Download
elec5616 computer and network security n.
Skip this Video
Loading SlideShow in 5 Seconds..
ELEC5616 computer and network security PowerPoint Presentation
Download Presentation
ELEC5616 computer and network security

ELEC5616 computer and network security

139 Vues Download Presentation
Télécharger la présentation

ELEC5616 computer and network security

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. ELEC5616computer and network security matt barrie mattb@ee.usyd.edu.au lecture 5 :: attacks on DES

  2. DES keys • Given one plaintext/cyphertext (m,c) pair, there is a very high probability that only one key will satisfy c = DES(m,k) • Consider DES as a collection of permutations π(1) … π(256). • If πi are independent permutations then  (m, k) : Pr [  k1≠ k : DES(m, k1) = DES(m, k) ] = 256 . 2-64 = 2-8 = 0.39% • Thus given one (m, c) pair the key is uniquely determined. The problem is to find k. lecture 5 :: attacks on DES

  3. attacks on DES • Exhaustive key search • For a strong n-bit block cypher with a j-bit key, the key can be recovered on average in 2j-1 operations given a small number (< (j+4)/n) of plaintext-cyphertext pairs • For DES, j = 56 bits, n = 64 bits so exhaustive search is expected to yield the key in 255 operations • Cyphertext-only DES key search • Suppose DES is used to encrypt 8 x 8 ASCII characters (=64 bits) per block, with one bit being a parity bit. • Trial decryption yields all 8 parity bits valid with probability 2-8 • and thus for t blocks 2-8t • Over 256 keys, this leads to probability of correct key being 2-56 / 2-8t • thus only t ~ 10 blocks are enough lecture 5 :: attacks on DES

  4. reducing effort in attacks on DES • DES is a Feistel network, thus: DES(m, k) = DES(m, k) • This is called the “Complementation Property” • So for a CPA: if c1 = DES(m, k) and c2 = DES(m, k) then if DES(m, k1) ≠ c1 nor c2 then k ≠ k1 nor k1 • Search space is reduced by half lecture 5 :: attacks on DES

  5. 2DES • Double encryption with DES (2DES) is bad 2DESk1k2(m) = Ek1(Ek2(m)) • 2DES is vulnerable to “meet in the middle” attack • i.e. for a fixed message, m, create a table: Ek(m) for all k є {0,1}56 • Then for c = Ek1k2(m) try all k until Dk1(c) is in the table • Thus 2DES can be broken on average in 256 operations using 256 memory slots (a time-space tradeoff)- not good for 112 bits of key (56 + 56) lecture 5 :: attacks on DES

  6. 3DES • Two-key Triple DES (3DES): DES three times, two keys (112 bits) 3DESk1k2(m) = Ek1(Dk2(Ek1(m))) • The strength of DES (& 3DES) is that it does not form a group DESk1(DESk2(m)) ≠ DESk3(m) • Consider the time-space tradeoff on 2TDES: • for time 2(56+64)/s and space s, we can recover k1 and k2 in 2TDES • If s > 28 then we can do better than exhaustive search. lecture 5 :: attacks on DES

  7. DESX • A modification of DES to avoid exhaustive key search is DESX k1 = 56 bits (DES key) k2 = 64 bits (whitening key) k3 = h(k2, k3) = 64 bits DESXk1k2k3(m) = k3  Ek1 (m  k2) • Whitening key gives greater resilience to brute force attacks • Given j plaintext / cyphertext pairs, the effective key size is greater than or equal to |k| + n -1 - log j = 56 + 64 - 1 - log j = 119 - log j ≥ 100 bits lecture 5 :: attacks on DES

  8. DES round functions • The function F(x,ki): {0,1}32 x {0,1}48→ {0,1}32 x (32 bits) ki (48 bits) expansion 48 bits b 48 bits 8 x S-boxes (4x16) (substitution) nonlinear confuse 6 bits x 8 s1 s8 4 bits x 8 32 bits P-box (permutation) diffuse P lecture 5 :: attacks on DES

  9. differential cryptanalysis • This method is a better-than-brute-force approach to attacking DES with (plaintext, cyphertext) pairs (CPA). • Involves looking at the XOR of two texts. • We consider any s-box function F(x, ki) : • Define the difference measure (on input) as Δ = b1  b2 = (x1  ki)  (x2 ki) = x1  x2 • The input XOR (b1  b2) does not depend on the key but the output XOR (e1  e2) does. b1, b2 (2x6 bits) S box e1, e2 (2x4 bits) lecture 5 :: attacks on DES

  10. differential cryptanalysis • Now define the set Δ(b) consisting of ordered pairs (b1 , b2) having input XOR b: Δ(b) = {(b1, b2) є {0,1}6 | b1  b2 = b} where | Δ(b) | = 26 = 64 • Take the example where b = 110100, then if we consider the first S-box the pairs might be Δ(b) = {(000000,110100), (000001,110101), … (111111,001011)}    110100 110100 110100 lecture 5 :: attacks on DES

  11. differential cryptanalysis • If this is done for all 64 pairs in Δ(b) then the following distribution of output XORs (e1  e2) is obtained: (e1  e2) 0000 0001 0010 0011 … 1111 0 8 16 6 6 • Now suppose that (b1  b2) = 110100 and (e1  e2) = 0001, then (b1 , b2) must be one of eight possible pairs, hence b1 is one of 16 possible values. • Since x1 is known (this is a KPA), the 6 bits of the key XORed with x1 to give b1 are one of 16 possible values. • This procedure is repeated for different Δs to make deductions about the key bits and eventually recover the key. lecture 5 :: attacks on DES

