Week 2: Technologies & Classical Techniques
68-525 Encryption and Authentication Systems, Spring 2010
Approach
It helps to keep in mind our approach:
gain a broad, tech-oriented overview of how encryption and authentication are employed
armed with that perspective, we can then learn how the individual algorithms work, confident that we're not just studying theory for the sake of studying theory
Last time
Syllabus
Terms
Network vs. Computer Security
Types of attacks
Security Services (X.800)
Legal Responsibilities
Legality of Crypto
Last time (continued)
Symmetric encryption
Message integrity
Public-key encryption
Public-key authentication
Digital Signatures
Secure Key Transport
PK Infrastructure
Today
Specific applications of crypto-technology: Digital Signatures, PGP, Web of Trust, SSL, Certificates, IPsec
A first look at algorithms: classical techniques
Bob has two keys – a private key, and a matching public key. These keys were established using software (such as a PGP client)
These uber-attractive people have Bob’s public key, but only Bob has his private key. Having Bob’s public key allows them to send encrypted information to Bob and to verify that things they receive are from Bob.
Here’s an example. Susan wants to send an email to Bob that only Bob can see. So, she encrypts it using Bob’s public key
Sure enough, Bob decrypts it with his private key and ... voila! he can read it
Review of How Public-Key Works
How about authentication now? Well, the number one tool for doing authentication is to place a digital signature on a document. A digital signature attests to (1) the fact that Bob originated the document and (2) the document wasn’t modified in transit.
Bob will use some software tool to sign a document. Here’s how it works:
The tool runs the message through some hash function that compresses it down to some code that bears no statistical relationship to the original message. This is called the message digest.
The message digest is then encrypted using Bob’s private key to form the signature.
The signature is then appended to the document and sent down the wire to the recipient (in this case, Pat).
Pat receives the message. He decrypts the signature using Bob’s public key to retrieve the message digest.
Then, he hashes the original message to obtain the digest that corresponds to the message.
If the two message digests are the same, Pat knows:
(1) Bob was the sender of the message - authentication
(2) The message was not modified in transit – it has integrity
The major remaining stumbling block is ... how do we know Bob’s public key really is Bob’s?
After all, somebody else might pretend to be Bob and create a public key and send that to us.
The trick is to have some trusted third party – like Susan – sign Bob’s public key. To do this, Susan will have to review some identity information about Bob and then vouch that it really is Bob who is requesting to use a particular key.
This gives rise to a certificate. Susan is a certification authority.
Susan is a CA. She hashes Bob’s certification information and encrypts it using her private key to yield a signature, which she appends to Bob’s submission to form his certificate.
If Pat wants to verify that a message came from Bob, he first verifies Bob's certificate using Susan's public key (decrypting Susan's signature and comparing it with a fresh hash of the certification information). If that succeeds, he can go ahead and use Bob's public key to verify the signature on the message Bob sent. As long as he trusts Susan, Pat knows that that really is Bob's public key.
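The whole chain on the last few slides (hash, sign with the private key, verify with the public key, CA-issued certificate, Pat's two-step check) as an added, runnable Python example. This is not code from the lecture or from PGP/GPG; it uses a toy textbook RSA with hand-picked million-range primes (an assumption chosen so the digest fits the modulus; real keys are thousands of bits long and generated by the PGP software), and the certificate format (subject name plus key, signed by the CA) is a constructed simplification.

```python
import hashlib

# Toy RSA with hand-picked million-range primes (constructed for illustration;
# real keys are thousands of bits long and generated by the PGP/GPG software).
def make_keypair(p, q, e=65537):
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)            # private exponent (Python 3.8+ modular inverse)
    return (n, e), (n, d)          # (public key, private key)

BOB_PUB, BOB_PRIV = make_keypair(1000003, 1000033)
SUSAN_PUB, SUSAN_PRIV = make_keypair(999983, 1000037)   # Susan acts as the CA

def message_digest(message: bytes, n: int) -> int:
    """Hash the message, then reduce the digest into the signing modulus (toy sizing)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message: bytes, priv) -> int:
    """Encrypt the digest with the private key: that is the signature."""
    n, d = priv
    return pow(message_digest(message, n), d, n)

def verify(message: bytes, signature: int, pub) -> bool:
    """Decrypt the signature with the public key and compare with a fresh digest."""
    n, e = pub
    return pow(signature, e, n) == message_digest(message, n)

def _cert_body(subject: str, pub) -> bytes:
    # Constructed certificate layout: identity plus the key being vouched for
    return f"{subject}|n={pub[0]}|e={pub[1]}".encode()

def issue_certificate(subject: str, subject_pub, ca_priv) -> dict:
    """The CA hashes the identity + public key and signs it with the CA private key."""
    return {"subject": subject, "pub": subject_pub,
            "sig": sign(_cert_body(subject, subject_pub), ca_priv)}

def verify_certificate(cert: dict, ca_pub) -> bool:
    return verify(_cert_body(cert["subject"], cert["pub"]), cert["sig"], ca_pub)

def pat_checks(message: bytes, signature: int, cert: dict, ca_pub) -> bool:
    """Pat's procedure: trust the CA, hence trust the certified key, then check Bob's signature."""
    return verify_certificate(cert, ca_pub) and verify(message, signature, cert["pub"])

if __name__ == "__main__":
    msg = b"Pay Pat 100 dollars"
    sig = sign(msg, BOB_PRIV)
    cert = issue_certificate("Bob", BOB_PUB, SUSAN_PRIV)
    print("valid:", pat_checks(msg, sig, cert, SUSAN_PUB))
    print("tampered:", pat_checks(b"Pay Pat 900 dollars", sig, cert, SUSAN_PUB))
```

Note that a certificate Bob signs for himself fails `verify_certificate` under Susan's public key, which is exactly the "somebody else might pretend to be Bob" case the slide raises: without a signature from a CA Pat trusts, the key is just an unverified claim.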
Web of Trust
Of course, we might not know Susan, so how can we trust her? If somebody we trust signed Susan's certificate, then we can trust the certificate that Susan signed.
Building these chains of trusted people allows us to verify that a certificate is legitimate.
This is called a web of trust.
Example: PGP / GPG
PGP = Pretty Good Privacy
An encryption / authentication mechanism
Developed by Phil Zimmermann in 1991
Originally used just for email, but now used for all sorts of encryption
Open Standard: OpenPGP
GNU Privacy Guard (GPG) is OpenPGP-compliant
Getting GPG
The site for everything GPG is http://www.gnupg.org/
There are versions for most major operating systems
It is the most popular strong-encryption tool around today
[Figures: PGP Encryption (key of recipient), PGP Decryption, PGP Authentication (keys of sender)]
Brief GPG How-to
Generating a new key pair
gpg --gen-key
This will create a new public-key / private-key pair. The public key is what you can distribute to others.
Listing keys
gpg --list-keys
This lists all the public keys on your key ring. These are the people to whom you can send encrypted data and from whom you can accept a signature.
Exporting a key
gpg -o filename -a --export userOrKeyID
Once you have this key exported to a file, you can copy its contents into a form and post it on a keyserver, such as http://pgp.mit.edu/
Importing a key
gpg --import filename
In other words, if you have a public key stored in a file, you can add it to your keyring with this command. This will allow you to send that person encrypted data and to verify that person's signature.
Brief GPG How-to (continued)
Receiving a key from a key server
gpg --keyserver keyserverAddress --recv-keys keyID
You must do this in order to be able to send a user data encrypted using gpg.
Listing the fingerprint for a key
gpg --fingerprint userOrKeyID
This gives a shorthand version of a key that you can use to easily communicate a key to someone else. This helps with verification.
Publishing a key to a key server
gpg --keyserver keyserverAddress --send-key userOrKeyID
This is another way to publish your key to a publicly known keyserver.
Signing a key
gpg -u yourKey --sign-key userOrKeyID
This action indicates that you vouch for the authenticity of this key.
Encrypting and signing
gpg -o outputfilename -u senderUserOrKeyID -se -r recipientUserOrKeyID filename
Decrypting
gpg -o outputfile -u userOrKeyID -d filename
What's this "signing key" stuff?
It's how you build the web of trust. When you add a signature to a public key, you are vouching for the authenticity of that key.
GPG depends on this kind of activity. Key-signing typically takes place at ...
Key-Signing Parties
http://cryptnet.net/fdp/crypto/keysigning_party/en/keysigning_party.html
Key-Signing Party How-To
You go around giving others the id and fingerprint of your key. They do the same for you. For each key, you do the following:
gpg --keyserver keyserver --recv-keys keyID
gpg --fingerprint keyID
(check that this matches the one you received at the party)
gpg -u yourKeyToUse --sign-key keyID
gpg --keyserver keyserver --send-key keyID
Another example: SSL: Secure Sockets Layer
Protocol developed in 1996 by Netscape
Like PGP, uses a mix of public- and symmetric-key encryption
Uses a secret (symmetric) key to encrypt the data transferred over the SSL connection
URLs start with https: instead of http:
Where is it deployed?
[Figure: A View of SSL (label visible: private key)]
SSL Certificates
Enable SSL to do what it does
Contents:
Domain for which the certificate was issued
Legal owner of the certificate
IP address of server
Validity dates of certificate
Server's public key
Why use an SSL Certificate?
Confirms that you are who you say you are
Encrypts information sent between you and webserver
How does a server get a certificate?
Your server generates a public-key / private-key pair
The public key becomes part of a CSR (certificate signing request)
Other parts of the CSR typically include:
Organization Name
Organizational Unit
Country Code
State or Province
Locality
Common Name
To whom does the CSR go? It goes to a certificate authority
Remember this?
Susan is a CA. She hashes Bob's certification information and encrypts it using her private key to yield a signature, which she appends to Bob's submission to form his certificate.
We will take a look at the mechanics of creating a certificate later in the course
Security at a lower layer
These solutions that we have discussed all work at the application layer.
How about encrypting things at the IP layer?
That’s where IPSec comes in.
What is IPSec?
A set of protocols and standards to support the securing of data at the IP layer
It's a framework, not an implementation
Supports authentication & encryption
Certifies the originator of a packet
Protects data from interception and tampering while in transit
Good (although Microsoft-centric) description: http://www.microsoft.com/technet/network/ipsec/default.mspx
Why use IPSec?
Secures the network (remember the "secure the network" vs. "secure the host" debate)
Is transparent to applications
Secures any IP-based protocol
Supports legacy software and any IP-based tool in the future
Alternative to application-level security such as SSL
Broad industry support
Will be mandatory in IPv6
How is it transparent?
Disadvantages of IPSec
Processor overhead: encrypting and verifying each packet is hard
Network design is a bit more complex: additional devices
Two IPSec Protocols
There are 2 IPSec protocols:
Authentication Header (AH)
Encapsulating Security Payload (ESP)
Biggest difference: ESP encrypts, AH does not
Why both? AH is used for countries that have laws about encrypting
Security Associations
Security Associations are at the heart of IPSec
There are two SAs per IPSec connection
SAs specify:
Authentication algorithm & mode
Encryption algorithm & mode
Keys used for auth & encryption
Lifetime of the key
Lifetime of the SA
Source address of the SA
Sensitivity level (secret or unclassified)
Basics of IPSec Operation
We will cover how IPSec works later in the course. For now, understand this outline:
Internet Key Exchange (IKE): sets up a secure channel, negotiates SAs, negotiates algorithms and keys
Sending the initial AH/ESP packet: IKE exchange again, specific to what is being done (FTP, Telnet)
Traffic communicated using the SA
How IPsec works
Let’s Change Gears Bigtime
Now let’s shift into talking about algorithms
Some cryptography algorithms are very complicated - DES, AES
Some are quite easy - classical techniques
We’ll start by talking about the easy ones
Objectives
To demonstrate two building blocks of encryption: substitution and transposition
In the process, to learn some of the most popular pre-computer encryption techniques
Encryption and Decryption
[Figure: plaintext P and key K enter the encryption algorithm to give ciphertext C; C and key K enter the decryption algorithm to recover P]
C = E(K, P)   Encryption
P = D(K, C)   Decryption
Notation
Cryptanalysis
[Figure: the cryptanalyst observes ciphertext C, produced from plaintext P with key K, and outputs P̂ and K̂, the "cracked" plaintext and key]
System Perspective
Model of a Symmetric Cryptosystem
Cryptography Characteristics
Fundamental Operations, Number of Keys, Processing
Fundamental Operations
Substitution: replace elements with another set of the same size
Transposition: rearrange (permute) the elements
Cryptography Characteristics
Number of keys
One-key: symmetric / single-key / conventional
Two-key: asymmetric / two-key / public-key
Cryptography Characteristics
Processing
Block cipher: data grouped into larger units
Stream cipher: data considered as individual elements
Cryptography Characteristics
Cryptanalysis Characteristics
Method of attack, type of analytical study
Methods of Attack
Analytical: study the algorithm for weaknesses to exploit; can crack the plaintext or, better yet, the key
Brute force: try every possible key; key size is the crucial decision
Cryptanalysis Characteristics
Types of Analytical Study
The algorithm is usually known, but other items may or may not be:
Ciphertext only
Known plaintext
Chosen plaintext
Chosen ciphertext
Chosen text
Cryptanalysis Characteristics
Judging Cryptographic Systems
Unconditionally secure: no matter how much ciphertext is available, the plaintext can't be determined. Only a "one-time pad" achieves this level.
Conditionally secure: the cost required to break it exceeds the value of the encrypted information, or the time required to break it exceeds the useful lifetime of the encrypted information.
Brute Force Effort
Classical, Substitution-Based Techniques
Caesar Cipher
Monoalphabetic Substitution
Multiple Letter Encryption: Playfair, Hill
Polyalphabetic Substitution: Vigenère, Vernam, One-time Pad
Classical, Transposition-Based Techniques
Simple
Railfence
Column Transposition
Rotor Machines
Caesar Cipher
Replace each letter with the character 3 places to the right
Generalized: k places to the right
C = E(k, p) = (p + k) mod 26
p = D(k, C) = (C - k) mod 26
Substitution-based
Example: Caesar Cipher
Key 3
Plain  e v e r y g o o d b o y d o e s f i n e
Cipher H Y H U B J R R G E R B G R H V I L Q H
Key 5
Plain  e v e r y g o o d b o y d o e s f i n e
Cipher J A J W D L T T I G T D I T J X K N S J
Substitution-based
Caesar Easy to Crack
Can use brute force because:
Key size is small (only 25 keys)
Encryption and decryption algorithms are known
The language of the plaintext is known
Can make this harder to crack if you use an unknown plaintext language, such as a compressed binary format
Substitution-based
Monoalphabetic Substitution
Alpha: a b c d . . .
Perm:  e x w c . . .
Easy to crack using statistical techniques
Example:
char   a b c d e f g h i j k l m n o p q r s t u v w x y z
sub    D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
plain  e v e r y g o o d b o y d o e s f i n e
cipher H Y H U B J R R G E R B G R H V I L Q H
Substitution-based
Cracking Monoalphabetic Cipher
Easy to crack using statistical analysis
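The Caesar slides and the monoalphabetic slides describe one mechanism: a table mapping each plaintext letter to a cipher letter, with Caesar being the special case where the table is a rotation. The following Python is an added example (not the lecture's code) that implements the general substitution, derives the Caesar table from a shift k, enumerates the 25 candidate keys the "easy to crack" slide refers to, and computes the letter frequencies that survive any monoalphabetic substitution. The sample plaintext is the slide's own; the function names are assumptions.

```python
import string
from collections import Counter

ALPHABET = string.ascii_lowercase

def caesar_table(k: int) -> str:
    """Substitution table for a Caesar shift of k (k = 3 is the classic): a->d, b->e, ..."""
    k %= 26
    return ALPHABET[k:] + ALPHABET[:k]

def substitute(text: str, table: str) -> str:
    """Monoalphabetic substitution: plaintext letter i -> table[i]. Non-letters pass through."""
    assert sorted(table) == list(ALPHABET), "table must be a permutation of a-z"
    return "".join(table[ALPHABET.index(c)].upper() if c in ALPHABET else c
                   for c in text.lower())

def unsubstitute(text: str, table: str) -> str:
    """Inverse mapping: cipher letter -> position in table -> plaintext letter."""
    return "".join(ALPHABET[table.index(c)] if c in table else c for c in text.lower())

def caesar_encrypt(plaintext: str, k: int) -> str:
    return substitute(plaintext, caesar_table(k))          # C = (p + k) mod 26

def caesar_decrypt(ciphertext: str, k: int) -> str:
    return unsubstitute(ciphertext, caesar_table(k))       # p = (C - k) mod 26

def caesar_brute_force(ciphertext: str) -> dict:
    """The key space has only 25 keys, so list every candidate decryption."""
    return {k: caesar_decrypt(ciphertext, k) for k in range(1, 26)}

def letter_frequencies(text: str) -> dict:
    """Relative letter frequencies. A monoalphabetic cipher only relabels the letters,
    so the ciphertext shows the same distribution as the plaintext under new names."""
    letters = [c for c in text.lower() if c in ALPHABET]
    counts = Counter(letters)
    return {c: counts[c] / len(letters) for c in counts}

if __name__ == "__main__":
    c = caesar_encrypt("everygoodboydoesfine", 3)
    print(c)                                              # HYHUBJRRGERBGRHVILQH
    for k, candidate in caesar_brute_force(c).items():
        print(k, candidate)
```

Running the brute force over the slide's ciphertext prints 25 candidates, only one of which reads as English; the frequency function shows why a general (non-rotation) table does not help much: the most frequent ciphertext letter is simply the image of the most frequent plaintext letter.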
Substitution-based
Multiple-Letter Encryption
Playfair Cipher Hill Cipher
Substitution-based
Playfair Cipher
Not even the random substitution in a monoalphabetic cipher provides security
One approach to improving security was to encrypt multiple letters
The Playfair Cipher is an example, invented by Charles Wheatstone in 1854 but named after his friend Baron Playfair
Substitution-based
Playfair Key Matrix
a 5X5 matrix of letters based on a keyword
fill in letters of keyword (sans duplicates)
fill rest of matrix with other letters
Substitution-based
Playfair Key Matrix Example
Using the keyword "MONARCHY":
M O N A R
C H Y B D
E F G I/J K
L P Q S T
U V W X Z
Substitution-based
Encrypting and Decrypting
Plaintext is encrypted 2 letters at a time:
1. if a pair is a repeated letter, insert a filler like 'X'
2. if both letters fall in the same row, replace each with the letter to its right (wrapping back to the start from the end)
3. if both letters fall in the same column, replace each with the letter below it (again wrapping to the top from the bottom)
4. otherwise each letter is replaced by the letter in the same row and in the column of the other letter of the pair
Substitution-based
Example
Key: encrypt Plaintext: hello What is the ciphertext?
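The key-matrix construction and the four pairing rules above, as an added Python example (not from the lecture). Assumptions beyond the slides: I and J share one cell as in the MONARCHY matrix; when a doubled letter is itself X the filler used is Q (an added choice, since inserting X between two X's would loop); odd-length plaintext is padded with X; the function names are my own.

```python
import string

def playfair_matrix(keyword: str) -> list:
    """5x5 key matrix: keyword letters first (duplicates dropped), then the remaining
    letters in order. J is folded into I so the 26 letters fit 25 cells."""
    seen = []
    for c in keyword.upper() + string.ascii_uppercase:
        c = "I" if c == "J" else c
        if c.isalpha() and c not in seen:
            seen.append(c)
    return [seen[i:i + 5] for i in range(0, 25, 5)]

def _positions(matrix: list) -> dict:
    return {matrix[r][c]: (r, c) for r in range(5) for c in range(5)}

def _digraphs(plaintext: str) -> list:
    """Rule 1: split into pairs, inserting a filler when a pair would repeat a letter."""
    letters = ["I" if c == "J" else c for c in plaintext.upper() if c.isalpha()]
    pairs, i = [], 0
    while i < len(letters):
        a = letters[i]
        b = letters[i + 1] if i + 1 < len(letters) else None
        if b is None or a == b:
            pairs.append((a, "X" if a != "X" else "Q"))   # filler (Q if the letter is X)
            i += 1
        else:
            pairs.append((a, b))
            i += 2
    return pairs

def _transform(matrix: list, a: str, b: str, step: int) -> str:
    """Rules 2-4 for one pair; step=+1 encrypts, step=-1 decrypts (left/up instead)."""
    pos = _positions(matrix)
    (ra, ca), (rb, cb) = pos[a], pos[b]
    if ra == rb:                                   # rule 2: same row, shift along the row
        return matrix[ra][(ca + step) % 5] + matrix[rb][(cb + step) % 5]
    if ca == cb:                                   # rule 3: same column, shift down the column
        return matrix[(ra + step) % 5][ca] + matrix[(rb + step) % 5][cb]
    return matrix[ra][cb] + matrix[rb][ca]         # rule 4: opposite corners of the rectangle

def playfair_encrypt(keyword: str, plaintext: str) -> str:
    m = playfair_matrix(keyword)
    return "".join(_transform(m, a, b, +1) for a, b in _digraphs(plaintext))

def playfair_decrypt(keyword: str, ciphertext: str) -> str:
    """Ciphertext never contains a doubled pair, so it is split straight into pairs."""
    m = playfair_matrix(keyword)
    c = [x for x in ciphertext.upper() if x.isalpha()]
    return "".join(_transform(m, a, b, -1) for a, b in zip(c[0::2], c[1::2]))

if __name__ == "__main__":
    for row in playfair_matrix("encrypt"):
        print(" ".join(row))
    print(playfair_encrypt("encrypt", "hello"))
    print(playfair_decrypt("encrypt", playfair_encrypt("encrypt", "hello")))
```

Decryption returns the filler letters too (the plaintext "hello" comes back as HELXLO), which is why the rule 1 filler has to be a letter the reader can recognise and drop.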
Security of Playfair Cipher
Security much improved over monoalphabetic, since there are 26 x 26 = 676 digrams
Would need a 676-entry frequency table to analyze (versus 26 for a monoalphabetic)
Was widely used for many years, e.g. by US & British military in WW1
It can be broken, given a few hundred letters, since it still has much of the plaintext structure
Substitution-based
Hill Cipher
Uses matrix arithmetic to encrypt and decrypt:
C = K P mod 26
where C is the vector of ciphertext, K is a matrix representing the encryption key, and P is the vector of plaintext
To decrypt, K must have an inverse. Then, P = K^-1 C mod 26
Substitution-based
Example: Hill
Key = (3 4 5; 1 2 3; 2 1 2) Plaintext = e b d What is the ciphertext?
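The Hill cipher as an added Python example (not the lecture's code), including the part the slide leaves implicit: computing K^-1 mod 26 via the adjugate, and checking that the inverse exists at all. That check matters for the slide's own key: (3 4 5; 1 2 3; 2 1 2) has determinant 4, which shares the factor 2 with 26, so it can encrypt but cannot be decrypted. The generic n x n determinant and the padding letter X are my own choices; the second key used in the demo is a constructed invertible 3 x 3 matrix.

```python
import string

MOD = 26
ALPHABET = string.ascii_uppercase

def _minor(m: list, i: int, j: int) -> list:
    return [row[:j] + row[j + 1:] for k, row in enumerate(m) if k != i]

def _det(m: list) -> int:
    """Determinant by cofactor expansion along the first row (fine for small n)."""
    if len(m) == 1:
        return m[0][0]
    return sum((-1) ** j * m[0][j] * _det(_minor(m, 0, j)) for j in range(len(m)))

def is_invertible_mod26(k: list) -> bool:
    """K has an inverse mod 26 iff det(K) is coprime to 26 (no factor 2 or 13)."""
    try:
        pow(_det(k) % MOD, -1, MOD)
        return True
    except ValueError:
        return False

def inverse_mod26(k: list) -> list:
    """K^-1 = det^-1 * adj(K) mod 26, where adj(K) is the transposed cofactor matrix."""
    n = len(k)
    det = _det(k) % MOD
    try:
        det_inv = pow(det, -1, MOD)                  # Python 3.8+ modular inverse
    except ValueError:
        raise ValueError(f"det(K) = {det} shares a factor with 26; K has no inverse mod 26")
    adj = [[((-1) ** (i + j) * _det(_minor(k, j, i))) % MOD for j in range(n)]
           for i in range(n)]
    return [[(det_inv * adj[i][j]) % MOD for j in range(n)] for i in range(n)]

def _apply(k: list, text: str) -> str:
    """Multiply each n-letter block (as a column vector of 0..25) by K mod 26."""
    n = len(k)
    nums = [ALPHABET.index(c) for c in text.upper() if c.isalpha()]
    nums += [ALPHABET.index("X")] * (-len(nums) % n)   # pad the final block (added choice)
    out = []
    for i in range(0, len(nums), n):
        block = nums[i:i + n]
        out += [sum(k[r][c] * block[c] for c in range(n)) % MOD for r in range(n)]
    return "".join(ALPHABET[x] for x in out)

def hill_encrypt(k: list, plaintext: str) -> str:
    return _apply(k, plaintext)                       # C = K P mod 26

def hill_decrypt(k: list, ciphertext: str) -> str:
    return _apply(inverse_mod26(k), ciphertext)       # P = K^-1 C mod 26

if __name__ == "__main__":
    slide_key = [[3, 4, 5], [1, 2, 3], [2, 1, 2]]
    print(hill_encrypt(slide_key, "ebd"), "invertible:", is_invertible_mod26(slide_key))
    good_key = [[6, 24, 1], [13, 16, 10], [20, 17, 15]]     # constructed, det coprime to 26
    c = hill_encrypt(good_key, "ACT")
    print(c, hill_decrypt(good_key, c))
```

When choosing a Hill key, run `is_invertible_mod26` first: a key whose determinant is even or a multiple of 13 encrypts happily but destroys information, and the recipient has no way to recover the plaintext.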
Polyalphabetic Ciphers
Polyalphabetic substitution ciphers improve security by using multiple cipher alphabets
Make cryptanalysis harder, with more alphabets to guess and a flatter frequency distribution
Use a key to select which alphabet is used for each letter of the message
Use each alphabet in turn; repeat from the start after the end of the key is reached
Substitution-based
Vigenère Cipher
Simplest polyalphabetic substitution cipher
Effectively multiple Caesar ciphers: the key is multiple letters long
K = k1 k2 ... kd; the ith letter specifies the ith alphabet to use
Use each alphabet in turn
Vigenère Cipher (continued)
Repeat from the start after d letters in the message
Decryption simply works in reverse
A matrix called the Vigenère Tableau is generally helpful
Substitution-based
Vigenère Tableau
Substitution-based
Example of Vigenère Cipher
Write the plaintext out, write the keyword repeated above it, use each key letter as a Caesar cipher key and encrypt the corresponding plaintext letter, e.g. using keyword deceptive:
key:        deceptivedeceptivedeceptive
plaintext:  wearediscoveredsaveyourself
ciphertext: ZICVTWQNGRZGVTWAVZHCQYGLMGJ
Substitution-based
Security of Vigenère Ciphers
Have multiple ciphertext letters for each plaintext letter, hence letter frequencies are obscured but not totally lost
Strategy: start with letter frequencies and see if they look monoalphabetic or not
If not, then need to determine the number of alphabets, since then can attack each
Substitution-based
Kasiski Method for Breaking Vigenère
Method developed by Babbage / Kasiski
Repetitions in the ciphertext give clues to the period: the same plaintext an exact period apart results in the same ciphertext
For example, the repeated "VTW" in the previous example (slide 75) suggests a key size of 3 or 9
Then attack each monoalphabetic cipher individually using the same techniques as before
Substitution-based
Autokey Cipher
Ideally want a key as long as the message
Vigenère proposed the autokey cipher, in which the keyword is prefixed to the message to form the key
e.g. given key deceptive:
key:        deceptivewearediscoveredsav
plaintext:  wearediscoveredsaveyourself
ciphertext: ZICVTWQNGKZEIIGASXSTSLVVWLA
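One added Python example (not the lecture's code) covering the three Vigenère slides together: the repeating-key cipher and its decryption, the Kasiski observation that repeated ciphertext fragments sit a multiple of the period apart, and the autokey variant in which the recovered plaintext extends the key during decryption. The sample key and text are the slides' own; the function names and the choice to look for repeated trigrams are my assumptions.

```python
import string
from collections import defaultdict

A = string.ascii_uppercase

def _shift(letter: str, key_letter: str, sign: int) -> str:
    """One Caesar step: +1 adds the key letter's value, -1 subtracts it (mod 26)."""
    return A[(A.index(letter) + sign * A.index(key_letter)) % 26]

def _letters(text: str) -> list:
    return [c for c in text.upper() if c.isalpha()]

def vigenere_encrypt(key: str, plaintext: str) -> str:
    """Key letter i mod d selects the Caesar alphabet for plaintext letter i."""
    k = key.upper()
    return "".join(_shift(c, k[i % len(k)], +1) for i, c in enumerate(_letters(plaintext)))

def vigenere_decrypt(key: str, ciphertext: str) -> str:
    k = key.upper()
    return "".join(_shift(c, k[i % len(k)], -1) for i, c in enumerate(_letters(ciphertext)))

def autokey_encrypt(key: str, plaintext: str) -> str:
    """Key stream = keyword followed by the plaintext itself, so nothing repeats."""
    p = _letters(plaintext)
    stream = list(key.upper()) + p
    return "".join(_shift(c, stream[i], +1) for i, c in enumerate(p))

def autokey_decrypt(key: str, ciphertext: str) -> str:
    """Each recovered plaintext letter becomes the key letter for a later position."""
    stream, out = list(key.upper()), []
    for i, c in enumerate(_letters(ciphertext)):
        p = _shift(c, stream[i], -1)
        out.append(p)
        stream.append(p)
    return "".join(out)

def kasiski_distances(ciphertext: str, length: int = 3) -> dict:
    """Distances between repeated substrings of the given length. Identical plaintext
    encrypted under the same key alignment repeats, so the period divides these."""
    seen, dists = defaultdict(list), {}
    for i in range(len(ciphertext) - length + 1):
        seen[ciphertext[i:i + length]].append(i)
    for seq, pos in seen.items():
        if len(pos) > 1:
            dists[seq] = [b - a for a, b in zip(pos, pos[1:])]
    return dists

def candidate_periods(ciphertext: str, length: int = 3) -> set:
    """Divisors (> 1) common to every observed repeat distance."""
    ds = [d for lst in kasiski_distances(ciphertext, length).values() for d in lst]
    if not ds:
        return set()
    return {n for n in range(2, max(ds) + 1) if all(d % n == 0 for d in ds)}

if __name__ == "__main__":
    c = vigenere_encrypt("deceptive", "wearediscoveredsaveyourself")
    print(c, kasiski_distances(c), candidate_periods(c))
    print(autokey_encrypt("deceptive", "wearediscoveredsaveyourself"))
```

On the slide's ciphertext the only repeated trigram is VTW at distance 9, so the candidate periods are 3 and 9; the true key length is 9. The autokey output diverges from the Vigenère output exactly at the tenth letter, where the plaintext rather than the keyword starts supplying key letters.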
Substitution-based
Vernam Cipher
Similar to autokey in that the key is as long as the message itself
However, the key is completely random: no statistical relationship to the message
It may be repeating, however, and it may be reused
Each ciphertext character is determined by XOR-ing the plaintext character with the key character: Ci = Pi xor Ki
Each plaintext character is recovered by repeating the operation: Pi = Ci xor Ki
Example: Vernam
Key: cat Plain: dog What is the cipher text?
One-Time Pad
If a truly random key as long as the message is used, the cipher will be secure; this is called a One-Time Pad
It is unbreakable since the ciphertext bears no statistical relationship to the plaintext
Can only use the key once, though
Problems in generation & safe distribution of the key
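The XOR step of the Vernam cipher and the "use the key once" condition of the one-time pad, as an added Python example (not from the lecture). It encrypts the slide's "dog" / "cat" pair, generates a random pad of the right length with the standard `secrets` module, and shows what reusing a pad gives away: XOR-ing two ciphertexts made with the same pad cancels the pad and leaves the XOR of the two plaintexts. Function names are assumptions; the sample messages are constructed.

```python
import secrets

def vernam(data: bytes, key: bytes) -> bytes:
    """C_i = P_i xor K_i. Applying the same function to the ciphertext decrypts it."""
    if len(key) < len(data):
        raise ValueError("key must be at least as long as the message (one-time pad rule)")
    return bytes(d ^ k for d, k in zip(data, key))

def make_pad(length: int) -> bytes:
    """A fresh, uniformly random pad from the OS CSPRNG; never reused."""
    return secrets.token_bytes(length)

def pad_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """If one pad K encrypts P1 and P2, then C1 xor C2 = (P1 xor K) xor (P2 xor K) = P1 xor P2:
    the pad drops out and the relationship between the two messages is exposed."""
    return bytes(a ^ b for a, b in zip(c1, c2))

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

if __name__ == "__main__":
    c = vernam(b"dog", b"cat")                       # slide example: Key cat, Plain dog
    print(c.hex(), vernam(c, b"cat"))                # 070e13 b'dog'
    pad = make_pad(5)
    c1, c2 = vernam(b"hello", pad), vernam(b"world", pad)
    print(pad_reuse_leak(c1, c2) == xor_bytes(b"hello", b"world"))   # True
```

The slide's own "cat" is three characters, exactly as long as "dog", so it satisfies the length rule; what makes it a Vernam key rather than a one-time pad is that it is a word, not a random string, and that it would presumably be reused.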
Transposition Ciphers
Now consider classical transposition or permutation ciphers
These hide the message by rearranging the letter order without altering the actual letters used
Can recognize these since they have the same frequency distribution as the original text
Rail Fence cipher
Write message letters out diagonally over a number of rows, then read off the cipher row by row. E.g. write the message out as:
m   e   m   a   t   r   h   t   g   p   r   y
  e   t   e   f   e   t   e   o   a   a   t
giving ciphertext MEMATRHTGPRYETEFETEOAAT
Row Transposition Ciphers
A more complex transposition
Write letters of the message out in rows over a specified number of columns
Then reorder the columns according to some key before reading off the rows
Key:        4 3 1 2 5 6 7
Plaintext:  a t t a c k p
            o s t p o n e
            d u n t i l t
            w o a m x y z
Ciphertext: TTNAAPTMTSUOAODWCOIXKNLYPETZ
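Both transposition slides, as one added Python example (not the lecture's code): a rail fence generalised to any number of rails (the slide uses two), the row transposition with the slide's key 4 3 1 2 5 6 7, decryption for each, and the frequency check from the "Transposition Ciphers" slide, which recognises a transposition because the ciphertext contains exactly the plaintext's letters. Padding the last row with X and the function names are my assumptions; the sample messages are the slides' own.

```python
def _rail(i: int, rails: int) -> int:
    """Row index of the i-th letter on a zigzag over `rails` rows (0,1,..,r-1,..,1,0,...)."""
    if rails == 1:
        return 0
    cycle = 2 * rails - 2
    r = i % cycle
    return r if r < rails else cycle - r

def _letters(text: str) -> list:
    return [c for c in text.upper() if c.isalpha()]

def rail_fence_encrypt(plaintext: str, rails: int = 2) -> str:
    """Write diagonally over the rails, then read each rail left to right."""
    rows = [[] for _ in range(rails)]
    for i, c in enumerate(_letters(plaintext)):
        rows[_rail(i, rails)].append(c)
    return "".join("".join(r) for r in rows)

def rail_fence_decrypt(ciphertext: str, rails: int = 2) -> str:
    """Rebuild the zigzag pattern, then hand ciphertext letters back rail by rail."""
    n = len(ciphertext)
    pattern = [_rail(i, rails) for i in range(n)]
    out, it = [None] * n, iter(ciphertext)
    for r in range(rails):
        for i in range(n):
            if pattern[i] == r:
                out[i] = next(it)
    return "".join(out)

def _column_order(key: list) -> list:
    """Column indices in the order the key reads them: key value 1 first, then 2, ..."""
    return sorted(range(len(key)), key=lambda j: key[j])

def row_transposition_encrypt(key: list, plaintext: str) -> str:
    letters = _letters(plaintext)
    ncols = len(key)
    letters += ["X"] * (-len(letters) % ncols)        # pad the last row (added choice)
    rows = [letters[i:i + ncols] for i in range(0, len(letters), ncols)]
    return "".join(row[j] for j in _column_order(key) for row in rows)

def row_transposition_decrypt(key: list, ciphertext: str) -> str:
    ncols = len(key)
    nrows = len(ciphertext) // ncols
    cols = {}
    for idx, j in enumerate(_column_order(key)):       # ciphertext arrives column by column
        cols[j] = ciphertext[idx * nrows:(idx + 1) * nrows]
    return "".join(cols[j][r] for r in range(nrows) for j in range(ncols))

def same_letters(a: str, b: str) -> bool:
    """Transposition leaves the letter multiset (hence the frequency distribution) unchanged."""
    return sorted(_letters(a)) == sorted(_letters(b))

if __name__ == "__main__":
    print(rail_fence_encrypt("meetmeafterthetogaparty"))           # MEMATRHTGPRYETEFETEOAAT
    print(row_transposition_encrypt([4, 3, 1, 2, 5, 6, 7], "attackpostponeduntiltwoamxyz"))
```

The `same_letters` check is the cryptanalyst's first test from the transposition slide: if the ciphertext's letter counts match those of English (or of a suspected plaintext), only the order has been disturbed and a substitution cipher can be ruled out.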
Product Ciphers
Ciphers using substitutions or transpositions alone are not secure because of language characteristics
Hence consider using several ciphers in succession to make it harder, but:
two substitutions make a more complex substitution
two transpositions make a more complex transposition
but a substitution followed by a transposition makes a new, much harder cipher
This is the bridge from classical to modern ciphers
Rotor Machines
Before modern ciphers, rotor machines were the most common complex ciphers in use; widely used in WW2
German Enigma, Allied Hagelin, Japanese Purple; see http://russells.freeshell.org/enigma/
Implemented a very complex, varying substitution cipher
Used a series of cylinders, each giving one substitution, which rotated and changed after each letter was encrypted
With 3 cylinders have 26^3 = 17576 alphabets
Rotor Machine Schematic
Example Rotor Machine
Steganography
An alternative to encryption; hides the existence of the message
Using only a subset of letters/words in a longer message, marked in some way
Using invisible ink
Hiding in the LSB of a graphic image or sound file
Has drawbacks: high overhead to hide relatively few information bits
Next week
Data Encryption Standard Text Chapter 3 and a little of Chapter 6