TRANSCRIPT
Cryptology For Engineers
ALDEC Webinar
Created and Presented by Jerry Kaczynski, ALDEC Research Engineer
Rev. 1.6a
www.aldec.com
Agenda
• Basic Terms
• Ciphers
• Hybrid Cryptosystem
• Authentication
• Cryptanalysis
BASIC TERMS
Simple Explanations
Cryptology
• Cryptology combines the Greek terms κρυπτός (kryptos = secret) and λόγος (logos = study) to describe the science or study of hiding, securely transferring and recovering information.
• Cryptology can be divided into two closely related disciplines:
  Cryptography – dealing with securing information,
  Cryptanalysis – trying to break that security.
• Cryptology finds many practical applications in banking, electronic commerce, telecommunication, the military and IP (Intellectual Property) protection.
Plaintext
To be, or not to be- that is the question: Whether 'tis nobler in the mind to suffer The slings and arrows of outrageous fortune Or to take arms against a sea of troubles, And by opposing end them. To die- to sleep- No more; and by a sleep to say we end The heartache, and the thousand natural shocks That flesh is heir to. 'Tis a consummation Devoutly to be wish'd. To die- to sleep. To sleep- perchance to dream: ay, there's the rub! For in that sleep of death what dreams may come When we have shuffled off this mortal coil, Must give us pause. There's the respect That makes calamity of so long life. For who would bear the whips and scorns of time, Th' oppressor's wrong, the proud man's contumely, The pangs of despis'd love, the law's delay, The insolence of office, and the spurns That patient merit of th' unworthy takes, . . .
• Plaintext is the document/message that everybody can read and understand.
• We use a document icon to represent plaintext in diagrams.
[Diagram legend: document icon ≡ the Hamlet 3/1 text above]
Cipher & Key
[Diagram: the plaintext alphabet A B C D E F G H I J K L M N O P Q R S T U V W X Y Z written above the same alphabet shifted by +3 positions]
• A cipher is an algorithm that converts plaintext into something that cannot be read by uninitiated persons and later allows retrieval of the plaintext.
• A key is a value that personalizes the cipher by modifying its algorithm.
• Caesar’s cipher (one of the oldest known ciphers) shifts each letter of the plaintext alphabet by a given number of positions.
• The key in Caesar’s cipher is the number of shifted positions (+3 in our diagram).
[Diagram legend: key icon = +3]
Cipher Strength
• The stronger the cipher, the more difficult it is for an attacker to break it.
• The strength of a cipher is measured by the complexity of the algorithm and the size of the key.
• The more complex the cipher algorithm, the more difficult it is to devise a quick method of reversing it. (Caesar’s cipher is so simple that anybody can break it now.)
• The longer the key, the more difficult it is to guess it by the trial-and-error approach, a.k.a. brute force attack. (Caesar’s key is a 5-bit number – 1 of 26 possible in our example – so guessing it without a computer takes no more than an hour.)
Ciphertext
Wr eh, ru qrw wr eh- wkdw lv wkh txhvwlrq: Zkhwkhu 'wlv qreohu lq wkh plqg wr vxiihu Wkh volqjv dqg duurzv ri rxwudjhrxv iruwxqh Ru wr wdnh dupv djdlqvw d vhd ri wurxeohv, Dqg eb rssrvlqj hqg wkhp. Wr glh- wr vohhs- Qr pruh; dqg eb d vohhs wr vdb zh hqg Wkh khduwdfkh, dqg wkh wkrxvdqg qdwxudo vkrfnv Wkdw iohvk lv khlu wr. 'Wlv d frqvxppdwlrq Ghyrxwob wr eh zlvk'g. Wr glh- wr vohhs. Wr vohhs- shufkdqfh wr guhdp: db, wkhuh'v wkh uxe! Iru lq wkdw vohhs ri ghdwk zkdw guhdpv pdb frph Zkhq zh kdyh vkxiiohg rii wklv pruwdo frlo, Pxvw jlyh xv sdxvh. Wkhuh'v wkh uhvshfw Wkdw pdnhv fdodplwb ri vr orqj olih. Iru zkr zrxog ehdu wkh zklsv dqg vfruqv ri wlph, Wk' rssuhvvru'v zurqj, wkh surxg pdq'v frqwxphob, Wkh sdqjv ri ghvslv'g oryh, wkh odz'v ghodb, Wkh lqvrohqfh ri riilfh, dqg wkh vsxuqv Wkdw sdwlhqw phulw ri wk' xqzruwkb wdnhv, . . .
• Ciphertext is the document/message encrypted using some cipher and readable only to those who have the key.
• We use a document-with-key icon to represent ciphertext in diagrams.
[Diagram legend: document-with-key icon ≡ Hamlet 3/1 encrypted with Caesar’s cipher and the +3 key, as shown above]
Encryption
• Encryption is the process of applying the selected cipher and key to the plaintext in order to obtain ciphertext (encrypted message).
[Diagram: plaintext → Encryption (cipher + key) → ciphertext]
Decryption
• Decryption is the process of applying the known key and cipher (in reverse) to the ciphertext in order to recover the plaintext (original message).
[Diagram: ciphertext → Decryption (cipher + key) → plaintext]
Cryptosystem
• A cryptosystem is a complete system encompassing all people, procedures, tools, ciphers, keys, and transmission channels involved in a secure data transfer.
[Diagram: Alice – Encryption – data transfer over a distance – Decryption – Bob]
CIPHERS
How Encryption is Done
Substitution Ciphers
• In this group of ciphers, each unit in the plaintext (letter, symbol or group of symbols) is replaced with some other unit.
• The simplest example of a substitution cipher is Caesar’s cipher, which we have seen in the Basic Terms section.
• Substitution ciphers can be easily broken, as described in “The Gold-Bug” by Edgar Allan Poe or in “The Adventure of the Dancing Men”, a Sherlock Holmes story by Sir Arthur Conan Doyle.
• Substitution ciphers are no longer used alone, but can be a part of larger (and safer) encryption schemes.
Transposition Ciphers
• Transposition ciphers change the positions of symbols within the message according to a predefined scheme.
• Rail Fence Cipher – a simple transposition cipher – requires the message to be written in a wave pattern over several rails and then read in regular rows:
[Diagram: the message written in a wave pattern over three rails]
  Rail 1: P D O E A I O T V
  Rail 2: L N I C V R D T R T M M V D O I E M
  Rail 3: A S E S T E E F P
  Read in rows: PDOEAIOTV LNICVRDTRTMMVDOIEM ASESTEEFP
• Transposition ciphers are too simple to be secure, but are still used as a part of better encryption schemes.
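The rail fence scheme above, as an added worked example (this code is not from the webinar): a general N-rail encrypt/decrypt in Python, checked against the three rails shown on the slide, whose rows decode to PLAN DISCOVERED START TIME MOVED TO FIVE PM.

```python
def rail_pattern(length: int, rails: int) -> list:
    """Rail index visited by each message position when writing the wave
    pattern: 0, 1, ..., rails-1, rails-2, ..., 1, 0, 1, ... and so on."""
    pattern, row, step = [], 0, 1
    for _ in range(length):
        pattern.append(row)
        if rails > 1:
            if row == 0:
                step = 1
            elif row == rails - 1:
                step = -1
            row += step
    return pattern


def rail_fence_encrypt(plaintext: str, rails: int) -> str:
    """Write the message in the wave pattern, then read it rail by rail."""
    pattern = rail_pattern(len(plaintext), rails)
    return "".join(ch for r in range(rails)
                   for ch, row in zip(plaintext, pattern) if row == r)


def rail_fence_decrypt(ciphertext: str, rails: int) -> str:
    """Reverse the reading: cut the ciphertext into the rail rows (their
    lengths follow from the pattern), then walk the wave again, taking the
    next unused letter from whichever rail the wave visits."""
    pattern = rail_pattern(len(ciphertext), rails)
    rows, pos = [], 0
    for r in range(rails):
        n = pattern.count(r)
        rows.append(list(ciphertext[pos:pos + n]))
        pos += n
    return "".join(rows[r].pop(0) for r in pattern)


# Constructed check: the three rails on the slide decode to this sentence.
SLIDE_PLAINTEXT = "PLANDISCOVEREDSTARTTIMEMOVEDTOFIVEPM"
SLIDE_CIPHERTEXT = "PDOEAIOTV" + "LNICVRDTRTMMVDOIEM" + "ASESTEEFP"

if __name__ == "__main__":
    assert rail_fence_encrypt(SLIDE_PLAINTEXT, 3) == SLIDE_CIPHERTEXT
    print(rail_fence_decrypt(SLIDE_CIPHERTEXT, 3))
```

The key space is only the number of rails, which is why the slide calls the cipher too simple to be secure on its own.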
Symmetric Ciphers
• All ciphers we have mentioned so far (and all ciphers in use until the late 20th century) have one thing in common: a secret key – a number or phrase – that must be known to both the sender and the recipient of the message.
• Since both parties have to keep the key secret, those ciphers are known as symmetric ciphers or secret key ciphers.
[Diagram: Alice and Bob share one key; we use a single frame around the key to signify that it must be secret]
Block Ciphers
• One class of modern symmetric ciphers performs encryption on fixed-length chunks of data: we call them block ciphers.
• Originally a 64-bit (8 characters) block size was used; now 128-bit (16 characters) blocks are more popular.
• Plaintext is divided into block-size chunks before encryption; the last chunk is padded to the full block size if needed.
• Each chunk is encrypted the same way (with the same key) by identical encryption units.
• The internal operation of an encryption unit consists of several rounds of substitutions, transpositions and logical operations.
• Each round gets its own key, derived from the secret key using a key schedule algorithm.
• The outputs of the encryption units are merged into the ciphertext.
Popular Block Ciphers
• DES (Data Encryption Standard) was announced in 1976 as a national standard in the USA and quickly gained worldwide popularity.
  DES uses a 64-bit block and 56-bit keys.
  DES was broken in 22 hours in 1999, so it is no longer considered secure in critical applications.
• AES (Advanced Encryption Standard), the DES successor, was announced in 2001 as the winner of a 5-year-long contest.
  AES implements a 128-bit block length.
  It uses 3 strengths of keys: 128-bit, 192-bit and 256-bit.
  All versions of AES are safe now, although the 128-bit version may be broken in the nearest future.
• Other block ciphers worth mentioning: 3DES, IDEA, Blowfish.
ECB – Trivial Block Cipher Mode
• The simplest mode of operation for block ciphers requires only the plaintext (divided into blocks and padded) and a secret key:
[Diagram: Plaintext + Padding → three independent DES Encryption units (one per block) → Ciphertext]
• This mode of operation is called ECB (Electronic CodeBook); it looks OK, but has one serious problem…
Pattern Preservation in ECB
• If we use DES-ECB to encrypt a 64x64 pixel bitmap with 256 colors:
• We will notice that ECB preserves patterns:
• This property of ECB makes it useless in serious applications. Other block cipher modes of operation were created to address this issue.
CBC – Practical Block Cipher Mode
• Cipher-Block Chaining mode (CBC) XORs each block of plaintext with the ciphertext block from the previous encryption unit. Since the first unit has no predecessor, an Initialization Vector (IV)* is used with the first block of plaintext.
[Diagram: Plaintext_1 XOR IV → DES Encryption → Ciphertext_1; Plaintext_2 XOR Ciphertext_1 → DES Encryption → Ciphertext_2; and so on for the remaining blocks]
*IV should be random, but does not have to be secret.
CBC vs. ECB
• CBC mode uses data from two neighboring units to avoid pattern preservation.
• Let’s compare the results of encrypting our “K” bitmap using ECB and CBC modes:
[Figure: the “K” bitmap after ECB encryption and after CBC encryption]
• CBC is the most popular (but not the only) block cipher mode of operation in practical applications.
Stream Ciphers
• Some applications require encryption performed very quickly on a live stream of data – audiovisual data transmission is a good example.
• Block ciphers are not the most efficient in those applications, so stream ciphers may be used instead.
• A stream cipher combines (XORs) the plaintext data stream with a pseudorandom data stream (keystream) to produce the ciphertext data stream.
[Diagram: Plaintext stream XOR Keystream → Ciphertext stream]
• The most popular stream cipher is RC4 (designed in 1987). The new generation includes ciphers such as Salsa20 and Rabbit.
• Some modes of operation (CFB, OFB, CTR) can turn a block cipher into a stream cipher.
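An added example (not from the webinar) of the keystream XOR construction: a CTR-style keystream built from SHA-256 over key, nonce and counter stands in for a real stream cipher such as RC4 or Salsa20, and the last function shows why the same keystream must never be used for two messages.

```python
import hashlib
import os

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """CTR-style pseudorandom stream: hash(key || nonce || counter), chunk by
    chunk. SHA-256 stands in for the block cipher a real CTR mode would use."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])

def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt: XOR with the keystream is its own inverse, and the
    data can be processed as it arrives, byte by byte."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))

def encrypt_message(key: bytes, plaintext: bytes) -> tuple:
    """Normal use: a fresh random nonce per message, sent along in the clear
    (like a CBC IV it need not be secret, only never reused under one key)."""
    nonce = os.urandom(8)
    return nonce, stream_xor(key, nonce, plaintext)

def same_keystream_leaks_xor(key: bytes, nonce: bytes, p1: bytes, p2: bytes) -> bool:
    """Why the nonce must never repeat: two messages XORed with one keystream
    give ciphertexts whose XOR equals p1 XOR p2, with the keystream (and so
    the key) cancelled out, which is what frequency analysis then works on."""
    c1, c2 = stream_xor(key, nonce, p1), stream_xor(key, nonce, p2)
    return bytes(a ^ b for a, b in zip(c1, c2)) == bytes(a ^ b for a, b in zip(p1, p2))
```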
Advantages of Symmetric Ciphers
• Modern symmetric ciphers (block and stream) are frequently used due to several advantages:
  Security (if you are using the latest/updated versions).
  Fast operation.
  Easy implementation in software (e.g. the OpenSSL library).
  Efficient implementation in hardware (some may be patented, though).
• There is one serious disadvantage of symmetric ciphers:
  Managing secret keys. (Getting secret keys to all involved parties and keeping them secure from unauthorized access is a critical part of a symmetric cipher cryptosystem.)
Asymmetric Ciphers
• A new idea appeared in the 20th century: an asymmetric cipher with a public key (available to anybody) that allows message encryption, but not decryption.
• To decrypt a message, the matching private key is needed; it is used only by the message recipient.
[Diagram: Alice encrypts with Bob’s Public Key, Bob decrypts with his Private Key; we use a double frame around the private key and no frame around the public key]
RSA Cipher
• RSA* is the most popular asymmetric cipher, based on the following principles:
  Finding two large, random prime numbers p and q and computing n = pq is easy.
  Factorizing n is an extremely expensive operation, so even if you reveal n, recovering p and q is not feasible.
  Selecting two more numbers d and e (related to p and q) lets you create a simple function for message encryption: m^e mod n, and for ciphertext decryption: c^d mod n.
  The public key contains the modulus n and the public exponent e.
  The private key contains the modulus n and the private exponent d.
• RSA was developed independently in the 1973-76 period by the UK intelligence agency and by the MIT* team.
• RSA with keys shorter than 1024 bits is no longer considered secure; 2048-bit keys are recommended for long-term applications.
*RSA stands for Rivest, Shamir and Adleman – its MIT inventors.
Sample RSA Cryptosystem
• In a typical RSA cryptosystem the sender grabs the up-to-date public key of the recipient, encrypts and sends the message. The recipient uses the private key to decrypt the message.
[Diagram: Alice: Padded Plaintext → RSA Encryption (Bob’s Public Key) → Encrypted Plaintext → data transfer → Bob: Encrypted Plaintext → RSA Decryption (Private Key) → Decrypted Plaintext]
Advantages of Asymmetric Ciphers
• The main advantages of asymmetric ciphers include:
  Easy key distribution.
  High security.
  Versatility.
• The key disadvantage of asymmetric ciphers is:
  Complex/slow operation.
  In practical applications, only sending messages shorter than the key length makes sense.
  Proper padding of the message is required to maintain high security.
Benefits of Encoding
• Sometimes encrypted information must be transferred via channels prepared for text data (e.g. e-mail, IP embedded in source code).
• All modern ciphers produce pure binary output, which can fool text tools into things like jumping to a new page or ending the transmission.
• The method of solving this problem is called encoding: for each 3 bytes of the un-encoded message, 4 printable characters are generated.
• The character set of the encoding output is selected so that it looks the same no matter which text tool opens it.
• The once popular UUencoding has now been replaced with Base64 encoding.
[Example from the slide]
Plaintext: Encoding can be very useful!
AES ciphertext (hex): 66 EF 21 AC 78 C0 65 97 FD 65 3F 66 C6 A4 A8 82 76 43 03 97 AA 0C C4 63 3F FA EB BE 7F 0E BF 54
Base64 encoded ciphertext: Zu8hrHjAZZf9ZT9mxqSognZDA5eqDMRjP/rrvn8Ov1Q=
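An added example, not from the slides: a from-scratch Base64 encoder and decoder implementing the 3-bytes-to-4-characters rule, checked against the 32-byte AES ciphertext and its Base64 form shown on the slide (the standard library’s base64 module is used only as a cross-check).

```python
import base64  # only used to cross-check the hand-written encoder

B64_ALPHABET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                "abcdefghijklmnopqrstuvwxyz0123456789+/")

def base64_encode(data: bytes) -> str:
    """Each 3 input bytes (24 bits) become 4 characters of 6 bits each, all
    from a 64-symbol set that survives any text tool; a short final group
    (1 or 2 bytes) is right-filled with zeros and marked with '=' padding."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        bits = int.from_bytes(chunk.ljust(3, b"\0"), "big")
        chars = [B64_ALPHABET[(bits >> shift) & 0x3F] for shift in (18, 12, 6, 0)]
        keep = len(chunk) + 1            # 3 bytes -> 4 chars, 2 -> 3, 1 -> 2
        out.append("".join(chars[:keep]) + "=" * (4 - keep))
    return "".join(out)

def base64_decode(text: str) -> bytes:
    """Inverse: rebuild each 24-bit group from its 6-bit values, then keep
    only as many bytes as the group really carried (the padding tells us)."""
    text = text.rstrip("=")
    out = bytearray()
    for i in range(0, len(text), 4):
        chunk = text[i:i + 4]
        bits = 0
        for ch in chunk.ljust(4, "A"):   # 'A' has value 0, i.e. zero fill
            bits = (bits << 6) | B64_ALPHABET.index(ch)
        out += bits.to_bytes(3, "big")[:len(chunk) - 1]
    return bytes(out)

# The slide's example, copied here as test data.
SLIDE_CIPHERTEXT_HEX = ("66 EF 21 AC 78 C0 65 97 FD 65 3F 66 C6 A4 A8 82 "
                        "76 43 03 97 AA 0C C4 63 3F FA EB BE 7F 0E BF 54")
SLIDE_BASE64 = "Zu8hrHjAZZf9ZT9mxqSognZDA5eqDMRjP/rrvn8Ov1Q="

def check_slide_example() -> bool:
    """True if our encoder, the slide, and the standard library all agree."""
    raw = bytes.fromhex(SLIDE_CIPHERTEXT_HEX)
    return (base64_encode(raw) == SLIDE_BASE64 == base64.b64encode(raw).decode()
            and base64_decode(SLIDE_BASE64) == raw)
```

32 ciphertext bytes give 10 full groups plus a 2-byte tail, hence 44 characters ending in a single '='.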
HYBRID CRYPTOSYSTEMS
How to Have Cookie and Eat It, Too…
Bright Idea
• We noted in the Ciphers section that the greatest problem with symmetric ciphers is key exchange and security.
• Asymmetric ciphers do not have this problem, but are too slow to process large amounts of data.
• What would happen if:
  Alice encrypts a big message using a symmetric cipher with a random secret key.
  Alice encrypts the secret key using an asymmetric cipher and Bob’s public key.
  Alice sends the encrypted data and the encrypted key to Bob.
  Bob decrypts the secret key using his private key.
  Bob decrypts the message using the recovered secret key and discards the key.
• We would get a very practical hybrid cryptosystem!
Hybrid Cryptosystem Diagram
[Diagram: Alice: Plaintext → Symmetric Encryption (Secret Key) → Ciphertext; Secret Key → Asymmetric Encryption (Bob’s Public Key) → Encrypted Key. Ciphertext and Encrypted Key are transferred to Bob. Bob: Encrypted Key → Asymmetric Decryption (Private Key) → Secret Key; Ciphertext → Symmetric Decryption (Secret Key) → Decrypted Plaintext]
Why Do Hybrid Cryptosystems Work?
• Hybrid cryptosystems try to have the best of both worlds:
  The speed and security of established symmetric ciphers.
  The easy key handling and security of asymmetric ciphers.
• Very secure symmetric keys are typically 256 bits long, so encrypting them using a slow asymmetric cipher does not waste too much time.
• Since the symmetric secret key (session key) is sent with the message, it can be selected randomly and discarded after decryption.
• Reuse of session keys is a serious offence against hybrid cryptosystem security!
Advanced Hybrid Cryptosystems
• Our main Hybrid Cryptosystem Diagram shows the ciphertext packaged with just one encrypted key.
• We can encrypt the session key several times, using a different public key each time.
• As long as each ‘suitcase’ with an encrypted key is clearly marked, a private key owner will be able to identify the one meant for him/her.
• The same message can be encrypted for multiple recipients if we use this methodology.
• This cryptosystem is used for standard-compliant distribution of HDL IP.
AUTHENTICATION
Do You Know Who You Are Talking To?
Verifying Identities
• Imagine this situation: Chuck pretends to be Bob and sends Alice a message stating that he has to change his public key. If Alice believes him, she will be sending Chuck secret messages that were meant to reach Bob…
• If attackers can convince you that they are somebody you know and trust, they may get access to your secrets without breaking the encryption algorithm or guessing the key.
• That’s why authentication – the process of verifying the identity of the source of information – is so important.
Digital Signatures – Basics
• Digital signatures are the reliable way of authenticating the sender of an encrypted message. They utilize one cryptographic technique we already discussed – asymmetric ciphers – and one we have to introduce – message digests created using hash functions.
• If you look at the RSA cipher description, you will notice that encryption and decryption are almost identical – only the exponents are different. It means that you can use the decryption exponent for encryption purposes and vice versa!
• Signing an entire message using the inverted asymmetric cipher is impractical; that’s why a long message is converted into a short, fixed-length, unique digest before signing.
[Icon: message digest, shown as a short bit string (011001)]
Signing Flow
• Alice encrypts the message using Bob’s public key.
• Alice computes the digest of the message.
• Alice signs the digest using her own private key.
• Alice sends the encrypted message and the signed digest to Bob.
• Bob decrypts the message using his own private key.
• Bob computes the digest of the message.
• Bob decrypts the received digest using Alice’s public key.
• Bob compares the computed and received digests. If both are the same, it means that the sender knows Alice’s private key, so the sender must be Alice.
[Diagram: Alice’s side: message encrypted with Bob’s public key (B); digest D signed with Alice’s private key (A) gives SD. Bob’s side: message decrypted with his private key (B); SD decrypted with Alice’s public key (A) gives D; computed D = received D?]
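An added Python example (not ALDEC’s code) that walks through the RSA Cipher, Bright Idea and Signing Flow slides together: toy RSA keys for Alice and Bob built from small Mersenne primes (constructed, far too small to be secure), a hash-keystream XOR as the symmetric cipher, and Alice’s send / Bob’s receive steps in the order listed above. Real RSA use adds OAEP or PSS padding; here the digest is merely truncated so that it fits under the toy modulus.

```python
import hashlib
import secrets

def toy_rsa_keypair(p: int, q: int, e: int = 65537) -> tuple:
    """Public key (n, e) and private key (n, d) with e*d = 1 mod (p-1)(q-1)."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)            # modular inverse (Python 3.8+)
    return (n, e), (n, d)

def rsa_apply(x: int, key: tuple) -> int:
    """One operation for all four uses: encrypt (public key), decrypt (private
    key), sign (private key) and verify (public key); only the exponent differs."""
    n, exponent = key
    if not 0 <= x < n:
        raise ValueError("RSA input must be smaller than the modulus n")
    return pow(x, exponent, n)

def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Minimal symmetric cipher for the bulk data: hash-counter keystream XOR."""
    ks = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def digest_int(message: bytes) -> int:
    # 16 bytes of SHA-256, truncated only so the value fits under the toy modulus.
    return int.from_bytes(hashlib.sha256(message).digest()[:16], "big")

# Constructed toy keys from Mersenne primes (2^31-1, 2^61-1, 2^89-1 and 2^107-1
# are prime); real keys need 1024-bit primes or larger.
BOB_PUB, BOB_PRIV = toy_rsa_keypair(2**61 - 1, 2**31 - 1)        # n about 2^92
ALICE_PUB, ALICE_PRIV = toy_rsa_keypair(2**89 - 1, 2**107 - 1)   # n about 2^196

def alice_send(message: bytes, bob_pub=BOB_PUB, alice_priv=ALICE_PRIV) -> dict:
    """Alice: fresh random session key, symmetric-encrypt the message, RSA-encrypt
    the session key with Bob's public key, sign the digest with her private key."""
    session_key = secrets.token_bytes(8)   # 64-bit so it fits under Bob's toy n
    nonce = secrets.token_bytes(8)
    return {
        "ciphertext": stream_xor(session_key, nonce, message),
        "nonce": nonce,
        "encrypted_key": rsa_apply(int.from_bytes(session_key, "big"), bob_pub),
        "signature": rsa_apply(digest_int(message), alice_priv),
    }

def bob_receive(packet: dict, bob_priv=BOB_PRIV, alice_pub=ALICE_PUB) -> tuple:
    """Bob: recover the session key, decrypt, recompute the digest and compare it
    with the digest recovered from the signature using Alice's public key."""
    session_key = rsa_apply(packet["encrypted_key"], bob_priv).to_bytes(8, "big")
    message = stream_xor(session_key, packet["nonce"], packet["ciphertext"])
    authentic = rsa_apply(packet["signature"], alice_pub) == digest_int(message)
    return message, authentic
```

A packet whose ciphertext was altered in transit, or whose signature was made with any key other than Alice’s private key, decrypts to a digest that does not match.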
Popular Algorithms
• Cryptographic hash functions should be irreversible (you cannot retrieve the message from its digest) and resistant to collisions (finding two different messages with the same digest).
• The historic MD5 hash function with a 128-bit digest was broken in 2008, and the newer SHA-1 with a 160-bit digest is considered vulnerable.
• Newer hash functions: SHA-2 (256- and 512-bit digests) and Whirlpool (512-bit digest) are considered secure.
• There are signature schemes based on the RSA cipher, e.g. RSA-PSS.
• A very popular signing algorithm is called DSA (Digital Signature Algorithm).
CRYPTANALYSIS
The Enemy Knows The System
Security Through Obscurity?
• For a long time it was assumed that all elements of the cryptosystem should be kept secret to increase security.
• It was discovered in the late 19th century that in a well-designed cryptosystem only the keys must be secret – revealing the ciphers used should not compromise security. Claude Shannon described it briefly: The enemy knows the system.
• Obscurity may discourage some attackers, but if they succeed anyway, legitimate users of the cryptosystem will not realize that they have a problem…
• Popular ciphers are constantly scrutinized by the community, so their users know immediately when problems are discovered.
Beginnings of Cryptanalysis
• Cryptanalysis has always driven the development of better ciphers.
• Frequency analysis was invented in the 9th century: it checks the frequency of letter occurrences in a real language and compares it with the frequency of symbol occurrences in the ciphertext.
• The letter frequency diagram of the English language is shown here (with the six most frequent letters highlighted).
• If the six most frequent letters in a ciphertext are g, v, c, q, k, p, we can suspect that it is using Caesar’s cipher with shift +2.
• Frequencies of letter groups and words can also be utilized in frequency analysis.
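An added example (not from the webinar) serving both the Caesar cipher slides in Basic Terms and the frequency analysis described here: Caesar encryption/decryption and a chi-squared frequency analysis that recovers the shift from the ciphertext alone, using the commonly published English letter frequencies and the opening of the slide’s encrypted Hamlet text as the sample.

```python
from collections import Counter
import string

# Commonly published relative letter frequencies of English text (percent).
ENGLISH_FREQ = {
    "a": 8.2, "b": 1.5, "c": 2.8, "d": 4.3, "e": 12.7, "f": 2.2, "g": 2.0,
    "h": 6.1, "i": 7.0, "j": 0.15, "k": 0.77, "l": 4.0, "m": 2.4, "n": 6.7,
    "o": 7.5, "p": 1.9, "q": 0.095, "r": 6.0, "s": 6.3, "t": 9.1, "u": 2.8,
    "v": 0.98, "w": 2.4, "x": 0.15, "y": 2.0, "z": 0.074,
}

def caesar(text: str, shift: int) -> str:
    """Caesar's cipher: shift every letter by `shift` positions (a negative
    shift decrypts); punctuation and spaces pass through unchanged."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)

def letters_only(text: str) -> str:
    return "".join(c for c in text.lower() if c in string.ascii_lowercase)

def most_frequent(text: str, n: int = 6) -> str:
    """The n most common letters, most frequent first (the slide's quick check)."""
    return "".join(c for c, _ in Counter(letters_only(text)).most_common(n))

def guess_caesar_shift(ciphertext: str) -> int:
    """Frequency analysis: for each of the 26 possible keys, decrypt and score
    the letter histogram against English with a chi-squared statistic; the
    smallest score marks the most English-looking candidate."""
    sample = letters_only(ciphertext)
    total = len(sample)
    best_shift, best_score = 0, float("inf")
    for shift in range(26):
        counts = Counter(caesar(sample, -shift))
        score = 0.0
        for letter, pct in ENGLISH_FREQ.items():
            expected = pct * total / 100
            score += (counts[letter] - expected) ** 2 / expected
        if score < best_score:
            best_shift, best_score = shift, score
    return best_shift

# Sample taken from the slide: the opening of the Caesar (+3) Hamlet ciphertext.
SLIDE_CIPHERTEXT = ("Wr eh, ru qrw wr eh- wkdw lv wkh txhvwlrq: Zkhwkhu 'wlv "
                    "qreohu lq wkh plqg wr vxiihu Wkh volqjv dqg duurzv ri "
                    "rxwudjhrxv iruwxqh Ru wr wdnh dupv djdlqvw d vhd ri "
                    "wurxeohv, Dqg eb rssrvlqj hqg wkhp.")
```

Because the statistic is computed on letter counts only, the same routine works on any text long enough for the histogram to resemble the language, which is why the slide calls Caesar’s cipher trivially breakable.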
20th Century Cryptanalysis
• The most spectacular success of cryptanalysis in the 20th century was breaking the cryptosystem of the German ENIGMA shortly before the Second World War. Since the machine was resistant to frequency analysis, an advanced mathematical apparatus and other methods were used instead.
• Differential cryptanalysis tests how differences in a plaintext manifest in the ciphertext generated from it – in order to break the encryption.
• Linear cryptanalysis finds an affine approximation to the operation of the cipher.
• Both differential and linear cryptanalysis have been used successfully to break modern block and stream ciphers.
Fighting Cryptanalysis
• Using the most recent ciphers and other elements of the cryptosystem is the key to secure information transfer.
• Maintaining a high level of randomness is important: if somebody always starts his messages with “Dear Friend, …”, does not change the cipher key and uses a fixed Initialization Vector, even the best cipher will not help!
• IVs should always be randomly generated before each symmetric encryption session. The same rule applies to secret keys in hybrid cryptosystems.
• Proper message padding is critical for securing asymmetric cryptosystems.
• Always remember side-channel attacks – attempts to compromise the implementation of the cipher, not the cipher itself.
Summary
• This webinar should give everybody the solid background required for any practical application of cryptology.
• Although the information presented here is not embargoed anywhere, access to actual algorithms and their implementations may be prohibited in some areas due to political and/or copyright reasons. Always proceed with caution with your cryptology applications!
• We did not have time to discuss some additional cryptology-related topics such as key management, certificates, etc. They will receive adequate treatment in our next webinar.
• Check back with ALDEC for the next webinar “Secure IP Delivery - Practical Introduction for HDL Users”.
Conclusion
• Feel free to contact ALDEC if you need more info about EDA-related topics and our design creation and verification tools.
Standards and Other Cryptology Documents:
DES official description: http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdf
AES official description: http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
RSA standard page: http://www.rsa.com/rsalabs/node.asp?id=2125
DSA official description: http://csrc.nist.gov/publications/fips/fips186-3/fips_186-3.pdf
Public keys and signing: http://csrc.nist.gov/publications/nistpubs/800-78-3/sp800-78-3.pdf
NOTES: Wikipedia is a surprisingly reliable source of additional data about cryptology.
Visit cryptool.org if you want to experiment with cryptology safely.
ALDEC Website: http://www.aldec.com
Telephone and E-mail:
USA: +1-702-990-4400, [email protected]
Canada: +1-613-867-8600, [email protected]
Europe: +33-6-80-32-60-56, [email protected]
Japan: +81-3-5312-1791, [email protected]
India: +91-80-32551030, [email protected]
China: +86-21-6875-20-30, [email protected]
Taiwan: +886-2-26599119 ext. 950, [email protected]
Israel: +972-52-2573422, [email protected]