Cryptology Part 1 - To Parent Directory - James Madison University

Cryptology Part 1Uses of Cryptology1. Transmission of a message with assurance that the contents will be knownonly by sender and recipienta) Steganography: existence of the message is hiddenb) Cryptography: garbling of the message so that its meaning can bediscerned only by the intended recipienti. Codesii. CiphersCharles Abzug, Ph.D.Department of Computer ScienceJames Madison UniversityHarrisonburg, VA 22807Voice Phone: 540-568-8746; Cell Phone: 443-956-9424E-mail: abzugcx@JMU.edu OR CharlesAbzug@ACM.orgHome Page: http://www.cs.jmu.edu/users/abzugcx© 2004 Charles Abzug2. Authenticationa) Message contentb) Message origin (Digital Signature)3. Miscellaneous other uses and issuesa) Electronic Voting: Confirmation of Voter-ID, Prevention of Double-Voting, Maintenance of Anonymityb) Signing of Contracts: Simultaneityc) E-cash: Avoidance of Fraud, Maintenance of Anonymity, Prevention ofTax-Avoidanced) Zero-Knowledge Protocol: ability of one party to convince the otherthat he/she has a secret, without revealing what it is01-Nov-2004 © 2004 Charles Abzug 2Terminology1. Code2. Cipher3. Key4. Algorithm5. Plaintext (or Cleartext)6. Ciphertext7. Steganography8. Cryptology9. Cryptography10. Cryptanalysis11. Enciphering or Encrypting12. Deciphering or DecryptingBasic Approaches to Cryptography1. Transposition: e.g., the Spartan Scytale (pronunciation: SIT-a-lee)2. Substitution: most modern ciphers13. Etymology: κρψποσ (kryptos) λογοσ (logos) γραφια (graphia)14. Passive Attack15. Active Attack16. Symmetric (classical cryptography , as well as modern)17. Asymmetric (modern only)01-Nov-2004 © 2004 Charles Abzug 301-Nov-2004 © 2004 Charles Abzug 4Basic Approaches to Cryptography: (1) TranspositionSYBLCRESEERACHTAYPUOHIPHRUEMTYILSOO!TDOFGBasic Approaches to Cryptography: (1) Transposition(continued)S B C E E R C T Y U H P R E T I S O T O GY l R S E A H A P O I H U M Y L O ! D FSYBLCRESEERACHTAYPUOHIPHRUEMTYILSOO!TDOFGS L E E C A U I R M I O T FY C S R H Y O P U T L O D GB R E A T P H H E Y S ! OS C E C Y H R T S T GY R E H P I U Y O DB E R T U P E I O OL S A A O H M L ! FS E C U R I TY S H O U L DB E T H E S OL E A I M O FC R Y P T O GR A P H Y !S R R A H U I ! GY E A Y I E L TB S C P P M S DL E H U H T O OC E T O R Y O F01-Nov-2004 © 2004 Charles Abzug 501-Nov-2004 © 2004 Charles Abzug 6

