1. CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Classical Cryptography

2. CIT 380: Securing Computer SystemsSlide #2 Overview 1.Modular Arithmetic Review 2.What is Cryptography? 3.Transposition Ciphers 4.Substition Ciphers 1.Cæsar cipher 2.Vigènere cipher 5.Cryptanalysis: frequency analysis 6.Block Ciphers 7.DES

3. CIT 380: Securing Computer SystemsSlide #3 Modular Arithmetic Congruence –a = b (mod N) iff a = b + kN –Equivalently, a = b (mod N) iff N / (a – b) –ex: 37=27 mod 10 b is the residue of a, modulo N –Ints 0..N-1 are complete set of residues mod N

4. CIT 380: Securing Computer SystemsSlide #4 Laws of Modular Arithmetic 1.(a + b) mod N = (a mod N + b mod N) mod N 2.(a - b) mod N = (a mod N - b mod N) mod N 3.ab mod N = (a mod N)(b mod N) mod N 4.a(b+c) mod N = ((ab mod N)+(ac mod N)) mod N

5. CIT 380: Securing Computer SystemsSlide #5 What is Cryptography? Cryptography: The art and science of keeping messages secure. Cryptanalysis: the art and science of decrypting messages. Cryptology: cryptography + cryptanalysis

6. CIT 380: Securing Computer SystemsSlide #6 Terminology Plaintext: message to be encrypted. Also called cleartext. Encryption: altering a message to keep its contents secret. Ciphertext: encrypted message. Plaintext Ciphertext Encryption Procedure

7. CIT 380: Securing Computer SystemsSlide #7 History of Cryptography Egyptian hieroglyphics ~ 2000 B.C.E. –Cryptic tomb enscriptions for regality. Spartan skytale cipher ~ 500 B.C.E. –Wrapped thin sheet of papyrus around staff. –Messages written down length of staff. –Decrypted by wrapped around = diameter staff. Cæsar cipher ~ 50 B.C.E. –Simple alphabetic substitution cipher. al-Kindi ~ 850 C.E. –Cryptanalysis using letter frequencies.

8. CIT 380: Securing Computer SystemsSlide #8 History of Cryptography Alberti’s polyalphabetic cipher 1467 Decryption of Zimmerman telegram 1917 –Leads US into World War I Japanese Purple Machine cracked 1937 –US breaks rotor machine for highest secrets. German Enigma machine cracked 1933-45 –Initially broken by Polish mathematician Rejewski –Variants broken at Bletchley Park in UK –Colossus, world’s 1 st electronic computer.

9. CIT 380: Securing Computer SystemsSlide #9 Cryptosystem Formal Definition 5-tuple ( E, D, M, K, C ) –M set of plaintexts –K set of keys –C set of ciphertexts –E set of encryption functions e: M  K  C –D set of decryption functions d: C  K  M

10. CIT 380: Securing Computer SystemsSlide #10 Example: Cæsar cipher Letter shifting cipher (A=>D, B=>E, C=>F, …) 5-tuple –M = { all sequences of letters } –K = { i | i is an integer and 0 ≤ i ≤ 25 } –E = { E k | k  K and for all letters m, E k (m) = (m + k) mod 26 } –D = { D k | k  K and for all letters c, D k (c) = (26 + c – k) mod 26 } –C = M History: Cæsar’s key was 3.

11. CIT 380: Securing Computer SystemsSlide #11 Example: Cæsar cipher Plaintext is HELLO WORLD Change each letter to the third letter following it (X goes to A, Y to B, Z to C) –Key is 3, usually written as letter ‘D’ Ciphertext is KHOOR ZRUOG

12. CIT 380: Securing Computer SystemsSlide #12 A Transposition Cipher Rearrange letters in plaintext. Example: Rail-Fence Cipher –Plaintext is HELLO WORLD –Rearrange as H L O O L E L W R D –Ciphertext is HLOOL ELWRD

13. CIT 380: Securing Computer SystemsSlide #13 Cryptosystem Security Dependencies 1.Quality of shared encryption algorithm E 2.Secrecy of key K

14. CIT 380: Securing Computer SystemsSlide #14 Cryptanalysis Goals –Decrypt a given message. –Recover encryption key. Adversarial models vary based on –Type of information available to adversary –Interaction with cryptosystem.

