12/2
advertisement
COS 109 Wednesday December 2 • Housekeeping – Final exam – January 18 (Monday) at 7:30PM In class, 3 hour exam – A review session will be scheduled in advance of the exam • Today’s class – A history of codes from Caesar to Turing – Issues in designing a code/cryptosystem – Public key cryptosystems Caesar Cipher • to encode, replace A by D, B by E, C by F, etc. • to decode, replace D by A, E by B, F by C, etc. Fubswrjudskb Ghfubswhg Cryptography Decrypted Why is it a “Caesar” cipher? "Exstant et ad Ciceronem, item ad familiares domesticis de rebus, in quibus, si qua occultius perferenda erant, per notas scripsit, id est sic structo litterarum ordine, ut nullum verbum effici posset; quae si qui investigare et persequi velit, quartam elementorum litteram, id est D pro A et perinde reliquas commutet. “... quae si qui investigare et persequi velit, quartam elementorum litteram, id est D pro A et perinde reliquas commutet.” “The way to decipher those epistles was to substitute the fourth for the first letter, as D for A, and so for the other letters respectively.” C. Suetonius Tranquillus (~70-130 AD) Lives of the 12 Caesars 1. Julius Caesar, LVI (~123 AD) translation of Dr. Alexander Thomson, 1796 Taking Caesar one step further • Substitution ciphers – Substitute a new letter for each letter Simplest form – Rot13 a<->n, b<->o, …., m<->z More complex form fkbynuxtgjacievompdhqszwlr for abcdefghijklmnopqrstuvwxyz So, a becomes f, b becomes k, …. computer science becomes bvioqhnp dbgnebn – Fairly easily broken, but make for good puzzles, sharing secrets in school, keeping information from being exposed A sample substitution cipher • Cipher text – a po ifydwafm tkacafm qdgi af ypsprqkaxc. ow qdgi fisik epr pfw hvmr • Cracking the code – a must correspond to I, afm occurs at the end of a few words, maybe it means ING. So, we have I po ifydwING thIcING qdgi IN ypsprqkaxc. ow qdgi Nisik epr pNw hvGr – Either p or o must be a vowel, if p is not a vowel, w is, but that causes a problem; let’s try A for p I Ao ifydwING thIcING qdgi IN yAsAqkaxc. ow qdgi Nisik eAr ANw hvGr – o must be M and w must be Y I AM ifydYING thIcING qdgi IN yAsAqkaxc. MY qdgi Nisik eAr ANY hvGr – Where are the other vowels, let’s try E for i I AM EfydYING thIcING qdgE IN yAsAqkaxc. MY qdgE NEsEk eAr ANY hvGr – 3rd word must be ENJOYING I AM ENJOYING thIcING qOgE IN JAsAqkaxc. MY qOge NEsEk eAR ANY hvGr – Thinking a bit yields I AM ENJOYING WRITING CODE IN JAVASCRIPT. MY CODE NEVER HAS ANY BUGS CIA Kryptos sculpture Breaking the codes Codes already cracked The first message is a poetic phrase that Sanborn composed: “Between subtle shading and the absence of light lies the nuance of iqlusion.” The second one hints at something buried: “It was totally invisible. How’s that possible? They used the earth’s magnetic field. x The information was gathered and transmitted undergruund to an unknown location. x Does Langley know about this? They should: it’s buried out there somewhere. x Who knows the exact location? Only WW. This was his last message. x Thirty eight degrees fifty seven minutes six point five seconds north, seventy seven degrees eight minutes forty four seconds west. x Layer two.” WW, Sanborn told WIRED in 2005, refers to William Webster, director of the CIA at the time of the sculpture’s completion. Sanborn was forced to provide Webster with the solution to the puzzle to reassure the CIA that it wasn’t something that would embarrass the agency. The third message is a take on a passage from the diary of English Archaeologist Howard Carter describing the opening of King Tut’s tomb on Nov. 26, 1922. “Slowly, desparatly slowly, the remains of passage debris that encumbered the lower part of the doorway was removed. With trembling hands I made a tiny breach in the upper left-hand corner. And then, widening the hole a little, I inserted the candle and peered in. The hot air escaping from the chamber caused the flame to flicker, but presently details of the room within emerged from the mist. x Can you see anything? q” The Enigma The enigma’s recent glory Alan Turing *38 Engima simulator How valuable was the enigma? http://www.christies.com/lotfinder/a-three-rotor-enigma-cipher-machine-circa1939/5480138/lot/lot_details.aspx?from=searchresults&intObjectID=5480138&sid=cd7530ab-2586-4515-b057-fc353206ad81 Uses of cryptography • Warfare – Caesar cipher for communication with officers in the field – Enigma used by Germans to communicate • Secure communications – Tor scheme for onion routing • Commerce – Sharing of credit card information Cryptography basics • Alice & Bob want to exchange messages – keeping the content secret – though not