Introduction to Information Security Lecture 1: Introduction & Overview

Introduction to Information Security Lecture 1: Introduction & Overview 2009. 6. Prof. Kwangjo Kim

Contents 1. Lecture Overview 2. Basic terms 3. Quick overview on information security 4. Basic Number Theory

Lecture Overview Objective: This course introduces the fundamental understanding on cryptography to apply for any secure system including classical, symmetric and asymmetric cryptosystem with mathematical background. We also deal with the cryptographic protocols and their applications. Experts in this area will give a special talk on hot issues in information security. After finishing this class, the students can gain the general knowledge and background on information security and cryptography to execute advanced research. Course Webpage http://caislab.icu.ac.kr/Lecture/data/2009/summer/ice1212/

Overview Instructor:Prof. Kwangjo Kim Assistant: Zeen Kim Text: Handouts References: • Wade Trappe, Lawrence C. Washington, “Introduction to Cryptography with Coding Theory”, 2nd Ed, 2005, Prentice Hall ISBN 0-13-186239-1 • Richard A. Mollin, “An Introduction to Cryptography”, Chapman & Hall/CRC, 2001, ISBN 1-58488-127-5 Grading Policy: Midterm (35%), Final (35%), Quiz (10%), HW (10%), Attendance (10%)

Homework (Programming): 1st Half : Select one of 15 AES candidates after round 2 except Rijndael and program it with your favorite language. (Test: encryption and decryption of given test vector) Deadline : 7/3, 2009 2nd Half : Select one of SHA-3 (round 1) candidates and program it with your favorite language. (Test: validation of given test vector) Deadline : 7/31, 2009

Schedule (1/2)

Schedule (2/2)

1. Basic Terms Lots of new terminologies in every new fields…

What is Information Security? • Data • recording of “something” measured • Raw material, just measured • Information • Information is the result of processing, manipulating and organizing data in a way that adds to the knowledge of the receiver. • Processed data • Knowledge • Knowledge is normally processed by means of structuring, grouping, filtering, organizing or pattern recognition. • Highly structured information

What is Information Security? • Information Systems • An integrated set of components for collecting, storing, processing, and communicating information. • Business firms, other organizations, and individuals in contemporary society rely on information systems to manage their operations, compete in the marketplace, supply services, and augment personal lives. • Information Revolution • A phrase we use to refer to the dramatic changes taking place during the last half of the 20th century in which service jobs based on information are more common than jobs in manufacturing or agriculture. • Information becomes more and more important than materials, resources. • Competitiveness comes from information • How much information do you have?

What is Information Security? • Information Security (정보보안, 정보보호) • Information security is the process of protecting information from unauthorized access, use, disclosure, destruction, modification, or disruption • The protection of computer systems and information from harm, theft, and unauthorized use. • Protecting the confidentiality, integrity and availability of information • Information security is an essential infrastructure technology to achieve successful information-based society • Highly information-based company without information security will lose competitiveness • What kind of protection? • Protecting important document / computer • Protecting communication networks • Protecting Internet • Protection in ubiquitous world

Cryptology = Cryptography + Cryptanalysis • Cryptography : designing secure cryptosystems • Cryptography (from the Greek kryptós and gráphein, “to write”) was originally the study of the principles and techniques by which information could be concealed in ciphers and later revealed by legitimate users employing the secret key. • Cryptanalysis : analyzing the security of cryptosystems • Cryptanalysis (from the Greek kryptós and analýein, “to loosen” or “to untie”) is the science (and art) of recovering or forging cryptographically secured information without knowledge of the key. • Cryptology : science dealing with information security • Science concerned with data communication and storage in secure and usually secret form. It encompasses both cryptography and cryptanalysis.

Cryptology • Cryptography is a basic tool to implement information security • Security goals • Secrecy (confidentiality) • Authentication • Integrity • Non-repudiation • Verifiability • More application-specific security goals • Achieve these security goals using cryptography • Without cryptography …. ???

