Introduction To Security and Privacy Einführung in die IT-Sicherheit I

Transcription

1 Introduction To Security and Privacy Einführung in die IT-Sicherheit I Prof. Dr. rer. nat. Doğan Kesdoğan Institut für Wirtschaftsinformatik kesdogan@fb5.uni-siegen.de 1

2 Multiple letter ciphers 2

3 Playfair Cipher Drawback of monoalphabetic cipher: Not even the large number of keys provides security Only shuffles frequency distribution of letters Encryption of multiple letters: Instead of encrypting single letters, now encrypt pairs of letters. E.g. map pair th to pair XP The Playfair Cipher is an example History of Playfair: Invented by Charles Wheatstone in 1854, but named after his friend Baron Playfair Standard cipher of British army in Word War 1 and still used in Word War 2 3

4 Playfair Key Matrix Construction of Cipher: A 5X5 matrix of letters based on a keyword Fill in letters of keyword (MONARCHY) Fill rest of matrix with other letters E.g. using the keyword MONARCHY M O N A R C H Y B D E F G I/J K L P Q S T U V W X Z 4

5 Encrypting and Decrypting Plaintext is encrypted two letters at a time 1. Repeated letters: insert filler like 'X 2. Letters in same row: replace each with letter to right (wrapping back to start from end) 3. Letters in same column: replace each with the letter below it (wrapping to top from bottom) 4. Otherwise: each letter is replaced by the letter in the same row and in the column of the other letter of the pair M O N A R C H Y B D E F G I/J K L P Q S T U V W X Z 1. balloon -> BA LX LO ON 2. ar -> RM 3. mu ->CM 4. hs -> BP 5

6 Encrypting and Decrypting Plaintext is encrypted two letters at a time 1. Repeated letters: insert filler like 'X 2. Letters in same row: replace each with letter to right (wrapping back to start from end) 3. Letters in same column: replace each with the letter below it (wrapping to top from bottom) 4. Otherwise: each letter is replaced by the letter in the same row and in the column of the other letter of the pair M O N A R C H Y B D E F G I/J K L P Q S T U V W X Z 1. balloon -> BA LX LO ON 2. ar -> RM 3. mu ->CM 4. hs -> BP 6

7 Encrypting and Decrypting Plaintext is encrypted two letters at a time 1. Repeated letters: insert filler like 'X 2. Letters in same row: replace each with letter to right (wrapping back to start from end) 3. Letters in same column: replace each with the letter below it (wrapping to top from bottom) 4. Otherwise: each letter is replaced by the letter in the same row and in the column of the other letter of the pair M O N A R C H Y B D E F G I/J K L P Q S T U V W X Z 1. balloon -> BA LX LO ON 2. ar -> RM 3. mu ->CM 4. hs -> BP 7

8 Security of Playfair Cipher Positive: Security much improved over monoalphabetic, since have 26 x 26 = 676 digrams Would need a 676 entry frequency table to analyse (verses 26 for a monoalphabetic) And correspondingly more ciphertext Drawback: It can be broken, given a few hundred letters, since still has much of plaintext structure 8

9 Polyalphabetic ciphers 9

10 Polyalphabetic Ciphers Polyalphabetic substitution ciphers: Improve security using multiple cipher alphabets Make cryptanalysis harder with more alphabets to guess and flatter frequency distribution Use a key to select which alphabet is used for each letter of the message Use each alphabet in turn Repeat from start after end of key is reached 10

11 Vigenère Cipher Cipher: Simplest polyalphabetic substitution cipher Effectively multiple caesar ciphers key is multiple letters long k = k 1 k 2... k d i th letter specifies i th alphabet to use Use each alphabet in turn Repeat from start after d letters in message Decryption simply works in reverse 11

12 Example of Vigenère Cipher write the plaintext out write the keyword repeated above it use each key letter as a caesar cipher key encrypt the corresponding plaintext letter E.g. using keyword deceptive ( ) key: deceptivedeceptivedeceptive plaintext: wearediscoveredsaveyourself ciphertext:zicvtwqngrzgvtwavzhcqyglmgj 12

13 Security of Vigenère Ciphers Positive: Have multiple ciphertext letters for each plaintext letter Hence letter frequencies are better obscured than using monoalphabetic ciphers Attack: Start with letter frequencies and see if look monoalphabetic or not (by letter distribution) If not, then need to determine number of alphabets, since then can attach each 13

