Top Banner
CRYPTOSYSTEMS & CRYPTOSYSTEMS & AUTHENTICATION AUTHENTICATION Classical Cryptography- Substitution Ciphers- permutation Ciphers-Block Ciphers-DES Modes of Operation- AES-Linear Cryptanalysis, Differential Cryptanalysis- Hash Function -SHA 512- Message Authentication Codes-HMAC - Authentication Protocols UNIT II
66
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Page 1: Classical cryptography

CRYPTOSYSTEMS & CRYPTOSYSTEMS & AUTHENTICATIONAUTHENTICATION

Classical Cryptography-Substitution Ciphers-permutation Ciphers-Block Ciphers-DES Modes of Operation- AES-Linear Cryptanalysis, Differential Cryptanalysis- Hash Function -SHA 512- Message Authentication Codes-HMAC - Authentication Protocols

UNIT II

Page 2: Classical cryptography

Objectives

0To introduce basic concepts & terminology of encryption

0To prepare us for studying modern cryptography

IFETCE/M.E CSE/NE7202-NIS/Unit 2

2

Page 3: Classical cryptography

Overview

0Cryptography0Basic Terminology0Classical Cryptography

0 Substitution0 Transposition0 Product

IFETCE/M.E CSE/NE7202-NIS/Unit 2 Slide #9-3

Page 4: Classical cryptography

What is Cryptography?

0 The idea of storing and transmitting data in a form that only the authorized parties can interpret.

0 Process of making and using codes to secure transmission of information

IFETCE/M.E CSE/NE7202-NIS/Unit 2 Slide #9-4

Page 5: Classical cryptography

Cryptography

0 Can be characterized by:0 type of encryption operations used

0substitution / transposition / product

0 number of keys used0single-key or private / two-key or public

0 way in which plaintext is processed0block / stream

IFETCE/M.E CSE/NE7202-NIS/Unit 2 Slide #9-5

Page 6: Classical cryptography

Basic terminology

0 Plaintext: original message to be encrypted

0 Ciphertext: the encrypted message

0 Enciphering or encryption: the process of converting plaintext into ciphertext

0 Encryption algorithm: performs encryption

0 Two inputs: a plaintext and a secret key

IFETCE/M.E CSE/NE7202-NIS/Unit 2 Slide #9-6

Page 7: Classical cryptography

Basic terminology

0 Deciphering or decryption: recovering plaintext from ciphertext

0 Decryption algorithm: performs decryption0 Two inputs: ciphertext and secret key

0 Secret key: same key used for encryption and decryption0 Also referred to as a symmetric key

IFETCE/M.E CSE/NE7202-NIS/Unit 2 Slide #9-7

Page 8: Classical cryptography

IFETCE/M.E CSE/NE7202-NIS/Unit 2 Slide #9-8

Page 9: Classical cryptography

IFETCE/M.E CSE/NE7202-NIS/Unit 2 Slide #9-9

Page 10: Classical cryptography

IFETCE/M.E CSE/NE7202-NIS/Unit 2 Slide #9-10

Page 11: Classical cryptography

Cryptanalysis

0 Opponent whose goal is to break cryptosystem is the adversary

0 Objective: to recover the plaintext of a ciphertext or, more typically, to recover the secret key.

0 Kerkhoff’s principle: adversary knows algorithm used, but not key

0 Two general approaches:0 brute-force attack0 non-brute-force attack (cryptanalytic attack)

IFETCE/M.E CSE/NE7202-NIS/Unit 2 Slide #9-11

Page 12: Classical cryptography

Brute-Force Attack0 Try every key to decipher the ciphertext.0 On average, need to try half of all possible keys 0 Time needed proportional to size of key space

Key Size (bits) Number of Alternative Keys

Time required at 1 decryption/µs

Time required at 106 decryptions/µs

32 232 = 4.3 109 231 µs = 35.8 minutes 2.15 milliseconds

56 256 = 7.2 1016 255 µs = 1142 years 10.01 hours

128 2128 = 3.4 1038 2127 µs = 5.4 1024 years 5.4 1018 years

168 2168 = 3.7 1050 2167 µs = 5.9 1036 years 5.9 1030 years

26 characters (permutation)

