security- lecture 01

8/18/2019 Security- lecture 01

1/57

Cryptography 2014

Lecture 1

Introduction

Course info

General concepts

Introductory examples

Symmetric Crypto History

November 15, 2014 1 / 51

http://-/?-


2/57

Introduction

Cryptography

... “is about communication in the presence of adversaries.”(R. Rivest)

↓ ↑

Adversary

November 15, 2014 2 / 51


3/57

Introduction

Course Objectives

Objectives

Learn how crypto primitives work.

Learn to use them correctly and reason about security.Be well-oriented in basic cryptographic concepts and methods.

Have a sound understanding of theory and implementation, as well as limitationsand vulnerability.

Be familiar with a number of examples of use of cryptographic tools in common

software and hardware artefacts.

November 15, 2014 3 / 51


4/57

Introduction

Why study cryptography?

Cryptography is everywhere!

Where?

Secure Communication: web traffic: HTTPS, wireless traffic 802.11i WPA2 (wifi),GSM (cellphone), Bluetooth.

Encrypting files on disk: EFS, TrueCrypt

Content protection (DVD, Blu-ray): CSS (Content Scrambling System), AACS

User authenticationNovember 15, 2014 4 / 51


5/57

Introduction

Secure Communication: example

!" $%&$'()"**+!,

!" -%.*$)+!,

⇒ SSL/TLS An attacker cannot eavesdrop/tamper data.

November 15, 2014 5 / 51

I d i


6/57

Introduction

Secure Communication: Secure Socket Layer/ TLS

Two main parts

1 Handshake Protocol: Establish shared secret key using public-key cryptography(2nd part of the course).

2 Record Layer: Transmit data using shared secret keyEnsure confidentiality and integrity (1st part of the course)

November 15, 2014 6 / 51

I t d ti


7/57

Introduction

Protected files on disk

!"#$

&"'( )

&"'( *

+'",( +'",(

-. (/0(#12.33"45

-. 6/73(2"45

Files encrypted

If data are stolen ⇒ Attacker (A) cannot read/tamper data

If A tries to modify Alice will detect itConfidentiality & Integrity!!

Analogous to secure communication:

Alice Today sends a message to Alice Tomorrow

November 15, 2014 7 / 51

Introduction


8/57

Introduction

Crypto Core

Secret key establishment

At the end of the protocolAlice & Bob share asecret key k .

Alice will know that she istalking to Bob.

Attacker has no clueabout k .

!"#$%'()

*+",#-.

/( !"#$%*+",#-.

/( '()

!"!#$%&'''

Secure Communication

Attacker A cannot

understand transmittedmessages.

A Cannot tampermessages.

!!

#$%&'(%)*+,-. *%' ,%-(/0,-.

12

13

November 15, 2014 8 / 51

Introduction


9/57

Introduction

But crypto can do much more

Digital Signatures

Physical ⇒ Always thesame!!

Digital ⇒ A function of the content signed.

!"#$%

'#()*+,-%

AnonymousCommunication

mix-net: Communicatevia a sequence of proxies.

Messagesencrypted/decryptedappropriately!

!"#$%

'() *#* + ,-./ /0"1 /)2

November 15, 2014 9 / 51

Introduction


10/57

Introduction

But crypto can do much more

Digital Signatures

Physical ⇒ Always thesame!!

Digital ⇒ A function of the content signed.

!"#$%

'#()*+,-%

Anonymous digital cash

Can I spend a “digital coin” without anyone knowing who I am?How to prevent double spending?

Anonymity in conflict with security!If she spends the coin once ⇒ Anonymous!More than once ⇒ Identity exposed!

!"#$%'() *+,

-(+-./0-%10%-!"

2+0)03 $)4435

November 15, 2014 9 / 51

Introduction


11/57

Protocols

Private Auctions

Auction winner = highest − bidder

pays 2nd highest bid

Other bids remainsecret.