15. CIT 380: Securing Computer SystemsSlide #15 Cryptanalysis Adversarial Models 1.ciphertext only: adversary has only ciphertext; goal is to find plaintext, possibly key. 2.known plaintext: adversary has ciphertext, corresponding plaintext; goal is to find key. 3.chosen plaintext: adversary may supply plaintexts and obtain corresponding ciphertext; goal is to find key.

16. CIT 380: Securing Computer SystemsSlide #16 Classical Cryptography Sender & receiver share common key –Keys may be the same, or trivial to derive from one another. –Sometimes called symmetric cryptography.

17. CIT 380: Securing Computer SystemsSlide #17 Substitution Ciphers Substitute plaintext chars for ciphered chars. –Simple: Always use same substitution function. –Polyalphabetic: Use different substitution functions based on position in message.

18. CIT 380: Securing Computer SystemsSlide #18 Cryptanalysis of Cæsar Cipher Exhaustive search –If the key space is small enough, try all possible keys until you find the right one. –Cæsar cipher has 26 possible keys.

19. CIT 380: Securing Computer SystemsSlide #19 General Simple Substitution Cipher Key Space: All permutations of alphabet. Encryption: –Replace each plaintext letter x with K(x) Decryption: –Replace each ciphertext letter y with K -1 (y) Example: A B C D E F G H I J K L M N O P Q R S T U V W X Y Z K= F U B A R D H G J I L K N M P O S Q Z W X Y V T C E CRYPTO BQCOWP

20. CIT 380: Securing Computer SystemsSlide #20 General Substitution Cryptanalysis Exhaustive search impossible –Key space size is 26! =~ 4 x 1026 –Historically thought to be unbreakable. –Yet people solve them as newspaper puzzles every day… Solution: frequency analysis. Lesson: A large key space is necessary but not sufficient for security of a cryptosystem.

21. CIT 380: Securing Computer SystemsSlide #21 Cryptanalysis: Frequency Analysis Languages have different frequencies of –letters –digrams (groups of 2 letters) –trigrams (groups of 3 letters) –etc. Simple substitution ciphers preserve frequency distributions.

22. CIT 380: Securing Computer SystemsSlide #22 English Letter Frequencies

23. CIT 380: Securing Computer SystemsSlide #23 Additional Frequency Features 1.Digram frequencies –Common digraphs: EN, RE, ER, NT, TH 2.Trigram frequencies –Common trigrams: THE, ING, THA, ENT 3.Vowels other than E rarely followed by another vowel. 4.The letter Q is followed only by U. 5.Many others.

24. CIT 380: Securing Computer SystemsSlide #24 Countering Frequency Analysis Nulls –Insert additional symbols (numbers) which have no meaning in random places. Idiosyncratic spellings –Hacker speak: www.google.com/intl/xx-hacker Homophonic substitution –Each letter has multiple substitutions. These techniques increase difficulty of frequency analysis but don’t make it impossible.

25. CIT 380: Securing Computer SystemsSlide #25 Countering Frequency Analysis Primary weakness of simple substition: –Each ciphertext letter corresponds to only one letter of plaintext. Solution: polyalphabetic substitution –Use multiple cipher alphabets. –Switch between cipher alphabets from character to character in the plaintext.

26. CIT 380: Securing Computer SystemsSlide #26 Letter Frequency Distributions

27. CIT 380: Securing Computer SystemsSlide #27 Vigènere Cipher Use phrase instead of letter as key. Example: –Message THE BOY HAS THE BALL –Key VIG –Encipher using Cæsar cipher for each letter: key VIGVIGVIGVIGVIGV plain THEBOYHASTHEBALL cipher OPKWWECIYOPKWIRG Key space size is 26 m.

