TECHNOLOGIES AND DESIGN OF COMPUTER AND TELECOMMUNICATION SYSTEMS: SUPPLEMENTARY LECTURE NOTES - State Exam, school year 2018/19, Class 5A Computer Science ...
Sophia Danesino – Supplementary lecture notes “TPSIT”, school year 2017/18

State Exam, school year 2018/19
Class 5A Computer Science
Class 5B Computer Science

TECHNOLOGIES AND DESIGN OF COMPUTER AND TELECOMMUNICATION SYSTEMS
SUPPLEMENTARY LECTURE NOTES

Prof. Sophia Danesino
Contents

CLIL - Cryptography
  1. Introduction
    [SCAFFOLDING] Overhear/Eavesdrop
    Security concerns
      Secrecy
      Authentication
      Message Integrity
      Non repudiation
    Cryptography vs cryptology vs cryptanalysis
    Check point
  2. Confidentiality/Secrecy
    [SCAFFOLDING] The words of cryptography
    Symmetric Encryption
    Check your understanding
    Kerckhoffs's principle
  Basic Properties: correctness and security
  Substitution ciphers
    The Caesar cipher
    The cypher wheel
    Breaking the cipher
    Monoalphabetic substitution
    Vigenere cipher
  Transposition ciphers
    A transposition cipher: the Spartan scytale
  Frequency analysis
  XOR cipher
    One Time Pad encryption method
ASYMMETRIC CRYPTOGRAPHY
  Diffie-Hellman key exchange
  RSA
DIGITAL SIGNATURE
  Generating and verifying a digital signature
  Digital certificates
    The X.509 standard for certificates
    Public key infrastructure (PKI)
  Hash functions
    One-way function
    Weak security
    Strong security
  Message Authentication Code (MAC)
BIBLIOGRAPHY AND WEB REFERENCES
CLIL - Cryptography

1. Introduction

[SCAFFOLDING] Overhear/Eavesdrop

Read the following sentences and guess the difference between overhear and eavesdrop:
• We overheard the teacher say there would be a test today.
• There was Trudy eavesdropping outside the door.

To overhear means to accidentally hear what other people are saying, when they do not know that you have heard.
To eavesdrop refers to a situation in which you deliberately listen secretly to other people's conversations.
Security concerns

Alice and Bob want to communicate "securely", but what precisely does this mean?
http://www.science.smith.edu/~jcardell/Courses/EGR328/Readings/KR%20Security.pdf

Let us introduce Alice and Bob, two people who want to communicate "securely." Alice and Bob are well-known fixtures in the security community, perhaps because their names are more fun than a generic entity named "A" that wants to securely communicate with a generic entity named "B." Illicit love affairs, wartime communication, and business transactions are the commonly cited human needs for secure communications; preferring the first to the latter two, we're happy to use Alice and Bob as our sender and receiver, and imagine them in this first scenario.

We said that Alice and Bob want to communicate "securely," but what precisely does this mean? Certainly, Alice wants only Bob to be able to understand a message that she has sent, even though they are communicating over an "insecure" medium where an intruder (Trudy, the intruder) may intercept, read, and perform computations on whatever is transmitted from Alice to Bob. Bob also wants to be sure that the message that he receives from Alice was indeed sent by Alice, and Alice wants to make sure that the person with whom she is communicating is indeed Bob. Alice and Bob also want to make sure that the contents of Alice's message have not been altered in transit. Given these considerations, we can identify the following desirable properties of secure communication.

Secrecy

Only the sender and intended receiver should be able to understand the contents of the transmitted message. Because eavesdroppers may intercept the message, this necessarily requires that the message be somehow encrypted (disguised data) so that an intercepted message cannot be decrypted (understood) by an interceptor. This aspect of secrecy is probably the most commonly perceived meaning of the term "secure communication." Note, however, that, for example, Alice might also want the mere fact that she is communicating with Bob (or the timing or frequency of her communications) to be a secret!

Authentication

Both the sender and receiver need to confirm the identity of the other party involved in the communication - to confirm that the other party is indeed who or what they claim to be. Face-to-face human communication solves this problem easily by visual recognition. When communicating entities exchange messages over a medium where they cannot "see" the other party, authentication is not so simple. Why, for instance, should you believe that a received email containing a text string saying that the email came from a friend of yours indeed came from that friend? If someone calls on the phone claiming to be your bank and asking for your account number, secret PIN, and account balances for verification purposes, would you give that information out over the phone? Hopefully not.

Message Integrity

Even if the sender and receiver are able to authenticate each other, they also want to ensure that the content of their communication is not altered, either maliciously or by accident, in transmission.

Having established what we mean by secure communication, let us next consider exactly what is meant by an "insecure channel." What information does an intruder have access to, and what actions can be taken on the transmitted data? Alice, the sender, wants to send data to Bob, the receiver. In order to securely exchange data, while meeting the requirements of secrecy, authentication, and message integrity, Alice and Bob will exchange both control messages and data messages. All or some of these messages will typically be encrypted. A passive intruder can listen to and record the control and data messages on the channel; an active intruder can remove messages from the channel and/or itself add messages into the channel.
Quiz

SUMMARY - The Story of Alice and Bob
• Alice and Bob: generally, Alice wants to send a message to Bob.
Non repudiation

Information security is about constructing and analyzing protocols that overcome the influence of adversaries and that are related to various aspects of information security such as data confidentiality, data integrity, authentication, and non-repudiation.
• Confidentiality is a set of rules that limits access to information.
• Data integrity prevents changes to information during transmission.
• Authentication is the process of confirming the identity of a person.

Authentication verifies who you are (User-ID) while Non-Repudiation verifies what you did (e.g. sending a message).
• Authentication makes it possible to determine whether a person really is who they claim to be.
• Non repudiation means to ensure that a transferred message has been sent and received by the parties claiming to have sent and received the message.

Non repudiation is a way to guarantee that the sender of a message cannot later deny having sent the message and that the recipient cannot deny having received the message.

A malicious user can capture a signed message and post it multiple times. Therefore a party can repudiate having sent the same message multiple times. Making each message unique using timestamps is therefore used for non-repudiation in combination with signing and encryption.
Cryptography vs cryptology vs cryptanalysis

• Cryptography: from Greek κρυπτός kryptós, "hidden, secret" and γράφειν graphein, "writing": secret writing.
• Cryptology: from Greek κρυπτός kryptós, "hidden, secret" and -λογία -logia, "study": the science of secrets.
• Cryptanalysis: (from the Greek kryptós, "hidden", and analýein, "to loosen" or "to untie") is the study of analyzing information systems.
Check point

A. Match the terms and the cartoons [1].

CONFIDENTIALITY – AUTHENTICATION – NON REPUDIATION – DATA INTEGRITY

[Cartoons A, B, C and D]

[1] A: DATA INTEGRITY; B: CONFIDENTIALITY; C: NON REPUDIATION; D: AUTHENTICATION
B. What are we talking about?

“Data passes between a client and a Web service, sometimes through one or more intermediaries. Messages may also be kept in repositories, such as message queues or databases. Some of the data within the messages is considered to be sensitive in nature. There is a risk that an attacker can gain access to sensitive data, either by eavesdropping on the network or accessing a repository.” [2]

C. Fill the gaps [3]

Data integrity is the opposite of data ........, which is a form of ........ loss. The overall intent of any data integrity technique is the same: ensure data is transmitted/recorded ........ as intended and, upon receiving/later retrieval, ensure the data is the ........ as it was originally. In short, data integrity aims to prevent ........ to information. Data integrity is not to be confused with data ........, the discipline of protecting data from unauthorized parties.

exactly - data - same - corruption - security - changes

D. Match the following terms and their definitions [4]:

Cryptology        Analyzing (breaking) secrets
Cryptography      Science of hiding
Cryptanalysis     Secret writing

[2] SECURITY
[3] Data integrity is the opposite of data corruption, which is a form of data loss. The overall intent of any data integrity technique is the same: ensure data is transmitted/recorded exactly as intended and, upon receiving/later retrieval, ensure the data is the same as it was originally. In short, data integrity aims to prevent changes to information. Data integrity is not to be confused with data security, the discipline of protecting data from unauthorized parties.
[4] Cryptology: Science of hiding. Cryptography: Secret writing. Cryptanalysis: Analyzing (breaking) secrets.
2. Confidentiality/Secrecy

By the end of this module you’ll be able to describe the block schema of ENCRYPTION and DECRYPTION

[SCAFFOLDING] The words of cryptography

• Data that can be read and understood is called plaintext or cleartext.
• The method of disguising (disguise: mascherare, read disgais) plaintext in such a way as to hide its substance is called encryption.
• Encrypting plaintext results in unreadable text called cyphertext.
• The process of reverting cyphertext to its original plaintext is called decryption.
• The encryption function takes a plaintext and produces a cyphertext.
• A message is PUT OVER an insecure channel. A message COMES OUT from a channel.

US: CIPHER
UK: CYPHER
Noun: The message doesn't make sense; I think it's written in a cipher.
Verb: Cipher the message so that no one but us can understand it.
Symmetric Encryption

http://youtu.be/dk40W6ULb0I?list=PLAA92F9967A520440 [0.00-2.25]

Encryption is the process of encoding messages in such a way that only authorized parties can read them. In an encryption scheme, the message, referred to as plaintext, is encrypted using an encryption algorithm, generating ciphertext that can only be read if decrypted. Communicating parties must have the same key before they can achieve secure communication.

Example

Let's imagine a substitution cipher in which each letter in the plaintext is 'shifted' a certain number of places down the alphabet. For example, with a shift of 1, A would be replaced by B, B would become C, and so on. With a shift of 2, A would be replaced by C, B would become D, and so on. The method is named after Julius Caesar, who apparently used it to communicate with his generals.

Function: if we translate all of our characters to numbers, 'a'=0, 'b'=1, 'c'=2, ... , 'z'=25, we can represent the encryption function, e(x), where x is the character we are encrypting, as:

and the decryption function as:

Key k: the number of characters to shift the cipher alphabet
Check your understanding

[Eavesdropper]
[False]
[True]
[Plaintext, Cleartext]
[True]
[True]
[Goes from an element of C to an element of M]
[Both encryption and decryption are done with the same key]
[True]
Kerckhoffs's principle

• Kerckhoffs's principle [5]: a cryptographic system should be secure even if everything about the system, except the key, is public knowledge.
• Shannon's maxim [6]: the enemy knows the system.

http://youtu.be/dFTxdaXosrw?list=PLAA92F9967A520440

[5] 19 January 1835 – 9 August 1903
[6] April 30, 1916 – February 24, 2001
Basic Properties: correctness and security

By the end of this module you’ll be able to verify if a cryptosystem is CORRECT and SECURE

m ∈ M messages
c ∈ C ciphertexts
k ∈ K keys

For all messages, the result of decrypting the encryption of the message is the same as the message we started with.

Correctness property: ∀m,k: D_k(E_k(m)) = m
The result of decrypting the encryption of the message is the same as the message we started with.

Security property: A ciphertext reveals nothing about key or message.

QUIZ: Do the following functions satisfy the correctness/security property for a symmetric cypher [7]?
• E_k(m) = m + k    D_k(c) = c - k
• E_k(m) = m        D_k(c) = c
• E_k(m) = m % k    D_k(c) = c * k

Answer: http://youtu.be/B7KqXFpyEEE?list=PLAA92F9967A520440

[7] From: "Applied cryptography" (Udacity) by Dave Evans
Task

Now you’re going to work in pairs to complete a task about the correctness and security properties. The aim is to deeply understand when a cipher is correct and secure. In each pair I’d like you to talk together and find a function that satisfies the correctness property and the security one. I’ll give you 5 minutes to complete the task, then I’ll ask you to demonstrate that the function you chose satisfies the properties.

Test

1. What does SYMMETRIC cryptography mean?

2. Read the following principles and answer the quiz.
Kerckhoffs's principle (1835-1903): a cryptographic system should be secure even if everything about the system, except the key, is public knowledge.
Shannon's maxim (1916-2001): the enemy knows the system.
QUIZ: What parts of a cryptosystem must be kept secret?
□ Alice
□ Encryption Algorithm
□ Decryption Algorithm
□ Keys
□ Ciphertext

3. With the addition of the key, you are now working with three main elements m, c, k. You want your encryption function to take the message m and a key k and map that to a ciphertext c. Your decryption function will take a ciphertext and a key and map that to a message.
Correctness property: to be correct you need to obtain the same message after decryption. For all messages and keys, you have the property that the result of decrypting the ciphertext [8], using that key [9], is the original message. This can be written as:
Security property: the ciphertext reveals nothing about the key or the message.

[8] The ciphertext is the result of encrypting using the key and the message.
[9] The subscript indicates that there are two inputs for the decryption function: one is the key and one is the input ciphertext.
QUIZ: Which of these functions satisfy the correctness property for a symmetric cipher? Each choice is a pair of functions and the message and the keys are natural numbers:
• M = {1, 2, 3, ...}
• K = {1, 2, 3, ...}

QUIZ: Do the following functions satisfy the correctness/security property for a symmetric cipher?
• E_k(m) = m + k    D_k(c) = c - k
• E_k(m) = m        D_k(c) = c
• E_k(m) = m % k    D_k(c) = c * k
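The two properties can be checked mechanically on a small finite range. The following is an added example, not part of the original notes: it tests the three quiz pairs with M = K = {1, ..., 20} (an assumption standing in for the natural numbers) and, going beyond the quiz, a modular shift over {0, ..., 25}. The security check is a simplified one: a ciphertext "leaks" if it rules out at least one message.

```python
from itertools import product

def first_counterexample(E, D, messages, keys):
    """Return the first (m, k) with D_k(E_k(m)) != m, or None if correct."""
    for m, k in product(messages, keys):
        if D(k, E(k, m)) != m:
            return (m, k)
    return None

def is_correct(E, D, messages, keys):
    """Correctness property: for all m, k: D_k(E_k(m)) == m."""
    return first_counterexample(E, D, messages, keys) is None

def possible_messages(E, c, messages, keys):
    """Messages an eavesdropper cannot rule out after seeing ciphertext c."""
    return {m for m, k in product(messages, keys) if E(k, m) == c}

def leaking_ciphertexts(E, messages, keys):
    """Ciphertexts that rule out at least one message (simplified security test)."""
    everything = set(messages)
    seen = {E(k, m) for m, k in product(messages, keys)}
    return sorted(c for c in seen
                  if possible_messages(E, c, messages, keys) != everything)

# Finite stand-ins for the sets used in the quiz (assumption of this example).
N = range(1, 21)      # M = K = {1, ..., 20}
Z26 = range(26)       # M = K = {0, ..., 25}, one letter of the alphabet

# name -> (E, D, message space, key space); E and D take (key, value).
CANDIDATES = {
    "m+k / c-k": (lambda k, m: m + k, lambda k, c: c - k, N, N),
    "m / c": (lambda k, m: m, lambda k, c: c, N, N),
    "m%k / c*k": (lambda k, m: m % k, lambda k, c: c * k, N, N),
    "(m+k)%26 / (c-k)%26": (lambda k, m: (m + k) % 26,
                            lambda k, c: (c - k) % 26, Z26, Z26),
}

def report():
    """Return {name: (is_correct, leaks_information)} for every candidate."""
    result = {}
    for name, (E, D, messages, keys) in CANDIDATES.items():
        correct = is_correct(E, D, messages, keys)
        leaks = bool(leaking_ciphertexts(E, messages, keys))
        result[name] = (correct, leaks)
    return result

if __name__ == "__main__":
    for name, (correct, leaks) in report().items():
        print(f"{name:22s} correct={correct!s:5s} leaks={leaks}")
    # With E = m + k over positive integers, c = 2 can only mean m = 1, k = 1.
    E_add = CANDIDATES["m+k / c-k"][0]
    print(possible_messages(E_add, 2, N, N))
```

The modular shift passes both checks only because the key is as large as the message space and is used for a single symbol; reusing one key for a whole text gives the Caesar cipher.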
Substitution ciphers

By the end of this module you’ll know how a SUBSTITUTION cipher works

The Caesar cipher

The action of a Caesar cipher is to replace each plaintext letter with a different one a fixed number of places down the alphabet. The cipher illustrated here uses a left shift of three, so that (for example) each occurrence of E in the plaintext becomes B in the ciphertext [10].

The cypher wheel

A cipher wheel is an encrypting device that consists of two concentric circles, an inner circle and an outer circle. The inner circle is fixed and the outer circle is rotated randomly, so that it stops at some point. Then the position of the ‘A’ of the outer circle is tallied against the ‘A’ of the inner circle. That position is considered the key, and the mapping of all the positions of the outer and inner circles is used as the encrypting logic [11]. In the picture key = 3, since the ‘A’ of the outer circle is on the ‘D’ of the inner circle.

[10] http://en.wikipedia.org/wiki/Caesar_cipher
[11] https://impythonist.wordpress.com/2014/09/11/alas-julius-caesar-doesnt-have-python-in-50-bc/
Breaking the cipher

Breaking the scheme is straightforward. Since there are only a limited number of possible shifts (25 in English [12]: if you shift by 26 you are back to where you started), they can each be tested in turn in a brute force attack. One way to do this is to write out a snippet of the ciphertext in a table of all possible shifts. The example given is for the ciphertext "EXXEGOEXSRGI":

Caesar cipher coding

Watch the following video from Khan Academy and code an algorithm that encrypts and decrypts a plaintext using the Caesar cipher.
http://youtu.be/sMOZf4GN3oc

Flaw = difetto, Narrow down = restringere/limitare, Consistent = coerente, Blow = colpo.

[12] The modern English alphabet consists of 26 letters.
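One possible solution to the coding exercise, together with the table of all possible shifts described above (an added example, not part of the original notes). The function names are this example's own; it assumes the numbering 'a'=0 ... 'z'=25 used earlier and leaves non-letters unchanged.

```python
import string

def caesar(text, k):
    """Shift each letter k places down the alphabet; k < 0 is a left shift."""
    out = []
    for ch in text:
        if ch in string.ascii_letters:
            base = ord("A") if ch.isupper() else ord("a")
            # letter -> number 0..25, add the key, wrap around with mod 26
            out.append(chr((ord(ch) - base + k) % 26 + base))
        else:
            out.append(ch)  # spaces, digits and punctuation pass through
    return "".join(out)

def encrypt(plaintext, k):
    return caesar(plaintext, k)

def decrypt(ciphertext, k):
    return caesar(ciphertext, -k)

def brute_force(ciphertext):
    """Return {k: candidate plaintext} for the 25 non-trivial shifts."""
    return {k: decrypt(ciphertext, k) for k in range(1, 26)}

def keys_matching(ciphertext, expected_word):
    """Narrow the table down to the keys whose candidate contains a word
    we expect to find in the plaintext."""
    return [k for k, candidate in brute_force(ciphertext).items()
            if expected_word.upper() in candidate.upper()]

def correctness_holds(message):
    """Check D_k(E_k(m)) == m for every possible key."""
    return all(decrypt(encrypt(message, k), k) == message for k in range(26))

if __name__ == "__main__":
    # The left shift of three from the notes: E becomes B.
    print(caesar("E", -3))
    # The table of all possible shifts for the ciphertext given in the notes.
    for k, candidate in brute_force("EXXEGOEXSRGI").items():
        print(f"{k:2d}  {candidate}")
    print(keys_matching("EXXEGOEXSRGI", "attack"))
```

Only one row of the 25-row table is readable English, which is why a key space this small offers no protection.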
Monoalphabetic substitution

A monoalphabetic substitution cipher relies on a fixed replacement structure. That is, the substitution is fixed for each letter of the alphabet. Thus, if "A" is encrypted to "C", then every time we see the letter "A" in the plaintext, we replace it with the letter "C" in the ciphertext.

How many checks does a brute-force attack need in the worst case?
Solution: there are 26!-1 possible keys.
Vigenere cipher

Scaffolding: vocabulary

Let's start by looking at the following vocabulary:
• have a crush on = avere una cotta per (Eve has a crush on Bob)
• to bud = sbocciare (a budding romance)
• at all cost = a tutti i costi
• to shift the alphabet BY a certain number of letters
• to shift a letter BY one/two/.. place/s TO another letter
• to crack the code = decifrare il codice
• it occurs almost 13% of the time = compare quasi il 13% del tempo
• to thwart = impedire
• to rip = strappare
• to rip through sth = to move very powerfully through a place or building, destroying it quickly (diffondersi velocemente)
• to plague = affliggere
• as a brief aside = means that the author was discussing one subject, but for a short time, he wishes to give the reader a different point of view or to offer a different way of thinking about the subject
• to match up = accoppiare
• to end up with = finire per (it was obvious throughout the whole romantic comedy that the two characters would end up with each other.)
• to meet up = incontrarsi
• it's worth it to ... = vale la pena di ...
• interwoven = connesso (to weave, wove, woven: intrecciare, tessere)
• to crop up = saltare fuori
• weird = strano, misterioso
• prying = impiccione, ficcanaso

Now watch this video from Nate Hardison (Harvard University) and write a summary about the substitution ciphers you learnt (try to use the previous vocabulary as much as you can):
http://youtu.be/9zASwVoshiM
Vigenère cipher

Video transcript
https://www.youtube.com/watch?v=9zASwVoshiM

Meet Alice. Alice has a crush on Bob. Fortunately for Alice, Bob also has eyes for her. Unfortunately for their budding romance, not only do Alice's parents disapprove of Bob, but Alice's best friend, Evelyn, has a secret crush on Bob and selfishly wants to keep them apart at all costs.

To send secret messages to each other that Alice's parents can't understand, Alice and Bob have been using a Caesar cipher, which works by shifting the alphabet by a certain number of letters as a way to generate a new alphabet. Each letter in the original alphabet is then substituted by its corresponding letter in the new shifted alphabet. Alice's favorite number is 3, which Bob knows, so she uses 3 as her key. When she shifts the English alphabet by 3 letters, A becomes D, B becomes E, C becomes F, and so forth. When she gets to the end of the alphabet, to the letters X, Y, and Z, she just wraps around back to the beginning of the alphabet and substitutes X with A, Y with B, and Z with C.

So when Alice goes to encrypt her secret message to Bob, namely "Meet me at the park at eleven a.m.," she just makes the appropriate substitutions. M becomes P, E becomes H, and so on until her unencrypted plain text message is turned into encrypted cipher text: "Phhw ph dw wkh sdun dw hohyhq dp" is definitely not the most romantic sounding, but Alice believes that it'll do.

Alice gives the message to Evelyn to deliver to Bob's house. But Evelyn instead takes it back to her room and tries to crack the code. One of the first things Evelyn notices is that the letter H occurs 7 times in the message, many more times than any other letter. Knowing that the letter E is the most common in the English language, occurring almost 13% of the time, Evelyn guesses that H has been substituted for E in order to make the secret message and tries using a key of 3 to decrypt it.
Within minutes, Evelyn figures out Alice's plans and evilly calls Alice's parents.

Had Alice and Bob taken CS50, they would have known of this frequency analysis attack on the Caesar cipher, which allows it to be broken quite quickly. They would also have known that the cipher is easily subject to a brute-force attack, whereby Evelyn could have tried all of the possible 25 keys, or shifts of the English alphabet, in order to decipher the message. Why 25 keys and not 26? Well, try shifting any letter by 26 positions, and you'll see why. Anyway, a brute-force attack would have taken Evelyn a bit longer but not long enough to keep her from thwarting Alice and Bob's plans, especially if Evelyn has the aid of a computer which could rip through all 25 cases in an instant.
So, this problem also plagued others who used the Caesar cipher, and therefore people began experimenting with more complex substitution ciphers that use multiple shift values instead of just one. One of the most well-known of these is called Vigenère cipher.

How do we get multiple shift values? Well, instead of using a number as the key, we use a word for the key. We'll use each letter in the key to generate a number, and the effect is that we'll have multiple Caesar cipher-style keys for shifting letters. Let's see how this works by encrypting Alice's message to Bob: “Meet me at the park at eleven a.m.”

I, personally, think bacon is delicious, so let's use that as the key. If we take the message in its unencrypted, plain-text format, we see that it's 25 letters long. Bacon has only 5 letters, so we need to repeat it 5 times to make it match the length of the plain text: Bacon bacon bacon bacon bacon. As a brief aside, if the number of letters in the plain text didn't divide cleanly by the number of letters in the key, we just end the final repetition of our key early, using only the letters we needed to make everything match up.

Now we go about finding the shift values. We're going to do this by using the position of each letter of our key, bacon, in the A to Z alphabet. Since we're computer scientists, we like to start counting at zero instead of 1, so we're going to say that the position of the first letter of bacon, B, is in position 1 in the zero-indexed A to Z alphabet, not 2, and the position of A is zero, not 1. Using this algorithm, we can find the shift values for each letter.

To encrypt the plain text and generate cipher text, we just shift each letter in the plain text by the specified amount, just like we do with the Caesar cipher, wrapping from Z back to A if necessary. M gets shifted by 1 place to become N.
The first E doesn't shift at all, but we shift the second E by 2 places to G and T by 14 places to H. If we work through the plain text, we end up with, "Negh zf av huf pcfx bt gzrwep oz." Again, not very romantic-sounding but definitely cryptic.

If Alice and Bob had known about Vigenère cipher, would they have been safe from Evelyn's prying eyes? What do you think? Would you want to log into your bank account if your bank decided to use Vigenère cipher to encrypt your communication using your password as your key? If I were you, I wouldn't. And while Evelyn might be kept busy long enough for Alice and Bob to have their meet-up, it's not worth it for Alice and Bob to chance it.

Vigenère cipher is relatively easy to break if you know the length of the key because then you can treat the encrypted cipher text as the product of a few interwoven Caesar ciphers. Finding the length of the key isn't terribly hard, either. If the original plain-text message is long enough that some words occur multiple times, eventually you'll see repetition cropping up in the encrypted cipher text, as in this example, where you see MONCY appear twice.
Additionally, you can perform a brute-force attack on the cipher. This does take significantly longer than a brute-force attack on the Caesar cipher, which can be done almost instantaneously with a computer since instead of 25 cases to check you've got 26ⁿ-1 possibilities, where n is the length of the unknown key. This is because each letter in the key could be any of the 26 letters, A through Z, and a smart person would try to use a key that can't be found in a dictionary, which means that you'd have to test all of the weird letter combinations, like ZXXXFF, and not just a couple hundred thousand words in the dictionary. The minus 1 comes into the math because you wouldn't want to use a key with only A's, since with our zero-indexed alphabet that would give you the same effect as using a Caesar cipher with a key of zero. Anyway, 26ⁿ-1 does get large rather quickly, but while you definitely wouldn't want to try breaking a cipher by hand this way, this is definitely doable with a computer.

Fortunately for Alice and Bob, and for online banking, cryptographers have developed more secure ways to encrypt secret messages from prying eyes. However, that's a topic for another time.

My name is Nate Hardison. This is CS50.
Let's play a game!

Encrypt and decrypt the following message "HELLO FROM ITALY" using a polyalphabetic cipher (use the key "CLIL").

Vigenère cipher
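The Vigenère procedure from the transcript, written out as an added example that is not part of the original notes or of the video. It assumes, as the transcript's result implies, that the key advances only on letters and that spaces and punctuation are copied unchanged; the function names are this example's own.

```python
import string

def vigenere(text, key, decrypt=False):
    """Encrypt (or decrypt) text with a word key, one Caesar shift per key letter."""
    if not key or any(ch not in string.ascii_letters for ch in key):
        raise ValueError("key must be a non-empty word made of letters A-Z")
    # Zero-indexed positions in the alphabet: 'a' -> 0, 'b' -> 1, ...
    shifts = [ord(ch) - ord("a") for ch in key.lower()]
    out = []
    used = 0  # number of letters processed so far; selects the key letter
    for ch in text:
        if ch in string.ascii_letters:
            k = shifts[used % len(shifts)]
            if decrypt:
                k = -k
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + k) % 26 + base))
            used += 1
        else:
            out.append(ch)  # the key does not advance on non-letters
    return "".join(out)

def interwoven_caesars(ciphertext, key_length):
    """Split the ciphertext letters into key_length groups; each group was
    shifted by a single key letter, so each is an ordinary Caesar ciphertext."""
    letters = [ch.upper() for ch in ciphertext if ch in string.ascii_letters]
    return ["".join(letters[i::key_length]) for i in range(key_length)]

def keyspace(n):
    """Number of keys of length n to try, as counted in the transcript."""
    return 26 ** n - 1

if __name__ == "__main__":
    # The message from the transcript (punctuation of "a.m." left out).
    secret = vigenere("Meet me at the park at eleven am.", "bacon")
    print(secret)
    print(vigenere(secret, "bacon", decrypt=True))
    # Group 1 was "shifted" by key letter 'a' (shift 0): plaintext letters show through.
    print(interwoven_caesars(secret, 5))
    # The exercise from the notes.
    print(vigenere("HELLO FROM ITALY", "CLIL"))
    print(keyspace(5))
```

The second group printed by `interwoven_caesars` is unshifted plaintext because the key letter A is a shift of zero, which is the reason each key letter can be recovered independently once the key length is known.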
Transposition ciphers

Transposition (or anagram) ciphers are where the letters are jumbled up together: instead of replacing characters with other characters, this cipher just changes the order of the characters. This means that the giveaway for a transposition cipher is that frequency analysis shows that the constituent letters are what would be expected in a standard text (e.g. e is the most common English letter).

What typically happens is that the text to be encrypted is arranged in a number of columns. These columns are then reordered, resulting in encrypted text, e.g. (1, 2, 3, 4, 5) -> (4, 5, 3, 2, 1). To decrypt you need to work out the number of columns and then rearrange the columns [13].

From: Encrypting using a keyword-based transposition cipher
https://youtu.be/Y_E0M5vfw3g

[13] http://www.richkni.co.uk/php/crypta/trans0.php
A transposition cipher: the Spartan scytale

A scytale [14] is a tool used to perform a transposition cipher, consisting of a cylinder with a strip of parchment wound around it on which is written a message. The ancient Greeks, and the Spartans in particular, are said to have used this cipher to communicate during military campaigns. A description of how it operated is not known from before Plutarch (50-120 AD):

When the ephors send out an admiral or a general, they make two round pieces of wood exactly alike in length and thickness, so that each corresponds to the other in its dimensions, and keep one themselves, while they give the other to their envoy. These pieces of wood they call scytalae. Whenever, then, they wish to send some secret and important message, they make a scroll of parchment [15] long and narrow and wind it round their scytale, leaving no vacant space thereon, but covering its surface all round with the parchment. After doing this, they write what they wish on the parchment, just as it lies wrapped about the scytale; and when they have written their message, they take the parchment off and send it, without the piece of wood, to the commander. He, when he has received it, cannot get any meaning out of it, since the letters have no connection, but are disarranged, unless he takes his own scytale and winds the strip of parchment about it, so that, when its spiral course is restored perfectly, and that which follows is joined to that which precedes, he reads around the staff, and so discovers the continuity of the message. And the parchment, like the staff, is called scytale, as the thing measured bears the name of the measure.

Plutarch, Lives (Lysander 19), ed. Bernadotte Perr

Make your own scytale: http://www.classic-play.com/spies-like-us-secret-codes-pt-2/

[14] Read: schitali
[15] Papyrus scroll
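The column reordering (1, 2, 3, 4, 5) -> (4, 5, 3, 2, 1) and the scytale can both be expressed as one columnar transposition. The following is an added example, not part of the original handout; the sample message and the modelling of the scytale as "read the columns in their natural order" are assumptions made for illustration.

```python
def check_order(order):
    """Return `order` as a list after checking it is a permutation of 1..n."""
    order = list(order)
    if not order or sorted(order) != list(range(1, len(order) + 1)):
        raise ValueError("order must be a permutation of 1..n")
    return order


def encrypt(plaintext, order):
    """Write the text row by row into len(order) columns, then read the
    columns out in the sequence given by `order` (1-based column numbers)."""
    order = check_order(order)
    ncols = len(order)
    columns = [plaintext[c::ncols] for c in range(ncols)]
    return "".join(columns[c - 1] for c in order)


def decrypt(ciphertext, order):
    """Work out each column's length, cut the ciphertext back into columns,
    put them in their original positions and read row by row."""
    order = check_order(order)
    ncols = len(order)
    full_rows, extra = divmod(len(ciphertext), ncols)
    columns, pos = [""] * ncols, 0
    for c in order:
        # The first `extra` columns hold one more letter (incomplete last row).
        length = full_rows + (1 if c - 1 < extra else 0)
        columns[c - 1] = ciphertext[pos:pos + length]
        pos += length
    rows = full_rows + (1 if extra else 0)
    return "".join(col[r] for r in range(rows) for col in columns if r < len(col))


def scytale(plaintext, turns):
    """Scytale modelled as a transposition: each line written along the rod
    crosses `turns` windings; the unwound strip reads winding by winding."""
    return encrypt(plaintext, range(1, turns + 1))


if __name__ == "__main__":
    message = "HELLOFROMITALY"          # constructed sample message
    order = (4, 5, 3, 2, 1)             # column order from the text above
    secret = encrypt(message, order)
    print(secret, decrypt(secret, order))
    # The giveaway: the letters, and so their frequencies, are unchanged.
    print(sorted(secret) == sorted(message))
    print(scytale(message, 5))
```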
Frequency analysis

Frequency analysis [16] is the study of letters or groups of letters contained in a ciphertext in an attempt to partially reveal the message. In English (as in most other languages), certain letters and groups of letters appear with varying frequencies.

[Chart: frequency distribution of the letters a to z in the English alphabet]

This is a chart of the frequency distribution of letters in the English alphabet. As you can see, the letter ‘e’ is the most common, followed by ‘t’ and ‘a’, with ‘j’, ‘q’, ‘x’, and ‘z’ being very uncommon.

Knowing the usual frequencies of letters in English communication, if the encryption method does not effectively mask these frequencies, it is possible to statistically determine parts of the plaintext from looking at the ciphertext alone.

Let’s look at an example based on a plaintext encrypted with the Caesar Cipher – a cipher that provides no protection from frequency analysis.

wkh sdvvzrug lv vhyhq grqw whoo dqbrqh

Let’s get the letter frequencies (how often each letter appears) of this ciphertext.

h=5 v=4 q=3 r=3 g=3 d=2 b=1 k=1 l=1 s=1 y=1

Okay, so we’ve found our frequencies. The first reaction here is to try h = e, and since we know the cipher used is the Caesar cipher, we can try a shift of -3 and the message is revealed!

[16] http://learncryptography.com/frequency-analysis/
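The reasoning above ("try h = e") as code, added here as an example that is not part of the original handout: it tallies the letters of the ciphertext from the text and turns the most frequent one into shift hypotheses. The list of likely plaintext letters ("etaoin") is an assumption about English.

```python
from collections import Counter
from string import ascii_lowercase

# Ciphertext taken from the worked example in the text.
CIPHERTEXT = "wkh sdvvzrug lv vhyhq grqw whoo dqbrqh"


def letter_counts(text):
    """Count only the letters a-z; spaces and punctuation are ignored."""
    return Counter(ch for ch in text.lower() if ch in ascii_lowercase)


def caesar_shift(text, shift):
    """Move every letter `shift` places along the alphabet (negative = back)."""
    out = []
    for ch in text.lower():
        if ch in ascii_lowercase:
            out.append(ascii_lowercase[(ascii_lowercase.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def hypotheses(ciphertext, likely="etaoin"):
    """Assume the most frequent ciphertext letter stands for each letter in
    `likely` in turn; return (shift, trial plaintext) pairs in that order."""
    counts = letter_counts(ciphertext)
    if not counts:
        return []
    top_letter = counts.most_common(1)[0][0]
    results = []
    for plain in likely:
        shift = (ascii_lowercase.index(top_letter) - ascii_lowercase.index(plain)) % 26
        results.append((shift, caesar_shift(ciphertext, -shift)))
    return results


if __name__ == "__main__":
    print(letter_counts(CIPHERTEXT).most_common(3))
    for shift, trial in hypotheses(CIPHERTEXT):
        print(f"shift {shift:2d}: {trial}")
```

Only the first hypothesis reads as English here; on short or unusual texts the most frequent letter may not be ‘e’, which is why the function returns several candidates.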
XOR cipher

In cryptography, the simple XOR cipher is an encryption algorithm that operates according to the principles: where ⊕ denotes the exclusive disjunction (XOR) operation.

With this logic, a string of text can be encrypted by applying the bitwise XOR operator to every character using a given key. To decrypt the output, merely reapplying the XOR function with the key will remove the cipher.

For example, the string "Wiki" (01010111 01101001 01101011 01101001 in 8-bit ASCII) can be encrypted with the repeating key 11110011 as follows:

Its primary merit is that it is simple to implement, and that the XOR operation is computationally inexpensive.
One Time Pad encryption method

If the key is random and is at least as long as the message, the XOR cipher is much more secure than when there is key repetition within a message. With a key that is truly random, the result is a one-time pad (also known as the Vernam [17] cipher), which is unbreakable even in theory.

It is possible to prove that a stream cipher encryption scheme is unbreakable if the following preconditions are met:
1. the key must be as long as the plain text.
2. the key must be truly random.
3. the key must only be used once.

One Time Pad keys are used in pairs. The keys are distributed securely prior to encryption. One copy of the key is kept by the sender and one by the recipient.
1. To encrypt plain text data, the sender uses a key string equally long as the plain text. The key is used by mixing (XOR-ing) bit by bit, always adding one bit of the key with one bit of the plain text to create one bit of cipher text.
2. This cipher text is then sent to the recipient.
3. At the recipient’s end, the encoded message is mixed (XOR-ed) with the duplicate copy of the One Time Key and the plain text is restored.
4. Both sender’s and recipient’s keys are automatically destroyed after use, so that erroneous re-application of the same key is impossible.

The most critical aspect of the Vernam cipher is the randomness of the pad sequence. An event sequence can be said to be truly random if it is impossible to predict the next event in the sequence even if the entire state of the generating process up to that point is known. Any deterministic process, such as running software on a computer, can never produce truly random numbers.

[17] Gilbert Vernam invented and patented his cipher in 1917 while working at AT&T.
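The XOR cipher on "Wiki" with the repeating key 11110011, and the one-time pad preconditions, as an added example that is not part of the original handout. The operating system's random generator stands in for a truly random pad (an assumption), and the two sample messages are constructed.

```python
import secrets


def xor_cipher(data: bytes, key: bytes) -> bytes:
    """XOR every byte with the key, repeating the key as needed.
    Applying the function twice with the same key restores the input."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def otp_encrypt(plaintext: bytes):
    """One-time pad: draw a fresh key as long as the message.
    secrets uses the OS generator, standing in here for a true random source."""
    key = secrets.token_bytes(len(plaintext))
    return key, xor_cipher(plaintext, key) if plaintext else b""


def otp_decrypt(ciphertext: bytes, key: bytes) -> bytes:
    """Refuse keys of the wrong length (precondition 1)."""
    if len(key) != len(ciphertext):
        raise ValueError("pad must be exactly as long as the message")
    return xor_cipher(ciphertext, key) if ciphertext else b""


def xor_of_ciphertexts(c1: bytes, c2: bytes) -> bytes:
    """What an observer can compute from two ciphertexts without any key."""
    if len(c1) != len(c2):
        raise ValueError("inputs must have equal length")
    return bytes(a ^ b for a, b in zip(c1, c2))


if __name__ == "__main__":
    wiki = xor_cipher(b"Wiki", b"\xf3")            # key 11110011
    print(" ".join(f"{b:08b}" for b in wiki), xor_cipher(wiki, b"\xf3"))

    key, ct = otp_encrypt(b"MEET AT NOON")         # constructed message
    print(otp_decrypt(ct, key))

    # Why precondition 3 matters: with a reused pad the key cancels out,
    # leaving the XOR of the two plaintexts in plain view.
    p1, p2 = b"MEET AT NOON", b"STAY AT HOME"
    c1, c2 = xor_cipher(p1, key), xor_cipher(p2, key)
    print(xor_of_ciphertexts(c1, c2) == xor_of_ciphertexts(p1, p2))
```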
ASYMMETRIC CRYPTOGRAPHY

The weak point of symmetric cryptography is the key exchange: if the key is intercepted, the encryption becomes useless. A turning point in the history of cryptography came with asymmetric cryptography, also known as key-pair cryptography, public/private-key cryptography or simply public-key cryptography: a type of cryptography in which each user is associated with a pair of keys:
• the public key, which is distributed, used to encrypt
• the private key, used to encrypt, which must remain secret.

This avoids the problems of exchanging the single key used for both encryption and decryption, which exist in symmetric cryptography. Public-key cryptography was a true revolution in the history of cryptography, preceded by a mechanism for the secure exchange of the key.

Diffie-Hellman key exchange

The Diffie-Hellman key exchange is a cryptographic protocol that allows two entities to establish a shared secret key over an insecure (public) communication channel, without the two parties needing to have exchanged information or met beforehand. The key obtained through this protocol can then be used to encrypt subsequent communications with a symmetric encryption scheme.

The Diffie-Hellman key exchange protocol was developed by Diffie and Hellman in 1976.

We can get an intuition for how it works by using colours: the idea is that it is easy to mix two or more colours, but practically impossible to recover the starting colours from the shared colour.
This mechanism is found in the factorization of prime numbers.

The protocol has two system parameters, p and g, which are both public. The parameter p is a prime number and the parameter g (usually called the generator) is an integer smaller than p.

Suppose Bob and Alice want to agree on a shared secret key using the Diffie-Hellman protocol. They proceed as follows:
• Alice generates a random value a that only she knows, and Bob does the same, generating b.
• They then derive their public numbers using the parameters p and g and their private numbers. Alice's public value is A = g^a mod p, while Bob's is B = g^b mod p.
• At this point they exchange their public values.
• Alice computes B^a mod p = (g^b)^a mod p = k
• Bob computes A^b mod p = (g^a)^b mod p = k

Alice and Bob have a shared secret key k.
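The exchange described above with concrete numbers, as an added example that is not part of the original handout. The parameters p = 23 and g = 5 and the fixed private values in the demo are assumptions chosen so the arithmetic can be checked by hand; the last function shows why real deployments need a very large p.

```python
import secrets

# Toy public parameters (assumed for illustration only).
P, G = 23, 5


def public_value(private, p=P, g=G):
    """A = g^a mod p: the number each party sends over the open channel."""
    return pow(g, private, p)


def shared_key(their_public, my_private, p=P):
    """k = B^a mod p on Alice's side, A^b mod p on Bob's side."""
    return pow(their_public, my_private, p)


def exchange(p=P, g=G):
    """Run one exchange with fresh random private values in 1..p-2."""
    a = secrets.randbelow(p - 2) + 1
    b = secrets.randbelow(p - 2) + 1
    A, B = public_value(a, p, g), public_value(b, p, g)
    return {"sent": (A, B), "alice": shared_key(B, a, p), "bob": shared_key(A, b, p)}


def private_from_public(public, p=P, g=G):
    """Try every exponent until g^x mod p matches the public value.
    This takes about p steps, so it only works because p is tiny here."""
    for x in range(1, p):
        if pow(g, x, p) == public:
            return x
    return None


if __name__ == "__main__":
    a, b = 6, 15                                   # fixed values for the demo
    A, B = public_value(a), public_value(b)
    print("public values:", A, B)
    print("shared key:", shared_key(B, a), shared_key(A, b))
    run = exchange()
    print("random run agrees:", run["alice"] == run["bob"])
    print("exponent found from A alone (toy p):", private_from_public(A))
```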
In this way the key-distribution problem is solved: Bob only has to generate a single key pair and can distribute his public key to anyone he wants. The two keys, public and private, are related to each other, but it is extremely difficult to derive the second from the first. This difficulty is mathematical in nature, or rather, it is tied to a mathematical problem [18] that is particularly hard to solve.

[18] The discrete logarithm problem
RSA

In cryptography, the acronym RSA denotes an asymmetric encryption algorithm, invented in 1977 by Ronald Rivest, Adi Shamir and Leonard Adleman, which can be used to encrypt or sign information.

The cryptosystem is based on the existence of two distinct keys, which are used to encrypt and decrypt. If the first key is used for encryption, the second must necessarily be used for decryption, and vice versa. The fundamental point is that, although the two keys depend on each other, it is not possible to derive one from the other, so that even someone who knows one of the two keys cannot derive the other, which guarantees the integrity of the encryption.

RSA is based on the high computational complexity of factorization into prime numbers [19]. In short, given two very large prime numbers it is easy to compute n=p*q, but it takes computationally too long to find the two factors p and q when n is known.

[19] The fundamental theorem of arithmetic states that every natural number greater than 1 either is a prime number or can be expressed as a product of prime numbers. This representation is unique, apart from the order in which the factors appear.
Basic concept

To simplify how it works, imagine that A has to send a secret message to B.

[Figure: A and B; both keys shown are B's]

1. B chooses two keys: one private and one public. The keys are pairs of numbers.
2. B sends his public key to A. Anyone can see this key.
3. A uses this key to encrypt the message.
4. A sends the encrypted message to B; anyone can see it, but not decrypt it.
5. B receives the message and decrypts it using the private key that only he knows.

Suppose the public key is the pair (n,e) and the private key is (n,d).

Encryption: c = m^e mod n
A message m is encrypted through the operation m^e mod n, which turns it into the encrypted message c.

Decryption: m = c^d mod n
Once transmitted, c is decrypted with c^d mod n = m, which gives back the plaintext message.

Example

The message is represented as an integer value. A message is a sequence of bits whose decimal equivalent can be found. If message = 'm' = 10010001₂ = 145, then encrypting a message is equivalent to encrypting its corresponding decimal integer.

Suppose message = 7.
Plaintext message encrypted with (n,e)=(55,3): 7^3 mod 55 = 13
Encrypted message decrypted with (n,d)=(55,27): 13^27 mod 55 = 7
Key generation [READING ONLY]

1. Two prime numbers p and q are chosen at random, large enough to guarantee the security of the algorithm (at least 4096 bits are recommended): p and q must remain private!
2. their product n=p*q [20], called the modulus (since all the following arithmetic is modulo n), and the product z=(p-1)(q-1) are computed
3. the encryption key is computed: choose a number 1
DIGITAL SIGNATURE

Generating and verifying the digital signature

Public-key cryptographic methods can be used to generate a digital signature. Whereas in encryption the public key is used to encrypt and the recipient uses the private key to read the message in the clear, in the digital signature system:
• the sender uses their private key to generate the signature
• the signature and the message are sent to the recipient
• the recipient verifies the origin of the message using the sender's public key.

Anyone can check the origin of the message by using the public key.

The RSA algorithm, used to generate electronic signatures, is simply based on inverting the role of the keys with respect to the role they play in ensuring confidentiality. The difference between the two applications lies essentially in the fact that, for the digital signature, applying the encryption operation to the whole text is avoided (with a considerable saving of time). The text to be signed is compressed into a kind of summary (called the digital fingerprint) by a suitable hash function, built so as to minimize the probability that different texts produce the same fingerprint value. The size of the summary is fixed and much smaller than that of the original message, so generating the signature is extremely fast.

Since the signature is computed from the hash of the message, the signature not only authenticates the origin of the message but also guarantees its integrity.

Finally, the sender cannot deny having sent the message, because they are the only one in possession of the private key (non-repudiation).
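The RSA example with (n,e)=(55,3) and (n,d)=(55,27) and the hash-then-sign procedure described above, as one added example that is not part of the original handout. It uses the standard textbook rule d = e⁻¹ mod z; the primes 5 and 11 (the factors of 55), the two Mersenne primes for the signature key and the reduction of the SHA-256 fingerprint modulo n are assumptions for illustration, and real signature schemes add padding.

```python
import hashlib
from math import gcd


def make_keys(p, q, e):
    """Textbook RSA: n = p*q, z = (p-1)(q-1), d = inverse of e modulo z."""
    n, z = p * q, (p - 1) * (q - 1)
    if not 1 < e < z or gcd(e, z) != 1:
        raise ValueError("e must satisfy 1 < e < z and share no factor with z")
    d = pow(e, -1, z)                  # modular inverse (Python 3.8+)
    return (n, e), (n, d)              # (public key, private key)


def encrypt(m, public):
    n, e = public
    if not 0 <= m < n:
        raise ValueError("message must be an integer in 0..n-1")
    return pow(m, e, n)


def decrypt(c, private):
    n, d = private
    return pow(c, d, n)


def fingerprint(message: bytes, n):
    """SHA-256 digest as an integer, reduced mod n so it fits the toy key."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private):
    """The sender applies the PRIVATE key to the fingerprint, not the text."""
    n, d = private
    return pow(fingerprint(message, n), d, n)


def verify(message: bytes, signature, public):
    """Anyone holding the PUBLIC key can recompute and compare fingerprints."""
    n, e = public
    return pow(signature, e, n) == fingerprint(message, n)


# Key from the example in the text: n = 55 = 5 * 11, e = 3 gives d = 27.
PAGE_PUBLIC, PAGE_PRIVATE = make_keys(5, 11, 3)
# Larger toy key for signing, built from two known Mersenne primes.
SIG_PUBLIC, SIG_PRIVATE = make_keys(2**61 - 1, 2**89 - 1, 65537)

if __name__ == "__main__":
    c = encrypt(7, PAGE_PUBLIC)
    print(PAGE_PRIVATE, c, decrypt(c, PAGE_PRIVATE))
    text = b"pay 100 euro to Bob"      # constructed sample message
    s = sign(text, SIG_PRIVATE)
    print(verify(text, s, SIG_PUBLIC))                     # genuine message
    print(verify(b"pay 900 euro to Bob", s, SIG_PUBLIC))   # altered message
```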
Electronic certificates

In public-key cryptography, both when encrypting and when verifying a digital signature, one needs to retrieve the public key either of the recipient of a message or of the signer of a signed message. In both cases the public key is not confidential; the critical issue is guaranteeing the authenticity of public keys, that is, ensuring that a given public key really belongs to the party for whom one wants to encrypt or whose signature one must verify. If a third party took the recipient's public key and replaced it with their own, the content of the encrypted messages would be disclosed and digital signatures could be forged.

The distribution of public keys is therefore the crucial problem of public-key technology.

The problem of distributing public keys is solved by using electronic certificates. A certificate is an electronic document that binds a public key to a natural person or organization.

The use of electronic certificates presupposes the existence of a Certification Authority (CA) that issues and manages them. The CA signs the certificate.

The tasks of a CA are:
• issuing and publishing the certificate (signed with its own private key)
• maintaining the register of public keys
• revoking or suspending certificates at the request of the party concerned or in case of abuse, forgery, etc., and at the same time updating the public list of suspended or revoked certificates (certificate revocation list)
The X.509 standard for certificates

The now widely recognized standard defining the format of certificates is the one described in the X.509 ISO/IEC/ITU standard [RFC2459] (Visa and MasterCard, for example, adopted the X.509 specifications as the basis for defining SET, Secure Electronic Transaction, the standard for electronic commerce).

Each certificate is a data structure made up of a data part containing:
• version: indicates the version of the certificate format (1, 2 or 3)
• serial number: a numeric code that identifies the certificate among all the certificates issued by the Certification Authority
• signature algorithm: specifies the algorithm used by the CA to sign the certificate; it is given by the pair hash function – public-key algorithm
• issuer name: the name of the CA
• subject name: information that uniquely identifies the holder of a public key
• the value of the public key
• the validity period of the certificate (from … to)
• the digital signature of the certification authority, which ensures the authenticity of the key and the integrity of the information contained in the certificate
• Subject Unique Identifier: an optional string of additional bits, used when two members of the same CA have the same name
• Issuer Unique Identifier: an optional string of additional bits, used when there are two CAs in the tree structure
If an intruder tried to alter the content of the certificate while it is being published, the tampering would be detected immediately when the signature on the certificate is verified; the verification process would fail and the end user would be warned that the public key contained in the certificate lacks integrity.

Public key infrastructure (PKI)

Public key infrastructures provide the support needed for public-key cryptography to be usable on a large scale.

A public key infrastructure introduces the concept of third-party trust, that is, the situation in which two generic entities implicitly trust each other without having previously established a personal relationship of trust. This is possible because both entities share a relationship of trust with a common third party.
Third-party trust is a fundamental requirement for any large-scale implementation that uses public-key cryptography, and in a PKI it is achieved through the Certification Authority. In Italy these are, for example, Infocamere, Poste italiane, Actalis S.p.A. (an up-to-date and complete list of qualified certifiers is on the CNIPA website, www.cnipa.gov.it).
The PKI model actually involves two bodies: the registration authority and the certification authority.

RA: Registration Authority
The identity of the user requesting an electronic certificate must be established before the certificate is actually issued; this check is indispensable because issuing an electronic certificate makes the association between a given public key and a given entity publicly valid. Once the validity of the user's identity has been attested through a series of procedures defined within a precise security policy (for example, checking the identity card), the registration authority has the task of enabling the user as a member of a specific trust domain; the registration authority function can be carried out by the certification authority itself or delegated to other entities.

CA: Certification Authority
It is the heart of a PKI; its main function is to create electronic certificates for the users previously enabled, in the registration phase, in the trust domain for which the CA is guarantor. A Certification Authority must not limit itself to generating certificates, but must be able to manage their entire life cycle. The life cycle includes generation, update (when the certificate is about to expire), replacement (when its validity period has expired) and revocation when the conditions under which the certificate was issued no longer hold. A further task of the CA is to establish trust relationships with other CAs.

The CA publishes, on a specific freely accessible public server called the “Certificate Server”, the list of currently valid certificates, or an indication of whether these certificates are revoked or suspended.