Encryption Decryption Plain Text Cipher Text Plain Text Key Key Shared key Encryption Decryption Plain Text Cipher Text Plain Text Receiver’s key Public Key Private Key Secret Key vs. Public Key Systems • Symmetric Key Cryptosystem • Public Key Cryptosystem

Common Terms (1) • Cryptography(암호설계): The study of mathematical techniques related to aspects of information security • Cryptanalysis(암호분석): The study of mathematical techniques for attempting to defeat cryptographic techniques • Cryptology(암호학): The study of cryptography and cryptanalysis • Cryptosystem(암호시스템): A general term referring to a set of cryptographic primitives used to provide information security • Symmetric key primitives; Public key primitives • Steganography: The method of concealing the existence of message • Cryptography is not the only means of providing information security, but rather one set of such techniques (physical / human security)

Common Terms (2) • Cipher: Block cipher, Stream cipher, Public key cipher • Plaintext/Cleartext (평문), Ciphertext (암호문) • Encryption/Encipherment(암호화) • Decryption/Decipherment(복호화) • Key (or Cryptographic key) • Secret key • Private key / Public key • Hashing (해쉬) • Authentication (인증) • Message authentication • User authentication • Digital signature (전자서명)

Attacks • Attacks • An efficient algorithm that, for a given cryptographic design, enables some protected elements of the design to be computed “substantially” quicker than specified by the designer. • Finding overlooked and realistic threats for which the design fails • Attacks on encryption algorithms • Exhaustive search (brute force attack) • Ciphertext-only attack • Known-plaintext attack • Chosen-plaintext attack • Chosen-ciphertext attack

Security Threats • Interruption/Denial of service • Interception: eavesdropping, wiretapping, theft … • Modification • Fabrication/Forgery • Unauthorized access • Denial of facts

Security Services • Security services • A service that enhances information security using one or more security mechanisms • Confidentiality/Secrecy (기밀성) Interception • Authentication (인증성) Forgery • Integrity (무결성) Modification • Non-repudiation (부인방지) Denial of facts • Access control (접근제어) Unauthorized access • Availability (가용성) Interruption

Availability Confidentiality Authentication Denial of Service Interception Forgery Wish to access!! Is Private? Who am I dealing with? Access Control Non-Repudiation Integrity Not SENT ! Unauthorized access Claim Modification Have you privilege? Who sent/received it? Has been altered? Security Needs for Network Communications

Security Mechanisms • Security mechanism • A mechanism designed to detect, prevent, or recover from a security attack • Encryption • Authentication • Digital signature • Key exchange • Access control • Monitoring & Responding

Models for Evaluating Security • Conditional vs. Unconditional Security • Unconditional security • Computational security • Provable vs. Ad hoc Security • Provable security • Ad hoc security

Basic Number Theory

Prime and Relative Prime Numbers Modular Arithmetic Fermat’s and Euler’s Theorem Testing for Primality Euclid’s Algorithm Chinese Remainder Theorem Discrete Logarithms Introduction to Number Theory

An integer p > 1 is a prime number if its only divisors are 1 and p Prime Factorization Any integer a>1 can be factored in a unique way as a = p11 p22 … ptt where p1 < p2 < … < pt are prime numbers and where each i > 0 If P is the set of all prime numbers, then any positive integer can be written uniquely in the following form The value of any positive integer can be specified by listing all nonzero exponents (ap) Multiplication of two numbers is equivalent to adding two corresponding exponents: k = mn  kp = mp + np for all p a|b  ap bp for all p Prime Numbers

Primes Under 2000

Greatest common divisor c = gcd(a, b) if c|a and c|b and d that divides a and b: d|c Equivalently, gcd(a, b) = max{c: c|a and c|b} k = gcd(a, b)  kp = min(ap, bp) for all p a and b are relatively prime if gcd(a, b) = 1 Relatively Prime Numbers

For any integer a and positive integer n, if a is divided by n, the following relationship holds: a = qn + r 0  r  n; q = a/n (q: quotient, r: remainder or residue) If a is an integer and n is a positive integer, a mod n is defined to be the remainder when a is divided by n a = a/n  n + (a mod n) Two integers a and b are said to be congruent modulo n if (a mod n) = (b mod n), and this is written a  b mod n Properties of modulo operator a  b mod n if n|(a – b) (a mod n) = (b mod n) implies a  b mod n a  b mod n implies b  a mod n a  b mod n and b  c mod n implies a  c mod n Modular Arithmetic

