2IS80 Fundamentals of Informatics Quartile 2, 20152016 Lecture 11: Information, Cryptography Lecturer: Tom Verhoeff Theme 3: Information Road Map for Information Theme Problem: Communication and storage of information Sender Channel Receiver

Storer Memory Retrieve r Lecture 9: Compression for efficient communication Lecture 10: Protection against noise for reliable communication Lecture 11: Protection against adversary for secure communication Shannons Coding Theorems Source Coding Theorem (Shannon, 1948): There is a precise limit on compression: the source entropy Sender

Encoder Channel Decoder Receiver Channel Coding Theorem (Shannon, 1948): There is a precise limit on efficiency loss on a noisy channel to achieve (almost 100%) reliability: the effective channel capacity Sender Encoder Channel Decoder Receiver

Noise Secure Communication Situation and approach Terminology: Sender Alice; Receiver Bob; Enemy Eve (eavesdropper) Unencoded / decoded message plaintext Encoded message ciphertext Encode / decode encrypt / decrypt (or sign / verify) Alice Eve Enemy Bob

Sender Encoder Channel Decoder Receiver Plaintext Encrypt Sign Ciphertext

Decrypt Verify Plaintext Information Security Concerns 1. Confidentiality: enemy cannot obtain information from message E.g. also not partial information about content 2. Authenticity: enemy cannot pretend to be a legitimate sender E.g. send a message in name of someone else

3. Integrity: enemy cannot tamper with messages on channel E.g. replace (part of) message with other content unnoticed Enemy 1. 2. Channel Enemy Enemy 3. Channel Channel

Cant Compression Provide Confidentiality? What are the symbol statistics after good compression? In favor: Result looks random: P(0) P(1) , etc. Against: the compression algorithm will become known Against: Obscurity Security Kerckhoffs Principle (1883) Kerckhoffs: A cryptosystem should be secure, even if everything about the system, except the key, is public knowledge The security should be in the difficulty of getting the secret key Shannon: the enemy knows the system being used one ought to design systems under the assumption that the enemy will immediately gain full familiarity with them

No security through obscurity Criteria for Secure Encryption Knowing the encryption algorithm and the ciphertext, but without knowing the key, it should be more costly to recover any information about plaintext than the value of that information. It should not take significantly less effort than trying all keys Enemy can do no better than apply brute force The key space (set of all keys) should be sufficiently large One-Time Pad to Ensure Confidentiality Sender and receiver somehow agree on uniformly random key One key bit per plaintext bit One-time pad contains sheets with random numbers, used once Encode: add key bit to plaintext bit modulo 2 ciphertext bit

0 0 = 0; 1 0 = 1; 0 1 = 1; 1 1 = 0 0 = 0; 1 0 = 0; 1 0 = 1; 0 1 = 1; 1 1 = 0 0 = 1; 0 0 = 0; 1 0 = 1; 0 1 = 1; 1 1 = 0 1 = 1; 1 0 = 0; 1 0 = 1; 0 1 = 1; 1 1 = 0 1 = 0 Decode: add key bit to ciphertext bit modulo 2 (same as encode!) Enemy Sender Encoder Key Channel Decoder Key

Receiver Why One-Time Pad Decoding Works Encode: ciphertext = plaintext 0 = 0; 1 0 = 1; 0 1 = 1; 1 1 = 0 key Decode: ciphertext 0 = 0; 1 0 = 1; 0 1 = 1; 1 1 = 0 key = [ by definition of ciphertext ] (plaintext 0 = 0; 1 0 = 1; 0 1 = 1; 1 1 = 0 key) 0 = 0; 1 0 = 1; 0 1 = 1; 1 1 = 0 key = [ by associativity of 0 = 0; 1 0 = 1; 0 1 = 1; 1 1 = 0: order of 0 = 0; 1 0 = 1; 0 1 = 1; 1 1 = 0 evaluation is irrelevant ] plaintext 0 = 0; 1 0 = 1; 0 1 = 1; 1 1 = 0 (key 0 = 0; 1 0 = 1; 0 1 = 1; 1 1 = 0 key) = [ each bit is its own 0 = 0; 1 0 = 1; 0 1 = 1; 1 1 = 0-inverse: 0 0 = 0; 1 0 = 1; 0 1 = 1; 1 1 = 0 0 = 0; 1 0 = 0; 1 0 = 1; 0 1 = 1; 1 1 = 0 1 = 0 ] plaintext 0 = 0; 1 0 = 1; 0 1 = 1; 1 1 = 0 0 =

