Cryptography and Applications PHAM VAN HAU ( [email protected] ) SCHOOL OF COMPUTER SCIENCE AND ENGINEERING- INTERNATIONAL UNIVERSITY

Jan 21, 2018

Page 1: Cryptography and applications


Page 2: Cryptography and applications

The History of Cryptography

Cryptography has roots that begin around 2000 B.C. in Egypt

used to decorate tombs to tell the life story of the deceased

not so much about hiding the messages themselves; rather, the hieroglyphics were intended to make the life story seem more noble, ceremonial, and majestic

Page 3: Cryptography and applications

Some Basic Terminology

plaintext - original message

ciphertext - coded message

cipher - algorithm for transforming plaintext to ciphertext

key - info used in cipher known only to sender/receiver

encipher (encrypt) - converting plaintext to ciphertext

decipher (decrypt) - recovering plaintext from ciphertext

cryptography - study of encryption principles/methods

cryptanalysis (codebreaking) - study of principles/methods of deciphering ciphertext without knowing key

cryptology - field of both cryptography and cryptanalysis


Page 4: Cryptography and applications

Classical Substitution Ciphers

where letters of plaintext are replaced by other letters or by numbers or symbols

or if plaintext is viewed as a sequence of bits, then substitution involves replacing plaintext bit patterns with ciphertext bit patterns


Page 5: Cryptography and applications

Caesar Cipher

earliest known substitution cipher

by Julius Caesar

first attested use in military affairs

replaces each letter by 3rd letter on

a b c d e f g h i j k l m n o p q r s t u v w x y z
D E F G H I J K L M N O P Q R S T U V W X Y Z A B C

example:

meet me after the toga party

PHHW PH DIWHU WKH WRJD SDUWB


Page 6: Cryptography and applications

Caesar Cipher mathematically

give each letter a number

a b c d e f g h i j k l m n o p q r s t u v w x y z
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25

then have Caesar cipher as:

c = E(p) = (p + k) mod 26

p = D(c) = (c - k) mod 26


Page 7: Cryptography and applications

Cryptanalysis of Caesar Cipher

only have 26 possible ciphers

A maps to A,B,..Z

could simply try each in turn

given ciphertext, just try all shifts of letters

do need to recognize when have plaintext

eg. break ciphertext "GCUA VQ DTGCM"
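The shift cipher of the last three slides and the exhaustive 26-key search, as an added example that is not part of the lecture notes; the small COMMON_WORDS list standing in for a dictionary is a constructed assumption:

```python
# Added example (not from the slides): Caesar cipher c = (p + k) mod 26,
# plus the exhaustive 26-shift search from the "Cryptanalysis" slide.
# Letters are handled in upper case; spaces and punctuation pass through.

def caesar_encrypt(plaintext, k):
    """Shift every letter k positions forward (k = 3 is Caesar's own key)."""
    out = []
    for ch in plaintext.upper():
        if "A" <= ch <= "Z":
            p = ord(ch) - ord("A")
            out.append(chr((p + k) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)

def caesar_decrypt(ciphertext, k):
    """p = (c - k) mod 26, i.e. encryption with the negated key."""
    return caesar_encrypt(ciphertext, -k)

# Constructed stand-in for a dictionary, used to recognise plaintext.
COMMON_WORDS = {"THE", "TO", "ME", "MEET", "AFTER", "PARTY", "EASY", "BREAK",
                "AND", "IS", "OF", "A"}

def break_caesar(ciphertext):
    """Try all 26 keys; return (key, plaintext) scoring most dictionary hits."""
    best = (0, ciphertext, -1)
    for k in range(26):
        candidate = caesar_decrypt(ciphertext, k)
        score = sum(1 for word in candidate.split() if word in COMMON_WORDS)
        if score > best[2]:
            best = (k, candidate, score)
    return best[0], best[1]

if __name__ == "__main__":
    print(caesar_encrypt("meet me after the toga party", 3))
    print(break_caesar("GCUA VQ DTGCM"))
```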


Page 8: Cryptography and applications

More substitution ciphers

Mono-alphabetic Cipher

Playfair Cipher

Polyalphabetic Cipher

◦ Vigenère Cipher

◦ Autokey Cipher

◦ One Time Pad

Page 9: Cryptography and applications

Transposition Ciphers

now consider classical transposition or permutation ciphers

these hide the message by rearranging the letter order

without altering the actual letters used

can recognise these since have the same frequency distribution as the original text


Page 10: Cryptography and applications

Row Transposition Ciphers

a more complex transposition

write letters of message out in rows over a specified number of columns

then reorder the columns according to some key before reading off the rows

Key:        4 3 1 2 5 6 7
Plaintext:  a t t a c k p
            o s t p o n e
            d u n t i l t
            w o a m x y z

Ciphertext: TTNAAPTMTSUOAODWCOIXKNLYPETZ
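The row transposition of this slide implemented for its key 4 3 1 2 5 6 7, as an added example that is not the lecture's own code; the frequency helper illustrates the previous slide's point that transposition leaves letter frequencies unchanged:

```python
# Added example (not from the slides): row transposition cipher with the
# slide's key 4 3 1 2 5 6 7. The message is written row by row across
# len(key) columns, then the columns are read out in the order the key gives
# (the column labelled 1 first, then 2, ...).

def _column_order(key):
    # position j of the returned list is the index of the column read j-th
    return sorted(range(len(key)), key=lambda col: key[col])

def row_transposition_encrypt(plaintext, key):
    text = "".join(ch for ch in plaintext.lower() if ch.isalpha())
    ncols = len(key)
    if len(text) % ncols:
        raise ValueError("pad the plaintext to a multiple of the key length")
    rows = [text[i:i + ncols] for i in range(0, len(text), ncols)]
    return "".join(row[col] for col in _column_order(key) for row in rows).upper()

def row_transposition_decrypt(ciphertext, key):
    ncols = len(key)
    nrows = len(ciphertext) // ncols
    cols = [""] * ncols
    for j, col in enumerate(_column_order(key)):
        cols[col] = ciphertext[j * nrows:(j + 1) * nrows]
    return "".join(cols[c][r] for r in range(nrows) for c in range(ncols)).lower()

def letter_frequencies(text):
    """Transposition keeps the plaintext's letter frequencies, which is how
    such ciphers are recognised (the "Transposition Ciphers" slide)."""
    counts = {}
    for ch in text.lower():
        if ch.isalpha():
            counts[ch] = counts.get(ch, 0) + 1
    return counts

if __name__ == "__main__":
    KEY = [4, 3, 1, 2, 5, 6, 7]
    c = row_transposition_encrypt("attack postponed until two am xyz", KEY)
    print(c, row_transposition_decrypt(c, KEY))
```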


Page 11: Cryptography and applications

Scytale Cipher

Around 400 B.C., the Spartans would write a message on a sheet of papyrus (a type of paper) that was wrapped around a staff (a stick or wooden rod), which was then delivered and wrapped around a different staff by the recipient. The message was only readable if it was wrapped around the correct size staff, which made the letters properly match up

Page 12: Cryptography and applications

Enigma Code Machine

http://www.youtube.com/watch?v=Hb44bGY2KdU

Page 13: Cryptography and applications

Product Ciphers

ciphers using substitutions or transpositions are not secure because of language characteristics

hence consider using several ciphers in succession to make harder, but:

two substitutions make a more complex substitution

two transpositions make more complex transposition

but a substitution followed by a transposition makes a new much harder cipher

this is bridge from classical to modern ciphers


Page 14: Cryptography and applications

Symmetric Cryptography

Page 15: Cryptography and applications

Block and Stream Ciphers

Block ciphers work on blocks of bits

Stream ciphers work on one bit at a time

Page 16: Cryptography and applications

Initialization Vectors

•Random values that are used with algorithms to ensure patterns are not created during the encryption process.

•(If IVs are not used, then two identical plaintext values that are encrypted with the same key will create the same ciphertext. )

•They are used with keys

•Do not need to be encrypted when being sent to the destination.

Page 17: Cryptography and applications

Key Distribution

• given parties A and B have various key distribution alternatives:

1. A can select key and physically deliver to B

2. third party can select & deliver key to A & B

3. if A & B have communicated previously can use previous key to encrypt a new key

4. if A & B have secure communications with a third party C, C can relay key between A & B

Page 18: Cryptography and applications

Strengths and Weaknesses

Strengths

Much faster (less computationally intensive) than asymmetric systems.

Hard to break if using a large key size.

Weaknesses

Requires a secure mechanism to deliver keys properly.

Each pair of users needs a unique key, so as the number of individuals increases, so does the number of keys, possibly making key management overwhelming.

Provides confidentiality but not authenticity or nonrepudiation

Page 19: Cryptography and applications

Types of Symmetric Systems

•Data Encryption Standard (DES)

•3DES (Triple DES)

•Blowfish

•Twofish

•IDEA (International Data Encryption Algorithm)

•RC4, RC5, RC6

•AES (Advanced Encryption Standard)

•SAFER (Secure and Fast Encryption Routine)

•Serpent

Page 20: Cryptography and applications

Asymmetric Cryptography

Page 21: Cryptography and applications

RSA

by Rivest, Shamir & Adleman of MIT in 1977

best known & widely used public-key scheme

based on exponentiation in a finite (Galois) field over integers modulo a prime

nb. exponentiation takes O((log n)^3) operations (easy)

uses large integers (eg. 1024 bits)

security due to cost of factoring large numbers

nb. factorization takes O(e^(log n log log n)) operations (hard)

Page 22: Cryptography and applications

Ideas...

Given a big number n and a message M (converted to an integer value), if we can choose e and d that satisfy the following conditions:

C = M^e mod n for all M < n

M = C^d mod n = M^(ed) mod n, or M^(ed) ≡ M mod n (denoting that M^(ed) is congruent to M modulo n)

It is infeasible to determine d given e and n.

Page 23: Cryptography and applications

How RSA Works

Given two primes p, q, and two integers m, n, such that n = p.q and 0 < m < n, and an arbitrary integer k. Because of Euler's Theorem:

– m^(ø(n)*k+1) ≡ m mod n (1)

in which the totient ø(n) of a positive integer n is defined to be the number of positive integers less than or equal to n that are coprime to n. ø(9)=6 since the six numbers 1, 2, 4, 5, 7 and 8 are coprime to 9

– We can have m^(ed) ≡ m mod n if ed = ø(n)*k+1, or ed ≡ 1 mod ø(n). According to the rules of modular arithmetic, this happens only if e (and therefore d) is relatively prime to ø(n), i.e. gcd(ø(n), e) = 1

– Since p, q are two primes, we have ø(n) = (p-1)(q-1), so it is easy to find e and d

Page 24: Cryptography and applications

RSA Key Setup

each user generates a public/private key pair by:

selecting two large primes at random - p, q

computing their system modulus n=p.q

note ø(n)=(p-1)(q-1)

selecting at random the encryption key e where 1<e<ø(n), gcd(e,ø(n))=1

solve following equation to find decryption key d

– e.d ≡ 1 mod ø(n) and 0 ≤ d ≤ n

publish their public encryption key: PU={e,n}

keep secret private decryption key: PR={d,n}

Page 25: Cryptography and applications

RSA Use

to encrypt a message M the sender:

obtains public key of recipient PU={e,n}

computes: C = M^e mod n, where 0 ≤ M < n

to decrypt the ciphertext C the owner:

uses their private key PR={d,n}

computes: M = C^d mod n

note that the message M must be smaller than the modulus n (block if needed)

Page 26: Cryptography and applications

RSA Example - Key Setup

• Select primes: p=17 & q=11

• Compute n = pq = 17 x 11 = 187

• Compute ø(n) = (p-1)(q-1) = 16 x 10 = 160

• Select e: gcd(e,160)=1; choose e=7

• Determine d: de ≡ 1 mod 160 and d < 160. Value is d=23 since 23 x 7 = 161 = 1 x 160 + 1

• Publish public key PU={7,187}

• Keep secret private key PR={23,187}

Page 27: Cryptography and applications

RSA Example - En/Decryption

sample RSA encryption/decryption is:

given message M = 88 (nb. 88<187)

encryption: C = 88^7 mod 187 = 11

decryption: M = 11^23 mod 187 = 88

Page 28: Cryptography and applications

RSA Security

possible approaches to attacking RSA are:

brute force key search (infeasible given big size of keys)

mathematical attacks (based on difficulty of computing ø(n), by factoring modulus n)

timing attacks (on running of decryption)

Page 29: Cryptography and applications

Factoring Problem

mathematical approach takes 3 forms:

factor n=p.q, hence compute ø(n) and then d

determine ø(n) directly and compute d

find d directly

currently believe all equivalent to factoring

Cryptanalysis has seen slow improvements over the years

currently assume 1024-2048 bit RSA is secure

ensure p, q of similar size and matching other constraints

Page 30: Cryptography and applications

Timing Attacks

developed by Paul Kocher in mid-1990’s

exploit timing variations in operations

eg. multiplying by small vs large number

or IF's varying which instructions executed

infer operand size based on time taken

RSA exploits time taken in exponentiation

countermeasures

use constant exponentiation time

add random delays

blind values used in calculations

Page 31: Cryptography and applications

Strengths and Weaknesses

Strengths

•Better key distribution than symmetric systems

•Better scalability than symmetric systems

•Can provide authentication and nonrepudiation

Weaknesses

•Works much more slowly than symmetric systems

•Mathematically intensive tasks

Page 32: Cryptography and applications

Key Management

public-key encryption helps address key distribution problems

have two aspects of this:

distribution of public keys

use of public-key encryption to distribute secret keys

Page 33: Cryptography and applications

Distribution of Public Keys

can be considered as using one of:

public announcement

publicly available directory

public-key authority

public-key certificates

Page 34: Cryptography and applications

Public Announcement

users distribute public keys to recipients or broadcast to community at large

eg. append PGP keys to email messages or post to news groups or email list

major weakness is forgery

anyone can create a key claiming to be someone else and broadcast it

until forgery is discovered can masquerade as claimed user

Page 35: Cryptography and applications

Publicly Available Directory

can obtain greater security by registering keys with a public directory

directory must be trusted with properties:

contains {name,public-key} entries

participants register securely with directory

participants can replace key at any time

directory is periodically published

directory can be accessed electronically

still vulnerable to tampering or forgery

Page 36: Cryptography and applications

Public-Key Authority

improve security by tightening control over distribution of keys from directory

has properties of directory

and requires users to know public key for the directory

then users interact with directory to obtain any desired public key securely

does require real-time access to directory when keys are needed

Page 37: Cryptography and applications

Public-Key Authority

Page 38: Cryptography and applications

Public-Key Certificates

certificates allow key exchange without real-time access to public-key authority

a certificate binds identity to public key

usually with other info such as period of validity, rights of use etc

with all contents signed by a trusted Public-Key or Certificate Authority (CA)

can be verified by anyone who knows the public-key authorities public-key

Page 39: Cryptography and applications

Public-Key Certificates

Page 40: Cryptography and applications

Public-key infrastructure (PKI)

A public-key infrastructure (PKI) is a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates

PKI is an arrangement that binds public keys with respective user identities by means of a certificate authority (CA)

Page 41: Cryptography and applications

Differences Between Symmetric and Asymmetric Systems

Attribute | Symmetric | Asymmetric
Keys | One key is shared between two or more entities. | One entity has a public key, and the other entity has the corresponding private key.
Key exchange | Out-of-band through secure mechanisms. | A public key is made available to everyone, and a private key is kept secret by the owner.
Speed | Algorithm is less complex and faster. | The algorithm is more complex and slower.
Use | Bulk encryption, which means encrypting files and communication paths. | Key distribution and digital signatures.
Security service provided | Confidentiality. | Authentication and nonrepudiation.

Page 42: Cryptography and applications

Types of Asymmetric Systems

The Diffie-Hellman Algorithm

RSA

El Gamal

Elliptic Curve Cryptosystems

LUC

Knapsack

Zero Knowledge Proof

Page 43: Cryptography and applications

Hybrid Encryption Methods

Page 44: Cryptography and applications

Public-Key Distribution of Secret Keys

use previous methods to obtain public-key

can use for secrecy or authentication

but public-key algorithms are slow

so usually want to use private-key encryption to protect message contents

hence need a session key

have several alternatives for negotiating a suitable session

Page 45: Cryptography and applications

Simple Secret Key Distribution

proposed by Merkle in 1979

A generates a new temporary public key pair

A sends B the public key and their identity

B generates a session key K, sends it to A encrypted using the supplied public key

A decrypts the session key and both use it

problem is that an opponent can intercept and impersonate both halves of protocol

Page 46: Cryptography and applications

Public-Key Distribution of Secret Keys

if have securely exchanged public-keys:

Page 47: Cryptography and applications

Hybrid Key Distribution

retain use of private-key KDC

shares secret master key with each user

distributes session key using master key

public-key used to distribute master keys

especially useful with widely distributed users

rationale

performance

backward compatibility

Page 48: Cryptography and applications

Diffie-Hellman Key Exchange

first public-key type scheme proposed

by Diffie & Hellman in 1976 along with the exposition of public key concepts

note: now know that Williamson (UK CESG) secretly proposed the concept in 1970

is a practical method for public exchange of a secret key

used in a number of commercial products

Page 49: Cryptography and applications

Diffie-Hellman Key Exchange

a public-key distribution scheme

cannot be used to exchange an arbitrary message

rather it can establish a common key

known only to the two participants

value of key depends on the participants (and their private and public key information)

based on exponentiation in a finite (Galois) field (modulo a prime or a polynomial) - easy

security relies on the difficulty of computing discrete logarithms (similar to factoring) – hard

Page 50: Cryptography and applications

Diffie-Hellman Setup

all users agree on global parameters:

large prime integer or polynomial q

a being a primitive root mod q

each user (eg. A) generates their key

chooses a secret key (number): xA < q

compute their public key: yA = a^xA mod q

each user makes public that key yA

Page 51: Cryptography and applications

Diffie-Hellman Key Exchange

shared session key for users A & B is KAB:

KAB = a^(xA.xB) mod q

= yA^xB mod q (which B can compute)

= yB^xA mod q (which A can compute)

KAB is used as session key in private-key encryption scheme between Alice and Bob

if Alice and Bob subsequently communicate, they will have the same key as before, unless they choose new public-keys

attacker needs an x, must solve discrete log

Page 52: Cryptography and applications

Diffie-Hellman Example

users Alice & Bob who wish to swap keys:

agree on prime q=353 and a=3

select random secret keys:

A chooses xA=97, B chooses xB=233

compute respective public keys:

– yA = 3^97 mod 353 = 40 (Alice)

– yB = 3^233 mod 353 = 248 (Bob)

compute shared session key as:

– KAB = yB^xA mod 353 = 248^97 mod 353 = 160 (Alice)

– KAB = yA^xB mod 353 = 40^233 mod 353 = 160 (Bob)
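The exchange of the last three slides with the slide's q=353, a=3, xA=97, xB=233, as an added example that is not the lecture's own code; it also checks that a is a primitive root and shows that the attacker's discrete-log problem is only trivial here because q is tiny:

```python
# Added example (not from the slides): Diffie-Hellman with the slide's
# q=353, a=3, xA=97, xB=233. The brute-force discrete log is O(q), which is
# feasible for q=353 and hopeless for the primes used in practice.

def dh_public(a, q, x):
    """y = a^x mod q, the value a participant publishes."""
    if not 1 <= x < q:
        raise ValueError("secret exponent must satisfy 1 <= x < q")
    return pow(a, x, q)

def dh_shared(y_other, q, x_own):
    """K = y_other^x_own mod q; equals a^(xA.xB) mod q on both sides."""
    return pow(y_other, x_own, q)

def dh_exchange(q, a, xA, xB):
    """Return (yA, yB, K as Alice computes it, K as Bob computes it)."""
    yA, yB = dh_public(a, q, xA), dh_public(a, q, xB)
    return yA, yB, dh_shared(yB, q, xA), dh_shared(yA, q, xB)

def is_primitive_root(a, q):
    """True if the powers of a hit every value 1..q-1 (q prime; small q only)."""
    return len({pow(a, k, q) for k in range(1, q)}) == q - 1

def discrete_log_bruteforce(y, a, q):
    """Recover x from y = a^x mod q by trying every exponent in turn."""
    for x in range(1, q):
        if pow(a, x, q) == y:
            return x
    return None

if __name__ == "__main__":
    print(dh_exchange(353, 3, 97, 233))         # (40, 248, 160, 160)
    print(is_primitive_root(3, 353))            # True
    print(discrete_log_bruteforce(40, 3, 353))  # 97
```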

Page 53: Cryptography and applications

Key Exchange Protocols

users could create random private/public D-H keys each time they communicate

users could create a known private/public D-H key and publish in a directory, then consulted and used to securely communicate with them

both of these are vulnerable to a man-in-the-middle attack

authentication of the keys is needed

Page 54: Cryptography and applications

Kerckhoffs’ Principle

Auguste Kerckhoffs published a paper in 1883 stating that

•the only secrecy involved with a cryptography system should be the key.

•algorithm should be publicly known.

•if security were based on too many secrets, there would be more vulnerabilities to possibly exploit.

Page 55: Cryptography and applications

Hash Functions

•condenses arbitrary message to fixed size: h = H(M)

•usually assume that the hash function is public and not keyed

•hash used to detect changes to message

•can use in various ways with message

•most often to create a digital signature

Page 56: Cryptography and applications

Requirements for Hash Functions

•can be applied to any sized message M

•produces fixed-length output h

•is easy to compute h=H(M) for any message M

•given h it is infeasible to find x s.t. H(x)=h (one-way property)

•given x it is infeasible to find y s.t. H(y)=H(x) (weak collision resistance)

•it is infeasible to find any x,y s.t. H(y)=H(x) (strong collision resistance)

Page 57: Cryptography and applications

Various Hashing Algorithms

MD2

MD4

MD5

SHA

SHA-1

SHA-2 family: SHA-256, SHA-384, and SHA-512

HAVAL

Tiger

Page 58: Cryptography and applications

Attacks Against One-Way Hash Functions

If the algorithm does produce the same value for two distinctly different messages, this is called a collision

An attacker can attempt to force a collision, which is referred to as a birthday attack

How many people must be in the same room for the chance to be greater than even that another person has the same birthday as you?

Answer: 253

How many people must be in the same room for the chance to be greater than even that at least two people share the same birthday?

Answer: 23
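The two birthday questions above computed exactly, as an added example that is not part of the lecture notes; the same arithmetic with 2^16 "days" shows how the birthday bound sizes a collision search against a toy 16-bit hash:

```python
# Added example (not from the slides): the two birthday questions computed
# exactly for 365 equally likely birthdays, and the same arithmetic applied
# to a toy 16-bit hash (65536 "days") to show why a collision search needs
# only about the square root of the output space.

def prob_someone_matches_you(people, days=365):
    """P(at least one of `people` others shares your birthday)."""
    return 1.0 - (1.0 - 1.0 / days) ** people

def prob_any_pair_matches(people, days=365):
    """P(at least two of `people` share a birthday) = 1 - P(all distinct)."""
    p_all_distinct = 1.0
    for i in range(people):
        p_all_distinct *= (days - i) / days
    return 1.0 - p_all_distinct

def smallest_group(prob_fn, days=365, threshold=0.5):
    """Smallest group size for which prob_fn exceeds the threshold."""
    n = 1
    while prob_fn(n, days) <= threshold:
        n += 1
    return n

if __name__ == "__main__":
    print(smallest_group(prob_someone_matches_you))          # 253
    print(smallest_group(prob_any_pair_matches))             # 23
    print(smallest_group(prob_any_pair_matches, days=2 ** 16))
```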

Page 59: Cryptography and applications

Message Authentication Code (MAC)

•generated by an algorithm that creates a small fixed-sized block

• depending on both message and some key

• like encryption though need not be reversible

•appended to message as a signature

•receiver performs same computation on message and checks it matches the MAC

•provides assurance that message is unaltered and comes from sender
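The MAC procedure of this slide, built with HMAC-SHA256 (the construction named on the next slide) from the Python standard library, as an added example that is not the lecture's own code; key and message are constructed sample values:

```python
# Added example (not from the slides): a MAC using HMAC-SHA256. The tag is
# appended to the message; the receiver recomputes it and compares with
# hmac.compare_digest, whose running time does not depend on where the two
# tags differ (compare the timing-attack slides).

import hashlib
import hmac

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes

def mac_tag(key, message):
    """Fixed-size block depending on both the message and the key."""
    return hmac.new(key, message, hashlib.sha256).digest()

def mac_send(key, message):
    """Append the MAC to the message, as a signature."""
    return message + mac_tag(key, message)

def mac_receive(key, packet):
    """Return the message if its MAC verifies under key, otherwise None."""
    if len(packet) < TAG_LEN:
        return None
    message, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    if not hmac.compare_digest(mac_tag(key, message), tag):
        return None
    return message

if __name__ == "__main__":
    key = b"constructed-demo-key"
    packet = mac_send(key, b"transfer 100 to account 42")
    print(mac_receive(key, packet))
    # same tag, altered message: verification fails
    print(mac_receive(key, b"transfer 900 to account 42" + packet[-TAG_LEN:]))
```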

Page 60: Cryptography and applications

HMAC

Page 61: Cryptography and applications

CBC-MAC

Page 62: Cryptography and applications

Cryptosystems

A cryptosystem is made up of at least the following:

•Software

•Protocols

•Algorithms

•Keys

Page 63: Cryptography and applications

Services of Cryptosystems

•Confidentiality Renders the information unintelligible except by authorized entities.

•Integrity Data has not been altered in an unauthorized manner since it was created, transmitted, or stored.

•Authentication Verifies the identity of the user or system that created information.

•Nonrepudiation Ensures that the sender cannot deny sending the message.

Page 64: Cryptography and applications

Digital signature for a message

Page 65: Cryptography and applications

Link Encryption vs. End-to-End Encryption

Link encryption encrypts all the data (except data link control messaging information) along a specific communication path, as in a satellite link, T3 line, or telephone circuit

end-to-end encryption happens within the applications

SSL encryption takes place at the transport layer.

Page 66: Cryptography and applications

HTTP Secure

HTTP Secure (HTTPS) is HTTP running over SSL (developed by Netscape)

SSL:

◦ it is not an open-community protocol

◦ works at the transport layer

◦ uses public key encryption

◦ provides data encryption, server authentication, message integrity, and optional client authentication

The open-community version of SSL is Transport Layer Security (TLS)

Page 67: Cryptography and applications

Pretty Good Privacy

•Freeware e-mail security program that was released in 1991

•PGP is a complete cryptosystem that uses cryptographic protection to protect e-mail and files.

•It can use RSA public key encryption for key management and the IDEA symmetric cipher for bulk encryption of data

•PGP uses “web of trust” in its key management approach

Page 68: Cryptography and applications

Secure Shell

SSH is a program and a set of protocols that work together to provide a secure tunnel between two computers.

The two computers go through a handshaking process and exchange (via Diffie-Hellman) a session key that will be used during the session to encrypt and protect the data sent

SSH should be used instead of Telnet, FTP, rlogin, rexec, or rsh

Page 69: Cryptography and applications

Internet Protocol Security (IPSec)

•IPSec uses two basic security protocols: Authentication Header (AH) and Encapsulating Security Payload (ESP).

•AH is the authenticating protocol

•ESP is an authenticating and encrypting protocol that uses cryptographic mechanisms to provide source authentication, confidentiality, and message integrity

•IPSec can work in one of two modes:

◦ transport mode, in which the payload of the message is protected

◦ tunnel mode, in which the payload and the routing and header information are protected

Page 70: Cryptography and applications

Attacks

Ciphertext-Only Attacks

Known-Plaintext Attacks

Chosen-Plaintext Attacks

Chosen-Ciphertext Attacks

Differential Cryptanalysis

Side-Channel Attacks

Replay Attacks

Page 71: Cryptography and applications

Steganography

an alternative to encryption

hides existence of message

using only a subset of letters/words in a longer message marked in some way

using invisible ink

hiding in graphic image or sound file

has drawbacks

high overhead to hide relatively few info bits


Page 72: Cryptography and applications

Example

Removing all but the last 2 bits of each color component produces an almost completely black image. Making that image 85 times brighter produces the image on the right hand-side.

Page 73: Cryptography and applications


Example 2: Letter of Recommendation

Jane S., a chief sub editor and editor, can always be found
hard at work in her cubicle. Jane works independently, without
wasting company time talking to colleagues. She never
thinks twice about assisting fellow employees, and she always
finishes given assignments on time. Often Jane takes extended
measures to complete her work, sometimes skipping
coffee breaks. She is a dedicated individual who has absolutely no
vanity in spite of her high accomplishments and profound
knowledge in her field. I firmly believe that Jane can be
classed as a high-caliber employee, the type which cannot be
dispensed with. Consequently, I duly recommend that Jane be
promoted to executive management, and a proposal will be
sent away as soon as possible.

Project Leader

(copied from http://gadgetopia.com/post/2278)