# MS 1 Cryptography History & Puzzles Substitution Ciphers The birth of Cryptanalysis Modern Times DES Diffie-Hellman key exchange RSA PGP Contentious Issues.


MS 1 Cryptography: History & Puzzles; Substitution Ciphers; The birth of Cryptanalysis; Modern Times; DES; Diffie-Hellman key exchange; RSA; PGP; Contentious Issues.
Reading: "Applied Cryptography", Bruce Schneier; "Cracking DES", Electronic Frontier Foundation; "The Code Book", Simon Singh.

MS 2 Cryptography. The Basic Idea: plaintext → algorithm (with a key) → ciphertext. Two approaches:
1) Make the algorithm secret and don't use a key. (Bad Idea)
2) Make the algorithm public but keep the key secret. (Good Idea)
Bmp example.

MS 3 Before Computers. Substitution ciphers ruled:

```text
Caesar (shift by N; here N = 3): 26 possibilities, easy to decode
  plain:  A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
  cipher: D E F G H I J K L M N O P Q R S T U V W X Y Z A B C

Key phrase (here BUSH AND GORE): lots of possibilities, a bit harder to decode
  plain:  A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
  cipher: B U S H A N D G O R E F I J K L M P Q T V W X Y Z C

Random mapping: 4 x 10^26 possibilities, harder to decode
  plain:  A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
  cipher: N D T V G K L M R E P O F I J Q U S W X B H A Y Z C
```

MS 4 Before Computers. Cryptanalysis: first known publication: "A Manuscript on Deciphering Cryptographic Messages" by the ninth-century Arab scholar Abu Yusuf Ya'qub ibn Is-haq ibn as-Sabbah ibn 'omran ibn Ismail al-Kindi. Statistical "frequency analysis" of letters and words can easily break any mono-alphabetic substitution cipher. In English: most common letters: E, T, A, O, I, N, S, …; most common two-letter words: ON, AS, TO, AT, IT, …; most common three-letter words: THE, AND, FOR, WAS, …

MS 5 Worked example: a mono-alphabetic substitution cipher (word breaks kept). Ciphertext:

```text
ORITFSIMU YKFMUNM WIUNIS UEI HFKK RIMIXFMD UEI PVUENRFUA NC
UEI MPUFNM'T FMUIKKFDIMYI PDIMYFIT HIYPVTI FU YNMUPFMT XEPU
EI YPKKIS P ORNWFTFNM UEPU XNVKS LPJI FU P YRFLI CNR P
DNWIRMLIMU NCCFYFPK UN SFTYKNTI YKPTTFCFIS FMCNRLPUFNM.
```

First guess: the repeated three-letter word UEI is probably "the", so U=t, E=h, I=e:

```text
--e---e-t ----t-- -et-e- the ---- -e-e---- the --th---t- --
the --t---'- --te----e--e --e---e- -e----e -t -------- -h-t
he ----e- - --------- th-t ----- ---e -t - ----e --- -
---e---e-t -------- t- -------e --------e- -------t---.
```

MS 6 Next the one-letter word P gives P=a:

```text
--e---e-t ----t-- -et-e- the ---- -e-e---- the a-th---t- --
the -at---'- --te----e--e a-e---e- -e-a--e -t ---ta--- -hat
he -a--e- a --------- that ----- -a-e -t a ----e --- a
---e---e-t ------a- t- -------e --a-----e- ------at---.
```

then F=i, N=o:

```text
--e-i-e-t --i-to- -etoe- the -i-- -e-e-i-- the a-tho-it- o-
the -atio-'- i-te--i-e--e a-e--ie- -e-a--e it -o-tai-- -hat
he -a--e- a --o-i-io- that -o--- -a-e it a --i-e -o- a
-o-e---e-t o--i-ia- to -i---o-e --a--i-ie- i--o--atio-.
```

MS 7 Next C=f, R=r:

```text
-re-i-e-t --i-to- -etoe- the -i-- re-e-i-- the a-thorit- of
the -atio-'- i-te--i-e--e a-e--ie- -e-a--e it -o-tai-- -hat
he -a--e- a -ro-i-io- that -o--- -a-e it a -ri-e for a
-o-er--e-t offi-ia- to -i---o-e --a--ifie- i-for-atio-.
```

then Y=c, K=l, V=u, A=y:

```text
-re-i-e-t cli-to- -etoe- the -ill re-e-i-- the authority of
the -atio-'- i-telli-e-ce a-e-cie- -ecau-e it co-tai-- -hat
he calle- a -ro-i-io- that -oul- -a-e it a cri-e for a
-o-er--e-t official to -i-clo-e cla--ifie- i-for-atio-.
```

MS 8 Next O=p, T=s, S=d, M=n, L=m:

```text
president clinton -etoed the -ill rene-in- the authority of
the nation's intelli-ence a-encies -ecause it contains -hat
he called a pro-ision that -ould ma-e it a crime for a
-o-ernment official to disclose classified information.
```

and finally W=v, H=b, D=g, X=w, J=k:

```text
president clinton vetoed the bill renewing the authority of
the nation's intelligence agencies because it contains what
he called a provision that would make it a crime for a
government official to disclose classified information.
```
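The frequency-analysis steps of slides 4 to 8 in code, as an added example that is not part of the slides: it counts letter and word frequencies in the slide's ciphertext, reproduces the opening "UEI = the" guess, and applies the accumulated key. The function names are my own.

```python
from collections import Counter

# Ciphertext from slides 5-8 (mono-alphabetic substitution, word breaks kept)
CIPHERTEXT = (
    "ORITFSIMU YKFMUNM WIUNIS UEI HFKK RIMIXFMD UEI PVUENRFUA NC "
    "UEI MPUFNM'T FMUIKKFDIMYI PDIMYFIT HIYPVTI FU YNMUPFMT XEPU "
    "EI YPKKIS P ORNWFTFNM UEPU XNVKS LPJI FU P YRFLI CNR P "
    "DNWIRMLIMU NCCFYFPK UN SFTYKNTI YKPTTFCFIS FMCNRLPUFNM."
)

# Cipher letter -> plain letter, in the order the slides guessed them
FULL_KEY = {
    "U": "t", "E": "h", "I": "e", "P": "a", "F": "i", "N": "o",
    "C": "f", "R": "r", "Y": "c", "K": "l", "V": "u", "A": "y",
    "O": "p", "T": "s", "S": "d", "M": "n", "L": "m",
    "W": "v", "H": "b", "D": "g", "X": "w", "J": "k",
}


def letter_ranking(text):
    """Cipher letters ordered from most to least frequent."""
    counts = Counter(ch for ch in text if ch.isalpha())
    return [letter for letter, _ in counts.most_common()]


def word_ranking(text, length):
    """Most common words of a given length, punctuation stripped."""
    words = (w.strip(".,'") for w in text.split())
    counts = Counter(w for w in words if len(w) == length)
    return [w for w, _ in counts.most_common()]


def decode(text, key):
    """Apply a (possibly partial) key; unknown letters print as '-' as on the slides."""
    return "".join(key.get(ch, "-") if ch.isalpha() else ch for ch in text)


def first_guess(text):
    """The slides' opening move: the most common three-letter word is probably
    'the', and the most common single letter is probably 'e'."""
    key = dict(zip(word_ranking(text, 3)[0], "the"))
    key.setdefault(letter_ranking(text)[0], "e")
    return key
```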

MS 9 There are patches to try to increase the security of the mono-alphabetic substitution cipher:
- Eliminate spaces
- Use many-to-one mappings that level the frequencies
- Lots of other clever ideas…
Still very weak! Clever cryptanalysts knew how to beat them all hundreds of years ago!! Polyalphabetic substitution ciphers provided the next big step (worked OK until the dawn of modern computers). Idea: use many different substitution alphabets, different ones for different letters.

MS 10 Vigenere square (1586). Row N is the alphabet shifted by N; the column is the plaintext letter:

```text
     a b c d e f g h i j k l m n o p q r s t u v w x y z
 1   B C D E F G H I J K L M N O P Q R S T U V W X Y Z A
 2   C D E F G H I J K L M N O P Q R S T U V W X Y Z A B
 3   D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
 4   E F G H I J K L M N O P Q R S T U V W X Y Z A B C D
 5   F G H I J K L M N O P Q R S T U V W X Y Z A B C D E
 6   G H I J K L M N O P Q R S T U V W X Y Z A B C D E F
 7   H I J K L M N O P Q R S T U V W X Y Z A B C D E F G
 8   I J K L M N O P Q R S T U V W X Y Z A B C D E F G H
 9   J K L M N O P Q R S T U V W X Y Z A B C D E F G H I
10   K L M N O P Q R S T U V W X Y Z A B C D E F G H I J
11   L M N O P Q R S T U V W X Y Z A B C D E F G H I J K
12   M N O P Q R S T U V W X Y Z A B C D E F G H I J K L
13   N O P Q R S T U V W X Y Z A B C D E F G H I J K L M
14   O P Q R S T U V W X Y Z A B C D E F G H I J K L M N
15   P Q R S T U V W X Y Z A B C D E F G H I J K L M N O
16   Q R S T U V W X Y Z A B C D E F G H I J K L M N O P
17   R S T U V W X Y Z A B C D E F G H I J K L M N O P Q
18   S T U V W X Y Z A B C D E F G H I J K L M N O P Q R
19   T U V W X Y Z A B C D E F G H I J K L M N O P Q R S
20   U V W X Y Z A B C D E F G H I J K L M N O P Q R S T
21   V W X Y Z A B C D E F G H I J K L M N O P Q R S T U
22   W X Y Z A B C D E F G H I J K L M N O P Q R S T U V
23   X Y Z A B C D E F G H I J K L M N O P Q R S T U V W
24   Y Z A B C D E F G H I J K L M N O P Q R S T U V W X
25   Z A B C D E F G H I J K L M N O P Q R S T U V W X Y
26   A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
```

MS 11 Vigenere square (same square as the previous slide). Each key letter selects the row used for the plaintext letter below it:

```text
Keyword    VOTEVOTEVOTEVOTEVOTE…
Plaintext  ihavethreestinkydogs…
Ciphertext DVTZZHAVZSLXDBDCYCZW…
```

Immune to frequency analysis!

MS 12

```text
Keyword    VOTEVOTEVOTEVOTEVOTE…
Plaintext  ihavethreestinkydogs…
Ciphertext DVTZZHAVZSLXDBDCYCZW…
```

This can still be cryptanalyzed:
- it is just N mono-alphabetic substitution ciphers (N is the length of the key)
- so, just solve the N mono-alphabetic problems as before: take every N-th letter of the ciphertext as one stream (DZZDY…, VHSBC…, TALDZ…, ZVXCW…) and do frequency analysis on these separately
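The split-into-N-streams attack on the repeating key, as an added example (not from the slides): Vigenere encryption with the VOTE example, the interleaved columns of slide 12, and a chi-squared fit against English letter frequencies to recover each column's Caesar shift. The English frequency table is the standard published one; the sample text is constructed here and is long enough for the per-column statistics to work, which the 20-letter slide example is not.

```python
ALPHA = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"

# English letter frequencies in percent (standard published table)
ENGLISH = {"A": 8.2, "B": 1.5, "C": 2.8, "D": 4.3, "E": 12.7, "F": 2.2, "G": 2.0,
           "H": 6.1, "I": 7.0, "J": 0.15, "K": 0.77, "L": 4.0, "M": 2.4, "N": 6.7,
           "O": 7.5, "P": 1.9, "Q": 0.095, "R": 6.0, "S": 6.3, "T": 9.1, "U": 2.8,
           "V": 0.98, "W": 2.4, "X": 0.15, "Y": 2.0, "Z": 0.074}


def vigenere(text, key, decrypt=False):
    """Shift each letter by its key letter: one row of the Vigenere square per key letter."""
    shifts = [ALPHA.index(c) for c in key.upper()]
    out = []
    for i, ch in enumerate(c for c in text.upper() if c.isalpha()):
        s = shifts[i % len(shifts)]
        out.append(ALPHA[(ALPHA.index(ch) + (-s if decrypt else s)) % 26])
    return "".join(out)


def columns(ciphertext, n):
    """Every n-th letter was enciphered with the same key letter: n Caesar ciphers."""
    return [ciphertext[i::n] for i in range(n)]


def best_shift(column):
    """Caesar shift whose decryption matches English letter frequencies best (chi-squared)."""
    best_score, best_key = None, None
    for shift in range(26):
        plain = [ALPHA[(ALPHA.index(c) - shift) % 26] for c in column]
        score = sum((plain.count(l) - ENGLISH[l] / 100 * len(column)) ** 2
                    / (ENGLISH[l] / 100 * len(column)) for l in ALPHA)
        if best_score is None or score < best_score:
            best_score, best_key = score, ALPHA[shift]
    return best_key


def recover_key(ciphertext, key_length):
    """Solve the N mono-alphabetic problems separately, as the slide says."""
    return "".join(best_shift(col) for col in columns(ciphertext, key_length))


# Constructed sample: long enough for frequency analysis to work on each column
SAMPLE = vigenere(
    "The Vigenere cipher was once called the unbreakable cipher because a single "
    "ciphertext letter can stand for many different plaintext letters and the "
    "simple letter counts that defeat a monoalphabetic substitution no longer work "
    "directly. The weakness is that the key repeats. Every letter encrypted under "
    "the same key letter belongs to one Caesar cipher, so a cryptanalyst who knows "
    "or guesses the key length can sort the ciphertext into that many streams and "
    "study each stream with frequency analysis on its own. Modern computers make "
    "this trivial, which is why short repeating keys gave way to one time pads and "
    "then to block ciphers such as DES.", "VOTE")
```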

MS 13 OK, so make the key longer. Make it as long as the message! If there are patterns in the key (for example, words), the message can still be decrypted with a bit of work.

```text
Keyword    VOTINGISIMPORTANTFOR…
Plaintext  ihavethreestinkydogs…
Ciphertext DVTDRZPJMQPHAGKLWTUJ…
```

Enigma: the key repeated after 26^3 = 17,576 letters. Successfully broken by Rejewski, Turing et al. (a lot of work… protocol important).

MS 14 However: IF the key is as long as the message AND the key is completely random THEN the encryption is perfect (can't be broken)!!! This is called a "One Time Pad".

MS 15 The proof that a one time pad gives perfect security is simple: suppose you have the ciphertext. Since all keys are equally likely, all decoded messages are equally likely!
- How the message was encoded: keyword ASDF, plaintext dogs, ciphertext DGJX
- How it should be decoded given the correct key: keyword ASDF, ciphertext DGJX, plaintext dogs
- How it could be decoded given an equally likely key: keyword BGQF, ciphertext DGJX, plaintext cats

MS 16 Along come computers. Computing engines were spawned from code-breaking efforts during WW-II (Turing); tailor made for both code making & breaking. Represent the message as a list of numbers (bits) and operate on these with your favorite algorithm. Simplest case: Exclusive OR (⊕): 0 ⊕ 0 = 0, 1 ⊕ 0 = 1, 0 ⊕ 1 = 1, 1 ⊕ 1 = 0.

```text
  Plaintext  DEAD  1101 1110 1010 1101
⊕ Key        BEEF  1011 1110 1110 1111
= Ciphertext 6042  0110 0000 0100 0010
```

MS 17 This is an example of Symmetric Key Encryption.

```text
  Plaintext  DEAD  1101 1110 1010 1101
⊕ Key        BEEF  1011 1110 1110 1111
= Ciphertext 6042  0110 0000 0100 0010

  Ciphertext 6042  0110 0000 0100 0010
⊕ Key        BEEF  1011 1110 1110 1111
= Plaintext  DEAD  1101 1110 1010 1101
```

Real simple: the same key encodes and decodes.

MS 18 SO: Just generate a long “one time pad” bitstream, do the simple XOR, and we have perfect security. This has two problems: 1) It’s hard to generate a long truly random bitstream. 2) Sender and receiver must both have the same one time pad (i.e. the key). If we make the algorithm more sophisticated we can make the minimum length of a secure key much shorter.
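The XOR one-time pad of slides 15 to 18 as an added example (my code, not the slides'): the DEAD ⊕ BEEF computation, the letters-mod-26 version of the dogs/cats argument, the "any plaintext has an equally likely pad" property that is the perfect-secrecy proof, and the reason problem 2 matters in practice: reusing a pad cancels it out.

```python
import os


def xor_bytes(a, b):
    """Bitwise XOR of two equal-length byte strings (the slide's DEAD xor BEEF)."""
    if len(a) != len(b):
        raise ValueError("pad must be exactly as long as the message")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(plaintext):
    """Fresh random pad as long as the message; returns (ciphertext, pad)."""
    pad = os.urandom(len(plaintext))
    return xor_bytes(plaintext, pad), pad


def otp_decrypt(ciphertext, pad):
    """Symmetric: the same XOR with the same pad recovers the plaintext."""
    return xor_bytes(ciphertext, pad)


def letters_mod26(plaintext, key):
    """The slide's letter version: plaintext 'dogs' + key 'ASDF' -> 'DGJX'."""
    return "".join(chr((ord(p) - 97 + ord(k) - 65) % 26 + 65)
                   for p, k in zip(plaintext, key))


def pad_explaining(ciphertext, candidate):
    """The pad that would turn this ciphertext into `candidate`. One exists for
    every candidate of the right length and all pads are equally likely, so the
    ciphertext alone says nothing about which plaintext was sent."""
    return xor_bytes(ciphertext, candidate)


def pad_reuse_leak(c1, c2):
    """Why a pad is 'one time': if the same pad encrypts two messages, the pad
    cancels and c1 xor c2 == p1 xor p2, exposing the relation between them."""
    return xor_bytes(c1, c2)
```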

MS 19 Block cipher idea: plaintext block → f (with an N-bit key) → ciphertext block. Suppose we have an algorithm that takes a block of plaintext and converts it into a block of ciphertext using an N-bit key, and that changing any single bit in the key completely changes the ciphertext. Then we could only break it by trying all 2^N possible keys. If N = 128, the time required is way beyond the age of the universe. DES (Digital Encryption Standard).

MS 20 DES structure (the slide's + is XOR, written ⊕ here):

```text
64-bit plaintext block
  → IP → (L0, R0), 32 bits each
  → round i (repeat 16 times), with the 48-bit K_i derived from the 56-bit key:
        L_i = R_{i-1}
        R_i = L_{i-1} ⊕ f(R_{i-1}, K_i)
     e.g. L1 = R0, R1 = L0 ⊕ f(R0, K1) … L16 = R15, R16 = L15 ⊕ f(R15, K16)
  → IP^-1
64-bit ciphertext block
```

MS 21 IP (Initial Permutation): [figure: 64-bit input mapped to 64-bit output, bit positions 8, 16, 24, 32, 40, 48, 56 marked]

MS 22 One DES round: (L0, R0) → (L1, R1). The 48-bit subkey generator computes K_48 = g(i, K_56); the key for each round is deterministically found from the input 56-bit key. The round function f on the 32-bit right half: Expansion Permutation (32 → 48 bits) → S-Box Substitution (48 → 32 bits) → P-Box Permutation (32 → 32 bits).

MS 23 Expansion Permutation (32 → 48 bits): [figure: 32-bit input divided into eight 4-bit groups (positions 1, 4, 5, 8, 9, 12, 13, 16, 17, 20, 21, 24, 25, 28, 29, 32), expanded to 48 output bits]

MS 24 X-OR with 48-bit key: [figure: the 48-bit expanded block XORed with the 48-bit round key]

MS 25 S-Box Substitution (48 → 32 bits): [figure: eight S-boxes (S-box 1 … S-box 8), each taking 6 bits of the 48-bit input and producing 4 bits of the 32-bit output]

MS 26 How an S-Box works (S-box 1). The two outer bits of the 6-bit input select one of the four rows ("page select"); the four middle bits select the column; the entry is the 4-bit output.

```text
S-box 1
row 0: 14  4 13  1  2 15 11  8  3 10  6 12  5  9  0  7
row 1:  0 15  7  4 14  2 13  1 10  6 12 11  9  5  3  8
row 2:  4  1 14  8 13  6  2 11 15 12  9  7  3 10  5  0
row 3: 15 12  8  2  4  9  1  7  5 11  3 14 10  0  6 13
```

MS 27 P-Box Permutation (32 → 32 bits): [figure: the 32 bits coming out of the S-boxes (positions 1, 4, 5, 8, … 29, 32) permuted to 32 output bits]

MS 28 IP^-1 (Final Permutation): [figure: 64-bit input mapped to 64-bit output, bit positions 8, 16, 24, 32, 40, 48, 56 marked]

MS 29 Initial Key Permutation (64 → 56 bits): [figure: the 64-bit key reduced to 56 bits]

MS 30 Key Split & Shift & Compress: the 56-bit key K_56 is split into two halves; in round i each half is shifted left by N_i, with N_i = {1,1,2,2,2,2,2,2,1,2,2,2,2,2,2,1}; the shift accumulates every round; the shifted 56 bits are compressed to the 48-bit round key K_48. [figure: 56-bit key halves, shift, compression to 48 bits]

MS 31 DES Advantages (plaintext block → f with 56-bit key → ciphertext block): Very fast: ideally suited for implementation in hardware (bit shifts, look-ups etc). Dedicated hardware (in 1996) could run DES at 200 Mbyte/s. Well suited for voice, video etc.

MS 32 DES Security (thank the NSA for this): Not too good: trying all 2^56 possible keys is not that hard these days. If you spend ~$25k you can build a DES password cracker that will succeed in a few hours (EFF). Back in 1975 this would have cost a few billion $$. It is widely believed that the NSA did this. Similar algorithms with longer keys are available today (IDEA).

MS 33 Other Issues: With any symmetric algorithm, the key must be agreed upon by sender and receiver in a secure way. Before 1976, key exchange was by far the biggest problem in secure communications! Then along came Diffie & Hellman…

MS 34 Modular Arithmetic to the Rescue: Diffie–Hellman Key Exchange. How Alice and Bob can come up with the same key by talking on the phone without giving it away to a third party listening to the conversation.
1) They agree on a large prime number p and a small integer g. These numbers are not secret.
2) Alice picks a large random integer a, and calculates A = g^a mod p. Alice tells Bob what A is.
3) Bob picks a large random integer b, and calculates B = g^b mod p. Bob tells Alice what B is.
4) Alice computes K_a = B^a mod p.
5) Bob computes K_b = A^b mod p.
Lo and behold: K_a = K_b = g^(ab) mod p. Someone spying on the phone cannot get the key without knowing a and b, which were never spoken. Figuring out a and b from A, B, g, and p is as hard as factoring numbers the same size as p, hence p should be big (hundreds of digits).

MS 35 Generating Huge Primes. Idea: 1) Pick a big random number. 2) Test to see if it's prime. Don't do this the hard way (factoring)… There are several probabilistic methods:
- Choose a possible prime p = 33209533878488951298293621905948288497515233544999
- Choose a "witness" random number a = 7229265988
- Calculate j = a^((p-1)/2) mod p (= 1 in this case)
- If j = +1 or –1 then the chance that p is not prime is no more than 50%
- Choose another "a" and test again. Repeat until the desired confidence is reached.

MS 36 Are there enough Huge Primes? YES! For numbers near n the chance of a number being prime is one in ln(n). There are about 10^150 prime numbers containing 512 bits (155 digits). If every atom in the universe needed a billion primes every microsecond from the beginning of time until now, we would only use 10^110 primes.
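Slides 34 and 35 in code, as an added example that is my own and not from the slides: the witness test exactly as the slide describes it (j = a^((p-1)/2) mod p must be ±1), prime generation by repeated testing, and the five-step exchange with what the listener on the phone actually sees. The slide's p and a are kept as constants; the function names are mine, and the test as written is the slide's simplified form (production code uses Miller-Rabin).

```python
import secrets

# The slide's example inputs to the witness test
SLIDE_P = 33209533878488951298293621905948288497515233544999
SLIDE_A = 7229265988


def euler_witness(p, a):
    """The slide's test value j = a^((p-1)/2) mod p."""
    return pow(a, (p - 1) // 2, p)


def slide_witness():
    """j for the slide's own p and a (the slide reports 1)."""
    return euler_witness(SLIDE_P, SLIDE_A)


def is_probable_prime(p, rounds=40):
    """The slide's probabilistic test: accept p if j is +1 or -1 (i.e. p-1) for
    every random witness a; one failing witness proves p composite. The slide
    bounds the error per round at 50%, so `rounds` rounds give confidence 1 - 2^-rounds."""
    if p < 4:
        return p in (2, 3)
    if p % 2 == 0:
        return False
    for _ in range(rounds):
        a = secrets.randbelow(p - 3) + 2          # 2 <= a <= p-2
        if euler_witness(p, a) not in (1, p - 1):
            return False
    return True


def generate_prime(bits):
    """Pick random odd numbers of exactly `bits` bits until one passes the test."""
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def diffie_hellman(p, g):
    """Steps 2-5 of slide 34. Returns Alice's key, Bob's key and the values an
    eavesdropper on the phone gets to see (never a or b)."""
    a = secrets.randbelow(p - 2) + 1              # Alice's secret
    b = secrets.randbelow(p - 2) + 1              # Bob's secret
    A = pow(g, a, p)                              # Alice tells Bob A
    B = pow(g, b, p)                              # Bob tells Alice B
    k_alice = pow(B, a, p)
    k_bob = pow(A, b, p)
    return k_alice, k_bob, {"p": p, "g": g, "A": A, "B": B}
```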

MS 37 Public Key Cryptography: RSA (Rivest, Shamir, Adleman: 1977). IDEA: Alice has a "public" encryption key that everyone knows, and a "private" decryption key that only she knows. Bob looks up her public key, encrypts his message, and sends it to her. She decrypts it with her private key.
1) Pick two large prime numbers p and q. These are secret.
2) Calculate n = pq.
3) Pick another number e such that e and (p-1)(q-1) are relatively prime.
4) The numbers n and e make up your public key. Publish them!
5) Calculate d such that ed ≡ 1 mod (p-1)(q-1) {i.e. d = e^-1 mod (p-1)(q-1)}.
6) The number d is your private key.
Encrypt message m via c = m^e mod n. Decrypt the ciphertext c via m = c^d mod n. This is what happens when you buy a book from Amazon.com (example).
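Steps 1 to 6 and the encrypt/decrypt formulas as an added example (my code, not the slides'), including the block splitting that slide 38 mentions. The small primes 61 and 53 are a textbook toy; the larger pair is constructed for the byte-block demo. Note the caveat a practitioner needs: this is the slide's textbook RSA with no padding, so equal blocks give equal ciphertexts, which is why deployed RSA pads each block first.

```python
from math import gcd


def rsa_keygen(p, q, e=65537):
    """Steps 1-6 of the slide; p and q must be prime. Returns ((n, e), d)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to (p-1)(q-1)")
    d = pow(e, -1, phi)           # d = e^-1 mod (p-1)(q-1)   (Python 3.8+)
    return (n, e), d


def rsa_encrypt(public_key, m):
    """c = m^e mod n. Textbook RSA as on the slide: no padding, so the same m
    always gives the same c."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message block must be smaller than n")
    return pow(m, e, n)


def rsa_decrypt(n, d, c):
    """m = c^d mod n."""
    return pow(c, d, n)


def block_size(n):
    """Largest whole number of bytes that is always smaller than n."""
    return (n.bit_length() - 1) // 8


def encrypt_blocks(public_key, data):
    """Slide 38's drawback in practice: chop the message into chunks below n
    and encrypt each separately."""
    size = block_size(public_key[0])
    return [rsa_encrypt(public_key, int.from_bytes(data[i:i + size], "big"))
            for i in range(0, len(data), size)]


def decrypt_blocks(n, d, blocks, length):
    """Reassemble; `length` restores any leading zero bytes of the last chunk."""
    size = block_size(n)
    out = b""
    for i, c in enumerate(blocks):
        width = size if i < len(blocks) - 1 else length - size * (len(blocks) - 1)
        out += rsa_decrypt(n, d, c).to_bytes(width, "big")
    return out
```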

MS 38 RSA Drawbacks: RSA is slow (i.e. computationally intensive). The message must be broken into chunks smaller than n, and each block is encrypted separately. Does not really lend itself to hardware implementation: most RSA chips (in 1996) needed ~10^6 clock cycles per 512-bit encryption.

MS 39 RSA Security: RSA is secure because it's very hard to factor n to find p and q if n is sufficiently big (discrete logarithms). "Hard" means that all the computers on earth could not do it in the age of the universe. "Sufficiently big" means ~2048 bits. Symmetric key algorithms can provide the same "raw" security with key-lengths between 64 and 128 bits.

MS 40 The PGP Solution (had Phil Zimmermann in very hot water from 1992 to 1996). PGP = Pretty Good Privacy. Use IDEA for encryption (similar to DES except 128-bit key). Use RSA to exchange the IDEA key (RSA key-lengths up to 2048 bits supported). Made available as freeware (www.pgp.com). In 1993 Zimmermann was charged with "illegally exporting weapons". The FBI & DOJ hounded him until 1996 when the charges were dropped.

MS 41 Today's Issues: CLIPPER & CAPSTONE: encryption chips developed by the NSA. They use the Escrowed Encryption Standard (EES): each chip has a "back door" that the government has a key to. They can use this key in the same sense as they can now do a phone wiretap. Not very popular, not (yet) required by law. (These things really piss off the encryption community; the NSA loves them.) Tempest.

MS 42 Quantum Cryptography (Kwiat @ UIUC!) Suppose Alice can send binary information using polarized photons. [figure: photon polarizations standing for 1 and 0] There are 2 distinct encoding schemes: + and x. How Bob and Alice can agree on a perfectly secret one-time pad:

MS 43 Quantum Cryptography (Kwiat @ UIUC!) Alice randomly switches between + and x schemes, and sends a random string of 1's and 0's to Bob (Alice keeps track of the schemes she used and the bits she sent). [figure: Alice's bits 1 0 1 0 1 0 1 0 0 0 with the scheme used for each]

MS 44 Quantum Cryptography (Kwiat @ UIUC!) Bob measures these photons with his own random choice of scheme (he does not know what Alice has done). Sometimes he gets it right, sometimes he gets it wrong. [figure: Alice's message 1 0 1 0 1 0 1 0 0 0 against what Bob measures]

MS 45 Quantum Cryptography (Kwiat @ UIUC!) Alice phones Bob and tells him how her schemes were chosen. Bob tells Alice which schemes he guessed right. Considering only these, they now agree on a subset of the bits sent. [figure: the agreed subset 0 0 1 1 0 of Alice's message and Bob's measurements]

MS 46 Quantum Cryptography (Kwiat @ UIUC!) Someone listening on the phone only knows which schemes were used, but not what the polarization was. Any attempt to intercept photons will alter their state, which Alice and Bob can detect by comparing some of their bits to make sure they agree (and discarding these). [figure: the agreed bits 0 0 1 1 0 = one time pad!]
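A simulation of the protocol of slides 42 to 46, as an added example (my code, not the slides' or Kwiat's): photons prepared and measured in scheme + or x, the phone-call sifting, and the bit comparison that reveals an interceptor, who must measure each photon to read it and so re-prepares it in a scheme of her own. The model is the usual idealisation: a matching scheme returns the exact bit, a mismatched one a coin flip; a lossless channel is assumed.

```python
import secrets


def random_bits(n):
    return [secrets.randbelow(2) for _ in range(n)]


def random_schemes(n):
    """Each photon is prepared or measured in scheme '+' or 'x' (slide 42)."""
    return [secrets.choice("+x") for _ in range(n)]


def measure(bit, prepared_in, measured_in):
    """Same scheme: the bit comes out exactly. Different scheme: a coin flip."""
    return bit if prepared_in == measured_in else secrets.randbelow(2)


def transmit(alice_bits, alice_schemes, bob_schemes, eavesdropper=False):
    """Alice -> Bob, optionally through an interceptor who measures each photon
    and re-sends it in her own scheme (slide 46: intercepting alters the state)."""
    received = []
    for bit, a_s, b_s in zip(alice_bits, alice_schemes, bob_schemes):
        if eavesdropper:
            e_s = secrets.choice("+x")
            bit, a_s = measure(bit, a_s, e_s), e_s
        received.append(measure(bit, a_s, b_s))
    return received


def sift(alice_bits, alice_schemes, bob_bits, bob_schemes):
    """Slide 45: over the phone they keep only positions where the schemes matched."""
    keep = [i for i, (a, b) in enumerate(zip(alice_schemes, bob_schemes)) if a == b]
    return [alice_bits[i] for i in keep], [bob_bits[i] for i in keep]


def check_and_discard(alice_key, bob_key, sample):
    """Slide 46: compare a sample of the sifted bits to detect tampering, then
    throw the sample away. Returns (mismatch rate, remaining one-time pad)."""
    mismatches = sum(a != b for a, b in zip(alice_key[:sample], bob_key[:sample]))
    rate = mismatches / max(1, min(sample, len(alice_key)))
    return rate, alice_key[sample:]


def bb84(n_photons, eavesdropper=False, sample=200):
    """Whole run; an undisturbed channel gives rate 0, an interceptor about 0.25."""
    alice_bits, alice_schemes = random_bits(n_photons), random_schemes(n_photons)
    bob_schemes = random_schemes(n_photons)
    bob_bits = transmit(alice_bits, alice_schemes, bob_schemes, eavesdropper)
    alice_key, bob_key = sift(alice_bits, alice_schemes, bob_bits, bob_schemes)
    return check_and_discard(alice_key, bob_key, sample)
```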
