Lecture 7: Using Block Ciphers


Lecture 7: Using Block Ciphers
Images from http://rfidanalysis.org/
CS588: Security and Privacy
University of Virginia
Computer Science
David Evans
http://www.cs.virginia.edu/evans
Menu
• PS2
• Modes of Operation
• Differential Cryptanalysis
Sorry, PS1 is not ready to return yet!
If you want it back before then, find me at my
office tomorrow morning, or get it from Matt
during his office hours (2:30-3:30 tomorrow)
10 February 2005
University of Virginia CS 588
2
Ken Elzinga’s Theory on
Writing Mysteries
• Requires:
– Creativity
– Discipline
• Very few people can be both
• Most good mystery novels are written by
pairs:
– “Marshall Jevons” = Bill Breit and Ken Elzinga
– “Ellery Queen” = Manfred Lee and Frederic Dannay
Dave Evans’ Theory on Cryptography
• Requires:
– Creativity
– Discipline
• Very few people can be both
• Most good ciphers are written by small teams:
– Dolev-Yao, Needham-Schroeder, Diffie-Hellman, Daemen/Rijmen (AES), Blum-Blum-Shub, Rivest-Shamir-Adleman, Boneh/Franklin (IBE)
Creativity vs. Discipline
– Creativity: mostly about breaking rules
– Discipline: mostly about following rules
• Rules = internal consistency,
mathematical correctness, sticking with
stated assumptions
• US was founded by rebels and has lots
of space, so we value creativity most
(except in teenagers and soldiers)
RSA [1978]
• Ron Rivest and Adi Shamir tried to find
ways to implement public-key cryptography
• Len Adleman poked holes in their first
dozen ideas
• Eventually, they found one he couldn’t
• Adleman thought the cipher should be RS
(but Rivest convinced him otherwise)
We’ll cover RSA later after spring break, but you’ve
probably heard of it already. It’s the most important
cipher invented since One Time Pad (Vernam, 1917).
Overstatement?
“The most important technological
breakthrough in the last thousand
years.”
Lawrence Lessig
(Possibly an overstatement, but he’s
a lawyer)
PS2 Teams
• Must be diverse in at least 2 of these:
– Nationality
– Major (CS/Math/ECE/Bioinformatics/other)
– Year (Grad/4th/3rd/other)
– Liked breaking two-time pad (yes/no)
• Examples:
– Australian bioinformatics major can work with anyone
– USian, 4th year CS major who liked breaking two-time pad can’t work with a USian 3rd year CS major unless she/he didn’t like breaking the two-time pad
– If you can get Ron Rivest, Adi Shamir or Len Adleman on your team, you don’t need to worry about the other rules
Find a partner before leaving today!
Confidentiality
Modes of Operation
Modes of Operation
• Transmitting a long plaintext using 3DES:
P = P1 || P2 || ... || PN
• Electronic Codebook Mode:
C = EK (P1) || EK (P2) || ... || EK (PN)
• Problems:
– Any identical blocks encrypted identically
• 64 bits = 8 ASCII characters
• Reveals lots about your message (even if unbroken)
– Lots of ciphertext encrypted with same K
Cipher Block Chaining
[diagram: P1 ⊕ IV → DES (key K) → C1, to receiver; P2 ⊕ C1 → DES (key K) → C2, to receiver; ...]
Cipher Block Chaining
Ci = EK (Pi ⊕ Ci-1)
C1 = EK (P1 ⊕ IV)
Decrypt:
Mi = DK (Ci) ⊕ Ci-1
M1 = DK (C1) ⊕ IV
DK (EK (Pi ⊕ Ci-1)) ⊕ Ci-1 = Pi ⊕ Ci-1 ⊕ Ci-1 = Pi
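The ECB and CBC equations above, as an added example that is not from the lecture: a generic ECB/CBC implementation over a constructed 64-bit toy Feistel cipher standing in for DES. The cipher, the key and the three-block message are assumptions, and the message is assumed to already be a whole number of blocks.

```python
import hashlib
import os

BLOCK = 8  # 64-bit blocks, as in DES / 3DES

def _round_f(half, subkey):
    # Constructed round function: keyed hash truncated to a half block. Not DES's F.
    return hashlib.sha256(subkey + half).digest()[:BLOCK // 2]

def _feistel(key, block, rounds):
    # Feistel network: decryption is the same network with the subkeys in reverse order.
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in rounds:
        l, r = r, bytes(a ^ b for a, b in zip(l, _round_f(r, key + bytes([i]))))
    return r + l

def encrypt_block(key, block): return _feistel(key, block, range(8))
def decrypt_block(key, block): return _feistel(key, block, reversed(range(8)))

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def blocks(data):
    assert len(data) % BLOCK == 0, "example assumes the message is already padded"
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, pt):
    # C = E_K(P1) || E_K(P2) || ... : equal plaintext blocks give equal ciphertext blocks.
    return b"".join(encrypt_block(key, p) for p in blocks(pt))

def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for p in blocks(pt):
        prev = encrypt_block(key, xor(p, prev))  # C_i = E_K(P_i xor C_{i-1}), C_0 = IV
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for c in blocks(ct):
        out.append(xor(decrypt_block(key, c), prev))  # M_i = D_K(C_i) xor C_{i-1}
        prev = c
    return b"".join(out)

if __name__ == "__main__":
    key, iv, msg = b"k" * 16, os.urandom(BLOCK), b"ATTACK!!" * 3  # constructed values
    print(len(set(blocks(ecb_encrypt(key, msg)))), "distinct ECB blocks")     # 1
    print(len(set(blocks(cbc_encrypt(key, iv, msg)))), "distinct CBC blocks")  # 3
    print(cbc_decrypt(key, iv, cbc_encrypt(key, iv, msg)) == msg)            # True
```

The IV is sent in the clear (it need not be secret), but it must be fresh per message, otherwise CBC leaks equal leading blocks across messages just as ECB does within one.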
Cipher Feedback Mode
[diagram: shift register seeded with IV → DES (key K) → leftmost j bits ⊕ j bits of P1 → C1, to receiver; C1 is shifted into the register (shift j bits) before the next DES step, which produces C2 from P2; ...]
Does the IV need to be secret?
Output Feedback Mode
[diagram: shift register seeded with IV → DES (key K) → leftmost j bits ⊕ j bits of P1 → C1, to receiver; the j DES output bits (not C1) are shifted into the register before the next DES step, which produces C2 from P2; ...]
CFB vs OFB
[diagram: the CFB and OFB pipelines side by side; in CFB the ciphertext Ci is fed back into the shift register, in OFB the DES output is fed back]
Which is better for wireless transmissions?
Which is better for preventing message tampering?
What does it mean to “break” a cipher?
• Practical:
– You can determine the plaintext corresponding to some ciphertext without the key
– You can determine the key given some plaintext-ciphertext pairs
What does it mean to “break” a cipher?
• Academic:
– You have a technique that does better than brute force (e.g., break 112-bit 3DES with 2^111 max attempts)
– You have a technique that does better than brute force on a weakened (fewer rounds, smaller block) version of the cipher (e.g., break DES with 15 rounds)
– You have identified some mathematical weakness in the cipher, but don’t yet know how to use it usefully (e.g., there exist two different keys that map a plaintext to the same ciphertext)
DES Attacks
• Last time:
– Mostly brute force (guessing all keys)
• DES keyspace is too small
• But nowhere near good enough for 3DES
– Side-Channel: Power Analysis
• Now: Differential Cryptanalysis
Differential Cryptanalysis
• [Biham & Shamir, 1990]
• With enough work (2^47) and enough chosen plaintexts (2^47) can find key (compared to 2^56 brute force work)
• Successful academic attack: takes 3 years of 1.5Mbps encrypting chosen plaintext to get enough!
• Is a successful practical attack on other ciphers
Differential Cryptanalysis Idea
• Choose plaintext pairs with fixed difference: ΔX = X ⊕ X’
• Use differences in resulting ciphertext to guess key probabilities
• Requires chosen plaintext: attacker chooses plaintext and receives ciphertext (e.g., SpeedyPass challenge-response protocol!)
One Round
[diagram: X and X’ (32 bits) → E/P → X1, X1’ (48 bits) → ⊕ Kn → X2, X2’ → S → X3, X3’ (32 bits) → P → X4, X4’]
ΔX = X ⊕ X’
ΔXi = 0 iff Xi = Xi’
E/P preserves values:
ΔXi = 0 ⇒ X1ep(i) = X1ep(i)’
where ep(i) is a function defined by the E table
⊕ preserves values:
X2i = X1i ⊕ Kn, X2i’ = X1i’ ⊕ Kn
ΔXi = 0 ⇒ X2ep(i) = X2ep(i)’
One Round, cont.
[diagram: X2, X2’ → S → X3, X3’ → P → X4, X4’ (known from ciphertext)]
ΔXi = 0 ⇒ X2ep(i) = X2ep(i)’
X3i = X3i’ ⇒ X4p(i) = X4p(i)’
S-boxes are non-linear!
ΔXi = 0 ⇏ X3s(ep(i)) = X3s(ep(i))’
But, maybe they do probabilistically:
ΔXi = 0 ⇒ p(X3s(ep(i)) = X3s(ep(i))’) > .5 ?
p(X3s(ep(i)) = X3s(ep(i))’) < .5 ?
It’s a function of the key: p is determined experimentally.
These slides are based on Howard Heys’ Tutorial on Linear and Differential Cryptanalysis (linked from course website)
Differential Characteristics
Inputs: A = [A1, A2, A3…A64]
B = [B1, B2, B3…B64]
Outputs: a = [a1, a2, a3…a64] = { A }K
b = [b1, b2, b3…b64] = { B }K
Differences:
ΔP = A ⊕ B = [ A1 ⊕ B1, …, A64 ⊕ B64 ]
ΔC = a ⊕ b = [ a1 ⊕ b1, …, a64 ⊕ b64 ]
Differential = (ΔP, ΔC)
Goal
Inputs: A = [A1, A2, A3…A64]
B = [B1, B2, B3…B64]
Outputs: a = [a1, a2, a3…a64] = { A }K
b = [b1, b2, b3…b64] = { B }K
Differences:
ΔP = A ⊕ B = [ A1 ⊕ B1, …, A64 ⊕ B64 ]
ΔC = a ⊕ b = [ a1 ⊕ b1, …, a64 ⊕ b64 ]
Differential = (ΔP, ΔC)
• Find a particular value of ΔP for which a particular ΔC value occurs with high probability
• Allows attacker to predict bits coming into last round of cipher
If you know what one round of DES does, you can find the subkey for that round (fairly easily)!
From
Howard Heys’ Tutorial on Linear and Differential Cryptanalysis
http://www.engr.mun.ca/~howard/PAPERS/ldc_tutorial.pdf
S-box: S1
6 bits: x1x2x3x4x5x6
x1x6 select row, x2x3x4x5 select column
Remember: S-Boxes are confusing, but not secret. All DES implementations use the same S-Boxes.

x1x6 \ x2x3x4x5   0 1 2 3 4 5 6 7 8 9 A B C D E F
00                E 4 D 1 2 F B 8 3 A 6 C 5 9 0 7
01                0 F 7 4 E 2 D 1 A 6 C B 9 5 3 8
10                4 1 E 8 D 6 2 B F C 9 7 3 A 5 0
11                F C 8 2 4 9 1 7 5 B 3 E A 0 6 D

4 inputs to S1 produce 0: 011100, 000001, 111110, 111011
Partial pair XOR Distribution, S1
(rows: Input XOR, 6 bits; columns: Output XOR, 4 bits; each entry counts the inputs x, out of 64, for which S1(x) ⊕ S1(x ⊕ Input XOR) equals the Output XOR)

Input XOR   0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
0          64  0  0  0  0  0  0  0  0  0  0  0  0  0  0  0
1           0  0  0  6  0  2  4  4  0 10 12  4 10  6  2  4
2           0  0  0  8  0  4  4  4  0  6  8  6 12  6  4  2
...
3F          4  8  4  2  4  0  2  4  4  2  4  8  8  6  2  2
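Added example, not from the lecture or from Heys’ tutorial: computing the full pair XOR distribution of S1 from the S-box table on the previous slide. It is the S-box-level form of the (ΔP, ΔC) differential defined on the later slides, and the function names are assumptions.

```python
# DES S-box S1 exactly as on the slide: row chosen by x1x6, column by x2x3x4x5.
S1 = [
    [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8, 0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7],
    [0x0, 0xF, 0x7, 0x4, 0xE, 0x2, 0xD, 0x1, 0xA, 0x6, 0xC, 0xB, 0x9, 0x5, 0x3, 0x8],
    [0x4, 0x1, 0xE, 0x8, 0xD, 0x6, 0x2, 0xB, 0xF, 0xC, 0x9, 0x7, 0x3, 0xA, 0x5, 0x0],
    [0xF, 0xC, 0x8, 0x2, 0x4, 0x9, 0x1, 0x7, 0x5, 0xB, 0x3, 0xE, 0xA, 0x0, 0x6, 0xD],
]

def s1(x):
    """S1 lookup for a 6-bit input x = x1x2x3x4x5x6 (x1 is the most significant bit)."""
    row = (((x >> 5) & 1) << 1) | (x & 1)   # x1x6
    col = (x >> 1) & 0xF                     # x2x3x4x5
    return S1[row][col]

def inputs_mapping_to(sbox, value):
    """All 6-bit inputs the S-box sends to a given 4-bit output."""
    return [x for x in range(64) if sbox(x) == value]

def pair_xor_distribution(sbox):
    """table[dx][dy] = number of inputs x (out of 64) with sbox(x) ^ sbox(x ^ dx) == dy.
    Row dx = 0 is forced to 64 at dy = 0; every row sums to 64 and every entry is even,
    because x and x ^ dx form the same pair."""
    table = [[0] * 16 for _ in range(64)]
    for dx in range(64):
        for x in range(64):
            table[dx][sbox(x) ^ sbox(x ^ dx)] += 1
    return table

def most_likely_differentials(table, n=3):
    """(count, dx, dy) entries with dx != 0, largest first: the differentials whose
    probability count/64 an S-box designer wants to keep as low as possible."""
    entries = []
    for dx in range(1, 64):
        for dy in range(16):
            if table[dx][dy]:
                entries.append((table[dx][dy], dx, dy))
    return sorted(entries, reverse=True)[:n]

if __name__ == "__main__":
    ddt = pair_xor_distribution(s1)
    print("inputs giving 0:", ["{:06b}".format(x) for x in inputs_mapping_to(s1, 0)])
    for dx in (0x00, 0x01, 0x02, 0x3F):
        print("{:02X}:".format(dx), " ".join("{:2d}".format(c) for c in ddt[dx]))
    print("most likely (count, dx, dy):", most_likely_differentials(ddt))
```

The printed rows 0, 1, 2 and 3F reproduce the slide’s table, and the "ideal" all-4s table on the next slide is exactly what this function can never return for row 0.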
What would ideal distribution be?
(empty table: Input XOR 0, 1, 2, …, 3F down the side; Output XOR 0 … F across the top)

What would ideal distribution be?
Input XOR   0 1 2 3 4 5 6 7 8 9 A B C D E F
0           4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
1           4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
2           4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
...
3F          4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
Getting deterministically different outputs when the inputs are identical is really, really hard!
Why can’t we just make S-Boxes that do this?
Differential Cryptanalysis
• Propagate experimental probabilities for
1 round through 16 rounds
• After enough P-C pairs, one key
becomes most probable
• Difficulty depends heavily on S-Box
choices
• First published in 1990, but NSA knew
about it in 1973! (That’s why they
changed IBM’s S-Boxes!)
Differential Cryptanalysis
• “Successful” on DES up to 15 rounds (better than exhaustive search)
• By 16th round, characteristic probabilities are 2^-56
• Very successful on DES variants (breaks GDES with 6 chosen plaintexts)
• Very successful on FEAL (FEAL-4, FEAL-8, FEAL-N, FEAL-NX, ...)
• Would be very successful on Curry Cipher (but so would less sophisticated techniques)
Related Techniques
• Linear Cryptanalysis [Matsui, 1994]
– Try to find equations like,
Xi1 ⊕ Xi2 ⊕ … ⊕ Xin ⊕ Yj1 ⊕ Yj2 ⊕ … ⊕ Yjv = 0
where Xik selects some input bit and Yjk selects some output bit,
such that the probability it is satisfied is different from ½
• Boomerang Attack [Wagner 1999]
• Slide Attacks [Biryukov & Wagner, 1999]
Charge
• Find a partner for PS2 now
– If you already have gotten past question 1 with someone, you can keep working together
– Otherwise, find a partner who satisfies the diversity constraints (different in 2 or more):
• Nationality
• Major (CS/Math/ECE/Bioinformatics/other)
• Year (Grad/4th/3rd/other)
• Liked breaking two-time pad (yes/no)