26! = 4 1026 2 1026 µs = 6.4 1012 years 6.4 106 years

Page 13: Classical cryptography

Cryptanalytic Attacks

0 Classified by how much information needed by the attacker

0 Three types of attacks:0 Ciphertext only: adversary has only ciphertext; goal is to find

plaintext, possibly key. 0 Known plaintext: adversary has ciphertext, corresponding

plaintext; goal is to find key0 Chosen plaintext: adversary may supply plaintexts and obtain

corresponding ciphertext; goal is to find key0 Chosen-ciphertext attack: adversary may choose ciphertext

and corresponding decrypted plaintext ; goal is to find key

IFETCE/M.E CSE/NE7202-NIS/Unit 2 Slide #9-13

Page 14: Classical cryptography

Ciphertext-only attack

0 Given: a ciphertext c 0 Q: what is the plaintext m?0 An encryption scheme is completely insecure if it

cannot resist ciphertext-only attacks.

IFETCE/M.E CSE/NE7202-NIS/Unit 2 Slide #9-14

Page 15: Classical cryptography

Known-plaintext attack

0 Given: (m1,c1), (m2,c2), …, (mk,ck) and a new ciphertext c.

0 Q: what is the plaintext of c?0 Q: what is the secret key in use?

IFETCE/M.E CSE/NE7202-NIS/Unit 2 Slide #9-15

Page 16: Classical cryptography

Chosen-plaintext attack

0 Given: (m1,c1), (m2,c2), …, (mk,ck), where m1, m2, …, mk are chosen by the adversary; and a new ciphertext c.

0 Q: what is the plaintext of c, or what is the secret key?

IFETCE/M.E CSE/NE7202-NIS/Unit 2 Slide #9-16

Page 17: Classical cryptography

Chosen-Plaintext Attack

Crook #1 changeshis PIN to a numberof his choice

cipher(key,PIN)

PIN is encrypted andtransmitted to bank

Crook #2 eavesdropson the wire and learnsciphertext correspondingto chosen plaintext PIN

… repeat for any PIN value

Page 18: Classical cryptography

Chosen-ciphertext attack

0 Given: (m1,c1), (m2,c2), …, (mk,ck), where c1, c2, …, ck are chosen by the adversary; and a new ciphertext c.

0 Q: what is the plaintext of c, or what is the secret key?

IFETCE/M.E CSE/NE7202-NIS/Unit 2 Slide #9-18

Page 19: Classical cryptography

Basis for Attacks

0 Mathematical attacks0 Based on analysis of underlying mathematics

0 Statistical attacks0 Make assumptions about the distribution of letters,

pairs of letters (digrams), triplets of letters (trigrams), etc.0Called models of the language

0 Examine ciphertext, correlate properties with the assumptions.

IFETCE/M.E CSE/NE7202-NIS/Unit 2 Slide #9-19

Page 20: Classical cryptography

Statistical Attack

0 Compute frequency of each letter in ciphertext:G 0.1 H 0.1 K 0.1 O 0.3

R 0.2 U 0.1 Z 0.1

0 Apply 1-gram model of English0 Frequency of characters (1-grams) in English is on next

slide

IFETCE/M.E CSE/NE7202-NIS/Unit 2 Slide #9-20

Page 21: Classical cryptography

Cryptology

CRYPTOLOGY

CRYPTOGRAPHY CRYPTANALYSIS

Private Key(Secret Key)

Public Key

Block Cipher Stream Cipher Integer Factorization

Discrete Logarithm

Page 22: Classical cryptography

More Definitions

0 Unconditional security 0 no matter how much computer power is available, the

cipher cannot be broken since the ciphertext provides insufficient information to uniquely determine the corresponding plaintext

0 Computational security 0 given limited computing resources (eg time needed for

calculations is greater than age of universe), the cipher cannot be broken

Page 23: Classical cryptography

Cryptosystem

0 Quintuple (E, D, M, K, C)0 M set of plaintexts0 K set of keys0 C set of ciphertexts0 E set of encryption functions e: M K C0 D set of decryption functions d: C K M