Modulo arithmetic operation over Zn = {0, 1, …, n-1} Properties [(a mod n) + (b mod n)] mod n = (a + b) mod n [(a mod n)  (b mod n)] mod n = (a  b) mod n [(a mod n)  (b mod n)] mod n = (a  b) mod n Modular Arithmetic Operations

Modulo arithmetic over Zn = {0, 1, …, n-1} (called a set of residues of modulo n) Integers modulo n with addition and multiplication form a commutative ring Commutative laws (a + b) mod n = (b + a) mod n (a  b) mod n = (b  a) mod n Associative laws [(a + b) + c] mod n = [a + (b + c)] mod n [(a  b)  c] mod n = [a  (b  c)] mod n Distributive laws [a  (b + c)] mod n = [(a  b) + (a  c)] mod n Identities (a + 0) mod n = a mod n (a  1) mod n = a mod n Additive inverse (-a) a  Zn b s.t. a + b  0 mod n Multiplicative inverse (a-1) a (0)  Zn, if a is relative prime to n, b s.t. a  b  1 mod n If n is not prime, Zn is a ring, but not a field Zp is a field Properties of Modular Arithmetic

Modular 7 Arithmetic

Group A set of numbers with some addition operation whose result is also in the set (closure) Obeys associative law, has an identity, has inverses If also is commutative its an abelian group Ring An abelian group with a multiplication operation also Multiplication is associative and distributive over addition If multiplication is commutative, its a commutative ring e.g., integers mod N for any N Field An abelian group for addition A ring An abelian group for multiplication (ignoring 0) e.g., integers mod P where P is prime Groups, Rings, Fields

If p is prime and a is a positive integer not divisible by p, then ap-1 1 mod p Proof Start by listing the first p – 1 positive multiples of a: a, 2a, 3a, …, (p-1)a Suppose that ra and sa are the same modulo p, then we have r  s mod p, so the p-1 multiples of a above are distinct and nonzero; that is, they must be congruent to 1, 2, 3, …, p-1 in some order. Multiply all these congruences together and we find a  2a  3a  …  (p-1)a  1  2  3  …  (p-1) mod p or better, ap-1(p-1)!  (p-1)! mod p. Divide both side by (p-1)! to complete the proof Corollary If p is prime and a is any positive integer, then ap a mod p Fermat’s Little Theorem

Euler’s totient function (n) is the number of positive integers less than n (including 1) and relatively prime to n (p) = p-1 (1) = 1 (Definition) Let p and q be distinct prime numbers, n = pq. Then (pq) = (p)(q) = (p-1)(q-1) Proof Consider Zn = {0, 1, …, pq-1} The residues not relatively prime to n are 0, {p, 2p, …, (q-1)p}, and {q, 2q, …, (p-1)q} So (pq) = pq - (1 + (q-1) + (p-1)) = pq - p - q + 1 = (p-1)(q-1) Euler’s Totient Function

Euler’s Totient Function

Generalization of Fermat’s little theorem For every a and n that are relatively prime, a(n) 1 mod n Proof The proof is completely analogous to that of the Fermat's Theorem except that instead of the set of residues {1,2,...,n-1} we now consider the set of residues {x1,x2,...,x(n)} which are relatively prime to n. In exactly the same manner as before, multiplication by a modulo n results in a permutation of the set {x1, x2, ..., x(n)}. Therefore, two products are congruent: x1x2 ... x(n) (ax1)(ax2) ... (ax(n)) mod n dividing by the left-hand side proves the theorem. Corollary a(n)+1 a mod n Euler’s Theorem

Corollaries Given two prime numbers, p and q, and integers n = pq and m, with 0<m<n, m(n)+1 = m(p-1)(q-1)+1 m mod n (Demonstrate the validity of the RSA algorithm) mk(n)  1 mod n mk(n)+1  m mod n Euler’s Theorem

