Abstract image of a woman sitting on books and studying on a laptop

Crypto theory to practice

Download as PPT, PDF
D
David Hoen

1) DES is a block cipher developed in the 1970s that became a standard but is now considered insecure due to advances in computing power allowing brute force attacks on its 56-bit key. 2) DES uses a Feistel network structure applying 16 rounds of substitution and permutation. The key is used to generate 48-bit round keys for each round. 3) While initially secure, concerns were raised about the small key size of DES and whether the NSA could exploit "trapdoors". Alternatives like triple-DES were developed to increase security.

Technology
1 of 48
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
From Crypto-Theory to Crypto-Practice 1 CHAPTERCHAPTER 112:2: From Crypto-Theory to Crypto-PracticeFrom Crypto-Theory to Crypto-Practice II I.SHIFT REGISTERS The first practical approach to ONE-TIME PAD cryptosystem. IV054 Basic idea: to use a short key, called “seed'' with a pseudorandom generator to generate as long key as needed. Shift registers as pseudorandom generators linear shift register Theorem For every n > 0 there is a linear shift register of maximal period 2n -1.
2From Crypto-Theory to Crypto-Practice CRYPTOANALYSIS of linear feedback shift registers Sequences generated by linear shift registers have excellent statistical properties, but they are not resistant to a known plaintext attack. IV054 Example Let us have a 4-bit shift register and let us assume we know 8 bits of plaintext and of cryptotext. By XOR-ing these two bit sequences we get 8 bits of the output of the register (of the key), say 00011110 We need to determine c4, c3, c2, c1 such that the above sequence is outputed by the shift register state of cell 4 state of cell 3 state of cell 2 state of cell 1 c4 1 0 0 c4 ⊕ c3 c4 1 0 c2 ⊕ c4 c4 ⊕ c3 c4 1 c1 ⊕ c3 ( c4 ⊕ c3 )⊕ c4 c2 ⊕ c4 c4 ⊕ c3 c4 c4 = 1 c4 = 1 c4 ⊕ c3 =1 c3 = 0 c2 ⊕ c4 = 1 c2 = 0 c1 ⊕ c3 ⊕ c4 ⊕ c3 • c4 = 0 c1 = 1
3From Crypto-Theory to Crypto-Practice Linear RecurrencesLinear RecurrencesIV054 Linear feedback shift registers are an efficient way to realize recurrence relations of the type xn+m = c0 xn+ c1 xn+1+ … + cm-1 xn+m-1 (mod n) that can be specified by 2m bits c0 , … , cm-1 and x1 , … , xm. Recurrences realized by shift registers on previous slides are: xn+4 = xn; xn+4 = xn+2+ xn; xn+4 = xn+3 + xn. The main advantage of such recurrences is that a key of a very large period can be generated using a very few bits. For example, the recurrence xn+31 = xn + xn+3 , and any non-zero initial vector, produces sequences with period 231 – 1, what is more than two billions. Encryption using one-time pad and key generating by a linear feedback shift register succumbs easily to a known plaintext attack. If we know few bits of the plaintext and of the corresponding cryptotext, one can easily determine the initial part of the key and then the corresponding linear recurrence, as already shown.
4From Crypto-Theory to Crypto-Practice Finding Linear Recurrences – a methodFinding Linear Recurrences – a methodIV054 To test whether a given portion of a key was generated by a recurrence of a length m, if we know x1 , … , x2m , we need to solve the matrix equation and then to verify whether the remaining available bits, x2m+1 , … ,are really generated by the recurrence obtained.               =                             + + −−+ + m m m mmmm m m x x x c c c xxx xxx xxx 2 2 1 1 1 0 121 132 21     
5From Crypto-Theory to Crypto-Practice Finding Linear RecurrencesFinding Linear RecurrencesIV054 The basic idea to find linear recurrences generating a given sequence is to check whether there is such a recurrence for m = 2, 3, … In doing that we use the following result. Theorem Let If the sequence x1 , x2 , … , x2m-1 satisfies a linear recurrence of length less than m, then det(M) = 0. Conversely, if the sequence x1 , x2 , … , x2m-1 satisfies a linear recurrence of length m and det(M) = 0, then the sequence also satisfies a linear recurrence of length less than m. . 121 132 21               = −+ + mmm m m xxx xxx xxx M    
6From Crypto-Theory to Crypto-Practice Illustration: Let letters of English be encoded by integers from {0,…,25}. Let the key k = k1,…,ks be a sequence of such integers. Let p1,…,pn be a plaintext. Define for 0 Ł i < s, p–i = ks-i and construct the cryptotext by Confusion makes the relation between the cryptotext and plaintext as complex as possible. Example: polyalphabetic substitutions. II. How to make cryptoanalysts' task harder?II. How to make cryptoanalysts' task harder? Two general methods are called diffusion and confusion. Diffusion: dissipate the source language redundancy found in the plaintext by spreading it out over the cryptotext. Example 1: A permutation of the plaintext rules out possibility to use frequency tables for digrams, trigrams. Example 2: Make each letter of cryptotext to depend on so many letters of the plaintext as possible IV054 .1,26mod 0 nipc s j jii ≤≤        = ∑= −
7From Crypto-Theory to Crypto-Practice Confusion and difusion – a more detailed viewConfusion and difusion – a more detailed viewIV054 Two fundamental cryptographic techniques, introduced already by Shannon, are confusion and diffusion. Confusion obscures the relationship between the plaintext and the ciphertext, which makes much more difficult cryptanalyst’s attempts to study cryptotext by looking for redundancies and statistical patterns. (The best way to cause confusion is through complicated substitutions.) Diffusion dissipates redundancy of the plaintext by spreading it over cryptotext - that again makes much more difficult a cryptanalyst’s attempts to search for redundancy in the plaintext through observation of cryptotext. (The best way to achieve it is through transformations that cause that bits from different positions in plaintext contribute to the same bit of cryptotext.) Mono-alphabetic cryptosystems use no confusion and no diffusion. Polyalphabetic cryptosystems use only confusion. In permutation cryptosystems only diffusion step is used. DES essentially uses a sequence of confusion and diffusion steps.
8From Crypto-Theory to Crypto-Practice III. CryptosystemIII. Cryptosystem DESDES - its history- its history 15. 5. 1973 National Burea of Standards published a solicitation for a new cryptosystem. This led to the development of so far the most often used cryptosystem Data Encryption Standard - DESData Encryption Standard - DES DES was developed at IBM, as a modification of an earlier cryptosystem called Lucifer. 17. 3. 1975 DES was published for first time. After a heated public discussion, DES was adopted as a standard on 15. 1. 1977. DES used to be reviewed by NBS every 5 years. IV054
9From Crypto-Theory to Crypto-Practice DESDES - description- description DES was a revolutionary step in the secret-key cryptography history: Both encryption and decryption algorithms were made public!!!!!! Preprocessing: A secret 56-bit key k56 is chosen. A fixed+public permutation φ56 is applied to get φ56 (k56). The first (second) part of the resulting string is taken to get a 28-bit block C0 (D0). Using a fixed+public sequence s1,…,s16 of integers, 16 pairs of 28-bit blocks (Ci, Di), i = 1,…,16 are obtained as follows: Ci (Di) is obtained from Ci -1 (Di -1) by si left shifts. Using a fixed and public order, a 48-bit block Ki is created from each pair Ci and Di. IV054 Encryption A fixed+public permutation φ64 is applied to a 64-bits long plaintext w to get w ‘ = L0R0, where each of the strings L0 and R0 has 32 bits. 16 pairs of 32-bit blocks Li, Ri , 1 Ł i Ł 16, are designed using the recurrence: Li = Ri –1 Ri = Li –1 ⊕ f (Ri –1, Ki ), where f is a fixed+public and easy-to-implement function. The cryptotext c = Φ-1 64(L16,R16)
10From Crypto-Theory to Crypto-Practice DES cryptosystem -DES cryptosystem - Data Encryption Standard - 1977Data Encryption Standard - 1977IV054 Decryption φ64(c) = L16R16 is computed and then the recurrence Ri –1 = Li Li –1 = Ri⊕f (Li,,Ki ), is used to get Li,Ri i = 15,…,1,0, w = Φ-1 64(L0,R0).
11From Crypto-Theory to Crypto-Practice How fast is DES?How fast is DES? 200 megabits can be encrypted per second using a special hardware. IV054 How safe is DES?How safe is DES? Pretty good. How to increase security when using DES?How to increase security when using DES? 1. Use two keys, for a double encryption. 2. Use three keys, k1, k2 and k3 to compute c = DESk1 (DESk2 -1 (DESk3 (w))) How to increase security when encrypting long plaintexts? w = m1 m2 … mn where each mi has 64-bits. Choose a 56-bit key k and a 64-bit block c0 and compute ci = DES (mi ⊕ ci -1) for i = 1,…,m.
12From Crypto-Theory to Crypto-Practice The DES contrThe DES controoversyversy 1. There have been suspicions that the design of DES might contain hidden “trapdoors'‘ what allows NSA to decrypt messages. 2. The main criticism has been that the size of the keyspace, 2 56 , is too small for DES to be really secure. 3. In 1977 Diffie+Hellamn sugested that for 20 milions$ one could build a VLSI chip that could search the entire key space within 1 day. 4. In 1993 M. Wiener suggested a machine of the cost 100.000$ that could find the key in 1.5 days. IV054
13From Crypto-Theory to Crypto-Practice What are the key elements of DES?What are the key elements of DES?IV054 • A cryptosystem is called linear if each bit of cryptotext is a linear combination of bits of plaintext. • For linear cryptosystems there is a powerful decryption method - so-called linear cryptanalysis. • The only components of DES that are non-linear are S-boxes. • Some of original requirements for S-boxes: – Each row of an S-box should include all possible output bit combinations; – It two inputs to an S-box differ in precisely one bit, then the output must differ in a minimum of two bits; – If two inputs to an S-box differ in their first two bits, but have identical last two bits, the two outputs have to be distinct. • There have been many other very technical requirements.
14From Crypto-Theory to Crypto-Practice Weaknesses of DESWeaknesses of DESIV054 • Existence of weak keys: they are such keys k that for any plaintext p, Ek(Ek(p)) = p. There are four such keys: k ∈ {(028 , 028 ), (128 , 128 ), (028 , 128 ), (128 , 028 )} • The existence of semi-weak key pairs (k1, k2) such that for any plaintext Ek1 (Ek2 (p)) = p. • The existence of complementation property Ec(k)(c(p)) = c(Ek(p)), where c(x) is binary complement of binary string x.
15From Crypto-Theory to Crypto-Practice DES modes of operationDES modes of operation ECB mode: to encode a sequence x1, x2, x3, … of 64-bit plaintext blocks, each xi is encrypted with the same key. IV054 CBC mode: to encode a sequence x1, x2, x3, … of 64-bit plaintext blocks, a y0 is chosen and each xi is encrypted by cryptotext yi = ek (yi -1 ⊕ xi). OFB mode: to encode a sequence x1, x2, x3, … of 64-bit plaintext blocks, a z0 is choosen, zi = ek (zi -1) are computed and each xi is encrypted by cryptotext yi = xi ⊕ zi. CFB mode: to encode a sequence x1, x2, x3, … of 64-bit plaintext blocks a y0 is chosen and each xi is encrypted by cryptotext yi = xi ⊕ z, where zi = ek (yi -1).
16From Crypto-Theory to Crypto-Practice 8-bit VERSION of the CFB MODE8-bit VERSION of the CFB MODE In this mode each 8-bit piece of the plaintext is encrypted without having to wait for an entire block to be available. The plaintext is broken into 8-bit pieces: P=[P1,P2,…]. Encryption: An initial 64-bit block X1 is chosen and then, for j=1,2,… , the following computation is done: ,||)( ))(( 561 8 jjj jkjj CXRX XeLPC = ⊕= + IV054 L8(X) denotes the 8 leftmost bits of X. R56(X) denotes the rightmost 56 bits of X. X||Y denotes concatenation of strings X and Y. Decryption: ,||)( ))(( 561 8 jjj jkjj CXRX XeLCP = ⊕= +
