Introduction to Computer and Network Security Iliano Cervesato 26 August 2008 – Modern Cryptography
2 Where we are Course intro Cryptography Intro to crypto Modern crypto Symmetric encryption Asymmetric encryption Beyond encryption Cryptographic protocols Attacking protocols Program/OS security & trust Networks security Beyond technology
3 Outline Cryptographic schemes Design principles Confusion and diffusion Randomization Kerchoff’s principle Mathematical foundations Computational complexity One-way functions Trapdoors What is a secure cipher?
4 (Symmetric) Encryption Schemes (K, E, D) Key generation algorithm K : {0,1} Encryption algorithm E : {0,1} x {0,1} {0,1} E k : {0,1} {0,1} Decryption algorithm D: {0,1} x {0,1} {0,1} D k : {0,1} {0,1}
5 What makes a cipher good ? behaves as expected Functionally sound based on mathematics Confusion and diffusion examined by experts Open design stood the test of time Moore’s law
6 Functional requirements E, D : {0,1} n x {0,1} {0,1} n D k (E k (m)) = m For every k, E k is an injection with inverse D k E k (m) is easy to compute, given m and k D k (x) is easy to compute, given x and k Polynomial in max{n, } - often linear If x = E k (m), it is hard to find m without k Exponential in
7 Confusion and Diffusion Confusion Replace symbol with another Hide plaintext symbols Diffusion Mix up symbols Spread plaintext around WHATANI ZZZJUCL WHATANI ANWIHAT Modern ciphers are a combination
8 Augmenting diffusion Make it harder for attacker Repeated encryptions of same text are different Randomization E k : {0,1} x {0,1} {0,1} D k : {0,1} {0,1} It must be that > Part of all modern ciphers
9 Open Design Kerchoff’s Principle (1883) The security of a cryptosystem must not depend on keeping the algorithm secret No security by obscurity Better Lots of smart but innocuous people dissect it Than a single smart malicious
10 Shannon’s criteria 1. Strength of cipher proportional to effort 2. Keys should be simple 3. Implementation should be simple 4. Errors should not propagate 5. Size of ciphertext same as plaintext
11 Critique to Shannon’s Criteria Shannon’s criteria based on manual process 1. Strength of cipher proportional to effort Strength should be depend on value, cost, time 2. Keys should be simple Not necessarily 3. Implementation should be simple Efficient! 4. Errors should not propagate Yes, many countermeasures nowadays 5. Size of ciphertext same as plaintext Not necessarily Computers allow powerful automation
12 Computational problems Finite space of solutions Always decidable Can grow in size (n) Bigger size, bigger solution space Questions How hard is it to find a solution? How hard is it to verify a solution? “Hard” = amount of time Generic algorithms –Best algorithm possible Not special cases!
13 Computational classes PP Finding solution polynomial in n –Element lookup in list – O(n) –Sorting a list – O(n 2 ) Verifying solution also polynomial in n NP Verifying solution polynomial in n Finding solution may not be polynomial in n –Polynomial if we can “guess” –Polynomial if we can try solutions in parallel EXP Finding solution exponential in n Verifying solution may not be polynomial in n
14 Computational complexity P NP EXP P EXP P = NP ? Open problem Believed false n n2n2 n3n3 n 100 PNPEXP 2n2n 22n22n
15 NP-Complete problems In NP As hard or harder than any other NP problem Represent all NP problems –If polynomial solution exists, all NP problems have one P = NP –If not, no NP-complete problem has one P NP Characteristics Always solvable Verifying solution is polynomial No known polynomial way to find solution Exponential as far as we know
16 Computation in practice Bounded by time If a small polynomial instance is solvable Slightly larger instance also solvable Possibly with tomorrow’s technology If a small exponential instance is solvable Slightly larger instance may not be solvable Maybe not even with tomorrow’s technology … but Moore’s law is exponential? Physical limitations Can always choose a big enough instance
17 NP-Completeness and Crypto Require attacker to solve an NP-complete problem to find plaintext Exponential work in n But … Crumbles if P = NP May be easy for small n Side channel attacks Advances in technology –But Moore’s law is exponential ?? Trends in cryptography Rely on problems that are harder than NP Quantum cryptography
18 One-way functions Easy to compute f(i) o Evaluation in P Linear Hard to invert f -1 (o) I Inverse is NP- complete Foundations of Hashing f inputoutput Easy – P Hard – NP
19 One-way functions with trapdoor Easy to compute f(i,t) o Encryption in P Linear Hard to invert normally f -1 (o) i Decryption without key is NP-complete Easy to invert through trapdoor f -1 (o,t) i Decryption with key in P Linear Foundations of Encryption Digital signatures f inputoutput Easy – P Hard – NP Easy – P trapdoor
20 Some NP-complete Problems Boolean satisfiability Is there an assignment of boolean value that make a formula in conjunctive normal form true? Knapsack Is there a way to fill a bag of a given size completely with objects of various sizes? Cliques Does a graph have a complete subgraph of a given size? Discrete logarithm Is there a such that g a mod n = b Integer factorization What are the prime factors of number n?
21 When is a Cipher Secure? Polynomial adversary cannot tell a real encryption box from a fake one m x Ek(_)Ek(_) m x Ek(0)Ek(0)
22 Formal Definition Let E: {0,1} x {0,1} {0,1} A(x m) = 1 iff x = E k (m) A algorithm polynomial in key length x m = E k (m) (K,E,D) is a secure encryption scheme if polynomial p(_) s.t. > k {0,1} Pr[A(x m m) = 1] - Pr[A(x 0 m) = 1] < 1/p( )
23 Key length The strength of a cipher is given by the length of the key Strength is non-polynomial in 10% longer key requires much more than 10% extra work Often each extra bit doubles the effort To get a stronger cipher, make key longer! Guideline for modern ciphers Ciphers with variable key length –RSA –AES Not sufficient for bad ciphers!