security- lecture 01
TRANSCRIPT
-
8/18/2019 Security- lecture 01
1/57
Cryptography 2014
Lecture 1
Introduction
Course info
General concepts
Introductory examples
Symmetric Crypto History
November 15, 2014 1 / 51
http://-/?-
-
8/18/2019 Security- lecture 01
2/57
Introduction
Cryptography
... “is about communication in the presence of adversaries.”(R. Rivest)
↓ ↑
Adversary
November 15, 2014 2 / 51
-
8/18/2019 Security- lecture 01
3/57
Introduction
Course Objectives
Objectives
Learn how crypto primitives work.
Learn to use them correctly and reason about security.Be well-oriented in basic cryptographic concepts and methods.
Have a sound understanding of theory and implementation, as well as limitationsand vulnerability.
Be familiar with a number of examples of use of cryptographic tools in common
software and hardware artefacts.
November 15, 2014 3 / 51
-
8/18/2019 Security- lecture 01
4/57
Introduction
Why study cryptography?
Cryptography is everywhere!
Where?
Secure Communication: web traffic: HTTPS, wireless traffic 802.11i WPA2 (wifi),GSM (cellphone), Bluetooth.
Encrypting files on disk: EFS, TrueCrypt
Content protection (DVD, Blu-ray): CSS (Content Scrambling System), AACS
User authenticationNovember 15, 2014 4 / 51
-
8/18/2019 Security- lecture 01
5/57
Introduction
Secure Communication: example
!" $%&$'()"**+!,
!" -%.*$)+!,
⇒ SSL/TLS An attacker cannot eavesdrop/tamper data.
November 15, 2014 5 / 51
I d i
-
8/18/2019 Security- lecture 01
6/57
Introduction
Secure Communication: Secure Socket Layer/ TLS
Two main parts
1 Handshake Protocol: Establish shared secret key using public-key cryptography(2nd part of the course).
2 Record Layer: Transmit data using shared secret keyEnsure confidentiality and integrity (1st part of the course)
November 15, 2014 6 / 51
I t d ti
-
8/18/2019 Security- lecture 01
7/57
Introduction
Protected files on disk
!"#$
&"'( )
&"'( *
+'",( +'",(
-. (/0(#12.33"45
-. 6/73(2"45
Files encrypted
If data are stolen ⇒ Attacker (A) cannot read/tamper data
If A tries to modify Alice will detect itConfidentiality & Integrity!!
Analogous to secure communication:
Alice Today sends a message to Alice Tomorrow
November 15, 2014 7 / 51
Introduction
-
8/18/2019 Security- lecture 01
8/57
Introduction
Crypto Core
Secret key establishment
At the end of the protocolAlice & Bob share asecret key k .
Alice will know that she istalking to Bob.
Attacker has no clueabout k .
!"#$%'()
*+",#-.
/( !"#$%*+",#-.
/( '()
!"!#$%&'''
Secure Communication
Attacker A cannot
understand transmittedmessages.
A Cannot tampermessages.
!!
#$%&'(%)*+,-. *%' ,%-(/0,-.
12
13
November 15, 2014 8 / 51
Introduction
-
8/18/2019 Security- lecture 01
9/57
Introduction
But crypto can do much more
Digital Signatures
Physical ⇒ Always thesame!!
Digital ⇒ A function of the content signed.
!"#$%
'#()*+,-%
AnonymousCommunication
mix-net: Communicatevia a sequence of proxies.
Messagesencrypted/decryptedappropriately!
!"#$%
'() *#* + ,-./ /0"1 /)2
November 15, 2014 9 / 51
Introduction
-
8/18/2019 Security- lecture 01
10/57
Introduction
But crypto can do much more
Digital Signatures
Physical ⇒ Always thesame!!
Digital ⇒ A function of the content signed.
!"#$%
'#()*+,-%
Anonymous digital cash
Can I spend a “digital coin” without anyone knowing who I am?How to prevent double spending?
