Introduction to Computer Security

Foundations of Cryptography

Pavel Laskov

Wilhelm Schickard Institute for Computer Science

Secret communication

[Figure: Alice encrypts the plaintext "I love you" with the key "unitue"; the ciphertext "C ywoy cih" is sent to Bob, who decrypts it with the same key "unitue" to recover the plaintext "I love you".]

Cryptography and security objectives

Which security objectives are addressed by cryptography?

Confidentiality: symmetric cryptography, asymmetric cryptography

Integrity: hashing

Authentication and non-repudiation: digital signatures

Symmetric cryptography

[Figure: Alice encrypts the plaintext "I love you" with the shared key "unitue" (any valid key) into the ciphertext "C ywoy cih"; Bob decrypts it with the same shared key "unitue" to recover the plaintext "I love you".]

Early permutation cipher: scytale

Encryption: Wrap a parchment strip over a wooden rod of a fixed diameter and write letters along the rod.

Decryption: Wrap a received strip over a wooden rod of the same diameter and read off the text.

Example:

troops
headin
gnorth
sendmo
refood

→ thgsr renee oaonf odrdo pitmo snhod
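The scytale as a row/column transposition, reproducing the example grid above. This is an added example, not part of the original slides; the function names, the `row_width` parameter (standing in for the rod diameter) and the padding letter are assumptions.

```python
def scytale_encrypt(plaintext: str, row_width: int, pad: str = "x") -> str:
    """Write the letters in rows of `row_width`, then read the grid column by column."""
    text = "".join(ch for ch in plaintext.lower() if ch.isalpha())
    # Pad the last row so the grid is a full rectangle (padding letter is an assumption).
    text += pad * (-len(text) % row_width)
    rows = [text[i:i + row_width] for i in range(0, len(text), row_width)]
    return "".join(row[col] for col in range(row_width) for row in rows)


def scytale_decrypt(ciphertext: str, row_width: int) -> str:
    """Cut the strip back into columns and read the rows."""
    if len(ciphertext) % row_width:
        raise ValueError("ciphertext length must be a multiple of the row width")
    n_rows = len(ciphertext) // row_width
    cols = [ciphertext[i:i + n_rows] for i in range(0, len(ciphertext), n_rows)]
    return "".join(col[row] for row in range(n_rows) for col in cols)


if __name__ == "__main__":
    strip = scytale_encrypt("troops heading north send more food", 6)
    print(strip)                       # the strip from the slide, without spaces
    print(scytale_decrypt(strip, 6))   # same row width: readable text
    print(scytale_decrypt(strip, 5))   # different row width: scrambled letters
```

The only secret is the row width, so the letters themselves are never changed, only reordered.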

Monoalphabetic substitution cipher: Caesar

Encryption: Replace each letter with the one three positions to the right in the alphabet.

Decryption: Replace each letter with the one three positions to the left in the alphabet.

Example:

HABES OPINIONIS MEAE TESTIMONIUM

MDEHV RSNQNRQNV PHDH XHVXNPRQNZP

Polyalphabetic substitution cipher: Vigenère

Encryption: Write the key over a message, repeating as necessary. Substitute each letter with the one from an appropriate column in the Vigenère tableau.

Decryption: Same as encryption, use a row instead of a column.

Example:

unitueun
iloveyou

→ cywoycih

Polyalphabetic substitution: Enigma

Operating principle: electromechanical varying map substitution

Main components:

3–5 rotors with pre-defined connectivity

inter-rotor rings: mapping between letters and connections

letter swap by jumper cables

Key definition: rotor types, ring positions, jumper settings

Tag UKW Walzenlage Ringstellung ---- Steckerverbindungen ----

31 B I IV III 16 26 08 AD CN ET FL GI JV KZ PU QY WX

30 B II V I 18 24 11 BN DZ EP FX GT HW IY OU QV RS

29 B III I IV 01 17 22 AH BL CX DI ER FK GU NP OQ TY

One-time pad ciphers

Encryption:

Generate a random key sequence.

Add a key to a message using modular arithmetic.

Decryption:

Subtract a key from a message using modular arithmetic.

Example:

7 (H) 4 (E) 11 (L) 11 (L) 14 (O) message

+ 23 (X) 12 (M) 2 (C) 10 (K) 11 (L) key

= 30 16 13 21 25 message + key

= 4 (E) 16 (Q) 13 (N) 21 (V) 25 (Z) mod 26
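The Vigenère tableau lookup and the one-time pad are the same operation, letter-wise addition of a key modulo 26; they differ only in whether the key repeats. The following added example (not part of the original slides) covers both the Vigenère and the one-time pad passages and reproduces both worked examples. The function names are assumptions, and inputs are restricted to lowercase a to z.

```python
import secrets
import string

ALPHABET = string.ascii_lowercase  # a=0 ... z=25, as in the one-time pad example


def add_key(text: str, key: str, sign: int) -> str:
    """Add (sign=+1) or subtract (sign=-1) the key letters modulo 26."""
    if not key:
        raise ValueError("empty key")
    out = []
    for i, ch in enumerate(text):
        k = ALPHABET.index(key[i % len(key)])  # repeat the key as necessary
        out.append(ALPHABET[(ALPHABET.index(ch) + sign * k) % 26])
    return "".join(out)


def vigenere_encrypt(plaintext: str, key: str) -> str:
    return add_key(plaintext, key, +1)


def vigenere_decrypt(ciphertext: str, key: str) -> str:
    return add_key(ciphertext, key, -1)


def otp_generate_key(length: int) -> str:
    """Draw one uniformly random key letter per message letter."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def otp_encrypt(message: str, key: str) -> str:
    # A pad shorter than the message would have to repeat, which turns the
    # scheme back into Vigenere, so refuse it.
    if len(key) < len(message):
        raise ValueError("one-time pad key must be at least as long as the message")
    return add_key(message, key, +1)


def otp_decrypt(ciphertext: str, key: str) -> str:
    if len(key) < len(ciphertext):
        raise ValueError("one-time pad key must be at least as long as the message")
    return add_key(ciphertext, key, -1)


if __name__ == "__main__":
    print(vigenere_encrypt("iloveyou", "unitue"))   # slide example: key repeats
    print(otp_encrypt("hello", "xmckl"))            # slide example: key as long as message
    pad = otp_generate_key(5)
    print(otp_decrypt(otp_encrypt("hello", pad), pad))
```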

Feistel cipher: S and P boxes

S-box

Complex substitution controlled by a key

Secure if enough internal states

Unrealizable for a large number of states

P-box

Block-wise permutation of digits

Simple transformation with maximal entropy

Insecure against a “tickling attack”

Feistel network

Revival of the idea of a product cipher

Strong polyalphabetic substitution via multiple rounds

Follows theoretical principles of Shannon

A practical Feistel cipher

A multiple-round scheme with separate keys

Encryption:

$L_{i+1} = R_i$

$R_{i+1} = L_i \oplus f(K_i, R_i)$

Decryption: reverse the key order

$L_{i+1} = R_i$

$R_{i+1} = L_i \oplus f(K_{n-i}, R_i)$

3 rounds suffice to achieve a pseudorandom permutation
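The round equations above as runnable code, showing that decryption is the same network with the round keys in reverse order, even though the round function f is not invertible. This is an added example, not part of the original slides; the truncated SHA-256 round function, the final swap of the halves (as in the DES "32 bit Swap") and the sample round keys are assumptions chosen for illustration.

```python
import hashlib


def round_function(round_key: bytes, half: bytes) -> bytes:
    """Toy f(K_i, R_i): truncated SHA-256 (an assumption; DES uses S- and P-boxes)."""
    return hashlib.sha256(round_key + half).digest()[:len(half)]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def feistel(block: bytes, round_keys: list) -> bytes:
    """Run one pass of the network over `block` with the keys in the given order."""
    if len(block) % 2 or len(block) > 64:
        raise ValueError("block must have an even length of at most 64 bytes")
    half = len(block) // 2
    left, right = block[:half], block[half:]
    for key in round_keys:
        # L_{i+1} = R_i ;  R_{i+1} = L_i XOR f(K_i, R_i)
        left, right = right, xor(left, round_function(key, right))
    # Swap the halves once more so that the same routine undoes itself
    # when it is fed the round keys in reverse order.
    return right + left


def encrypt(block: bytes, round_keys: list) -> bytes:
    return feistel(block, round_keys)


def decrypt(block: bytes, round_keys: list) -> bytes:
    return feistel(block, round_keys[::-1])


if __name__ == "__main__":
    keys = [b"k1", b"k2", b"k3", b"k4"]   # constructed sample round keys
    ciphertext = encrypt(b"ILOVEYOU", keys)
    print(ciphertext.hex())
    print(decrypt(ciphertext, keys))       # original block
    print(feistel(ciphertext, keys))       # keys not reversed: not the plaintext
```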

DES: Digital Encryption Standard

Adopted in 1977 after two rounds of proposals

Won by IBM’s Lucifer cipher based on Feistel’s design

Key length reduced by NIST from 128 bits to 56 bits

Subject to extensive cryptanalysis research in the 1990s

Broken by specialized hardware crackers in 1997–1999 (fastest result: 22 hours 15 minutes by Deep Crack)

Still widely used in practice (as 3DES)

Replaced by Advanced Encryption Standard (AES) in 2000

DES overview

[Figure: DES overview. Data path: 64 bit plaintext, Initial Permutation, Iteration 1, Iteration 2, ..., Iteration 16, 32 bit Swap, Inverse Initial Permutation, 64 bit ciphertext. Key path: the 56 bit key passes through Permuted Choice 1; for each iteration a Left Circular Shift followed by Permuted Choice 2 produces the round key K_1, K_2, ..., K_16.]

DES round structure

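[Figure: DES round structure. Data to be encrypted: the 32 bit halves L_{i-1} and R_{i-1}; R_{i-1} passes through the Expansion Permutation (32 to 48 bits), is combined (+) with the 48 bit round key K_i, passes through the S-Box Choice Substitution (48 to 32 bits) and a Permutation, and is combined (+) with L_{i-1}; the outputs are L_i and R_i. Key used for encryption: the 28 bit halves C_{i-1} and D_{i-1} are each left shifted to give C_i and D_i, and the Permutation Contraction (Perm. Choice 2) yields the 48 bit K_i.]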

Other symmetric ciphers

Block ciphers

Algorithm   Key size      Block size   Rounds      Applications
3DES        112/168       64           48          Finance, PGP, S/MIME
AES         128/192/256   128          10/12/14    Repl. for DES/3DES
IDEA        128           64           8           PGP
Blowfish    up to 448     64           16          Various software
RC5         up to 2048    64           up to 255   Various software

Stream ciphers

Algorithm   Key size   IV    State   Applications
A5/2        54         114   64      GSM
RC4         40-256     8     2064    WEP, WPA, SSL, SSH, Kerberos, etc.

Résumé of symmetric cryptography

Provides (with some exceptions) a reliable means for enforcing confidentiality

Highly efficient

Key distribution is a major problem!

Asymmetric cryptography

[Figure: Alice encrypts the plaintext "I love you" with Bob's public key "unitue" into the ciphertext "C ywoy cih"; Bob decrypts it with his private key "zxtr9y" to recover the plaintext "I love you". The two keys form a specially generated keypair.]

Prime numbers

An integer p is a prime number if its only divisors are 1 and p.

A positive integer c is said to be the greatest common divisor of a and b if

c is a divisor of a and of b;

any divisor of a and of b is a divisor of c.

Integers a and b are said to be relatively prime if gcd(a, b) = 1.

Euler’s totient function

A totient $\varphi(n)$ of an integer n is the number of integers less than n that are relatively prime to n.

Example: $\varphi(9) = 6$: $\{1, 2, 4, 5, 7, 8\}$

Two integers a and b are congruent modulo n, written as $a \equiv b \bmod n$, if

$(a \bmod n) = (b \bmod n)$

Euler’s Theorem: If a and n are relatively prime, then $a^{\varphi(n)} \equiv 1 \bmod n$.

RSA overview

Alice sends her love message to Bob via RSA:

Bob: Generate a keypair $K_u$ / $K_r$

Bob: Send $K_u$ to Alice

Alice: Encrypt plaintext M with $K_u$

Alice: Send ciphertext C to Bob

Bob: Decrypt C with $K_r$

RSA key generation

Step                                      Condition
Select p, q                               p, q prime, $p \neq q$
Compute $n = pq$
Compute $\varphi(n) = (p-1)(q-1)$
Select $1 < e < \varphi(n)$               $\gcd(\varphi(n), e) = 1$
Compute d                                 $(de) \bmod \varphi(n) = 1$   $(*)$
Public key                                $K_u = \{e, n\}$
Private key                               $K_r = \{d, n\}$

RSA encryption and decryption

Encryption:

Plaintext: $M < n$

Ciphertext: $C = M^e \bmod n$

Decryption:

Ciphertext: $C$

Plaintext: $M = C^d \bmod n$
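Key generation, encryption and decryption carried through with small numbers. This is an added example, not part of the original slides: the primes p = 61, q = 53, the exponent e = 17 and the message M = 65 are constructed toy values, the function names are assumptions, and this is textbook RSA without padding.

```python
from math import gcd


def is_prime(x: int) -> bool:
    """Trial division; adequate only for the toy primes used here."""
    return x > 1 and all(x % d for d in range(2, int(x ** 0.5) + 1))


def egcd(a: int, b: int):
    """Extended Euclid: return (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def rsa_keygen(p: int, q: int, e: int):
    """Follow the key generation steps; returns (K_u, K_r) = ((e, n), (d, n))."""
    if not (is_prime(p) and is_prime(q)) or p == q:
        raise ValueError("p and q must be distinct primes")
    n = p * q
    phi = (p - 1) * (q - 1)
    if not 1 < e < phi or gcd(phi, e) != 1:
        raise ValueError("need 1 < e < phi(n) and gcd(phi(n), e) = 1")
    d = egcd(e, phi)[1] % phi          # (d*e) mod phi(n) = 1
    return (e, n), (d, n)


def rsa_encrypt(m: int, public_key) -> int:
    e, n = public_key
    if not 0 <= m < n:
        raise ValueError("plaintext must satisfy M < n")
    return pow(m, e, n)                # C = M^e mod n


def rsa_decrypt(c: int, private_key) -> int:
    d, n = private_key
    return pow(c, d, n)                # M = C^d mod n


if __name__ == "__main__":
    # Constructed toy parameters; real keys use primes hundreds of digits long.
    k_u, k_r = rsa_keygen(p=61, q=53, e=17)
    c = rsa_encrypt(65, k_u)
    print(k_u, k_r, c, rsa_decrypt(c, k_r))
```

With n this small the round trip can be checked for every M below n, including the multiples of p and q.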

Correctness of RSA encryption

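By the property $(*)$,

$(de) \bmod \varphi(n) = 1 \Rightarrow \exists k: (de) = 1 + k\varphi(n)$.

Then,

$M \stackrel{?}{\equiv} C^d \bmod n$

$\equiv (M^e)^d \bmod n$

$\equiv M^{(ed)} \bmod n$

$\equiv M^{1+k\varphi(n)} \bmod n$

$\stackrel{?}{\equiv} M \bmod n$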

Correctness of RSA encryption (ctd.)

For prime numbers p,

$\varphi(p) = (p-1)$.

By the key generation algorithm and the multiplicative property of the totient function,

$\varphi(n) = \varphi(p)\,\varphi(q) = (p-1)(q-1)$.

By Euler’s Theorem, if p does not divide M,

$M^{(p-1)} = 1 \bmod p$

and since $(p-1)$ divides $\varphi(n)$

$M^{1+k\varphi(n)} \equiv M \bmod p$.

Similar argument holds for q and hence for $n = pq$.

What’s secret in RSA?

An attacker needs to know d to decrypt C.

To find d, an attacker needs to solve $(*)$:

$(de) \bmod \varphi(n) = 1$.

For this, he needs to know $\varphi(n)$.

If p and q are known, then finding $\varphi(n)$ is trivial:

$\varphi(n) = (p-1)(q-1)$

However p and q are discarded during key generation.

Factoring n into a product of two prime numbers is an intractable problem!

Finding $\varphi(n)$ directly is likewise intractable.

Other asymmetric ciphers

Algorithm        E/D   D.S.   KEX   Hardness
RSA              Yes   Yes    Yes   Factorization
ElGamal          Yes   No     No    DLP
DSS              No    Yes    No    DLP
Diffie-Hellman   No    No     Yes   DLP
Elliptic curve   Yes   Yes    Yes   EC DLP

Summary

Cryptographic methods provide solutions for various confidentiality, integrity and authentication tasks.

Symmetric cryptography is based on a single key that must be shared between the communication parties and kept secret.

Asymmetric cryptography is based on two related keys; only one of them (private key) must be kept secret, the other one (public key) can be distributed over insecure media.

Next lecture

Cryptographic hash functions

Digital signatures
