Title: CS 591 Monday, August 23 Initial topic: A Survey of Basic Cryptography
Slide 1: CS 591, Monday, August 23. Initial topic: A Survey of Basic Cryptography
Peter Gemmell, 277-6509 (office), 280-2557 (cellular), gemmell_at_cs.unm.edu
Slide 2: What is cryptology?
- Generalized methods to hide (encrypt) and authenticate information
- Generalized methods to expose and substitute information (the adversary is malicious, unlike the random noise assumed by error-correcting codes)
Slide 3: An Important Distinction
- Encryption: maintaining information secret/confidential
- Authentication: proving and maintaining information integrity (sometimes also availability)
Slide 4: Cryptographic work can be at different levels
-- algorithms/primitives, e.g. encryption algorithms, signature algorithms, hash algorithms
-- protocols between more than one party, e.g. threshold sharing
-- systems, e.g. electronic cash systems, smartcard systems
-- attacks, on all the above
Slide 5: Some applications of cryptography
- network, operating systems security
- private internet, telephone communications
- electronic payments
- database security
- software protection
- pay television
- confidential, authentic military communications
Slide 6: Open system design vs closed system design
- Open design: the algorithm, protocol, or system design may be public information. The only secret will be the private or symmetric key(s).
- Closed design: as much information as possible is kept secret.
Slide 7: Types of Security
-- unconditional or information theoretic: the security is provable, free of assumptions
-- reducible or provable: one can prove that the security is as valid as some common unproven assumption
-- ad hoc: the security seems good
Slide 8: Types of algorithms: Symmetric (encryption)
[Diagram: Alice (sender) and Bob (receiver) share the key k. Alice computes ciphertext = Enc_k(M); Bob recovers M = Dec_k(ciphertext).]
Slide 9: Types of algorithms: Symmetric (authentication)
[Diagram: Alice (sender) and Bob (receiver) share the key k. Alice sends M, Auth_k(M); Bob runs Verify_k on the pair and outputs OK.]
Slide 10: Types of algorithms: Public Key (asymmetric encryption)
[Diagram: Alice (sender) encrypts under Bob's public key, ciphertext = Enc_pubkey(M); Bob (receiver) decrypts with his private key, M = Dec_privkey(ciphertext).]
Slide 11: Types of algorithms: Public Key (asymmetric authentication)
[Diagram: Alice (sender) signs with her private key and sends M, Sign_privkey(M); Bob (receiver) checks it with Alice's public key, Verify_pubkey, and outputs OK.]
Slide 12: Digital Signatures
A public key technique to authenticate information in a non-repudiable way; may be legally binding.
Recipient knows (a) that the message is that of the supposed sender and (b) can prove (a) to a third party.
Slide 13: Why Public Key is so important
- It lessens the number of keys needed in a general purpose virtual private network (VPN)
- Less reliance on a trusted center for system availability and secrecy (e.g. electronic cash)
- Non-repudiation
Slide 14: Math Background: Modular (clock) Arithmetic
A mod N = remainder of A divided by N
B = A (mod N) if B mod N = A mod N
Slide 15: Encryption Algorithms: Historical and Toy
Caesar Cipher: a, b, c, ..., z = 1, 2, 3, ..., 26
Enc(X) = Enc(x1 ... xN) = (x1 + 3 mod 26) ... (xN + 3 mod 26) = C1 ... CN
E.g. Enc(Security) = Enc(19,5,3,21,18,9,20,25) = 22,8,6,24,21,12,23,2 = Vhfxulwb
Slide 16: Generalizations of Caesar Cipher (all weak security)
- Shift: Enc_k(x) = x + k mod 26
- Affine: Enc_k1,k2(x) = k1 * x + k2 mod 26
- Substitution: Enc_perm(x) = perm(x)
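The ciphers of slides 14 to 16 in working code, added here as an example (it is not part of the lecture slides). Letters are numbered 0..25 internally (a = 0) rather than the slide's 1..26, which yields the same letters and keeps "mod 26" from producing a value with no letter; the sample plaintexts and keys are constructed, and `key_space_sizes` adds the key counts behind the slide's "all weak security" remark.

```python
import math
import string

ALPHABET = string.ascii_lowercase
M = 26   # alphabet size; all arithmetic is mod 26 (slide 14)

def _to_nums(text):
    """Letters -> 0..25 (case ignored); anything else -> None, left untouched."""
    return [ALPHABET.index(c) if c in ALPHABET else None for c in text.lower()]

def _to_text(nums, template):
    """0..25 -> letters, restoring the case pattern of `template`."""
    out = []
    for n, orig in zip(nums, template):
        if n is None:
            out.append(orig)
        else:
            ch = ALPHABET[n]
            out.append(ch.upper() if orig.isupper() else ch)
    return "".join(out)

def shift_encrypt(text, k):
    """Shift cipher Enc_k(x) = x + k mod 26; k = 3 is the Caesar cipher of slide 15."""
    return _to_text([None if x is None else (x + k) % M for x in _to_nums(text)], text)

def shift_decrypt(text, k):
    return shift_encrypt(text, -k)

def affine_encrypt(text, k1, k2):
    """Affine cipher Enc_{k1,k2}(x) = k1*x + k2 mod 26; needs gcd(k1, 26) = 1."""
    if math.gcd(k1, M) != 1:
        raise ValueError("k1 must be coprime to 26, otherwise two letters collide")
    return _to_text([None if x is None else (k1 * x + k2) % M for x in _to_nums(text)], text)

def affine_decrypt(text, k1, k2):
    k1_inv = pow(k1, -1, M)               # modular inverse of k1 (Python 3.8+)
    return _to_text([None if y is None else k1_inv * (y - k2) % M for y in _to_nums(text)], text)

def substitution_encrypt(text, perm):
    """Substitution cipher Enc_perm(x) = perm(x); perm is a 26-letter permutation of a..z."""
    if sorted(perm) != list(ALPHABET):
        raise ValueError("perm must be a permutation of the alphabet")
    return _to_text([None if x is None else ALPHABET.index(perm[x]) for x in _to_nums(text)], text)

def substitution_decrypt(text, perm):
    inverse = "".join(ALPHABET[perm.index(c)] for c in ALPHABET)   # invert the permutation
    return substitution_encrypt(text, inverse)

def key_space_sizes():
    """Why slide 16 calls all three weak: how many keys an exhaustive search must try.
    Even the 26! substitution keys fall to letter-frequency analysis rather than brute force."""
    invertible = sum(1 for a in range(1, M) if math.gcd(a, M) == 1)   # 12 choices of k1
    return {"shift": M - 1, "affine": invertible * M, "substitution": math.factorial(M)}

if __name__ == "__main__":
    print(shift_encrypt("Security", 3))            # Vhfxulwb, the slide 15 example
    print(shift_decrypt("Vhfxulwb", 3))            # Security
    print(affine_encrypt("Security", 5, 8))
    print(key_space_sizes())
```

Non-letters (spaces, punctuation) pass through unchanged, so the routines can be run on ordinary sentences; the homework texts on slide 45 are left for the reader.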
Slide 17: Other Historical Ciphers
-- WWII American use of Navajo
-- WWII German Enigma machine
-- WWII Japanese Purple machine
Slide 18: Unconditionally Secure Cipher: One-time pad
key (random bits):                1100010011100100011
message bits:                     1110011001100110001
cipher text (XOR of key, message): 0010001010000010010
...
Problems: the number of random bits must equal the total length of all messages being encrypted (the key is not reusable), and the random bits must be known to both sender and recipient.
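The one-time pad of slide 18 on bit strings, added here as an example that is not from the slides. It reproduces the slide's 19-bit key and message, and `two_time_pad_leak` shows the reason the slide says the key is not reusable: XORing two ciphertexts made with the same pad cancels the key and exposes M1 xor M2. The second message is constructed.

```python
import secrets

def xor_bits(a, b):
    """XOR two equal-length strings of '0'/'1' characters."""
    if len(a) != len(b):
        raise ValueError("one-time pad: key must be exactly as long as the message")
    if set(a + b) - {"0", "1"}:
        raise ValueError("inputs must be bit strings")
    return "".join("1" if x != y else "0" for x, y in zip(a, b))

def otp_encrypt(key, message):
    return xor_bits(key, message)

def otp_decrypt(key, ciphertext):
    return xor_bits(key, ciphertext)      # XOR is its own inverse: (M xor K) xor K = M

def fresh_key(nbits):
    """Pads must come from a true random source; secrets.randbits uses the OS CSPRNG."""
    return format(secrets.randbits(nbits), "0{}b".format(nbits))

def two_time_pad_leak(key, m1, m2):
    """Reusing a pad: C1 xor C2 = (M1 xor K) xor (M2 xor K) = M1 xor M2, so an
    observer of both ciphertexts learns the XOR of the messages without the key."""
    c1 = otp_encrypt(key, m1)
    c2 = otp_encrypt(key, m2)
    return xor_bits(c1, c2) == xor_bits(m1, m2)

SLIDE_KEY = "1100010011100100011"        # key bits from slide 18
SLIDE_MESSAGE = "1110011001100110001"    # message bits from slide 18

if __name__ == "__main__":
    c = otp_encrypt(SLIDE_KEY, SLIDE_MESSAGE)
    print(c)                                          # 0010001010000010010, as on the slide
    print(otp_decrypt(SLIDE_KEY, c) == SLIDE_MESSAGE)
    print(two_time_pad_leak(SLIDE_KEY, SLIDE_MESSAGE, "1010101010101010101"))
    print(fresh_key(19))
```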
Slide 19: Data Encryption Standard (DES) (symmetric key)
Enc_k(M): wild permutation, XORs of M, S-boxes, and k
16 rounds, 64-bit block input and output; not clean and concise (unlike RSA and the one-time pad)
Standard for encryption of unclassified data since 1977
56-bit keys (40 bits in exported versions) yield valid concerns about vulnerability to exhaustive key search
Slide 20: Extensions to DES that may give a longer effective key
Triple-DES: ciphertext = EncDES_k1(EncDES_k2(EncDES_k3(plaintext)))
            or EncDES_k1(DecDES_(k1 xor k2)(EncDES_k2(plaintext)))
DESX: ciphertext = k1 xor EncDES_k1(message xor k3)
Slide 21: RC5, by Ron Rivest of RSA (symmetric encryption algorithm)
Rotations, XORs, modular additions
With variable key lengths, and being more succinct than DES, it is faster and may inspire more confidence
Slide 22: RSA (public key encryption)
- Public key: (N, e)
- Private key: (p, q, d); p, q large primes, N = pq, d such that (m^e)^d = m mod N
RSA encryption can be modified easily to work as the RSA signature function
Slide 23: RSA (public key encryption, continued)
- Express message M as a number between 1 and N
- Compute EncRSA_N,e(M) = M^e mod N
- Compute DecRSA_p,q,d(M^e) = (M^e)^d = M mod N
- Assumed hard: factoring, discrete logs modulo N
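The three steps of slides 22 and 23 as runnable code, added as an example that is not from the slides. The primes p = 61 and q = 53 are a constructed textbook pair chosen so that every number fits on one line; real keys use primes of hundreds of digits, and real systems pad M before exponentiation (textbook RSA as written here is deterministic and malleable, which is why padding exists).

```python
import math

def rsa_keygen(p, q, e=17):
    """Public key (N, e); private key (p, q, d) with d = e^-1 mod (p-1)(q-1),
    which is what makes (m^e)^d = m mod N hold."""
    N = p * q
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)                 # modular inverse (Python 3.8+)
    return (N, e), (p, q, d)

def rsa_encrypt(pub, M):
    """EncRSA_{N,e}(M) = M^e mod N, for M expressed as a number between 1 and N."""
    N, e = pub
    if not 1 <= M < N:
        raise ValueError("message must be a number between 1 and N-1")
    return pow(M, e, N)

def rsa_decrypt(priv, N, C):
    """DecRSA_{p,q,d}(C) = C^d mod N."""
    p, q, d = priv
    return pow(C, d, N)

def bytes_to_int(b: bytes) -> int:
    """Step 1 of slide 23: express the message as a number."""
    return int.from_bytes(b, "big")

def int_to_bytes(n: int, length: int) -> bytes:
    return n.to_bytes(length, "big")

def rsa_roundtrip(pub, priv, message: bytes) -> bytes:
    """Encrypt a short byte string and decrypt it again; raises if it does not fit below N."""
    N, _ = pub
    C = rsa_encrypt(pub, bytes_to_int(message))
    return int_to_bytes(rsa_decrypt(priv, N, C), len(message))

if __name__ == "__main__":
    pub, priv = rsa_keygen(61, 53)      # N = 3233, e = 17, d = 2753
    print(pub, priv)
    C = rsa_encrypt(pub, 65)
    print(C, rsa_decrypt(priv, pub[0], C))         # 2790, 65
    print(rsa_roundtrip(pub, priv, b"\x2a"))       # one byte fits below N = 3233
```

With N = 3233 only a single byte fits as a "number between 1 and N"; that is the reason the later slides hash the message first (signatures) or use RSA only to transport a short symmetric session key (slide 27).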
Slide 24: Hash functions H
- compress: length of message 1M bits (any number) -> 128 or 160 bits
- collision-free: for any x one can not compute y != x with H(x) = H(y)
- random-like behavior
E.g. SHA-1, MD5, MD2
Slide 25: Authentication, unconditionally secure
[Diagram: Alice (sender) and Bob (receiver) share the one-time key pair a, b. Alice sends M, aM+b; Bob recomputes aM+b and outputs OK.]
a, b can be used only once
Slide 26: Authentication: Keyed hash function (symmetric)
[Diagram: Alice (sender) and Bob (receiver) share the key k. Alice sends M, H(k,M,k); Bob recomputes H(k,M,k) and outputs OK.]
HMAC: H(K XOR opad, H(K XOR ipad, text))
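The keyed-hash construction of slide 26, added here as an example that is not from the slides: `hmac_from_formula` computes H(K xor opad, H(K xor ipad, text)) literally and is checked against Python's `hmac` module, and `verify` shows Bob's side with a timing-safe comparison. SHA-256 as the hash, the ipad/opad byte values 0x36/0x5c, and the key and messages are assumptions and constructed inputs.

```python
import hashlib
import hmac

def hmac_from_formula(key: bytes, text: bytes, hashfn=hashlib.sha256) -> bytes:
    """HMAC as written on slide 26: inner hash over (K xor ipad) || text, then an
    outer hash over (K xor opad) || inner. ipad = 0x36 and opad = 0x5c repeated
    to the hash block size (64 bytes for SHA-256)."""
    block = hashfn().block_size
    if len(key) > block:                           # keys longer than a block are hashed first
        key = hashfn(key).digest()
    key = key.ljust(block, b"\x00")                # shorter keys are zero-padded
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5c for b in key)
    inner = hashfn(ipad + text).digest()
    return hashfn(opad + inner).digest()

def auth(key: bytes, message: bytes) -> bytes:
    """Alice's Auth_k(M): the tag sent alongside M."""
    return hmac_from_formula(key, message)

def verify(key: bytes, message: bytes, tag: bytes) -> bool:
    """Bob's Verify_k: recompute the tag and compare without leaking timing."""
    return hmac.compare_digest(auth(key, message), tag)

def matches_stdlib(key: bytes, message: bytes) -> bool:
    """Cross-check the formula against the standard library's HMAC-SHA256."""
    return hmac_from_formula(key, message) == hmac.new(key, message, hashlib.sha256).digest()

if __name__ == "__main__":
    k = b"constructed-shared-key"                  # constructed demo key
    msg = b"transfer 100 to account 42"            # constructed message
    tag = auth(k, msg)
    print(tag.hex())
    print(verify(k, msg, tag))                                # True
    print(verify(k, b"transfer 900 to account 42", tag))      # False: M was altered
    print(matches_stdlib(k, msg))                             # True
```

The nested hashing is what distinguishes this from the plain H(k, M, k) of the diagram: the inner hash is never exposed, so a verifier who sees M and the tag cannot extend the message and update the tag.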
Slide 27: Efficiency Considerations and the need for symmetric session keys
Public key algorithms tend to be slow. E.g. RSA decrypts on the order of 10k bits/second; DES encrypts/decrypts on the order of 1 Mbit/second.
Slide 28: Key Exchange: Establishing a (symmetric) Session Key k
[Diagram: Alice and Bob each hold their own private key (privkeyAlice, privkeyBob) and the other's public key (pubkeyBob, pubkeyAlice) and use them to establish the session key k.]
Slide 29: Impersonation Attack
[Diagram: an impostor ("I'm Bob") holding pubkeyFakeBob and privkeyFakeBob talks to Alice, who holds pubkeyAlice and privkeyAlice; Alice sends the impostor important information.]
Slide 30: Certification Authority (CA)
[Diagram: Bob presents PubkeyBob and misc info to the CA; the CA returns a certificate containing PubkeyBob, misc info, and the CA signature.]
A certificate binds a name to a public key
Slide 31: Open Network
Slide 32: Virtual Private Networks (VPN)
Slide 33: VPN software/hardware
- Application layer: SSL, Shttp, S/WAN, PCT
- IP layer: Netlock, competitors
Slide 34: Electronic Payment Systems: credit card, debit card style
[Diagram: Internet payer, Internet payee, and Visa, bank, or other; the payee is told "You have received payment".]
Slide 35: Sample Payment Protocols
- iKP of IBM
- SEPP: IBM, Netscape, GTE, CyberCash, and MasterCard
- VISA's design
- First Virtual
- Secure Courier, STT
Slide 36: Electronic Payment Systems: Chaum-style untraceable cash
[Diagram: the Bank/Mint, the ecash withdrawer/payer, and the bank's signature (BankSig) on the withdrawn coin.]
Slide 37: Electronic Payment Systems: Trustee-traceable cash
[Diagram: the Bank/Mint and the ecash withdrawer/payer.]
Slide 38: Key Escrow, e.g. Clipper
[Diagram: escrow key1, escrow key2, ..., escrow keyL, the last held by Trustee L.]
Slide 39: The Threshold Paradigm is one of Distributed Trust
[Diagram: Secret Information]
Slide 40: Threshold Sharing
Dealer shares a secret S to L shareholders. Some may be untrustworthy.
Slide 41: Threshold Sharing protects
- Secrecy: no k-1 shareholders can learn the secret
- Integrity: no L-k shareholders can destroy the secret
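A k-of-L threshold sharing of the kind slides 40 and 41 describe, added as an example that is not from the slides. The slides name no construction; the one used here is Shamir's polynomial scheme (an assumption), with arithmetic mod a constructed prime. `recover_secret` with k shares returns S, with k-1 shares returns something unrelated (the secrecy property), and `survives_loss` shows recovery after up to L-k shares are destroyed (the integrity property).

```python
import random

PRIME = 2**61 - 1      # constructed field modulus; every secret must be < PRIME

def _eval_poly(coeffs, x):
    """Horner evaluation of a0 + a1 x + ... + a_{k-1} x^{k-1} mod PRIME; a0 is S."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc

def split_secret(secret, k, L, seed=None):
    """Dealer: pick a random degree-(k-1) polynomial with constant term S and hand
    shareholder i the point (i, f(i)). `seed` is for reproducible demos only; a real
    dealer must draw the coefficients from a true random source."""
    if not 0 <= secret < PRIME or not 1 <= k <= L:
        raise ValueError("need 0 <= secret < PRIME and 1 <= k <= L")
    rng = random.SystemRandom() if seed is None else random.Random(seed)
    coeffs = [secret] + [rng.randrange(PRIME) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, L + 1)]

def recover_secret(shares):
    """Lagrange interpolation of the supplied points at x = 0. With k or more
    genuine shares this returns S; with fewer it returns an unrelated value, since
    k-1 points are consistent with every possible constant term."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret

def survives_loss(shares, lost_ids, secret):
    """Integrity (slide 41): after up to L-k shares are destroyed, the k or more
    that remain still recover S."""
    remaining = [s for s in shares if s[0] not in lost_ids]
    return recover_secret(remaining) == secret

if __name__ == "__main__":
    S = 0xC0FFEE                                  # constructed secret
    shares = split_secret(S, k=3, L=5, seed=7)
    print(shares)
    print(recover_secret(shares[:3]) == S, recover_secret(shares[:2]) == S)   # True False
    print(survives_loss(shares, {2, 4}, S))                                    # True
```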
Slide 42: Fortezza, Capstone, and Skipjack
Skipjack: a classified NSA-designed symmetric encryption algorithm
Capstone: suite of crypto functions for govt-related use; bulk data encryption algorithm Skipjack, digital signature algorithm DSA, key exchange protocol not published, hash function SHA
Fortezza: a tamper-resistant PCMCIA card implementing the Capstone algorithms
Slide 43: Man-in-the-Middle Attack
[Diagram: an attacker sits between Alice and Bob, claiming "I'm Bob" to Alice and "I'm Alice" to Bob.]
Slide 44: Crypto Information Resources
- RSA FAQ (http://www.rsa.com/rsalabs/newfaq/)
- Handbook of Applied Cryptography, Alfred J. Menezes, Paul C. van Oorschot and Scott A. Vanstone (http://www.dms.auburn.edu/hac/)
- B. Schneier, Applied Cryptography: Protocols, Algorithms, and Source Code in C, John Wiley & Sons, New York, 2nd Edition
- D.R. Stinson, Cryptography: Theory and Practice, CRC Press, Boca Raton, 1995 (http://bibd.unl.edu/stinson/CTAP.html)
- D. Kahn, The Codebreakers, Macmillan Co., New York, 1967
Slide 45: Homework
1. Decipher this Caesar text: Wklv lv d whvw
2. Decipher this shift text:
   Bqrairaijibna
   biqjmibqraiwxbiknnwijibnabibqraivnaajpniexcumi qjd
   niknnwimroon nwb
   (hint: including a space character, there are 27 letters)
3. What is a CAPI and why is it important?
4. What is FIPS 140 and why is it important?
e.c. What are Alice and Bob's real names?
Slide 46: Block Ciphers
- Iterated
- Key Schedule
- Feistel -- e.g. DES
Slide 47: Modes of DES Encryption
DES is a block cipher; repeated encryptions of the same block might yield the same cipher text
- Electronic Code Book (ECB)
- Cipher Block Chaining (CBC)
- Cipher Feedback Mode (CFM)
- Output Feedback Mode (OFM)
Slide 48: Electronic Code Book mode (ECB)
Slide 49: Cipher Block Chaining mode (CBC)
[Diagram: message block M65-128 is XORed with the previous cipher text block, then DES-encrypted under k to give C65-128.]
Slide 50: Attacks -- characterized by needs of the attacker
- Known Plaintext
- Chosen Plaintext
- Chosen Ciphertext
Also -- number of plaintext, ciphertext pairs
Slide 51: The birthday paradox
Any random set of 23 people probably shares a birthday
Slide 52: A birthday attack
If hash function H maps into message digests of length 60 bits, then an adversary can find a collision using only 2^30 inputs
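The arithmetic behind slides 51 and 52, added as an example that is not from the slides. `prob_shared_birthday` computes the 23-people figure, and `birthday_collision` runs the attack of slide 52 against SHA-256 deliberately truncated to a small digest (a constructed stand-in for the slide's 60-bit digest, small enough to finish in a moment), finding two distinct inputs with equal digests after roughly 2^(n/2) tries. This is the reason digest lengths are chosen at twice the intended security level.

```python
import hashlib
import math

def prob_shared_birthday(people, days=365):
    """P(at least two of `people` share a birthday) = 1 - prod_{i<people} (days-i)/days."""
    p_distinct = 1.0
    for i in range(people):
        p_distinct *= (days - i) / days
    return 1.0 - p_distinct

def expected_inputs(nbits):
    """Slide 52's estimate: about 2^(n/2) inputs find a collision in an n-bit digest."""
    return 2 ** (nbits / 2)

def truncated_hash(data: bytes, nbits: int) -> int:
    """SHA-256 cut down to its first nbits bits: a toy 'digest of length nbits'."""
    full = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return full >> (256 - nbits)

def birthday_collision(nbits: int, prefix: bytes = b"msg-"):
    """Hash distinct inputs prefix+0, prefix+1, ... until two digests coincide.
    Returns (inputs_tried, m1, m2); memory is the price, about 2^(n/2) entries."""
    seen = {}
    i = 0
    while True:
        m = prefix + str(i).encode()
        h = truncated_hash(m, nbits)
        if h in seen:
            return i + 1, seen[h], m
        seen[h] = m
        i += 1

if __name__ == "__main__":
    print(round(prob_shared_birthday(23), 4))          # 0.5073
    tried, a, b = birthday_collision(24)
    print(tried, expected_inputs(24), a, b)            # tried is near 2^12 = 4096
    print(truncated_hash(a, 24) == truncated_hash(b, 24), a != b)
```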
Slide 53: Meet in the middle attack on symmetric encryption functions (known plaintext attack)
key k = k1, k2
Enc_k(M) = Enc_k1(Enc_k2(M))
Known plaintext P, cipher text C = Enc_k(P)
Slide 54: Meet in the middle technique
[Diagram: tabulate Enc_k2(P) for k2 running from 000..0 to 11..1, and Dec_k1(C) for k1 running from 000..0 to 11..1, and look for a value appearing in both lists.]
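The technique of slides 53 and 54 carried out in code, added as an example that is not from the slides. Because a real DES key space is far too large to enumerate in a demo, the double-encrypted cipher is a constructed 16-bit toy (no security claimed); the point is the cost: two tables of 2^16 entries recover a 32-bit double key that would take 2^32 trials by exhaustive search, which is why doubling a block cipher does not double its effective key length. The known plaintext/ciphertext pairs are constructed, and the last assertion shows slide 50's remark that the number of pairs matters: one pair leaves thousands of candidate keys on a 16-bit block.

```python
MASK = 0xFFFF
ODD = 0x9E37                         # odd, so multiplication mod 2^16 is invertible
ODD_INV = pow(ODD, -1, 1 << 16)

def _rotl(x, r):
    return ((x << r) | (x >> (16 - r))) & MASK

def _rotr(x, r):
    return ((x >> r) | (x << (16 - r))) & MASK

def toy_enc(k, m):
    """Toy 16-bit block cipher with a 16-bit key (constructed for the demo):
    xor key, multiply by an odd constant, rotate, xor key."""
    x = ((m ^ k) * ODD) & MASK
    return _rotl(x, 5) ^ k

def toy_dec(k, c):
    x = _rotr(c ^ k, 5)
    return ((x * ODD_INV) & MASK) ^ k

def double_enc(k1, k2, m):
    """Enc_k(M) = Enc_k1(Enc_k2(M)) with k = (k1, k2): a 32-bit key on paper."""
    return toy_enc(k1, toy_enc(k2, m))

def meet_in_the_middle(pairs):
    """pairs: known (P, C) with C = Enc_k1(Enc_k2(P)). Tabulate Enc_k2(P0) for every
    k2 (slide 54, left column), then for every k1 look up Dec_k1(C0) in the table
    (right column); candidates that match are confirmed on the remaining pairs."""
    P0, C0 = pairs[0]
    table = {}
    for k2 in range(1 << 16):
        table.setdefault(toy_enc(k2, P0), []).append(k2)
    found = []
    for k1 in range(1 << 16):
        mid = toy_dec(k1, C0)
        for k2 in table.get(mid, ()):
            if all(double_enc(k1, k2, P) == C for P, C in pairs[1:]):
                found.append((k1, k2))
    return found

def work_factor(key_bits):
    """Cipher calls needed: exhaustive search of the double key vs meet-in-the-middle."""
    return 2 ** (2 * key_bits), 2 * 2 ** key_bits

if __name__ == "__main__":
    k1, k2 = 0x1234, 0xBEEF                                   # constructed secret key
    pairs = [(P, double_enc(k1, k2, P)) for P in (0x0001, 0x4242, 0x7F7F, 0xABCD)]
    print(meet_in_the_middle(pairs))                          # contains (0x1234, 0xBEEF)
    print(len(meet_in_the_middle(pairs[:1])))                 # one pair: many candidates
    print(work_factor(16))                                    # (4294967296, 131072)
```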
Slide 55: Homework 2
- Why do people not advocate double DES?
- Why do people not use error correcting codes for encryption?
- Why do people not use error correcting codes for authentication?
Slide 56: Using CBC DES for authentication (symmetric)
[Diagram: message blocks M1-64 through Mlast are chained through XOR and DES under k; the final DES output is Auth_k(M).]
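One block, added as an example that is not from the slides, for the block-cipher material of slides 46 to 49 and the CBC authentication of slide 56: a 16-round Feistel cipher with a key schedule (the structure slide 46 lists, as in DES), run in ECB and CBC modes so the repeated-block weakness of slide 47 is visible, and reused as the CBC-MAC of slide 56. The round function, the hash-based key schedule and all inputs are constructed for illustration; this is not DES and gives no real security.

```python
import hashlib

ROUNDS = 16
BLOCK = 8            # bytes, the 64-bit block of slide 19

def key_schedule(key: bytes):
    """16 round keys derived from the master key (constructed, hash based)."""
    return [hashlib.sha256(key + bytes([r])).digest()[:4] for r in range(ROUNDS)]

def _f(right: bytes, rk: bytes) -> bytes:
    """Feistel round function F(R, K): a hash of R under the round key (constructed)."""
    return hashlib.sha256(rk + right).digest()[:4]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _blocks(data: bytes):
    if len(data) % BLOCK:
        raise ValueError("length must be a multiple of 8 bytes (no padding in this demo)")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def block_encrypt(rks, block: bytes) -> bytes:
    """Iterated Feistel network: L_{i+1} = R_i, R_{i+1} = L_i xor F(R_i, K_i)."""
    L, R = block[:4], block[4:]
    for rk in rks:
        L, R = R, _xor(L, _f(R, rk))
    return R + L                        # final swap, as in DES

def block_decrypt(rks, block: bytes) -> bytes:
    return block_encrypt(rks[::-1], block)   # same network with the round keys reversed

def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """ECB: each block encrypted independently, so equal blocks give equal cipher text."""
    rks = key_schedule(key)
    return b"".join(block_encrypt(rks, b) for b in _blocks(plaintext))

def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CBC: each block is XORed with the previous cipher text block before encryption."""
    rks, prev, out = key_schedule(key), iv, []
    for b in _blocks(plaintext):
        prev = block_encrypt(rks, _xor(b, prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    rks, prev, out = key_schedule(key), iv, []
    for c in _blocks(ciphertext):
        out.append(_xor(block_decrypt(rks, c), prev))
        prev = c
    return b"".join(out)

def cbc_mac(key: bytes, message: bytes) -> bytes:
    """Slide 56: CBC with a zero IV, keeping only the last cipher text block as Auth_k(M).
    Sound only for fixed-length messages and with a key not used for encryption."""
    return cbc_encrypt(key, bytes(BLOCK), message)[-BLOCK:]

def repeated_blocks(ciphertext: bytes) -> int:
    """How many cipher text blocks duplicate an earlier one (0 is what we want)."""
    blocks = _blocks(ciphertext)
    return len(blocks) - len(set(blocks))

if __name__ == "__main__":
    key, iv = b"constructed-key", bytes(range(8))       # constructed key and IV
    pt = b"SAMEBLOK" * 4                                 # four identical plaintext blocks
    print(repeated_blocks(ecb_encrypt(key, pt)))         # 3: ECB leaks the repetition
    ct = cbc_encrypt(key, iv, pt)
    print(repeated_blocks(ct), cbc_decrypt(key, iv, ct) == pt)   # 0 True
    print(cbc_mac(key, pt).hex())
```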
Slide 57: RSA (public key signatures)
- Public key: (N, e)
- Private key: (p, q, d); p, q large primes, N = pq, d such that (x^e)^d = x mod N
Slide 58: RSA (public key signatures, continued)
- Hash message M to a number H(M)
- Compute SignRSA_p,q,d(M) = H(M)^d mod N
- VerifyRSA_N,e(M, SignRSA(M)) = OK iff SignRSA(M)^e = H(M) mod N
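The hash-then-sign procedure of slides 57 and 58 in code, added as an example that is not from the slides. The primes (the 10000th and 100000th primes) and e = 65537 are constructed demo parameters, far below real sizes; H reduces SHA-256 mod N so that H(M) is a number below N, which is a demonstration shortcut rather than a standard encoding. Verification uses only the public key, which is what gives the non-repudiation of slide 12.

```python
import hashlib

def rsa_sig_keygen(p, q, e=65537):
    """Public key (N, e); private key (p, q, d) with d = e^-1 mod (p-1)(q-1)."""
    N, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)              # raises ValueError if e is not coprime to phi
    return (N, e), (p, q, d)

def H(message: bytes, N: int) -> int:
    """Hash message M to a number H(M) below N (demo reduction, not a standard padding)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N

def rsa_sign(priv, N, message: bytes) -> int:
    """SignRSA_{p,q,d}(M) = H(M)^d mod N; only the holder of d can compute this."""
    p, q, d = priv
    return pow(H(message, N), d, N)

def rsa_verify(pub, message: bytes, signature: int) -> bool:
    """VerifyRSA_{N,e}(M, s) = OK iff s^e = H(M) mod N; needs only the public key."""
    N, e = pub
    if not 0 < signature < N:
        return False
    return pow(signature, e, N) == H(message, N)

if __name__ == "__main__":
    pub, priv = rsa_sig_keygen(104729, 1299709)          # constructed small primes
    msg = b"pay alice 10"
    s = rsa_sign(priv, pub[0], msg)
    print(s)
    print(rsa_verify(pub, msg, s))                        # True
    print(rsa_verify(pub, b"pay alice 99", s))            # False: message changed
    print(rsa_verify(pub, msg, s ^ 1))                    # False: signature changed
```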
Slide 59: The Digital Signature Algorithm DSA/DSS: set-up
Slide 60: The Digital Signature Algorithm: signing process
M: message to be signed
H: hash function such as SHA or MD5 or MD2
k: a random one-time signing key
r = (g^k mod p) mod q
s = k^-1 (H(M) + x r) mod q
Sig_x(M) = (r, s)
Slide 61: The Digital Signature Algorithm: signature verification process
Given M, (r, s) compute
u1 = s^-1 H(M) mod q
u2 = s^-1 r mod q
v = (g^u1 y^u2 mod p) mod q
accept if v = r
Slide 62: Primality Testing
For security and general fault-tolerance reasons, one needs to know whether p is really prime (divisible only by 1 and p)
Probabilistic: Miller-Rabin, Solovay-Strassen
100% guaranteed: Atkins
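One block, added as an example that is not from the slides, for slides 59 to 62: the DSA set-up (a prime q dividing p-1 and a generator g of the order-q subgroup), the signing and verification formulas exactly as written on slides 60 and 61, and the probabilistic Miller-Rabin test of slide 62 used to find p and q. Parameter sizes (a 32-bit q) are constructed for speed, H is SHA-256 reduced mod q, and the seeds are fixed so the demo is reproducible; none of that is a standard parameter choice.

```python
import hashlib
import random

def miller_rabin(n, rounds=32, rng=random.Random(1)):
    """Probabilistic primality test: a composite n survives one round with
    probability at most 1/4, so `rounds` rounds bound the error by 4^-rounds."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:                 # write n-1 = d * 2^s with d odd
        d //= 2
        s += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False              # a witnesses that n is composite
    return True

def dsa_setup(q_bits=32, seed=1):
    """Slide 59 set-up: prime q, prime p = m*q + 1, and g = h^((p-1)/q) mod p != 1."""
    rng = random.Random(seed)
    q = (1 << (q_bits - 1)) | rng.getrandbits(q_bits - 1) | 1
    while not miller_rabin(q):
        q += 2
    m = 2
    while not miller_rabin(m * q + 1):
        m += 2
    p = m * q + 1
    h = 2
    while pow(h, (p - 1) // q, p) == 1:
        h += 1
    g = pow(h, (p - 1) // q, p)       # g has order exactly q modulo p
    return p, q, g

def dsa_keygen(p, q, g, seed=2):
    rng = random.Random(seed)
    x = rng.randrange(1, q)           # private key
    return x, pow(g, x, p)            # (x, y = g^x mod p)

def Hq(message: bytes, q: int) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % q

def dsa_sign(p, q, g, x, message: bytes, rng=random.SystemRandom()):
    """Slide 60: r = (g^k mod p) mod q, s = k^-1 (H(M) + x r) mod q, Sig_x(M) = (r, s).
    k is a fresh one-time key per signature; reusing k across messages exposes x."""
    while True:
        k = rng.randrange(1, q)
        r = pow(g, k, p) % q
        s = pow(k, -1, q) * (Hq(message, q) + x * r) % q
        if r != 0 and s != 0:
            return r, s

def dsa_verify(p, q, g, y, message: bytes, sig) -> bool:
    """Slide 61: u1 = s^-1 H(M) mod q, u2 = s^-1 r mod q, v = (g^u1 y^u2 mod p) mod q."""
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    u1 = w * Hq(message, q) % q
    u2 = w * r % q
    v = pow(g, u1, p) * pow(y, u2, p) % p % q
    return v == r

if __name__ == "__main__":
    p, q, g = dsa_setup()
    x, y = dsa_keygen(p, q, g)
    sig = dsa_sign(p, q, g, x, b"hello")
    print((p, q, g), sig)
    print(dsa_verify(p, q, g, y, b"hello", sig), dsa_verify(p, q, g, y, b"hellp", sig))
```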
Slide 63: Strong primes p
- p+1 has a large prime factor
- p-1 has a large prime factor r
- r-1 has a large prime factor
Foils factoring, discrete log, RSA attacks
Slide 64: Elliptic Curve Algorithms: public key encryption/authentication
Issue: the public and private keys and signatures of asymmetric encryption and signature schemes are too big and slow
Solution? Instead of operating on the numbers 1..N or 1..p, operate on elliptic curve elements (x, y) such that y^2 = x^3 + ax + b (mod p)
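Arithmetic on the curve elements of slide 64, added as an example that is not from the slides. The curve y^2 = x^3 + 2x + 3 mod 97 and the base point (3, 6) are constructed so every step is checkable by hand; the group law implemented (chord-and-tangent addition, doubling, double-and-add scalar multiplication) is what elliptic-curve schemes use in place of exponentiation mod p, and `point_order` shows the curve has a finite cyclic structure that plays the role of the order of g.

```python
P = 97              # constructed prime field
A, B = 2, 3         # constructed curve y^2 = x^3 + 2x + 3 mod 97 (nonsingular: 4a^3+27b^2 != 0)
INF = None          # the point at infinity, identity of the group

def on_curve(pt) -> bool:
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P == 0

def ec_neg(pt):
    return INF if pt is INF else (pt[0], (-pt[1]) % P)

def ec_add(p1, p2):
    """Chord-and-tangent addition; p1 + (-p1) = INF."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P    # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P            # chord slope
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)

def ec_mul(k: int, pt):
    """Double-and-add: k*pt is the curve analogue of g^k mod p, and recovering k
    from (pt, k*pt) is the elliptic-curve discrete log problem."""
    result, addend = INF, pt
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result

def curve_points():
    """All affine points of this small curve plus INF (enumeration is for demo only)."""
    return [(x, y) for x in range(P) for y in range(P) if on_curve((x, y))] + [INF]

def point_order(pt) -> int:
    """Smallest n > 0 with n*pt = INF."""
    n, acc = 1, pt
    while acc is not INF:
        acc = ec_add(acc, pt)
        n += 1
    return n

if __name__ == "__main__":
    G = (3, 6)                                           # constructed base point
    print(on_curve(G), ec_add(G, G), ec_mul(7, G))       # True (80, 10) ...
    print(point_order(G), len(curve_points()))
```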
Slide 65: Factoring Techniques
- Try all primes < squareroot(p)
- Pollard's rho method
- Elliptic curve methods
- Quadratic sieve
- Number field sieve
- ...
Discrete logs: index calculus, ...
Best current algorithms can factor, and take discrete logs of, numbers of roughly 400 bits.
Slide 66: Pseudo-random number generators
- Problems
  - getting many truly random bits is slow
  - getting many shared truly random bits is more awkward
  - getting good randomness is important for many crypto algorithms
- Solution
  - theory: pseudo-random strings that are polynomial-time indistinguishable from truly random strings
  - practice: use DES or hash functions to generate bits from a random seed (FIPS 186)
Slide 67: Stream Ciphers (example -- binary cipher)
key k; input M1 M2 M3 M4 ...; key stream k1 k2 k3 k4 ...; cipher stream C1 C2 C3 C4 ..., with Ci = ki xor Mi
key stream ki depends on k and possibly on M1 M2 ... Mi-1
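One block, added as an example that is not from the slides, for slides 66 and 67: a short truly random seed is expanded by a hash function into a long key stream (the "practice" bullet of slide 66; the counter-mode SHA-256 construction here is a constructed illustration, not the FIPS 186 generator), and that key stream drives the binary stream cipher of slide 67, Ci = ki xor Mi. A nonce is mixed into the seed so two messages never share a key stream, the stream-cipher form of the one-time-pad reuse problem.

```python
import hashlib
import secrets

def new_seed(nbytes: int = 32) -> bytes:
    """The few truly random bits both sides must share, from the OS entropy source."""
    return secrets.token_bytes(nbytes)

def keystream(seed: bytes, nbytes: int, nonce: bytes = b"") -> bytes:
    """Expand seed into nbytes of key stream: k_i comes from SHA-256(seed || nonce || counter).
    Here k_i depends only on the key (and nonce), not on earlier message bits."""
    out = bytearray()
    counter = 0
    while len(out) < nbytes:
        out += hashlib.sha256(seed + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:nbytes])

def stream_encrypt(key: bytes, nonce: bytes, message: bytes) -> bytes:
    """C_i = k_i xor M_i, byte by byte."""
    ks = keystream(key, len(message), nonce)
    return bytes(m ^ k for m, k in zip(message, ks))

def stream_decrypt(key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    return stream_encrypt(key, nonce, ciphertext)       # XOR is self-inverse

def monobit_balance(bits: bytes) -> float:
    """Fraction of 1 bits: a random-looking key stream sits close to 0.5. A single
    statistic like this is necessary, not sufficient, for the indistinguishability
    slide 66 asks for."""
    ones = sum(bin(b).count("1") for b in bits)
    return ones / (8 * len(bits))

if __name__ == "__main__":
    key = new_seed()                                       # shared once, out of band
    msg = b"stream cipher message"                         # constructed message
    c = stream_encrypt(key, b"nonce-1", msg)
    print(c.hex())
    print(stream_decrypt(key, b"nonce-1", c) == msg)       # True
    print(monobit_balance(keystream(key, 4096)))            # close to 0.5
```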
Slide 68: Zero-knowledge proofs (crypto tools)
[Diagram: Prover and Verifier (interactive proofs).]
Slide 69: Zero knowledge proofs are simulatable (conversation distributions are indistinguishable)
[Diagram: conversation 1, between the Prover and the Verifier, and conversation 2, between a Simulator and the Verifier; the two conversation distributions are indistinguishable.]
Slide 70: Complexity Theory
P: problems that can be solved in polynomial time, i.e. problems that can be solved efficiently
NP: broad set of problems that includes P
NP-complete: the hardest problems in NP; they appear to have no efficient solution
Factoring and discrete log are in NP, not known to be NP-complete or in P
Slide 71: Quantum Computation
Radically new machine design; can factor, compute discrete logarithms, and compute other things it is believed conventional machines can not.
Can a quantum machine be built?
Slide 72: More Notation
One-way function: a function that is easy to compute in one direction but hard to invert, e.g. a hash function
Trap-door one-way function: a function that is easy to compute in one direction but hard to invert unless one knows the key, e.g. the RSA encryption function
Slide 73: Some security partners for crypto (crypto can not solve all security problems)
- Secure operating system/network security
- Tamper-resistant hardware
  -- e.g. prevent adversary from learning keys of his own smart card
  -- e.g. detect tampering in smartcard
- Proper personal management of passwords
  -- e.g. non-dictionary words
  -- sufficiently many characters
  -- not written down
  -- limited number of tries
  -- one-time passwords
Slide 74: 3rd Homework
- What is wrong with making RSA more efficient by letting one prime be smaller -- say of only 30 bits?
- How many bits should an RSA/DSA modulus / DES key have
  -- for personal email?
  -- for business email?
  -- for military/classified data?
  -- for a CA's signature key?
- How could one authenticate a small message, say of 50 bits, using a symmetric one-time key?
- Which is a better way for Alice to send Bob an authenticated and encrypted message M?
  -- Enc_pubkeyBob(M, Sign_privkeyAlice(M))
  -- Enc_pubkeyBob(M), Sign_privkeyAlice(Enc_pubkeyBob(M))
Slide 75: Extra questions
- What about the case y = (-1)^x mod p? Isn't it easy to find a value x that maps to y? Doesn't this put a damper on the idea that discrete log is hard?
- What sort of a function is f(x,y) = g^x h^y mod p? (assuming g and h are generators of Zp)
- What is PGP?
- What are Montgomery Multiplication and Brickell-McCurley fast modular exponentiation?
- What is a group? a field?
- What is a knapsack system?