Cryptology Some slides were adapted from a presentation by DJ Holub. - by permission

Cryptology

Jan 26, 2016


deron

Transcript
Page 1: Cryptology

Cryptology

Some slides were adapted from a presentation by DJ Holub. - by permission

Page 2: Cryptology

What I will talk about

History

Basic Cryptography

Public Key Cryptography

SSL

Certificates

Certificates, Servers, and Browsers

Page 3: Cryptology

In the beginning, there were substitution ciphers.

One letter was substituted for another to transform plaintext into ciphertext

Sometimes the substitution involved a shift, as in:

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
T U V W X Y Z A B C D E F G H I J K L M N O P Q R S

Here the shift is K = 8.

(This is known as a Caesar cipher; Caesar used K = 3.)

Sometimes the substitution involved (apparently) random substitutions

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
G P H I L J A M N D K E R C B X Y S O T V F Z B W U

Each of 26 characters was used one-to-one, so letter frequency was not hidden. As a consequence, with each letter substitution you cracked, the remaining ones were easier to figure out.

Page 4: Cryptology

Is a Caesar cipher easy to decode?

Here is a ciphertext produced with a shift:

BUUBDLABUAEBXO

What is the corresponding plaintext? (Take a moment to examine this).

ATTACK AT DAWN

For K = 1.

(Caesar used K=3)

By brute-force attack, one could try all possible values of K (here a mere 26 choices) to decode a message.

Page 5: Cryptology

A better method is to use a general table to define the substitution to be made:

For each letter in the plaintext, the table tells which letter to put in the ciphertext. For example:

Plain:  " ABCDEFGHIJKLMNOPQRSTUVWXYZ"
Cipher: "THE QUICKBROWNFXJMPDVRLAZYG"

Plaintext: ATTACK AT DAWN
Ciphertext: HVVH OTHVTQHAF

Better than Caesar cipher. (Why?)

There are 27! > 10^28 tables to try out!!

Page 6: Cryptology

In reality:

Simple substitution ciphers are easy to break:

• ‘E’ is the most frequent letter in English. Cryptanalysts get a good start by looking for the most frequent letter and replacing it with an ‘E’.

• Two-letter combinations can be taken into account: certain combinations (for example ‘QR’) never occur in English, while others (for example ‘ER’) are very common. By examining frequencies of combinations of letters, a substitution cipher can be broken.

Page 7: Cryptology

Transposition ciphers have also been used

How do I know that:

trste heekle tcevo sreen aepsl rttye shstt eehhm ceas

actually says:

The only secrets are the secrets that keep themselves

Page 8: Cryptology

I arranged the plaintext in rows of 10 characters and wrote the ciphertext from the columns.

Theonlysec
retsarethe
secretstha
tkeepthems
elves

trste heekle tcevo sreen aepsl rttye shstt eehhm ceas
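The row-and-column procedure described above, as an added example that is not part of the original slides. The function names are hypothetical; the decryption side shows the one detail the slide leaves implicit, that a short last row makes the columns unequal in length.

```python
# Added example: columnar transposition with rows of a fixed width.
# Function names are hypothetical; only letters are kept, as on the slide.

def transpose_encrypt(plaintext, width):
    """Write the text in rows of `width`, then read it out column by column."""
    text = "".join(ch for ch in plaintext.lower() if ch.isalpha())
    return "".join(text[col::width] for col in range(width))


def transpose_decrypt(ciphertext, width):
    """Rebuild the grid; a short last row means the first columns are longer."""
    text = ciphertext.replace(" ", "")
    full_rows, extra = divmod(len(text), width)
    columns, pos = [], 0
    for col in range(width):
        length = full_rows + (1 if col < extra else 0)
        columns.append(text[pos:pos + length])
        pos += length
    rows = full_rows + (1 if extra else 0)
    # Read the grid back row by row, skipping cells the short row lacks.
    return "".join(
        columns[col][row]
        for row in range(rows)
        for col in range(width)
        if row < len(columns[col])
    )


# Values taken from the slides.
SLIDE_PLAINTEXT = "The only secrets are the secrets that keep themselves"
SLIDE_CIPHERTEXT = "trste heekle tcevo sreen aepsl rttye shstt eehhm ceas"

if __name__ == "__main__":
    print(transpose_encrypt(SLIDE_PLAINTEXT, 10))
    print(transpose_decrypt(SLIDE_CIPHERTEXT, 10))
```

The only secret here is the row width, so anyone holding the ciphertext can recover the text by trying each width in turn.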

Page 9: Cryptology

Remember Mary Queen of Scots? She lost her head because she used this kind of cipher (and because a trusted servant turned out not to be trustworthy).

Many variations on substitution ciphers have been developed

Extra letters were thrown in to confuse

Blocks of letters were encoded

Each letter of a message was coded using a different substitution cipher

Page 10: Cryptology

How to make attacks more difficult?

A small repeated key is used to determine the value of K for each letter. At each step, the key letter index is added to the plaintext letter index. This provides for a variable shift.

Key:        ABCABCABCABCAB
Plaintext:  ATTACK AT DAWN
Ciphertext: BVWBENACWAFDXP

‘N’ = 14

‘B’ = 2

‘P’ = 2 + 14 = 16

Vigenere Cipher

Longer keys provide better ciphertext. (What if the length of the key = length of the Plaintext?)
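The shift cipher from the earlier slide (K = 1) and the repeated-key cipher above are the same operation with different key lengths; the following added example, which is not part of the original slides, reproduces both ciphertexts and the brute-force search over K. It assumes the 27-symbol alphabet implied by the worked ciphertexts (space = 0, A = 1, ..., Z = 26); the function names are hypothetical.

```python
# Added example: shift and Vigenere ciphers over the slides' 27-symbol alphabet.
# The alphabet layout (space = 0, A = 1 ... Z = 26) is inferred from the
# worked ciphertexts on the slides; function names are hypothetical.
ALPHABET = " ABCDEFGHIJKLMNOPQRSTUVWXYZ"
INDEX = {ch: i for i, ch in enumerate(ALPHABET)}


def vigenere(text, key, decrypt=False):
    """Add (or subtract) the repeating key's letter indices modulo 27."""
    sign = -1 if decrypt else 1
    out = []
    for i, ch in enumerate(text):
        k = INDEX[key[i % len(key)]]
        out.append(ALPHABET[(INDEX[ch] + sign * k) % len(ALPHABET)])
    return "".join(out)


def shift(text, k, decrypt=False):
    """A shift (Caesar) cipher is the special case of a one-letter key."""
    return vigenere(text, ALPHABET[k % len(ALPHABET)], decrypt)


def brute_force_shift(ciphertext, known_words):
    """Try every K and keep the candidates that contain an expected word."""
    hits = []
    for k in range(len(ALPHABET)):
        candidate = shift(ciphertext, k, decrypt=True)
        if any(word in known_words for word in candidate.split()):
            hits.append((k, candidate))
    return hits


if __name__ == "__main__":
    print(shift("ATTACK AT DAWN", 1))
    print(vigenere("ATTACK AT DAWN", "ABC"))
    print(brute_force_shift("BUUBDLABUAEBXO", {"ATTACK", "DAWN"}))
```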

Page 11: Cryptology

Vigenere Cipher

Simple implementation:

To encrypt (produce ciphertext):

• XOR the key with the plaintext.

To decrypt (produce plain text):

• XOR the key with the ciphertext.

Page 12: Cryptology

– Mary Queen of Scots might have kept her head if she had used a random list of letters (key) to encrypt her messages to Anthony Babington.

– How could Babington be sure the message actually came from Mary?

– How could Babington know what Mary was doing with the key to produce ciphertext from plaintext?

– How could she give Babington the same key without Thomas Morgan intercepting it?

– How could Babington be sure Mary's message was not changed in transit?

Page 13: Cryptology

Modern Algorithms

Modern computer cryptographic algorithms are really just mathematical variations on the substitution/transformation schemes.

Three kinds of algorithms have emerged, each of which solves a different part of the problem

– One-way hash algorithms, also known as message-digest and secure-hash algorithms, create a unique fingerprint for a document. If the document is modified in any way, even by one bit, it will generate a substantially different fingerprint.

– Symmetric encryption algorithms use a single key for encryption and decryption. They are fast, but are susceptible to key interception.

– Asymmetric encryption algorithms use a pair of keys. When one key is used to encrypt, the other key must be used to decrypt. PK algorithms are asymmetric. Asymmetric algorithms require very large keys (1024 and 2048) and are slow in comparison to symmetric algorithms.

Page 14: Cryptology

Public Key Cryptosystems

Key distribution problem most problematic, particularly in e-commerce and other commercial applications.

Use a ‘phone book’ of encryption keys: everyone’s encryption (public) key (call it P) is public knowledge.

I have mine on my personal home page.

For someone to send me a private message, they would look up my public key P and use it to encrypt the message.

Upon receipt, I decrypt it with my private (secret) key (call it S).

Page 15: Cryptology

Public Key Cryptosystems

P = public key

S = secret (private) key

M = some message

For this system to work, at least the following conditions must be satisfied:

– S(P(M)) = M for every message M (fundamental cryptographic property)

– All (S, P) pairs are distinct (security)

– Deriving S from P is as hard as reading M (security)

– Both S and P are easy to compute (usability)

Page 16: Cryptology

Public Key Cryptosystems

Scheme was outlined by Diffie and Hellman in 1976, but they had no method to satisfy all these conditions.

Soon afterwards, such a method was discovered by Rivest, Shamir, and Adleman. The scheme was known as the RSA public-key cryptosystem.

System is based on arithmetic algorithms performed on very large integers.

Page 17: Cryptology

Public Key Cryptosystems

Encryption key P is the integer pair (N, p)

Decryption key S is the integer pair (N, s), where s is kept secret.

Numbers are intended to be very large (N~200 digits and s,p ~ 100 digits)

Page 18: Cryptology

Public Key Cryptosystems

The message is broken up into numbers < N (for example by taking log N bits at a time from the binary string corresponding to the character encoding of the message)

Then these numbers are raised to a power modulo N:

To encrypt a piece of a message M

C = P(M) = M^p mod N

To decrypt a ciphertext C:

M = S(C) = C^s mod N
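The two formulas above, carried through with the slides' symbols (N, p, s, M, C) as an added example that is not part of the original slides. The primes, the exponent 65537 and the function names are assumptions chosen for illustration; the numbers are far smaller than the sizes the slides call for.

```python
# Added example: block-wise exponentiation modulo N with the slides' symbols.
# The primes are small constructed values so the arithmetic stays readable.
from math import gcd

Q1, Q2 = 2_147_483_647, 2_305_843_009_213_693_951  # two Mersenne primes
N = Q1 * Q2
PHI = (Q1 - 1) * (Q2 - 1)
p = 65537                      # public exponent: P = (N, p)
assert gcd(p, PHI) == 1
s = pow(p, -1, PHI)            # secret exponent: S = (N, s); needs Python 3.8+

BLOCK_BYTES = (N.bit_length() - 1) // 8   # guarantees every block is < N


def to_blocks(message: bytes):
    """Break the message into integers smaller than N."""
    return [int.from_bytes(message[i:i + BLOCK_BYTES], "big")
            for i in range(0, len(message), BLOCK_BYTES)]


def encrypt(message: bytes):
    """C = P(M) = M^p mod N, applied to each block."""
    return [pow(m, p, N) for m in to_blocks(message)]


def decrypt(blocks, length):
    """M = S(C) = C^s mod N, then reassemble the original byte string."""
    out = b""
    for i, c in enumerate(blocks):
        size = min(BLOCK_BYTES, length - i * BLOCK_BYTES)
        out += pow(c, s, N).to_bytes(size, "big")
    return out


if __name__ == "__main__":
    ciphertext = encrypt(b"ATTACK AT DAWN")
    print(ciphertext)
    print(decrypt(ciphertext, len(b"ATTACK AT DAWN")))
```

Exponentiation with no randomized padding is deterministic, so equal blocks always produce equal ciphertext; deployed RSA adds padding such as OAEP for that reason.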

Page 19: Cryptology

Secure Sockets Layer (SSL)

These four concepts lie at the core of SSL (Secure Sockets Layer):

– Authentication of identity

– Selection of encryption algorithm

– Secure key exchange

– Integrity of the message

Page 20: Cryptology

Authentication

The public key/private key pair

– A ciphertext encrypted with a public key can only be decrypted by the corresponding private key

– Babington would use Mary's public key to encrypt his messages to her

– Mary would have decrypted those messages with her private key

Page 21: Cryptology

Handshake

Through a negotiation process known as a handshake, an SSL client and server authenticate their identities

Initiation by client (ClientHello)

The client always initiates the SSL connection and handshake

The client sends:

a random cookie

cipher suites it supports, in order by preference

Page 22: Cryptology

Handshake (ct’d)

Reply by Server (ServerHello)

The server sends

a random cookie

the cipher suite it prefers among those listed in the ClientHello

Page 23: Cryptology

Handshake (ct’d)

Authentication of identity

• The server presents its X.509 certificate (which contains its public key) to the client

• The server may, but usually does not, ask the client for its certificate (CertificateRequest)

• The server sends a ServerHelloDone

Client authenticates the server

• The client verifies that the certificate is in order and has been issued by an acceptable CA.

Page 24: Cryptology

Selection of Encryption Algorithm

Selection of encryption algorithm

In its ClientHello, the client informed the server of the cipher suites (algorithms) it supports

In its ServerHello, the server indicated which of these it would like to use

The client either accepts that suite or proposes an alternate (ChangeCipherSpec)

If the client and server agree on a suite, they continue

Page 25: Cryptology

Handshake

Session key exchange

• Using a random seed value (called a nonce) from the client and server, the client generates a random session key.

• The session key is used for message encryption using a symmetric algorithm

• Another (also generated) key is used for applying the Message Authentication Code (MAC) (a digest)

Page 26: Cryptology

Handshake

The client sends a ChangeCipherSpec to indicate that it is ready to proceed using the negotiated cipher suite and keys

Both client and server send a Finished, which is the first message encrypted according to the negotiated cipher suite and keys

From this point forward, for each application message sent, SSL applies a MAC and then encrypts the message and MAC using the session key

Page 27: Cryptology

SSL Complications (No longer a problem?)

The export of encryption products (software and hardware) is tightly controlled by the US government

The US government classifies cryptographic algorithms as munitions (like Bradley Fighting Vehicles) and restricts the key strength for export

The government only allows 40-bit keys in exported encryption software

Everything on the web is (potentially) exported

40-bit keys are not long enough for secure encryption (A graduate student at Cal broke RSA's 40-bit key in 4 hours.)

Revised export regulations have removed many restrictions

Page 28: Cryptology

SSL Complications (No longer a problem?) – ct’d

SSL effectively requires RSA public key cryptography

SSL originally only supported RSA public key cryptography (PKC) and RSA encryption algorithms, effectively granting them a monopoly

RSA owns a patent on its PK algorithm in the U.S. and Canada

Commercial secure web servers must license RSAREF or BSAFE to be legal in this country

Until that patent expires, we are all ho$tage$

The minimum purchase for a complete, licensed SSL implementation that uses RSA algorithms is $15,000 + $7,000

Celebrate RSA Independence Day: September 20, 2000

Page 29: Cryptology

Public Key Distribution

PKs are distributed in an X.509 certificate issued by a Certification Authority (CA)

CA merely certifies that a public key belongs to a given entity, and that that entity owns the common name.

The secure server certificate itself is just a data record that contains

– The public key issued to a single server

– Distinguished Name, which has subfields of

• Common name, organization, organizational unit, city, country

– Expiration date

– Serial number

The CA "signs" the certificate (encrypted hash)

Page 30: Cryptology

Browser Authentication of Server

When a browser receives a certificate, it verifies that:

– The common name matches the DNS entry exactly, and with MSIE, the server name

– That it recognizes the CA that signed the certificate

– That the CA actually signed the certificate

• It does this by hashing the certificate, decrypting the "signature" with the CA's public key, and comparing the two

• Therefore, CAs must have certificates, and those certificates must be installed in the browser

If an older browser doesn't accept the certificate:

– Netscape will complain but encrypt anyway

– IE will complain and not allow SSL
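The three browser checks listed above (name match, recognized CA, hash compared against the decrypted signature), as an added example that is not part of the original slides. The toy CA key, the certificate fields, the trust store and all function names are constructed for illustration; a real certificate is an X.509 structure and a real CA key is far larger.

```python
# Added example: a toy certificate record signed by a toy CA, then checked
# the way the slide describes. All names and values here are constructed.
import hashlib

CA_Q1, CA_Q2 = 2_147_483_647, 2_305_843_009_213_693_951  # toy primes
CA_N, CA_PUBLIC = CA_Q1 * CA_Q2, 65537
CA_SECRET = pow(CA_PUBLIC, -1, (CA_Q1 - 1) * (CA_Q2 - 1))  # Python 3.8+

# CA certificates "installed in the browser": CA name -> public key (N, p).
TRUSTED_CAS = {"Example Root CA": (CA_N, CA_PUBLIC)}


def digest(cert, modulus):
    """Hash every field except the signature, reduced to a number < N."""
    body = "|".join(f"{k}={cert[k]}" for k in sorted(cert) if k != "signature")
    return int.from_bytes(hashlib.sha256(body.encode()).digest(), "big") % modulus


def ca_sign(cert):
    """What the CA does: encrypt the certificate's hash with its secret key."""
    return dict(cert, signature=pow(digest(cert, CA_N), CA_SECRET, CA_N))


def browser_accepts(cert, requested_host):
    """Apply the three checks in order; returns (accepted, reason)."""
    if cert["common_name"] != requested_host:
        return False, "common name does not match"
    if cert["issuer"] not in TRUSTED_CAS:
        return False, "unrecognized CA"
    n, p = TRUSTED_CAS[cert["issuer"]]
    # Decrypt the signature with the CA's public key and compare to our hash.
    if pow(cert["signature"], p, n) != digest(cert, n):
        return False, "signature does not match hash"
    return True, "ok"


SERVER_CERT = ca_sign({
    "common_name": "www.example.com", "organization": "Example Org",
    "public_key": "(server N, server p)", "issuer": "Example Root CA",
    "expires": "2030-01-01", "serial": 1001,
})
```

Changing any signed field after issuance, the public key included, changes the hash, so the comparison fails even though the signature value itself is untouched.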

Page 31: Cryptology

Certificate Chains

CAs also have certificates (usually several) which contain the public key they use to sign certificates

Who signs a CA certificate?

Each CA certificate chains to a "root" certificate

– A CA may self-sign its own root certificate, as do VeriSign and Thawte

– A CA may chain to another CA's root certificate, as Equifax does to Thawte

A CA offers more than one kind of secure server certificate by having separate chains back to its root certificate.

Page 32: Cryptology

Demo of Public Key Encryption

Browser CA certificates

Example server certificate

PK cryptography demo

Links

www.gnupg.org (GNU Privacy Guard)

http://www.gpg4win.org/ (gpg for win32 with gui tools)