06/18/22 Prof. Ehud Gudes Security Ch 3 1 Chapter 3 Cryptography – Algorithms and Protocols Stallings Chp. 2,19,20, App. A,B

6/3/2015 Prof. Ehud Gudes Security Ch 3 1 Chapter 3 Cryptography – Algorithms and Protocols Stallings Chp. 2,19,20, App. A,B.

Dec 19, 2015


04/18/23Prof. Ehud Gudes Security

Ch 3 1

Chapter 3

Cryptography – Algorithms and Protocols

Stallings Chp. 2,19,20, App. A,B


Definitions

•Cryptography is the study of message concealment.

•Cryptanalysis is the study of how to discover the encrypted message.

•Cryptanalysis is difficult and requires good mathematical knowledge, so you don’t see many hackers trying to break codes. The equivalent to hackers are now scientists employed by a government or organized crime.


Cryptography Value

•Authentication – can authenticate the identity of users, transactions, and systems.

•Protection of messages – can protect the secrecy of a message and prevent illegal modification. Cannot protect against destruction of the message.

•Protection of software and data – can protect their confidentiality, although not avoid their destruction. For example: passwords can be encrypted.


Cryptography Value II

Digital signatures – can authenticate the origin of a message

Non-repudiation – A user that signed or otherwise authenticated a document using cryptography cannot deny having signed it.


Notation

M, P - Messages - Plain text, clear text.

C - Cipher text.

K - Key.

E - the encryption function C=Ek(M)

D - the decryption function M=Dk’(C)

For any key pair K,K’ and for any message M

M=Dk’(Ek(M))


Cryptography – the Process


Classification

•Number of keys used: symmetric (one key) and asymmetric (encryption and decryption keys, these are the public-key systems). Neither approach is the best for all cases.

•Type of encrypting operations: Symmetric systems use substitution and transposition stages. Substitutions just replace a bit or character with another. Transpositions rearrange bits or characters in the data. Product ciphers are combinations of substitutions and transpositions. Public key systems are based on invertible mathematical functions.


Classification II

•The way the plaintext is encrypted: block and stream ciphers. In a block cipher a block of data is transformed, using a key, into a block of ciphertext.

•In a stream cipher a stream of key bits is used to encode a stream of data one bit or character at a time. Block ciphers are more appropriate for use within computers, while stream ciphers are seen mostly in communications.


Main Principle of Cryptography

The secret is in the KEY, not in the Algorithm!!


Attacks

•Ciphertext only
•Known plaintext
•Chosen plaintext
•Chosen ciphertext
•Chosen text


Types of Attacks on Cryptographic Algorithms

Attacks are classified by the information available to the attacker. We assume that the attacker has access to the algorithm and also knows its internal structure.

•Ciphertext only attack.
  – The attacker holds a set of encrypted messages.
  – Goal: find the corresponding plaintext messages and/or the encryption key.
  – Assumption: a statistical characterization of the messages exists.


Types of Attacks on Cryptographic Algorithms (cont.)

•Known plaintext attack
  – The attacker holds a set of pairs (P, C).
  – Goal: find the encryption key.
  – Example: exhaustive search.

•Chosen plaintext attack
  – The attacker chooses the set of messages {P} and receives the corresponding encrypted messages {C}.
  – Goal: find the encryption key.
  – Example: differential cryptanalysis.


Types of Attacks on Cryptographic Algorithms (cont.)

•Adaptive chosen plaintext attack.
  – The attacker builds the set of pairs (P, C) gradually. He can choose the next message P based on the results of the previous encryptions.
  – Goal: find the encryption key.


Caesar Cipher

The rule:

Ci = E(pi) = pi + 3

A full translation chart of the Caesar cipher is shown here.

Plaintext   A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
Ciphertext  d e f g h i j k l m n o p q r s t u v w x y z a b c

Using this encryption, the message

TREATY IMPOSSIBLE

would be encoded as:

T R E A T Y   I M P O S S I B L E
w u h d w b   l p s r v v l e o h


Table of Letters Frequencies

Table 2-1 Letter Frequency Distributions in English and Pascal

          English            Pascal
Letter    Count   Percent    Count   Percent
a         3312     7.49       664     4.70
b          573     1.29       197     1.39
c         1568     3.54       878     6.22
d         1602     3.62       511     3.61
e         6192    14.00      1921    13.60
f          966     2.18       504     3.57
g          769     1.74       294     2.08
h         1869     4.22       478     3.39
i         2943     6.65      1215     8.60
j          119     0.27         6     0.04
k          206     0.47        87     0.61
l         1579     3.57       722     5.11
m         1500     3.39       270     1.91
n         2982     6.74      1157     8.19
o         3261     7.37       835     5.91
p         1074     2.43       340     2.41
q          116     0.26        12     0.08
r         2716     6.14      1147     8.12
s         3072     6.95       594     4.21
t         4358     9.85      1311     9.28
u         1329     3.00       377     2.66
v          512     1.16       127     0.89
w          748     1.69       193     1.36
x          123     0.28       139     0.98
y          727     1.64       137     0.96
z           16     0.04         5     0.03


Monoalphabetic Cipher

Take for example the key: SHARON

A B C D E F G H I J K L M N O P Q R S T
S H A R O N B C D E F G I J K L M P Q S


counts and relative frequencies of letters in the cipher

Table 2-3 shows the counts and relative frequencies of letters in the cipher examined in the previous section (in [P])

Wklv phvvdjh lv qrw wrr kdug wr euhdn

Table 2-3 Frequencies of Letters in wklv… Cipher

Letter  Count  Percent
w       4      13.33
k       2       6.66
l       2       6.66
v       4      13.33
p       1       3.33
h       3      10.00
d       3      10.00
j       1       3.33
q       1       3.33
r       4      13.33
e       1       3.33
u       2       6.66
g       1       3.33
n       1       3.33


Monoalphabetic cipher – Example for Cryptanalysis

QMC MEPQJOY JH QMC GAQEJGAD PCTROEQY ANCGTY EP PMOJRICI EG PCTOCTY CUCG EQP SRINCQ EP TDAPPEHECI

The simplest effective attack on a monoalphabetic cipher is the use of frequencies in natural languages: single letters, bigrams/trigrams, small words, end/beginning of words, etc. We’ll only consider English here. We’ll use some empirical facts about single-letter frequencies, as well as knowledge about common English words. Again, the most common single letters in English are e and t, with all others considerably less frequent.

Thus, to attack a cryptogram, first do an accounting of the most common letters in the ciphertext. For example in:

QCIV XY KEO JLYYW JBRO XN KEO JKGOOK. TOK SO KX KEO AELGAE XY KBSO. KEO NBJE CGO MLSDBYT CYR KEO AXKKXY BJ EBTE. XLG JKCKO NCBG BJ KEO HOJK JKCKO NCBG.

We find, ranked by order of frequency of appearance, K-15, O-13, E-9, B-7, J-7, C-6, X-6, Y-6, G-5, L-3, N-3, A-2, S-2, T-2, R-1.7

with D, H, I, M, Q, V, W occurring much less often.


Monoalphabetic cipher – Example for Cryptanalysis (Cont.)

Thus, we would imagine that ‘K’ is either ‘e’ or ‘t’, and perhaps ‘O’ is the other of the two. Trying first K=e and O=t, we have (in part)

QCIV XY eEt JLYYW JBRt XN eEt JeGtte. Tte St eX eEt AELGAE XY…

The ‘Tte’ in the second sentence immediately raises a problem: it seems unlikely that ‘T’ can be anything that would make this a word that could begin a sentence. So try K=t and O=e instead:

QCIV XY tEe JLYYW JBRe XN tEe JtGeet. Tet Se tX tEe AELGAE XY tBSe. tEe NBJE CGe MLSDBYT CYR tEe AXttXY BJ EBTE. XLG JtCte NCBG BJ tEe HeJt JtCte NCBG

The ‘tEe’ suggests E=h, the ‘tX’ suggests X=o, and then ‘XY’ suggests Y=n. This gives:

QCIV on the JLnnW JBRe oN the JtGeet. Tet Se to the AhLGAh on tBSe. the NBJh CGe MLSDBnT CnR the Aotton BJ hBTh. oLG JtCte NCBG BJ the HeJt JtCte NCBG.


Monoalphabetic cipher – Example for Cryptanalysis (Cont.)

The ‘Tet Se to the’ suggests ‘get me to the’, so T=g and S=m, and ‘JtGeet’ could be ‘street’, so J=s, G=r:

QCIV on the sLnnW sBRe oN the street. get me to the AhLrAh on tBme. the NBsh Cre MLmDBng CnR the Aotton Bs hBgh. oLr stCte NCBr Bs the Hest stCte NCBr.

The ending on ‘MLmDBng’, and also ‘Bs hBgh’, suggest B=i. Also the ‘oLr’ suggests L=u. Rewrite:

QCIV on the sunnW siRe oN the street. get me to the AhurAh on time. the Nish Cre MumDing CnR the Aotton is high. our stCte NCir is the Hest stCte NCir.

Then ‘sunnW siRe oN’ suggests W=y, R=d, and N=f:

QCIV on the sunny side of the street. get me to the AhurAh on time. the fish Cre


Vigenère Table


Poly-alphabetic Cipher – using Vigenère Table

letter (B) is converted to the ciphertext letter in row 1 (B), column 9 (j), in this tableau. The letter in that position is k. The encryption of this message starts as shown below.

julie tjuli etjul ietju lietj uliet julie tjuli
BUTSO FTWHA TLIGH TTHRO UGHYO NDERW INDOW BREAK
koeas ycqsi …

With a six letter keyword such as juliet this algorithm effectively spreads the effect of the frequency of each letter onto six others, which flattens the distribution substantially. Long keywords can be used, but a keyword of length three usually suffices to smooth out the distribution.


Polyalphabetic cipher – finding the key length

The Dickens It was the best of times… example has much repetition so it demonstrates this argument quickly. Suppose the keyword is dickens.

dicke nsdic kensd icken sdick ensdi ckens dicke
ITWAS THEBE STOFT IMESI TWAST HEWOR STOFT IMESI

nsdic kensd icken sdick ensdi ckens dicke nsdic
TWAST HEAGE OFWIS DOMIT WASTH EAGEO FFOOL ISHNE

kensd icken sdick ensdi ckens dicke nsdic kensd
SSITW ASTHE EPOCH OFBEL IEFIT WASTH EEPOC HOFIN

The phrase IT WAS THE is enciphered with keyword nsdicken once in the first line and twice in the third line. These three cases all appear as identical 8-character patterns in the ciphertext.


Kasiski Method – Finding the Key Length in Poly-Alphabetic Ciphers

Starting    Distance from
Position    Previous         Factors
20
83          63 (83-20)       3, 7, 9, 21, 63
104         21 (104-83)      3, 7, 21

From this short example, we may guess that a keyword of 21 is improbable. Thus the key length is probably either 3 or 7. With more repeats you could reduce the number of possibilities for key length. Let us continue with the key length possibilities of 3 and 7.

For the Kasiski method, the steps are

1. Identify repeated patterns of three or more characters.
2. For each pattern write down the position at which each instance of the pattern begins.
3. Compute the difference between the starting points of successive instances.
4. Determine all factors of each difference.
5. If a polyalphabetic substitution cipher was used, the key length will be one of the factors that appears often in step 4.
6. Once the key length is known, use mono-alphabetic techniques.
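Steps 1 to 5 applied to the Dickens text and the keyword dickens from the previous slides, as an added Python example that is not part of the original slides. The function names are chosen here for illustration, and positions are 1-based to match the table above.

```python
from collections import Counter, defaultdict

# Plaintext and keyword are the ones on the slides, with spaces removed.
PLAINTEXT = (
    "ITWASTHEBESTOFTIMESITWASTHEWORSTOFTIMESI"
    "TWASTHEAGEOFWISDOMITWASTHEAGEOFFOOLISHNE"
    "SSITWASTHEEPOCHOFBELIEFITWASTHEEPOCHOFIN"
)
KEYWORD = "dickens"


def vigenere_encrypt(plaintext, keyword):
    """Add key letters to plaintext letters modulo 26 (A=0 ... Z=25)."""
    out = []
    for i, ch in enumerate(plaintext.upper()):
        shift = ord(keyword[i % len(keyword)].upper()) - ord("A")
        out.append(chr((ord(ch) - ord("A") + shift) % 26 + ord("A")))
    return "".join(out)


def repeated_patterns(ciphertext, length=3):
    """Steps 1-2: map every repeated pattern to its 1-based start positions."""
    positions = defaultdict(list)
    for i in range(len(ciphertext) - length + 1):
        positions[ciphertext[i:i + length]].append(i + 1)
    return {p: pos for p, pos in positions.items() if len(pos) > 1}


def factors(n):
    """Step 4: all factors of n except 1 (key length 1 is monoalphabetic)."""
    return [f for f in range(2, n + 1) if n % f == 0]


def key_length_votes(ciphertext, length=3):
    """Steps 3-5: count how often each factor divides a distance
    between successive instances of a repeated pattern."""
    votes = Counter()
    for pos in repeated_patterns(ciphertext, length).values():
        for a, b in zip(pos, pos[1:]):
            votes.update(factors(b - a))
    return votes


if __name__ == "__main__":
    ct = vigenere_encrypt(PLAINTEXT, KEYWORD)
    # 8-character repeats, as in the IT WAS THE observation on the slide
    for pattern, pos in repeated_patterns(ct, 8).items():
        print(pattern, pos, [b - a for a, b in zip(pos, pos[1:])])
    # Candidate key lengths from all repeats of three or more characters
    print(key_length_votes(ct).most_common(5))
```

The factors that collect the most votes are the candidate key lengths; step 6 then treats every k-th ciphertext letter as its own monoalphabetic cipher.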


VERNAM Cipher


Vernam Cipher

For example, the binary number

101101100101011100101101011100101

can be encoded with the random binary stream

101111011110110101100100100110001

to produce the following ciphertext

000010111011101001001001111010100


Vernam Cipher - Cryptanalysis

The problem with this form of random number generator is its dependability. Because each number depends only on the previous number, you can determine constants by solving a series of equations.

r1 = a * r0 + b mod n

r2 = a * r1 + b mod n

r3 = a * r2 + b mod n

An interceptor who has r0, r1, r2 and r3 can solve for a, b, and n.

An interceptor can get r0, r1, r2 and r3 by a probable word attack. With a Vernam cipher, each ciphertext letter comes from the formula

ci = ri + pi mod n

If an interceptor of the ciphertext guesses that the message starts with MEMO (M = 12, E = 4, O = 14), the interceptor can try to substitute probable values of pi and solve for values of ri.


Vernam Cipher (Cont.)

r0 = c0 – 12 mod n

r1 = c1 – 4 mod n

r2 = c2 – 12 mod n

r3 = c3 – 14 mod n

With these values of r0 to r3, the interceptor may be able to solve the three equations for a, b, and n. Given those, the interceptor can generate the full sequence of random numbers and obtain plaintext directly.
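The probable-word attack above, as an added Python example that is not part of the original slides; it shows why a keystream of the form r(i+1) = a * r(i) + b mod n gives no protection once a few plaintext letters are guessed. It assumes the modulus n is known to be 26 (letters A=0 … Z=25), and the values of a, b, the seed and the message are constructed for the demonstration.

```python
N = 26  # assumption: the modulus n is the alphabet size (A=0 ... Z=25)


def lcg_stream(a, b, seed, length, n=N):
    """Keystream r0, r1, ... with r(i+1) = a * r(i) + b mod n."""
    r, out = seed, []
    for _ in range(length):
        out.append(r)
        r = (a * r + b) % n
    return out


def vernam_encrypt(plaintext, a, b, seed, n=N):
    """c_i = r_i + p_i mod n, the formula from the slide."""
    ks = lcg_stream(a, b, seed, len(plaintext), n)
    return "".join(chr((ord(p) - 65 + r) % n + 65)
                   for p, r in zip(plaintext, ks))


def keystream_from_crib(ciphertext, crib, n=N):
    """r_i = c_i - p_i mod n for each guessed plaintext letter."""
    return [(ord(c) - ord(p)) % n for c, p in zip(ciphertext, crib)]


def solve_lcg(rs, n=N):
    """All (a, b) consistent with every consecutive pair in rs.

    n is composite, so r1 - r0 may have no inverse mod n; searching the
    n * n candidates handles that case and can return several solutions.
    """
    return [(a, b) for a in range(n) for b in range(n)
            if all((a * x + b) % n == y for x, y in zip(rs, rs[1:]))]


def break_vernam(ciphertext, crib, n=N):
    """Candidate plaintexts, one per (a, b) consistent with the crib."""
    rs = keystream_from_crib(ciphertext, crib, n)
    results = []
    for a, b in solve_lcg(rs, n):
        ks = lcg_stream(a, b, rs[0], len(ciphertext), n)
        results.append("".join(chr((ord(c) - 65 - r) % n + 65)
                               for c, r in zip(ciphertext, ks)))
    return results


if __name__ == "__main__":
    # Constructed message and generator parameters.
    ct = vernam_encrypt("MEMOMEETATNOON", a=7, b=3, seed=10)
    rs = keystream_from_crib(ct, "MEMO")
    print("ciphertext:", ct)
    print("keystream from crib:", rs)
    print("consistent (a, b):", solve_lcg(rs))
    print("recovered:", break_vernam(ct, "MEMO"))
```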


Vernam Cipher – a weakness

If we know both a message M and the cipher C, we would like the computation K = f(M, C) to be difficult.

In Vernam f is very easy: it is also an XOR!

Pseudorandom versus Random Numbers

•often use algorithmic technique to create pseudorandom numbers
  – which satisfy statistical randomness tests
  – but likely to be predictable

•true random number generators use a nondeterministic source
  – e.g. radiation, gas discharge, leaky capacitors
  – increasingly provided on modern processors


Permutation Cipher

As an example, you would write the plaintext message as:

T H I S I
S A M E S
S A G E T
O S H O W
H O W A C
O L U M N
A R T R A
N S P O S
I T I O N
W O R K S

The resulting ciphertext would then be read as

tssoh oaniw haaso lrsto imghw utpir seeoa mrook istwc nasns


Finding the Column Positions in Permutation Cipher

[Figure: the ciphertext letters written as repeated vertical columns placed side by side]

Improvement - The empty holes method


Product Ciphers

1. Although substitution ciphers and permutation ciphers alone are quite easy to break, their combination is quite a strong cipher!

2. This was the basis of most classical ciphers like the Enigma machine of World War II (see book by Sing…)

3. It’s also the basis for the DES cipher


Shannon’s Principles for a Good Cipher

1. The amount of secrecy needed should determine the labor required for encryption/decryption.

2. The keys and ciphering algorithm should be “free” from complexity.

3. The implementation of the cipher algorithm should be simple and effective.

4. Errors in ciphering should not propagate to the entire message.

5. The size of the enciphered text should not be much larger than the size of the clear text.


Shannon’s Theory


Shannon’s Theory

A system has perfect secrecy if by intercepting cipher code, nothing can be learned about the original message.

i.e. H(M|C) = H(M)

A Perfect Cipher


Shannon’s Theory (1949)

Confusion – a complex functional relationship between the Key, Plain-text and Cipher-text.

Diffusion – Information from one plain bit is diffused over all bits of the cipher (block).


Unicity Distance

Key equivocation

$H_C(K) = \sum_{c} P(c) \sum_{k} P_c(K) \log_2 \frac{1}{P_c(K)}$

$P_c(K)$ – prob. of K given C.

$H_C(K) = H(K)$ means the cipher is (theoretically) breakable

Unicity Distance = $\frac{H(K)}{D}$, where D is the Language Redundancy – the number of characters required to break the cipher (theoretically)


Perfect Cipher

•Let M = {M1, M2, …, Mn} be the set of all possible messages and C = {C1, C2, …, Cn} the set of all corresponding encrypted messages. A cipher is perfect if for all i, j

p(Mi|Cj) = p(Mi)

•Knowing the ciphertext adds no knowledge about the original text.

•A perfect cipher is immune to known ciphertext attacks.


•It can be proved that in a perfect cipher the number of keys is greater than or equal to the number of messages.

•The only perfect cipher is the One-Time Pad.
  – Each message is encrypted with a different random key.
  – The message is encrypted by XORing it with the key.


•An encryption algorithm is said to be unconditionally secure if, given infinite resources and an infinite number of pairs of plaintext and encrypted messages, it is not possible, given the encryption of the next message, to find the corresponding plaintext message.

•The one-time pad is the only encryption algorithm that is unconditionally secure.


Computational Security

•An encryption algorithm is called computationally secure if in practice it is very hard to recover the original text given the ciphertext.

•Since the only perfect encryption algorithm is the one-time pad, any encryption algorithm can be broken given a sufficient amount of computing power and time.

•For all known cryptographic algorithms, no lower bounds are known on the number of operations required to break them.


The Strength of an Encryption Algorithm (Shannon)

•The work factor of an encryption algorithm is the time required to break it: finding a message or finding the key given the ciphertext.

•The work factor is measured in the time and money that must be invested in breaking the algorithm.

•In practice, the work factor is the measure of the strength of an encryption algorithm.


Stream and block Ciphers

•Encryption functions take inputs of fixed length.

•To encrypt a message M that is longer than the input length of the encryption function, M is divided into blocks whose length equals the input length of the encryption function (padding is applied if needed). Each block is encrypted separately.

•We distinguish between two kinds of ciphers:
  – Block ciphers
  – Stream ciphers


Block Ciphers

•Let M be the input message, M = M1M2…Mn

•Encryption is performed by Ci = Ek(Mi…)

•Every block is encrypted in the same way, using the same key.

•In the general case, the input can be a function of all the previous blocks in the message, but the key stays fixed.

•The input block length must be large enough that an exhaustive search cannot be carried out.


Stream ciphers

•The encryption (and decryption) key changes. Encryption is performed with a key stream.

•The key stream can be a function of the previous blocks, of the block number, and of an input key.

•Stream ciphers usually operate on blocks of small length (single bits or bytes).

•In some stream ciphers, encryption is done by XORing the input message with the key stream.


Block Ciphers versus Stream Ciphers

•As we said, stream ciphers often work on small units of input. This makes them better suited to implementation in hardware than in software.

•Block ciphers usually work on input units that are multiples of 32 bits (a word).

•Stream ciphers are usually faster than block ciphers.

•Today, the use of block ciphers is more common.


ECB – Electronic Code Book

[Figure: each block M0, M1, …, Mn is passed through ENC with the key K to give C0, C1, …, Cn]


CBC – Cipher Block Chaining

[Figure: blocks M0, M1, …, Mn are passed through ENC with the key K to give C0, C1, …, Cn; an IV enters at the first block]


Cipher Feedback (CFB)


Advantages / Disadvantages of Block Cipher

Advantages:

•Higher Diffusion

•Immunity to malicious insertions

•Same data, same cipher – good for retrieval

Disadvantages:

•Lower speed

•Higher error propagation (block boundary?)

•Same data, same cipher – disclose statistics


Advantages / Disadvantages of Stream Cipher

Advantages:

•High speed of encryption

•Low error propagation (on single bit/char)

Disadvantages:

•Low Diffusion

•Susceptibility to malicious insertions


Examples of Symmetric Block Ciphers

•DES
•IDEA
•RC5
•AES - Rijndael


The Data Encryption Standard

The DES is a product cipher consisting of a series of permutations and substitutions. More specifically, it is a block cipher with an initial permutation, 16 rounds of encryption, a 32-bit swap, and final permutation.

All books on cryptography and data security describe this algorithm in gory detail.

It uses a 56-bit key (+8 bits parity) and it has been implemented in hardware and software.

The controversy about the Key length


The DES Cipher


DES – one iteration


Exhaustive Key Search


Symmetric Encryption Algorithms


DES

•The standard was developed by I.B.M. and adopted by NIST.
•Input block length: 64 bits.
•Key length: 64 bits.
  – 8 of the bits are parity bits.
•July 1998: Deep Crack, a machine developed specifically for this purpose, cost $210,000. It found a key within 56 hours.


Double and Triple Encryption

•Double encryption

C = Ek1(Ek2(M))

M = Dk2(Dk1(C))

•Double encryption is exposed to the Man in the middle attack

•Triple encryption

C = Ek1(Dk2(Ek3(M)))

M = Dk3(Ek2(Dk1(C)))

Triple DES (3DES)

•first used in financial applications
•in DES FIPS PUB 46-3 standard of 1999
•uses three keys & three DES executions:

C = E(K3, D(K2, E(K1, P)))

•decryption same with keys reversed
•use of decryption in second stage gives compatibility with original DES users
•effective 168-bit key length, slow, secure
•AES will eventually replace 3DES


IDEA – International Data Encryption Alg.

•Developed (1992) by Massey and Lai.
•Input block length: 64 bits.
•Key length: 128 bits.
•Based on addition modulo 2^16 and multiplication modulo 2^16+1.
•Easy to implement in software.
•More widely accepted in Europe.


RC5

•Invented by Ron Rivest in 1995.
•Has a variable key length (0 to 2048 bits), a variable block length and a variable number of rounds (0 to 255).
•Simple to implement: based on xor, addition and rotate.


Advanced Encryption Standard (AES)

•needed a better replacement for DES
•NIST called for proposals in 1997
•selected Rijndael in Nov 2001
•published as FIPS 197
•symmetric block cipher
•uses 128 bit data & 128/192/256 bit keys
•now widely available commercially


The Advanced Encryption Standard

The AES (Rijndael) uses block and key sizes of 16, 24, or 32 bytes. It uses 10, 12, or 14 rounds.

Each round applies byte substitution, row shift, column mixing, and key addition. Bytes are transformed using invertible substitutions (to add nonlinearity).

Bytes in columns are linearly combined for diffusion. Row shifts provide diffusion over multiple rounds. Key addition makes the round function key dependent.


Advanced Encryption Standard (AES)


AES (Cont.)

• Byte substitution. Bytes are transformed using invertible substitutions (to add nonlinearity). The substitution table is based on inverses in a field of 256 elements, GF(256), which assures that each input byte is substituted into a unique output byte.

• Shift row. Each byte is shifted a number of bytes depending on its location in the block, and on the key length. Row shifts provide diffusion over multiple rounds. The tables for shift row are given.

• Mix column. This is the most complex operation. Bytes in columns are linearly combined for diffusion. Each column is multiplied by a matrix which represents a polynomial mod 256. That is, each column is considered as a polynomial:
– $a_j(x) = a_{0j}x^3 + a_{1j}x^2 + a_{2j}x + a_{3j}$
– multiplied modulo $x^4 + 1$ with a fixed polynomial:
– $c(x) = \mathtt{'03'}x^3 + \mathtt{'01'}x^2 + \mathtt{'01'}$ )

• Key addition. Key addition makes each round key-dependent. Before the first round, the key is expanded into Nk bytes, where Nk is the size of the block times the number of rounds. Then, in each round, the next required number of key bytes are extracted, shifted and XORed with one another, resulting in strong key diffusion.
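The mix-column step as polynomial arithmetic, in an added example that is not part of the original slides. It uses the FIPS 197 conventions (coefficients stored low-order first, GF(2^8) modulus 0x11B, and the full polynomials c(x) and its inverse d(x) as given in FIPS 197); the function names and the sample column are chosen here for illustration.

```python
# Added example: MixColumn as polynomial multiplication (FIPS 197 conventions).
AES_MODULUS = 0x11B  # x^8 + x^4 + x^3 + x + 1, the GF(2^8) modulus in FIPS 197

def gf_mul(a, b):
    """Multiply two bytes as polynomials over GF(2), reduced mod AES_MODULUS."""
    result = 0
    while b:
        if b & 1:
            result ^= a          # addition in GF(2^8) is XOR
        a <<= 1
        if a & 0x100:            # degree reached 8: reduce
            a ^= AES_MODULUS
        b >>= 1
    return result

# Coefficients are listed low-order first: index i is the coefficient of x^i.
C_POLY = [0x02, 0x01, 0x01, 0x03]  # c(x) = '03'x^3 + '01'x^2 + '01'x + '02'
D_POLY = [0x0E, 0x09, 0x0D, 0x0B]  # d(x), the inverse of c(x) modulo x^4 + 1

def poly_mul_mod_x4_plus_1(column, poly):
    """Multiply a 4-byte column by poly modulo x^4 + 1 (x^4 wraps around to 1)."""
    out = [0, 0, 0, 0]
    for i, a in enumerate(column):
        for j, c in enumerate(poly):
            out[(i + j) % 4] ^= gf_mul(a, c)
    return out

def mix_column(column):
    return poly_mul_mod_x4_plus_1(column, C_POLY)

def inv_mix_column(column):
    return poly_mul_mod_x4_plus_1(column, D_POLY)

def changed_output_bytes(column, index, delta):
    """Diffusion check: count output bytes that change when one input byte changes."""
    modified = list(column)
    modified[index] ^= delta
    return sum(x != y for x, y in zip(mix_column(column), mix_column(modified)))

if __name__ == "__main__":
    col = [0xDB, 0x13, 0x53, 0x45]  # constructed sample column
    mixed = mix_column(col)
    print([f"{b:02x}" for b in mixed])
    print(inv_mix_column(mixed) == col, changed_output_bytes(col, 0, 0x01))
```

A single changed input byte alters all four output bytes of the column, which is the diffusion property the slide refers to; the inverse polynomial shows the step is reversible for decryption.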


Public Key Systems (PKS)

• These algorithms use two keys, one of which is public and the other secret. The approach is based on the infeasibility of determining the decryption key given the algorithm and the public key.

• Main advantage: to communicate privately among N users, you need 2N keys, instead of N(N-1)/2 keys with symmetric encryption.

• Instead of permutations and substitutions, these algorithms use properties of mathematical functions. In particular, they use the theory of NP functions, those for which there is no polynomial time algorithm.

• Rivest, Shamir, and Adleman developed the so-called RSA cipher used in most current systems. This takes advantage of the difficulty of factoring a number into primes.


Public-Key Algorithms

• Diffie-Hellman (1974).
• The encryption key and the decryption key are different.
• Given the encryption key, it is hard to find the decryption key.
• The encryption key can be published (hence the name).
• Ke: the encryption key, the public key
• Kd: the decryption key, the private key


Public-Key Algorithms

• Examples: RSA (there are others)
• Convenient to use: no protocol is needed to agree on a shared key
• Slow (usually used only to encrypt a key, not to encrypt data...)
• Exposed to the "man in the middle" attack
• The "whom to trust" problem
• The solution: anyone who proves their identity


The "Man in the Middle" Attack

[Figure: Alice and Bob exchange the messages "Hello, I am Alice" and "Hello, I am Bob". With Matt positioned between them, each message reaches Matt and is passed on by him to the other party.]


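The "Man in the Middle" Attack

[Figure: Alice sends "Hello, I am Alice" with key KA, and Bob sends "Hello, I am Bob" with key KB. Matt, between them, receives "Hello, I am Alice KA" and forwards "Hello, I am Alice KA'"; he receives "Hello, I am Bob KB" and forwards "Hello, I am Bob KB'".]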

Solution - Certificates


Merkle-Hellman - The Encryption Technique

• Public key is a beautiful idea: how to achieve it?

• First attempt: the Merkle-Hellman encryption technique.

• The public key is the set of integers of a knapsack (not a superincreasing knapsack); the private key is a corresponding superincreasing knapsack.

• The contribution of Merkle and Hellman was the design of a technique for converting a superincreasing knapsack into a regular one. The trick is to change the numbers in a nonobvious but reversible way.


The Encryption Technique cont.

Target 96                      Target 95
96: 73? Yes                    95: 73? Yes
96-73=23: 38? No               95-73=22: 38? No
23: 17? Yes                    22: 17? Yes
23-17=6: 11? No                22-17=5: 11? No
6: 4? Yes                      5: 4? Yes
6-4=2: 1? Yes                  5-4=1: 1? Yes
2-1=1: No solution             1-1=0: Solution

Figure 3-6 Example of Solving a Simple Knapsack


Public Key Using the Knapsack Problem

1. Select a simple (super-increasing) knapsack S.

2. Convert the problem to a hard knapsack (select w and n relatively prime):
   $H = w \cdot S \bmod n$

3. Encrypt: $C = H \cdot M \bmod n$
   Since H is hard, C is hard to break.

4. Decrypt:
   $C' = w^{-1} \cdot C = w^{-1} w \, S M = S M \bmod n$
   Since S is simple, M can be computed easily!


Knapsack Example

1. Simple knapsack: S = (1,2,4,9)

2. w = 15, n = 17; 15 · 8 = 1 mod 17, so $w^{-1}$ = 8
   Hard knapsack: (15,13,9,16)

3. Message = 1100 1011 1010 0101

4. Encryption:
   P = 0100 1011 1010 0101
   [0,1,0,0]*[15,13,9,16] = 13
   [1,0,1,1]*[15,13,9,16] = 40
   [1,0,1,0]*[15,13,9,16] = 24
   [0,1,0,1]*[15,13,9,16] = 29


Knapsack Example cont.

5. Decryption:
   13 * 8 = 104 mod 17 = 2
   40 * 8 = 320 mod 17 = 14
   24 * 8 = 192 mod 17 = 5
   29 * 8 = 232 mod 17 = 11

The recovered message is thus 0100101110100101.

How? C = S * M. Note: S is super-increasing!
C = 2, S = (1,2,4,9): M = (0,1,0,0)
C = 14, S = (1,2,4,9): M = (1,0,1,1)
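The knapsack procedure and worked example above, together with the greedy solve of Figure 3-6, as an added Python example that is not part of the original slides. Function names are chosen here for illustration; encryption follows the worked example (a plain sum per 4-bit block), and the Figure 3-6 knapsack (1,4,11,17,38,73) is read off the elements the figure tests.

```python
from math import gcd

def solve_superincreasing(S, target):
    """Greedy solve, largest element first; return the bit list or None."""
    bits = [0] * len(S)
    for i in range(len(S) - 1, -1, -1):
        if S[i] <= target:
            bits[i] = 1
            target -= S[i]
    return bits if target == 0 else None

def make_public_key(S, w, n):
    """H = w*S mod n, after checking the conditions that keep decryption unique."""
    if any(S[i] <= sum(S[:i]) for i in range(len(S))):
        raise ValueError("S is not super-increasing")
    if n <= sum(S):
        raise ValueError("n must exceed sum(S), otherwise S*M mod n is ambiguous")
    if gcd(w, n) != 1:
        raise ValueError("w and n must be relatively prime")
    return [(w * s) % n for s in S]

def encrypt(H, bits):
    """Encrypt a '0'/'1' string block by block: C = H . M for each block."""
    k = len(H)
    if len(bits) % k:
        raise ValueError("message length must be a multiple of the block size")
    blocks = [bits[i:i + k] for i in range(0, len(bits), k)]
    return [sum(h for h, b in zip(H, blk) if b == "1") for blk in blocks]

def decrypt(S, w, n, cipher):
    """C' = w^-1 * C mod n, then solve the simple knapsack S for each block."""
    w_inv = pow(w, -1, n)            # modular inverse (Python 3.8+)
    out = []
    for c in cipher:
        m = solve_superincreasing(S, (w_inv * c) % n)
        if m is None:
            raise ValueError(f"ciphertext block {c} has no solution")
        out.append("".join(str(b) for b in m))
    return "".join(out)

# Values from the slides' worked example.
S, W, N = [1, 2, 4, 9], 15, 17
P = "0100101110100101"
FIG_3_6 = [1, 4, 11, 17, 38, 73]     # knapsack implied by Figure 3-6

if __name__ == "__main__":
    H = make_public_key(S, W, N)
    C = encrypt(H, P)
    print(H, C, decrypt(S, W, N, C))
    print(solve_superincreasing(FIG_3_6, 96), solve_superincreasing(FIG_3_6, 95))
```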