
Algorithms and Data Structures - Cryptography - BFH-TI …hnr1/SWS/10Crypto.pdf ·  ·...

Date post: 21-May-2018

Cryptography Page 1

BFH-TI: Softwareschule Schweiz

Algorithms and Data Structures

Cryptography

Dr. Rolf Haenni

CAS SD01

Berner Fachhochschule Rolf Haenni

Technik und Informatik Algorithms and Data Structures


Outline

Introduction

Symmetric Cryptography

Asymmetric Cryptography

RSA


What is Cryptography?

- Traditionally, cryptography is the practice and study of hiding written information (not its existence)
  - Kryptos: hidden (Greek)
  - Graphein: write (Greek)
- On the other hand, cryptanalysis is the study of methods for obtaining the meaning of encrypted information
- Cryptology = cryptography + cryptanalysis
- Historically, cryptography was mainly motivated by military and diplomatic applications (dating back to the ancient Greeks)
- Today, cryptography is a broad branch of both mathematics and computer science and is widely applied in modern IT and communications technologies


Cryptographic Terminology

- Alphabet: A set of characters, e.g. {A, ..., Z} or {0, 1}
- Plaintext: The original message to be transmitted, represented as a string of characters from a given alphabet
- Ciphertext: The message after making its content unreadable
- Encryption: The process of producing ciphertext from plaintext
- Decryption: The reverse process of producing plaintext from ciphertext
- Cipher: A pair of algorithms for encryption and decryption
- Key: A parameter that determines the functional output of a cipher (usually a string of 56–2048 random bits)
- Cryptosystem: A system consisting of a cipher, a key generation algorithm, and other cryptographic primitives


Basic Communication Model

- Entity: A person, organization, ..., which sends, receives, or manipulates information
- Sender: The entity from which a transmitted message originates (often called Alice)
- Recipient: The entity towards which a transmitted message is addressed (often called Bob)
- Opponent: An entity which attacks the security of a transmitted message (often called Oscar or Eve)
- Trusted Third Party: A neutral entity which appears to be trustworthy for both the sender and recipient
- Channel: Medium for transmitting a message between the sender and recipient (insecure, secure, secured)


Basic Communication Model (cont.)

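[Figure: the sender turns the plaintext into ciphertext using a key; the ciphertext travels to the recipient, who turns it back into plaintext using a key; the opponent sits between sender and recipient.]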


Information Security

To protect sensitive information, the four principal goals to achieve are the following:

- Confidentiality: The content of a message is not disclosed to unauthorized entities
- Integrity: The content of a message cannot be modified by an unauthorized entity
- Authenticity: The sender (and the recipient) are who they claim they are
- Non-Repudiation: The sender (and the recipient) of a message cannot deny the transmission


Brute-Force-Attack

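- In a brute-force attack, the opponent tries all possible keys

| Key Length | Number of Keys | $10^6$ Keys/s | $10^6$ Keys/µs |
|---|---|---|---|
| 16 bits | $2^{16} = 65536$ | 32.7 ms | 32.7 µs |
| 32 bits | $2^{32} = 4.3 \cdot 10^{9}$ | 35.8 min. | 2.2 ms |
| 56 bits | $2^{56} = 7.2 \cdot 10^{16}$ | 1142 years | 10.1 hours |
| 64 bits | $2^{64} = 1.8 \cdot 10^{19}$ | 292353 years | 107 days |
| 128 bits | $2^{128} = 3.4 \cdot 10^{38}$ | $5.4 \cdot 10^{24}$ years | $5.4 \cdot 10^{18}$ years |
| 256 bits | $2^{256} = 1.2 \cdot 10^{77}$ | $3.5 \cdot 10^{63}$ years | $3.5 \cdot 10^{57}$ years |
| 512 bits | $2^{512} = 1.3 \cdot 10^{154}$ | $2.1 \cdot 10^{142}$ years | $2.1 \cdot 10^{136}$ years |
| 1024 bits | $2^{1024} = 1.7 \cdot 10^{308}$ | $2.7 \cdot 10^{296}$ years | $2.7 \cdot 10^{290}$ years |

- Number of particles in the universe: $4 \cdot 10^{78}$ to $6 \cdot 10^{79}$
- Age of the universe: $13.7 \cdot 10^{9}$ years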


Symmetric Cryptosystems

- In a symmetric cryptosystem, the sender and receiver share the same secret key $k$
- All classical ciphers (from the ancient Greeks until 1976) are symmetric
- The problem of using a symmetric cipher is to exchange the secret key
- Traditionally, secret keys were exchanged over secure channels, e.g. personally or by a trustworthy messenger
- In modern cryptography, secret keys are exchanged over secured channels (using asymmetric cryptosystems)
- A symmetric cryptosystem achieves confidentiality, integrity, and authenticity (but not non-repudiation)


AES

- AES (Advanced Encryption Standard) is the best symmetric cipher today
  - Winner of a world-wide competition in 2001
  - Successor of DES (Data Encryption Standard) since 2002
  - Key length: 128, 192, or 256 bits (DES: 56 bits)
  - Fast in both software and hardware
- AES is a block cipher (not a bit-by-bit stream cipher)
  - The bit string message is split into blocks of size $n = 128$ bits
  - In principle, each block is encrypted independently
  - To avoid equal ciphertext blocks, there are several modes of operation (ECB, CBC, CFB, etc.) to link the result from encrypting one block with the encryption of another
- AES performs a series of substitutions and permutations


Substitution Cipher

- A substitution cipher replaces each character (or a group of characters) of a plaintext block by another one
- Example: Caesar's Cipher

      a b c d e f g h i j k  l  m  n  o  p  q  r  s  t  u  v  w  x  y  z
      ↓ ↓ ↓ ↓ ↓ ↓ ↓ ↓ ↓ ↓ ↓  ↓  ↓  ↓  ↓  ↓  ↓  ↓  ↓  ↓  ↓  ↓  ↓  ↓  ↓  ↓
      0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25

  - Plaintext: $m = [M_0 M_1 \cdots M_{n-1}]$, $M_i \in \{0, \ldots, 25\}$
  - Ciphertext: $c = [C_0 C_1 \cdots C_{n-1}]$, $C_i \in \{0, \ldots, 25\}$
  - Key: $k \in \{0, \ldots, 25\}$
  - Encryption: $C_i = E_k(M_i) = M_i + k \bmod 26$
  - Decryption: $M_i = D_k(C_i) = C_i - k \bmod 26$
- AES substitutes groups of 8 bits (1 byte)


Permutation Cipher

- A permutation cipher changes the order of the characters in the block
- Example: Shift Cipher
  - Each character in a plaintext block is shifted to the left by $k$ positions (in a circular fashion)
  - Plaintext: $m = [M_0 M_1 \cdots M_{n-1}]$
  - Ciphertext: $c = [C_0 C_1 \cdots C_{n-1}]$
  - Key: $k \in \{0, \ldots, n-1\}$
  - Encryption: $c = E_k(m) = [M_{0+k \bmod n} \cdots M_{n-1+k \bmod n}]$
  - Decryption: $m = D_k(c) = [C_{0-k \bmod n} \cdots C_{n-1-k \bmod n}]$
- In AES, each 128-bit block is divided into 4 words of size 32, which are individually shifted to the left by 0, 8, 16, or 24 bits, respectively


Product Cipher

- If the amount of ciphertext is large enough, pure substitution or permutation ciphers are easy to decrypt with a frequency analysis (even if the key space is too large for a brute-force attack)
- The frequencies of the characters in the ciphertext are compared with their frequencies in plaintext samples
- To prevent a frequency analysis, substitutions (S-boxes) and permutations (P-boxes) are repeatedly applied in $r$ rounds
- Such ciphers are called product ciphers or SP-networks
- AES has 10 rounds for 128-bit keys, 12 rounds for 192-bit keys, and 14 rounds for 256-bit keys


Frequency Analysis

Example: Frequencies of letters in plain English

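[Bar chart, reconstructed as a table: frequency of each letter in percent]

| A | B | C | D | E | F | G | H | I | J | K | L | M |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 8.2 | 1.5 | 2.8 | 4.3 | 12.7 | 2.2 | 2.0 | 6.1 | 7.0 | 0.2 | 0.8 | 4.0 | 2.4 |

| N | O | P | Q | R | S | T | U | V | W | X | Y | Z |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 6.7 | 7.5 | 1.9 | 0.1 | 6.0 | 6.3 | 9.1 | 2.8 | 1.0 | 2.4 | 0.2 | 2.0 | 0.1 |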
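The following added example (not part of the original slides) shows why a pure substitution cipher such as Caesar's cipher falls to frequency analysis: each candidate key is scored by a chi-squared comparison of the decrypted letter histogram against the English frequencies from the chart. The sample plaintext, the key value and the function names are constructed for illustration.

```python
from collections import Counter

# English letter frequencies in percent for A..Z, taken from the chart above.
ENGLISH = [8.2, 1.5, 2.8, 4.3, 12.7, 2.2, 2.0, 6.1, 7.0, 0.2, 0.8, 4.0, 2.4,
           6.7, 7.5, 1.9, 0.1, 6.0, 6.3, 9.1, 2.8, 1.0, 2.4, 0.2, 2.0, 0.1]

def caesar(text, k):
    """E_k: shift every letter by k modulo 26; other characters pass through."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + k) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)

def chi_squared(text):
    """Distance between the letter histogram of text and plain English."""
    letters = [ch for ch in text.upper() if "A" <= ch <= "Z"]
    counts = Counter(letters)
    total = sum(ENGLISH)
    score = 0.0
    for i, freq in enumerate(ENGLISH):
        expected = len(letters) * freq / total
        observed = counts.get(chr(ord("A") + i), 0)
        score += (observed - expected) ** 2 / expected
    return score

def recover_key(ciphertext):
    """Return the key k whose decryption D_k looks most like English."""
    return min(range(26), key=lambda k: chi_squared(caesar(ciphertext, -k)))

# Constructed sample message and key (assumptions, not from the slides).
PLAINTEXT = ("Alice sends the secret message to Bob over an insecure channel "
             "and the opponent tries to read the content of the message "
             "without the key")
KEY = 11
CIPHERTEXT = caesar(PLAINTEXT, KEY)

if __name__ == "__main__":
    k = recover_key(CIPHERTEXT)
    print(k, caesar(CIPHERTEXT, -k))
```

The key is recovered from the ciphertext statistics alone, which is the weakness that repeated S-box and P-box rounds are designed to remove.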


Asymmetric Cryptosystems

- In an asymmetric cryptosystem, each entity possesses two keys
  - Private key $d$ (kept secret)
  - Public key $e$ (distributed publicly)
- No secure channel is needed to distribute the public key!
- Alice encrypts the plaintext $m$ with the public key $e_B$ of Bob:

  $c = E_{e_B}(m)$

- Bob uses his private key $d_B$ to decrypt the ciphertext $c$:

  $m = D_{d_B}(c) = D_{d_B}(E_{e_B}(m))$

- Asymmetric encryption achieves confidentiality only


Man-in-the-Middle Attack

- Asymmetric cryptosystems facilitate but do not entirely solve the key exchange problem
- The remaining problem is to know whether a given public key belongs to the entity who claims to own it
- An opponent can thus distribute faked public keys in the name of other entities
- In a Man-in-the-Middle Attack, the opponent Oscar sends faked public keys to Alice and Bob
  - Alice thinks Oscar is Bob and sends him an encrypted message
  - Oscar decrypts Alice's message and sends it encrypted to Bob
  - Vice versa
- The key authentication problem is solved with certificates


Hybrid Cryptosystems

- All known asymmetric cryptosystems are relatively inefficient
- A hybrid cryptosystem combines the flexibility of asymmetric with the efficiency of symmetric cryptosystems
  - Alice encrypts $m$ symmetrically with a secret key $k$
  - The secret key $k$ is encrypted with Bob's public key $e_B$
  - $E_k(m)$ and $E_{e_B}(k)$ are transmitted over an insecure channel
  - Bob uses his private key $d_B$ to decrypt $k = D_{d_B}(E_{e_B}(k))$
  - The secret key $k$ is used to decrypt $m = D_k(E_k(m))$
- In other words, the secret key $k$ is exchanged over a secured channel
- Most cryptographic applications today use hybrid systems


Hybrid Cryptosystem

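[Figure: Alice feeds $m$ and $k$ into SE and $k$ into AE with $e_B$; both outputs are concatenated (||) and sent to Bob, who recovers $k$ through AD with $d_B$ and then $m$ through SD.]

- SE/SD: Symmetric encryption/decryption
- AE/AD: Asymmetric encryption/decryption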


Digital Signatures

- Asymmetric cryptosystems can also be used to generate digital signatures
  - Alice generates a hash code $h = h(m)$ of the message $m$
  - $h$ is encrypted with Alice's private key $d_A$ to get $s = E_{d_A}(h)$
  - $m$ together with its signature $s$ is sent to Bob
  - Bob decrypts $h = D_{e_A}(s)$ with Alice's public key $e_A$
  - Bob computes $h(m)$ and compares it with $h$
- With digital signatures, we can achieve integrity, authenticity, and non-repudiation
- Combined with asymmetric encryption/decryption, all four security requirements are achieved


Digital Signature

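[Figure: Alice computes $h$ from $m$, passes it through AE with $d_A$ and sends $m$ together with the result (||); Bob passes the signature through AD with $e_A$ and compares (?=) the result with the hash $h$ of the received $m$.]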


Hybrid Cryptosystem with Digital Signature

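[Figure: Alice hashes $m$ to $h$ and signs it through AE with $d_A$; $m$ and the signature are concatenated (||) and encrypted by SE with $k$, while $k$ goes through AE with $e_B$; both outputs are concatenated (||) and sent. Bob recovers $k$ through AD with $d_B$, decrypts with SD, passes the signature through AD with $e_A$ and compares (?=) the result with the hash $h$ of $m$.]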
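The flow in the diagram above, as an added example that is not part of the original slides. Assumptions: the key pairs are constructed toy values built from Mersenne primes, asymmetric encryption is textbook RSA without padding, and the symmetric cipher is a SHA-256 counter keystream standing in for AES because the Python standard library ships no AES. All function names are illustrative.

```python
import hashlib
import secrets

def toy_keypair(p, q, e=65537):
    """Textbook RSA keys from two primes: public (e, N), private (d, N)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)

# Constructed demo keys from Mersenne primes; far too weak for real use.
ALICE_PUB, ALICE_PRIV = toy_keypair(2**61 - 1, 2**89 - 1)
BOB_PUB, BOB_PRIV = toy_keypair(2**107 - 1, 2**127 - 1)

def keystream_xor(k, data):
    """SE and SD stand-in (assumption, not AES): XOR with SHA-256(k || counter)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(k + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def digest(m, n):
    """h(m) as an integer below N, so that textbook RSA can process it."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % n

def sig_len(n):
    """Number of bytes used to encode a signature modulo N."""
    return (n.bit_length() + 7) // 8

def send(m, alice_priv, bob_pub):
    """Alice: returns (E_k(m || s), E_eB(k)) with s = E_dA(h(m))."""
    (d_a, n_a), (e_b, n_b) = alice_priv, bob_pub
    s = pow(digest(m, n_a), d_a, n_a)
    k = secrets.token_bytes(16)                     # fresh secret key k
    body = keystream_xor(k, m + s.to_bytes(sig_len(n_a), "big"))
    return body, pow(int.from_bytes(k, "big"), e_b, n_b)

def receive(body, wrapped_k, bob_priv, alice_pub):
    """Bob: unwrap k, decrypt, then check D_eA(s) ?= h(m)."""
    (d_b, n_b), (e_a, n_a) = bob_priv, alice_pub
    k = pow(wrapped_k, d_b, n_b).to_bytes(16, "big")
    plain = keystream_xor(k, body)
    cut = len(plain) - sig_len(n_a)
    m, s = plain[:cut], int.from_bytes(plain[cut:], "big")
    if pow(s, e_a, n_a) != digest(m, n_a):
        raise ValueError("signature does not match message")
    return m

if __name__ == "__main__":
    body, wrapped = send(b"meet at noon", ALICE_PRIV, BOB_PUB)
    print(receive(body, wrapped, BOB_PRIV, ALICE_PUB))
```

A single flipped ciphertext bit changes the decrypted message, so the signature comparison fails and `receive` raises instead of returning altered text.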


RSA

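- The first asymmetric cryptosystem was discovered in 1977 by Rivest, Shamir, and Adleman (RSA)
- The method is based on number theory
  - Prime numbers: 2, 3, 5, 7, 11, 13, 17, ...
  - Greatest common divisor: $\gcd(x, y)$, e.g. $\gcd(14, 42) = 7$
  - Euler function:

$$
\varphi(x) =
\begin{cases}
1, & \text{if } x = 1 \\
x - 1, & \text{if } x \text{ is prime} \\
(y - 1) \cdot y^{z-1}, & \text{if } x = y^z \text{ and } y \text{ is prime} \\
\varphi(y) \cdot \varphi(z), & \text{if } x = y \cdot z \text{ and } \gcd(y, z) = 1
\end{cases}
$$

| $x$ | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | ... |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| $\varphi(x)$ | 1 | 1 | 2 | 2 | 4 | 2 | 6 | 4 | 6 | 4 | 10 | 4 | 12 | 6 | ... |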


RSA Key Generation

- Choose $N = p \cdot q$, such that $p$ and $q$ are prime
- Compute $\varphi(N) = (p - 1)(q - 1)$
- Public key: choose $1 < e < \varphi(N)$ such that $\gcd(e, \varphi(N)) = 1$
- Private key: compute $d$ such that $e \cdot d \bmod \varphi(N) = 1$
  - Modular multiplicative inverse
- Example:
  - $p = 3$, $q = 11$
  - $N = 3 \cdot 11 = 33$
  - $\varphi(33) = 2 \cdot 10 = 20$
  - $e = 3$, which satisfies $\gcd(3, 20) = 1$
  - $d = 7$, which satisfies $3 \cdot 7 \bmod 20 = 1$


RSA Encryption and Decryption

- Split plaintext into blocks $m$ of length $n = \lfloor \log N \rfloor$ bits
- Interpret each block as a number $m < N$
- Encryption: $c = E_e(m) = m^e \bmod N$
- Decryption: $m = D_d(c) = c^d \bmod N$
- Proof ...
- Example: $e = 3$, $d = 7$, $N = 33$
  - $n = \lfloor \log 33 \rfloor = 5$
  - $m = [00110] = 6$
  - $c = 6^3 \bmod 33 = 216 \bmod 33 = 18 = [10010]$
  - $m = 18^7 \bmod 33 = 612'220'032 \bmod 33 = 6$


Attacking RSA

- To attack an RSA-encrypted ciphertext $c$, we need to infer $d$ from $e$ and $N$
- For this, we need to know $\varphi(N) = (p - 1)(q - 1)$
- For this, we need to infer $p$ and $q$ from $N = p \cdot q$
- In other words, we need to recover the prime factors of $N$
  - Easy for small numbers
  - Difficult for large numbers
  - Practically impossible for very large numbers
- The RSA key length is usually 512, 1024, or 2048 bits
- The factorization problem is widely believed to be infeasible, but this is still unproven


RSA Algorithms

- To implement RSA, we need efficient algorithms to perform the following tasks with very large numbers:
  - Generate prime numbers at random (see §10.1.6)
  - Integer multiplication (see §10.4.4)
  - Greatest common divisor (see §10.1.2)
  - Modular multiplicative inverse (see §10.1.5)
  - Modular exponentiation (see §10.1.4)
- Prime numbers are generated by generating random numbers and testing them for primality
- The best known primality test runs in $O(\log^{6+\varepsilon} n)$ time, which is very slow if $n$ is large (polynomial in the number of bits)
- There are various efficient probabilistic primality tests, which have error probabilities that converge quickly towards 0


Euclid’s Algorithm

- The greatest common divisor is efficiently computed by Euclid's algorithm:

$$
\gcd(x, y) =
\begin{cases}
x, & \text{if } y = 0 \\
\gcd(y, x \bmod y), & \text{otherwise}
\end{cases}
$$

- Example:

  $\gcd(108, 44) = \gcd(44, 20) = \gcd(20, 4) = \gcd(4, 0) = 4$

- Runs in $O(\log \max(x, y))$ time, i.e. linear in the number of bits
- There is a variation called binary Euclid's algorithm, in which the modulo operator is replaced by divisions by 2 (right-shift)
- Another variation called extended Euclid's algorithm computes modular multiplicative inverses


Repeated Squaring Algorithm

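- The modular exponentiation is efficiently computed with the repeated squaring algorithm:

$$
x^y \bmod n =
\begin{cases}
x, & \text{if } y = 1 \\
(x^{y/2} \bmod n)^2 \bmod n, & \text{if } y \text{ is even} \\
x \cdot (x^{y-1} \bmod n) \bmod n, & \text{if } y \text{ is odd}
\end{cases}
$$

- Example:

$$
\begin{aligned}
18^7 \bmod 33 &= 18 \cdot (18^6 \bmod 33) \bmod 33 \\
&= 18 \cdot ((18^3 \bmod 33)^2 \bmod 33) \bmod 33 \\
&= 18 \cdot ((18 \cdot (18^2 \bmod 33) \bmod 33)^2 \bmod 33) \bmod 33 \\
&= 18 \cdot ((18 \cdot ((18 \bmod 33)^2 \bmod 33) \bmod 33)^2 \bmod 33) \bmod 33 \\
&= \cdots = 6
\end{aligned}
$$

- Runs in $O(\log y)$ time, i.e. linear in the number of bits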
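The RSA slides above, carried through in code as an added example that is not part of the original deck: Euclid's algorithm, the extended variant for the modular inverse, repeated squaring following the recursion shown, key generation, and recovery of $d$ by factoring a small $N$. Function names are illustrative; the values in the demo are the slides' own ($p = 3$, $q = 11$, $e = 3$, $m = 6$).

```python
def gcd(x, y):
    """Euclid's algorithm exactly as defined on the slide."""
    return x if y == 0 else gcd(y, x % y)

def ext_gcd(x, y):
    """Extended Euclid: returns (g, a, b) with a*x + b*y = g = gcd(x, y)."""
    if y == 0:
        return x, 1, 0
    g, a, b = ext_gcd(y, x % y)
    return g, b, a - (x // y) * b

def mod_inverse(e, phi):
    """d with e*d mod phi = 1; exists only if gcd(e, phi) = 1."""
    g, a, _ = ext_gcd(e, phi)
    if g != 1:
        raise ValueError("e and phi(N) are not coprime")
    return a % phi

def mod_exp(x, y, n):
    """Repeated squaring, following the slide's recursion (requires y >= 1)."""
    if y == 1:
        return x % n
    if y % 2 == 0:
        return mod_exp(x, y // 2, n) ** 2 % n
    return x * mod_exp(x, y - 1, n) % n

def keygen(p, q, e):
    """Return public key (e, N) and private key (d, N) from primes p and q."""
    n, phi = p * q, (p - 1) * (q - 1)
    if not 1 < e < phi or gcd(e, phi) != 1:
        raise ValueError("need 1 < e < phi(N) and gcd(e, phi(N)) = 1")
    return (e, n), (mod_inverse(e, phi), n)

def recover_d_by_factoring(e, n):
    """Infer d from the public key by trial division; feasible for small N only."""
    p = next(f for f in range(2, int(n ** 0.5) + 1) if n % f == 0)
    return mod_inverse(e, (p - 1) * (n // p - 1))

if __name__ == "__main__":
    public, private = keygen(3, 11, 3)        # the slides' example
    c = mod_exp(6, *public)                   # c = 6^3 mod 33
    m = mod_exp(c, *private)                  # m = 18^7 mod 33
    print(public, private, c, m, recover_d_by_factoring(*public))
```

Trial division needs on the order of $\sqrt{N}$ steps, which is why the key lengths quoted on the attack slide put factoring out of reach while 33 is factored instantly.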
