1. Fall 2006CS 395 Computer Security1 Cryptography Well, a gentle intro to cryptography

2. Fall 2006CS 395 Computer Security2 Special Thanks: to our friends at the Australian Defense Force Academy for providing the basis for these slides

3. Fall 2006CS 395 Computer Security3 Definition Cryptology is the study of secret writing Concerned with developing algorithms which may be used: –To conceal the context of some message from all except the sender and recipient (privacy or secrecy), and/or –Verify the correctness of a message to the recipient (authentication or integrity) The basis of many technological solutions to computer and communication security problems

4. Fall 2006CS 395 Computer Security4 Terminology Cryptography: The art or science encompassing the principles and methods of transforming an intelligible message into one that is unintelligible, and then retransforming that message back to its original form Plaintext: The original intelligible message Ciphertext: The transformed message Cipher: An algorithm for transforming an intelligible message into one that is unintelligible by transposition and/or substitution methods

5. Fall 2006CS 395 Computer Security5 Terminology (cont). Key: Some critical information used by the cipher, known only to the sender & receiver Encipher (encode): The process of converting plaintext to ciphertext using a cipher and a key Decipher (decode): The process of converting ciphertext back into plaintext using a cipher and a key Cryptanalysis (codebreaking): The study of principles and methods of transforming an unintelligible message back into an intelligible message without knowledge of the key.

6. Fall 2006CS 395 Computer Security6 Still More Terminology… Cryptology: The field encompassing both cryptography and cryptanalysis Code: An algorithm for transforming an intelligible message into an unintelligible one using a code-book

7. Fall 2006CS 395 Computer Security7 Concepts Encryption: The mathematical function mapping plaintext to ciphertext using the specified key: C = E K (P) Decryption: The mathematical function mapping ciphertext to plaintext using the specified key: P = E K -1 (C) = D K (C) cryptographic system: The family of transformations from which the cipher function E K is chosen

8. Fall 2006CS 395 Computer Security8 Concepts (cont.) Key: Is the parameter which selects which individual transformation is used, and is selected from a keyspace K More formally we can define the cryptographic system as a single parameter family of invertible transformations E K for K in K maps P  C With unique inverse P = E K -1 for K in K maps C  P Usually assume the cryptographic system is public, and only the key is secret information

9. Fall 2006CS 395 Computer Security9 Rough Classification Private-key encryption algorithms Public-key encryption algorithms Digital signature algorithms Hash functions Block ciphers Stream ciphers We will be discussing each of these (though not all in this slide set)

10. Fall 2006CS 395 Computer Security10 Private-Key Encryption System Message Source M Cryptanalyst Message Dest. M Encrypt M with Key K1 C = E K1 (M) Decrypt C with Key K2 M = D K2 ( C) Key Source 2 Key K2 produced From key K1 Key source 1 Random key K1 produced K1 C K2 C Insecure communication channel Secure key channel

11. Fall 2006CS 395 Computer Security11 Private-Key Encryption Algorithms A private-key (or secret-key, or single-key) encryption algorithm is one where the sender and the recipient share a common, or closely related, key All traditional encryption algorithms are private- key

12. Fall 2006CS 395 Computer Security12 Cryptanalytic Attacks Cryptanalysis: The process of breaking an encrypted message without knowledge of the key. Several Types: Ciphertext only –only know algorithm and some ciphertext –use statistical attacks only –must be able to identify when have plaintext Known plaintext –know (or strongly suspect) some plaintext-ciphertext pairs –Use this knowledge in attacking cipher

13. Fall 2006CS 395 Computer Security13 Cryptanalytic Attacks Chosen plaintext: –Can select plaintext and obtain corresponding ciphertext –Use knowledge of algorithm structure in attack Chosen ciphertext –Can select ciphertext and obtain corresponding plaintext –Use knowledge of algorithm structure in attack Chosen plaintext-ciphertext –Can select plaintext and obtain corresponding ciphertext, or select ciphertext and obtain plaintext –allows further knowledge of algorithm structure to be used

14. Fall 2006CS 395 Computer Security14 Exhaustive Key Search Always theoretically possible to simply try every key Most basic attack, directly proportional to key size Assume either know or can recognize when plaintext is found

15. Fall 2006CS 395 Computer Security15 Exhaustive Key Search (cont.) Key Size (bits)Time (1µs/test)Time (1 µs/10 6 test) 3235.8 mins2.15 ms 406.4 days550 ms 561140 years10.0 hours 64~500000 years107 days 1285 × 10 24 years5 × 10 18 years

16. Fall 2006CS 395 Computer Security16 Unconditional and Computational Security Unconditional security: No matter how much computer power is available, the cipher cannot be broken since the ciphertext provides insufficient information to uniquely determine the corresponding plaintext Computational security: Given limited computing resources (e.g. time needed for calculations is greater than age of universe), the cipher cannot be broken

