1 Part I Crypto Chapter 2 Crypto Basics MXDXBVTZWVMXNSPBQXLIMSCCSGXSCJXBOVQXCJZMOJZCVC TVWJCZAAXZBCSSCJXBQCJZCOJZCNSPOXBXSBTVWJC JZDXGXXMOZQMSCSCJXBOVQXCJZMOJZCNSPJZHGXXMOSPLH JZDXZAAXZBXHCSCJXTCSGXSCJXBOVQX ID: 629408
Download Presentation The PPT/PDF document "Part 1 Cryptography" is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.
Slide1
Part 1 Cryptography 1
Part I: CryptoSlide2
Chapter 2: Crypto Basics
MXDXBVTZWVMXNSPBQXLIMSCCSGXSCJXBOVQXCJZMOJZCVC
TVWJCZAAXZBCSSCJXBQCJZCOJZCNSPOXBXSBTVWJC
JZDXGXXMOZQMSCSCJXBOVQXCJZMOJZCNSPJZHGXXMOSPLHJZDXZAAXZBXHCSCJXTCSGXSCJXBOVQX plaintext from Lewis Carroll, Alice in WonderlandThe solution is by no means so difficult as you mightbe led to imagine from the first hasty inspection of the characters.These characters, as any one might readily guess,form a cipher that is to say, they convey a meaning… Edgar Allan Poe, The Gold Bug
Part 1
Cryptography
2Slide3
Part 1 Cryptography 3
Crypto
Cryptology
The art and science of making and breaking “secret codes”Cryptography making “secret codes”Cryptanalysis breaking “secret codes”Crypto all of the above (and more)Slide4
Part 1 Cryptography 4
How to Speak Crypto
A
cipher or cryptosystem is used to encrypt (encipher) the plaintext The result of encryption is ciphertext We decrypt (decipher) ciphertext to recover plaintextA key is used to configure a cryptosystemA symmetric key cryptosystem uses the same key to encrypt as to decryptA public key cryptosystem uses a public key to encrypt and a private key to decryptSlide5
Part 1 Cryptography 5
Crypto
Basic assumptions
The system is completely known to the attackerOnly the key is secretThat is, crypto algorithms are not secretThis is known as Kerckhoffs’ PrincipleWhy do we make this assumption?Experience has shown that secret algorithms are weak when exposedSecret algorithms never remain secretBetter to find weaknesses beforehandSlide6
Part 1 Cryptography 6
Crypto as Black Box
plaintext
keykeyplaintextciphertext
A generic
view of
symmetric key crypto
encrypt
decryptSlide7
Part 1 Cryptography 7
Simple Substitution
Plaintext:
fourscoreandsevenyearsagoKey: ab
c
d
e
f
g
h
i
j
k
l
m
n
o
p
q
r
s
t
u
v
w
x
y
D
E
F
G
H
I
J
K
L
M
N
O
P
Q
R
STUVWXYZAB
zC
Ciphertext: IRXUVFRUHDQGVHYHQBHDUVDJRShift by 3 is “Caesar’s cipher”
Plaintext
CiphertextSlide8
Part 1 Cryptography 8
Ceasar’s
Cipher Decryption
Plaintext: spongebobsquarepantsab
c
d
e
f
g
h
i
j
k
l
m
n
o
p
q
r
s
t
u
v
w
x
y
D
E
F
G
H
I
J
K
L
M
N
O
P
Q
R
STUVWXYZABz
CPlaintextCiphertextSuppose we know a Ceasar’s cipher is being used:
Given ciphertext:
VSRQJHEREVTXDUHSDQWVSlide9
Part 1 Cryptography 9
Not-so-Simple Substitution
Shift by
n for some n {0,1,2,…,25}Then key is nExample: key n = 7a
b
c
d
e
f
g
h
i
j
k
l
m
n
o
p
q
r
s
t
u
v
w
x
y
H
I
J
K
L
M
N
O
P
Q
R
S
T
U
VWXYZABCDEFz
GPlaintextCiphertextSlide10
Part 1 Cryptography 10
Cryptanalysis I: Try Them All
A simple substitution (shift by
n) is usedBut the key is unknownGiven ciphertext: CSYEVIXIVQMREXIHHow to find the key?Only 26 possible keys try them all!Exhaustive key searchSolution: key is n = 4Slide11
Part 1 Cryptography 11
Least-Simple Simple Substitution
In general, simple substitution key can be any
permutation of lettersNot necessarily a shift of the alphabetFor exampleab
c
d
e
f
g
h
i
j
k
l
m
n
o
p
q
r
s
t
u
v
w
x
y
J
I
C
A
X
S
E
Y
V
D
K
W
B
Q
T
ZRHFMPNULG
zO
Plaintext
Ciphertext
Then 26! > 2
88
possible keys!Slide12
Part 1 Cryptography 12
Cryptanalysis II: Be Clever
We know that a simple substitution is used
But not necessarily a shift by nFind the key given the ciphertext: PBFPVYFBQXZTYFPBFEQJHDXXQVAPTPQJKTOYQWIPBVWLXTOXBTFXQWAXBVCXQWAXFQJVWLEQNTOZQGGQLFXQWAKVWLXQWAEBIPBFXFQVXGTVJVWLBTPQWAEBFPBFHCVLXBQUFEVWLXGDPEQVPQGVPPBFTIXPFHXZHVFAGFOTHFEFBQUFTDHZBQPOTHXTYFTODXQHFTDPTOGHFQPBQWAQJJTODXQHFOQPWTBDHHIXQVAPBFZQHCFWPFHPBFIPBQWKFABVYYDZBOTHPBQPQJTQOTOGHFQAPBFEQJHDXXQVAVXEBQPEFZBVFOJIWFFACFCCFHQWAUVWFLQHGFXVAFXQHFUFHILTTAVWAFFAWTEVOITDHFHFQAITIXPFHXAFQHEFZQWGFLVWPTOFFASlide13
Part 1 Cryptography 13
Cryptanalysis II
Cannot try all 2
88 simple substitution keysCan we be more clever?English letter frequency counts…Slide14
Part 1 Cryptography 14
Cryptanalysis II
Ciphertext:
PBFPVYFBQXZTYFPBFEQJHDXXQVAPTPQJKTOYQWIPBVWLXTOXBTFXQWAXBVCXQWAXFQJVWLEQNTOZQGGQLFXQWAKVWLXQWAEBIPBFXFQVXGTVJVWLBTPQWAEBFPBFHCVLXBQUFEVWLXGDPEQVPQGVPPBFTIXPFHXZHVFAGFOTHFEFBQUFTDHZBQPOTHXTYFTODXQHFTDPTOGHFQPBQWAQJJTODXQHFOQPWTBDHHIXQVAPBFZQHCFWPFHPBFIPBQWKFABVYYDZBOTHPBQPQJTQOTOGHFQAPBFEQJHDXXQVAVXEBQPEFZBVFOJIWFFACFCCFHQWAUVWFLQHGFXVAFXQHFUFHILTTAVWAFFAWTEVOITDHFHFQAITIXPFHXAFQHEFZQWGFLVWPTOFFAAB
C
D
E
F
G
H
I
J
K
L
M
N
O
P
Q
R
S
T
U
V
W
X
Y
21
26
6
10
12
51
10
25
10
9
3
10
0
1
15
2842002742422286Z8Ciphertext frequency counts:
Analyze this message using statistics belowSlide15
Part 1 Cryptography 15
Cryptanalysis: Terminology
Cryptosystem is
secure if best known attack is to try all keysExhaustive key search, that isCryptosystem is insecure if any shortcut attack is knownBut then insecure cipher might be harder to break than a secure cipher!What the … ?Slide16
Part 1 Cryptography 16
Double Transposition
Plaintext:
attackxatxdawnPermute rowsand columnsCiphertext: xtawxnattxadakc Key is matrix size and permutations: (3,5,1,4,2) and (1,3,2)Slide17
Part 1 Cryptography 17
One
-Time
Pad: Encryptione=000 h=001 i=010 k=011 l=100 r=101 s=110 t=111hei
l
h
i
t
l
e
r
001
000
010
100
001
010
111
100
000
101
111
101
110
101
111
100
000
101
110
000
110
101
100
