Cryptography Overview: John Mitchell
Cryptography Overview: John Mitchell
Cryptography Overview
John Mitchell
Caesar cipher
German Enigma
Information theory
Claude Shannon
Complexity theory
hard PSpace
NP
BPP
easy
25
Elliptic curves
20
15
10
0
0 2 4 6 8 10 12 14 16 18 20
Cryptography
Is
A tremendous tool
The basis for many security mechanisms
Is not
The solution to all security problems
Reliable unless implemented properly
Reliable unless used properly
Something you should try to invent yourself unless
you spend a lot of time becoming an expert
you subject your design to outside review
Basic Cryptographic Concepts
Encryption scheme:
functions to encrypt, decrypt data
Symmetric encryption
Block, stream ciphers
Hash function, MAC
Map any input to short hash; ideally, no collisions
MAC (keyed hash) used for message integrity
Public-key cryptography
PK encryption: public key does not reveal key-1
Signatures: sign data, verify signature
Example: network transactions
No eavesdropping
No tampering
File 2
k k
E, D: cipher k: secret key (e.g., 128 bits)
m, c: plaintext, ciphertext n: nonce (aka IV)
Vernam (1917)
Key: 0 1 0 1 1 1 0 0 1 0
Plaintext: 1 1 0 0 0 1 1 0 0 0
Ciphertext: 1 0 0 1 1 0 1 0 1 0
Shannon ‘49:
OTP is “secure” against ciphertext-only attacks
Stream ciphers (single use key)
c PRBG(k) m
PRBG
message
ciphertext
C1 m1 PRBG(k)
C2 m2 PRBG(k)
Eavesdropper does:
C1 C2 m1 m2
k k
Key k Bits
Canonical examples:
1. 3DES: n= 64 bits, k = 168 bits
2. AES: n=128 bits, k = 128, 192, 256 bits
IV handled as part of PT block
Building a block cipher
Input: (m, k)
Repeat simple mixing operation several times
DES: Repeat 16 times:
mL mR
mR mLF(k,mR)
key expansion
k1 k2 k3 kn
R(k1, )
R(k2, )
R(k3, )
R(kn, )
m c
CT: c1 c2
Problem:
if m1=m2 then c1=c2
In pictures
Correct use of block ciphers I: CBC mode
E a secure PRP. Cipher Block Chaining with IV:
ciphertext
Q: how to do decryption?
Use cases: how to choose an IV
Single use key: no IV needed (IV=0)
IV′
ciphertext
In pictures
Correct use of block ciphers II: CTR mode
AES 128/128 61
IDEA 64/128 19
SHACAL-2 512/128 20
Hash functions and
message integrity
Cryptographic hash functions
Length-reducing function h
Map arbitrary strings to strings of fixed length
One way (“preimage resistance”)
Given y, hard to find x with h(x)=y
Collision resistant
Hard to find any distinct m, m’ with h(m)=h(m’)
Also useful: 2nd preimage resistance
Given x, hard to find x’x with h(x’)=h(x)
Collision resistance 2nd preimage resistance
Applications of one-way hash
Password files (one way)
Digital signatures (collision resistant)
Sign hash of message instead of entire message
Data integrity
Compute and securely store hash of some data
Check later by recomputing hash and comparing
Keyed hash for message authentication
MAC – Message Authentication Code
Message Integrity: MACs
Goal: message integrity. No confidentiality.
ex: Protecting public binaries on disk.
k k
Message m tag
Alice Bob
Raw CBC
H: hash function.
example: SHA-256 ; output is 256 bits
IV H(m)
h h h h
F(k1,) tag
Why are these MAC constructions secure?
… not today – take CS255
Msg M MAC
Recent developments: OCB
offset codebook mode
Rogaway, …
Public-key Cryptography
Complexity Classes
hard PSpace
Answer in polynomial space
may need exhaustive search
NP
If yes, can guess and check in
polynomial time
P
Answer in polynomial time
easy compute answer directly
Example: RSA
Arithmetic modulo pq
Generate secret primes p, q
n
Generate secret numbers a, b with xab x mod pq
Public encryption key n, a
Encrypt(n, a, x) = xa mod n
Private decryption key n, b
Decrypt(n, b, y) = yb mod n
Main properties
This appears to be a “trapdoor permutation”
Cannot compute b from n,a
Apparently, need to factor n = pq
Why RSA works (quick sketch)
Let p, q be two distinct primes and let n=p*q
Encryption, decryption based on group Zn*
For n=p*q, order (n) = (p-1)*(q-1)
Proof: (p-1)*(q-1) = p*q - p - q + 1
+ H
Check pad
on decryption.
Reject CT if invalid. G +
{0,1}n-1
Plaintext to encrypt with RSA
If RSA is trapdoor permutation, then this is chosen-ciphertext
secure (if H,G “random oracles”)
In practice: use SHA-1 or MD5 for H and G
Digital Signatures
Public-key encryption
Alice publishes encryption key
Anyone can send encrypted message
Only Alice can decrypt messages with this key
Digital signature scheme
Alice publishes key for verifying signatures
Anyone can check a message signed by Alice
Only Alice can send signed messages
Properties of signatures
Functions to sign and verify
Sign(Key-1, message)
Resists forgery
Cannot compute Sign(Key-1, m) from m and Key
Resists existential forgery:
given Key, cannot produce Sign(Key-1, m)
for any random or arbitrary m
RSA Signature Scheme
Publish decryption instead of encryption key
Alice publishes decryption key
Anyone can decrypt a message encrypted by Alice
Only Alice can send encrypt messages
In more detail,
Alice generates primes p, q and key pair a, b
Sign(x) = xa mod n
Verify(y) = yb mod n
Since ab 1 mod (n), have xab x mod n
C
Secret key K
encrypted with
server’s key Ks
S
switch to negotiated cipher
data transmission
Crypto Summary
Encryption scheme:
functions to encrypt, decrypt data
Symmetric encryption
Block, stream ciphers
Hash function, MAC
Map any input to short hash; ideally, no collisions
MAC (keyed hash) used for message integrity
Public-key cryptography
PK encryption: public key does not reveal key-1
Signatures: sign data, verify signature
Limitations of cryptography
Most security problems are not crypto problems
This is good
Cryptography works!
