CS651 Security
April 18, 2001
Shaun Arnold, Thomas Daniels, Chris Taylor, Mike Walker
• Cryptography seems like a great idea but …
– how easily is it broken
– how well designed are the algorithms
– what are performance trade offs
– can it be analyzed
• Goal: Find answers or postulations to most
(or all) of these questions
• Mono-alphabetic ciphers
• Poly-alphabetic ciphers (Vigenere)
• Rotor machine
• Statistical analyzer
• Breaking mono-alphabetic cipher
• Key length analysis
• Breaking poly-alphabetic cipher
• RSA
• Breaking the RSA implementation
• Definition
– A technique that replaces a single letter with another single letter.
An example: a b c d e f g h i j k l m n o p q r s t u v w x y z
T H O M A S U V W X Y Z B D C F G I J K E L N Q R P
• Caesar Cipher
– Replaces each letter of the alphabet with the letter three places down in the alphabet.
• General Shift Cipher
– Replace each letter of the alphabet with the letter n places down in the alphabet with wrapping.
• Keyspace
– Normal: 26! keys
– Shift cipher: 25 keys
• Strengths
– Easy computation.
– Fast to encrypt and decrypt.
• Weaknesses
– For the shift cipher, there are only 25 keys.
– Sentence structure is maintained
– Regularities of the language are maintained.
• Definition
– The use of multiple monoalphabetic substitutions as one proceeds through a plaintext message.
– Includes:
A set of related monoalphabetic substitution rules
A key determines which rule to choose.
• Strengths
– Stronger than monoalphabetic
– Large keyspace
• Example: Vigenere
– Given a key letter x and a plaintext letter y , the ciphertext is at the intersection of the row labeled x and the column labeled and the column labeled y.
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
A A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
B B C D E F G H I J K L M N O P Q R S T U V W X Y Z A
C C D E F G H I J K L M N O P Q R S T U V W X Y Z A B
D D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
E E F G H I J K L M N O P Q R S T U V W X Y Z A B C D
F F G H I J K L M N O P Q R S T U V W X Y Z A B C D E
G G H I J K L M N O P Q R S T U V W X Y Z A B C D E F
H H I J K L M N O P Q R S T U V W X Y Z A B C D E F G
I I J K L M N O P Q R S T U V W X Y Z A B C D E F G H
J J K L M N O P Q R S T U V W X Y Z A B C D E F G H I
K K L M N O P Q R S T U V W X Y Z A B C D E F G H I J
L L M N O P Q R S T U V W X Y Z A B C D E F G H I J K
M M N O P Q R S T U V W X Y Z A B C D E F G H I J K L
N N O P Q R S T U V W X Y Z A B C D E F G H I J K L M
O O P Q R S T U V W X Y Z A B C D E F G H I J K L M N
P P Q R S T U V W X Y Z A B C D E F G H I J K L M N O
Q Q R S T U V W X Y Z A B C D E F G H I J K L M N O P
R R S T U V W X Y Z A B C D E F G H I J K L M N O P Q
S S T U V W X Y Z A B C D E F G H I J K L M N O P Q R
T T U V W X Y Z A B C D E F G H I J K L M N O P Q R S
U U V W X Y Z A B C D E F G H I J K L M N O P Q R S T
V V W X Y Z A B C D E F G H I J K L M N O P Q R S T U
W W X Y Z A B C D E F G H I J K L M N O P Q R S T U V
X X Y Z A B C D E F G H I J K L M N O P Q R S T U V W
Y Y Z A B C D E F G H I J K L M N O P Q R S T U V W X
CARS CA RSCARS CARS
THIS IS REALLY COOL
VHZK KS IWCLCQ EOFD
Z Z A B C D E F G H I J K L M N O P Q R S T U V W X Y
• Another form of letter substitution
• Used during World War II by the Germans and the
Japanese (enigma and purple)
• Hardwired connections from 26 incoming contacts to 26 outgoing contacts on each rotor
• As each letter was typed, the rotors would rotate like an odometer
• Key for a message would consist of initial configuration of the rotors (26^3 keyspace)
• An array of 26 offsets specifies the contact configuration of one rotor
– only one-to-one correspondences are allowed
– 26! possible configurations for each rotor
• (26!)^3 possible different machines could be built
• For a particular machine (contacts fixed), there are 26^3 possible initial configurations for a message (key space)
• Letter substitution repeats after 26^3 letters
This plaintext is to be encrypted with the rotor engine using the configuration given in
Stalling page forty three in figure eight of chapter two
JSHK RHHKMVNVZ SA ND TC YEZEPWHYK AAGD
NNG YSYKK GVOVFL RRKSY RRI IZNBJKJWTIPTO
YPRET IC IEODDCAZ HZBZ YRKKH YIPCN IK
LOWOJX CJXKK DC MZWAGDJ EOX
“The first step in breaking any cipher is to try to find features which correspond to the original plaintext. Whereas codes substitute groups of letters or figures for words, phrases, or even complete concepts, ciphers replace every individual letter of every individual word. They therefore tend to reflect the characteristics of the original language of the original text. This makes them vulnerable to studies of letter frequency
.”
