Presentation on theme: "The University of Adelaide, School of Computer Science"— Presentation transcript:
1The University of Adelaide, School of Computer Science 14 April 2017Security in Computing, 4th Ed, PfleegerChapter 2Elementary CryptographyChapter 2 — Instructions: Language of the Computer
2In this chapter Concepts of encryption Cryptanalysis: how encryption systems are "broken"Symmetric (secret key) encryption and the DES and AES algorithmsAsymmetric (public key) encryption and the RSA algorithmKey exchange protocols and certificatesDigital signaturesCryptographic hash functions
3CryptographyCryptography (secret writing) is the strongest tool for controlling against many kinds of security threats.Well-disguised data cannot be read, modified, or fabricated easily.Cryptography is rooted in higher mathematicsGroup and field theory, computational complexity, and even real analysis, not to mention probability and statistics.Fortunately, it is not necessary to understand the underlying mathematics to be able to use cryptography.
4Terminology and Background Consider the steps involved in sending messagesfrom a sender, Sto a recipient, RIf S entrusts the message to T, who then delivers it to R, T then becomes the transmission medium.If an outsider, O, wants to access the message (to read, change, or even destroy it), we call O an interceptor or intruder.Encryption is a means of maintaining secure data in an insecure environment.
5TerminologyEncryption is the process of encoding a message so that its meaning is not obviousDecryption is the reverse process, transforming an encrypted message back into its normal, original form.Alternatively, the terms encode and decode or encipher and decipher are used instead of encrypt and decryptA system for encryption and decryption is called a cryptosystem.
6TerminologyThe original form of a message is known as plaintext, and the encrypted form is called ciphertext.
7TerminologyThe original form of a message is known as plaintext, and the encrypted form is called ciphertext.
8TerminologyFor convenience, we denote a plaintext message P as a sequence of individual charactersP = <p1, p2, …, pn>.Similarly, ciphertext is written asC = <c1, c2, …, cm>.We write C = E(P) and P = D(C), where C represents the ciphertext, E is the encryption rule, P is the plaintext, and D is the decryption rule.What we seek is a cryptosystem for which P = D(E(P)). In other words, we want to be able to convert the message to protect it from an intruder, but we also want to be able to get the original message back so that the receiver can read it properly.
9Encryption Algorithms The cryptosystem involves a set of rules for how to encrypt the plaintext and how to decrypt the ciphertext.The encryption and decryption rules, called algorithms, often use a device called a key, denoted by K, so that the resulting ciphertext depends on the original plaintext message, the algorithm, and the key value.C = E(K, P)
10Encryption Algorithms It would be very expensive for you to contract with someone to invent and make a lock just for your house.Also, you would not know whether a particular inventor's lock was really solid or how it compared with those of other inventors.A better solution is to have a few well-known, well-respected companies producing standard locks that differ according to the (physical) keyThen, you and your neighbor might have the same model of lock, but your key will open only your lock.In the same way, it is useful to have a few well-examined encryption algorithms that everyone could use, but the differing keys would prevent someone from breaking into what you are trying to protect.
11Encryption Algorithms Sometimes the encryption and decryption keys are the same, so P = D(K, E(K,P)). This form is called symmetric encryption because D and E are mirror-image processes.At other times, encryption and decryption keys come in pairs. Then, a decryption key, KD, inverts the encryption of key KE so thatP = D(KD, E(KE,P)). Encryption algorithms of this form are called asymmetricAn encryption scheme that does not require the use of a key is called a keyless cipher.
13cryptologyCryptography means hidden writing, and it refers to the practice of using encryption to conceal text.Cryptanalyst studies encryption and encrypted messages, hoping to find the hidden meanings.
14cryptologyBoth a cryptographer and a cryptanalyst attempt to translate coded material back to its original form. Normally, a cryptographer works on behalf of a legitimate sender or receiver, whereas a cryptanalyst works on behalf of an unauthorized interceptor.Cryptology is the research into and study of encryption and decryption; it includes both cryptography and cryptanalysis.