001
110
110
111
001
110
101
s
rlhssthsrEncryption: Plaintext Key = CiphertextPlaintext:Key:Ciphertext:Slide18
Part 1 Cryptography 18
One
-Time
Pad: Decryptione=000 h=001 i=010 k=011 l=100 r=101 s=110 t=111srl
h
s
s
t
h
s
r
110
101
100
001
110
110
111
001
110
101
111
101
110
101
111
100
000
101
110
000
001
000
010
100
001
010
111
100
000
101
h
eilhitlerDecryption: Ciphertext Key = PlaintextCiphertext:Key:Plaintext:Slide19
Part 1 Cryptography 19
One
-Time
Pade=000 h=001 i=010 k=011 l=100 r=101 s=110 t=111srl
h
s
s
t
h
s
r
110
101
100
001
110
110
111
001
110
101
101
111
000
101
111
100
000
101
110
000
011
010
100
100
001
010
111
100
000
101
k
illhitlerCiphertext:“key”:“Plaintext”:Double agent claims sender used following “key”Slide20
Part 1 Cryptography 20
One
-Time
Pade=000 h=001 i=010 k=011 l=100 r=101 s=110 t=111srl
h
s
s
t
h
s
r
110
101
100
001
110
110
111
001
110
101
111
101
000
011
101
110
001
011
101
101
001
000
100
010
011
000
110
010
011
000
h
elikesikeCiphertext:“key”:“Plaintext”:Or sender is captured and claims the key is…Slide21
Part 1 Cryptography 21
One
-Time
Pad SummaryProvably secure…Ciphertext provides no info about plaintextAll plaintexts are equally likely…but, only when used correctlyPad must be random, used only oncePad is known only to sender and receiverNote: pad (key) is same size as messageSo, why not distribute msg instead of pad?Slide22
Part 1 Cryptography 22
Codebook Cipher
Literally, a book filled with “
codewords”Zimmerman Telegram encrypted via codebook Februar 13605 fest 13732 finanzielle 13850 folgender 13918 Frieden 17142 Friedenschluss 17149 : :Modern block ciphers are codebooks!More about this later…Slide23
Codebook Cipher: AdditiveCodebooks also (usually) use additive
Additive
book of “random” numbersEncrypt message with codebookThen choose position in additive bookAdd additives to get ciphertextSend ciphertext and additive position (MI)Recipient subtracts additives before decryptingWhy use an additive sequence? Part 1 Cryptography 23Slide24
Part 1 Cryptography 24
Claude Shannon
The founder of Information Theory
1949 paper: Comm. Thy. of Secrecy SystemsFundamental conceptsConfusion obscure relationship between plaintext and ciphertextDiffusion spread plaintext statistics through the ciphertextProved one-time pad is secureOne-time pad is confusion-only, while double transposition is diffusion-onlySlide25
Part 1 Cryptography 25
Taxonomy of Cryptography
Symmetric Key
Same key for encryption and decryptionTwo types: Stream ciphers, Block ciphersPublic Key (or asymmetric crypto)Two keys, one for encryption (public), and one for decryption (private)And digital signatures nothing comparable in symmetric key cryptoHash algorithmsCan be viewed as “one way” cryptoSlide26
Part 1 Cryptography 26
Taxonomy of Cryptanalysis
From perspective of info available to Trudy
Ciphertext onlyKnown plaintextChosen plaintext“Lunchtime attack”Protocols might encrypt chosen dataAdaptively chosen plaintextRelated keyForward search (public key crypto)And others…Slide27
Part 1 Cryptography 27
Chapter 3:
Symmetric Key Crypto
The chief forms of beauty are order and symmetry… Aristotle“You boil it in sawdust: you salt it in glue:You condense it with locusts and tape:Still keeping one principal object in view To preserve its symmetrical shape.” Lewis Carroll, The Hunting of the SnarkSlide28
Part 1 Cryptography 28
Symmetric Key Crypto
Stream cipher
based on one-time padExcept that key is relatively shortKey is stretched into a long keystreamKeystream is used just like a one-time padBlock cipher based on codebook conceptBlock cipher key determines a codebookEach key yields a different codebookEmploys both “confusion” and “diffusion”Slide29
Part 1 Cryptography 29
Stream CiphersSlide30
Part 1 Cryptography 30
Stream Ciphers
Once upon a time, not so very long ago, stream ciphers were the king of crypto
Today, not as popular as block ciphersWe’ll discuss two stream ciphers…A5/1Based on shift registersUsed in GSM mobile phone systemRC4Based on a changing lookup tableUsed many placesSlide31
Part 1 Cryptography 31
A5/
1: Shift Registers
A5/1 uses 3 shift registersX: 19 bits (x0,x1,x2, …,x18)Y: 22 bits (y0,y1,y2, …,y21)Z: 23 bits (z
0
,
z
1
,
z
2
,
…,z
22
)Slide32
Part 1 Cryptography 32
A5/
1:
KeystreamAt each step: m = maj(x8, y10, z10) Examples: maj(0,1,0) = 0 and maj(1,1,0) = 1 If x8 = m then X steps t = x
13
x
16
x
17
x
18
x
i
=
x
i
1
for
i
= 18,17,…,1 and
x
0
= tIf y
10 = m then
Y stepst =
y20
y21
yi = y
i
1
for
i = 21,20,…,1 and y0 = tIf z10 = m then Z stepst = z7 z20 z21 z22zi = zi1 for i = 22,21,…,1 and z0 = tKeystream bit is x18 y21 z22 Slide33
Part 1 Cryptography 33
A5/1
Each variable here is a single bit
Key is used as initial fill of registersEach register steps (or not) based on maj(x8, y10, z10)Keystream bit is XOR of rightmost bits of registersy0
y
1
y
2
y
3
y
4
y
5
y
6
y
7
y
8
y
9
y
10
y
11
y
12
y
13
y
14
y
15
y
16
y
17
y
18
y
19
y20y21z0z1z2z3z4z5z6z7z8 z9 z10 z11 z12z13z14z15z16z17z18z19z20z21
z22X
YZ
x
0
x
1
x
2
x
3
x
4
x
5
x
6
x
7
x
8
x
9
x
10
x
11
x
12
x
13
x
14
x
15
x
16
x
17
x
18Slide34
Part 1 Cryptography 34
A5/1
In this example,
m = maj(x8, y10, z10) = maj(1,0,1) = 1 Register X steps, Y does not step, and Z stepsKeystream bit is XOR of right bits of registersHere,
keystream
bit will be
0
1
0 = 1
1
1
0
0
1
1
0
0
1
1
0
0
1
1
0
0
1
1
0
0
0
1
1
1
1
0
0
0
0
1
1
11000011110001XYZ1
010
1
0
1
0
1
0
1
0
1
0
1
0
1
0
1Slide35
Part 1 Cryptography 35
