Cryptography

beamcurveAI and Robotics

Nov 21, 2013

Lecture #9: Traditional Cryptography
HAIT, Summer 2005
Shimrit Tzur-David

Notations

- cryptography - the principles and methods of transforming an intelligible message into one that is unintelligible, and then retransforming that message back to its original form.
- plaintext - the original intelligible message.
- ciphertext - the transformed message.
- cipher - an algorithm for transforming an intelligible message into one that is unintelligible by transposition and/or substitution methods.
- key - some critical information used by the cipher, known only to the sender and receiver.

Notations (cont.)

- encipher (encode) - the process of converting plaintext to ciphertext using a cipher and a key.
- decipher (decode) - the process of converting ciphertext back into plaintext using a cipher and a key.
- cryptanalysis - the study of principles and methods of transforming an unintelligible message back into an intelligible message without knowledge of the key. Also called code-breaking.
- cryptology - both cryptography and cryptanalysis.
- code - an algorithm for transforming an intelligible message into an unintelligible one using a codebook.

Notations (cont.)

- C = E_K(P) - the encryption of the plaintext P using key K gives the ciphertext C.
- P = D_K(C) - the decryption of C to get the plaintext P.
- D_K(E_K(P)) = P
- E and D are mathematical functions of two parameters: the key and the message.

Introduction

There were 3 main constraints:

1. The ability of the code clerk to perform the necessary transformations, often on a battlefield with little equipment.
2. The difficulty in switching over quickly from one cryptographic method to another one, since this entails retraining a large number of people.
3. The danger of a code clerk being captured by the enemy has made it essential to be able to change the cryptographic method instantly if need be.

The encryption model (for a symmetric-key cipher)

The encryption model (cont.)

- The plaintext is transformed by a function that is parameterized by a key.
- The ciphertext is then transmitted.
- The enemy hears and accurately copies down the ciphertext.
- Unlike the intended recipient, he does not know what the decryption key is and so cannot decrypt the ciphertext.
- Passive intruder - the intruder can only listen to the communication channel.
- Active intruder - the intruder can record messages and play them back later, inject his own messages, or modify legitimate messages before they get to the receiver.

Flexibility

- The cryptanalyst knows in detail how the encryption method E and the decryption method D work.
- The amount of effort necessary to invent, test, and install a new algorithm every time the old method is compromised (or thought to be compromised) has always made it impractical to keep the encryption algorithm secret.
- There is a need to keep E and D secret without changing the encryption algorithm.

Flexibility (cont.)

- In contrast to the general method, which may only be changed every few years, the key can be changed as often as required.
- The basic model is a stable and publicly known general method, parameterized by a secret and easily changed key.
- Kerckhoffs' principle: all algorithms must be public; only the keys are secret.
- If many experts have tried to break the algorithm for a few years and no one has succeeded, it is probably pretty solid.

The Key Length

- Consider a simple combination lock:
  - A key length of two digits means 100 possibilities.
  - A key length of three digits means 1000 possibilities.
  - A key length of six digits means a million possibilities.
- The work factor for breaking the system by exhaustive search of the key space is exponential in the key length.
- To prevent your kid from reading your e-mail, 64-bit keys will do.
- For routine commercial use, at least 128 bits should be used.
- To keep major governments at bay, keys of at least 256 bits, preferably more, are needed.

The Cryptanalysis Problem

From the cryptanalyst's point of view, the cryptanalysis problem has two principal variations:

1. A quantity of ciphertext and no plaintext - the ciphertext-only problem.
2. Matched ciphertext and plaintext - the known-plaintext problem.

The Cryptanalysis Problem (cont.)

- The novice's assumption: if a cipher can withstand a ciphertext-only attack, the crypto-algorithm is secure.
- In many cases the cryptanalyst can make a good guess at parts of the plaintext.
- For example, the first thing many computers say when you call them up is 'login:'.
- Equipped with some matched plaintext-ciphertext pairs, the cryptanalyst's job becomes much easier.
- To achieve security, the cryptographer should make sure that the system is unbreakable even if his opponent can encrypt arbitrary amounts of chosen plaintext.

Encryption Methods

Encryption methods have been divided into two categories:

- substitution ciphers
- transposition ciphers

Substitution Ciphers

- In a substitution cipher each letter or group of letters is replaced by another letter or group of letters.
- One of the oldest known ciphers is the Caesar cipher.
- In this method, a becomes D, b becomes E, c becomes F, ..., and z becomes C.
- For example, 'attack' becomes DWWDFN.
- A slight generalization of the Caesar cipher allows the ciphertext alphabet to be shifted by k letters, instead of always 3.
- In this case k becomes a key to the general method of circularly shifted alphabets.

Monoalphabetic Substitution (symbol-for-symbol)

- The next improvement is to have each of the symbols in the plaintext map onto some other letter. For example:

  plaintext:  a b c d e f g h i j k l m n o p q r s t u v w x y z
  ciphertext: Q W E R T Y U I O P A S D F G H J K L Z X C V B N M

- The key is the 26-letter string corresponding to the full alphabet.
- The plaintext 'attack' would be transformed into QZZQEA.
- Does it look safe?
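The two substitution ciphers of slides 14 and 15 as working code, with the shifted alphabet treated as what it is: a monoalphabetic key that happens to be a rotation. This is an added example written for this page, not code from the lecture; the function names (shift_key, encrypt, decrypt, key_space_size, shift_candidates) are this example's own, and QWERTY_KEY is the key table from slide 15.

```python
import math
import string

ALPHABET = string.ascii_lowercase

# Key from slide 15: the 26-letter string whose i-th letter is the ciphertext
# symbol for the i-th plaintext letter (keyboard order, hence QWERTY...).
QWERTY_KEY = "QWERTYUIOPASDFGHJKLZXCVBNM"


def shift_key(k):
    """Key of the generalized Caesar cipher: the alphabet rotated by k
    places. k = 3 gives the classical Caesar cipher (a->D, b->E, ..., z->C)."""
    k %= 26
    return (ALPHABET[k:] + ALPHABET[:k]).upper()


def check_key(key):
    """A monoalphabetic key must be a permutation of the alphabet; otherwise
    two plaintext letters would collide and decryption would be ambiguous."""
    if sorted(key) != list(ALPHABET.upper()):
        raise ValueError("key must contain each of A-Z exactly once")


def encrypt(plaintext, key):
    """E_K(P): replace every letter by its image under the key; other
    characters pass through unchanged. Ciphertext is upper case as on the slide."""
    check_key(key)
    return plaintext.lower().translate(str.maketrans(ALPHABET, key))


def decrypt(ciphertext, key):
    """D_K(C): apply the inverse table, so decrypt(encrypt(P, K), K) == P."""
    check_key(key)
    return ciphertext.upper().translate(str.maketrans(key, ALPHABET))


def key_space_size(full_table):
    """26 keys for a shifted alphabet versus 26! for a free symbol-for-symbol
    table: the difference slide 16 is about."""
    return math.factorial(26) if full_table else 26


def shift_candidates(ciphertext):
    """Every decryption under the 26 shift keys: exhaustive search is trivial
    for a shifted alphabet and hopeless for the 26!-key table."""
    return [decrypt(ciphertext, shift_key(k)) for k in range(26)]


if __name__ == "__main__":
    print(encrypt("attack", shift_key(3)))    # DWWDFN
    print(encrypt("attack", QWERTY_KEY))      # QZZQEA
    print(decrypt("QZZQEA", QWERTY_KEY))      # attack
    print(key_space_size(False), key_space_size(True))
```

Both slide examples ('attack' to DWWDFN under the shift of 3, 'attack' to QZZQEA under the QWERTY key) fall out of the same encrypt function; only the key changes, which is the point of slides 8 and 9.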

Monoalphabetic Substitution (cont.)

- At first glance this might appear to be a safe system.
- There are 26! possible keys. Trying all of them is not a promising approach: a computer would take ~10^10 years to try all the keys.
- Nevertheless, given a surprisingly small amount of ciphertext, the cipher can be broken easily.
- The basic attack takes advantage of the statistical properties of natural languages. In English, e is the most common letter, followed by t, o, a, n, i, etc. The most common two-letter combinations are th, in, er, re, and an. The most common three-letter combinations are the, ing, and, and ion.

Transposition Ciphers

- Substitution ciphers preserve the order of the plaintext symbols.
- Transposition ciphers, in contrast, reorder the letters but do not disguise them.
- Example: the columnar transposition.

The Columnar Transposition

- The cipher is keyed by a word or phrase not containing any repeated letters.
- In the example, MEGABUCK is the key.
- The purpose of the key is to number the columns, column 1 being under the key letter closest to the start of the alphabet, and so on.
- The plaintext is written horizontally, in rows, padded to fill the matrix if need be.
- The ciphertext is read out by columns, starting with the column whose key letter is the lowest.
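The columnar transposition of this slide as runnable code, in both directions. This is an added example, not the lecture's own material: the slide names only the key MEGABUCK, so the plaintext below is constructed (it follows the classic textbook illustration that the 'milliondollars' hint on slide 19 refers to), the padding letters a, b, c, ... are this example's choice, and the function names column_order, encrypt and decrypt are its own.

```python
import string


def column_order(key):
    """Number the columns as the slide describes: column 1 is under the key
    letter closest to the start of the alphabet, and so on. Returns the
    column indices in read-out order; the key must not repeat a letter."""
    if len(set(key)) != len(key):
        raise ValueError("key letters must be distinct")
    return sorted(range(len(key)), key=lambda i: key[i])


def encrypt(plaintext, key):
    """Write the plaintext in rows of len(key) letters, pad the last row with
    a, b, c, ... (constructed filler; the slide only says 'padded'), then read
    the columns out in key order. Output is upper-cased."""
    width = len(key)
    letters = [c for c in plaintext.lower() if c.isalpha()]
    pad = (-len(letters)) % width
    letters += list(string.ascii_lowercase[:pad])
    rows = [letters[i:i + width] for i in range(0, len(letters), width)]
    return "".join(row[col] for col in column_order(key) for row in rows).upper()


def decrypt(ciphertext, key):
    """Undo the read-out: the ciphertext arrives in column-sized chunks in key
    order; put each chunk back into its column and read the matrix by rows.
    The padding comes back with the plaintext (the receiver strips it)."""
    width = len(key)
    if len(ciphertext) % width:
        raise ValueError("ciphertext length is not a multiple of the key length")
    height = len(ciphertext) // width
    columns = [None] * width
    for chunk, col in enumerate(column_order(key)):
        columns[col] = ciphertext[chunk * height:(chunk + 1) * height]
    return "".join(columns[col][row]
                   for row in range(height) for col in range(width)).lower()


# Constructed example (only the key is on the slide).
KEY = "MEGABUCK"
PLAINTEXT = "please transfer one million dollars to my swiss bank account six two two"

if __name__ == "__main__":
    print(column_order(KEY))   # [3, 4, 6, 1, 2, 7, 0, 5]: columns A B C E G K M U
    ct = encrypt(PLAINTEXT, KEY)
    print(ct)
    print(decrypt(ct, KEY))
```

With the 60-letter plaintext and an 8-letter key the matrix has 8 rows, the last one padded with 'abcd'; reading the A, B, C, E, G, K, M, U columns in that order yields the ciphertext, and decrypt reverses it because the receiver, knowing the key and the length, knows exactly how long each column chunk is.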


Breaking a Transposition Cipher

- Step 1: The cryptanalyst must be aware that he is dealing with a transposition cipher. By looking at the frequency of E, T, A, O, I, N, etc., it is easy to see if they fit the normal pattern for plaintext.
- Step 2: Make a guess at the number of columns - for example, by guessing that the plaintext phrase milliondollars occurs somewhere in the message.
- Step 3: Order the columns, by frequency.

One-Time Pads

- An unbreakable cipher:
  - Choose a random bit string as the key.
  - Convert the plaintext into a bit string.
  - Compute the XOR of these two strings, bit by bit.
- The resulting ciphertext cannot be broken.
- The reason derives from information theory: there is simply no information in the message because all possible plaintexts of the given length are equally likely.
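The one-time pad as code, together with the information-theoretic argument made concrete: for any candidate plaintext of the right length there is a pad that turns the ciphertext into it, so the ciphertext alone carries no information about which plaintext was sent. This is an added example, not from the lecture; the message bytes are constructed and the function names (xor_bytes, new_pad, pad_that_yields) are this example's own.

```python
import os


def xor_bytes(a, b):
    """XOR two equal-length byte strings bit by bit."""
    if len(a) != len(b):
        raise ValueError("the pad must be exactly as long as the message")
    return bytes(x ^ y for x, y in zip(a, b))


def new_pad(length):
    """A fresh, uniformly random key (the 'random bit string' of the slide).
    It is used for one message and then discarded, hence 'one-time'."""
    return os.urandom(length)


def encrypt(plaintext, pad):
    return xor_bytes(plaintext, pad)


def decrypt(ciphertext, pad):
    return xor_bytes(ciphertext, pad)      # XOR is its own inverse


def pad_that_yields(ciphertext, candidate_plaintext):
    """For ANY candidate plaintext of the right length there is a pad under
    which the ciphertext decrypts to it: the ciphertext cannot single out the
    real message, which is why all plaintexts are equally likely."""
    return xor_bytes(ciphertext, candidate_plaintext)


if __name__ == "__main__":
    message = b"attack at dawn"            # constructed sample message
    pad = new_pad(len(message))
    ct = encrypt(message, pad)
    print(decrypt(ct, pad))
    # An equally long, equally plausible plaintext is explained by another pad.
    print(decrypt(ct, pad_that_yields(ct, b"retreat at six")))
```

The guarantee rests entirely on the pad: it must be truly random, as long as the message, and never reused. If two messages are XORed with the same pad, XORing the two ciphertexts cancels the pad and leaves the XOR of the two plaintexts, which is why the pad is one-time.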

Cryptographic Principles

- Redundancy: all encrypted messages must contain some redundancy, that is, information not needed to understand the message.
- Freshness: some measures must be taken to ensure that each message received can be verified as being fresh, that is, sent very recently.

Redundancy Motivation

- Consider a mail-order company, The Couch Potato (TCP), with 60,000 products.
- Ordering messages consist of a 16-byte customer name followed by a 3-byte data field.
- The last 3 bytes are to be encrypted using a very long key known only by the customer and TCP.
- This might seem secure since passive intruders cannot decrypt the messages.
- Suppose that a recently fired employee wants to punish TCP.

Motivation (cont.)

- Just before leaving, he takes the customer list with him.
- He writes a program to generate fictitious orders using real customer names.
- Since he does not have the list of keys, he just puts random numbers in the last 3 bytes, and sends hundreds of orders.
- When these messages arrive, TCP's computer uses the customer's name to locate the key and decrypt the message.
- Unfortunately for TCP, almost every 3-byte message is valid, so the computer begins printing out shipping instructions.
- In this way an active intruder can cause a massive amount of trouble, even though he cannot understand the messages his computer is generating.

The Solution

- This problem can be solved by the addition of redundancy to all messages.
- For example, if order messages are extended to 12 bytes, the first 9 of which must be zeros, then this attack no longer works because the ex-employee can no longer generate a large stream of valid messages.
- All messages must contain considerable redundancy so that active intruders cannot send random junk and have it be interpreted as a valid message.

Freshness

- This measure is needed to prevent active intruders from playing back old messages.
- If no such measures were taken, our ex-employee could keep repeating previously sent valid messages.
- Some method is needed to foil replay attacks.
- A solution is to include in every message a timestamp valid only for, say, 10 seconds.
- The receiver can then just keep messages around for 10 seconds. Messages older than 10 seconds can be thrown out.
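TCP's receiving side with both principles applied, covering the redundancy fix of slide 24 and the freshness rule of this slide: after decryption an order body must start with 9 zero bytes, carry a timestamp no older than 10 seconds, and not repeat a body already accepted inside that window. This is an added example, not code from the lecture; it works on already-decrypted bodies (the cipher itself is out of scope), the 8-byte timestamp field and its position are this example's choice, the product id and clock values are constructed, and the class and function names are its own.

```python
import os
import struct

WINDOW = 10.0            # seconds a message stays valid (slide 25)
REDUNDANCY = bytes(9)    # the 9 leading zero bytes required by slide 24
BODY_LEN = 9 + 3 + 8     # zeros + 3-byte product id + 8-byte timestamp

ACCEPTED = "accepted"
NO_REDUNDANCY = "rejected: no redundancy"
STALE = "rejected: stale"
REPLAY = "rejected: replay"


def build_order(product_id, sent_at):
    """Decrypted order body in this example's layout: the 9 zeros and the
    3-byte data field from slide 24, followed by a timestamp in seconds."""
    if not 0 <= product_id < 60000:
        raise ValueError("TCP has 60,000 products")
    return REDUNDANCY + product_id.to_bytes(3, "big") + struct.pack(">d", sent_at)


class Receiver:
    """TCP's side, applied to an order body after it has been decrypted."""

    def __init__(self):
        self.recent = {}   # body -> time it was accepted

    def accept(self, body, now):
        # Keep messages around only for WINDOW seconds (slide 25).
        self.recent = {m: t for m, t in self.recent.items() if now - t <= WINDOW}
        # Redundancy check: random junk decrypts to random bytes, which fail
        # the 9-zero test with overwhelming probability (slide 24).
        if len(body) != BODY_LEN or body[:9] != REDUNDANCY:
            return NO_REDUNDANCY
        # Freshness check: anything older than WINDOW is thrown out.
        # (Clock-skew tolerance is left out here; a deployment would need it.)
        sent_at = struct.unpack(">d", body[12:])[0]
        if not 0 <= now - sent_at <= WINDOW:
            return STALE
        # Replay check: an accepted body stays in `recent` at least until its
        # timestamp expires, so a replay inside the window is always caught.
        if body in self.recent:
            return REPLAY
        self.recent[body] = now
        return ACCEPTED


def junk_accepted_count(n, now=1000.0):
    """Slide 23's attack against the fixed format: n random 'decrypted' bodies."""
    receiver = Receiver()
    return sum(receiver.accept(os.urandom(BODY_LEN), now) == ACCEPTED
               for _ in range(n))


if __name__ == "__main__":
    r = Receiver()
    order = build_order(12345, sent_at=1000.0)
    print(r.accept(order, now=1000.5))   # accepted
    print(r.accept(order, now=1003.0))   # rejected: replay
    print(r.accept(order, now=1011.0))   # rejected: stale
    print(junk_accepted_count(1000))     # 0
```

The order of the checks matters: the redundancy test throws away junk before any state is consulted, the timestamp bounds how long a replay can be attempted, and the replay cache only has to remember bodies for that bounded time, which is exactly the slide's "keep messages around for 10 seconds".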