Lecture #9: Traditional Cryptography, HAIT, Summer 2005, Shimrit Tzur-David


Lecture #9: Traditional Cryptography

HAIT

Summer 2005

Shimrit Tzur-David


Notations

• cryptography - the principles and methods of transforming an intelligible message into one that is unintelligible, and then retransforming that message back to its original form.

• plaintext - the original intelligible message

• ciphertext - the transformed message

• cipher - an algorithm for transforming an intelligible message into one that is unintelligible by transposition and/or substitution methods

• key - some critical information used by the cipher, known only to the sender & receiver


Notations – Cont.

• encipher (encode) - the process of converting plaintext to ciphertext using a cipher and a key

• decipher (decode) - the process of converting ciphertext back into plaintext using a cipher and a key

• cryptanalysis - the study of principles and methods of transforming an unintelligible message back into an intelligible message without knowledge of the key. Also called code-breaking.

• cryptology - both cryptography and cryptanalysis

• code - an algorithm for transforming an intelligible message into an unintelligible one using a code-book


Notations – Cont.

• C = E_K(P) - the encryption of the plaintext P using key K gives the ciphertext C.

• P = D_K(C) - the decryption of C using key K gives back the plaintext P.

• D_K(E_K(P)) = P

• E and D are mathematical functions of two parameters: the key and the message.

Introduction

• There were 3 main constraints:

1. The ability of the code clerk to perform the necessary transformations, often on a battlefield with little equipment.

2. The difficulty in switching over quickly from one cryptographic method to another one, since this entails retraining a large number of people.

3. The danger of a code clerk being captured by the enemy has made it essential to be able to change the cryptographic method instantly if need be.

The encryption model – for a symmetric-key cipher

The encryption model – Cont.

• The plaintext is transformed by a function that is parameterized by a key.

• The ciphertext is then transmitted.

• The enemy hears and accurately copies down the ciphertext.

• Unlike the intended recipient, he does not know what the decryption key is and so cannot decrypt the ciphertext.

• Passive intruder - the intruder can only listen to the communication channel.

• Active intruder - the intruder can record messages and play them back later, inject his own messages, or modify legitimate messages before they get to the receiver.


Flexibility

• The cryptanalyst knows in detail how the encryption method E and the decryption method D work.

• The effort needed to invent, test, and install a new algorithm every time the old method is compromised (or is thought to be compromised) has always made it impractical to keep the encryption algorithm secret.

• So a way is needed to keep the encryption secret that does not rely on changing the algorithms E and D.

Flexibility – Cont.

• In contrast to the general method, which may only be changed every few years, the key can be changed as often as required.

• The basic model is a stable and publicly known general method, parameterized by a secret and easily changed key.

• Kerckhoffs's principle: all algorithms must be public; only the keys are secret.

• If many experts have tried to break the algorithm for a few years and no one has succeeded, it is probably pretty solid.


The Key Length

• Consider a simple combination lock:
– A key length of two digits means 100 possibilities.
– A key length of three digits means 1000 possibilities.
– A key length of six digits means a million possibilities.

• The work factor for breaking the system by exhaustive search of the key space is exponential in the key length.

• To prevent your kid from reading your e-mail, 64-bit keys will do.

• For routine commercial use, at least 128 bits should be used.

• To keep major governments at bay, keys of at least 256 bits, preferably more, are needed.


The Cryptanalysis Problem

• From the cryptanalyst's point of view, the cryptanalysis problem has two principal variations:

1. Quantity of ciphertext and no plaintext - the ciphertext-only problem.

2. Matched ciphertext and plaintext - the known plaintext problem


The Cryptanalysis Problem – Cont.

• A novice's assumption: if a cipher can withstand a ciphertext-only attack, the crypto-algorithm is secure.

• In many cases the cryptanalyst can make a good guess at parts of the plaintext.

• For example, the first thing many computers say when you call them up is ‘login:’

• Equipped with some matched plaintext-ciphertext pairs, the cryptanalyst's job becomes much easier.

• To achieve security, the cryptographer should make sure that the system is unbreakable even if his opponent can encrypt arbitrary amounts of chosen plaintext.


Encryption Methods

• Encryption methods have been divided into two categories:
– substitution ciphers
– transposition ciphers


Substitution Ciphers

• In a substitution cipher each letter or group of letters is replaced by another letter or group of letters.

• One of the oldest known ciphers is the Caesar cipher.

• In this method, a becomes D, b becomes E, c becomes F, ..., and z becomes C.

• For example, ‘attack’ becomes DWWDFN.

• A slight generalization of the Caesar cipher allows the ciphertext alphabet to be shifted by k letters, instead of always 3.

• In this case k becomes a key to the general method of circularly shifted alphabets.


Monoalphabetic Substitution (Symbol-for-symbol)

• The next improvement is to have each of the symbols in the plaintext map onto some other letter. For example:
– plaintext: a b c d e f g h i j k l m n o p q r s t u v w x y z
– ciphertext: Q W E R T Y U I O P A S D F G H J K L Z X C V B N M

• The key is the 26-letter string corresponding to the full alphabet.

• The plaintext ‘attack’ would be transformed into QZZQEA.

• Does it look safe?


Monoalphabetic Substitution – Cont.

• At first glance this might appear to be a safe system.

• There are 26! possible keys. Trying all of them is not a promising approach: a computer would take ~10^10 years to try all the keys.

• Nevertheless, given a surprisingly small amount of ciphertext, the cipher can be broken easily.

• The basic attack takes advantage of the statistical properties of natural languages. In English, e is the most common letter, followed by t, o, a, n, i, etc. The most common two-letter combinations are th, in, er, re, and an. The most common three-letter combinations are the, ing, and, and ion.
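The two substitution ciphers above (the k-shift generalization of the Caesar cipher, and the 26-letter monoalphabetic key) together with the frequency weakness of the second, as an added worked example in Python. This code is not from the lecture: the QWERTY key string and the ‘attack’ results are the slide's, the sample sentence is constructed, and the function names are my own. It goes one step beyond the slide by enumerating the 26-key exhaustive search and by computing the letter and bigram counts of a ciphertext, which is the statistic a frequency attack relies on.

```python
import string
from collections import Counter

ALPHABET = string.ascii_lowercase

# The 26-letter key from the slide: plaintext a..z maps, position by position, to these letters.
QWERTY_KEY = "QWERTYUIOPASDFGHJKLZXCVBNM"


def shift_key(k):
    """Caesar-style key: the ciphertext alphabet is the plaintext alphabet shifted by k
    places (k=3 is the classic Caesar cipher), expressed as a 26-letter substitution key."""
    return "".join(ALPHABET[(i + k) % 26] for i in range(26)).upper()


def substitute(text, key):
    """Monoalphabetic encryption: each plaintext letter is replaced by the key letter at the
    same alphabet position. Characters that are not letters pass through unchanged."""
    table = {p: c for p, c in zip(ALPHABET, key.upper())}
    return "".join(table.get(ch, ch) for ch in text.lower())


def unsubstitute(text, key):
    """Decryption with the same key: invert the letter-to-letter table."""
    table = {c: p for p, c in zip(ALPHABET, key.upper())}
    return "".join(table.get(ch, ch) for ch in text.upper())


def brute_force_shift(ciphertext):
    """Why a 26-key cipher is hopeless: one candidate plaintext per possible shift."""
    return {k: unsubstitute(ciphertext, shift_key(k)) for k in range(26)}


def letter_frequencies(text, n=5):
    """The n most common letters with their counts: the statistic a frequency
    attack on a monoalphabetic cipher starts from."""
    counts = Counter(ch for ch in text.upper() if ch.isalpha())
    return counts.most_common(n)


def bigram_frequencies(text, n=5):
    """The n most common adjacent letter pairs (spaces and punctuation ignored)."""
    letters = [ch for ch in text.upper() if ch.isalpha()]
    counts = Counter(a + b for a, b in zip(letters, letters[1:]))
    return counts.most_common(n)


# Constructed sample sentence (not from the slides): ordinary English, 'e' the most common letter.
SAMPLE = ("the enemy hears and accurately copies down the ciphertext "
          "the intended receiver alone knows the key")

if __name__ == "__main__":
    print(substitute("attack", shift_key(3)))   # DWWDFN, the slide's Caesar example
    print(substitute("attack", QWERTY_KEY))      # QZZQEA, the slide's monoalphabetic example
    ct = substitute(SAMPLE, QWERTY_KEY)
    # Substitution renames letters but preserves every count: plaintext 'e' is the most
    # common letter, so ciphertext 'T' (the key letter at position 4) is the most common symbol.
    print(letter_frequencies(SAMPLE), letter_frequencies(ct))
    print(bigram_frequencies(ct))
    print(brute_force_shift("DWWDFN")[3])        # attack
```

A substitution key is a bijection on the alphabet, so the plaintext's letter statistics survive intact under new labels; the most common ciphertext symbol is almost always the image of e, and the most common pairs are images of th, in, er and so on. That is why a small amount of ciphertext suffices, however large the 26! key space is.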


Transposition Ciphers

• Substitution ciphers preserve the order of the plaintext symbols but disguise them.

• Transposition ciphers, in contrast, reorder the letters but do not disguise them.

• The columnar transposition:


The Columnar Transposition

• The cipher is keyed by a word or phrase not containing any repeated letters.

• In the example, MEGABUCK is the key.

• The purpose of the key is to number the columns, column 1 being under the key letter closest to the start of the alphabet, and so on.

• The plaintext is written horizontally, in rows, padded to fill the matrix if need be.

• The ciphertext is read out by columns, starting with the column whose key letter is the lowest.
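The columnar transposition described above, as an added example in Python (not the lecture's own code). The key MEGABUCK is the slide's; the plaintext ‘meet me at midnight’ is constructed, and padding the last row with the letter x is an assumption, since the slide only says that the matrix is padded if need be.

```python
def column_order(key):
    """Number the columns as the slide describes: the column under the key letter closest
    to the start of the alphabet is read out first, and so on. Returns the column indexes
    in read-out order. A key with a repeated letter would make the order ambiguous."""
    key = key.upper()
    if len(set(key)) != len(key):
        raise ValueError("key must not contain repeated letters")
    return sorted(range(len(key)), key=lambda i: key[i])


def columnar_encrypt(plaintext, key, pad="x"):
    """Write the plaintext in rows as wide as the key, pad the last row, read out by columns."""
    letters = [ch for ch in plaintext.lower() if ch.isalpha()]
    width = len(key)
    while len(letters) % width:       # pad to fill the matrix (assumed filler: 'x')
        letters.append(pad)
    rows = [letters[i:i + width] for i in range(0, len(letters), width)]
    return "".join(row[col] for col in column_order(key) for row in rows).upper()


def columnar_decrypt(ciphertext, key):
    """Inverse: cut the ciphertext into columns of equal height, place each column back under
    its key letter, then read the matrix row by row."""
    width = len(key)
    if len(ciphertext) % width:
        raise ValueError("ciphertext length must be a multiple of the key length")
    height = len(ciphertext) // width
    columns = [None] * width
    pos = 0
    for col in column_order(key):
        columns[col] = ciphertext[pos:pos + height]
        pos += height
    return "".join(columns[c][r] for r in range(height) for c in range(width)).lower()


if __name__ == "__main__":
    key = "MEGABUCK"
    print(column_order(key))                           # [3, 4, 6, 1, 2, 7, 0, 5]
    ct = columnar_encrypt("meet me at midnight", key)
    print(ct)                                          # TNMIAHEIEDTTMMEG
    print(columnar_decrypt(ct, key))                   # meetmeatmidnight
```

Note that every plaintext letter appears unchanged in the ciphertext; only its position moves. That is exactly why the first step of the attack on the next slide works: the letter frequencies of the ciphertext are those of ordinary English, which a substitution cipher would have hidden.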


Breaking Transposition Cipher

• Step 1: The cryptanalyst must be aware that he is dealing with a transposition cipher.
– By looking at the frequency of E, T, A, O, I, N, etc., it is easy to see if they fit the normal pattern for plaintext.

• Step 2: Make a guess at the number of columns.
– e.g. the plaintext phrase milliondollars occurs somewhere in the message.

• Step 3: Order the columns.
– By frequency.


One-Time Pads

• Unbreakable cipher:
– Choose a random bit string as the key.
– Convert the plaintext into a bit string.
– Compute the XOR of these two strings, bit by bit.

• The resulting ciphertext cannot be broken.

• The reason derives from information theory: there is simply no information in the message because all possible plaintexts of the given length are equally likely.
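The one-time pad procedure above, as an added Python example (not the lecture's code), working on bytes rather than individual bits. The six-byte key is a constructed constant so that the result can be checked by hand; a real pad comes from the operating system's random generator (otp_key here) and is used exactly once. The last two functions are my additions: the first makes the information-theory argument concrete by producing, for any candidate plaintext of the right length, the key that would "decrypt" the ciphertext to it; the second shows what is lost when a pad is reused.

```python
import secrets


def xor_bytes(a, b):
    """Bit-by-bit XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("key must be exactly as long as the message")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_key(length):
    """A fresh random pad as long as the message, from the OS CSPRNG. Never reuse it."""
    return secrets.token_bytes(length)


def otp_encrypt(plaintext, key):
    return xor_bytes(plaintext, key)


def otp_decrypt(ciphertext, key):
    # XOR is its own inverse: (P xor K) xor K = P
    return xor_bytes(ciphertext, key)


def key_explaining(ciphertext, candidate_plaintext):
    """For ANY plaintext of the right length there is a key under which the ciphertext
    decrypts to it, so the ciphertext alone carries no information about which one was sent."""
    return xor_bytes(ciphertext, candidate_plaintext)


def two_time_pad_leak(ct1, ct2):
    """Caveat: if one pad encrypts two messages, XORing the ciphertexts cancels the key
    and yields P1 xor P2, which is no longer uniformly random."""
    return xor_bytes(ct1, ct2)


# Constructed demo key (NOT random; chosen so the example is reproducible by hand).
DEMO_KEY = bytes.fromhex("13374299a55a")

if __name__ == "__main__":
    ct = otp_encrypt(b"attack", DEMO_KEY)
    print(ct.hex())                                   # 724336f8c631
    print(otp_decrypt(ct, DEMO_KEY))                  # b'attack'
    alt = key_explaining(ct, b"defend")
    print(otp_decrypt(ct, alt))                       # b'defend': a different key, a different story
    k = otp_key(16)
    print(otp_decrypt(otp_encrypt(b"sixteen byte msg", k), k))
```

Two practical conditions hide inside the word "random": the pad must be as long as the message and must come from a true or cryptographically strong random source, and it must never be used twice. The two_time_pad_leak function shows why the second condition matters; the key_explaining function shows that, when both hold, an eavesdropper who sees the ciphertext has learned nothing beyond its length.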


Cryptographic Principles

• Redundancy – All encrypted messages must contain some redundancy, that is, information not needed to understand the message.

• Freshness – Some measures must be taken to ensure that each message received can be verified as being fresh, that is, sent very recently.


Redundancy Motivation

• Consider a mail-order company, The Couch Potato (TCP), with 60,000 products.

• Ordering messages consist of a 16-byte customer name followed by a 3-byte data field.

• The last 3 bytes are to be encrypted using a very long key known only by the customer and TCP.

• This might seem secure since passive intruders cannot decrypt the messages.

• Suppose that a recently-fired employee wants to punish TCP.


Motivation – Cont.

• Just before leaving, he takes the customer list with him.

• He writes a program to generate fictitious orders using real customer names.

• Since he does not have the list of keys, he just puts random numbers in the last 3 bytes, and sends hundreds of orders.

• When these messages arrive, TCP's computer uses the customer's name to locate the key and decrypt the message.

• Unfortunately for TCP, almost every 3-byte message is valid, so the computer begins printing out shipping instructions.

• In this way an active intruder can cause a massive amount of trouble, even though he cannot understand the messages his computer is generating.


The Solution

• This problem can be solved by the addition of redundancy to all messages.

• For example, if order messages are extended to 12 bytes, the first 9 of which must be zeros, then this attack no longer works because the ex-employee can no longer generate a large stream of valid messages.

• All messages must contain considerable redundancy so that active intruders cannot send random junk and have it be interpreted as a valid message.
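The Couch Potato scenario and its fix, as an added simulation in Python (not from the lecture). The 16-byte name, the 3-byte field, the 60,000 products and the 9 zero bytes are the slide's. Two things are assumptions of mine: the per-customer keystream is a constructed stand-in for the "very long key" (not a real cipher; the argument does not depend on which cipher is used), and the 3-byte field is taken to hold a 2-byte product number and a 1-byte quantity, so that "valid" has a concrete meaning.

```python
import random
import struct

NAME_LEN = 16            # 16-byte customer name, from the slide
PRODUCT_COUNT = 60_000   # TCP's catalogue size, from the slide
ZERO_PREFIX = 9          # the slide's fix: 9 zero bytes in front of the 3-byte field


def keystream(name, length):
    """Stand-in for the long secret key shared by customer and TCP: a keystream derived
    deterministically from the customer name. Constructed for this demo only, NOT a cipher."""
    rng = random.Random("customer-key:" + name)
    return bytes(rng.randrange(256) for _ in range(length))


def xor_with_key(name, data):
    # XOR is its own inverse, so this both encrypts and decrypts the data field.
    return bytes(a ^ b for a, b in zip(data, keystream(name, len(data))))


def make_order(name, product, quantity, redundancy=0):
    """Honest order: the name, then the encrypted field made of `redundancy` zero bytes
    followed by product number (2 bytes) and quantity (1 byte); the 2+1 split is assumed."""
    if len(name) > NAME_LEN:
        raise ValueError("customer name too long")
    field = bytes(redundancy) + struct.pack(">HB", product, quantity)
    return name.encode("ascii").ljust(NAME_LEN) + xor_with_key(name, field)


def parse_order(message, redundancy=0):
    """Receiver side: locate the key by name, decrypt, validate.
    Returns (name, product, quantity) for a valid order, None otherwise."""
    name = message[:NAME_LEN].rstrip(b" ").decode("ascii")
    field = xor_with_key(name, message[NAME_LEN:])
    if len(field) != redundancy + 3:
        return None
    if any(field[:redundancy]):          # redundancy check: the prefix must decrypt to all zeros
        return None
    product, quantity = struct.unpack(">HB", field[redundancy:])
    if product >= PRODUCT_COUNT or quantity == 0:
        return None
    return name, product, quantity


def forgery_acceptance_rate(names, trials, redundancy, seed=1):
    """The ex-employee's junk orders from the slide, simulated: real customer names with
    random bytes in the encrypted field. Returns the fraction the receiver accepts."""
    rng = random.Random(seed)
    accepted = 0
    for i in range(trials):
        name = names[i % len(names)]
        junk = bytes(rng.randrange(256) for _ in range(redundancy + 3))
        if parse_order(name.encode("ascii").ljust(NAME_LEN) + junk, redundancy) is not None:
            accepted += 1
    return accepted / trials


if __name__ == "__main__":
    names = ["alice", "bob", "carol"]                      # constructed customer list
    print(parse_order(make_order("alice", 1234, 5, ZERO_PREFIX), ZERO_PREFIX))
    print("3-byte field, no redundancy:", forgery_acceptance_rate(names, 2000, 0))            # about 0.9
    print("12-byte field, 9 zero bytes:", forgery_acceptance_rate(names, 2000, ZERO_PREFIX))  # 0.0
```

Without redundancy roughly 60,000 of the 65,536 possible product numbers are real, so about nine junk orders in ten decrypt to something the system will ship. With nine zero bytes the junk has to decrypt to a specific 72-bit prefix, a 1 in 2^72 chance per message, so no realistic number of attempts produces a valid order. The check happens after decryption, which is the point: the forger cannot produce the zeros without the key.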


Freshness

• This measure is needed to prevent active intruders from playing back old messages.

• If no such measures were taken, our ex-employee could keep repeating previously sent valid messages.

• Some method is needed to foil replay attacks.

• A solution is to include in every message a timestamp valid only for, say, 10 seconds.

• The receiver can then just keep messages around for 10 seconds. Messages older than 10 seconds can be thrown out.
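The receiver-side freshness check described above, as an added Python example (not from the lecture). The 10-second window is the slide's; the class name, the injectable clock, and the choice to reject timestamps that lie more than a window into the future are my assumptions. Messages are expected as bytes.

```python
import time
from collections import deque


class FreshnessFilter:
    """Accept a message only if its timestamp is within `window` seconds of the receiver's
    clock, and remember accepted messages for `window` seconds so that a replay inside the
    window is recognised. Older records can be thrown out: a replay of them would fail the
    timestamp test anyway."""

    def __init__(self, window=10.0, clock=time.time):
        self.window = window
        self.clock = clock          # injectable for testing (assumption: a well-behaved clock)
        self.recent = deque()       # (timestamp, record) in arrival order, oldest first
        self.seen = set()           # records currently inside the window

    def _evict(self, now):
        # Drop records whose timestamp has aged out of the window. Arrival order is close
        # enough to timestamp order that stopping at the first young record is safe.
        while self.recent and now - self.recent[0][0] > self.window:
            _, record = self.recent.popleft()
            self.seen.discard(record)

    def accept(self, timestamp, message):
        """Returns 'ok', 'stale' (timestamp outside the window) or 'replay' (seen already)."""
        now = self.clock()
        self._evict(now)
        if abs(now - timestamp) > self.window:
            return "stale"
        record = (timestamp, message)
        if record in self.seen:
            return "replay"
        self.recent.append((timestamp, record))
        self.seen.add(record)
        return "ok"


if __name__ == "__main__":
    fake_clock = [1000.0]                                  # constructed clock for the demo
    f = FreshnessFilter(window=10.0, clock=lambda: fake_clock[0])
    print(f.accept(1000.0, b"order-1"))     # ok
    print(f.accept(1000.0, b"order-1"))     # replay
    fake_clock[0] = 1011.0
    print(f.accept(1000.0, b"order-1"))     # stale: the old record was evicted, but it is too old
```

The timestamp only helps if the active intruder cannot rewrite it: it has to sit inside the part of the message that is encrypted and covered by the redundancy check, otherwise a recorded order could simply be re-sent with a fresh timestamp pasted on. The memory cost is bounded by the number of messages that arrive within one window, which is what makes the "throw out anything older" rule practical.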