!"#$%&'

()"%*

x1 x2 x3 x4 x5

f (x1, x2, x3, x4, x5)

Goal: compute f (x 1, x 2, x 3, x 4)How? ⇒ Secure multi-party computation!!

“Theorem:”

Anything that can be done with trusted auth. can also be done without.

November 15, 2014 10 / 51

Introduction


12/57

Crypto magic

Privately outsourcing computation

!"#$%

'%()$*

+,%)-

.*(/ 0#0 '*%

'%()$* 12)3

)%',"/'

45 +,%)- 6

45 )%',"/' 6

Zero knowledge (proof of knowledge)

! #$%& '() *+,'%-. %* / 00

1-%%* 2

333

456,)/7189

:%;/

November 15, 2014 11 / 51

Introduction


13/57

A rigorous science

The three steps in cryptography:

Precisely specify threat modelPropose a construction

Prove that breaking a construction under threat modelwill solve an underlying hard problem.

November 15, 2014 12 / 51

Introduction


14/57

Cryptographic goals

Cryptographic Goals

In spite of adversaries, we want to achieve (among other things)

confidentiality (keeping secret data secret).

integrity (preventing alteration).

authentication (preventing frauds).

non-repudiation (preventing denials of messages sent).

How?

Cryptography provides basic building blocks for use in building secure systems.

November 15, 2014 13 / 51

Introduction


15/57

Things to Remember

Cryptography is:

A tremendous tool

The basis for many security mechanisms

Cryptography is not

The solution to all security problems (e.g. software bugs, social engineering)

Reliable unless implemented and used properly

Something you should try to invent yourself many many examples of broken ad-hoc designs.

November 15, 2014 14 / 51

Introduction


16/57

Course data, teachers

Course code TDA351 (Chalmers), DIT250 (GU)

Web site: http://www.cse.chalmers.se/edu/course/TDA351/

Lectures:Katerina Mitrokotsa

Tutors (problem sessions and home assignments):Bart van DelftAndres MörtbergHamid Ebadi TavallaeiNikita Frolov

November 15, 2014 15 / 51

Introduction


17/57

Teaching

LecturesTuesdays 8–10 in HC4, Wednesdays 8–10 in HB1, week 1–7.Exception week 4 Lectures Wednesday and Friday.Web site contains info about the topics for the lectures.

Problem-solving sessionsFridays 10–12 in HC1, from week 1.

Home assignment feedback

Comments on your solutions to the assignments.

Office hours

See course web site.

November 15, 2014 16 / 51

Introduction


18/57

Course literature and other resources

Text book:Introduction to Modern Cryptography, Jonathan Katz & Yehuda Lindell

Previous course book also useful: Stallings: Cryptography and Network Security,6th ed.

Lecture slides, problem sets, home assignments.

Additional useful resources, available on the web:Handbook of Applied Cryptography, CRC Press 2001.Selected papers, videos, standards. See course web site.

November 15, 2014 17 / 51

Introduction


19/57

Examination

Paper-and-pencil home assignments

Done individually. Available on course web site; First to be discussed in the class.

Programming assignment

One assignment; done in groups of two or individually.

Exam

Written (closed-book) exam on the 13th of January at 14:00-18:00.

November 15, 2014 18 / 51

Introduction


20/57

Course evaluation

Chalmers procedure

Victor Lindhé ([email protected])

Oskar Montin ([email protected])

Brian Mwambazi ([email protected])

Linnéa Otterlind ([email protected])

Georgios Petros Sideris ([email protected])

Your input is important to improve the course!Reimbursement for volunteers: 200 kr voucher at Cremona.

November 15, 2014 19 / 51

Introduction


21/57

Other security courses at Chalmers and GU

Informal security specialization

We offer a package of four courses in computer and network security, that complementeach other:

Cryptography (period 2)

Computer security (period 3)

Language-based security (period 4)

Network security (period 4)

More info at http://www.cse.chalmers.se/edu/master/secspec.

