CRYPTOLOGY WITHCRYPTOOL

1.4.30Beta03

IntroductiontoCryptographyundCryptanalysis

Scope,TechnologyandFutureofCrypTool
www.cryptool.com www.cryptool.de www.cryptool.es www.cryptool.org www.cryptool.pl Prof.BernhardEsslingerandCrypToolTeam,Feb.2009

CrypTool1.4.30

Page1

Content (I)
I. CrypToolandCryptology Overview
1. 2. 3. 4. Definitionandrelevanceofcryptology TheCrypToolproject Examplesofclassicalencryptionmethods Insightsfromcryptographydevelopment

II. CrypToolFeatures
1. Overview 2. Interactionexamples 3. Challengesfordevelopers

III. Examples
1. 2. 3. 4. 5. 6. 7. 8. 9. EncryptionwithRSA/Primenumbertest/Hybridencryptionanddigitalcertificates /SSL Digitalsignaturevisualised AttackonRSAencryption(modul Ntooshort) AnalysisofencryptioninPSION5 WeakDESkeys Locatingkeymaterial(NSAKey) Attackondigitalsignaturethroughhashcollisionsearch Authenticationinaclientserverenvironment Demonstrationofasidechannelattack(onhybridencryptionprotocol) ()
Page2

CrypTool1.4.30

Content (II)
III. Examples
10. RSAattackusinglatticereduction 11. Randomanalysiswith3Dvisualisation 12. SecretSharingusingtheChineseRemainderTheorem(CRT)andShamir 13. ImplementationofCRTinastronomy(solvinglinearmodularequationsystems) 14. Visualisation ofsymmetricencryptionmethodsusingANIMAL 15. VisualisationofAES 16. VisualisationofEnigmaencryption 17. Generationofamessageauthenticationcode(MAC) 18. Hashdemonstration 19. Learningtoolfornumbertheoryandasymmetricencryption 20. Pointadditiononellipticcurves 21. Passwordqualitymete(PQM)andpasswordentropy 22. Bruteforceanalysis 23. CrypToolonlinehelp

IV. Project/Outlook/Contact

CrypTool1.4.30

Page3

Content
I. CrypToolandCryptology Overview II. CrypToolFeatures III. Examples IV. Project/Outlook/Contact

CrypTool1.4.30

Page4

DefinitionCryptologyandCryptography
Cryptology (fromtheGreekkrypts,"hidden,"andlgos,"word")isthescienceof
secure(generallysecret)communications.Thissecurityobtainsfromlegitimateusers, thetransmitterandthereceiver,beingabletotransforminformationintoacipherby virtueofakey i.e.,apieceofinformationknownonlytothem.Althoughthecipher isinscrutableandoftenunforgeable toanyonewithoutthissecretkey,theauthorized receivercaneitherdecrypttheciphertorecoverthehiddeninformationorverifythat itwassentinalllikelihoodbysomeonepossessingthekey.

Cryptography wasconcernedinitiallywithprovidingsecrecyforwrittenmessages.
Itsprinciplesapplyequallywell,however,tosecuringdataflowbetweencomputers ortoencryptingtelevisionsignals....Todaythemodern(mathematical)scienceof cryptologycontainsnotonlymechanismsforencryptionbutalsoforintegrity, electronicsignatures,randomnumbers,securekeyexchange,securecontainers, electronicvotingandelectronicmoney,andhasachievedtorenderabroadrangeof applicationsinmodernlife.
Source:Britannica(www.britannica.com) AsimilardefinitioncanbefoundonWikipedia:http://en.wikipedia.org/wiki/Cryptology
CrypTool1.4.30 Page5

RelevanceofCryptography
ExamplesforCryptographyUsage
Phonecards,cellphones,remotecontrols Cashmachines,moneytransferbetweenbanks Electroniccash,onlinebanking,secureeMail SatelliteTV,PayTV Immobilisersystemsincars DigitalRightsManagement(DRM)

Cryptographyisnolongerlimitedtoagents,diplomatsorthemilitary. Cryptographyisamodern,mathematicallycharacterised science. BreakthroughforcryptographystartedwiththebroaduseoftheInternet Forcompaniesandgovernmentsitisimportantthatsystemsaresecureand users(clients,employees)haveacertain understandingandawarenessforITsecurity!

CrypTool1.4.30 Page6

Cryptography Objectives
Confidentiality
Informationcanpracticallynotbemadeavailableordisclosedto unauthorizedindividuals,entitiesorprocesses.

Authentication
Authenticationensuresthatusersareidentifiedandthoseidentitiesare appropriatelyverified.

Integrity
Integrityensuresthatdatahasnotbeenalteredordestroyedin an unauthorizedmanner.

NonRepudiation
Theprinciplethat,afterwards,itcanbeproventhattheparticipantsofa transactiondidreallyauthorizethetransactionandthattheyhaveno meanstodenytheirparticipation.
CrypTool1.4.30 Page7

The CrypToolProject
Origininawarenessprogramofabank(infirmtraining) Awarenessforemployees Developedincooperationwithuniversities(improvingeducation) Mediadidacticapproachandstandardoriented
1998Projectstart effortmorethan17manyearssincethen 2000CrypToolavailableasfreeware 2002CrypToolonCitizenCDROMfromBSI (GermanInformationSecurityAgency) 2003CrypToolbecomesOpenSource HostingbyUniversityofDarmstadt (Prof.Eckert) 2007CrypToolavailableinGerman,English,PolishundSpanish 2008.NETversionandJavaversion HostedbyUniversityofDuisburg(Prof.Weis) andSourceForge

Awards
2004 2004 2004 2008 TeleTrusT (TTTFrderpreis) NRW (ITSecurityAwardNRW) RSAEurope (FinalistofEuropeanInformationSecurityAward2004) SelectedLandmark ininitiativeGermany LandofIdeas"

Developers
Developedbypeoplefromcompaniesanduniversitiesindifferent countries Additionalprojectmembersorusablesourcesarealwaysappreciated (currentlytherearearound40peopleworkingonCrypToolworldwide).
Page8

CrypTool1.4.30

ExamplesofEarlyCryptography(1)
Ancientencryptionmethods

Tattooonaslave'sheadconcealedbyregrownhair Atbash(around600B.C.)
Hebrewsecretlanguage,reversedalphabet

Scytale fromSparta(500B.C.)
DescribedbyGreekhistorian/authorPlutarch(45 125B.C.) Twocylinders(woodenrod)withidenticaldiameter Transposition(plaintextcharactersareresorted)
Encrypted text (ciphertext): CSED

Plaintext: Carl is the renegade

CrypTool1.4.30

Page9

ExamplesofEarlyCryptography(2)
SymmetricCaesarencryption

Caesarencryption(JuliusCaesar,100 44B.C.)
Simplesubstitutioncipher GALLIA
Plaintext:

EST

OMNIS

DIVISA ...

ABCDEFGHIJKLMNOPQRSTUVWXYZ
Secretalphabet:

DEFGHIJKLMNOPQRSTUVWXYZABC
JDOOLD HVW RPQLV GLYLVD ...

Attack:Frequencyanalysis(typicalcharacterallocation) PresentationwithCrypToolviathefollowingmenus: Animation: Indiv.Procedures \ Visualizationofalgorithms \ Caesar Implementation: Crypt/Decrypt \ Symmetric(classic) \ Caesar/Rot13

CrypTool1.4.30

Page10

ExamplesofEarlyCryptography(3)
SymmetricVigenreencryption

VigenreEncryption (Blaise deVigenre,15231596)

Encryptionwithakeywordusingakeytable Example: Keyword:CHIFFRE Encrypting: VIGENERE becomes XPOJSVVG Theplaintextcharacter(V)isreplacedbythecharacterin thecorrespondingrowandinthecolumnofthefirstkey wordcharacter(c).Thenextplaintextcharacter(I)is replacedbythecharacterinthecorrespondingrowandin thecolumnofthenextkeywordcharacter(h),andsoon. Ifallcharactersofthekeywordhavebeenused,thenthe nextkeywordcharacteristhefirstkeycharacter. Attack (viaKasiski test):Plaintextcombinationswithan identicalciphertextcombinationcanoccur.Thedistance ofthesepatternscanbeusedtodeterminethelengthof thekeyword.Anadditionalfrequencyanalysiscanthen beusedtodeterminethekey.

