04/22/23 1
Computer SecurityCryptography –an introduction
04/22/23 2
Encryption
key KE key KD
x plaintext y ciphertext original plaintext x . encryption decryption
Eavesdropper
04/22/23 3
EncryptionA cryptosystem involves • an encryption algorithm E, and a • a decryption algorithm DBoth algorithms make use of a key.Let KE be the encryption key and KD the decryption key.
For symmetric cryptosystems the same key is used both encryption and decryption: KE = KD.
04/22/23 4
EncryptionIf P is the plaintext message, C the ciphertext, then for symmetric cryptosystems:
C = E (K,P) and P = D (K,E (K,P)) = D (K,C)
For an asymmetric cryptosystem
C = E (KE,P) and P = D (KD,E (KE,P)) = D (KD,C)
04/22/23 5
Kerchoffs’ assumptionThe adversary knows all details of the encrypting function except the secret key
04/22/23 6
Symmetric key encryption
There are two types of cipher systems:• Stream ciphers, • Block ciphers.
04/22/23 7
Stream ciphers
Encryption x = ISSOPMI y = wdhuvad
Key KE
04/22/23 8
Block ciphers
Encryption
x = XNE OIG TPH YRK …
y =
. Key KE wdm
. hut vap dgd …
04/22/23 9
Block ciphersAn overview of the DES Algorithm
DES is an iterated block cipher with • 16 rounds, • block length 64 bits and • key length 56 bits
04/22/23 10
Iterating Block ciphers1. Iterated block cipher Random (binary) key K round keys: K1,..., KNr
,
2. Round function g w
r = g(w r-1, K
r), where w
r-1 is the previous state
04/22/23 11
Iterated cipher …
Encryption operation:w0 x (x = plaintext) w1 = g(w0, K1),w2 = g(w1, K2),
wNr = g(wNr-1, KNr),
y wNr (y = ciphertext)
04/22/23 12
Iterated cipher …For decryption we must have:
g(.,K) must be invertible for all K
Then decryption is the reverse of encryption (bottom-up)
04/22/23 13
Data Encryption StandardDES is a special type of iterated cipher called a Feistel cipher.Block length 64 bitsKey length 56 bitsCiphertext length 64 bits
04/22/23 14
DES
The round function is:
g([Li-1,Ri-1 ]),Ki ) = (Li ,Ri),
where
Li = Ri-1 and Ri = Li-1 XOR f (Ri-1, Ki).
04/22/23 15
DES round encryption
04/22/23 16
DES inner function
04/22/23 17
DES computation path
04/22/23 18
A Round of DES
32 bit Rn+1
64 bit output
32 bit Ln+1
64 bit input
32 bit Ln
32 bit Rn
Inner Function
+
Kn
04/22/23 19
Inner function f
Combine 32 bit input and 48 bit key into 32 bit output
• Expand 32 bit input to 48 bits • XOR the 48 bit key with the expanded 48 bit input• Apply the S-boxes to the 48 bit input to produce 32 bit
output• Permute the resulting 32 bits
04/22/23 20
S Boxes• There are 8 different S-Boxes,1 for each chunk• S-box process maps 6 bit input to 4 bit output• S box performs substitution on 4 bits• There are 8 possible substitutions in each S box• Inner 4 bits are fed into an S box• Outer 2 bits determine which substitution is used
04/22/23 21
DES: Initial and Final Permutations
There is also an initial and a final permutation: the final permutation is the inverse of the initial permutation
04/22/23 22
Decrypting DES1. DES (and all Feistel structures) is reversible through a “reverse” encryption because:
– No input data is mangled and passed to the output– The properties of XOR
1. S-boxes are not reversible (and don't need to be)2. Everything needed (except the key) to produce the input to the n-1th step is available from the output of the nthstep.4. The input to the nth step is the output of the n-1th step.5. Work backwards to step 1.
