cryptographic techniques.pdf

8/10/2019 Cryptographic Techniques.pdf

1/41

Cryptographic Techniques

Information Technologies for

IPR Protections

2003/11/12

R107, CSIE Building


2/41

C. H. HUANG IN CML 2

Outline

Data security

Cryptography basics

Cryptographic systems

DES

RSA


3/41


Cryptography

Cryptography is the science of secret writing.

A cipher is a secret method of writing, where by

plaintext (cleartext) is transformed into a ciphertext.

The process of transforming plaintext into ciphertext is

called encipherment or encryption.

The reverse process of transforming ciphertext into

plaintext is called decipherment or decryption.

Encryption and decryption are controlled bycryptographic keys.


4/41


Secret Writing

Encryption

Decryption

Plaintext CiphertextKey


5/41


Attacks against Ciphers

Cryptanalysis is the science and study of methodsof breaking ciphers.

A cipher is breakable if it is possible to determine

the plaintext or key from the ciphertext, or todetermine the key from plaintext-ciphertext pairs.

Attacks Ciphertext-only attack

Known-plaintext attack

Chosen-plaintext attack


6/41


Cryptographic Systems

A cryptographic system has five components:

A plaintext message space, M

A ciphertext message space, C

A key space, K

A familiy of enciphering transformations

Ek:MC

A family of deciphering transformations

Dk:CM


7/41


Cryptographic Systems (cont.)

M Ek C Dk M

plaintext plaintextciphertext

Dk(Ek(m))=m ,for a key k

Cryptosystem requirements:

Efficient enciphering/deciphering

Systems must be easy to use

The security of the system depends only on the

keys, not the secrecy of E or D


8/41


Secure Cipher

Unconditionally secure

A cipher is unconditionally secure if no matterhow much ciphertext is intercepted, there is not

enough information in the ciphertext todetermine the plaintext uniquely.

Computationally secure

A cipher is computationally infeasible to break.


9/41


Secrecy Requirements

It should be computationally infeasible to

systematically determine the deciphering

transformation Dkfrom intercepted c, even if

corresponding m is known.

It should be computationally infeasible to

systematically determine m from intercepted c.

Ek C Dk MM

Mdisallowed

protected


10/41


Authenticity requirements

It should be computationally infeasible tosystematically determine the encipheringtransformation given c, even if corresponding m is

known. It should be computationally infeasible to

systematically find c! such that Dk(c!) is a validplaintext in M.

Ek C Dk MM

Mdisallowed

protected


11/41


Key-distribution cryptosystem

" Encrypting &decrypting are closely tied together.

" The sender and the receiver must agree on the use of acommon keybefore any message transmission takes place.

" A safe communication channel must exist between sender and

receiver

MessageSource

PEncryption

CDecryption

PReceiver

Secure key transmission


12/41


Public-key Cryptosystem

In a public key cryptosystem, each participant is assigned a pair of inversekeys E and D.

Different functions are used for enciphering and deciphering, one ofthe two keys can be made public, provided that it is impossible togenerate one key from the other.

E can be made public, but D is kept secret.

The normal key transmission between senders and receivers can bereplaced by an open directory of enciphering keys, containing the keysE for all participants.

Message

Source

PEncryption

CDecryption

PReceiver

Key source 1Ek

Key source 2Dk


13/41


Using Public-Key Cryptosystem to

Transfer Messages Secretly When a person A wishes to send a message to a

person B, the receiver!s enciphering key EB is used

to generate the ciphertext EB(m). Since the key EBis freely available, anyone can then encipher amessage destined for B. However, only the

receivers B with access to the decipher key DB can

regenerate the original text by performing the

inverse transform DB(EB(m)).


14/41


Digital Signature

Guaranteeing authenticity.

Let B be the recipient of a message m signed by

A. Then A!s signature must satisfy:

1. B must be able to able to validate A!s signature on m.

2. It must be impossible to forge A!s signature

3. If A disavow signing a message, a third party must

be able to resolve the distribute.


