Algorithms and Data Structures - Cryptography - BFH-TI Staff - Berner

Algorithms and Data Structures - Cryptography - BFH-TI Staff - Berner

Cryptography Page 1 BFH-TI: Softwareschule Schweiz Algorithms and Data Structures Cryptography Dr. Rolf Haenni CAS SD01 Berner Fachhochschule Tech...

953KB Sizes 0 Downloads 2 Views

Recommend Documents

CSE 373: Data Structures & Algorithms Finish Sor,ng; Induc,on
Quiz scores (0-‐5 possible):. CJ Cregg – 5. Donna Moss – 5. Jed Bartlet – 4. Josh Lyman – 4. Leo McGarry – 5

Algebraic Structures and Algorithms for Matching and - Mathematics
Algebraic Structures and Algorithms for Matching and Matroid Problems. Nicholas J. A. Harvey. ∗. Massachusetts Institu

CS 302 Data Structures
She would like to use her new computer to keep track of the jobs she schedules for the magicians she manages, so she hir

Cryptography
years of analysis by the best cryptographers around.” –Bruce Schneier. • Snake oil: https://www.schneier.com/crypt

Creating Staff Data Extract for Staff UID
Creating Staff Data Extract for Staff UID. Last Updated 7/12/2010. Overview. This document contains instructions to crea

Interleaving Cryptography and Mechanism Design
Princeton University and Helsinki University of Technology. FC 2004, 03.12.2003. Interleaving Cryptography and Mechanism

Cryptography and Mechanism Design - TARK
Mechanism Design is the algorithmic component of Game Theory, the synthesis of ... The goal is to design a protocol wher

Data Mining Algorithms for Graph, Text, and - IIITDM Jabalpur
About GIAN. A new program titled “Global Initiative of Academic. Networks (GIAN)” was initiated by Govt. of India in

Bad Cryptography
The module has been independently reviewed and tested to comply with FIPS 140. • The module meets all the requirements

Algorithms and Urbanisms: SimCity
algorithms built into SimCity and how they impact a general understanding of the design and function of cities. This cou

Cryptography

Page 1

BFH-TI: Softwareschule Schweiz

Algorithms and Data Structures Cryptography Dr. Rolf Haenni CAS SD01

Berner Fachhochschule Technik und Informatik

Rolf Haenni Algorithms and Data Structures

Cryptography

Page 2

Outline

Introduction Symmetric Cryptography Asymmetric Cryptography RSA

Berner Fachhochschule Technik und Informatik

Rolf Haenni Algorithms and Data Structures

Introduction

Cryptography

Page 3

Outline

Introduction Symmetric Cryptography Asymmetric Cryptography RSA

Berner Fachhochschule Technik und Informatik

Rolf Haenni Algorithms and Data Structures

Introduction

Cryptography

Page 4

What is Cryptography? I

Traditionally, cryptography is the practice and study of hiding written information (not its existence) Ý Kryptos: hidden (Greek) Ý Graphein: write (Greek)

I

On the other side, cryptanalysis is the study of methods for obtaining the meaning of encrypted information

I

Cryptology = cryptography + cryptanalysis

I

Historically, cryptography was mainly motivated by military and diplomatic applications (dating back to the ancient Greek)

I

Today, cryptography is a broad branch of both mathematics and computer science and is widely applied in modern IT and communications technologies Berner Fachhochschule Technik und Informatik

Rolf Haenni Algorithms and Data Structures

Introduction

Cryptography

Berner Fachhochschule Technik und Informatik

Page 5

Rolf Haenni Algorithms and Data Structures

Introduction

Cryptography

Page 6

Cryptographic Terminology Alphabet A set of characters, e.g. {A, . . . , Z } or {0, 1} Plaintext The original message to be transmitted, represented as a string of characters from a given alphabet Ciphertext The message after making its content unreadable Encryption The process of producing ciphertext from plaintext Decryption The reverse process of producing plaintext from ciphertext Cipher A pair of algorithms for encryption and decryption Key A parameter that determines the functional output of a cipher (usually a string of 56–2048 random bits) Cryptosystem A system consisting of a cipher, a key generation algorithm, and other cryptographic primitives Berner Fachhochschule Technik und Informatik

Rolf Haenni Algorithms and Data Structures

Introduction

Cryptography

Page 7

Basic Communication Model Entity A person, organization, . . . , which sends, receives, or manipulates information Sender The entity from which a transmitted message originates (often called Alice) Recipient The entity towards which a transmitted message is addressed (often called Bob) Opponent An entity which attacks the security of a transmitted message (often called Oscar or Eve) Trusted Third Party A neutral entity which appears to be trustworthy for both the sender and recipient Channel Medium for transmitting a message between the sender and recipient (unsecure, secure, secured) Berner Fachhochschule Technik und Informatik

Rolf Haenni Algorithms and Data Structures

Introduction

Cryptography

Page 8

Basic Communication Model (cont.)