01-Nov-2004 © 2004 Charles Abzug 7Simple Additive CipherSimple Additive CipherPlaintext: a b c d e f g h i j k l m n o p q r s t u v w x y zCiphertext: D E F G H I J K L M N O P Q R S T U V W X Y Z A B CPlaintext: a b c d e f g h i j k l m n o p q r s t u v w x y zCiphertext: D E F G H I J K L M N O P Q R S T U V W X Y Z A B Ccleartext → .cleartext → FOHDUWHAWOHWWHU → .OHWWHU → letter01-Nov-2004 © 2004 Charles Abzug 8Basic Approaches to Cryptography: (2) SubstitutionBasic Approaches to Cryptography: (2) Substitution1. Monoalphabetic Ciphers over the "natural" alphabeta) Additive Ciphers or Shift Ciphers (keys: 1, 2, , , 25; keyspace = ?)b) Multiplicative Ciphers (keys: 1, 3, 5, 7, 9, 11, 15, 17, 19, 21, 23, 25;keyspace = ?)c) Affine Ciphers (keyspace = ?)d) General Monoalphabetic Cipher (keyspace = ?)1. Monoalphabetic Ciphers over the "natural" alphabeta) Additive Ciphers or Shift Ciphers (keys: 1, 2, , , 25; keyspace = 26)b) Multiplicative Ciphers (keys: 1, 3, 5, 7, 9, 11, 15, 17, 19, 21, 23, 25;keyspace = 12)c) Affine Ciphers (keyspace = ???)d) General Monoalphabetic Cipher (keyspace = ?)01-Nov-2004 © 2004 Charles Abzug 901-Nov-2004 © 2004 Charles Abzug 10Basic Approaches to Cryptography: (2) Substitution1. Monoalphabetic Ciphers over the "natural" alphabeta) Additive Ciphers or Shift Ciphers (keys: 1, 2, , , 25; keyspace = 26)b) Multiplicative Ciphers (keys: 1, 3, 5, 7, 9, 11, 15, 17, 19, 21, 23, 25;keyspace = 12)c) Affine Ciphers (keyspace = 12 * 26 = 312)d) General Monoalphabetic Cipher (keyspace = ???)Susceptibility of Monoalphabetic Ciphersto Cryptanalysis1. "Brute Force" Attack: try all possible keys2. Frequency Analysis (al-Kindi, eighth century)01-Nov-2004 © 2004 Charles Abzug 1101-Nov-2004 © 2004 Charles Abzug 12

01-Nov-2004 © 2004 Charles Abzug 13Relative Frequencies of Letters in English TextletterabcdefghijklmRelativeFrequency(%)8.1671.4922.7824.25312.7022.2282.0156.0946.9660.1530.7724.0252.406letternopqrstuvwxyzRelativeFrequency(%)6.7497.5071.9290.0955.9876.3279.0562.7580.9782.3600.1501.9740.074Basic Approaches to Cryptography: (2) Substitution1. Monoalphabetic Ciphers over the "natural" alphabeta) Additive Ciphers or Shift Ciphers (keys: 1, 2, , , 25; keyspace = 26)b) Multiplicative Ciphers (keys: 1, 3, 5, 7, 9, 11, 15, 17, 19, 21, 23, 25;keyspace = 12)c) Affine Ciphers (keyspace = 12 * 26 = 312)d) General Monoalphabetic Cipher (keyspace = 26! =403,291,461,126,605,635,584,000,000 > 4 * 10 26 )2. Polyalphabetic Ciphers over the "natural" alphabet3. Complex Monoalphabetic Ciphers01-Nov-2004 © 2004 Charles Abzug 14Simple Monoalphabetic Cipher with Keyword1. Uses a keyword2. Second and all subsequent repetitions of each character deleted3. Length of keyword generally smaller than 264. Remaining letters of alphabet (i.e., those not present in the keyword) thenlisted in alphabetical order to make up 26 letters.5. Example keyword: ANTIDISESTABLISHMENTARIANISM6. Example keyword with duplicates removed: ANTIDSEBLHMNR7. Final key, augmented from keyword: ANTIDSEBLHMNRCFGJKOPQUVWXYZPolyalphabetic Cipher with Keyword: the Vigenère Cipher1. Uses a keyword2. Second and all subsequent repetitions of each character deleted3. Length of keyword generally smaller than 264. Keyword repeated as many times as necessary to fill out the plaintext5. Each letter of plaintext encrypted IAW the corresponding line of the Vigenèresquare)6. Example keyword: ANTIDISESTABLISHMENTARIANISM7. Example keyword with duplicates removed: ANTIDSEBLHMNR8. Final Key: ANTIDSEBLHMNRANTIDSEBLHMNRANTIDSEBLHMNRANTIDSEBLHMNRANTIDSEBLHMNRANTIDSEBLHMNRANTIDSEBLHMNR . . .9. Keyword Length for this example: 1301-Nov-2004 © 2004 Charles Abzug 1501-Nov-2004 © 2004 Charles Abzug 16More Robust Polyalphabetic Cipher with Keytext1. Uses a lengthy text as key2. Repetitions of key characters accepted3. Arbitrary length of key text: generally longer than plaintext4. Each letter of plaintext encrypted IAW the corresponding line of the Vigenèresquare)Attacks on Vigenère Cipher1. Overall strategy: Determine the keylength; once known, the problem reducesto multiple monoalphabetic substitutions.2. By hand: search for repeating digraphs, trigraphs, quadgraphs to guesskeylength.3. Develop table of repetition distances for each character pattern.5. Example key text: WHEN IN THE COURSE OF HUMAN EVENTS ITBECOMES NECESSARY FOR ONE PEOPLE TO DISSOLVE THEPOLITICAL BANDS WHICH HAVE CONNECTED THEM WITH ANOTHERAND TO ASSUME AMONG THE POWERS OF THE EARTH THE SEPARATEAND EQUAL STATION TO WHICH THE LAWS OF NATURE AND . . .01-Nov-2004 © 2004 Charles Abzug 1701-Nov-2004 © 2004 Charles Abzug 18

