CS 5950/6030 Network Security Class 7 (F, 9/16/05)


CS 5950/6030 Network Security
Class 7 (F, 9/16/05)
Leszek Lilien
Department of Computer Science, Western Michigan University

[Using some slides prepared by: Prof. Aaron Striegel, U. of Notre Dame; Prof. Barbara Endicott-Popovsky, U. Washington; Prof. Deborah Frincke, U. Idaho; and Prof. Jussipekka Leiwo, VU, The Netherlands]

2B. Basic Types of Ciphers
- 2B.1. Substitution ciphers ...
    b. Other Substitution Ciphers
    c. One-time Pads
  Class 5 | Last Class (Class 6)
- 2B.2. Transposition (permutation) ciphers
- 2B.3. Product ciphers

b. Other Substitution Ciphers
n-char key
- Polyalphabetic substitution ciphers
- Vigenère Tableaux cipher

c. One-Time Pads
- OTP - variant of using Vigenère Tableaux
- One-Time Pad: ...
- Types of One-Time Pads
  - Vernam Cipher ...
  - Book Ciphers (p. 49) ...

2B.2. Transposition Ciphers (1)
- Rearrange letters in plaintext to produce ciphertext
- Example 1a and 1b: Columnar transposition
  - Plaintext: HELLO WORLD
  - Transposition onto (a) 3 columns:
        HEL
        LOW
        ORL
        DXX     (XX - padding)
    and (b) onto 2 columns:
        HE
        LL
        OW
        OR
        LD
  - Ciphertext (read column-by-column):
        (a) hlodeorxlwlx
        (b) hloolelwrd
- What is the key?
  - Number of columns: (a) key = 3 and (b) key = 2

Attacking Transposition Ciphers
- Anagramming
- n-gram – n-char strings in English
  - Digrams (2-grams) for English alphabet are: aa, ab, ac, ... az, ba, bb, bc, ..., zz
  - Trigrams are: aaa, aab, ...
  - 4-grams (quadgrams?) are: aaaa, aaab, ...
- Attack procedure:
  - If 1-gram frequencies in C match English frequencies (but other n-gram frequencies do not), then it is probably a transposition encryption
  - Find n-grams with the highest frequencies in C
  - Rearrange substrings in C to form n-grams with highest frequencies
[cf. Barbara Endicott-Popovsky, U. Washington]

2B.3. Product Ciphers
- A.k.a. combination ciphers
- Built of multiple blocks, each is:
  - Substitution
  or:
  - Transposition
- Example: two-block product cipher
  - E2(E1(P, KE1), KE2)
- Product cipher might not be stronger than its individual components used separately!
  - Might not be even as strong as individual components

2C. Making „Good” Ciphers
Cipher = encryption algorithm
- Outline
    2C.1. Criteria for „Good” Ciphers

2C.1. Criteria for „Good” Ciphers
- „Good” depends on intended application
- Claude Shannon’s criteria (1949)
- Characteristics of good encryption schemes
  - Confusion
  - Diffusion
- Commercial Principles of Sound Encryption Systems
- Examples of popular commercial E’s: DES / RSA / AES
    DES = Data Encryption Standard
    RSA = Rivest-Shamir-Adleman
    AES = Advanced Encryption Standard (relatively new)

Section 2 – Class 7
Class 6:
  2. Introduction to Cryptology ...
    2B. Basic Types of Ciphers - PART 2
      2B.1. Substitution Ciphers - PART 2
      2B.2. Transposition Ciphers
      2B.3. Product Ciphers
    2C. Making „Good” Ciphers
      2C.1. Criteria for „Good” Ciphers
Class 7:
      2C.2. Stream and Block Ciphers
      2C.3. Cryptanalysis
      2C.4. Symmetric and Asymm. Cryptosystems - PART 1

2C.2. Stream and Block Ciphers (1)
  a. Stream ciphers
  b. Problems with stream ciphers
  c. Block ciphers
  d. Pros / cons for stream and block ciphers

a. Stream Ciphers (1)
- Stream cipher: 1 char from P -> 1 char for C
- Example: polyalphabetic cipher
  - P and K (repeated ‘EXODUS’):
        YELLOWSUBMARINEFROMYELLOWRIVER
        EXODUSEXODUSEXODUS
  - Encryption (char after char, using Vigenère Tableaux):
        (1) E(Y, E) -> c   (2) E(E, X) -> b   (3) E(L, O) -> z ...
  - C: cbzoiowlppujmksilgqvsofhbowyyj
  - C as sent (in the right-to-left order):
        Sender S   jyywobhfosvqgliskmjupplwoiozbc   Receiver R

Stream Ciphers (2)
- Example: polyalphabetic cipher - cont.
  - C as received (in the right-to-left order):
        Sender S   jyywobhfosvqgliskmjupplwoiozbc   Receiver R
  - C and K for decryption:
        cbzoiowlppujmksilgqvsofhbowyyj
        EXODUSEXODUSEXODUS
  - Decryption:
        (1) D(c, E) -> Y   (2) D(b, X) -> E   (3) D(z, O) -> L ...
  - Decrypted P: YEL...
Q: Do you know how D uses Vigenère Tableaux?

b. Problems with Stream Ciphers (1)
- Problems with stream ciphers
  - Dropping a char from key K results in wrong decryption
- Example:
  - P and K (repeated ‘EXODUS’) with a char in K missing:
        YELLOWSUBMARINEFROMYELLOWRIVER
        EODUSEXODUSEXODUSE     <- missing X in K! (no errors in repeated K later)
  - Encryption (using VT):
        1) E(Y, E) -> c   2) E(E, O) -> s   3) E(L, D) -> o ...
  - Ciphertext: cso...
    C in the order as sent (right-to-left): ...osc

Problems with Stream Ciphers (2)
  - C as received (in the right-to-left order): ...osc
  - C and correct K (‘EXODUS’) for decryption:
        cso...
        EXO...
- Decryption (using VT, applying correct key):
        1) D(c, E) -> Y   2) D(s, X) -> V   3) D(o, O) -> A ...
- Decrypted P: YVA... - Wrong!
  - We know it’s wrong, Receiver might not know it yet!

Problems with Stream Ciphers (3)
- The problem might be recoverable
- Example: If R had more characters decoded, R might be able to detect that S dropped a key char, and R could recover
  - E.g., suppose that R decoded: YELLOW SUBMAZGTR
    - R could guess that the 2nd word should really be: SUBMARINE
    - => R would know that S dropped a char from K after sending „SUBMA”
    - => R could go back 4 chars, drop a char from K („recalibrate K with C”), and get „resynchronized” with S
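
The dropped-key-character failure and the resynchronization from the three slides above, as an added Python example that is not part of the original slides. It assumes standard Vigenère arithmetic (A=0 .. Z=25) and uses R's guessed word SUBMARINE as a crib; the function names are hypothetical, and the garbled letters it computes are not the slide's illustrative ZGTR.

```python
# Added example (not from the slides): Vigenere as a stream cipher when the
# sender drops one key character. Assumes standard arithmetic A=0 .. Z=25.
from itertools import cycle, islice

def keystream(key, n, drop_at=None):
    """First n chars of the repeated key; drop_at skips the key char at that index."""
    ks = list(islice(cycle(key), n + 1))
    if drop_at is not None:
        del ks[drop_at]
    return ks[:n]

def encrypt(p, ks):
    """Char-by-char E: uppercase plaintext in, lowercase ciphertext out."""
    return "".join(chr((ord(a) + ord(k) - 2 * ord("A")) % 26 + ord("a"))
                   for a, k in zip(p, ks))

def decrypt(c, ks):
    """Char-by-char D: lowercase ciphertext in, uppercase plaintext out."""
    return "".join(chr((ord(a) - ord("a") - ord(k) + ord("A")) % 26 + ord("A"))
                   for a, k in zip(c, ks))

def resync(c, key, crib):
    """Receiver-side recovery: assume one key char was dropped at some position,
    try every position, and accept the first decryption containing the crib."""
    for pos in range(len(c)):
        candidate = decrypt(c, keystream(key, len(c), drop_at=pos))
        if crib in candidate:
            return pos, candidate
    return None

P = "YELLOWSUBMARINEFROMYELLOWRIVER"
KEY = "EXODUS"

# Slide case: X (index 1) is missing from the sender's key.
C_SLIDE = encrypt(P, keystream(KEY, len(P), drop_at=1))
# Resync case (constructed): key char dropped after "YELLOWSUBMA" (index 11).
C_LATE = encrypt(P, keystream(KEY, len(P), drop_at=11))

if __name__ == "__main__":
    full_key = keystream(KEY, len(P))
    print(C_SLIDE[:3], decrypt(C_SLIDE, full_key)[:3])   # cso YVA
    print(decrypt(C_LATE, full_key))    # readable up to SUBMA, then garbage
    print(resync(C_LATE, KEY, "SUBMARINE"))
```

The crib search pins down the drop position only because the guessed word straddles the point where the key slipped, which is the situation the slide describes.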

c. Block Ciphers (1)
- We can do better than using recovery for stream ciphers
  - Solution: use block ciphers
- Block cipher: 1 block of chars from P -> 1 block of chars for C
  - Example of block cipher: columnar transposition
  - Block size = „o(message length)” (informally)

Block Ciphers (2)
- Why block size = „o(message length)”?
  - Because R must wait for „almost” the entire C before it can decode some characters near the beginning of P
  - E.g., for P = ‘HELLO WORLD’, block size is „o(10)”
  - Suppose that Key = 3 (3 columns):
        HEL
        LOW
        ORL
        DXX
- C as sent (in the right-to-left order):
        Sender S   xlwlxroedolh   Receiver R

Block Ciphers (3)
- C as received (in the right-to-left order): xlwlxroedolh
- R knows: K = 3, block size = 12 (=> 4 rows)
        123
        456
        789
        abc     (a=10, b=11, c=12)
  => R knows that characters will be sent in the order:
     1st-4th-7th-10th--2nd-5th-8th-11th--3rd-6th-9th-12th
- R must wait for at least:
  - 1 char of C to decode 1st char of P (‘h’)
  - 5 chars of C to decode 2nd char of P (‘he’)
  - 9 chars of C to decode 3rd, 4th, and 5th chars of P (‘hello’)
  - 10 chars of C to decode 6th, 7th, and 8th chars of P (‘hello wor’)
  - etc.

Block Ciphers (4)
- Informally, we might call ciphers like the above example columnar transposition cipher „weak-block” ciphers
  - R can get some (even most) but not all chars of P before entire C is received
    - R can get one char of P immediately
      - the 1st - after 1 of C (delay of 1 - 1 = 0)
    - R can get some chars of P with „small” delay
      - e.g., 2nd - after 5 of C (delay of 5 - 2 = 3)
    - R can get some chars of P with „large” delay
      - e.g., 3rd - after 9 of C (delay of 9 – 3 = 6)
- There are block ciphers when R cannot even start decoding C before receiving the entire C
  - Informally, we might call them „strong-block” ciphers
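
The columnar transposition of Example 1a/1b and the receiver's waiting times from Block Ciphers (3) and (4), as an added Python example that is not part of the original slides. Function names are hypothetical; padding with X and treating the whole message as one block follow the slides.

```python
# Added example (not from the slides): columnar transposition as a "weak-block"
# cipher, and how much of C the receiver needs before each char of P is known.

def encrypt(p, cols, pad="X"):
    """Write p row by row into `cols` columns, pad the last row, read column by column."""
    p = p.replace(" ", "")
    p += pad * (-len(p) % cols)
    return "".join(p[c::cols] for c in range(cols)).lower()

def decrypt(c, cols):
    """Inverse: cut c into `cols` columns of equal height, read row by row."""
    rows = len(c) // cols
    columns = [c[i * rows:(i + 1) * rows] for i in range(cols)]
    return "".join(columns[k][r] for r in range(rows) for k in range(cols)).upper()

def arrival_index(pos, cols, rows):
    """1-based index in C at which the pos-th (1-based) char of P arrives."""
    r, k = divmod(pos - 1, cols)      # row and column of that char in the grid
    return k * rows + r + 1           # columns are sent one after another

def chars_needed(block_len, cols):
    """For each prefix length n of P: how many chars of C must be received
    before the first n chars of P can all be decoded."""
    rows = block_len // cols
    need, worst = [], 0
    for pos in range(1, block_len + 1):
        worst = max(worst, arrival_index(pos, cols, rows))
        need.append(worst)
    return need

if __name__ == "__main__":
    c = encrypt("HELLO WORLD", 3)
    print(c, decrypt(c, 3))                    # hlodeorxlwlx HELLOWORLDXX
    print(encrypt("HELLO WORLD", 2))           # hloolelwrd
    for n, need in enumerate(chars_needed(len(c), 3), start=1):
        print(f"first {n:2d} chars of P need {need:2d} chars of C")
```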

d. Pros / Cons for Stream and Block Ciphers (1)
- Pros / cons for stream ciphers
  - [+] Low delay for decoding individual symbols
    - Can decode as soon as received
  - [+] Low error propagation
    - Error in E(c1) does not affect E(c2)
  - [-] Low diffusion
    - Each char separately encoded => carries over its frequency info
  - [-] Susceptibility to malicious insertion / modification
    - Adversary can fabricate a new msg from pieces of broken msgs, even if he doesn’t know E (just broke a few msgs)

Pros / Cons for Stream and Block Ciphers (2)
- Pros / cons for block ciphers
  - [+] High diffusion
    - Frequency of a char from P diffused over (a few chars of) a block of C
  - [+] Immune to insertion
    - Impossible to insert a char into a block without easy detection (block size would change)
    - Impossible to modify a char in a block without easy detection (if checksums are used)

Pros / Cons for Stream and Block Ciphers (3)
- Pros / cons for block ciphers - Part 2
  - [-] High delay for decoding individual chars
    - See example for ‘hello worldxx’ above
    - For some E can’t decode even the 1st char before whole k chars of a block are received
  - [-] High error propagation
    - It affects the block, not just a single char

2C.3. Cryptanalysis (1)
- What cryptanalysts do when confronted with unknown?
  Four possible situations w.r.t. available info:
    1) C available
    2) Full P available
    3) Partial P available
    4) E available (or D available)
- (1) – (4) suggest 5 different approaches

Cryptanalysis (2)
- Cryptanalyst approaches
  1) Ciphertext-only attack
     - We have shown examples for such attacks
       - E.g., for Caesar’s cipher, columnar transposition cipher
  2) Known plaintext attack
     - Analyst has C and P
       - Needs to deduce E such that C = E(P), then finds D
  3) Probable plaintext attack
     - Partial decryption provides partial match to C
       - This provides more clues

Cryptanalysis (3)
- Cryptanalyst approaches – cont.
  4) Chosen plaintext attack
     - Analyst able to fabricate encrypted msgs
       - Then observe effects of msgs on adversary’s actions
       - This provides further hints
  5) Chosen ciphertext attack
     - Analyst has both E and C
     - Run E for many candidate plaintexts to find P for which E(P) = C
       - Purpose: to find KE

2C.4. Symmetric and Asymmetric Cryptosystems (1)
- Symmetric encryption = secret key encryption
  - KE = KD - called a secret key or a private key
  - Only sender S and receiver R know the key
- As long as the key remains secret, it also provides authentication (= proof of sender’s identity)
[cf. J. Leiwo]

Symmetric and Asymmetric Cryptosystems (2a)
- Problems with symmetric encryption:
  - Ensuring security of the „key channel”
  - Need an efficient key distribution infrastructure
    - A separate key needed for each communicating S-R pair
      - For n communicating users, need: n * (n - 1) / 2 keys

End of Class 7