ECE 646 – Lecture 1 CRYPTOLOGY CRYPTOGRAPHY CRYPTANALYSIS Basic Concepts of Cryptography from Greek cryptos - hidden, secret logos - word graphos - writing 2 1 2 Basic Vocabulary Cryptosystem (Cipher) encryption decryption message ciphertext N bits message (cryptogram, message (plaintext, encrypted (plaintext, clear message) message) clear message) cryptographic key M C M K bits Sender Receiver M bits ciphertext 3 4 3 4 1 Definition of a cryptosystem (cipher) Substitution Cipher encryption function EK(M) a b c d e f g h i j k l m n o p q r s t u v w x y z Key = family of encryption f q i s h n c v j t y a u w d r e x l b m z o g k p functions message space key space ciphertext space TO BE OR NOT TO BE encryption M K key K C BD QH DX WDB BD QH decryption family of decryption TO BE OR NOT TO BE functions 26 decryption function DK(C) Number of keys = 26! ≈ 4 ∙ 10 K Î K M Î M DK(EK(M)) = M 5 6 5 6 Unpublished vs. published algorithm? Kerckhoffs’s principle Unpublished algorithm Published algorithm 1. The only reliable way of The security of a cipher MUST NOT depend 1. Cryptanalysis must include assessing cipher security recovering the algorithm on anything that cannot be easily changed 2. Prevents backdoors hidden by designers 2. Smaller number of users, 3. Large number of implementations smaller motivation to break = low cost + high performance 4. No need for anti-reverse- 3. Unavailable for other engineering protection Auguste Kerckhoffs, 1883, countries 5. Software implementations Dutch Linguist and 6. Domestic and international Cryptographer standardization 7 8 7 8 2 Fundamental Tenet of Cryptography Breaking ciphers used in GSM, 1999 (1) GSM - protocols for second-generation (2G) digital cellular networks used by mobile devices such as mobile phones and tablets. If lots of smart people have failed to solve • Developed in late 1980’s and early 1990’s a problem, then it probably will not be • Over 100 million GSM subscribers by 1998 solved anytime soon. Initially, two voice encryption algorithms: A5/1 – for use in Europe and U.S.A. A5/2 – for use in other countries. Goal: encrypt voice between a cell phone and a base station 9 10 9 10 Breaking ciphers used in GSM (2) Breaking ciphers used in GSM (3) Published attacks Both voice encryption algorithms A5/2 • never published August 1999, Ian Goldberg and David Wagner, U.C. Berkeley • designed and analyzed by the secretive "SAGE" group Number of operations in the attack ~ 216 (part of ETSI – European Telecommunications Standard Institute) A5/1 • A5/1 believed to be based on the modified French May 1999, Jovan Golic naval cipher Number of operations in the attack ~ 240 Both algorithms reverse-engineered by December 1999, Alex Biryukov and Adi Shamir Marc Briceno (Smartcard Developer Association) Less than 1 second on a single PC with 128 MB RAM published by the Berkeley crypto group and two 73 GB hard disks. A5/1 in May 1999, Based on the analysis of the A5/1 output A5/2 in August 1999 during the first two minutes of the conversation. 11 12 11 12 3 Breaking ciphers used in GSM (4) Breaking ciphers used in GSM (5) Recent Attacks Recent Attacks A5/2 A5/3 German computer engineer Karsten Nohl published a 2 TB Crypto conference, August 15-19, 2010 rainbow table which enables deriving a session key for any particular conversation with minimal hardware support. An attack against Kasumi announced by Israeli researchers Orr Dunkelman, Nathan Keller, Adi Shamir. A5/3 Complexity: Published in 2003, based on the Japanese cipher Kasumi. 226 bytes of encrypted data, 230 bytes of memory, 232 operations: single PC, 96-bit key in a few minutes 128-bit key in less then two hours 13 14 13 14 Breaking ciphers used in GSM (5) Breaking ciphers used in GSM (5) Recent Attacks Recent Attacks A5/3 A5/3 Crypto conference, August 15-19, 2010 Crypto conference, August 15-19, 2010 An attack against Kasumi announced by Israeli researchers An attack against Kasumi announced by Israeli researchers Orr Dunkelman, Nathan Keller, Adi Shamir. Orr Dunkelman, Nathan Keller, Adi Shamir. Complexity: Complexity: 226 bytes of encrypted data, 230 bytes of memory, 226 bytes of encrypted data, 230 bytes of memory, 232 operations: 232 operations: single PC, 96-bit key in a few minutes single PC, 96-bit key in a few minutes 128-bit key in less then two hours 128-bit key in less then two hours 15 16 15 16 4 Breaking ciphers used in GSM (6) Mifare Classics Recent Attacks Secret algorithm Crypto-1 developed by NXP Semiconductors, A5/3 used, among the others, in the public transport system cards in 2010 attack is a related-key attack – attacker must be able London (Oyster card), Boston (CharlieCard), Perth (SmartRider), to observe the results of encryptions using keys that have Seoul (T-money), Busan (Mybi), and in Netherlands (OV-Chipkaart) easily broken after successful reverse engineering of the chip. a known relationship. It is not clear that the Kasumi A total of about 1 billion cards all over the world. algorithm (A5/3) is used by the protocol