Crypt Analysis

8/4/2019 Crypt Analysis

1/52

Cryptography and Steganography

Dr. Abhijit Das

Department of Computer Science and Engineering

Indian Institute of Technology Kharagpur

Kharagpur 721302 India


2/52

Hash Functions


3/52

Hash Functions: Introduction

Input: A string (message) M of any length.

Output: A string of a fixed length. The output is calledthe hash-value or the hash of M.

The hash of a message is a short representative of the

message. Easy to compute.

Provide message compression.

Alternate names: Message digest, digital fingerprint andimprint.

May be used in conjunction with secret keys.


4/52

Hash Functions: Classification

Unkeyed hash function or modification detection

code (MDC): used to preserve integrity of message,i.e., to detect modification of the message by an activeadversary or by transmission errors.

Keyed hash function or message authenticationcode (MAC): used to authenticate the source of a

message (since secret keys are used to hash amessage) in addition to preserving integrity of themessage.


5/52

Hash Functions: Desirable Properties

Collision:A hash function H maps an infinite set to a

finite set and so there must exist messages x and xsuch that H(x) = H(x). Such a pair (x,x) of messages iscalled a collision for H.

First preimage resistance: Except for few hashvalues y, it should be difficult to find a message x suchthat H(x) = y.

Second preimage resistance: Given a message x, itshould be difficult to find another message x with theproperty that H(x) = H(x).

Collision resistance: It should be difficult to find twomessages x and x with H(x) = H(x).


6/52

Hash Functions: Design

Acompression function f maps strings of length m to

strings of length n. Let r = m - n.

Break the message M into blocks M1,M2,,Ml of length r.

Start with an initial hash value H0.

For k = 1,2,,l compute the next hash valueHk+1 = f (Hk|| Mk).

Output Hl+1

as the hash value H(M) of M.

If f has the desirable properties, then H too has those.

A symmetric cipher may be used for designing one-waycompression functions. Example: f (M || K) = DES

K(M)

maps 120-bit strings to 64-bit strings.


7/52

Hash Functions: Examples

Custom-designed hash functions work based on the

general principle described earlier.

The MD family: MD2, MD4 and MD5 (128-bit hash).

The SHA family: SHA-1 (160-bit), SHA-256 (256-bit),SHA-384 (384-bit) and SHA-512 (512-bit).

RIPEMD-128 (128-bit), RIPEMD-160 (160-bit).


8/52

Hash Functions: Examples

HMAC (a keyed hash function)

Notations:M = the message to be hashedH = an unkeyed hash function

K = key for HMACP,Q = short padding blocks (not secret).

HMAC(M) = H (K || P || H (K || Q || M)).

HMAC involves two calls of H.

HMAC is efficient, since the outer call involvescomputation of hash of a short message.


9/52

Hash Function: Attacks

Birthday attack: Let H be a hash function that

produce n-bit hash values. If about 2n/2 randommessages are hashed by H, then it is highly probablethat we have found two messages x and x satisfying

H(x) = H(x). The bit-size n of hash values should be at least as large

as 128. The values greater than or equal to 160 are

recommended. Other attacks:

Attacks on the compression function

Chaining attacksAttacks on the underlying block cipher


10/52

Digital Signatures


11/52

Digital Signatures: Introduction

Digital equivalent of hand-written signatures.

Bind pieces of digital data with particular entities.

Based on public-key technology.

Signing: The signer uses his private key d to sign. Difficulty of forging:An entity without knowledge of

this private key d cannot generate a valid signature on anew piece of data.

Verifying:Anybody having access to the signers publickey e can verify the signature.

Non-repudiation:An entity should not be allowed todeny valid signatures made by him.


12/52

Digital Signatures: Classification

Signature with appendix:A representative H(M) of

the message M is computed. The signing transformationis applied on H(M). Verification requires the message M.

Signature generation:

m = H(M)s = fs(m,d)Output the signed message (M,s).

Signature verification:Compute m = H(M)

Compute m = fv(s,e)If (m=m) output signature verified

else output signature not verified


13/52


Signature with message recovery: The signing

transformation is applied to the message itself. Theverification transformation retrieves the message.


Compute the signature s = fs(M,d) Signature verification:

Recover the message M = fv(s,e)

If M looks like a valid message,output signature verified

else

output signature not verified


14/52


Deterministic signatures: For a given message the

same signature is generated on every occasion thesigning algorithm is executed.

Probabilistic signatures: On different runs of the

signing algorithm different signatures are generated,even if the message remains the same.

