Sigaba 1 Sigaba Sigaba 2 Sigaba  Used by Americans during WWII o And afterwards (to about 1948)  Never broken o Germans quit collecting, considered.

Slides:



Advertisements
Similar presentations
1 Lecture 3: Secret Key Cryptography Outline concepts DES IDEA AES.
Advertisements

Intro 1 Introduction Intro 2 Good Guys and Bad Guys  Alice and Bob are the good guys  Trudy is the bad guy  Trudy is our generic “intruder”
WEP 1 WEP WEP 2 WEP  WEP == Wired Equivalent Privacy  The stated goal of WEP is to make wireless LAN as secure as a wired LAN  According to Tanenbaum:
Enigma? Several Images from Wikipedia (an online encyclopedia)
Enigma Meghan Emilio Faculty Sponsor: Ralph Morelli (Computer Science)
Reconfigurable Computing - Verifying Circuits John Morris Chung-Ang University The University of Auckland ‘Iolanthe’ at 13 knots on Cockburn Sound, Western.
Introduction to Cryptography and Security Mechanisms: Unit 5 Theoretical v Practical Security Dr Keith Martin McCrea
PKZIP Stream Cipher 1 PKZIP PKZIP Stream Cipher 2 PKZIP  Phil Katz’s ZIP program  Katz invented zip file format o ca 1989  Before that, Katz created.
11.Hash Tables Hsu, Lih-Hsing. Computer Theory Lab. Chapter 11P Directed-address tables Direct addressing is a simple technique that works well.
FEAL FEAL 1.
Akelarre 1 Akelarre Akelarre 2 Akelarre  Block cipher  Combines features of 2 strong ciphers o IDEA — “mixed mode” arithmetic o RC5 — keyed rotations.
Point and Confidence Interval Estimation of a Population Proportion, p
RC4 1 RC4 RC4 2 RC4  Invented by Ron Rivest o “RC” is “Ron’s Code” or “Rivest Cipher”  A stream cipher  Generate keystream byte at a step o Efficient.
Purple 1 Purple Purple 2 Purple  Used by Japanese government o Diplomatic communications o Named for color of binder cryptanalysts used o Other Japanese.
Foundations of Network and Computer Security J J ohn Black Lecture #3 Aug 28 th 2009 CSCI 6268/TLEN 5550, Fall 2009.
Hellman’s TMTO 1 Hellman’s TMTO Attack. Hellman’s TMTO 2 Popcnt  Before we consider Hellman’s attack, consider simpler Time-Memory Trade-Off  “Population.
Stream Ciphers 1 Stream Ciphers. Stream Ciphers 2 Stream Ciphers  Generalization of one-time pad  Trade provable security for practicality  Stream.
Chapter 2 Basic Encryption and Decryption (part B)
CMEA 1 CMEA. CMEA 2 CMEA  Cellular Message Encryption Algorithm  Designed for use with cell phones o To protect confidentiality of called number o For.
Enigma Meghan Emilio Advisor: Professor Ralph Morelli April 2004.
ORYX 1 ORYX ORYX 2 ORYX  ORYX not an acronym, but upper case  Designed for use with cell phones o To protect confidentiality of voice/data o For “data.
MD4 1 MD4. MD4 2 MD4  Message Digest 4  Invented by Rivest, ca 1990  Weaknesses found by 1992 o Rivest proposed improved version (MD5), 1992  Dobbertin.
Enigma 1 Enigma Enigma 2 Enigma  Developed and patented (in 1918) by Arthur Scherbius  Many variations on basic design  Eventually adopted by Germany.
CMSC 414 Computer and Network Security Lecture 3 Jonathan Katz.
Review for Final Exam Systems of Equations.
IntroConcAnalysisPreviousSystemsRotors
College Algebra Prerequisite Topics Review
Cryptanalysis. The Speaker  Chuck Easttom  
Hellman’s TMTO 1 Hellman’s TMTO Attack. Hellman’s TMTO 2 Popcnt  Before we consider Hellman’s attack, consider simpler Time-Memory Trade-Off  “Population.
Factoring – Trinomials (a ≠ 1), Guess and Check It is assumed you already know how to factor trinomials where a = 1, that is, trinomials of the form Be.
The Data Encryption Standard - see Susan Landau’s paper: “Standing the test of time: the data encryption standard.” DES - adopted in 1977 as a standard.