28. CIT 380: Securing Computer SystemsSlide #28 Relevant Parts of Tableau G I V A G I V B H J W E L M Z H N P C L R T G O U W J S Y A N T Z B O Y E H T Tableau shown has relevant rows, columns only. Example encipherments: 1.key V, letter T: follow V column down to T row (giving “O”) 2.Key I, letter H: follow I column down to H row (giving “P”)

29. CIT 380: Securing Computer SystemsSlide #29 Useful Terms period: length of key –In earlier example, period is 3 tableau: table used to encipher and decipher –Vigènere cipher has key letters on top, plaintext letters on the left.

30. CIT 380: Securing Computer SystemsSlide #30 Simple Attacks 1.Chosen Plaintext –Choose plaintext of all a’s. –If long enough, it will be encrypted to the key. 2.Dictionary Attack –Guess key from dictionary and try decryption. 3.Brute Force –Try every possible key in turn. –Is there a ciphertext only attack that’s faster?

31. CIT 380: Securing Computer SystemsSlide #31 Vigènere Cryptanalysis 1.Find key length (period). 2.Break message into n parts, each part being enciphered using the same key letter. 3.Use frequency analysis to solve resulting simple substition ciphers. key VIGVIGVIGVIGVIGV plain THEBOYHASTHEBALL cipher OPKWWECIYOPKWIRG

32. CIT 380: Securing Computer SystemsSlide #32 Kaskski Test Conjunction of key repetition with repeated portion of plaintext produces repeated ciphertext. Example: key VIGVIGVIGVIGVIGV plain THEBOYHASTHEBALL cipher OPKWWECIYOPKWIRG Key and plaintext line up over the repetitions. Distance between reptitions is 9 – Repeated phrase “OPK” at 1 st and 10 th positions. – Period is a multiple of 9 (1, 3 or 9.)

33. CIT 380: Securing Computer SystemsSlide #33 Example Vigènere Ciphertext ADQYS MIUSB OXKKT MIBHK IZOOO EQOOG IFBAG KAUMF VVTAA CIDTW MOCIO EQOOG BMBFV ZGGWP CIEKQ HSNEW VECNE DLAAV RWKXS VNSVP HCEUT QOIOF MEGJS WTPCH AJMOC HIUIX

34. CIT 380: Securing Computer SystemsSlide #34 Repetitions in Example LettersStartEndDistanceFactors MI 515102, 5 OO 222755 OEQOOG 2454302, 3, 5 FV 3963242, 2, 2, 3 AA 4387442, 2, 11 MOC 50122722, 2, 2, 3, 3 QO 56105497, 7 PC 69117482, 2, 2, 2, 3 NE 778362, 3 SV 949733 CH 11812462, 3

35. CIT 380: Securing Computer SystemsSlide #35 Estimate of Period OEQOOG is probably not a coincidence –Two character repetitions may be chance. –Period may be 1, 2, 3, 5, 6, 10, 15, or 30 Most others (7/10) have 2 in their factors Almost as many (6/10) have 3 in their factors. Begin with period of 2  3 = 6.

36. CIT 380: Securing Computer SystemsSlide #36 Letter Coincidence Coincidence: Picking two letters at random from a message that are identical. Probability of picking two a’s –Let there be n letters in the ciphertext. –Let there be n a a’s in the ciphertext. –The probability of selecting two a’s at random

37. CIT 380: Securing Computer SystemsSlide #37 Index of Coincidence Probability of chosing two identical letters Coincidence probabilities for two letters: –English plaintext: 0.0667 –Random English letters: 1/26  0.0385

38. CIT 380: Securing Computer SystemsSlide #38 English Letter Frequencies a0.080h0.060n0.070t0.090 b0.015i0.065o0.080u0.030 c j0.005p0.020v0.010 d0.040k0.005q0.002w0.015 e0.130l0.035r0.065x0.005 f0.020m0.030s0.060y0.020 g0.015z0.002