Shift Register Crypto
Shift
register crypto efficient in hardwareOften, slow if implemented in softwareIn the past, very popularToday, more is done in software due to fast processorsShift register crypto still used in some casesResource-constrained devicesSlide36
Part 1 Cryptography 36
RC4
A self-modifying lookup table
Table always contains a permutation of the byte values 0,1,…,255Initialize the permutation using keyAt each step, RC4 does the followingSwaps elements in current lookup tableSelects a keystream byte from tableEach step of RC4 produces a byteEfficient in softwareEach step of A5/1 produces only a bitEfficient in hardwareSlide37
Part 1 Cryptography 37
RC4 Initialization
S[] is permutation of 0,1,...,255
key[] contains N bytes of key for i = 0 to 255 S[i] = i K[i] = key[i (mod N)] next i j = 0 for i = 0 to 255 j = (j +
S[i
] +
K[i
]) mod 256
swap(S[i
],
S[j
])
next
i
i
=
j
= 0Slide38
Part 1 Cryptography 38
RC4 Keystream
For each
keystream byte, swap elements in table and select byte i = (i + 1) mod 256 j = (j + S[i]) mod 256 swap(S[i], S[j]) t = (S[i] + S[j]) mod 256 keystreamByte = S[t]Use keystream
bytes like a one-time pad
Note:
first 256 bytes
should
be discarded
Otherwise, related key
attack existsSlide39
Part 1 Cryptography 39
Stream Ciphers
Stream ciphers were popular in the past
Efficient in hardwareSpeed was needed to keep up with voice, etc.Today, processors are fast, so software-based crypto is usually more than fast enoughFuture of stream ciphers?Shamir declared “the death of stream ciphers”May be greatly exaggerated…Slide40
Part 1 Cryptography 40
Block CiphersSlide41
Part 1 Cryptography 41
(Iterated) Block Cipher
Plaintext and
ciphertext consist of fixed-sized blocksCiphertext obtained from plaintext by iterating a round functionInput to round function consists of key and output of previous roundUsually implemented in softwareSlide42
Part 1 Cryptography 42
Feistel Cipher: Encryption
Feistel
cipher is a type of block cipher, not a specific block cipherSplit plaintext block into left and right halves: P = (L0,R0)For each round i = 1,2,...,n, compute Li= Ri1 Ri= Li
1
F(R
i
1
,K
i
)
where
F
is
round function
and
K
i
is
subkey
Ciphertext
:
C
= (Ln
,Rn)Slide43
Part 1 Cryptography 43
Feistel Cipher: Decryption
Start with
ciphertext C = (Ln,Rn)For each round i = n,n1,…,1, compute Ri1 = Li Li1 = Ri
F(R
i
1
,K
i
)
where
F
is round function
and
K
i
is
subkey
Plaintext:
P
=
(L
0
,R
0)Formula “works” for any function F
But only secure for certain functions FSlide44
Feistel Cipher Design ElementsSlide45
Part 1 Cryptography 45
Data Encryption Standard
DES
developed in 1970’sDES is a Feistel cipher with…64 bit block length56 bit key length16 rounds48 bits of key used each round (subkey)Each round is simple (for a block cipher)Security depends heavily on “S-boxes”Each S-boxes maps 6 bits to 4 bitsSlide46
Part 1 Cryptography 46
L
R
expandshift
shift
key
key
S-boxes
compress
L
R
28
28
28
28
28
28
48
32
48
32
32
32
32
One
Round
of
DES
48
32
K
i
P box
Slide47
Part 1 Cryptography 47
DES Expansion Permutation
Input 32 bits
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31Output 48 bits 31 0 1 2 3 4 3 4 5 6 7 8 7 8 9 10 11 12 11 12 13 14 15 16 15 16 17 18 19 20 19 20 21 22 23 24 23 24 25 26 27 28 27 28 29 30 31 0Slide48
Part 1 Cryptography 48
DES S-box
8 “substitution boxes” or S-boxes
Each S-box maps 6 bits to 4 bitsS-box number 1input bits (0,5) input bits (1,2,3,4) | 0000 0001 0010 0011 0100 0101 0110 0111 1000 1001 1010 1011 1100 1101 1110 1111------------------------------------------------------------------------------------00 | 1110 0100 1101 0001 0010 1111 1011 1000 0011 1010 0110 1100 0101 1001 0000 011101 | 0000 1111 0111 0100 1110 0010 1101 0001 1010 0110 1100 1011 1001 0101 0011 100010 | 0100 0001 1110 1000 1101 0110 0010 1011 1111 1100 1001 0111 0011 1010 0101 000011 | 1111 1100 1000 0010 0100 1001 0001 0111 0101 1011 0011 1110 1010 0000 0110 1101Slide49
Part 1 Cryptography 49
DES P-box
Input 32 bits
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31Output 32 bits 15 6 19 20 28 11 27 16 0 14 22 25 4 17 30 9 1 7 23 13 31 26 2 8 18 12 29 5 21 10 3 24Slide50
Part 1 Cryptography 50
DES Subkey
56 bit DES key, numbered 0,1,2,…,55
Left half key bits, LK 49 42 35 28 21 14 7 0 50 43 36 29 22 15 8 1 51 44 37 30 23 16 9 2 52 45 38 31Right half key bits, RK 55 48 41 34 27 20 13 6 54 47 40 33 26 19 12 5 53 46 39 32 25 18 11 4 24 17 10 3Slide51
Part 1 Cryptography 51
DES Subkey
For rounds
i=1,2,...,16Let LK = (LK circular shift left by ri)Let RK = (RK circular shift left by ri)Left half of subkey Ki is of LK bits 13 16 10 23 0 4 2 27 14 5 20 9 22 18 11 3 25 7 15 6 26 19 12 1Right half of subkey Ki is RK bits
12 23 2 8 18 26 1 11 22 16 4 19
15 20 10 27 5 24 17 13 21 7 0 3Slide52
Part 1 Cryptography 52
DES Subkey
For rounds
1, 2, 9 and 16 the shift ri is 1, and in all other rounds ri is 2Bits 8,17,21,24 of LK omitted each roundBits 6,9,14,25 of RK omitted each roundCompression permutation yields 48 bit subkey Ki from 56 bits of LK and RKKey schedule generates subkeySlide53
Part 1 Cryptography 53
DES Last Word (Almost)
An initial permutation before round 1
Halves are swapped after last roundA final permutation (inverse of initial perm) applied to (R16,L16) None of this serves security purposeSlide54
Part 1 Cryptography 54
Security of DES
Security
