10/23/2020

Cryptography and Advanced

Computer Security
(CENG625)
 2 10/23/2020

Topics Covered

 Introduction to Cryptography and Cryptanalysis

 Stream Ciphers vs Block Ciphers
 Symmetric Cryptography: DES and Alternatives, AES
 Modes of Operation
 Public-Key (Asymmetric) Cryptography: RSA, Discrete Logarithm
Based Cryptography
 Digital Signatures
 Hash Functions
 Message Authentication Codes (MACs)
 Key Establishment Techniques
 Certificates
 3 10/23/2020

Textbook and Recommended Material

Textbooks
Understanding Cryptography, Christof Paar and Jan Pelzl, Springer 2010.
 
References
1.  Cryptography and Network Security: Principles and Practice, Fifth Edition.
William Stallings. Publisher: Pearson. 2011.

2. Cryptography Theory and Practice, Third Edition by D. Stinson.

Chapman&Hall/CRC. 2006.
 4 10/23/2020

Grading Scheme
 10% Participation
 35% Midterm
 40% Final exam
 15% Project
 5 10/23/2020

Chapter 1
Introduction to Cryptography and Data Security
In this chapter you will learn:
 The general rules of cryptography.
 Key lengths for short-, medium- and long-term security.
 The difference between different types of attacks against
ciphers.
 A few historical ciphers, and on the way we will learn about
modular arithmetic, which is of major Importance for
modern cryptography as well.
 Why one should only use well-established encryption
algorithms.
 6 10/23/2020

1.1 Overview of Cryptology

 Cryptography is an old business, with early examples dating
back to about 2000 B.C., when non-standard “secret”
hieroglyphics were used in ancient Egypt. Another example
is the famous Caesar cipher in ancient Rome.
 7 10/23/2020

Cryptology
 Cryptography is the science of secret writing with the goal of
hiding the meaning of a message.
 Cryptanalysis is the science and sometimes art of breaking
cryptosystems.
Cryptanalysis is of central importance for modern cryptosystems:
without people who try to break our crypto methods, we will never
know whether they are really secure or not.
 8 10/23/2020

Cryptography Branches
The focus of this course is on cryptography, it splits
into three main branches:

1- Symmetric Algorithms
2- Asymmetric (or Public-Key) Algorithms
3- Cryptographic Protocols
 9 10/23/2020

Symmetric Algorithms
 Two parties have an encryption and decryption
method for which they share a secret key.
 All cryptography from ancient times until 1976
was exclusively based on symmetric methods.
 Symmetric ciphers are still in widespread use,
especially for data encryption and integrity check
of messages.
 10 10/23/2020

Asymmetric (or Public-Key)

Algorithms
 In 1976 an entirely different type of cipher was
introduced by Whitfield Diffie, Martin Hellman and
Ralph Merkle.
 In public-key cryptography, a user possesses a
secret key as in symmetric cryptography but also a
public key.
 Asymmetric algorithms can be used for applications
such as digital signatures and key establishment,
and also for classical data encryption.
 11 10/23/2020

Cryptographic Protocols
 Crypto protocols deal with the application of
cryptographic algorithms.
 Symmetric and asymmetric algorithms can be viewed
as building blocks with which applications such as
secure Internet communication can be realized.
 The Transport Layer Security (TLS) scheme, Secure
Socket Layer (SSL) which are used in every Web
browser, are examples of a cryptographic protocol.
 12 10/23/2020

Security in Practical Systems

 In the majority of cryptographic applications in
practical systems, symmetric and asymmetric
algorithms (and often also hash functions) are all
used together.
 This is sometimes referred to as hybrid schemes.
 The reason for using both families of algorithms is
that each has specific strengths and weaknesses.
 13 10/23/2020

1.2 Symmetric Cryptography

 14 10/23/2020

1.2.1 Basics (1)

 The term channel may refer to Internet, a stretch of air in
the case of mobile phones or wireless LAN communication,
or any other communication media you can think of.
 Oscar has access to the channel, for instance, by hacking
into an Internet router or by listening to the radio signals of
a Wi-Fi communication.
 This type of unauthorized listening is called eavesdropping.
 Alice and Bob would prefer to communicate without Oscar
listening.
15 10/23/2020
 16 10/23/2020

