1. Applied Cryptography
Spring 2017

2. Lecture times Thursdays 14:30-16:00 room 413 16 lectures
The lectures at the following dates will be rescheduled
(dates/times to be agreed, but likely to some time in
April/May):
23.02.
30.03.
Some other changes are possible (but hopefully, not too
many).

3. Requirements Attend lectures (if you want to)
Collect at least 20 points
2 practical assignments 20 points each
Written exam points
Any of the above is optional
The grade will be calculated (approximately) as follows:

4. Problems covered Text encryption/decryption Digital signatures
Ciphers
Digital signatures
Hash functions (used also for authentication)
Digital signature algorithms
Protocols
Key generation and exchange
Certificates
Some real cryptographic systems
SSL and TLS standards (+ some others), security
Smartcards, EMV, data authentication
GSM and cryptograpy, DVD "protection" etc
Security of encryptions. Some attacks

5. Text encryption/decryption
Problems covered
Text encryption/decryption
Ciphers
Symmetric and asymmetric ciphers

6. Symmetric vs. asymmetric cryptography
Symmetric ciphers – sender and recipient use the same key
Dkey(Ekey(m)) = m
Substitution cipher is an example of a symmetric cipher
Impractical for big systems – number of keys is quadratic in the number of users
The solution – asymmetric algorithms. Think of a locked mailbox! Different keys for encryption and decryption
Dprivate key(Epublic key(m)) = m

7. Text encryption/decryption
Problems covered
Text encryption/decryption
Ciphers
Symmetric and asymmetric ciphers
Which ciphers to use?
Substitution

8. Simple example – substitution cipher
The key is a permutation of the letters of the alphabet, i.e. a bijection
Encryption is performed by substituting each letter for its corresponding letter
Decryption is the same as encryption with the difference that the inverse is used

9. Substitution cipher – example
Example: Encrypt MY DOG ATE YOUR CAT using the key
ABCDEFGHIJKLMNOPQRSTUVWXYZ
UWGRPNQSBJXMECAIZOYTDFHKLV U

10. Breaking the substitution cipher
Substitution ciphers are easily broken using frequency analysis
We use the fact that different letters (or combination of letters) occur with different probability
Example – break
TK IL KQ JKT TK IL TBST CR TBL OULRTCKJ
Frequency of letters in English: ETAOINSHRDLU
Most common two letter words: OF TO IN IS IT BE BY HE AS ON AT OR AN SO IF NO

11. Text encryption/decryption
Problems covered
Text encryption/decryption
Ciphers
Symmetric and asymmetric ciphers
Which ciphers to use?
Substitution
XOR

12. Vigenère cipher (poly-alphabetic)
Example:
Encryption key - string of n characters e.g. "gold"
We represent it with numbers corresponding to
symbols from alphabet - (6,14,11,13)
To encrypt i-th symbol from the block of length n,
we add to it i-th number from the key (modulo size
of alphabet) U

13. Vernam cipher (XOR) Message: m1,...,mn n bits Key: k1,...,kn n bits
Ciphertext: c1,...,cn, where ci = mi  ki U

14. Vigenère cipher and one time pads
Apart from secure key distribution problem Vigenere cipher is unbreakable if key length is not shorter than encrypted text and each key is used only once (so called one-time-pad) U

15. Text encryption/decryption
Problems covered
Text encryption/decryption
Ciphers
Symmetric and asymmetric ciphers
Which ciphers to use?
Substitution
XOR
DES, IDEA, AES etc (symmetric)

16. Data Encryption Standard (DES)
Financial companies found the need for a cryptographic algorithm that would have the blessing of the US government (=NSA)
First call for candidates in May 73, followed by a new call in August 74
Not very many submissions (Why?)
IBM submitted Lucifer
NSA worked with IBM in redesigning the algorithm
[From Andre L. M. dos Santos ]

17. Data Encryption Standard (DES)
Key length: parity bits = 64 bits
8 bits are used for parity check, why is that? to make it 265 times less secure! read why 56 bits? section in the textbook.
How secure is DES? In 1998 $150K machine can break the key in 5 days! For added security, triple DES is 256 more secure.
[From Ravi Mukkamala]

18. DES
Enciphering Computation
[From Sai Kovvuri]

19. DES
[From Henric Johnson]

20. Feistel ciphers
Li-1
Ri-1
f(Ri-1,K) K + Li Ri U

21. AES - Single round

22. Time to break a code (106 decryptions/µs)
[From Henric Johnson]

23. Text encryption/decryption
Problems covered
Text encryption/decryption
Ciphers
Symmetric and asymmetric ciphers
Which ciphers to use?
Substitution
XOR
DES, IDEA, AES etc (symmetric)
RSA etc (asymmetric)

24. Asymmetric cryptography
Each user has a public and a private key
The public key is published in a “phone book”
The private key is kept secret
Messages encrypted with the public key can be decrypted with the private key
To send a message to Mårten, look up Mårten’s public key in the “phone book”.
Mårten can then decrypt the message with his private key
Number of keys is linear in the number of users

25. RSA
Asymmetric cryptographic algorithm published in 1978 (Rivest, Shamir, Adleman)
The most popular asymmetric algorithm used today
Now free to use – patent expired in 2000
Relies on the hardness of factoring a number consisting of two primes
Actually invented by Cocks (from UK) in 1973,
unfortunately the work was classified...

