Cryptology For Engineers

ALDEC Webinar

Created and Presented by Jerry Kaczynski, ALDEC Research Engineer

Rev. 1.6a

www.aldec.com

Agenda • Basic Terms

• Ciphers

• Hybrid Cryptosystem

• Authentication

• Cryptanalysis

2

www.aldec.com

BASIC TERMS

Simple Explanations

3

www.aldec.com

Cryptology • Cryptology combines Greek terms κρυπτός (kryptos = secret)

and λόγος (logos = study) to describe science or study of hiding, securely transferring and recovering information.

• Cryptology can be divided into two closely related disciplines: Cryptography – dealing with securing information,

Cryptanalysis – trying to break security.

• Cryptology finds many practical implementations in banking,

electronic commerce,

telecommunication,

military and

IP (Intellectual Property) protection.

4

www.aldec.com

Plaintext 5

To be, or not to be- that is the question: Whether 'tis nobler in the mind to suffer The slings and arrows of outrageous fortune Or to take arms against a sea of troubles, And by opposing end them. To die- to sleep- No more; and by a sleep to say we end The heartache, and the thousand natural shocks That flesh is heir to. 'Tis a consummation Devoutly to be wish'd. To die- to sleep. To sleep- perchance to dream: ay, there's the rub! For in that sleep of death what dreams may come When we have shuffled off this mortal coil, Must give us pause. There's the respect That makes calamity of so long life. For who would bear the whips and scorns of time, Th' oppressor's wrong, the proud man's contumely, The pangs of despis'd love, the law's delay, The insolence of office, and the spurns That patient merit of th' unworthy takes, . . .

• Plaintext is the document/message everybody can read and understand.

• We are using document icon to represent plaintext in diagrams.

≡

Hamlet 3/1

www.aldec.com

Cipher & Key

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

6

+3 +3

• Cipher is an algorithm that converts plaintext into something that cannot be read by uninitiated persons and later allows retrieval of the plaintext.

• Key is a value that personalizes cipher by modifying its algorithm.

• Caesar’s cipher (one of the oldest known ciphers) shifts each letter in plaintext alphabet by given number of positions.

• The key in Caesar’s cipher is the number of shifted positions (+3 in our diagram).

= +3

www.aldec.com

Cipher Strength • The stronger the cipher, the more difficult it is

to break it for some attacker.

• Strength of the cipher is measured by complexity of the algorithm and size of the key.

• The more complex the cipher algorithm, the more difficult it is to devise quick method of reversing it. (Caesar’s cipher is so simple that anybody can break it now.)

• The longer the key, the more difficult it is to guess it by trial and error approach, a.k.a. brute force attack. (Caesar’s key is 5-bit number – 1 of 26 possible in our example – so guessing it without computer takes no more than an hour.)

7

www.aldec.com

Ciphertext 8

Wr eh, ru qrw wr eh- wkdw lv wkh txhvwlrq: Zkhwkhu 'wlv qreohu lq wkh plqg wr vxiihu Wkh volqjv dqg duurzv ri rxwudjhrxv iruwxqh Ru wr wdnh dupv djdlqvw d vhd ri wurxeohv, Dqg eb rssrvlqj hqg wkhp. Wr glh- wr vohhs- Qr pruh; dqg eb d vohhs wr vdb zh hqg Wkh khduwdfkh, dqg wkh wkrxvdqg qdwxudo vkrfnv Wkdw iohvk lv khlu wr. 'Wlv d frqvxppdwlrq Ghyrxwob wr eh zlvk'g. Wr glh- wr vohhs. Wr vohhs- shufkdqfh wr guhdp: db, wkhuh'v wkh uxe! Iru lq wkdw vohhs ri ghdwk zkdw guhdpv pdb frph Zkhq zh kdyh vkxiiohg rii wklv pruwdo frlo, Pxvw jlyh xv sdxvh. Wkhuh'v wkh uhvshfw Wkdw pdnhv fdodplwb ri vr orqj olih. Iru zkr zrxog ehdu wkh zklsv dqg vfruqv ri wlph, Wk' rssuhvvru'v zurqj, wkh surxg pdq'v frqwxphob, Wkh sdqjv ri ghvslv'g oryh, wkh odz'v ghodb, Wkh lqvrohqfh ri riilfh, dqg wkh vsxuqv Wkdw sdwlhqw phulw ri wk' xqzruwkb wdnhv, . . .

