cryptosystem must not rely on keeping the algorithm secret
2. Diffusion: mixing up symbols
3. Confusion: replacing a symbol with another
4. Randomization: repeated encryptions of the same text are different
used for encryption E and decryption D
1. Dk(Ek(m)) = m for every k: Ek is an injection with inverse Dk
2. Ek(m) is easy to compute (polynomial or linear)
3. Dk(c) is easy to compute (polynomial or linear)
4. Given c = Ek(m), finding m is hard without k (exponential)
to combine the message and the key
Ek(m) = k ⊕ m
Dk(c) = k ⊕ c
Problem: known-plaintext attack
Dk(Ek(m)) = k ⊕ (k ⊕ m) = m, so k = (k ⊕ m) ⊕ m
(since x ⊕ x = 0 and x ⊕ 0 = x)
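The XOR identities on this slide, as an added example (not code from the slides): a one-time pad built from XOR, and the known-plaintext step k = (k ⊕ m) ⊕ m applied to a (plaintext, ciphertext) pair. The messages and the decision to reuse one key for two messages are constructed for the demonstration; the second decryption shows why a recovered pad key is a problem only when the key was reused.

```python
# Added example (not from the slides): one-time pad with XOR, and why the key
# falls out as soon as one (plaintext, ciphertext) pair under it is known.
import os


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("one-time pad: key and message must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, message: bytes) -> bytes:
    return xor_bytes(key, message)        # E_k(m) = k XOR m


def decrypt(key: bytes, ciphertext: bytes) -> bytes:
    return xor_bytes(key, ciphertext)     # D_k(c) = k XOR c: the very same operation


def recover_key(known_plaintext: bytes, ciphertext: bytes) -> bytes:
    """Known-plaintext step from the slide: k = (k XOR m) XOR m."""
    return xor_bytes(ciphertext, known_plaintext)


def demo():
    """Constructed scenario: one pad key reused for two messages of equal length."""
    m1 = b"attack at dawn"                # constructed sample message, 14 bytes
    m2 = b"retreat at six"                # constructed second message, same length
    key = os.urandom(len(m1))             # a proper random pad ...
    c1, c2 = encrypt(key, m1), encrypt(key, m2)   # ... reused twice (the mistake)
    assert decrypt(key, c1) == m1         # the pad itself works as intended
    k_guess = recover_key(m1, c1)         # one known pair gives the whole key back
    return k_guess == key, decrypt(k_guess, c2)   # and with it the other message
```

`demo()` returns `(True, b"retreat at six")`: the key is recovered exactly, and because it was reused, the second ciphertext is readable. A pad key used once leaks nothing beyond the message you already knew; the damage comes from reuse.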
for proposals
• 1974: IBM Lucifer proposal, analyzed by DOD and enhanced by NSA
• 1976: adopted as standard
• 2004: NIST withdraws the standard
Block size: 64 bits
Key size: 56 bits
Speed: ~50 cycles per byte
Algorithm: 16-round Feistel Network
Properties:
• F is an arbitrary function that scrambles the input based on a key
• F is not necessarily invertible
• A Feistel Network is invertible
➡ Achieves confusion and diffusion
"Cryptography and Network Security" by William Stallings
1998: Deep Crack, the EFF's DES cracking machine, used 1,856 custom chips
• Speed: a matter of days
• Cost: $250,000
2006: COPACOBANA, the COst-optimized PArallel COdeBreaker, used 120 FPGAs
• Speed: less than 24h
• Cost: $10,000
Meet-in-the-middle attack (a known-plaintext attack)
1. Brute force Ek1(m) and save the results in a table TE (2^56 entries)
2. Brute force Dk2(c) and save the results in a table TD (2^56 entries)
3. Match the two tables to get the key candidates
➡ The more plaintext you know, the fewer key candidates
➡ Effective key length is 57 bits
➡ This attack applies to every encryption algorithm used this way (double encryption)
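The two Feistel slides above, as one added example (not code from the slides or from Stallings): a toy 16-bit, 4-round Feistel network whose round function F is deliberately not a bijection, with decryption showing that the network is still invertible, and then the meet-in-the-middle matching of TE and TD on double encryption with that cipher. Block and key sizes (16-bit blocks, 8-bit keys), the round function, the key schedule and the test keys are all constructed for illustration; the point is that two tables of 2^k entries replace a search over 2^2k pairs.

```python
# Added example (not from the slides): toy Feistel network + meet-in-the-middle
# on its double encryption. 8-bit keys, 16-bit blocks, 4 rounds, all constructed.
ROUNDS = 4


def F(half: int, subkey: int) -> int:
    """Round function. Squaring mod 256 is NOT a bijection (v and 256-v collide),
    so F is not invertible, which the Feistel structure does not need."""
    return (((half ^ subkey) ** 2) + 17 * subkey) & 0xFF


def subkeys(key: int):
    """Toy key schedule: one 8-bit subkey per round from the 8-bit key."""
    return [(key + 31 * i) & 0xFF for i in range(ROUNDS)]


def feistel_encrypt(key: int, block: int) -> int:
    left, right = block >> 8, block & 0xFF
    for sk in subkeys(key):
        left, right = right, left ^ F(right, sk)   # L' = R ; R' = L xor F(R, k_i)
    return (left << 8) | right


def feistel_decrypt(key: int, block: int) -> int:
    left, right = block >> 8, block & 0xFF
    for sk in reversed(subkeys(key)):
        left, right = right ^ F(left, sk), left    # undo one round: only F's output is needed
    return (left << 8) | right


def f_is_injective(subkey: int) -> bool:
    """True if F(., subkey) maps the 256 inputs to 256 distinct outputs (it never does)."""
    return len({F(x, subkey) for x in range(256)}) == 256


def double_encrypt(k1: int, k2: int, block: int) -> int:
    return feistel_encrypt(k2, feistel_encrypt(k1, block))


def meet_in_the_middle(pairs):
    """pairs: (plaintext, ciphertext) under one unknown (k1, k2).
    Returns the surviving (k1, k2) candidates and the number of cipher calls spent on the tables."""
    m0, c0 = pairs[0]
    table_e = {}                                   # TE: E_k1(m0) -> [k1, ...]
    for k1 in range(256):
        table_e.setdefault(feistel_encrypt(k1, m0), []).append(k1)
    candidates = []                                # TD: D_k2(c0), matched against TE
    for k2 in range(256):
        for k1 in table_e.get(feistel_decrypt(k2, c0), []):
            candidates.append((k1, k2))
    work = 2 * 256                                 # versus 256 * 256 for exhaustive search
    for m, c in pairs[1:]:                         # each further known pair removes false matches
        candidates = [(k1, k2) for k1, k2 in candidates if double_encrypt(k1, k2, m) == c]
    return candidates, work


def demo():
    k1, k2 = 0x3A, 0xC5                            # constructed secret keys
    plaintexts = [0x1234, 0xBEEF, 0x0042]          # constructed known plaintexts
    pairs = [(m, double_encrypt(k1, k2, m)) for m in plaintexts]
    candidates, work = meet_in_the_middle(pairs)
    return (k1, k2) in candidates, work            # (True, 512)
```

`feistel_decrypt` only ever evaluates F in the forward direction, which is the whole reason F may be any keyed function. `demo()` returns `(True, 512)`: the true key pair survives the matching at the cost of 2 · 2^8 cipher calls instead of 2^16, the toy counterpart of the 57-bit figure for double DES.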
previous ciphertext block
✓ Repeating plaintext blocks are not exposed in the ciphertext
๏ No parallelism
➡ The Initialization Vector should not be known by the opponent and must be sent separately (ECB mode for instance)
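The chaining described on this slide, as an added example (not code from the slides): ECB and CBC built over a toy one-byte "block cipher" E_k(b) = 5·b + k mod 256, an affine permutation chosen only so the modes are visible and every value is easy to check by hand. The key, IV and plaintexts are constructed. It shows that ECB repeats whatever the plaintext repeats, that CBC hides this, and that CBC encryption is serial because block i needs ciphertext block i-1.

```python
# Added example (not from the slides): ECB vs CBC over a toy 1-byte block cipher.
# E_k(b) = 5*b + k (mod 256) is a permutation of the byte values, nothing more.


def block_encrypt(key: int, b: int) -> int:
    return (5 * b + key) & 0xFF


def block_decrypt(key: int, c: int) -> int:
    return (205 * ((c - key) & 0xFF)) & 0xFF      # 205 = 5^-1 mod 256


def ecb_encrypt(key: int, data: bytes) -> bytes:
    """Each block independently: trivially parallel, but equal blocks give equal output."""
    return bytes(block_encrypt(key, b) for b in data)


def ecb_decrypt(key: int, data: bytes) -> bytes:
    return bytes(block_decrypt(key, c) for c in data)


def cbc_encrypt(key: int, iv: int, data: bytes) -> bytes:
    """Block i is XORed with ciphertext block i-1 before encryption (the IV comes first),
    so encryption cannot be parallelised: each step waits for the previous output."""
    out, prev = bytearray(), iv
    for b in data:
        prev = block_encrypt(key, b ^ prev)
        out.append(prev)
    return bytes(out)


def cbc_decrypt(key: int, iv: int, data: bytes) -> bytes:
    """Decrypt, then XOR with the previous ciphertext block. The receiver needs the IV."""
    out, prev = bytearray(), iv
    for c in data:
        out.append(block_decrypt(key, c) ^ prev)
        prev = c
    return bytes(out)


def repeated_blocks(ciphertext: bytes) -> int:
    """How many ciphertext blocks are copies of an earlier one."""
    return len(ciphertext) - len(set(ciphertext))


def demo():
    key, iv = 0x10, 0x00                            # constructed key and IV
    plaintext = b"A" * 16                           # constructed: the same block 16 times
    ecb, cbc = ecb_encrypt(key, plaintext), cbc_encrypt(key, iv, plaintext)
    assert ecb_decrypt(key, ecb) == plaintext and cbc_decrypt(key, iv, cbc) == plaintext
    return repeated_blocks(ecb), repeated_blocks(cbc)   # (15, 0)
```

With key 0x10 and IV 0x00 the first three CBC blocks for b"AAA" are 0x55, 0x74, 0x19: the same plaintext byte encrypts differently each time because the previous ciphertext byte is folded in, while ECB gives 0x55 sixteen times.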
• Stream cipher for encrypting large volumes of data
• Block cipher for encrypting fresh pseudo-random seeds

              Stream Cipher                                      Block Cipher
Approach      Encrypt one symbol of plaintext directly           Encrypt a group of plaintext symbols
              into a symbol of ciphertext                        as one block
Pro           Fast                                               High diffusion
Cons          Low diffusion                                      Slow
the KDC (Key Distribution Center)
➡ When Ai and Aj want to talk, the KDC can generate a new key and distribute it to them
➡ We still have n keys to distribute somehow
➡ The KDC must be trusted
➡ The KDC is a single point of failure
(figure: parties A1, A2, A3, A4, A5 around the KDC)
and Kp is made public
➡ … details coming later
➡ This is how the web works!
(figure: private keys A1 - Ks1, A2 - Ks2, A3 - Ks3, A4 - Ks4, A5 - Ks5; public keys A1 - Kp1, A2 - Kp2, A3 - Kp3, A4 - Kp4, A5 - Kp5)
encryption
➡ The private key Ks for decryption
1. Dks(Ekp(m)) = m for every pair (Kp, Ks)
2. Ekp(m) is easy to compute (polynomial or linear)
3. Dks(c) is easy to compute (polynomial or linear)
4. Given c = Ekp(m), finding m is hard without Ks (exponential)
5. Generating a pair (Kp, Ks) is easy (polynomial)
6. Finding the matching Ks for a given Kp is hard (exponential)
(figure: Kp, Ks)
prime if 1 and p are its only divisors, e.g. 3, 5, 7, 11, …
• p and q are relatively prime (a.k.a. coprime) if gcd(p, q) = 1, e.g. gcd(4, 5) = 1
➡ There are infinitely many primes
Euler-Fermat Theorem
If n = p · q and z = (p-1) · (q-1), and a is such that a and n are relatively prime,
then a^z ≡ 1 (mod n)
prime number p
• Addition, multiplication, exponentiation
• Inversion, solving linear equations
Hard problem with prime numbers
• Factoring, e.g. given n, find p and q such that n = p · q
q two large prime numbers and calculate n = p · q (see primality tests)
2. Compute z = (p-1) · (q-1)
3. Pick a prime number e < z such that e and z are relatively prime
➡ (e, n) is the public key
4. Solve the linear equation e · d ≡ 1 (mod z) to find d
➡ d is the private key; however, p and q must be kept secret too
long keys: 1024, 2048 and 4096 bits are common
• Is it more secure than symmetric crypto with key lengths of 56, 128, 192, 256?
➡ Key lengths do not compare!

RSA key length    Effective key length
1,024             80
2,048             112
3,072             128
7,680             192
15,360            256
RSA to encrypt a shared key
➡ Use AES to encrypt the message
E(m) = RSA_Kp(k), AES_k(m)

          Symmetric         Asymmetric
Pro       Fast              No key agreement
Cons      Key agreement     Very slow
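The RSA slides (primality and Euler-Fermat, the four key-generation steps) and the hybrid scheme E(m) = RSA_Kp(k), AES_k(m) on this slide, as one added example (not code from the slides): textbook RSA key generation exactly as the steps read, a check of a^z ≡ 1 (mod n), and a session key wrapped with RSA while the message goes under a symmetric cipher. Assumptions: the primes are tiny and found by trial division, RSA is used without any padding scheme (as on the slide), and a SHA-256 XOR keystream stands in for AES so the block needs only the standard library; the prime values and the message are constructed.

```python
# Added example (not from the slides): textbook RSA from the four steps above,
# the Euler-Fermat check, and hybrid encryption RSA_Kp(k) || SYM_k(m).
# Toy sizes throughout; the symmetric part is a SHA-256 keystream standing in for AES.
import hashlib
import math
import secrets


def is_prime(n: int) -> bool:
    """Naive trial-division primality test; fine for the toy sizes used here."""
    if n < 2:
        return False
    for d in range(2, math.isqrt(n) + 1):
        if n % d == 0:
            return False
    return True


def rsa_keygen(p: int, q: int, e: int = 65537):
    """Steps 1-4: n = p*q, z = (p-1)(q-1), e coprime with z, then e*d = 1 (mod z)."""
    if not (is_prime(p) and is_prime(q) and p != q):
        raise ValueError("p and q must be distinct primes")
    n = p * q
    z = (p - 1) * (q - 1)
    if e >= z or math.gcd(e, z) != 1:              # pick another small e coprime with z
        e = 3
        while math.gcd(e, z) != 1:
            e += 2
    d = pow(e, -1, z)                              # modular inverse, Python 3.8+
    return (e, n), (d, n)                          # public (e, n); private (d, n); p, q, z stay secret


def rsa_encrypt(pub, m: int) -> int:
    e, n = pub
    return pow(m, e, n)


def rsa_decrypt(priv, c: int) -> int:
    d, n = priv
    return pow(c, d, n)


def euler_fermat_holds(p: int, q: int, a: int) -> bool:
    """a^z = 1 (mod n) whenever gcd(a, n) = 1, with n = p*q and z = (p-1)(q-1)."""
    n, z = p * q, (p - 1) * (q - 1)
    return math.gcd(a, n) == 1 and pow(a, z, n) == 1


def sym_encrypt(key: bytes, data: bytes) -> bytes:
    """Toy XOR keystream from SHA-256 in counter mode; stands in for AES_k(m)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        keystream = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(x ^ y for x, y in zip(data[i:i + 32], keystream))
    return bytes(out)


def hybrid_encrypt(pub, message: bytes):
    """E(m) = RSA_Kp(k), SYM_k(m): fresh session key k, wrapped with RSA; message under k."""
    _, n = pub
    k = secrets.randbelow(n - 2) + 2               # session key as an integer in [2, n); toy n < 2^128
    wrapped = rsa_encrypt(pub, k)
    return wrapped, sym_encrypt(k.to_bytes(16, "big"), message)


def hybrid_decrypt(priv, wrapped: int, ciphertext: bytes) -> bytes:
    k = rsa_decrypt(priv, wrapped)                 # one slow RSA operation ...
    return sym_encrypt(k.to_bytes(16, "big"), ciphertext)   # ... then fast symmetric work (XOR is its own inverse)
```

With p = 61, q = 53 and e = 17 the steps give n = 3233, z = 3120 and d = 2753, and 65 encrypts to 2790. Only one RSA operation is needed per message no matter how long it is, which is the whole reason for the hybrid layout in the table above.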