Computer Security Cryptography an introduction - PowerPoint PPT Presentation

Slides: 71
Provided by: mikebur

1
Computer Security: Cryptography, an introduction
2
Encryption
  • [Diagram: plaintext x is encrypted under key $K_E$ to ciphertext y, which is decrypted under key $K_D$ to give the original plaintext x; an eavesdropper is shown.]

3
Encryption
  • A cryptosystem involves
  • an encryption algorithm E, and
  • a decryption algorithm D.
  • Both algorithms make use of a key.
  • Let $K_E$ be the encryption key and $K_D$ the decryption key.
  • For symmetric cryptosystems the same key is used for both encryption and decryption: $K_E = K_D$.

4
Encryption
  • If P is the plaintext message and C the ciphertext, then for
  • symmetric cryptosystems
  • $C = E_K(P)$ and $P = D_K(E_K(P)) = D_K(C)$
  • For an asymmetric cryptosystem
  • $C = E_{K_E}(P)$ and $P = D_{K_D}(E_{K_E}(P)) = D_{K_D}(C)$

5
Kerckhoffs' assumption
  • The adversary knows all details of the encrypting function except the secret key

6
Symmetric key encryption
  • There are two types of cipher systems
  • Stream ciphers,
  • Block ciphers.

7
Stream ciphers

  • [Diagram: encryption of the plaintext stream x = ISSOPMI under key $K_E$ to the ciphertext stream y = wdhuvad.]

8
Block ciphers

  • [Diagram: encryption of the plaintext x = XNEMT OIGNA TPHPM YRKRN, block by block under key $K_E$, to the ciphertext y = wdmar hutpkw vaptrh dgdsct.]


9
Cryptanalysis: Attacks on Cryptosystems
  • Ciphertext only attack: the opponent possesses a string of ciphertexts $y_1, y_2, \ldots$
  • Known plaintext attack: the opponent possesses a string of plaintexts $x_1, x_2, \ldots$ and the corresponding string of ciphertexts $y_1, y_2, \ldots$

10
Attacks on Cryptosystems
  • Chosen plaintext attack: the opponent can choose a string of plaintexts $x_1, x_2, \ldots$ and obtain the corresponding string of ciphertexts $y_1, y_2, \ldots$
  • Chosen ciphertext attack: the opponent can choose a string of ciphertexts $y_1, y_2, \ldots$ and get the corresponding string of plaintexts $x_1, x_2, \ldots$
  • Brute force attack: exhaustively, for a given plaintext x and ciphertext y, try encrypting x with all possible keys until you get the ciphertext y.

11
Attacks on Cryptosystems
  • In all these attacks the goal of the adversary is
    to decrypt a challenge ciphertext.

12
Cryptanalysis (breaking cryptosystems)
  • Ciphertext attack: the traditional way was to use the statistical properties of the language. Most of the classical ciphers are broken this way.
  • Known plaintext attack: Linear Cryptanalysis, see DES.
  • Chosen plaintext attack: Differential cryptanalysis, see DES.

13
Block ciphers: An overview of the DES Algorithm
  • DES is an iterated block cipher with
  • 16 rounds,
  • block length 64 bits and
  • key length 56 bits

14
Iterating Block ciphers
  • 1. Iterated block cipher
  • Random (binary) key $K \rightarrow$ round keys $K_1, \ldots, K_{Nr}$
  • 2. Round function $g$: $w_r = g(w_{r-1}, K_r)$, where $w_{r-1}$ is the previous state
15
Iterated cipher

  • Encryption operation:
  • $w_0 \leftarrow x$ (x plaintext)
  • $w_1 = g(w_0, K_1)$, $w_2 = g(w_1, K_2)$, $\ldots$, $w_{Nr} = g(w_{Nr-1}, K_{Nr})$
  • $y \leftarrow w_{Nr}$ (y ciphertext)
16
Iterated cipher
  • For decryption we must have:
  • $g(\cdot, K)$ must be invertible for all K
  • Then decryption is the reverse of encryption (bottom-up)

17
Data Encryption Standard
  • DES is a special type of iterated cipher called a
  • Feistel cipher.
  • Block length 64 bits
  • Key length 56 bits
  • Ciphertext length 64 bits

18
DES
  • The round function is
  • $g((L_{i-1}, R_{i-1}), K_i) = (L_i, R_i)$,
  • where
  • $L_i = R_{i-1}$ and $R_i = L_{i-1} \oplus f(R_{i-1}, K_i)$,
  • with $f(\cdot, \cdot)$ the inner function

19
A DES round encryption
20
DES computation path
21
The DES inner function
22
Inner function f
  • Combines 32 bit input and 48 bit key into 32 bit
    output by
  • Expanding a 32 bit input to 48 bits
  • XOR the 48 bit key with the expanded 48 bit input
  • Applying the S-boxes to the 48 bit input to
    produce 32 bit output
  • Permuting the resulting 32 bits

23
S Boxes
  • There are 8 different S-Boxes, 1 for each chunk
  • S-box process maps 6 bit input to 4 bit output
  • S box performs substitution on 4 bits
  • There are 8 possible substitutions in each S box
  • Inner 4 bits are fed into an S box
  • Outer 2 bits determine which substitution is used

24
DES Initial and Final Permutations
  • There is also an initial and a final permutation; the final permutation is the inverse of the initial permutation

25
Decrypting DES
  • DES (and all Feistel structures) is reversible through a reverse encryption because
  • No input data is mangled and passed to the output
  • The properties of XOR
  • S-boxes are not reversible (and don't need to be)
  • Everything needed (except the key) to produce the input to the (n-1)th step is available from the output of the nth step.
  • 4. The input to the nth step is the output of the (n-1)th step.
  • 5. Work backwards to step 1.
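
The reversibility argument above, as an added example that is not part of the original slides: a 16-round Feistel network on a 64-bit block whose inner function is one-way, decrypted by running the same routine with the round keys reversed. The inner function `f` and the key schedule `round_keys` are toy stand-ins assumed for illustration, not the DES ones.

```python
import hashlib

def f(right: bytes, round_key: bytes) -> bytes:
    # Toy inner function (assumption, NOT the DES f): a truncated hash,
    # which is one-way and therefore has no usable inverse.
    return hashlib.sha256(round_key + right).digest()[:len(right)]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def round_keys(key: bytes, rounds: int = 16) -> list:
    # Hypothetical key schedule: one derived key per round (not the DES schedule).
    return [hashlib.sha256(key + bytes([i])).digest() for i in range(rounds)]

def feistel(block: bytes, keys: list) -> bytes:
    half = len(block) // 2
    L, R = block[:half], block[half:]
    for k in keys:
        # L_i = R_{i-1},  R_i = L_{i-1} XOR f(R_{i-1}, K_i)
        L, R = R, xor(L, f(R, k))
    # Swap the halves at the end so that the same routine undoes itself
    # when the round keys are supplied in reverse order.
    return R + L

def encrypt(block: bytes, key: bytes) -> bytes:
    return feistel(block, round_keys(key))

def decrypt(block: bytes, key: bytes) -> bytes:
    # Decryption never inverts f: it recomputes f(R_{i-1}, K_i) from the
    # half that passed through unchanged and XORs it away again.
    return feistel(block, round_keys(key)[::-1])

if __name__ == "__main__":
    x = b"8 bytes!"                      # constructed 64-bit sample block
    y = encrypt(x, b"demo key")
    print(y.hex(), decrypt(y, b"demo key"))
```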

26
[Figure: encrypt round n and decrypt round n+1, with round key $K_n$ and 64 bit output.]
27
Attacks on DES
  • Brute force
  • Linear Cryptanalysis
  • Known plaintext attack
  • Differential cryptanalysis
  • Chosen plaintext attack
  • Modify plaintext bits, observe change in
    ciphertext
  • No dramatic improvement on brute force

28
Countering Attacks
  • Large keyspace combats brute force attack
  • Triple DES (say EDE mode, with usually 2 keys)
  • Use AES

29
Modes of operation
  • Four basic modes of operation are available for block ciphers:
  • Electronic codebook mode ECB
  • Cipher block chaining mode CBC
  • Cipher feedback mode CFB
  • Output feedback mode OFB

30
Electronic Codebook mode, ECB
  • Each plaintext $x_i$ is encrypted with the same key K:
  • $y_i = e_K(x_i)$.
  • So, the naïve use of a block cipher.

31
ECB
[Diagram: plaintext blocks $x_1, x_2, x_3, x_4$ each pass through DES separately, giving ciphertext blocks $y_1, y_2, y_3, y_4$.]
32
Cipher Block Chaining mode, CBC
  • Each cipher block $y_{i-1}$ is xor-ed with the next plaintext $x_i$ before being encrypted to get the next ciphertext $y_i$:
  • $y_i = e_K(y_{i-1} \oplus x_i)$
  • The chain is initialized with an initialization vector $y_0 = IV$ whose length is the block size.

33
CBC
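[Diagram: plaintext blocks $x_1, x_2, x_3, x_4$; the IV is combined with $x_1$ and each ciphertext block with the next plaintext block before DES, giving ciphertext blocks $y_1, y_2, y_3, y_4$.]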
34
Cipher and Output feedback modes (CFB & OFB)
  • CFB
  • $z_0 = IV$ and recursively
  • $z_i = e_K(y_{i-1})$ and $y_i = x_i \oplus z_i$
  • OFB
  • $z_0 = IV$ and recursively
  • $z_i = e_K(z_{i-1})$ and $y_i = x_i \oplus z_i$
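
The two recursions above, as an added example that is not part of the original slides: both modes use only the forward direction $e_K$, and they differ in how a single flipped ciphertext bit spreads on decryption. The function `e_K` here is a stand-in (truncated HMAC-SHA256, not DES), the CFB chain is started with $y_0 = IV$, and the key, IV and plaintext in the demo are constructed values.

```python
import hmac
import hashlib

BLOCK = 8  # bytes, matching the 64-bit DES block length

def e_K(key: bytes, block: bytes) -> bytes:
    # Stand-in for the block cipher's forward direction (assumption, not DES).
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def cfb(key: bytes, iv: bytes, data: bytes, decrypt: bool = False) -> bytes:
    out, prev = [], iv                       # y_0 = IV (assumed chain start)
    for blk in blocks(data):
        res = xor(blk, e_K(key, prev))       # z_i = e_K(y_{i-1}); y_i = x_i XOR z_i
        prev = blk if decrypt else res       # the feedback is always the ciphertext block
        out.append(res)
    return b"".join(out)

def ofb(key: bytes, iv: bytes, data: bytes) -> bytes:
    out, z = [], iv                          # z_0 = IV
    for blk in blocks(data):
        z = e_K(key, z)                      # z_i = e_K(z_{i-1}), independent of the data
        out.append(xor(blk, z))              # same operation encrypts and decrypts
    return b"".join(out)

def changed_blocks(decrypt_fn, ciphertext: bytes, plaintext: bytes) -> list:
    # Flip one bit in ciphertext block 1 and report which plaintext blocks differ.
    tampered = bytes([ciphertext[0] ^ 0x01]) + ciphertext[1:]
    got = decrypt_fn(tampered)
    pairs = zip(blocks(got), blocks(plaintext))
    return [i for i, (a, b) in enumerate(pairs, start=1) if a != b]

if __name__ == "__main__":
    key, iv = b"k" * 16, bytes(BLOCK)        # constructed sample key and IV
    pt = b"block001block002block003"         # constructed three-block plaintext
    c, o = cfb(key, iv, pt), ofb(key, iv, pt)
    print("CFB:", changed_blocks(lambda d: cfb(key, iv, d, decrypt=True), c, pt))
    print("OFB:", changed_blocks(lambda d: ofb(key, iv, d), o, pt))
```

In OFB the flipped bit changes exactly the same bit of the plaintext and nothing else, so neither mode detects tampering on its own; integrity needs a separate check.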

35
CFB mode
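[Diagram: CFB mode. The IV is passed through $e_K$ and combined with $x_1$ to give $y_1$; $y_1$ is passed through $e_K$ and combined with $x_2$ to give $y_2$.]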
36
OFB mode
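[Diagram: OFB mode. The IV is passed through $e_K$ repeatedly; the successive outputs are combined with $x_1$ and $x_2$ to give $y_1$ and $y_2$.]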
37
Double & Triple DES
  • Double DES: $C = E(k_2, E(k_1, m))$
  • Triple DES: $C = E(k_1, D(k_2, E(k_1, m)))$

38
AES
  • Block length: 128 bits.
  • Key lengths: 128 (or 192 or 256).
  • The AES is an iterated cipher with Nr = 10 (or 12 or 14)
  • In each round we have
  • Subkey mixing: State $\leftarrow$ Roundkey XOR State
  • A substitution: SubBytes(State)
  • A permutation: ShiftRows(State), MixColumns(State)

39
One time pad
  • This is a binary stream cipher whose key
    stream is a random stream.
  • This cipher has perfect secrecy.

40
One time pad
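  • The One-Time-Pad is a Stream Cipher for which
  • The plaintext $x \in \mathcal{P}$, ciphertext $y \in \mathcal{C}$ and key $K \in \mathcal{K}$ are all binary n-tuples.
  • $\mathcal{P} = \mathcal{C} = \mathcal{K} = (Z_2)^n$
  • and
  • $e_K(x) = (x_1 + K_1, \ldots, x_n + K_n) \bmod 2$
  • Decryption is identical to encryption
  • $d_K(y) = (y_1 + K_1, \ldots, y_n + K_n) \bmod 2$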

41
Perfect secrecy
  • Definition
  • We have perfect secrecy if
  • $\Pr[X = x \mid Y = y] = \Pr[X = x]$,
  • for all $x \in \mathcal{P}$, $y \in \mathcal{C}$.

42
Perfect secrecy
  • Theorem
  • The One-Time-Pad provides perfect secrecy.
  • Proof
  • Fix the plaintext $x \in \mathcal{P}$.
  • For each ciphertext $y \in \mathcal{C}$ there is at least one key K with
  • $y = e_K(x) = x + K \bmod 2$,
  • and, for each plaintext $x \in \mathcal{P}$ there is a key K with
  • $x = d_K(y) = y + K \bmod 2$.
  • So $|\mathcal{C}| = |\mathcal{K}|$, and there is exactly one key K with
  • $y = e_K(x)$.

43
Perfect secrecy
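  • Proof, continued
  • Using Bayes' theorem
  • $\Pr[x \mid y] = \Pr[y \mid x]\,(\Pr[x] / \Pr[y])$
  • $= \Pr[\mathbf{K} = K]\,(\Pr[x] / \Pr[y])$.
  • We have $\Pr[\mathbf{K} = K] = 1/|\mathcal{K}| = \Pr[y]$.
  • It follows that
  • $\Pr[x \mid y] = \Pr[x]$,
  • so we have perfect secrecy.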

44
Asymmetric key encryption: Public Key Cryptography
45
Public Key Cryptography
  • [Diagram: Alice and Bob]
  • Alice and Bob want to exchange a private key in public.
46
Public Key Cryptography: The Diffie-Hellman protocol
  • Alice sends $g^a \bmod p$ to Bob
  • Bob sends $g^b \bmod p$ to Alice
  • The private key is $g^{ab} \bmod p$
  • where p is a prime and g is a generator of $Z_p$

47
Finite Fields
  • Theorem
  • If p is a prime then $Z_p$ is a cyclic group.
  • The generator of $Z_p$ is called a primitive element modulo p

48
Public Key Cryptography: Encryption schemes
  • Let
  • P be the set of all plaintext messages
  • C be the set of ciphertexts
  • K be the set of all keys

49
The RSA cryptosystem
  • Let $n = pq$, where p and q are primes.
  • Let $\mathcal{P} = \mathcal{C} = Z_n$, and define
  • $\mathcal{K} = \{(n,p,q,e,d) : ed \equiv 1 \bmod \phi(n)\}$.
  • For each key $K = (n,p,q,e,d)$, define
  • $c = e_K(m) = m^e \bmod n$
  • and
  • $d_K(c) = c^d \bmod n$,
  • where $m, c \in Z_n$.
  • Public key = (n,e), Private key = (n,d).

50
Check
  • We have $ed \equiv 1 \bmod \phi(n)$, so $ed = 1 + t\phi(n)$.
  • Therefore,
  • $d_K(e_K(m)) = (m^e)^d = m^{ed} = m^{t\phi(n)+1} = (m^{\phi(n)})^t\, m = 1 \cdot m = m \bmod n$

51
Example
  • $p = 101$, $q = 113$, $n = 11413$.
  • $\phi(n) = 100 \times 112 = 11200 = 2^6 5^2 7$
  • For encryption use $e = 3533$.
  • Then $d = e^{-1} \bmod 11200 = 6597$.
  • Bob publishes $n = 11413$, $e = 3533$.
  • Suppose Alice wants to encrypt 9726.
  • She computes $9726^{3533} \bmod 11413 = 5761$
  • To decrypt it Bob computes
  • $5761^{6597} \bmod 11413 = 9726$

52
Implementation
  • Generate two large primes p, q
  • $n \leftarrow pq$ and $\phi(n) = (p-1)(q-1)$
  • Choose random e with $1 < e < \phi(n)$, $\gcd(e, \phi(n)) = 1$
  • $d \leftarrow e^{-1} \bmod \phi(n)$
  • The public key is (n,e) and the private key is (p,q,d)

53
Security of RSA
  • Relation to factoring.
  • Recovering the plaintext m from an RSA ciphertext c is easy if factoring is possible.
  • The RSA problem
  • Given (n,e) and c, compute m such that $m^e = c \bmod n$
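
The key generation steps, the worked example with n = 11413 and the relation to factoring, as an added example that is not part of the original slides. The function names are chosen here for illustration; the last function shows why the primes must be large, since the toy modulus is factored by trial division and the private exponent follows at once.

```python
from math import gcd, isqrt

def keygen(p: int, q: int, e: int):
    # n <- pq, phi(n) = (p-1)(q-1), d <- e^{-1} mod phi(n)
    n, phi = p * q, (p - 1) * (q - 1)
    if not (1 < e < phi and gcd(e, phi) == 1):
        raise ValueError("need 1 < e < phi(n) and gcd(e, phi(n)) = 1")
    d = pow(e, -1, phi)                  # modular inverse (Python 3.8+)
    return (n, e), (p, q, d)             # public key, private key

def encrypt(pub, m: int) -> int:
    n, e = pub
    return pow(m, e, n)                  # c = m^e mod n

def decrypt(priv, c: int) -> int:
    p, q, d = priv
    return pow(c, d, p * q)              # m = c^d mod n

def private_exponent_from_factoring(pub) -> int:
    # With only (n, e): factor n, rebuild phi(n), invert e.
    # Trial division is feasible here only because n is tiny.
    n, e = pub
    p = next(k for k in range(2, isqrt(n) + 1) if n % k == 0)
    q = n // p
    return pow(e, -1, (p - 1) * (q - 1))

if __name__ == "__main__":
    pub, priv = keygen(101, 113, 3533)   # the slide's parameters
    c = encrypt(pub, 9726)
    print(pub, priv, c, decrypt(priv, c))
    print(private_exponent_from_factoring(pub))
```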

54
The ElGamal encryption scheme
  • Let p be a prime and $g \in Z_p$ a primitive element.
  • Let $\mathcal{P} = Z_{p-1}$,
  • $\mathcal{C} = Z_{p-1} \times Z_{p-1}$ and
  • $\mathcal{K} = \{(p,g,x,y) : y = g^x \bmod p\}$.
  • The values p, g, y are the public key.
  • x is the private key.

55
The ElGamal encryption scheme
  • Encryption
  • Let $m \in Z_{p-1}$ be a message.
  • For $K = (p,g,x,y)$, $y = g^x \bmod p$, and secret random number $k \in Z_{p-1}$, define $e_K(m,k) = (s,t)$, where
  • $s = g^k \bmod p$
  • $t = m\,y^k \bmod p$
  • Decryption
  • For $s, t \in Z_{p-1}$, define $d_K(s,t) = t\,(s^x)^{-1} \bmod p$

56
The security of ElGamal
  • The Diffie-Hellman problem.
  • Given a prime p, $g \in Z_{p-1}$, and $x, y \in Z_{p-1}$, find $x = \log_g y \bmod p$.
  • The security of the ElGamal encryption is reduced to the difficulty of breaking the Diffie-Hellman problem.

57
Digital Signatures
58
Public Key Cryptography: Signature schemes
  • Let
  • P be the set of all messages
  • A be the set of signatures
  • K be the set of all keys

59
The RSA digital signature
  • Let $n = pq$, where p and q are primes.
  • Let $\mathcal{P} = \mathcal{A} = Z_n$, and define
  • $\mathcal{K} = \{(n,p,q,e,d) : ed \equiv 1 \bmod \phi(n)\}$.
  • For each key $K = (n,p,q,e,d)$, define
  • $sig_K(m) = m^d \bmod n$
  • and
  • $ver_K(m,y) = \text{true} \Leftrightarrow y^e = m \bmod n$,
  • where $m, y \in Z_n$.
  • Public key = (n,e), Private key = (n,d).

60
The ElGamal signature scheme
  • Let p be a prime and $g \in Z_p$ a primitive element.
  • Let $\mathcal{P} = Z_{p-1}$,
  • $\mathcal{A} = Z_{p-1} \times Z_{p-1}$ and
  • $\mathcal{K} = \{(p,g,x,y) : y = g^x \bmod p\}$.
  • The values p, g, y are the public key.
  • x is the private key.

61
The ElGamal signature scheme
  • Signing
  • Let $m \in Z_{p-1}$ be a message.
  • For $K = (p,g,x,y)$, $y = g^x \bmod p$, and secret random number $k \in Z_{p-1}$, define $sig_K(m,k) = (s,t)$, where
  • $s = g^k \bmod p$
  • $t = (m - xs)\,k^{-1} \bmod (p-1)$
  • Verification
  • $ver_K(m,(s,t)) = \text{true} \Leftrightarrow s^t y^s = g^m \bmod p$.

62
Toy example
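  • Let $p = 467$, $g = 2$, $x = 127$,
  • message $m = 100$,
  • Choose $k = 213$. Then $k^{-1} \bmod 466 = 431$.
  • The signature is
  • $s = 2^{213} \bmod 467 = 29$
  • $t = (m - xs)\,k^{-1} \bmod (p-1) = (100 - 127 \times 29) \cdot 431 \bmod 466 = 51$
  • Verification: $2^{100} \stackrel{?}{\equiv} 132^{29}\, 29^{51} \bmod 467$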

63
The security of the ElGamal signature
  • If the Discrete Logarithm problem can be solved
    then ElGamal signatures can be forged.
  • The converse may not be true.
  • The exponent k must be
  • private
  • cannot be used twice
  • best chosen at random.
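
The toy example and the rule that k cannot be used twice, as an added example that is not part of the original slides. Function names are chosen here for illustration. Because $s = g^k \bmod p$ depends only on k, a verifier or auditor can spot a reused exponent simply by finding the same s in two signatures, which is what `reused_k` checks.

```python
from collections import Counter
from math import gcd

def sign(p: int, g: int, x: int, m: int, k: int):
    # k must be invertible modulo p-1, otherwise t is undefined.
    if gcd(k, p - 1) != 1:
        raise ValueError("k must be coprime to p-1")
    s = pow(g, k, p)                                   # s = g^k mod p
    t = (m - x * s) * pow(k, -1, p - 1) % (p - 1)      # t = (m - xs) k^{-1} mod (p-1)
    return s, t

def verify(p: int, g: int, y: int, m: int, sig) -> bool:
    s, t = sig
    if not 0 < s < p:                                  # reject out-of-range s
        return False
    # s^t * y^s = g^m mod p
    return pow(s, t, p) * pow(y, s, p) % p == pow(g, m, p)

def reused_k(signatures) -> list:
    # Equal s values across signatures mean the same k was used again.
    counts = Counter(s for s, _ in signatures)
    return sorted(s for s, n in counts.items() if n > 1)

if __name__ == "__main__":
    p, g, x = 467, 2, 127                              # the slide's parameters
    y = pow(g, x, p)                                   # public value y = g^x mod p
    sig = sign(p, g, x, 100, 213)
    print(y, sig, verify(p, g, y, 100, sig))
    # Constructed audit sample: the second signature repeats k = 213.
    log = [sig, sign(p, g, x, 200, 213), sign(p, g, x, 300, 215)]
    print(reused_k(log))
```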

64
The Digital Signature Algorithm
  • Let p be an L-bit prime,
  • $512 \le L \le 1024$ and $L \equiv 0 \bmod 64$,
  • let q be a 160-bit prime that divides p-1 and
  • let $\alpha \in Z_p$ be a q-th root of 1 modulo p.
  • Let $\mathcal{P} = Z_{p-1}$,
  • $\mathcal{A} = Z_q \times Z_q$ and
  • $\mathcal{K} = \{(p,q,\alpha,x,y) : y = \alpha^x \bmod p\}$.
  • The values $\alpha$, y are the public key.
  • x is the private key.

65
The Digital Signature scheme
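  • Signing
  • Let $m \in Z_{p-1}$ be a message.
  • For $K = (p,q,\alpha,x,y)$, $y = \alpha^x \bmod p$, and secret random number $k \in Z_{p-1}$, define $sig_K(m,k) = (s,t)$, where
  • $s = (\alpha^k \bmod p) \bmod q$
  • $t = (\mathrm{SHA1}(m) + xs)\,k^{-1} \bmod q$
  • Verification
  • Let
  • $e_1 = \mathrm{SHA1}(m)\,t^{-1} \bmod q$
  • $e_2 = s\,t^{-1} \bmod q$
  • $ver_K(m,(s,t)) = \text{true} \Leftrightarrow (\alpha^{e_1} y^{e_2} \bmod p) \bmod q = s$.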

66
The Digital Signature scheme
  • Verification continued
  • Check
  • $(\alpha^{e_1} y^{e_2} \bmod p) \bmod q = (\alpha^{\mathrm{SHA1}(m)\,t^{-1}}\, y^{s t^{-1}} \bmod p) \bmod q$
  • $= (\alpha^{\mathrm{SHA1}(m)\,t^{-1}}\, \alpha^{x s t^{-1}} \bmod p) \bmod q$
  • $= (\alpha^{(\mathrm{SHA1}(m) + xs)\,t^{-1}} \bmod p) \bmod q$
  • $= (\alpha^k \bmod p) \bmod q = s$

67
Cryptographic hash functions
  • Messages can be quite long. Therefore, before digitally signing a message it is hashed.
  • A hash function (unkeyed) is a mapping $h: X \rightarrow Y$,
  • where
  • X is a set of possible messages
  • Y is the set of possible message digests
  • Message digests have fixed length (typically 160 bits, but also 256 or 516)

68
Properties of cryptographic hash functions
  • One way or preimage resistant: given a hash function h, and a message digest y, the equation $y = h(x)$ cannot be solved efficiently for x.
  • Second preimage resistant: given a hash function h, a message x and the message digest $y = h(x)$, the equation $y = h(x')$ cannot be solved efficiently for a second preimage $x'$, different from x, with $y = h(x')$.
  • Collision resistant: one cannot find efficiently a pair of distinct messages $x, x'$ for which $h(x) = h(x')$.
