The past decade has seen an explosion in the concern for the security of information
Malicious codes (viruses, worms, etc.) caused over $28 billion in economic losses in 2003, and will grow to over $75 billion by 2007
Spams, phishing
New Internet security landscape emerging: BOTNETS !
Outline
History of Security and Definitions
Overview of Cryptography
Symmetric Cipher
Classical Symmetric Cipher
Modern Symmetric Ciphers (DES and AES)
Internet
Computers are all connected and interdependent
This codependency magnifies the effects of any failures
Biological Analogy
Computing today is very homogeneous.
A single architecture and a handful of OSes dominate
Computers are like the animals, the Internet provides the vector.
It is like having only one kind of cow in the world, and having them drink from one single pool of water!
Authenticity is the identification and assurance of the origin of information. Integrity refers to the trustworthiness of data or resources in terms of preventing improper and unauthorized changes.
[Figure: data sent to Bob (secure receiver); Trudy as eavesdropper, perpetrator, and masquerader ("from A")]
Attack on Availability
Destroy hardware (cutting fiber) or software
Modify software in a subtle way (alias commands)
Corrupt packets in transit
Outline
Overview of Cryptography
Symmetric Cipher
Classical Symmetric Cipher
Modern Symmetric Ciphers (DES and AES)
Basic Terminology
plaintext - the original message
ciphertext - the coded message
Classification of Cryptography
Number of keys used
Hash functions: no key
Secret key cryptography: one key
Public key cryptography: two keys - public, private
Commercial: published
Wide review, trust
Computational security
The cost of breaking the cipher exceeds the value of the encrypted info
The time required to break the cipher exceeds the useful lifetime of the info
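Key size (bits)    Time required at 1 decryption/µs    Time required at 10^6 decryptions/µs
32                 2^31 µs = 35.8 minutes              2.15 milliseconds
56                 2^55 µs = 1142 years                10.01 hours
128                2^127 µs = 5.4 × 10^24 years        5.4 × 10^18 years
168                2^167 µs = 5.9 × 10^36 years        5.9 × 10^30 years
26 characters (permutation): 26! = 4 × 10^26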
Outline
Overview of Cryptography
Modern Symmetric Ciphers (DES and AES)
Asymmetric Cipher
One-way Hash Functions and Message Digest
Requirements
Two requirements for secure use of symmetric encryption:
a strong encryption algorithm
a secret key known only to sender / receiver
Y = E_K(X)
X = D_K(Y)
Caesar Cipher
Earliest known substitution cipher
Caesar Cipher
Define transformation as:
a b c d e f g h i j k l m n o p q r s t u v w x y z
D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
13 14 15 16 17 18 19 20 21 22 23 24 25
Given ciphertext, just try all shifts of letters
Do need to recognize when have plaintext
E.g., break ciphertext "GCUA VQ DTGCM"
How to make it harder?
Monoalphabetic Cipher
Rather than just shifting the alphabet
Ciphertext: WIRFRWAJUHYFTSDVFSFUUFYA
Is that secure?
Problem is language characteristics
Human languages are redundant
Letters are not equally commonly used
Note that all human languages have varying letter frequencies, though the number of letters and their frequencies vary.
Example Cryptanalysis
Given ciphertext:
UZQSOVUOHXMOPVGPOZPEVSGZWSZOPFPESXUDBMETSXAIZ VUEPHZHMDZSHZOWSFPAPPDTSVPQUZWYMXUZUHSX EPYEPOPDZSZUFPOMBZWPFUPZHMDJUDTMOHMQ
Transposition Ciphers
Now consider classical transposition or permutation ciphers
These hide the message by rearranging the letter order, without altering the actual letters used
Any shortcut for breaking it?
Can recognise these since have the same frequency distribution as the original text
Giving ciphertext
MEMATRHTGPRYETEFETEOAAT
Product Ciphers
Ciphers using substitutions or transpositions are not secure because of language characteristics
Hence consider using several ciphers in succession to make harder, but:
Two substitutions make another substitution
Two transpositions make a more complex transposition
But a substitution followed by a transposition makes a new much harder cipher
Rotor Machines
Before modern ciphers, rotor machines were the most common complex ciphers in use
Widely used in WW2
German Enigma, Allied Hagelin, Japanese Purple
Outline
Overview of Cryptography
Asymmetric Cipher
One-way Hash Functions and Message Digest
Substitution-Permutation Ciphers
Substitution-permutation (S-P) networks
[Shannon, 1949]
modern substitution-transposition product cipher
[Figure: DES structure: 56-bit key, rounds up to Round 16, swap, permutation, 64-bit output]
DES Summary
Simple, easy to implement:
Hardware/gigabits/second, software/megabits/second
56-bit key DES may be acceptable for noncritical applications but triple DES (DES3) should be secure for most applications today
Supports several operation modes (ECB, CBC, OFB, CFB) for different applications
Avalanche Effect
Key desirable property of encryption algorithm
Where a change of one input or key bit results in changing more than half output bits
DES exhibits strong avalanche
Still must be able to recognize plaintext
No big flaw for DES algorithms
DES Replacement
Triple-DES (3DES)
168-bit key, no brute force attacks
Underlying encryption algorithm the same, no effective analytic attacks
Drawbacks
Performance: no efficient software codes for DES/3DES
Efficiency/security: bigger block size desirable
AES
Private key symmetric block cipher
128-bit data, 128/192/256-bit keys
Evaluation criteria
Security: effort to practically cryptanalyse
Cost: computational efficiency and memory requirement
Algorithm & implementation characteristics: flexibility to apps, hardware/software suitability, simplicity
AES Shortlist
After testing and evaluation, shortlist in Aug99:
MARS (IBM) - complex, fast, high security margin
RC6 (USA) - v. simple, v. fast, low security margin
Outline
Symmetric Cipher
Classical Symmetric Cipher
Modern Symmetric Ciphers (DES and AES)
Private-Key Cryptography
Private/secret/single key cryptography uses one key
Shared by both sender and receiver
If this key is disclosed communications are compromised
Also is symmetric, parties are equal
Hence does not protect sender from receiver forging a message & claiming is sent by sender
Public-Key Cryptography
Probably most significant advance in the 3000 year history of cryptography
Uses two keys: a public & a private key
Asymmetric since parties are not equal
Uses clever application of number theoretic concepts to function
Complements rather than replaces private key crypto
Public-Key Cryptography
Public-key/two-key/asymmetric cryptography involves the use of two keys:
a public-key, which may be known by anybody, and can be used to encrypt messages, and verify signatures
a private-key, known only to the recipient, used to decrypt messages, and sign (create) signatures
Asymmetric because
those who encrypt messages or verify signatures cannot decrypt messages or create signatures
Public-Key Cryptography
Public-Key Characteristics
Public-Key algorithms rely on two keys with the characteristics that it is:
computationally infeasible to find decryption key knowing only algorithm & encryption key
computationally easy to en/decrypt messages when the relevant (en/decrypt) key is known
either of the two related keys can be used for encryption, with the other used for decryption (in some schemes)
Public-Key Cryptosystems
Variable key length (usually 512 bits). Variable plaintext block size.
Plaintext must be smaller than the key. Ciphertext block size is the same as the key length.
What Is RSA?
To generate key pair:
Pick large primes (>= 256 bits each) p and q
Let n = p*q, keep your p and q to yourself!
For public key, choose e that is relatively prime to φ(n) = (p-1)(q-1), let pub = <e,n>
For private key, find d that is the multiplicative inverse of e mod φ(n), i.e., e*d = 1 mod φ(n), let priv = <d,n>
RSA Example
1. Select primes: p=17 & q=11
2. Compute n = pq = 17×11 = 187
3. Compute φ(n) = (p-1)(q-1) = 16×10 = 160
4. Select e: gcd(e,160)=1; choose e=7
5. Determine d: de = 1 mod 160 and d < 160. Value is d=23 since 23×7 = 161 = 1×160+1
6. Publish public key KU={7,187}
7. Keep secret private key KR={23,17,11}
decryption:
M = 11^23 mod 187 = 88
Is RSA Secure?
Factoring 512-bit number is very hard!
But if you can factor big number n then given public key <e,n>, you can find d, hence the private key by:
Knowing factors p, q, such that, n = p*q
Then φ(n) = (p-1)(q-1)
Then d such that e*d = 1 mod φ(n)
Threat
Moore's law
Refinement of factorizing algorithms
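Added example (not from the original slides): the key generation steps run on the slides' toy values p=17, q=11, e=7, followed by recovery of d from the public key alone by factoring n, which is the reason n must be too large to factor. Function names are hypothetical, and trial division succeeds here only because n = 187 is tiny.

```python
from math import gcd, isqrt

def modinv(a, m):
    """Multiplicative inverse of a mod m via the extended Euclidean algorithm."""
    old_r, r, old_s, s = a, m, 1, 0
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    if old_r != 1:
        raise ValueError("no inverse: a and m are not relatively prime")
    return old_s % m

def make_keypair(p, q, e):
    """Return (pub, priv) = (<e,n>, <d,n>) as on the slide."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to phi(n)")
    return (e, n), (modinv(e, phi), n)

def encrypt(m, pub):
    e, n = pub
    if not 0 <= m < n:
        raise ValueError("plaintext must be smaller than n")
    return pow(m, e, n)

def decrypt(c, priv):
    d, n = priv
    return pow(c, d, n)

def recover_private_key(pub):
    """Factor n by trial division (toy sizes only), then repeat key generation."""
    e, n = pub
    p = next(f for f in range(2, isqrt(n) + 1) if n % f == 0)
    q = n // p
    return modinv(e, (p - 1) * (q - 1)), n

if __name__ == "__main__":
    pub, priv = make_keypair(17, 11, 7)
    c = encrypt(88, pub)                  # 88 is the message recovered on the slide
    print(pub, priv, c, decrypt(c, priv), recover_private_key(pub))
```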
Outline
History of Security and Definitions
Overview of Cryptography
Symmetric Cipher
Classical Symmetric Cipher
Modern Symmetric Ciphers (DES and AES)
Asymmetric cipher?
Too expensive
Plaintext has to be intelligible/understandable
Desirable to cipher on a much smaller size of data which uniquely represents the long message
Hash Functions
Condenses arbitrary message to fixed size
h = H(M)
Usually assume that the hash function is public and not keyed
Hash used to detect changes to message
Can use in various ways with message
Birthday Problem
How many people do you need so that the probability of having two of them share the same birthday is > 50% ?
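Added example (not from the original slides): the birthday question answered exactly for 365 days, then generalized to hash digests, where the same effect means a collision among random inputs is expected after roughly the square root of the number of possible digests. The function names and the square-root approximation sqrt(2 ln 2 · N) are introduced here.

```python
import math

def people_needed(days=365, target=0.5):
    """Smallest group size whose chance of a shared value exceeds target."""
    p_all_distinct = 1.0
    k = 0
    while 1.0 - p_all_distinct <= target:
        # the next person must avoid the k values already taken
        p_all_distinct *= (days - k) / days
        k += 1
    return k

def collision_work_bits(digest_bits):
    """log2 of the approximate number of random messages needed for a
    50% chance that two of them share a digest of the given size."""
    samples = math.sqrt(2 * math.log(2) * 2 ** digest_bits)
    return math.log2(samples)

if __name__ == "__main__":
    print(people_needed())                  # birthdays
    print(people_needed(2 ** 16))           # a 16-bit digest, computed exactly
    for bits in (128, 160):                 # MD5 and SHA-1 digest sizes
        print(bits, round(collision_work_bits(bits), 2))
```

A 128-bit digest therefore offers about 64 bits of collision resistance, and a 160-bit digest about 80.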
Bob to Alice: r_B
Alice to Bob: MD(K_AB|r_B)
Only need to compare MD results
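Added example (not from the original slides): both sides of the exchange above, with Bob issuing a fresh random challenge r_B and accepting each challenge at most once so that a captured response cannot be replayed. SHA-256 stands in for MD(), and the class and function names are assumptions of this example.

```python
import hashlib
import hmac
import secrets

def md(data):
    # Stand-in for the slide's MD(); SHA-256 is this example's choice.
    return hashlib.sha256(data).digest()

class Verifier:
    """Bob: issues challenges and checks responses against K_AB."""

    def __init__(self, k_ab):
        self.k_ab = k_ab
        self.outstanding = set()        # challenges issued but not yet answered

    def challenge(self):
        r_b = secrets.token_bytes(16)   # unpredictable, never reused
        self.outstanding.add(r_b)
        return r_b

    def verify(self, r_b, response):
        if r_b not in self.outstanding:
            return False                # unknown or already used challenge
        self.outstanding.discard(r_b)   # one attempt per challenge
        expected = md(self.k_ab + r_b)
        return hmac.compare_digest(expected, response)  # constant-time compare

def respond(k_ab, r_b):
    """Alice: proves knowledge of K_AB without sending it."""
    return md(k_ab + r_b)

if __name__ == "__main__":
    key = b"constructed shared key K_AB"
    bob = Verifier(key)
    r = bob.challenge()
    answer = respond(key, r)
    print(bob.verify(r, answer))        # genuine response
    print(bob.verify(r, answer))        # same pair replayed
```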
MD5 Overview
1. Pad message so its length is 448 mod 512
2. Append a 64-bit original length value to message
3. Initialise 4-word (128-bit) MD buffer (A,B,C,D)
4. Process message in 16-word (512-bit) blocks:
Using 4 rounds of 16 bit operations on message block & buffer
Add output to buffer input to form new buffer value
ABCD = f_F(ABCD, m_i, T[1..16])
ABCD = f_G(ABCD, m_i, T[17..32])
ABCD = f_H(ABCD, m_i, T[33..48])
ABCD = f_I(ABCD, m_i, T[49..64])
[Figure: MD5 stage: the four passes in sequence over A, B, C, D, then four word additions (+) producing MD_{i+1}]
General Logic
Input message must be < 2^64 bits
not really a problem
Message is processed in 512-bit blocks sequentially
Message digest is 160 bits
SHA design is similar to MD5, a little slower, but a lot stronger
Designed for compatibility with increased security provided by the AES cipher
Structure & detail are similar to SHA-1
Hence analysis should be similar, but security levels are rather higher
Backup Slides
Cryptanalysis Scheme
Ciphertext only:
Exhaustive search until recognizable plaintext
Need enough ciphertext
Known plaintext:
Secret may be revealed (by spy, time), thus <ciphertext, plaintext> pair is obtained
Great for monoalphabetic ciphers
Chosen plaintext:
Choose text, get encrypted
Pick patterns to reveal the structure of the key
One-Time Pad
If a truly random key as long as the message is used, the cipher will be secure - One-Time pad
E.g., a random sequence of 0s and 1s XORed to plaintext, no repetition of keys
Unbreakable since ciphertext bears no statistical relationship to the plaintext
For any plaintext, it needs a random key of the same length
Hard to generate large amount of keys
[Figure: bit permutation: input bits 1..32 mapped, 1 bit each, to output positions 1..32]
[Figure: one round: 28-bit Ci and 28-bit Di, 48-bit Ki]
A DES Round
[Figure: a DES round: 32-bit Ln and 32-bit Rn; mangler function with 48-bit Ki (S-boxes, P); 32-bit Ln+1 and 32-bit Rn+1]
Mangler Function
[Figure: mangler function: 4-bit groups expanded to 6-bit groups, S-boxes S1..S8 each giving 4 bits, then permutation; 32 input bits expanded to 48 output bits]
2 bits used to select amongst 4 substitutions for the rest of the 4-bit quantity
[Figure: S-box Si, i = 1,...,8: 6 input bits I1..I6 (2 bits row, 4 bits column), 4 output bits O1..O4]
S-Box Examples
Each row and column contain different numbers.
      0   1   2   3   4   5   6   7   8   9 ... 15
0    14   4  13   1   2  15  11   8   3
1     0  15   7   4  14   2  13   1  10
2     4   1  14   8  13   6   2  11  15
3    15  12
Padding Twist
Given original message M, add padding bits 10* such that resulting length is 64 bits less than a multiple of 512 bits.
Append (original length in bits mod 2^64), represented in 64 bits to the padded message
Final message is chopped 512 bits a block
with message blocks
Is this a real one-time pad?
Add a random 64 bit number (aka IV)
b_1 = MD(K_AB|IV), b_i = MD(K_AB|b_{i-1}),
MD5 Process
As many stages as the number of 512-bit blocks in the final padded message
Digest: 4 32-bit words: MD=A|B|C|D
Every message block contains 16 32-bit words: m0|m1|m2|...|m15
Digest MD0 initialized to: A=01234567, B=89abcdef, C=fedcba98, D=76543210
Every stage consists of 4 passes over the message block, each modifying MD
Different Passes...
Each step i (1 <= i <= 64):
Input:
m_i a 32-bit word from the message
With different shift every round
T_i = int(2^32 * abs(sin(i)))
Provided a randomized set of 32-bit patterns, which eliminate any regularities in the input data
ABCD: current MD
Output:
ABCD: new MD
a,b,c,d refer to the 4 words of the buffer, but used in varying permutations
note this updates 1 word only of the buffer
after 16 steps each word is updated 4 times
C = 98badcfe
D = 10325476
E = c3d2e1f0
Basic Steps...
Step 4: the 80-step processing of 512-bit blocks
4 rounds, 20 steps each.
Each step t (0 <= t <= 79):
Input:
W_t a 32-bit word from the message
K_t a constant.
ABCDE: current MD.
Output:
ABCDE: new MD.