Classical Cryptography CSC 482/582: Computer Security

Topics 1. Modular Arithmetic Review 2. What is Cryptography? 3. History of Cryptography 4. Transposition Ciphers 5. Substitution Ciphers 1. Cæsar cipher 2. Vigènere cipher 6. Cryptanalysis: frequency analysis 7. Block Ciphers 8. DES

CSC 482/582: Computer Security Modular Arithmetic Congruence a = b (mod N) iff a = b + kN Equivalently, a = b (mod N) iff N / (a – b) ex: 37=27 mod 10 b is the residue of a, modulo N Integers 0..N-1 are complete set of residues mod N

CSC 482/582: Computer Security Laws of Modular Arithmetic (a + b) mod N = (a mod N + b mod N) mod N (a - b) mod N = (a mod N - b mod N) mod N ab mod N = (a mod N)(b mod N) mod N a(b+c) mod N = ((ab mod N) + (ac mod N)) mod N

CSC 482/582: Computer Security What is Cryptography? Cryptography: The art and science of keeping messages secure. Cryptanalysis: the art and science of decrypting messages. Cryptology: cryptography + cryptanalysis

CSC 482/582: Computer Security Terminology Plaintext: message to be encrypted. Also called cleartext. Encryption: altering a message to keep its contents secret. Ciphertext: encrypted message. Plaintext Ciphertext Encryption Procedure

CSC 482/582: Computer Security History of Cryptography Egyptian hieroglyphics ~ 2000 B.C.E. Cryptic tomb enscriptions for regality. Spartan skytale cipher ~ 500 B.C.E. Wrapped thin sheet of papyrus around staff. Messages written down length of staff. Decrypted by wrapped around = diameter staff. Cæsar cipher ~ 50 B.C.E. Simple alphabetic substitution cipher. al-Kindi ~ 850 C.E. Cryptanalysis using letter frequencies.

CSC 482/582: Computer Security History of Cryptography Alberti’s polyalphabetic cipher 1467 Decryption of Zimmerman telegram 1917 Leads US into World War I Japanese Purple Machine cracked 1937 US breaks rotor machine for highest secrets. German Enigma machine cracked Initially broken by Polish mathematician Variants broken at Bletchley Park in UK Colossus, world’s 1 st electronic computer.

CSC 482/582: Computer Security A Transposition Cipher Rearrange letters in plaintext. Example: Rail-Fence Cipher Plaintext is HELLO WORLD Rearrange as H L O O L E L W R D Ciphertext is HLOOL ELWRD

CSC 482/582: Computer Security Cryptosystem Formal Definition 5-tuple ( E, D, M, K, C ) M set of plaintexts K set of keys C set of ciphertexts E set of encryption functions e: M  K  C D set of decryption functions d: C  K  M

CSC 482/582: Computer Security Cæsar cipher Letter shifting cipher (A=>D, B=>E, C=>F, … 5-tuple M = { all sequences of letters } K = { i | i is an integer and 0 ≤ i ≤ 25 } E = { E k | k  K and for all letters m, E k (m) = (m + k) mod 26 } D = { D k | k  K and for all letters c, D k (c) = (26 + c – k) mod 26 } C = M History: Cæsar’s key was 3.

CSC 482/582: Computer Security Cæsar cipher Plaintext is HELLO WORLD Change each letter to the third letter following it (X goes to A, Y to B, Z to C) Key is 3, usually written as letter ‘D’ Ciphertext is KHOOR ZRUOG

ROT 13 Cæsar cipher with key of chosen since encryption and decryption are same operation Used to hide spoilers, punchlines, and offensive material online. CSC 482/582: Computer Security

Kerckhoff’s Principle Security of cryptosystem should only depend on 1. Quality of shared encryption algorithm E 2. Secrecy of key K Security through obscurity tends to fail ex: DVD Content Scrambling System

CSC 482/582: Computer Security Cryptanalysis Goals 1. Decrypt a given message. 2. Recover encryption key. Adversarial models vary based on 1. Type of information available to adversary 2. Interaction with cryptosystem.

CSC 482/582: Computer Security Cryptanalysis Adversarial Models ciphertext only: adversary has only ciphertext; goal is to find plaintext, possibly key. known plaintext: adversary has ciphertext, corresponding plaintext; goal is to find key. chosen plaintext: adversary may supply plaintexts and obtain corresponding ciphertext; goal is to find key.

