Title: Computer Security Cryptography an introduction
1 Computer Security: Cryptography, an introduction
2 Encryption
[Figure: plaintext x is encrypted under key KE to ciphertext y, which is decrypted under key KD to give back the original plaintext x; an eavesdropper is shown on the channel.]
3 Encryption
- A cryptosystem involves
  - an encryption algorithm E, and
  - a decryption algorithm D.
- Both algorithms make use of a key.
- Let $K_E$ be the encryption key and $K_D$ the decryption key.
- For symmetric cryptosystems the same key is used for both encryption and decryption: $K_E = K_D$.
4 Encryption
- If P is the plaintext message and C the ciphertext, then for
- symmetric cryptosystems
- $C = E(K, P)$ and $P = D(K, E(K, P)) = D(K, C)$
- For an asymmetric cryptosystem
- $C = E(K_E, P)$ and $P = D(K_D, E(K_E, P)) = D(K_D, C)$
5 Kerckhoffs' assumption
- The adversary knows all details of the encrypting function except the secret key.
6 Symmetric key encryption
- There are two types of cipher systems
- Stream ciphers,
- Block ciphers.
7 Stream ciphers
[Figure: a stream cipher with key KE turns the plaintext x = ISSOPMI into the ciphertext y = wdhuvad.]
8 Block ciphers
[Figure: a block cipher with key KE turns the plaintext blocks x = XNE OIG TPH YRK into the ciphertext blocks y = wdm hut vap dgd.]
9 Block ciphers: An overview of the DES Algorithm
- DES is an iterated block cipher with
  - 16 rounds,
  - block length 64 bits and
  - key length 56 bits
10 Iterating Block ciphers
- 1. Iterated block cipher
- Random (binary) key $K \to$ round keys $K_1, \ldots, K_{N_r}$
- 2. Round function $g$: $w_r = g(w_{r-1}, K_r)$, where $w_{r-1}$ is the previous state
11 Iterated cipher
Encryption operation:
- $w_0 \leftarrow x$ (x plaintext)
- $w_1 = g(w_0, K_1)$, $w_2 = g(w_1, K_2)$, $\ldots$, $w_{N_r} = g(w_{N_r-1}, K_{N_r})$
- $y \leftarrow w_{N_r}$ (y ciphertext)
12 Iterated cipher
- For decryption we must have
- $g(\cdot, K)$ must be invertible for all K
- Then decryption is the reverse of encryption (bottom-up)
13 Data Encryption Standard
- DES is a special type of iterated cipher called a Feistel cipher.
- Block length 64 bits
- Key length 56 bits
- Ciphertext length 64 bits
14 DES
- The round function is
- $g((L_{i-1}, R_{i-1}), K_i) = (L_i, R_i)$,
- where
- $L_i = R_{i-1}$ and $R_i = L_{i-1} \oplus f(R_{i-1}, K_i)$.
15 DES round encryption
16 DES inner function
17 DES computation path
18 Inner function f
- Combine 32 bit input and 48 bit key into 32 bit output
- Expand 32 bit input to 48 bits
- XOR the 48 bit key with the expanded 48 bit input
- Apply the S-boxes to the 48 bit input to produce 32 bit output
- Permute the resulting 32 bits
19 S Boxes
- There are 8 different S-Boxes, 1 for each chunk
- S-box process maps 6 bit input to 4 bit output
- S box performs substitution on 4 bits
- There are 8 possible substitutions in each S box
- Inner 4 bits are fed into an S box
- Outer 2 bits determine which substitution is used
20 Decrypting DES
- DES (and all Feistel structures) is reversible through a reverse encryption because
- No input data is mangled and passed to the output
- The properties of XOR
- S-boxes are not reversible (and don't need to be)
- Everything needed (except the key) to produce the input to the n-1th step is available from the output of the nth step.
- 4. The input to the nth step is the output of the n-1th step.
- 5. Work backwards to step 1.
21 Attacks on DES
- Brute force
- Linear Cryptanalysis
  - Known plaintext attack
- Differential cryptanalysis
- Chosen plaintext attack
- Modify plaintext bits, observe change in ciphertext
- No dramatic improvement on brute force
22 Countering Attacks
- Large keyspace combats brute force attack
- Triple DES (say EDE mode, with usually 2 keys)
- Use AES
23 Modes of operation
- Four basic modes of operation are available for block ciphers
- Electronic codebook mode: ECB
- Cipher block chaining mode: CBC
- Cipher feedback mode: CFB
- Output feedback mode: OFB
24 Electronic Codebook mode, ECB
- Each plaintext $x_i$ is encrypted with the same key $K$:
- $y_i = e_K(x_i)$.
- So, the naïve use of a block cipher.
25 ECB
[Figure: ECB mode. The plaintext blocks x1, x2, x3, x4 each pass through DES to give the ciphertext blocks y1, y2, y3, y4.]
26 Cipher Block Chaining mode, CBC
- Each cipher block $y_{i-1}$ is xor-ed with the next plaintext $x_i$
- $y_i = e_K(y_{i-1} \oplus x_i)$
- before being encrypted to get the next ciphertext block $y_i$.
- The chain is initialized with
- an initialization vector $y_0 = IV$
- with length, the block size.
27 CBC
[Figure: CBC mode. The plaintext blocks x1 to x4, the IV and four DES boxes producing the ciphertext blocks y1 to y4.]
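An added example (not from the slides) tying the Feistel round of slides 14 and 20 to the ECB and CBC definitions above: a toy 16-round Feistel cipher whose inner function is a truncated hash, hence not invertible, still decrypts correctly, and running it in ECB exposes repeated plaintext blocks while CBC does not. The inner function, key schedule, key, IV and message are assumptions made for illustration, not DES; input length must be a multiple of 8 bytes.

```python
import hashlib

ROUNDS, HALF = 16, 4  # 16 rounds and a 64-bit block (two 4-byte halves), as in DES

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def f(right, round_key):
    # Toy inner function (assumption): a truncated hash, so it is not invertible.
    return hashlib.sha256(round_key + right).digest()[:HALF]

def round_keys(key):
    # Toy key schedule (assumption): one derived round key per round.
    return [hashlib.sha256(key + bytes([i])).digest() for i in range(ROUNDS)]

def encrypt_block(key, block):
    L, R = block[:HALF], block[HALF:]
    for k in round_keys(key):
        L, R = R, xor(L, f(R, k))      # L_i = R_{i-1}, R_i = L_{i-1} XOR f(R_{i-1}, K_i)
    return L + R

def decrypt_block(key, block):
    L, R = block[:HALF], block[HALF:]
    for k in reversed(round_keys(key)):
        L, R = xor(R, f(L, k)), L      # R_{i-1} = L_i, L_{i-1} = R_i XOR f(L_i, K_i)
    return L + R

def blocks(data):
    return [data[i:i + 2 * HALF] for i in range(0, len(data), 2 * HALF)]

def ecb_encrypt(key, data):
    return b"".join(encrypt_block(key, x) for x in blocks(data))  # y_i = e_K(x_i)

def cbc_encrypt(key, iv, data):
    out = [iv]
    for x in blocks(data):
        out.append(encrypt_block(key, xor(out[-1], x)))  # y_i = e_K(y_{i-1} XOR x_i)
    return b"".join(out[1:])

def cbc_decrypt(key, iv, data):
    prev = [iv] + blocks(data)
    return b"".join(xor(p, decrypt_block(key, y)) for p, y in zip(prev, prev[1:]))

# Constructed sample: three identical 8-byte plaintext blocks.
KEY, IV, MSG = b"toy key", bytes(range(8)), b"SAMEDATA" * 3
ECB, CBC = ecb_encrypt(KEY, MSG), cbc_encrypt(KEY, IV, MSG)
print("ECB:", [b.hex() for b in blocks(ECB)])  # three equal blocks
print("CBC:", [b.hex() for b in blocks(CBC)])  # three different blocks
```

Decryption only ever calls `f` in the forward direction, which is why the S-boxes do not need to be reversible.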
28 Cipher and Output feedback modes (CFB, OFB)
- CFB
- $z_0 = IV$ and recursively
- $z_i = e_K(y_{i-1})$ and $y_i = x_i \oplus z_i$
- OFB
- $z_0 = IV$ and recursively
- $z_i = e_K(z_{i-1})$ and $y_i = x_i \oplus z_i$
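29 CFB mode
[Figure: CFB mode. The IV, three eK boxes, plaintext blocks x1, x2 and ciphertext blocks y1, y2.]
30 OFB mode
[Figure: OFB mode. The IV, two eK boxes, plaintext blocks x1, x2 and ciphertext blocks y1, y2.]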
31 Double and Triple DES
- Double DES: $C = E(k_2, E(k_1, m))$
- Triple DES: $C = E(k_1, D(k_2, E(k_1, m)))$
32 AES
- Block length 128 bits.
- Key lengths 128 (or 192 or 256).
- The AES is an iterated cipher with $N_r = 10$ (or 12 or 14)
- In each round we have
- Subkey mixing: State $\leftarrow$ Roundkey XOR State
- A substitution: SubBytes(State)
- A permutation: ShiftRows(State) MixColumns(State)
33 One time pad
- This is a binary stream cipher whose key stream is a random stream.
- This cipher has perfect secrecy.
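34 One time pad
- The One-Time-Pad is a Stream Cipher for which
- The plaintext $x \in \mathcal{P}$, ciphertext $y \in \mathcal{C}$ and key $K \in \mathcal{K}$ are all binary n-tuples.
- $\mathcal{P} = \mathcal{C} = \mathcal{K} = \{0,1\}^n$
- and
- $e_K(x) = (x_1 + K_1, \ldots, x_n + K_n) \bmod 2$
- Decryption is identical to encryption
- $d_K(y) = (y_1 + K_1, \ldots, y_n + K_n) \bmod 2$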
35 Asymmetric key encryption: Public Key Cryptography
36 Public Key Cryptography
Alice and Bob want to exchange a private key in public.
37 Public Key Cryptography: The Diffie-Hellman protocol
- Alice $\to$ Bob: $g^a \bmod p$
- Bob $\to$ Alice: $g^b \bmod p$
- where p is a prime and g a number which has order p-1.
- The private key is $g^{ab} \bmod p$
38 Public Key Cryptography: Encryption schemes
- Let
- $\mathcal{P}$ be the set of all plaintext messages
- $\mathcal{C}$ be the set of ciphertexts
- $\mathcal{K}$ be the set of all keys
39 The RSA cryptosystem
- Let $n = pq$, where p and q are primes.
- Let $\mathcal{P} = \mathcal{C} = \{1, 2, \ldots, n\}$, and define
- $\mathcal{K} = \{(n,p,q,e,d) : ed \equiv 1 \pmod{\phi(n)}\}$,
- where $\phi(n) = (p-1)(q-1)$.
- For each key $K = (n,p,q,e,d)$, define
- $c = e_K(m) = m^e \bmod n$
- and
- $d_K(c) = c^d \bmod n$,
- where $1 \le m, c \le n$.
- Public key: $(n,e)$. Private key: $(n,d)$.
40 Check
- We have $ed \equiv 1 \pmod{\phi(n)}$, so $ed = 1 + t\phi(n)$.
- Therefore,
- $d_K(e_K(m)) = (m^e)^d = m^{ed} = m^{t\phi(n)+1}$
- $= (m^{\phi(n)})^t \, m = 1 \cdot m = m \bmod n$
41 Example
- $p = 101$, $q = 113$, $n = 11413$.
- $\phi(n) = 100 \times 112 = 11200 = 2^6 5^2 7$
- For encryption use $e = 3533$.
- Then $d = e^{-1} \bmod 11200 = 6597$.
- Bob publishes $n = 11413$, $e = 3533$.
- Suppose Alice wants to encrypt 9726.
- She computes $9726^{3533} \bmod 11413 = 5761$
- To decrypt it Bob computes
- $5761^{6597} \bmod 11413 = 9726$
42 Security of RSA
- Relation to factoring.
- Recovering the plaintext m from an RSA ciphertext c is easy if factoring is possible.
- The RSA problem
- Given $(n,e)$ and $c$, compute $m$ such that $m^e = c \bmod n$
43 Digital Signatures
44 Public Key Cryptography: Signature schemes
- Let
- $\mathcal{P}$ be the set of all messages
- $\mathcal{S}$ be the set of signatures
- $\mathcal{K}$ be the set of all keys
45 The RSA digital signature
- Let $n = pq$, where p and q are primes.
- Let $\mathcal{P} = \mathcal{S} = \{1, 2, \ldots, n\}$, and define
- $\mathcal{K} = \{(n,p,q,e,d) : ed \equiv 1 \pmod{\phi(n)}\}$.
- For each key $K = (n,p,q,e,d)$, define
- $sig_K(m) = m^d \bmod n$
- and
- $ver_K(m,y) = \text{true} \iff y^e = m \bmod n$,
- where $(m,y) \in Z_n$.
- Public key: $(n,e)$. Private key: $(n,d)$.
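An added example (not from the slides) covering both the RSA cryptosystem of slides 39 to 41 and the RSA signature above: it derives d from e with the extended Euclidean algorithm, rejects an exponent that has no inverse modulo φ(n), and round-trips the numbers of slide 41. The function names and the input range check are assumptions; this is textbook RSA on toy parameters, with no padding or hashing.

```python
def egcd(a, b):
    """Extended Euclid: return (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y

def make_key(p, q, e):
    """Return (n, e, d) with e*d == 1 mod phi(n), or raise if e is unusable."""
    n, phi = p * q, (p - 1) * (q - 1)
    g, x, _ = egcd(e, phi)
    if g != 1:
        raise ValueError("e has no inverse modulo phi(n)")
    return n, e, x % phi

def _check(v, n):
    # Assumption of this example: inputs are reduced, non-zero residues mod n.
    if not 0 < v < n:
        raise ValueError("value out of range")
    return v

def encrypt(m, n, e):
    return pow(_check(m, n), e, n)      # c = m^e mod n

def decrypt(c, n, d):
    return pow(_check(c, n), d, n)      # m = c^d mod n

def sign(m, n, d):
    return pow(_check(m, n), d, n)      # sig_K(m) = m^d mod n

def verify(m, y, n, e):
    return pow(_check(y, n), e, n) == m  # true iff y^e = m mod n

# Numbers from slide 41.
N, E, D = make_key(101, 113, 3533)
CIPHERTEXT = encrypt(9726, N, E)
SIGNATURE = sign(9726, N, D)
print(D, CIPHERTEXT, decrypt(CIPHERTEXT, N, D), verify(9726, SIGNATURE, N, E))
```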
46 The ElGamal signature scheme
- Let p be a prime and g an integer of order p-1.
- Let $\mathcal{P} = \{0, 1, \ldots, p-1\}$,
- $\mathcal{A} = \{0, 1, \ldots, p-1\} \times \{0, 1, \ldots, p-1\}$ and
- $\mathcal{K} = \{(p,g,a,y_a) : y_a = g^a \bmod p\}$.
- The values $p, g, y_a$ are the public key.
- $a$ is the private key.
47 The ElGamal signature scheme
- Signing
- Let $m$, $0 \le m \le p-1$, be a message.
- For a key $K = (p,g,a,y_a)$ with $y_a = g^a \bmod p$, and a secret random number $k$, $0 \le k \le p-1$, such that $\gcd(k, p-1) = 1$, define $sig_K(m,k) = (r,s)$, where
- $r = g^k \bmod p$
- $s = (m - ar)k^{-1} \bmod (p-1)$
- Verification
- $ver_K(m,(r,s)) = \text{true} \iff y_a^r r^s = g^m \bmod p$.
48 Toy example
- Let $p = 467$, $g = 2$, $x = 127$,
- message $m = 100$,
- Choose $k = 213$. Then $k^{-1} \bmod 466 = 431$.
- The signature is
- $r = 2^{213} \bmod 467 = 29$
- $s = (m - ar)k^{-1} \bmod (p-1) = (100 - 127 \times 29) \cdot 431 \bmod 466 = 51$
- Verification: $2^{100} \equiv 132^{29} \cdot 29^{51} \bmod 467$
49 The security of the ElGamal signature
- If the Discrete Logarithm problem can be solved then ElGamal signatures can be forged.
- The converse may not be true.
- The exponent k must be
- private
- cannot be used twice
- best chosen at random.
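An added example (not from the slides) of ElGamal signing and verification on the toy parameters of slide 48, with the checks a signer and a verifier need: the signer refuses a k that is not invertible modulo p-1, the verifier rejects out-of-range r and s, and an audit function flags signatures that share r, which under one key means k was used twice. The function names, the second and third messages and the value k = 215 are constructed for illustration.

```python
from math import gcd

def sign(p, g, a, m, k):
    """ElGamal signature (r, s) on m with private key a and per-message secret k."""
    if not (0 < k < p - 1) or gcd(k, p - 1) != 1:
        raise ValueError("k must be invertible modulo p-1")
    r = pow(g, k, p)
    s = (m - a * r) * pow(k, -1, p - 1) % (p - 1)
    return r, s

def verify(p, g, y, m, sig):
    """Accept iff y^r * r^s == g^m (mod p), after rejecting out-of-range values."""
    r, s = sig
    if not (0 < r < p and 0 <= s < p - 1):
        return False
    return pow(y, r, p) * pow(r, s, p) % p == pow(g, m, p)

def reused_k(signed):
    """Return the r values that occur with more than one distinct (m, s).

    r = g^k mod p determines k because g has order p-1, so a repeated r
    under one key means the signer used the same k twice.
    """
    seen = {}
    for m, (r, s) in signed:
        seen.setdefault(r, set()).add((m, s))
    return sorted(r for r, uses in seen.items() if len(uses) > 1)

# Parameters from slide 48; messages 101 and 102 and k = 215 are constructed.
P, G, A = 467, 2, 127
Y = pow(G, A, P)                          # public value y_a = g^a mod p
LOG = [(100, sign(P, G, A, 100, 213)),
       (101, sign(P, G, A, 101, 213)),    # same k again: must be flagged
       (102, sign(P, G, A, 102, 215))]    # fresh k
print(LOG, reused_k(LOG))
```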
50 The Digital Signature Algorithm
- Let p be an L-bit prime,
- $512 \le L \le 1024$ and $L \equiv 0 \pmod{64}$,
- let q be a 160-bit prime that divides p-1 and
- Let $\alpha \in Z_p$ be a q-th root of 1 modulo p.
- Let $\mathcal{P} = Z_{p-1}$,
- $\mathcal{A} = Z_q \times Z_q$ and
- $\mathcal{K} = \{(p,q,\alpha,x,y) : y = \alpha^x \bmod p\}$.
- The values $\alpha, y$ are the public key.
- $x$ is the private key.
51 The Digital Signature scheme
- Signing
- Let $m \in Z_{p-1}$ be a message.
- For $K = (p,q,\alpha,x,y)$, $y = \alpha^x \bmod p$, and secret random number $k \in Z_{p-1}$, define $sig_K(m,k) = (s,t)$, where
- $s = (\alpha^k \bmod p) \bmod q$
- $t = (SHA1(m) + xs)k^{-1} \bmod q$
- Verification
- Let
- $e_1 = SHA1(m)\, t^{-1} \bmod q$
- $e_2 = s\, t^{-1} \bmod q$
- $ver_K(m,(s,t)) = \text{true} \iff (\alpha^{e_1} y^{e_2} \bmod p) \bmod q = s$.
52 The Digital Signature scheme
- Verification continued
- Check
- $(\alpha^{e_1} y^{e_2} \bmod p) \bmod q = (\alpha^{SHA1(m)\, t^{-1}} y^{s t^{-1}} \bmod p) \bmod q$
- $= (\alpha^{SHA1(m)\, t^{-1}} \alpha^{x s t^{-1}} \bmod p) \bmod q$
- $= (\alpha^{(SHA1(m) + xs)\, t^{-1}} \bmod p) \bmod q$
- $= (\alpha^k \bmod p) \bmod q = s$