1. 6/3/2015 Prof. Ehud Gudes Security Ch 3 1 Chapter 3 Cryptography – Algorithms and Protocols Stallings Chp. 2,19,20, App. A,B

2. Prof. Ehud Gudes Security Ch 3 Definitions Cryptography is the study of message concealment. Cryptanalysis is the study of how to discover the encrypted message. Cryptanalysis is difficult and requires good mathematical knowledge, so you don’t see many hackers trying to break codes. The equivalent to hackers are now scientists employed by a government or organized crime.

3. 6/3/2015 Prof. Ehud Gudes Security Ch 3 3 Cryptography Value  Authentication – can authenticate the identity of users, transactions, and systems.  Protection of messages – Can protect the secrecy of a message and prevent illegal modification. Cannot protect against destruction of the message.  Protection of software and data – can protect the confidentiality of them although not avoid their destruction. For example: passwords can be encrypted.

4. 6/3/2015 Prof. Ehud Gudes Security Ch 3 4 Cryptography Value II  Digital signatures – can authenticate the origin of a message  Non-repudiation – A user that signed or otherwise authenticated a document using cryptography cannot deny having signed it.

5. 6/3/2015 Prof. Ehud Gudes Security Ch 3 5 Notation  M, P - Messages - Plain text, clear text.  C - Cipher text.  K - Key.  E - the encryption function C=E k (M)  D - the decryption function M=D k’ (C)  For any key pair K,K’ and for any message M M=D k’ (E k (M))

6. 6/3/2015 Prof. Ehud Gudes Security Ch 3 6 Cryptography – the Process

7. 6/3/2015 Prof. Ehud Gudes Security Ch 3 7

8. 6/3/2015 Prof. Ehud Gudes Security Ch 3 8 Classification  Number of keys used: symmetric (one key) and asymmetric (encryption and decryption keys, these are the public-key systems). Neither approach is the best for all cases.  Type of encrypting operations: Symmetric systems use substitution and transposition stages. Substitutions just replace a bit or character for another. Transpositions rearrange bits or characters in the data. Product ciphers are combinations of substitutions and transpositions. Public key systems are based on invertible mathematical functions.

9. 6/3/2015 Prof. Ehud Gudes Security Ch 3 9 Classification II  The way the plaintext is encrypted: block and stream ciphers. In a block cipher a block of data is transformed, using a key, into a block of ciphertext.  In a stream cipher a stream of key bits is used to encode a stream of data one bit or character at a time. Block ciphers are more appropriate for use within computers, while stream ciphers are seen mostly in communications.

10. 6/3/2015 Prof. Ehud Gudes Security Ch 3 10 Main Principle of Cryptography The secret is in the KEY Not in the Algorithm!!

11. 6/3/2015 Prof. Ehud Gudes Security Ch 3 11 Attacks  Ciphertext only  Known plaintext  Chosen plaintext  Chosen ciphertext  Chosen text

12. 6/3/2015 Prof. Ehud Gudes Security Ch 3 12 סוגי התקפות על אלגוריתמים קריפטוגרפיים ההתקפות מסווגות לפי המידע שבידי המתקיף. נניח כי למתקיף יש גישה לאלגוריתם, ובנוסף יש לו ידע על מבנהו הפנימי.  Cipher text only attack בידי המתקיף קבוצה של הודעות מוצפנות. המטרה : מציאת ההודעות החשופות המתאימות, ו \ או מפתח ההצפנה. הנחה : קיים אפיון סטטיסטי של ההודעות.

13. 6/3/2015 Prof. Ehud Gudes Security Ch 3 13 סוגי התקפות על אלגוריתמים קריפטוגרפיים ( המשך )  Known plain text attack בידי המתקיף קבוצה של זוגות (P,C). המטרה : מציאת מפתח ההצפנה.  דוגמא : חיפוש ממצה (Exhaustive search).  Chosen plain text attack המתקיף בוחר את קבוצת ההודעות {P}, ומקבל עבורן את ההודעות המוצפנות המתאימות {C}. המטרה : מציאת מפתח ההצפנה.  דוגמא : Differential cryptanalysis.