IFETCE/M.E CSE/NE7202-NIS/Unit 2 Slide #9-23

Page 24: Classical cryptography

Example

0Example: Cæsar cipher0M = { sequences of letters }0K = { i | i is an integer and 0 ≤ i ≤ 25 }

0E = { Ek | k K and for all letters m,

Ek(m) = (m + k) mod 26 }

0D = { Dk | k K and for all letters c,

Dk(c) = (26 + c – k) mod 26 }

0C = M

IFETCE/M.E CSE/NE7202-NIS/Unit 2 Slide #9-24

Page 25: Classical cryptography

Ciphers0Symmetric cipher: same key used for

encryption and decryption

0Block cipher: encrypts a block of plaintext at a time

(typically 64 or 128 bits)

0Stream cipher: encrypts data one bit or one byte at

a time0Asymmetric cipher: different keys used for

encryption and decryptionIFETCE/M.E CSE/NE7202-NIS/Unit 2

25

Page 26: Classical cryptography

Classical Cryptography

0Sender, receiver share common key0Keys may be the same, or trivial to derive

from one another0Sometimes called symmetric cryptography

0Two basic types0Transposition ciphers0Substitution ciphers0Combinations are called product ciphers

IFETCE/M.E CSE/NE7202-NIS/Unit 2 Slide #9-26

Page 27: Classical cryptography

IFETCE/M.E CSE/NE7202-NIS/Unit 2 Slide #9-27

Page 28: Classical cryptography

Classical Ciphers

0Plaintext is viewed as a sequence of elements (e.g., bits or characters)

0Substitution cipher: replacing each element of the plaintext with another element.

0Transposition (or permutation) cipher: rearranging the order of the elements of the plaintext.

0Product cipher: using multiple stages of substitutions and transpositions

IFETCE/M.E CSE/NE7202-NIS/Unit 2

28

Page 29: Classical cryptography

Substitution Ciphers

0Change characters in plaintext to produce ciphertext

0Monoalphabetic Substitution0 Each plaintext character is mapped onto a unique

character of a ciphertext.

0Polyalphabetic Substitution0 Each plaintext character can be mapped onto m

alphabetic characters of a ciphertext.

IFETCE/M.E CSE/NE7202-NIS/Unit 2 Slide #9-29

Page 30: Classical cryptography

Monoalphabetic Ciphers

0Shift Cipher(Ceaser)0Substitution Cipher0Affine Cipher0Hill Cipher

IFETCE/M.E CSE/NE7202-NIS/Unit 2 Slide #9-30

Page 31: Classical cryptography

1.Caesar Cipher

0 Earliest known substitution cipher0 Invented by Julius Caesar 0 Each letter is replaced by the letter three positions further

down the alphabet.Plain: a b c d e f g h i j k l m n o p q r s t u v w x y z

Cipher: D E F G H I J K L M N O P Q R S T U V W X Y Z A B C0 Example: ohio state RKLR VWDWH

IFETCE/M.E CSE/NE7202-NIS/Unit 2 Slide #9-31

Page 32: Classical cryptography

Caesar Cipher

0Mathematically, map letters to numbers:a, b, c, ..., x, y, z

0, 1, 2, ..., 23, 24, 25

0Then the general Caesar cipher is:c = EK(p) = (p + k) mod 26

p = DK(c) = (c – k) mod 26

0Can be generalized with any alphabet.

IFETCE/M.E CSE/NE7202-NIS/Unit 2 Slide #9-32

Page 33: Classical cryptography

Cryptanalysis of Caesar Cipher

0Only have 26 possible ciphers 0 A maps to A,B,..Z

0Could simply try each in turn 0A brute force search 0Given ciphertext, just try all shifts of letters0Do need to recognize when have plaintext0Eg. break ciphertext "GCUA VQ DTGCM"

IFETCE/M.E CSE/NE7202-NIS/Unit 2 Slide #9-33

Page 34: Classical cryptography

2.Monoalphabetic Cipher

0Shuffle (jumble) the letters arbitrarily 0Each plaintext letter maps to a different

random ciphertext letter 0Hence key is 26 letters long

Plain letters: abcdefghijklmnopqrstuvwxyz

Cipher letters: DKVQFIBJWPESCXHTMYAUOLRGZN

Plaintext: ifwewishtoreplaceletters

Ciphertext: WIRFRWAJUHYFTSDVFSFUUFYA

IFETCE/M.E CSE/NE7202-NIS/Unit 2 Slide #9-34

Page 35: Classical cryptography

Monoalphabetic Cipher Security

0Now have a total of 26! = 4 x 1026 keys 0With so many keys, might think is secure

0But not secure against some cryptanalytic attacks.