Keyword character

Plaintext character

Encrypted character Page11

CrypTool1.4.30

ExamplesofEarlyCryptography(4)
Othersymmetricencryptionmethods

HomophoneSubstitution Playfair (invented1854bySirCharlesWheatstone,18021875)

PublishedbyBaronLyonPlayfair Substitutionofonecharacterpair byanotheronebasedonasquarebased alphabetarray

Transferofbookpages
AdaptationoftheOneTimePad(OTP)

Turninggrille(Fleissner) Permutationencryption
DoubleDice (doublecolumntransposition) (Transposition/veryeffective)

CrypTool1.4.30

Page12

CryptographyinModernTimes
Cryptographydevelopmentsinthelast100yearstill1970

Classicmethods
arestillinusetoday. (since,noteverythingcanbedonebyacomputer) andtheirprincipalsoftranspositionandsubstitution areinputsforthedesignofmodernalgorithms: combinationofsimpleoperation(atypeofmultiple encryption,asocalledcascadesofciphers),onbit level,blockcipher,rounds.

Encryptionbecomes
moresophisticated, mechanisedorcomputerised and remainssymmetric.

CrypTool1.4.30

Page13

ExamplesoftheFirstHalfofthe20thCentury
Mechanicalencryptionmachines(rotormachines)

EnigmaEncryption(ArthurScherbius,18781929)
Morethan200000machineshavebeenusedinWW2 Therotatingcylindersetcauses,thateverycharacterofthe textbecomesencryptedwithanewpermutation. Brokenbymassiveeffortofcryptographyexperts(around 7000personsinUK)withdecryptionmachines,captured originalEnigmasandbyinterceptingdailystatusreports (e.g.weatherreports). Consequencesofthissuccessfulcryptoanalysis: Ingeneralthesuccessfulcryptoanalysisoftheengima encryptionhasbeenastrategicadvantage,thathasplayed asignificantroleinwinningthewar.Somehistorians assumethatthebreakoftheenigmacodehasshortened thewarbyseveralmonthsorevenayear.
(translatedfromhttp://de.wikipedia.org/wiki/Enigma_%28Machine%29 March6,2006)

CrypTool1.4.30

Page14

Cryptography ImportantInsights(1)
Kerckhoffsprinciple(1883)
Separationofalgorithm(method)andkey e.g.Caesarencryption: Algorithm: Shiftalphabetbyacertainnumberofpositionstotheleft Key: Thecertainnumberofpositions (Caesarforexample) Kerckhoffsprinciple: ThesecretlieswithinthekeyandnotwithinthealgorithmorNosecuritythroughobscurity

OneTimePad Shannon/Vernam
Demonstrablytheoreticallysecure,butnotusableinreality(onlyredphone)

Shannons concepts:ConfusionandDiffusion
RelationbetweenM,CandKhastobeascomplexaspossible(M=message,C=cipher,K=key) Everyciphertextcharactershoulddependonasmanyplaintextcharacters andasmanycharacterofencryptionkey Avalancheeffect(small modification,bigimpact)

Trapdoorfunction(onewayfunction)
Fastinonedirection,notintheoppositedirection(withoutsecretinformation) Havingthesecrettheoppositedirectionworks(accesstothetrapdoor)
CrypTool1.4.30 Page15

ExamplesforaBreachoftheKerckhoffsPrinciple
Secretlieswithinthekeyandnotwithinthealgorithm Cellphoneencryptionpenetrated (December1999) Israeliresearchersdiscovereddesignflawsthatallowthedescramblingof supposedlyprivateconversationscarriedbyhundredsofmillions ofwirelessphones. AlexBiryukov andAdi Shamir describeinapapertobepublishedthisweekhowaPC with128MBRAMandlargeharddrivescanpenetratethesecurity ofaphonecallor datatransmissioninlessthanonesecond.Theflawedalgorithmappearsindigital GSMphonesmadebycompaniessuchasMotorola,Ericsson,andSiemens,andused bywellover100millioncustomersinEuropeandtheUnitedStates. [] PreviouslytheGSMencryptionalgorithmshavecomeunderfireforbeingdeveloped insecretawayfrompublicscrutiny butmostexpertssayhighsecuritycanonly comefrompublishedcode.Moransaid"itwasn'ttheattitudeatthetimetopublish algorithms"whentheA5cipherswasdevelopedin1989,butcurrentonesbeing createdwillbepublishedforpeerreview. [http://wired.lycos.com/news/politics/0,1283,32900,00.html]

CrypTool1.4.30

Page16

SampleofaOneTimePadAdaptation

Clothes hanger of a Stasi agent with a secret one-time pad (taken from: Spiegel Spezial 1/1990) CrypTool1.4.30 Page17

KeyDistributionProblem
Keydistributionforsymmetricencryptionmethods

If2persons communicatewitheachotherusingsymmetricencryption,theyneed onecommonsecretkey. Ifnpersonscommunicatewitheachother,thentheyneedSn =n*(n1)/2 keys.

Numberofrequiredkeys Thatis: n=100 personsrequire S100 =4.950 keys;and n=1.000 personsrequire S1000 =499.500 keys.
factor10morepersonsmean factor100morekeys
Numberofkeys

Numberofpersons CrypTool1.4.30 Page18

Cryptography ImportantInsights(2)
Solvingthekeydistributionproblemthroughasymmetriccryptography

Asymmetriccryptography
Forcenturiesitwasbelievedthat:Senderandreceiverneedsamesecret. New:Everymemberneedsakeypair(Solutionofthekeydistributionproblem)

Asymmetricencryption
Everyonecanlockapadlockorcandropaletterinamailbox. MIT,1977:LeonardAdleman,RonRivest,Adi Shamir (wellknownasRSA) GCHQCheltenham,1973:JamesEllis,CliffordCocks(admittedinpublicDecember1997)

Keydistribution
Stanford,1976:WhitfieldDiffie,MartinHellman,RalphMerkle (DiffieHellmankeyexchange) GCHQCheltenham,1975:MalcolmWilliamson

Securityinopennetworks(suchastheinternet)wouldbe extremelyexpensiveandcomplexwithoutasymmetriccryptography!
CrypTool1.4.30 Page19

EncryptionandDecryption
Symmetricundasymmetricencryption

Message Space

M KE

C=E(M,KE)

D KD
KeySpaceDK

M=D(C,KD)

KeySpaceEK Sender secret

Receiver

a) SymmetricEncryption: b) AsymmetricEncryption:
public

KE =KD KE KD

(e.g.AES) (e.g.RSA)

private/secret

CrypTool1.4.30

Page20

Cryptography ImportantInsights(3)
Increasingrelevanceofmathematicsandinformationtechnology

Moderncryptographyisbasedonmathematics
StillnewsymmetricencryptionmethodssuchasAES(betterperformanceandshorter keylengthcomparedtotheasymmetricmethodspurelybasedonmathematical problems).

Thesecurityofencryptionmethodsheavilydependsonthecurrentstatusof mathematics andinformationtechnology(IT)

Computationcomplexity(meaningprocessingeffortinrelationto keylength,storage demandanddatacomplexity) seeRSA:Bernstein,TWIRLdevice,RSA160,RSA200 (CrypToolscript,chapter 4.11.3) Veryhighactivityincurrentresearch: Factorisation,nonparallelizablealgorithm(becauseofquantumcomputing),better understandingofprotocolweaknessesandrandomgenerators,...).

