MODERN CRYPTOGRAPHY
MODERN CRYPTOGRAPHY
MODERN CRYPTOGRAPHY
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
<strong>MODERN</strong><br />
<strong>CRYPTOGRAPHY</strong><br />
Fred Piper<br />
Codes & Ciphers Ltd<br />
12 Duncan Road, Richmond<br />
Surrey, TW9 2JD<br />
Royal Holloway, University of London<br />
Egham Hill, Egham<br />
Surrey TW20 0EX
Aims of Lecture<br />
1. To enjoy ourselves<br />
2. To look at how cryptography has<br />
developed/changed<br />
3. To discuss certain aspects of the current<br />
situation<br />
NOTE: We concentrate on applications (and<br />
NOT on the mathematics)<br />
IMA 2009 2
“Many cryptographic systems rely on the inability<br />
of mathematicians to do mathematics”.<br />
(Donald Davies: LMS Lecture)<br />
Tongue in cheek?<br />
Existence proofs do not provide solutions<br />
Algorithms should be implementable<br />
IMA 2009 3
Cipher System<br />
Encryption Key<br />
Decryption Key<br />
Message<br />
m<br />
Encryption<br />
Algorithm<br />
Cryptogram<br />
c<br />
Interceptor<br />
Message<br />
m<br />
Decryption<br />
Algorithm<br />
Key establishment channel<br />
(secure)<br />
IMA 2009 4
Two Types of Cipher System<br />
• Conventional or Symmetric<br />
– Decryption Key easily obtained from Encryption Key<br />
• Public or Asymmetric<br />
– Computationally infeasible to determine Decryption Key from<br />
Encryption Key<br />
IMA 2009 5
Breaking Algorithm<br />
• Being able to determine plaintext from ciphertext<br />
without being given key<br />
• Exhaustive key search is always (theoretically)<br />
possible<br />
Well Designed (Symmetric) Algorithm<br />
• ‘Easiest’ attack is exhaustive key search<br />
Strong Algorithm<br />
• Well designed with a large number of keys<br />
Provable security?<br />
IMA 2009<br />
6
Cryptographic System<br />
• Design algorithm<br />
• Implement algorithm<br />
– Software?<br />
– Hardware?<br />
• Manage keys<br />
IMA 2009 7
The Human Problem<br />
It has always been recognised that security is<br />
not solely a technology issue<br />
Early 1980s:<br />
Early 1990s:<br />
Thorn EMI conference<br />
“Security is People”<br />
Ross Anderson’s paper<br />
“Why crypto systems fail”<br />
IMA 2009 8
Implementing Cryptographic Algorithms<br />
• In theory there is no difference between<br />
theory and practice. In practice there is<br />
• Poor implementation negates advantage of<br />
using a strong algorithm<br />
IMA 2009 9
Protecting Keys (Storage or Distribution)<br />
• Physical security<br />
– Tamper Resistant Security Module (TRSM)<br />
– Tokens (Smart Cards)<br />
• Components<br />
– Secret Sharing Scheme<br />
• Key hierarchies<br />
– Keys encrypted using other keys<br />
– Lower level keys derived from higher level ones<br />
IMA 2009 10
Side Channel Attacks<br />
To find a cryptographic key<br />
• Brute force attacks try to find the secret key by<br />
random trial and error<br />
• Side channel attacks try to use additional information<br />
drawn from the physical implementation of the<br />
cryptographic algorithm at hand so as to be<br />
substantially better than trial and error<br />
IMA 2009 11
Evolution of Side Channel Attacks<br />
Dec 11, 1995: Paul Kocher announces timing attack<br />
on the sci. crypt news group:<br />
“I’ve just released details of an attack many of you will<br />
find interesting since quite a few existing cryptography<br />
products and systems are potentially at risk. The<br />
general idea of the attack is that secret keys can be<br />
found by measuring the amount of time used to<br />
process messages. The paper describes attacks<br />
against RSA, fixed exponent Diffie-Hellman, and DSS,<br />
and the techniques can work with many other systems<br />
as well”.<br />
IMA 2009 12
Side Channel Attacks<br />
• Changed the way cryptographers think about<br />
security<br />
–Properties of digital circuits are far more important<br />
for security than was previously believed<br />
• Many previous design approaches recognised as<br />
inadequate<br />
IMA 2009 13
Early Ciphers<br />
• Simple substitution cipher<br />
• Enhancing by encrypting one letter then<br />
change key<br />
• Implementation was problem: Keys cannot be<br />
independent of each other<br />
• Rotors and super-encipherment<br />
IMA 2009<br />
14
Enigma Machine<br />
• Polyalphabetic cipher with large period<br />