04/22/23 23
Encrypt round n Decrypt round n+1
32 bit Rn+1
64 bit input
32 bit Ln+1
64 bit output
32 bit Ln
32 bit Rn
Inner Function
+
Kn
32 bit Rn+1
64 bit output
32 bit Ln+1
64 bit input
32 bit Ln
32 bit Rn
Inner Function
+
Kn
04/22/23 24
Attacks on DES• Brute force• Linear Cryptanalysis -- Known plaintext attack• Differential cryptanalysis
– Chosen plaintext attack– Modify plaintext bits, observe change in ciphertext
No dramatic improvement on brute force
04/22/23 25
Countering Attacks• Large keyspace combats brute force attack• Triple DES (say EDE mode, with usually 2 keys)• Use AES
04/22/23 26
Modes of operationFour basic modes of operation are available for block ciphers:• Electronic codebook mode: ECB• Cipher block chaining mode: CBC• Cipher feedback mode: CFB• Output feedback mode: OFB
04/22/23 27
Electronic Codebook mode, ECB
Each plaintext xi is encrypted with the same key K:
yi = eK(xi).
So, the naïve use of a block cipher.
04/22/23 28
ECBx1 x2 x3 x4
y4y3y2y1
DES DES DES DES
04/22/23 29
Cipher Block Chaining mode, CBC
Each cipher block yi-1 is xor-ed with the next plaintext xi :
yi = eK(yi-1 XOR xi)
before being encrypted to get the next plaintext yi.
The chain is initialized with an initialization vector: y0 = IV
with length, the block size.
04/22/23 30
CBCx1
+ + ++IV
x2 x3 x4
y4y3y2y1
DES DES DES DES
04/22/23 31
Cipher and Output feedback modes (CFB & OFB)
CFBz0 = IV and recursively:
zi = eK(yi-1) and yi = xi XOR zi
OFBz0 = IV and recursively:
zi = eK(zi-1) and yi = xi XOR zi
04/22/23 32
CFB mode
IV eK eK
y1
+
x1
eK
x2
y2
+
04/22/23 33
OFB modeIV eK eK
y1
+
x1 x2
y2
+
04/22/23 34
Double & Triple DES
Double: C = E(k2,E(k1,m)
Triple: C = E(k1,D(k2,E(k1,m)
04/22/23 35
AESBlock length 128 bits.Key lengths 128 (or 192 or 256).
The AES is an iterated cipher with Nr=10 (or 12 or 14)In each round we have: • Subkey mixing: State Roundkey XOR State• A substitution: SubBytes(State)• A permutation: ShiftRows(State) & MixColumns(State)
04/22/23 36
Asymmetric key encryption
Public Key Cryptography
04/22/23 37
Public Key Cryptography
Alice Bob
Alice and Bob want to exchange a private key in public.
04/22/23 38
Public Key CryptographyThe Diffie-Hellman protocol
Alice ga mod p Bob
gb mod p
The private key is: gab mod p where p is a prime and g is a generator of Zp
04/22/23 39
Finite FieldsTheoremIf p is a prime then Zp is a cyclic group.
The generator of Zp is called a primitive element modulo p
04/22/23 40
Public Key CryptographyEncryption schemes
Let • P be the set of all plaintext messages • C be the set of ciphertexts• K be the set of all keys
04/22/23 41
The RSA cryptosystemLet n = pq, where p and q are primes.Let P = C = Zn, and define K = {(n,p,q,e,d) : ed = 1 mod (n) }.
For each key K = (n,p,q,e,d), define
c = eK(m) = me mod nand dK(c) = cd mod n,
where (m,c) Zn.
Public key = (n,e), Private key (n,d).
04/22/23 42
Check
We have: ed = 1 mod (n), so ed = 1 + t(n).Therefore, dK(eK(m)) = (me)d = med = m t(n)+1
= (m(n)) t m = 1.m = m mod n
04/22/23 43
Examplep = 101, q = 113, n = 11413. (n) = 100x112 = 11200 = 26527For encryption use e = 3533.Then d = e-1 mod11200 = 6597.Bob publishes: n = 11413, e = 3533.Suppose Alice wants to encrypt: 9726.She computes 97263533 mod 11413 = 5761To decrypt it Bob computes: 57616597 mod 11413 = 9726
04/22/23 44
Implementation
1. Generate two large primes: p,q2. n pq and (n)= (p-1)(q-1)3. Choose random e: with 1<e< (n) & gcd(e,(n))=14. d e -1 mod (n)5. The public key is (n,e) and the private key is (p,q,d)
04/22/23 45
Security of RSA
1. Relation to factoring. Recovering the plaintext m from an RSA ciphertext c iseasy if factoring is possible.
2. The RSA problem Given (n,e) and c, compute: m such that me = c mod n
04/22/23 46
The ElGamal encryption scheme
Let p be a prime and g Zp a primitive element.