39. CIT 380: Securing Computer SystemsSlide #39 Coincidence Counting Simple Language: f(A)=0.75, f(B)=0.25 Simple Cipher: Swap A’s and B’s AA.5625 BB.0625 AB.1875 BA.1875 AA.1875 BB.1875 AB.5625 BA.0625 PlaintextPlaintext/Ciphertext

40. CIT 380: Securing Computer SystemsSlide #40 Friedman Test Expected IC –Random: 0.0385 –Plaintext: 0.0667 0.0385 Expected IC by period –2: 0.052 –3: 0.047 –4: 0.045 –5: 0.044 –10: 0.041 0.0667 Index of Coincidence Shorter Key Longer Key

41. CIT 380: Securing Computer SystemsSlide #41 Compute I.C. for Example For our ciphertext, IC = 0.043 –Indicates a key of slightly more than 5. –A statistical measure, so it can be in error, but it agrees with the previous estimate (6). If the key has m characters, then every m th character is enciphered with the same shift. –The string of letters won’t be recognizable. –But its letter frequencies should be the same as English as it’s a monoalphabetic ciphertext.

42. CIT 380: Securing Computer SystemsSlide #42 Splitting Into Alphabets AlphabetIC AIKHOIATTOBGEEERNEOSAI 0.069 DUKKEFUAWEMGKWDWSUFWJU 0.078 QSTIQBMAMQBWQVLKVTMTMI 0.078 YBMZOAFCOOFPHEAXPQEPOX 0.056 SOIOOGVICOVCSVASHOGCC 0.124 MXBOGKVDIGZINNVVCIJHH 0.043 Divide cipher into 6 (period) alphabets. IC indicates single alphabet, except #4 and #6.

43. CIT 380: Securing Computer SystemsSlide #43 Frequency Examination ABCDEFGHIJKLMNOPQRSTUVWXYZ 131004011301001300112000000 210022210013010000010404000 312000000201140004013021000 421102201000010431000000211 510500021200000500030020000 6 01110022311012100000030101 HMMMHMMHHMMMMHHMLHHHMLLLLL Unshifted frequencies (H high, M medium, L low)

44. CIT 380: Securing Computer SystemsSlide #44 Begin Decryption First matches characteristics of unshifted alphabet Third matches if I shifted to A Sixth matches if V shifted to A Substitute into ciphertext (bold are substitutions) ADIYS RIUKB OCKKL MIGHKAZOTO EIOOL IFTAG PAUEF VATAS CIITW EOCNO EIOOL BMTFV EGGOP CNEKI HSSEW NECSE DDAAA RWCXS ANSNP HHEUL QONOF EEGOS WLPCM AJEOC MIUAX

45. CIT 380: Securing Computer SystemsSlide #45 Look For Clues AJE in last line suggests “are”, meaning second alphabet maps A into S: ALIYS RICKB OCKSL MIGHS AZOTO MIOOL INTAG PACEF VATIS CIITE EOCNO MIOOL BUTFV EGOOP CNESI HSSEE NECSE LDAAA RECXS ANANP HHECL QONON EEGOS ELPCM AREOC MICAX

46. CIT 380: Securing Computer SystemsSlide #46 Next Alphabet MICAX in last line suggests “mical” (a common ending for an adjective), meaning fourth alphabet maps O into A: ALIMS RICKP OCKSL AIGHS ANOTO MICOL INTOG PACET VATIS QIITE ECCNO MICOL BUTTV EGOOD CNESI VSSEE NSCSE LDOAA RECLS ANAND HHECL EONON ESGOS ELDCM ARECC MICAL

