1 / 77

Applied Cryptography

Applied Cryptography. Spring 2014. Lecture times. Thursdays 14:30-16:00 room 413 16 lectures Some changes are possible (but hopefully, not too many). Requirements. Attend lectures (if you want to) Collect at least 20 points 2 practical assignments 20 points each

enya
Télécharger la présentation

Applied Cryptography

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Applied Cryptography Spring 2014

  2. Lecture times • Thursdays 14:30-16:00 room 413 • 16 lectures • Some changes are possible (but hopefully, not too • many).

  3. Requirements • Attend lectures (if you want to) • Collect at least 20 points • 2 practical assignments 20 points each • Written exam 20 points • Any of the above is optional • The grade will be calculated (approximately) as follows: • 10 56-60 6 32-38 • 9 52-55 5 24-31 • 8 46-51 4 20-23 • 7 39-45

  4. Problems covered • Text encryption/decryption • Ciphers • Digital signatures • Hash functions • Digital signature algorithms • Protocols • Key generation and exchange • Certificates • Some real cryptographic systems • SSL and TLS standards (+ some others), email security • Smartcards, EMV, data authentication • GSM and cryptograpy, DVD "protection" etc • Security of encryptions. Some attacks

  5. Problems covered • Text encryption/decryption • Ciphers • Symmetric and asymmetric ciphers

  6. Symmetric vs. asymmetric cryptography • Symmetric ciphers – sender and recipient use the same key • Dkey(Ekey(m)) = m • Substitution cipher is an example of a symmetric cipher • Impractical for big systems – number of keys is quadratic in the number of users • The solution – asymmetric algorithms. Think of a locked mailbox! Different keys for encryption and decryption • Dprivate key(Epublic key(m)) = m

  7. Problems covered • Text encryption/decryption • Ciphers • Symmetric and asymmetric ciphers • Which ciphers to use? • Substitution

  8. Simple example – substitution cipher • The key is a permutation of the letters of the alphabet, i.e. a bijection • Encryption is performed by substituting each letter for its corresponding letter • Decryption is the same as encryption with the difference that the inverse is used

  9. Substitution cipher – example • Example: Encrypt MY DOG ATE YOUR CAT using the key U

  10. Breaking the substitution cipher • Substitution ciphers are easily broken using frequency analysis • We use the fact that different letters (or combination of letters) occur with different probability • Example – break TK IL KQ JKT TK IL TBST CR TBL OULRTCKJ • Frequency of letters in English: ETAOINSHRDLU • Most common two letter words: OF TO IN IS IT BE BY HE AS ON AT OR AN SO IF NO

  11. Problems covered • Text encryption/decryption • Ciphers • Symmetric and asymmetric ciphers • Which ciphers to use? • Substitution • XOR

  12. Vigenère cipher (poly-alphabetic) • Example: Encryption key - string of n characters e.g. "gold" We represent it with numbers corresponding to symbols from alphabet - (6,14,11,13) To encrypt i-th symbol from the block of length n, we add to it i-th number from the key (modulo size of alphabet) U

  13. Vernam cipher (XOR) Message: m1,...,mn n bits Key: k1,...,kn n bits Ciphertext: c1,...,cn, where ci = mi ki U

  14. Problems covered • Text encryption/decryption • Ciphers • Symmetric and asymmetric ciphers • Which ciphers to use? • Substitution • XOR • DES, IDEA, AES etc (symmetric)

  15. Data Encryption Standard (DES) • Financial companies found the need for a cryptographic algorithm that would have the blessing of the US government (=NSA) • First call for candidates in May 73, followed by a new call in August 74 • Not very many submissions (Why?) • IBM submitted Lucifer • NSA worked with IBM in redesigning the algorithm [From Andre L. M. dos Santos ]

  16. Data Encryption Standard (DES) • Key length: 56 + 8 parity bits = 64 bits • 8 bits are used for parity check, why is that? to make it 265 times less secure! read why 56 bits? section in the textbook. • How secure is DES? In 1998 $150K machine can break the key in 5 days! For added security, triple DES is 256more secure. [From Ravi Mukkamala]