  12. linear cryptanalysis • Consider the cyphertext derived by combining certain bits from the plaintext and key: • The cypher can easily be broken, for example, if c[1] = p[4]  p[17]  k[5]  k[3] i.e. k[3]  k[5] = c[1]  p[4]  p[17] • This is because the cypher is linear. plaintext key cyphertext lecture 5 :: attacks on DES

  13. linear cryptanalysis • If we use the following notation: p[i1, …, iu] = p[i1]  p[i2]  …  p[iu] (the xor bits of the plaintext) • Also define ρ = Pr [ p[i1, …, iu]  c[j1, …, jv] = k [s1, …, sw] ] • Now if |ρ - 0.5| is large, then we can guess k [s1, … , sw] • Optimally for a break|ρ - 0.5|= 0.5 (ρ = 0 or 1)(perfect cipher would have ρ = 0.5) lecture 5 :: attacks on DES

  14. algorithm to recover key bits • Given R plaintext, cyphertext pairs (R is large): if ρ > 0.5 then k[s1, …, sw] = majority{p[i1, …, iu]}  c[j1, …, jv]} over all plaintext cyphertext pairs if ρ < 0.5 then k[s1, …, sw] = minority = 1  majority • (*) Fact: if given R ≥ (ρ - 0.5)-2 then the correct value of k[s1, … , sw] is obtained with probability > 97.7% lecture 5 :: attacks on DES

  15. linear cryptanalysis of DES • In 1993, Matsui made the following observation about DES which approximates the 5th S-box as a linear function: ρ5 = Pr[ x[4] = S5(x)[0,1,2,3] ] = 12/64 = 0.19 (Note x є {0,1}6) • For the ith DES round Pri [ri[15]  F(ri , ki)[7,18,24,29] = ki[22]] = ρ5 = 0.19 (ri is the ith round right hand part) where the bits have been chosen to undo the permutation. lecture 5 :: attacks on DES

  16. attack on 3 round DES left half of plaintext right half of plaintext l0 r0 From the first round we can write Pr[r1[7,18,24,29] xor l0[7,18,24,29] xor r0[15] = k0[22]] = ρ5 From the last round we can write Pr[r1[7,18,24,29] xor cr[7,18,24,29] xor cl[15] = k2[22]] = ρ5 XORing together gives Pr[l0[7,18,24,29] xor cr[7,18,24,29] xor cl[15] xor r0[15] = k0[22] xor k2[22]] = ρ5 .ρ5 + (1- ρ5)2 = 0.7 Using the fact (*) we can find k0[22] xor k2[22] using R = (0.7 - 0.5)-2 = 25 plaintext/cyphertext pairs F(r0,k0) l1 r1 F(r1,k1) l2 r2 F(r2,k2) l3 r3 left half of cyphertext right half of cyphertext lecture 5 :: attacks on DES

  17. DES strengths against attacks AttackComplexity # messages requirements known chosen storage processing exhaustive precomputation - 1 256 1 (lookup) exhaustive search 1 - neg. 255 linear cryptanalysis 243(85%) - for texts 243 238(10%) - for texts 250 differential cryptanalysis - 247 for texts 247 255 - for texts 255 lecture 5 :: attacks on DES

  18. advanced encryption standard (AES) • NIST Requirements: • Block cypher • 128 bit blocks • 128/192/256 bit keys • Strength equal to or better than 3DES at greatly improved efficiency • smartcard, hardware, software • flexibility • simplicity and elegance • Royalty-free worldwide • security for over 30 years • may protect sensitive data for over 100 years • public confidence in the cypher lecture 5 :: attacks on DES

  19. AES candidates • 15 submissions from international field • Some strong candidates: Name Type Rounds Rel. Speed Gates (cycles) Twofish Feistel 16 1254 23k Serpent SP-network 32 1800 70k Mars Ext. Feistel 32 1600 70k cells Rijndael Square 10, 12, 14 1276 ??? RC6 Feistel 20 1436 ??? lecture 5 :: attacks on DES

  20. AES • Rijndael (pronounced “rain-dahl”) announced Oct 2000 • Operates on 128 bit blocks • Key length is variable: 128, 192 or 256 bits • An SP-network • Uses a single S-box which acts on a byte input to give a byte output (think of as a 256 byte lookup table): S(x) = M(1/x) + b over the field GF(28) (M is a matrix, b is a constant) • Construction gives tight differential and linear bounds. lecture 5 :: attacks on DES

  21. 1 5 9 13 2 6 10 14 3 7 11 15 4 8 12 16 AES overview • Linear transformation arranging 16 bytes of the value being encoded in a square and doing bytewise shuffling and mixing. • Step 1: Add Round Key • simply XORs in the subkey for the current round • Step 2: Byte-sub • S-box substitution • Step 3: Shuffle (ShiftRows) • top row of four bytes in unchanged • second row is shifted one place left • third row is shifted two places left • fourth row is shifted three places left • Step 4: Mix Column • four bytes in a column are mixed using a matrix multiplication • Result: Change in the input effects all of output in 2 rounds lecture 5 :: attacks on DES

  22. AES lecture 5 :: attacks on DES

  23. AES overview • Number of rounds variable: • 10 for 128-bit keys • 12 for 192-bit keys • 14 for 256-bit keys • Gives 50% margin of safety based on current known attacks • attack for 6 round 128 bit keys • attack for 7 round 192 bit keys • attack for 9 round 256 bit keys • however require enormous amount of texts (certificational) • Safety against feasible attacks believed to currently be ~100% lecture 5 :: attacks on DES

  24. references • Towards the 128-bit Era: AES Candidates (interest only)http://home.ecn.ab.ca/~jsavard/crypto/co0408.htm • Stallings (3rd Ed) • §4 • Handbook of Applied Cryptography • §7.1 - §7.4 lecture 5 :: attacks on DES