Security - Lecture 01
Security - Lecture 01
Lecture 1
Introduction
Course info
General concepts
Introductory examples
Symmetric Crypto History
1 / 51
Introduction
Cryptography
Adversary
2 / 51
Introduction
Course Objectives
Objectives
Learn how crypto primitives work.
Learn to use them correctly and reason about security.
Be well-oriented in basic cryptographic concepts and methods.
Have a sound understanding of theory and implementation, as well as limitations
and vulnerability.
Be familiar with a number of examples of use of cryptographic tools in common
software and hardware artefacts.
3 / 51
Introduction
Where?
Secure Communication: web traffic: HTTPS, wireless traffic 802.11i WPA2 (wifi),
GSM (cellphone), Bluetooth.
Encrypting files on disk: EFS, TrueCrypt
Content protection (DVD, Blu-ray): CSS (Content Scrambling System), AACS
User authentication
November 15, 2014
4 / 51
Introduction
!"#$%&$'()"**+!,#
!"#-%.*$)+!,#
5 / 51
Introduction
6 / 51
Introduction
&"'(%)%
&"'(%*%
+'",(%
-.%(/0(#12.33"45%
-.%6/73(2"45%
Files encrypted
If data are stolen Attacker (A) cannot read/tamper data
If A tries to modify Alice will detect it
Confidentiality & Integrity!!
Analogous to secure communication:
Alice Today sends a message to Alice Tomorrow
7 / 51
Introduction
Crypto Core
Secret key establishment
At the end of the protocol
Alice & Bob share a
secret key k.
*+",#-.&
/(&!"#$%&
*+",#-.&
/(&'()&
!"#$%&
'()&
Secure Communication
Attacker A cannot
understand transmitted
messages.
A Cannot tamper
messages.
!"
12"
!"
13"
#$%&'(%)*+,-."*%'",%-(/0,-."
8 / 51
Introduction
Anonymous
Communication
mix-net: Communicate
via a sequence of
proxies.
Messages
encrypted/decrypted
appropriately!
'()&*#*&+&&
,-./&/0"1&/)2&
!"#$%&
9 / 51
Introduction
!"#
!"#$%&
/0-%10%-&
'()&*+,&
-(+-.&
2+0)03&$)4435&
November 15, 2014
9 / 51
Introduction
Protocols
x1 x2 x3 x4 x5
Private Auctions
Auction winner =
highest bidder
pays 2nd highest bid
Other bids remain
secret.
f (x1 , x2 , x3 , x4 , x5 )
Trusted
Party
Theorem:
Anything that can be done with trusted auth. can also be done without.
10 / 51
Introduction
Crypto magic
Privately outsourcing computation
.*(/&0#0&'*%&
'%()$*&12)3&
'%()$*&
+,%)-&
!"#$%&
45&+,%)-&6&
45&)%',"/'&6&
)%',"/'&
/7189"
456,)"
!"#$%&"'()"*+,'%-."%*"/"00"
1-%%*""2"
:%;"
/"
11 / 51
Introduction
A rigorous science
12 / 51
Introduction
Cryptographic goals
Cryptographic Goals
In spite of adversaries, we want to achieve (among other things)
confidentiality (keeping secret data secret).
integrity (preventing alteration).
authentication (preventing frauds).
non-repudiation (preventing denials of messages sent).
How?
Cryptography provides basic building blocks for use in building secure systems.
13 / 51
Introduction
Things to Remember
Cryptography is:
A tremendous tool
The basis for many security mechanisms
Cryptography is not
The solution to all security problems (e.g. software bugs, social engineering)
Reliable unless implemented and used properly
Something you should try to invent yourself
many many examples of broken ad-hoc designs.
14 / 51
Introduction
Lectures:
Katerina Mitrokotsa
15 / 51
Introduction
Teaching
Lectures
Tuesdays 810 in HC4, Wednesdays 810 in HB1, week 17.
Exception week 4 Lectures Wednesday and Friday.
Web site contains info about the topics for the lectures.
Problem-solving sessions
Fridays 1012 in HC1, from week 1.
Office hours
See course web site.
16 / 51
Introduction
Text book:
Introduction to Modern Cryptography, Jonathan Katz & Yehuda Lindell
Previous course book also useful: Stallings: Cryptography and Network Security,
6th ed.
Lecture slides, problem sets, home assignments.
Additional useful resources, available on the web:
Handbook of Applied Cryptography, CRC Press 2001.
Selected papers, videos, standards. See course web site.
17 / 51
Introduction
Examination
Programming assignment
One assignment; done in groups of two or individually.
