Cryptology
Jan 26, 2016
Some slides were adapted from a presentation by DJ Holub, by permission.
What I will talk about
History
Basic Cryptography
Public Key Cryptography
SSL
Certificates
Certificates, Servers, and Browsers
In the beginning, there were substitution ciphers.
One letter was substituted for another to transform plaintext into ciphertext
Sometimes the substitution involved a shift, as in:
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
T U V W X Y Z A B C D E F G H I J K L M N O P Q R S
Here the shift is K = 8.
(This is known as a Caesar cipher; Caesar used K = 3.)
Sometimes the substitution involved (apparently) random substitutions
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
G P H I L J A M N D K E R C B X Y S O T V F Z B W U
Each of 26 characters was used one-to-one, so letter frequency was not hidden. As a consequence, with each letter substitution you cracked, the remaining ones were easier to figure out.
Is a caesar cipher easy to decode?
Here is a ciphertext produced with a shift:
BUUBDLABUAEBXO
What is the corresponding plaintext? (Take a moment to examine this).
ATTACK AT DAWN
For K = 1.
(Caesar used K=3)
By brute-force attack, one could try all possible values of K (here a mere 26 choices) to decode a message.
A better method is to use a general table to define the substitution to be made:
For each letter in the plaintext, the table tells which letter to put in the ciphertext. For example:
ABCDEFGHIJKLMNOPQRSTUVWXYZ (and space)
THE QUICKBROWNFXJMPDVRLAZYG
Plaintext:  ATTACK AT DAWN
Ciphertext: HVVH OTHVTQHAF
Better than a Caesar cipher. (Why?)
There are 27! > 10^28 tables to try out!
In reality:
Simple substitution ciphers are easy to break:
• ‘E’ is the most frequent letter in English. Cryptanalysts get a good start by looking for the most frequent letter and replacing it with an ‘E’.
• Two-letter combinations can be taken into account: certain combinations (for example ‘QR’) never occur in English, while others (for example ‘ER’) are very common. By examining frequencies of combinations of letters, a substitution cipher can be broken.
Transposition ciphers have also been used
How do I know that:
trste heekle tcevo sreen aepsl rttye shstt eehhm ceas
actually says:
The only secrets are the secrets that keep themselves
I arranged the plaintext in rows of 10 characters and wrote the ciphertext from the columns.
Theonlysecretsarethesecretsthatkeepthemselves
Theonlysec
retsarethe
secretstha
tkeepthems
elves
trste heekle tcevo sreen aepsl rttye shstt eehhm ceas
Remember Mary Queen of Scots? She lost her head because she used this kind of cipher (and because a trusted servant turned out not to be trustworthy).
Many variations on substitution ciphers have been developed
Extra letters were thrown in to confuse
Blocks of letters were encoded
Each letter of a message was coded using a different substitution cipher
How to make attacks more difficult?
A small repeated key is used to determine the value of K for each letter. At each step, the key letter index is added to the plaintext letter index. This provides for a variable shift.
Key:        ABCABCABCABCAB
Plaintext:  ATTACK AT DAWN
Ciphertext: BVWBENACWAFDXP
For the last letter: ‘N’ = 14, ‘B’ = 2, ‘P’ = 2 + 14 = 16
Vigenere Cipher
Longer keys provide better ciphertext. (What if the length of the key = length of the Plaintext?)
Vigenere Cipher
Simple implementation:
To encrypt (produce ciphertext):
• XOR the key with the plaintext.
To decrypt (produce plaintext):
• XOR the key with the ciphertext.
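As an added example (not code from the original slides), the Vigenère scheme above with the slides' own indexing (space = 0, A = 1 ... Z = 26), so the key letter index is added to the plaintext index modulo 27; a one-letter key reduces it to the Caesar cipher from the earlier slide, and the XOR form is the "simple implementation" just described.

```python
# Added example, not from the slides: Vigenere with the slides' indexing
# (space = 0, A = 1 ... Z = 26); each key letter index is added to the
# plaintext letter index modulo 27. A one-letter key is the Caesar cipher.
ALPHABET = " ABCDEFGHIJKLMNOPQRSTUVWXYZ"   # index 0 is the space

def vigenere(text, key, decrypt=False):
    """Shift each character by the index of the repeating key letter."""
    out = []
    for i, ch in enumerate(text):
        k = ALPHABET.index(key[i % len(key)])
        shift = -k if decrypt else k
        out.append(ALPHABET[(ALPHABET.index(ch) + shift) % len(ALPHABET)])
    return "".join(out)

def xor_cipher(data, key):
    """The slides' 'simple implementation': XOR with the repeating key bytes.
    Encryption and decryption are the same operation; a random key as long as
    the message (and never reused) turns this into a one-time pad."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

if __name__ == "__main__":
    print(vigenere("ATTACK AT DAWN", "ABC"))                 # BVWBENACWAFDXP
    print(vigenere("BVWBENACWAFDXP", "ABC", decrypt=True))   # ATTACK AT DAWN
    print(vigenere("ATTACK AT DAWN", "A"))                   # BUUBDLABUAEBXO (K = 1)
    print(xor_cipher(xor_cipher(b"ATTACK AT DAWN", b"ABC"), b"ABC"))
```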
– Mary Queen of Scots might have kept her head if she had used a random list of letters (key) to encrypt her messages to Anthony Babington.
– How could Babington be sure the message actually came from Mary?
– How could Babington know what Mary was doing with the key to produce ciphertext from plaintext?
– How could she give Babington the same key without Thomas Morgan intercepting it?
– How could Babington be sure Mary's message was not changed in transit?
Modern Algorithms
Modern computer cryptographic algorithms are really just mathematical variations on the substitution/transformation schemes.
Three kinds of algorithms have emerged, each of which solves a different part of the problem:
– One-way hash algorithms, also known as message-digest and secure-hash algorithms, create a unique fingerprint for a document. If the document is modified in any way, even by one bit, it will generate a substantially different fingerprint.
– Symmetric encryption algorithms use a single key for encryption and decryption. They are fast, but are susceptible to key interception.
– Asymmetric encryption algorithms use a pair of keys. When one key is used to encrypt, the other key must be used to decrypt. PK algorithms are asymmetric. Asymmetric algorithms require very large keys (1024 and 2048 bits) and are slow in comparison to symmetric algorithms.
Public Key Cryptosystems
The key distribution problem is the most problematic, particularly in e-commerce and other commercial applications.
Use a ‘phone book’ of encryption keys: everyone’s encryption (public) key (call it P) is public knowledge.
I have mine on my personal home page.
For someone to send me a private message, they would look up my public key P and use it to encrypt the message.
Upon receipt, I decrypt it with my private (secret) key (call it S).
Public Key Cryptosystems
P = public key
S = secret (private) key
M = some message
For this system to work, at least the following conditions must be satisfied:
– S(P(M)) = M for every message M (fundamental cryptographic property)
– All (S, P) pairs are distinct (security)
– Deriving S from P is as hard as reading M (security)
– Both S and P are easy to compute (usability)
Public Key Cryptosystems
Scheme was outlined by Diffie and Hellman in 1976, but they had no method to satisfy all these conditions.
Soon afterwards, such a method was discovered by Rivest, Shamir, and Adleman. The scheme became known as the RSA public-key cryptosystem.
System is based on arithmetic algorithms performed on very large integers.
Public Key Cryptosystems
Encryption key P is the integer pair (N, p)
Decryption key S is the integer pair (N, s), where s is kept secret.
Numbers are intended to be very large (N ~ 200 digits and s, p ~ 100 digits)
Public Key Cryptosystems
The message is broken up into numbers < N (for example by taking log N bits at a time from the binary string corresponding to the character encoding of the message)
Then these numbers are raised to a power modulo N:
To encrypt a piece of a message M:
C = P(M) = M^p mod N
To decrypt a ciphertext C:
M = S(C) = C^s mod N
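As an added example (not code from the original slides), a toy RSA system in the slides' notation, P = (N, p) public and S = (N, s) secret, including the step of breaking the message into integers smaller than N; the primes are constructed and far too small for real use.

```python
# Added example, not from the slides: toy RSA in the slides' notation,
# P = (N, p) public and S = (N, s) secret, with tiny constructed primes so
# the arithmetic is visible. Real keys use N of about 200 digits.
from math import gcd

def make_keys(prime1, prime2, p=17):
    """Return (P, S). N is a product of two primes; s is the inverse of p
    modulo (prime1-1)*(prime2-1), which is what makes S(P(M)) = M hold."""
    n, phi = prime1 * prime2, (prime1 - 1) * (prime2 - 1)
    assert gcd(p, phi) == 1, "p must be coprime to phi for s to exist"
    s = pow(p, -1, phi)                 # modular inverse (Python 3.8+)
    return (n, p), (n, s)

def encrypt_block(public_key, m):
    """C = P(M) = M^p mod N, for one piece of the message with M < N."""
    n, p = public_key
    assert 0 <= m < n, "each piece of the message must be smaller than N"
    return pow(m, p, n)

def decrypt_block(secret_key, c):
    """M = S(C) = C^s mod N."""
    n, s = secret_key
    return pow(c, s, n)

def chunk_size(n):
    """Whole bytes per piece so that every piece is < N (about log2 N bits)."""
    return max(1, (n.bit_length() - 1) // 8)

def split_message(data, n):
    """Break the message into integers < N, as the slides describe."""
    size = chunk_size(n)
    return [int.from_bytes(data[i:i + size], "big")
            for i in range(0, len(data), size)]

def join_message(blocks, n, total_len):
    """Inverse of split_message; total_len recovers a short final piece."""
    size = chunk_size(n)
    return b"".join(b.to_bytes(min(size, total_len - i * size), "big")
                    for i, b in enumerate(blocks))

if __name__ == "__main__":
    P, S = make_keys(1009, 1013)        # N = 1022117, two bytes per piece
    msg = b"ATTACK AT DAWN"
    cipher = [encrypt_block(P, m) for m in split_message(msg, P[0])]
    recovered = [decrypt_block(S, c) for c in cipher]
    print(cipher, join_message(recovered, P[0], len(msg)))
```

Note that with these parameters equal pieces of plaintext always give equal ciphertext, the same weakness the substitution slides described; real deployments add randomised padding before exponentiation.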
Secure Socket Layers (SSL)
These four concepts lie at the core of SSL (Secure Socket Layers):
– Authentication of identity
– Selection of encryption algorithm
– Secure key exchange
– Integrity of the message
Authentication
The public key/private key pair
– A ciphertext encrypted with a public key can only be decrypted by the corresponding private key
– Babington would use Mary's public key to encrypt his messages to her
– Mary would have decrypted those messages with her private key
Handshake
Through a negotiation process known as a handshake, an SSL client and server authenticate their identities
Initiation by client (ClientHello)
The client always initiates the SSL connection and handshake
The client sends:
a random cookie
cipher suites it supports, in order by preference
Handshake (ct’d)
Reply by Server (ServerHello)
The server sends
a random cookie
the cipher suite it prefers among those listed in the ClientHello
Handshake (ct’d)
Authentication of identity
• The server presents its X.509 certificate (which contains its public key) to the client
• The server may, but usually does not, ask the client for its certificate (CertificateRequest)
• The server sends a ServerHelloDone
Client authenticates the server
• The client verifies that the certificate is in order and has been issued by an acceptable CA.
Selection of Encryption Algorithm
Selection of encryption algorithm
In its ClientHello, the client informed the server of the cipher suites (algorithms) it supports
In its ServerHello, the server indicated which of these it would like to use
The client either accepts that suite or proposes an alternate (ChangeCipherSpec)
If the client and server agree on a suite, they continue
Handshake
Session key exchange
• Using a random seed value (called a nonce) from the client and server, the client generates a random session key.
• The session key is used for message encryption using a symmetric algorithm
• Another (also generated) key is used for applying the Message Authentication Code (MAC) (a digest)
Handshake
The client sends a ChangeCipherSpec to indicate that it is ready to proceed using the negotiated cipher suite and keys
Both client and server send a Finished, which is the first message encrypted according to the negotiated cipher suite and keys
From this point forward, for each application message sent, SSL applies a MAC and then encrypts the message and MAC using the session key
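As an added example (not code from the original slides), a simulation of the handshake steps above: ClientHello and ServerHello with random cookies and suite selection, session and MAC keys derived from both nonces, and the MAC-then-encrypt record layer. The suite names are constructed, and the "symmetric cipher" is a stand-in (XOR with a hash-derived keystream), not a real suite.

```python
# Added example, not from the slides: simulates the handshake above; the cipher
# is a stand-in (XOR with a hash-derived keystream), not a real suite.
import hashlib
import hmac
import os

SERVER_PREFERENCE = ["STRONG-128", "MEDIUM-56", "EXPORT-40"]  # constructed names

def client_hello(suites):
    """ClientHello: a random cookie plus the supported suites, best first."""
    return {"random": os.urandom(32), "cipher_suites": list(suites)}

def server_hello(hello):
    """ServerHello: a random cookie plus the suite the server prefers among those offered."""
    for suite in SERVER_PREFERENCE:
        if suite in hello["cipher_suites"]:
            return {"random": os.urandom(32), "cipher_suite": suite}
    raise ValueError("no cipher suite in common")

def session_keys(client_random, server_random, premaster):
    """Session key and MAC key, derived identically by both sides from the nonces."""
    seed = client_random + server_random + premaster
    return hashlib.sha256(b"key" + seed).digest(), hashlib.sha256(b"mac" + seed).digest()

def _xor_stream(key, seq, data):
    # Stand-in for the negotiated symmetric cipher: XOR with a per-record keystream.
    stream = hashlib.shake_256(key + seq.to_bytes(8, "big")).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def protect(enc_key, mac_key, seq, message):
    """SSL record: apply the MAC first, then encrypt message and MAC together."""
    mac = hmac.new(mac_key, seq.to_bytes(8, "big") + message, "sha256").digest()
    return _xor_stream(enc_key, seq, message + mac)

def unprotect(enc_key, mac_key, seq, record):
    """Decrypt, split off the MAC and reject a record that was altered or replayed."""
    plain = _xor_stream(enc_key, seq, record)
    message, mac = plain[:-32], plain[-32:]
    expected = hmac.new(mac_key, seq.to_bytes(8, "big") + message, "sha256").digest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("MAC mismatch: record altered in transit")
    return message

def handshake(client_suites):
    """Negotiate a suite and derive the keys; returns (suite, (session_key, mac_key))."""
    ch = client_hello(client_suites)
    sh = server_hello(ch)
    premaster = os.urandom(48)   # real SSL sends this to the server under its public key P
    return sh["cipher_suite"], session_keys(ch["random"], sh["random"], premaster)
```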
SSL Complications (No longer a problem?)
The export of encryption products (software and hardware) is tightly controlled by the US government
The US government classifies cryptographic algorithms as munitions (like Bradley Fighting Vehicles) and restricts the key strength for export
The government only allows 40-bit keys in exported encryption software
Everything on the web is (potentially) exported
40-bit keys are not long enough for secure encryption (A graduate student at Cal broke RSA's 40-bit key in 4 hours.)
Revised export regulations have removed many restrictions
SSL Complications (No longer a problem?) – ct’d
SSL effectively requires RSA public key cryptography
SSL originally only supported RSA public key cryptography (PKC) and RSA encryption algorithms, effectively granting them a monopoly
RSA owns a patent on its PK algorithm in the U.S. and Canada.
Commercial secure web servers must license RSAREF or BSAFE to be legal in this country.
Until that patent expires, we are all ho$tage$
The minimum purchase for a complete, licensed SSL implementation that uses RSA algorithms is $15,000 + $7,000
Celebrate RSA Independence Day: September 20, 2000
Public Key Distribution
PKs are distributed in an X.509 certificate issued by a Certificating Authority (CA)
CA merely certifies that a public key belongs to a given entity, and that that entity owns the common name.
The secure server certificate itself is just a data record that contains:
• The public key issued to a single server
• Distinguished Name, which has subfields of common name, organization, organizational unit, city, country
• Expiration date
• Serial number
The CA "signs" the certificate (encrypted hash)
Browser Authentication of Server
When a browser receives a certificate, it verifies that:
• The common name matches the DNS entry exactly, and with MSIE, the server name
• It recognizes the CA that signed the certificate
• The CA actually signed the certificate. It does this by hashing the certificate, decrypting the "signature" with the CA's public key, and comparing the two.
Therefore, CAs must have certificates, and those certificates must be installed in the browser.
If an older browser doesn't accept the certificate:
• Netscape will complain but encrypt anyway
• IE will complain and not allow SSL
Certificate Chains
CAs also have certificates (usually several) which contain the public key they use to sign certificates
Who signs a CA certificate?
Each CA certificate chains to a "root" certificate.
• A CA may self-sign its own root certificate, as do VeriSign and Thawte.
• A CA may chain to another CA's root certificate, as Equifax does to Thawte.
A CA offers more than one kind of secure server certificate by having separate chains back to its root certificate.
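As an added example (not code from the original slides), the browser-side checks from the two preceding slides, common name, expiration, a recognised CA and a signature that decrypts under the CA's public key to the certificate hash, run over a constructed chain from a server certificate through an intermediate CA to a root installed in the browser. The CA key pairs are toy RSA values (61*53 and 101*103) constructed for this example; a real CA signs a padded full-length hash.

```python
# Added example, not from the slides: the browser checks listed above, run over a
# constructed chain (server -> intermediate CA -> root installed in the browser).
import hashlib

ROOT = {"N": 3233, "p": 17, "s": 2753}           # constructed toy CA key pairs
INTERMEDIATE = {"N": 10403, "p": 7, "s": 8743}   # (61*53 and 101*103): far too small for real use

def cert_hash(cert, n):
    """Hash every field except the signature, reduced to an integer below N."""
    body = repr(sorted((k, v) for k, v in cert.items() if k != "signature"))
    return int.from_bytes(hashlib.sha256(body.encode()).digest(), "big") % n

def sign(cert, ca_key):
    """The CA 'signs' by encrypting the certificate hash with its secret exponent s."""
    n = ca_key["N"]
    return {**cert, "signature": pow(cert_hash(cert, n), ca_key["s"], n)}

def signature_ok(cert, ca_public):
    """Decrypt the signature with the CA's public key and compare it with the hash."""
    n = ca_public["N"]
    return pow(cert["signature"], ca_public["p"], n) == cert_hash(cert, n)

def verify_server_cert(cert, hostname, today, trusted_roots, issuers):
    """Return the problems a browser would flag (an empty list means accepted)."""
    problems = []
    if cert["common_name"] != hostname:
        problems.append("common name does not match host")
    current = cert
    while True:                                   # follow the chain toward a root
        if today > current["not_after"]:
            problems.append(current["common_name"] + " expired")
        name = current["issuer"]
        issuer = issuers.get(name)                # an intermediate CA certificate, if any
        ca_key = trusted_roots.get(name) or (issuer and issuer["public_key"])
        if ca_key is None:
            problems.append("unknown CA: " + name)
        elif not signature_ok(current, ca_key):
            problems.append("signature by " + name + " invalid")
        if ca_key is None or name in trusted_roots:
            return problems
        current = issuer

def build_demo_chain(today):
    """Constructed certificates; dates are plain day numbers to keep the toy simple."""
    inter = sign({"common_name": "Example Intermediate CA", "issuer": "Example Root CA", "not_after": today + 3650,
                  "public_key": {"N": INTERMEDIATE["N"], "p": INTERMEDIATE["p"]}}, ROOT)
    server = sign({"common_name": "www.example.com", "issuer": "Example Intermediate CA", "serial": 1,
                   "public_key": {"N": 3233, "p": 17}, "not_after": today + 365}, INTERMEDIATE)
    return server, {inter["common_name"]: inter}, {"Example Root CA": {"N": ROOT["N"], "p": ROOT["p"]}}
```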
Demo of Public Key Encryption
Browser CA certificates
Example server certificate
PK cryptography demo
Links
www.gnupg.org (GNU Privacy Guard)
http://www.gpg4win.org/ (gpg for win32 with gui tools)