
A Classical Introduction to Cryptography: Applications for Communications Security PDF

343 Pages·2006·1.494 MB·English

Preview A Classical Introduction to Cryptography: Applications for Communications Security

A CLASSICAL INTRODUCTION TO CRYPTOGRAPHY
Applications for Communications Security

by Serge Vaudenay
Swiss Federal Institute of Technology (EPFL)

Serge Vaudenay
Ch. de Riant-Mont 4
CH-1023 Crissier
Switzerland

Library of Congress Cataloging-in-Publication Data
A C.I.P. Catalogue record for this book is available from the Library of Congress.

A CLASSICAL INTRODUCTION TO MODERN CRYPTOGRAPHY: Applications for Communications Security
by Serge Vaudenay, Swiss Federal Institute of Technology (EPFL)

ISBN-10: 0-387-25464-1
e-ISBN-10: 0-387-25880-9
ISBN-13: 978-0-387-25464-7
e-ISBN-13: 978-0-387-25880-5

Printed on acid-free paper.

© 2006 Springer Science+Business Media, Inc.
All rights reserved. This work may not be translated or copied in whole or in part without the written permission of the publisher (Springer Science+Business Media, Inc., 233 Spring Street, New York, NY 10013, USA), except for brief excerpts in connection with reviews or scholarly analysis. Use in connection with any form of information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed is forbidden.
The use in this publication of trade names, trademarks, service marks and similar terms, even if they are not identified as such, is not to be taken as an expression of opinion as to whether or not they are subject to proprietary rights.

Printed in the United States of America.
9 8 7 6 5 4 3 2 1
SPIN 11357582, 11426141
springeronline.com

To Christine and Emilien

Contents

(Sections marked * carry a special symbol in the book's table of contents; the extraction rendered it as "(cid:1)".)

Preamble  xv

1 Prehistory of Cryptography  1
  1.1 Foundations of Conventional Cryptography  1
    1.1.1 The Origins of Cryptography  1
    1.1.2 Key Words  2
    1.1.3 Transpositions, Substitutions, and Secret Keys  4
    1.1.4 Vernam Cipher  7
    1.1.5 Enigma: Toward Industrial Cryptography  8
  1.2 Roots of Modern Cryptography  10
    1.2.1 Cryptographic Problems: The Fundamental Trilogy  10
    1.2.2 Assumptions of Modern Cryptography  11
    1.2.3 Adversarial Models  12
    1.2.4 Cryptography from Various Perspectives  13
    1.2.5 Methodology  15
  1.3 * The Shannon Theory of Secrecy  15
    1.3.1 * Secrecy of Communication  15
    1.3.2 * Entropy  17
    1.3.3 * Perfect Secrecy  18
    1.3.4 * Product Ciphers  19
  1.4 Exercises  19

2 Conventional Cryptography  21
  2.1 The Data Encryption Standard (DES)  22
  2.2 DES Modes of Operation  25
    2.2.1 Electronic Code Book (ECB)  25
    2.2.2 Cipher Block Chaining (CBC)  26
    2.2.3 Output Feedback (OFB)  27
    2.2.4 Cipher Feedback (CFB)  29
    2.2.5 Counter Mode (CTR)  30
  2.3 Multiple Encryption  30
    2.3.1 Double Mode  30
    2.3.2 Triple Mode  31
  2.4 An Application of DES: UNIX Passwords  31
  2.5 Classical Cipher Skeletons  32
    2.5.1 Feistel Schemes  32
    2.5.2 Lai–Massey Scheme  33
    2.5.3 Substitution–Permutation Network  36
  2.6 Other Block Cipher Examples  37
    2.6.1 * FOX: A Lai–Massey Scheme  37
    2.6.2 * CS-CIPHER: A Substitution–Permutation Network  40
  2.7 The Advanced Encryption Standard (AES)  42
  2.8 Stream Ciphers  46
    2.8.1 Stream Ciphers versus Block Ciphers  46
    2.8.2 RC4  46
    2.8.3 A5/1: GSM Encryption  48
    2.8.4 E0: Bluetooth Encryption  50
  2.9 Brute Force Attacks  51
    2.9.1 Exhaustive Search  52
    2.9.2 Dictionary Attack  53
    2.9.3 Codebook Attack  54
    2.9.4 * Time–Memory Tradeoffs  54
    2.9.5 Meet-in-the-Middle Attack  59
  2.10 Exercises  60