Opponent

plaintext

Sender

key

Berner Fachhochschule Technik und Informatik

ciphertext

Recipient

plaintext

key

Rolf Haenni Algorithms and Data Structures

Introduction

Cryptography

Page 9

Information Security To protect sensitive information, the principal four goals to achieve are the following: Confidentiality The content of a message is not disclosed to unauthorized entities Integrity The content of a message can not be modified by an unauthorized entity Authenticity The sender (and the recipient) are who they claim they are Non-Repudiation The sender (and the recipient) of a message can not deny the transmission

Berner Fachhochschule Technik und Informatik

Rolf Haenni Algorithms and Data Structures

Introduction

Cryptography

Page 10

Brute-Force-Attack I

In a brute-force attack, the opponent tries all possible keys Key Length 16 bits 32 bits 56 bits 64 bits 128 bits 256 bits 512 bits 1024 bits

Number of Keys 216 = 65536 232 = 4.3∗109 256 = 7.2∗1016 264 = 1.8∗1019 2128 = 3.4∗1038 2256 = 1.2∗1077 2512 = 1.3∗10154 21024 = 1.7∗10308

106 Keys/s 32.7 ms 35.8 min. 1142 years 292353 years 5.4∗1024 years 3.5∗1063 years 2.1∗10142 years 2.7∗10296 years

106 Keys/µs 32.7 µs 2.2 ms 10.1 hours 107 days 5.4∗1018 years 3.5∗1057 years 2.1∗10136 years 2.7∗10290 years

I

Number of particles in the universe: 4∗1078 − 6∗1079

I

Age of the universe: 13.7∗109 years Berner Fachhochschule Technik und Informatik

Rolf Haenni Algorithms and Data Structures

Symmetric Cryptography

Cryptography

Page 11

Outline

Introduction Symmetric Cryptography Asymmetric Cryptography RSA

Berner Fachhochschule Technik und Informatik

Rolf Haenni Algorithms and Data Structures

Symmetric Cryptography

Cryptography

Page 12

Symmetric Cryptosystems I

In a symmetric cryptosystem, the sender and receiver share the same secret key k

I

All classical ciphers (from the ancient Greek until 1976) are symmetric

I

The problem of using a symmetric cipher is to exchange the secret key

I

Traditionally, secret keys were exchanged over secure channels, e.g. personally or by a trustworthy messenger

I

In modern cryptography, secret keys are exchanged over secured channels (using asymmetric cryptosystems)

I

A symmetric cryptosystem achieves confidentiality, integrity, and authenticity (but not non-repudiation) Berner Fachhochschule Technik und Informatik

Rolf Haenni Algorithms and Data Structures

Symmetric Cryptography

Cryptography

Page 13

AES I

AES (Advanced Encryption Standard) is the best symmetric cipher today Ý Ý Ý Ý

I

Winner of a world-wide competition in 2001 Successor of DES (Data Encryption Standard) since 2002 Key length: 128, 192, or 256 bits (DES: 56 Bits) Fast in both software and hardware

AES is a block cipher (not a bit-by-bit stream cipher) Ý The bit string message is split into blocks of size n = 128 bits Ý In principle, each block is encrypted independently Ý To avoid equal ciphertext blocks, there are several modes of operation (EBC, CBC, CFB, etc.) to link the result from encrypting one block with the encryption of another

I

AES performs a series of substitutions and permutations Berner Fachhochschule Technik und Informatik

Rolf Haenni Algorithms and Data Structures

Symmetric Cryptography

Cryptography

Page 14

Substitution Cipher I

A substitution cipher replaces each character (or a group of characters) of a plaintext block by another one