14. 6/3/2015 Prof. Ehud Gudes Security Ch 3 14 סוגי התקפות על אלגוריתמים קריפטוגרפיים ( המשך )  Adaptive chosen plain text attack. המתקיף בונה את קבוצת הזוגות (P,C) בהדרגה. הוא יכול לבחור את ההודעה הבאה P, על סמך תוצאות ההצפנה הקודמות. המטרה : מציאת מפתח ההצפנה.

15. 6/3/2015 Prof. Ehud Gudes Security Ch 3 15 Caesar Cipher The rule: C i = E(p i ) = p i + 3 A full translation chart of Caesar cipher is shown here. Plaintext A B C D E F G H I J K L M N O P Q R S T U V W X Y Z Ciphertext d e f g h i j k l m n o p q r s t u v w x y z a b c Using this encryption, the message TREATY IMPOSSIBLE Would be encoded as: T R E A T Y I M P O S S I B L E w u h d w b l p s r v v l e o h

16. 6/3/201516 Table of Letters Frequencies Table 2-1 Letter Frequency Distributions in English and Pascal English Pascal Letter Count Percent Count Percent a33127.496644.70 b5731.291971.39 c15683.548786.22 d16023.625113.61 e619214.00192113.60 f9662.185043.57 g7691.742942.08 h18694.224783.39 i29436.6512158.60 j1190.2760.04 k2060.47870.61 l15793.577225.11 m15003.392701.91 n29826.7411578.19 o32617.378355.91 p10742.433402.41 q1160.26120.08 r27166.1411478.12 s30726.955944.21 t43589.8513119.28 u13293.003772.66 v5121.161270.89 w7481.691931.36 x1230.281390.98 y7271.641370.96 z160.0450.03

17. 6/3/2015 Prof. Ehud Gudes Security Ch 3 17 Monoalphabetic Cipher Take for example the key: SHARON A B C D E F G H I J K L M N O P Q R S T S H A R ON B C DE F G I J K L MP Q S

18. 6/3/201518 counts and relative frequencies of letters in the cipher Table 2-3 shows the counts and relative frequencies of letters in the cipher examined in the previous section (in [P]) Wklv phvvdjh lv qrw wrr kdug wr euhdn Table 2-3 Frequencies of Letters in wklv… Cipher Letter Count Percent w 413.33 k 2 6.66 l 2 6.66 v 413.33 p 1 3.33 h 310.00 d 310.00 j 1 3.33 q 1 3.33 r 413.33 e 1 3.33 u 2 6.66 g 1 3.33 n 1 3.33

19. 6/3/2015 Prof. Ehud Gudes Security Ch 3 19 Monoalphabetic cipher – Example for Cryptanalysis QMC MEPQJOY JH QMC GAQEJGAD PCTROEQY ANCGTY EP PMOJRICI EG PCTOCTY CUCG EQP SRINCQ EP TDAPPEHECI’ The simplest effective attack on a monoalphabetic cipher is use of frequencies in natural languages: single letters, bigrams/trigrams, small words, end/beginning of words, etc.We’ll only consider English here. We’ll use some empirical facts about single-letter frequencies, as well as knowledge about common English words. Again, the most common single letters English are e and t, with all others considerably less frequent. Thus, to attack a cryptogram, first do an accounting of the most common letters in the ciphertext. For example in: QCIV XY KEO JLYYW JBRO XN KEO JKGOOK. TOK SO KX KEO AELGAE XY KBSO. KEO NBJE CGO MLSDBYT CYR KEO AXKKXY BJ EBTE. XLG JKCKO NCBG BJ KEO HOJK JKCKO NCBG. We find ranked by order of frequency of appearance, K-15, O-13, E-9, B-7, J-7, C-6, X-6, Y-6, G-5, L-3, N-3, A-2, S-2, T-2, R-1.7 with D, H, I, M, Q, V, W occuring much less often

