
4fcf8796ce7b511bf220fb5316123845.ppt
- Number of slides: 46
Cryptography
History & Puzzles
- Substitution Ciphers
- The birth of Cryptanalysis
Modern Times
- DES
- Diffie-Hellman key exchange
- RSA
- PGP
Contentious Issues
Reading:
- "Applied Cryptography", Bruce Schneier
- "Cracking DES", Electronic Frontier Foundation
- "The Code Book", Simon Singh
Cryptography
The Basic Idea: plaintext + key -> algorithm -> ciphertext
Two approaches:
1) Make the algorithm secret and don't use a key. Bad idea.
2) Make the algorithm public but keep the key secret. Good idea.
(Bmp example shown as a figure on the slide.)
Before Computers
Substitution ciphers ruled:
Caesar (shift by N): 26 possibilities, easy to decode
  plaintext:  A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
  ciphertext: D E F G H I J K L M N O P Q R S T U V W X Y Z A B C   (shift by 3)
Key phrase: lots of possibilities, a bit harder to decode
  plaintext:  A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
  ciphertext: B U S H A N D G O R E F I J K L M P Q T V W X Y Z C
Random mapping: 4 x 10^26 possibilities, harder to decode
  plaintext:  A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
  ciphertext: N D T V G K L M R E P O F I J Q U S W X B H A Y Z C
Before Computers
Cryptanalysis: first known publication: "A Manuscript on Deciphering Cryptographic Messages" by the ninth-century Arab scholar Abu Yusuf Ya'qub ibn Is-haq ibn as-Sabbah ibn 'Omran ibn Ismail al-Kindi.
Statistical "frequency analysis" of letters and words can easily break any mono-alphabetic substitution cipher.
In English:
  most common letters: E, T, A, O, I, N, S, …
  most common two-letter words: ON, AS, TO, AT, IT, …
  most common three-letter words: THE, AND, FOR, WAS, …
Worked example: breaking a mono-alphabetic substitution cipher
Ciphertext:
ORITFSIMU YKFMUNM WIUNIS UEI HFKK RIMIXFMD UEI PVUENRFUA NC UEI MPUFNM'T FMUIKKFDIMYI PDIMYFIT HIYPVTI FU YNMUPFMT XEPU EI YPKKIS P ORNWFTFNM UEPU XNVKS LPJI FU P YRFLI CNR P DNWIRMLIMU NCCFYFPK UN SFTYKNTI YKPTTFCFIS FMCNRLPUFNM.
Substitutions found step by step (on the slides, letters not yet known are shown as "-"):
  U=t E=h I=e   (the frequent three-letter word UEI is "the")
  P=a           (the one-letter word P is "a")
  F=i N=o
  C=f R=r
  Y=c K=l V=u A=y
  O=p T=s S=d M=n L=m
  W=v H=b D=g X=w J=k
Plaintext:
president clinton vetoed the bill renewing the authority of the nation's intelligence agencies because it contains what he called a provision that would make it a crime for a government official to disclose classified information.
There are patches to try to increase the security of the mono-alphabetic substitution cipher:
- Eliminate spaces
- Use many-to-one mappings that level the frequencies
- Lots of other clever ideas…
Still very weak! Clever cryptanalysts knew how to beat them all hundreds of years ago!!
Polyalphabetic substitution ciphers provided the next big step. (Worked OK until the dawn of modern computers.)
Idea: use many different substitution alphabets; different ones for different letters.
Vigenere square (1586)
A 26 x 26 table, one row per key letter a..z; row k holds the alphabet shifted by the position of k (a = 0, b = 1, …, z = 25). The ciphertext letter is read off at the row of the key letter and the column of the plaintext letter.
  Keyword    VOTEVOTEVOTE…
  Plaintext  ihavethreestinkydogs…
  Ciphertext DVTZZHAVZSLXDBDCYCZW…
Immune to frequency analysis!
This can still be cryptanalyzed:
- it is just N mono-alphabetic substitution ciphers (N is the length of the key)
- so, just solve the N mono-alphabetic problems as before
  Keyword    VOTEVOTEVOTE…
  Plaintext  ihavethreestinkydogs…
  Ciphertext DVTZZHAVZSLXDBDCYCZW…
Taking every 4th letter: DZZDY…  VHSBC…  TALDZ…  ZVXCW…
Do frequency analysis on these separately.
OK, so make the key longer. Make it as long as the message!
  Keyword    VOTINGISIMPORTANTFOR…
  Plaintext  ihavethreestinkydogs…
  Ciphertext DVTDRZPJMQPHAGKLWTUJ…
If there are patterns in the key (for example, words), the message can still be decrypted with a bit of work.
Enigma: repeated after 26^3 = 17,576 letters. Successfully broken by Rejewski, Turing et al. (a lot of work… protocol important).
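As an added example (not from the original slides), the Python below implements the Vigenere square as a shift, splits a ciphertext into the N interleaved Caesar streams of slide 12, and solves each stream with a chi-squared comparison against English letter frequencies, which is the "frequency analysis on these separately" step carried through. The English frequency table is the standard reference one typed in by hand; the long sample text is assembled from English sentences on the slides, because the 20-letter example is too short for statistics.

```python
from collections import Counter
from string import ascii_uppercase as ALPHA

# Typical English single-letter frequencies in percent (standard reference
# values); only the shape of the histogram matters for the test below.
ENGLISH_PCT = {
    "A": 8.2, "B": 1.5, "C": 2.8, "D": 4.3, "E": 12.7, "F": 2.2, "G": 2.0,
    "H": 6.1, "I": 7.0, "J": 0.15, "K": 0.77, "L": 4.0, "M": 2.4, "N": 6.7,
    "O": 7.5, "P": 1.9, "Q": 0.095, "R": 6.0, "S": 6.3, "T": 9.1, "U": 2.8,
    "V": 0.98, "W": 2.4, "X": 0.15, "Y": 2.0, "Z": 0.074,
}

# Constructed sample: two English passages from the slides, letters only.
LONG_SAMPLE = (
    "president clinton vetoed the bill renewing the authority of the nations "
    "intelligence agencies because it contains what he called a provision "
    "that would make it a crime for a government official to disclose "
    "classified information there are patches to try to increase the "
    "security of the mono alphabetic substitution cipher eliminate spaces "
    "use many to one mappings that level the frequencies lots of other "
    "clever ideas still very weak clever cryptanalysts knew how to beat them "
    "all hundreds of years ago"
)


def letters_only(text):
    return "".join(c for c in text.upper() if c.isalpha())


def shift(c, k):
    """Caesar-shift one upper-case letter by k places (k may be negative)."""
    return ALPHA[(ALPHA.index(c) + k) % 26]


def vigenere(text, key, decrypt=False):
    """The Vigenere square in code: shift each plaintext letter by the position
    of the matching key letter (a=0 ... z=25); decryption shifts back."""
    text, key = letters_only(text), letters_only(key)
    sign = -1 if decrypt else 1
    return "".join(shift(c, sign * ALPHA.index(key[i % len(key)]))
                   for i, c in enumerate(text))


def cosets(ciphertext, key_len):
    """Every key_len-th letter starting at 0, 1, ...: each stream was encrypted
    with a single key letter, so it is a plain Caesar cipher."""
    return [ciphertext[i::key_len] for i in range(key_len)]


def best_caesar_shift(stream):
    """Frequency analysis on one stream: undo each of the 26 possible shifts
    and keep the one whose histogram is closest (chi-squared) to English."""
    n = len(stream)
    best_k, best_score = 0, float("inf")
    for k in range(26):
        counts = Counter(shift(c, -k) for c in stream)
        score = 0.0
        for letter in ALPHA:
            expected = ENGLISH_PCT[letter] * n / 100
            score += (counts[letter] - expected) ** 2 / expected
        if score < best_score:
            best_k, best_score = k, score
    return best_k


def recover_key(ciphertext, key_len):
    """Solve the key_len independent Caesar problems and read off the keyword."""
    return "".join(ALPHA[best_caesar_shift(s)] for s in cosets(ciphertext, key_len))


if __name__ == "__main__":
    ct = vigenere("ihavethreestinkydogs", "VOTE")
    print(ct, cosets(ct, 4))
    long_ct = vigenere(LONG_SAMPLE, "VOTE")
    key = recover_key(long_ct, 4)
    print("recovered key:", key)
    print(vigenere(long_ct, key, decrypt=True)[:40])
```

The key length itself is assumed known here (4); finding it is the extra step (repeated-fragment spacing or index of coincidence) that the slides summarise as "a bit of work". The chi-squared scoring also explains why the one-time pad of the next slides is different in kind: with a key as long as the message each "stream" has one letter, and there is nothing to count.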
However:
IF the key is as long as the message
AND the key is completely random
THEN the encryption is perfect (can't be broken)!!!
This is called a "One Time Pad".
The proof that a one time pad gives perfect security is simple: suppose you have the ciphertext. Since all keys are equally likely, all decoded messages are equally likely!
How the message was encoded:
  Keyword    ASDF
  Plaintext  dogs
  Ciphertext DGJX
How it should be decoded given the correct key:
  Ciphertext DGJX
  Keyword    ASDF
  Plaintext  dogs
How it could be decoded given an equally likely key:
  Ciphertext DGJX
  Keyword    BGQF
  Plaintext  cats
Along come computers
Tailor made for both code making & code breaking*
Represent the message as a list of numbers (bits) and operate on these with your favorite algorithm.
Simplest case: Exclusive OR
  0 XOR 0 = 0
  0 XOR 1 = 1
  1 XOR 0 = 1
  1 XOR 1 = 0
  Plaintext  DEAD = 1101 1110 1010 1101
  Key        BEEF = 1011 1110 1110 1111
  Ciphertext 6042 = 0110 0000 0100 0010
*Computing engines were spawned from code-breaking efforts during WW-II (Turing).
This is an example of Symmetric Key Encryption
Encode:
  Plaintext  DEAD = 1101 1110 1010 1101
  Key        BEEF = 1011 1110 1110 1111
  Ciphertext 6042 = 0110 0000 0100 0010
Decode:
  Ciphertext 6042 = 0110 0000 0100 0010
  Key        BEEF = 1011 1110 1110 1111
  Plaintext  DEAD = 1101 1110 1010 1101
Real simple: the same key is used to encode and decode.
SO: just generate a long "one time pad" bitstream, do the simple XOR, and we have perfect security.
This has two problems:
1) It's hard to generate a long truly random bitstream.
2) Sender and receiver must both have the same one time pad (i.e. the key).
If we make the algorithm more sophisticated we can make the minimum length of a secure key much shorter.
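An added example, not taken from the slides, covering slides 14 to 18 together: the letter one-time pad with the dogs/cats key pair, the XOR version with DEAD/BEEF, and two things a practitioner checks in code that the slides state in words: that a pad can be found for any plaintext (the perfect-secrecy proof), and what leaks when a pad is reused (why it is "one time"). The `secrets` module is used for the pad because problem 1 on the slide, generating truly random bits, is exactly what a general-purpose PRNG does not solve.

```python
import secrets
from string import ascii_lowercase as LOWER


def otp_letters(text, pad, decrypt=False):
    """Letter one-time pad as on slide 15: plaintext letter + pad letter mod 26
    (minus, to decrypt). The pad must be at least as long as the text."""
    if len(pad) < len(text):
        raise ValueError("pad shorter than message")
    sign = -1 if decrypt else 1
    out = "".join(LOWER[(LOWER.index(c) + sign * LOWER.index(k)) % 26]
                  for c, k in zip(text.lower(), pad.lower()))
    return out if decrypt else out.upper()


def xor_bytes(a, b):
    """Bitwise XOR of two equal-length byte strings (slide 16's 'favorite
    algorithm'); XOR is its own inverse, so one function encrypts and decrypts."""
    if len(a) != len(b):
        raise ValueError("lengths differ")
    return bytes(x ^ y for x, y in zip(a, b))


def new_pad(n):
    """Problem 1 from slide 18: the pad must be truly random. `secrets` reads
    the OS entropy source; the `random` module is not suitable for keys."""
    return secrets.token_bytes(n)


def pad_that_decrypts_to(ciphertext, wanted):
    """Why the proof works: for ANY candidate plaintext of the right length
    there is a pad that turns the ciphertext into it, and all pads are equally
    likely, so the ciphertext alone says nothing about the message."""
    return xor_bytes(ciphertext, wanted)


def two_time_pad_leak(c1, c2):
    """What breaks if a pad is reused: the pad cancels and the XOR of the two
    ciphertexts equals the XOR of the two plaintexts. Hence 'one time'."""
    return xor_bytes(c1, c2)


if __name__ == "__main__":
    print(otp_letters("dogs", "ASDF"))                 # DGJX
    print(otp_letters("DGJX", "ASDF", decrypt=True))   # dogs
    print(otp_letters("DGJX", "BGQF", decrypt=True))   # cats
    ct = xor_bytes(bytes.fromhex("dead"), bytes.fromhex("beef"))
    print(ct.hex())                                     # 6042
    pad = new_pad(4)                                    # fresh random pad
    c1, c2 = xor_bytes(b"dogs", pad), xor_bytes(b"cats", pad)
    print(two_time_pad_leak(c1, c2) == xor_bytes(b"dogs", b"cats"))   # True
```

The reuse function is the defender's reason for the name: two messages under the same pad give an attacker `p1 XOR p2`, from which both texts are usually recoverable by guessing words, so a pad byte must never be used twice.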
Suppose we have an algorithm that takes a block of plaintext and converts it into a block of ciphertext using an N-bit key. Suppose that changing any single bit in the key completely changes the ciphertext. We could only break this by trying all 2^N possible keys. If N = 128, the time required is way beyond the age of the universe.
DES (Digital Encryption Standard): plaintext block -> f (N-bit key) -> ciphertext block
DES
64-bit plaintext block -> IP (initial permutation) -> split into L0 and R0 (32 bits each)
Round 1:  L1 = R0,  R1 = L0 + f(R0, K1),  K1 derived from the 56-bit key
repeat 16 times…
Round 16: L16 = R15,  R16 = L15 + f(R15, K16),  K16 derived from the 56-bit key
-> IP^-1 (final permutation) -> 64-bit ciphertext block
("+" here is bitwise XOR.)
IP (Initial Permutation): reorders the 64 input bits (table shown as a figure on the original slide).

The DES round function f:
  R_{i-1} (32 bits) -> Expansion Permutation -> 48 bits
  XOR with the 48-bit subkey K_i -> 48 bits
  S-Box Substitution -> 32 bits
  P-Box Permutation -> 32 bits
48-bit subkey generator: K48 = g(i, K56) (the key for each round is deterministically derived from the input 56-bit key).
  L_i = R_{i-1} (32 bits);  R_i = L_{i-1} XOR f(R_{i-1}, K_i) (32 bits)

Expansion Permutation: 32 bits in, 48 bits out; each 4-bit group of the input (bits 1-4, 5-8, …, 29-32) is widened to 6 bits (table shown as a figure on the original slide).

XOR with the 48-bit subkey: 48 bits in, 48 bits out.

S-Box Substitution: 48 bits in, 32 bits out. Eight S-boxes; S-box i takes 6 input bits (6i-5 … 6i) and produces 4 output bits (4i-3 … 4i).

How an S-Box works (S-box 1):
The two outer bits of the 6-bit input select the row ("page select"); the four inner bits select the column. The entry is the 4-bit output.
  row 0: 14  4 13  1  2 15 11  8  3 10  6 12  5  9  0  7
  row 1:  0 15  7  4 14  2 13  1 10  6 12 11  9  5  3  8
  row 2:  4  1 14  8 13  6  2 11 15 12  9  7  3 10  5  0
  row 3: 15 12  8  2  4  9  1  7  5 11  3 14 10  0  6 13

P-Box Permutation: 32 bits in, 32 bits out (table shown as a figure on the original slide).

IP^-1 (Final Permutation): the inverse of IP, applied to the 64-bit result (table shown as a figure on the original slide).

Initial Key Permutation: 64-bit key in, 56 bits out (table shown as a figure on the original slide).

Key Split & Shift & Compress: the 56-bit key K56 is split into two 28-bit halves; each round both halves are shifted left by Ni (Ni = {1, 1, 2, 2, 2, 1}; the shift accumulates every round) and 48 of the 56 bits are selected to form the round subkey K48 (table shown as a figure on the original slide).
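The following Python is an added example, not DES and not from the slides: a toy 64-bit Feistel network that keeps exactly the round structure of the DES slide (L_i = R_{i-1}, R_i = L_{i-1} XOR f(R_{i-1}, K_i), 16 rounds) but swaps in a simple stand-in round function and a hash-based subkey schedule, both assumptions of this example, in place of DES's expansion/S-box/P-box and split/shift/compress. What it demonstrates is the property the slide's diagram relies on: decryption is the same network run with the subkeys in reverse order, whatever f is, even an f that cannot be inverted.

```python
import hashlib

MASK32 = 0xFFFFFFFF
ROUNDS = 16


def f(right, subkey):
    """Round function. A stand-in mixing function chosen for this example,
    NOT DES's expansion/S-box/P-box f; the Feistel structure works for any f,
    including one that is not invertible (this one throws bits away)."""
    x = (right ^ subkey) & MASK32
    x = (x * 0x9E3779B1 + 0x7F4A7C15) & MASK32
    x ^= x >> 15
    x = (x * 0x85EBCA6B) & MASK32
    x ^= x >> 13
    return x


def subkeys(key):
    """Derive 16 32-bit round keys from the key bytes. DES does this with
    split/shift/compress over 56 bits; hashing the key with a round counter is
    the simpler stand-in used here."""
    return [int.from_bytes(hashlib.sha256(key + bytes([i])).digest()[:4], "big")
            for i in range(ROUNDS)]


def feistel_round(left, right, subkey):
    """One round exactly as on the DES slide:
    L_i = R_{i-1},  R_i = L_{i-1} XOR f(R_{i-1}, K_i)."""
    return right, left ^ f(right, subkey)


def _run(block, keys):
    left, right = block >> 32, block & MASK32
    for k in keys:
        left, right = feistel_round(left, right, k)
    # Undo the last swap, so that running the rounds again reverses them
    # (DES does the same before its final permutation).
    return (right << 32) | left


def encrypt(block, key):
    return _run(block, subkeys(key))


def decrypt(block, key):
    """Decryption is the same network with the subkeys in reverse order."""
    return _run(block, subkeys(key)[::-1])


if __name__ == "__main__":
    key = b"constructed-key"          # sample key made up for this example
    pt = 0xDEADBEEF0BADF00D
    ct = encrypt(pt, key)
    print(f"{ct:016x}", decrypt(ct, key) == pt)
```

Why the reversal works: undoing round i needs only L_i (which equals R_{i-1}) and K_i to recompute f(R_{i-1}, K_i) and XOR it off R_i, so f is only ever evaluated forwards. This is also why the slides can describe DES's f purely as a lookup-and-permute pipeline.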
DES advantages:
Very fast: ideally suited for implementation in hardware (bit shifts, look-ups etc.). Dedicated hardware (in 1996) could run DES at 200 Mbyte/s. Well suited for voice, video etc.
(plaintext block -> f (56-bit key) -> ciphertext block)
DES security: not too good. Trying all 2^56 possible keys is not that hard these days. (Thank the NSA for this.) If you spend ~$25k you can build a DES password cracker (EFF) that will succeed in a few hours. Back in 1975 this would have cost a few billion $$. It is widely believed that the NSA did this. Similar algorithms with longer keys are available today (IDEA).
Other issues: with any symmetric algorithm, the key must be agreed upon by sender and receiver in a secure way. Before 1976, key exchange was by far the biggest problem in secure communications! Then along came Diffie & Hellman…
Modular Arithmetic to the Rescue: Diffie-Hellman Key Exchange
How Alice and Bob can come up with the same key by talking on the phone without giving it away to a third party listening to the conversation.
1) They agree on a large prime number p and a small integer g. These numbers are not secret.
2) Alice picks a large random integer a, calculates A = g^a mod p, and tells Bob what A is.
3) Bob picks a large random integer b, calculates B = g^b mod p, and tells Alice what B is.
4) Alice computes Ka = B^a mod p. Bob computes Kb = A^b mod p.
5) Lo and behold: Ka = Kb = g^(ab) mod p.
Someone spying on the phone cannot get the key without knowing a and b, which were never spoken. Figuring out a and b from A, B, g, and p is as hard as factoring numbers the same size as p, hence p should be big (hundreds of digits).
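The exchange above as an added Python example (not from the slides). The toy parameters p = 23, g = 5 and the secrets a = 6, b = 15 are constructed for this example so every value can be checked by hand; the last function shows the work the eavesdropper faces, trying every exponent, which is trivial for p = 23 and is what "p should be big" rules out.

```python
import secrets


def dh_public(p, g, secret):
    """A = g^a mod p (or B = g^b mod p). Python's three-argument pow does
    modular exponentiation efficiently even for hundreds-of-digit p."""
    return pow(g, secret, p)


def dh_shared(p, peer_public, secret):
    """Ka = B^a mod p on Alice's side, Kb = A^b mod p on Bob's."""
    return pow(peer_public, secret, p)


def dh_exchange(p, g, a, b):
    """Steps 2-5 of the slide with given secrets; returns (A, B, Ka, Kb).
    Only p, g, A and B ever go over the phone."""
    A = dh_public(p, g, a)        # Alice says A out loud
    B = dh_public(p, g, b)        # Bob says B out loud
    return A, B, dh_shared(p, B, a), dh_shared(p, A, b)


def random_secret(p):
    """A fresh secret exponent in 1..p-2 from the OS random source."""
    return secrets.randbelow(p - 2) + 1


def discrete_log_by_trial(p, g, A):
    """What the listener would have to do: find a with g^a = A mod p by
    trying every exponent. Feasible for the toy p below, hopeless for a
    hundreds-of-digit p, which is the whole point of step 1."""
    for a in range(1, p):
        if pow(g, a, p) == A:
            return a
    return None


if __name__ == "__main__":
    p, g = 23, 5                            # toy parameters for this example
    A, B, Ka, Kb = dh_exchange(p, g, a=6, b=15)
    print(A, B, Ka, Kb)                     # 8 19 2 2
    print(discrete_log_by_trial(p, g, A))   # 6
    a, b = random_secret(p), random_secret(p)
    _, _, Ka, Kb = dh_exchange(p, g, a, b)
    print(Ka == Kb)                         # True
```

In deployed systems p and g are not chosen ad hoc: standardized groups with a large prime p and a g that generates a large subgroup are used, and the exchange is authenticated, since a listener who can also alter the phone call could substitute their own A and B.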
Generating Huge Primes
Idea: 1) Pick a big random number. 2) Test to see if it's prime.
Don't do this the hard way (factoring)… There are several probabilistic methods:
  Choose a possible prime p = 33209533878488951298293621905948288497515233544999
  Choose a "witness" random number a = 7229265988
  Calculate j = a^((p-1)/2) mod p (= 1 in this case)
  If j = +1 or -1 then the chance that p is not prime is no more than 50%.
  Choose another "a" and test again. Repeat until the desired confidence is reached.
Are there enough huge primes? YES!
• For numbers near n, the chance of a number being prime is one in ln(n).
• There are about 10^150 prime numbers containing 512 bits (155 digits).
• If every atom in the universe needed a billion primes every microsecond from the beginning of time until now, we would only use 10^110 primes.
Public Key Cryptography: RSA (Rivest, Shamir, Adleman: 1977)
IDEA: Alice has a "public" encryption key that everyone knows, and a "private" decryption key that only she knows. Bob looks up her public key, encrypts his message, and sends it to her. She decrypts it with her private key.
1) Pick two large prime numbers p and q. These are secret.
2) Calculate n = pq.
3) Pick another number e such that e and (p-1)(q-1) are relatively prime.
4) The numbers n and e make up your public key. Publish them!
5) Calculate d such that ed = 1 mod (p-1)(q-1) {i.e. d = e^-1 mod (p-1)(q-1)}.
6) The number d is your private key.
Encrypt message m via c = m^e mod n.
Decrypt the ciphertext c via m = c^d mod n.
(example) This is what happens when you buy a book from Amazon.com.
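The six steps and the encrypt/decrypt formulas as an added Python example (not from the slides). The primes p = 61, q = 53 and e = 17 are small textbook values constructed for checking by hand; the chunking functions make concrete the drawback the next slide mentions, that a message must be cut into pieces smaller than n.

```python
from math import gcd


def rsa_keygen(p, q, e):
    """Steps 1-6 of the slide. p and q stay secret; (n, e) is published and d
    is the private key, chosen so that e*d = 1 mod (p-1)(q-1)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to (p-1)(q-1)")
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def rsa_encrypt(public, m):
    """c = m^e mod n; the message must be a number smaller than n."""
    n, e = public
    if not 0 <= m < n:
        raise ValueError("message must be a number smaller than n")
    return pow(m, e, n)


def rsa_decrypt(private, c):
    """m = c^d mod n."""
    n, d = private
    return pow(c, d, n)


def encrypt_bytes(public, data):
    """The drawback from the next slide made concrete: the data is cut into
    chunks guaranteed to be smaller than n and each chunk is encrypted on its
    own. This is textbook RSA with no padding (see the note below)."""
    n = public[0]
    size = max(1, (n.bit_length() - 1) // 8)      # bytes that always fit below n
    chunks = [int.from_bytes(data[i:i + size], "big") for i in range(0, len(data), size)]
    return [rsa_encrypt(public, m) for m in chunks], size


def decrypt_bytes(private, chunks, size, length):
    """Reverse of encrypt_bytes; `length` restores the last, shorter chunk."""
    out = bytearray()
    for i, c in enumerate(chunks):
        this = size if i < len(chunks) - 1 else length - size * (len(chunks) - 1)
        out += rsa_decrypt(private, c).to_bytes(this, "big")
    return bytes(out)


if __name__ == "__main__":
    public, private = rsa_keygen(61, 53, 17)      # toy key: n = 3233, d = 2753
    print(public, private)
    c = rsa_encrypt(public, 65)
    print(c, rsa_decrypt(private, c))             # 2790 65
    chunks, size = encrypt_bytes(public, b"dogs")
    print(decrypt_bytes(private, chunks, size, 4))
```

Textbook RSA as written here is deterministic (the same chunk always gives the same ciphertext) and the chunks can be rearranged undetected, so real systems pad each message with a randomized scheme such as OAEP and, as the PGP slide describes, use RSA only to wrap a symmetric key rather than to encrypt the data itself.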
RSA drawbacks: RSA is slow (i.e. computationally intensive). The message must be broken into chunks ~n in size, and each block is encrypted separately. Does not really lend itself to hardware implementation: most RSA chips (in 1996) needed ~10^6 clock cycles per 512-bit encryption.
RSA security: RSA is secure because it's very hard to factor n to find p and q if n is sufficiently big. (Discrete logarithms.) "Sufficiently big" means ~2048 bits. "Hard" means that all the computers on earth could not do it in the age of the universe. Symmetric key algorithms can provide the same "raw" security with key lengths between 64 and 128 bits.
The PGP Solution (had Phil Zimmermann in very hot water from 1992 to 1996)
PGP = Pretty Good Privacy
- Use IDEA for encryption (similar to DES except 128-bit key).
- Use RSA for the IDEA key exchange (RSA key lengths up to 2048 bits supported).
- Made available as freeware (www.pgp.com).
In 1993 Zimmermann was charged with "illegally exporting weapons". The FBI & DOJ hounded him until 1996 when the charges were dropped.
Today's Issues
CLIPPER & CAPSTONE: encryption chips developed by the NSA. Uses the Escrowed Encryption Standard (EES). Each chip has a "back door" that the government has a key to. They can use this key in the same sense as they can now do a phone wiretap. Not very popular, not (yet) required by law. (These things really piss off the encryption community; the NSA loves them.)
Tempest
Quantum Cryptography (Kwiat @ UIUC!)
How Bob and Alice can agree on a perfectly secret one-time pad: suppose Alice can send binary information using polarized photons. There are 2 distinct encoding schemes: + and x. (Figure on the slide: the polarizations standing for 1 and 0 in each scheme.)
Quantum Cryptography (Kwiat @ UIUC!)
Alice randomly switches between the + and x schemes, and sends a random string of 1's and 0's to Bob. (Alice keeps track of the schemes she used and the bits she sent.) (Figure on the slide: the photons sent, bits 1 1 1 0 0.)
Quantum Cryptography (Kwiat @ UIUC!)
Bob measures these photons with his own random choice of scheme (he does not know what Alice has done). Sometimes he gets it right, sometimes he gets it wrong. (Figure on the slide: Alice's message 1 1 1 0 0; Bob measures 0 0 1 0 0.)
Quantum Cryptography (Kwiat @ UIUC!)
Alice phones Bob and tells him how her schemes were chosen. Bob tells Alice which schemes he guessed right. Considering only these, they now agree on a subset of the bits sent. (Figure on the slide: the agreed positions of Alice's message and Bob's measurements.)
Quantum Cryptography (Kwiat @ UIUC!)
Someone listening on the phone only knows which schemes were used, but not what the polarization was. Any attempt to intercept photons will alter their state, which Alice and Bob can detect by comparing some of their bits to make sure they agree (and discarding these). (Figure on the slide: the remaining bits 1 0 0.) One time pad!
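The five quantum-cryptography slides as one added Python simulation (not from the slides and not a physical model beyond the rule the slides state): a photon measured in the scheme it was sent in yields the sent bit, and in the other scheme yields a coin flip. The script runs Alice's random bits and schemes, Bob's random choice of scheme, the phone call that keeps only the matching positions, and optionally an intercept-and-resend listener; the error rate in the agreed bits is how Alice and Bob notice the listener. Seeds, photon counts and the `+`/`x` labels are constructed for this example.

```python
import random

BASES = "+x"


def random_bits_and_bases(n, rng):
    """Alice: a random bit and a random scheme (+ or x) for each photon."""
    return [rng.randrange(2) for _ in range(n)], [rng.choice(BASES) for _ in range(n)]


def measure(bit, sent_basis, used_basis, rng):
    """The slides' rule: measuring in the scheme the photon was sent in gives
    the bit; measuring in the other scheme gives a coin flip."""
    return bit if sent_basis == used_basis else rng.randrange(2)


def bb84(n, seed=None, eavesdrop=False):
    """Returns (alice_key, bob_key): the bits at the positions where Bob's
    scheme matched Alice's, as agreed over the public phone call."""
    rng = random.Random(seed)             # seeded so runs are reproducible
    alice_bits, alice_bases = random_bits_and_bases(n, rng)
    bob_bases = [rng.choice(BASES) for _ in range(n)]
    bob_bits = []
    for i, (bit, basis) in enumerate(zip(alice_bits, alice_bases)):
        if eavesdrop:
            # Intercept-and-resend: the listener must measure in some scheme and
            # then send a fresh photon in that scheme; half the time it is wrong.
            eve_basis = rng.choice(BASES)
            bit, basis = measure(bit, basis, eve_basis, rng), eve_basis
        bob_bits.append(measure(bit, basis, bob_bases[i], rng))
    keep = [i for i in range(n) if alice_bases[i] == bob_bases[i]]
    return [alice_bits[i] for i in keep], [bob_bits[i] for i in keep]


def error_rate(alice_key, bob_key):
    """Fraction of agreed bits that differ: 0 with no interference, about 25%
    with an intercept-and-resend listener. Alice and Bob compare a sample of
    bits in the clear to measure this, then discard the sampled bits."""
    mismatches = sum(a != b for a, b in zip(alice_key, bob_key))
    return mismatches / len(alice_key)


if __name__ == "__main__":
    a, b = bb84(1000, seed=1)
    print(len(a), "agreed bits, error rate", error_rate(a, b))
    a, b = bb84(1000, seed=1, eavesdrop=True)
    print(len(a), "agreed bits, error rate with listener", error_rate(a, b))
```

About half of the photons survive the sifting step, and with a listener roughly a quarter of those disagree, which is why the protocol sacrifices a sample of the remaining bits to check before using the rest as the pad.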