Goals of this lecture:

to introduce basic concepts & terminology of encryption to prepare us for studying modern cryptography

SCYTALE , is an example for a really old tech that was used to cipher (encrypt) information . The concept of operation is so simple . Get a long strip of leather and wind it over a rode like the picture , write the clear data on the leather over the rod and then unwind it . h l h h d d h i di

HELP ME I AM UNDER ATTACK will be "HENTEIDTLAEAPMRCMUAK , and it totally depends on the diameter of the rod , which is the key to decipher the message .

Plaintext: original message to be encrypted Ciphertext: the encrypted message Enciphering or encryption: the process of converting plaintext into ciphertext Encryption algorithm: performs encryption oTwo inputs: a plaintext and a secret key

Deciphering or decryption: recovering p g yp g plaintext from ciphertext Decryption algorithm: performs decryption oTwo inputs: ciphertext and secret key Secret key: same key used for encryption and decryption oAlso referred to as a symmetric key y y

Cipher or cryptographic system : a scheme p yp g p y for encryption and decryption Cryptography: science of studying ciphers Cryptanalysis: science of studying attacks against cryptographic systems i t t hi t Cryptology: cryptography + cryptanalysis

y p y Symmetric cipher: same key used for encryption and decryption oBlock cipher: encrypts a block of plaintext at p yp p
a time (typically 64 or 128 bits)

oStream cipher: encrypts data one bit or one

byte at a time

Asymmetric cipher: different keys used for encryption and decryption

6

or conventional / secret-key / single-key sender and recipient share a common key all classical encryption algorithms are symmetric The Th only type of ciphers prior to the l f i h i h invention of asymmetric-key ciphers in 1970s 1970 s by far most widely used
7

Goal: Confidentiality
Alice Ali My account number is 485853 and my PIN is 4984 4984 Bob

Eve

Message sent in clear: Eve can overhear Encryption unintelligible to Eve; only Bob can decipher with his secret key (shared w/ Alice)

Notations mathematically:
Y = EK(X) X = DK(Y)
or or

Y = E(K, X) X = D(K, Y)

X = plaintext Y = ciphertext K = secret key

E = encryption algorithm D = decryption algorithm D i th i f is the inverse of E Both E and D are known to public p
9

Alice

EK1(M) K1

DK2(C) K2

Bob

M message K1 encryption key EK1(M) message M is encrypted using key K1 C ciphertext K2 decryption key DK2(C) ciphertext C is decrypted using key K2
If K1=K2 this is symmetric i (secret key) encryption If K1K2 this is asymmetric (public key) encryption

Alice encrypts (algorithm F) a message (m) y with the same key (k) that Bob uses to decrypt.
Alice 1. Construct m 2. Compute c= F(m,k) 3. Send c to Bob Bob

4. Receive c from Alice 5. Compute d=F-1(c,k) 6 m=d 6.

Eve can see c, but cannot compute m because k is only known to Alice and Bob

Objective: to recover the plaintext of a ciphertext or, more typically, to recover ll the secret key. Kerkhoffs principle: the adversary knows all details about a cryptosystem except the secret key. key Two general approaches: obrute-force attack onon-brute-force attack (cryptanalytic attack)
12

Try every key to decipher the ciphertext. On average, need to try half of all possible keys average Time needed proportional to size of key space
Key Size (bits) K Si (bit ) 32 56 128 168 26 characters (permutation) Number f N b of Alternative Keys 232 = 4.3 109 256 = 7.2 1016 72 2128 = 3.4 1038 2168 = 3.7 1050 26! = 4 1026 Time required at 1 Ti i d t decryption/s 231 s 255 s 2127 s years 2167 s years = 35.8 minutes = 1142 years = 5.4 1024 = 5.9 1036 Time required at 106 Ti i d t decryptions/s 2.15 milliseconds 10.01 10 01 hours 5.4 1018 years 5.9 1030 years 6.4 106 years

