Lecture 6:
advertisement
Lecture 6:
Striving for
Confusion
Structures have been found in
DES that were undoubtedly
inserted to strengthen the
system against certain types of
attack. Structures have also
been found that appear to
weaken the system.
Lexar Corporation, “An Evalution
of the DES”, 1976.
CS588: Security and Privacy
University of Virginia
Computer Science
David Evans
http://www.cs.virginia.edu/evans
Menu
• PS1 Question 4b
– Will return PS1 Thursday
• DES
• Strengthening DES
• Breaking DES
8 February 2005
University of Virginia CS 588
2
Permutation Cipher
How much information can be
transmitted with perfect secrecy using
symbols from the English alphabet (26
letters) with a transposition cipher with
block size 8 and a permutation chosen
randomly from all possible
permutations?
8 February 2005
University of Virginia CS 588
3
Key Space
1
2
3
4
5
6
7
8
Random Permutation
8! Keys
8 February 2005
Perfect Cipher Keyspace Theorem:
Cannot transmit more than 8! different
message securely
University of Virginia CS 588
4
8! Messages
M = { ABCDEFGH,
BACDEFGH,
CABDEFGH,
DABCEFGH,
EABCDFGH,
…}
Why couldn’t you
also include
IJKLMNOP?
What if there
were only 2 alphabet
symbols?
(Note: can transmit
as many blocks as
you want)
Midterm Question
8 February 2005
University of Virginia CS 588
5
Feistel Cipher Recap
Plaintext
R0
Substitution
- Can provide confusion
and diffusion (because of
permutation), but only if F
is confusing
F
Permutation
Round
L0
Last time:
- Decryption works, as
long as the keys are
K1 used in reverse order
L1
8 February 2005
R1
University of Virginia CS 588
6
DES
• NIST (then NBS) sought standard for
data security (1973)
• IBM’s Lucifer only reasonable proposal
• Modified by NSA
– Changed S-Boxes
– Reduced key from 128 to 56 bits
• Adopted as standard in 1976
• More bits have been encrypted using
DES than any other cipher
8 February 2005
University of Virginia CS 588
7
DES Algorithm
• Feistel cipher with added initial
permutation
• Complex choice of F
• 16 rounds
• 56-bit key, shifts and permutations
produce 48-bit subkeys for each round
8 February 2005
University of Virginia CS 588
8
DES’s F
32 bits
Expand and Permute (using E table)
48 bits
Kn
Substitute (using S boxes)
32 bits
Permutation
The goal is confusion!
8 February 2005
University of Virginia CS 588
9
S-Boxes
6 bits
Example: 110011
S-Box
4 bits
64 entry lookup table
1001
Critical to security
NSA changed choice of S-Boxes
Only non-linear step in DES
E(11) E(01) + E(10)
8 February 2005
University of Virginia CS 588
10
DES Avalanche
Input:
Permuted:
Round 1:
Round 2:
Round 3:
Round 4:
Round 5:
Round 6:
Round 7:
Round 8:
Round 9:
Round 10:
Round 11:
Round 12:
Round 13:
Round 14:
Round 15:
Round 16:
Output:
...............................................................*
.......................................*........................
.......*........................................................
.*..*...*.....*........................*........................
.*..*.*.**..*.*.*.*....**.....**.*..*...*.....*.................
..*.*****.*.*****.*.*......*.....*..*.*.**..*.*.*.*....**.....**
*...**..*.*...*.*.*.*...*.***..*..*.*****.*.*****.*.*......*....
...*..**.....*.*..**.*.**...*..**...**..*.*...*.*.*.*...*.***..*
*****...***....**...*..*.*..*......*..**.....*.*..**.*.**...*..*
*.*.*.*.**.....*.*.*...**.*...*******...***....**...*..*.*..*...
***.*.***...**.*.****.....**.*..*.*.*.*.**.....*.*.*...**.*...**
*.*..*.*.**.*..*.**.***.**.*...****.*.***...**.*.****.....**.*..
..******......*..******....*....*.*..*.*.**.*..*.**.***.**.*...*
*..***....*...*.*.*.***...****....******......*..******....*....
**..*....*..******...*........*.*..***....*...*.*.*.***...****..
*.**.*....*.*....**.*...*..**.****..*....*..******...*........*.
**.*....*.*.*...*.**.*..*.*.**.**.**.*....*.*....**.*...*..**.**
.*..*.*..*..*.**....**..*..*..****.*....*.*.*...*.**.*..*.*.**.*
..*..**.*.*...*....***..***.**.*...*..*..*.*.*.**.*....*.*.*.**.