15Cryptanalysis A cryptanalyst's chore is to break an encryption. cryptanalyst attempts to deduce the original meaning of a ciphertext message.Better yet, he or she hopes to determine which decrypting algorithm matches the encrypting algorithm so that other messages encoded in the same way can be broken.
16Cryptanalyst can attempt to do … Break a single messageRecognize patterns in encrypted messages, to be able to break subsequent ones by applying a straightforward decryption algorithmInfer some meaning without even breaking the encryption, such as noticing an unusual frequency of communication or determining something by whether the communication was short or long
17Cryptanalyst can attempt to do …(cont.) Deduce the key, to break subsequent messages easilyFind weaknesses in the implementation or environment of use of encryptionFind general weaknesses in an encryption algorithm, without necessarily having intercepted any messages
18Information needed by a cryptanalyst A cryptanalyst works with a variety of pieces of information: encrypted messages, known encryption algorithms, intercepted plaintext, data items known or suspected to be in a ciphertext message, mathematical or statistical tools and techniques, properties of languages, computers, and plenty of ingenuity and luck.Each piece of evidence can provide a clue, and the analyst puts the clues together to try to form a larger picture of a message's meaning in the context of how the encryption is done.
19Attack models Attack models for the cryptanalysis Ciphertext-only: is an attack model for cryptanalysis where the attacker is assumed to have access only to a set of ciphertexts.The attack is completely successful if the corresponding plaintexts can be deduced, or even better, the key.Known-plaintextis an attack model for cryptanalysis where the attacker has samples of both the plaintext and its encrypted version (ciphertext). These can be used to reveal further secret information such as secret keys.Chosen-plaintextis an attack model for cryptanalysis which presumes that the attacker has the capability to choose arbitrary plaintexts to be encrypted and obtain the corresponding ciphertexts. The goal of the attack is to gain some further information which reduces the security of the encryption scheme.
20Breakable EncryptionAn encryption algorithm is called breakable when, given enough time and data, an analyst can determine the algorithm.However, an algorithm that is theoretically breakable may in fact be impractical to try to break.Ex., consider a 25-character message that is expressed in just uppercase letters. A given cipher scheme may have 2625 (approximately 1035) possible deciphermentsIf your computer could perform on the order of 1010 operations per second, finding this decipherment would require on the order of 1025 seconds.Infeasible to compute
21Breakable EncryptionTwo other important issues must be addressed when considering the breakability of encryption algorithms.First, the cryptanalyst cannot be expected to try only the hard, long way.ingenious approach might require only 1015 operations. => 1015 operations take slightly more than one daySecond, estimates of breakability are based on current technology.Things that were infeasible in 1940 became possible by the 1950sA conjecture known as "Moore's Law" asserts that the speed of processors doubles every 1.5 years, and this conjecture has been true for over two decades.It is risky to pronounce an algorithm secure just because it cannot be broken with current technology, or worse, that it has not been broken yet.
22Representing Characters We begin with the encryption of messages written in the standard 26-letter English-alphabet, A through Z.Convention: plaintext is written in UPPERCASE letters, and ciphertext is in lowercase lettersBecause most encryption algorithms are based on mathematical transformations, they can be explained or studied more easily in mathematical form.
23Representing Characters Consider performing arithmetic on the "letters" of a messageExpressions such as A + 3 = D or K - 1 = J have their natural interpretation.Arithmetic is performed as if the alphabetic table were circular (modular arithmatic)every result of an arithmetic operation is between 0 and 25Ex. Y + 3 = B (and B – 3 = Y)Two simple forms of encryption:substitutions, in which one letter is exchanged for anothertranspositions, in which the order of the letters is rearranged
24Substitution Ciphers The Caesar Cipher ci = E(pi) = pi + 3 A full translation chart of the Caesar cipher is shown here.Using this encryption, the messageTREATY IMPOSSIBLEwould be encoded asT R E A T Y I M P O S S I B L Ew u h d w b l p s r v v l e o hThe pattern pi + 3 was easy to memorize and implement, however, it is easy break
25Cryptanalysis of the Caesar Cipher Many clues on the "TREATY IMPOSSIBLE” ciphertextthe space between the two words is preserved in the ciphertextdouble letters are preserved: The SS is translated to vvwhen a letter is repeated, it maps again to the same ciphertext as it did previously. So the letters T, I, and E always translate to w, l, and h.These clues make this cipher easy to break.