2 1026 s = 6.4 1012 years

13

y y May be classified by how much information needed by the attacker: oCiphertext-only attack Ciphertext only oKnown-plaintext attack oChosen-plaintext attack Chosen plaintext oChosen-ciphertext attack

14

Given: a ciphertext c Q: what is the plaintext m? An encryption scheme is completely insecure if it cannot resist ciphertext-only attacks. tt k

15

Alice

EK(M) K

DK(C) K

Bob

Eve

Cyphertext-only attack: C h t t l tt k Eve can gather and analyze Cs to learn K How does Eve know she got the right key? g g y Eve has to have enough ciphertext

Given: (m1,c1), (m2,c2), , (mk,ck) and a new ciphertext c. Q: what is the plaintext of new ciphertext c? f Q: h is h Q what i the secret k in use? key i ?

17

Alice

EK(M) K

DK(C) K

Bob

Eve

Known-plaintext attack: Eve can attempt to learn K by observing many ciphertexts C for known messages M How does Eve obtain the plaintext?

Given: (m1,c1), (m2,c2), , (mk,ck), where c ) c ) c) m1, m2, , mk are chosen by the adversary; and a new ciphertext c. Q Q: what is the plaintext of c, or what is the p , secret key?

19

Alice

EK(M) K

DK(C) K

Bob

Mallory

Chosen-plaintext attack: Mallory can feed chosen messages M into encryption algorithm and look at resulting ciphertexts C. Learn either K or messages M that produce C. Assumption is that extremely few messages M can produce same C.

In 1942, US Navy cryptanalysts discovered that Japan was planning an attack on AF. AF . They believed that AF means Midway island. Pentagon didn t think so. didnt so US forces in Midway sent a plain message that their freshwater supplies were low low. Shortly, US intercepted a Japanese ciphertext saying th t AF was l t that low on water. This proved that AF is Midway.
21

Given: (m1,c1), (m2,c2), , (mk,ck), where c1, c2, , ck are chosen by the adversary; and a new ciphertext c. Q: what is the plaintext of c, or what is the secret key?

22

Alice

EK(M) K

DK(C) K

Bob

Man-in-the-middle attack: o Mallory can substitute messages o Mallory can modify messages o So that they have different meaning o So that they are scrambled oMallory can drop messages l o M ll Mallory can replay messages t Ali to Alice, B b or Bob the third party

Mallory

Alice

EK(M) K

DK(C) K

Bob

Eve

Brute-force attack: Eve has caught a ciphertext and will try every possible key to try to decrypt it. This can be made infinitely hard by choosing a large keyspace. y p

Plaintext is viewed as a sequence of elements (e.g., bits or characters) l ( bi h ) Substitution cipher: replacing each element of the plaintext with another element. Transposition (or permutation) cipher: rearranging the order of the elements of the plaintext. Product cipher: using multiple stages of substitutions and transpositions
25

Substitution oGoal obscure relationship bet een Goal: obsc re between

plaintext and ciphertext oSubstitute parts of plaintext with parts of ciphertext i h

Transposition (shuffling) oGoal: dissipate redundancy of the plaintext by

spreading it over ciphertext oThis way changing one bit of plaintext affects many bits of the ciphertext (if we have rounds of encryption)

Earliest known substitution cipher Invented by Julius Caesar Each letter is replaced by the letter K positions further down the alphabet. (e.g. K=3)

Plain:

abcdefghi j k lmnopqrst uvwxyz Cipher: D E F G H I J K L M N O P Q R S T U V W X Y Z A B C p

Example: ohio state

HELLO b becomes KHOOR

RKLR VWDWH
27

Mathematically, map letters to numbers:

a, b, c, ..., x, y, z 0, 1, 2, ..., 23, 24, 25

Then the general Caesar cipher is:

c = EK(p) = (p + k) mod 26 d p = DK(c) = (c k) mod 26

Can be generalized with any alphabet.

