Outline Chapter 2 CONVENTIONAL ENCRYPTION: CLASSICAL TECHNIQUES
Yeuan-Kuen Lee September
Ch 2 Conventional Encryption: Classical Techniques 2
Conventional Encryption Model Steganography Classical Encryption Techniques
2.1 Conventional Encryption Model
2.1 Conventional Encryption Model
Plaintext
Original intelligible message
Ciphertext
Apparently random nonsense message
Encryption process
An algorithm - produce a different output depending on the specific key being used at the time. A key a value independent of plaintext, shared by sender and recipient.
3 Ch 2 Conventional Encryption: Classical Techniques 4
Figure 2.1 Simplified Model of Conventional Encryption
Ch 2 Conventional Encryption: Classical Techniques
2.1 Conventional Encryption Model
The ciphertext can be transformed back to the original plaintext by using a decryption algorithm and the same key that was used for encryption. The security of conventional encryption depends on the secrecy of the key, not the secrecy of the algorithm. It is impractical to decrypt a message based on the ciphertext plus knowledge of the encryption/decryption algorithm. The principal security problem is maintaining the secrecy of the key.
Ch 2 Conventional Encryption: Classical Techniques 5
2.1 Conventional Encryption Model
Encryption algorithm ( E ) Y = EK(X)
Message source Cryptanalyst
X K
Decryption Decryption Algorithm Algorithm
Encryption Encryption Algorithm Algorithm
Plaintext X = [X1, X2, , XM]
Ciphertext Y = [Y1, Y2, , YN]
Secure channel
Destination
Key source
Key K = [K1, K2, , KJ]
Decryption algorithm ( D ) X = DK(Y)
Figure 2.2 Model of Conventional Cryptosystem
Ch 2 Conventional Encryption: Classical Techniques 6
2.1 Conventional Encryption Model
An opponent
Observing Y, but not having access to K and X, may attempt to recover X or K, or both X and K. Assumed that the opponent knows E and D If only the message is interested, then an estimated plaintext X is generated. If future messages are interested, then an estimated key K is generated.
2.1 Conventional Encryption Model
Cryptography - the art of secret writing.
Classified along three independent dimensions:
1. The type of operations used for transforming plaintext to ciphertext.
Substitution Transposition
2. The number of keys used.
Symmetric, single-key, secret-key encryption Asymmetric, two-key, public-key encryption
3. The way in which the plaintext is processed.
Block cipher Stream cipher
Ch 2 Conventional Encryption: Classical Techniques 8
Ch 2 Conventional Encryption: Classical Techniques
2.1 Conventional Encryption Model
Cryptanalysis
The process of attempting to discover X or K or both. Table 2.1 summarizes the various types of cryptanalytic attacks based on the amount of information known to the cryptanalyst. Ciphertext only attack Known to cryptography
1. Encryption algorithm 2. Ciphertext to be decoded
2.1 Conventional Encryption Model
Cryptanalysis (Conti.)
Known plaintext attack
Known to cryptography
1. Encryption algorithm 2. Ciphertext to be decoded 3. One or more plaintext-ciphertext pairs formed with the secret key
Probable-word attack may have little knowledge of what is in the message
Accounting file: placement of certain key words Copyright statement in some standardized position
9 Ch 2 Conventional Encryption: Classical Techniques 10
Brute-force approach of trying all possible keys Statistical tests: type of plaintext
Ch 2 Conventional Encryption: Classical Techniques
2.1 Conventional Encryption Model
Cryptanalysis (Conti.)
Chosen-plaintext attack
Known to cryptography
1. Encryption algorithm 2. Ciphertext to be decoded 3. Plaintext message chosen by cryptanalyst, together with its corresponding ciphertext generated with the secret key
2.1 Conventional Encryption Model
Cryptanalysis (Conti.)