[ 0 is identity of 0 = 0; 1 0 = 1; 0 1 = 1; 1 1 = 0: 0 0 = 0; 1 0 = 1; 0 1 = 1; 1 1 = 0 0 = 0; 1 0 = 0; 1 0 = 1; 0 1 = 1; 1 1 = 0 0 = 1 ] plaintext One-Time Pad: Perfect Secrecy What can enemy do, when knowing just the ciphertext? Given ciphertext C, consider any plaintext P P could have been the original plaintext for C Take key = P 0 = 0; 1 0 = 1; 0 1 = 1; 1 1 = 0 C; then, encoding P with this key yields P 0 = 0; 1 0 = 1; 0 1 = 1; 1 1 = 0 key = [ choice of key ] P 0 = 0; 1 0 = 1; 0 1 = 1; 1 1 = 0 ( P 0 = 0; 1 0 = 1; 0 1 = 1; 1 1 = 0 C ) = [ 0 = 0; 1 0 = 1; 0 1 = 1; 1 1 = 0 is associative ] ( P 0 = 0; 1 0 = 1; 0 1 = 1; 1 1 = 0 P ) 0 = 0; 1 0 = 1; 0 1 = 1; 1 1 = 0 C = [ properties of 0 = 0; 1 0 = 1; 0 1 = 1; 1 1 = 0: a 0 = 0; 1 0 = 1; 0 1 = 1; 1 1 = 0 a = 0; a 0 = 0; 1 0 = 1; 0 1 = 1; 1 1 = 0 0 = a ]

C For each given ciphertext, all plaintexts are equally probable Enemy has no clue, provided key is random Even brute force trying of all keys will not work Application: Pin Hiding & Secret Sharing How to hide your decimal PIN code P (plaintext)? Choose random key k with same length Subtract digit-wise modulo 10 to obtain cipher C = P K K 2 4 6 8 (PIN P) 8 9 3 9 (random key K) 4 5 3 9 (ciphertext C) Store K and C in two different places Or: give them to two persons Or: send them along two separate channels

Each number by itself provides no information about PIN P Together they can reconstruct the PIN P = C 0 = 0; 1 0 = 1; 0 1 = 1; 1 1 = 0 K Given just one, when forced, you can make any PIN appear Trade-offs for One-Time Pad Very simple, efficient (once you have the key), and perfect Requires as many random symbols as length of plaintext Must use a fresh key for every message Randomness is costly to generate Doubles number of bits to communicate Parties need to agree on random key (one-time pad) securely Communicate it beforehand, or afterwards over secure channel Chickenegg problem Neither the key, nor the ciphertext by itself can reveal plaintext Perfect secrecy It is important that the enemy does not get both (and knows it)

Symmetric Cryptography: Shared Secret Key Block cipher: Chop plaintext into equal size blocks Encrypt each block separately, using the same secret key Key can be shorter than plaintext Encryption with secret key: Could add modulo 2, like the one-time pad This results in a substitution cipher Could involve more elaborate slicing and dicing Shannon: Confusion and diffusion; substitution and transposition There are various secure standards (e.g. AES) Given the ciphertext, limited number of plaintexts possible Enemy can try keys: security is proportional to number of keys Cipher Block Chaining: Motivation

E.g. message consists of sequence of 8-bit colors, block size 8 bit Plaintext Ciphertext, with blocks encrypted separately Ciphertext, with cipher block chaining Cipher Block Chaining: Each plaintext block is first added to previous ciphertext block Cipher Block Chaining: Implementation Trade-offs for Symmetric

Cryptography Improves confidentiality, but not authenticity or integrity Each pair of persons, who want to communicate securely as a pair, needs their own secret key N persons: N (N-1) / 2 pairs N2 keys Key needs to be agreed upon securely Key needs to be chosen randomly (no pattern) Key is shorter than one-time pad, and is reused on multiple blocks Danger: provides opportunity to break the code Relatively fast Security without Shared Keys: Challenge Alice and Bob each have their own padlock-key combination Lock A with key A Lock B with key B

They have a strong box that can be locked with padlocks How can Alice send a message securely to Bob? Without also sending keys around Security without Shared Keys: Solution Alice: Puts message in box Locks box with her lock A, keeping key A Sends box to Bob Bob: Cannot open lock A Adds his lock B, keeping key B; box is not locked twice Sends box back to Alice Alice: Cannot open lock B

Removes her lock A; box remains locked with lock B Sends box again to Bob Bob: Removes his lock B Takes message from box DiffieHellman Trick Visualized Alice Insecure Pay 1000 to #1234 channel Bob