17. Fall 2006CS 395 Computer Security17 Classical Encryption Techniques Two basic components in classical ciphers: substitution and transposition Substitution ciphers - letters replaced by other letters Transposition ciphers – same letters, but arranged in a different order These ciphers may be: –Monoalphabetic - only one substitution / ransposition is used, or –Polyalphabetic - where several substitutions / transpositions are used Several such ciphers may be concatenated together to form a product cipher

18. Fall 2006CS 395 Computer Security18 The Caeser Cipher 2000 years ago Julius Caesar used a simple substitution cipher, now known as the Caesar cipher –First attested use in military affairs (e.g. Gallic Wars) Concept: replace each letter of the alphabet with another letter that is k letters after original letter Example: replace each letter by 3rd letter after L FDPH L VDZ L FRQTXHUHG I CAME I SAW I CONQUERED

19. Fall 2006CS 395 Computer Security19 The Caeser Cipher Can describe this mapping (or translation alphabet) as: Plain: ABCDEFGHIJKLMNOPQRSTUVWXYZ Cipher: DEFGHIJKLMNOPQRSTUVWXYZABC

20. Fall 2006CS 395 Computer Security20 General Caesar Cipher Can use any shift from 1 to 25 –I.e. replace each letter of message by a letter a fixed distance away Specify key letter as the letter a plaintext A maps to –E.g. a key letter of F means A maps to F, B to G,... Y to D, Z to E, I.e. shift letters by 5 places Hence have 26 (25 useful) ciphers –Hence breaking this is easy. Just try all 25 keys one by one.

21. Fall 2006CS 395 Computer Security21 Mathematics If we assign the letters of the alphabet the numbers from 0 to 25, then the Caesar cipher can be expressed mathematically as follows: For a fixed key k, and for each plaintext letter p, substitute the ciphertext letter C given by C = (p + k) mod(26) Decryption is equally simple: p = (C – k) mod (26)

22. Fall 2006CS 395 Computer Security22 Cryptanalysis of the Caesar Cipher Only have 26 possible ciphers –A maps to A,B,..Z Could simply try each in turn Called an exhaustive key search Given some ciphertext, just try every shift of letters:

23. Fall 2006CS 395 Computer Security23 Mixed Monoalphabetic Cipher Rather than just shifting the alphabet, could shuffle (jumble) the letters arbitrarily Each plaintext letter maps to a different random ciphertext letter, or even to 26 arbitrary symbols Key is 26 letters long

24. Fall 2006CS 395 Computer Security24 Security of Mixed Monoalphabetic Cipher With a key of length 26, now have a total of 26! ~ 4 x 10 26 keys With so many keys, might think this is secure, but you’d be wrong Variations of the monoalphabetic substitution cipher were used in government and military affairs for many centuries into the middle ages The method of breaking it, frequency analysis was discovered by Arabic scientists All monoalphabetic ciphers are susceptible to this type of analysis

25. Fall 2006CS 395 Computer Security25 Language Redundancy and Cryptanalysis Human languages are redundant Letters in a given language occur with different frequencies. –Ex. In English, letter e occurs about 12.75% of time, while letter z occurs only 0.25% of time. In English the letters e is by far the most common letter T, r,n,i,o,a,s occur fairly often, the others are relatively rare W,b,v,k,x,q,j,z occur least often So, calculate frequencies of letters occurring in ciphertext and use this as a guide to guess at the letters. This greatly reduces the key space that needs to be searched.

26. Fall 2006CS 395 Computer Security26 Language Redundancy and Cryptanalysis Tables of single, double, and triple letter frequencies are available

27. Fall 2006CS 395 Computer Security27 Other Languages Natural languages all have varying letter frequencies Languages have different numbers of letters (cf. Norwegian) Can take sample text and count letter frequencies Seberry (1 st Ed) text, Appendix A has counts for 20 languages. Hits most European & Japanese & Malay

28. Fall 2006CS 395 Computer Security28 Performing Frequency Analysis Calculate letter frequencies for ciphertext being analyzed Compare counts/plots against known values In particular look for common peaks and troughs –Peaks at: A-E-I spaced triple, NO pair, RST triple with U shape –Troughs at: JK, X-Z Key concept - monoalphabetic substitution does not change relative letter frequencies

29. Fall 2006CS 395 Computer Security29 Table of Common English Single, Double and Triple Letters

30. Fall 2006CS 395 Computer Security30 Example with Caesar Cipher given "JXU WHUQJUIJ TYISELUHO EV COWUDUHQJYED YI JXQJ Q XKCQD UYDW SQD QBJUH XYI BYVU RO QBJUHYDW XYI QJJYJKTUI" A-E-I triple NO pair RST triple

31. Fall 2006CS 395 Computer Security31 Polyalphabetic Ciphers An approach to improving security is to use multiple cipher alphabets, hence the name polyalphabetic ciphers Makes cryptanalysis harder since have more alphabets to guess and because flattens frequency distribution Use a key to select which alphabet is used for each letter of the message –ith letter of key specifies ith alphabet to use Use each alphabet in turn Repeat from start after end of key is reached