Seriousmistake:Realmathematicshasnoeffectsonthewar. (G.H.Hardy,1940) Vendorsdiscoversecurityasanessentialpurchasecriterion.

CrypTool1.4.30

Page21

DemonstrationinCrypTool

- Statistic Analysis - Encrypting twice is not always better:

Caesar: C + D = G (3 + 4 = 7) Vigenre: - CAT + DOG = FOZ [(2,0,19)+(3,14,6)=(5,14,25)] - "Hund" + "Katze" ="RUGCLENWGYXDATRNHNMH")

- Vernam (OTP) - AES (output key, brute-force analysis)

CrypTool1.4.30

Page22

Content
I. CrypToolandCryptology Overview II. CrypToolFeatures? III. Examples IV. Project/Outlook/Contact

CrypTool1.4.30

Page23

CrypToolFeatures
1.WhatisCrypTool?

eLearning

Freewareprogramwithgraphicaluserinterface Cryptographicmethodscanbeappliedandanalysed Comprehensiveonlinehelp(understandablewithoutdeepercryptographyknowledge) Containsnearlyallstateoftheartcryptographyfunctions Easyentryintomodernandclassicalcryptography Notahackertool

2.WhyCrypTool?
Origininawarenessinitiativeofafinancialinstitute Developedinclosecooperationwithuniversities Improvementofuniversityeducationandinfirmtraining

3.Targetgroup
Coregroup:Studentsofcomputerscience,businesscomputingandmathematics Butalsofor:computerusers,applicationdevelopers,employees Prerequisite:PCknowledge Preferable:Interestinmathematicsand/orprogramming
CrypTool1.4.30 Page24

ContentoftheProgramPackage
CrypToolprogram

Germa n Polish ,English, andS panish

Allfunctionsintegratedinasingleprogramwithconsistentgraphicalinterface RunsonWin32 CryptographylibrariesfromSecude andOpenSSL LongintegerarithmeticfromMiracl andGMP,LatticebasereductionviaNTL(Shoup)

AESTool
StandaloneprogramforAESencryption(andcreationofselfextractingfiles)

Educationalgame
NumberShark encouragestheunderstandingoffactorsandprimenumbers.

ComprehensiveOnlineHelp(HTMLHelp)
ContextsensitivehelpavailableviaF1forallprogramfunctions(includingmenus) Detailedusecasesforalotofprogramfunctions(tutorial)

Script(.pdf file)withbackgroundinformation
Encryptionmethods Primefactorisation Digitalsignature Ellipticcurves Publickeycertification Basicnumbertheory Crypto2020

TwoshortstoriesrelatedtocryptographybyDr.C.Elsner
TheDialogueoftheSisters (aRSAvariantaskeyelement) TheChineseLabyrinth (NumberstheorytasksforMarcoPolo)

Learningtoolfornumbertheory
CrypTool1.4.30 Page25

Features(1)
Cryptography
Classicalcryptography
Caesar(andROT13) Monoalphabeticsubstitution (andAtbash) Vigenre Hill Homophonesubstitution Playfair ADFGVX ByteAddition XOR Vernam Permutation/Transposition (RailFence,) Solitaire

Cryptanalysis
Attackonclassicalmethods
Ciphertextonly
Caesar Vigenre Addition XOR Substitution Playfair

Knownplaintext
Hill

Manually(supported)
Monoalphabeticalsubstitution Playfair,ADFGVX,Solitaire

Supportedanalysismethods
Entropy,floating frequency Histogram,ngramanalysis Autocorrelation Periodicity Randomanalysis Base64/UUEncode
Page26

Severaloptionstoeasilyunderstand thecryptographymethods
Selectablealphabet Options:handlingofblanks,etc.
CrypTool1.4.30

Features (2)
Cryptography
Modernsymmetricencryption
IDEA,RC2,RC4,RC6,DES,3DES,DESX AEScandidatesofthelastselection round(Serpent,Twofish,) AES(=Rijndael) DESL,DESXL

Cryptanalysis
Bruteforceattackonsymmetric algorithm
Forallalgorithms Assumptions:
Entropyofplaintextissmallorkeyis partlyknownorplaintextalphabetis known

Asymmetricencryption
RSAwithX.509certificates RSAdemonstration Understandingofexamples Alphabetandblocklength selectable

AttackonRSAencryption
FactorisationofRSAmodule Latticebasedattacks

Hybridencryption(RSA+AES)
Interactivedataflowdiagram

Attackonhybridencryption
AttackonRSAor AttackonAES(sidechannelattack)
Page27

CrypTool1.4.30

Features(3)
Cryptography
Digitalsignature RSAwithX.509certificates
Signatureasdataflowdiagram

Cryptanalysis
AttackonRSAsignature FactorisationoftheRSAmodule Feasibleupto250bitsor75 decimal places(onstandarddesktopPCs) Attackonhashfunctions/digitalsignature Generatehashcollisionsfor ASCIIbasedtext(birthdayparadox)(up to40bitinaround5min) Analysisofrandomdata FIPSPUB1401testbattery Periodicity,Vitany,entropy Floatingfrequency,histogram ngramanalysis,autocorrelation ZIPcompressiontest
Page28

DSAwithX.509certificates EllipticCurveDSA,NybergRueppel Hashfunctions MD2,MD4,MD5 SHA,SHA1,SHA2,RIPEMD160 Randomgenerators Secude x2 modn Linearcongruencegenerator(LCG) Inversecongruencegenerator(ICG)

CrypTool1.4.30

Features(4)
Animation/Demos
Caesar,Vigenre,Nihilist,DES(allwithANIMAL) Enigma(Flash) Rijdael/AES(Flash) Hybridencryptionanddecryption(AESRSAandAESECC) Generationandverificationofdigitalsignatures DiffieHellmankeyexchange Secretsharing(withCRTorShamir) Challengeresponsemethod(authentication) Sidechannelattack Graphical3Dpresentationof(random)datastreams Sensitivityofhashfunctionsregardingplaintextmodifications NumbertheoryandRSAcryptosystem

CrypTool1.4.30

Page29

Features(5)
Additionalfunctions
Homophoneandpermutationencryption(DoubleColumnTransposition) PKCS#12importandexportforPSEs (PersonalSecurityEnvironment) Generatehashesoflargefiles,withoutloadingthem Flexiblebruteforceattacksonanymodernsymmetricalgorithm ECCdemonstration(asJavaapplication) PasswordQualityMeter(PQM)andpasswordentropy Andalotmore

CrypTool1.4.30

Page30

LanguageStructureAnalysis
LanguageanalysisoptionsavailableinCrypTool

Numberofcharacters,ngram,entropy
SeemenuAnalysis \ ToolsforAnalysis \ ...

