CS 591 Monday, August 23 Initial topic: A Survey of Basic Cryptography - PowerPoint PPT Presentation

1
CS 591, Monday, August 23. Initial topic: A Survey of Basic Cryptography
Peter Gemmell, 277-6509 (office), 280-2557 (cellular), gemmell@cs.unm.edu
2
What is cryptology?
  • Generalized methods to hide (encrypt) and authenticate information
  • Generalized methods to expose and substitute information

(The adversary is malicious and adaptive, unlike the random noise assumed in error-correcting codes.)
3
An Important Distinction
Encryption: maintaining information secret/confidential
Authentication: proving and maintaining information integrity (sometimes also availability)
4
Cryptographic work can be at different levels:
-- algorithms/primitives, e.g. encryption algorithms, signature algorithms, hash algorithms
-- protocols between more than one party, e.g. threshold sharing
-- systems, e.g. electronic cash systems, smartcard systems
-- attacks, on all of the above
5
Some applications of cryptography
  • network, operating systems security
  • private internet, telephone communications
  • electronic payments
  • database security
  • software protection
  • pay television
  • confidential, authentic military communications

6
Open system design vs. closed system design
Open design: the algorithm, protocol, or system design may be public information. The only secret is the private or symmetric key(s) (Kerckhoffs' principle).
Closed design: as much information as possible is kept secret.
7
Types of Security
-- unconditional or information-theoretic: the security is provable, free of assumptions
-- reducible or provable: one can prove that the security is as valid as some common unproven assumption (e.g. that factoring is hard)
-- ad hoc: the security seems good
8
Types of algorithms: Symmetric (encryption)
[Figure: Alice (sender) and Bob (receiver) share the same key k. Alice computes ciphertext = Enc_k(M) and sends it; Bob computes M = Dec_k(ciphertext).]
9
Types of algorithms: Symmetric (authentication)
[Figure: Alice and Bob share key k. Alice sends M, Auth_k(M); Bob runs Verify_k(M, Auth_k(M)) and accepts ("OK") only if the tag checks.]
10
Types of algorithms: Public Key (asymmetric encryption)
[Figure: Alice (sender) holds Bob's pubkey; Bob (receiver) holds the matching privkey. Alice computes ciphertext = Enc_pubkey(M); Bob computes M = Dec_privkey(ciphertext).]
11
Types of algorithms: Public Key (asymmetric authentication)
[Figure: Alice (sender) holds her privkey; Bob (receiver) holds Alice's pubkey. Alice sends M, Sign_privkey(M); Bob runs Verify_pubkey(M, Sign_privkey(M)) and accepts ("OK") only if the signature checks.]
12
Digital Signatures
A public key technique to authenticate information in a non-repudiable way (may be legally binding).
The recipient a) knows that the message is that of the supposed sender, and b) can prove (a) to a third party.
13
Why Public Key is so important
-- It lessens the number of keys needed in a general purpose virtual private network (VPN): n parties need n(n-1)/2 pairwise symmetric keys but only n public/private key pairs.
-- Less reliance on a trusted center for system availability and secrecy (e.g. electronic cash)
-- Non-repudiation
14
Math Background: Modular (clock) Arithmetic
A mod N = remainder of A divided by N
B ≡ A (mod N) if B mod N = A mod N
15
Encryption Algorithms: Historical and Toy
Caesar Cipher: a, b, c, ..., z ↔ 1, 2, 3, ..., 26
Enc(X) = Enc(x1 ... xN) = (x1 + 3 mod 26) ... (xN + 3 mod 26) = C1 ... CN
E.g. Enc(Security) = Enc(19,5,3,21,18,9,20,25) = 22,8,6,24,21,12,23,2 = Vhfxulwb
16
Generalizations of Caesar Cipher (all weak security)
Shift: Enc_k(x) = x + k mod 26
Affine: Enc_{k1,k2}(x) = k1·x + k2 mod 26 (k1 must be invertible mod 26, i.e. gcd(k1, 26) = 1, or decryption is ambiguous)
Substitution: Enc_perm(x) = perm(x) for a permutation perm of the alphabet
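The three generalizations above, written out as an added example (not code from the slides). It uses 0-based letter indices a=0 ... z=25 rather than the slides' 1..26 counting, which gives the same letters for the shift cipher; the English letter-frequency table is an assumption used only to rank candidate plaintexts. The brute-force function shows why "all weak security" is the right verdict: 26 keys is no key space at all.

```python
"""Shift/Caesar, affine and substitution ciphers over a 26-letter alphabet, plus brute-force
recovery of a shift key by trying every key and keeping the most English-looking plaintext."""
from math import gcd
import string

ALPHABET = string.ascii_lowercase  # 0-based: a=0 ... z=25 (the slides count a=1 ... z=26)

# Approximate relative frequencies (percent) of letters in English text; used only for scoring.
ENGLISH_FREQ = {
    "a": 8.2, "b": 1.5, "c": 2.8, "d": 4.3, "e": 12.7, "f": 2.2, "g": 2.0, "h": 6.1, "i": 7.0,
    "j": 0.15, "k": 0.77, "l": 4.0, "m": 2.4, "n": 6.7, "o": 7.5, "p": 1.9, "q": 0.095, "r": 6.0,
    "s": 6.3, "t": 9.1, "u": 2.8, "v": 0.98, "w": 2.4, "x": 0.15, "y": 2.0, "z": 0.074,
}

def _map_letters(text, f):
    """Apply f to each letter's index, preserving case and leaving non-letters untouched."""
    out = []
    for ch in text:
        low = ch.lower()
        if low in ALPHABET:
            new = ALPHABET[f(ALPHABET.index(low))]
            out.append(new.upper() if ch.isupper() else new)
        else:
            out.append(ch)
    return "".join(out)

def shift_encrypt(text, k):
    return _map_letters(text, lambda x: (x + k) % 26)

def shift_decrypt(text, k):
    return _map_letters(text, lambda x: (x - k) % 26)

def affine_encrypt(text, k1, k2):
    if gcd(k1, 26) != 1:
        raise ValueError("k1 must be coprime to 26 or the cipher is not invertible")
    return _map_letters(text, lambda x: (k1 * x + k2) % 26)

def affine_decrypt(text, k1, k2):
    inv = pow(k1, -1, 26)  # multiplicative inverse of k1 mod 26; raises if none exists
    return _map_letters(text, lambda x: inv * (x - k2) % 26)

def substitution_encrypt(text, perm):
    """perm is a 26-letter string: plaintext letter number i is replaced by perm[i]."""
    return _map_letters(text, lambda x: ALPHABET.index(perm[x]))

def substitution_decrypt(text, perm):
    return _map_letters(text, lambda x: perm.index(ALPHABET[x]))

def english_score(text):
    return sum(ENGLISH_FREQ.get(ch, 0.0) for ch in text.lower())

def break_shift(ciphertext):
    """Exhaustive search: 26 candidate plaintexts, return (key, plaintext) with the best score."""
    candidates = ((k, shift_decrypt(ciphertext, k)) for k in range(26))
    return max(candidates, key=lambda kp: english_score(kp[1]))
```

`break_shift` needs no key material at all; the same scoring trick breaks the affine cipher with 12·26 trials, and a substitution cipher falls to frequency analysis of single letters and digraphs rather than brute force.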
17
Other Historical Ciphers
-- WWII American use of Navajo
-- WWII German Enigma machine
-- WWII Japanese Purple machine
18
Unconditionally Secure Cipher: One-time pad
key (random bits):                 1100010011100100011
message bits:                      1110011001100110001
ciphertext (XOR of key, message):  0010001010000010010
...
Problems: the number of random key bits must be at least the total length of all messages being encrypted (the pad is not reusable), and the random bits must be known to both sender and recipient.
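An added example (not code from the slides) that runs the pad above through XOR and then shows the consequence of ignoring "not reusable": with two ciphertexts under one pad the pad cancels out, and a known or guessed second message hands over the first. The second message used in the test is constructed.

```python
"""One-time pad over bit strings, using the slide's key and message bits, plus the failure
that motivates 'not reusable': two ciphertexts under the same pad XOR to m1 XOR m2."""
import secrets

def xor_bits(a: str, b: str) -> str:
    """XOR two equal-length strings of '0'/'1' characters."""
    if len(a) != len(b):
        raise ValueError("pad must be exactly as long as the message")
    return "".join("1" if x != y else "0" for x, y in zip(a, b))

def otp_encrypt(pad: str, message: str) -> str:
    return xor_bits(pad, message)

def otp_decrypt(pad: str, ciphertext: str) -> str:
    return xor_bits(pad, ciphertext)            # XOR is its own inverse

def fresh_pad(nbits: int) -> str:
    """A new pad from the OS random source; it must be shared once and then never reused."""
    return "".join(str(secrets.randbits(1)) for _ in range(nbits))

def two_time_pad_leak(c1: str, c2: str) -> str:
    """If one pad encrypted both messages the pad cancels: c1 XOR c2 = m1 XOR m2, so knowing
    (or guessing) one message reveals the other without ever learning the pad."""
    return xor_bits(c1, c2)

# Bit strings from the slide (lecture material, not real traffic)
PAD = "1100010011100100011"
MSG = "1110011001100110001"
```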
19
Data Encryption Standard (DES) (symmetric key)
Enc_k(M) = a wild permutation, XORs of M, S-boxes, and k
16 rounds, 64-bit block input and output; not clean and concise (unlike RSA and the one-time pad)
Standard for encryption of unclassified data since 1977
The 56-bit key (40 bits in exported versions) yields valid concerns about vulnerability to exhaustive key search
20
Extensions to DES that may give a longer effective key
Triple-DES: ciphertext = Enc_DES,k1(Enc_DES,k2(Enc_DES,k3(plaintext))), or Enc_DES,k1(Dec_DES,(k1 xor k2)(Enc_DES,k2(plaintext)))
DESX: ciphertext = k1 xor Enc_DES,k2(message xor k3)
(Because of the meet-in-the-middle attack on cascaded ciphers, three-key Triple-DES gives roughly 112 bits of effective strength, not 168; see the meet-in-the-middle slides.)
21
RC5 by Ron Rivest of RSA (symmetric encryption algorithm)
Rotations, XORs, modular additions
With variable key lengths and a more succinct description than DES, it is faster and may inspire more confidence
22
RSA (public key encryption)
  • Public key: (N, e)
  • Private key: (p, q, d); p, q large primes, N = pq, and d chosen so that (m^e)^d ≡ m (mod N), i.e. ed ≡ 1 (mod (p-1)(q-1))

RSA encryption can be modified easily to work as the RSA signature function
23
RSA (public key encryption, continued)
  • Express message M as a number between 1 and N
  • Compute Enc_RSA,N,e(M) = M^e mod N
  • Compute Dec_RSA,p,q,d(M^e) = (M^e)^d = M mod N
  • Assumed hard: factoring, discrete logs modulo N

24
Hash functions H
  • compress the length of a message: 1M bits (any number) → 128 or 160 bits
  • collision-free: for any x one cannot compute y ≠ x with H(x) = H(y)
  • random-like behavior

E.g. SHA-1, MD5, MD2 (practical collisions have since been published for MD5 and SHA-1, so neither should be used where collision resistance matters)
25
Authentication: unconditionally secure
[Figure: Alice and Bob share a one-time secret pair (a, b). Alice sends M together with the tag aM + b (arithmetic in a finite field, e.g. modulo a prime); Bob recomputes aM + b and accepts ("OK") only if it matches.]
a, b can be used only once
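The one-time tag aM + b as an added example (not code from the slides), working modulo the prime 2^61 - 1, an assumed field size that comfortably holds a 50-bit message. The last function shows exactly why (a, b) are single-use: two tags under the same pair solve for a and b.

```python
"""Unconditionally secure one-time authentication as on the slide: tag = a*M + b in a prime field.
Without (a, b) a forger's best guess succeeds with probability 1/P however much computing power
it has; but the pair must be used once only, since two tags under the same (a, b) reveal it."""
import secrets

P = (1 << 61) - 1      # field prime; messages are numbers below P (a 50-bit message fits)

def onetime_key():
    """Fresh secret pair (a, b), with a != 0 so that the tag actually depends on M."""
    return secrets.randbelow(P - 1) + 1, secrets.randbelow(P)

def tag(key, message: int) -> int:
    a, b = key
    if not 0 <= message < P:
        raise ValueError("message must be a number below P")
    return (a * message + b) % P

def verify(key, message: int, received: int) -> bool:
    return tag(key, message) == received

def recover_key(m1, t1, m2, t2):
    """Key reuse: t1 - t2 = a*(m1 - m2) mod P, so a = (t1 - t2)/(m1 - m2) and b = t1 - a*m1.
    After that the attacker can tag any message of its choosing."""
    a = (t1 - t2) * pow(m1 - m2, -1, P) % P
    return a, (t1 - a * m1) % P
```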
26
Authentication: Keyed hash function (symmetric)
[Figure: Alice and Bob share key k. Alice sends M, H(k, M, k); Bob recomputes H(k, M, k) and accepts ("OK") only if it matches.]
HMAC: H(K XOR opad, H(K XOR ipad, text))
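The nested construction H(K XOR opad, H(K XOR ipad, text)) written out as an added example (not code from the slides), with the key padding step that the formula leaves implicit, a cross-check against Python's own `hmac` module, and a constant-time tag comparison. SHA-256 as the default hash is an assumption; the slides name SHA-1 and MD5.

```python
"""HMAC from the slide's formula H(K XOR opad, H(K XOR ipad, text)), checked against Python's
hmac module, plus a verifier that compares tags in constant time."""
import hashlib
import hmac

def hmac_from_scratch(key: bytes, text: bytes, hash_name: str = "sha256") -> bytes:
    block_size = hashlib.new(hash_name).block_size     # 64 bytes for SHA-1 and SHA-256
    if len(key) > block_size:                          # long keys are hashed down first ...
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(block_size, b"\x00")               # ... then every key is padded to one block
    ipad = bytes(b ^ 0x36 for b in key)                # K XOR ipad
    opad = bytes(b ^ 0x5C for b in key)                # K XOR opad
    inner = hashlib.new(hash_name, ipad + text).digest()
    return hashlib.new(hash_name, opad + inner).digest()

def matches_stdlib(key: bytes, text: bytes, hash_name: str = "sha256") -> bool:
    """Cross-check against the standard library's HMAC implementation."""
    return hmac_from_scratch(key, text, hash_name) == hmac.new(key, text, hash_name).digest()

def verify_tag(key: bytes, text: bytes, received: bytes, hash_name: str = "sha256") -> bool:
    """Constant-time compare: an early-exit == would leak how many tag bytes matched."""
    return hmac.compare_digest(hmac_from_scratch(key, text, hash_name), received)
```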
27
Efficiency Considerations and the need for symmetric session keys
Public key algorithms tend to be slow. E.g. RSA decrypts on the order of 10 kbit/second, while DES encrypts/decrypts on the order of 1 Mbit/second (figures from the time of these slides).
28
Key Exchange: Establishing a (symmetric) Session Key k
[Figure: Alice holds privkeyAlice and pubkeyBob; Bob holds privkeyBob and pubkeyAlice. The session key k is sent encrypted under the recipient's public key, and the bulk traffic is then encrypted symmetrically under k.]
29
Impersonation Attack
[Figure: an attacker ("I'm Bob") holding privkeyFakeBob presents pubkeyFakeBob to Alice as if it were Bob's. Alice, holding privkeyAlice and the fake key, encrypts important information to pubkeyFakeBob, which the attacker can read.]
30
Certification Authority (CA)
[Figure: Bob's certificate consists of PubkeyBob and misc info, covered by the CA signature.]
A certificate binds a name to a public key
31
Open Network
32
Virtual Private Networks (VPN)
33
VPN software/hardware
Application layer: SSL, Shttp, S/WAN, PCT
IP layer: Netlock, competitors
34
Electronic Payment Systems: credit card, debit card style
[Figure: the Internet payer pays the Internet payee; Visa, a bank, or another intermediary confirms to the payee "You have received payment".]
35
Sample Payment Protocols
  • iKP of IBM
  • SEPP (IBM, Netscape, GTE, CyberCash, and MasterCard)
  • VISA's design
  • First Virtual
  • Secure Courier, STT

36
Electronic Payment Systems: Chaum-style untraceable Cash
[Figure: the Ecash withdrawer/payer obtains from the Bank/Mint a coin carrying BankSig (a blind signature, so the bank cannot later link the coin to the withdrawal) and spends it; the payee deposits it with the Bank/Mint.]
37
Electronic Payment Systems: Trustee-traceable Cash
[Figure: as above, between the Bank/Mint and the Ecash withdrawer/payer, but a trustee can trace a coin back to the withdrawer.]
38
Key Escrow, e.g. Clipper
[Figure: the key is split into escrow key1, escrow key2, ..., escrow keyL, each held by a different trustee (Trustee L holds escrow keyL).]
39
The Threshold Paradigm is one of Distributed Trust
[Figure: secret information is split among several holders.]
40
Threshold Sharing
Dealer shares a secret S among L shareholders (k-out-of-L). Some shareholders may be untrustworthy.
41
Threshold Sharing protects
- Secrecy: no k-1 shareholders can learn the secret
- Integrity: no L-k shareholders can destroy the secret (any k honest shareholders can reconstruct it)
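Shamir's polynomial scheme is the standard realization of k-out-of-L threshold sharing; here it is as an added example (not code from the slides). The field prime 2^127 - 1 and the seed-controlled dealer randomness are assumptions for the demo. The tests exercise both properties on the slide: any k shares reconstruct S even after L-k are lost, and k-1 shares are consistent with every candidate secret.

```python
"""k-out-of-L threshold (Shamir) secret sharing over a prime field: the dealer hides S as the
constant term of a random degree-(k-1) polynomial; any k shares recover S by Lagrange
interpolation, while any k-1 shares are consistent with every possible secret."""
import random
import secrets

PRIME = (1 << 127) - 1        # field size; the secret must be a number below this

def make_shares(secret, k, L, seed=None):
    """Dealer: returns L shares (i, f(i)) for i = 1..L, where f(0) = secret.
    A seed gives reproducible (non-secret!) demo randomness; None uses the OS CSPRNG."""
    if not (0 <= secret < PRIME and 1 <= k <= L < PRIME):
        raise ValueError("need 0 <= secret < PRIME and 1 <= k <= L")
    rng = random.Random(seed) if seed is not None else secrets.SystemRandom()
    coeffs = [secret] + [rng.randrange(PRIME) for _ in range(k - 1)]

    def f(x):
        return sum(c * pow(x, i, PRIME) for i, c in enumerate(coeffs)) % PRIME

    return [(i, f(i)) for i in range(1, L + 1)]

def reconstruct(shares):
    """Any k shares with distinct x: Lagrange interpolation of f, evaluated at x = 0."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total

def secret_if_missing_share_is(partial_shares, x_missing, y_guess):
    """What k-1 holders would compute if they guessed the missing share's value: every guess
    yields a different candidate secret, so the k-1 shares alone say nothing about S."""
    return reconstruct(list(partial_shares) + [(x_missing, y_guess)])
```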
42
Fortezza, Capstone, and Skipjack
Skipjack: a classified NSA-designed symmetric encryption algorithm
Capstone: a suite of crypto functions for govt-related use: bulk data encryption algorithm Skipjack, digital signature algorithm DSA, key exchange protocol (not published), hash function SHA
Fortezza: a tamper-resistant PCMCIA card implementing the Capstone algorithms
43
Man-in-the-Middle Attack
[Figure: the attacker sits between Alice and Bob, playing "I'm Bob" towards Alice and "I'm Alice" towards Bob, so each party unknowingly establishes keys with the attacker.]
44
Crypto Information Resources
  • RSA FAQ (http://www.rsa.com/rsalabs/newfaq/)
  • Handbook of Applied Cryptography, Alfred J. Menezes, Paul C. van Oorschot and Scott A. Vanstone (http://www.dms.auburn.edu/hac/)
  • B. Schneier, Applied Cryptography: Protocols, Algorithms, and Source Code in C, John Wiley & Sons, New York, 2nd Edition
  • D.R. Stinson, Cryptography: Theory and Practice, CRC Press, Boca Raton, 1995 (http://bibd.unl.edu/stinson/CTAP.html)
  • D. Kahn, The Codebreakers, Macmillan Co., New York, 1967

45
Homework
1. Decipher this Caesar text: Wklv lv d whvw
2. Decipher this shift text:
Bqrairaijibna
biqjmibqraiwxbiknnwijibnabibqraivnaajpniexcumi qjd
niknnwimroon nwb
(hint: including a space character, there are 27 letters)
3. What is a CAPI and why is it important?
4. What is FIPS 140 and why is it important?
Extra credit: What are Alice and Bob's real names?
46
Block Ciphers
  • Iterated
  • Key Schedule
  • Feistel -- e.g. DES

47
Modes of DES Encryption
DES is a block cipher; in the simplest mode, repeated encryptions of the same block yield the same ciphertext block
  • Electronic Code Book (ECB)
  • Cipher Block Chaining (CBC)
  • Cipher Feedback Mode (CFM, usually written CFB)
  • Output Feedback Mode (OFM, usually written OFB)

48
Electronic Code Book mode (ECB)
[Figure: each 64-bit block is encrypted independently, C_i = DES_k(M_i).]
49
Cipher Block Chaining mode (CBC)
[Figure: each block is XORed with the previous ciphertext block before encryption, e.g. C_65-128 = DES_k(M_65-128 XOR C_1-64).]
50
Attacks -- characterized by the needs of the attacker
  • Known Plaintext
  • Chosen Plaintext
  • Chosen Ciphertext

Also: the number of plaintext/ciphertext pairs required
51
The birthday paradox
Any random set of 23 people probably (with probability above 1/2) shares a birthday
52
A birthday attack
If hash function H maps into message digests of length 60 bits, then an adversary can find a collision using only about 2^30 inputs (in general about 2^(n/2) inputs for an n-bit digest)
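The birthday calculation and the attack it implies, as an added example (not code from the slides). The short digest is simulated by truncating SHA-256 to n bits (an assumption; any hash would do): with n = 32 the attack finds a collision after roughly 2^16 inputs, the same square-root effort that turns the slide's 60-bit digest into a 2^30 problem.

```python
"""The birthday bound and a birthday attack on a short digest. The 'hash' is SHA-256 truncated
to n bits, a stand-in for a hypothetical n-bit digest."""
import hashlib

def shared_birthday_probability(people: int, days: int = 365) -> float:
    """P(at least two of `people` share a birthday) = 1 - P(all birthdays distinct)."""
    p_distinct = 1.0
    for i in range(people):
        p_distinct *= (days - i) / days
    return 1.0 - p_distinct

def birthday_bound(digest_bits: int) -> int:
    """Inputs needed before a collision is likely: about sqrt(2^n) = 2^(n/2)."""
    return 1 << (digest_bits // 2)

def truncated_hash(data: bytes, bits: int) -> int:
    """Leftmost `bits` bits of SHA-256, i.e. a stand-in for a short message digest."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - bits)

def birthday_attack(bits: int):
    """Hash distinct inputs, remembering every digest seen, until one repeats.
    Returns (input1, input2, inputs_tried); the two inputs differ but hash alike."""
    seen = {}
    for i in range(64 * birthday_bound(bits)):    # generous cap; expected effort ~2^(bits/2)
        msg = b"msg-%d" % i
        h = truncated_hash(msg, bits)
        if h in seen:
            return seen[h], msg, i + 1
        seen[h] = msg
    return None
```

The attack needs memory as well as time (one table entry per input); the point for digest sizing is that an n-bit digest only gives about n/2 bits of collision resistance.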
53
Meet in the middle attack on symmetric encryption functions (known plaintext attack)
key k = (k1, k2)
Enc_k(M) = Enc_k1(Enc_k2(M))
Known plaintext P, ciphertext C = Enc_k(P)
54
Meet in the middle technique
[Figure: for every k2 from 000..0 to 11..1 compute Enc_k2(P) and store it; for every k1 from 000..0 to 11..1 compute Dec_k1(C) and look it up in the stored table. A match gives a candidate (k1, k2) at a cost of about 2·2^|k| cipher operations rather than 2^(2|k|).]
55
Homework 2
  • Why do people not advocate double DES ?
  • Why do people not use error correcting codes
    for encryption?
  • Why do people not use error correcting codes
    for authentication?

56
Using CBC DES for authentication (symmetric)
[Figure: CBC-MAC: M_1-64 is encrypted with DES under k, each following block is XORed with the previous DES output and encrypted again, and the final DES output after M_last block is Auth_k(M); the intermediate outputs are discarded.]
(Raw CBC-MAC is only safe for messages of one fixed length; variable-length use needs a length prefix or a differently keyed last block.)
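One added example (not code from the slides) that serves the block cipher slides together: the iterated Feistel structure (slide 46), ECB versus CBC (slides 47 to 49), the meet-in-the-middle attack on double encryption (slides 53 and 54) and CBC-MAC (slide 56). The cipher is a constructed 64-bit, 4-round Feistel network whose round function is SHA-256, standing in for DES; key names, the 14-bit key space used in the attack and the sample plaintexts are all assumptions chosen so the attack finishes in about a second.

```python
"""A toy 64-bit Feistel block cipher (SHA-256 as the round function) used to show
ECB vs. CBC, CBC-MAC, and the meet-in-the-middle attack on double encryption.
Toy sizes only: the attack's key space is deliberately tiny so it runs in seconds."""
import hashlib

BLOCK = 8  # bytes

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round_fn(key, half, rnd):
    """Round function F: 32 bits of SHA-256 over the key, the round number and the right half."""
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]

def encrypt_block(key, block, rounds=4):
    L, R = block[:4], block[4:]
    for r in range(rounds):
        L, R = R, _xor(L, _round_fn(key, R, r))
    return R + L          # final swap undone, so decryption runs the same rounds in reverse

def decrypt_block(key, block, rounds=4):
    R, L = block[:4], block[4:]
    for r in reversed(range(rounds)):
        R, L = L, _xor(R, _round_fn(key, L, r))
    return L + R

def _blocks(data):
    if len(data) % BLOCK:
        raise ValueError("data must be a whole number of 8-byte blocks (pad it first)")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, data):
    return b"".join(encrypt_block(key, b) for b in _blocks(data))

def cbc_encrypt(key, iv, data):
    out, prev = [], iv
    for b in _blocks(data):
        prev = encrypt_block(key, _xor(b, prev))    # C_i = E_k(M_i XOR C_{i-1})
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, data):
    out, prev = [], iv
    for c in _blocks(data):
        out.append(_xor(decrypt_block(key, c), prev))
        prev = c
    return b"".join(out)

def has_repeated_blocks(ciphertext):
    """ECB leaks equal plaintext blocks as equal ciphertext blocks; CBC does not."""
    bs = _blocks(ciphertext)
    return len(set(bs)) < len(bs)

def cbc_mac(key, data):
    """CBC-MAC: zero IV, keep only the last ciphertext block (fixed-length messages only)."""
    return cbc_encrypt(key, bytes(BLOCK), data)[-BLOCK:]

def double_encrypt(k1, k2, block):
    return encrypt_block(k1, encrypt_block(k2, block))

def meet_in_the_middle(pairs, keybits):
    """Recover (k1, k2) from known (P, C) pairs in about 2 * 2**keybits cipher calls,
    instead of the 2**(2*keybits) needed to search both keys together."""
    p0, c0 = pairs[0]
    table = {}
    for k2 in range(1 << keybits):                 # forward half: E_k2(P) for every k2
        kb = k2.to_bytes(4, "big")
        table.setdefault(encrypt_block(kb, p0), []).append(kb)
    hits = []
    for k1 in range(1 << keybits):                 # backward half: D_k1(C), look up a match
        kb = k1.to_bytes(4, "big")
        for k2b in table.get(decrypt_block(kb, c0), []):
            if all(double_encrypt(kb, k2b, p) == c for p, c in pairs[1:]):  # confirm on extra pairs
                hits.append((kb, k2b))
    return hits

if __name__ == "__main__":
    key = b"demo-key"
    msg = b"SAMEBLOK" * 3 + b"LASTONE!"            # constructed: three identical blocks
    print("ECB repeats:", has_repeated_blocks(ecb_encrypt(key, msg)))
    print("CBC repeats:", has_repeated_blocks(cbc_encrypt(key, bytes(BLOCK), msg)))
    k1, k2 = (1234).to_bytes(4, "big"), (9876).to_bytes(4, "big")
    pairs = [(p, double_encrypt(k1, k2, p)) for p in (b"plaintxt", b"2ndblock")]
    print("meet-in-the-middle finds:", meet_in_the_middle(pairs, 14))
```

With 14-bit keys the attack does 2·2^14 block operations where exhaustive search over the 28-bit combined key would need 2^28; the same arithmetic is what caps two-key DES at about 57 bits and three-key Triple-DES at about 112.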
57
RSA (public key signatures)
  • Public key: (N, e)
  • Private key: (p, q, d); p, q large primes, N = pq, d chosen so that (x^e)^d ≡ x (mod N)

58
RSA (public key signatures, continued)
  • Hash message M to a number H(M)
  • Compute Sign_RSA,p,q,d(M) = H(M)^d mod N
  • Verify_RSA,N,e(M, Sign_RSA(M)) = OK iff Sign_RSA(M)^e ≡ H(M) (mod N)
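Textbook RSA as on slides 22, 23, 57 and 58, as one added example (not code from the slides): key set-up, encryption and decryption, hash-then-sign, and the reason the slides hash before signing. The demo primes 2^127 - 1 and 2^521 - 1 (Mersenne primes, chosen only because their primality is certain) and SHA-256 as H are assumptions; such a modulus would be trivial to factor, so the arithmetic rather than the key strength is the point.

```python
"""Textbook RSA: key set-up, encryption/decryption, hash-then-sign signatures, and the
multiplicative forgery that signing without a hash allows. Toy keys, see DEMO_P / DEMO_Q."""
import hashlib
from math import gcd

def rsa_keygen(p, q, e=65537):
    """Public key (N, e), private key (p, q, d) with e*d = 1 mod (p-1)(q-1)."""
    N, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be invertible modulo (p-1)(q-1)")
    return (N, e), (p, q, pow(e, -1, phi))

def rsa_encrypt(pub, m: int) -> int:
    N, e = pub
    if not 1 <= m < N:
        raise ValueError("message must be a number between 1 and N-1")
    return pow(m, e, N)

def rsa_decrypt(priv, c: int) -> int:
    p, q, d = priv
    return pow(c, d, p * q)

def hash_to_int(message: bytes) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def rsa_sign(priv, message: bytes) -> int:
    p, q, d = priv
    return pow(hash_to_int(message), d, p * q)          # H(M)^d mod N

def rsa_verify(pub, message: bytes, sig: int) -> bool:
    N, e = pub
    return pow(sig, e, N) == hash_to_int(message)       # sig^e == H(M) mod N

def raw_sign(priv, m: int) -> int:
    """Signing the number itself with no hash: sig = m^d mod N."""
    p, q, d = priv
    return pow(m, d, p * q)

def raw_verify(pub, m: int, sig: int) -> bool:
    N, e = pub
    return pow(sig, e, N) == m % N

def raw_forgery(pub, m1, s1, m2, s2):
    """(m1^d)(m2^d) = (m1*m2)^d mod N: from two raw signatures anyone can sign m1*m2.
    Hashing first breaks this because H(m1)*H(m2) is not H(m1*m2)."""
    N, e = pub
    return (m1 * m2) % N, (s1 * s2) % N

# Constructed demo primes (Mersenne primes 2^127-1 and 2^521-1): N has about 648 bits, so a
# 256-bit SHA-256 value is already below N and needs no reduction.
DEMO_P = (1 << 127) - 1
DEMO_Q = (1 << 521) - 1
```

Real deployments add randomized padding (OAEP for encryption, PSS or PKCS#1 v1.5 for signatures) on top of this arithmetic; the bare operation is deterministic and malleable, as the forgery function shows.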

59
The Digital Signature Algorithm DSA/DSS: set-up
(parameters p, q, g with q a prime dividing p-1 and g of order q mod p; private key x, public key y = g^x mod p)
60
The Digital Signature Algorithm: signing process
M: message to be signed
H: hash function such as SHA or MD5 or MD2
k: a random one-time signing key
r = (g^k mod p) mod q
s = k^(-1) (H(M) + x r) mod q
Sig_x(M) = (r, s)
61
The Digital Signature Algorithm: signature verification process
Given M, (r, s): compute u1 = s^(-1) H(M) mod q, u2 = s^(-1) r mod q, v = (g^u1 y^u2 mod p) mod q; accept iff v = r
62
Primality Testing
For security and general fault-tolerance reasons, one needs to know whether p is really prime (divisible only by 1 and p)
Probabilistic: Miller-Rabin, Solovay-Strassen
100% guaranteed: Atkin's (elliptic curve primality proving)
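One added example (not code from the slides) for the DSA slides 59 to 61 and the primality slide 62 together: Miller-Rabin is used to generate p and q, then the signing and verification formulas above are applied as written, and the last function shows what happens when the "one-time" signing key k is used twice. Parameter sizes (128-bit p, 64-bit q), SHA-256 as H, and the seeded demo randomness are assumptions; the seeded path exists only so that the test is reproducible and is not secure.

```python
"""Miller-Rabin primality testing, DSA parameter and key generation, signing and verification
as on the slides, and the classic failure when the one-time signing key k is reused.
Toy sizes (128-bit p, 64-bit q) for speed; real DSA uses 2048-bit p / 256-bit q or larger."""
import hashlib
import random
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def _rng(seed):
    # A seed gives reproducible (non-secret!) demo randomness; None gives the OS CSPRNG.
    return random.Random(seed) if seed is not None else secrets.SystemRandom()

def is_probable_prime(n, rounds=32, seed=None):
    """Miller-Rabin: a composite n survives one random base with probability at most 1/4."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:                       # cheap trial division first
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:                            # n - 1 = 2^s * d with d odd
        d //= 2
        s += 1
    rng = _rng(seed)
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False                         # this base is a witness of compositeness
    return True

def random_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1    # full size and odd
        if is_probable_prime(cand):
            return cand

def dsa_params(pbits=128, qbits=64, seed=None):
    """(p, q, g): q prime, q divides p-1, g of order q modulo p (so g^q = 1 mod p)."""
    rng = _rng(seed)
    q = random_prime(qbits, rng)
    while True:                                  # p = m*q + 1 with m even, until p is prime
        m = 2 * (rng.getrandbits(pbits - qbits - 1) | (1 << (pbits - qbits - 2)))
        p = m * q + 1
        if is_probable_prime(p):
            break
    for h in range(2, p):
        g = pow(h, (p - 1) // q, p)
        if g != 1:
            return p, q, g

def hash_mod_q(message: bytes, q: int) -> int:
    # SHA-256 stands in for the slide's SHA/MD5/MD2; reduced mod q because q is tiny here
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % q

def dsa_keygen(params, seed=None):
    p, q, g = params
    x = _rng(seed).randrange(1, q)               # private key x
    return x, pow(g, x, p)                       # (x, y) with y = g^x mod p

def dsa_sign(params, x, message: bytes, k=None):
    p, q, g = params
    h = hash_mod_q(message, q)
    while True:
        k = k if k is not None else secrets.randbelow(q - 1) + 1   # fresh one-time key
        r = pow(g, k, p) % q
        s = pow(k, -1, q) * (h + x * r) % q
        if r and s:
            return r, s
        k = None                                 # degenerate r or s: draw another k

def dsa_verify(params, y, message: bytes, sig) -> bool:
    p, q, g = params
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    u1, u2 = hash_mod_q(message, q) * w % q, r * w % q
    v = pow(g, u1, p) * pow(y, u2, p) % p % q
    return v == r

def recover_private_key(params, m1, sig1, m2, sig2):
    """Two signatures with the same k share r. Then s1 - s2 = k^-1 (h1 - h2), so
    k = (h1 - h2)/(s1 - s2) and x = (s1*k - h1)/r, all mod q."""
    p, q, g = params
    (r, s1), (r2, s2) = sig1, sig2
    if r != r2:
        raise ValueError("no k reuse between these signatures")
    h1, h2 = hash_mod_q(m1, q), hash_mod_q(m2, q)
    k = (h1 - h2) * pow(s1 - s2, -1, q) % q
    return (s1 * k - h1) * pow(r, -1, q) % q
```

The k-reuse recovery is why a signing implementation must draw k from a strong random source, or derive it deterministically from the key and message (RFC 6979), and never repeat it.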
63
Strong primes p
  • p+1 has a large prime factor
  • p-1 has a large prime factor r
  • r-1 has a large prime factor

foils factoring (the p-1 and p+1 methods), discrete log, and RSA attacks
64
Elliptic Curve Algorithms: public key encryption/authentication
Issue: the public and private keys and signatures of asymmetric encryption are too big and slow
Solution? Instead of operating on the numbers 1 ... N or 1 ... p, operate on elliptic curve elements (x, y) such that y^2 = x^3 + ax + b (mod p)
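The group law on those (x, y) elements, as an added example (not code from the slides): chord-and-tangent addition, doubling, and double-and-add scalar multiplication, which plays the role that modular exponentiation plays for RSA and DSA. The curve y^2 = x^3 + 2x + 3 over GF(97) and the base point (3, 6) are constructed for the demo and far too small for any real use.

```python
"""Elliptic curve group arithmetic over a prime field, y^2 = x^3 + ax + b (mod p): point
addition, doubling and double-and-add scalar multiplication, on a constructed toy curve small
enough to check by hand and to find a point's order by brute force."""

INF = None   # the point at infinity, the group identity

class Curve:
    def __init__(self, a, b, p):
        if (4 * a ** 3 + 27 * b ** 2) % p == 0:
            raise ValueError("singular curve: discriminant is zero")
        self.a, self.b, self.p = a, b, p

    def on_curve(self, P):
        if P is INF:
            return True
        x, y = P
        return (y * y - (x ** 3 + self.a * x + self.b)) % self.p == 0

    def neg(self, P):
        return INF if P is INF else (P[0], (-P[1]) % self.p)

    def add(self, P, Q):
        if P is INF:
            return Q
        if Q is INF:
            return P
        (x1, y1), (x2, y2) = P, Q
        if x1 == x2 and (y1 + y2) % self.p == 0:
            return INF                                   # P + (-P), including 2P when y = 0
        if P == Q:
            lam = (3 * x1 * x1 + self.a) * pow(2 * y1, -1, self.p) % self.p   # tangent slope
        else:
            lam = (y2 - y1) * pow(x2 - x1, -1, self.p) % self.p              # chord slope
        x3 = (lam * lam - x1 - x2) % self.p
        y3 = (lam * (x1 - x3) - y1) % self.p
        return (x3, y3)

    def mul(self, k, P):
        """k*P by double-and-add in O(log k) group operations; finding k from k*P is the
        elliptic curve discrete log problem."""
        R = INF
        while k > 0:
            if k & 1:
                R = self.add(R, P)
            P = self.add(P, P)
            k >>= 1
        return R

    def order_of(self, P):
        """Smallest n > 0 with n*P = INF (brute force; only feasible on a toy curve)."""
        n, Q = 1, P
        while Q is not INF:
            Q = self.add(Q, P)
            n += 1
        return n

# Constructed toy curve y^2 = x^3 + 2x + 3 over GF(97); G = (3, 6) is on it: 27 + 6 + 3 = 36 = 6^2.
TOY = Curve(a=2, b=3, p=97)
G = (3, 6)
```

The last test line is the Diffie-Hellman property a*(b*G) = b*(a*G); the same `mul` with a 256-bit prime and a standard curve is what ECDH and ECDSA build on, which is how EC schemes get RSA-level security from much shorter keys.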
65
Factoring Techniques
  • Try all primes < squareroot(N)
  • Pollard's rho method
  • Elliptic curve methods
  • Quadratic sieve
  • Number field sieve
  • ...

Discrete logs: index calculus, ...
The best algorithms at the time of these slides could factor, or take discrete logs of, numbers of roughly 400 bits.
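The first two methods on the list as an added example (not code from the slides): trial division and Pollard's rho. The test modulus is constructed from two Mersenne primes of very different size, which makes rho's behaviour visible: its cost grows with the square root of the smallest prime factor, not with the size of N.

```python
"""Two of the listed factoring methods: trial division by small divisors and Pollard's rho.
Rho costs about sqrt(p) steps for the smallest prime factor p, independent of the size of N,
which is why an RSA modulus with one small prime is easy to break."""
from math import gcd, isqrt

def trial_division(n: int, bound: int = 10_000):
    """Divide out every factor below `bound`; returns (factors_found, remaining_cofactor)."""
    factors = []
    for d in range(2, min(bound, isqrt(n) + 1)):
        while n % d == 0:
            factors.append(d)
            n //= d
    return factors, n

def pollard_rho(n: int, c: int = 1, x0: int = 2):
    """Floyd-cycle Pollard rho with f(x) = x^2 + c mod n: the sequence x_i mod p cycles after
    about sqrt(p) steps, and gcd(x_i - x_2i, n) then exposes p. Returns None if the run
    degenerates (gcd == n); the caller retries with another c."""
    x = y = x0
    d = 1
    while d == 1:
        x = (x * x + c) % n
        y = (y * y + c) % n
        y = (y * y + c) % n
        d = gcd(abs(x - y), n)
    return None if d == n else d

def factor(n: int):
    """Sorted prime factors of n, assuming the cofactor left after trial division is prime or a
    product of two primes (the RSA situation of interest)."""
    factors, rest = trial_division(n)
    if rest == 1:
        return sorted(factors)
    if pow(2, rest - 1, rest) == 1:               # Fermat test to base 2: (probably) prime
        return sorted(factors + [rest])
    for c in range(1, 100):
        d = pollard_rho(rest, c)
        if d:
            return sorted(factors + [d, rest // d])
    raise RuntimeError("rho did not find a factor")
```

Rho splits the 92-bit test modulus in tens of thousands of steps because one factor is only 31 bits; the sieve methods on the rest of the list are what make 400-bit numbers with two balanced primes feasible.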
66
Pseudo-random number generators
  • Problems
    -- getting many truly random bits is slow
    -- getting many shared truly random bits is more awkward
    -- getting good randomness is important for many crypto algorithms
  • Solution
    -- theory: pseudo-random strings that are polynomial-time indistinguishable from truly random strings
    -- practice: use DES or hash functions to generate bits from a random seed (FIPS 186)

67
Stream Ciphers (example -- binary cipher)
key k; input M1 M2 M3 M4 ...; key stream k1 k2 k3 k4 ...; cipher stream C1 C2 C3 C4 ... with C_i = k_i xor M_i
key stream k_i depends on k and possibly on M1 M2 ... M_(i-1)
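An added example (not code from the slides) joining the two slides above: a keystream generated from a short seed by hashing it with a counter, in the spirit of the hash-based generator the PRNG slide refers to, used as the binary stream cipher C_i = k_i xor M_i. It is a constructed generator, not the FIPS 186 algorithm itself; the per-message nonce is an assumption added so that the same key can encrypt more than one message without producing the two-time-pad situation.

```python
"""A hash-based pseudo-random keystream (SHA-256 over key, nonce and a counter) used as a
binary stream cipher C_i = k_i XOR M_i. Constructed example, not the FIPS 186 generator."""
import hashlib
import secrets

def keystream(key: bytes, nonce: bytes, nbytes: int) -> bytes:
    """Deterministic from (key, nonce): block i = SHA-256(key || nonce || i)."""
    out = bytearray()
    counter = 0
    while len(out) < nbytes:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:nbytes])

def stream_encrypt(key: bytes, message: bytes, nonce: bytes = None):
    """Returns (nonce, ciphertext). The nonce travels in the clear and must never repeat under
    the same key; otherwise the two keystreams coincide and c1 XOR c2 = m1 XOR m2."""
    nonce = nonce if nonce is not None else secrets.token_bytes(16)
    ks = keystream(key, nonce, len(message))
    return nonce, bytes(m ^ k for m, k in zip(message, ks))

def stream_decrypt(key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    _, plaintext = stream_encrypt(key, ciphertext, nonce)   # XOR with the same keystream
    return plaintext

def keystream_bias(key: bytes, nonce: bytes, nbits: int = 8192) -> float:
    """Fraction of 1 bits in the keystream; a usable generator stays close to 0.5."""
    ks = keystream(key, nonce, nbits // 8)
    ones = sum(bin(b).count("1") for b in ks)
    return ones / nbits
```

The keystream here depends only on the key and nonce (a synchronous stream cipher); the slide's variant where k_i also depends on M1 ... M_(i-1) is the self-synchronizing kind, of which CFB mode is the block-cipher example.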
68
Zero-knowledge proofs (crypto tools)
[Figure: Prover and Verifier exchange messages (interactive proofs).]
69
Zero knowledge proofs are simulatable (conversation distributions are indistinguishable)
[Figure: conversation 1 takes place between the Prover and the Verifier; conversation 2 between a Simulator, which holds no secret, and the Verifier. The two conversations are distributed indistinguishably.]
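Schnorr's identification protocol, as an added example (not code from the slides), makes the two figures concrete: the prover shows knowledge of a discrete log x with y = g^x mod p, and a simulator with only y produces conversations from exactly the same distribution. The group p = 23, q = 11, g = 2 is a constructed toy (2 has order 11 modulo 23), chosen so that every possible conversation can be enumerated and the two distributions compared exactly.

```python
"""Schnorr's interactive proof of knowledge of x with y = g^x mod p, the simulator that
produces conversations without x, and the extractor behind its soundness. Toy group."""
import secrets

P, Q, G = 23, 11, 2      # constructed: q = 11 divides p - 1 = 22, and 2 has order 11 mod 23

def prover_commit(rng=secrets):
    r = rng.randbelow(Q)
    return r, pow(G, r, P)                         # keep r secret, send t = g^r

def verifier_challenge(rng=secrets):
    return rng.randbelow(Q)                        # c

def prover_respond(x, r, c):
    return (r + c * x) % Q                         # s = r + c*x

def verify(y, t, c, s):
    return pow(G, s, P) == t * pow(y, c, P) % P    # g^s == t * y^c

def simulate(y, c, s):
    """Simulator: choose c and s first, then the t that makes verify() pass: t = g^s * y^-c."""
    t = pow(G, s, P) * pow(pow(y, c, P), -1, P) % P
    return t, c, s

def run_protocol(x, rng=secrets):
    y = pow(G, x, P)
    r, t = prover_commit(rng)
    c = verifier_challenge(rng)
    return verify(y, t, c, prover_respond(x, r, c))

def real_conversations(x):
    """Every (t, c, s) an honest prover can produce, one per (r, c) pair."""
    return sorted((pow(G, r, P), c, (r + c * x) % Q) for r in range(Q) for c in range(Q))

def simulated_conversations(y):
    """Every (t, c, s) the simulator can produce from y alone, one per (c, s) pair."""
    return sorted(simulate(y, c, s) for c in range(Q) for s in range(Q))

def extract(c1, s1, c2, s2):
    """Soundness: two responses to different challenges on the same commitment give x."""
    return (s1 - s2) * pow(c1 - c2, -1, Q) % Q
```

Equality of the two sorted lists is the "indistinguishable conversation distributions" claim made exact; `extract` is the other half of the story, showing why the prover must answer only one challenge per commitment.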
70
Complexity Theory
P: problems that can be solved in polynomial time, i.e. problems that can be solved efficiently
NP: a broad set of problems that includes P
NP-complete: the hardest problems in NP; they appear to have no efficient solution
Factoring and discrete log are in NP, not known to be NP-complete or in P
71
Quantum Computation
A radically new machine design that can factor, compute discrete logarithms, and compute other things it is believed conventional machines cannot do efficiently.
Can a quantum machine be built?
72
More Notation
One-way function: a function that is easy to compute in one direction but hard to invert, e.g. a hash function
Trap-door one-way function: a function that is easy to compute in one direction but hard to invert unless one knows the key (the trap door), e.g. the RSA encryption function
73
Some security partners for crypto (Crypto cannot solve all security problems)
  • Secure operating system/network security
  • Tamper-resistant hardware -- e.g. prevent an adversary from learning the keys of his own smart card; e.g. detect tampering in a smartcard
  • Proper personal management of passwords -- e.g. non-dictionary words, sufficiently many characters, not written down, limited number of tries, one-time passwords

74
3rd Homework
  • What is wrong with making RSA more efficient by letting one prime be smaller -- say of only 30 bits?
  • How many bits should an RSA/DSA modulus / DES key have -- for personal email? for business email? for military/classified data? for a CA's signature key?
  • How could one authenticate a small message, say of 50 bits, using a symmetric one-time key?
  • Which is a better way for Alice to send Bob an authenticated and encrypted message M?
    -- Enc_pubkeyBob(M, Sign_privkeyAlice(M))
    -- Enc_pubkeyBob(M), Sign_privkeyAlice(Enc_pubkeyBob(M))

75
Extra questions
  • What about the case y = (-1)^x mod p? Isn't it easy to find a value x that maps to y? Doesn't this put a damper on the idea that discrete log is hard?
  • What sort of a function is f(x, y) = g^x h^y mod p? (assuming g and h are generators of Z_p^*)
  • What is PGP?
  • What are Montgomery multiplication and Brickell-McCurley fast modular exponentiation?
  • What is a group? a field?
  • What is a knapsack system?