EE579S Computer Security


EE579T / CS525T Network Security 3: Symmetric Block Ciphers

Prof. Richard A. Stanley Spring 2002 © 2000-2002, Richard A. Stanley

WPI

EE579T/3 #1

Overview of Tonight’s Class

• Class list issues
• Review of last week’s class
• Network security in the news
• An overview of block ciphers
• Introduction to key distribution

Last Week...

• Networks and internetworks have become ubiquitous
• Networking allows interconnection of computers without much concern for the local OS or machine architecture
• Networking raises many serious security issues, which must be solved
• The pace of network security problem development is exceeding the pace of their solution

Security in the News

• Complexity is the enemy of security
  – You have heard this tune before!
  – Recently discovered that all (with one partial exception) products designed to perform secure file erasure fail in this task
    • Leave NTFS alternate data streams, master file table
    • NTFS is a very complex file system
    • Complete analysis difficult, often not done
    • Complexity level often beyond our control

Network Security This Week

• Have you been to MyParty?
  – Worm, written in Visual C++, looks like link to web
  – Set to spread between 1/24 and 1/29
  – Mails itself to everyone in your address book who is not infected (avoids tip-off)
  – Leaves behind backdoor Trojan Horse, Troj/Msstake-A, which could allow unauthorized access
  – Sends message to [email protected] (to track progress?)
  – Caught by Norton Antivirus 2002 (if up-to-date)
  – Forced filtering on WPI network to block it

Encryption Primer

• Cryptography = “secret writing”
• Input = plaintext
• Output = ciphertext
• Ciphertext = plaintext + key (in general)
  – Intention is that the ciphertext be unintelligible to an eavesdropper
• Two basic types of cipher
  – Symmetric
  – Asymmetric

Definitions

• Encryption
  – The process of turning plaintext into ciphertext
• Decryption
  – The process of turning ciphertext into plaintext
• Cryptanalysis
  – The process of analyzing ciphertext with the goal of recovering the plaintext, without the key

Attacks on Cryptosystems

• Ciphertext-only attack
• Known-plaintext attack
• Chosen-plaintext attack
• Adaptive-chosen-plaintext attack
• Chosen-ciphertext attack
• Chosen-key attack (rare, difficult)
• Rubber-hose cryptanalysis (common, easy)
Source: Bruce Schneier, Applied Cryptography--Second Edition, pp. 5-7

Crypto Algorithm Security

• Unconditionally secure if, no matter how much ciphertext a cryptanalyst has, there is not enough information to recover the plaintext
• Computationally secure if it cannot be broken with available resources, either current or future
Source: Bruce Schneier, Applied Cryptography--Second Edition, p. 8

Encryption

• There are many ways to render plaintext into ciphertext
• Only ONE provably secure cryptosystem
  – One-time pad
  – Secure even if pad or operator captured
  – BUT…errors can lead to decryption
  – http://www.cia.gov/csi/books/venona/preface.htm

One Time Pad


Why Use Anything Except One-time Pads?

• Speed of encipherment
• Letters vs. numbers
• Logistics
• Usability
• Error rates

Other Crypto Systems

• Substitution ciphers
  – Most famous is the Caesar cipher: monoalphabetic substitution with offset = 3
  – Children’s decoders usually in this category
• Book ciphers
• Codebooks

Problem Areas

• Languages have well-known statistics
  – E.g., “e” is most common letter in English
  – This can be exploited for cryptanalysis
  – Thus, substitution ciphers are not very secure
  – Similar problems plague book ciphers, etc.
• The only way to achieve true security is to make the ciphertext appear as random as possible

Modern Cryptography Uses Electronic Digital Systems

• Advantages:
  – Speed
  – Accuracy
  – Ability to use complex mathematics
• Disadvantages:
  – Complex equipment
  – Electronic vulnerabilities
  – Key management

Kerckhoffs’ Assumption

• Secrecy must reside solely in the key
  – It is assumed that the attacker knows the complete details of the cryptographic algorithm and implementation
• A. Kerckhoffs was a 19th century Dutch cryptographer
• Ergo, security by obscurity doesn’t work!

Symmetric Cryptography

[Figure: symmetric cryptography diagram. Labels: Alice’s message; shared private key; algorithm; Bob; shared private key; Alice’s message; “Kryptos + Grafos”.]

Cipher Example (Vernam)

• Encipher
    • Plain:  001 010 011 100
    • +key:   111 011 010 101
    • Cipher: 110 001 001 001
• Decipher
    • Cipher: 110 001 001 001
    • +key:   111 011 010 101
    • Plain:  001 010 011 100

The ciphertext is simply the plaintext added to the key, modulo 2. This is a reversible process, as seen above.

Why Does This Work?

• Cleartext is a function with known statistics, or even a deterministic function
• Key is a truly random data stream
• Sum of a random function and a non-random function is a random function
• So...crucial that the key be truly random
• This is not easy!

Vernam Cipher Weaknesses

• Two-way function
  – If any two of the inputs to the cryptographic algorithm are known, the third can be calculated
  – This allows recovery of the key if the attacker can obtain a plaintext and a ciphertext copy of the same message -- not often a hard task
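The two-way property above, worked through with the bit strings from the Vernam example slide. This is an added illustration, not part of the original lecture; the second message and all helper names are constructed for the example.

```python
# Added illustration of the two-way property; not part of the lecture.
# PLAIN and KEY are the slide's bits; SECOND is constructed for the demo.

def bits(text):
    """Parse '001 010 ...' into a list of 0/1 integers."""
    return [int(ch) for ch in text if ch in "01"]

def show(b):
    """Format a bit list in the slide's groups of three."""
    s = "".join(str(x) for x in b)
    return " ".join(s[i:i + 3] for i in range(0, len(s), 3))

def add_mod2(a, b):
    """Bitwise addition modulo 2 (XOR) of two equal-length bit lists."""
    if len(a) != len(b):
        raise ValueError("operands must have the same length")
    return [x ^ y for x, y in zip(a, b)]

PLAIN = bits("001 010 011 100")
KEY = bits("111 011 010 101")
SECOND = bits("110 110 000 111")   # constructed second message

def encipher(plain, key):
    return add_mod2(plain, key)

def decipher(cipher, key):
    return add_mod2(cipher, key)

def recover_key(known_plain, cipher):
    """Any two of plaintext, key and ciphertext yield the third."""
    return add_mod2(known_plain, cipher)

def key_reuse_demo():
    """One known plaintext/ciphertext pair exposes every message under that key."""
    c1 = encipher(PLAIN, KEY)
    c2 = encipher(SECOND, KEY)            # same key used again
    key = recover_key(PLAIN, c1)          # key = plain + cipher (mod 2)
    leaked = decipher(c2, key)            # second message, read in full
    # Even without recovering the key, c1 + c2 equals PLAIN + SECOND.
    key_cancels = add_mod2(c1, c2) == add_mod2(PLAIN, SECOND)
    return show(c1), show(key), show(leaked), key_cancels

if __name__ == "__main__":
    labels = ("cipher", "key", "second", "key cancels")
    for label, value in zip(labels, key_reuse_demo()):
        print(f"{label:12} {value}")
```

The exposure disappears only when each key stream is used for a single message, which is the one-time pad discipline described earlier in the lecture.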

Enigma

• Probably history’s most famous cipher machine
• Even today, a good cipher machine
• Capable of billions of billions of text permutations
• Codes broken!
• Depended on security by obscurity--a failure

How to Achieve Good Cryptography?

• Well-reviewed algorithms
  – So weaknesses cannot “hide” until after implementation
• Excellent key generation & management
  – To maintain secrecy of the key
• Algorithms that are sufficiently complex so as to not permit feasible exhaustive attacks

More Definitions

• Block cipher
  – Data is broken into fixed-size blocks, and encrypted a block at a time
  – Blocks are padded out if necessary
• Stream cipher
  – Data is encrypted a bit at a time, as it is presented to the encryption engine
• Most algorithms in use today are block ciphers

Feistel Ciphers: Characteristics

• Special class of iterated block ciphers
• Ciphertext calculated from plaintext by repeated application of the same transformation or round function
• Encryption and decryption are structurally identical (subkey order reversed for decryption)
• Fast, even in software implementation
• Easily analyzed (i.e., deficiencies more readily found by analysis)

Feistel Ciphers: Step by Step

• Plaintext split into two halves
• Round function f is applied to one half using a subkey
• Output of f is XOR’d with the other half of the plaintext
• Two halves are swapped
• Process repeated for n rounds
• No swap after last round

Subkey Generation

• Creating the subkeys in a Feistel cipher has a major effect on the overall security of the algorithm
  – Possible to create weak keys
  – Changes in the subkey algorithm can result in effectively different realizations of the algorithm
• DES is based on Feistel rounds, and uses a complex method of subkey generation

Importance of Feistel Ciphers

• Basis of DES, other important algorithms
  – Horst Feistel worked for IBM in 1973
  – IBM’s Lucifer algorithm, based on Feistel rounds, became the DES standard in 1977
• Many other algorithm authors have used Feistel rounds, or variants thereof, to realize block ciphers
• Feistel ciphers are not the only kind of iterative block cipher

DES: Feistel Applied

• DES: Data Encryption Standard
• Formal specification -- FIPS PUB 46-3, last affirmed 25 October 1999
  http://www.csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdf
• Describes two cryptographic algorithms
  – DES
  – TDEA (commonly referred to as 3DES)
• DES based on IBM Lucifer cipher of 1974

DES Characteristics

• 64-bit block cipher
• 56-bit key, with additional 8 bits used for error checking (odd parity on each byte)
• Four operating modes
  – Electronic Codebook (ECB)
  – Cipher Block Chaining (CBC)
  – Cipher Feedback (CFB)
  – Output Feedback (OFB)

DES Enciphering Computation

[Figure: DES enciphering computation; one Feistel round is labeled.]

Initial Permutation


Cipher Function, f(R_n, K_n)

How Can This Happen?

• Turn 32-bit plaintext into 48-bit output
• Get 32-bit output
• Add to 48-bit key?

Crypto Function Details

• E-function takes the input to the Feistel round and expands it to 48 bits
• S-boxes (for selection, usually referred to as substitution) permute bits to produce the proper output
• P-function permutes 32-bit output of the S-boxes
• Inverse permutation (IP^-1) restores bit order after the 16 Feistel rounds

E-function

P-function

S-box Example

Result over 8 S-boxes: 48 bits → 32 bits

Key Scheduling


Permuted Choice 1

C ( ) D ( )


Left Shift Schedule

NB: These are circular left shifts

Permuted Choice 2


DES Decryption

• As DES is a Feistel cipher, decryption uses the same engine as does encryption
• For decryption:
  – The DES engine is precisely the same as the encryption engine -- it is not run in reverse (e.g. with the input coming in the “bottom”)
  – Instead, the key schedule is run in reverse; i.e. the first subkey used is K_16, then K_15, etc., finishing with K_1
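The Feistel steps listed earlier and the decryption rule above, as an added example that is not from the lecture or from FIPS PUB 46-3. The round function and key schedule are hash-based stand-ins (assumptions), not DES's E/S/P functions or its permuted-choice schedule, and the initial and inverse permutations are left out.

```python
import hashlib

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def round_f(half, subkey):
    """Toy round function f (assumption): truncated SHA-256 of subkey and half.
    f need not be invertible; the Feistel structure makes the cipher invertible."""
    return hashlib.sha256(subkey + half).digest()[:len(half)]

def key_schedule(key, rounds=16):
    """Toy subkey generation (assumption): 48-bit K_1..K_n derived by hashing."""
    return [hashlib.sha256(key + bytes([i])).digest()[:6]
            for i in range(1, rounds + 1)]

def feistel(block, subkeys):
    """The one engine used for both encryption and decryption."""
    if len(block) % 2:
        raise ValueError("block must split into two equal halves")
    h = len(block) // 2
    left, right = block[:h], block[h:]
    for k in subkeys:
        # f on one half with the subkey, XOR into the other half, swap
        left, right = right, xor(left, round_f(right, k))
    # "No swap after last round": undo the swap the final iteration made
    return right + left

def encrypt(block, key):
    return feistel(block, key_schedule(key))          # K_1 ... K_16

def decrypt(block, key):
    return feistel(block, key_schedule(key)[::-1])    # K_16 ... K_1

if __name__ == "__main__":
    key = b"constructed key"                          # constructed sample key
    ct = encrypt(b"8 bytes!", key)                    # one 64-bit block
    print(ct.hex(), decrypt(ct, key))
```

Feeding the ciphertext back through `feistel` with the subkeys in encryption order does not return the plaintext; only the reversed schedule does.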

Principal DES Operating Modes-1

(FIPS PUB 81)
• Electronic Code Book (ECB)
  – Encrypts one block at a time with selected key
  – Simplest implementation of DES
  – Vulnerability: repeated plaintext can reveal key, and then all cipher blocks can be decrypted

ECB


Principal DES Operating Modes-2

(FIPS PUB 81)
• Cipher Block Chaining (CBC)
  – Input to each block is the output of the previous block XOR’d with the next plaintext block
  – Initial block XOR’d with an Initialization Vector (IV)

This approach greatly improves the security of DES against key searches

CBC


Additional DES Modes -1

(FIPS PUB 81)
• Cipher Feedback Mode (CFB)
  – previous ciphertext block encrypted and output XOR’d with plaintext block to produce current ciphertext block
  – can use feedback that is less than one full data block
  – initialization vector used as “seed” for the process

CFB


Additional DES Modes -2

(FIPS PUB 81)
• Output Feedback Mode (OFB)
  – similar to CFB mode except data XOR’d with each plaintext block is generated independently of both the plaintext and ciphertext
  – initialization vector s_0 used as “seed” for a sequence of data blocks s_i
  – each data block s_i derived from encryption of the previous data block s_(i-1)
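An added example, not from the lecture or FIPS PUB 81, contrasting where the XOR'd data comes from in full-block CFB and in OFB. `E` is a hash-based stand-in for DES encryption of one block (an assumption); both modes only ever run the block cipher in the encrypt direction, so no inverse is needed. The key, IV and messages are constructed.

```python
import hashlib

BLOCK = 8  # bytes, matching the 64-bit DES block

def E(key, block):
    """Stand-in for DES encryption of one block (assumption, not DES)."""
    return hashlib.sha256(key + block).digest()[:BLOCK]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ofb(key, iv, data):
    """OFB: s_0 = IV, s_i = E(s_(i-1)); the same call enciphers and deciphers."""
    s, out = iv, b""
    for blk in blocks(data):
        s = E(key, s)              # depends on key and IV only
        out += xor(blk, s)
    return out

def cfb_encrypt(key, iv, plain):
    """CFB: the previous ciphertext block is encrypted, then XOR'd with plaintext."""
    prev, out = iv, b""
    for blk in blocks(plain):
        prev = xor(blk, E(key, prev))
        out += prev
    return out

def cfb_decrypt(key, iv, cipher):
    prev, out = iv, b""
    for blk in blocks(cipher):
        out += xor(blk, E(key, prev))
        prev = blk
    return out

def changed_blocks(a, b):
    """Indexes of the blocks in which two equal-length byte strings differ."""
    return [i for i, (x, y) in enumerate(zip(blocks(a), blocks(b))) if x != y]

if __name__ == "__main__":
    key, iv = b"constructed key", bytes(range(BLOCK))
    p1 = b"block-0 block-1 block-2 "
    p2 = b"Block-0 block-1 block-2 "      # differs in the first byte only
    print("OFB:", changed_blocks(ofb(key, iv, p1), ofb(key, iv, p2)))
    print("CFB:", changed_blocks(cfb_encrypt(key, iv, p1), cfb_encrypt(key, iv, p2)))
```

A change in the first plaintext block alters only the first ciphertext block under OFB, but every later block under CFB, because the CFB data stream is fed by the ciphertext.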

OFB


Importance of DES

• Ubiquitous, U.S. federal standard
• When standardized, 56-bit key made cipher computationally secure
  – This is no longer the case
  – DES has been broken using brute force attacks in 56 hours, using recycled computer boards costing less than $250,000 (July 15, 1998)
• Immediate fix: Triple Data Encryption Algorithm (or Triple DES, 3DES)

TDEA

[Figure: TDEA encryption and decryption.]

TDEA Realities

• Two keying options
  – Three separate keys (as shown on previous slide)
  – Two keys; E_K1 = E_K3
  – Resultant key lengths of 168 or 112 bits
• For mathematical reasons we won’t go into here, 3-key TDEA is only about twice as secure as DES, not 3 times as secure
• Implemented in hardware, 3-key TDEA can achieve throughputs approaching 1 Gbps

TDEA Advantages

• Thoroughly analyzed, unlikely to have any hidden vulnerabilities
• Much less vulnerable to brute force attack than DES
• Can be implemented in silicon, with very fast throughput

TDEA Disadvantages

• Algorithm produces slow software implementations
• Limited to 64-bit block size
• Trebles the key distribution problem of DES

AES: The Next Generation

• Advanced Encryption Standard (FIPS PUB 197)
  – Established to counter weaknesses of DES
  – Based on Rijndael algorithm
    • Joan Daemen and Vincent Rijmen, Belgians, authors
  – U.S. standard adopted Nov. 26, 2001
  – Becomes effective May 26, 2002
  – Key lengths of 128, 192, and 256 bits
  – Block size of 128 bits
    • In AES; Rijndael itself allows for other sizes

Rijndael Structure

• Rijndael is not a Feistel cipher; rather, it uses substitution boxes
• “...typically part of the bits of the intermediate state are simply transposed unchanged to another position”
• “...[each] round transformation is composed of three distinct invertible uniform transformations”

AES’ Future

• Clearly intended to replace DES & TDEA
• Designed for efficient software implementation
• Not yet as thoroughly analyzed as DES
• Expect implementations on the market this year
• Probably a long coexistence of TDEA & AES

Key Types

• Permanent
  – Used for a fixed, prearranged period of time
  – Typically used for applications such as key distribution, government communications, etc.
• Session
  – Valid only for current communications session
  – Destroyed after session terminates

Key Distribution Problem

• Secret keys must be prepositioned at all locations before secure communications can occur.
• How to do this?
  – Secure physical transport
  – Secure electronic transport
• The search for a way to accomplish this led to the development of public key cryptography, which we will study next class

Summary -1

• Symmetric key cryptography uses one key, shared by all users of the cipher
• There are many weaknesses to basic crypto algorithms like the Vernam cipher
• Feistel ciphers provide a more complex algorithm that permits iterative encryption
• Feistel cipher decryption uses same process as encryption, making process simpler

Summary - 2

• Block ciphers are widely used
• Most commonly used block cipher today is TDEA, operating in one of 4 modes
• TDEA is limited by 64-bit block and key size, provides poor software implementation
• AES chosen to replace TDEA
• Should be several years of coexistence

Homework

• Read Chapter 3 sections 3.3, 3.4, 3.6
• Do following exercises from text:
  – 2.1a,b
  – 2.4
  – 2.5
  – 2.7