20. 6/3/2015 Prof. Ehud Gudes Security Ch 3 20 Monoalphabetic cipher – Example for Cryptanalysis (Cont.) Thus, we would imagine that ‘K’ is either ‘e’ or ‘t’, and perhaps ‘O’ is the other of the two. Trying first K=e and O=t, we have (in part) QCIV XY eEt JLYYW JBRt XN eEt JeGtte. Tte St eX eEt AELGAE XY… The ‘Tte’ in the second sentence immediately raises a problem: it seems unlikely that ‘T’ can be anything that would make this a word that could begin a sentence. So try K=t and O=e instead: QCIV XY tEe JLYYW JBRe XN tEe JtGeet. Tet Se tX tEe AELGAE XY tBSe. tEe NBJE Cge MLSDBYT CYR tEe AXttXY BJ EBTE. XLG JtCte NCBG BJ tEe HeJt JtCte NCBG The ‘tEe’ suggests E=h, the ‘tX’ suggests X=o, and then ‘XY’ suggests Y=n. This gives: QCIV on the JLnnW JBRe oN the JtGeet. Tet Se to the AhLGAh on tBSe. the NBJh Cge MLSDBnT CnR the Aotton BJ hBTh. oLG JtCte NCBG BJ the HeJt JtCte NCBG.

21. 6/3/2015 Prof. Ehud Gudes Security Ch 3 21 Monoalphabetic cipher – Example for Cryptanalysis (Cont.) The ‘Tet Se to the’ suggests ‘get me to the’, so T=g and S=m. and ‘JtGeet’ could be ‘street’, so J=s, G=r: QCIV on the sLnnW sBRe oN the street. get me to the AhLrAh on tBme. the NBsh Cre MLmDBng CnR the Aotton Bs hBgh. oLr stCte NCBr Bs the Hest stCte NCBr. The ending on ‘MLmDBng’, and also ‘Bs hBgh’, suggest B=I. Also the ‘oLr’ suggests L=u. Rewrite: QCIV on the sunnW siRe oN the street. Get me to the AhurAh on time. the Nish Cre MumDing CnR the Aotton is high. our stCte NCir is the Hest stCte NCir. Then ‘sunnW siRe oN’ suggests W=y, R=d, and N=f: QCIV on the sunny side of the street. get me to the AhurAh on time. the fish Cre

22. 6/3/201522 Vignere Table

23. 6/3/2015 Prof. Ehud Gudes Security Ch 3 23 Poly-alphabetic Cipher – using Vignere Table letter (B) is converted to the ciphertext letter in row 1 (B), column 9 (j), in this tableau. The letter in that position is k. the encryption of this message starts as shown below. Julie tjuli etjul ietju lietj uliet julie tjuli BUTSO FTWHA TLIGH TTHRO UGHYO NDERW INDOW BREAK koeas ycqsi … With a six letter keyword such as juliet this algorithm effectively spreads the effect of the frequency of each letter onto six others, which flattens the distribution substantially. Long keywords can be used, but a keyword of length three usually suffices to smooth out the distribution

24. 6/3/2015 Prof. Ehud Gudes Security Ch 3 24 Polyalphabetic cipher – finding the key length The Dickens It was the best of times… example has much repetition so it demonstrates this argument quickly. Suppose the keyword is dickens. dicke nsdic kensd icken sdick ensdi ckens dicke ITWAS THEBE STOFT IMESI TWAST HEWOR STOFT IMESI nsdic kensd icken sdick ensdi ckens dicke nsdic TWAST HEAGE OFWIS DOMIT WASTH EAGEO FFOOL ISHNE kensd icken sdick ensdi ckens dicke nsdic kensd SSITW ASTHE EPOCH OFBEL IEFIT WASTH EEPOC HOFIN The phrase IT WAS THE is enciphered with keyword nsdicken once in the first line and twice in the third line. These three cases all appear as identical 8-character patterns in the ciphertext.

25. 6/3/2015 Prof. Ehud Gudes Security Ch 3 25 Kasiski Method – Finding the Key Length in Poly-Alphabetic Ciphers StartingDistance from Position PreviousFactors 20 83 63 (83-20)3, 7, 9, 21, 63 104 21 (104-83)3, 7, 21 From this short example, we may guess that a keyword of 21 is improbable. Thus the key length is probably either 3 or 7. With more repeats you could reduce the number of possibilities for key length. Let us continue with the key length possibilities of 3 and 7. For the Kasiski method, the steps are 1. Identify repeated patterns of three or more characters. 2. For each pattern write down the position at which each instance of the pattern begins. 3. Compute the difference between the starting points of successive instances. 4. Determine all factors of each difference. 5. If a polyalphabetic substitution cipher was used, the key length will be one of the factors that appears often in step 4. 6. Once the key-length is known use mono-alphabetic techniques