26. Public-key cryptosystems
P: *  * public key
S: *  * secret key
For an arbitrary message M* we must have:
M = S(P(M)), and
M = P(S(M))

27. Public-key cryptosystems - Encryption
[Adapted from T.Cormen, C.Leiserson, R. Rivest]

28. The RSA public-key cryptosystem
p,q - two large primes (100 digits or more)
n = pq
e - small odd integer that is relatively prime to
(p – 1)(q – 1)
d - integer such that de  1 (mod (p – 1)(q – 1))
(it can be shown that it always exists)
P = (e,n) - public key
S = (d,n) - secret key
Encoding: P(M) = Me (mod n)
Decoding: S(C) = Cd (mod n)
It works!

29. RSA - Correctness
n = pq
e - odd and relatively prime to (p – 1)(q – 1)
d - such that de  1(mod (p – 1)(q – 1))
P(M) = Me (mod n), S(C) = Cd (mod n)
P(S(M)) = S(P(M)) = Med (mod n), ed = 1 + k (p – 1)(q – 1)
M  0 (mod p)  Med  M(Mp–1)k(q–1) (mod p)
 M(1)k(q–1) (mod p)
 M (mod p)
M  0 (mod p)  Med  M (mod p)

30. RSA - Correctness
Med  M (mod p)
Med  M (mod q)
Thus Med  M (mod n)

31. RSA - Complexity Encoding: P(M) = Me (mod n)
Decoding: S(C) = Cd (mod n)

32. Breaking RSA If we can factor n we can break RSA
Suppose we know p, q such that pq = n
We can compute (p – 1)(q – 1)
It is now trivial to compute d = e-1 mod ((p – 1)(q – 1))
The largest number that is (publicly) known to have been factored today is 512 bits

33. Breaking RSA If we can factor n we can break RSA
Suppose we know p, q such that pq = n
We can compute (p – 1)(q – 1)
It is now trivial to compute d = e-1 mod ((p – 1)(q – 1))
The largest number that is (publicly) known to have been factored today is 512 bits
As of 2005 the largest number factored by general-purpose methods was 663 bits long

34. Breaking RSA If we can factor n we can break RSA
As of 2005 the largest number factored by general-purpose methods was 663 bits long
RSA keys are typically 1024–2048 bits long. Some experts believe that 1024-bit keys may become breakable in the near term (though this is disputed); few see any way that 4096-bit keys could be broken in the foreseeable future.
Other attacks exist for certain uses of RSA

35. Text encryption/decryption
Problems covered
Text encryption/decryption
Ciphers
Symmetric and asymmetric ciphers
Which ciphers to use?
Substitution
XOR
DES, IDEA, AES etc (symmetric)
RSA etc (asymmetric)
Stream ciphers and block ciphers

36. Block ciphers
A block cipher B is an encryption function Ekey:{0,1}k  {0,1}l and a decryption function Dkey:{0,1}l  {0,1}k such that Dkey(Ekey(m)) = m.
The value k is called block length. Usually k = l.
Commonly used block ciphers include DES, 3DES and IDEA.
Clear (plain) text
Cipher text
n bits
Key

37. Stream ciphers

38. Text encryption/decryption
Problems covered
Text encryption/decryption
Ciphers
Symmetric and asymmetric ciphers
Which ciphers to use?
Substitution
XOR
DES, IDEA, AES etc (symmetric)
RSA etc (asymmetric)
Stream ciphers and block ciphers
Chaining

39. Chaining ciphers - ECB Clear text Cipher text Enc Key
What happens when the clear text is longer than the block length k?
Most simple solution — encrypt each block separately.
This mode is called ECB, Electronic Code Book
Clear text
Cipher text
Enc
Key
[From Mårten Trolin]

40. Chaining ciphers - CBC

41. Text encryption/decryption
Problems covered
Text encryption/decryption
Ciphers
Symmetric and asymmetric ciphers
Which ciphers to use?
Substitution
XOR
DES, IDEA, AES etc (symmetric)
RSA etc (asymmetric)
Stream ciphers and block ciphers
Chaining
Libraries of cryptographic functions

42. Text encryption/decryption
Problems covered
Text encryption/decryption
Ciphers
Symmetric and asymmetric ciphers
Which ciphers to use?
Stream and block ciphers
Chaining
Stream ciphers and block ciphers
Libraries of cryptographic functions
Digital signatures
Hash functions
MD5, SHA-1 etc