CrypTool1.4.30

Page31

DemonstrationofInteractivity(1)
Vigenreanalysis

Demonstration in CrypTool

TheresultoftheVigenreanalysiscanbemanuallyreworked(changingthe keylength): 1. EncryptstartingexamplewithTESTETE

Crypt/Decrypt \ Symmetric(classic) \ Vigenre EnterTESTETE Encrypt

Analysisoftheencryptionresults:
Analysis \ SymmetricEncryption(classic) \ Ciphertextonly \ Vigenre Derivedkeylength7,DerivedkeyTESTETE

2. EncryptstartingexamplewithTEST
Crypt/Decrypt \ Symmetric(classic) \ Vigenre EnterTEST Encrypt

Analysisoftheencryptionresults:
Analysis \ SymmetricEncryption(classic) \ Ciphertextonly \ Vigenre Derivedkeylength8 notcorrect Keylengthautomaticallysetto4(canalsobeadjustedmanually) DerivedkeyTEST
CrypTool1.4.30 Page32

DemonstrationofInteractivity(2)
Automatedfactorisation

Demonstration in CrypTool

Factorisationofacompoundnumberwithfactorisationalgorithms
Menu:Indiv.Procedures \ RSACryptosystem \ FactorisationofaNumber Somemethodsareexecutedinparallel(multithreaded) Methodshavespecificadvantagesanddisadvantages(e.g.somemethodscanonly determinesmallfactors)

Factorisationexample1:
316775895367314538931177095642205088158145887517 48-digit decimal number = 3*1129*6353*1159777*22383173213963*567102977853788110597

Factorisationexample2:
75-digit decimal number 2^250 1 = 3*11*31*251*601*1801*4051*229668251*269089806001 * 4710883168879506001*5519485418336288303251

CrypTool1.4.30

Page33

ConceptsforaUserFriendlyInterface
1. Contextsensitivehelp(F1)
F1onaselectedmenuentryshowsinformationaboutthealgorithm/method. F1inadialogboxexplainstheusageofthedialog. Theseassistancesandthecontentsofthesuperordinatemenusarecrosslinkedinthe onlinehelp.

2. Pasteofkeysinkeyinputdialog
CTRLVcanbeusedtopastecontentsfromtheclipboard. Usedkeyscanbetakenoutofciphertextwindowsviaaniconin theiconbar.A correspondingiconinthekeyinputdialogcanbeusedtopastethekeyintothekeyfield. ACrypToolinternalmemorywhichisavailableforeverymethodisused(helpfulforlarge specific keys e.g.homophoneencryption).

Iconbar

CrypTool1.4.30

Page34

ChallengesforDevelopers(Examples)
1. Manyfunctionsrunninginparallel
Factorisationrunswithmultithreadedalgorithms

2. Highperformance
Locatehashcollisions(birthdayparadox)orperformbruteforceanalysis

3. Considermemorylimits
Floydalgorithm(mappingstolocatehashcollisions)orfactorisationwithquadraticsieve

4. Timemeasurementandestimates
Displayofelapsedtimewhileusingbruteforce

5. Reusability/Integration
Formsforprimenumbergeneration RSAcryptosystem(switchestheviewaftersuccessfulattackfrom publickeyuserto privatekeyowner)

6. Partlyautomatetheconsistencyoffunctions,GUIandonlinehelp
(includingdifferentlanguages)

CrypTool1.4.30

Page35

Content
I. CrypToolandCryptology Overview II. CrypToolFeatures III. Examples IV. Project/Outlook/Contact

CrypTool1.4.30

Page36

CrypToolExamples
Overviewofexamples
1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. 13. 14. 15. 16. 17. 18. 19. 20. 21. 22. 23. EncryptionwithRSA/Primenumbertests/Hybridencryptionand digitalcertificates/SSL Digitalsignaturevisualised AttackonRSAencryption(modul Ntooshort) AnalysisofencryptioninPSION5 WeakDESkeys Locatingkeymaterial(NSAkey) Attackondigitalsignaturethroughhashcollisionsearch Authenticationinaclientserverenvironment Demonstrationofasidechannelattack(onhybridencryptionprotocol) AttackonRSAusinglatticereduction Randomanalysiswith3Dvisualisation SecretSharingusingtheChineseRemainderTheorem(CRT)andShamir ImplementationofCRTinastronomy(solvinglinearmodularequationsystems) VisualisationofsymmetricencryptionmethodsusingANIMAL VisualisationofAES VisualisationofEnigmaencryption Generationofamessageauthenticationcode(MAC) Hashdemonstration Learningtoolfornumbertheoryandasymmetricencryption Pointadditiononellipticcurves Passwordqualitymeter(PQM)andpasswordentropy Bruteforceanalysis CrypToolonlinehelp

CrypTool1.4.30

Page37

Examples (1)
EncryptionwithRSA(inrealitymostlyhybridencryption)

Basisfore.g.SSLprotocol(accesstoprotectedwebsites) AsymmetricencryptionusingRSA
Everyuserhasakeypair onepublicandoneprivatekey Senderencryptswithpublickeyoftherecipient Recipientdecryptswithhisprivatekey

Implementedusuallyinacombinationwithsymmetricmethods(transfer ofthesymmetrickeythroughRSAasymmetricencryption/decryption)
Keypair

Confidential Message

Encryption

Decryption

Confidential Message

PublicKey Senderusespublickey oftherecipient

CrypTool1.4.30

PrivateKey Recipientuseshis privatekey

Page38

Examples(1)
EncryptionusingRSA Mathematicalbackground/algorithm

Public key: Private key: where:

(n, e) (d)

p, q large, randomly chosen prime numbers with n = p*q; d is calculated under the constraints gcd[(n),e] = 1; e*d 1 mod (n). Encryption and decryption operation: (me)d m mod n
n is the module, which length in bits is referred to as RSA key length. gcd = greatest common divisor. (n) is the Euler phi function. Procedure : Transformation of message in binary representation Encrypt message m = m1,...,mk block wise, with for all mj: 0 mj < n; maximum block size r, so that: 2r n (2r-1 < n)
CrypTool1.4.30 Page39

Examples(1)
Primenumbertests ForRSAhugeprimesareneeded

Fast probabilistic tests Deterministic tests The prime number test methods can test much faster whether a big number is prime, than the known factorization methods can divide a number of a similar size in its prime factors. For the AKS test the GMP library (GNU Multiple Precision Arithmetic Library) was integrated into CrypTool.
Menu: Indiv.Procedure \ RSACryptosystem \ PrimeNumberTest
CrypTool1.4.30
Remark: 2^255 - 1 = 7 * 31 * 103 * 151 * 2143 * 11119 * 106591 * 131071 * 949111 * 9520972806333758431 * 5702451577639775545838643151

Page40

Examples(1)
Hybridencryptionanddigitalcertificates

Hybridencryption Combinationofasymmetricandsymmetricencryption
1.Generationofarandomsymmetrickey(sessionkey) 2.Sessionkeyistransferred protectedbyasymmetrickey 3.Messageistransferred protectedbysessionkey

Problem:Maninthemiddleattacks doesthepublickeyoftherecipientreally belongtotherecipient? Solution:Digitalcertificates Acentralinstance(e.g.Telesec,VeriSign,Deutsche BankPKI),thatisbeingtrustedbyallusers,ensurestheauthenticityofthe certificateandthecontainedpublickey(similartoapassportissuedbythe state). Hybridencryptionbasedondigitalcertificatesisthefoundationforallsecured electroniccommunication:
InternetShoppingandOnlineBanking SecureeMail

CrypTool1.4.30

Page41

Examples(1)
SecuredonlineconnectionusingSSLandcertificates

This means, that the connection is authenticated (at least at one side) and that the transferred data is strongly encrypted.
CrypTool1.4.30 Page42

Examples (1)
Attributesorfieldsofacertificate

Generalattributes/fields
Issuer(e.g.VeriSign) Requestor Validityperiod Serialnumber Certificatetype/Version(X.509v3) Signaturealgorithm Publickey(andmethod)

PublicKey

CrypTool1.4.30

Page43

Examples (1)
EstablishingasecureSSLconnection(serverauthentication)

Client
1. SSLinitiation Sendservercertificate 3. Validateservercertificate(usinglocallyinstalledrootcertificates) 4. Retrievepublickeyofserver(fromservercertificate) 5. Generatearandomsymmetrickey(sessionkey) Sendsessionkey 6. (encryptedwithpublickeyofserver) 2.

Server

Receivesessionkey
(decrypted by private key of the server)

7.