November 15, 2014 20 / 51

Introduction

http://www.cse.chalmers.se/edu/master/secspechttp://www.cse.chalmers.se/edu/master/secspechttp://www.cse.chalmers.se/edu/master/secspec


22/57

Online crypto courses

Stanford crypto course online

Contains video lectures, quizzes, problem sets, programming assignments,. . .

We will use material from this course.

See https://www.coursera.org/course/crypto

Basic Probabilities & Math

Do a recap on math and basic probabilities:

http://en.wikibooks.org/High_School_Mathematics_Extensions/Discrete_Probabi

November 15, 2014 21 / 51

Symmetric Crypto: History

https://www.coursera.org/course/cryptohttp://en.wikibooks.org/High_School_Mathematics_Extensions/Discrete_Probabilityhttp://en.wikibooks.org/High_School_Mathematics_Extensions/Discrete_Probabilityhttps://www.coursera.org/course/crypto


23/57

Building block: Symmetric Encryption

!"#$%& ( )*+& (

, -.

( (

$$&/,0(1.2 .

34.% (%56

Symmetric ciphers

E , D : cipher, k : secret key (e.g. 128 bits)

m, c : plaintext, ciphertext

November 15, 2014 22 / 51



24/57


!"#$%& ( )*+& (

, -.

( (

$$&/,0(1.2 .

34.% (%56

Symmetric ciphers



Attention: Encryption algorithm is publicly known ⇒ Never use a proprietary cipher!

November 15, 2014 22 / 51



25/57


!"#$%& ( )*+& (

, -.

( (

$$&/,0(1.2 .

34.% (%56

Symmetric ciphers



Attention: Encryption algorithm is publicly known ⇒ Never use a proprietary cipher!

Kerckhoffs’ principle

Security should not rest on secrecy of the algorithms, but only on the secrecy of K .

November 15, 2014 22 / 51



26/57

Use Cases

Single use key (one time key)

Key is only used to encrypt one message

Example: encrypted email → new key generated for every email.

Multi use key (many time key)

Key used to encrypt multiple messages

⇒ Encrypted files: same key used to encrypt many files

Need more machinery than for one-time key!

November 15, 2014 23 / 51



27/57

Historical development

Ancient times – ≈ 1920.Paper-and-pencil systemsSubstitution, transposition, Vigenère, Vernam, . . .

≈ 1920 – ≈ 1960.(Pre-computer) machine ciphersEnigma, Purple, Hagelin, . . .

≈ 1960 –Computer-based systems

These are the main topics of this course.≈ 1990 –Cryptography everywhere.

November 15, 2014 24 / 51



28/57

Classification of Classical Cryptosystems

Ciphers

There are two types of basic algorithms:

transposition ciphers rearrange the order of letters in plaintext.Example: transposition → POISONISNTART

substitution ciphers replace characters in plaintext by others.Example: substitution → TVCTUJUVUJPO where a → B, b → C, c → D, · · · .

November 15, 2014 25 / 51


N i l C i


29/57

Notational Convention

For today (only) we will use the following conventions:

Messages are supposed to be in English.

We use the 26 letters only. Space, comma, period etc. are usually ignored.

Texts are written in groups of five characters.

Plaintexts are in lower case.plain textl ooksl iketh is

Ciphertexts are in upper case.SODLQ WHAWO RRNVO LNHWK LV

November 15, 2014 26 / 51


T i i Ci h


30/57

Transposition Cipher

Plaintext is divided into blocks of the same size n.Here, for explanation, we choose n = 10.

012345 67 89theory of re

01234567 89lativity ca

0 12 3456 789n be used for

0123456789cryptology

A key is a permutation of (0, 1, · · · , n − 1), say (9, 3, 0, 5, 2, 7, 8, 1, 4, 6)Characters in a plaintext block are rearranged according to the key.

01234 56789theor yofre

→ 93052 78146EOTYE FRHRO

This is repeated for each plaintext block.