43. Public-key cryptosystems - Digital signature
[Adapted from T.Cormen, C.Leiserson, R. Rivest]

44. Unix passwords httpd:Nologin:100:22:httpd:/usr/users/httpd:/bin/sh
guest:41LYDCYHYJzHQ:200:15:Guest:/usr/users/guest:/bin/tcsh
oracle:Nologin:201:200::/usr/users/oracle:/bin/tcsh
mysql:LS6qP.LbvchSk:202:202::/usr/users/mysql:/bin/tcsh
Andris:Ie7K1yjGLDqsw:203:203::/usr/users/Andris:/bin/tcsh
Initially Unix password length was up to 8 characters,
encrypted by 1-way hash function crypt(3).
Are they safe?

45. Properties of good hash functions
Let H be a hash function
One-way
Given x, unfeasible to compute an v such that H(v) = x
Collision-free
Unfeasible to find x1 and x2 such that H(x1) = H(x2) and x1  x2

46. MD5 Step 1: Append padding bits
MD5 Message Digest Algorithm
Step 1: Append padding bits
Padded so that its bit length  448 mod 512 (i.e., the length of padded message is 64 bits less than an integer multiple of 512 bits)
Padding is always added, even if the message is already of the desired length (1 to 512 bits)
Padding bits: 1000….0 (a single 1-bit followed by the necessary number of 0-bits)
[From H. Yoon]

47. MD5 Step 1: Append padding bits Step 2: Append length
MD5 Message Digest Algorithm
Step 1: Append padding bits
Step 2: Append length
64-bit length: contains the length of the original message modulo 264
The expanded message is Y0, Y1, …, YL-1; the total length is L  512 bits
The expanded message can be thought of as a multiple of bit words
Let M[0 … N-1] denote the word of the resulting message, where N = L  16
[From H. Yoon]

48. MD5 processing of a single (MD5 compression function)
MD5 Message Digest Algorithm
MD5 
MD5 processing of a single
512-bit block
(MD5 compression function)
[From H. Yoon]

49. SHA-3 - Keccak Selected as SHA-3 on 2.10.2012.
Hash sizes:224,256,384,512
SHA-3 - Keccak
The sponge construction for hash functions. pi are input, zi are
hashed output. The unused "capacity" c should be twice the desired
resistance to collision or preimage attacks.
Designed by: G.Bertoni, J.Daemen, M.Peeters, G.Assche.
Built upon RadioGatún.

50. Text encryption/decryption
Problems covered
Text encryption/decryption
Ciphers
Symmetric and asymmetric ciphers
Which ciphers to use?
Stream and block ciphers
Chaining
Stream ciphers and block ciphers
Libraries of cryptographic functions
Digital signatures
Hash functions
MD5, SHA-1 etc
Digital signature algorithms (DSA etc)

51. Digital signature algorithm - DSA

52. Text encryption/decryption Digital signatures
Problems covered
Text encryption/decryption
Ciphers
Digital signatures
Hash functions
Digital signature algorithms
Protocols
Key generation and exchange

53. What is a protocol?
Protocol - a series of steps, involving two or more parties,
designed to accomplish a task.
For cryptographic protocols:
— It should not be possible to do more or learn more than
what is specified in the protocol

54. Types of protocols

55. Communications using symmetric cryptography
(1)  Alice and Bob agree on a cryptosystem.
(2)  Alice and Bob agree on a key.
(3)  Alice takes her plaintext message and encrypts it using
the encryption algorithm and the key. This creates a
ciphertext message.
(4)  Alice sends the ciphertext message to Bob.
(5)  Bob decrypts the ciphertext message with the same
algorithm and key and reads it.

56. Communications using public-key cryptography
(1)  Alice and Bob agree on a public-key cryptosystem.
(2)  Bob sends Alice his public key.
(3)  Alice encrypts her message using Bob’s public key and
sends it to Bob.
(4)  Bob decrypts Alice’s message using his private key.

57. Text encryption/decryption Digital signatures
Problems covered
Text encryption/decryption
Ciphers
Digital signatures
Hash functions
Digital signature algorithms
Protocols
Key generation and exchange
Certificates

58. Digital Certificates
A digital identity document binding a public-private key pair to a specific person or organization
Verifying a digital signature only proves that the signer had the private key corresponding to the public key used to decrypt the signature
This does not prove that the public-private key pair belonged to the claimed individual
We need an independent third party to verify the person’s identity (through non-electronic means) and issue a digital certificate
[Adapted from Information Security Group, ICU] 52

59. Public Key Certificate (EMV)
Core
General information
about the user and the application
Public Key Certificate
EMV formatting
Public Key
Remainder
User’s public key (including remainder)
Hash Result
Hash of data
Signature (decryption) by a Trusted Third Party
[From M.Ganley]

