Cryptography

CS461 - Spring 2007

Nikita Borisov

Research Opportunities

• Information Trust Institute undergraduate research internship program http://www.iti.uiuc.edu/iti_funding_opportunities.html

Apply by March 5

Overview

• Introduction to cryptography and cryptanalysis

• Historical ciphers• DES and AES• Stream ciphers and cipher modes

Readings

• Ch. 9 of textbook• “Applied Cryptography” by Bruce Schneier

Accessible description of cryptographic primitives

• “Handbook of Applied Cryptography” by Menezes, van Oorschot, Vanstone Dense, makes a good reference Available online• http://www.cacr.math.uwaterloo.ca/hac/

Definitions

• Cryptosystem Transforms plaintext into ciphertext using a key ciphertext unintelligible without knowledge of key

• Cryptography Cryptology (design of cryptosystems) +

cryptanalysis (study of cryptosystems)

• Always go hand in hand

Warning!

• “A little knowledge is a dangerous thing” Very true in cryptography

Historical Ciphers

• Caesar cipher

Caesar Cipher

• More formally: Encrypt(Letter, Key) = (Letter + Key) (mod 26) Decrypt(Letter, Key) = (Letter - Key) (mod 26)

• Encrypt(“NIKITA”, 3) = “QLNLWD”• Decrypt(“QLNLWD”, 3) = “NIKITA”

Attacks

• Ciphertext only attack: Recover plaintext knowing only the ciphertext

• Ciphertext: HSPAA SLRUV DSLKN LPZHK HUNLY VBZAO

PUN

Frequency analysis

HSPAA SLRUV DSLKN LPZHK HUNLY VBZAO PUN

• Find most frequent letters 4 times: L 3 times: A, H, N, P, S, U

• Guess: Decrypt(L) = E Key = L-E = 7 Decrypt(HSPAA SLRUV DSLKN LPZHK HUNLY

VBZAO PUN, 7) = ALITT LEKNO WLEDG EISAD ANGER OUSTH ING

Brute force• Ciphertext = IGKYGXOYOTYKIAXK

Decrypt(IGKYGXOYOTYKIAXK, 1) = HFJXFWNXNSXJHZWJ

Decrypt(IGKYGXOYOTYKIAXK, 2) = GEIWEVMWMRWIGYVI

Decrypt(IGKYGXOYOTYKIAXK, 3) = FDHVDULVLQVHFXUH

Decrypt(IGKYGXOYOTYKIAXK, 4) = ECGUCTKUKPUGEWTG

Decrypt(IGKYGXOYOTYKIAXK, 5) = DBFTBSJTJOTFDVSF

Decrypt(IGKYGXOYOTYKIAXK, 6) = CAESARISINSECURE

Vigenere cipher

• A different caesar cipher per letter MORESECURETHANCAESAR (Ciphertext)

+ SECRETSECRETSECRETSE (Key)

= FTUWXYVZUWYBTSFSJMTW M (13) + A (19) = F (6) mod 26 O (15) + E (5) = T (20) mod 26 ...

Vigenere analysis

• Key space? 26Length(Key)

10-20 characters to prevent brute force on modern computers

• Frequency analysis? Doesn’t work because of different keys

Vigenere Analysis

• Guess period = p• Construct p frequency tables

Cryptanalyze each onehttp://math.ucsd.edu/~crypto/java/EARLYCIPHERS/Vigenere.html

• Better yet, recover period Look for repeated n-grams

n-gram analysis• JBEDH WKDIT ZVIRR FEVYJ VSNTY BWTEG MLGMT QNIFG

LRIIN KAIXQ GEZLX YUXEC TCZDG OMBRX IOPGH WVQJL RRIIJ SPVLE DEPEW HVYYM SYBTR DXHZM WIUNU IGAYQ NHRIT VDMTY XRKXY PCTCV HJRFV IJIMA MXWLF GEJLECTC: 59, 136 (7, 11)ED: 89, 2 (87)FG: 38, 154 (2, 4, 29)GM: 29, 32 (3)HW: 4, 74 (2,5,7)II: 82, 42 (2, 4, 8, 5)IJ: 145, 83 (2, 31)IT: 123, 8 (5, 23)JL: 157, 78 (79)LE: 158, 88 (2, 5, 7)YB: 101, 24 (7, 11)

LR: 40, 79 (3,13)MT: 33, 127 (2, 47)RF: 14, 142 (2, 4, .., 128)RII: 81, 41 (2, 4, 8, 5)RI: 41,81,122 (1)RR: 13, 80 (67)TC: 137, 60 (7, 11)TY: 23, 128 (3, 5, 7)VI: 11, 144 (7, 19)VY: 17, 96 (79)XY: 133, 54 (79)

Substitution cipher

• Each letter gets mapped to another letter E.g. A -> E, B -> R, C -> Q, ...