the fact that they are communicating • they need some kind of secret method that scrambles messages – makes them unintelligible to bad guys but intelligible to good guys – Method cannot overly delay communication • the secret is a "key" (like a password) – known only to the communicating parties – that is used to do the scrambling and unscrambling – for Caesar cipher, the "key" is the amount of the shift (A => D, etc.) – for substitution ciphers, the key is the permutation of the alphabet – for Enigma, key is wiring and position of wheels plus settings of patches – It has to be possible to manage (e.g. remember) the key Modern secret key cryptography • messages encrypted and decrypted with a shared secret key – usually the same key for both operations ("symmetric") • encryption/decryption algorithm is known to adversaries – "security by obscurity" does not work • attacks – decrypt specific message(s) by analysis various combinations of known or chosen plaintext and ciphertext – determine key by "brute force" (try all possible keys) • if key is compromised, all past and future messages are compromised • big problem: key distribution – need a secure way to get the key to both/all parties diplomatic pouches, secret agents, … – doesn't work when the parties don't know each other – or have no possible channel for exchanging a secret key – or when want to exchange secret messages with many different parties e.g., credit card numbers on Internet Popular schemes -- DES and AES • Data Encryption Standard (DES) – developed ~1977 by IBM, with NSA involvement – widely used, though lingering concerns about trap doors – 56-bit key is now much too short: can exhaustively test all keys in a few hours with comparatively cheap special-purpose hardware – "triple DES" uses 3 DES encryptions to increase effective key length • Advanced Encryption Standard (AES) – result of an international competition run by NIST (www.nist.gov/aes) – completely open: algorithms and analyses in public domain – Rijndael: winning algorithm selected October 2000 approved as official US government standard – 128, 192, 256-bit keys – fast in both hardware and software implementations Advanced Encryption Standard (AES) • Rijndael – Joan Daemen & Vincent Rijmen, Belgium – 128, 192, 256-bit keys Public key cryptography • fundamentally new idea – Diffie & Hellman (USA, 1976); earlier in England but kept secret • each person has a public key and a private key – the keys are mathematically related – a message encrypted with one can only be decrypted with the other • public keys are published, visible to everyone • private keys are secret, known only to owner • Alice sends a secret message to Bob by – encrypting it with Bob's public key – only Bob can decrypt it, using his private key • Bob sends a secret reply to Alice by – encrypting it with Alice's public key – only Alice can decrypt it, using her private key • Eve knows Alice and Bob are talking – but can’t decrypt what they are saying RSA public key cryptographic algorithm • most widely used public key system • invented by Ron Rivest, Adi Shamir, Len Adleman, 1977 – patent expired Sept 2000, now in public domain • based on (apparent) difficulty of factoring very large integers – "large" >= 1024 bits ~ 300 digits – public key based on product of two large (secret) primes – encrypting and decrypting require knowledge of the factors • slow, so usually use RSA to exchange a secret "session key" – session key used for secret key encryption with AES – used by SSH for secure login – used by browsers for secure exchange of credit card numbers https: http with encryption – SSL (Secure Sockets Layer) or TLS (Transport Layer Security) used to encrypt TCP/IP Public key personae • Martin Hellman, Whitfield Diffie • Adi Shamir, Ron Rivest, Len Adleman Website of the day • http://1000.chromeexperiments.com/ Encryption • The most basic problem in Cryptography is Encryption: Private Message m Bob Alice Eve the eavesdropper Encryption • Have to make it easy for Bob to recover m • But hard for Eve to learn anything about m Encrypted Message E(m) Bob Alice Eve the eavesdropper Public-Key Cryptography [Diffie-Hellman 1976] Bob’s Public Key Bob’s Secret Key Bob • Everybody knows Bob’s published Public Key. • Only Bob knows his secret key. Public-Key Encryption Encrypted Message E(m) Alice Bob • Alice uses Bob’s public key to encrypt m. • Bob uses his secret key to recover (decrypt) m. Public-Key Encryption Encrypted Message E(m) Alice Eve the eavesdropper Bob • Alice and Eve both know Bob’s public key. • Eve must not be able to “break” the encryption even though she knows the public key. Sidebar on Prime Numbers • • A number p is