01-Nov-2004 © 2004 Charles Abzug 19Stallings' Fig. 3.5Stallings' Fig. 3.601-Nov-2004 © 2004 Charles Abzug 20Stallings' Fig. 3.7Stallings' Fig. 3.801-Nov-2004 © 2004 Charles Abzug 2101-Nov-2004 © 2004 Charles Abzug 22Needham-Schroeder ProtocolStallings' Fig. 3.9• original third-party key distribution protocol• for session between A & B mediated by KDC• protocol overview is:1. A→KDC: ID A || ID B || N 12. KDC→A: E Ka [Ks || ID B || N 1 || E Kb [Ks||ID A ] ]3. A→B: E Kb [Ks||ID A ]4. B→A: E Ks [N 2 ]5. A→B: E Ks [f(N 2 )]01-Nov-2004 © 2004 Charles Abzug 2301-Nov-2004 © 2004 Charles Abzug 24

01-Nov-2004 © 2004 Charles Abzug 25Needham-Schroeder ProtocolUsing Public-Key Encryption• used to securely distribute a new session key forcommunications between A & B• but is vulnerable to a replay attack if an old session key hasbeen compromised– then message 3 can be resent convincing B that iscommunicating with A• modifications to address this require:– timestamps (Denning 81)– using an extra nonce (Neuman 93)• have a range of approaches based on the use of public-keyencryption• need to ensure have correct public keys for other parties• using a central Authentication Server (AS)• various protocols exist using timestamps or nonces01-Nov-2004 © 2004 Charles Abzug 26Denning AS ProtocolOne-Way Authentication• Denning 81 presented the following:1. A→AS: ID A || ID B2. AS→A: E KRas [ID A ||KU a ||T] || E KRas [ID B ||KU b ||T]3. A→B: E KRas [ID A ||KU a ||T] || E KRas [ID B ||KU b ||T] ||E KUb [E KRas [K s ||T]]• note session key is chosen by A, hence AS need not be trustedto protect it• timestamps prevent replay but require synchronized clocks• required when sender & receiver are not in communications atsame time (eg. email)• have header in clear so can be delivered by email system• may want contents of body protected & sender authenticated01-Nov-2004 © 2004 Charles Abzug 2701-Nov-2004 © 2004 Charles Abzug 28Using Symmetric Encryption• can refine use of KDC but can’t have final exchange of nonces,vis:1. A→KDC: ID A || ID B || N 12. KDC→A: E Ka [Ks || ID B || N 1 || E Kb [Ks||ID A ] ]3. A→B: E Kb [Ks||ID A ] || E Ks [M]• does not protect against replays– could rely on timestamp in message, though email delaysmake this problematicPublic-Key Approaches• have seen some public-key approaches• if confidentiality is major concern, can use:A→B: E KUb [Ks] || E Ks [M]– has encrypted session key, encrypted message• if authentication needed use a digital signature with a digitalcertificate:A→B: M || E KRa [H(M)] || E KRas [T||ID A ||KU a ]– with message, signature, certificate01-Nov-2004 © 2004 Charles Abzug 2901-Nov-2004 © 2004 Charles Abzug 30