32. Fall 2006CS 395 Computer Security32 Vigenere Cipher Simplest polyalphabetic substitution cipher is the Vigenère Cipher It is really multiple Caesar ciphers Key is multiple letters long K = k 1 k 2... k d Can describe this mathematically as the function: Encryption is done using E k i (a): a  (a + k i )(mod 26) Decryption is done using D k i (a): a  (a - k i )(mod 26)

33. Fall 2006CS 395 Computer Security33 Vigenere Example Write the plaintext Under it write the keyword repeated Then using each key letter in turn as a Caesar cipher key, encrypt the corresponding plaintext letter

34. Fall 2006CS 395 Computer Security34 Vigenere Example (cont)

35. Fall 2006CS 395 Computer Security35 Cracking Vigenere First, need to know that you’re up against Vigenere. –With enough ciphertext, frequency analysis should help reveal this. Next, determine the key length –Observation: If two identical sequences of plaintext occur at a distance that is an integer multiple of the key length, then their ciphertext will be identical –Ex: key: DECEPTIVEDECEPTIVEDECEPTIVE Plaintext: WEAREDISCOVEREDSAVEYOURSELF Ciphertext: ZICVTWQNGRZGVTWAVZHCQYGLMGJ

36. Fall 2006CS 395 Computer Security36 Cracking Vigenere (cont) By collecting enough of these, cryptanalyst can get the key length. Now breaking the cipher amounts to breaking several monoalphabetic ciphers. A potential solution? Use a key that is as long as the message. Well, not quite….

37. Fall 2006CS 395 Computer Security37 Autokey Cipher If more alphabets helps to improve the security, at limit want as many alphabets as letters in message (but how to transfer such a key?) Vigenère proposed the autokey cipher where the keyword is prefixed to the message and then that is used as the key for the message Knowing keyword can recover the first few letters then use these in turn on the rest of the message –eg. given key "DECEPTIVE" and message "WE ARE DISCOVERED SAVE YOURSELF"

38. Fall 2006CS 395 Computer Security38 Book Cipher Another method of creating a key as long as a message is to use words from a book to specify the translation alphabets Key used is then the book and page and paragraph to start from British used this some in WWII (called them poem codes) –Big problem

39. Fall 2006CS 395 Computer Security39 Problems with Autokey and Book Cipher Both Autokey and Book ciphers look like they have good characteristics but problem is that the same language characteristics are used by the key as the message –i.e., a key of 'E' will be used more often than a 'T' etc, hence an 'E' encrypted with a key of 'E‘ occurs with probability (0.1275) 2 = 0.01663, about twice as often as a 'T‘ encrypted with a key of 'T' Have to use a larger frequency table, but it exists Given sufficient ciphertext this can be broken BUT, if a truly random key as long as the message is used, the cipher is provably unbreakable –Called a Vernam Cipher or One-Time pad

40. Fall 2006CS 395 Computer Security40 One-Time Pad A true solution: Choose a truly random key as long as the message itself –This reveals nothing statistically about the plaintext message. This lack of information about plaintext means that a one-time pad is unbreakable. Practical considerations –Though used during WWII, there are difficulties Sender and receiver must be in possession of, and protect, the random key. If the receiver loses the key, they will have no way to reconstruct the plaintext. –Rarely used in practice

41. Fall 2006CS 395 Computer Security41 Transposition Ciphers Also known as permutation ciphers Core idea: hide the message by rearranging the letter order without altering the actual letters used Can recognize these since have the same frequency distribution as the original text Very Simple Example: Mirror Cipher (write message backwards). Obviously not very secure –But what about mirror image in Russian?!

42. Fall 2006CS 395 Computer Security42 Scytale Cipher An early Greek transposition cipher a strip of paper was wound round a staff, then the message was written along staff in rows. When paper removed, were left with a strip of seemingly random letters. Not very secure as key was width of paper & staff

43. Fall 2006CS 395 Computer Security43 Row Transposition Ciphers Group the message and shuffle letters within each group More formally write letters across rows, then reorder the columns before reading off the rows Always have an equivalent pair of keys (Read vs Write)

44. Fall 2006CS 395 Computer Security44 Cracking Transposition Ciphers There are many more transposition ciphers of increasing complexity. Cracking them involves educated guessing at row and column arrangements with much trial and error BUT, there is software that will do a lot of this stuff for you (and it’s out there and freely available) Bottom line, transposition ciphers are no more secure than pure substitution ciphers. (With the exception of the one-time pad, of course).

45. Fall 2006CS 395 Computer Security45 Increasing Cipher Security Ciphers based on just substitutions or transpositions are not secure Have seen how these can be attacked because they do not sufficiently obscure the underlying language structure Hence consider using several ciphers in succession to make cryptanalysis harder, but: –two substitutions are really only one more complex substitution –two transpositions are really only one more complex transposition –BUT a substitution followed by a transposition makes a new much harder cipher

46. Fall 2006CS 395 Computer Security46 Steganography an alternative to encryption hides existence of message –using only a subset of letters/words in a longer message marked in some way –using invisible ink –hiding in LSB in graphic image or sound file has drawbacks –high overhead to hide relatively few info bits