Cryptography and Network Security Chapter 6. Multiple Encryption & DES  clear a replacement for DES was needed theoretical attacks that can break it.
10.4 How to Find a Perfect Matching We have a condition for the existence of a perfect matching in a graph that is necessary and sufficient. Does this.
1 Ethics of Computing MONT 113G, Spring 2012 Session 13 Limits of Computer Science.
Information Coding in noisy channel error protection:-- improve tolerance of errors error detection: --- indicate occurrence of errors. Source.
Searching and Sorting Gary Wong.
Today  Table/List operations  Parallel Arrays  Efficiency and Big ‘O’  Searching.
Pseudo-Random Functions 1/22 Encryption as Permutation Assume cryptosystem correct and P = C If x  x’ then E K (x)  E K (x’) So, no y is hit by more.
Section 2.1: Shift Ciphers and Modular Arithmetic Practice HW from Barr Textbook (not to hand in) p.66 # 1, 2, 3-6, 9-12, 13, 15.
Table of Contents Factoring – Trinomials (a ≠ 1), Guess and Check It is assumed you already know how to factor trinomials where a = 1, that is, trinomials.
1-1 Copyright © 2015, 2010, 2007 Pearson Education, Inc. Chapter 10, Slide 1 Chapter 10 Understanding Randomness.
CSCI 5857: Encoding and Encryption
Moving Around in Scratch The Basics… -You do want to have Scratch open as you will be creating a program. -Follow the instructions and if you have questions.
Cryptograpy By Roya Furmuly W C I H D F O P S L 7.
Multiple Encryption & DES  clearly a replacement for DES was needed Vulnerable to brute-force key search attacks Vulnerable to brute-force key search.
Sampling Distributions Adapted from Exploring Statistics with the TI-83 by Gail Burrill, Patrick Hopfensperger, Mike Koehler.
N-space Snakes are special maximal length loops through an N-space cube. They ’ re full of intriguing symmetries, puzzles and surprises. They ’ re simple.
Math 104 Calculus I Part 6 INFINITE SERIES. Series of Constants We’ve looked at limits and sequences. Now, we look at a specific kind of sequential limit,
UNIT 5.  The related activities of sorting, searching and merging are central to many computer applications.  Sorting and merging provide us with a.
The Storyboard stage. Mention what will be your animation medium: 2D or 3D Mention the software to be used for animation development: JAVA, Flash, Blender,
DES Analysis and Attacks CSCI 5857: Encoding and Encryption.
DATA & COMPUTER SECURITY (CSNB414) MODULE 3 MODERN SYMMETRIC ENCRYPTION.
ICS 353: Design and Analysis of Algorithms
Lecture 4 Page 1 CS 236 Online Basic Encryption Methods Substitutions –Monoalphabetic –Polyalphabetic Permutations.
1 A New Weakness in the RC4 Keystream Generator and an Approach to Improve the Security of the Cipher Souradyuti Paul and Bart Preneel K.U. Leuven, ESAT/COSIC.
Scytale THIS IS A SCYTALE!!! SPARTA!!! One of the earliest encryption devices was the Spartan Scytale (c 500 B.C.) which consisted of a ribbon wrapped.
Statistics 11 Understanding Randomness. Example If you had a coin from someone, that they said ended up heads more often than tails, how would you test.
The Law of Averages. What does the law of average say? We know that, from the definition of probability, in the long run the frequency of some event will.
Hellman’s TMTO Attack Hellman’s TMTO 1.
Basic Encryption Methods
History and Background Part 3: Polyalphabetic Ciphers
Cryptography Lecture 18.
Fundamentals of Data Representation
Chapter -2 Block Ciphers and the Data Encryption Standard
RC4 RC
Chapter -4 STREAM CIPHERS
An electro-mechanical rotor cipher machine created by the German engineer Arthur Scherbius.
Cryptography Lecture 16.
Modern Cryptography.
By: Anthony Gervasi & Adam Dickinson
Presentation transcript:

