
Cryptography | Classical Cryptosystems | Public Key Cryptography | Cryptographic Checksums

Cryptography

CS3SR3/SE3RA3

Ryszard Janicki

Acknowledgments: Material based on Computer Security: Art and Science by Matt Bishop (Chapter 9)

Ryszard Janicki Cryptography 1 / 38


Cryptography and Cryptosystems

Cryptography ≡ Secret Writing in Greek

Definition (Cryptosystem)

A cryptosystem is a 5-tuple $(E, D, M, K, C)$, where:

$M$ is the set of plaintexts,

$K$ is the set of keys,

$C$ is the set of ciphertexts,

$E = \{E_k \mid k \in K\}$, where each $E_k : M \to C$, is the set of enciphering functions,

$D = \{D_k \mid k \in K\}$, where each $D_k : C \to M$, is the set of deciphering functions.


Caesar Cipher

Example (Caesar Cipher)

Idea: letters are shifted and key = shift. If $k = 3$ then A → D, B → E, ..., Z → C, and "HELLO" → "KHOOR".

$M$ = all sequences in Roman letters = $\{A, B, C, \ldots, Z\}^*$,

$K = \{i \mid 0 \le i \le 25\}$, or $K = \{i \mid 1 \le i \le 26\}$,

$E = \{E_k \mid k \in K\}$, where for each $m \in M$, $E_k(m) = m_k$, and $m_k$ is derived from $m$ by shifting each letter by $k$,

$D = \{D_k \mid k \in K\}$, where for each $c \in C$, $D_k(c) = c_k$, and $c_k$ is derived from $c$ by shifting back each letter by $k$,

$C = M$.


Goals and Adversaries

The goal of cryptography is to keep enciphered information secret.

An adversary wants to break a ciphertext.

The adversary knows D and E. Three types of attacks:

1 Ciphertext only - the adversary has only the ciphertext. Goal: the plaintext and, if possible, the key.

2 Known plaintext - the adversary has the ciphertext and the plaintext that was enciphered. Goal: the key.

3 Chosen plaintext - the adversary may ask that specific plaintexts be enciphered, and is given the corresponding ciphertexts. Goal: the key.

A good cryptosystem protects against all three types of attacks.


Classical Cryptosystems

Definition

Classical cryptosystems (also called single-key or symmetric cryptosystems) are cryptosystems that use the same key for encipherment and decipherment. In these systems, for all $E_k \in E$ and $k \in K$, there is a $D_k \in D$ such that $D_k = E_k^{-1}$.

Example

The Caesar cipher discussed earlier had a key of 3, so the enciphering function was $E_3$. To decipher "KHOOR", we used the same key in the decipherment function $D_3$. Hence, the Caesar cipher is a classical cipher.

There are two basic types of classical ciphers:

transposition ciphers, and

substitution ciphers.


Transposition Ciphers

Definition

A transposition cipher rearranges the characters in the plaintext to form the ciphertext. The letters are not changed.

Example (Rail-Fence Cipher)

The rail-fence cipher is composed by writing the plaintext in two rows, proceeding down, then across, and reading the ciphertext across.

1 2 3 4 5 6 7 8 =⇒

1 3 5 7
2 4 6 8

=⇒ 1 3 5 7 2 4 6 8

For example: HELLOWORLD =⇒

H L O O L
E L W R D

=⇒ HLOOLELWRD


Transposition Ciphers

Example (Rail-Fence Cipher. Version 2)

1 2 3 4 5 6 7 8 9 =⇒

1 4 7
2 5 8
3 6 9

=⇒ 1 4 7 2 5 8 3 6 9

For example: HELLO WORLD =⇒

H L W L
E O O D
L   R

=⇒ HLWLEOODL R


Transposition Ciphers

Mathematically, the key to a transposition cipher is a permutation function.

Permutations do not change the frequency of plaintext characters, which provides a means of attack.

Example

For instance, because "HE" has frequency 3.05% in English, one may assume that in "HLOOLELWRD", "E" should follow "H", so one may try:

H E
L L
O W
O R
L D

Reading the letters across and down produces "HELLOWORLD".


Substitution Ciphers

Definition

A substitution cipher changes characters in the plaintext to produce the ciphertext.

Example

Consider the Caesar cipher with the key k = 3 or D, i.e. A → D, B → E, ..., X → A, Y → B, Z → C.

HELLOWORLD → KHOORZRUOG

A Caesar cipher is susceptible to a statistical ciphertext-only attack.


Substitution Ciphers

Example

Ciphertext: KHOORZRUOG (length is 10 characters).

Numbering of letters: A → 0, B → 1, ..., Z → 25.

STATISTICAL ATTACK:

Frequencies of letters in "KHOORZRUOG":

number   6    7    10   14   17   20   25
c      = G    H    K    O    R    U    Z
f(c)   = 0.1  0.1  0.1  0.3  0.2  0.1  0.1

Correlation with average English text:

$\Phi(i) = \sum_{c=0}^{25} f(c)\, p(c - i)$,

where $p(x)$ are character frequencies in English (see Table 9-1 on page 11).


Character Frequencies in English

• p(0) = p(a) = 0.080, p(1) = p(b) = 0.015, . . . , p(25) = p(z) = 0.002


Substitution Ciphers

Example (continuation)

Ciphertext: KHOORZRUOG.

Numbering of letters: A → 0, B → 1, ..., Z → 25.

STATISTICAL ATTACK:

For "KHOORZRUOG", we have

$\Phi(i) = 0.1p(6 - i) + 0.1p(7 - i) + 0.1p(10 - i) + 0.3p(14 - i) + 0.2p(17 - i) + 0.1p(20 - i) + 0.1p(25 - i)$

We are looking for the largest $\Phi(i)$, $i = 0, \ldots, 25$.


Values of Φ(i) for "KHOORZRUOG" in English

Φ(6) = 0.0660 =⇒ KHOORZRUOG → EBIILTLOIA,

Φ(10) = 0.0635 =⇒ KHOORZRUOG → AXEEHPHKEW,

Φ(3) = 0.0575 =⇒ KHOORZRUOG → HELLOWORLD,

Φ(14) = 0.0535 =⇒ KHOORZRUOG → WTAADLDGAS,
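The correlation Φ(i) above, computed for every shift and ranked, as an added example that is not part of the original slides. Assumption: the full frequency table p is not on the page (only p(a), p(b) and p(z) are shown), so the remaining entries are the usual textbook values; all function names are chosen here.

```python
from collections import Counter

# English letter frequencies p(0)..p(25) for a..z. Assumption: the page shows
# only p(a), p(b) and p(z); the other entries are the usual textbook values.
P = [0.080, 0.015, 0.030, 0.040, 0.130, 0.020, 0.015, 0.060, 0.065,
     0.005, 0.005, 0.035, 0.030, 0.070, 0.080, 0.020, 0.002, 0.065,
     0.060, 0.090, 0.030, 0.010, 0.015, 0.005, 0.020, 0.002]


def letter_numbers(text):
    """Map A..Z to 0..25, ignoring anything that is not a letter."""
    return [ord(ch) - ord("A") for ch in text.upper() if "A" <= ch <= "Z"]


def frequencies(ciphertext):
    """f(c): relative frequency of each letter number in the ciphertext."""
    nums = letter_numbers(ciphertext)
    if not nums:
        raise ValueError("ciphertext contains no letters")
    return {c: n / len(nums) for c, n in Counter(nums).items()}


def phi(ciphertext, i):
    """Phi(i) = sum over c of f(c) * p(c - i), indices taken mod 26."""
    return sum(f * P[(c - i) % 26] for c, f in frequencies(ciphertext).items())


def shift_back(ciphertext, i):
    """Caesar decipherment D_i applied to every letter."""
    return "".join(chr((n - i) % 26 + ord("A"))
                   for n in letter_numbers(ciphertext))


def rank_keys(ciphertext, top=4):
    """Candidate keys by decreasing Phi, each with its trial plaintext."""
    order = sorted(range(26), key=lambda i: phi(ciphertext, i), reverse=True)
    return [(i, round(phi(ciphertext, i), 4), shift_back(ciphertext, i))
            for i in order[:top]]


if __name__ == "__main__":
    for key, score, plain in rank_keys("KHOORZRUOG"):
        print(f"Phi({key}) = {score:.4f}  ->  {plain}")
```

On a ciphertext this short the correct key 3 only ranks third, so the statistic narrows the candidates and the trial plaintexts decide between them.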


Vigenère Cipher

Invented by Blaise de Vigenère in 1586.

Definition

The Vigenère cipher chooses a sequence of keys, represented by a string. The key letters are applied to successive plaintext characters, and when the end of the key is reached, the key starts over. The length of the key is called the period of the cipher.

In other words, like the Caesar cipher, but we use a phrase.

Figure 9-3 on page 15 shows a tableau to implement this cipher efficiently.

Because this requires several different key letters, this type of cipher is called polyalphabetic.


Vigenère Cipher

Example

Letters enumeration: A → 0, ..., G → 6, ..., I → 8, ..., V → 21, ..., Z → 25.

Message: THE BOY HAS THE BALL

Key: VIG or 21-8-6.

We encipher using the Caesar cipher for each letter:

Plaintext   T H E B O Y H A S T H E B A L L
Keys        V I G V I G V I G V I G V I G V
Ciphertext  O P K W W E C I Y O P K W I R G,

since (T + V) mod 26 = O, (H + I) mod 26 = P, (E + G) mod 26 = K, etc.


Vigenère Cipher

Breaking is not easy but possible (Friedrich Kasiski in 1863).

Breaking is based on the observation that repetitions occur when characters of the key appear over the same characters in the ciphertext.

Example

Plaintext   T H E B O Y H A S T H E B A L L
Keys        V I G V I G V I G V I G V I G V
Ciphertext  O P K W W E C I Y O P K W I R G,

The string OPK appears twice. The ciphertext repetitions are nine characters apart. Hence 9 is a multiple of the period, i.e. the period must be either 3 or 9.

We can then use some statistical analysis to break the cipher; however, it is not easy.


Example (Vigenère Cipher)

The following message was enciphered with a Vigenère cipher. Find the key and decipher it:

7. A noted computer security expert has said that without integrity, no system can provide confidentiality.

a. Do you agree? Justify your answer.

b. Can a system provide integrity without confidentiality? Again, justify your answer.

8. A cryptographer once claimed that security mechanisms other than cryptography were unnecessary because cryptography could provide any desired level of confidentiality and integrity. Ignoring availability, either justify or refute the cryptographer's claim.

9. Given the security levels TOP SECRET, SECRET, CONFIDENTIAL, and UNCLASSIFIED (ordered from highest to lowest), and the categories A, B and C, specify what type of access (read, write, both, or neither) is allowed in each of the following situations. Assume that discretionary access controls allow anyone access unless otherwise specified.

a. Paul, cleared for (TOP SECRET, {A, C}), wants to access a document classified (SECRET, {B, C}).

b. Anna, cleared for (CONFIDENTIAL, {C}), wants to access a document classified (CONFIDENTIAL, {B}).

c. Jesse, cleared for (SECRET, {C}), wants to access a document classified (CONFIDENTIAL, {C}).

d. Sammi, cleared for (TOP SECRET, {A, C}), wants to access a document classified (CONFIDENTIAL, {A}).

e. Robin, who has no clearances (and so works at the UNCLASSIFIED level), wants to access a document classified (CONFIDENTIAL, {B}).

10. Give an example that demonstrates that the integrity level of subjects decreases in Biba's low-water-mark policy. Under what conditions will the integrity level remain unchanged?

11. Decipher the following ciphertext, which was enciphered using the Caesar cipher: TEBKFKQEBZLROPBLCERJXKBSBKQP

12. Exercise 8 from page 242 of Bishop's textbook. See below:

SOLUTION

We begin by looking for repetitions in the ciphertext.

"IYO" appears twice, 25 spaces apart.

"KRG" also appears twice, 20 spaces apart.

"LVF" is also repeated, 55 spaces apart.

This leads us to the likelihood that the key length is a common divisor of these, so (as a first guess) we take the key length to be 5.

This means we should try breaking the message into 5 sequences:


Example

This means we should try breaking the message into 5 sequences:

TSMVM MPPCW CZUGX HPECP RFAUE IOBQW PPIMS
FXIPC TSQPK SZNUL OPACR DDPKT SLVFW ELTKR
GHIZS FNIDF ARMUE NOSKR GDIPH WSGVL EDMCM
SMWKP IYOJS TLVFA HPBJI RAQIW HLDGA IYOUX

Counting characters in each column (alphabet) yields:

Column  #1  #2  #3  #4  #5
A        1   1   2   0   2
B        0   0   2   0   0
C        1   0   0   4   1
D        1   3   1   1   0
E        2   0   1   0   2
F        2   1   0   2   1
G        2   0   1   2   0
H        3   1   0   0   1
I        3   0   5   1   1
J        0   0   0   2   0
K        0   0   0   4   1
L        0   4   0   0   2
M        1   1   3   1   2
N        1   1   1   0   0
O        1   2   2   0   0
P        0   4   2   3   2
Q        0   0   2   1   0
R        2   1   0   0   2
S        3   3   1   0   3
T        3   0   1   0   1
U        0   0   1   4   0
V        0   0   2   2   0
W        1   0   1   0   4
X        0   1   0   0   2
Y        0   2   0   0   0
Z        0   2   0   1   0


Example

Observe that the highest frequency character in column 3 ('i') seems to correspond to the letter 'a' due to the gap following it, according to the frequencies of characters on the right side of page 219 of the textbook and page 11 of these Lecture Notes.

We decrypt the 3rd character, and then every 5th, according to this, and from the Vigenère tableau we guess that the 3rd character in the key is 'i'.

TSeNM MPhCW CZmGX HPwCP RFsUE IOtQW PPaMS
FXaPC TSiPK SZfUL OPsCR DDhKT SLnFW ELlKR
GHaZS FNaDF AReUE NOkKR GDaPH WSyVL EDeCM
SMoKP IYgJS TLnFA HPuJI RAiIW HLvGA IYgUX

Next we guess that column 1 does not appear shifted since the frequencies are about the same as the standard, so the first character could be 'a'.

tSeNM mPhCW cZmGX hPwCP rFsUE iOtQW pPaMS
fXaPC tSiPK sZfUL oPsCR dDhKT sLnFW eLlKR
gHaZS fNaDF aReUE nOkKR gDaPH wSyVL eDeCM
sMoKP iYgJS tLnFA hPuJI rAiIW hLvGA iYgUX


Example

tSeNM mPhCW cZmGX hPwCP rFsUE iOtQW pPaMS
fXaPC tSiPK sZfUL oPsCR dDhKT sLnFW eLlKR
gHaZS fNaDF aReUE nOkKR gDaPH wSyVL eDeCM
sMoKP iYgJS tLnFA hPuJI rAiIW hLvGA iYgUX

The first word may be 'the' and the frequencies of the second column fit in the right places, so assume S maps to h in the 2nd column, making the first three letters of the key: 'ali'.

theNM mehCW comGX hewCP rusUE idtQW peaMS
fmaPC thiPK sofUL oesCR dshKT sanFW ealKR
gwaZS fcaDF ageUE ndkKR gsaPH whyVL eseCM
sboKP ingJS tanFA heuJI rpiIW havGA ingUX

Now we can look for parts of words to give us a clue. 'com' could be 'come', 'thi' could be 'this', or 'hav' could be 'have'. Since the first and third of these examples use the same mapping but the second uses a different one, we first try the letter 'C' as the key for column 4, since that maps 'G' to 'e'.

thetM mehaW comeX hewaP russE idtoW peakS
fmanC thinK sofsL oesaR dshiT sandW ealiR
gwaxS fcabF agesE ndkiR gsanH whytL eseaM
sboiP inghS tandA heuhI rpigW haveA ingsX


Example

thetM mehaW comeX hewaP russE idtoW peakS
fmanC thinK sofsL oesaR dshiT sandW ealiR
gwaxS fcabF agesE ndkiR gsanH whytL eseaM
sboiP inghS tandA heuhI rpigW haveA ingsX

Now we can begin to read parts of the text. The second group of characters seems to be 'has'. To map the plaintext s to ciphertext w, we would have had to use the key letter 'e', which makes sense as we now have a full keyword: 'Alice', and we can now decrypt the full text:

theti mehas comet hewal russa idtos peako
fmany thing sofsh oesan dship sands ealin
gwaxo fcabb agesa ndkin gsand whyth eseai
sboil ingho tandw heuhe rpigs havew ingst

with punctuation:

The time has come the walrus said to speak of many things of shoes and ships and sealing wax of cabbages and kings and why the sea is boiling hot and whether pigs have wingst.


One-Time Pad

A Vigenère cipher with a random key at least as long as the message.

Proven unbreakable.

Why? Look at ciphertext DXQR. Equally likely to correspond to plaintext DOIT (key AJIY) and to DONT (key AJDY) and any other 4 letters.

Warning: keys must be random, or you can attack the cipher by trying to regenerate the key.

Approximations, such as using pseudo-random number generators to generate keys, are not random.


Hybrid Ciphers

We can (and often do) use more than one technique, for example use both transposition ciphers and substitution ciphers.

We will show later how the Vigenère cipher (substitution cipher) composed with rail-fence (transposition cipher) can be used to encrypt passwords.


Public Key Cryptography

Two keys:

PRIVATE KEY known only to the individual

PUBLIC KEY available to anyone

A has private key $k_A$ and public key $K_A$, while B has private key $k_B$ and public key $K_B$. A message sent by A and encrypted using $k_A$ and $K_B$ can, in practice, only be decrypted when B uses $k_B$ and $K_A$. How is this possible?

The private key $k$ and the public key $K$ are not random.

The public key $K$ is a function of the private key $k$, i.e. $K = f(k)$ for some function $f$ (hence $K_A = f(k_A)$ and $K_B = f(k_B)$).

The function $f$ must have the property that for any $K$, finding $f^{-1}(K)$ is practically impossible.


Public Key Cryptography

Conditions:

1 It must be computationally easy to encipher or decipher a message given the appropriate key.

2 It must be computationally infeasible to derive the private key from the public key.

3 It must be computationally infeasible to determine the private key from a chosen plaintext attack.


Diffie-Hellman Scheme

First proposed by James Ellis in 1970, but classified until 1997.

Reinvented by W. Diffie and M. Hellman in 1976.

It is based on the Discrete Logarithm Problem.

Definition (Discrete Logarithm Problem)

Find $k$ such that

$n = g^k \bmod p$

for given natural numbers $n$, $g$ and a prime number $p$.

The Discrete Logarithm Problem is infeasible for big $p$.


Algorithm (Diffie-Hellman Protocol)

Shared knowledge: $p$ and $g$, where $g \ne 0, 1, p - 1$.

Each user chooses a private key $k_a$ and computes a public key

$K_a = g^{k_a} \bmod p$.

If A and B want to communicate, they encipher the other's public key using their own private key, using the formulas:

$S_{A,B} = K_B^{k_A} \bmod p$ (used by A), and

$S_{B,A} = K_A^{k_B} \bmod p$ (used by B).

The protocol is based on the following theorem:

Theorem

$S_{A,B} = S_{B,A}$

The key $S_{A,B} = S_{B,A}$ is used for communication between A and B.


Diffie-Hellman Scheme

The Diffie-Hellman Protocol is a symmetric key exchange protocol.

Example

Let $p = 53$, $g = 17$ and $k_A = 5$, $k_B = 7$. Hence

$K_A = g^{k_A} \bmod p = 17^5 \bmod 53 = 40$

$K_B = g^{k_B} \bmod p = 17^7 \bmod 53 = 6$

Now we have:

$S_{A,B} = K_B^{k_A} \bmod p = 6^5 \bmod 53 = 38$

$S_{B,A} = K_A^{k_B} \bmod p = 40^7 \bmod 53 = 38$

The prime number p must be large, hundreds or even thousands of bits!!!
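Both sides of the exchange above in code, together with the exhaustive discrete-logarithm search that shows why the toy prime 53 protects nothing; this is an added example, not part of the original slides. Assumptions: the function names, and the second run over the Mersenne prime 2^127 − 1 with base 3, which only shows that the two sides still agree and is itself far below the sizes the slide calls for.

```python
import secrets


def check_params(p, g):
    """The slide's condition on the shared base: g is not 0, 1 or p - 1."""
    if g % p in (0, 1, p - 1):
        raise ValueError("degenerate base g")


def public_key(g, k, p):
    """K = g^k mod p."""
    return pow(g, k, p)


def shared_key(K_other, k_own, p):
    """S = K_other^k_own mod p, computed from one's own private key."""
    return pow(K_other, k_own, p)


def exchange(p, g, k_a, k_b):
    """Run both sides and return the public keys and both derived secrets."""
    check_params(p, g)
    K_a, K_b = public_key(g, k_a, p), public_key(g, k_b, p)
    return {"K_A": K_a, "K_B": K_b,
            "S_AB": shared_key(K_b, k_a, p),   # computed by A
            "S_BA": shared_key(K_a, k_b, p)}   # computed by B


def random_exchange(p, g):
    """Same exchange with private keys drawn uniformly from 2 .. p - 2."""
    return exchange(p, g, 2 + secrets.randbelow(p - 3),
                    2 + secrets.randbelow(p - 3))


def discrete_log(n, g, p):
    """Smallest k with g^k mod p == n, by trying k = 0, 1, 2, ...
    The loop runs up to p - 1 times: instant for p = 53, out of reach for
    a prime of hundreds or thousands of bits."""
    value = 1
    for k in range(p - 1):
        if value == n:
            return k
        value = value * g % p
    return None


if __name__ == "__main__":
    toy = exchange(53, 17, 5, 7)
    print(toy)
    # Anyone who sees p, g and K_A recovers k_A at this size.
    print("recovered k_A:", discrete_log(toy["K_A"], 17, 53))
    big = random_exchange(2**127 - 1, 3)
    print("127-bit run agrees:", big["S_AB"] == big["S_BA"])
```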


RSA Protocol

Invented by R. Rivest, A. Shamir and L. Adleman in 1978.

It is based on the properties of the totient function Φ(n).

Definition

A number k is relatively prime to a number n if k has no factors in common with n.

Definition

The totient function Φ(n) is the number of positive integers less than n and relatively prime to n.

Example

Φ(10) = 4, as 1, 3, 7, 9 are relatively prime to 10.

Φ(21) = 12, as 1, 2, 4, 5, 8, 10, 11, 13, 16, 17, 19, 20 are relatively prime to 21.


Theorem

If $p$ and $q$ are two distinct primes, then $\Phi(pq) = (p - 1)(q - 1)$.

Algorithm (RSA Protocol)

Choose two large prime numbers $p$ and $q$.

Compute $n = pq$. Then $\Phi(n) = (p - 1)(q - 1)$.

Choose $e < n$ such that $e$ is relatively prime to $\Phi(n)$.

Compute $d$ such that $ed \bmod \Phi(n) = 1$.

PUBLIC KEY: $(e, n)$

PRIVATE KEY: $d$

ENCIPHER: $c = m^e \bmod n$ (uses PUBLIC KEY $(e, n)$)

DECIPHER: $m = c^d \bmod n$ (uses PRIVATE KEY $d$)

Actual RSA primes $p$ and $q$ should be at least 512 bits long, giving a modulus, i.e. $n = pq$, of at least 1024 bits.


Example (Confidentiality)

$p = 7$, $q = 11$, $n = pq = 77$, $\Phi(n) = (p - 1)(q - 1) = 60$.

A chooses $e = 17$ ($e < n$ and $e$ must be relatively prime to $\Phi(n)$), making $d = 53$ ($ed \bmod \Phi(n) = 1$, and here $17 \cdot 53 \bmod 60 = 1$).

B wants to send A the secret message HELLO.

We assume each character in the plaintext is represented by a number between 00 (A) and 25 (Z); 26 representing blank.

Hence HELLO ≡ 07 04 11 11 14.

ENCIPHER: $c = m^e \bmod n$ (uses PUBLIC KEY $(e, n)$)

$07^{17} \bmod 77 = 28$

$04^{17} \bmod 77 = 16$

$11^{17} \bmod 77 = 44$

$11^{17} \bmod 77 = 44$

$14^{17} \bmod 77 = 42$

B sends 28 16 44 44 42


Example (Confidentiality - Continuation)

B sends 28 16 44 44 42

A receives 28 16 44 44 42

A uses private key: $d = 53$.

DECIPHER: $m = c^d \bmod n$ (uses PRIVATE KEY $d$)

$28^{53} \bmod 77 = 07$ → H

$16^{53} \bmod 77 = 04$ → E

$44^{53} \bmod 77 = 11$ → L

$44^{53} \bmod 77 = 11$ → L

$42^{53} \bmod 77 = 14$ → O

No one else could read it, as only A knows her private key and that is needed for decryption.

However, A cannot be sure it was B who sent it!


Example (Confidentiality & Authentication)

$p = 7$, $q = 11$, $n = pq = 77$, $\Phi(n) = (p - 1)(q - 1) = 60$.

A chooses $e = 17$, making $d = 53$.

B chooses $e = 37$, making $d = 13$.

A wants to send B the secret message HELLO in confidence and authenticated.

ENCIPHER: $c = (m^{d_A} \bmod n)^{e_B} \bmod n$ (it uses PUBLIC KEY $(e_B, n)$ and PRIVATE KEY $d_A$).

HELLO ≡ 07 04 11 11 14

$(07^{53} \bmod 77)^{37} \bmod 77 = 07$

$(04^{53} \bmod 77)^{37} \bmod 77 = 37$

$(11^{53} \bmod 77)^{37} \bmod 77 = 44$

$(11^{53} \bmod 77)^{37} \bmod 77 = 44$

$(14^{53} \bmod 77)^{37} \bmod 77 = 14$

B receives 07 37 44 44 14


Example (Confidentiality & Authentication - Continuation)

B receives 07 37 44 44 14

DECIPHER: $m = (c^{d_B} \bmod n)^{e_A} \bmod n$ (it uses PUBLIC KEY $(e_A, n)$ and PRIVATE KEY $d_B$).

$(07^{13} \bmod 77)^{17} \bmod 77 = 07$ → H

$(37^{13} \bmod 77)^{17} \bmod 77 = 04$ → E

$(44^{13} \bmod 77)^{17} \bmod 77 = 11$ → L

$(44^{13} \bmod 77)^{17} \bmod 77 = 11$ → L

$(14^{13} \bmod 77)^{17} \bmod 77 = 14$ → O
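The RSA key generation step and both worked examples (confidentiality, then confidentiality with authentication) carried through in code with the slides' numbers; this is an added example, not part of the original slides, and the function names are chosen here. It works one character per block exactly as the slides do.

```python
from math import gcd

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ "   # 00 (A) .. 25 (Z), 26 = blank


def make_keypair(p, q, e):
    """Return ((e, n), d) with ed mod Phi(n) = 1, Phi(n) = (p-1)(q-1)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if not (1 < e < n and gcd(e, phi) == 1):
        raise ValueError("e must be < n and relatively prime to Phi(n)")
    return (e, n), pow(e, -1, phi)          # modular inverse, Python 3.8+


def encode(text):
    """One number per character, as assumed in the slides."""
    return [ALPHABET.index(ch) for ch in text.upper()]


def decode(blocks):
    return "".join(ALPHABET[m] for m in blocks)


def encipher(blocks, e, n):
    """c = m^e mod n with the recipient's public key."""
    return [pow(m, e, n) for m in blocks]


def decipher(blocks, d, n):
    """m = c^d mod n with the recipient's private key."""
    return [pow(c, d, n) for c in blocks]


def sign_then_encipher(blocks, d_sender, e_recipient, n):
    """c = (m^d_A mod n)^e_B mod n."""
    return [pow(pow(m, d_sender, n), e_recipient, n) for m in blocks]


def decipher_then_verify(blocks, d_recipient, e_sender, n):
    """m = (c^d_B mod n)^e_A mod n."""
    return [pow(pow(c, d_recipient, n), e_sender, n) for c in blocks]


if __name__ == "__main__":
    (e_a, n), d_a = make_keypair(7, 11, 17)     # A: e = 17, d = 53
    (e_b, _), d_b = make_keypair(7, 11, 37)     # B: e = 37, d = 13
    msg = encode("HELLO")

    sent = encipher(msg, e_a, n)                # B -> A, confidentiality only
    print(sent, decode(decipher(sent, d_a, n)))

    sent = sign_then_encipher(msg, d_a, e_b, n) # A -> B, with authentication
    print(sent, decode(decipher_then_verify(sent, d_b, e_a, n)))
```

In both outputs the two L blocks encipher to the same value, and in the second one the blocks 07 and 14 map to themselves: enciphering one small block at a time leaks the structure of the message, which is one reason the large moduli required above matter.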


Cryptographic Checksums - Motivation

Alice wants to send Bob a message of n bits, and she wants Bob to be able to verify that the message he receives is the same one that was sent.

Alice applies a checksum function to generate a much smaller set of k bits (called the checksum or message digest) from the original n bits.

Alice then sends Bob both the message and the checksum.

When Bob gets the message, he recomputes the checksum and compares it with the one Alice sent.

If they match, Bob assumes that the message has not been changed.

Every transmission of data is subject to some errors. The longer the message, the greater the probability of error. Hence a k-long checksum is more reliable than an n-long message.


Cryptographic Checksums

Example (Parity Bit)

The parity bit is a single-bit checksum.

Odd Parity: the sum of the 1-bits in the character or number representation and the parity bit is odd.

In ASCII: A → 0111101, hence p0111101 = 00111101, where p is the parity bit (and p = 0 in this case).

The message 00111101 means A and a confirmation that the message has arrived unchanged.


Cryptographic Checksums

Definition (Cryptographic Checksum Function)

A cryptographic checksum function (or strong hash function) $h : A \to B$ is a function that has the following properties.

1 For any $x \in A$, $h(x)$ is easy to compute.

2 For any $y \in B$, it is computationally infeasible to find $x \in A$ such that $h(x) = y$.

3 Given any $x \in A$, it is computationally infeasible to find another $x' \in A$ such that $x \ne x'$ and $h(x') = h(x)$.

Checksums are mainly used to detect transmission errors.

However, they can also indicate attacks during transmissions.
