Introduction to Cryptography
INFSCI 1075: Network Security – Spring 2013
Sam T. Zargar
2
Security Features and Mechanisms
Security Features (Security Services) Measures intended to counter security attacks by
employing security mechanisms Take on functions of physical documents and procedures
like signatures, identity cards, endorsements, etc. Typical services: Confidentiality, integrity,
authentication, non-repudiation, and availability. Security Mechanisms
Prevent, detect, and recover from security attacks No single security mechanism can provide all the
security services
3
Remarks
Not all security services can be provided by a single security mechanism
Cryptography, if used cleverly and correctly, can provide several of the security services
Cryptography is the backbone of most security mechanisms SSL, SSH, IPSec, WPA, Kerberos, VPNs, Dial-up, etc.
Cryptography: using encryption and decryption principles/methods to conceal information
4
Limitations of Cryptography
Cryptography is not a complete solution in itself Systems and networks are not secure today
Not because of the mathematics behind cryptography The math is sound
Implementation of the cryptosystems and usage of cryptography in protocols are occasionally flawed
The human factor Why you need to study cryptography
An important component of information security today Awareness of what is used where and why it works Sense of why crypto in itself is not enough, but you need
things around it to make networks and systems secure
History For thousands of years
people have used methods of concealing information Concealing Ciphering or
Encryption Examples
Writing concealed information from the illiterate
Mirrors were used in India Tattoo messages on scalps and
allow hair to grow Biblical times (500 BC)
Substitution of one alphabet by another in a systematic way
Sparta (500 BC) Scytale (sitaali) http://en.wikipedia.org/wiki/Scyt
ale
5
6
History (2) Caesar Cipher (50 BC)
Described by Julius Caesar Example of a Shift Cipher
World War I Creation of many new ciphers ADFGVX code by the German military in World War 1
A product cipher Cryptography and Mathematics
Linkages started in the 1920s Extended to World War II Information Theory played a role in 1949 when Shannon
defined “perfect secrecy”
7
Modern Times Data Encryption Standard (DES)(1977)
Opened up a new area of research for securing digital information
All encryption algorithms from BC till 1976 were secret key algorithms Also called private key algorithms or
symmetric key algorithms Public key algorithms were introduced in
1976 by Whitfield Diffie and Martin Hellman (asymmetric)
Some Basic Terminology
8
Plaintext - original message
Ciphertext - coded message
Cipher - algorithm for transforming plaintext to ciphertext
Key - info used in cipher known only to sender/receiver
Encipher (encrypt) - converting plaintext to ciphertext
Decipher (decrypt) - recovering plaintext from ciphertext
Definitions
9
Cryptography – using encryption and decryption principles/methods to conceal information
Cryptanalysis (code breaking) - study of principles/ methods of deciphering ciphertext without knowing the key
Cryptology – study of both cryptography and cryptanalysis
Encryption Conventional (symmetric) encryption Public-key (asymmetric) encryption
10
Cryptology
CRYPTOLOGY
CRYPTOGRAPHY CRYPTANALYSIS
Private Key(Secret Key)
Public Key
Block Cipher Stream Cipher Integer Factorization
Discrete Logarithm
PR
OTO
CO
LS
Cryptography
11
Can characterize cryptographic system by: Type of encryption operations used
Substitution / transposition / product Number of keys used
Single-key or private / two-key or public Way in which plaintext is processed
block / stream
12
Block vs. Stream Ciphers Block ciphers process messages in
blocks, each of which is then en/decrypted
like a substitution on very big characters64-bits or more
Stream ciphers process messages a bit or byte at a time when en/decrypting
Many current ciphers are block ciphers
Broader range of applications
Cryptanalysis
13
The science/art of breaking an encryption scheme Objective is to recover key not just message General approaches:
Cryptanalytic attack May rely on:
Nature of encryption algorithm Characteristics of the plaintext Some plaintext-cipher text pairs
Brute-force attack Try every key …time and space complexity! On average, half of all possible keys must be tried to
achieve success.
Cryptanalytic Attacks
14
Ciphertext only Cryptanalyst has only Ciphertext of possibly many messages.