26. 6/3/2015 Prof. Ehud Gudes Security Ch 3 26 VERNAM Cipher

27. 6/3/2015 Prof. Ehud Gudes Security Ch 3 27 Vernam Cipher For example, the binary number 101101100101011100101101011100101 Can be encoded with the random binary stream 101111011110110101100100100110001 To produce the following ciphertext 000010111011101001001001111010100

28. 6/3/2015 Prof. Ehud Gudes Security Ch 3 28 Vernam Cipher - Cryptanalysis The problem with this form of random number generator is its dependability. Because each number depends only on the previous number, you can determine constants by solving a series of equations. r 1 = a * r 0 + b mod n r 2 = a * r 1 + b mod n r 3 = a * r 2 + b mod n An interceptor who has r 0, r 1, r 2 and r 3 can resolve for a, b, and n. An interceptor can get r 0, r 1, r 2 and r 3 by a probable word attack. With a Vernam cipher, each ciphertext letter comes from the formula c i = r i + p i mod n If an interceptor of the ciphertext guesses that the message starts with MEMO (M = 12, E = 4, O = 14), the interceptor can try to substitute probable values of p i and solve for values of r i.

29. 6/3/2015 Prof. Ehud Gudes Security Ch 3 29 Vernam Cipher (Cont.) r 0 = c 0 – 12 mod n r 1 = c 1 – 4 mod n r 2 = c 2 – 12 mod n r 3 = c 3 – 14 mod n With these values of r 0 to r 3, the interceptor may be able to solve the three equations for a, b, and n. Given those, the interceptor can generate the full sequence of random numbers and obtain plaintext directly.

30. Vernam Cipher – a weakness  If we know both a message M and the Cipher C, we like the computation K = f (M,C) To be difficult  In Vernam f is very easy, its also a XOR !

31. Pseudorandom verses Random Numbers  often use algorithmic technique to create pseudorandom numbers which satisfy statistical randomness tests but likely to be predictable  true random number generators use a nondeterministic source e.g. radiation, gas discharge, leaky capacitors increasingly provided on modern processors

32. 6/3/2015 Prof. Ehud Gudes Security Ch 3 32 Permutation Cipher As an example, you would write the plaintext message as: T H I S I S A M E S S A G E T O S H O W H O W A C O L U M N A R T R A N S P O S I T I O N W O R K S The resulting ciphertext would then be read as tssoh oaniw haaso lrsto imghw utpir seeoa mrook istwc nasns

33. 6/3/201533 Finding the Column Positions in Permutation Cipher tssohoatssohoa niwhaasolrstoniwhaasolrsto niwhaasolrstoniwhaasolrsto niwhaasolrstoniwhaasolrsto niwhaasolrstoniwhaasolrsto niwhaasolrstoniwhaasolrsto niwhaasolrstoniwhaasolrsto tssohoatssohoa tssohoatssohoa tssohoatssohoa tssohoatssohoa tssohoatssohoa Improvement - The empty holes method

34. 6/3/2015 Prof. Ehud Gudes Security Ch 3 34 Product Ciphers 1. Although substitution ciphers and permutation ciphers alone, are quite easy to break, their combination is quite a strong cipher! 2. This was the basis of most classical ciphers like the Enigma machine of World-war II (see book by Sing…) 3. Its also the basis for the DES cipher

35. 6/3/2015 Prof. Ehud Gudes Security Ch 3 35 Shannon’s Principles for a Good Cipher 1. The amount of secrecy needed should determine the labor required for encryption/decryption. 2. The keys and ciphering algorithm should be “free” from complexity. 3. The implementation of the cipher algorithm should be simple and effective. 4. Errors in ciphering should not propagate to the entire message. 5. The size of the enciphered text should not be much larger then the size of the clear text.

36. 6/3/2015 Prof. Ehud Gudes Security Ch 3 36 Shanon’s Theory

37. 6/3/2015 Prof. Ehud Gudes Security Ch 3 37 Shanon’s Theory A system has perfect secrecy if by intercepting cipher code, nothing can be learned on the original message. i.e. H(M|C) = H(M) A Perfect Cipher

38. 6/3/2015 Prof. Ehud Gudes Security Ch 3 38 Shanon’s Theory (1949) Confusion – a complex functional relationship between the Key, Plain-text and Cipher-text. Diffusion – Information from one plain bit is diffused over all bits of the cipher (block).

