IT3122 Cryptography PDF
Document Details
Uploaded by Deleted User
Tags
Summary
These are lecture notes on the topic of cryptography. The notes cover symmetric and asymmetric cryptography, substitution ciphers, and cryptanalysis. The notes also include examples of different types of ciphers, and ways to break ciphers, including brute force attacks, and frequency analysis.
Full Transcript
Cryptography IT3122 Computer Security Intended Learning Outcomes Present an overview of the main concepts of symmetric cryptography. Explain the operation of a monoalphabetic substitution cipher. Describe the different ways of attacking ciphers. Explain the difference between c...
Cryptography IT3122 Computer Security Intended Learning Outcomes Present an overview of the main concepts of symmetric cryptography. Explain the operation of a monoalphabetic substitution cipher. Describe the different ways of attacking ciphers. Explain the difference between cryptanalysis and brute-force attack. Explain the operation of the shift cipher and the affine cipher. Explain the operation of a polyalphabetic substitution cipher. Explain the operation of a transposition cipher. Overview of the Field of Cryptology Cryptography and Cryptanalysis Cryptography: The science of securing communication against an adversary. Cryptanalysis: The science and sometimes art of breaking cryptosystems. Cryptography Symmetric Algorithms All cryptography from ancient times until 1976. Two parties have an encryption and decryption method for which they share a secret key. Asymmetric/Public-Key Algorithms Introduced by Whitfield Diffie, Martin Hellman and Ralph Merkle in 1976. Two keys exist: A user possesses a secret key as in symmetric cryptography but also a public key. Cryptographic Protocols Realize more complex security functions using cryptographic algorithms. Hybrid Schemes In most cryptographic applications in practical systems, symmetric and asymmetric algorithms (and often also hash functions) are all used together. The reason for using both families of algorithms is that each has specific strengths and weaknesses. Symmetric Cryptography Also referred to as symmetric-key, secret-key and single-key cryptography. Problem Statement: 1. There are two users, Alice and Bob, who want to communicate over an insecure channel. 2. The bad guy, Oscar has access to the channel, but should not be able to understand the communication. Communication over an Insecure Channel Solution: Symmetric Cryptography Alice encrypts her message x using a symmetric algorithm, yielding the ciphertext y. Bob receives the ciphertext and decrypts the message. Decryption is the inverse process of encryption. If we have a strong encryption algorithm, the ciphertext will look like random bits and Oscar will not be able to obtain any useful information from it. Solution: Symmetric-key Cryptosystem x – plaintext/cleartext y – ciphertext k – key The problem of transmitting a message securely is reduced to the problems of transmitting a key secretly and of storing the key in a secure fashion. Encryption and Decryption Encryption: 𝑦 = 𝑒𝑘 (𝑥) or 𝑌 = 𝐸(𝐾, 𝑋) Decryption: 𝑥 = 𝑑𝑘 𝑦 or X = 𝐷(𝐾, 𝑌) x – plaintext/cleartext y – ciphertext k – key Substitution Cipher Substitution = Replacement. Historically substitution cipher has been widely used. Goal: The encryption of text (as opposed to bits in modern digital systems). Idea: Substitute each letter of the alphabet with another one. Monoalphabetic Substitution Cipher x A B C D E F G H I J K L M y k d w h l j o b t q y c v x N O P Q R S T U V W X Y Z y u s z m g a e x f n i p r x – plaintext y – ciphertext Encryption: HELLO WORLD → blccs nsgch Decryption: ossh vsgutuo → GOOD MORNING Example: Breaking the Cipher iq ifcc vqqr fb rdq vfllcq na rdq cfjwhwz hr bnnb hcc hwwhbsqvqbre hwq vhlq First Attack: Brute-Force