Basics (2)
Symmetric cryptography offers a powerful solution:
 Alice encrypts her message “x” using a symmetric
algorithm, yielding the ciphertext “y”.
 Bob receives the ciphertext and decrypts the message.
 Decryption is, thus, the inverse process of encryption.
 What is the advantage? If we have a strong
encryption algorithm, the ciphertext will look like
random bits to Oscar and will contain no information
whatsoever that is useful to him.
 17 10/23/2020

Basics (3)
The variables x, y and k in Fig. 1.5 are important in
cryptography and have special names:
 x is called plaintext or cleartext,
 y is called ciphertext,
 k is called the key,
 The set of all possible keys is called the key space.
 18 10/23/2020

Basics (4)
 The system needs a secure channel for distribution
of the key between Alice and Bob.
 The secure channel shown in Fig. 1.5 can, for
instance, be a human who is transporting the key
in a wallet between Alice and Bob. This is, of
course, a somewhat cumbersome method.
 An example where this method works nicely is the
pre-shared keys used in Wi-Fi Protected Access
(WPA) encryption in wireless LANs.
 19 10/23/2020

Basics (5)
 Both the encryption and the decryption algorithms
are publicly known.
 It seems that keeping the encryption algorithm secret
should make the whole system harder to break.
 However, secret algorithms also mean untested
algorithms: The only way to find out whether an
encryption method is strong, i.e., cannot be broken
by a determined attacker, is to make it public and
have it analyzed by other cryptographers.
 20 10/23/2020

Important Remarks (1)

 If Oscar gets hold of the key, he can easily decrypt
the message since the algorithm is publicly known.
 Hence it is crucial to note that the problem of
transmitting a message securely is reduced to the
problems of transmitting a key secretly and of
storing the key in a secure fashion.
 Up till now we have only considered the problem
of confidentiality, that is, of hiding the contents of
the message from an eavesdropper.
 21 10/23/2020

Important Remarks (2)

 We will see later in this course that there are many

other things we can do with cryptography, such as
preventing Oscar from making unnoticed changes
to the message (message integrity) or assuring that
a message really comes from Alice (sender
authentication).
 22 10/23/2020

1.2.2 Simple Symmetric Encryption: The

Substitution Cipher
 We will use the substitution cipher for learning some important
facts about key lengths and about different ways of attacking
ciphers.
 The goal of the substitution cipher is the encryption of text (as
opposed to bits in modern digital systems).
 The idea is very simple: We substitute each letter of the alphabet
with another one.
Example 1.1.
A→k
B→d
C→w
··
For instance, the message ABBA would be encrypted as kddk
 23 10/23/2020

Facts about Substitution Cipher

 The substitution table should be chosen
completely randomly, so that an attacker is not
able to guess it.
 The substitution table is the key of this
cryptosystem.
 As always in symmetric cryptography, the key has
to be distributed between Alice and Bob in a
secure fashion.
 24 10/23/2020

Example
Example 1.2. Let’s look at another ciphertext:
iq ifcc vqqr fb rdq vfllcq na rdq cfjwhwz hr bnnb
hcc hwwhbsqvqbre hwq vhlq

 This does not seem to make too much sense and

looks like decent cryptography.
 However, the substitution cipher is not secure at
all! Let’s look at ways of breaking the cipher.
 25 10/23/2020

First Attack: Brute-Force or

Exhaustive Key Search
 Oscar, the attacker, has the ciphertext from
eavesdropping on the channel and happens to have
a short piece of plaintext, e.g., the header of a file
that was encrypted.
 Oscar now simply decrypts the first piece of
ciphertext with all possible keys.
 If the resulting plaintext matches the short piece of
plaintext, he knows that he has found the correct
key.
 26 10/23/2020

Mathematical Model
 27 10/23/2020

Facts about Brute Force Attack

 A brute-force attack against symmetric ciphers is
always possible in principle.
 Whether it is feasible in practice depends on the
key space, i.e., on the number of possible keys that
exist for a given cipher.
 If testing all the keys on many modern computers
takes too much time, i.e., several decades, the
cipher is computationally secure against a brute-
force attack.
 28 10/23/2020

Key Space of the Substitution

Cipher
 When choosing the replacement for the first letter A,
we randomly choose one letter from the 26 letters of
the alphabet (in the example above we chose k).
 The replacement for the next alphabet letter B was
randomly chosen from the remaining 25 letters, etc.
 Thus there exist the following number of different
substitution tables:
 Key space of the substitution cipher =
26 · 25· · ·3 · 2 · 1 = 26! ≈ 288
 29 10/23/2020

Is substitution cipher secure?

