
CS 5950/6030 Network Security
Class 6 (W, 9/14/05)
Leszek Lilien
Department of Computer Science
Western Michigan University
[Using some slides prepared by:
Prof. Aaron Striegel, U. of Notre Dame
Prof. Barbara Endicott-Popovsky, U. Washington, Prof. Deborah Frincke, U. Idaho
and Prof. Jussipekka Leiwo, Vrije Universiteit, Amsterdam, The Netherlands]
Section 2 – Class 6
Class 5:
2A.2-cont. - Basic Terminology and Notation
Cryptanalysis
Breakable Encryption
2A.4. Representing Characters
2B. Basic Types of Ciphers
2B.1. Substitution Ciphers
a. The Caesar Cipher
b. Other Substitution Ciphers — PART 1
Class 6:
b. Other Substitution Ciphers — PART 2
c. One-Time Pads
2B.2. Transposition Ciphers
2B.3. Product Ciphers
2C. Making „Good” Ciphers
2C.1. Criteria for „Good” Ciphers
2
2A.2.-CONT- Basic Terminology and Notation (2A.2 addendum)
- Cryptanalysis
- Breakable Encryption
3
2A.4. Representing Characters

Letters (uppercase only) represented by numbers 0-25 (modulo 26).

A B C D ... X  Y  Z
0 1 2 3 ... 23 24 25

Operations on letters (circular!):
A + 2 = C
X + 4 = B
...
4
2B. Basic Types of Ciphers

Substitution ciphers—PART 1
Substitution ciphers—PART 2

Transposition (permutation) ciphers


Product ciphers
5
2B.1. Substitution Ciphers

Substitution ciphers:


Letters of P replaced with other letters by E
Outline:
a. The Caesar Cipher
b. Other Substitution Ciphers — PART 1
b. Other Substitution Ciphers — PART 2
c. One-time Pads
6
a. The Caesar Cipher (1)
- c_i = E(p_i) = (p_i + 3) mod 26
  (26 letters in the English alphabet)
  Change each letter to the third letter following it (circularly)
  A → D, B → E, ... X → A, Y → B, Z → C
- Can represent as a permutation π: π(i) = (i + 3) mod 26
  π(0) = 3, π(1) = 4, ...,
  π(23) = 26 mod 26 = 0, π(24) = 1, π(25) = 2
- Key = 3, or key = ‘D’ (because D represents 3)
7
Attacking a Substitution Cipher
- Exhaustive search
  - If the key space is small enough, try all possible keys until you find the right one
  - Cæsar cipher has 26 possible keys: from A to Z, OR: from 0 to 25
- Statistical analysis (attack)
  - Compare to the so-called 1-gram (unigram) model of English
  - It shows the frequency of (single) characters in English
[cf. Barbara Endicott-Popovsky, U. Washington]
8
Cæsar’s Problem
- Conclusion: Key is too short
  - 1-char key – monoalphabetic substitution
    - Can be found by exhaustive search
    - Statistical frequencies not concealed well by short key
      - They look too much like ‘regular’ English letters
- Solution: Make the key longer
  - n-char key (n ≥ 2) – polyalphabetic substitution
    - Makes exhaustive search much more difficult
    - Statistical frequencies concealed much better
      - Makes cryptanalysis harder
[cf. Barbara Endicott-Popovsky, U. Washington]
9
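The two attacks on the Caesar cipher described above, combined in one added example (not part of the original slides): every one of the 26 keys is tried, and each trial decryption is scored against a unigram model of English. The frequency table holds approximate standard values and the sample message is constructed for the demonstration.

```python
import string

A = string.ascii_uppercase
# Approximate percentage frequency of each letter A..Z in English text
# (the 1-gram model; standard published values, rounded).
FREQ = dict(zip(A, [8.17, 1.49, 2.78, 4.25, 12.70, 2.23, 2.02, 6.09, 6.97,
                    0.15, 0.77, 4.03, 2.41, 6.75, 7.51, 1.93, 0.10, 5.99,
                    6.33, 9.06, 2.76, 0.98, 2.36, 0.15, 1.97, 0.07]))

def shift(text, k):
    """Add k (mod 26) to every letter; anything else is copied unchanged."""
    return "".join(A[(A.index(c) + k) % 26] if c in A else c
                   for c in text.upper())

def caesar_encrypt(plaintext, key=3):
    # Ciphertext is written in lowercase, as on the slides.
    return shift(plaintext, key).lower()

def caesar_decrypt(ciphertext, key):
    return shift(ciphertext, -key)

def english_score(text):
    """Mean unigram frequency of the letters: higher looks more like English."""
    letters = [c for c in text if c in A]
    return sum(FREQ[c] for c in letters) / max(len(letters), 1)

def break_caesar(ciphertext):
    """Exhaustive search over all 26 keys, ranked by the unigram score."""
    trials = [(english_score(caesar_decrypt(ciphertext, k)), k)
              for k in range(26)]
    _, key = max(trials)
    return key, caesar_decrypt(ciphertext, key)

# Constructed sample message, not taken from the slides.
SAMPLE = ("MEET ME AT THE NORTH GATE OF THE CASTLE "
          "AFTER SUNSET AND BRING THE LETTERS")

if __name__ == "__main__":
    c = caesar_encrypt(SAMPLE)
    print(c)
    print(break_caesar(c))
```

The score is only reliable on ciphertexts long enough for letter counts to resemble English; on very short inputs, inspect the full ranking of the 26 candidates instead of the top one.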
b. Other Substitution Ciphers
n-char key

Polyalphabetic substitution ciphers

Vigenère Tableaux cipher — PART 1

Vigenère Tableaux cipher — PART 2
10
Vigenère Tableaux (1)

[Figure: Vigenère tableau, rows indexed by the letters of P]
Note:
Row A – shift 0 (a->a)
Row B – shift 1 (a->b)
Row C – shift 2 (a->c)
...
Row Z – shift 25 (a->z)
[cf. J. Leiwo, VU, NL]
11
Class 5 Ended Here
12
Vigenère Tableaux (2)

Example
Key: EXODUS
Plaintext P:
YELLOW SUBMARINE FROM YELLOW RIVER
Extended keyword (re-applied to mimic words in P):
YELLOW SUBMARINE FROM YELLOW RIVER
EXODUS EXODUSEXO DUSE XODUSE XODUS
Ciphertext:
cbzoio wlppujmks ilgq vsofhb owyyj
- Question: How is it derived from the keyword and the Vigenère tableaux?
[cf. J. Leiwo, VU, NL]
13
Vigenère Tableaux (3)

Example
...
Extended keyword (re-applied to mimic words in P):
YELLOW SUBMARINE FROM YELLOW RIVER
EXODUS EXODUSEXO DUSE XODUSE XODUS
Ciphertext:
cbzoio wlppujmks ilgq vsofhb owyyj
- Answer:
  c from P indexes row
  c from extended key indexes column
  e.g.: row Y and column e → ‘c’
        row E and column x → ‘b’
        row L and column o → ‘z’
        ...
[cf. J. Leiwo, VU, NL]
14
c. One-Time Pads (1)

OTP - variant of using Vigenère Tableaux
- Fixes problem with VT: key used might be too short
  - Above: ‘EXODUS’ – 6 chars
- Sometimes considered a perfect cipher

One-Time Pad:
- Used extensively during Cold War
- Large, nonrepeating set of long keys on pad sheets/pages
- Sender and receiver have identical pads

Example:
- 300-char msg to send, 20-char key per sheet
  => use & tear off 300/20 = 15 pages from the pad
15
One-Time Pads (2)

Example – cont.:
- Encryption:
  - Sender writes letters of consecutive 20-char keys above the letters of P (from the 15 pad pages)
  - Sender enciphers P using Vigenère Tableaux (or other prearranged chart)
  - Sender destroys used keys/sheets
- Decryption:
  - Receiver uses Vigenère Tableaux
  - Receiver uses the same set of consecutive 20-char keys from the same 15 consecutive pages of the pad
  - Receiver destroys used keys/sheets
16
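The tableau lookup from Vigenère Tableaux (3) and the pad procedure from One-Time Pads (1)-(2), as one added example that is not part of the original slides. It reproduces the first word of the slide's example (YELLOW under EXODUS) and the 300-char message that uses up 15 sheets of 20 key letters; the `Pad` class and its method names are hypothetical.

```python
import secrets
import string

A = string.ascii_uppercase
# Vigenère tableau as on the slide: row = letter of P, column = key letter.
TABLEAU = {p: {k: A[(i + j) % 26].lower() for j, k in enumerate(A)}
           for i, p in enumerate(A)}

def encipher(plaintext, key):
    """Look up each letter of P (row) under the next key letter (column)."""
    out, n = [], 0
    for ch in plaintext.upper():
        if ch in A:
            out.append(TABLEAU[ch][key[n % len(key)]])
            n += 1                      # key advances on letters only
        else:
            out.append(ch)              # spaces pass through unchanged
    return "".join(out)

def decipher(ciphertext, key):
    """In the key letter's column, find the row holding the ciphertext letter."""
    out, n = [], 0
    for ch in ciphertext.lower():
        if ch.upper() in A:
            col = key[n % len(key)]
            out.append(next(p for p in A if TABLEAU[p][col] == ch))
            n += 1
        else:
            out.append(ch)
    return "".join(out)

class Pad:
    """One-time pad (hypothetical helper): sheets of random key letters."""
    def __init__(self, sheets, sheet_len=20):
        self.sheet_len = sheet_len
        self.sheets = ["".join(secrets.choice(A) for _ in range(sheet_len))
                       for _ in range(sheets)]

    def copy(self):
        """Identical pad for the receiver."""
        twin = Pad(0, self.sheet_len)
        twin.sheets = list(self.sheets)
        return twin

    def tear_off(self, n_letters):
        """Return key material covering n_letters and destroy those sheets."""
        need = -(-n_letters // self.sheet_len)          # ceiling division
        if need > len(self.sheets):
            raise ValueError("pad exhausted: not enough unused sheets")
        used, self.sheets = self.sheets[:need], self.sheets[need:]
        return "".join(used), need
```

Because `tear_off` removes the sheets it returns, sender and receiver stay aligned only while both process every message in the same order.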
One-Time Pads (3)

Note:
- Effect: a key as long as the message
  - If only key length ≤ the number of chars in the pad
  - The key is always changing (and destroyed after use)
- Weaknesses
  - Perfect synchronization required between S and R
    - Intercepted or dropped messages can destroy synchro
  - Need lots of keys
  - Needs to distribute pads securely
    - No problem to generate keys
    - Problem: printing, distribution, storing, accounting
  - Frequency distribution not flat enough
    - Non-flat distribution facilitates breaking
17
Types of One-Time Pads

Vernam Cipher
- = (lttr + random nr) mod 26 (p.48)
- Need (pseudo) random nr generator
- E.g., V = 21; (V + 76) mod 26 = 97 mod 26 = 19; 19 = t

Book Ciphers (p.49)
- Book used as a pad
  - need not destroy – just don’t reuse keys
- Use common Vigenère Tableaux
- Details: textbook
  - Incl. example of breaking a book cipher
    - Bec. distribution not flat
18

Question:
Does anybody know other ciphers using books?
Or invent your own cipher using books?
19


Question:
...other ciphers using books?
My examples:

Use any agreed upon book

P: SECRET

Page 52 from a book:
    52
    ever, making predictions in ten letter
    seven of those secret positi
    gorithm

Example 1:
Use: (page_nr, line_nr, letter_in_line)
C: 52 2 1 52 1 1 52 1 16 ...
Better: use different pages for each char in P

Example 2:
Use: (page_nr, line_nr, word_nr)
C: 52 2 4
Computer can help find words in a big electronic book quickly!
20
2B.2. Transposition Ciphers (1)
- Rearrange letters in plaintext to produce ciphertext
- Example 1a and 1b: Columnar transposition
  - Plaintext: HELLO WORLD
  - Transposition onto: (a) 3 columns:
      HEL
      LOW
      ORL
      DXX
    XX - padding
  - (b) onto 2 columns:
      HE
      LL
      OW
      OR
      LD
  - Ciphertext (read column-by-column):
    (a) hlodeorxlwlx
    (b) hloolelwrd
- What is the key?
  - Number of columns: (a) key = 3 and (b) key = 2
21
Transposition Ciphers (2)
- Example 2: Rail-Fence Cipher
  - Plaintext: HELLO WORLD
  - Transposition into 2 rows (rails) column-by-column:
      HLOOL
      ELWRD
  - Ciphertext: hloolelwrd
    (Does it look familiar?)
- What is the key?
  - Number of rails: key = 2
[cf. Barbara Endicott-Popovsky, U. Washington]
22
Attacking Transposition Ciphers
- Anagramming
  - n-gram – n-char strings in English
    - Digrams (2-grams) for English alphabet are: aa, ab, ac, ... az, ba, bb, bc, ..., zz (26^2 rows in digram table)
    - Trigrams are: aaa, aab, ... (26^3 rows)
    - 4-grams (quadgrams?) are: aaaa, aaab, ... (26^4 rows)
  - Attack procedure:
    - If 1-gram frequencies in C match their freq’s in English but other n-gram freq’s in C do not match their freq’s in English, then it is probably a transposition encryption
    - Find n-grams with the highest frequencies in C
      - Start with n=2
    - Rearrange substrings in C to form n-grams with highest freq’s
[cf. Barbara Endicott-Popovsky, U. Washington]
23
Example: Step 1
Ciphertext C: hloolelwrd (from Rail-Fence cipher)
- N-gram frequency check
  - 1-gram frequencies in C do match their frequencies in English
  - 2-gram (hl, lo, oo, ...) frequencies in C do not match their frequencies in English
    - Question: How is the frequency of „hl” in C calculated?
  - 3-gram (hlo, loo, ool, ...) frequencies in C do not match their frequencies in English
  - ...
  => it is probably a transposition
- Frequencies in English for all 2-grams from C starting with h (as table of freq’s of English digrams shows):
  - he 0.0305
  - ho 0.0043
  - hl, hw, hr, hd < 0.0010
- Implies that in hloolelwrd e follows h
[cf. Barbara Endicott-Popovsky, U. Washington]
24
Example: Step 2
- Arrange so the h and e are adjacent
  Since 2-gram suggests a solution, cut C into 2 substrings – the 2nd substring starting with e:
    hlool elwrd
  Put them in 2 columns:
    he
    ll
    ow
    or
    ld
- Read row by row, to get original P: HELLO WORLD
[cf. Barbara Endicott-Popovsky, U. Washington]
25
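Steps 1 and 2 above as an added example, not part of the original slides: columnar transposition (a 2-rail fence gives the same ciphertext as 2 columns), plus key recovery that tries each column count dividing the ciphertext length and keeps the arrangement with the best digram score. The digram table holds only the two values quoted on the slide; treating every other digram as 0.0010 is an assumption made for this sketch.

```python
def columnar_encrypt(plaintext, cols, pad="X"):
    """Write P row by row into `cols` columns, then read column by column."""
    letters = [c for c in plaintext.upper() if c.isalpha()]
    letters += [pad] * (-len(letters) % cols)        # fill the last row
    return "".join("".join(letters[c::cols]) for c in range(cols)).lower()

def columnar_decrypt(ciphertext, cols):
    """Cut C into `cols` equal substrings (columns) and read them row by row."""
    rows = len(ciphertext) // cols
    columns = [ciphertext[i * rows:(i + 1) * rows] for i in range(cols)]
    return "".join(columns[c][r]
                   for r in range(rows) for c in range(cols)).upper()

# English digram frequencies quoted on the slide.
DIGRAM_FREQ = {"he": 0.0305, "ho": 0.0043}
# Assumption: every digram not listed above is scored at the slide's
# "< 0.0010" bound; a real attack would use a full digram table.
FLOOR = 0.0010

def digram_score(text):
    """Sum of digram frequencies over all adjacent letter pairs."""
    t = text.lower()
    return sum(DIGRAM_FREQ.get(t[i:i + 2], FLOOR) for i in range(len(t) - 1))

def recover_columns(ciphertext):
    """Return (key, plaintext) for the column count with the best score."""
    n = len(ciphertext)
    candidates = [k for k in range(2, n) if n % k == 0]
    best = max(candidates,
               key=lambda k: digram_score(columnar_decrypt(ciphertext, k)))
    return best, columnar_decrypt(ciphertext, best)

if __name__ == "__main__":
    print(columnar_encrypt("HELLO WORLD", 3))    # example (a)
    print(columnar_encrypt("HELLO WORLD", 2))    # example (b) / rail fence
    print(recover_columns("hloolelwrd"))
```

For hloolelwrd the candidates are 2 and 5 columns; only the 2-column arrangement places e after h, so it scores highest.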
2B.3. Product Ciphers

A.k.a. combination ciphers

Built of multiple blocks, each is:
- Substitution
  or:
- Transposition

Example: two-block product cipher
- E_2(E_1(P, K_E1), K_E2)

Product cipher might not be stronger than its individual components used separately!
- Might not be even as strong as individual components
26
Survey of Students’ Background and Experience (1)

Background Survey
CS 5950/6030 Network Security - Fall 2005
Please print all your answers.
First name: ____ Last name: ____
Email ____
Undergrad./Year ____ OR: Grad./Year or Status (e.g., Ph.D. student) ____
Major ____
PART 1. Background and Experience
1-1) Please rate your knowledge in the following areas (0 = None, 5 = Excellent).
UNIX/Linux/Solaris/etc. Experience (use, administration, etc.): 0 1 2 3 4 5
Network Protocols (TCP, UDP, IP, etc.): 0 1 2 3 4 5
Cryptography (basic ciphers, DES, RSA, PGP, etc.): 0 1 2 3 4 5
Computer Security (access control, security fundamentals, etc.): 0 1 2 3 4 5

Any new students who did not fill out the survey?
27
2C. Making „Good” Ciphers
Cipher = encryption algorithm

Outline
2C.1. Criteria for „Good” Ciphers
2C.2. Stream and Block Ciphers
2C.3. Cryptanalysis
2C.4. Symmetric and Asymmetric Cryptosystems
28
2C.1. Criteria for „Good” Ciphers (1)

„Good” depends on intended application
- Substitution
  - C hides chars of P
  - If > 1 key, C dissipates high frequency chars
- Transposition
  - C scrambles text => hides n-grams for n > 1
- Product ciphers
  - Can do all of the above
- What is more important for your app?
- What facilities available to sender/receiver?
  - E.g., no supercomputer support on the battlefield
29
Criteria for „Good” Ciphers (2)

Claude Shannon’s criteria (1949):
1. Needed degree of secrecy should determine amount of labor
   - How long does the data need to stay secret?
   (cf. Principle of Adequate Protection)
2. Set of keys and enciphering algorithm should be free from complexity
   - Can choose any keys or any plaintext for given E
   - E not too complex
   (cf. Principle of Effectiveness)
3. Implementation should be as simple as possible
   - Complexity => errors
   (cf. Principle of Effectiveness)
[cf. A. Striegel]
30
Criteria for „Good” Ciphers (3)

Shannon’s criteria (1949) – cont.
4. Propagation of errors should be limited
   - Errors happen => their effects should be limited
     One error should not invalidate the whole C
   (None of the 4 Principles — Missing? — Invent a new Principle?)
5. Size / storage of C should be restricted
   - Size (C) should not be > size (P)
   - More text is more data for cryptanalysts to work with
   - Need more space for storage, more time to send
   (cf. Principle of Effectiveness)

Proposed at the dawn of computer era – still valid!
[cf. A. Striegel]
31
Criteria for „Good” Ciphers (4)

Characteristics of good encryption schemes
- Confusion:
  interceptor cannot predict what will happen to C when she changes one char in P
  - E with good confusion: hides well relationship between P "+" K, and C
- Diffusion:
  changes in P spread out over many parts of C
  - Good diffusion => attacker needs access to much of C to infer E
32
Criteria for „Good” Ciphers (5)

Commercial Principles of Sound Encryption Systems
1. Sound mathematics
   - Proven vs. not broken so far
2. Verified by expert analysis
   - Including outside experts
3. Stood the test of time
   - Long-term success is not a guarantee
   - Still, flaws in many E’s are discovered soon after their release

Examples of popular commercial E’s:
- DES / RSA / AES
  DES = Data Encryption Standard
  RSA = Rivest-Shamir-Adleman
  AES = Advanced Encryption Standard (rel. new)
[cf. A. Striegel]
33
Continued - Class 7