• What’s the key space? 26!

• Cryptogram puzzles in newspapers How do you solve them?

Permutation Cipher

• Rearrange letters instead of substituting them• E.g.

Plaintext = “HELLO WORLD” H W E O L R L L O D Ciphertext = “HWEOLRLLOD”

Modern Ciphers

• Enigma Machine to encrypt German

communications in WWII Consisted of plug board, 3 rotors,

and reflector board Each implemented a substitution Rotors shifted after each letter,

so like Vigenere, but with period of about 16,900

Enigma cryptanalysis

• Brute force out of the question 1023 keys if plugboard is known, or 10114 if unknown

• Known plaintext attack Learn (or guess) part of plaintext, decrypt the rest How to obtain plaintext?• “Nothing to report” is a common one• “eins” (1) appeared in 90% of messages• Set up mines in some area, look for reports

• Bombe, designed by Alan Turing Automated cryptanalysis based on known plaintext and

frequency analysis tests

Data Encryption Standard (DES)• Designed at IBM in 1975

Based on Lucifer designed by Feistel and Coppersmith

Changes suggested by the NSA

• Standardized by NIST in 1977 Official cipher for civilian cryptography Reviewed by the NSA

• Combines substitutions and permutations Operates on bits

Feistel Network

• Iterative structure• Efficient hardware

implementation• Non-linear element

F provides security• Multiple rounds

provide mixing (diffusion) between the two halves

“F” of DES

DES Criticism

• NSA involvement in DES design was criticized

• Allegedly, they: Made it deliberately weaker (56-bit keys) Modified S-boxes

• Idea is that the NSA made DES easy for them to break, but not everyone else

Differential Cryptanalysis

• Invented in 1990 by Shamir and Biham• Linear encryption:

E(P xor ∆) = E(P) xor E(∆)

• Non-linear element (S-boxes) designed to prevent this

• Differential characteristic E(P xor ∆) = E(P) xor ∆’ with “high” probability Obtain many pairs E(P xor ∆) and E(P) Look for statistical patterns, recover key

Chosen Plaintext

• Chosen plaintext attack Find encryption of particular plaintext (pairs in this

case), use it to recover key / decrypt other messages

Is this a practical attack?

• Not practical for DES 247 chosen plaintexts required! S-boxes were found to specifically resist

differential attacks

Key size

• 256 not that large• In 70’s, published design of a $20M machine to

break DES in a day Within the NSA’s budget

• 1998: “Deep Crack” Built by EFF for ~$250,000 Broke DES challenge in 56 hours

• Other distributed projects broke other challenges• NIST reaffirmed as federal standard, but Triple-DES

recommended

Triple-DES

• C = Encrypt(K1, Decrypt(K2, Encrypt(K3, P)))

• Key length = 168 bits• Effective key length: 112 bits

Meet in the middle attack: Pick all pairs K1, K2 and encrypt plaintext

Pick all values of K3 and decrypt ciphertext

Look for matches

• Still too slow for brute force

AES contest

• Death of DES of imminent• Triple-DES secure, but slow in software

DES designed for hardware implementation

• NIST held a contents to find an ``Advanced Encryption Standard’’

• Started in 1997, finished in 2001

AES Criteria

• Requirements Symmetric block cipher Large key size: 128, 192, or 256 bits Large block size: 128 bits

• Desired features: Security Performance (hardware and software) Simplicity Flexibility Licensing

AES Selection Process

• 15 entrants• Two conferences:

Aug 1998, March 1999

• Teams analyze their own and each other’s designs

• After 1999 conference, 5 were left standing

AES Finalists

• MARS (Coppersmith, DES veteran) “Kitchen sink” cipher

• RC6 (Rivest)• Rijndael (Rijmen, Daemen)

Simple algebraic structure

• Serpent (Anderson, Biham, Knudsen)• Twofish (Schneier, Kelsey, Whiting, Wagner,

Hall, Ferguson)

AES winner

• AES3 conference in April 2000• Winner chosen in October 2000

Rijndael was selected Basic feeling: all algorithms are “good enough” on

security, but Rijndael is simple and fast

• AES and Rijndael now synonymous Most recent encryption standards use it

DES and AES redux

• DES kick-started the field of open cryptanalysis Closed cryptanalysis was much further ahead

back in the 70’s, claim is we only recently caught up

• AES rejuvenated the field of cipher design Many new ideas explored NIST selection process largely praised

• Cipher design notoriously hard Best security assurance is peer analysis

Midterm Statistics

• Average: 74.3, Median 77

Message Size

• DES and AES are block ciphers Encrypt a block of 64 or 128 bits into another

block of 64 or 128 bits

• Most messages we want to encrypt are larger than a block (some are smaller)

• How do we use block ciphers?

