Implementing and Breaking Cryptographic Algorithms CS651 Security April 18, 2001 Shaun Arnold, Thomas Daniels, Chris Taylor, Mike Walker


Post on 26-Dec-2015



Implementing and Breaking Cryptographic Algorithms

CS651 Security

April 18, 2001

Shaun Arnold, Thomas Daniels, Chris Taylor, Mike Walker


Overview

• Cryptography seems like a great idea but …
  – how easily is it broken
  – how well designed are the algorithms
  – what are performance trade offs
  – can it be analyzed

• Goal: Find answers or postulations to most (or all) of these questions


Outline

• Mono-alphabetic ciphers
• Poly-alphabetic ciphers (Vigenere)
• Rotor machine
• Statistical analyzer
• Breaking mono-alphabetic cipher
• Key length analysis
• Breaking poly-alphabetic cipher
• RSA
• Breaking the RSA implementation


Monoalphabetic Ciphers

• Definition
  – A technique that replaces a single letter with another single letter.

An example:

a b c d e f g h i j k l m n o p q r s t u v w x y z

T H O M A S U V W X Y Z B D C F G I J K E L N Q R P


Monoalphabetic Ciphers

• Caesar Cipher
  – Replaces each letter of the alphabet with the letter three places down in the alphabet.

• General Shift Cipher
  – Replace each letter of the alphabet with the letter n places down in the alphabet with wrapping.


Monoalphabetic Ciphers

• Keyspace
  – Normal: 26! keys
  – Shift cipher: 25 keys

• Strengths
  – Easy computation.
  – Fast to encrypt and decrypt.


Monoalphabetic Ciphers

• Weaknesses
  – For the shift cipher, there are only 25 keys.
  – Sentence structure is maintained.
  – Regularities of the language are maintained.


Polyalphabetic Ciphers

• Definition
  – The use of multiple monoalphabetic substitutions as one proceeds through a plaintext message.
  – Includes:
    A set of related monoalphabetic substitution rules
    A key determines which rule to choose.


Polyalphabetic Ciphers

• Strengths
  – Stronger than monoalphabetic
  – Large keyspace

• Example: Vigenere
  – Given a key letter x and a plaintext letter y, the ciphertext is at the intersection of the row labeled x and the column labeled y.


Polyalphabetic Ciphers

  A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
A A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
B B C D E F G H I J K L M N O P Q R S T U V W X Y Z A
C C D E F G H I J K L M N O P Q R S T U V W X Y Z A B
D D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
E E F G H I J K L M N O P Q R S T U V W X Y Z A B C D
F F G H I J K L M N O P Q R S T U V W X Y Z A B C D E
G G H I J K L M N O P Q R S T U V W X Y Z A B C D E F
H H I J K L M N O P Q R S T U V W X Y Z A B C D E F G
I I J K L M N O P Q R S T U V W X Y Z A B C D E F G H
J J K L M N O P Q R S T U V W X Y Z A B C D E F G H I
K K L M N O P Q R S T U V W X Y Z A B C D E F G H I J
L L M N O P Q R S T U V W X Y Z A B C D E F G H I J K
M M N O P Q R S T U V W X Y Z A B C D E F G H I J K L
N N O P Q R S T U V W X Y Z A B C D E F G H I J K L M
O O P Q R S T U V W X Y Z A B C D E F G H I J K L M N
P P Q R S T U V W X Y Z A B C D E F G H I J K L M N O
Q Q R S T U V W X Y Z A B C D E F G H I J K L M N O P
R R S T U V W X Y Z A B C D E F G H I J K L M N O P Q
S S T U V W X Y Z A B C D E F G H I J K L M N O P Q R
T T U V W X Y Z A B C D E F G H I J K L M N O P Q R S
U U V W X Y Z A B C D E F G H I J K L M N O P Q R S T
V V W X Y Z A B C D E F G H I J K L M N O P Q R S T U
W W X Y Z A B C D E F G H I J K L M N O P Q R S T U V
X X Y Z A B C D E F G H I J K L M N O P Q R S T U V W
Y Y Z A B C D E F G H I J K L M N O P Q R S T U V W X
Z Z A B C D E F G H I J K L M N O P Q R S T U V W X Y

Key:        CARS CA RSCARS CARS
Plaintext:  THIS IS REALLY COOL
Ciphertext: VHZK KS IWCLCQ EOFD


Rotor Machines

• Another form of letter substitution
• Used during World War II by the Germans and the Japanese (Enigma and Purple)
• Hardwired connections from 26 incoming contacts to 26 outgoing contacts on each rotor
• As each letter was typed, the rotors would rotate like an odometer
• Key for a message would consist of initial configuration of the rotors (26^3 keyspace)


Software implementation of rotor

• An array of 26 offsets specifies the contact configuration of one rotor
  – only one-to-one correspondences are allowed
  – 26! possible configurations for each rotor

• (26!)^3 possible different machines could be built

• For a particular machine (contacts fixed), there are 26^3 possible initial configurations for a message (key space)

• Letter substitution repeats after 26^3 letters


Example ciphertext/plaintext pair

This plaintext is to be encrypted with the rotor engine using the configuration given in Stalling page forty three in figure eight of chapter two

JSHK RHHKMVNVZ SA ND TC YEZEPWHYK AAGD NNG YSYKK GVOVFL RRKSY RRI IZNBJKJWTIPTO YPRET IC IEODDCAZ HZBZ YRKKH YIPCN IK LOWOJX CJXKK DC MZWAGDJ EOX


Cryptanalysis

“The first step in breaking any cipher is to try to find features which correspond to the original plaintext. Whereas codes substitute groups of letters or figures for words, phrases, or even complete concepts, ciphers replace every individual letter of every individual word. They therefore tend to reflect the characteristics of the original language of the original text. This makes them vulnerable to studies of letter frequency.”


Statistical Frequency Program

• Reports the frequency of occurrence of all individual letters and any double and triple letter groups which appear above a given threshold (e.g. >= 5%)

• Very useful for breaking monoalphabetic ciphers

• Also a good profiler for patterns in specific genres of plaintext


Example of statistical analysis

• Here is some English prose to get frequency statistics on.
  – 1 0 2 0 8 1 2 2 4 0 0 1 1 3 4 1 1 3 7 5 1 0 0 0 1 0
  – a b c d e f g h i j k l m n o p q r s t u v w x y z
  – 3 2 2 2 2 2 2
  – is en et re so st ti
  – no three letter groups appeared more than once

• This text is too short to get good results


Breaking the monoalphabetic cipher

• Messages as short as 94 letters were broken relatively easily (~3.6 * key length)

• First run statistical analyzer on ciphertext

• Using resulting statistics and clever observations, begin to make guesses at character substitutions

• Unix tr utility is very useful to progressively substitute into the ciphertext


94 letter example

YCD ITJDTRI EDT TPZTP RCCBI EOP MSIR VT WTNR YDCM JXQBPDTO EOP YDCM YCCBI GTBB PCOT RTEM RXQI MTIIEZT QI E IXCDR COT

0 5 10 7 6 0 1 0 10 2 0 0 5 1 5 6 3 7 1 14 0 1 1 3 4 2

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

DT - 3, YDC - 2, EOP - 2, DCM - 2, COT - 2, CCB - 2, CBI - 2

YCD IeJDeRI EDe ePZeP RCCBI EOP MSIR Ve WeNR YDCM JXQBPDeO EOP YDCM YCCBI GeBB PCOe ReEM RXQI MeIIEZe QI E IXCDR COe

YCD seJDeRs EDe ePZeP RCCBs EOP MSsR Ve WeNR YDCM JXQBPDeO EOP YDCM YCCBs GeBB PCOe ReEM RXQs MessEZe Qs E sXCDR COe

YCD seJDeRs aDe ePZeP RCCBs aOP MSsR Ve WeNR YDCM JXQBPDeO aOP YDCM YCCBs GeBB PCOe ReaM RXQs MessaZe Qs a sXCDR COe

YCD seJDeRs aDe ePgeP RCCBs aOP mSsR Ve WeNR YDCm JXQBPDeO aOP YDCm YCCBs GeBB PCOe Ream RXQs message Qs a sXCDR COe

YCD seJDeRs aDe ePgeP RCCBs aOP mSsR Ve WeNR YDCm JXiBPDeO aOP YDCm YCCBs GeBB PCOe Ream RXis message is a sXCDR COe

YCD seJDets aDe ePgeP tCCBs aOP mSst Ve WeNt YDCm JXiBPDeO aOP YDCm YCCBs GeBB PCOe team tXis message is a sXCDt COe

YoD seJDets aDe ePgeP tooBs aOP must Ve WeNt YDom JhiBPDeO aOP YDom YooBs GeBB PoOe team this message is a shoDt oOe

Yor seJrets are ePgeP tooBs aOP must Ve WeNt Yrom JhiBPreO aOP Yrom YooBs GeBB PoOe team this message is a short oOe

for seJrets are ePgeP tooBs anP must Ve WeNt from JhiBPren anP from fooBs GeBB Pone team this message is a short one

for secrets are edged tools and must Ve WeNt from children and from fools Gell done team this message is a short one

for secrets are edged tools and must be kept from children and from fools well done team this message is a short one


E V J P T Y Z X Q ? W B M O C N ? D I R S ? G ?

a b c d e f g h i j k l m n o p q r s t u v w x
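The statistical frequency program and the progressive `tr`-style substitution from the slides above, as an added Python example (not the presenters' program). It runs on the slide's 94-letter ciphertext; the function names and the choice to count letter groups inside words are assumptions made here.

```python
from collections import Counter
from string import ascii_uppercase

# The 94-letter ciphertext from the slide above.
CIPHERTEXT = ("YCD ITJDTRI EDT TPZTP RCCBI EOP MSIR VT WTNR YDCM JXQBPDTO EOP "
              "YDCM YCCBI GTBB PCOT RTEM RXQI MTIIEZT QI E IXCDR COT")

def letter_counts(text):
    """Occurrences of each letter A..Z, in alphabet order."""
    seen = Counter(c for c in text.upper() if c in ascii_uppercase)
    return [seen[c] for c in ascii_uppercase]

def ngram_counts(text, n, at_least):
    """n-letter groups inside words that occur at least `at_least` times."""
    seen = Counter(w[i:i + n] for w in text.upper().split()
                   for i in range(len(w) - n + 1))
    return {g: k for g, k in seen.items() if k >= at_least}

def substitute(text, guesses):
    """Like `tr`: guessed letters become lowercase plaintext, the rest stay
    uppercase ciphertext so the remaining unknowns are easy to see."""
    return "".join(guesses.get(c, c) for c in text)

def guesses_from(cipher_row, plain_row):
    """Build the cipher-to-plain mapping from the two rows of a key table."""
    return {c: p for c, p in zip(cipher_row.split(), plain_row.split())
            if c != "?"}

# Recovered key exactly as tabulated on the slide ("?" = letter never seen).
KEY = guesses_from("E V J P T Y Z X Q ? W B M O C N ? D I R S ? G ?",
                   "a b c d e f g h i j k l m n o p q r s t u v w x")

if __name__ == "__main__":
    print(letter_counts(CIPHERTEXT))
    print(ngram_counts(CIPHERTEXT, 2, 3), ngram_counts(CIPHERTEXT, 3, 2))
    print(substitute(CIPHERTEXT, {"T": "e"}))            # first guess: T -> e
    print(substitute(CIPHERTEXT, {"T": "e", "I": "s"}))  # second guess: I -> s
    print(substitute(CIPHERTEXT, KEY))
```

The most frequent ciphertext letter (T, 14 of 94) maps to e, which is the first substitution the slide makes.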


Analyzing the Key Length

• Assume dealing with poly-alphabetic cipher

• Two letter combinations

• Let’s get VERBOSE

• Whoa!, Too Much Information (TMI)


Cracking the Poly

• Establish key length

• Attack (assumed Vigenere)
  – Brute-force automation
  – Trial and Error (random walk)
  – Other clever (or not so clever) means


The Test

• 4 blocks of cipher text of varying length
  – 55 char, 10 words
  – 4282 char, 765 words
  – 4194 char, ? words
  – 771 char, 123 words

• Keylengths respectively
  – 18?, 7, 11, 7


B & E

• First three had spaces to delimit words
  – all but shortest was cracked (and that could have been done with brute force)
  – one had unencrypted years (trivial)
  – crack time: ~ 2 hours

• No spaces to delimit words
  – became much more difficult
  – crack time: ~ 5-6 hours


How To Solve It

• Assume “the” is in passage somewhere

• Start at beginning and work it

• Ex.

pgpwhgeIkhbfapwzbsvmjhjzjrrzdgbsyandvirczcnnknptfxikoahjxusioomovmubpr

1234567890112345678901123456789011234567890112345678901123456789...

DECRYPTED TEXT    POSSIBLE KEY
the               wzl
the               nis
nhe               nis
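An added example, not code from the presentation: the Vigenere tableau lookup from the CARS slide and the "assume the is in the passage" step above, written out in Python. The function names are hypothetical, and the key length of 11 is an assumption read off the repeating 1 to 11 ruler under the slide's ciphertext.

```python
def vigenere(text, key, decrypt=False):
    """Tableau lookup as arithmetic: row = key letter, column = plaintext letter.
    The key advances only on letters, so spaces pass through unchanged."""
    out, k = [], 0
    for ch in text:
        if not (ch.isascii() and ch.isalpha()):
            out.append(ch)
            continue
        shift = ord(key[k % len(key)].lower()) - ord("a")
        base = ord("A") if ch.isupper() else ord("a")
        step = -shift if decrypt else shift
        out.append(chr((ord(ch) - base + step) % 26 + base))
        k += 1
    return "".join(out)

def key_fragment(ciphertext, crib, offset):
    """Key letters implied if `crib` is the plaintext starting at `offset`."""
    window = ciphertext[offset:offset + len(crib)].lower()
    return "".join(chr((ord(c) - ord(p)) % 26 + ord("a"))
                   for c, p in zip(window, crib.lower()))

def try_fragment(ciphertext, fragment, offset, key_len):
    """Decrypt every position that reuses these key letters (offset, offset +
    key_len, ...). Readable pieces support the guess; gibberish rejects it."""
    ct = ciphertext.lower()
    return [vigenere(ct[i:i + len(fragment)], fragment, decrypt=True)
            for i in range(offset, len(ct) - len(fragment) + 1, key_len)]

# Ciphertext as printed on the slide (unspaced); 11 is the assumed key length.
SLIDE_CT = "pgpwhgeIkhbfapwzbsvmjhjzjrrzdgbsyandvirczcnnknptfxikoahjxusioomovmubpr"

if __name__ == "__main__":
    print(vigenere("THIS IS REALLY COOL", "CARS"))
    for off in (0, 1):
        frag = key_fragment(SLIDE_CT, "the", off)
        print(off, frag, try_fragment(SLIDE_CT, frag, off, 11))
```

Placing "the" at the first two offsets reproduces the slide's possible keys wzl and nis, and nis applied one key length later gives the slide's "nhe".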


RSA Encryption

• RSA Implementation

• Attacking RSA Implementation


RSA Implementation

• 64-bit asymmetric block encryption
  C = M^e mod n
  M = C^d mod n = (M^e mod n)^d mod n = M^(ed) mod n
  KU = {e, n}; KR = {d, n}
  n = pq; p and q are large primes

• BigInt class allows arbitrary integer length
  – Typical prime: 24-33 decimal digits
  – Typical e: 4 digits
  – Typical n: 48 – 66 digits
  – Latest RSA challenge (n): 155 digits factored in ~5 months (1999)


RSA Game

• Intercept encrypted email message:
  Date: Tue, 27 Mar 2001 22:05:41 -0500 (EST)
  From: Shaun C. Arnold [email protected]

20105813699066933652114750065334914038566035999047214409655374357127189821673372056776533134283591795357193171912473639612889906385342116384377609897511196455829319273754942488085059927130420128944948701514530867560742525817580952245595802503753618438073822435799836892698252078898979704532606448317684588947647820846461385450061202389685990080854483577574475377856809016714823353811366414574730869546386941974433807952398 […]

• Assume RSA implementation is known
• Only ciphertext is available


RSA Attack Strategy

• Timing attack: Exploit prime number generator implementation

    main() {
        BigInt P = GetPrime();
        BigInt Q = GetPrime();
        […]

    GetPrime() {
        srand48( (unsigned int) time(0) );   // reseeded from the clock on every call
        BigInt N = rand_int( 1024, 1033 );
        if( N % 2 == 0 ) { N = N + 1; }      // make the candidate odd
        while( !is_prime( N ) ) { N += 2; }  // advance to the next prime
        return N;
    }

• Total time since project assigned: 7,862,400 seconds


RSA Attack

• Determine search space
  – Script measured prime number generation
    • 14 - 82 seconds per number on dept. machines
  – 12-110 seconds for prime number generation
  – Run within ~5 minutes of email timestamp (300 sec.)
  – ~30,000 search combinations * 2 min = ~42 days, or 3,628,800 seconds

• Parallel execution of crack program
  – 103 450-MHz PII Linux machines (Centurion)
  – ~12 hours running time


RSA Attack Foiled?

Date: Fri, 6 Apr 2001 20:13:52 -0400

From: Andrew Grimshaw <[email protected]>

To: Michael Pittman Walker <[email protected]>

Subject: crackdriver

Mike,

This code is killing the net. What is it? It is all over the testnet machines.

Nuke it now please.

Andrew


RSA Attack: Results

• 19 Megs output:

Start: 985748522 Second: 985748581
>c`bW+^E^R#(SbM^]1Z^E^Bi=@=!;^LV\
BQRY^G^P^PN0Uz^CY<}b^Vc)@R`+LT#^P,]^c>{^^YH+*^M85-^W#&[$K*^BS^E

Start: 985748522 Second: 985748582
Anyone who attempts to generate random numbers by
deterministic means is of course living in a state
of sin
John von Neumann

Start: 985748522 Second: 985748583
,*!F^E&/^F.>Y.^EUM^X^DAaO^C^AXT^[L/
0>^PaSGy@^X^S5^PM5B^Rna^B^X?^V{DE^\C^T^QA WS^O7a'^Y0*
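Why the clock-seeded GetPrime() leaves so few keys, and the corrected seeding beside it, as an added Python example that is not the presenters' code. The toy prime size, the exponent 65537, the 4-byte blocks and the message are assumptions; the two seed times are the ones in the output above, and the default window of 301 start seconds by 110 gap seconds is close to the slides' ~30,000 combinations.

```python
import secrets
from functools import lru_cache
from random import Random

E = 65537              # toy public exponent (assumption, not the slides' value)
MAIL_TIME = 985748741  # the Date: header (27 Mar 2001 22:05:41 -0500) as epoch seconds
BLOCK = 4              # bytes per plaintext block (toy size)

def is_prime(n):
    return n > 2 and n % 2 == 1 and all(n % d for d in range(3, int(n ** 0.5) + 1, 2))

def next_prime(n):
    n |= 1
    while not is_prime(n) or (n - 1) % E == 0:   # also keeps E invertible mod phi
        n += 2
    return n

@lru_cache(maxsize=None)
def get_prime_weak(now):
    # Same flaw as GetPrime() on the slide: the generator is reseeded from the clock.
    return next_prime(Random(now).randrange(1 << 20, 1 << 21))

def get_prime_fixed():
    # Corrected seeding: the starting candidate comes from the OS CSPRNG.
    return next_prime((1 << 20) | secrets.randbits(20))

def private_key(p, q):
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def encrypt(msg, n):
    return [pow(int.from_bytes(msg[i:i + BLOCK], "big"), E, n)
            for i in range(0, len(msg), BLOCK)]

def decrypt(blocks, n, d):
    plain = [pow(c, d, n) for c in blocks]
    if any(m >> (8 * BLOCK) for m in plain):
        return None                              # block too large: wrong key
    return b"".join(m.to_bytes(BLOCK, "big") for m in plain)

def recover(blocks, mail_time, window=300, max_gap=110):
    """Rebuild each key the clock could have produced; keep the readable result."""
    for start in range(mail_time - window, mail_time + 1):
        p = get_prime_weak(start)
        for gap in range(1, max_gap + 1):
            n, d = private_key(p, get_prime_weak(start + gap))
            text = decrypt(blocks, n, d)
            if text and all(32 <= b < 127 for b in text):
                return start, start + gap, text
    return None

# Constructed key and message; the two seed times are those in the output above.
P, Q = get_prime_weak(985748522), get_prime_weak(985748582)
CIPHERTEXT = encrypt(b"state of sin", P * Q)
if __name__ == "__main__":
    print(recover(CIPHERTEXT, MAIL_TIME))
```

With `get_prime_fixed` the primes no longer depend on anything an observer can bound, so the enumeration in `recover` has nothing to iterate over.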


Summary

• Length of text and redundancy influence cryptanalysis

• Long keys make cryptanalysis difficult for poly (keylength:text length)

• RSA (and other algorithms) strength depends on correctness of implementation


Questions?

1. How hard is cryptanalysis without knowing the algorithm?

2. When does cryptanalysis become infeasible?


How hard is cryptanalysis without knowing the algorithm?

• In general, cryptographic strength should not rest on this. Assume the cracker knows.

• Nature of plaintext (CC #, English prose)
  – how much of the plaintext space is meaningful?
  – Redundancy in message

• Ratio of message length to key length

• Plaintext/Ciphertext pairs


When does cryptanalysis become infeasible?

• Key length >= Message length?
  – Focus on the key instead of the message

• One time pad


Example (=rand(lines, columns))

• The quick brown fox jumps over the lazy dog
  – 1 1 1 1 3 1 1 2 1 1 1 1 1 1 4 1 1 2 1 2 2 1 1 1 1 1
  – a b c d e f g h i j k l m n o p q r s t u v w x y z
  – 35 letters total
  – only 2 repeated double letter combos (th, he)
  – only 1 repeated triple letter combo (the)


Even Better

• The quick brown fox jumps over a lazy dog
  – 2 1 1 1 2 1 1 1 1 1 1 1 1 1 4 1 1 2 1 1 2 1 1 1 1 1
  – a b c d e f g h i j k l m n o p q r s t u v w x y z
  – 33 letters total
  – no repeated double letter combos
  – no repeated triple letter combos

• Even a monoalphabetic cipher (26 letter key) would be difficult to break