EE5552 Network Security and Encryption


Block 6: Modern Symmetric Key Cryptography
Dr. T.J. Owens CMath, FIMA, MIEEE
Dr T. Itagaki MIET, MIEEE, MAES
Objectives
After studying this material you should
• Appreciate that many block ciphers are Feistel ciphers.
• Be able to explain how a Feistel cipher works.
• Be able to outline the architecture, modes of operation and applications of the DES.
• Be able to outline the architecture of the AES.
Feistel Ciphers and the DES
Block Ciphers
The Data Encryption Standard (DES) developed from IBM's Lucifer cipher.
It is based on the Feistel ladder.
Almost all block ciphers since Lucifer have been Feistel ciphers.
Such ciphers have a flat keyspace (with the possible exception of a few weak keys).
o This means the cipher is equally difficult to attack whichever key is chosen.
The 3G system encryption and integrity algorithms are both built around the KASUMI block cipher, which is a Feistel cipher with 8 rounds.
Feistel Ciphers (1)
The plaintext is viewed as a pair of n bit words (w1, w2). A function f is chosen and the pair (w2, f(w2) ⊕ w1) is formed, where ⊕ is bitwise addition modulo 2.
This step is called a round and is repeated as many times as required, choosing a different f each time.
Feistel Ciphers (2)
A Feistel cipher gets its strength from the fact that a number of rounds involving nonlinear transformations are applied to the data.
Careful choice of the nonlinear functions can help ensure that easy-to-solve sets of equations are unlikely to arise.
Feistel Ciphers (3)
The Feistel Ladder
Feistel Ciphers (4)
To make the example easier to follow we use functions over the set {0, 1, 2, 3, 4} and addition modulo 5 as our mixing operation.
Plaintext pair (3, 2) is enciphered as follows:
Feistel Ciphers (5)
Ciphertext is deciphered as follows:
Feistel Ciphers (6)
To emphasise that this process is invertible for every message, every plaintext block of two characters was encrypted.
(Table: all possible plaintext pairs and the corresponding ciphertexts.)
Notice that the corresponding ciphertext pairs are all distinct.
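The toy Feistel cipher from the slides, written out as an added example (this code is not part of the lecture notes). It works over the set {0, 1, 2, 3, 4} with addition modulo 5 as the mixing operation, exactly as described above; the two round functions F1 and F2 are assumed lookup tables chosen for the demo, not the slides' own, since any choice of f gives an invertible cipher. The last two functions reproduce the slides' check that all 25 plaintext pairs encrypt to distinct ciphertexts and decrypt back correctly.

```python
from itertools import product

M = 5  # alphabet size: characters are 0..4, mixing is addition mod 5

# Round functions {0..4} -> {0..4}, given as lookup tables.
# These values are an assumption for the demo; they need not be bijective,
# because a Feistel round is invertible whatever f is.
F1 = [2, 0, 4, 1, 3]
F2 = [3, 3, 0, 4, 1]
ROUND_FUNCTIONS = [F1, F2]


def feistel_round(w1, w2, f):
    """One round: (w1, w2) -> (w2, f(w2) + w1 mod 5)."""
    return w2, (f[w2] + w1) % M


def feistel_round_inverse(c1, c2, f):
    """Undo one round: c1 was w2 and c2 = f(w2) + w1, so w1 = c2 - f(c1) mod 5."""
    return (c2 - f[c1]) % M, c1


def encrypt(pair):
    """Apply the rounds in order F1, F2 to a plaintext pair."""
    w1, w2 = pair
    for f in ROUND_FUNCTIONS:
        w1, w2 = feistel_round(w1, w2, f)
    return (w1, w2)


def decrypt(pair):
    """Apply the inverse rounds in reverse order (F2 first, then F1)."""
    c1, c2 = pair
    for f in reversed(ROUND_FUNCTIONS):
        c1, c2 = feistel_round_inverse(c1, c2, f)
    return (c1, c2)


def all_ciphertexts_distinct():
    """Encrypt all 25 plaintext pairs and confirm the cipher is a permutation."""
    plaintexts = list(product(range(M), repeat=2))
    ciphertexts = [encrypt(p) for p in plaintexts]
    return len(set(ciphertexts)) == len(plaintexts)


def round_trip_all():
    """Confirm decrypt(encrypt(p)) == p for every plaintext pair."""
    return all(decrypt(encrypt(p)) == p for p in product(range(M), repeat=2))


if __name__ == "__main__":
    ct = encrypt((3, 2))
    print("ciphertext of (3, 2):", ct, "-> decrypts to", decrypt(ct))
    print("all 25 ciphertexts distinct:", all_ciphertexts_distinct())
```

Note that decryption never needs the inverse of f, only f itself evaluated on the half that was passed through unchanged; that is the whole point of the ladder and why DES can use non-invertible S-boxes.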
The Data Encryption Standard (DES) (1)
An algorithm published in 1977 by the American National Bureau of Standards, now named NIST (National Institute of Standards and Technology).
Superseded as a NIST standard by AES (Advanced Encryption Standard), DES has been withdrawn as a NIST standard.
Officially it is now known as the Data Encryption Algorithm (DEA), but it is still usually referred to as DES.
DES is a monoalphabetic (block) cipher with an alphabet of 2^64 letters.
The Data Encryption Standard (DES) (2)
The operation of DES is complex and a demonstration of its operation is provided in CrypTool, which you can run at your own pace.
In the pull-down menu go to:
Indiv. Procedures/Visualization of Algorithms/DES
A summary of the operation of DES is provided below, which you should read in conjunction with the demonstration.
The Data Encryption Standard (DES) (3)
The initial permutation is not cryptographically significant.
The DES ladder is a Feistel ladder with 16 stages or rounds.
Each of the stages in the ladder has the following structure:
Each of the 16 stages requires a 48 bit subkey, k_i.
These are generated from the original 56 bit key according to the following key schedule.
The Data Encryption Standard (DES) (4)
The E-box expands a 32 bit block to a 48 bit block by permuting bits and repeating some.
This ensures that each input bit can affect the result of more than one application of the S-box, so that each output bit depends on every input bit after as few rounds of the cipher as possible.
The E-box also makes the result the same size as the 48 bit subkey for the XOR operation and provides a longer result that can be compressed in the S-box.
The 56 bit key is split into two halves, then the halves are circularly shifted by either one or two bits, depending on the round; finally 48 of the 56 bits are selected and their order permuted.
The Data Encryption Standard (DES) (5)
The S-box splits its 48 bit input into 8 blocks of 6 bits. Each 6 bit block is mapped to a 4 bit result in a substitution table, and thus the output of S is again 32 bits.
Note that these 8 substitutions are independent of each other. Much of the work in designing DES was to design the S-box tables.
The S-box tables are nonlinear transformations, the crucial elements of the cipher.
The resulting 32 bits are permuted in the P-box.
The Data Encryption Standard (DES) (6)
One DES ROUND
DES Configurations
They are defined in the ANSI Standard X3.106-1982, Modes of
Operation of the DEA.
ECB: Electronic Codebook (1)
In this mode a 64 bit plaintext is encrypted once using one 56 bit DES key.
This mode is vulnerable to known plaintext attack by exhaustive key search.
A symmetry means that there are “only” 2^55 keys to try. This is a big number, but not so big that it is out of range of special purpose hardware, or massively parallel processors.
ECB: Electronic Codebook (2)
ECB mode is generally used only for key encryption.
The Electronic Frontier Foundation funded a team of engineers to build a DES cracking machine at a cost of $210,000. This broke a DES challenge in 3 days.
In 2006 Sandeep Kumar and colleagues at the universities of Bochum and Kiel built a DES cracking machine for $10,000 that could break DES in 7 days on average.
Currently the SciEngines RIVYERA machine holds the record for brute-force breaking DES: utilizing 128 Spartan-3 5000 FPGAs, it is able to break DES in under 24 hours.
ECB: Electronic Codebook (3)
The vulnerability of DES in ECB mode to exhaustive key search (brute-force attack) has led to its replacement by triple DES.
It is important to realise that ECB mode should never be used to encrypt a message of more than one input block that has an authenticity requirement, as it could be subject to a cut and splice attack.
o For example, from the message ‘Pay account number X the sum Y transaction number Z’ an attacker could initiate a payment where some of the digits of X have been replaced with some of the digits of Z.
ECB: Electronic Codebook (4)
Triple Encryption (1)
One could increase the strength of a block cipher by applying it twice with different keys; this would appear to increase the size of the keyspace to search to 2^(2n) keys (from 2^n).
BUT double-DES is vulnerable to a known plaintext attack, the meet-in-the-middle attack, that only needs 2^(n+1) rather than 2^(2n) encryptions to be performed.
ECB: Electronic Codebook (5)
Triple Encryption (2)
Better is triple DES with three different DES keys.
Triple DES works because DES is not a group, so encrypting a plaintext under one DES key and then encrypting the result under another key is not always equivalent to a single encryption under a single key.
ECB: Electronic Codebook (6)
Triple DES is now very popular primarily because key size remains in practice the only true point of attack in DES.
The best meet-in-the-middle attack for triple DES with three keys requires 2^(2n) trial encryptions, and thus effectively doubles the key size of DES to 112 bits, and should prevent decryption by an enemy capable of single-key exhaustive search.
Of course, using triple encryption takes three times as long as single-encryption DES.
ECB: Electronic Codebook (7)
AES has a 128 bit input block and new systems use AES as the cipher of choice, but the banking industry is committed to using block ciphers with a 64 bit input block because of the way the protocols by which ATMs (Automatic Teller Machines), point-of-sale terminals and bank networks talk to each other format messages. Triple-DES is likely to be used for such applications for the foreseeable future.
CBC: Cipher Block Chaining (1)
In CBC mode, a random initialisation vector (IV) is transmitted and also XORed with the first block of plaintext.
The result is then encrypted with DES and transmitted.
The result is also XORed with the next data block and the process repeated.
CBC mode helps protect against certain attacks, although not against exhaustive search or a technique called differential analysis.
This is a useful technique for preventing an adversary from building up a codebook of plaintext-ciphertext pairs.
CBC: Cipher Block Chaining (2)
It also prevents replay and deletions of single blocks, although it does not provide message integrity protection. A change within a block of ciphertext will only affect two plaintext blocks on decryption.
In practice, most commercial applications that encrypt more than one block use CBC, which is specified in several standards.
For additional security, one could use triple encryption with CBC, but since single DES in CBC mode is usually considered secure enough, triple encryption is not often used.
CBC: Cipher Block Chaining (3)
CFB: Cipher Feedback Mode (1)
This is a variant of CBC which does not require that a full 64 bit block is received before encryption can begin.
The plaintext is enciphered in blocks of s bits at a time and each ciphertext block of s bits is fed into a 64 bit shift register.
The shift register is the input to the DES for the next block of s bits.
Both CBC and CFB have the disadvantage that any missing or inserted bits at any point in the message will cause all subsequent message blocks to be incorrectly deciphered.
o This is called error propagation.
CFB: Cipher Feedback Mode (2)
However, in CFB, if some bits in one block of s bits are corrupted by noise so that a 0 is read as a 1 or vice versa, the system will recover after one block of s bits.
CFB was designed for use in military High Frequency radio links, which are vulnerable to fading, but is not often used these days as error correction protocols are used to address the problem of bits being received incorrectly.
CFB: Cipher Feedback Mode (3)
OFB: Output Feedback (1)
OFB mode protects against error propagation because ciphertext is not fed back into either the encryption or decryption process.
This is one standard way of turning a block cipher into a stream cipher.
However, like any stream cipher, OFB fails to protect message integrity. For example, fund transfer messages are very highly structured. Suppose an attacker knew bytes 37-42 of such a message contained the amount to be transferred. They could request a modest sum (500 euro) to be sent to an accomplice. If by wiretapping the attacker can obtain the corresponding ciphertext for the message, C = M ⊕ K, they know M for bytes 37-42 and so know K for bytes 37-42. They take the ciphertext and change bytes 37-42 to read 500,000 euro XORed with K for bytes 37-42, then send it on. This is an example of an attack in depth.
OFB: Output Feedback (2)
For security, even if only k bits are output at each stage, all 64 bits should be used for feedback.
OFB: Output Feedback (3)
Example: Mickey Mouse (figure: the original image, and the same image encrypted in ECB and in CBC mode).
Weak Keys
In DES there are four keys for which encryption is exactly the same as decryption, so encrypting twice with one of these weak keys recovers the original plaintext.
However, the number of weak keys is such a small fraction of all possible keys that the chance of picking one at random is very small, so they pose no significant threat to security.
Algebraic Attacks (1)
DES is not open to any attack based on the algebraic structure of groups because it has been proved not to be a group.
DES has been controversial since its inception for a number of reasons:
Design details were kept secret.
This led to speculation that it had a trapdoor. (In reality the reason was that DES was designed to be resistant to differential cryptanalysis. When DES was designed this method of attack was known only to the intelligence community and was classified.)
Shortness of the key also caused controversy.
Algebraic Attacks (2)
It has been argued that it should be 128 bits as in the original Lucifer system.
DES is now very old and ECB mode is now vulnerable to a known plaintext attack by exhaustive key search.
Advanced Encryption Standard (AES) has been proposed as the replacement for DES.
There are of course other block ciphers and the following have gained commercial acceptance:
IDEA, Blowfish, RC4, CAST-128.
Modes of operation for symmetric
key block ciphers
In 2001 NIST issued a recommendation that: “defines five confidentiality modes of operation for use with an underlying symmetric key block cipher algorithm:
• Electronic Codebook (ECB)
• Cipher Block Chaining (CBC)
• Cipher Feedback (CFB)
• Output Feedback (OFB)
• Counter (CTR)
Used with an underlying block cipher algorithm that is approved in a Federal Information Processing Standard (FIPS), these modes can provide cryptographic protection for sensitive, but unclassified, computer data.”
CTR: Counter
In both CTR encryption and CTR decryption, the forward cipher functions can be performed in parallel.
Similarly, the plaintext block that corresponds to any particular ciphertext block can be recovered independently from the other plaintext blocks if the corresponding counter block can be determined.
Moreover, the forward cipher functions can be applied to the counters prior to the availability of the plaintext or ciphertext data.
In Wi-Fi RSN the security protocol built around AES is called Counter Mode – CBC MAC Protocol, or CCMP.
Basic counter mode does not provide any message authentication, only encryption.
o Therefore, for RSN, additional capabilities are added.
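The mode properties described in the ECB, CBC, OFB and CTR slides above, demonstrated in one added example that is not part of the lecture notes. The underlying 64-bit block cipher is an assumed toy Feistel cipher (8 rounds, round function built from SHA-256) that stands in for DES so the code runs offline with the standard library only; it is not DES and is not for real use. The message, keys, IV and nonce are constructed for the demo, and the message's fields are aligned to 8-byte blocks so the slides' cut-and-splice lines up with block boundaries. The four demo functions show: an ECB ciphertext whose blocks are reordered still decrypts cleanly; corrupting one CBC ciphertext block damages exactly two plaintext blocks; a single CTR block can be recovered from its counter alone; and an XOR edit of a stream-mode ciphertext changes the amount field underneath (the slides' attack in depth) while an HMAC over nonce and ciphertext, the kind of addition CCMP makes, detects the edit.

```python
import hashlib
import hmac

BLOCK = 8      # 64-bit blocks, like DES
ROUNDS = 8


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _subkeys(key: bytes):
    # Assumed key schedule: one 8-byte subkey per round, derived with SHA-256.
    return [hashlib.sha256(key + bytes([i])).digest()[:8] for i in range(ROUNDS)]


def _f(subkey: bytes, half: bytes) -> bytes:
    # Assumed round function; stands in for DES's E-box, S-boxes and P-box.
    return hashlib.sha256(subkey + half).digest()[:BLOCK // 2]


def encrypt_block(key: bytes, block: bytes) -> bytes:
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for sk in _subkeys(key):              # Feistel round: (L, R) -> (R, L xor f(R))
        left, right = right, _xor(left, _f(sk, right))
    return right + left                   # final swap, as in DES


def decrypt_block(key: bytes, block: bytes) -> bytes:
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for sk in reversed(_subkeys(key)):    # same ladder, subkeys in reverse order
        left, right = right, _xor(left, _f(sk, right))
    return right + left


def _blocks(data: bytes):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key, pt):
    return b"".join(encrypt_block(key, b) for b in _blocks(pt))


def ecb_decrypt(key, ct):
    return b"".join(decrypt_block(key, b) for b in _blocks(ct))


def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for b in _blocks(pt):
        prev = encrypt_block(key, _xor(b, prev))       # C_i = E(P_i xor C_{i-1})
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for c in _blocks(ct):
        out.append(_xor(decrypt_block(key, c), prev))  # P_i = D(C_i) xor C_{i-1}
        prev = c
    return b"".join(out)


def ctr_keystream_block(key, nonce, counter):
    # Counter block = 4-byte nonce || 4-byte counter; computable before any data arrives.
    return encrypt_block(key, nonce + counter.to_bytes(4, "big"))


def ctr_crypt(key, nonce, data):
    # One function for both directions; blocks are independent, so this parallelises.
    return b"".join(_xor(b, ctr_keystream_block(key, nonce, i))
                    for i, b in enumerate(_blocks(data)))


# Constructed demo values (not from the slides).
KEY, MAC_KEY = b"demo-key", b"mac-key"
IV = bytes(range(8))
NONCE = b"\x00\x00\x00\x01"
MESSAGE = b"ACCT:001TXN :042AMT:0500"   # three 8-byte fields


def ecb_cut_and_splice():
    """ECB: swap two ciphertext blocks without the key; the result still decrypts cleanly."""
    ct = ecb_encrypt(KEY, MESSAGE)
    return ecb_decrypt(KEY, ct[8:16] + ct[:8] + ct[16:])


def cbc_damaged_blocks(flip_block=1):
    """CBC: flip one bit of one ciphertext block, count plaintext blocks that come out wrong."""
    ct = bytearray(cbc_encrypt(KEY, IV, MESSAGE))
    ct[flip_block * BLOCK] ^= 0x01
    pt = cbc_decrypt(KEY, IV, bytes(ct))
    return sum(1 for a, b in zip(_blocks(pt), _blocks(MESSAGE)) if a != b)


def ctr_decrypt_one_block(index):
    """CTR: recover a single plaintext block from its ciphertext block and counter alone."""
    ct = ctr_crypt(KEY, NONCE, MESSAGE)
    return _xor(_blocks(ct)[index], ctr_keystream_block(KEY, NONCE, index))


def ctr_bitflip_with_mac():
    """Stream modes are malleable: XOR into the ciphertext edits the plaintext field
    underneath. An HMAC over nonce||ciphertext detects the edit."""
    ct = ctr_crypt(KEY, NONCE, MESSAGE)
    tag = hmac.new(MAC_KEY, NONCE + ct, hashlib.sha256).digest()
    forged = bytearray(ct)
    for i, (old, new) in enumerate(zip(b"0500", b"9999")):   # amount digits at bytes 20-23
        forged[20 + i] ^= old ^ new
    forged = bytes(forged)
    mac_ok = hmac.compare_digest(tag, hmac.new(MAC_KEY, NONCE + forged, hashlib.sha256).digest())
    return ctr_crypt(KEY, NONCE, forged), mac_ok
```

The CBC count is two because D(C_i) for the corrupted block is garbage, while the next block only inherits the flipped bit through the XOR with C_i; every block after that is intact. The last function is the reason the CTR slide says basic counter mode gives no authentication: the MAC check, not the cipher, is what rejects the edited amount.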
Advanced Encryption Standard (1)
DEA was designed for hardware implementation and consequently cannot be implemented efficiently in software.
As a result, Triple DES is relatively slow to encrypt and decrypt when implemented in software, and a more efficient replacement is desirable.
Furthermore, Triple DES encodes messages in blocks of 64 bits, and a larger block size, giving a larger input alphabet, is desirable for greater security.
In 1997 the US National Institute of Standards and Technology (NIST) announced it would be developing an Advanced Encryption Standard (AES) as a replacement for DES.
Advanced Encryption Standard (2)
NIST stipulated that AES would specify an unclassified, publicly disclosed encryption algorithm available royalty free, worldwide, and that the algorithm would be a symmetric key block cipher supporting input blocks of at least 128 bits and key sizes of 128, 192, and 256 bits.
After a rigorous evaluation process, from an original field of 15 candidates, on 2 October 2000 the Rijndael cipher was selected by NIST for the AES.
The Rijndael cipher was invented by Belgian researchers Joan Daemen (male) and Vincent Rijmen.
AES was published as Federal Information Processing Standards (FIPS) publication 197 on 4 December 2001.
Algorithm specification (1)
The Rijndael cipher is an iterated block cipher with a variable block length and variable key length, where a block is the smallest data size the algorithm will encrypt.
The block length and key length can be independently specified to be 128, 192 or 256 bits.
However, the variations of Rijndael which act on the larger block sizes are not included in AES.
Rijndael is not a Feistel cipher.
AES contains nonlinear (S-box substitution) and linear (ShiftRow and MixColumn) mixing layers.
Algorithm specification (2)
Each block of plaintext is encrypted several times with a repeating sequence of various functions that constitute a so-called round.
The number of rounds used depends on the key length.
For a key length of 128 bits 10 rounds are used, for a key length of 192 bits 12 rounds are used, and for a key length of 256 bits 14 rounds are used.
For an excellent demonstration of 10 round AES encryption, from the CrypTool pull-down menu choose:
Indiv. Procedures/Visualization of Algorithms/AES/Rijndael Animation
For an illustration of AES decryption choose:
Indiv. Procedures/Visualization of Algorithms/AES/Rijndael Inspector
Concluding Remarks (1)
Side-channel attacks do not attack the underlying cryptographic algorithm, and so have nothing to do with its security, but attack implementations of the cipher on systems which inadvertently leak data. There are several such known attacks on certain implementations of AES.
In October 2005 a paper was presented that demonstrated several cache-timing attacks against AES. One attack was able to obtain an entire AES key after only 800 operations triggering encryption, in a total of 65 milliseconds. This attack requires the attacker to be able to run programs on the same system or platform that is performing AES.
In December 2009 an attack on some hardware implementations of AES was published that used Differential Fault Analysis and allows recovery of the key with complexity 2^32.
Concluding Remarks (2)
Although there is no proof of the security of the AES cryptographic algorithm, it is the first publicly accessible and open cipher approved by the United States National Security Agency (NSA) for top secret information. In 2003 it stated:
“The design and strength of all key lengths of the AES algorithm (i.e., 128, 192 and 256) are sufficient to protect classified information up to the SECRET level. TOP SECRET information will require use of either the 192 or 256 key lengths. The implementation of AES in products intended to protect national security systems and/or information must be reviewed and certified by NSA prior to their acquisition and use.”
See: http://csrc.nist.gov/groups/ST/toolkit/documents/aes/CNSS15FS.pdf
Concluding Remarks (3)
On July 1, 2009, Bruce Schneier blogged about related-key attacks published in December 2009 on the 192-bit and 256-bit versions of AES, which exploit AES's somewhat simple key schedule. A related-key attack can break 256-bit AES with a complexity of 2^99.5, which while faster than brute force is still infeasible. In a similar manner, 192-bit AES can be broken by an attack with a complexity of 2^176. 128-bit AES is not affected by these attacks.
See: http://eprint.iacr.org/2009/317
Concluding Remarks (4)
Note: In cryptography, a related-key attack is any form of cryptanalysis where the attacker can observe the operation of a cipher under several different keys whose values are initially unknown, but where some mathematical relationship connecting the keys is known to the attacker. If the AES algorithm is properly implemented this is a somewhat unrealistic model, so both of the above attacks are still mainly of theoretical interest and do not present a threat to practical applications using AES.
Concluding Remarks (5)
The recommended modes of operation of AES are ECB, CBC, CFB, OFB and CTR, although many others have been proposed.
The result of every step in the encryption process is dependent on every bit of the key.
AES has very limited RAM and ROM memory requirements and so is suitable for use in restricted-resource environments such as smart cards.
o One current recommendation for 3GPP AKA algorithms is MILENAGE, which is based on AES.
It is likely to take several years for AES to replace DES.
It is important to note that AES is freely available worldwide.