• Day key (3 letters in code book)<br />
• Message key (3 ‘randomly selected’ letters<br />
protected by day key)<br />
• Problems:<br />
–Operators determined random selection<br />
–Message key sent twice<br />
–A message letter was never represented by itself in<br />
the cryptogram<br />
IMA 2009<br />
15
Bletchley Park<br />
IMA 2009<br />
16
Lessons from Bletchley Park?<br />
• Information can be very important!<br />
• Cryptanalysis is a powerful weapon<br />
• It is easy to use a strong encryption badly<br />
Quote: Mavis Batey (Cryptanalyst at Bletchley)<br />
“Sometimes people are daft enough to do what you<br />
want”<br />
IMA 2009<br />
17
Some Important Changes Since 1945<br />
• Advent of fast computers<br />
• Advent of new communications media<br />
• Wide use of binary codes<br />
• Cryptography is part of a larger discipline:<br />
Information Security<br />
• Many applications other than provision of<br />
confidentiality<br />
• Public key cryptography<br />
IMA 2009 18
Use of Cryptography<br />
Service<br />
• Confidentiality<br />
• Data integrity<br />
• Authentication<br />
• Non-repudiation<br />
Where?<br />
• E-commerce<br />
• E-voting<br />
• Access control<br />
IMA 2009 19
The ‘Secure Channel’ Concept<br />
AIM: To send confidential information over an<br />
insecure network<br />
• We achieve this by building a “secure channel”<br />
between two end points on the network<br />
• Typically offering:<br />
–Data origin authentication<br />
–Data integrity<br />
–Confidentiality<br />
• Cryptography is an important tool<br />
IMA 2009<br />
20
What is Cryptography Now?<br />
• A thriving academic discipline involving a blend<br />
of mathematics, statistics and computer<br />
science.<br />
– Advanced encryption, signature, key exchange primitives.<br />
– Secure multi-party computation.<br />
– Private information retrieval from databases.<br />
– Anonymous handshake protocols.<br />
– Electronic elections and auctions.<br />
• A popular science<br />
– Books, films, documentaries<br />
– The Da Vinci Vode<br />
IMA 2009 21
What is a Binary String?<br />
A bit string of length s might be regarded as:<br />
1) A string of zeros and ones<br />
2) A (coded) message<br />
3) An integer for 0 to 2 s − 1<br />
4) A sequence of integers<br />
5) Coordinates to a look-up table<br />
6) Vector in V(s,2)<br />
7) Binary polynomial (degree at most s − 1)<br />
8) Indicator set for integers 0 to s − 1<br />
9) Entries in an incidence matrix<br />
10) Your choice?<br />
IMA 2009 22
Cryptographic conjectures made in 1988 were<br />
settled in the 1960’s and 1970’s by geometers<br />
studying translation planes and spreads<br />
IMA 2009 23
Faster Technology<br />
• Used by implementers and attackers<br />
• Should we ‘slow down’ implementation speeds<br />
for encryption algorithms?<br />
• Moore’s Law has dramatic effect on the ‘life’ of<br />
an algorithm<br />
• Learn from DES<br />
IMA 2009 24
Key Search for DES<br />
56 bit key requires 2 56 tests<br />
2 56 = 7.2 x 10 16<br />
with 10 6 testing devices, at 10 6<br />
Complete test cycle in 7.2 x 10 4<br />
test/ seconds each:<br />
seconds = 20 hours<br />
A ‘hit’ might be expected in 10 hours<br />
IMA 2009<br />
25
DES : Exhaustive Key Search<br />
The following claims were published :<br />
Key Search Machine Cost Expected Search<br />
Time<br />
Diffie & Hellman $20m 20 hours<br />
(1977)<br />
Wiener (1993) $10.5m 21 minutes<br />
$ 1.5m 3.5 hours<br />
$600,000 35 hours<br />
NB : Development cost of Wiener’s machine is of the order of $500,000.<br />
IMA 2009<br />
26
DES: Key Search on Internet (1997)<br />
• DES key found<br />
• Search took 140 days<br />
• Search used over 10,000 computers<br />
• Peak rate: 7.10 9 keys/sec<br />
• ‘Might’ have taken 32 days<br />
IMA 2009<br />
27
DES Breaker (1998)<br />
• Electronic Frontier Foundation<br />
• Design cost $ 80,000<br />
• Manufacturing cost $130,000<br />
• Test key found in 56 hours<br />
• Complete search in 220 hours<br />
• 90 Billion keys per second<br />
• Design details published<br />
IMA 2009<br />
28
Fast DES Key Search<br />
DES Breaker used with Internet search<br />
Key found in less than a day<br />
IMA 2009<br />
29
Triple-DES<br />
• There are several different proposals for 3DES<br />
k 1 k 2 k 1 or k 3<br />
m<br />
Encrypt<br />
Decrypt<br />
Encrypt<br />
c<br />