Miller-Ravin primality test Can be used to determine if a large number is prime Based on the following theorem If p is an odd prime, then the equation x2 ≡ 1 (mod p) has only two solutions – namely, x ≡1 (mod p) and x ≡ 1 (mod p) Proof Omitted If there exist solutions to x2 ≡ 1 (mod n) other than  1, then n is not prime Testing for Primality (Miller-Ravin’s)

An efficient way to compute ab mod n Repeated squaring Computes ac mod n as c is increased from 0 to b Each exponent computed in a sequence is either twice the previous exponent or one more than the previous exponent Each iteration of the loop uses one of the identities a2c mod n = (ac)2 mod n, a2c+1 mod n = a  (ac)2 mod n depending on whether bi = 0 or 1 Just after bit bi is read and processed, the value of c is the same as the prefix bkbk-1…bi of the binary representation of b Variable c is not needed (included just for explanation) Modular Exponentiation • Modular-Exponentiation(a, b, n) • c  0 • d  1 • let bkbk-1…b0 be the binary representation of b • for i  k downto 0 • do c  2c • d  (d  d) mod n • if bi = 1 • then c  c + 1 • d  (d  a) mod n • return d

Example Result of Modular-Exponentiation algorithm for ab mod n, where a = 7, b = 560 = 1000110000, n = 561. The values are shown after each execution of the for loop Modular Exponentiation - Example • Modular-Exponentiation(a, b, n) • c  0 • d  1 • let bkbk-1…b0 be the binary representation of b • for i  k downto 0 • do c  2c • d  (d  d) mod n • if bi = 1 • then c  c + 1 • d  (d  a) mod n • return d

Core algorithm is WITNESS(a, n) n : inputs to WITNESS, to be tested for primality, a : some randomly chosen integer, 1  a < n WITNESS(a, n) is TRUE if and only if a is a “witness” to the compositeness of n – that is, if it is possible using a to prove that n is composite If WITENSS returns FALSE, then n may be prime Testing for Primality (Miller-Ravin’s) • WITNESS (a, n) • let bkbk-1…b0 be the binary rep. of (n-1) • d  1 • for i  k downto 0 • do x  d • d  (d  d) mod n • if d =1 and x  1 and x  n –1 • then return TRUE • if bi = 1 • then d  (d  a) mod n • if d  1 • then return TRUE • return FALSE

Lines 3-9 compute d as an-1 mod n (identical to that employed by Modular-Exponentiation) • Whenever squaring step is performed on line 5, lines 6,7 check to see if nontrivial square root of 1 has just been discovered (x  1 (mod n) yet x2  1 (mod n)). If so, returns TRUE • If WITENSS returns TRUE from line 11, then it has discovered that d = an-1 mod n  1. If n is prime, however, by Fermat’s theorem an-1  1 (mod n) for all a. Therefore, n cannot be prime Testing for Primality (Miller-Ravin’s) • WITNESS (a, n) • let bkbk-1…b0 be the binary rep. of (n-1) • d  1 • for i  k downto 0 • do x  d • d  (d  d) mod n • if d =1 and x  1 and x  n –1 • then return TRUE • if bi = 1 • then d  (d  a) mod n • if d  1 • then return TRUE • return FALSE

Testing for Primality (Miller-Ravin’s) • Miller-Ravin Primaility Test • Probabilistic search • Repeatedly invoke s times WITNESS(n,a) using randomly chosen values for a, if return false, then the probability that n is prime is at least 1 – 2-s • MILLER_RAVIN (n, s) • for j  1 to s • do a  RANDOM(1, n-1) • if WITNESS(a, n) • then return COMPOSITE • return PRIME

Based on the following theorem gcd(a, b) = gcd(b, a mod b) Proof If d = gcd(a, b), then d|a and d|b For any positive integer b, a = kb + r ≡ r mod b, a mod b = r a mod b = a – kb (for some integer k) because d|b, d|kb because d|a, d|(a mod b) ∴ d is a common divisor of b and (a mod b) Conversely, if d is a common divisor of b and (a mod b), then d|kb and d|[ kb+(a mod b)] d|[ kb+(a mod b)] = d|a ∴ Set of common divisors of a and b is equal to the set of common divisors of b and (a mod b) ex) gcd(18,12) = gcd(12,6) = gcd(6,0) = 6 gcd(11,10) = gcd(10,1) = gcd(1,0) = 1 Euclid’s Algorithm – Finding GCD

