Computer SecuritySet of slides 3

Dr Alexei Vernitski

Another useful example of a Cipher

Vigenere’s cipher (16th century)• It is like Caesar’s cipher• However, instead of one number acting as a

key, a sequence of numbers is used, one for each letter of the plaintext

• When you come to the end of the sequence, you start using it from the beginning again

For discussion

• Is Vigenere’s cipher more secure than Caesar’s cipher?

• How does Vigenere’s cipher make the attacker’s statistical analysis of the cipher text difficult?

• What statistical analysis can be applied to Vigenere’s cipher?

• As to the key length of Vigenere’s cipher, what would you consider the safe length of the key?

The key length

The general conclusions:• If the key is longer, it is used fewer times in the

encryption process, • therefore, the attacker can obtain less useful

statistics from the cyphertext.• The ultimate case of this is the one-time pad,

which is a key that is at least as long as the message.

One-time pad

• By a one-time pad we mean a Vigenere cipher whose key sequence (known as key stream) is as long as the message, and never reused.

• A one-time pad cipher is unbreakable. Why?

One-time pad

• Venona project is an example of breaking incorrectly used one-time pads

• Cryptanalysis by American and British code-breakers revealed that some of the one-time pad material had incorrectly been reused by the Soviets (specifically, entire pages, although not complete books), which allowed decryption (sometimes only partial) of a small part of the traffic.

http://en.wikipedia.org/wiki/Venona_project

Example: optical encryption

• This is an unusual example of a one-time pad• This cipher is unbreakable• It can be used e.g. if one half is shown on the

computer screen and the other is printed on a transparent film

To encrypt a black pixel:

and

The first slide The second slide

and

either

or

To encrypt a white pixel:

and

The first slide The second slide

and

either

or

Towards ciphers in computers

• Caesar’s cipher• Substitution cipher• Vigenere’s cipher• One-time pad (Vernam’s

cipher)

• In computers data is stored as bits, not as letters

• How can one re-apply the principles of these classical ciphers to binary data?

Substitution as XOR

• Each bit of a block is either 0 or 1• When you encrypt, one of two possible

substitutions can be used:– Either 0 → 0, 1 → 1,– Or 0 → 1, 1 → 0.

• Each of these two substitution can be produced by XORing this bit with 0 or 1

Bitwise XOR

• The same idea as in Vigenere’s cipher• The key is a binary array• The message is split in blocks• The length of the block is the same as the

length of the key• Each bit of the block is XORed with the

corresponding bit of the key

Bitwise XOR: example

0 1 1 0 1 0 1 0

1 0 1 0 1 1 0 0

block

key

XOR

XOR

• Each computer cipher uses – either XOR (typically, so-called stream ciphers)– or bit-wise XOR (typically, so-called block ciphers)

• In your opinion, what is the main design problem of stream ciphers?

• In your opinion, what is the main design problem of block ciphers?

Block cipher

• A message is a sequence of bits, for example:0110010100001011110…

• We split the message in blocks of a fixed length

• Each block is encrypted in exactly the same way, until the whole message is encrypted

Block cipher

• Each block is encrypted in exactly the same way, until the whole message is encrypted

• Therefore, to make cryptoanalysis more difficult…

• Each block should be sufficiently long (why?)• The encryption of each block should be good

Permutation

• Also called transposition• (but is NOT the same as substitution)• This is a rule directing how the order of bits

should be changed, for example:

0 1 1 0 0 1 1 0

1 1 0 0 1 0 0 1

Permutation

• Permutation makes ciphers stronger• For example, probably nobody can break the

Dorabella cipher because it uses both substitution and permutation

• However, there are techniques designed to break ciphers based on substitution and permutation: for example, differential cryptanalysis

Differential cryptanalysis

• It is called ‘differential’ because the attacker studies how a small change in the plaintext block affects the encrypted block

• It can be attempted against every cipher, but is especially successful against ciphers based on substitution and permutation

• We present it in the scenario of a known plaintext attack

• For the sake of an example, we consider a cipher with block length merely 4 bits

Example of differential cryptanalysis

• We shall apply differential cryptanalysis against a block cipher based only on applying a fixed permutation to each block and XOR of each block with a fixed binary array.

