introductory lecture on cryptography and information security
TRANSCRIPT
An introduction to
Cryptography & Network Security
Dr. Bikramjit SarkarAssociate Professor
Dept. of Computer Science and EngineeringTechno India – Salt Lake
Kolkata, India.
Email: [email protected]
“THREE PEOPLE CAN KEEP A SECRET IF TWO OF THEM ARE DEAD!”
- Benjamin Franklin
Human tendency is that when told that something is secret and asked to keep it secret, people become quite eager to share that secret to everyone else.
Keeping secret is not that easy...
We are living in the Information age where there is a need to keep information of every aspect of life. And the information, like any other asset, needs to be secured.
With the advent of computers, information storage became electronic. And a need for computer security became a real challenge.
Security goals: Confidentiality – Information needs to be hidden from unauthorized access.
Integrity – Information needs to be protected from unauthorized alteration.
Availability – Information needs to be available to authorized entity, as and when required.
The actual implementation of the security goals needs some techniques. Two techniques are prevalent today:
Cryptography – Concealing the contents of a message by enciphering.
Steganography – Concealing the message itself by covering it with something else.
CryptographyCryptography (or cryptology), a word with Greek origin (Secret Writing), is the art and science towards achieving information security by encoding (enciphering) the original message to some non-readable form.
It is about constructing and analyzing protocols that overcome the influence of adversaries, considering various security goals.
Cryptography – contd..
The sender, say Alice, encodes (encrypts) the original message (plain text) into some non-readable form (cipher text) and transmit the cipher text over the communication channel.
The receiver, say Bob, receives the cipher text and decodes (decrypts) the cipher text to its original form (plain text).
Nevertheless, there is a high probability that the intruder, say Oscar, listens to the communication.
Cryptography – contd..
Although, in the past, cryptography referred only to the encryption and decryption of messages using secret keys, today it is defined as involving three distinct mechanisms:
Symmetric-key cryptography (Classical)
Asymmetric-key cryptography
Hashing
Cryptography – contd..
Symmetric-key cryptography uses a single secret key for both encryption and decryption.
Here encryption / decryption can be thought of as electronic locking / unlocking. Alice puts the message in a box and locks the box using the shared secret key. Bob unlocks the box with the same key and takes out the message. It is assumed that Oscar cannot understand the content of the transmitted message by simply eavesdropping over the channel.
Cryptography – contd..
Asymmetric-key cryptography works on a pair of keys instead of a single key: one public key and one private key.
Here Bob generates one public key and one private key and broadcasts the public key. Alice encrypts the message with Bob’s public key and transmits over the channel. At the receiver end, Bob decrypts the encrypted message by the private key and gets back the original message.
Cryptography – contd..
Hashing is a technique where fixed-length message digests are obtained out of variable length messages using some cryptographic hash functions.
Here Alice sends both the message and the message digest to Bob to provide check values.
Classical Cryptography – DefinitionThe crypto-system is a 5-tuple: (P, C, K, E, D), where,P is a finite set of possible plaintextsC is a finite set of possible cipher textsK is a finite set of possible keys (key space)
For each k € K, there exist one encryption rule ek€ E and one decryption rule dk€ D, such that,ek (x) = y and dk (y) = x, where, x € P and y € C .
dk (ek (x)) = x
Classical Cryptography – Block Diagram
Classical Cryptography – Properties Encryption rules and Decryption rules should be computable.
Given a cipher text, it should be difficult for an opponent to identify the encryption key and hence the plaintext.
For the last to hold, the key space must be large enough. Otherwise, the intruder might be able to iterate through all the keys (brute-force attack).
Classical Cryptography – Caesar cipherCaesar cipher, also known as Caesar's cipher, the shift cipher, Caesar's code or Caesar shift, is one of the simplest and most widely known encryption technique. It is a type of substitution cipher in which each letter in the plaintext is replaced by a letter some fixed number of positions down the alphabet. For example, with a right / left shift of 3, D would be replaced by G / A, E would become H / B, and so on. The method is named after Julius Caesar, who used it in his private correspondence.
