Real scripts backgrounder 3 - Polyalphabetic encipherment - XOR as a cipher - RSA algorithm. David Morgan

Transcription

1 Real scripts backgrounder 3 - Polyalphabetic encipherment - XOR as a cipher - RSA algorithm David Morgan

2 XOR as a cipher

3 Bit element encipherment elements are 0 and 1 use modulo-2 arithmetic Example: message stream key stream resulting ciphertext

4 XOR - frequent appearances XOR is often the operation when the data is binary

5 Binary XOR operation XORing a bit with 1 inverts it XORing a bit with 0 leaves it alone XORing with 1: 1 XOR 1 is 0 0 XOR 1 is 1 XORing with 0: 1 XOR 0 is 1 0 XOR 0 is 0

6 XOR is mod2 addition XORing with 1: 1 XOR 1 is 0 0 XOR 1 is 1 XORing with 0: 1 XOR 0 is 1 0 XOR 0 is 0 same thing adding 1 mod2: = = 1 adding 0 mod2: = = 0

7 XOR twice with same bit leaves input as is by inverting twice (if XORing with 1) changes it, changes it back, or by inverting never (if XORing with 0) XORing twice with 1: 1 XOR 1 is 0 0 XOR 1 is 1 0 XOR 1 is 1 1 XOR 1 is 0 XORing twice with 0: 1 XOR 0 is 1 1 XOR 0 is 1 0 XOR 0 is 0 0 XOR 0 is 0 or: ( A XOR B ) XOR B = A

8 double XOR = alteration & restoration input: XOR with: result: above result: again with: above input:

9 XOR becomes a symmetric stream cipher plaintext: key: ciphertext: ciphertext: same key: plaintext:

10 XOR operation XORing key with plaintext yields ciphertext (that s called encryption) XORing key with ciphertext yields plaintext (that s called decryption) and also XORing plaintext and ciphertext yields key

11 If key is random, so is ciphertext plaintexta: keya: ciphertext: plaintextb: keyb: ciphertext: The (single) ciphertext shown is representative of both plaintexts, given the corresponding key. A key can be constructed to convert any plaintext to this same ciphertext. Attacker must ask which key was actually used, to arrive at the actual plaintext. If key is produced randomly, he has no basis to choose any particular key therefore none to choose the actual one.

12 For unbreakability keystream must be as long as the plaintext keystream elements must be random same keystream must never be re-used possession of 2 ciphertexts from same keystream facilitates recovering it same keystream must be shared by encryptor and decryptor

13 One-time pad this technique is called one-time pad (sometimes one-time tape or one-time key) random keystreams were written on paper pads each sheet to be used, torn off, and destroyed paper tapes were used later it is the only unbreakable cipher unless misued Soviet codes broken due to pad/keystream re-use (Venona project)

14 XOR based one-time pad XOR needs a random stream producer rc4 is (nearly) that

15 rc4 a stream cipher rc4 serves as a keystream machine, an endless font of utility data "RC4 generates a pseudorandom stream of bits (a keystream). As with any stream cipher, these can be used for encryption by combining it with the plaintext"

16 How to achieve keystream sharing physically secure hand delivery rc4 keystream reproducible on demand with a given key don t share the keystream, share the key that produces it shifts (and reduces) the keystream distribution problem to a key distribution problem

17 Polyaphabetic encipherment

18 Demo trying to thwart frequency analysis plain text exhibits letter frequency patterns monoalphabetic substitution preserves patterns polyalphabetic substitution destroys them

19 Occurrence of English letters

20 Occurrence of letters: Gettysburg address

21 Occurrence of letters: Gettysburg address thru Caesar cipher (monoalphabetic) Letters changed but statistical pattern preserved

22 Occurrence of letters: Gettysburg address thru differently sequenced* monoalphabetic cipher *the substitution mapping, unlike that of Caesar cipher, doesn t preserve the letters in the same sequence as that of the alphabet. They re all there, but in reassigned positions. This mapping was: bdfhjlnprtvxzacegikmoqsuwy e became j, t became m, etc (seen in both the mapping and the chart)

23 Polyalphabetic* * ciphering Vigenere table, mod26 arithmetic helper encrypt - take plaintext letter in the column header, key letter in row header. Ciphertext letter at intersection. decrypt - take key letter in the row header, find ciphertext letter in that row. Plaintext letter at that column's header. *use many alphabets-- different ones for determining what to substitute for each letter in the plaintext. Without resequencing letters, there are 25 other alphabets readily available. How many alphabets exist, altogether, if we do allow resequencing? 26*25*24* = 26! = 4.03 x A B C D E F G H I J K L M N O P Q R S T U V W X Y Z A A B C D E F G H I J K L M N O P Q R S T U V W X Y Z B B C D E F G H I J K L M N O P Q R S T U V W X Y Z A C C D E F G H I J K L M N O P Q R S T U V W X Y Z A B D D E F G H I J K L M N O P Q R S T U V W X Y Z A B C E E F G H I J K L M N O P Q R S T U V W X Y Z A B C D F F G H I J K L M N O P Q R S T U V W X Y Z A B C D E G G H I J K L M N O P Q R S T U V W X Y Z A B C D E F H H I J K L M N O P Q R S T U V W X Y Z A B C D E F G I I J K L M N O P Q R S T U V W X Y Z A B C D E F G H J J K L M N O P Q R S T U V W X Y Z A B C D E F G H I K K L M N O P Q R S T U V W X Y Z A B C D E F G H I J L L M N O P Q R S T U V W X Y Z A B C D E F G H I J K M M N O P Q R S T U V W X Y Z A B C D E F G H I J K L N N O P Q R S T U V W X Y Z A B C D E F G H I J K L M O O P Q R S T U V W X Y Z A B C D E F G H I J K L M N P P Q R S T U V W X Y Z A B C D E F G H I J K L M N O Q Q R S T U V W X Y Z A B C D E F G H I J K L M N O P R R S T U V W X Y Z A B C D E F G H I J K L M N O P Q S S T U V W X Y Z A B C D E F G H I J K L M N O P Q R T T U V W X Y Z A B C D E F G H I J K L M N O P Q R S U U V W X Y Z A B C D E F G H I J K L M N O P Q R S T V V W X Y Z A B C D E F G H I J K L M N O P Q R S T U W W X Y Z A B C D E F G H I J K L M N O P Q R S T U V X X Y Z A B C D E F G H I J K L M N O P Q R S T U V W Y Y Z A B C D E F G H I J K L M N O P Q R S T U V W X Z Z A B C D E F G H I J K L M N O P Q R S T U V W X Y