28

Key space: {0, 1, ..., 25} Instead of using number k=3 we could use I d f i b k 3 ld k [1,25]. K would be our key How can we break this cipher? o Vulnerable to brute-force attacks. E.g., break ciphertext "UNOU YZGZK Need to recognize it when have the plaintext

What if the plaintext is written in Swahili?

29

We can also choose a mapping for each letter W l h i f h l tt (A ...Z) : for example, (H is A, E is M, L is K, O is Y). This mapping would be our key. This is monoalphabetic cipher. o HELLO becomes AMKKY b Monoalphabetic: each character is replaced p p with another character How can we break this cipher? frequency of symbols stays the same and f f b l h d can be used to break the cipher

Shuffle the letters and map each plaintext letter to a d ff l different random ciphertext l d h letter:
Plain letters: ab cd efghi jk lmno pq r s t uvw xyz Cipher letters: DKVQFIBJWPESCXHTMYAUOLRGZN p Plaintext: ifwewishtoreplaceletters Ciphertext: WIRFRWAJUHYFTSDVFSFUUFYA What does a key look like?

31

Now we have a total of 26! = 4 x 1026 keys. keys With so many keys, it is secure against brute-force attacks brute force attacks. But not secure against some cryptanalytic attacks. k Problem is language characteristics.

32

Human languages are not random. Letters are not equally frequently used. In English, i b far th I E li h E is by f the most common t letter, followed by T, R, N, I, O, A, S. Other letters like Z, J, K, Q, X are fairly rare. There are tables of single, double & triple g , p letter frequencies for various languages

33

34

In decreasing order of frequency Double letters: th he an in er re es on, Triple letters: the and ent ion tio for nde,

35

Key concept:

omonoalphabetic substitution does not change

relative letter frequencies

To attack, we ocalculate letter frequencies for ciphertext ocompare this distribution against the known one

36

Given ciphertext:

Count relative letter frequencies (see next page) Guess {P, Z} = {e, t} Of double letters, ZW has highest frequency, so guess ZW = th and h f d hence ZWP = the Proceeding with trial and error finally get: g yg
it was disclosed yesterday that several informal but direct contacts have been made with political representatives of the viet cong in moscow

UZQSOVUOHXMOPVGPOZPEVSGZWSZOPFPESXUDBMETSXAIZ VUEPHZHMDZSHZOWSFPAPPDTSVPQUZWYMXUZUHSX EPYEPOPDZSZUFPOMBZWPFUPZHMDJUDTMOHMQ

37

P Z S U O M

13.33 11.67 8.33 8 33 8.33 7.50 7 50 6.67

H D E V X

5.83 5.00 5 00 5.00 4.17 4 17 4.17

F W Q T A

3.33 3.33 2.50 2 50 2.50 1 67 1.67

B G Y I J

1.67 1.67 1.67 1 67 0.83 0.83 0 83

C K L N R

0.00 0.00 0 00 0.00 0.00 0 00 0.00

38

Not even the large number of keys in a p p y monoalphabetic cipher p provides security. One approach to improving security is to encrypt multiple letters at a time. yp p The Playfair Cipher is the best known such cipher. p Invented by Charles Wheatstone in 1854, but named after his friend Baron Playfair. y

39

Use a 5 x 5 matrix. matrix Fill in letters of the key (w/o duplicates). Fill the rest of matrix with other letters letters. E.g., key = MONARCHY.
M C E L U O H F P V N Y G Q W A B I/J S X R D K T Z
40

Plaintext is encrypted two letters at a time.

1. If a pair is a repeated letter, insert filler like 'X. 2. b th l tt f ll i th 2 If both letters fall in the same row, replace each l h
with the letter to its right (circularly).

3. If both letters fall in the same column, replace

each with the the letter below it (circularly).

4. Otherwise, each letter is replaced by the letter in

the same row but in the column of the other letter of the pair.