0Problem is language characteristics

IFETCE/M.E CSE/NE7202-NIS/Unit 2 Slide #9-35

Page 36: Classical cryptography

Language Statistics and Cryptanalysis

0Human languages are not random.

0Letters are not equally frequently used.

0In English, E is by far the most common letter, followed by T, R, N, I, O, A, S.

0Other letters like Z, J, K, Q, X are fairly rare.

0There are tables of single, double & triple letter frequencies for various languages

IFETCE/M.E CSE/NE7202-NIS/Unit 2 Slide #9-36

Page 37: Classical cryptography

English Letter Frequencies

IFETCE/M.E CSE/NE7202-NIS/Unit 2 Slide #9-37

Page 38: Classical cryptography

Statistics for double & triple letters

0 In decreasing order of frequency

0 Double letters:

th he an in er re es on, …

0 Triple letters:

the and ent ion tio for nde, …

IFETCE/M.E CSE/NE7202-NIS/Unit 2 Slide #9-38

Page 39: Classical cryptography

Use in Cryptanalysis0 Key concept - monoalphabetic substitution ciphers do not

change relative letter frequencies 0 To attack, we

0 calculate letter frequencies for ciphertext0 compare this distribution against the known one

0 If caesar cipher look for common peaks/troughs 0 peaks at: A-E-I triple, NO pair, RST triple0 troughs at: JK, X-Z

0 For monoalphabetic must identify each letter0 tables of common double/triple letters help

IFETCE/M.E CSE/NE7202-NIS/Unit 2 Slide #9-39

Page 40: Classical cryptography

Example Cryptanalysis

0Given ciphertext:UZQSOVUOHXMOPVGPOZPEVSGZWSZOPFPESXUDBMETSXAIZVUEPHZHMDZSHZOWSFPAPPDTSVPQUZWYMXUZUHSXEPYEPOPDZSZUFPOMBZWPFUPZHMDJUDTMOHMQ

0Count relative letter frequencies 0Guess P & Z are e and t0Guess ZW is th and hence ZWP is the0Proceeding with trial and error finally get:

it was disclosed yesterday that several informal butdirect contacts have been made with politicalrepresentatives of the viet cong in moscow

IFETCE/M.E CSE/NE7202-NIS/Unit 2 Slide #9-40

Page 41: Classical cryptography

3.Playfair Cipher

Not even the large number of keys in a monoalphabetic cipher provides security

One approach to improving security was to encrypt multiple letters

Playfair Cipher was invented by Charles Wheatstone in 1854, but named after his friend Baron Playfair

IFETCE/M.E CSE/NE7202-NIS/Unit 2 Slide #9-41

Page 42: Classical cryptography

Playfair Key Matrix

0A 5X5 matrix of letters based on a keyword 0Fill in letters of keyword (sans duplicates) 0Fill rest of matrix with other letters0Eg. using the keyword MONARCHY

MM OO NN AA RR

CC HH YY BB DD

EE FF GG I/JI/J KK

LL PP QQ SS TT

UU VV WW XX ZZIFETCE/M.E CSE/NE7202-NIS/Unit 2 Slide #9-42

Page 43: Classical cryptography

Encrypting and Decrypting0Plaintext is encrypted two letters at a time

1. if a pair is a repeated letter, insert filler like 'X’

2. if both letters fall in the same row, replace each with letter to right (wrapping back to start from end)

3. if both letters fall in the same column, replace each with the letter below it (wrapping to top from bottom)

4. otherwise each letter is replaced by the letter in the same row and in the column of the other letter of the pair

IFETCE/M.E CSE/NE7202-NIS/Unit 2 Slide #9-43

Page 44: Classical cryptography

Security of Playfair Cipher

0Equivalent to a monoalphabetic cipher with an alphabet of 26 x 26 = 676 characters.