Probabilistic signatures offer better protection against

some kinds of forgery. Deterministic signatures are of two types:

Multiple-use signatures: Slow. Parameters are used multiple

times.One-time signatures: Fast. Parameters are used only once.


15/52

Digital Signatures: Examples

RSA with appendix

Parameter selection:

Select two large primes p and q.Compute n = pq and (n) = (p - 1)(q - 1).Select a random integer e with gcd(e,(n)) = 1.

Compute an integer d satisfying ed = 1 (mod (n)).

Publish (e,n) as the verification key.Keep d secret as the signing key.


16/52



Generate the short representative m = H(M) of M.Sign m as s = md (mod n).Output (M,s) as the signed message.

Signature verification:Generate the short representative m = H(M) of M.Invert signature as m = se (mod n).

If (m = m), output signature verified,else output signature not verified.

Forging: If any key other than d is used to sign m, the

equality m = m will not be satisfied. So forging RSAsignatures is as difficult as knowing d.


17/52


RSA with message recovery

Parameter selection: Same as before.

Signature generation:Compute s = Md (mod n).

Output the signature s.

Signature verification:Compute M = se (mod n).

If M is a valid message, output signature verified,else output signature not verified.

Forging: If any key other than d is used to generate s,

the recovered message M will almost certainly look likea meaningless sequence of symbols.


18/52


Rabin Signature ElGamal signature

Schnorr signature

Nyberg-Rueppel signature

Digital signature algorithm (DSA)

Elliptic curve version of DSA (ECDSA)

XTR signature

NTRUSign

. . .


19/52

Digital Signatures: Blind Signatures

The signer is not allowed to know the message to sign.

Still his active participation is necessary for signing. Blind RSA signature:

Parameter generation:As before.

Signature generation:A generates a random integer k coprime to n.A blinds m as m* = mke (mod n).B signs s* = (m*)d (mod n).

A retrieves Bs signature s = s*k-1 (mod n).

Signature verification:As before.


20/52

Digital Signatures: Undeniable

Signatures

An active participation of the signer is necessary duringsignature verification.

A signer is not allowed to deny a legitimate signaturemade by him.

An undeniable signature comes with a denial ordisavowal protocol that generates one of the followingthree outputs:

Signature verified

Signature forged

The signer is trying to deny his signature by not properly

participating in the protocol.


21/52

Digital Signatures: Attacks

Total break: An attacker knows the signing key or has

a function that is equivalent to the signature generationtransformation.

Selective forgery:An attacker can generatesignatures (without the participation of the legitimatesigner) on a set of messages chosen by the attacker.

Existential forgery: The attacker can generatesignatures on certain messages over which the attacker

has no control.


22/52

Digital Signatures: Attacks

Key-only attack: The attacker knows only the

verification (public) key of the signer. This is the mostdifficult attack to mount.

Known-message attack: The attacker knows some

messages and the signatures of the signer on thesemessages.

Chosen-message attack: This is similar to the known-

message attack except that the messages for which thesignatures are known are chosen by the attacker.

Adaptive chosen-message attack: The messages to

be signed are adaptively chosen by the attacker.


23/52

Digital Certificates


24/52

Digital Certificates: Introduction

Bind public-keys to entities.

Required to establish the authenticity of public keys.

Guard against malicious public keys.

Promote confidence in using others public keys.

Require a Certification Authority (CA) whom every entityover a network can believe. Typically, a governmentorganization or a reputed company can be a CA.

In case a certificate is compromised, one requires torevoke it.

A revoked certificate cannot be used to establish the

authenticity of a public key.


25/52

Digital Certificates: Contents

A digital certificate contains particulars about the entity

whose public key is to be embedded in the certificate. Itcontains:

Name, address and other personal details of the entity.

The public key of the entity. The key pair may be generated byeither the entity or the CA. If the CA generates the key pair,then the private key is handed over to the entity by trustedcouriers.

The certificate is digitally signed by the private key ofthe CA.

If signatures are not forgeable, nobody other than the

CA can generate a valid certificate for an entity.


26/52

Digital Certificates: Revocation

A certificate may become invalid due to several reasons:

Expiry of the certificate

Possible or suspected compromise of the entitys private key

An invalid certificate is revoked by the CA.

The CA maintains a list of revoked certificates theCertificate Revocation List (CRL).

An entity A willing to use Bs public key looks up the

certificate for Bs public key. If the CAs signature isverified on this certificate and if the certificate is notfound in the CRL, then A gains the desired confidence to

use Bs public key.


