15-349

Introduction to Computer and Network Security

Iliano Cervesato

24 August 2008 – Introduction to Cryptography

2

Where we are

Course intro Cryptography

Intro to crypto Modern crypto Symmetric encryption Asymmetric encryption Beyond encryption Cryptographic protocols Attacking protocols

Program/OS security & trust Networks security Beyond technology

3

Outline

Basic concepts Protecting information Goals of cryptography Brief history

Cryptographic toolbox (preview) Cryptanalysis

Traditional attack models Side-channel attacks

Early ciphers Substitution ciphers Transposition ciphers

4

Confidentiality of Communication

Implement a virtual trusted channel over an insecure medium

E D

5

Confidentiality of storage

Implement a virtual trusted safebox over an insecure storage medium

E

6

Insecure Channels

External observer can

Read traffic Interception

Inject new traffic Fabrication

Block traffic … (sometimes) Interruption

Modify traffic … (sometimes) Modification

Activeattack

Passiveattack

7

Representing Data

Divide data into blocksCharacter, records, …

Represent each block by a numberE.g., ASCII

Why?Cryptography is based on

mathematics

8

Encryption and Decryption

E, D realize a virtual trusted channel

ED

Message(cleartext,plaintext) Message

(cleartext, plaintext)

Encrypted message(ciphertext)

Encrypted message(ciphertext)

Encryption

Decryption

XX

9

Keys

What are E and D? Channel-specific algorithm

Requires a lot ofalgorithms Hard

Universal algorithmsParameterized by key

Easier– 1 algorithm– Large space of keys

Em s

Em s

k

10

Classical Cryptography

E, D realize a virtual trusted channel, given key

ED

Message(cleartext,plaintext) Message

(cleartext, plaintext)

Encrypted message(ciphertext)

Encrypted message(ciphertext)

Encryption

Decryption

key key

XX

11

Goals of Cryptography

Not just about confidentiality! Integrity

Digital signatures Hash functions

Non-repudiation, fair exchange Contract signing

Anonymity Electronic cash Electronic voting

…Non-goals Denial of service

12

A Brief History of Cryptography

~2000 years ago: Substitution ciphers

A few centuries later: Transposition ciphers

Renaissance: Polyalphabetic ciphers

1844: Mechanization

1976: Public-key cryptography

13

Substitution Ciphers

Replace each letter with another

Key: substitution table How to break it?

Brute force? 26! possibilities (= 4x1026) Count the frequencies of letters, pairs, …

Koran was tabulated by 1412

Ciphertext is enough: ciphertext-only attack

Example:

A CB ED F

…X AY BZ C

Caesar’s cipher:

QVAQBCWZQRLWDVEFW

V XW MX TY JZ P

O SP RQ IR DS UT YU K

H LI QJ NK HL FM AN B

A VB EC ZD CE WF GG O

IAMINDECIPHERABLE

14

Renaissance Ciphers

Use message and key letters for cipher

Key: a word (CRYPTO) Example:

Polyalphabetic cipher: Encryption of letter is context-dependent

Seed of modern cryptography

CRYPTOCRYPTOCRYPTWHATANICEDAYTODAY

ZZZJUCLUDTUNWGCQS

+ (mod 26)

15

Book Ciphers

Same thing but with very long key Key: a poem, a book, …

(TOBEORNOTTOBETHATISTHEQUESTION…) Example:

… there are not all that many famous books, poems, etc.

TOBEORNOTTOBETHATWHATANICEDAYTODAY

PVBXOEVQXWOZXHKAR

+ (mod 26)

16

One-Time Pad

Same thing, but now key is a infinite random string

Example:

This is a perfect cipher How to remember/transmit the key??

Short key stretched by means of a random number generator

Vernam cipher Use (xor) to combine key and message

YKSUFTGOARFWPFWELWHATANICEDAYTODAY

ZZZJUCLUDTUNWGCQS

+ (mod 26)

17

Book Ciphers

Same thing, but now use a very long key

18

Transposition Ciphers

Switch letters around by a permutation

Example: HELLOWORLD Key: permutation

Breakable with ciphertext-only attack

1 2 3 4 5

3 5 4 1 2k =

LOLHERDLWO

19

More transposition

Write code in rows and read it in columns

A very regular type of permutation

THEGOALOFSUBSITUTIONISCONFUSIONXXXX

THE GOAL OF SUBSITUTION IS CONFUSION

TOTSIHFUCOESTONGUINXOBOFXASNUXLIISX

20

Confusion and Diffusion

Confusion Replace symbol with

another

Diffusion Mix up symbols

WHATANI

ZZZJUCL

WHATANI

ANWIHAT

Modern ciphers are a combination

21

Mechanization

1844: invention of telegraph Beginning of civilian crypto

Rotor machines Key: initial position of rotors Culminate in WW II

1975: DES 1996-2000 AES

1976: Public key cryptography

We willexaminein somedetail

Th

e E

nig

ma

22

Cryptographic Toolbox

EncryptionSymmetricAsymmetric

DigestsHashing

Digital signaturesCertificates

23

Symmetric Encryption

Dk(Ek(m)) = m

ED

MM

XX

kMessage(cleartext)

Message(cleartext)

Encrypted message(ciphertext)

Encrypted message(ciphertext)

Secret key

Decryption

box

Encryption

box

24

Asymmetric Encryption

Dk (Ek(m)) = m

ED

MM

XX

k

Cleartext

Cleartext

CiphertextCiphertext

Public key

Decryption

box

Encryption

box

k-1

Private key

-1

Public data

k

25

Digital Signatures

Vk (m,s) =

SV

MM

M, sM, s

kMessage

Message

SignatureSignature

signature key

Verification

box

Signature

box

k-1

Verification key

-1

Public data

k

true if s =Sk(m)

false otherwise

26

Certificates

How do you know this public key is mine?

CertificateBinding between key and ownerCertified by authority

Who is the authority?Public-key infrastructure

27

Message Digests

Short message to certify integrity Un-keyed

Checksums, hashesNo crypto

Anybody can calculate/modify it

KeyedMACsBased on a secret key

Only owners can calculate/modify it

28

Cryptanalysis

The art science of breaking a cipher Try all possible plaintext corresponding to a

ciphertext Plain silly!

Try all possible keys for an encryption algorithm Algorithm must be known Enormous space of keys

Exploit weaknesses, regularities, shortcuts Side-channel attacks E.g., basic substitution cipher

29

What is “breaking a cipher”?

Recover the key kHardOften not needed!

Decipher a single message Decipher all messages Modify messages

“Attack at dawn” “attack at dusk”

Exploit properties of the cipher

30

Attack Models

Good ciphers resist all attack models

x

Random

Ciphertext Only

m, x

Ek(m)

Known Plaintext

Random

x, m

Dk(x)

Chosen Ciphertext

Chosen

m, x

Ek(m)

Chosen Plaintext

Chosen

31

Sneaky Attacks

Obtain the key somehow Network sniffers, worms, backup tapes, … Blackmail, bribery, torture, …

Side-channel cryptanalysis Power consumption Encryption time Radiation

Be careful!

off-peak computation

random noise physical shielding

Better implementation and design

From http://www.cryptography.com/dpa/technical

Detail: Round 2 Round 3

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16

Differential Power Analysis on DES