26Cryptanalysis of the Caesar Cipher Suppose you are given the following ciphertext message, and you want to try to determine the original plaintext.Ciphertext: “wklv phvvdjh lv qrw wrr kdug wr euhdn”27-symbol alphabet: A through Z plus the "blank" characterStart with small words: English has relatively few small words, such as am, is, to, be, he, we, and, are, you, she, and so on.substitute known short words at appropriate places in the ciphertext until you have something that seems to be meaningful.Once the small words fall into place, you can try substituting for matching characters at other places in the ciphertext.There is a strong clue in the repeated r of the word wrr.two very common three-letter words having the pattern xyy are see and too. other less common possibilities are add, odd, and off
27Cryptanalysis of the Caesar Cipher Note that the combination wr appears in the ciphertextif wrr is SEE, wr would have to be SE, which is unlikelyHowever, if wrr is TOO, wr would be TO, which is quite reasonable.Substituting T for w and O for r, the message becomesThe OT could be cot, dot, got, hot, lot, not, pot, rot, or tot; a likely choice is not. Unfortunately, q = N does not give any more clues because q appears only once in this sample.The word lv is also the end of the word wklv, which probably starts with T.Likely two-letter words that can also end a longer word include so, is, in, etc.However, so is unlikely because the form T-SO is not recognizable;IN is ruled out because of the previous assumption that q is NA more promising alternative is to substitute IS for lv throughout, and continue to analyze the message in that way.By now, you might notice that the ciphertext letters uncovered are just three positions away from their plaintext counterparts.
28Cryptanalysis of the Caesar Cipher The cryptanalysis described here is ad hoc, using deduction based on guesses instead of solid principles.But you can take a more methodical approach, consideringwhich letters commonly start wordswhich letters commonly end wordswhich prefixes and suffixes are commonCryptanalysts have compiled lists of common prefixes, common suffixes, and words having particular patterns.(For example, sleeps is a word that follows the pattern abccda.)
29Other SubstitutionsIn substitutions, the alphabet is scrambled, and each plaintext letter maps to a unique ciphertext letter.mathematical way description:permutation is a reordering of the elements of a sequenceFor instance, we can permute the numbers l to 10 in many ways, including:π1 = 1, 3, 5, 7, 9, 10, 8, 6, 4, 2; and π2 = 10, 9, 8, 7, 6, 5, 4, 3, 2, 1A permutation is a function, so we can write expressions such as π1(3) = 5meaning that the letter in position 3 is to be replaced by the fifth letterIf the set is the first ten letters of the alphabet, π1(3) = 5 means that C is transformed into e
30Other Substitutions Alternative to using the permutation (π) One way to scramble an alphabet is to use a keya word that controls the permutationFor instance, if the key is word, the sender or receiver first writes the alphabet and then writes the key under the first few letters of the alphabet.The sender or receiver then fills in the remaining letters of the alphabet, in some easy-to-remember order, after the keyword.
31Complexity of Substitution Encryption and Decryption An important issue in using any cryptosystem is the time it takes to turn plaintext into ciphertext, and vice versa.it is essential that the scrambling and unscrambling not deter the authorized parties from completing their missionsThe timing is directly related to the complexity of the encryption algorithmencryption and decryption with substitution ciphers can be performed by direct lookup in a table illustrating the correspondenceTransforming a single character can be done in a constant amount of time, so we express the complexity of the algorithm by saying that the time to encrypt a message of n characters is proportional to n ( O(n) )
32Cryptanalysis of Substitution Ciphers The techniques described for breaking the Caesar cipher can also be used on other substitution ciphersShort words, words with repeated patterns, and common initial and final letters all give clues for guessing the permutation.breaking the code is a lot like working a crossword puzzle. You try a guess and continue to work to substantiate that guess until you have all the words in place or until you reach a contradictionUsing brute force attack, the cryptanalyst could try all 26! permutations of a particular ciphertext messageWe can use our knowledge of language to simplify this problem. For example, in English, some letters are used more often than others. The letters E, T, O, and A occur far more often than J, Q, X, and Z, for example.Encryption, even in a simple form, will deter the casual observer.