Attack or Exhaustive Key Search Brute-force attacks treat the cipher as a black box. Oscar, the attacker, has the ciphertext from eavesdropping on the channel and happens to have a short piece of plaintext, e.g., the header of a file that was encrypted. Oscar now simply decrypts the first piece of ciphertext with all possible keys. If the resulting plaintext matches the short piece of plaintext, he knows that he has found the correct key. Note: In practice, a brute-force attack can be more complicated because incorrect keys can give false positive results. Definition: Basic Exhaustive Key Search or Brute-Force Attack Let (𝑥, 𝑦) denote the pair of plaintext and ciphertext, and let 𝐾 = 𝑘1 , … , 𝑘𝜅 be the key space of all possible keys 𝑘𝑖. A brute-force attack now checks for every 𝑘𝑖 ∈ 𝐾 whether 𝑑 𝑘𝑖 𝑦 ≟ 𝑥 If the equality holds, a possible correct key is found; if not, proceed with the next key. First Attack: Brute-Force Attack or Exhaustive Key Search Key Space: The set of all possible keys. Key space of the substitution cipher = 26 × 25 × ⋯ × 3 × 2 × 1 = 26! ≈ 288 The key space has roughly a size of 288 , which is equal to the key space of a cipher that has a key consisting of 88 bits. Even with hundreds of thousands of high-end PCs such a search would take several decades! Is the substitution cipher secure? Second Attack: Letter Frequency Analysis The brute-force attack from above treats the cipher as a black box, i.e., we do not analyze the internal structure of the cipher. The substitution cipher can easily be broken by such an analytical attack. Major weakness of the substitution cipher: each plaintext symbol always maps to the same ciphertext symbol. The statistical properties of the plaintext are preserved in the ciphertext. Properties of Language that can be Exploited 1. Determine the frequency of every ciphertext letter. The frequency distribution, usually quite stable even for relatively short pieces of encrypted text, will be close to that of the given language in general. The most frequent letters can often easily be spotted in ciphertexts. For instance, in English E is the most frequent letter (about 13%), T is the second most frequent letter (about 9%), A is the third most frequent letter (about 8%), and so on. Relative Letter Frequencies of the English Language Properties of Language that can be Exploited 2. The method above can be generalized by looking at pairs or triples, or quadruples, and so on of ciphertext symbols. For instance, in English, the letter Q is almost always followed by a U. This behavior can be exploited to detect the substitution of the letter Q and the letter U. Properties of Language that can be Exploited 3. If we assume that word separators, which means “blanks”, have been found one can often detect frequent short words such as THE, AND, etc. Once we have identified one of these words, we immediately know three letters (or whatever the length of the word is) for the entire text. Solution: Breaking the Cipher WE WILL MEET IN THE MIDDLE OF THE LIBRARY AT NOON ALL ARRANGEMENTS ARE MADE Lesson Learned Good ciphers should hide the statistical properties of the encrypted plaintext. The ciphertext symbols should appear to be random. A large key space alone is not sufficient for a strong encryption function. Cryptanalysis The science and sometimes art of breaking cryptosystems. Classical Cryptanalysis Ciphertext-only Attack: The adversary has only access to the ciphertext. Known-plaintext Attack: In addition to the ciphertext, the adversary also knows some pieces of the plaintext. Chosen-plaintext Attack: The adversary can choose the plaintext that is being encrypted and has access to the corresponding ciphertext. Chosen-ciphertext Attack: The adversary can choose ciphertexts and obtains the corresponding plaintexts. Cryptanalysis vs