I

Example: Caesar’s Cipher abcdefghij k l m n o p q r s t u v w x y z ↓↓↓↓↓↓↓↓↓↓ ↓ ↓ ↓ ↓ ↓ ↓ ↓ ↓ ↓ ↓ ↓ ↓ ↓ ↓ ↓ ↓ 0 1 2 3 4 5 6 7 8 9 10 10 12 13 14 15 16 17 18 19 20 21 22 23 24 25 Ý Ý Ý Ý Ý

I

Plaintext: m = [M0 M1 · · · Mn−1 ], Mi ∈ {0, . . . , 25} Ciphertext: c = [C0 C1 · · · Cn−1 ], Ci ∈ {0, . . . , 25} Key: k ∈ {0, . . . , 25} Encryption: Ci = Ek (Mi ) = Mi + k mod 26 Decryption: Mi = Dk (Ci ) = Ci − k mod 26

AES substitutes groups of 8 bits (1 byte) Berner Fachhochschule Technik und Informatik

Rolf Haenni Algorithms and Data Structures

Symmetric Cryptography

Cryptography

Page 15

Permutation Cipher I

I

A permutation cipher changes the order of the characters in the block Example: Shift Cipher Ý Each character in a plaintext block is shifted to the left by k positions (in a circular fashion) Ý Plaintext: m = [M0 M1 · · · Mn−1 ] Ý Ciphertext: c = [C0 C1 · · · Cn−1 ] Ý Key: k ∈ {0, . . . , n − 1} Ý Encryption: c = Ek (m) = [M0+k mod n · · · Mn−1+k mod n ] Ý Decryption: m = Dk (c) = [C0−k mod n · · · Cn−1−k mod n ]

I

In AES, each 128-bits block is divided into 4 words of size 32, which are individually shifted to the left by 0, 8, 16, or 24 bits, respectively Berner Fachhochschule Technik und Informatik

Rolf Haenni Algorithms and Data Structures

Symmetric Cryptography

Cryptography

Page 16

Product Cipher I

If the amount of ciphertext is large enough, pure substitution or permutation ciphers are easy to decrypt with a frequency analysis (even if the key space is too large for a brute-force attack)

I

The frequencies of the characters in the ciphertext are compared with their frequencies in plaintext samples

I

To prevent a frquency analysis, substitutions (S-boxes) and permutations (P-boxes) are repeatedly applied in r rounds

I

Such ciphers are called product ciphers or SP-networks

I

AES has 10 rounds for 128-bit keys, 12 rounds for 192-bit keys, and 14 rounds for 256-bit keys

Berner Fachhochschule Technik und Informatik

Rolf Haenni Algorithms and Data Structures

Symmetric Cryptography

Cryptography

Page 17

Frequency Analysis Example: Frequencies of letters in plain English 14 12.7

12

10 9.1 8.2

8

7.5 7.0

6.7

6.1

6.0

6 4.3

4.0

4 2.8

2.8

2.4

2.2 2.0

2

6.3

2.4

1.9

1.5

2.0

1.0

0.8 0.2

0.2

0.1

0.1

0 A

B

C

D

E

F

G

Berner Fachhochschule Technik und Informatik

H

I

J

K

L

M

N

O

P

Q

R

S

T

U

V

W

X

Y

Z

Rolf Haenni Algorithms and Data Structures

Asymmetric Cryptography

Cryptography

Page 18

Outline

Introduction Symmetric Cryptography Asymmetric Cryptography RSA

Berner Fachhochschule Technik und Informatik

Rolf Haenni Algorithms and Data Structures

Asymmetric Cryptography

Cryptography

Page 19

Asymmetric Cryptosystems I

In a asymmetric cryptosystem, each entity possesses two keys Ý Private key e (kept secretly) Ý Public key d (distributed publicly)

I

No secure channel is needed to distribute the public key!

