EE579S Computer Security


EE579T / CS525T
Network Security
2: Symmetric Block Ciphers
Prof. Richard A. Stanley
Spring 2003
© 2000-2003, Richard A. Stanley
EE579T/2 #1
Overview of Tonight’s Class
• Class list updates
• Course syllabus
• Course project introduction
• Review of last week’s class
• Introduction to network security issues
• An overview of block ciphers
• Introduction to key distribution
Syllabus (subject to adjustment)
Class  Worcester  Waltham   Topic
1      1/14/03    1/16/03   Introduction & Computer Security Review
2      1/21/03    1/23/03   Symmetric Ciphers
3      1/28/03    1/30/03   Asymmetric Ciphers
4      2/4/03     2/6/03    Network Authentication
5      2/11/03    2/13/03   IPSec
6      2/18/03    2/20/03   SSL
7      2/25/03    2/27/03   Vulnerability Assessment
8      3/4/03     3/6/03    Introduction to Network-based Attacks
9      3/11/03    3/13/03   SNMP and security
10     3/18/03    3/20/03   Firewalls
11     3/25/03    3/27/03   Wireless Networks and Security
12     4/1/03     4/3/03    Legal and Ethical Issues
13     4/8/03     4/10/03   Project Presentations - 1
14     4/15/03    4/17/03   Project Presentations - 2
15     4/22/03    4/24/03   Contingency week
Course Projects Overview
• Teams of 2-4 individuals, 4 preferred
• Identify, through research, a meaningful
network security problem (reported on as
historical or one you can hypothesize)
• Analyze the problem
– Why did it occur?
– How could you have prevented or mitigated it?
• Prepare report and present to the class
Last Week...
• Computer security is a real need in real
systems
• Without computer security, network security
is a pipedream
• Network security is an even more difficult
problem than computer security, for a
number of reasons
• Absolute security does not exist
Networks
• A network is an interconnected group of
communicating devices.
• Two primary network types
– Circuit-switched (connection oriented)
– Packet-switched (connectionless)
• Span
– WAN, MAN, LAN
– So what?
Network Topology
• The topology of a network is a view of its
interconnections, as they would be seen by an
observer looking down from great height
• Topology is important because it has implications
for security
• Three major topologies:
– star
– bus
– ring
Some Network Security Issues
• Users not necessarily registered at the node they
are accessing
– How to authenticate users?
– What is basis for access control decisions?
• Some options:
– User ID
– User address
– Service being invoked
– Cryptographic-based solutions
Internetworking
• Internetworking is the interconnection of
networks
• The Internet is an internetwork; all
internetworks are not the Internet
• Very few modern networks exist in
isolation; most are internetworked
• This has important security and legal
implications
Internetworking Concepts
• Networks are interconnected by routers or
gateways
– More about this later in the course
• Routers route a packet using the destination
network address, not the destination host
address
– Analogous to the world postal system and how
letters are routed
Network Facts
• Most computers today are connected to a
network (consider the Internet), at least for
part of the time they are in operation
• Most local networks are internetworked
• How to provide authenticity, integrity,
confidentiality, availability?
• Cryptography can help provide all the
security services except availability
Encryption Primer
• Cryptography = “secret writing”
• Input = plaintext
• Output = ciphertext
• Ciphertext = plaintext + key (in general)
– Intention is that the cipher text be unintelligible to an eavesdropper
• Two basic types of cipher
– Symmetric
– Asymmetric
Definitions
• Encryption
– The process of turning plaintext into ciphertext
• Decryption
– The process of turning ciphertext into plaintext
• Cryptanalysis
– The process of analyzing ciphertext with the
goal of recovering the plaintext, without the key
Attacks on Cryptosystems
• Ciphertext-only attack
• Known-plaintext attack
• Chosen-plaintext attack
• Adaptive-chosen-plaintext attack
• Chosen-ciphertext attack
• Chosen-key attack (rare, difficult)
• Rubber-hose cryptanalysis (common, easy)
Source: Bruce Schneier, Applied Cryptography--Second Edition, pp. 5-7
Crypto Algorithm Security
• Unconditionally secure if, no matter how
much ciphertext a cryptanalyst has, there is
not enough information to recover the
plaintext
• Computationally secure if it cannot be
broken with available resources, either
current or future
Source: Bruce Schneier, Applied Cryptography--Second Edition, pg. 8
Encryption
• There are many ways to render plaintext
into ciphertext
• Only ONE provably secure cryptosystem
– One-time pad
– Secure even if pad or operator captured
– BUT…errors can lead to decryption
– http://www.cia.gov/csi/books/venona/preface.htm
One Time Pad
Why Use Anything Except
One-time Pads?
• Speed of encipherment
• Letters vs. numbers
• Logistics
• Usability
• Error rates
Other Crypto Systems
• Substitution ciphers
– Most famous is the Caesar cipher:
monoalphabetic substitution with offset = 3
– Children’s decoders usually in this category
• Book ciphers
• Codebooks
Problem Areas
• Languages have well-known statistics
– E.g., “e” is most common letter in English
– This can be exploited for cryptanalysis
– Thus, substitution ciphers are not very secure
– Similar problems plague book ciphers, etc.
• The only way to achieve true security is to
make the ciphertext appear as random as
possible
Modern Cryptography Uses
Electronic Digital Systems
• Advantages:
– Speed
– Accuracy
– Ability to use complex mathematics
• Disadvantages
– Complex equipment
– Electronic vulnerabilities
– Key management
Kerckhoffs’ Assumption
• Secrecy must reside solely in the key
– It is assumed that the attacker knows the
complete details of the cryptographic algorithm
and implementation
• A. Kerckhoffs was a 19th century Dutch
cryptographer
• Ergo, security by obscurity doesn’t work!
Symmetric Cryptography
[Diagram labels: Alice’s message; algorithm; shared private key (at both ends); Bob; Kryptos + Grafos]
Cipher Example (Vernam)
• Encipher
– Plain: 001 010 011 100
– +key: 111 011 010 101
– Cipher: 110 001 001 001
• Decipher
– Cipher: 110 001 001 001
– +key: 111 011 010 101
– Plain: 001 010 011 100
The ciphertext is simply the plain text added to the key,
modulo 2. This is a reversible process, as seen above.
Why Does This Work?
• Cleartext is a function with known statistics,
or even a deterministic function
• Key is a truly random data stream
• Sum of a random function and a nonrandom function is a random function
• So...crucial that the key be truly random
• This is not easy!
Vernam Cipher Weaknesses
• Two-way function
– If any two of the inputs to the cryptographic
algorithm are known, the third can be
calculated
– This allows recovery of the key if the attacker
can obtain a plaintext and a ciphertext copy of
the same message -- not often a hard task
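The Vernam example and the two-way weakness above, worked in code. This is an added example, not part of the original slides; the function names and the two sample messages are constructed for illustration. It shows why a key must never be used for more than one message.

```python
import secrets

def vernam(data: bytes, key: bytes) -> bytes:
    """Add data and key modulo 2 (XOR). The same call enciphers and deciphers."""
    if len(key) < len(data):
        raise ValueError("key must be at least as long as the data")
    return bytes(d ^ k for d, k in zip(data, key))

def slide_example() -> tuple[int, int]:
    """The 12-bit example from the slide: returns (cipher, recovered plain)."""
    plain, key = 0b001010011100, 0b111011010101
    cipher = plain ^ key
    return cipher, cipher ^ key

def recover_key(plaintext: bytes, ciphertext: bytes) -> bytes:
    """Two-way function: any two of plain, key and cipher give the third."""
    return vernam(plaintext, ciphertext)

def key_reuse_demo() -> tuple[bool, bool, bytes]:
    key = secrets.token_bytes(30)              # random key, as long as the message
    msg1 = b"MEET AT DAWN BY THE NORTH GATE"   # constructed sample messages,
    msg2 = b"SUPPLY CONVOY LEAVES AT NOON  "   # both 30 bytes
    c1, c2 = vernam(msg1, key), vernam(msg2, key)   # mistake: same key used twice
    leaked = recover_key(msg1, c1)             # one known plaintext/ciphertext pair
    # round trip works; the pair yields the key; the second message falls with it
    return vernam(c1, key) == msg1, leaked == key, vernam(c2, leaked)

if __name__ == "__main__":
    print(format(slide_example()[0], "012b"))
    print(key_reuse_demo())
```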
Enigma
• Probably history’s most
famous cipher machine
• Even today, a good cipher
machine
• Capable of billions of
billions of text permutations
• Codes broken!
• Depended on security by
obscurity--a failure
Sigaba
Similar in theory
to Enigma.
Designed for strategic
(fixed station) use; note
direct punching of
teletypewriter paper
tape for transmission.
How to Achieve Good
Cryptography?
• Well-reviewed algorithms
– So weaknesses cannot “hide” until after
implementation
• Excellent key generation & management
– To maintain secrecy of the key
• Algorithms that are sufficiently complex so
as to not permit feasible exhaustive attacks
More Definitions
• Block cipher
– Data is broken into fixed-size blocks, and
encrypted a block at a time
– Blocks are padded out if necessary
• Stream cipher
– Data is encrypted a bit at a time, as it is
presented to the encryption engine
• Most algorithms in use today are block
ciphers
Feistel Ciphers: Characteristics
• Special class of iterated block ciphers
• Ciphertext calculated from plaintext by
repeated application of the same
transformation or round function
• Encryption and decryption are
structurally identical (subkey order
reversed for decryption)
• Fast, even in software implementation
• Easily analyzed (i.e., deficiencies more
readily found by analysis)
Feistel Ciphers: Step by Step
• Plaintext split into two halves
• Round function f is applied to
one half using a subkey
• Output of f is XOR’d with the
other half of the plaintext
• Two halves are swapped
• Process repeated for n rounds
• No swap after last round
Subkey Generation
• Creating the subkeys in a Feistel cipher has
a major effect on the overall security of the
algorithm
– Possible to create weak keys
– Changes in the subkey algorithm can result in
effectively different realizations of the
algorithm
• DES is based on Feistel rounds, and uses a
complex method of subkey generation
Importance of Feistel Ciphers
• Basis of DES, other important algorithms
– Horst Feistel worked for IBM in 1973
– IBM’s Lucifer algorithm, based on Feistel
rounds, became the DES standard in 1977
• Many other algorithm authors have used Feistel
rounds, or variants thereof, to realize block ciphers
• Feistel ciphers are not the only kind of iterative
block cipher
DES: Feistel Applied
• DES: Data Encryption Standard
• Formal specification -- FIPS PUB 46-3, last
affirmed 25 October 1999
http://www.csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdf
• Describes two cryptographic algorithms
– DES
– TDEA (commonly referred to as 3DES)
• DES based on IBM Lucifer cipher of 1974
DES Characteristics
• 64-bit block cipher
• 56-bit key, with additional 8 bits used for
error checking (odd parity on each byte)
• Four operating modes
– Electronic Codebook (ECB)
– Cipher Block Chaining (CBC)
– Cipher Feedback (CFB)
– Output Feedback (OFB)
DES Enciphering Computation
Feistel round
Initial Permutation
Cipher Function, f(Rn,Kn)
How Can This Happen?
• Turn 32-bit plaintext into 48-bit output
• Add to 48-bit key
• Get 32-bit output
?
Crypto Function Details
• E-function takes the input to the Feistel
round and expands it to 48 bits
• S-boxes (for selection, usually referred to as
substitution) permute bits to produce the
proper output
• P-function permutes 32-bit output of the S-boxes
• Inverse permutation (IP⁻¹) restores bit order
after the 16 Feistel rounds
E-function
P-Function
S-box Example
Result over 8 S-boxes: 48 bits → 32 bits
Key Scheduling
Permuted Choice 1
C( )
D( )
Left Shift Schedule
NB: These are
circular left shifts
Permuted Choice 2
DES Decryption
• As DES is a Feistel cipher, decryption uses
the same engine as does encryption
• For decryption:
– The DES engine is precisely the same as the
encryption engine -- it is not run in reverse
(e.g. with the input coming in the “bottom”)
– Instead, the key schedule is run in reverse; i.e.
the first subkey used is K16, then K15, etc.,
finishing with K1
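The steps from the "Feistel Ciphers: Step by Step" slide and the decryption rule above (same engine, key schedule reversed), as a toy 16-round Feistel cipher. This is an added example, not part of the original slides and not DES: the SHA-256-based round function and key schedule are stand-ins assumed here so the code is self-contained.

```python
import hashlib

HALF = 4      # bytes per half: 64-bit block, the DES block size
ROUNDS = 16   # DES also uses 16 rounds

def subkeys(key: bytes, rounds: int = ROUNDS) -> list[bytes]:
    """Hypothetical key schedule (not DES's): one SHA-256-derived subkey per round."""
    return [hashlib.sha256(key + bytes([i])).digest()[:HALF] for i in range(rounds)]

def f(half: bytes, subkey: bytes) -> bytes:
    """Stand-in round function. It is not invertible, and does not need to be."""
    return hashlib.sha256(subkey + half).digest()[:HALF]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def feistel(block: bytes, ks: list[bytes]) -> bytes:
    """The one engine used for both directions; only the subkey order differs."""
    if len(block) != 2 * HALF:
        raise ValueError("block must be exactly 8 bytes")
    left, right = block[:HALF], block[HALF:]        # split into two halves
    for i, k in enumerate(ks):
        left = xor(left, f(right, k))               # f(one half, subkey) XOR other half
        if i < len(ks) - 1:
            left, right = right, left               # swap, but not after the last round
    return left + right

def encrypt(block: bytes, key: bytes) -> bytes:
    return feistel(block, subkeys(key))             # K1, K2, ..., K16

def decrypt(block: bytes, key: bytes) -> bytes:
    return feistel(block, subkeys(key)[::-1])       # K16, K15, ..., K1

if __name__ == "__main__":
    key, pt = b"constructed key", b"EE579T/2"       # constructed sample inputs
    ct = encrypt(pt, key)
    print(ct.hex(), decrypt(ct, key), encrypt(ct, key) == pt)
```

Running the engine on the ciphertext with the subkeys in encryption order does not return the plaintext; only the reversed schedule does.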
Principal DES Operating Modes-1
(FIPS PUB 81)
• Electronic Code Book (ECB)
– Encrypts one block at a time with selected key
– Simplest implementation of DES
– Vulnerability: repeated plaintext can reveal
key, and then all cipher blocks can be decrypted
ECB
Principal DES Operating Modes-2
(FIPS PUB 81)
• Cipher Block Chaining (CBC)
– Input to each block is the output of the previous
block XOR’d with the next plaintext block
– Initial block XOR’d with an Initialization
Vector (IV)
– This approach greatly improves the security of
DES against key searches
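ECB and CBC side by side on a message with repeated plaintext blocks. This is an added example, not part of the original slides; E and D are a stand-in 64-bit keyed permutation assumed here so the code runs without a DES library, and the message is constructed. The repeated_blocks check is the kind of test a reviewer can run on captured ciphertext to spot ECB use.

```python
import secrets

BLOCK = 8                              # 64-bit blocks, as in DES
MASK = (1 << 64) - 1
MUL = 0x9E3779B97F4A7C15               # odd, so multiplication mod 2**64 is invertible
MUL_INV = pow(MUL, -1, 1 << 64)

def E(key: int, block: bytes) -> bytes:
    """Stand-in keyed 64-bit permutation (key is a 64-bit int). NOT secure."""
    x = int.from_bytes(block, "big")
    for _ in range(4):
        x = ((x ^ key) * MUL) & MASK
        x = ((x << 29) | (x >> 35)) & MASK         # rotate left by 29
    return x.to_bytes(BLOCK, "big")

def D(key: int, block: bytes) -> bytes:
    """Inverse of E: undo the rotation, then the multiplication and key XOR."""
    x = int.from_bytes(block, "big")
    for _ in range(4):
        x = ((x >> 29) | (x << 35)) & MASK         # rotate right by 29
        x = ((x * MUL_INV) & MASK) ^ key
    return x.to_bytes(BLOCK, "big")

def blocks(data: bytes) -> list[bytes]:
    if len(data) % BLOCK:
        raise ValueError("pad the data to a whole number of blocks first")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def ecb_encrypt(key: int, pt: bytes) -> bytes:
    return b"".join(E(key, b) for b in blocks(pt))  # each block on its own

def cbc_encrypt(key: int, iv: bytes, pt: bytes) -> bytes:
    out, prev = [], iv                              # first block is XOR'd with the IV
    for b in blocks(pt):
        prev = E(key, xor(b, prev))                 # previous output XOR next plaintext
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: int, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for c in blocks(ct):
        out.append(xor(D(key, c), prev))
        prev = c
    return b"".join(out)

def repeated_blocks(ct: bytes) -> int:
    """Number of ciphertext blocks that duplicate an earlier block."""
    bs = blocks(ct)
    return len(bs) - len(set(bs))

def demo() -> tuple[int, int, bool]:
    key, iv = secrets.randbits(64), secrets.token_bytes(BLOCK)
    pt = b"PAY 0100" * 3 + b"PAY 9999"              # constructed: three identical blocks
    ecb, cbc = ecb_encrypt(key, pt), cbc_encrypt(key, iv, pt)
    return repeated_blocks(ecb), repeated_blocks(cbc), cbc_decrypt(key, iv, cbc) == pt
```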
CBC
Additional DES Modes -1
(FIPS PUB 81)
• Cipher Feedback Mode
– previous ciphertext block encrypted and output
XOR’d with plaintext block to produce current
ciphertext block
– can use feedback that is less than one full data
block
– initialization vector used as “seed” for the
process.
CFB
Additional DES Modes -2
(FIPS PUB 81)
• Output Feedback Mode (OFB)
– similar to CFB mode except data XOR’d with
each plaintext block is generated independently
of both the plaintext and ciphertext
– initialization vector s_0 used as “seed” for a
sequence of data blocks s_i
– each data block s_i derived from encryption of
the previous data block s_(i-1)
OFB
Importance of DES
• Ubiquitous, U.S. federal standard
• When standardized, 56-bit key made cipher
computationally secure
– This is no longer the case
– DES has been broken using brute force attacks
in 56 hours, using recycled computer boards
costing less than $250,000 (July 15, 1998)
• Immediate fix: Triple Data Encryption
Algorithm (or Triple DES, 3DES)
TDEA
Encryption
Decryption
TDEA Realities
• Two keying options
– Three separate keys (as shown on previous slide)
– Two keys; E_K1 = E_K3
– Resultant key lengths of 168 or 112 bits
• For mathematical reasons we won’t go into here,
3-key TDEA is only about twice as secure as DES,
not 3 times as secure
• Implemented in hardware, 3-key TDEA can
achieve throughputs approaching 1 Gbps
TDEA Advantages
• Thoroughly analyzed, unlikely to have any
hidden vulnerabilities
• Much less vulnerable to brute force attack
than DES
• Can be implemented in silicon, with very
fast throughput
TDEA Disadvantages
• Algorithm produces slow software
implementations
• Limited to 64-bit block size
• Trebles the key distribution problem of DES
AES: The Next Generation
• Advanced Encryption Standard (FIPS PUB 197)
– Established to counter weaknesses of DES
– Based on Rijndael algorithm
• Joan Daemen and Vincent Rijmen, Belgians, authors
– U. S. standard adopted Nov. 26, 2001
– Became effective May 26, 2002
– Key lengths of 128, 192, and 256 bits
– Block size of 128 bits
• In AES, Rijndael allows for other sizes
Rijndael Structure
• Rijndael is not a Feistel cipher; rather, it
uses substitution boxes
• “...typically part of the bits of the
intermediate state are simply transposed
unchanged to another position”
• “...[each] round transformation is composed
of three distinct invertible uniform
transformations”
AES’ Future
• Clearly intended to replace DES & TDEA
• Designed for efficient software
implementation
• Not yet as thoroughly analyzed as DES
• Expect implementations on the market this
year
• Probably a long coexistence of TDEA &
AES
Key Types
• Permanent
– Used for a fixed, prearranged period of time
– Typically used for applications such as key
distribution, government communications, etc.
• Session
– Valid only for current communications session
– Destroyed after session terminates
Key Distribution Problem
• Secret keys must be prepositioned at all
locations before secure communications can
occur.
• How to do this?
– Secure physical transport
– Secure electronic transport
• The search for a way to accomplish this led to the
development of public key cryptography, which we
will study next class
Summary -1
• Symmetric key cryptography uses one key,
shared by all users of the cipher
• There are many weaknesses to basic crypto
algorithms like the Vernam cipher
• Feistel ciphers provide a more complex
algorithm that permits iterative encryption
• Feistel cipher decryption uses same process
as encryption, making process simpler
Summary - 2
• Block ciphers are widely used
• Most commonly used block cipher today is
TDEA, operating in one of 4 modes
• TDEA is limited by 64-bit block and key
size, provides poor software implementation
• AES chosen to replace TDEA
• Should be several years of coexistence
Homework
• Read Chapter 3 sections 3.3, 3.4, 3.6
• Do following exercises from text:
– 2.1a,b
– 2.4
– 2.5
– 2.7