Goals of Cryptography. Definition of a Cryptosystem. Security Kerckhoff's Requirements

Transcription

1 Goals of Cryptography Chapter : Security Techniques Background Secret Key Cryptography Public Key Cryptography Hash Functions Authentication Chapter 3: Security on Network Transport Layer Chapter 4: Security on the Application Layer Chapter 5: Security Concepts for Networks : Secret Key Cryptography Cryptosystes Historical approaches Strea Ciphers Block ciphers Secrecy of data essages Only authorized people should be able to read the data Authentication of participants essages Is a user really the one he pretends to be? 3 Anonyity of participants Anonyity of sender /or receiver for third parties Fundaental ters A(lice: Sender of a essage B(ob: Recipient of a essage O(scar: Opponent, attacker on a essage Page Page Definition of a Cryptosyste Security Kerckhoff's Requireents A cryptosyste is a fivetuple (P,C,K,E,D, where the following conditions are satisfied: P is a finite set of possible plaintexts C is a finite set of possible cipher texts K, the key space, is a finite set of possible keys For each k K, there is an encryption rule e k E a corresponding decryption rule d k D Each e k :P C d k :C P are functions such that d k (e k (x=x for every plaintext x P The lastentioned property is the ain property: if a plaintext s encrypted using e k the resulting cipher text is subsequently decrypted using d k, then the original plaintext x results A cryptosyste is called breakable, if a third party is able to recover the plaintext fro a given cipher text without knowledge of the key A set of general cryptosyste requireents are given by Kerckhoff's requireents (883: The syste should be, if not theoretically unbreakable, unbreakable in practice (tie effort, cost, Coproise of the syste details should not inconvenience the correspondents The key should be reeberable without notes, easily changed The cryptogra should be transissible by telegraph The encryption apparatus should be portable operable by a single person The syste should be easy, requiring neither the knowledge of a long list of rules, nor ental strain Page 3 Page 4

2 Classification of Attackers Historical Cryptosystes Cipher textonly: Oscar possesses a string y of the cipher text Known plaintext: Oscar possesses a string x of the plaintext the corresponding cipher text y The proble now is to find out the key which produces y for x 3 Chosen plaintext: Oscar has access to the encryption achinery Hence he can chose a plaintext string x construct the corresponding cipher text string y 4 Chosen cipher text: Oscar has access to the decryption achinery Hence, he can chose a cipher text string y construct the corresponding plaintext string x Monoalphabetic cipher: Each alphabetic character is apped onto a unique alphabetic character Exaples: Shift Cipher, Substitution Cipher, Affine Cipher Polyalphabetic cipher: Each alphabetic character is apped onto various alphabetic characters Exaples: Vigenere Cipher, Hill Cipher, Perutation Cipher Cryptosystes are classified regarding the protection against attackers of these classes: is the iniu requireent on a odern cryptosyste 3 4 are hard tests on a odern cryptosyste Page 5 Page 6 Shift Cipher Substitution Cipher Idea: Map each character x on that character which follows x by a given nuber k of positions Let P = C = K = Z n = {0,,, n} For k K, define e k (x = x + k od n d k (y = y k od n where x,y Z n Idea: use a perutation over the set of characters as key to get a ore flexible schee as in the shift cipher Let P = C = Z n, K = S(Z n (set of perutations over Z n For each perutation p K, define e p (x = p(x, d p (y = p (y where p is the inverse perutation to p, x,y Z n Exaple: n=6, k=3 Encrypt: hello (7,4,,,4 to KHOOR (0,7,4,4,7 This special cipher (k=3 is called Caesar Cipher, because it is said that Julius Caesar used it Exaple: n=6 p: a F n K b G o Y c N p W d E q V e A r C f T s P g X t J h Z u L i O v S I w D k Q x M l B y U H z R coputerscience NYHWLJACPNOAKNA Page 7 Page 8

