
An Introduction to Cryptography
Edward J. Delp
Purdue University
School of Electrical and Computer Engineering
Video and Image Processing Laboratory (VIPER)
West Lafayette, Indiana
email: [email protected]
http://www.ece.purdue.edu/~ace
EPICS Spring 2003 Slide 1

Course Goals
• Provide an introduction to modern cryptography and an overview of its use

Digital Communication System

Cryptography
• Analog Techniques
• Digital Techniques

Cryptography - History
• Very rich history
  – Mary Queen of Scots
  – WWII Admiral Yamamoto
  – WWII Ultra (Enigma Machine)
• “Modern” Cryptography after World War II
  – NSA
• Popular interest since about 1978
http://www.cybercrimes.net/Cryptography/Articles/Hebert.html
http://www.ics.uci.edu/~ics54/doc/security/pkhistory.html

Goals
• Privacy - protect information from unauthorized users
• Authentication - “are you who you say you are”

“Drivers” of Modern Cryptography
• Prime Number Generation
  – integer factorization
• Random Number Generation

Why Is It Now Popular
• Driven by everything “digital”
• Most work to date devoted to text-based or character-based data

Export Controls
• The export of encryption software and hardware is controlled by the US government
• Can cause a problem if encryption is included in a product and it is desired to sell it outside the US
http://www.rsasecurity.com/rsalabs/faq/6-4.html
http://www.bxa.doc.gov/Encryption/Default.htm

Cryptography
• Code - exploit the linguistic properties of a language
• Cipher - do not exploit linguistic properties

Cryptography
P - plaintext
C - ciphertext

Cryptography
• A special form of computation used to protect a plaintext message
• The “security” of the system is based on the difficulty of the “inverse” computation without special “side information” known as “keys”

Unbreakable Ciphers?
• Are there unbreakable ciphers?
  – Shannon showed that “unbreakable” systems exist
  – “one time pad” - form of a stream cipher
    • difficult to manage
http://www.ranum.com/pubs/otpfaq/
http://world.std.com/~franl/crypto/one-time-pad.html

Unbreakable Ciphers?
• certificational security
  – secure because it has withstood the test of time in that no attacks have been successful
• provable security
  – successfully attacking a provable system is identical to attacking a classically known “hard” problem
“A Note on the Security of the OAEP-Enhanced RSA Public-Key Encryption Scheme,” RSA Laboratories Bulletin Number 9, February 23, 1999.

Cryptanalysis
• Used to break or attack cipher systems
• Attack can be brute force (exhaustive search on the keyspace)
• Exploit vulnerabilities in the cipher system or the way it is used
• “Black bag jobs”
• “rubber hose” techniques
• “purchase key” technique
• “dumpster diving”
• social engineering

Cryptanalysis
• Known plaintext
• Known ciphertext
• Chosen plaintext
• Cribbing
• Differential approaches
• Traffic flow analysis
• Exploit “poor” use of the encryption system

Cryptanalysis
• How do you know when you have been successful in your attack?
• Shannon showed this using the unicity distance:
  $n = \dfrac{\log_2 K}{R_L \log_2 P}$
  K - key space, P - plaintext, $R_L$ - redundancy in plaintext

Cryptanalysis
• Unicity distance indicates how much ciphertext is needed to ensure there is only one plaintext that corresponds to this ciphertext - “spurious keys”
• Example - simple letter substitution cipher
  $P = 26$; $K = 26!$; $R_L = 0.75$; $n = 25$
• hence given a ciphertext of 25 letters a unique decryption is possible

Why Use Encryption?
• Enhance ability to conduct global commerce
• Privacy
• Authentication

Cryptographic Systems
• Protocols describe how the encryption system is used
• In many cases the security of the system is compromised by the protocol and NOT the encryption algorithm
  – “man in the middle” attack

Types of Cryptographic Systems
$C = S(P)$, $S(\cdot)$ - encryption function
$P = H(C)$, $H(\cdot)$ - decryption function

Types of Cryptographic Systems
• Totally Secret
  – Kerckhoffs’s Principle - “The security of any cipher lies in the key and NOT in the algorithm.”
• Public Algorithm (Secret Key)
• Public Key System

Types of Cryptographic Systems
Totally secret systems - all aspects of the encryption/decryption are secret

Public Algorithm
• Algorithms are known but parameters (keys) are secret
  $C = S_k(P)$
  $P = H_k(C)$
  k ~ key
• Use same key for enciphering and deciphering
• Block Ciphers -- DES, IDEA, Twofish, TEA
• Stream Ciphers
• Problem: key management

Public Key Cryptography
• Two keys
  E ~ enciphering key
  D ~ deciphering key
  $C = S_E(P)$
  $P = H_D(C)$
• Computationally infeasible to derive D from E
• Each user could publish E in a “public key directory”

Public Key Cryptography
• No problem with key distribution - really?
  – fronting attacks
  – “man in the middle” attack
• Authentication - use private deciphering key to encipher a message

Authentication
• Two keys
  E ~ enciphering key
  D ~ deciphering key
  $C_a = S_D(P)$ - encipher with private key
  $P = H_E(C_a)$ - decipher with public key
The message P has been “signed”

Public Key Cryptography
• Must protect public key directory
• Application of the use of signatures
• Certify the public key with a broker of trust (the US Post Office?!)

History of Public Key Cryptography
• Diffie, Hellman, and Merkle are credited with being the inventors of public key cryptography
  – W. Diffie and M.E. Hellman, “Privacy and Authentication: An Introduction to Cryptography,” Proceedings of the IEEE, Vol. 67, No. 3, March 1979, pp. 397-427.
• British claim they did it in 1970 (http://www.gchq.gov.uk/about/history.html)
• NSA claim they also invented it
http://www.research.att.com/~smb/nsam-160/

Key Management
• Block Ciphers - how do you distribute keys
• Public Key - protect public key directory
• Political issue - key recovery

Clipper and Capstone
Escrowed Encryption Standard, also known as “CLIPPER,” is a cryptographic device intended to protect private communications while at the same time permitting government agents to obtain the "keys" upon presentation of "legal authorization." The "keys" would be held by two government "escrow agents" and would enable the government to access the encrypted private communication. (February 4, 1992)
Clipper would be used to encrypt voice transmissions; a similar device known as Capstone would be used to encrypt data. Both systems are based on the SKIPJACK algorithm.
http://www.eff.org/pub/Privacy/Clipper/

Encryption Systems
• Trapdoor Functions - easily computable functions with a computationally infeasible inverse (without use of special knowledge)

Public Key Systems
• Trapdoor-Knapsack System (Merkle and Hellman)
• Discrete Log (El Gamal)
• RSA (Rivest, Shamir, Adleman)
• Elliptic Curve Methods

Knapsack System
Subset Sum Problem: Given positive integers $a_1, a_2, \ldots, a_n$ and positive integer $c$, determine the subset of the integers which sum to $c$.

“Hard Knapsack”
Assume the source produces binary words of n bits
$X = (x_1, x_2, \ldots, x_n)$, $x_i \in \{0, 1\}$
$A = (a_1, a_2, \ldots, a_n)$
$c = A \cdot X = \sum_{i=1}^{n} a_i x_i$

“Easy Knapsack”
$A' = (a_1', a_2', \ldots, a_n')$
$a_i' > \sum_{j=1}^{i-1} a_j'$
$A' = (3, 5, 11, 20, 41, 83, 169, 340, 679, 1358)$
$c' = A' \cdot X$
$c' = 1260$
$a_{10}' = 1358 > c' \Rightarrow x_{10} = 0$

“Easy Knapsack”
$a_9' = 679 < c' \Rightarrow x_9 = 1$
$1260 - 679 = 581$
$a_8' = 340 < 581 \Rightarrow x_8 = 1$
$X = (0011101110)$
“Easy” Knapsack is too easy!

“Moderately” Hard Knapsack
Choose two large positive numbers w and m
$a_i = a_i' w \bmod m$
Example: $w = 764$, $m = 2731$, $a_4' = 20$
$a_4 = 20 \times 764 \bmod 2731 = 1625$

“Moderately” Hard Knapsack
A - public enciphering key
A′, w, and m - private deciphering key
$c = A \cdot X$
$w^{-1} w \bmod m = 1$, $w^{-1} = 1605$
$c' = c\,w^{-1} \bmod m$
$c' = \sum_{i=1}^{n} x_i a_i w^{-1} \bmod m$
$a_i w^{-1} \bmod m = a_i'$
c′ ~ easy knapsack

Knapsack Attack
• Shamir proposed an interesting attack on the Knapsack system:
  – A. Shamir and R.E. Zippel, "On the Security of the Merkle-Hellman Cryptographic System," IEEE Transactions on Information Theory, Vol. 26, No. 3, May 1980, pp. 339-340.
  – A. Shamir, "A Polynomial-Time Algorithm for Breaking the Basic Merkle-Hellman Cryptosystem," IEEE Transactions on Information Theory, Vol. 30, No. 5, September 1984, pp. 699-704.

Block Ciphers
Encipher block of x bits using y bits of key to produce x bits of ciphertext
• Message extension
• Substitution cipher

Block Cipher
• Think of substitution operation as a permutation
• $(2^x)!$ permutations
• Key requires $\log_2[(2^x)!]$ bits
  – are all keys equally likely? ⇒ entropy of the key space

Block Ciphers Problems
• Vulnerable to statistical attacks
• Vulnerable to dictionary attacks

Triple Encryption
• Use block cipher three times
  – Tuchman, W, “Hellman Presents
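
The knapsack slides above (“Easy Knapsack” through “Moderately” Hard Knapsack), worked end to end with the deck's own numbers A′, w = 764 and m = 2731. This is an added example, not code from the original slides; the function names are the example's own, and `pow(w, -1, m)` assumes Python 3.8 or later. The parameters are toy-sized, and the “Knapsack Attack” slide cites Shamir's break of this system, so it is for study only.

```python
# Added example: trapdoor knapsack with the slide's parameters (toy sizes).
A_PRIME = (3, 5, 11, 20, 41, 83, 169, 340, 679, 1358)  # private easy knapsack A'
W, M = 764, 2731                                        # private multiplier, modulus


def public_key(a_prime, w, m):
    """a_i = a_i' * w mod m: the published 'moderately hard' knapsack A."""
    total = 0
    for a in a_prime:
        if a <= total:  # each a_i' must exceed the sum of all earlier ones
            raise ValueError("A' is not superincreasing")
        total += a
    if m <= total:      # otherwise c' could wrap around the modulus
        raise ValueError("m must exceed sum(A')")
    return tuple(a * w % m for a in a_prime)


def encrypt(bits, pub):
    """c = A . X for one block of len(A) bits."""
    if len(bits) != len(pub) or any(b not in (0, 1) for b in bits):
        raise ValueError("block must be len(A) bits of 0/1")
    return sum(a * x for a, x in zip(pub, bits))


def solve_easy(c_prime, a_prime):
    """Greedy solve of the easy knapsack, largest element first."""
    bits = [0] * len(a_prime)
    for i in range(len(a_prime) - 1, -1, -1):
        if a_prime[i] <= c_prime:
            bits[i] = 1
            c_prime -= a_prime[i]
    if c_prime != 0:
        raise ValueError("c' is not a subset sum of A'")
    return bits


def decrypt(c, a_prime, w, m):
    """c' = c * w^-1 mod m, then solve the easy knapsack."""
    w_inv = pow(w, -1, m)  # modular inverse; 1605 for the slide's w and m
    return solve_easy(c * w_inv % m, a_prime)


if __name__ == "__main__":
    X = [0, 0, 1, 1, 1, 0, 1, 1, 1, 0]  # the slide's block X = (0011101110)
    A = public_key(A_PRIME, W, M)
    c = encrypt(X, A)
    print(A, c, decrypt(c, A_PRIME, W, M))
```

Multiplying the ciphertext by w⁻¹ mod m maps it back to c′ = 1260, which is exactly the easy-knapsack instance the slides solve by hand.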