01-Nov-2004 © 2004 Charles Abzug 31Arbitrated Techniques for Digital SignatureKerberosStallings' Table 13.1• trusted key server system from MIT• provides centralised private-key third-party authentication in adistributed network– allows users access to services distributed through network– without needing to trust all workstations– rather all trust a central authentication server• two versions in use: 4 & 501-Nov-2004 © 2004 Charles Abzug 32Kerberos RequirementsKerberos 4 Overview• first published report identified its requirements as:– security– reliability– transparency– scalability• implemented using an authentication protocol based onNeedham-Schroeder• a basic third-party authentication scheme• have an Authentication Server (AS)– users initially negotiate with AS to identify self– AS provides a non-corruptible authentication credential (ticketgranting ticket TGT)• have a Ticket Granting server (TGS)– users subsequently request access to other services from TGS onbasis of users TGT01-Nov-2004 © 2004 Charles Abzug 3301-Nov-2004 © 2004 Charles Abzug 34Kerberos 4 OverviewMessage Exchanges in Kerberos v.4Stallings' Fig. 14.1Stallings' Table 14.301-Nov-2004 © 2004 Charles Abzug 3501-Nov-2004 © 2004 Charles Abzug 36

01-Nov-2004 © 2004 Charles Abzug 37Kerberos RealmsKerberos Version 5• a Kerberos environment consists of:– a Kerberos server– a number of clients, all registered with server– application servers, sharing keys with server• this is termed a realm– typically a single administrative domain• if have multiple realms, their Kerberos servers must share keysand trust• developed in mid 1990’s• provides improvements over v4– addresses environmental shortcomings• encryption alg, network protocol, byte order, ticketlifetime, authentication forwarding, interrealm auth– and technical deficiencies• double encryption, non-std mode of use, session keys,password attacks• specified as Internet standard RFC 151001-Nov-2004 © 2004 Charles Abzug 38X.509 Authentication ServiceX.509 Certificates• part of CCITT X.500 directory service standards– distributed servers maintaining some info database• defines framework for authentication services– directory may store public-key certificates– with public key of user– signed by certification authority• also defines authentication protocols• uses public-key crypto & digital signatures– algorithms not standardised, but RSA recommended• issued by a Certification Authority (CA), containing:– version (1, 2, or 3)– serial number (unique within CA) identifying certificate– signature algorithm identifier– issuer X.500 name (CA)– period of validity (from - to dates)– subject X.500 name (name of owner)– subject public-key info (algorithm, parameters, key)– issuer unique identifier (v2+)– subject unique identifier (v2+)– extension fields (v3)– signature (of hash of all fields in certificate)• notation CA denotes certificate for A signed by CA01-Nov-2004 © 2004 Charles Abzug 3901-Nov-2004 © 2004 Charles Abzug 40X.509 CertificatesObtaining a CertificateStallings' Fig. 14.3• any user with access to CA can get any certificate from it• only the CA can modify a certificate• because cannot be forged, certificates can be placed in a publicdirectory01-Nov-2004 © 2004 Charles Abzug 4101-Nov-2004 © 2004 Charles Abzug 42