17From Crypto-Theory to Crypto-Practice Advantages of different encryption modesAdvantages of different encryption modesIV054 • CBC mode is used for block-encryption and also for authentication; • CFB mode is used for streams-encryption; • OFB mode is used for stream-encryptions that require message authentication; CTR MODE Counter Mode - some consider it as the best one. Key design: ki = Ek(n, i) for a nonce n; Encryption: yi = xi ⊕ ki This mode is very fast because a key stream can be parallelised to any degree. Because of that this mode is used in network security applications.
18From Crypto-Theory to Crypto-Practice Killers and death of DESKillers and death of DESIV054 • In 1993 M. J. Weiner suggested that one could design, using one million dollars, a computer capable to decrypt, using brute force, DES in 3.5 hours. • In 1998 group of P. Kocher designed, using a quarter million of dolars, a computer to decrypt DES in 56 hours. • In 1999 they did that in 24 hours. • It started to be clear that a new cryptosystem with larger keys is badly needed.
19From Crypto-Theory to Crypto-Practice Product- and Feistel-cryptosystems Design of several important practical cryptosystems used the following three general design principles for cryptosystems. A product cryptosystem combines two or more crypto-transformations in such a way that resulting cryptosystem is more secure than component transformations. An iterated block cryptosystem iteratively uses a round function (and it has as parameters number of rounds r, block bit-size n, subkeys bit-size k) of the input key K from which r subkeys Ki are derived. A Feistel cryptosystem is an iterated cryptosystem mapping 2t-bit plaintext (L0,R0). of t-bit blocks L0 and R0 to a 2t-bit cryptotext (Rr,Lr), through an r-round process, where r >0. For 0<I<r+1, the round i maps (Li-1,Ri-1) to (Li,Ri) using a subkey Ki as follows Li=Ri-1, Ri=Ki-1+f(Ri-1,Ki), where each subkey Ki is derived from the main key K.
20From Crypto-Theory to Crypto-Practice Blowfish cryptosystemBlowfish cryptosystemIV054 • Blowfish is Feistel type cryptosystem developed in 1994 by Bruce Schneider. • Blowfish is more secure and faster than DES. • It encrypts 8-bytes blocks into 8-bytes blocks. • Key length is variable 32k, for k = 1, 2, . . . , 16. • For decryption it does not reverse the order of encryption, but it follows it. • S-boxes are key dependent and they, as well as subkeys are created by repeated execution of Blowfish enciphering transformation. • Blowfish has very strong avalanche effect. • A follower of Blowfish, Twofish, was one of 5 candidates for AES. • Blowfish can be downloaded free from the B. Schneider web site.
21From Crypto-Theory to Crypto-Practice AES CRYPTOSYSTEMAES CRYPTOSYSTEM On October 2, 2000, NIST selected, as new Advanced Encryption Standard, the cryptosystem Rijndael, designed in1998 by Joan Daemen and Vincent Rijmen. The main goal has been to develop a new cryptographic standard that could be used to encrypt sensitive governmental information securely, well into the next century. AES was expected to be used obligatory by U.S. governmental institution and, naturally, voluntarily, but as a necessity, also by the private sector. AES is to encrypt 128-bit blocks using a key with 128, 192 or 256 bits. In addition, AES is to be used as a standard for authentication (MAC), hashing and pseudorandom numbers generation. IV054 Motivations and advantages of AES:Motivations and advantages of AES: • Short code and fast implementations • Simplicity and transparency of the design • Variable key length • Resistance against all known attacks
22From Crypto-Theory to Crypto-Practice ARITHMETICS in GF(2ARITHMETICS in GF(288 )) The basic data structure of AES is a byte a = (a 7, a 6, a 5, a 4, a 3, a 2, a 1, a0) where ai's are bits, which can be conveniently represented by the polynomial a(x) = a 7 x 7 + a 6x 6 + a 5x 5 + a 4 x 4 + a 3 x 3 + a 2 x 2 + a 1 x + a 0. Bytes can be conveniently seen as elements of the field F = GF (2 8 ) / m(x), where m(x) = x 8 + x 4 + x 3 + x + 1. In the field F, the addition is the bitwise-XOR and multiplication can be elegantly expressed using polynomial multiplication modulo m(x). c = a ⊕ b; c = a • b where c(x) = [a(x) • b(x)] mod m(x) IV054
23From Crypto-Theory to Crypto-Practice MULTIPLICATION in GF(2MULTIPLICATION in GF(288 )) Multiplication c = a • b where c(x) = [a(x) • b(x)] mod m(x) in GF(28 ) can be easily performed using a new operation b = xtime(a) that corresponds to the polynomial multiplication b(x) = [a(x) • x] mod m(x), as follows set c = 00000000 and p = a; for i = 0 to 7 do c ← c ⊕ (bi • p) p ← xtime(p) Hardware implementation of the multiplication requires therefore one circuit for operation xtime and two 8-bit registers. Operation b = xtime(a) can be implemented by one step (shift) of the following shift register: IV054
24From Crypto-Theory to Crypto-Practice EXAMPLESEXAMPLES • `53‘ + `87' = `D4‘ because, in binary, `01010011‘ ⊕ `10000111‘ = `11010100‘ what means (x6 + x4 + x + 1) + (x7 + x2 + x + 1) = x7 + x6 + x4 + x2 IV054 • `57'‘• `83‘ = `C1' Indeed, (x6 + x4 + x2 + x + 1)(x7 + x + 1) = x13 + x11 + x9 + x8 + x6 + x5 + x4 + x3 + 1 and (x13 + x11 + x9 + x8 + x6 + x5 + x4 + x3 + 1) mod (x8 + x4 + x3 + x + 1) = x7 + x6 + 1 • `57‘ • `13‘ = (`57‘ • `01') ⊕ (`57‘ • `02') ⊕ (`57‘ • `10') = `57‘ ⊕ `AE‘ ⊕ `07‘ = `FE‘ because `57‘ • `02‘ = xtime(57) = `AE‘ `57‘ • `04‘ = xtime(AE) = `47‘ `57‘ • `08‘ = xtime(47) = `8E‘ `57‘ • `10‘ = xtime(8E) = `07'
25From Crypto-Theory to Crypto-Practice POLYNOMIALS over GF(2POLYNOMIALS over GF(288 )) Algorithms of AES work with 4-byte vectors that can be represented by polynomials of the degree at most 4 with coefficients in GF(28 ). Addition of such polynomials is done using component-wise and bit-wise XOR. Multiplication is done modulo M(x) = x4 + 1. (It holds xJ mod (x4 + 1) = xJ mod4 .) Multiplication of vectors (a3x3 + a2x2 + a1x + a0) ⊗ (b3x3 + b2x2 + b1x + b0) can be done using matrix multiplication where additions and multiplications (•) are done in GF(28 ) as described before. Multiplication of a polynomial a(x) by x results in a cyclic shift of the coefficients. IV054 , 3 2 1 0 2103 1032 0321 3210 3 2 1 0                             =               b b b b aaaa aaaa aaaa aaaa d d d d
26From Crypto-Theory to Crypto-Practice BYTE SUBSTITUTIONBYTE SUBSTITUTION Byte substitution b = SubByte(a) is defined by the following matrix operations This operation is computationally heavy and it is assumed that it will be implemented by a pre-computed substitution table. IV054 ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) . 1 1 0 0 0 1 1 0 10001111 11000111 11100011 11110001 11111000 01111100 00111110 00011111 0 1 1 1 2 1 3 1 4 1 5 1 6 1 7 1 0 1 2 3 4 5 6 7                           +                           ×                           =                           − − − − − − − − a a a a a a a a b b b b b b b b
27From Crypto-Theory to Crypto-Practice ENCRYPTION in AESENCRYPTION in AES Encryption and decryption are done using state matrices elements of which are bytes. A byte-matrix with 4 rows and k = 4, 6 or 8 columns is also used to write down a key with Dk = 128, 192 or 256 bits. IV054 ENCRYPTION ALGORITHMENCRYPTION ALGORITHM 1. KeyExpansion 2. AddRoundKey 3. do (k + 5)-times: a) SubByte b) ShiftRow c) MixColumn d) AddRoundKey The final round does not contain MixColumn procedure. The reason being is to be able to use the same hardware for encryption and decryption. 4. Final round a) SubByte b) ShiftRow c) AddRoundkey A E I M B F J N C G K O D H L P
28From Crypto-Theory to Crypto-Practice KEY EXPANSIONKEY EXPANSION The basic key is written into the state matrix with 4, 6 or 8 columns. The goal of the key expansion procedure is to extend the number of keys in such a way that each time a key is used actually a new key is used. The key extension algorithm generates new columns Wi of the state matrix from the columns Wi -1 and Wi-k using the following rule Wi = Wi-k ⊕ V, where F (Wi–1), if i mod k = 0 V = G (Wi –1 ), if i mod k = 4 and Dk = 256 bits, Wi –1 otherwise where the function G performs only the byte-substitution of the corresponding bytes. Function F is defined in a quite a complicated way. IV054
29From Crypto-Theory to Crypto-Practice STEPS of ENCRYPTIONSTEPS of ENCRYPTION AddRoundKey procedure adds byte-wise and bit-wise current key to the current contents of the state matrix. ShiftRow procedure cyclically shifts i-th row of the state matrix by i shifts. MixColumns procedure multiplies columns of the state matrix by the matrix IV054 2113 3211 1321 1132              
30From Crypto-Theory to Crypto-Practice DECRYPTION in AESDECRYPTION in AES Steps of the encryption algorithm map an input state matrix into an output matrix. All encryption operations have inverse operations. Decryption algorithm applies, in the opposite order as at the encryption, the inverse versions of the encryption operations. DECRYPTIONDECRYPTION 1. Key Expansion IV054 2. AddRoundKey 3. do k+5 - times: a) InvByteSub b) InvShiftRow c) InvMixColumn d) AddInvRoundKey 4. Final round a) InvByteSub b) InvShiftRow c) AddRoundKey
31From Crypto-Theory to Crypto-Practice SECURITY GOALSSECURITY GOALS The goal of the authors was that Rijndael (AES) is K-secure and hermetic in the following sense: Definition A cryptosystem is K-secure if all possible attack strategies for it have the same expected work factor and storage requirements as for the majority of possible cryptosystems with the same security. Definition A block cryptosystem is hermetic if it does not have weaknesses that are not present for the majority of cryptosystems with the same block and key length. IV054
32From Crypto-Theory to Crypto-Practice MISCELANEOUSMISCELANEOUS Pronounciation of the name Rijndael is as “Reign Dahl'‘ or “rain Doll'' or “Rhine Dahl''. IV054
33From Crypto-Theory to Crypto-Practice PKC versus SKC - comparisonsPKC versus SKC - comparisonsIV054 Security: If PKC is used, only one party needs to keep secret a (single) key; If SKC is used, both party needs to keep secret one key. No PKC has been shown perfectly secure. Perfect secrecy has been shown for One- time Pad and for quantum generation of classical keys. Longevity: With PKC, keys may need to be kept secure for (very) long time; with SKC a change of keys for each session is recommended. Key management: If a multiuser network is used, then fewer private keys are required with PKC than with SKC. Key exchange: With PKC no key exchange between communicating parties is needed; with SKC a hard-to-implement secret key exchange is needed. Digital signatures: Only PKC are usable for digital signatures. Efficiency: PKC is much slower than SKC (10 times when software implementations of RSA and DES are compared). Key sizes: Keys for PKC (2048 bits for RSA) are significantly larger than for SCK (128 bits for AES). Non-repudiation: With PKC we can ensure, using digital signatures, non- repudiation, but not with SKC.
34From Crypto-Theory to Crypto-Practice Digital envelopsDigital envelopsIV054 Modern cryptography uses both SKC and PKC, in so- called hybrid cryptosystems or in digital envelops to send a message m using a secret key k, public encryption exponent e, and secret decryption exponent d, as follows: 1. Key k is encrypted using e and sent as e(k) 2. Secret decription exponent d is used to get k=d(e(k)) 3 SKC with k is then used to encrypt a message
