Topics
1. Modular Arithmetic Review
2. What is Cryptography?
3. History of Cryptography
4. Transposition Ciphers
5. Substitution Ciphers
   1. Caesar cipher
   2. Vigenère cipher
6. Cryptanalysis: frequency analysis
7. Block Ciphers
8. DES
Slide 3
CSC 482/582: Computer Security
Modular Arithmetic
Congruence
  $a \equiv b \pmod{N}$ iff $a = b + kN$
  Equivalently, $a \equiv b \pmod{N}$ iff $N \mid (a - b)$
  ex: $37 \equiv 27 \pmod{10}$
b is the residue of a, modulo N
Integers 0..N-1 are the complete set of residues mod N
Slide 4
Laws of Modular Arithmetic
  (a + b) mod N = (a mod N + b mod N) mod N
  (a - b) mod N = (a mod N - b mod N) mod N
  ab mod N = (a mod N)(b mod N) mod N
  a(b+c) mod N = ((ab mod N) + (ac mod N)) mod N
Slide 5
What is Cryptography?
Cryptography: the art and science of keeping messages secure.
Cryptanalysis: the art and science of decrypting messages.
Cryptology: cryptography + cryptanalysis
Slide 6
Terminology
Plaintext: message to be encrypted. Also called cleartext.
Encryption: altering a message to keep its contents secret.
Ciphertext: encrypted message.
[Figure: Plaintext, Encryption Procedure, Ciphertext]
Slide 7
History of Cryptography
Egyptian hieroglyphics ~ 2000 B.C.E.
  Cryptic tomb inscriptions for regality.
Spartan skytale cipher ~ 500 B.C.E.
  Wrapped thin sheet of papyrus around staff.
  Messages written down length of staff.
  Decrypted by wrapping around a staff of equal diameter.
Caesar cipher ~ 50 B.C.E.
  Simple alphabetic substitution cipher.
al-Kindi ~ 850 C.E.
  Cryptanalysis using letter frequencies.
Slide 8
History of Cryptography
Alberti's polyalphabetic cipher 1467
Decryption of Zimmermann telegram 1917
  Leads US into World War I
Japanese Purple Machine cracked 1937
  US breaks rotor machine for highest secrets.
German Enigma machine cracked 1933-45
  Initially broken by Polish mathematician
  Variants broken at Bletchley Park in UK
  Colossus, world's 1st electronic computer.
Slide 9
A Transposition Cipher
Rearrange letters in plaintext.
Example: Rail-Fence Cipher
  Plaintext is HELLO WORLD
  Rearrange as
    H L O O L
    E L W R D
  Ciphertext is HLOOL ELWRD
Slide 10
Cryptosystem Formal Definition
5-tuple (E, D, M, K, C)
  M set of plaintexts
  K set of keys
  C set of ciphertexts
  E set of encryption functions $e: M \times K \to C$
  D set of decryption functions $d: C \times K \to M$
Slide 11
Caesar cipher
Letter shifting cipher (A=>D, B=>E, C=>F, ...)
5-tuple
  M = { all sequences of letters }
  K = { i | i is an integer and $0 \le i \le 25$ }
  E = { $E_k$ | $k \in K$ and for all letters m, $E_k(m) = (m + k) \bmod 26$ }
  D = { $D_k$ | $k \in K$ and for all letters c, $D_k(c) = (26 + c - k) \bmod 26$ }
  C = M
History: Caesar's key was 3.
Slide 12
Caesar cipher
Plaintext is HELLO WORLD
Change each letter to the third letter following it (X goes to A, Y to B, Z to C)
  Key is 3, usually written as letter D
Ciphertext is KHOOR ZRUOG
Slide 13
ROT 13
Caesar cipher with key of 13
13 chosen since encryption and decryption are same operation
Used to hide spoilers, punchlines, and offensive material online.
Slide 14
Kerckhoffs' Principle
Security of cryptosystem should only depend on
  1. Quality of shared encryption algorithm E
  2. Secrecy of key K
Security through obscurity tends to fail
  ex: DVD Content Scrambling System
Slide 15
Cryptanalysis Goals
  1. Decrypt a given message.
  2. Recover encryption key.
Adversarial models vary based on
  1. Type of information available to adversary
  2. Interaction with cryptosystem.
Slide 16
Cryptanalysis Adversarial Models
ciphertext only: adversary has only ciphertext; goal is to find plaintext, possibly key.
known plaintext: adversary has ciphertext, corresponding plaintext; goal is to find key.
chosen plaintext: adversary may supply plaintexts and obtain corresponding ciphertext; goal is to find key.
Slide 17
Classical Cryptography
Sender and receiver share common key
  Keys may be the same, or be trivial to derive from one another.
  Sometimes called symmetric cryptography.
Slide 18
Substitution Ciphers
Substitute plaintext chars for ciphered chars.
  Simple: Always use same substitution function.
  Polyalphabetic: Use different substitution functions based on position in message.
Slide 19
Cryptanalysis of Caesar Cipher
Exhaustive search
  If the key space is small enough, try all possible keys until you find the right one.
  Caesar cipher has only 26 possible keys.
Slide 20
General Simple Substitution Cipher
Key Space: All permutations of alphabet.
Encryption: Replace each plaintext letter x with K(x)
Decryption: Replace each ciphertext letter y with $K^{-1}(y)$
Example:
      A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
  K = F U B A R D H G J I L K N M P O S Q Z W X Y V T C E
  CRYPTO -> BQCOWP
Slide 21
General Substitution Cryptanalysis
Exhaustive search impossible
  Key space size is $26! \approx 4 \times 10^{26}$
Historically thought to be unbreakable.
Slide 22
Cryptanalysis: Frequency Analysis
Languages have different frequencies of
  letters
  digraphs (groups of 2 letters)
  trigraphs (groups of 3 letters)
  etc.
Simple substitution ciphers preserve frequency distributions.
Slide 23
English Letter Frequencies
Slide 24
Additional Frequency Features
Digraph frequencies
  Common digraphs: EN, RE, ER, NT
Vowels other than E rarely followed by another vowel.
The letter Q is followed only by U.
Slide 25
Countering Frequency Analysis
Nulls
  Insert additional symbols (numbers) which have no meaning in random places.
Idiosyncratic spellings
  n0rM4L s34rCh
  Hacker speak: www.google.com/webhp?hl=xx-hacker
Homophonic substitution
  Each letter has multiple substitutions.
Techniques increase difficulty but don't make it impossible.
Slide 26
Countering Frequency Analysis
Primary weakness of simple substitution:
  Each ciphertext letter corresponds to only one letter of plaintext.
Solution: polyalphabetic substitution
  Use multiple cipher alphabets.
  Switch between cipher alphabets from character to character in the plaintext.
Slide 27
Letter Frequency Distributions
Slide 28
Vigenère Cipher
Use phrase instead of letter as key.
Example
  Message THE BOY HAS THE BALL
  Key VIG
  Encipher using Caesar cipher for each letter:
    key    VIGVIGVIGVIGVIGV
    plain  THEBOYHASTHEBALL
    cipher OPKWWECIYOPKWIRG
[Figure: Reproduction of CSA Cipher Disk]
Slide 29
Relevant Parts of Tableau
      G I V
  A   G I V
  B   H J W
  E   L M Z
  H   N P C
  L   R T G
  O   U W J
  S   Y A N
  T   Z B O
  Y   E H T
Tableau shown only has relevant rows and columns.
Example encipherments:
  Key V, letter T: follow V column down to T row (giving O)
  Key I, letter H: follow I column down to H row (giving P)
Slide 30
Useful Terms
period: length of key
  In earlier example, period is 3
tableau: table used to encipher and decipher
  Vigenère cipher has key letters on top, plaintext letters on the left.
Slide 31
Vigenère Cryptanalysis
1. Find key length (period), which we will call n.
2. Break message into n parts, each part being enciphered using the same key letter.
3. Use frequency analysis to solve resulting n simple substitution ciphers.
  key    VIGVIGVIGVIGVIGV
  plain  THEBOYHASTHEBALL
  cipher OPKWWECIYOPKWIRG
Slide 32
Kasiski Test
Conjunction of key repetition with repeated portion of plaintext produces repeated ciphertext.
Example:
  key    VIGVIGVIGVIGVIGV
  plain  THEBOYHASTHEBALL
  cipher OPKWWECIYOPKWIRG
Key and plaintext line up over the repetitions.
Distance between repetitions is 9
  Repeated phrase OPK at 1st and 10th positions.
  Period is a multiple of 9 (1, 3 or 9).
Repetitions in Example
Letters  Start  End  Distance  Factors
MI           5   15        10  2, 5
OO          22   27         5  5
OEQOOG      24   54        30  2, 3, 5
FV          39   63        24  2, 2, 2, 3
AA          43   87        44  2, 2, 11
MOC         50  122        72  2, 2, 2, 3, 3
QO          56  105        49  7, 7
PC          69  117        48  2, 2, 2, 2, 3
NE          77   83         6  2, 3
SV          94   97         3  3
CH         118  124         6  2, 3
Slide 35
Estimate of Period
OEQOOG is probably not a coincidence
  Two character repetitions may be chance.
  Period may be 1, 2, 3, 5, 6, 10, 15, or 30
Most others (7/10) have 2 in their factors
Almost as many (6/10) have 3 in their factors.
Begin with period of $2 \times 3 = 6$.
Slide 36
Letter Coincidence
Coincidence: Picking two letters at random from a message that are identical.
Procedure
  Place one text above other.
  Count coincidences.
Coincidence probabilities for two letters:
  Random English letters: $1/26 \approx 0.0385$
  English plaintext: 0.0667
Slide 37
English Letter Frequencies
a 0.080   h 0.060   n 0.070   t 0.090
b 0.015   i 0.065   o 0.080   u 0.030
c         j 0.005   p 0.020   v 0.010
d 0.040   k 0.005   q 0.002   w 0.015
e 0.130   l 0.035   r 0.065   x 0.005
f 0.020   m 0.030   s 0.060   y 0.020
g 0.015                       z 0.002
Slide 38
Index of Coincidence
Probability that two randomly chosen letters of a ciphertext of N characters coincide.
  $F_i$ is frequency of cipher character number i
  N is the length of the ciphertext
Slide 39
Index of Coincidence
Expected IC
  Random: 0.0385
  Plaintext: 0.0667
Expected IC by period
  2: 0.052
  3: 0.047
  4: 0.045
  5: 0.044
  10: 0.041
[Figure: Index of Coincidence scale from 0.0385 to 0.0667, labelled Shorter Key and Longer Key]
Slide 40
Compute IC for Example
IC = Number of Coincidences / Number of Pairs
  $\mathrm{IC} = \dfrac{\sum_{0 \le i \le 25} n_i (n_i - 1)}{N (N - 1)}$
For our ciphertext, IC = 0.043
  Indicates a key of slightly more than 5.
  A statistical measure, so it can be in error, but it agrees with the previous estimate (which was 6).
Slide 41
Splitting Into Alphabets
Alphabet                IC
AIKHOIATTOBGEEERNEOSAI  0.069
DUKKEFUAWEMGKWDWSUFWJU  0.078
QSTIQBMAMQBWQVLKVTMTMI  0.078
YBMZOAFCOOFPHEAXPQEPOX  0.056
SOIOOGVICOVCSVASHOGCC   0.124
MXBOGKVDIGZINNVVCIJHH   0.043
Divide cipher into 6 (period) alphabets.
IC indicates single alphabet, except #4 and #6.
Slide 42
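Frequency Examination
   A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
1  3 1 0 0 4 0 1 1 3 0 1 0 0 1 3 0 0 1 1 2 0 0 0 0 0 0
2  1 0 0 2 2 2 1 0 0 1 3 0 1 0 0 0 0 0 1 0 4 0 4 0 0 0
3  1 2 0 0 0 0 0 0 2 0 1 1 4 0 0 0 4 0 1 3 0 2 1 0 0 0
4  2 1 1 0 2 2 0 1 0 0 0 0 1 0 4 3 1 0 0 0 0 0 0 2 1 1
5  1 0 5 0 0 0 2 1 2 0 0 0 0 0 5 0 0 0 3 0 0 2 0 0 0 0
6  0 1 1 1 0 0 2 2 3 1 1 0 1 2 1 0 0 0 0 0 0 3 0 1 0 1
   H M M M H M M H H M M M M H H M L H H H M L L L L L
Unshifted frequencies (H high, M medium, L low)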
Slide 43
Begin Decryption
First matches characteristics of unshifted alphabet
Third matches if I shifted to A
Sixth matches if V shifted to A
Substitute into ciphertext (bold are substitutions)
  ADIYS RIUKB OCKKL MIGHK AZOTO EIOOL IFTAG PAUEF VATAS CIITW EOCNO
  EIOOL BMTFV EGGOP CNEKI HSSEW NECSE DDAAA RWCXS ANSNP HHEUL QONOF
  EEGOS WLPCM AJEOC MIUAX
Slide 44
Look For Clues
AJE in last line suggests "are", meaning second alphabet maps A into S:
  ALIYS RICKB OCKSL MIGHS AZOTO MIOOL INTAG PACEF VATIS CIITE EOCNO
  MIOOL BUTFV EGOOP CNESI HSSEE NECSE LDAAA RECXS ANANP HHECL QONON
  EEGOS ELPCM AREOC MICAX
Slide 45
Next Alphabet
MICAX in last line suggests "mical" (a common ending for an adjective), meaning fourth alphabet maps O into A:
  ALIMS RICKP OCKSL AIGHS ANOTO MICOL INTOG PACET VATIS QIITE ECCNO
  MICOL BUTTV EGOOD CNESI VSSEE NSCSE LDOAA RECLS ANAND HHECL EONON
  ESGOS ELDCM ARECC MICAL
Slide 46
Got It!
QI means that U maps into I, as Q is always followed by U:
  ALIME RICKP ACKSL AUGHS ANATO MICAL INTOS PACET HATIS QUITE ECONO
  MICAL BUTTH EGOOD ONESI VESEE NSOSE LDOMA RECLE ANAND THECL EANON
  ESSOS ELDOM ARECO MICAL
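The whole procedure from the Kasiski test to the recovered key, as an added Python example (not part of the original slides). It checks the slides' own figures: the OPK repetition at distance 9 with candidate periods 1, 3 or 9, the IC printed for alphabets 1 and 6, and the key implied by the six letter mappings. The 30-letter `PREFIX` is assembled here from the first five letters of each alphabet on the splitting slide, and all function names are illustrative.

```python
from collections import Counter

A = ord("A")

def vigenere(text, key, decrypt=False):
    """Apply the Caesar shift named by key letter i mod period to letter i."""
    sign = -1 if decrypt else 1
    return "".join(
        chr((ord(c) - A + sign * (ord(key[i % len(key)]) - A)) % 26 + A)
        for i, c in enumerate(text)
    )

def kasiski(ciphertext, n=3):
    """Map each repeated n-gram to the distances between its occurrences."""
    last, found = {}, {}
    for i in range(len(ciphertext) - n + 1):
        gram = ciphertext[i:i + n]
        if gram in last:
            found.setdefault(gram, []).append(i - last[gram])
        last[gram] = i
    return found

def factors(n):
    """Factors of a repetition distance: the candidate periods."""
    return [d for d in range(1, n + 1) if n % d == 0]

def index_of_coincidence(text):
    """IC = sum of n_i (n_i - 1) over the letters, divided by N (N - 1)."""
    total = len(text)
    return sum(k * (k - 1) for k in Counter(text).values()) / (total * (total - 1))

def key_letter(plain, cipher):
    """Key letter implied by 'plaintext letter plain enciphers to cipher'."""
    return chr((ord(cipher) - ord(plain)) % 26 + A)

# Running example from the slides: key VIG, message THE BOY HAS THE BALL.
EXAMPLE = vigenere("THEBOYHASTHEBALL", "VIG")

# Alphabets 1 and 6 as printed on the "Splitting Into Alphabets" slide.
ALPHABET_1 = "AIKHOIATTOBGEEERNEOSAI"
ALPHABET_6 = "MXBOGKVDIGZINNVVCIJHH"

# (plaintext, ciphertext) letter pairs stated on the decryption slides, one per
# alphabet: unshifted, A into S, I shifted to A, O into A, U into I, V shifted to A.
PAIRS = [("A", "A"), ("A", "S"), ("A", "I"), ("O", "A"), ("U", "I"), ("A", "V")]
KEY = "".join(key_letter(p, c) for p, c in PAIRS)

# First five letters of each of the six alphabets, interleaved back into
# ciphertext order (assembled here from the slide's columns).
PREFIX = "ADQYSMIUSBOXKKTMIBHKIZOOOEQOOG"

if __name__ == "__main__":
    print(EXAMPLE, kasiski(EXAMPLE), factors(9))
    print(round(index_of_coincidence(ALPHABET_1), 3),
          round(index_of_coincidence(ALPHABET_6), 3))
    print(KEY, vigenere(PREFIX, KEY, decrypt=True))
```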
Slide 47
Rotor Machines
Observation: If Vigenère key is very long, frequency analysis won't work.
Implement: multiple rounds of Vigenère substitution.
  Machine contains multiple cylinders.
  Each cylinder has 26 states (ciphers).
  Cylinders rotate to change states on different schedules.
m-cylinder machine has $26^m$ substitution ciphers.
Slide 48
Enigma Machine
3 rotors: 17576 substitutions.
3 rotors can be used in any order: 6 combinations.
  Some machines had up to 8 rotors
Plug board: 6 pairs of letters can be swapped.
Total keys ~ $10^{16}$
Slide 49
One-Time Pad
A Vigenère cipher with a random key at least as long as the message.
  Provably unbreakable.
Example ciphertext: DXQR. Equally likely to correspond to
  plaintext DOIT (key AJIY)
  plaintext DONT (key AJDY)
  and any other 4 letters.
Slide 50
One-Time Pad
Warning: keys must be random, or you can attack the cipher by trying to regenerate the key.
Approximations, such as using pseudorandom number generators to generate keys, are not random.
Slide 51
Block Ciphers
Encrypt groups (blocks) of chars at once.
Improvement over single char substitution
  Cryptanalysis must use digraph frequencies for two-char blocks.
  Longer blocks are more difficult to analyze.
  Modern ciphers are block ciphers.
Example: Playfair Cipher, 1854
Slide 52
Playfair Cipher
Create 5x5 table
  Fill in spaces with letters of key, dropping duplicate letters.
  Fill remaining spaces with unused letters of alphabet in order
  Drop Q or I = J
    P   L A Y F
    I|J R E X M
    B   C D G H
    K   N O Q S
    T   U V W Z
[Figure: Charles Wheatstone]
Slide 53
Playfair Cipher Encryption Algorithm
1. If letters of pair are identical (or only one letter remains), add an X after first letter.
2. If two letters are in same row or column, replace them with the succeeding letters.
3. Otherwise, two letters form a rectangle, and we replace them with letters on the same row respectively at the other pair of corners.
Slide 54
Playfair Cipher Example
Plaintext is HELLO WORLD
  Pair HE is rectangle, replace with DM
  Pair LX (X inserted) is rectangle, replace with YR
  Pair LO is rectangle, replace with AN
  Pair WO is rectangle, replace with VQ
  Pair RL is in column, replace with CR
  Pair DX is rectangle, replace with GE
Ciphertext is DMYRANVQCRGE
    P   L A Y F
    I|J R E X M
    B   C D G H
    K   N O Q S
    T   U V W Z
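The table construction and the three encryption rules applied to the slides' HELLO WORLD example, as an added Python example (not part of the original slides). The key phrase `PLAYFAIR EXAMPLE` is an assumption, chosen because it reproduces the table shown; the function names are illustrative.

```python
ALPHABET = "ABCDEFGHIKLMNOPQRSTUVWXYZ"  # 25 letters: J is folded into I

def clean(text):
    """Uppercase letters only, with J written as I."""
    return [("I" if c == "J" else c) for c in text.upper() if c.isalpha()]

def build_table(key):
    """Key letters first (duplicates dropped), then unused letters in order."""
    cells = list(dict.fromkeys(clean(key) + list(ALPHABET)))
    return ["".join(cells[r * 5:r * 5 + 5]) for r in range(5)]

def digraphs(plaintext):
    """Step 1: pair up letters, adding X after the first letter of a doubled
    pair and after a final lone letter."""
    letters, pairs, i = clean(plaintext), [], 0
    while i < len(letters):
        a = letters[i]
        b = letters[i + 1] if i + 1 < len(letters) else "X"
        if a == b:
            b, i = "X", i + 1   # the second letter starts the next pair
        else:
            i += 2
        pairs.append(a + b)
    return pairs

def transform(pairs, table, step):
    """Steps 2 and 3; step=+1 enciphers, step=-1 deciphers."""
    pos = {ch: (r, c) for r, row in enumerate(table) for c, ch in enumerate(row)}
    out = []
    for a, b in pairs:
        (ra, ca), (rb, cb) = pos[a], pos[b]
        if ra == rb:        # same row: succeeding letters to the right, wrapping
            out.append(table[ra][(ca + step) % 5] + table[rb][(cb + step) % 5])
        elif ca == cb:      # same column: succeeding letters below, wrapping
            out.append(table[(ra + step) % 5][ca] + table[(rb + step) % 5][cb])
        else:               # rectangle: same row, other pair of corners
            out.append(table[ra][cb] + table[rb][ca])
    return "".join(out)

def encrypt(plaintext, table):
    return transform(digraphs(plaintext), table, +1)

def decrypt(ciphertext, table):
    letters = clean(ciphertext)
    pairs = ["".join(letters[i:i + 2]) for i in range(0, len(letters), 2)]
    return transform(pairs, table, -1)

# Assumed key phrase; the slides show only the filled-in table.
TABLE = build_table("PLAYFAIR EXAMPLE")

if __name__ == "__main__":
    print(TABLE)
    print(digraphs("HELLO WORLD"), encrypt("HELLO WORLD", TABLE))
    print(decrypt("DMYRANVQCRGE", TABLE))
```

Decryption returns the padded digraph text (inserted X letters included), which the receiver strips by reading.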
Slide 55
Transposition Cipher Cryptanalysis
Anagramming
  If 1-gram frequencies match English frequencies, but other n-gram frequencies do not, then message likely ciphered via transposition.
  Rearrange letters to form n-grams with highest frequencies.
Slide 56
Cryptanalysis Example
Ciphertext: HLOOLELWRD
Frequencies of 2-grams beginning with H
  HE 0.0305
  HO 0.0043
  HL, HW, HR, HD < 0.0010
Frequencies of 2-grams ending in H
  WH 0.0026
  EH, LH, OH, RH, DH 0.0002
Implies E follows H
Slide 57
Cryptanalysis Example
Arrange so the H and E are adjacent
  HE
  LL
  OW
  OR
  LD
Read across, then down, to recover plaintext.
Slide 58
SP-Networks
Combine Substitution+Permutation (transposition)
  Confusion: adding unknown key values will confuse attacker about value of plaintext symbol.
  Diffusion: Spread plaintext data throughout ciphertext.
Designing for Security
  Block Size
  Number of Rounds
    Each input bit is XOR of several output bits from previous round.
  Choice of S-boxes
Slide 59
Overview of the DES
Block cipher: encrypts blocks of 64 bits
56-bit key + 8 parity bits
Product cipher
  substitution + transposition
16 rounds (iterations) of encryption
  round key generated from user key
Slide 60
Encipherment
Split 64-bit block
  $L_0$ = init left half
  $R_0$ = init right half
Encrypt with
  f = round fn
  $K_1$ = round 1 key
Join L + R halves
  $L_{16}$ = round 16 left half
  $R_{16}$ = round 16 right half
Slide 61
The f Function
Each round has effect:
  $L_i = R_{i-1}$
  $R_i = L_{i-1} \oplus f(R_{i-1}, K_i)$
Slide 62
Controversy
Considered too weak
  Diffie, Hellman said in a few years technology would allow DES to be broken in days (1976).
  EFF built Deep Crack in 1998 for $250,000. Brute forced DES in 56 hours.
  2008 RIVYERA averages under 1 day, costs under $10,000.
Design decisions not public
  NSA involved in weakening cipher. 128-bit key reduced to 56 bits.
  S-boxes may have backdoors.
Slide 63
Differential Cryptanalysis
A chosen ciphertext attack
  Biham and Shamir (1990)
  Examines pairs of plaintext with particular diffs.
  Requires $2^{47}$ plaintext, ciphertext pairs.
  Only $2^{14}$ pairs required with 8 round DES.
Revealed several properties
  S-box designed to resist differential cryptanalysis.
  IBM revealed knowledge of technique at design time.
Linear cryptanalysis improves result
  Linear approximation of DES.
  Requires $2^{43}$ plaintext, ciphertext pairs.
  DES not designed to resist this technique.
Slide 64
DES Modes
Electronic Code Book Mode (ECB)
  Encipher each block independently.
  64-bit blocks = 8 characters will be repeated.
  Attacker can build dictionary of blocks.
Cipher Block Chaining Mode (CBC)
  XOR each block with previous ciphertext block.
  Requires an initialization vector for the first one.
Triple DES: Encrypt-Decrypt-Encrypt Mode (3 keys: k, k', k'')
  $c = \mathrm{DES}_k(\mathrm{DES}_{k'}^{-1}(\mathrm{DES}_{k''}(m)))$
  Middle decrypt allows backward compatibility if k = k' = k''
  Double-encryption vulnerable to meet-in-middle attack, reducing difficulty from $2^{112}$ to $2^{57}$.
Slide 65
CBC Mode Encryption
[Figure: CBC mode encryption, with labels init. vector, m1, m2, DES, c1, c2, sent]
Self-Healing Property
Plaintext heals after 2 blocks.
  i.e., if ciphertext altered, error propagated 2 blocks.
Initial message
  3231343336353837 3231343336353837 3231343336353837 3231343336353837
Received as (underlined 4c should be 4b)
  ef7c4cb2b4ce6f3b f6266e3a97af0e2c 746ab9a6308f4256 33e60b451b09603d
Which decrypts to
  efca61e19f4836f1 3231333336353837 3231343336353837 3231343336353837
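ECB block repetition and the CBC self-healing property, shown with an added Python example (not part of the original slides). The block cipher is a toy 16-round Feistel network with a hash-based round function and key schedule, not DES, so the ciphertext bytes differ from the slide's; the key and IV are constructed, while the message and the 4b/4c byte difference are taken from the slide.

```python
import hashlib

BLOCK = 8  # bytes: 64-bit blocks, as in DES

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def round_keys(key, rounds=16):
    """Toy key schedule (hash of key and round number); not the DES schedule."""
    return [hashlib.sha256(key + bytes([i])).digest() for i in range(rounds)]

def f(right, round_key):
    """Toy round function standing in for DES's f (no S-boxes here)."""
    return hashlib.sha256(round_key + right).digest()[:BLOCK // 2]

def feistel(block, key, decrypt=False):
    """Each round: L_i = R_{i-1}, R_i = L_{i-1} XOR f(R_{i-1}, K_i)."""
    keys = round_keys(key)[::-1] if decrypt else round_keys(key)
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for k in keys:
        left, right = right, xor(left, f(right, k))
    return right + left  # final swap lets decryption reuse the same loop

def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(msg, key):
    return b"".join(feistel(b, key) for b in blocks(msg))

def cbc_encrypt(msg, key, iv):
    out, prev = [], iv
    for b in blocks(msg):
        prev = feistel(xor(b, prev), key)  # chain in previous ciphertext block
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(ct, key, iv):
    out, prev = [], iv
    for c in blocks(ct):
        out.append(xor(feistel(c, key, decrypt=True), prev))
        prev = c
    return b"".join(out)

# The slide's message (four identical blocks); key and IV are constructed.
MSG = bytes.fromhex("3231343336353837") * 4
KEY, IV = b"demo-key", bytes(BLOCK)

def decrypt_after_corruption():
    """Alter byte 2 of ciphertext block 1 by the slide's 4b/4c difference."""
    ct = bytearray(cbc_encrypt(MSG, KEY, IV))
    ct[2] ^= 0x4B ^ 0x4C
    return [b.hex() for b in blocks(cbc_decrypt(bytes(ct), KEY, IV))]

if __name__ == "__main__":
    print(len(set(blocks(ecb_encrypt(MSG, KEY)))), "distinct ECB block(s)")
    print(len(set(blocks(cbc_encrypt(MSG, KEY, IV)))), "distinct CBC blocks")
    print(decrypt_after_corruption())
```

The first decrypted block is garbled, the second differs from the original only in the altered byte position, and the third and fourth are intact, which is the pattern the slide shows.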
Slide 68
Current Status of DES
Design for computer system, associated software that could break any DES-enciphered message in a few days published in 1998.
Several challenges to break DES messages solved using distributed computing.
NIST selected Rijndael as Advanced Encryption Standard, replacement to DES in October 2000.
  Rijndael winner of 3-year competition of 15 ciphers.
  DES too easily crackable.
  Triple DES too slow.
Slide 69
Advanced Encryption Standard
Block size is 128 bits
Variable key size
  128, 192, and 256 bits
  10, 12, and 14 rounds
Known attacks
  Only vulnerable to attacks on a reduced # of rounds.
Slide 70
Key Points
Cryptography is the art of securing messages.
Types of ciphers
  Substitution (monoalphabetic and polyalphabetic)
  Transposition (permutation)
  Product
Cryptanalysis
  Language features can be used to break ciphers.
  Frequency analysis: Kasiski test, Index of Coincidence.
Block ciphers
  ECB mode insecure; need to use CBC for block ciphers
  DES obsolete due to small 56-bit keys. 3DES=112 bit key.
  AES current standard with 128, 192, and 256 bit keys.