Known plaintext Access to both plain and ciphertext of several messages, probable
words. Chosen plaintext
Attacker can select plaintext and obtain its ciphertext. Chosen ciphertext
Attacker has access to decrypting box, objective is deduce the key, have the corresponding plaintext.
The HUMAN factor Rubber hose attack -- threaten, torture, blackmail for the key Purchase-key attack -- bribery (or burglary) Scam attack – “excuse me, could you tell me your password?” I’m stupid attack – easy to guess key (name, birthdate, phone
number, ….)
Encryption scheme is:
15
Unconditionally secure if: No matter how much computer power or time
is available, the cipher cannot be broken since the cipher-text provides insufficient information to uniquely determine the corresponding plaintext \
e.g., one-time pad (later) Computationally secure if:
Given limited computing resources (e.g. time needed for calculations is greater than age of universe), the cipher cannot be broken and it is costly!
Brute Force Search
16
Always possible to simply try every key Most basic attack, proportional to key size Assume either know / recognize plaintext
Key Size (bits)
Number of Alternative Keys
Time required at 1 decryption/µs
Time required at 106 decryptions/µs
32 232 = 4.3 109 231 µs = 35.8 minutes
2.15 milliseconds
56 256 = 7.2 1016 255 µs = 1142 years 10.01 hours
128 2128 = 3.4 1038 2127 µs = 5.4 1024 years
5.4 1018 years
168 2168 = 3.7 1050 2167 µs = 5.9 1036 years
5.9 1030 years
26 characters (permutation
)
26! = 4 1026 2 1026 µs = 6.4 1012 years
6.4 106 years
Symmetric Encryption
17
OR conventional / private-key / single-key Sender and receiver share a common key All classical encryption algorithms (from BC till
1976) Was only type prior to invention of public-key
in 1976 and by far most widely used
Symmetric Cipher Model
18
Conventional Encryption Model
19
Key Source
Insecure channel
Oscar
Encrypt DecryptAlice Bob
yx x
k k
Secure Channel
Requirements
20
Two requirements for secure use of symmetric encryption:a strong encryption algorithma secret key known only to sender / receiver
Mathematically have:Y = ek(X)X = dk(Y)
The functions ek() and dk() must be inverses of one another ek(dk(y)) = ? dk(ek(x)) = ? ek(dk(x)) = ?
Assume encryption/decryption algorithm is known, strength is in key
Implies a secure channel to distribute key
Substitution Ciphers
21
Classical Substitution Ciphers where letters of plaintext are replaced by
other letters or by numbers or symbols or if plaintext is viewed as a sequence of bits,
then substitution involves replacing plaintext bit patterns with ciphertext bit patterns
Shift Ciphers Idea
Represent the capital letters of the English alphabet by integers
Encryption ek(x) = (x + k) mod 26
Decryption dk(y) = (y – k) mod 26
A B C D E F G H I J K L M
0 1 2 3 4 5 6 7 8 9 10 11 12
N O P Q R S T U V W X Y Z
13 14 15 16 17 18 19 20 21 22 23 24 25
23
Caesar Cipher earliest known substitution cipher by Julius Caesar (50 BC) first attested use in military affairs replaces each letter by 3rd letter on example:meet me after the toga partyPHHW PH DIWHU WKH WRJD SDUWB
Set of Residues: Zn
25
The result of the modulo operation with modulus n is always an integer between 0 and n-1.
Modulo operation creates a set, which in modular arithmetic is referred to as the set of least residues, modulo n, or Zn
E.g. Z2 ={0,1}
Z6 ={0,1,2,3,4,5}
Z10={0,1,2,3,4,5,6,7,8,9}
The modulo operation (Quick review)
26
What is 27 mod 5? Quotient? 5 Divisor 5 27
Dividend - 25 Remainder?
2 What is -27 mod 5? Quotient? -
6 Divisor 5 -27
Dividend - (-30) Remainder?
