March 12, 2005
Modern Cryptography
Page 2
Spoiler Warning
• After listening to this talk, you may become disappointed with this book!
• Much of the book’s content is about cryptography, but the parts about modern cryptography are often inaccurate
Page 3
Build Your Own Cryptosystem
• Have you heard about any cryptosystem?
• Have you tried to design your own encryption algorithm?
• Some software companies do this
• But this is in fact very insecure: a cryptosystem can have many hidden flaws!
Page 4
A simple cryptosystem I used in F.1
• Substitute English letters with two-digit numbers:
  01..26 <-> A..Z
  00 <-> Space
  27..99 <-> Nothing (nulls, added to confuse the eavesdropper)
• This is a kind of monoalphabetic substitution cipher
• Example: HELLO WORLD -> 08 05 48 37 36 12 12 15 00 23 61 15 18 12 04 95
• Problems?
Page 5
Classical Ciphers
• Monoalphabetic Substitution Cipher (examples: Caesar, simple substitution)
• Substitutes every letter with a fixed letter
• Very vulnerable to frequency analysis
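The F.1 number cipher above, as an added example (not from the original slides), together with the frequency count that shows why a monoalphabetic substitution is weak: nulls above 26 are trivially discarded, and each letter always maps to the same code, so ciphertext pair counts equal plaintext letter counts. The encoder's null rate and seed are my own constructed parameters.

```python
import random
from collections import Counter

# Mapping used on the slide: 01..26 <-> A..Z, 00 <-> space, 27..99 are nulls.
LETTER_TO_CODE = {chr(ord("A") + i): f"{i + 1:02d}" for i in range(26)}
LETTER_TO_CODE[" "] = "00"
CODE_TO_LETTER = {code: letter for letter, code in LETTER_TO_CODE.items()}


def encrypt(plaintext, null_rate=0.3, seed=None):
    """Encode each character as its two-digit code, sprinkling in random nulls (27..99)."""
    rng = random.Random(seed)
    out = []
    for ch in plaintext.upper():
        if ch not in LETTER_TO_CODE:
            continue  # characters outside A..Z and space are simply dropped
        out.append(LETTER_TO_CODE[ch])
        if rng.random() < null_rate:
            out.append(f"{rng.randint(27, 99):02d}")
    return " ".join(out)


def strip_nulls(ciphertext):
    """Any pair above 26 cannot be a letter, so an eavesdropper just drops it."""
    return [pair for pair in ciphertext.split() if pair in CODE_TO_LETTER]


def decrypt(ciphertext):
    return "".join(CODE_TO_LETTER[pair] for pair in strip_nulls(ciphertext))


def code_frequencies(ciphertext):
    """Frequency table of the real codes. Because the substitution is fixed,
    the most common ciphertext pair is the most common plaintext letter."""
    return Counter(strip_nulls(ciphertext))


# Ciphertext taken from the slide's HELLO WORLD example.
SLIDE_CIPHERTEXT = "08 05 48 37 36 12 12 15 00 23 61 15 18 12 04 95"
```

Running code_frequencies on the slide's ciphertext shows "12" (L) three times and "15" (O) twice, exactly the letter distribution of HELLO WORLD.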
Page 6
Classical Ciphers
• Polyalphabetic Substitution Cipher (examples: Vigenère Cipher, Enigma)
• Substitution depends on position
• Vulnerable to frequency analysis on collections of letters
Page 7
Classical Ciphers
• Transposition Cipher (example: Columnar transposition)
• Moves the position of letters around
• Again vulnerable to frequency analysis
Page 8
Classical Ciphers
• Hill Cipher
• Based on matrix multiplication
• Vulnerable to known plaintext attack
Page 9
Modern Cryptography
• Cryptosystem: key generation (a cryptosystem without a key is useless), encryption, decryption
• Confusing words:
  Cryptography is the study of cryptosystems and their applications
  “Cipher” usually means the same thing as “Cryptosystem”
  Plaintext / cleartext means un-encrypted data
  Ciphertext / crypto-text means encrypted data
Page 10
Symmetric Ciphers (Private Key Cryptosystems)
• Most famous: DES (Data Encryption Standard)
  64 bit key (56 bit for encryption, 8 bit for error check)
  In Digital Fortress, the brute force code breaking machine TRANSLTR can break DES in 10 minutes
  However this is totally useless, because if we encrypt the data with 3 keys consecutively (this is called 3DES), it would take 2^(56×2) × 10 minutes to break!
• New algorithm: AES (Advanced Encryption Standard)
  128, 192 or 256 bit key
  Widely used
• Main problem with symmetric ciphers: key distribution
Page 11
Asymmetric Cipher (Public Key Cryptosystem)
• Most famous: RSA
• A little number theory
  n = p*q (p and q are large primes)
  Choose e, d such that e*d = 1 (mod φ(n))
• Encryption and Decryption
  Public key is (n, e), private key is (n, d)
  C = M^e (mod n)
  M = C^d (mod n)
• To break RSA we need to factorize n
  Current fastest algorithm: Number Field Sieve
Page 12
Why still use symmetric ciphers?
• Symmetric ciphers are much faster than asymmetric ones (at least 100x)
• Key length of symmetric ciphers can be much shorter than asymmetric ciphers
  An AES key of 128 bit is roughly as strong as an RSA key of 2048 bit
• Use an asymmetric cipher to encrypt the keys of a symmetric cipher!
• Other well known algorithms
  Symmetric: RC5, IDEA, Blowfish, …
  Asymmetric: ElGamal, Elliptic Curve Cryptography (ECC), XTR, …
Page 13
The One Time Pad
• One Time Pad is the only form of “Perfectly Secure” cryptosystem
• Length of key must be at least the length of the message
• Vernam Cipher: uses bitwise XOR
• Sometimes used by governments to transfer keys to embassies
Page 14
Digital Signatures
• Many asymmetric encryption/decryption schemes are just mathematical functions, so we can reverse the order:
  Dec(Enc(X)) = Enc(Dec(X)) = X
• Therefore we can use them for “digital signature”
• Example: RSA
  If we send M to somebody, we also send s = M^d
  The other party can check that M has not been altered by verifying s^e = M
Page 15
Public Key Infrastructure
• Certificate Authorities (CA) store your public key on their server and verify its authenticity
• Hierarchy of Trust
• Example scenario
  When you send a message, you also send a certificate as well as a signature signed with your private key
  When the other party receives the message, it first goes to the CA which issued your cert to verify it
  Then it uses your public key listed in the cert to verify the message
Page 16
The Real World
• What I told you is INSECURE!
• Dolev-Yao Threat Model
  Attackers control the whole network
  Attackers can intercept, duplicate, replay, modify, or forge any message, but
  Attackers cannot find the plaintext from a ciphertext without the key, and
  Attackers cannot find the private key from a public key
• Recall the BT incident: 90% of what the Customs did (mainly eavesdropping) can be done by everyone on the Internet
Page 17
Attack on RSA
• Scenario
  I eavesdropped an RSA-encrypted message for you (M^e, where e is your public key)
  I ask you to forward this message to someone else, but I lie to you that this is an unencrypted message
  I also remind you to sign the message before forwarding
  In fact, the other person is myself
  Signature of M^e = (M^e)^d = M^(ed) = M !
• In this scenario you acted as a “Decryption Oracle” and provided “Oracle Services” to me, the attacker
Page 18
Attack on RSA
• A fix? Check every message to see if it is actually encrypted
• This is useless
• Another scenario
  When I eavesdrop M^e, I compute M^e · X^e = (MX)^e, where X is an integer I chose
  I send (MX)^e to you and ask you to sign it. When you try to decrypt it you get MX, which looks innocuous
  Feeling safe, you sign it, and send MX back to me
  I can compute MX · X^(-1) to get M (taking the multiplicative inverse is easy)
• This is called the “Chosen Ciphertext Attack”
Page 19
Attack on RSA
• A real solution is to apply a cryptographic hash function before signing
• Properties of a cryptographic hash function: one way, non-linear, collision free
• However, many other attacks are possible
  Now, formal methods are used to model the attacks
  A “really secure” version of RSA is RSA-OAEP
  Much research is ongoing
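The RSA signature of Page 14 and the blinding scenario of Pages 17-18 worked through with toy numbers, as an added example that is not part of the original slides. The primes, message and blinding factor are constructed; the point is the comparison between a signer that returns raw M^d (a decryption oracle) and one that signs H(M) as Page 19 recommends, which gives the attacker only H((MX)^e)^d, a value that no longer contains M.

```python
import hashlib

# Toy RSA parameters, constructed for illustration only (far too small to be secure).
P, Q = 61, 53
N = P * Q                  # n = p*q = 3233
PHI = (P - 1) * (Q - 1)    # phi(n) = 3120
E = 17
D = pow(E, -1, PHI)        # d = 2753, so e*d = 1 (mod phi(n))


def encrypt(m):
    return pow(m, E, N)    # C = M^e (mod n)


def sign_raw(m):
    """Signs the number itself: s = M^d (mod n). Identical to decryption, hence an oracle."""
    return pow(m, D, N)


def verify_raw(m, s):
    return pow(s, E, N) == m   # s^e = M


def h(m):
    """One-way, non-linear hash reduced into Z_n (SHA-256 of the message, taken mod n)."""
    return int.from_bytes(hashlib.sha256(m.to_bytes(4, "big")).digest(), "big") % N


def sign_hashed(m):
    return pow(h(m), D, N)     # sign H(M) instead of M


def verify_hashed(m, s):
    return pow(s, E, N) == h(m)


def blinding_attack(c, x, oracle):
    """Given c = M^e and a signing oracle, ask for a signature on (MX)^e and unblind."""
    blinded = (c * pow(x, E, N)) % N          # M^e * X^e = (MX)^e
    response = oracle(blinded)                # raw oracle returns ((MX)^e)^d = MX
    return (response * pow(x, -1, N)) % N     # multiply by X^(-1) to strip X


def demo(m=65, x=7):
    """Returns (M recovered from the raw signer, M recovered from the hashed signer)."""
    c = encrypt(m)
    return blinding_attack(c, x, sign_raw), blinding_attack(c, x, sign_hashed)
```

With the raw signer the first value equals M; with the hashed signer the oracle's response is H((MX)^e)^d, so unblinding returns a number unrelated to M unless the hash happened to equal its own input.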
Page 20
Links
• Cryptography A-Z http://www.ssh.com/support/cryptography/index.html
• Handbook of Applied Cryptography http://www.cacr.math.uwaterloo.ca/hac/
• Wikipedia http://www.wikipedia.org/