15/41


Using Public-key Systems to

Implement Digital Signatures1. A signs m by computing c=DA(m)

2. B validates A!s signature by checkingE

A(c) =m

3. A dispute can be judged by checkingwhether EA(c) restores M in the sameways as B.

Requirements: Dk(Ek(m))=Ek(Dk(m))=m


16/41


Secrecy and Authenticity in A

Public-Key System

EA(DB(C))=EA(DB(EB(DA(M))))

=EA(DA(M))

=M

DA(m)=S EB(S)=C DB(C)=S EA(S)=mm m

Transformations applied

by sender

Transformations applied

by receiver


17/41


Reference

Cryptography and Data Security, D.

Elizabeth and R. Denning, Purdue

University, 1998 FAQ about Today!s Cryptography, RSA

Laboratory, (found in www.rsa.com)

The reference listed in course handout.
http://www.rsa.com/http://www.rsa.com/


18/41


Conventional CryptosystemsUsing substitution transform and

permutation transform

Substitution Ciphers

Running Key Ciphers

Transposition Ciphers

(Permutation ciphers)

Stream Ciphers


19/41


Substitution Ciphers

Replace bits, characters, or blocks of

characters with substitutes.

Example: Caesar cipherwhich shift each letter in the English forward by K

positions (shifts past Z cycle back to A)

A simple substitution cipher is easy to solve

by performing a frequency analysis.


20/41


Running Key Ciphers

The security of a substitution cipher generallyincreases with the key length. In a running keycipher, the key length is equal to the plaintext

message.(not using a fixed key alphabet) E.g. use the text in a book as the key sequence.

The cipher may be breakable by Friedman!smethod based on the observation that both

plaintext and key letters are high frequency ones

in natural language.


21/41


Permutation Ciphers

Rearrange bits or characters in the data.

What is the key? Attacks: frequency analysis of characters.

INFORMATION TECHNIQUES FOR IPR

I R I T N E RN O M T O E H I U S O I R

F A N C Q F P

IRITNERNOMTOEHIUSOIRFANCQFP


22/41


Product Cipher

A product cipher is the composition offunctions F1,#,Ft, where each Fi may be asubstitution or permutation.

Examples of product ciphers DES

P P

S

S

S


23/41


Data Encryption Standard (DES)

The National Bureau of Standards

announced DES to be used in unclassified

U.S. Government applications.

DES enciphers 64-bit blocks with a 56-bit

key.


24/41


DES

An input block T is first transposed under an

initial permutation IP, giving T0=IP(T).

E.g. t1t2#t64t58t50#t7

Then T0 is passed through 16 iterations of functionf.

Finally, it is transposed under the inverse

permutation IP-1 to give the final result.


25/41


DES (cont.)

Let Ti denote the result of the ith iteration, and letLi and Ri denote the left and right halves of Ti.Then

Li=Ri-1Ri=Li-1 f(Ri-1, Ki)

where is the exclusive-or operation and K is a48-bit key.

After the last iteration, the left and right halves arenot changed , but instead passed to IP-1.


26/41


DES (cont.)

Calculate the function F(Ri-1, Ki):1. Using bit-selection Table E to expand 32-bit Ri-1 to a

48-bit block E(Ri-1). (Similar to permutation)

2. Calculate the exclusive-or of E(Ri-1) and Ki. Thenbreak the result into 8 6-bit blocks B1, #, B8.

3. Use each 6-bit Bjb1b2b3b4b5b6 as input to a selection(substitution ) and return a 4-bit block Sj(Bj).

b1b6row

b2b3b4b5

column


27/41


DES (cont.)

Key calculation Each iteration i uses a different 48-bit key Ki derived

from the initial key K, which is input as a 64-bit blockwith 8 parity bits in positions 8, 16, #, 64.

PC-1 discards the parity bits and transposes theremaining 56-bit bits to obtain PC-1(K).

PC-1(K) is then split to C and D of 28-bits each, andcircular shifted by LS.

Ci=LSi(Ci-1), Di=LSi (Di-1)

Ki=PC-2(CiDi).


28/41


DES (cont.)

Deciphering

The same algorithm is used, except that the

order of key for each iteration is reversed. E.g.