41

Equivalent to a monoalphabetic cipher with an alphabet of 26 x 26 = 676 characters. l h b f h Security is much improved over the simple monoalphabetic cipher. l h b ti i h Was widely used for many decades oeg. b US & British military in WW1 and early WW2 by S h l d l 2 Once thought to be unbreakable. Actually, it can be broken, because it still leaves some structure of plaintext intact.
42

Keyword Infosec I/J E G P V N C H Q W F A K R X O B L T Y S D M U Z

43

Rules recall: oGroup plaintext letters two at a time

oSeparate repeating letters with an x oT k a pair of l Take i f letters f from plaintext l i oPlaintext letters in the same row are replaced by
letters t th right (cyclic manner) l tt to the i ht ( li ) by letters below (cyclic manner)

oPlaintext letters in the same column are replaced oPlaintext letters in different row and column are
replaced by the letter in the row corresponding to the column of the other letter and vice versa
44

E.g., Plaintext: CRYPTO IS TOO EASY Keyword is INFOSEC Grouped text: CR YP TO IS TO XO EA SY Ciphertext: AQ VT YB NI YB YF CB OZ To decrypt, the receiver reconstructs the 5 x 5 matrix using the keyword and then uses the same rules as for encryption
45

A sequence of monoalphabetic ciphers (M1, M2, M3, ..., Mk) is used in turn to encrypt letters. A key d t k determines which sequence of i hi h f ciphers to use. Each plaintext letter has multiple corresponding ciphertext letters. This makes cryptanalysis harder since the letter frequency distribution will be flatter.
46

Simplest and most common polyalphabetic substitution cipher Consider the set of all Caesar ciphers: { Ca, Cb, Cc, ..., Cz } Key: e.g. security Encrypt each letter using Cs, Ce, Cc, Cu, Cr, E hl i Ci, Ct, Cy in turn. Repeat from start after Cy. Decryption simply works in reverse.
47

E.g., Message = SEE ME IN MALL Take keyword as INFOSEC Vigenre cipher works as follows: SEEMEI NMALL INFOSEC I NFO ------------------------------------ARJAWMPUNQZ

49

To decrypt, the receiver places the keyword characters below each ciphertext character h b l h i h h Using the table, choose the row table corresponding to the keyword character and look for the ciphertext character in that row Plaintext character is then at the top of that column

50

Decryption of ciphertext: A RJ AWMPUNQZ I NFO S EC I NFO ---------------------------------S E EMEIN MALL Best feature is that same plaintext character is substituted by different ciphertext characters (i e polyalphabetic) (i.e.,

51

Keyword: deceptive
key: deceptivedeceptivedeceptive plaintext: wearediscoveredsaveyourself ciphertext: ZICVTWQNGRZGVTWAVZHCQYGLMGJ

52

There are multiple (how many?) ciphertext letters corresponding to each plaintext letter letter. So, letter frequencies are obscured but not totally lost. To break Vigenere cipher:

1. 1 Try to guess the key length How? length. 2. If key length is N, the cipher consists of N Caesar 3. Attack each individual cipher as before.

ciphers. Plaintext letters at positions k, N+k, 2N+k, 3N+k, etc., are encoded by the same cipher.

53

Main idea: Plaintext words separated by multiples of the key length are encoded in the same way. In our example, if plaintext = thexxxxxxthe then the will be encrypted thexxxxxxthe the to the same ciphertext words. So look at the ciphertext for repeated p p p patterns. E.g. repeated VTW in the previous example suggests a key length of 3 or 9: i h ciphertext: ZICVTWQNGRZGVTWAVZHCQYGLMGJ Of course, the repetition could be a random fluke.

