Transcript Document
CS 5950/6030 Network Security
Class 6 (W, 9/14/05)
Leszek Lilien
Department of Computer Science
Western Michigan University
[Using some slides prepared by:
Prof. Aaron Striegel, U. of Notre Dame
Prof. Barbara Endicott-Popovsky, U. Washington, Prof. Deborah Frincke, U. Idaho
and Prof. Jussipekka Leiwo, Vrije Universiteit, Amsterdam, The Netherlands]
Section 2 – Class 6
Class 5:
2A.2-cont. - Basic Terminology and Notation
Cryptanalysis
Breakable Encryption
2A.4. Representing Characters
2B. Basic Types of Ciphers
2B.1. Substitution Ciphers
a. The Ceasar Cipher
b. Other Substitution Ciphers — PART 1
Class 6:
b. Other Substitution Ciphers — PART 2
c. One-Time Pads
2B.2. Transposition Ciphers
2B.3. Product Ciphers
2C. Making „Good” Ciphers
2C.1. Criteria for „Good” Ciphers
2
2A.2.-CONT- Basic Terminology and
Notation (2A.2 addendum)
Cryptanalysis
Breakable Encryption
3
2A.4. Representing Characters
Letters (uppercase only) represented by numbers 0-25
(modulo 26).
A B C D ...
X
Y
Z
0 1 2 3 ... 23 24 25
Operations on letters:
A + 2 = C
X + 4 = B
(circular!)
...
4
2B. Basic Types of Ciphers
Substitution ciphers—PART 1
Substitution ciphers—PART 2
Transposition (permutation) ciphers
Product ciphers
5
2B.1. Substitution Ciphers
Substitution ciphers:
Letters of P replaced with other letters by E
Outline:
a. The Caesar Cipher
b. Other Substitution Ciphers — PART 1
b. Other Substitution Ciphers — PART 2
c. One-time Pads
6
a. The Caesar Cipher (1)
ci=E(pi)=pi+3 mod 26
(26 letters in the English alphabet)
Change each letter to the third letter following it
(circularly)
A D, B E, ... X A, Y B, Z C
Can represent as a permutation : (i) = i+3 mod 26
(0)=3, (1)=4, ...,
(23)=26 mod 26=0, (24)=1, (25)=2
Key = 3, or key = ‘D’ (bec. D represents 3)
7
Attacking a Substitution Cipher
Exhaustive search
If the key space is small enough, try all possible keys
until you find the right one
Cæsar cipher has 26 possible keys
from A to Z OR: from 0 to 25
Statistical analysis (attack)
Compare to so called 1-gram (unigram) model of
English
It shows frequency of (single) characters in English
[cf. Barbara Endicott-Popovsky, U. Washington]
8
Cæsar’s Problem
Conclusion: Key is too short
1-char key – monoalphabetic substitution
Can be found by exhaustive search
Statistical frequencies not concealed well by short key
They look too much like ‘regular’ English letters
Solution: Make the key longer
n-char key (n 2) – polyalphabetic substitution
Makes exhaustive search much more difficult
Statistical frequencies concealed much better
Makes cryptanalysis harder
[cf. Barbara Endicott-Popovsky, U. Washington]
9
b. Other Substitution Ciphers
n-char key
Polyalphabetic substitution ciphers
Vigenère Tableaux cipher — PART 1
Vigenère Tableaux cipher — PART 2
10
Note: Row
Row
Row
...
Row
Vigenère Tableaux (1)
P
A – shift 0 (a->a)
B – shift 1 (a->b)
C – shift 2 (a->c)
Z – shift 25 (a->z)
[cf. J. Leiwo, VU, NL]
11
Class 5 Ended Here
12
Vigenère Tableaux (2)
Example
Key:
EXODUS
Plaintext P:
YELLOW SUBMARINE FROM YELLOW RIVER
Extended keyword (re-applied to mimic words in P):
YELLOW SUBMARINE FROM YELLOW RIVER
EXODUS EXODUSEXO DUSE XODUSE XODUS
Ciphertext:
cbxoio wlppujmks ilgq vsofhb owyyj
Question: How derived from the keyword and
Vigenère tableaux?
[cf. J. Leiwo, VU, NL] 13
Vigenère Tableaux (3)
Example
...
Extended keyword (re-applied to mimic words in P):
YELLOW SUBMARINE FROM YELLOW RIVER
EXODUS EXODUSEXO DUSE XODUSE XODUS
Ciphertext:
cbzoio wlppujmks ilgq vsofhb owyyj
Answer:
c from P indexes row
c from extended key indexes column
e.g.: row Y and column e ‘c’
row E and column x ‘b’
row L and column o ‘z’
...