Anonymity in conflict with security!If she spends the coin once ⇒ Anonymous!More than once ⇒ Identity exposed!
!"#$%'() *+,
-(+-./0-%10%-!"
2+0)03 $)4435
November 15, 2014 9 / 51
Introduction
-
8/18/2019 Security- lecture 01
11/57
Protocols
Private Auctions
Auction winner = highest − bidder
pays 2nd highest bid
Other bids remainsecret.
!"#$%&'
()"%*
x1 x2 x3 x4 x5
f (x1, x2, x3, x4, x5)
Goal: compute f (x 1, x 2, x 3, x 4)How? ⇒ Secure multi-party computation!!
“Theorem:”
Anything that can be done with trusted auth. can also be done without.
November 15, 2014 10 / 51
Introduction
-
8/18/2019 Security- lecture 01
12/57
Crypto magic
Privately outsourcing computation
!"#$%
'%()$*
+,%)-
.*(/ 0#0 '*%
'%()$* 12)3
)%',"/'
45 +,%)- 6
45 )%',"/' 6
Zero knowledge (proof of knowledge)
! #$%& '() *+,'%-. %* / 00
1-%%* 2
333
456,)/7189
:%;/
November 15, 2014 11 / 51
Introduction
-
8/18/2019 Security- lecture 01
13/57
A rigorous science
The three steps in cryptography:
Precisely specify threat modelPropose a construction
Prove that breaking a construction under threat modelwill solve an underlying hard problem.
November 15, 2014 12 / 51
Introduction
-
8/18/2019 Security- lecture 01
14/57
Cryptographic goals
Cryptographic Goals
In spite of adversaries, we want to achieve (among other things)
confidentiality (keeping secret data secret).
integrity (preventing alteration).
authentication (preventing frauds).
non-repudiation (preventing denials of messages sent).
How?
Cryptography provides basic building blocks for use in building secure systems.
November 15, 2014 13 / 51
Introduction
-
8/18/2019 Security- lecture 01
15/57
Things to Remember
Cryptography is:
A tremendous tool
The basis for many security mechanisms
Cryptography is not
The solution to all security problems (e.g. software bugs, social engineering)
Reliable unless implemented and used properly
Something you should try to invent yourself many many examples of broken ad-hoc designs.
November 15, 2014 14 / 51
Introduction
-
8/18/2019 Security- lecture 01
16/57
Course data, teachers
Course code TDA351 (Chalmers), DIT250 (GU)
Web site: http://www.cse.chalmers.se/edu/course/TDA351/
Lectures:Katerina Mitrokotsa
Tutors (problem sessions and home assignments):Bart van DelftAndres MörtbergHamid Ebadi TavallaeiNikita Frolov
November 15, 2014 15 / 51
Introduction
-
8/18/2019 Security- lecture 01
17/57
Teaching
LecturesTuesdays 8–10 in HC4, Wednesdays 8–10 in HB1, week 1–7.Exception week 4 Lectures Wednesday and Friday.Web site contains info about the topics for the lectures.
Problem-solving sessionsFridays 10–12 in HC1, from week 1.
Home assignment feedback
Comments on your solutions to the assignments.
Office hours
See course web site.
November 15, 2014 16 / 51
Introduction
-
8/18/2019 Security- lecture 01
18/57
Course literature and other resources
Text book:Introduction to Modern Cryptography, Jonathan Katz & Yehuda Lindell
Previous course book also useful: Stallings: Cryptography and Network Security,6th ed.
Lecture slides, problem sets, home assignments.
Additional useful resources, available on the web:Handbook of Applied Cryptography, CRC Press 2001.Selected papers, videos, standards. See course web site.
November 15, 2014 17 / 51
Introduction
-
8/18/2019 Security- lecture 01
19/57
Examination
Paper-and-pencil home assignments
Done individually. Available on course web site; First to be discussed in the class.
