lecture 5 overview does des work? differential cryptanalysis idea – use two plaintext that barely...
TRANSCRIPT
Does DES Work?
• Differential Cryptanalysis Idea– Use two plaintext that barely differ– Study the difference in the corresponding cipher
text– Collect the keys that could accomplish the change– Repeat
2CS 450/650 – Lecture 5: DES
Cracking DES
• Diffie and Hellman then outlined a "brute force" attack on DES– By "brute force" is meant that you try as many of
the 256 possible keys as you have to before decrypting the ciphertext into a sensible plaintext message
– They proposed a special purpose "parallel computer using one million chips to try one million keys each" per second
3CS 450/650 – Lecture 5: DES
Cracking DES (cont.)
• In 1998, Electronic Frontier Foundation spent $220K and built a machine that could go through the entire 56-bit DES key space in an average of 4.5 days– On July 17, 1998, they announced they had
cracked a 56-bit key in 56 hours– The computer, called Deep Crack• used 27 boards each containing 64 chips• was capable of testing 90 billion keys a second
4CS 450/650 – Lecture 5: DES
Cracking DES (cont.)• In early 1999, Distributed. Net used the DES Cracker
and a worldwide network of nearly 100K PCs to break DES in 22 hours– combined they were testing 245 billion keys per second
• This just serves to illustrate that any organization with moderate resources can break through DES with very little effort these days
5CS 450/650 – Lecture 5: DES
Double DES
• E(k1, E(k2, M) )
– As strong as 57-bit key !
– Given message M and ciphertext c– Encrypt M with all possible keys• 256 steps
– Decrypt c with all possible keys and match Ms
• 256 steps
CS 450/650 Fundamentals of Integrated Computer Security 6
Triple DES – Two keys• E(k1, D(k2, E(k1, M) ) )
• The first key is used to DES-encrypt the message• The second key is used to DES-decrypt the encrypted
message– Since the second key is not the right key, this decryption just
scrambles the data further
• The twice-scrambled message is then encrypted again with the first key to yield the final ciphertext
• As strong as 80-bit key !7CS 450/650 – Lecture 5: DES
Triple DES – Three keys• E(k3, D(k2, E(k1, M) ) )
• The first key is used to DES-encrypt the message• The second key is used to DES-decrypt the encrypted
message– Since the second key is not the right key, this decryption just
scrambles the data further
• The twice-scrambled message is then encrypted with the third key to yield the final ciphertext
• As strong as 112-bit key !8CS 450/650 – Lecture 5: DES
Analysis of Algorithms
• Algorithms– Time Complexity– Space Complexity
• An algorithm whose time complexity is bounded by a polynomial is called a polynomial-time algorithm– An algorithm is considered to be efficient if it runs
in polynomial time.
CS 450/650 Lecture 5: Algorithm Background 9
Growth Rate T(n) = O(f(n)): T is bounded above by fThe growth rate of T(n) <= growth rate of f(n)
T(n) = (g(n)): T is bounded below by gThe growth rate of T(n) >= growth rate of g(n)
T(n) = (h(n)): T is bounded both above and below by hThe growth rate of T(n) = growth rate of h(n)
T(n) = o(p(n)): T is dominated by pThe growth rate of T(n) < growth rate of p(n)
10CS 450/650 Lecture 5: Algorithm Background
Time Complexity C O(n) O(log n) O(nlogn) O(n2) … O(nk)
O(2n) O(kn) O(nn)
11CS 450/650 Lecture 5: Algorithm Background
Polynomial
Exponential
P, NP, NP-hard, NP-complete• A problem belongs to the class P if the problem can be
solved by a polynomial-time algorithm
• A problem belongs to the class NP if the correctness of the problem’s solution can be verified by a polynomial-time algorithm
• A problem is NP-hard if it is as hard as any problem in NP– Existence of a polynomial-time algorithm for an NP-hard
problem implies the existence of polynomial solutions for every problem in NP
