
Encryption

Encryption algorithms (ciphers) protect the confidentiality of data.

Some encryption algorithms can also be used for integrity checks.

A plaintext (clear text) x is converted into a ciphertext under the control of a key K
• we write eK(x)

Decryption with an appropriate key computes the plaintext from the ciphertext
• we write dK(x)

© J. Posegga, 52
Symmetric key encryption

[Figure: A encrypts the plaintext into the ciphertext; B decrypts the ciphertext back into the plaintext.]
Symmetric Encryption System

[Figure: a random number feeds the key generation of the secret key K, which is placed in the domain of trust (secret area) on both sides. The plaintext x is encrypted to the ciphertext eK(x), which crosses the untrusted area of attack, and is decrypted back to x = dK(eK(x)).]
Cryptanalysis

Cryptanalysis: the science of recovering the plaintext from the ciphertext without the key.

Always assume attackers know the algorithms used (Kerckhoffs' principle)
• Algorithms can be published to facilitate the evaluation of their security
• Security should depend on the secrecy of the key, not of the algorithm

Contrast this with security by obscurity.
• Analogy: hide a letter under your mattress versus lock it in a safe whose design has been published and whose locking mechanism has withstood attacks from the world's best safecrackers.
Defining Security with Games

No perfect security: many cryptographic functions are not unconditionally secure
• In theory most cryptographic functions can be broken
• A realistic adversary with bounded computing power breaks a secure function only with very small probability
• Nevertheless we want to argue formally about the security!

Games are frequently used to model formal security properties!
• A cryptosystem is considered secure if no adversary can win the game with significantly greater probability than an adversary who just guesses randomly
Model of Attack

We can think of the adversary as playing a game:
• Input: whatever the adversary necessarily knows from the beginning, e.g., the public key, the distribution of plaintexts, etc.
• Oracle: models the information the adversary can obtain during an attack. Different kinds of information characterise different types of attacks.
• Output: whatever the adversary wants to compute, e.g., the secret key, partial information on the plaintext, etc. He wins if he succeeds.
Attacks

1. Ciphertext-only attack
   Given: eK(x1), eK(x2), …
   Goal: deduce x1, x2, …, or K
2. Known plaintext attack
   Given: (x1, eK(x1)), (x2, eK(x2)), …
   Goal: deduce K
3. Chosen plaintext attack
   like 2, but the attacker can choose the xi
4. Adaptive chosen plaintext attack
   the attacker can not only choose plaintexts, but can adapt later plaintexts to the encryption results already obtained
5. Chosen ciphertext attack
   the attacker can choose different ciphertexts to be decrypted and gets access to the decrypted plaintexts
Cryptographic Security

1. Specify an oracle (a type of attack).
2. Define what the adversary needs to do to win the game, i.e., a condition on his output.
3. The system is secure under this definition if any efficient adversary wins the game with only negligible probability.
Example: Conventional Encryption

No input data for the adversary.

Chosen plaintext attack of the following kind:
• Case 1: when asked to encrypt a message x, the oracle returns the encryption of x under a fixed key that was chosen at random initially;
or:
• Case 2: the oracle returns the encryption of a randomly chosen message, totally independent of x.

Idea:
• In case 2 the adversary gets completely useless data.
• If he cannot tell this apart from correct encryptions, he cannot do any damage in the real world (case 1) either.
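The two oracle cases above turned into a runnable distinguishing game (an example added here, not from the slides). The toy ciphers, the repeat-query adversary and all function names are assumptions of this example: a fixed-key XOR cipher stands in for a deterministic conventional cipher, a hash-based stream cipher with a fresh nonce per message stands in for a randomised one, and a seeded random.Random keeps runs repeatable.

```python
import hashlib
import random

BLOCK = 8  # toy block size in bytes (assumption for this example)


def rand_bytes(rng, n):
    """Random bytes from a seeded random.Random, so that game runs are repeatable."""
    return rng.getrandbits(8 * n).to_bytes(n, "big")


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class XorCipher:
    """Toy deterministic cipher: eK(x) = x XOR K with a fixed key K chosen at random."""

    def __init__(self, rng):
        self.key = rand_bytes(rng, BLOCK)

    def encrypt(self, x):
        return xor_bytes(x, self.key)


class HashStreamCipher:
    """Toy randomised cipher: fresh nonce per message, key stream = SHA-256(K || nonce)."""

    def __init__(self, rng):
        self.key = rand_bytes(rng, 16)
        self.rng = rng

    def encrypt(self, x):
        nonce = rand_bytes(self.rng, 8)
        keystream = hashlib.sha256(self.key + nonce).digest()[: len(x)]
        return nonce + xor_bytes(x, keystream)


def play_game(cipher_cls, adversary, real, rng):
    """One run of the game. real=True is case 1 (the oracle encrypts the adversary's x);
    real=False is case 2 (the oracle encrypts a random message independent of x).
    The adversary returns True when it believes it is playing case 1."""
    cipher = cipher_cls(rng)

    def oracle(x):
        if real:
            return cipher.encrypt(x)
        return cipher.encrypt(rand_bytes(rng, len(x)))

    return adversary(oracle)


def repeat_query_adversary(oracle):
    """Ask for the same plaintext twice: identical answers betray a deterministic case-1 oracle."""
    x = b"\x00" * BLOCK
    return oracle(x) == oracle(x)


def advantage(cipher_cls, adversary, trials=200, seed=1):
    """|P[adversary says 'case 1' in case 1] - P[adversary says 'case 1' in case 2]|.
    A random guesser scores 0, a perfect distinguisher scores 1."""
    rng = random.Random(seed)
    real_hits = sum(play_game(cipher_cls, adversary, True, rng) for _ in range(trials))
    fake_hits = sum(play_game(cipher_cls, adversary, False, rng) for _ in range(trials))
    return abs(real_hits - fake_hits) / trials


if __name__ == "__main__":
    print("XOR cipher, repeat-query adversary:        ", advantage(XorCipher, repeat_query_adversary))
    print("hash stream cipher, repeat-query adversary:", advantage(HashStreamCipher, repeat_query_adversary))
```

Against the deterministic cipher the adversary wins case 1 every time (eK(x) is the same value twice) and essentially never mistakes case 2 (two different random messages), so its advantage is 1. Against the nonce-based cipher the two answers differ in both cases and the advantage is 0. A negligible advantage for every efficient adversary is exactly the condition stated on the previous slide.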

Definitions

A, the alphabet, is a finite set

M ⊆ A* is the message space. x ∈ M is a plaintext (message)

C is the ciphertext space, whose alphabet may differ from that of M

K denotes the key space, the set of keys

Each key K ∈ K determines a bijective function from M to C, denoted by eK; this is the encryption function

For each K ∈ K, dK denotes a bijection from C to M; this is the decryption function.

Applying eK (or dK) is called encryption (or decryption)
Encryption/decryption

An encryption scheme (or cipher) consists of a set { eK1 : K1 ∈ K } and a corresponding set { dK2 : K2 ∈ K } with the property that
• for each K1 ∈ K there is a unique K2 ∈ K such that dK2(eK1(x)) = x for all x ∈ M

K1 and K2 form a key pair

Constructing an encryption scheme requires fixing a message space M, a ciphertext space C and a key space K, as well as encryption transformations { eK1 : K1 ∈ K } and corresponding decryption transformations { dK2 : K2 ∈ K }
Example

Let M = {m1, m2, m3} and C = {c1, c2, c3}. There are 3! = 6 bijections from M to C. The key space K = {K1, K2, K3, K4, K5, K6} specifies these transformations:

[Diagram: the six bijections eK1, …, eK6, each drawn as three arrows from m1, m2, m3 to c1, c2, c3]

Suppose Alice and Bob agree on the transformation eK1. To encrypt m1, Alice computes eK1(m1) = c3. Bob decrypts c3 by reversing the arrows on the diagram and observing that c3 points to m1.
Symmetric Key Cryptography

An encryption scheme ({ eK1 : K1 ∈ K }, { dK2 : K2 ∈ K }) is symmetric if for each pair (eK1, dK2) it is computationally "easy" to determine dK2 knowing only eK1 (and vice versa). In practice: K1 = K2, the same key is used on both sides.

Symmetric ciphers (secret key cryptography): the same key is used for encryption and decryption
• Encryption protects e.g. documents on the way from A to B
• A and B have to share a key and keep it secret
• A procedure is required for A and B to obtain their shared key
• For n parties to communicate pairwise, n(n-1)/2 keys are needed, i.e. on the order of n² (a serious drawback in practice…)
Block Ciphers vs. Stream Ciphers

A block cipher is an encryption scheme that breaks up the plaintext message into strings (blocks) of a fixed length l and encrypts one block at a time.

A stream cipher is one where the block length is 1.

Codes work on words of varying length
• The translation is defined by a 'code-book', e.g.:

  Word        Code
  The         701
  secret      5603
  mischiefs   4008
  that        3790
  I           2879
  set         0524
  ...         ...
Caesar Cipher (n=3)

If each letter is simply replaced by the letter n places further down the alphabet (here n = 3), the plain text becomes a cipher text as follows:

  Plain:  A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
  Cipher: D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
Mono-alphabetic substitution ciphers

Let K be the set of all permutations on the alphabet A.

Define for each K ∈ K an encryption transformation eK on strings x = x1x2...xn ∈ M as

  eK(x) = K(x1)K(x2) · · · K(xn) = c1c2...cn = c

To decrypt c, apply the inverse permutation K^-1 letter by letter:

  dK(c) = K^-1(c1)K^-1(c2) · · · K^-1(cn) = x,  i.e. dK = eK^-1

eK is a mono-alphabetic substitution cipher.

Example: ROT13: shift each letter by 13 places (since 2·13 = 26, ROT13 is its own inverse).
In Unix: tr a-zA-Z n-za-mN-ZA-M
Security of such substitutions

Huge key space: the 26 letters give 26! ≈ 4·10^26 keys, but:
• Easily broken by analysing the frequency of letters in texts written in a certain language
• Tables can also be used for pairs of letters, or for pairs that never occur...
• Computers can break such "encryption" in real time.

Source: http://home.nordwest.net/hgm/krypto/intro.htm


Improvement: Homophonic Substitutions

Idea:
• Map groups of letters into new groups
• Expand the alphabet (numbers, special characters)

Important:
• Try to find a mapping that results in an equal distribution of characters; this reduces the risk of attacks based on letter frequency analysis

Problem:
• If an attacker gets access to the plain and cipher text of one message: game over....
  - N.B.: the plain text is in many cases partly known
Vigenère Ciphers

• Map each plain text character p into a cipher text character c:

  c = (p + K) mod 26  (K = key)

• K is not identical for each character, but is taken for instance from a "key phrase":

  EFFENBERGEFFENBERGEFF (key)
  VORLESUNGSICHERHEITIN (plain text)
  ZTWPRTYEMWNHLRSLVOXNS (cipher text)

More formally:

A key is given by a sequence of numbers e = e1, . . . , et, where each

  πi(a) = (a + ei) mod n

defines a permutation of the alphabet A with |A| = n; the i-th plain text character is encrypted with πi (i taken mod t).
Attacking Vigenère

If the length t of the key is known, split the text accordingly; then:
• Each of the t sub-texts is encrypted with a Caesar cipher.

Example: length = 4
• take the 1st, 5th, 9th, etc. character and attack with a letter frequency analysis
• continue with the 2nd, 6th, 10th, ...

If the length is unknown: try to guess it and attack as above
• Computers were built for stupid tasks like this...
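The shift ciphers of the preceding slides and the attack just described, as an added example (not from the slides): Vigenère encryption with a key phrase (a one-letter key is the Caesar cipher), a letter-frequency attack on each Caesar column using a chi-squared comparison against published English letter frequencies, and recovery of an unknown key length by trying lengths in turn. The frequency table is the standard published one; the sample text is constructed for this example, and all function names are assumptions.

```python
from string import ascii_uppercase as ALPHABET

# Relative letter frequencies of English text in percent (standard published table).
ENGLISH_FREQ = {
    "A": 8.167, "B": 1.492, "C": 2.782, "D": 4.253, "E": 12.702, "F": 2.228, "G": 2.015,
    "H": 6.094, "I": 6.966, "J": 0.153, "K": 0.772, "L": 4.025, "M": 2.406, "N": 6.749,
    "O": 7.507, "P": 1.929, "Q": 0.095, "R": 5.987, "S": 6.327, "T": 9.056, "U": 2.758,
    "V": 0.978, "W": 2.360, "X": 0.150, "Y": 1.974, "Z": 0.074,
}

# Constructed sample plaintext for the demonstration (long enough for frequency statistics).
SAMPLE_PLAINTEXT = (
    "THE SECURITY OF A CIPHER MUST NOT DEPEND ON KEEPING THE ALGORITHM SECRET. AN ATTACKER "
    "WHO KNOWS THE METHOD AND HAS ENOUGH CIPHERTEXT CAN STILL COUNT LETTERS AND COMPARE THE "
    "RESULT WITH THE FREQUENCIES OF ORDINARY ENGLISH. THE LETTER E IS THE MOST COMMON, "
    "FOLLOWED BY T AND A, AND THIS PATTERN SURVIVES ANY SIMPLE SHIFT OF THE ALPHABET. ONCE "
    "THE LENGTH OF THE KEY IS KNOWN THE TEXT FALLS APART INTO SEVERAL CAESAR CIPHERS THAT CAN "
    "EACH BE SOLVED ON THEIR OWN, AND THE WHOLE KEY IS RECOVERED WITHOUT GUESSING A SINGLE "
    "WORD OF THE MESSAGE. THIS IS WHY A LONG MESSAGE UNDER A SHORT REPEATING KEY OFFERS "
    "LITTLE PROTECTION AGAINST A PATIENT ADVERSARY WITH A TABLE OF LETTER FREQUENCIES."
)


def normalize(text):
    """Keep only the letters A-Z, upper-cased (the slides work on a 26-letter alphabet)."""
    return "".join(ch for ch in text.upper() if "A" <= ch <= "Z")


def shift_char(ch, k):
    return ALPHABET[(ALPHABET.index(ch) + k) % 26]


def vigenere_encrypt(plaintext, key):
    """c_i = (p_i + e_i) mod 26 with the key phrase repeated; a one-letter key is a Caesar cipher."""
    shifts = [ALPHABET.index(ch) for ch in normalize(key)]
    return "".join(shift_char(ch, shifts[i % len(shifts)]) for i, ch in enumerate(normalize(plaintext)))


def vigenere_decrypt(ciphertext, key):
    shifts = [ALPHABET.index(ch) for ch in normalize(key)]
    return "".join(shift_char(ch, -shifts[i % len(shifts)]) for i, ch in enumerate(normalize(ciphertext)))


def chi_squared(text):
    """Distance between the letter counts of `text` and the counts expected for English
    (lower means more English-like)."""
    n = len(text)
    total = 0.0
    for ch in ALPHABET:
        expected = n * ENGLISH_FREQ[ch] / 100
        total += (text.count(ch) - expected) ** 2 / expected
    return total


def break_caesar(column):
    """Try all 26 shifts and keep the one whose decryption looks most like English."""
    return min(range(26), key=lambda k: chi_squared("".join(shift_char(ch, -k) for ch in column)))


def break_vigenere(ciphertext, max_key_length=12):
    """The attack from the slide: for each candidate key length, take every t-th character
    starting at positions 1, 2, ..., t, solve each such column as a Caesar cipher, and keep
    the key length whose complete decryption is most English-like. A key length and its
    multiples decrypt to the same text and score identically, so the shortest one wins."""
    c = normalize(ciphertext)
    best = None
    for length in range(1, max_key_length + 1):
        if length > len(c):
            break
        columns = [c[i::length] for i in range(length)]
        key = "".join(ALPHABET[break_caesar(col)] for col in columns)
        plain = vigenere_decrypt(c, key)
        score = chi_squared(plain)
        if best is None or score < best[0]:
            best = (score, key, plain)
    return best[1], best[2]


if __name__ == "__main__":
    ct = vigenere_encrypt(SAMPLE_PLAINTEXT, "KEY")
    key, plain = break_vigenere(ct)
    print("recovered key:", key)
    print("plaintext starts:", plain[:40])
```

break_vigenere needs enough text per column (a few dozen letters at least) for the frequency statistics to settle; the 21-letter example on the slide is far too short to attack this way, which is why the code carries its own longer sample.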

One-time Pads

A one-time pad is a stream cipher defined on A = {0,1}
• A message x1x2...xn ∈ M is encrypted with a binary key string K = K1K2...Kn of the same length:

  eK(x1x2...xn) = (x1 ⊕ K1) (x2 ⊕ K2) ... (xn ⊕ Kn)

  and decrypted with the same operation:

  dK(y1y2...yn) = (y1 ⊕ K1) (y2 ⊕ K2) ... (yn ⊕ Kn)

• Every key sequence is equally likely, so for a given ciphertext every plaintext is equally likely!
• Provides unconditional (information-theoretic) security, if the key is truly random and never reused!
• Problem: securely exchanging and synchronizing long keys.
One-time pad

Provably secure cryptosystem, invented by Gilbert Vernam in 1918.

One-time pad = secret key, at least as long as the message to protect

Interpret the one-time pad as "noise" for the message; encryption and decryption with XOR:
• 0 means "don't flip", 1 means "flip"
• Example:

  Encryption                  Decryption
  Message     0110010         Encrypted   1101011
  Pad         1011001         Pad         1011001
  Encrypted   1101011         Message     0110010
Security of the One-time Pad

The security of the OTP depends on the randomness of the key.
• It is hard to define randomness precisely
• Fundamental properties:
  - Unpredictability: the probability of guessing the next bit is not better than ½ (independent of the number of bits of the sequence observed).
  - Equal distribution: the numbers of 1s and 0s are asymptotically equal.
  - Pseudo-randomness: the sequence appears random to a computationally bounded adversary.
Proof Sketch

The probability of a key bit being 1 or 0 is exactly ½.
• Plaintext bits are in general not balanced: let the probability of 0 be x, then the probability of 1 is 1-x.

Probability of the ciphertext bits ci = mi ⊕ ki:

  mi  prob.   ki  prob.   ci  prob.
  0   x       0   0.5     0   0.5 · x
  0   x       1   0.5     1   0.5 · x
  1   1-x     0   0.5     1   0.5 · (1-x)
  1   1-x     1   0.5     0   0.5 · (1-x)

Hence P[ci = 0] = 0.5 · x + 0.5 · (1-x) = ½ and likewise P[ci = 1] = ½, regardless of x: the ciphertext bit carries no information about the bias of the plaintext.
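The one-time pad, its proof sketch and its failure mode, as an added example (not from the slides). The pad comes from the operating system's random source via Python's secrets module; ciphertext_bit_distribution carries out the table above with exact fractions instead of floating point; recover_from_pad_reuse shows what the "never reused" condition protects against. Function names and sample messages are assumptions of this example.

```python
from fractions import Fraction
import secrets


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def otp_keygen(length):
    """A pad must be truly random and at least as long as the message (the slides' requirement)."""
    return secrets.token_bytes(length)


def otp_encrypt(message, pad):
    if len(pad) < len(message):
        raise ValueError("pad shorter than message")
    return xor_bytes(message, pad)


def otp_decrypt(ciphertext, pad):
    return xor_bytes(ciphertext, pad)  # same operation: flipping a bit twice restores it


def ciphertext_bit_distribution(p_zero):
    """The proof sketch as a calculation: the plaintext bit is 0 with probability x and
    1 with probability 1-x, the key bit is 0 or 1 with probability 1/2 each. Returns the
    exact distribution of the ciphertext bit c = m XOR k as {0: P[c=0], 1: P[c=1]}."""
    x = Fraction(p_zero)
    dist = {0: Fraction(0), 1: Fraction(0)}
    for m, p_m in ((0, x), (1, 1 - x)):
        for k in (0, 1):
            dist[m ^ k] += p_m * Fraction(1, 2)
    return dist


def recover_from_pad_reuse(c1, c2, known_m1):
    """Why a pad must never be reused: c1 XOR c2 = m1 XOR m2 because the pad cancels out,
    so anyone who knows (or guesses) m1 reads m2 without ever seeing the pad."""
    return xor_bytes(xor_bytes(c1, c2), known_m1)


if __name__ == "__main__":
    m1 = b"ATTACK AT DAWN"
    pad = otp_keygen(len(m1))
    c1 = otp_encrypt(m1, pad)
    assert otp_decrypt(c1, pad) == m1
    # heavily biased plaintext bits (70 % zeros) still give perfectly balanced ciphertext bits
    print(ciphertext_bit_distribution(Fraction(7, 10)))
    # the mistake: a second message under the same pad
    m2 = b"RETREAT AT ONC"
    c2 = otp_encrypt(m2, pad)
    print(recover_from_pad_reuse(c1, c2, m1))
```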

Transposition Ciphers

• A transposition does not change the letters themselves, but their position in the text
• Example: write the text in groups of 5 letters, and read it off in columns

  THISI
  SASIM
  PLEEX   →  TSPAHALMISEPSIELIMXE
  AMPLE
Historic Version (500 BC)

[Figure not reproduced]
Composite Ciphers

Ciphers based on just substitutions or just transpositions are in general not secure
• Ciphers need to be combined.

But:
• Two substitutions in sequence are just another substitution,
• Two transpositions in sequence are just another transposition,

A substitution followed by a transposition makes a new and (presumably) more secure cipher.
• Difficult to do by hand → invention of cipher machines
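Transpositions and substitutions as permutations, an added example (not from the slides) that makes the two "but" statements above checkable: a transposition is a permutation of positions and a substitution a permutation of the alphabet, and composing two of either kind gives one of the same kind. The column-read transposition reproduces the example on the transposition slide; shift_key(n) is the Caesar/ROT substitution. Function names are assumptions of this example.

```python
import random
from string import ascii_uppercase as ALPHABET


def column_read_permutation(n, width):
    """Positions of a 'write in rows of `width`, read off in columns' transposition on n letters.
    Entry j is the plaintext index that ends up at ciphertext position j."""
    if n % width:
        raise ValueError("text length must be a multiple of the width")
    height = n // width
    return [row * width + col for col in range(width) for row in range(height)]


def apply_permutation(text, perm):
    return "".join(text[i] for i in perm)


def invert_permutation(perm):
    inverse = [0] * len(perm)
    for j, i in enumerate(perm):
        inverse[i] = j
    return inverse


def compose_permutations(first, second):
    """One permutation doing the work of `first` followed by `second`."""
    return [first[i] for i in second]


def transposition_encrypt(text, width):
    return apply_permutation(text, column_read_permutation(len(text), width))


def transposition_decrypt(ciphertext, width):
    perm = column_read_permutation(len(ciphertext), width)
    return apply_permutation(ciphertext, invert_permutation(perm))


def shift_key(n):
    """Substitution key of the Caesar cipher with shift n (n = 13 is ROT13)."""
    return {ch: ALPHABET[(i + n) % 26] for i, ch in enumerate(ALPHABET)}


def random_substitution_key(rng):
    """One of the 26! mono-alphabetic substitutions."""
    letters = list(ALPHABET)
    rng.shuffle(letters)
    return dict(zip(ALPHABET, letters))


def substitute(text, key):
    return "".join(key[ch] for ch in text)


def compose_substitutions(first, second):
    """Substituting with `first` and then `second` is the single substitution x -> second[first[x]]."""
    return {ch: second[first[ch]] for ch in first}


if __name__ == "__main__":
    text = "THISISASIMPLEEXAMPLE"
    print(transposition_encrypt(text, 5))  # TSPAHALMISEPSIELIMXE, as on the slide
    # two transpositions collapse into one permutation of positions
    p5, p4 = column_read_permutation(20, 5), column_read_permutation(20, 4)
    twice = apply_permutation(apply_permutation(text, p5), p4)
    once = apply_permutation(text, compose_permutations(p5, p4))
    print("two transpositions == one transposition:", twice == once)
    # two substitutions collapse into one substitution
    rng = random.Random(1)
    k1, k2 = random_substitution_key(rng), random_substitution_key(rng)
    print("two substitutions == one substitution:",
          substitute(substitute(text, k1), k2) == substitute(text, compose_substitutions(k1, k2)))
    # substitution followed by transposition: the combination the slide recommends
    print(transposition_encrypt(substitute(text, shift_key(3)), 5))
```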

The Enigma

[Figure: photograph of an Enigma machine with labelled parts: the rotors, whose position determines the encryption key; the lamps, which display the cipher text; the keyboard, for input of the plain text; and the wiring (plugboard), which adds further permutations. Source: Deutsches Museum, München]
Enigma (I)

Consists of a sequence of rotors.

Each rotor is an electrically isolated device with 26 contacts on each side.

Each input contact is connected to an output contact; the wiring scheme is secret.

→ each rotor defines a substitution.

[Figure: current flowing through a rotor from an input contact to an output contact]
The Enigma Machine: Beyond Caesar Ciphers

(Source: Andrew Hodges: Alan Turing: The Enigma; Simon and Schuster; 1983)

https://spectrum.ieee.org/the-scandalous-history-of-the-last-rotor-cipher-machine
Properties of the Enigma

A letter never maps to itself

Encryption and decryption work with identical settings

About 2×10^20 different keys

Code books were used to transport the keys:
• A distinct setting of the rotors for each day, used to encrypt a per-message ("session") key
• The individual message keys were used to encrypt the transmissions

The Enigma was believed to be very secure
• this was in fact true compared to the state of the art in encryption at that time
• however, the scheme was broken...
Cryptanalysis of the Enigma

The Enigma scheme was broken during WW II without the Germans becoming aware of it.
• The Enigma was still believed to be secure (even after WW II).

Weaknesses of the Enigma scheme:
• The machine (or parts of it) became accessible to the adversary
• Certain specifics of the ciphering scheme

plus:
• The adversary spent enormous effort on breaking the scheme (Polish scientists, Bletchley Park)
• Lots of cipher text was available

Examples: [figures not reproduced]
Loss of Machines and Code Books

The Polish secret service obtained an Enigma in 1927: the machine had been sent by mistake to a German company in Poland.
• Although this was a "civil version", the principles underlying the Enigma became known to the adversary.

The British Navy attacked poorly armed German weather ships, which were also using the Enigma
• The adversary got access to code books (without the knowledge of the Germans)
• Many (old) messages could be decrypted
Specifics of the Enigma Scheme

A letter is never mapped to itself!

→ Known plaintext attack:
• If a certain word of the plain text is known, one can determine the positions in the cipher text where this word can possibly appear: every alignment in which some letter of the word coincides with the cipher text letter at the same position is ruled out.

Example: the word "Wahrheit" is known to appear in the plain text.

  Cipher text:  GAAHADFDEGFDTGH
  Offset 0:     WAHRHEIT               (A = A: impossible)
  Offset 1:      WAHRHEIT              (A = A: impossible)
  Offset 2:       WAHRHEIT         (*)
  Offset 3:        WAHRHEIT            (A = A: impossible)
  Offset 4:         WAHRHEIT       (*)
  Offset 5:          WAHRHEIT          (T = T: impossible)
  Offset 6:           WAHRHEIT     (*)
  Offset 7:            WAHRHEIT    (*)

(*) possible positions in the cipher text.
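The crib placement above as an added example (not from the slides): crib_positions lists the offsets at which a known plain text word can sit in a cipher text, given that the Enigma never maps a letter to itself, and show_alignment prints the table from the slide for any cipher text and crib. Names are assumptions of this example.

```python
def crib_positions(ciphertext, crib):
    """Offsets at which `crib` can sit in `ciphertext`, given that the Enigma never maps a
    letter to itself: any alignment where a crib letter equals the cipher text letter
    directly below it is impossible and is dropped."""
    hits = []
    for offset in range(len(ciphertext) - len(crib) + 1):
        window = ciphertext[offset:offset + len(crib)]
        if all(p != c for p, c in zip(crib, window)):
            hits.append(offset)
    return hits


def show_alignment(ciphertext, crib):
    """The table from the slide: the crib at every offset, with (*) on the possible ones."""
    possible = set(crib_positions(ciphertext, crib))
    lines = ["Cipher text:  " + ciphertext]
    for offset in range(len(ciphertext) - len(crib) + 1):
        mark = " (*)" if offset in possible else ""
        lines.append(f"Offset {offset:<2}     " + " " * offset + crib + mark)
    return "\n".join(lines)


if __name__ == "__main__":
    print(show_alignment("GAAHADFDEGFDTGH", "WAHRHEIT"))
    print("possible offsets:", crib_positions("GAAHADFDEGFDTGH", "WAHRHEIT"))  # [2, 4, 6, 7]
```

Each surviving offset fixes eight plain/cipher letter pairs at known positions in the message, which is the material the Bletchley Park cryptanalysts needed to test rotor settings.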

Block ciphers & stream ciphers

Block ciphers: encrypt sequences of "long" data blocks without changing the key
• security relies on the design of the encryption function
• typical block length: 64 bits, 128 bits

Stream ciphers: encrypt sequences of "short" data blocks under a changing key stream
• security relies on the design of the key stream generator
• encryption can be quite simple, often XOR
• typical block length: 1 bit, 1 byte (8-bit word)
→ Example: WEP encryption in IEEE 802.11b
WLAN Security Threat Model

[Figure: a user connects over the wireless link to an access point (AP) with user authentication into the LAN; the threats shown are eavesdropping on the wireless link, a fake AP, and a rogue AP attached to the LAN]

Four main threats:
1. Intruder (user authentication)
2. Eavesdropping
3. Man-in-the-middle attack (fake AP)
4. Back door (rogue AP)
Wired Equivalent Privacy (WEP)

Shared key between
• the stations and
• an access point.

Extended Service Set
• All access points have the same shared key.

No key management
• The shared key is entered manually into stations and access points
• Key management nightmare in large wireless LANs
Properties of Vernam Ciphers (1)

The WEP encryption algorithm RC4 is a Vernam cipher:

[Figure: the encryption key K seeds a pseudo-random number generator, which produces a random byte b; each plaintext data byte p is XORed with b to give the ciphertext data byte c = p ⊕ b]

Decryption works the same way: p = c ⊕ b
IEEE 802.11b Encryption

Frame before encryption:   802.11 Hdr | Data | ICV

Encrypt and encapsulate:   802.11 Hdr | IV | Ci = Pi ⊕ RC4(IV, k)   (the encrypted part covers Data and ICV)

Key stream: RC4(IV, k)

[Figure: the 24-bit IV is concatenated with the 40- or 104-bit key k to form a 64- or 128-bit seed for the PRNG (RC4); the resulting key stream ks is XORed with "Data + Checksum", i.e. the plain text followed by its CRC-32 checksum (the ICV), to give the cipher text. The IV is transmitted in the clear in front of the cipher text.]
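RC4 and the WEP encapsulation on this slide, as an added example (not from the slides): the RC4 key scheduling and output generation, the 24-bit IV prepended to the 40- or 104-bit key as the RC4 seed, the CRC-32 ICV appended to the data, and the XOR with the key stream. The 802.11 header and the key-index byte of a real WEP frame are left out. The last function is an observation about this construction that the slide itself does not make: because the key stream is XORed in and CRC-32 is affine, an attacker can flip chosen plaintext bits and patch the encrypted ICV to match without knowing the key. Function names and the test key, IV and payload are assumptions of this example.

```python
import struct
import zlib


def rc4_keystream(seed, length):
    """RC4: key scheduling (KSA) over `seed`, then `length` bytes from the output generator (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + seed[i % len(seed)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data):
    """WEP integrity check value: the CRC-32 of the data, 4 bytes little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encapsulate(key, iv, data):
    """Cipher text = RC4(IV || key) XOR (data || ICV); the 24-bit IV is sent in clear in front of it.
    (The 802.11 header and the key-index byte of a real frame are omitted here.)"""
    if len(iv) != 3 or len(key) not in (5, 13):
        raise ValueError("IV must be 24 bits and the key 40 or 104 bits")
    body = data + icv(data)
    return iv + xor_bytes(body, rc4_keystream(iv + key, len(body)))


def wep_decapsulate(key, frame):
    """Strip the IV, regenerate the same key stream, XOR, and verify the ICV. Returns (data, icv_ok)."""
    iv, cipher = frame[:3], frame[3:]
    body = xor_bytes(cipher, rc4_keystream(iv + key, len(cipher)))
    data, received_icv = body[:-4], body[-4:]
    return data, received_icv == icv(data)


def flip_bits_undetected(frame, delta):
    """Observation about this construction (not on the slide): XORing `delta` (same length as
    the data) into the cipher text flips exactly those plaintext bits, and because CRC-32 is
    affine, crc(a XOR b) = crc(a) XOR crc(b) XOR crc(0...0), the encrypted ICV can be patched
    to match. No key is needed, so the ICV gives no integrity against an active attacker."""
    icv_delta = xor_bytes(icv(delta), icv(bytes(len(delta))))
    iv, cipher = frame[:3], frame[3:]
    return iv + xor_bytes(cipher, delta + icv_delta)


if __name__ == "__main__":
    key, iv = b"\x01\x02\x03\x04\x05", b"\x00\x00\x01"  # constructed 40-bit key and IV
    frame = wep_encapsulate(key, iv, b"hello wlan")
    print(wep_decapsulate(key, frame))                   # (b'hello wlan', True)
    forged = flip_bits_undetected(frame, bytes(6) + b"\x20" + bytes(3))  # turn 'w' into 'W'
    print(wep_decapsulate(key, forged))                  # (b'hello Wlan', True)
```

The RC4 key stream for the seed "Key" starts EB 9F 77 81 B7 34 CA 72 A7 (the published test vector), which the test below checks; the forged frame passes the ICV check even though its payload was changed in transit.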