Sigaba 1 Sigaba

Sigaba 2 Sigaba  Used by Americans during WWII o And afterwards (to about 1948)  Never broken o Germans quit collecting, considered impossible  Like Enigma, Sigaba is a rotor machine o But instead of 3 rotors, Sigaba uses 15 rotors!  Not suitable for battlefield o Bigger, heavier, more fragile than Enigma

Sigaba 3 Sigaba  Like a big typewriter  A really big typewriter…  A really, really big typewriter…

Sigaba 4 Sigaba  Developed by Rowlett, Friedman and others o Knew odometer stepping of rotors is weakness  Sigaba uses 10 rotors to determine stepping of the 5 cipher rotors  Any of 5 cipher rotors can step o From 1 to 4 cipher rotors step for each letter  Almost like using one Enigma to determine rotor stepping of another Enigma

Sigaba 5 Sigaba  Rotors  Lots of rotors…  Rotors, rotors, and more rotors

Sigaba 6 Sigaba Wiring Diagram  Control and index rotors determine stepping of cipher rotors

Sigaba 7 Sigaba Wiring Diagram  Control and cipher rotors each permute 26 letters  Can be interchanged and inserted in reverse

Sigaba 8 Sigaba Wiring Diagram  Control rotors step like “scrambled odometer”  Index rotors set initially, but do not step  From 1 to 4 of cipher rotors step

Sigaba 9 Rotor Stepping  Index rotors do not step  Control rotors o Middle 3 step as: slow, fast, medium o Outside rotors don’t step  Cipher rotors o At least 1, at most 4 step each time o Stepping is somewhat complex…

Sigaba 10 Cipher Rotor Stepping  When a letter is typed  4 inputs to control rotors activated o These are: F,G,H,I o Then 4 (scrambled) letters output  Outputs of control rotors combined o Then fed into index rotors

Sigaba 11 Cipher Rotor Stepping  Outputs of control rotors combined o Result(s) go into index rotors o From 1 to 4 inputs to index rotors  Index rotor outputs combined in pairs o Active index rotor outputs determine which cipher rotors step

Sigaba 12 Cipher Rotor Stepping  F,G,H,I input to control rotors  Let I 0,I 1,…,I 9 be inputs to index rotors o I 0 is always inactive, and… I 1 = BI 2 = C I 3 = D  E I 4 = F  G  HI 5 = I  J  KI 6 = L  M  N  O I 7 = P  Q  R  S  TI 8 = U  V  W  X  Y  Z I 9 = A  Where “  ” is OR, and o A,B,C,…, Z are control rotor outputs

Sigaba 13 Cipher Rotor Stepping  Let O 0,O 1,…,O 9 be index rotor outputs  If C i == 1, cipher rotor i steps o Cipher rotors numbered left-to-right  Then the C i given by C 0 = O 0  O 9 C 1 = O 7  O 8 C 2 = O 5  O 6 C 3 = O 3  O 4 C 4 = O 1  O 2  Note that 1 to 4 of the O i are active  Implies that 1 to 4 of C i are active

Sigaba 14 Stepping Maze  A picture is worth 2 10 words ?

Sigaba 15 Theoretical Keyspace  If cipher/control rotors all set to “ A ”  And index rotors all set to “ 0 ” o Select 5 cipher rotors: (26!) 5 = o Select 5 control rotors: (26!) 5 = o Select 5 index rotors: (10!) 5 =  Keyspace is enormous: 993 bits!

Sigaba 16 WWII Sigaba Keyspace  10 cipher and control rotors o 2 orientations for each o Control rotors set to any initial position o Cipher rotors set to default positions (usually)  5 index rotor o Inserted in a fixed order o Each set to one of 10 initial positions  Apparently, gives 10!  2 10  26 5  10 5 =

Sigaba 17 WWII Actual Keyspace  Keyspace of 10!  2 10  26 5  10 5 = ?  Control rotors settings sent in the clear! o Sent as part of the message indicator (MI) o An attacker could see this  So, actual keyspace: 10!  2 10  10 5 = o On POTUS-PRIME link, bit keyspace used  Why give away so much of keyspace?

Sigaba 18 WWII Actual Keyspace  Why give away so much of keyspace?  Device is complex to configure  Larger keyspace means o More settings to initialize o More chance for error o Problem for time-sensitive info  One daily key o Then MI gives unique message key

Sigaba 19 WWII Theoretical Keyspace  Given components available in WWII  Appears that maximum keyspace was 10!  2 10   5!  10 5 =  But this is a little too high o Index rotors do not rotate o So only 10! different index perms o And 10! < 5!  10 5  So it looks like largest possible keyspace 10!  2 10   10! =

Sigaba 20 WWII Theoretical Keyspace  About 10!  2 10   10! = ?  No, this is still too high!  Index rotor outputs are ORed in pairs o Used to determine cipher rotor stepping o As seen previously  Therefore, 32 equivalent index perms  Final answer: maximum WWII keyspace 10!  2 10   10!/32 =

Sigaba 21 Sigaba Attack  Assumptions o Full 95.6 bit WWII keyspace is used o Trudy has a Sigaba machine (so Trudy knows rotor permutations) o Trudy has some known plaintext o Goal: use as little known plaintext as possible  How efficiently can we attack Sigaba under these assumptions?