Caesar cipher – ComputationP = C = K = Z26 = {0, 1, 2, ..., 24, 25}
For simplicity, remove spaces and consider only upper case characters of English alphabet and each character is assigned with the numeric values as follows:A = 0, B = 1, C = 2, ..., X = 23, Y = 24, Z = 25.
ek € E: y = ek (x) = (x + k) mod 26dk € D: x = dk (y) = (y – k) mod 26}x, y, k €
Z26
Caesar cipher – IllustrationLet us consider the key k = 11 and the original message (plaintext) WEWILLMEETSo, the sequence of corresponding integersxi: 22 – 4 – 22 – 8 – 11 – 11 – 12 – 4 – 4 – 19ek € E: yi = ek (xi) = (xi + 11) mod 26yi : 7 – 15 – 7 – 19 – 22 – 22 – 23 – 15 – 15 – 4So, the sequence of corresponding characters (cipher text): HPHTWWXPPEThe plaintext can be obtained back by the decryption rule dk € D: xi = dk (yi) = (y – k) mod 26So, dk: HPHTWWXPPE → WEWILLMEET
Caesar cipher – CryptanalysisIt should be noted that the enciphering algorithms are public but what makes the crypto-system applicable is the secrecy of the key. Cryptanalysis refers to the process of computing the key, which is concerned to the intruders.
Caesar cipher is vulnerable mainly to two types of attacks (cryptanalysis):
Brute-force attack
Statistical attack
Caesar cipher – Brute-force attackThe Caesar cipher is vulnerable to brute-force attacks that uses exhaustive key searches.
The key-domain of the Caesar cipher is very small. Only 26 possible keys are there, out of which 0 is useless.
This leaves only 25 possible keys for encryption / decryption.
The intruder can easily launch a brute-force attack on the cipher text.
Brute-force attack: exampleLet us consider that Oscar has intercepted the cipher text UVACLYFZLJBYL. Now Oscar will keep trying with all possible keys (1 to 25) and with the key 7, he will find a character-sequence NOTVERYSECURE which makes sense (Plaintext).Key Plaintext
1 TUZBKXEYKIAXK2 STYAJWDXJHZWJ3 RSXZIVCWIGYVI4 QRWYHUBVHFXUH5 PQVXGTAUGEWTG6 OPUWFSZTFDVSF7 NOTVERYSECURE
Caesar cipher – Statistical attackThe Caesar cipher is also subject to statistical attacks that uses the frequency of occurrence of characters for a particular language.
Frequency of occurrence of letters (English)Letter
Frequency
Letter
Frequency
Letter
Frequency
Letter
Frequency
E 12.7 H 6.1 W 2.3 K 0.08T 9.1 R 6.0 F 2.2 J 0.02A 8.2 D 4.3 G 2.0 Q 0.01O 7.5 L 4.0 Y 2.0 X 0.01I 7.0 C 2.8 P 1.9 Z 0.01N 6.7 U 2.8 B 1.5S 6.3 M 2.4 V 1.0
Statistical attack: exampleLet us consider that Oscar has intercepted the cipher text as follows:
XLILSYWIMWRSAJSVWEPIJSVJSYVQMPPMSRHSPPEVWMXMWASVXLQSVILYVVCFIJSVIXLIWIPPIVVIGIMZIWQSVISJJIVW
Oscar now tabulates the frequency of letters in the cipher text and gets I = 14, V = 13, S = 12 and so on.
Statistical attack: example – contd..
This shows that the character I in the cipher text has the highest frequency of occurrence.
Oscar, therefore, makes a prediction that the character I in the cipher text probably corresponds to the character E in the plain text. And hence the key is possibly 4. With the key of value 4 if the cipher text is decrypted, it becomes readable (plaintext):
THEHOUSEISNOWFORSALEFORFOURMILLIONDOLLARSITISWORTHMOREHURRYBEFORETHESELLERRECEIVESMOREOFFERS
ConclusionIt is, therefore, prevalent that the Caesar cipher is not that efficient to be applicable towards information security in this electronic age. So, there is a need of more efficient and secure algorithms.
Due to several reports of failure of different enciphering algorithms, ultimately Rijndael won the competition and got selected as Advanced Encryption Standards by NIST in 2001 – 2002.
But no algorithm has been able to provide ultimate security.
"The ultimate security is your understanding of reality."
- H. Stanley Judd