MODERN CRYPTOGRAPHY

MODERN 

CRYPTOGRAPHY 

Fred Piper 

Codes & Ciphers Ltd 

12 Duncan Road, Richmond 

Surrey, TW9 2JD 

Royal Holloway, University of London 

Egham Hill, Egham 

Surrey TW20 0EX

Aims of Lecture 

1. To enjoy ourselves 

2. To look at how cryptography has 

developed/changed 

3. To discuss certain aspects of the current 

situation 

NOTE: We concentrate on applications (and 

NOT on the mathematics) 

IMA 2009 2

“Many cryptographic systems rely on the inability 

of mathematicians to do mathematics”. 

(Donald Davies: LMS Lecture) 

Tongue in cheek? 

Existence proofs do not provide solutions 

Algorithms should be implementable 

IMA 2009 3

Cipher System 

Encryption Key 

Decryption Key 

Message 

m 

Encryption 

Algorithm 

Cryptogram 

c 

Interceptor 

Message 

m 

Decryption 

Algorithm 

Key establishment channel 

(secure) 

IMA 2009 4

Two Types of Cipher System 

• Conventional or Symmetric 

– Decryption Key easily obtained from Encryption Key 

• Public or Asymmetric 

– Computationally infeasible to determine Decryption Key from 

Encryption Key 

IMA 2009 5

Breaking Algorithm 

• Being able to determine plaintext from ciphertext 

without being given key 

• Exhaustive key search is always (theoretically) 

possible 

Well Designed (Symmetric) Algorithm 

• ‘Easiest’ attack is exhaustive key search 

Strong Algorithm 

• Well designed with a large number of keys 

Provable security? 

IMA 2009 

6

Cryptographic System 

• Design algorithm 

• Implement algorithm 

– Software? 

– Hardware? 

• Manage keys 

IMA 2009 7

The Human Problem 

It has always been recognised that security is 

not solely a technology issue 

Early 1980s: 

Early 1990s: 

Thorn EMI conference 

“Security is People” 

Ross Anderson’s paper 

“Why crypto systems fail” 

IMA 2009 8

Implementing Cryptographic Algorithms 

• In theory there is no difference between 

theory and practice. In practice there is 

• Poor implementation negates advantage of 

using a strong algorithm 

IMA 2009 9

Protecting Keys (Storage or Distribution) 

• Physical security 

– Tamper Resistant Security Module (TRSM) 

– Tokens (Smart Cards) 

• Components 

– Secret Sharing Scheme 

• Key hierarchies 

– Keys encrypted using other keys 

– Lower level keys derived from higher level ones 

IMA 2009 10

Side Channel Attacks 

To find a cryptographic key 

• Brute force attacks try to find the secret key by 

random trial and error 

• Side channel attacks try to use additional information 

drawn from the physical implementation of the 

cryptographic algorithm at hand so as to be 

substantially better than trial and error 

IMA 2009 11

Evolution of Side Channel Attacks 

Dec 11, 1995: Paul Kocher announces timing attack 

on the sci. crypt news group: 

“I’ve just released details of an attack many of you will 

find interesting since quite a few existing cryptography 

products and systems are potentially at risk. The 

general idea of the attack is that secret keys can be 

found by measuring the amount of time used to 

process messages. The paper describes attacks 

against RSA, fixed exponent Diffie-Hellman, and DSS, 

and the techniques can work with many other systems 

as well”. 

IMA 2009 12

Side Channel Attacks 

• Changed the way cryptographers think about 

security 

–Properties of digital circuits are far more important 

for security than was previously believed 

• Many previous design approaches recognised as 

inadequate 

IMA 2009 13

Early Ciphers 

• Simple substitution cipher 

• Enhancing by encrypting one letter then 

change key 

• Implementation was problem: Keys cannot be 

independent of each other 

• Rotors and super-encipherment 

IMA 2009 

14

Enigma Machine 

• Polyalphabetic cipher with large period 

• Day key (3 letters in code book) 

• Message key (3 ‘randomly selected’ letters 

protected by day key) 

• Problems: 

–Operators determined random selection 

–Message key sent twice 

–A message letter was never represented by itself in 

the cryptogram 

IMA 2009 

15

Bletchley Park 

IMA 2009 

16

Lessons from Bletchley Park? 