33The Cryptographer's Dilemma An encryption algorithm must be regular for it to be algorithmic and for cryptographers to be able to remember it. Unfortunately, the regularity gives clues to the cryptanalystThere is no solution to this dilemma
34One-Time PadsA one-time pad is sometimes considered the perfect cipherlarge, nonrepeating set of keys is written on sheets of paper, glued together into a pad.if the keys are 20 characters long and a sender must transmit a message 300 characters in lengththe sender would tear off the next 15 pages of keysThe sender would write the keys one at a time above the letters of the plaintext andencipher the plaintext with a prearranged chart (called a Vigenère tableau) that has all 26 letters in each column, in some scrambled order
35One-Time Pads The one-time pad method has two problems: the need for absolute synchronization between sender and receiver, andthe need for an unlimited number of keys.keyPlaintextciphertextbecause row M column i is u, row A column a is a, and so on.
36Transpositions (Permutations) The goal of substitution is confusionthe encryption method is an attempt to make it difficult for a cryptanalyst or intruder to determine how a message and key were transformed into ciphertext.A transposition (permutation) is an encryption in which the letters of the message are rearranged.the cryptography aims for diffusion
37Columnar Transpositions rearrangement of the characters of the plaintext into columnsThe following set of characters is a five-column transposition.
38Columnar Transpositions For instance, suppose you want to write the plaintext message THIS IS A MESSAGE TO SHOW HOW A COLUMNAR TRANSPOSITION WORKS. We arrange the letters in five columnsThe resulting ciphertext would then be read down the columns as
39Encipherment/Decipherment Complexity This cipher involves no additional work beyond arranging the letters and reading them off again.Therefore, the algorithm requires a constant amount of work per character, and the time needed to apply the algorithm is proportional to the length of the message.we cannot produce output characters until all the message's characters have been read. This restriction occurs because all characters must be entered in the first column before output of the second column can begin, but the first column is not complete until all characters have been read.Thus, the delay associated with this algorithm also depends on the length of the message, as opposed to the constant delay we have seen in previous algorithms
40Digrams, Trigrams, and Other Patterns Just as there are characteristic letter frequencies, there are also characteristic patterns of pairs of adjacent letters, called digrams.Letter pairs such as -re-, -th-, -en-, and -ed- appear very frequently.
41Cryptanalysis by Digram Analysis The first step in analyzing the transposition is computing the letter frequencies.If we find that in fact all letters appear with their normal frequencies, we can infer that a transposition has been performed.The problem is to find where in the ciphertext a pair of adjacent columns lies and where the ends of the columns are
42Cryptanalysis by Digram Analysis Assume the block being compared is seven charactersThe first comparison is c1 to c8, c2 to c9, …, c7 to c14. Then, we try a distance of eight characters, and so the window of comparison shifts and c1 is compared to c9, c2 to c10, and continuing..For each window position, we ask two questions. First, do common digrams appear, and second, do most of the digrams look reasonable?Figure 2-5 Moving Comparisons.