Chosen-ciphertext attack
Known to cryptography
1. Encryption algorithm 2. Ciphertext to be decoded 3. Purported ciphertext chosen by cryptanalyst, together with its corresponding decrypted plaintext generated with the secret key
Example: password file Differential cryptanalysis (explored Ch3)
Chosen-text attack chosen-plaintext or chosenciphertext attack
Ch 2 Conventional Encryption: Classical Techniques
11
Ch 2 Conventional Encryption: Classical Techniques
12
2.1 Conventional Encryption Model
Cryptanalysis (Conti.)
Only relative weak algorithms fail to withstand a ciphertext-only attack. Generally, an encryption algorithm is designed to withstand a know-plaintext attack.
2.1 Conventional Encryption Model
Unconditionally secure
If the ciphertext generated by an encryption scheme does not contain enough information to determine uniquely the corresponding plaintext, no matter how much ciphertext is available and how much time an opponent has. No encryption algorithm is unconditionally secure, except the one-time pad scheme
Conditionally secure
1. The cost of breaking the cipher exceeds the value of the encrypted information 2. The time required to break the cipher exceeds the useful lifetime of the information
Ch 2 Conventional Encryption: Classical Techniques 13 Ch 2 Conventional Encryption: Classical Techniques 14
2.1 Conventional Encryption Model
Table 2.2 Average Time Required for Exhaustive Key Search
Key Size (bits) 32 56 128 26 char perm. Number of alternative keys 232 = 4.3*109 256 = 7.2*1016 2128 = 3.4*1038 26! = 4*1026 Time required at 1 encryption/us 231 us = 35.8 min 255 us = 1142 years 2127 us = 5.4*1024 years 2*1026 us = 6.4*1012years Time required at 106 encryption/us 2.15 ms 10.01 hrs 5.4*1018 years 6.4*106 years
2.2 Steganography
Cryptography
crypto graphy : secret writing Conceal the meaning of message
Steganography
stegano graphy : covered writing Conceal the existence of message
Ch 2 Conventional Encryption: Classical Techniques
15
Ch 2 Conventional Encryption: Classical Techniques
16
2.2 Steganography
Stegosaur (Roof Lizard)
2.2 Steganography
Dear George, Greetings to all at Oxford. Many thanks for your Letter and for the summer examination package. All Entry Forms and Fees Forms should be ready for final despatch to the syndicate by Friday 20th or at the very latest, Im told, by the 21st. Admin has improved here, though theres room for improvement still; just give us all two or three more years and well really show you! Please dont let these wretched 16 + proposals destroy your basic O and A pattern. Certainly this sort of change, if implemented immediately, would bring chaos. Sincerely yours,
17 Ch 2 Conventional Encryption: Classical Techniques 18
Ch 2 Conventional Encryption: Classical Techniques
2.2 Steganography
Historical steganographic techniques
Character marking Invisible ink Pin punctures Typewriter correction ribbon
2.2 Steganography
Cryptography
Conceal the meaning of message
Conceal the existence of message
Steganography
20
Ch 2 Conventional Encryption: Classical Techniques
19
Ch 2 Conventional Encryption: Classical Techniques
2.2 Steganography
General Steganographic Model
Sender Message
Compressing Compressing Encrypting Encrypting
2.2 Steganography
Requirements of a Steganographic System
Imperceptible (image fidelity) Undetectable (Steganalysis) Security Payload
Stegomedia
Extracting Extracting
Message Receiver
Decompressing Decompressing Decrypting Decrypting
image, text audio, video Covermedia
Embedding Embedding
Limited Robustness
Stego-key Warden
Ch 2 Conventional Encryption: Classical Techniques
Stego-key (Blindness)
21 Ch 2 Conventional Encryption: Classical Techniques 22
2.2 Steganography
Steganalysis
The art of detecting any hidden message on the communication channel. If the existence of the hidden message is revealed, the goal of steganography is defeated. Two types of steganalytic techniques
Visual attack Statistical attack
Ch 2 Conventional Encryption: Classical Techniques 23
2.2 Steganography
Specific Pattern of S-Tools palette in cover-image
Result of the Airfield image embedded in the 8-bit Renoir with S-Tools. (the cover image was reduced from 248 to 32 unique colors)
luminance-ordered palette in stego-image
Ch 2 Conventional Encryption: Classical Techniques 24
2.3 Classical Encryption Techniques
Two basic building blocks
Substitution techniques - the letters of plaintext are replaced by other letters or by numbers of symbols
- Caeser cipher - Monoalphabetic cipher - Playfair cipher - Hill cipher Transposition techniques - performing some sort
of permutation on the plaintext letters
2.3 Classical Encryption Techniques
Caesar cipher
Replacing each letter of the alphabet with the letter standing three places further down the alphabet Transformation
Plain: Cipher: a b c d e f g h i j k l m n o p q r s t u v w x y z D E F G H I J K L M N O P Q R S T U V WX Y Z A B C
<Example>
Plain: me e t Cipher: P H H W me P H a f t e r D I WH U t h e WK H t o g a WR J D p a r t y S D U WB
Rotor machines - multiple stages of encryption
Ch 2 Conventional Encryption: Classical Techniques 25
Ch 2 Conventional Encryption: Classical Techniques
26
2.3 Classical Encryption Techniques
Caesar cipher
(Conti.)
