Privacy and Computer Science (ECI 2015), Day 1 - Introduction: why cryptography is not enough
F. Prost, Frederic.Prost@ens-lyon.fr, Ecole Normale Supérieure de Lyon, July 2015


Slide 9/48. Cryptography is not Enough: you can run but you can't hide
The dreamt world of mathematicians vs. the harsh reality:
  Implementation details do matter.
  Usage protocol does matter.
  Psychology does matter.
  System complexity does matter.
  Sheer luck can matter...
⇒ Empirical proof: Snowden's revelations about NSA's practices...

Slide 10/48. Plan
  1. Cryptography is not Enough: Enigma Cryptanalysis; Naive Anonymization Just doesn't Work
  2. Information Theory Cryptology [Shannon, 1949]: Information theoretic studies of cryptosystems; Entropy of passwords
  3. Conclusion

Slide 11/48. Enigma Cryptanalysis
A real-life, extreme example of the difficulty of information security, during WWII.
Historians estimate that it shortened the war by 1 to 2 years (literally millions of lives).
First mechanization of cryptanalysis: the shift from linguistics to mathematics.
First use of computers! A. Turing, father of computer science, was heavily involved.
Exemplary in the multiple ways used to break the "unbreakable".
⇒ Think outside the box!

Slide 12/48. Enigma Machine (photograph; image not reproduced in this text)

Slide 13/48. Permutations with Rotors, Schematically (wiring diagram of a rotor as a permutation of the contacts A to F; figure not reproducible in text)

Slide 14/48. Enigma, Schematically (wiring diagram on the contacts A to F; figure not reproducible in text)

Slide 15/48. Protocol for the Use of Enigma
Book of keys:
  Date  Rotors     Initialization  Plugboard
  12    I II III   REZ             FD IZ LP MN TA SY
  13    II V I     KXU             AN GZ ID LW MF UY
  14    IV II III  WGT             ET IL MO NS WH BQ
  15    II I V     AQR             UI YS AN MJ VB EH
  ...
A key gives the initial configuration of the machine. Once the machine was set, the operator sent three letters in order to initiate a session key (to avoid repetitions). This group of three letters was repeated twice.

Slide 16/48. Some Numbers on Enigma
  Each rotor is a permutation on 26 letters; three rotors: $26^3 = 17576$
  3 among 5 rotors: $5!/(3!\,2!) = 10$
  Plugboard, 6 wires: $\prod_{k=0}^{5} \frac{(26-2k)!}{2\,(24-2k)!} = 72282089880000$
  Number of Enigma settings: $76 \times 10^{18}$
  Age of the universe in seconds: $4.3 \times 10^{17}$
Enigma's strength is due to the combination of a mechanism that avoids repetitions (the rotors) and a huge key space (the plugboard). Even with a copy of the machine it is intractable.

Slide 17/48. Enigma Weaknesses
Internal weaknesses (algorithm weaknesses):
  Only involutive substitutions are implemented: from $26! \simeq 403 \times 10^{24}$ down to $533 \times 10^{12}$ (that is a $7.5 \times 10^{11}$ reduction!!).
  Because of the reflector a letter can never be encoded as itself.
  ⇒ Sometimes, to test communication lines, the Germans sent long texts made only of "T"s.
  ⇒ The crib technique developed by Turing.
External weaknesses (protocol use):
  The Germans forbade the use of the same rotor in the same place on two consecutive days.
  Repetition of the session key at the start of the message.
  Some messages had a predictable structure: typically the 6:00 am meteorological messages of the Luftwaffe.
  Operator's bias: always the same three settings (the surname of his fiancée...)

Slide 18/48. Marian Rejewski: First Attempts
Through espionage the French had a copy of the Enigma machine, which they gave to the Poles (1930s).
Marian Rejewski was a young Polish mathematician who found a way to exploit the Germans' protocol weakness (repetition of the session key).
⇒ The first and fourth transmitted letters encrypt the same plaintext letter.
Using all the messages sent in one day it is easy to build a corresponding alphabet like:
  First letter:  ABCDEFGHIJKLMNOPQRSTUVWXYZ
  Fourth letter: XFEARBSLHQIGCVDZWKMNJUOYTP
This table is independent of the plugboard.

Slide 19/48. Rejewski's cycles
Given a corresponding alphabet one can factor it into cycles. For instance, in
  First letter:  ABCDEFGHIJKLMNOPQRSTUVWXYZ
  Fourth letter: XFEARBSLHQIGCVDZWKMNJUOYTP
one can form the cycles
  A → X → Y → T → N → V → U → J → Q → W → O → D → A
  B → F → B
  C → E → R → K → I → H → L → G → S → M → C
  P → Z → P
It turns out that this decomposition into cycles is determined by the original setting of the rotors (like a DNA code for it).
⇒ Just make a big book with all combinations! ($26^3 \times 10$)
It is not over: what about the plugboard? (Easy to crack by hand. Can you find out how?)
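The decomposition above carried out in code, as an added example that is not from the slides: it factors the slide's correspondence table into cycles and then checks the remark that the cycle structure does not depend on the plugboard, using the day-12 plugboard wires from the key book. The Enigma modelling is the standard one (each position is S·R_i·S, with S the plugboard involution); the function names are my own.

```python
# Added example, not part of the slides: Rejewski's cycle decomposition of a
# "first letter -> fourth letter" table, and why it is independent of the plugboard.
from string import ascii_uppercase as ALPHABET

# The correspondence table shown on the slide (images of A..Z, in order).
FIRST_TO_FOURTH = "XFEARBSLHQIGCVDZWKMNJUOYTP"
# Plugboard wires for day 12 in the slide's key book.
DAY12_PLUGBOARD = ["FD", "IZ", "LP", "MN", "TA", "SY"]


def cycles_of(mapping):
    """Factor a permutation of A..Z (given as its image string) into cycles.

    Each cycle is returned as the letters visited in order, starting from the
    smallest letter not yet placed, e.g. 'AXYTNVUJQWOD' for A->X->Y->...->D->A.
    """
    if sorted(mapping) != list(ALPHABET):
        raise ValueError("mapping must be a permutation of A..Z")
    image = dict(zip(ALPHABET, mapping))
    seen = set()
    cycles = []
    for start in ALPHABET:
        if start in seen:
            continue
        cycle, current = [], start
        while current not in seen:
            seen.add(current)
            cycle.append(current)
            current = image[current]
        cycles.append("".join(cycle))
    return cycles


def signature(mapping):
    """Sorted cycle lengths: the 'DNA' of the rotor setting, i.e. the key under
    which the book of all 26^3 x 10 combinations would be indexed."""
    return tuple(sorted(len(c) for c in cycles_of(mapping)))


def plugboard(wires):
    """The involution S realised by plugboard cables such as ['FD', 'IZ']."""
    swap = {c: c for c in ALPHABET}
    for a, b in wires:
        swap[a], swap[b] = b, a
    return swap


def behind_plugboard(mapping, swap):
    """Table observed when the same rotor setting is used with plugboard S.

    Each Enigma position computes S.R_i.S (S is its own inverse), so the
    first->fourth table E_4.E_1 becomes S.(R_4.R_1).S: a conjugate of the
    plugboard-free table. Conjugation relabels letters but cannot change
    the cycle lengths, which is why the book needs no plugboard column.
    """
    image = dict(zip(ALPHABET, mapping))
    return "".join(swap[image[swap[c]]] for c in ALPHABET)


if __name__ == "__main__":
    for cycle in cycles_of(FIRST_TO_FOURTH):
        print(" -> ".join(cycle) + " -> " + cycle[0])
    print("signature without plugboard:", signature(FIRST_TO_FOURTH))
    observed = behind_plugboard(FIRST_TO_FOURTH, plugboard(DAY12_PLUGBOARD))
    print("table with day-12 plugboard:", observed)
    print("signature with plugboard:   ", signature(observed))
```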

Slide 20/48. Cryptanalysis Automated: A. Turing at Bletchley Park
In May 1937 the Germans changed their protocols and Rejewski's attack was no longer possible.
Turing noted a similarity between messages: a known-plaintext ("clear text") attack. Famous example: "wetter" in the messages of the meteorological site. Called "cribs", such repeated fragments can lead to an attack.
Suppose you know that the message starts with: WETTERUEBERSICHTNULLSECHSNULLNULL
Consider the ciphertext:
  crib:       W E T T E R U E B E R S I C H T
  ciphertext: E R G H W T S S K J F E G L A W
There is a cycle W →(0) E →(1) R →(4) T →(16) W

Slide 21/48. Cryptanalysis Bombe (schema)
How to discover those cycles automatically? We can try to work on 4 machines in parallel. By linking them together and setting them correctly, following the crib, we can close an electrical circuit: (wiring schema; figure not reproduced in this text)

Slide 22/48. Turing's Cryptanalysis Bombe (photograph; image not reproduced in this text)

Slide 23/48. Information War
War actions were undertaken to make the Germans communicate.
⇒ Indeed the Allies knew how geographic data were encoded (standard espionage).
The Allies knew where the U-boats were; they could have destroyed them all at once... but the Germans would then have switched their cryptosystems. How to use the information?

Slide 24/48. Conclusion
The mathematics of the cryptosystem is just one parameter among others: espionage, protocol applications, practical implementations, sheer luck, ...
No such thing as coincidence...

Slide 26/48. Practical Case of de-Anonymization: Netflix
Striking results [Narayanan and Shmatikov, 2009]. Netflix published a subset of its customer data; the aim was to produce useful movie suggestions for pay-per-view.
  User    Movies/Marks          Movies/marks hidden
  456789  87/4, 998/2, 687/4    954/2, 486/4
  654953  45/3, 743/3, 486/4    687/3, 45/4
  ...
The data are simply anonymized by replacing the real name with a random number.
Results: 99% correct de-anonymization with more than 8 marks (84% if one ignores the date on which the mark was set, when non-mainstream movies are among those seen).

Slide 27/48. Social Data Anonymization: Dimensions and Principles
A problem more down to earth than non-interference:
  Partial knowledge of the graph by the opponent.
  Active attacker (embedding fake subgraphs in order to re-identify them).
  Objects of interest vary from one data set to another.
Hence three important points to consider:
  1. Background knowledge: what does the opponent know? Model of the opponent.
  2. Privacy: what is attacked?
  3. Usage: how is the data going to be analyzed?
⇒ Anonymizing techniques

Slide 28/48. Social Data Anonymization: Techniques
Two families:
  Clustering: group together edges and nodes.
  k-anonymity (and l-diversity): there should be at least k-1 other candidates with similar features.
Let us focus on the k-anonymity approach: the problem amounts to creating $G'$ such that $G' = G_1 \oplus G_2 \oplus \dots \oplus G_k$ where the $G_i$ are isomorphic graphs.
It is NP-hard to find graph transformations minimizing the edit distance between a graph and a k-isomorphic graph.
One tentative approach: select $1/k$ of the nodes at random, create k clones, and link the clones together, e.g. with categorical graph transformation approaches.
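An added example (not from the slides or the cited paper) that audits a pseudonymized rating table like the Netflix one above for the k-anonymity property just defined, and measures how often an opponent's partial knowledge (the slide's "background knowledge" dimension) pins a record down. The extra rows are constructed, and the quasi-identifier used, the set of (movie, mark) pairs, is an assumption of the example.

```python
# Added example, not part of the slides: audit a naively pseudonymized rating
# release for k-anonymity and for re-identification from partial knowledge.
from itertools import combinations

# Rows from the slide's Netflix table plus constructed rows (marked as such),
# so that some pseudonyms share features. Each row: pseudonym -> {movie: mark}.
RECORDS = {
    456789: {87: 4, 998: 2, 687: 4},   # from the slide
    654953: {45: 3, 743: 3, 486: 4},   # from the slide
    101010: {87: 4, 998: 2, 687: 4},   # constructed: same ratings as 456789
    202020: {45: 3, 743: 3, 486: 4},   # constructed: same ratings as 654953
    303030: {45: 3, 743: 2, 486: 4},   # constructed: differs from 654953 in one mark
}


def quasi_identifier(ratings):
    """Features an opponent could learn about a person from elsewhere (public
    reviews, conversation): here, the (movie, mark) pairs. Assumption of the example."""
    return frozenset(ratings.items())


def anonymity_set_size(records, pseudonym):
    """Number of records (this one included) sharing the record's quasi-identifier:
    the 'k-1 other candidates with similar features' of the slide, plus one."""
    qi = quasi_identifier(records[pseudonym])
    return sum(1 for r in records.values() if quasi_identifier(r) == qi)


def k_anonymity(records):
    """The k the release actually achieves: the smallest anonymity set."""
    return min(anonymity_set_size(records, p) for p in records)


def candidates(records, known):
    """Pseudonyms consistent with background knowledge `known` ({movie: mark}).
    A single candidate means the pseudonym is re-identified."""
    return sorted(p for p, ratings in records.items()
                  if all(ratings.get(m) == mark for m, mark in known.items()))


def uniqueness_rate(records, n_known):
    """Fraction of (record, n_known-rating subset) pairs where those n_known ratings
    alone single out the record. This is the quantity the slide's '99% for more
    than 8 marks' result reports, measured on the release before publishing it."""
    unique = total = 0
    for p, ratings in records.items():
        for subset in combinations(sorted(ratings.items()), n_known):
            total += 1
            unique += candidates(records, dict(subset)) == [p]
    return unique / total if total else 0.0


if __name__ == "__main__":
    print("k achieved by the release:", k_anonymity(RECORDS))
    print("who rated movie 743 with mark 2?", candidates(RECORDS, {743: 2}))
    for n in (1, 2):
        print(f"records singled out by {n} known rating(s): "
              f"{uniqueness_rate(RECORDS, n):.3f}")
```

The audit reports k = 1 for the table as given, since the constructed row 303030 is alone in its anonymity set; dropping it (or generalizing its marks) raises k to 2.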

Slide 30/48. IT and Privacy: Art or Science?
Computer science: art or science? "The Art of Computer Programming", D.E. Knuth.
Basic issue in privacy: how do you study the strength of a cryptosystem?
  Computational security.
  Provable security.
  Unconditional security.
Which attacks are considered? Ciphertext only? Plaintext attack? Partial plaintext? etc.

Slide 31/48. Information Theory 101
First things first: what is information?
⇒ Ultimately it can be seen as the means of reducing uncertainty.
Pioneering work of C.E. Shannon:
  "A Mathematical Theory of Communication", The Bell System Technical Journal, vol. 27, 1948.
  "Communication Theory of Secrecy Systems", The Bell System Technical Journal, vol. 28, 1949.
It is a study in probability theory: more precisely, how a probability distribution is affected by some hypotheses.

  61. Information Theory Cryptology: [Shannon, 1949] Discrete Probabilities Discrete random variable: X Probability distribution: P s. t. � i ∈ I Pr P [ X = x i ] = 1 Joint Probability: Pr P , Q [ X = x , Y = y ] Conditional Probability: Pr P , Q [ X = x | Y = y ] Pr P , Q [ x , y ] = Pr P , Q [ x | y ] Pr Q [ y ] = Pr Q , P [ y | x ] Pr P [ x ] Theorem (Baye’s theorem) if Pr P [ y ] > 0 then Pr P , Q [ x | y ] = Pr P [ x ] Pr Q , P [ y | x ] Pr Q [ y ] F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 1 - Introduction why cryptography is not enough erieure de Lyon) July 2015 32 / 48

  62. Information Theory Cryptology: [Shannon, 1949] / Information theoretic studies of cryptosystems
      Plan
      1 Cryptography is not Enough
          Enigma Cryptanalysis
          Naive Anonymization Just doesn't Work
      2 Information Theory Cryptology: [Shannon, 1949]
          Information theoretic studies of cryptosystems
          Entropy of passwords
      3 Conclusion

  64. Information Theory Cryptology: [Shannon, 1949] / Information theoretic studies of cryptosystems / Perfect Secrecy
      How to prove unconditional strength for a cryptosystem?
      Formal definition of a cryptosystem:
      Definition (cryptosystem): $(T, C, K, E, \Delta)$ with
        $T$: clear Texts.  $C$: Cyphers.  $K$: Keys.
        $\forall k \in K$ there is $e_k \in E$ and $d_k \in \Delta$ such that $e_k : T \to C$, $d_k : C \to T$, and $\forall x \in T$ one has $d_k(e_k(x)) = x$.

  68. Information Theory Cryptology: [Shannon, 1949] / Information theoretic studies of cryptosystems / Secrecy and Probabilities
      Plaintext: $\mathbf{x}$ following $P$. Key: $\mathbf{K}$ following the equiprobable distribution.
      Since usually the key is chosen before encryption, it is fair to assume $\mathbf{K}$ and $\mathbf{x}$ are independent random variables.
      The probability of cyphertexts can be computed from $\mathbf{K}$ and $\mathbf{x}$:
        $C(K) = \{\, e_K(x) \mid x \in T \,\}$
        $\Pr_P[\mathbf{y} = y] = \sum_{\{K \mid y \in C(K)\}} \Pr_K[\mathbf{K} = K]\,\Pr_P[\mathbf{x} = d_K(y)]$
        $\Pr_P[\mathbf{y} = y \mid \mathbf{x} = x] = \sum_{\{K \mid x = d_K(y)\}} \Pr_K[\mathbf{K} = K]$
      By Bayes' theorem:
        $\Pr_P[\mathbf{x} = x \mid \mathbf{y} = y] = \dfrac{\Pr_P[\mathbf{x} = x] \times \sum_{\{K \mid x = d_K(y)\}} \Pr_K[\mathbf{K} = K]}{\sum_{\{K \mid y \in C(K)\}} \Pr_K[\mathbf{K} = K]\,\Pr_P[\mathbf{x} = d_K(y)]}$
      (Bold letters denote random variables, plain letters their values.)

  69. Information Theory Cryptology: [Shannon, 1949] / Information theoretic studies of cryptosystems / Defining Perfect Secrecy
      Definition (Perfect Secrecy): a cryptosystem has perfect secrecy if $\Pr[x \mid y] = \Pr[x]$.
      In other words, if the a posteriori probability that the plaintext is $x$, given the cypher $y$, is identical to the a priori probability that the plaintext is $x$.
      One-time pad can be proven to achieve perfect secrecy.
      Shannon's perfect secrecy theorem: the cryptosystem has perfect secrecy if and only if each key is used with equal probability $1/|K|$ and, for every plaintext $x$ and ciphertext $y$, there is a unique key $k$ such that $e_k(x) = y$.
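The a posteriori computation of the previous slides, worked through in code, as an added example that is not part of the lecture material: the cryptosystem $(T, C, K, E, \Delta)$ is modelled as finite sets plus $e_k$/$d_k$ functions, $\Pr[y]$ and $\Pr[x \mid y]$ are computed exactly with the two sums from the slide, and the result is compared with the a priori $\Pr[x]$. The shift cipher over $\mathbb{Z}_5$ and the plaintext and key distributions are constructed for the example; with a uniform key the shift cipher is a one-symbol one-time pad and passes the check, with a biased key it fails, and the two conditions of Shannon's theorem are checked separately.

```python
from fractions import Fraction

# Added example, not from the slides: Pr[x | y] computed from the slide's sums
# for a small cryptosystem (T, C, K, E, Δ), using Fractions so the comparison
# with the a priori probability is exact.

def make_shift_cipher(n):
    """Shift cipher over Z_n: T = C = K = {0..n-1}, e_k(x) = x + k mod n.
    With an equiprobable key this is a one-symbol one-time pad."""
    T = C = K = list(range(n))
    enc = lambda k, x: (x + k) % n   # e_k : T -> C
    dec = lambda k, y: (y - k) % n   # d_k : C -> T
    return T, C, K, enc, dec

def pr_cipher(y, T, K, enc, dec, pr_plain, pr_key):
    """Pr[y] = sum over {K | y in C(K)} of Pr[K] * Pr[x = d_K(y)]."""
    total = Fraction(0)
    for k in K:
        image = {enc(k, x) for x in T}           # C(K) = { e_K(x) | x in T }
        if y in image:
            total += pr_key[k] * pr_plain.get(dec(k, y), Fraction(0))
    return total

def pr_cipher_given_plain(y, x, K, dec, pr_key):
    """Pr[y | x] = sum over {K | x = d_K(y)} of Pr[K]."""
    return sum((pr_key[k] for k in K if dec(k, y) == x), Fraction(0))

def posterior(x, y, T, K, enc, dec, pr_plain, pr_key):
    """Bayes: Pr[x | y] = Pr[x] * Pr[y | x] / Pr[y]; None when Pr[y] = 0."""
    pr_y = pr_cipher(y, T, K, enc, dec, pr_plain, pr_key)
    if pr_y == 0:
        return None
    return pr_plain[x] * pr_cipher_given_plain(y, x, K, dec, pr_key) / pr_y

def has_perfect_secrecy(T, C, K, enc, dec, pr_plain, pr_key):
    """Perfect secrecy: Pr[x | y] = Pr[x] for every x and every y with Pr[y] > 0."""
    for y in C:
        if pr_cipher(y, T, K, enc, dec, pr_plain, pr_key) == 0:
            continue                                  # this y never occurs
        for x in T:
            if posterior(x, y, T, K, enc, dec, pr_plain, pr_key) != pr_plain[x]:
                return False
    return True

def shannon_conditions(T, C, K, enc, pr_key):
    """Shannon's characterisation: every key used with probability 1/|K| and,
    for every (x, y), exactly one key k with e_k(x) = y."""
    equiprobable = all(pr_key[k] == Fraction(1, len(K)) for k in K)
    unique_key = all(sum(1 for k in K if enc(k, x) == y) == 1
                     for x in T for y in C)
    return equiprobable and unique_key

# Constructed distributions over Z_5 (illustrative values, not from the slides).
T, C, K, enc, dec = make_shift_cipher(5)
PLAIN_DIST = {0: Fraction(1, 2), 1: Fraction(1, 8), 2: Fraction(1, 8),
              3: Fraction(1, 8), 4: Fraction(1, 8)}        # skewed plaintext
UNIFORM_KEY = {k: Fraction(1, 5) for k in K}
BIASED_KEY = {0: Fraction(1, 2), 1: Fraction(1, 8), 2: Fraction(1, 8),
              3: Fraction(1, 8), 4: Fraction(1, 8)}         # key 0 favoured

if __name__ == "__main__":
    print("uniform key, perfect secrecy:",
          has_perfect_secrecy(T, C, K, enc, dec, PLAIN_DIST, UNIFORM_KEY))
    print("biased key,  perfect secrecy:",
          has_perfect_secrecy(T, C, K, enc, dec, PLAIN_DIST, BIASED_KEY))
    print("biased key,  Pr[x=0 | y=0] =",
          posterior(0, 0, T, K, enc, dec, PLAIN_DIST, BIASED_KEY),
          "vs a priori", PLAIN_DIST[0])
```

With the biased key, observing the cyphertext $0$ raises the probability of plaintext $0$ from $1/2$ to $4/5$: the cypher leaks information even though every key decrypts correctly. The shift cipher has $|T| = |C| = |K|$, which is the setting in which Shannon's theorem is usually stated, so the outcome of `has_perfect_secrecy` and of `shannon_conditions` agree on both key distributions.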

  72. Information Theory Cryptology: [Shannon, 1949] / Information theoretic studies of cryptosystems / Entropy
      What if the key is used for more than one encryption?
      Entropy is a mathematical measure of information or uncertainty.
      ⇒ computed as a function of the probability distribution.
      Suppose $X$ follows $P$: what is learnt through experiments following $P$?
      ⇒ This is the entropy of $X$: $H(X)$.
      Imagine a mind game: guess a word while its letters are given one by one.

  73. Information Theory Cryptology: [Shannon, 1949] / Information theoretic studies of cryptosystems / Entropy definition
      Definition (Entropy): let $X$ follow $P$, then
        $H(X) = -\sum_{x \in X} \Pr_P[X = x]\,\log_2\big(\Pr_P[X = x]\big)$
      The log is undefined for 0, but the limit is 0... so it is ok in the sum.
      The choice of the base of the log is arbitrary.
      Many applications to cryptosystems, e.g.:
      Theorem: consider the cryptosystem $(T, C, K, E, \Delta)$; then $H(K \mid C) = H(K) + H(P) - H(C)$.
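The entropy definition and the theorem $H(K \mid C) = H(K) + H(P) - H(C)$, checked numerically as an added example (not the lecture's code). It also answers the question raised two slides earlier, "what if the key is used for more than one encryption?", by building the joint distribution of $(K, C_1, \dots, C_m)$ when one key encrypts $m$ independent plaintexts and computing the key equivocation $H(K \mid C_1 \dots C_m)$; the identity then reads $H(K) + m\,H(P) - H(C_1 \dots C_m)$, which is the slide's theorem for $m = 1$. The cipher is a shift cipher over $\mathbb{Z}_4$ and the distributions are constructed for the example.

```python
import math
from collections import defaultdict
from fractions import Fraction
from itertools import product

# Added example, not from the slides: H(X) from a distribution, the theorem
# H(K | C) = H(K) + H(P) - H(C) verified on a shift cipher, and the same
# computation when one key encrypts several independent plaintexts.

def entropy(dist):
    """H(X) = -sum_x Pr[X = x] log2 Pr[X = x]; zero-probability terms contribute 0."""
    total = 0.0
    for p in dist.values():
        q = float(p)
        if q > 0:
            total -= q * math.log2(q)
    return total

def shift_enc(n):
    """e_k(x) = x + k mod n over Z_n."""
    return lambda k, x: (x + k) % n

def joint_key_ciphers(pr_plain, pr_key, enc, uses):
    """Joint distribution of (K, (C_1, ..., C_uses)) when the key K, independent
    of the plaintexts, encrypts `uses` independent plaintexts drawn from pr_plain."""
    joint = defaultdict(Fraction)
    for k, pk in pr_key.items():
        for xs in product(pr_plain, repeat=uses):
            p = pk
            for x in xs:
                p *= pr_plain[x]
            joint[(k, tuple(enc(k, x) for x in xs))] += p
    return joint

def cipher_marginal(joint):
    """Marginal distribution of the cyphertext tuple."""
    pr_c = defaultdict(Fraction)
    for (_k, cs), p in joint.items():
        pr_c[cs] += p
    return pr_c

def key_equivocation(pr_plain, pr_key, enc, uses=1):
    """H(K | C_1..C_uses) = H(K, C_1..C_uses) - H(C_1..C_uses)."""
    joint = joint_key_ciphers(pr_plain, pr_key, enc, uses)
    return entropy(joint) - entropy(cipher_marginal(joint))

def theorem_rhs(pr_plain, pr_key, enc, uses=1):
    """H(K) + uses * H(P) - H(C_1..C_uses): the slide's right-hand side for uses = 1."""
    joint = joint_key_ciphers(pr_plain, pr_key, enc, uses)
    return entropy(pr_key) + uses * entropy(pr_plain) - entropy(cipher_marginal(joint))

# Constructed distributions over Z_4 (illustrative values, not from the slides).
N = 4
PLAIN = {0: Fraction(1, 2), 1: Fraction(1, 4), 2: Fraction(1, 8), 3: Fraction(1, 8)}
UNIFORM_PLAIN = {x: Fraction(1, N) for x in range(N)}
KEY = {k: Fraction(1, N) for k in range(N)}      # equiprobable key
ENC = shift_enc(N)

if __name__ == "__main__":
    print(f"H(P) = {entropy(PLAIN):.4f}  H(K) = {entropy(KEY):.4f}")
    for m in (1, 2, 3):
        print(f"{m} encryption(s) under one key: "
              f"H(K | C_1..C_{m}) = {key_equivocation(PLAIN, KEY, ENC, m):.4f} bits, "
              f"theorem rhs = {theorem_rhs(PLAIN, KEY, ENC, m):.4f}")
```

With an equiprobable key the cyphertext of a single encryption is uniform, so $H(C) = H(K)$ and the theorem gives $H(K \mid C) = H(P)$: after one cyphertext the uncertainty left about the key is exactly the plaintext entropy. Reusing the key on a second plaintext lowers $H(K \mid C_1 C_2)$ below that value whenever the plaintext distribution is not uniform, which is the quantitative answer to the slide's question; for a uniform plaintext the equivocation stays at $H(K)$ however often the key is reused.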

  74. Information Theory Cryptology: [Shannon, 1949] / Entropy of passwords
      Plan
      1 Cryptography is not Enough
          Enigma Cryptanalysis
          Naive Anonymization Just doesn't Work
      2 Information Theory Cryptology: [Shannon, 1949]
          Information theoretic studies of cryptosystems
          Entropy of passwords
      3 Conclusion

  76. Information Theory Cryptology: [Shannon, 1949] / Entropy of passwords / How to Choose a Password?
      By far the most used technology of access control.
      Problems linked to the number of passwords to manage (reuse?).
      A lot of advice is available on how to build a "secure" password.
      Information theory can help us to scientifically assess whether a password is good.
      ⇒ The problem is to find a password that is not too short, but also not too long and difficult to remember.
      In real life: building a dictionary by a scan of the hard drive (50% success rate).
      Using a password manager is a good compromise.
