ECE 746 Secure Telecommunication Systems
Course web page: http://ece.gmu.edu/courses/ECE746
Sequence of the ECE cryptography-related courses
• ECE 646 Cryptography and Computer Network Security – every Fall
• ECE 746 Secure Telecommunication Systems – Spring or Fall
• ECE 645 Computer Arithmetic – every Spring

ECE 746 is part of:
• MS in CpE – Network and System Security (required course), Computer Networks (elective)
• MS in EE – Communications (elective)
• MS in ISA
• PhD in ECE (elective)
• PhD in IT
• Certificate in Information Systems Security
• Certificate in Communications and Networking

NETWORK AND SYSTEM SECURITY
Concentration advisor: Kris Gaj
1. ECE 542 Computer Network Architectures and Protocols – S.-C. Chang, et al.
2. ECE 646 Cryptography and Computer Network Security – J-P. Kaps, K. Gaj – lab, project (C/C++, VHDL, or analytical)
3. ECE 746 Secure Telecommunication Systems – K. Gaj, D. Hwang – lab, project (C/C++, VHDL, or analytical)
4. ISA 666 Internet Security Protocols – R. Sandhu

Distribution of students as of August 29, 2006
• Ph.D. in IT: 5
• MS in ISA: 1
• MS in CpE: 9
• MS in EE: 4

Kris Gaj
Research and teaching interests:
• cryptography
• network security
• computer arithmetic
• FPGA & ASIC design
Contact: Science & Technology II, room 223; [email protected], [email protected]; (703) 993-1575
Office hours: Wednesday, Thursday 7:30-8:30 PM and by appointment

ECE 746 – Grading
Lecture:
• Homework – 20 %
• Midterm exam 1 (in class) – 20 %
• Midterm exam 2 (take-home) – 10 %
Laboratory – 10 %
Project – 40 %:
• Specification – 5 %
• Results – 12 %
• Oral presentation – 10 %
• Written report – 8 %
• Review – 5 %

Lecture
• viewgraphs / chalk & blackboard
• viewgraphs (please extend them with your notes)
• books – 2 required
• articles (CryptoBytes, CHES, CRYPTO, etc.)
• web sites – Crypto Resources: standards, FAQs, surveys

Homework
• reading assignments
• analytical problems
• theoretical problems (may require basics of number theory or probability theory)
• problems from the main textbook
• short programs
• literature surveys

Midterm exams
• multiple choice test + short problems
• practice exams available on the web
• midterm exam review session – optional
Tentative dates:
• Exam 1: November 1
• Exam 2: Sunday, December 10 (take-home)

Lecture topics (1) – ALGORITHMS
1. Contest for the new Advanced Encryption Standard
2. Rijndael – AES
3. Groups, rings, and fields
4. Stream ciphers
5. Review of public key cryptography
6. Elliptic curve cryptosystems

Lecture topics (2) – IMPLEMENTATIONS
7. Smart cards
8. Side channel attacks
9. Security requirements for cryptographic modules – FIPS 140-2

Lecture topics (3) – KEY MANAGEMENT
10. Random bit generators
11. Secret sharing

Lecture topics (4) – SELECTED SECURITY PROTOCOLS
12. Survey of security protocols: SSL, IPSec, IEEE 802.11

Lecture topics (5) – ZERO KNOWLEDGE & BIOMETRICS
13. Zero-knowledge identification schemes
14. Biometrics

Laboratory
• 3-4 labs
• done at home or in the ECE labs; software downloaded from the web
• based on detailed instructions
• grading based on written reports

"Typical" course difficulty
(Figure: difficulty as a function of time for a "typical" course and for this course; the labeled points of this course are Stream ciphers, ECC, DPA, and IPSec.)

Project (1)
• depth, originality
• based on additional literature
• you can start at the point where former students ended
• based on something you know and are interested in
• teams of 1-3 students
• software / hardware / analytical
• may involve experiments
• over 15 project topics suggested by the instructor
• you may propose your own topic

Project (2)
• about four weeks to choose a topic and write the specification
• regular meetings with the instructor / 3 oral progress reports
• draft version of viewgraphs due December 6, 7
• discussion of draft reports and viewgraphs
• draft version of final reports due December 12
• final presentations, Monday, December 18
• final written reports due Monday, December 18
• publication of reports and viewgraphs on the web

Final Project Report
Initial submission: paper for review
• 15 pages, not counting the title page and the list of references
• 11 pt font, Times New Roman or equivalent
• title page = title, authors, abstract
• figures included in the text
Final submission: camera-ready copy
• IEEE format
• published on the web

Project Report Reviews
• detailed evaluation form published on the web
Reviews evaluated by the instructor based on:
• justification of evaluation scores
• mistakes found (and those overlooked)
• constructive suggestions
• fairness

Project Types
• Software – program in a high-level language (C, C++, Java) or assembly language
• Hardware – behavioral model in HDL (VHDL, Verilog) mapped into FPGA or ASIC, verified using timing simulation
• Analytical – literature survey; comparative analysis of competing algorithms, protocols, or implementations

IMPORTANT RULE!!!
MS CpE and MS EE students MUST choose implementation-oriented projects, i.e. Software, Hardware, or Hybrid SW/HW

Software

Project topics – Software
Educational software for a cryptographic laboratory
KRYPTOS OPEN SOURCE PROJECT – http://www.kryptosproject.org/
Prerequisites: C/C++
Idea: develop extensions to the existing GMU educational software for teaching cryptography – KRYPTOS
Examples of tasks:
• provide a choice of the underlying library – currently only Crypto++; faster libraries are available but are more difficult to integrate
• statistical tests for randomness of input, output, and intermediate results

Comparative Analysis of Software Multi-precision Arithmetic Libraries for Public Key Cryptography
Ashraf AbuSharekh, MS Thesis, April 2004
(Figure: GMP, NTL, LiDIA, CLN, OpenSSL, MIRACL, PIOLOGIE, and Crypto++ positioned by performance, low to high, against support for primitives and schemes, low to high.)

Statistical Tests for Randomness
• multiple tests for randomness available
• public domain implementations of selected tests exist:
  – NIST Statistical Test Suite
  – DIEHARD battery of randomness tests by Prof. Marsaglia from Florida State University
• no clear consensus on which tests should be used for testing true and pseudorandom number generators
• NIST standard in the initial stage of development

Projects – Software
Timing attacks against public key cryptosystems
• timing cryptanalysis of RSA and ECCs implemented using public-domain libraries of operations on large integers
• initial implementation developed by Kevin Magee as a part of ECE 746 & scholarly paper
(Figure: timing attack setup; labels: Key, Messages.)

Projects – Software
Cache attacks against secret key cryptosystems
• the attack is based on the different access times of the different levels of memory (L1 cache, L2 cache, RAM, disk)
• the attack breaks practical implementations of AES, DES, etc. within several hours
• SW implementation by Prof. Daniel Bernstein, UIC
• initial analysis by one of the GMU students
(Figure: array accessed at addr1 and addr2 with different access times.)

Project topics – Software
Generating large primes for cryptographic applications
Prerequisites: C/C++ or Java
Assumptions:
• AKS and Frobenius-Grantham algorithms
• previous-semester implementations in C++ and Java are inefficient
• better mathematical analysis required
• better choice of library functions needed
• timing measurements for various prime sizes
• comparative analysis

Project topics – Software
Factoring of large numbers using the Number Field Sieve
Prerequisites: C/C++
Assumptions:
• based on the multi-precision arithmetic library GMP
• multiple C codes already exist and should be used for this project
• optimizations for maximum speed
• close collaboration with the GMU factoring team
• interesting experiments with hard to predict results

GMU Factoring Team
Mathematicians / Cryptographers:
• Soonhak Kwon – Ph.D. in Mathematics, Johns Hopkins University, Maryland, U.S.; visiting professor at GMU on leave from Sungkyunkwan University, Suwon, Korea
• Patrick Baier – D.Phil. in Mathematics, Oxford University, Oxford, U.K.; affiliated with George Washington University
Software experiments:
• Paul Kohlbrenner – Ph.D. student, ECE Department, George Mason University, Virginia, U.S.
Hardware design:
• Hoang Le, Ramakrishna Bachimanchi, Khaleeluddin Mohammed – MS in Computer Engineering students, ECE Department, George Mason University, Virginia, U.S.A.

Number Field Sieve (NFS) – target: 200-250 bit numbers
1. Polynomial Selection
2. Relation Collection: Sieving, Smoothness testing
3. Linear Algebra
4. Square Root

Smoothness testing within NFS
• Trial Division – to get factors up to $2^{10}$
• Rho Method (one round) – to get factors up to $2^{20}$
• p-1 Method (one round) – to get factors up to $2^{30}$
• ECM = Elliptic Curve Method (multiple rounds) – to get factors up to $2^{40}$

Rho Algorithm – Floyd's Method
$f(x) = x^2 + a$ with $a \notin \{-2, 0\}$
Number of iterations $t < 100\sqrt{q_{\max}}$ ($q_{\max}$ is the maximum factor we can find with the Rho method).
We choose a random $x_0$ in the range $(0, N-1)$ and $x_1 = f(x_0)$. Floyd's method keeps two copies of the sequence, one advanced by one step and one by two steps per iteration ($x_{i+1} = f(x_i)$, $x_{2i+2} = f(f(x_{2i}))$), and multiplies the differences into $d$ instead of computing a gcd at every step:
$d = 1$
$d = d \cdot (x_2 - x_1)$
$d = d \cdot (x_4 - x_2)$
$d = d \cdot (x_6 - x_3)$
…
$d = d \cdot (x_{2i} - x_i)$
$d = d \cdot (x_{2i+2} - x_{i+1})$
…
$d = d \cdot (x_{2t} - x_t)$
$q = \gcd(d, N)$
(Without optimization)

Platforms
• SRC 6 from SRC Computers with 4 Virtex II FPGAs – http://www.srccomputers.com/
• COPACOBANA from Ruhr University of Bochum, Germany, with 120 Spartan 3 FPGAs – http://www.copacobana.org

Example of an experiment: percentage of 200-bit numbers factored as a function of the number of runs of the Elliptic Curve Method

Interesting subtask: generation of truly random numbers with known factorization
Two known methods, by:
• Kalai
• Bach
Trade-offs in terms of:
• difficulty of implementation
• expected running time
Task: efficient implementation and comparison in terms of:
• development time
• running time
• randomness of generated numbers

Project topics – Software
• Efficient implementation of Elliptic Curve Cryptosystems over binary Galois Fields GF($2^m$) in polynomial bases, based on special polynomials (trinomials and pentanomials)
• Efficient implementation of Elliptic Curve Cryptosystems over binary Galois Fields GF($2^m$) in normal bases

Elliptic Curve Cryptosystems – ECC
• a true alternative to RSA
• several times shorter keys
• fast and compact implementations, in particular in hardware
• a family of cryptosystems, instead of a single cryptosystem

Hierarchy of operations in the implementation of Elliptic Curve Cryptosystems
• Level 4 – Elliptic Curve Cryptosystems
• Level 3 – scalar multiplication: $k \cdot P$
• Level 2 – elliptic curve point operations: point addition $P + Q$, point doubling $2P$
• Level 1 – field operations: multiplication $x \cdot y$, squaring $x^2$, inversion $x^{-1}$, addition/subtraction $x \pm y$
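The two stages of the smoothness test described above (trial division for factors up to $2^{10}$, then one round of the Rho method with Floyd's cycle finding and the accumulated product $d$), together with Kalai's method for generating random numbers with known factorization from the subtask above, as an added worked example in Python. It is not the GMU factoring team's code: the thresholds, $f(x) = x^2 + a$ with $a \notin \{-2, 0\}$ and the step budget $t < 100\sqrt{q_{\max}}$ follow the slides, while the batch size of 64 steps per gcd, the fixed-base Miller-Rabin primality test, the seed and the function names are this example's own choices. Bach's method is not implemented.

```python
"""Added example: the slides' smoothness test (trial division, then one round of Pollard's
rho with Floyd's cycle finding and the batched product d) and Kalai's random factored
numbers.  Thresholds follow the slides; the code is not the GMU factoring team's."""
import random
from math import gcd, prod

TRIAL_BOUND = 1 << 10   # stage 1: trial division is meant to find factors up to 2^10
RHO_BOUND = 1 << 20     # stage 2: one round of rho is meant to find factors up to 2^20
BASES = (2, 3, 5, 7, 11, 13, 17)   # Miller-Rabin bases, deterministic for n < 3.4e14

def is_probable_prime(n):
    """Miller-Rabin with the fixed bases above (enough for the 2^40 numbers used here)."""
    if n in BASES:
        return True
    if n < 2 or any(n % p == 0 for p in BASES):
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def trial_division(n, bound=TRIAL_BOUND):
    """Divide out every prime factor below `bound`; return (factors found, cofactor)."""
    factors, p = [], 2
    while p < bound and p * p <= n:
        while n % p == 0:
            factors.append(p)
            n //= p
        p += 1 if p == 2 else 2
    return factors, n

def _step(x, y, a, n):
    """One Floyd iteration: x advances one step, y two (x_i and x_2i on the slides)."""
    x = (x * x + a) % n
    y = (y * y + a) % n
    return x, (y * y + a) % n

def pollard_rho(n, q_max=RHO_BOUND, batch=64, rng=None):
    """One round of rho: f(x) = x^2 + a with a not in {-2, 0}, t < 100*sqrt(q_max) steps,
    d = d * (x_2i - x_i) mod n, and gcd(d, n) taken only once per `batch` steps."""
    rng = rng or random.Random(746)          # fixed seed keeps the example reproducible
    t_max = int(100 * q_max ** 0.5)
    for a in range(1, 20):                   # fresh constant a after each failure
        x = y = rng.randrange(1, n)          # x_0 in (0, n-1)
        d, saved = 1, (x, y)
        for step in range(1, t_max + 1):
            x, y = _step(x, y, a, n)
            d = d * (y - x) % n
            if step % batch and step != t_max:
                continue
            g = gcd(d, n)
            if 1 < g < n:
                return g
            if g == n:                       # product collapsed to 0 mod n: replay the
                x, y = saved                 # batch with one gcd per step
                for _ in range(batch):
                    x, y = _step(x, y, a, n)
                    g = gcd(y - x, n)
                    if g > 1:
                        break
                if 1 < g < n:
                    return g
                break                        # x_2i == x_i (g == n): try the next a
            d, saved = 1, (x, y)
    return None

def smooth_part(n):
    """Stages 1-2 of the slides' test: (sorted prime factors found, unfactored leftover)."""
    factors, rest = trial_division(n)
    queue, leftover = ([rest] if rest > 1 else []), 1
    while queue:
        m = queue.pop()
        if is_probable_prime(m):
            factors.append(m)
        elif (g := pollard_rho(m)) is None:
            leftover *= m                    # rho gave up; p-1 and ECM would come next
        else:
            queue += [g, m // g]
    return sorted(factors), leftover

def kalai_random_factored(N, rng=None):
    """Kalai: draw N >= s_1 >= s_2 >= ... >= 1 with s_{i+1} uniform on [1, s_i]; r is the
    product of the prime s_i (with multiplicity); accept r <= N with probability r / N.
    The accepted r is uniform on [1, N] and its factorization comes for free."""
    rng = rng or random.Random(746)
    while True:
        primes, s = [], N
        while s > 1:
            s = rng.randint(1, s)
            if is_probable_prime(s):
                primes.append(s)
        r = prod(primes)
        if r <= N and rng.randint(1, N) <= r:
            return r, sorted(primes)

def round_trip(N, seed=746):
    """The slides' experiment in miniature: generate, refactor, compare."""
    r, known = kalai_random_factored(N, random.Random(seed))
    return smooth_part(r) == (known, 1)
```

Batching the gcd is the optimization the diagram hints at: a multi-precision gcd costs far more than a modular multiplication, so taking it every 64 steps instead of every step makes the product $d$ the dominant cost; the price is the rare collapse to $d \equiv 0 \pmod N$, which the replay path recovers from. For numbers up to $2^{40}$ any composite cofactor left after trial division has a prime factor below $2^{20}$, so the round trip succeeds in practice; for NFS-sized cofactors the leftover would be passed on to the p-1 and ECM stages.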
Finite Fields = Galois Fields GF($p^m$)
• p – prime; $p^m$ – number of elements in the field
• GF(p) – arithmetic operations present in many libraries
• GF($2^m$) – the most significant special case:
  – polynomial basis representation
  – normal basis representation: fast in hardware, fast squaring

Basic operations of ECC
Basic operations in the Galois Field GF($2^m$):
• addition and subtraction: $x + y$, $x - y$ (XOR)
• multiplication, squaring: $x \cdot y$, $x^2$
• inversion: $x^{-1}$
Basic operations on points of an Elliptic Curve:
• addition of points: $P + Q$
• doubling a point: $2P$
Complex operations on points of an Elliptic Curve:
• scalar multiplication: $k \cdot P = P + P + \dots + P$ (k times)

Elements of the Galois Field GF($2^m$)
Binary representation (used for storing and processing in computer systems):
$A = (a_{m-1}, a_{m-2}, \dots, a_2, a_1, a_0)$, $a_i \in \{0, 1\}$
Polynomial representation (used for the definition of basic arithmetic operations):
$A(x) = \sum_{i=0}^{m-1} a_i x^i = a_{m-1}x^{m-1} + a_{m-2}x^{m-2} + \dots + a_2x^2 + a_1x + a_0$
with coefficient multiplication and addition modulo 2 (addition = XOR)

Addition and Multiplication in the Galois Field GF($2^m$)
Inputs: $A = (a_{m-1}, a_{m-2}, \dots, a_2, a_1, a_0)$, $B = (b_{m-1}, b_{m-2}, \dots, b_2, b_1, b_0)$, $a_i, b_i \in \{0, 1\}$
Output: $C = (c_{m-1}, c_{m-2}, \dots, c_2, c_1, c_0)$, $c_i \in \{0, 1\}$

Addition in the Galois Field GF($2^m$)
$C(x) = A(x) + B(x) = (a_{m-1} + b_{m-1})x^{m-1} + (a_{m-2} + b_{m-2})x^{m-2} + \dots + (a_2 + b_2)x^2 + (a_1 + b_1)x + (a_0 + b_0) = c_{m-1}x^{m-1} + c_{m-2}x^{m-2} + \dots + c_2x^2 + c_1x + c_0$
with coefficient addition modulo 2 (XOR): $c_i = a_i + b_i = a_i \oplus b_i$, i.e. $C = A \text{ XOR } B$

Multiplication in the Galois Field GF($2^m$)
$C(x) = A(x) \cdot B(x) \bmod P(x) = c_{m-1}x^{m-1} + c_{m-2}x^{m-2} + \dots + c_2x^2 + c_1x + c_0$
P(x) – irreducible polynomial of degree m:
$P(x) = p_m x^m + p_{m-1}x^{m-1} + \dots + p_2x^2 + p_1x + p_0$

Galois Field Operation – Multiplication
Special polynomials
Inputs: A(x), B(x)
Output: $C(x) = A(x) \cdot B(x) \bmod P(x)$
P(x) – irreducible constant polynomial of degree m:
$P(x) = x^m + x^k + 1$ (trinomial) or $P(x) = x^m + x^{k_1} + x^{k_2} + x^{k_3} + 1$ (pentanomial), depending on m.
$k, k_1, k_2, k_3$ are chosen to be as small as possible to simplify calculations.
General polynomials
Inputs: A(x), B(x), P(x)
Output: $C(x) = A(x) \cdot B(x) \bmod P(x)$
P – variable: $P(x) = p_m x^m + p_{m-1}x^{m-1} + \dots + p_1x + p_0$

5 Special Field Polynomials Recommended by NIST
$P_{163}(x) = x^{163} + x^7 + x^6 + x^3 + 1$
$P_{233}(x) = x^{233} + x^{74} + 1$
$P_{283}(x) = x^{283} + x^{12} + x^7 + x^5 + 1$
$P_{409}(x) = x^{409} + x^{87} + 1$
$P_{571}(x) = x^{571} + x^{10} + x^5 + x^2 + 1$
An irreducible trinomial or pentanomial exists for every field degree m < 10,000.

Problem: known libraries do not support operations using special polynomials (trinomials, pentanomials).
Project: implement and optimize Galois Field operations using special polynomials (C/C++, possibly assembly language) and compare the results against several major libraries and public domain implementations. Implement selected ECC schemes based on the optimized library.

Hardware

Project topics – Hardware
Implementation of selected candidates competing in the eSTREAM contest for the stream cipher standard
Prerequisites: VHDL or Verilog, FPGA or semi-custom ASIC design
Assumptions:
• design in a hardware description language at the RTL level
• optimization for maximum speed, minimum area, or minimum power
• verification using available tools
• logic synthesis to the gate/standard cell level
• static timing analysis and timing simulation
• possible experimental testing using the SRC reconfigurable computer

Contest for the new stream cipher standard
PROFILE 1
• stream cipher suitable for software implementations optimized for high speed
• key size – 128 bits
• initialization vector – 64 bits or 128 bits
PROFILE 2
• stream cipher suitable for hardware implementations with limited memory, number of gates, or power supply
• key size – 80 bits
• initialization vector – 32 bits or 64 bits

Contest for the new stream cipher standard – schedule
• November 2004 – request for proposals
• 29 April 2005 – deadline for submissions
• 26-27 May 2005 – Stream Cipher Workshop, Denmark
• March 2006 – end of Phase I
• September 2007 – end of Phase II
• January 2008 – final report
http://www.ecrypt.eu.org/stream/

Project topics – Software
Implementation of selected candidates competing in the eSTREAM contest for the stream cipher standard in:
• assembly language
• Java
Comparison with the optimized C implementations submitted by the authors of the algorithms.

Project topics – Hardware
Implementation of a selected new mode of operation of a secret-key cipher providing both encryption and authentication (e.g., GCM, CCM, OCB, EAX)
Initial work: Milind Parelkar, Authenticated-Encryption in Hardware, MS Thesis, ECE Department, GMU, Dec. 2005.
Prerequisites: VHDL or Verilog, FPGA or semi-custom ASIC design
Assumptions:
• design in a hardware description language at the RTL level
• optimization for maximum speed, minimum area, or minimum power
• verification using available tools
• logic synthesis to the gate/standard cell level
• static timing analysis and timing simulation

Project topics – Hardware
Critical analysis of the existing implementations of AES
Prerequisites: basic understanding of hardware and of FPGA and ASIC design technologies
• there exist easily over 20 different academic and commercial implementations of AES in hardware
• limited number of distinctly different architectures and implementation tricks
• analyze and compare existing implementations, determine which factors most influence the performance of a given implementation, and determine how implementations can be fairly compared against each other

Kinds of Random Number Generators
• True Random Number Generator (TRNG) – looks random, unpredictable, cannot be reproduced
• Cryptographically Secure Pseudo Random Number Generator (CSPRNG) – looks random, unpredictable
• Pseudo Random Number Generator (PRNG) – looks random

Analysis of existing implementations of True Random Number Generators
• internal vs. external
• hardwired vs. soft
• source of randomness
• principle for extracting randomness
• speed
• interface to user logic
• production test
• runtime test
• self-test
• validation/certificate
• reproducibility
• resistance to attacks

Analysis of countermeasures against side-channel attacks based on power analysis
(Figure: power trace showing the 16 rounds of DES.)
DPA – Differential Power Analysis: the most successful practical attack against implementations of cryptography. Existing countermeasures offer limited protection.

Analytical
Preferred topics related to your:
• Ph.D. research
• MS Thesis
Examples of analytical projects related to this class:
1. Evolution of protocols and products for Secure Wireless Communication: algorithms, modes of operation, key management, etc.
2. Certification of cryptographic modules according to FIPS 140-2 and/or Common Criteria – case study of FPGA-based products and/or smart cards
3. Survey of patents related to cryptographic algorithms and their implementations
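Returning to the Galois-field project topic above (Level 1 of the ECC hierarchy: addition, multiplication, squaring and inversion in GF($2^m$) in polynomial basis, with reduction by the five NIST trinomials and pentanomials), the following Python is an added worked example. It is neither course material nor code from any of the libraries named on the slides; the class name BinaryField, the NIST_FIELDS table, the self_check routine and the tiny GF($2^4$) field with $P(x) = x^4 + x + 1$ used as a hand-checkable case are this example's own. Field elements are Python integers whose bit i is the coefficient $a_i$ of $x^i$, exactly the binary representation on the slides.

```python
"""Added example: Level 1 of the ECC hierarchy, GF(2^m) arithmetic in polynomial basis
with reduction by the NIST trinomials / pentanomials.  Not course or library code;
a field element is a Python int whose bit i is the coefficient a_i of x^i."""


class BinaryField:
    """GF(2^m) defined by P(x) = x^m + x^k1 + ... + 1, with the k's given in `taps`."""

    def __init__(self, m, taps):
        self.m, self.taps = m, taps
        self.low = 1                      # P(x) minus its leading term x^m, as a bitmask
        for k in taps:
            self.low |= 1 << k

    def add(self, a, b):
        """Coefficient-wise addition mod 2 is XOR; subtraction is the same operation."""
        return a ^ b

    def reduce(self, c):
        """Reduce any polynomial modulo P(x): x^m = (low terms), so each leading bit is
        cleared with 2 (trinomial) or 4 (pentanomial) XORs.  This is the saving that
        makes the special NIST polynomials cheaper than a general P(x)."""
        m, low = self.m, self.low
        while c >> m:
            deg = c.bit_length() - 1
            c ^= (1 << deg) | (low << (deg - m))
        return c

    def mul(self, a, b):
        """Bit-serial shift-and-add multiplication (product of degree < 2m), then reduce."""
        c = 0
        while b:
            if b & 1:
                c ^= a
            a, b = a << 1, b >> 1
        return self.reduce(c)

    def square(self, a):
        """Squaring is GF(2)-linear: (sum a_i x^i)^2 = sum a_i x^(2i), then reduce."""
        c = 0
        for i in range(a.bit_length()):
            if (a >> i) & 1:
                c |= 1 << (2 * i)
        return self.reduce(c)

    def inverse(self, a):
        """a^-1 = a^(2^m - 2) by Fermat; the exponent is 11...10 in binary, so m-1
        rounds of square-then-multiply followed by one final squaring."""
        if a == 0:
            raise ZeroDivisionError("0 has no inverse in GF(2^m)")
        r = 1
        for _ in range(self.m - 1):
            r = self.mul(self.square(r), a)
        return self.square(r)


# The five special polynomials recommended by NIST, as listed on the slides
NIST_FIELDS = {
    163: BinaryField(163, (7, 6, 3)),
    233: BinaryField(233, (74,)),
    283: BinaryField(283, (12, 7, 5)),
    409: BinaryField(409, (87,)),
    571: BinaryField(571, (10, 5, 2)),
}


def self_check(field, a, b):
    """Identities a new field implementation must satisfy for arbitrary nonzero a, b:
    commutativity, squaring vs. multiplication, a * a^-1 = 1, and distributivity."""
    return (field.mul(a, b) == field.mul(b, a)
            and field.square(a) == field.mul(a, a)
            and field.mul(a, field.inverse(a)) == 1
            and field.mul(field.add(a, b), b)
                == field.add(field.mul(a, b), field.square(b)))
```

The bit-serial multiplier and the Fermat inversion are written for clarity; an optimized project library would use word-level (comb) multiplication, table-driven squaring and an extended-Euclidean or Itoh-Tsujii inversion. Note also that `mul` branches on the bits of `b` and `reduce` loops a data-dependent number of times, which is exactly the kind of key-dependent timing the side-channel topics of this course exploit; a production implementation would make these operations constant-time.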