2.3 Classical Encryption Techniques
Caesar cipher
Fig.2.4
(Conti.)
If we assign a numerical equivalent to each letter (a=0, b=1, c=2etc), then for each plaintext letter p, substitute the ciphertext letter C : C = E(p) = (p + 3) mod 26 General Caesar algorithm C = E(p) = (p + k) mod 26 where 1 k 25 Decryption algorithm p = D(C) = (C - k) mod 26
Ch 2 Conventional Encryption: Classical Techniques 27
Brute-force cryptanalysis Why? Three important characteristics:
1. The encryption and decryption algorithms are known. 2. There are only 25 keys to try. 3. The language of the plaintext is known and easily recognizable.
< Fig.2.5 > Using ZIP algorithm to Compress the plaintext before encryption
Ch 2 Conventional Encryption: Classical Techniques 28
2.3 Classical Encryption Techniques
Monoalphabetic cipher
An arbitrary substitution is used 26! ( 41026 ) possible keys: to eliminate brute-force attack (table 2.2) If the cryptanalyst knows the nature of the plaintext (e.g., noncompressed English text), then the analyst can exploit the regularities of the language.
< Fig.2.6 > Relative frequency of letters in English text
2.3 Classical Encryption Techniques
Fig. 2.6 Relative frequency of letters in English text
Ch 2 Conventional Encryption: Classical Techniques 29 Ch 2 Conventional Encryption: Classical Techniques 30
2.3 Classical Encryption Techniques
Monoalphabetic cipher
(Conti.)
2.3 Classical Encryption Techniques
Playfair cipher
The best-known multiple-letter encryption cipher Treat digrams in the plaintext as single units and translates these units into ciphertext digrams. 5*5 matrix of letters constructed using a keyword.
M M C C E E L L U U
31 Ch 2 Conventional Encryption: Classical Techniques
Digram two-letter combination Frequency of diagrams is a powerful regularity.
The most common digram is th. (ZW)
Trigram three-letter combination
The most frequent trigram is the. (ZWP)
O O H H F F P P V V
N N Y Y G G Q Q W W
A A B B I/J I/J S S X X
R R D D K K T T Z Z
32
Homophone
Provide multiple substitutes for a single letter Multiple-letter patterns (e.g., digram frequencies) still survive in the ciphertext
Ch 2 Conventional Encryption: Classical Techniques
2.3 Classical Encryption Techniques
Playfair cipher
(Conti.)
2.3 Classical Encryption Techniques
Playfair cipher
(Conti.)
Plaintext is encrypted two letters at a time, according to the following rules: 1. Repeating plaintext letter that would fall in the same pair are separated with a filler letter (such as x)
3. Plaintext letters that fall in the same column of the matrix are replaced by the letter beneath, with the top element of the column circularity following the last.
