Private Key Cryptography
Download
Report
Transcript Private Key Cryptography
Lecture 2.2: Private Key
Cryptography II
CS 436/636/736
Spring 2012
Nitesh Saxena
Today’s fun/informative bit –
The Smudge Attack
• See: http://www.usenix.org/event/woot10/tech/full_papers/Aviv.pdf
4/8/2015
Lecture 2.2 - Private Key Cryptography
II
2
Course Administration
• TA/Grader: Eric Frees
– Email: [email protected]
– Office hours: 2-4pm on Wednesdays, Ugrad lab
(CH 154)
4/8/2015
Lecture 2.2 - Private Key Cryptography
II
3
Outline of today’s lecture
• Block Ciphers
• Data Encryption Standard (DES)
4/8/2015
Lecture 2.2 - Private Key Cryptography
II
4
Block Ciphers and Stream Ciphers
• Block ciphers partition plaintext into blocks
and encrypt each block independently (with
the same key) to produce ciphertext blocks.
• A stream cipher generates a keystream and
encrypts by combining the keystream with the
plaintext, usually with the bitwise XOR
operation.
• We will focus mostly on Block Ciphers
4/8/2015
Lecture 2.2 - Private Key Cryptography
II
5
DES – Data Encryption Standard
•
•
•
•
Encrypts by series of substitution and transpositions.
Based on Feistel Structure
Worldwide standard for more than 20 years.
Designed by IBM (Lucifer) with later help (interference?) from
NSA.
• No longer considered secure for highly sensitive applications.
• Replacement standard AES (advanced encryption standard)
recently completed.
4/8/2015
Lecture 2.2 - Private Key Cryptography
II
6
DES – Overview (Block Operation)
4/8/2015
Lecture 2.2 - Private Key Cryptography
II
7
DES – Each Round
4/8/2015
8
DES – Function F
4/8/2015
Lecture 2.2 - Private Key Cryptography
II
9
DES – Key Schedule (KS)
4/8/2015
Lecture 2.2 - Private Key Cryptography
II
10
Operation Tables of DES:
Key Schedule, PC-1, PC-2
4/8/2015
Lecture 2.2 - Private Key Cryptography
II
11
Operation Tables (IP, IP-1, E and P)
4/8/2015
Lecture 2.2 - Private Key Cryptography
II
12
S-boxes: S1 (as an example)
0000
00
01
10
11
0001
14
0
4
15
4
15
1
12
0010
13
7
14
8
0011
1
4
8
2
0100
2
14
13
4
0101
15
2
6
9
0110
11
13
2
1
0111
8
1
11
7
Sj
S (b1b2b3b4b5b6)
1000
1001
3
10
15
5
1010
10
6
12
11
6
12
9
3
1011
12
11
7
14
1100
5
9
3
10
1101
9
5
10
0
1110
0
3
5
6
1111
7
8
0
13
Is the table entry from
row : b1b 2
colum n: b3b 4b5b6
S (011001) 6d 0110
4/8/2015
Lecture 2.2 - Private Key Cryptography
II
13
DES Decryption
• Same as the encryption algorithm with the
“reversed” key schedule – NEXT!
4/8/2015
Lecture 2.2 - Private Key Cryptography
II
14
x
Plain text
Initial permutation (IP)
L0
R0
Round-1 (key K1)
L0 F ( R0, K 1)
R0
Rounds 2-15
L15
R15
R15
L15 F ( R15, K 16)
Round-16 (key K16)
swap
L15 F ( R15, K 16)
R15
IP inverse
4/8/2015
y
Cipher text
15
R15
IP inverse
y
L15 F ( R15, K 16)
Cipher text
IP
encrypt
L15 F ( R15, K 16)
R15
Round-1 (K16)
=
R15
L15
Since
4/8/2015
Lecture 2.2 - Private Key Cryptography
II
decrypt
L15 F ( R15, K 16) F ( R15, K 16)
R15
bb 0
b0 b
16
DES Example
We choose a random plaintext block and a random key, and
determine what the ciphertext block would be (all in
hexadecimal):
4/8/2015
Lecture 2.2 - Private Key Cryptography
II
17
Example (contd) -- encryption
4/8/2015
Lecture 2.2 - Private Key Cryptography
II
18
Example (contd) -- decryption
Let us see how Bob, at the destination, can decipher the
ciphertext received from Alice using the same key. Table 6.16
shows some interesting points.
4/8/2015
Lecture 2.2 - Private Key Cryptography
II
19
DES Security: Avalanche Effect
4/8/2015
Lecture 2.2 - Private Key Cryptography
II
20
DES Security
• S-Box design not well understood
• Has survived some recent sophisticated
attacks (differential cryptanalysis)
• Key is too short. Hence is vulnerable to brute
force attack.
• 1998 distributed attack took 3 months.
• $1,000,000 machine will crack DES in 35
minutes – 1997 estimate. $10,000 – 2.5 days.
4/8/2015
Lecture 2.2 - Private Key Cryptography
II
21
DES Cracking machine
•
4/8/2015
Lecture 2.2 - Private Key Cryptography
II
22
Super-encryption.
• If key length is a concern, then instead of
encrypting once, encrypt twice!!
C = EK2(EK1(P))
P = DK2(DK1(C))
• Does this result in a larger key space?
• Encrypting with multiple keys is known as
super-encryption.
• May not always be a good idea
4/8/2015
Lecture 2.2 - Private Key Cryptography
II
23
Double DES
• Double DES is almost as easy to break as
single DES (Needs more memory though)!
4/8/2015
Lecture 2.2 - Private Key Cryptography
II
24
Double DES – Meet-in-the-middle
Attack (due to Diffie-Hellman)
• Based on the observation that, if
C = EK2(EK1(P))
Then
X = EK1(P) = DK2(C).
• Given a known (P, C) pair, encrypt P with all possible values of
K and store result in table T.
• Next, decrypt C with all possible keys K and check result. If
match occurs then check key pair with new known (P, C) pair.
If match occurs, you have found the keys. Else continue as
before.
• Process will terminate successfully.
4/8/2015
Lecture 2.2 - Private Key Cryptography
II
25
Meet-in-the-middle Explanation
• The first match does not say anything as we
have 264 ciphertexts and 2112 keys.
• On the average 2112 / 264 = 248 keys will
produce same ciphertext.
• So there could be 248 possible candidates
• We can use a second pair (P’,C’)
• So, probability that false alarm will survive
two known (P, C) pairs is 248 / 264 = 2-16.
• One can always check a third pair to further
reduce the chance of a false alarm.
4/8/2015
Lecture 2.2 - Private Key Cryptography
II
26
Triple DES
Triple DES (2 keys) requires 2112 search. Is
reasonably secure.
Triple DES (3 keys) requires 2112 as well
Which one is better?
27
Some Questions
• Double encryption in DES increases the key space size from
2^56 to 2^112 – true or false?
• Is known-plaintext an active or a passive attack?
• Is chosen-ciphertext attack an active or a passive attack?
• Reverse Engineering is applied to what design of systems –
open or closed?
• Alice needs to send a 64-bit long top-secret letter to Bob.
Which of the ciphers that we studied today should she use?
4/8/2015
Lecture 2.2 - Private Key Cryptography
II
28
Further Reading
• Chapter 7.4 of HAC
• Chapter 3 of Stallings
4/8/2015
Lecture 2.2 - Private Key Cryptography
II
29