Computer System Security CSE 5339/7339 Lecture 10 September 21, 2004

Computer System Security
CSE 5339/7339
Lecture 10
September 21, 2004
Computer Science and Engineering
Contents
- DES assignment
- More Student Presentations
- Advanced Encryption Standard (AES)
- Cryptographic Hash
- Mehmet’s Presentation

DES Group Exercise
What would the 64-bit output of round 1 be, using the plaintext and key given below (in hexadecimal format):
P = 2D 75 F4 DB A3 3E 3F 89
K = D4 3C B1 9A E4 90 D7 C6

Student presentations
- 9/21 Mehmet
- 9/23 Padmaraj
- 9/28
- 9/30
- 10/5

Advanced Encryption Standard (AES)
- By the mid-1990s, virtually all cryptologists agreed that DES needed to be replaced by an advanced encryption standard for the 21st century
- In 1997, NIST issued a request for candidate AES algorithms.

The minimum requirements for a proposed algorithm:
- A symmetric-key cryptosystem
- A block cipher
- Capable of supporting a block size of 128 bits
- Capable of supporting key lengths of 128, 192, and 256 bits
- Available on a worldwide, nonexclusive, royalty-free basis

Criteria for Evaluation
- Security
  - Soundness of the mathematical basis for an algorithm’s claimed strength
  - Research community search for flaws
- Computational Efficiency
- Memory Requirements
- Flexibility
- Simplicity

Advanced Encryption Standard (AES)
- NIST chose 15 algorithms for evaluation in the first round; 9 of them were descendants of DES
- Five made it to the second round, and one of them was selected
- Rijndael (Rine dahl) -> Vincent Rijmen & Joan Daemen
- In 2001, it was formally adopted by the US

AES (cont)
- Regular Rounds (9, 11, 13)
- Additional final Round is different (10th, 12th, 14th)
- Each regular round consists of 4 steps
  - Byte substitution (BSB)
  - Shift row (SR)
  - Mix column (MC)
  - Add Round key (ARK)

AES Overview
Plaintext (128) -> ARK (Subkey0) -> 9 rounds -> BSB -> SR -> ARK (Subkey10) -> Ciphertext (128)

Round i
BSB -> SR -> MC -> ARK (Subkey i)

State
- 128-bit block -> 4 x 4 matrix
- 128 bits -> 16 bytes -> b0, b1, b2, .., b15
b0  b4  b8   b12
b1  b5  b9   b13
b2  b6  b10  b14
b3  b7  b11  b15

Key
- 128-bit key -> 4 x 4 matrix
- 128 bits -> 16 bytes -> k0, k1, k2, .., k15
k0  k4  k8   k12
k1  k5  k9   k13
k2  k6  k10  k14
k3  k7  k11  k15

4 Operations
1. s[i,j] -> s’[i,j] (predefined substitution table, Table 10-11, page 663)
2. Rows – left circular shift
3. The 4 elements in each column are multiplied by a polynomial
4. Key is derived and added to each column

Exercise
Using the table, find the substitution of 6b, ff, 6e, 09

Shift Row
b0  b4  b8   b12        b0   b4   b8   b12
b1  b5  b9   b13   ->   b5   b9   b13  b1
b2  b6  b10  b14        b10  b14  b2   b6
b3  b7  b11  b15        b15  b3   b7   b11

Byte Representation as polynomial
One byte -> 8 bits B7, B6, B5, B4, B3, B2, B1, B0
B7 x^7 + B6 x^6 + B5 x^5 + B4 x^4 + B3 x^3 + B2 x^2 + B1 x + B0
Example:
E5 (hex) = 1110 0101 (binary) = x^7 + x^6 + x^5 + x^2 + 1 (poly)

Mix Column
                    | 2 3 1 1 |
[result column]  =  | 1 2 3 1 |  *  [state column]
                    | 1 1 2 3 |
                    | 3 1 1 2 |
- Multiplying by 1 -> no change
- Multiplying by 2 -> shift left one bit
- Multiplying by 3 -> shift left one bit and XOR with original value
- More than 8 bits -> 100011011 is subtracted

Exercise
| ? |   | 2 3 1 1 |   | e5 |
| ? | = | 1 2 3 1 | * | a8 |
| ? |   | 1 1 2 3 |   | 6f |
| ? |   | 3 1 1 2 |   | 33 |

| 6e |
| 2c |
| c6 |
| 95 |

Add Key
b0  b4  b8   b12        k0  k4  k8   k12
b1  b5  b9   b13        k1  k5  k9   k13
b2  b6  b10  b14        k2  k6  k10  k14
b3  b7  b11  b15        k3  k7  k11  k15
b’x = bx XOR kx

Example
k = 1f 34 0c da 5a 29 bb 71 6e a3 90 f1 47 d6 8b 12
B = e5 a8 6f 33 0a 52 31 9c c2 75 f8 1e b0 46 de 3a
B’ = fa 9c 63 9e 50 7b 8a ed ac d6 68 ef f7 90 55 28
Key Generation
[Figure: the key as four 4-byte words; the last word passes through a circular left shift of 1 byte, the S-box, and an XOR with the round constant, and XOR stages produce the four 4-byte words of the next subkey.]

Round Constant Table
Round   Round Constant (hex)
1       01 00 00 00
2       02 00 00 00
3       04 00 00 00
4       08 00 00 00
5       10 00 00 00
6       20 00 00 00
7       40 00 00 00
8       80 00 00 00
9       1b 00 00 00
Final   36 00 00 00

Group Exercise
k = 1f 34 0c da 5a 29 bb 71 6e a3 90 f1 47 d6 8b 12
Final 4 bytes = 47 d6 8b 12
After shift = d6 8b 12 47
Find the next sub key
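
The Mix Column exercise and the key-generation Group Exercise above both rest on byte arithmetic modulo 100011011, so one added example (not part of the lecture) covers both: it multiplies a state column by the matrix and derives the next subkey from a 128-bit key. The function names are this example's own, and the S-box is computed from its FIPS-197 definition (field inverse followed by an affine step) instead of being copied from the textbook table.

```python
# Added example, not lecture code; all function names are this example's own.
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]  # Round Constant Table
MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]

def gf_mul(a, b):
    """Multiply two bytes as polynomials, reducing by 100011011 (0x11B)."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a <<= 1
        if a & 0x100:              # more than 8 bits: subtract (XOR) 100011011
            a ^= 0x11B
        b >>= 1
    return result

def mix_column(col):
    """Multiply one 4-byte state column by the Mix Column matrix."""
    out = bytearray(4)
    for i, row in enumerate(MIX):
        for coeff, byte in zip(row, col):
            out[i] ^= gf_mul(coeff, byte)
    return bytes(out)

def sbox(x):
    """Byte substitution computed from its definition instead of a lookup table."""
    inv = 1
    for _ in range(254):           # x^254 is the inverse of x; 0 stays 0
        inv = gf_mul(inv, x)
    s = inv ^ 0x63
    for n in range(1, 5):          # affine step: XOR in four left rotations
        s ^= ((inv << n) | (inv >> (8 - n))) & 0xFF
    return s

def next_subkey(key, rnd):
    """Derive the 128-bit subkey for round rnd (1..10) from the previous one."""
    words = [key[i:i + 4] for i in range(0, 16, 4)]
    rotated = words[3][1:] + words[3][:1]                # circular left shift 1 byte
    temp = bytes(sbox(b) for b in rotated)               # S-box on each byte
    temp = bytes([temp[0] ^ RCON[rnd - 1]]) + temp[1:]   # XOR with round constant
    out = []
    for word in words:                                   # chain of XORs, word by word
        temp = bytes(a ^ b for a, b in zip(word, temp))
        out.append(temp)
    return b"".join(out)

if __name__ == "__main__":
    print(mix_column(bytes.fromhex("e5a86f33")).hex())   # Mix Column exercise column
    print(next_subkey(bytes.fromhex("1f340cda5a29bb716ea390f147d68b12"), 1).hex())
```
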
Cryptographic Hash Functions (take notes)
- Message Digest Functions
  - Protect integrity
  - Users create a message digest or fingerprint of a digital document
- Message Authentication Codes (MACs)
  - Protect both integrity and authenticity
  - MACs produce fingerprints based on both a given document and a secret key

Message Digest Functions
- Checksums -> fingerprint of a message
- If the message changes, the checksum will not match
- Most checksums are good at detecting accidental changes made to a message
- They are not designed to prevent an adversary from intentionally changing a message so that the result has the same checksum
- Message digests are designed to protect against this possibility

One-Way Hash Functions
M -> H -> H(M) = h
Example
M = “Elvis”
H(M) = (“E” + “L” + “V” + “I” + “S”) mod 26
H(M) = (5 + 12 + 22 + 9 + 19) mod 26
H(M) = 67 mod 26
H(M) = 15

Collision
x -> H -> H(x) = H(y) <- H <- y
Example
x = “Viva”
y = “Vegas”
H(x) = H(y) = 2

Collision-resistant, One-way hash functions
- Given M, it is easy to compute h
- Given any h, it is hard to find any M such that H(M) = h
- Given M1, it is difficult to find M2 (not identical to M1) such that H(M1) = H(M2)
Functions that satisfy these criteria are called message digests. They produce a fixed-length digest (fingerprint)

The Secure Hash Algorithm (SHA-1)
A message composed of b bits -> SHA-1 -> 160-bit message digest

Step 1 -- Padding
- Padding -> the total length of a padded message is a multiple of 512
- Every message is padded even if its length is already a multiple of 512
- Padding is done by appending to the input:
  - A single bit, 1
  - Enough additional bits, all 0, to make the final 512-bit block exactly 448 bits long
  - A 64-bit integer representing the length of the original message in bits

Example
- M = 01100010 11001010 1001 (20 bits)
- Padding is done by appending to the input:
  - A single bit, 1
  - 427 0s
  - A 64-bit integer representing 20
- Pad(M) = 01100010 11001010 10011000 … 00010100

Example
- Length of M = 500 bits
- Padding is done by appending to the input:
  - A single bit, 1
  - 459 0s
  - A 64-bit integer representing 500
- Length of Pad(M) = 1024 bits

Initialize 85 32-bit words (Hexa)
- H0 = 67452301
- H1 = EFCDAB89
- H2 = 98BADCFE
- H3 = 10325476
- H4 = C3D2E1F0
- K0 – K19 = 5A827999
- K20 – K39 = 6ED9EBA1
- K40 – K59 = 8F1BBCDC
- K60 – K79 = CA62C1D6

Step 2 -- Dividing Pad(M)
- Pad(M) = B1, B2, B3, …, Bn
- Each Bi denotes a 512-bit block
- Each Bi is divided into 16 32-bit words W0, W1, …, W15

Step 3 – Use W0 - W15 to compute W16 – W79
- To compute word Wj (16 <= j <= 79):
  - W(j-3), W(j-8), W(j-14), W(j-16) are XORed
  - The result is circularly left shifted one bit

Step 4 – Copy H0 – H4 into A,B,C,D,E
- A = H0
- B = H1
- C = H2
- D = H3
- E = H4

Step 5 – Four functions
- For j = 0, 19: fj(B,C,D) = (B AND C) OR (B AND D) OR (C AND D)
- For j = 20, 39: fj(B,C,D) = (B XOR C XOR D)
- For j = 40, 59: fj(B,C,D) = (B AND C) OR ((NOT B) AND D)
- For j = 60, 79: fj(B,C,D) = (B XOR C XOR D)

Step 6 – Loop
For j = 0 to 79
Do
  TEMP = Circular_left_shift_5(A) + fj(B,C,D) + E + Wj + Kj
  E = D; D = C; C = Circular_left_shift_30(B); B = A; A = TEMP
Done
+ -> addition (ignore overflow)

Step 7 – Final
H0 = H0 + A
H1 = H1 + B
H2 = H2 + C
H3 = H3 + D
H4 = H4 + E
Done
Once these steps have been performed on each
512-bit block (B1, B2, …, Bn) of the padded
message in turn, the 160-bit message digest is
given by
H0 H1 H2 H3 H4
Message Authentication Codes (MACs)
- A message authentication code (MAC) is a key-dependent message digest function:
  MAC(M,K) = h

A MAC Based on a Block Cipher
[Figure: message blocks (each labelled M1 on the slide) feed a chain of XOR and Encrypt stages keyed with K; the output of the last Encrypt stage is the MAC.]