INF3510 Information Security, University of Oslo, Spring 2014
Lecture 5: Cryptography
Leif Nilsen, University of Oslo, spring 2014

Outline
• What is cryptography?
• Brief crypto history
• Security issues
• Symmetric cryptography
  – Stream ciphers
  – Block ciphers
  – Hash functions
• Asymmetric cryptography
  – Factoring based mechanisms
  – Discrete Logarithms
  – Digital signatures
L05 Cryptography INF3510 - UiO 2014

Want to learn more? Look up UNIK 4220

What is cryptology?
Secure communication over insecure channels:
- Confidentiality
- Integrity
- Authenticity
- Non-repudiation
[figure: Alice and Bob communicating with symmetric and asymmetric crypto while Oscar, the adversary, observes the channel]

Terminology
• Cryptography is the science of secret writing with the goal of hiding the meaning of a message.
• Cryptanalysis is the science and sometimes art of breaking cryptosystems.
[figure: Cryptology = Cryptography + Cryptanalysis]
Taxonomy of cryptographic primitives
[figure: taxonomy of cryptographic primitives]

When is cryptography used?
• Some example situations:
  – Historically, the military and spy agencies were the main users of cryptology
    • Situation: transmitting messages over insecure channels
  – Now, it is used in many other areas, especially in electronic information processing and communications technologies:
    • Banking: your financial transactions, such as EFTPOS
    • Communications: your mobile phone conversations
    • Info stored in databases: hospitals, universities, etc.
• Cryptography can be used to protect information in storage or during transmission

Model of symmetric cryptosystem
[figure: model of a symmetric cryptosystem]

Terminology
• Encryption: plaintext (clear text) M is converted into a ciphertext C under the control of a key k.
  – We write C = E(M, k).
• Decryption with key k recovers the plaintext M from the ciphertext C.
  – We write M = D(C, k).
• Symmetric ciphers: the secret key is used for both encryption and decryption.
• Asymmetric ciphers: pair of private and public keys where it is computationally infeasible to derive the private decryption key from the corresponding public encryption key.

Caesar cipher
Example: Caesar cipher
P = {abcdefghijklmnopqrstuvwxyz}
C = {DEFGHIJKLMNOPQRSTUVWXYZABC}
Plaintext:  kryptologi er et spennende fag
Ciphertext: NUBSWRORJL HU HT VSHQQHQGH IDJ
Note: the Caesar cipher in this form does not include a variable key, but is an instance of a "shift cipher" using key K = 3.

Numerical encoding of the alphabet
Using this encoding many classical crypto systems can be expressed as algebraic functions over Z26 (English alphabet) or Z29 (Norwegian alphabet)

a  b  c  d  e  f  g  h  i  j  k  l  m  n  o
0  1  2  3  4  5  6  7  8  9  10 11 12 13 14

p  q  r  s  t  u  v  w  x  y  z  æ  ø  å
15 16 17 18 19 20 21 22 23 24 25 26 27 28

Shift cipher
Let P = C = Z29. For 0 ≤ K ≤ 28, we define
E(x, K) = x + K (mod 29) and D(y, K) = y - K (mod 29)   (x, y ∈ Z29)
Question: What is the size of the key space?

Puzzle: ct = LAHYCXPAJYQHRBWNNMNMOXABNLDANLXVVDWRLJCRXWB
Find the plaintext!

Exhaustive search
For[i = 0, i < 26, i++, Print["Key = ", i, " Plain = ", decrypt[ct, 1, i]]]
Key = 0  Plain = LAHYCXPAJYQHRBWNNMNMOXABNLDANLXVVDWRLJCRXWB
Key = 1  Plain = KZGXBWOZIXPGQAVMMLMLNWZAMKCZMKWUUCVQKIBQWVA
Key = 2  Plain = JYFWAVNYHWOFPZULLKLKMVYZLJBYLJVTTBUPJHAPVUZ
Key = 3  Plain = IXEVZUMXGVNEOYTKKJKJLUXYKIAXKIUSSATOIGZOUTY
Key = 4  Plain = HWDUYTLWFUMDNXSJJIJIKTWXJHZWJHTRRZSNHFYNTSX
Key = 5  Plain = GVCTXSKVETLCMWRIIHIHJSVWIGYVIGSQQYRMGEXMSRW
Key = 6  Plain = FUBSWRJUDSKBLVQHHGHGIRUVHFXUHFRPPXQLFDWLRQV
Key = 7  Plain = ETARVQITCRJAKUPGGFGFHQTUGEWTGEQOOWPKECVKQPU
Key = 8  Plain = DSZQUPHSBQIZJTOFFEFEGPSTFDVSFDPNNVOJDBUJPOT
Key = 9  Plain = CRYPTOGRAPHYISNEEDEDFORSECURECOMMUNICATIONS
Key = 10 Plain = BQXOSNFQZOGXHRMDDCDCENQRDBTQDBNLLTMHBZSHNMR
Key = 11 Plain = APWNRMEPYNFWGQLCCBCBDMPQCASPCAMKKSLGAYRGMLQ
Key = 12 Plain = ZOVMQLDOXMEVFPKBBABACLOPBZROBZLJJRKFZXQFLKP
...

Substitution cipher - example
a b c d e f g h i j k l m n o
U D M I P Y Æ K O X S N Å F A
(second row of the substitution table, p to å, not recoverable from the extraction)
Plaintext:  fermatssisteteorem
Ciphertext: YPTÅUBZZOZBPBPATPÅ
What is the size of the key space? (8841761993739701954543616000000 ≈ 2^103)

Letter Frequencies → statistical attacks
• Encryption must hide statistical patterns in data
• Achieved with a series of primitive functions

Letter frequencies in English
[figure: bar chart of letter frequencies in English]

Lessons learned
• A cipher with a small keyspace can easily be attacked by exhaustive search
• A large keyspace is necessary for a secure cipher, but it is by itself not sufficient
• Monoalphabetic substitution ciphers can easily be broken

Vigenère (1523-1596)
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
B C D E F G H I J K L M N O P Q R S T U V W X Y Z A
C D E F G H I J K L M N O P Q R S T U V W X Y Z A B
D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
E F G H I J K L M N O P Q R S T U V W X Y Z A B C D
F G H I J K L M N O P Q R S T U V W X Y Z A B C D E
G H I J K L M N O P Q R S T U V W X Y Z A B C D E F
H I J K L M N O P Q R S T U V W X Y Z A B C D E F G
I J K L M N O P Q R S T U V W X Y Z A B C D E F G H
J K L M N O P Q R S T U V W X Y Z A B C D E F G H I
K L M N O P Q R S T U V W X Y Z A B C D E F G H I J
L M N O P Q R S T U V W X Y Z A B C D E F G H I J K
M N O P Q R S T U V W X Y Z A B C D E F G H I J K L
N O P Q R S T U V W X Y Z A B C D E F G H I J K L M
O P Q R S T U V W X Y Z A B C D E F G H I J K L M N
P Q R S T U V W X Y Z A B C D E F G H I J K L M N O
Q R S T U V W X Y Z A B C D E F G H I J K L M N O P
R S T U V W X Y Z A B C D E F G H I J K L M N O P Q
S T U V W X Y Z A B C D E F G H I J K L M N O P Q R
T U V W X Y Z A B C D E F G H I J K L M N O P Q R S
U V W X Y Z A B C D E F G H I J K L M N O P Q R S T
V W X Y Z A B C D E F G H I J K L M N O P Q R S T U
W X Y Z A B C D E F G H I J K L M N O P Q R S T U V
X Y Z A B C D E F G H I J K L M N O P Q R S T U V W
Y Z A B C D E F G H I J K L M N O P Q R S T U V W X
Z A B C D E F G H I J K L M N O P Q R S T U V W X Y
Key:        kryptokry
Plaintext:  OLAOGKARI
Ciphertext: ycydzykig
(each key letter k, r, y, p, t, o, … selects the row of the table used for that position)
Polyalphabetic, but completely insecure

Enigma
• German WW II crypto machine
• Many different variants
• Analysed by Polish and English mathematicians
[photo of an Enigma machine]

Operating principles
1 - Battery
2 - Keyboard
3 - Stecker board
4 - Entry ring
5 - Rotors (L M R)
6 - Reflector
7 - Conductor
8 - Connector
9 - Lamp
[figure: Enigma wiring diagram with the parts numbered above]

Enigma key list
[figure: Enigma key sheet]

Enigma encryption example
Message: "Ich bin sicher, daß unser Führer eine lose Schraube hat"
Enigma Simulator For Windows. ©1995-1999 Geoff Sullivan. Norway build 002 Thu Mar 06 15:46:40 2008
Rotor Order: B VI III
Ringstellung: T E K [20 05 11]
Steckers:
Message Key: A A A [01 01 01]
Plaintext:  ICHBI NSICH ERDAS SUNSE RFUHR EREIN ELOSE SCHRA UBEHA T
Ciphertext: OVKWR IZXJE OXFNR YPBJZ DBVCG SWLFR TGHPF KEOQL KKRLQ I

Practical complexity for attacking Enigma
Cryptanalytical assumptions during WW II:
• 3 out of 5 rotors with known wiring
• 10 stecker couplings
• Known reflector
N = 150 738 274 937 250 · 60 · 17 576 · 676 = 107 458 687 327 250 619 360 000 (77 bits)

Attacking ENIGMA
Position:   1 2 3 4 5 6 7
Ciphertext: J T G E F P G
Crib:       R O M M E L F
[figure: menu graph built from the crib/ciphertext letter pairs]

Cryptanalysis: Attacking Cryptosystems
• Classical Attacks
  • Mathematical Analysis
  • Brute-Force Attack
• Implementation Attack: try to extract the key through reverse engineering or power measurement, e.g., for a banking smart card.
• Social Engineering: e.g., trick a user into giving up her password

Brute-Force Attack (or Exhaustive Key Search)
• Treats the cipher as a black box
• Requires (at least) 1 plaintext-ciphertext pair (x0, y0)
• Check all possible keys until the condition is fulfilled: d_K(y0) = x0
• How many keys do we need?

Kerckhoffs' principles
• The system should be, if not theoretically unbreakable, unbreakable in practice.
• The design of a system should not require secrecy, and compromise of the system should not inconvenience the correspondents (Kerckhoffs' principle).
• The key should be rememberable without notes and should be easily changeable
• The cryptograms should be transmittable by telegraph
• The apparatus or documents should be portable and operable by a single person
• The system should be easy, neither requiring knowledge of a long list of rules nor involving mental strain

Attack models:
• Known ciphertext
• Known plaintext
• Chosen plaintext (adaptive)
• Chosen ciphertext (adaptive)
What are the goals of the attacker?
  – Find the secret plaintext or part of the plaintext
  – Find the encryption key
  – Distinguish the encryption of two different plaintexts
How clever is the attacker?

Do secure ciphers exist?
• What is a secure cipher?
  – Perfect security
  – Computational security
  – Provable security

A perfectly secure cryptosystem
Vernam one-time pad (1918), Frank Miller (1882)
[figure: a binary random source produces the key bits k_i; the sender computes c_i = p_i ⊕ k_i, the receiver p_i = c_i ⊕ k_i]
c_i = p_i ⊕ k_i
p_i = c_i ⊕ k_i = p_i ⊕ k_i ⊕ k_i = p_i
Note: a ⊕ b = a + b (mod 2)
Offers perfect security assuming the key is perfectly random, of the same length as the message, and only used once. Proved by Claude E. Shannon in 1949.

Claude Shannon (1916 - 2001)
The Father of Information Theory - MIT / Bell Labs
• Information Theory
  – Defined the "binary digit" (bit) as information unit
  – Definition of "entropy" as a measure of information amount
• Cryptography
  – Model of a secrecy system
  – Definition of perfect secrecy
  – Designed S-P networks, i.e. a series of substitution & permutation functions

ETCRRM
• Electronic Teleprinter Cryptographic Regenerative Repeater Mixer (ETCRRM)
• Invented by the Norwegian Army Signal Corps in 1950
• Bjørn Rørholt, Kåre Meisingset
• Produced by STK
• Used for the "Hot-line" between Moscow and Washington
• About 2000 devices produced
[photo of the ETCRRM]

White House Crypto Room 1960s
Producing key tape for the one-time pad
[photo]

Venona
• US attack on encrypted Soviet Union traffic due to re-use of one-time pads
• 1943-1980
• Ca. 3000 messages decrypted
• http://www.nsa.gov/about/_files/cryptologic_heritage/publications/coldwar/venona_story.pdf

Symmetric encryption
Is it possible to design secure and practical crypto?

Stream Cipher vs. Block Cipher
[figure: block cipher: plaintext blocks (n bits) → block cipher under Key → ciphertext blocks (n bits); stream cipher: Key → keystream generator → keystream, XORed with the plaintext stream to give the ciphertext stream]

Symmetric stream cipher
[figure: on each side, Key and MI feed a pseudorandom generator that produces the key stream; plaintext ⊕ key stream = ciphertext, and ciphertext ⊕ key stream = plaintext]
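Added example, not code from the slides: the Vernam one-time pad of the "A perfectly secure cryptosystem" slide, byte-wise c_i = p_i ⊕ k_i, together with the two facts a defender needs from the Venona slide: with a fresh random pad every same-length plaintext is equally possible (Shannon's perfect secrecy), and reusing a pad makes c1 ⊕ c2 = p1 ⊕ p2 with the key cancelled out. The message texts and the fixed pad in the test are constructed.

```python
# Added example (not from the lecture slides): one-time pad and pad reuse.
import os


def otp_encrypt(plaintext: bytes, pad: bytes) -> bytes:
    """c_i = p_i XOR k_i. The pad must be at least as long as the message."""
    if len(pad) < len(plaintext):
        raise ValueError("one-time pad shorter than message")
    return bytes(p ^ k for p, k in zip(plaintext, pad))


def otp_decrypt(ciphertext: bytes, pad: bytes) -> bytes:
    """p_i = c_i XOR k_i = p_i XOR k_i XOR k_i = p_i (XOR is its own inverse)."""
    return otp_encrypt(ciphertext, pad)


def fresh_pad(length: int) -> bytes:
    """Perfect secrecy needs a truly random, never reused pad;
    os.urandom draws from the operating system's CSPRNG."""
    return os.urandom(length)


def pad_that_explains(ciphertext: bytes, candidate: bytes) -> bytes:
    """Perfect secrecy, concretely: for ANY candidate plaintext of the same
    length there is a pad under which the ciphertext decrypts to it, so the
    ciphertext alone cannot favour "buy" over "sell"."""
    return bytes(c ^ p for c, p in zip(ciphertext, candidate))


def pad_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """What an observer learns from two messages under the SAME pad:
    c1 XOR c2 = (p1 XOR k) XOR (p2 XOR k) = p1 XOR p2. No key involved."""
    return bytes(a ^ b for a, b in zip(c1, c2))


def other_plaintext_from_reuse(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """Once one plaintext is known (a crib), the other follows from the leak:
    p2 = (p1 XOR p2) XOR p1. This is the Venona failure mode."""
    return bytes(x ^ p for x, p in zip(pad_reuse_leak(c1, c2), known_p1))


if __name__ == "__main__":
    p1, p2 = b"attack at dawn", b"attack at dusk"        # constructed messages
    pad = fresh_pad(len(p1))
    c1, c2 = otp_encrypt(p1, pad), otp_encrypt(p2, pad)  # pad reused: wrong!
    print("decrypts:", otp_decrypt(c1, pad))
    print("c1 xor c2 (key cancelled):", pad_reuse_leak(c1, c2).hex())
    print("p2 from p1:", other_plaintext_from_reuse(c1, c2, p1))
```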

LFSR
Using n flip-flops we may generate a binary sequence of period 2^n - 1
[figure: linear feedback shift register of length n with stages s_i and feedback coefficients c_1 … c_n; the output is taken from the last stage and the feedback bit s_{i+n} = c_1 s_{i+n-1} ⊕ … ⊕ c_n s_i enters the first]
Note: The stream cipher is stateful

LFSR - properties
• Easy to implement in HW, offers fast clocking
• The output sequence is completely determined by the initial state and the feedback coefficients
• Using "correct" feedback a register of length n may generate a sequence with period 2^n - 1
• The sequence will provide good statistical properties
• Knowing 2n consecutive bits of the key stream will reveal the initial state and feedback
• The linearity means that a single LFSR is completely useless as a stream cipher, but LFSRs may be a useful building block for the design of a strong stream cipher

Symmetric block cipher
• The algorithm represents a family of permutations of the message space
• Normally designed by iterating a less secure round function
• May be applied in different operational modes
• Must be impossible to derive K based on knowledge of P and C
[figure: plaintext block P_i → crypto-algorithm under key K → ciphertext block C_i]

Block cipher and random permutations
• Given block size m = 64 and key length l = 56 bit
• Number of different DES-permutations is 2^56 = 72057594037927936
• Number of possible permutations of 2^64 elements is 2^64! = ?? (more than 2^71 decimal digits)
[figure: the DES permutations as a tiny subset of all permutations]
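Added example, not code from the slides: the LFSR of the "LFSR" slides, s_{i+n} = c_1 s_{i+n-1} ⊕ … ⊕ c_n s_i, its period for "correct" and incorrect feedback, and the property that 2n consecutive output bits determine the feedback coefficients by solving n linear equations over GF(2), after which every later keystream bit is predictable. The taps (x^4 + x^3 + 1, and x^4 + x^2 + 1 as a non-primitive contrast) and the initial state are constructed.

```python
# Added example (not from the lecture slides): LFSR generation, period, and
# recovery of the feedback taps from 2n known keystream bits.

def lfsr_stream(state, taps, length):
    """state = [s_0 .. s_{n-1}], taps = [c_1 .. c_n]; returns s_0 .. s_{length-1}.
    Each new bit is s_{i+n} = XOR over m of c_m * s_{i+n-m}."""
    n = len(taps)
    s = list(state)
    while len(s) < length:
        new = 0
        for m in range(1, n + 1):      # s[-m] is s_{i+n-m} for the current i
            new ^= taps[m - 1] & s[-m]
        s.append(new)
    return s[:length]


def period(state, taps):
    """Clock the register until the initial state reappears (at most 2^n - 1)."""
    n = len(taps)
    seq = lfsr_stream(state, taps, n + 2 ** n)
    for p in range(1, 2 ** n + 1):
        if seq[p:p + n] == list(state):
            return p
    return None


def solve_gf2(matrix, rhs):
    """Gauss-Jordan elimination over GF(2) for a square system.
    Returns the solution vector, or None if the matrix is singular."""
    n = len(rhs)
    rows = [row[:] + [b] for row, b in zip(matrix, rhs)]   # augmented rows
    for col in range(n):
        pivot = next((r for r in range(col, n) if rows[r][col]), None)
        if pivot is None:
            return None
        rows[col], rows[pivot] = rows[pivot], rows[col]
        for r in range(n):
            if r != col and rows[r][col]:
                rows[r] = [a ^ b for a, b in zip(rows[r], rows[col])]
    return [row[n] for row in rows]


def recover_taps(bits, n):
    """From 2n consecutive keystream bits s_0 .. s_{2n-1}, solve the n equations
    s_{j+n} = XOR_m c_m s_{j+n-m} (j = 0 .. n-1) for the unknowns c_1 .. c_n."""
    if len(bits) < 2 * n:
        raise ValueError("need at least 2n bits")
    matrix = [[bits[j + n - m] for m in range(1, n + 1)] for j in range(n)]
    rhs = [bits[j + n] for j in range(n)]
    return solve_gf2(matrix, rhs)


def predict(bits, n, length):
    """Recover the taps, then regenerate the whole keystream from the first n
    bits (the initial state): this is why a bare LFSR is no stream cipher."""
    return lfsr_stream(bits[:n], recover_taps(bits, n), length)


if __name__ == "__main__":
    PRIMITIVE = [1, 0, 0, 1]      # x^4 + x^3 + 1: s_{i+4} = s_{i+3} XOR s_i
    REDUCIBLE = [0, 1, 0, 1]      # x^4 + x^2 + 1 = (x^2 + x + 1)^2
    STATE = [1, 0, 0, 0]
    print("period with primitive feedback:", period(STATE, PRIMITIVE))   # 15
    print("period with reducible feedback:", period(STATE, REDUCIBLE))   # 6
    keystream = lfsr_stream(STATE, PRIMITIVE, 30)
    print("taps recovered from 8 bits:", recover_taps(keystream[:8], 4))
    print("prediction matches:", predict(keystream[:8], 4, 30) == keystream)
```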

Iterated block cipher design
Algorithm:
  w0 ← x
  w1 ← g(w0, K1)
  w2 ← g(w1, K2)
  …
  w_{Nr-1} ← g(w_{Nr-2}, K_{Nr-1})
  w_{Nr} ← g(w_{Nr-1}, K_{Nr})
  y ← w_{Nr}
NB! For a fixed K, g must be injective in order to decrypt y
[figure: x → g(·, K1) → w1 → g(·, K2) → … → g(·, K_{Nr}) → w_{Nr} = y, with the round keys K1 … K_{Nr} derived from K]

Substitution-Permutation network (SPN):
Round function g:
[figure: state w_{i-1} → S-boxes S1 S2 S3 S4 S5 (confusion) → permutation (diffusion) → ⊕ K_i (key mix) → new state w_i]

Data Encryption Standard
• Published in 1977 by the US National Bureau of Standards for use in unclassified government applications with a 15 year life time.
• 16 round Feistel cipher with 64-bit data blocks, 56-bit keys.
• 56-bit keys were controversial in 1977; today, exhaustive search on 56-bit keys is very feasible.
• Controversial because of classified design criteria, however no loophole was ever found.

DES architecture
DES(P):
  (L0, R0) = IP(P)
  FOR i = 1 TO 16
    L_i = R_{i-1}
    R_i = L_{i-1} ⊕ f(R_{i-1}, K_i)
  C = IP^{-1}(R16, L16)
64 bit data block, 56 bit key (72.057.594.037.927.936 keys)
[figure: P (64 bits) → IP → (L0, R0) → 16 Feistel rounds with f and round keys K1 … K16 → (R16, L16) → IP^{-1} → C (64 bits)]

EFF DES-cracker
• Dedicated ASIC with 24 DES search engines
• 27 PCBs housing 1800 circuits
• Can test 92 billion keys per second
• Cost 250 000 $
• DES key found July 1998 after 56 hours search
• Combined effort DES Cracker and 100.000 PCs could test 245 billion keys per second and found key after 22 hours
[photo]

Copacobana
COPACOBANA, the Cost-Optimized Parallel COde Breaker, is an FPGA-based machine which is optimized for running cryptanalytical algorithms. COPACOBANA is suitable for parallel computation problems which have low communication requirements. DES cracking is such a parallelizable problem: an exhaustive key search of the Data Encryption Standard (DES) takes no longer than a week on average with COPACOBANA. Other ciphers can be attacked too, and COPACOBANA can also be used for parallel computing problems outside cryptography. (And yes, we know, Rio de Janeiro's famous beach is spelled slightly differently, Copacabana ;)

DES Status
• DES is the "work horse" which for over 30 years has inspired cryptographic research and development
• "Outdated by now"!
• Single DES cannot be considered as a secure block cipher
• Use 3DES (ANSI 9.52) or DESX
[figure: 3DES: P → DES with K1 → DES with K2 → DES with K3 → C; DESX: P ⊕ K1 → E_K → ⊕ K2 → C]

Advanced Encryption Standard
• Public competition to replace DES: because 56-bit keys and 64-bit data blocks were no longer adequate.
• Rijndael nominated as the new Advanced Encryption Standard (AES) in 2001 [FIPS-197].
• Rijndael (pronounced "Rhine-doll") designed by Vincent Rijmen and Joan Daemen.
• 128-bit block size (Note error in Harris p. 809)
• 128-bit, 196-bit, and 256-bit key sizes.
• Rijndael is not a Feistel cipher.

Rijndael, the selected AES cipher
Designed by Vincent Rijmen and Joan Daemen from Belgium
Vincent Rijmen, works at K.U.Leuven
Joan Daemen, works at STMicroelectronics, Belgium
[photos]

Rijndael round function
[figure: the 4×4 byte state a0 … a15 goes through Initial state → S-box → Row-shift → Column-mix → Key-mix → End state]

Rijndael encryption
1. Key mix (round key K0)
2. Nr-1 rounds containing:
   a) Byte substitution
   b) Row shift
   c) Column mix
   d) Key mix (round key Ki)
3. Last round containing:
   a) Byte substitution
   b) Row shift
   c) Key mix (round key KNr)

Key  Rounds
128  10
192  12
256  14

Using encryption for real
• With a block cipher, encrypting an n-bit block M with a key k gives a ciphertext block C = E(M, k).
• Given a well designed block cipher, observing C would tell an adversary nothing about M or k.
• What happens if the adversary observes traffic over a longer period of time?
  – The adversary can detect if the same message had been sent before; if there are only two likely messages "buy" and "sell" it may be possible to guess the plaintext without breaking the cipher.

Block Ciphers: Modes of Operation
• Block ciphers can be used in different modes in order to provide different security services.
• Common modes include:
  – Electronic Code Book (ECB)
  – Cipher Block Chaining (CBC)
  – Output Feedback (OFB)
  – Cipher Feedback (CFB)
  – Counter Mode (CTR)
  – Galois Counter Mode (GCM) {Authenticated encryption}

Electronic Code Book
• ECB Mode encryption
  – Simplest mode of operation
  – Plaintext data is divided into blocks M1, M2, …, Mn
  – Each block is then processed separately
• Plaintext block and key used as inputs to the encryption algorithm
[figure: ECB: each Mi is encrypted under K to Ci, and each Ci decrypted under K back to Mi, independently of the other blocks]

ECB Mode
• ECB Mode Issues
  – Problem: For a given key, the same plaintext block always encrypts to the same ciphertext block.
    • This may allow an attacker to construct a code book of known plaintext/ciphertext blocks.
    • The attacker could use this codebook to insert, delete, reorder or replay data blocks within the data stream without detection
  – Other modes of operation can prevent this, by not encrypting blocks independently
    • For example, using the output of one block encryption as input to the next (chaining)

Use a secure mode!
[figure: an image as plaintext, the same image encrypted in ECB mode (structure still visible), and encrypted in a secure mode (noise)]
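Added example, not code from the slides: a toy 16-round Feistel cipher with the skeleton of the "DES architecture" slide (L_i = R_{i-1}, R_i = L_{i-1} ⊕ f(R_{i-1}, K_i), halves swapped at the end), showing that decryption is the same routine with the round keys reversed even though f itself is not invertible, and on top of it ECB versus CBC from the "Modes of Operation" slides with a detection check for the repeated-block problem. The round function, key schedule, 8-byte block size, key, IV and message are constructed stand-ins, not DES and not a cipher to deploy.

```python
# Added example (not from the lecture slides): toy Feistel cipher, ECB and
# CBC modes, and a repeated-ciphertext-block check.
import hashlib

BLOCK = 8          # bytes; two 4-byte halves
ROUNDS = 16


def round_keys(key: bytes):
    """K_1 .. K_16 derived by hashing (a constructed key schedule, not DES's)."""
    return [hashlib.sha256(key + bytes([i])).digest()[:4] for i in range(1, ROUNDS + 1)]


def f(right: bytes, k: bytes) -> bytes:
    """Round function f(R, K). It is NOT invertible, and it need not be:
    the Feistel structure makes each round a permutation anyway."""
    return hashlib.sha256(k + right).digest()[:4]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def feistel(block: bytes, keys) -> bytes:
    """L_i = R_{i-1}, R_i = L_{i-1} XOR f(R_{i-1}, K_i); output (R16, L16)
    like DES's IP^-1(R16, L16). Decryption = same loop, keys reversed."""
    if len(block) != BLOCK:
        raise ValueError("block must be %d bytes" % BLOCK)
    left, right = block[:4], block[4:]
    for k in keys:
        left, right = right, xor(left, f(right, k))
    return right + left


def encrypt_block(block: bytes, key: bytes) -> bytes:
    return feistel(block, round_keys(key))


def decrypt_block(block: bytes, key: bytes) -> bytes:
    return feistel(block, round_keys(key)[::-1])


def pad(data: bytes) -> bytes:
    """PKCS#7-style padding up to a whole number of blocks."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    return data[:-data[-1]]


def blocks(data: bytes):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(data: bytes, key: bytes) -> bytes:
    """Each block independently: equal plaintext blocks give equal ciphertext."""
    return b"".join(encrypt_block(m, key) for m in blocks(pad(data)))


def ecb_decrypt(ct: bytes, key: bytes) -> bytes:
    return unpad(b"".join(decrypt_block(c, key) for c in blocks(ct)))


def cbc_encrypt(data: bytes, key: bytes, iv: bytes) -> bytes:
    """C_i = E(M_i XOR C_{i-1}), C_0 = IV: the chaining hides repeats.
    A real IV must be unpredictable and fresh per message."""
    prev, out = iv, []
    for m in blocks(pad(data)):
        prev = encrypt_block(xor(m, prev), key)
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(ct: bytes, key: bytes, iv: bytes) -> bytes:
    prev, out = iv, []
    for c in blocks(ct):
        out.append(xor(decrypt_block(c, key), prev))
        prev = c
    return unpad(b"".join(out))


def repeated_blocks(ct: bytes) -> int:
    """Detection heuristic: how many ciphertext blocks occur more than once.
    Under ECB any repeat exposes repeated plaintext (the code-book problem)."""
    bs = blocks(ct)
    return len(bs) - len(set(bs))


if __name__ == "__main__":
    KEY, IV = b"constructed-key", bytes(range(BLOCK))
    MSG = b"SELL 100" * 3 + b"BUY 5000"          # three identical blocks
    print("ECB repeats:", repeated_blocks(ecb_encrypt(MSG, KEY)))       # 2
    print("CBC repeats:", repeated_blocks(cbc_encrypt(MSG, KEY, IV)))   # 0
```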

Cipher Block Chaining Mode
[figure: CBC: M1, M2, …, MN → C1, C2, …, CN, each plaintext block XORed with the previous ciphertext block before encryption]

CTR Counter Mode
[figure: counter mode]

Block cipher: Applications
• Block ciphers are often used for providing confidentiality services
• They are used for applications involving processing large volumes of data, where time delays are not critical.
  – Examples:
    • Computer files
    • Databases
    • Email messages
• Block ciphers can also be used to provide integrity services, i.e. for message authentication

Integrity Check Functions
[figure: integrity check functions]

Hash functions
[figure: message → hash function → hash value]

Applications of hash functions
• Protection of passwords
• Comparing files
• Authentication of SW distributions
• Bitcoin
• Generation of Message Authentication Codes (MAC)
• Digital signatures
• Pseudo number generation / Mask generation functions
• Key derivation

Hash functions (message digest functions)
Requirements for a one-way hash function h:
1. Ease of computation: given x, it is easy to compute h(x).
2. Compression: h maps inputs x of arbitrary bitlength to outputs h(x) of a fixed bitlength n.
3. One-way: given a value y, it is computationally infeasible to find an input x so that h(x) = y.
4. Collision resistance: it is computationally infeasible to find x and x', where x ≠ x', with h(x) = h(x') (note: two variants of this property).

Properties of hash functions
[figure: ease of computation: x → h(·) → h(x); pre-image resistance: given h(x), find x?; weak collision resistance (2nd pre-image resistance): given x and h(x), find x' ≠ x with the same hash?; strong collision resistance: find any pair x, x' with h(x) = h(x')?]

Frequently used hash functions

• MD5: 128 bit digest. Broken. Often used in Internet protocols but no longer recommended.
• SHA-1 (Secure Hash Algorithm): 160 bit digest. Potential attacks exist. Designed to operate with the US Digital Signature Standard (DSA);
• SHA-256, 384, 512 bit digest. Still secure. Replacement for SHA-1
• RIPEMD-160: 160 bit digest. Still secure. Hash function frequently used by European cryptographic service providers.
• NIST competition for new secure hash algorithm, announcement of winner expected in 2012.

And the winner is?

• NIST announced Keccak as the winner of the SHA-3 Cryptographic Hash Algorithm Competition on October 2, 2012, and ended the five-year competition.
• Keccak was designed by a team of cryptographers from Belgium and Italy, they are:
– Guido Bertoni (Italy) of STMicroelectronics,
– Joan Daemen (Belgium) of STMicroelectronics,
– Michaël Peeters (Belgium) of NXP Semiconductors, and
– Gilles Van Assche (Belgium) of STMicroelectronics.

Keccak and sponge functions

(Figure: sponge construction.)

MAC and MAC algorithms

• MAC means two things:
1. The computed message authentication code h(M, k)
2. General name for algorithms used to compute a MAC
• In practice, the MAC algorithm is e.g.
– HMAC (Hash-based MAC algorithm)
– CBC-MAC (CBC based MAC algorithm)
– CMAC (Cipher-based MAC algorithm)
• MAC algorithms, a.k.a. keyed hash functions, support data origin authentication services.

Practical message integrity with MAC

(Figure: Alice and Bob hold a shared secret key K. Alice computes h(M, K) with the MAC function and the MAC is sent together with message M. Bob computes h(M', K) over the received message M' and verifies h(M, K) = h(M', K).)

HMAC

• Define: ipad = 3636…36 (512 bit)
• opad = 5C5C…5C (512 bit)
• HMAC_K(x) = SHA-1((K ⊕ opad) || SHA-1((K ⊕ ipad) || x))

(Figure: K, ipad, x and opad fed through the two SHA-1 computations.)
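The HMAC definition above built by hand from the slide's formula, as an added example that is not part of the lecture material. It assumes the key handling of RFC 2104 (hash keys longer than one block, zero-pad shorter ones), which the slide leaves out, and cross-checks the result against Python's standard-library `hmac` module.

```python
import hashlib
import hmac  # standard-library HMAC, used only to cross-check the hand-built version

BLOCK_SIZE = 64  # SHA-1 block size in bytes (512 bits), as on the slide


def hmac_sha1(key: bytes, message: bytes) -> bytes:
    """HMAC_K(x) = SHA-1((K xor opad) || SHA-1((K xor ipad) || x)), built from the definition."""
    # Key handling per RFC 2104 (assumption, not shown on the slide): a key longer than one
    # block is hashed first, and a shorter key is zero-padded up to 512 bits.
    if len(key) > BLOCK_SIZE:
        key = hashlib.sha1(key).digest()
    key = key.ljust(BLOCK_SIZE, b"\x00")
    ipad = bytes([0x36]) * BLOCK_SIZE   # 3636...36
    opad = bytes([0x5C]) * BLOCK_SIZE   # 5C5C...5C
    k_ipad = bytes(k ^ p for k, p in zip(key, ipad))
    k_opad = bytes(k ^ p for k, p in zip(key, opad))
    inner = hashlib.sha1(k_ipad + message).digest()   # SHA-1((K xor ipad) || x)
    return hashlib.sha1(k_opad + inner).digest()      # SHA-1((K xor opad) || inner)


def verify_mac(key: bytes, received_message: bytes, received_mac: bytes) -> bool:
    """Bob's side of the MAC slide: recompute h(M', K) and compare with the MAC Alice sent."""
    # Constant-time comparison: an early-exit byte compare would leak how much of the MAC matched.
    return hmac.compare_digest(hmac_sha1(key, received_message), received_mac)


def matches_stdlib(key: bytes, message: bytes) -> bool:
    """Cross-check against hmac.new(), which implements the same RFC 2104 construction."""
    return hmac_sha1(key, message) == hmac.new(key, message, hashlib.sha1).digest()
```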

CBC-MAC

• CBC-MAC(x, K)
• set x = x_1 || x_2 || … || x_n
• IV ← 00…0
• y_0 ← IV
• for i ← 1 to n
•   do y_i ← e_K(y_{i-1} ⊕ x_i)
• return (y_n)

(Figure: IV and x_1, x_2, …, x_n chained through e_K; the last output y_n is the MAC.)
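The CBC-MAC pseudocode above as running code, an added example that is not from the lecture. Because the Python standard library has no AES, the block cipher e_K is replaced by a keyed, truncated SHA-256 (an assumption made only so the example runs offline); the chaining logic is exactly the slide's.

```python
import hashlib
import hmac

BLOCK = 16  # block length in bytes of the stand-in block cipher


def e_k(key: bytes, block: bytes) -> bytes:
    """Stand-in for the block cipher e_K of the slide.

    Assumption: no AES in the standard library, so a keyed SHA-256 truncated to one block
    plays the role of e_K. CBC-MAC only needs e_K to behave as a good keyed function.
    """
    if len(block) != BLOCK:
        raise ValueError("e_K takes exactly one block")
    return hashlib.sha256(key + block).digest()[:BLOCK]


def cbc_mac(key: bytes, x: bytes) -> bytes:
    """CBC-MAC(x, K) exactly as the slide's pseudocode, for x a whole number of blocks."""
    if len(x) == 0 or len(x) % BLOCK != 0:
        raise ValueError("message must be a non-empty multiple of the block size")
    blocks = [x[i:i + BLOCK] for i in range(0, len(x), BLOCK)]  # x = x_1 || x_2 || ... || x_n
    y = bytes(BLOCK)                                              # y_0 <- IV = 00...0
    for x_i in blocks:                                            # for i <- 1 to n
        chained = bytes(a ^ b for a, b in zip(y, x_i))            #   y_{i-1} xor x_i
        y = e_k(key, chained)                                     #   y_i <- e_K(...)
    return y                                                      # return y_n


def verify(key: bytes, received_message: bytes, received_mac: bytes) -> bool:
    """Receiver side: recompute over the received message and compare in constant time."""
    return hmac.compare_digest(cbc_mac(key, received_message), received_mac)
```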

Hash functions and Message Authentication

• Shared secret key is used with a MAC
• When used during message transmission, this provides Message Authentication:
– A correct MAC value confirms the sender of the message is in possession of the shared secret key
– Hence, much like a password, it confirms the authenticity of the message sender to the receiver.
• Indeed, message integrity is meaningless without knowing who sent the message.

Public-Key Cryptography

Symmetric cryptosystem

(Figure: Alice's encryptor and Bob's decryptor receive the same key from a key source over a secure channel; Oscar observes the open channel.)

Symmetric key distribution

• Shared key between each pair
• In network of n users, each participant needs n-1 keys.
• Total number of exchanged keys: (n-1) + (n-2) + … + 2 + 1 = n(n-1)/2
• Grows quadratically, which is problematic.
• Is there a better way?

(Figure: Network of 5 nodes.)

Asymmetric cryptosystem

(Figure: Alice's encryptor uses the encryption key e_k and Bob's decryptor the decryption key d_k; the key source delivers e_k over an authentic channel; Oscar observes the open channel.)

Public key inventors?

Marty Hellman and Whit Diffie, Stanford 1976
R. Rivest, A. Shamir and L. Adleman, MIT 1978
James Ellis, CESG 1970
C. Cocks, M. Williamson, CESG 1973-1974

Asymmetric crypto

Public key cryptography was born in May 1975, the child of two problems and a misunderstanding!

Key Distribution!
Digital signing!
Trap-door one-way functions

One-way functions

Modular power function: Given n = pq, where p and q are prime numbers. No efficient algorithms to find p and q. Choose a positive integer b and define f: Z_n → Z_n, f(x) = x^b mod n

Modular exponentiation: Given prime p, generator g and a modular power a = g^x (mod p). No efficient algorithms to find x. f: Z_p → Z_p, f(x) = g^x mod p

Public Key Encryption

• Proposed in the open literature by Diffie & Hellman in 1976.
• Each party has a public encryption key and a private decryption key.
• Reduces total number of exchanged keys to n
• Computing the private key from the public key should be computationally infeasible.
• The public key need not be kept secret but it is not necessarily known to everyone.
• There can be applications where even access to public keys is restricted.

Ralph Merkle, Martin Hellman and Whitfield Diffie

• Merkle invented (1974) and published (1978) Merkle's puzzle, a key exchange protocol which was impractical
• Diffie & Hellman invented (influenced by Merkle) a practical key exchange algorithm using discrete exponentiation.
• D&H defined public-key encryption (equiv. to non-secret encryption)
• Defined digital signature
• Published 1976 in "New directions in cryptography"

(Photo: Merkle, Hellman and Diffie.)

Diffie-Hellman key agreement (key exchange) (provides no authentication)

(Figure: Alice picks random integer a and sends g^a mod p; Bob picks random integer b and sends g^b mod p. Alice computes the shared secret (g^b)^a = g^ab mod p; Bob computes the same secret (g^a)^b = g^ab mod p. Computationally impossible to compute discrete logarithm.)

Example

• Z_11 using g = 2:
– 2^1 = 2 (mod 11)    2^6 = 9 (mod 11)
– 2^2 = 4 (mod 11)    2^7 = 7 (mod 11)
– 2^3 = 8 (mod 11)    2^8 = 3 (mod 11)
– 2^4 = 5 (mod 11)    2^9 = 6 (mod 11)
– 2^5 = 10 (mod 11)   2^10 = 1 (mod 11)
• log_2 5 = 4
• log_2 7 = 7
• log_2 1 = 10 (0 mod 10)
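The Z_11 example and the Diffie-Hellman exchange of the previous slide in code, as an added example that is not from the lecture. It builds the power table, recovers the discrete logs the slide lists by exhaustive search, runs the exchange, and shows that with a prime this small an observer of g^a and g^b recovers the shared secret, which is why real parameters are hundreds of digits long. The private exponents a = 4 and b = 7 are constructed values.

```python
def power_table(g: int, p: int) -> dict:
    """Table of g^k mod p for k = 1..p-1, as on the Z_11 slide."""
    return {k: pow(g, k, p) for k in range(1, p)}


def is_generator(g: int, p: int) -> bool:
    """g generates Z_p* when its powers hit every nonzero residue."""
    return len({pow(g, k, p) for k in range(1, p)}) == p - 1


def discrete_log(g: int, p: int, y: int) -> int:
    """Exhaustive search for x with g^x = y (mod p); feasible only because p is tiny."""
    for x in range(1, p):
        if pow(g, x, p) == y:
            return x
    raise ValueError("y is not a power of g")


def dh_exchange(g: int, p: int, a: int, b: int):
    """One Diffie-Hellman run; returns (A, B, Alice's secret, Bob's secret)."""
    A = pow(g, a, p)          # Alice sends g^a mod p
    B = pow(g, b, p)          # Bob sends g^b mod p
    s_alice = pow(B, a, p)    # (g^b)^a = g^ab mod p
    s_bob = pow(A, b, p)      # (g^a)^b = g^ab mod p
    return A, B, s_alice, s_bob


def secret_from_public_values(g: int, p: int, A: int, B: int) -> int:
    """What an observer of only A and B can do when p is tiny: solve the discrete log for a,
    then compute g^ab. For a large p this search is the computationally infeasible step."""
    a = discrete_log(g, p, A)
    return pow(B, a, p)
```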

Example (2)

p = [prime of several hundred decimal digits, printed in full on the slide, not reproduced here]
g = [generator, printed in full on the slide, not reproduced here]

Find a when g^a (mod p) = [value printed in full on the slide, not reproduced here]

Solution

a = [exponent of several hundred decimal digits, printed in full on the slide, not reproduced here]

It is easy to compute g^a (mod p) {0.016 s}, but it is computationally infeasible to compute the exponent a from g^a.

Diffie-Hellman Applications

• IPSec (IP Security)
– IKE (Internet Key Exchange) is part of the IPSec protocol suite
– IKE is based on Diffie-Hellman Key Agreement
• SSL/TLS
– Several variations of SSL/TLS protocol including
• Fixed Diffie-Hellman
• Ephemeral Diffie-Hellman
• Anonymous Diffie-Hellman

Ron Rivest, Adi Shamir and Len Adleman

• Read about public-key cryptography in 1976 article by Diffie & Hellman: "New directions in cryptography"
• Intrigued, they worked on finding a practical algorithm
• Spent several months in 1976 to re-invent the method for non-secret/public-key encryption discovered by Clifford Cocks 3 years earlier
• Named RSA algorithm

RSA parameters (textbook version)

• Bob generates two large prime numbers p and q and computes n = p·q.
• He then computes a public encryption exponent e, such that gcd(e, (p-1)(q-1)) = 1, and computes the corresponding decryption exponent d by solving:
d·e ≡ 1 (mod (p-1)(q-1))
• Bob's public key is the pair P_B = (e, n) and the corresponding private and secret key is S_B = (d, n).

Encryption: C = M^e (mod n)
Decryption: M = C^d (mod n)

RSA toy example

• Set p = 157, q = 223. Then n = p·q = 157·223 = 35011 and (p-1)(q-1) = 156·222 = 34632
• Set encryption exponent: e = 14213 {gcd(34632, 14213) = 1}
• Public key: (14213, 35011)
• Compute: d = e^-1 = 14213^-1 (mod 34632) = 31613
• Private key: (31613, 35011)
• Encryption:
• Plaintext M = 19726, then C = 19726^14213 (mod 35011) = 32986
• Decryption:
• Ciphertext C = 32986, then M = 32986^31613 (mod 35011) = 19726
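The textbook RSA of the two slides above, reproducing the toy numbers, as an added example that is not from the lecture. The last function is the lesson of the factoring slides that follow: once n is factored, d falls out immediately, so a 16-bit toy modulus is broken by trial division in microseconds. Requires Python 3.8+ for `pow(e, -1, phi)`.

```python
from math import gcd


def rsa_keygen(p: int, q: int, e: int):
    """Textbook RSA key generation from the slide: n = p*q, d = e^-1 mod (p-1)(q-1)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)         # modular inverse, i.e. solve d*e = 1 (mod phi)
    return (e, n), (d, n)       # public key P_B = (e, n), private key S_B = (d, n)


def rsa_encrypt(public_key, m: int) -> int:
    e, n = public_key
    if not 0 <= m < n:
        raise ValueError("plaintext must be an integer in [0, n)")
    return pow(m, e, n)         # C = M^e (mod n)


def rsa_decrypt(private_key, c: int) -> int:
    d, n = private_key
    return pow(c, d, n)         # M = C^d (mod n)


def toy_example():
    """Reproduces the slide's numbers; returns (d, C, recovered M)."""
    pub, priv = rsa_keygen(157, 223, 14213)
    c = rsa_encrypt(pub, 19726)
    return priv[0], c, rsa_decrypt(priv, c)


def private_exponent_from_factoring(n: int, e: int) -> int:
    """The security of (e, n) rests entirely on n resisting factoring: for a toy modulus,
    trial division recovers p and q, and with them d, at once."""
    for p in range(2, int(n ** 0.5) + 1):
        if n % p == 0:
            q = n // p
            return pow(e, -1, (p - 1) * (q - 1))
    raise ValueError("no nontrivial factor found")
```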

Factoring record – December 2009

• Find the product of
• p = 33478071698956898786044169848212690817704794983713768568912431388982883793878002287614711652531743087737814467999489 and
• q = 36746043666799590428244633799627952632279158164343087642676032283815739666511279233373417143396810270092798736308917?

Answer: n = 1230186684530117755130494958384962720772853569595334792197322452151726400507263657518745202199786469389956474942774063845925192557326303453731548268507917026122142913461670429214311602221240479274737794080665351419597459856902143413

Computation time ca. 0.0000003 s on a fast laptop!

RSA768 – Largest RSA modulus that has been factored (12/12-2009). Up to 2007 there was 50 000$ prize money for this factorisation!

Computational effort?

• Factoring using NFS-algorithm (Number Field Sieve)
• 6 months using 80 cores to find suitable polynomial
• Sieving from August 2007 to April 2009 (1500 AMD64-years)
• 192 796 550 * 192 795 550 matrix (105 GB)
• 119 days on 8 different clusters
• Corresponds to 2000 years processing on one single core 2.2GHz AMD Opteron (ca. 2^67 instructions)

Asymmetric Ciphers: Examples of Cryptosystems

• RSA: best known asymmetric algorithm.
– RSA = Rivest, Shamir, and Adleman (published 1977)
– Historical Note: U.K. cryptographer Clifford Cocks invented the same algorithm in 1973, but didn't publish.
• ElGamal Cryptosystem
– Based on the difficulty of solving the discrete log problem.
• Elliptic Curve Cryptography
– Based on the difficulty of solving the EC discrete log problem.
– Provides same level of security with smaller key sizes.

Elliptic curves

(Spring 2014, UNIK 4250 Security in Distributed Systems)

• Let p ≥ 3 be a prime. An elliptic curve y^2 = x^3 + ax + b over GF(p) = Z_p consists of all solutions (x, y) ∈ Z_p × Z_p to the equation y^2 ≡ x^3 + ax + b (mod p)
• where a, b ∈ Z_p are constants such that 4a^3 + 27b^2 ≠ 0 (mod p), together with a special point O which is denoted as the point at infinity.

Elliptic curve over R

(Figure: plot of y^2 = x^3 – 4x with axes from -6 to 6. Remember O.)

Point addition

(Figure: two points x and y on the curve and their sum x + y.)
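The curve definition and the point-addition picture above carried out over a finite field, as an added example that is not from the lecture. It takes the curve the slide plots over R, y^2 = x^3 – 4x, and reduces it mod a small prime chosen here (p = 11, an assumption), checks the 4a^3 + 27b^2 ≠ 0 condition, enumerates the whole group including O, and implements chord-and-tangent addition and scalar multiplication, the operation whose inverse is the EC discrete log problem.

```python
# Curve y^2 = x^3 - 4x (the one plotted on the slide) reduced mod a tiny prime chosen for the
# example (assumption: p = 11), so a = -4 mod 11 = 7 and b = 0.
P_MOD = 11
A, B = (-4) % P_MOD, 0
O = None  # the point at infinity


def is_valid_curve(a: int, b: int, p: int) -> bool:
    """The slide's non-singularity condition 4a^3 + 27b^2 != 0 (mod p)."""
    return (4 * a ** 3 + 27 * b ** 2) % p != 0


def is_on_curve(pt, a=A, b=B, p=P_MOD) -> bool:
    """(x, y) in Z_p x Z_p satisfies y^2 = x^3 + ax + b (mod p); O is on every curve."""
    if pt is O:
        return True
    x, y = pt
    return (y * y - (x ** 3 + a * x + b)) % p == 0


def point_add(p1, p2, a=A, p=P_MOD):
    """Chord-and-tangent addition over Z_p, the group law the point-addition slide draws over R."""
    if p1 is O:
        return p2
    if p2 is O:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % p == 0:
        return O                                            # P + (-P) = O (vertical line)
    if p1 == p2:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p    # tangent slope (doubling)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p           # chord slope
    x3 = (lam * lam - x1 - x2) % p
    y3 = (lam * (x1 - x3) - y1) % p
    return (x3, y3)


def scalar_mult(k: int, pt, a=A, p=P_MOD):
    """k * pt by double-and-add; recovering k from (pt, k*pt) is the EC discrete log problem."""
    result, addend = O, pt
    while k > 0:
        if k & 1:
            result = point_add(result, addend, a, p)
        addend = point_add(addend, addend, a, p)
        k >>= 1
    return result


def enumerate_points(a=A, b=B, p=P_MOD):
    """All solutions (x, y) in Z_p x Z_p plus O, i.e. the whole group of the curve."""
    affine = [(x, y) for x in range(p) for y in range(p) if is_on_curve((x, y), a, b, p)]
    return affine + [O]
```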

Asymmetric Encryption: Basic encryption operation

• In practice, large messages are not encrypted directly with asymmetric algorithms. Hybrid systems are used, where only symmetric session key is encrypted with asymmetric alg.

(Figure: Alice takes Bob's public key from her public keyring and computes the ciphertext C = E(M, Kpub) in the encryption operation; Bob recovers the plaintext with his private key, M = D(C, Kpriv), in the decryption operation.)

Hybrid Cryptosystems

• Symmetric ciphers are faster than asymmetric ciphers (because they are less computationally expensive), but ...
• Asymmetric ciphers simplify key distribution, therefore ...
• a combination of both symmetric and asymmetric ciphers can be used – a hybrid system:
– The asymmetric cipher is used to distribute a randomly chosen symmetric key.
– The symmetric cipher is used for encrypting bulk data.

Confidentiality Services: Hybrid Cryptosystems

(Figure: Alice picks a random symmetric key K, encrypts the plaintext as C = E(M, K), and encrypts K with Bob's public key taken from her public keyring; Bob decrypts the encrypted K with his private key and recovers the plaintext M = D(C, K).)

Digital Signatures

Digital Signature Mechanisms

• A MAC cannot be used as evidence that should be verified by a third party.
• Digital signatures used for non-repudiation, data origin authentication and data integrity services, and in some authentication exchange mechanisms.
• Digital signature mechanisms have three components:
– key generation
– signing procedure (private)
– verification procedure (public)
• Algorithms
– RSA
– DSA and ECDSA

Practical digital signature based on hash value

(Figure: Alice computes the hash h(M) of plaintext M and signs the hashed message with her private key, Sig = D(h(M), Kpriv); the digital signature is sent with M. Bob recovers the hash from Sig with Alice's public key from his public keyring, h(M) = E(Sig, Kpub), computes the hash h(M') of the received plaintext M', and verifies h(M) = h(M').)
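The hash-then-sign flow of the figure above with textbook RSA, as an added example that is not from the lecture. It reuses the lecture's toy key (e, n) = (14213, 35011), (d, n) = (31613, 35011); because n is only 16 bits the SHA-1 digest has to be reduced mod n (an assumption made for the toy only, and one that makes this key far too weak for any real use).

```python
import hashlib

# Toy RSA key pair taken from the lecture's RSA example; far too small for real use.
PUBLIC_KEY = (14213, 35011)    # (e, n), Alice's public key
PRIVATE_KEY = (31613, 35011)   # (d, n), Alice's private key


def h(message: bytes, n: int) -> int:
    """h(M) as an element of Z_n. Assumption for the toy: the 160-bit SHA-1 digest is reduced
    mod n so that it can be signed with a 16-bit modulus."""
    return int.from_bytes(hashlib.sha1(message).digest(), "big") % n


def sign(message: bytes, private_key=PRIVATE_KEY) -> int:
    """Alice: Sig = D(h(M), Kpriv), i.e. h(M)^d mod n."""
    d, n = private_key
    return pow(h(message, n), d, n)


def recover_hash(sig: int, public_key=PUBLIC_KEY) -> int:
    """Bob: h(M) = E(Sig, Kpub), i.e. Sig^e mod n."""
    e, n = public_key
    return pow(sig, e, n)


def verify(received_message: bytes, sig: int, public_key=PUBLIC_KEY) -> bool:
    """Bob: compute h(M') over what he received and check it equals the hash recovered from Sig."""
    _, n = public_key
    return recover_hash(sig, public_key) == h(received_message, n)
```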

Digital Signatures

• To get an authentication service that links a document to A's name (identity) and not just a verification key, we require a procedure for B to get an authentic copy of A's public key.
• Only then do we have a service that proves the authenticity of documents 'signed by A'.
• This can be provided by a PKI (Public Key Infrastructure)
• Yet even such a service does not provide non-repudiation at the level of persons.

Difference between MACs & Dig. Sig.

• MACs and digital signatures are both authentication mechanisms.
• MAC: the verifier needs the secret that was used to compute the MAC; thus a MAC is unsuitable as evidence with a third party.
– The third party does not have the secret.
– The third party cannot distinguish between the parties knowing the secret.
• Digital signatures can be validated by third parties, and can in theory thereby support both non-repudiation and authentication.

Key length comparison: Symmetric and Asymmetric ciphers offering comparable security

AES key size (bits)   RSA key size (bits)   Elliptic curve key size (bits)
-                     1024                  163
128                   3072                  256
192                   7680                  384
256                   15360                 512

Another look at key lengths

(Figure.)

End of lecture