Computer Security Cryptography an introduction - PowerPoint PPT Presentation

About This Presentation
Title:

Computer Security Cryptography an introduction

Description:

where w r-1 is the previous state. 11/22/09. 11. Iterated cipher ... g([Li-1,Ri-1 ]),Ki ) = (Li ,Ri), where. Li = Ri-1 and Ri = Li-1 XOR f (Ri-1, Ki). 11/22/09 ... – PowerPoint PPT presentation

Number of Views:81
Avg rating:3.0/5.0
Slides: 53
Provided by: mikebur
Learn more at: http://www.cs.fsu.edu
Category:

less

Transcript and Presenter's Notes

Title: Computer Security Cryptography an introduction


1
Computer SecurityCryptography an introduction
2
Encryption
  • key KE
    key KD
  • x plaintext
    y ciphertext
    original plaintext x

    . encryption

    decryption

  • Eavesdropper

3
Encryption
  • A cryptosystem involves
  • an encryption algorithm E, and a
  • a decryption algorithm D
  • Both algorithms make use of a key.
  • Let KE be the encryption key and KD the
    decryption key.
  • For symmetric cryptosystems the same key is used
    both
  • encryption and decryption KE KD.

4
Encryption
  • If P is the plaintext message, C the ciphertext,
    then for
  • symmetric cryptosystems
  • C E (K,P) and P D (K,E (K,P))
    D (K,C)
  • For an asymmetric cryptosystem
  • C E (KE,P) and P D (KD,E (KE,P))
    D (KD,C)

5
Kerchoffs assumption
  • The adversary knows all details of the
  • encrypting function except the secret key

6
Symmetric key encryption
  • There are two types of cipher systems
  • Stream ciphers,
  • Block ciphers.

7
Stream ciphers

  • Encryption

x ISSOPMI
y wdhuvad
Key KE
8
Block ciphers
x XNE OIG TPH YRK

y


.
Key KE wdm .

hut

vap

dgd



  • Encryption

9
Block ciphersAn overview of the DES Algorithm
  • DES is an iterated block cipher with
  • 16 rounds,
  • block length 64 bits and
  • key length 56 bits

10
Iterating Block ciphers
  • 1. Iterated block cipher
  • Random (binary) key K ? round keys
    K1,..., KNr,


2. Round function g w r g(w r-1, K
r), where w r-1 is the previous state
11
Iterated cipher

Encryption operation w0 ? x (x
plaintext) w1 g(w0, K1), w2 g(w1,
K2), wNr g(wNr-1, KNr), y ? wNr
(y ciphertext)
12
Iterated cipher
  • For decryption we must have
  • g(.,K) must be invertible for all K
  • Then decryption is the reverse of encryption
  • (bottom-up)

13
Data Encryption Standard
  • DES is a special type of iterated cipher called a
  • Feistel cipher.
  • Block length 64 bits
  • Key length 56 bits
  • Ciphertext length 64 bits

14
DES
  • The round function is
  • g(Li-1,Ri-1 ),Ki ) (Li ,Ri),
  • where
  • Li Ri-1 and Ri Li-1 XOR f (Ri-1, Ki).

15
DES round encryption
16
DES inner function
17
DES computation path
18
Inner function f
  • Combine 32 bit input and 48 bit key into 32 bit
    output
  • Expand 32 bit input to 48 bits
  • XOR the 48 bit key with the expanded 48 bit input
  • Apply the S-boxes to the 48 bit input to produce
    32 bit output
  • Permute the resulting 32 bits

19
S Boxes
  • There are 8 different S-Boxes,1 for each chunk
  • S-box process maps 6 bit input to 4 bit output
  • S box performs substitution on 4 bits
  • There are 8 possible substitutions in each S box
  • Inner 4 bits are fed into an S box
  • Outer 2 bits determine which substitution is used

20
Decrypting DES
  • DES (and all Feistel structures) is reversible
    through a
  • reverse encryption because
  • No input data is mangled and passed to the output
  • The properties of XOR
  • S-boxes are not reversible (and don't need to be)
  • Everything needed (except the key) to produce the
    input
  • to the n-1th step is available from the
    output of the nthstep.
  • 4. The input to the nth step is the output of the
    n-1th step.
  • 5. Work backwards to step 1.