43Combinations of Approaches Substitution and transposition can be considered as building blocks for encryption.A combination of two ciphers is called a product cipher.Product ciphers are typically performed one after another, as in E2(E1(P,k1), k2)
44Making "Good" Encryption Algorithms What Makes a "Secure" Encryption Algorithm?What does it mean for a cipher to be "good"?The meaning of good depends on the intended use of the cipherA cipher to be used by military personnel in the field has different requirements from one to be used in a secure installation with substantial computer supportIn this section, we look more closely at the different characteristics of ciphers
45Shannon's Characteristics of "Good" Ciphers The amount of secrecy needed should determine the amount of labor appropriate for the encryption and decryption.reiteration of the principle of timeliness from Chapter 1The set of keys and the enciphering algorithm should be free from complexityIf the process is too complex, it will not be usedwe should restrict neither the choice of keys nor the types of plaintext on which the algorithm can workFor instance, an algorithm that works only on plaintext having an equal number of A's and E's is useless.Similarly, it would be difficult to select keys such that the sum of the values of the letters of the key is a prime number.Furthermore, the key must be transmitted, stored, and remembered
46Shannon's Characteristics of "Good" Ciphers The implementation of the process should be as simple as possibleformulated with hand implementation in mindA complicated algorithm is prone to error or likely to be forgottenWith the development and popularity of digital computers, algorithms far too complex for hand implementation became feasibleStill, the issue of complexity is important. People will avoid an encryption algorithm whose implementation process severely hinders message transmissionAnd a complex algorithm is more likely to be programmed incorrectly.
47Shannon's Characteristics of "Good" Ciphers Errors in ciphering should not propagate and cause corruption of further information in the messageOne error early in the process should not throw off the entire remaining ciphertextFor example, dropping one letter in a columnar transposition throws off the entire remaining enciphermentThe size of the enciphered text should be no larger than the text of the original messageciphertext that expands dramatically in size cannot possibly carry more information than the plaintextit gives the cryptanalyst more data from which to infer a patternlonger ciphertext implies more space for storage and more time to communicate
48Properties of "Trustworthy" Encryption Systems When we say that encryption is "commercial grade," or "trustworthy," we mean that it meets these constraints:It is based on sound mathematicsIt has been analyzed by competent experts and found to be soundIt has stood the "test of time.“Three algorithms are popular in the commercial world and meet the above criteria: DES (data encryption standard), RSA (Rivest Shamir Adelman, named after the inventors), and AES (advanced encryption standard).
49Symmetric and Asymmetric Encryption Systems Two basic kinds of encryptions: symmetric (also called "secret key") and asymmetric (also called "public key")SymmetricOne key for enrcyption and decryptionUsually, the decryption algorithm is closely related to the encryption oneEx., Caesar cipher: encryption: Pi + 3; decryption Ci - 3provide a two-way channel to their usersA and B share a secret key, and they can both encrypt information to send to the other as well as decrypt information from the otherthe system also provides authentication proof that a message received was not fabricated by someone other than the declared sender
50Symmetric Encryption Systems The symmetry of this situation is a major advantage of this type of encryptionBut, has key distribution problemHow do A and B obtain their shared secret key?In general, n users who want to communicate in pairs needn * (n - 1)/2 keysBy the nature of the public key approach, you can send a public key in an message or post it in a public directoryOnly the corresponding private key, which presumably is kept privateSo, for all encryption algorithms, key management is a major issueinvolves storing, safeguarding, and activating keys
51Stream and Block Ciphers Most of the ciphers we have presented so far are stream ciphersconvert one symbol of plaintext immediately into a symbol of ciphertextThe exception is the columnar transposition cipherThe transformation depends only on the symbol, the key, and the control information of the encipherment algorithmskipping a character inthe key during encryption,affect the encryption of allfuture characters
52Stream and Block Ciphers A block cipher encrypts a group of plaintext symbols as one blockEx., The columnar transpositionentire message is translated as one blockBlock ciphers work on blocks of plaintext and produce blocks of ciphertext