Programming assignment
One assignment; done in groups of two or individually.
Exam
Written (closed-book) exam on the 13th of January at 14:00-18:00.
November 15, 2014 18 / 51
Introduction
-
8/18/2019 Security- lecture 01
20/57
Course evaluation
Chalmers procedure
Victor Lindhé ([email protected])
Oskar Montin ([email protected])
Brian Mwambazi ([email protected])
Linnéa Otterlind ([email protected])
Georgios Petros Sideris ([email protected])
Your input is important to improve the course!Reimbursement for volunteers: 200 kr voucher at Cremona.
November 15, 2014 19 / 51
Introduction
-
8/18/2019 Security- lecture 01
21/57
Other security courses at Chalmers and GU
Informal security specialization
We offer a package of four courses in computer and network security, that complementeach other:
Cryptography (period 2)
Computer security (period 3)
Language-based security (period 4)
Network security (period 4)
More info at http://www.cse.chalmers.se/edu/master/secspec.
November 15, 2014 20 / 51
Introduction
http://www.cse.chalmers.se/edu/master/secspechttp://www.cse.chalmers.se/edu/master/secspechttp://www.cse.chalmers.se/edu/master/secspec
-
8/18/2019 Security- lecture 01
22/57
Online crypto courses
Stanford crypto course online
Contains video lectures, quizzes, problem sets, programming assignments,. . .
We will use material from this course.
See https://www.coursera.org/course/crypto
Basic Probabilities & Math
Do a recap on math and basic probabilities:
http://en.wikibooks.org/High_School_Mathematics_Extensions/Discrete_Probabi
November 15, 2014 21 / 51
Symmetric Crypto: History
https://www.coursera.org/course/cryptohttp://en.wikibooks.org/High_School_Mathematics_Extensions/Discrete_Probabilityhttp://en.wikibooks.org/High_School_Mathematics_Extensions/Discrete_Probabilityhttps://www.coursera.org/course/crypto
-
8/18/2019 Security- lecture 01
23/57
Building block: Symmetric Encryption
!"#$%& ( )*+& (
, -.
( (
$$&/,0(1.2 .
34.% (%56
Symmetric ciphers
E , D : cipher, k : secret key (e.g. 128 bits)
m, c : plaintext, ciphertext
November 15, 2014 22 / 51
Symmetric Crypto: History
-
8/18/2019 Security- lecture 01
24/57
Building block: Symmetric Encryption
!"#$%& ( )*+& (
, -.
( (
$$&/,0(1.2 .
34.% (%56
Symmetric ciphers
E , D : cipher, k : secret key (e.g. 128 bits)
m, c : plaintext, ciphertext
Attention: Encryption algorithm is publicly known ⇒ Never use a proprietary cipher!
November 15, 2014 22 / 51
Symmetric Crypto: History
-
8/18/2019 Security- lecture 01
25/57
Building block: Symmetric Encryption
!"#$%& ( )*+& (
, -.
( (
$$&/,0(1.2 .
34.% (%56
Symmetric ciphers
E , D : cipher, k : secret key (e.g. 128 bits)
m, c : plaintext, ciphertext
Attention: Encryption algorithm is publicly known ⇒ Never use a proprietary cipher!
Kerckhoffs’ principle
Security should not rest on secrecy of the algorithms, but only on the secrecy of K .
November 15, 2014 22 / 51
Symmetric Crypto: History
-
8/18/2019 Security- lecture 01
26/57
Use Cases
Single use key (one time key)
Key is only used to encrypt one message
Example: encrypted email → new key generated for every email.
Multi use key (many time key)
Key used to encrypt multiple messages
⇒ Encrypted files: same key used to encrypt many files
Need more machinery than for one-time key!
November 15, 2014 23 / 51
Symmetric Crypto: History
-
8/18/2019 Security- lecture 01
27/57
Historical development
Ancient times – ≈ 1920.Paper-and-pencil systemsSubstitution, transposition, Vigenère, Vernam, . . .