Brute-force Attack Cryptanalysis: Cryptanalytic attacks rely on the nature of the algorithm plus perhaps some knowledge of the general characteristics of the plaintext or even some sample plaintext–ciphertext pairs. This type of attack exploits the characteristics of the algorithm to attempt to deduce a specific plaintext or to deduce the key being used. Brute-force Attack: The attacker tries every possible key on a piece of ciphertext until an intelligible translation into plaintext is obtained. On average, half of all possible keys must be tried to achieve success. Implementation Attacks Side-channel analysis can be used to extract a secret key by observing the behaviour of a cryptographic implementation. E.g., Using the electrical power consumption or electromagnetic radiation of the CPU that computes the cryptographic algorithms as side channels, the attacker records the power or electromagnetic traces and applies signal processing techniques to recover the key. Timing side-channels: The adversary measures the run time behavior of a cryptographic implementation and attempts to compute the key from the timing measurements Software side-channels: The adversary controls one process with which he or she can learn secret values such as cryptographic keys from another process by exploiting effects such as timing behaviour or cache access patterns. Social Engineering Attacks Bribing Blackmailing Tricking Classical espionage https://xkcd.com/538/ Lesson Learned An attacker always looks for the weakest link in your cryptosystem. That means we must choose strong algorithms, and we must make sure that all other attacks such as social engineering and implementation attacks are not feasible. Security by Obscurity A system can appear to be more secure because we keep the details hidden. However, experience and military history has shown over time that such systems are almost always weak, and they are very often broken easily as soon as the secret design has been reverse-engineered or leaked out through other means. E.g., Content Scramble System (CSS) Kerckhoffs’ Principle Kerckhoff’s Principle: A cryptosystem should be secure even if the attacker knows all details about the system, with the exception of the secret key. In particular, the system should be secure when the attacker knows the encryption and decryption algorithms. Solid cryptosystems should adhere to Kerckhoffs’ Principle. Shift/Caesar Cipher A B C D E F G H I J K L M 0 1 2 3 4 5 6 7 8 9 10 11 12 N O P Q R S T U V W X Y Z 13 14 15 16 17 18 19 20 21 22 23 24 25 Let 𝑥, 𝑦, 𝑘 ∈ ℤ26. Encryption: 𝑦 = 𝑒𝑘 𝑥 ≡ 𝑥 + 𝑘 𝑚𝑜𝑑 26 Decryption: 𝑥 = 𝑑𝑘 𝑦 ≡ 𝑦 − 𝑘 𝑚𝑜𝑑 26 Ways of Attacking Shift Cipher 1. Brute-force Attack: Since there are only 26 different keys (shift positions), one can easily launch a brute-force attack by trying to decrypt a given ciphertext with all possible 26 keys. 2. Letter Frequency Analysis: As soon as the attacker has discovered the ciphertext letter for one plaintext letter, he/she knows the number of shifts and thus has the key Affine Cipher Extension of the shift cipher. Let 𝑥, 𝑦, 𝑎, 𝑏 ∈ ℤ26. Encryption: 𝑦 = 𝑒𝑘 𝑥 ≡ 𝑎𝑥 + 𝑏 𝑚𝑜𝑑 26 Decryption: 𝑥 = 𝑑𝑘 𝑦 ≡ 𝑎−1 (𝑦 − 𝑏) 𝑚𝑜𝑑 26 with the key: 𝑘 = (𝑎, 𝑏), which has the restriction: gcd 𝑎, 26 = 1. Affine Cipher An element 𝑎 and the modulus must be relatively prime for the inverse of 𝑎 to exist. 