K16 is used in 1st iteration, K15 is used in 2

nd

iteration#.


29/41


Disputes about DES

56-bit key length should be doubled?

A special purpose machine containing a million LSI

chips could try 256 keys in 1 day. The cost of this

machine is about $ 20 million. Amortized over 5 years,the cost per day would be $10,000.

The same level of security could be obtained using

multiple encryption scheme.

The S-box may have hidden trapdoors.

The analysis is still classified.


30/41


Stream Ciphers

A random number generator (typically LFSR) may

be used to generate a stream of key characters,

each character of the key being added to a

character of the input stream to produce an outputcharacter.

Cipher stream

Message stream

Key stream

Shift register


31/41


Cipher Based on Computationally

Difficult Problems One-way function: C=f(P)

exponentiation and logarithm

multiplication/factoring

review of number theory

NP-complete problems A systematic deterministic solution is likely to requireexponential time in the number of inputs.

f: computationally simple

f-1:computationally difficult except in special cases

when supplementary information (keys) isavailable

P C


32/41


Diffie Hellman!s public-key

cryptosystem Each user i in the system has a pair of keys Xi and

Yi, whereYi=!

Xi mod q , 1"Xi"q-1, 1"!"q-1, q: prime number

Xi is kept secret, but Yi is made public. Sender i generates the key

Kij= YjXi mod q =!XiXj mod q

from receiver j!s public key Yj and his own

private key Xi. Receiver j obtains Kij similarly from Yi and Xj.


33/41


Security of Diffie Hellman!s

System To generate the key Kij, one of the private

keys Xi or Xj must be known.

To generate the Kij from Yi and Yj, a formof logarithm below must be computed:

Kij=Yi(log Yj) mod q

which is computationally difficult.


34/41


The RSA Algorithm

Each user selects two large prime numbers

P and Q at random, and multiplies them to

obtain N=P"Q.

N should be about 200 digits long and can be

made public

P and Q are kept secret.


35/41


The RSA Algorithm (cont.)

Using P and Q, the user computes the Euler

totient function#(N), representing the

number of positive integers relatively prime

to N.

#(N)=#(P)#(Q) = (P-1) (Q-1)

The user then chooses a quantity E less than

N and relatively prime to#(N). Thequantity E is made public.


36/41



Given a message M to be enciphered, M is broken

down into a sequence of quantities M1, M2, #, Mp,

where each component Mi is represented by an

integer between 0 and N-1. The enciphering isnow done separately on each block Mi using the

public information E and N to generate a

cryptogram Ci as

Ci=Mi

E

mod N at most 2$Log2(N) multiplications are required


37/41



Using the secret information#(N), the user

can easily compute a quantity D such that

E$D=1 mod#(N) (deciphering key). I

E$D=1 mod#(N)=K#(N)+1

D=K#(N)+1/E.


38/41



By Fermat!s theorem: M#(N)mod N =1 modN, or MK#(N)+1 mod N =M mod N.

Deciphering procedure:

CiD mod N

= MiED mod N

= MiK#(N)+1 mod N

= Mi mod N

= Mi


39/41


Using RSA

Suppose user A want to send a message m to userB. User A creates the ciphertext c by c = mE mod

N, where E and N are user B!s public key.

User A sends c to user B. User B decrypts c by calculate m = cD mod N. The

relation bewteen D and E ensures that B correctlyrecovers m.

Since only B knows D, only B can decrypt the

message.


40/41


Attacks against RSA

Attacks to recover all messages for a givenkey

Factor the public modulus N to P and Q.With

P,Q, and E, the attacker can easily compute D.Attacks to recover a message

Guessed-plaintext attacks.

This attacks can be defeated by appending

random bits.


41/41


Security of RSA

The size of a key in the RSA algorithm typically refersto the size of the modulus N. The two primes P and Qshould be roughly equal length.

The longer the key size, the greater the security, butalso the slower the RSA algorithm.

The 512-bit RSA-155 was factored in seven monthduring 1999.

The RSA lab currently recommends key sizes of 1024bits for corporate use.

cryptographic techniques.pdf

Documents