• Typical deployments use 2-key or 3-key EDE<br />
IMA 2009<br />
30
User Authentication and Data Integrity<br />
using Symmetric Cryptography<br />
Can only take place between two parties who are prepared to cooperate<br />
with each other<br />
Typical authentication scheme:<br />
A and B share a secret key K which (they believe) is known<br />
only to them<br />
A sends a ‘challenge’ to B. If the response is the challenge<br />
encrypted with key K then A believes the response is from B<br />
Data Integrity:<br />
If A sends a message to B with a cryptographic checksum using<br />
K then B uses K to check the checksum and, if it is correct, knows<br />
the message is unaltered and came from A<br />
Note: A and B need to protect against replays etc<br />
IMA 2009 31
Digital Signatures and User Authentication using<br />
Public Key Cryptography<br />
• Can take place between any two parties, A and B<br />
provided they each know the other’s public key<br />
Typical authentication scheme:<br />
A sends a challenge (encrypted using B’s public key) to<br />
B. If B returns the challenge in clear then A believes it<br />
came from B<br />
Data Integrity:<br />
A sends a message to B with a cryptographic checksum<br />
(digital signature) calculated using A’s private key. B<br />
uses A’s public key to check the digital signature<br />
IMA 2009 32
Attacks on Scheme Implementing RSA<br />
If A and B use RSA for authentication and/or digital<br />
signatures then, if I want to impersonate A, I must<br />
either<br />
• Obtain A’s private key<br />
• Convince B that my public key belongs to A<br />
NOTE: A standard method of protecting against the<br />
latter attacks is to use a Public Key Infrastructure<br />
(PKI). This is a significant overhead<br />
• Identity based encryption?<br />
IMA 2009 33
How Does it Work?<br />
The CA certifies<br />
that Fred Piper’s<br />
public key<br />
is………..<br />
Electronically<br />
signed by<br />
the CA<br />
The Certificate can accompany all Fred’s messages<br />
The recipient must directly or indirectly:<br />
• Trust the authority that issued the certificate (CA)<br />
• Validate the certificate<br />
IMA 2009 34
RSA: The Theory (1)<br />
n = pq where p,q are large primes<br />
Public key: (n,e) where (e,(p − 1)(q − 1)) = 1<br />
Encryption: for 0 ≤ m ≤ n − 1 c = m e modn<br />
Secret key: d where ed = 1 mod(p − 1)(q − 1))<br />
Decryption: m = c d modn<br />
IMA 2009 35
RSA: The Theory (2)<br />
RSA problem: Find e th roots modn<br />
• Knowledge of p,q solves RSA problem<br />
Conjectures:<br />
• RSA problem and integer factorisation are<br />
computationally equivalent<br />
• Factorisation is hard<br />
Conclusion: RSA is secure for sufficiently large n<br />
IMA 2009 36
RSA Security<br />
Problem<br />
The theoretical argument establishing the<br />
security of RSA assumes that to factor n the<br />
attacker will need to implement a<br />
(mathematical) factoring algorithm such as the<br />
number field sieve<br />
IMA 2009 37
Early Attacks on RSA<br />
Attack prime generator rather than try to factor n<br />
mathematically<br />
1.Exhaustive prime search<br />
2.Exploit bias in generation process<br />
IMA 2009 38
RSA Implementation<br />
RSA involves computing x a (mod N) for large x, a and N<br />
To speed up process need:<br />
• Fast multiplication algorithm<br />
• Avoid intermediate values becoming too large<br />
• Limit number of modular multiplications<br />
IMA 2009 39
RSA, DSA, and ECDSA<br />
•In terms of security:<br />
RSA-1024 ≈ DL-1024 ≈ ECDL-160/170<br />
≈AES-80<br />
Encrypt Decrypt Sign Verify Sig. size<br />
RSA 17 384 384 17 1024<br />
DL-based 480 240 240 480 320<br />
ECDL-based 120 60 60 120 320<br />
IMA 2009 40
Saints or Sinners ?<br />
Sender<br />
Receiver<br />
Interceptor<br />
Who are the ‘good’ guys ?<br />
IMA 2009 41
Law Enforcement’s Dilemmas<br />
• Do not want to intrude into people’s private<br />
lives<br />
• Do not want to hinder e-commerce<br />
• Want to have their own secure<br />
communications<br />
• Occasionally use interception to obtain<br />
information<br />
• Occasionally need to read confiscated,<br />
encrypted information<br />
IMA 2009 42
Cryptography and You<br />
• SSL<br />
• ATMs<br />
• Digital signatures<br />
• Encrypted files<br />
• Access control<br />
• E-ticketing<br />
• E-voting<br />
• E-Government<br />
• Etc<br />
IMA 2009 43