39. 6/3/201539 Unicity Distance Key equivocation H c (K) = P(c) P c (K) log 2 Pc(K) – prob. of K given C. Hc(K) = H(K) means the cipher is (theoretically) breakable Unicity Distance = where D is the Language Redundancy – the number of characters required to break the cipher (theoretically)

40. 6/3/2015 Prof. Ehud Gudes Security Ch 3 40 צופן מושלם תהי {M={M 1,M 2,…,M n קבוצת כל ההודעות האפשריות, ו -{C={C 1,C 2,…,C n קבוצת כל ההודעות המוצפנות בהתאמה, צופן הוא מושלם אם לכל i,j p(M i |C j )=p(M i ) ידיעת הטקסט המוצפן אינה מוסיפה ידע על הטקסט המקורי צופן מושלם חסין ל - Known Cipher text attacks

41. 6/3/2015 Prof. Ehud Gudes Security Ch 3 41  ניתן להוכיח שבצופן מושלם מספר המפתחות גדול או שווה למספר ההודעות.  הצופן היחיד המושלם הוא One-Time Pad כל הודעה מוצפנת באמצעות מפתח אקראי שונה  הצפנת ההודעה נעשית ע “ י XOR בינה ובין המפתח

42. 6/3/2015 Prof. Ehud Gudes Security Ch 3 42  נאמר כי אלגוריתם הצפנה הוא Unconditionally Secure אם בהינתן אינסוף משאבים, ומספר אינסופי של זוגות של הודעות חשופות ומוצפנות, לא ניתן, בהינתן הצפנת ההודעה הבאה, למצוא את ההודעה החשופה המתאימה לה.  One time pad הוא אלגוריתם ההצפנה היחיד שהוא Unconditionally Secure

43. 6/3/2015 Prof. Ehud Gudes Security Ch 3 43 Computational Security  אלגוריתם הצפנה יקרא Computationally secure אם מעשית קשה מאד לשחזר את הטקסט המקורי בהנתן הטקסט המוצפן  מאחר שאלגוריתם ההצפנה היחיד המושלם הוא One-time pad, ניתן בהינתן כמות מספקת של כוח חישוב וזמן לפצח כל אלגוריתם הצפנה  לגבי כל האלגוריתמים הקריפטוגרפיים הידועים, לא ידועים חסמים תחתונים על מספר הפעולות הדרושות לפיצוחם

44. 6/3/2015 Prof. Ehud Gudes Security Ch 3 44 החוזק של אלגוריתם הצפנה ( Shanon )  The work factor של אלגוריתם הצפנה הוא הזמן שנדרש בכדי לפצחו - מציאת הודעה או מציאת המפתח בהינתן ה -Cipher text  ה -Work Factor נמדד בזמן ובכסף שיש להשקיע בפיצוח האלגוריתם  מעשית ה -work factor הוא המדד לחוזק של אלגוריתם הצפנה

45. 6/3/2015 Prof. Ehud Gudes Security Ch 3 45 Stream and block Ciphers  פונקציות הצפנה מקבלות קלטים בעלי אורך קבוע  בכדי להצפין הודעה M, שאורכה עולה על אורך הקלט של פונקצית ההצפנה, מחלקים את M לבלוקים שאורכם כאורך הקלט של פונקצית ההצפנה ( אם יש צורך מבצעים דיפון ). כל בלוק עובר הצפנה בנפרד  נבחין בין שני סוגי צפנים - Block ciphers ו -Stream ciphers

46. 6/3/2015 Prof. Ehud Gudes Security Ch 3 46 צפני בלוקים  תהי M הודעת הקלט M=M 1 M 2 …M n  ההצפנה מתבצעת ע ” י C i =E k (M i …)  ההצפנה של כל בלוק מתבצעת בצורה זהה על ידי שימוש באותו מפתח.  במקרה הכללי - הקלט יכול להיות פונקציה של כל הבלוקים הקודמים בהודעה, אבל המפתח נשאר קבוע.  אורך בלוק הקלט צריך להיות גדול מספיק בכדי שלא ניתן יהיה לבצע Exhaustive search

