Bishop, Chapter 9 Basic Cryptography - PowerPoint PPT Presentation

1 / 30

About This Presentation

Title:

Bishop, Chapter 9 Basic Cryptography

Description:

Brute force will often do it: just try many different matrices; you only have to ... because the key is a single number between 1 and 26, so we can use brute force ... – PowerPoint PPT presentation

Number of Views:44

Avg rating:3.0/5.0

Slides: 31

Provided by: Steve57

Category:

more less

Transcript and Presenter's Notes

Title: Bishop, Chapter 9 Basic Cryptography

1
Bishop, Chapter 9 (Basic Cryptography)

First some terminology a cryptosystem
encypher function converts plaintext into
cyphertext
decypher function converts cyphertext into
plaintext
of course plaintext and cyphertext are in the eye
of the beholder
Alternative terminology is encrypts and
decrypts
some cultures find this offensive or at least
creepy
most authors use these terms anyway, despite
their best intentions
The book also introduces the concept of a key
enciphering function takes plaintext and a key as
input, produces cyphertext
decyphering function takes a cyphertext and a key
as input, produces plaintext

2
Keys and Algorithms

The notion of a key isnt really necessary to
describe a cryptosystem
an encryption function simply translates
plaintext to ciphertext (think of it as a black
box)
a decryption function simply translates
ciphertext to plaintext
There is a spectrum of transparency in
cryptosystems
a black-box system where the encryption and
decryption algorithms are totally secret
a totally transparent system where the algorithm
is completely public (and you need something
additional information like a key to prevent
unwanted readers from decrypting your
information)
the real question is what is secret and what is
public
The form of a key isnt specified either just
think of it as data of some sort (a string, some
bits, ...) each algorithm will specify what the
key is

3
Ways of Attacking a Cryptosystem

Attack means trying to
learn the plaintext of a single message, given
some ciphertext
learn the general deciphering algorithm (or more
specifically the key, if you know what sort of
algorithm is being used)
Ciphertext-only attack
Attacker has the ciphertext of several messages,
and knows they have been encrypted using the same
algorithm. Goal is to recover the plaintext of
as many messages as possible, or better still
deduce the keys
Known-plaintext attack
Attacker has both the ciphertext and plaintext of
several messages
Chosen-plaintext attack
Attacker can get the ciphertext for messages of
his choosing
Adaptive chosen plaintext
Can make repeated requests for encryption based
what he learns about the system from previous
analysis
(Rubber-hose cryptanalysis)

4
What We Will Look At

Classical systems (pre-computer)
transposition
substitution
Symmetric-key block ciphers
DES
AES
Public-key ciphers
Diffie-Hellman
RSA

5
Classical Cryptosystems

Same key is used for both encryption and
decryption
meaning that the key must be kept secret, because
anybody who has the key has full knowledge about
the system
Two main types transposition ciphers and
substitution ciphers
transposition the cyphertext is a permutation
of the plaintext (same letters, different order)
cyphertext is plaintext in reverse order
pairs of letters are reversed
substitution letter or letters in the
cyphertext are substitutions for letter or
letters in the plaintext
cyphertext replaces A with B, B with C, ... Z
with A

6
Transposition Ciphers

The trick is to describe the permutation rule
concisely
Often this is done via a graphical aid, using a
rectangular grid

I
A
M
I AM VERY SECRET
V
E
R
Y
IA EYSCE MVR ERT
E
S
R
C
E
T
7
Transposition Ciphers (cont.)

To decrypt the ciphertext (knowing the grid size)
is simple just fit the ciphertext onto the
transposed grid, and read down the columns
To decrypt, all you need to know is the period,
8

I
A
E
Y
E
S
C
IA EYSCE MVR ERT
E
M
V
R
R
T
8
Breaking a Transposition Cypher

Plaintext attacks arent even worth mentioning
if you have a plaintext/ciphertext pair, you have
the key
Ciphertext-only attacks are also easy, given
naive implementations of the technique
Brute force will often do it just try many
different matrices you only have to look at the
first few characters of the resulting plaintext
There are other serious regularities left in the
ciphertext that an attacker can exploit
the first letter in the ciphertext is also the
first letter in the plaintext
based on probabilities of two-character sequences
in the English language, you can guess the second
letter I followed by a space is common, so
the period is probably either 2, 8, or 12
To strengthen the cipher, run it through the
transposition twice (with two different matrix
sizes)