Exam
Written (closed-book) exam on the 13th of January at 14:00-18:00.
18 / 51
Introduction
Course evaluation
Chalmers procedure
19 / 51
Introduction
20 / 51
Introduction
21 / 51
Alice: k
m
Bob: k
c:=E(k,m)
same key!
m
D
Symmetric ciphers
E , D: cipher, k: secret key (e.g. 128 bits)
m, c: plaintext, ciphertext
22 / 51
Alice: k
m
Bob: k
c:=E(k,m)
same key!
m
D
Symmetric ciphers
E , D: cipher, k: secret key (e.g. 128 bits)
m, c: plaintext, ciphertext
Attention: Encryption algorithm is publicly known Never use a proprietary cipher!
22 / 51
Alice: k
m
Bob: k
c:=E(k,m)
same key!
m
D
Symmetric ciphers
E , D: cipher, k: secret key (e.g. 128 bits)
m, c: plaintext, ciphertext
Attention: Encryption algorithm is publicly known Never use a proprietary cipher!
Kerckhoffs principle
Security should not rest on secrecy of the algorithms, but only on the secrecy of K .
November 15, 2014
22 / 51
Use Cases
23 / 51
Historical development
24 / 51
Ciphers
There are two types of basic algorithms:
transposition ciphers rearrange the order of letters in plaintext.
Example: transposition 7 POISONISNTART
substitution ciphers replace characters in plaintext by others.
Example: substitution 7 TVCTUJUVUJPO where a 7 B, b 7 C, c 7 D, .
25 / 51
Notational Convention
26 / 51
Transposition Cipher
27 / 51
28 / 51
Transposition variants
A major problem in the old days was to remember the permutation. Some tricks used:
Route transposition: Plaintext is written in one pattern (diagonal, spiral, triangle,
) and read out in another.
5
0
0
Use of keywords, e.g. alphabetical ordering of letters in 0231 gives (0, 2, 3, 1) for
clue
n = 4.
Longer blocks means more security and more difficulty in remembering key!
29 / 51
But ...
Transposition ciphers (with reasonable block sizes) are easily broken using frequency
analysis.
30 / 51
ac
bw
cn
Substitution cipher
c := E (k, bcza) = wnac
D(k, c) = bcza
k :=
...
za
31 / 51
Caesars cipher
Caesars cipher
Each letter in the plaintext is replaced by the letter three steps ahead
plain alphabet
cipher alphabet
a b c d e f g h i j k l m n o p q r s t u v w
D E F G H I J K L M N O P Q R S T U V W X Y Z
M = one one two
Problem
Encryption method must be kept secret from the adversary!
There is no key!
If method becomes known, all is lost.
32 / 51
Caesar Cipher
Caesar cipher
Shift by 3
ad
be
cf
...
yb
zc
33 / 51
Quiz question!
|K| = 26
|K| = 26!
|K| = 226
|K| = 262
34 / 51
Quiz question!
|K| = 26
|K| = 226
|K| = 262
34 / 51
35 / 51
35 / 51
36 / 51
37 / 51
Types of attacks
Ciphertext only attack: The Adversary has one or more ciphertexts.
Known plaintext attacks: The Adversary has one or more plaintexts and the
corresponding cipher texts.
Chosen plaintext attack: The Adversary can choose plain texts, have them
encrypted and obtain the corresponding ciphertexts.
38 / 51
(
%)
( 8.07)
( 1.40)
( 2.27)
( 4.71)
(12.49)
( 2.26)
( 2.08)
( 6.57)
( 6.81)
( 0.11)
( 0.79)
( 3.68)
( 2.56)
( 7.08)
( 7.74)
( 1.62)
( 0.11)
( 6.16)
( 6.30)
( 8.99)
( 2.78)
( 0.86)
( 2.37)
( 0.11)
( 2.03)
( 0.04)
e
t
a
o
n
i
h
s
r
d
l
u
m
w
c
f
g
y
p
b
v
k
q
x
j
z
November 15, 2014
39 / 51
An Example
Ciphertext
UKBYBIPOUZBCUFEEBORUKBYBHOBBRFESPVKBWFOFERVNBCVBZPRUBOFER
VNBCVBPCYYFVUFOFEIKNWFRFIKJNUPWRFIPOUNVNIPUBRNCUKBEFWWFDNC
HXCYBOHOPYXPUBNCUBOYNRVNIWNCPOJIOFHOPZRVFZIXUBORJRUBZRBCHN
CBBONCHRJZSFWNVRJRUBZRPCYZPUKBZPUNVPWPCYVFZIXUPUNFCPWRVNB
CVBRPYYNUNFCPWWJUKBYBIPOUZBCUIPOUNVNIPUBRNCHOPYXPUBNCUBOY
NRVNIWNCPOJIOFHOPZRNCRVNBCUNENVVFZIXUNCHPCYVFZIXUPUNFCPWZP
UKBZPUNVR
!" #$"
!!!"!