Recursive algorithm Function Euclid (a, b) /* assume a  b  0 */ if b = 0 then return a else return Euclid(b, a mod b) Iterative algorithm Euclid(d, f) /* assume d > f > 0 */ 1. X  d; Y  f 2. if Y=0 return X = gcd(d, f) 3. R = X mod Y 4. X  Y 5. Y  R 6. goto 2 Euclid’s Algorithm – Finding GCD

If gcd(d, f) =1, d has a multiplicative inverse modulo f Euclid’s algorithm can be extended to find the multiplicative inverse In addition to finding gcd(d, f), if the gcd is 1, the algorithm returns multiplicative inverse of d (modulo f) Euclid’s Alg. – Finding Multiplicative Inverse • Extended Euclid(d, f) • (X1, X2, X3)  (1, 0, f); (Y1, Y2, Y3)  (0, 1, d) • If Y3 = 0 return X3 = gcd(d, f); no inverse • If Y3 = 1 return Y3 = gcd(d, f); Y2 = d-1 mod f • Q = X3/Y3 • (T1, T2, T3)  (X1  QY1, X2  QY2, X3  QY3) • (X1, X2, X3)  (Y1, Y2, Y3) • (Y1, Y2, Y3)  (T1, T2, T3) • goto 2

Euclid’s Alg. – Finding Multiplicative Inverse • Extended Euclid(d, f) • (X1, X2, X3)  (1, 0, f); (Y1, Y2, Y3)  (0, 1, d) • If Y3 = 0 return X3 = gcd(d, f); no inverse • If Y3 = 1 return Y3 = gcd(d, f); Y2 = d-1 mod f • Q = X3/Y3 • (T1, T2, T3)  (X1  QY1, X2  QY2, X3  QY3) • (X1, X2, X3)  (Y1, Y2, Y3) • (Y1, Y2, Y3)  (T1, T2, T3) • goto 2 Note: Always f  Y1 + d  Y2 = Y3

Let M = m1 m2 m3  …  mk, where mi’s are pairwise relatively prime, i.e., gcd(mi, mj) = 1, 1 ≤ i≠j ≤ k Assertion A  (a1, a2,…..,ak), where A  ZM, ai Zmi, and ai = A mod mi for 1 ≤ i ≤ k One to one correspondence(bijection) between ZM and the Cartesian product Zm1 Zm2 ….  Zmk For every integer A such that 0 ≤ A < M, there is a unique k-tuple (a1, a2,…..,ak)with 0 ≤ ai <mi For every such k-tuple (a1, a2,…..,ak), there is a unique A in ZM Transformation from A to (a1, a2,…..,ak) is unique Computing A from (a1, a2,…..,ak) is done as follows Let Mi = M/mi for 1 ≤ i ≤ k, i.e., Mi = m1 m2 …  mi-1 mi+1 …  mk Note that Mi ≡ 0 (mod mj) for all j ≠ i Let ci = Mi x (Mi-1 mod mi) for 1 ≤ i ≤ k Then A ≡ (a1c1+ a2c2 + …+ akck) mod M  ai = A mod mi, since cj≡ Mj ≡ 0 (mod mi) if j≠ i and ci ≡ 1 (mod mi) Chinese Remainder Theorem

Operations performed on the elements of ZM can be equivalently performed on the corresponding k-tuples by performing the operation independently in each coordinate position ex) A ↔ (a1, a2, ... ,ak), B ↔ (b1, b2, … ,bk) (A  B) mod M ↔ ((a1 b1) mod m1, … ,(ak  bk) mod mk) (A  B) mod M ↔ ((a1 b1) mod m1, … ,(ak bk) mod mk) (A  B) mod M ↔ ((a1 b1) mod m1, … ,(ak bk) mod mk) CRT provides a way to manipulate (potentially large) numbers mod M in term of tuples of smaller numbers Chinese Remainder Theorem

Introduction to Information Security Lecture 1: Introduction & Overview