254542 Networks Management and Security Lecture 2 June 25th & 30th 2005
Cryptography
• E = Encryption, D = Decryption
• K1 and K2 = Encryption and Decryption keys
• m = message or plaintext
• E(m, K1) = ciphertext
• D(E(m, K1), K2) = m
[Figure: Plaintext → E (key K1) → Ciphertext → D (key K2) → Plaintext]

Secret-Key Cryptography
• Both parties share the same key, K1 = K2
• a.k.a. Symmetric Cryptography
• Secrecy can be achieved by
  • Information theory, e.g. One time pad
  • Computational complexity, e.g. DES, AES, etc.

Information Theoretical Secrecy
• A key is …
  • known to both parties
  • as long as the message
  • used only once for each message being sent
• Theoretically unbreakable

One Time Pad
• Let
  • A = Alice, B = Bob
  • m = message/plaintext, c = ciphertext, k = key
  • L = length of text, ⊕ = bitwise exclusive-or
  • L(m) = L(k)
• Then
  • c = m ⊕ k
  • c ⊕ k = (m ⊕ k) ⊕ k = m

Advantages of One Time Pad
• Perfect secrecy
  • If the pad is never used again, no more knowledge about m can be gained
  • If c is known, any message can be derived using an arbitrary k (i.e. m = c ⊕ k)
• Note: two time pad allows some knowledge of messages
  • c1 ⊕ c2 = (m1 ⊕ k) ⊕ (m2 ⊕ k) = m1 ⊕ m2

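The two claims on this slide, as an added example (not from the original slides): any same-length message is consistent with a given ciphertext, and reusing a pad exposes the exclusive-or of the two messages. The function names and the sample messages are constructed for this illustration.

```python
import secrets

def xor(a: bytes, b: bytes) -> bytes:
    """Bitwise exclusive-or of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("one time pad needs L(m) = L(k)")
    return bytes(x ^ y for x, y in zip(a, b))

def otp_encrypt(m: bytes):
    """Return (c, k) where k is a fresh random pad and c = m XOR k."""
    k = secrets.token_bytes(len(m))
    return xor(m, k), k

def pad_for(c: bytes, other_m: bytes) -> bytes:
    """Pad under which c decrypts to other_m; one exists for every message."""
    return xor(c, other_m)

def reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """What an observer learns when one pad encrypted both: m1 XOR m2."""
    return xor(c1, c2)

# Constructed sample messages of equal length (16 bytes each).
M1 = b"MEET AT 10:00 AM"
M2 = b"MEET AT 11:30 PM"

if __name__ == "__main__":
    c1, k = otp_encrypt(M1)
    print(xor(c1, k))                    # decrypts back to M1
    print(xor(c1, pad_for(c1, M2)))      # same c1 "decrypts" to M2 under another pad
    c2 = xor(M2, k)                      # the mistake: pad k used a second time
    leak = reuse_leak(c1, c2)
    print(leak == xor(M1, M2))           # the key has cancelled out
    print(xor(leak, M1))                 # knowing M1 now reveals M2
```

The zero bytes in the leaked value mark every position where the two messages agree, which is already information about both.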
Disadvantages of One Time Pad
• More keys are used up as more messages are sent
• Keys are too long
• Key management is difficult
• An alternative to achieve secrecy is by computation complexity

Computation Complexity
• Assumption: “It is too hard and would take too long to decrypt a message”
• Unproven but generally known to be true
• Easier to manage and implement

Computational Security
• Block cipher
  • Data Encryption Standard (DES)
  • Triple DES
  • Advanced Encryption Standard (AES)
  • Rijndael encryption
• Stream cipher
  • RC4

Stream cipher
• Operate on small units of plaintext (bits)
• c1 may not be equal to c2 even if m1 = m2 and k1 = k2
• Encryption time is also important
• Faster than block cipher
• Approximation of the one time pad
• Mostly synchronous stream cipher
  • K (keystream) is independent of m and c

DES
• Most widely used block cipher (e.g. in banking, government, etc.)
• Both parties share a 64-bit key
• Every 8th bit in the key is unused (making only 56 bits effective)
• 64-bit blocks
• 16 rounds (iterative encryption)

First step of DES
• M = 0000 0001 0010 0011 0100 0101 0110 0111 (L)
      1000 1001 1010 1011 1100 1101 1110 1111 (R)
  (L and R are both 32 bits long)
• K64 = 00010011 00110100 01010111 01111001 10011011 10111100 11011111 11110001
• After the PC-1 permutation:

  PC-1
  57 49 41 33 25 17  9
   1 58 50 42 34 26 18
  10  2 59 51 43 35 27
  19 11  3 60 52 44 36
  63 55 47 39 31 23 15
   7 62 54 46 38 30 22
  14  6 61 53 45 37 29
  21 13  5 28 20 12  4

  K56 = 1111000 0110011 0010101 0101111 (C0)
        0101010 1011001 1001111 0001111 (D0)

* note: example from http://www.aci.net/kalliste/des.htm

Find Cn & Dn

  round:          1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16
  # left shifts:  1  1  2  2  2  2  2  2  1  2  2  2  2  2  2  1

• Cn = Cn-1 << (# of left shifts for round n)
• Dn = Dn-1 << (# of left shifts for round n)
• 1 <= n <= 16
• C0 and D0 are known

Find Kn

  PC-2
  14 17 11 24  1  5
   3 28 15  6 21 10
  23 19 12  4 26  8
  16  7 27 20 13  2
  41 52 31 37 47 55
  30 40 51 45 33 48
  44 49 39 56 34 53
  46 42 50 36 29 32

• Kn = CnDn with PC-2 permutation
• Each Kn is 48 bits long

Initial Permutation (IP)
• Perform IP permutation on M

  IP
  58 50 42 34 26 18 10  2
  60 52 44 36 28 20 12  4
  62 54 46 38 30 22 14  6
  64 56 48 40 32 24 16  8
  57 49 41 33 25 17  9  1
  59 51 43 35 27 19 11  3
  61 53 45 37 29 21 13  5
  63 55 47 39 31 23 15  7

• Get L0 and R0 (32 bits each)

Encoding
• For n = 1 to 16 do
  • Ln = Rn-1
  • Rn = Ln-1 + f(Rn-1, Kn)
• This will result in L16R16
• Reverse to R16L16
• Apply final permutation IP^-1

Modes of Operation
• Electronic Code Block (ECB)
  • Each block is encrypted independently
  • Shortcoming???
• Chain Block Coding (CBC)
  • Most widely used
  • Avoid some problems in ECB (how?)
• Cipher Feedback (CFB)
  • Allow shorter keys
[Figures: ECB, with blocks m1, m2, m3 each encrypted under k to give c1, c2, c3; CBC, with IV, blocks m1, m2, m3, key k and outputs c1, c2, c3]

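The difference between the two modes on this slide, as an added example (not from the original slides). Python's standard library has no DES, so a toy 64-bit Feistel cipher built from SHA-256 stands in for it; `toy_encrypt_block`, `repeated_blocks`, the key, the IV and the message are all constructed for this illustration.

```python
import hashlib

BLOCK = 8  # bytes per block, the same block size as DES

def _f(half: bytes, key: bytes, rnd: int) -> bytes:
    """Round function of the toy cipher (assumption: SHA-256, truncated)."""
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]

def toy_encrypt_block(block: bytes, key: bytes) -> bytes:
    """4-round Feistel stand-in for DES. Illustration only, not a real cipher."""
    l, r = block[:4], block[4:]
    for rnd in range(4):
        l, r = r, bytes(a ^ b for a, b in zip(l, _f(r, key, rnd)))
    return r + l

def blocks(data: bytes):
    if len(data) % BLOCK:
        raise ValueError("input must be a whole number of blocks")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(m: bytes, key: bytes) -> bytes:
    """Each block is encrypted independently of the others."""
    return b"".join(toy_encrypt_block(b, key) for b in blocks(m))

def cbc_encrypt(m: bytes, key: bytes, iv: bytes) -> bytes:
    """Each block is XORed with the previous ciphertext block first."""
    out, prev = [], iv
    for b in blocks(m):
        prev = toy_encrypt_block(bytes(x ^ y for x, y in zip(b, prev)), key)
        out.append(prev)
    return b"".join(out)

def repeated_blocks(c: bytes) -> int:
    """Number of ciphertext blocks that duplicate an earlier block."""
    bs = blocks(c)
    return len(bs) - len(set(bs))

# Constructed sample: three identical plaintext blocks and one different one.
KEY = b"demo-key"
IV = bytes.fromhex("0011223344556677")  # fixed here only for repeatability
MSG = b"PAY 1000" * 3 + b"PAY 0001"

if __name__ == "__main__":
    print("ECB repeats:", repeated_blocks(ecb_encrypt(MSG, KEY)))
    print("CBC repeats:", repeated_blocks(cbc_encrypt(MSG, KEY, IV)))
```

Counting duplicate ciphertext blocks, as `repeated_blocks` does, is also a quick check for spotting ECB-encrypted data when reviewing stored or captured ciphertext.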
Using DES securely
• Avoid using weak and semi-weak keys
  • 4 weak keys: Ek(Ek(m)) = m
  • 12 semi-weak keys: Ek1(Ek2(m)) = m
  • Thus, 2^-52 probability of picking weak and semi-weak keys
• Change DES key frequently
  • But is it practical? (e.g. in encrypting harddisk files)
  • Possible solutions?

Cracking DES
• Brute force – using exhaustive search in 2^56 key space
• Differential cryptanalysis
  • Chosen plaintext is encrypted
  • Reduce the number of keys to 2^47
• Linear cryptanalysis
  • Linear approximation of encryption key
  • 2^43 keys

Double DES
• Encrypt twice using two 56-bit keys = Regular DES with 112-bit key?
• No, it is vulnerable to meet-in-the-middle attack
• Effective search space = O(2^56)
[Figure: m → E (k1, 56 bits) → Ek1(m) → E (k2, 56 bits) → Ek2(Ek1(m)), 64-bit blocks; encrypt with all possible K1s, decrypt with all possible K2s]

Triple DES
• C = Ek1(Dk2(Ek1(m)))
• Backward compatible
  • If k1 = k2, it is a regular DES
• Key space = 2^112

Authentication in Secret-key Cryptography
• Message Authentication Code (MAC) is computed (a.k.a. checksum)
• Digital signature is for public-key cryptography
• Unconditionally secure MAC
  • MAC(M, K’) where k’ = authentication key
  • k’ cannot be reused
[Figure: message M sent together with MAC(M, K’)]

Hash function-based MAC
• Hash function, H
  • Input can be of any length
  • Output is of fixed size (smaller than m)
  • Output string is called hash value (or message digest), h = H(m)
  • H is relatively easy to compute
  • One-way (when h = H(x), x is hard to find)
  • Collision free, i.e. given x, y is hard to find such that H(x) = H(y)
• Well known hash functions are MD2, MD5, SHA

ANSI X9.17
• Key management standard for secret-key cryptography
• Primarily designed for financial institutions
  • Large amount of transactions
  • Frequently updated keys
• Use three-level hierarchy of keys
  • Master key (KKM) is manually distributed
  • Key-encrypting keys (KEK) are distributed online
  • Data keys (KDs) are also distributed online
• X9.42 (for Diffie-Hellman), X9.44 (for RSA)

Public-Key Cryptography
• K1 ≠ K2, asymmetric cryptography
• Increase security and convenience
  • No key transmission
• Slower than secret-key cryptography
• Provide digital signature that cannot be repudiated (unlike secret-key cryptography, why?)
[Figure: m → encrypt with public key p → Ep(m) → decrypt with private key s → M = Ds(Ep(m))]

Questions
• Which cryptography is suitable for a computer lab?
• Password file in unix?
• Large system?
  • Hybrid scheme
  • Use public-key cryptography to establish a secret key

Reading
• Michael J. Wiener, “Efficient DES key search,” 1993
• Phillip Rogaway, “The Security of DESX,” 1996