EOTYE FRHRO AILIT YCAVT RUNEE FOBSD YPCOY OGRTL

November 15, 2014 27 / 51


T iti i h i it


31/57

Transposition cipher as circuit

We can illustrate (and implement in hardware) the permutation (9, 3, 0, 5, 2, 7, 8, 1, 4, 6)

as follows:

Transposition ciphers form part of many modern ciphers.

November 15, 2014 28 / 51


T iti i t


32/57

Transposition variants

A major problem in the old days was to remember the permutation. Some tricks used:

Route transposition: Plaintext is written in one pattern (diagonal, spiral, triangle,· · · ) and read out in another.

0 1 2 3 4 5

0

1

2

3

4

5

0 1 2 3 4 5

0

1

2

3

4

5

Use of keywords, e.g. alphabetical ordering of letters in 0231clue

gives (0, 2, 3, 1) for

n = 4.Longer blocks means more security – and more difficulty in remembering key!

November 15, 2014 29 / 51


Size of the key space


33/57

Size of the key space

Brute force attack are infeasible

A transposition cipher with block size n has as key a permutation of (0, 1, 2, . . . , n − 1)⇒ The number of such permutations is n!, which grows very fast with n.

Examples: 20! ≈ 2.4 · 1018, 100! ≈ 9.3 · 10157.

But ...

Transposition ciphers (with reasonable block sizes) are easily broken using frequency

analysis.

November 15, 2014 30 / 51


Few Historic Examples (all badly broken)


34/57

Few Historic Examples (all badly broken)

Substitution cipher

c := E (k , “bcza”) = “wnac ”

D (k , c ) = “bcza”

a→ c

b→ w

c→ n

z → a

. . .k :=

November 15, 2014 31 / 51


Caesar’s cipher


35/57

Caesar s cipher

Caesar’s cipher

Each letter in the plaintext is replaced by the letter three steps ahead

plain alphabet a b c d e f g h i j k l m n o p q r s t u v w

cipher alphabet D E F G H I J K L M N O P Q R S T U V W X Y Z

M = one one two −→ C = RQH RQH WZR

Decryption is done by shifting back each cipher letter three steps.

Problem

Encryption method must be kept secret from the adversary!

There is no key!

If method becomes known, all is lost.

November 15, 2014 32 / 51


Caesar Cipher


36/57

Caesar Cipher

Caesar cipher

Shift by 3

a→ d

b→ e

c→ f

z → c

. . .

y → b

November 15, 2014 33 / 51


37/57


Quiz question!


38/57

Quiz question!

Key space of substitution ciphers

What is the size of key space in the substitution cipher assuming 26 letters?

1 |K| = 26

2 |K| = 26! ⇒ 26! = 288

3 |K| = 226

4 |K| = 262

November 15, 2014 34 / 51


Comparison substitution & transposition ciphers


39/57


Transposition cipher: key a permutation of positions in a block ⇒ applies the key toeach block in the message, regardless of the letters in the block.

November 15, 2014 35 / 51




40/57

p & p p

Transposition cipher: key a permutation of positions in a block ⇒ applies the key toeach block in the message, regardless of the letters in the block.

Substitution cipher: key a permutation of the alphabet ⇒ applies the key to eachletter in the message.

November 15, 2014 35 / 51


How to break a substitution cipher?


41/57

p

What is the most common letter in English text?

1 “X”

2 “L”

3 “E” ⇐

4 “H”

November 15, 2014 36 / 51


How to break a substitution cipher?


42/57

p

1 Use frequency of English letters“e”: 12.7% , “t”: 9.1%, “a”:8.1%

2 Use frequency of pairs of letters (digrams)“he”, “an”, “in”, “th”

⇒ Ciphertext only attacks!

November 15, 2014 37 / 51


(What types of attacks do we have?


43/57

(

Types of attacks

Ciphertext only attack: The Adversary has one or more ciphertexts.

Known plaintext attacks: The Adversary has one or more plaintexts and thecorresponding cipher texts.