3 Affine Cipher Idea: cobination of a shift cipher a special perutation, ade by a ultiplication with a constant relatively prie to n Let P = C = Z n K = {(a, b Z n Z n : gcd(a, n = } For k = (a, b K, define y = e k (x = ax + b od n x = d k (y = a (y b od n, where x,y Z n Exaple: n = 6, k=(7,5 hello MROOJ (7,4,,,4 (,7,4,4, od 6 = 64 od 6 = od 6 = 43 od 6 = od 6 = 9 od 6 = od 6 = 3 od 6 = 9 Page 9 Vigenere Cipher Idea: usage of several keys to encrypt blocks of characters Thus, the sae character of plaintext is apped onto several characters in cipher text Exaple: n = 6, =5, k=(7,4,,,4 (Keyword: hello Plaintext: chine sepeo ple (,7,8,3,4; (8,4,5,4,4; (5,,4 Adding: Let be a positive integer, P = C = K = (Z n For a key k = (k,k,,k, define e k (x,,x = (x + k,,x + k d k (y,,y = (y k,,y k, where all operations are perfored in Z n Ciphertext: JLTYS ZIAPC WPP Page 0 Hill Cipher Idea: usage of several keys to encrypt blocks of characters Instead of using a vector of keys, construct a atrix with certain properties Perutation Cipher Idea: use a perutation, but do not perute the characters, but their position Let be a positive integer, K = { invertible atrices over Z n } = {A Z n gcd(det(a,n = }, P = C = (Z n For a key k K, we define e k (x = xk od n d k (y = yk od n, where x, y Z n Exaple: n=37, =, P=C={0,,9,_,a,,z}, 3 3 plaintext: good = (7,5,5,4, k = = 5 ( 7,5 ( 9,4 3 3 = 5 ( 5,4 ( 3,7 Cipher text: 94CG Let be a positive integer, P = C = (Z n, K=S({,,} For a key (a perutation p K, we define e p (x,,x = (x p(,,x p( d p (y,,y = (y s(,,y s( where s = p is the inverse perutation of p Exaple: n=37, P=C={0,,9,_,a,,z}, = 5 Plaintext: [she_i s_bea utifu l] Key = (,4,,5,3 Cipher text: [_EISH EBAS_ FIUUT L_] Page Page

4 Breaking Monoalphabetic Ciphers Statistical Characteristics of English Language Monoalphabetic ciphers preserve the frequency of alphabetic characters, pairs, etc Identify alphabetic characters due to their frequency Method to decipher natural languages: Deterine frequency of alphabetic characters of the cipher text Identify alphabetic characters according to their frequency: e, n, i, s, r, a, t (in Gerany: e, n, r, i, s, t, u, d, a, g, l, o, Deterine frequency of pairs Identify eg er to distinguish between er es 3 Look at identified text, resubstitute, guess, Solution: extension of alphabet, eg Data Encryption Stard (DES: 64 characters letter a b c d e f g h i k l probability letter n o p q r s t u v w x y z probability Partition into five groups: E, having probability about 0 T,A,O,I,N,S,H,R, each having probabilities between D,L, each having probabilities around C,U,M,W,F,G,Y,P,B, each having probabilities between V,K,J,X,Q,Z, each having probabilities less than 00 Digra frequencies th he an in er re Page 3 Page 4 Exaple: Cipher Text fro Affine Cipher Secrecy of Cryptosystes: Entropy Cipher text: FMXVEDKAPHFERBNDKRXRSREFMORUDSDKDVSHVUFEDKAPRKDLYEVLRHHRH letter frequency a b c d 7 e 5 f 4 g h 5 Guess: R (8 occurrences is encryption of e D (7 occurrences is encryption of t e k (4 = 7, e k (9 = 3 4a + b = 7, 9a + b = 3 a = 6, b = 9 d k (y = 9y 9 Plaintext: algorithsarequitegeneraldefinitionsofaritheticprocesses i k 5 l n o p q r 8 s 3 t u v 4 w x y z Page 5 Entropy: atheatical easure of inforation or uncertainty An event occurring with probability p ight be encoded by a bit string of approxiate length log c p Let X { x,, x }, P be an ro variable which takes on a finite set of ( X = x = p Entropy of X : the distribution of X a constant c >, with p H( X = 0 = for =,,, p log p c = p = values Reark: c characterises the nuber of values for eleents to be encoded Noral case: c =, ie x {0, } Exaple: let c =, = 8, p = = p 8 = 05 H(X = 8 (05 log 05 = log 05 = 3 You need 3 binary values to encode (identify one of the 8 characters Page 6

5 Perfect Security Perfect Security Properties A cryptosyste has perfect security, if the probability for the plaintext to be s independent of having observed the ciphered text to be y Let (P,C,K,E,D be a cryptosyste, P = {x,,x }, K = {k,, k l }, C = {y,,y n } P: (W,A,P P ro variable, P(P= = p i K: (W,A,P K ro variable, P(K=k = q The distribution of C=e(M,K is defined as P( C = y = r = p q i i, : e( xi, k = y Definition: A cryptosyste (P,C,K,E,D has perfect security, if H(M C = H(M Let (P,C,K,E,D be an cryptosyste with P(P=x > 0 for all x P, P(K=k > 0 for all k K, C = {e(x,k x P, k K} P = K Then: (P,C,K,E,D has perfect security, if P(K=k = for all k K K for all x P, y C exists exactly one k K: e(x,k = y Exaple: let M = K = C = {A,,Z}, define e k (x = x + k od 6, d k (y = y k od 6 If P(K=k = K then the cryptosyste has perfect security (for exactly one letter Page 7 Page 8 Strea Ciphers Structure of Strea Ciphers Advanced ciphering ethod: strea ciphers Strea ciphers encrypt a data strea as it coes in Key is as long as the data strea Exaple: Red Telephone between Moskov Washington is secured with a strea cipher Practical Methods: Synchronous strea cipher Selfsynchronising strea cipher Linear Feedback Shift Registers Idea: convert a strea of plain text into a strea of cipher text by cobining it with a keystrea as long as the plain text Proble: how to produce keystreas? initial state internal state next state function output function keystrea plaintext c i cipher text key k plaintext Define initial state for keystrea Define 'next state' function: cobine the current keystrea eleent with the key k previous cipher text characters Output function can further odify the internal state Encrypt each character of plaintext with a character of the keystrea, eg by XOR ( Page 9 Page 0