≈ 1920 – ≈ 1960.(Pre-computer) machine ciphersEnigma, Purple, Hagelin, . . .
≈ 1960 –Computer-based systems
These are the main topics of this course.≈ 1990 –Cryptography everywhere.
November 15, 2014 24 / 51
Symmetric Crypto: History
-
8/18/2019 Security- lecture 01
28/57
Classification of Classical Cryptosystems
Ciphers
There are two types of basic algorithms:
transposition ciphers rearrange the order of letters in plaintext.Example: transposition → POISONISNTART
substitution ciphers replace characters in plaintext by others.Example: substitution → TVCTUJUVUJPO where a → B, b → C, c → D, · · · .
November 15, 2014 25 / 51
Symmetric Crypto: History
N i l C i
-
8/18/2019 Security- lecture 01
29/57
Notational Convention
For today (only) we will use the following conventions:
Messages are supposed to be in English.
We use the 26 letters only. Space, comma, period etc. are usually ignored.
Texts are written in groups of five characters.
Plaintexts are in lower case.plain textl ooksl iketh is
Ciphertexts are in upper case.SODLQ WHAWO RRNVO LNHWK LV
November 15, 2014 26 / 51
Symmetric Crypto: History
T i i Ci h
-
8/18/2019 Security- lecture 01
30/57
Transposition Cipher
Plaintext is divided into blocks of the same size n.Here, for explanation, we choose n = 10.
012345 67 89theory of re
01234567 89lativity ca
0 12 3456 789n be used for
0123456789cryptology
A key is a permutation of (0, 1, · · · , n − 1), say (9, 3, 0, 5, 2, 7, 8, 1, 4, 6)Characters in a plaintext block are rearranged according to the key.
01234 56789theor yofre
→ 93052 78146EOTYE FRHRO
This is repeated for each plaintext block.
EOTYE FRHRO AILIT YCAVT RUNEE FOBSD YPCOY OGRTL
November 15, 2014 27 / 51
Symmetric Crypto: History
T iti i h i it
-
8/18/2019 Security- lecture 01
31/57
Transposition cipher as circuit
We can illustrate (and implement in hardware) the permutation (9, 3, 0, 5, 2, 7, 8, 1, 4, 6)
as follows:
Transposition ciphers form part of many modern ciphers.
November 15, 2014 28 / 51
Symmetric Crypto: History
T iti i t
-
8/18/2019 Security- lecture 01
32/57
Transposition variants
A major problem in the old days was to remember the permutation. Some tricks used:
Route transposition: Plaintext is written in one pattern (diagonal, spiral, triangle,· · · ) and read out in another.
0 1 2 3 4 5
0
1
2
3
4
5
0 1 2 3 4 5
0
1
2
3
4
5
Use of keywords, e.g. alphabetical ordering of letters in 0231clue
gives (0, 2, 3, 1) for
n = 4.Longer blocks means more security – and more difficulty in remembering key!
November 15, 2014 29 / 51
Symmetric Crypto: History
Size of the key space
-
8/18/2019 Security- lecture 01
33/57
Size of the key space
Brute force attack are infeasible
A transposition cipher with block size n has as key a permutation of (0, 1, 2, . . . , n − 1)⇒ The number of such permutations is n!, which grows very fast with n.
Examples: 20! ≈ 2.4 · 1018, 100! ≈ 9.3 · 10157.
But ...
Transposition ciphers (with reasonable block sizes) are easily broken using frequency
analysis.
