Introduction to Cryptography Techniques: How secure is that banking network traffic?

Social and Computing Implications of Cryptography
The internet is a collection of networks designed to deliver data packets.
Packets are easy to sniff.
The internet is not secure, but is used to connect banks, the power grid, pipelines, transportation systems, etc.

Terms
Plaintext – the readable message
Ciphertext – the coded message
[Diagram: plaintext → Encryption → ciphertext → Decryption → plaintext, with a key]

Types of Attacks
Ciphertext Only – adversary uses just the ciphertext to gain either the key or the plaintext (really bad encryption)
Known Plaintext – adversary gets the key using some ciphertext and its plaintext
Chosen Plaintext – adversary introduces some plaintext to generate some ciphertext

Symmetric Key Encryption
Both parties share a secret key.
The single key is used for both encryption and decryption.
Encryption and decryption are equal efforts.

Shift Ciphers
Key = amount to shift each character
Example: Rotate13
'A' + 13 = 1 + 13 = 14 = 'N'
So, the message “aardvark” becomes “nneqinex”.

Shift Ciphers
Advantage of Rot13: Easy to implement.
Rot13('A') = 'N': (1 + 13) % 26 = 14
Rot13('N') = 'A': (14 + 13) % 26 = 1
So, one function does both encoding and decoding.
Disadvantage of Any Rotation: Very easy to break – just try all 26 possibilities, aka Brute Force attack.

Substitution Cipher
Key = list of character substitutions
Example: Key = “Chair”
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
Y Z c h a i r B D E F G J K L M N O P Q S T U V W X
Disadvantage: Susceptible to Character Frequency Analysis

Character Frequencies
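The keyed alphabet and the frequency weakness described above, as an added Python example that is not part of the original slides. The layout rule in `keyed_alphabet` (key placed under its own first letter, unused letters wrapping around) is an assumption chosen because it reproduces the slide's table; `SAMPLE` is a constructed message.

```python
from collections import Counter
import string

ALPHABET = string.ascii_lowercase

def keyed_alphabet(key):
    """Cipher alphabet laid out like the slide's table (assumed rule): the key
    starts under its own first letter, unused letters follow and wrap around."""
    key = "".join(dict.fromkeys(key.lower()))        # drop repeated key letters
    rest = "".join(c for c in ALPHABET if c not in key)
    seq = key + rest
    start = ALPHABET.index(key[0])                   # "chair" starts under C
    return seq[26 - start:] + seq[:26 - start]

def substitute(text, key):
    """Replace each letter using the keyed alphabet; other characters stay."""
    table = str.maketrans(ALPHABET, keyed_alphabet(key))
    return text.lower().translate(table)

def most_common_letter(ciphertext):
    """The statistic frequency analysis starts from: the top cipher letter
    and its count. In English text it most likely stands for 'e'."""
    counts = Counter(c for c in ciphertext if c in ALPHABET)
    return counts.most_common(1)[0]

SAMPLE = "meet me here"                              # constructed message
CIPHERTEXT = substitute(SAMPLE, "chair")

if __name__ == "__main__":
    print(keyed_alphabet("chair"))
    print(CIPHERTEXT, most_common_letter(CIPHERTEXT))
```

Every plaintext "e" becomes the same cipher letter, so the letter counts survive encryption unchanged, which is what makes the cipher readable from statistics alone.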

Polyalphabetic Ciphers
Key is repeated and used to shift characters.
Example:
plaintext    now is the time for all
+ key        aar dv ark aard var kaa
ciphertext   opo mo uzp ujei bpj lmm

Polyalphabetic Ciphers
Advantage: Thwarts character frequency analysis. For example, an “e” will encrypt to several different letters.
Disadvantage: Statistics can still be used to break the code.

Polyalphabetic Ciphers
How to Break Them:
1 – Look for repeated strings. For example, if the characters “thi” appear together frequently, then it could be because the key is hitting a common word.
Text = and we need to test and retest
Key  = ste ve stev es teve ste vestev
Sum  = thi sj gyjz yh njoy thi njmyxp

Polyalphabetic Ciphers
How to Break Them:
2 – Determine Probable Key Length. The starts of the “thi” strings are frequently separated by distances that are multiples of 5. So, the key length is probably five.
3A – Try keys of that length.
3B – Use character frequency analysis (CharFreqAnal) on characters separated by that length.
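Steps 1 and 2 above carried out on the slides' own "steve" example, as an added Python example that is not part of the original presentation. It uses the slides' a=1 … z=26 letter values; the function names are hypothetical and `LONGER_CT` comes from a constructed, slightly longer message.

```python
from functools import reduce
from math import gcd

def _shift(ch, key_ch, sign):
    # Slide convention: a=1 ... z=26, and a sum of 26 stays 'z'.
    total = (ord(ch) - 96) + sign * (ord(key_ch) - 96)
    return chr((total - 1) % 26 + 97)

def vigenere(text, key, decrypt=False):
    """Add (or subtract) the repeating key; spaces pass through unkeyed."""
    out, i = [], 0
    for ch in text.lower():
        if "a" <= ch <= "z":
            out.append(_shift(ch, key[i % len(key)], -1 if decrypt else 1))
            i += 1
        else:
            out.append(ch)
    return "".join(out)

def repeat_positions(ciphertext, n=3):
    """Step 1: positions (spaces ignored) of each n-gram seen more than once."""
    letters = "".join(c for c in ciphertext.lower() if "a" <= c <= "z")
    seen = {}
    for i in range(len(letters) - n + 1):
        seen.setdefault(letters[i:i + n], []).append(i)
    return {g: pos for g, pos in seen.items() if len(pos) > 1}

def probable_key_length(ciphertext, n=3):
    """Step 2: greatest common divisor of the gaps between repeats."""
    gaps = [b - a for pos in repeat_positions(ciphertext, n).values()
            for a, b in zip(pos, pos[1:])]
    return reduce(gcd, gaps) if gaps else None

SLIDE_CT = vigenere("and we need to test and retest", "steve")
# Constructed longer message, so that more than one gap is available.
LONGER_CT = vigenere("and we need to test and retests and verify", "steve")

if __name__ == "__main__":
    print(SLIDE_CT, repeat_positions(SLIDE_CT))
    print(LONGER_CT, probable_key_length(LONGER_CT))
```

A plain gcd is thrown off by a single coincidental repeat, so on longer ciphertext the usual refinement is to count which factor divides the most gaps.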

One-Time Pad
Key is used to shift the plaintext.
Key is used only once.
Key has same length as the message.
Advantage: Unbreakable!
Disadvantage: Requires lots of keys.

DES History
DES = Data Encryption Standard
Solicited in 1973 by the National Bureau of Standards (National Institute of Standards and Technology)
Developed by IBM and the NSA
Adopted in 1977

DES Design Principles
Confusion – complicate the relationship between key and ciphertext
Diffusion – spread structure of plaintext around the ciphertext

DES Design Overview
Key = 56 bits plus 8 parity bits
70,000,000,000,000,000 possible keys of 56 bits
Key generates 16 subkeys
16 rounds of functions

Breaking DES
– design of $1M machine to search entire key space in one day
– design of $1M machine to search entire key space in one hour
“DES Challenge” prize claimed in 22 hours by distributed.net
University of Bochum and Kiel, Germany, uses $10,000 hardware cost to get average time of 6.4 days.
Triple DES is much less breakable.

Unix Crypt
“man 3 crypt”
#include <unistd.h>
char *crypt(const char *key, const char *salt);
crypt is the password encryption function. It is based on the Data Encryption Standard algorithm with variations intended (among other things) to discourage use of hardware implementations of a key search.

Password Salt
Based on time when password created
First two letters in the passwd field
Used to discourage a brute force attack
Encrypting every dictionary word then comparing that list to passwd entries will not work since every dictionary word can yield 4096 different possibilities.
Even if my password is the same for two systems, they have different salts so they look different.
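The effect of the two-character salt described above, as an added Python example that is not part of the original slides. PBKDF2 from the standard library stands in for the DES-based crypt function, the salt is drawn at random rather than from the creation time, and the passwords and salts shown are constructed samples.

```python
import hashlib
import hmac
import secrets
import string

# 64 salt symbols, two per password: 64 * 64 = 4096 variants of each word.
SALT_CHARS = "./" + string.digits + string.ascii_uppercase + string.ascii_lowercase

def new_salt():
    return "".join(secrets.choice(SALT_CHARS) for _ in range(2))

def make_entry(password, salt=None):
    """Return a passwd-style field: the two salt characters, then the hash.
    PBKDF2-SHA256 is a stand-in here for the DES-based crypt()."""
    salt = salt or new_salt()
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 20_000)
    return salt + digest.hex()

def verify(password, entry):
    """Re-hash with the salt read from the first two characters of the field."""
    return hmac.compare_digest(make_entry(password, entry[:2]), entry)

def table_matches(words, table_salt, entries):
    """Entries that a dictionary table precomputed under ONE salt recognises."""
    table = {make_entry(w, table_salt) for w in words}
    return [e for e in entries if e in table]

# Constructed sample: the same password stored on two systems.
SYSTEM_A = make_entry("aardvark", "ab")
SYSTEM_B = make_entry("aardvark", "Zk")

if __name__ == "__main__":
    print(SYSTEM_A[:18], SYSTEM_B[:18])          # same password, different fields
    print(len(table_matches(["aardvark"], "ab", [SYSTEM_A, SYSTEM_B])))
```

A precomputed word list only matches entries that share its salt, so covering every entry takes one list per salt value.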

Public Key Encryption
Two keys: encryption and decryption
Encryption key is public
Decryption key is private
Once sender encrypts a message, even they can’t decrypt it

Public Key Encryption
1. Receiver sends their public key to the sender
2. Sender encrypts message using that public key
3. Sender sends encrypted message
4. Receiver decrypts message using their private key
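The four steps above with both sides shown, as an added Python example that is not part of the original slides. The slides name no algorithm, so textbook RSA with tiny constructed primes is used as an assumption, for illustration only; the function names are hypothetical.

```python
# Textbook RSA with tiny constructed primes: shows the key roles, not secure.

def make_keypair(p=61, q=53, e=17):
    """Receiver side: derive the public and private keys together."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)                 # private exponent: e*d = 1 (mod phi)
    return (n, e), (n, d)               # (public key, private key)

def encrypt(message, public_key):
    """Sender side: needs only the public key. One number per byte."""
    n, e = public_key
    return [pow(b, e, n) for b in message]

def decrypt(ciphertext, private_key):
    """Receiver side: needs the private key."""
    n, d = private_key
    return bytes(pow(c, d, n) for c in ciphertext)

def exchange(message):
    # 1. Receiver creates both keys and sends only the public one.
    public_key, private_key = make_keypair()
    sender_knows = {"public_key": public_key}
    # 2. Sender encrypts the message using that public key.
    ciphertext = encrypt(message, sender_knows["public_key"])
    # 3. Sender sends the ciphertext. 4. Receiver decrypts with the private key.
    received = decrypt(ciphertext, private_key)
    return sender_knows, ciphertext, received

if __name__ == "__main__":
    knows, sent, got = exchange(b"pay 100")
    print(knows, sent, got)
```

The sender's state never contains the private exponent, which is why the sender cannot turn the ciphertext back into the message.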

Summary
Nothing on a public network is completely safe.