Let P = Zp-1,
C = Zp-1 x Zp-1 and
K = {(p,g,x,y): y = gx modp }.• The values p,g,y are the public key.• x is the private key.
04/22/23 47
The ElGamal encryption scheme
• Encryption Let m Zp-1 be a message.
For K = {(p,g,x,y): y = gx mod p }, and secret random number k Zp-1, define: eK(m,k) = (s,t), where
– s = gk mod p– t = m yk mod p
• Decryption For s,t Zp-1, define: dK(s,t) = t (sx)-1mod p
04/22/23 48
The security of ElGamal• The Diffie-Hellman problem. Given a prime p,g e Zp-1, and x,y e Zp-1, find xlog gy mod p.
The security of the ElGamal encryption is reduced to the difficulty of breaking the Diffie-Hellman problem.
04/22/23 49
Digital Signatures
04/22/23 50
Public Key CryptographySignature schemes
Let • P be the set of all messages • A be the set of signatures• K be the set of all keys
04/22/23 51
The RSA digital signatureLet n = pq, where p and q are primes.
Let P = A = Zn , and define
K = {(n,p,q,e,d) : ed = 1 mod (n) }.
For each key K = (n,p,q,e,d), define
sigK(m) = md mod nand verK(m,y) = true ye = m mod n,
where (m,y) Zn.
Public key = (n,e), Private key (n,d).
04/22/23 52
The ElGamal signature scheme
Let p be a prime and g Zp a primitive element.
Let P = Zp-1,
A = Zp-1 x Zp-1 and
K = {(p,g,x,y): y = gx modp }.• The values p,g,y are the public key.• x is the private key.
04/22/23 53
The ElGamal signature scheme
• Signing Let m Zp-1 be a message.
For K = {(p,g,x,y): y = gx mod p }, and secret random number k Zp-1, define: sigK(m,k) = (s,t), where
– s = gk mod p– t = (m-xs)k-1 mod p-1
• Verification verK(m,(s,t)) = true st·ys = gm modp .
04/22/23 54
Toy exampleLet p = 467, g = 2, x = 127,
message m = 100,Choose k = 213. Then k-1mod 466 = 431.The signature is:
– s = 2213 mod 467 = 29– t = (m-xs)k-1 mod(p-1) = (100-127x29)431 mod 466 = 51
Verification: 2100 ? 132292951 mod 467
04/22/23 55
The security of the ElGamal signature
• If the Discrete Logarithm problem can be solved then ElGamal signatures can be forged.
• The converse may not be true.• The exponent k must be
– private– cannot be used twice– best: chosen at random.
04/22/23 56
The Digital Signature AlgorithmLet p be a an L-bit prime prime, 512 L 1024 and L 0 mod 64 ,let q be a 160-bit prime that divides p-1 and Let Zp
* be a q-th root of 1 modulo p.Let P = Zp-1, A = Zq x Zq and K = {(p,q,,x,y): y =
x modp }.• The values ,y are the public key.• x is the private key.
04/22/23 57
The Digital Signature scheme
• Signing Let m Zp-1 be a message. For K = {{(p,q,,x,y): y = x mod p }, and secret random number k Zp-1, define: sigK(m,k) = (s,t), where
– s = (k mod p) mod q– t = (SHA1(m)+xs)k-1mod q
• Verification Let
– e1 = SHA-1(m) t-1 mod q– e2 = st-1 mod q
verK(m,(s,t)) = true (e1 ye2 mod p) mod q = s.
04/22/23 58
The Digital Signature scheme
Verification – continued
Check:(e1 ye2 mod p) mod q = ( SHA1(m) t-1 y st-1mod p) mod q = = ( SHA1(m) t-1 xst-1mod p) mod q = = ( SHA1(m) t-1 xst-1mod p) mod q = = ( (SHA1(m)+ xs)t-1mod p) mod q = = ( k mod p) mod q = s