Encryptedcommunicationbasedon exchangedsessionkey
CrypTool1.4.30 Page44

Examples(1)
EstablishingasecureSSLconnection(serverauthentication)

General
TheexampleshowsthetypicalSSLconnectionestablishmentinordertotransfersensitive dataovertheinternet(e.g.onlineshopping). DuringSSLconnectionestablishmentonlytheserverisauthenticatedusingthedigital certificate(authenticationoftheuserusuallyoccursthroughusernameandpassword aftertheSSLconnectionhasbeenestablished). SSLalsoofferstheoptionforclientauthenticationbasedondigitalcertificates.

CommentstotheSSLconnectionestablishment
ad(1): SSLInitiation duringthisphasethecharacteristicsofthesessionkey(e.g.bitsize) aswellasthesymmetricencryptionalgorithm(e.g.3DES,AES)arenegotiated. ad(2): Incaseofamultilevelcertificatehierarchytherequiredintermediatecertificates arebeingpassedtotheclient,too. ad(3): Inthisphasetherootcertificatesinstalledinthebrowserscertificatestoreare usedtovalidatetheservercertificate. ad(5): Thesessionkeyisbasedonthenegotiatedcharacteristics(see1).

CrypTool1.4.30

Page45

Examples(2)
Digitalsignaturevisualised

Digitalsignature
Increasinglyimportant equivalencewithmanualsignature (digitalsignaturelaw) increasinglyusedbyindustry, governmentandconsumers Fewpeopleknowhowitworksexactly

VisualisationinCrypTool
Interactivedataflowdiagram Similartothevisualisationofhybrid encryption

Menu: DigitalSignatures/PKI \ Signature Demonstration(Signature Generation)

CrypTool1.4.30

Page46

Examples(2)
Digitalsignaturevisualised:a)Preparation

1.Selecthashfunction

2.Providekeyand certificate(notshownhere)

CrypTool1.4.30

Page47

Examples(2)
Digitalsignaturevisualised:b)Cryptography

3.Calculate hashvalue 4.Encrypt hashvalue withprivate key(sign) 5.Generate signature

3.

4.

5.

CrypTool1.4.30

Page48

Examples(2)
Digitalsignaturevisualised:c)Result

6.Thesigneddocument cannowbesaved. Theoperationscanbeperformedin anyorder,aspermittedbydata dependencies.

CrypTool1.4.30

Page49

Examples(3)
AttackonRSAencryptionwithshortRSAmodulus

ExamplefromSongY.Yan,NumberTheoryforComputing,Springer,2000
Publickey
RSAmodulusN=63978486879527143858831415041 (95bit,29decimaldigits) publicexponente=17579

Ciphertext(blocklength=8):
C1 =45411667895024938209259253423, C2 =16597091621432020076311552201, C3 =46468979279750354732637631044, C4 =32870167545903741339819671379

The ciphertext is not necessary for the actual cryptanalysis (locating the private key) !

Thetextshallbedeciphered!

SolutionusingCrypTool(moredetailedinonlinehelpexamplessection)
EnterpublicparametersintoRSAcryptosystem (menu:Indiv.Procedures) ButtonFactorisetheRSAmodulus yieldsthetwoprimefactorspq =N Basedonthatinformationtheprivateexponentd=e1 mod(p1)(q1)isdetermined Decrypttheciphertextwithd:Mi =Cid modN

TheattackwithCrypToolworksforRSAmoduli upto250bit. Thenyoucoulddigitallysignforsomeoneelse!

CrypTool1.4.30 Page50

Examples(3)
ShortRSAmodulus:enterpublicRSAparameters
Menu:Indiv.Procedures \ RSACryptosystem \ RSADemonstration

1.EnterRSApara metersNande

2.Factorise

CrypTool1.4.30

Page51

Examples(3)
ShortRSAmodulus:factoriseRSAmodulus

3.Factorisation yieldspandq

CrypTool1.4.30

Page52

Examples(3)
ShortRSAmodulus:determineprivatekeyd

Changetheview totheownerofthe secretkey 4.pandqhave beenentered automatically andsecretkeyd hasbeen calculated

5.Adjustoptions

CrypTool1.4.30

Page53

Examples(3)
ShortRSAmodulus:adjustoptions

6.Selectalphabet

7.Selectcodingmethod 8.Selectblocklength

CrypTool1.4.30

Page54

Examples(3)
ShortRSAmodulus:decryptciphertext

9.Enterciphertext

10.Decrypt

CrypTool1.4.30

Page55

Examples(4)
AnalysisofencryptionusedinthePSION5

Practicalapplicationofcryptanalysis:
Attackontheencryptionoptioninthe PSION5PDAwordprocessingapplication Startingpoint:anencryptedfileonthePSION Requirements
EncryptedEnglishorGermantext Dependingonmethodandkeylength,100bytesuptoseveralkB oftext

Procedure
Preanalysis
entropy floatingentropy compressiontest probablyclassical encryptionalgorithm

Autocorrelation Tryoutautomaticanalysiswithclassicalmethods
CrypTool1.4.30 Page56

Examples(4)
PSION5PDA determineentropy,compressiontest

Compressibility: clearindicatorfor weakcryptography (sizewasreduced by21%)

Theentropyprovides noindicationfora specificencryption method.

CrypTool1.4.30

Page57

Examples(4)
PSION5PDA determineautocorrelation

Distinctivecombpattern: typicalforVigenre, XORandbinaryaddition

*TheencryptedfileisavailablewithCrypTool(seeCrypTool\examples\psionenc.hex)
CrypTool1.4.30 Page58

Examples(4)
PSION5PDA automaticanalysis

Automaticanalysisusing
Vigenre:nosuccess XOR:nosuccess binaryaddition
CrypToolcalculatesthekeylength usingautocorrelation:32bytes Theusercanchoosewhichcharacter isexpectedtooccurmostfrequently: e =0x65(ASCIIcode) Analysiscalculatesthemost likelykey(basedontheassumptions aboutdistribution) Result:good,butnotperfect

CrypTool1.4.30

Page59

Examples(4)
PSION5PDA resultsofautomaticanalysis

Resultsofautomaticanalysiswithassumptionbinaryaddition:
Resultisgood,butnotperfect:24outof32keybytescorrect. Thekeylength32wascorrectlydetermined.

Thepasswordenteredwasnot32byteslong. PSIONWordderivestheactualkeyfromthepassword. Manualpostprocessingproducestheencryptedtext(notshown).

CrypTool1.4.30 Page60

Examples(4)
PSION5PDA determiningtheremainingkeybytes

Copykeytoclipboardduringautomaticanalysis Inautomaticanalysishexdump,
Determineincorrectbytepositions,e.g.0xAAatposition3 Guessandwritedowncorrespondingcorrectbytes:e =0x65

Inencryptedinitialfilehexdump,
Determineinitialbytesfromthecalculatedbytepositions:0x99 CalculatecorrectkeybyteswithCALC.EXE:0x99 0x65=0x34

Keyfromtheclipboard
Correct12865B341498872C393E43741396A45670235E111E907AB7C0841... Decryptencryptedinitialdocumentusingbinaryaddition Bytesatposition3,3+32,3+2*32,...arenowcorrect

CrypTool1.4.30

Page61

Examples(5)
WeakDESkey

encrypt2timeswith resultsinplaintext

CrypTool1.4.30

Page62

Examples(6)
Locatekeymaterial

ThefunctionFloatingfrequency issuitableforlocatingkey materialandencryptedareasinfiles.

Background:
Keydataismorerandom thantextorprogramcode Canberecognizedaspeaksinthefloatingfrequency Example:theNSAkey inadvapi32.dll(WindowsNT)

CrypTool1.4.30

Page63

Examples(6)
Comparisononfloatingfrequencywithotherfiles

CrypTool1.4.30

Page64

Examples(7)
Attackondigitalsignature

Attack: Findtwo messageswith thesamehash value!