[cf. J. Leiwo, VU, NL] 14
c. One-Time Pads (1)
OPT - variant of using Vigenère Tableaux
Fixes problem with VT: key used might be too short
Above: ‘EXODUS’ – 6 chars
Sometimes considered a perfect cipher
One-Time Pad:
Used extensively during Cold War
Large, nonrepeating set of long keys on pad sheets/pages
Sender and receiver have identical pads
Example:
300-char msg to send, 20-char key per sheet
=> use & tear off 300/20 = 15 pages from the pad
15
One-Time Pads (2)
Example – cont.:
Encryption:
Sender writes letters of consecutive 20-char keys
above the letters of P (from the pad 15 pages)
Sender encipher P using Vigenère Tableaux (or other
prearranged chart)
Sender destroys used keys/sheets
Decryption:
Receiver uses Vigenère Tableaux
Receiver uses the same set of consecutive 20-char
keys from the same 15 consecutive pages of the pad
Receiver destroys used keys/sheets
16
One-Time Pads (3)
Note:
Effect: a key as long as the message
If only key length ≤ the number of chars in the pad
The key is always changing (and destroyed after use)
Weaknesses
Perfect synchronization required between S and R
Intercepted or dropped messages can destroy synchro
Need lots of keys
Needs to distribute pads securely
No problem to generate keys
Problem: printing, distribution, storing, accounting
Frequency distribution not flat enough
Non-flat distribution facilitates breaking
17
Types of One-Time Pads
Vernam Cipher
= (lttr + random nr) mod 26 (p.48)
Need (pseudo) random nr generator
E.g., V = 21; (V +76) mod 26 = 97 mod 26 = 19; 19 = t
Book Ciphers (p.49)
Book used as a pad
need not destroy – just don’t reuse keys
Use common Vigenère Tableaux
Details: textbook
Incl. example of breaking a book cipher
Bec. distribution not flat
18
Question:
Does anybody know other ciphers using books?
Or invent your own cipher using books?
19
Question:
...other ciphers using books?
My examples:
Use any agreed upon book
P: SECRET
Example 1:
Page 52 from a book:
52
ever, making predictions in ten letter
seven of those secret positi
gorithm
Example 2:
Use:
(page_nr, line_nr,
letter_in_line)
Use:
(page_nr, line_nr,
word_nr)
C: 52 2 1 52 1 1 52 1 16 ...
C: 52 2 4
Better: use different pages for
each char in P
Computer can help find words in
a big electronic book quickly!
20
2B.2. Transposition Ciphers (1)
Rearrange letters in plaintext to produce ciphertext
Example 1a and 1b: Columnar transposition
Plaintext: HELLO WORLD
(b) onto 2 columns:
HE
LL
OW
OR
Ciphertext (read column-by column):
LD
(a) hlodeorxlwlx
(b) hloolelwrd
Transposition onto: (a) 3 columns:
HEL
LOW
ORL
DXX
XX - padding
What is the key?
Number of columns: (a) key = 3 and (b) key = 2
21
Transposition Ciphers (2)
Example 2: Rail-Fence Cipher
Plaintext:
HELLO WORLD
Transposition into 2 rows (rails) column-by-column:
HLOOL
ELWRD
Ciphertext: hloolelwrd
(Does it look familiar?)
[cf. Barbara Endicott-Popovsky, U. Washington]
What is the key?
Number of rails
key = 2
22
Attacking Transposition Ciphers
Anagramming
n-gram – n-char strings in English
Digrams (2-grams) for English alphabet are are: aa, ab,
ac, ...az, ba, bb, bc, ..., zz
(262 rows in digram table)
Trigrams are: aaa, aab, ...
(263 rows)
4-grams (quadgrams?) are: aaaa, aaab, ... (264 rows)
Attack procedure:
If 1-gram frequencies in C match their freq’s in English but
other n-gram freq’s in C do not match their freq’s in
English, then it is probably a transposition encryption
Find n-grams with the highest frequencies in C
Start with n=2
Rearrange substrings in C to form n-grams with highest
freq’s
[cf. Barbara Endicott-Popovsky, U. Washington]
23
Example: Step 1
Ciphertext C: hloolelwrd (from Rail-Fence cipher)
N-gram frequency check
1-gram frequencies in C do match their frequencies in English
2-gram (hl, lo, oo, ...) frequencies in C do not match their
frequencies in English
Question: How frequency of „hl” in C is calculated?
