An Introduction to Cryptography Gianluigi Me [email protected] Anno Accademico 2011/12 Overview History of Cryptography (and Steganography) Modern Encryption and Decryption Principles Symmetric Key Cryptography Stream Ciphers and Cipher Block Modes Key Management for Conventional Cryptography Attack on Bad Implementation of Cryptography: IEEE 802.11 WEP Message Authentication Public Key Cryptography Digital Signatures Key Management for Public-Key Cryptography Main sources Network Security Essential / Stallings Applied Cryptography / Schneier Handbook of Applied Cryptography / Menezes, van Oorschot, Vanstone Innovative Cryptography, N. Moldovyan , A.Moldovyan Modern Cryptography: Theory and Practice, Wenbo Mao History of Steganography and Cryptography Steganography Steganography Steganos = “covered” in Greek, Graphein = “to write” Being able to communicate secretly has always been considered an advantage Secret messages were often not written down, but rather memorized by sworn messengers Or hidden Demaratus, a Greek immigrant to Persia, reveals Persia’s intention to attack Athens. Writes the secret message on a tablet, and covers it with wax. Histaiaeus encourages Aristagoras of Miletus to revolt against the Persian King. Writes message on shaved head of the messenger, and sends him after his hair grew Chinese wrote on silk, turned into wax-covered ball that was swallowed by the messenger Steganography (cont.) Invisible Ink Certain organic fluids are transparent when dried but the deposit can be charred and is then visible A mixture of alum and vinegar may be used to write on hardboiled eggs, so that can only be read once shell is broken Embedded information Germans used “microdots” - documents shrunk to the size of a dot, and embedded within innocent letters Secret messages within music (Beatles) Steganography (cont.) Steganography is also used to foil piracy in digital content Watermarking copyright information into images, music Programmers sometime embed “easter eggs” Steganography has been used by spies and children alike Most recently, US argued that Bin Laden implanted instructions within taped interviews Steganography is weaker than cryptography because the information is revealed once the message is intercepted However, steganography can be used in conjunction with cryptography Cryptography In Cryptography, the meaning of the message is hidden, not its existence Kryptos = “hidden” in Greek Historically, and also today, encryption involves transposition of letters Sparta’s scytale is first cryptographic device (5th Century BC) Message written on a leather strip, which is then unwound to scramble the message substitution Kama-Sutra suggests that women learn to encrypt their love messages by substituting pre-paired letters (4th Century AD) Cipher – replace letters Code – replace words Cryptography The classical cryptographic task is to provide for a reversible transformation of an understandable plaintext (original text) to a seemingly random character sequence called a ciphertext or a cryptogram. The security of modern cryptosystems is not based on the secrecy of the algorithm, but on the secrecy of a relatively small amount of information, called a secret key. Cryptography Definition : A cryptographic system consists of the following: a plaintext message space M: a set of strings over some alphabet a ciphertext message space C: a set of possible ciphertext messages an encryption key space K: a set of possible encryption keys, and a decryption key space K1: a set of possible decryption keys an efficient key generation algorithm an efficient encryption algorithm an efficient decryption algorithm . l l For integer 1 , G(1 ) outputs a key pair (ke, kd) K x K' of length l . For ke K and m M, we denote by the encryption transformation and read it as "c is an encryption of m under key ke," Cryptography the decryption transformation and read it as "m is the decryption of c under key kd." It is necessary that for all m M and all ke K, there exists kd K': Cryptography Combining Shannon's semantic characterization for cryptosystem and Kerchoffs' principle, we can provide a summary for a good cryptosystem as follows: Algorithms ε and D contain no component or design part which is secret; ε distributes meaningful messages fairly uniformly over the entire ciphertext message space; it may even be possible that the random distribution is due to some internal random operation of ; With the correct cryptographic key, ε and D are practically efficient; Without the correct key, the task for recovering from a ciphertext the correspondent plaintext is a problem of a difficulty determined solely by the size of the key parameter, which usually takes a size s such that solving the problem requires computational resource of a quantitative measure beyond p(s) for p being any polynomial. Cryptography If a cipher achieves independence between the distributions of its plaintext and ciphertext, then we say that the cipher is secure in an information-theoretically secure