Modern Cryptography
Code: ICE0605    Credit/Hour: 3/3
Prof: Kwangjo Kim (Tel. x6118), kkj@icu.ac.kr, http://vega.icu.ac.kr/~kkj
TA: Hyunrok Lee (tank@icu.ac.kr)
Hour: Mon./Wed. 19:00-20:15
Web page: http://caislab.icu.ac.kr/Lecture/data/2008/spring/ice605

Syllabus

1. Course Description
As an introductory course to cryptography and information security, this lecture introduces the security notions and basic building blocks of modern cryptography. We discuss the two typical kinds of cryptosystem: symmetric cryptosystems, which include block ciphers (DES and AES) and stream ciphers, and public key (asymmetric) cryptosystems such as RSA, ElGamal, elliptic curve cryptosystems, etc. Hash functions, digital signatures, key management and identification schemes, including zero-knowledge proofs, are also discussed. No prerequisites are required.

2. Textbook
- Main Textbook: Douglas R. Stinson, Cryptography: Theory and Practice, 3rd Ed., CRC Press, 2006, ISBN 1-58488-508-4
- Recommended Reading Material: Menezes et al., Handbook of Applied Cryptography, CRC Press, 1997, ISBN 0-8493-8523-7
- Handouts

3. Test and Evaluation
- Midterm Exam: 20%, Final Exam: 25%
- Homework: 15%, Quiz: 10%, Term Project: 25%, Attendance: 5%

Weekly Lecture

Wk  Contents                          Cmt
 1  Introduction/Conventional Cipher
 2  Block Cipher (I)                  Hw#1
 3  Block Cipher (II)                 Qz#1
 4  Cryptanalysis                     Hw#2
 5  Stream Cipher                     Qz#2
 6  Hash Functions/MAC                TR#1
 7  Midterm Exam
 8  Public Key Cryptosystem (I)
 9  Public Key Cryptosystem (II)      Hw#3
10  Digital Signature (I)             Qz#3
11  Digital Signature (II)            Hw#4
12  Identification                    Qz#4
13  ZKIP/Key Management               Hw#5
14  TP Presentation                   TR#2
15  Final Exam

Related Subject
• Mathematics
  - Number Theory
  - Algebra: Group, Ring & Field Theory
  - Elliptic curves
• Probability/Statistics
• Information Theory/Coding Theory
• Computational Complexity
  - algorithm, Turing machine
  - NP-completeness
• Quantum Computing, etc.

Who is interested in cryptology?
Traditional
• Government
• Diplomatic
• Military
• Finance
• Police
• Industrial
• Academic
• Standard
Emerging Applications
• Electronic Commerce
• Service Provider
• DRM/Digital Watermark
• Ubiquitous Security
• Rule and Regulations
• etc.
Security anywhere

Worldwide Academic Research
• USA
  - IACR (International Association for Cryptologic Research), http://www.iacr.org/ : Crypto ('81-), Eurocrypt ('82-), Asiacrypt ('91-), FSE, PKC, CHES
  - IEEE (Symposium on Privacy and Security)
  - ACM-CCS (Comp. & Comm. Security)
  - PKI Workshop ('01-), etc.
• Europe
  - ESORICS (European Symposium on Research in Computer Security)
  - EuroPKI ('04-), etc.
• Asia
  - Australia: Auscrypt ('90-'92), ACISP ('95-)
  - Japan: SCIS ('84-), CSS ('02-), IWSEC ('06-), Pairing ('07-)
  - Korea: KIISC (Korea Institute of Information Security and Cryptology) ('89-), http://www.kiisc.or.kr/, ICISC ('97-), IWDW ('02-), WISA ('0-), IWAP ('00-)
  - China: ICICS ('00-), ACNS ('02-)
  - Malaysia: Mycrypt ('05-)
  - India: Indocrypt ('99-)
  - Vietnam: Vietcrypt ('06-)

History of Asiacrypt
1900BC: Non-standard hieroglyphics
1500BC: Mesopotamian pottery glazes
50BC: Caesar cipher
1518: Trithemius' cipher book
1558: Keys invented
1583: Vigenere's book
1790: Jefferson wheel
1854: Playfair cipher
1857: Beaufort's cipher
1917: Friedman's Riverbank Labs
1917: Vernam one-time pads

Term Projects (Ex.)
- Cryptographic application in your own major field
- Design and/or cryptanalysis of a block cipher or stream cipher
- Design and/or cryptanalysis of public key cryptography
- Design of cryptographic protocols for key management or authentication, etc.
- New applications of cryptographic protocols for secure e-voting, secure WSN, etc.
- Efficient implementation of a cryptographic library in RFID, etc.

Questions
- Why are you taking this course?
- What do you expect after this course?
Basic Concepts (I)
Cryptology = Crypto (hidden) + Logos (word) = Cryptography + Cryptanalysis = Code Writing + Code Breaking
Terms: Encryption (Decryption), Key, Plaintext, Ciphertext, Deciphertext
[Figure: the sender computes C = E(P, Ke) with the encryption function E() and sends C over the insecure channel; the receiver computes P = D(C, Kd) with the decryption function D(); the keys Ke and Kd are delivered over the secure channel; the adversary observes the insecure channel.]

Basic Concepts (II)
Channel
◦ Secure: trust, registered mail, tamper-proof device
◦ Insecure: open, public channel
Entity
◦ Sender (Alice)
◦ Receiver (Bob)
◦ Adversary (Charlie)
Passive attack: wiretapping -> Privacy
Active attack: modification, impersonation -> Authentication

Basic Concepts (III)
Classification of crypto algorithms
◦ by date
  Traditional (~19C): Caesar
  Mechanical (WW I, II): Rotor Machine, Purple
  Modern ('50~): DES, IDEA, AES and RSA, ECC
◦ by number of keys
  Conventional: {1, single, common} key, symmetric
  Public key cryptosystem: {2, dual} keys, asymmetric
◦ by size of plaintext
  Block Cipher
  Stream Cipher

Security Requirements - Privacy
"Keeping information secret from all but those who are authorized to it."
[Figure: Eavesdropping. The attacker C (eavesdropper) listens on the channel between A and B.]
※ Pictures are taken from the CryptMail User's Guide, Copyright (C) 1994 Utimaco Belgium.

Security Requirements - Authentication
Entity authentication (or identification): corroboration of the identity of an entity (e.g., a person, a computer terminal, etc.)
Message authentication: corroboration of the source of information; also known as data origin authentication (= data integrity)
[Figure: Impersonation. C poses as A toward B.]

Security Requirements - Integrity
"Ensuring information has not been altered by unauthorized or unknown means."
[Figure: Modification. C alters the message in transit between A and B.]

Security Requirements - Non-repudiation
"Preventing the denial of previous commitment or actions."
[Figure: Repudiation. A: "I sent this message to you." B: "No, I didn't receive it."]

Basic Security Requirements
Privacy (or confidentiality): keeping information secret from all but those who are authorized to it.
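The model C = E(P, Ke), P = D(C, Kd) on a symmetric cipher (Ke = Kd), worked through as an added example that is not part of the lecture slides. It contrasts the traditional Caesar shift (a key space of only 26, so a ciphertext-only adversary can simply list every decryption) with the Vernam one-time pad, where for any candidate plaintext of the same length there is a key that explains the observed ciphertext. The messages and keys are constructed sample values; function names are this example's own.

```python
"""Symmetric model C = E(P, Ke), P = D(C, Kd) with Ke == Kd, shown on two ciphers:
a Caesar shift (traditional, 26 keys) and a one-time pad (unconditionally secure).
Added example; all messages and keys below are constructed sample values."""
import secrets
import string

ALPHABET = string.ascii_uppercase


def caesar_encrypt(plaintext: str, key: int) -> str:
    """E(P, Ke): shift each letter by `key` positions; non-letters pass through."""
    out = []
    for ch in plaintext.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)
    return "".join(out)


def caesar_decrypt(ciphertext: str, key: int) -> str:
    """D(C, Kd): the same key shifts back, so Kd == Ke (a symmetric cipher)."""
    return caesar_encrypt(ciphertext, -key)


def caesar_coa_candidates(ciphertext: str) -> list:
    """Ciphertext-only view of the adversary: with only 26 keys, every possible
    decryption can be listed and the readable one picked out. This is why the
    size of the key space is the first thing to check in any cipher."""
    return [caesar_decrypt(ciphertext, k) for k in range(26)]


def otp_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """One-time pad: C = P XOR K with a uniformly random key as long as the
    message and never reused. Reusing or truncating the pad breaks the proof."""
    if len(key) != len(plaintext):
        raise ValueError("one-time pad key must match plaintext length")
    return bytes(p ^ k for p, k in zip(plaintext, key))


otp_decrypt = otp_encrypt  # XOR is its own inverse: D(C, K) = C XOR K = P


def otp_key_explaining(ciphertext: bytes, candidate_plaintext: bytes) -> bytes:
    """Perfect secrecy in one line: for ANY candidate plaintext of the right
    length there is a key mapping it to the observed ciphertext, so C on its
    own gives the eavesdropper no way to prefer one plaintext over another."""
    if len(candidate_plaintext) != len(ciphertext):
        raise ValueError("candidate must match ciphertext length")
    return bytes(c ^ p for c, p in zip(ciphertext, candidate_plaintext))


if __name__ == "__main__":
    # constructed sample message and key
    p = "MEET AT DAWN"
    c = caesar_encrypt(p, 3)
    print("Caesar:", c, "->", caesar_decrypt(c, 3))
    print("COA candidate list contains the plaintext:", p in caesar_coa_candidates(c))

    msg = b"ATTACK AT DAWN"
    key = secrets.token_bytes(len(msg))      # fresh random pad of message length
    ct = otp_encrypt(msg, key)
    print("OTP round trip ok:", otp_decrypt(ct, key) == msg)
    # the eavesdropper's dilemma: a completely different plaintext is just as consistent
    other = b"RETREAT TODAY!"
    alt_key = otp_key_explaining(ct, other)
    print("OTP: alternative key explains", otp_decrypt(ct, alt_key))
```

The Caesar half shows the secure-channel assumption doing no work when the key space is tiny; the one-time pad half shows the other extreme, where the key delivered over the secure channel is as long as the message and the ciphertext alone carries no information about which plaintext was sent.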
Data integrity: ensuring information has not been altered by unauthorized or unknown means.
Authentication
  Entity authentication (or identification): corroboration of the identity of an entity (e.g., a person, a computer terminal, etc.)
  Message authentication: corroboration of the source of information; also known as data origin authentication
Signature: a means to bind information to an entity.
Access control: restricting access to resources to privileged entities.
Non-repudiation: preventing the denial of previous commitment or actions.

Advanced Security Requirements
Authorization: conveyance, to another entity, of official sanction to do or be something.
Validation: a means to provide timeliness of authorization to use or manipulate information or services.
Certification: endorsement of information by a trusted entity.
Revocation: retraction of certification or authorization.
Time stamping: recording the time of creation or existence of information.
Witnessing: verifying the creation or existence of information by an entity other than the creator.
Receipt: acknowledgement that information has been received.
Ownership: a means to provide an entity with the legal right to use or transfer a resource to others.
Anonymity: concealing the identity of an entity involved in some process.

A taxonomy of cryptographic primitives
Security Primitives
• Unkeyed Primitives
  - arbitrary length hash functions
  - 1-way permutations
  - RNG, PUF
• Symmetric-key Primitives
  - symmetric-key ciphers: block ciphers, stream ciphers
  - arbitrary length (keyed) hash functions (MAC)
  - signatures
  - identification primitives
• Public-key Primitives
  - public-key ciphers
  - signatures
  - identification primitives
RNG (Random Number Generator), PUF (Physically Unclonable Function)

Attacking Model (I)
By information available to the attacker
◦ COA (Ciphertext Only Attack)
◦ KPA (Known Plaintext Attack)
◦ CPA (Chosen Plaintext Attack)
◦ CCA (Chosen Ciphertext Attack)
• Kerckhoffs' principle: the attacker knows the cryptosystem being used

Attacking
Model (II)
• Exhaustive Key Search: Time = O(n), Space = O(1)
• (Pre-computed) Table Lookup: Time = O(1), Space = O(n)
• Time-Memory Tradeoff: Time = O(n^(2/3)), Space = O(n^(2/3))

Classification of Security
- Unconditionally secure: holds against an adversary with unlimited power; perfect (ex.: one-time pad)
- Provably secure: under the assumption of a well-known hard mathematical problem
- Computationally secure: measured by the amount of computational effort required by the best known methods (practically secure)

Brief History of Modern Cryptology
[Timeline figure, 1949 to 2007. Years on the axis: 1949, 1975, 1977, 1978, 1985/1987, 1988, 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1998, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007. Milestones shown: Shannon, The Communication Theory of Secrecy Systems; Diffie and Hellman; DES; RSA; ECC; Zero Knowledge Proof; Differential Cryptanalysis; DSA; Linear Cryptanalysis; Random Oracle Model; OAEP; SHA-1; Differential Fault Analysis; Polynomial based PKC; Impossible Differential Cryptanalysis; AES - FIPS 197; SHA-2; IBE from Pairing; ID based PKC w/o Random Oracle; E-Voting (Votopia); Collisions on Hash Functions; Certificateless PKC; Power of the Randomized Iterate; Cryptography with Constant Input Locality.]
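The three cost models of Attacking Model (II), measured on a constructed toy cipher, as an added example that is not part of the slides. The attacker is in the known-plaintext setting of Attacking Model (I): it holds one (P, C) pair and, per Kerckhoffs' principle, the cipher itself. The toy 16-bit Feistel cipher, the fixed plaintext, the key and the function names are all this example's own; "time" is counted in cipher evaluations and "space" in table entries. The Hellman part is a simplified single table with no reduction-function variants, so it shows the shape of the tradeoff (memory of m entries, online walk of at most t steps) rather than the O(n^(2/3)) bound, which needs several tables.

```python
"""Exhaustive search vs. precomputed table vs. a single Hellman time-memory
tradeoff table, on a constructed 16-bit toy cipher under a known-plaintext attack.
Added example; the cipher is deliberately tiny and is not a real algorithm."""
import random
from typing import Optional

KEY_BITS = 16
KEYSPACE = 1 << KEY_BITS        # n = 65536 keys, small enough to enumerate
FIXED_PT = 0x1234               # constructed known plaintext shared by all attacks
EVALS = {"count": 0}            # "time" = number of cipher evaluations


def toy_encrypt(key: int, block: int) -> int:
    """Constructed 4-round Feistel cipher on 16-bit blocks with a 16-bit key."""
    EVALS["count"] += 1
    left, right = block >> 8, block & 0xFF
    for rnd in range(4):
        round_key = ((key >> (4 * rnd)) & 0xF) ^ (key & 0xFF) ^ (rnd * 0x5B)
        f_out = ((right * 167 + round_key) ^ (right >> 3)) & 0xFF
        left, right = right, left ^ f_out
    return (left << 8) | right


def f(key: int) -> int:
    """key -> E_key(FIXED_PT). Block and key are both 16 bits, so the output can
    be fed straight back in as the next key of a Hellman chain."""
    return toy_encrypt(key, FIXED_PT)


def exhaustive_search(target_ct: int) -> Optional[int]:
    """Time O(n), space O(1): try keys in order until one explains the pair."""
    for key in range(KEYSPACE):
        if f(key) == target_ct:
            return key
    return None


def build_lookup_table() -> dict:
    """Space O(n): precompute ciphertext -> candidate keys for the fixed plaintext."""
    table = {}
    for key in range(KEYSPACE):
        table.setdefault(f(key), []).append(key)
    return table


def table_lookup(table: dict, target_ct: int) -> Optional[int]:
    """Time O(1) per attack once the table exists; no cipher evaluation at all."""
    keys = table.get(target_ct)
    return keys[0] if keys else None


def build_hellman_table(num_chains: int, chain_len: int, seed: int = 7):
    """Single simplified Hellman table: store only endpoint -> start points for
    num_chains chains of chain_len steps, i.e. num_chains entries instead of n."""
    rng = random.Random(seed)
    table, starts = {}, []
    for _ in range(num_chains):
        start = rng.randrange(KEYSPACE)
        y = start
        for _ in range(chain_len):
            y = f(y)
        table.setdefault(y, []).append(start)
        starts.append(start)
    return table, starts


def hellman_lookup(table: dict, chain_len: int, target_ct: int) -> Optional[int]:
    """Walk forward from the target for at most chain_len steps; on reaching a
    stored endpoint, regenerate that chain from its start and look for a key k
    with f(k) == target. Coverage is probabilistic (chains merge and not every
    key lies on a chain), so None is a legitimate answer."""
    y = target_ct
    for _ in range(chain_len):
        for start in table.get(y, ()):
            k = start
            for _ in range(chain_len):
                if f(k) == target_ct:
                    return k
                k = f(k)
        y = f(y)
    return None


if __name__ == "__main__":
    secret_key = 0xBEEF                 # constructed; unknown to the attacker
    target = f(secret_key)
    EVALS["count"] = 0
    k1 = exhaustive_search(target)
    print(f"exhaustive: key {k1:#06x} after {EVALS['count']} evaluations, O(1) memory")
    EVALS["count"] = 0
    table = build_lookup_table()
    k2 = table_lookup(table, target)
    print(f"table: key {k2:#06x}, {len(table)} entries built with {EVALS['count']} evaluations")
    EVALS["count"] = 0
    htable, starts = build_hellman_table(num_chains=1024, chain_len=64)
    precomp = EVALS["count"]
    EVALS["count"] = 0
    k3 = hellman_lookup(htable, 64, target)
    print(f"hellman: {len(htable)} entries (vs {KEYSPACE}), {precomp} precomputation "
          f"evaluations, {EVALS['count']} online evaluations, found={k3}")
```

Because the toy cipher is not a permutation of the key for a fixed plaintext, any attack may return a key other than the one used that still satisfies f(k) == C; a real attacker would confirm with a second known pair, and the defensive reading of the numbers is that once the key space is enumerable every one of these attacks works, and a precomputation done once is amortised over every future target.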