𝑎 ∈ {1, 3, 5, 7, 9, 11, 15, 17, 19, 21, 23, 25} 𝑎 ∙ 𝑎−1 ≡ 1 𝑚𝑜𝑑 26 E.g., if 𝑎 = 3, then 𝑎−1 = 9 since 3 ∙ 9 = 27 ≡ 1 𝑚𝑜𝑑 26. The inverse of 𝑎−1 is 𝑎 itself. Ways of Attacking Affine Cipher 1. Brute-force Attack: Since there are only 312 different keys, one can easily launch a brute- force attack by trying to decrypt a given ciphertext with all possible 312 keys. 2. Letter Frequency Analysis Polyalphabetic Substitution Cipher (Vigenère Cipher) Extension of the shift cipher. Instead of using a single key 𝑘 for the shift, it uses 𝑙 different shifts that are derived from a secret code word 𝑐. The code word consists of 𝑙 letters and has the form 𝑐 = (𝑐0 , 𝑐1 , … , 𝑐𝑙−1 ). Each letter 𝑐𝑖 corresponds to a number 0, … , 25, which is given by its position in the alphabet. These numbers are the 𝑙 shift positions, which we denote (𝑘0 , 𝑘1 , … , 𝑘𝑙−1 ). Encryption: 𝑦𝑗 ≡ 𝑥𝑗 + 𝑘(𝑗 𝑚𝑜𝑑 𝑙) 𝑚𝑜𝑑 26 Decryption: 𝑥𝑗 ≡ 𝑦𝑗 − 𝑘(𝑗 𝑚𝑜𝑑 𝑙) 𝑚𝑜𝑑 26 where 𝑥𝑗 denotes the 𝑗th letter of the plaintext 𝑥 = (𝑥0 , 𝑥1 , … ). Plaintext: GOODMORNING Key: APPLEAPPLEA Ciphertext: GDDOQOGCTRG WEAREDISCOVEREDSAVEYOURSELF ALGORITHMALGORITHMALGORITHM WPGFVLBZOOGKFVLLHHEJUIIAXSR Cryptanalysis of Vigenère Cipher The strength of this cipher is that there are multiple ciphertext letters for each plaintext letter, one for each unique letter of the keyword. Thus, the letter frequency information is obscured. However, not all knowledge of the plaintext structure is lost. Cryptanalysis of Vigenère Cipher An analyst looking at only the ciphertext would detect the repeated sequences FVL at a displacement of 9 and assume that the keyword is either three or nine letters in length. The appearance of FVL twice could be by chance and may not reflect identical plaintext letters encrypted with identical key letters. However, if the message is long enough, there will be several such repeated ciphertext sequences. By looking for common factors in the displacements of the various sequences, the analyst should be able to make a good guess of the keyword length. Cryptanalysis of Vigenère Cipher If the keyword length is 𝑚, then the cipher, in effect, consists of 𝑚 monoalphabetic substitution ciphers. E.g., with the keyword ALGORITHM, the letters in positions 1, 10, 19, and so on are all encrypted with the same monoalphabetic cipher. Thus, we can use the known frequency characteristics of the plaintext language to attack each of the monoalphabetic ciphers separately. Cryptanalysis of Vigenère Cipher The periodic nature of the keyword can be eliminated by using a nonrepeating keyword that is as long as the message itself. Transposition Cipher Mapping is achieved by performing some sort of permutation on the plaintext letters. Transpositions might look less secure than substitutions, but can in fact be more secure. E.g., rail fence technique: THEQUICKBROWNFOXJUMPSOVERTHELAZYDOG t e u c b o n o j m s v r h l z d g h q i k r w f x u p o e t e a y o teucbonojmsvrhlzdghqikrwfxupoeteayo Scytale of Sparta Columnar Transposition Key: 4 3 1 2 5 6 7 Plaintext: T H E Q U I C K B R O W N F O X J U M P S O V E R T H E L A Z Y D O G Ciphertext: ERJEZQOURYHBXVATKOOLUWMTDINPHOCFSEG Cryptanalysis of Transposition Cipher A pure transposition cipher is easily recognized because it has the same letter frequencies as the original plaintext. For the type of columnar transposition just shown, cryptanalysis is straightforward and involves laying out the ciphertext in a matrix and playing around with column positions. Digram and trigram frequency tables can be useful. Cryptanalysis of Transposition Cipher The transposition cipher can be made significantly more secure by performing more than one stage of transposition. The result is a more complex permutation that is not easily reconstructed. Double Transposition Key: 4 3 1 2 5 6 7 Plaintext: E R J E Z Q O U R Y H B X V A T K O O L U W M T D I N P H O C F S E G Ciphertext: JYKTCEHODFRRTMOEUAWHZBOISQXLNEOVUPG Questions References C. Paar, J. Pelzl and T. Güneysu, “Introduction to Cryptography and Data Security,” Understanding Cryptography: From Established Symmetric and Asymmetric Ciphers to Post-Quantum Algorithms, Springer, 2nd Edition, 2024, pp. 1–35. W. Stallings, “Classical Encryption Techniques,” Cryptography and Network Security: Principles and Practice, 8th Edition, 2023, pp. 83–111.