CrypTool 1.4.30 Beta03
Introduction to Cryptography and Cryptanalysis
Scope, Technology and Future of CrypTool
www.cryptool.com www.cryptool.de www.cryptool.es www.cryptool.org www.cryptool.pl
Prof. Bernhard Esslinger and CrypTool Team, Feb. 2009
Content (I)
I. CrypTool and Cryptology Overview
1. Definition and relevance of cryptology
2. The CrypTool project
3. Examples of classical encryption methods
4. Insights from cryptography development
II. CrypTool Features
1. Overview
2. Interaction examples
3. Challenges for developers
III. Examples
1. Encryption with RSA / Prime number test / Hybrid encryption and digital certificates / SSL
2. Digital signature visualised
3. Attack on RSA encryption (modulus N too short)
4. Analysis of encryption in PSION 5
5. Weak DES keys
6. Locating key material ("NSA Key")
7. Attack on digital signature through hash collision search
8. Authentication in a client-server environment
9. Demonstration of a side-channel attack (on hybrid encryption protocol)
Content (II)
III. Examples
10. RSA attack using lattice reduction
11. Random analysis with 3D visualisation
12. Secret Sharing using the Chinese Remainder Theorem (CRT) and Shamir
13. Implementation of CRT in astronomy (solving linear modular equation systems)
14. Visualisation of symmetric encryption methods using ANIMAL
15. Visualisation of AES
16. Visualisation of Enigma encryption
17. Generation of a message authentication code (MAC)
18. Hash demonstration
19. Learning tool for number theory and asymmetric encryption
20. Point addition on elliptic curves
21. Password quality meter (PQM) and password entropy
22. Brute-force analysis
23. CrypTool online help
IV. Project / Outlook / Contact
Definition Cryptology and Cryptography
Cryptology (from the Greek kryptós, "hidden," and lógos, "word") is the science of secure (generally secret) communications. This security obtains from legitimate users, the transmitter and the receiver, being able to transform information into a cipher by virtue of a key, i.e., a piece of information known only to them. Although the cipher is inscrutable and often unforgeable to anyone without this secret key, the authorized receiver can either decrypt the cipher to recover the hidden information or verify that it was sent in all likelihood by someone possessing the key.
Cryptography was concerned initially with providing secrecy for written messages. Its principles apply equally well, however, to securing data flow between computers or to encrypting television signals. ... Today the modern (mathematical) science of cryptology contains not only mechanisms for encryption but also for integrity, electronic signatures, random numbers, secure key exchange, secure containers, electronic voting and electronic money, and has achieved to render a broad range of applications in modern life.
Source: Britannica (www.britannica.com). A similar definition can be found on Wikipedia: http://en.wikipedia.org/wiki/Cryptology
Relevance of Cryptography
Examples for Cryptography Usage
Phone cards, cell phones, remote controls
Cash machines, money transfer between banks
Electronic cash, online banking, secure e-mail
Satellite TV, Pay TV
Immobiliser systems in cars
Digital Rights Management (DRM)
Cryptography Objectives
Confidentiality: Information can practically not be made available or disclosed to unauthorized individuals, entities or processes.
Authentication: Authentication ensures that users are identified and those identities are appropriately verified.
Integrity: Integrity ensures that data has not been altered or destroyed in an unauthorized manner.
Non-Repudiation: The principle that, afterwards, it can be proven that the participants of a transaction did really authorize the transaction and that they have no means to deny their participation.
The CrypTool Project
Origin in awareness program of a bank (in-firm training)
Awareness for employees
Developed in cooperation with universities (improving education)
Media didactic approach and standard oriented
1998 Project start; effort more than 17 man-years since then
2000 CrypTool available as freeware
2002 CrypTool on Citizen CD-ROM from BSI (German Information Security Agency)
2003 CrypTool becomes Open Source; hosting by University of Darmstadt (Prof. Eckert)
2007 CrypTool available in German, English, Polish and Spanish
2008 .NET version and Java version; hosted by University of Duisburg (Prof. Weis) and SourceForge
Awards
2004 TeleTrusT (TTT Förderpreis)
2004 NRW (IT Security Award NRW)
2004 RSA Europe (Finalist of European Information Security Award 2004)
2008 "Selected Landmark" in initiative "Germany Land of Ideas"
Developers
Developed by people from companies and universities in different countries
Additional project members or usable sources are always appreciated (currently there are around 40 people working on CrypTool worldwide).
Examples of Early Cryptography (1)
Ancient encryption methods
Tattoo on a slave's head concealed by regrown hair
Atbash (around 600 B.C.): Hebrew secret language, reversed alphabet
Scytale from Sparta (500 B.C.)
Described by Greek historian/author Plutarch (45 - 125 B.C.)
Two cylinders (wooden rod) with identical diameter
Transposition (plaintext characters are re-sorted)
Encrypted text (ciphertext): CSED
Examples of Early Cryptography (2)
Symmetric Caesar encryption
Caesar encryption (Julius Caesar, 100 - 44 B.C.)
Simple substitution cipher
Plaintext: GALLIA EST OMNIS DIVISA ...
ABCDEFGHIJKLMNOPQRSTUVWXYZ
Secret alphabet: DEFGHIJKLMNOPQRSTUVWXYZABC
JDOOLD HVW RPQLV GLYLVD ...
Attack: Frequency analysis (typical character allocation)
Presentation with CrypTool via the following menus:
Animation: Indiv. Procedures \ Visualization of algorithms \ Caesar
Implementation: Crypt/Decrypt \ Symmetric (classic) \ Caesar / Rot-13
Examples of Early Cryptography (3)
Symmetric Vigenère encryption
[Figure; axis labels: keyword character, plaintext character]
Examples of Early Cryptography (4)
Other symmetric encryption methods
Transfer of book pages
Adaptation of the One-Time Pad (OTP)
Turning grille (Fleissner)
Permutation encryption
Double Dice (double column transposition) (Transposition / very effective)
Cryptography in Modern Times
Cryptography developments in the last 100 years till 1970
Classic methods are still in use today (since not everything can be done by a computer), and their principles of transposition and substitution are inputs for the design of modern algorithms: combination of simple operations (a type of multiple encryption, so-called cascades of ciphers), on bit level, block cipher, rounds.
Encryption becomes more sophisticated, mechanised or computerised, and remains symmetric.
Examples of the First Half of the 20th Century
Mechanical encryption machines (rotor machines)
Enigma Encryption (Arthur Scherbius, 1878-1929)
More than 200000 machines have been used in WW2.
The rotating cylinder set causes every character of the text to be encrypted with a new permutation.
Broken by massive effort of cryptography experts (around 7000 persons in UK) with decryption machines, captured original Enigmas and by intercepting daily status reports (e.g. weather reports).
Consequences of this successful cryptanalysis: In general the successful cryptanalysis of the Enigma encryption has been a strategic advantage that has played a significant role in winning the war. Some historians assume that the break of the Enigma code has shortened the war by several months or even a year.
(translated from http://de.wikipedia.org/wiki/Enigma_%28Machine%29 March 6, 2006)
Cryptography: Important Insights (1)
Kerckhoffs' principle (1883)
Separation of algorithm (method) and key, e.g. Caesar encryption:
Algorithm: Shift alphabet by a certain number of positions to the left
Key: The certain number of positions (Caesar for example)
Kerckhoffs' principle: The secret lies within the key and not within the algorithm, or "No security through obscurity"
One-Time Pad (Shannon / Vernam)
Demonstrably theoretically secure, but not usable in reality (only red phone)
Shannon's concepts: Confusion and Diffusion
Relation between M, C and K has to be as complex as possible (M = message, C = cipher, K = key)
Every ciphertext character should depend on as many plaintext characters and as many characters of the encryption key as possible
Avalanche effect (small modification, big impact)
Trapdoor function (one-way function)
Fast in one direction, not in the opposite direction (without secret information)
Having the secret, the opposite direction works (access to the trapdoor)
Examples for a Breach of the Kerckhoffs Principle
Secret lies within the key and not within the algorithm
Cell phone encryption penetrated (December 1999)
Israeli researchers discovered design flaws that allow the descrambling of supposedly private conversations carried by hundreds of millions of wireless phones. Alex Biryukov and Adi Shamir describe in a paper to be published this week how a PC with 128 MB RAM and large hard drives can penetrate the security of a phone call or data transmission in less than one second. The flawed algorithm appears in digital GSM phones made by companies such as Motorola, Ericsson, and Siemens, and used by well over 100 million customers in Europe and the United States. [...]
Previously the GSM encryption algorithms have come under fire for being developed in secret away from public scrutiny, but most experts say high security can only come from published code. Moran said "it wasn't the attitude at the time to publish algorithms" when the A5 ciphers was developed in 1989, but current ones being created will be published for peer review.
[http://wired.lycos.com/news/politics/0,1283,32900,00.html]
Sample of a One-Time Pad Adaptation
Clothes hanger of a Stasi agent with a secret one-time pad (taken from: Spiegel Spezial 1/1990)
Key Distribution Problem
Key distribution for symmetric encryption methods
Cryptography: Important Insights (2)
Solving the key distribution problem through asymmetric cryptography
Asymmetric cryptography
For centuries it was believed that: Sender and receiver need the same secret.
New: Every member needs a key pair (solution of the key distribution problem)
Asymmetric encryption
Everyone can lock a padlock or can drop a letter in a mail box.
MIT, 1977: Leonard Adleman, Ron Rivest, Adi Shamir (well known as RSA)
GCHQ Cheltenham, 1973: James Ellis, Clifford Cocks (admitted in public December 1997)
Key distribution
Stanford, 1976: Whitfield Diffie, Martin Hellman, Ralph Merkle (Diffie-Hellman key exchange)
GCHQ Cheltenham, 1975: Malcolm Williamson
Security in open networks (such as the internet) would be extremely expensive and complex without asymmetric cryptography!
Encryption and Decryption
Symmetric and asymmetric encryption
[Figure: a message M from the message space is encrypted with key KE to C = E(M, KE) and decrypted at the receiver with key KD from the key space to M = D(C, KD). Key labels: public, private/secret.]
a) Symmetric encryption: KE = KD (e.g. AES)
b) Asymmetric encryption: KE ≠ KD (e.g. RSA)
Cryptography: Important Insights (3)
Increasing relevance of mathematics and information technology
Modern cryptography is based on mathematics
Still new symmetric encryption methods such as AES (better performance and shorter key length compared to the asymmetric methods purely based on mathematical problems).
Demonstration in CrypTool
CrypTool Features
1. What is CrypTool?
eLearning
2. Why CrypTool?
Origin in awareness initiative of a financial institute
Developed in close cooperation with universities
Improvement of university education and in-firm training
3. Target group
Core group: Students of computer science, business computing and mathematics
But also for: computer users, application developers, employees
Prerequisite: PC knowledge
Preferable: Interest in mathematics and/or programming
Content of the Program Package
CrypTool program
AES Tool
Standalone program for AES encryption (and creation of self-extracting files)
Educational game
Number Shark encourages the understanding of factors and prime numbers.
Comprehensive Online Help (HTML Help)
Context-sensitive help available via F1 for all program functions (including menus)
Detailed use cases for a lot of program functions (tutorial)
Script (.pdf file) with background information
Encryption methods, Prime factorisation, Digital signature, Elliptic curves, Public-key certification, Basic number theory, Crypto 2020
Two short stories related to cryptography by Dr. C. Elsner
The Dialogue of the Sisters (an RSA variant as key element)
The Chinese Labyrinth (Number theory tasks for Marco Polo)
Learning tool for number theory
Features (1)
Cryptography
Classical cryptography: Caesar (and ROT-13), Monoalphabetic substitution (and Atbash), Vigenère, Hill, Homophone substitution, Playfair, ADFGVX, Byte Addition, XOR, Vernam, Permutation / Transposition (Rail Fence, ...), Solitaire
Several options to easily understand the cryptography methods: Selectable alphabet; Options: handling of blanks, etc.
Cryptanalysis
Attack on classical methods
Ciphertext-only: Caesar, Vigenère, Addition, XOR, Substitution, Playfair
Known-plaintext: Hill
Manually (supported): Monoalphabetical substitution, Playfair, ADFGVX, Solitaire
Supported analysis methods: Entropy, floating frequency; Histogram, n-gram analysis; Autocorrelation; Periodicity; Random analysis; Base64 / UU-Encode
Features (2)
Cryptography
Modern symmetric encryption: IDEA, RC2, RC4, RC6, DES, 3DES, DESX; AES candidates of the last selection round (Serpent, Twofish, ...); AES (= Rijndael); DESL, DESXL
Asymmetric encryption: RSA with X.509 certificates; RSA demonstration (understanding of examples; alphabet and block length selectable)
Hybrid encryption (RSA + AES): Interactive data flow diagram
Cryptanalysis
Brute-force attack on symmetric algorithm: For all algorithms. Assumptions: Entropy of plaintext is small or key is partly known or plaintext alphabet is known
Attack on RSA encryption: Factorisation of RSA module; Lattice-based attacks
Attack on hybrid encryption: Attack on RSA or Attack on AES (side-channel attack)
Features (3)
Cryptography
Digital signature: RSA with X.509 certificates (signature as data flow diagram); DSA with X.509 certificates; Elliptic Curve DSA, Nyberg-Rueppel
Hash functions: MD2, MD4, MD5; SHA, SHA-1, SHA-2, RIPEMD-160
Random generators: Secude; x^2 mod n; Linear congruence generator (LCG); Inverse congruence generator (ICG)
Cryptanalysis
Attack on RSA signature: Factorisation of the RSA module; feasible up to 250 bits or 75 decimal places (on standard desktop PCs)
Attack on hash functions / digital signature: Generate hash collisions for ASCII-based text (birthday paradox) (up to 40 bit in around 5 min)
Analysis of random data: FIPS-PUB-140-1 test battery; Periodicity, Vitany, entropy; Floating frequency, histogram; n-gram analysis, autocorrelation; ZIP compression test
Features (4)
Animation / Demos
Caesar, Vigenère, Nihilist, DES (all with ANIMAL)
Enigma (Flash)
Rijndael/AES (Flash)
Hybrid encryption and decryption (AES-RSA and AES-ECC)
Generation and verification of digital signatures
Diffie-Hellman key exchange
Secret sharing (with CRT or Shamir)
Challenge-response method (authentication)
Side-channel attack
Graphical 3D presentation of (random) data streams
Sensitivity of hash functions regarding plaintext modifications
Number theory and RSA cryptosystem
Features (5)
Additional functions
Homophone and permutation encryption (Double Column Transposition)
PKCS #12 import and export for PSEs (Personal Security Environment)
Generate hashes of large files, without loading them
Flexible brute-force attacks on any modern symmetric algorithm
ECC demonstration (as Java application)
Password Quality Meter (PQM) and password entropy
And a lot more
Language Structure Analysis
Language analysis options available in CrypTool
Number of characters, n-gram, entropy
See menu Analysis \ Tools for Analysis \ ...
Demonstration of Interactivity (1)
Vigenère analysis (demonstration in CrypTool)
Analysis of the encryption results:
Analysis \ Symmetric Encryption (classic) \ Ciphertext only \ Vigenère
Derived key length 7, derived key TESTETE
2. Encrypt starting example with TEST
Crypt/Decrypt \ Symmetric (classic) \ Vigenère
Enter TEST, Encrypt
Analysis of the encryption results:
Analysis \ Symmetric Encryption (classic) \ Ciphertext only \ Vigenère
Derived key length 8: not correct
Key length automatically set to 4 (can also be adjusted manually)
Derived key TEST
Demonstration of Interactivity (2)
Automated factorisation (demonstration in CrypTool)
Factorisation of a compound number with factorisation algorithms
Menu: Indiv. Procedures \ RSA Cryptosystem \ Factorisation of a Number
Some methods are executed in parallel (multi-threaded)
Methods have specific advantages and disadvantages (e.g. some methods can only determine small factors)
Factorisation example 1:
316775895367314538931177095642205088158145887517 (48-digit decimal number) = 3 * 1129 * 6353 * 1159777 * 22383173213963 * 567102977853788110597
Factorisation example 2:
2^250 - 1 (75-digit decimal number) = 3 * 11 * 31 * 251 * 601 * 1801 * 4051 * 229668251 * 269089806001 * 4710883168879506001 * 5519485418336288303251
Concepts for a User-Friendly Interface
1. Context-sensitive help (F1)
F1 on a selected menu entry shows information about the algorithm/method.
F1 in a dialog box explains the usage of the dialog.
These assistances and the contents of the superordinate menus are cross-linked in the online help.
2. Paste of keys in key input dialog
CTRL-V can be used to paste contents from the clipboard.
Used keys can be taken out of ciphertext windows via an icon in the icon bar. A corresponding icon in the key input dialog can be used to paste the key into the key field. A CrypTool-internal memory which is available for every method is used (helpful for large specific keys, e.g. homophone encryption).
Challenges for Developers (Examples)
1. Many functions running in parallel
Factorisation runs with multi-threaded algorithms
2. High performance
Locate hash collisions (birthday paradox) or perform brute-force analysis
3. Consider memory limits
Floyd algorithm (mappings to locate hash collisions) or factorisation with quadratic sieve
4. Time measurement and estimates
Display of elapsed time while using brute force
5. Reusability / Integration
Forms for prime number generation
RSA cryptosystem (switches the view after successful attack from public key user to private key owner)
6. Partly automate the consistency of functions, GUI and online help (including different languages)
Examples (1)
Encryption with RSA (in reality mostly hybrid encryption)
Basis for e.g. SSL protocol (access to protected web sites)
Asymmetric encryption using RSA
Every user has a key pair: one public and one private key
Sender encrypts with public key of the recipient
Recipient decrypts with his private key
Implemented usually in a combination with symmetric methods (transfer of the symmetric key through RSA asymmetric encryption / decryption)
[Figure: key pair; confidential message, encryption, decryption, confidential message]
Examples (1)
Encryption using RSA: mathematical background / algorithm
Public key: (n, e); private key: (d)
p, q large, randomly chosen prime numbers with n = p*q; d is calculated under the constraints gcd[φ(n), e] = 1; e*d ≡ 1 mod φ(n).
Encryption and decryption operation: (m^e)^d ≡ m mod n
n is the module, whose length in bits is referred to as RSA key length. gcd = greatest common divisor. φ(n) is the Euler phi function.
Procedure: Transformation of message into binary representation. Encrypt message m = m_1, ..., m_k block-wise, with 0 ≤ m_j < n for all m_j; maximum block size r, so that 2^r ≤ n (2^r - 1 < n).
Examples (1)
Prime number tests: for RSA huge primes are needed
Fast probabilistic tests
Deterministic tests
The prime number test methods can test much faster whether a big number is prime than the known factorization methods can divide a number of a similar size into its prime factors.
For the AKS test the GMP library (GNU Multiple Precision Arithmetic Library) was integrated into CrypTool.
Menu: Indiv. Procedure \ RSA Cryptosystem \ Prime Number Test
Remark: 2^255 - 1 = 7 * 31 * 103 * 151 * 2143 * 11119 * 106591 * 131071 * 949111 * 9520972806333758431 * 5702451577639775545838643151
Examples (1)
Hybrid encryption and digital certificates
Hybrid encryption: combination of asymmetric and symmetric encryption
1. Generation of a random symmetric key (session key)
2. Session key is transferred, protected by asymmetric key
3. Message is transferred, protected by session key
Problem: Man-in-the-middle attacks. Does the public key of the recipient really belong to the recipient?
Solution: Digital certificates. A central instance (e.g. Telesec, VeriSign, Deutsche Bank PKI) that is being trusted by all users ensures the authenticity of the certificate and the contained public key (similar to a passport issued by the state).
Hybrid encryption based on digital certificates is the foundation for all secured electronic communication:
Internet Shopping and Online Banking
Secure e-mail
Examples (1)
Secured online connection using SSL and certificates
This means that the connection is authenticated (at least at one side) and that the transferred data is strongly encrypted.
Examples (1)
Attributes or fields of a certificate
General attributes / fields
Issuer (e.g. VeriSign)
Requestor
Validity period
Serial number
Certificate type / Version (X.509v3)
Signature algorithm
Public key (and method)
Examples (1)
Establishing a secure SSL connection (server authentication)
1. Client and server: SSL initiation
2. Server: send server certificate
3. Client: validate server certificate (using locally installed root certificates)
4. Client: retrieve public key of server (from server certificate)
5. Client: generate a random symmetric key (session key)
6. Client: send session key (encrypted with public key of server); server: receive session key (decrypted by private key of the server)
7. Client and server: encrypted communication based on exchanged session key
Examples (1)
Establishing a secure SSL connection (server authentication)
General
The example shows the typical SSL connection establishment in order to transfer sensitive data over the internet (e.g. online shopping).
During SSL connection establishment only the server is authenticated using the digital certificate (authentication of the user usually occurs through user name and password after the SSL connection has been established).
SSL also offers the option for client authentication based on digital certificates.
Comments to the SSL connection establishment
ad (1): SSL initiation: during this phase the characteristics of the session key (e.g. bit size) as well as the symmetric encryption algorithm (e.g. 3DES, AES) are negotiated.
ad (2): In case of a multi-level certificate hierarchy the required intermediate certificates are being passed to the client, too.
ad (3): In this phase the root certificates installed in the browser's certificate store are used to validate the server certificate.
ad (5): The session key is based on the negotiated characteristics (see 1).
Examples (2)
Digital signature visualised
Digital signature
Increasingly important: equivalence with manual signature (digital signature law); increasingly used by industry, government and consumers
Few people know how it works exactly
Visualisation in CrypTool
Interactive data flow diagram
Similar to the visualisation of hybrid encryption
Examples (2)
Digital signature visualised: a) Preparation
1. Select hash function
2. Provide key and certificate (not shown here)
Examples (2)
Digital signature visualised: b) Cryptography
[Figure: steps 3. to 5.]
Examples (2)
Digital signature visualised: c) Result
Examples (3)
Attack on RSA encryption with short RSA modulus
Example from Song Y. Yan, Number Theory for Computing, Springer, 2000
Public key
RSA modulus N = 63978486879527143858831415041 (95 bit, 29 decimal digits)
public exponent e = 17579
Ciphertext (block length = 8):
C1 = 45411667895024938209259253423,
C2 = 16597091621432020076311552201,
C3 = 46468979279750354732637631044,
C4 = 32870167545903741339819671379
The ciphertext is not necessary for the actual cryptanalysis (locating the private key)!
The text shall be deciphered!
Solution using CrypTool (more detailed in online help examples section)
Enter public parameters into RSA cryptosystem (menu: Indiv. Procedures)
Button "Factorise the RSA modulus" yields the two prime factors p*q = N
Based on that information the private exponent d = e^(-1) mod (p-1)(q-1) is determined
Decrypt the ciphertext with d: M_i = C_i^d mod N
Examples (3)
Short RSA modulus: enter public RSA parameters
Menu: Indiv. Procedures \ RSA Cryptosystem \ RSA Demonstration
1. Enter RSA parameters N and e
2. Factorise
Examples (3)
Short RSA modulus: factorise RSA modulus
3. Factorisation yields p and q
Examples (3)
Short RSA modulus: determine private key d
5. Adjust options
Examples (3)
Short RSA modulus: adjust options
6. Select alphabet
7. Select coding method
8. Select block length
Examples (3)
Short RSA modulus: decrypt ciphertext
9. Enter ciphertext
10. Decrypt
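The RSA background slide and the short-modulus steps above can be followed end to end in a few lines. This is an added example, not CrypTool code and not taken from the slides: it uses a constructed 92-bit modulus built from two Mersenne primes (an assumption, chosen so the factoring step finishes in well under a second), e = 65537, and Pollard's rho in place of CrypTool's factorisation methods.

```python
"""Added example: textbook RSA with a short modulus, and why it falls to factoring."""
from math import gcd

# Constructed parameters (not the key from the slide): two Mersenne primes give
# a 92-bit modulus, close in size to the 95-bit N of the slide example.
P = 2**31 - 1
Q = 2**61 - 1
E = 65537
BLOCK_BYTES = 8  # block length 8, as on the slide


def make_keypair(p, q, e):
    """Return ((n, e), d) with gcd(phi(n), e) = 1 and e*d = 1 mod phi(n)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(phi, e) != 1:
        raise ValueError("e must be coprime to phi(n)")
    return (n, e), pow(e, -1, phi)


def encrypt(text, public_key):
    """Block-wise encryption: every block is an integer m_j with 0 <= m_j < n."""
    n, e = public_key
    if 2 ** (8 * BLOCK_BYTES) > n:          # block size r must satisfy 2^r <= n
        raise ValueError("block does not fit below the modulus")
    data = text.encode("ascii")
    blocks = [data[i:i + BLOCK_BYTES] for i in range(0, len(data), BLOCK_BYTES)]
    return [pow(int.from_bytes(b, "big"), e, n) for b in blocks]


def decrypt(blocks, n, d):
    """M_i = C_i^d mod N. Assumes ASCII text, so no block starts with a zero byte."""
    out = b""
    for c in blocks:
        m = pow(c, d, n)
        out += m.to_bytes((m.bit_length() + 7) // 8, "big")
    return out.decode("ascii")


def pollard_rho(n):
    """Return a non-trivial factor of an odd composite n (Pollard's rho)."""
    for c in range(1, 20):                  # retry with another polynomial if needed
        x = y = 2
        g = 1
        while g == 1:
            x = (x * x + c) % n             # tortoise: one step
            y = (y * y + c) % n             # hare: two steps
            y = (y * y + c) % n
            g = gcd(abs(x - y), n)
        if g != n:
            return g
    raise RuntimeError("no factor found")


def recover_private_key(public_key):
    """Derive d from the public key alone, which works only because n is short."""
    n, e = public_key
    p = pollard_rho(n)
    q = n // p
    return pow(e, -1, (p - 1) * (q - 1))


if __name__ == "__main__":
    public, d = make_keypair(P, Q, E)
    ciphertext = encrypt("The text shall be deciphered!", public)
    d_recovered = recover_private_key(public)   # the ciphertext is not needed here
    print(d_recovered == d, decrypt(ciphertext, public[0], d_recovered))
```

The cost of this recovery is entirely the cost of factoring n, which is why the RSA key length is the security parameter that matters on this slide.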
Examples (4)
Analysis of encryption used in the PSION 5
Practical application of cryptanalysis:
Attack on the encryption option in the PSION 5 PDA word processing application
Starting point: an encrypted file on the PSION
Requirements
Encrypted English or German text
Depending on method and key length, 100 bytes up to several kB of text
Procedure
Pre-analysis (entropy, floating entropy, compression test): probably classical encryption algorithm
Autocorrelation
Try out automatic analysis with classical methods
Examples (4)
PSION 5 PDA: determine entropy, compression test
Examples (4)
PSION 5 PDA: determine autocorrelation
* The encrypted file is available with CrypTool (see CrypTool\examples\psionenc.hex)
Examples (4)
PSION 5 PDA: automatic analysis
Automatic analysis using
Vigenère: no success
XOR: no success
binary addition:
CrypTool calculates the key length using autocorrelation: 32 bytes
The user can choose which character is expected to occur most frequently: e = 0x65 (ASCII code)
Analysis calculates the most likely key (based on the assumptions about distribution)
Result: good, but not perfect
Examples (4)
PSION 5 PDA: results of automatic analysis
Results of automatic analysis with assumption binary addition:
Result is good, but not perfect: 24 out of 32 key bytes correct.
The key length 32 was correctly determined.
Examples (4)
PSION 5 PDA: determining the remaining key bytes
Copy key to clipboard during automatic analysis
In automatic analysis hex dump:
Determine incorrect byte positions, e.g. 0xAA at position 3
Guess and write down corresponding correct bytes: e = 0x65
In encrypted initial file hex dump:
Determine initial bytes from the calculated byte positions: 0x99
Calculate correct key bytes with CALC.EXE: 0x99 - 0x65 = 0x34
Key from the clipboard
Correct: 12865B341498872C393E43741396A45670235E111E907AB7C0841...
Decrypt encrypted initial document using binary addition
Bytes at position 3, 3+32, 3+2*32, ... are now correct
Examples (5)
Weak DES key
encrypt 2 times with results in plaintext
Examples (6)
Locate key material
Examples (6)
Comparison on floating frequency with other files
Examples (7)
Attack on digital signature
Examples (7)
Attack on digital signature: idea (I)
Attack on the digital signature of an ASCII text based on hash collision search.
Idea:
ASCII texts can be modified by changing/inserting non-printable characters, without changing the visible content
Modify two texts in parallel until a hash collision is found
Exploit the birthday paradox (birthday attack)
Generic attack applicable to all hash functions
Can be run in parallel on many machines (not implemented)
Implemented in CrypTool as part of the bachelor thesis "Methods and Tools for Attacks on Digital Signatures" (German), 2003.
Examples (7)
Attack on digital signature: idea (II)
[Figure: harmless message M^H and evil message M^S; 1. modification, 2. compare hashes, 3. identical signatures]
1. Modification: starting from a message M create N different messages M_1, ..., M_N with the same content as M.
2. Search: find modified messages M_i^H and M_j^S with the same hash value.
3. Attack: the signatures of those two documents M_i^H and M_j^S are the same.
Locate Hash Collisions (1)
Mapping via text modifications
[Figure: randomly selected starting point for collision search; chain of "modify" and "hash" steps on the harmless message; black: all nodes within the cycle]
Locate Hash Collisions (2)
Floyd Algorithm: meet within the cycle
[Figure: graph of the mapping with numbered nodes and the starting point. Step 1: Locate matching point within cycle.]
Locate Hash Collisions (3)
Step into cycle (Extension of Floyd): find entry point
[Figure: the same graph with the entry point marked. Step 2: Locate entry point of series 1 in the cycle [25].]
Birthday Paradox Attack on Digital Signature
Examination of Floyd algorithm
Visual and interactive presentation of the Floyd algorithm ("Moving through the mapping" into a cycle).
Adaptation of the Floyd algorithm for a digital signature attack.
Examples (7)
Attack on digital signature
An example for a "good" mapping (nearly all nodes are green). In this graph almost all nodes belong to a big tree, which leads into the cycle with an even hash value and where the entry point predecessor within the cycle is odd. That means that the attacker finds a useful collision for nearly all starting points.
Good Collision
Examples (7)
Attack on digital signature: attack
[Figure: steps 1. to 4.]
Examples (7)
Attack on digital signature: results
Experimental results
MD5: 4F 47 DF 1F D2 DE CC BE 4B 52 86 29 F7 A8 1A 9A
MD5: 4F 47 DF 1F 30 38 BB 6C AB 31 B7 52 91 DC D2 70
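The two Floyd steps (meet within the cycle, then walk to the entry point) and the even/odd mapping onto a harmless and an evil text can be reproduced on a hash that is deliberately too short. This is an added example, not CrypTool's implementation: the message texts, the 20-bit truncation of MD5, the space/tab encoding of the modification and the `salt` retry are all assumptions made for the sketch.

```python
"""Added example: memoryless collision search (Floyd) on a 20-bit truncated hash."""
import hashlib

HARMLESS = b"I agree to pay 10 EUR."      # constructed sample texts
EVIL = b"I agree to pay 10000 EUR."
BITS = 20                                 # truncated width; full MD5 has 128 bits


def truncated_md5(message):
    """First BITS bits of MD5, standing in for a hash value that is too short."""
    return int.from_bytes(hashlib.md5(message).digest()[:4], "big") >> (32 - BITS)


def variant(h, salt):
    """Map a hash value to a message: even -> harmless text, odd -> evil text.
    The bits of h and of the salt become trailing spaces/tabs, so the visible
    content of the text does not change."""
    base = HARMLESS if h % 2 == 0 else EVIL
    code = (salt << BITS) | h
    pad = bytes(0x09 if (code >> i) & 1 else 0x20 for i in range(BITS + 8))
    return base + pad


def floyd_collision(f, start):
    """Return (a, b) with a != b and f(a) == f(b), or None if start is on the cycle."""
    tortoise, hare = f(start), f(f(start))
    while tortoise != hare:               # step 1: meet within the cycle
        tortoise, hare = f(tortoise), f(f(hare))
    tortoise = start                      # step 2: walk both to the entry point
    if tortoise == hare:
        return None                       # no tail, hence no collision from here
    while f(tortoise) != f(hare):
        tortoise, hare = f(tortoise), f(hare)
    return tortoise, hare                 # the two predecessors of the entry point


def find_signature_collision():
    """Return (harmless_variant, evil_variant) with the same truncated hash."""
    for salt in range(256):               # each salt gives a fresh mapping
        def mapping(h, s=salt):
            return truncated_md5(variant(h, s))
        pair = floyd_collision(mapping, start=0)
        if pair and pair[0] % 2 != pair[1] % 2:        # a "good" collision
            even, odd = sorted(pair, key=lambda h: h % 2)
            return variant(even, salt), variant(odd, salt)
    raise RuntimeError("no useful collision found")


if __name__ == "__main__":
    good, evil = find_signature_collision()
    print(hex(truncated_md5(good)), hex(truncated_md5(evil)))
    print(repr(good))
    print(repr(evil))
```

The search needs on the order of 2^(BITS/2) hash evaluations and no table of earlier values, so resistance to it comes only from the length of the hash output.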
Examples (8)
Authentication in a client-server environment
Interactive demo for different authentication methods.
Defined opportunities of the attacker.
You can play the role of an attacker.
Learning effect: Only mutual authentication is secure.
Examples (9)
Demonstration of a side-channel attack (on a hybrid encryption protocol)
Examples (9)
Idea for this side-channel attack
Ulrich Kühn, "Side-channel attacks on textbook RSA and ElGamal encryption", 2003
Prerequisites:
RSA encryption: C = M^e (mod N) and decryption: M = C^d mod N.
128-bit session keys (in M) are wordbook encoded (null padding).
The server knows the secret key d and
uses after decryption the 128 least significant bits only (no validation of zero-padding bits) (that means the server does not recognize if there is something other than zero);
prompts an error message if the encryption attempt results in a wrong session key (decrypted text cannot be interpreted by the server). In all other cases there will be no message.
Idea for attack: Approximation for Z out of the equation N = M * Z per M = |N/Z|
M = 000...000 (null padding) | session key
C = M^e (mod N)
[Figure labels: M.Z.2128, M]
Examples (10)
Mathematics: Attacks on RSA using lattice reduction
These assumptions are realistic
Examples (11)
Random analysis with 3D visualisation
3D visualisation for random analysis
Example 1
Open an arbitrary file (e.g. report in Word or PowerPoint presentation)
It is recommended to select a file with at least 100 kB
3D analysis using menu: Analysis \ Analyse Randomness \ 3D Visualization
Result: structures are easily recognisable
Example 2
Generation of random numbers: Indiv. Procedures \ Tools \ Generate Random Numbers
It is recommended to generate at least 100.000 random bytes
3D analysis using menu: Analysis \ Analyse Randomness \ 3D Visualization
Result: uniform distribution (no structures are recognisable)
Examples (12)
Secret sharing with CRT: implementation of the Chinese remainder theorem (CRT)
Examples (12)
Shamir secret sharing
Secret sharing example (2)
Problem
A secret value should be split for n people.
t out of n people are required to restore the secret value K.
(t, n) threshold scheme
Menu: Indiv. Procedures \ Secret Sharing Demonstration (Shamir)
1. Enter the secret K, number of persons n and threshold t
2. Generate polynomial
3. Use parameters
Using "Reconstruction" the secret can be restored
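The three dialog steps and the reconstruction correspond to the following (t, n) threshold scheme. This is an added example, not CrypTool's code: the field modulus 2^127 - 1 and the share numbering x = 1..n are assumptions of the sketch.

```python
"""Added example: Shamir (t, n) secret sharing over a prime field."""
import secrets

PRIME = 2**127 - 1   # field modulus (a Mersenne prime); assumption of this example


def split_secret(secret, n, t):
    """Return n shares (x, y); any t of them restore the secret K."""
    if not (1 <= t <= n < PRIME and 0 <= secret < PRIME):
        raise ValueError("need 1 <= t <= n and 0 <= secret < PRIME")
    # "Generate polynomial": degree t-1, constant term K, other coefficients random
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(t - 1)]

    def poly(x):
        y = 0
        for c in reversed(coeffs):           # Horner evaluation mod PRIME
            y = (y * x + c) % PRIME
        return y

    return [(x, poly(x)) for x in range(1, n + 1)]


def reconstruct(shares):
    """"Reconstruction": Lagrange interpolation of the polynomial at x = 0."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share")
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret


if __name__ == "__main__":
    K = 123456789                            # constructed sample secret
    shares = split_secret(K, n=5, t=3)
    print(reconstruct(shares[:3]) == K)      # any 3 shares suffice
    print(reconstruct(shares[:2]) == K)      # 2 shares give an unrelated value
```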
Examples (13)
Implementation of CRT to solve linear modular equation systems
Scenario in astronomy
How long does it take until a given number of planets (with different rotation times) become aligned?
The result is a linear modular equation system that can be solved with the Chinese remainder theorem (CRT).
In this demo you can enter up to 9 equations and compute a solution using the CRT.
Examples (14)
Visualisation of symmetric encryption methods using ANIMAL (1)
Animation speed
Scaling of visualisation
CrypTool
Menu: Indiv. Procedures \ Visualization of algorithms \ Interactive animation control using integrated control center window.
Animation controls (next, forward, pause, etc.)
Direct selection of an animation step
Examples (14)
Visualisation of symmetric encryption methods using ANIMAL (2)
Visualization of DES encryption
Examples (15)
Visualisation of AES (Rijndael cipher)
Rijndael Animation (the Rijndael cipher was the winner of the AES submission)
Visualisation shows animation of the round-based encryption process (using fixed data)
Rijndael Inspector
Encryption process for testing (using your own data)
Examples (16)
Visualisation of the Enigma encryption
Select rotors
Change rotor setting
Change plugs
Examples (17)
Generation of a message authentication code (MAC)
Message Authentication Code (MAC)
- Ensures integrity of a message
- Authentication of the message
- Basis: a common key
Generation of a MAC in CrypTool
1. Choose a hash function
2. Select MAC variant
3. Enter a key (depending on MAC variant also two keys)
4. Generation of the MAC (automatic)
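The same four steps in code, as an added example that is not CrypTool's own implementation: HMAC (RFC 2104) is assumed as the MAC variant, built here from the bare hash function so the role of the common key is visible, and verification uses a constant-time comparison. Key, message and function names are constructed for this example.

```python
import hashlib
import hmac

def hmac_manual(key: bytes, message: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC as defined in RFC 2104, built from the bare hash function."""
    def h(data: bytes) -> bytes:
        return hashlib.new(hash_name, data).digest()

    block_size = hashlib.new(hash_name).block_size
    if len(key) > block_size:             # over-long keys are hashed first
        key = h(key)
    key = key.ljust(block_size, b"\x00")  # then zero-padded to one block
    inner = bytes(b ^ 0x36 for b in key)
    outer = bytes(b ^ 0x5C for b in key)
    return h(outer + h(inner + message))

def verify(key: bytes, message: bytes, tag: bytes, hash_name: str = "sha256") -> bool:
    """Recompute the MAC and compare in constant time."""
    return hmac.compare_digest(hmac_manual(key, message, hash_name), tag)

# Constructed sample values
KEY = b"shared secret key"
MESSAGE = b"Transfer 100 EUR to account 12345"

if __name__ == "__main__":
    tag = hmac_manual(KEY, MESSAGE)
    print(tag.hex())
    print(verify(KEY, MESSAGE, tag))                           # unchanged message
    print(verify(KEY, MESSAGE.replace(b"100", b"900"), tag))   # modified message
    print(verify(b"another key", MESSAGE, tag))                # wrong key
```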
Examples (18)
Hash demonstration
Sensitivity of hash functions to plaintext modifications
1. Select a hash function
2. Modification of characters in plaintext
Example: Entering a blank after CrypTool in the example text results in a 50.6% change of the bits of the generated hash value.
A good hash function should react sensitively to even the smallest change within the plaintext - avalanche effect (small change, big impact).
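A way to measure this sensitivity, as an added example that is not CrypTool's own code: it compares the hashes of two texts bit by bit and, going beyond the single edit on the slide, flips every input bit in turn to show that the share of changed hash bits stays close to 50%. The sample text is constructed (it is not CrypTool's example text, so the 50.6% figure is not reproduced), and the function names are assumptions.

```python
import hashlib

def changed_bits_percent(d1: bytes, d2: bytes) -> float:
    """Share of bit positions (in %) that differ between two equal-length digests."""
    if len(d1) != len(d2):
        raise ValueError("digests must have the same length")
    differing = sum(bin(a ^ b).count("1") for a, b in zip(d1, d2))
    return 100.0 * differing / (8 * len(d1))

def digest(data: bytes, hash_name: str) -> bytes:
    return hashlib.new(hash_name, data).digest()

def compare_texts(text_a: str, text_b: str, hash_name: str = "sha256") -> float:
    """Percentage of hash bits that change between two plaintexts."""
    return changed_bits_percent(digest(text_a.encode(), hash_name),
                                digest(text_b.encode(), hash_name))

def single_bit_avalanche(text: str, hash_name: str = "sha256"):
    """Flip every input bit in turn; return (min, mean, max) % of changed hash bits."""
    data = text.encode()
    base = digest(data, hash_name)
    results = []
    for i in range(8 * len(data)):
        flipped = bytearray(data)
        flipped[i // 8] ^= 1 << (i % 8)
        results.append(changed_bits_percent(base, digest(bytes(flipped), hash_name)))
    return min(results), sum(results) / len(results), max(results)

# Constructed sample text; MODIFIED has one blank added after "CrypTool".
ORIGINAL = "CrypTool is a free e-learning program for cryptology."
MODIFIED = "CrypTool  is a free e-learning program for cryptology."

if __name__ == "__main__":
    print(f"blank inserted: {compare_texts(ORIGINAL, MODIFIED):.1f}% of hash bits changed")
    lo, mean, hi = single_bit_avalanche(ORIGINAL)
    print(f"single-bit flips: min {lo:.1f}%, mean {mean:.1f}%, max {hi:.1f}%")
```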
Examples (19)
Learning tool for number theory
Number theory supported by graphical elements and tools to try out
Topics:
1. Integers
2. Residue classes
3. Prime generation
4. Public-key cryptography
5. Factorization
6. Discrete logarithms
Examples (20)
Point addition on elliptic curves
Example 2
- Mark point P on the curve
- Press button 2*P: The tangent of point P intersects the curve in point R
- Mirroring on the X axis results in point R
Change curve parameters
Delete points
Log file of calculations
Examples (21)
Password Quality Meter (PQM) 1
Examples (21)
Password Quality Meter (PQM) 2
Findings of the Password Quality Meter
- Password quality depends primarily on the length of the password.
- A higher quality of the password can be achieved by using different types of characters: upper/lower case, numbers and special characters (password space)
- Password entropy as indicator of the randomness of password characters of the password space (higher password entropy results in improved password quality)
- Passwords should not exist in a dictionary (remark: a dictionary check is not yet implemented in CrypTool).
Quality of a password from an attacker's perspective
Attack on a password (if any number of attempts are possible):
1. Classical dictionary attack
2. Dictionary attack with variants (e.g. 4-digit number combinations: Summer2007)
3. Brute-force attack by testing all combinations (with additional parameters such as limitations on the types of character sets)
Examples (22)
Brute-force analysis 1
Brute-force analysis
Optimised brute-force analysis under the assumption that the key is partly known.
Example: Analysis with DES (ECB)
Attempt to find the remainder of the key in order to decrypt an encrypted text (Assumption: The plaintext is a block of 8 ASCII characters).

Key (Hex)          Encrypted text (Hex)
68ac78dd40bbefd*   66b9354452d29eb5
0123456789ab****   1f0dd05d8ed51583
98765432106*****   bcf9ebd1979ead6a
0000000000******   8cf42d40e004a1d4
000000000000****   0ed33fed7f46c585
abacadaba*******   d6d8641bc4fb2478
dddddddddd******   a2e66d852e175f5c
Examples (22)
Brute-force analysis 2
1. Input of encrypted text
2. Use brute-force analysis
3. Input partly known key
4. Start brute-force analysis
5. Analysis of the results: Low entropy as evidence of a possible decryption. However, because a very short plaintext has been used in this example, the correct result does not have the lowest entropy.
Menu: Analysis \ Symmetric Encryption (modern) \ DES (ECB)
Use View \ Show as HexDump
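Why the entropy ranking in step 5 is only a hint for an 8-byte block, as an added example that is not CrypTool's own code: every completion of a partly known key is tried and the results are sorted by entropy, then filtered by the slide's assumption of 8 ASCII characters. Python's standard library has no DES, so a toy XOR cipher stands in for it; the key, plaintext and function names are constructed for this example.

```python
import hashlib
import math
from collections import Counter

def toy_crypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for DES (ECB): XOR with a key-derived pad. Encrypts and decrypts.
    Not a real cipher; it only gives each key its own 8-byte decryption."""
    pad = hashlib.sha256(key).digest()[:len(block)]
    return bytes(b ^ p for b, p in zip(block, pad))

def entropy(data: bytes) -> float:
    """Shannon entropy of the byte values, in bits per byte."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def brute_force(known: bytes, unknown_len: int, ciphertext: bytes):
    """Try every completion of a partly known key.
    Returns (entropy, key, text) tuples, lowest entropy first."""
    hits = []
    for tail in range(256 ** unknown_len):
        key = known + tail.to_bytes(unknown_len, "big")
        text = toy_crypt(key, ciphertext)
        hits.append((entropy(text), key, text))
    hits.sort(key=lambda h: h[0])
    return hits

def printable_only(hits):
    """Apply the assumption that the plaintext is 8 printable ASCII characters."""
    return [h for h in hits if all(0x20 <= b <= 0x7E for b in h[2])]

# Constructed sample: 8-byte key whose last 2 bytes are unknown to the analyst.
KEY = bytes.fromhex("a1b2c3d4e5f60718")
PLAINTEXT = b"CrypTool"
CIPHERTEXT = toy_crypt(KEY, PLAINTEXT)

if __name__ == "__main__":
    hits = brute_force(KEY[:6], 2, CIPHERTEXT)
    rank = next(i for i, h in enumerate(hits) if h[1] == KEY)
    print(f"{len(hits)} keys tried, correct key at entropy rank {rank}")
    print(f"{len(printable_only(hits))} candidates are printable ASCII")
```

An 8-byte block can reach at most 3 bits of entropy per byte, so random decryptions with repeated bytes score lower than real text; the plaintext-format filter narrows the list far more than the entropy score does.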
Examples (23)
CrypTool online help 1
Menu: Help \ Starting Page
Examples (23)
CrypTool online help 2
Content
I. CrypTool and Cryptology Overview
II. CrypTool Features
III. Examples
IV. Project / Outlook / Contact
Future CrypTool Development (1)
Planned after release 1.4.30 (see readme file)

CT1.x     Mass pattern search
JCT       Visualisation of interoperability of S/MIME and OpenPGP formats
JCT       Tripartite key agreements
JCT       Analysis of entropy
JCT       Statistical analysis of block ciphers
CT2       Comprehensive visualisation on the topic of prime numbers
CT2       Demonstration of Bleichenbacher's RSA signature forgery
CT2       Demonstration of virtual credit card numbers (approach against credit card abuse)
CT2       WEP encryption and WEP analysis
CT2       Graphical design oriented mode for beginners plus expert mode
CT2/JCT   Creation of a command line version for batch processing
CT2/JCT   Modern pure plugin architecture with loading of plugins
All       Further parameterization / Increasing the flexibility of present algorithms
Idea      Visualisation of the SSL protocol
Idea      Demonstration of visual cryptography
Idea      Integration of crypto library crypto++ from Wei Dai

CT = CrypTool, CT2 = CrypTool 2.0, JCT = JCrypTool
Future CrypTool Development (2)
In Progress (see readme file)
1. JCT: Port and redesign of CrypTool in Java / SWT / Eclipse 3.4 / RCP
   see: http://jcryptool.sourceforge.net
   Milestone 4 available for users and developers (February 2009)
2. CT2: Port and redesign of the C++ version with C# / WPF / VS2008 / .NET 3.5
   direct successor of current releases: allows visual programming,
   Beta 1 available for users and developers (July 2008, permanently updated)
3. C2L: Direct port of the C++ version to Linux with Qt4 (very slow progress)
   see: http://www.cryptoolinux.net
CrypTool 2 (CT2)
JCrypTool (JCT)
CrypTool as a Framework
Proposal
- Reuse the comprehensive set of algorithms, included libraries and interface elements as foundation
- Free of charge training in Frankfurt, how to start with CrypTool development
- Advantage: Your own code does not disappear, but will be maintained
Future development environments
For versions after 1.4.3x:
CT2    C# version: .NET with Visual Studio 2008 Express Edition (free), WPF and Perl
Java   Java version: Eclipse 3.4, RCP, SWT (free)
C2L    C++ version for Linux with Qt 4.x, GCC 4.x and Perl
CrypTool - Request for Contribution
Every contribution to the project is highly appreciated
- Feedback, criticism, suggestions and ideas
- Integration of additional algorithms, protocols, analysis (consistency and completeness)
- Development assistance (programming, layout, translation, test)
  - For the current C/C++ project
  - For the new projects
    C# project: CrypTool 2.0
    Java project: JCrypTool
- Especially University faculties using CrypTool for educational purposes are invited to contribute to the further development of CrypTool.
- Significant contributions can be referenced by name (in help, readme, about dialog and on the CrypTool website).
- Currently CrypTool is being downloaded more than 3000 times a month (with 1/3 for the English version).
CrypTool - Summary
- THE e-learning program for cryptology
- For more than 10 years a successful open source project
- More than 200,000 downloads
- International utilisation in schools, universities as well as companies and government agencies
- Extensive online help and documentation
- Available for free and multi-language support
Contact
Prof. Bernhard Esslinger
University of Siegen, Faculty 5, Economics and Business Computing
Deutsche Bank AG, Director, IT Security Manager
Additional Literature
As introduction to cryptology
- Simon Singh, The Codebook, 1999, Doubleday
- Klaus Schmeh, Codeknacker gegen Codemacher. Die faszinierende Geschichte der Verschlüsselung, 2nd edition, 2007, W3L [German]
- Udo Ulfkotte, Wirtschaftsspionage, 2001, Goldmann [German]
- Johannes Buchmann, Introduction to Cryptography, 2nd edition, 2004, Springer
- Claudia Eckert, IT-Sicherheit, 5th edition, 2008, Oldenbourg [German]
- A. Beutelspacher / J. Schwenk / K.-D. Wolfenstetter, Moderne Verfahren der Kryptographie, 5th edition, 2004, Vieweg [German]
- [HAC] Menezes, van Oorschot, Vanstone, Handbook of Applied Cryptography, 1996, CRC Press
- van Oorschot, Wiener, Parallel Collision Search with Application to Hash Functions and Discrete Logarithms, 1994, ACM
- Additional cryptography literature: see also the links at the CrypTool web page and the literature in the CrypTool online help (e.g. by Wätjen, Salomaa, Brands, Schneier, Shoup, Stamp/Low, ...)
Importance of cryptography in the broader context of IT security and risk management
- See e.g. Kenneth C. Laudon / Jane P. Laudon / Detlef Schoder, Wirtschaftsinformatik, 2005, Pearson, chapter 14 [German]
- See Wikipedia (http://en.wikipedia.org/wiki/Risk_management)
www.cryptoportal.org