53Confusion and Diffusion Two additional important concepts are related to the amount of work required to perform an encryptionAn algorithm providing good confusion has a complex functional relationship between the plaintext/key pair and the ciphertextit will take an interceptor a long time to determine the relationship between plaintext, key, and ciphertextEx1: Caesar cipher is not good for an analyst who deduces the transformation of a few letters can also predict the transformation of the remaining letters, with no additional informationEx2: one-time pad is good because one plaintext letter can be transformed to any ciphertext letter at different places in the output
54Confusion and Diffusion Two additional important concepts are related to the amount of work required to perform an encryptionConfusionDiffusion: distributing the information from single plaintext letters over the entire output
55Cryptanalysis Breaking Encryption Schemes Assume that the attacker knows the encryption/decryption algorithm then she may use three types of attacksCiphertext only attackThe attacker has only the ciphertext and wants to know the plaintext (and the key if possible)Known plaintext attackThe attacker has both the plaintext and its corresponding ciphertext. The goal is to find the keyChosen plaintext attackThe attacker may ask that specific plaintexts be enciphered and she is given the corresponding ciphertexts. Her goal is to find the key that was used
56The Data Encryption Standard (DES) developed for the U.S. government1976intended for use by the general publicaccepted as a cryptographic standard both in the United States and abroadmany hardware and software systems have been designed with the DESHowever, recently its adequacy has been questioned
57The Data Encryption Standard (DES) Overviewcombination of two fundamental building blocks of encryption: substitution and transpositionderives its strength from repeated application of these two techniquesone on top of the other, for a total of 16 cyclesHard to trace a single bit through 16 iterationsThe algorithm begins by encrypting the plaintext as blocks of 64 bitsThe key is 64 bits longin fact it is only 56-bit (the other bits are used to check digits)
58The Data Encryption Standard (DES) OverviewLeverages the two techniques Shannon identified to conceal information: confusion and diffusionensuring that the output bits have no obvious relationship to the input bits and spreading the effect of one plaintext bit to other bits in the ciphertextSubstitution provides the confusion, and transposition provides the diffusion
59The Data Encryption Standard (DES) A Cycle in the DES.
63The Data Encryption Standard (DES) Double and Triple DESthe DES 56-bit key length is not long enough for some people to feel comfortableComputing power has increased dramaticallysome researchers suggest using a double encryption for greater secrecyTake two keys, k1 and k2perform two encryptions, one on top of the other: E(k2, E(k1,m)).Does this make the key as powerful as 112-bit key? NOthe cryptanalyst works plaintext and ciphertext toward each otherIt only becomes 57-bit keyHowever, a simple trick does indeed enhance the security of DESThe so-called triple DES procedure is C = E(k3, E(k2, E(k1,m))).This process gives a strength equivalent to a 112-bit keydifferential and linear cryptanalysis (self study)
64The Advanced Encryption Standards(AES) To solve the DES security problemsContest to develop a new algorithmRijndael (pronounced RINE dahl) algorithmWon the contest and became the AESKey lengths are: 128, 192, 256 (and possibly more) bits1999the U.S. government has approved AES for protecting Secret and Top Secret classified documents
65Public Key EncryptionIn 1976, Diffie and Hellman proposed a new kind of encryption systemEach user has two keys:One is public and the other is privateAlso, use one to encrypt and the other to decryptIn symmetric key system, each pair of users needs a separate key
66Public Key EncryptionIn a public key or asymmetric encryption system, each user has two keys:a public key and a private key.The user may publish the public key freelyThe keys operate as inversesone key undoes the encryption provided by the other keyEx. let kPRIV be a user's private key, and let kPUB be the corresponding public keywe can write the relationship asP = D(kPRIV, E(kPUB, P)) = D(kPUB, E(kPRIV, P))
67Rivest Shamir Adelman (RSA) Encryption Public key systemRSA has been the subject of extensive cryptanalysis: no serious flaws have yet been foundBased on an underlying hard problemDetermining the prime factors of a large numberAn area of mathematics known as number theorymathematicians study properties of numbers such as their prime factorsOperates with arithmetic mod n
68Rivest Shamir Adelman (RSA) Encryption The two keys used in RSA, d and e, are used for decryption and encryptionThey are actually interchangeableEither can be chosen as the public key (the other must be kept private)P = E(D(P)) = D(E(P))Any plaintext block P is encrypted as Pe mod nfactoring Pe to uncover the encrypted plaintext is difficultlegitimate receiver who knows d simply computes (Pe)d mod n = P and recovers P without having to factor Pe.
