Transcript Document 7286450

Lecture 1: Cryptography for Network Security
Anish Arora
CSE5473
Introduction to Network Security
Symmetric encryption
Symmetric encryption requirements
•
two requirements for secure use of symmetric encryption:
 a strong encryption algorithm
 a secret key known only to sender / receiver
y= S ‹x›
x= S ‹y›
in notation of book :
Y = EK(X)
X = DK(Y)
•
assume encryption algorithm is known
•
implies a secure channel to distribute key
Block versus stream ciphers
•
block ciphers divide messages into blocks, each is then
en/decrypted





•
like a substitution on very big characters
64-bits or more
would need table of 264 entries for a 64-bit block
instead create from smaller building blocks
using idea of a product cipher
o
substitution (S-box) provides confusion
o
permutation (P-box) provides diffusion
stream ciphers process messages a bit or byte at a time
 typically have a (pseudo) random stream key
Block versus stream ciphers … contd
 key should satisfy
o
statistical uniformity: of distribution of numbers in sequence
o
unpredictability: of successive members of sequence
 randomness of key destroys statistical properties in
message
 but must not reuse stream key
 e.g. RC4 used in SSL and WEP
•
•
many current ciphers are block ciphers
many symmetric block ciphers use Feistel Cipher
Structure
Pseudo random functions (PRFs)
•
A pseudo random function is an
 efficiently computable function
 that emulates a random oracle
 and there is no efficient algorithm for distinguishing a PRF
function, chosen randomly from its PRF family, from a
random oracle
•
Random oracle is a function that responds to every query
with a random response from its range
 note that response is deterministic
 note that it is impossible to implement a random oracle
•
Main property of PRF:
 all its outputs appear to be random
 assuming function is chosen in random
Pseudo random generators (PRGs)
•
PRFs should not be confused with PRGs
•
Main property of PRG
 a single output of a PRG appears to be random
•
Cryptographically secure (CS) PRGs are used for
generating a pool of randomness
 for selecting keys, seeds, nonces, one-time pads
 sources of physical randomness may suffice
 geiger counters, thermal noise measurement
 observing random activity on keyboard or screen
 CSPRGs can be constructed using crypto primitives, or
number theoretically
•
PRFs can be generated from PRGs
Fesitel schema for symmetric encryption
•
Overall processing at each iteration: use two 32-bit halves L and R
•
Li = Ri-1
•
Ri = Li-1  F(Ri-1, Ki)
Data Encryption Standard (DES)
•
A widely used symmetric encryption scheme
•
Algorithm is referred to as Data Encryption Algorithm (DEA)
•
DES is a block cipher
•
Plaintext is processed in 64-bit blocks
•
Key is usually 56-bits in length
•
n rounds, in each
•

every block first undergoes key-based substitution

then all blocks are collated and undergo key-based permutation
Easy in hardware, slow in software

selection of block size, key size, #rounds, round function, subkey
generation scheme trades off security vs speed
The function F in DES
•
takes 32-bit R half & 48-bit subkey and:
•
expands R to 48-bits using perm E
•
adds to subkey
•
passes through 8 S-boxes to get 32-bit result
•
finally permutes this using 32-bit perm P
DEA
Decryption runs
backward
DES History
•
IBM developed Lucifer cipher


by team led by Feistel
used 64-bit data blocks with 128-bit key
•
Then redeveloped as a commercial cipher with input from NSA & others
•
In 1973, NBS issued request for proposals for a national cipher standard
•
IBM submitted their revised Lucifer which was eventually accepted as the DES
•
DES standard is public
•
But there has been considerable controversy over design


in choice of 56-bit key (vs original Lucifer 128-bit)
and because design criteria were classified
Breaking DES
Concerns about DEA
•
Key length of only 56-bits is insufficient
•
Even with larger keys, breaking is feasible if you have
 known plaintext or have repeated encryptions
 generally these are statistical attacks
 access to timing or power consumption information
 use knowledge of implementation to derive subkey bits
 exploit fact that calculations take varying times based on input value
 particularly problematic on smartcards
Weaknesses in DES
•
DES has Weak and Semi-Weak Keys: The round key
construction is such that
 Any key comprising All 0s, All 1s, Alternating 0s and 1a, or
Alternating 1s and 0s is its own inverse (these are the 4
weak keys)
 The set of keys composed of two halves each of the above
sorts is such that each key has an inverse in this set (these
are 12 semi-weak keys)
•
Complement key property means that brute force search
for DES is of complexity 255, not 256
DES Electronic Code Book
•
•
In encryption via ECB, repeated 64-bit blocks are identically
encrypted
ECB attackers who know the data structure (e.g. fields such as
salary) can reorder blocks while preserving structure
Cipher Block Chaining
•
•
•
To overcome ECB weakness, add (i.e. XOR) a random
number to each 64-bit block being encrypted, and
additionally communicate the random number in the clear
This is inefficient
Approximation: only communicate the initial random
number, and derive the successive random numbers from
the previously encrypted message
 Initial random number is called the initialization vector
 Default IVs, such as All Zeroes, can be used, but is insecure
for repeated transmissions of the same message sequence
Cipher Block Chaining
A CBC threat
•
If message structure is known, intruder can systematically
ensure that a modified message is delivered, by changing the
previous ciphertext
 but then the previous plaintext is deciphered in a way not controlled by
intruder
•
An alternative to CBC is the Counter Mode (CTR):
precompute encryptions of a counter value and XOR with
successive messages (this method enjoys parallelism)
 to avoid reusing the same sequence of precomputed encryptions, prefix a
nonce (which is made public) to the counter value sequence
 note: message blocks are not encrypted, just XOR-ed, unlike CBC mode
Multiple DES, 3DES
•
Two successive encryptions with different keys are better than
one 56 bit key