  17. DES Enciphering Computation [From Sai Kovvuri]

  18. DES [From Henric Johnson]

  19. Time to break a code (106 decryptions/µs) [From Henric Johnson]

  20. Problems covered • Text encryption/decryption • Ciphers • Symmetric and asymmetric ciphers • Which ciphers to use? • Substitution • XOR • DES, IDEA, AES etc (symmetric) • RSA etc (asymmetric)

  21. Asymmetric cryptography • Each user has a public and a private key • The public key is published in a “phone book” • The private key is kept secret • Messages encrypted with the public key can be decrypted with the private key • To send a message to Mårten, look up Mårten’s public key in the “phone book”. • Mårten can then decrypt the message with his private key • Number of keys is linear in the number of users

  22. RSA • Asymmetric cryptographic algorithm published in 1978 (Rivest, Shamir, Adleman) • The most popular asymmetric algorithm used today • Now free to use – patent expired in 2000 • Relies on the hardness of factoring a number consisting of two primes • Actually invented by Cocks (from UK) in 1973, unfortunately the work was classified...

  23. Public-key cryptosystems P: *  * public key S: *  * secret key • For an arbitrary message M* we must have: • M = S(P(M)), and • M = P(S(M))

  24. Public-key cryptosystems - Encryption [Adapted from T.Cormen, C.Leiserson, R. Rivest]

  25. The RSA public-key cryptosystem p,q - two large primes (100 digits or more) n = pq e - small odd integer that is relatively prime to (p– 1)(q– 1) d - integer such that de  1 (mod(p– 1)(q– 1)) (it can be shown that it always exists) P = (e,n) - public key S = (d,n) - secret key Encoding: P(M) = Me(mod n) Decoding: S(C) = Cd(mod n) It works!

  26. RSA - Correctness n = pq e - odd and relatively prime to (p – 1)(q – 1) d - such that de  1(mod(p– 1)(q– 1)) P(M) = Me(mod n), S(C) = Cd(mod n) P(S(M)) = S(P(M)) = Med (mod n), ed = 1 + k(p– 1)(q– 1) M 0 (mod p)  MedM(Mp–1)k(q–1) (mod p)  M(1)k(q–1) (mod p)  M(mod p) M 0 (mod p)  Med M(mod p)

  27. RSA - Correctness Med M(mod p) Med M(mod q) Thus Med M(mod n)

  28. RSA - Complexity Encoding: P(M) = Me(mod n) Decoding: S(C) = Cd(mod n)

  29. Breaking RSA • If we can factor n we can break RSA • Suppose we know p, q such that pq = n • We can compute (p – 1)(q – 1) • It is now trivial to compute d = e-1 mod ((p – 1)(q – 1)) • The largest number that is (publicly) known to have been factored today is 512 bits

  30. Breaking RSA • If we can factor n we can break RSA • Suppose we know p, q such that pq = n • We can compute (p – 1)(q – 1) • It is now trivial to compute d = e-1 mod ((p – 1)(q – 1)) • The largest number that is (publicly) known to have been factored today is 512 bits • As of 2005 the largest number factored by general-purpose methods was 663 bits long

  31. Breaking RSA • If we can factor n we can break RSA • As of 2005 the largest number factored by general-purpose methods was 663 bits long • RSA keys are typically 1024–2048 bits long. Some experts believe that 1024-bit keys may become breakable in the near term (though this is disputed); few see any way that 4096-bit keys could be broken in the foreseeable future. • Other attacks exist for certain uses of RSA

  32. Problems covered • Text encryption/decryption • Ciphers • Symmetric and asymmetric ciphers • Which ciphers to use? • Substitution • XOR • DES, IDEA, AES etc (symmetric) • RSA etc (asymmetric) • Stream ciphers and block ciphers

  33. Block ciphers • A block cipher B is an encryption function Ekey:{0,1}k {0,1}l and a decryption function Dkey:{0,1}l {0,1}k such thatDkey(Ekey(m)) = m. • The value k is called block length. Usually k = l. • Commonly used block ciphers include DES, 3DES and IDEA. Clear (plain) text Cipher text n bits Key