1
1
1
5
18
28
29
26
Source: Willem de Graaf, http://www-groups.dcs.st-and.ac.uk/~wdg/slides/node150.html
8 February 2005
University of Virginia CS 588
11
Key Schedule
• Need 16 48-bit keys
– Best security: just use 16 independent keys
– 768 key bits
• 56-bit key used (64 bits for parity
checking)
– Produce 48-bit round keys by shifting and
permuting
8 February 2005
University of Virginia CS 588
12
DES Keys
56 bits
Key
Next round
28 bits
28 bits
Shift (1 or 2 bits)
Shift (1 or 2 bits)
Compress/Permute
Ki = PC (Shift (Left (Ki-1))
|| Shift (Right (Ki-1)))
8 February 2005
University of Virginia CS 588
Kn
Are there any
weak keys?
13
Is DES a perfect cipher?
• No: more messages than keys
• Even for 1 64-bit block
264 messages > 256 keys
8 February 2005
University of Virginia CS 588
14
Attacking DES: Brute Force
• Key is 56 bits
• 256 = 7.2 * 1016 = 72 quadrillion
• Try 1 per second = 9 Billion years to
search entire space
• Distributed attacks
– Steal/borrow idle cycles on networked PCs
– Search half of key space with
100000 PCs * 1M keys/second in 25 days
8 February 2005
University of Virginia CS 588
15
Brute Force Attacks
• RSA DES challenges:
– 1997: 96 days (using 70,000 machines)
– Feb 1998: 41 days (distributed.net)
8 February 2005
University of Virginia CS 588
16
Multiple Encryption
8 February 2005
University of Virginia CS 588
17
Multiple Encryption
• C = EK2 (EK1 (P))
• Does it double the key space?
• Monoalphabetic cipher
Ci = K2[K1[Pi]]
= K3[Pi] for some K3
8 February 2005
University of Virginia CS 588
18
Double-Vigenère
C = EK2 (EK1 (P))
Vigenère: Ci = (Pi + Ki mod N) mod Z
Ci = ((Pi + K1i mod N1 mod Z) + K2i mod N2) mod Z
= (Pi + K1i mod N1 + K2i mod N2 ) mod Z
if N1 = N2:
= (Pi + K3i mod N) mod Z (K3 = K1 + K2)
what if N1 N2?
8 February 2005
University of Virginia CS 588
19
Double-Vigenère
• K1 = "BOND"
• K2 = "JAMES"
BONDBONDBONDBONDBONDBONDBOND
+ JAMESJAMESJAMESJAMESJAMESJAM
= KOZHTXNPFGWDNSFMBARVKOZHTXNP
• Effective key length: LCM (N1, N2) = 20
8 February 2005
University of Virginia CS 588
20
Double DES
• C = EK2 (EK1 (P))
• Is there a K3 such that C = EK3 (P)?
– There are 256 keys, and 264! mappings
– If DES is good, keys map randomly to mappings.
– Probability that a randomly chosen mapping
corresponds to a DES key:
256 / 264! << 1 / 263!
• Effective key size of Double DES?
= 256 * 256 = 2112
WRONG!
8 February 2005
University of Virginia CS 588
21
Known Plaintext Attack
P
K1
K2
E
E
try all possible keys
try all possible keys
P
E
C
XK1
XK2
YK1
YK2
XK256
YK256
D
C
One XKi = YKj means K1 = Ki and K2 = Kj
8 February 2005
University of Virginia CS 588
22
Meet-in-the-Middle Attack
• C = EK2 (EK1 (P))
• X = EK1 (P) = DK2 (C)
• Brute force attack (given one P/C pair):
calculate EK1 (P) for all keys (256 work)
calculate DK2 (C) for all keys (256 work)
the match gives the keys
• Total work = 2 * 256 = 257
8 February 2005
University of Virginia CS 588
23
Hmmm…maybe thrice?
8 February 2005
University of Virginia CS 588
24
2-Key Triple DES
• C = EK1 (DK2 (EK1 (P)))
• Why DK2 not EK2?
– Backwards compatibility with DES
– If K1 = K2: C = EK1 (DK1 (EK1 (P))) = EK1 (P)
• Actual key size = 56 + 56 bits = 112 bits
• Meet-in-the-middle?
– X = EK1 (P) = DK1 (EK2 (C))
256
need to try 2112
8 February 2005
University of Virginia CS 588
25
How secure is Triple-DES
• Brute force search: 2112 keys
– Best DES attack: 245 B keys/second
– 6.7 * 1014 years (compared to 22 hours)
– 1011 years = total lifetime of universe
(closed universe theory)
• Best known attack - reduces to 2120-log2n
– n = number of known P-C pairs
– n = 264, work is 256
Realistic?
