分析案例密碼學(xué)

CollegeofComputerScienceandElectronic群編程分組（A,安全安全男男男男女男女女男安全女男男男女女男男女編程分組（C安全安全女男男男男男男女男女女女男女女男女男女男男女男男女女女男男女男女女女王男UnderstandingCryptography–ATextbookforStudentsandPractitionersbyChristofPaarandJanChapter1–IntroductiontoCryptographyver.October28,2010TheseslideswerepreparedbyChristofPaarandJanSomelegalstuff(sorry):TermsofTheslidescanused ofcharge.AllcopyrightsfortheslidesremainwithChristofPaarandJanPelzl.Thetitleofthepanyingbook“UnderstandingCryptography”byandtheauthor’snamesmustremainoneachIftheslidesaremodified,appropriatecreditstothebookauthorsandbooktitlemustremainwithintheItisnotpermittedtoreproducepartsoralloftheslidesinprintedwhatsoeverwithoutwrittenconsentbythe

Chapter1ofUnderstandingCryptographybyChristofPaarandJanContentofthisOverviewonthefieldofBasicsofsymmetric SubstitutionModularShift(orCaesar)CipherandAffine

Chapter1ofUnderstandingCryptographybyChristofPaarandJanContentofthisOverviewonthefieldofBasicsofsymmetric SubstitutionModularShift(orCaesar)CipherandAffine

Chapter1ofUnderstandingCryptographybyChristofPaarandJan ClassificationoftheFieldof Symmetric Block Streamaahighlyimmature

Chapter1ofUnderstandingCryptographybyChristofPaarandJan SomeBasicAncientCrypto:EarlysignsofencryptioninEqyptinca.2000Letter-basedencryptionschemes(e.g.,Caesarcipher)populareverSymmetricciphers:Allencryptionschemesfromancienttimesuntil1976weresymmetricones.Asymmetricciphers:In1976public-key(orasymmetric)cryptographywasopenlyproposedbyDiffie, manandMerkle.HybridSchemes:Themajorityoftoday‘sprotocolsarehybridschemes,i.e.,theusesymmetricciphers(e.g.,forencryptionandmessageauthentication)asymmetricciphers(e.g.,forkeyexchangeanddigital

Chapter1ofUnderstandingCryptographybyChristofPaarandJanContentofthisOverviewonthefieldofBasicsofsymmetric SubstitutionModularShift(orCaesar)CipherandAffine

Chapter1ofUnderstandingCryptographybyChristofPaarandJan SymmetricAlternativenames:private-key,single-keyorsecret-key(badguy)Unsecurechannel(e.g.Internet)xxProblemAliceandBobwouldliketocommunicateviaaninsecurechannel(e.g.,WLANorInternet).AmaliciousthirdpartyOscar(thebadguy)haschannelaccessbutshouldnotbeabletounderstandthecommunication.

Chapter1ofUnderstandingCryptographybyChristofPaarandJan SymmetricSolution:EncryptionwithsymmetricOscarobtainsonlyciphertexty,thatlookslikerandombits

(badguy)y

insecurechannel(e.g.Internet)

e(

d() d()y yKeyKeyxis yistheKisthe

Securewhyancientpeoplechosethismodeltodevelopsymmetrickeycryptography?Setofallkeys{K1,K2,...,Kn}isthekey

Chapter1ofUnderstandingCryptographybyChristofPaarandJan Symmetric???EncryptionDecryptiony=x=EncryptionanddecryptionareinverseoperationsifthesamekeyKisusedonbothdK(y)=dK(eK(x))=ddK()istheinversefunctionof

Chapter1ofUnderstandingCryptographybyChristofPaarandJansetofallx

setofallynumbernumberofintextsEQUALtonumberpossibleciphertextswhenkeyissetofallx

setofallynumberofpossibleciphertextsisatleastequaltonumberofpossible innumberofpossibleciphertextsisatleastequaltonumberofpossible intexts,whenkeyisnotassigned SymmetricEncryptionDecryption

y=eK(x)x=EncryptionanddecryptionareinverseoperationsifthesamekeyKisusedonbothdK(y)=dK(eK(x))=Important:ThekeymustbetransmittedviaasecurechannelbetweenAliceandThesecurechannelcanberealized,e.g.,bymanuallyinstallingthekeyfortheWi-FiProtectedAccess( )protocolorahumancourier.However,thesystemisonlysecureifanattackerdoesnotlearnthekeyTheproblemofsecurecommunicationisreduced1.securetransmissionandstorageofthekey2.findpropereK()and

Chapter1ofUnderstandingCryptographybyChristofPaarandJanContentofthisOverviewonthefieldofBasicsofsymmetric SubstitutionModularShift(orCaesar)CipherandAffine

Chapter1ofUnderstandingCryptographybyChristofPaarandJan Whydoweneed calThereisnomathematicalproofofsecurityforanycalTheonlywaytohaveassurancethatacipherissecureistotrytobreakit(andfail)!