November 15, 2014 30 / 51
Symmetric Crypto: History
Few Historic Examples (all badly broken)
-
8/18/2019 Security- lecture 01
34/57
Few Historic Examples (all badly broken)
Substitution cipher
c := E (k , “bcza”) = “wnac ”
D (k , c ) = “bcza”
a→ c
b→ w
c→ n
z → a
. . .k :=
November 15, 2014 31 / 51
Symmetric Crypto: History
Caesar’s cipher
-
8/18/2019 Security- lecture 01
35/57
Caesar s cipher
Caesar’s cipher
Each letter in the plaintext is replaced by the letter three steps ahead
plain alphabet a b c d e f g h i j k l m n o p q r s t u v w
cipher alphabet D E F G H I J K L M N O P Q R S T U V W X Y Z
M = one one two −→ C = RQH RQH WZR
Decryption is done by shifting back each cipher letter three steps.
Problem
Encryption method must be kept secret from the adversary!
There is no key!
If method becomes known, all is lost.
November 15, 2014 32 / 51
Symmetric Crypto: History
Caesar Cipher
-
8/18/2019 Security- lecture 01
36/57
Caesar Cipher
Caesar cipher
Shift by 3
a→ d
b→ e
c→ f
z → c
. . .
y → b
November 15, 2014 33 / 51
-
8/18/2019 Security- lecture 01
37/57
Symmetric Crypto: History
Quiz question!
-
8/18/2019 Security- lecture 01
38/57
Quiz question!
Key space of substitution ciphers
What is the size of key space in the substitution cipher assuming 26 letters?
1 |K| = 26
2 |K| = 26! ⇒ 26! = 288
3 |K| = 226
4 |K| = 262
November 15, 2014 34 / 51
Symmetric Crypto: History
Comparison substitution & transposition ciphers
-
8/18/2019 Security- lecture 01
39/57
Comparison substitution & transposition ciphers
Transposition cipher: key a permutation of positions in a block ⇒ applies the key toeach block in the message, regardless of the letters in the block.
November 15, 2014 35 / 51
Symmetric Crypto: History
Comparison substitution & transposition ciphers
-
8/18/2019 Security- lecture 01
40/57
p & p p
Transposition cipher: key a permutation of positions in a block ⇒ applies the key toeach block in the message, regardless of the letters in the block.
Substitution cipher: key a permutation of the alphabet ⇒ applies the key to eachletter in the message.
November 15, 2014 35 / 51
Symmetric Crypto: History
How to break a substitution cipher?
-
8/18/2019 Security- lecture 01
41/57
p
What is the most common letter in English text?
1 “X”
2 “L”
3 “E” ⇐
4 “H”
November 15, 2014 36 / 51
Symmetric Crypto: History
How to break a substitution cipher?
-
8/18/2019 Security- lecture 01
42/57
p
1 Use frequency of English letters“e”: 12.7% , “t”: 9.1%, “a”:8.1%
2 Use frequency of pairs of letters (digrams)“he”, “an”, “in”, “th”
⇒ Ciphertext only attacks!
November 15, 2014 37 / 51
Symmetric Crypto: History
(What types of attacks do we have?
-
8/18/2019 Security- lecture 01
43/57
(
Types of attacks
Ciphertext only attack: The Adversary has one or more ciphertexts.
Known plaintext attacks: The Adversary has one or more plaintexts and thecorresponding cipher texts.
Chosen plaintext attack: The Adversary can choose plain texts, have themencrypted and obtain the corresponding ciphertexts.
