Presentation is loading. Please wait.

Presentation is loading. Please wait.

David Evans CS551: Security and Privacy University of Virginia Computer Science Lecture 2: Breaking Unbreakable Ciphers.

Published byMarianna Dennis Modified over 8 years ago

Similar presentations

Presentation on theme: "David Evans CS551: Security and Privacy University of Virginia Computer Science Lecture 2: Breaking Unbreakable Ciphers."— Presentation transcript:

1 David Evans http://www.cs.virginia.edu/~evans CS551: Security and Privacy University of Virginia Computer Science Lecture 2: Breaking Unbreakable Ciphers Confronted with the prospect of defeat, the Allied cryptanalysts had worked night and day to penetrate German ciphers. It would appear that fear was the main driving force, and that adversity is one of the foundations of successful codebreaking. Simon Singh, The Code Book

2 30 Aug 2000University of Virginia CS 5512 Menu Survey Results Vigenère – “Le Chiffre Indéchiffrable” Shannon Principles: Perfect Ciphers

3 30 Aug 2000University of Virginia CS 5513 Survey Results Forged email: 15 out of 41 Broken into systems: 8 out of 41 PGP: 1 regular, 3 occasional Movies/Books: Sneakers (14), Hackers (4), Mission Impossible (2), Wargames (2), Cryptonomicon (2), Matrix, Takedown, Enemy of the State, Cuckoo’s Egg, Maximum Security, The Net

4 30 Aug 2000University of Virginia CS 5514 Vigenère Invented by Blaise de Vigenère, ~1550 Considered unbreakable for 300 years Broken by Charles Babbage but kept secret to help British in Crimean War Attack discovered independently by Friedrich Kasiski, 1863.

5 30 Aug 2000University of Virginia CS 5515 Vigenère Encryption Key is a N -letter string. E K (P) = C where C i = (P i + K i mod N ) mod Z (size of alphabet) E “KEY” (“test”) = DIQD C 0 = (‘t’ + ‘K’) mod 26 = ‘D’ C 1 = (‘e’ + ‘E’) mod 26 = ‘I’ C 2 = (‘s’ + ‘Y’) mod 26 = ‘Q’ C 3 = (‘t’ + ‘K’) mod 26 = ‘D’

6 30 Aug 2000University of Virginia CS 5516 Babbage’s Attack Use repetition to guess key length: Sequence XFO appears at 65, 71, 122, 176. Spacings = (71 – 65) = 6 = 3 * 2 (122 – 65) = 57 = 3 * 19 (176 – 122) = 54 = 3 * 18 Key is probably 3 letters long.

7 30 Aug 2000University of Virginia CS 5517 Key length - Frequency Once you know key length, can slice ciphertext and use frequencies: L 0 : DLQLCNSOLSQRNKGBSEVYNDOIOXAXYRSOSGYKY VZXVOXCDNOOSOCOWDKOOYROEVSRBXENI Frequencies: O: 12, S: 7, Guess O = e C i = (P i + K i mod N ) mod Z ‘ O’ = (‘e’ + K 0 ) mod 26 14 = 5 + 9 => K 0 = ‘K’

8 30 Aug 2000University of Virginia CS 5518 Sometimes, not so lucky... L 1 : LMISQITVYJSSSJAHYECYSXOXGWYGJMRRXEGWRPEJXSI SLIGHTVSXILWHXYXJPERISWTM S: 9, X: 7; I: 6 guess S = ‘e’ ‘S’ = (‘e’ + K 1 ) mod 26 19 = 5 + 14 => K 1 = ‘N’ ‘X’ = (‘e’ + K 1 ) mod 26 24 = 5 + 19 => K 1 = ‘M’ ‘I’ = (‘e’ + K 1 ) mod 26 10 = 5 + 5 => K 1 = ‘E’

9 30 Aug 2000University of Virginia CS 5519

10 30 Aug 2000University of Virginia CS 55110 Vigenère Simplification Use binary alphabet: C i = (P i + K i mod N ) mod 2 C i = P i  K i mod N Use a key as long as P: C i = P i  K i One-time pad – perfect cipher!

