cryptographic techniques.pdf
TRANSCRIPT
-
8/10/2019 Cryptographic Techniques.pdf
1/41
Cryptographic Techniques
Information Technologies for
IPR Protections
2003/11/12
R107, CSIE Building
-
8/10/2019 Cryptographic Techniques.pdf
2/41
C. H. HUANG IN CML 2
Outline
Data security
Cryptography basics
Cryptographic systems
DES
RSA
-
8/10/2019 Cryptographic Techniques.pdf
3/41
C. H. HUANG IN CML 3
Cryptography
Cryptography is the science of secret writing.
A cipher is a secret method of writing, where by
plaintext (cleartext) is transformed into a ciphertext.
The process of transforming plaintext into ciphertext is
called encipherment or encryption.
The reverse process of transforming ciphertext into
plaintext is called decipherment or decryption.
Encryption and decryption are controlled bycryptographic keys.
-
8/10/2019 Cryptographic Techniques.pdf
4/41
C. H. HUANG IN CML 4
Secret Writing
Encryption
Decryption
Plaintext CiphertextKey
-
8/10/2019 Cryptographic Techniques.pdf
5/41
C. H. HUANG IN CML 5
Attacks against Ciphers
Cryptanalysis is the science and study of methodsof breaking ciphers.
A cipher is breakable if it is possible to determine
the plaintext or key from the ciphertext, or todetermine the key from plaintext-ciphertext pairs.
Attacks Ciphertext-only attack
Known-plaintext attack
Chosen-plaintext attack
-
8/10/2019 Cryptographic Techniques.pdf
6/41
C. H. HUANG IN CML 6
Cryptographic Systems
A cryptographic system has five components:
A plaintext message space, M
A ciphertext message space, C
A key space, K
A familiy of enciphering transformations
Ek:MC
A family of deciphering transformations
Dk:CM
-
8/10/2019 Cryptographic Techniques.pdf
7/41
C. H. HUANG IN CML 7
Cryptographic Systems (cont.)
M Ek C Dk M
plaintext plaintextciphertext
Dk(Ek(m))=m ,for a key k
Cryptosystem requirements:
Efficient enciphering/deciphering
Systems must be easy to use
The security of the system depends only on the
keys, not the secrecy of E or D
-
8/10/2019 Cryptographic Techniques.pdf
8/41
C. H. HUANG IN CML 8
Secure Cipher
Unconditionally secure
A cipher is unconditionally secure if no matterhow much ciphertext is intercepted, there is not
enough information in the ciphertext todetermine the plaintext uniquely.
Computationally secure
A cipher is computationally infeasible to break.
-
8/10/2019 Cryptographic Techniques.pdf
9/41
C. H. HUANG IN CML 9
Secrecy Requirements
It should be computationally infeasible to
systematically determine the deciphering
transformation Dkfrom intercepted c, even if
corresponding m is known.
It should be computationally infeasible to
systematically determine m from intercepted c.
Ek C Dk MM
Mdisallowed
protected
-
8/10/2019 Cryptographic Techniques.pdf
10/41
C. H. HUANG IN CML 10
Authenticity requirements
It should be computationally infeasible tosystematically determine the encipheringtransformation given c, even if corresponding m is
known. It should be computationally infeasible to
systematically find c! such that Dk(c!) is a validplaintext in M.
Ek C Dk MM
Mdisallowed
protected
-
8/10/2019 Cryptographic Techniques.pdf
11/41
C. H. HUANG IN CML 11
Key-distribution cryptosystem
" Encrypting &decrypting are closely tied together.
" The sender and the receiver must agree on the use of acommon keybefore any message transmission takes place.
" A safe communication channel must exist between sender and
receiver
MessageSource
PEncryption
CDecryption
PReceiver
Secure key transmission
-
8/10/2019 Cryptographic Techniques.pdf
12/41
C. H. HUANG IN CML 12
Public-key Cryptosystem
In a public key cryptosystem, each participant is assigned a pair of inversekeys E and D.
Different functions are used for enciphering and deciphering, one ofthe two keys can be made public, provided that it is impossible togenerate one key from the other.