47. 6/3/2015 Prof. Ehud Gudes Security Ch 3 47 Stream ciphers  מפתח ההצפנה ( והפענוח ) משתנה. ההצפנה מתבצעת בעזרת Key stream  ה -key stream יכול להיות פונקציה של הבלוקים הקודמים, של מספר הבלוק, ושל מפתח קלט  Stream ciphers בדרך כלל פועלים על בלוקים מאורכים קטנים ( סיביות בודדות או בתים ).  בחלק מה -Stream ciphers ההצפנה נעשית על ידי ביצוע xor של הודעת הקלט עם ה -Key stream

48. 6/3/2015 Prof. Ehud Gudes Security Ch 3 48 צפני בלוקים לעומת Stream ciphers  כפי שאמרנו, stream cipher לעיתים קרובות עובדים על יחידות קטנות של קלט. עובדה זו הופכת אותם למתאימים יותר למימוש בחמרה מאשר בתכנה  צפני בלוקים בדרך כלל עובדים על יחידות קלט שהן כפולות של 32 סיביות ( מילה )  בדרך כלל stream ciphers מהירים יותר מצפני בלוקים.  כיום, השימוש בצפני בלוקים נפוץ יותר

49. 6/3/2015 Prof. Ehud Gudes Security Ch 3 49 ECB Electronic Code Book ENC M0M0 C0C0 K M1M1 C1C1 K MnMn CnCn K...

50. 6/3/2015 Prof. Ehud Gudes Security Ch 3 50 CBC Cipher Block Chaining ENC M1M1 C1C1 K MnMn CnCn K... K ENC M0M0 C0C0 IV

51. 6/3/2015 Prof. Ehud Gudes Security Ch 3 51 CFB & OFB Cipher Feedback and Output Feedback  שני המודים הללו הופכים צופן בלוקים ל -Stream cipher. באלגוריתם ההצפנה וב -IV משתמשים בכדי לייצר key stream. בכל סיבוב של הצפנה מיוצרות j סיביות (j יכול להיות בין 1 ל -64, בד ” כ הוא כפולה של בית ). ההצפנה נעשית ע ” י XOR של j הסיביות הבאות של ההודעה עם j הסיביות הבאות של ה -key stream.  ב -OFB ה -key stream אינו תלוי בהודעה המוצפנת.  ב -CFB ה -key stream תלוי ב -cipher text.

52. Cipher Feedback (CFB)

53. 6/3/2015 Prof. Ehud Gudes Security Ch 3 53 Advantages / Disadvantages of Block Cipher Advantages: Higher Diffusion Immunity to malicious insertions Same data, same cipher – good for retrieval Disadvantages: Lower speed Higher error propagation (block boundary?) Same data, same cipher – disclose statistics

54. 6/3/2015 Prof. Ehud Gudes Security Ch 3 54 Advantages / Disadvantages of Stream Cipher Advantages: High speed of encryption Low error propagation (on single bit/char) Disadvantages: Low Diffusion Susceptibility to malicious insertions

55. 6/3/2015 Prof. Ehud Gudes Security Ch 3 55 דוגמאות לצפני בלוקים סימטריים  DES  IDEA  RC5  AES - Rijndeal

56. 6/3/2015 Prof. Ehud Gudes Security Ch 3 56 The Data Encryption Standard  The DES is a product cipher consisting of a series of permutations and substitutions. More specifically, it is a block cipher with an initial permutation, 16 rounds of encryption, a 32-bit swap, and final permutation.  All books on cryptography and data security describe this algorithm in gory detail.  It uses a 56-bit key(+8 bits parity) and it has been implemented in hardware and software.  The controversy about the Key length

57. 6/3/2015 Prof. Ehud Gudes Security Ch 3 57 The DES Cipher

58. 6/3/2015 Prof. Ehud Gudes Security Ch 3 58 DES – one iteration

59. Exhaustive Key Search

60. Symmetric Encryption Algorithms

61. 6/3/2015 Prof. Ehud Gudes Security Ch 4 61 DES התקן  פותח ע ” י I.B.M. אומץ ע ” י NIST.  אורך בלוק קלט - 64 סיביות  אורך המפתח - 64 סיביות 8 סיביות הן סיביות זוגיות  יולי 1998 : Deep Crack - מכונה שפותחה במיוחד למטרה זו, ועלתה 210000$. היא מצאה מפתח תוך 56 שעות.