 Even with hundreds of thousands of high-end PCs
such a search would take several decades!
 Thus, we are tempted to conclude that the
substitution cipher is secure.
 But this is incorrect because there is another, more
powerful attack.
 30 10/23/2020

Second Attack: Letter Frequency

Analysis
 The major weakness of the cipher is that each
plaintext symbol always maps to the same ciphertext
symbol.
 That means that the statistical properties of the
plaintext are preserved in the ciphertext.
 If we go back to the second example we observe that
the letter q occurs most frequently in the text.
 From this we know that q must be the substitution for
one of the frequent letters in the English language.
 31 10/23/2020

Letter Frequency Analysis

 Determine the frequency of every ciphertext letter.
 The frequency distribution, often even of relatively short
pieces of encrypted text, will be close to that of the given
language in general.
 In particular, the most frequent letters can often easily be
spotted in ciphertexts.
 For instance, in English E is the most frequent letter (about
13%), T is the second most frequent letter (about 9%), A is
the third most frequent letter (about 8%), and so on.
 Table 1.1 lists the letter frequency distribution of English.
32 10/23/2020
 33 10/23/2020

Pairs or Triples, or Quadruples

Frequency Analysis
 The letter method can be generalized by looking at
pairs or triples, or quadruples, and so on of
ciphertext symbols.
 For instance, in English (and some other European
languages), the letter Q is almost always followed
by a U.
 This behavior can be exploited to detect the
substitution of the letter Q and the letter U.
 34 10/23/2020

Short Words Frequency Analysis

 If we assume that word separators (blanks) have
been found (which is only sometimes the case),
one can often detect frequent short words such as
THE, AND, etc.
 Once we have identified one of these words, we
immediately know three letters (or whatever the
length of the word is) for the entire text.
 35 10/23/2020

Combined Methods of Frequency

Analysis
 In practice, the three techniques listed above are
often combined to break substitution ciphers.
 Example 1.3. If we analyze the encrypted text
from Example 1.2, we obtain:
WE WILL MEET IN THE MIDDLE OF THE
LIBRARY AT NOON ALL ARRANGEMENTS ARE
MADE
 36 10/23/2020

Lessons learned
 Good ciphers should hide the statistical properties
of the encrypted plaintext.
 The ciphertext symbols should appear to be
random.
 A large key space alone is not sufficient for a
strong encryption function.
 37 10/23/2020

1.3 Cryptanalysis
 This section deals with recommended key lengths
of symmetric ciphers and different ways of
attacking crypto algorithms.
 Recall that a cipher should be secure even if the
attacker knows the details of the algorithm.
 38 10/23/2020

1.3.1 General Thoughts on Breaking

Cryptosystems
 People think that code breaking has to do with heavy
mathematics, smart people and large computers.
 They have images in mind of the British code
breakers during World War II, attacking the German
Enigma cipher with extremely smart mathematicians
and room-sized electro-mechanical computers.
 In practice there are also other methods of code
breaking.
39 10/23/2020
 40 10/23/2020

Classical Cryptanalysis
Classical
 Classical cryptanalysis is understood as the science of
recovering the plaintext “x” from the ciphertext “y”, or,
alternatively, recovering the key “k” from the
ciphertext “y”.
 We recall from the earlier discussion that cryptanalysis
can be divided into:
 Analytical attacks, which exploit the internal structure of
the encryption method.
 Brute-force attacks, which treat the encryption algorithm
as a black box and test all possible keys.
 41 10/23/2020

Implementation Attacks (1)

 Side-channel analysis can be used to obtain a secret key, for
instance, by measuring the electrical power consumption of a
processor which operates on the secret key.
 The power trace can then be used to recover the key by
applying signal processing techniques.
 In addition to power consumption, electromagnetic radiation
or the runtime behavior of algorithms can give information
about the secret key and are, thus, useful side channels.
 42 10/23/2020

