- Number of slides: 86
Cryptology – Josef Zelenka, University of Hradec Kralove, The Czech Republic
Cryptology – basic terms • cryptology - the science that includes both cryptography and cryptanalysis, and sometimes is said to include steganography • cryptography - the transformation of ordinary text (plaintext, message, cleartext) into coded form (ciphertext) by encryption and the transformation of ciphertext into plaintext by decryption. Cryptography can be used to support digital signature, key management or key exchange, and data and communications privacy • cryptanalysis - the analysis of a cryptographic system and/or its inputs and outputs to derive confidential variables and/or sensitive data including plaintext
• plaintext (message) – the original, unencrypted text; abbreviated P or M (in schemes and formulas) • ciphertext – encrypted plaintext; abbreviated C • sender – entity in a bilateral communication which is the legitimate transmitter of information • receiver – entity in a bilateral communication which is the intended recipient of information • adversary – entity in a bilateral communication which is neither the sender nor the receiver, and which tries to defeat the information security service being provided between the sender and receiver. Various other synonymous names: enemy, attacker, opponent, tapper, eavesdropper, intruder, and interloper.
Comments on the history of cryptology • very long history – more than 4,000 years • ancient Egypt, India (Kamasutra), Sumer – changes of letters, steganography (hiding of the message) • ancient Greece – steganography, transposition ciphers, codes (difference between code and cipher) • ancient Rome – Caesar cipher, encrypted communication with troops • from 855 – description and theory of „classical“ cryptosystems • from 1500 Europe is the centre of cryptology development • World War I and II – cryptology „writes history“ (battle of Midway – breaking the Japanese Purple code; breaking the German Enigma – battle against German submarines) • the Israel – Egypt war • nowadays – E-business, diplomacy, banks, armies …
From – to | Characteristic
ancient times – 15th century | codes, simple („classic“) ciphers, hidden messages
15th century – beginning of 20th century | advanced simple ciphers, cryptanalysis of simple ciphers, basis of cryptology theory
20th century | complex theory, development of mechanical and electronic ciphering machines, modern symmetric and new asymmetric cryptology, cryptographic protocols, massive application of cryptology as one of the „building stones“ of modern society
21st century | alternative computers, quantum cryptology?, probabilistic cryptology
Information security - targets • privacy (confidentiality) - keeping information secret from all but those who are authorized to see it. There are numerous approaches to providing confidentiality, ranging from physical protection to mathematical algorithms which render data unintelligible. • data integrity - ensuring information has not been altered by unauthorized or unknown means. To assure data integrity, one must have the ability to detect data manipulation by unauthorized parties. Data manipulation includes such things as insertion, deletion, and substitution. • non-repudiation - preventing the denial of previous commitments or actions • authorization - conveyance, to another entity, of official sanction to do or be something. Two major classes: entity authentication and data origin authentication.
• cryptographic algorithm - an algorithm that employs the science of cryptography, including encryption algorithms, cryptographic hash algorithms, digital signature algorithms, and key agreement algorithms • cryptographic key - usually shortened to just „key“. An input parameter that varies the transformation performed by a cryptographic algorithm. • cryptographic system - a set of cryptographic algorithms together with the key management processes that support use of the algorithms in some application context • block cipher - encryption scheme which breaks up the plaintext messages to be transmitted into strings (called blocks) of a fixed length t over an alphabet A, and encrypts one block at a time
• a hash function is a computationally efficient function mapping binary strings of arbitrary length to binary strings of some fixed length, called hash-values. • a cryptographic protocol (protocol) is a distributed algorithm defined by a sequence of steps precisely specifying the actions required of two or more entities to achieve a specific security objective. • key management is the set of processes and mechanisms which support key establishment and the maintenance of ongoing keying relationships between parties, including replacing older keys with new keys as necessary.
Cryptology – basic principles
Kerckhoffs’ desiderata, a set of requirements for cipher systems (1883) • the system should be, if not theoretically unbreakable, unbreakable in practice; • compromise of the system details should not inconvenience the correspondents; • the key should be rememberable without notes and easily changed; • the cryptogram should be transmissible by telegraph; • the encryption apparatus should be portable and operable by a single person; • the system should be easy, requiring neither the knowledge of a long list of rules nor mental strain.
block cipher – usually several rounds • advantages – high level of diffusion (each ciphertext symbol depends on many plaintext symbols), low susceptibility to unauthorised modification and misuse (it is difficult to find the structure of the plaintext, for example what the heading of the message was), security can often be managed by lengthening the block and the key • disadvantages – latency during encryption, error propagation (typically the whole block is affected, or with feedback modes a longer part of the message), usually slower than stream ciphers, usually more complicated implementation
stream cipher – each symbol of the plaintext is immediately changed into a symbol of the ciphertext; the ciphertext symbol depends on the given plaintext symbol, the key and the algorithm, and through feedback on previous symbols and/or initialisation vectors • advantages – speed, errors do not propagate • disadvantages – low level of diffusion, susceptibility to modification and misuse (for example an account number: although it was not deciphered, it can be attached to another message)
Cryptology – „classic“ ciphers • the substitution ciphers (stream, symmetric) • the transposition ciphers (block)
The substitution ciphers • block/stream ciphers which replace symbols (or groups of symbols) by other symbols or groups of symbols • simple substitution cipher (monoalphabetic substitution cipher) – the same substitution of one letter by another letter throughout the message – the key space is N! where N is the number of letters in the alphabet, so a brute force attack is difficult/impossible; for 26 letters 26! ≈ 4·10^26 keys; if you examine 1,000,000 keys per second you still need 1.27·10^13 years, while the age of the universe is approx. 1.5·10^10 years – it is nevertheless insecure: in the ciphertext the distribution of letters is the same as in the plaintext (in the given language) – cryptanalysis can combine frequency analysis of the ciphertext (see Fig. 1, Fig. 2 and Fig. 3) with ad hoc methods – there are ways to strengthen the algorithm: homophonic substitution cipher, polyalphabetic substitution cipher
Fig. 1 Frequency distribution of letters of the Czech and English languages /5/ (bar chart: letters A–Z on the horizontal axis, frequency in % (0–14) on the vertical axis; series Czech and English)
Fig. 2 Frequency distribution of letters of chosen languages /5/ (bar chart: letters A–Z on the horizontal axis, frequency in % (0–20) on the vertical axis; series Czech, Slovak, English, German, French, Italian, Spanish, Portuguese)
Fig. 3 Frequency of distribution of letters of Czech language /5/
The substitution ciphers – the trivial shift cipher/Caesar cipher • alphabetic shift by k characters for some fixed k • key space only n, where n is the number of letters of the alphabet • cryptanalysis is trivial: – brute force attack – frequency analysis – find the most frequent letter
The substitution ciphers - polygram substitution • groups of characters are substituted by other groups of characters • e.g. sequences of two plaintext characters (digrams) may be replaced by other digrams. In the same way sequences of three plaintext characters (trigrams) can be replaced by other trigrams, or more generally n-grams by n-grams. • In full digram substitution over an alphabet of 26 characters, the key may be any of the 26^2 digrams, arranged in a table with row and column indices corresponding to the first and second characters in the digram, and the table entries being the ciphertext digrams substituted for the plaintext pairs. There are then (26^2)! keys.
The substitution ciphers - polyalphabetic cipher • variants of the polyalphabetic cipher were used through the centuries up to and including World War II (for example the legendary Enigma) • examples of variants: – Vigenère cipher – polyalphabetic cipher machines and rotors • the flatter distribution of letters produced by a polyalphabetic cipher is clear from Fig. 4
Fig. 4 Flatter distribution of letters using a polyalphabetic cipher /7/ (chart: letters A–Z on the horizontal axis, frequency of occurrence (0–0.07) on the vertical axis)
The substitution ciphers - homophonic substitution cipher • the algorithm substitutes one letter by another letter, but for frequent letters the substituted letter is chosen randomly from a set of two, three or more letters • as a result there is a „flatter“ distribution of letter frequencies and frequency analysis is difficult • examples – E as the most frequent letter (e.g. in English, Czech) is substituted by four letters, A by three letters, etc.
The substitution ciphers - Vernam Cipher • synonyms: a one-time system or a one-time pad • the Vernam cipher over the binary alphabet is defined by c_i = m_i ⊕ k_i for i = 1, 2, 3, …, where m_1, m_2, m_3, … are the plaintext digits, k_1, k_2, k_3, … (the keystream) are the key digits, c_1, c_2, c_3, … are the ciphertext digits, and ⊕ is the XOR function (bitwise addition modulo 2). Decryption is defined by m_i = c_i ⊕ k_i. If the keystream digits are generated independently and randomly, the Vernam cipher is called a one-time pad, and is unconditionally secure against a ciphertext-only attack. • Conditions of safety: – the key may be used only once – the key is the same length as the message – the key must be delivered through a secret channel – the key is destroyed after use – the key must be a sequence of random digits generated by natural processes, not by pseudorandom generators
Scheme of the binary Vernam cipher: the same key stream of random numbers is used on both sides; plaintext → XOR (ciphering) → ciphertext → XOR (deciphering) → plaintext
The substitution ciphers - Vernam Cipher • characteristics of synchronous stream ciphers: – synchronization requirements – no error propagation – a ciphertext digit that is modified (but not deleted) during transmission does not affect the decryption of other ciphertext digits – sensitivity to active attacks – there must be mechanisms to detect modification of the message (for example a hash of the message)
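The binary Vernam cipher and the stream-cipher properties listed above, as an added example that is not part of the original slides: encryption and decryption are the same XOR, a modified ciphertext bit changes exactly one plaintext bit (no error propagation, but no detection either), reusing a keystream cancels the key out of two ciphertexts, and an HMAC tag (assumed here as the "control mechanism") detects modification. Messages and keys are constructed; the key is drawn from the OS CSPRNG, which stands in for the natural random source the slides require.

```python
import hashlib
import hmac
import secrets


def vernam(data: bytes, keystream: bytes) -> bytes:
    """c_i = m_i XOR k_i byte by byte; the same call decrypts."""
    if len(keystream) < len(data):
        raise ValueError("key must be at least as long as the message")
    return bytes(m ^ k for m, k in zip(data, keystream))


def one_time_pad_key(length: int) -> bytes:
    """Fresh key material for one message; a one-time pad never reuses it."""
    return secrets.token_bytes(length)


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Simulate an active attacker (or a channel error) touching one bit."""
    out = bytearray(data)
    out[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(out)


def keystream_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """Why the key may be used only once: if two messages share a keystream,
    c1 XOR c2 = (m1 XOR k) XOR (m2 XOR k) = m1 XOR m2, the key cancels out."""
    return vernam(c1, c2)


def seal(message: bytes, enc_key: bytes, mac_key: bytes) -> bytes:
    """Encrypt, then append a 32-byte HMAC-SHA256 tag over the ciphertext."""
    ct = vernam(message, enc_key)
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()


def open_sealed(blob: bytes, enc_key: bytes, mac_key: bytes):
    """Return the plaintext, or None when the tag does not verify."""
    ct, tag = blob[:-32], blob[-32:]
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return vernam(ct, enc_key)
```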
The Symmetric Cryptology
The chosen symmetric algorithms
Name | Typical characteristics
IDEA (International Data Encryption Algorithm) | key 128 b, block 64 b, patented, part of PGP, good diffusion, safety, high speed
DES (Data Encryption Standard) | key 64 b (but only 56 b used for ciphering), block 64 b, based on Feistel networks, until 1977 American standard for symmetric encryption, in 2000 replaced by AES
3DES (Triple DES) | key 112 or 168 b, block 64 b, strengthened variant of DES (DES used three times: first and third step ciphering, second step deciphering)
The chosen symmetric algorithms
Name | Typical characteristics
Blowfish | key from 32 to 448 b, block 64 b, author Schneier 1993, based on Feistel networks
FEAL (Fast Data Encryption Algorithm) | key 64 b, block 64 b, created in Japan (Nippon Telegraph and Telephone Corporation) 1986, based on Feistel networks, was enhanced through more rounds
GOST 28147-89 (Gosudarstvennyj standart) | key 256 b, block 64 b, 32 rounds, from 1989 Russian cryptographic standard for the state administration, based on Feistel networks
Other symmetric algorithms: SAFER, RC5, LOKI’89, CAST, 3-WAY, SHARK, SKIPJACK, RC2 …
DES – the basic characteristics • based on Feistel networks – scheme • operation (see scheme on next page) – substitution in S-boxes (mixing of the right half with the subkey), generation of a different subkey for every round, permutation, mixing of the left and right halves • only 56 b long key (exhaustive search takes approx. hours), role of NIST • well defined S-boxes – safety against linear and differential cryptanalysis • 25 years used as a standard for non-high-secret data • existence of weak keys and semi-weak keys – a DES weak key is a key K such that E_K(E_K(x)) = x for all x – a pair of DES semi-weak keys is a pair (K_1, K_2) with E_K1(E_K2(x)) = x
DES – the function of the right side
3DES: plaintext → DES (K_1) → DES^-1 (K_2) → DES (K_3) → ciphertext; deciphering runs the chain backwards: ciphertext → DES^-1 (K_3) → DES (K_2) → DES^-1 (K_1) → plaintext
The new cryptographic standard - AES (Rijndael) /4/ • Authors: Vincent Rijmen – COSIC, Belgium; Joan Daemen – Proton World, Belgium • The reasons: DES is not safe and is breakable in real time; 3DES – safe but slow • The beginning of Rijndael – the end of 1996 • 1997 – the first attempts at AES • NIST – National Institute of Standards and Technology (1998 – 15, 1999 – 5 algorithms) • FIPS – Federal Information Processing Standard • AES – Advanced Encryption Standard (October 2000 Rijndael chosen)
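The Feistel structure behind DES and 3DES, as an added example that is not part of the original slides: a toy 16-round Feistel network over 64-bit blocks, decryption as the same network with the subkeys reversed, the encrypt-decrypt-encrypt composition of 3DES, and the origin of DES weak keys (a key whose schedule yields the same subkey in every round makes E_K(E_K(x)) = x). The round function and key schedule are constructed stand-ins built on SHA-256, not the real DES F function or key schedule.

```python
import hashlib

ROUNDS = 16
HALF = 32                      # bits per half of a 64-bit block
MASK = (1 << HALF) - 1


def round_function(right: int, subkey: int) -> int:
    """Toy F: mixes the right half with a 48-bit subkey; like the DES F
    function it need not be invertible for the cipher to be invertible."""
    data = right.to_bytes(4, "big") + subkey.to_bytes(6, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")


def key_schedule(key: int) -> list:
    """Constructed schedule: 16 subkeys of 48 bits from a 64-bit key."""
    subkeys = []
    for r in range(ROUNDS):
        d = hashlib.sha256(key.to_bytes(8, "big") + bytes([r])).digest()
        subkeys.append(int.from_bytes(d[:6], "big"))
    return subkeys


def feistel(block: int, subkeys: list) -> int:
    """Generic Feistel network: L_{i+1} = R_i, R_{i+1} = L_i XOR F(R_i, K_i),
    with the halves swapped once more after the last round (as in DES)."""
    left, right = block >> HALF, block & MASK
    for k in subkeys:
        left, right = right, left ^ round_function(right, k)
    return (right << HALF) | left


def encrypt(block: int, key: int) -> int:
    return feistel(block, key_schedule(key))


def decrypt(block: int, key: int) -> int:
    """Same network, subkeys in reverse order: each round undoes itself."""
    return feistel(block, key_schedule(key)[::-1])


def tdes_encrypt(block: int, k1: int, k2: int, k3: int) -> int:
    """3DES style: DES with K1, DES^-1 with K2, DES with K3."""
    return encrypt(decrypt(encrypt(block, k1), k2), k3)


def tdes_decrypt(block: int, k1: int, k2: int, k3: int) -> int:
    return decrypt(encrypt(decrypt(block, k3), k2), k1)


def is_involution(block: int, subkeys: list) -> bool:
    """E_K(E_K(x)) == x? True whenever the subkey list reads the same
    backwards, because then 'decrypt' and 'encrypt' coincide. DES weak keys
    are exactly the keys whose schedule produces 16 identical subkeys."""
    return feistel(feistel(block, subkeys), subkeys) == block
```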
Rijndael - AES Key and block size can be 128 b, 192 b, or 256 b (16 B, 24 B, or 32 B)
Rijndael - AES The number of rounds depends on the key and block size and can be 10, 12, 14 – see table below Nb …. Number of bytes of block of data Nk …. Number of bytes of key
Rijndael - AES Keys: a new key for each round; a special expansion procedure creates a big key from which the round keys are generated. Its length is: block size × (number of rounds + 1). Example: for a 128 b block and 10 rounds it is 1408 b. The big key is divided into the round keys in this way: first key = the first N bits, second key = the next N bits, etc. (N = block size)
Rijndael - AES The algorithm: 10, 12, or 14 rounds. Encryption and decryption each have 4 byte-oriented transformation steps (procedures).
ciphering: ByteSub – non-linearity; ShiftRow – intracolumn dispersion; MixColumn – intercolumn dispersion; Round key addition – addition of the round key
deciphering: Round key addition – addition of the round key; InvMixColumn – intercolumn dispersion; InvShiftRow – intracolumn dispersion; InvByteSub – non-linearity
Rijndael - AES ByteSub: bytes are transformed via an S-box, which is the only one for the whole algorithm. As a result there is a high non-linearity in the block. The ByteSub transformation has two steps: • multiplicative inversion • affine transformation
Rijndael - AES ShiftRow: this function moves the rows of the state matrix to different positions
Nb | C1 | C2 | C3
4 | 1 | 2 | 3
6 | 1 | 2 | 3
8 | 1 | 3 | 4
Nb – size of the block of data; C1, C2, C3 – shift of the 1st, 2nd and 3rd row (counting from 0)
Rijndael - AES MixColumn: columns are multiplied by the polynomial ‘03’x^3 + ‘01’x^2 + ‘01’x + ‘02’ and reduced modulo x^4 + 1. As a result there is a high intercolumn dispersion in the block.
Rijndael - AES The round key addition: here the dependence of the round function on the round key originates. It uses merely the XOR operation.
Rijndael - AES Safety: the algorithm will be tested every 5 years. Its structure eliminates weak keys. It is safe against linear and differential cryptanalysis and the other known cryptanalytic attacks, including the brute force attack. Speed: 128 b key and 128 b block of data, Pentium 200 MHz, implementation in Visual C++ – 70 Mb/s
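The AES building blocks from the slides, written out as an added example that is not part of the original slides: the S-box generated from its two ByteSub steps (inversion in GF(2^8), then the affine map), ShiftRow with the offsets of the table above for Nb = 4, 6, 8, MixColumn as multiplication by ‘03’x^3 + ‘01’x^2 + ‘01’x + ‘02’ modulo x^4 + 1, XOR round key addition, and the AES-128 key expansion that yields 128 × (10 + 1) = 1408 bits of round keys. The state is represented as a list of Nb columns of 4 bytes; the check values are the published FIPS-197 examples.

```python
def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    result = 0
    for _ in range(8):
        if b & 1:
            result ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return result


def gf_inv(a: int) -> int:
    """Multiplicative inverse as a^254 (a^255 = 1 for a != 0); 0 maps to 0."""
    result = 1
    for _ in range(254):
        result = gf_mul(result, a)
    return result


def affine(b: int) -> int:
    """Second ByteSub step: b XOR its left rotations by 1..4 bits XOR 0x63."""
    out = b ^ 0x63
    for s in range(1, 5):
        out ^= ((b << s) | (b >> (8 - s))) & 0xFF
    return out


# ByteSub: one S-box for the whole algorithm, built from the two steps above.
SBOX = [affine(gf_inv(x)) for x in range(256)]

# Row offsets C0..C3 for each block size Nb (the slides' ShiftRow table).
SHIFT_OFFSETS = {4: (0, 1, 2, 3), 6: (0, 1, 2, 3), 8: (0, 1, 3, 4)}


def byte_sub(state: list) -> list:
    return [[SBOX[b] for b in col] for col in state]


def shift_row(state: list) -> list:
    """Row r is rotated left by C_r positions: new[c][r] = old[(c + C_r) mod Nb][r]."""
    nb = len(state)
    offs = SHIFT_OFFSETS[nb]
    return [[state[(c + offs[r]) % nb][r] for r in range(4)] for c in range(nb)]


def mix_column(col: list) -> list:
    """Multiply the column by '03'x^3 + '01'x^2 + '01'x + '02' modulo x^4 + 1,
    i.e. by the circulant matrix with rows (02 03 01 01), (01 02 03 01), ..."""
    a0, a1, a2, a3 = col
    return [
        gf_mul(a0, 2) ^ gf_mul(a1, 3) ^ a2 ^ a3,
        a0 ^ gf_mul(a1, 2) ^ gf_mul(a2, 3) ^ a3,
        a0 ^ a1 ^ gf_mul(a2, 2) ^ gf_mul(a3, 3),
        gf_mul(a0, 3) ^ a1 ^ a2 ^ gf_mul(a3, 2),
    ]


def add_round_key(state: list, round_key: list) -> list:
    """Round key addition is merely XOR, column by column."""
    return [[s ^ k for s, k in zip(col, kcol)] for col, kcol in zip(state, round_key)]


def key_expansion(key: bytes) -> list:
    """AES-128: expand a 16-byte key into 44 four-byte words (1408 bits)."""
    if len(key) != 16:
        raise ValueError("this example handles 128-bit keys only")
    words = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 0x01
    for i in range(4, 44):
        temp = list(words[i - 1])
        if i % 4 == 0:
            temp = temp[1:] + temp[:1]            # RotWord
            temp = [SBOX[b] for b in temp]         # SubWord
            temp[0] ^= rcon                        # round constant
            rcon = gf_mul(rcon, 2)
        words.append([a ^ b for a, b in zip(words[i - 4], temp)])
    return words


def round_keys(words: list) -> list:
    """Cut the big key into round keys: first N bits, next N bits, ..."""
    return [words[4 * r:4 * r + 4] for r in range(len(words) // 4)]
```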
Advantages of the symmetric-key cryptography • can be designed to have high rates of data throughput - some hardware implementations achieve encryption rates of hundreds of megabytes per second, while software implementations may attain throughput rates in the megabytes per second • keys for symmetric-key ciphers are relatively short • can be composed to produce stronger ciphers. Simple transformations which are easy to analyse, and can be used to construct strong product ciphers. • have an extensive history
Disadvantages of the symmetric-key cryptography • in a bilateral communication, the key must remain secret at both ends • in a large network, there are many key pairs to be managed • In a bilateral communication between entities A and B, sound cryptographic practice dictates that the key be changed frequently, and perhaps for each communication session.
Asymmetric cryptography
Basic commentaries • Definition: an encryption scheme is asymmetric if there are at least two keys, one for encryption and a second one for decryption • asymmetric cryptography is not the same as public-key cryptography • Definition: public-key cryptography is an encryption scheme where there are at least two keys, one for encryption and a second one for decryption (secret key), and at the same time the key for encryption (public key) can be published • the basic principle of public-key cryptography: one public and one private key, often with authenticity bound to the public key (role of the CA – certification authority) • public-key encryption is most commonly used in practice: – for the transport of keys subsequently used for bulk data encryption by symmetric algorithms and other applications including data integrity and authentication – for encrypting small data items such as credit card numbers and PINs – to provide authentication guarantees in entity authentication (digital signatures) • scheme of an asymmetric cryptosystem
Basis of safety • basic question: is it possible to compute the secret key from the public key? • different safety basis for different algorithms; some classes of problems have similar computational difficulty (for example the integer factorisation problem and the discrete logarithm problem): – the integer factorisation problem – the discrete logarithm problem – the generalized discrete logarithm problem – the subset sum problem – the linear code decoding problem • most often discussed is the integer factorisation problem (RSA, Rabin, Blum-Goldwasser probabilistic)
The chosen algorithms
Name | Characteristics
RSA (Rivest – Shamir – Adleman) | most used cipher in the field of digital signatures and hybrid cryptology, simple algorithm, but relatively slow (high exponents, modular arithmetic)
ECDSA | digital signatures, based on elliptic curves (shorter keys)
D-H (Diffie – Hellman) | key exchange
ElGamal | ciphering; safety – the discrete logarithm problem, Diffie-Hellman problem
The chosen algorithms
Name | Characteristics
DSA (Digital Signature Algorithm) | digital signatures; safety – the discrete logarithm problem
Rabin | encryption; safety – the integer factorisation problem
Mathematical principles - primality • number of primes up to n: N ≈ n/ln(n) • primality testing vs. factoring – the problem of deciding whether an integer is composite or prime seems to be, in general, much easier than the factoring problem • the probabilistic primality tests – Fermat’s test (if n is a prime and a is any integer, 1 ≤ a ≤ n − 1, then a^(n−1) ≡ 1 (mod n); a is called a Fermat witness for n; problem – Carmichael numbers) – Carmichael numbers: n is a composite integer such that a^(n−1) ≡ 1 (mod n) for all integers a which satisfy gcd(a, n) = 1 – Solovay-Strassen test – Miller-Rabin test
RSA • nowadays the standard for asymmetric cryptology • digital signatures and hybrid cryptology • encryption is slow – safety is based on the difficulty of the integer factorisation problem when the integer has more than 200 decimal digits, and exponents of this order appear in the modular exponentiation C = M^e mod n
RSA Encryption and decryption: B encrypts a message m for A, which A decrypts. Encryption – B should do the following: (a) obtain A’s authentic public key (n, e); (b) represent the message as an integer m in the interval [0, n − 1]; (c) compute c = m^e mod n; (d) send the ciphertext c to A. Decryption – to recover the plaintext m from c, A should do the following: (a) use the private key d to recover m = c^d mod n.
RSA Key generation for RSA public-key encryption: • generate two large random (and distinct) primes p and q, each roughly the same size • compute n = pq and φ = (p − 1)(q − 1) • select a random integer e, 1 < e < φ, such that gcd(e, φ) = 1 • use the extended Euclidean algorithm to compute the unique integer d, 1 < d < φ, such that ed ≡ 1 (mod φ) • the public key is (n, e); the private key is d
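The primality material above worked through, as an added example that is not part of the original slides: the prime-counting estimate n/ln(n) against an exact sieve count, the Fermat condition a^(n−1) ≡ 1 (mod n), a check that a number is a Carmichael number (composite, yet every coprime base passes Fermat), and the Miller-Rabin test, which such numbers do not fool. The sample values 561 = 3·11·17, 1105 = 5·13·17 and 104729 are constructed for the test.

```python
import math
import random


def prime_count_estimate(n: int) -> float:
    """The slides' approximation of the number of primes up to n."""
    return n / math.log(n)


def prime_count(n: int) -> int:
    """Exact number of primes <= n by a sieve, to compare with the estimate."""
    sieve = bytearray([1]) * (n + 1)
    sieve[0:2] = b"\x00\x00"
    for p in range(2, int(n ** 0.5) + 1):
        if sieve[p]:
            sieve[p * p::p] = bytearray(len(sieve[p * p::p]))
    return sum(sieve)


def fermat_witness(n: int, a: int) -> bool:
    """True when a^(n-1) == 1 (mod n), i.e. base a says 'n may be prime'."""
    return pow(a, n - 1, n) == 1


def fermat_test(n: int, bases: tuple) -> bool:
    """Fermat's test over the given bases; a prime passes for every base."""
    return all(fermat_witness(n, a) for a in bases)


def miller_rabin(n: int, rounds: int = 20, rng=random.Random(1)) -> bool:
    """Write n - 1 = 2^s * d with d odd. For prime n, a^d is 1 or some
    square in the chain a^d, a^(2d), ... hits n - 1. A composite n passes a
    random base with probability at most 1/4, so the error is <= 4^-rounds,
    and there is no composite that passes every coprime base."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def is_carmichael(n: int) -> bool:
    """Composite n such that every base coprime to n passes Fermat's test."""
    if n < 3 or miller_rabin(n):
        return False
    return all(fermat_witness(n, a) for a in range(2, n) if math.gcd(a, n) == 1)
```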
RSA Definition: the integers e and d in RSA key generation are called the encryption exponent and the decryption exponent, respectively, while n is called the modulus Safety The problem of computing the RSA decryption exponent d from the public key (n; e), and the problem of factoring n, are computationally equivalent.
RSA – security problems • small encryption exponent e • small decryption exponent d • common modulus attack (knowledge of any (e_i, d_i) pair allows the factorisation of the modulus n) How to choose p and q • 1024-bit or larger moduli should be used • p and q should be about the same bit length, and sufficiently large. For example, if a 1024-bit modulus n is to be used, then each of p and q should be about 512 bits in length. • the difference (p − q) should not be too small. If (p − q) is small, then p ≈ q and hence p ≈ sqrt(n). Thus n could be factored efficiently simply by trial division by all odd integers close to sqrt(n). If p and q are chosen at random, then p − q will be appropriately large with overwhelming probability. • Use strong primes???
RSA – security problems: the strong primes. A prime p is said to be a strong prime if the following three conditions are fulfilled: • p − 1 has a large prime factor, denoted r; • p + 1 has a large prime factor; • r − 1 has a large prime factor • there is no special reason for requiring the use of strong primes in RSA key generation
Advantages of the asymmetric-key cryptography • Only the private key must be kept secret (the authenticity of public keys must, however, be guaranteed). • Depending on the mode of usage, a private key/public key pair may remain unchanged for considerable periods of time, e.g. many sessions (even several years). • Many public-key schemes yield relatively efficient digital signature mechanisms. • In a large network, the number of keys necessary may be considerably smaller than in the symmetric-key scenario.
Disadvantages of the asymmetric-key cryptography • Throughput rates for the most popular public-key encryption methods are several orders of magnitude slower than the best known symmetric-key schemes. • Key sizes are typically much larger than those required for symmetric-key encryption. • No public-key scheme has been proven to be secure (the same can be said for block ciphers). The most effective public-key encryption schemes found to date have their security based on the presumed difficulty of a small set of number-theoretic problems. • Public-key cryptography does not have as extensive a history as symmetric-key encryption, being discovered only in the mid 1970s.
Hybrid cryptology • a suitable combination of the advantages of symmetric and asymmetric cryptology • scheme of a hybrid cryptosystem • solves the problems of: speed of algorithms, key management, authorisation of the communicating parties, level of safety, digital signatures (a data string which associates a message (in digital form) with some originating entity) • detailed scheme
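The RSA key generation and encryption steps from the slides, together with the checks on p and q listed above, as an added example that is not part of the original slides: d is computed with the extended Euclidean algorithm, and the generator refuses prime pairs that are equal, of very different bit lengths, or too close together (the case where p ≈ sqrt(n)). The primes 999983 and 1299709 are small constructed values for illustration; the slides call for primes of about 512 bits each, and the minimum gap parameter is an assumption of this example.

```python
def extended_gcd(a: int, b: int):
    """Return (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    x0, y0, x1, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def check_primes(p: int, q: int, min_gap_bits: int) -> list:
    """Return the slides' rules that (p, q) violate; an empty list is good."""
    problems = []
    if p == q:
        problems.append("p and q must be distinct")
    if abs(p.bit_length() - q.bit_length()) > 1:
        problems.append("p and q should have about the same bit length")
    if abs(p - q) < (1 << min_gap_bits):
        # p close to q means p is close to sqrt(n), so trial division near
        # sqrt(n) would factor n quickly
        problems.append("|p - q| is too small")
    return problems


def generate_keypair(p: int, q: int, e: int = 65537, min_gap_bits: int = 8):
    """Return the public key (n, e) and the private exponent d."""
    problems = check_primes(p, q, min_gap_bits)
    if problems:
        raise ValueError("; ".join(problems))
    n = p * q
    phi = (p - 1) * (q - 1)
    g, x, _ = extended_gcd(e, phi)
    if g != 1:
        raise ValueError("e must be coprime to phi")
    d = x % phi          # the unique d with e*d = 1 (mod phi), 1 < d < phi
    return (n, e), d


def encrypt(m: int, public_key) -> int:
    """B computes c = m^e mod n for a message 0 <= m <= n - 1."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n - 1]")
    return pow(m, e, n)


def decrypt(c: int, d: int, n: int) -> int:
    """A recovers m = c^d mod n with the private key d."""
    return pow(c, d, n)
```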
Steganography
Principles /6/
Examples /8/ Secret message M1 • „Steganography is the art and science of communicating in a way which hides the existence of the communication. In contrast to cryptography, where the “enemy” is allowed to detect, intercept and modify messages without being able to violate certain security premises guaranteed by a cryptosystem, the goal of steganography is to hide messages inside other “harmless” messages in a way that does not allow any “enemy” to even detect that there is a second secret message present [Markus Kuhn 1995].“ • Secret picture M2
Examples /8/ Cover picture C1 | Cover picture C2
Examples /8/ M1 + C1 | M2 + C2
Examples – linguistic steganography /9/ • News Eight Weather: Tonight increasing snow. Unexpected precipitation smothers eastern towns. Be extremely cautious and use snowtires especially heading east. The highways are knowingly slippery. Highway evacuation is suspected. Police report emergency situations in downtown ending near Tuesday. • the first letters hide the message: Newt is upset because he thinks he is President
Examples – linguistic steganography (Czech cover text, given here in English translation): Tourism is a complex social phenomenon, interwoven with many fields and viewed from many perspectives, without any firmly definable boundaries; it is the synergistic sum of all phenomena, relationships and impacts in a spatio-temporal context that are connected with the growing mobility of people motivated by satisfying their needs in the areas of leisure, recreation, travel, learning, social, cultural and other areas. The substance of tourism consists above all of the aggregate activities of tourism participants, the processes connected with building and operating facilities that provide services for tourism participants, activities connected with developing and protecting resources for tourism, the sum of political and public-administration activities (tourism policy, promotion and regulation, international cooperation, etc.) and at the same time the reaction of the local community and local ecosystems (feedback) to the activities listed. (Times New Roman as the basic font and CG Times for the message; the message is „vesmír se rozpíná“ – „the universe is expanding“)
Marking - properties: a robust marking system has the following properties: • Marks should not degrade the perceived quality of the work • Detecting the presence and/or value of a mark should require knowledge of a secret • If multiple marks are inserted in a single object, then they should not interfere with each other; moreover, if different copies of an object are distributed with different marks, then different users should not be able to process their copies in order to generate a new copy that identifies none of them • The mark should survive all attacks that do not degrade the work's perceived quality, including re-sampling, re-quantisation, compression and especially combinations of these
Cryptanalysis
Cryptanalysis is much easier when /5, 7/:
1. There is a priori knowledge about the plaintext – for example the language in which the message could be written
2. There is redundant information in the plaintext – for example the structure of words, diacritics, the language's own redundancy
3. The cryptographic system is known – for example the length and the structure of keys, the dependence of ciphering time on the length of the key, the way of deriving the private key from the public key
4. There is a failure in the cryptographic protocol – for example an unsuitable way of signing a message without hashing it, the repeated use of a one-time key in the Vernam cipher, the repeated use of the same modulus with different exponents in RSA
5. Other specific knowledge is available – for example access to the RSA public key enables a specific form of brute force attack: generating possible texts, encrypting them and comparing with the given ciphertext
The basic cryptanalytic attacks • A ciphertext-only attack - the adversary (or cryptanalyst) tries to deduce the decryption key or plaintext by only observing ciphertext. Any encryption scheme vulnerable to this type of attack is considered to be completely insecure. • A known-plaintext attack - the adversary has a quantity of plaintext and corresponding ciphertext. • A chosen-plaintext attack - the adversary chooses plaintext and is then given corresponding ciphertext. Subsequently, the adversary uses any information deduced in order to recover plaintext corresponding to previously unseen ciphertext. • special types: – rubber-hose cryptanalysis – corruption cryptanalysis
Cryptanalysis and the key space • An encryption scheme can be broken by trying all possible keys to see which one the communicating parties are using (assuming that the class of encryption functions is public knowledge). This is called an exhaustive search of the key space. It follows then that the number of keys (i.e. the size of the key space) should be large enough to make this approach computationally infeasible. It is the objective of a designer of an encryption scheme that this be the best approach to break the system.
Cryptanalysis of the classical ciphers • language statistics • Kasiski’s method – determines the number of monoalphabetic substitutions (the keyword length) in a polyalphabetic substitution; the number of characters between the beginnings of repeated ciphertext segments is a multiple of the keyword length • index of coincidence – an alternative to Kasiski’s method
Cryptanalysis of the classical ciphers: index of coincidence of the chosen languages /7/
language | index of coincidence
English | 0.066895
Danish | 0.070731
Finnish | 0.073796
French | 0.074604
Spanish | 0.076613
Dutch | 0.079805
German | 0.076667
Italian | 0.073294
Russian | 0.056074
Slovak | 0.06027
Cryptanalysis of the classical ciphers: index of coincidence in dependence on the key length /7/ (I(C) × 100000)
key length | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10
I(C)×100000 | 6027 | 4936 | 4573 | 4391 | 4282 | 4295 | 4157 | 4119 | 4088 | 4064
key length | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20
I(C)×100000 | 4044 | 4028 | 4014 | 4002 | 3991 | 3982 | 3974 | 3967 | 3961 | 3955
Brute force attack • the only attack against high-quality algorithms • can be supported by other techniques which reduce the key space (differential cryptanalysis, linear cryptanalysis, timing attack, meet-in-the-middle attack, etc.) • the best known form is the attack trying all keys from the key space (a variant of the attack against the key space), but there are many other variants, not only against the key space but against other characteristics of the algorithms: – generating ciphertexts of all possible texts and comparing the ciphertext with the database of generated ciphertexts (mainly against public-key cryptography and hash functions) – factorisation of the modulus – attack against the key in RSA – finding the discrete logarithm • what to do against a brute force attack: – long key – long block (against the accompanying methods) – random numbers in part of the block – analyse progress in alternative computing – publish the algorithms
Brute force attack • New possible techniques, methods: – Quantum computers – DNA computers – Different versions of the parallel computing (partly as ideas): • Biological computer • Chinese lottery • Users of internet • Computer viruses
Brute force attack - quantum computers • the most progressive technology (high speed, new concept of computing) but… • high technological difficulties – low temperatures, high stability of laser pulses, errors and their detection, etc. • last year – factorisation of the number 15 (figure: initial conditions → development in time → detection of the final state)
Attacks against protocols (Menezes et al) • known-key attack. In this attack an adversary obtains some keys used previously and then uses this information to determine new keys. • replay. In this attack an adversary records a communication session and replays the entire session, or a portion thereof, at some later point in time. • impersonation. Here an adversary assumes the identity of one of the legitimate parties in a network. • dictionary. This is usually an attack against passwords. Typically, a password is stored in a computer file as the image of an unkeyed hash function. When a user logs on and enters a password, it is hashed and the image is compared to the stored value. An adversary can take a list of probable passwords, hash all entries in this list, and then compare this to the list of true encrypted passwords with the hope of finding matches. • forward search. This attack is similar in spirit to the dictionary attack and is used to decrypt messages.
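The dictionary attack described above and its standard mitigation, as an added example that is not part of the original slides: with the password stored as the image of an unkeyed hash, one table of hashed probable passwords matches every user who chose one of them; a random per-user salt and an iterated key-derivation function (PBKDF2-HMAC-SHA256 is assumed here) make each stored value unique and each guess expensive. The password records and candidate list are constructed.

```python
import hashlib
import hmac
import secrets


def store_unkeyed(password: str) -> str:
    """The scheme from the slides: the stored value is h(password)."""
    return hashlib.sha256(password.encode()).hexdigest()


def dictionary_hits(stored: dict, candidates: list) -> dict:
    """Hash every probable password once and compare with all stored images.
    One table serves every user because nothing user-specific enters the hash."""
    table = {store_unkeyed(c): c for c in candidates}
    return {user: table[image] for user, image in stored.items() if image in table}


def store_salted(password: str, iterations: int = 100_000) -> dict:
    """Mitigation: a random 16-byte salt per user (so equal passwords give
    different records and no shared table exists) and an iterated KDF."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "digest": digest.hex()}


def verify_salted(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest.hex(), record["digest"])
```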
Case study: Attacks against protocol for RSA
• Alice has a ciphertext $c$, where $c \equiv m^e \pmod n$, and wishes to read it; she is looking for the plaintext $m \equiv c^d \pmod n$. What Alice knows: the public key $e$, the modulus $n$ and $c$.
• She chooses a random number $r$, $r < n$, and computes $x$, $y$ and $t$:
  $x \equiv r^e \pmod n$, $y \equiv x c \pmod n$, $t \equiv r^{-1} \pmod n$
• If $x \equiv r^e \pmod n$, then $r \equiv x^d \pmod n$. Now she sends $y$ to be signed with the secret key and gets back $u \equiv y^d \pmod n$.
• Alice computes
  $t u \equiv r^{-1} y^d \equiv r^{-1} x^d c^d \equiv r^{-1} r c^d \equiv m \pmod n$
• and although she does not know the secret key, she can read the message
• Conclusion:
  – the cryptographic protocol has the same importance as the message
  – never sign an unknown message without the use of a hash function
Case study: Attacks against protocol for RSA
• common modulus $n$: $c_1 \equiv m^{e_1} \pmod n$, $c_2 \equiv m^{e_2} \pmod n$
• Alice knows $n$, $e_1$, $e_2$, $c_1$, $c_2$ (the modulus, the two public keys, and the same message unsuitably encrypted under both)
• $\gcd(e_1, e_2) = 1$ (following from their definition relative to $(p-1)(q-1)$), so she can find $r$ and $s$ such that $r e_1 + s e_2 = 1$; choosing $r < 0$ she computes
  $(c_1^{-1})^{-r} \cdot c_2^{\,s} \equiv (m^{e_1})^{r} \cdot (m^{e_2})^{s} \equiv m^{r e_1 + s e_2} \equiv m \pmod n$
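Both case studies above worked through in code, as an added example that is not part of the slides: the first (blinding an unknown ciphertext and unblinding the raw signature) and the second (recovering a message encrypted under two coprime exponents with one modulus). The toy RSA parameters, the plaintext and the blinding factor are constructed for illustration; the "hashed signer" shows the slide's countermeasure, signing $H(y)$ instead of $y$, so that the signature no longer carries the multiplicative relation the first attack relies on.

```python
import hashlib

# Toy RSA parameters, constructed for this example (far too small for real use;
# they exist only to make the algebra on the slides visible).
P, Q = 61, 53
N = P * Q                  # Bob's modulus n = 3233
PHI = (P - 1) * (Q - 1)    # 3120
E1 = 17                    # Bob's public exponent e1
D1 = pow(E1, -1, PHI)      # Bob's secret exponent d1 = 2753
E2 = 413                   # a second public exponent sharing the same modulus n


def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def sign_raw(y):
    """Bob as the first slide describes him: signs whatever he is given, y^d mod n."""
    return pow(y, D1, N)


def digest_mod_n(y):
    """Unkeyed hash of the value to be signed, reduced into Z_n."""
    h = hashlib.sha256(str(y).encode()).digest()
    return int.from_bytes(h, "big") % N


def sign_hashed(y):
    """Bob after the slide's countermeasure: signs H(y), never the raw value y."""
    return pow(digest_mod_n(y), D1, N)


def blinding_attack(c, e, n, signer, r=7):
    """First case study: recover m = c^d mod n via a signing oracle, d unknown.

    r is the blinding factor and must be coprime to n (7 is, for the toy modulus).
    """
    x = pow(r, e, n)          # x = r^e mod n
    y = (x * c) % n           # y = x*c = (r*m)^e mod n
    t = pow(r, -1, n)         # t = r^{-1} mod n
    u = signer(y)             # raw signer returns y^d = r * c^d = r * m mod n
    return (t * u) % n        # r^{-1} * r * m = m


def common_modulus_attack(c1, c2, e1, e2, n):
    """Second case study: same m encrypted under coprime e1, e2 with one modulus."""
    g, r, s = egcd(e1, e2)
    if g != 1:
        raise ValueError("exponents must be coprime")

    # r*e1 + s*e2 = 1 and exactly one coefficient is negative. A negative exponent
    # is applied to the modular inverse of the ciphertext, which is the slide's (c1^-1)^-r.
    def power(c, k):
        return pow(c, k, n) if k >= 0 else pow(pow(c, -1, n), -k, n)

    return (power(c1, r) * power(c2, s)) % n   # m^(r*e1 + s*e2) = m mod n


if __name__ == "__main__":
    M = 1234                                    # constructed plaintext, gcd(M, N) == 1
    C1 = pow(M, E1, N)
    C2 = pow(M, E2, N)
    print("blinding attack, raw signer:   ", blinding_attack(C1, E1, N, sign_raw))
    print("blinding attack, hashed signer:", blinding_attack(C1, E1, N, sign_hashed))
    print("common modulus attack:         ", common_modulus_attack(C1, C2, E1, E2, N))
```

With `sign_raw` the unblinded value is exactly $m$; with `sign_hashed` the returned $u$ satisfies $u^{e} \equiv H(y) \pmod n$ rather than $u^{e} \equiv y$, so multiplying by $r^{-1}$ yields nothing related to $m$. The common-modulus step needs $\gcd(c_1, n) = 1$ for the inverse to exist, which holds whenever $m$ is coprime to $n$.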
Conclusion
• nowadays cryptology offers a large number of cryptographic tools; these tools can be combined and chosen optimally according to the targets
• symmetric and asymmetric cryptology have their typical advantages; the advantages can be combined in hybrid cryptology
• the cryptographic protocol has the same importance for the safety of a cryptosystem as the cryptographic algorithm
• the role of modern cryptology is not only the privacy (or hiding) of messages but ensuring data integrity (hash function), non-repudiation (digital signature) and authorization (digital signature, hash function)
• cryptology is a basis of E-business
• a cryptosystem is only as strong (safe) as its weakest element (cryptographic algorithm, key management, cryptographic protocol)
• cryptology can be a strong security service
Cryptology
1. Which method can you effectively use for cryptanalysis of the Caesar cipher?
  – the frequency analysis of letters
  – ad hoc method
  – combination of ad hoc method and the frequency analysis of letters
  – brute force attack
2. Which method can you effectively use for cryptanalysis of a monoalphabetic cipher?
  – the frequency analysis of letters
  – ad hoc method
  – combination of ad hoc method and the frequency analysis of letters
  – brute force attack
3. What is the basis of the security of RSA?
  – Obscurity of the algorithm
  – Difficulty of factorisation of a large integer
  – Good secrecy of the key
Cryptology
4. Which methods (in principle) of proving primality are used in cryptology?
  – Probabilistic testing
  – Dividing by primes up to sqrt(n)
  – Frequency analysis
  – Kasiski method
5. Can you use frequency analysis for cryptanalysis of modern encryption algorithms?
6. What is the advantage of combining steganography and cryptology?
7. Does a theoretically unbreakable encryption algorithm exist?
8. What are the uses of the hash function in cryptology?
9. What is the difference between an electronic and a digital signature?
Cryptology
10. Can you compare the role of biometry and cryptology in the process of entity authorisation?
11. Why do you use a hash function in the cryptographic protocol for digital signature?
12. What is the difference between a one-way function and a pseudo-one-way function?
13. Which knowledge can you use in the attack against „classic“ cryptosystems?
14. Which knowledge can you use in the attack against modern cryptosystems?
15. What is the common brute force attack against symmetric cryptosystems and asymmetric cryptosystems?
16. What is a „dictionary attack“? Can you describe its forms? What kind of countermeasures can you take?
17. What are the problems of frequency analysis of ciphertext?
18. Can techniques of „classic“ cryptographic algorithms be used nowadays?
Cryptology
19. What is the most important property of the Vernam cipher?
20. Why is the problem of factorising integers so frequently discussed?
21. What does legislation say about digital signature?
Literature, information resources
1. Kahn: The Codebreakers
2. Menezes, A. J., van Oorschot, P. C., Vanstone, S. A.: Handbook of Applied Cryptography, CRC Press, 1996
3. Schneier, B.: Applied Cryptography, Second Edition: Protocols, Algorithms, and Source Code in C, John Wiley & Sons, 1996
4. Daemen, J., Rijmen, V.: The Rijndael Block Cipher, AES Proposal, 2000
5. Zelenka, J. et al.: Ochrana dat. Kryptologie. Gaudeamus, Hradec Králové, 2003
6. Simmons, G. J.: The Prisoners' Problem and the Subliminal Channel, in Advances in Cryptology, Proceedings of Crypto '83, Plenum Press, 1984, pp. 51-67
7. Grošek, O., Porubský, Š.: Šifrovanie, Grada, 1992, ISBN 80-85424-62-2
8. Johnson, Neil F.: Steganography [online], 2000 [cit. 2002-02-26], www.jjtc.com/stegdoc/
9. Petitcolas, Fabien A. P.: History of Steganography [online], [cit. 2002-02-26],