35From Crypto-Theory to Crypto-Practice KEY MANAGEMENTKEY MANAGEMENT Secure methods of key management are extremely important. In practice, most of the attacks on public-key cryptosystems are likely to be at the key management levels. Problems: How to obtain securely an appropriate key pair? How to get other people’s public keys? How to get confidence in the legitimacy of other's public keys? How to store keys? How to set, extend,… expiration dates of the keys? IV054 Who needs a key? Anyone wishing to sign a message, to verify signatures, to encrypt messages and to decrypt messages. How does one get a key pair? Each user should generate his/her own key pair. Once generated, a user must register his/her public-key with some central administration, called a certifying authority. This authority returns a certificate. Certificates are digital documents attesting to the binding of a public-key to an individual or institutions. They allow verification of the claim that a given public-key does belong to a given individual. Certificates help prevent someone from using a phony key to impersonate someone else. In their simplest form, certificates contain a public-key and a name. In addition they contain: expiration date, name of the certificate issuing authority, serial number of the certificate and the digital signature of the certificate issuer.
36From Crypto-Theory to Crypto-Practice How are certificates usedHow are certificates used – certification authorities– certification authorities The most secure use of authentication involves enclosing one or more certificates with every signed message. The receiver of the message verifies the certificate using the certifying authorities public-keys and, being confident of the public-keys of the sender, verifies the message's signature. There may be more certificates enclosed with a message, forming a hierarchical chain, wherein one certificate testifies to the authenticity of the previous certificate. At the top end of a certificate hierarchy is a top-level certifying-authority to be trusted without a certificate. Example According to the standards, every signature points to a certificate that validates the public-key of the signer. Specifically, each signature contains the name of the issuer of the certificate and the serial number of the certificate. IV054 How do certifying authorities store their private keys?How do certifying authorities store their private keys? It is extremely important that private-keys of certifying authorities are stored securely. One method to store the key in a tamperproof box called a Certificate Signing Unit, CSU. The CSU should, preferably, destroy its contents if ever opened. Not even employees of the certifying authority should have access to the private-key itself, but only the ability to use private-key in the certificates issuing process. CSU are for sells Note: PKCS - Public Key Certification Standards.
37From Crypto-Theory to Crypto-Practice What is PKI?What is PKI? • PKI (Public Key Infrastructure) is an infrastructure that allows to handle public-key problems for the community that uses public-key cryptography. IV054 • Structure of PKI Security policy that specifies rules under which PKI can be handled. Products that generate, store, distribute and manipulate keys. Procedures that define methods how - to generate and manipulate keys - to generate and manipulate certificates - to distribute keys and certificates - to use certificates. Authorities that take care that the general security policy is fully performed.
38From Crypto-Theory to Crypto-Practice PKI users and systemsPKI users and systems • Certificate holder • Certificate user • Certification authority (CA) • Registration authority (RA) • Revocation authority • Repository (to publish a list of certicates, of revocated certificates,...) • Policy management authority (to create certification policy) • Policy approving authority IV054
39From Crypto-Theory to Crypto-Practice SECURITY of CSECURITY of Certification and Registration authoritiesertification and Registration authorities PKI system is so secure how secure are systems for certificate authorities (CA) and registration authorities (RA). Basic principles to follow to ensure necessary security of CA and RA. • Private key of CA has to be stored in a way that is secure against intentional professional attacks. • Steps have to be made for renovation of the private key in the case of a collapse of the system. • Access to CA/RA tools has to be maximally controlled. • Each requirement for certification has to be authorized by several independent operators. • All key transactions of CA/RA have to be logged to be available for a possible audit. • All CA/RA systems and their documentation have to satisfy maximal requirements for their reliability. IV054
40From Crypto-Theory to Crypto-Practice PUBLIC-KEYPUBLIC-KEY INFRASTRUCTUREINFRASTRUCTURE PROBLEMSPROBLEMS Public-key cryptography has low infrastructure overhead, it is more secure, more truthful and with better geographical reach. However, this is due to the fact that public-key users bear a substantial administrative burden and security advantages of the public key cryptography rely excessively on the end-users' security discipline. Problem 1: With public-key cryptography users must constantly be careful to validate rigorously every public-key they use and must take care for secrecy of their private secret keys. IV054 Problem 2: End-users are rarely willing or able to manage keys sufficiently carefuly. User's behavior is the weak link in any security system, and public-key security is unable to reinforce this weakness. Problem 3: Only sophisticated users, like system administrators, can realistically be expected to meet fully the demands of public-key cryptography.
41From Crypto-Theory to Crypto-Practice Main components of public-key infrastructureMain components of public-key infrastructure • The Certification Authority (CA) signs user's public-keys. (There has to be a hierarchy of CA, with a root CA on the top.) • The Directory is a public-access database of valid certificates. • The Certificate Revocation List (CRL) - a public-access database of invalid certificates. (There has to be a hierarchy of CRL). IV054 Stages at which key management issues ariseStages at which key management issues arise • Key creation: user creates a new key pair, proves his identify to CA. CA signs a certificate. User encrypts his private key. • Single sign-on: decryption of the private key, participation in public-key protocols. • Key revocation: CRL should be checked every time a certificate is used. If a user's secret key is compromised, CRL administration has to be notified.
42From Crypto-Theory to Crypto-Practice MAIN PROBLEMSMAIN PROBLEMS • Authenticating the users: How does a CA authenticate a distant user, when issuing the initial certificate? (Ideally CA and the user should meet. Consequently, properly authenticated certificates will have to be expensive, due to the label cost in a face-to-face identity check.) • Authenticating the CA: Public key cryptography cannot secure the distribution and the validation of the Root CA's public key. • Certificate revocation lists: Timely and secure revocation presents big scaling and performance problems. As a result public-key deployment is usually proceeding without a revocation infrastructure. (Revocation is the classical Achilles' Heel of public-key cryptography.) • Private key management: The user must keep his long-lived secret key in memory during his login-session: There is no way to force a public-key user to choose a good password. (Lacking effective password-quality controls, most public-key systems are vulnerable to the off-line guessing attacks.) IV054
43From Crypto-Theory to Crypto-Practice LIFE CYCLE of CERTIFICATESLIFE CYCLE of CERTIFICATES Issuing of certificates • registration of applicants for certificates; • generation of pairs of keys; • creation of certificates; • delivering of certificates; • dissemination of certificates; • backuping of keys; IV054 Using of certificates • receiving a certificate; • validation of the certificate; • key backup and recovery; • automatic key/certificate updating Revocation of certificates • expiration of certificates validity period; • revocation of certificates; • archivation of keys and certificates.
44From Crypto-Theory to Crypto-Practice PPrettyretty GGoodood PPrivacyrivacy In June 1991 Phil Zimmermann, made publicly available software that made use of RSA cryptosystem very friendly and easy and by that he made strong cryptography widely available. Starting February 1993 Zimmermann was for three years a subject of FBI and Grand Jurry investigations, being accused of illegal exporting arms (strong cryptography tools). William Cowell, Deputy Director of NSA said: “If all personal computers in the world - approximately 200 millions - were to be put to work on a single PGP encrypted message, it would take an average an estimated 12 million times the age of universe to break a single message''. Heated discussion whether strong cryptography should be allowed keep going on. September 11 attack brought another dimension into the problem. IV054
45From Crypto-Theory to Crypto-Practice SECURITY / PRIVACY REALITY and TOOLSSECURITY / PRIVACY REALITY and TOOLSIV054 Concerning security we are winning battles, but we are loosing wars concerning privacy. Four areas concerning security and privacy: • Security of communications – cryptography • Computer security (operating systems, viruses, …) • Physical security • Identification and biometrics With google we lost privacy.
46From Crypto-Theory to Crypto-Practice How cryptographic systems get brokenHow cryptographic systems get brokenIV054 Techniques that are indeed used to break cryptosystems: By NSA: • By exhaustive search (up to 280 options). • By exploiting specific mathematical and statistical weaknesses to speed up the exhaustive search. • By selling compromised crypto-devices. • By analysing crypto-operators methods and customs. By FBI: • Using keystroke analysis. • Using the fact that in practice long keys are almost always designed from short guessable passwords.
47From Crypto-Theory to Crypto-Practice RSA in practiceRSA in practiceIV054 • 660-bits integers were already (factorized) broken in practice. • 1024-bits integers are currently used as moduli. • 512-bit integers can be factorized with a device costing 5 K $ in about 10 minutes. • 1024-bit integers could be factorized in 6 weeks by a device costing 10 millions of dollars.
48From Crypto-Theory to Crypto-Practice Patentability of cryptographyPatentability of cryptography • Cryptographic systems are patentable • Many secret-key cryptosystems have been patented • The basic idea of public-key cryptography are contained in U.S. Patents 4 200 770 (M. Hellman, W. Diffie, R. Merkle) - 29. 4. 1980 U.S. Patent 4 218 582 (M. Hellman, R. Merkle) The exclusive licensing rights to both patents are held by “Public Key Partners'' (PKP) which also holds rights to the RSA patent. All legal challenges to public-key patents have been so far settled before judgment. Some patent applications for cryptosystems have been blocked by intervention of us: intelligence or defense agencies. All cryptographic products in USA needed export licences from the State department, acting under authority of the International Traffic in Arms Regulation, which defines cryptographic devices, including software, as munition. Export of cryptography for authentication has not been restricted, Problems were only whith cryptography for privacy. IV054