Implementation Attacks (2)

 Note also that implementation attacks are mostly
relevant against cryptosystems to which an
attacker has physical access, such as smart cards,
SIM cards ...
 In most Internet-based attacks against remote
systems, implementation attacks are usually not a
concern.
 43 10/23/2020

Social Engineering Attacks

 Bribing, blackmailing, tricking or classical espionage can be
used to obtain a secret key by involving humans.
 For instance, forcing someone to reveal his/her secret key, e.g.,
by holding a gun to his/her head can be quite successful.
 Another, less violent, attack is to call people whom we want to
attack on the phone, and say: “This is the IT department of
your company. For important software updates we need your
password”.
 Malware can also reveal secret keys in software systems.
 44 10/23/2020

Kerckhoffs’ Principle
A cryptosystem should be secure even if the attacker
(Oscar) knows all details about the system, with the
exception of the secret key. In particular, the system
should be secure when the attacker knows the
encryption and decryption algorithms.
 45 10/23/2020

Security by Obscurity is not Good

 To design a system which appears to be more secure
because we keep the details hidden. This is called
security by obscurity.
 Experience and military history has shown that such
systems are almost always weak, and they are very often
broken easily as soon as the secret design has been
reverse-engineered or leaked out through other means.
 An example is the Content Scrambling System (CSS) for
DVD content protection, which was broken easily once
it was reverse engineered.
 46 10/23/2020

1.3.2 How Many Key Bits Are

Enough?
 The discussion of key lengths for symmetric crypto algorithms
is only relevant if a brute-force attack is the best known attack.
 As we saw in Sect. 1.2.2 during the security analysis of the
substitution cipher, if there is an analytical attack that works, a
large key space does not help at all.
 The key lengths for symmetric and asymmetric algorithms are
dramatically different.
 For instance, an 80-bit symmetric key provides roughly the
same security as a 1024-bit RSA (RSA is a popular
asymmetric algorithm) key.
 47 10/23/2020

Important to Recall
 A large key space is a necessary but not sufficient condition
for a secure symmetric cipher.
 The cipher must also be strong against analytical attacks.
 48 10/23/2020

1.4 Modular Arithmetic and More

Historical Ciphers
 A very popular special case of the substitution
cipher is the Caesar cipher, which is said to have
been used by Julius Caesar to communicate with
his army.
 The Caesar cipher simply shifts the letters in the
alphabet by a constant number of steps.
 When the end of the alphabet is reached, the letters
repeat in a cyclic way, similar to numbers in
modular arithmetic.
 49 10/23/2020

Affine Cipher
 To make computations with letters more
practicable, we can assign each letter of the
alphabet a number.
 By doing so, an encryption with the Caesar cipher
simply becomes a (modular) addition with a fixed
value.
 Instead of just adding constants, a multiplication
with a constant can be applied as well.
 This leads us to the affine cipher.
 50 10/23/2020

1.4.1 Modular Arithmetic

 Almost all crypto algorithms, both symmetric ciphers and asymmetric
ciphers, are based on arithmetic within a finite number of elements.
 In the following we introduce modular arithmetic, which is a simple way of
performing arithmetic in a finite set of integers.
 Example 1.5. We consider the set of the nine numbers:
{0,1,2,3,4,5,6,7,8}
 We can do regular arithmetic as long as the results are smaller than 9. For
instance:
2×3 = 6
4+4 = 8
 But what about 8+4? Now we try the following rule: Perform regular
integer arithmetic and divide the result by 9. We then consider only the
remainder rather than the original result.
 Since 8+4 = 12, and 12/9 has a remainder of 3, we write:
8+4 ≡3 mod 9
 51 10/23/2020

Definition of the Modulo Operation

 52 10/23/2020

Computation of the Remainder

 It is always possible to write a ∈ Z, such that
a = q ·m+r for 0 ≤ r < m (1.1)
 Since a−r = q ·m (m divides a−r) we can now
write: a ≡ r mod m. Note that
r ∈ {0,1,2, . . . ,m−1}.
 Example 1.6. Let a = 42 and m = 9. Then

42 = 4 · 9+6
and therefore 42 ≡ 6 mod 9.
 53 10/23/2020

The Remainder Is Not Unique (1)