• Reports the frequency of occurrence of all individual letters and any double and triple letter groups which appear above a given threshold (e.g. >= 5%)
• Very useful for breaking monoalphabetic ciphers
• Also a good profiler for patterns in specific genres of plaintext
•
Here is some English prose to get frequency statistics on.
– 1 0 2 0 8 1 2 2 4 0 0 1 1 3 4 1 1 3 7 5 1 0 0 0 1 0
– a b c d e f g h i j k l m n o p q r s t u v w x y z
– 3 2 2 2 2 2 2
– is en et re so st ti
– no three letter groups appeared more than once
• This text is too short to get good results
• Messages as short as 94 letters were broken relatively easily (~3.6 * key length)
• First run statistical analyzer on ciphertext
• Using resulting statistics and clever observations, begin to make guesses at character substitutions
• Unix tr utility is very useful to progressively substitute into the ciphertext
f for se c s rets are e d ge d too e e e l t s an d must a V e e W e N s t from f c rom J hi BP re n a n P f rom G f oo B s G e BB P o n e team s e
G e BB PCO e t R ea m t RXQ s e s r m essa a g e i e Q s a s XCDR
CO e a b c d e f g h i j k l m n o p q r s t u v w x
0 5 10 7 6 0 1 0 10 2 0 0 5 1 5 6 3 7 1 14 0 1 1 3 4 2
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
DT - 3, YDC - 2, EOP - 2, DCM - 2, COT - 2, CCB -2, CBI - 2
• Assume dealing with poly-alphabetic cipher
• Two letter combinations
• Let’s get VERBOSE
• Whoa!, Too Much Information (TMI)
• Establish key length
• Attack (assumed Vigenere)
– Brute-force automation
– Trial and Error (random walk)
– Other clever (or not so clever) means
• 4 blocks of cipher text of varying length
– 55 char, 10 words
– 4282 char, 765 words
– 4194 char, ? words
– 771 char, 123 words
• Keylengths respectively
– 18?, 7, 11, 7
• First three had spaces to delimit words
– all but shortest was cracked (and that could have been done with brute force)
– one had unencrypted years (trivial)
– crack time: ~ 2 hours
• No spaces to delimit words
– became much more difficult
– crack time: ~ 5-6 hours
• Assume “the” is in passage somewhere
• Start at beginning and work it
• Ex.
pgpwhgeIkhbfapwzbsvmjhjzjrrzdgbsyandvirczcnnknptfxikoahjxusioomovmubpr
...
