CS-630: Cyyyber and Network Security Lecture # 2: Introduction to Cryptography and Symmetric Ciphers (Stream Ciphers) PPfDrof. Dr. SSfiufian HHdameed Department of Computer Science FAST-NUCES FAST-NUCES Cryptog rap hy FAST-NUCES Examples FAST-NUCES Cryptosystem FAST-NUCES Attacks against Cryptosystems 1.))p Cipher text-only: Attacker ppgypossesses a string y of the cipher text 2. ) Known plaintext: Attacker possesses a string x of the plaintext and the corresponding cipher text y. The problem now is to find out the key which produces y from x 3.) Chosen plaintext: Attacker has access to the encryption machinery. Hence he can chose a plaintext string x and construct the corre spondi ng ci phe r te xt st ri ng y. 4.))p Chosen cipher text: Attacker has access to the decryption machinery. Hence, he can chose a cipher text string y and construct the corresponding plaintext string x. FAST-NUCES Security of Keys FAST-NUCES Cryptography is everywhere Secure communication: y web traffic: HTTPS y wireless traffic: 802.11i WPA2 (and WEP), GSM, Bluetooth EtiEncrypting files on dis k: y EFS (Encrypting File System) y TrueCrypt (open-source disk encryption software) Content protection y DVD --- Content Scramble System (CSS) is a Digital Rights Managg()ement (DRM) and encryp ypytion system em pyployed on almost all commercially produced DVD-Video y Easy to break y Blu-Ray --- Advance Access Content System (AACS) User authentication … and much much more FAST-NUCES Things to remember Cryptography is: y A tremendous tool y The basis for many security mechanisms Cryptography is not: y The solution to all security problems y Software bugs y Social engineering attacks y Reliable unless implemented and used properly y Wired Equivalent Privacy (WEP -- good example on how not to use cryptography) y SthihldttitSomething you should try to invent yourself • many examples of broken ad-hoc designs •Proppyp,riety ciphers, once re-enggyineered are easily broken FAST-NUCES History David Kahn, “The code breakers” (1996) FAST-NUCES Historical Cryptosystems y Monoalphabetic cipher: Each alphabetic character is mapped onto a unique alphabetic character y Examples: Shift Cipher, Substitution Cipher, Affine Cipher y Polyalphabetic cipher: Each alphabetic character is mapped onto various alphabetic characters y Examples: Vigenere Cipher, Hill Cipher, Permutation Cipher FAST-NUCES Symmetric Cryptosystems Formal Definition: Cryptosystem is defined over (K,M,C) and a pair of “efficient” algorithms (E, D) s.t. C: E(k, m) = c, D(k, E(k, m) ) = mאK and cאM, kא׊ m Effici ent means run i n pol ynomi al ti me FAST-NUCES Shift Cipher y Cipher in which each letter in the plaintext is replaced by a letter some fixed number of positions down the alphabet. Example includes Ceasar cipher, ROT13 y Ceasar Cipher y Each letter is replaced with a fixed shift of 3 letters Example of Ceasar cipher using left rotation of 3 places Plai n: ABCDEFGHIJKLMNOPQRSTUVWXYZ Cipher: DEFGHIJKLMNOPQRSTUVWXYZABC FAST-NUCES Source: wikipedia Shift Cipp(her (ROT13 ) y ROT13 y Each letter is replaced with a fixed shift of 13 letters The transformation can be done as follows Plain: ABCDEFGHIJKLMNOPQRSTUVWXYZ Cipher: NOPQRSTUVWXYZABCDEFGHIJKLM Modular arithmetic representation: • Encryption of a letter x by a shift n can be described mathematically as En(x) = (x+n) mod 26 • Decryption is performed in a similar manner Dn(x) = (x-n) mod 26 Key space is ridiculously small, very easy to break FAST-NUCES Source: wikipedia Substitution Cipher Idea: use a permutation over the set of characters as key to get a more flexible scheme as in the shift cipher • Keyypspace siggygnificantly larger • Character frequencies are preserved FAST-NUCES What is the size of key space in the substitution cipher assuming 26 letters? FAST-NUCES Breaking Monoalphabetic Ciphers Monoalphabetic ciphers preserve the frequency of alphabetic characters, pairs, etc. → Identify alphabetic characters due to their frequency Method to decipher natural languages: 1. Determine frequency of alphabetic characters of the cipher text 2. Iden tify al ph ab eti c ch aract ers accordi ng t o th ei r f requency: e, n, iti, s, r, a, t (in Germany: e, n, r, i, s, t, u, d, a, g, l, o, ...) 