04/22/23 1

Computer SecurityCryptography –an introduction

04/22/23 2

Encryption

key KE key KD

x plaintext y ciphertext original plaintext x . encryption decryption

Eavesdropper

04/22/23 3

EncryptionA cryptosystem involves • an encryption algorithm E, and a • a decryption algorithm DBoth algorithms make use of a key.Let KE be the encryption key and KD the decryption key.

For symmetric cryptosystems the same key is used both encryption and decryption: KE = KD.

04/22/23 4

EncryptionIf P is the plaintext message, C the ciphertext, then for symmetric cryptosystems:

C = E (K,P) and P = D (K,E (K,P)) = D (K,C)

For an asymmetric cryptosystem

C = E (KE,P) and P = D (KD,E (KE,P)) = D (KD,C)

04/22/23 5

Kerchoffs’ assumptionThe adversary knows all details of the encrypting function except the secret key

04/22/23 6

Symmetric key encryption

There are two types of cipher systems:• Stream ciphers, • Block ciphers.

04/22/23 7

Stream ciphers

Encryption x = ISSOPMI y = wdhuvad

Key KE

04/22/23 8

Block ciphers

Encryption

x = XNE OIG TPH YRK …

y =

. Key KE wdm

. hut vap dgd …

04/22/23 9

Block ciphersAn overview of the DES Algorithm

DES is an iterated block cipher with • 16 rounds, • block length 64 bits and • key length 56 bits

04/22/23 10

Iterating Block ciphers1. Iterated block cipher Random (binary) key K round keys: K1,..., KNr

,

2. Round function g w

r = g(w r-1, K

r), where w

r-1 is the previous state

04/22/23 11

Iterated cipher …

Encryption operation:w0 x (x = plaintext) w1 = g(w0, K1),w2 = g(w1, K2),

wNr = g(wNr-1, KNr),

y wNr (y = ciphertext)

04/22/23 12

Iterated cipher …For decryption we must have:

g(.,K) must be invertible for all K

Then decryption is the reverse of encryption (bottom-up)

04/22/23 13

Data Encryption StandardDES is a special type of iterated cipher called a Feistel cipher.Block length 64 bitsKey length 56 bitsCiphertext length 64 bits

04/22/23 14

DES

The round function is:

g([Li-1,Ri-1 ]),Ki ) = (Li ,Ri),

where

Li = Ri-1 and Ri = Li-1 XOR f (Ri-1, Ki).

04/22/23 15

DES round encryption

04/22/23 16

DES inner function

04/22/23 17

DES computation path

04/22/23 18

A Round of DES

32 bit Rn+1

64 bit output

32 bit Ln+1

64 bit input

32 bit Ln

32 bit Rn

Inner Function

+

Kn

04/22/23 19

Inner function f

Combine 32 bit input and 48 bit key into 32 bit output

• Expand 32 bit input to 48 bits • XOR the 48 bit key with the expanded 48 bit input• Apply the S-boxes to the 48 bit input to produce 32 bit

output• Permute the resulting 32 bits

04/22/23 20

S Boxes• There are 8 different S-Boxes,1 for each chunk• S-box process maps 6 bit input to 4 bit output• S box performs substitution on 4 bits• There are 8 possible substitutions in each S box• Inner 4 bits are fed into an S box• Outer 2 bits determine which substitution is used

04/22/23 21

DES: Initial and Final Permutations

There is also an initial and a final permutation: the final permutation is the inverse of the initial permutation

04/22/23 22

Decrypting DES1. DES (and all Feistel structures) is reversible through a “reverse” encryption because:

– No input data is mangled and passed to the output– The properties of XOR

1. S-boxes are not reversible (and don't need to be)2. Everything needed (except the key) to produce the input to the n-1th step is available from the output of the nthstep.4. The input to the nth step is the output of the n-1th step.5. Work backwards to step 1.

