Introduction to Computer Security

Foundations of Cryptography
Pavel Laskov
Wilhelm Schickard Institute for Computer Science
Secret communication
[Figure: Alice encrypts the plaintext "I love you" with the key "unitue" into the ciphertext "C ywoy cih"; Bob decrypts the ciphertext with the key "unitue" and recovers the plaintext "I love you".]
Cryptography and security objectives
Which security objectives are addressed by cryptography?
Confidentiality
  symmetric cryptography
  asymmetric cryptography
Integrity
  hashing
Authentication and non-repudiation
  digital signatures
Symmetric cryptography
[Figure: Alice and Bob hold the same shared key "unitue" (any valid key). Alice encrypts the plaintext "I love you" into the ciphertext "C ywoy cih"; Bob decrypts it with the shared key and recovers the plaintext "I love you".]
Early permutation cipher: scytale
Encryption:
Wrap a parchment strip over a wooden rod of a fixed diameter and write letters along the rod.
Decryption:
Wrap a received strip over a wooden rod of the same diameter and read off the text.
Example:
  troops
  headin
  gnorth
  sendmo
  refood
  −→ thgsr renee oaonf odrdo pitmo snhod
Monoalphabetic substitution cipher: Caesar
Encryption
Replace each letter with the one three positions to the right in the alphabet.
Decryption
Replace each letter with the one three positions to the left in the alphabet.
Example:
  HABES OPINIONIS MEAE TESTIMONIUM
  −→ MDEHV RSNQNRQNV PHDH XHVXNPRQNZP
Polyalphabetic substitution cipher: Vigenère
Encryption
Write the key over a message, repeating as necessary.
Substitute each letter with the one from an appropriate column in the Vigenère tableau.
Decryption
Same as encryption, use a row instead of a column.
Example:
  key:     unitueun
  message: iloveyou
  −→ cywoycih
Polyalphabetic substitution: Enigma
Operating principle: electromechanical varying map substitution
Main components:
  3–5 rotors with pre-defined connectivity
  inter-rotor rings: mapping between letters and connections
  letter swap by jumper cables
Key definition: rotor types, ring positions, jumper settings

  Tag  UKW  Walzenlage  Ringstellung  Steckerverbindungen
  31   B    I IV III    16 26 08      AD CN ET FL GI JV KZ PU QY WX
  30   B    II V I      18 24 11      BN DZ EP FX GT HW IY OU QV RS
  29   B    III I IV    01 17 22      AH BL CX DI ER FK GU NP OQ TY
One-time pad ciphers
Encryption:
Generate a random key sequence.
Add a key to a message using modular arithmetic.
Decryption:
Subtract a key from a message using modular arithmetic.
Example:
     7 (H)    4 (E)   11 (L)   11 (L)   14 (O)   message
  + 23 (X)   12 (M)    2 (C)   10 (K)   11 (L)   key
  = 30       16       13       21       25       message + key
  =  4 (E)   16 (Q)   13 (N)   21 (V)   25 (Z)   mod 26
Feistel cipher: S and P boxes
S-box
  Complex substitution controlled by a key
  Secure if enough internal states
  Unrealizable for a large number of states
P-box
  Block-wise permutation of digits
  Simple transformation with maximal entropy
  Insecure against a “tickling attack”
Feistel network
  Revival of the idea of a product cipher
  Strong polyalphabetic substitution via multiple rounds
  Follows theoretical principles of Shannon
A practical Feistel cipher
A multiple-round scheme with separate keys
Encryption:
  $L_{i+1} = R_i$
  $R_{i+1} = L_i \oplus f(K_i, R_i)$
Decryption: reverse the key order
  $L_{i+1} = R_i$
  $R_{i+1} = L_i \oplus f(K_{n-i}, R_i)$
3 rounds suffice to achieve a pseudorandom permutation
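
The round equations above can be run directly to see that decryption only needs the key order reversed, even when f itself cannot be inverted. This is an added example, not code from the lecture. It assumes a truncated SHA-256 as the round function f, constructed round keys, and a swap of the two output halves, which is what lets the same routine decrypt.

```python
import hashlib

def f(key: bytes, half: bytes) -> bytes:
    """Round function f(K_i, R_i). Truncated SHA-256 is an arbitrary choice for
    this example; it is not invertible, and the network never needs it to be."""
    return hashlib.sha256(key + half).digest()[:len(half)]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def feistel(block: bytes, round_keys: list) -> bytes:
    """Apply one round per key: L_{i+1} = R_i, R_{i+1} = L_i XOR f(K_i, R_i)."""
    if len(block) % 2 or len(block) > 64:
        raise ValueError("block must split into two equal halves of <= 32 bytes")
    half = len(block) // 2
    left, right = block[:half], block[half:]
    for k in round_keys:
        left, right = right, xor(left, f(k, right))
    # Emit the halves swapped so that the same routine undoes itself
    # when it is called with the round keys in reverse order.
    return right + left

def encrypt(block: bytes, round_keys: list) -> bytes:
    return feistel(block, round_keys)

def decrypt(block: bytes, round_keys: list) -> bytes:
    return feistel(block, round_keys[::-1])

# Constructed sample values: three round keys and one 8-byte block
KEYS = [b"K1", b"K2", b"K3"]
BLOCK = b"iloveyou"

if __name__ == "__main__":
    ct = encrypt(BLOCK, KEYS)
    print(ct.hex())
    print(decrypt(ct, KEYS))   # original block again
    print(encrypt(ct, KEYS))   # keys not reversed: no recovery
```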
DES: Digital Encryption Standard
Adopted in 1977 after two rounds of proposals
Won by IBM’s Lucifer cipher based on Feistel’s design
Key length reduced by NIST from 128 bits to 56 bits
Subject to extensive cryptanalysis research in the 1990s
Broken by specialized hardware crackers in 1997–1999 (fastest result: 22 hours 15 minutes by Deep Crack)
Still widely used in practice (as 3DES)
Replaced by Advanced Encryption Standard (AES) in 2000
DES overview
[Figure: DES overview. Data path: 64 bit plaintext, Initial Permutation, Iteration 1, Iteration 2, ..., Iteration 16, 32 bit Swap, Inverse Initial Permutation, 64 bit ciphertext. Key path: 56 bit key, Permuted Choice 1, then for each iteration a Left Circular Shift followed by Permuted Choice 2, giving the round keys K1, K2, ..., K16.]
DES round structure
[Figure: DES round structure. Data to be encrypted: 32 bit halves L_{i-1} and R_{i-1}; Expansion Permutation (48), + with K_i (48), S-Box: Choice Substitution (32), Permutation (32), +, outputs L_i and R_i. Key used for encryption: 28 bit halves C_{i-1} and D_{i-1}; Left Shift on each half; Permutation Contraction (Perm. Choice 2) gives K_i (48); outputs C_i and D_i.]
Other symmetric ciphers
Block ciphers

  Algorithm  Key size     Block size  Rounds     Applications
  3DES       112/168      64          48         Finance, PGP, S/MIME
  AES        128/192/256  128         10/12/14   Repl. for DES/3DES
  IDEA       128          64          8          PGP
  Blowfish   up to 448    64          16         Various software
  RC5        up to 2048   64          up to 255  Various software
Stream ciphers

  Algorithm  Key size  IV   State  Applications
  A5/2       54        114  64     GSM
  RC4        40-256    8    2064   WEP, WPA, SSL, SSH, Kerberos, etc.
Resumé of symmetric cryptography
Provides (with some exceptions) a reliable means for
enforcing confidentiality
Highly efficient
Key distribution is a major problem!
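Asymmetric cryptography
[Figure: a specially generated keypair consists of Bob’s public key "unitue" and Bob’s private key "zxtr9y". Alice encrypts the plaintext "I love you" with Bob’s public key into the ciphertext "C ywoy cih"; Bob decrypts it with his private key and recovers the plaintext "I love you".]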
Prime numbers
An integer p is a prime number if its only divisors are ±1 and ±p.
A positive integer c is said to be the greatest common divisor of a and b if
  c is a divisor of a and of b;
  any divisor of a and of b is a divisor of c.
Integers a and b are said to be relatively prime if gcd(a, b) = 1.
Euler’s totient function
A totient φ(n) of an integer n is the number of integers less than n that are relatively prime to n.
Example: φ(9) = 6: {1, 2, 4, 5, 7, 8}
Two integers a and b are congruent modulo n, written as a ≡ b mod n, if
  (a mod n) = (b mod n)
Euler’s Theorem: If a and n are relatively prime, then
  $a^{\varphi(n)} \equiv 1 \bmod n$.
RSA overview
Alice sends her love message to Bob via RSA:
  Bob:   Generate a keypair Ku / Kr
  Bob:   Send Ku to Alice
  Alice: Encrypt plaintext M with Ku
  Alice: Send ciphertext C to Bob
  Bob:   Decrypt C with Kr
RSA key generation
  Step                            Condition
  Select p, q                     p, q prime, p ≠ q
  Compute n = p × q
  Compute φ(n) = (p − 1)(q − 1)
  Select 1 < e < φ(n)             gcd(φ(n), e) = 1
  Compute d                       (de) mod φ(n) = 1   (∗)
  Public key                      Ku = {e, n}
  Private key                     Kr = {d, n}
RSA encryption and decryption
Encryption:
  Plaintext:  $M < n$
  Ciphertext: $C = M^e \bmod n$
Decryption:
  Ciphertext: $C$
  Plaintext:  $M = C^d \bmod n$
Correctness of RSA encryption
By the property (∗),
(de) mod φ(n) = 1 ⇒ ∃k : (de) = 1 + kφ(n).
Then,
  $M \stackrel{?}{\equiv} C^d \bmod n$
  $\equiv (M^e)^d \bmod n$
  $\equiv M^{ed} \bmod n$
  $\equiv M^{1+k\varphi(n)} \bmod n$
  $\stackrel{?}{\equiv} M \bmod n$
Correctness of RSA encryption (ctd.)
For prime numbers p,
φ (p) = (p − 1).
By the key generation algorithm and the multiplicative property of
the totient function,
φ (n) = φ (p) · φ (q) = (p − 1) · (q − 1).
By Euler’s Theorem, if p does not divide M,
  $M^{p-1} = 1 \bmod p$
and since (p − 1) divides φ(n)
  $M^{1+k\varphi(n)} \equiv M \bmod p$.
Similar argument holds for q and hence for n = pq.
What’s secret in RSA?
An attacker needs to know d to decrypt C.
To find d, an attacker needs to solve (∗):
(de) mod φ(n) = 1.
For this, he needs to know φ(n).
If p and q are known, then finding φ(n) is trivial:
φ (n) = (p − 1) · (q − 1)
However p and q are discarded during key generation.
Factoring n into a product of two prime numbers is an
intractable problem!
Finding φ(n) directly is likewise intractable.
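
The key generation table, the encryption and decryption formulas, and the secrecy argument can be checked end to end on small numbers. This is an added example, not code from the lecture; it is textbook RSA exactly as defined on the slides, the primes 61 and 53 and the exponent 17 are constructed toy values, and the function names are assumptions.

```python
from math import gcd

def rsa_keygen(p: int, q: int, e: int):
    """Return (Ku, Kr) = ((e, n), (d, n)) following the key generation table.
    Primality of p and q is assumed, not checked."""
    if p == q:
        raise ValueError("p and q must differ")
    n, phi = p * q, (p - 1) * (q - 1)
    if not 1 < e < phi or gcd(phi, e) != 1:
        raise ValueError("need 1 < e < phi(n) and gcd(phi(n), e) = 1")
    d = pow(e, -1, phi)      # solves (d*e) mod phi(n) = 1, property (*)
    return (e, n), (d, n)    # p, q and phi(n) are discarded here

def rsa_encrypt(m: int, ku) -> int:
    e, n = ku
    if not 0 <= m < n:
        raise ValueError("plaintext must satisfy M < n")
    return pow(m, e, n)      # C = M^e mod n

def rsa_decrypt(c: int, kr) -> int:
    d, n = kr
    return pow(c, d, n)      # M = C^d mod n

def roundtrip_holds_for_all(ku, kr) -> bool:
    """Check M = (M^e)^d mod n for every M < n, including the multiples
    of p or q that Euler's Theorem does not cover directly."""
    return all(rsa_decrypt(rsa_encrypt(m, ku), kr) == m for m in range(ku[1]))

def private_key_from_factor(ku, p: int):
    """With one factor of n known, phi(n) and therefore d follow at once."""
    e, n = ku
    q, rest = divmod(n, p)
    if rest:
        raise ValueError("p does not divide n")
    return pow(e, -1, (p - 1) * (q - 1)), n

KU, KR = rsa_keygen(61, 53, 17)   # constructed toy primes

if __name__ == "__main__":
    c = rsa_encrypt(65, KU)
    print(KU, KR, c, rsa_decrypt(c, KR))
    print(roundtrip_holds_for_all(KU, KR))
    print(private_key_from_factor(KU, 61) == KR)
```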
Other asymmetric ciphers
  Algorithm       E/D  D.S.  KEX  Hardness
  RSA             Yes  Yes   Yes  Factorization
  ElGamal         Yes  No    No   DLP
  DSS             No   Yes   No   DLP
  Diffie-Hellman  No   No    Yes  DLP
  Elliptic curve  Yes  Yes   Yes  EC DLP
Summary
Cryptographic methods provide solutions for various
confidentiality, integrity and authentication tasks.
Symmetric cryptography is based on a single key that must
be shared between the communication parties and kept
secret.
Asymmetric cryptography is based on two related keys; only
one of them (private key) must be kept secret, the other one
(public key) can be distributed over insecure media.
Next lecture
Cryptographic hash functions
Digital signatures