3
Examples
27
36 mod 9 = 0 4 9 36 -36 0
-45 mod 9 = 0 -5 9 -45 -(-
45) 0
Shift Ciphers Cipher-text: HCEGDQQM K: C What is the plain-text? Encryption
ek(x) = (x + k) mod 26
Decryption dk(y) = (y – k) mod 26
A B C D E F G H I J K L M
0 1 2 3 4 5 6 7 8 9 10 11 12
N O P Q R S T U V W X Y Z
13 14 15 16 17 18 19 20 21 22 23 24 25
28
Cryptanalysis of Caesar Cipher only have 26 possible ciphers
A maps to A,B,..Z could simply try each in turn a brute force search given ciphertext, just try all shifts of letters do need to recognize when have plaintext eg. break ciphertext "GCUA VQ DTGCM“
Monoalphabetic Cipher
30
Rather than just shifting the alphabet Could shuffle (jumble) the letters arbitrarily Each plaintext letter maps to a different random
ciphertext letter Hence key is 26 letters long
Plain: a b c d e f g h i j k l m n o p q r s t u v w x y z
Cipher:D K V Q F I B J W P E S C X H T M Y A U O L R G Z N
If we wish to replace letters
Plaintext: ifwewishtoreplaceletters Ciphertext:WIRFRWAJUHYFTSDVFSFUUFYA
Monoalphabetic Cipher Security now have a total of 26! = 4 x 1026 keys with so many keys, might think is secure but would be !!!WRONG!!! problem is language characteristics
Language Redundancy and Cryptanalysis
human languages are redundant eg "th lrd s m shphrd shll nt wnt" letters are not equally commonly used in English E is by far the most common
letter followed by T,R,N,I,O,A,S
other letters like Z,J,K,Q,X are fairly rare have tables of single, double & triple letter
frequencies for various languages
33
Seberry & Pieprzyk, "Cryptography - An Introduction to Computer Security", Prentice-Hall 1989, Appendix A has letter frequency graphs for 20 languages (most European & Japanese & Malay).
English Letter Frequencies (Stallings Fig 2.5)
Example Cryptanalysis
34
Given ciphertext:UZQSOVUOHXMOPVGPOZPEVSGZWSZOPFPESXUDBMETSXAIZVUEPHZHMDZSHZOWSFPAPPDTSVPQUZWYMXUZUHSXEPYEPOPDZSZUFPOMBZWPFUPZHMDJUDTMOHMQ
Count relative letter frequencies (see text) Guess P & Z are E and T Guess ZW is th and hence ZWP is the Proceeding with trial and error finally get:it was disclosed yesterday that several informal butdirect contacts have been made with politicalrepresentatives of the viet cong in moscow
The Affine Cipher
35
Use A 0, B 1, C 2, …, Z 25 Plaintext: x P = {0,1,2, …, 25} Ciphertext: y C = {0,1,2, …, 25} Encryption is defined as:
ek (x) = ax + b mod 26 How is decryption defined?
dk(y) = (y – b)/a mod 26 How do we divide modulo 26?
Example of Affine Ciphers
36
Let ek(x) = 3x + 7 mod 26 Consider encrypting “ANT” = 0, 13, 19
Ciphertext is 7, 20, 12 = “HUM” Let us decrypt it
H = 7 => (7-7)/3 = 0 = A U = 20 => (20-7)/3 = 13/3 =? 13 * 3-1 mod 26 M = 12 => (12-7)/3 = 5/3 =? 5 * 3-1 mod 26 3-1 ?
Multiplicative Inverse of 3 in Z26? Using extended Euclidean algorithm
Ref. Cryptography and Network Security (Behrouz A. Forouzan)
Chapter 2: Mathematics of Cryptography
Polyalphabetic Ciphers
37
Polyalphabetic substitution ciphers Improve security using multiple cipher
alphabets Make cryptanalysis harder with more
alphabets to guess and flatter frequency distribution
Use a key to select which alphabet is used for each letter of the message
Use each alphabet in turn Repeat from start after end of key is reached
Vigenère Cipher
38
Simplest polyalphabetic substitution cipher
Effectively multiple Caesar cipher Key is multiple letters long K = k1 k2 ...
kd nth letter specifies nth alphabet to use Use each alphabet in turn Repeat from start after d letters in
message Decryption simply works in reverse
Example of Vigenère Cipher
39
Write the plaintext out Write the keyword repeated above it Use each key letter as a Caesar cipher key Encrypt the corresponding plaintext letter E.g. Using deceptive as a keykey: deceptivedeceptivedeceptive
plaintext: wearediscoveredsaveyourself
ciphertext:ZICVTWQNGRZGVTWAVZHCQYGLMGJ
A B C D E F G H I J K L M
0 1 2 3 4 5 6 7 8 9 10 11 12
N O P Q R S T U V W X Y Z
13 14 15 16 17 18 19 20 21 22 23 24 25
Security of Vigenère Cipher
40
Have multiple ciphertext letters for each plaintext letter Hence letter frequencies are obscured But not totally lost! Start with letter frequencies
See if look monoalphabetic or not E.g. 1 10 19
key: deceptivedeceptivedeceptive
Letters in positions 1,10, 19, and so on are all encrypted with the same monoalphabetic cipher!
