Cryptography/Cryptanalysis, II - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
Cryptography/Cryptanalysis, II
  • CS 436/636/736
  • February 27, 2006

2
Main References (this lecture)
  • Applied Cryptography, 2/e, Schneier, Wiley
  • Material from several chapters adapted for this
    set of lectures
  • GNU Privacy Guard manual and web pages (more info
    on this provided later)
  • Wikipedia (several, mentioned as lecture
    progresses)
  • Material from the course text (Chapter 8)

3
Topical Notes - QC/QIP/QE
  • Quantum Computing / Quantum Information
    Processing
  • http://www.magiqtech.com/products/whatisqip.php
  • Many articles and scholarly papers are in the
    literature
  • Quantum Encryption
  • http://www.magiqtech.com/products/whatisqip.php#cryptography
  • http://www.cookiecentral.com/quantum-encryption.htm
  • http://www.eetimes.com/story/OEG20031125S0047
  • http://www.securitydocs.com/library/3230
  • See also Scientific American, http://www.sciam.com/

4
Topical Notes, II - Efforts to Break Enigma
(further)
  • Recent efforts to break Enigma (courtesy of M.
    Curry), ciphertext only
  • http://www.bytereef.org/m4_project.html (M4
    project)
  • Original attacks were known plaintext attacks
    (Polish mathematicians, Bletchley Park UK), and
    relied partially on errors/limitations of how
    Enigma was used
  • Clever, extremely innovative cryptanalysis and
    mechanical systems (bomby/bombe) to find keys and
    help partially decrypt messages
  • Huge potential key space to search, but careful
    and dogged analysis, plus limits on how Enigma
    was deployed, help both the original and the
    current means of breaking it
  • The mathematics and technology of breaking Enigma
    remain an interesting, ongoing discussion area in
    cryptanalysis, despite the passage of 60 years
    since World War II ended.
  • Lots of writeups and literature on this subject
    (e.g., http://math.usask.ca/encryption/lessons/lesson00/page8.html,
    http://en.wikipedia.org/wiki/Cryptanalysis_of_the_Enigma)

5
Enigma Machine (from Wikipedia commons)

6
Outline
  • Crypto Hashes and Collisions
  • DES
  • IDEA
  • DSA
  • RSA
  • PGP
  • Gnu Privacy Guard
  • Web of Trust (Intro)
  • Summary

7
Cryptographic Hashes
  • Related to one-way functions, but have slightly
    different properties
  • I. Preimage resistant: given a hash h = f(x), it
    should be hard to find x.
  • II. Second preimage resistant: given h1 = f(x1), it
    should be hard to find x2 such that f(x2) = h1.
  • III. Collision resistant: it should be difficult
    to find any two messages x1 and x2 that have the
    same hash
  • Because of the birthday attack, a hash must be at
    least twice as long to be collision resistant as
    it needs to be to satisfy II.
  • Ref http://en.wikipedia.org/wiki/Cryptographic_hash_function
  • http://en.wikipedia.org/wiki/Birthday_attack

8
Birthday attack (cf. Wikipedia)
  • Alice prepares a valid contract (m) and a set of
    similar ones, all valid, that differ by cosmetic
    differences only. She also creates a set of
    fraudulent contracts (m') and cosmetic variants
    of these. Then she computes the hash function
    over all of them, until she finds any pair where
    f(valid contract m clone) = f(fraudulent
    contract m' clone).
  • The valid contract is signed, but the fraudulent
    one can be substituted. Bob is cheated, since
    the hashes match.
  • If Bob changes the contract on receipt
    cosmetically before signing, to prevent the
    attack, Alice may suspect Bob of the same attack.
  • This means that collisions have to be relatively
    expensive to find, so a long cryptographic hash
    is needed, as the expected work to find a
    collision grows only as sqrt(n).

9
MD5
  • Message Digest Algorithm 5
  • Replaced MD4, when issues were found with it
  • Ronald Rivest, 1991 (cf. RSA)
  • Flaws found in 1996 and 2004, etc.
  • Now only safe for checking that files downloaded
    correctly; very fast algorithms for breaking it
    now exist
  • Example digests (e.g., md5sum; Wikipedia has code
    too)
  • MD5("The quick brown fox jumps over the lazy
    dog") = 9e107d9d372bb6826bd81d3542a419d6
  • MD5("The quick brown fox jumps over the lazy
    cog") = 1055d3e698d289f2af8663725127bd4b
  • Ref http://en.wikipedia.org/wiki/MD5
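
The three hash properties on slide 7, Alice's contract attack on slide 8 and the MD5 digests on slide 9, as an added Python example (not from the lecture): it checks the two quoted MD5 values, then runs the birthday search against a 24-bit truncated digest to show that a cross-set collision turns up after roughly 2^(24/2) = 4096 trials, which is why a digest must be twice as long for collision resistance as for second-preimage resistance. The sample contracts, the truncation and the "extra space" variant generator are constructed for illustration.

```python
import hashlib

BITS = 24  # toy digest length; the birthday bound is about 2**(BITS/2) trials

def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()

def short_hash(text: str, bits: int = BITS) -> int:
    """Model a short digest by keeping the top `bits` bits of MD5 (toy truncation)."""
    return int(md5_hex(text), 16) >> (128 - bits)

def cosmetic_variant(contract: str, i: int) -> str:
    """Variant i of a contract: bit j of i decides whether word gap j gets one or two
    spaces. Every variant reads the same to a human, which is what Alice exploits."""
    words = contract.split(" ")
    out = words[0]
    for j, word in enumerate(words[1:]):
        out += ("  " if (i >> j) & 1 else " ") + word
    return out

def birthday_collision(valid: str, fraud: str, bits: int = BITS):
    """Find a valid-variant / fraud-variant pair with equal short hash.
    Returns ((valid_variant, fraud_variant), trials) or (None, trials)."""
    n = 1 << (bits // 2)                   # about sqrt(2**bits) variants of the valid text
    table = {short_hash(cosmetic_variant(valid, i), bits): i for i in range(n)}
    for j in range(64 * n):                # a hit is expected after roughly n trials
        h = short_hash(cosmetic_variant(fraud, j), bits)
        if h in table:
            return (cosmetic_variant(valid, table[h]), cosmetic_variant(fraud, j)), j + 1
    return None, 64 * n

# Constructed sample contracts (24 and 29 words, so enough gaps to index every variant).
VALID = ("Alice agrees to pay Bob one hundred dollars on the first day of March "
         "for the bicycle described in the attached schedule of goods")
FRAUD = ("Alice agrees to pay Bob one dollar on the first day of March for the "
         "bicycle described in the attached schedule of goods and Bob waives all other claims")

if __name__ == "__main__":
    pair, trials = birthday_collision(VALID, FRAUD)
    print(f"collision on the {BITS}-bit digest after {trials} trials (bound ~{1 << (BITS // 2)})")
    print("full 128-bit MD5 still differs:", md5_hex(pair[0]) != md5_hex(pair[1]))
```

Raising BITS by two roughly doubles the trials needed, while a preimage search on the same digest would need about 2**BITS; that gap is the slide's "at least twice as long" rule.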

10
SHA-1
  • Secure Hash Standard
  • SHA-1 replaced SHA-0, NIST standard 1993
  • Some attacks have been shown, but still extremely
    difficult in practice
  • SHA-1 will be phased out by NIST by 2010
  • Other SHAs have longer keys

11
Collision Attacks on Cryptographic Hashes
  • Main points
  • Collision attacks are possible
  • MD5 has flaws, SHA-1 has flaws
  • Trust who you communicate with remains a key
    aspect of security
  • Collisions/weaknesses in MD5 vs. SHA-1
  • http://en.wikipedia.org/wiki/MD5
  • http://www.venge.net/monotone/docs/Hash-Integrity.html
  • http://www.cryptography.com/cnews/hash.html

12
DES/DEA
  • DES is Data Encryption Standard, 1976
  • Based on Data Encryption Algorithm (DEA)
  • 56-bit key, 64-bit block
  • Block cipher symmetric key cipher, works on
    fixed-length group of bits
  • Triple DES is a common strategy: keeps the
    algorithm, increases the key space (2 keys, 112
    bits); triple encrypts with two keys.
  • AES is the replacement for DES, Advanced Encryption
    System
  • Ref http://en.wikipedia.org/wiki/Block_cipher

13
AES Advanced Encryption System
  • Block cipher
  • Fixed block size of 128-bits
  • Key size of 128, 192, or 256 bits
  • Used by OpenSSL
  • Attacks exist against implementations that leak
    information
  • Rijndael algorithm is a superset/close relative
  • Ref http://en.wikipedia.org/wiki/Advanced_Encryption_Standard

14
IDEA Int. Data Encryption Alg.
  • Block cipher
  • 128-bit block, 64-bit key
  • Used in PGP; non-commercial uses OK
  • Optional in OpenPGP; not used in GPG
  • Patented in some countries to 2010-2011
  • Replacement: IDEA NXT (FOX)
  • Ref http://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm,
    http://en.wikipedia.org/wiki/FOX_(cipher)

15
RSA
  • Algorithm for Public Key encryption (patented),
    1977
  • Invented by Rivest, Shamir, and Adleman at MIT
    (R, S, A)
  • Cocks (British mathematician) developed a similar
    version in secret in 1973, revealed in 1997
  • Can be used with one key for signing, another key
    for encryption
  • Develops a shared secret via prime numbers and
    modular arithmetic
  • Minimum of 1,024-bit keys recommended, given
    brute force attack potential (My IE6 has 128-bit
    encryption, by comparison)
  • Padding an essential aspect of security
  • Ref http://en.wikipedia.org/wiki/RSA
  • RSA http://www.rsasecurity.com/
  • RSAlabs http://www.rsasecurity.com/rsalabs/
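
The slide's points that RSA rests on primes and modular arithmetic, that one key can sign while another encrypts, and that padding is essential, as an added Python example (not from the lecture): textbook RSA with constructed toy Mersenne primes, a separate signing key pair, and a simplified random-prefix padding that stands in for PKCS#1 (it is not the real format). The demo shows the two defects of unpadded RSA that padding removes: equal plaintexts give equal ciphertexts, and ciphertexts multiply.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy Mersenne primes; real keys use random primes with n >= 1024 bits (slide).
P_ENC, Q_ENC = 2**127 - 1, 2**89 - 1    # encryption key pair, modulus about 216 bits
P_SIG, Q_SIG = 2**107 - 1, 2**61 - 1    # separate signing key pair, modulus about 168 bits
MSG_BITS = 32                             # fixed-width message field inside the padded block

def make_keypair(p, q, e=65537):
    """Textbook RSA: n = p*q, d = e^-1 mod (p-1)(q-1); returns (public, private)."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(e, phi) == 1
    return (n, e), (n, pow(e, -1, phi))

def encrypt_textbook(m, pub):
    n, e = pub
    return pow(m, e, n)                   # deterministic: equal m always gives equal c

def decrypt_textbook(c, priv):
    n, d = priv
    return pow(c, d, n)

def encrypt_padded(m, pub):
    """Prepend 64 random bits before exponentiating (a simplified stand-in for PKCS#1
    padding, not the real format): the same m now yields a different c every time."""
    r = int.from_bytes(secrets.token_bytes(8), "big")
    return encrypt_textbook((r << MSG_BITS) | m, pub)

def decrypt_padded(c, priv):
    return decrypt_textbook(c, priv) & ((1 << MSG_BITS) - 1)   # strip the random prefix

def sign(message: bytes, priv):
    """Sign SHA-1(message) with the signing key; SHA-1 only because 160 bits fit the toy n."""
    return decrypt_textbook(int.from_bytes(hashlib.sha1(message).digest(), "big"), priv)

def verify(message: bytes, sig, pub):
    return encrypt_textbook(sig, pub) == int.from_bytes(hashlib.sha1(message).digest(), "big")

def demo():
    enc_pub, enc_priv = make_keypair(P_ENC, Q_ENC)
    sig_pub, sig_priv = make_keypair(P_SIG, Q_SIG)
    m, n = 123456789, P_ENC * Q_ENC
    deterministic = encrypt_textbook(m, enc_pub) == encrypt_textbook(m, enc_pub)
    c1, c2 = encrypt_padded(m, enc_pub), encrypt_padded(m, enc_pub)
    randomized = c1 != c2 and decrypt_padded(c1, enc_priv) == decrypt_padded(c2, enc_priv) == m
    # Without padding ciphertexts multiply: c(3)*c(5) mod n decrypts to 15 (malleability).
    malleable = decrypt_textbook(encrypt_textbook(3, enc_pub) * encrypt_textbook(5, enc_pub) % n, enc_priv) == 15
    sig = sign(b"pay Bob $100", sig_priv)
    return deterministic, randomized, malleable, verify(b"pay Bob $100", sig, sig_pub), verify(b"pay Bob $900", sig, sig_pub)
```

demo() returns (True, True, True, True, False): unpadded encryption is deterministic and malleable, the padded form is neither, and the signature verifies only for the original message.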

16
DSA Digital Signature Algorithm
  • US Government standard for digital signatures
  • Patented, but royalty free
  • Builds on SHA-1 building block
  • Builds public/private key just for signature
  • Related to Elgamal signature scheme
  • Ref http://en.wikipedia.org/wiki/Digital_Signature_Algorithm

17
ElGamal Signature
  • Asymmetric key encryption algorithm for PKE
  • Uses Diffie-Hellman key agreement algorithm
  • A single plaintext can be encrypted with several
    ciphertexts (probabilistic methods)
  • Used with GnuPG, Related to DSA
  • Vulnerable to chosen ciphertext attack
  • Ref http://en.wikipedia.org/wiki/ElGamal

18
PGP Pretty Good Privacy
  • Zimmermann created it; lots of legal wrangling
    ensued with RSA
  • Built in response to concerns about lack of privacy
  • Windows/Unix clients (used flaky IDEA originally)
  • Spawned OpenPGP effort, now IETF supported RFCs
  • Original had international and US legal
    versions after wrangling
  • Original merged with / demerged from NAI (now McAfee)
  • PGP is now a standalone company again, commercial
  • OpenPGP is a standard (RFC)
  • Ref http://en.wikipedia.org/wiki/Pretty_Good_Privacy

19
GnuPG Gnu Privacy Guard
  • Free tool used to replace original PGP 2.6
  • Implements OpenPGP (RFC 2440)
  • Does not use IDEA algorithm
  • Uses DSA/Elgamal
  • Open source, ported widely
  • http://www.gnupg.org/
  • Often bundled with Linux, Windows client easy to
    install
  • We will use this extensively in this class

20
Web of Trust
  • Used by PGP, GnuPG (PGP), and OpenPGP to establish
    the authenticity of the user <-> key binding, i.e.,
    that a key purportedly of a user is really that
    user's.
  • Alternative to having a single authority (central
    trust): Trent / CA
  • Identity certificates in OpenPGP: owner info and
    public key
  • If three partially trusted endorsers endorse a
    certificate, or one fully trusted endorser
    endorses it, then that certificate is trusted
  • Parametrically settable (can require more partial
    trust, or not accept it at all)
  • You can be up to four steps removed in a web of
    trust and still use that to endorse someone, but
    beyond four it won't work
  • Using keyservers is helpful for centrally storing
    info, even though there is no CA.
  • Ref http://en.wikipedia.org/wiki/Web_of_trust
  • See also Gossamer web of trust -
    http://www.gswot.org/siteframe/
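
The trust rules on this slide (three partial endorsers or one full endorser, adjustable thresholds, at most four steps removed), as an added Python example that is a simplified model and not GnuPG's own code: it computes which keys in a constructed sample keyring become valid and at what depth. The knobs correspond to GnuPG's --marginals-needed, --completes-needed and --max-cert-depth options, which default to 3, 1 and 5 in GnuPG; the slide's "four steps" is used as the default here.

```python
from collections import defaultdict

# Ownertrust levels as on the slide: how far we trust a key holder to vouch for others.
ULTIMATE, FULL, MARGINAL = "ultimate", "full", "marginal"

def compute_validity(signatures, ownertrust, marginals_needed=3,
                     completes_needed=1, max_cert_depth=4):
    """Return {key: depth} for every key whose certificate ends up accepted as valid.

    signatures: (signer, signed) pairs, meaning signer has endorsed signed's key.
    ownertrust: {key: level}; our own key is ULTIMATE and is valid at depth 0.
    A key becomes valid once, among the keys that signed it and are themselves valid,
    at least `completes_needed` carry FULL/ULTIMATE trust or at least `marginals_needed`
    carry MARGINAL trust. Validity spreads at most `max_cert_depth` steps from our key.
    """
    signers_of = defaultdict(set)
    for signer, signed in signatures:
        signers_of[signed].add(signer)
    valid = {k: 0 for k, level in ownertrust.items() if level == ULTIMATE}
    for depth in range(1, max_cert_depth + 1):
        newly = {}
        for key, signers in signers_of.items():
            if key in valid:
                continue
            trusted = [ownertrust.get(s) for s in signers if s in valid]
            completes = sum(t in (FULL, ULTIMATE) for t in trusted)
            marginals = sum(t == MARGINAL for t in trusted)
            if completes >= completes_needed or marginals >= marginals_needed:
                newly[key] = depth
        if not newly:
            break
        valid.update(newly)
    return valid

# Constructed sample keyring: "me" is our own key.
SIGNATURES = [
    ("me", "alice"), ("me", "bob"), ("me", "carol"), ("me", "dave"),
    ("alice", "erin"),                                        # one fully trusted endorser
    ("bob", "frank"), ("carol", "frank"), ("dave", "frank"),  # three marginal endorsers
    ("bob", "grace"), ("carol", "grace"),                     # only two marginal endorsers
    ("erin", "hal"), ("hal", "ivy"), ("ivy", "judy"),         # judy is five steps from "me"
]
OWNERTRUST = {"me": ULTIMATE, "alice": FULL, "bob": MARGINAL, "carol": MARGINAL,
              "dave": MARGINAL, "erin": FULL, "hal": FULL, "ivy": FULL}

if __name__ == "__main__":
    for key, depth in sorted(compute_validity(SIGNATURES, OWNERTRUST).items()):
        print(f"{key}: valid at depth {depth}")
```

grace (two marginal endorsers) and judy (five steps out) stay invalid under the defaults; lowering marginals_needed to 2 or raising max_cert_depth to 5 admits them, which is the slide's "parametrically settable".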

21
Key Server
  • Holds public keys and signings of those keys
  • Corresponds with ASCII-armored PGP key exports,
    as produced by GnuPG and OpenPGP compliant
    systems
  • Try http://pgp.mit.edu/
  • Look at my public key at
  • http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x2EF66A1D
    Or by searching for me by name, and
    then selecting my UAB key.

22
ASCII armored public key (tony_at_cis.uab.edu)
Public Key Server -- Get 0x2EF66A1D
23
Summary
  • Culture topics: Enigma, QIP
  • Hashes, MD5, SHA-1, open issues
  • Several PK systems, notably RSA
  • PGP, GnuPG: important historical and current systems
  • Keep using longer keys, and longer hashes, to
    keep up with smart computer/mathematical attacks
  • Patents ending, so era of restriction for some
    legal reasons ending, other legal issues remain
  • Web of Trust, keyservers important, alternatives
    to CAs. No perfect solution
  • There is no substitute for trust, despite all the
    efforts with encryption and signing