Applied Cryptography Spring 2017.


Lecture times Thursdays 14:30-16:00 room 413 16 lectures The lectures at the following dates will be rescheduled (dates/times to be agreed, but likely to some time in April/May): 23.02. 30.03. Some other changes are possible (but hopefully, not too many).

Requirements Attend lectures (if you want to). Collect at least 20 points: 2 practical assignments, 20 points each; written exam, 20 points. Any of the above is optional. The grade will be calculated (approximately) as follows:
Grade  Points
10     56-60
9      52-55
8      46-51
7      39-45
6      32-38
5      24-31
4      20-23

Problems covered Text encryption/decryption Digital signatures Ciphers Digital signatures Hash functions (used also for authentication) Digital signature algorithms Protocols Key generation and exchange Certificates Some real cryptographic systems SSL and TLS standards (+ some others), email security Smartcards, EMV, data authentication GSM and cryptography, DVD "protection" etc Security of encryptions. Some attacks

Text encryption/decryption Problems covered Text encryption/decryption Ciphers Symmetric and asymmetric ciphers

Symmetric vs. asymmetric cryptography Symmetric ciphers – sender and recipient use the same key: $D_{\text{key}}(E_{\text{key}}(m)) = m$. The substitution cipher is an example of a symmetric cipher. Impractical for big systems – the number of keys is quadratic in the number of users. The solution – asymmetric algorithms. Think of a locked mailbox! Different keys for encryption and decryption: $D_{\text{private key}}(E_{\text{public key}}(m)) = m$

Text encryption/decryption Problems covered Text encryption/decryption Ciphers Symmetric and asymmetric ciphers Which ciphers to use? Substitution

Simple example – substitution cipher The key is a permutation of the letters of the alphabet, i.e. a bijection Encryption is performed by substituting each letter for its corresponding letter Decryption is the same as encryption with the difference that the inverse is used

Substitution cipher – example Example: Encrypt MY DOG ATE YOUR CAT using the key
ABCDEFGHIJKLMNOPQRSTUVWXYZ
UWGRPNQSBJXMECAIZOYTDFHKLV

Breaking the substitution cipher Substitution ciphers are easily broken using frequency analysis. We use the fact that different letters (or combinations of letters) occur with different probabilities. Example – break TK IL KQ JKT TK IL TBST CR TBL OULRTCKJ. Frequency of letters in English: ETAOINSHRDLU. Most common two-letter words: OF TO IN IS IT BE BY HE AS ON AT OR AN SO IF NO
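Added example (not part of the original slides): the substitution cipher with the key from the slide above, followed by the first steps of frequency analysis on the slide's ciphertext. The guesses T->T, K->O, B->H, L->E are assumptions made here from the letter counts, the two-letter word list (TO) and the common three-letter word THE.

```python
import string
from collections import Counter

ALPHABET = string.ascii_uppercase
KEY = "UWGRPNQSBJXMECAIZOYTDFHKLV"  # key from the slide: A->U, B->W, C->G, ...
CIPHERTEXT = "TK IL KQ JKT TK IL TBST CR TBL OULRTCKJ"  # exercise from the slide

def substitute(text, src, dst):
    """Replace every letter of src by the letter of dst at the same position."""
    if sorted(src) != sorted(dst) or len(set(dst)) != len(dst):
        raise ValueError("key must be a permutation (bijection) of the alphabet")
    return text.translate(str.maketrans(src, dst))

def encrypt(plaintext, key=KEY):
    return substitute(plaintext, ALPHABET, key)

def decrypt(ciphertext, key=KEY):
    # Same operation as encryption, but with the inverse permutation.
    return substitute(ciphertext, key, ALPHABET)

def letter_ranking(ciphertext):
    """Ciphertext letters ordered from most to least frequent."""
    return Counter(c for c in ciphertext if c in ALPHABET).most_common()

def apply_guesses(ciphertext, guesses):
    """Show the text with guessed letters filled in and unknown letters as dots."""
    return "".join(guesses.get(c, "." if c in ALPHABET else c) for c in ciphertext)

# Assumed guesses: T is the most frequent letter and starts the repeated
# two-letter word TK (-> TO); TBL then fits THE.
GUESSES = {"T": "T", "K": "O", "B": "H", "L": "E"}

if __name__ == "__main__":
    print(encrypt("MY DOG ATE YOUR CAT"))
    print(letter_ranking(CIPHERTEXT)[:3])
    print(apply_guesses(CIPHERTEXT, GUESSES))
```

Four guessed letters already expose most of the sentence, which is why a 26-letter key space of 26! permutations gives no real protection.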

Text encryption/decryption Problems covered Text encryption/decryption Ciphers Symmetric and asymmetric ciphers Which ciphers to use? Substitution XOR

Vigenère cipher (poly-alphabetic) Example: Encryption key - string of n characters, e.g. "gold". We represent it with the numbers corresponding to its symbols in the alphabet - (6,14,11,13). To encrypt the i-th symbol of a block of length n, we add to it the i-th number of the key (modulo the size of the alphabet)

Vernam cipher (XOR) Message: $m_1,\ldots,m_n$ (n bits). Key: $k_1,\ldots,k_n$ (n bits). Ciphertext: $c_1,\ldots,c_n$, where $c_i = m_i \oplus k_i$

Vigenère cipher and one-time pads Apart from the problem of secure key distribution, the Vigenère cipher is unbreakable if the key is not shorter than the encrypted text and each key is used only once (a so-called one-time pad)
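Added example (not part of the original slides): the Vernam cipher on bytes, showing both halves of the one-time-pad condition. A pad used once leaves every plaintext of the same length equally possible; a pad used twice leaks the XOR of the two messages. The two messages are constructed sample data.

```python
import secrets

def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))

def vernam(data: bytes, key: bytes) -> bytes:
    """c_i = m_i XOR k_i; applying the same key again decrypts."""
    return xor_bytes(data, key)

def key_explaining(ciphertext: bytes, candidate: bytes) -> bytes:
    """The key under which `ciphertext` would decrypt to `candidate`.
    Such a key exists for every candidate, so one ciphertext alone
    cannot tell the reader which plaintext was sent."""
    return xor_bytes(ciphertext, candidate)

def recover_second_message(c1: bytes, c2: bytes, known_m1: bytes) -> bytes:
    """With a reused pad, c1 XOR c2 = m1 XOR m2: the key cancels out,
    so knowing (or guessing) m1 gives m2 without the key."""
    return xor_bytes(xor_bytes(c1, c2), known_m1)

# Constructed sample messages of equal length.
M1 = b"TRANSFER 100 EUR"
M2 = b"TRANSFER 999 EUR"

def demo():
    key = secrets.token_bytes(len(M1))      # random pad, as long as the message
    c1 = vernam(M1, key)
    c2 = vernam(M2, key)                    # the mistake: same pad used twice
    other = b"TRANSFER 500 EUR"
    alt_key = key_explaining(c1, other)     # c1 is also a valid encryption of `other`
    return {
        "c1_fits_other_plaintext": vernam(c1, alt_key) == other,
        "reuse_leaks_xor": xor_bytes(c1, c2) == xor_bytes(M1, M2),
        "recovered": recover_second_message(c1, c2, M1),
    }

if __name__ == "__main__":
    print(demo())
```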

Text encryption/decryption Problems covered Text encryption/decryption Ciphers Symmetric and asymmetric ciphers Which ciphers to use? Substitution XOR DES, IDEA, AES etc (symmetric)

Data Encryption Standard (DES) Financial companies found the need for a cryptographic algorithm that would have the blessing of the US government (=NSA) First call for candidates in May 73, followed by a new call in August 74 Not very many submissions (Why?) IBM submitted Lucifer NSA worked with IBM in redesigning the algorithm [From Andre L. M. dos Santos ]

Data Encryption Standard (DES) Key length: 56 + 8 parity bits = 64 bits 8 bits are used for parity check, why is that? to make it 265 times less secure! read why 56 bits? section in the textbook. How secure is DES? In 1998 $150K machine can break the key in 5 days! For added security, triple DES is 256 more secure. [From Ravi Mukkamala]

DES Enciphering Computation [From Sai Kovvuri]

DES [From Henric Johnson]

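Feistel ciphers [Figure: one round of a Feistel cipher, with inputs L_{i-1} and R_{i-1}, round function f(R_{i-1}, K) with key K, an addition (+) node, and outputs L_i and R_i]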

AES - Single round

Time to break a code ($10^6$ decryptions/µs) [From Henric Johnson]

Text encryption/decryption Problems covered Text encryption/decryption Ciphers Symmetric and asymmetric ciphers Which ciphers to use? Substitution XOR DES, IDEA, AES etc (symmetric) RSA etc (asymmetric)

Asymmetric cryptography Each user has a public and a private key The public key is published in a “phone book” The private key is kept secret Messages encrypted with the public key can be decrypted with the private key To send a message to Mårten, look up Mårten’s public key in the “phone book”. Mårten can then decrypt the message with his private key Number of keys is linear in the number of users

RSA Asymmetric cryptographic algorithm published in 1978 (Rivest, Shamir, Adleman) The most popular asymmetric algorithm used today Now free to use – patent expired in 2000 Relies on the hardness of factoring a number consisting of two primes Actually invented by Cocks (from UK) in 1973, unfortunately the work was classified...

Public-key cryptosystems P: *  * public key S: *  * secret key For an arbitrary message M* we must have: M = S(P(M)), and M = P(S(M))

Public-key cryptosystems - Encryption [Adapted from T.Cormen, C.Leiserson, R. Rivest]

The RSA public-key cryptosystem $p, q$ - two large primes (100 digits or more); $n = pq$; $e$ - small odd integer that is relatively prime to $(p-1)(q-1)$; $d$ - integer such that $de \equiv 1 \pmod{(p-1)(q-1)}$ (it can be shown that it always exists). $P = (e,n)$ - public key, $S = (d,n)$ - secret key. Encoding: $P(M) = M^e \pmod n$. Decoding: $S(C) = C^d \pmod n$. It works!

RSA - Correctness $n = pq$; $e$ - odd and relatively prime to $(p-1)(q-1)$; $d$ - such that $de \equiv 1 \pmod{(p-1)(q-1)}$. $P(M) = M^e \pmod n$, $S(C) = C^d \pmod n$. $P(S(M)) = S(P(M)) = M^{ed} \pmod n$, $ed = 1 + k(p-1)(q-1)$. $M \not\equiv 0 \pmod p \Rightarrow M^{ed} \equiv M(M^{p-1})^{k(q-1)} \pmod p \equiv M(1)^{k(q-1)} \pmod p \equiv M \pmod p$. $M \equiv 0 \pmod p \Rightarrow M^{ed} \equiv M \pmod p$

RSA - Correctness $M^{ed} \equiv M \pmod p$, $M^{ed} \equiv M \pmod q$. Thus $M^{ed} \equiv M \pmod n$

RSA - Complexity Encoding: $P(M) = M^e \pmod n$. Decoding: $S(C) = C^d \pmod n$

Breaking RSA If we can factor n we can break RSA. Suppose we know p, q such that pq = n. We can compute (p – 1)(q – 1). It is now trivial to compute $d = e^{-1} \bmod ((p-1)(q-1))$. The largest number that is (publicly) known to have been factored today is 512 bits. As of 2005 the largest number factored by general-purpose methods was 663 bits long

Breaking RSA If we can factor n we can break RSA As of 2005 the largest number factored by general-purpose methods was 663 bits long RSA keys are typically 1024–2048 bits long. Some experts believe that 1024-bit keys may become breakable in the near term (though this is disputed); few see any way that 4096-bit keys could be broken in the foreseeable future. Other attacks exist for certain uses of RSA
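Added example (not part of the original slides): textbook RSA with the notation of the slides, checking M^(ed) = M (mod n) for every M (including multiples of p and q) and deriving d from a factored n. The primes 61 and 53 and e = 17 are toy values chosen here; real keys use primes of hundreds of digits and padded messages.

```python
from math import gcd

def make_keys(p, q, e):
    """Return (P, S) = ((e, n), (d, n)) as defined on the slides."""
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to (p-1)(q-1)")
    d = pow(e, -1, phi)          # d such that d*e = 1 (mod (p-1)(q-1)); Python 3.8+
    return (e, p * q), (d, p * q)

def apply_key(key, x):
    """P(M) = M^e mod n, or S(C) = C^d mod n, depending on the key passed in."""
    exponent, n = key
    return pow(x, exponent, n)   # square-and-multiply modular exponentiation

def round_trip_holds(public, secret):
    """Check S(P(M)) = P(S(M)) = M for every M in 0..n-1.
    This includes the case M = 0 (mod p) from the correctness slide."""
    n = public[1]
    return all(
        apply_key(secret, apply_key(public, m)) == m
        and apply_key(public, apply_key(secret, m)) == m
        for m in range(n)
    )

def factor_semiprime(n):
    """Trial division; feasible only because the toy modulus is tiny."""
    if n % 2 == 0:
        return 2, n // 2
    f = 3
    while f * f <= n:
        if n % f == 0:
            return f, n // f
        f += 2
    raise ValueError("n has no non-trivial factor")

def recover_private_key(public):
    """Knowing p and q gives (p-1)(q-1), and from that d = e^-1."""
    e, n = public
    p, q = factor_semiprime(n)
    return make_keys(p, q, e)[1]

if __name__ == "__main__":
    P, S = make_keys(61, 53, 17)
    print("public", P, "secret", S)
    print("correct for all M:", round_trip_holds(P, S))
    print("d recovered from n alone:", recover_private_key(P) == S)
```

The only step that does not scale is factor_semiprime, which is the whole security argument: key length must keep n out of reach of the best factoring methods.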

Text encryption/decryption Problems covered Text encryption/decryption Ciphers Symmetric and asymmetric ciphers Which ciphers to use? Substitution XOR DES, IDEA, AES etc (symmetric) RSA etc (asymmetric) Stream ciphers and block ciphers

Block ciphers A block cipher B is an encryption function $E_{\text{key}}: \{0,1\}^k \to \{0,1\}^l$ and a decryption function $D_{\text{key}}: \{0,1\}^l \to \{0,1\}^k$ such that $D_{\text{key}}(E_{\text{key}}(m)) = m$. The value k is called block length. Usually k = l. Commonly used block ciphers include DES, 3DES and IDEA. [Figure: clear (plain) text block of n bits, key, cipher text]

Stream ciphers

Text encryption/decryption Problems covered Text encryption/decryption Ciphers Symmetric and asymmetric ciphers Which ciphers to use? Substitution XOR DES, IDEA, AES etc (symmetric) RSA etc (asymmetric) Stream ciphers and block ciphers Chaining

Chaining ciphers - ECB What happens when the clear text is longer than the block length k? The simplest solution: encrypt each block separately. This mode is called ECB, Electronic Code Book. [Figure: each clear text block is encrypted (Enc) under the key into a cipher text block] [From Mårten Trolin]

Chaining ciphers - CBC
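Added example (not part of the original slides): a toy Feistel block cipher in ECB and CBC mode, showing that ECB maps equal plaintext blocks to equal ciphertext blocks while CBC does not. The cipher is an assumption made for illustration (8-byte blocks, 8 rounds, round function built from SHA-256); it is not DES and not for real use. Key, IV and plaintext are constructed sample values.

```python
import hashlib

BLOCK = 8    # block length in bytes (64 bits, as in DES)
ROUNDS = 8

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def round_keys(key):
    """Hypothetical key schedule: one SHA-256 derived subkey per round."""
    return [hashlib.sha256(key + bytes([i])).digest() for i in range(ROUNDS)]

def f(right, subkey):
    """Round function f(R, K); it does not need to be invertible."""
    return hashlib.sha256(subkey + right).digest()[:BLOCK // 2]

def feistel(block, subkeys):
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for k in subkeys:
        # L_i = R_{i-1},  R_i = L_{i-1} XOR f(R_{i-1}, K_i)
        left, right = right, xor(left, f(right, k))
    return right + left      # final swap makes decryption the same network

def encrypt_block(block, key):
    return feistel(block, round_keys(key))

def decrypt_block(block, key):
    return feistel(block, round_keys(key)[::-1])   # same rounds, subkeys reversed

def split_blocks(data):
    if len(data) % BLOCK:
        raise ValueError("data must be padded to a multiple of the block length")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(data, key):
    """ECB: every block is encrypted separately."""
    return b"".join(encrypt_block(b, key) for b in split_blocks(data))

def cbc_encrypt(data, key, iv):
    """CBC: each block is XORed with the previous ciphertext block first."""
    out, prev = [], iv
    for b in split_blocks(data):
        prev = encrypt_block(xor(b, prev), key)
        out.append(prev)
    return b"".join(out)

def repeated_blocks(ciphertext):
    """Number of ciphertext blocks that duplicate an earlier block."""
    blocks = split_blocks(ciphertext)
    return len(blocks) - len(set(blocks))

# Constructed sample values: three identical blocks and one different block.
KEY = b"constructed-demo-key"
IV = bytes.fromhex("0102030405060708")   # fixed here for repeatability only
SAMPLE = b"PAY 100 " * 3 + b"PAY 999 "

if __name__ == "__main__":
    print("ECB repeats:", repeated_blocks(ecb_encrypt(SAMPLE, KEY)))
    print("CBC repeats:", repeated_blocks(cbc_encrypt(SAMPLE, KEY, IV)))
```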

Text encryption/decryption Problems covered Text encryption/decryption Ciphers Symmetric and asymmetric ciphers Which ciphers to use? Substitution XOR DES, IDEA, AES etc (symmetric) RSA etc (asymmetric) Stream ciphers and block ciphers Chaining Libraries of cryptographic functions

Text encryption/decryption Problems covered Text encryption/decryption Ciphers Symmetric and asymmetric ciphers Which ciphers to use? Stream and block ciphers Chaining Stream ciphers and block ciphers Libraries of cryptographic functions Digital signatures Hash functions MD5, SHA-1 etc

Public-key cryptosystems - Digital signature [Adapted from T.Cormen, C.Leiserson, R. Rivest]

Unix passwords
httpd:Nologin:100:22:httpd:/usr/users/httpd:/bin/sh
guest:41LYDCYHYJzHQ:200:15:Guest:/usr/users/guest:/bin/tcsh
oracle:Nologin:201:200::/usr/users/oracle:/bin/tcsh
mysql:LS6qP.LbvchSk:202:202::/usr/users/mysql:/bin/tcsh
Andris:Ie7K1yjGLDqsw:203:203::/usr/users/Andris:/bin/tcsh
Initially Unix password length was up to 8 characters, encrypted by 1-way hash function crypt(3). Are they safe?

Properties of good hash functions Let H be a hash function. One-way: given x, it is infeasible to compute a v such that H(v) = x. Collision-free: it is infeasible to find $x_1$ and $x_2$ such that $H(x_1) = H(x_2)$ and $x_1 \ne x_2$

MD5 Message Digest Algorithm Step 1: Append padding bits. The message is padded so that its bit length $\equiv 448 \pmod{512}$ (i.e., the length of the padded message is 64 bits less than an integer multiple of 512 bits). Padding is always added, even if the message is already of the desired length (1 to 512 bits). Padding bits: 1000….0 (a single 1-bit followed by the necessary number of 0-bits) [From H. Yoon]

MD5 Message Digest Algorithm Step 2: Append length. 64-bit length: contains the length of the original message modulo $2^{64}$. The expanded message is $Y_0, Y_1, \ldots, Y_{L-1}$; the total length is $L \times 512$ bits. The expanded message can be thought of as a multiple of 16 32-bit words. Let M[0 … N-1] denote the words of the resulting message, where $N = L \times 16$ [From H. Yoon]

MD5 Message Digest Algorithm MD5 processing of a single 512-bit block (MD5 compression function) [From H. Yoon]

SHA-3 - Keccak Selected as SHA-3 on 2.10.2012. Hash sizes: 224, 256, 384, 512. The sponge construction for hash functions: p_i are input, z_i are hashed output. The unused "capacity" c should be twice the desired resistance to collision or preimage attacks. Designed by: G. Bertoni, J. Daemen, M. Peeters, G. Assche. Built upon RadioGatún.

Text encryption/decryption Problems covered Text encryption/decryption Ciphers Symmetric and asymmetric ciphers Which ciphers to use? Stream and block ciphers Chaining Stream ciphers and block ciphers Libraries of cryptographic functions Digital signatures Hash functions MD5, SHA-1 etc Digital signature algorithms (DSA etc)

Digital signature algorithm - DSA

Text encryption/decryption Digital signatures Problems covered Text encryption/decryption Ciphers Digital signatures Hash functions Digital signature algorithms Protocols Key generation and exchange

What is a protocol? Protocol - a series of steps, involving two or more parties, designed to accomplish a task. For cryptographic protocols: — It should not be possible to do more or learn more than what is specified in the protocol

Types of protocols

Communications using symmetric cryptography (1)  Alice and Bob agree on a cryptosystem. (2)  Alice and Bob agree on a key. (3)  Alice takes her plaintext message and encrypts it using the encryption algorithm and the key. This creates a ciphertext message. (4)  Alice sends the ciphertext message to Bob. (5)  Bob decrypts the ciphertext message with the same algorithm and key and reads it.

Communications using public-key cryptography (1)  Alice and Bob agree on a public-key cryptosystem. (2)  Bob sends Alice his public key. (3)  Alice encrypts her message using Bob’s public key and sends it to Bob. (4)  Bob decrypts Alice’s message using his private key.

Text encryption/decryption Digital signatures Problems covered Text encryption/decryption Ciphers Digital signatures Hash functions Digital signature algorithms Protocols Key generation and exchange Certificates

Digital Certificates A digital identity document binding a public-private key pair to a specific person or organization. Verifying a digital signature only proves that the signer had the private key corresponding to the public key used to decrypt the signature. This does not prove that the public-private key pair belonged to the claimed individual. We need an independent third party to verify the person's identity (through non-electronic means) and issue a digital certificate [Adapted from Information Security Group, ICU]

Public Key Certificate (EMV) Core General information about the user and the application Public Key Certificate EMV formatting Public Key Remainder User’s public key (including remainder) Hash Result Hash of data Signature (decryption) by a Trusted Third Party [From M.Ganley]

Digital Certificates [Figure: certificate authorities, customer, merchant, bank, digital wallet, cyber shopping mall and payment system connected over the Internet] [Adapted from Information Security Group, ICU]

Text encryption/decryption Digital signatures Problems covered Text encryption/decryption Ciphers Digital signatures Hash functions Digital signature algorithms Protocols Key generation and exchange Certificates Some real cryptographic systems SSL and TLS standards (+ some others)

SSL – establishing communications

Text encryption/decryption Digital signatures Problems covered Text encryption/decryption Ciphers Digital signatures Hash functions Digital signature algorithms Protocols Key generation and exchange Certificates Some real cryptographic systems SSL and TLS standards (+ some others), email security Smartcards, EMV, data authentication Electronic voting systems (or their absence :) (???)

What are "smart cards"? 8 (16, 32) bit CPU Often at 3.5795 or 4.9152 MHz RAM : 128 bytes- 16 Kbytes ROM : 1 - 32 Kbytes Contains the code EEPROM : 1 - 32 Kbytes Contains the data A small part are OTP (One Time Programmable) bytes Optional: Random Noise Generation, sensors, security logic, Modular Exponentiations Unit or Co-processor

EMV – Europay, MasterCard, Visa Necessary to have standards for smart-cards Physical size Electrical connection API for payment applications Any smart-card must be usable anywhere Europay, MasterCard and Visa have created specifications named EMV for this purpose

Smart-card transaction flow Terminal Acquirer Issuer Card – terminal interaction On-line authorization (conditional) Card – terminal interaction (if after online authorization) Transaction data transfer (possibly including declined transactions’ info)

Problems covered Text encryption/decryption Digital signatures Ciphers Digital signatures Hash functions Digital signature algorithms Protocols Key generation and exchange Certificates Some real cryptographic systems SSL and TLS standards (+ some others), email security Smartcards, EMV, data authentication GSM and cryptography, DVD "protection" etc

GSM security 54 bits is the effective key length of the A5/1 algorithm. 40 bits is the effective key length of the GEA algorithm. Both algorithms employ (“ineffective”) 64-bit keys. CS - Confidentiality: A5/1, A5/2, A5/3 (new, open). GPRS - Confidentiality: GEA1, GEA2, GEA3 (new, open). Authentication: A3 Algorithm. [Figure: Radio Base Station (RBS), Base Station Controller, MSC, SGSN] [From M.Näslund]

DVD data encryption [From D.Touretzky]

DVD - authentication [From G.Kesden]

Key revocation - subset difference scheme

Problems covered Text encryption/decryption Digital signatures Ciphers Digital signatures Hash functions Digital signature algorithms Protocols Key generation and exchange Certificates Some real cryptographic systems SSL and TLS standards (+ some others), email security Smartcards, EMV, data authentication GSM and cryptography, DVD "protection" etc Security of encryptions. Some attacks

Textbooks Bruce Schneier Applied Cryptography: Protocols, Algorithms, and Source Code in C John Wiley & Sons 1996

Textbooks Wenbo Mao Modern Cryptography: theory and practice Prentice Hall, 2003

Textbooks Christof Paar Jan Pelzl Understanding Cryptography Springer, 2010

Textbooks Niels Ferguson Bruce Schneier Practical Cryptography Wiley Publishing Inc 2003

Textbooks Alfred J. Menezes Paul C. van Oorschot Scott A. Vanstone Handbook of Applied Cryptography CRC Press 1996

Textbooks Stephen Thomas SSL and TLS Essentials: Securing the Web Wiley Publishing Inc. 2000

Textbooks Eric Rescorla SSL and TLS: Designing and building secure systems Addison-Wesley 2001

Textbooks Sheila Frankel Demystifying the IPsec Puzzle Artech House 2001

Textbooks Joan Daemen Vincent Rijmen The Design of Rijndael Springer 2002

Web page(s) http://susurs.mii.lu.lv/juris/courses/ac2017.html It is expected to contain: short summaries of lectures power point presentations problems for programming assignments/project other relevant information (exam dates, changes in lecture times etc)

Web page(s) http://susurs.mii.lu.lv/juris/courses/ac2017.html Course material also available as e-course: https://estudijas.lu.lv/login/index.php The original lectures by Mårten Trolin (Spring 2003) are available on DVD

Contact information Juris Vīksna Room 421, Rainis boulevard 29 phone: +371-67213716