• Information can be very important! 

• Cryptanalysis is a powerful weapon 

• It is easy to use a strong encryption badly 

Quote: Mavis Batey (Cryptanalyst at Bletchley) 

“Sometimes people are daft enough to do what you 

want” 

IMA 2009 

17

Some Important Changes Since 1945 

• Advent of fast computers 

• Advent of new communications media 

• Wide use of binary codes 

• Cryptography is part of a larger discipline: 

Information Security 

• Many applications other than provision of 

confidentiality 

• Public key cryptography 

IMA 2009 18

Use of Cryptography 

Service 

• Confidentiality 

• Data integrity 

• Authentication 

• Non-repudiation 

Where? 

• E-commerce 

• E-voting 

• Access control 

IMA 2009 19

The ‘Secure Channel’ Concept 

AIM: To send confidential information over an 

insecure network 

• We achieve this by building a “secure channel” 

between two end points on the network 

• Typically offering: 

–Data origin authentication 

–Data integrity 

–Confidentiality 

• Cryptography is an important tool 

IMA 2009 

20

What is Cryptography Now? 

• A thriving academic discipline involving a blend 

of mathematics, statistics and computer 

science. 

– Advanced encryption, signature, key exchange primitives. 

– Secure multi-party computation. 

– Private information retrieval from databases. 

– Anonymous handshake protocols. 

– Electronic elections and auctions. 

• A popular science 

– Books, films, documentaries 

– The Da Vinci Vode 

IMA 2009 21

What is a Binary String? 

A bit string of length s might be regarded as: 

1) A string of zeros and ones 

2) A (coded) message 

3) An integer for 0 to 2 s − 1 

4) A sequence of integers 

5) Coordinates to a look-up table 

6) Vector in V(s,2) 

7) Binary polynomial (degree at most s − 1) 

8) Indicator set for integers 0 to s − 1 

9) Entries in an incidence matrix 

10) Your choice? 

IMA 2009 22

Cryptographic conjectures made in 1988 were 

settled in the 1960’s and 1970’s by geometers 

studying translation planes and spreads 

IMA 2009 23

Faster Technology 

• Used by implementers and attackers 

• Should we ‘slow down’ implementation speeds 

for encryption algorithms? 

• Moore’s Law has dramatic effect on the ‘life’ of 

an algorithm 

• Learn from DES 

IMA 2009 24

Key Search for DES 

56 bit key requires 2 56 tests 

2 56 = 7.2 x 10 16 

with 10 6 testing devices, at 10 6 

Complete test cycle in 7.2 x 10 4 

test/ seconds each: 

seconds = 20 hours 

A ‘hit’ might be expected in 10 hours 

IMA 2009 

25

DES : Exhaustive Key Search 

The following claims were published : 

Key Search Machine Cost Expected Search 

Time 

Diffie & Hellman $20m 20 hours 

(1977) 

Wiener (1993) $10.5m 21 minutes 

$ 1.5m 3.5 hours 

$600,000 35 hours 

NB : Development cost of Wiener’s machine is of the order of $500,000. 

IMA 2009 

26

DES: Key Search on Internet (1997) 

• DES key found 

• Search took 140 days 

• Search used over 10,000 computers 

• Peak rate: 7.10 9 keys/sec 

• ‘Might’ have taken 32 days 

IMA 2009 

27

DES Breaker (1998) 

• Electronic Frontier Foundation 

• Design cost $ 80,000 

• Manufacturing cost $130,000 

• Test key found in 56 hours 

• Complete search in 220 hours 

• 90 Billion keys per second 

• Design details published 

IMA 2009 

28

Fast DES Key Search 

DES Breaker used with Internet search 

Key found in less than a day 

IMA 2009 

29

Triple-DES 

• There are several different proposals for 3DES 

k 1 k 2 k 1 or k 3 

m 

Encrypt 

Decrypt 

Encrypt 

c 

• Typical deployments use 2-key or 3-key EDE 

IMA 2009 

30

User Authentication and Data Integrity 

using Symmetric Cryptography 

Can only take place between two parties who are prepared to cooperate 

with each other 

Typical authentication scheme: 