69Rivest Shamir Adelman (RSA) Encryption Here is how it workstake two large primes, p and q, and compute their product n = pqn is called the modulusChoose a number, e, less than n and relatively prime to (p-1)(q-1)i.e., e and (p-1)(q-1) have no common factors except 1Find another number d such that (ed - 1) is divisible by (p-1)(q-1)The values e and d are called the public and private exponents, respectively.The public key is the pair (n, e); the private key is (n, d).The factors p and q may be destroyed or kept with the private key.It is currently difficult to obtain the private key d from the public key (n, e).If one could factor n into p and q, then one could obtain the private key d.Example: Suppose Alice wants to send a message m to Bob. Alice creates the ciphertext c by exponentiating: c = me mod n, where e and n are Bob's public key. She sends c to Bob. To decrypt, Bob also exponentiates: m = cd mod n; the relationship between e and d ensures that Bob correctly recovers m. Since only Bob knows d, only Bob can decrypt this message.
70RSA Example Choose p = 3 and q = 11 Compute n = p * q = 3 * 11 = 33 the number of positive integers less than n that are co-prime to ni.e., no common factors with n except 11 is includedChoose e such that 1 < e < φ(n) and e and n are co-prime. Let e = 7Compute a value for d such that (d * e) % φ(n) = 1. One solution is d = 3 [(3 * 7) % 20 = 1]Public key is (e, n) => (7, 33)Private key is (d, n) => (3, 33)The encryption of m = 2 is c = 27 % 33 = 29The decryption of c = 29 is m = 293 % 33 = 2
72The Uses of Encryption Cryptographic Hash Functions Key Exchange Digital SignaturesCertificates
73The Uses of EncryptionEncryption implements protected communications channelsit can also be used for other duties/applicationsCryptographic Hash Functions, Key Exchange, Digital Signatures, CertificatesPublic key algorithms are useful only for specialized tasksvery slow; take 10,000 times as long to perform as a symmetric encryptionunderlying modular exponentiation depends on multiplication and divisionslower than the bit operations (addition, exclusive OR, substitution, and shifting) on which symmetric algorithms are basedsymmetric encryption is the cryptographers' "workhorse," and public key encryption is reserved for specialized, infrequent uses, where slow operation is not a continuing problem
75Cryptographic Hash Functions The most widely used cryptographic hash functions areMD4, MD5 (where MD stands for Message Digest)MD5 is an improved version of MD4Any message will have 128-bit digestSHA/SHS (Secure Hash Algorithm or Standard).it produces a 160-bit digestcryptanalysis attacks on SHA, MD4, and MD5For SHA, the attack is to find two plaintexts that produce the same hash digest (collision)263 steps, far short of the 280 steps that would be expected of a 160-bit hash function
76Birthday AttackIn probability theory, the birthday problem or birthday paradox concerns the probability that, in a set of n randomly chosen people, some pair of them will have the same birthday.By the pigeonhole principle, the probability reaches 100% when the number of people reaches 367 (since there are 366 possible birthdays, including February 29).However, 99% probability is reached with just 57 people, and 50% probability with 23 people.These conclusions are based on the assumption that each day of the year (except February 29) is equally probable for a birthday.The mathematics behind this problem led to a well-known cryptographic attack called the birthday attack, which uses this probabilistic model to reduce the complexity of cracking a hash function.
77Birthday AttackA list of 23 people, comparing the birthday of the first person on the list to the others allows 22 chances for a matching birthday, the second person on the list to the others allows 21 chances for a matching birthday, third person has 20 chances, and so on. Hence total chances are: = 253, so comparing every person to all of the others allows 253 distinct chances (combinations): in a group of 23 people there are (23 * 22) / 2 = 253 pairs.
78Key Exchange We talk about symmetric keys here The problem is almost circular: To establish an encrypted session, you need an encrypted means to exchange keys.