3-gram (hlo, loo, ool, ...) frequencies in C do not match their
frequencies in English
...
=> it is
probably a transposition
Frequencies in English for all 2-grams from C starting with h
he 0.0305
as table of freq’s
of English digrams
ho 0.0043
shows
hl, hw, hr, hd < 0.0010
Implies that in hloolelwrd e follows h
[cf. Barbara Endicott-Popovsky, U. Washington]
24
Example: Step 2
Arrange so the h and e are adjacent
Since 2-gram suggests a solution, cut C into 2 substrings –
the 2nd substring starting with e:
hlool elwrd
Put them in 2 columns:
he
ll
ow
or
ld
Read row by row, to get original P: HELLO WORLD
[cf. Barbara Endicott-Popovsky, U. Washington]
25
2B.3. Product Ciphers
A.k.a. combination ciphers
Built of multiple blocks, each is:
Substitution
Transposition
or:
Example: two-block product cipher
E2(E1(P, KE1), KE2)
Product cipher might not be stronger than its
individual components used separately!
Might not be even as strong as individual components
26
Survey of Students’ Background
and Experience (1)
Background Survey
CS 5950/6030 Network Security - Fall 2005
Please print all your answers.
First name: __________________________ Last name: _____________________________
Email
_____________________________________________________________________
Undergrad./Year ________
OR: Grad./Year or Status (e.g., Ph.D. student) ________________
Major
_____________________________________________________________________
PART 1. Background and Experience
1-1)Please rate your knowledge in the following areas (0 = None, 5 = Excellent).
UNIX/Linux/Solaris/etc. Experience (use, administration, etc.)
0
1
2
3
Network Protocols (TCP, UDP, IP, etc.)
0
1
2
3
Cryptography (basic ciphers, DES, RSA, PGP, etc.)
0
1
2
3
Computer Security (access control, security fundamentals, etc.)
0
1
2
3
4
5
4
5
4
5
4
5
Any new students
who did not fill out the survey?
27
2C. Making „Good” Ciphers
Cipher = encryption algorithm
Outline
2C.1. Criteria for „Good” Ciphers
2C.2. Stream and Block Ciphers
2C.3. Cryptanalysis
2C.4. Symmetric and Asymmetric Cryptosystems
28
2C.1. Criteria for „Good” Ciphers (1)
„Good” depends on intended application
Substitution
Transposition
C scrambles text => hides n-grams for n > 1
Product ciphers
C hides chars of P
If > 1 key, C dissipates high frequency chars
Can do all of the above
What is more important for your app?
What facilities available to sender/receiver?
E.g., no supercomputer support on the battlefield
29
Criteria for „Good” Ciphers (2)
Claude Shannon’s criteria (1949):
1. Needed degree of secrecy should determine amount of
labor
How long does the data need to stay secret?
(cf. Principle of Adequate Protection)
2. Set of keys and enciphering algorithm should be free from
complexity
Can choose any keys or any plaintext for given E
E not too complex
(cf. Principle of Effectiveness)
3. Implementation should be as simple as possible
Complexity => errors
(cf. Principle of Effectiveness)
[cf. A. Striegel] 30
Criteria for „Good” Ciphers (3)
Shannon’s criteria (1949) – cont.
4. Propagation of errors should be limited
Errors happen => their effects should be limited
One error should not invlidate the whole C
(None of the 4 Principles — Missing? — Invent a new Principle?)
5. Size / storage of C should be restricted
Size (C) should not be > size (P)
More text is more data for cryptanalysts to work with
Need more space for storage, more time to send
(cf. Principle of Effectiveness)
Proposed at the dawn of computer era –
still valid!
[cf. A. Striegel] 31
Criteria for „Good” Ciphers (4)
Characteristics of good encryption schemes
Confusion:
interceptor cannot predict what will happen to C when she
changes one char in P
E with good confusion:
hides well relationship between P”+”K, and C
Diffusion:
changes in P spread out over many parts of C
Good diffusion => attacker needs access to much of C
to infer E
32
Criteria for „Good” Ciphers (5)
Commercial Principles of Sound Encryption Systems
1. Sound mathematics
Proven vs. not broken so far
2. Verified by expert analysis
Including outside experts
3. Stood the test of time
Long-term success is not a guarantee
Still. Flows in many E’s discovered soon after their release
Examples of popular commercial E’s:
DES / RSA / AES
DES = Data Encryption Standard
RSA = Rivest-Shamir-Adelman
AES = Advanced Encryption Standard (rel. new)
[cf. A. Striegel] 33
Continued - Class 7