3. Determine frequency of pairs 4. Identify e.g. th he 5. Look at identified text, re-substitute, guess, ... FAST-NUCES Breaking Monoalphabetic Ciphers FAST-NUCES Vigenere Cipher Popular polyalphabetic substitution cipher • Known as “le chiffre indéchiffrable” (‘the indecipherable cipher’ );-) • Combination of simple substitution ciphers • Rotations determined by a word (key) A B C D E F G H I J K L M N O P Q R S T U V W X Y Z 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 FAST-NUCES Breaking Vigenere Cipher y Frequency analysis trivial if period can be guessed y Kasiski test y Repeated words may , by chance , sometimes be encrypted using the same key letters, leading to repeated groups in the ciphertext y Consider the following encryption using the keyword ABCD Key: ABCD ABCDABCD ABCD ABCD ABCD ABCD Plaintext: CRYP TOIS SHOR TFOR CRYP TOGR APHY Cip her text : CSAS TPKV SIQU TGQU CSAS TPIU AQJB y Repetitions of CSASTP is at a distance16 y Assuminggpgp that the repeated segments represent the same pg,plaintext segments, this implies that the key is 16, 8, 4, 2, or 1 characters long FAST-NUCES Source: wikipedia Rotor Machines (1870-1943) y The Hebern Machine (single rotor) y Easily broken (CT onl y) using letter freq uenc y, diagram frequency, trigram frequency A K E N B S K E C T S K . T S . T X R . Y N R . Z E N R key FAST-NUCES Rotor Machines (cont.) Most famous: the Enigma (3-5t5 rotors ) With 4 rotors keys = 264 =2= 218 (actually 2 36 due to optional plugboard) FAST-NUCES Turing Bombe FAST-NUCES Must watch “The Man Who Cracked Enigma” FAST-NUCES One Time Pad, Stream Cipher and Pseudorandom Generators FAST-NUCES Symmetric Cryptosystems Formal Definition: Cryptosy stem is defined over ( K, M, C) and a p air of “efficient” al gorithms (E, D) s.t. C: E(k, m) = c, D(k, E(k, m) ) = mאK and cאM, kא׊ m Efficient means run in polynomial time E is often randomized. D is always deterministic. FAST-NUCES One Time Pad (Vernam 1917) One Time Pad has perfect secrecy (i .e . no CT only attacks) Based on simple XOR operation n M=CC{,}=K={0,1} msg: 01101110 1 1 0 1 1 1 C:= E(k, m) = k ْ m key: 1 0 1 1 0 1 0 D(k, c) = k ْ c Indeed CT:1101101CT: 1 1 0 1 1 0 1 D(k, E(k, m)) = D(k, k ْ m) = k ْ (k ْ m) = (k ْ k) ْ m m = m ْ 0 = y One-time pad = XOR cipher with constraints: y Key length equals message length y KbittlKey bits are truly rand om ( (tnot pseud o-rand)dom) y Key is used only once and destroyed FAST-NUCES You are given a message (m) and its OTP encryption (c). Can you compute the OTP key from m and c ? No, I cannot compute the key. .Yes, the key is k = m ْ c I can only compute half the bits of the key . .Yes, the key is k = m ْ m FAST-NUCES The One Time Pad (Vernam 1917) Very fast enc/dec !! … blbut long k eys ( (las long as pl liaintext) Is the OTP secure? What is a secure cipher? FAST-NUCES What is a secure cipher? Attac ker ’s a bilities: CT on ly a ttac k (for now) Possible security requirements: attempt #1: attacker cannot recover secret key attempt #2: attacker cannot recover all of plaintext Shannon’s idea: CT should reveal no “info” about PT FAST-NUCES Information Theoretic Security Def: A cipher (E,D) over (K,M,C) has perfect secrecy if CאM (|( |m0||| = |m1|)| ) an d ׊cא ׊m0, m1 R Pr[ E(k,m0)=c ] = Pr[ E(k,m1)=c ] where k ึK • Given CT can’t tell if msg is m0 or m1 ( for all m0, m1) • MtMost power fldful adversary learns nothi thibtPTfng about PT from CT • no CT only attacks !!! (but other attacks possible) FAST-NUCES The bad news … • i.e. perfect secrecy Î key-len >= msg-len • Hard to use in practice !!! FAST-NUCES One Time Pad in practice y Intelligence and military services y Regular usage by KGB spies y Hotline between USA and USSR y Major problems y Key exchange difficult y True randomness required y Not very practical today y Inspiration for other methods, y e.g . stream ciphers FAST-NUCES Stream Ciphers: making OTP practical Idea: replace “random” key by “pseudorandom” key PRG is a Function G: {0,1}s {0,1}n s.t n >> s PRG is efficiently computable by a deterministic algorithm FAST-NUCES Stream Ciphers: making OTP practical K(K)ithdKey (K) is the seed use dbGtd by G to genera tthPRGte the PRG Security: PRG must be unpredictable FAST-NUCES Stream Ciphers y Stream ciphers y Bit-wise encryption and decryption of data y Application of pseudo-random number generator (PRG) y XOR operat ion on pseu do-random keystream y Security solely depends on randomness of PRG FAST-NUCES Stream Ciphers Stream ciphers cannot have perfect secrecy !! y Need a different definition of security y Security will depend on specific PRG FAST-NUCES PRG must be unpredictable FAST-NUCES PRG must be unpredictable We say that G: K ื {0, 1}n is predictable if: Def:PRGis: PRG is unpredictable if it is not predictable i: no “eff” adv.