in a way that would allow this attack to succeed. Interestingly, the Kasumi algorithm is closely based on a Mitsubishi algorithm known as MISTY1. MISTY1 is not vulnerable to the 2010 attack… 17 18 17 18 Attacks against Mifare Classics Crypto-1 Dec 2007-Apr 2008 • Proprietary encryption algorithm developed by Ø In 2007, Karsten Nohl and Henryk Plötz reverse engineered NXP Semiconductors MIFARE Classic • The security relies on the secrecy of Crypto-1 algorithm, Ø In 2009, researcher Flavio D. Garcia discovered card only • Pseudo random number generator attack that does not require a valid reader • 48-bit LFSR and two non-linear filter generators Ø In 2009, Nicolas T. Courtois form University College of London discovered an attack that can break Crypto-1 in just 1 second 19 20 19 20 5 SmarTrip SmarTrip Ø The Washington Metropolitan Area Transit Authority • MiFare Plus X (WMATA) SmartTrip card, 1999, the first contactless Ø NXP semiconductors, compatible with MiFare Classic 1K and 4K smartcard for transit in the U.S. Ø SmarTrip card uses MIFARE Plus X version based on 128-bit AES 21 22 21 22 Features required from today’s ciphers PERFORMANCE STRENGTH • software Types of Cryptosystems (1) • hardware Block vs. stream ciphers FUNCTIONALITY • easy key distribution • digital signatures 23 24 23 24 6 Block vs. stream ciphers Typical stream cipher M1, M2, …, Mn m1, m2, …, mn Sender Receiver initialization initialization key vector (seed) key vector (seed) Internal state - IS Block K K Stream cipher Pseudorandom Pseudorandom cipher Keystream Keystream Generator Generator C1, C2, …, Cn c1, c2, …, cn ki keystream ki keystream Ci=fK(Mi) ci = fK(mi, ISi) ISi+1=gK(mi, ISi) m c c Every block of ciphertext i i i mi Every block of ciphertext is a function of the current block plaintext ciphertext ciphertext plaintext is a function of only one of plaintext and the current internal state corresponding block of plaintext of the cipher 25 26 25 26 Classification of cryptosystems Terminology Types of Cryptosystems (2) secret-key public-key symmetric asymmetric Secret-key vs. public-key ciphers symmetric-key 27 28 27 28 7 Secret-key (Symmetric) Cryptosystems Key Distribution Problem key of Alice and Bob - KAB key of Alice and Bob - KAB Network Encryption Decryption Alice Bob Users Keys N · (N-1) N - Users Keys 100 5,000 2 1000 500,000 29 30 29 30 Features of Secret-Key Ciphers Major operations of secret-key ciphers (1) S-box Software Hardware PERFORMANCE C ROM STRENGTH • software S-box n x m n-bit address • hardware WORD S[1<<n]= Best attack: Building blocks: n { 0x23, 0x34, 0x56 Exhaustive-key search Operations easy to . 2n × m 2n words } 2k trials for a k-bit key implement in HW & SW bits S FUNCTIONALITY ASM m-bit output • easy key distribution m • digital signatures S DW 23H, 34H, direct logic 56H y ….. x1 1 ... ... y x2 2 Primary Application: Bulk data encryption ym xn 31 32 31 32 8 Major operations of secret-key ciphers (2) Major operations of secret-key ciphers (3) Variable Rotation Permutation Software Hardware Software Hardware Mux-based rotation A<<<0 A<<<16 x x x x n x1 2 3 n-1 n C C . C = (A << B) | (A >> (32-B)); B[4] complex B[3] P sequence of B[2] instructions B[1] . A <<< B <<, |, & B[0] n 32 y1 y2 y3 yn-1 yn A<<<B ASM variable rotation ASM Permutation ROL32 High-speed clock complex ROL A, B sequence of order of wires A instructions fast clock CLK’ ROL, OR, AND min (B, 32-B) CLK’ cycles 33 34 33 34 Major operations of secret-key ciphers (4) Public-Key (Asymmetric) Cryptosystems Addition/subtraction Software Hardware A B Public key of Bob - KB Private/Secret key of Bob - kB w w C n n unsigned long A, B, C; ADD C = A+B; n ASM n Network C ADD Adder/subtractor Encryption Decryption C=A+B mod 2w Alice Bob w=32, 16 35 36 35 36 9 One-way function Trap-door one-way function X f(X) Y Whitfield Diffie and Martin Hellman “New directions in cryptography,” 1976 f-1(Y) PUBLIC KEY EXAMPLE: f: Y=f(X) = AX mod P X f(X) Y where P and A are constants, P is a large prime, A is an integer smaller than P f-1(Y) Number of bits of P Average number of multiplications necessary to compute f f -1 1000 1500 1030 PRIVATE KEY 37 38 37 38 Key Distribution Digital Signature Alice Bob Alice Bob message message signature signature Bob’s Bob’s Bob’s Alice’s Alice’s Alice’s public private public private public public key key key key key key ciphertext ciphertext message message message signature signature Intruder Judge Bob’s Alice’s Alice’s public Intruder public public key key key ciphertext 39 message message 40 39 40 10 Features of Public-Key Ciphers Basic Operations of RSA Encryption L < k e public key exponent PERFORMANCE STRENGTH • software C = M mod N • hardware ciphertext plaintext public key modulus k-bits Best attack: Building blocks: k-bits k-bits Solving the underlying Complex arithmetic operations on large math problem, such as Decryption L=k factoring of large integers private key integers: FUNCTIONALITY d exponent • easy key distribution Given N=P∙Q, M = C mod N find P and Q.