27/52

Steganography


28/52

Steganography: Introduction

Literally means covered writing (Greek).

Hiding messages in innocent media.

May be used in conjunction with cryptography, i.e., themessage may be encrypted before hiding.

An encrypted message arouses suspicion duringtransmission. A hidden message is invisible and is notexpected to arouse suspicion.

Digital watermarking embeds copyright, ownership,license and similar information in a medium. It isdifferent from steganography only in the intent of

hiding. They share same operational and functionalbehaviors.


29/52

Steganography: History

Shave the messengers head, tattoo the secret message,

allow hair to grow and then send the messenger. Whenthe messenger reaches the destination, his head can beshaved once again in order to see the hidden message.

German spy sent this message during World War II:

Apparently neutrals protest is thoroughly discounted and ignored.Isman hard hit. Blockade issue affects pretext for embargo on by-products, ejecting suets and vegetable oils.

Extracting second letters from the words gives:

Pershing sails from NY June I.


30/52

Steganography: Terminology

Formula:

Cover-medium + embedded message + Stego-key= Stego-medium.

Multimedia files are good covers for hiding messages:

ImagesSound files

Movies

Binary filesText files

We will concentrate on embedding messages in image

files. The media are then called cover-image andstego-image.


31/52

Steganography: Image Files

Size of an image is determined by pixels. A pixel is an

instance of color.A color can be specified by the primary components:

Red, Green and Blue. Each component is represented by

a byte (an 8-bit value between 0 and 255).Example: 00 00 00 is black, FF 00 00 is red, FF FF 00 isyellow, and FF FF FF is white.

Each pixel can be represented by an 8-bit value (GIF) ora 24-bit value (JPEG, BMP).

The image data is usually compressed.

Lossless compression: The exact pixel values are stored.Lossy compression: Approximate pixel values are stored.


32/52

Steganography: Image Files

A GIF (Graphic Interchange Format) image is an 8-bit

image file. Supports at most 256 colors per image.

Color-map table: An index of 256 (or less) colors

occurring in the image. Each pixel is represented by an 8-bit value which refers

to the index of the color in the color-map table.

A JPEG (Joint Photography Experts Group) image is a24-bit image file that uses lossy compression based onthe discrete cosine transform (DCT).

Both GIF and JPEG formats use adaptations of theLempel-Ziv (LZ) compression algorithm.


33/52

Steganography: Methods

Least significant bit (LSB) insertion: Modify the LSB

of a pixel value based on the message to hide. Smallchanges in the pixel values cannot be noticed by humanobservers.

Properties:Simple to implement.

Compatible with lossless compression.

Better adapted to 24-bit images.Often works well with gray-scale images.

Causes expansion of the number of colors in an image.

Extremely vulnerable to image manipulations.


34/52


Masking and filtering: Marks the image in a non-

detectable manner, for example, by increasing theintensity subtly at certain locations of the image.Typically noisy and busy areas of an image are chosen

to hide the message.

Properties:

The hidden message is more integrated to the cover image.Robust against image manipulations like rotation, smoothing.

Multiple insertion of the hidden message makes stego-imagesrobust again cropping.

Can withstand some amount of compression.


35/52


Algorithms and transformation: These are the most

sophisticated hiding mechanism that use specialalgorithms to hide a message in an image. For example,the DCT algorithm may be exploited in order to hide a

message in a JPEG file. The DCT uses floating-pointcalculations with rounding-off errors and so thecompression is lossy. Suitably modifying the floatingpoint arithmetic may hide a message.

Properties:

Integrates the message in the image in the best way.

Most robust against image manipulation.

Compatible with lossy compression.


36/52

Steganography: LSB Example

Suppose we want to hide the letter C in a GIF image.

The ASCII value of C is 67, i.e., 01000011. Suppose that the first eight pixels of the GIF image are:

00110101 01001000 00101000 00110101

00101111 00011100 01001000 01001000 Modifying the LSBs corresponding to C gives:

00110100 01001001 00101000 00110100

00101110 00011100 01001001 01001001 Changes in the index values (in the color-map table)

may lead to easily detectable patterns in the image (for

example, a red spot in the blue sky). More sophisticated algorithms smooth out the patterns.


37/52

Steganography: Examples

StegoDos: handles 8-bit images, uses LSB insertion. Hide and Seek: LSB-based.

Hide4PGP: LSB-based.

S-Tools: LSB-based. SysCop: LSB-based.

White Noise Storm: LSB-based.

Mandelsteg: hides messages in a fractal image.