Electronic Code Book

• Split message up into blocks• Encrypt each one separately• I.e.

P = P1 | P2 | P3 | ... C = E(K,P1) | E(K, P2) | E(K, P3) | ...

• Easy but not very secure

Plaintext

Ciphertext

Randomized Encryption

• Block ciphers are deterministic• If P1 = P2 then E(K, P1) = E(K, P2)• This is undesirable for many contexts

• Randomized encryption: C = Encrypt(K, R, P) R is not secret, often embedded as part of C

• E.g.: Encrypt(K,R,P) = (R, E(K, P xor R))

Cipher Block Chaining (CBC)

• Builds on randomized encryption• Uses a single R per message:

C1 = E(K, P1 xor R) C2 = E(K, P2 xor C1) C3 = E(K, P3 xor C2) ...

• R called Initialization Vector or IV

CBC Diagram

CBC Decryption

Cipher Block Chaining

• Security Single bit change in plaintext affects all following

bits

• Resilience Ciphertext error results in two corrupted blocks

• Synchronization Recover after losing sync with sender

• Parallelism Decryption only requires previous cipher block

Propagating CBC

• C1 = E(K, P1 xor IV)• C2 = E(K, P2 xor P1 xor C1)• C3 = E(K, P3 xor P2 xor C2)

• Single bit error in ciphertext propagates to all following bits Why would we want this?

Ciphertext Feedback Mode

• Encrypt: C1 = E(K, IV) xor P1 C2 = E(K, C1) xor P2 ...

• Decrypt P1 = E(K, IV) xor C1 P2 = E(K, C1) xor C2 ...

CFB diagram

CFB decryption

CFB

• Error propagation Plaintext bit: forever Ciphertext bit: two blocks

• Advantages over CBC Only use Encrypt function, never Decrypt No need to pad message

Output Feedback

• Special output sequence: O1 = E(K, IV) O2 = E(K, O1) ...

• Encryption / decryption Ci = Pi xor Oi Pi = Ci xor Oi

OFB diagram

OFB properties

• No error propagation Single bit error affects only one bit

• No padding required Like CFB

• Encryption and decryption are the same• Can precompute Oi sequence

Only one XOR left to encrypt Good for streaming multimedia

Stream Ciphers

• Used to encrypt streaming data• Basic operation:

Keystream generator:• Key,IV -> Keystream• Key short, Keystream long (“infinite”)

Encryption / Decryption• Ciphertext = Plaintext xor Keystream• Plaintext = Ciphertext xor Keystream

• Often very fast, esp. in hardware

LFSRs

• Linear Feedback Shift Register

• Very fast to implement in hardware• Maximal period (2^n-1)

LFSR-based stream ciphers

• Combine one or more LSFRs in a non-linear fashion Why non-linear?

• A5/1, A5/2 used in GSM cellphones (broken)

RC4

• Stream cipher designed by Ron Rivest• Simple, fast to implement in software• Very popular

Used in SSL/TLS, WEP/WPA

RC4for i=0 to 255 S[i] = ij=0for i=0 to 255 j = (j + S[i] + key[i mod keylen]) mod 256 swap(S[i],S[j])

i=j=0while True

i = i+1 mod 256 j = j + S[i] mod 256 swap(S[i],S[j]) output S[S[i]+S[j]]

Stream cipher concerns

• Must be very careful about choosing IV Do not want to use the same key stream to

encrypt two plaintexts C1 = P1 xor Keystream C2 = P2 xor Keystream C1 xor C2 = P1 xor P2

• Must worry about integrity Attacker can change: “PAY ALICE $1M” to “PAY

NIKITA$1M” by flipping bits NB: Other modes don’t solve integrity either

Counter Mode

• Another way to turn block cipher into stream cipher• C1 = E(K, IV+1) xor P1• C2 = E(K, IV+2) xor P2• ...

• Completely parallelizable• Random access possible

Decrypt block n without computing other blocks

• AES-CTR is a popular choice today

One-Time Pads

• Inspiration for stream ciphers len(Key) = len(Message) Ciphertext = Plaintext xor Key

• Unconditionally secure Even under brute force attack Different key yields different plaintexts

• Used for highly secure communication Same problem as stream ciphers

For exams & homeworks

• Define cryptography / cryptology / cryptanalysis• Ciphertext only / known plaintext / chosen plaintext• Understand early ciphers and how to attack them• DES: what are weaknesses, what is triple-DES,

meet-in-the-middle attack• AES: motivation for AES, name of winner• Everything from today’s lecture, except RC4 source

code