Transcript Private Key Cryptography

Lecture 2.2: Private Key
Cryptography II
CS 436/636/736
Spring 2012
Nitesh Saxena
Today’s fun/informative bit –
The Smudge Attack
• See: http://www.usenix.org/event/woot10/tech/full_papers/Aviv.pdf
4/8/2015
Lecture 2.2 - Private Key Cryptography
II
2
Course Administration
• TA/Grader: Eric Frees
– Email: [email protected]
– Office hours: 2-4pm on Wednesdays, Ugrad lab
(CH 154)
4/8/2015
Lecture 2.2 - Private Key Cryptography
II
3
Outline of today’s lecture
• Block Ciphers
• Data Encryption Standard (DES)
4/8/2015
Lecture 2.2 - Private Key Cryptography
II
4
Block Ciphers and Stream Ciphers
• Block ciphers partition plaintext into blocks
and encrypt each block independently (with
the same key) to produce ciphertext blocks.
• A stream cipher generates a keystream and
encrypts by combining the keystream with the
plaintext, usually with the bitwise XOR
operation.
• We will focus mostly on Block Ciphers
4/8/2015
Lecture 2.2 - Private Key Cryptography
II
5
DES – Data Encryption Standard
•
•
•
•
Encrypts by series of substitution and transpositions.
Based on Feistel Structure
Worldwide standard for more than 20 years.
Designed by IBM (Lucifer) with later help (interference?) from
NSA.
• No longer considered secure for highly sensitive applications.
• Replacement standard AES (advanced encryption standard)
recently completed.
4/8/2015
Lecture 2.2 - Private Key Cryptography
II
6
DES – Overview (Block Operation)
4/8/2015
Lecture 2.2 - Private Key Cryptography
II
7
DES – Each Round
4/8/2015
8
DES – Function F
4/8/2015
Lecture 2.2 - Private Key Cryptography
II
9
DES – Key Schedule (KS)
4/8/2015
Lecture 2.2 - Private Key Cryptography
II
10
Operation Tables of DES:
Key Schedule, PC-1, PC-2
4/8/2015
Lecture 2.2 - Private Key Cryptography
II
11
Operation Tables (IP, IP-1, E and P)
4/8/2015
Lecture 2.2 - Private Key Cryptography
II
12
S-boxes: S1 (as an example)
0000
00
01
10
11
0001
14
0
4
15
4
15
1
12
0010
13
7
14
8
0011
1
4
8
2
0100
2
14
13
4
0101
15
2
6
9
0110
11
13
2
1
0111
8
1
11
7
Sj
S (b1b2b3b4b5b6)
1000
1001
3
10
15
5
1010
10
6
12
11
6
12
9
3
1011
12
11
7
14
1100
5
9
3
10
1101
9
5
10
0
1110
0
3
5
6
1111
7
8
0
13
Is the table entry from
row : b1b 2
colum n: b3b 4b5b6
S (011001)  6d  0110
4/8/2015
Lecture 2.2 - Private Key Cryptography
II
13
DES Decryption
• Same as the encryption algorithm with the
“reversed” key schedule – NEXT!
4/8/2015
Lecture 2.2 - Private Key Cryptography
II
14
x
Plain text
Initial permutation (IP)
L0
R0
Round-1 (key K1)
L0  F ( R0, K 1)
R0
Rounds 2-15
L15
R15
R15
L15  F ( R15, K 16)
Round-16 (key K16)
swap
L15  F ( R15, K 16)
R15
IP inverse
4/8/2015
y
Cipher text
15
R15
IP inverse
y
L15  F ( R15, K 16)
Cipher text
IP
encrypt
L15  F ( R15, K 16)
R15
Round-1 (K16)
=
R15
L15
Since
4/8/2015
Lecture 2.2 - Private Key Cryptography
II
decrypt
L15  F ( R15, K 16)  F ( R15, K 16)
R15
bb  0
b0 b
16
DES Example
We choose a random plaintext block and a random key, and
determine what the ciphertext block would be (all in
hexadecimal):
4/8/2015
Lecture 2.2 - Private Key Cryptography
II
17
Example (contd) -- encryption
4/8/2015
Lecture 2.2 - Private Key Cryptography
II
18
Example (contd) -- decryption
Let us see how Bob, at the destination, can decipher the
ciphertext received from Alice using the same key. Table 6.16
shows some interesting points.
4/8/2015
Lecture 2.2 - Private Key Cryptography
II
19
DES Security: Avalanche Effect
4/8/2015
Lecture 2.2 - Private Key Cryptography
II
20
DES Security
• S-Box design not well understood
• Has survived some recent sophisticated
attacks (differential cryptanalysis)
• Key is too short. Hence is vulnerable to brute
force attack.
• 1998 distributed attack took 3 months.
• $1,000,000 machine will crack DES in 35
minutes – 1997 estimate. $10,000 – 2.5 days.
4/8/2015
Lecture 2.2 - Private Key Cryptography
II
21
DES Cracking machine
•
4/8/2015
Lecture 2.2 - Private Key Cryptography
II
22
Super-encryption.
• If key length is a concern, then instead of
encrypting once, encrypt twice!!
C = EK2(EK1(P))
P = DK2(DK1(C))
• Does this result in a larger key space?
• Encrypting with multiple keys is known as
super-encryption.
• May not always be a good idea
4/8/2015
Lecture 2.2 - Private Key Cryptography
II
23
Double DES
• Double DES is almost as easy to break as
single DES (Needs more memory though)!
4/8/2015
Lecture 2.2 - Private Key Cryptography
II
24
Double DES – Meet-in-the-middle
Attack (due to Diffie-Hellman)
• Based on the observation that, if
C = EK2(EK1(P))
Then
X = EK1(P) = DK2(C).
• Given a known (P, C) pair, encrypt P with all possible values of
K and store result in table T.
• Next, decrypt C with all possible keys K and check result. If
match occurs then check key pair with new known (P, C) pair.
If match occurs, you have found the keys. Else continue as
before.
• Process will terminate successfully.
4/8/2015
Lecture 2.2 - Private Key Cryptography
II
25
Meet-in-the-middle Explanation
• The first match does not say anything as we
have 264 ciphertexts and 2112 keys.
• On the average 2112 / 264 = 248 keys will
produce same ciphertext.
• So there could be 248 possible candidates
• We can use a second pair (P’,C’)
• So, probability that false alarm will survive
two known (P, C) pairs is 248 / 264 = 2-16.
• One can always check a third pair to further
reduce the chance of a false alarm.
4/8/2015
Lecture 2.2 - Private Key Cryptography
II
26
Triple DES



Triple DES (2 keys) requires 2112 search. Is
reasonably secure.
Triple DES (3 keys) requires 2112 as well
Which one is better?
27
Some Questions
• Double encryption in DES increases the key space size from
2^56 to 2^112 – true or false?
• Is known-plaintext an active or a passive attack?
• Is chosen-ciphertext attack an active or a passive attack?
• Reverse Engineering is applied to what design of systems –
open or closed?
• Alice needs to send a 64-bit long top-secret letter to Bob.
Which of the ciphers that we studied today should she use?
4/8/2015
Lecture 2.2 - Private Key Cryptography
II
28
Further Reading
• Chapter 7.4 of HAC
• Chapter 3 of Stallings
4/8/2015
Lecture 2.2 - Private Key Cryptography
II
29