depends heavily on S-boxesEverything else in DES is linearThirty+ years of intense analysis has revealed no “back door”Attacks, essentially exhaustive key searchInescapable conclusions Designers of DES knew what they were doingDesigners of DES were way ahead of their timeSlide55
Part 1 Cryptography 55
Block Cipher Notation
P =
plaintext block C = ciphertext blockEncrypt P with key K to get ciphertext CC = E(P, K)Decrypt C with key K to get plaintext PP = D(C, K)Note: P = D(E(P, K), K) and C = E(D(C, K), K)But P D(E(P, K1), K2) and C
E(D(C, K
1
), K
2
)
when
K
1
K
2Slide56
Part 1 Cryptography 56
Triple DES
Today, 56 bit DES key is too
smallExhaustive key search is feasibleBut DES is everywhere, so what to do?Triple DES or 3DES (112 bit key) C = E(D(E(P,K1),K2),K1) P = D(E(D(C,K1),K2),K1)Why Encrypt-Decrypt-Encrypt with 2 keys?Backward compatible: E(D(E(P,K),K),K) = E(P,K)And 112 bits is enoughSlide57
Part 1 Cryptography 57
3DES
Why not
C = E(E(P,K),K) ?Trick question --- it’s still just 56 bit keyWhy not C = E(E(P,K1),K2) ?A (semi-practical) known plaintext attackPre-compute table of E(P,K1) for every possible key K1 (resulting table has 256 entries) Then for each possible K2 compute D(C,K2) until a match in table is foundWhen match is found, have E(P,K1
) = D(C,K
2
)
Result gives us keys:
C = E(E(P,K
1
),K
2
)
Slide58
Part 1 Cryptography 58
Advanced Encryption Standard
Replacement for DES
AES competition (late 90’s)NSA openly involvedTransparent processMany strong algorithms proposedRijndael Algorithm ultimately selected (pronounced like “Rain Doll” or “Rhine Doll”)Iterated block cipher (like DES)Not a Feistel cipher (unlike DES)Slide59
Part 1 Cryptography 59
AES Overview
Block size:
128 bits (others in Rijndael)Key length: 128, 192 or 256 bits (independent of block size)10 to 14 rounds (depends on key length)Each round uses 4 functions (3 “layers”)ByteSub (nonlinear layer)ShiftRow (linear mixing layer)MixColumn (nonlinear layer)AddRoundKey (key addition layer)Slide60
Part 1 Cryptography 60
AES ByteSub
ByteSub
is AES’s “S-box”Can be viewed as nonlinear (but invertible) composition of two math operationsTreat 128 bit block as 4x6 byte arraySlide61
Part 1 Cryptography 61
AES “S-box”
First 4
bits ofinputLast 4 bits of inputSlide62
Part 1 Cryptography 62
AES ShiftRow
Cyclic shift rowsSlide63
Part 1 Cryptography 63
AES MixColumn
Implemented as a (big) lookup table
Invertible, linear operation applied to each columnSlide64
Part 1 Cryptography
64
AES AddRoundKey
RoundKey (subkey) determined by key schedule algorithmXOR subkey with blockBlockSubkeySlide65
Part 1 Cryptography 65
AES Decryption
To decrypt, process must be invertible
Inverse of MixAddRoundKey is easy, since “” is its own inverseMixColumn is invertible (inverse is also implemented as a lookup table)Inverse of ShiftRow is easy (cyclic shift the other direction)ByteSub is invertible (inverse is also implemented as a lookup table)Slide66
Part 1 Cryptography 66
A Few Other Block Ciphers
Briefly…
IDEABlowfishRC6More detailed…TEASlide67
Part 1 Cryptography 67
Block Cipher ModesSlide68
Part 1 Cryptography 68
Multiple Blocks
How to encrypt multiple blocks?
Do we need a new key for each block?As bad as (or worse than) a one-time pad!Encrypt each block independently?Make encryption depend on previous block?That is, can we “chain” the blocks together?How to handle partial blocks?We won’t discuss this issueSlide69
Part 1 Cryptography 69
Modes of Operation
Many modes
we discuss 3 most popularElectronic Codebook (ECB) modeEncrypt each block independentlyMost obvious, but has a serious weaknessCipher Block Chaining (CBC) modeChain the blocks togetherMore secure than ECB, virtually no extra workCounter Mode (CTR) modeBlock ciphers acts like a stream cipherPopular for random accessSlide70
Part 1 Cryptography 70
Electronic Codebook
(ECB)
ModeNotation: C = E(P,K)Given plaintext P1,P2,…,Pm,…Most obvious way to use a block cipher: Encrypt Decrypt C1 = E(P1, K) P1
=
D(C
1
,
K
)
C
2
=
E(P
2
,
K
)
P
2
=
D(C
2
,
K
)
C
3
= E(P3
, K) … P
3 = D(C3,
K) …For
fixed key K, this is “electronic” version of a codebook cipher (without additive)
With a different codebook for each keySlide71
Part 1 Cryptography 71
ECB Cut and Paste
Suppose plaintext is
Alice likes Bob. Trudy likes Tom.Assuming 64-bit blocks and 8-bit ASCII: P1 = “Alice li”, P2 = “kes Bob.”, P3 = “Trudy li”, P4 = “ke
s
Tom
.
”
Ciphertext:
C
1
,C
2
,C
3
,C
4
Trudy cuts and pastes:
C
1
,
C
4
,C
3
,
C
2
Decrypts as
Alice
likes Tom. Trudy likes
Bob.Slide72
Part 1 Cryptography 72
ECB Weakness
Suppose
Pi = PjThen Ci = Cj and Trudy knows Pi = PjThis gives Trudy some information, even if she does not know Pi or PjTrudy might know PiIs this a serious issue?Slide73
Part 1 Cryptography 73
Alice Hates ECB Mode
Alice’s uncompressed
image, and ECB encrypted (TEA)Why does this happen?Same plaintext yields same ciphertext!Slide74
Part 1 Cryptography 74
Cipher Block Chaining
(CBC)
ModeBlocks are “chained” togetherA random initialization vector, or IV, is required to initialize CBC modeIV is random, but not secret Encryption Decryption C1 = E(IV P1, K), P1 = IV D(C1, K),
C
2
=
E(C
1
P
2
,
K),
P
2
=
C
1
D(C
2
,
K),
C
3
=
E(C
2
P3
, K),… P3 =
C2 D(C
3, K),…
Analogous to classic codebook with additiveSlide75Slide76
Part 1 Cryptography 76
CBC Mode
Identical plaintext blocks yield different
ciphertext blocks this is good!If C2 is garbled to, say, G then P2 C1 D(G, K), P3 G D(C3, K)But P4 = C3
D(C
4
,
K),
P
5
=
C
4
D(C
5
,
K),…
Automatically recovers from errors
!