E can be made public, but D is kept secret.
The normal key transmission between senders and receivers can bereplaced by an open directory of enciphering keys, containing the keysE for all participants.
Message
Source
PEncryption
CDecryption
PReceiver
Key source 1Ek
Key source 2Dk
-
8/10/2019 Cryptographic Techniques.pdf
13/41
C. H. HUANG IN CML 13
Using Public-Key Cryptosystem to
Transfer Messages Secretly When a person A wishes to send a message to a
person B, the receiver!s enciphering key EB is used
to generate the ciphertext EB(m). Since the key EBis freely available, anyone can then encipher amessage destined for B. However, only the
receivers B with access to the decipher key DB can
regenerate the original text by performing the
inverse transform DB(EB(m)).
-
8/10/2019 Cryptographic Techniques.pdf
14/41
C. H. HUANG IN CML 14
Digital Signature
Guaranteeing authenticity.
Let B be the recipient of a message m signed by
A. Then A!s signature must satisfy:
1. B must be able to able to validate A!s signature on m.
2. It must be impossible to forge A!s signature
3. If A disavow signing a message, a third party must
be able to resolve the distribute.
-
8/10/2019 Cryptographic Techniques.pdf
15/41
C. H. HUANG IN CML 15
Using Public-key Systems to
Implement Digital Signatures1. A signs m by computing c=DA(m)
2. B validates A!s signature by checkingE
A(c) =m
3. A dispute can be judged by checkingwhether EA(c) restores M in the sameways as B.
Requirements: Dk(Ek(m))=Ek(Dk(m))=m
-
8/10/2019 Cryptographic Techniques.pdf
16/41
C. H. HUANG IN CML 16
Secrecy and Authenticity in A
Public-Key System
EA(DB(C))=EA(DB(EB(DA(M))))
=EA(DA(M))
=M
DA(m)=S EB(S)=C DB(C)=S EA(S)=mm m
Transformations applied
by sender
Transformations applied
by receiver
-
8/10/2019 Cryptographic Techniques.pdf
17/41
C. H. HUANG IN CML 17
Reference
Cryptography and Data Security, D.
Elizabeth and R. Denning, Purdue
University, 1998 FAQ about Today!s Cryptography, RSA
Laboratory, (found in www.rsa.com)
The reference listed in course handout.
http://www.rsa.com/http://www.rsa.com/ -
8/10/2019 Cryptographic Techniques.pdf
18/41
C. H. HUANG IN CML 18
Conventional CryptosystemsUsing substitution transform and
permutation transform
Substitution Ciphers
Running Key Ciphers
Transposition Ciphers
(Permutation ciphers)
Stream Ciphers
-
8/10/2019 Cryptographic Techniques.pdf
19/41
C. H. HUANG IN CML 19
Substitution Ciphers
Replace bits, characters, or blocks of
characters with substitutes.
Example: Caesar cipherwhich shift each letter in the English forward by K
positions (shifts past Z cycle back to A)
A simple substitution cipher is easy to solve
by performing a frequency analysis.
-
8/10/2019 Cryptographic Techniques.pdf
20/41
C. H. HUANG IN CML 20
Running Key Ciphers
The security of a substitution cipher generallyincreases with the key length. In a running keycipher, the key length is equal to the plaintext
message.(not using a fixed key alphabet) E.g. use the text in a book as the key sequence.
The cipher may be breakable by Friedman!smethod based on the observation that both
plaintext and key letters are high frequency ones
in natural language.
-
8/10/2019 Cryptographic Techniques.pdf
21/41
C. H. HUANG IN CML 21
Permutation Ciphers
Rearrange bits or characters in the data.
What is the key? Attacks: frequency analysis of characters.
INFORMATION TECHNIQUES FOR IPR
I R I T N E RN O M T O E H I U S O I R
F A N C Q F P
IRITNERNOMTOEHIUSOIRFANCQFP
-
8/10/2019 Cryptographic Techniques.pdf
22/41
C. H. HUANG IN CML 22
Product Cipher
A product cipher is the composition offunctions F1,#,Ft, where each Fi may be asubstitution or permutation.