9
Substitution Ciphers

The key in a substitution cipher is a mapping
from characters in the plaintext to characters in
the ciphertext
(A, Q), (B, A), (C, X), (D, R), ... (this
should be a 11 mapping)
this is equivalent to (1, 15), (2, 1), (3, 24),
(4, 13), ...
an even more concise key is a number N which
stands for the set (1, N1), (2, N2), (i,
(Ni) mod 26)
several famous examples
the Caesar cipher (N3) (A, D), (B, E), ... (W,
Z), (X, A), (Y, B), (Z, C)
ROT13 (N13)

10
Simple Substitution Cyphers

In these simple index-based schemes, the key is
simply the number N, and to decipher you use the
same enciphering method only use the key (26-N)
to encipher a message with the Caesar cipher,
apply the substitution with N3 to decipher use
N23
The main weakness of ciphers based on
single-letter substitutions is the powerful
regularity of letter frequencies in the English
language
In regular English text, 13 out of 100 letters is
an E, but only 2 out of 100 letters is a Q or a
Z. Therefore if you see a letter being used
frequently, you can make a strong guess as to its
identity
In computer languages the regularities are even
stronger, since keywords make up a significant
fraction of the text, and people tend to use
English words as variables.
Of course this does not crack the code by itself,
but it allows you to cut down the number of
guesses, and its remarkably accurate

11
How easy is it to break a simple substitution?

Compute the letter frequency for each letter in
the cyphertext
For each offset (1..25) compute the deviation
between the actual frequency for each letter
after applying the offset and the predicted
frequency for that letter. Choose the offset
with the lowest deviation.
Even quicker choose a letter in the ciphertext
and compute its frequency. Find the letter whose
frequency is closest. That gives you a guess for
the offset apply the inverse to the plaintext
and check.

12
Polyalphabetic Substitutions

There is an obvious relationship between the
strength of a cipher and the key length simple
substitution is so easy to break because the key
is a single number between 1 and 26, so we can
use brute force
The Vigenere Cipher uses a sequence of keys, each
between 0 and 25
if the key is (9,13,0)
shift the first plaintext character by 9
shift the second plaintext character by 13
shift the third plaintext character by 0 (not at
all)
shift the fourth plaintext character by 9
etc
the book uses an equivalent alphabetic key (IMA
for our example), but notice in Figure 9-3 that
this is simply describing 26 shift indexes

13
A Quick Example

This is the result of a quick Perl implementation
Plaintext
THISISASHORTBUTSWEETPIECEOFSECRETPLAINTEXT
Key
LUCY
Cyphertext
EBKQTMCQSITRMOVQHYGRACGAPIHQPWTCEJNYTHVCIN

14
Breaking the Cypher

The key insight is that if you know the length of
the key (four in our case), you can split the
full text into four separate single-character
substitution cyphers, and use the
letter-frequency trick to infer each letter
LUCY
EBKQ
TMCQ
SITR
MOVQ
HYGR
ACGA
PIHQ
PWTC
EJNY
THVC
IN

15
Finding the Key Length The Index of Coincidence

The relative frequencies of English-language
letters has the following interesting effect
Suppose you took a piece of English-language text
offset a copy of the text by a certain amount,
and counted the number of places the same letter
co-occurred
THISISASHORTBUTSWEETPIECEOFSECRETPLAINTEXT
RETPLAINTEXTTHISISASHORTBUTSWEETPIECEOFSEC
X X X
There are three duplicates per 42 letters, or
7.1
This is slightly above the statistical average of
6
Now suppose instead we took randomly generated
letters and offset it the same amount
LQDLUNKUJWRSNRBHJWZMYLWGFERHPGFFBCXGAWYQRH
FBCXGAWYQRRLQDLUNKUJWRSNRBHJWZMYLWGFERHPGF
X
There is one duplicate per 42 letters, or 2.3
This is slightly below the statistical average of
3.8

16
Index of Coincidence (cont.)

The point is
duplicates are much more likely in a plaintext
string than in a random text string, due to
letter-frequency regularities
and the same applies to single-character
substitutions, because the letter frequencies are
the same as in plaintext
in other words, the index of coincidence in a
piece of text encrypted using a single-character
substitution would be exactly the same as the
plaintext (same number of coincidences, but
different letters would match)
What's the significance to the Vigenere cypher?