11 30 Aug 2000University of Virginia CS 55111 Ways to Convince “I tried really hard to break my cipher, but couldn’t. I’m a genius, so I’m sure no one else can break it either.” “Lots of really smart people tried to break it, and couldn’t.” Mathematical arguments – key size (dangerous!), statistical properties of ciphertext, depends on some provably (or believed) hard problem Invulnerability to known cryptanalysis techniques (but what about undiscovered techniques?) Show that ciphertext could match multiple reasonable plaintexts without knowing key Simple monoalphabetic secure for about 10 letters of English: XBCF CF FWPHGW This is secure Spat at troner

12 30 Aug 2000University of Virginia CS 55112 Real World Standard Attacker probably has details of algorithm Attacker has a limited amount of ciphertext, often has known plaintext, occasionally has chosen plaintext Breaking a cipher means the attacker can read a secret message

13 30 Aug 2000University of Virginia CS 55113 “Academic” Standard Assume attacker has full details of the algorithm Assume attacker has an unlimited number of chosen plaintext/ciphertext pairs Assume attacker can perform a very large number of computations, up to, but not including, 2 n, where n is the key size in bits (i.e. assume that the attacker can’t mount a brute force attack, but can get close).

14 30 Aug 2000University of Virginia CS 55114 Shannon’s Theory [1945] Message space: { M 1, M 2,..., M n } Assume finite number of messages Each message has probability p(M 1 ) + p(M 2 ) +... + p(M n ) = 1 Key space: { K 1, K 2,..., K l } (Based on Eli Biham’s notes)

15 30 Aug 2000University of Virginia CS 55115 Perfect Cipher: Definition M1M1 M2M2 MnMn C1C1 C2C2 CnCn KaKa... KbKb A perfect cipher: there is some key that maps any message to any ciphertext with equal probability. For any i, j: p (M i |C j ) = p (M i )

16 30 Aug 2000University of Virginia CS 55116 Perfect Cipher Definition:  i, j : p (M i |C j ) = p (M i ) p(M) p(C | M) = p(C) p(M | C) So, a cipher is perfect iff:  M, Cp(C) = p (C | M) =  p(K) E K (M) = C K Sum over all keys such that E K (M) = C.

17 30 Aug 2000University of Virginia CS 55117 Perfect Cipher So, a cipher is perfect iff:  M, Cp(C) =  p(K) E K (M) = C Or:  C  p(K) is independent of M E K (M) = C Without knowing anything about the key, any ciphertext is equally likely to match and plaintext. K K

18 30 Aug 2000University of Virginia CS 55118 Example: Monoalphabetic Random monoalphabetic substitution for one letter message:  C,M: p(C) = p(C | M) = 1/26.

19 30 Aug 2000University of Virginia CS 55119 Example: One-Time Pad For each bit: p(C i = 0) = p(C i = 0 | M i = 0) = p(C i = 0 | M i = 1) = ½ since C i = K i  M i p (K i  M i = 0) = p (K i = 1) * p (M i = 1) + p (K i = 0) * p (M i = 0) Truly random K means p (K i = 1) = p (K i = 0) = ½ = ½ * p (M i = 1) + ½ * p (M i = 0) = ½ * (p (M i = 1) + p (M i = 0)) = ½ All key bits are independent, so: p(C) = p(C | M)QED.

20 30 Aug 2000University of Virginia CS 55120 Perfect Cipher Keyspace Theorem Theorem: If a cipher is perfect, there must be at least as many keys ( l ) are there are possible messages ( n ).