• Ciphertext is the document/message encrypted using some cipher and readable only to those who have the key.

• We are using document with key icon to represent ciphertext in diagrams.

≡

Hamlet 3/1 with Caesar’s cipher & +3 key

www.aldec.com

Encryption • Encryption is the process of applying selected cipher and key to

the plaintext in order to obtain ciphertext (encrypted message).

9

Encryption

www.aldec.com

Decryption • Decryption is the process of applying known key and cipher

(in reverse) to the ciphertext in order to recover plaintext (original message).

10

Decryption

www.aldec.com

Distance

Cryptosystem • Cryptosystem is a complete system encompassing all people,

procedures, tools, ciphers, keys, and transmission channels involved in a secure data transfer.

11

Data transfer Encryption Decryption

Alice Bob

www.aldec.com

CIPHERS

How Encryption is Done

12

www.aldec.com

Substitution Ciphers • In this group of ciphers, each unit in the plaintext

(letter, symbol or group of symbols) is replaced with some other unit.

• The simplest example of substitution cipher is Caesar’s cipher we have seen in Basic Terms section.

• Substitution ciphers can be easily broken, as described in “The Gold-Bug” by Edgar Allan Poe or “The Adventure of the Dancing Men” Sherlock Holmes story by Sir Arthur Conan Doyle.

• Substitution ciphers are no longer used alone, but can be a part of larger (and safer) encryption schemes.

13

www.aldec.com

Transposition Ciphers • Transposition ciphers change position of symbols within the

message according to the predefined scheme.

• Rail Fence Cipher – a simple transposition cipher – requires the message to be written in a wave pattern and then read in regular rows:

14

P D O E A I O T V L N I C V R D T R T M M V D O I E M A S E S T E E F P

PDOEAIOTV LNICVRDTRTMMVDOIEM ASESTEEFP

• Transposition ciphers are too simple to be secure, but are still used as a part of better encryption schemes.

www.aldec.com

Symmetric Ciphers • All ciphers we have mentioned so far (and all ciphers in use until

late 20th century) have one thing in common: a secret key – number or phrase – that must be known to both sender and recipient of the message.

• Since both parties have to keep the key secret, those ciphers are known as symmetric ciphers or secret key ciphers.

15

Alice Bob We use single frame around the key

to signify that it must be secret

www.aldec.com

Block Ciphers • One class of modern symmetric ciphers performs encryption

on fixed-length chunks of data: we call them block ciphers.

• Originally 64 bit (8 characters) block size was used, now 128 bit (16 characters) blocks are more popular.

• Plaintext is divided into the block-size chunks before encryption; last chunk is padded to full block size if needed.

• Each chunk is encrypted the same way (with the same key) by identical encryption units.

• Internal operations of encryption unit consist of several rounds of substitutions, transpositions and logical operations.

• Each round gets its own key derived from the secret key using key schedule algorithm.

• Outputs of encryption units are merged into ciphertext.

16

www.aldec.com

Popular Block Ciphers • DES (Data Encryption Standard) was announced in 1976 as a national

standard in the USA and quickly gained worldwide popularity.

DES uses 64 bit block and 56 bit keys.

DES was broken in 22 hours in 1999, so it is no longer considered secure in critical applications.

• AES (Advanced Encryption Standard), a DES successor, was announced in 2001 as a winner of 5 year long contest.

AES implements 128 bit block length.

Uses 3 strengths of keys: 128 bit, 192 bit and 256 bit.

All versions of AES are safe now, although 128 bit version may be broken in the nearest future.

• Other block ciphers worth mentioning: 3DES, IDEA, Blowfish.

17

www.aldec.com

ECB – Trivial Block Cipher Mode • The simplest mode of operation for block ciphers requires only the

plaintext (divided into blocks and padded) and a secret key:

18

Plaintext

Padding

DES Encryption

DES Encryption

DES Encryption

Ciphertext

• This mode of operation is called ECB (Electronic CodeBook); it looks OK, but has one serious problem…

www.aldec.com

Pattern Preservation in ECB • If we use DES-ECB to encrypt 64x64 pixel bitmap with 256 colors:

• We will notice that ECB preserves patterns:

• This property of ECB makes it useless in serious applications. Other block cipher modes of operation were created to address this issue.