47. CIT 380: Securing Computer SystemsSlide #47 Got It! QI means that U maps into I, as Q is always followed by U: ALIME RICKP ACKSL AUGHS ANATO MICAL INTOS PACET HATIS QUITE ECONO MICAL BUTTH EGOOD ONESI VESEE NSOSE LDOMA RECLE ANAND THECL EANON ESSOS ELDOM ARECO MICAL

48. CIT 380: Securing Computer SystemsSlide #48 Countering Frequency Analaysis Observation: If Vigènere key is very long, frequency analysis won’t work. Problem: Long keys are hard to remember. Solution: Use multiple encryptions. –Encrypting with a key m and key n is same as encryption by key whose length is least common multiple of m and n. –If m and n are relatively prime, then the least common multiple is mn.

49. CIT 380: Securing Computer SystemsSlide #49 Rotor Machines Use multiple rounds of Vigènere substitution. –Machine contains multiple cylinders. –Each cylinder has 26 states (ciphers). –Cylinders rotate to change states on different schedules. –m-cylinder machine has 26 m substitution ciphers.

50. CIT 380: Securing Computer SystemsSlide #50 Enigma Machine 3 rotors: 17576 substitutions. 3 rotors can be used in any order: 6 combinations. Plug board: 6 pairs of letters can be swapped. Total keys ~ 10 16

51. CIT 380: Securing Computer SystemsSlide #51 Perfect Security: The One-Time Pad A Vigenère cipher with a random key at least as long as the message. Provably unbreakable. Example ciphertext: DXQR. Equally likely to correspond to –plaintext DOIT (key AJIY ) –plaintext DONT (key AJDY ) –and any other 4 letters.

52. CIT 380: Securing Computer SystemsSlide #52 One-Time Pad Warning: keys must be random, or you can attack the cipher by trying to regenerate the key. Approximations, such as using computer pseudorandom number generators to generate keys, are not random.

53. CIT 380: Securing Computer SystemsSlide #53 Block Ciphers Encrypt groups (blocks) of chars at once. Improvement over single char substitution –Cryptanalysis must use digraph frequencies for two-char blocks. –Longer blocks are more difficult to analyze. –Modern ciphers are block ciphers. Example: Playfair Cipher, 1854

54. CIT 380: Securing Computer SystemsSlide #54 Playfair Cipher Create 5x5 table –Fill in spaces with letters of key, dropping duplicate letters. –Fill remaining spaces with unused letters of alphabet in order Drop Q … or I = J PLAYF I|JREXM BCDGH KNOQS TUVWZ

55. CIT 380: Securing Computer SystemsSlide #55 Playfair Cipher Encryption Algorithm 1.If letters of pair are identical (or only one letter remains), add an “X” after first letter. 2.If two letters are in same row or column, replace them with the succeeding letters. 3.Otherwise, two letters form a rectangle, and we replace them with letters on the same row respectively at the other pair of corners.

56. CIT 380: Securing Computer SystemsSlide #56 Playfair Cipher Example Plaintext is HELLO WORLD –Pair HE is rectangle, replace with DM –Pair LX (X inserted) is rectangle, YR –Pair LO is rectangle, replace with AN –Pair WO is rectangle, replace with VQ –Pair RL is in column, replace with CR –Pair DX is rectangle, replace with GE Ciphertext is DMYRANVQCRGE

57. CIT 380: Securing Computer SystemsSlide #57 Transposition Cipher Cryptanalysis Anagramming –If 1-gram frequencies match English frequencies, but other n-gram frequencies do not, –then, message likely ciphered via transposition. –Rearrange letters to form n-grams with highest frequencies.

58. CIT 380: Securing Computer SystemsSlide #58 Cryptanalysis Example Rail Fence Ciphertext: HLOOLELWRD Frequencies of 2-grams beginning with H –HE 0.0305 –HO 0.0043 –HL, HW, HR, HD < 0.0010 Frequencies of 2-grams ending in H –WH 0.0026 –EH, LH, OH, RH, DH ≤ 0.0002 Implies E follows H

59. CIT 380: Securing Computer SystemsSlide #59 Cryptanalysis Example Arrange so the H and E are adjacent HE LL OW OR LD Read across, then down, to recover plaintext.

