Outline:
- History & Puzzles
- Substitution Ciphers
- The birth of Cryptanalysis
- Modern Times
- DES
- Diffie-Hellman key exchange
- RSA
- PGP
- Contentious Issues

References:
- Applied Cryptography, Bruce Schneier
- Cracking DES, Electronic Frontier Foundation
- The Code Book, Simon Singh
MS 1
Cryptography
The Basic Idea:
Two approaches:
1) Make the algorithm secret and don't use a key. (Bad idea)
2) Make the algorithm public but keep the key secret. (Good idea)
[Figure: bitmap example]
[Diagram: plaintext + key -> algorithm -> ciphertext]
Before Computers
Substitution ciphers ruled:
Caesar (shift by N): 26 possibilities, easy to decode. For example, shift by 3:
Plaintext:  A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
Ciphertext: D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
Before Computers
Cryptanalysis:
First known publication: A Manuscript on Deciphering Cryptographic Messages, by the ninth-century Arab scholar Abu Yusuf Yaqub ibn Is-haq ibn as-Sabbah ibn Omran ibn Ismail al-Kindi.
Statistical frequency analysis of letters and words can easily break any mono-alphabetic substitution cipher. In English:
- most common letters: E, T, A, O, I, N, S
- most common 2-letter words: ON, AS, TO, AT, IT
- most common 3-letter words: THE, AND, FOR, WAS
A puzzle worked on the slides (a mono-alphabetic substitution). The ciphertext:
ORITFSIMU YKFMUNM WIUNIS UEI HFKK RIMIXFMD UEI PVUENRFUA NC
UEI MPUFNM'T FMUIKKFDIMYI PDIMYFIT HIYPVTI FU YNMUPFMT XEPU
EI YPKKIS P ORNWFTFNM UEPU XNVKS LPJI FU P YRFLI CNR P
DNWIRMLIMU NCCFYFPK UN SFTYKNTI YKPTTFCFIS FMCNRLPUFNM.

U=t E=h I=e (UEI is the most common three-letter word, so try THE; letters not yet known are shown as -):
--e---e-t ----t-- -et-e- the ---- -e-e---- the --th---t- --
the --t---'- --te----e--e --e---e- -e----e -t ---t---- -h-t
he ----e- - --------- th-t ----- ---e -t - ----e --- -
---e---e-t -------- t- -------e --------e- -------t---.

P=a (the one-letter word):
--e---e-t ----t-- -et-e- the ---- -e-e---- the a-th---t- --
the -at---'- --te----e--e a-e---e- -e-a--e -t ---ta--- -hat
he -a--e- a --------- that ----- -a-e -t a ----e --- a
---e---e-t ------a- t- -------e --a-----e- ------at---.

F=i N=o:
--e-i-e-t --i-to- -etoe- the -i-- -e-e-i-- the a-tho-it- o-
the -atio-'- i-te--i-e--e a-e--ie- -e-a--e it -o-tai-- -hat
he -a--e- a --o-i-io- that -o--- -a-e it a --i-e -o- a
-o-e---e-t o--i-ia- to -i---o-e --a--i-ie- i--o--atio-.

C=f R=r:
-re-i-e-t --i-to- -etoe- the -i-- re-e-i-- the a-thorit- of
the -atio-'- i-te--i-e--e a-e--ie- -e-a--e it -o-tai-- -hat
he -a--e- a -ro-i-io- that -o--- -a-e it a -ri-e for a
-o-er--e-t offi-ia- to -i---o-e --a--ifie- i-for-atio-.

Y=c K=l A=y V=u:
-re-i-e-t cli-to- -etoe- the -ill re-e-i-- the authority of
the -atio-'- i-telli-e-ce a-e-cie- -ecau-e it co-tai-- -hat
he calle- a -ro-i-io- that -oul- -a-e it a cri-e for a
-o-er--e-t official to -i-clo-e cla--ifie- i-for-atio-.

O=p T=s S=d M=n L=m:
president clinton -etoed the -ill rene-in- the authority of
the nation's intelli-ence a-encies -ecause it contains -hat
he called a pro-ision that -ould ma-e it a crime for a
-o-ernment official to disclose classified information.

W=v H=b X=w D=g J=k (the remaining letters follow from the words):
president clinton vetoed the bill renewing the authority of
the nation's intelligence agencies because it contains what
he called a provision that would make it a crime for a
government official to disclose classified information.
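The puzzle above, worked mechanically: this is an added Python example, not code from the slides. It counts cipher letters and three-letter words (which single out I, F, U and the word UEI), then applies the slides' guesses stage by stage, showing '-' for letters not yet known. The ciphertext is the slide's, joined into one string; the stage 5 to 7 mappings are read off the slides' partial decodes.

```python
from collections import Counter

# Ciphertext from the slides (mono-alphabetic substitution), joined into one string.
CIPHERTEXT = (
    "ORITFSIMU YKFMUNM WIUNIS UEI HFKK RIMIXFMD UEI PVUENRFUA NC "
    "UEI MPUFNM'T FMUIKKFDIMYI PDIMYFIT HIYPVTI FU YNMUPFMT XEPU "
    "EI YPKKIS P ORNWFTFNM UEPU XNVKS LPJI FU P YRFLI CNR P "
    "DNWIRMLIMU NCCFYFPK UN SFTYKNTI YKPTTFCFIS FMCNRLPUFNM."
)

# The slides' guesses in order: 'the' first, then a, i/o, f/r, and so on until the key is complete.
STAGES = [
    {"U": "t", "E": "h", "I": "e"},
    {"P": "a"},
    {"F": "i", "N": "o"},
    {"C": "f", "R": "r"},
    {"Y": "c", "K": "l", "A": "y", "V": "u"},
    {"O": "p", "T": "s", "S": "d", "M": "n", "L": "m"},
    {"W": "v", "H": "b", "X": "w", "D": "g", "J": "k"},
]

def letter_counts(text):
    """Cipher letters sorted by frequency; the top ones are candidates for e, t, a, o, i, n, s."""
    return Counter(c for c in text if c.isalpha()).most_common()

def common_words(text, length):
    """Cipher words of one length, most frequent first (punctuation stripped)."""
    words = [w.strip("'.") for w in text.split()]
    return Counter(w for w in words if len(w) == length).most_common()

def apply_key(text, key):
    """Decode with a partial key; cipher letters not yet guessed are shown as '-'."""
    return "".join(key.get(c, "-") if c.isalpha() else c for c in text)

def decode_stages(text=CIPHERTEXT, stages=STAGES):
    """Partial decode after each stage of guesses, as shown on the slides."""
    key, out = {}, []
    for stage in stages:
        key.update(stage)
        out.append(apply_key(text, key))
    return out

if __name__ == "__main__":
    print(letter_counts(CIPHERTEXT)[:7])      # I, F, U lead: e, i, t
    print(common_words(CIPHERTEXT, 3))        # UEI dominates: 'the'
    for line in decode_stages():
        print(line)
```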
There are patches to try to increase the security of the mono-alphabetic substitution cipher:
- Eliminate spaces
- Use many-to-one mappings that level the frequencies
- Lots of other clever ideas
Still very weak! Clever cryptanalysts knew how to beat them all hundreds of years ago!!
Polyalphabetic substitution ciphers provided the next big step. (Worked OK until the dawn of modern computers.)
Idea: use many different substitution alphabets, different ones for different letters.
Vigenere square
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26
a B C D E F G H I J K L M N O P Q R S T U V W X Y Z A
b C D E F G H I J K L M N O P Q R S T U V W X Y Z A B
c D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
d E F G H I J K L M N O P Q R S T U V W X Y Z A B C D
e F G H I J K L M N O P Q R S T U V W X Y Z A B C D E
f G H I J K L M N O P Q R S T U V W X Y Z A B C D E F
g H I J K L M N O P Q R S T U V W X Y Z A B C D E F G
h I J K L M N O P Q R S T U V W X Y Z A B C D E F G H
i J K L M N O P Q R S T U V W X Y Z A B C D E F G H I
j K L M N O P Q R S T U V W X Y Z A B C D E F G H I J
k L M N O P Q R S T U V W X Y Z A B C D E F G H I J K
l M N O P Q R S T U V W X Y Z A B C D E F G H I J K L
m N O P Q R S T U V W X Y Z A B C D E F G H I J K L M
n O P Q R S T U V W X Y Z A B C D E F G H I J K L M N
o P Q R S T U V W X Y Z A B C D E F G H I J K L M N O
p Q R S T U V W X Y Z A B C D E F G H I J K L M N O P
q R S T U V W X Y Z A B C D E F G H I J K L M N O P Q
r S T U V W X Y Z A B C D E F G H I J K L M N O P Q R
s T U V W X Y Z A B C D E F G H I J K L M N O P Q R S
t U V W X Y Z A B C D E F G H I J K L M N O P Q R S T
u V W X Y Z A B C D E F G H I J K L M N O P Q R S T U
v W X Y Z A B C D E F G H I J K L M N O P Q R S T U V
w X Y Z A B C D E F G H I J K L M N O P Q R S T U V W
x Y Z A B C D E F G H I J K L M N O P Q R S T U V W X
y Z A B C D E F G H I J K L M N O P Q R S T U V W X Y
z A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
This can still be cryptanalyzed:
- it is just N mono-alphabetic substitution ciphers (N is the length of the key)
- so, just solve the N mono-alphabetic problems as before

Keyword    VOTEVOTEVOTEVOTEVOTE
Plaintext  ihavethreestinkydogs
Ciphertext DVTZZHAVZSLXDBDCYCZW

If there are patterns in the key (for example, words), the message can still be decrypted with a bit of work.
Enigma: repeated after 26^3 = 17,576 letters. Successfully broken by Rejewski, Turing et al. (a lot of work; protocol important).
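An added Python example (not from the slides) of both halves of the story: the Vigenere shift that reproduces the VOTE example above, and the attack the slides describe, splitting the ciphertext into N columns and solving each column as a Caesar cipher by comparing its letter histogram with English. The English frequency table is an assumed approximation; the attack needs a message much longer than the 20-letter slide example to work.

```python
import string

ALPHA = string.ascii_uppercase

# Approximate English letter frequencies in percent, A..Z (assumed table, not from the slides).
ENGLISH = [8.2, 1.5, 2.8, 4.3, 12.7, 2.2, 2.0, 6.1, 7.0, 0.15, 0.77, 4.0, 2.4,
           6.7, 7.5, 1.9, 0.095, 6.0, 6.3, 9.1, 2.8, 0.98, 2.4, 0.15, 2.0, 0.074]

def letters_only(text):
    return "".join(c for c in text.upper() if c in ALPHA)

def vigenere(text, key, decrypt=False):
    """Shift letter i by key letter i (mod len(key)); the Vigenere square does the same lookup."""
    text, key = letters_only(text), letters_only(key)
    out = []
    for i, ch in enumerate(text):
        shift = ALPHA.index(key[i % len(key)])
        if decrypt:
            shift = -shift
        out.append(ALPHA[(ALPHA.index(ch) + shift) % 26])
    return "".join(out)

def columns(ciphertext, n):
    """Every n-th letter was shifted by the same key letter: n Caesar ciphers, one per column."""
    return [ciphertext[i::n] for i in range(n)]

def best_shift(column):
    """Caesar shift whose un-shifted histogram is closest to English (chi-squared score)."""
    best, best_score = 0, float("inf")
    for s in range(26):
        counts = [0] * 26
        for ch in column:
            counts[(ALPHA.index(ch) - s) % 26] += 1
        expected = [p * len(column) / 100 for p in ENGLISH]
        score = sum((c - e) ** 2 / e for c, e in zip(counts, expected))
        if score < best_score:
            best, best_score = s, score
    return best

def recover_key(ciphertext, n):
    """Solve the n mono-alphabetic problems independently and reassemble the keyword."""
    return "".join(ALPHA[best_shift(col)] for col in columns(ciphertext, n))

if __name__ == "__main__":
    print(vigenere("ihavethreestinkydogs", "VOTE"))   # DVTZZHAVZSLXDBDCYCZW, as on the slide
```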
However:
IF the key is as long as the message
AND the key is completely random
THEN the encryption is perfect (can't be broken)!!!

The proof that a one-time pad gives perfect security is simple: suppose you have the ciphertext. Since all keys are equally likely, all decoded messages are equally likely!

Keyword    ASDF   Plaintext  dogs   Ciphertext DGJX
Ciphertext DGJX   Keyword    ASDF   Plaintext  dogs
Ciphertext DGJX   Keyword    BGQF   Plaintext  cats

The same thing in bits (hex; ciphertext = plaintext XOR key):
Plaintext  DEAD
Key        6042
Ciphertext BEEF
*Computing engines were spawned from code-breaking efforts during WW-II (Turing).

SO: just generate a long one-time pad bitstream, do the simple XOR, and we have perfect security. This has two problems:
1) It's hard to generate a long truly random bitstream.
2) Sender and receiver must both have the same one-time pad (i.e. the key).
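An added Python example (not from the slides) of the XOR one-time pad just described: it reproduces DEAD XOR 6042 = BEEF, checks the perfect-secrecy argument exhaustively for a two-byte ciphertext (every candidate plaintext has its own pad, so the ciphertext says nothing about which one was sent), draws pads from the OS random source for problem 1, and shows why the pad must be used once. Function names are this example's own.

```python
import secrets

def otp(data, pad):
    """One-time pad: XOR byte for byte. The same call encrypts and decrypts."""
    if len(pad) != len(data):
        raise ValueError("the pad must be exactly as long as the message")
    return bytes(a ^ b for a, b in zip(data, pad))

def new_pad(n):
    """Problem 1 on the slides: the pad must be truly random, so draw it from the OS CSPRNG."""
    return secrets.token_bytes(n)

def pad_explaining(ciphertext, candidate_plaintext):
    """The unique pad that would have produced `ciphertext` from `candidate_plaintext`."""
    return otp(ciphertext, candidate_plaintext)

def every_plaintext_is_possible(ciphertext):
    """The slides' proof, checked exhaustively for a short ciphertext: each of the 256**len
    candidate plaintexts has its own distinct pad, so the ciphertext favours none of them."""
    n = len(ciphertext)
    pads = {pad_explaining(ciphertext, c.to_bytes(n, "big")) for c in range(256 ** n)}
    return len(pads) == 256 ** n

def reuse_leak(c1, c2):
    """Why 'one time': two ciphertexts under the same pad XOR to p1 XOR p2, the pad cancels."""
    return otp(c1, c2)

if __name__ == "__main__":
    plaintext, key = bytes.fromhex("DEAD"), bytes.fromhex("6042")
    print(otp(plaintext, key).hex())                           # beef, the slide's example
    print(pad_explaining(bytes.fromhex("BEEF"), b"OK").hex())  # another pad 'explains' another plaintext
    print(every_plaintext_is_possible(bytes.fromhex("BEEF")))  # True
    msg = b"the key must be random and as long as the message"
    pad = new_pad(len(msg))
    print(otp(otp(msg, pad), pad) == msg)                      # True: XOR twice gives the message back
```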
If we make the algorithm more sophisticated we can make the minimum length of a secure key much shorter.
Suppose we have an algorithm that takes a block of plaintext and converts it into a block of ciphertext using an N-bit key. Suppose that changing any single bit in the key completely changes the ciphertext.
[Diagram: plaintext block + N-bit key -> algorithm -> ciphertext block]
If N = 128, the time required to try all 2^N keys is way beyond the age of the universe.

DES (Digital Encryption Standard)
Round structure: the 64-bit block goes through the initial permutation IP and is split into two 32-bit halves L0 and R0. Each round swaps the halves and mixes one of them with the round function f and a round key (+ is XOR):
  L1 = R0,  R1 = L0 + f(R0, K1)
and so on for 16 rounds, ending with
  L16 = R15,  R16 = L15 + f(R15, K16)
followed by IP^-1 to give the 64-bit ciphertext block.
IP (Initial Permutation):
[Figure: the 64 input bits, with positions 8, 16, 24, 32, 40, 48, 56 marked, are reordered before the first round]

One round (L0 and R0 in, L1 and R1 out, 32 bits each):
R0 (32 bits) -> Expansion Permutation -> 48 bits
  XOR with the 48-bit subkey K48 = g(i, K56) (the key for each round is deterministically found from the input 56-bit key)
  -> S-Box Substitution (48 bits in, 32 bits out)
  -> P-Box Permutation (32 bits) = f(R0, K1)
R1 = L0 XOR f(R0, K1);  L1 = R0
Expansion Permutation: 32 bits in, 48 bits out.
[Figure: input bit positions 12, 13, 16, 17, 20, 21, 24, 25, 28, 29, 32 marked; 48-bit output]

S-Box Substitution: 48 bits in, 32 bits out.
[Figure: the 48 bits are split into eight 6-bit groups, fed to S-box 1 ... S-box 8; the eight 4-bit outputs form the 32-bit result]
S-box 1 (6 bits in, 4 bits out; the two outer input bits are the page select, choosing one of the four rows, and the four inner bits choose the column):
14  4 13  1  2 15 11  8  3 10  6 12  5  9  0  7
 0 15  7  4 14  2 13  1 10  6 12 11  9  5  3  8
 4  1 14  8 13  6  2 11 15 12  9  7  3 10  5  0
15 12  8  2  4  9  5 11  3 14 10  0  1  7  6 13
P-Box Permutation: 32 bits in, 32 bits out.
[Figure: the 32 S-box output bits are reordered; positions 12, 13, 16, 17, 20, 21, 24, 25, 28, 29, 32 marked]
Subkey generation (K48 = g(i, K56)):
[Figure: the 56-bit key K56 is split into two 28-bit halves (bit positions 8, 16, 24, 32 and 40, 48, 56 marked); each half is shifted left by Ni in round i, and 48 of the 56 bits are selected to form the round key K48]
The shift accumulates every round.
Ni = {1,1,2,2,2,2,2,2,1,2,2,2,2,2,2,1}
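An added Python example (not the slides' code, and not real DES) of the two pieces the slides spell out: S-box 1 with its page-select bits, and the 16-round structure L_i = R_{i-1}, R_i = L_{i-1} XOR f(R_{i-1}, K_i) with the Ni key shifts. The round function and key schedule are toy stand-ins (assumed; real DES adds the E, P, PC-1 and PC-2 permutations and seven more S-boxes), which is enough to show the point of the structure: decryption is the same network run with the subkeys in reverse order, whatever f is.

```python
# DES S-box 1 as given on the slides: four rows ("pages") of sixteen 4-bit outputs.
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 5, 11, 3, 14, 10, 0, 1, 7, 6, 13],
]
# Per-round key shifts Ni from the slides; the shifts accumulate over the 16 rounds.
SHIFTS = [1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1]
MASK28, MASK32, MASK48 = (1 << 28) - 1, (1 << 32) - 1, (1 << 48) - 1

def sbox1(six_bits):
    """6 bits in, 4 bits out: outer two bits pick the row (page select), inner four the column."""
    row = ((six_bits >> 5) & 1) << 1 | (six_bits & 1)
    return S1[row][(six_bits >> 1) & 0xF]

def rotl28(x, n):
    return ((x << n) | (x >> (28 - n))) & MASK28

def subkeys(key56):
    """Toy schedule (assumed, not DES's PC-1/PC-2): rotate the two 28-bit halves by Ni each
    round and take the low 48 bits of the rejoined halves as K48 = g(i, K56)."""
    c, d, keys = key56 >> 28, key56 & MASK28, []
    for n in SHIFTS:
        c, d = rotl28(c, n), rotl28(d, n)
        keys.append(((c << 28) | d) & MASK48)
    return keys

def f(r32, k48):
    """Toy round function (assumed): expand 32->48 by repeating the top 16 bits, XOR the
    subkey, push each 6-bit group through S-box 1. Real DES uses E, eight S-boxes and P."""
    x = (((r32 << 16) | (r32 >> 16)) & MASK48) ^ k48
    out = 0
    for i in range(8):
        out = (out << 4) | sbox1((x >> (42 - 6 * i)) & 0x3F)
    return out

def feistel(block64, keys):
    """16 rounds of L_i = R_{i-1}, R_i = L_{i-1} XOR f(R_{i-1}, K_i), then the final swap."""
    l, r = block64 >> 32, block64 & MASK32
    for k in keys:
        l, r = r, l ^ f(r, k)
    return (r << 32) | l     # swapped output, as in the slides' L16 = R15 diagram

def encrypt(block64, key56):
    return feistel(block64, subkeys(key56))

def decrypt(block64, key56):
    """Same network, subkeys in reverse order: each XOR undoes itself whatever f is."""
    return feistel(block64, subkeys(key56)[::-1])
```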
DES Advantages:
Very fast: ideally suited for implementation in hardware (bit shifts, look-ups, etc.).
Dedicated hardware (in 1996) could run DES at 200 Mbyte/s. Well suited for voice, video, etc.
[Diagram: plaintext block + 56-bit key -> ciphertext block]
DES Security:
Not too good: trying all 2^56 possible keys is not that hard these days. (Thank the NSA for this.) If you spend ~$25k you can build a DES password cracker that will succeed in a few hours. Back in 1975 this would have cost a few billion $$. It is widely believed that the NSA did this. Similar algorithms with longer keys are available today (IDEA).
[Diagram: plaintext block + 56-bit key -> f -> ciphertext block (EFF)]

Other Issues:
With any symmetric algorithm, the key must be agreed upon by sender and receiver in a secure way. Before 1976, key exchange was by far the biggest problem in secure communications!
If j = +1 or -1, then the chance that p is not prime is no more than 50%. Choose another a and test again. Repeat until the desired confidence is reached.
RSA:
1) Pick two large prime numbers p and q. These are secret.
2) Calculate n = pq.
3) Pick another number e such that e and (p-1)(q-1) are relatively prime.
4) The numbers n and e make up your public key. Publish them!
5) Calculate d such that ed = 1 mod (p-1)(q-1) {i.e. d = e^-1 mod (p-1)(q-1)}.
6) The number d is your private key.
Encrypt message m via c = m^e mod n. Decrypt the ciphertext c via m = c^d mod n.
Example:
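An added Python example (not the slides' own) that runs steps 1 to 6 with small primes, encrypts and decrypts with the two formulas, and breaks a byte string into chunks smaller than n as the drawbacks slide describes. The primes, e and function names are this example's assumptions; this is textbook RSA with no padding, which suits the slides' arithmetic but not real use.

```python
from math import gcd

def rsa_keygen(p, q, e):
    """Steps 1-6 from the slides: n = pq; e coprime to (p-1)(q-1); d = e^-1 mod (p-1)(q-1).
    Returns (public key (n, e), private key (n, d)). p and q are assumed prime."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to (p-1)(q-1)")
    d = pow(e, -1, phi)        # modular inverse (Python 3.8+)
    return (n, e), (n, d)

def rsa_encrypt(m, public):
    """c = m^e mod n; the chunk m must be smaller than n."""
    n, e = public
    if not 0 <= m < n:
        raise ValueError("chunk must be smaller than n")
    return pow(m, e, n)

def rsa_decrypt(c, private):
    """m = c^d mod n."""
    n, d = private
    return pow(c, d, n)

def chunk_size(n):
    """Largest number of bytes whose value is always below n (the slides' 'chunks ~ n in size')."""
    return max(1, (n.bit_length() - 1) // 8)

def encrypt_bytes(data, public):
    """Textbook RSA on fixed-size chunks. No padding: fine for the slides' arithmetic, not for
    real use, where a randomized padding scheme such as OAEP is required."""
    k = chunk_size(public[0])
    return [rsa_encrypt(int.from_bytes(data[i:i + k], "big"), public)
            for i in range(0, len(data), k)]

def decrypt_bytes(chunks, private, length):
    """Inverse of encrypt_bytes; `length` restores the possibly shorter last chunk."""
    if not chunks:
        return b""
    k = chunk_size(private[0])
    parts = [rsa_decrypt(c, private).to_bytes(k, "big") for c in chunks]
    tail = length - k * (len(chunks) - 1)
    parts[-1] = parts[-1][k - tail:]
    return b"".join(parts)

if __name__ == "__main__":
    pub, priv = rsa_keygen(61, 53, 17)            # n = 3233, d = 2753
    print(rsa_encrypt(65, pub))                   # 2790
    msg = b"ihavethreestinkydogs"
    print(decrypt_bytes(encrypt_bytes(msg, pub), priv, len(msg)))
```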
RSA Drawbacks:
RSA is slow (i.e. computationally intensive). The message must be broken into chunks ~ n in size, and each block is encrypted separately. Does not really lend itself to hardware implementation: most RSA chips (in 1996) needed ~10^6 clock cycles per 512-bit encryption.

RSA Security:
RSA is secure because it's very hard to factor n to find p and q if n is sufficiently big. (Discrete logarithms.) "Sufficiently big" means ~2048 bits. "Hard" means that all the computers on earth could not do it in the age of the universe. Symmetric key algorithms can provide the same raw security with key lengths between 64 and 128 bits.

PGP = Pretty Good Privacy
Uses IDEA for encryption (similar to DES except for the 128-bit key). Uses RSA to exchange the IDEA key (RSA key lengths up to 2048 bits supported). Made available as freeware (www.pgp.com). In 1993 Zimmermann was charged with illegally exporting weapons. The FBI & DOJ hounded him until 1996 when the charges were dropped.
Today's Issues
CLIPPER & CAPSTONE: encryption chips developed by the NSA. They use the Escrowed Encryption Standard (EES): each chip has a back door that the government has a key to. They can use this key in the same sense as they can now do a phone wiretap.
Tempest
Quantum Cryptography
(Kwiat @ UIUC !)
How Bob and Alice can agree on a perfectly secret one-time pad:
[Figure: photon polarizations in the + and x schemes, each encoding a 0 or a 1]
Alice randomly switches between the + and x schemes and sends a random string of 1s and 0s to Bob. (Alice keeps track of the schemes she used and the bits she sent.)
Bob measures these photons with his own random choice of scheme (he does not know what Alice has done). Sometimes he gets it right, sometimes he gets it wrong:
[Figure: Alice's message (scheme and bit per photon) above Bob's measurements; the bits are guaranteed to agree only where Bob picked Alice's scheme]
Alice phones Bob and tells him how her schemes were chosen. Bob tells Alice which schemes he guessed right. Considering only these, they now agree on a subset of the bits sent.
Someone listening on the phone only knows which schemes were used, but not what the polarization was.
Any attempt to intercept photons will alter their state, which Alice and Bob can detect by comparing some of their bits to make sure they agree (and discarding these).
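An added Python simulation (not from the slides) of the exchange just described: Alice's random bits and schemes, Bob's random measurement scheme, the phone call that keeps only the positions where the schemes matched, and the check of a sacrificed sample of bits. The photon model is the simplest one consistent with the slides (assumed): measuring in the sending scheme returns the sent bit, measuring in the other scheme returns a random bit. An interceptor who measures and resends therefore leaves about 25% errors in the checked bits, which is how Alice and Bob notice.

```python
import random

def bb84(n_photons, eavesdrop=False, seed=1, check_fraction=0.5):
    """Simulate the protocol on the slides. Schemes are '+' or 'x'. A measurement in the same
    scheme returns the sent bit; in the other scheme it returns a random bit (assumed model).
    If eavesdrop is set, an interceptor measures each photon in a random scheme and resends it.
    Returns (alice_key, bob_key, error_rate_on_checked_bits)."""
    rng = random.Random(seed)
    bits = [rng.randint(0, 1) for _ in range(n_photons)]
    alice_schemes = [rng.choice("+x") for _ in range(n_photons)]
    bob_schemes = [rng.choice("+x") for _ in range(n_photons)]
    bob_bits = []
    for bit, a_scheme, b_scheme in zip(bits, alice_schemes, bob_schemes):
        state_scheme, state_bit = a_scheme, bit
        if eavesdrop:                       # intercept-resend alters the photon's state
            e_scheme = rng.choice("+x")
            state_bit = state_bit if e_scheme == state_scheme else rng.randint(0, 1)
            state_scheme = e_scheme
        bob_bits.append(state_bit if b_scheme == state_scheme else rng.randint(0, 1))
    # Over the phone: compare schemes only (never bits) and keep positions where they agree.
    keep = [i for i in range(n_photons) if alice_schemes[i] == bob_schemes[i]]
    alice_sifted = [bits[i] for i in keep]
    bob_sifted = [bob_bits[i] for i in keep]
    # Sacrifice a sample of the agreed bits to test for an interceptor, then discard them.
    n_check = int(len(keep) * check_fraction)
    errors = sum(a != b for a, b in zip(alice_sifted[:n_check], bob_sifted[:n_check]))
    error_rate = errors / n_check if n_check else 0.0
    return alice_sifted[n_check:], bob_sifted[n_check:], error_rate

if __name__ == "__main__":
    a, b, err = bb84(2000)
    print(len(a), a == b, err)            # about 500 pad bits, True, 0.0
    a, b, err = bb84(2000, eavesdrop=True)
    print(len(a), a == b, err)            # errors near 0.25: Alice and Bob abort
```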