Spring 2010 © 2000-2010, Richard A. Stanley ECE578/2 #1 ECE578 Cryptography 2. Overview of Cryptosystems Professor Richard A. Stanley

Dec 21, 2015


ECE578 Cryptography

2. Overview of Cryptosystems

Professor Richard A. Stanley


Summary of last class...

• Cryptology is the science that deals with making and breaking codes for secure communications

• Cryptographic techniques are critical to modern secure communications

• Understanding the underlying mathematics is crucial to proper employment of the systems


Problem Areas (Remember This?)

• Languages have well-known statistics
  – E.g., “e” is most common letter in English
  – This can be exploited for cryptanalysis
  – Thus, substitution ciphers are not very secure
  – Similar problems plague book ciphers, etc.

• The only way to achieve true security is to make the ciphertext appear as random as possible


Modern Cryptography Uses Electronic Digital Systems

• Advantages:
  – Speed
  – Accuracy
  – Ability to use complex mathematics

• Disadvantages:
  – Complex equipment
  – Electronic vulnerabilities
  – Key management


Symmetric Ciphers

• Same code at each end

• Important that message length < cipher length

• Billions of combinations possible

• Codes changed frequently

• Each circuit requires a code pair


Symmetric Key Cryptography

[Figure: Alice sends Alice’s message to Bob; Alice and Bob each hold the same shared private key]


Enigma

Perhaps the most famous cipher machine in history.

This is an early model. Later test versions had as many as five rotors. Standard Kriegsmarine machines had four rotors after about 1943.

Enigma was a tactical machine--designed for battlefield use.

Even today, Enigma would provide excellent security…IF no errors occurred on the part of the operators.


Enigma and Sigaba

• Illustrate the validity of Kerckhoff’s theorem

• Even when cryptanalysts were armed with a nearly perfect replication of the Enigma logic, brute-force keyspace search was useless for providing practical results

• The key needed to be discovered!


Cipher Example (Mauborgne/Vernam)

• Encipher
  – Plain:  001 010 011 100
  – +key:   111 011 010 101
  – Cipher: 110 001 001 001

• Decipher
  – Cipher: 110 001 001 001
  – +key:   111 011 010 101
  – Plain:  001 010 011 100

The ciphertext is simply the plain text added to the key, modulo 2. This is the XOR function, and it is a reversible process, as seen above. So where does security come from?


How to Achieve Good Cryptography?

• Well-reviewed algorithms
  – So weaknesses cannot “hide” until after implementation

• Excellent key generation & management
  – To maintain secrecy of the key

• Algorithms that are sufficiently complex so as to not permit feasible exhaustive attacks

• One such algorithm was developed by Horst Feistel
  – German cryptographer, 1915-1990
  – IBM researcher


Feistel Ciphers: Characteristics

• Special class of iterated block ciphers

• Ciphertext calculated from plaintext by repeated application of the same transformation or round function

• Encryption and decryption are structurally identical (subkey order reversed for decryption)

• Fast, even in software implementation

• Easily analyzed (i.e., deficiencies more readily found by analysis)


Feistel Ciphers in Operation

• Plaintext split into two halves

• Round function f is applied to one half using a subkey

• Output of f is XOR’d with the other half of the plaintext

• Two halves are swapped

• Process repeated for n rounds

• No swap after last round


DES: Feistel Applied

• DES: Data Encryption Standard

• Formal specification -- FIPS PUB 46-3, last affirmed 25 October 1999
  http://www.csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdf

• Describes two cryptographic algorithms
  – DES
  – TDEA (commonly referred to as 3DES)

• DES based on IBM Lucifer cipher of 1974


DES Characteristics

• 64-bit block cipher

• 56-bit key, with additional 8 bits used for error checking (odd parity on each byte)

• Four operating modes (not unique to DES)
  – Electronic Codebook (ECB)
  – Cipher Block Chaining (CBC)
  – Cipher Feedback (CFB)
  – Output Feedback (OFB)


Subkey Generation

• Creating the subkeys in a Feistel cipher has a major effect on the overall security of the algorithm
  – Possible to create weak keys (e.g., all zeros)
  – Changes in the subkey algorithm can result in effectively different realizations of the algorithm

• DES is based on Feistel rounds, and uses a complex method of subkey generation


DES Enciphering Computation

Feistel round


Initial Permutation


Cipher Function, f(Rn,Kn)


How Can This Happen?

• Turn 32-bit plaintext into 48-bit output

• Add to 48-bit key

• Get 32-bit output


Details

• E-function takes the input to the Feistel round and expands it to 48 bits

• S boxes (for substitution) permute bits to produce the proper output

• Inverse permutation (IP^-1) restores bit order after the 16 Feistel rounds


S-box Example


Key Scheduling


Principal DES Operating Modes (FIPS PUB 81)

• Electronic Code Book (ECB)
  – Encrypts one block at a time with selected key
  – Vulnerability: repeated plaintext can reveal key, and then all cipher blocks can be decrypted

• Cipher Block Chaining (CBC)
  – Input to each block is the output of the previous block XOR’d with the next plaintext block
  – Initial block XOR’d with an Initialization Vector (IV)


ECB


CBC


Additional DES Modes -1

• Cipher Feedback Mode (CFB)
  – previous ciphertext block encrypted and output XOR’d with plaintext block to produce current ciphertext block
  – can use feedback that is less than one full data block
  – initialization vector used as “seed” for the process.


CFB


Additional DES Modes -2

• Output Feedback Mode (OFB)
  – similar to CFB mode except data XOR’d with each plaintext block is generated independently of both the plaintext and ciphertext
  – initialization vector s_0 used as “seed” for a sequence of data blocks s_i
  – each data block s_i derived from encryption of the previous data block s_(i-1)
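
The four modes described on these slides, written out against a toy 64-bit block cipher, as an added example that is not part of the original slides. The cipher `E`/`D`, the key, the IV and the sample plaintext are constructed for illustration (the toy cipher is not DES and is not secure), and CFB is shown with full-block feedback. It shows repeated plaintext blocks surviving ECB, and how far a one-bit ciphertext error spreads on decryption in each mode.

```python
"""ECB, CBC, CFB and OFB over a toy 64-bit block cipher (illustration only)."""

BLOCK = 8                                  # bytes per block, the DES block size
MASK = (1 << 64) - 1
MULT = 0x9E3779B97F4A7C15                  # odd, hence invertible mod 2^64
MULT_INV = pow(MULT, -1, 1 << 64)

# Constructed sample values (not from the slides).
KEY = 0x0123456789ABCDEF
IV = bytes.fromhex("0011223344556677")
PLAINTEXT = b"PAY 100$" b"PAY 100$" b"TO ALICE" b"PAY 100$" b"END MSG."

def _rotl(x, r):
    return ((x << r) | (x >> (64 - r))) & MASK

def E(key, block):
    """Toy keyed permutation standing in for DES encryption. Not secure."""
    x = int.from_bytes(block, "big")
    for _ in range(3):
        x = _rotl(((x ^ key) * MULT) & MASK, 29)
    return x.to_bytes(BLOCK, "big")

def D(key, block):
    """Inverse of E: undo rotate, multiply and key XOR, three times."""
    x = int.from_bytes(block, "big")
    for _ in range(3):
        x = ((_rotl(x, 64 - 29) * MULT_INV) & MASK) ^ key
    return x.to_bytes(BLOCK, "big")

def xor(a, b):
    return bytes(p ^ q for p, q in zip(a, b))

def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb(key, iv, data, decrypt=False):
    """Each block is processed alone; the IV is unused."""
    f = D if decrypt else E
    return b"".join(f(key, b) for b in blocks(data))

def cbc(key, iv, data, decrypt=False):
    out, prev = [], iv
    for b in blocks(data):
        if decrypt:
            out.append(xor(D(key, b), prev))
            prev = b
        else:
            prev = E(key, xor(b, prev))    # previous ciphertext XOR plaintext
            out.append(prev)
    return b"".join(out)

def cfb(key, iv, data, decrypt=False):
    out, prev = [], iv
    for b in blocks(data):
        o = xor(b, E(key, prev))           # encrypt previous ciphertext block
        prev = b if decrypt else o         # feedback is always ciphertext
        out.append(o)
    return b"".join(out)

def ofb(key, iv, data, decrypt=False):
    out, s = [], iv
    for b in blocks(data):
        s = E(key, s)                      # s_i = E(s_(i-1)), data-independent
        out.append(xor(b, s))
    return b"".join(out)

def repeated_blocks(ciphertext):
    """Number of ciphertext blocks that duplicate an earlier block."""
    bl = blocks(ciphertext)
    return len(bl) - len(set(bl))

def damaged_blocks(mode, hit=2):
    """Flip one bit of ciphertext block `hit`; list the wrong plaintext blocks."""
    ct = bytearray(mode(KEY, IV, PLAINTEXT))
    ct[hit * BLOCK] ^= 0x01
    pt = mode(KEY, IV, bytes(ct), decrypt=True)
    pairs = zip(blocks(PLAINTEXT), blocks(pt))
    return [i for i, (good, got) in enumerate(pairs) if good != got]

if __name__ == "__main__":
    for name, mode in (("ECB", ecb), ("CBC", cbc), ("CFB", cfb), ("OFB", ofb)):
        ct = mode(KEY, IV, PLAINTEXT)
        print(name, "repeated ciphertext blocks:", repeated_blocks(ct),
              "| plaintext blocks damaged by one bad block:", damaged_blocks(mode))
```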


OFB


Importance of DES

• Ubiquitous, U.S. federal standard

• When it was standardized, 56-bit key made cipher computationally secure
  – This is no longer the case
  – DES has been broken using brute force attacks in hours, using desktop PCs

• Immediate fix: Triple Data Encryption Algorithm (or Triple DES, 3DES)


TDEA

Encryption

Decryption


TDEA Realities

• Two keying options
  – Three separate keys (as shown on the previous slide)
  – Two keys; E_K1 = E_K3
  – Resultant key lengths of 168 or 112 bits

• For mathematical reasons we won’t go into here, 3-key TDEA is only about twice as secure as DES, not 3 times as secure

• Implemented in hardware, 3-key TDEA can achieve throughputs approaching 1 Gbps


TDEA Advantages

• Thoroughly analyzed, unlikely to have any hidden vulnerabilities

• Much less vulnerable to brute force attack than DES

• Can be implemented in silicon, with very fast throughput


TDEA Disadvantages

• Algorithm produces slow software implementations

• Limited to 64-bit block size

• Trebles the key distribution problem of DES


DES Decryption

• As DES is a Feistel cipher, decryption uses the same engine as does encryption

• For decryption:
  – The DES engine is precisely the same as the encryption engine -- it is not run in reverse (e.g. with the input coming in the “bottom”)
  – Instead, the key schedule is run in reverse; i.e. the first subkey used is K16, then K15, etc., finishing with K1
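
A generic Feistel network following the steps on the "Feistel Ciphers in Operation" slide and the reversed key schedule described above, as an added example that is not part of the original slides. The round function and key schedule are hypothetical stand-ins built from SHA-256 (they are not DES's f or DES's key schedule), and the sample key and block are constructed. The last function shows why a schedule that yields identical subkeys, the weak-key case from the Subkey Generation slide, makes encryption undo itself.

```python
"""Generic Feistel network: one engine, key schedule reversed to decrypt."""
import hashlib

ROUNDS = 16          # DES uses 16 Feistel rounds
HALF = 4             # bytes per half, giving a 64-bit block as in DES

# Constructed sample values (not from the slides).
MASTER_KEY = b"example-key"
PLAINTEXT = b"8bytes!!"


def xor_bytes(a, b):
    return bytes(p ^ q for p, q in zip(a, b))


def round_function(half, subkey):
    """Toy f: truncated SHA-256 of subkey || half (assumption, not DES's f).

    f is not invertible, and does not need to be: the Feistel structure
    only ever XORs its output into the other half.
    """
    return hashlib.sha256(subkey + half).digest()[:HALF]


def key_schedule(master, rounds=ROUNDS):
    """Hypothetical schedule: one 48-bit subkey per round, K1..K16."""
    return [hashlib.sha256(master + bytes([i])).digest()[:6]
            for i in range(1, rounds + 1)]


def feistel(block, subkeys, f=round_function):
    """Run the Feistel engine over one block with the given subkey order."""
    if len(block) != 2 * HALF:
        raise ValueError("block must be %d bytes" % (2 * HALF))
    left, right = block[:HALF], block[HALF:]
    for k in subkeys:
        # Apply f to one half, XOR into the other half, then swap.
        left, right = right, xor_bytes(left, f(right, k))
    # Undo the swap made in the final round ("no swap after last round").
    return right + left


def encrypt(block, master):
    return feistel(block, key_schedule(master))            # K1 ... K16


def decrypt(block, master):
    return feistel(block, key_schedule(master)[::-1])      # K16 ... K1


def weak_schedule_is_involution(block):
    """With identical subkeys the reversed schedule equals the forward one,
    so encrypting twice returns the plaintext."""
    weak = [bytes(6)] * ROUNDS
    return feistel(feistel(block, weak), weak) == block


if __name__ == "__main__":
    ct = encrypt(PLAINTEXT, MASTER_KEY)
    print("ciphertext:", ct.hex())
    print("decrypts with reversed schedule:", decrypt(ct, MASTER_KEY) == PLAINTEXT)
    print("same engine, forward schedule:",
          feistel(ct, key_schedule(MASTER_KEY)) == PLAINTEXT)
    print("weak schedule undoes itself:", weak_schedule_is_involution(PLAINTEXT))
```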


DES Mathematics

• Only two functions used
  – XOR
  – Data permutation or shifting

• At the heart of the DES engine, inside the f-box, is a Vernam cipher machine!

• Vernam, by itself, is insecure. What makes DES secure?


AES: The Next Generation

• Advanced Encryption Standard (FIPS PUB 197)
  – Established to counter weaknesses of DES
  – Adopted as U.S. standard November 26, 2001
  – Became effective May 26, 2002
  – Based on Rijndael algorithm
    • Joan Daemen and Vincent Rijmen, Belgians, authors
  – Key lengths of 128, 192, and 256 bits
  – Block size of 128 bits


Rijndael Structure

• Rijndael is not a Feistel cipher; rather, it uses substitution boxes

• “...typically part of the bits of the intermediate state are simply transposed unchanged to another position”

• “...[each] round transformation is composed of three distinct invertible uniform transformations”


AES’ Future

• Clearly intended to replace DES & TDEA

• Designed for efficient software implementation

• Not yet as thoroughly analyzed as DES

• Many implementations on the market

• Probably a long coexistence of TDEA & AES

• We will study in detail later in the course


Breaking Symmetric Ciphers

• Brute force
  – Inelegant, but sometimes effective if enough computing power can be brought to bear
  – If cipher is complex enough, this doesn’t work

• Exploit errors
  – Same message enciphered in two codes
  – Plaintext attack
  – Exploit operator errors


Brute Force Attacks on Symmetric Cryptosystems

Assume a number N, having L decimal digits (N_L).

Now posit a computer capable of 10^10 divisions/second.

The computer can factor any N, using the trial division method, in approximately N^0.5/10^10 seconds.

If N has 100 digits, this process will require approximately 10^40 seconds.

However, the currently estimated age of the Universe is only approximately 3.8 x 10^17 seconds!


Key Types

• Permanent
  – Used for a fixed, prearranged period of time
  – Typically used for applications such as key distribution, government communications, etc.

• Session
  – Valid only for current communications session
  – Destroyed after session terminates


Symmetric Crypto Keys

• Ideally, are purely random numbers

• Characteristics:
  – The keys are prepositioned at each end
  – Random numbers can be generated by capturing stellar noise, diode shot noise, etc.
  – Parties need only agree on where in key stream to start
  – The key does not have to obey any mathematical function other than randomness

• Many implementations use pseudo-random numbers, which can be generated by software


Number of Keys Problem

• If we have N users, each needing a key that will let them talk securely with each of the other users, how many keys do we need? Assume each key is bilateral (i.e. it works in both directions).

• What is the answer if the keys are unilateral (i.e., A to B requires a different key than B to A)?


Number of Keys Examples

• Two users, one key (A to B and B to A)

• Three users
  – A to B, K1
  – A to C, K2
  – B to C, K3

• Four Users?
  – Let’s use the chart paper


Key Distribution Problem

• Secret keys must be prepositioned at all locations before secure communications can occur.

• How to do this?
  – Secure physical transport
  – Secure electronic transport

• The search for a way to accomplish this led to the development of public key cryptography, which we will look at next


Asymmetric Ciphers

• Also known as public key cryptography

• Until Diffie-Hellman in 1976, this concept was heretical. It is still counterintuitive.

• Key has two parts
  – Public: everybody knows or can know
  – Private: only holder knows

• Based on large prime numbers


Asymmetric Cryptography

[Figure: Alice sends Alice’s message to Bob, with Bob’s public key at Alice’s end and Bob’s private key at Bob’s end]


The Original Goal

• Diffie and Hellman did not set out to invent a new kind of cryptography

• The goal was to find a way to establish symmetrical session keys without prior placement of the keys by some other means
  – i.e. to solve the key distribution problem

• This is still the primary use of the D-H exchange


But then...

• Diffie-Hellman key exchanges proved immensely useful

• Others found that there were other uses for this general crypto principle, and algorithms were developed for encrypting data
  – RSA
  – El Gamal
  – etc.


Something Different

• Clearly, asymmetric crypto differs in a basic way from symmetric crypto
  – The keys are mathematically related, and cannot be purely random numbers
  – The algorithms are quite different from the universe of Feistel ciphers and S-boxes

• Is this a replacement for symmetric crypto, or a complement to it?


Asymmetric Crypto Properties

• The encryption function is one-way

• The encryption process is fungible
  – Can encrypt with public key and decrypt with private key, and vice versa

• So what?
  – Could this approach be used to sign documents?
  – Can a signed document be used for authentication?


How Does It Work?

• Asymmetric cryptography is based on modulus arithmetic, which is a form of finite arithmetic in rings

• Modulus arithmetic makes it computationally infeasible to recover the number whose modulus is stated, provided certain conditions are met

• You can cheat: the Windows calculator has a modulus arithmetic mode


Diffie-Hellman Key Exchange-1

• Alice and Bob agree on a large prime n and on g, where g is a primitive root mod n. These need not be kept secret

• Alice chooses a large random integer x and sends to Bob: X = g^x mod n

• Bob chooses a large random integer y and sends to Alice: Y = g^y mod n

• NB: x and y are never transmitted


Diffie-Hellman Key Exchange-2

• Alice computes k = Y^x mod n

• Bob computes k’ = X^y mod n

• But k = k’ = g^(xy) mod n

• Therefore, Bob and Alice now have a secret key, k, that they can share for communications

• Eavesdroppers know only n, g, X, and Y, not x or y, which are required to compute k


Diffie-Hellman Security

• D-H security depends on the difficulty of factoring large numbers (size of n)

• It is computationally infeasible to recover x and y from the data known to an eavesdropper by any means other than exhaustive key search

• Caveats
  – n must be large
  – ((n-1)/2) should also be prime
  – g can be small -- even one digit
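
The exchange from the two Diffie-Hellman slides together with the caveats above, as an added example that is not part of the original slides. Function names, the 128-bit demonstration size and the `min_bits` policy parameter are assumptions of this example; the tiny prime 227 is constructed to show why "n must be large", since exhaustive search recovers x at once.

```python
"""Diffie-Hellman exchange with checks for the caveats on n and g."""
import secrets


def is_probable_prime(n, rounds=24):
    """Miller-Rabin primality test with random bases."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)          # base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def find_safe_prime(bits):
    """Random prime n of the given size for which (n-1)/2 is also prime."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1


def is_primitive_root(g, n):
    """For n = 2q + 1 with q prime, g generates all of 1..n-1 exactly when
    neither g^2 nor g^q is 1 mod n."""
    q = (n - 1) // 2
    return 1 < g < n and pow(g, 2, n) != 1 and pow(g, q, n) != 1


def smallest_primitive_root(n):
    return next(g for g in range(2, n) if is_primitive_root(g, n))


def parameter_problems(n, g, min_bits):
    """List which caveats (n, g) fail; min_bits is the caller's policy."""
    problems = []
    if n.bit_length() < min_bits:
        problems.append("n is too small")
    if not is_probable_prime(n):
        problems.append("n is not prime")
    elif not is_probable_prime((n - 1) // 2):
        problems.append("(n-1)/2 is not prime")
    elif not is_primitive_root(g, n):
        problems.append("g is not a primitive root mod n")
    return problems


def exchange(n, g):
    """Both sides of the exchange; x and y never leave their owners."""
    x = 2 + secrets.randbelow(n - 3)              # Alice's secret
    y = 2 + secrets.randbelow(n - 3)              # Bob's secret
    X, Y = pow(g, x, n), pow(g, y, n)             # the only values transmitted
    return {"public": (n, g, X, Y),
            "k_alice": pow(Y, x, n),              # k  = Y^x mod n
            "k_bob": pow(X, y, n)}                # k' = X^y mod n


def brute_force_log(g, X, n):
    """Exhaustive search for x with g^x = X mod n; only feasible for tiny n."""
    value = 1
    for x in range(1, n):
        value = (value * g) % n
        if value == X:
            return x
    return None


if __name__ == "__main__":
    n = find_safe_prime(128)
    g = smallest_primitive_root(n)
    result = exchange(n, g)
    print("g =", g, "| keys agree:", result["k_alice"] == result["k_bob"])
    print("n = 227, g = 2, X = 2^57: search finds x =",
          brute_force_log(2, pow(2, 57, 227), 227))
```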


Diffie-Hellman Drawbacks

• Slow!
  – Computationally intensive
  – Requires several communications exchanges

• Example:
  – Using D-H to set up a session key in a cellular telephone could take nearly one minute!

• So, other key exchange protocols have been established that are more efficient


Asymmetric Crypto Uses?

• Only good for key exchange?

• As it turns out, NO
  – Other algorithms useful for providing data secrecy, like symmetric cryptography
  – Can be used to provide
    • confidentiality
    • integrity
    • authenticity


RSA Encryption Algorithm

• Ron Rivest, Adi Shamir, Len Adleman
  – First published 1978, from MIT
  – Block cipher, asymmetric key
  – Plain and cipher texts are integers between 0 and n-1, for some n that is part of the keys

• Like all asymmetric key systems, RSA depends for security on the difficulty of factoring large numbers
  – There is a problem here


RSA Mechanics

• C = ciphertext
  – C = M^e mod n

• M = plaintext
  – M = C^d mod n = (M^e)^d mod n = M^(ed) mod n

• Both parties know n, e

• Only the receiving party knows d


Therefore...

• Public key: KU = {e,n}

• Private key: KR = {d,n}

• Requirements for this to work:
  – e, d, n exist such that M^(ed) = M mod n for all M < n
  – Easy to calculate M^e and C for M < n
  – Infeasible to calculate d given e, n

• Computationally secure if e, n sufficiently large


Important Definitions

• Euler’s totient function, φ(n)
  – Defined as the number of positive integers < n and relatively prime to n
  – We can show that if n = pq, p, q prime, then φ(n) = (p-1)(q-1)

• Relatively prime numbers
  – a and b (integers) are relatively prime if they have no prime factors in common
    • i.e. only common prime factor is unity


RSA Example

• Select two primes: p = 7, q = 17

• Calculate n = pq = 7 x 17 = 119

• Calculate φ(n) = (p-1)(q-1) = 6 x 16 = 96

• Select e relatively prime to & less than φ(n)
  – In this example e = 5

• Calculate d = e^-1 mod φ(n) = 77 [slide callout: This bit is perhaps unclear]

• KU = {5, 119} (public key), KR = {77, 119} (private key)


Another View

• d = e^-1 mod φ(n) looks difficult, as e^-1 < 1

• Multiply both sides by e, which gives de = 1 mod φ(n), where φ(n) = 96 in this case

• e has been selected as being 5, therefore we must now find the value for d that satisfies the above equation

• 77 is that value, as 5 x 77 = 1 mod 96: 77 x 5 = 385 = 4 x 96 + 1


RSA Encrypt/Decrypt

• Using KU, KR we have calculated, let M = 19 (plaintext)
  – KU = {5, 119} (public key e, n), KR = {77, 119} (private key d, n)

• Encryption:
  – M^e mod n = 19^5 mod 119 = 66 = C (ciphertext)

• Decryption:
  – C^d mod n = 66^77 mod 119 = 19 = M (plaintext)

• Q.E.D.
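
The key generation and encrypt/decrypt steps above, run with the slide's own numbers, as an added example that is not part of the original slides. It finds d with the extended Euclidean algorithm, checks the requirement M^(ed) = M mod n for every M < n, and shows that trial division of the toy n = 119 hands back d; the function names are chosen for this example.

```python
"""Textbook RSA with the slide's parameters p = 7, q = 17, e = 5."""


def egcd(a, b):
    """Extended Euclid: return (g, s, t) with a*s + b*t == g == gcd(a, b)."""
    old_r, r = a, b
    old_s, s = 1, 0
    old_t, t = 0, 1
    while r:
        quotient = old_r // r
        old_r, r = r, old_r - quotient * r
        old_s, s = s, old_s - quotient * s
        old_t, t = t, old_t - quotient * t
    return old_r, old_s, old_t


def modinv(e, m):
    """The d with d*e = 1 mod m; this is the step 'd = e^-1 mod phi(n)'."""
    g, s, _ = egcd(e, m)
    if g != 1:
        raise ValueError("e is not relatively prime to the modulus")
    return s % m


def keygen(p, q, e):
    """Return (KU, KR) = ((e, n), (d, n)) for primes p, q and exponent e."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if not 1 < e < phi:
        raise ValueError("e must be between 1 and phi(n)")
    return (e, n), (modinv(e, phi), n)


def encrypt(m, public_key):
    e, n = public_key
    if not 0 <= m < n:
        raise ValueError("plaintext must be an integer in 0..n-1")
    return pow(m, e, n)                 # C = M^e mod n


def decrypt(c, private_key):
    d, n = private_key
    return pow(c, d, n)                 # M = C^d mod n


def round_trips_for_all_messages(public_key, private_key):
    """Check M^(ed) = M mod n for every M < n."""
    n = public_key[1]
    return all(decrypt(encrypt(m, public_key), private_key) == m
               for m in range(n))


def trial_factor(n):
    """Smallest factor pair of n by trial division; fine only for small n."""
    f = 2
    while f * f <= n:
        if n % f == 0:
            return f, n // f
        f += 1
    raise ValueError("n is prime")


def recover_private_key(public_key):
    """Rebuild KR from KU alone by factoring n; practical only for a toy n."""
    e, n = public_key
    p, q = trial_factor(n)
    return modinv(e, (p - 1) * (q - 1)), n


if __name__ == "__main__":
    KU, KR = keygen(7, 17, 5)
    C = encrypt(19, KU)
    print("KU =", KU, "KR =", KR)
    print("19 ->", C, "->", decrypt(C, KR))
    print("all M < n round-trip:", round_trips_for_all_messages(KU, KR))
    print("KR recovered from KU by factoring n:", recover_private_key(KU))
```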


RSA Importance

• Together with Diffie-Hellman, RSA is the most widely used asymmetric key algorithm

• RSA was patented by its inventors, but the patents expired in 2000

• RSA is now freely usable by anyone, and is widely incorporated into common products, such as web browsers, VPN devices, etc.


Breaking RSA

• Discover the private key, d
  – Easy to do if p and q, factors of n, are known
  – Hard part is factoring n
  – Factoring 200-digit n has been done

• Find e-th roots mod n
  – Not known to be equivalent to factoring
  – No general methods known

• Brute force key search


Practical RSA Security

• Choose a sufficiently large n
  – 200 digits 663 bits, which has been factored
  – Too close to 512 bits for comfort
  – So, pick n > 1000 bits (e.g., 1024, 2048, 4096)
  – Evaluate how long security is required, as longer keys require more computation, and are therefore slower to encrypt/decrypt

• Guard the private key carefully!


Why Do We Want to Do This?

• Symmetric cryptography is fast

• Asymmetric cryptography is slow
  – As much as 1000X slower than symmetric

• Therefore, we want to use the slow asymmetric crypto -- which does not require prepositioning of keys -- to create and/or exchange symmetric session keys so that data can be exchanged quickly


Summary

• Both symmetric and asymmetric crypto have their uses in communications

• Symmetric keys can be purely random, but asymmetric keys are mathematically related

• Symmetric crypto is much faster than asymmetric, which leads to combining the types in practical applications


Homework

• Read Stinson, Chapter 3.1 – 3.5

• Prove that decryption in a Feistel cipher can be done by applying the encryption algorithm to the ciphertext, with the key schedule reversed.

• Suppose a sequence of plaintext blocks, x_1…x_n, yields the ciphertext sequence y_1…y_n. Suppose that one ciphertext block, say y_i, is transmitted incorrectly. Show that the number of plaintext blocks that will be decrypted incorrectly is equal to one in ECB or OFB modes, and equal to two if CBC or CFB modes are used.