17
IC and the Vigenere Cypher

If we line up the text at the correct period (the
key length), we are essentially counting four
single-character substitutions, and the IC will
be high
Alternatively, if we line up the text at the
incorrect period, we are essentially counting a
piece of random text
So IC values at the key length or multiples of
the key length will tend to have large values
other values will tend to be small

18
IC Values for the Example
This is 1 EBKQTMCQSITRMOVQHYGRACGAPIHQPWTCEJNYTHVC
IN NEBKQTMCQSITRMOVQHYGRACGAPIHQPWTCEJNYTHVCI Thi
s is 2 EBKQTMCQSITRMOVQHYGRACGAPIHQPWTCEJNYTHVCIN
INEBKQTMCQSITRMOVQHYGRACGAPIHQPWTCEJNYTHVC This
is 4 EBKQTMCQSITRMOVQHYGRACGAPIHQPWTCEJNYTHVCIN VC
INEBKQTMCQSITRMOVQHYGRACGAPIHQPWTCEJNYTH x
x x This is 7 EBKQTMCQSITRMOVQHY
GRACGAPIHQPWTCEJNYTHVCIN YTHVCINEBKQTMCQSITRMOVQHY
GRACGAPIHQPWTCEJN x
x This is 8 EBKQTMCQSITRMOVQHYGRACGAPIHQ
PWTCEJNYTHVCIN NYTHVCINEBKQTMCQSITRMOVQHYGRACGAPIH
QPWTCEJ x x x
19
Using the (Suspected) Key Length

Now we can work on four different
single-character cyphers.
If we were correct about the key length, each of
these came from a single-character substitution.
So what do we do next?

1 gt ETSMHAPPETI 2 gt BMIOYCIWJHN 3 gt
KCTVGGHTNV 4 gt QQRQRAQCYC
20
Using the (Suspected) Key Length

Here is output for the minimum-variance
calculation applied to the first column
This isn't quite right what's the right answer?
Are we close? What went wrong?

ETSMHAPPETI Variance for 0 is 0.00251999141767324
Variance for 11 is 0.00311439701207883 Variance
for 15 is 0.00314936204704387
21
Cracking the Cypher (cont.)

Here are the other three

Cyphertext is BMIOYCIWJHN Variance for 6 is
0.00166811602034329 Variance for 5 is
0.00250727685950413 Variance for 21 is
0.00285692720915448
Cyphertext is KCTVGGHTNV Variance for 24 is
0.00276665384615385 Variance for 11 is
0.00422819230769231 Variance for 20 is
0.00438203846153846
Cyphertext is QQRQRAQCYC Variance for 2 is
0.00645896153846154 Variance for 14 is
0.00735126923076923 Variance for 17 is
0.00765126923076923
22
And finally

Of course a little human nature doesn't hurt....
substituting our best guesses yields the
following plaintext
EHIS TS A SSORT MUT SHEETAIECP OF SPCREE
PLATNTEIT
Or alternatively, our current candidate for a key
is AUCY
Put these two pieces of information together, you
see that the first character is probably wrong,
and if you know your victim .....

23
Final Notes on Polyalphabetic Ciphers

Two factors are crucial to making the cipher
difficult to break
length of the key (longer is better, 1 is very
easy)
lack of predictability in the key
infrequent use (so not vulnerable to a
known-plaintext or chosen-plaintext attack)
Carrying these factors to the extreme we get the
"one-time pad"
key is at least as long as the plaintext, so
there are no cycles
key is chosen truly randomly
key is used only once

24
Symmetric-Key Block Ciphers

Symmetric key same key is used both for
encryption and decryption
Block cipher encrypts fixed-sized blocks
(typically 128 bits or 16 bytes)
efficiency and hardware implementations are the
main reasons for this
In effect the block cipher just permutes its
input bits (with the key describing the
permutation). The two goals are confusion and
diffusion
displace original positions of the input bits
distribute the input bits onto the output bits
uniformly
this is called an oblique cipher
Most block ciphers consist of multiple rounds of
a weak cipher

25
Basic Structure of DES

Initial shuffle of the plaintext (not significant
cryptographically, but in the standard)
Sixteen rounds (64-bit to 64-bit transformation)
Each round (i)
Select 48 bits from the 56 bit key (Ki)
Split the input into two halves (L, R)
Transform R using Ki (more on this later)
XOR R back with L
feed this into the next round
Final inverse shuffle of the ciphertext

26
DES Single-Round Diagram
R i-1
L i-1
F i
K i
32 bits
Expand
S i
Shuffle
48 bits
32 bits
L i
R i
27
Interesting Properties of the Algorithm

Implementation aspects
code and S tables implemented in hardware, even
in the 70s (need for fixed block and key length)
same basic algorithm for decryption (run the same
algorithm, but reverse the round keys)
Functions of the various pieces
splitting L and R (Feistel structure) diffuses
the input bits
XOR ensures that the key is mixed with the data
S-boxes provide nonlinearity (no mathematical
regularity to the transformation)
S-box, expand, and shuffle mean that small
changes in the input bits can still cause a big
difference in the output
Main complaint at this point key length is too
small
triple DES run the algorithm three times (is
that enough??)