Introduction To Computer Security

Uploaded by

GOLAP HOSSAIN
Copyright
© © All Rights Reserved

CSE 477: Introduction to Computer Security
Lecture – 4

Course Teacher: Dr. Md Sadek Ferdous
Assistant Professor, CSE, SUST
E-mail: [email protected]
Outline
• Basic crypto concepts
Encryption
• Encryption: a means to allow two parties, customarily called Alice and Bob, to establish confidential communication over an insecure channel that is subject to eavesdropping
[Figure: Cryptographic Concepts, showing Alice, Bob and Eve]
Encryption
• The message M is called the plaintext
• Alice will convert plaintext M to an encrypted form using an encryption algorithm E that outputs a ciphertext C for M
[Figure: Encryption and Decryption. The sender encrypts the plaintext with a shared secret key, the ciphertext crosses the communication channel where an attacker is eavesdropping, and the recipient decrypts it to the plaintext with the shared secret key]
Encryption
• As equations:
• C = E(M), M = D(C)
• The encryption and decryption algorithms are chosen so that it is infeasible for
someone other than Alice and Bob to determine plaintext M from ciphertext C
• Thus, ciphertext C can be transmitted over an insecure channel that can be
eavesdropped by an adversary
• The decryption algorithm must use some secret information known to Bob, and
possibly also to Alice, but no other party
• It takes as an auxiliary input a secret number or string called the decryption key
• The decryption algorithm itself can be implemented by standard, publicly available software, and only the decryption key needs to remain secret
• Similarly, the encryption algorithm uses as auxiliary input an encryption key,
which is associated with the decryption key
• If it is feasible to derive the decryption key from the encryption key, the
encryption key should be kept secret as well
Cryptosystem
• A cryptosystem consists of seven components:
• The set of possible plaintexts
• The set of possible ciphertexts
• The set of encryption keys
• The set of decryption keys
• The correspondence between encryption keys and decryption keys
• The encryption algorithm to use
• The decryption algorithm to use
Cryptosystem: Caesar cipher
• Replace each letter with the one “three over” in the alphabet
• An example of a shift cipher
• Can be denoted using the following formula:
• s(c, k), here c represents one of 23 letters in Latin Alphabet and k represents the key
• If k > 0, forward shift (encryption) and if k < 0, backward shift (decryption)
• Example: s(A,3) = D, s(D,-3) = A
• For Caesar cipher, {k=3} is the set of encryption keys and {k=-3} is the set of decryption keys
• Uses modulo operation in a sort of circular shift fashion when shift goes beyond the limit
[Figure: Caesar Cipher. Public domain image from http://commons.wikimedia.org/wiki/File:Caesar3.svg]
Symmetric key distribution
• Symmetric crypto-systems are quite fast and efficient
• However their main problem is key distribution
• It requires each pair of communicating parties to share a (separate) secret key
• If there are n parties, it means it requires a total of n(n − 1)/2 keys
[Figure: Symmetric Key Distribution. Requires each pair of communicating parties to share a (separate) secret key: n(n − 1)/2 keys]


Public key cryptography
• Bob has two keys: a private key, $S_B$, which Bob keeps secret, and a public key, $P_B$, which Bob broadcasts widely
• In order for Alice to send an encrypted message to Bob, she needs only obtain Bob’s public key, $P_B$, and use that to encrypt her message, M, and send the result, $C = E_{P_B}(M)$, to Bob
• Bob then uses his secret key to decrypt the message as $M = D_{S_B}(C)$
• That is, separate keys are used for encryption and decryption
[Figure: Public-Key Cryptography. Separate keys are used for encryption and decryption: the sender encrypts the plaintext with the public key, the ciphertext crosses the communication channel where an attacker is eavesdropping, and the recipient decrypts it with the private key]
Public key distribution
• How many keys do we need to distribute for n users??
Public key distribution
• Only one key is needed for each recipient!
[Figure: Public Key Distribution. n key pairs, each with a private key and a public key]
Combining symmetric and public key systems
• The main disadvantage of public-key cryptosystems is that they are
much slower than existing symmetric encryption schemes
• Hence, public-key cryptography is unsuitable for interactive sessions that use
a lot of back-and-forth communication
• Also, public-key cryptosystems have larger key lengths than that for
symmetric cryptosystems
• For example, RSA is commonly used with 2,048-bit keys while AES is typically
used with 256-bit keys
Also, public-key cryptosystems require in practice a key length that is one order of magnitude larger than that for symmetric cryptosystems. For example, RSA is commonly used with 2,048-bit keys while AES is typically used with 256-bit keys.

Combining symmetric and public key systems
In order to work around these disadvantages, public-key cryptosystems are often used in practice just to allow Alice and Bob to exchange a shared secret key, which they subsequently use for communicating with a symmetric encryption scheme, as shown in Figure 12.
• To work around these disadvantages, public-key cryptosystems are often used in practice just to allow Alice and Bob to exchange a shared secret key
• Once exchanged, the shared secret key then can be used for communication encrypted with a symmetric encryption scheme
Figure 12: Use of a public-key cryptosystem to exchange a shared secret key, which is subsequently employed for communicating with a symmetric encryption scheme. The secret key is the “plaintext” message sent from the sender to the recipient. © Igor Nazarenko/Shutterstock
Digital signature
• Public-key cryptosystems allow reversing the order in which encryption and decryption are carried out
• $E_{P_B}(D_{S_B}(M)) = M$
• This concept is leveraged to create digital signatures
• To sign a message, M, Alice just decrypts it with her private key, $S_A$, creating $C = D_{S_A}(M)$
• Anyone can encrypt this message using Alice’s public key, as $M' = E_{P_A}(C)$, and then compare if $M = M'$
• If they match, the signature is valid
• Indeed, no one but Alice, who has private key $S_A$, could have produced such an object C, so that $M' = E_{P_A}(C)$
• Only disadvantage, the signature is as long as the message!
• Compare it with real life signatures!
Man In The Middle (MITM) Attack
• Charlie is in the middle between Alice and Bob
• Charlie can:
• View traffic
• Change traffic
• Add traffic
• Delete traffic
• Charlie could be:
• Internet service provider
• Virtual Private Network (VPN) provider
• WIFI provider such as a coffee shop
• An attacker re-routing your connection
• An incompetent admin (it happens)
[Figure: Your Computer, The Internet, Website Server; Charlie sits between Alice and Bob]
Simple attacks on crypto systems: MITM
• The straightforward use of a cryptosystem presented, which consists of simply transmitting the ciphertext, assures confidentiality
• However, it does not guarantee the authenticity and integrity of the message if the adversary can intercept and modify the ciphertext
• How can the recipient be assured that the message s(he) receives is the intended one?
Suppose that Alice sends to Bob ciphertext C corresponding to a message M. The adversary modifies C into an altered ciphertext C′ received by Bob. When Bob decrypts C′, he obtains a message M′ that is different from M. Thus, Bob is led to believe that Alice sent him message M′ instead of M. This man-in-the-middle attack is illustrated in Figure 13.
Figure 13: A man-in-the-middle attack where the adversary modifies the ciphertext and the recipient decrypts the altered ciphertext into an incorrect message. © Igor Nazarenko/Shutterstock
Simple attacks on crypto systems: MITM
• Bob (M, S): (C,S) -> Eve (C’,S’) -> Alice (C’, S’): (M’,S’)??
• Note that Mʹ will be different from the original message M
• When Alice verifies the digital signature Sʹ, she obtains message Mʹ by encrypting S’
• Thus, Alice is led to believe that Bob has signed Mʹ instead of M
• Note that in the above attacks the adversary can arbitrarily alter the
transmitted ciphertext or signature
• However, the adversary cannot choose, or even figure out, what would be
the resulting plaintext since she does not have the ability to decrypt
• Thus, the above attacks are effective only if any arbitrary sequence of bits
is a possible message
• This scenario occurs, for example, when a randomly generated symmetric
key is transmitted encrypted with a public-key cryptosystem
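The sign-by-decrypting scheme and the tampering scenario above, as an added example that is not part of the original lecture: toy textbook RSA stands in for the generic E and D, and a receiver that accepts any bit string is compared with one that expects a message format. The primes, the exponent and the "PAY " format are assumptions chosen for illustration.

```python
# Toy textbook RSA without padding, for illustration only (all parameters are assumptions).
P, Q = 2**31 - 1, 2**61 - 1                   # two Mersenne primes, far too small for real use
N = P * Q
E_PUB = 65537                                 # Alice's public key P_A = (N, E_PUB)
D_PRIV = pow(E_PUB, -1, (P - 1) * (Q - 1))    # Alice's private key S_A


def E(m):
    """Encryption with the public key."""
    return pow(m, E_PUB, N)


def D(c):
    """Decryption with the private key."""
    return pow(c, D_PRIV, N)


def sign(message: bytes) -> int:
    """Alice signs by 'decrypting' M with her private key: C = D_{S_A}(M)."""
    return D(int.from_bytes(message, "big"))


def recover(signature: int) -> bytes:
    """Anyone 'encrypts' the signature with the public key: M' = E_{P_A}(C)."""
    m = E(signature)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def verify(message: bytes, signature: int) -> bool:
    return recover(signature) == message


def accept_any_bits(signature: int) -> bytes:
    """Receiver for which every bit string is a possible message (e.g. a random key)."""
    return recover(signature)


def accept_structured(signature: int, prefix: bytes = b"PAY "):
    """Receiver that only accepts messages in an expected format (hypothetical prefix)."""
    m = recover(signature)
    return m if m.startswith(prefix) else None


def demo():
    message = b"PAY 100"            # constructed sample message, shorter than N
    signature = sign(message)
    tampered = (signature + 1) % N  # signature altered in transit
    return message, signature, tampered


if __name__ == "__main__":
    msg, sig, bad = demo()
    print(verify(msg, sig), accept_any_bits(bad), accept_structured(bad))
```

The altered signature still maps to some M′, but the party who altered it cannot choose M′, so a receiver that expects structure in the message notices the change while a receiver of raw bits does not.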
Simple attacks on crypto systems: brute-force
• How about brute forcing a crypto system?
• Trying different probable keys over a cipher text to decrypt it to a meaningful
text
• Mind you, encryption and decryption functions are open, just the key
is secret!
• If the plaintext is an arbitrary binary string, this attack cannot
succeed, as there is no way for the attacker to distinguish a valid
message
• However, if the plaintext is known to be text in a natural language,
then the adversary hopes that only a small subset of the decryption
results (ideally just a single plaintext) will be a meaningful text for the
language
Brute force attack
• Some knowledge about the possible message being sent will then
help the attacker pinpoint the correct plaintext
• Key should be a sufficiently long random value to make exhaustive
search attacks unfeasible
• Problem is it is usually easy to recognize that a message is a valid
plaintext
• For example, given a certain ciphertext, an attacker might decrypt it with a given key and get message NGGNPXNGQNJABAVEIVARORNPU, which she can immediately dismiss
• But if she gets message ATTACKATDAWNONIRVINEBEACH, then she can be
confident she has found the decryption key
• This ability is related to the unicity distance for a cryptosystem
Brute force attack
• English text is typically represented with 8-bit ASCII encoding
• A message with t characters has n bits, with n = 8t
• The total number of possible n-bit (or t-byte) arrays is $2^{8t} = 2^n$
• It is estimated that each character of English text carries about 1.25 bits of information, known as the entropy of English
• The number of t-byte arrays that correspond to English text:
• $2^{1.25t} = 2^{1.25n/8} \approx 2^{0.16n}$
Brute force attack
• In general, for some constant 0 < α < 1, there are $2^{\alpha n}$ valid text messages among the $2^n$ possible plaintexts
• as not all combinations are valid messages
• The probability that a randomly selected plaintext corresponds to meaningful text is represented with: $\frac{2^{\alpha n}}{2^n} = \frac{1}{2^{(1-\alpha)n}}$
• The fraction of valid messages tends rapidly to zero as n grows
Brute force attack
• Let k be the length (number of bits) of the decryption key
• For a given ciphertext, there are $2^k$ possible plaintexts, each corresponding to a key
• From the previous discussion, each such plaintext is a valid text message with probability $\frac{1}{2^{(1-\alpha)n}}$
• Hence, the expected number of plaintexts corresponding to valid text messages is $\frac{2^k}{2^{(1-\alpha)n}}$
• As the key length k is fixed, the above number tends rapidly to zero as
the ciphertext length n grows
Brute force attack
• We expect that there is a unique valid plaintext for the given ciphertext when $n = \frac{k}{1-\alpha}$
• The above threshold value for n is called the unicity distance for the given
language and key length
• The unicity distance for a cryptosystem is the minimum number of
characters of ciphertext that are needed so that there is a single intelligible
plaintext associated with it
• Consider a ciphertext, FJKFPO, that is encrypted with a substitution cipher (discussed later); brute force might result in the following: thatis, ofyour, season, onyour, thatwe, thetop, thetwo, oxford, thatin, thatof
• Which is the correct one? It is impossible to know!
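The brute-force reasoning from these slides, together with the shift function s(c, k) from the Caesar cipher slide, as an added example that is not part of the original lecture: it tries every key of a shift cipher on the slide's 25-letter ciphertext and ranks the candidates by English letter frequency, then shows a short ciphertext with two intelligible decryptions. The 26-letter alphabet, the frequency table and the word list are assumptions made for this example.

```python
import string

ALPHABET = string.ascii_uppercase  # assumption: 26-letter English alphabet
# Approximate English letter frequencies in percent, A..Z (assumed reference values).
FREQ = dict(zip(ALPHABET, [
    8.17, 1.49, 2.78, 4.25, 12.70, 2.23, 2.02, 6.09, 6.97, 0.15, 0.77, 4.03, 2.41,
    6.75, 7.51, 1.93, 0.10, 5.99, 6.33, 9.06, 2.76, 0.98, 2.36, 0.15, 1.97, 0.07]))
WORDS = {"COLD", "FROG", "CHEER", "JOLLY"}  # constructed word list for the demo


def s(c, k):
    """The slide's s(c, k): shift letter c by k places, wrapping around with modulo."""
    return ALPHABET[(ALPHABET.index(c) + k) % len(ALPHABET)]


def shift_text(text, k):
    return "".join(s(c, k) for c in text)


def english_score(text):
    """Mean letter frequency; random letters average about 100/26 = 3.85."""
    return sum(FREQ[c] for c in text) / len(text)


def brute_force(ciphertext):
    """Decrypt under every key; return (key, candidate) pairs, most English-like first."""
    candidates = [(k, shift_text(ciphertext, -k)) for k in range(len(ALPHABET))]
    return sorted(candidates, key=lambda kc: english_score(kc[1]), reverse=True)


def intelligible(ciphertext, words=WORDS):
    """Every (key, plaintext) pair whose plaintext is a known word."""
    return sorted((k, p) for k, p in brute_force(ciphertext) if p in words)


if __name__ == "__main__":
    # Long ciphertext from the slide: one candidate stands out.
    print(brute_force("NGGNPXNGQNJABAVEIVARORNPU")[0])
    # Short constructed ciphertext: two keys give real words, so the key stays unknown.
    print(intelligible("HTQI"))
```

With only four letters of ciphertext both FROG and COLD are plausible, which is the below-unicity-distance situation the slide describes; with 25 letters the ranking leaves a single readable candidate.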
Brute force attack
• For the English language and the 256-bit AES cryptosystem, the
unicity distance is about 304 bits or 38 ASCII-encoded characters
• This is only half a line of text
• We can conclude that brute-force decryption is likely to succeed for
messages in natural language that are not too short
• Namely, when a key yields a plaintext that is a meaningful text, the
attacker has probably recovered the original message