Cut and paste is still possible, but more complex (and will cause garbles)Slide77
Part 1 Cryptography 77
Alice Likes CBC Mode
Alice’s uncompressed image, Alice CBC encrypted (TEA)
Why does this happen?Same plaintext yields different ciphertext!Slide78
Part 1 Cryptography 78
Counter
(CTR) Mode
CTR is popular for random accessUse block cipher like a stream cipher Encryption Decryption C1 = P1 E(IV, K), P1 = C1 E(IV, K), C2 = P2 E(IV+1, K), P2 =
C
2
E(IV+1, K),
C
3
=
P
3
E(IV+2, K),…
P
3
=
C
3
E(IV+2, K),…
CBC
can also be
used for random
access
With a significant limitation…Slide79Slide80
Advantages of CTR modeHardware efficiency
Encryption/decryption can be done in parallel on multiple blocks of plaintext or ciphertext
Throughput is only limited by the amount of parallelism that is achieved
Software efficiencyBecause of the opportunities for parallel execution, processors that support parallel features can be effectively utilizedPreprocessingThe execution of the underlying encryption algorithm does not depend on input of the plaintext or ciphertext --- when the plaintext or ciphertext input is presented, the only computation is a series of XORs, greatly enhancing throughputRandom accessThe ith block of plaintext or ciphertext can be processed in random-access fashionProvable securityIt can be shown that CTR is at least as secure as the other modes discussed in this sectionSimplicityRequires only the implementation of the encryption algorithm and not the decryption algorithmSlide81
Part 1 Cryptography 81
IntegritySlide82
Part 1 Cryptography 82
Data Integrity
Integrity
detect unauthorized writing (i.e., modification of data)Example: Inter-bank fund transfersConfidentiality may be nice, integrity is criticalEncryption provides confidentiality (prevents unauthorized disclosure)Encryption alone does not provide integrityOne-time pad, ECB cut-and-paste, etc.Slide83
Part 1 Cryptography 83
MAC
Message Authentication Code (
MAC)Used for data integrity Integrity not the same as confidentialityMAC is computed as CBC residueThat is, compute CBC encryption, saving only final ciphertext block, the MACSlide84
Part 1 Cryptography 84
MAC Computation
MAC
computation (assuming N blocks) C1 = E(IV P1, K), C2 = E(C1 P2, K), C3 = E(C2 P3
,
K),…
C
N
= E(C
N
1
P
N
,
K) = MAC
MAC
sent with
IV
and plaintext
Receiver does same computation and verifies that result agrees with
MAC
Note: receiver must
know the key
KSlide85
Part 1 Cryptography 85
Does
a
MAC work?Suppose Alice has 4 plaintext blocksAlice computes C1 = E(IVP1,K), C2 = E(C1P2,K),
C
3
=
E(
C
2
P
3
,K
),
C
4
=
E(
C
3
P
4
,K
) =
MAC
Alice sends
IV,P
1
,P2,P
3,P4 and
MAC to Bob Suppose Trudy changes P
2 to X Bob computes
C1 = E(IV
P
1
,K
), C2 = E(C1X,K), C3 = E(C2P3,K), C4 = E(C3P4,K) = MAC MACThat is, error propagates into MACTrudy can’t make MAC == MAC without KSlide86
Part 1 Cryptography 86
Confidentiality and Integrity
Encrypt with one key
, MAC with another key Why not use the same key?Send last encrypted block (MAC) twice? This cannot add any security!Using different keys to encrypt and compute MAC works, even if keys are relatedBut, twice as much work as encryption aloneCan do a little better about 1.5 “encryptions”Confidentiality and integrity with same work as one encryption is a research topicSlide87
Part 1 Cryptography 87
Uses for Symmetric Crypto
Confidentiality
Transmitting data over insecure channelSecure storage on insecure mediaIntegrity (MAC)Authentication protocols (later…)Anything you can do with a hash function (upcoming chapter…)Slide88
Part 1 Cryptography 88
Chapter 4:
Public Key Cryptography
You should not live one way in private, another in public. Publilius SyrusThree may keep a secret, if two of them are dead. Ben FranklinSlide89
Part 1 Cryptography 89
Public Key Cryptography
Two keys
Sender uses recipient’s public key to encryptRecipient uses private key to decryptBased on “trap door one way function”“One way” means easy to compute in one direction, but hard to compute in other directionExample: Given p and q, product N = pq easy to compute, but given N, it’s hard to find p and q“Trap door” used to create key pairsSlide90
Part 1 Cryptography 90
Public Key Cryptography
Encryption
Suppose we encrypt M with Bob’s public keyBob’s private key can decrypt to recover MDigital SignatureSign by “encrypting” with your private keyAnyone can verify signature by “decrypting” with public keyBut only you could have signedLike a handwritten signature, but way better…Slide91
Part 1 Cryptography 91
KnapsackSlide92
Part 1 Cryptography 92
Knapsack Problem
Given a set of
n weights W0,W1,...,Wn-1 and a sum S, is it possible to find ai {0,1} so that S = a0W0+a1W1 +...+ an-1Wn-1 (technically, this is “subset sum” problem)Example
Weights
(62,93,26,52,166,48,91,141)
Problem: Find subset that sums to
S=302
Answer:
62+26+166+48=302
The (general) knapsack is NP-completeSlide93
Part 1 Cryptography 93
Knapsack Problem
General knapsack
(GK) is hard to solveBut superincreasing knapsack (SIK) is easySIK: each weight greater than the sum of all previous weightsExampleWeights (2,3,7,14,30,57,120,251) Problem: Find subset that sums to S=186Work from largest to smallest weight Answer: 120+57+7+2=186Slide94
Part 1 Cryptography 94
Knapsack Cryptosystem
Generate
superincreasing knapsack (SIK)Convert SIK into “general” knapsack (GK)Public Key: GKPrivate Key: SIK plus conversion factor Ideally…Easy to encrypt with GKWith private key, easy to decrypt (convert ciphertext to SIK problem)Without private key, must solve GKSlide95
Part 1 Cryptography 95
Knapsack Keys
Start with
(2,3,7,14,30,57,120,251) as the SIKChoose m = 41 and n = 491 (m, n relatively prime, n exceeds sum of elements in SIK)Compute “general” knapsack 2 41 mod 491 = 82 3 41 mod 491 = 123 7
41 mod 491 = 287
14
41 mod 491 = 83
30
41 mod 491 = 248
57
41 mod 491 = 373
120
41 mod 491 = 10
251
41 mod 491 = 471
“General” knapsack:
(82,123,287,83,248,373,10,471)Slide96
Part 1 Cryptography 96
Knapsack
Cryptosystem
Private key: (2,3,7,14,30,57,120,251) m1 mod n = 411 mod 491 = 12Public key: (82,123,287,83,248,373,10,471)Example: Encrypt 10010110 82 + 83 + 373 + 10 = 548To decrypt, 548 · 12 = 193 mod 491
Solve (easy) SIK with
S = 193
Obtain plaintext
10010110Slide97
Part 1 Cryptography 97
Knapsack Weakness
Trapdoor:
Convert SIK into “general” knapsack using modular arithmeticOne-way: General knapsack easy to encrypt, hard to solve; SIK easy to solveThis knapsack cryptosystem is insecureBroken in 1983 with Apple II computerThe attack uses lattice reduction“General knapsack” is not general enough!This special knapsack is easy to solve!Slide98
Part 1 Cryptography 98
RSASlide99
Part 1 Cryptography 99
RSA
By Clifford Cocks
(GCHQ), independently, Rivest, Shamir, and Adleman (MIT)RSA is the gold standard in public key cryptoLet p and q be two large prime numbersLet N = pq be the modulusChoose e relatively prime to (p1)(q1)Find d such that ed
= 1 mod (p
1)(q
1
)
i.e.,
d
= e
-1
mod
(p
1)(q
1
)
Public key
is
(
N
,
e
)
Private key
is
dSlide100
Part 1 Cryptography 100
RSA
Message
M is treated as a numberTo encrypt M we computeC = Me mod N To decrypt ciphertext C computeM = Cd mod N Recall that e and N are publicIf Trudy can factor N=pq, she can use e to easily find d since ed = 1 mod (p
1)(q
1)
Factoring the modulus breaks RSA
Is
factoring
the
only way to break
RSA?Slide101
Part 1 Cryptography 101
Does RSA Really Work?