Examples of product ciphers DES
P P
S
S
S
-
8/10/2019 Cryptographic Techniques.pdf
23/41
C. H. HUANG IN CML 23
Data Encryption Standard (DES)
The National Bureau of Standards
announced DES to be used in unclassified
U.S. Government applications.
DES enciphers 64-bit blocks with a 56-bit
key.
-
8/10/2019 Cryptographic Techniques.pdf
24/41
C. H. HUANG IN CML 24
DES
An input block T is first transposed under an
initial permutation IP, giving T0=IP(T).
E.g. t1t2#t64t58t50#t7
Then T0 is passed through 16 iterations of functionf.
Finally, it is transposed under the inverse
permutation IP-1 to give the final result.
-
8/10/2019 Cryptographic Techniques.pdf
25/41
C. H. HUANG IN CML 25
DES (cont.)
Let Ti denote the result of the ith iteration, and letLi and Ri denote the left and right halves of Ti.Then
Li=Ri-1Ri=Li-1 f(Ri-1, Ki)
where is the exclusive-or operation and K is a48-bit key.
After the last iteration, the left and right halves arenot changed , but instead passed to IP-1.
-
8/10/2019 Cryptographic Techniques.pdf
26/41
C. H. HUANG IN CML 26
DES (cont.)
Calculate the function F(Ri-1, Ki):1. Using bit-selection Table E to expand 32-bit Ri-1 to a
48-bit block E(Ri-1). (Similar to permutation)
2. Calculate the exclusive-or of E(Ri-1) and Ki. Thenbreak the result into 8 6-bit blocks B1, #, B8.
3. Use each 6-bit Bjb1b2b3b4b5b6 as input to a selection(substitution ) and return a 4-bit block Sj(Bj).
b1b6row
b2b3b4b5
column
-
8/10/2019 Cryptographic Techniques.pdf
27/41
C. H. HUANG IN CML 27
DES (cont.)
Key calculation Each iteration i uses a different 48-bit key Ki derived
from the initial key K, which is input as a 64-bit blockwith 8 parity bits in positions 8, 16, #, 64.
PC-1 discards the parity bits and transposes theremaining 56-bit bits to obtain PC-1(K).
PC-1(K) is then split to C and D of 28-bits each, andcircular shifted by LS.
Ci=LSi(Ci-1), Di=LSi (Di-1)
Ki=PC-2(CiDi).
-
8/10/2019 Cryptographic Techniques.pdf
28/41
C. H. HUANG IN CML 28
DES (cont.)
Deciphering
The same algorithm is used, except that the
order of key for each iteration is reversed. E.g.
K16 is used in 1st iteration, K15 is used in 2
nd
iteration#.
-
8/10/2019 Cryptographic Techniques.pdf
29/41
C. H. HUANG IN CML 29
Disputes about DES
56-bit key length should be doubled?
A special purpose machine containing a million LSI
chips could try 256 keys in 1 day. The cost of this
machine is about $ 20 million. Amortized over 5 years,the cost per day would be $10,000.
The same level of security could be obtained using
multiple encryption scheme.
The S-box may have hidden trapdoors.
The analysis is still classified.
-
8/10/2019 Cryptographic Techniques.pdf
30/41
C. H. HUANG IN CML 30
Stream Ciphers
A random number generator (typically LFSR) may
be used to generate a stream of key characters,
each character of the key being added to a
character of the input stream to produce an outputcharacter.
Cipher stream
Message stream
Key stream
Shift register
-
8/10/2019 Cryptographic Techniques.pdf
31/41
C. H. HUANG IN CML 31
Cipher Based on Computationally
Difficult Problems One-way function: C=f(P)
exponentiation and logarithm
multiplication/factoring
review of number theory
NP-complete problems A systematic deterministic solution is likely to requireexponential time in the number of inputs.
f: computationally simple
f-1:computationally difficult except in special cases
when supplementary information (keys) isavailable
P C
-
8/10/2019 Cryptographic Techniques.pdf
32/41
C. H. HUANG IN CML 32
Diffie Hellman!s public-key
cryptosystem Each user i in the system has a pair of keys Xi and
Yi, whereYi=!