CSC 482/582: Computer Security Classical Cryptography Sender and receiver share common key Keys may be the same, or be trivial to derive from one another. Sometimes called symmetric cryptography.

CSC 482/582: Computer Security Substitution Ciphers Substitute plaintext chars for ciphered chars. Simple: Always use same substitution function. Polyalphabetic: Use different substitution functions based on position in message.

CSC 482/582: Computer Security Cryptanalysis of Cæsar Cipher Exhaustive search If the key space is small enough, try all possible keys until you find the right one. Cæsar cipher has only 26 possible keys.

CSC 482/582: Computer Security General Simple Substitution Cipher Key Space: All permutations of alphabet. Encryption: Replace each plaintext letter x with K(x) Decryption: Replace each ciphertext letter y with K -1 (y) Example: A B C D E F G H I J K L M N O P Q R S T U V W X Y Z K= F U B A R D H G J I L K N M P O S Q Z W X Y V T C E CRYPTO BQCOWP

CSC 482/582: Computer Security General Substitution Cryptanalysis Exhaustive search impossible Key space size is 26! =~ 4 x Historically thought to be unbreakable.

CSC 482/582: Computer Security Cryptanalysis: Frequency Analysis Languages have different frequencies of letters digraphs (groups of 2 letters) trigraphs (groups of 3 letters) etc. Simple substitution ciphers preserve frequency distributions.

CSC 482/582: Computer Security English Letter Frequencies

CSC 482/582: Computer Security Additional Frequency Features Digraph frequencies Common digraphs: EN, RE, ER, NT Vowels other than E rarely followed by another vowel. The letter Q is followed only by U. …

CSC 482/582: Computer Security Countering Frequency Analysis Nulls Insert additional symbols (numbers) which have no meaning in random places. Idiosyncratic spellings n0rM4L s34rCh Hacker speak: Homophonic substitution Each letter has multiple substitutions. Techniques increase difficulty but don’t make impossible.

CSC 482/582: Computer Security Countering Frequency Analysis Primary weakness of simple substition: Each ciphertext letter corresponds to only one letter of plaintext. Solution: polyalphabetic substitution Use multiple cipher alphabets. Switch between cipher alphabets from character to character in the plaintext.

CSC 482/582: Computer Security Letter Frequency Distributions

CSC 482/582: Computer Security Vigènere Cipher Use phrase instead of letter as key. Example Message THE BOY HAS THE BALL Key VIG Encipher using Cæsar cipher for each letter: key VIGVIGVIGVIGVIGV plain THEBOYHASTHEBALL cipher OPKWWECIYOPKWIRG Reproduction of CSA Cipher Disk

CSC 482/582: Computer Security Relevant Parts of Tableau G I V A G I V B H J W E L M Z H N P C L R T G O U W J S Y A N T Z B O Y E H T Tableau shown only has relevant rows and columns. Example encipherments: key V, letter T: follow V column down to T row (giving “O”) Key I, letter H: follow I column down to H row (giving “P”)

CSC 482/582: Computer Security Useful Terms period: length of key In earlier example, period is 3 tableau: table used to encipher and decipher Vigènere cipher has key letters on top, plaintext letters on the left.

CSC 482/582: Computer Security Vigènere Cryptanalysis 1. Find key length (period), which we will call n. 2. Break message into n parts, each part being enciphered using the same key letter. 3. Use frequency analysis to solve resulting n simple substitution ciphers. key VIGVIGVIGVIGVIGV plain THEBOYHASTHEBALL cipher OPKWWECIYOPKWIRG

CSC 482/582: Computer Security Kasiski Test Conjunction of key repetition with repeated portion of plaintext produces repeated ciphertext. Example: key VIGVIGVIGVIGVIGV plain THEBOYHASTHEBALL cipher OPKWWECIYOPKWIRG Key and plaintext line up over the repetitions. Distance between repetitions is 9 Repeated phrase “OPK” at 1 st and 10 th positions. Period is a multiple of 9 (1, 3 or 9.)