E2.E1 to encrypt and D2.D1 to decrypt

Combinatorially, two keys yields more permutations than those
possible with one key

However, meet-in-the-middle cryptanalysis reduces complexity of
attack to 256, so net improvement is not large
•
3DES uses two keys: E1.D2.E1 to encrypt and D1.E2.D1 to decrypt
or three keys: E3.D2.E1 to encrypt and D3.E2.D1 to decrypt
Other symmetric block ciphers
•
•
Blowfish
 Easy to implement
 High execution speed
 Run in less than 5K of memory
 Uses a 32 to 448 bit key
RC5
 Suitable for hardware and software
 Fast, simple, but proprietary
 Adaptable to processors of different word lengths
 Variable number of rounds
 Variable-length key
 Low memory requirement
 High security
 Data-dependent rotations
AES
•
•
AES, Elliptic Curve, IDEA, Public Key cryptography concern
numbers & finite fields
US NIST issued call for ciphers in 1997
 15 candidates accepted in Jun 98
 5 were shortlisted in Aug 99
 Rijndael was selected as the AES in Oct 2000
 issued as a standard in Nov 2001
•
Symmetric block cipher, 128-bit data, 128/192/256-bit keys
 provide full specification & design details
 both C & Java implementations
 NIST have released all submissions & unclassified analyses
 iterative (vs feistel) cipher, operates on entire block per round
Asymmetric encryption: Public key cryptography
Security of public key schemes
•
•
•
brute force attacks infeasible since keys used are too large (>
512bits)
security relies on a large computation difference in difficulty
between easy (en/decrypt) and hard (cryptanalyse) problems
the hard problem is generally known, it’s just made too hard
to do in practice
•
requires the use of very large numbers
•
hence is slow compared to private key schemes
Background
•
Asymmetric cryptography invented by Diffie and Helman
’76
•
3 categories of uses:
 encryption/decryption (provide secrecy)
 digital signatures (provide authentication)
 key exchange (of session keys)
Authentication using public keys
RSA
•
by Rivest, Shamir & Adleman of MIT in 1977
•
best known & widely used public-key scheme
•
based on exponentiation in a finite (Galois) field over
integers modulo a prime
 exponentiation takes O((log n)3) operations (easy)
•
uses large integers (e.g. 1024 bits)
•
security due to cost of factoring large numbers
 factorization takes O(e
log n log log n)
operations (hard)
RSA
•
To encrypt a message M the sender:
 obtain public key of recipient KU={e,N}
 computes: C=Me mod N, where 0≤M<N
•
To decrypt the ciphertext C the receiver:
 uses its private key KR={d,p,q}
 computes: M=Cd mod N
•
Message M is smaller than modulus N (so block if needed)
RSA key generation
1: determine two primes at random - p, q
•
primes p,q must not be easily derived from mod N=p.q
 means must be sufficiently large
 typically guess and use probabilistic test
2: select either e or d and compute the other
•
•
exponents e, d are inverses in mod (p-1).(q-1)
the goal is that selection of d should be random and
unpredictable
 e is computed using extended Euclidean algorithm
•
it’s okay for e to be predictable (e.g. small), so encr. fast
 but e should not be too small, e.g. 3
RSA Example
1.
Select primes: p=17 & q=11
2.
Compute
n = pq =17×11=187
3.
Compute
ø(n)=(p–1)(q-1)=16×10=160
4.
Select
e : gcd(e,160)=1; choose e=7
5.
Determine
d: de=1 mod 160 and d < 160
i.e. d=23 since 23×7=161= 10×160+1
6.
Publish public key
KU={7,187}
7.
Keep secret private key
KR={23,17,11}
RSA Example (contd.)
•
sample RSA encryption/decryption is:
•
given message M = 88 (note 88<187)
•
encryption:
C = 887 mod 187 = 11
•
decryption:
M = 1123 mod 187 = 88
Fermat’s Little Theorem
Theorem: If n is prime,
an-1 ≡ 1 mod n
Proof:
{a mod n, 2a mod n, … (n-1)a mod n}
= since n is prime , a is not divisible by n
{1, 2, … n}
=>
a x 2a x … x (n-1)a ≡ (n-1)! mod n
=
an-1 ≡ 1 mod n
Why RSA Works
•
because of Euler's Theorem:
aø(n)mod N = 1
•
where gcd(a,N)=1
in RSA have:
 N=p.q
 ø(N)=(p-1)(q-1)
 carefully chosen e & d to be inverses mod ø(N)
 hence e.d=1+k.ø(N) for some k
•
hence :
Cd = (Me)d = M1+k.ø(N) = M1.(Mø(N))q = M1.(1)q =
M1 = M mod N
Security of RSA
•
Factoring numbers is hard
•
Breaking (p-1)(q-1) or d is not easier than factoring n
 i.e. there is an easy way to factor n once (p-1)(q-1) is
broken
 likewise if d is broken
Small M
•
•
•
M=0 and M=1 are obviously not secure on encryption,
even if e is very large
Likewise, for other small M, Me would be smaller than N
and Me mod N can be precomputed and checked by the
passive eavesdropper
Even if Alice adds a large salt s to M, the attacker can
compute the encryption of s as well as its successors (s+1
...) to guess M
Avoiding Message Guessing*
•
Add random padding to make M large and unpredictable
•
Public Key Cryptographic Standard: replace M with M’
M’=0 padding || 10 || >64 random bits || 00000000 || M
•
OAEP Scheme: Optimal asymmetric encryption padding
sender XORs message with output of the cryptographic hash
function with random input; recipient obtains random and XORs out
cryptographic hash
* [David Evans]
Exponentiation
•
can use the Square and Multiply Algorithm
•
a fast, efficient algorithm for exponentiation
•
concept is based on repeatedly squaring base
•
and multiplying in the ones that are needed to compute
the result
•
look at binary representation of exponent
•
only takes O(log2 n) multiples for number n
 e.g.
75 = 74.71 = 3.7 = 10 mod 11
 e.g.
3129 = 3128.31 = 5.3 = 4 mod 11
RSA (contd.)
•
Due to Rivest, Shamir & Adleman of MIT in 1977
•
Best known & widely used public-key scheme
•
Based on exponentiation in a finite (Galois) field over integers modulo
a prime