14 Kasiski Method Find Keyword length: Method developed by Babbage / Kasiski Repetitions in ciphertext give clues to period Find same plaintext an exact period apart which results in the same ciphertext Of course, could also be random fluke Example: VTW is repeated after 9 letters in example Suggests keyword length is a devisor of 9, i.e. 3 or 9 Then attack each monoalphabetic cipher individually using same techniques as before key: deceptivedeceptivedeceptive plaintext: wearediscoveredsaveyourself ciphertext:zicvtwqngrzgvtwavzhcqyglmgj 14

15 Unconditional Security 15

16 Unconditional Security One time pad Vigenère with plaintext space = ciphertext space = key space For any plaintext & any ciphertext there exists a key mapping one to other Key can be used only once Mathematically: Let P, C, K = {0,1} n be domain of p,c,k, where P = C = K p,c,k {0,1} n, key chosen randomly and uniformly distributed Encryption: c = p k, where is exclusive or Decryption: p = c k Example: key: plaintext: ciphertext: = 16

17 Unconditional Security Unconditional secure Cipher Insecure Cipher Plaintext p Key k Ciphertext c Plaintext p Key k Ciphertext c k i {0,1} 2, i {1,..,4} k 1 = 01 k 2 = 11 Unconditional security Ciphertext should not provide any new information about plaintext p c P(p c) = P(p), i.e. probability of plaintext p given that ciphertext c is known is the same as directly guessing p Such a system is unbreakable, given any computing time and memory 17

18 Bayes Probability Theorem Conditional Probability: Let Ω be event space, i.e. set of all elementary events Let A, E 1 Ω be events P(A E 1 ) is prob. of event A given event E 1 (i.e. A conditioned on E 1 ) Bayes theorem: P( A E1) P( A E1) = P( E ) 1 Bayes theorem: Given: Pairwise stochastic independent events E 1, E 2,.., E n E 1,.., E n covers all possible outcomes, i.e. E 1.. E n = Ω and P(E 1.. E n ) = 1 For any even A: P( A) = n i= 1 P( A E ) P( i E i ) P(Ω) = 1 18

19 Proof Show: Pr(p c) = Pr(p) c is uniformly distributed, because each key is equally likely used p can be arbitrary distributed Plaintext c Key k Ciphertext p k 1 k 2 k 3 k Pr( p c) Pr( p c) = Pr( c) Pr( c p) Pr( p) = Pr( c) = = = = Pr( p) Pr( c p) Pr( p) Pr( p ) Pr( c p P i Pr( p)2 Pr( p p P i Pr( p) Pr( p p P i i n i i )2 ) n p i )

20 Drawback of One-Time-Pad Generation of large quantity of random key is expensive Secure distribution of key But there seems to be a way out by quantum cryptography 20

21 One-Time-Pad & Quantum Cryptography (Excursion)_ Quantum cryptography Use quantum mechanical effects polarisation of light (photon) Heisenberg uncertainty principle no cloning theory to generate random numbers securely transfer secret key (eavesdropping of key detectable) Commercially available for banking: Id Quantique, Siemens IT Solutions, MagiQ 1. Alice defines: - 0: / or - 1: \ or random base x or + 2. Choose base x or + 50% correct base 3. Eavesdropping cause additional errors (no cloning theorem) 21

22 One-Time-Pad & Quantum Cryptography (Excursion) Definition: Base: Determine linear polarisation axes of photons. Two bases are possible, either x or + \, / : Possible polarisation directions of a photon using base x, : Possible polarisation directions of a photon using base + Example: Assume base + is used to send photon with polarisation direction If receiver uses base + to measure photon polarisation, then he receives, i.e. original polarisation If receiver uses base x to measure photon polarisation, then he randomly receives in 50% of the cases \ In 50% of the cases / 22

23 One-Time-Pad & Quantum Cryptography (Excursion) Alice: Sends the base she used for each transmitted bit to Bob, e.g. through the Internet Bob: Drops all the bits where his base is distinct to Alice s base If no eavesdropper: non-dropped bits error free If eavesdropper exists: non dropped bits contain errors. Can be verified by sending checking-bit encrypted with a non-dropped bit Eve: If chooses the same base as Alice to measure polarisation, then no additional error is caused. Only in 50% of the cases If no error detected, then Alice and Bob use one-time-pad and exchanged key for confidential data transmission 23