Given
C = Me mod N we must show M = Cd mod N = Med mod NWe’ll use Euler’s Theorem: If x is relatively prime to n then x(n) = 1 mod n Facts: ed = 1 mod (p
1)(q
1)
By definition of “mod”,
ed
=
k(p
1)(q
1) + 1
(N
) = (
p
1)(q
1)Then,
ed 1 = k(p
1)(q 1) = k(N
) Finally, C
d = M
ed = M(
ed 1) + 1
=
M
M
ed 1 = MMk(N) = M(M(N))k = M(1 mod N)k = M1k = M mod N Slide102
Part 1 Cryptography 102
Simple RSA Example
Example of RSA
Select “large” primes p = 11, q = 3 Then N = pq = 33 and (p − 1)(q − 1) = 20 Choose e = 3 (relatively prime to 20)Find d such that ed = 1 mod 20 We
find
that
d
= 7
works
Public key:
(N,
e
) = (33, 3)
Private key:
d
= 7
Slide103
Part 1 Cryptography 103
Simple RSA Example
Public key:
(N, e) = (33, 3) Private key: d = 7Suppose message M = 8Ciphertext C is computed asC = Me mod N = 83 = 512 = 17 mod 33 Decrypt C to recover the message M byM = Cd mod N = 177
= 410,338,673 = 12,434,505
33 + 8 = 8 mod 33 Slide104
Part 1 Cryptography 104
More Efficient RSA (1)
Modular exponentiation example
520 = 95367431640625 = 25 mod 35 A better way: repeated squaring 20 = 10100 base 2(1, 10, 101, 1010, 10100) = (1, 2, 5, 10, 20)Note that 2 = 1 2, 5 = 2 2 + 1, 10 = 2 5, 20 = 2 1051= 5 mod 3552= (51)
2
= 5
2
= 25 mod 35
5
5
= (5
2
)
2
5
1
= 25
2
5 = 3125 = 10 mod 35
5
10
= (5
5
)
2
= 10
2
= 100 = 30 mod 35520
= (510)2 = 30
2 = 900 = 25 mod 35No huge numbers and it’s efficient!Slide105
Part 1 Cryptography 105
More Efficient RSA (2)
Use
e = 3 for all users (but not same N or d) Public key operations only require 2 multipliesPrivate key operations remain expensiveIf M < N1/3 then C = Me = M3 and cube root attackFor any M, if C1, C2, C3 sent to 3 users, cube root attack works (uses Chinese Remainder Theorem)Can prevent cube root attack by padding message with random bitsNote:
e
= 2
16
+ 1
also used (“better” than
e
= 3
)Slide106
Part 1 Cryptography 106
Diffie-HellmanSlide107
Part 1 Cryptography 107
Diffie
-Hellman Key Exchange
Invented by Williamson (GCHQ) and, independently, by D and H (Stanford)A “key exchange” algorithmUsed to establish a shared symmetric keyNot for encrypting or signingBased on discrete log problem: Given: g, p, and gk mod pFind: exponent kSlide108
Part 1 Cryptography 108
Diffie
-Hellman
Let p be prime, let g be a generator For any x {1,2,…,p-1} there is n s.t. x = gn mod pAlice selects her private value aBob selects his private value bAlice sends ga mod p to BobBob sends
g
b
mod
p
to Alice
Both compute shared secret,
g
ab
mod
p
Shared secret can be used as symmetric keySlide109
Part 1 Cryptography 109
Diffie-Hellman
Suppose
Bob and Alice use Diffie-Hellman to determine symmetric key K = gab mod p Trudy can see ga mod p and gb mod pBut… ga gb mod p = ga+b mod p
g
ab
mod
p
If Trudy can find
a
or
b
,
she gets key
K
If Trudy can solve
discrete log
problem, she can find
a
or
bSlide110
Part 1 Cryptography 110
Diffie-Hellman
Public:
g and pPrivate: Alice’s exponent a, Bob’s exponent bAlice, aBob, bga mod p
g
b
mod p
Alice computes
(
g
b
)
a
=
g
ba
= g
ab
mod
p
Bob computes
(
g
a
)
b
= g
ab
mod
p
Use
K = g
ab mod p as symmetric key Slide111
Part 1 Cryptography 111
Diffie-Hellman
Subject to man-in-the-middle (MiM) attack
Alice, aBob, bga mod pgb mod p
Trudy,
t
g
t
mod p
g
t
mod p
Trudy shares secret
g
at
mod
p
with Alice
Trudy shares secret
g
bt
mod
p
with Bob
Alice and Bob don’t know Trudy exists!Slide112
Part 1 Cryptography 112
Diffie-Hellman
How to prevent
MiM attack?Encrypt DH exchange with symmetric keyEncrypt DH exchange with public keySign DH values with private keyOther?At this point, DH may look pointless……but it’s not (more on this later)In any case, you MUST be aware of MiM attack on Diffie-HellmanSlide113
Part 1 Cryptography 113
Elliptic Curve CryptographySlide114
Part 1 Cryptography 114
Elliptic Curve Crypto (ECC)
“Elliptic curve” is
not a cryptosystemElliptic curves are a different way to do the math in public key systemElliptic curve versions DH, RSA, etc.Elliptic curves may be more efficientFewer bits needed for same securityBut the operations are more complexSlide115
Part 1 Cryptography 115
What is an Elliptic Curve?