Menu:Analysis \ Hash \ Attack onthe HashValue ofthe DigitalSignature

CrypTool1.4.30 Page65

Examples(7)
Attackondigitalsignature idea(I)

AttackonthedigitalsignatureofanASCIItextbasedonhashcollisionsearch. Idea: ASCIItextscanbemodifiedbychanging/insertingnonprintablecharacters,without changingthevisiblecontent Modifytwotextsinparalleluntilahashcollisionisfound Exploitthebirthdayparadox(birthdayattack) Genericattackapplicabletoallhashfunctions Canberuninparallelonmanymachines(notimplemented) ImplementedinCrypToolaspartofthebachelorthesisMethodsandToolsfor AttacksonDigitalSignatures (German),2003.

Concepts: Mappings ModifiedFloydalgorithm(constantmemoryconsumption)

CrypTool1.4.30

Page66

Examples(7)
Attackondigitalsignature idea(II)

1.
harmless message M H

3.

2. 1.
evil message M S

Compare hashes

Identical signatures

3 .

1. Modification:startingfromamessageM createNdifferentmessagesM1, ..., MN withthesamecontent asM. 2. Search:findmodifiedmessagesMiH and MjS withthesamehashvalue. 3. Attack:thesignaturesofthosetwo documentsMiH and MjS arethesame.

Weknowfromthebirthdayparadoxthatforhashvaluesofbitlengthn: N 2n searchcollisionbetweenMH andM1S,...,MNS: search collision between M1H,...,MNH andM1S,...,MNS: N 2n/2

Estimatednumberofgeneratedmessagesinorderto findahashcollision.
CrypTool1.4.30 Page67

LocateHashCollisions(1)
Mappingviatextmodifications
Randomlyselectedstartingpointforcollisionssearch

Identical hash value

hash modify hash

0011 1111

modify

0010 0100

1100 0010 1111 0010

1100 1110

modify

hash

modify
0010 0100

harmless message

evil message green/red:pathfromatreetothecycle thiscanleadtoausefulor uselesscollision. square/round:hashvaluehaseven/oddparity

CrypTool1.4.30

black:allnodeswithinthecycle

Page68

LocateHashCollisions(2)
FloydAlgorithm:meetwithinthecycle
9

start/collision cycle increment1 increment 2

7 13 27 4 8

15

30

26

28

Example: Functiongraphwith 32nodes

3 20 21 18 12 2

19 6 25

0 14

Startingpoint
23 16 24 10 22

17

Step1: Locatematchingpointwithincycle:
31

Twoserieswithidenticalstartingpoint[16]: oneserieswithincrement1,theotherwith increment2.

29

Result(basedongraphtheory): bothseriesalwaysendupinacycle. bothseriesmatchinanodewithinthecycle (inthiscase0).

11

CrypTool1.4.30

Page69

LocateHashCollisions(3)
Stepintocycle(ExtensionofFloyd):findentrypoint
9

start/collision cycle move insubtree move in cycle

7 13 4 27 8 15 30 26

28

3 20 21 18 12 2

19 6

Entry point
5 23 16 24 10 22 17

25

0 14

Step2:Locateentrypointofseries1in thecycle[25]:
31

29 1 11

Series1startsagainfromstarting point;series3withanincrementof1 startsatmatchingpointwithinthecycle (inthiscase0). Result: Theseries(1and3)matchincycle entrypointofseries1(inthiscase25) Thepredecessors(inthiscase17and2) resultinahashcollision.

CrypTool1.4.30

Page70

BirthdayParadoxAttackonDigitalSignature
ExaminationofFloydalgorithm Visualandinteractivepresentation oftheFloydalgorithm(Moving throughthemapping"intoa cycle). AdaptationoftheFloydalgorithm foradigitalsignatureattack.

Startingpoint Goodcollision Badcollision

*TheFloydalgorithmisimplementedinCrypTool,butthe visualizationofthealgorithmisnotyetimplemented. CrypTool1.4.30 Page71

Examples (7)
Attack ondigitalsignature
Anexamplefora good Mapping (nearlyallnodes aregreen). Inthisgraphalmost allnodesbelongto abigtree,which leadsintothecycle withanevenhash valueandwhere theentrypoint predecessorwithin thecycleisodd. Thatmeansthat theattackerfindsa usefulcollisionfor nearlyallstarting points.

GoodCollision

Page72

Examples(7)
Attackondigitalsignature:attack

1.

2.

4.

3.

Menu:Analysis \ Hash \ Attack onthe HashValue ofthe DigitalSignature

CrypTool1.4.30 Page73

Examples(7)
Attackondigitalsignature:results

Experimentalresults
MD5: 4F 47 DF 1F D2 DE CC BE 4B 52 86 29 F7 A8 1A 9A

MD5: 4F 47 DF 1F 30 38 BB 6C AB 31 B7 52 91 DC D2 70

72Bitpartialcollision(equalityof thefirst72hashvaluebits)were foundinacoupleofdaysona singlePC. Signaturesusinghashvaluesofup to128bitcanbeattackedtoday usingmassiveparallelsearch! Usehashvaluesofatleast160bit length.

Thefirst32bitsofthehashvaluesareidentical. Inadditiontotheinteractivehandling: AutomatedofflinefeatureinCrypTool:Executeandlogtheresultsforentiresetsof parameterconfigurations.AvailablethroughcommandlineexecutionofCrypTool.

CrypTool1.4.30

Page74

Examples(8)
Authenticationinaclientserverenvironment

Interactivedemofor differentauthentication methods. Definedopportunities oftheattacker. Youcanplaytheroleof anattacker. Learningeffect: Onlymutual authenticationissecure.

Menu:Indiv.Procedures \ Protocols \ Network Authentication

CrypTool1.4.30

Page75

Examples(9)
Demonstrationofasidechannelattack(onahybridencryptionprotocol)

Menu:Analysis \ Asymmetric Encryption \ SideChannel Attack on TextbookRSA

CrypTool1.4.30 Page76

Examples(9)
Ideaforthissidechannelattack

UlrichKhn SidechannelattacksontextbookRSAandElGamal encryption, 2003 Prerequisites: RSAencryption:C=Me (modN)anddecryption:M=Cd modN. 128Bitsessionkeys(inM)arewordbookencoded (nullpadding). Theserverknowsthesecretkeydand
usesafterdecryptionthe128leastsignificantbitsonly(novalidationofzeropaddingbits)(thatmeanstheserver doesnotrecognizeifthereissomethingotherthanzero). Promptsanerrormessage,iftheencryptionattemptresultsina wrongsessionkey(decryptedtextcannotbe interpretedbytheserver).Inallothercasestherewillbenomessage. Ideaforattack:ApproximationforZoutoftheequationN=M* ZperM=|N/Z| M= 000...................................000
Null-Padding

Session Key

C = Me (mod N)

AllbitpositionsforZaresuccessivelycalculated:Foreverysteponegets1furtherbit.TheattackermodifiesCto C (seebelow).IfabitoverflowoccurswhilecalculatingM ontheserver(recipient),theserversendsanerror message.BasedonthisinformationtheattackergetsabitforZ. ifthemostsignificantbitofMequals1,thenM unequalMmod2128, M =

SessionKey 000...............000 SessionKey

C =Me =Me.(1+Z.2128)e (mod N)

M.Z.2128
CrypTool1.4.30

M
Page77

Examples(10)
Mathematics:AttacksonRSAusinglatticereduction

Showshowtheparametersofthe RSAmethodhavetobechosen,so thatthealgorithmresiststhelattice reductionattacksdescribedin currentliterature. 3variants

1. Thesecretexponentdistoosmallin comparisontoN. 2. OneofthefactorsofNispartially known. 3. Apartoftheplaintextisknown.

Theseassumptionsarerealistic

Menu: Analysis \ Asymmetric Encryption \ Lattice Based Attacks onRSA \

CrypTool1.4.30

Page78

Examples(11)
Randomanalysiswith3Dvisualisation

3Dvisualisationforrandomanalysis
Example1 Openanarbitraryfile(e.g.reportinWordorPowerPoint presentation) Itisrecommendedtoselectafilewithatleast100kB 3Danalysisusingmenu:Analysis \ AnalyseRandomness \ 3DVisualization Result:structuresareeasilyrecognisable Example2 Generationofrandomnumbers:Indiv.Procedures \ Tools \ GenerateRandomNumbers Itisrecommendedtogenerateatleast100.000randombytes 3Danalysisusingmenu:Analysis \ AnalyseRandomness \ 3DVisualization Result:uniformdistribution(nostructuresarerecognisable)

CrypTool1.4.30

Page79

Examples(12)
SecretsharingwithCRT implementationoftheChineseremaindertheorem(CRT)

Secret sharing example (1):

Problem:
5peoplegetasinglekey Togainaccessatleast3ofthe5peoplehave tobepresent

Menu: Indiv.Procedures \ Chinese RemainderTheoremApplications \ SecretSharingbyCRT Options allowstoconfiguremore detailsofthemethod.