[ mu ]
[ CM ]
M M C C E E L L U U O O H H F F P P V V N N Y Y G G Q Q W W A A B B I/J I/J S S X X R R D D K K T T Z Z
34
[ balloon ]
[ ba lx lo on ]
M M C C E E L L U U
O O H H F F P P V V
N N Y Y G G Q Q W W
A A B B I/J I/J S S X X
R R D D K K T T Z Z
33
2. Plaintext letters that fall in the same row of the matrix are replaced by the letter to the right in a circular fashion
4. Otherwise, each plaintext letter is replaced by the letter that lies in its own row and the column occupied by the other plaintext letter.
[ ar ]
[ RM ]
[ hs ] [ ea ]
[ BP ], [ IM ] ( or [ JM ] )
Ch 2 Conventional Encryption: Classical Techniques
Ch 2 Conventional Encryption: Classical Techniques
2.3 Classical Encryption Techniques
Playfair cipher
(Conti.)
2.3 Classical Encryption Techniques
There are 26*26=676 digrams, so that identification of individual digrams is more difficult. The relative frequencies of individual letters exhibit a much greater range than that of diagrams, making frequency analysis much more difficult. Standard field system by the British Army in WWI Considerable use by the U.S. Army and other allied forces during WWII. However, it still leaves much of the structure of the plaintext language intact.
Fig.2.7 Relative Frequency of Occurrence of Letters.
Ch 2 Conventional Encryption: Classical Techniques 35 Ch 2 Conventional Encryption: Classical Techniques 36
2.3 Classical Encryption Techniques
Hill cipher
Lester Hill, 1929 Take m successive plaintext letters and substitutes for them m ciphertext letters The substitution is determined by m linear transformation.
2.3 Classical Encryption Techniques
Hill cipher
(Conti.)
Matrix-vector form
c1 k11 k12 k13 p1 c = k 2 21 k22 k23 p2 c3 k31 k32 k33 p3
For m = 3, C1 = (k11p1+k12p2+k13p3) mod 26 C2 = (k21p2+k22p2+k23p3) mod 26 C3 = (k31p3+k32p2+k33p3) mod 26
C = KP where C and P are column vectors of length 3, representing the plaintext and ciphertext, and K is a 3*3 matrix, representing the encryption key. Operation are performed mod 26.
37 Ch 2 Conventional Encryption: Classical Techniques 38
Ch 2 Conventional Encryption: Classical Techniques
2.3 Classical Encryption Techniques
Hill cipher
Example:
Plaintext paymoremoney Key
17 17 5 K = 21 18 21 2 2 19
2.3 Classical Encryption Techniques
Hill cipher
(Conti.)
(Conti.)
Decryption requires using K-1 , the inverse of the matrix K,
4 9 15 K -1 = 15 17 6 24 0 17
KK-1 = K-1K=I General Expressions C = EK(P) = KP P = DK(C) = K-1C = K-1KP = P
39 40
The first three letters is pay = (15, 0, 24) t C = KP mod 26 = (375, 819, 486) t mod 26 = (11, 13, 18) t = LNS Ciphertext LNSHDLEWMTRW
Ch 2 Conventional Encryption: Classical Techniques
Ch 2 Conventional Encryption: Classical Techniques
2.3 Classical Encryption Techniques
Hill cipher
(Conti.)
2.3 Classical Encryption Techniques
Hill cipher
(Conti.)
As with Playfair, the strength of the Hill cipher is that it completely hides single-letter frequencies. A 3*3 Hill cipher hides not only single-letter but twoletter frequency information. Use a larger matrix hides more frequency information Strong against a ciphertext-only attack Easily broken with a known plaintext attack.
For an m*m Hill cipher, suppose we have m plaintext-ciphertext pairs, each of length m. Pj = ( p1j, p2j, p3j, p4j . . ., pmj ) Cj = ( c1j, c2j, c3j, c4j . . ., cmj ) Cj = KPj for 1 j m and for some unknown key matrix K. Define X = (pij) , Y = (cij). If X has an inverse, K =X-1Y Y = XK
Ch 2 Conventional Encryption: Classical Techniques
41
Ch 2 Conventional Encryption: Classical Techniques
42
2.3 Classical Encryption Techniques
Polyalphabetic ciphers
Use different monoalphabetic substitutions as one proceeds through the plaintext message 1. A set of related monoalphabetic substitution rules is used. 2. A key determines which particular rule is chosen for a given transformation.