More Related Content

PPT
Crypto theory to practice
Harry Potter
 
PPTX
Cryptography
Harry Potter
 
PDF
Detailed cryptographic analysis of contact tracing protocols
Christian Spolaore
 
PPT
Cipher techniques
Mohd Arif
 
PPT
Cryptography
nayakslideshare
 
PPT
Chguatda.com/cmx.p02...1
nathanurag
 
PPT
02 Information System Security
Shu Shin
 
PPTX
Cryptography
Karwan Mustafa Kareem
 
Crypto theory to practice
Harry Potter
 
Cryptography
Harry Potter
 
Detailed cryptographic analysis of contact tracing protocols
Christian Spolaore
 
Cipher techniques
Mohd Arif
 
Cryptography
nayakslideshare
 
Chguatda.com/cmx.p02...1
nathanurag
 
02 Information System Security
Shu Shin
 
Cryptography
Karwan Mustafa Kareem
 

What's hot (16)

PPT
Encryptolog y-1216310707267721-9
Shan Raja
 
PDF
Information Security Cryptography ( L03- Old Cryptography Algorithms )
Anas Rock
 
PPT
overview of cryptographic techniques
Shubham Jain
 
PPTX
Applications of-linear-algebra-hill-cipher
Aashirwad Kashyap
 
PPTX
Classical encryption techniques
ramya marichamy
 
PPT
Cryptography - An Overview
ppd1961
 
PPTX
Transposition Cipher
daniyalqureshi712
 
PDF
Caesar Cipher , Substitution Cipher, PlayFair and Vigenere Cipher
Mona Rajput
 
PPTX
Cryptography (Revised Edition)
Somaditya Basak
 
PDF
CNIT 141: 10. Digital Signatures
Sam Bowne
 
PPT
Ch02
Joe Christensen
 
PDF
Transposition cipher
Antony Alex
 
PPT
Caesar cipher
Hossain Md Shakhawat
 
PPT
Elementary cryptography
Prachi Gulihar
 
PDF
Introduction to Cryptography Parts II and III
Maksim Djackov
 
PDF
Computer Security Lecture 3: Classical Encryption Techniques 2
Mohamed Loey
 
Encryptolog y-1216310707267721-9
Shan Raja
 
Information Security Cryptography ( L03- Old Cryptography Algorithms )
Anas Rock
 
overview of cryptographic techniques
Shubham Jain
 
Applications of-linear-algebra-hill-cipher
Aashirwad Kashyap
 
Classical encryption techniques
ramya marichamy
 
Cryptography - An Overview
ppd1961
 
Transposition Cipher
daniyalqureshi712
 
Caesar Cipher , Substitution Cipher, PlayFair and Vigenere Cipher
Mona Rajput
 
Cryptography (Revised Edition)
Somaditya Basak
 
CNIT 141: 10. Digital Signatures
Sam Bowne
 
Ch02
Joe Christensen
 
Transposition cipher
Antony Alex
 
Caesar cipher
Hossain Md Shakhawat
 
Elementary cryptography
Prachi Gulihar
 
Introduction to Cryptography Parts II and III
Maksim Djackov
 
Computer Security Lecture 3: Classical Encryption Techniques 2
Mohamed Loey
 
Ad

Viewers also liked (15)

PPS
Nw apresentation
john tsakas
 
PDF
Customer Identities
Sankar Narayanan
 
PDF
Nmi Presentation Sept 2007
AdrianOShaughnessy
 
PPTX
мастерская деда мороза2011
GALINA kOSHKINA
 
PDF
People and Performance UK
pphrskp
 
PPT
Making The Change 11 27 08
rgillt1
 
PPT
Giacomo casarin 269073 iuavcamp presentazione
giacomocasarin
 
DOC
Shamna_Kammana_Testing_Engineer
Shamna Sherwin
 
PPT
transporte uk joel falcon
JoelFalcon
 
PDF
Bade Smells in Code
Will Shen
 
PDF
Capital one-mascot-challenge
Nellymoser
 
PPTX
Energy
MrsKendall
 
PDF
Fic papo
Luis Alberto Trivinho Strixino
 
PPT
Sydney\'s Maritime Museum
Lifelong Learning
 
PDF
Presentation One
dss49
 
Nw apresentation
john tsakas
 
Customer Identities
Sankar Narayanan
 
Nmi Presentation Sept 2007
AdrianOShaughnessy
 
мастерская деда мороза2011
GALINA kOSHKINA
 
People and Performance UK
pphrskp
 
Making The Change 11 27 08
rgillt1
 
Giacomo casarin 269073 iuavcamp presentazione
giacomocasarin
 
Shamna_Kammana_Testing_Engineer
Shamna Sherwin
 
transporte uk joel falcon
JoelFalcon
 
Bade Smells in Code
Will Shen
 
Capital one-mascot-challenge
Nellymoser
 
Energy
MrsKendall
 
Fic papo
Luis Alberto Trivinho Strixino
 
Sydney\'s Maritime Museum
Lifelong Learning
 
Presentation One
dss49
 
Ad

Similar to Crypto theory to practice (20)

PPTX
Chapter-Three Part One.pptxghgjhhjghjhjhhj
Shemse Shukre
 
PPTX
2 Mathematics of Cryptographyy chapter 2
ShivaniSehrawat3
 
PPT
Jaimin chp-8 - network security-new -use this - 2011 batch
Jaimin Jani
 
PPTX
Cryptography
subodh pawar
 
PPSX
Introductory Lecture on Cryptography and Information Security
Bikramjit Sarkar, Ph.D.
 
PPT
Iss lecture 2
Ali Habeeb
 
PPTX
Data Encryption Standard (DES) and Alternatives.pptx
MohammedAljubairi
 
PPT
Computer security
James Wong
 
PPT
Computer security
Tony Nguyen
 
PPT
Computer security
Fraboni Ec
 
PPT
Computer security
Luis Goldster
 
PPT
Computer security
Harry Potter
 
PPT
Computer security
Young Alista
 
PPT
Computer security
David Hoen
 
PPT
ICSE6104 Lecture bbbbbbbbbbbbbbbbbbbb 2.ppt
David622220
 
PDF
1 DES.pdf
nitin571047
 
PPTX
Cryptography in discrete structure .pptx
ayeshaimtiaz067
 
PPT
Mathematics Towards Elliptic Curve Cryptography-by Dr. R.Srinivasan
municsaa
 
PPT
Network and Information Security unit2.ppt.ppt
Vivekananda Gn
 
PDF
Analysis of Cryptographic Algorithms
ijsrd.com
 
Chapter-Three Part One.pptxghgjhhjghjhjhhj
Shemse Shukre
 
2 Mathematics of Cryptographyy chapter 2
ShivaniSehrawat3
 
Jaimin chp-8 - network security-new -use this - 2011 batch
Jaimin Jani
 
Cryptography
subodh pawar
 
Introductory Lecture on Cryptography and Information Security
Bikramjit Sarkar, Ph.D.
 