 It is somewhat surprising that for every given modulus
m and number a, there are (infinitely) many valid
remainders.
 Example 1.7. We want to reduce 12 modulo 9. Here are
several results which are correct according to the
definition:
 12 ≡3 mod 9, 3 is a valid remainder since 9|(12−3)
 12 ≡ 21 mod 9, 21 is a valid remainder since 9|(21−3)
 12≡−6 mod 9, −6 is a valid remainder since 9|(−6−12)
where the “x|y” means “x divides y”.
 54 10/23/2020

The Remainder Is Not Unique (2)

There is a system behind this behavior. The set of

numbers
{. . . ,−24,−15,−6,3,12, 21, . . .}
form what is called an equivalence class.
 There are eight other equivalence classes for the
modulus 9:
{. . . ,−27,−18,−9, 0, 9,18,27, . . .}
{. . . ,−26,−17,−8, 1, 10,19,28, . . .}
{. . . ,−19,−10,−1, 8, 17,26,35, . . .}
 55 10/23/2020

All Members of a Given Equivalence

Class Behave Equivalently
 For a given modulus m, it does not matter which
element from a class we choose for a given
computation.
 This property of equivalent classes has major
practical implications.
 If we have involved computations with a fixed
modulus — which is usually the case in
cryptography — we are free to choose the class
element that results in the easiest computation.
 56 10/23/2020

Example 1.8
 The core operation in many practical public-key
schemes is an exponentiation of the form xe mod m,
where x,e,m are very large integers, say, 2048 bits each.
 Using a toy-size example, we can demonstrate two
ways of doing modular exponentiation.
 We want to compute 38 mod 7.
 The first method is the straightforward approach, and
for the second one we switch between equivalent
classes.
 57 10/23/2020

First Method
 38 = 6561 ≡ 2 mod 7, since 6561 = 937 · 7+2
 Note that we obtain the fairly large intermediate
result 6561 even though we know that our final
result cannot be larger than 6.
 58 10/23/2020

Second Method
 Here is a much smarter method: First we perform two partial
exponentiations:
38 = 34 · 34 = 81 · 81
 We can now replace the intermediate results 81 by another
member of the same equivalence class.
 The smallest positive member modulo 7 in the class is 4 (since
81 = 11 · 7+4). Hence:
38 = 81 · 81 ≡ 4 · 4 = 16 mod 7
 From here we obtain the final result easily as 16 ≡ 2 mod 7.
 59 10/23/2020

Facts
 As a general rule we should remember that it is
almost always of computational advantage to
apply the modulo reduction as soon as we can in
order to keep the numbers small.

 Of course, the final result of any modulo

computation is always the same, no matter how
often we switch back and forth between equivalent
classes.
 60 10/23/2020

Which Remainder Do We Choose?

 By agreement, we usually choose r in Eq. (1.1)
such that:
0 ≤ r ≤ m−1.
 However, mathematically it does not matter which
member of an equivalent class we use.
 61 10/23/2020

1.4.2 Integer Rings

Example 1.9. Let m=9, i.e., we are dealing with the ring Z9
={0,1,2,3,4,5,6,7,8}.
Let’s look at a few simple arithmetic operations:
6+8 = 14 ≡5 mod 9
6×8 = 48 ≡3 mod 9
 62 10/23/2020

Properties of Rings (1)

 We can add and multiply any two numbers and the
result is always in the ring. A ring is said to be
closed.
 Addition and multiplication are associative, e.g.,
a+(b+c) = (a+b)+c, and a · (b · c) = (a · b) · c for
all a,b,c ∈ Zm.
 There is the neutral element 0 with respect to
addition, i.e., for every element a ∈ Zm it holds that
a+0 ≡ a mod m.
 63 10/23/2020

Properties of Rings (2)

 For any element a in the ring, there is always the
negative element −a such that a+(−a) ≡0 mod m,
i.e., the additive inverse always exists.
 There is the neutral element 1 with respect to
multiplication, i.e., for every element a ∈ Zm it
holds that a×1 ≡ a mod m.
 The multiplicative inverse exists only for some, but
not for all, elements. Let a ∈ Z, the inverse a−1 is
defined such that a · a−1 ≡1 mod m.
 64 10/23/2020

Properties of Rings (3)

 An element a ∈ Z has a multiplicative inverse a−1
if and only if gcd(a,m) = 1, where gcd is the
greatest common divisor , i.e., the largest integer
that divides both numbers a and m.

