Private Key Cryptography
advertisement
Lecture 2.2: Private Key Cryptography II CS 436/636/736 Spring 2012 Nitesh Saxena Today’s fun/informative bit – The Smudge Attack • See: http://www.usenix.org/event/woot10/tech/full_papers/Aviv.pdf 4/8/2015 Lecture 2.2 - Private Key Cryptography II 2 Course Administration • TA/Grader: Eric Frees – Email: efrees@uab.edu – Office hours: 2-4pm on Wednesdays, Ugrad lab (CH 154) 4/8/2015 Lecture 2.2 - Private Key Cryptography II 3 Outline of today’s lecture • Block Ciphers • Data Encryption Standard (DES) 4/8/2015 Lecture 2.2 - Private Key Cryptography II 4 Block Ciphers and Stream Ciphers • Block ciphers partition plaintext into blocks and encrypt each block independently (with the same key) to produce ciphertext blocks. • A stream cipher generates a keystream and encrypts by combining the keystream with the plaintext, usually with the bitwise XOR operation. • We will focus mostly on Block Ciphers 4/8/2015 Lecture 2.2 - Private Key Cryptography II 5 DES – Data Encryption Standard • • • • Encrypts by series of substitution and transpositions. Based on Feistel Structure Worldwide standard for more than 20 years. Designed by IBM (Lucifer) with later help (interference?) from NSA. • No longer considered secure for highly sensitive applications. • Replacement standard AES (advanced encryption standard) recently completed. 4/8/2015 Lecture 2.2 - Private Key Cryptography II 6 DES – Overview (Block Operation) 4/8/2015 Lecture 2.2 - Private Key Cryptography II 7 DES – Each Round 4/8/2015 8 DES – Function F 4/8/2015 Lecture 2.2 - Private Key Cryptography II 9 DES – Key Schedule (KS) 4/8/2015 Lecture 2.2 - Private Key Cryptography II 10 Operation Tables of DES: Key Schedule, PC-1, PC-2 4/8/2015 Lecture 2.2 - Private Key Cryptography II 11 Operation Tables (IP, IP-1, E and P) 4/8/2015 Lecture 2.2 - Private Key Cryptography II 12 S-boxes: S1 (as an example) 0000 00 01 10 11 0001 14 0 4 15 4 15 1 12 0010 13 7 14 8 0011 1 4 8 2 0100 2 14 13 4 0101 15 2 6 9 0110 11 13 2 1 0111 8 1 11 7 Sj S (b1b2b3b4b5b6) 1000 1001 3 10 15 5 1010 10 6 12 11 6 12 9 3 1011 12 11 7 14 1100 5 9 3 10 1101 9 5 10 0 1110 0 3 5 6 1111 7 8 0 13 Is the table entry from row : b1b 2 colum n: b3b 4b5b6 S (011001) 6d 0110 4/8/2015 Lecture 2.2 - Private Key Cryptography II 13 DES Decryption • Same as the encryption algorithm with the “reversed” key schedule – NEXT! 4/8/2015 Lecture 2.2 - Private Key Cryptography II 14 x Plain text Initial permutation (IP) L0 R0 Round-1 (key K1) L0 F ( R0, K 1) R0 Rounds 2-15 L15 R15 R15 L15 F ( R15, K 16) Round-16 (key K16) swap L15 F ( R15, K 16) R15 IP inverse 4/8/2015 y Cipher text 15 R15 IP inverse y L15 F ( R15, K 16) Cipher text IP encrypt L15 F ( R15, K 16) R15 Round-1 (K16) = R15 L15 Since 4/8/2015 Lecture 2.2 - Private Key Cryptography II decrypt L15 F ( R15, K 16) F ( R15, K 16) R15 bb 0 b0 b 16 DES Example We choose a random plaintext block and a random key, and determine what the ciphertext block would be (all in hexadecimal): 4/8/2015 Lecture 2.2 - Private Key Cryptography II 17 Example (contd) -- encryption 4/8/2015 Lecture 2.2 - Private Key Cryptography II 18 Example (contd) -- decryption Let us see how Bob, at the destination, can decipher the ciphertext received from Alice using the same key. Table 6.16 shows some interesting points. 4/8/2015 Lecture 2.2 - Private Key Cryptography II 19 DES Security: Avalanche Effect 4/8/2015 Lecture 2.2 - Private Key Cryptography II 20 DES Security • S-Box design not well understood • Has survived some recent sophisticated attacks (differential cryptanalysis) • Key is too short. Hence is vulnerable to brute force attack. • 1998 distributed attack took 3 months. • $1,000,000 machine will crack DES in 35 minutes – 1997 estimate. $10,000 – 2.5 days. 4/8/2015 Lecture 2.2 - Private Key Cryptography II 21 DES Cracking machine • 4/8/2015 Lecture 2.2 - Private Key Cryptography II 22 Super-encryption. • If key length is a concern, then instead of encrypting once, encrypt twice!! C = EK2(EK1(P)) P = DK2(DK1(C)) • Does this result in a larger key space? • Encrypting with multiple keys is known as super-encryption. • May not always be a good idea 4/8/2015 Lecture 2.2 - Private Key Cryptography II 23 Double DES • Double DES is almost as easy to break as single DES (Needs more memory though)! 4/8/2015 Lecture 2.2 - Private Key Cryptography II 24 Double DES – Meet-in-the-middle Attack (due to Diffie-Hellman) • Based on the observation that, if C = EK2(EK1(P)) Then X = EK1(P) = DK2(C). • Given a known (P, C) pair, encrypt P with all possible values of K and store result in table T. • Next, decrypt C with all possible keys K and check result. If match occurs then check key pair with new known (P, C) pair. If match occurs, you have found the keys. Else continue as before. • Process will terminate successfully. 4/8/2015 Lecture 2.2 - Private Key Cryptography II 25 Meet-in-the-middle Explanation • The first match does not say anything as we have 264 ciphertexts and 2112 keys. • On the average 2112 / 264 = 248 keys will produce same ciphertext. • So there could be 248 possible candidates • We can use a second pair (P’,C’) • So, probability that false alarm will survive two known (P, C) pairs is 248 / 264 = 2-16. • One can always check a third pair to further reduce the chance of a false alarm. 4/8/2015 Lecture 2.2 - Private Key Cryptography II 26 Triple DES Triple DES (2 keys) requires 2112 search. Is reasonably secure. Triple DES (3 keys) requires 2112 as well Which one is better? 27 Some Questions • Double encryption in DES increases the key space size from 2^56 to 2^112 – true or false? • Is known-plaintext an active or a passive attack? • Is chosen-ciphertext attack an active or a passive attack? • Reverse Engineering is applied to what design of systems – open or closed? • Alice needs to send a 64-bit long top-secret letter to Bob. Which of the ciphers that we studied today should she use? 4/8/2015 Lecture 2.2 - Private Key Cryptography II 28 Further Reading • Chapter 7.4 of HAC • Chapter 3 of Stallings 4/8/2015 Lecture 2.2 - Private Key Cryptography II 29