6 Definition of Strea Ciphers Autokey Cipher (Siplest Strea Cipher A Strea Cipher is a tuple (P,C,K,L,F,E,D, where the following conditions are satisfied: P is a finite set of possible plaintexts C is a finite set of possible cipher texts K, the keyspace, is a finite set of possible keys L is a finite set called the keystrea alphabet F = (f, f, is the keystrea generator For i, f i : K P i L For each z L, there is an encryption rule e z E a corresponding decryption rule d z D e z : P C d z : C P are functions such that d z (e z (x = x for every plaintext x P Idea: use key k as initial state for the first character For each following character, use the previous one for encryption Encryption is ade like in shift cipher Let P = C = K = L = Z n, z = k, + = For 0 z < n define e z (x = x + z od n d z (y = y z od n, where x,y Z n Principle: plaintext strea: x x x 3 x r encoding + k x x x r cipher strea: c c c 3 c r decoding k x x x r receiver gets: x x x 3 x r Exaple: n = 6, k = 4, plaintext thisisinsecure As strea of integers: Keystrea: Cipher text: HAPAAAAVFWGWBV Page Page Verna Cipher Security Probles of Verna Cipher Idea: use a special case of the Vigenere Cipher Choose a vector of keys as long as the plaintext In the ideal case, the key is a roly generated strea Let P = C = K = L = Z n For each z L, 0 < n: p( z = = define e z (x = x + z od n d z (y = y z od n, where x,y Z n n Exaple: n = Plaintext: Key: Cipher Text: Proble: if sae key is used twice, the Verna Cipher is insecure Let x = (,, s, x = (n,, n s, k = (z,, z s, y l = (c,, c s = ( + z,, s + z s y = (d,, d s = (n + z,, n s + z s Then for all i =,, s: ( ci di od 6 = (( i + zi od 6 ( ni + zi od 6 = ( n od 6 Solution: Onetie Pad any key is used only once i i Decrypt x x at the sae tie by using differences of coon letters Page 3 Page 4

7 Proble: Key Distribution OnetiePad is perfectly secure But how can the roly chosen key be counicated to the receiver? New proble: Transport of the key is as difficult as the transport of the essage! Solution: Usage of pseudorogenerators Best known: x 0 is starting value + = a + b od, for a, b suitably chosen Looks roly, but is absolutely not ro if x 0 is known Synchronous strea cipher Selfsynchronising strea cipher Linear feedback shift register But: Systes are no longer perfectly secure! Synchronous Strea Cipher Characteristics: Keystrea is generated independently fro cipher strea Key k is exped into a keystrea z z z 3 internal state next state function output function keystrea plaintext c i cipher text key k plaintext The keystrea generators on sender receiver side ust be synchronised: if one bit is lost, on receiver side all following bits are decrypted incorrectly No propagation of transission errors: only the garbled bit is decrypted incorrectly Protection against insertion deletion in the cipher text, because these would cause a loss of synchronisation Page 5 Page 6 Generating a Keystrea for Synchronous Strea Ciphers Siple exaples for keystrea ciphers are: Shift Cipher Use a constant keystrea with z = z = z 3 Vigenere Cipher For k = (k,, k repeat key eleents with period = + k is the start vector But: practical keystreas ust have a long period Use Vigenere Cipher with k = (k,, k Keystrea could be generated by + = + + od n Exaple: = 4, n =, k = (, 0, 0, 0 With +4 = + + od generate keystrea:, 0, 0, 0,, 0, 0,,, 0,, 0,,,, Page 7 SelfSynchronising Strea Ciphers key k Characteristics: Each keystrea bit is a function of the previous n cipher text bits The key k further odifies the output of the keystrea generator initial state internal state next state function output function keystrea plaintext c i cipher text Usage of a nbit header roly generated; after this header, both keystrea generators are synchronised Decryption keystrea generator autoatically synchronises with encryption keystrea generator Error propagation: for each cipher text bit gabled, the decryption keystrea generator produces n incorrect keystrea bits Page 8