21
Attacks on DES
  • Brute force
  • Linear Cryptanalysis
  • -- Known plaintext attack
  • Differential cryptanalysis
  • Chosen plaintext attack
  • Modify plaintext bits, observe change in
    ciphertext
  • No dramatic improvement on brute force

22
Countering Attacks
  • Large keyspace combats brute force attack
  • Triple DES (say EDE mode, with usually 2 keys)
  • Use AES

23
Modes of operation
  • Four basic modes of operation are available for
  • block ciphers
  • Electronic codebook mode ECB
  • Cipher block chaining mode CBC
  • Cipher feedback mode CFB
  • Output feedback mode OFB

24
Electronic Codebook mode, ECB
  • Each plaintext xi is encrypted with the same key
    K
  • yi eK(xi).
  • So, the naïve use of a block cipher.

25
ECB
x1
x2
x3
x4
DES
DES
DES
DES
y4
y3
y2
y1
26
Cipher Block Chaining mode, CBC
  • Each cipher block yi-1 is xor-ed with the next
    plaintext xi
  • yi eK(yi-1 XOR
    xi)
  • before being encrypted to get the next plaintext
    yi.
  • The chain is initialized with
  • an initialization vector y0 IV
  • with length, the block size.

27
CBC
x1
x2
x3
x4
IV




DES
DES
DES
DES
y4
y3
y2
y1
28
Cipher and Output feedback modes (CFB OFB)
  • CFB
  • z0 IV and recursively
  • zi eK(yi-1) and yi xi
    XOR zi
  • OFB
  • z0 IV and recursively
  • zi eK(zi-1) and yi xi
    XOR zi

29
CFB mode
x1
x2
IV
eK
eK

eK

y1
y2
30
OFB mode
IV
eK
eK
x1
x2


y1
y2
31
Double Triple DES
  • Double DES C E(k2,E(k1,m))
  • Triple DES C
    E(k1,D(k2,E(k1,m)

32
AES
  • Block length 128 bits.
  • Key lengths 128 (or 192 or 256).
  • The AES is an iterated cipher with Nr10 (or 12
    or 14)
  • In each round we have
  • Subkey mixing State ? Roundkey XOR State
  • A substitution SubBytes(State)
  • A permutation ShiftRows(State)
    MixColumns(State)

33
One time pad
  • This is a binary stream cipher whose key
    stream is a random stream.
  • This cipher has perfect secrecy.

34
One time pad
  • The One-Time-Pad is a Stream Cipher for which
  • The plaintext x e P, ciphertext y e C and key K e
    K are
  • all binary n-tuples.
  • P C K 0,1n
  • and
  • eK(x) (x1K1, , xnKn) mod 2
  • Decryption is identical to encryption
  • dK(x) (y1K1, , ynKn) mod 2

35
Asymmetric key encryptionPublic Key Cryptography
36
Public Key Cryptography
  • Alice
    Bob

Alice and Bob want to exchange a private key in
public.
37
Public Key CryptographyThe Diffie-Hellman
protocol
  • Alice ga mod p
    Bob
  • gb mod p
  • where p is a prime and g a number which has
    order p-1.
  • The private key is gab mod p


38
Public Key CryptographyEncryption schemes
  • Let
  • P be the set of all plaintext messages
  • C be the set of ciphertexts
  • K be the set of all keys

39
The RSA cryptosystem
  • Let n pq, where p and q are primes.
  • Let P C 1,2, ,n, and define
  • K (n,p,q,e,d) ed 1 mod f(n) .
  • where f(n) (p-1)(q-1).
  • For each key K (n,p,q,e,d), define
  • c eK(m) me mod n
  • and
  • dK(c) cd mod n,
  • where 1 ? m,c ? n .
  • Public key (n,e), Private key (n,d).