19

www.aldec.com

CBC – Practical Block Cipher Mode • Cipher-Block Chaining mode (CBC) XORs each block of plaintext with

the ciphertext block from the previous encryption unit. Since the first unit has no predecessor, Initialization Vector (IV) is used with the first block of plaintext.

20

DES Encryption

Plaintext_1

IV

X

Ciphertext_1

DES Encryption

Plaintext_2

X

Ciphertext_2

*IV should be random, but does not have to be secret.

. . .

. . .

. . .

www.aldec.com

CBC vs. ECB • CBC mode uses data from two neighboring units to avoid pattern

preservation.

• Let’s compare results of encrypting our “K” bitmap using ECB and CBC modes:

• CBC is the most popular (but not the only one) block cipher mode of operation in practical applications.

21

ECB

CBC

www.aldec.com

Stream Ciphers • Some applications require encryption performed very quickly on live

stream of data – audiovisual data transmission is a good example.

• Block ciphers are not the most efficient in those applications, so stream ciphers may be used instead.

• Stream cipher combines (XORs) plaintext data stream with pseudorandom data stream (keystream) to produce ciphertext data stream.

22

X

Plaintext stream

Keystream

Ciphertext stream

• Most popular stream cipher is RC4 (designed in 1987). New generation includes ciphers such as Salsa20 and Rabbit.

• Some modes of operation (CFB, OFB, CTR) can turn block cipher into a stream cipher.

www.aldec.com

Advantages of Symmetric Ciphers • Modern symmetric ciphers (block and stream)

are frequently used due to several advantages:

Security (if you are using latest/updated versions).

Fast operation.

Easy implementation in software (e.g. OpenSSL library).

Efficient implementation in hardware (some may be patented, though).

• There is one serious disadvantage of symmetric ciphers:

Managing secret keys. (Getting secret keys to all involved parties and keeping them secure from unauthorized access is a critical part of symmetric cipher cryptosystem.)

23

www.aldec.com

Asymmetric Ciphers • New idea appeared in the 20th century: an asymmetric cipher with a

public key (available to anybody) that allows message encryption, but not decryption.

• To decrypt a message, matching private key is needed; it is used only by the message recipient.

24

We use double frame around private key and no frame around public key

Public Key

Private Key

Bob Alice

www.aldec.com

RSA Cipher • RSA* is the most popular asymmetric cipher based on the following

principles: Finding two large, random prime numbers p and q and computing n=pq is easy.

Factorizing n is extremely expensive operation, so even if you reveal n, recovering p and q is not feasible.

Selecting two more numbers d and e (related to p and q) lets you create simple function for message encryption: me mod n and ciphertext decryption: cd mod n.

Public key contains modulus n and public exponent e.

Private key contains modulus n and private exponent d.

• RSA was developed independently in the 1973-76 period by the UK intelligence agency and MIT* teams.

• RSA with keys shorter than 1024 bits is no longer considered secure; 2048 bit keys are recommended for long-term applications.

25

*RSA stands for Rivest, Shamir and Adleman – its MIT inventors.

www.aldec.com

Sample RSA Cryptosystem • In typical RSA cryptosystem sender grabs up-to-date public key of the

recipient, encrypts and sends the message. Recipient uses private key to decrypt the message.

26

Alice Bob

Public Key Private Key

Padded Plaintext

RSA Encryption

Encrypted Plaintext

Data transfer

Encrypted Plaintext

RSA Decryption

Decrypted Plaintext

www.aldec.com

Advantages of Asymmetric Ciphers • The main advantages of asymmetric ciphers include:

Easy key distribution.

High security.

Versatility.

• The key disadvantage of asymmetric ciphers is:

Complex/slow operation.

In practical applications, only sending messages shorter than key length makes sense.

Proper padding of the message is required to maintain high security.

27

www.aldec.com

Benefits of Encoding • Sometimes encrypted information must be transferred via channels

prepared for text data (e.g. e-mail, IP embedded in source code).

• All modern ciphers produce pure binary output, which can fool text tools into things like jumping to new page, ending transmission.

• The method of solving this problem is called encoding: for each 3 bytes of un-encoded message, 4 printable characters are generated.

• Character set in the encoding output is selected so that it looks the same no matter which text tools open it.

• Once popular UUencoding was now replaced with Base64 encoding.

28

Encoding can be very useful!