This is bad
People make other mistakes; crypto doesn’t solve them
baptised as Jean-Guillaume-Hubert-Victor-François-
Alexandre-Auguste Kerckhoffs von Nieuwenhof
Example cryptosystems
One-time pad
“Theoretical idea,” but leads to stream cipher
Feistel construction for symmetric key crypto
Iterate a “scrambling function”
Examples: DES, Lucifer, FREAL, Khufu, Khafre, LOKI,
GOST, CAST, Blowfish, …
AES (Rijndael) is also block cipher, but different …
Complexity-based public-key cryptography
Modular exponentiation is a “one-way” function
Examples: RSA, El Gamal, elliptic curve systems, ...
Symmetric Encryption
Encryption keeps communication secret
Encryption algorithm has two functions: E and D
To communicate secretly, parties share secret key K
Given a message M, and a key K:
M is known as the plaintext
E(K,M) → C (C known as the ciphertext)
D(K, C) → M
Attacker cannot efficiently derive M from C without K
Note E and D use same key K
Reason for the name “symmetric encryption”
One-time pad
Share a random key K
Encrypt plaintext by xor with sequence of bits
encrypt(key, text) = key text (bit-by-bit)
Decrypt ciphertext by xor with same bits
decrypt(key, text) = key text (bit-by-bit)
Advantages
Easy to compute encrypt, decrypt from key, text
This is an information-theoretically secure cipher
Disadvantage
Key is as long as the plaintext
How does sender get key to receiver securely?
Scheme requires
L i-1 R i-1 Function f(Ri-1 ,Ki)
Computation for Ki
f Ki e.g., permutation of key K
Advantage
Systematic calculation
Easy if f is table, etc.
Invertible if Ki known
Get Ri-1 from Li
Li R i
Compute f(R i-1 ,Ki)
Compute Li-1 by
Data Encryption Standard
Developed at IBM, some input from NSA, widely used
Feistel structure
Permute input bits
Repeat application of a S-box function
Apply inverse permutation to produce output
Worked well in practice (but brute-force attacks now)
Efficient to encrypt, decrypt
Not provably secure
Improvements
Triple DES, AES (Rijndael)
Block cipher modes (for DES, AES, …)
IV
No apparent pattern
Structure of AES
RC4 stream cipher – “Ron’s Code”
Design goals (Ron Rivest, 1987):
speed
support of 8-bit architecture
simplicity (circumvent export regulations)
Widely used
SSL/TLS
Windows, Lotus Notes, Oracle, etc.
Cellular Digital Packet Data
OpenBSD pseudo-random number generator
RSA Trade Secret
History
1994 – leaked to cypherpunks mailing list
1995 – first weakness (USENET post)
1996 – appeared in Applied Crypto as “alleged RC4”
1997 – first published analysis
state 000111101010110101
plain text plain text
=
cipher text cipher t
Recommendation
Discard the first 256 bytes of RC4 output [RSA, MS]
(all arithmetic mod 256)
Complete Algorithm
Key scheduling
for i := 0 to 255 S[i] := i
0 1 2 3 4 5 6 …
j := 0
for i := 0 to 255 Permutation of 256
j := j + S[i] + key[i] bytes, depending on key
swap (S[i], S[j])
2 123 134 24 1 218 53 …
i, j := 0
repeat Random generator
i := i + 1
j := j + S[i]
swap (S[i], S[j]) 2 123 134 24 9 218 53 …
output (S[ S[i] + S[j] ]) i j
+24
Example use of stream cipher?
Share secret s with web vendor
Exchange payment information as follows
Send: E(s, “Visa card #3273. . . ”)
Receive: E(s, “Order confirmed, have a nice day”)
Now eavesdropper can’t get out your Visa #
Wrong!
Suppose attacker overhears
c1 = Encrypt(s, “Visa card #3273. . . ”)
c2 = Encrypt(s, “Order confirmed, have a nice day”)
Now compute
m ← c1 ⊕ c2 ⊕ “Order confirmed, have a nice day”
Lesson: Never re-use keys with a stream cipher
Basic problem with one-time pads
This is why they’re called one-time pads
Public-key Cryptosystem
Trapdoor function to encrypt and decrypt
encrypt(key, message)
key pair
decrypt(key -1, encrypt(key, message)) = message
Resists attack
Cannot compute m from encrypt(key, m) and key,
unless you have key-1
Iterated hash functions
Repeat use of block cipher or custom function
Pad input to some multiple of block length
Iterate a length-reducing function f
f : 22k -> 2k reduces bits by 2 x
Repeat h0= some seed
Pad to x=x1x2 …xk
hi+1 = f(hi, xi)
xi
Some final function g
completes calculation f(xi-1) f
g
MAC: Message Authentication Code
General pattern of use
Sender sends Message and M1 = MAC(Message)
Receiver receives both parts
Receiver computes M2 = MAC(Message)
If M2 == M1, data is valid
If M2 != M1, data has been corrupted
IV=0
Low overhead
opad, ipad are constants