%" #&"
%*"
++"
!!!%&!
'.!" $"
('"
+,"
!!!$#!
/0%" $"
'" ##"
!!!#!
'!" +,"
(" #)"
!!!$!
'%"
*" )$"
-"
123"
!!!#'"!
&"
;756789:"
456789:"
40 / 51
a
b
c
d
e
f
g
h
i
j
k
l
m
n
o
p
q
r
s
t
u
v
w
x
y
z
(
%)
( 8.07)
( 1.40)
( 2.27)
( 4.71)
(12.49)
( 2.26)
( 2.08)
( 6.57)
( 6.81)
( 0.11)
( 0.79)
( 3.68)
( 2.56)
( 7.08)
( 7.74)
( 1.62)
( 0.11)
( 6.16)
( 6.30)
( 8.99)
( 2.78)
( 0.86)
( 2.37)
( 0.11)
( 2.03)
( 0.04)
Slide left diagram downwards (with wrap-around) until it matches the right.
November 15, 2014
41 / 51
a
b
c
d
e
f
g
h
i
j
k
l
m
n
o
p
q
r
s
t
u
v
w
x
y
z
(
%)
( 8.07)
( 1.40)
( 2.27)
( 4.71)
(12.49)
( 2.26)
( 2.08)
( 6.57)
( 6.81)
( 0.11)
( 0.79)
( 3.68)
( 2.56)
( 7.08)
( 7.74)
( 1.62)
( 0.11)
( 6.16)
( 6.30)
( 8.99)
( 2.78)
( 0.86)
( 2.37)
( 0.11)
( 2.03)
( 0.04)
Slide left diagram downwards (with wrap-around) until it matches the right.
Can we do it better than visually?
41 / 51
Correlation
25
Let {fi }25
i =0 be observed relative letter frequencies in ciphertext and {pi }i =0 letter
frequencies in English.
25
X
i =0
for k = 0, 1, . . . 25. The k for which ck is maximal is likely to be the correct shift.
In fact, maximal ck is expected to be ca 0.066, while all others are around 0.038.
42 / 51
!""""#"""""C R Y P T O C R Y P T O C R Y P T
%&"$'(")*+"
""""$"""#"""""W H A T A N I C E D A Y T O D A Y
"""""","""#"""""Z Z Z J U C L U D T U N W G C Q S
43 / 51
44 / 51
Example
ASXER
FFSTS
DHSDF
HMHKO
CDMBV
FDLKG
DOSVW
AKEWQ
DCRWE
DBEBD
BDHFG
FHGLS
OWESS
ALQWE
RCVMG
GFROI
GNBLK
SDVKH
DGAGF
EKKEW
LERRK
OLFGL
RTYJH
FSERF
JHKFV
DSPIO
DLHMD
LSATR
FLFRL
DEFES
DRDGN
NJLDM
BEBDG
FLEKG
YLKRU
SDEYN
45 / 51
Kasiskis test
Kasiskis test
Find (several) repeating n-grams in ciphertext and for each pair compute the
distance (difference in position) between the two occurrences.
The period is probably a common factor of all these numbers. So, compute the
(pairwise) gcd of the distances.
Example
CDRAWSD occurs in a ciphertext at position 37, 254 and 457.
gcd(254 37, 457 254) = 7, so probable period is 7.
46 / 51
Rotor Machines
!"
#"
$"
%"
%"
&"
'"
("
/01"
)"
*"
+"
%"
%"
,"
-"
."
."
)"
*"
+"
%"
%"
,"
-"
-"
."
)"
*"
+"
%"
%"
,"
47 / 51
Rotor Machines
48 / 51
49 / 51
Things to remember
Things to remember
Cryptography is a tremendous tool !
Not the solution to all security problems!!
Security should not rest on the secrecy of algorithm.
Historical ciphers all badly broken
Questions
How do we break a substitution cipher?
What is the difference between a substitution and a transposition cipher?
How can we break the Vigener cipher?
Tomorrow One Time Pad & Stream ciphers
50 / 51
References:
Crypto Course Stanford, Dan Boneh
Cryptography and Network Security: Principles and practice (Chapters 1.1, 2)
Introduction to Modern Cryptography, Lindell and Katz (Chapter 1)
51 / 51