• Suppose the following known plaintext blocks0000 1000 1100 0110 1111

• correspond to the following ciphertext blocks1001 1000 0000 0101 0110.

• Break the cipher by determining exactly what permutation was applied and what binary array was used to XOR with each block.

S-box

• S-box or a substitution box is a function producing a highly non-linear substitution of bits in a binary array

• In books, S-boxes are normally represented as look-up tables

S-box: an example(in the form of a table as S-boxes are often represented in books)

  *00* *01* *10* *11*

0**0 01 00 11 10

0**1 11 10 01 00

1**0 00 10 01 11

1**1 11 01 00 11

S-box: non-linearity

  *00* *01* *10* *11*

0**0 01 00 11 10

0**1 11 10 01 00

1**0 00 10 01 11

1**1 11 01 00 11

For example, does the first bit of the output depend on the third bit of the input?Yes in a half of the cases, No in the other half of the cases

Famous block ciphers

• DES• Triple DES• AES

A round in a Feistel cipher

Left-hand part of the block

Left-hand part of the block

Right-hand part of the block

Right-hand part of the block

XOR F

Rounds in a Feistel cipher

Left-hand part of the block

Left-hand part of the block

Right-hand part of the block

Right-hand part of the block

XOR F

XOR

Right-hand part of the blockLeft-hand part of the block

F

DES

• DES stands for Data Encryption Standard• This is a block cipher with the block size 64

and the key size 56• Number of S-boxes: 8• Number of rounds: 16• Which of these parameters make DES an

insecure cipher?

Breaking DES

• In 1998, a purpose-built computer Deep Crack decrypted a DES-encrypted text in only 56 hours

• In 2012, a cloud computing tool allows members of the general public to recover a DES key from a known plaintext-ciphertext pair in about 24 hours.

Triple DES

• The algorithm is easy:– Encrypt with DES using key 1– Decrypt with DES using key 2– Encrypt with DES using key 3

• Why is Triple DES stronger than DES?

AES

• AES has been created in the 1990s to provide the businesses worldwide with a new common secure cryptosystem instead of DES

• It has been tested by many cryptologists and is very good

• AES can work with keys consisting of 128 or 192 or 256 bits (which is much better than the 56-bit keys of DES)

• A cute cartoon guide to AES:http://www.moserware.com/2009/09/stick-figure-guide-to-advanced.html

Modes of operation (of block ciphers)

• What if blocks repeat because of the peculiar nature of your data?

• What if you are sending the same message again?

• How can we improve security in these scenarios?

Homework

1. You might read that triple DES is ‘too slow’.For example:http://1.bp.blogspot.com/_Zfbv3mHcYrc/SreojET_QBI/AAAAAAAABkc/knYwS6AsM04/s1600-h/aes_act_1_scene_11_triple_des_1100.png

In what sense and in what context can one be saying that triple DES is too slow?

2. Some experts think that the block length of DES is too short and, therefore, is insecure (why?). What is the block length of Triple DES? What is the block length of AES?

Sample exam questions

• Describe how an attack based on differential cryptanalysis can be organised against a block cipher

• Explain briefly what an S-box is and how it contributes to security

Sample exam questions

• You work as a computer consultant. Your customer asks you which vulnerabilities were discovered in DES that made it necessary to invent new ciphers to replace DES. What will you reply?

• You work as a computer consultant. Your customer asks you about a computer cipher called Triple AES. What will you reply?

Sample exam questions

• Explain how the short key length makes DES a weak cipher

• Explain how the short block length might make DES a weak cipher

Sample exam questions

• Explain the difference between DES, Triple DES and AES.

• State which one of them you would recommend to use.