3 Dedicated Conventional Cryptographic Primitives  63
  3.1 Cryptographic Hashing  63
    3.1.1 Usage  63
    3.1.2 Threat Models  64
    3.1.3 From Compression to Hashing  65
    3.1.4 Example of MD5  66
    3.1.5 Examples of SHA and SHA-1  67
  3.2 The Birthday Paradox  70
  3.3 * A Dedicated Attack on MD4  74
  3.4 Message Authentication Codes  78
    3.4.1 Usage  78
    3.4.2 Threat Model  79
    3.4.3 MAC from Block Ciphers: CBC-MAC  80
    3.4.4 * Analysis of CBC-MAC  82
    3.4.5 * MAC from Stream Ciphers  86
    3.4.6 MAC from Hash Functions: HMAC  88
    3.4.7 An Authenticated Mode of Operation  90
  3.5 Cryptographic Pseudorandom Generators  92
    3.5.1 Usage and Threat Model  92
    3.5.2 * Congruential Pseudorandom Generator  92
    3.5.3 Practical Examples  93
  3.6 Exercises  95

4 * Conventional Security Analysis  97
  4.1 * Differential Cryptanalysis  97
  4.2 * Linear Cryptanalysis  103
  4.3 * Classical Security Strengthening  111
    4.3.1 * Nonlinearities  111
    4.3.2 * Characteristics and Markov Ciphers  112
    4.3.3 * Theoretical Differential and Linear Cryptanalysis  114
    4.3.4 * Ad hoc Construction  120
  4.4 * Modern Security Analysis  123
    4.4.1 * Distinguishability Security Model  123
    4.4.2 * The Luby–Rackoff Result  125
    4.4.3 * Decorrelation  126
  4.5 Exercises  132

5 Security Protocols with Conventional Cryptography  135
  5.1 Password Access Control  135
    5.1.1 UNIX Passwords  136
    5.1.2 Basic Access Control in HTTP  136
    5.1.3 PAP Access Control in PPP  137
  5.2 Challenge–Response Protocols  137
    5.2.1 Digest Access Control in HTTP  138
    5.2.2 CHAP Access Control in PPP  140
  5.3 One-Time Password  140
    5.3.1 Lamport Scheme  140
    5.3.2 S/Key and OTP  141
  5.4 Key Distribution  142
    5.4.1 The Needham–Schroeder Authentication Protocol  142
    5.4.2 Kerberos  143
    5.4.3 * Merkle Puzzles  145
  5.5 * Authentication Chains  145
    5.5.1 * Merkle Tree  145
    5.5.2 * Timestamps and Notary  147
  5.6 Wireless Communication: Two Case Studies  148
    5.6.1 The GSM Network  148
    5.6.2 The Bluetooth Network  150
  5.7 Exercises  153

6 Algorithmic Algebra  155
  6.1 Basic Group Theory  155
    6.1.1 Basic Set Theory  155
    6.1.2 Groups  157
    6.1.3 Generating a Group, Comparing Groups  158
    6.1.4 Building New Groups  159
    6.1.5 Fundamentals on Groups  159
  6.2 The Ring Z_n  160
    6.2.1 Rings  160
    6.2.2 Definition of Z_n  161
    6.2.3 Additions, Multiplications, Inversion  162
    6.2.4 The Multiplicative Group Z_n^*  166
    6.2.5 Exponentiation  167
    6.2.6 Z_mn: The Chinese Remainder Theorem  167
  6.3 The Finite Field Z_p  169
    6.3.1 Basic Properties of Z_p  169
    6.3.2 * Quadratic Residues  170
  6.4 Finite Fields  172
  6.5 * Elliptic Curves over Finite Fields  173
    6.5.1 * Characteristic p > 3  173
    6.5.2 * Characteristic Two  176
    6.5.3 * General Results  177
  6.6 Exercises  178

7 Algorithmic Number Theory  181
  7.1 Primality  181
    7.1.1 Fermat Test  181
    7.1.2 * Carmichael Numbers  182
    7.1.3 * Solovay–Strassen Test  184
    7.1.4 Miller-Rabin Test  187
    7.1.5 * Analysis of the Miller-Rabin Test  189
    7.1.6 Prime Number Generation  189
  7.2 * Factorization  190
    7.2.1 * Pollard Rho Method  190
    7.2.2 * Pollard p−1 Method  192
    7.2.3 * The Elliptic Curves Method (ECM)  194
    7.2.4 * Fermat Factorization and Factor Bases  196
    7.2.5 * The Quadratic Sieve  197
    7.2.6 * Factorization Nowadays  199
    7.2.7 * Factorization Tomorrow  199
  7.3 Computing Orders in Groups  201
    7.3.1 Finding the Group Exponent  201
    7.3.2 Computing Element Orders in Groups  202
  7.4 * Discrete Logarithm  203
    7.4.1 * Pollard Rho Method  204
    7.4.2 * Shanks Baby Steps–Giant Steps Algorithm  204
    7.4.3 * Pohlig–Hellman Algorithm  205
    7.4.4 * Factor Base and Index Calculus Algorithm  210
  7.5 Exercises  211