Chosen plaintext attack: The Adversary can choose plain texts, have themencrypted and obtain the corresponding ciphertexts.

November 15, 2014 38 / 51


44/57


An Example


45/57

Ciphertext

UKBYBIPOUZBCUFEEBORUKBYBHOBBRFESPVKBWFOFERVNBCVBZPRUBOFERVNBCVBPCYYFVUFOFEIKNWFRFIKJNUPWRFIPOUNVNIPUBRNCUKBEFWWFDNCHXCYBOHOPYXPUBNCUBOYNRVNIWNCPOJIOFHOPZRVFZIXUBORJRUBZRBCHNCBBONCHRJZSFWNVRJRUBZRPCYZPUKBZPUNVPWPCYVFZIXUPUNFCPWRVNBCVBRPYYNUNFCPWWJUKBYBIPOUZBCUIPOUNVNIPUBRNCHOPYXPUBNCUBOYNRVNIWNCPOJIOFHOPZRNCRVNBCUNENVVFZIXUNCHPCYVFZIXUPUNFCPWZP

UKBZPUNVR

! #$

% #&

' ##

( #)

* )$

! "

! #

! $

%* ++

(' +,

'! +,

'% -

! %&

! $#

'.! $

/0% $

123 &

! #'"

456789:

;756789:

November 15, 2014 40 / 51


46/57


47/57


Correlation


48/57

Let {f i }25i =0 be observed relative letter frequencies in ciphertext and {p i }

25i =0 letter

frequencies in English.

If (unknown) shift is k , then we should have f i ≈ p (i +k ) mod 26.

To find k , we computec k =

25i =0

f i · p (i +k ) mod 26

for k = 0, 1, . . . 25. The k for which c k is maximal is likely to be the correct shift.

In fact, maximal c k is expected to be ca 0.066, while all others are around 0.038.

November 15, 2014 42 / 51


Vigener Cipher (16th century, Rome)


49/57

! # ! # $ % & ' ! # $ % & '

$ # ( ) * & * + , ! - . * $ & ' . * $

! # $ % &%& $'( )*+

, # / / / 0 1 ! 2 1 . & 1 + ( 3 ! 4 5

period = key length

If we assume that most common first letter in the encrypted blocks is “H”Then: first letter of the key = “H” - “E” =“C”

November 15, 2014 43 / 51


Vigener Cipher (16th century, Rome)


50/57

Step 1: Find the key length!

Step 2: Perform a frequency analysis of the ciphertext!

November 15, 2014 44 / 51


51/57


52/57


Rotor Machines


53/57

!

#

$

%

%

&

'

(

)

*

+

%

%

,

-

.

.

)

*

+

%

%

,

-

-

.

)

*

+

%

%

,/01

November 15, 2014 47 / 51


Rotor Machines


54/57

Most famous: the Enigma (3-5 rotors)

Number of keys = 264 = 218

November 15, 2014 48 / 51


Data Encryption Standard (1974)


55/57

Data Encryption Standard

Number of keys = 256

, block size = 64 bits ⇒ Broken

Current ciphers: AES (2001) (128 bit keys), Salsa20 (2008) many many others

November 15, 2014 49 / 51


Things to remember


56/57

Things to remember

Cryptography is a tremendous tool !

Not the solution to all security problems!!

Security should not rest on the secrecy of algorithm.

Historical ciphers ⇒ all badly broken

Questions

How do we break a substitution cipher?

What is the difference between a substitution and a transposition cipher?

How can we break the Vigener cipher?

Tomorrow ⇒ One Time Pad & Stream ciphers

November 15, 2014 50 / 51



57/57

References:

Crypto Course Stanford, Dan Boneh

“Cryptography and Network Security: Principles and practice” (Chapters 1.1, 2)

“Introduction to Modern Cryptography”, Lindell and Katz (Chapter 1)

Thank you for your attention!

November 15, 2014 51 / 51

security- lecture 01

Documents