66 EF 21 AC 78 C0 65 97 FD 65 3F 66 C6 A4 A8 82 76 43 03 97 AA 0C C4 63 3F FA EB BE 7F 0E BF 54

Zu8hrHjAZZf9ZT9mxqSognZDA5eqDMRjP/rrvn8Ov1Q=

Plaintext

AES ciphertext (hex)

Base64 encoded ciphertext

www.aldec.com

HYBRID CRYPTOSYSTEMS

How to Have Cookie and Eat It, Too…

29

www.aldec.com

Bright Idea • We have noted in the Ciphers section that the greatest

problem with symmetric ciphers is key exchange and security.

• Asymmetric ciphers do not have this problem, but are too slow to process large amounts of data.

• What would happen if: Alice encrypts big message using symmetric cipher

with random secret key.

Alice encrypts secret key using asymmetric cipher and Bob’s public key.

Alice sends encrypted data and encrypted key to Bob

Bob decrypts secret key using his private key.

Bob decrypts message using recovered secret key and discards the key.

• We would get very practical hybrid cryptosystem!

30

www.aldec.com

Hybrid Cryptosystem Diagram 31

Alice Bob

Public Key

Secret Key

Plaintext

Symmetric Encryption

Ciphertext

Asymmetric Encryption

Encrypted Key

Ciphertext

Encrypted Key

Private Key

Asymmetric Decryption

Secret Key

Symmetric Decryption

Decrypted Plaintext

www.aldec.com

Why Hybrid Cryptosystems Work? • Hybrid cryptosystems try to have the best of both worlds:

Speed and security of established symmetric ciphers.

Easy key handling and security of asymmetric ciphers.

• Very secure symmetric keys are typically 256 bit long, so encrypting them using slow asymmetric cipher does not waste too much time.

• Since the symmetric secret key (session key) is sent with the message, it can be selected randomly and discarded after decryption.

• Reuse of session keys is a serious offence against hybrid cryptosystem security!

32

www.aldec.com

Advanced Hybrid Cryptosystems • Our main Hybrid Cryptosystem Diagram shows

ciphertext packaged with just one encrypted key.

• We can encrypt session key more times, using different public key each time.

• As long as ‘suitcase’ with encrypted key is clearly marked, private key owner will be able to identify the one meant for him/her.

• Same message can be encrypted for multiple recipients if we use this methodology.

• This cryptosystem is used for standard-compliant distribution of HDL IP.

33

www.aldec.com

AUTHENTICATION

Do You Know Who Are You Talking To?

34

www.aldec.com

Verifying Identities • Imagine this situation: Chuck pretends to be Bob and sends Alice a

message stating that he has to change his public key. If Alice believes him, she will be sending to Chuck secret messages that were meant to reach Bob…

• If attackers can convince you that they are somebody you know and trust, they may get access to your secrets without breaking the encryption algorithm or guessing the key.

• That’s why authentication – the process of verifying identity of the source of information gets so important.

35

www.aldec.com

Digital Signatures – Basics • Digital signatures are the reliable way of authenticating sender of the

encrypted message. They utilize one cryptographic technique we already discussed – asymmetric ciphers, and one we have to introduce – message digests created using hash functions.

• If you look at the RSA cipher description, you will notice that encryption and decryption are almost identical – only exponents are different. It means that you can use decryption exponent for encryption purposes and vice versa!

• Signing entire message using inverted asymmetric cipher is impractical, that’s why long message is converted into short, fixed-length, unique digest before signing.

36

011001

www.aldec.com

Signing Flow • Alice encrypts message using Bob’s public key.

• Alice computes digest of the message.

• Alice signs digest using her own private key.

• Alice sends encrypted message and signed digest to Bob.

• Bob decrypts message using his own private key.

• Bob computes digest of the message.

• Bob decrypts received digest using Alice’s public key.

• Bob compares computed and received digests. If both are the same, it means that sender knows Alice’s private key the sender must be Alice.

37

B

A D SD

SD

D

B

D

A SD D

D D = ?

www.aldec.com

Popular Algorithms • Cryptographic hash functions should be irreversible (you

cannot retrieve message from its digest) and resistant to collisions (finding two different messages with the same digest).

• Historic MD5 hash function with 128-bit digest was broken in 2008 and newer SHA-1 with 160-bit digest is considered vulnerable.