Using known frequency characteristics of plaintext language to attack each monoalphabetic ciphers
Solution: Increase the key size to the length of message!
Autokey Cipher
41
Ideally want a key as long as the message Vigenère proposed the autokey cipher With keyword as a prefix to as much of the
message as is needed to be used as key Knowing keyword can recover the first few
letters Use these in turn on the rest of the
message But still have frequency characteristics to
attack E.g. Given deceptive as a keykey: deceptivewearediscoveredsav
plaintext: wearediscoveredsaveyourself
ciphertext:ZICVTWQNGKZEIIGASXSTSLVVWLA
One-Time Pad
42
If a truly random key as long as the message is used, the cipher will be secure
Called a One-Time pad
It is unbreakable since ciphertext bears no statistical relationship to the plaintext
Since for any plaintext & any ciphertext there exists a key mapping one to other
Can only use the key once though
There are problems in generation & safe distribution of key
Brute Force Search
43
Always possible to simply try every key Most basic attack, proportional to key size Assume either know / recognize plaintext
Key Size (bits)
Number of Alternative Keys
Time required at 1 decryption/µs
Time required at 106 decryptions/µs
32 232 = 4.3 109 231 µs = 35.8 minutes
2.15 milliseconds
56 256 = 7.2 1016 255 µs = 1142 years 10.01 hours
128 2128 = 3.4 1038 2127 µs = 5.4 1024 years
5.4 1018 years
168 2168 = 3.7 1050 2167 µs = 5.9 1036 years
5.9 1030 years
26 characters (permutation
)
26! = 4 1026 2 1026 µs = 6.4 1012 years
6.4 106 years
Question
44
Assume that you have a PC that can do 106 decryption per µs. You want to decrypt an algorithm that its key space/key size has 56 bits using brute force approach. So you need to in average check half of the key space. How long does it take to check half of the key space using your PC? (µs = 10-6 seconds)
256 / 2 = 255 different keys to be checked (should be decrypted)
In each µs you can decrypt 106 ciphertexts using 106 keys out of 255
So: How many µs to decrypt using 255 keys? 255 / 106 = 36028797018.963968 µs =
36028797018.963968 *10-6 ~ 36029 s
36029 s / 60 ~ 600 min 600 min / 60 ~ 10 hours
Transposition Ciphers
45
Transposition Ciphers
46
Now consider classical transposition or permutation ciphers
Hide the message by rearranging the letter order without altering the actual letters used.
Can recognize these since they have the same frequency distribution as the original text
47
Permutation Cipher Permutation cipher
Do not change the plaintext Simply shuffle the plaintext according to a known
permutation π(j) Different from the substitution cipher
Suppose the plaintext is x = (x1,x2,x3,… xm) Encryption is: ek(x) = y = (xπ(1),xπ(2),xπ(3),…
xπ(m)) Note that the ciphertext still consists of the
same elements that were present in the plaintext
48
Example of Permutation Cipher
Encrypt HOTDOG = HOT DOG Shuffling, we get THO GDO
Decrypt THO GDO Shuffling, we get HOTDOG
P 1 2 3(P) 3 1 2
C 1 2 3-1(C) 2 3 1
More like an anagram
Rail Fence cipher
49
Write message letters out diagonally over a number of rows then read off cipher row by row
E.g. write message out as: Org message: meet me after the toga party
m e m a t r h t g p r y e t e f e t e o a a t
Giving ciphertextMEMATRHTGPRYETEFETEOAAT
50
Remarks on Permutation Cipher Read Section 2.3 ‘Transposition Techniques’ for
more on permutations Permutations and substitutions are very
important in modern encryption schemes Example: DES makes use of permutations Example: AES makes use of many rounds of
substitutions and permutations
Product Ciphers
51
Product Ciphers
52
Ciphers using substitutions or transpositions are not secure because of language characteristics
Hence consider using several ciphers in succession to make the cipher harder: Two substitutions make more complex substitution Two transpositions make more complex
transposition But a substitution followed by a transposition
makes a new difficult cipher! This is a bridge from classical to modern
ciphers (e.g. AES)
53
Example of Product Cipher
Encrypt (Using Permutation) ZDKLBM = Shuffling, we get KZDMLB
Decrypt KZDMLB Shuffling, we get ZDKLBM Then Key : SPRING
Decrypted: ?