A QWERTY A B QWERTY A A B QWERTY B Pay 1000 to #1234

B Security without Shared Key: Attempt Alice: Chooses long random key RA Adds her key to plaintext P (modulo 2): C1 = P 0 = 0; 1 0 = 1; 0 1 = 1; 1 1 = 0 RA Sends ciphertext C1 to Bob Bob: Chooses long random key RB Adds his key to C1: C2 = C1 0 = 0; 1 0 = 1; 0 1 = 1; 1 1 = 0 RB = P 0 = 0; 1 0 = 1; 0 1 = 1; 1 1 = 0 RA 0 = 0; 1 0 = 1; 0 1 = 1; 1 1 = 0 RB Sends ciphertext C2 back to Alice Alice: Adds her key to C2: C3 = C2 0 = 0; 1 0 = 1; 0 1 = 1; 1 1 = 0 RA = P 0 = 0; 1 0 = 1; 0 1 = 1; 1 1 = 0 RA 0 = 0; 1 0 = 1; 0 1 = 1; 1 1 = 0 RB 0 = 0; 1 0 = 1; 0 1 = 1; 1 1 = 0 RA = P 0 = 0; 1 0 = 1; 0 1 = 1; 1 1 = 0 RB Sends C3 again to Bob Bob:

Adds his key to C3: C3 0 = 0; 1 0 = 1; 0 1 = 1; 1 1 = 0 RB = P 0 = 0; 1 0 = 1; 0 1 = 1; 1 1 = 0 RB 0 = 0; 1 0 = 1; 0 1 = 1; 1 1 = 0 RB = P Weakness in Attempt Each ciphertext by itself provides perfect secrecy C1 = P 0 = 0; 1 0 = 1; 0 1 = 1; 1 1 = 0 RA; C2 = P 0 = 0; 1 0 = 1; 0 1 = 1; 1 1 = 0 RA 0 = 0; 1 0 = 1; 0 1 = 1; 1 1 = 0 RB; C3 = P 0 = 0; 1 0 = 1; 0 1 = 1; 1 1 = 0 RB However, if enemy obtains all three ciphertexts, then C1 0 = 0; 1 0 = 1; 0 1 = 1; 1 1 = 0 C2 0 = 0; 1 0 = 1; 0 1 = 1; 1 1 = 0 C3 = [ definition of C1, C2, C3 ] ( P 0 = 0; 1 0 = 1; 0 1 = 1; 1 1 = 0 RA ) 0 = 0; 1 0 = 1; 0 1 = 1; 1 1 = 0 ( P 0 = 0; 1 0 = 1; 0 1 = 1; 1 1 = 0 RA 0 = 0; 1 0 = 1; 0 1 = 1; 1 1 = 0 RB ) 0 = 0; 1 0 = 1; 0 1 = 1; 1 1 = 0 ( P 0 = 0; 1 0 = 1; 0 1 = 1; 1 1 = 0 RB ) = [ 0 = 0; 1 0 = 1; 0 1 = 1; 1 1 = 0 is associative: can regroup terms ] P 0 = 0; 1 0 = 1; 0 1 = 1; 1 1 = 0 RA 0 = 0; 1 0 = 1; 0 1 = 1; 1 1 = 0 P 0 = 0; 1 0 = 1; 0 1 = 1; 1 1 = 0 RA 0 = 0; 1 0 = 1; 0 1 = 1; 1 1 = 0 RB 0 = 0; 1 0 = 1; 0 1 = 1; 1 1 = 0 P 0 = 0; 1 0 = 1; 0 1 = 1; 1 1 = 0 RB

= [ 0 = 0; 1 0 = 1; 0 1 = 1; 1 1 = 0 is commutative: can reorder terms ] P 0 = 0; 1 0 = 1; 0 1 = 1; 1 1 = 0 P 0 = 0; 1 0 = 1; 0 1 = 1; 1 1 = 0 P 0 = 0; 1 0 = 1; 0 1 = 1; 1 1 = 0 RA 0 = 0; 1 0 = 1; 0 1 = 1; 1 1 = 0 RA 0 = 0; 1 0 = 1; 0 1 = 1; 1 1 = 0 RB 0 = 0; 1 0 = 1; 0 1 = 1; 1 1 = 0 RB = [ each bit is its own 0 = 0; 1 0 = 1; 0 1 = 1; 1 1 = 0-inverse: a 0 = 0; 1 0 = 1; 0 1 = 1; 1 1 = 0 a = 0 ] P 0 = 0; 1 0 = 1; 0 1 = 1; 1 1 = 0 0 0 = 0; 1 0 = 1; 0 1 = 1; 1 1 = 0 0 0 = 0; 1 0 = 1; 0 1 = 1; 1 1 = 0 0 [ 0 is identity of 0 = 0; 1 0 = 1; 0 1 = 1; 1 1 = 0: a 0 = 0; 1 0 = 1; 0 1 = 1; 1 1 = 0 0 = a ] P = Asymmetric Cryptography Each party has a key pair:

private key Kprivate (kept secret; only known by one party) public key Kpublic (made publicly available to everyone) Given the public key, it is hard to find corresponding private key Encryption function E(key, text) Decryption function D(key, text) ciphertext = E(Kpublic, plaintext) plaintext = D(K plaintext = D(Kprivate, ciphertext) Given the ciphertext and public key, it is hard to find plaintext Given the ciphertext and private key, it is easy to find plaintext Sender encrypts plaintext with public key of receiver Receiver decrypts cipthertext with own private key Practical Public-key Crypto: RSA Generate key pair: Generate two random large primes P and Q Compute product N = P * Q Take e coprime (no common divisor) to R = (P 1) * (Q 1)

