EPICS Spring 2003 Slide 1
An Introduction to Cryptography
Edward J. Delp
Purdue University School of Electrical and Computer Engineering
Video and Image Processing Laboratory (VIPER)
West Lafayette, Indiana
http://www.ece.purdue.edu/~ace
• certificational security
– secure because it has withstood the test of time in that no attacks have been successful
• provable security
– successfully attacking a provable system is identical to attacking a classically known “hard” problem
“A Note on the Security of the OAEP-Enhanced RSA Public-Key Encryption Scheme,” RSA Laboratories Bulletin Number 9, February 23, 1999.
EPICS Spring 2003 Slide 15
Cryptanalysis
• Used to break or attack cipher systems
• Attack can be brute force (exhaustive search on the keyspace)
• Exploit vulnerabilities in the cipher system or the way it is used
• “Black bag jobs”
• “rubber hose” techniques
• “purchase key” technique
• “dumpster diving”
• social engineering
EPICS Spring 2003 Slide 16
Cryptanalysis
• Known plaintext
• Known ciphertext
• Chosen plaintext
• Cripping
• Differential approaches
• Traffic flow analysis
• Exploit “poor” use of the encryption system
EPICS Spring 2003 Slide 17
Cryptanalysis
• How do you know when you have been successful in your attack?
• Shannon showed this using the unicity distance:
  n = log2|K| / (R_L · log2|P|)
  K - key space, P - plaintext alphabet, R_L - redundancy in plaintext
EPICS Spring 2003 Slide 18
Cryptanalysis
• Unicity distance indicates how much ciphertext is needed to ensure there is only one plaintext that corresponds to this ciphertext - other keys that also give a plausible decryption are “spurious keys”
• Example - simple letter substitution cipher
  |P| = 26; |K| = 26!; R_L = 0.75
  n ≈ 25
• hence given a ciphertext of 25 letters a unique decryption is possible
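The unicity-distance formula of slide 17 carried through for the substitution-cipher example of slide 18, as an added example (not code from the slides); the only assumption is the slide's value R_L = 0.75 for English.

```python
import math

def unicity_distance(log2_keys: float, redundancy: float, alphabet_size: int) -> float:
    """Shannon's unicity distance n = log2|K| / (R_L * log2|P|).

    log2_keys     : log2 of the size of the key space |K|
    redundancy    : R_L, the redundancy of the plaintext language
    alphabet_size : |P|, the size of the plaintext alphabet
    """
    if not (0 < redundancy <= 1) or alphabet_size < 2:
        raise ValueError("redundancy must be in (0, 1] and the alphabet needs >= 2 symbols")
    return log2_keys / (redundancy * math.log2(alphabet_size))

def substitution_cipher_unicity(redundancy: float = 0.75) -> float:
    """Slide 18 example: |P| = 26 and |K| = 26! (every permutation of the alphabet).
    log2(26!) is accumulated term by term so the factorial itself is never materialised."""
    log2_keys = sum(math.log2(i) for i in range(1, 27))   # log2(26!) ~ 88.4 bits of key
    return unicity_distance(log2_keys, redundancy, 26)

if __name__ == "__main__":
    n = substitution_cipher_unicity()
    print(f"substitution cipher: about {n:.1f} ciphertext letters pin down the key")
```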
EPICS Spring 2003 Slide 19
Why Use Encryption?
• Enhance ability to conduct global commerce
• Privacy
• Authentication
EPICS Spring 2003 Slide 20
Cryptographic Systems
• Protocols describe how encryption system is used
• In many cases the security of the system is compromised by the protocol and NOT the encryption algorithm
– “man in the middle” attack
EPICS Spring 2003 Slide 21
Types of Cryptographic Systems
C = S(P)    S(•) - encryption function
P = H(C)    H(•) - decryption function
EPICS Spring 2003 Slide 22
Types of Cryptographic Systems
• Totally Secret
  – Kerckhoff’s Principle - “The security of any cipher lies in the key and NOT in the algorithm.”
• Public Algorithm (Secret Key)
• Public Key System
EPICS Spring 2003 Slide 23
Types of Cryptographic Systems
Totally secret systems - all aspects of the encryption/decryption are secret
EPICS Spring 2003 Slide 24
Public Algorithm
• Algorithms are known but parameters (keys) are secret
C = S_K(P)    P = H_K(C)    K ~ key
• Use same key for enciphering and deciphering
• Block Ciphers -- DES, IDEA, Twofish, TEA
• Stream Ciphers
• Problem: key management
EPICS Spring 2003 Slide 25
Public Key Cryptography
• Two keys
  E ~ enciphering key
  D ~ deciphering key
  C = S_E(P)
  P = H_D(C)
• Computationally infeasible to derive D from E
• Each user could publish E in a “public key directory”
EPICS Spring 2003 Slide 26
Public Key Cryptography
• No problem with key distribution - really?
  – fronting attacks
  – “man in the middle” attack
• Authentication - use private deciphering key to encipher a message
EPICS Spring 2003 Slide 27
Authentication
• Two keys
  E ~ enciphering key
  D ~ deciphering key
  C_a = S_D(P) - encipher with private key
  P = H_E(C_a) - decipher with public key
The message P has been “signed”
EPICS Spring 2003 Slide 28
Public Key Cryptography
• Must protect public key directory
• Application of the use of signatures
• Certify the public key with a broker of trust (the US Post Office?!)
EPICS Spring 2003 Slide 29
History of Public Key Cryptography
• Diffie, Hellman, and Merkle are credited with being the inventors of public key cryptography
– W. Diffie and M.E. Hellman, “Privacy and Authentication: An Introduction to Cryptography,” Proceedings of the IEEE, Vol. 67, No. 3, March 1979, pp. 397-427.
• British claim they did it in 1970 (http://www.gchq.gov.uk/about/history.html)
• NSA claim they also invented it: http://www.research.att.com/~smb/nsam-160/
EPICS Spring 2003 Slide 30
Key Management
• Block Ciphers - how do you distribute keys
• Public Key - protect public key directory
• Political issue - key recovery
EPICS Spring 2003 Slide 31
Clipper and Capstone
Escrowed Encryption Standard, also known as “CLIPPER,” is a cryptographic device intended to protect private communications while at the same time permitting government agents to obtain the "keys" upon presentation of "legal authorization." The "keys" would be held by two government "escrow agents" and would enable the government to access the encrypted private communication. (February 4, 1992)
Clipper would be used to encrypt voice transmissions; a similar device known as Capstone would be used to encrypt data. Both systems are based on the SKIPJACK algorithm.
http://www.eff.org/pub/Privacy/Clipper/
EPICS Spring 2003 Slide 32
Encryption Systems
• Trapdoor Functions - easily computable functions with a computationally infeasible inverse (without use of special knowledge)
EPICS Spring 2003 Slide 33
Public Key Systems
• Trapdoor-Knapsack System (Merkle and Hellman)
• Discrete Log (El Gamal)
• RSA (Rivest, Shamir, Adleman)
• Elliptic Curve Methods
EPICS Spring 2003 Slide 34
Knapsack System
Subset Sum Problem:
Given positive integers a1, a2, …, an and positive integer c,determine the subset of the integers which sum to c.
• Shamir proposed an interesting attack on the Knapsack system:
– A. Shamir and R.E. Zippel, "On the Security of the Merkle-Hellman Cryptographic System," IEEE Transactions on Information Theory, Vol. 26, No. 3, May 1980, pp. 339-340.
– A. Shamir, "A Polynomial-Time Algorithm for Breaking the Basic Merkle-Hellman Cryptosystem," IEEE Transactions on Information Theory, Vol. 30, No. 5, September 1984, pp. 699-704.
EPICS Spring 2003 Slide 41
Block Ciphers
Encipher block of x bits using y bits of key to produce x bits of ciphertext
• Message extension
• Substitution cipher
EPICS Spring 2003 Slide 42
Block Cipher
• Think of substitution operation as a permutation
• (2^x)! permutations
• Key requires log2[(2^x)!] bits
  – are all keys equally likely? ⇒ entropy of the key space
EPICS Spring 2003 Slide 43
Block Ciphers Problems
• Vulnerable to statistical attacks
• Vulnerable to dictionary attacks
EPICS Spring 2003 Slide 44
Triple Encryption
• Use block cipher three times
  – Tuchman, W., “Hellman Presents No Shortcut Solutions to DES”, IEEE Spectrum, vol. 16 no. 7, July 1979, pp. 40-41.
• “Encrypt-Decrypt-Encrypt”
  – use two or three keys
  – see RFC 1851: http://www.landfield.com/rfcs/rfc1851.html
EPICS Spring 2003 Slide 45
Block Ciphers
• Translation Cipher
  c = m + t_i
  t_i - offset associated with the key
• Linear Cipher
  c = A_i m
  A_i - matrix associated with the key
• Affine Cipher
  c = Am + t
EPICS Spring 2003 Slide 46
Feistel Cipher
• Plaintext must be even number of bits, 2n
• Plaintext, m, split into 2 halves m = (m0, m1)
• Key has subkeys (k1, k2, …, kh)
• Each subkey describes a transformation f_ki(mi)
• Hence - reverse halves of c and use as input to decipher c
• Exact same hardware used for both enciphering and deciphering, i.e. do not need f_ki^-1(•)
• in fact f_ki^-1(•) need not exist!
EPICS Spring 2003 Slide 50
Data Encryption Standard
DES 1977
• A Feistel cipher with subkeys that are a function of the round
• Based on the IBM Lucifer cipher
• A US standard
• Several operational modes - block or feedback mode
• 64-bit plaintext
• 56-bit key
• 16 rounds
http://csrc.nist.gov/cryptval/des.htm
http://csrc.nist.gov/encryption/tkencryption.html
EPICS Spring 2003 Slide 51
DES
• Input (L, R) (each 32 bits)
• nth round
  input L_n-1, R_n-1
  L_n = R_n-1
  R_n = L_n-1 + f(R_n-1, K_n)    (+ is bitwise XOR)
  K_n ~ 48 bits chosen from the 56 bit key
  K_n = KS(n, key)
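A working Feistel network with the DES round structure of slide 51, added here to show the two claims of slide 46: the same routine deciphers when the halves are swapped and the subkeys are fed in reverse order, and the round function f never needs an inverse. This is example code, not the slides' own and not DES: the round function, the 16-byte block and the toy key schedule are assumptions.

```python
import hashlib

def round_function(half: bytes, subkey: bytes) -> bytes:
    """f(R_{n-1}, K_n): a deliberately NON-invertible mixer (truncated SHA-256).
    Decryption never inverts f, so f need not have an inverse at all."""
    return hashlib.sha256(subkey + half).digest()[: len(half)]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def key_schedule(key: bytes, rounds: int = 16) -> list:
    """K_n = KS(n, key): subkeys that are a function of the round (toy schedule, assumption)."""
    return [hashlib.sha256(key + bytes([n])).digest() for n in range(1, rounds + 1)]

def feistel(block: bytes, subkeys: list) -> bytes:
    """Rounds: L_n = R_{n-1}, R_n = L_{n-1} XOR f(R_{n-1}, K_n).
    The final halves are output swapped back, so running this same function on the
    output with the subkeys reversed walks the rounds backwards and recovers the input."""
    assert len(block) % 2 == 0, "plaintext must be an even number of bits, 2n"
    n = len(block) // 2
    assert n <= 32, "half-block must fit in one SHA-256 digest"
    left, right = block[:n], block[n:]
    for k in subkeys:
        left, right = right, xor(left, round_function(right, k))
    return right + left          # undo the last swap (as DES does)

def encrypt(block: bytes, subkeys: list) -> bytes:
    return feistel(block, subkeys)

def decrypt(block: bytes, subkeys: list) -> bytes:
    return feistel(block, list(reversed(subkeys)))   # same "hardware", reversed subkeys

if __name__ == "__main__":
    ks = key_schedule(b"constructed-demo-key")
    ct = encrypt(b"sixteen byte blk", ks)
    print(ct.hex(), decrypt(ct, ks))
```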
EPICS Spring 2003 Slides 52-55
DES (figures only; no text survives in the transcript)
EPICS Spring 2003 Slide 56
DES
• E maps 32-bit input → 48-bit output
• S boxes? - 6 bits in / 4 bits out
  – MSB and LSB of input form row index
  – middle 4 bits form column index
  – block ciphers (not affine)
EPICS Spring 2003 Slide 57
Cracking DES
http://www.eff.org/descracker.html
EPICS Spring 2003 Slide 58
DES “Hardware”
90 Billion keys/second - 4.5 days to break a 56 bit single DES key
EPICS Spring 2003 Slide 59
DES Hacking
• In 1999, new hack broke it in 22 hours – http://www.eff.org//Privacy/Crypto_misc/DESCracker/HTML/19990119_deschallenge3.html
• Matrix multiplication is performed: each column is multiplied by the matrix:
  | 2 3 1 1 |
  | 1 2 3 1 |
  | 1 1 2 3 |
  | 3 1 1 2 |
EPICS Spring 2003 Slide 72
Add Key Round
• XORs the round key into the state
EPICS Spring 2003 Slide 73
Rijndael
• Hence Rijndael is:
  ARK
  BS SR MC ARK
  BS SR MC ARK ... BS SR MC ARK
  BS SR ARK
EPICS Spring 2003 Slide 74
Key Schedule
• For 128 and 192 bit keys
  – original key, followed by stretches, each the length of the original key, consisting of four-byte words such that each word is the XOR of the preceding four-byte word and either the corresponding word in the previous stretch or a function of it
  – for the first word in a stretch, the word is first rotated one byte to the left, then its bytes are transformed using the S-box from the Byte Sub step, and then a round-dependent constant is XORed to its first byte
• For 256 bit keys, in addition, the S-box from the Byte Sub step alone is applied to the word from the preceding stretch for the fifth word in a stretch
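The key schedule just described, implemented for all three key lengths as an added example (not code from the slides). The S-box is computed rather than tabulated, so the block is self-contained; the round constants are the standard Rijndael values 2^(i-1) in GF(2^8).

```python
def xtime(a: int) -> int:
    """Multiply by x (i.e. by 2) in GF(2^8) modulo the Rijndael polynomial x^8+x^4+x^3+x+1."""
    a <<= 1
    return a ^ 0x11B if a & 0x100 else a

def gf_mul(a: int, b: int) -> int:
    """Shift-and-add multiplication of two field elements."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r

def make_sbox() -> list:
    """Byte Sub S-box: multiplicative inverse (0 -> 0) followed by the fixed affine map."""
    inv = [0] * 256
    for a in range(1, 256):
        inv[a] = next(b for b in range(1, 256) if gf_mul(a, b) == 1)
    sbox = []
    for x in inv:
        s = x ^ (x << 1) ^ (x << 2) ^ (x << 3) ^ (x << 4)   # x XOR its four left rotations
        sbox.append(((s ^ (s >> 8)) & 0xFF) ^ 0x63)         # fold rotated-out bits back, add 0x63
    return sbox

RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]   # 2^(i-1) in GF(2^8)

def expand_key(key: bytes) -> list:
    """Return 4*(rounds+1) four-byte words for a 16-, 24- or 32-byte key."""
    nk = len(key) // 4                       # words per "stretch": 4, 6 or 8
    assert nk in (4, 6, 8) and len(key) == 4 * nk, "key must be 128, 192 or 256 bits"
    rounds = nk + 6
    sbox = make_sbox()
    w = [list(key[4 * i:4 * i + 4]) for i in range(nk)]   # stretch 0 is the original key
    for i in range(nk, 4 * (rounds + 1)):
        temp = list(w[i - 1])                # the preceding four-byte word
        if i % nk == 0:                      # first word of a stretch
            temp = temp[1:] + temp[:1]       # rotate one byte to the left
            temp = [sbox[b] for b in temp]   # Byte Sub S-box on each byte
            temp[0] ^= RCON[i // nk - 1]     # round-dependent constant on the first byte
        elif nk == 8 and i % nk == 4:        # 256-bit keys: S-box alone on the fifth word
            temp = [sbox[b] for b in temp]
        w.append([a ^ b for a, b in zip(w[i - nk], temp)])   # XOR with word from previous stretch
    return w
```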
EPICS Spring 2003 Slide 75
Blowfish
• Blowfish - http://www.counterpane.com/blowfish.html
  – symmetric block cipher that can be used as a drop-in replacement for DES
  – 64 bit block cipher with variable-key length
  – uses Feistel structure
• Blowfish has two steps
  – key expansion - key as large as 448 bits converted to subkey array of 4168 bits
  – encryption - 16 rounds of the Feistel structure
  – four 32 bit S-boxes that have 256 entries
  S[0] = 0xB7E15163
  for i = 1 to 43 do S[i] = S[i-1] + 0x9E3779B9
  A = B = i = j = 0
  for s = 1 to 132 do {
      A = S[i] = (S[i] + A + B) <<< 3
      B = L[j] = (L[j] + A + B) <<< (A + B)
      i = (i + 1) mod 44
      j = (j + 1) mod c
  }
EPICS Spring 2003 Slide 97
Public Key Cryptography
RSA (1978)
Rivest, Shamir, and Adleman
Problem: factor a large integer into the product of two primes
EPICS Spring 2003 Slide 98
RSA
• Public key: choose integers h and n
• Plaintext block: m
• Encipher: c = m^h (mod n)
• Decipher: m = c^d (mod n)
• h - public enciphering key (known)
• d - private deciphering key
• n - known
EPICS Spring 2003 Slide 99
RSA
• Generate d and h - choose two prime numbers p and q such that pq = n
• p and q are secret
• Choose d such that GCD(d, φ(n)) = 1
  φ(n) = (p-1)(q-1)
  φ(n) ~ Euler’s Totient Function
EPICS Spring 2003 Slide 100
RSA
Example:
p = 61
q = 53
n = 3233
φ(n) = 3120
choose d = 37 ⇒ h = 253
dh = 1 mod φ(n)
EPICS Spring 2003 Slide 101
RSA
• How to attack RSA
  – factor n ⇒ p and q ⇒ d from h
  – n ~ 300 digits
• ~ 1.5 x 10^29 operations to factor n
• 1 µs/operation ⇒ 4 x 10^15 years
protocol known as the Optimal Asymmetric Encryption Padding (OAEP)
M. Bellare and P. Rogaway, “Optimal Asymmetric Encryption - How to Encrypt with RSA,” Eurocrypt 1994, pp. 92-111.
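The RSA key generation, enciphering, signing (slide 27) and the factoring attack of slide 101, run on the slide's own numbers p = 61, q = 53, d = 37. Added example, not the slides' code; textbook RSA without OAEP padding, with a trial-division factoriser that only succeeds because the toy n is four digits long.

```python
from math import gcd

def rsa_keys_from_primes(p: int, q: int, d: int):
    """n = pq, phi(n) = (p-1)(q-1); d must be coprime to phi(n); h is d's inverse mod phi(n)
    so that d*h = 1 mod phi(n). Returns (h, d, n)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(d, phi) != 1:
        raise ValueError("need GCD(d, phi(n)) = 1")
    h = pow(d, -1, phi)               # modular inverse (Python 3.8+)
    return h, d, n

def encipher(m: int, h: int, n: int) -> int:
    return pow(m, h, n)               # c = m^h mod n, with the public key

def decipher(c: int, d: int, n: int) -> int:
    return pow(c, d, n)               # m = c^d mod n, with the private key

def sign(m: int, d: int, n: int) -> int:
    return pow(m, d, n)               # C_a = S_D(P): encipher with the private key

def verify(sig: int, h: int, n: int) -> int:
    return pow(sig, h, n)             # P = H_E(C_a): anyone with the public key recovers P

def private_from_public(h: int, n: int) -> int:
    """Slide 101's attack: factor n into p and q, then recover d from h.
    Trial division up to sqrt(n) is only feasible for a toy modulus."""
    p = next(i for i in range(2, int(n ** 0.5) + 1) if n % i == 0)
    q = n // p
    return pow(h, -1, (p - 1) * (q - 1))

if __name__ == "__main__":
    h, d, n = rsa_keys_from_primes(61, 53, 37)
    print(f"h = {h}, n = {n}; c = {encipher(65, h, n)}; d recovered = {private_from_public(h, n)}")
```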
EPICS Spring 2003 Slide 102
Public Key Cryptography
Discrete Log Problem
El Gamal Cipher
• p - prime number
• α and β integers
• Find a such that α^a = β mod (p)
EPICS Spring 2003 Slide 103
El Gamal Cipher
• Discrete Log Problem - α^a = β mod (p)
  – p, α, and β are public key
  – a is secret (deciphering key)
• Choose k
• x - plaintext
  y1 = α^k mod (p)
  y2 = x β^k mod (p)
  c = (y1, y2)
EPICS Spring 2003 Slide 104
El Gamal Cipher
• Plaintext masked by β^k
• decryption - compute β^k from α^k and then divide to obtain x
  x = y2 (y1^a)^-1 mod (p)
  y1^a = (α^k)^a mod (p) = β^k mod (p)
  x = x β^k (β^k)^-1 mod (p)
• To attack the cipher must solve the discrete log problem for a
EPICS Spring 2003 Slide 105
Diffie-Hellman Key Exchange
• Choose prime number n and integer g - can be made public
• User 1 ⇒ A = g^x mod n (x random integer); send A to User 2
• User 2 ⇒ B = g^y mod n (y random integer); send B to User 1
• User 1 ⇒ k = B^x mod n
• User 2 ⇒ h = A^y mod n
• k = h = g^xy, use as the key
illegal user knows: n, g, A, and B ⇒ to find key - solve the discrete log
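The El Gamal cipher of slides 103-104 and the Diffie-Hellman exchange of slide 105 side by side, as an added example (not the slides' code), with the exhaustive discrete-log search that the eavesdropper is reduced to. The prime p = 467 with generator α = 2 and the exponents are constructed toy values chosen so the search finishes instantly; the point is that the same search over a real-sized prime does not.

```python
def elgamal_keygen(p: int, alpha: int, a: int):
    """Public key (p, alpha, beta) with beta = alpha^a mod p; a is the secret deciphering key."""
    return (p, alpha, pow(alpha, a, p)), a

def elgamal_encrypt(public, x: int, k: int):
    """c = (y1, y2): y1 = alpha^k mod p, y2 = x * beta^k mod p, i.e. x masked by beta^k."""
    p, alpha, beta = public
    if not 0 < x < p:
        raise ValueError("plaintext block must be in 1..p-1")
    return pow(alpha, k, p), (x * pow(beta, k, p)) % p

def elgamal_decrypt(public, a: int, c):
    """x = y2 * (y1^a)^-1 mod p, because y1^a = (alpha^k)^a = beta^k."""
    p, _, _ = public
    y1, y2 = c
    return (y2 * pow(pow(y1, a, p), -1, p)) % p

def diffie_hellman(n: int, g: int, x: int, y: int):
    """User 1 sends A = g^x, User 2 sends B = g^y; both derive g^(xy) mod n.
    Returns (A, B, k, h): A and B are what an eavesdropper sees, k and h the two users' keys."""
    A, B = pow(g, x, n), pow(g, y, n)
    return A, B, pow(B, x, n), pow(A, y, n)

def discrete_log_bruteforce(alpha: int, beta: int, p: int):
    """The eavesdropper's problem: find a with alpha^a = beta mod p (also what the El Gamal
    attacker must solve). Exhaustive search; feasible only for a toy prime like p = 467."""
    for a in range(p):
        if pow(alpha, a, p) == beta:
            return a
    return None

if __name__ == "__main__":
    public, a = elgamal_keygen(467, 2, 127)           # constructed toy key
    c = elgamal_encrypt(public, 100, 213)             # constructed plaintext and k
    print(c, elgamal_decrypt(public, a, c))
    print(diffie_hellman(467, 2, 3, 5), discrete_log_bruteforce(2, public[2], 467))
```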
EPICS Spring 2003 Slide 106
Other Public Key Techniques
• Elliptic Curve Systems
• Cellular Automata
• DES Variants
• Ong-Schnorr-Shamir
• ESIGN
EPICS Spring 2003 Slide 107
Elliptic Curve Cryptosystems
• Elliptic Curve Systems - generalization of the discrete log problem and RSA systems to a Galois Field in which modular multiplication is replaced by the elliptic curve addition operation, for example:
  y^2 = x^3 + ax + b (mod p) (p is prime)
  Find point solutions to the curve, i.e. (x, y) pairs
• PKCS #13: Elliptic Curve Cryptography Standard - http://www.rsasecurity.com/rsalabs/pkcs/pkcs-13/
http://world.std.com/~dpj/elliptic.html
EPICS Spring 2003 Slide 108
Stream Ciphers
• Key generator - generate random sequence– Can it really be random?
• Can produce “error resilient” cipher
EPICS Spring 2003 Slide 109
Stream Cipher
• Another way to look at:
P_i, i = 1, 2, 3, … plaintext
R_i, i = 1, 2, 3, … random numbers used as the key sequence
C_i = P_i ⊕ R_i ciphertext
EPICS Spring 2003 Slide 110
Key Generator
• Shift Register sequence
• Linear Shift Register Sequence
EPICS Spring 2003 Slide 111
LSR Sequences
f(•) = c0 s0 + c1 s1 + … + c_n-1 s_n-1
c_i ~ feedback coefficients
• Output is function of the c_i’s and the initial fill
• Output sequence is periodic, maximum period 2^n - 1
• How do you choose the feedback coefficients?
  – use m-sequences (nice correlation properties)
  – also known as pseudo-random sequences
EPICS Spring 2003 Slide 112
Linear Shift Register
• Not very secure
• know 2n bits ⇒ can obtain the entire 2^n - 1 bits
• use non-linear sequences
• random number generation
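The LFSR of slide 111 and the “know 2n bits ⇒ obtain the whole sequence” claim of slide 112 made concrete, as an added example (not the slides' code): a 4-stage register with the m-sequence taps x^4 + x + 1 reaches the maximum period 2^4 - 1 = 15, and the Berlekamp-Massey algorithm recovers its feedback coefficients from just 2n = 8 output bits. The tap choices and initial fill are constructed for the demonstration.

```python
def lfsr(coeffs, fill, length):
    """n-stage LFSR: emit s_0, shift left, feed back f = c_0 s_0 + ... + c_{n-1} s_{n-1} (mod 2)."""
    state = list(fill)
    out = []
    for _ in range(length):
        out.append(state[0])
        fb = 0
        for c, s in zip(coeffs, state):
            fb ^= c & s
        state = state[1:] + [fb]
    return out

def period(coeffs, fill):
    """Smallest p > 0 with s_{t+p} = s_t for all t; at most 2^n - 1 for an n-stage register."""
    n = len(fill)
    seq = lfsr(coeffs, fill, 2 ** (n + 1))
    return next(p for p in range(1, 2 ** n + 1) if seq[p:] == seq[:-p])

def berlekamp_massey(bits):
    """Shortest LFSR that generates `bits` (Berlekamp-Massey over GF(2)).
    Returns (L, coeffs) with coeffs in the slide's c_0..c_{L-1} convention;
    2L output bits are enough to determine an L-stage register uniquely."""
    n = len(bits)
    C, B = [1] + [0] * n, [1] + [0] * n     # current and previous connection polynomials
    L, m = 0, 1
    for i in range(n):
        d = bits[i]                          # discrepancy between prediction and actual bit
        for j in range(1, L + 1):
            d ^= C[j] & bits[i - j]
        if d == 0:
            m += 1
            continue
        T = C[:]
        for j in range(n + 1 - m):
            C[j + m] ^= B[j]                 # C(x) += x^m * B(x)
        if 2 * L <= i:
            L, B, m = i + 1 - L, T, 1
        else:
            m += 1
    return L, C[L:0:-1]                      # C_j = c_{L-j}, so reverse C_1..C_L
```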
EPICS Spring 2003 Slide 113
RC4
• Stream cipher - C_i = P_i ⊕ R_i
• To generate R_i: one 8x8 s-box of bytes S_i, i = 0, 1, …, 255
  i = 0, j = 0
  i = (i + 1) mod 256
  j = (j + S_i) mod 256
  swap S_i and S_j
  t = (S_i + S_j) mod 256
  R = S_t
EPICS Spring 2003 Slide 114
RC4
• Generation of the s-box - 8x8 matrix
  – initially fill it with 0, 1, 2, …, 255
  – take key and fill another array, repeat key to fill the entire array, call this K0, K1, …, K255
  j = 0
  for i = 0 to 255
    j = (j + S_i + K_i) mod 256
    swap S_i and S_j
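The RC4 s-box generation (slide 114) and keystream generation (slide 113) written out and checked against the widely published RC4 test vectors, as an added example rather than the slides' own code.

```python
def rc4_ksa(key: bytes) -> list:
    """Generate the s-box: S = 0..255, K = key repeated to 256 bytes,
    then for i = 0..255: j = (j + S_i + K_i) mod 256 and swap S_i, S_j."""
    if not key:
        raise ValueError("key must not be empty")
    S = list(range(256))
    K = [key[i % len(key)] for i in range(256)]
    j = 0
    for i in range(256):
        j = (j + S[i] + K[i]) % 256
        S[i], S[j] = S[j], S[i]
    return S

def rc4_keystream(S: list, length: int) -> bytes:
    """Produce R_i: i = i+1, j = j+S_i, swap S_i and S_j, output S_t with t = S_i+S_j (mod 256)."""
    i = j = 0
    out = bytearray()
    for _ in range(length):
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        t = (S[i] + S[j]) % 256
        out.append(S[t])
    return bytes(out)

def rc4(key: bytes, data: bytes) -> bytes:
    """C_i = P_i XOR R_i; calling it again with the same key decrypts, since XOR is its own inverse."""
    R = rc4_keystream(rc4_ksa(key), len(data))
    return bytes(p ^ r for p, r in zip(data, R))

if __name__ == "__main__":
    print(rc4(b"Key", b"Plaintext").hex())     # published vector: bbf316e8d940af0ad3
```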
EPICS Spring 2003 Slide 115
RC4
• RSA claims the RC4 is immune to short cycles and other attacks and is very nonlinear – it has been broken!
• can extend to larger s-box
• Lots of controversy when RC4 was leaked to the public
• RC4 used in Cellular Digital Packet Data (CDPD) and WEP
• See Airsnort - http://airsnort.shmoo.com/
EPICS Spring 2003 Slide 116
Authentication Signature Schemes
• Who are you?
• Are you who you say you are?
• Signing a document
EPICS Spring 2003 Slide 117
Signatures
• Digital Signatures vs. Conventional Signatures
• “Signing” a document
– Conventional Signature - physically part of the document
– Digital Signature - must have a “binding” operation to bind signature to message
• Verification
  – Conventional - compare to other authentic document
  – Digital - public algorithm, anyone can verify the signature
EPICS Spring 2003 Slide 118
Signatures
• A copy of signed digital document is identical to the original