1234567890112345678901123456789011234567890112345678901123456789 nhe nis
DECRYPTED TEXT
POSSIBLE KEY
• RSA Implementation
• Attacking RSA Implementation
• 64-bit asymmetric block encryption
C = M e mod n
M = C d mod n = (M e mod n) d mod n = M ed mod n
KU = {e, n}; KR = {d, n} n = pq; p and q are large primes
• BigInt class allows arbitrary integer length
– Typical prime: 24-33 decimal digits
– Typical e: 4 digits
– Typical n: 48 – 66 digits
– Latest RSA challenge (n): 155 digits factored in ~5 months (1999)
• Intercept encrypted email message:
Date: Tue, 27 Mar 2001 22:05:41 -0500 (EST)
From: Shaun C. Arnold sca7m@cs.virginia.edu
20105813699066933652114750065334914038566035999047214
40965537435712718982167337205677653313428359179535719
31719124736396128899063853421163843776098975111964558
29319273754942488085059927130420128944948701514530867
5607425258175809522455958025037536184380738224357998
36892698252078898979704532606448317684588947647820846
46138545006120238968599008085448357757447537785680901
6714823353811366414574730869546386941974433807952398 […]
• Assume RSA implementation is known
• Only ciphertext is available
• Timing attack: Exploit prime number generator implementation main(){
BigInt P = GetPrime();
BigInt Q = GetPrime();
[…]
GetPrime( ) { srand48( (unsigned int) time(0) );
BigInt N = rand_int( 10 24 , 10 33 ); if( n % 2 == 0) { n = n + 1; } while(!is_prime( N )) { N += 2; } return N;
}
• Total time since project assigned: 7,862,400 seconds
• Determine search space
– Script measured prime number generation
• 14 - 82 seconds per number on dept. machines
– 12-110 seconds for prime number generation
– Run within ~5 minutes of email timestamp (300 sec.)
– ~30,000 search combinations * 2 min = ~42 days, or
3,628,800 seconds
• Parallel execution of crack program
– 103 450-Mhz PII Linux machines (Centurion)
– ~12 hours running time
Date: Fri, 6 Apr 2001 20:13:52 -0400
From: Andrew Grimshaw <grimshaw@virginia.edu>
To: Michael Pittman Walker <mpw7t@cs.virginia.edu>
Subject: crackdriver
Mike,
This code is killing the net. What is it? It is all over the testnet machines.
Nuke it now please.
Andrew
• 19 Megs output:
Start: 985748522 Second: 985748581
>c`bW+^E^R#(SbM^]1Z^E^Bi=@=!;^LV\BQRY^G^P^PN0Uz^CY<}b^Vc)@R`
+LT#^P,]^c>{^^YH+*^M85-^W#&[$K*^BS^E
Start: 985748522 Second: 985748582
Anyone who attempts to generate random numbers by deterministic means is of course living in a state of sin
John von Neumann
Start: 985748522 Second: 985748583
,*!F^E&/^F.>Y.^EUM^X^DAaO^C^AXT^[L/0>^PaSGy@^X^S5^PM5B^Rna^B
^X?^V{DE^\C^T^QA WS^O7a'^Y0*
• Length of text and redundancy influence cryptanalysis
• Long keys make cryptanalysis difficult for poly (keylength:text length)
• RSA (and other algorithms) strength depends on correctness of implementation
1. How hard is cryptanalysis without knowing the algorithm?
2. When does cryptanalysis become infeasible?
• In general, cryptographic strength should not rest on this. Assume the cracker knows.
• Nature of plaintext (CC #, English prose)
– how much of the plaintext space is meaningful?
– Redundancy in message
• Ratio of message length to key length
• Plaintext/Ciphertext pairs
• Key length >= Message length?
– Focus on the key instead of the message
• One time pad
• The quick brown fox jumps over the lazy dog
– 1 1 1 1 3 1 1 2 1 1 1 1 1 1 4 1 1 2 1 2 2 1 1 1 1 1
– a b c d e f g h i j k l m n o p q r s t u v w x y z
– 35 letters total
– only 2 repeated double letter combos (th, he)
– only 1 repeated triple letter combo (the)
• The quick brown fox jumps over a lazy dog
– 2 1 1 1 2 1 1 1 1 1 1 1 1 1 4 1 1 2 1 1 2 1 1 1 1 1
– a b c d e f g h i j k l m n o p q r s t u v w x y z
– 33 letters total
– no repeated double letter combos
– no repeated triple letter combos
• Even a monoalphabetic cipher (26 letter key) would be difficult to break