• Newer hash functions: SHA-2 (256 and 512-bit digest) and Whirlpool (512-bit digest) are considered secure.

• There are signature schemes based on RSA cipher, e.g. RSA-PSS.

• Very popular signing algorithm is called DSA (Digital Signature Algorithm).

38

www.aldec.com

CRYPTANALYSIS

The Enemy Knows The System

39

www.aldec.com

Security Through Obscurity? • For long time it was assumed that all elements

of the cryptosystem should be kept secret to increase security.

• It was discovered in the late 19th century that in a well-designed cryptosystem only keys must be secret – revealing ciphers used should not compromise security. Claude Shannon described it briefly: The enemy knows the system.

• Obscurity may discourage some attackers, but if they succeed anyway, legitimate users of the cryptosystem will not realize that they have a problem…

• Popular ciphers are constantly scrutinized by the community, so their users know immediately when problems are discovered.

40

www.aldec.com

Beginnings of Cryptanalysis • Cryptanalysis was always driving the development of better ciphers.

• Frequency analysis was invented in the 9th century: it checks frequency of letter occurrences in real language and compares it with the frequency of symbols occurrences in the ciphertext.

• Letter frequency diagram of the English language is shown here (with six most frequent letters highlighted).

• If six most frequent letters in a ciphertext are g, v, c, q, k, p - we can suspect that it is using Caesar’s cipher with shift +2.

• Frequencies of letter groups and words can also be utilized in frequency analysis.

41

www.aldec.com

20th Century Cryptanalysis • The most spectacular success of cryptanalysis

in the 20th century was braking the cryptosystem of German ENIGMA shortly before the 2nd World War. Since the machine was resistant to frequency analysis, advanced math apparatus and other methods were used instead.

• Differential cryptanalysis tests how differences in a plaintext manifest in the ciphertext generated from it – in order to break encryption.

• Linear cryptanalysis finds affine approximation to the operation of the cipher.

• Both differential and linear cryptanalysis were used successfully to break modern block and stream ciphers.

42

www.aldec.com

Fighting Cryptanalysis • Using the most recent ciphers and other elements of

the cryptosystem is the key to secure information transfer.

• Maintaining high level of randomness is important: if somebody always starts his messages with “Dear Friend, …”, does not change cipher key and uses fixed Initialization Vector, even the best cipher will not help!

• IVs should always be randomly generated before each symmetric encryption session. The same rule applies to secret keys in hybrid cryptosystems.

• Proper message padding is critical for securing asymmetric cryptosystems.

• Always remember about side attacks – attempts to compromise the implementation of the cipher, not the cipher itself.

43

www.aldec.com

Summary • This webinar should give everybody solid background

required for any practical application of cryptology.

• Although information presented here is not embargoed anywhere, access to actual algorithms and their implementations may be prohibited in some areas due to political and/or copyright reasons. Always proceed with caution with your cryptology applications!

• We did not have time to discuss some additional cryptology-related topics such as key management, certificates, etc. They will receive adequate treatment in our next webinar.

• Check back with ALDEC for the next webinar “Secure IP Delivery -

Practical Introduction for HDL Users”.

44

www.aldec.com

Conclusion • Feel free to contact ALDEC if you need more info about EDA-related topics and our design

creation and verification tools.

45

Standards and Other Cryptology Documents: DES official description: http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdf AES official description: http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf RSA standard page: http://www.rsa.com/rsalabs/node.asp?id=2125 DSA official description: http://csrc.nist.gov/publications/fips/fips186-3/fips_186-3.pdf Public keys and signing: http://csrc.nist.gov/publications/nistpubs/800-78-3/sp800-78-3.pdf NOTES: Wikipedia is a surprisingly reliable source of additional data about cryptology.

Visit cryptool.org if you want to experiment with cryptology safely.

ALDEC Website: http://www.aldec.com Telephone E-mail USA +1-702-990-4400 sales@aldec.com Canada: +1-613-867-8600 sales@aldec.com Europe: +33-6-80-32-60-56 sales-eu@aldec.com Japan: +81-3-5312-1791 sales-jp@aldec.com India: +91-80-32551030 sales-sa@aldec.com China: +86-21-6875-20-30 info@aldec.com.cn Taiwan: +886-2-26599119 ext. 950 sales-tw@aldec.com Israel: +972-52-2573422 sales-il@aldec.com