2.3 Classical Encryption Techniques
Vigenere cipher
26 Caesar ciphers are used, with shifts of 0 through 25 Each cipher is denoted by a key letter (from a to z)
Table 2.4 The Modern Vigenere Tablean
Ch 2 Conventional Encryption: Classical Techniques 43 Ch 2 Conventional Encryption: Classical Techniques 44
2.3 Classical Encryption Techniques
Vigenere cipher (Conti.)
Given a key letter x and a plaintext letter y, the ciphertext letter is at the intersection of the row labeled x and the column labeled y
key: d e c e p t i v e d e c e p t i v e d e c e p t i v e plaintext: w e a r e d i s c o v e r e d s a v e y o u r s e l f ciphertext: Z I C V T W Q N G R Z G V T W A V Z H C Q Y G L M G J
2.3 Classical Encryption Techniques
Vigenere cipher
Attack:
1. Either monoalphabetic substitution or a Vigenere cipher? If a monoalphabetic substitution is used, then the statistical properties of the ciphertext should be the same as that of the language of the plaintext. Referring to Fig. 2.6
(Conti.)
Not all knowledge of the plaintext structure is lost. Example: Fig. 2.7.
The strength is that there are multiple ciphertext letters for each plaintext letter, one for each unique letter of the keyword.
Ch 2 Conventional Encryption: Classical Techniques 45
Ch 2 Conventional Encryption: Classical Techniques
46
2.3 Classical Encryption Techniques
Vigenere cipher
Attack (Conti.)
2. How to determine the keyword length?
If two identical sequences of plaintext letters occur at a distance that is an integer multiple of the keyword length, they will generate identical ciphertext sequences An analyst looking at only the ciphertext can detect the repeated sequences, e.g., VTW at a displacement of 9. Assume that the keyword either 3 or 9 in length By looking for common factors in the displacements of the various sequences, the analyst will make a good guess of the keyword length.
Ch 2 Conventional Encryption: Classical Techniques 47
2.3 Classical Encryption Techniques
Vigenere cipher
Attack (Conti.)
3. If the keyword length is N, then the cipher consists of N monoalphabetic substitution ciphers.
The letters at positions 1, N+1, 2N+1, and so on will be encrypted with the same monoalphabetic ciphers. (Conti.)
(Conti.)
4. Each monoalphabetic ciphers can be attacked using frequency characteristics
Using a non-repeating keyword can eliminate the periodic nature
Ch 2 Conventional Encryption: Classical Techniques
48
2.3 Classical Encryption Techniques
Vigenere cipher
(Conti.)
2.3 Classical Encryption Techniques
Vigenere cipher
(Conti.)
Autokey system a keyword is concatenated with the plaintext itself to provide a running key
key: plaintext: d e w e c e p t a r e i v e w e a r e s c o v e r e I d i d s s c o v e r e d s s e a v l f d i a v e y o u r
Ultimate defense - To choose a keyword that is as long as the plaintext and has no statistical relationship to it Vernam cipher: 1918, AT&T engineer, Gilbert Vernam
binary data C i = p i ki pi = ith binary digit of plaintext ki = ith binary digit of key Ci = ith binary digit of ciphertext = exclusive-or (XOR) operation pi = Ci ki
Ch 2 Conventional Encryption: Classical Techniques 50
ciphertext: Z I
C V T W Q N G K Z E I
G A S X S T S L V V W L A
Statistical techniques can be applied to cryptanalysis since the key and the plaintext share the same frequency distribution of letters Example: e enciphered by e can be expeated to occur with a frequency of (0.1275)2=0.0163
Ch 2 Conventional Encryption: Classical Techniques 49
2.3 Classical Encryption Techniques
Vigenere cipher
(Conti.)