21 30 Aug 2000University of Virginia CS 55121 Proof by Contradiction Suppose there is a perfect cipher with l < n. (More messages than keys.) Let C 0 be some ciphertext with p(C 0 ) > 0. There exist m messages M such that M = D K (C 0 ) n - m messages M 0 such that M 0  D K (C 0 ) We know 1  m  l 0 and there is at least one message M 0.

22 30 Aug 2000University of Virginia CS 55122 Proof, cont. Consider the message M 0 where M 0  D K (C 0 ) for any K. So, p (C 0 | M 0 ) = 0. In a perfect cipher, p (C 0 | M 0 ) = p (C 0 ) > 0. Contradiction! It isn’t a perfect cipher. Hence, all perfect ciphers must have l  n.

23 30 Aug 2000University of Virginia CS 55123 Example: Monoalphabetic Random monoalphabetic substitution is not a perfect cipher for messages of up to 20 letters: l = 26! n = 26 20 l < n its not a perfect cipher. In previous proof, could choose C 0 = “AB” and M 0 = “ee” and p (C 0 | M 0 ) = 0.

24 30 Aug 2000University of Virginia CS 55124 Example: Monoalphabetic Is random monoalphabetic substitution a perfect cipher for messages of up to 2 letters? l = 26! n = 26 2 l  n. No! Showing l  n does not prove its perfect.

25 30 Aug 2000University of Virginia CS 55125 Information Theory [Shannon 1948] Entropy ( H ): –Amount of information in a message H(M) = log 2 n where n is the number of possible meanings H (month of year) = log 2 12  3.6 (need 4 bits to encode a year)

26 30 Aug 2000University of Virginia CS 55126 Rate Absolute rate: how much information can be encoded R = log 2 Z(Z=size of alphabet) R English = Actual rate of a language: r = H(M) / N M is an N -letter message. r of months spelled out using ASCII: log 2 26  4.7 bits / letter = log 2 12 / (8 letters * 8 bits/letter)  0.06

27 30 Aug 2000University of Virginia CS 55127 Rate of English r(English) is about 1.3 bits/letter (.28 letters/letter). –How do we get this? How many meaningful 20-letter messages in English? r = H(M) / N 1.3 = H(M)/20 H(M) = 26 = log 2 n n = 2 26 = 6.7 million (of 2*10 28 possible) One out of 7 * 10 20 randomly selected 20-letter groups

28 30 Aug 2000University of Virginia CS 55128 Redundancy Redundancy (D) is defined: D = R – r Redundancy in English: D = 4.7 – 1.3 = 3.4 bits/letter Each letter is 1.3 bits of content, and 3.4 bits of redundancy. (~72%) ASCII: 1 byte per letter D = 8 – 1.3 = 6.7 84% redundancy, 14% information

29 30 Aug 2000University of Virginia CS 55129 Unicity Distance Entropy of cryptosystem: (K = number of possible keys) H(K) = log 2 K H(64-bit key) = 64 Unicity: U = H(K)/D Minimum amount of ciphertext needed for brute-force attack to succeed.

30 30 Aug 2000University of Virginia CS 55130 Unicity Examples One-Time Pad H(K) = infinite U = H(K)/D = infinite Monoalphabetic Substitution H(K) = log 2 26!  87 D = 3.4 (redundancy in English) U = H(K)/D  25.5 Intuition: if you have 25 letters, probably only matches one possible plaintext. D = 0 (random bit stream) U = H(K)/D = infinite

31 30 Aug 2000University of Virginia CS 55131 Unicity Theoretical and probabilistic measure of how much ciphertext is needed to determine a unique plaintext Does not indicate how much ciphertext is needed for cryptanalysis If you have less than unicity distance ciphertext, can’t tell if guess is right. As redundancy approaches 0, hard to cryptanalyze even simple cipher.

32 30 Aug 2000University of Virginia CS 55132 Charge Problem Set 1: due next Monday Next time: –Project team assignments If I don’t have your survey yet, make sure I get it today! –DES – most widely used modern cipher

Download ppt "David Evans CS551: Security and Privacy University of Virginia Computer Science Lecture 2: Breaking Unbreakable Ciphers."