Sigaba 22 Sigaba Attack  Two phases to this (complex) attack  Primary phase o Find all cipher rotor settings that are consistent with known plaintext o Requires some amount of known plaintext  Secondary phase o Find control rotor settings, index perm o May require more known plaintext

Sigaba 23 Primary Phase  Select and initialize cipher rotors o Binomial(10,5)  5!  2 5  26 5 = settings  For each of these settings, how many cipher perms are possible at next step? o From 1 to 4 cipher rotors can step o 30 ways that 1 to 4 (out of 5) rotors can step  How can we use this information?

Sigaba 24 Primary Phase  Given a putative cipher rotor setting…  Check whether it matches known plaintext  If not, discard it  If a match, try all 30 steps and keep any that match with next known plaintext  Repeat until either o No matches (putative setting is discarded) o Used all known plaintext (save for secondary)

Sigaba 25 Primary Phase  Correct rotor setting is said to be causal o All incorrect settings are random  How many random matches do we expect?  First letter matches with probability 1/26  If it matches, then must try all 30 steps o Each matches with probability 1/26 o Binomial distribution with p = 1/26 and n = 30  Expected matches is 30/26 =  If first letter matches, then after n steps, we expect about (1.154) n surviving paths

Sigaba 26 Primary Phase  If first plaintext matches, about (1.154) n surviving paths after n steps  This looks bad…  We want to eliminate putative cipher rotor settings that are incorrect o The random settings  How to do this when we get more paths!

Sigaba 27 Primary Phase  Maybe not as bad as it seems…  We are only concerned with initial cipher rotor guess, not paths  In fact o Some paths merge o Expected distribution of paths differs in causal case and random cases

Sigaba 28 Primary Phase: Merging Paths  Suppose first 3 plaintext match o With initial settings AAAAA Consistent pathsMerged consistent paths  Can merge paths since only the rotor settings (not path) needed for next step

Sigaba 29 Primary Phase: Distributions  In causal and random cases, expected number of paths differs  Empirical results show that… RandomCausal  However, the variance is high

Sigaba 30 Primary Phase: Bottom Line  Test each of cipher rotor settings  Only 1/26 match 1st plaintext letter  Many others eliminated due to merging  More eliminated by expected distribution o Note: this makes the attack probabilistic  Can reduce primary survivors to about 2 20

Sigaba 31 Secondary Phase  Discussion here applies to each primary phase survivor  Each primary survivor gives putative cipher rotors and settings  Obvious secondary test is to… o Try all control and index settings: 10!/32  5!  2 5  26 5 = of these o Work of more than 2 52 per primary survivor  Can we do better?

Sigaba 32 Secondary Phase  Primary work is about 2 43 o With about 2 20 survivors  Obvious secondary has total work about 2 72 o Since 2 52 work for each of 2 20 survivors  Can we improve secondary phase?  Cipher rotor motion is not uniform o Recall that from 1 to 4 steps for each letter o Also, index permutation is fixed for a message

Sigaba 33 Stepping Maze  Model control permutations as random  Probabilities of the C i are not uniform

Sigaba 34 Example  Consider index perm  o C 4 connected to 10 control letters o C 2 connected to 1 control letter  C 4 will step much more frequently than C 2

Sigaba 35 Index Perm Inputs  Can use this table to determine input pairs o Count number of times each cipher rotor steps (using the known plaintext)

Sigaba 36 Improved Secondary  About 100 to 200 known plaintexts  Reduces number of index perms to… o …about 2 7  This reduces secondary work from o 10!/32  5!  2 5  26 5 =  To about o 2 7  5!  2 5  26 5 =  Note: this work is per primary survivor

Sigaba 37 Sigaba Attack: Bottom Line  WWII Sigaba had a readily available keyspace of 95.6 bits  Our attack has work factor of about 2 60 o Under reasonable assumptions  Sigaba as generally used in WWII had exhaustive key search work of

Sigaba 38 Bottom Bottom Line  Given limitations of WWII, our attack shows Sigaba has, at most, 60 bits of security  Although 95.6 bits of key available, only 47.6 generally used  However, on link between Roosevelt and Churchill ( POTUS-PRIME ), 71.9 bit key used  It would not make sense to have bigger key than work for reasonable shortcut attack

Sigaba 39 Bottom Bottom Bottom Line  Our attack is less work than exhaustive key search on POTUS-PRIME link  Conclusion?  Developers of Sigaba (Rowlett and Friedman) were unaware of the attack  Or they did not consider it practical

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.