8 * Elements of Complexity Theory  215
  8.1 * Formal Computation  215
    8.1.1 * Formal Languages and Regular Expressions  215
    8.1.2 * Finite Automata  216
    8.1.3 * Beyond Finite Automata Capabilities  218
    8.1.4 * Turing Machines  218
  8.2 * Ability Frontiers  220
    8.2.1 * Standard Computational Models  220
    8.2.2 * Beyond Computability  220
    8.2.3 * Decisional Problems and Decidability  221
  8.3 * Complexity Reduction  222
    8.3.1 * Asymptotic Time Complexity  222
    8.3.2 * Complexity Classes P, NP, co-NP  223
    8.3.3 * Intractability  224
    8.3.4 * Oracles and Turing Reduction  225
  8.4 Exercises  226

9 Public-Key Cryptography  229
  9.1 Diffie–Hellman  229
    9.1.1 Public-Key Cryptosystems  230
    9.1.2 The Diffie–Hellman Key Agreement Protocol  231
  9.2 * Experiment with NP-Completeness  234
    9.2.1 * Knapsack Problem  235
    9.2.2 * The Merkle–Hellman Cryptosystem  235
  9.3 Rivest–Shamir–Adleman (RSA)  236
    9.3.1 Plain RSA Cryptosystem  236
    9.3.2 RSA Standards  240
    9.3.3 Attacks on Broadcast Encryption with Low Exponent  241
    9.3.4 Attacks on Low Exponent  241
    9.3.5 Side Channel Attacks  241
    9.3.6 * Bit Security of RSA  243
    9.3.7 * Back to the Encryption Security Assumptions  244
    9.3.8 RSA–OAEP  246
  9.4 ElGamal Encryption  248
  9.5 Exercises  250

10 Digital Signature  253
  10.1 Digital Signature Schemes  253
  10.2 RSA Signature  255
    10.2.1 From Public-Key Cryptosystem to Digital Signature  255
    10.2.2 On the Plain RSA Signature  256
    10.2.3 ISO/IEC 9796  257
    10.2.4 * Attack on the ISO/IEC 9796 Signature Scheme  259
    10.2.5 PKCS#1  260
  10.3 ElGamal Signature Family  260
    10.3.1 ElGamal Signature  260
    10.3.2 * The Bleichenbacher Attack against the ElGamal Signature  262
    10.3.3 Schnorr Signature  263
    10.3.4 The Digital Signature Standard (DSS)  264
    10.3.5 * ECDSA  264
    10.3.6 Pointcheval–Vaudenay Signature  266
  10.4 * Toward Provable Security for Digital Signatures  266
    10.4.1 * From Interactive Proofs to Signatures  266
    10.4.2 * Security in the Random Oracle Model  270
  10.5 Exercises  274

11 * Cryptographic Protocols  277
  11.1 * Zero-Knowledge  277
    11.1.1 * Notion of Zero-Knowledge  277
    11.1.2 * The Basic Fiat–Shamir Protocol  278
    11.1.3 * The Feige–Fiat–Shamir Protocol  280
  11.2 * Secret Sharing  282
    11.2.1 * The Shamir Threshold Scheme  283
    11.2.2 * Perfect Secret Sharing Schemes  284
    11.2.3 * Access Structure of Perfect Secret Sharing Schemes  285
    11.2.4 * The Benaloh–Leichter Secret Sharing Scheme  286
  11.3 * Special Purpose Digital Signatures  287
    11.3.1 * Undeniable Signature  288
    11.3.2 * Other Special Purpose Digital Signatures  291
  11.4 * Other Protocols  292
  11.5 Exercises  293

12 From Cryptography to Communication Security  295
  12.1 Certificates  296
  12.2 SSH: Secure Shell  297
    12.2.1 Principles of SSH  298
    12.2.2 SSH2 Key Exchange and Authentication  299
  12.3 SSL: Secure Socket Layer  300
    12.3.1 Handshake  301
    12.3.2 Cipher Suites  302
    12.3.3 Record Protocol  304
    12.3.4 Stream Cipher  304
    12.3.5 Block Cipher  304
    12.3.6 Master Key Exchange  305
    12.3.7 Key Derivation  306