Similar presentations

CLASSICAL ENCRYPTION TECHNIQUES

CLASSICAL ENCRYPTION TECHNIQUES
Cryptography encryption authentication digital signatures

Cryptography encryption authentication digital signatures
Classical Encryption Techniques Week 6-wend. One-Time Pad if a truly random key as long as the message is used, the cipher will be secure called a One-Time.

Classical Encryption Techniques Week 6-wend. One-Time Pad if a truly random key as long as the message is used, the cipher will be secure called a One-Time.
CMSC 414 Computer (and Network) Security Lecture 4 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 4 Jonathan Katz.
CS 6262 Spring 02 - Lecture #7 (Tuesday, 1/29/2002) Introduction to Cryptography.

CS 6262 Spring 02 - Lecture #7 (Tuesday, 1/29/2002) Introduction to Cryptography.
Cryptology  Terminology  plaintext - text that is not encrypted.  ciphertext - the output of the encryption process.  key - the information required.

Cryptology  Terminology  plaintext - text that is not encrypted.  ciphertext - the output of the encryption process.  key - the information required.
Lecture 2.1: Private Key Cryptography -- I CS 436/636/736 Spring 2013 Nitesh Saxena.

Lecture 2.1: Private Key Cryptography -- I CS 436/636/736 Spring 2013 Nitesh Saxena.
Introduction to Cryptography and Security Mechanisms Dr Keith Martin McCrea 34901784 443099

Introduction to Cryptography and Security Mechanisms Dr Keith Martin McCrea
Ref. Cryptography: theory and practice Douglas R. Stinson

Ref. Cryptography: theory and practice Douglas R. Stinson
Foundations of Network and Computer Security J J ohn Black Lecture #3 Aug 28 th 2009 CSCI 6268/TLEN 5550, Fall 2009.

Foundations of Network and Computer Security J J ohn Black Lecture #3 Aug 28 th 2009 CSCI 6268/TLEN 5550, Fall 2009.
CSE331: Introduction to Networks and Security Lecture 17 Fall 2002.

CSE331: Introduction to Networks and Security Lecture 17 Fall 2002.
Intro To Encryption Exercise 1. Monoalphabetic Ciphers Examples:  Caesar Cipher  At Bash  PigPen (Will be demonstrated)  …

Intro To Encryption Exercise 1. Monoalphabetic Ciphers Examples:  Caesar Cipher  At Bash  PigPen (Will be demonstrated)  …
Shannon ’ s theory part II Ref. Cryptography: theory and practice Douglas R. Stinson.

Shannon ’ s theory part II Ref. Cryptography: theory and practice Douglas R. Stinson.
CryptographyPerfect secrecySlide 1 Today What does it mean for a cipher to be: –Computational secure? Unconditionally secure? Perfect secrecy –Conditional.

CryptographyPerfect secrecySlide 1 Today What does it mean for a cipher to be: –Computational secure? Unconditionally secure? Perfect secrecy –Conditional.
CS526Topic 2: Classical Cryptography1 Information Security CS 526 Topic 2 Cryptography: Terminology & Classic Ciphers.

CS526Topic 2: Classical Cryptography1 Information Security CS 526 Topic 2 Cryptography: Terminology & Classic Ciphers.
Computer Security CS 426 Lecture 3

Computer Security CS 426 Lecture 3
Chapter 2 – Classical Encryption Techniques

Chapter 2 – Classical Encryption Techniques
Lecture 2: Perfect Ciphers (in Theory, not Practice)

Lecture 2: Perfect Ciphers (in Theory, not Practice)
CMSC 414 Computer and Network Security Lecture 3 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 3 Jonathan Katz.
Chapter 12 Cryptography (slides edited by Erin Chambers)

Chapter 12 Cryptography (slides edited by Erin Chambers)

Similar presentations

Ads by Google