24 Occurrence of letters: Gettysburg address thru polyalphabetic ciphers Each time you remap a letter: shift mapping alphabet fwd 1 letter, or shift mapping alphabet back 1 letter, or randomly generate a whole new one Letters changed and statistical pattern destroyed

25 RSA

26 Several algorithms with public-key properties RSA ElGamal DSA Rivest, Shamir, Adelman; MIT Taher ElGamal, Netscape NSA, NIST

27 RSA key generation steps 1. choose 2 primes call them p, q 2. multiply them call product n 3. multiply their predecessors (p-1,q-1) call product φ 4. pick some integer call it e between 1 and φ (exclusive) sharing no prime factor with φ 5. find the integer (there s only one) that call it d times e divided by φ leaves 1 then your keys are: public: e together with n (e is for encryption ) private: d together with n (d is for decryption )

28 Encrypting with public key {e,n} ( c = m e mod n ) 1. choose a cleartext message call it m in the form of a number less than n 2. raise it to power e 3. divide that by n call remainder c then your ciphertext result is c

29 Decrypting with private key {d,n} ( m = c d mod n ) 1. take ciphertext c 2. raise it to power d 3. divide that by n call remainder r then your recovered result is r r is identically the original cleartext message m

30 How will we do keygen step 4? 1. choose 2 primes easy 2. multiply them easy 3. multiply their predecessors (p-1,q-1) easy 4. pick some integer e not easy between 1 and φ (exclusive) sharing no prime factor with φ 5. find the integer d (there s only one) that not easy times e divided by φ leaves 1 then your keys are: public: e together with n (e is for encryption ) private: d together with n (d is for decryption )

31 Numbers sans common prime factor numbers whose gcd * is 1 will do find x such that gcd(x, φ)=1 how do we find gcd of 2 numbers Euclid s algorithm * greatest common divisor

32 How will we do keygen step 5? 1. choose 2 primes easy 2. multiply them easy 3. multiply their predecessors (p-1,q-1) easy 4. pick some integer e not easy between 1 and φ (exclusive) sharing no prime factor with φ 5. find the integer d (there s only one) that not easy times e divided by φ leaves 1 then your keys are: public: e together with n (e is for encryption ) private: d together with n (d is for decryption )

33 Successively test candidates multiply each integer, from 1, by e divide by φ check if remainder is 1 keep going till you find the one that is

34 RSA key generation example 1. choose 2 primes p=5 q=11 2. multiply them n=55 3. multiply their predecessors (p-1,q-1) φ=40 4. pick some integer e=3 between 1 and φ (exclusive) sharing no prime factor with φ 5. find the integer (there s only one) that d=27 times e divided by φ leaves 1 then your keys are: public: e together with n 3, 55 private: d together with n 27, 55

35 Encrypting with public key {e,n} ( c = m e mod n ) e = 3 n = choose a cleartext message m=7 in the form of a number less than n 2. raise it to power e 7 3 = divide that by n 343 = 55x6+13 then your ciphertext result is c c=13

36 Decrypting with private key {d,n} ( m = c d mod n ) d = 27 n = take ciphertext c raise it to power d = divide that by n = 55 x then your recovered result is r r=7 r is identically the original cleartext message m

37 How to encrypt messages? RSA doesn t encrypt messages only individual numbers but all digital data is numeric so split arbitrary data into small-enough bit blocks, then treat them individually how? any way it can be done, doesn t matter in theory up to you

38 Blocking data - possibility 1 RED APPLE = use 3-decimal-digit blocks separately encrypt: be prepared for maximum ~ 999 minimum φ 1000, eg p=31 q=37

39 Blocking data - possibility 2 ABC = use 12-bit blocksize separately encrypt: be prepared for maximum 4096 minimum φ 4097, eg p=67 q=71

40 Some considerations RSA key size refers to n p and q should be about equal length but not extremely close (eg avoid successive primes) larger key, slower operation double n pubkey ops 2x slower, privkey 4x e can stay fixed while n rises, but d up proportionately practical keylengths, 1024 or 2048 bits RSA and DES per-keylength security comparisons apples and oranges

41 Info sources - RSA RSA and A Miniature RSA Example Exploring RSA Encryption, Linux Journal