Iss lecture 2
Ali Habeeb
 
Data Encryption Standard (DES) and Alternatives.pptx
MohammedAljubairi
 
Computer security
James Wong
 
Computer security
Tony Nguyen
 
Computer security
Fraboni Ec
 
Computer security
Luis Goldster
 
Computer security
Harry Potter
 
Computer security
Young Alista
 
Computer security
David Hoen
 
ICSE6104 Lecture bbbbbbbbbbbbbbbbbbbb 2.ppt
David622220
 
1 DES.pdf
nitin571047
 
Cryptography in discrete structure .pptx
ayeshaimtiaz067
 
Mathematics Towards Elliptic Curve Cryptography-by Dr. R.Srinivasan
municsaa
 
Network and Information Security unit2.ppt.ppt
Vivekananda Gn
 
Analysis of Cryptographic Algorithms
ijsrd.com
 

More from David Hoen (20)

PPT
Introduction to prolog
David Hoen
 
PPT
Database introduction
David Hoen
 
PPTX
Building a-database
David Hoen
 
PPTX
Decision tree
David Hoen
 
PPT
Database constraints
David Hoen
 
PPT
Prolog programming
David Hoen
 
PPT
Hash crypto
David Hoen
 
PPTX
Introduction to security_and_crypto
David Hoen
 
PPTX
Key exchange in crypto
David Hoen
 
PPTX
Nlp naive bayes
David Hoen
 
PPT
Prolog resume
David Hoen
 
PPT
Access data connection
David Hoen
 
PPT
Basic dns-mod
David Hoen
 
PPT
Database concepts
David Hoen
 
PPTX
Hashfunction
David Hoen
 
PPTX
Datamining with nb
David Hoen
 
PDF
Text categorization as a graph
David Hoen
 
PPT
Xml schema
David Hoen
 
PPT
Text classification
David Hoen
 
PPT
Text classification methods
David Hoen
 
Introduction to prolog
David Hoen
 
Database introduction
David Hoen
 
Building a-database
David Hoen
 
Decision tree
David Hoen
 
Database constraints
David Hoen
 
Prolog programming
David Hoen
 
Hash crypto
David Hoen
 
Introduction to security_and_crypto
David Hoen
 
Key exchange in crypto
David Hoen
 
Nlp naive bayes
David Hoen
 
Prolog resume
David Hoen
 
Access data connection
David Hoen
 
Basic dns-mod
David Hoen
 
Database concepts
David Hoen
 
Hashfunction
David Hoen
 
Datamining with nb
David Hoen
 
Text categorization as a graph
David Hoen
 
Xml schema
David Hoen
 
Text classification
David Hoen
 
Text classification methods
David Hoen
 

Recently uploaded (20)

PDF
WOOl fibre morphology and structure.pdf for textiles
Rajendrakumar868651
 
PDF
Five Habits of High-Impact Board Members
OnBoard
 
PDF
Hindi spoken digit analysis for native and non-native speakers
IAESIJAI
 
PDF
Unlock new opportunities with location data.pdf
Precisely
 
PPTX
Chapter 5: Probability Theory and Statistics
RandyFin
 
PDF
Univ-Connecticut-ChatGPT-Presentaion.pdf
ry7r52mzb4
 
PDF
A Late Bloomer's Guide to GenAI: Ethics, Bias, and Effective Prompting - Boha...
Mindy Bohannon
 
PDF
A novel scalable deep ensemble learning framework for big data classification...
IAESIJAI
 
PPTX
Tartificialntelligence_presentation.pptx
ry7r52mzb4
 
PDF
A comparative study of natural language inference in Swahili using monolingua...
IAESIJAI
 
PPTX
The various Industrial Revolutions .pptx
bandileshozi3
 
PDF
Developing a website for English-speaking practice to English as a foreign la...
IAESIJAI
 
PDF
August Patch Tuesday
Ivanti
 
PDF
Architecture types and enterprise applications.pdf
ChristopherTHyatt
 
PDF
TrustArc Webinar - Click, Consent, Trust: Winning the Privacy Game
TrustArc
 
PDF
DP Operators-handbook-extract for the Mautical Institute
LeonelMejiaLarios
 
PDF
1 - Historical Antecedents, Social Consideration.pdf
tuazon2030627
 
PDF
How ambidextrous entrepreneurial leaders react to the artificial intelligence...
IAESIJAI
 
PDF
Enhancing emotion recognition model for a student engagement use case through...
IAESIJAI
 
PDF
Getting Started with Data Integration: FME Form 101
Safe Software
 
WOOl fibre morphology and structure.pdf for textiles
Rajendrakumar868651
 
Five Habits of High-Impact Board Members
OnBoard
 
Hindi spoken digit analysis for native and non-native speakers
IAESIJAI
 
Unlock new opportunities with location data.pdf
Precisely
 
Chapter 5: Probability Theory and Statistics
RandyFin
 
Univ-Connecticut-ChatGPT-Presentaion.pdf
ry7r52mzb4
 
A Late Bloomer's Guide to GenAI: Ethics, Bias, and Effective Prompting - Boha...
Mindy Bohannon
 
A novel scalable deep ensemble learning framework for big data classification...
IAESIJAI
 
Tartificialntelligence_presentation.pptx
ry7r52mzb4
 
A comparative study of natural language inference in Swahili using monolingua...
IAESIJAI
 
The various Industrial Revolutions .pptx
bandileshozi3
 
Developing a website for English-speaking practice to English as a foreign la...
IAESIJAI
 
August Patch Tuesday
Ivanti
 
Architecture types and enterprise applications.pdf
ChristopherTHyatt
 
TrustArc Webinar - Click, Consent, Trust: Winning the Privacy Game
TrustArc
 
DP Operators-handbook-extract for the Mautical Institute
LeonelMejiaLarios
 
1 - Historical Antecedents, Social Consideration.pdf
tuazon2030627
 
How ambidextrous entrepreneurial leaders react to the artificial intelligence...
IAESIJAI
 
Enhancing emotion recognition model for a student engagement use case through...
IAESIJAI
 
