Introduction

Applied Cryptography
Spring 2015
Lecture times
Thursdays 14:30-16:00, room 413
16 lectures
Some changes are possible (but hopefully, not too many).
Requirements
Attend lectures (if you want to)
Collect at least 20 points
• 2 practical assignments: 20 points each
• Written exam: 20 points
Any of the above is optional
The grade will be calculated (approximately) as follows:
Grade   Points
10      56-60
9       52-55
8       46-51
7       39-45
6       32-38
5       24-31
4       20-23
Problems covered
• Text encryption/decryption
  • Ciphers
• Digital signatures
  • Hash functions (used also for authentication)
  • Digital signature algorithms
• Protocols
  • Key generation and exchange
  • Certificates
• Some real cryptographic systems
  • SSL and TLS standards (+ some others), email security
  • Smartcards, EMV, data authentication
  • GSM and cryptography, DVD "protection" etc
• Security of encryptions. Some attacks
Symmetric vs. asymmetric cryptography

Symmetric ciphers – sender and recipient use
the same key




Dkey(Ekey(m)) = m
Substitution cipher is an example of a symmetric
cipher
Impractical for big systems – number of keys is
quadratic in the number of users
The solution – asymmetric algorithms. Think of a
locked mailbox! Different keys for encryption
and decryption

Dprivate key(Epublic key(m)) = m
Simple example – substitution cipher

The key is a permutation of the letters of the
alphabet, i.e. a bijection E : Σ → Σ

Encryption is performed by substituting each
letter for its corresponding letter

Decryption is the same as encryption with the
difference that the inverse E^(-1) is used
Substitution cipher – example

Example: Encrypt MY DOG ATE YOUR CAT using
the key
ABCDEFGHIJKLMNOPQRSTUVWXYZ
UWGRPNQSBJXMECAIZOYTDFHKLV
Breaking the substitution cipher



Substitution ciphers are easily broken using frequency
analysis
We use the fact that different letters (or combination of
letters) occur with different probability
Example – break
TK IL KQ JKT TK IL TBST CR TBL OULRTCKJ


Frequency of letters in English: ETAOINSHRDLU
Most common two letter words: OF TO IN IS IT BE BY
HE AS ON AT OR AN SO IF NO
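The two slides above, worked through in code. This is an added example, not part of the original lecture: it encrypts the sample sentence with the slide's key, then applies letter and word counts to the slide's exercise ciphertext. The function names are hypothetical.

```python
import string
from collections import Counter

ALPHABET = string.ascii_uppercase
SLIDE_KEY = "UWGRPNQSBJXMECAIZOYTDFHKLV"                       # key from the slide
SLIDE_CIPHERTEXT = "TK IL KQ JKT TK IL TBST CR TBL OULRTCKJ"   # exercise from the slide

def tables(key):
    """Return (encrypt, decrypt) translation tables for a permutation key."""
    if sorted(key) != list(ALPHABET):
        raise ValueError("key must be a permutation of A-Z")
    return str.maketrans(ALPHABET, key), str.maketrans(key, ALPHABET)

def encrypt(plaintext, key):
    return plaintext.upper().translate(tables(key)[0])

def decrypt(ciphertext, key):
    # Same operation as encryption, but with the inverse permutation.
    return ciphertext.upper().translate(tables(key)[1])

def letter_counts(ciphertext):
    """Ciphertext letters ordered from most to least frequent."""
    return Counter(c for c in ciphertext if c in ALPHABET).most_common()

def word_counts(ciphertext, length):
    """Repeated short words, the second handle the slide mentions."""
    return Counter(w for w in ciphertext.split() if len(w) == length).most_common()

def apply_guess(ciphertext, guess):
    """Decrypt with a partial cipher->plain mapping; unknown letters become '_'."""
    return "".join(guess.get(c, "_") if c in ALPHABET else c for c in ciphertext)

if __name__ == "__main__":
    print(encrypt("MY DOG ATE YOUR CAT", SLIDE_KEY))
    print(letter_counts(SLIDE_CIPHERTEXT)[:3])    # T, K and L dominate
    print(word_counts(SLIDE_CIPHERTEXT, 2)[:2])   # TK and IL each occur twice
    # Hypothesis: the repeated two-letter word TK is the common word "TO".
    guess = {"T": "T", "K": "O"}
    print(apply_guess(SLIDE_CIPHERTEXT, guess))
    # The pattern "TO __ O_ _OT TO __" suggests the remaining letters.
    guess.update(dict(zip("ILQJBSCROU", "BERNHAISQU")))
    print(apply_guess(SLIDE_CIPHERTEXT, guess))
```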
Vigenère cipher (poly-alphabetic)

Example:
Encryption key - string of n characters e.g. "gold"
We represent it with numbers corresponding to
symbols from alphabet - (6,14,11,13)
To encrypt i-th symbol from the block of length n,
we add to it i-th number from the key (modulo size
of alphabet)
Vernam cipher (XOR)
Message: m1,...,mn (n bits)
Key: k1,...,kn (n bits)
Ciphertext: c1,...,cn, where ci = mi ⊕ ki
Vigenère cipher and one time pads
Apart from the secure key distribution problem, the
Vigenère cipher is unbreakable if the key length is not
shorter than the encrypted text and each key is used
only once (a so-called one-time pad)
Data Encryption Standard (DES)

Financial companies found the need for a
cryptographic algorithm that would have the blessing
of the US government (=NSA)

First call for candidates in May 73, followed by a
new call in August 74

Not very many submissions (Why?)
 IBM submitted Lucifer

NSA worked with IBM in redesigning the algorithm
[From Andre L. M. dos Santos ]
Data Encryption Standard (DES)

Key length: 56 + 8 parity bits = 64 bits

8 bits are used for parity check,
why is that? to make it 265 times less secure!
read why 56 bits? section in the textbook.

How secure is DES? In 1998 $150K machine can
break the key in 5 days!
For added security, triple DES is 256 more secure.
[From Ravi Mukkamala]
DES
Enciphering Computation
[From Sai Kovvuri]
DES
[From Henric Johnson]
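Feistel ciphers
[Figure: one Feistel round. Inputs L_{i-1} and R_{i-1}, key K, round function f(R_{i-1}, K) combined by "+" (XOR), outputs L_i and R_i.]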
AES - Single round
Time to break a code (10^6 decryptions/µs)
[From Henric Johnson]
Asymmetric cryptography

Each user has a public and a private key






The public key is published in a “phone book”
The private key is kept secret
Messages encrypted with the public key can be
decrypted with the private key
To send a message to Mårten, look up Mårten’s
public key in the “phone book”.
Mårten can then decrypt the message with his
private key
Number of keys is linear in the number of users
RSA




Asymmetric cryptographic algorithm published
in 1978 (Rivest, Shamir, Adleman)
The most popular asymmetric algorithm used
today
Now free to use – patent expired in 2000
Relies on the hardness of factoring a number
consisting of two primes
Actually invented by Cocks (from UK) in 1973,
unfortunately the work was classified...

Public-key cryptosystems
P: Σ* → Σ*  - public key
S: Σ* → Σ*  - secret key
For an arbitrary message M ∈ Σ* we must have:
• M = S(P(M)), and
• M = P(S(M))
Public-key cryptosystems Encryption
[Adapted from T.Cormen, C.Leiserson, R. Rivest]
The RSA public-key cryptosystem
p, q      - two large primes (100 digits or more)
n = pq
e         - small odd integer that is relatively prime to (p – 1)(q – 1)
d         - integer such that de ≡ 1 (mod (p – 1)(q – 1))
            (it can be shown that it always exists)
P = (e,n) - public key
S = (d,n) - secret key
Encoding: P(M) = M^e (mod n)
Decoding: S(C) = C^d (mod n)
It works!
RSA - Correctness
n = pq
e - odd and relatively prime to (p – 1)(q – 1)
d - such that de ≡ 1 (mod (p – 1)(q – 1))
P(M) = M^e (mod n), S(C) = C^d (mod n)
P(S(M)) = S(P(M)) = M^(ed) (mod n), ed = 1 + k(p – 1)(q – 1)
M ≢ 0 (mod p) ⇒
  M^(ed) ≡ M (M^(p–1))^(k(q–1)) (mod p)
         ≡ M (1)^(k(q–1)) (mod p)
         ≡ M (mod p)
M ≡ 0 (mod p) ⇒
  M^(ed) ≡ M (mod p)
RSA - Correctness
M^(ed) ≡ M (mod p)
M^(ed) ≡ M (mod q)
Thus M^(ed) ≡ M (mod n)
RSA - Complexity
Encoding: P(M) = M^e (mod n)
Decoding: S(C) = C^d (mod n)
Breaking RSA

If we can factor n we can break RSA
• Suppose we know p, q such that pq = n
• We can compute (p – 1)(q – 1)
• It is now trivial to compute d = e^(-1) mod ((p – 1)(q – 1))
The largest number that is (publicly) known to
have been factored today is 512 bits
Breaking RSA

If we can factor n we can break RSA

As of 2005 the largest number factored by
general-purpose methods was 663 bits long

RSA keys are typically 1024–2048 bits long.
Some experts believe that 1024-bit keys may
become breakable in the near term (though this
is disputed); few see any way that 4096-bit keys
could be broken in the foreseeable future.

Other attacks exist for certain uses of RSA
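The RSA slides above (key setup, the correctness argument and the link between factoring n and recovering d), carried through with numbers. This is an added example, not part of the original lecture: the primes 61 and 53 and the exponent 17 are constructed toy values, and the function names are hypothetical. It is textbook RSA without padding, meant only to show why the security of the key rests on n being too large to factor.

```python
from math import gcd

def make_keys(p, q, e):
    """Build P = (e, n) and S = (d, n) from two primes and a public exponent."""
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to (p-1)(q-1)")
    d = pow(e, -1, phi)           # d*e ≡ 1 (mod (p-1)(q-1)); needs Python 3.8+
    return (e, p * q), (d, p * q)

def apply_key(key, m):
    """P(M) = M^e mod n or S(C) = C^d mod n, depending on the key passed."""
    exponent, n = key
    if not 0 <= m < n:
        raise ValueError("message must be in the range 0..n-1")
    return pow(m, exponent, n)

def factor(n):
    """Trial division; feasible only because the toy modulus is tiny."""
    f = 3
    while f * f <= n:
        if n % f == 0:
            return f, n // f
        f += 2
    raise ValueError("no odd factor found")

def private_key_from_factors(public):
    """The slide's argument: knowing p and q gives d = e^-1 mod (p-1)(q-1)."""
    e, n = public
    p, q = factor(n)
    return (pow(e, -1, (p - 1) * (q - 1)), n)

# Constructed toy parameters; the slide asks for primes of 100 digits or more.
PUBLIC, SECRET = make_keys(61, 53, 17)

if __name__ == "__main__":
    c = apply_key(PUBLIC, 65)
    print(PUBLIC, SECRET, c, apply_key(SECRET, c))
    # Correctness also holds when M ≡ 0 (mod p), the second case of the proof.
    print(apply_key(SECRET, apply_key(PUBLIC, 2 * 61)))
    # With a modulus this small the secret exponent falls out of the public key.
    print(private_key_from_factors(PUBLIC) == SECRET)
```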
Block ciphers

A block cipher B is an encryption function
Ekey: {0,1}^k → {0,1}^l and a decryption function
Dkey: {0,1}^l → {0,1}^k such that Dkey(Ekey(m)) = m.

The value k is called block length. Usually k = l.

Commonly used block ciphers include DES,
3DES and IDEA.
[Figure: block cipher. Labels: clear (plain) text, n bits; key; cipher text.]
Stream ciphers
Chaining ciphers - ECB



What happens when the clear text is longer than the block
length k?
The simplest solution: encrypt each block separately.
This mode is called ECB, Electronic Code Book
[Figure: ECB mode. The clear text is split into blocks, each passed through Enc under the same key to give the cipher text.]
[From Mårten Trolin]
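The Feistel structure and the ECB mode described above, combined in one runnable sketch. This is an added example, not part of the original lecture: the cipher is a toy Feistel network whose round function and key schedule are built from SHA-256 purely for illustration (it is not DES), and the message and key are constructed. It shows that decryption is the same network with the subkeys reversed, and that under ECB equal clear-text blocks give equal cipher-text blocks, which is what a reviewer looks for when checking whether data was encrypted in ECB mode.

```python
import hashlib

HALF = 4            # bytes per half block; the block is 8 bytes (64 bits)
BLOCK = 2 * HALF
ROUNDS = 8

def round_keys(key):
    """Derive one subkey per round from the main key (illustrative schedule)."""
    return [hashlib.sha256(key + bytes([i])).digest() for i in range(ROUNDS)]

def f(right, subkey):
    """Round function f(R, K); it does not have to be invertible."""
    return hashlib.sha256(subkey + right).digest()[:HALF]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def feistel(block, subkeys):
    left, right = block[:HALF], block[HALF:]
    for k in subkeys:
        # L_i = R_{i-1},  R_i = L_{i-1} XOR f(R_{i-1}, K_i)
        left, right = right, xor(left, f(right, k))
    return right + left      # final swap makes decryption the same network

def encrypt_block(block, key):
    return feistel(block, round_keys(key))

def decrypt_block(block, key):
    return feistel(block, round_keys(key)[::-1])   # same rounds, reversed subkeys

def ecb(block_fn, data, key):
    """ECB: every block is processed independently under the same key."""
    if len(data) % BLOCK:
        raise ValueError("data length must be a multiple of the block length")
    return b"".join(block_fn(data[i:i + BLOCK], key) for i in range(0, len(data), BLOCK))

def repeated_blocks(data):
    """Indexes of blocks whose content occurs more than once."""
    seen = {}
    for i in range(0, len(data), BLOCK):
        seen.setdefault(data[i:i + BLOCK], []).append(i // BLOCK)
    return sorted(p for pos in seen.values() if len(pos) > 1 for p in pos)

# Constructed sample: blocks 0 and 2 carry the same 8 bytes of clear text.
MESSAGE = b"PAY 100 TO ALICEPAY 100 TO BOB  "
KEY = b"constructed demo key"

if __name__ == "__main__":
    ct = ecb(encrypt_block, MESSAGE, KEY)
    print(ct.hex(" ", BLOCK))
    print(repeated_blocks(ct), ecb(decrypt_block, ct, KEY))
```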
Chaining ciphers - CBC
Problems covered
• Text encryption/decryption
• Ciphers
• Symmetric and asymmetric ciphers
• Which ciphers to use?
• Substitution
• XOR
• DES, IDEA, AES etc (symmetric)
• RSA etc (asymmetric)
• Stream ciphers and block ciphers
• Chaining
• Libraries of cryptographic functions
Public-key cryptosystems - Digital
signature
[Adapted from T.Cormen, C.Leiserson, R. Rivest]
Unix passwords
httpd:Nologin:100:22:httpd:/usr/users/httpd:/bin/sh
guest:41LYDCYHYJzHQ:200:15:Guest:/usr/users/guest:/bin/tcsh
oracle:Nologin:201:200::/usr/users/oracle:/bin/tcsh
mysql:LS6qP.LbvchSk:202:202::/usr/users/mysql:/bin/tcsh
Andris:Ie7K1yjGLDqsw:203:203::/usr/users/Andris:/bin/tcsh
Initially Unix password length was up to 8 characters,
encrypted by 1-way hash function crypt(3).
Are they safe?
Properties of good hash functions



Let H be a hash function
One-way
• Given x, infeasible to compute a v such
that H(v) = x
Collision-free
• Infeasible to find x1 and x2 such that H(x1) =
H(x2) and x1 ≠ x2
MD5

MD5 Message Digest Algorithm
Step 1: Append padding bits
• Padded so that its bit length ≡ 448 mod 512 (i.e., the length of padded
message is 64 bits less than an integer multiple of 512 bits)
• Padding is always added, even if the message is already of the
desired length (1 to 512 bits)
• Padding bits: 1000….0 (a single 1-bit followed by the necessary
number of 0-bits)
[From H. Yoon]
Step 2: Append length
• 64-bit length: contains the length of the original message modulo 2^64
• The expanded message is Y0, Y1, …, YL-1; the total length is L × 512
bits
• The expanded message can be thought of as a multiple of 16 32-bit
words
• Let M[0 … N-1] denote the words of the resulting message, where N =
L × 16
[From H. Yoon]
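Steps 1 and 2 above, implemented for byte-oriented messages. This is an added example, not part of the original lecture: the function names are hypothetical, and it assumes the message length is a whole number of bytes, so the smallest padding it can produce is 8 bits rather than 1. It covers only the padding and word split, not the compression function.

```python
import struct

def md5_pad(message: bytes) -> bytes:
    """Step 1 (1000...0 padding) followed by step 2 (64-bit length)."""
    bit_length = (8 * len(message)) % 2**64          # length modulo 2^64
    padded = message + b"\x80"                       # the 1-bit plus seven 0-bits
    padded += b"\x00" * ((56 - len(padded)) % 64)    # until length ≡ 448 (mod 512) bits
    return padded + struct.pack("<Q", bit_length)    # MD5 stores the length little-endian

def md5_words(message: bytes):
    """M[0 .. N-1]: the padded message as 32-bit little-endian words, N = L * 16."""
    padded = md5_pad(message)
    return list(struct.unpack("<%dI" % (len(padded) // 4), padded))

def padding_bits(message: bytes) -> int:
    """Number of bits added in step 1, not counting the 64-bit length field."""
    return 8 * (len(md5_pad(message)) - len(message) - 8)

if __name__ == "__main__":
    # Constructed inputs around the 448-bit (56-byte) boundary.
    for size in (0, 3, 55, 56, 64):
        msg = b"a" * size
        print(size, len(md5_pad(msg)), padding_bits(msg), len(md5_words(msg)))
```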
MD5
MD5 Message Digest Algorithm

MD5 processing of a single
512-bit block
(MD5 compression function)


[From H. Yoon]
SHA-3 - Keccak
Selected as SHA-3 on 2.10.2012.
Hash sizes: 224, 256, 384, 512
The sponge construction for hash functions. p_i are input, z_i are
hashed output. The unused "capacity" c should be twice the desired
resistance to collision or preimage attacks.
Designed by: G.Bertoni, J.Daemen, M.Peeters, G.Assche.
Built upon RadioGatún.
Problems covered
• Text encryption/decryption
• Ciphers
• Symmetric and asymmetric ciphers
• Which ciphers to use?
• Stream ciphers and block ciphers
• Chaining
• Libraries of cryptographic functions
• Digital signatures
• Hash functions
• MD5, SHA-1 etc
• Digital signature algorithms (DSA etc)
Digital signature algorithm - DSA
What is a protocol?
Protocol - a series of steps, involving two or more parties,
designed to accomplish a task.
For cryptographic protocols:
— It should not be possible to do more or learn more than
what is specified in the protocol
Types of
protocols
Communications using symmetric
cryptography
(1) Alice and Bob agree on a cryptosystem.
(2) Alice and Bob agree on a key.
(3) Alice takes her plaintext message and encrypts it using
the encryption algorithm and the key. This creates a
ciphertext message.
(4) Alice sends the ciphertext message to Bob.
(5) Bob decrypts the ciphertext message with the same
algorithm and key and reads it.
Communications using public-key
cryptography
(1) Alice and Bob agree on a public-key cryptosystem.
(2) Bob sends Alice his public key.
(3) Alice encrypts her message using Bob’s public key and
sends it to Bob.
(4) Bob decrypts Alice’s message using his private key.
Digital Certificates

A digital identity document binding a public-private
key pair to a specific person or organization

Verifying a digital signature only proves that the
signer had the private key corresponding to the
public key used to decrypt the signature

This does not prove that the public-private key
pair belonged to the claimed individual

We need an independent third party to verify the
person’s identity (through non-electronic means)
and issue a digital certificate
[Adapted from Information Security Group, ICU]
Public Key Certificate (EMV)
[Figure: structure of an EMV public key certificate. Labels: Certificate Core; Public Key; general information about the user and the application; user's public key (including remainder); Hash of data; Hash Result; Public Key Remainder; EMV formatting; Signature (decryption) by a Trusted Third Party.]
[From M.Ganley]
Digital Certificates
[Figure: parties in a certificate-based payment system. Labels: Certificate Authority; customer; Digital Wallet; bank; Internet; Cyber Shopping Mall; Payment System; merchant.]
[Adapted from Information Security Group, ICU]
SSL – establishing communications
Problems covered
• Text encryption/decryption
  • Ciphers
• Digital signatures
  • Hash functions
  • Digital signature algorithms
• Protocols
  • Key generation and exchange
  • Certificates
• Some real cryptographic systems
  • SSL and TLS standards (+ some others), email security
  • Smartcards, EMV, data authentication
  • Electronic voting systems (or their absence :) (???)
What are "smart cards"?
• 8 (16, 32) bit CPU
• Often at 3.5795 or 4.9152 MHz
• RAM: 128 bytes - 16 Kbytes
• ROM: 1 - 32 Kbytes
  • Contains the code
• EEPROM: 1 - 32 Kbytes
  • Contains the data
  • A small part are OTP (One Time Programmable) bytes
• Optional:
  Random Noise Generation, sensors, security logic,
  Modular Exponentiations Unit or Co-processor
EMV – Europay, MasterCard, Visa

Necessary to have standards for smartcards





Physical size
Electrical connection
API for payment applications
Any smart-card must be usable anywhere
Europay, MasterCard and Visa have
created specifications named EMV for
this purpose
Smart-card transaction flow
[Figure: transaction flow between Card, Terminal, Acquirer and Issuer. Steps: card – terminal interaction; on-line authorization (conditional); card – terminal interaction (if after online authorization); transaction data transfer (possibly including declined transactions' info).]
GSM security
54 bits is the effective key length
of the A5/1 algorithm.
40 bits is the effective key length
of the GEA algorithm.
Both algorithms employ (“ineffective”)
64-bit keys.
[Figure: GSM network elements (Radio Base Station (RBS), Base Station Controller, MSC, SGSN) with the algorithms used:]
GPRS - Confidentiality: GEA1, GEA2, GEA3 (new, open)
CS - Confidentiality: A5/1, A5/2, A5/3 (new, open)
Authentication: A3 Algorithm
[From M.Näslund]
DVD data encryption
[From D.Touretzky]
DVD - authentication
[From G.Kesden]
Key revocation - subset difference scheme
Textbooks
• Bruce Schneier. Applied Cryptography: Protocols, Algorithms, and Source Code in C. John Wiley & Sons, 1996
• Wenbo Mao. Modern Cryptography: theory and practice. Prentice Hall, 2003
• Niels Ferguson, Bruce Schneier. Practical Cryptography. Wiley Publishing Inc, 2003
• Alfred J. Menezes, Paul C. van Oorschot, Scott A. Vanstone. Handbook of Applied Cryptography. CRC Press, 1996
• Stephen Thomas. SSL and TLS Essentials: Securing the Web. Wiley Publishing Inc., 2000
• Eric Rescorla. SSL and TLS: Designing and building secure systems. Addison-Wesley, 2001
• Jason Weiss. Java Cryptographic Extensions. Morgan Kaufmann Publishers, 2004
Web page(s)
http://susurs.mii.lu.lv/juris/courses/ac2015.html
It is expected to contain:
• short summaries of lectures
• PowerPoint presentations
• problems for programming assignments/project
• your grades (???)
• other relevant information (exam dates, changes in
lecture times etc)
Course material also available as e-course:
https://estudijas.lu.lv/login/index.php
The original lectures by Mårten Trolin
(Spring 2003) are available on DVD
Contact information
Juris Vīksna
Room 421, Rainis boulevard 29
email: juris.viksna@mii.lu.lv
phone: +371-67213716