Transcript EE579S Computer Security
EE579T / CS525T Network Security 3: Symmetric Block Ciphers
Prof. Richard A. Stanley Spring 2002 © 2000-2002, Richard A. Stanley
WPI
EE579T/3 #1
Overview of Tonight’s Class
• Class list issues
• Review of last week’s class
• Network security in the news
• An overview of block ciphers
• Introduction to key distribution
Last Week...
• Networks and internetworks have become ubiquitous
• Networking allows interconnection of computers without much concern for the local OS or machine architecture
• Networking raises many serious security issues, which must be solved
• The pace of network security problem development is exceeding the pace of their solution
Security in the News
• Complexity is the enemy of security
  – You have heard this tune before!
  – Recently discovered that all (with one partial exception) products designed to perform secure file erasure fail in this task
    • Leave NTFS alternate data streams, master file table
    • NTFS is a very complex file system
    • Complete analysis difficult, often not done
• Complexity level often beyond our control
Network Security This Week
• Have you been to MyParty?
  – Worm, written in Visual C++, looks like link to web
  – Set to spread between 1/24 and 1/29
  – Mails itself to everyone in your address book who is not infected (avoids tip-off)
  – Leaves behind backdoor Trojan Horse, Troj/Msstake-A, which could allow unauthorized access
  – Sends message to [email protected] (to track progress?)
  – Caught by Norton Antivirus 2002 (if up-to-date)
  – Forced filtering on WPI network to block it
Encryption Primer
• Cryptography = “secret writing”
• Input = plaintext
• Output = ciphertext
• Ciphertext = plaintext + key (in general)
  – Intention is that the ciphertext be unintelligible to an eavesdropper
• Two basic types of cipher
  – Symmetric
  – Asymmetric
Definitions
• Encryption
  – The process of turning plaintext into ciphertext
• Decryption
  – The process of turning ciphertext into plaintext
• Cryptanalysis
  – The process of analyzing ciphertext with the goal of recovering the plaintext, without the key
Attacks on Cryptosystems
• Ciphertext-only attack
• Known-plaintext attack
• Chosen-plaintext attack
• Adaptive-chosen-plaintext attack
• Chosen-ciphertext attack
• Chosen-key attack (rare, difficult)
• Rubber-hose cryptanalysis (common, easy)
Source: Bruce Schneier, Applied Cryptography--Second Edition, pp. 5-7
Crypto Algorithm Security
• Unconditionally secure if, no matter how much ciphertext a cryptanalyst has, there is not enough information to recover the plaintext
• Computationally secure if it cannot be broken with available resources, either current or future
Source: Bruce Schneier, Applied Cryptography--Second Edition, p. 8
Encryption
• There are many ways to render plaintext into ciphertext
• Only ONE provably secure cryptosystem
  – One-time pad
  – Secure even if pad or operator captured
  – BUT…errors can lead to decryption
  – http://www.cia.gov/csi/books/venona/preface.htm
One Time Pad
Why Use Anything Except One-time Pads?
• Speed of encipherment
• Letters vs. numbers
• Logistics
• Usability
• Error rates
Other Crypto Systems
• Substitution ciphers
  – Most famous is the Caesar cipher: monoalphabetic substitution with offset = 3
  – Children’s decoders usually in this category
• Book ciphers
• Codebooks
Problem Areas
• Languages have well-known statistics
  – E.g., “e” is most common letter in English
  – This can be exploited for cryptanalysis
  – Thus, substitution ciphers are not very secure
  – Similar problems plague book ciphers, etc.
• The only way to achieve true security is to make the ciphertext appear as random as possible
Modern Cryptography Uses Electronic Digital Systems
• Advantages:
  – Speed
  – Accuracy
  – Ability to use complex mathematics
• Disadvantages:
  – Complex equipment
  – Electronic vulnerabilities
  – Key management
Kerckhoffs’ Assumption
• Secrecy must reside solely in the key
  – It is assumed that the attacker knows the complete details of the cryptographic algorithm and implementation
• A. Kerckhoffs was a 19th-century Dutch cryptographer
• Ergo, security by obscurity doesn’t work!
Symmetric Cryptography
[Figure: symmetric cryptography. Labels: Alice’s message, shared private key, Kryptos + Grafos algorithm, Bob, shared private key, Alice’s message]
Cipher Example (Vernam)
• Encipher
  • Plain:  001 010 011 100
  • +key:   111 011 010 101
  • Cipher: 110 001 001 001
• Decipher
  • Cipher: 110 001 001 001
  • +key:   111 011 010 101
  • Plain:  001 010 011 100
The ciphertext is simply the plaintext added to the key, modulo 2. This is a reversible process, as seen above.
Why Does This Work?
• Cleartext is a function with known statistics, or even a deterministic function
• Key is a truly random data stream
• Sum of a random function and a non-random function is a random function
• So...crucial that the key be truly random
• This is not easy!
Vernam Cipher Weaknesses
• Two-way function
  – If any two of the inputs to the cryptographic algorithm are known, the third can be calculated
  – This allows recovery of the key if the attacker can obtain a plaintext and a ciphertext copy of the same message -- not often a hard task
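
The two-way property above, worked with the bit groups from the Cipher Example (Vernam) slide. This is an added example, not part of the original slides; the second message is constructed to show what a recovered key stream exposes if it is ever used again.

```python
# Added illustration: why a Vernam key stream must never protect two messages.
# plain1/key are the bit groups from the slide; plain2 is constructed.

def vernam(data, key):
    """Add key to data modulo 2 (XOR), group by group. Encipher == decipher."""
    if len(key) < len(data):
        raise ValueError("key stream shorter than message")
    return [d ^ k for d, k in zip(data, key)]

def parse(groups):
    """'001 010' -> [1, 2] (each 3-bit group as an integer)."""
    return [int(g, 2) for g in groups.split()]

def show(values):
    return " ".join(format(v, "03b") for v in values)

plain1 = parse("001 010 011 100")
key = parse("111 011 010 101")
cipher1 = vernam(plain1, key)             # what goes over the wire

# Known plaintext + ciphertext of the same message: the third input falls out.
recovered_key = vernam(cipher1, plain1)

# Same key stream used for a second message: that message is exposed too.
plain2 = parse("101 101 000 111")         # constructed second message
cipher2 = vernam(plain2, key)
exposed = vernam(cipher2, recovered_key)

# Even without any known plaintext, the key cancels out of two ciphertexts,
# leaving plain1 XOR plain2 with all of the plaintext statistics intact.
leak = vernam(cipher1, cipher2)

if __name__ == "__main__":
    print("cipher1      :", show(cipher1))
    print("recovered key:", show(recovered_key))
    print("exposed msg 2:", show(exposed))
    print("c1 XOR c2    :", show(leak))
```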
Enigma
• Probably history’s most famous cipher machine
• Even today, a good cipher machine
• Capable of billions of billions of text permutations
• Codes broken!
• Depended on security by obscurity--a failure
How to Achieve Good Cryptography?
• Well-reviewed algorithms
  – So weaknesses cannot “hide” until after implementation
• Excellent key generation & management
  – To maintain secrecy of the key
• Algorithms that are sufficiently complex so as to not permit feasible exhaustive attacks
More Definitions
• Block cipher
  – Data is broken into fixed-size blocks, and encrypted a block at a time
  – Blocks are padded out if necessary
• Stream cipher
  – Data is encrypted a bit at a time, as it is presented to the encryption engine
• Most algorithms in use today are block ciphers
Feistel Ciphers: Characteristics
• Special class of iterated block ciphers
• Ciphertext calculated from plaintext by repeated application of the same transformation or round function
• Encryption and decryption are structurally identical (subkey order reversed for decryption)
• Fast, even in software implementation
• Easily analyzed (i.e., deficiencies more readily found by analysis)
Feistel Ciphers: Step by Step
• Plaintext split into two halves
• Round function f is applied to one half using a subkey
• Output of f is XOR’d with the other half of the plaintext
• Two halves are swapped
• Process repeated for n rounds
• No swap after last round
Subkey Generation
• Creating the subkeys in a Feistel cipher has a major effect on the overall security of the algorithm
  – Possible to create weak keys
  – Changes in the subkey algorithm can result in effectively different realizations of the algorithm
• DES is based on Feistel rounds, and uses a complex method of subkey generation
Importance of Feistel Ciphers
• Basis of DES, other important algorithms
  – Horst Feistel worked for IBM in 1973
  – IBM’s Lucifer algorithm, based on Feistel rounds, became the DES standard in 1977
• Many other algorithm authors have used Feistel rounds, or variants thereof, to realize block ciphers
• Feistel ciphers are not the only kind of iterative block cipher
DES: Feistel Applied
• DES: Data Encryption Standard
• Formal specification -- FIPS PUB 46-3, last affirmed 25 October 1999
  http://www.csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdf
• Describes two cryptographic algorithms
  – DES
  – TDEA (commonly referred to as 3DES)
• DES based on IBM Lucifer cipher of 1974
DES Characteristics
• 64-bit block cipher
• 56-bit key, with additional 8 bits used for error checking (odd parity on each byte)
• Four operating modes
  – Electronic Codebook (ECB)
  – Cipher Block Chaining (CBC)
  – Cipher Feedback (CFB)
  – Output Feedback (OFB)
DES Enciphering Computation
[Figure: DES enciphering computation, with one Feistel round labelled]
Initial Permutation
Cipher Function, f(R_n, K_n)
How Can This Happen?
• Turn 32-bit plaintext into 48-bit output
• Get 32-bit output
• Add to 48-bit key?
Crypto Function Details
• E-function takes the input to the Feistel round and expands it to 48 bits
• S-boxes (for selection, usually referred to as substitution) permute bits to produce the proper output
• P-function permutes 32-bit output of the S-boxes
• Inverse permutation (IP⁻¹) restores bit order after the 16 Feistel rounds
E-function
P-Function
S-box Example
Result over 8 S-boxes: 48 bits → 32 bits
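
How 32 bits become 48 and then 32 again inside f(R, K), as an added example that is not part of the original slides. The E and S1 tables are those of FIPS PUB 46-3; S2 to S8 and the P-function are left out, and R and K are sample values constructed for illustration.

```python
# Added illustration of the 32 -> 48 -> 32 bit path inside f(R, K).
# E and S1 follow FIPS PUB 46-3; S2..S8 and the P-function are left out.
# R and K are sample values constructed for this example.

def expand(r32: int) -> int:
    """E-function: widen each 4-bit group of R to 6 bits by borrowing the
    neighbouring bit on either side (wrapping around), 32 -> 48 bits."""
    bits = [(r32 >> (31 - i)) & 1 for i in range(32)]   # index 0 = leftmost bit
    out = 0
    for g in range(8):
        picks = [(4 * g - 1) % 32, *range(4 * g, 4 * g + 4), (4 * g + 4) % 32]
        for i in picks:
            out = (out << 1) | bits[i]
    return out

def six_bit_groups(x48: int) -> list:
    """Split a 48-bit value into the eight 6-bit S-box inputs B1..B8."""
    return [(x48 >> (42 - 6 * i)) & 0x3F for i in range(8)]

S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]

def sbox(table: list, six: int) -> int:
    """6 bits in, 4 bits out: outer two bits select the row, inner four the
    column. Eight such boxes turn 48 bits back into 32."""
    row = ((six >> 5) << 1) | (six & 1)
    col = (six >> 1) & 0xF
    return table[row][col]

def first_sbox_output(r32: int, k48: int) -> int:
    """Expand R, add the 48-bit subkey modulo 2, pass group B1 through S1."""
    return sbox(S1, six_bit_groups(expand(r32) ^ k48)[0])

R = 0xF0AAF0AA        # constructed 32-bit half-block
K = 0x1B02EFFC7072    # constructed 48-bit subkey

if __name__ == "__main__":
    print(format(expand(R), "048b"))
    print(format(first_sbox_output(R, K), "04b"))   # 4-bit output of S1
```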
Key Scheduling
Permuted Choice 1
[Figure: Permuted Choice 1 table, in two halves labelled C and D]
Left Shift Schedule
NB: These are circular left shifts
Permuted Choice 2
DES Decryption
• As DES is a Feistel cipher, decryption uses the same engine as does encryption
• For decryption:
  – The DES engine is precisely the same as the encryption engine -- it is not run in reverse (e.g. with the input coming in the “bottom”)
  – Instead, the key schedule is run in reverse; i.e. the first subkey used is K_16, then K_15, etc., finishing with K_1
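
The Feistel steps from "Feistel Ciphers: Step by Step" and the reversed key schedule from "DES Decryption", as an added example that is not part of the original slides. The round function and key schedule are SHA-256 stand-ins assumed for illustration, not the DES f-function or key schedule; `is_involution` is a hypothetical helper showing the weak-key effect mentioned under "Subkey Generation".

```python
# Added illustration of a Feistel network (64-bit block, 16 rounds).
# The round function and key schedule are SHA-256 stand-ins chosen for this
# example; they are NOT the DES f-function or the DES key schedule.
import hashlib

ROUNDS = 16
HALF = 4  # bytes per half-block

def subkeys(key: bytes) -> list:
    """Toy key schedule: one 48-bit subkey per round, K_1 .. K_16."""
    return [hashlib.sha256(key + bytes([i])).digest()[:6]
            for i in range(1, ROUNDS + 1)]

def f(half: bytes, subkey: bytes) -> bytes:
    """Toy round function; it does not need to be invertible."""
    return hashlib.sha256(subkey + half).digest()[:HALF]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def feistel(block: bytes, schedule: list) -> bytes:
    """The single engine used for both encryption and decryption."""
    if len(block) != 2 * HALF:
        raise ValueError("block must be 8 bytes")
    left, right = block[:HALF], block[HALF:]
    for k in schedule:
        # apply f to one half, XOR the result into the other, swap the halves
        left, right = right, xor(left, f(right, k))
    return right + left  # undoes the last swap: no swap after the final round

def encrypt(block: bytes, key: bytes) -> bytes:
    return feistel(block, subkeys(key))

def decrypt(block: bytes, key: bytes) -> bytes:
    return feistel(block, subkeys(key)[::-1])  # K_16, K_15, ..., K_1

def is_involution(block: bytes, schedule: list) -> bool:
    """True when encrypting twice returns the plaintext, which happens when
    the schedule reads the same in both directions (e.g. all subkeys equal)."""
    return feistel(feistel(block, schedule), schedule) == block

if __name__ == "__main__":
    pt = b"8 bytes!"                                   # constructed sample block
    ct = encrypt(pt, b"sample key")
    print(ct.hex(), decrypt(ct, b"sample key"))
    print(is_involution(pt, [b"\x00" * 6] * ROUNDS))   # weak schedule
```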
Principal DES Operating Modes-1
(FIPS PUB 81)
• Electronic Code Book (ECB)
  – Encrypts one block at a time with selected key
  – Simplest implementation of DES
  – Vulnerability: repeated plaintext can reveal key, and then all cipher blocks can be decrypted
ECB
Principal DES Operating Modes-2
(FIPS PUB 81)
• Cipher Block Chaining (CBC)
  – Input to each block is the output of the previous block XOR’d with the next plaintext block
  – Initial block XOR’d with an Initialization Vector (IV)
  – This approach greatly improves the security of DES against key searches
CBC
Additional DES Modes -1
(FIPS PUB 81)
• Cipher Feedback Mode
  – previous ciphertext block encrypted and output XOR’d with plaintext block to produce current ciphertext block
  – can use feedback that is less than one full data block
  – initialization vector used as “seed” for the process.
CFB
Additional DES Modes -2
(FIPS PUB 81)
• Output Feedback Mode (OFB)
  – similar to CFB mode except data XOR’d with each plaintext block is generated independently of both the plaintext and ciphertext
  – initialization vector s_0 used as “seed” for a sequence of data blocks s_i
  – each data block s_i derived from encryption of the previous data block s_{i-1}
OFB
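
The four FIPS PUB 81 modes side by side, as an added example that is not part of the original slides. `E()` is an assumed stand-in for the DES engine (truncated HMAC-SHA256, forward direction only), so ECB and CBC are shown enciphering only; the key, IV and message are constructed. It shows repeated plaintext blocks surviving ECB but not the chained or feedback modes.

```python
# Added illustration of the four FIPS PUB 81 modes on 8-byte blocks. E() is a
# forward-only stand-in for the DES engine, so ECB and CBC only encipher here.
import hashlib
import hmac

BLOCK = 8

def E(key, block):
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def blocks(data):
    if len(data) % BLOCK:
        raise ValueError("pad the message to a multiple of 8 bytes first")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb(key, pt):
    return b"".join(E(key, p) for p in blocks(pt))

def cbc(key, iv, pt):
    out, prev = [], iv
    for p in blocks(pt):
        prev = E(key, xor(p, prev))   # plaintext XOR previous ciphertext (IV first)
        out.append(prev)
    return b"".join(out)

def cfb(key, iv, data, decrypt=False):
    out, prev = [], iv
    for b in blocks(data):
        o = xor(b, E(key, prev))      # encrypt previous ciphertext, XOR with data
        prev = b if decrypt else o    # feedback is always the ciphertext block
        out.append(o)
    return b"".join(out)

def ofb(key, iv, data):               # the same call enciphers and deciphers
    out, s = [], iv                   # s_0 = IV
    for b in blocks(data):
        s = E(key, s)                 # s_i = E(s_{i-1}), independent of the data
        out.append(xor(b, s))
    return b"".join(out)

def repeated_blocks(ct):
    return len(blocks(ct)) - len(set(blocks(ct)))

KEY = b"constructed key"              # sample values constructed for this example
IV = bytes.fromhex("0123456789abcdef")
PT = b"PAY 100$" * 3 + b"TO ALICE"    # three identical plaintext blocks
```

Because the OFB data blocks depend only on the key and the IV, reusing an IV under the same key reproduces the same key stream, which is the Vernam key-reuse problem again.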
Importance of DES
• Ubiquitous, U.S. federal standard
• When standardized, the 56-bit key made the cipher computationally secure
  – This is no longer the case
  – DES has been broken using brute force attacks in 56 hours, using recycled computer boards costing less than $250,000 (July 15, 1998)
• Immediate fix: Triple Data Encryption Algorithm (or Triple DES, 3DES)
TDEA
[Figure: TDEA encryption and decryption]
TDEA Realities
• Two keying options
  – Three separate keys (as shown on previous slide)
  – Two keys; E_K1 = E_K3
  – Resultant key lengths of 168 or 112 bits
• For mathematical reasons we won’t go into here, 3-key TDEA is only about twice as secure as DES, not 3 times as secure
• Implemented in hardware, 3-key TDEA can achieve throughputs approaching 1 Gbps
TDEA Advantages
• Thoroughly analyzed, unlikely to have any hidden vulnerabilities
• Much less vulnerable to brute force attack than DES
• Can be implemented in silicon, with very fast throughput
TDEA Disadvantages
• Algorithm produces slow software implementations
• Limited to 64-bit block size
• Trebles the key distribution problem of DES
AES: The Next Generation
• Advanced Encryption Standard (FIPS PUB 197)
  – Established to counter weaknesses of DES
  – Based on Rijndael algorithm
    • Joan Daemen and Vincent Rijmen, Belgians, authors
  – U.S. standard adopted Nov. 26, 2001
  – Becomes effective May 26, 2002
  – Key lengths of 128, 192, and 256 bits
  – Block size of 128 bits
    • In AES, Rijndael allows for other sizes
Rijndael Structure
• Rijndael is not a Feistel cipher; rather, it uses substitution boxes
• “...typically part of the bits of the intermediate state are simply transposed unchanged to another position”
• “...[each] round transformation is composed of three distinct invertible uniform transformations”
AES’ Future
• Clearly intended to replace DES & TDEA
• Designed for efficient software implementation
• Not yet as thoroughly analyzed as DES
• Expect implementations on the market this year
• Probably a long coexistence of TDEA & AES
Key Types
• Permanent
  – Used for a fixed, prearranged period of time
  – Typically used for applications such as key distribution, government communications, etc.
• Session
  – Valid only for current communications session
  – Destroyed after session terminates
Key Distribution Problem
• Secret keys must be prepositioned at all locations before secure communications can occur.
• How to do this?
  – Secure physical transport
  – Secure electronic transport
• The search for a way to accomplish this led to the development of public key cryptography, which we will study next class
Summary -1
• Symmetric key cryptography uses one key, shared by all users of the cipher
• There are many weaknesses to basic crypto algorithms like the Vernam cipher
• Feistel ciphers provide a more complex algorithm that permits iterative encryption
• Feistel cipher decryption uses same process as encryption, making process simpler
Summary - 2
• Block ciphers are widely used
• Most commonly used block cipher today is TDEA, operating in one of 4 modes
• TDEA is limited by 64-bit block and key size, provides poor software implementation
• AES chosen to replace TDEA
• Should be several years of coexistence
Homework
• Read Chapter 3 sections 3.3, 3.4, 3.6
• Do following exercises from text:
  – 2.1a,b
  – 2.4
  – 2.5
  – 2.7