sense The notion of information-theoretic-based cryptographic security is developed by Shannon. According to Shannon's theory, we can summarize two conditions for secure use of classical ciphers: Cryptography Conditions for Secure Use of Classical Ciphers #K ≥ #M; k εU K and is used once in each encryption only. So if a classical cipher encrypts a message string of length l , then in order for the encryption to be secure, the length of a key string should be at least l , and the key string should be used once only. The scheme (D; ε) is perfectly secure if for every pair of messages x; x0, ε Un(x) ≡ ε Un(x0). Cryptography Definition: A cryptosystem is perfectly message indistinguishable if for all plaintexts x1 and x2 and all ciphertexts y Pr (εk(x1)=y)=Pr (εk(x2)=y) Theorem: Shannon secrecy and message indistinguishability are equivalent. When restricting to #P =#C=#K key ambiguity is equivalent as well. LEMMA: #K<#P implies not perfectly secret. Vernam Cipher Assume that the message is a string of n binary bits the key is also a string of n binary bits where U stands for uniformely random Encryption takes place one bit at a time and the ciphertext string c = c1c2…cn is found by the bit operation XOR (exclusive or) each message bit with the corresponding key bit 1in Vernam Cipher Considering M = C = K = {0, 1}*, the Vernam cipher is a special case of substitution ciphers Confidentiality offered by the one-time-key Vernam cipher is in the information-theoretically secure sense, or is, unconditional. In fact, a ciphertext message string c provides (an eavesdropper) no information whatsoever about the plaintext message string m since any m could have yield c if the key k is equal to c m (bit by bit). Review: Bayes’ Theorem Let X and Y be two random variables. Define: Theorem (Chain Rule): Apriori Theorem (Bayes): Aposteriori Theoretical (Perfect) Security What does it mean for a cryptosystem to be perfectly secure? Essentially, the adversary doesn’t learn anything from the ciphertext: Perfect Security means |K|>|P| Reminder: adversary “knows the system” and has unlimited power If key-space is finite, each ciphertext must map to a finite number of plaintexts If |P|>|K|, some plaintexts will be “impossible” for some ciphertexts The Vernam Cipher (1) Is there a perfectly secure cryptosystem for which |K|=|P|? Theorem (Shannon): Let (P,K,C,E,D) be a cryptosystem for which |K|=|P|=|C|. Then the cryptosystem provides perfect if: The Vernam Cipher (2) Proof: Let (P,K,C,E,D) be a cryptosystem for which |K|=|P|=|C|. Because of perfect secrecy: |K|=|P|=|C|, so there is a unique key associated with every pair (p,c) The Vernam Cipher (3) Fix c. For all possible plaintexts pi, let ki be the key satisfying eki(pi)=c By Bayes: Mathematical Proof mi ki prob. ci prob. prob. 0 x 0 ½ 0 ½ x 0 x 1 ½ 1 ½ x 1 1-x 0 ½ 1 ½ (1-x) 1 1-x 1 ½ 0 ½ (1-x) • We find out the probability of a ciphertext bit being 1 or 0 is equal to (½)x + (½)(1-x) = ½. Ciphertext looks like a random sequence. exclusive or Operator a b c = a b 0 0 0 0 1 1 1 0 1 1 1 0 Example message =‘IF’ then its ASCII code =(1001001 1000110) key = (1010110 0110001) Encryption: 1001001 1000110 plaintext 1010110 0110001 key 0011111 1110110 ciphertext Decryption: 0011111 1110110 ciphertext 1010110 0110001 key 1001001 1000110 plaintext Cryptanalysis In parallel with the development of cryptographic systems, methods have been developed that make it possible to restore an original message based on the ciphertext and other known information. These methods are collectively known as cryptanalysis. Advances in cryptanalysis have led to tightening the requirements on cryptographic algorithms Cryptanalysis Ciphertext Plaintext and its corresponding ciphertext Chosen plaintext Chosen ciphertext Adapted plaintext Adapted ciphertext Additionally, some attacks use: Hardware faults Power consumption measurements Calculation time measurements Cryptanalysis As cryptography is the science and art of creating secret codes, cryptanalysis is the science and art of breaking those codes. Figure 3.3 Cryptanalysis attacks 3.29 Cryptanalysis Ciphertext-Only Attack 3.30 Cryptanalysis known plaintext cryptanalysis, it is assumed that the cryptanalyst knows the ciphertext and a portion of the original text, and in special cases knows the correspondence between the ciphertext and the original text. chosen plaintext cryptanalysis, it is assumed that the cryptanalyst can enter a specially chosen text into the enciphering device and get a cryptogram created under the control of the secret key. Chosen ciphertext cryptanalysis assumes that the opponent can use ciphertexts created by him or her for deciphering. The texts were specially chosen to most easily compute the secret key from texts obtained at the output of the deciphering device. Adapted text cryptanalysis corresponds to a case in which the attacker repeatedly submits texts for encryption (or decryption), with each new portion being chosen depending on previously obtained cryptanalysis results.