November 15, 2014 38 / 51
-
8/18/2019 Security- lecture 01
44/57
Symmetric Crypto: History
An Example
-
8/18/2019 Security- lecture 01
45/57
Ciphertext
UKBYBIPOUZBCUFEEBORUKBYBHOBBRFESPVKBWFOFERVNBCVBZPRUBOFERVNBCVBPCYYFVUFOFEIKNWFRFIKJNUPWRFIPOUNVNIPUBRNCUKBEFWWFDNCHXCYBOHOPYXPUBNCUBOYNRVNIWNCPOJIOFHOPZRVFZIXUBORJRUBZRBCHNCBBONCHRJZSFWNVRJRUBZRPCYZPUKBZPUNVPWPCYVFZIXUPUNFCPWRVNBCVBRPYYNUNFCPWWJUKBYBIPOUZBCUIPOUNVNIPUBRNCHOPYXPUBNCUBOYNRVNIWNCPOJIOFHOPZRNCRVNBCUNENVVFZIXUNCHPCYVFZIXUPUNFCPWZP
UKBZPUNVR
! #$
% #&
' ##
( #)
* )$
! "
! #
! $
%* ++
(' +,
'! +,
'% -
! %&
! $#
'.! $
/0% $
123 &
! #'"
456789:
;756789:
November 15, 2014 40 / 51
-
8/18/2019 Security- lecture 01
46/57
-
8/18/2019 Security- lecture 01
47/57
Symmetric Crypto: History
Correlation
-
8/18/2019 Security- lecture 01
48/57
Let {f i }25i =0 be observed relative letter frequencies in ciphertext and {p i }
25i =0 letter
frequencies in English.
If (unknown) shift is k , then we should have f i ≈ p (i +k ) mod 26.
To find k , we computec k =
25i =0
f i · p (i +k ) mod 26
for k = 0, 1, . . . 25. The k for which c k is maximal is likely to be the correct shift.
In fact, maximal c k is expected to be ca 0.066, while all others are around 0.038.
November 15, 2014 42 / 51
Symmetric Crypto: History
Vigener Cipher (16th century, Rome)
-
8/18/2019 Security- lecture 01
49/57
! # ! # $ % & ' ! # $ % & '
$ # ( ) * & * + , ! - . * $ & ' . * $
! # $ % &%& $'( )*+
, # / / / 0 1 ! 2 1 . & 1 + ( 3 ! 4 5
period = key length
If we assume that most common first letter in the encrypted blocks is “H”Then: first letter of the key = “H” - “E” =“C”
November 15, 2014 43 / 51
Symmetric Crypto: History
Vigener Cipher (16th century, Rome)
-
8/18/2019 Security- lecture 01
50/57
Step 1: Find the key length!
Step 2: Perform a frequency analysis of the ciphertext!
November 15, 2014 44 / 51
-
8/18/2019 Security- lecture 01
51/57
-
8/18/2019 Security- lecture 01
52/57
Symmetric Crypto: History
Rotor Machines
-
8/18/2019 Security- lecture 01
53/57
!
#
$
%
%
&
'
(
)
*
+
%
%
,
-
.
.
)
*
+
%
%
,
-
-
.
)
*
+
%
%
,/01
November 15, 2014 47 / 51
Symmetric Crypto: History
Rotor Machines
-
8/18/2019 Security- lecture 01
54/57
Most famous: the Enigma (3-5 rotors)
Number of keys = 264 = 218
November 15, 2014 48 / 51
Symmetric Crypto: History
Data Encryption Standard (1974)
-
8/18/2019 Security- lecture 01
55/57
Data Encryption Standard
Number of keys = 256
, block size = 64 bits ⇒ Broken
Current ciphers: AES (2001) (128 bit keys), Salsa20 (2008) many many others
November 15, 2014 49 / 51
Symmetric Crypto: History
Things to remember
-
8/18/2019 Security- lecture 01
56/57
Things to remember
Cryptography is a tremendous tool !
Not the solution to all security problems!!
Security should not rest on the secrecy of algorithm.
Historical ciphers ⇒ all badly broken
Questions
How do we break a substitution cipher?
What is the difference between a substitution and a transposition cipher?
How can we break the Vigener cipher?
Tomorrow ⇒ One Time Pad & Stream ciphers
November 15, 2014 50 / 51
Symmetric Crypto: History
-
8/18/2019 Security- lecture 01
57/57
References:
Crypto Course Stanford, Dan Boneh
“Cryptography and Network Security: Principles and practice” (Chapters 1.1, 2)
“Introduction to Modern Cryptography”, Lindell and Katz (Chapter 1)
Thank you for your attention!
November 15, 2014 51 / 51