Posted on: 6/2/2011
Chapter 2
CONVENTIONAL ENCRYPTION: CLASSICAL TECHNIQUES
Yeuan-Kuen Lee
September

Outline
- Conventional Encryption Model
- Steganography
- Classical Encryption Techniques

2.1 Conventional Encryption Model

- Plaintext: the original intelligible message.
- Ciphertext: an apparently random nonsense message.
- Encryption process:
  - An algorithm: produces a different output depending on the specific key being used at the time.
  - A key: a value independent of the plaintext, shared by sender and recipient.

[Figure 2.1 Simplified Model of Conventional Encryption]

- The ciphertext can be transformed back to the original plaintext by using a decryption algorithm and the same key that was used for encryption.
- The security of conventional encryption depends on the secrecy of the key, not the secrecy of the algorithm.
- It is impractical to decrypt a message based on the ciphertext plus knowledge of the encryption/decryption algorithm.
- The principal security problem is maintaining the secrecy of the key.

[Figure 2.2 Model of Conventional Cryptosystem. Labels: message source, encryption algorithm, decryption algorithm, destination, key source, secure channel, cryptanalyst (X̂, K̂).]

  Plaintext:                 X = [X1, X2, ..., XM]
  Key:                       K = [K1, K2, ..., KJ]
  Ciphertext:                Y = [Y1, Y2, ..., YN]
  Encryption algorithm (E):  Y = E_K(X)
  Decryption algorithm (D):  X = D_K(Y)

An opponent
- Observing Y, but not having access to K and X, may attempt to recover X or K, or both X and K.
- It is assumed that the opponent knows E and D.
- If only the message is of interest, then an estimated plaintext X̂ is generated.
- If future messages are of interest, then an estimated key K̂ is generated.

Cryptography: the art of secret writing. Classified along three independent dimensions:
1. The type of operations used for transforming plaintext to ciphertext.
   - Substitution
   - Transposition
2. The number of keys used.
   - Symmetric, single-key, secret-key encryption
   - Asymmetric, two-key, public-key encryption
3. The way in which the plaintext is processed.
   - Block cipher
   - Stream cipher

Cryptanalysis
The process of attempting to discover X or K or both. Table 2.1 summarizes the various types of cryptanalytic attacks based on the amount of information known to the cryptanalyst.

Ciphertext-only attack. Known to the cryptanalyst:
1. Encryption algorithm
2. Ciphertext to be decoded
Approaches:
- Brute-force approach of trying all possible keys
- Statistical tests: type of plaintext

Known-plaintext attack. Known to the cryptanalyst:
1. Encryption algorithm
2. Ciphertext to be decoded
3. One or more plaintext-ciphertext pairs formed with the secret key
Probable-word attack: the analyst may have little knowledge of what is in the message.
- Accounting file: placement of certain key words
- Copyright statement in some standardized position

Chosen-plaintext attack. Known to the cryptanalyst:
1. Encryption algorithm
2. Ciphertext to be decoded
3. Plaintext message chosen by the cryptanalyst, together with its corresponding ciphertext generated with the secret key
- Example: password file
- Differential cryptanalysis (explored in Ch 3)

Chosen-ciphertext attack. Known to the cryptanalyst:
1. Encryption algorithm
2. Ciphertext to be decoded
3. Purported ciphertext chosen by the cryptanalyst, together with its corresponding decrypted plaintext generated with the secret key

Chosen-text attack: chosen-plaintext or chosen-ciphertext attack.

- Only relatively weak algorithms fail to withstand a ciphertext-only attack.
- Generally, an encryption algorithm is designed to withstand a known-plaintext attack.

Unconditionally secure
- An encryption scheme is unconditionally secure if the ciphertext it generates does not contain enough information to determine uniquely the corresponding plaintext, no matter how much ciphertext is available and how much time an opponent has.
- No encryption algorithm is unconditionally secure, except the one-time pad scheme.

Conditionally secure
1. The cost of breaking the cipher exceeds the value of the encrypted information.
2. The time required to break the cipher exceeds the useful lifetime of the information.

Table 2.2 Average Time Required for Exhaustive Key Search

  Key size (bits)   Number of alternative keys   Time required at 1 encryption/µs    Time required at 10^6 encryptions/µs
  32                2^32 = 4.3 × 10^9            2^31 µs = 35.8 min                  2.15 ms
  56                2^56 = 7.2 × 10^16           2^55 µs = 1142 years                10.01 hrs
  128               2^128 = 3.4 × 10^38          2^127 µs = 5.4 × 10^24 years        5.4 × 10^18 years
  26 char perm.     26! = 4 × 10^26              2 × 10^26 µs = 6.4 × 10^12 years    6.4 × 10^6 years

2.2 Steganography

Cryptography
- crypto-graphy: secret writing
- Conceals the meaning of the message

Steganography
- stegano-graphy: covered writing
- Conceals the existence of the message

[Figure: Stegosaur (Roof Lizard)]

Example letter:

  Dear George,
  Greetings to all at Oxford. Many thanks for your Letter and for the summer examination package. All Entry Forms and Fees Forms should be ready for final despatch to the syndicate by Friday 20th or at the very latest, I’m told, by the 21st. Admin has improved here, though there’s room for improvement still; just give us all two or three more years and we’ll really show you! Please don’t let these wretched 16 + proposals destroy your basic O and A pattern. Certainly this sort of change, if implemented immediately, would bring chaos.
  Sincerely yours,

Historical steganographic techniques
- Character marking
- Invisible ink
- Pin punctures
- Typewriter correction ribbon

[Figure: General Steganographic Model. Sender: message, compressing, encrypting, embedding into cover-media (image, text, audio, video) with a stego-key. The stego-media passes the warden. Receiver: extracting with the stego-key, decrypting, decompressing, message.]

Requirements of a Steganographic System
- Imperceptible (image fidelity)
- Undetectable (steganalysis)
- Security
- Payload
- Limited robustness
- Blindness

[Figure: Specific Pattern of S-Tools. Panel: palette in cover-image.]

Steganalysis
The art of detecting any hidden message on the communication channel.
If the existence of the hidden message is revealed, the goal of steganography is defeated.
Two types of steganalytic techniques:
- Visual attack
- Statistical attack

[Figure: luminance-ordered palette in stego-image. Result of the Airfield image embedded in the 8-bit Renoir with S-Tools (the cover image was reduced from 248 to 32 unique colors).]

2.3 Classical Encryption Techniques

Two basic building blocks
- Substitution techniques: the letters of plaintext are replaced by other letters or by numbers or symbols.
  - Caesar cipher
  - Monoalphabetic cipher
  - Playfair cipher
  - Hill cipher
- Transposition techniques: performing some sort of permutation on the plaintext letters.
Rotor machines: multiple stages of encryption.

Caesar cipher
Replace each letter of the alphabet with the letter standing three places further down the alphabet.

Transformation:
  Plain:  a b c d e f g h i j k l m n o p q r s t u v w x y z
  Cipher: D E F G H I J K L M N O P Q R S T U V W X Y Z A B C

Example:
  Plain:  meet me after the toga party
  Cipher: PHHW PH DIWHU WKH WRJD SDUWB

If we assign a numerical equivalent to each letter (a=0, b=1, c=2, etc.), then for each plaintext letter p, substitute the ciphertext letter C:
  C = E(p) = (p + 3) mod 26
General Caesar algorithm:
  C = E(p) = (p + k) mod 26, where 1 ≤ k ≤ 25
Decryption algorithm:
  p = D(C) = (C - k) mod 26

Brute-force cryptanalysis (Fig. 2.4). Why does it work? Three important characteristics:
1. The encryption and decryption algorithms are known.
2. There are only 25 keys to try.
3. The language of the plaintext is known and easily recognizable.
Fig. 2.5: using the ZIP algorithm to compress the plaintext before encryption.

Monoalphabetic cipher
- An arbitrary substitution is used.
- 26! (≈ 4 × 10^26) possible keys: enough to eliminate brute-force attack (Table 2.2).
- If the cryptanalyst knows the nature of the plaintext (e.g., noncompressed English text), then the analyst can exploit the regularities of the language.

[Fig. 2.6 Relative frequency of letters in English text]

- Digram: a two-letter combination. The frequency of digrams is a powerful regularity. The most common digram is 'th' (ZW).
- Trigram: a three-letter combination. The most frequent trigram is 'the' (ZWP).
- Homophones: provide multiple substitutes for a single letter. Multiple-letter patterns (e.g., digram frequencies) still survive in the ciphertext.

Playfair cipher
- The best-known multiple-letter encryption cipher.
- Treats digrams in the plaintext as single units and translates these units into ciphertext digrams.
- Uses a 5*5 matrix of letters constructed using a keyword:

  M   O   N   A   R
  C   H   Y   B   D
  E   F   G   I/J K
  L   P   Q   S   T
  U   V   W   X   Z

Plaintext is encrypted two letters at a time, according to the following rules:
1. Repeating plaintext letters that would fall in the same pair are separated with a filler letter (such as x).
   [ balloon ] → [ ba lx lo on ]
2. Plaintext letters that fall in the same row of the matrix are replaced by the letter to the right in a circular fashion.
   [ ar ] → [ RM ]
3. Plaintext letters that fall in the same column of the matrix are replaced by the letter beneath, with the top element of the column circularly following the last.
   [ mu ] → [ CM ]
4. Otherwise, each plaintext letter is replaced by the letter that lies in its own row and the column occupied by the other plaintext letter.
   [ hs ] → [ BP ], [ ea ] → [ IM ] ( or [ JM ] )

- There are 26*26=676 digrams, so that identification of individual digrams is more difficult.
- The relative frequencies of individual letters exhibit a much greater range than that of digrams, making frequency analysis much more difficult.
- Standard field system of the British Army in WWI.
- Considerable use by the U.S. Army and other allied forces during WWII.
- However, it still leaves much of the structure of the plaintext language intact.

[Fig. 2.7 Relative Frequency of Occurrence of Letters]

Hill cipher
- Lester Hill, 1929.
- Takes m successive plaintext letters and substitutes for them m ciphertext letters.
- The substitution is determined by m linear transformations.
- For m = 3:
  C1 = (k11 p1 + k12 p2 + k13 p3) mod 26
  C2 = (k21 p1 + k22 p2 + k23 p3) mod 26
  C3 = (k31 p1 + k32 p2 + k33 p3) mod 26

Matrix-vector form:

  | c1 |   | k11 k12 k13 | | p1 |
  | c2 | = | k21 k22 k23 | | p2 |
  | c3 |   | k31 k32 k33 | | p3 |

  C = KP

where C and P are column vectors of length 3, representing the ciphertext and plaintext, and K is a 3*3 matrix, representing the encryption key. Operations are performed mod 26.

Example:
  Plaintext: "paymoremoney"
  Key:
        | 17 17  5 |
    K = | 21 18 21 |
        |  2  2 19 |
  The first three letters are "pay" = (15, 0, 24)^t
  C = KP mod 26 = (375, 819, 486)^t mod 26 = (11, 13, 18)^t = "LNS"
  Ciphertext: "LNSHDLEWMTRW"

Decryption requires using K^-1, the inverse of the matrix K:
           |  4  9 15 |
    K^-1 = | 15 17  6 |
           | 24  0 17 |
  K K^-1 = K^-1 K = I

General expressions:
  C = E_K(P) = KP
  P = D_K(C) = K^-1 C = K^-1 K P = P

- As with Playfair, the strength of the Hill cipher is that it completely hides single-letter frequencies.
- A 3*3 Hill cipher hides not only single-letter but also two-letter frequency information.
- Using a larger matrix hides more frequency information.
- Strong against a ciphertext-only attack.
- Easily broken with a known-plaintext attack.

For an m*m Hill cipher, suppose we have m plaintext-ciphertext pairs, each of length m:
  Pj = ( p1j, p2j, p3j, p4j, ..., pmj )
  Cj = ( c1j, c2j, c3j, c4j, ..., cmj )
  Cj = K Pj for 1 ≤ j ≤ m and for some unknown key matrix K.
Define X = (pij), Y = (cij). Then
  Y = XK
If X has an inverse, K = X^-1 Y.

Polyalphabetic ciphers
Use different monoalphabetic substitutions as one proceeds through the plaintext message.
1. A set of related monoalphabetic substitution rules is used.
2. A key determines which particular rule is chosen for a given transformation.

Vigenere cipher
- 26 Caesar ciphers are used, with shifts of 0 through 25.
- Each cipher is denoted by a key letter (from a to z).

[Table 2.4 The Modern Vigenere Tableau]

Given a key letter x and a plaintext letter y, the ciphertext letter is at the intersection of the row labeled x and the column labeled y.

  key:        d e c e p t i v e d e c e p t i v e d e c e p t i v e
  plaintext:  w e a r e d i s c o v e r e d s a v e y o u r s e l f
  ciphertext: Z I C V T W Q N G R Z G V T W A V Z H C Q Y G L M G J

The strength is that there are multiple ciphertext letters for each plaintext letter, one for each unique letter of the keyword.
Not all knowledge of the plaintext structure is lost. Example: Fig. 2.7.

Attack:
1. Is it a monoalphabetic substitution or a Vigenere cipher?
   If a monoalphabetic substitution is used, then the statistical properties of the ciphertext should be the same as those of the language of the plaintext (referring to Fig. 2.6).
2. How to determine the keyword length?
   - If two identical sequences of plaintext letters occur at a distance that is an integer multiple of the keyword length, they will generate identical ciphertext sequences.
   - An analyst looking at only the ciphertext can detect the repeated sequences, e.g., VTW at a displacement of 9.
   - Assume that the keyword is either 3 or 9 in length.
   - By looking for common factors in the displacements of the various sequences, the analyst will make a good guess.
3. If the keyword length is N, then the cipher consists of N monoalphabetic substitution ciphers.
   The letters at positions 1, N+1, 2N+1, and so on will be encrypted with the same monoalphabetic cipher.
4. Each monoalphabetic cipher can be attacked using frequency characteristics.

Using a non-repeating keyword can eliminate the periodic nature of the keyword.
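The four Playfair rules above, as an added example that is not part of the original slides. It builds the 5*5 matrix from the keyword MONARCHY (the keyword is inferred from the matrix shown on the slide) and reproduces the slide's digram examples; the function names are this example's own.

```python
ALPHABET = "abcdefghiklmnopqrstuvwxyz"   # 25 letters: j shares a cell with i


def build_matrix(keyword):
    """Keyword letters first (duplicates dropped), then the remaining alphabet."""
    cells = []
    for ch in keyword.lower().replace("j", "i") + ALPHABET:
        if ch in ALPHABET and ch not in cells:
            cells.append(ch)
    return [cells[r * 5:r * 5 + 5] for r in range(5)]


def split_digrams(plaintext, filler="x"):
    """Rule 1: a letter repeated inside a pair is separated with the filler."""
    letters = [c for c in plaintext.lower().replace("j", "i") if c in ALPHABET]
    pairs, i = [], 0
    while i < len(letters):
        a = letters[i]
        b = letters[i + 1] if i + 1 < len(letters) else filler  # pad odd length
        if a == b:
            pairs.append(a + filler)
            i += 1
        else:
            pairs.append(a + b)
            i += 2
    return pairs


def transform_pair(matrix, pair, step=1):
    """step=+1 encrypts, step=-1 decrypts; rule 4 is its own inverse."""
    pos = {matrix[r][c]: (r, c) for r in range(5) for c in range(5)}
    (r1, c1), (r2, c2) = pos[pair[0]], pos[pair[1]]
    if r1 == r2:                              # rule 2: same row, move right
        return matrix[r1][(c1 + step) % 5] + matrix[r2][(c2 + step) % 5]
    if c1 == c2:                              # rule 3: same column, move down
        return matrix[(r1 + step) % 5][c1] + matrix[(r2 + step) % 5][c2]
    return matrix[r1][c2] + matrix[r2][c1]    # rule 4: own row, other's column


def playfair_encrypt(keyword, plaintext):
    m = build_matrix(keyword)
    return "".join(transform_pair(m, p) for p in split_digrams(plaintext)).upper()


def playfair_decrypt(keyword, ciphertext):
    m = build_matrix(keyword)
    text = ciphertext.lower()
    return "".join(transform_pair(m, text[i:i + 2], -1)
                   for i in range(0, len(text), 2))


if __name__ == "__main__":
    print(playfair_encrypt("monarchy", "balloon"))
    print(playfair_decrypt("monarchy", playfair_encrypt("monarchy", "balloon")))
```

Decryption returns the text with the filler still in place ("balxloon"); removing it is left to the reader of the message.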
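The Hill cipher example above, carried through in code as an added example that is not part of the original slides. It derives K^-1 mod 26 from K via the adjugate, encrypts and decrypts "paymoremoney", and checks the "if X has an inverse" condition of the known-plaintext attack for the four plaintext blocks of that message. The helper names are this example's own.

```python
from itertools import combinations
from math import gcd

M = 26
K = [[17, 17, 5], [21, 18, 21], [2, 2, 19]]     # key matrix from the slide


def to_nums(text):
    return [ord(c) - 97 for c in text.lower() if c.isalpha()]


def det3(A):
    (a, b, c), (d, e, f), (g, h, i) = A
    return a * (e * i - f * h) - b * (d * i - f * g) + c * (d * h - e * g)


def inverse_mod26(A):
    """Inverse of a 3x3 matrix mod 26; exists only if gcd(det, 26) == 1."""
    det = det3(A) % M
    if gcd(det, M) != 1:
        raise ValueError("matrix is not invertible mod 26")
    det_inv = pow(det, -1, M)                    # modular inverse (Python 3.8+)

    def minor(r, c):
        (p, q), (s, t) = [row[:c] + row[c + 1:]
                          for k, row in enumerate(A) if k != r]
        return p * t - q * s

    # inverse[r][c] = det^-1 * cofactor[c][r]  (adjugate = transposed cofactors)
    return [[det_inv * (-1) ** (r + c) * minor(c, r) % M for c in range(3)]
            for r in range(3)]


def hill_apply(A, text):
    """Multiply each 3-letter block, taken as a column vector, by A mod 26."""
    nums = to_nums(text)
    if len(nums) % 3:
        raise ValueError("text length must be a multiple of 3")
    out = []
    for i in range(0, len(nums), 3):
        block = nums[i:i + 3]
        out += [sum(k * p for k, p in zip(row, block)) % M for row in A]
    return "".join(chr(n + 65) for n in out)


def usable_block_sets(plaintext):
    """Triples of known plaintext blocks whose matrix X is invertible mod 26."""
    nums = to_nums(plaintext)
    blocks = [nums[i:i + 3] for i in range(0, len(nums), 3)]
    return [t for t in combinations(blocks, 3) if gcd(det3(t) % M, M) == 1]


if __name__ == "__main__":
    print(inverse_mod26(K))
    print(hill_apply(K, "paymoremoney"))
    print(usable_block_sets("paymoremoney"))
```

For this particular message every choice of three blocks gives a determinant that is even, so none of them yields an invertible X; an analyst would need other known plaintext before solving for K.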
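Steps 2 and 3 of the Vigenere attack above, as an added example that is not part of the original slides. It finds repeated ciphertext sequences and their displacements, lists the keyword lengths they allow, and splits the ciphertext into per-key-letter columns. It then repeats the search on a non-repeating key built as the keyword followed by the plaintext itself. Function names are this example's own.

```python
from collections import defaultdict
from functools import reduce
from math import gcd

PLAINTEXT = "wearediscoveredsaveyourself"     # from the slide
KEYWORD = "deceptive"                         # from the slide


def vigenere_encrypt(plaintext, key):
    """Shift letter i of the plaintext by key letter i (key repeats if shorter)."""
    letters = [c for c in plaintext.lower() if c.isalpha()]
    return "".join(
        chr((ord(c) - 97 + ord(key[i % len(key)]) - 97) % 26 + 65)
        for i, c in enumerate(letters))


def repeated_sequences(ciphertext, length=3):
    """Map each repeated n-gram to the displacements between its occurrences."""
    positions = defaultdict(list)
    for i in range(len(ciphertext) - length + 1):
        positions[ciphertext[i:i + length]].append(i)
    return {seq: [b - a for a, b in zip(pos, pos[1:])]
            for seq, pos in positions.items() if len(pos) > 1}


def candidate_key_lengths(displacements):
    """Keyword lengths consistent with every displacement: factors of their gcd."""
    g = reduce(gcd, displacements)
    return [n for n in range(2, g + 1) if g % n == 0]


def split_columns(ciphertext, n):
    """Step 3: letters 1, N+1, 2N+1, ... share one monoalphabetic (Caesar) cipher."""
    return [ciphertext[i::n] for i in range(n)]


if __name__ == "__main__":
    ct = vigenere_encrypt(PLAINTEXT, KEYWORD)
    repeats = repeated_sequences(ct)
    print(ct, repeats)
    all_disp = [d for ds in repeats.values() for d in ds]
    print("candidate keyword lengths:", candidate_key_lengths(all_disp))
    print("columns for N=9:", split_columns(ct, 9))
    # Non-repeating key: keyword followed by the plaintext itself.
    ct2 = vigenere_encrypt(PLAINTEXT, KEYWORD + PLAINTEXT)
    print(ct2, repeated_sequences(ct2))
```

With the repeating keyword the only repeated trigram is VTW at displacement 9, which allows lengths 3 and 9; with the non-repeating key the same search finds nothing.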
Vigenere cipher (Conti.)

Autokey system: a keyword is concatenated with the plaintext itself to provide a running key.

  key:        d e c e p t i v e w e a r e d i s c o v e r e d s a v
  plaintext:  w e a r e d i s c o v e r e d s a v e y o u r s e l f
  ciphertext: Z I C V T W Q N G K Z E I I G A S X S T S L V V W L A

- Statistical techniques can be applied to cryptanalysis since the key and the plaintext share the same frequency distribution of letters.
- Example: e enciphered by e can be expected to occur with a frequency of (0.1275)^2 = 0.0163.

Ultimate defense: choose a keyword that is as long as the plaintext and has no statistical relationship to it.

Vernam cipher
- 1918, AT&T engineer Gilbert Vernam.
- Works on binary data:
  Ci = pi ⊕ ki
  pi = Ci ⊕ ki
  where
  pi = ith binary digit of plaintext
  ki = ith binary digit of key
  Ci = ith binary digit of ciphertext
  ⊕ = exclusive-or (XOR) operation
- The essence of this technique is the means of construction of the key.
- Uses a running loop of tape as keyword: a very long but repeating keyword.
- Can be broken with sufficient ciphertext, the use of known or probable plaintext sequences, or both.

One-time pad
- Army Signal Corps officer Joseph Mauborgne.
- Uses a random key that is truly as long as the message.
- Unbreakable.
- Produces random output that bears no statistical relationship to the plaintext.
- The practical difficulty: sender and receiver must be in possession of, and protect, the random key.
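The difference between Vernam's repeating tape loop and the one-time pad, as an added example that is not part of the original slides. The message and the 8-byte loop are constructed sample values; it shows how a known plaintext prefix exposes a repeating loop through Ci ⊕ pi = ki, and how the same XOR with a pad as long as the message is built.

```python
import secrets
from itertools import cycle

# Constructed sample data, not from the slides.
LOOP = bytes.fromhex("3a91c45e07b2d86f")          # 8-byte repeating key tape
MESSAGE = b"WEATHER REPORT: clear skies, light wind from the north"


def xor_stream(data, keystream):
    """Ci = pi XOR ki (and pi = Ci XOR ki); stops at the shorter input."""
    return bytes(d ^ k for d, k in zip(data, keystream))


def vernam_loop_encrypt(data, loop):
    """Vernam with a running tape loop: the key repeats every len(loop) bytes."""
    return xor_stream(data, cycle(loop))


def keystream_period(keystream):
    """Smallest L with keystream[i] == keystream[i + L] throughout, else None.
    Only L <= len/2 is accepted, so each key byte is confirmed at least once."""
    n = len(keystream)
    for L in range(1, n // 2 + 1):
        if all(keystream[i] == keystream[i + L] for i in range(n - L)):
            return L
    return None


def recover_loop(ciphertext, known_prefix):
    """Known plaintext gives key bytes directly; periodicity gives the loop."""
    keystream = xor_stream(ciphertext, known_prefix)
    L = keystream_period(keystream)
    return keystream[:L] if L else None


def one_time_pad_encrypt(data):
    """Random key exactly as long as the message, to be used once."""
    pad = secrets.token_bytes(len(data))
    return pad, xor_stream(data, pad)


if __name__ == "__main__":
    ct = vernam_loop_encrypt(MESSAGE, LOOP)
    loop = recover_loop(ct, MESSAGE[:20])          # analyst knows 20 bytes
    print("recovered loop:", loop.hex())
    print(vernam_loop_encrypt(ct, loop).decode())  # rest of message falls out
    pad, ct2 = one_time_pad_encrypt(MESSAGE)
    print(xor_stream(ct2, pad) == MESSAGE)
```

With the one-time pad, the key bytes revealed by a known prefix say nothing about the key bytes covering the rest of the message, which is why the pad must be as long as the message and never reused.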
Transposition Techniques

Performs some sort of permutation on the plaintext letters.

Rail fence technique
The plaintext is written down as a sequence of diagonals and then read off as a sequence of rows.

  Plaintext: "meet me after the toga party"

    m e m a t r h t g p r y
     e t e f e t e o a a t

  Ciphertext: "MEMATRHTGPRYETEFETEOAAT"

A more complex scheme
Write the message in a rectangle, row by row, and read the message off, column by column, but permute the order of the columns. The order of the columns then becomes the key.

  Plaintext: "attack postponed until two am xyz"

  Key:        4 3 1 2 5 6 7
  plaintext:  a t t a c k p
              o s t p o n e
              d u n t i l t
              w o a m x y z
  Ciphertext: TTNAAPTMTSUOAODWCOIXKNLYPETZ

Perform more than one stage of transposition

  Key:        4 3 1 2 5 6 7
  plaintext:  t t n a a p t
              m t s u o a o
              d w c o i x k
              n l y p e t z
  Ciphertext: NSCYAUOPTTWLTMDNAOIEPAXTTOKZ

The original sequence of letters is
  01 02 03 04 05 06 07 08 09 10 11 12 13 14
  15 16 17 18 19 20 21 22 23 24 25 26 27 28
After the first transposition:
  03 10 17 24 04 11 18 25 02 09 16 23 01 08
  15 22 05 12 19 26 06 13 20 27 07 14 21 28
After the second transposition:
  17 09 05 27 24 16 12 07 10 02 22 20 03 25
  15 13 04 23 19 14 11 01 26 21 18 08 06 28
This is a much less structured permutation and is much more difficult to cryptanalyze.
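The transposition schemes above, as an added example that is not part of the original slides. The columnar routine works on any sequence, so the same code produces both the ciphertexts and the position tables for one and two stages; the rail fence is fixed at the depth of two used on the slide. Function names are this example's own.

```python
KEY = [4, 3, 1, 2, 5, 6, 7]                    # column labels from the slide


def rail_fence(plaintext):
    """Depth-2 rail fence: letters on the top diagonal row, then the bottom."""
    letters = [c for c in plaintext.lower() if c.isalpha()]
    return "".join(letters[0::2] + letters[1::2]).upper()


def column_order(key):
    """Column indices in read-off order: the column labelled 1 first, then 2, ..."""
    return sorted(range(len(key)), key=lambda c: key[c])


def columnar(seq, key):
    """Write seq row by row under the key, then read whole columns in key order."""
    n = len(key)
    if len(seq) % n:
        raise ValueError("pad the message so it fills the rectangle")
    return [seq[i] for c in column_order(key) for i in range(c, len(seq), n)]


def columnar_inverse(seq, key):
    """Put each read-off column back in place and read the rectangle row by row."""
    n, rows = len(key), len(seq) // len(key)
    out, it = [None] * len(seq), iter(seq)
    for c in column_order(key):
        for r in range(rows):
            out[r * n + c] = next(it)
    return out


def transpose_text(text, key, stages=1):
    letters = [c for c in text.lower() if c.isalpha()]
    for _ in range(stages):
        letters = columnar(letters, key)
    return "".join(letters).upper()


def position_table(length, key, stages):
    """Where each original position (1-based) ends up after the given stages."""
    positions = list(range(1, length + 1))
    for _ in range(stages):
        positions = columnar(positions, key)
    return positions


if __name__ == "__main__":
    print(rail_fence("meet me after the toga party"))
    msg = "attack postponed until two am xyz"
    print(transpose_text(msg, KEY), transpose_text(msg, KEY, stages=2))
    print(position_table(28, KEY, 1))
    print(position_table(28, KEY, 2))
```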
Rotor machines

- Consists of a set of independently rotating cylinders.
- A single cylinder defines a monoalphabetic substitution.
- After each input key is depressed, the cylinder rotates one position, so that the internal connections are shifted accordingly.
- Thus, a different monoalphabetic substitution cipher is defined.
- The result is a polyalphabetic substitution algorithm with a period of 26.

[Figure: Edward Hebern’s “Electric Code Machine,” 1921, U.S. Patent 1683072. Rotors are 75a-e.]

Multiple cylinders
- The output pins of one cylinder are connected to the input pins of the next.
- The cylinder farthest from the operator input rotates one pin position with each keystroke.
- For every complete rotation of the outer cylinder, the middle cylinder rotates one pin position.
- For every complete rotation of the middle cylinder, the inner cylinder rotates one pin position.
- 26*26*26=17576 different substitution algorithms.
- Points the way to DES.

[Fig. 2.8 Three-Rotor Machine with wiring represented by numbered contacts]
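The stepping rule for multiple cylinders, as an added example that is not part of the original slides. The three wirings are constructed permutations of the form (a*x + b) mod 26, not the wiring of any real machine; the class and function names are this example's own.

```python
from math import gcd

ALPHA = 26


def make_rotor(a, b):
    """Constructed wiring: contact x is connected to contact (a*x + b) mod 26."""
    if gcd(a, ALPHA) != 1:
        raise ValueError("a must be coprime to 26 to give a permutation")
    return [(a * x + b) % ALPHA for x in range(ALPHA)]


class RotorMachine:
    def __init__(self, wirings):
        # wirings[0] is the cylinder nearest the operator (slowest),
        # wirings[-1] the farthest one (steps on every keystroke).
        self.wirings = wirings
        self.inverses = [[w.index(y) for y in range(ALPHA)] for w in wirings]
        self.offsets = [0] * len(wirings)

    def step(self):
        """Odometer stepping: carry inward after each complete rotation."""
        for i in reversed(range(len(self.offsets))):
            self.offsets[i] = (self.offsets[i] + 1) % ALPHA
            if self.offsets[i] != 0:
                break

    @staticmethod
    def through(x, table, offset):
        """Pass a signal through one cylinder rotated by `offset` positions."""
        return (table[(x + offset) % ALPHA] - offset) % ALPHA

    def encrypt(self, text):
        out = []
        for ch in text.lower():
            x = ord(ch) - 97
            for table, off in zip(self.wirings, self.offsets):
                x = self.through(x, table, off)
            out.append(chr(x + 65))
            self.step()                     # rotate after the key is depressed
        return "".join(out)

    def decrypt(self, text):
        out = []
        for ch in text.upper():
            x = ord(ch) - 65
            for table, off in zip(reversed(self.inverses), reversed(self.offsets)):
                x = self.through(x, table, off)
            out.append(chr(x + 97))
            self.step()
        return "".join(out)


def stepping_period(n_rotors=3):
    """Keystrokes until every cylinder is back at its starting position."""
    machine = RotorMachine([make_rotor(1, 0)] * n_rotors)
    count = 0
    while True:
        machine.step()
        count += 1
        if not any(machine.offsets):
            return count


if __name__ == "__main__":
    wirings = [make_rotor(5, 8), make_rotor(7, 3), make_rotor(11, 17)]
    ct = RotorMachine(wirings).encrypt("meetmeafterthetogaparty")
    print(ct, RotorMachine(wirings).decrypt(ct), stepping_period(3))
```

Both sides must start from the same cylinder positions, which is why the example creates a fresh machine for decryption.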