Cryptographic basics • Cryptology is divided into cryptography and steganography. • Cryptography means ciphering and deciphering text. The goal is not to hide that test is encrypted. It is only difficult to decrypt it. • Steganography is a collection of techniques, which hide the text that should be kept secret (like hiding microfilms to a pin point, hiding text into images and so on). Steganography is not necessarily difficult to break, once you know where is the hidden text. • It is possible to combine the two techniques and e.g. hide encrypted text into images using steganography. • Cryptoanalysis is the art of decrypting cipher text without a key. Cryptographic basics • Encryption is made with an encryption algorithm, usually a hardware or software piece is executing the algorithm. encryption key clear text encryption decryption key cipher text decryption clear text • Keyless algorithms where the algorithm is secret are no longer used. One historical keyless algorithm is Caesar’s cipher. Cryptography basics • Symmetric and asymmetric cryptoalgorithms • a symmetric cryptoalgorithm uses the same key in both sending and receiving side, asymmetric cryptoalgorithms, introduced by Diffie and Hellman 1976, use different keys to encrypt and to decrypt. • Stream and block ciphers • A stream cipher encrypts data working on each bit or byte separately, a block cipher encrypts a block (like 64 bits, 128 bits etc.) of data in one time. • A stream cipher is fast but block ciphers are considered more secure. • Modern data communication protocols, like IPsec, use only block ciphers. GSM A5/1 is an example of a stream cipher. Cryptography basics • Symmetric cryptoalgorithms are developed following Shannon’s two principles: confusion and diffusion. • Confusion = mix up the clear text so that it is difficult to decipher. • Diffusion = every change in clear text should cause many changes in cipher text. • Confusion is often made by substitution: a letter or a bit sequences is replaced by another. • Diffusion is often made by transposition: change the order of letters or bit sequences in the text. • Clearly, with substitution and transposition there are very many alternatives, with 26 letters and text of N letters, the N ( 26 )! number of possible ciphertexts is • Example, N=256, then (26 N )! 2.07 10365 Cryptography basics • Such a number of combinations can never be tried. Unfortunately real cyptoalgorithms are not completely random and they give much fever alternatives. • The problem with letter based cryptoalgorithms is that it is difficult to remove patterns from data. Natural language has very many patterns, like common endings and more popular letters and so on. • A cyptoanalysist can try to guess what could be some words in the cipher text and if he guesses some letters, the rest will be easier to guess. • Today symmetric algorithms are bit-based and mix up the text so much that ciphertext is statistically as random as possible. • Let us look at DES, it makes confusion with substitution boxes and diffusion with transposition boxes and several rounds. Cryptography basics • DES Data Encryptation Standard • DES has 56 bit keys (expressed as 64 bit strings because of redundancy) • DES is not any more safe, it was broken 1998 in 20 hours with a special Deep Crack DES cracker. First time DES was broken 1997 with 14000 PCs in four months. 47 • DES can be broken with linear cryptoanalysis in about 2 56 • steps, but Deep Crack cracks by brute force trying 2 keys. • DES is a Feistel network, meaning a special structure splitting a block (64 bits in DES) to two halves and mixing them so, that individual operations can lose information but the whole structure is bijective, so that you can crypt data and use the same Feistel network to decrypt it. • IPsec has a mandatory support for DES. Cryptography basics cleartext block 64 bits bittiä • DES L0, 32 bittiä R0, 32 bits f K1 XOR L1 R1 14 rounds the same way L15 R15 f XOR L16 1 R16 cryptotext block 64 bits bittiä K16 Cryptography basics • In DES the plaintext block is divided into left and right blocks (L0, R0). The algorithms has 16 rounds and on each round the left and right blocks are swapped in the following way: Li = R(i-1) Ri = L(i-1) XOR f(R(i-1), Ki) • So new left block is the previous right block and the new right block is obtained by XORing the previous left block with the previous right block encrypted with some function f using a key Ki. • An encryptation algorithm satisfying this formula is a Feistel network. It means that f need not be a bijection for this encryptation to work. On each round f is a different function made with permutations and substitutions. • The triple DES (3DES) has effective key length at least twice that of DES and is considered strong. Cryptography basics • Other good symmetric block ciphers are IDEA, CAST and Blowfish. IPsec implementations have optional support for these algorithms. A main motivation for creation of a new standard is the ability to use longer block lengths than in DES. • The new Advanced Encryptation Standard (AES) is recently elected. It is Rijndael. • Rijndael has a flexible key size and flexible block length. 