And d with e * d = 1 (mod R) Publish N and e as public key; keep P, Q, d private Encrypt plaintext m as me (mod N) Decrypt ciphertext c as cd (mod N) Security depends on mathematical assumptions For key pair generation: integer factorization is considered hard For encryption: discrete root extraction is considered hard Other Uses of Asymmetric Cryptography Digital signature helps ensure Authenticity: did the claimed sender really send this message? Integrity: is the received message really the message sent? Sign message (create detached signature) : Sender decrypts message with own private key Only this sender can sign this way Verify (detached signature for given message m):

Receiver encrypts signature with senders public key Encryption result should equal m If verification fails, then Either the signature was not valid, or the message was modified Everyone (with public key) can verify signature Man-in-the-Middle Attack Alice wants to send confidential message to Bob 1. 2. 3. 4. 5. 6. Alice requests Bobs public key

Eve intercepts Bobs public key, and returns her own public key Alice encrypts message with this (Eves) public key Eve intercepts ciphertext, decrypts it, and reads / modifies it Eve then re-encrypts message with Bobs real public key Bob receives ciphertext, and decrypts it Alice and Bob cannot detect this breach of security If Alice signs the plaintext, then Eve can read but not modify message If Alice signs the ciphertext, then Bob will detect re-encryption Man-in-the-Middle Attack Visualized Pay 1000 for service S to #1234 Pay 1000 for service S

to #5678 A QWERTY E A ASDFGH E B ASDFGH E QWERTY A B

E E A QWERTY E ASDFGH B Pay 1000 for service S to #1234 E Pay 1000 for service S

to #5678 B Trade-offs for Asymmetric Cryptography Pairwise secure communication in group of N persons: N key pairs needed (cf. N2 keys for symmetric crypto) Key management: Why can you trust a public key? Public Key Infrastructure (PKI) Man-in-the-middle attack Complexity of inverting (breaking) the one-way functions Prime factorization of large numbers Discrete logarithms modulo large primes Relatively slow Longer keys needed than for symmetric crypto Hybrid Crypto System

Combine good elements of symmetric and asymmetric crypto To repair weaknesses Use (slower) public-key crypto to encrypt secret keys create signatures Use (faster) secret-key crypto to encrypt messages GPG: GNU Privacy Guard Hybrid crypto system Based on open Pretty Good Privacy (PGP) standard Available on Windows, Mac, Linux Integrates with other software tools (e.g. email clients) Supports key and trust management Web of trust: sign keys of others Summary of Crypto

Secure communication and storage of information Confidentiality (no reading by enemy): encrypt Authenticity (no tricking by enemy): sign Integrity (no tampering by enemy: sign Kerckhoffs Principle, Shannon's maxim Symmetric crypto: shared secret key Encrypt and decrypt with identical key One-time pad: perfect secrecy Cipher block chaining Asymmetric crypto: public key + private key One-way trapdoor functions Encrypt with receivers public key, and decrypt with private key Sign with senders private key, and verify with public key RSA, GPG Summary of Information Theme Efficient, reliable, and secure communication:

No computation in problem: information received unchanged Known limits on what can and cannot be achieved Heavy computations in solution: information is en/decoded Efficient: adapt to source characteristics (statistics) Reliable: adapt to channel characteristics (noise) Secure: adapt to enemy characteristics Confidentiality Authenticity Integrity Digital Communication Stack Sender Efficiency: Remove Redundancy

Security: Increase Complexity Reliability: Add Redundancy Source Sign & Channel Encoder

Encrypt Encoder Noise Channel Enemy Receiver Source Decrypt Channel Decoder

& Verify Decoder Applications Digital audio (CD) Digital telecommunication (GSM) Digital video (DVD) Digital television broadcasting Internet Webshops Internet banking Electronic voting Anonymous digital money Bitcoins

Secure Computation: Example How can third party determine average age of a group, without discovering more about the ages than the average? Announcements Deadline for Assignment 3: Fri 18 Dec 2015, 23:59 Khan Academy: Gambling with Secrets (Cryptography) Especially 4, 8, optionally 7 Crypto part (Lecture 11) involves GPG: www.gnupg.org Windows, Mac, Linux versions available GPG Quick Start Next theme: Limits on Computability