Getting Started with Data Integration: FME Form 101
Safe Software
 

Crypto theory to practice

  • 1. From Crypto-Theory to Crypto-Practice 1 CHAPTERCHAPTER 112:2: From Crypto-Theory to Crypto-PracticeFrom Crypto-Theory to Crypto-Practice II I.SHIFT REGISTERS The first practical approach to ONE-TIME PAD cryptosystem. IV054 Basic idea: to use a short key, called “seed'' with a pseudorandom generator to generate as long key as needed. Shift registers as pseudorandom generators linear shift register Theorem For every n > 0 there is a linear shift register of maximal period 2n -1.
  • 2. 2From Crypto-Theory to Crypto-Practice CRYPTOANALYSIS of linear feedback shift registers Sequences generated by linear shift registers have excellent statistical properties, but they are not resistant to a known plaintext attack. IV054 Example Let us have a 4-bit shift register and let us assume we know 8 bits of plaintext and of cryptotext. By XOR-ing these two bit sequences we get 8 bits of the output of the register (of the key), say 00011110 We need to determine c4, c3, c2, c1 such that the above sequence is outputed by the shift register state of cell 4 state of cell 3 state of cell 2 state of cell 1 c4 1 0 0 c4 ⊕ c3 c4 1 0 c2 ⊕ c4 c4 ⊕ c3 c4 1 c1 ⊕ c3 ( c4 ⊕ c3 )⊕ c4 c2 ⊕ c4 c4 ⊕ c3 c4 c4 = 1 c4 = 1 c4 ⊕ c3 =1 c3 = 0 c2 ⊕ c4 = 1 c2 = 0 c1 ⊕ c3 ⊕ c4 ⊕ c3 • c4 = 0 c1 = 1
  • 3. 3From Crypto-Theory to Crypto-Practice Linear RecurrencesLinear RecurrencesIV054 Linear feedback shift registers are an efficient way to realize recurrence relations of the type xn+m = c0 xn+ c1 xn+1+ … + cm-1 xn+m-1 (mod n) that can be specified by 2m bits c0 , … , cm-1 and x1 , … , xm. Recurrences realized by shift registers on previous slides are: xn+4 = xn; xn+4 = xn+2+ xn; xn+4 = xn+3 + xn. The main advantage of such recurrences is that a key of a very large period can be generated using a very few bits. For example, the recurrence xn+31 = xn + xn+3 , and any non-zero initial vector, produces sequences with period 231 – 1, what is more than two billions. Encryption using one-time pad and key generating by a linear feedback shift register succumbs easily to a known plaintext attack. If we know few bits of the plaintext and of the corresponding cryptotext, one can easily determine the initial part of the key and then the corresponding linear recurrence, as already shown.
  • 4. 4From Crypto-Theory to Crypto-Practice Finding Linear Recurrences – a methodFinding Linear Recurrences – a methodIV054 To test whether a given portion of a key was generated by a recurrence of a length m, if we know x1 , … , x2m , we need to solve the matrix equation and then to verify whether the remaining available bits, x2m+1 , … ,are really generated by the recurrence obtained.               =                             + + −−+ + m m m mmmm m m x x x c c c xxx xxx xxx 2 2 1 1 1 0 121 132 21     
  • 5. 5From Crypto-Theory to Crypto-Practice Finding Linear RecurrencesFinding Linear RecurrencesIV054 The basic idea to find linear recurrences generating a given sequence is to check whether there is such a recurrence for m = 2, 3, … In doing that we use the following result. Theorem Let If the sequence x1 , x2 , … , x2m-1 satisfies a linear recurrence of length less than m, then det(M) = 0. Conversely, if the sequence x1 , x2 , … , x2m-1 satisfies a linear recurrence of length m and det(M) = 0, then the sequence also satisfies a linear recurrence of length less than m. . 121 132 21               = −+ + mmm m m xxx xxx xxx M    
  • 6. 6From Crypto-Theory to Crypto-Practice Illustration: Let letters of English be encoded by integers from {0,…,25}. Let the key k = k1,…,ks be a sequence of such integers. Let p1,…,pn be a plaintext. Define for 0 Ł i < s, p–i = ks-i and construct the cryptotext by Confusion makes the relation between the cryptotext and plaintext as complex as possible. Example: polyalphabetic substitutions. II. How to make cryptoanalysts' task harder?II. How to make cryptoanalysts' task harder? Two general methods are called diffusion and confusion. Diffusion: dissipate the source language redundancy found in the plaintext by spreading it out over the cryptotext. Example 1: A permutation of the plaintext rules out possibility to use frequency tables for digrams, trigrams. Example 2: Make each letter of cryptotext to depend on so many letters of the plaintext as possible IV054 .1,26mod 0 nipc s j jii ≤≤        = ∑= −
  • 7. 7From Crypto-Theory to Crypto-Practice Confusion and difusion – a more detailed viewConfusion and difusion – a more detailed viewIV054 Two fundamental cryptographic techniques, introduced already by Shannon, are confusion and diffusion. Confusion obscures the relationship between the plaintext and the ciphertext, which makes much more difficult cryptanalyst’s attempts to study cryptotext by looking for redundancies and statistical patterns. (The best way to cause confusion is through complicated substitutions.) Diffusion dissipates redundancy of the plaintext by spreading it over cryptotext - that again makes much more difficult a cryptanalyst’s attempts to search for redundancy in the plaintext through observation of cryptotext. (The best way to achieve it is through transformations that cause that bits from different positions in plaintext contribute to the same bit of cryptotext.) Mono-alphabetic cryptosystems use no confusion and no diffusion. Polyalphabetic cryptosystems use only confusion. In permutation cryptosystems only diffusion step is used. DES essentially uses a sequence of confusion and diffusion steps.
  • 8. 8From Crypto-Theory to Crypto-Practice III. CryptosystemIII. Cryptosystem DESDES - its history- its history 15. 5. 1973 National Burea of Standards published a solicitation for a new cryptosystem. This led to the development of so far the most often used cryptosystem Data Encryption Standard - DESData Encryption Standard - DES DES was developed at IBM, as a modification of an earlier cryptosystem called Lucifer. 17. 3. 1975 DES was published for first time. After a heated public discussion, DES was adopted as a standard on 15. 1. 1977. DES used to be reviewed by NBS every 5 years. IV054
  • 9. 9From Crypto-Theory to Crypto-Practice DESDES - description- description DES was a revolutionary step in the secret-key cryptography history: Both encryption and decryption algorithms were made public!!!!!! Preprocessing: A secret 56-bit key k56 is chosen. A fixed+public permutation φ56 is applied to get φ56 (k56). The first (second) part of the resulting string is taken to get a 28-bit block C0 (D0). Using a fixed+public sequence s1,…,s16 of integers, 16 pairs of 28-bit blocks (Ci, Di), i = 1,…,16 are obtained as follows: Ci (Di) is obtained from Ci -1 (Di -1) by si left shifts. Using a fixed and public order, a 48-bit block Ki is created from each pair Ci and Di. IV054 Encryption A fixed+public permutation φ64 is applied to a 64-bits long plaintext w to get w ‘ = L0R0, where each of the strings L0 and R0 has 32 bits. 16 pairs of 32-bit blocks Li, Ri , 1 Ł i Ł 16, are designed using the recurrence: Li = Ri –1 Ri = Li –1 ⊕ f (Ri –1, Ki ), where f is a fixed+public and easy-to-implement function. The cryptotext c = Φ-1 64(L16,R16)
  • 10. 10From Crypto-Theory to Crypto-Practice DES cryptosystem -DES cryptosystem - Data Encryption Standard - 1977Data Encryption Standard - 1977IV054 Decryption φ64(c) = L16R16 is computed and then the recurrence Ri –1 = Li Li –1 = Ri⊕f (Li,,Ki ), is used to get Li,Ri i = 15,…,1,0, w = Φ-1 64(L0,R0).
  • 11. 11From Crypto-Theory to Crypto-Practice How fast is DES?How fast is DES? 200 megabits can be encrypted per second using a special hardware. IV054 How safe is DES?How safe is DES? Pretty good. How to increase security when using DES?How to increase security when using DES? 1. Use two keys, for a double encryption. 2. Use three keys, k1, k2 and k3 to compute c = DESk1 (DESk2 -1 (DESk3 (w))) How to increase security when encrypting long plaintexts? w = m1 m2 … mn where each mi has 64-bits. Choose a 56-bit key k and a 64-bit block c0 and compute ci = DES (mi ⊕ ci -1) for i = 1,…,m.
  • 12. 12From Crypto-Theory to Crypto-Practice The DES contrThe DES controoversyversy 1. There have been suspicions that the design of DES might contain hidden “trapdoors'‘ what allows NSA to decrypt messages. 2. The main criticism has been that the size of the keyspace, 2 56 , is too small for DES to be really secure. 3. In 1977 Diffie+Hellamn sugested that for 20 milions$ one could build a VLSI chip that could search the entire key space within 1 day. 4. In 1993 M. Wiener suggested a machine of the cost 100.000$ that could find the key in 1.5 days. IV054
  • 13. 13From Crypto-Theory to Crypto-Practice What are the key elements of DES?What are the key elements of DES?IV054 • A cryptosystem is called linear if each bit of cryptotext is a linear combination of bits of plaintext. • For linear cryptosystems there is a powerful decryption method - so-called linear cryptanalysis. • The only components of DES that are non-linear are S-boxes. • Some of original requirements for S-boxes: – Each row of an S-box should include all possible output bit combinations; – It two inputs to an S-box differ in precisely one bit, then the output must differ in a minimum of two bits; – If two inputs to an S-box differ in their first two bits, but have identical last two bits, the two outputs have to be distinct. • There have been many other very technical requirements.
  • 14. 14From Crypto-Theory to Crypto-Practice Weaknesses of DESWeaknesses of DESIV054 • Existence of weak keys: they are such keys k that for any plaintext p, Ek(Ek(p)) = p. There are four such keys: k ∈ {(028 , 028 ), (128 , 128 ), (028 , 128 ), (128 , 028 )} • The existence of semi-weak key pairs (k1, k2) such that for any plaintext Ek1 (Ek2 (p)) = p. • The existence of complementation property Ec(k)(c(p)) = c(Ek(p)), where c(x) is binary complement of binary string x.
  • 15. 15From Crypto-Theory to Crypto-Practice DES modes of operationDES modes of operation ECB mode: to encode a sequence x1, x2, x3, … of 64-bit plaintext blocks, each xi is encrypted with the same key. IV054 CBC mode: to encode a sequence x1, x2, x3, … of 64-bit plaintext blocks, a y0 is chosen and each xi is encrypted by cryptotext yi = ek (yi -1 ⊕ xi). OFB mode: to encode a sequence x1, x2, x3, … of 64-bit plaintext blocks, a z0 is choosen, zi = ek (zi -1) are computed and each xi is encrypted by cryptotext yi = xi ⊕ zi. CFB mode: to encode a sequence x1, x2, x3, … of 64-bit plaintext blocks a y0 is chosen and each xi is encrypted by cryptotext yi = xi ⊕ z, where zi = ek (yi -1).
  • 16. 16From Crypto-Theory to Crypto-Practice 8-bit VERSION of the CFB MODE8-bit VERSION of the CFB MODE In this mode each 8-bit piece of the plaintext is encrypted without having to wait for an entire block to be available. The plaintext is broken into 8-bit pieces: P=[P1,P2,…]. Encryption: An initial 64-bit block X1 is chosen and then, for j=1,2,… , the following computation is done: ,||)( ))(( 561 8 jjj jkjj CXRX XeLPC = ⊕= + IV054 L8(X) denotes the 8 leftmost bits of X. R56(X) denotes the rightmost 56 bits of X. X||Y denotes concatenation of strings X and Y. Decryption: ,||)( ))(( 561 8 jjj jkjj CXRX XeLCP = ⊕= +