60. CIT 380: Securing Computer SystemsSlide #60 Shannon Criteria 1.Kerchoff’s Principle –The only secret should be the key. –Cipher should be secure if mechanism known but not the key. 2.Use both substitution + permutation –Substitution: hide local patterns of language. –Permutation: hide large-scale patterns by mixing different parts of plaintext.

61. CIT 380: Securing Computer SystemsSlide #61 SP-Networks Combine Substitution+Permutation (transposition) –Substitution: adding unknown key values will confuse attacker about value of plaintext symbol. –Permutation: Transposing text to ensure nothing is left in its original position. Designing for Security –Block Size –Number of Rounds Each input bit is XOR of several output bits from previous round. –Choice of S-boxes

62. CIT 380: Securing Computer SystemsSlide #62 Overview of the DES 1.Block cipher: encrypts blocks of 64 bits –56-bit key + 8 parity bits 2.Product cipher –substitution + transposition 3.16 rounds (iterations) of encryption –Round key generated from user key –Each round is a Feistel network.

63. CIT 380: Securing Computer SystemsSlide #63 DES Modes Electronic Code Book Mode (ECB) –Encipher each block independently. Insecure. Cipher Block Chaining Mode (CBC) –XOR each block with previous ciphertext block. –Requires an initialization vector for the first one. Triple DES: Encrypt-Decrypt-Encrypt Mode (3 keys: k, k´, k´´) –c = DES k (DES k´ –1 (DES k’’ (m))) –Double-encryption vulnerable to meet-in-middle attack, reducing difficulty from 2 112 to 2 57.

64. CIT 380: Securing Computer SystemsSlide #64 CBC Mode Encryption  init. vector m1m1 DES c1c1  m2m2 c2c2 sent … … …

65. CIT 380: Securing Computer SystemsSlide #65 Current Status of DES Design for computer system, associated software that could break any DES-enciphered message in a few days published in 1998. Several challenges to break DES messages solved using distributed computing. NIST selected Rijndael as Advanced Encryption Standard, successor to DES. –128-bit block product cipher. –Designed to withstand attacks that succeeded on DES. –Keys: 128, 192, or 256 bits.

66. CIT 380: Securing Computer SystemsSlide #66 Key Points 1.Cryptography is the art of securing messages. 2.Types of ciphers 1.Substitition 2.Transposition (permutation) 3.Product 3.Cryptanalysis 1.Language features can be used to break ciphers. 2.Frequency analysis: Kaski test, Index of Coincidence. 4.Block ciphers 1.DES

67. CIT 380: Securing Computer SystemsSlide #67 References 1.Matt Bishop, Introduction to Computer Security, Addison-Wesley, 2005. 2.Paul Garrett, Making, Breaking Codes: An Introduction to Cryptology, Prentice Hall, 2001. 3.David Kahn, The Codebreakers, MacMillan, 1967. 4.Wenbo Mao, Modern Cryptography: Theory and Practice, Prentice Hall, 2004. 5.Alfred J. Menezes, Paul C. van Oorschot and Scott A. Vanstone, Handbook of Applied Cryptography, http://www.cacr.math.uwaterloo.ca/hac/, CRC Press, 1996.Alfred J. MenezesPaul C. van OorschotScott A. Vanstone http://www.cacr.math.uwaterloo.ca/hac/ 6.NIST, FIPS Publication 46-3: Data Encryption Standard (DES), 1999, http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdf 7.Bruce Schneier, Applied Cryptography, 2 nd edition, Wiley, 1996. 8.US Government Dept of the Army, FM 34-40-2 FIELD MANUAL, 1990, http://www.umich.edu/~umich/fm-34-40-2/ 9.John Viega and Gary McGraw, Building Secure Software, Addison- Wesley, 2002.