CSC 482/582: Computer Security Example Vigènere Ciphertext ADQYS MIUSB OXKKT MIBHK IZOOO EQOOG IFBAG KAUMF VVTAA CIDTW MOCIO EQOOG BMBFV ZGGWP CIEKQ HSNEW VECNE DLAAV RWKXS VNSVP HCEUT QOIOF MEGJS WTPCH AJMOC HIUIX

CSC 482/582: Computer Security Repetitions in Example LettersStartEndDistanceFactors MI , 5 OO OEQOOG , 3, 5 FV , 2, 2, 3 AA , 2, 11 MOC , 2, 2, 3, 3 QO , 7 PC , 2, 2, 2, 3 NE , 3 SV CH , 3

CSC 482/582: Computer Security Estimate of Period OEQOOG is probably not a coincidence Two character repetitions may be chance. Period may be 1, 2, 3, 5, 6, 10, 15, or 30 Most others (7/10) have 2 in their factors Almost as many (6/10) have 3 in their factors. Begin with period of 2  3 = 6.

CSC 482/582: Computer Security Letter Coincidence Coincidence: Picking two letters at random from a message that are identical. Procedure Place one text above other. Count coincidences. Coincidence probabilities for two letters: Random English letters: 1/26  English plaintext:

CSC 482/582: Computer Security English Letter Frequencies a0.080h0.060n0.070t0.090 b0.015i0.065o0.080u0.030 c j0.005p0.020v0.010 d0.040k0.005q0.002w0.015 e0.130l0.035r0.065x0.005 f0.020m0.030s0.060y0.020 g0.015z0.002

CSC 482/582: Computer Security Index of Coincidence Probability that two randomly chosen letters of a ciphertext of N characters coincide. F i is frequency of cipher character number i N is the length of the ciphertext

CSC 482/582: Computer Security Index of Coincidence Expected IC Random: Plaintext: Expected IC by period 2: : : : : Index of Coincidence Shorter Key Longer Key

CSC 482/582: Computer Security Compute IC for Example IC = Number of Coincidences/Number of Pairs = (  0≤i≤25 [n i (n i – 1)] ) / ( N (N – 1) ) For our ciphertext, IC = Indicates a key of slightly more than 5. A statistical measure, so it can be in error, but it agrees with the previous estimate (which was 6.)

CSC 482/582: Computer Security Splitting Into Alphabets AlphabetIC AIKHOIATTOBGEEERNEOSAI DUKKEFUAWEMGKWDWSUFWJU QSTIQBMAMQBWQVLKVTMTMI YBMZOAFCOOFPHEAXPQEPOX SOIOOGVICOVCSVASHOGCC MXBOGKVDIGZINNVVCIJHH Divide cipher into 6 (period) alphabets. IC indicates single alphabet, except #4 and #6.

CSC 482/582: Computer Security Frequency Examination ABCDEFGHIJKLMNOPQRSTUVWXYZ HMMMHMMHHMMMMHHMLHHHMLLLLL Unshifted frequencies (H high, M medium, L low)

CSC 482/582: Computer Security Begin Decryption First matches characteristics of unshifted alphabet Third matches if I shifted to A Sixth matches if V shifted to A Substitute into ciphertext (bold are substitutions) ADIYS RIUKB OCKKL MIGHKAZOTO EIOOL IFTAG PAUEF VATAS CIITW EOCNO EIOOL BMTFV EGGOP CNEKI HSSEW NECSE DDAAA RWCXS ANSNPHHEUL QONOF EEGOS WLPCM AJEOC MIUAX

CSC 482/582: Computer Security Look For Clues AJE in last line suggests “are”, meaning second alphabet maps A into S: ALIYS RICKB OCKSL MIGHS AZOTO MIOOL INTAG PACEF VATIS CIITE EOCNO MIOOL BUTFV EGOOP CNESI HSSEE NECSE LDAAA RECXS ANANP HHECL QONON EEGOS ELPCM AREOC MICAX

CSC 482/582: Computer Security Next Alphabet MICAX in last line suggests “mical” (a common ending for an adjective), meaning fourth alphabet maps O into A: ALIMS RICKP OCKSL AIGHS ANOTO MICOL INTOG PACET VATIS QIITE ECCNO MICOL BUTTV EGOOD CNESI VSSEE NSCSE LDOAA RECLS ANAND HHECL EONON ESGOS ELDCM ARECC MICAL