exponentiation takes O((log n)3) operations (easy)
•
Uses large integers (e.g. 1024 bits)
•
Security due to cost of factoring large numbers


•
factorization takes O(e log n log log n) operations (hard)
barring dramatic breakthrough 1024+ bit RSA secure
Timing attacks possible


exploit time taken in exponentiation to infer operands
countermeasures
 use constant exponentiation time, add random delays
Hash functions
•
a hash function produces a fingerprint of some file/message/data
h = H(M)
•

condenses a variable-length message M

to a fixed-sized fingerprint
usually assume that the hash function is public, not keyed

•
•
cf. MAC which is keyed
hash used to detect changes to message, e.g. by creating a digital
signature or fingerprint of a message
cryptographically secure hashes also used to generate PRFs, e.g. to
derive keys
Requirements for hash functions
1.
can be applied to any sized message M
2.
produces fixed-length output h
3.
is easy to compute h=H(M) for any message M
4.
given h is infeasible to find x s.t. H(x)=h
•
one-way property
given x is infeasible to find y s.t. H(y)=H(x)
5.
•
weak collision resistance
is infeasible to find any x,y s.t. H(y)=H(x)
6.
•
strong collision resistance
Simple hash functions
•
there are several proposals for simple functions, based on
XOR of message blocks:
 e.g. longitudinal redundancy check:
 xor of columns of n-bit block arranged in rows
 e.g. above+ circular left shift of hash after each row
 effect of rotated XOR (RXOR) is to randomize the input
•
but these lack weak collision resistance
 simply “add a block” to obtain desired hash
•
need a stronger cryptographic function, which tolerates
strong collision resistance as well
More on weak collision resistance
•
•
•
How big should our hash function be?
If attacker can perform 263 hashes, hash function should
have 64 bits is output so that probability that the attacker
can find another message with the same hash is less than
0.5
Assuming hash function distribution is uniform
 Prob (one guess gives same hash)= 2-64
 Prob (the guess does not give same hash)= 1- 2-64
 Prob
(2L
hash guesses dont give the same hash) = (1-
2-64)2
63
Birthday attacks imply need longer hash values
•
•
You might think a 64-bit hash is secure, but by Birthday
Paradox is not
Given k people, what is the probability that there are two people
with the same birthday
If birthdays uniformly distributed over 365 days,
probability of no duplicates = 365x364x … x (365-k+1) / 365k
= 365!/((365-k)! x 365k)
Birthday attacks imply need longer hash values
•
birthday attack on strong-collision resistance works thus:
m