8 Linear Feedback Shift Registers (LFSR Shift Register for Keystrea Generation Idea: Generate keystrea by use of shift registers of length As initial state, use a key k = (k,, k Siplest exaple: Autokey Cipher for = Generation of keystrea in three stages: k is used as next keystrea bit k,, k are shifted one stage to the left 3 Copute the new value of k by a 'linear feedback': = 0 a k + The values a {0, } are coefficients which deterine, which k are to be considered for coputing k k = For achieving a long period: see LFSR as polynoial Degree of polynoial is length of shift register: k k 4 x 4 + k 3 x 3 + k x k k 3 k 4 + k x + For a axialperiod LFSR, the polynoial fored by the shift register plus the constant ust be a priitive polynoial od Priitive polynoial of degree n: irreducible polynoial that divides x n +, but not x d + for any d that divides n Exaple: = 4 Actual keystrea bit k k k 3 k Cobine several shift registers for longer periods Exaples: Geffe Generator, Alternating StopGo Generator Page 9 Page 30 Geffe Generator Alternating StopGo Generator Characteristics: Keystrea generator using 3 LFSRs, cobined in nonlinear anner Two LFSRs are input to a ultiplexer One LFSR controls output If a, a, a 3 are outputs of the LFSRs, the overall output is b = (a a ( (a a 3 Characteristics: Keystrea generator using 3 LFSRs of different length LFSR is clocked when the output of LFSR is LFSR3 is clocked when the output of LFSR is 0 The output is a xor of LFSR LFSR3 LFSR LFSR3 LFSR a a 3 a to Multiplexer b Linear coplexity: if the LFSRs have the lengths n, n, n 3 the linear coplexity of the generator is (n + n + n n 3 (the '+' coes fro the negation operation Cryptographically weak, falls to a correlation attack: the output b equals the output of LFSR LFSR3 75% of the tie LFSR clock LFSR LFSR3 b Long period large linear coplexity Correlation attack against LFSR possible, but it does not substantially weaken the generator Page 3 Page 3

9 Block Ciphers Definition of Block Ciphers Block ciphers siultaneously encrypt groups of characters of a plaintext essage using a fixed encryption transforation Meoryless, ie the sae function ( the sae key is used to encrypt successive blocks Practical Methods: Data Encryption Stard (DES International Data Encryption Algorith (IDEA Advanced Encryption Stard (AES A Block Cipher is a function which aps nbit plaintext blocks to nbit cipher text blocks; n is called the blocklength A nbit Block Cipher is a tuple (P,C,K,E,D, where the following conditions are satisfied: P = Z n is a finite set of possible plaintext blocks over Z of length n C = Z n is a finite set of possible cipher text blocks over Z of length n K, the keyspace, is a finite set of possible keys For each k K, there is an encryption rule e k E a corresponding decryption rule d k D: e k : P x K C is an biective apping (the encryption function for k, d k : C x K P is the inverse apping (the decryption function with d k (e k (x = x for every plaintext x P Page 33 Page 34 Design Characteristics for Block Ciphers Definition of Encryption Function e k Choice of blocklength n n too long coplex algorith, perforance loss n too short weak encryption, easy to attack Modern variants use n = bit, 64 bit is seen as the right coproise Definition of encryption function e k Assue n = 64, = : apping of values would take about 70 bit For encryption decryption it is not possible to use a table using algoriths for replacing blocks Achieving different results by using a secret key k in the algorith syetric cryptography, secret key cryptography Good algoriths can be published, data are protected by hiding the key Choice of the key length of k Practical key length: bit k too short systeatic testing of all valid keys (Brute Force attack Against Brute Force attacks, a iniu of 70 bit are necessary Page 35 Encryption function Use a cobination of substitution perutation, called a round Nuber of rounds deterines the quality of the encryption Substitution Divide a nbit block in saller chunks with bit ( typically = 4 6 Replacing a bit block with another one by using a table Perutation Exchanging bits by using an invertible function (Perutation Cipher Result of one round Should look like a succession of ro nubers Each input bit should have the sae influence on an output bit Achieved by alternating application of substitution perutation Suitable choice n = ², ie each bit of one bit chunk of the input block Can be passed to a different bit chunk of the output block Reark: encryption decryption have the sae expense Page 36

10 One Round in an Encryption Function 64 bit input block 8 bit 8 bit 8 bit 8 bit 8 bit 8 bit 8 bit 8 bit k S S S 3 S 4 S 5 S 6 S 7 S 8 8 bit 8 bit 8 bit 8 bit 8 bit 8 bit 8 bit 8 bit 64 bit interediate block 64 bit output block Input block with 64 bit Divide input block into 8bit pieces (n = 8bit substitution functions s i derived fro the key k Join 8bit blocks into an interediate block Perutation of the 64 bits, possibly based on the key (best diffusion of single bits by apping the bits of an 8bit piece into different output pieces Page 37