CSC 482/582: Computer Security Got It! QI means that U maps into I, as Q is always followed by U: ALIME RICKP ACKSL AUGHS ANATO MICAL INTOS PACET HATIS QUITE ECONO MICAL BUTTH EGOOD ONESI VESEE NSOSE LDOMA RECLE ANAND THECL EANON ESSOS ELDOM ARECO MICAL

CSC 482/582: Computer Security Rotor Machines Observation: If Vigènere key is very long, frequency analysis won’t work. Implement: multiple rounds of Vigènere substitution. Machine contains multiple cylinders. Each cylinder has 26 states (ciphers.) Cylinders rotate to change states on different schedules. m-cylinder machine has 26 m substitution ciphers.

CSC 482/582: Computer Security Enigma Machine 3 rotors: substitutions. 3 rotors can be used in any order: 6 combinations. Some machines had up to 8 rotors Plug board: 6 pairs of letters can be swapped. Total keys ~ 10 16

CSC 482/582: Computer Security One-Time Pad A Vigenère cipher with a random key at least as long as the message. Provably unbreakable. Example ciphertext: DXQR. Equally likely to correspond to plaintext DOIT (key AJIY ) plaintext DONT (key AJDY ) and any other 4 letters.

CSC 482/582: Computer Security One-Time Pad Warning: keys must be random, or you can attack the cipher by trying to regenerate the key. Approximations, such as using pseudorandom number generators to generate keys, are not random.

CSC 482/582: Computer Security Block Ciphers Encrypt groups (blocks) of chars at once. Improvement over single char substitution Cryptanalysis must use digraph frequencies for two-char blocks. Longer blocks are more difficult to analyze. Modern ciphers are block ciphers. Example: Playfair Cipher, 1854

CSC 482/582: Computer Security Playfair Cipher Create 5x5 table Fill in spaces with letters of key, dropping duplicate letters. Fill remaining spaces with unused letters of alphabet in order Drop Q … or I = J PLAYF I|JREXM BCDGH KNOQS TUVWZ Charles Wheatstone

CSC 482/582: Computer Security Playfair Cipher Encryption Algorithm 1. If letters of pair are identical (or only one letter remains), add an “X” after first letter. 2. If two letters are in same row or column, replace them with the succeeding letters. 3. Otherwise, two letters form a rectangle, and we replace them with letters on the same row respectively at the other pair of corners.

CSC 482/582: Computer Security Playfair Cipher Example Plaintext is HELLO WORLD Pair HE is rectangle, replace with DM Pair LX (X inserted) is rectangle, YR Pair LO is rectangle, replace with AN Pair WO is rectangle, replace with VQ Pair RL is in column, replace with CR Pair DX is rectangle, replace with GE Ciphertext is DMYRANVQCRGE PLAYF I|JREXM BCDGH KNOQS TUVWZ

CSC 482/582: Computer Security Transposition Cipher Cryptanalysis Anagramming If 1-gram frequencies match English frequencies, but other n-gram frequencies do not, then, message likely ciphered via transposition. Rearrange letters to form n-grams with highest frequencies.

CSC 482/582: Computer Security Cryptanalysis Example Ciphertext: HLOOLELWRD Frequencies of 2-grams beginning with H HE HO HL, HW, HR, HD < Frequencies of 2-grams ending in H WH EH, LH, OH, RH, DH ≤ Implies E follows H

CSC 482/582: Computer Security Cryptanalysis Example Arrange so the H and E are adjacent HE LL OW OR LD Read across, then down, to recover plaintext.

