
Lecture 2: Private Key Cryptography II

Lecture 2: Private Key Cryptography II. CS 436/636/736 Spring 2014 Nitesh Saxena. Today’s fun/informative bit – The Smudge Attack. See: http://www.usenix.org/event/woot10/tech/full_papers/Aviv.pdf. Course Administration. Everything seems to be under control. Any questions?


Presentation Transcript


  1. Lecture 2: Private Key Cryptography II CS 436/636/736 Spring 2014 Nitesh Saxena

  2. Today’s fun/informative bit – The Smudge Attack • See: http://www.usenix.org/event/woot10/tech/full_papers/Aviv.pdf Lecture 2.2 - Private Key Cryptography II

  3. Course Administration
     • Everything seems to be under control
     • Any questions?
     • HW1 heads up
       • To be posted by this weekend
       • Covers lecture 1, 2
       • 10-12 days for you to work on it

  4. Outline of today’s lecture
     • Block Ciphers
     • Data Encryption Standard (DES)
     • DES Security and Extensions
     • Block Cipher Modes of Encryption
     • AES (at home reading assignment)

  5. Block Ciphers and Stream Ciphers
     • Block ciphers partition plaintext into blocks and encrypt each block independently (with the same key) to produce ciphertext blocks.
     • A stream cipher generates a keystream and encrypts by combining the keystream with the plaintext, usually with the bitwise XOR operation.
     • We will focus mostly on Block Ciphers

  6. DES – Data Encryption Standard
     • Encrypts by a series of substitutions and transpositions.
     • Based on Feistel Structure
     • Worldwide standard for more than 25 years.
     • Designed by IBM (Lucifer) with later help from NSA.
     • No longer considered secure for highly sensitive applications.
     • Replacement standard AES (Advanced Encryption Standard) recently completed.

  7. DES – Overview (Block Operation)

  8. DES – Each Round

  9. DES – Function F

  10. DES – Key Schedule (KS)

  11. Operation Tables of DES: Key Schedule, PC-1, PC-2

  12. Operation Tables (IP, IP^-1, E and P)

  13. S-boxes: S1 (as an example) Is the table entry from

  14. DES Decryption
     • Same as the encryption algorithm with the “reversed” key schedule – NEXT!

  15. [Diagram] Plain text → Initial permutation (IP) → Round-1 (key K1) → Rounds 2-15 → Round-16 (key K16) → swap → IP inverse → Cipher text

  16. [Diagram residue; labels: encrypt: IP inverse, Cipher text; decrypt: IP, Round-1 (K16)]

  17. DES Example
     We choose a random plaintext block and a random key, and determine what the ciphertext block would be (all in hexadecimal):

  18. Example (contd) -- encryption

  19. Example (contd) -- decryption
     Let us see how Bob, at the destination, can decipher the ciphertext received from Alice using the same key. Table 6.16 shows some interesting points.

  20. DES Security: Avalanche Effect

  21. Further Reading
     • Chapter 7.4 of HAC
     • Chapter 3 of Stallings

  22. DES Security
     • S-Box design not well understood
     • Has survived some recent sophisticated attacks (differential cryptanalysis)
     • Key is too short. Hence is vulnerable to brute force attack.
     • 1998 distributed attack took 3 months.
     • $1,000,000 machine will crack DES in 35 minutes – 1997 estimate. $10,000 – 2.5 days.

  23. DES Cracking machine

  24. Super-encryption
     • If key length is a concern, then instead of encrypting once, encrypt twice!!
       C = E_K2(E_K1(P))
       P = D_K1(D_K2(C))
     • Does this result in a larger key space?
     • Encrypting with multiple keys is known as super-encryption.
     • May not always be a good idea

  25. Double DES
     • Double DES is almost as easy to break as single DES (Needs more memory though)!

  26. Double DES – Meet-in-the-middle Attack (due to Diffie-Hellman)
     • Based on the observation that, if C = E_K2(E_K1(P)), then X = E_K1(P) = D_K2(C).
     • Given a known (P, C) pair, encrypt P with all possible values of K and store the results in table T.
     • Next, decrypt C with all possible keys K and check each result against T. If a match occurs, then check the key pair with a new known (P, C) pair. If a match occurs again, you have found the keys. Else continue as before.
     • Process will terminate successfully.

  27. Meet-in-the-middle Explanation
     • The first match does not say anything as we have 2^64 ciphertexts and 2^112 keys.
     • On the average 2^112 / 2^64 = 2^48 keys will produce same ciphertext.
     • So there could be 2^48 possible candidates
     • We can use a second pair (P’, C’)
     • So, probability that false alarm will survive two known (P, C) pairs is 2^48 / 2^64 = 2^-16.
     • One can always check a third pair to further reduce the chance of a false alarm.
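The meet-in-the-middle procedure from slides 26 and 27, run end to end as an added example (not part of the original lecture). It assumes a hypothetical 16-bit toy Feistel cipher with 12-bit keys in place of DES, so the slide's 2^112 / 2^64 = 2^48 false candidates shrink to 2^24 / 2^16 = 2^8; all names, keys and plaintexts are constructed.

```python
import hashlib

KEY_BITS = 12                 # toy key size (DES uses 56)
KEYS = 1 << KEY_BITS          # block size here is 16 bits (DES uses 64)

def _feistel(key, block, rounds):
    # Hypothetical toy Feistel network, not DES: 8-bit halves, SHA-256 round function.
    left, right = block >> 8, block & 0xFF
    for rnd in rounds:
        f = hashlib.sha256(bytes([key >> 8, key & 0xFF, rnd, right])).digest()[0]
        left, right = right, left ^ f
    return (right << 8) | left            # final swap, as in DES

def encrypt(key, block):
    return _feistel(key, block, range(4))

def decrypt(key, block):
    # Same network with the round order reversed (slide 14).
    return _feistel(key, block, reversed(range(4)))

def double_encrypt(k1, k2, p):
    return encrypt(k2, encrypt(k1, p))    # C = E_K2(E_K1(P))

def meet_in_the_middle(pairs):
    """Return (candidates after the first (P, C) pair, survivors after all pairs)."""
    (p, c), extra = pairs[0], pairs[1:]
    table = {}                            # X = E_K1(P) -> every K1 that produces X
    for k1 in range(KEYS):
        table.setdefault(encrypt(k1, p), []).append(k1)
    candidates = [(k1, k2) for k2 in range(KEYS)
                  for k1 in table.get(decrypt(k2, c), [])]   # X = D_K2(C)
    survivors = [kp for kp in candidates
                 if all(double_encrypt(*kp, p2) == c2 for p2, c2 in extra)]
    return candidates, survivors

def demo():
    k1, k2 = 0xABC, 0x123                 # constructed secret key pair
    pairs = [(p, double_encrypt(k1, k2, p)) for p in (0x1234, 0xBEEF, 0x0F0F)]
    candidates, survivors = meet_in_the_middle(pairs)
    return len(candidates), survivors     # many first-pair matches, one real key pair

if __name__ == "__main__":
    print(demo())
```

The search costs 2 x 2^12 cipher operations plus a 2^12-entry table instead of 2^24 trial double encryptions, which is the "almost as easy as single DES, but needs more memory" trade-off from slide 25.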

  28. Triple DES
     • Triple DES (2 keys) requires 2^112 search. Is reasonably secure.
     • Triple DES (3 keys) requires 2^112 as well
     • Which one is better?

  29. Block Cipher Encryption modes
     • Electronic Code Book (ECB)
     • Cipher Block Chain (CBC)
       • Most popular one
     • Cipher Feed Back (CFB)
     • Output Feed Back (OFB)
     Lecture 2.3 - Private Key Cryptography III

  30. Analysis
     We will analyze each of the modes in terms of:
     • Security
     • Computational Efficiency (parallelizing encryption/decryption)
     • Transmission Errors
     • Integrity Protection

  31. Electronic Code Book (ECB) Mode
     • Although DES encrypts 64 bits (a block) at a time, it can encrypt a long message (file) in Electronic Code Book (ECB) mode.
     • Deterministic -- if the same key is used, identical plaintext blocks map to identical ciphertext blocks

  32. Example – why ECB is bad?
     [Images: Tux; Tux encrypted with AES in ECB mode]

  33. Cipher Block Chain (CBC) Mode
     [Diagrams: encryption; decryption]

  34. CBC Traits
     • Randomized encryption
     • IV – Initialization vector serves as the randomness for first block computation; the ciphertext of the previous block serves as the randomness for the current block computation
     • IV is a random value
     • IV is no secret; it is sent along with the ciphertext blocks (it is part of the ciphertext)

  35. Example – why CBC is good?
     [Images: Tux; Tux encrypted with AES in CBC mode]

  36. CBC – More Properties
     • What happens if the k-th cipher block C_k gets corrupted in transmission?
       • With ECB – Only decrypted P_k is affected.
       • With CBC?
         • Only blocks P_k and P_{k+1} are affected!!
     • What if one plaintext block P_k is changed?
       • With ECB only C_k affected.
       • With CBC all subsequent ciphertext blocks will be affected.
         • “Avalanche effect”
         • This leads to an effective integrity protection mechanism (or message authentication code (MAC))
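The ECB and CBC properties from slides 31, 34 and 36, checked in code as an added example (not part of the original lecture). It assumes a hypothetical 64-bit toy Feistel cipher built from HMAC-SHA256 as a stand-in for DES; function names and sample data are constructed.

```python
import hashlib
import hmac

BS = 8  # block size in bytes (64 bits, as in DES)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _feistel(key, block, rounds):
    # Hypothetical toy 4-round Feistel network standing in for DES.
    l, r = block[:4], block[4:]
    for rnd in rounds:
        l, r = r, xor(l, hmac.new(key, bytes([rnd]) + r, hashlib.sha256).digest()[:4])
    return r + l

def block_encrypt(key, block):
    return _feistel(key, block, range(4))

def block_decrypt(key, block):
    return _feistel(key, block, reversed(range(4)))

def split(data):
    return [data[i:i + BS] for i in range(0, len(data), BS)]

def ecb_encrypt(key, blocks):
    return [block_encrypt(key, m) for m in blocks]

def ecb_decrypt(key, cblocks):
    return [block_decrypt(key, c) for c in cblocks]

def cbc_encrypt(key, iv, blocks):
    out = [iv]                                   # C_0 is the IV
    for m in blocks:
        out.append(block_encrypt(key, xor(m, out[-1])))
    return out

def cbc_decrypt(key, cblocks):
    # P_k = D_K(C_k) XOR C_{k-1}
    return [xor(block_decrypt(key, c), prev) for prev, c in zip(cblocks, cblocks[1:])]

def damaged_blocks(original, received):
    # 1-based indices of plaintext blocks that changed after a transmission error.
    return [i + 1 for i, (a, b) in enumerate(zip(original, received)) if a != b]

def corrupt(cblocks, index):
    # Flip one bit in the ciphertext block at list position `index`.
    bad = list(cblocks)
    bad[index] = xor(bad[index], b"\x01" + bytes(BS - 1))
    return bad
```

With four identical plaintext blocks, `ecb_encrypt` returns four identical ciphertext blocks while `cbc_encrypt` returns four different ones; corrupting C_2 damages only P_2 under ECB and only P_2 and P_3 under CBC.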

  37. Cipher Feedback Mode (CFB)

  38. CFB Properties
     • Randomized encryption – good for security (Tux won’t be visible after encryption!)
     • Change in one plaintext bit is going to affect all subsequent ciphertext bits. So can be used for MAC.
     • Change in ciphertext bit results in?

  39. Output Feedback Mode (OFB)

  40. OFB Properties
     • Randomized encryption – good for security (Tux won’t be visible after encryption!)
     • Bit errors in transmission do not propagate (except for the IV)
     • Not good for authentication – no avalanche effect

  41. Security of Block Cipher Modes
     • ECB is not even secure against eavesdroppers (ciphertext only and known plaintext attacks)
     • CBC, CFB and OFB are secure against CPA attacks (assuming 3-DES or AES is used in each block computation); automatically secure against eavesdropping attacks
     • However, none is secure against CCA. Why?
     • Intuitively, this is because the ciphertext can be “massaged” in a meaningful way -- see whiteboard (please take notes)

  42. Summary of CCA Attacks
     • Assume adversary has eavesdropped upon a ciphertext – (C0, C1, C2) -- corresponding to a plaintext (M1, M2). C0 is IV.
     • Adversary is not allowed to query for (C0, C1, C2) itself
     • With CBC, adversary queries for (C0’, C1, C2) and obtains (M1’, M2)
     • With CFB, he queries for (C0, C1, C2’) and obtains (M1, M2’)
     • With OFB, he queries for (C0, C1’, C2) / (C0, C1, C2’) / (C0, C1’, C2’) and obtains (M1’, M2) / (M1, M2’) / (M1’, M2’), respectively

  43. How to achieve CCA security?
     • Prevent any massaging of the ciphertext
     • Intuitively, this can be achieved by using integrity protection mechanisms (such as MACs), which we will study later
     • The ciphertext is generated using CBC/CFB/OFB and a MAC is generated on this ciphertext
     • Both the ciphertext and the MAC are sent off
     • The other party decrypts only if the MAC is valid
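The CFB case from slide 42 next to the MAC-then-decrypt check from slide 43, as an added example (not part of the original lecture). It assumes truncated HMAC-SHA256 as a stand-in for the forward direction of 3-DES or AES, which is the only direction CFB uses; the function names, keys and messages are constructed.

```python
import hashlib
import hmac
import os

BLOCK = 16

def prf(key, block):
    # Assumed stand-in for the block cipher's forward direction E_K.
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def cfb_encrypt(key, iv, blocks):
    out, prev = [iv], iv
    for m in blocks:
        prev = xor(m, prf(key, prev))        # C_i = M_i XOR E_K(C_{i-1})
        out.append(prev)
    return out                               # [C0 = IV, C1, C2, ...]

def cfb_decrypt(key, cblocks):
    # M_i = C_i XOR E_K(C_{i-1}); no integrity check of any kind.
    return [xor(c, prf(key, prev)) for prev, c in zip(cblocks, cblocks[1:])]

def tamper_last_block(cblocks, delta):
    # The "massaged" ciphertext (C0, C1, C2') with C2' = C2 XOR delta.
    return cblocks[:-1] + [xor(cblocks[-1], delta)]

def seal(enc_key, mac_key, blocks):
    # Encrypt, then MAC the whole ciphertext including the IV.
    cblocks = cfb_encrypt(enc_key, os.urandom(BLOCK), blocks)
    tag = hmac.new(mac_key, b"".join(cblocks), hashlib.sha256).digest()
    return cblocks, tag

def open_sealed(enc_key, mac_key, cblocks, tag):
    expected = hmac.new(mac_key, b"".join(cblocks), hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None                          # reject before any decryption happens
    return cfb_decrypt(enc_key, cblocks)
```

Without the tag, flipping a bit in C2 flips the same bit in M2 and leaves M1 intact; with the tag, `open_sealed` returns `None` for the modified ciphertext and never decrypts it.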

  44. Advanced Encryption Standard (AES)
     • National Institute of Science and Technology
       • DES is an aging standard that no longer addresses today’s needs for strong encryption
       • Triple-DES: Endorsed by NIST as today’s de facto standard
     • AES: The Advanced Encryption Standard
       • Finalized in 2001
       • Goal – To define Federal Information Processing Standard (FIPS) by selecting a new powerful encryption algorithm suitable for encrypting government documents
       • AES candidate algorithms were required to be:
         • Symmetric-key, supporting 128, 192, and 256 bit keys
         • Royalty-Free
         • Unclassified (i.e. public domain)
         • Available for worldwide export

  45. AES
     • AES Round-3 Finalist Algorithms:
       • MARS
         • Candidate offering from IBM
       • RC6
         • Developed by Ron Rivest of RSA Labs, creator of the widely used RC4 algorithm
       • Twofish
         • From Counterpane Internet Security, Inc.
       • Serpent
         • Designed by Ross Anderson, Eli Biham and Lars Knudsen
       • Rijndael: the winner!
         • Designed by Joan Daemen and Vincent Rijmen

  46. Other Symmetric Ciphers and their applications
     • IDEA (used in PGP)
     • Blowfish (password hashing in OpenBSD)
     • RC4 (used in WEP), RC5
     • SAFER (used in Bluetooth)

  47. Some Questions
     • Double encryption in DES increases the key space size from 2^56 to 2^112 – true or false?
     • Is known-plaintext an active or a passive attack?
     • Is chosen-ciphertext attack an active or a passive attack?
     • Reverse Engineering is applied to what design of systems – open or closed?
     • Alice needs to send a 64-bit long top-secret letter to Bob. Which of the ciphers that we studied today should she use?

  48. Some Questions
     • C = DES(K, P), where P and C are 64-bit long blocks. What would be DES(K, “PPPP”) in ECB mode? What would it be in CBC mode?
     • ECB is secure for sending just one block of data: true or false?
     • Is it okay to re-use IV in CBC? Why/why not?
     • Alice needs to send a *long* top-secret message to Bob. Which of the ciphers that we studied today can she use?
     • Is ECB secure against CPA?
     • Is CBC secure against CPA?
     • Is CBC secure against CCA?
     • Is OFB secure against CCA?

  49. AES: Rijndael
     At home reading assignment!

  50. Rijndael
     • Joan Daemen (of Proton World International) and Vincent Rijmen (of Katholieke Universiteit Leuven).
     • (pronounced “Rhine-doll”)
     • Allows only 128, 192, and 256-bit key sizes (unlike the other candidates)
     • Variable block length of 128, 192, or 256 bits. All nine combinations of key/block length possible.
     • A block is the smallest data size the algorithm will encrypt
     • Vast speed improvement over DES in both hardware and software implementations
       • 8416 bytes/sec on a 20MHz 8051 (@ 12 CPI)
       • 8.8 Mbytes/sec on a 200MHz Pentium Pro