 The fact that two numbers have a gcd of 1 is of

great importance in number theory, and there is a
special name for it: if gcd(a,m) = 1, then a and m
are said to be relatively prime or coprime.
 65 10/23/2020

Example 1.10
 Let’s see whether the multiplicative inverse of 15
exists in Z26.
 Because gcd(15,26) = 1, the inverse must exist.
 On the other hand, since gcd(14,26) = 2 ≠ 1, the
multiplicative inverse of 14 does not exist in Z26.
 66 10/23/2020

Other properties of Ring

 Another ring property is that a×(b+c) = (a×b)+(a×c) for all
a,b,c ∈ Zm, i.e., the distributive law holds.
 In summary, roughly speaking, we can say that the ring Zm is
the set of integers {0,1,2, . . . ,m−1} in which we can add,
subtract, multiply, and sometimes divide.
 As mentioned earlier, the ring Zm , and thus integer arithmetic
with the modulo operation, is of central importance to modern
public-key cryptography.
 In practice, the integers involved have a length of 150–4096
bits so that efficient modular computations are a crucial
aspect.
 67 10/23/2020

1.4.3 Shift Cipher (or Caesar Cipher)

 The shift cipher is actually a special case of the substitution
cipher and has a very elegant mathematical description.
 The shift cipher itself is extremely simple: We simply shift
every plaintext letter by a fixed number of positions in the
alphabet.
 For instance, if we shift by 3 positions, A would be substituted
by d, B by e, etc.
 The only problem arises towards the end of the alphabet: what
should we do with X, Y, Z ?
 As you might have guessed, they should “wrap around”. That
means X should become a, Y should become b, and Z is
replaced by c.
 68 10/23/2020

Shift Cipher (2)

 The shift cipher also has an elegant description using modular
arithmetic.
 For the mathematical statement of the cipher, the letters of the
alphabet are encoded as numbers, as depicted in Table 1.3.
 69 10/23/2020

Shift Cipher (3)

 Both the plaintext letters and the ciphertext letters are now
elements of the ring Z26.
 Also, the key, i.e., the number of shift positions, is also in Z26
since more than 26 shifts would not make sense.
70 10/23/2020
 71 10/23/2020

Is Shift Cipher Secure?

 The shift cipher is not secure at all.
 There are two ways of attacking it:
1. Since there are only 26 different keys (shift
positions), one can easily launch a brute-force attack by
trying to decrypt a given ciphertext with all possible 26
keys. If the resulting plaintext is readable text,
you have found the key.
2. As for the substitution cipher, one can also use
letter frequency analysis.
 72 10/23/2020

1.4.4 Affine Cipher

 The affine cipher encrypts by multiplying the plaintext by one
part of the key followed by addition of another part of the key.
 73 10/23/2020

Choosing of parameter “a”

 The restriction gcd(a,26) = 1 comes from the fact that
the key parameter a needs to be inverted for
decryption.
 We recall from Sect. 1.4.2 that an element a and the
modulus must be relatively prime for the inverse of a
to exist.
 Thus, a must be in the set:

a∈ {1,3,5,7,9,11,15,17,19,21,23,25}
 74 10/23/2020

Computing a−1
 But how do we find a−1? For now, we can simply
compute it by trial and error:
 For a given a we simply try all possible values a−1
until we obtain: a · a−1 ≡ 1 mod 26
 For instance, if a = 3, then a−1 = 9 since 3 · 9 = 27
≡ 1 mod 26.
75 10/23/2020
 76 10/23/2020

Is the affine cipher secure?

 No! The key space is only a bit larger than in the case of the
shift cipher:
 key space = (#values for a)×(#values for b) = 12×26 = 312
 A key space with 312 elements can, of course, still be
searched exhaustively, i.e., brute-force attacked, in a fraction
of a second with current desktop PCs.
 In addition, the affine cipher has the same weakness as the
shift and substitution cipher: The mapping between plaintext
letters and ciphertext letters is fixed.
 Hence, it can easily be broken with letter frequency analysis.
 77 10/23/2020

Lessons Learned