62. 6/3/2015 Prof. Ehud Gudes Security Ch 3 62 הצפנה כפולה ומשולשת  הצפנה כפולה C=E k1 (E k2 (M)) M=D k2 (D k1 (C))  הצפנה כפולה חשופה ל -Man in the middle attack  הצפנה משולשת C=E k1 (D k2 (E k3 (M)) M=D k3 (E k2 (D k1 (C))

63. Triple DES (3DES)  first used in financial applications  in DES FIPS PUB 46-3 standard of 1999  uses three keys & three DES executions: C = E(K 3, D(K 2, E(K 1, P)))  decryption same with keys reversed  use of decryption in second stage gives compatibility with original DES users  effective 168-bit key length, slow, secure  AES will eventually replace 3DES

64. 6/3/2015 Prof. Ehud Gudes Security Ch 3 64 IDEA International Data Encryption Alg.  פותח ( 1992) ע ” י Massey ו -Lai.  אורך בלוק הקלט 64 סיביות.  אורך המפתח 128 סיביות.  מבוסס על חיבור מודולו 2 16 וכפל מודולו 2 16 +1.  קל למימוש בתכנה.  מקובל יותר באירופה.

65. 6/3/2015 Prof. Ehud Gudes Security Ch 3 65 RC5  הומצא ע ” י Ron Rivest ב -1995. בעל אורך מפתח משתנה ( בין 0 ל -2048 סיביות ), אורך בלוק משתנה ומספר סיבובים משתנה ( בין 0 ל - 255).  פשוט למימוש - מבוסס על xor חיבור ו -rotate

66. Advanced Encryption Standard (AES)  needed a better replacement for DES  NIST called for proposals in 1997  selected Rijndael in Nov 2001  published as FIPS 197  symmetric block cipher  uses 128 bit data & 128/192/256 bit keys  now widely available commercially

67. 6/3/2015 Prof. Ehud Gudes Security Ch 3 67 The Advanced Encryption Standard  The AES (Rijndael) uses block and key sizes of 16,24, or 32 bytes. It uses 10, 12, or 14 rounds.  Each round applies byte subtraction, row shift, column mixing, and key addition. Bytes are transformed using invertible substitutions (to add nonlinearity).  Bytes in columns are linearly combined for diffusion. Row shifts provide diffusion over multiple rounds. Key addition makes round function key dependent

68. Advanced Encryption Standard (AES)

69. 6/3/201569 AES (Cont.)  Byte substitution. Bytes are transformed using invertible substitutions (to add nonlinearity). The substitution table is based on inverses in a field of (256) assures that each input byte is substituted into a unique output byte.  Shift row. Each byte is shifted a number of bytes depending on its location in the block, and on the key length. Row shifts provide diffusion over multiple rounds. The tables for shift row are given.  Mix column. This is the most complex operation. Bytes in columns are linearly combined for diffusion.. Each column is multiplied by a matrix which represents a polynomial mod 256. That it, Each column is considered as a polynomial:–a j (x) =a 0j x 3 + a 1j x 2 +a 2j x+a 3j –Multiplied modulo x 4 +1 with a fixed polynomial:– c(x) =’03’x3 +’01’x2 +’01’ )  Key addition Key addition makes each round key dependent. Before the first round, the key is expanded into Nk bytes where Nk is the size of the block times the number of rounds. Then in each round, the next required number of key bytes are extracted, shifted and xored between them resulting with a great key diffusion.

70. 6/3/2015 Prof. Ehud Gudes Security Ch 3 70 Public Key Systems (PKS)  These algorithms use two keys, one of which is public and the other secret. The approach is based on the infeasibility of determining the decryption key given the algorithm and the public key.  Main advantage: to communicate privately among N users, you need 2N keys, instead of N(N-1)/2 keys with symmetric encryption  Instead of permutations and substitutions these algorithms use properties of mathematical functions. In particular, they use the theory of NP functions, those for which there is no polynomial time algorithm.  Rivest, Shamir, and Adelman developed the so-called RSA cipher used in most current systems. This takes advantage of the difficulty of factoring a number into primes.

