Date post: 15-Dec-2015
CS591/Crypto chow

C. Edward Chow

Basic Cryptography

Chapters 5&2 of “Security Engineering”, Ross Anderson
Chapter 8 of “Computer Networks”, Tanenbaum
CS691 – Chapter 9 of “Computer Security”, Matt Bishop

Topics to be Covered

Introduction to Cryptography
Substitution Ciphers
Transposition Ciphers
One-Time Pads: Quantum Cryptography
Two Fundamental Cryptographic Principles
Symmetric-Key Algorithms
Public-Key Algorithms
Key Management: Digital Signatures

Cryptography

Greek words for “Secret Writing”.
Cipher vs. Code
1. Cipher: a character-to-character or bit-to-bit transformation without regard to the linguistic structure of the message.
2. Code: replaces one word with another word or symbol, e.g., the Navajo code of WWII (chay-da-gahi-nail-tsaidi, “tortoise killer”).
The art of devising ciphers is called cryptography.
The art of breaking ciphers is called cryptanalysis.
Cryptography and cryptanalysis are collectively known as cryptology.

Cryptosystem

A cryptosystem is a 5-tuple (E, D, M, K, C), where
M, a set of plaintexts (some use P as symbol);
K, the set of keys;
C, the set of ciphertexts;
E: M × K → C, the set of enciphering functions;
D: C × K → M, the set of deciphering functions.

Caesar cipher example:
M = { all sequences of Roman letters }
K = { i | i an integer such that 0 ≤ i ≤ 25 }
E = { E_k | k ∈ K and m ∈ M, E_k(m) = (m + k) mod 26 }
D = { D_k | k ∈ K and c ∈ C, D_k(c) = (26 + c - k) mod 26 }

E.g., the word m=“HELLO” → c=“KHOOR”; what is k?

Encryption Model (Symmetric-Key Cipher)

Adapted from Tanenbaum Computer Networks Figure 8.2

Here P = M, and the key is written as a subscript of the functions.

Basic Encryption Methods

Two categories:
Substitution Ciphers: each letter or group of letters is replaced by another letter or another group of letters. This preserves the order of the plaintext symbols but disguises them.
– E.g., Caesar cipher; mono-alphabetic substitution (each letter maps onto another letter; 26! = 4x10^26 possible keys)
– ZHQM ZMGM ZMFM --G. JULIUS CAESAR
Transposition Ciphers: reorder the letters but do not disguise them.
– E.g., Rail Fence cipher: m=“HELLOWORLD”; distribute the letters up and down between two rows from left to right, then output row-wise.
HLOOL
ELWRD
c=“HLOOLELWRD”

Kerckhoffs’s Principle

“All crypto algorithms must be public; only the keys are secret”
--- “La Cryptographie Militaire,” J. des Sciences Militaires, vol. 9, pp. 5-38, Jan. 1883 and pp. 161-191, Feb. 1883.

Trying to keep the algorithm secret (security by obscurity principle?) never works. Reasons:
Logistic issue: too much effort to invent, test, and install a new algorithm.
“Publish the algorithm and let academic cryptologists try to break the system. If no one has succeeded in 5 years, it must be pretty solid.”
The real secrecy is in the key; its length is a major design issue.

Key Length and Work Factor

2-digit key → 100 combinations.
6-digit key → 1 million combinations.
64-bit keys to prevent your kid brother from reading your email.
128-bit keys for routine commercial use.
>256 bits to keep major governments at bay.

3 Variations of Cryptanalysis or Cipher Attacks

Ciphertext-only: the cryptanalyst has some ciphertext; no plaintext (does not know the corresponding plaintext); no key; no E or D functions.
Known plaintext: some matched ciphertext and plaintext (no key; may or may not know the E or D functions).
Chosen plaintext: has the ability to encrypt pieces of plaintext of his own choosing (knows the E or D function; does not know the keys used).

Basic Cipher Attacks for Mono-alphabetic Substitution

Use statistical properties of natural languages.
Rank of frequency of appearance of:
Unigrams (single letter): e, t, o, a, n, i, etc.
Digrams (two-letter): th, in, er, re, an, etc.
Trigrams (three-letter): the, ing, and, ion, etc.
Count the frequencies of letters in the ciphertext. Tentatively assign the most common one to e, the next to t, ...
Then look at the trigrams of the deciphered text; if “tXe” appears, it should be “the”! The original deciphering function should be changed to map X to h.
Similarly, what should we do if we see “thYt”? How about “aZW”?

Cipher Attack: Guess a Probable Word

Ciphertext from an accounting firm:
CTBMN BYCTC BTJDS QXBNS GSTJC BTSWX CTQTZ CQVUJ QJSGS TJQZZ MNQJS VLNSX VSZJU JDSTS JQUUS JUBXJ DSKSU JSNTK BGAQJ ZBGYQ TLCTZ BNYBN QJSW

A likely word is financial. Because its two i's are separated by four letters, we look for the same pattern in the ciphertext.
There are 12 hits, at positions 6, 15, 27, 31, 42, 48, 56, 66, 70, 71, 76, and 82.
Only 31 and 42 have the next letter n (ana) separated by one letter. i → C and J; n → T and S respectively.
http://www.math.ucsd.edu/~crypto/programs.html
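
The probable-word search on this slide, as an added example in Python (not part of the original slides): instead of testing only the two i's, it compares the full repeated-letter pattern of “financial” against every window of the slide's ciphertext. The function names are chosen here for illustration.

```python
# Added example, not from the original slides. The ciphertext is the one on the slide.
CIPHERTEXT = (
    "CTBMN BYCTC BTJDS QXBNS GSTJC BTSWX CTQTZ CQVUJ QJSGS TJQZZ "
    "MNQJS VLNSX VSZJU JDSTS JQUUS JUBXJ DSKSU JSNTK BGAQJ ZBGYQ "
    "TLCTZ BNYBN QJSW"
).replace(" ", "")


def letter_pattern(text):
    """Repetition pattern of a string: 'financial' -> (0, 1, 2, 3, 2, 4, 1, 3, 5)."""
    first_seen = {}
    return tuple(first_seen.setdefault(ch, len(first_seen)) for ch in text)


def find_probable_word(ciphertext, word):
    """1-based offsets where `word` fits under some one-to-one letter substitution."""
    want = letter_pattern(word)
    size = len(word)
    return [
        start + 1
        for start in range(len(ciphertext) - size + 1)
        if letter_pattern(ciphertext[start:start + size]) == want
    ]


def partial_key(ciphertext, word, offset):
    """Cipher letter -> plain letter pairs implied by placing `word` at a 1-based offset."""
    window = ciphertext[offset - 1:offset - 1 + len(word)]
    return dict(zip(window, word))


def apply_key(ciphertext, key):
    """Decipher with a partial key; letters not yet recovered are shown as '.'."""
    return "".join(key.get(ch, ".") for ch in ciphertext)


if __name__ == "__main__":
    hits = find_probable_word(CIPHERTEXT, "financial")
    print("offsets where 'financial' fits:", hits)
    for offset in hits:
        key = partial_key(CIPHERTEXT, "financial", offset)
        print("recovered mapping:", key)
        print(apply_key(CIPHERTEXT, key))
```

The one surviving offset is where the f falls, so the first i sits one position later, at 31, and the recovered pairs include i → C and n → T as on the slide.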

Mono-Alphabetic Substitution Exercises/Tools

http://cs.uccs.edu/~cs591/src/alphaSub.html
Chapter 5 page 74. Solve this puzzle.
CYAN RWSGKFR AN AH RHTFANY MSOYRM OYSH SMSEAC NCMAKO
How about the JFK quote?
XYAWO GAOOA GPEMO HPQCW IPNLG RPIXL TXLOA NNYCS YXBOY MNBIN YOBTY QYNAI

Columnar Transposition Ciphers

A transposition cipher. Keyed by a phrase such as “MEGABUCK”. The letters in the key indicate the order in which the columns are output. The plaintext is read in horizontally; the ciphertext is read out column by column.

Breaking Transposition Cipher

Check if the frequency distribution of unigrams is the same in the ciphertext. If it is, then this is a transposition cipher.
Guess the number of columns. Assume we suspect “milliondollars” appears in the ciphertext.
Analyze key length: observe the digrams MO, IL, LL, LA, IR, and OS in the ciphertext as a wrap-around effect → key length = 8.
Analyze the order of columns. If the key length is small, column pairs (k(k-1) of them) of the ciphertext can be examined to see if the patterns of digrams in the deciphered text match those of the language frequency distribution.

One-Time Pads

The use of a one-time pad for encryption and the possibility of getting any possible plaintext from the ciphertext by the use of some other pad.

Unbreakable cipher. Choose a long random bit string as the key (same length as the text?). Use bit XOR as E and D.
Problem: how to distribute and protect the key.

Quantum Cryptography

Can be used to transfer a one-time pad over networks. Here a fiber channel is assumed.
Light comes as little packets called photons.
Photons can be polarized using a filter such as sunglasses.
The photons that pass a polarizing filter are polarized in the direction of the filter’s axis.
If the beam goes through a 2nd filter and
1. the two filters are perpendicular, no photons get through.
2. The light intensity after the 2nd filter is proportional to the square of the cosine of the angle between the two filter axes.

How one-time pad is sent using Quantum cryptography

Alice and Bob each have two sets of filters. One, with vertical and horizontal filters, is called the rectilinear basis. The other set, rotated 45 degrees, is called the diagonal basis.
Alice assigns vertical as 0 and horizontal as 1; lower left to upper right as 0 and upper left to lower right as 1. She sends this assignment in plaintext to Bob.
Alice picks a one-time pad: 1001110010100110.
She transfers it bit by bit to Bob, using one of the two bases at random. See Figure 8-5(a).
Bob does not know which bases to use, so he randomly picks one. See Figure 8-5(b). If he picks right, he gets the correct bit. If not, he gets a random bit.
A photon that hits a filter at 45 degrees to the photon’s polarization will randomly jump to the axis of the filter or perpendicular to it. Figure 8-5(c).
Bob tells Alice the axes he used in plaintext. Alice tells him which are right/wrong in plaintext. Figure 8-5(d).
Now both have a correct bit string. Figure 8-5(e).
Trudy’s choices of bases: Figure 8-5(f). Trudy’s bit pattern with unknown bits.
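
The exchange described above, as an added simulation in Python (not part of the original slides). It models a filter at 45 degrees as returning a random bit, keeps only the positions where Bob's basis matched Alice's, and goes one step beyond the slide by measuring how often Bob's kept bits are wrong when Trudy measures and re-sends the photons; the function names and seed are assumptions of this example.

```python
import random

RECT, DIAG = "+", "x"  # rectilinear and diagonal bases


def measure(bit, photon_basis, filter_basis, rng):
    """A matching filter reads the bit; a filter at 45 degrees yields a random bit."""
    return bit if photon_basis == filter_basis else rng.randint(0, 1)


def random_bases(n, rng):
    return [rng.choice((RECT, DIAG)) for _ in range(n)]


def exchange(pad_bits, rng, trudy_listens=False):
    """Run one transfer; return (alice_key, bob_key) after the bases are compared."""
    n = len(pad_bits)
    alice_bases = random_bases(n, rng)
    bob_bases = random_bases(n, rng)
    photons = list(zip(pad_bits, alice_bases))
    if trudy_listens:
        # Trudy must also guess a basis; the photon she forwards carries her
        # reading in her basis, not Alice's original polarization.
        trudy_bases = random_bases(n, rng)
        photons = [(measure(bit, basis, tb, rng), tb)
                   for (bit, basis), tb in zip(photons, trudy_bases)]
    bob_bits = [measure(bit, basis, bb, rng)
                for (bit, basis), bb in zip(photons, bob_bases)]
    # Public discussion: keep only positions where Bob's basis matched Alice's.
    keep = [i for i in range(n) if alice_bases[i] == bob_bases[i]]
    return [pad_bits[i] for i in keep], [bob_bits[i] for i in keep]


def error_rate(alice_key, bob_key):
    """Fraction of kept positions where Bob's bit differs from Alice's."""
    wrong = sum(a != b for a, b in zip(alice_key, bob_key))
    return wrong / len(alice_key) if alice_key else 0.0


if __name__ == "__main__":
    rng = random.Random(2015)  # fixed seed so the run is repeatable
    pad = [int(b) for b in "1001110010100110"]  # the pad from the slide
    a, b = exchange(pad, rng)
    print("kept", len(a), "of", len(pad), "bits; keys equal:", a == b)
    long_pad = [rng.randint(0, 1) for _ in range(20000)]
    a, b = exchange(long_pad, rng, trudy_listens=True)
    print("error rate with Trudy on the line: %.3f" % error_rate(a, b))
```

With nobody listening the two kept strings are always identical; with Trudy on the line about a quarter of Bob's kept bits disagree with Alice's, which is what lets the two of them notice the interception by comparing a sample.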

Quantum Cryptography

Two Fundamental Cryptographic Principles

Redundancy: messages must contain some redundancy.
E.g., the last three bytes of the encrypted packet content are product # and quantity.
A recently fired employee can capture the packet and replace the last three-byte quantity field with a random number.
How can redundancy help?
Freshness: some method is needed to foil replay attacks.
How to defend against replay attacks? Timestamp alone?

Symmetric-Key Algorithms

DES – The Data Encryption Standard
AES – The Advanced Encryption Standard
Cipher Modes
Other Ciphers
Cryptanalysis

Product Ciphers

Basic elements of product ciphers. (a) P-box. (b) S-box. (c) Product.
Hardware implementation. P: permutation (transpose). S: substitution; 01234567 in, 24506713 out.
Software implementation: through iterations called rounds.

Data Encryption Standard

The data encryption standard, 1977/IBM (128 → 56-bit key), for unclassified info. (a) General outline. (b) Detail of one iteration. The circled + means exclusive OR.

R_(i-1) is expanded to 48 bits and exclusive-ORed with K_i.
The result is divided into 8 groups of 6 bits each.
Each group goes through an S-box; the output is 4 bits.

Triple DES

IS8732; two keys. (a) Triple encryption using DES. (b) Decryption.
Compatible with old DES if we use the same key instead of a different K2.
128-bit key → 2^128 = 3*10^38 keys; evaluating one key per picosecond, it takes 10^10 years.

AES – The Advanced Encryption Standard

Rules for AES proposals
1. The algorithm must be a symmetric block cipher.
2. The full design must be public.
3. Key lengths of 128, 192, and 256 bits supported.
4. Both software and hardware implementations required.
5. The algorithm must be public or licensed on nondiscriminatory terms.

http://csrc.nist.gov/CryptoToolkit/aes/rijndael/

AES (2)

An outline of Rijndael, by Joan Daemen and Vincent Rijmen; 86 votes.

AES (3)

Creating of the state and rk arrays.

Electronic Code Book Mode

The plaintext of a file encrypted as 16 DES blocks.
AES/DES are monoalphabetic substitution ciphers: same plaintext with the same key in, same ciphertext out.
Cipher attack: just substitute the 12th block with the 4th block and Leslie has a Merry Christmas.

Cipher Block Chaining Mode

Use the chaining mode to defeat the above attack. C1 depends on C0.
Cipher block chaining. (a) Encryption. (b) Decryption.
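
The block substitution from the Electronic Code Book slide and the effect of chaining from this one, as an added example in Python (not part of the original slides). The 8-byte Feistel cipher is a toy stand-in for DES built on SHA-256, and the file layout, names other than Leslie, key and IV are constructed for the demonstration: four records of four blocks each, with Leslie's bonus in block 4 and Kim's in block 12.

```python
import hashlib

BLOCK = 8  # bytes per block, as in DES; the cipher below is a toy stand-in, not DES


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def round_fn(half, key, i):
    return hashlib.sha256(key + bytes([i]) + half).digest()[:BLOCK // 2]


def encrypt_block(block, key):
    """Four-round Feistel network over one 8-byte block (illustration only)."""
    left, right = block[:4], block[4:]
    for i in range(4):
        left, right = right, xor_bytes(left, round_fn(right, key, i))
    return left + right


def decrypt_block(block, key):
    left, right = block[:4], block[4:]
    for i in reversed(range(4)):
        left, right = xor_bytes(right, round_fn(left, key, i)), left
    return left + right


def split_blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(plaintext, key):
    return b"".join(encrypt_block(b, key) for b in split_blocks(plaintext))


def ecb_decrypt(ciphertext, key):
    return b"".join(decrypt_block(b, key) for b in split_blocks(ciphertext))


def cbc_encrypt(plaintext, key, iv):
    out, prev = [], iv
    for block in split_blocks(plaintext):
        prev = encrypt_block(xor_bytes(block, prev), key)  # C_i = E(P_i xor C_(i-1))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(ciphertext, key, iv):
    out, prev = [], iv
    for block in split_blocks(ciphertext):
        out.append(xor_bytes(decrypt_block(block, key), prev))
        prev = block
    return b"".join(out)


def copy_block(ciphertext, src, dst):
    """Overwrite block `dst` with a copy of block `src` (1-based); needs no key."""
    parts = split_blocks(ciphertext)
    parts[dst - 1] = parts[src - 1]
    return b"".join(parts)


# Constructed sample file: 4 records x (16-byte name, 8-byte position, 8-byte bonus)
RECORDS = [("Leslie", "Clerk", "$10"), ("Robin", "Boss", "$500,000"),
           ("Kim", "Manager", "$100,000"), ("Bobbie", "Janitor", "$5")]
PLAINTEXT = b"".join(
    name.ljust(16).encode() + job.ljust(8).encode() + bonus.ljust(8).encode()
    for name, job, bonus in RECORDS
)
# Constructed key and IV; the IV is fixed only so the demo is repeatable.
KEY, IV = b"demo-key", b"\x00" * BLOCK


def bonus_after_copy(mode):
    """Decrypted 4th block (Leslie's bonus) after block 12 is copied over block 4."""
    if mode == "ecb":
        tampered = copy_block(ecb_encrypt(PLAINTEXT, KEY), 12, 4)
        return split_blocks(ecb_decrypt(tampered, KEY))[3]
    tampered = copy_block(cbc_encrypt(PLAINTEXT, KEY, IV), 12, 4)
    return split_blocks(cbc_decrypt(tampered, KEY, IV))[3]


if __name__ == "__main__":
    print("ECB:", bonus_after_copy("ecb"))  # Kim's bonus, cleanly decrypted
    print("CBC:", bonus_after_copy("cbc"))  # unpredictable bytes
```

Under chaining the copied block decrypts to bytes nobody chose, but the receiver only notices if the plaintext carries redundancy it can check, which is the first of the two principles stated earlier.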

Cipher Feedback Mode

For terminal-type applications, waiting for 8 characters before sending the ciphertext is not an option.
Use character chaining mode with a shift register. (a) Encryption. (b) Decryption.

Stream Cipher Mode

In the previous modes, a one-bit transmission (Tx) error messes up a whole block.
In stream cipher mode, early ciphertext is not involved in later encryption, and a one-bit Tx error → a one-bit plaintext error.
A stream cipher. (a) Encryption. (b) Decryption.

Counter Mode

Except for electronic code book mode, the previous modes require first decrypting all the blocks ahead of the current block. This makes random access to encrypted files difficult. (The problem is the reuse attack, when the same key is used.)
Encryption using counter mode.

Cryptanalysis

Rijndael was adopted as AES. Serpent (Cambridge) came 2nd.
http://csrc.nist.gov/CryptoToolkit/aes/rijndael/
http://www.esat.kuleuven.ac.be/~rijmen/rijndael/
Some common symmetric-key cryptographic algorithms.

Public-Key Algorithms

In 1976, Diffie and Hellman proposed a crypto scheme with two keys: a public key and a private key.
Requirements:
Must be computationally easy to encipher/decipher a message using these keys.
Must be computationally infeasible to derive the private key from the public key.
Must be computationally infeasible to determine the private key from a chosen plaintext attack.
Symmetric key exchange protocol
RSA
Other Public-Key Algorithms

Diffie-Hellman’s Symmetric Key Exchange Protocol

It is based on the discrete logarithm problem.
Alice and Bob choose a prime p=53 and g=17, which is not 0, 1, or p-1=52.
Alice chooses private key=5, public key = 17^5 mod 53 = 40.
Bob chooses private key=7, public key = 17^7 mod 53 = 6.
Bob would like to send a message to Alice.
Bob computes the shared secret key by enciphering Alice’s public key using his private key: 40^7 mod 53 = 38.
He enciphers the message with key=38.
Alice computes the shared secret key as 6^5 mod 53 = 38. Then she deciphers the message with key=38.

Modular Arithmetic

Properties of Modular Arithmetic

Fermat Theorem Example

Totient Function Properties

Euler’s Theorem and Examples

RSA

A response to the Diffie-Hellman challenge by Ron Rivest, Adi Shamir, and Len Adleman at MIT.
An exponentiation cipher utilizing Euler’s Theorem.
Choose two prime numbers p and q. Let n = p*q.
The totient φ(n) of n is the number of numbers less than n with no factors in common with n. φ(n) = (p-1)(q-1).
E.g., φ(10) = 4, since 1, 3, 7, 9 are relatively prime to 10.
Choose e < n, with e relatively prime to φ(n).
Find d such that e*d mod φ(n) = 1.
The public key is (e, n); the private key is (d, n).
M^(ed) mod n = M (this holds if e*d mod φ(n) = 1)
C = M^e mod n
M = C^d mod n

RSA: Confidentiality Example

Encrypted using Alice’s Public key

- Let p = 7 and q = 11. n = 77 and $\phi(n) = 60$.
- Alice chooses e = 17, relatively prime to 60; the private key is d = 53, where $e \cdot d \bmod \phi(n) = 1$; 17*53 mod 60 = 1.
- If we represent 07 as H and 25 as Z, 26 as blank, then HELLO WORLD will be 07 04 11 11 14 26 22 14 17 11 03.
- Using Alice’s public key, the ciphertext is:

    07^17 mod 77 = 28
    04^17 mod 77 = 16
    11^17 mod 77 = 44
    …
    03^17 mod 77 = 75

- Only Alice can decipher with private key 53.

RSA: Origin Authentication Example

Encrypted using Alice’s Private key

- Let p = 7 and q = 11. n = 77 and $\phi(n) = 60$.
- Alice chooses e = 17; the private key is d = 53. The public key is (17, 77).

    07^53 mod 77 = 35
    04^53 mod 77 = 09
    11^53 mod 77 = 44
    …
    03^53 mod 77 = 05

RSA: Confidentiality and Authentication Example

- Encrypted using the sender’s private key and the recipient’s public key.
- Bob’s public key 37, private key 13. Alice’s public key 17, private key 53.
- Encipherment:

    (07^53 mod 77)^37 mod 77 = 07
    (04^53 mod 77)^37 mod 77 = 37
    (11^53 mod 77)^37 mod 77 = 44
    …
    (03^53 mod 77)^37 mod 77 = 47

- Decipherment: decipher with the recipient’s private key and authenticate with the sender’s public key.

    (07^13 mod 77)^17 mod 77 = 07
    (37^13 mod 77)^17 mod 77 = 04
    (44^13 mod 77)^17 mod 77 = 11
    …
    (47^13 mod 77)^17 mod 77 = 03
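
The three RSA examples above (confidentiality, origin authentication, and both combined), reproduced as an added Python example that is not part of the original slides. The function names are this example's own, and Bob's key is assumed to use the same n = 77 as Alice's, which the slide arithmetic implies.

```python
"""Toy RSA with the slide parameters (p=7, q=11); teaching sizes only."""
from math import gcd

# Encoding used on the slides: A=00 ... Z=25, blank=26.
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ "


def make_keypair(p, q, e):
    """Return ((e, n), (d, n)) for primes p and q and public exponent e."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to phi(n)")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+): e*d mod phi(n) == 1
    return (e, n), (d, n)


def encode(text):
    """Map each character to its two-digit block value."""
    return [ALPHABET.index(ch) for ch in text]


def decode(blocks):
    return "".join(ALPHABET[b] for b in blocks)


def apply_key(blocks, key):
    """Raise every block to the key's exponent modulo n."""
    exponent, n = key
    if any(not 0 <= b < n for b in blocks):
        raise ValueError("every block must be smaller than n")
    return [pow(b, exponent, n) for b in blocks]


def encrypt(blocks, recipient_public):
    """Confidentiality: only the holder of the private key can undo this."""
    return apply_key(blocks, recipient_public)


def decrypt(cipher, recipient_private):
    return apply_key(cipher, recipient_private)


def sign(blocks, sender_private):
    """Origin authentication: anyone can undo this with the public key."""
    return apply_key(blocks, sender_private)


def recover(signed, sender_public):
    return apply_key(signed, sender_public)


def sign_then_encrypt(blocks, sender_private, recipient_public):
    # Both toy keys share n = 77, so a signed block always fits the
    # recipient's modulus. With independent moduli that is not guaranteed.
    return encrypt(sign(blocks, sender_private), recipient_public)


def decrypt_then_verify(cipher, recipient_private, sender_public):
    return recover(decrypt(cipher, recipient_private), sender_public)


ALICE_PUBLIC, ALICE_PRIVATE = make_keypair(7, 11, 17)  # (17, 77), (53, 77)
BOB_PUBLIC, BOB_PRIVATE = make_keypair(7, 11, 37)      # (37, 77), (13, 77)

if __name__ == "__main__":
    message = encode("HELLO WORLD")
    print("plaintext blocks :", message)
    print("to Alice         :", encrypt(message, ALICE_PUBLIC))
    print("signed by Alice  :", sign(message, ALICE_PRIVATE))
    both = sign_then_encrypt(message, ALICE_PRIVATE, BOB_PUBLIC)
    print("Alice -> Bob     :", both)
    print("Bob reads        :",
          decode(decrypt_then_verify(both, BOB_PRIVATE, ALICE_PUBLIC)))
```

Every L in the message encrypts to the same block, 44: with one character per block and no random data, the scheme behaves like a substitution cipher.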

RSA Cipher Attack/Defense Example

- Simplified example, character as block. NO can be swapped and interpreted as ON. (Attack is on or not?)
- Defense: 6 bits for block # followed by an 8-bit character. The remaining 1010 bits contain random data. Rearrangement of blocks can be detected by checking the block # field.
- This is an application of the Redundancy principle.
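
The block-number defense above, as an added Python example that is not part of the original slides. The toy key (two Mersenne primes, e = 65537) and all function names are assumptions of this example; with its 92-bit modulus the random field is 77 bits rather than the slide's 1010.

```python
"""Block-number redundancy against reordered RSA blocks (toy key sizes)."""
import secrets

# Constructed toy key: two Mersenne primes. Far too small for real use.
P, Q = 2**61 - 1, 2**31 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))

SEQ_BITS = 6    # block number field, as on the slide
CHAR_BITS = 8   # one character per block, as on the slide
# The slide fills the remaining 1010 bits of a 1024-bit block with random
# data; this 92-bit toy modulus leaves room for 77 random bits.
PAD_BITS = N.bit_length() - 1 - SEQ_BITS - CHAR_BITS


class ReorderedBlocks(Exception):
    """Raised when a block number does not match the block's position."""


def pack(seq, ch):
    """Build one plaintext block: block number | character | random bits."""
    if not 0 <= seq < 2**SEQ_BITS:
        raise ValueError("message needs more blocks than a 6-bit field allows")
    code = ord(ch)
    if code >= 2**CHAR_BITS:
        raise ValueError("character does not fit in 8 bits")
    return ((seq << (CHAR_BITS + PAD_BITS)) | (code << PAD_BITS)
            | secrets.randbits(PAD_BITS))


def unpack(block):
    seq = block >> (CHAR_BITS + PAD_BITS)
    code = (block >> PAD_BITS) & (2**CHAR_BITS - 1)
    return seq, chr(code)


def encrypt_numbered(text):
    return [pow(pack(i, ch), E, N) for i, ch in enumerate(text)]


def decrypt_numbered(cipher_blocks):
    """Decrypt and insist that block numbers run 0, 1, 2, ... in order."""
    chars = []
    for position, c in enumerate(cipher_blocks):
        seq, ch = unpack(pow(c, D, N))
        if seq != position:
            raise ReorderedBlocks(
                f"block at position {position} carries number {seq}")
        chars.append(ch)
    return "".join(chars)


def encrypt_bare(text):
    """The simplified scheme: the character alone is the block."""
    return [pow(ord(ch), E, N) for ch in text]


def decrypt_bare(cipher_blocks):
    return "".join(chr(pow(c, D, N)) for c in cipher_blocks)


if __name__ == "__main__":
    bare = encrypt_bare("NO")
    print("bare, swapped     :", decrypt_bare(bare[::-1]))   # reads as ON
    numbered = encrypt_numbered("NO")
    print("numbered, in order:", decrypt_numbered(numbered))
    try:
        decrypt_numbered(numbered[::-1])
    except ReorderedBlocks as err:
        print("numbered, swapped : rejected,", err)
```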

RSA

- Actual RSA primes should be at least 512 bits, modulus at least 1024 bits.
- RSA combined with hash to prevent reordering attack.

An example of the RSA algorithm.

- Here p=3, q=11, n=33, z=(p-1)*(q-1)=20; choose d=7, which is relatively prime to z; choose e=3, where e*d mod 20 = 1.
- Here (3, 20) is public key. (7,20) is private key.
- $C = P^e \bmod n$; $P = C^d \bmod n$.

Digital Signatures

- Symmetric-Key Signatures
- Public-Key Signatures
- Message Digests
- The Birthday Attack

Symmetric-Key Signatures

Digital signatures with Big Brother (BB: a central authority trusted by everyone; knows everything!).

- Everyone (i) carries a secret key $K_i$ to BB’s office.
- Alice enciphers the following data with her secret key $K_A$ (B: Bob’s ID, $R_A$: a random number chosen by Alice, t: timestamp, P: plaintext msg.) and sends it to BB.
- BB deciphers it with $K_A$, then encrypts the data together with a signed msg $K_{BB}(A, t, P)$ using B’s secret key.

Symmetric-Key Signatures: Nonrepudiation and Against Replay Attack

- BB will not accept a msg from Alice unless it is encrypted with $K_A$.
- $K_{BB}(A, t, P)$ contains the proof that A sent P at time t.
- Against replay attack:
  - Against instant replay: within some time period, Bob can check whether $R_A$ has been reused and drop those packets.
  - Against old replay: based on the timestamp, Bob can discard old messages.
- Disadvantage: BB needs to be trusted by everyone. BB gets to read all signed msgs.
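
One way Bob could implement the two replay checks above, as an added example that is not part of the original slides. It assumes the message has already been deciphered and BB's signed part accepted; the class names, the 300-second window and the rejection of far-future timestamps are assumptions of this example, and the sample traffic is constructed.

```python
"""Replay checks Bob applies to messages relayed by BB, using R_A and t."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Relayed:
    sender: str        # A
    nonce: int         # R_A, the random number chosen by Alice
    timestamp: float   # t, in seconds
    plaintext: str     # P


class ReplayFilter:
    """Remember recent R_A values; let the timestamp bound how long."""

    def __init__(self, window=300.0):
        self.window = window
        self.seen = {}   # (sender, nonce) -> timestamp

    def expire(self, now):
        # Anything older than the window is refused on its timestamp alone,
        # so its R_A no longer needs to be remembered.
        cutoff = now - self.window
        self.seen = {k: t for k, t in self.seen.items() if t >= cutoff}

    def check(self, msg, now):
        """Return 'accept', 'old replay', 'instant replay' or 'future'."""
        self.expire(now)
        age = now - msg.timestamp
        if age > self.window:
            return "old replay"
        if age < -self.window:
            # Assumption of this example: a far-future timestamp would sit
            # in the table indefinitely, so it is refused as well.
            return "future"
        key = (msg.sender, msg.nonce)
        if key in self.seen:
            return "instant replay"
        self.seen[key] = msg.timestamp
        return "accept"


def classify(traffic, window=300.0):
    """Run (arrival_time, message) pairs through one filter, in order."""
    guard = ReplayFilter(window)
    verdicts = [guard.check(msg, now) for now, msg in traffic]
    return verdicts, len(guard.seen)


# Constructed sample traffic: the first message is seen three times.
FIRST = Relayed("Alice", 0x51A7, 1000.0, "pay Bob 10")
SAMPLE = [
    (1010.0, FIRST),                                        # fresh
    (1020.0, FIRST),                                        # same R_A again
    (1400.0, FIRST),                                        # 400 s old
    (1400.0, Relayed("Alice", 0x51A8, 1395.0, "pay Bob 20")),
    (1401.0, Relayed("Carol", 0x51A7, 1400.0, "hello")),    # other sender
]

if __name__ == "__main__":
    results, remembered = classify(SAMPLE)
    for (now, msg), verdict in zip(SAMPLE, results):
        print(f"t={now:6.0f} {msg.sender:5} R_A={msg.nonce:#x} -> {verdict}")
    print("R_A values still remembered:", remembered)
```

The timestamp check is what keeps the table of remembered R_A values bounded: without it Bob would have to remember every R_A forever.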

Public-Key Signatures

Digital signatures using public-key cryptography.

- In 1991, NIST proposed the Digital Signature Standard (DSS), using a variant of the ElGamal public-key algorithm (discrete logarithm).
- But it is too secret (NSA designed); too slow (10-40 times slower than RSA for checking signatures); too new (not yet thoroughly analyzed); too insecure (fixed 512 bits; later changed to 1024 bits).

Message Digests

- Authentication without encrypting the entire msg.
- 4 properties of a Message Digest (MD) hash function (arbitrarily long plaintext → fixed-length bit string):
  1. Given P, it is easy to compute MD(P).
  2. Given MD(P), it is effectively impossible to find P.
  3. Given P, no one can find P’ such that MD(P’) = MD(P).
  4. A change to the input of even 1 bit produces a very different output.
- For example, instead of $K_{BB}(A, t, P)$, we have $K_{BB}(A, t, MD(P))$.

Digital signatures using message digests.

MD5

- Designed by Ronald Rivest in 1992. 5th of a series of MD.
- Pre-computation step:
  - First pad the msg to a length of 448 bits (mod 512).
  - The original msg is then appended with a 64-bit integer, making it a multiple of 512 bits.
  - Initialize the 128-bit buffer to a fixed value.
- Computation step:
  - Take a 512-bit block of input and perform 4 rounds of mixing it thoroughly with the 128-bit buffer (with sine function and table lookup).
  - The process continues until all input is consumed. The content of the 128-bit buffer forms the message digest.
- You can access it on our CS Unix machines using the OpenSSL package: “openssl md5”.
- For example, the following yields a pretty good random key:

    bash-2.05a# (date; ps auxg) | openssl md5
    7741348ddf1371aefc921d504fa51e6a
    bash-2.05a# (date; ps auxg) | openssl md5
    7c56744bb2440abcc2de7a492ae32d06

SHA-1

- Developed by NSA and blessed by NIST in FIPS 180-1.
- It generates a 160-bit message digest.

Use of SHA-1 and RSA for signing nonsecret messages.

    bash-2.05a# (date; ps auxg) | openssl sha1
    44c702745bdeced27d8c01b8bcda28bb311e51f4

SHA-1 (2)

(a) A message padded out to a multiple of 512 bits. (b) The output 32-bit variables. (c) The word array.

SHA1

- Copy the 16-word input block to W_0 to W_15. Scramble them to W_16 to W_79 with

    W_i = S^1(W_{i-3} XOR W_{i-8} XOR W_{i-14} XOR W_{i-16})    (16 <= i <= 79)

- S^b(W) represents the left circular rotation of the 32-bit word W by b bits.
- Actual step in pseudo-C code:

    for (i = 0; i < 80; i++) {
        temp = S^5(A) + f_i(B, C, D) + E + W_i + K_i;
        E = D; D = C; C = S^30(B); B = A; A = temp;
    }

    f_i(B, C, D) = (B AND C) OR (NOT B AND D)               ( 0 <= i <= 19)
    f_i(B, C, D) = B XOR C XOR D                            (20 <= i <= 39)
    f_i(B, C, D) = (B AND C) OR (B AND D) OR (C AND D)      (40 <= i <= 59)
    f_i(B, C, D) = B XOR C XOR D                            (60 <= i <= 79)

- At the end of 80 iterations, A-E are added to H0-H4 respectively. Continue with the rest of the input blocks.
- Work ongoing for 256-, 384-, 512-bit hashes.
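
The message schedule and 80-step loop above as runnable Python, added here and not part of the original slides. The initial values H0-H4 and the four constants K_i are not given on the slide; they are the ones from FIPS 180-1, and the function names are this example's own.

```python
"""SHA-1 written to follow the slide's W_i schedule and pseudo-C loop."""
import struct

MASK = 0xFFFFFFFF
# Not on the slide: initial H0..H4 and round constants K_i from FIPS 180-1.
H_INIT = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)
K = (0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6)


def rotl(word, b):
    """S^b(W): left circular rotation of a 32-bit word by b bits."""
    return ((word << b) | (word >> (32 - b))) & MASK


def f(i, b, c, d):
    """The step-dependent mixing function f_i(B, C, D)."""
    if i < 20:
        return (b & c) | (~b & d)
    if i < 40:
        return b ^ c ^ d
    if i < 60:
        return (b & c) | (b & d) | (c & d)
    return b ^ c ^ d


def pad(message):
    """Pad to 448 bits (mod 512), then append the 64-bit message length."""
    bit_length = len(message) * 8
    padded = message + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    return padded + struct.pack(">Q", bit_length)


def expand(block):
    """W_0..W_15 from the 512-bit block, then W_16..W_79 by the recurrence."""
    w = list(struct.unpack(">16I", block))
    for i in range(16, 80):
        w.append(rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
    return w


def compress(h, block):
    """Run the 80 steps on one block and add A-E into H0-H4."""
    w = expand(block)
    a, b, c, d, e = h
    for i in range(80):
        temp = (rotl(a, 5) + f(i, b, c, d) + e + w[i] + K[i // 20]) & MASK
        e, d, c, b, a = d, c, rotl(b, 30), a, temp
    return tuple((x + y) & MASK for x, y in zip(h, (a, b, c, d, e)))


def sha1(message):
    """Return the 160-bit digest of a bytes object as 40 hex digits."""
    h = H_INIT
    data = pad(message)
    for offset in range(0, len(data), 64):
        h = compress(h, data[offset:offset + 64])
    return "".join(f"{word:08x}" for word in h)


if __name__ == "__main__":
    print(sha1(b"abc"))
```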

The Birthday Attack

- It takes $2^m$ operations to attack an m-bit MD. But it takes $2^{m/2}$ operations using the birthday attack. Yuval 1979 paper on “how to swindle Rabin”.
- Example: two tenure faculty up for promotion: Tom and Dick. Tom earlier by two years.
- Tom asks the Dept. Chair, Marilyn, to write a recommendation letter.
- Secretary Ellen loves Dick. She prepares two letters.

Official Letter 1

Dear Dean Smith,

This [letter | message] is to give my [honest | frank] opinion of Prof. Tom Wilson, who is [a candidate | up] for tenure [now | this year]. I have [known | worked with] Prof. Wilson for [about | almost] six years. He is an [outstanding | excellent] researcher of great [talent | ability] known [worldwide | internationally] for his [brilliant | creative] insights into [many | a wide variety of] [difficult | challenging] problems.

He is also a [highly | greatly] [respected | admired] [teacher | educator]. His students give his [classes | courses] [rave | spectacular] reviews. He is [our | the Department's] [most popular | best-loved] [teacher | instructor].

[In addition | Additionally] Prof. Wilson is a [gifted | effective] fund raiser. His [grants | contracts] have brought a [large | substantial] amount of money into [the | our] Department. [This money has | These funds have] [enabled | permitted] us to [pursue | carry out] many [special | important] programs, [such as | for example] your State 2000 program. Without these funds we would [be unable | not be able] to continue this program, which is so [important | essential] to both of us. I strongly urge you to grant him tenure.

Fake Letter

Dear Dean Smith,

This [letter | message] is to give my [honest | frank] opinion of Prof. Tom Wilson, who is [a candidate | up] for tenure [now | this year]. I have [known | worked with] Tom for [about | almost] six years. He is a [poor | weak] researcher not well known in his [field | area]. His research [hardly ever | rarely] shows [insight in | understanding of] the [key | major] problems of [the | our] day.

Furthermore, he is not a [respected | admired] [teacher | educator]. His students give his [classes | courses] [poor | bad] reviews. He is [our | the Department's] least popular [teacher | instructor], known [mostly | primarily] within [the | our] Department for his [tendency | propensity] to [ridicule | embarrass] students [foolish | imprudent] enough to ask questions in his classes.

[In addition | Additionally] Tom is a [poor | marginal] fund raiser. His [grants | contracts] have brought only a [meager | insignificant] amount of money into [the | our] Department. Unless new [money is | funds are] quickly located, we may have to cancel some essential programs, such as your State 2000 program. Unfortunately, under these [conditions | circumstances] I cannot in good [conscience | faith] recommend him to you for [tenure | a permanent position].

The Rest of the Story

Now Ellen programs her computer to compute the $2^{32}$ message digests of each letter overnight. Chances are, one digest of the first letter will match one digest of the second letter. If not, she can add a few more options and try again during the weekend. Suppose that she finds a match. Call the "good" letter A and the "bad" one B.

Ellen now e-mails letter A to Marilyn for her approval. Letter B she keeps completely secret, showing it to no one. Marilyn, of course, approves, computes her 64-bit message digest, signs the digest, and e-mails the signed digest off to Dean Smith. Independently, Ellen e-mails letter B to the Dean (not letter A, as she is supposed to).

After getting the letter and signed message digest, the Dean runs the message digest algorithm on letter B, sees that it agrees with what Marilyn sent him, and fires Tom. The Dean does not realize that Ellen managed to generate two letters with the same message digest and sent him a different one than Marilyn saw and approved. (Optional ending: Ellen tells Dick what she did. Dick is appalled and breaks off with her. Ellen is furious and confesses to Marilyn. Marilyn calls the Dean. Tom gets tenure after all.)

With MD5 the birthday attack is difficult because even at 1 billion digests per second, it would take over 500 years to compute all $2^{64}$ digests of two letters with 64 variants each, and even then a match is not guaranteed. Of course, with 5000 computers working in parallel, 500 years becomes 5 weeks. SHA-1 is better (because it is longer).
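
An added example, not part of the original slides, that measures the collision work the story relies on and shows why digest length matters, using the first twelve option slots of each letter (2^12 variants each). The 16-bit digest is SHA-256 truncated, an assumption made so the search finishes instantly; the function names are this example's own.

```python
"""Matching digests between two letter families, by digest length."""
import hashlib
from itertools import product

# Opening paragraph of each letter with its first twelve option slots.
GOOD = ("This {} is to give my {} opinion of Prof. Tom Wilson, who is {} for "
        "tenure {}. I have {} Prof. Wilson for {} six years. He is an {} "
        "researcher of great {} known {} for his {} insights into {} {} "
        "problems.")
GOOD_SLOTS = [
    ("letter", "message"), ("honest", "frank"), ("a candidate", "up"),
    ("now", "this year"), ("known", "worked with"), ("about", "almost"),
    ("outstanding", "excellent"), ("talent", "ability"),
    ("worldwide", "internationally"), ("brilliant", "creative"),
    ("many", "a wide variety of"), ("difficult", "challenging"),
]
BAD = ("This {} is to give my {} opinion of Prof. Tom Wilson, who is {} for "
       "tenure {}. I have {} Tom for {} six years. He is a {} researcher not "
       "well known in his {}. His research {} shows {} the {} problems of "
       "{} day.")
BAD_SLOTS = [
    ("letter", "message"), ("honest", "frank"), ("a candidate", "up"),
    ("now", "this year"), ("known", "worked with"), ("about", "almost"),
    ("poor", "weak"), ("field", "area"), ("hardly ever", "rarely"),
    ("insight in", "understanding of"), ("key", "major"), ("the", "our"),
]


def digest(text, bits):
    """First `bits` bits of SHA-256: a constructed stand-in for a short MD."""
    full = int.from_bytes(hashlib.sha256(text.encode()).digest(), "big")
    return full >> (256 - bits)


def variants(template, slots):
    """Yield every wording of a letter: 2**len(slots) texts."""
    for choice in product(*slots):
        yield template.format(*choice)


def expected_matches(bits):
    """Expected number of good/bad pairs sharing a `bits`-bit digest."""
    return 2 ** len(GOOD_SLOTS) * 2 ** len(BAD_SLOTS) / 2 ** bits


def find_matching_pair(bits):
    """Return (good_text, bad_text, digests_computed), or None if no match."""
    table = {}
    computed = 0
    for text in variants(GOOD, GOOD_SLOTS):
        table.setdefault(digest(text, bits), text)
        computed += 1
    for text in variants(BAD, BAD_SLOTS):
        computed += 1
        match = table.get(digest(text, bits))
        if match is not None:
            return match, text, computed
    return None


if __name__ == "__main__":
    for bits in (16, 64):
        found = find_matching_pair(bits)
        status = (f"match after {found[2]} digests" if found
                  else "no match in 8192 digests")
        print(f"{bits}-bit digest: expected pairs "
              f"{expected_matches(bits):.3g}, {status}")
```

With 2^12 variants per letter the expected number of matching pairs is 2^24 / 2^m, so a match is routine at m = 16 and out of reach at m = 64; the story's 2^32 variants per letter play the same role against a 64-bit digest.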

Management of Public Keys

- Certificates
- X.509
- Public Key Infrastructures

Problems with Public-Key Encryption

A way for Trudy to subvert public-key encryption.

Certificates

A possible certificate and its signed hash.

X.509

The basic fields of an X.509 certificate.

Public-Key Infrastructures

(a) A hierarchical PKI. (b) A chain of certificates.

Communication Security

- IPsec
- Firewalls
- Virtual Private Networks
- Wireless Security

IPsec

The IPsec authentication header in transport mode for IPv4.

IPsec (2)

(a) ESP in transport mode. (b) ESP in tunnel mode.

Firewalls

A firewall consisting of two packet filters and an application gateway.

Virtual Private Networks

(a) A leased-line private network. (b) A virtual private network.

802.11 Security

Packet encryption using WEP.

Authentication Protocols

- Authentication Based on a Shared Secret Key
- Establishing a Shared Key: Diffie-Hellman
- Authentication Using a Key Distribution Center
- Authentication Using Kerberos
- Authentication Using Public-Key Cryptography

Authentication Based on a Shared Secret Key

Two-way authentication using a challenge-response protocol.

Authentication Based on a Shared Secret Key (2)

A shortened two-way authentication protocol.

Authentication Based on a Shared Secret Key (3)

The reflection attack.

Authentication Based on a Shared Secret Key (4)

A reflection attack on the protocol of Fig. 8-32.

Authentication Based on a Shared Secret Key (5)

Authentication using HMACs.

Page 80: 1 CS591/Crypto chow C. Edward Chow Basic Cryptography Chapters 5&2 of “Security Engineering” Ross Anderson Chapter 8 of “Computer Networks” Tanenbaum CS691.

80CS591/Crypto chow

Establishing a Shared Key:The Diffie-Hellman Key Exchange

Establishing a Shared Key:The Diffie-Hellman Key Exchange

The Diffie-Hellman key exchange. The Diffie-Hellman key exchange.

Page 81: 1 CS591/Crypto chow C. Edward Chow Basic Cryptography Chapters 5&2 of “Security Engineering” Ross Anderson Chapter 8 of “Computer Networks” Tanenbaum CS691.

81CS591/Crypto chow

Establishing a Shared Key:The Diffie-Hellman Key Exchange

Establishing a Shared Key:The Diffie-Hellman Key Exchange

The bucket brigade or man-in-the-middle attack. The bucket brigade or man-in-the-middle attack.

Page 82: 1 CS591/Crypto chow C. Edward Chow Basic Cryptography Chapters 5&2 of “Security Engineering” Ross Anderson Chapter 8 of “Computer Networks” Tanenbaum CS691.

82CS591/Crypto chow

Authentication Using a Key Distribution Center

Authentication Using a Key Distribution Center

A first attempt at an authentication protocol using a KDC.

A first attempt at an authentication protocol using a KDC.

Authentication Using a Key Distribution Center (2)

The Needham-Schroeder authentication protocol.

Authentication Using a Key Distribution Center (3)

The Otway-Rees authentication protocol (slightly simplified).

Authentication Using Kerberos

The operation of Kerberos V4.

Authentication Using Public-Key Cryptography

Mutual authentication using public-key cryptography.

E-Mail Security

PGP – Pretty Good Privacy

PEM – Privacy Enhanced Mail

S/MIME

PGP – Pretty Good Privacy

PGP in operation for sending a message.

PGP – Pretty Good Privacy (2)

A PGP message.

Web Security

Threats

Secure Naming

SSL – The Secure Sockets Layer

Mobile Code Security

Secure Naming

(a) Normal situation. (b) An attack based on breaking into DNS and modifying Bob's record.

Secure Naming (2)

How Trudy spoofs Alice's ISP.

Secure DNS

An example RRSet for bob.com. The KEY record is Bob's public key. The SIG record is the top-level com server's signed hash of the A and KEY records to verify their authenticity.

Self-Certifying Names

A self-certifying URL containing a hash of server's name and public key.
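
An added example, not from the original slides: a client-side check of a self-certifying URL, confirming that the public key a server presents hashes to the value embedded in the URL, so a modified DNS record alone cannot substitute another key. The URL layout (hash after the host, separated by a colon), SHA-256, base32 encoding, and the key bytes are all assumptions made for the illustration.

```python
import base64
import hashlib
import hmac

def name_key_digest(server_name: str, public_key: bytes) -> str:
    """Lowercase, unpadded base32 of SHA-256 over the server name and key."""
    name = server_name.lower().encode("utf-8")
    # A length prefix keeps the name/key boundary unambiguous, so
    # ("bob.com", b"X...") and ("bob.co", b"mX...") cannot collide.
    material = len(name).to_bytes(2, "big") + name + public_key
    digest = hashlib.sha256(material).digest()
    return base64.b32encode(digest).decode("ascii").rstrip("=").lower()

def make_url(server_name: str, public_key: bytes, path: str) -> str:
    """Build a self-certifying URL in the assumed host:hash layout."""
    return f"https://{server_name}:{name_key_digest(server_name, public_key)}{path}"

def verify_server_key(url: str, presented_key: bytes) -> bool:
    """True only if the key the server presents matches the hash in the URL."""
    _, sep, rest = url.partition("://")
    if not sep:
        return False
    netloc = rest.split("/", 1)[0]
    host, colon, embedded = netloc.rpartition(":")
    if not colon or not host or not embedded:
        return False  # no embedded hash, so nothing to certify against
    expected = name_key_digest(host, presented_key)
    # Constant-time comparison of the recomputed and embedded hashes.
    return hmac.compare_digest(expected.encode(), embedded.lower().encode())

# Constructed sample values (not real keys).
BOB_KEY = b"constructed-public-key-bytes-for-bob"
TRUDY_KEY = b"constructed-public-key-bytes-for-trudy"

if __name__ == "__main__":
    url = make_url("bob.com", BOB_KEY, "/photos/bob.jpg")
    print(url)
    print("genuine server accepted:", verify_server_key(url, BOB_KEY))
    print("substituted key accepted:", verify_server_key(url, TRUDY_KEY))
```

The check depends on the client obtaining the URL itself from a trusted source; it says nothing about a URL that was replaced before the client saw it.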

SSL—The Secure Sockets Layer

Layers (and protocols) for a home user browsing with SSL.

SSL (2)

A simplified version of the SSL connection establishment subprotocol.

SSL (3)

Data transmission using SSL.

Java Applet Security

Applets inserted into a Java Virtual Machine interpreter inside the browser.

Social Issues

Privacy

Freedom of Speech

Copyright

Anonymous Remailers

Users who wish anonymity chain requests through multiple anonymous remailers.

Freedom of Speech

Possibly banned material:

1. Material inappropriate for children or teenagers.

2. Hate aimed at various ethnic, religious, sexual, or other groups.

3. Information about democracy and democratic values.

4. Accounts of historical events contradicting the government's version.

5. Manuals for picking locks, building weapons, encrypting messages, etc.

Steganography

(a) Three zebras and a tree. (b) Three zebras, a tree, and the complete text of five plays by William Shakespeare.