  • 17. 17From Crypto-Theory to Crypto-Practice Advantages of different encryption modesAdvantages of different encryption modesIV054 • CBC mode is used for block-encryption and also for authentication; • CFB mode is used for streams-encryption; • OFB mode is used for stream-encryptions that require message authentication; CTR MODE Counter Mode - some consider it as the best one. Key design: ki = Ek(n, i) for a nonce n; Encryption: yi = xi ⊕ ki This mode is very fast because a key stream can be parallelised to any degree. Because of that this mode is used in network security applications.
  • 18. 18From Crypto-Theory to Crypto-Practice Killers and death of DESKillers and death of DESIV054 • In 1993 M. J. Weiner suggested that one could design, using one million dollars, a computer capable to decrypt, using brute force, DES in 3.5 hours. • In 1998 group of P. Kocher designed, using a quarter million of dolars, a computer to decrypt DES in 56 hours. • In 1999 they did that in 24 hours. • It started to be clear that a new cryptosystem with larger keys is badly needed.
  • 19. 19From Crypto-Theory to Crypto-Practice Product- and Feistel-cryptosystems Design of several important practical cryptosystems used the following three general design principles for cryptosystems. A product cryptosystem combines two or more crypto-transformations in such a way that resulting cryptosystem is more secure than component transformations. An iterated block cryptosystem iteratively uses a round function (and it has as parameters number of rounds r, block bit-size n, subkeys bit-size k) of the input key K from which r subkeys Ki are derived. A Feistel cryptosystem is an iterated cryptosystem mapping 2t-bit plaintext (L0,R0). of t-bit blocks L0 and R0 to a 2t-bit cryptotext (Rr,Lr), through an r-round process, where r >0. For 0<I<r+1, the round i maps (Li-1,Ri-1) to (Li,Ri) using a subkey Ki as follows Li=Ri-1, Ri=Ki-1+f(Ri-1,Ki), where each subkey Ki is derived from the main key K.
  • 20. 20From Crypto-Theory to Crypto-Practice Blowfish cryptosystemBlowfish cryptosystemIV054 • Blowfish is Feistel type cryptosystem developed in 1994 by Bruce Schneider. • Blowfish is more secure and faster than DES. • It encrypts 8-bytes blocks into 8-bytes blocks. • Key length is variable 32k, for k = 1, 2, . . . , 16. • For decryption it does not reverse the order of encryption, but it follows it. • S-boxes are key dependent and they, as well as subkeys are created by repeated execution of Blowfish enciphering transformation. • Blowfish has very strong avalanche effect. • A follower of Blowfish, Twofish, was one of 5 candidates for AES. • Blowfish can be downloaded free from the B. Schneider web site.
  • 21. 21From Crypto-Theory to Crypto-Practice AES CRYPTOSYSTEMAES CRYPTOSYSTEM On October 2, 2000, NIST selected, as new Advanced Encryption Standard, the cryptosystem Rijndael, designed in1998 by Joan Daemen and Vincent Rijmen. The main goal has been to develop a new cryptographic standard that could be used to encrypt sensitive governmental information securely, well into the next century. AES was expected to be used obligatory by U.S. governmental institution and, naturally, voluntarily, but as a necessity, also by the private sector. AES is to encrypt 128-bit blocks using a key with 128, 192 or 256 bits. In addition, AES is to be used as a standard for authentication (MAC), hashing and pseudorandom numbers generation. IV054 Motivations and advantages of AES:Motivations and advantages of AES: • Short code and fast implementations • Simplicity and transparency of the design • Variable key length • Resistance against all known attacks
  • 22. 22From Crypto-Theory to Crypto-Practice ARITHMETICS in GF(2ARITHMETICS in GF(288 )) The basic data structure of AES is a byte a = (a 7, a 6, a 5, a 4, a 3, a 2, a 1, a0) where ai's are bits, which can be conveniently represented by the polynomial a(x) = a 7 x 7 + a 6x 6 + a 5x 5 + a 4 x 4 + a 3 x 3 + a 2 x 2 + a 1 x + a 0. Bytes can be conveniently seen as elements of the field F = GF (2 8 ) / m(x), where m(x) = x 8 + x 4 + x 3 + x + 1. In the field F, the addition is the bitwise-XOR and multiplication can be elegantly expressed using polynomial multiplication modulo m(x). c = a ⊕ b; c = a • b where c(x) = [a(x) • b(x)] mod m(x) IV054
  • 23. 23From Crypto-Theory to Crypto-Practice MULTIPLICATION in GF(2MULTIPLICATION in GF(288 )) Multiplication c = a • b where c(x) = [a(x) • b(x)] mod m(x) in GF(28 ) can be easily performed using a new operation b = xtime(a) that corresponds to the polynomial multiplication b(x) = [a(x) • x] mod m(x), as follows set c = 00000000 and p = a; for i = 0 to 7 do c ← c ⊕ (bi • p) p ← xtime(p) Hardware implementation of the multiplication requires therefore one circuit for operation xtime and two 8-bit registers. Operation b = xtime(a) can be implemented by one step (shift) of the following shift register: IV054
  • 24. 24From Crypto-Theory to Crypto-Practice EXAMPLESEXAMPLES • `53‘ + `87' = `D4‘ because, in binary, `01010011‘ ⊕ `10000111‘ = `11010100‘ what means (x6 + x4 + x + 1) + (x7 + x2 + x + 1) = x7 + x6 + x4 + x2 IV054 • `57'‘• `83‘ = `C1' Indeed, (x6 + x4 + x2 + x + 1)(x7 + x + 1) = x13 + x11 + x9 + x8 + x6 + x5 + x4 + x3 + 1 and (x13 + x11 + x9 + x8 + x6 + x5 + x4 + x3 + 1) mod (x8 + x4 + x3 + x + 1) = x7 + x6 + 1 • `57‘ • `13‘ = (`57‘ • `01') ⊕ (`57‘ • `02') ⊕ (`57‘ • `10') = `57‘ ⊕ `AE‘ ⊕ `07‘ = `FE‘ because `57‘ • `02‘ = xtime(57) = `AE‘ `57‘ • `04‘ = xtime(AE) = `47‘ `57‘ • `08‘ = xtime(47) = `8E‘ `57‘ • `10‘ = xtime(8E) = `07'
  • 25. 25From Crypto-Theory to Crypto-Practice POLYNOMIALS over GF(2POLYNOMIALS over GF(288 )) Algorithms of AES work with 4-byte vectors that can be represented by polynomials of the degree at most 4 with coefficients in GF(28 ). Addition of such polynomials is done using component-wise and bit-wise XOR. Multiplication is done modulo M(x) = x4 + 1. (It holds xJ mod (x4 + 1) = xJ mod4 .) Multiplication of vectors (a3x3 + a2x2 + a1x + a0) ⊗ (b3x3 + b2x2 + b1x + b0) can be done using matrix multiplication where additions and multiplications (•) are done in GF(28 ) as described before. Multiplication of a polynomial a(x) by x results in a cyclic shift of the coefficients. IV054 , 3 2 1 0 2103 1032 0321 3210 3 2 1 0                             =               b b b b aaaa aaaa aaaa aaaa d d d d
  • 26. 26From Crypto-Theory to Crypto-Practice BYTE SUBSTITUTIONBYTE SUBSTITUTION Byte substitution b = SubByte(a) is defined by the following matrix operations This operation is computationally heavy and it is assumed that it will be implemented by a pre-computed substitution table. IV054 ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) . 1 1 0 0 0 1 1 0 10001111 11000111 11100011 11110001 11111000 01111100 00111110 00011111 0 1 1 1 2 1 3 1 4 1 5 1 6 1 7 1 0 1 2 3 4 5 6 7                           +                           ×                           =                           − − − − − − − − a a a a a a a a b b b b b b b b
  • 27. 27From Crypto-Theory to Crypto-Practice ENCRYPTION in AESENCRYPTION in AES Encryption and decryption are done using state matrices elements of which are bytes. A byte-matrix with 4 rows and k = 4, 6 or 8 columns is also used to write down a key with Dk = 128, 192 or 256 bits. IV054 ENCRYPTION ALGORITHMENCRYPTION ALGORITHM 1. KeyExpansion 2. AddRoundKey 3. do (k + 5)-times: a) SubByte b) ShiftRow c) MixColumn d) AddRoundKey The final round does not contain MixColumn procedure. The reason being is to be able to use the same hardware for encryption and decryption. 4. Final round a) SubByte b) ShiftRow c) AddRoundkey A E I M B F J N C G K O D H L P
  • 28. 28From Crypto-Theory to Crypto-Practice KEY EXPANSIONKEY EXPANSION The basic key is written into the state matrix with 4, 6 or 8 columns. The goal of the key expansion procedure is to extend the number of keys in such a way that each time a key is used actually a new key is used. The key extension algorithm generates new columns Wi of the state matrix from the columns Wi -1 and Wi-k using the following rule Wi = Wi-k ⊕ V, where F (Wi–1), if i mod k = 0 V = G (Wi –1 ), if i mod k = 4 and Dk = 256 bits, Wi –1 otherwise where the function G performs only the byte-substitution of the corresponding bytes. Function F is defined in a quite a complicated way. IV054
  • 29. 29From Crypto-Theory to Crypto-Practice STEPS of ENCRYPTIONSTEPS of ENCRYPTION AddRoundKey procedure adds byte-wise and bit-wise current key to the current contents of the state matrix. ShiftRow procedure cyclically shifts i-th row of the state matrix by i shifts. MixColumns procedure multiplies columns of the state matrix by the matrix IV054 2113 3211 1321 1132              
  • 30. 30From Crypto-Theory to Crypto-Practice DECRYPTION in AESDECRYPTION in AES Steps of the encryption algorithm map an input state matrix into an output matrix. All encryption operations have inverse operations. Decryption algorithm applies, in the opposite order as at the encryption, the inverse versions of the encryption operations. DECRYPTIONDECRYPTION 1. Key Expansion IV054 2. AddRoundKey 3. do k+5 - times: a) InvByteSub b) InvShiftRow c) InvMixColumn d) AddInvRoundKey 4. Final round a) InvByteSub b) InvShiftRow c) AddRoundKey
  • 31. 31From Crypto-Theory to Crypto-Practice SECURITY GOALSSECURITY GOALS The goal of the authors was that Rijndael (AES) is K-secure and hermetic in the following sense: Definition A cryptosystem is K-secure if all possible attack strategies for it have the same expected work factor and storage requirements as for the majority of possible cryptosystems with the same security. Definition A block cryptosystem is hermetic if it does not have weaknesses that are not present for the majority of cryptosystems with the same block and key length. IV054
  • 32. 32From Crypto-Theory to Crypto-Practice MISCELANEOUSMISCELANEOUS Pronounciation of the name Rijndael is as “Reign Dahl'‘ or “rain Doll'' or “Rhine Dahl''. IV054
  • 33. 33From Crypto-Theory to Crypto-Practice PKC versus SKC - comparisonsPKC versus SKC - comparisonsIV054 Security: If PKC is used, only one party needs to keep secret a (single) key; If SKC is used, both party needs to keep secret one key. No PKC has been shown perfectly secure. Perfect secrecy has been shown for One- time Pad and for quantum generation of classical keys. Longevity: With PKC, keys may need to be kept secure for (very) long time; with SKC a change of keys for each session is recommended. Key management: If a multiuser network is used, then fewer private keys are required with PKC than with SKC. Key exchange: With PKC no key exchange between communicating parties is needed; with SKC a hard-to-implement secret key exchange is needed. Digital signatures: Only PKC are usable for digital signatures. Efficiency: PKC is much slower than SKC (10 times when software implementations of RSA and DES are compared). Key sizes: Keys for PKC (2048 bits for RSA) are significantly larger than for SCK (128 bits for AES). Non-repudiation: With PKC we can ensure, using digital signatures, non- repudiation, but not with SKC.
  • 34. 34From Crypto-Theory to Crypto-Practice Digital envelopsDigital envelopsIV054 Modern cryptography uses both SKC and PKC, in so- called hybrid cryptosystems or in digital envelops to send a message m using a secret key k, public encryption exponent e, and secret decryption exponent d, as follows: 1. Key k is encrypted using e and sent as e(k) 2. Secret decription exponent d is used to get k=d(e(k)) 3 SKC with k is then used to encrypt a message