40
Check
  • We have ed 1 mod f(n), so ed 1 tf(n).
  • Therefore,
  • dK(eK(m)) (me)d med m tf(n)1
  • (mf(n)) t m 1.m m
    mod n

41
Example
  • p 101, q 113, n 11413.
  • f (n) 100x112 11200 26527
  • For encryption use e 3533.
  • Then d e-1 mod11200 6597.
  • Bob publishes n 11413, e 3533.
  • Suppose Alice wants to encrypt 9726.
  • She computes 97263533 mod 11413 5761
  • To decrypt it Bob computes
  • 57616597 mod 11413 9726

42
Security of RSA
  • Relation to factoring.
  • Recovering the plaintext m from an RSA
    ciphertext c is
  • easy if factoring is possible.
  • The RSA problem
  • Given (n,e) and c, compute m such that me c
    mod n

43
Digital Signatures
44
Public Key CryptographySignature schemes
  • Let
  • P be the set of all messages
  • S be the set of signatures
  • K be the set of all keys

45
The RSA digital signature
  • Let n pq, where p and q are primes.
  • Let P S 1,2, ,n , and define
  • K (n,p,q,e,d) ed 1 mod f(n) .
  • For each key K (n,p,q,e,d), define
  • sigK(m) md mod n
  • and
  • verK(m,y) true ye m mod
    n,
  • where (m,y) e Zn.
  • Public key (n,e), Private key (n,d).

46
The ElGamal signature scheme
  • Let p be a prime and g an integer of order
    p-1.
  • Let P 0,1, , p-1,
  • A 0,1, , p-1 x 0,1, , p-1 and
  • K (p,g,a,ya) ya ga modp .
  • The values p,g,ya are the public key.
  • a is the private key.

47
The ElGamal signature scheme
  • Signing
  • Let m, 0 ? m ? p-1, be a message.
  • For a key K (p,g,a,ya) with ya ga mod p,
    and a secret random number k , 0 ? k ? p-1, such
    that gcd(k,p-1) 1, define sigK(m,k) (s,t),
    where
  • r gk mod p
  • s (m-ar)k-1 mod p-1
  • Verification
  • verK(m,(r,s)) true
    yarrs gm modp .

48
Toy example
  • Let p 467, g 2, x 127,
  • message m 100,
  • Choose k 213. Then k-1mod 466 431.
  • The signature is
  • r 2213 mod 467 29
  • s (m-ar)k-1 mod(p-1) (100-127x29)431 mod 466
    51
  • Verification 2100 ?? 132292951 mod 467

49
The security of the ElGamal signature
  • If the Discrete Logarithm problem can be solved
    then ElGamal signatures can be forged.
  • The converse may not be true.
  • The exponent k must be
  • private
  • cannot be used twice
  • best chosen at random.

50
The Digital Signature Algorithm
  • Let p be a an L-bit prime prime,
  • 512 ? L ? 1024 and L ? 0 mod 64 ,
  • let q be a 160-bit prime that divides p-1 and
  • Let ? e Zp be a q-th root of 1 modulo p.
  • Let P Zp-1,
  • A Zq x Zq and
  • K (p,q,?,x,y) y ? x modp .
  • The values ?,y are the public key.
  • x is the private key.

51
The Digital Signature scheme
  • Signing
  • Let m e Zp-1 be a message.
  • For K (p,q,?,x,y) y ?x mod p , and
    secret random
  • number k e Zp-1, define sigK(m,k) (s,t),
    where
  • s (?k mod p) mod q
  • t (SHA1(m)xs)k-1mod q
  • Verification
  • Let
  • e1 SHA1(m) t-1 mod q
  • e2 st-1 mod q
  • verK(m,(s,t)) true
    (?e1 ye2 mod p) mod q s).

52
The Digital Signature scheme
  • Verification continued
  • Check
  • (?e1 ye2 mod p) mod q (? SHA1(m) t-1 y
    st-1mod p) mod q
  • (?
    SHA1(m) t-1 ? xst-1mod p) mod q
  • (?
    SHA1(m) t-1 ? xst-1mod p) mod q
  • (?
    (SHA1(m) xs)t-1mod p) mod q
  • (? k mod
    p) mod q s
Write a Comment
User Comments (0)
About PowerShow.com