60. Digital Certificates authority Certificate Authority customer bank
Internet
Digital
Wallet
Cyber Shopping Mall
Payment
System
Certificate Authority
customer
merchant
bank
authority
[Adapted from Information Security Group, ICU] 52

61. Text encryption/decryption Digital signatures
Problems covered
Text encryption/decryption
Ciphers
Digital signatures
Hash functions
Digital signature algorithms
Protocols
Key generation and exchange
Certificates
Some real cryptographic systems
SSL and TLS standards (+ some others)

62. SSL – establishing communications

63. Text encryption/decryption Digital signatures
Problems covered
Text encryption/decryption
Ciphers
Digital signatures
Hash functions
Digital signature algorithms
Protocols
Key generation and exchange
Certificates
Some real cryptographic systems
SSL and TLS standards (+ some others), security
Smartcards, EMV, data authentication
Electronic voting systems (or their absence :) (???)

64. What are "smart cards"? 8 (16, 32) bit CPU
Often at or MHz
RAM : 128 bytes- 16 Kbytes
ROM : Kbytes
Contains the code
EEPROM : Kbytes
Contains the data
A small part are OTP (One Time Programmable) bytes
Optional:
Random Noise Generation, sensors, security logic,
Modular Exponentiations Unit or Co-processor

65. EMV – Europay, MasterCard, Visa
Necessary to have standards for smart-cards
Physical size
Electrical connection
API for payment applications
Any smart-card must be usable anywhere
Europay, MasterCard and Visa have created specifications named EMV for this purpose

66. Smart-card transaction flow
Terminal
Acquirer
Issuer
Card – terminal
interaction
On-line authorization
(conditional)
Card – terminal interaction
(if after online authorization)
Transaction data transfer
(possibly including declined transactions’ info)

67. Problems covered Text encryption/decryption Digital signatures
Ciphers
Digital signatures
Hash functions
Digital signature algorithms
Protocols
Key generation and exchange
Certificates
Some real cryptographic systems
SSL and TLS standards (+ some others), security
Smartcards, EMV, data authentication
GSM and cryptograpy, DVD "protection" etc

68. Base Station Controller
GSM security
54 bits is the effective key length
of the A5/1 algorithm.
40 bits is the effective key length
of the GEA algorithm.
Both algorithm employ (“ineffective”)
64-bit keys.
GPRS - Confidentiality:
GEA1
GEA2
GEA3 (new, open)
RBS
SGSN
Authentication: A3 Algorithm
Base Station Controller
CS - Confidentiality,
A5/1
A5/2
A5/3 (new, open)
Radio Base Station
MSC
[From M.Näslund]

69. DVD data encryption
[From D.Touretzky]

70. DVD - authentication
[From G.Kesden]

71. Key revocation - subset difference scheme

72. Problems covered Text encryption/decryption Digital signatures
Ciphers
Digital signatures
Hash functions
Digital signature algorithms
Protocols
Key generation and exchange
Certificates
Some real cryptographic systems
SSL and TLS standards (+ some others), security
Smartcards, EMV, data authentication
GSM and cryptograpy, DVD "protection" etc
Security of encryptions. Some attacks

73. Textbooks Bruce Schneier Applied Cryptography:
Protocols, Algorithms, and
Source Code in C
John Wiley & Sons 1996

74. Textbooks Wenbo Mao Modern Cryptography: theory and practice
Prentice Hall, 2003

75. Textbooks Christof Paar Jan Pelzl Understanding Cryptography
Springer, 2010

76. Textbooks Niels Ferguson Bruce Schneier Practical Cryptography
Wiley Publishing Inc 2003

77. Textbooks Alfred J. Menezes Paul C. van Oorschot Scott A. Vanstone
Handbook of Applied
Cryptography
CRC Press 1996

78. Textbooks Stephen Thomas SSL and TLS Essentials: Securing the Web
Wiley Publishing Inc. 2000

79. Textbooks Eric Rescorla SSL and TLS: Designing and building secure
systems
Addison-Wesley 2001

80. Textbooks Sheila Frankel Demystifying the IPsec Puzzle
Artech House 2001

81. Textbooks Joan Daemen Vincent Rijmen The Design of Rijndael
Springer 2002

82. Web page(s) http://susurs.mii.lu.lv/juris/courses/ac2017.html
It is expected to contain:
short summaries of lectures
power point presentations
problems for programming assignments/project
other relevant information (exam dates, changes in
lecture times etc)

83. Web page(s) http://susurs.mii.lu.lv/juris/courses/ac2017.html
Course material also available as e-course:
The original lectures by Mårten Trolin
(Spring 2003) are available on DVD

84. Contact information
Juris Vīksna
Room 421, Rainis boulevard 29
phone: