Computer Security Cryptography an introduction - PowerPoint PPT Presentation

About This Presentation

Title:

Computer Security Cryptography an introduction

Description:

where w r-1 is the previous state. 11/22/09. 11. Iterated cipher ... g([Li-1,Ri-1 ]),Ki ) = (Li ,Ri), where. Li = Ri-1 and Ri = Li-1 XOR f (Ri-1, Ki). 11/22/09 ... – PowerPoint PPT presentation

Number of Views:81

Avg rating:3.0/5.0

Slides: 53

Provided by: mikebur

Learn more at: http://www.cs.fsu.edu

Category:

more less

Transcript and Presenter's Notes

Title: Computer Security Cryptography an introduction

1
Computer SecurityCryptography an introduction
2
Encryption

key KE
key KD
x plaintext
y ciphertext
original plaintext x

. encryption

decryption
Eavesdropper

3
Encryption

A cryptosystem involves
an encryption algorithm E, and a
a decryption algorithm D
Both algorithms make use of a key.
Let KE be the encryption key and KD the
decryption key.
For symmetric cryptosystems the same key is used
both
encryption and decryption KE KD.

4
Encryption

If P is the plaintext message, C the ciphertext,
then for
symmetric cryptosystems
C E (K,P) and P D (K,E (K,P))
D (K,C)
For an asymmetric cryptosystem
C E (KE,P) and P D (KD,E (KE,P))
D (KD,C)

5
Kerchoffs assumption

The adversary knows all details of the
encrypting function except the secret key

6
Symmetric key encryption

There are two types of cipher systems
Stream ciphers,
Block ciphers.

7
Stream ciphers

Encryption

x ISSOPMI
y wdhuvad
Key KE
8
Block ciphers
x XNE OIG TPH YRK

y

.
Key KE wdm .

hut

vap

dgd

Encryption

9
Block ciphersAn overview of the DES Algorithm

DES is an iterated block cipher with
16 rounds,
block length 64 bits and
key length 56 bits

10
Iterating Block ciphers

1. Iterated block cipher
Random (binary) key K ? round keys
K1,..., KNr,

2. Round function g w r g(w r-1, K
r), where w r-1 is the previous state
11
Iterated cipher

Encryption operation w0 ? x (x
plaintext) w1 g(w0, K1), w2 g(w1,
K2), wNr g(wNr-1, KNr), y ? wNr
(y ciphertext)
12
Iterated cipher

For decryption we must have
g(.,K) must be invertible for all K
Then decryption is the reverse of encryption
(bottom-up)

13
Data Encryption Standard

DES is a special type of iterated cipher called a
Feistel cipher.
Block length 64 bits
Key length 56 bits
Ciphertext length 64 bits

14
DES

The round function is
g(Li-1,Ri-1 ),Ki ) (Li ,Ri),
where
Li Ri-1 and Ri Li-1 XOR f (Ri-1, Ki).

15
DES round encryption
16
DES inner function
17
DES computation path
18
Inner function f

Combine 32 bit input and 48 bit key into 32 bit
output
Expand 32 bit input to 48 bits
XOR the 48 bit key with the expanded 48 bit input
Apply the S-boxes to the 48 bit input to produce
32 bit output
Permute the resulting 32 bits

19
S Boxes

There are 8 different S-Boxes,1 for each chunk
S-box process maps 6 bit input to 4 bit output
S box performs substitution on 4 bits
There are 8 possible substitutions in each S box
Inner 4 bits are fed into an S box
Outer 2 bits determine which substitution is used

20
Decrypting DES

DES (and all Feistel structures) is reversible
through a
reverse encryption because
No input data is mangled and passed to the output
The properties of XOR
S-boxes are not reversible (and don't need to be)
Everything needed (except the key) to produce the
input
to the n-1th step is available from the
output of the nthstep.
4. The input to the nth step is the output of the
n-1th step.
5. Work backwards to step 1.

21
Attacks on DES

Brute force
Linear Cryptanalysis
-- Known plaintext attack
Differential cryptanalysis
Chosen plaintext attack
Modify plaintext bits, observe change in
ciphertext
No dramatic improvement on brute force

22
Countering Attacks

Large keyspace combats brute force attack
Triple DES (say EDE mode, with usually 2 keys)
Use AES

23
Modes of operation

Four basic modes of operation are available for
block ciphers
Electronic codebook mode ECB
Cipher block chaining mode CBC
Cipher feedback mode CFB
Output feedback mode OFB

24
Electronic Codebook mode, ECB

Each plaintext xi is encrypted with the same key
K
yi eK(xi).
So, the naïve use of a block cipher.

25
ECB
x1
x2
x3
x4
DES
DES
DES
DES
y4
y3
y2
y1
26
Cipher Block Chaining mode, CBC

Each cipher block yi-1 is xor-ed with the next
plaintext xi
yi eK(yi-1 XOR
xi)
before being encrypted to get the next plaintext
yi.
The chain is initialized with
an initialization vector y0 IV
with length, the block size.

27
CBC
x1
x2
x3
x4
IV

DES
DES
DES
DES
y4
y3
y2
y1
28
Cipher and Output feedback modes (CFB OFB)

CFB
z0 IV and recursively
zi eK(yi-1) and yi xi
XOR zi
OFB
z0 IV and recursively
zi eK(zi-1) and yi xi
XOR zi

29
CFB mode
x1
x2
IV
eK
eK

eK

y1
y2
30
OFB mode
IV
eK
eK
x1
x2

y1
y2
31
Double Triple DES

Double DES C E(k2,E(k1,m))
Triple DES C
E(k1,D(k2,E(k1,m)

32
AES

Block length 128 bits.
Key lengths 128 (or 192 or 256).
The AES is an iterated cipher with Nr10 (or 12
or 14)
In each round we have
Subkey mixing State ? Roundkey XOR State
A substitution SubBytes(State)
A permutation ShiftRows(State)
MixColumns(State)

33
One time pad

This is a binary stream cipher whose key
stream is a random stream.
This cipher has perfect secrecy.

34
One time pad

The One-Time-Pad is a Stream Cipher for which
The plaintext x e P, ciphertext y e C and key K e
K are
all binary n-tuples.
P C K 0,1n
and
eK(x) (x1K1, , xnKn) mod 2
Decryption is identical to encryption
dK(x) (y1K1, , ynKn) mod 2

35
Asymmetric key encryptionPublic Key Cryptography
36
Public Key Cryptography

Alice
Bob

Alice and Bob want to exchange a private key in
public.
37
Public Key CryptographyThe Diffie-Hellman
protocol

Alice ga mod p
Bob
gb mod p
where p is a prime and g a number which has
order p-1.
The private key is gab mod p

38
Public Key CryptographyEncryption schemes

Let
P be the set of all plaintext messages
C be the set of ciphertexts
K be the set of all keys

39
The RSA cryptosystem

Let n pq, where p and q are primes.
Let P C 1,2, ,n, and define
K (n,p,q,e,d) ed 1 mod f(n) .
where f(n) (p-1)(q-1).
For each key K (n,p,q,e,d), define
c eK(m) me mod n
and
dK(c) cd mod n,
where 1 ? m,c ? n .
Public key (n,e), Private key (n,d).

40
Check

We have ed 1 mod f(n), so ed 1 tf(n).
Therefore,
dK(eK(m)) (me)d med m tf(n)1
(mf(n)) t m 1.m m
mod n

41
Example

p 101, q 113, n 11413.
f (n) 100x112 11200 26527
For encryption use e 3533.
Then d e-1 mod11200 6597.
Bob publishes n 11413, e 3533.
Suppose Alice wants to encrypt 9726.
She computes 97263533 mod 11413 5761
To decrypt it Bob computes
57616597 mod 11413 9726

42
Security of RSA

Relation to factoring.
Recovering the plaintext m from an RSA
ciphertext c is
easy if factoring is possible.
The RSA problem
Given (n,e) and c, compute m such that me c
mod n

43
Digital Signatures
44
Public Key CryptographySignature schemes

Let
P be the set of all messages
S be the set of signatures
K be the set of all keys

45
The RSA digital signature

Let n pq, where p and q are primes.
Let P S 1,2, ,n , and define
K (n,p,q,e,d) ed 1 mod f(n) .
For each key K (n,p,q,e,d), define
sigK(m) md mod n
and
verK(m,y) true ye m mod
n,
where (m,y) e Zn.
Public key (n,e), Private key (n,d).

46
The ElGamal signature scheme

Let p be a prime and g an integer of order
p-1.
Let P 0,1, , p-1,
A 0,1, , p-1 x 0,1, , p-1 and
K (p,g,a,ya) ya ga modp .
The values p,g,ya are the public key.
a is the private key.

47
The ElGamal signature scheme

Signing
Let m, 0 ? m ? p-1, be a message.
For a key K (p,g,a,ya) with ya ga mod p,
and a secret random number k , 0 ? k ? p-1, such
that gcd(k,p-1) 1, define sigK(m,k) (s,t),
where
r gk mod p
s (m-ar)k-1 mod p-1
Verification
verK(m,(r,s)) true
yarrs gm modp .

48
Toy example

Let p 467, g 2, x 127,
message m 100,
Choose k 213. Then k-1mod 466 431.
The signature is
r 2213 mod 467 29
s (m-ar)k-1 mod(p-1) (100-127x29)431 mod 466
51
Verification 2100 ?? 132292951 mod 467

49
The security of the ElGamal signature

If the Discrete Logarithm problem can be solved
then ElGamal signatures can be forged.
The converse may not be true.
The exponent k must be
private
cannot be used twice
best chosen at random.

50
The Digital Signature Algorithm