95-752:4-1
Encryption - I
95-752:4-2
Definitions
• Plaintext: easy to understand form (original message)
• Ciphertext: difficult to understand form
• Encryption: encoding (plaintext -> ciphertext)
• Decryption: decoding (ciphertext -> plaintext)
• Cryptology: study of encryption
• Cryptography: use of encryption
• Cryptanalysis: breaking encryption
95-752:4-3
Cryptanalyst’s Role
• Break single message
• Recognize patterns to create decryption method
• Find general weakness in encryption algorithm
95-752:4-4
Breakable Encryption
• Feasible given time and data
• Brute force usually impractical
• Estimates based on current technology
• Just because the underlying scheme is based on a 'hard' problem doesn't mean that the cryptanalyst will attempt to solve it that way
95-752:4-5
Cryptanalyst’s tools
• Letter frequency data
• Prefix/suffix lists
• Letter pair/triple lists
• Common pattern lists
95-752:4-6
Encryption Algorithm
• Transformation:
C=E(P)
P=D(C)
P=D(E(P))
• Keyed – adds security even if algorithm is known
Symmetric: C=E(k,P) P=D(k,C)
Asymmetric: C=E(k1,P) P=D(k2,C)
95-752:4-7
Character Representation
• Enumeration – cyclic
• Y+3=B (24+3=1 with wrapping)
• Modulus Arithmetic
– 0 mod 26 = 0
– 1 mod 26 = 1
– 26 mod 26 = 0
– 27 mod 26 = 1
A B C D E … X Y Z A B C
0 1 2 3 4 … 23 24 25 0 1 2
95-752:4-8
Caesar Cipher
• Julius Caesar – Gallic Wars
• Shift of three characters
• P=“PROFESSIONAL COURTESY”
C=“SURIHVVLRQDO FRXUWHVB”
• Easy to use in the field
• Pattern is easy to spot and break
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
95-752:4-9
Cryptanalysis of Caesar Cipher
• Obvious break between words
• Double letters easy to spot
• Repeating letter patterns
• Small words easy to peg
• C=“WKLV LV WRR HDVB”
THIS IS TOO __S_ small words
THIS IS TOO EASY spot shift of 3
95-752:4-10
Keyed Monoalphabetic Ciphers
• Key Permutation (key has no repeating letters)
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
K E Y A B C D F G H I J L M N O P Q R S T U V W X Z
• Multiplicative Modulus (key is multiplier)
– f(i) = (3*i) mod 26
– f(‘K’) = 3*10 mod 26 = 4 = ‘E’
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
A D G J M P S V Y B E H K N Q T W Z C F I L O R U X
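Added example (not part of the original slides): the two cipher alphabets above rebuilt in Python. It also shows a constraint the multiplicative form carries: the multiplier must share no factor with 26, which leaves only 12 usable multipliers. All function names are this example's own.

```python
import string
from math import gcd

ALPHABET = string.ascii_uppercase

def keyword_alphabet(key):
    """Key permutation: key letters first, then the unused letters in order."""
    # dict.fromkeys keeps first-seen order and drops any repeated letter
    return "".join(dict.fromkeys(key.upper() + ALPHABET))

def multiplicative_alphabet(multiplier):
    """f(i) = (multiplier * i) mod 26 applied to A..Z."""
    if gcd(multiplier, 26) != 1:
        # e.g. multiplier 2 sends both A (0) and N (13) to A: not decryptable
        raise ValueError(f"multiplier {multiplier} shares a factor with 26")
    return "".join(ALPHABET[(multiplier * i) % 26] for i in range(26))

def usable_multipliers():
    """Every multiplier that yields a permutation of the alphabet."""
    return [m for m in range(1, 26) if gcd(m, 26) == 1]

def substitute(text, cipher_alphabet, decrypt=False):
    """Direct table lookup; characters outside A..Z pass through unchanged."""
    src, dst = (cipher_alphabet, ALPHABET) if decrypt else (ALPHABET, cipher_alphabet)
    return text.upper().translate(str.maketrans(src, dst))

if __name__ == "__main__":
    print(" ".join(keyword_alphabet("KEY")))
    print(" ".join(multiplicative_alphabet(3)))
    print(usable_multipliers())
```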
95-752:4-11
Monoalphabetic Ciphers
• Can be done by direct table lookup (easy in field)
• Time to encrypt/decrypt varies directly with length
• Betrayed by letter frequencies
95-752:4-12
Example
• Ciphertext: HQFUBSWLRQLVDPHDQVRIDWWDLWLWJVHFXUHFRPSXWDWLRQRYHULQVHFXUHFKDQQHOVEBXVLQJHQFUBSWLRQZHGLVXLVHWHKPHVVDJH
• Plaintext: ENCRYPTIONISAMEANSOFATTAINGSECURECOMPUTATIONOVERINSECURECHANNELSBYUSINGENCRYPTIONWEDISGUISETHEMESSAGE
95-752:4-13
Letter Frequencies
• English vowel frequencies
Vowel A E I O U
percent 7.49 14.0 6.67 7.37 3.0
• Ciphertext frequencies (104 letters)
Vowel A E I O U
percent 0 0.96 0.96 0.96 4.81
Letter H L V Q W
percent 13.5 11.5 9.62 9.62 8.65
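Added example (not from the original slides): letter counting applied to the ciphertext of the Example slide, followed by a chi-squared comparison against English frequencies to pick the shift. The ENGLISH table is an approximate reference table assumed for this example, not the slide's figures, and the function names are this example's own.

```python
from collections import Counter
import string

UPPER = string.ascii_uppercase

# Approximate English letter frequencies in percent, A..Z (assumed reference table).
ENGLISH = [8.2, 1.5, 2.8, 4.3, 12.7, 2.2, 2.0, 6.1, 7.0, 0.15, 0.77, 4.0, 2.4,
           6.7, 7.5, 1.9, 0.095, 6.0, 6.3, 9.1, 2.8, 0.98, 2.4, 0.15, 2.0, 0.074]

# Ciphertext copied from the Example slide as printed.
CIPHERTEXT = ("HQFUBSWLRQLVDPHDQVRIDWWDLWLWJVHFXUHFRPSXWDWLRQRYHULQVHFXUH"
              "FKDQQHOVEBXVLQJHQFUBSWLRQZHGLVXLVHWHKPHVVDJH")

def letter_counts(text):
    return Counter(c for c in text.upper() if c in UPPER)

def percentages(text, top=5):
    """The `top` most frequent letters with their share of the text in percent."""
    counts = letter_counts(text)
    total = sum(counts.values())
    return [(c, round(100 * k / total, 2)) for c, k in counts.most_common(top)]

def undo_shift(text, shift):
    """Decrypt a Caesar cipher that shifted every letter forward by `shift`."""
    return "".join(UPPER[(UPPER.index(c) - shift) % 26] if c in UPPER else c
                   for c in text.upper())

def chi_squared(text):
    """Distance between the text's letter counts and English; lower is closer."""
    counts = letter_counts(text)
    total = sum(counts.values())
    score = 0.0
    for letter, pct in zip(UPPER, ENGLISH):
        expected = total * pct / 100
        score += (counts[letter] - expected) ** 2 / expected
    return score

def best_caesar_shift(ciphertext):
    """Try all 26 shifts and keep the one whose output looks most like English."""
    return min(range(26), key=lambda s: chi_squared(undo_shift(ciphertext, s)))

if __name__ == "__main__":
    print(percentages(CIPHERTEXT))
    shift = best_caesar_shift(CIPHERTEXT)
    print(shift, undo_shift(CIPHERTEXT, shift))
```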
95-752:4-14
Cryptoquote
• ZJ ZJZON CZYYZQP VKQVYK LDN D JQQYZLR ORZPE, ZP ZL LOZYY D JQQYZLR ORZPE. -- DPDOQYK JADPIK
• Sept 11, 2003 Pittsburgh Tribune-Review
95-752:4-15
Security of Monoalphabetic Ciphers
• Are they secure?
– 26! Possible ciphers
– Modern computers – 10 years to brute force
– NO! In long message letter frequencies betray text
95-752:4-16
Meaningful Observations
1. An encryption based on a hard problem is not secure just because of the difficulty of the problem
2. An encryption algorithm must be regular-- this is its weakness
3. A security measure must be strong enough to keep out the attacker only for the life of the data
95-752:4-17
Polyalphabetic Ciphers
• Flatten frequency distributions
• Conceal letter pairs
• Conceal prefixes/suffixes
• Example: (using multiplicative modulus)
Odd positions use: f(i)=(3*i) mod 26
Even positions use: f(i)=((5*i)+13) mod 26
95-752:4-18
Vigenere Tableaux
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
B C D E F G H I J K L M N O P Q R S T U V W X Y Z A
C D E F G H I J K L M N O P Q R S T U V W X Y Z A B
D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
E F G H I J K L M N O P Q R S T U V W X Y Z A B C D
F G H I J K L M N O P Q R S T U V W X Y Z A B C D E
G H I J K L M N O P Q R S T U V W X Y Z A B C D E F
H I J K L M N O P Q R S T U V W X Y Z A B C D E F G
I J K L M N O P Q R S T U V W X Y Z A B C D E F G H
J K L M N O P Q R S T U V W X Y Z A B C D E F G H I
K L M N O P Q R S T U V W X Y Z A B C D E F G H I J
L M N O P Q R S T U V W X Y Z A B C D E F G H I J K
M N O P Q R S T U V W X Y Z A B C D E F G H I J K L
N O P Q R S T U V W X Y Z A B C D E F G H I J K L M
O P Q R S T U V W X Y Z A B C D E F G H I J K L M N
P Q R S T U V W X Y Z A B C D E F G H I J K L M N O
Q R S T U V W X Y Z A B C D E F G H I J K L M N O P
R S T U V W X Y Z A B C D E F G H I J K L M N O P Q
S T U V W X Y Z A B C D E F G H I J K L M N O P Q R
T U V W X Y Z A B C D E F G H I J K L M N O P Q R S
U V W X Y Z A B C D E F G H I J K L M N O P Q R S T
95-752:4-19
Using Vigenere Tableaux
One method:
1. Choose a key
2. Break text into groups of five characters
3. Write key in repeating fashion
4. Use letter of key to establish column
5. Use letter of plaintext to establish row
6. Encrypt by using intercept of row and column
7. Decrypt by finding row with ciphertext in column
95-752:4-20
Vigenere Example
• Enciphering “Tale of Two Cities” using Key of “DICKENS”
M I T W A S T H E B E S T O F T I M E S
K D I C K E N S D I C K E N S D I C K E N
P I T W A S T H E B E S T O F T I M E S X
C L B Y K W G Z H J G C X B X W Q O O W K
95-752:4-21
Cryptanalysis of Polyalphabetic Ciphers
• Appears to be more secure
• More complex, but not immune from breaking
• Two tools:
– Kasiski Method
– Index of coincidence
95-752:4-22
Repeated Patterns
• English has regularities (letters, letter groups, words) that repeat
• Observations:
1. If code uses n alphabets in cyclic rotation, and if a particular letter sequence appears k times in the plaintext, it will be encoded approximately k/n times from the same alphabet
2. If letter sequence is encoded the same way twice, key must have gone through a whole number of rotations and be back at the same point
3. Distance between repeats is multiple of key length
95-752:4-23
Kasiski Method
1. Identify repeated patterns of three or more letters
2. Jot down starting position of each instance
3. Compute difference between starting points
4. Determine all factors of each difference
5. Key length is one of these factors
95-752:4-24
Example for Kasiski Method
K d i c k e n s d i c k e n s d i c k e n
P I T W A S T H E B E S T O F T I M E S I
K s d i c k e n s d i c k e n s d i c k e
P T W A S T H E W O R S T O F T I M E S I
K n s d i c k e n s d i c k e n s d i c k
P T W A S T H E A G E O F W I S D O M I T
K e n s d i c k e n s d i c k e n s d i c
P W A S T H E A G E O F F O O L I S H N E
K k e n s d i c k e n s d i c k e n s d i
P S S I T W A S T H E E P O C H O F B E L
K c k e n s d i c k e n s d i c k e n s d
P I E F I T W A S T H E E P O C H O F I N
95-752:4-25
Example of Kasiski Method
• Observe “itwasthe” is encrypted with the key “nsdicken” three times
Start Distance Factors
20 --- ---
83 63 (83-20) 3,7,9,21,63
104 21 (104-83) 3,7,21
• length(“dickens”)=7
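Added example (not part of the original slides): Vigenere encipherment written as tableau arithmetic, and the Kasiski steps run on the slides' own plaintext and key. The helper names are this example's own; the text is assumed to be upper-case A..Z with spaces removed.

```python
from collections import defaultdict

def vigenere(text, key, decrypt=False):
    """Tableau lookup as arithmetic on A..Z: cipher = (plain + key) mod 26."""
    sign = -1 if decrypt else 1
    return "".join(
        chr((ord(ch) - 65 + sign * (ord(key[i % len(key)]) - 65)) % 26 + 65)
        for i, ch in enumerate(text))

def repeated_ngrams(ciphertext, n=3):
    """Kasiski steps 1-2: each repeated n-gram with its 1-based start positions."""
    starts = defaultdict(list)
    for i in range(len(ciphertext) - n + 1):
        starts[ciphertext[i:i + n]].append(i + 1)
    return {gram: pos for gram, pos in starts.items() if len(pos) > 1}

def factors(distance):
    """Kasiski step 4: all factors above 1."""
    return [f for f in range(2, distance + 1) if distance % f == 0]

def kasiski_table(ciphertext, n=3):
    """Steps 3-4: (n-gram, start, distance to previous start, factors) per repeat."""
    rows = []
    for gram, pos in repeated_ngrams(ciphertext, n).items():
        rows += [(gram, b, b - a, factors(b - a)) for a, b in zip(pos, pos[1:])]
    return sorted(rows, key=lambda row: row[1])

# Plaintext and key from the slides (spaces removed, upper case).
PLAINTEXT = ("ITWASTHEBESTOFTIMES" "ITWASTHEWORSTOFTIMES" "ITWASTHEAGEOFWISDOM"
             "ITWASTHEAGEOFFOOLISHNESS" "ITWASTHEEPOCHOFBELIEF" "ITWASTHEEPOCHOFIN")
CIPHERTEXT = vigenere(PLAINTEXT, "DICKENS")

if __name__ == "__main__":
    # Step 5: the key length is among the factors shared by the distances.
    for gram, start, distance, fs in kasiski_table(CIPHERTEXT, n=8):
        print(gram, start, distance, fs)
```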
95-752:4-26
Index of Coincidence
• Measure of variance between frequencies in distribution
• Divide message into pieces enciphered with same alphabet
• Measure variance of frequencies in distribution
• If measure approximates English alphabet, guess of number of alphabets is supported
Alphabets 1 2 3 5 10 large
Measure .068 .052 .047 .043 .042 .038
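Added example (not from the original slides): the measure computed per piece for a guessed number of alphabets. The formula used, sum of c(c-1) over letter counts c divided by n(n-1), is the standard index of coincidence and is an assumption here because the slide gives no formula; the sample continues the Dickens opening past where the slides stop, and all names are this example's own.

```python
from collections import Counter

def index_of_coincidence(text):
    """Chance that two letters drawn from `text` without replacement are equal."""
    n = len(text)
    if n < 2:
        raise ValueError("need at least two letters")
    return sum(c * (c - 1) for c in Counter(text).values()) / (n * (n - 1))

def pieces(ciphertext, alphabets):
    """Letters that a cipher cycling through `alphabets` alphabets would have
    enciphered with the same alphabet: every alphabets-th letter."""
    return [ciphertext[i::alphabets] for i in range(alphabets)]

def average_ic(ciphertext, alphabets):
    values = [index_of_coincidence(p) for p in pieces(ciphertext, alphabets)]
    return sum(values) / len(values)

def ic_by_guess(ciphertext, max_alphabets=10):
    """Average measure for each guessed number of alphabets."""
    return {m: round(average_ic(ciphertext, m), 3) for m in range(1, max_alphabets + 1)}

def vigenere_encrypt(text, key):
    return "".join(chr((ord(p) + ord(key[i % len(key)]) - 130) % 26 + 65)
                   for i, p in enumerate(text))

# Sample plaintext: opening of A Tale of Two Cities, spaces removed.
SAMPLE = ("ITWASTHEBESTOFTIMESITWASTHEWORSTOFTIMESITWASTHEAGEOFWISDOM"
          "ITWASTHEAGEOFFOOLISHNESSITWASTHEEPOCHOFBELIEFITWASTHEEPOCHOF"
          "INCREDULITYITWASTHESEASONOFLIGHTITWASTHESEASONOFDARKNESS")
CIPHERTEXT = vigenere_encrypt(SAMPLE, "DICKENS")

if __name__ == "__main__":
    # With the right guess (7) every piece is a single shifted alphabet, so its
    # measure equals that of the matching plaintext piece. Short pieces are noisy.
    print(ic_by_guess(CIPHERTEXT))
    print(round(index_of_coincidence(SAMPLE), 3))
```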
95-752:4-27
Perfect Cipher
• Flatten distributions to 0.038
• Very large number of alphabets – one time pad
• Large non-repeating keys on a pad
• Each different, each used once and discarded
• Problems: Printing, distribution, storage
95-752:4-28
Vernam Cipher
• Use long nonrepeating sequence of numbers combined with plaintext
• Ciphertext does not give away key
• Method
1. Use binary of P
2. Xor binary of random number
3. Produces binary cipher text
1 0 1 1 0 1
1 0 1 1 1 1
0 0 0 0 1 0
95-752:4-29
Cracking Random Numbers
• Computers use algorithms to create ‘random’ numbers
• Multiplicative modulus
r_{i+1} = (a*r_i + b) mod n
a, b, n carefully chosen; r_i is initially seed
• Advantage: can reproduce series
• Disadvantage: long enough series may reveal seed, a, b, n
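Added example (not part of the original slides): why a generator of this form cannot supply a Vernam pad. With the modulus known, three consecutive outputs determine a and b, after which every later value is predictable; pad material should come from the operating system's CSPRNG instead. The parameters and function names are constructed for this example, and n is assumed prime.

```python
import secrets

def lcg(seed, a, b, n, count):
    """r[i+1] = (a*r[i] + b) mod n; returns `count` outputs after the seed."""
    out, r = [], seed
    for _ in range(count):
        r = (a * r + b) % n
        out.append(r)
    return out

def recover_parameters(outputs, n):
    """Solve for a and b from three consecutive outputs, given the modulus n.
    r2 - r1 = a*(r1 - r0) mod n, so a = (r2 - r1) * (r1 - r0)^-1 mod n."""
    r0, r1, r2 = outputs[:3]
    try:
        inverse = pow((r1 - r0) % n, -1, n)   # modular inverse, Python 3.8+
    except ValueError:
        raise ValueError("r1 - r0 has no inverse mod n; use another triple")
    a = (r2 - r1) * inverse % n
    b = (r1 - a * r0) % n
    return a, b

def predict_next(outputs, n):
    """Value the generator will emit after the observed outputs."""
    a, b = recover_parameters(outputs, n)
    return (a * outputs[-1] + b) % n

def pad_bytes(length):
    """What a pad needs instead: unpredictable bytes from the OS CSPRNG."""
    return secrets.token_bytes(length)

# Constructed parameters for the demonstration (not from the slides).
A, B, N, SEED = 1103515245, 12345, 2**31 - 1, 2003

if __name__ == "__main__":
    observed = lcg(SEED, A, B, N, 6)
    print(recover_parameters(observed[:3], N))
    print(predict_next(observed[:5], N) == observed[5])
```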
95-752:4-30
Known-Text Attacks
• Messages don’t have arbitrary content
– Memo, Subject, To, From, Date
– Sender’s name, Receiver’s name
– Organizational terms
• May also have messages where entire text is known
• By comparing ciphertext with known plaintext, can find patterns in encryption
95-752:4-31
Transposition Ciphers
• Don’t substitute characters, permute them
• Spartans used rods of fixed diameter and strips of parchment
– Write across the wrappings
– Read ciphertext along the wrappings
– (works great with #2 pencils)
• In modern terms, use a matrix
95-752:4-32
Columnar Transposition Ciphers
• Key is number of columns in matrix, order of columns
• Ciphertext: TSHAI HAORT IGWTI SEARO ITCAN SOONW ASLSO MHUPR EOMOK SWNSS
T H I S I S A M E S
S A G E T O S H O W
H O W A C O L U M N
A R T R A N S P O S
I T I O N W O R K S
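Added example (not from the original slides): the matrix above as code, with the column order as the second part of the key. It reproduces the slide's ciphertext for ten columns read in natural order; padding with X and the function names are assumptions of this example.

```python
def columnar_encrypt(plaintext, columns, order=None, pad="X"):
    """Write row by row into `columns` columns, read column by column in `order`."""
    order = list(order) if order is not None else list(range(columns))
    if sorted(order) != list(range(columns)):
        raise ValueError("order must list every column index exactly once")
    text = plaintext + pad * (-len(plaintext) % columns)   # fill the last row
    rows = [text[i:i + columns] for i in range(0, len(text), columns)]
    return "".join(row[c] for c in order for row in rows)

def columnar_decrypt(ciphertext, columns, order=None):
    """Cut the ciphertext into column strips, put them back in place, read rows."""
    order = list(order) if order is not None else list(range(columns))
    if len(ciphertext) % columns:
        raise ValueError("ciphertext length must be a multiple of the column count")
    height = len(ciphertext) // columns
    strips = {c: ciphertext[k * height:(k + 1) * height] for k, c in enumerate(order)}
    return "".join(strips[c][r] for r in range(height) for c in range(columns))

def grouped(text, size=5):
    """Ciphertext in groups, as printed on the slide."""
    return " ".join(text[i:i + size] for i in range(0, len(text), size))

# Plaintext read off the rows of the slide's matrix.
PLAINTEXT = "THISISAMESSAGETOSHOWHOWACOLUMNARTRANSPOSITIONWORKS"

if __name__ == "__main__":
    ciphertext = columnar_encrypt(PLAINTEXT, 10)
    print(grouped(ciphertext))
    # Letters are only moved, so single-letter frequencies are unchanged.
    print(sorted(ciphertext) == sorted(PLAINTEXT))
    scrambled = columnar_encrypt(PLAINTEXT, 10, order=[3, 0, 9, 1, 4, 7, 2, 8, 5, 6])
    print(columnar_decrypt(scrambled, 10, order=[3, 0, 9, 1, 4, 7, 2, 8, 5, 6]))
```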
95-752:4-33
Analysis of Columnar Transposition
• Simple, but effective
• Work per character is constant, total proportional to message length
• Requires whole message in encryption buffer
• Letter frequency looks like monoalphabetic cipher
• Use digram and trigram frequency tables
95-752:4-34
Breaking Columnar Transposition
• Problem: Which columns are adjacent
• Break into strips and look for digrams & trigrams
[Figure: the ciphertext columns cut into vertical strips and placed side by side at different offsets]
95-752:4-35
Double Transpositions
• Use two columnar transpositions – one after the other, different numbers of columns
– First transposition breaks up doubled letters
– Second transposition breaks up short strings and reinforces first transposition
• Still monoalphabetic letter frequency
• More difficult to decrypt
95-752:4-36
Combination Ciphers
• Mix substitution and permutation ciphers
• Substitution for confusion of information
• Permutation for diffusion of information
• Done right, each supports the other
• All modern ciphers are combinations
95-752:4-37
Answer to Cryptoquote
• IF FIFTY MILLION PEOPLE SAY A FOOLISH THING, IT IS STILL A FOOLISH THING. -- ANATOLE FRANCE
95-752:4-38
Automated Ciphers
• Stream Ciphers: encrypt data as it comes
– fast
– low error propagation
– information not diffused
– susceptible to modification and insertion
• Block Ciphers: encrypt data in fixed-size blocks
– Slower
– Larger error propagation
– Information may be diffused
– harder to modify or insert into blocks
95-752:4-39
Data Encryption Standards
• 1972 – NBS issues call for proposals
• 1974 – IBM responds with “lucifer” (DEA)
• 1976 – DES adopted
• 1986 – DES re-certification denied
• 1997 – NIST issues call for AES proposals
• 1999 – 5 submissions selected as finalists
• 2001 – Rijndael algorithm selected
95-752:4-40
DES Overview
• Combination cipher
• 16 rounds of combined substitution and transposition
• Plaintext encrypted in 64-bit blocks
• Keys are 56 bits long (plus 8 error bits)
• Uses only arithmetic and logical operations on 64-bit numbers
95-752:4-41
DES Modes
All modes: same key and algorithm encrypts and decrypts
• ECB – Electronic code book / Native mode
• CBC – Cipher-block chaining
• OFB – Output feedback
• CFB – Cipher feedback
95-752:4-42
DES Algorithms
• Crypting algorithm – method of encryption or decryption
• Key scheduling algorithm – method of generating pieces of key needed for each round of crypting algorithm
• Parts:
– Permutation boxes (p-boxes)
– Substitution boxes (s-boxes)
– exclusive OR (x-or)
95-752:4-43
Permutation Boxes
• Used as invertible initial and final disguise of information
• Fixed permutations at binary level
95-752:4-44
Substitution Boxes
• Confusion and non-linearity
• Interpret bits as numbers, pull replacement from table
• 6-bit input, 4-bit output
– first and last bit pick row of table
– middle four bits pick column of table
– elements of table are 4-bit numbers
• Not invertible
• Rationale for values is still secret
95-752:4-45
S-Box Values
Row No. (down) / Column Number (across)
    0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
0  14  4 13  1  2 15 11  8  3 10  6 12  5  9  0  7
1   0 15  7  4 14  2 13  1 10  6 12 11  9  5  3  8
2   4  1 14  8 13  6  2 11 15 12  9  7  3 10  5  0
3  15 12  8  2  4  9  1  7  5 11  3 14 10  0  6 13
95-752:4-46
DES Cycle
1. Crypting algorithm feeds 32 bits to cycle
2. Subject block to Permutation Expansion, converting 32 bits to 48 bits
3. XOR expanded block with 48 bits from key to make pre-S block
4. Apply S box
   1. Break pre-S block into 8 six-bit chunks
   2. Process each chunk through s-box in parallel
   3. Result is 32-bit post-S block
5. post-S fed into final permutation to produce 32-bit cycle result
95-752:4-47
Crypting Algorithm
1. Input 64 bits of plaintext
2. Rearrange by initial permutation p-box
3. Split block
   1. two 32-bit halves (left and right)
   2. save copy of right half as R0
   3. leave left half alone
4. Feed right to DES Cycle
5. XOR left with cycle result to be new right
6. R0 becomes new left
7. Repeat 3-6 sixteen times
8. Submit final block to inverse of initial permutation
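Added example (not part of the original slides, and not DES itself): a toy 8-bit cipher with the same shape as the cycle and crypting algorithm above, using the S-box table from the S-Box Values slide. It shows that the S-box is not invertible while the sixteen-round left/right structure still decrypts with the same routine and the key slices reversed. The 4-to-6-bit expansion, the key schedule and all names are assumptions of this example; the initial and final permutations are left out.

```python
from collections import Counter

# S-box table copied from the "S-Box Values" slide.
SBOX = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]

def sbox(six_bits):
    row = ((six_bits >> 4) & 0b10) | (six_bits & 1)   # first and last bit
    col = (six_bits >> 1) & 0b1111                    # middle four bits
    return SBOX[row][col]

def expand(r4):
    """Toy expansion of 4 bits to 6 by repeating the edge bits (assumption)."""
    return ((r4 & 1) << 5) | (r4 << 1) | (r4 >> 3)

def cycle(right, subkey):
    """Expand, XOR with the key slice, substitute: 4 bits in, 4 bits out."""
    return sbox(expand(right) ^ subkey)

def toy_key_schedule(key16):
    """Sixteen 6-bit slices of a 16-bit key (stand-in for DES key scheduling)."""
    rotate = lambda i: ((key16 << i) | (key16 >> (16 - i))) & 0xFFFF
    return [rotate(i) & 0x3F for i in range(16)]

def crypt(block, subkeys):
    left, right = block >> 4, block & 0xF
    for k in subkeys:
        # old right becomes new left; left XOR cycle result becomes new right
        left, right = right, left ^ cycle(right, k)
    return (right << 4) | left    # final swap lets the same routine decrypt

def encrypt(block, subkeys):
    return crypt(block, subkeys)

def decrypt(block, subkeys):
    return crypt(block, subkeys[::-1])

def sbox_output_counts():
    """How many of the 64 inputs map to each 4-bit output."""
    return Counter(sbox(x) for x in range(64))
```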
95-752:4-48
Key Scheduling Algorithm
• Combination of shifts and permutation
• Shifts are determined from table
• Permutation selects 48 of 56 bits
• Produces 16 different slices from key
• Slices are normally computed before crypting
95-752:4-49
DES Weaknesses
• Brute force attacks somewhat practical
• Error affects entire block
• Must use feedback modes or each block encrypted in same way
• Weak key produces trivial breaking
95-752:4-50
Alternatives to DES
• Triple DES
• Third party encryption (Blowfish, IDEA)
• AES
Triple DES: DES (k1), DES-1 (k2), DES (k1)
95-752:4-51
Advanced Encryption Standard
• Public competition, public royalty-free algorithms
• Five finalists all considered equally strong
• Rijndael won because of efficiency and flexibility
• 128 bit block size
• Keys can be any multiple of 64 bits (128, 192 and 256 are standard)
95-752:4-52
AES Round
• State: represent 128 bits as a 4x4 matrix of bytes
• Substitution: replace bytes via a substitution table (defined by high-level algebra)
• Shift row of state
• Mix column of state
• Add round key
95-752:4-53
AES Structure
• Apply round n times, where n depends on key size: 9 for 128, 11 for 192, 13 for 256
• Longer key sizes can be accommodated by increasing n.
• Each operation is very fast (add is actually an xor/shift) so algorithm is very efficient
95-752:4-54
AES Cryptanalysis
• No significant holes
• Algorithm is very regular (both good and bad)
• Algorithm is better than usual at diffusion
• Underlying algebra may make hidden shortcuts unlikely