I

Alice encrypts the plaintext m with the public key eB of Bob: c = EeB (m)

I

Bob uses his private key dB to decrypt the ciphertext c: m = DdB (c) = DdB (EeB (m))

I

Asymmetric encryption achieves confidentiality only

Berner Fachhochschule Technik und Informatik

Rolf Haenni Algorithms and Data Structures

Asymmetric Cryptography

Cryptography

Page 20

Man-in-the-Middle Attack I

Asymmetric cryptosystems facilitate but do not entirely solve the key exchange problem

I

The remaining problem is to know whether a given public key belongs to the entity who claims to own it

I

An opponent can thus distribute faked public keys in the name of other entities In a Man-in-the-Middle Attack, the opponent Oscar sends faked public keys to Alice and the Bob

I

Ý Alice thinks Oscar is Bob and sends him an encrypted message Ý Oscar decrypts Alice’s message and sends it encrypted to Bob Ý Vice versa I

The key authentication problem is solved with certificates

Berner Fachhochschule Technik und Informatik

Rolf Haenni Algorithms and Data Structures

Asymmetric Cryptography

Cryptography

Page 21

Hybrid Cryptosystems I I

All known asymmetric cryptosystems are relatively inefficient A hybrid cryptosystem combines the flexibility of asymmetric with the efficiency of symmetric cryptosystems Ý Ý Ý Ý Ý

Alice encrypts m symmetrically with a secret key k The secret key k is ecrypted with Bob’s public key eB Ek (m) and EeB (k) are transmitted over an insecure channel Bob uses his private key dB to decrypt k = DdB (EeB (k)) The secret key k is used to decrypt m = Dk (Ek (m))

I

In other words, the secret key k is exchanged over a secured channel

I

Most cryptographic applications today use hybrid systems

Berner Fachhochschule Technik und Informatik

Rolf Haenni Algorithms and Data Structures

Asymmetric Cryptography

Cryptography

Page 22

Hybrid Cryptosystem Bob

Alice AEeB

k

ADdB k

m

SE

||

I

SE/SD: Symmetric encryption/decrpytion

I

AE/AD: Asymmetric encryption/decrpytion

Berner Fachhochschule Technik und Informatik

SD

m

Rolf Haenni Algorithms and Data Structures

Asymmetric Cryptography

Cryptography

Page 23

Digital Signatures I

Asymmetric cryptosystems can also be used to generate digital signatures Ý Ý Ý Ý Ý

Alice generates a hash code h = h(m) of the message m h is encrypted with Alice’s private key dA to get s = EdA (h) m together with its signature s is sent to Bob Bob decrypts h = DeA (s) with Alice’s public key eA Bob computes h(m) and compares it with h

I

With digital signatures, we can achieve integrity, authenticity, and non-repudiation

I

Combined with asymmetric encryption/decryption, all four security requirements are achieved

Berner Fachhochschule Technik und Informatik

Rolf Haenni Algorithms and Data Structures

Asymmetric Cryptography

Cryptography

Page 24

Digital Signature

Alice

Bob

m

h

||

m

h

AEdA

ADeA

? =

Berner Fachhochschule Technik und Informatik

Rolf Haenni Algorithms and Data Structures

Asymmetric Cryptography

Cryptography

Page 25

Hybrid Cryptosystem with Digital Signature

Alice

Bob AEeB

k

ADdB k

m

SE

||

h

AEdA

Berner Fachhochschule Technik und Informatik

||

SD

m

h

ADeA

? =

Rolf Haenni Algorithms and Data Structures

RSA

Cryptography

Page 26

Outline

Introduction Symmetric Cryptography Asymmetric Cryptography RSA

Berner Fachhochschule Technik und Informatik

Rolf Haenni Algorithms and Data Structures

RSA

Cryptography

Page 27

RSA I

I

The first asymmetric cryptosystem was discovered in 1977 by Rivest, Shamir, and Adleman (RSA) The method is based on number theory Ý Prime numbers: 2, 3, 5, 7, 11, 13, 17, . . . Ý Greatest common divisor: gcd(x, y ), e.g. gcd(14, 42) = 7 Ý Euler function:  if x = 1, 1   x − 1, if x is prime ϕ(x) = z−1  (y − 1) ∗ y , if x = y z and y is prime    ϕ(y ) ∗ ϕ(z), if x = y ∗ z and gcd(y , z) = 1 x 1 2 3 4 5 6 7 8 9 10 11 12 13 14 · · · ϕ(x) 1 1 2 2 4 2 6 4 6 4 10 4 12 6 . . .