8 February 2005
University of Virginia CS 588
26
3-Key Triple DES
•
•
•
•
C = EK3 (DK2 (EK1 (P)))
H(K) = 168
Used by PGP, S/MIME
How much work to brute-force?
– Meet-in-the-middle:
X = DK3 (C) = DK2 (EK1 (P))
256
8 February 2005
+
2112
University of Virginia CS 588
27
Cracking DES (1998)
90B keys per second
Cost < $250K (in 1998)
56 hours to solve RSA DES
Challenge
8 February 2005
University of Virginia CS 588
28
Cracking DES (2001)
• Mike Bond, Richard Clayton (University of
Cambridge PhD Students)
• IBM 4578 “Cryptoprocessor” (used in banking
security – generates PINs from account
numbers)
• $995 for custom FPGA
• 20 hours to extract key
• Meet-in-the-middle attack (we’ll discuss this
next class)
8 February 2005
University of Virginia CS 588
29
Cracking DES (2005)
Girish Ratanpal
8 February 2005
University of Virginia CS 588
30
POWER ANALYSIS ATTACKS
Girish Ratanpal
Electrical & Computer Engineering
UVA
The Problem
• Mathematically secure Cryptographic
algorithms.
• Implementations leak out information.
• Side-channels
– Execution time
– Power consumption
– Radio frequencies
– Electric/magnetic fields
8 February 2005
University of Virginia CS 588
32
The Power consumption sidechannel
• Correlation between operation and
power consumed.
– E.g. MOV 0 v/s MOV FF
• Correlation between power consumed
and bit transitions at the output of gates.
– E.g. 01 v/s 10
8 February 2005
University of Virginia CS 588
33
DPA attack on DES
32
32
L15
R15
K16
P
S
32
EP
48
L16
48
R16
32
32
IIP
64
8 February 2005
University of Virginia CS 588
• Guess the 6bit sub-key of
K16
• Determine Ci,
L15[0]
• Determine
selection
function
D(Ci, b, K16)
34
DES attack contd.
• Collect power traces with k time
samples for m cipher-texts.
• Divide the traces into two sets T0 and
T1 using the selection function.
• Compute the average.
1
1
A
1
[
k
]
T [k ]
• A0[k ] | T 0 | T [k ]
| T1 |
i
i
Ti [ k ]T 1
Ti [ k ]T 0
•
S[k ] A1[k ] A0[k ]
8 February 2005
-this is the DPA trace
University of Virginia CS 588
35
S[k] with Correct Guess
8 February 2005
University of Virginia CS 588
36
S[k] with Incorrect Guess
8 February 2005
University of Virginia CS 588
37
Subkey for SBOX-5
8 February 2005
University of Virginia CS 588
38
Existing Countermeasures
1. Noise Insertion: Directly reduces SNR of
S[k].
2. Temporal De-synchronization
•
•
•
Randomly varying clock
Dummy instructions
Randomized instruction stream
3. Algorithmic Countermeasure
•
Intermediate results masking
4. Supply Current Shielding
•
Off-chip capacitors
8 February 2005
University of Virginia CS 588
39
Existing Countermeasures
• Algorithmic & Temporal Desynchronization – affect implementation
• Need for a solution that
– Puts minimal constraints on hardware
implementation
– Can be integrated on-chip
8 February 2005
University of Virginia CS 588
40
Suppression circuit
Vdd
Rsense
Cfilter
Circuit
Under
Protection
8 February 2005
+
Tshunt
OPAMP
-
Vref
University of Virginia CS 588
• Voltage
sensed by
Rsense
• Current
feedback to
keep voltage
constant.
• Cfilter for high
frequency
components.
41
Result of Suppression
Suppression
I_supply (mA) whth and w/o suppression
0.006
0.005
0.004
0.003
0.002
0.001
0
0.00E+ 1.00E- 2.00E- 3.00E- 4.00E- 5.00E- 6.00E- 7.00E- 8.00E- 9.00E- 1.00E00
05
05
05
05
05
05
05
05
05
04
time (s)
8 February 2005
University of Virginia CS 588
42
DPA on Protected Device
8 February 2005
University of Virginia CS 588
43
Charge
• Deadline for project proposals delayed
until Feb 17
– Start using the forum to find project teams
• PS2 out today, due next Tuesday
– Read the attached paper before
Thursday’s class
– We’ll talk about it Thursday
8 February 2005
University of Virginia CS 588
44