called prime if its only factors are 1 and itself Examples: 2,3,7,11,13, … • There are lots of prime numbers. • Fact: It is known how to check quickly if a number is prime or not. • So, to find a big prime number, we can just keep generating large random numbers until we find a prime. Sidebar on Primes (cont.) • Given two primes p and q, it is easy to multiply them together: N = pq • But given N, how do you find p and q quickly? i.e. how do you factor N? – Easy for small numbers (e.g. 6 or 35) • For centuries, mathematicians have been trying to find ways to factor large numbers quickly. No one knows how! • Factoring a 10,000 digit N would take centuries on the fastest computer in existence! How do we know factoring is hard? • Problem has a long history • Prizes are offered and have been for a long time • Factoring progress happens slowly • Factor RSA-896 which is 4120234369866595438555313653325759481798116998443279 8284545562643387644556524842619809887042316184187926 1420247188869492560931776375033421130982397485150944 9091069102698610318627041148808669705649029036536588 6743373172081310410519086425479328260139125762403394 6373269391 and get a $75,000 prize • With current algorithms, Moore’s Law adds a digit or 2 every year Basic Math & Crypto • We want to make it so that if Eve the eavesdropper breaks our system, she would have to factor a very large number. • We’ll (almost) do that. Modular Arithmetic • … Ordinary Arithmetic: -4 • -3 -2 -1 0 1 2 3 Arithmetic Modulo N: N=0 1 (N – 1) 2 (N – 2) (N – 3) 3 … 4 … Modular Arithmetic • Example: Arithmetic Modulo 12 (like Arithmetic on time) • 3 + 11 (Modulo 12) = 2 • 2 – 4 (Modulo 12) = 10 • 5 * 4 (Modulo 12) = 8 • 4 * 3 (Modulo 12) = 0 The RSA Encryption Scheme [Rivest Shamir Adleman 1978] • Bob picks two large primes p and q, and computes: N = pq • Fact: Because Bob knows p and q, he can pick numbers e and d such that: • For all m: d (me) = m (Modulo N) • Bob’s Public Key will be e, N • Bob’s secret key will be d The RSA Encryption Scheme • Fact: Because Bob knows p and q, he can pick numbers e and d such that: • For all m: d e (m ) = m (Modulo N) • To Encrypt a message m, Alice computes: • E(m) = me (Modulo N) • To Decrypt, Bob computes: • m = E(m)d (Modulo N) The RSA Encryption Scheme • To Encrypt a message m, Alice computes: • E(m) = me (Modulo N) • The only known way to compute m from E(m) involves factoring N. • For Eve to break this system, she would have to solve a long-standing open problem in Mathematics. Digital signatures • can use public key cryptography for digital signatures – if Alice encrypts a message with her private key – and it decodes properly with her public key – it had to be Alice who encoded it • signature can be attached to a message – Alice encrypts a message with her private key – Alice encrypts the result with Bob's public key – only Bob can decrypt this (with his private key) but it won't make any sense yet – Bob then decrypts it with Alice's public key – if it decodes properly, it had to be Alice who encrypted it originally • necessary properties of digital signatures – – – – can only be done by the right person: can't be forged can't re-use a signature to sign something else signature attached to a document: signs specific contents signature can't be repudiated Secure hashes • digital signature usually done by signing a ”secure hash" or “message digest” of a document, not the document itself • secure hash algorithm reduces input data to a comparatively short number such that – any change to the original document produces a completely different hash – can't deduce the original document from the number – can't find another document that has the same hash • current secure hash algorithms – MD5 (Rivest, MIT): 128 bits – SHA-1 (US government standard): 160 bits – SHA-2 (also standard): family of 224, 256, 384, or 512 bits • international competition to create a new secure hash, SHA-3 – analogous to AES competition (also run by NIST) – first round submissions 10/08, final round 12/10, – winner announced in Oct 2012 Properties of public/private keys • can't deduce the public key from the private, or vice versa • can't find another encryption key that works with the decryption key • keys are long enough that brute force search is infeasible • nasty problems: – – – – if a key is lost, all messages and signatures are lost if a key is compromised, all messages and signatures are compromised it's hard to revoke a key it's hard to repudiate a key (and hard to distinguish that from revoking) • authentication – how do you know who you are talking to? is that really Alice's public key? – public key infrastructure, web of trust, digital certificates
