
Information Security Management -- Cryptography

Date post: 30-Jan-2016
Upload: andie
Page 1: Information Security Management -- Cryptography

Fall, 2005 CPSC499 Information Security Management

Computer Science

Information Security Management -- Cryptography

Page 2: Information Security Management -- Cryptography

Summary

• Symmetric Encryption

• Public Encryption

• Digital Signature

• Key Distribution

Page 3: Information Security Management -- Cryptography

Basic Terminology

• plaintext - the original message

• ciphertext - the coded message

• cipher - algorithm for transforming plaintext to ciphertext

• key - info used in cipher known only to sender/receiver

• encipher (encrypt) - converting plaintext to ciphertext

• decipher (decrypt) - recovering plaintext from ciphertext

• cryptography - study of encryption principles/methods

• cryptanalysis (codebreaking) - the study of principles/methods of deciphering ciphertext without knowing key

• cryptology - the field of both cryptography and cryptanalysis

Page 4: Information Security Management -- Cryptography

The language of cryptography

symmetric key crypto: sender, receiver keys identical

public-key crypto: encryption key public, decryption key secret (private)

[Figure: plaintext → encryption algorithm (Alice’s encryption key K_A) → ciphertext → decryption algorithm (Bob’s decryption key K_B) → plaintext]

Page 5: Information Security Management -- Cryptography

Symmetric Encryption

• or conventional / secret-key / single-key

• sender and recipient share a common key

• all classical encryption algorithms are private-key

• was only type prior to invention of public-key in 1970’s

Page 6: Information Security Management -- Cryptography

Symmetric Cipher Model

Page 7: Information Security Management -- Cryptography

Symmetric Key Cryptography

symmetric key crypto: Bob and Alice share (know) the same (symmetric) key: K_{A-B}

• e.g., key is knowing substitution pattern in mono alphabetic substitution cipher

[Figure: plaintext message, m → encryption algorithm (key K_{A-B}) → ciphertext K_{A-B}(m) → decryption algorithm (key K_{A-B}) → plaintext m = K_{A-B}(K_{A-B}(m))]

Page 8: Information Security Management -- Cryptography

Requirements

• two requirements for secure use of symmetric encryption:
  – a strong encryption algorithm
  – a secret key known only to sender / receiver

Y = E_K(X)

X = D_K(Y)

• assume encryption algorithm is known

• implies a secure channel to distribute key

Page 9: Information Security Management -- Cryptography

Cryptography

• can characterize by:
  – type of encryption operations used
    • substitution / transposition / product
  – number of keys used
    • single-key or private / two-key or public
  – way in which plaintext is processed
    • block / stream

Page 10: Information Security Management -- Cryptography

More Definitions

• unconditional security
  – no matter how much computer power is available, the cipher cannot be broken since the ciphertext provides insufficient information to uniquely determine the corresponding plaintext

• computational security
  – given limited computing resources (e.g. time needed for calculations is greater than age of universe), the cipher cannot be broken

Page 11: Information Security Management -- Cryptography

Classical Substitution Ciphers

• where letters of plaintext are replaced by other letters or by numbers or symbols

• or if plaintext is viewed as a sequence of bits, then substitution involves replacing plaintext bit patterns with ciphertext bit patterns

Page 12: Information Security Management -- Cryptography

Caesar Cipher

• earliest known substitution cipher

• by Julius Caesar

• first attested use in military affairs

• replaces each letter by 3rd letter later

• example:
    meet me after the toga party
    PHHW PH DIWHU WKH WRJD SDUWB

Page 13: Information Security Management -- Cryptography

Caesar Cipher

• can define transformation as:
    a b c d e f g h i j k l m n o p q r s t u v w x y z
    D E F G H I J K L M N O P Q R S T U V W X Y Z A B C

• mathematically give each letter a number
    a  b  c  d  e  f  g  h  i  j  k  l  m
    0  1  2  3  4  5  6  7  8  9  10 11 12
    n  o  p  q  r  s  t  u  v  w  x  y  z
    13 14 15 16 17 18 19 20 21 22 23 24 25

• then have Caesar cipher as:
    C = E(p) = (p + k) mod 26
    p = D(C) = (C – k) mod 26

Page 14: Information Security Management -- Cryptography

Cryptanalysis of Caesar Cipher

• only have 26 possible ciphers – A maps to A,B,..Z

• could simply try each in turn

• a brute force search

• given ciphertext, just try all shifts of letters

• do need to recognize when have plaintext

• eg. break ciphertext "ERE L ORYH BRX DOLFH"

Page 15: Information Security Management -- Cryptography

Symmetric Encryption Example-- Substitution

[Figure: plaintext message, m → encryption algorithm (key K_{A-B}) → ciphertext K_{A-B}(m) → decryption algorithm (key K_{A-B}) → plaintext]

• Plaintext

• KA-B

• Ciphertext

• Encryption algorithm

• Decryption algorithm

Page 16: Information Security Management -- Cryptography

Monoalphabetic Ciphers

• “Cipher” line can be any permutation of the 26 alphabetic characters

• Statistical analysis
  – Letters “e” and “t” are the most frequent occurring letters
  – Two and three letter occurrences of letters appear quite often together, like “the”, “in”
  – Guess the appearance of the words

Page 17: Information Security Management -- Cryptography

Types of Cryptanalytic Attacks

• ciphertext only – only know algorithm / ciphertext, statistical, can identify plaintext

• known plaintext – know/suspect plaintext & ciphertext to attack cipher

• chosen plaintext – select plaintext and obtain ciphertext to attack cipher

Page 18: Information Security Management -- Cryptography

Brute Force Search

• always possible to simply try every key

• most basic attack, proportional to key size

• assume either know / recognise plaintext

Page 19: Information Security Management -- Cryptography

Chosen-Plaintext Attack

Crook #1 changes his PIN to a number of his choice

cipher(key,PIN)

PIN is encrypted and transmitted to bank

Crook #2 eavesdrops on the wire and learns ciphertext corresponding to chosen plaintext PIN

… repeat for any PIN value

Page 20: Information Security Management -- Cryptography

Polyalphabetic encryption

• monoalphabetic ciphers + Caesar cipher.

• Two Caesar ciphers (k=5, k=19)

• Repeating pattern c1, c2, c2, c1, c2

Page 21: Information Security Management -- Cryptography

Transposition Ciphers

• now consider classical transposition or permutation ciphers

• these hide the message by rearranging the letter order

• without altering the actual letters used

• can recognise these since have the same frequency distribution as the original text

Page 22: Information Security Management -- Cryptography

Rail Fence cipher

• write message letters out diagonally over a number of rows

• then read off cipher row by row

• eg. write message out as:
    m e m a t r h t g p r y
     e t e f e t e o a a t

• giving ciphertext
    MEMATRHTGPRYETEFETEOAAT

Page 23: Information Security Management -- Cryptography

Row Transposition Ciphers

• a more complex scheme

• write letters of message out in rows over a specified number of columns

• then reorder the columns according to some key before reading off the rows

    Key:        4 3 1 2 5 6 7
    Plaintext:  a t t a c k p
                o s t p o n e
                d u n t i l t
                w o a m x y z
    Ciphertext: TTNAAPTMTSUOAODWCOIXKNLYPETZ

Page 24: Information Security Management -- Cryptography

Product Ciphers

• ciphers using substitutions or transpositions are not secure because of language characteristics

• hence consider using several ciphers in succession to make harder, but:
  – two substitutions make a more complex substitution
  – two transpositions make more complex transposition
  – but a substitution followed by a transposition makes a new much harder cipher

• this is bridge from classical to modern ciphers

Page 25: Information Security Management -- Cryptography

Simple Idea: One-Time Pad

[Figure: 10111101… ⊕ 00110010… = 10001111… (plaintext ⊕ key = ciphertext), and 10001111… ⊕ 00110010… = 10111101… (ciphertext ⊕ key = plaintext)]

Key is a never-repeating bit sequence as long as plaintext

Encrypt by bitwise XOR of plaintext and key:
    ciphertext = plaintext ⊕ key

Decrypt by bitwise XOR of ciphertext and key:
    ciphertext ⊕ key = (plaintext ⊕ key) ⊕ key = plaintext ⊕ (key ⊕ key) = plaintext

Cipher achieves perfect secrecy if and only if there are as many possible keys as possible plaintexts, and every key is equally likely (Claude Shannon’s result)

Page 26: Information Security Management -- Cryptography

Advantages of One-Time Pad

• Easy to compute

– Encryption and decryption are the same operation

– Bitwise XOR is very cheap to compute

• As secure as possible

– Given a ciphertext, all plaintexts are equally likely, regardless of attacker’s computational resources

– …as long as the key sequence is truly random

• True randomness is expensive to obtain in large quantities

– …as long as each key is same length as plaintext

• But how does the sender communicate the key to receiver?

Page 27: Information Security Management -- Cryptography

Problems with One-Time Pad

• Key must be as long as plaintext
  – Impractical in most realistic scenarios
  – Still used for diplomatic and intelligence traffic

• Does not guarantee integrity
  – One-time pad only guarantees confidentiality
  – Attacker cannot recover plaintext, but can easily change it to something else

• Insecure if keys are reused
  – Attacker can obtain XOR of plaintexts
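The two failure modes listed above, worked through in code as an added example that is not part of the original deck. The sample messages are constructed, and the HMAC tag is an assumed mitigation for the missing integrity (computationally secure, unlike the pad itself).

```python
import hashlib
import hmac
import secrets


def xor_bytes(a, b):
    """Bitwise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("one-time pad needs a key exactly as long as the message")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(plaintext, pad):
    """ciphertext = plaintext XOR key."""
    return xor_bytes(plaintext, pad)


# Decryption is the same operation: (plaintext XOR key) XOR key = plaintext.
otp_decrypt = otp_encrypt


def rewrite_without_key(ciphertext, original, replacement):
    """No integrity: whoever knows or guesses the original plaintext can turn the
    ciphertext into one that decrypts to `replacement`, without the pad."""
    return xor_bytes(ciphertext, xor_bytes(original, replacement))


def xor_of_plaintexts(c1, c2):
    """Pad reuse: c1 XOR c2 = p1 XOR p2, because the shared pad cancels out."""
    return xor_bytes(c1, c2)


def seal(plaintext, pad, mac_key):
    """Encrypt-then-MAC: the tag lets the receiver detect a modified ciphertext."""
    ciphertext = otp_encrypt(plaintext, pad)
    tag = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    return ciphertext, tag


def open_sealed(ciphertext, tag, pad, mac_key):
    """Verify the tag before decrypting; reject anything that was altered."""
    expected = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext was modified in transit")
    return otp_decrypt(ciphertext, pad)


def demo():
    """Run both failure modes on constructed sample messages."""
    p1, p2, p3 = b"PAY BOB 100", b"PAY EVE 900", b"MEET AT TEN"
    pad = secrets.token_bytes(len(p1))
    c1 = otp_encrypt(p1, pad)
    forged = rewrite_without_key(c1, p1, p2)   # integrity failure
    c3 = otp_encrypt(p3, pad)                  # the mistake: same pad used twice
    return {
        "round_trip": otp_decrypt(c1, pad),
        "forged_decrypts_to": otp_decrypt(forged, pad),
        "reuse_leak": xor_of_plaintexts(c1, c3),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```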

Page 28: Information Security Management -- Cryptography

Modern Block Ciphers

• will now look at modern block ciphers

• one of the most widely used types of cryptographic algorithms

• provide secrecy and/or authentication services

• in particular will introduce DES (Data Encryption Standard)

Page 29: Information Security Management -- Cryptography

Block vs Stream Ciphers

• block ciphers process messages into blocks, each of which is then en/decrypted

• like a substitution on very big characters
  – 64-bits or more

• stream ciphers process messages a bit or byte at a time when en/decrypting

• many current ciphers are block ciphers

• hence are focus of course

Page 30: Information Security Management -- Cryptography

Block Ciphers

• Operates on a single chunk (“block”) of plaintext
  – For example, 64 bits for DES
  – Same key is reused for each block (can use short keys)

• Result should look like a random permutation
  – As if plaintext bits were randomly shuffled

• Only computational guarantee of secrecy
  – Not impossible to break, just very expensive
    • If there is no efficient algorithm (unproven assumption!), then can only break by brute-force, try-every-possible-key search
  – Time/cost of breaking the cipher exceeds the value and/or useful lifetime of protected information

Page 31: Information Security Management -- Cryptography

Permutation

[Figure: permutation of positions 1 2 3 4; CODE becomes DCEO]

• For N-bit input, N! possible permutations

• Idea: split plaintext into blocks, for each block use secret key to pick a permutation, rinse and repeat
  – Without the key, permutation should “look random”

Page 32: Information Security Management -- Cryptography

Block Cipher Operation (Simplified)

[Figure: block of plaintext → rows of S-boxes (S S S S) with key bits added → block of ciphertext]

• Add some secret key bits to provide confusion

• Each S-box permutes its input bits in a “random-looking” way to provide diffusion (spread plaintext bits throughout ciphertext)

• repeat for several rounds

• Procedure must be reversible (for decryption)

Page 33: Information Security Management -- Cryptography

Block Cipher Principles

• needed since must be able to decrypt ciphertext to recover messages efficiently

• block ciphers look like an extremely large substitution

• instead create from smaller building blocks

• using idea of a product cipher (substitution followed by transposition)

Page 34: Information Security Management -- Cryptography

Claude Shannon and Substitution-Permutation Ciphers

• in 1949 Claude Shannon introduced idea of substitution-permutation (S-P) networks
  – modern substitution-transposition product cipher

• these form the basis of modern block ciphers

• S-P networks are based on the two primitive cryptographic operations we have seen before:
  – substitution (S-box)
  – permutation (P-box)

• provide confusion and diffusion of message

Page 35: Information Security Management -- Cryptography

Confusion and Diffusion

• cipher needs to completely obscure statistical properties of original message

• a one-time pad does this

• more practically Shannon suggested combining elements to obtain:

• diffusion – dissipates statistical structure of plaintext over bulk of ciphertext

• confusion – makes relationship between ciphertext and key as complex as possible

Page 36: Information Security Management -- Cryptography

Data Encryption Standard (DES)

• most widely used block cipher in world

• adopted in 1977 by NBS (now NIST http://www.itl.nist.gov/fipspubs/fip46-2.htm )

• encrypts 64-bit data using 56-bit key

• has widespread use

• has been considerable controversy over its security

Page 37: Information Security Management -- Cryptography

DES History

• IBM developed Lucifer cipher
  – by team led by Feistel
  – used 64-bit data blocks with 128-bit key

• then redeveloped as a commercial cipher with input from NSA and others

• in 1973 NBS issued request for proposals for a national cipher standard

• IBM submitted their revised Lucifer which was eventually accepted as the DES

Page 38: Information Security Management -- Cryptography

DES Encryption

Page 39: Information Security Management -- Cryptography

Strength of DES – Key Size

• 56-bit keys have 2^56 = 7.2 x 10^16 values

• brute force search looks hard

• recent advances have shown is possible
  – in 1997 on Internet in a few months
  – in 1998 on dedicated h/w (EFF) in a few days
  – in 1999 above combined in 22hrs!

• still must be able to recognize plaintext

Page 40: Information Security Management -- Cryptography

Design Principles

• block size
  – increasing size improves security, but slows cipher

• key size
  – increasing size improves security, makes exhaustive key searching harder, but may slow cipher

• number of rounds
  – increasing number improves security, but slows cipher

• subkey generation
  – greater complexity can make analysis harder, but slows cipher

• round function
  – greater complexity can make analysis harder, but slows cipher

• fast software en/decryption & ease of analysis
  – are more recent concerns for practical use and testing

Page 41: Information Security Management -- Cryptography

Confidentiality using Symmetric Encryption

• have two major placement alternatives

• link encryption
  – encryption occurs independently on every link
  – implies must decrypt traffic between links

• end-to-end encryption
  – encryption occurs between original source and final destination
  – need devices at each end with shared keys

Page 42: Information Security Management -- Cryptography

Placement of Encryption

• can place encryption function at various layers in OSI Reference Model
  – link encryption occurs at layers 1 or 2
  – end-to-end can occur at layers 3, 4, 6, 7
  – as move higher less information is encrypted but it is more secure though more complex with more entities and keys

Page 43: Information Security Management -- Cryptography

Summary

• Symmetric encryption

• Public encryption

• Digital Signature

• Key distribution

Page 44: Information Security Management -- Cryptography

Private-Key Cryptography

• traditional private/secret/single key cryptography uses one key

• shared by both sender and receiver

• if this key is disclosed communications are compromised

• also is symmetric, parties are equal

• hence does not protect sender from receiver forging a message & claiming is sent by sender

Page 45: Information Security Management -- Cryptography

Public-Key Cryptography

• probably most significant advance in the 3000 year history of cryptography

• uses two keys – a public & a private key

• asymmetric since parties are not equal

• uses clever application of number theoretic concepts to function

• complements rather than replaces private key crypto

Page 46: Information Security Management -- Cryptography

Public-Key Cryptography

• public-key/two-key/asymmetric cryptography involves the use of two keys:
  – a public-key, which may be known by anybody, and can be used to encrypt messages, and verify signatures
  – a private-key, known only to the recipient, used to decrypt messages, and sign (create) signatures

• is asymmetric because
  – those who encrypt messages or verify signatures cannot decrypt messages or create signatures

Page 47: Information Security Management -- Cryptography

Public-Key Cryptography

Page 48: Information Security Management -- Cryptography

Public-Key Characteristics

• Public-Key algorithms rely on two keys with the characteristics that it is:
  – computationally infeasible to find decryption key knowing only algorithm & encryption key
  – computationally easy to en/decrypt messages when the relevant (en/decrypt) key is known
  – either of the two related keys can be used for encryption, with the other used for decryption (in some schemes)

Page 49: Information Security Management -- Cryptography

Public-Key Cryptosystems

Page 50: Information Security Management -- Cryptography

Public-Key Applications

• can classify uses into 3 categories:
  – encryption/decryption (provide secrecy)
  – digital signatures (provide authentication)
  – key exchange (of session keys)

• some algorithms are suitable for all uses, others are specific to one

Page 51: Information Security Management -- Cryptography

Security of Public Key Schemes

• like private key schemes brute force exhaustive search attack is always theoretically possible

• but keys used are too large (>512bits)

• security relies on a large enough difference in difficulty between easy (en/decrypt) and hard (cryptanalysis) problems

• more generally the hard problem is known, it's just made too hard to do in practise

• requires the use of very large numbers

• hence is slow compared to secret key schemes

Page 52: Information Security Management -- Cryptography

Public key encryption algorithms

Requirements:

1. need K_B^+(·) and K_B^-(·) such that K_B^-(K_B^+(m)) = m

2. given public key K_B^+, it should be impossible to compute private key K_B^-

RSA: Rivest, Shamir, Adleman algorithm

Page 53: Information Security Management -- Cryptography

RSA: Choosing keys

1. Choose two large prime numbers p, q. (e.g., 1024 bits each)

2. Compute n = pq, z = (p-1)(q-1)

3. Choose e (with e<n) that has no common factors with z. (e, z are “relatively prime”).

4. Choose d such that ed-1 is exactly divisible by z. (in other words: ed mod z = 1 ).

5. Public key K_B^+ is (n,e). Private key K_B^- is (n,d).

Page 54: Information Security Management -- Cryptography

RSA: Encryption, decryption

0. Given (n,e) and (n,d) as computed above

1. To encrypt bit pattern, m, compute
    c = m^e mod n (i.e., remainder when m^e is divided by n)

2. To decrypt received bit pattern, c, compute
    m = c^d mod n (i.e., remainder when c^d is divided by n)

Magic happens!
    m = (m^e mod n)^d mod n, where c = m^e mod n

Page 55: Information Security Management -- Cryptography

RSA example:

Bob chooses p=5, q=7. Then n=35, z=24.
e=5 (so e, z relatively prime).
d=29 (so ed-1 exactly divisible by z).

encrypt:
    letter   m    m^e       c = m^e mod n
    l        12   1524832   17

decrypt:
    c    c^d                                    m = c^d mod n   letter
    17   481968572106750915091411825223071697   12              l

Page 56: Information Security Management -- Cryptography

RSA: Why is that m = (m^e mod n)^d mod n

Useful number theory result: If p,q prime and n = pq, then:

    x^y mod n = x^(y mod (p-1)(q-1)) mod n

(m^e mod n)^d mod n = m^(ed) mod n

    = m^(ed mod (p-1)(q-1)) mod n    (using number theory result above)

    = m^1 mod n    (since we chose ed to be divisible by (p-1)(q-1) with remainder 1)

    = m

Page 57: Information Security Management -- Cryptography

RSA: another important property

The following property will be very useful later:

K_B^-(K_B^+(m)) = m = K_B^+(K_B^-(m))

Left side: use public key first, followed by private key

Right side: use private key first, followed by public key

Result is the same!
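The key-choice steps, the encrypt/decrypt rule and the both-orders property from the RSA slides, carried through in code as an added example that is not part of the original deck. It is unpadded textbook RSA for following the arithmetic only; the second key (p=61, q=53, e=17) is a constructed sample, and all function names are assumptions of this example.

```python
from math import gcd


def make_keys(p, q, e):
    """Steps 2-5 of "RSA: Choosing keys" for caller-supplied primes p, q and exponent e."""
    n, z = p * q, (p - 1) * (q - 1)
    if not 1 < e < n or gcd(e, z) != 1:
        raise ValueError("need 1 < e < n with e and z relatively prime")
    d = pow(e, -1, z)      # smallest d with e*d mod z == 1 (Python 3.8+)
    if d == e:             # d + z satisfies step 4 too; keep d distinct from e
        d += z
    return (n, e), (n, d)  # public key (n, e), private key (n, d)


def apply_key(key, value):
    """K(value) = value^exponent mod n, for either key of the pair."""
    n, exponent = key
    if not 0 <= value < n:
        raise ValueError("value must satisfy 0 <= value < n")
    return pow(value, exponent, n)


def encrypt(m, public):
    return apply_key(public, m)       # c = m^e mod n


def decrypt(c, private):
    return apply_key(private, c)      # m = c^d mod n


def sign(m, private):
    return apply_key(private, m)      # private key first ...


def verify(m, signature, public):
    return apply_key(public, signature) == m   # ... then public key


def both_orders_agree(public, private):
    """Check K-(K+(m)) = m = K+(K-(m)) for every m in [0, n)."""
    n = public[0]
    return all(decrypt(encrypt(m, public), private) == m
               == encrypt(decrypt(m, private), public) for m in range(n))


def exponents_coincide(public, private):
    """True if the public operation equals the private one for every m,
    which means the key pair gives no protection at all."""
    n = public[0]
    return all(apply_key(public, m) == apply_key(private, m) for m in range(n))


if __name__ == "__main__":
    pub, priv = make_keys(5, 7, 5)            # the slide's numbers
    c = encrypt(12, pub)                      # letter 'l' encoded as 12
    print(pub, priv, c, decrypt(c, priv))
    pub2, priv2 = make_keys(61, 53, 17)       # constructed sample key
    s = sign(65, priv2)
    print(pub2, priv2, s, verify(65, s, pub2), verify(66, s, pub2))
```

For the slide's key, d = 29 and e = 5 leave the same remainder modulo lcm(p-1, q-1) = 12, so `exponents_coincide` returns True and applying the public key also decrypts; the numbers illustrate the arithmetic and nothing more.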

Page 58: Information Security Management -- Cryptography

Summary

• Symmetric encryption

• Public encryption

• Digital Signature

• Key distribution

Page 59: Information Security Management -- Cryptography

Digital Signatures

Cryptographic technique analogous to hand-written signatures.

• sender (Bob) digitally signs document, establishing he is document owner/creator.

• verifiable, nonforgeable: recipient (Alice) can prove to someone that Bob, and no one else (including Alice), must have signed document

Page 60: Information Security Management -- Cryptography

Digital Signatures

Simple digital signature for message m:

• Bob signs m by encrypting with his private key K_B^-, creating “signed” message, K_B^-(m)

[Figure: Bob’s message, m (“Dear Alice, Oh, how I have missed you. I think of you all the time! … (blah blah blah) Bob”) → public key encryption algorithm, using Bob’s private key K_B^- → K_B^-(m): Bob’s message, m, signed (encrypted) with his private key]

Page 61: Information Security Management -- Cryptography

Digital Signatures (more)

• Suppose Alice receives msg m, digital signature K_B^-(m)

• Alice verifies m signed by Bob by applying Bob’s public key K_B^+ to K_B^-(m) then checks K_B^+(K_B^-(m)) = m.

• If K_B^+(K_B^-(m)) = m, whoever signed m must have used Bob’s private key.

Alice thus verifies that:
• Bob signed m.
• No one else signed m.
• Bob signed m and not m’.

Non-repudiation: Alice can take m, and signature K_B^-(m) to court and prove that Bob signed m.

Page 62: Information Security Management -- Cryptography

Internet checksum: poor crypto hash function

Internet checksum has some properties of hash function:
• produces fixed length digest (16-bit sum) of message
• is many-to-one

But given message with given hash value, it is easy to find another message with same hash value:

    message    ASCII format
    I O U 1    49 4F 55 31
    0 0 . 9    30 30 2E 39
    9 B O B    39 42 D2 42
               B2 C1 D2 AC

    message    ASCII format
    I O U 9    49 4F 55 39
    0 0 . 1    30 30 2E 31
    9 B O B    39 42 D2 42
               B2 C1 D2 AC

different messages but identical checksums!
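The collision on this slide reproduced in code, as an added example that is not part of the original deck. `internet_checksum` follows the RFC 1071 style of 16-bit ones' complement sum, `word_sum32` is the four-byte column total shown on the slide, and `compensating_edit` is a hypothetical helper name for the edit that turns one message into the other.

```python
import hashlib


def internet_checksum(data):
    """16-bit ones' complement checksum in the style of RFC 1071."""
    if len(data) % 2:
        data += b"\x00"                              # pad odd-length input
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
        total = (total & 0xFFFF) + (total >> 16)     # end-around carry
    return ~total & 0xFFFF


def word_sum32(data):
    """Sum of 4-byte words modulo 2^32: the four-byte total shown on the slide."""
    data += b"\x00" * (-len(data) % 4)
    words = (int.from_bytes(data[i:i + 4], "big") for i in range(0, len(data), 4))
    return sum(words) & 0xFFFFFFFF


def compensating_edit(message, i, j, delta):
    """Add delta to byte i and subtract it from byte j. With both bytes in the
    same column (i % 4 == j % 4) every word sum, and so each checksum, is unchanged."""
    if i % 4 != j % 4:
        raise ValueError("bytes must sit in the same column of the word layout")
    out = bytearray(message)
    out[i] += delta      # bytearray rejects results outside 0..255
    out[j] -= delta
    return bytes(out)


def digests(message):
    """All three digests of one message, for side-by-side comparison."""
    return {
        "checksum16": internet_checksum(message),
        "sum32": word_sum32(message),
        "sha256": hashlib.sha256(message).hexdigest(),
    }


if __name__ == "__main__":
    original = b"IOU100.99BOB"                       # message from the slide
    altered = compensating_edit(original, 3, 7, 8)   # '1' -> '9' and '9' -> '1'
    for msg in (original, altered):
        d = digests(msg)
        print(msg, f"{d['checksum16']:04X}", f"{d['sum32']:08X}", d["sha256"][:16])
```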

Page 63: Information Security Management -- Cryptography

Message Digests

Computationally expensive to public-key-encrypt long messages

Goal: fixed-length, easy-to-compute digital “fingerprint”

• apply hash function H to m, get fixed size message digest, H(m).

Hash function properties:

• many-to-1

• produces fixed-size msg digest (fingerprint)

• given message digest x, computationally infeasible to find m such that x = H(m)

[Figure: large message m → H: hash function → H(m)]

Page 64: Information Security Management -- Cryptography

Digital signature = signed message digest

Bob sends digitally signed message:

[Figure: large message m → H: hash function → H(m) → digital signature (encrypt) with Bob’s private key K_B^- → encrypted msg digest K_B^-(H(m)), sent together with m]

Alice verifies signature and integrity of digitally signed message:

[Figure: encrypted msg digest K_B^-(H(m)) → digital signature (decrypt) with Bob’s public key K_B^+ → H(m); large message m → H: hash function → H(m); equal ?]

Page 65: Information Security Management -- Cryptography

Digital Envelopes-- Symmetric + Asymmetric

• Generate a secret key (session key) at random.

• Encrypt the message using the session key and symmetric algorithm.

• Encrypt the session key with the recipient’s public key. This becomes the “digital envelope”.

• Send the encrypted message and the digital envelope to the recipient.

• Figure …

Page 66: Information Security Management -- Cryptography

Summary

• Symmetric encryption

• Public encryption

• Digital Signature

• Key distribution

Page 67: Information Security Management -- Cryptography

Key Distribution

• symmetric schemes require both parties to share a common secret key

• issue is how to securely distribute this key

• often secure system failure due to a break in the key distribution scheme

Page 68: Information Security Management -- Cryptography

Key Distribution

• given parties A and B have various key distribution alternatives:

1. A can select key and physically deliver to B

2. third party can select & deliver key to A & B

3. if A & B have communicated previously can use previous key to encrypt a new key

4. if A & B have secure communications with a third party C, C can relay key between A & B

Page 69: Information Security Management -- Cryptography

Trusted Intermediaries

Symmetric key problem:
• How do two entities establish shared secret key over network?

Solution:
• trusted key distribution center (KDC) acting as intermediary between entities

Public key problem:
• When Alice obtains Bob’s public key (from web site, e-mail, diskette), how does she know it is Bob’s public key, not Trudy’s?

Solution:
• trusted certification authority (CA)

Page 70: Information Security Management -- Cryptography

Key Distribution Center (KDC)

• Alice, Bob need shared symmetric key.

• KDC: server shares different secret key with each registered user (many users)

• Alice, Bob know own symmetric keys, K_{A-KDC}, K_{B-KDC}, for communicating with KDC.

[Figure: the KDC stores one key per registered user (K_{A-KDC}, K_{B-KDC}, K_{P-KDC}, K_{X-KDC}, K_{Y-KDC}, K_{Z-KDC}); each user holds their own key]

Page 71: Information Security Management -- Cryptography

Key Distribution Center (KDC)

Q: How does KDC allow Bob, Alice to determine shared symmetric secret key to communicate with each other?

[Figure: messages exchanged between Alice, the KDC and Bob]
• K_{A-KDC}(A,B)
• KDC generates R1
• K_{A-KDC}(R1, K_{B-KDC}(A,R1))
• Alice knows R1
• K_{B-KDC}(A,R1)
• Bob knows to use R1 to communicate with Alice

Alice and Bob communicate: using R1 as session key for shared symmetric encryption

Page 72: Information Security Management -- Cryptography

Key Management (public)

• public-key encryption helps address key distribution problems

• have two aspects of this:
  – distribution of public keys
  – use of public-key encryption to distribute secret keys

Page 73: Information Security Management -- Cryptography

Distribution of Public Keys

• can be considered as using one of:
  – Public announcement
  – Publicly available directory
  – Public-key authority
  – Public-key certificates

Page 74: Information Security Management -- Cryptography

Public Announcement

• users distribute public keys to recipients or broadcast to community at large
  – eg. append PGP keys to email messages or post to news groups or email list

• major weakness is forgery
  – anyone can create a key claiming to be someone else and broadcast it
  – until forgery is discovered can masquerade as claimed user

Page 75: Information Security Management -- Cryptography

Certification Authorities

• Certification authority (CA): binds public key to particular entity, E.

• E (person, router) registers its public key with CA.
  – E provides “proof of identity” to CA.
  – CA creates certificate binding E to its public key.
  – certificate containing E’s public key digitally signed by CA – CA says “this is E’s public key”

[Figure: Bob’s public key K_B^+ and Bob’s identifying information → digital signature (encrypt) with CA private key K_CA^- → certificate for Bob’s public key, signed by CA]

Page 76: Information Security Management -- Cryptography

Certification Authorities

• When Alice wants Bob’s public key:
  – gets Bob’s certificate (Bob or elsewhere).
  – apply CA’s public key to Bob’s certificate, get Bob’s public key

[Figure: Bob’s certificate → digital signature (decrypt) with CA public key K_CA^+ → Bob’s public key K_B^+]

Page 77: Information Security Management -- Cryptography

A certificate contains:

• Serial number (unique to issuer)

• info about certificate owner, including algorithm and key value itself (not shown)

• info about certificate issuer

• valid dates

• digital signature by issuer

Page 78: Information Security Management -- Cryptography

Summary

• Symmetric encryption

• Public encryption

• Digital Signature

• Key distribution