10 rounds on each round the cryptation function is a a simple combination of substitution and permutation. • Rijndael is not a Feistel network, therefore on each round the encryptation function is bijective. • It is possible to create strong cryptoalgorithms which are impossible to break, unless • parallel computing methods like quantum computers are developed, (quite possible) or • P=NP will be proved (unlikely, but possible) • Asymmetric cryptoalgorithms • RSA (Rivest-Shamir-Adleman) find two large primes p, q and calculate n=pq Find a number e such that e and Carmichaelin funktio ( pq ) =GCD(p-1)(q-1) are relatively prime (i.e., they have no common divisors). (Here GCD=greatest common divisor) Find some d such that ed=1 mod ( pq ) (this is easy) Then if X is a plaintext block, we get the ciphertext block Y • Y X e mod n and X Y d mod n • El-Gamal • Uses the discrete logarithm problem, quite similar to DiffieHellman key exchange algorithm. Encrypted block 2*plaintext block in length. It is used in DSA (Digital Signature Algorithm) Asymmetric cryptoalgorithms • RSA is based on the difficulty of factoring a modulus of a large number n. • In order to be too difficult for modern computers, n must be of the order of 21024 or more. • Elliptic curve digital signature algorithm (ECDSA) gives the same strength with much shorter keys. (But the method is only suitable for digital signatures, not for encryptation). • RSA modulus 1024 2048 4096 • ECDSA field size 160 211 296 • Elliptic curves are sets of points (x,y) satisfying y x ax b 2 3 • This looks like a simple third order polynomial, the trick is that the coefficients a and b are not compex numbers or reals, but they are in a finite field. The solving any problems gets very hard. Cryptography basics • Diffie-Hellman key exchange • IPsec Internet Key Exchange (IKE) uses Diffie-Hellman. • Alice and Bob want to create a symmetric key for communication. So, they want to create a common secret which only they share. Let the generator number g and some prime number p be known to all (not secret). • Alice picks up a number a and Bob picks up a number b. • Then they calculate numbers A and B as A g a mod p B g b mod p • Alice sends to Bob the number A and Bob send to Alice number B. These numbers do not need to be kept secret. • Alice and Bob can both count a shared secret S as S Ab mod p B a mod p g ab mod p Cryptography basics • As asymmetric cryptoalgorithms are slow, usually one can only encrypt small data units with them. • A common usage is digital signature: a hash value is produced by some one-way function which compresses the data. Then the hash value is crypted with a secret key. • A one-way function is a function which is easy to calculate but difficult to invert, so it is easy to count the hash but difficult to find data which hashes to a given hash value. • IPsec uses some well-known hash functions: MD5 and SHA. • MD5 (Message Digest number 5) has some problems, one has demonstrated that it is possible to find two data values hashing to the same hash value. • IPsec uses a strengthened version of the hash values: HMACMD5 does not have the problem. Cryptographic basics, digital signatures • Let us look at an early example of a digital signature identifying Nero. • Apocalypse gives 666 as the name of the beast. • Caesar Nero is written in Hebrew as • Nun Vau Resh Nun Resh Samex Koph • 50 6 200 50 200 60 100 • the sum is 666. We know this is the likely explanation because some Creek versions of Apocalypse give the number as 616 and a similar calculation in Creek gives 616. • Unfortunately the signature is not unique to Nero, many people have found other explanations, the Pope being one of the most popular choices for the beast (for crackpots). Cryptographic basics, digital signatures • In order to make a unique digital signature, you need a oneway hash collision-free function and public key cryptoalgorithm. • One-way function is a function, which is fast to calculate but the inverse is very slow to calculate. For instance, f ( x) x mod m n • A hash function is a function which maps a long number into a short number. Naturally, many long numbers map to the same short number. A hash function is called collisionfree if it is hard to find any long number which maps to a short number obtained by using the hash function. • Now you take the message you want to sign, put it through a one-way collision free hash function and it produces a short number. This number you encrypt with your private key. • It is the digital signature. Cryptographic basics, digital signatures • You send both the message and the digital signature. • Anybody can check the digital signature by counting the hash value (the short number) from the message since the used one-way collision-free hash function is known to all. • Then he can also decrypt the digital signature you gave with your known public key. • It must be the same number what the hash produced. • Typically, electronic signature is in a data structure indicating the hash algorithm, public key algorithm and known parameters for these algorithms. Cryptography basics • • • • Example: Digital signature algorithms used in IPsec: RSA, suits well to digital signatures DSA (Digital Signature Algorithm), a similar algorithms to El-Gamal, uses SHA (Secure Hash Algorithm) for hashing. • Algorithms for message integrity in IPsec: • Digital signatures can be used to proof that the message has not changes. There are symmetric and asymmetric algorithms for this. • MAC (Message Authentication Code) is a family of symmetric message integrity check algorithms. IPsec uses one special MAC: HMAC. • It can be used with different hash functions, so there are HMAC-SHA and HMAC-MD5. Cryptography basics • Modes of symmetric cryptoalgorithms • Block ciphers can be used in several modes. • Electronic Code Book (ECB), Cipher Block Chaining (CBC), Output Feedback (OFB), Counter mode, ... • In ECB blocks are crypted individually, not suitable for communication, but good for storing data as then data can be decrypted without decrypting all previous blocks. • In other modes previous plaintext or ciphertext blocks are used to encypt the next block. • The feedback modes (CBC, OFB, Counter) differ mostly in error propagation. For links with high error ratio OFB or Counter mode are better than CBC. • IPsec uses all block ciphers in the CBC-mode. Cryptography basics • Cipher Block Chaining Mode (CBC) plaintext IV ciphertext + + + E E E IV D D D + + + ciphertext IV = Initialization vector E = Encryption component D = Decryption component plaintext