  • 35. 35From Crypto-Theory to Crypto-Practice KEY MANAGEMENTKEY MANAGEMENT Secure methods of key management are extremely important. In practice, most of the attacks on public-key cryptosystems are likely to be at the key management levels. Problems: How to obtain securely an appropriate key pair? How to get other people’s public keys? How to get confidence in the legitimacy of other's public keys? How to store keys? How to set, extend,… expiration dates of the keys? IV054 Who needs a key? Anyone wishing to sign a message, to verify signatures, to encrypt messages and to decrypt messages. How does one get a key pair? Each user should generate his/her own key pair. Once generated, a user must register his/her public-key with some central administration, called a certifying authority. This authority returns a certificate. Certificates are digital documents attesting to the binding of a public-key to an individual or institutions. They allow verification of the claim that a given public-key does belong to a given individual. Certificates help prevent someone from using a phony key to impersonate someone else. In their simplest form, certificates contain a public-key and a name. In addition they contain: expiration date, name of the certificate issuing authority, serial number of the certificate and the digital signature of the certificate issuer.
  • 36. 36From Crypto-Theory to Crypto-Practice How are certificates usedHow are certificates used – certification authorities– certification authorities The most secure use of authentication involves enclosing one or more certificates with every signed message. The receiver of the message verifies the certificate using the certifying authorities public-keys and, being confident of the public-keys of the sender, verifies the message's signature. There may be more certificates enclosed with a message, forming a hierarchical chain, wherein one certificate testifies to the authenticity of the previous certificate. At the top end of a certificate hierarchy is a top-level certifying-authority to be trusted without a certificate. Example According to the standards, every signature points to a certificate that validates the public-key of the signer. Specifically, each signature contains the name of the issuer of the certificate and the serial number of the certificate. IV054 How do certifying authorities store their private keys?How do certifying authorities store their private keys? It is extremely important that private-keys of certifying authorities are stored securely. One method to store the key in a tamperproof box called a Certificate Signing Unit, CSU. The CSU should, preferably, destroy its contents if ever opened. Not even employees of the certifying authority should have access to the private-key itself, but only the ability to use private-key in the certificates issuing process. CSU are for sells Note: PKCS - Public Key Certification Standards.
  • 37. 37From Crypto-Theory to Crypto-Practice What is PKI?What is PKI? • PKI (Public Key Infrastructure) is an infrastructure that allows to handle public-key problems for the community that uses public-key cryptography. IV054 • Structure of PKI Security policy that specifies rules under which PKI can be handled. Products that generate, store, distribute and manipulate keys. Procedures that define methods how - to generate and manipulate keys - to generate and manipulate certificates - to distribute keys and certificates - to use certificates. Authorities that take care that the general security policy is fully performed.
  • 38. 38From Crypto-Theory to Crypto-Practice PKI users and systemsPKI users and systems • Certificate holder • Certificate user • Certification authority (CA) • Registration authority (RA) • Revocation authority • Repository (to publish a list of certicates, of revocated certificates,...) • Policy management authority (to create certification policy) • Policy approving authority IV054
  • 39. 39From Crypto-Theory to Crypto-Practice SECURITY of CSECURITY of Certification and Registration authoritiesertification and Registration authorities PKI system is so secure how secure are systems for certificate authorities (CA) and registration authorities (RA). Basic principles to follow to ensure necessary security of CA and RA. • Private key of CA has to be stored in a way that is secure against intentional professional attacks. • Steps have to be made for renovation of the private key in the case of a collapse of the system. • Access to CA/RA tools has to be maximally controlled. • Each requirement for certification has to be authorized by several independent operators. • All key transactions of CA/RA have to be logged to be available for a possible audit. • All CA/RA systems and their documentation have to satisfy maximal requirements for their reliability. IV054
  • 40. 40From Crypto-Theory to Crypto-Practice PUBLIC-KEYPUBLIC-KEY INFRASTRUCTUREINFRASTRUCTURE PROBLEMSPROBLEMS Public-key cryptography has low infrastructure overhead, it is more secure, more truthful and with better geographical reach. However, this is due to the fact that public-key users bear a substantial administrative burden and security advantages of the public key cryptography rely excessively on the end-users' security discipline. Problem 1: With public-key cryptography users must constantly be careful to validate rigorously every public-key they use and must take care for secrecy of their private secret keys. IV054 Problem 2: End-users are rarely willing or able to manage keys sufficiently carefuly. User's behavior is the weak link in any security system, and public-key security is unable to reinforce this weakness. Problem 3: Only sophisticated users, like system administrators, can realistically be expected to meet fully the demands of public-key cryptography.
  • 41. 41From Crypto-Theory to Crypto-Practice Main components of public-key infrastructureMain components of public-key infrastructure • The Certification Authority (CA) signs user's public-keys. (There has to be a hierarchy of CA, with a root CA on the top.) • The Directory is a public-access database of valid certificates. • The Certificate Revocation List (CRL) - a public-access database of invalid certificates. (There has to be a hierarchy of CRL). IV054 Stages at which key management issues ariseStages at which key management issues arise • Key creation: user creates a new key pair, proves his identify to CA. CA signs a certificate. User encrypts his private key. • Single sign-on: decryption of the private key, participation in public-key protocols. • Key revocation: CRL should be checked every time a certificate is used. If a user's secret key is compromised, CRL administration has to be notified.
  • 42. 42From Crypto-Theory to Crypto-Practice MAIN PROBLEMSMAIN PROBLEMS • Authenticating the users: How does a CA authenticate a distant user, when issuing the initial certificate? (Ideally CA and the user should meet. Consequently, properly authenticated certificates will have to be expensive, due to the label cost in a face-to-face identity check.) • Authenticating the CA: Public key cryptography cannot secure the distribution and the validation of the Root CA's public key. • Certificate revocation lists: Timely and secure revocation presents big scaling and performance problems. As a result public-key deployment is usually proceeding without a revocation infrastructure. (Revocation is the classical Achilles' Heel of public-key cryptography.) • Private key management: The user must keep his long-lived secret key in memory during his login-session: There is no way to force a public-key user to choose a good password. (Lacking effective password-quality controls, most public-key systems are vulnerable to the off-line guessing attacks.) IV054
  • 43. 43From Crypto-Theory to Crypto-Practice LIFE CYCLE of CERTIFICATESLIFE CYCLE of CERTIFICATES Issuing of certificates • registration of applicants for certificates; • generation of pairs of keys; • creation of certificates; • delivering of certificates; • dissemination of certificates; • backuping of keys; IV054 Using of certificates • receiving a certificate; • validation of the certificate; • key backup and recovery; • automatic key/certificate updating Revocation of certificates • expiration of certificates validity period; • revocation of certificates; • archivation of keys and certificates.
  • 44. 44From Crypto-Theory to Crypto-Practice PPrettyretty GGoodood PPrivacyrivacy In June 1991 Phil Zimmermann, made publicly available software that made use of RSA cryptosystem very friendly and easy and by that he made strong cryptography widely available. Starting February 1993 Zimmermann was for three years a subject of FBI and Grand Jurry investigations, being accused of illegal exporting arms (strong cryptography tools). William Cowell, Deputy Director of NSA said: “If all personal computers in the world - approximately 200 millions - were to be put to work on a single PGP encrypted message, it would take an average an estimated 12 million times the age of universe to break a single message''. Heated discussion whether strong cryptography should be allowed keep going on. September 11 attack brought another dimension into the problem. IV054
  • 45. 45From Crypto-Theory to Crypto-Practice SECURITY / PRIVACY REALITY and TOOLSSECURITY / PRIVACY REALITY and TOOLSIV054 Concerning security we are winning battles, but we are loosing wars concerning privacy. Four areas concerning security and privacy: • Security of communications – cryptography • Computer security (operating systems, viruses, …) • Physical security • Identification and biometrics With google we lost privacy.
  • 46. 46From Crypto-Theory to Crypto-Practice How cryptographic systems get brokenHow cryptographic systems get brokenIV054 Techniques that are indeed used to break cryptosystems: By NSA: • By exhaustive search (up to 280 options). • By exploiting specific mathematical and statistical weaknesses to speed up the exhaustive search. • By selling compromised crypto-devices. • By analysing crypto-operators methods and customs. By FBI: • Using keystroke analysis. • Using the fact that in practice long keys are almost always designed from short guessable passwords.
  • 47. 47From Crypto-Theory to Crypto-Practice RSA in practiceRSA in practiceIV054 • 660-bits integers were already (factorized) broken in practice. • 1024-bits integers are currently used as moduli. • 512-bit integers can be factorized with a device costing 5 K $ in about 10 minutes. • 1024-bit integers could be factorized in 6 weeks by a device costing 10 millions of dollars.
  • 48. 48From Crypto-Theory to Crypto-Practice Patentability of cryptographyPatentability of cryptography • Cryptographic systems are patentable • Many secret-key cryptosystems have been patented • The basic idea of public-key cryptography are contained in U.S. Patents 4 200 770 (M. Hellman, W. Diffie, R. Merkle) - 29. 4. 1980 U.S. Patent 4 218 582 (M. Hellman, R. Merkle) The exclusive licensing rights to both patents are held by “Public Key Partners'' (PKP) which also holds rights to the RSA patent. All legal challenges to public-key patents have been so far settled before judgment. Some patent applications for cryptosystems have been blocked by intervention of us: intelligence or defense agencies. All cryptographic products in USA needed export licences from the State department, acting under authority of the International Traffic in Arms Regulation, which defines cryptographic devices, including software, as munition. Export of cryptography for authentication has not been restricted, Problems were only whith cryptography for privacy. IV054