2.3 Classical Encryption Techniques
Vigenere cipher
One-time pad
Army Signal Corp officer, Joseph Mauborgne Using a random key that was truly as long as the message (Conti.)
Vernam cipher (Conti.)
The essence of this technique is the mean of construction of the key. Use a running loop of tape as keyword : a very long but repeating keyword Can be broken with sufficient ciphertext, the use of known or probable plaintext sequences, or both.
Unbreakable Produce random output that bears no statistical relationship to the plaintext The practical difficult sender and receiver must be in possession of, and protect, the random key.
Ch 2 Conventional Encryption: Classical Techniques
51
Ch 2 Conventional Encryption: Classical Techniques
52
2.3 Classical Encryption Techniques
Transposition Techniques
Performs some sort of permutation on the plaintext letters Rail fence technique
The plaintext is written down as a sequence of diagonals and then read off as a sequence of rows Plaintext meet me after the toga party m e e t m e a f t e r t h e t o g a p a r t y
2.3 Classical Encryption Techniques
Transposition Techniques
A more complex scheme
to write the message in a rectangle, row by row, and read the message off, column by column, but permute the order of the columns. The order of the columns then becomes the key. Plaintext attack postponed until two am xyz Key: 4 3 1 2 5 6 7 plaintext: a t t a c k p o s t p o n e d u n t i l t w o a m x y z Ciphertext: TTNAAPTMTSUOAODWCOIXKNLYPETZ
Ch 2 Conventional Encryption: Classical Techniques 54
(Conti.)
Ciphertext MEMATRHTGPRYETEFETEOAAT
Ch 2 Conventional Encryption: Classical Techniques 53
2.3 Classical Encryption Techniques
Transposition Techniques
(Conti.)
2.3 Classical Encryption Techniques
Transposition Techniques
The original sequence of letters is After the first transposition:
(Conti.)
Perform more than one stage of transposition
Key: 4 3 1 2 5 6 7 plaintext: t t n a a p t m t s u o a o d w c o i x k n l y p e t z Ciphertext: NSCYAUOPTTWLTMDNAOIEPAXTTOKZ
Perform more than one stage of transposition (Conti.)
01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 03 10 17 24 04 11 18 25 02 09 16 23 01 08 15 22 05 12 19 26 06 13 20 27 07 14 21 28 17 09 05 27 24 16 12 07 10 02 22 20 03 25 15 13 04 23 19 14 11 01 26 21 18 08 06 28
After the second transposition:
This is a much less structured permutation and is much more difficult to cryptanalysis.
Ch 2 Conventional Encryption: Classical Techniques 55 Ch 2 Conventional Encryption: Classical Techniques 56
2.3 Classical Encryption Techniques
Rotor machines
Rotors are 75a-e.
2.3 Classical Encryption Techniques
Rotor machines
(Conti.)
Consists of a set of independently rotating cylinders A single cylinder defines a monoalphabetic substitution After each input key is depressed, the cylinder rotates one position, so that the internal connections are shifted accordingly. Thus, a different monoalphabetic substitution cipher is defined.
Edward Heberns Electric Code Machine, 1921 U.S. Patent 1683072.
Ch 2 Conventional Encryption: Classical Techniques 57
A polyalphabetic substitution algorithm with a period of 26.
Ch 2 Conventional Encryption: Classical Techniques
58
2.3 Classical Encryption Techniques
Rotor machines
Multiple cylinders
The output pins of one cylinder are connected to the input pins of the next The cylinder farthest from the operator input rotates one pin position with each keystroke For every complete rotation of the outer cylinder, the middle cylinder rotates one pin position For every complete rotation of the middle cylinder, the inner cylinder rotates one pin position 26*26*26=17576 different substitution algorithms Point to the way to DES
Ch 2 Conventional Encryption: Classical Techniques 59
2.3 Classical Encryption Techniques
(Conti.)
Fig. 2.8 Three-Rotor Machine with wiring represented by numbered contacts.
Ch 2 Conventional Encryption: Classical Techniques 60