Computer Security Basic Crypto

Computer SecurityBasic Crypto

Introduction Cryptosystem: (E,D,M,K,C) M is the set of plaintexts K the set of keys C the set of ciphertexts E: M  K C the set of enciphering functions D: C  K Mthe set of deciphering functions

Introduction • Shift Cipher: M = C = K = Z26, with -- eK(x) = x + K mod26 -- dK(y) = y – K mod26 where x,y is in Z26 • Substitution Cipher: P = C = Z26, with K the set of permutations p on Z26 and -- ep(x) = p(x) -- dp(y) = p-1(y).

CryptosystemsBlock ciphers The Shift Cipher and Substitution Cipher are block ciphers: successive plaintext elements (blocks) are encrypted using the same key. We now consider some other block ciphers. • The Affine Cipher, is a special case of the • Substitution Cipher with • -- eK(x) = ax + b mod26 -- dK(y) = a-1y - a-1b mod26 wherea,b x,y is in Z26 andxis invertible.

Block ciphers The Vigenere Cipher is polyalphabetic. Let m > 1 • M = C = K = (Z26)m • For a key K = (k1, …, km) • -- eK(x1,…,xm) = (x1 + k1, …, xm + km) -- dK (y1,…,ym) = (y1 - k1, …, ym - km) where all operations are in Z26.

Block ciphers The Hill Cipher is also polyalphabetic. Let m > 1 • M = C = (Z26)m , Kis the set of all m by m invertible matrices over (Z26)m • For a key K • -- eK(x) = xK -- dK (y)= yK-1 with all operations are in Z26.

Block ciphers The Permutation Cipher. Let m > 1 M = C = (Z26)m , Kis the set of all permutations of {1,…,m}. • For a key (permutation) p • -- ep(x1,…,xm) = (xp(1),…,xp(m)) -- dp(y1,…,ym) = (yp-1(1),…, yp-1(1)) where p-1(1) is the inverse of p.

Stream Ciphers The ciphers considered so far are block ciphers. Another type of cryptosystem is the stream cipher.

Stream Ciphers • A synchronous stream cipher is a tuple (E,D,M,C,K,L,) with a function gsuch that: • M, C, K, E, Dare as before. • L is the keysteam alphabet • g is the keystream generator: it takes as input a key K and outputs an infinite string z1,z2, … called the keystream, where zi are in L. • For each zi are in L there is an encryption ruleez in E, and a decryption ruledz in D such that: dz (ez(x)) = x for all plaintexts x in M.

Stream Ciphers The Linear Feedback Shift Register or LFSR. The keystream is computed as follows: Let (k1,k2, … ,km) be the initialized key vector at time t. At the next time unit the key vector is updated as follows: -- k1 is tapped as the next keystream bit -- k2, … , km are each shifted one place to the left -- the “new” value of km is computed by m-1 km+1 =Scj kj+1 j=0

Stream Ciphers Let x1,x2, … be the plaintext (a binary string). Then the ciphertext is: y1,y2, … where yi,= xi + ki, for i=1,2,… and the sum is bitwise xor .

Cryptanalysis Attacks on Cryptosystems • Ciphertext only attack: the opponent possesses a string of ciphertexts: y1,y2, … • Known plaintext attack: the opponent possesses a string of plaintexts x1,x2, … and the corresponding string of ciphertexts: y1,y2, …

Attacks on Cryptosystems • Chosen plaintext attack: the opponent can choose a string of plaintexts x1,x2, … and obtain the corresponding string of ciphertexts: y1,y2, … • Chosen ciphertext attack: the opponent can choose a string of ciphertexts: y1,y2, … and construct the corresponding string of plaintexts x1,x2, …

Cryptanalysis of the shift cipher and substitution cipher: Ciphertext attack --use statistical properties of the language Cryptanalysis of the affine and Vigenere cipher: Ciphertext attack --use statistical: properties of the language Attacks on the affine and Vigenere cipher: Ciphertext attack --use statistical: properties of the language Cryptanalysis

Cryptanalysis of the Hill cipher: Known plaintext attack Cryptanalysis of the LFSR stream cipher: Known plaintext attack Cryptanalysis

One time pad This is a binary stream cipher whose key stream is a randomstream This cipher has perfect secrecy

Security • Computational security Computationally hard to break: requires super-polynomial computations (in the length of the ciphertext) • Provable security Security is reduced to a well studied problem though to be hard, e.g. factorization. • Unconditional security No bound on computation: cannot be broken even with infinite power/space. Only way to break is by “lucky” guessing.

Some Probability Theory • The random variables X,Y areindependent if: Pr[x,y] = Pr[x] . Pr[y], for all x,y in X In general, Pr[x,y] = Pr[x|y] . Pr[y] = Pr[y|x] . Pr[x], for all x,y in X

Some Probability Theory • Bayes’ Law: Pr[x|y] = • Corollary: X,Yare independentrandom variables (r.v.) iff Pr[x|y] = Pr[x]for all x,yinX Pr[y|x] . Pr[x] ----------------for allx,y inX Pr[y]

Perfect secrecy • A cryptosystem is perfectly secure if : Pr[x|y] = Pr[x], for all x in M and y in C

Perfect secrecy Theorem Let |K|=|C|=|M| for a cryptosystem. We have perfect secrecy iff : • Every key is used with equal probability, • For each x in P and y inC there is a unique key K in K that encrypts x to y 1 ------ |K |

One time pad We have K = C = M =Z2n. Also given: x = x1,…,xn and y = y1,…,yn, the key K = K1,…,Kn is unique because K = x+ymod 2 Finally all keys are chosen equiprobably. Therefore, the one time pad has perfect secrecy

Kerchoffs’ assumption The adversary knows all details of the encrypting function except the secret key

DES DES is a Feistel cipher. Block length 64 bits (effectively 56) Key length 56 bits Ciphertext length 64 bits

DES It has a round function g for which: g([Li-1,Ri-1 ]),Ki ) = (Li ,Ri), where Li = Ri-1 and Ri = Li-1 XOR f (Ri-1, Ki).