Xi mod q , 1"Xi"q-1, 1"!"q-1, q: prime number
Xi is kept secret, but Yi is made public. Sender i generates the key
Kij= YjXi mod q =!XiXj mod q
from receiver j!s public key Yj and his own
private key Xi. Receiver j obtains Kij similarly from Yi and Xj.
-
8/10/2019 Cryptographic Techniques.pdf
33/41
C. H. HUANG IN CML 33
Security of Diffie Hellman!s
System To generate the key Kij, one of the private
keys Xi or Xj must be known.
To generate the Kij from Yi and Yj, a formof logarithm below must be computed:
Kij=Yi(log Yj) mod q
which is computationally difficult.
-
8/10/2019 Cryptographic Techniques.pdf
34/41
C. H. HUANG IN CML 34
The RSA Algorithm
Each user selects two large prime numbers
P and Q at random, and multiplies them to
obtain N=P"Q.
N should be about 200 digits long and can be
made public
P and Q are kept secret.
-
8/10/2019 Cryptographic Techniques.pdf
35/41
C. H. HUANG IN CML 35
The RSA Algorithm (cont.)
Using P and Q, the user computes the Euler
totient function#(N), representing the
number of positive integers relatively prime
to N.
#(N)=#(P)#(Q) = (P-1) (Q-1)
The user then chooses a quantity E less than
N and relatively prime to#(N). Thequantity E is made public.
-
8/10/2019 Cryptographic Techniques.pdf
36/41
C. H. HUANG IN CML 36
The RSA Algorithm (cont.)
Given a message M to be enciphered, M is broken
down into a sequence of quantities M1, M2, #, Mp,
where each component Mi is represented by an
integer between 0 and N-1. The enciphering isnow done separately on each block Mi using the
public information E and N to generate a
cryptogram Ci as
Ci=Mi
E
mod N at most 2$Log2(N) multiplications are required
-
8/10/2019 Cryptographic Techniques.pdf
37/41
C. H. HUANG IN CML 37
The RSA Algorithm (cont.)
Using the secret information#(N), the user
can easily compute a quantity D such that
E$D=1 mod#(N) (deciphering key). I
E$D=1 mod#(N)=K#(N)+1
D=K#(N)+1/E.
-
8/10/2019 Cryptographic Techniques.pdf
38/41
C. H. HUANG IN CML 38
The RSA Algorithm (cont.)
By Fermat!s theorem: M#(N)mod N =1 modN, or MK#(N)+1 mod N =M mod N.
Deciphering procedure:
CiD mod N
= MiED mod N
= MiK#(N)+1 mod N
= Mi mod N
= Mi
-
8/10/2019 Cryptographic Techniques.pdf
39/41
C. H. HUANG IN CML 39
Using RSA
Suppose user A want to send a message m to userB. User A creates the ciphertext c by c = mE mod
N, where E and N are user B!s public key.
User A sends c to user B. User B decrypts c by calculate m = cD mod N. The
relation bewteen D and E ensures that B correctlyrecovers m.
Since only B knows D, only B can decrypt the
message.
-
8/10/2019 Cryptographic Techniques.pdf
40/41
C. H. HUANG IN CML 40
Attacks against RSA
Attacks to recover all messages for a givenkey
Factor the public modulus N to P and Q.With
P,Q, and E, the attacker can easily compute D.Attacks to recover a message
Guessed-plaintext attacks.
This attacks can be defeated by appending
random bits.
-
8/10/2019 Cryptographic Techniques.pdf
41/41
C. H. HUANG IN CML 41
Security of RSA
The size of a key in the RSA algorithm typically refersto the size of the modulus N. The two primes P and Qshould be roughly equal length.
The longer the key size, the greater the security, butalso the slower the RSA algorithm.
The 512-bit RSA-155 was factored in seven monthduring 1999.
The RSA lab currently recommends key sizes of 1024bits for corporate use.