An elliptic curve E is the graph of an equation of the form
y2 = x3 + ax + bAlso includes a “point at infinity”What do elliptic curves look like?See the next slide!Slide116
Part 1 Cryptography 116
Elliptic Curve Picture
Consider elliptic curve
E: y2 = x3 - x + 1If P1 and P2 are on E, we can define P3 = P1 + P2 as shown in pictureAddition is all we need
P
1
P
2
P
3
x
ySlide117
Part 1 Cryptography 117
Points on Elliptic Curve
Consider
y2 = x3 + 2x + 3 (mod 5) x = 0 y2 = 3 no solution (mod 5) x = 1 y2 = 6 = 1 y = 1,4 (mod 5) x = 2 y2 = 15 = 0 y = 0 (mod 5) x = 3 y2 = 36 = 1 y = 1,4 (mod 5) x = 4 y2 = 75 = 0 y = 0 (mod 5)
Then points on the elliptic curve are
(1,1) (1,4) (2,0) (3,1) (3,4) (4,0)
and the point at infinity:
Slide118
Part 1 Cryptography 118
Elliptic Curve Math
Addition on:
y2 = x3 + ax + b (mod p) P1=(x1,y1), P2=(x2,y2) P1 + P2 = P3 = (x3,y3) where x3 = m2 - x1
- x
2
(mod p)
y
3
= m(x
1
- x
3
) - y
1
(mod p)
And
m = (y
2
-y
1
)
(x
2
-x
1
)
-1
mod p, if P1
P2 m = (3x1
2+a)(2y1
)-1 mod p, if P
1 = P2Special cases: If m
is infinite, P3 =
, and + P = P for all
P Slide119
Part 1 Cryptography 119
Elliptic Curve Addition
Consider
y2 = x3 + 2x + 3 (mod 5). Points on the curve are (1,1) (1,4) (2,0) (3,1) (3,4) (4,0) and What is (1,4) + (3,1) = P3 = (x3,y3)? m = (1-4)(3-1)-1 = -32-1 = 2(3) = 6 = 1 (mod 5) x3 = 1 - 1 - 3 = 2 (mod 5) y
3
= 1(1-2) - 4 = 0 (mod 5)
On this curve,
(1,4) + (3,1) =
(2,0)
Slide120
Part 1 Cryptography 120
ECC Diffie-Hellman
Public:
Elliptic curve and point (x,y) on curvePrivate: Alice’s A and Bob’s BAlice, ABob, BA
(x,y)
B(x,y)
Alice computes
A(B(x,y))
Bob computes
B(A(x,y))
These are the same since
AB = BASlide121
Part 1 Cryptography 121
ECC Diffie-Hellman
Public:
Curve y2 = x3 + 7x + b (mod 37) and point (2,5) b = 3Alice’s private: A = 4Bob’s private: B = 7Alice sends Bob: 4(2,5) = (7,32)Bob sends Alice: 7(2,5) = (18,35)Alice computes: 4(18,35) = (22,1)Bob computes: 7(7,32) = (22,1)Slide122
Part 1 Cryptography 122
Uses for Public Key CryptoSlide123
Part 1 Cryptography 123
Uses for Public Key Crypto
Confidentiality
Transmitting data over insecure channelSecure storage on insecure mediaAuthentication (later)Digital signature provides integrity and non-repudiationNo non-repudiation with symmetric keysSlide124
Part 1 Cryptography 124
Non-non-repudiation
Alice orders 100 shares of stock from Bob
Alice computes MAC using symmetric keyStock drops, Alice claims she did not orderCan Bob prove that Alice placed the order?No! Since Bob also knows the symmetric key, he could have forged messageProblem: Bob knows Alice placed the order, but he can’t prove itSlide125
Part 1 Cryptography 125
Non-repudiation
Alice orders 100 shares of stock from Bob
Alice signs order with her private keyStock drops, Alice claims she did not orderCan Bob prove that Alice placed the order?Yes! Only someone with Alice’s private key could have signed the orderThis assumes Alice’s private key is not stolen (revocation problem)Slide126
Part 1 Cryptography 126
Public Key Notation
Sign
message M with Alice’s private key: [M]AliceEncrypt message M with Alice’s public key: {M}Alice Then{[M]Alice}Alice = M[{M}Alice]Alice = MSlide127
Part 1 Cryptography 127
Sign and Encrypt
vs
Encrypt and SignSlide128
Part 1 Cryptography 128
Confidentiality and
Non-repudiation?
Suppose that we want confidentiality and integrity/non-repudiationCan public key crypto achieve both?Alice sends message to BobSign and encrypt {[M]Alice}BobEncrypt and sign [{M}Bob]AliceCan the order possibly matter?Slide129
Part 1 Cryptography 129
Sign and Encrypt
Alice
Bob{[M]Alice}Bob Q: What’s the problem? A: No problem public key is publicCharlie{[M]
Alice
}
Charlie
M
= “I love you”Slide130
Part 1 Cryptography 130
Encrypt and Sign
Alice
Bob[{M}Bob]Alice Note that Charlie cannot decrypt M Q: What is the problem? A: No problem public key is public
Charlie
[{M}
Bob
]
Charlie
M
= “My theory, which is mine….”Slide131
Part 1 Cryptography 131
Public Key InfrastructureSlide132
Part 1 Cryptography 132
Public Key Certificate
Certificate
contains name of user and user’s public key (and possibly other info)It is signed by the issuer, a Certificate Authority (CA), such as VeriSign M = (Alice, Alice’s public key), S = [M]CA Alice’s Certificate = (M, S)Signature on certificate is verified using CA’s public key: Verify that M = {S}CA Slide133
Part 1 Cryptography 133
Certificate Authority
Certificate authority (CA) is a trusted 3rd party (TTP)
creates and signs certificatesVerify signature to verify integrity & identity of owner of corresponding private keyDoes not verify the identity of the sender of certificate certificates are public keys!Big problem if CA makes a mistake (a CA once issued Microsoft certificate to someone else)A common format for certificates is X.509Slide134
Part 1 Cryptography 134
PKI
Public Key Infrastructure (PKI): the
stuff needed to securely use public key cryptoKey generation and managementCertificate authority (CA) or authoritiesCertificate revocation lists (CRLs), etc.No general standard for PKIWe mention 3 generic “trust models”Slide135
Part 1 Cryptography 135
PKI Trust Models
Monopoly model
One universally trusted organization is the CA for the known universeBig problems if CA is ever compromisedWho will act as CA???System is useless if you don’t trust the CA!Slide136
Part 1 Cryptography 136
PKI Trust Models
Oligarchy
Multiple trusted CAsThis is approach used in browsers todayBrowser may have 80 or more certificates, just to verify certificates!User can decide which CAs to trust Slide137
Part 1 Cryptography 137
PKI Trust Models
Anarchy model
Everyone is a CA…Users must decide who to trustThis approach used in PGP: “Web of trust”Why is it anarchy? Suppose a certificate is signed by Frank and you don’t know Frank, but you do trust Bob and Bob says Alice is trustworthy and Alice vouches for Frank. Should you accept the certificate?Many other trust models and PKI issuesSlide138
Part 1 Cryptography 138
Confidentiality
in the Real WorldSlide139
Part 1 Cryptography 139
Symmetric Key vs Public Key
Symmetric key +’
sSpeedNo public key infrastructure (PKI) neededPublic Key +’sSignatures (non-repudiation)No shared secret (but, private keys…)Slide140
Part 1 Cryptography 140
Notation Reminder
Public key notation
Sign M with Alice’s private key [M]Alice Encrypt M with Alice’s public key {M}Alice Symmetric key notationEncrypt P with symmetric key K C = E(P,K) Decrypt C with symmetric key K P = D(C,K) Slide141
Part 1 Cryptography 141
Real World Confidentiality
Hybrid cryptosystem
Public key crypto to establish a keySymmetric key crypto to encrypt data…AliceBobI’m Alice, {K}BobE(Bob’s data, K)
E(Alice’s data, K)
Can Bob be sure he’s talking to Alice?Slide142
Part 1 Cryptography 142
Chapter 5: Hash Functions++
“I'm sure [my memory] only works one way.” Alice remarked.