DES round encryption

DES inner function

DES computation path

Attacks on DES • Brute force • Linear Cryptanalysis -- Known plaintext attack • Differential cryptanalysis • Chosen plaintext attack • Modify plaintext bits, observe change in ciphertext No dramatic improvement on brute force

Countering Attacks • Large keyspace combats brute force attack • Triple DES (say EDE mode, 2 or 3 keys) • Use AES

AES Block length 128 bits. Key lengths 128 (or 192 or 256). The AES is an iterated cipher with Nr=10 (or 12 or 14) In each round we have: • Subkey mixing • A substitution • A permutation

Modes of operation Four basic modes of operation are available for block ciphers: • Electronic codebook mode: ECB • Cipher block chaining mode: CBC • Cipher feedback mode: CFB • Output feedback mode: OFB

Electronic Codebook mode, ECB Each plaintext xi is encrypted with the same key K: yi = eK(xi). So, the naïve use of a block cipher.

x1 x2 x3 x4 DES DES DES DES y1 y2 y3 y4 ECB

Cipher Block Chaining mode, CBC Each cipher block yi-1 is xor-ed with the next plaintext xi : yi = eK(yi-1 XOR xi) before being encrypted to get the next plaintext yi. The chain is initialized with an initialization vector: y0 = IV with length, the block size.

x1 x2 x3 x4 IV + + + + DES DES DES DES y1 y2 y3 y4 CBC

Cipher and Output feedback modes (CFB & OFB) CFB z0 = IV and recursively: zi = eK(yi-1) and yi = xi XOR zi OFB z0 = IV and recursively: zi = eK(zi-1) and yi = xi XOR zi

CFB mode x1 x2 IV eK + eK + eK y1 y2

OFB mode IV eK eK x1 x2 + + y1 y2

Public Key Cryptography AliceBob Alice and Bob want to exchange a private key in public.

Public Key Cryptography Alicega mod pBob gb mod p The private key is:gab mod p where p is a prime and g is a generator of Zp

The RSA cryptosystem Let n = pq, where p and q are primes. Let M = C= Zn, and let a,b be such thatab = 1 mod f(n). Define eK(x) = xb mod n and dK(y) = ya mod n, where (x,y)e Zn. Public key = (n,b), Private key (n,a).

Check We have: ed = 1 mod f(n), so ed = 1 + tf(n). Therefore, dK(eK(m)) = (me)d = med = mtf(n)+1 = (mf(n))t m = 1.m = m mod n

Example p = 101, q = 113, n = 11413. f(n) = 100x112 = 11200 = 26527 For encryption use e = 3533. Then d = e-1 mod11200 = 6597. Bob publishes: n = 11413, e = 3533. Suppose Alice wants to encrypt: 9726. She computes 97263533 mod 11413 = 5761 To decrypt it Bob computes: 57616597 mod 11413 = 9726

Security of RSA • Relation to factoring. Recovering the plaintext m from an RSA ciphertext c is easy if factoring is possible. • The RSA problem Given (n,e) and c, compute: m such that me = c mod n

The Rabin cryptosystem Let n = pq, p,q primes with p,q 3 mod 4. Let P = C = Zn* and define K = {(n,p,q)}. For K = (n,p,q) define eK(x) = x 2 mod n dK(y) = mod n The value of n is the public key, while p,q are the private key.

The RSA digital signature scheme Let n = pq, where p and q are primes. Let P = A= Zn , and define e,d such thated = 1 mod f(n). Define sigK(m) = md mod n and verK(m,y) = true y = me mod n, where (m,y)eZn. Public key = (n,e), Private key (n,d).

The Digital Signature Algorithm Let p be a an L-bit prime prime, 512  L 1024 and L  0 mod 64 , let q be a 160-bit prime that divides p-1 and Let e Zp* be a q-th root of 1 modulo p. Let M = Zp-1, A = Zqx Zqand K = {(x,y): y = x modp }. • The public key is p,q,,y. • The private key is (p,q,), x.

The Digital Signature scheme • Signing Let me Zp-1 be a message. For public key is p,g,,y, with y = x modp, and secret random number k e Zp-1, define: sigK(m,k) = (s,t), where • s = (k modp) mod q • t = (SHA1(m)+xs)k-1modq • Verification Let • e1 = SHA-1(m) t-1 modq • e2 = st-1 modq verK(m,(s,t)) = true (e1 ye2 modp) mod q = s.

Computer Security Basic Crypto

Computer Security Basic Crypto

Presentation Transcript

Good Computer Security Practices Basic Security Awareness

Computer Security

Basic security

Introduction to Security and Crypto

Basic Computer

Computer Security

Computer Security

Computer Security

Basic Computer Security

Basic Computer

Computer Security

Computer Basic

basic computer

Basic security

Basic Security

A Basic Introduction to Computer Security

Basic Computer Security