04/22/23 23

Encrypt round n Decrypt round n+1

32 bit Rn+1

64 bit input

32 bit Ln+1

64 bit output

32 bit Ln

32 bit Rn

Inner Function

+

Kn

32 bit Rn+1

64 bit output

32 bit Ln+1

64 bit input

32 bit Ln

32 bit Rn

Inner Function

+

Kn

04/22/23 24

Attacks on DES• Brute force• Linear Cryptanalysis -- Known plaintext attack• Differential cryptanalysis

– Chosen plaintext attack– Modify plaintext bits, observe change in ciphertext

No dramatic improvement on brute force

04/22/23 25

Countering Attacks• Large keyspace combats brute force attack• Triple DES (say EDE mode, with usually 2 keys)• Use AES

04/22/23 26

Modes of operationFour basic modes of operation are available for block ciphers:• Electronic codebook mode: ECB• Cipher block chaining mode: CBC• Cipher feedback mode: CFB• Output feedback mode: OFB

04/22/23 27

Electronic Codebook mode, ECB

Each plaintext xi is encrypted with the same key K:

yi = eK(xi).

So, the naïve use of a block cipher.

04/22/23 28

ECBx1 x2 x3 x4

y4y3y2y1

DES DES DES DES

04/22/23 29

Cipher Block Chaining mode, CBC

Each cipher block yi-1 is xor-ed with the next plaintext xi :

yi = eK(yi-1 XOR xi)

before being encrypted to get the next plaintext yi.

The chain is initialized with an initialization vector: y0 = IV

with length, the block size.

04/22/23 30

CBCx1

+ + ++IV

x2 x3 x4

y4y3y2y1

DES DES DES DES

04/22/23 31

Cipher and Output feedback modes (CFB & OFB)

CFBz0 = IV and recursively:

zi = eK(yi-1) and yi = xi XOR zi

OFBz0 = IV and recursively:

zi = eK(zi-1) and yi = xi XOR zi

04/22/23 32

CFB mode

IV eK eK

y1

+

x1

eK

x2

y2

+

04/22/23 33

OFB modeIV eK eK

y1

+

x1 x2

y2

+

04/22/23 34

Double & Triple DES

Double: C = E(k2,E(k1,m)

Triple: C = E(k1,D(k2,E(k1,m)

04/22/23 35

AESBlock length 128 bits.Key lengths 128 (or 192 or 256).

The AES is an iterated cipher with Nr=10 (or 12 or 14)In each round we have: • Subkey mixing: State Roundkey XOR State• A substitution: SubBytes(State)• A permutation: ShiftRows(State) & MixColumns(State)

04/22/23 36

Asymmetric key encryption

Public Key Cryptography

04/22/23 37

Public Key Cryptography

Alice Bob

Alice and Bob want to exchange a private key in public.

04/22/23 38

Public Key CryptographyThe Diffie-Hellman protocol

Alice ga mod p Bob

gb mod p

The private key is: gab mod p where p is a prime and g is a generator of Zp

04/22/23 39

Finite FieldsTheoremIf p is a prime then Zp is a cyclic group.

The generator of Zp is called a primitive element modulo p

04/22/23 40

Public Key CryptographyEncryption schemes

Let • P be the set of all plaintext messages • C be the set of ciphertexts• K be the set of all keys

04/22/23 41

The RSA cryptosystemLet n = pq, where p and q are primes.Let P = C = Zn, and define K = {(n,p,q,e,d) : ed = 1 mod (n) }.

For each key K = (n,p,q,e,d), define

c = eK(m) = me mod nand dK(c) = cd mod n,

where (m,c) Zn.

Public key = (n,e), Private key (n,d).

04/22/23 42

Check

We have: ed = 1 mod (n), so ed = 1 + t(n).Therefore, dK(eK(m)) = (me)d = med = m t(n)+1

= (m(n)) t m = 1.m = m mod n

04/22/23 43

Examplep = 101, q = 113, n = 11413. (n) = 100x112 = 11200 = 26527For encryption use e = 3533.Then d = e-1 mod11200 = 6597.Bob publishes: n = 11413, e = 3533.Suppose Alice wants to encrypt: 9726.She computes 97263533 mod 11413 = 5761To decrypt it Bob computes: 57616597 mod 11413 = 9726

04/22/23 44

Implementation

1. Generate two large primes: p,q2. n pq and (n)= (p-1)(q-1)3. Choose random e: with 1<e< (n) & gcd(e,(n))=14. d e -1 mod (n)5. The public key is (n,e) and the private key is (p,q,d)

04/22/23 45

Security of RSA

1. Relation to factoring. Recovering the plaintext m from an RSA ciphertext c iseasy if factoring is possible.

2. The RSA problem Given (n,e) and c, compute: m such that me = c mod n

04/22/23 46

The ElGamal encryption scheme

Let p be a prime and g Zp a primitive element.