• NP-complete problems are the NP-hard problems that are also in NP
12CS 450/650 Lecture 5: Algorithm Background
Relationships between different classes
NP
P
NP-complete
NP-hard
13CS 450/650 Lecture 5: Algorithm Background
Partitioning Problem
• Given a set of n integers, partition the integers into two subsets such that the difference between the sum of the elements in the two subsets is minimum– NP-complete
13, 37, 42, 59, 86, 100
14CS 450/650 Lecture 5: Algorithm Background
Sum 165 17286 10042 5937 13
Bin Packing Problem
• Suppose you are given n items of sizes s1, s2,..., sn
• All sizes satisfy 0 si 1
• The problem is to pack these items in the fewest number of bins, – given that each bin has unit capacity– NP-hard
15CS 450/650 Lecture 5: Algorithm Background
Lecture 6
RSA
CS 450/650
Fundamentals of Integrated Computer Security
Slides are modified from Hesham El-Rewini
RSA• Invented by Cocks (GCHQ), independently, by
Rivest, Shamir and Adleman (MIT)• Two keys e and d used for Encryption and
Decryption– The keys are interchangeable • M = D(d, E(e, M) ) = D(e, E(d, M) )
– Public key encryption
• Based on problem of factoring large numbers– Not in NP-complete– Best known algorithm is exponential
17CS 450/650 Lecture 6: RSA
RSA
• To encrypt message M compute– c = Me mod N
• To decrypt ciphertext c compute– M = cd mod N
18CS 450/650 Lecture 6: RSA
• Let p and q be two large prime numbers• Let N = pq
• Choose e relatively prime to (p1)(q1)– a prime number larger than p-1 and q-1
• Find d such that ed mod (p1)(q1) = 1
Key Choice
19CS 450/650 Lecture 6: RSA
RSA
• Recall that e and N are public
• If attacker can factor N, he can use e to easily find d – since ed mod (p1)(q1) = 1
• Factoring the modulus breaks RSA• It is not known whether factoring is the only
way to break RSA20CS 450/650 Lecture 6: RSA
Does RSA Really Work?
• Given c = Me mod N we must show – M = cd mod N = Med mod N
• We’ll use Euler’s Theorem– If x is relatively prime to N then x(N) mod N =1• (n): number of positive integers less than n that are
relatively prime to n.• If p is prime then, (p) = p-1
21CS 450/650 Lecture 6: RSA
Does RSA Really Work?
• Facts: – ed mod (p 1)(q 1) = 1– ed = k(p 1)(q 1) + 1 by definition of mod– (N) = (p 1)(q 1)– Then ed 1 = k(p 1)(q 1) = k(N)
• Med = M(ed-1)+1 = MMed-1 = MMk(N) = M(M(N)) k mod N = M1 k mod N
= M mod N 22CS 450/650 Lecture 6: RSA
Example
• Select primes p=11, q=3.• N = p* q = 11*3 = 33
• Choose e = 3
• check gcd(e, p-1) = gcd(3, 10) = 1 – i.e. 3 and 10 have no common factors except 1
• check gcd(e, q-1) = gcd(3, 2) = 1• therefore gcd(e, (p-1)(q-1)) = gcd(3, 20) = 1
23CS 450/650 Lecture 6: RSA
Example (cont.)
• p-1 * q-1 = 10 * 2 = 20 • Compute d such that
e * d mod (p-1)*(q-1) = 13 * d mod 20 = 1
d = 7
Public key = (N, e) = (33, 3)Private key = (N, d) = (33, 7)
24CS 450/650 Lecture 6: RSA
Example (cont.)
• Now say we want to encrypt message m = 7
• c = Me mod N = 73 mod 33 = 343 mod 33 = 13– Hence the ciphertext c = 13
• To check decryption, we computeM' = cd mod N = 137 mod 33 = 7
25CS 450/650 Lecture 6: RSA
More Efficient RSA• Modular exponentiation example– 520 = 95367431640625 = 25 mod 35
• A better way: repeated squaring – Note that 20 = 2 10, 10 = 2 5, 5 = 2 2 + 1, 2 = 1 2– 51= 5 mod 35– 52= (51) 2 = 52 = 25 mod 35– 55= (52) 2 51 = 252 5 = 3125 = 10 mod 35– 510 = (55) 2 = 102 = 100 = 30 mod 35– 520 = (510) 2 = 302 = 900 = 25 mod 35
• No huge numbers and it’s efficient!
CS 450/650 Lecture 6: RSA 26
RSA key-length strength
• RSA has challenges for different key-lengths– RSA-140• Factored in 1 month using 200 machines in 1999
– RSA-155 (512-bit)• Factored in 3.7 months using 300 machines in 1999
– RSA-160• Factored in 20 days in 2003
– RSA-200• Factored in 18 month in 2005
– RSA-210, RSA-220, RSA-232, … RSA-204827CS 450/650 Lecture 6: RSA