Calc.steps showsallstepsto generatethekey.

CrypTool1.4.30

Page80

Examples(12)
Shamir secretsharing

Secretsharingexample(2)
Problem
Asecretvalueshouldbesplitfornpeople. toutofnpeoplearerequiredtorestorethesecretvalueK. (t,n)thresholdscheme

Menu: Indiv.Procedures \ SecretSharing Demonstration(Shamir) 1. EnterthesecretK,numberofpersonsnand thresholdt 2. Generatepolynom 3. Useparameters UsingReconstruction thesecretcanbe restored

CrypTool1.4.30

Page81

Examples(13)
ImplementationofCRTtosolvelinearmodularequationsystems

Scenario inastronomy
Howlongdoesittakeuntil agivennumberofplanets (withdifferentrotation times)tobecomealigned? Theresultisalinear modularequationsystem, thatcanbesolvedwiththe Chineseremaindertheorem (CRT). Inthisdemoyoucanenter upto9equationsand computeasolutionusing theCRT.

Menu: Indiv.Procedures \ ChineseRemainderTheoremApplications \ Astronomy andPlanetary Motion

CrypTool1.4.30 Page82

Examples (14)
Visualisation ofsymmetricencryptionmethodsusingANIMAL(1)

Animatedvisualisation ofseveral symmetricalgorithms

Caesar Vigenre Nihilist DES

Animationspeed

Scalingofvisualisation

CrypTool
Menu:Indiv.Procedures \ Visualizationofalgorithms \ Interactiveanimationcontrolusing integratedcontrolcenterwindow.
Animationcontrols(next, forward,pause,etc.) Directselectionofananimationstep
CrypTool1.4.30 Page83

Examples (14)
Visualisation ofsymmetricencryptionmethodsusingANIMAL(2)

VisualizationofDESencryption

Afterthepermutationoftheinputblockusing theinitialisationvectorIVthekeyKisbeing permutedwithPC1andPC2.

Thecorefunctionf ofDES,whichlinkstheright halfoftheblockRi1 withthepartialkeyKi.

CrypTool1.4.30

Page84

Examples (15)
Visualisation ofAES(Rijndaelcipher)

RijndaelAnimation(theRijndaelcipherwasthewinneroftheAESsubmission)
Visualisation showsanimationoftheroundbasedencryptionprocess(usingfixeddata)

RijndaelInspector
Encryptionprocessfortesting(usingyourowndata)

Menu:Indiv.Procedures \ VisualisationofAlgorithms \ AES \ RijndaelAnimation orRijndaelInspector

CrypTool1.4.30

Page85

Examples (16)
Visualisation oftheEnigmaencryption

Selectrotors

Changerotor setting

Changeplugs

Show settings Inputof plaintext Outputof encryptedtext

ResetEnigma toinitial stateor randomstate AdditionalHTMLonlinehelp

CrypTool1.4.30

Page86

Examples (17)
Generationofamessageauthenticationcode(MAC)

MessageAuthenticationCode(MAC)
Ensuresintegrityofamessage Authenticationofthemessage Basis:acommonkey

GenerationofaMACinCrypTool
1. Chooseahashfunction 2. SelectMACvariant 3. Enterakey(dependingonMACvariantalso twokeys) 4. GenerationoftheMAC(automatic)

1.

2.

3.

Menu: Indiv.Procedures \ Hash \ GenerationofMACs

4.

CrypTool1.4.30

Page87

Examples(18)
Hashdemonstration

Sensitivityofhashfunctionstoplaintext modifications
1.Selectahashfunction 2.Modificationofcharactersinplaintext Example: EnteringablankafterCrypTool intheexample textresultsina50.6%changeofthebitsofthe generatedhashvalue. Agoodhashfunctionshouldreactsensitiveto eventhesmallestchangewithintheplaintext Avalancheeffect (smallchange,bigimpact). 1. 2.

Menu: Indiv.Procedures \ Hash \ HashDemonstration

CrypTool1.4.30

Page88

Examples (19)
Learningtoolfornumbertheory

Number theory
supportedby graphicalelements andtoolstotryout

Topics:
1. 2. 3. 4. Integers Residue classes Primegeneration Publickey cryptography 5. Factorization 6. Discrete logarithms

Menu: Indiv.Procedures \ NumberTheory Interactive \ Learningtoolfornumbertheory

CrypTool1.4.30 Page89

Examples (20)
Pointadditiononellipticcurves

Visualisation ofpointadditiononellipticcurves Foundationofellipticcurvecryptography(ECC) Example1

MarkpointPonthecurve MarkpointQonthecurve PressbuttonP+Q:Thestraightline throughPandQintersectsthecurve inpointR MirroringontheXaxisresultsinpointR

Example2
MarkpointPonthecurve Pressbutton2*P:ThetangentofpointP intersectsthecurveinpointR MirroringontheXaxisresultsinpointR
Changecurveparameters Deletepoints Logfileof calculations

Menu:Indiv.Procedures \ NumberTheory Interactive \ PointAdditiononEllipticCurves

CrypTool1.4.30

Page90

Examples (21)
PasswordQualityMeter(PQM)1

Functions Measuringthequalityofpasswords ComparewithPQMs inotherapplications:KeePass,Mozilla undPGP ExperimentalmeasuringthroughCrypToolalgorithm Example:Inputofapassword(whileshowingthepassword)

Password: 1234 Password: X40bTRds&11w_dks

Menu: Indiv. Procedures Tools \ Password Quality Meter CrypTool1.4.30

Menu: Indiv. Procedures \ Tools \ Password Entropy Page91

Examples (21)
PasswordQualityMeter(PQM)2

FindingsofthePasswordQualityMeter
Passwordqualitydependsprimarilyonthelengthofthepassword. Ahigherqualityofthepasswordcanbeachievedbyusingdifferenttypesof characters:upper/lowercase,numbersandspecialcharacters(passwordspace) Passwordentropy asindicatoroftherandomnessofpasswordcharactersofthe passwordspace(higherpasswordentropyresultsinimprovedpasswordquality) Passwordsshouldnotexistinadictionary (remark:adictionarycheckisnotyet implementedinCrypTool).

Qualityofapasswordfromanattackersperspective
Attackonapassword(ifanynumberofattemptsarepossible):
1. Classicaldictionaryattack 2. Dictionaryattackwithvariants (e.g.4digitnumbercombinations:Summer2007) 3. Bruteforceattack bytestingallcombinations(withadditionalparameterssuchas limitationsonthetypesofcharactersets)

Agoodpasswordshouldbechosensothatattack1.and2.donot compromisethe password.Regardingbruteforceattacksthelengthofthepassword(atleast8 characters)aswellastheusedcharactersetsareimportant.

CrypTool1.4.30 Page92

Examples (22)
Bruteforceanalysis1

Bruteforce analysis
Optimised bruteforceanalysisundertheassumptionthatthekeyispartlyknown.