CSC 482/582: Computer Security SP-Networks Combine Substitution+Permutation (transposition) Confusion: adding unknown key values will confuse attacker about value of plaintext symbol. Diffusion: Spread plaintext data throughout ciphertext. Designing for Security Block Size Number of Rounds Each input bit is XOR of several output bits from previous round. Choice of S-boxes

CSC 482/582: Computer Security Overview of the DES Block cipher: encrypts blocks of 64 bits 56-bit key + 8 parity bits Product cipher substitution + transposition 16 rounds (iterations) of encryption round key generated from user key

CSC 482/582: Computer Security Encipherment Split 64-bit block L 0 =init left half R 0 =init right half Encrypt with f=round fn K 1 =round 1 key Join L + R halves L 16 =round 16 left half R 16 =round 16 right half

CSC 482/582: Computer Security The f Function Each round has effect: L i = R i-1 R i = L i-1  f(R i-1, K i )

CSC 482/582: Computer Security Controversy Considered too weak Diffie, Hellman said in a few years technology would allow DES to be broken in days (1976). EFF built “Deep Crack” in 1998 for $250,000. Brute forced DES in 56 hours RIVYERA averages under 1 day, costs under $10,000. Design decisions not public NSA involved in weakening cipher. 128-bit key reduced to 56 bits. S-boxes may have backdoors.

CSC 482/582: Computer Security Differential Cryptanalysis A chosen ciphertext attack Biham and Shamir (1990) Examines pairs of plaintext with particular diffs. Requires 2 47 plaintext, ciphertext pairs. Only 2 14 pairs required with 8 round DES. Revealed several properties S-box designed to resist differential cryptanalysis. IBM revealed knowledge of technique at design time. Linear cryptanalysis improves result Linear approximation of DES. Requires 2 43 plaintext, ciphertext pairs. DES not designed to resist this technique.

CSC 482/582: Computer Security DES Modes Electronic Code Book Mode (ECB) Encipher each block independently. 64-bit blocks = 8 characters will be repeated. Attacker can build dictionary of blocks. Cipher Block Chaining Mode (CBC) XOR each block with previous ciphertext block. Requires an initialization vector for the first one. Triple DES: Encrypt-Decrypt-Encrypt Mode (3 keys: k, k´, k´´) c = DES k (DES k´ –1 (DES k’’ (m))) Middle decrypt allows backward compatibility if k=k´=k´´ Double-encryption vulnerable to meet-in-middle attack, reducing difficulty from to 2 57.

CSC 482/582: Computer Security CBC Mode Encryption  init. vector m1m1 DES c1c1  m2m2 c2c2 sent … … …

CSC 482/582: Computer Security CBC Mode Decryption  init. vector c1c1 DES m1m1 … … …  c2c2 m2m2

CSC 482/582: Computer Security Self-Healing Property Plaintext “heals” after 2 blocks. i.e., if ciphertext altered, error propagated 2 blocks. Initial message Received as (underlined 4c should be 4b) ef7c4cb2b4ce6f3b f6266e3a97af0e2c 746ab9a6308f e60b451b09603d Which decrypts to efca61e19f4836f

CSC 482/582: Computer Security Current Status of DES Design for computer system, associated software that could break any DES-enciphered message in a few days published in Several challenges to break DES messages solved using distributed computing. NIST selected Rijndael as Advanced Encryption Standard, replacement to DES in October Rijndael winner of 3-year competition of 15 ciphers. DES too easily crackable. Triple DES too slow.

Advanced Encryption Standard Block size is 128 bits Variable key size 128, 192, and 256 bits 10, 12, and 14 rounds Known attacks Only vulnerable to attacks on a reduced # of rounds. CSC 482/582: Computer Security

Key Points Cryptography is the art of securing messages. Types of ciphers Substitution (monoalphabetic and polyalphabetic) Transposition (permutation) Product Cryptanalysis Language features can be used to break ciphers. Frequency analysis: Kasiski test, Index of Coincidence. Block ciphers ECB mode insecure; need to use CBC for block ciphers DES obsolete due to small 56-bit keys. 3DES=112 bit key. AES current standard with 128, 192, and 256 bit keys.

CSC 482/582: Computer Security References 1. Matt Bishop, Introduction to Computer Security, Addison-Wesley, David Kahn, The Codebreakers, MacMillan, Alfred J. Menezes, Paul C. van Oorschot and Scott A. Vanstone, Handbook of Applied Cryptography, CRC Press, Alfred J. MenezesPaul C. van OorschotScott A. Vanstone 4. NIST, FIPS Publication 46-3: Data Encryption Standard (DES), 1999, 5. Bruce Schneier, Applied Cryptography, 2 nd edition, Wiley, US Government Dept of the Army, FM FIELD MANUAL, 1990, 7. John Viega and Gary McGraw, Building Secure Software, Addison- Wesley, 2002.