54

Before modern ciphers, rotor machines were most common complex ciphers in use. l h Widely used in WW2. Used U d a series of rotating cylinders. i f i li d Implemented a polyalphabetic substitution cipher of period K. With 3 cylinders, K = 263 =17,576. With 5 cylinders, K = 265 =12 x 106. t cy de s, 6 0 What is a key?

o If the adversary has a machine o If the adversary d th d doesnt h t have a machine hi

55

56

57

58

59

Also called permutation ciphers. Shuffle the plaintext, without altering the actual letters used. Example: Row Transposition Ciphers

60

Plaintext is written row by row in a rectangle. Ciphertext: write out the columns in an order specified by a key.
Key: 3 4 2 1 5 6 7 Plaintext:

a t t a c k p o s t p o n e d u n t i l t w o a mx y z

Ciphertext: TTNAAPTMTSUOAODWCOIXKNLYPETZ
61

Uses a sequence of substitutions and transpositions oHarder to break than just substitutions or
t a spos t o s transpositions

This is a bridge from classical to modern ciphers.

62

A cipher is unconditionally secure if it is secure no matter how much resources (time, space) the attacker has. A cipher is computationally secure if the best algorithm for breaking it will require so much resources (e.g., 1000 years) th t h ( ) that practically the cryptosystem is secure. All the ciphers we have examined are not unconditionally secure.
63

Vernams one-time pad cipher Key = k1k2 k3k4 K (random, used one-time only) y ( , y Plaintext = m1m2m3m4 K Ciphertext = c1c2c3c4 K where ci = mi ki Can be proved to be unconditionally secure.

64

g g Hide a message in another message. E.g., hide your plaintext in a graphic image oEach pixel has 3 bytes specifying the RGB color p y p y g oThe least significant bits of pixels can be changed
w/o greatly affecting the image quality oSo can hide messages in these LSBs

Advantage: hiding existence of messages D b k high h d Drawback: hi h overhead

65

 Take a 640x480 (=30,7200) pixel image. 115 200 Using only 1 LSB can hide 115,200 characters LSB, Using 4 LSBs, can hide 460,800 characters.

66

An actual message from a German spy oread second letter in each word Apparently, neutrals protest is thoroughly A utral s discounted and ignored. Isman hard hit. Blockade issue affect pretext for embargo on by products, ejecting suets and vegetable oils. Pershing Sails from NY June 1

67

Have considered:

oclassical cipher techniques and terminology omonoalphabetic substitution ciphers ocryptanalysis using letter frequencies oPlayfair cipher opolyalphabetic ciphers otransposition ciphers oproduct ciphers and rotor machines ostenography
68

50 B.C. Julius Caesar uses cryptographic technique 400 A.D. Kama Sutra in India mentions yp g p q cryptographic techniques 1250 British monk Roger Bacon describes simple ciphers 1466 Leon Alberti develops a cipher disk 1861 U i i h during Union f forces use a cipher d i Civil War

69

1914 1917

1917 1919

World War I British, French, and German forces use encryption technology William Friedman, Father of U.S. encryption efforts starts a school ff h l for teaching cryptanalysis in Illinois AT&T employee Gilbert Vernam invents polyalphabetic cipher G l hi Germans d develop th E i the Engima machine for encryption

70

1937 1942 1948 1976 1976 1977 key

Japanese design the Purple machine for encryption Navajo windtalkers help with secure communication during World War II Claude Shannon d l d h develops statistical l l methods for encryption/decryption IBM develops DES Diffie Hellman develop public key / private key cryptography Ri t Shamir Adleman d l Rivest Sh i Adl develop th the RSA algorithm for public key / private

71

y Outline Syllabus oConcept of Secure Computing, Domain of

Protection, Social Engineering, Attacks and Defenses, Defenses Defining Security Policy Classical Policy, Ciphers, Encryption and Decryption, Symmetric and Asymmetric Ciphers, Operating System Holes, Holes Application Security (Web e-mail (Web, e mail, Databases), Viruses, Privacy, and Digital Rights Management, Intrusion Detection Systems, Secure Protocols Security of Middleware Software Protocols, Middleware, Protection, Web Security and Wireless Network Security.

72