opponent generates 2 /2 variations of a valid message all with
essentially the same meaning

opponent also generates 2
message

two sets of messages are compared to find pair with same hash
(probability > 0.5 by birthday paradox)

have user sign the valid message, then substitute the forgery which
will have a valid signature
m/
2
variations of a desired fraudulent
•
conclusion is that need to use longer hash values
•
also, you might wish to change every message you sign !
Hash algorithms
•
similarities in evolution of hash functions & block ciphers
 increasing power of brute-force attacks led to evolution in
algorithms
 from DES to AES in block ciphers
 from MD4 & MD5 to SHA-1 in hash algorithms
•
likewise tend to use common iterative structure as do block
ciphers
 iteration of collision-resistant round compression function
preserves collision resistance
•
good round functions should have an avalanche effect

small changes in input should have large changes in output
Block ciphers as hash functions
•
can use block ciphers as hash functions
 using H0=0 and zero-pad of final block
 compute: Hi = EMi [Hi-1]
 and use final block as the hash value
 similar to cipher block chaining but without a key
•
•
but resulting hash should not be too small (64-bit)
like block ciphers have brute-force attacks, and a
number of analytic attacks on iterated hash functions
MD5
•
designed by Ronald Rivest (the R in RSA)
•
latest in a series of MD2, MD4
•
produces a 128-bit hash value
•
until recently was the most widely used hash algorithm
 in recent times had both brute-force & cryptanalytic concerns
•
specified as Internet standard RFC1321
MD5 overview
1.
pad message so its length is 448 mod 512
2.
append a 64-bit length value to message
3.
initialise 4-word (128-bit) MD buffer (A,B,C,D)
4.
process message in 16-word (512-bit) blocks:
5.

using 4 rounds of 16-bit operations on message block & buffer

add output to buffer input to form new buffer value
output hash value is the final buffer value
MD5 overview
MD4
•
precursor to MD5
•
also produces a 128-bit hash of message
•
has 3 rounds of 16 steps vs 4 in MD5
•
design goals:
 collision resistant (hard to find collisions)
 direct security (no dependence on "hard" problems)
 fast, simple, compact
 favours little-endian systems (e.g., PCs)
Strength of MD5
•
MD5 hash is dependent on all message bits
•
Rivest claimed security is as strong as can be with 128 bit code
•
known attacks are:

Berson 92 attacked any 1 round using differential cryptanalysis (but
can’t extend)

Boer & Bosselaers 93 found a pseudo collision (again unable to extend)

Dobbertin 96 created collisions on MD compression function (but initial
constants prevent exploit)

•
conclusion was that MD5 should be vulnerable soon
In 2004, an attack was found
Secure Hash Algorithm (SHA)
•
SHA was designed by NIST & NSA in 1993, revised 1995 as SHA-1
•
US standard for use with DSA signature scheme

standard is FIPS 180-1 1995, also Internet RFC3174

nb. the algorithm is SHA, the standard is SHS
•
produces 160-bit hash values
•
now the generally preferred hash algorithm
•

SHA-1 is now regarded as broken (with a theoretical attack of 251)

This year SHA-3 is being finalized
based on design of MD4 with key differences
SHA overview
1.
pad message so its length is 448 mod 512
2.
append a 64-bit length value to message
3.
initialise 5-word (160-bit) buffer (A,B,C,D,E) to
(67452301,efcdab89,98badcfe,10325476,c3d2e1f0)
4.
5.
process message in 16-word (512-bit) chunks:

expand 16 words into 80 words by mixing & shifting

use 4 rounds of 20 bit operations on message block & buffer

add output to input to form new buffer value
output hash value is the final buffer value
SHA-1 verses MD5
•
•
brute force attack is harder (160 vs 128 bits for MD5)
was regarded as less vulnerable to attacks (compared to
MD4/5), but this is no longer true
•
a little slower than MD5 (80 vs 64 steps)
•
both designed as simple and compact
•
optimised for big endian CPU's (vs MD5 which is optimised
for little endian CPU’s)
Revised secure hash standard
•
NIST has issued a revision FIPS 180-2
•
adds 3 additional hash algorithms
•
SHA-256, SHA-384, SHA-512
•
designed for compatibility with increased security
provided by the AES cipher
•
structure & detail is similar to SHA-1
•
hence analysis should be similar
Reading on Crypto
Comparable to the extent covered in class, read
•
Chapter 3:
3.1-3.4, 3.6
•
Chapter 5:
5.1
•
Chapter 6:
6.2-6.5
•
Chapter 7:
7.4
•
Chapter 9:
9.1-9.2
•
Chapter 11:
11.4-11.5
•
Chapter 12:
12.1-12.2