
Introduction to cryptography
Basic concepts
Classical techniques
Modern conventional techniques
Cryptography - basic concepts
- Cryptography - the art or science encompassing the principles and methods of transforming an intelligible message into one that is unintelligible, and then retransforming that message back to its original form
- Plaintext - the original intelligible message
- Ciphertext - the transformed message
- Cipher - an algorithm for transforming an intelligible message into one that is unintelligible by transposition and/or substitution methods
- Key - some critical information used by the cipher, known only to the sender and receiver
Cryptography - basic concepts (cont.)
- Encipher (encrypt) - the process of converting plaintext to ciphertext using a cipher and a key
- Decipher (decrypt) - the process of converting ciphertext back into plaintext using a cipher and a key
- Cryptanalysis - the study of principles and methods of transforming an unintelligible message back into an intelligible message without knowledge of the key. Also called codebreaking
Conventional encryption model
Plaintext X = [X_1, X_2, ..., X_M], length M; the M elements are letters of a finite alphabet
Secret key K = [K_1, K_2, ..., K_J], length J
Ciphertext Y = [Y_1, Y_2, ..., Y_N], length N
With message X and encryption key K the encryption algorithm forms the ciphertext Y = E_K(X)
The receiver, holding the same key K, inverts the transformation: X = D_K(Y)
Conventional cryptosystem model
Conventional encryption model
Security of conventional encryption depends on several factors
- the algorithm: it must be impractical to decrypt a message (or recover the key) on the basis of the ciphertext and full knowledge of the encryption/decryption algorithm (Kerckhoffs's principle: the security must rest on the key alone, not on keeping the algorithm secret)
- the key: secrecy of the key, and length of the key (in fact the entropy of the key; a long key derived from a low-entropy source such as a password is only as strong as that source)
Note: the algorithm is public
- feasible for widespread use
- manufacturers can develop low-cost chip implementations of the algorithm
The principal security problem is maintaining the secrecy of the key
Cryptographic systems - classification
Cryptographic systems are classified along three
dimensions
1. The type of operations used for transforming plaintext to ciphertext
- substitution
- transposition
2. The number of keys used
- single key, symmetric, secret key, conventional
- two keys, asymmetric, public key
3. The way in which plaintext is processed
- block cipher
- stream cipher
Cryptanalysis
Cryptanalysis = the process of trying to discover X or K or both
Brute force (exhaustive key search)
- the entropy of the key is what counts, so key and random number generation matter
- e.g. a 10-letter English word has only about 13 bits of entropy even though the key is 80 bits long
- Windows NT: a 128-bit key derived from the user's password carries no more entropy than the password
- distributed internet key search, 1999: about 250 billion keys/sec
Analysis of the ciphertext
- statistical tests
- traces of structure and pattern of the plaintext may survive the encryption process and be discernible in the ciphertext
- generally not feasible against modern ciphers
Differential and linear cryptanalysis
Exhaustive key search
Cryptanalytic attacks
Ciphertext only
- only access to some enciphered messages
- statistical attacks only
Known plaintext
- some plaintext-ciphertext pairs are known
- use this knowledge in attacking the cipher
Chosen plaintext
- can select plaintext and obtain the corresponding ciphertext
- use knowledge of the algorithm structure in the attack
Chosen text (chosen plaintext and chosen ciphertext)
- can select plaintext and obtain the corresponding ciphertext, or vice versa
- allows further knowledge of the algorithm structure to be used
Security models
Ad-hoc secure
- an intuitive feeling of security, with no argument behind it
Computationally secure
- the cost of breaking the cipher exceeds the value of the encrypted information
- the time required to break the cipher exceeds the useful lifetime of the information
Provably secure
- breaking the cipher is provably as difficult as some problem believed to be hard, e.g. factoring
Unconditionally secure
- the ciphertext does not contain enough information to determine uniquely the corresponding plaintext, no matter how much ciphertext is available or how much computing power the attacker has
Vernam's one-time pad
- The only cipher that has been proved to be unconditionally secure (Shannon)
- Invented by G. Vernam in 1917
- Key is a truly random bit-stream of the same length as the message
- Encryption is simple: just XOR the message with the key; decryption is the same XOR
- A key must never be reused: two messages under the same key XOR to the XOR of the plaintexts
- Not very practical, since the key material has to be generated and delivered securely in advance
- Used on the Moscow-Washington hot line
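The XOR pad and the two caveats on this slide (the ciphertext alone determines nothing; reusing the key is fatal) carried through in code. This is an added example, not code from the original slides; the two sample messages are constructed for the example and os.urandom stands in for a true random pad source.

```python
"""One-time pad (Vernam) with XOR.

Added example for this page, not from the original slides. The two sample
messages are constructed; os.urandom stands in for a truly random pad source.
"""
import os


def xor_bytes(a, b):
    """XOR two equal-length byte strings; refuse anything else, since a
    shorter key would have to be repeated and would no longer be a pad."""
    if len(a) != len(b):
        raise ValueError("one-time pad key must be exactly as long as the message")
    return bytes(x ^ y for x, y in zip(a, b))


def new_pad(length):
    """The pad must come from a cryptographic random source."""
    return os.urandom(length)


def otp_encrypt(plaintext, pad):
    return xor_bytes(plaintext, pad)


def otp_decrypt(ciphertext, pad):
    # XOR is its own inverse, so decryption is the same operation
    return xor_bytes(ciphertext, pad)


def key_explaining(ciphertext, claimed_plaintext):
    """Return the pad under which `ciphertext` decrypts to `claimed_plaintext`.
    One always exists for every plaintext of the right length, which is why
    the ciphertext carries no information about which plaintext was sent
    (unconditional security)."""
    return xor_bytes(ciphertext, claimed_plaintext)


def two_time_pad_leak(c1, c2, known_p1):
    """If the same pad encrypted two messages, c1 XOR c2 = p1 XOR p2.
    Knowing (or guessing) p1 then reveals p2 without touching the pad."""
    return xor_bytes(xor_bytes(c1, c2), known_p1)


def demo():
    """Use the pad once correctly, then reuse it. Returns True when the
    reuse leaked the second message."""
    p1 = b"attack at dawn"  # constructed sample messages, same length
    p2 = b"retreat at six"
    pad = new_pad(len(p1))
    c1 = otp_encrypt(p1, pad)
    assert otp_decrypt(c1, pad) == p1
    # the same c1 is equally consistent with p2 under a different pad
    assert otp_decrypt(c1, key_explaining(c1, p2)) == p2
    # key reuse: encrypting p2 under the same pad exposes it to anyone holding c1, c2 and p1
    c2 = otp_encrypt(p2, pad)
    return two_time_pad_leak(c1, c2, p1) == p2


if __name__ == "__main__":
    print("second message recovered from reused pad:", demo())
```

The length check is the whole point: a "pad" shorter than the message that is cycled becomes a repeating-key stream cipher, and the proof of unconditional security no longer applies.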
Conventional encryption -
algorithms
Principles
S-DES
Other block ciphers
Modern block ciphers
- Based on the principles of Feistel ciphers
- Block ciphers seem to be applicable to a broader range of applications than stream ciphers
- A block cipher can be used in a way (a mode of operation) that makes it operate as a stream cipher
- The message is broken into blocks of bits, each of which is encrypted separately.
- Can be viewed as a substitution cipher with a very large alphabet
- The structure of the algorithms is generally very complex
Feistel Cipher
A foundation for many modern block ciphers
The exact realization of a Feistel cipher depends on the following design features
- block size: a larger block size increases security but decreases encryption/decryption speed
- key size: 128 bits is now considered safe
- number of rounds: a single round offers weak security, but repeating rounds offers increasing security. Typically 16 rounds are used
- subkey generation algorithm: greater complexity should lead to greater difficulty of cryptanalysis
- round function: greater complexity generally means greater resistance to cryptanalysis
- implementation issues: speed and memory requirements in software/hardware implementation
- ease of analysis: a simple algorithm can be analysed for vulnerabilities (DES is not easy to analyze)
Substitution-Permutation Ciphers
Shannon introduced the idea of substitution-permutation (S-P) networks, which now form the basis of modern block ciphers
An S-P network is the modern form of a substitution-transposition product cipher
S-P networks are based on the two primitive cryptographic operations, substitution and permutation
Mixing transformations
Shannon's mixing transformations are a special form of product ciphers where
- S-boxes provide confusion of input bits
- P-boxes provide diffusion across S-box inputs
Substitution-Permutation Ciphers cont...
Avalanche effect
- a small change in either the plaintext or the key produces a significant change in the ciphertext
- in DES a one-bit change in either the key or the plaintext produces on average about 35 changed bits in the 64-bit ciphertext
Completeness effect
- each ciphertext bit is a complex function of all input bits (in a block)
Simplified DES (S-DES)
An educational rather than secure algorithm
A block cipher which encrypts an 8-bit block of plaintext using a 10-bit key and outputs an 8-bit block of ciphertext
Has the general structure of Shannon's mixing transform
Encryption involves five functions:
- an initial permutation IP
- f_K, a function involving both substitution and permutation, depending on the key (sub-key K1)
- a simple permutation SW that swaps the two halves of the data
- f_K again (with sub-key K2)
- the inverse of the initial permutation, IP^-1
Additionally there is a key generation algorithm that derives the two sub-keys K1 and K2 from the 10-bit key
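S-DES in full, as an added example (not code from the slides) that makes the Feistel structure of the three previous slides concrete: one function performs both encryption and decryption, and the only difference is the order of the sub-keys. The tables are the S-DES tables (P10, P8, IP, E/P, P4, S0, S1); the avalanche measurement and the random-key loop are this example's additions. With key 1010000010 and plaintext 10010111 the sub-keys are K1 = 10100100, K2 = 01000011 and the ciphertext is 00111000.

```python
"""Simplified DES (S-DES): an 8-bit, two-round Feistel cipher with a 10-bit key.

Added example for this page, not code from the original slides. The tables
(P10, P8, IP, E/P, P4, S0, S1) are the S-DES tables; the avalanche
measurement is this example's addition.
"""
from random import Random

P10 = (3, 5, 2, 7, 4, 10, 1, 9, 8, 6)
P8 = (6, 3, 7, 4, 8, 5, 10, 9)
IP = (2, 6, 3, 1, 4, 8, 5, 7)
IP_INV = (4, 1, 3, 5, 7, 2, 8, 6)
EP = (4, 1, 2, 3, 2, 3, 4, 1)     # expansion/permutation, 4 -> 8 bits
P4 = (2, 4, 3, 1)
S0 = ((1, 0, 3, 2), (3, 2, 1, 0), (0, 2, 1, 3), (3, 1, 3, 2))
S1 = ((0, 1, 2, 3), (2, 0, 1, 3), (3, 0, 1, 0), (2, 1, 0, 3))


def to_bits(value, width):
    """Integer -> list of bits, most significant first."""
    return [(value >> (width - 1 - i)) & 1 for i in range(width)]


def from_bits(bits):
    out = 0
    for b in bits:
        out = (out << 1) | b
    return out


def permute(bits, table):
    """Tables hold 1-indexed input positions, as in the S-DES description."""
    return [bits[i - 1] for i in table]


def rotl(bits, n):
    return bits[n:] + bits[:n]


def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]


def subkeys(key10):
    """Key schedule: P10, then LS-1 and P8 for K1, LS-2 more and P8 for K2."""
    k = permute(to_bits(key10, 10), P10)
    left, right = rotl(k[:5], 1), rotl(k[5:], 1)
    k1 = permute(left + right, P8)
    left, right = rotl(left, 2), rotl(right, 2)
    k2 = permute(left + right, P8)
    return k1, k2


def sbox(box, bits):
    """Outer two bits select the row, inner two the column; 2-bit output."""
    row = (bits[0] << 1) | bits[3]
    col = (bits[1] << 1) | bits[2]
    return to_bits(box[row][col], 2)


def round_function(right, subkey):
    """F(R, SK): expand, mix in the subkey, substitute (confusion), permute (diffusion)."""
    x = xor(permute(right, EP), subkey)
    return permute(sbox(S0, x[:4]) + sbox(S1, x[4:]), P4)


def feistel(block8, k_first, k_second):
    """Two Feistel rounds around a swap. Encryption and decryption differ
    only in the order of the subkeys, which is the point of the structure."""
    bits = permute(to_bits(block8, 8), IP)
    left, right = bits[:4], bits[4:]
    left = xor(left, round_function(right, k_first))   # f_K
    left, right = right, left                          # SW
    left = xor(left, round_function(right, k_second))  # f_K again
    return from_bits(permute(left + right, IP_INV))


def encrypt(plain8, key10):
    k1, k2 = subkeys(key10)
    return feistel(plain8, k1, k2)


def decrypt(cipher8, key10):
    k1, k2 = subkeys(key10)
    return feistel(cipher8, k2, k1)   # reversed subkey order


def avalanche(trials=2000, seed=1):
    """Average number of ciphertext bits (of 8) that change when one random
    plaintext bit is flipped under a random key. Compare with the roughly
    35 of 64 bits the slides quote for DES; a two-round toy cannot match that."""
    rng = Random(seed)
    flipped = 0
    for _ in range(trials):
        key, pt = rng.getrandbits(10), rng.getrandbits(8)
        pt2 = pt ^ (1 << rng.randrange(8))
        flipped += bin(encrypt(pt, key) ^ encrypt(pt2, key)).count("1")
    return flipped / trials


if __name__ == "__main__":
    c = encrypt(0b10010111, 0b1010000010)
    print(f"ciphertext {c:08b}, decrypts to {decrypt(c, 0b1010000010):08b}")
    print("average bits flipped per plaintext bit:", avalanche())
```

Note that decrypt() never undoes anything explicitly: it runs the identical network with K2 before K1, which is exactly why the Feistel construction does not need the round function F to be invertible.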
DES vs. S-DES
- DES was adopted as FIPS 46 in 1977 (by NBS, now NIST); the algorithm itself is called the DEA
- DES operates on 64-bit blocks
- 16 rounds: IP^-1 f_K16 SW f_K15 SW ... SW f_K1 IP (in DES the final swap is omitted)
- A 56-bit key is used to form 16 48-bit sub-keys
- The round function F acts on a 32-bit half block: it is expanded to 48 bits, XORed with the sub-key and fed to 8 S-boxes. Each S-box takes 6 bits and has 4 rows and 16 columns; the first and last bit of the 6-bit input pick the row, the four bits in the middle pick the column, and the 4-bit entry is the output.
- Basically, DES is a scaled-up version of S-DES
(figure: the DES expansion permutation E, which turns 32 bits into 48 by repeating the edge bits of each 4-bit group: 32 1 2 3 4 5 | 4 5 6 7 8 9 | ... | 28 29 30 31 32 1)
The strength of DES
Concerns about the algorithm
- the most cryptanalyzed algorithm in existence
- no efficient cryptanalytic attack is known
- the design criteria for the S-boxes were not released, a potential threat
The key length
- EFF DES Cracker, built for $250,000, broke a DES key in under three days (1998)
- DES is not safe any longer
- an exhaustive search also has to recognize the correct plaintext automatically, which adds some work to the attack but does not make DES secure
Overview of Block Ciphers
An overview of the most important
symmetric ciphers in current use
DES
TDEA
IDEA
Blowfish
Cast-128
Triple-DEA (TDEA)
- FIPS 46-3 in 1999
- Based on using DES three times in an encrypt-decrypt-encrypt sequence with three different keys: C = E_K3[D_K2[E_K1[P]]]
- Much stronger than DES
- Slow compared to some newer block ciphers; fixed 64-bit block size
- A two-key version (K3 = K1) also exists
- Used in e.g. PGP and S/MIME
- TDEA and AES will coexist among the FIPS-approved algorithms
Key distribution
The problem is to establish a secret shared by the two parties and protected from access by others
- the number of communicating pairs can be very large
- keys have to be changed frequently
Ways of distributing the keys for two parties, A and B
1. A selects the key and physically delivers it to B
2. A third party selects the key and physically delivers it to A and B
3. If A and B have previously used a key, one party can transmit the new key to the other encrypted using the old key
4. If A and B both have an encrypted connection to a trusted third party C, C can deliver the key to A and B over the encrypted links
Key distribution
Ways 1 and 2 require manual delivery
- ok for link encryption
- impractical for end-to-end encryption: with N hosts there are N(N-1)/2 possible pairs of communicating parties
Way 3 can be used in both link and end-to-end communication
- if an attacker gets one key, all subsequent keys are exposed as well
Some variation of way 4 is the most commonly used for end-to-end encryption
- a key distribution center (KDC) is used
- a hierarchy of keys, at least two levels
A two-level hierarchy of keys
Session key:
- data is encrypted with a one-time session key. At the conclusion of the session the key is destroyed
Permanent (master) key:
- used between entities for the purpose of distributing session keys
- a unique master key for each host for communicating with the KDC
Public Key Cryptography
Principles
RSA Key Management
Diffie-Hellman
Introduction
- The idea of public key cryptography was proposed by Diffie and Hellman in 1976
- Cryptosystems: RSA, Merkle-Hellman, Rabin, McEliece, El Gamal, elliptic curves
- Public key algorithms are based on mathematical functions rather than substitution and transposition
- Public key cryptography is asymmetric, involving the use of two separate keys
- profound consequences in the areas of confidentiality, authentication and key distribution
Introduction cont...
The main problems of conventional encryption
that can be solved with public key cryptography
1. Key distribution
- in a conventional scheme the communicating parties
have to either share a common secret key or use a key
distribution centre
- in a public key scheme it is possible to exchange a
session key securely
2. Authentication
- the need for a digital signature
Misconceptions about public key encryption
"Public key encryption is more secure than secret key encryption"
- the security of any encryption scheme depends on the length of the key and the computational work needed to break the cipher
- there is no principal difference between conventional and public key encryption in this respect
"Public key encryption is a general purpose technique and has made conventional encryption obsolete"
- the computational overhead of current public key schemes compared to conventional encryption is high
- conventional encryption will be used for the foreseeable future
"Key distribution is trivial when using public key encryption"
- the procedures and protocols are no simpler nor more efficient than those required for conventional encryption
Principles of public-key cryptosystems
- Public key algorithms use one key for encryption and another, related key for decryption
- a pair of keys: public key and private key (note: the term secret key refers to a conventional encryption key)
- it is not practical to deduce one key from the other
- Everybody has access to the public key, whereas the private key is kept secret
- Anybody can encrypt messages, but only the receiver can decrypt them
- In some public key cryptosystems (e.g. RSA) it is possible to use either of the keys for encryption and the other for decryption
The basic principle
The message source is A and the destination B.
Confidentiality:
B generates the related keys: a public key KU_b and a private key KR_b. With the message X and KU_b as input, A can form the ciphertext Y = E_KUb(X). The receiver B, having the private key KR_b, is able to decrypt the ciphertext: X = D_KRb(Y).
Authentication:
Also A generates the related keys: a public key KU_a and a private key KR_a. A prepares a message to B and encrypts it with its own private key: Y = E_KRa(X). B can decrypt the message using A's public key KU_a: X = D_KUa(Y). If the message decrypts to something meaningful, only A could have sent it, since it was encrypted with A's private key. The entire encrypted message serves as a digital signature in this case. Furthermore this offers data integrity, since it is impossible to alter the message without KR_a.
However this is not a practical authentication solution, it merely illustrates the principle.
The basic principles cont...
Confidentiality and authentication at the same time:
The previous authentication scheme did not offer any secrecy, i.e. the message is safe from alteration but not from eavesdropping. However it is easy to provide both functions by a double use of the public key scheme:
Z = E_KUb[E_KRa(X)]
X = D_KUa[D_KRb(Z)]
In other words the authentication function is hidden inside the secrecy function. This is computationally a heavy solution, since the public key algorithm must be executed four times (twice by the sender, twice by the receiver).
Conventional encryption and public-key encryption compared

Conventional encryption
Needed to work:
1. The same algorithm with the same key is used for encryption and decryption
2. The sender and the receiver must share the algorithm and the key
Needed for security:
1. The key must be kept secret
2. It must be impractical to decipher a message if no other information is available
3. Knowledge of the algorithm plus samples of the ciphertext must be insufficient to determine the key

Public-key encryption
Needed to work:
1. One algorithm is used for encryption and decryption with a pair of keys, one for encryption and one for decryption
2. The sender and the receiver must each have one of the matched pair of keys (not the same one)
Needed for security:
1. One of the two keys must be kept secret
2. It must be impractical to decipher a message if no other information is available
3. Knowledge of the algorithm plus one of the keys plus samples of the ciphertext must be insufficient to determine the other key
One-way function
A one-way function is one-to-one (every value has a unique inverse) with the condition that calculating Y = f(X) is easy while computing its inverse X = f^-1(Y) is infeasible.
A trap-door one-way function is a one-way function which is, however, easy to calculate also in the inverse direction given some additional information (the trap door).
Formally, a trap-door one-way function is a family of invertible functions f_k such that
Y = f_k(X) is easy if k and X are known
X = f_k^-1(Y) is easy if k and Y are known
X = f_k^-1(Y) is infeasible if Y is known but k is unknown.
The development of a practical public key cryptosystem depends on the discovery of a suitable trap-door one-way function.
One-way functions cont...
- It is not known whether one-way functions exist or not, but many functions are believed to be one-way.
- In practice one-way functions are complex to calculate in both directions. Public key cryptography could not exist without computers.
- Easy to calculate means in this context that the problem can be solved in polynomial time as a function of the input length
- Infeasible is a fuzzier concept. The problem is said to be infeasible if the effort needed to solve it grows faster than any polynomial as a function of the input length. An example is a solving effort of 2^n for input length n.
- A keyed one-way function produces a conventional cryptosystem.
One-way functions cont...
Public key cryptosystems are based on the following trap-door one-way functions:
- Finding the discrete logarithm: a^x mod p = b; find x?
  easy over the integers, but difficult in remainder classes (modular arithmetic)
- Finding the prime factors of large numbers: n = p * q; find p and q when n is known?
- Elliptic curves (the discrete logarithm problem in the group of points of an elliptic curve)
- Knapsack problem (historical; the Merkle-Hellman knapsack systems were broken)
- Generally some problem believed to be hard. Note that neither factoring nor the discrete logarithm is known to be NP-complete, and basing a system on an NP-complete problem (as the knapsack schemes did) does not by itself make it secure
The RSA algorithm
- Developed in 1977 by Rivest, Shamir and Adleman at MIT.
- The first real public key cryptosystem capable of both encryption and digital signatures.
- The only widely accepted and implemented general purpose PKC
- A block cipher in which blocks are interpreted as integers
- Based on factoring of large numbers, which is not known to be NP-complete
- Security is believed to rest on the difficulty of factoring n; it has not been proved that breaking RSA is equivalent to factoring
- The patent expired in 2000
RSA ...
Encryption and decryption are of the following form for a plaintext block M and ciphertext block C:
C = M^e mod n
M = C^d mod n = (M^e)^d mod n = M^(ed) mod n
Both the sender and receiver know n and e, but only the receiver knows d. Thus the public key is KU = {n, e} and the private key is KR = {n, d}.
The requirements for this PKC:
1. It is possible to find values e, d, n such that M^(ed) = M mod n for all M < n
2. It is (relatively) easy to calculate M^e mod n and C^d mod n for all M < n
3. It is infeasible to determine d given e and n.
The RSA Algorithm
RSA example: key generation
1. Select two primes p = 7 and q = 17.
2. Calculate n = pq = 119.
3. Calculate φ(n) = (p-1)(q-1) = 96.
4. Select e such that e is relatively prime to φ(n) = 96 and less than φ(n); in this case select e = 5.
5. Determine d such that de = 1 mod 96 and d < 96. The correct value is d = 77, because 77*5 = 385 = 4*96 + 1.
KU = {5, 119} and KR = {77, 119}
RSA example: encryption and decryption
Encryption: C = M^e mod n
Decryption: M = C^d mod n
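The key generation and the encryption/decryption of the two slides above, run as code with the slide's numbers. This is an added example, not code from the original slides; besides the slide's steps it shows the signature direction (apply d, then e) from the "authentication" principle earlier on the page, and it factors the toy n to recover d, which is the mathematical attack that a real key length has to make infeasible.

```python
"""Textbook RSA with the slide's numbers: p = 7, q = 17, n = 119, phi = 96, e = 5, d = 77.

Added example for this page, not code from the original slides.
"""
from math import gcd


def rsa_keygen(p, q, e):
    """Steps 1-5 of the slide. Returns (KU, KR) = ((n, e), (n, d))."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if not 1 < e < phi or gcd(e, phi) != 1:
        raise ValueError("e must lie in (1, phi) and be coprime to phi")
    d = pow(e, -1, phi)          # modular inverse: e*d = 1 mod phi
    return (n, e), (n, d)


def rsa_encrypt(m, public):
    """C = M^e mod n; the block M must be an integer below n."""
    n, e = public
    if not 0 <= m < n:
        raise ValueError("block must be an integer in [0, n)")
    return pow(m, e, n)


def rsa_decrypt(c, private):
    """M = C^d mod n"""
    n, d = private
    return pow(c, d, n)


def rsa_sign(m, private):
    """Authentication: apply the private exponent; anyone with e can undo it."""
    return rsa_decrypt(m, private)


def rsa_verify(m, sig, public):
    return rsa_encrypt(sig, public) == m


def all_blocks_roundtrip(public, private):
    """Requirement 1 on the slide: M^(ed) = M mod n for every M < n."""
    n = public[0]
    return all(rsa_decrypt(rsa_encrypt(m, public), private) == m for m in range(n))


def recover_private_exponent(public):
    """Mathematical attack: factor n by trial division and recompute d.
    Instant for n = 119; the whole security argument is that it is not
    instant for a 1024-bit n."""
    n, e = public
    p = next(x for x in range(2, n) if n % x == 0)
    q = n // p
    return pow(e, -1, (p - 1) * (q - 1))


if __name__ == "__main__":
    public, private = rsa_keygen(7, 17, 5)
    c = rsa_encrypt(19, public)
    print("KU =", public, "KR =", private)
    print("M = 19 -> C =", c, "-> M =", rsa_decrypt(c, private))
    print("d recovered by factoring n:", recover_private_exponent(public))
```

With M = 19 the ciphertext is 66 (19^5 mod 119), and 66^77 mod 119 gives 19 back. Textbook RSA on bare integers as shown here is only the teaching model: real use pads the block, and the padding is part of the security.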
RSA cryptanalysis
Brute force: the number of different keys has to be large, just like in conventional cryptography
- however, large keys slow down the encryption rapidly, making its use impractical beyond some size
Mathematical attacks: attacks against the one-way function, i.e. factoring n
- RSA-129 was broken in 1994: about 1600 computers over the internet, it took 8 months
- a 130-digit number is the longest that has been factorised (at the time of these slides)
- the use of 1024-bit keys (about 300 digits) is now recommended
Timing attacks
- an attack from a completely unexpected direction
- monitor the execution times of different parts of the algorithm and thus gain knowledge of the key
- a ciphertext-only attack
Key management
One of the major applications of PKCs
There are two aspects to the use of a PKC in this
regard:
the distribution of public keys
1. Public announcement
2. Publicly available directory
3. Public-key authority
4. Public key certificates
the use of public-key encryption to distribute secret
keys.
1. Simple secret key distribution
2. Secret key distribution with confidentiality and authentication
Distribution of public keys
Public announcement
- Simply publish the public key (for some widely accepted algorithm like RSA)
- anybody can send his public key to any participant or broadcast it to the community at large
- e.g. many PGP users have adopted the practice of appending their public key to messages that they send to public forums
- This approach is very convenient, but it has a major weakness: anybody can easily forge the public announcement
- thus the forger is able to read all encrypted messages intended for the original receiver
- the forger is also able to use the forged keys for authentication
Distribution of public keys
Publicly available directory
- Maintain a publicly available dynamic directory of public keys
- maintenance and distribution of the public keys is the responsibility of a trusted entity (TTP)
The needed elements for this kind of scheme
1. Participants register a public key using some form of secure authenticated communication
2. A participant can replace an existing key at any time
3. Periodically the authority publishes the whole directory of keys
There are still vulnerabilities
- the opponent could tamper with the records kept by the authority
Distribution of public keys
Public key authority
- A central authority maintains a dynamic directory of the public keys of all participants.
- All participants reliably know the public key of the authority
1. The initiator A sends a timestamped message to the authority requesting the current public key of B.
2. The authority responds with a message encrypted (i.e. signed) with the authority's private key KR_auth. The message contains
- KU_b, which A can use to encrypt messages to B
- the original request, so that A can verify that it was not altered by the opponent
- the original timestamp, so that A can determine that this is not an old message containing a no longer valid public key for B (replay attack)
3. A sends its identifier ID_A and a nonce N1, used to identify the transaction uniquely, to B. The message is encrypted with KU_b
4.-5. B retrieves the public key of A from the authority in the same manner that A did (two messages, as in steps 1 and 2).
Distribution of public keys
Public key authority
- Public keys have now been securely delivered to A and B. However two additional steps are needed for mutual authentication
6. B sends a message to A encrypted with KU_a and containing A's nonce N1 and a new nonce N2. Because only B could have decrypted N1, B's authenticity is verified.
7. A returns N2 encrypted with B's public key to assure A's identity.
- Note that steps 1-5 need only be taken infrequently because A and B both save the public keys.
- The authority could be somewhat of a bottleneck in the system
- The directory maintained by the authority is vulnerable to tampering
Distribution of public keys
Public key certificates
- Suggested by Kohnfelder in 1978
- In this approach certificates are used to enable participants to exchange keys without contacting the authority, in a way that is as reliable as if the keys were obtained from the certificate authority (CA)
- A certificate contains a public key and other information, is created by the authority, and is given to the participant with the matching private key.
- A participant conveys its public key to another by transmitting the certificate. Other participants can verify that the certificate was created by the authority.
- In a simple PKI architecture, the CA may be the systems administrator who issues certificates to end users.
- In a more complex environment, a CA may be a large enterprise, a government agency, or a third-party consortium that acts as a trust agent for a specific industry.
Distribution of public keys
Public key certificates
The requirements for the scheme
- Any participant must be able to read certificates to get the public key and other information
- Any participant must be able to verify that the certificate has been created by the authority
- Only the authority can create or update certificates
- Any participant must be able to verify the currency of the certificate
- Trusting a CA assumes that the authority has taken significant measures to verify the certificate holder's identity.
The basic principle
- The certificate of a participant A is C_A = E_KRauth[T, ID_A, KU_a], where T is a timestamp
- Any participant can read the certificate using the authority's public key:
  D_KUauth[C_A] = D_KUauth[E_KRauth[T, ID_A, KU_a]] = (T, ID_A, KU_a)
- and since only the authority holds KR_auth, a certificate that reads back correctly must have been created by it
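The certificate principle above, C_A = E_KRauth[T, ID_A, KU_a] and D_KUauth[C_A], as an added example (not code from the slides) that also enforces the currency requirement. The authority's "encryption with KR_auth" is textbook RSA applied to a SHA-256 digest of the fields; the authority key pair is built from two hard-coded Mersenne primes so that the code runs offline, and because those primes are public the key is trivially factorable. It is a model of the scheme, not a usable CA; the identity "A", the toy subject key (119, 5) and the timestamps are constructed for the example.

```python
"""Public-key certificate C_A = E_KRauth[T, ID_A, KU_a] and its verification.

Added example for this page, not from the original slides. The authority
key pair below is built from two public Mersenne primes (demonstration
only: anyone can recompute KR_auth from them).
"""
import hashlib
import json

_P, _Q = (1 << 127) - 1, (1 << 521) -1
_N, _E = _P * _Q, 65537
_D = pow(_E, -1, (_P - 1) * (_Q - 1))
KU_AUTH = (_N, _E)   # known reliably to every participant
KR_AUTH = (_N, _D)   # held only by the authority


def _digest(fields):
    """Canonical encoding so signer and verifier hash identical bytes;
    the 256-bit digest is far below _N, so textbook RSA applies directly."""
    data = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def issue_certificate(identity, subject_public_key, issued_at, lifetime,
                      authority_private=KR_AUTH):
    """Authority: bind T (issue time), ID_A and KU_a under KR_auth.
    `issued_at` and `lifetime` are integer seconds."""
    n, d = authority_private
    fields = {"T": issued_at, "ID": identity, "KU": list(subject_public_key),
              "expires": issued_at + lifetime}
    return {"fields": fields, "sig": pow(_digest(fields), d, n)}


def read_certificate(cert, now, authority_public=KU_AUTH):
    """Any participant: D_KUauth[C_A]. Check that the authority created the
    certificate and that it is current, then return (T, ID_A, KU_a).
    Raises ValueError on any failure rather than returning partial data."""
    n, e = authority_public
    fields = cert["fields"]
    if pow(cert["sig"], e, n) != _digest(fields):
        raise ValueError("certificate was not created by the authority")
    if not fields["T"] <= now < fields["expires"]:
        raise ValueError("certificate is not current")
    return fields["T"], fields["ID"], tuple(fields["KU"])


def is_valid(cert, now, authority_public=KU_AUTH):
    try:
        read_certificate(cert, now, authority_public)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    cert = issue_certificate("A", (119, 5), issued_at=1000, lifetime=3600)
    print(read_certificate(cert, now=1500))
    cert["fields"]["KU"] = [119, 7]       # tamper with the bound key
    print("tampered certificate accepted:", is_valid(cert, 1500))
```

The two checks in read_certificate() are exactly the two requirements of the slide: the signature check is "created by the authority", the time window is "currency". Changing any field, including the subject's key, changes the digest and fails the first check.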
Distribution of public keys
Public key certificates
- In practice the certificate also contains other information
- version
- validity time
- algorithms used
- issuer
- extensions
- The X.509 standard has become universally accepted for formatting public key certificates
- used in IPsec, SSL, SET, S/MIME
Public key distribution of secret keys
Simple secret key distribution
- A and B want to agree on a secret key (i.e. a conventional session key) for the transmission of messages, using a key pair generated just for this exchange
1. The initiator A generates a key pair {KU_a, KR_a} and transmits a message to B consisting of KU_a and A's identifier ID_A
2. B generates the secret key K_s and transmits it to A encrypted with KU_a
3. A computes D_KRa[E_KUa[K_s]]. Now both A and B know the secret key K_s
4. The public and private keys involved are discarded.
- This is an attractive protocol. No keys exist before or after the key exchange, so there is no long-lived key to compromise. Also the communication is safe from passive eavesdropping.
- This protocol is however vulnerable to an active attack, the so-called man-in-the-middle attack.
Public key distribution of secret keys
Man-in-the-middle attack
- In the previous simple secret key distribution, suppose that an opponent E has control of the communication channel
1. The initiator A generates a key pair {KU_a, KR_a} and transmits a message to B consisting of KU_a and A's identifier ID_A
2. E intercepts the message, creates its own key pair {KU_e, KR_e} and transmits KU_e || ID_A to B.
3. B generates the secret key K_s and transmits it to A encrypted with KU_e, believing that it was A's public key
4. E intercepts the message and learns K_s by decrypting the message with KR_e
5. E transmits K_s to A encrypted with KU_a
- Neither A nor B noticed anything wrong in the key exchange. A and B are unaware that E also knows the secret key.
- E no longer needs to interfere actively with the communication, but can simply eavesdrop.
- The root cause is that nothing in the exchange binds KU_a to A's identity.
Secret key distribution with confidentiality and authentication (countermeasure to man-in-the-middle)
- A scheme providing protection against both passive and active attacks. It assumes that A and B have already obtained each other's public keys securely
1. A sends ID_A and a nonce N1, to identify the transaction uniquely, encrypted with KU_b
2. B replies with N1 and a new nonce N2 encrypted with KU_a. The presence of N1 in the message assures A that the correspondent is B.
3. A returns N2 encrypted with B's public key. This assures B that the correspondent is A.
4. A generates the secret key K_s and transmits M = E_KUb[E_KRa[K_s]] to B. Now only B can decrypt M, and the encryption with A's private key proves that A was the sender of M.
5. B computes D_KUa[D_KRb[M]] to recover the key.
Diffie-Hellman key exchange
- The first published public key algorithm, by Diffie and Hellman in 1976.
- The patent expired in 1997
- Widely used in commercial products
- The purpose is to enable two users to establish a key securely, to be used in subsequent encryption of messages.
- both communicating parties can independently compute the secret key without exchanging any secret information.
- allows the construction of a common secret key over an insecure communication channel
- The algorithm is based on the difficulty of computing discrete logarithms in remainder-class (modular) arithmetic
- it is relatively easy to calculate exponentials modulo a prime, but it is infeasible to calculate discrete logarithms
Diffie-Hellman - example
- Global public elements are chosen as the prime q = 97 and a primitive root of q, α = 5.
- A and B select the secret keys X_A = 36 and X_B = 58.
- Each computes its public key:
  Y_A = 5^36 mod 97 = 50
  Y_B = 5^58 mod 97 = 44
- A and B exchange the public keys (encryption is not needed)
- Now each can compute the common secret key:
  K = (Y_B)^X_A mod 97 = 44^36 mod 97 = 75
  K = (Y_A)^X_B mod 97 = 50^58 mod 97 = 75
- An opponent who knows {q, α, Y_A, Y_B} cannot compute K = 75 without taking a discrete logarithm.
A simple protocol using Diffie-Hellman key
exchange
Diffie-Hellman - attacks
- The key exchange is vulnerable to a man-in-the-middle attack
- the opponent is able to control the communication line
- use digital signatures on the exchanged values as a countermeasure
- Mathematical attacks: the algorithm is generally considered secure
- the security may be compromised by bad choices of the modulus and generator
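The example exchange and the man-in-the-middle attack of the two slides above, run with numbers. This is an added example, not code from the original slides: q, α, X_A and X_B are the slide's values; the attacker's two exponents (7 and 11) are constructed for the example. The brute-force discrete logarithm at the end is the computation a passive opponent would need, feasible here only because q = 97.

```python
"""Diffie-Hellman with the slide's parameters, plus the man-in-the-middle
attack from the "attacks" slide carried through with numbers.

Added example for this page, not from the original slides.
"""

Q, ALPHA = 97, 5  # global public elements: prime q and primitive root alpha


def dh_public(secret, q=Q, alpha=ALPHA):
    """Y = alpha^X mod q"""
    return pow(alpha, secret, q)


def dh_shared(their_public, my_secret, q=Q):
    """K = Y^X mod q"""
    return pow(their_public, my_secret, q)


def honest_exchange(x_a, x_b):
    """Return (Y_A, Y_B, K as computed by A, K as computed by B)."""
    y_a, y_b = dh_public(x_a), dh_public(x_b)
    return y_a, y_b, dh_shared(y_b, x_a), dh_shared(y_a, x_b)


def man_in_the_middle(x_a, x_b, x_e1, x_e2):
    """E swaps its own public values in for Y_A and Y_B in transit.
    Returns (K seen by A, K seen by B, K E shares with A, K E shares with B).
    A and B each complete the protocol normally, yet end up with different
    keys, both known to E, because nothing binds a public value to an identity.
    """
    y_a, y_b = dh_public(x_a), dh_public(x_b)
    y_e1, y_e2 = dh_public(x_e1), dh_public(x_e2)
    k_a = dh_shared(y_e1, x_a)          # A was handed Y_E1 instead of Y_B
    k_b = dh_shared(y_e2, x_b)          # B was handed Y_E2 instead of Y_A
    return k_a, k_b, dh_shared(y_a, x_e1), dh_shared(y_b, x_e2)


def discrete_log(y, q=Q, alpha=ALPHA):
    """Brute-force discrete logarithm: the work a passive opponent must do to
    get K from {q, alpha, Y_A, Y_B}. Feasible only for a tiny q."""
    for x in range(q - 1):
        if pow(alpha, x, q) == y:
            return x
    return None


if __name__ == "__main__":
    print("honest exchange (Y_A, Y_B, K_A, K_B):", honest_exchange(36, 58))
    print("man in the middle (K_A, K_B, E's keys):", man_in_the_middle(36, 58, 7, 11))
    print("X_A recovered by brute force:", discrete_log(50))
```

In the attack E re-encrypts every later message from A's key to B's key and back, so the traffic flows normally and the parties see nothing unusual; the signature countermeasure on the slide works because E cannot produce A's or B's signature on its substituted values.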
Other public key applications - blind signature (just an example)
- The purpose is to be able to get a signature without exposing anything of the message being signed
- The person who signs does not know what he signed, but he is able to prove later that the signature is (or is not) his.
- eCash is an example application; others are time-stamp services and anonymous access services
- A wants B to sign a message M without B knowing anything about M. We use RSA to implement the blind signature.
- B has a public key (n, e) and a private key (n, d). A generates a random number r such that gcd(r, n) = 1.
- A sends the blinded message M' = r^e M mod n (the message M is blinded with the random number r)
- B responds with S' = (M')^d = (r^e M)^d mod n
- Because S' = r M^d mod n, A can get the signature S as
  S = S' r^-1 mod n = (r M^d) / r mod n = M^d mod n (A removes the blinding)
Thus A now has B's signature S on M!
Note that the construction relies on the multiplicative (homomorphic) property of RSA, (r^e M)^d = r M^d mod n; only signature schemes with such a property can be used this way.
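The blind signature above, step by step, with B's toy key from the RSA example on this page (n = 119, e = 5, d = 77). This is an added example, not code from the original slides; the blinding factors used in the usage lines are chosen for the example, and the gcd(r, n) = 1 condition from the slide is enforced rather than assumed.

```python
"""RSA blind signature from the slide, with B's toy key n = 119, e = 5, d = 77.

Added example for this page, not from the original slides.
"""
from math import gcd
from random import Random

N, E, D = 119, 5, 77   # B's key pair from the RSA example on this page


def blind(m, r, n=N, e=E):
    """A: M' = r^e * M mod n. The factor r must be invertible mod n."""
    if gcd(r, n) != 1:
        raise ValueError("blinding factor must be coprime to n")
    return (pow(r, e, n) * m) % n


def sign_blinded(m_blind, n=N, d=D):
    """B: signs M' without learning M; all B ever sees is r^e * M mod n."""
    return pow(m_blind, d, n)


def unblind(s_blind, r, n=N):
    """A: S = S' * r^-1 mod n, because (r^e M)^d = r * M^d mod n."""
    return (s_blind * pow(r, -1, n)) % n


def direct_signature(m, n=N, d=D):
    """What B would produce if shown M; used to check the unblinded result."""
    return pow(m, d, n)


def verify(m, s, n=N, e=E):
    """Anyone: S^e mod n == M"""
    return pow(s, e, n) == m


def blind_signature(m, r):
    """The whole exchange: A blinds, B signs, A unblinds."""
    return unblind(sign_blinded(blind(m, r)), r)


def pick_blinding_factor(rng, n=N):
    """Random r in [2, n) with gcd(r, n) = 1, retrying on the rare failure."""
    while True:
        r = rng.randrange(2, n)
        if gcd(r, n) == 1:
            return r


if __name__ == "__main__":
    r = pick_blinding_factor(Random(7))
    s = blind_signature(19, r)
    print("blinded message seen by B:", blind(19, r))
    print("signature", s, "equals direct signature:", s == direct_signature(19),
          "verifies:", verify(19, s))
```

With r = 3 the blinded value B sees is 95, which tells B nothing about M = 19, yet the unblinded S is identical to what B would have produced on 19 directly. The same property that makes this work (multiplicativity) is also why textbook RSA must not be used to sign raw messages in general: a signer can be tricked into signing anything.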