79Key Exchange Public key cryptography can help To see how, suppose S and R want to derive a shared symmetric keykPRIV-S, kPUB-S, kPRIV-R, and kPUB-R, are the private and public keys for S and R, respectivelyS chooses any symmetric key KS sends E(kPRIV-S,K) to RR takes S's public key, removes the encryption, and obtains KOoops, any eavesdropper who can get S's public key can also obtain Klet S send E(kPUB-R, K) to R. Then, only R can decrypt KOoops, R has no assurance that K came from SThe solution is for S to send to R:E(kPUB-R, E(kPRIV-S, K))
81Key Exchange Another key exchange approach Diffie-Hellman key exchange protocolS and R use some simple arithmetic to exchange a secretThey agree on a field size n and a starting number gthey can communicate these numbers in the clearEach thinks up a secret number, say, s and r.S sends to R gs and R sends to S grS computes (gr)s and R computes (gs)r ,which are the same, so grs = gsr becomes their shared secretcomputations are done over a field of integers mod n (omitted for simplicity)Diffie-Hellman, however, does NOT provide authenticationYou can not be sure if you are talking to the right person
82Digital SignaturesA digital signature is a protocol that produces the same effect as a real signature:It is a mark that only the sender can makebut other people can easily recognize as belonging to the sender
83Digital Signatures Two conditions It must be unforgeable: If person P signs message M with signature S(P,M), it is impossible for anyone else to produce the pair [M, S(P,M)]It must be authentic: If a person R receives the pair [M, S(P,M)] purportedly from P, R can check that the signature is really from POnly P could have created this signature, and the signature is firmly attached to M
85Digital Signatures Two more properties It is not alterable. After being transmitted, M cannot be changed by S, R, or an interceptor.It is not reusable. A previous message presented again will be instantly detected by R.
86Digital Signatures Public Key Protocol ideally suited to digital signatures.E: use the public key in transformationD: use the private key in transformation
87CertificatesA public key and user's identity are bound together in a certificate, which is then signed by someone called a certificate authority, certifying the accuracy of the binding.
88The University of Adelaide, School of Computer Science 14 April 2017CertificatesThe algorithms to generate a matched pair of public and private keys are publicly known, and software that does it is widely available.So if Alice wanted to use a public key cipher, she could generate her own pair of public and private keys, keep the private key hidden, and publicize the public key.But how can she publicize her public key— assert that it belongs to her—in such a way that other participants can be sure it really belongs to her?Chapter 2 — Instructions: Language of the Computer
89The University of Adelaide, School of Computer Science 14 April 2017CertificatesA complete scheme for certifying bindings between public keys and identities— what key belongs to who—is called a Public Key Infrastructure (PKI).A PKI starts with the ability to verify identities and bind them to keys out of band. By “out of band,” we mean something outside the network and the computers that comprise it, such as in the following scenarios.If Alice and Bob are individuals who know each other, then they could get together in the same room and Alice could give her public key to Bob directly, perhaps on a business card.Chapter 2 — Instructions: Language of the Computer
90The University of Adelaide, School of Computer Science 14 April 2017CertificatesIf Bob is an organization, Alice the individual could present conventional identification, perhaps involving a photograph or fingerprints.If Alice and Bob are computers owned by the same company, then a system administrator could configure Bob with Alice’s public key.A digitally signed statement of a public key binding is called a public key certificate, or simply a certificateChapter 2 — Instructions: Language of the Computer
91The University of Adelaide, School of Computer Science 14 April 2017CertificatesOne of the major standards for certificates is known as X.509. This standard leaves a lot of details open, but specifies a basic structure. A certificate clearly must includethe identity of the entity being certifiedthe public key of the entity being certifiedthe identity of the signerthe digital signaturea digital signature algorithm identifier (which cryptographic hash and which cipher)Chapter 2 — Instructions: Language of the Computer
92The University of Adelaide, School of Computer Science 14 April 2017CertificatesCertification AuthoritiesA certification authority or certificate authority (CA) is an entity claimed (by someone) to be trustworthy for verifying identities and issuing public key certificates.There are commercial CAs, governmental CAs, and even free CAs.To use a CA, you must know its own key. You can learn that CA’s key, however, if you can obtain a chain of CA-signed certificates that starts with a CA whose key you already know.Then you can believe any certificate signed by that new CAChapter 2 — Instructions: Language of the Computer