71. 6/3/2015 Prof. Ehud Gudes Security Ch 3 71 אלגוריתמי מפתח ציבורי  Diffie- Hellman (1974).  מפתח ההצפנה ומפתח הפענוח שונים  אם נתון מפתח ההצפנה, קשה למצוא את מפתח הפענוח  ניתן לפרסם את מפתח ההצפנה ( ומכאן מקור השם )  מפתח ההצפנה - K e, המפתח הציבורי  מפתח הפענוח - K d, המפתח הפרטי

72. 6/3/2015 Prof. Ehud Gudes Security Ch 3 72 אלגוריתמי מפתח ציבורי  דוגמאות - ) RSA יש אחרים )  נוחים לשימוש - אין צורך בפרוטוקול להסכמה על מפתח משותף  איטיים ( משמש בד " כ להצפנת מפתח בלבד ולא להצפנת נתונים...)  חשופים להתקפת “ האיש שבאמצע ” הבעיה “ במי לבטוח ” הפתרון - בכל מי שמוכיח את זהותו

73. 6/3/2015 Prof. Ehud Gudes Security Ch 3 73 התקפת “ האיש שבאמצע ” Man in the middle attack AliceBob Hello, I am Alice Hello, I am Bob Matt Hello, I am Alice Hello, I am Bob

74. 6/3/201574 התקפת “ האיש שבאמצע ” Man in the middle attack AliceBob Hello, I am Alice K A Hello, I am Bob K B Matt Hello, I am Alice K A Hello, I am Alice K A’ Hello, I am Bob K B Hello, I am Bob K B’ Solution - Certificates

75. 6/3/2015 Prof. Ehud Gudes Security Ch 3 75 Merkle-Hellman - The Encryption Technique Public key is a beautiful idea – how to achieve? First attempt - the Merkle-Hellman encryption technique. The public key is the set of integers of a knapsack (not a superincreasing knapsack); the private key is a corresponding superincreasing knapsack. The contribution of Merkle and Hellman was the design of a technique for converting a superincreasing knapsack into a regular one. The trick is to change the numbers in a nonobvious but reversible way.

76. 6/3/2015 Prof. Ehud Gudes Security Ch 3 76 The Encryption Technique cont. 96:73?Yes95:73?Yes 96-73=2338?No95-73=22:38?No 23:17:Yes22:17?Yes 23-17=6:11?No22-17=5:11?No 6:4?Yes5:4?Yes 6-4=2:1?Yes5-4=1:1?Yes 2-1=1:No solution1-1=0Solution Figure 3-6 Example of Solving a Simple Knapsack

77. 6/3/2015 Prof. Ehud Gudes Security Ch 3 77 Public Key Using the Knapsack Problem 1. Select a simple (super-increasing) Knapsack S 2. Convert problem to hard Knapsack (select w and n relatively prime) H = w*S mod n 3. Encrypt: C=H*M mod n Since H is hard C is hard to break 4. Decrypt: C’ = w -1 * C = w -1 w S M = S M mod n since S is simple, M can be computed easily!

78. 6/3/2015 Prof. Ehud Gudes Security Ch 3 78 Knapsack Example 1. Simple knapsack: = (1,2,4,9) 2. W = 15, n = 17 15. 8 = 1 mod 17 w -1 = 8 Hard knapsack: (15,13,9,16) 3. Message = 1100 1011 1010 0101 4. Encryption: P=0100 1011 1010 0101 [0,1,0,0]*[15,13,9,16]=13 [1,0,1,1]*[15,13,9,16]=40 [1,0,1,0]*[15,13,9,16]=24 [0,1,0,1]*[15,13,9,16]=29

79. 6/3/2015 Prof. Ehud Gudes Security Ch 3 79 Knapsack Example cont. 5. Decryption: 13 * 8 = 104 mod 17 = 2 40 * 8 = 320 mod 17 = 14 24 * 8 = 192 mod 17 = 5 29 * 8 = 232 mod 17 = 11 the recovered message is thus 0100101110100101 How? C = S * M Note: S is super-increasing! C = 2, S = (1,2,4,9) M = (0,1,0,0) C = 14, S = (1, 2, 4, 9) M = (1, 0, 1, 1)