Let P = Zp-1,

C = Zp-1 x Zp-1 and

K = {(p,g,x,y): y = gx modp }.• The values p,g,y are the public key.• x is the private key.

04/22/23 47

The ElGamal encryption scheme

• Encryption Let m Zp-1 be a message.

For K = {(p,g,x,y): y = gx mod p }, and secret random number k Zp-1, define: eK(m,k) = (s,t), where

– s = gk mod p– t = m yk mod p

• Decryption For s,t Zp-1, define: dK(s,t) = t (sx)-1mod p

04/22/23 48

The security of ElGamal• The Diffie-Hellman problem. Given a prime p,g e Zp-1, and x,y e Zp-1, find xlog gy mod p.

The security of the ElGamal encryption is reduced to the difficulty of breaking the Diffie-Hellman problem.

04/22/23 49

Digital Signatures

04/22/23 50

Public Key CryptographySignature schemes

Let • P be the set of all messages • A be the set of signatures• K be the set of all keys

04/22/23 51

The RSA digital signatureLet n = pq, where p and q are primes.

Let P = A = Zn , and define

K = {(n,p,q,e,d) : ed = 1 mod (n) }.

For each key K = (n,p,q,e,d), define

sigK(m) = md mod nand verK(m,y) = true ye = m mod n,

where (m,y) Zn.

Public key = (n,e), Private key (n,d).

04/22/23 52

The ElGamal signature scheme

Let p be a prime and g Zp a primitive element.

Let P = Zp-1,

A = Zp-1 x Zp-1 and

K = {(p,g,x,y): y = gx modp }.• The values p,g,y are the public key.• x is the private key.

04/22/23 53

The ElGamal signature scheme

• Signing Let m Zp-1 be a message.

For K = {(p,g,x,y): y = gx mod p }, and secret random number k Zp-1, define: sigK(m,k) = (s,t), where

– s = gk mod p– t = (m-xs)k-1 mod p-1

• Verification verK(m,(s,t)) = true st·ys = gm modp .

04/22/23 54

Toy exampleLet p = 467, g = 2, x = 127,

message m = 100,Choose k = 213. Then k-1mod 466 = 431.The signature is:

– s = 2213 mod 467 = 29– t = (m-xs)k-1 mod(p-1) = (100-127x29)431 mod 466 = 51

Verification: 2100 ? 132292951 mod 467

04/22/23 55

The security of the ElGamal signature

• If the Discrete Logarithm problem can be solved then ElGamal signatures can be forged.

• The converse may not be true.• The exponent k must be

– private– cannot be used twice– best: chosen at random.

04/22/23 56

The Digital Signature AlgorithmLet p be a an L-bit prime prime, 512 L 1024 and L 0 mod 64 ,let q be a 160-bit prime that divides p-1 and Let Zp

* be a q-th root of 1 modulo p.Let P = Zp-1, A = Zq x Zq and K = {(p,q,,x,y): y =

x modp }.• The values ,y are the public key.• x is the private key.

04/22/23 57

The Digital Signature scheme

• Signing Let m Zp-1 be a message. For K = {{(p,q,,x,y): y = x mod p }, and secret random number k Zp-1, define: sigK(m,k) = (s,t), where

– s = (k mod p) mod q– t = (SHA1(m)+xs)k-1mod q

• Verification Let

– e1 = SHA-1(m) t-1 mod q– e2 = st-1 mod q

verK(m,(s,t)) = true (e1 ye2 mod p) mod q = s.

04/22/23 58

The Digital Signature scheme

Verification – continued

Check:(e1 ye2 mod p) mod q = ( SHA1(m) t-1 y st-1mod p) mod q = = ( SHA1(m) t-1 xst-1mod p) mod q = = ( SHA1(m) t-1 xst-1mod p) mod q = = ( (SHA1(m)+ xs)t-1mod p) mod q = = ( k mod p) mod q = s