j 1st 2 3 4 5 6
(j) 3 1 2 6 4 5
k 1st 2 3 4 5 6
-1(k) 2 3 1 5 6 4
2- Permutation
A B C D E F G H I J K L M
0 1 2 3 4 5 6 7 8 9 10 11 12
N O P Q R S T U V W X Y Z
13 14 15 16 17 18 19 20 21 22 23 24 25
1- Substitution: (e.g. Vigenère ): Key: SPRINGText: HOTDOG Encrypt (Using Substitution ) Decrypted: ZDKLBM
54
How about…
j 1 2 3 4 5 6
(j) 3 1 2 6 4 5
k 1 2 3 4 5 6
-1(k) 2 3 1 5 6 4
2- Permutation
A B C D E F G H I J K L M
0 1 2 3 4 5 6 7 8 9 10 11 12
N O P Q R S T U V W X Y Z
13 14 15 16 17 18 19 20 21 22 23 24 25
A substitution then a permutation, then another substitution and permutation as an encryption? More secure? (Please think about it)1- Substitution: (e.g. Vigenère ): Key: SPRING Text: HOTDOG Encrypt (Using Substitution ) Decrypted: ZDKLBM
3- Substitution: (e.g. Vigenère ): Key: SPRING Text: KZDMLB Encrypt (Using Substitution ) Decrypted: CQUUYH 4- Permutation: Encrypt (Using Permutation) CQUUYH = Shuffling, we get UCQHUYPlease do the decryption yourself
Encrypt (Using Permutation) ZDKLBM = Shuffling, we get KZDMLB
Rotor Machines
55
Before modern ciphers, rotor machines were most common complex ciphers in use
Widely used in WorldWarII German Enigma, Allied Hagelin, Japanese Purple
Implemented very complex, varying substitution cipher
Used a series of cylinders, each giving one substitution, which rotated and changed after each letter was encrypted
With 3 cylinders had 263=17576 alphabets
Hagelin Rotor Machine
56
Rotor Machine Principles
An alternative to Encryption
58
Steganography
59
An alternative to encryption Art of hiding information in the midst of
irrelevant data This is NOT cryptography Hides existence of message
Using only a subset of letters/words in a longer message marked in some way
Using invisible ink Hiding in LSB (least-signifcant-bit)in graphic image
or sound file Has drawbacks
High overhead to hide relatively few info bits
Example of Steganography
60
Dear George,Greetings to all at Oxford. Many thanks for yourletter and for the summer examination package.All entry forms and fees forms should be readyfor final dispatch to the syndicate by Friday20th or at the latest I am told by the 21st.Admin has improved here though there is roomfor improvement still; just give us all two or threemore years and we will really show you! Pleasedon’t let these wretched 16+ proposals destroyyour basic O and A pattern. Certainly thissort of change, if implemented immediately, would bring chaos.
Sincerely yours,
Example of Steganography
61
Dear George,Greetings to all at Oxford. Many thanks for yourletter and for the summer examination package.All entry forms and fees forms should be readyfor final dispatch to the syndicate by Friday20th or at the latest I am told by the 21st.Admin has improved here though there is roomfor improvement still; just give us all two or threemore years and we will really show you! Pleasedon’t let these wretched 16+ proposals destroyyour basic O and A pattern. Certainly thissort of change, if implemented immediately, would bring chaos.
Sincerely yours,
Summary
62
Have considered: Classical cipher techniques and terminology Monoalphabetic substitution ciphers Cryptanalysis using letter frequencies Polyalphabetic ciphers Transposition ciphers Product ciphers Steganography ROTOR Machines