Outline ■ Basic Crypto Concepts and Definitions ■ Some Early (Breakable) Cryptosystems ■ “Key” Issues CSCI 454/554 Computer and Network Security Topic 2. Introduction to Cryptography 2 Cryptography ■ Cryptography: the art of secret writing ■ Converts data into unintelligible (random- looking) form ■ Must be reversible (can recover original data without loss or modification) Basic Concepts and Definitions ■ Not the same as compression ■ n bits in, n bits out ■ Can be combined with compression ■ What’s the right order? 3 4 Cryptography vs. Steganography Encryption/Decryption ■ Cryptography conceals the ■ Steganography (hiding contents of communication in plain sight) conceals plaintext ciphertext plaintext between two parties the very existence of encryption decryption ■ Anonymous communication communication conceals who is key key communicating ■ Examples? ■ Watermark ■ Plaintext: a message in its original form ■ Info leakage ■ Ciphertext: a message in the transformed, unrecognized ■ Kerckhoffs's principle ■ Security through form ■ A cryptosystem should be obscurity ■ Encryption: the process that transforms a plaintext into a secure even if everything ciphertext about the system, except ■ Defense in depth ■ Decryption: the process that transforms a ciphertext to ■ Open source software? the key, is public the corresponding plaintext knowledge ■ Key: the value used to control encryption/decryption. 5 6 Cryptanalysis Ciphertext Only Attacks ■ “code breaking”, “attacking the cipher” ■ Ex.: attacker can intercept encrypted ■ Difficulty depends on communications, nothing else ■ sophistication of the cipher ■ when is this realistic? ■ amount of information available to the ■ Breaking the cipher: analyze patterns in code breaker the ciphertext ■ Any cipher can be broken by exhaustive ■ provides clues about the encryption trials, but rarely practical method/key ■ When can you recognize if you have succeeded? 7 8 Known Plaintext Attacks Chosen Plaintext Attacks ■ Ex.: attacker intercepts encrypted text, but ■ Ex.: attacker can choose any plaintext also has access to some of the desired, and intercept the corresponding corresponding plaintext (definite ciphertext advantage) ■ When is this realistic? ■ When is this realistic? ■ Requires plaintext-ciphertext pairs to ■ Choose exactly the messages that will recover the key, but the attacker cannot reveal the most about the cipher choose which particular pairs to access. ■ Makes some codes (e.g., mono- alphabetic ciphers) very easy to break 9 10 Chosen Ciphertext Attacks The “Weakest Link” in Security ■ Ex.: attacker can present any ciphertext ■ Cryptography is rarely the weakest link desired to the cipher, and get the ■ Weaker links corresponding plaintext ■ Implementation of cipher ■ When is this realistic? ■ Distribution or protection of keys ■ Isn’t this the goal of cryptanalysis??? 11 12 Perfectly Secure Ciphers Computationally Secure Ciphers 1. Ciphertext does not reveal any information 1. The cost of breaking the cipher quickly exceeds about which plaintexts are more likely to have the value of the encrypted information produced it and/or ■ i.e., the cipher is robust against chosen ciphertext 2. The time required to break the cipher exceeds attacks the useful lifetime of the information and ■ Under the assumption there is not a faster / cheaper way to break the cipher, waiting to be 2. Plaintext does not reveal any information about discovered which ciphertexts are more likely to be produced ■ i.e, the cipher is robust against chosen plaintext attacks 13 14 Secret Keys vs. Secret Algorithms Secret Keys vs. Secret Algorithms ■ Security by obscurity ■ Commercial world ■ We can achieve better security if we keep the ■ Published algorithms secret ■ Hard to keep secret if used widely ■ Wide review, trust ■ Reverse engineering, social engineering ■ Military ■ Keep algorithms secret ■ Publish the algorithms ■ Avoid giving enemy good ideas ■ Security of the algorithms depends on the secrecy of the keys ■ Military has access to the public domain ■ Less unknown vulnerability if all the smart (good) knowledge anyway. people in the world are examine the algorithms 15 16 Caesar Cipher ■ Replace each letter with the one 3 letters later in the alphabet ■ ex.: plaintext CAT ! ciphertext FDW plaintext Some Early Ciphers alphabet A B C D E F G H I J K … ciphertext A B C D E F G H I J K … alphabet Trivial to break 17 18 “Captain Midnight Secret Decoder” Ring Mono-Alphabetic Ciphers ■ Replace each letter by one that is δ positions ■ Generalized substitution cipher: an arbitrary (but later, where is selectable (i.e., is the key) δ δ fixed) mapping of one letter to another ■ example: IBM ! HAL (for δ=25) 26 88 ■ 26! (≈ 4.0*10 ≈ 2 ) possibilities ■ Also trivial to break with modern computers (only ■ The key must specify which permutation; how 26 possibilities) many bits does that take? plaintext A B C D E F G H I J K … plaintext alphabet A B C D E F G H I J K … alphabet … … ciphertext A B C D E F G H I J K … alphabet ciphertext A B C D E F G H I J K … alphabet 19 20 Attacking Mono-Alphabetic Ciphers Attacking… (Cont’d) ■ If all words equally likely, probability of any one ■ Broken by statistical analysis of letter, word, and word would be quite low phrase frequencies of the language ■ how many words are there in the English language? ■ Frequency of single letters in English language, taken from a large corpus of text: ■ Actual frequencies of some words in English language: 21 22 (Tip: Counting Letter Frequencies) Vigenere Cipher ■ Program letter, written by TJ O’Connor ■ A set of mono-alphabetic substitution ■ Output for Declaration of Independence: rules (shift amounts) is used ■ the key determines what the sequence of rules is ■ also called a poly-alphabetic cipher ■ Ex.: key = (3 1 5) ■ i.e., substitute first letter in plaintext by letter+3, second letter by letter+1, third letter by letter+5 ■ then repeat this cycle for each 3 letters 23 24 Vigenere… (Cont’d) Hill Ciphers ■ Ex.: plaintext = “BANDBAD” ■ Encrypts m letters of plaintext at each step plaintext message ■ i.e., plaintext is processed in blocks of size m B A N D B A D ■ Encryption of plaintext p to produce ciphertext c is accomplished by: c = Kp shift amount ■ the m×m matrix K is the key 3 1 5 3 1 5 3 ■ K’s determinant must be relatively prime to ciphertext message size of alphabet (26 for our example) E B S G C F G ■ decryption is multiplication by inverse: p = K-1c Breaking the cipher: look for repeated patterns in the ■ remember: all arithmetic mod 26 ciphertext 25 26 Hill Cipher Example Hill… (Cont’d) 1 2 -1 21 2 ■ For m = 2, let K = , K = ■ Fairly strong for large m 3 5 3 25 ■ But, vulnerable to chosen plaintext attack A B X Y D G Plaintext p = ■ choose m plaintexts, generate 0 1 23 24 3 6 corresponding ciphertexts (21*15+2*13) mod 26 ■ form a m x m matrix X from the (1*0+2*1) mod 26 plaintexts, and (3*23+5*24) mod 26 m x m matrix Y from the ciphertexts 2 5 19 7 15 13 (details omitted) Ciphertext c = -1 C F T H P N ■ can solve directly for K (i.e., K = Y X ) 27 28 Permutation Ciphers Permutation… (Cont’d) ■ The previous codes are all based on ■ Permutation cipher ex. #1: substituting one symbol in the alphabet for ■ Permute each successive block of 5 letters in the another symbol in the alphabet message according to position offset <+1,+3,-2,0,-2> ■ Permutation cipher: permute (rearrange, plaintext message transpose) the letters in the message W H Y O W H Y C A N T I F L Y ■ the permutation can be fixed, or can change over the length of the message Y W W O H C H N A Y F T Y L I ciphertext message 29 30 Permutation… (Cont’d) Permutation… (Cont’d) ■Permutation cipher ex. #2: ■ A longer example: plaintext = ■ arrange plaintext in blocks of n columns and m rows “ATTACK POSTPONED UNTIL TWO AM” ■ then permute columns in a block according to a key K n = 4 Key: 4 3 1 2 5 7 6 plaintext A T T A C K P Key (perm. of columns) ! 4 3 1 2 O S T P O N E Plaintext 1 2 3 4 symbol D U N T I L T 5 6 7 8 m = 3 positions W O A M X Y Z 9 10 11 12 ciphertext ciphertext sequence (by plaintext position) for one block 3 7 11 4 8 12 2 6 10 1 5 9 TTNA APTM TSUO AODW COIX PETZ KNLY 31 32 A Perfectly Secure Cipher: One-Time Pads OTP… (Cont’d) ■ According to a theorem by Shannon, a ■ Idea perfectly secure cipher requires: ■ generate a random bit string (the key) as long as the ■ a key length at least as long as the plaintext, and share with the other communicating message to be encrypted party ■ encryption: XOR this key with plaintext to get ■ the key can only be used once (i.e., for ciphertext each message we need a new key) ■ decrypt: XOR same key with ciphertext to get plaintext plaintext ■ Very limited use due to need to negotiate plaintext ciphertext ⊕ ⊕ and distribute long, random keys for every message Key 33 34 OTP… (Cont’d) plaintext 01011001 01000101 01010011 ⊕ = key (pad) 00010111 00001010 01110011 = ⊕ Some “Key” Issues ciphertext 01001110 01001111 00100000 ■ Why can’t the key be reused? 35 36 Types of Cryptography Secret Key Cryptography ■ Number of keys ■ Hash functions: no key plaintext ciphertext plaintext ■ Secret key cryptography: one key encryption decryption ■ Public key cryptography: two keys - public, private key Same key key ■ The way in which the plaintext is processed ■ Same key is used for encryption and decryption ■ Stream cipher: encrypt input message one ■ Also known as symbol at a time ■ Symmetric cryptography ■ Block cipher: divide input message into blocks ■ Conventional cryptography of symbols, and processes the blocks in sequence