan Daemen + others in 2010. Standardized in 2015. Digest of: 224, 256, 384, and 512 bit. SHA-3 has little use, because SHA-2 is considered strong.

Hash Function for Integrity Protection

[Figure: Alice passes Message M through the hash function to obtain h(M); the message hash is sent together with message M. Bob passes the received message through the hash function and checks "Verify h(M) = h( )".]

Message Authentication Codes

  • A message M with a simple message hash h(M) can be changed by attacker.
  • In communications, we need to verify the origin of data, i.e. we need message authentication.
  • MAC (message authentication code) can use hash function as h(M, k) i.e. with message M and a secret key k as input.
  • To validate and authenticate a message, the receiver has to share the same secret key used to compute the MAC with the sender.
  • A third party who does not know the key cannot validate the MAC.

Practical message integrity with MAC

[Figure: the sender computes the MAC h(M,K); the MAC is sent together with message M; the receiver checks "Verify h(M,K) = h( )".]

MAC and MAC functions

  • Terminology
    MAC is the computed message authentication code h(M, k)
    MAC function is the algorithm used to compute a MAC
  • MAC functions, a.k.a.
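
The difference between the bare hash h(M) and the keyed MAC h(M, k) described on the slides above, as an added example that is not part of the original slides. It assumes HMAC-SHA256 as the MAC function; the key, the message and all function names are constructed for the illustration.

```python
import hashlib
import hmac

def hash_tag(message):
    """Unkeyed integrity check h(M): anyone can compute it."""
    return hashlib.sha256(message).digest()

def mac_tag(message, key):
    """Keyed check h(M, k), here HMAC-SHA256: needs the shared secret key."""
    return hmac.new(key, message, hashlib.sha256).digest()

def verify_hash(message, tag):
    return hmac.compare_digest(hash_tag(message), tag)

def verify_mac(message, tag, key):
    # compare_digest avoids leaking, via timing, how many tag bytes matched
    return hmac.compare_digest(mac_tag(message, key), tag)

def modify_in_transit(message):
    """Channel model: a party without the key alters M and can only
    recompute the unkeyed hash for the altered message."""
    altered = message.replace(b"100", b"900")
    return altered, hash_tag(altered)

def run_demo():
    key = b"constructed shared key"            # known to Alice and Bob only
    message = b"pay 100 NOK to account 1234"   # constructed sample message
    altered, recomputed_hash = modify_in_transit(message)
    return {
        "hash_accepts_original": verify_hash(message, hash_tag(message)),
        "hash_accepts_altered": verify_hash(altered, recomputed_hash),
        "mac_accepts_original": verify_mac(message, mac_tag(message, key), key),
        # the original MAC no longer matches the altered message ...
        "mac_accepts_altered": verify_mac(altered, mac_tag(message, key), key),
        # ... and a tag made without the key (here: the bare hash) fails too
        "mac_accepts_keyless_tag": verify_mac(altered, recomputed_hash, key),
        # a third party holding a different key cannot validate the MAC
        "third_party_validates": verify_mac(message, mac_tag(message, key), b"other key"),
    }

if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

HMAC is used rather than a plain hash over key and message because SHA-256 over a key followed by the message is open to length extension.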
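
The repeated ciphertext blocks from the "Vulnerability of ECB-mode" slide, reproduced and compared with CTR mode in an added example that is not from the original slides. To stay within the Python standard library it uses a toy Feistel block cipher as a stand-in for AES; that cipher, the key, the nonce and all names are assumptions made for the demonstration.

```python
import hashlib
import hmac

BLOCK = 16  # bytes per block (128 bit, the AES block size)

def _f(key, rnd, half):
    """Keyed round function: 8 bytes of HMAC-SHA256 over round number + half block."""
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_block(key, block, rounds=4):
    """Toy Feistel permutation on one 16-byte block (stand-in for AES, demo only)."""
    left, right = block[:8], block[8:]
    for rnd in range(rounds):
        left, right = right, _xor(left, _f(key, rnd, right))
    return left + right

def decrypt_block(key, block, rounds=4):
    """Inverse permutation: undo the rounds in reverse order."""
    left, right = block[:8], block[8:]
    for rnd in reversed(range(rounds)):
        left, right = _xor(right, _f(key, rnd, left)), left
    return left + right

def split(data):
    if len(data) % BLOCK:
        raise ValueError("demo input must be a whole number of blocks")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, plaintext):
    """ECB: every block is encrypted separately with the same key."""
    return b"".join(encrypt_block(key, b) for b in split(plaintext))

def ctr_crypt(key, nonce, data):
    """CTR: encrypt nonce||counter into a key stream and XOR it onto the data."""
    return b"".join(_xor(b, encrypt_block(key, nonce + i.to_bytes(8, "big")))
                    for i, b in enumerate(split(data)))

def repeated_blocks(ciphertext):
    """Number of ciphertext blocks that duplicate an earlier block."""
    blocks = split(ciphertext)
    return len(blocks) - len(set(blocks))

KEY = b"constructed demo key"    # constructed sample values
NONCE = b"\x00" * 7 + b"\x01"    # 8-byte nonce, must be unique per message
PLAINTEXT = b"A" * 48            # three identical 16-byte blocks
print(repeated_blocks(ecb_encrypt(KEY, PLAINTEXT)),
      repeated_blocks(ctr_crypt(KEY, NONCE, PLAINTEXT)))  # → 2 0
```

Because the block cipher is a permutation, distinct counter values always give distinct key-stream blocks, so equal plaintext blocks never produce equal CTR ciphertext blocks within one message.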