A and B share a secret key K which (they believe) is known 

only to them 

A sends a ‘challenge’ to B. If the response is the challenge 

encrypted with key K then A believes the response is from B 

Data Integrity: 

If A sends a message to B with a cryptographic checksum using 

K then B uses K to check the checksum and, if it is correct, knows 

the message is unaltered and came from A 

Note: A and B need to protect against replays etc 

IMA 2009 31

Digital Signatures and User Authentication using 

Public Key Cryptography 

• Can take place between any two parties, A and B 

provided they each know the other’s public key 

Typical authentication scheme: 

A sends a challenge (encrypted using B’s public key) to 

B. If B returns the challenge in clear then A believes it 

came from B 

Data Integrity: 

A sends a message to B with a cryptographic checksum 

(digital signature) calculated using A’s private key. B 

uses A’s public key to check the digital signature 

IMA 2009 32

Attacks on Scheme Implementing RSA 

If A and B use RSA for authentication and/or digital 

signatures then, if I want to impersonate A, I must 

either 

• Obtain A’s private key 

• Convince B that my public key belongs to A 

NOTE: A standard method of protecting against the 

latter attacks is to use a Public Key Infrastructure 

(PKI). This is a significant overhead 

• Identity based encryption? 

IMA 2009 33

How Does it Work? 

The CA certifies 

that Fred Piper’s 

public key 

is……….. 

Electronically 

signed by 

the CA 

The Certificate can accompany all Fred’s messages 

The recipient must directly or indirectly: 

• Trust the authority that issued the certificate (CA) 

• Validate the certificate 

IMA 2009 34

RSA: The Theory (1) 

n = pq where p,q are large primes 

Public key: (n,e) where (e,(p − 1)(q − 1)) = 1 

Encryption: for 0 ≤ m ≤ n − 1 c = m e modn 

Secret key: d where ed = 1 mod(p − 1)(q − 1)) 

Decryption: m = c d modn 

IMA 2009 35

RSA: The Theory (2) 

RSA problem: Find e th roots modn 

• Knowledge of p,q solves RSA problem 

Conjectures: 

• RSA problem and integer factorisation are 

computationally equivalent 

• Factorisation is hard 

Conclusion: RSA is secure for sufficiently large n 

IMA 2009 36

RSA Security 

Problem 

The theoretical argument establishing the 

security of RSA assumes that to factor n the 

attacker will need to implement a 

(mathematical) factoring algorithm such as the 

number field sieve 

IMA 2009 37

Early Attacks on RSA 

Attack prime generator rather than try to factor n 

mathematically 

1.Exhaustive prime search 

2.Exploit bias in generation process 

IMA 2009 38

RSA Implementation 

RSA involves computing x a (mod N) for large x, a and N 

To speed up process need: 

• Fast multiplication algorithm 

• Avoid intermediate values becoming too large 

• Limit number of modular multiplications 

IMA 2009 39

RSA, DSA, and ECDSA 

•In terms of security: 

RSA-1024 ≈ DL-1024 ≈ ECDL-160/170 

≈AES-80 

Encrypt Decrypt Sign Verify Sig. size 

RSA 17 384 384 17 1024 

DL-based 480 240 240 480 320 

ECDL-based 120 60 60 120 320 

IMA 2009 40

Saints or Sinners ? 

Sender 

Receiver 

Interceptor 

Who are the ‘good’ guys ? 

IMA 2009 41

Law Enforcement’s Dilemmas 

• Do not want to intrude into people’s private 

lives 

• Do not want to hinder e-commerce 

• Want to have their own secure 

communications 

• Occasionally use interception to obtain 

information 

• Occasionally need to read confiscated, 

encrypted information 

IMA 2009 42

Cryptography and You 

• SSL 

• ATMs 

• Digital signatures 

• Encrypted files 

• Access control 

• E-ticketing 

• E-voting 

• E-Government 

• Etc 

IMA 2009 43

MODERN CRYPTOGRAPHY

Create successful ePaper yourself

Delete template?

Save as template?