Cryptography

Nov 21, 2013

Lecture #9
HAIT, Summer 2005
Shimrit Tzur-David

Notations

cryptography - the principles and methods of transforming an intelligible message into one that is unintelligible, and then retransforming that message back to its original form.

plaintext - the original intelligible message

ciphertext - the transformed message

cipher - an algorithm for transforming an intelligible message into one that is unintelligible by transposition and/or substitution methods

key - some critical information used by the cipher, known only to the sender & receiver

Notations Cont.

encipher (encode) - the process of converting plaintext to ciphertext using a cipher and a key

decipher (decode) - the process of converting ciphertext back into plaintext using a cipher and a key

cryptanalysis - the study of principles and methods of transforming an unintelligible message back into an intelligible message without knowledge of the key. Also called code-breaking.

cryptology - both cryptography and cryptanalysis

code - an algorithm for transforming an intelligible message into an unintelligible one using a code-book

Notations Cont.

C = E_K(P) - the encryption of the plaintext P using key K gives the ciphertext C.

P = D_K(C) - the decryption of C to get the plaintext.

D_K(E_K(P)) = P

E and D are mathematical functions of two parameters: the key and the message.

Introduction

There were 3 main constraints:

1. The ability of the code clerk to perform the necessary transformations, often on a battlefield with little equipment.

2. The difficulty in switching over quickly from one cryptographic method to another one, since this entails retraining a large number of people.

3. The danger of a code clerk being captured by the enemy has made it essential to be able to change the cryptographic method instantly if need be.

The encryption model for a symmetric-key cipher

The encryption model Cont.

The plaintext is transformed by a function that is parameterized by a key.

The ciphertext is then transmitted.

The enemy hears and accurately copies down the ciphertext.

Unlike the intended recipient, he does not know what the decryption key is and so cannot decrypt the ciphertext.

Passive intruder - the intruder can only listen to the communication channel.

Active intruder - the intruder can record messages and play them back later, inject his own messages, or modify legitimate messages before they get to the receiver.

Flexibility

The cryptanalyst knows how the encryption method, E, and the decryption method, D, work in detail.

The amount of effort necessary to invent, test, and install a new algorithm every time the old method is compromised (or thought to be compromised) has always made it impractical to keep the encryption algorithm secret.

There is a need to keep E and D secret without changing the encryption algorithm itself.

Flexibility Cont.

In contrast to the general method, which may only be changed every few years, the key can be changed as often as required.

The basic model is a stable and publicly known general method, parameterized by a secret and easily changed key.

Kerckhoffs' principle: All algorithms must be public; only the keys are secret.

If many experts have tried to break the algorithm for a few years and no one has succeeded, it is probably pretty solid.

The Key Length

Consider a simple combination lock:

A key length of two digits means 100 possibilities.

A key length of three digits means 1000 possibilities.

A key length of six digits means a million possibilities.

The work factor for breaking the system by exhaustive search of the key space is exponential in the key length.

-mail, 64-bit keys will do.

For routine commercial use, at least 128 bits should be used.

Against major governments, keys of at least 256 bits, preferably more, are needed.

The Cryptanalysis Problem

From the cryptanalyst's point of view, the cryptanalysis problem has two principal variations:

1. Quantity of ciphertext and no plaintext - the ciphertext-only problem.

2. Matched ciphertext and plaintext - the known-plaintext problem.

The Cryptanalysis Problem Cont.

Novices' assumption: if a cipher can withstand a ciphertext-only attack, the crypto-algorithm is secure.

In many cases the cryptanalyst can make a good guess at parts of the plaintext.

For example, the first thing many computers say when you call them up is ‘login:’.

Equipped with some matched plaintext-ciphertext pairs, the cryptanalyst's job becomes much easier.

To achieve security, the cryptographer should make sure that the system is unbreakable even if his opponent can encrypt arbitrary amounts of chosen plaintext.

Encryption Methods

Encryption methods have been divided into two categories:

substitution ciphers

transposition ciphers

Substitution Ciphers

In a substitution cipher each letter or group of letters is replaced by another letter or group of letters.

One of the oldest known ciphers is the Caesar cipher.

In this method, a becomes D, b becomes E, c becomes F, ..., and z becomes C.

For example, ‘attack’ becomes DWWDFN.

A slight generalization of the Caesar cipher allows the ciphertext alphabet to be shifted by k letters. In this case k becomes the key to the general method of circularly shifted alphabets.

Monoalphabetic Substitution (Symbol-for-symbol)

The next improvement is to have each of the symbols in the plaintext map onto some other letter. For example:

plaintext:  a b c d e f g h i j k l m n o p q r s t u v w x y z
ciphertext: Q W E R T Y U I O P A S D F G H J K L Z X C V B N M

The key is the 26-letter string corresponding to the full alphabet.

The plaintext ‘attack’ would be transformed into QZZQEA.

Does it look safe?
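The two ciphers just described, as an added example that is not part of the lecture: a general monoalphabetic substitution cipher in Python, with the Caesar cipher as the special case whose key is the alphabet shifted by k. The key check and the pass-through of non-letters are choices of this example.

```python
# Added example (not from the lecture): a general monoalphabetic substitution
# cipher. The Caesar cipher is the special case whose ciphertext alphabet is
# the plaintext alphabet rotated by k positions (k = 3 in the lecture).
import string

ALPHABET = string.ascii_lowercase

def shifted_alphabet(k):
    """Ciphertext alphabet for a circular shift of k letters."""
    k %= 26
    return (ALPHABET[k:] + ALPHABET[:k]).upper()

def check_key(cipher_alphabet):
    """A valid key is a permutation of the 26 uppercase letters."""
    if sorted(cipher_alphabet) != list(ALPHABET.upper()):
        raise ValueError("key must be a permutation of the 26 letters")

def encipher(plaintext, cipher_alphabet):
    """Replace each lowercase letter by its ciphertext symbol; other
    characters pass through unchanged."""
    check_key(cipher_alphabet)
    return plaintext.translate(str.maketrans(ALPHABET, cipher_alphabet))

def decipher(ciphertext, cipher_alphabet):
    check_key(cipher_alphabet)
    return ciphertext.translate(str.maketrans(cipher_alphabet, ALPHABET))

# The lecture's 26-letter key: a maps to Q, b to W, c to E, and so on.
QWERTY_KEY = "QWERTYUIOPASDFGHJKLZXCVBNM"

if __name__ == "__main__":
    print(encipher("attack", shifted_alphabet(3)))   # DWWDFN
    print(encipher("attack", QWERTY_KEY))            # QZZQEA
```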

Monoalphabetic Substitution Cont.

At first glance this might appear to be a safe system.

There are 26! possible keys in use. Trying all of them is not a promising approach. A computer would take ~10^10 years to try all the keys.

Nevertheless, given a surprisingly small amount of ciphertext, the cipher can be broken easily.

The basic attack takes advantage of the statistical properties of natural languages. In English, e is the most common letter, followed by t, o, a, n, i, etc. The most common two-letter combinations are th, in, er, re, and an. The most common three-letter combinations are the, ing, and, and ion.

Transposition Ciphers

Substitution ciphers preserve the order of the plaintext symbols.

Transposition ciphers, in contrast, reorder the letters but do not disguise them.

The columnar transposition:

The Columnar Transposition

The cipher is keyed by a word or phrase not containing any repeated letters.

In the example, MEGABUCK is the key.

The purpose of the key is to number the columns, column 1 being under the key letter closest to the start of the alphabet, and so on.

The plaintext is written horizontally, in rows, padded to fill the matrix if need be.

The ciphertext is read out by columns, starting with the column whose key letter is the lowest.
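The columnar transposition keyed by MEGABUCK, as an added example that is not the lecture's own code: columns are numbered by the alphabetical order of the key letters, the plaintext fills the rows, and the ciphertext is read out column by column in key order. The padding character and the sample message are assumptions of this example.

```python
# Added example (not from the lecture): columnar transposition with a
# repeated-letter-free keyword such as MEGABUCK. Padding with "x" and the
# sample plaintext are choices of this example, not the lecture's.
import math

def column_order(key):
    """Column indices in the order they are read out (key letters sorted)."""
    if len(set(key)) != len(key):
        raise ValueError("key must not contain repeated letters")
    return sorted(range(len(key)), key=lambda i: key[i])

def encipher(plaintext, key, pad="x"):
    n = len(key)
    rows = math.ceil(len(plaintext) / n)
    text = plaintext.ljust(rows * n, pad)            # fill the matrix
    matrix = [text[r * n:(r + 1) * n] for r in range(rows)]
    # read column by column, lowest key letter first
    return "".join(row[c] for c in column_order(key) for row in matrix)

def decipher(ciphertext, key):
    n = len(key)
    if len(ciphertext) % n:
        raise ValueError("ciphertext length must be a multiple of the key length")
    rows = len(ciphertext) // n
    cols = [""] * n
    for k, c in enumerate(column_order(key)):
        cols[c] = ciphertext[k * rows:(k + 1) * rows]   # put each column back
    return "".join(cols[c][r] for r in range(rows) for c in range(n))

KEY = "MEGABUCK"
# Constructed plaintext (the lecture names only the key and the phrase "milliondollars").
PLAIN = "pleasetransferonemilliondollarstomyaccount"

if __name__ == "__main__":
    ct = encipher(PLAIN, KEY)
    print(ct)
    print(decipher(ct, KEY).rstrip("x"))
```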

Breaking a Transposition Cipher

Step 1: The cryptanalyst must be aware that he is dealing with a transposition cipher. By looking at the frequency of E, T, A, O, I, N, etc., it is easy to see if they fit the normal pattern for plaintext.

Step 2: Make a guess at the number of columns, assuming the plaintext phrase milliondollars occurs somewhere in the message.

Step 3: Order the columns by frequency.
One-time pad - Unbreakable cipher

Choose a random bit string as the key.

Convert the plaintext into a bit string.

Compute the XOR of these two strings, bit by bit.

The resulting ciphertext cannot be broken.

The reason derives from information theory: there is simply no information in the message because all possible plaintexts of the given length are equally likely.
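The pad described above, as an added example that is not from the lecture: XOR of the message with a random key of the same length, plus a function that makes the information-theoretic claim concrete by producing, for any candidate plaintext, the key under which the ciphertext would decrypt to it. The function names are this example's own.

```python
# Added example (not from the lecture): a one-time pad over bytes. The key
# is random, exactly as long as the message and used once; the ciphertext is
# the bit-by-bit XOR. key_explaining() shows the information-theoretic point:
# every candidate plaintext of the right length has a key that fits the
# ciphertext, so the ciphertext alone favours none of them.
import secrets

def xor_bytes(a, b):
    if len(a) != len(b):
        raise ValueError("the pad must be exactly as long as the message")
    return bytes(x ^ y for x, y in zip(a, b))

def generate_key(length):
    """Fresh random pad from the OS entropy source."""
    return secrets.token_bytes(length)

def encrypt(plaintext, key):
    return xor_bytes(plaintext, key)

def decrypt(ciphertext, key):
    return xor_bytes(ciphertext, key)     # XOR is its own inverse

def key_explaining(ciphertext, candidate_plaintext):
    """The key under which ciphertext would decrypt to candidate_plaintext."""
    return xor_bytes(ciphertext, candidate_plaintext)

def reuse_leak(ciphertext1, ciphertext2):
    """Why 'one-time' matters: two messages under the same pad XOR to
    plaintext1 XOR plaintext2, so the pad's protection is lost."""
    return xor_bytes(ciphertext1, ciphertext2)

if __name__ == "__main__":
    message = b"attack at dawn"             # constructed sample
    pad = generate_key(len(message))
    ct = encrypt(message, pad)
    print(decrypt(ct, pad))
    print(key_explaining(ct, b"retreat at six").hex())   # a "valid" key too
```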

Cryptographic Principles

Redundancy

All encrypted messages must contain some redundancy, that is, information not needed to understand the message.

Freshness

Some measures must be taken to ensure that each message received can be verified as being fresh, that is, sent very recently.

Redundancy Motivation

Consider a mail-order company, The Couch Potato (TCP), with 60,000 products.

Ordering messages consist of a 16-byte customer name followed by a 3-byte data field.

The last 3 bytes are to be encrypted using a very long key known only by the customer and TCP.

This might seem secure since passive intruders cannot decrypt the messages.

Suppose that a recently fired employee wants to punish TCP.

Motivation Cont.

Just before leaving, he takes the customer list with him.

He writes a program to generate fictitious orders using real customer names.

Since he does not have the list of keys, he just puts random numbers in the last 3 bytes, and sends hundreds of orders.

When these messages arrive, TCP's computer uses the customer's name to locate the key and decrypt the message.

Unfortunately for TCP, almost every 3-byte message is valid, so the computer begins printing out shipping instructions.

In this way an active intruder can cause a massive amount of trouble, even though he cannot understand the messages his computer is generating.

The Solution

This problem can be solved by the addition of redundancy to all messages.

For example, if order messages are extended to 12 bytes, the first 9 of which must be zeros, then this attack no longer works because the ex-employee can no longer generate a large stream of valid messages.

All messages must contain considerable redundancy so that active intruders cannot send random junk and have it be interpreted as a valid message.

Freshness

This measure is needed to prevent active intruders from playing back old messages.

If no such measures were taken, our ex-employee could keep repeating previously sent valid messages.

Some method is needed to foil replay attacks.

A solution is to include in every message a timestamp valid only for, say, 10 seconds.

The receiver can then just keep messages around for 10 seconds. Messages older than 10 seconds can be thrown out.
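The redundancy check from The Solution and the freshness check above, combined in one order checker for the TCP scenario as an added example that is not from the lecture. It assumes a message layout of 9 zero bytes, a 3-byte product id and a 4-byte timestamp, padded with a fresh 16-byte slice of the customer's long shared key (the slice number travels in the clear); the Receiver class and junk_accepted() are this example's own.

```python
# Added example (not from the lecture): an order checker for the Couch Potato
# (TCP) scenario. An order is accepted only if its 9 redundancy bytes decrypt
# to zeros, its timestamp lies within the 10-second window, and it has not
# been seen before. Layout and 4-byte timestamp are assumptions of this example.
import secrets
import struct

FIELD = 16          # 9 zero bytes + 3-byte product id + 4-byte timestamp
WINDOW = 10         # seconds a message stays valid

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def pad_slice(key, slice_no):
    return key[slice_no * FIELD:(slice_no + 1) * FIELD]

def make_order(product_id, key, slice_no, now):
    """Encrypt one order; product_id must fit in 3 bytes."""
    pad = pad_slice(key, slice_no)
    if len(pad) != FIELD:
        raise ValueError("shared key exhausted")
    field = bytes(9) + product_id.to_bytes(3, "big") + struct.pack(">I", now)
    return slice_no, xor(field, pad)

class Receiver:
    def __init__(self, keys):
        self.keys = keys          # customer name -> long secret key
        self.seen = {}            # recent (name, ciphertext) -> arrival time

    def accept(self, name, slice_no, ciphertext, now):
        """Return the product id, or None when the order is rejected."""
        pad = pad_slice(self.keys.get(name, b""), slice_no)
        if len(pad) != FIELD or len(ciphertext) != FIELD:
            return None
        field = xor(ciphertext, pad)
        if field[:9] != bytes(9):                    # redundancy check
            return None
        (stamp,) = struct.unpack(">I", field[12:])
        if not now - WINDOW <= stamp <= now:         # freshness check
            return None
        self.seen = {k: t for k, t in self.seen.items() if now - t <= WINDOW}
        if (name, ciphertext) in self.seen:          # replay check
            return None
        self.seen[(name, ciphertext)] = now
        return int.from_bytes(field[9:12], "big")

def junk_accepted(receiver, name, trials, now):
    """Random fields, as the ex-employee sends them: how many get through?"""
    return sum(receiver.accept(name, 0, secrets.token_bytes(FIELD), now) is not None
               for _ in range(trials))
```

With the 9 zero bytes a random field passes the redundancy check with probability 2^-72, which is why the forged-order stream from the story no longer works.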