0Security is much improved over the simple monoalphabetic cipher.

0Widely used for many yearseg. by US & British military in WW1 and WW2

0Once thought to be unbreakable.0Actually, it can be broken, because it still

leaves some structure of plaintext intact.

IFETCE/M.E CSE/NE7202-NIS/Unit 2 Slide #9-44

Page 45: Classical cryptography

Polyalphabetic Substitution Ciphers

0A sequence of monoalphabetic ciphers (M1, M2, M3, ..., Mk) is used in turn to encrypt letters.

0A key determines which sequence of ciphers to use.

0Each plaintext letter has multiple corresponding ciphertext letters.

0This makes cryptanalysis harder since the letter frequency distribution will be flatter.

IFETCE/M.E CSE/NE7202-NIS/Unit 2 Slide #9-45

Page 46: Classical cryptography

1.Vigenère Cipher

0Simplest polyalphabetic substitution cipher0Effectively multiple caesar ciphers

0Key is multiple letters long K = k1 k2 ... kd

0ith letter specifies ith alphabet to use 0Use each alphabet in turn 0Repeat from start after d letters in message0Decryption simply works in reverse

IFETCE/M.E CSE/NE7202-NIS/Unit 2 Slide #9-46

Page 47: Classical cryptography

IFETCE/M.E CSE/NE7202-NIS/Unit 2 Slide #9-47

Page 48: Classical cryptography

Example of Vigenère Cipher

0Keyword: deceptivekey: deceptivedeceptivedeceptive

plaintext: wearediscoveredsaveyourself

ciphertext: ZICVTWQNGRZGVTWAVZHCQYGLMGJ

IFETCE/M.E CSE/NE7202-NIS/Unit 2 Slide #9-48

Page 49: Classical cryptography

Security of Vigenère Ciphers0There are multiple ciphertext letters corresponding

to each plaintext letter.0So, letter frequencies are obscured but not totally

lost.0To break Vigenere cipher:

1. Try to guess the key length. How?

2. If key length is N, the cipher consists of N Caesar ciphers. Plaintext letters at positions k, N+k, 2N+k, 3N+k, etc., are encoded by the same cipher.

3. Attack each individual cipher as before.IFETCE/M.E CSE/NE7202-NIS/Unit 2 Slide #9-49

Page 50: Classical cryptography

Guessing the Key Length0Main idea: Plaintext words separated by multiples

of the key length are encoded in the same way. 0In our example, if plaintext = “…thexxxxxxthe…”

then “the” will be encrypted to the same ciphertext words.

0So look at the ciphertext for repeated patterns.0E.g. repeated “VTW” in the previous example

suggests a key length of 3 or 9: ciphertext: ZICVTWQNGRZGVTWAVZHCQYGLMGJ

0Of course, the repetition could be a random fluke.0Then attack each monoalphabetic cipher

individually using same techniques as before

IFETCE/M.E CSE/NE7202-NIS/Unit 2 Slide #9-50

Page 51: Classical cryptography

2.Vernam Cipher

0 Ultimate defense is to use a key as long as the plaintext with no statistical relationship to it

0 Invented by AT&T engineer Gilbert Vernam in 19180 Originally proposed using a very long but eventually

repeating key

IFETCE/M.E CSE/NE7202-NIS/Unit 2 Slide #9-51

Page 52: Classical cryptography

3.One-Time Pad

0If a truly random key as long as the message is used, the cipher will be secure

0Called as One-Time pad0It is unbreakable since ciphertext bears no

statistical relationship to the plaintext0Since for any plaintext & any ciphertext there

exists a key mapping one to other0Can use the key only once though0Problems in generation & safe distribution of key

IFETCE/M.E CSE/NE7202-NIS/Unit 2 Slide #9-52

Page 53: Classical cryptography

4.Rotor Cipher Machines0 Before modern ciphers, rotor machines were most common

complex ciphers in use.

