Lecture #9 Traditional Cryptography
HAIT
Summer 2005
Shimrit Tzur-David
Notations
• cryptography - the principles and methods of transforming an intelligible message into one that is unintelligible, and then retransforming that message back to its original form.
• plaintext - the original intelligible message
• ciphertext - the transformed message
• cipher - an algorithm for transforming an intelligible message into one that is unintelligible by transposition and/or substitution methods
• key - some critical information used by the cipher, known only to the sender & receiver
Notations – Cont.
• encipher (encode) - the process of converting plaintext to ciphertext using a cipher and a key
• decipher (decode) - the process of converting ciphertext back into plaintext using a cipher and a key
• cryptanalysis - the study of principles and methods of transforming an unintelligible message back into an intelligible message without knowledge of the key. Also called code-breaking
• cryptology - both cryptography and cryptanalysis
• code - an algorithm for transforming an intelligible message into an unintelligible one using a code-book
Notations – Cont.
• C = E_K(P) - the encryption of the plaintext P using key K gives the ciphertext C.
• P = D_K(C) - the decryption of C to get the plaintext
• D_K(E_K(P)) = P
• E and D are mathematical functions of two parameters: the key and the message.
Introduction
• There were 3 main constraints:
1. The ability of the code clerk to perform the necessary transformations, often on a battlefield with little equipment.
2. The difficulty in switching over quickly from one cryptographic method to another one, since this entails retraining a large number of people.
3. The danger of a code clerk being captured by the enemy has made it essential to be able to change the cryptographic method instantly if need be.
The encryption model – for a symmetric-key cipher
The encryption model – Cont.
• The plaintext is transformed by a function that is parameterized by a key.
• The ciphertext is then transmitted.
• The enemy hears and accurately copies down the ciphertext.
• Unlike the intended recipient, he does not know what the decryption key is and so cannot decrypt the ciphertext.
• Passive intruder - the intruder can only listen to the communication channel.
• Active intruder - the intruder can record messages and play them back later, inject his own messages, or modify legitimate messages before they get to the receiver.
Flexibility
• The cryptanalyst knows in detail how the encryption method, E, and the decryption method, D, work.
• The amount of effort necessary to invent, test, and install a new algorithm every time the old method is compromised (or thought to be compromised) has always made it impractical to keep the encryption algorithm secret.
• There is a need to keep E and D secret without changing the encryption algorithm.
Flexibility – Cont.
• In contrast to the general method, which may only be changed every few years, the key can be changed as often as required.
• The basic model is stable and publicly known.
• The general method is parameterized by a secret and easily changed key.
• Kerckhoff's principle: All algorithms must be public; only the keys are secret.
• If many experts have tried to break the algorithm for a few years and no one has succeeded, it is probably pretty solid.
The Key Length
• Consider a simple combination lock:
– A key length of two digits means 100 possibilities.
– A key length of three digits means 1000 possibilities.
– A key length of six digits means a million possibilities.
• The work factor for breaking the system by exhaustive search of the key space is exponential in the key length.
• To prevent your kid from reading your e-mail, 64-bit keys will do.
• For routine commercial use, at least 128 bits should be used.
• To keep major governments at bay, keys of at least 256 bits, preferably more, are needed.
The Cryptanalysis Problem
• From the cryptanalyst's point of view, the cryptanalysis problem has two principal variations:
1. Quantity of ciphertext and no plaintext - the ciphertext-only problem.
2. Matched ciphertext and plaintext - the known plaintext problem
The Cryptanalysis Problem – Cont.
• The novice's assumption: if a cipher can withstand a ciphertext-only attack, the crypto-algorithm is secure.
• In many cases the cryptanalyst can make a good guess at parts of the plaintext.
• For example, the first thing many computers say when you call them up is ‘login:’
• Equipped with some matched plaintext-ciphertext pairs, the cryptanalyst's job becomes much easier.
• To achieve security, the cryptographer should make sure that the system is unbreakable even if his opponent can encrypt arbitrary amounts of chosen plaintext.
Encryption Methods
• Encryption methods have been divided into two categories:
– substitution ciphers
– transposition ciphers
Substitution Ciphers
• In a substitution cipher each letter or group of letters is replaced by another letter or group of letters.
• One of the oldest known ciphers is the Caesar cipher.
• In this method, a becomes D, b becomes E, c becomes F, ... , and z becomes C.
• For example, ‘attack’ becomes DWWDFN.
• A slight generalization of the Caesar cipher allows the ciphertext alphabet to be shifted by k letters, instead of always 3.
• In this case k becomes a key to the general method of circularly shifted alphabets.
Monoalphabetic Substitution (Symbol-for-symbol)
• The next improvement is to have each of the symbols in the plaintext map onto some other letter. For example:
– plaintext: a b c d e f g h i j k l m n o p q r s t u v w x y z
– ciphertext: Q W E R T Y U I O P A S D F G H J K L Z X C V B N M
• The key is the 26-letter string corresponding to the full alphabet.
• The plaintext ‘attack’ would be transformed into QZZQEA.
• Does it look safe?
Monoalphabetic Substitution – Cont.
• At first glance this might appear to be a safe system.
• There are 26! possible keys. Trying all of them is not a promising approach. A computer would take ~10^10 years to try all the keys.
• Nevertheless, given a surprisingly small amount of ciphertext, the cipher can be broken easily.
• The basic attack takes advantage of the statistical properties of natural languages. In English, e is the most common letter, followed by t, o, a, n, i, etc. The most common two-letter combinations are th, in, er, re, and an. The most common three-letter combinations are the, ing, and, and ion.
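The following Python sketch is an added example, not part of the original slides. It implements the shift cipher and the slide's 26-letter key, and shows that substitution leaves the shape of the letter-frequency histogram intact, which is what the statistical attack relies on. The sample sentence and the rate of 10^9 keys per second are assumptions made for the example.

```python
import math
import string
from collections import Counter

ALPHA = string.ascii_lowercase
KEY = "QWERTYUIOPASDFGHJKLZXCVBNM"  # 26-letter key from the slide
# Constructed sample plaintext in which 'e' is clearly the most common letter.
SAMPLE = "meet me here when the enemy sentries leave the eastern gate"

def shift_encrypt(plaintext, k):
    """Shift each letter k places (k = 3 is the Caesar cipher)."""
    table = str.maketrans(ALPHA, (ALPHA[k % 26:] + ALPHA[:k % 26]).upper())
    return plaintext.translate(table)

def mono_encrypt(plaintext, key=KEY):
    return plaintext.translate(str.maketrans(ALPHA, key))

def mono_decrypt(ciphertext, key=KEY):
    return ciphertext.translate(str.maketrans(key, ALPHA))

def profile(text):
    """Letter counts sorted high to low, ignoring which letter owns each count."""
    return sorted(Counter(c for c in text if c.isalpha()).values(), reverse=True)

def guess_shift(ciphertext):
    """Recover k by assuming the most common ciphertext letter stands for 'e'."""
    top = Counter(c for c in ciphertext if c.isalpha()).most_common(1)[0][0]
    return (ord(top) - ord("E")) % 26

def years_to_try_all_keys(keys_per_second=1e9):
    """Exhaustive search time over all 26! keys; the rate is an assumed figure."""
    return math.factorial(26) / keys_per_second / (365.25 * 24 * 3600)

if __name__ == "__main__":
    print(shift_encrypt("attack", 3), mono_encrypt("attack"))
    ct = mono_encrypt(SAMPLE)
    print(profile(SAMPLE) == profile(ct))  # substitution keeps the histogram shape
    print(guess_shift(shift_encrypt(SAMPLE, 7)))
    print(f"{years_to_try_all_keys():.1e} years")
```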
Transposition Ciphers
• Substitution ciphers preserve the order of the plaintext symbols.
• Transposition ciphers, in contrast, reorder the letters but do not disguise them.
• The columnar transposition:
The Columnar Transposition
• The cipher is keyed by a word or phrase not containing any repeated letters.
• In the example, MEGABUCK is the key.
• The purpose of the key is to number the columns, column 1 being under the key letter closest to the start of the alphabet, and so on.
• The plaintext is written horizontally, in rows, padded to fill the matrix if need be.
• The ciphertext is read out by columns, starting with the column whose key letter is the lowest.
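The steps above, as an added Python example that is not part of the original slides. It uses the slide's key MEGABUCK; the sample plaintext and the a, b, c, ... padding scheme are assumptions chosen for the example.

```python
import string

# Sample plaintext chosen for this example; it contains the phrase "milliondollars".
SAMPLE = "pleasetransferonemilliondollarstomyswissbankaccountsixtwotwo"

def column_order(keyword):
    """Column indices in read-out order: lowest key letter first."""
    if len(set(keyword)) != len(keyword):
        raise ValueError("keyword must not contain repeated letters")
    return sorted(range(len(keyword)), key=lambda i: keyword[i])

def pad(plaintext, width):
    """Pad with a, b, c, ... so the text fills the last row (assumed scheme)."""
    missing = -len(plaintext) % width
    return plaintext + "".join(string.ascii_lowercase[i % 26] for i in range(missing))

def encrypt(plaintext, keyword):
    width = len(keyword)
    text = pad(plaintext, width)
    # text[c::width] is column c of the matrix that was written row by row.
    return "".join(text[c::width] for c in column_order(keyword)).upper()

def decrypt(ciphertext, keyword):
    width, rows = len(keyword), len(ciphertext) // len(keyword)
    columns = [""] * width
    for rank, c in enumerate(column_order(keyword)):
        columns[c] = ciphertext[rank * rows:(rank + 1) * rows].lower()
    return "".join(columns[c][r] for r in range(rows) for c in range(width))

if __name__ == "__main__":
    ct = encrypt(SAMPLE, "MEGABUCK")
    print(column_order("MEGABUCK"))
    print(ct)
    print(decrypt(ct, "MEGABUCK"))
    print(sorted(ct.lower()) == sorted(pad(SAMPLE, 8)))  # letters are only reordered
```

The last line of output shows why letter frequencies in the ciphertext still fit the normal plaintext pattern: the cipher moves letters without changing them.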
Breaking Transposition Cipher
• Step 1: The cryptanalyst must be aware that he is dealing with a transposition cipher.
– By looking at the frequency of E, T, A, O, I, N, etc., it is easy to see if they fit the normal pattern for plaintext.
• Step 2: Make a guess at the number of columns
– the plaintext phrase milliondollars occurs somewhere in the message
• Step 3: Order the columns
– By frequency
One-Time Pads
• Unbreakable cipher
– Choose a random bit string as the key.
– Convert the plaintext into a bit string.
– Compute the XOR of these two strings, bit by bit.
• The resulting ciphertext cannot be broken.
• The reason derives from information theory: there is simply no information in the message because all possible plaintexts of the given length are equally likely.
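An added Python example, not part of the original slides, that makes the information-theory argument concrete: for any ciphertext, every candidate plaintext of the same length is explained by some key. It also shows why the pad must be used only once. The two sample messages are constructed for the example.

```python
import secrets

REAL = b"attack at dawn"    # constructed sample messages of equal length
DECOY = b"retreat at ten"

def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("the pad must be exactly as long as the message")
    return bytes(x ^ y for x, y in zip(a, b))

def otp_encrypt(plaintext: bytes):
    """Return (key, ciphertext) using a fresh random key of the same length."""
    key = secrets.token_bytes(len(plaintext))
    return key, xor(plaintext, key)

def otp_decrypt(ciphertext: bytes, key: bytes) -> bytes:
    return xor(ciphertext, key)

def key_explaining(ciphertext: bytes, candidate: bytes) -> bytes:
    """The pad under which `ciphertext` decrypts to `candidate`.
    One exists for every candidate, so the ciphertext alone favours none."""
    return xor(ciphertext, candidate)

def reuse_leak(p1: bytes, p2: bytes) -> bytes:
    """Encrypt two messages under the SAME pad and return c1 XOR c2.
    The key cancels out, leaving p1 XOR p2: the pad is no longer one-time."""
    key = secrets.token_bytes(len(p1))
    return xor(xor(p1, key), xor(p2, key))

if __name__ == "__main__":
    key, ct = otp_encrypt(REAL)
    print(otp_decrypt(ct, key))
    print(otp_decrypt(ct, key_explaining(ct, DECOY)))
    print(reuse_leak(REAL, DECOY) == xor(REAL, DECOY))
```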
Cryptographic Principles
• Redundancy
– All encrypted messages must contain some redundancy, that is, information not needed to understand the message.
• Freshness
– Some measures must be taken to ensure that each message received can be verified as being fresh, that is, sent very recently.
Redundancy Motivation
• Consider a mail-order company, The Couch Potato (TCP), with 60,000 products.
• Ordering messages consist of a 16-byte customer name followed by a 3-byte data field.
• The last 3 bytes are to be encrypted using a very long key known only by the customer and TCP.
• This might seem secure since passive intruders cannot decrypt the messages.
• Suppose that a recently-fired employee wants to punish TCP.
Motivation – Cont.
• Just before leaving, he takes the customer list with him.
• He writes a program to generate fictitious orders using real customer names.
• Since he does not have the list of keys, he just puts random numbers in the last 3 bytes, and sends hundreds of orders.
• When these messages arrive, TCP's computer uses the customer's name to locate the key and decrypt the message.
• Unfortunately for TCP, almost every 3-byte message is valid, so the computer begins printing out shipping instructions.
• In this way an active intruder can cause a massive amount of trouble, even though he cannot understand the messages his computer is generating.
The Solution
• This problem can be solved by the addition of redundancy to all messages.
• For example, if order messages are extended to 12 bytes, the first 9 of which must be zeros, then this attack no longer works because the ex-employee can no longer generate a large stream of valid messages.
• All messages must contain considerable redundancy so that active intruders cannot send random junk and have it be interpreted as a valid message.
Freshness
• This measure is needed to prevent active intruders from playing back old messages.
• If no such measures were taken, our ex-employee could keep repeating previously sent valid messages.
• Some method is needed to foil replay attacks.
• A solution is to include in every message a timestamp valid only for, say, 10 seconds.
• The receiver can then just keep messages around for 10 seconds. Messages older than 10 seconds can be thrown out.
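An added Python example, not part of the original slides, of a receiver that enforces both principles from the Redundancy and Freshness slides: the 9 zero bytes, a 10-second timestamp window, and a short-lived cache of recent messages. The field layout (1-byte quantity, 2-byte product number, 4-byte timestamp) is an assumption, and random bytes stand in for what decrypting an intruder's random ciphertext would produce.

```python
import random
import struct

ZEROS = bytes(9)      # redundancy from the slide: first 9 of the 12 bytes are zero
WINDOW = 10           # seconds a timestamp stays valid, as on the slide
PRODUCTS = 60_000     # TCP's catalogue size

def legacy_valid(order: bytes) -> bool:
    """Old 3-byte order. Assumed layout: 1-byte quantity, 2-byte product number."""
    _qty, product = struct.unpack(">BH", order)
    return product < PRODUCTS

def make_order(qty: int, product: int, ts: int) -> bytes:
    """Assumed 16-byte plaintext: 9 zero bytes | 3-byte order | 4-byte timestamp."""
    return ZEROS + struct.pack(">BHI", qty, product, ts)

class Receiver:
    """Validates a message after decryption (decryption itself is out of scope)."""
    def __init__(self):
        self.recent = {}  # message -> timestamp, kept only for WINDOW seconds

    def accept(self, msg: bytes, now: int) -> str:
        self.recent = {m: t for m, t in self.recent.items() if now - t <= WINDOW}
        if len(msg) != 16 or msg[:9] != ZEROS or not legacy_valid(msg[9:12]):
            return "reject: not a valid order"
        (ts,) = struct.unpack(">I", msg[12:])
        if not 0 <= now - ts <= WINDOW:
            return "reject: not fresh"
        if msg in self.recent:
            return "reject: replay"
        self.recent[msg] = ts
        return "accept"

def junk(rng, n):
    return bytes(rng.getrandbits(8) for _ in range(n))

def forged_acceptance(trials=2000, seed=1):
    """Fraction of random forgeries accepted: (old 3-byte format, new format)."""
    rng, rx, now = random.Random(seed), Receiver(), 1_000_000
    old = sum(legacy_valid(junk(rng, 3)) for _ in range(trials))
    new = sum(rx.accept(junk(rng, 12) + struct.pack(">I", now), now) == "accept"
              for _ in range(trials))
    return old / trials, new / trials

if __name__ == "__main__":
    print(forged_acceptance())
    rx, order = Receiver(), make_order(2, 1234, ts=100)
    print(rx.accept(order, 103), rx.accept(order, 105), rx.accept(order, 111), sep=" | ")
```

In current practice the redundancy is supplied by a message authentication code or an authenticated-encryption mode rather than by fixed zero bytes.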