Chapter1ofUnderstandingCryptographybyChristofPaarandJan ernments(U.S., ,Russia,etc)intentionallydesignflawedcryptosystemsand usethemtoocostlytore proofofciphersecurity)?wasaDutchlinguistandcryptographerwhowasprofessoroflanguagesattheécoledesHautesétudesCommercialesinParisinthelate19thcentury.“即使 Whydoweneed Thereisnomathematicalproofofsecurityforanypracticalandfail)Theonlywaytohaveassurancethatacipherissecureistotrytoandfail)Kerckhoffs‘sPrincipleisparamountinmodernAAcryptosystemshouldbesecureeveniftheattacker(Oscar)knowsalldetailsaboutthesystem,withtheexceptionofthesecretkey.isisopensourcesoftwaremoresecurethanclosedsourcesoftware?

Chapter1ofUnderstandingCryptographybyChristofPaarandJan Whydoweneed Thereisnomathematicalproofofsecurityforanypracticalandfail)Theonlywaytohaveassurancethatacipherissecureistotrytoandfail)Kerckhoffs‘sPrincipleisparamountinmodernAAcryptosystemshouldbesecureeveniftheattacker(Oscar)knowsalldetailsaboutthesystem,withtheexceptionofthesecretkey.InordertoachieveKerckhoffs‘sPrincipleinOnlyusewidelyknownciphersthathavebeencrypt yzedforseveralyearsbygoodcryptographers!(UnderstandingCryptographyonlytreatssuchciphers)Remark:Itistemptingtoassumethatacipheris?moresecure“ifitsdetailsaresecret.However,historyhasshowntimeandagainthatsecretcipherscanalmostalwaysbeenbrokenoncetheyhavebeenreversedengineered.(Example:ContentScramblingSystem(CSS)forDVDcontentprotection.)

Chapter1ofUnderstandingCryptographybyChristofPaarandJan ysis:Attacking ImplementationAttack:Trytoextractkeythroughreverseengineeringorpowermeasurement,e.g.,forabankingsmartcard.SocialEngineering:E.g.,trickauserintogivingupher

Chapter1ofUnderstandingCryptographybyChristofPaarandJan Attack(orExhaustiveKeySearch)againstSymmetricTreatsthecipherasablackRequires(atleast) intext-ciphertextpair(x0,CheckallpossiblekeysuntilconditionisdK(y0)= HowmanykeystoweneedinbitKeySecuritylife asbestpossibleShortterm(fewdaysorLong-term(severaldecadesintheabsenceofquantumLong-term(alsoresistantagainstquantumcomputers–notethatQCdonotexistatthemomentandmightneverexist)Important:Anadversaryonlyneedstosucceedwithoneattack.Thus,alongkeyspacedoesnothelpifotherattacks(e.g.,socialengineering)arepossible..

Chapter1ofUnderstandingCryptographybyChristofPaarandJanContentofthisOverviewonthefieldofBasicsofsymmetric SubstitutionModularShift(orCaesar)CipherandAffine

Chapter1ofUnderstandingCryptographybyChristofPaarandJan SubstitutionHistoricalGreattoolforunderstanding yticalEncryptslettersratherthanbits(likeallciphersuntilafterWWIdea: ce intextletterbyafixedotherAkBdCwforinstance,ABBAwouldbeencryptedasExampleiqifccvqqrfbrdqvfllcqnardqcfjwhwzhrbnnbhcchwwhbsqvqbrehwqvhlqHowsecureistheSubstitutionCipher?Let‘slookat

Chapter1ofUnderstandingCryptographybyChristofPaarandJan AttacksagainsttheSubstitutionAttack:ExhaustiveKeySearch Simplytryeverypossiblesubsititutiontableuntilanin intextappears(notethateachsubstitutiontableisakey)..Howmanysubstitutiontables(=keys)are26x25x…x3x2x1=26!?Searchthrough288keysiscomple yinfeasiblewithtoday‘scomputers!(cf.earliertableonkeylengths)Q:Canwenowconcludethatthesubstitutioncipherissecuresinceabrute-attackisnotfeasible?A:No!Wehavetoprotectagainstallpossible

Chapter1ofUnderstandingCryptographybyChristofPaarandJan 2.Attack:Letter ysis LettershaveverydifferentfrequenciesintheEnglishMoreover:thefrequency intextlettersis intheForinstance,“e“isthemostcommonletterinEnglish;almost13%ofalllettersinatypicalEnglishtextare“e“.Thenextmostcommononeis“t“withaboutLetterLetterfrequenciesinEnglish..

Chapter1ofUnderstandingCryptographybyChristofPaarandJan BreakingtheSubstitutionCipherwithLetterFrequencyLet‘sreturntoourexampleandidentifythemostfrequentiqifccvqqrfbrdqvfllcqnardqcfjwhwzhrbnnbhcchwwhbsqvqbrehwqvhlqWe cetheciphertextletterqbyEandiEifccvEErfbrdEvfllcEnardEcfjwhwzhrbnnbhcchwwhbsEvEbrehwEvhlEByfurtherguessingbasedonthefr