ece 646 – lecture 1 basic concepts of cryptology types of...
TRANSCRIPT
1
Basic Concepts of Cryptology
ECE 646 – Lecture 1
Types of Cryptosystems
CRYPTOLOGY
CRYPTOGRAPHY CRYPTANALYSIS
from Greek cryptos - hidden, secret logos - word graphos - writing
Basic Vocabulary
ciphertext (cryptogram,
encrypted message)
message (plaintext,
clear message)
message (plaintext,
clear message)
M C M
encryption (encipherment)
decryption (decipherment)
Sender Receiver
2
Cryptosystem (Cipher)
message
ciphertext
cryptographic key
N bits
M bits
K bits
Definition of a cryptosystem (cipher)
M C
family of enciphering transformations
family of deciphering transformations
K key K
message space ciphertext space key space
enciphering transformation EK(M)
deciphering transformation DK(C)
K ∈ K M ∈ M DK(EK(M)) = M
Substitution Cipher
Key = a b c d e f g h i j k l m n o p q r s t u v w x y z f q i s h n c v j t y a u w d r e x l b m z o g k p
TO BE OR NOT TO BE
BD QH DX WDB BD QH
TO BE OR NOT TO BE
enciphering
deciphering
Number of keys = 26! ≈ 4 × 1026
3
Kerckhoff’s principle
The security of a cipher MUST NOT depend on anything that cannot be easily changed
Auguste Kerckhoff, 1883, Dutch Linguist and Cryptographer
Unpublished vs. published algorithm? Unpublished algorithm Published algorithm
1. Cryptanalysis must include recovering the algorithm 2. Smaller number of users, smaller motivation to break 3. Unavailable for other countries
1. The only reliable way of assessing cipher security 2. Prevents backdoors hidden by designers 3. Large number of implementations = low cost + high performance 4. No need for anti-reverse- engineering protection 5. Software implementations 6. Domestic and international standardization
Fundamental Tenet of Cryptography
If lots of smart people have failed to solve a problem, then it probably will not be
solved anytime soon.
4
Breaking ciphers used in GSM, 1999 (1)
GSM - world's most widely used mobile telephone technology (extended into 3G UMTS and 4G LTE Advanced)
• About 90% market share of all cellular phones • about 5 billion subscribers across more than 200 countries and territories
Initially, two voice encryption algorithms: A5/1 and A5/2
encrypt voice between a cell phone and a base station
Breaking ciphers used in GSM (2)
Both voice encryption algorithms • never published • designed and analyzed by the secretive "SAGE" group (part of ETSI – European Telecommunications Standard Institute) • A5/1 believed to be based on the modified French naval cipher
Both algorithms reverse-engineered by Marc Briceno (Smartcard Developer Association) published by the Berkeley crypto group A5/1 in May 1999, A5/2 in August 1999
Breaking ciphers used in GSM (3) Published attacks
May 1999, Jovan Golic
Number of operations in the attack ~ 240
A5/1
December 1999, Alex Biryukov and Adi Shamir Less than 1 second on a single PC with 128 MB RAM and two 73 GB hard disks. Based on the analysis of the A5/1 output during the first two minutes of the conversation.
A5/2 August 1999, Ian Goldberg and David Wagner, U.C. Berkeley
Number of operations in the attack ~ 216
5
Breaking ciphers used in GSM (4) Recent Attacks
Published in 2003, based on the Japanese cipher Kasumi. A5/3
A5/2 German computer engineer Karsten Nohl published a 2 TB rainbow table which enables deriving a session key for any particular conversation with minimal hardware support.
Built into about 40% of available handsets, but so far
not always activated by mobile carriers.
Breaking ciphers used in GSM (5) Recent Attacks
A5/3 Crypto conference, August 15-19, 2010
An attack against Kasumi announced by Israeli researchers Orr Dunkelman, Nathan Keller, Adi Shamir.
Complexity: 226 bytes of encrypted data, 230 bytes of memory, 232 operations: single PC, 96-bit key in a few minutes 128-bit key in less then two hours
Breaking ciphers used in GSM (6) Recent Attacks
A5/3 2010 attack is a related-key attack – attacker must be able to observe the results of encryptions using keys that have a known relationship. It is not clear that the Kasumi algorithm (A5/3) is used by the protocol in a way that would allow this attack to succeed. Interestingly, the Kasumi algorithm is closely based on a Mitsubishi algorithm known as MISTY1. MISTY1 is not vulnerable to the 2010 attack…
6
Attack on Mifare Classics Dec 2007-Apr 2008
Secret algorithm Crypto-1 developed by Philips used, among the others, in the public transport system cards in London (Oyster card), Boston (CharlieCard), Perth (SmartRider), Seoul (T-money), Busan (Mybi), and in Netherlands (OV-Chipkaart) easily broken after successful reverse engineering of the chip. A total of about 1 billion cards all over the world.