01-Nov-2004 © 2004 Charles Abzug 43CA HierarchyCA Hierarchy Use• if both users share a common CA then they are assumed toknow its public key• otherwise CA's must form a hierarchy• use certificates linking members of hierarchy to validate otherCA's– each CA has certificates for clients (forward) and parent(backward)• each client trusts parents certificates• enable verification of any certificate from one CA by users ofall other CAs in hierarchyStallings' Fig 14.401-Nov-2004 © 2004 Charles Abzug 44Certificate RevocationAuthentication Procedures• certificates have a period of validity• may need to revoke before expiry, eg:1. user's private key is compromised2. user is no longer certified by this CA3. CA's certificate is compromised• CA’s maintain list of revoked certificates– the Certificate Revocation List (CRL)• users should check certs with CA’s CRL• X.509 includes three alternative authentication procedures:• One-Way Authentication• Two-Way Authentication• Three-Way Authentication• all use public-key signatures01-Nov-2004 © 2004 Charles Abzug 4501-Nov-2004 © 2004 Charles Abzug 46One-Way AuthenticationTwo-Way Authentication• 1 message ( A->B) used to establish– the identity of A and that message is from A– message was intended for B– integrity & originality of message• message must include timestamp, nonce, B's identity and issigned by A• 2 messages (A->B, B->A) which also establishes in addition:– the identity of B and that reply is from B– that reply is intended for A– integrity & originality of reply• reply includes original nonce from A, also timestamp and noncefrom B01-Nov-2004 © 2004 Charles Abzug 4701-Nov-2004 © 2004 Charles Abzug 48

01-Nov-2004 © 2004 Charles Abzug 49Three-Way AuthenticationX.509 Version 3• 3 messages (A->B, B->A, A->B) which enables aboveauthentication without synchronized clocks• has reply from A back to B containing signed copy of noncefrom B• means that timestamps need not be checked or relied upon• has been recognised that additional information is needed in acertificate– email/URL, policy details, usage constraints• rather than explicitly naming new fields defined a generalextension method• extensions consist of:– extension identifier– criticality indicator– extension value01-Nov-2004 © 2004 Charles Abzug 50Certificate ExtensionsSummary• key and policy information– convey info about subject & issuer keys, plus indicators ofcertificate policy• certificate subject and issuer attributes– support alternative names, in alternative formats forcertificate subject and/or issuer• certificate path constraints– allow constraints on use of certificates by other CA’s• have considered:– Kerberos trusted key server system– X.509 authentication and certificates01-Nov-2004 © 2004 Charles Abzug 5101-Nov-2004 © 2004 Charles Abzug 52Data Encryption Standard (DES)Stallings' Fig. 3.501-Nov-2004 © 2004 Charles Abzug 5301-Nov-2004 © 2004 Charles Abzug 54

01-Nov-2004 © 2004 Charles Abzug 55Stallings' Fig. 3.6Stallings' Fig. 3.701-Nov-2004 © 2004 Charles Abzug 56Stallings' Table 3.2Stallings' Fig. 3.801-Nov-2004 © 2004 Charles Abzug 5701-Nov-2004 © 2004 Charles Abzug 58Stallings' Fig. 3.9Stallings' Table 3.301-Nov-2004 © 2004 Charles Abzug 5901-Nov-2004 © 2004 Charles Abzug 60

01-Nov-2004 © 2004 Charles Abzug 61Stallings' Table 3.4Stallings' Table 3.501-Nov-2004 © 2004 Charles Abzug 62Stallings' Fig. 3.15Advanced Encryption Standard (AES)01-Nov-2004 © 2004 Charles Abzug 6301-Nov-2004 © 2004 Charles Abzug 64Stallings' Table 5.3Stallings' Fig. 5.101-Nov-2004 © 2004 Charles Abzug 6501-Nov-2004 © 2004 Charles Abzug 66

01-Nov-2004 © 2004 Charles Abzug 67Stallings' Fig. 5.2Stallings' Fig. 5.301-Nov-2004 © 2004 Charles Abzug 68Stallings' Fig. 5.7END01-Nov-2004 © 2004 Charles Abzug 6901-Nov-2004 © 2004 Charles Abzug 70