Jsteg-Jpeg: handles Jpeg images by manipulation ofDCT coefficients.


38/52

Steganography: Examples Text message to hide:

Steganography is the art and science of communicating in a way which hides the

existence of the communication. In contrast to cryptography, where the enemy isallowed to detect, intercept and modify messages without being able to violatecertain security premises guaranteed by a cryptosystem, the goal of steganographyis to hide messages inside other harmless messages in a way that does not allowany enemy to even detect that there is a second secret message present.

Cover image Stego image produced by StegoDos


39/52


Image file to hide:

Image of a major Soviet strategic bomber base


40/52


Cover image:

Pierre-Auguste Renoirs Le Moulin de la Galette.


41/52


Stego-image produced by White Noise Storm:


42/52


Stego-image produced by S-Tools:


43/52

Steganography: ExamplesWatermarked image obtained by masking:


44/52

Steganalysis


45/52

Steganalysis: Introduction

Steganalysis refers to the art of detecting and

rendering useless covert messages. Classification:

Stego-only attack: Only the stego-medium is available to the

attacker.Known-cover attack: Both the original cover medium and the

corresponding stego-medium are available.

Known-message attack: The hidden message and the stego-

medium are available.

Chosen-message attack: Similar to the known-message attackexcept that the message(s) are chosen by the attacker.

Adaptive chosen-message attack: Same as chosen-messageattack, but the messages are chosen adaptively.


46/52

Steganalysis: Detection of Hidden

Information

Looking for unusual features in a medium:

May be done by a human observer. Example: Red dot in animmaculately blue sky. Another example of a stego-imageproduced by Hide and Seek is given below:

Unusual features may be detected electronically. This isparticularly needed, because our eyes (and ears) are insensitiveto small variations. Examples: Slightly colored pixels in a gray-scale image, rapid change in pixel values in a small region.


47/52


Information

Search for signatures of known steganographicsoftware.

Look for obvious and repetitive patterns.

In a known-cover attack, one should compare theoriginal cover medium with the stego medium.

Image processing: Luminance defined as

L = (0.299 x R) + (0.587 x G) + (0.114 x B)

is a promising message detection parameter.


48/52


Information

S-Tools handles 8-bit images by first reducing the

number of colors in the original image to 32 and thenapplying LSB insertion. So many indexes of pixels differonly by one bit (the LSB). Therefore, the variance in

colors produced by normal images is usually muchlarger than stego-images produced by S-Tools.

Mandelsteg produces images with 256 palette entries

with two entries for each of 128 different colors. Hide and Seek produces images whose 8-bit color

values are multiples of 4. For example, the whitest color

in a stego image from this software has the RGB value252,252,252.


49/52

Steganalysis: Destroying Hidden

Information

Once existence of a hidden message is detected, it is

necessary to read it. This is not always easy, since thehidden message may be encrypted. The next best thingthat an attacker can do is to destroy the message.

Break the image I in two parts:I = v + t,

where t is threshold of human imperceptibility.

Choose some t in the region of human imperceptibilityand modify the image as:

I = v + t.

I and I look the same, but I has the hidden messagedistorted beyond recovery possibilities.


50/52

References


51/52

References: Cryptography

Alfred J Menezes, Paul C van Oorschot and Scott A Vanstone,

Handbook of Applied Cryptography, CRC Press, Fifth Printing(August 2001). ISBN: 0-8493-8523-7.http://www.cacr.math.uwaterloo.ca/hac/

William Stallings, Cryptography and Network Security, Pearson

Education, 2003. ISBN: 81-7808-902-5. Bruce Schneier, Applied Cryptography, John Wiley & Sons, Inc.

Asian edition 2002. ISBN: 9971-51-348-X.

Neal Koblitz, A Course in Number Theory and Cryptography(Graduate Texts in Mathematics, No 114), Springer-Verlag, 2ndedition (August 1, 1994). ISBN: 0-3879-4293-9.

A Das and C E Veni Madhavan, Book on public-key cryptography,

Forthcoming.


52/52

References: Steganography

Neil F Johnson, Zoran Duric, Sushil Jajodia, Information Hiding:Steganography and Watermarking - Attacks and Countermeasures,(Advances in Information Security, Volume 1), Kluwer AcademicPublishers, 2001. ISBN: 0-79237-204-2.

Stefan Katzenbeisser, Fabien A P Petitcolas (editors), InformationHiding Techniques for Steganography and Digital Watermarking,Artech House Books, January 2000. ISBN: 1-58053-035-4

Crypt Analysis

Documents