Example AnalysiswithDES(ECB)
Attempttofindtheremainderofthekeyinordertodecryptanencryptedtext (Assumption:Theplaintextisablockof8ASCIIcharacters). Key(Hex) 68ac78dd40bbefd* 0123456789ab**** 98765432106***** 0000000000****** 000000000000**** abacadaba******* dddddddddd****** Encryptedtext (Hex) 66b9354452d29eb5 1f0dd05d8ed51583 bcf9ebd1979ead6a 8cf42d40e004a1d4 0ed33fed7f46c585 d6d8641bc4fb2478 a2e66d852e175f5c

CrypTool1.4.30

Page93

Examples(22)
Bruteforceanalysis2
1. Inputofencryptedtext 2. Usebruteforceanalysis 3. Inputpartlyknownkey 4. Startbruteforceanalysis 5. Analysisoftheresults:Lowentropyasevidenceofapossibledecryption.However,becauseaveryshort plaintexthasbeenusedinthisexample,thecorrectresultdoes nothavethelowestentropy.
Menu:Analysis \ SymmetricEncryption(modern) \ DES(ECB) UseView \ ShowasHexDump

CrypTool1.4.30

Page94

Examples(23)
CrypToolonlinehelp1

Menu:Help \ StartingPage
CrypTool1.4.30 Page95

Examples (23)
CrypToolonlinehelp2

CrypTool1.4.30

Page96

Content
I. CrypToolandCryptology Overview II. CrypToolFeatures III. Examples IV. Project/Outlook/Contact

CrypTool1.4.30

Page97

FutureCrypToolDevelopment(1)
Plannedafterrelease1.4.30(seereadmefile)
CT1.x JCT JCT JCT JCT CT2 CT2 CT2 CT2 CT2 Masspatternsearch VisualisationofinteroperabilityofS/MIMEandOpenPGPformats Tripartitekeyagreements Analysisofentropy Statisticalanalysisofblockciphers Comprehensivevisualisationonthetopicofprimenumbers DemonstrationofBleichenbachers RSAsignatureforgery Demonstrationofvirtualcreditcardnumbers(approachagainstcreditcardabuse) WEPencryptionandWEPanalysis Graphicaldesignorientedmodeforbeginnersplusexpertmode
CT =CrypTool CT2 =CrypTool2.0 JCT =JCrypTool

CT2/JCT Creationofacommandlineversionforbatchprocessing CT2/JCT Modernpurepluginarchitecturewithloadingofplugins All Idea Idea Idea Furtherparameterization/Increasingtheflexibilityofpresent algorithms VisualisationoftheSSLprotocol Demonstrationofvisualcryptography Integrationofcryptolibrarycrypto++fromWei Dai
Page98

CrypTool1.4.30

FutureCrypToolDevelopment(2)
InProgress(seereadmefile)
1. JCT:PortandredesignofCrypToolinJava/SWT/Eclipse3.4/ RPC
see:http://jcryptool.sourceforge.net Milestone4availableforusersanddevelopers(February2009)

2. CT2:PortandredesignoftheC++versionwithC#/WPF/VS2008 /.NET3.5 3.
directsuccessorofcurrentreleases:allowsvisualprogramming, Beta1availableforusersanddevelopers(July2008,permanentlyupdated) C2L:DirectportoftheC++versiontoLinuxwithQt4(veryslowprogress) see:http://www.cryptoolinux.net

CrypTool2(CT2)
CrypTool1.4.30

JCrypTool(JCT)
Page99

CrypToolasaFramework
Proposal
Reusethecomprehensivesetofalgorithms,includedlibrariesandinterfaceelementsas foundation FreeofchargetraininginFrankfurt,howtostartwithCrypTool development Advantage:Yourowncodedoesnotdisappear,butwillbemaintained

Current developmentenvironment: MicrosoftVisualStudioC++,Perl,

SubversionSourceCodeManagement CrypTool1.4.30:VisualC++.net(=VC++9.0)(=VisualStudio2008Standard) Descriptionfordevelopers:seereadmesource.txt Download:Sourcesandbinariesofreleases. Togetsourcesofcurrentbetas,pleaseseesubversionrepository.

Futuredevelopmentenvironments
Forversionsafter1.4.3x: CT2 C#version:.NETwithVisualStudio2008 ExpressEdition(free),WPFundPerl Java Javaversion:Eclipse3.4,RCP,SWT(free) C2L C++versionforLinuxwith Qt 4.x,GCC4.xand Perl

CrypTool1.4.30

Page100

CrypTool RequestforContribution
Everycontributiontotheprojectishighlyappreciated
Feedback,criticism,suggestionsandideas Integrationofadditionalalgorithms,protocols,analysis(consistencyandcompleteness) Developmentassistance(programming,layout,translation,test) ForthecurrentC/C++project Forthenewprojects C#project: CrypTool2.0 Javaproject: JCrypTool EspeciallyUniversityfacultiesusingCrypToolforeducationalpurposesareinvitedto contributetothefurtherdevelopmentofCrypTool. Significantcontributionscanbereferencedbyname(inhelp,readme,aboutdialogandonthe CrypToolwebsite). CurrentlyCrypToolisbeingdownloadedmorethan3000timesamonth(with1/3forthe Englishversion).

CrypTool1.4.30

Page101

CrypTool Summary
THE elearningprogramforcryptology Overmorethan10yearsasuccessfulopen sourceproject Morethan200,000downloads Internationalutilisationinschools,universitiesas wellascompaniesandgovernmentagencies Extensiveonlinehelpanddocumentation Availableforfreeandmultilanguagesupport
CrypTool1.4.30 Page102

Contact
Prof.BernhardEsslinger
UniversityofSiegen Faculty5,EconomicsandBusinessComputing DeutscheBankAG Director,ITSecurityManager

esslinger@fb5.unisiegen.de www.cryptool.com www.cryptool.de www.cryptool.es www.cryptool.org www.cryptool.pl

Additionalcontacts:SeereadmewithintheCrypToolfolder

CrypTool1.4.30

Page103

AdditionalLiterature
Asintroductiontocryptology
SimonSingh,TheCodebook,1999,Doubleday KlausSchmeh,Codeknacker gegen Codemacher.Diefaszinierende Geschichteder Verschlsselung,2ndedition,2007,W3L[German] Udo Ulfkotte,Wirtschaftsspionage,2001,Goldmann [German] JohannesBuchmann,IntroductiontoCryptography,2ndedition,2004,Springer ClaudiaEckert,ITSicherheit,5thedition,2008,Oldenbourg [German] A.Beutelspacher /J.Schwenk /K.D.Wolfenstetter,Moderne Verfahren der Kryptographie,5th edition,2004,Vieweg [German] [HAC]Menezes,vanOorschot,Vanstone,HandbookofAppliedCryptography,1996,CRCPress vanOorschot,Wiener,ParallelCollisionSearchwithApplicationtoHashFunctionsand Discrete Logarithms,1994,ACM Additionalcryptographyliterature seealsothelinksattheCrypToolwebpageandtheliteraturein theCrypToolonlinehelp(e.g.byWtjen,Salomaa,Brands,Schneier,Shoup,Stamp/Low,) ImportanceofcryptographyinthebroadercontextofITsecurity andriskmanagement
Seee.g.KennethC.Laudon /JaneP.Laudon /Detlef Schoder,Wirtschaftsinformatik,2005,Pearson,chapter 14[German] SeeWikipedia(http://en.wikipedia.org/wiki/Risk_management)

CrypTool1.4.30

Page104

www.cryptool.org /.com /.de/.es/.pl

CrypTool1.4.30

Page105

www.cryptoportal.org

Theteachersportal currentlyexistsinGerman only. HelpforanEnglishversion ofthisportaliswelcome.

CrypTool1.4.30 Page106