0 Widely used in WW2.

0 Used a series of rotating cylinders.

0 Implemented a polyalphabetic substitution cipher of period K.

0 With 3 cylinders, K = 263 =17,576.

0 With 5 cylinders, K = 265 =12 x 106.

0 What is a key?0 If the adversary has a machine0 If the adversary doesn’t have a machine

IFETCE/M.E CSE/NE7202-NIS/Unit 2 Slide #9-53

Page 54: Classical cryptography

IFETCE/M.E CSE/NE7202-NIS/Unit 2 54

Page 55: Classical cryptography

German secret setting sheets

IFETCE/M.E CSE/NE7202-NIS/Unit 2

DateWhich rotors to use (there were 10 rotors) Ring settingPlugboard setting

Slide #9-55

Page 56: Classical cryptography

The Rotors

IFETCE/M.E CSE/NE7202-NIS/Unit 2 Slide #9-56

Page 57: Classical cryptography

Enigma Rotor Machine

IFETCE/M.E CSE/NE7202-NIS/Unit 2 Slide #9-57

Page 58: Classical cryptography

Enigma Rotor Machine

IFETCE/M.E CSE/NE7202-NIS/Unit 2 Slide #9-58

Page 59: Classical cryptography

Transposition Ciphers

0Also called permutation ciphers.

0Shuffle the plaintext, without altering the actual letters used.

0Can recognise these since have the same frequency distribution as the original text

IFETCE/M.E CSE/NE7202-NIS/Unit 2 Slide #9-59

Page 60: Classical cryptography

1.Rail Fence cipher

0Write message letters out diagonally over a number of rows

0Then read off cipher row by row0Eg. write message out as:

m e m a t r h t g p r y e t e f e t e o a a t

0CiphertextMEMATRHTGPRYETEFETEOAAT

IFETCE/M.E CSE/NE7202-NIS/Unit 2 Slide #9-60

Page 61: Classical cryptography

2.Row Transposition Ciphers

0Plaintext is written row by row in a rectangle.

0Ciphertext: write out the columns in an order specified by a key.

Key: 3 4 2 1 5 6 7

Plaintext:

Ciphertext: TTNAAPTMTSUOAODWCOIXKNLYPETZ

IFETCE/M.E CSE/NE7202-NIS/Unit 2

a t t a c k po s t p o n e

d u n t i l tw o a m x y z

Slide #9-61

Page 62: Classical cryptography

Product Ciphers0Ciphers using substitutions or transpositions are

not secure because of language characteristics0Consider using several ciphers in succession to

make harder, but: 0 two substitutions make a more complex substitution 0 two transpositions make more complex transposition

0Uses a sequence of substitutions and transpositions0 Harder to break than just substitutions or transpositions

0This is a bridge from classical to modern ciphers

IFETCE/M.E CSE/NE7202-NIS/Unit 2 Slide #9-62

Page 63: Classical cryptography

Unconditional & Computational Security

0 A cipher is unconditionally secure if it is secure no matter how much resources (time, space) the attacker has.

0 A cipher is computationally secure if the best algorithm for breaking it will require so much resources (e.g., 1000 years) that practically the cryptosystem is secure.

0 All the ciphers we have examined are not unconditionally secure.

IFETCE/M.E CSE/NE7202-NIS/Unit 2 Slide #9-63

Page 64: Classical cryptography

An unconditionally Secure Cipher

IFETCE/M.E CSE/NE7202-NIS/Unit 2

1 2 3 4

1 2 3 4

1 2 3 4

Key = (random, )

Plaintext =

Cipherte

Vernam’s one-time pad cip

used one-time only

xt =

where

Can be proved to be unconditionally sec

her

ur . e

i i i

k k k k

m m m m

c c c c

c m k

Slide #9-64

Page 65: Classical cryptography

Classical to Modern Cryptography

0 Classical cryptography0 Encryption/decryption done by hand

0 Modern cryptography0 Computers to encrypt and decrypt0 Same principles, but automation allows ciphers to

become much more complex

IFETCE/M.E CSE/NE7202-NIS/Unit 2 Slide #9-65

Page 66: Classical cryptography

Summary

0 Classical Cryptography0 Substitution0 Transposition

IFETCE/M.E CSE/NE7202-NIS/Unit 2 Slide #9-66