Computer Security Basic Crypto

1
Computer SecurityBasic Crypto
2
Introduction

• Cryptosystem (E,D,M,K,C)
• M is the set of plaintexts
• K the set of keys
• C the set of ciphertexts
• E M ? K? C the set of enciphering
  
• 
  functions
• D C ? K? M the set of deciphering
• 
  functions

3
Introduction

• Shift Cipher M C K Z26, with
• -- eK(x) x K mod26
• -- dK(y) y K mod26
• where x,y is in Z26
• Substitution Cipher P C Z26, with K
• the set of permutations p on Z26 and
• -- ep(x) p(x)
• -- dp(y) p-1(y).

4
CryptosystemsBlock ciphers

• The Shift Cipher and Substitution Cipher are
  block
• ciphers successive plaintext elements (blocks)
  are
• encrypted using the same key.
• We now consider some other block ciphers.
• The Affine Cipher, is a special case of the
• Substitution Cipher with
• -- eK(x) ax b mod26
• -- dK(y) a-1y - a-1b mod26
• where a,b x,y is in Z26 and x is
  invertible.

5
Block ciphers

• The Vigenere Cipher is polyalphabetic.
• Let m gt 1
• M C K (Z26)m
• For a key K (k1, , km)
• -- eK(x1,, xm) (x1 k1, , xm km)
• -- dK (y1,, ym) (y1 - k1, , ym - km)
• where all operations are in Z26.

6
Block ciphers

• The Hill Cipher is also polyalphabetic.
• Let m gt 1
• M C (Z26)m , K is the set of all m by m
  invertible matrices over (Z26)m
• For a key K
• -- eK(x) xK
• -- dK (y) yK-1
• with all operations are in Z26.

7
Block ciphers

• The Permutation Cipher. Let m gt 1
• M C (Z26)m ,
• K is the set of all permutations of 1,,m.
• For a key (permutation) p
• -- ep(x1,, xm) (xp(1),, xp(m))
• -- dp(y1,, ym) (yp-1(1),, yp-1(1))
• where p-1(1) is the inverse of p.

8
Stream Ciphers

• The ciphers considered so far are block ciphers.
• Another type of cryptosystem is the stream cipher.

9
Stream Ciphers

• A synchronous stream cipher is a tuple
  (E,D,M,C,K,L,) with a function g such that
• M, C, K, E, D are as before.
• L is the keysteam alphabet
• g is the keystream generator it takes as input a
  key K and outputs an infinite string
• z1, z2,
• called the keystream, where zi are in L.
• For each zi are in L there is an encryption rule
  ez in E, and a decryption rule dz in D such
  that
• dz (ez(x)) x
• for all plaintexts x in M.

10
Stream Ciphers

• The Linear Feedback Shift Register or LFSR.
• The keystream is computed as follows
• Let (k1, k2, ,km) be the initialized key
  vector at
• time t.
• At the next time unit the key vector is updated
  as follows
• -- k1 is tapped as the next keystream bit
• -- k2, , km are each shifted one place
  to the left
• -- the new value of km is computed by
• m-1
• km1 S cj kj1
• j0

11
Stream Ciphers

• Let x1, x2, be the plaintext (a binary
  string).
• Then the ciphertext is
• y1, y2,
• where yi, xi ki, for i1,2, and the sum
• is bitwise xor .

12
Cryptanalysis Attacks on Cryptosystems

• Ciphertext only attack the opponent possesses a
  string of ciphertexts y1, y2,
• Known plaintext attack the opponent possesses a
  string of plaintexts x1, x2, and the
  corresponding string of ciphertexts y1, y2,

13
Attacks on Cryptosystems

• Chosen plaintext attack the opponent can choose
  a string of plaintexts x1, x2, and obtain the
  corresponding string of ciphertexts y1, y2,
• Chosen ciphertext attack the opponent can choose
  a string of ciphertexts y1, y2, and construct
  the corresponding string of plaintexts x1, x2,

14
Cryptanalysis

• Cryptanalysis of the shift cipher and
  substitution cipher
• Ciphertext attack -- use statistical
  properties of the language
• Cryptanalysis of the affine and Vigenere cipher
• Ciphertext attack -- use statistical
  properties of the language
• Attacks on the affine and Vigenere cipher
• Ciphertext attack -- use statistical
  properties of the language

15
Cryptanalysis

• Cryptanalysis of the Hill cipher
• Known plaintext attack
• Cryptanalysis of the LFSR stream cipher
• Known plaintext attack

16
One time pad

• This is a binary stream cipher whose key
  stream is a random stream
• This cipher has perfect secrecy

17
Security

• Computational security
• Computationally hard to break requires
  super-polynomial computations (in the length of
  the ciphertext)
• Provable security
• Security is reduced to a well studied
  problem though to be hard, e.g. factorization.
• Unconditional security
• No bound on computation cannot be broken
  even with infinite power/space.
• Only way to break is by lucky guessing.

18
Some Probability Theory

• The random variables X,Y are independent
• if
• Prx,y Prx . Pry, for all x,y
  in X
• In general,
• Prx,y Prxy . Pry
• Pryx . Prx, for all
  x,y in X

19
Some Probability Theory

• Bayes Law
• Prxy
• Corollary
• X,Y are independent random variables (r.v.)
• iff
• Prxy Prx for all x,y in X

Pryx . Prx
---------------- for all x,y in X
Pry
20
Perfect secrecy

• A cryptosystem is perfectly secure if
• Prxy Prx,
• for all x in M and y in C

21
Perfect secrecy

• Theorem
• Let KCM for a cryptosystem.
• We have perfect secrecy iff
• Every key is used with equal probability,
• For each x in P and y in C there is a unique key
  K
• in K that encrypts x to y

1
------
K
22
One time pad

• We have K C M Z2n.
• Also given
• x x1,,xn and y y1,,yn,
• the key K K1,,Kn is unique because K xy mod
  2
• Finally all keys are chosen equiprobably.
• Therefore,
• the one time pad has perfect secrecy

23
Kerchoffs assumption

• The adversary knows all details of the
• encrypting function except the secret key

24
DES

• DES is a Feistel cipher.
• Block length 64 bits (effectively 56)
• Key length 56 bits
• Ciphertext length 64 bits

25
DES

• It has a round function g for which
• g(Li-1,Ri-1 ),Ki ) (Li ,Ri),
• where
• Li Ri-1 and Ri Li-1 XOR f (Ri-1, Ki).

26
DES round encryption
27
DES inner function
28
DES computation path
29
Attacks on DES

• Brute force
• Linear Cryptanalysis
• -- Known plaintext attack
• Differential cryptanalysis
• Chosen plaintext attack
• Modify plaintext bits, observe change in
• ciphertext
• No dramatic improvement on brute force

30
Countering Attacks

• Large keyspace combats brute force attack
• Triple DES (say EDE mode, 2 or 3 keys)
• Use AES

31
AES

• Block length 128 bits.
• Key lengths 128 (or 192 or 256).
• The AES is an iterated cipher with Nr10 (or 12
  or 14)
• In each round we have
• Subkey mixing
• A substitution
• A permutation

32
Modes of operation

• Four basic modes of operation are available for
• block ciphers
• Electronic codebook mode ECB
• Cipher block chaining mode CBC
• Cipher feedback mode CFB
• Output feedback mode OFB

33
Electronic Codebook mode, ECB

• Each plaintext xi is encrypted with the same key
  K
• yi eK(xi).
• So, the naïve use of a block cipher.

34
ECB
35
Cipher Block Chaining mode, CBC

• Each cipher block yi-1 is xor-ed with the next
  plaintext xi
• yi eK(yi-1 XOR
  xi)
• before being encrypted to get the next plaintext
  yi.
• The chain is initialized with
• an initialization vector y0 IV
• with length, the block size.

36
CBC
37
Cipher and Output feedback modes (CFB OFB)

• CFB
• z0 IV and recursively
• zi eK(yi-1) and yi xi
  XOR zi
• OFB
• z0 IV and recursively
• zi eK(zi-1) and yi xi
  XOR zi

38
CFB mode
x1
x2
IV
eK
eK

eK

y1
y2
39
OFB mode
IV
eK
eK
x1
x2


y1
y2
40
Public Key Cryptography

• Alice
  Bob

Alice and Bob want to exchange a private key in
public.
41
Public Key Cryptography

• Alice ga mod p
  Bob
• gb mod p
  
• The private key is gab mod p
• where p is a prime and g is a generator of Zp

42
The RSA cryptosystem

• Let n pq, where p and q are primes.
• Let M C Zn, and let
• a,b be such that ab 1 mod f(n).
• Define
• eK(x) xb mod n
• and
• dK(y) ya mod n,
• where (x,y)e Zn.
• Public key (n,b), Private key (n,a).

43
Check

• We have ed 1 mod f(n), so ed 1 tf(n).
• Therefore,
• dK(eK(m)) (me)d med m tf(n)1
• (mf(n)) t m 1.m m
  mod n

44
Example

• p 101, q 113, n 11413.
• f (n) 100x112 11200 26527
• For encryption use e 3533.
• Then d e-1 mod11200 6597.
• Bob publishes n 11413, e 3533.
• Suppose Alice wants to encrypt 9726.
• She computes 97263533 mod 11413 5761
• To decrypt it Bob computes
• 57616597 mod 11413 9726

45
Security of RSA

• Relation to factoring.
• Recovering the plaintext m from an RSA
  ciphertext c is
• easy if factoring is possible.
• The RSA problem
• Given (n,e) and c, compute m such that me c
  mod n

46
The Rabin cryptosystem

• Let n pq, p,q primes with p,q 3 mod 4. Let
  P C Zn
• and define K (n,p,q).
• For K (n,p,q) define
• eK(x) x 2 mod n
• dK(y) mod n
• The value of n is the public key, while p,q are
  the private key.

47
The RSA digital signature scheme

• Let n pq, where p and q are primes.
• Let P A Zn , and define
• e,d such that ed 1 mod f(n).
• Define
• sigK(m) md mod n
• and
• verK(m,y) true y me mod
  n,
• where (m,y) e Zn.
• Public key (n,e), Private key (n,d).

48
The Digital Signature Algorithm

• Let p be a an L-bit prime prime,
• 512 ? L ? 1024 and L ? 0 mod 64 ,
• let q be a 160-bit prime that divides p-1 and
• Let ? e Zp be a q-th root of 1 modulo p.
• Let M Zp-1,
• A Zq x Zq and
• K (x,y) y ? x modp .
• The public key is p,q,?,y.
• The private key is (p,q,?), x.

49
The Digital Signature scheme

• Signing
• Let m e Zp-1 be a message.
• For public key is p,g,?,y, with y ?x mod
  p, and
• secret random number k e Zp-1, define
  sigK(m,k) (s,t), where
• s (?k mod p) mod q
• t (SHA1(m)xs)k-1mod q
• Verification
• Let
• e1 SHA-1(m) t-1 mod q
• e2 st-1 mod q
• verK(m,(s,t)) true
  (?e1 ye2 mod p) mod q s.