“I can't remember things before they happen.”“It's a poor sort of memory that only works backwards,” the Queen remarked.“What sort of things do you remember best?" Alice ventured to ask.“Oh, things that happened the week after next,"the Queen replied in a careless tone. Lewis Carroll, Through the Looking GlassSlide143
Part 1 Cryptography 143
Chapter 5: Hash Functions++
A boat, beneath a sunny sky
Lingering onward dreamilyIn an evening of July Children three that nestle near,Eager eye and willing ear,... Lewis Carroll, Through the Looking GlassSlide144
Part 1 Cryptography 144
Hash Function Motivation
Suppose Alice signs
MAlice sends M and S = [M]Alice to BobBob verifies that M = {S}AliceCan Alice just send S?If M is big, [M]Alice costly to compute & sendSuppose instead, Alice signs h(M), where h(M) is much smaller than M
Alice sends
M
and
S = [
h(M)]
Alice
to Bob
Bob verifies that
h(M
) = {
S}
AliceSlide145
Part 1 Cryptography 145
Hash Function Motivation
So, Alice signs
h(M) That is, Alice computes S = [h(M)]Alice Alice then sends (M, S) to BobBob verifies that h(M) = {S}AliceWhat properties must h(M) satisfy?Suppose Trudy finds M’ so that h(M) = h(M’)Then Trudy can replace (M, S) with (M’, S)
Does Bob detect this tampering?
No, since
h(M
’) =
h(M
) = {
S}
Alice
Slide146
Part 1 Cryptography 146
Crypto Hash Function
Crypto hash function
h(x) must provideCompression output length is smallEfficiency h(x) easy to compute for any xOne-way given a value y it is infeasible to find an x such that h(x) = yWeak collision resistance given x and h(x
)
, infeasible to find
y
x
such that
h(y
) =
h(x
)
Strong collision resistance
infeasible
to find
any
x
and
y
, with
x
y such that h(x) =
h(y)Lots of collisions exist, but hard to find
anySlide147
Part 1 Cryptography 147
Non-crypto Hash (1)
Data
X = (X0,X1,X2,…,Xn-1), each Xi is a byteDefine h(X) = X0+X1+X2+…+Xn-1Is this a secure cryptographic hash?Example: X = (10101010, 00001111)Hash is h(X) = 10111001If Y = (00001111, 10101010) then h(X
) =
h(Y
)
Easy to find collisions, so
not
secure…Slide148
Part 1 Cryptography 148
Non-crypto Hash (2)
Data
X = (X0,X1,X2,…,Xn-1)Suppose hash is defined as h(X) = nX0+(n1)X1+(n2)X2+…+1Xn-1Is this a secure cryptographic hash?Note that h(10101010, 00001111)
h(00001111, 10101010)
But hash of
(00000001, 00001111)
is same as hash of
(00000000, 00010001)
Not
“secure”,
but this hash is used in the (non-crypto) application
rsyncSlide149
Part 1 Cryptography 149
Non-crypto Hash (3)
Cyclic Redundancy Check (CRC)
Essentially, CRC is the remainder in a long division calculationGood for detecting burst errorsRandom errors unlikely to yield a collisionBut easy to construct collisionsCRC has been mistakenly used where crypto integrity check is required (e.g., WEP)Slide150
Part 1 Cryptography 150
Popular Crypto Hashes
MD5
invented by Rivest128 bit outputNote: MD5 collisions easy to findSHA-1 A U.S. government standard, inner workings similar to MD5160 bit outputMany other hashes, but MD5 and SHA-1 are the most widely usedHashes work by hashing message in blocksSlide151
Part 1 Cryptography 151
HMAC
Can compute a
MAC of the message M with key K using a “hashed MAC” or HMACHMAC is a keyed hashWhy would we need a key?How to compute HMAC?Two obvious choices: h(K,M) and h(M,K)Which is better?Slide152
Part 1 Cryptography 152
HMAC
Should we compute
HMAC as h(K,M) ?Hashes computed in blocksh(B1,B2) = F(F(A,B1),B2) for some F and constant AThen h(B1,B2) = F(h(B1),B2) Let M’ = (M,X)Then h(K,M’) =
F(h(K,M),X
)
Attacker can compute
HMAC
of
M’
without
K
Is
h(M,K
)
better?
Yes, but… if
h(M
’) =
h(M
)
then we might have
h
(M,K
)=
F(h(M),K
)=
F(h(M’),K
)=
h(M’,K
) Slide153
Part 1 Cryptography 153
The Right Way to HMAC
Described in RFC 2104
Let B be the block length of hash, in bytesB = 64 for MD5 and SHA-1 and Tigeripad = 0x36 repeated B timesopad = 0x5C repeated B timesThenHMAC(M,K) = h(K opad, h(K ipad, M))Slide154
Part 1 Cryptography 154
Random Numbers in CryptographySlide155
Part 1 Cryptography 155
Random Numbers
Random numbers used to generate
keysSymmetric keysRSA: Prime numbersDiffie Hellman: secret valuesRandom numbers used for noncesSometimes a sequence is OKBut sometimes nonces must be randomRandom numbers also used in simulations, statistics, etc.Such numbers need to be “statistically” randomSlide156
Random and pseudorandom Numbers
A number of network security algorithms based on cryptography make use of random numbers
Examples:
Generation of keys for the RSA public-key encryption algorithm and other public-key algorithmsGeneration of a symmetric key for use as a temporary session key; used in a number of networking applications such as Transport Layer Security, Wi-Fi, e-mail security, and IP securityIn a number of key distribution scenarios, such as Kerberos, random numbers are used for handshaking to prevent replay attacksTwo distinct and not necessarily compatible requirements for a sequence of random numbers are:RandomnessUnpredictabilitySlide157
unpredictabilityIn applications such as reciprocal authentication and session key generation, the requirement is not so much that the sequence of numbers be statistically random but that the successive members of the sequence are unpredictable
With “true” random sequences, each number is statistically independent of other numbers in the sequence and therefore unpredictable
Care must be taken that an opponent not be able to predict future elements of the sequence on the basis of earlier elementsSlide158
Part 1 Cryptography 158
Random Numbers
Cryptographic
random numbers must be statistically random and unpredictableSuppose server generates symmetric keys…Alice: KABob: KBCharlie: KCDave: KDBut, Alice, Bob, and Charlie don’t like DaveAlice, Bob, and Charlie working together must not be able to determine KD