  34. Stream ciphers

  35. Problems covered • Text encryption/decryption • Ciphers • Symmetric and asymmetric ciphers • Which ciphers to use? • Substitution • XOR • DES, IDEA, AES etc (symmetric) • RSA etc (asymmetric) • Stream ciphers and block ciphers • Chaining

  36. Chaining ciphers - ECB Clear text Key Enc Enc Enc Enc Cipher text • What happens when the clear text is longer than the block length k? • Most simple solution — encrypt each block separately. • This mode is called ECB, Electronic Code Book [From Mårten Trolin]

  37. Chaining ciphers - CBC

  38. Problems covered • Text encryption/decryption • Ciphers • Symmetric and asymmetric ciphers • Which ciphers to use? • Substitution • XOR • DES, IDEA, AES etc (symmetric) • RSA etc (asymmetric) • Stream ciphers and block ciphers • Chaining • Libraries of cryptographic functions

  39. Problems covered • Text encryption/decryption • Ciphers • Symmetric and asymmetric ciphers • Which ciphers to use? • Stream and block ciphers • Chaining • Stream ciphers and block ciphers • Chaining • Libraries of cryptographic functions • Digital signatures • Hash functions • MD5, SHA-1 etc

  40. Public-key cryptosystems - Digital signature [Adapted from T.Cormen, C.Leiserson, R. Rivest]

  41. Properties of good hash functions • Let H be a hash function • One-way • Given x, unfeasible to compute an v such that H(v) = x • Collision-free • Unfeasible to find x1 and x2 such that H(x1) = H(x2) and x1x2

  42. MD5 Message Digest Algorithm MD5 • Step 1: Append padding bits • Padded so that its bit length  448 mod 512 (i.e., the length of padded message is 64 bits less than an integer multiple of 512 bits) • Padding is always added, even if the message is already of the desired length (1 to 512 bits) • Padding bits: 1000….0 (a single 1-bit followed by the necessary number of 0-bits) [From H. Yoon]

  43. MD5 Message Digest Algorithm MD5 • Step 1: Append padding bits • Step 2: Append length • 64-bit length: contains the length of the original message modulo 264 • The expanded message is Y0, Y1, …, YL-1; the total length is L  512 bits • The expanded message can be thought of as a multiple of 16 32-bit words • Let M[0 … N-1] denote the word of the resulting message, where N = L  16 [From H. Yoon]

  44. MD5 Message Digest Algorithm    MD5 MD5 processing of a single 512-bit block (MD5 compression function) [From H. Yoon]

  45. Another use of hash functions - passwords httpd:Nologin:100:22:httpd:/usr/users/httpd:/bin/sh guest:41LYDCYHYJzHQ:200:15:Guest:/usr/users/guest:/bin/tcsh oracle:Nologin:201:200::/usr/users/oracle:/bin/tcsh mysql:LS6qP.LbvchSk:202:202::/usr/users/mysql:/bin/tcsh Andris:Ie7K1yjGLDqsw:203:203::/usr/users/Andris:/bin/tcsh Password length up to 8 characters, encrypted by 1-way hash function crypt(3).

  46. Problems covered • Text encryption/decryption • Ciphers • Symmetric and asymmetric ciphers • Which ciphers to use? • Stream and block ciphers • Chaining • Stream ciphers and block ciphers • Chaining • Libraries of cryptographic functions • Digital signatures • Hash functions • MD5, SHA-1 etc • Digital signature algorithms (DSA etc)

  47. Digital signature algorithm - DSA

  48. Problems covered • Text encryption/decryption • Ciphers • Digital signatures • Hash functions • Digital signature algorithms • Protocols • Key generation and exchange

  49. What is a protocol? • Protocol - a series of steps, involving two or more parties, • designed to accomplish a task. • For cryptographic protocols: • — It should not be possible to do more or learn more than • what is specified in the protocol

  50. Types of protocols

More Related