Berner Fachhochschule Technik und Informatik

Rolf Haenni Algorithms and Data Structures

RSA

Cryptography

Page 28

RSA Key Generation I

Choose N = p ∗ q, such that p and q are prime

I

Compute ϕ(N) = (p − 1)(q − 1)

I

Public key: choose 1 < e < ϕ(N) such that gcd(e, ϕ(N)) = 1 Private key: compute d such that e ∗ d mod ϕ(N) = 1

I

Ý Modular multiplicative inverse I

Example: Ý Ý Ý Ý Ý

p = 3, q = 11 N = 3 ∗ 11 = 33 ϕ(22) = 2 ∗ 10 = 20 e = 3, which satifies gcd(3, 20) = 1 d = 7, which satisfies 3 ∗ 7 mod 20 = 1

Berner Fachhochschule Technik und Informatik

Rolf Haenni Algorithms and Data Structures

RSA

Cryptography

Page 29

RSA Encryption and Decryption I

Split plaintext into blocks m of length n = blog Nc bits

I

Interpret each block as a number m < N

I

Encryption: c = Ee (m) = me mod N

I

Decryption: m = Dd (c) = c d mod N

I

Proof . . .

I

Example: e = 3, d = 7, N = 33 Ý Ý Ý Ý

n = blog 33c = 5 m = [00110] = 6 c = 63 mod 33 = 216 mod 33 = 18 = [10010] m = 187 mod 33 = 6120 2200 032 mod 33 = 6

Berner Fachhochschule Technik und Informatik

Rolf Haenni Algorithms and Data Structures

RSA

Cryptography

Page 30

Attacking RSA I

To attack an RSA-encrypted ciphertext c, we need to infer d from e and N

I

For this, we need to know ϕ(N) = (p − 1)(q − 1)

I

For this, we need to infer p and q from N = p ∗ q In other words, we need to recover the prime factors of N

I

Ý Easy for small numbers Ý Difficult for large numbers Ý Practically impossible for very large numbers I

The RSA key length is usually 512, 1024, or 2048 bits

I

The factorization problem is widely believed to be unfeasible, but this is still unproven

Berner Fachhochschule Technik und Informatik

Rolf Haenni Algorithms and Data Structures

RSA

Cryptography

Page 31

RSA Algorithms I

To implement RSA, we need efficient algorithms to perform the following tasks with very large number: Ý Ý Ý Ý Ý

Generate prime numbers at random (see §10.1.6) Integer multiplication (see §10.4.4) Greatest common divisor (see §10.1.2) Modular multiplicative inverse (see §10.1.5) Modular exponentiation (see §10.1.4)

I

Prime numbers are generated by generating random numbers and testing them for primality

I

The best known primality test runs in O(log6+ n) time, which is very slow if n is large (polynomial in the number of bits)

I

There are various efficient probabilistic primality tests, which have error probabilities that converge quickly towards 0 Berner Fachhochschule Technik und Informatik

Rolf Haenni Algorithms and Data Structures

RSA

Cryptography

Page 32

Euclid’s Algorithm I

The greatest common divisor is efficiently computed by Euclid’s algorithm: ( x, if y = 0 gcd(x, y ) = gcd(y , x mod y ), otherwise

I

Example: gcd(108, 44) = gcd(44, 20) = gcd(20, 4) = gcd(4, 0) = 4

I

Runs in O(log max(x, y )) time, i.e. linear in the number of bits

I

There is a variation called binary Euclid’s algorithm, in which the modulo operator is replaced by divisions by 2 (right-shift)

I

Another variation called extended Euclid’s algorithm computes modular multiplicative inverses Berner Fachhochschule Technik und Informatik

Rolf Haenni Algorithms and Data Structures

RSA

Cryptography

Page 33

Repeated Squaring Algorithm I

I

The modular exponentiation is efficiently repeated squaring  algorithm: x,  y x mod n = (x y /2 mod n)2 mod n,   x ∗ (x y −1 mod n) mod n, Example:

computed with the if y = 1 if y is even if y is odd

187 mod 33 = 18 ∗ (186 mod 33) mod 33 = 18 ∗ ((183 mod 33)2 mod 33) mod 33 = 18 ∗ ((18 ∗ (182 mod 33) mod 33)2 mod 33) mod 33 = 18 ∗ ((18 ∗ ((18 mod 33)2 mod 33) mod 33)2 mod 33) mod 33 = ··· = 6 I

Runs in O(log y ) time, i.e. linear in the number of bits Berner Fachhochschule Technik und Informatik

Rolf Haenni Algorithms and Data Structures