Features required from today’s ciphers
STRENGTH
FUNCTIONALITY • easy key distribution • digital signatures
PERFORMANCE
Block vs. stream ciphers
Types of Cryptosystems (1)
7
Block vs. stream ciphers
Stream cipher
Internal state - IS Block cipher
K K
M1, M2, …, Mn m1, m2, …, mn
C1, C2, …, Cn c1, c2, …, cn
Ci=fK(Mi) ci = fK(mi, ISi) ISi+1=gK(mi, ISi)
Every block of ciphertext is a function of only one
corresponding block of plaintext
Every block of ciphertext is a function of the current block
of plaintext and the current internal state of the cipher
Typical stream cipher Sender Receiver
Pseudorandom Keystream Generator
mi
plaintext
ci
ciphertext
ki keystream
key initialization vector (seed)
Pseudorandom Keystream Generator
mi plaintext
ci
ciphertext
ki keystream
key initialization vector (seed)
Secret-key vs. public-key ciphers
Types of Cryptosystems (2)
8
Secret-key (Symmetric) Cryptosystems
key of Alice and Bob - KAB key of Alice and Bob - KAB
Alice Bob
Network
Encryption Decryption
Key Distribution Problem
N - Users N · (N-1) 2
Keys
Users Keys
100 5,000 1000 500,000
Public Key (Asymmetric) Cryptosystems
Public key of Bob - KB Private key of Bob - kB
Alice Bob
Network
Encryption Decryption
9
Classification of cryptosystems Terminology
secret-key symmetric symmetric-key classical conventional
public key asymmetric
One-way function X f(X) Y
f-1(Y)
EXAMPLE: f: Y=f(X) = AX mod P
where P and A are constants, P is a large prime, A is an integer smaller than P
Number of bits of P Average number of multiplications necessary to compute f f -1
1000 1500 1030
Trap-door one-way function
X f(X) Y
f-1(Y)
Whitfield Diffie and Martin Hellman “New directions in cryptography,” 1976
PUBLIC KEY
PRIVATE KEY
10
Key Distribution Alice Bob
message
ciphertext
message
ciphertext
Bob’s public key
Bob’s private key
Bob’s public key
message
ciphertext
Bob’s public key
Intruder
Evaluating the security of secret-key ciphers
Classification of attacks (1)
Ciphertext-only attack
Given:
Looked for:
Example: Frequency analysis of letters in the ciphertext (effective only for most simple historical ciphers)
plaintext
ciphertext
or key
11
Classification of attacks (2) Known plaintext attack
Given:
Looked for:
Example:
remaining plaintext
ciphertext
or key
guessed fragment of the plaintext
exhaustive key search (brute-force ) attack
successive keys cipher
Classification of attacks (3) Chosen plaintext attack
Given:
Looked for:
Example:
key
Differential cryptanalysis
Encryption module key
Capability to encipher an arbitrarily chosen fragment of the plaintext
Encryption module key
Mi Mi*
Ci Ci*
i=1..N
Classification of attacks (4)
Chosen ciphertext attack
Given:
Looked for: key
Encryption module key
Capability to decipher an arbitrarily chosen fragment of the ciphertext
12
Implementing Cryptography
Software or hardware?
SOFTWARE HARDWARE security of data
during transmission
flexibility (new cryptoalgorithms,
protection against new attacks)
speed
random key generation
access control to keys
tamper resistance (viruses, internal attacks)
low cost
Basic hardware implementations of cryptography
• VLSI chip (ASIC, FPGA)
• smart card
• cryptographic card
• stand-alone cryptographic device
13
Why are cryptographic chips needed?
• hardware accelerators for web servers SSL (Secure Sockets Layer)/TLS (Transport Layer Security) – cryptographic protocols used by majority of today’s web servers to protect credit card numbers and other sensitive information for on-line transactions, such as buying a book on the amazon.com SSL 2.0 => SSL 3.0 => TLS 1.0 => TLS 1.1 => TLS 1.2
Why are cryptographic chips needed?
• hardware accelerators for Virtual Private Networks (VPNs) IPSec (Secure Internet Protocol) – cryptographic protocol used to support VPNs (Virtual Private Networks), i.e., secure communication between remote Local Area Networks (LANs) using Internet IPSec optional in IP ver. 4, required in emerging IP ver. 6 Acceleration can be provided using: - secure gateways
Virtual Private Network
• local networks may belong to the same or different organizations • security gateways may come from different vendors
Internet
Security gateway
Security gateway .
.
.
.
.
.
.
.
Cryptographic end points
Host
Host
Host
Host
Remote user
14
Why are cryptographic chips needed?
• hardware accelerators for wireless gateways IEEE 802.11 – most popular wireless protocol including strong encryption and authentication
Wireless
gateway
Why are cryptographic chips needed?
• secure satellite communications
• secure phones
• secure storage
• secure XML supply chain communication
• cipher breaking
• secure PDAs
Evolution of cryptography and cryptanalysis
cryptography
cryptanalysis
2000 1990 1980 1970 1940 1920
mathematics
engineering
physics
DES RSA ECC
algebra statistics number theory
rotor machines
enciphering devices
integrated circuits
software packages
operating systems
quantum cryptography
mathematics
engineering
physics
statistics permutation theory
cryptologic bombs
supercomputers computer networks
quantum computing
mainframes
number theory
2010
Pairing-based
specialized hardware
algebra
specialized instructions
Post-quantum
15
Progress in Implementations of Cryptography
Jefferson disk, 1795
First Rotor Machines
Hebern Machine, 1917-1918 Hagelin Machine, 1925-1940’s
16
Enigma
Cryptographic chips and boards
Progress in Implementations of Cryptoanalysis
17
British Cryptologic Bomb Used to Break Enigma
Colossus: First Mainframe
Supercomputer Cray
Computer Museum, Mountain View, CA
18
Ruhr University, Bochum, University of Kiel, Germany, 2006
120 Spartan 3 FPGAs Clock frequency 100 MHz
Cost: € 8980
COPACOBANA
CAIRN 3 – Specialized Machine to Break RSA
Tetsuya Izu and Jun Kogure and Takeshi Shimoyama (Fujitsu)
CHES 2007 – September 2007
2007
Japan